Solr Injection by abusing Local Parameters on

Hi All,

This article is about bug which i discovered on last month. Honestly, I couldn’t provide exploitation details to the Zomato security team while submitting bug but i had a strong gut feelings about injection at the vulnerable endpoint. Although, I haven’t done technically much from my side but still i think Solr Injection is not much known in our community. Hence, I decided to share my thought processing while i was finding this bug and illustrating it step by step.

I always prefer to test application by first going through functionalities directly visible on webpages and observing each request generated using Burp.

While opening main page, it contains link for the Order food as visible in below screenshot.

Upon clicking link for the Order food, it will navigate to the link as illustrated in below screenshot. This page contains the search functionality to allow users to search for restaurants and cuisines in your location.

While searching for the restaurant, it generated request to the endpoint &delivery_subzone_id=number&

I observed this request and initially thought to check for the sql injection vulnerability manually on the parameter delivery_subzone_id parameter.

I started including single quotes, double quotes and random strings on parameter delivery_subzone_id. What i observed is that server is responding to the our injection of Double quotes on parameter.

As shown in below screenshot, server threw 500 internal server error with the odd number of double quotes and normal 200 Okay response with the even number of double quotes. This is the strong indication that our double quotes are being injected on query.

Now, second step was to find out which technology or database or which kind of query it could be in backend where our input is being injected.I though it as a sql and tried various payloads and techniques to further find out backend technology and create exploit as explained by Gerben Javado on below awseome article for manual sql testing but i couldn’t get any sign of sql injection in response.

At this stage, i thought to move ahead and not report this behavior as i couldn’t find working exploit to create poc but then i went ahead and reported issue to the Zomato security team with the above findings.

Zomato security team investigated and resolved issue within two hours and awarded me with the bounty of 500$ and 200$ as a bonus for the uniqueness of the bug. They updated me that it was Solr Injection. Solr is a search platform built by apache.

Further, i did research and found below article on solr injection which is very well explained so i am not repeating same technical details here and instead embedding link below.

I hope this article was worth reading.

Full time bug bounty hunter

Full time bug bounty hunter