Exploit for CVE-2025-32429
Description

CVE-2025-32429 XWiki SQL Injection PoC

Author: Byte Reaper
Telegram: @ByteReaper0
CVE: CVE-2025-32429
Vulnerability: Blind SQL Injection in XWiki LiveData REST API
Affected File: getdeleteddocuments.vm (sort parameter)

Description:
A blind SQL Injection vulnerability exists in XWiki Platform's LiveData REST endpoint when using the sort parameter in getdeleteddocuments.vm. An attacker can inject arbitrary SQL fragments, leveraging time-based payloads (SLEEP) or union-based queries to enumerate database contents.

This repository provides a C-based Proof-of-Concept that:
- Detects WAF/rate-limiter interference before exploitation.
- Iterates a set of SQLi payloads (boolean, time-based).
- Measures response time and searches for indicative keywords.
- Prints out any extracted evidence of vulnerability.

Requirements:
- Linux x86_64
- GCC
- libcurl development headers
- argparse C library

Compile:
    gcc -o exploit exploit.c argparse.c -lcurl

Usage:
    ./exploit -u [-c cookies.txt] [-v]

    -u, --url     : Base URL of target XWiki instance
    -c, --cookies : (Optional) Path to cookie jar for authenticated sessions
    -v, --verbose : Enable verbose debug output

Examples:
Unauthenticated test against public instance
    ./exploit -u https://victim.com
Using cookies for authenticated context
    ./exploit -u https://intranet.xwiki.local -c session.txt -v

Workflow:
WAF Detection
- Sends a benign payload with User-Agent: sqlmap
- Checks for blocking HTTP codes (403/404/503), unusual redirects, time-delays,…
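A defender-side check for the behaviour described above, added here as an example (it is not part of the PoC repository or of XWiki): it flags access-log lines that reference getdeleteddocuments with a sort value that is not a plain column name, or that carry the sqlmap User-Agent the PoC's WAF check sends. The log lines, the URL path and the `template` parameter name are constructed placeholders, and the allowed sort syntax is an assumption.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request target and User-Agent from a combined-format access log line.
LOG_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+" \d{3} \S+ "[^"]*" "([^"]*)"')
# Assumption: a legitimate sort value is a bare column name, optionally ":asc"/":desc".
SAFE_SORT = re.compile(r"^[A-Za-z_][A-Za-z0-9_.]*(?::(?:asc|desc))?$", re.I)
SQL_HINTS = re.compile(r"\b(sleep|benchmark|union|select)\b", re.I)

def inspect(line):
    """Return the sorted reasons a log line looks like probing of the sort parameter."""
    m = LOG_RE.search(line)
    if not m:
        return []
    target, agent = m.groups()
    if "getdeleteddocuments" not in unquote(target).lower():
        return []  # not the template this page is about
    reasons = set()
    # parse_qs percent-decodes values, so encoded commas and quotes are seen in clear.
    for value in parse_qs(urlsplit(target).query).get("sort", []):
        if not SAFE_SORT.match(value):
            reasons.add("sort-not-identifier")
        if SQL_HINTS.search(value):
            reasons.add("sql-keyword-in-sort")
    if "sqlmap" in agent.lower():
        reasons.add("scanner-user-agent")
    return sorted(reasons)

def scan(lines):
    """Map 1-based line numbers to reasons for every flagged line."""
    return {n: r for n, line in enumerate(lines, 1) if (r := inspect(line))}

# Constructed sample log; the URL path is a placeholder, not XWiki's real route.
PREFIX = '203.0.113.7 - - [01/Aug/2025:10:00:00 +0000] "GET '
BASE = "/xwiki/PLACEHOLDER/entries?template=getdeleteddocuments.vm&sort="
SAMPLE = [
    PREFIX + BASE + 'date HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    PREFIX + BASE + 'date%2CSLEEP(5) HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    PREFIX + BASE + 'date HTTP/1.1" 403 0 "-" "sqlmap"',
    PREFIX + '/xwiki/bin/view/Main/?sort=a%3Bb HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, reasons in scan(SAMPLE).items():
        print(number, reasons)
```

The same allow-list pattern can be applied at a reverse proxy or WAF to reject non-identifier sort values before they reach the application.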
