PoC details: 47ece05a923dce6e56697e8589edd4c51ba4c0e4

Source
Related vulnerability
Title: XWiki Platform security vulnerability (CVE-2025-24893)
Description: XWiki Platform is an open-source wiki platform from XWiki for building collaborative web applications. XWiki Platform contains a security vulnerability: any guest user can achieve remote code execution through a request to SolrSearch.
Description
CVE-2025-24893 is a critical unauthenticated remote code execution vulnerability in XWiki (versions < 15.10.11, 16.4.1, 16.5.0RC1) caused by improper handling of Groovy expressions in the SolrSearch macro.
Introduction
# CVE-2025-24893 - XWiki Unauthenticated RCE Exploit POC

> ⚠️ Unauthenticated Remote Code Execution in XWiki  
> 🛠️ PoC implementation by [@dollarboysushil](https://dollarboysushil.com)

## 💡 Overview

**CVE-2025-24893** is a critical RCE vulnerability in [XWiki](https://xwiki.org), caused by unsafe Groovy expression handling inside the `SolrSearch` macro. An attacker can inject Groovy code through a crafted GET request, leading to **remote code execution** (no authentication required).

- **Severity:** Critical (CVSS 9.8)
- **Affected:** Versions < 15.10.11, 16.4.1, 16.5.0RC1

---

## 🛠 Technical Breakdown

The vulnerability resides in the **`SolrSearch` macro** (`Main.SolrSearch`) of XWiki, which handles search input using unsafe Groovy evaluation. The macro fails to sanitize user-supplied input, allowing for **arbitrary code execution**.

### 🔥 Vulnerable Endpoint

```text
/xwiki/bin/get/Main/SolrSearch?media=rss&text=
```

An attacker can inject Groovy code into the `text` parameter, which is evaluated server-side due to improper input handling within the macro system.

### 💥 Example Payload

```text
}}}{{async async=false}}{{groovy}}'id'.execute(){{/groovy}}{{/async}}
```

This leads to unauthenticated **Remote Code Execution (RCE)** on vulnerable XWiki instances.
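As an added defender-side example (not part of the PoC repository or the original README), the following Python scans access-log lines in Common Log Format for requests to the SolrSearch endpoint whose `text` parameter carries XWiki macro syntax such as `}}}` and `{{groovy}}`, which is the shape of the payload shown above. The sample log lines, client addresses and function names are constructed for illustration.

```python
"""Flag CVE-2025-24893-style macro injection against Main.SolrSearch in access logs."""
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Markers of XWiki macro-syntax injection: '}}}' closes the verbatim block the
# search text is rendered in, and script macros follow it.
INJECTION_MARKERS = ("}}}", "{{groovy", "{{async", "{{/groovy", "{{velocity")
SOLRSEARCH_PATH = "/bin/get/Main/SolrSearch"

# Common Log Format: client ident user [time] "METHOD path PROTO" status size
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def is_solrsearch_injection(request_path: str) -> bool:
    """True if the request targets Main.SolrSearch with macro syntax in 'text'."""
    parts = urlsplit(request_path)
    if SOLRSEARCH_PATH not in parts.path:
        return False
    for value in parse_qs(parts.query).get("text", []):
        # Decode a second time to catch double-encoded payloads; compare lowercase
        # because XWiki macro names are matched case-insensitively.
        decoded = unquote_plus(value).lower()
        if any(marker in decoded for marker in INJECTION_MARKERS):
            return True
    return False


def scan_access_log(lines):
    """Return (client, timestamp, status) for each suspicious SolrSearch request."""
    hits = []
    for line in lines:
        match = CLF_RE.match(line)
        if not match:
            continue  # not a well-formed CLF line; skip rather than guess
        client, timestamp, _method, path, status = match.groups()
        if is_solrsearch_injection(path):
            hits.append((client, timestamp, int(status)))
    return hits


# Constructed sample lines (not real traffic): a benign search, an attempt
# carrying the URL-encoded payload from this page, and an unrelated page view.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Mar/2025:10:00:01 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=meeting+notes HTTP/1.1" 200 1532',
    '198.51.100.9 - - [01/Mar/2025:10:00:05 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync+async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7D%27id%27.execute%28%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 87',
    '192.0.2.4 - - [01/Mar/2025:10:00:09 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 9812',
]

if __name__ == "__main__":
    for client, timestamp, status in scan_access_log(SAMPLE_LOG):
        print(f"suspicious SolrSearch request from {client} at {timestamp} (HTTP {status})")
```

A 200 response to such a request on an unpatched instance is worth treating as a likely successful execution rather than a blocked attempt.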

### 🔬 Proof-of-Concept (PoC) Demonstration

#### 🧪 Target Environment

The vulnerable target is an XWiki instance running version `15.10.8`, which is affected by CVE-2025-24893.

![Vulnerable XWiki Interface](images/image.png)

---

#### 📡 Preparing the Listener

Start a Netcat listener on the attacker's machine to capture the reverse shell connection:

```bash
nc -lvnp 1337
```

![Netcat Listener Active on Port 1337](images/image1.png)

---

#### 🚀 Launching the Exploit

Run the exploit script `CVE-2025-24893-dbs.py` to deliver the Groovy-based RCE payload to the vulnerable XWiki endpoint.

![Running Exploit Script](images/image2.png)

---

#### 💻 Successful Remote Shell Access

Upon successful execution, the reverse shell will connect back to the listener, granting the attacker remote access to the server.

![Reverse Shell Acquired](images/image3.png)

---

### 📚 References

- OffSec Blog: [CVE-2025-24893 XWiki Groovy RCE](https://www.offsec.com/blog/cve-2025-24893/)
- NVD Entry: [CVE-2025-24893](https://nvd.nist.gov/vuln/detail/CVE-2025-24893)
File snapshot

[4.0K] /data/pocs/47ece05a923dce6e56697e8589edd4c51ba4c0e4
├── [3.1K] CVE-2025-24893-dbs.py
├── [4.0K] images
│   ├── [ 11K] image1.png
│   ├── [141K] image2.png
│   ├── [ 30K] image3.png
│   └── [134K] image.png
└── [2.4K] README.md

1 directory, 6 files
Cached for you by the Shenlong bot
Notes
    1. It is recommended to access the PoC through the source link first.
    2. If the source has expired or cannot be reached, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.