CVE-2025-24893 PoC — Remote code execution as guest via SolrSearchMacros request in xwiki

Title:Remote code execution as guest via SolrSearchMacros request in xwiki (CVE-2025-24893)
Description:XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to `<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If there is an output, and the title of the RSS feed contains `Hello from search text:42`, then the instance is vulnerable. This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1. Users are advised to upgrade. Users unable to upgrade may edit `Main.SolrSearchMacros` in `SolrSearchMacros.xml` on line 955 to match the `rawResponse` macro in `macros.vm#L2824` with a content type of `application/xml`, instead of simply outputting the content of the feed.

XWiki SolrSearchMacros 远程代码执行漏洞PoC（CVE-2025-24893）

免责申明： 

本文所描述的漏洞及其复现步骤仅供网络安全研究与教育目的使用。任何人不得将本文提供的信息用于非法目的或未经授权的系统测试。 作者不对任何由于使用本文信息而导致的直接或间接损害承担责任。 如涉及侵权，请及时与我们联系，我们将尽快处理并删除相关内容。


博客地址：https://blog.csdn.net/xc_214/article/details/145852677?spm=1001.2014.3001.5501

使用方法：
python CVE-2025-24893.py [URL] [COMMAND]


![image](https://github.com/user-attachments/assets/7c88a60d-17d5-4205-8a58-e7d2d8b28ae8)


![image](https://github.com/user-attachments/assets/4770a00a-9751-44a7-8b7f-80a87091a9fe)

 [4.0K]  /data/pocs/2aeaf18db3fc26ece81c9fe2d8884f7fc7319565
├── [2.3K]  CVE-2025-24893.py
└── [ 719]  README.md

0 directories, 2 files