id: CVE-2019-7609
info:
  name: Kibana Timelion Code Execution
  risk: Critical

params:
  - root: "{{.BaseURL}}"

replicate:
  ports: '5601'
  prefixes: 'kibana'

requests:
  - method: POST
    url: >-
      {{.root}}/api/timelion/run
    headers:
      - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
      - Content-Type: "application/json; charset=utf-8"
    body: |
      {"sheet":[".es(*)"],"time":{"from":"now-1m","to":"now","mode":"quick","interval":"auto","timezone":"Asia/Shanghai"}}
    detections:
      - >-
        StatusCode() == 200 && StringSearch("response", "seriesList") && StringSearch("resHeaders", "application/json")

references:
  - https://www.cvebase.com/cve/2019/7609