Unauthorized Access Vulnerability in Druid Monitoring Page
Vulnerability Introduction
Druid is a database connection pool produced by Alibaba Database. Its built-in monitoring function tracks SQL execution time, Web URI requests, and sessions. Druid itself does not have a vulnerability here. However, when a developer misconfigures it, the monitoring page can be accessed without authorization.
Environment Setup
pom.xml Configuration
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.6.3</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <groupId>com.example</groupId>
    <artifactId>demo</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>demo</name>
    <description>Demo project for Spring Boot</description>
    <properties>
        <java.version>1.8</java.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-jdbc</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.mybatis.spring.boot</groupId>
            <artifactId>mybatis-spring-boot-starter</artifactId>
            <version>2.2.2</version>
        </dependency>
        <dependency>
            <groupId>mysql</groupId>
            <artifactId>mysql-connector-java</artifactId>
            <scope>runtime</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>com.alibaba</groupId>
            <artifactId>druid-spring-boot-starter</artifactId>
            <version>1.1.1</version>
        </dependency>
    </dependencies>
    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-resources-plugin</artifactId>
                <version>3.1.0</version>
            </plugin>
        </plugins>
    </build>
</project>
Configuration of application.properties
# Database connection
spring.datasource.type=com.alibaba.druid.pool.DruidDataSource
spring.datasource.url=jdbc:mysql://127.0.0.1:3306/t1?serverTimezone=Asia/Shanghai
spring.datasource.username=sec
spring.datasource.password=sec123
## Enable WebStatFilter
spring.datasource.druid.web-stat-filter.enabled=true
# Enable the built-in monitoring page
spring.datasource.druid.stat-view-servlet.enabled=true
Vulnerability Reproduction
Directly access druid/index.html.

You can log in as a forged user through the session function.

Fix
Disable druid
application.properties configuration
spring.datasource.druid.stat-view-servlet.enabled=false
spring.datasource.druid.web-stat-filter.enabled=false

Set authentication
# Set the login username
spring.datasource.druid.stat-view-servlet.login-username=admin
# Set the login password
spring.datasource.druid.stat-view-servlet.login-password=123

Modify the path
## The address of the built-in monitoring page
spring.datasource.druid.stat-view-servlet.url-pattern=/druid11111111111111111111111111111/*
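
The fixes above can be checked automatically before deployment. The following is an added example, not code from the original page or from the Druid project: a small auditor that reads application.properties text and reports whether the monitoring page is enabled without a login, with a short password, or without an IP allowlist. The finding codes and the 12-character threshold are assumptions made for this example, and the `allow` key (the starter's IP allowlist setting) does not appear on this page.

```python
import re

P = "spring.datasource.druid.stat-view-servlet."   # key prefix used on this page
MIN_PASSWORD_LEN = 12   # assumption: local policy threshold, not a Druid rule

def parse_properties(text):
    """Minimal .properties reader: 'key=value' or 'key: value'; '#'/'!' start comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def audit_druid(text):
    """Return finding codes for the Druid monitoring page settings in `text`."""
    props = parse_properties(text)
    # Assumption: a missing 'enabled' key counts as disabled; the default
    # depends on the starter version, so confirm it for the version in use.
    if props.get(P + "enabled", "false").lower() != "true":
        return []
    findings = []
    user = props.get(P + "login-username", "")
    password = props.get(P + "login-password", "")
    if not user or not password:
        findings.append("NO_AUTH")            # page is served without a login
    elif len(password) < MIN_PASSWORD_LEN:
        findings.append("WEAK_PASSWORD")      # login is set but easy to guess
    if not props.get(P + "allow", ""):
        findings.append("NO_IP_ALLOWLIST")    # reachable from any client address
    return findings

# Constructed sample inputs, built from the snippets shown on this page.
OPEN = P + "enabled=true\nspring.datasource.druid.web-stat-filter.enabled=true\n"
WITH_LOGIN = OPEN + P + "login-username=admin\n" + P + "login-password=123\n"
RENAMED = OPEN + P + "url-pattern=/druid11111111111111111111111111111/*\n"
DISABLED = P + "enabled=false\n"

if __name__ == "__main__":
    for name, cfg in [("open", OPEN), ("with_login", WITH_LOGIN),
                      ("renamed", RENAMED), ("disabled", DISABLED)]:
        print(name, audit_druid(cfg))
```

The renamed-path configuration still reports NO_AUTH, because changing the URL pattern moves the page without adding a login.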
