关联漏洞
标题:
XWiki Platform SQL注入漏洞
(CVE-2025-32429)
描述:XWiki Platform是XWiki开源的一套用于创建Web协作应用程序的Wiki平台。 XWiki Platform 9.4-rc-1至16.10.5版本和17.0.0-rc-1至17.2.2版本存在SQL注入漏洞,该漏洞源于getdeleteddocuments.vm中参数sort的错误操作导致SQL注入。
描述
Exploit for CVE-2025-32429 – SQLi in XWiki REST API (getdeleteddocuments.vm).
介绍
# CVE-2025-32429 XWiki SQL Injection PoC
**Author:** Byte Reaper
**Telegram:** [@ByteReaper0](https://t.me/ByteReaper0)
**CVE:** CVE‑2025‑32429
**Vulnerability:** Blind SQL Injection in XWiki LiveData REST API
**Affected File:** `getdeleteddocuments.vm` (sort parameter)
---
## Description :
A blind SQL Injection vulnerability exists in XWiki Platform’s LiveData REST endpoint when using the `sort` parameter in `getdeleteddocuments.vm`. An attacker can inject arbitrary SQL fragments, leveraging time‐based payloads (`SLEEP`) or union‐based queries to enumerate database contents.
This repository provides a C-based Proof‑of‑Concept that:
1. Detects WAF/rate‑limiter interference before exploitation.
2. Iterates a set of SQLi payloads (boolean, time‑based).
3. Measures response time and searches for indicative keywords.
4. Prints out any extracted evidence of vulnerability.
---
## Requirements
- Linux x86_64
- GCC
- [libcurl](https://curl.se/libcurl/) development headers
- [argparse](https://github.com/cofyc/argparse) C library
---
Compile:
gcc -o exploit exploit.c argparse.c -lcurl
## Usage
./exploit -u <BASE_URL> [-c cookies.txt] [-v]
-u, --url : Base URL of target XWiki instance
-c, --cookies : (Optional) Path to cookie jar for authenticated sessions
-v, --verbose : Enable verbose debug output
Examples
Unauthenticated test against public instance
./exploit -u http://victim.com
Using cookies for authenticated context
./exploit -u https://intranet.xwiki.local -c session.txt -v
## Workflow:
WAF Detection
Sends a benign payload with User-Agent: sqlmap
Checks for blocking HTTP codes (403/404/503), unusual redirects, time‑delays, signature keywords in response, and connection resets
Exploit Loop
Iterates through predefined SQL payloads: boolean checks, SLEEP() injections, union queries
Measures total request time (CURLINFO_TOTAL_TIME) to detect time‑based injection
Searches response body for SQL keywords (select, union, etc.) to confirm injection success
## Mitigation :
Upgrade XWiki to a version where getdeleteddocuments.vm properly sanitizes the sort parameter.
Apply parameterized queries or whitelist allowable sort fields.
Deploy a WAF or input‐validation layer that normalizes and rejects unexpected SQL metacharacters in parameters.
## License :
MIT
文件快照
[4.0K] /data/pocs/fe035de02a5996bcc1c03fc98a592bfadf9cb67c
├── [ 27K] exploit.c
├── [1.0K] LICENSE
└── [2.4K] README.md
0 directories, 3 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。