
CVE-2021-25646 PoC — Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.

Source
Associated Vulnerability
Title: Authenticated users can override system configurations in their requests which allows them to execute arbitrary code. (CVE-2021-25646)
Description: Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process.
Description
CVE-2021-25646 Apache Druid remote code execution vulnerability, Wker script
Readme
# CVE-2021-25646 Apache Druid remote code execution vulnerability, Wker script

Still being written...

=====================================================================================

First of all, thanks to Wker for answering my questions remotely.

I wrote this script for practice.

## Usage

The script uses DNSLog to decide whether the target is vulnerable: if the vulnerability exists, it automatically obtains a dnslog domain, performs a ping against it, and prints the returned result.

- Before use, first create a dns.wker file in the `script\ATTACKUTILS` directory:
```
#define dnsqian = Set-Cookie:[
#define dnshou =  path=/
#define re = "(.*?)"
function DnsRef(cookie){
	res = HttpGet("http://dnslog.cn/getrecords.php?t=0.3741317873165926",cookie.StrRN()."User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0");
	r = StrRe(res[0],re);
	if(GetArrayNum(r) >= 3){
		return r[3];
	}else{
		return "";
	}
}
function GetDomain(){
	array r;
	res = HttpGet("http://dnslog.cn/getdomain.php?t=0.16082432252184475","User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0");
	tmp = StrSplit(res[0],StrRN());
	dns = tmp[0];
	cookie = "Cookie: ".GettextMiddle(res[1],dnsqian,dnshou);
	ArrayAddEle(r,dns);
	ArrayAddEle(r,cookie);
	return r;
}
```
## Screenshot
![](re/re.png)
File Snapshot

```
[4.0K] /data/pocs/0f1a7541d19b20ae45323ba2d90b38afd34660dd
├── [1.7K] CVE-2021-25646ApacheDruid远程命令执行漏洞.wker
├── [ 733] dns.wker
├── [4.0K] re
│   └── [126K] re.png
└── [1.2K] README.md

1 directory, 4 files
```