关联漏洞
标题:Apache Solr 代码问题漏洞 (CVE-2021-27905)Description:Apache Solr是美国阿帕奇(Apache)基金会的一款基于Lucene(一款全文搜索引擎)的搜索服务器。该产品支持层面搜索、垂直搜索、高亮显示搜索结果等。 Apache Solr 8.8.2之前版本存在代码问题漏洞,攻击者可利用masterUrl参数将索引数据复制到本地内核中。
Description
POC for LFI related to CVE-2021-27905
介绍
# CVE-2021-27905.POC
POC for LFI related to CVE-2021-27905
POC for [apache-solr-file-read nuclei template](https://github.com/projectdiscovery/nuclei-templates/blob/master/vulnerabilities/apache/apache-solr-file-read.yaml)
# Use
`traverse.sh path`
For example, using /root as path, will display the content of all files (recursively)
`> ./traverse.sh /root `
It's also possible to traverse and get the content of every file on the server (with reading privileges obviously)
`> ./traverse.sh / `
# Documentation
The response from the vulnerable solr instance returns a `status code` the interesting values are:
```
status: 0 -> OK
status: 500 -> denied/forbidden.
```
After that I needed to check if the response was the content of a file of a list of files and folders. To do this I just counted how many spaces the param `stream` had. Afortunately there were only 2 cases:
```
# spaces = 0 -> list of files and folders
# spaces > 0 -> content of a file.
```
文件快照
[4.0K] /data/pocs/c17d49186664e4b2c9df30d31a7ca73d515635b4
├── [ 985] README.md
└── [1.3K] traverse.sh
0 directories, 2 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮件到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对 POC 代码进行快照,为了长期维护,请考虑为本地 POC 付费/捐赠,感谢您的支持。