Hello Hacking8!

Awesome environment for antsword tests

[GitHub]PoC for CVE-2022-28282
[ GitHub ]用于 CVE-2022-28282的 PoC

在公众号看到一篇文章 里面用｛：｝包含绕过了php的检测，并且执行了php代码，但没有想明白为什么可以成功，我直接用php5.3环境测试 ｛：...

Cloud Exploitation Framework 云环境利用框架，方便红队人员在获得 AK 的后续工作

Because of Covid, the first quarantaine in France occured in March 2020. During that time I wrote a Python script to detect Subdomain Takeover. As I have been successful several times with the tool, one hit was especially beautiful. The story of how I have been able to take control of 450+ subdomains of the national french electricity company EDF. I'm not going to explain what is subdomain takeover so take a look at the following articles if you want to know more: OWASP test guide
由于冠状病毒疾病，法国于2020年3月实施了首次隔离。在此期间，我编写了一个 Python 脚本来检测子域接管。由于我已经成功使用了几次工具，其中一次打击是特别美丽的。我是如何能够控制法国国家电力公司 EDF 的450多个子域名的故事。我不打算解释什么是子域名接管，所以如果你想知道更多，请看下面的文章: OWASP 测试指南

A Collection of Logger++ Filters for Hunting API Vulnerabilities

SharpImpersonation是一款功能强大的用户模拟工具，该工具基于令牌机制和Shellcode注入技术实现其功能。

A local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according predefined policies. The current version of pkexec doesn't handle the calling parameters count correctly and ends trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way it'll induce pkexec to execute arbitrary code. When successfully executed the attack can cause a local privilege escalation given unprivileged users administrative rights on the target machine.
[GitHub]Vulnerability to CVE-2021-4034 Pwnkit
在 polkit 的 pkexec 实用程序上发现了一个本地权限提升漏洞。Pkexec 应用程序是一个 setuid 工具，旨在允许非特权用户根据预定义的策略以特权用户的身份运行命令。当前版本的 pkexec 不能正确处理调用参数计数，并且不能以命令的形式执行环境变量。攻击者可以利用这一点，通过创建环境变量来诱导 pkexec 执行任意代码。当攻击成功执行时，可能会导致一个本地权限提升，给予不享有特权的用户在目标计算机上的管理权限。
CVE-2021-4034 Pwnkit 的漏洞

Spring Cloud Function 是基于 Spring Boot 的函数计算框架。

数据安全高速扩张前提下，如何低成本、高效解决数据暴露性问题？戳美团安全团队技术文章了解～

Remote Procedure Call Runtime Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-24492, CVE-2022-24528.
[GitHub]writeup and poc for [CVE-2022-26809]
远程过程调用运行时远程代码执行漏洞。这个 CVE ID 是 CVE-2022-24492，CVE-2022-24528中唯一的。
[ GitHub ] Writeup and poc for [ CVE-2022-26809]

The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. This issue makes the RSA implementation with 2048 bit private keys incorrect on such machines and memory corruption will happen during the computation. As a consequence of the memory corruption an attacker may be able to trigger a remote code execution on the machine performing the computation. SSL/TLS servers or other servers using 2048 bit RSA private keys running on machines supporting AVX512IFMA instructions of the X86_64 architecture are affected by this issue.
[GitHub]A POC OF CVE-2022-2274 (openssl)
OpenSSL 3.0.4版本在支持 AVX512IFMA 指令的 X86 _ 64 CPU 的 RSA 实现中引入了一个严重的 bug。这个问题使得在这些机器上使用2048位私钥的 RSA 实现不正确，并且在计算过程中会发生内存损坏。由于内存损坏，攻击者可能能够在执行计算的机器上触发远程代码执行。使用2048位 RSA 私钥的 SSL/TLS 服务器或其他服务器运行在支持 X86 _ 64体系结构的 AVX512IFMA 指令的机器上，受到这个问题的影响。
[ GitHub ] CVE-2022-2274的 POC (openssl)

Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method.
[GitHub]CVE-2016-2098 POC
3.2.22.2之前 Ruby on Rails 中的 Action Pack，4.1之前的4.x，14.2之前的4.2,4.2之前的4.2。5.2允许远程攻击者利用应用程序无限制地使用呈现方法来执行任意的 Ruby 代码。
[ GitHub ] CVE-2016-2098 POC

我想使用System.Net.HttpServerSessionHandle这个内部类，使用如下语句，获取到的变量是NULL，求教应该怎么解决？ var h...

it is very good

Finding potential software vulnerabilities from git commit messages

有新的漏洞组件被发现啦,组件ID:Adobe Experience Manager
Adobe Experience Manager versions 6.5.13.0 (and earlier) is affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. Exploitation of this issue requires low-privilege access to AEM.

Adobe 体验管理器版本6.5.13.0(以及更早版本)受到反射跨网站脚本(xSS)漏洞的影响。如果攻击者能够说服受害者访问引用易受攻击页面的 URL，那么恶意的 JavaScript 内容可能会在受害者浏览器的上下文中执行。利用这个问题需要对 AEM 的低权限访问。

有新的漏洞组件被发现啦,组件ID:Adobe Experience Manager
Adobe Experience Manager versions 6.5.13.0 (and earlier) is affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. Exploitation of this issue requires low-privilege access to AEM.

Adobe 体验管理器版本6.5.13.0(以及更早版本)受到反射跨网站脚本(xSS)漏洞的影响。如果攻击者能够说服受害者访问引用易受攻击页面的 URL，那么恶意的 JavaScript 内容可能会在受害者浏览器的上下文中执行。利用这个问题需要对 AEM 的低权限访问。

Topic: Testa 3.5.1 Online Test Management System Reflected Cross-Site Scripting (XSS) Risk: Low Text:# Exploit Title: Testa 3.5.1 Online Test Management System - Reflected Cross-Site Scripting (XSS) # Date: 28/08/2022 # Exploi...

Topic: TP-Link Tapo c200 1.1.15 Remote Code Execution Risk: High Text:# Exploit Title: TP-Link Tapo c200 1.1.15 - Remote Code Execution (RCE) # Date: 02/11/2022 # Exploit Author: hacefresko # Ve...

Topic: Teleport 10.1.1 Remote Code Execution Risk: High Text:# Exploit Title: Teleport v10.1.1 - Remote Code Execution (RCE) # Date: 08/01/2022 # Exploit Author: Brandon Roach & Brian La...

Topic: Multix 2.4 Cross Site Scripting Risk: Low Text:# Exploit Title: Multix - Multipurpose Website CMS with Codeigniter Reflected Cross Site Scripting # Exploit Author: th3d1gger...
主题: Multix 2.4跨网站脚本风险: 低文本: # 开发标题: Multix-multipurtieswebcmswithcodeigniter 反射跨网站脚本 # 开发作者: th3d1gger..。

Topic: WorkOrder CMS 0.1.0 Cross Site Scripting Risk: Low Text:# Exploit Title: WorkOrder CMS 0.1.0 Cross-Site Scripting (XSS) # Date: Sep 22, 2022 # Exploit Author: Chokri Hammedi ...

Topic: WorkOrder CMS 0.1.0 SQL Injection Risk: Medium Text:# Exploit Title: WorkOrder CMS 0.1.0 SQLI # Date: Sep 22, 2022 # Exploit Author: Chokri Hammedi # Vendor Homepage: htt...

有新的漏洞组件被发现啦,组件ID:Apache
Apache Pulsar Brokers and Proxies create an internal Pulsar Admin Client that does not verify peer TLS certificates, even when tlsAllowInsecureConnection is disabled via configuration. The Pulsar Admin Client's intra-cluster and geo-replication HTTPS connections are vulnerable to man in the middle attacks, which could leak authentication data, configuration data, and any other data sent by these clients. An attacker can only take advantage of this vulnerability by taking control of a machine 'between' the client and the server. The attacker must then actively manipulate traffic to perform the attack. This issue affects Apache Pulsar Broker and Proxy versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0; 2.6.4 and earlier.

Apache Pulsar Brokers 和 Proxy 创建一个内部 Pulsar Admin Client，它不验证对等 TLS 证书，即使通过配置禁用了 tlsAllowInsecureConnection。Pulsar Admin Client 的集群内部和地理复制 HTTPS 连接容易受到中间攻击者的攻击，这可能泄露身份验证数据、配置数据和这些客户机发送的任何其他数据。攻击者只能通过控制客户端和服务器之间的机器来利用这个漏洞。然后攻击者必须主动操纵流量来执行攻击。这个问题影响到 Apache Pu

有新的漏洞组件被发现啦,组件ID:Apache
TLS hostname verification cannot be enabled in the Pulsar Broker's Java Client, the Pulsar Broker's Java Admin Client, the Pulsar WebSocket Proxy's Java Client, and the Pulsar Proxy's Admin Client leaving intra-cluster connections and geo-replication connections vulnerable to man in the middle attacks, which could leak credentials, configuration data, message data, and any other data sent by these clients. The vulnerability is for both the pulsar+ssl protocol and HTTPS. An attacker can only take advantage of this vulnerability by taking control of a machine 'between' the client and the server. The attacker must then actively manipulate traffic to perform the attack by providing the client with a cryptographically valid certificate for an unrelated host. This issue affects Apache Pulsar Broker, Proxy, and WebSocket Proxy versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0; 2.6.4 and earlier.

在 Pulsar Broker 的 Java Client、 Pulsar Broker 的 Java Admin Client、 Pulsar WebSocket 

有新的漏洞组件被发现啦,组件ID:Apache
Delayed TLS hostname verification in the Pulsar Java Client and the Pulsar Proxy make each client vulnerable to a man in the middle attack. Connections from the Pulsar Java Client to the Pulsar Broker/Proxy and connections from the Pulsar Proxy to the Pulsar Broker are vulnerable. Authentication data is sent before verifying the server’s TLS certificate matches the hostname, which means authentication data could be exposed to an attacker. An attacker can only take advantage of this vulnerability by taking control of a machine 'between' the client and the server. The attacker must then actively manipulate traffic to perform the attack by providing the client with a cryptographically valid certificate for an unrelated host. Because the client sends authentication data before performing hostname verification, an attacker could gain access to the client’s authentication data. The client eventually closes the connection when it verifies the hostname and identifies the targeted h

有新的漏洞组件被发现啦,组件ID:Apache
Improper Input Validation vulnerability in Proxy component of Apache Pulsar allows an attacker to make TCP/IP connection attempts that originate from the Pulsar Proxy's IP address. When the Apache Pulsar Proxy component is used, it is possible to attempt to open TCP/IP connections to any IP address and port that the Pulsar Proxy can connect to. An attacker could use this as a way for DoS attacks that originate from the Pulsar Proxy's IP address. It hasn’t been detected that the Pulsar Proxy authentication can be bypassed. The attacker will have to have a valid token to a properly secured Pulsar Proxy. This issue affects Apache Pulsar Proxy versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.2; 2.9.0 to 2.9.1; 2.6.4 and earlier.

Apache Pulsar 代理组件的不正确的输入验证漏洞允许攻击者尝试从 Pulsar 代理的 IP 地址进行 TCP/IP 连接。当使用 Apache Pulsar 代理组件时，可以尝试打开到 Pulsar 代理可以连接到的任何 IP 地址和端口的 TCP/IP 连接。攻击者可以利用这种方式来攻击源自 Pulsar 代理的 IP 地址的 DoS 攻击。它尚未检测到脉冲星代理身份验证可以绕过。攻击者必须有一个有效的令牌到一个适当安全的脉冲星代理。这个问题影响到 Apache Pulsar Proxy 版本2.7.0到2.7.4; 

🙃 A delightful community-driven (with 2,000+ contributors) framework for managing your zsh configuration. Includes 300+ optional plugins (rails, gi…

Erebus is a fast tool for parameter-based vulnerability scanning using a Yaml based template engine like nuclei.

Nuclei Templates Collection

Testa 3.5.1 Online Test Management System Reflected Cross-Site Scripting XSS
Testa 3.5.1在线测试管理系统反映了跨网站脚本 XSS

TP-Link Tapo c200 1.1.15 Remote Code Execution

Teleport 10.1.1 Remote Code Execution
传送10.1.1远程代码执行

Multix 2.4 Cross Site Scripting
多重2.4跨网站脚本

WorkOrder CMS 0.1.0 Cross Site Scripting
工作订单内容管理系统0.1.0跨网站脚本

WorkOrder CMS 0.1.0 SQL Injection

HTTP Request Smuggling over HTTP/2 Cleartext (h2c)

Installation of RasPBX for beginners.

Understanding the NMAP methodology — Part 2
Understanding the NMAP methodology from beginner to advance
Description:
In today’s article we are going to learn about some advance network mapping techniques with nmap. If you haven’t read Part 1 then i suggest you to gone through before reading this article.
As we have already seen some basics on network mapping in part one it is worth to know some advanced and essentials techniques to scan and map a network.
1. TCP Null Scan
As the name suggests, TCP null scan does not sets any flags while sending a packet to a particular port or service. A TCP packet with no flags set will not trigger any response when it will reach to an open port. That indicates that the port is open.
nmap -sN <ip>
-sN : TCP null scan flag
1) NULL TCP Packet -->
(If no response, port is open/filtered)
2) NULL TCP Packet -->
RST/ACK <--
(Port closed/filtered)
If we receives a packet with RST(Reset)/ACK(Acknowledgement) that indicates the port is closed or filtered.
2. TCP FIN Scan
TCP FIN scan

How to exploit a stored XSS vulnerability on DVWA — StackZero
Introduction
Hi reader! Yet another walkthrough, this time I want to enforce your practical understanding of Stored XSS by exploiting DVWA again.
I just want to anticipate that the basic concept is not far from the reflected XSS we have already seen in our previous articles.
However, this vulnerability can be far more dangerous than Reflected XSS due to its persistence.
Just to give you an idea of what I said, the only victim in the case of Reflected XSS is the receiver of the malicious URL, on the contrary, a Stored XSS can hit everybody who visits the exploited page.
Before we get into the world of Stored XSS vulnerability in practice I recommend you take a look at my articles about XSS (they are in order of difficulty):
The terrifying world of Cross-Site Scripting (XSS) (Part 1)
The terrifying world of Cross-Site Scripting (XSS) (Part 2)
XSS in practice: how to exploit XSS in web applications
Reflected XSS DVWA — An Exploit With Real World Conse

Java Agent Library to log SSL session keys to a file for Wireshark

A crossplatform mDNS enumeration tool.

Python version of the C# tool for "Shadow Credentials" attacks

Python tool to Check running WebClient services on multiple targets based on @leechristensen

Teleport是一款简单易用的堡垒机系统。

An Extensible Transpiler for PowerShell (and anything else)

TLD Parser in Go