Because of the XML schema used by the vulnerable component, generally only plaintext results can be retrieved - anything which is marked up using XML, HTML, or other similar languages will fail to load via XXE.

Like all of Solr's request handlers, this one can be bound to multiple URI-stems on the server. If you have access to the web administration interface for Solr (e.g. http://targetserver:8983/solr/admin/), you can view the running configuration (e.g. http://targetserver/solr/admin/file/?file=solrconfig.xml) to determine all of the paths bound to this request handler - just look in that configuration XML file for lines like this:

<requestHandler name="/analysis/document" class="solr.DocumentAnalysisRequestHandler"/>

For example, newer versions of Solr may bind a DocumentAnalysisRequestHandler to each "core". E.g. in the example deployment package provided with Solr, both of the following will work:

/solr/analysis/documentation
/solr/collection1/analysis/document

In other words, if the system administrator has used path-based controls in an attempt to restrict access to vulnerable functionality, you may be able to work around this by using an alternate variation of the path.

The XML configuration file - and the web administration interface in general - are full of helpful information such as the absolute paths on the server that Solr components are using, in case you need to perform a blind or targeted request for content instead of using directory listings and broad-scope harvesting.

Example URLs which may be provide information helpful for using this module to its full extent (port 8983 is used in the examples because it is the port used in Solr's own bundled example configurations):

(Older versions of Solr, such as 1.4.1 and 3.6.2)
http://targetserver:8983/solr/admin/
http://targetserver:8983/solr/admin/file/?file=schema.xml
http://targetserver:8983/solr/admin/file/?file=scripts.conf
http://targetserver:8983/solr/admin/file/?file=solrconfig.xml
http://targetserver:8983/solr/admin/luke/
http://targetserver:8983/solr/admin/plugins/
http://targetserver:8983/solr/admin/properties/
http://targetserver:8983/solr/admin/system/
http://targetserver:8983/solr/admin/threads/


(Newer versions of Solr, such as 4.3.0)
http://targetserver:8983/solr/admin/
http://targetserver:8983/solr/admin/cores
http://targetserver:8983/solr/admin/file/
http://targetserver:8983/solr/admin/file/?file=schema.xml
http://targetserver:8983/solr/admin/file/?file=scripts.conf
http://targetserver:8983/solr/admin/file/?file=solrconfig.xml
http://targetserver:8983/solr/admin/info/logging
http://targetserver:8983/solr/admin/info/properties
http://targetserver:8983/solr/admin/info/system
http://targetserver:8983/solr/admin/info/threads
http://targetserver:8983/solr/admin/luke/
http://targetserver:8983/solr/admin/plugins/
http://targetserver:8983/solr/admin/properties/
http://targetserver:8983/solr/admin/system/
http://targetserver:8983/solr/admin/threads/

See the Solr documentation for more technical details.

This module will typically operate correctly when the --dos-lulz mode is used. If --dos-quad is used, the server will typically experience the desired out-of-memory condition, but you will receive a 'Connection reset by peer' message instead.
