Unauthorized Access Vulnerability in Druid Monitoring Page

Vulnerability Introduction

Druid is a database connection pool produced by Alibaba Database, and its monitoring function provided by Druid monitors the execution time of SQL, the request of Web URI, and Session monitoring. First of all, Druid does not have any vulnerabilities. However, when the developer misconfigures, it may cause unauthorized access.

Environment Setup

pom.xml Configuration

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.6.3</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <groupId>com.example</groupId>
    <artifactId>demo</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>demo</name>
    <description>Demo project for Spring Boot</description>
    <properties>
        <java.version>1.8</java.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-jdbc</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.mybatis.spring.boot</groupId>
            <artifactId>mybatis-spring-boot-starter</artifactId>
            <version>2.2.2</version>
        </dependency>

        <dependency>
            <groupId>mysql</groupId>
            <artifactId>mysql-connector-java</artifactId>
            <scope>runtime</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>com.alibaba</groupId>
            <artifactId>druid-spring-boot-starter</artifactId>
            <version>1.1.1</version>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-resources-plugin</artifactId>
                <version>3.1.0</version>
            </plugin>
        </plugins>
    </build>

</project>

Configuration of application.properties

# Database connection
spring.datasource.type=com.alibaba.druid.pool.DruidDataSource
spring.datasource.url=jdbc:mysql://127.0.0.1:3306/t1?serverTimezone=Asia/Shanghai
spring.datasource.username=sec
spring.datasource.password=sec123

## Enable StatFilter
spring.datasource.druid.web-stat-filter.enabled=true

# Enable the built-in monitoring page
spring.datasource.druid.stat-view-servlet.enabled=true

Vulnerability Reproduction

Directly access druid/index.html.

image-20220523135905077

You can log in as a forged user through the session function.

image-20220523135949721

Fix

Disable druid

application.properties configuration

spring.datasource.druid.stat-view-servlet.enabled=false
spring.datasource.druid.web-stat-filter.enabled=false
image-20220523140255506

Set authentication

# Set the login username
spring.datasource.druid.stat-view-servlet.login-username=admin
# Set the login password
spring.datasource.druid.stat-view-servlet.login-password=123
image-20220523140430917

Modify the path

##The address of the built-in monitoring page
spring.datasource.druid.stat-view-servlet.url-pattern=/druid11111111111111111111111111111/*
image-20230130121549821

Last updated