CVE-2021-25646 PoC — Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.

Source
Associated Vulnerability
Title: Authenticated users can override system configurations in their requests which allows them to execute arbitrary code. (CVE-2021-25646)
Description: Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process.
Description
A proof-of-concept for CVE-2021-25646, which allows for command injection
Readme
# CVE-2021-25646 Proof-of-Concept (Go Version)

## Overview

This repository contains a proof-of-concept (PoC) exploit for [CVE-2021-25646](https://nvd.nist.gov/vuln/detail/CVE-2021-25646), a critical remote code execution vulnerability in [Apache Druid](https://druid.apache.org/).  
The exploit is written in Go and allows for interactive command injection via the terminal.

---

## Features

- **Interactive Command Injection:**  
  Execute arbitrary commands on a vulnerable Apache Druid server through an interactive shell interface.

---

## Build

You need [Go](https://golang.org/dl/) installed (Go 1.23.4 or later recommended).

```bash
go build .
```

This will produce a binary in the current directory.

---

## Usage

You can run the exploit either by building the binary or directly with `go run`.

### Command-Line Options

- `-i` : Target Druid server IP address (required)
- `-p` : Target Druid server port (required)
- `-proxy` : HTTP proxy URL to route the requests through, e.g. for inspecting them in an intercepting proxy (optional)

### Examples

**Run the built binary:**

```bash
./cve -i 127.0.0.1 -p 8888
```

**Or run directly with Go:**

```bash
go run main.go -i 127.0.0.1 -p 8888
```

---

## Example Session

```bash
$ ./cve -i 127.0.0.1 -p 8888
~ $ whoami
root
~ $ uname -a
Linux druid-server 4.15.0-123-generic #126-Ubuntu SMP ...
```

---

## Technical Details

- **Vulnerability:**  
  Druid can evaluate user-provided JavaScript embedded in requests, but that feature is disabled by default. In Druid 0.20.0 and earlier, a request to the `indexer` component's `task` API can carry a JavaScript-typed component together with a per-request override of the configuration that disables it, so the server evaluates the caller's JavaScript for that request regardless of its settings. The exploit wraps an operating-system command in such a JavaScript payload (a crafted JSON body), and the command runs with the privileges of the Druid server process. The advisory assumes an authenticated user; on deployments with no authenticator configured, that precondition is trivially met.

- **References:**  
  - [CVE-2021-25646 - NVD](https://nvd.nist.gov/vuln/detail/CVE-2021-25646)
  - [Apache Druid Security Advisory](https://github.com/apache/druid/security/advisories/GHSA-2p3x-3w7x-v2wq)
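
Two checks a defender would want alongside this PoC, written here as an added Go example (this is not code from the repository or from Apache Druid): a walker that flags JavaScript-typed components in a JSON request body captured in front of the indexer API, and a version test for the affected range named in the advisory (0.20.0 and earlier, fixed in 0.20.1). The sample request body, the `$.`-style paths and the function names are constructed for this example; the harmless `function(value) { ... }` stands in for whatever a real payload would carry.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Finding records one JavaScript-typed component found in a Druid request body.
type Finding struct {
	Path     string // JSON path of the offending object, e.g. $.spec.dataSchema.transformSpec.filter
	Function string // the embedded JavaScript source (truncated for logging)
}

// walk descends an already-decoded JSON value and records every object whose
// "type" is "javascript". In Druid that type string marks the components
// (filters, aggregators, extraction functions, post-aggregators) that carry
// user-supplied JavaScript, which is what this CVE forces the server to run.
func walk(v interface{}, path string, out *[]Finding) {
	switch node := v.(type) {
	case map[string]interface{}:
		if t, ok := node["type"].(string); ok && strings.EqualFold(t, "javascript") {
			fn, _ := node["function"].(string)
			if len(fn) > 80 {
				fn = fn[:80] + "..."
			}
			*out = append(*out, Finding{Path: path, Function: fn})
		}
		for k, child := range node {
			walk(child, path+"."+k, out)
		}
	case []interface{}:
		for i, child := range node {
			walk(child, fmt.Sprintf("%s[%d]", path, i), out)
		}
	}
}

// ScanRequestBody parses a JSON request body (for example one logged by a reverse
// proxy in front of the Druid indexer API) and returns all JavaScript-typed
// components, sorted by path so that the result is deterministic.
func ScanRequestBody(body []byte) ([]Finding, error) {
	var v interface{}
	if err := json.Unmarshal(body, &v); err != nil {
		return nil, fmt.Errorf("invalid JSON body: %w", err)
	}
	var out []Finding
	walk(v, "$", &out)
	sort.Slice(out, func(i, j int) bool { return out[i].Path < out[j].Path })
	return out, nil
}

// IsAffectedVersion reports whether a Druid version string falls in the range the
// advisory names (0.20.0 and earlier; 0.20.1 carries the fix). A pre-release suffix
// such as "-incubating" is ignored; anything that does not parse as X.Y.Z is an error.
func IsAffectedVersion(version string) (bool, error) {
	core := strings.SplitN(strings.TrimSpace(version), "-", 2)[0]
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return false, fmt.Errorf("unrecognised version %q", version)
	}
	nums := make([]int, 3)
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return false, fmt.Errorf("unrecognised version %q", version)
		}
		nums[i] = n
	}
	if nums[0] != 0 {
		return false, nil // 24.0.0 and later are outside the affected range
	}
	if nums[1] != 20 {
		return nums[1] < 20, nil
	}
	return nums[2] == 0, nil // 0.20.0 affected, 0.20.1+ fixed
}

// sampleBody is a constructed ingestion spec (not a captured request) whose
// transformSpec carries a JavaScript filter with a deliberately harmless body.
const sampleBody = `{"type": "index_parallel", "spec": {"dataSchema": {
  "dataSource": "wikipedia", "transformSpec": {"filter": {"type": "javascript",
  "dimension": "added", "function": "function(value) { return value > 0 }"}}}}}`

func main() {
	findings, err := ScanRequestBody([]byte(sampleBody))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("JavaScript component at %s: %s\n", f.Path, f.Function)
	}
	for _, v := range []string{"0.19.0", "0.20.0", "0.20.1", "24.0.0"} {
		affected, _ := IsAffectedVersion(v)
		fmt.Printf("Druid %s affected: %v\n", v, affected)
	}
}
```

A match from `ScanRequestBody` is a triage signal, not proof of exploitation: a deployment that legitimately sets `druid.javascript.enabled=true` produces the same findings, so compare the body scan against the server's own configuration and the identity that submitted the request.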

---

## ToDo 
- [ ] Add support for HTTPS
- [ ] Automate switch to reverse shell
- [ ] More native command prompt feeling

---

## Disclaimer

This software is provided **for educational purposes only**.  
The author is **not responsible** for any misuse or damage caused by this code.  
Always obtain **proper authorization** before testing any system.
File Snapshot

[4.0K] /data/pocs/66e083fe3c31a250d8818822e19edbba1c8aaad8
├── [  22] go.mod
├── [1.2K] main.go
├── [2.0K] README.md
└── [4.0K] utils
    └── [1.8K] payload.go

1 directory, 4 files