apache solr injection
play

Apache Solr Injection Michael Stepankin @artsploit DEF CON 27 - PowerPoint PPT Presentation

Sep 27, 2023 •98 likes •518 views

Apache Solr Injection Michael Stepankin @artsploit DEF CON 27 @whoami Michael Stepankin Security Researcher @ Veracode Web app breaker Works on making Dynamic and Static Code Analysis smarter Penetration tester in the

  1. Apache Solr Injection Michael Stepankin @artsploit DEF CON 27

  2. @whoami – Michael Stepankin • Security Researcher @ Veracode • Web app breaker • Works on making Dynamic and Static Code Analysis smarter • Penetration tester in the past • Never reported SSL ciphers

  3. Ones upon a time on bug bounty…

  4. What is Solr? • Solr is the popular, blazing-fast, open source enterprise search platform built on Apache Lucene • Written in Java, open source • REST API as a main connector • Used by many companies (AT&T, eBay, Netflix, Adobe etc…) https://lucene.apache.org/solr/

  5. How does it look like?

  6. Solr Quick Start //add some data //start solr $ ./bin/solr start -e dih //search data

  7. Solr 101: simple query Requested content-type

  8. Solr 101: more complex query Request Handler (select, update, config) Collection (‘database’) name Parser type Local parameter name (default field)

  9. Solr 101: more complex query Requested Fields (columns) Subquery for column ‘similar’ Requested response type

  10. Common Solr Usage in Web App :

  11. Solr Parameter Injection (HTTP Query Injection) : Browser /search?q=Apple%26xxx=yyy%23 Solr /solr/db/select?q=Apple&xxx=yyy#&fl=id,name&rows=10

  12. Solr Parameter Injection: Magic Parameters GET /solr/db/select?q=Apple&shards=http://127.0.0.1:8984/solr/db&qt=/ config%23&stream.body={"set-property":{"xxx":"yyy"}}&isShard=true • shards=http://127.0.0.1:8984/solr/db - allows to forward this request to the specified url • qt=/config%23 – allows to rewrite query • stream.body={"set-property":{"xxx":"yyy"}} – treated by Solr as a POST body • isShard=true - needed to prevent body parsing while proxying

  13. Solr Parameter Injection: Magic Parameters GET /solr/db/select?q=Apple&shards=http://127.0.0.1:8984/solr/db&qt=/ config%23&stream.body={"set-property":{"xxx":"yyy"}}&isShard=true

  14. Solr Parameter Injection: collection name leak

  15. Solr Parameter Injection: update another collection * The error is thrown after the update is done

  16. Solr Parameter Injection: query another collection * We can rename columns in our query to match the original collection

  17. Solr Parameter Injection: JSON response rewriting * json.wrf parameter acts like a JSONp callback, May work depending on the app’s JSON parser

  18. Solr Parameter Injection: XML response poisoning * ValueAugmenterFactory adds a new field to every returned document

  19. Solr Parameter Injection: XSS via response poisoning * Xml Transformer inserts a valid XML fragment in the document

  20. Solr Local Parameter Injection : Browser /search?q={!dismax+xxx=yyy}Apple Solr /solr/db/select?q={!dismax+xxx=yyy}Apple&fl=id…

  21. Solr Local parameter injection • Known since 2013, but nobody knew how to exploit • We can specify only the parser name and local parameters • ‘shards’, ‘stream.body‘ are not ‘local’ • XMLParser is the rescue!:

  22. Solr Local parameter injection: CVE-2017-12629 • XMLParser is vulnerable to XXE, allowing to perform SSRF: • Therefore, all ‘shards’ magic also works if we can only control the ‘q’ param!

  23. Wait! Are you mad telling us about HTTP injection, XXE and (even) XSS? Where is my CALCULATOR!!!???

  24. Ways to RCE • Documentation does not really help • But It’s java, so…. • For sure it has XXEs • For sure it has Serialization • Indeed it has ScriptEngine() • Indeed it even has Runtime.exec()

  25. CVE-2017-12629 RunExecutableListener RCE Target versions: 5.5x-5.5.4, 6x-6.6.3, 7x – 7.1 Requirements: None

  26. CVE-2017-12629 RunExecutableListener via shards • (step 1) Add a new query listener • (step 2) Perform any update operation *Tnx Olga Barinova (@_lely___) for help with making it work J

  27. CVE-2017-12629 RunExecutableListener via XXE • (step 1) Add a new query listener • (step 2) Perform any update operation

  28. CVE-2019-0192 RCE via jmx.serviceUrl Target versions: 5x – 6x. In v7-8 JMX is ignored Requirements: OOB connection or direct access

  29. CVE-2019-0192 RCE via jmx.serviceUrl What happen inside? Leads to un.rmi.transport.StreamRemoteCall#executeCall and then to ObjectInputStream.readObject()

  30. CVE-2019-0192 RCE via jmx.serviceUrl 1st way to exploit (via deserialization) • Start a malicious RMI server serving ROME2 object payload on port 1617 • Trigger a Solr connection to the malicious RMI server by setting the jmx.serviceUrl property • RMI server responds with a serialized object, triggering RCE on Solr *Note: ROME gadget chain requires Solr extraction libraries in the classpath

  31. CVE-2019-0192 RCE via jmx.serviceUrl

  32. CVE-2019-0192 RCE via jmx.serviceUrl 2nd way to exploit (via JMX) • Create an innocent rmiregistry • Trigger a Solr connection to the rmiregistry by setting the jmx.serviceUrl property. It will register Solr’s JMX port on our rmiregistry.

  33. CVE-2019-0192 RCE via jmx.serviceUrl 2nd way to exploit (via JMX) • Connect to the opened JMX port and create a malicious MBean

  34. CVE-2019-0193 DataImportHandler RCE Target version: 1.3 – 8.2 Requirements: DataImportHandler enabled

  35. CVE-2019-0193 DataImportHandler RCE

  36. Example: search.maven.org

  37. Example: search.maven.org

  38. Example: search.maven.org

  39. Example: search.maven.org

  40. Example: search.maven.org

  41. Thank you! F u ll wh ite p a p e r a t: h ttp s ://g ith u b .c o m/v e ra c o d e - re s e a rc h /s o lr-in jectio n

Recommend

Apache Lucene 5 New Features and Improvements for Apache Solr and Elasticsearch Uwe Schindler

Apache Lucene 5 New Features and Improvements for Apache Solr and Elasticsearch Uwe Schindler

Apache Lucene 5 New Features and Improvements for Apache Solr and Elasticsearch Uwe Schindler Apache Software Foundation | SD DataSolutions GmbH | PANGAEA My Background Committer and PMC member of Apache Lucene and Solr - main focus is on

1.09k views • 83 slides
Apache Solr An experience report 2013-10-23 - Corsin Decurtins Apache Solr Notes Full-Text

Apache Solr An experience report 2013-10-23 - Corsin Decurtins Apache Solr Notes Full-Text

Apache Solr An experience report 2013-10-23 - Corsin Decurtins Apache Solr Notes Full-Text Search Engine Fast Apache Lucene Project Proven and Well-Known Technology based on Apache Lucene Java based Open APIs Customizable Clustering

1.02k views • 69 slides
Faceted Searching With Apache Solr October 13, 2006 Chris Hostetter hossman apache org

Faceted Searching With Apache Solr October 13, 2006 Chris Hostetter hossman apache org

Faceted Searching With Apache Solr October 13, 2006 Chris Hostetter hossman apache org http://incubator.apache.org/solr/ What is Faceted Searching? 2 Example: Epicurious.com 3 Example: Nabble.com 4 Example: CNET.com 5 Aka:

774 views • 35 slides
What's coming next? Uwe Schindler SD DataSolutions GmbH / Apache Software Foundation thetaph1

What's coming next? Uwe Schindler SD DataSolutions GmbH / Apache Software Foundation thetaph1

Apache Lucene and Solr 8: What's coming next? Uwe Schindler SD DataSolutions GmbH / Apache Software Foundation thetaph1 https://www.thetaphi.de My Background Committer and PMC member of Apache Lucene and Solr - main focus is on

785 views • 37 slides
optimizations for e-commerce search with Apache Solr Tomasz Sobczak, MICES 2017 About me Work

optimizations for e-commerce search with Apache Solr Tomasz Sobczak, MICES 2017 About me Work

Performance optimizations for e-commerce search with Apache Solr Tomasz Sobczak, MICES 2017 About me Work at Lucene, Solr and Elasticsearch Everything related to search tech & business Focus on search relevancy Enterprise Search Warsaw

946 views • 29 slides
Apache Solr la piattaforma di ricerca enterprise LucaBonesini | Titulus User Group, Kion

Apache Solr la piattaforma di ricerca enterprise LucaBonesini | Titulus User Group, Kion

Apache Solr la piattaforma di ricerca enterprise LucaBonesini | Titulus User Group, Kion Bologna 4/dic/2013 Chi s hi son ono Luca Bonesini Infor orma matico Lanciatore di giavellotti Prog ogramma mmator ore Suonatore di chitarra

986 views • 39 slides
Building and Running a Solr-as-a-Service SHAI ERERA IBM Who Am I? Working at IBM Social

Building and Running a Solr-as-a-Service SHAI ERERA IBM Who Am I? Working at IBM Social

Building and Running a Solr-as-a-Service SHAI ERERA IBM Who Am I? Working at IBM Social Analytics & Technologies Lucene/Solr committer and PMC member http://shaierera.blogspot.com shaie@apache.org Background More and

637 views • 20 slides
Drupal and Apache Solr Search Go Together Like Pizza and Beer for Your Site Peter M. Wolanin,

Drupal and Apache Solr Search Go Together Like Pizza and Beer for Your Site Peter M. Wolanin,

February 2, 2013 Drupal and Apache Solr Search Go Together Like Pizza and Beer for Your Site Peter M. Wolanin, Ph.D. Momentum Specialist (principal engineer), Acquia, Inc. Drupal contributor drupal.org/user/49851 co-maintainer of the Drupal

550 views • 41 slides
Beyond full-text searches With Lucene and Solr Bertrand Delacrtaz ApacheCon EU 2007, Amsterdam

Beyond full-text searches With Lucene and Solr Bertrand Delacrtaz ApacheCon EU 2007, Amsterdam

Beyond full-text searches With Lucene and Solr Bertrand Delacrtaz ApacheCon EU 2007, Amsterdam bdelacretaz@apache.org www.codeconsult.ch slides revision: 2007-05-03 Slides at http://wiki.apache.org/apachecon/Eu2007OnlineSessionSlides How

748 views • 32 slides
Progressive Decoupling React + Drupal + Apache Solr November 9, 2018 Prepared by Chris Russo,

Progressive Decoupling React + Drupal + Apache Solr November 9, 2018 Prepared by Chris Russo,

DRUPAL CAMP ATLANTA 2018 Progressive Decoupling React + Drupal + Apache Solr November 9, 2018 Prepared by Chris Russo, CEO Drupalcamp Atlanta 2018 WHO AM I? SESSION GOALS CASE STUDY: THE APP EOMEGA.ORG/SEARCH PREVIOUS SEARCH

972 views • 34 slides
A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a password manager is a good idea! SQL injection is ironic SQL injection is funny Overviewtrated Account Summary Account: Account: "SELECT

445 views • 32 slides
site with Apache solr Presentation by Janmejaya Mishra (drupal.org id - janmejaya) Deepak

site with Apache solr Presentation by Janmejaya Mishra (drupal.org id - janmejaya) Deepak

Building search engine for Drupal site with Apache solr Presentation by Janmejaya Mishra (drupal.org id - janmejaya) Deepak Kumar (drupal.org id deepak_123) 1. Drupal default search 2. Limitations of drupal default search 3.

700 views • 19 slides
Bugs, Bugs, Bugs Uwe Schindler Apache Lucene Committer & PMC Member uschindler@apache.org

Bugs, Bugs, Bugs Uwe Schindler Apache Lucene Committer & PMC Member uschindler@apache.org

Testing Lucene and Solr with various JVMs: Bugs, Bugs, Bugs Uwe Schindler Apache Lucene Committer & PMC Member uschindler@apache.org http://www.thetaphi.de, http://blog.thetaphi.de @ThetaPh1 SD DataSolutions GmbH , Wtjenstr. 49, 28213

1.13k views • 71 slides
Lucene And Solr Document Classification Alessandro Benedetti, Software Engineer, Sease Ltd. Who

Lucene And Solr Document Classification Alessandro Benedetti, Software Engineer, Sease Ltd. Who

Lucene And Solr Document Classification Alessandro Benedetti, Software Engineer, Sease Ltd. Who I am Alessandro Benedetti Search Consultant R&D Software Engineer Master in Computer Science Apache Lucene/Solr

875 views • 31 slides
5.2) Injections (part 2) Shell Injection, XML Injection, LDAP injection Emmanuel Benoist Spring

5.2) Injections (part 2) Shell Injection, XML Injection, LDAP injection Emmanuel Benoist Spring

5.2) Injections (part 2) Shell Injection, XML Injection, LDAP injection Emmanuel Benoist Spring Term 2016 Berner Fachhochschule | Haute cole spcialise bernoise | Berne University of Applied Sciences 1 Table of Contents Injection in PHP

995 views • 73 slides
Combining Solr and Elasticsearch to Improve Autosuggestion on Mobile Local Search Toan Vinh Luu,

Combining Solr and Elasticsearch to Improve Autosuggestion on Mobile Local Search Toan Vinh Luu,

Combining Solr and Elasticsearch to Improve Autosuggestion on Mobile Local Search Toan Vinh Luu, PhD Senior Search Engineer local.ch AG Apache: Big Data 2015 In this talk Requirements of an autosuggestion feature Autosuggestion

416 views • 30 slides
A1 (Part 3): Injection Blind SQL Injection Blind SQL Injection SQL injectio ion that tricks ks

A1 (Part 3): Injection Blind SQL Injection Blind SQL Injection SQL injectio ion that tricks ks

A1 (Part 3): Injection Blind SQL Injection Blind SQL Injection SQL injectio ion that tricks ks databases into reveal l information by way of the success or failure of injected querie ies Analogous example le: Login prompt that stops ps

602 views • 14 slides
Advanced Document Similarity With Apache Lucene Alessandro Benedetti, Software Engineer, Sease

Advanced Document Similarity With Apache Lucene Alessandro Benedetti, Software Engineer, Sease

Advanced Document Similarity With Apache Lucene Alessandro Benedetti, Software Engineer, Sease Ltd. Who I am Alessandro Benedetti Search Consultant R&D Software Engineer Master in Computer Science Apache Lucene/Solr

422 views • 30 slides
Beyond the Solr Eclipse Building blazing fast Drupal 8 search with Solr and no code TANAY SAI

Beyond the Solr Eclipse Building blazing fast Drupal 8 search with Solr and no code TANAY SAI

Beyond the Solr Eclipse Building blazing fast Drupal 8 search with Solr and no code TANAY SAI Technical Services Manager Acquia India www.tanay.co.in @saitanay JAYAKRISHNAN JAYABAL Technical Architect Acquia India @jayakrishnanjay

585 views • 32 slides
SoLR Cost Allocation Changes Gareth Evans Purpose Purpose of presentation is to go through

SoLR Cost Allocation Changes Gareth Evans Purpose Purpose of presentation is to go through

SoLR Cost Allocation Changes Gareth Evans Purpose Purpose of presentation is to go through potential changes to how Supplier of Last Resort (SoLR) costs are recovered from shippers by Gas Transporters. Intention is to ensure gas market

463 views • 15 slides
Injection mismatch type of injection mismatch will lead to an emittance blow-up. Off axis

Injection mismatch type of injection mismatch will lead to an emittance blow-up. Off axis

Injection mismatch: As a rule, proton/ion accelerators need their full aperture at injection, thus avoiding mismatch allows a beam of larger normalized emittance * and containing more Protons. In proton/ion ring accelerators any Injection

454 views • 4 slides
Bootstrapping Solr search clusters and maintain them using Puppet All you ever wanted to know

Bootstrapping Solr search clusters and maintain them using Puppet All you ever wanted to know

22 August 2012 Bootstrapping Solr search clusters and maintain them using Puppet All you ever wanted to know about maintaining Solr for a search-critical Drupal application Friday, August 24, 12 Who Are We Nick Veenhof Nick_vh,

522 views • 48 slides
A1 (Part 1): Injection Command and Code injection A1 Injection Tricking an application

A1 (Part 1): Injection Command and Code injection A1 Injection Tricking an application

A1 (Part 1): Injection Command and Code injection A1 Injection Tricking an application into executing commands or code embedded in data Data and code mixing! Often injected into interpreters SQL, PHP, Python, JavaScript, LDAP,

377 views • 14 slides
INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible

INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible

TECHNOLOGY APPLICATIONS FOR HYDRO ISOLATION AND REPAIR OF UNDERGROUND FACILITIES INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible mass of mineral origin, for both dry and wet surfaces solvent-free,

487 views • 21 slides

More recommend