.. / CVE-2019-17558

Exploit for Apache Solr <= 8.3.1 - Remote Code Execution (CVE-2019-17558)

Description:

Apache Solr versions 5.0.0 to 8.3.1 are vulnerable to remote code execution vulnerabilities through the VelocityResponseWriter. A Velocity template can be provided through Velocity templates in a configset velocity/ directory or as a parameter. A user defined configset could contain renderable, potentially malicious, templates. Parameter provided templates are disabled by default, but can be enabled by setting params.resource.loader.enabled by defining a response writer with that setting set to true. Defining a response writer requires configuration API access. Solr 8.4 removed the params resource loader entirely, and only enables the configset-provided template rendering when the configset is trusted (has been uploaded by an authenticated user).

Proof of Concept

PoC exploit

Nuclei Template

View the template here CVE-2019-17558.yaml

Validate with Nuclei

echo "$URL" | nuclei -t ~/nuclei-templates/http/cves/2019/CVE-2019-17558.yaml

Try the exploit in a lab environment:

Lab	Machine	Link
Hack The Box	Laser	Go to Practice

References:

https://lists.apache.org/thread.html/r0b7b9d4113e6ec1ae1d3d0898c645f758511107ea44f0f3a1210c5d5@%3Cissues.lucene.apache.org%3E
https://nvd.nist.gov/vuln/detail/CVE-2019-17558
https://issues.apache.org/jira/browse/SOLR-13971
http://packetstormsecurity.com/files/157078/Apache-Solr-8.3.0-Velocity-Template-Remote-Code-Execution.html
https://lists.apache.org/thread.html/rb964fe5c4e3fc05f75e8f74bf6b885f456b7a7750c36e9a8045c627a@%3Cissues.lucene.apache.org%3E

.. / CVE-2019-17558 if(localStorage["style"]=="true"){ document.getElementById('pagestyle').setAttribute('href','/assets/styleDark.css'); document.querySelector('input[type="checkbox"]').checked = true }