PoC | awesome-web-hacking |
---|---|
10 | 2 |
788 | 5,440 |
- | - |
5.3 | 5.4 |
3 months ago | about 2 months ago |
Ruby | |
GNU General Public License v3.0 only | MIT License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
PoC
- Unauthenticated Remote Code Execution in Cisco Nexus Dashboard Fabric Controller (formerly DCNM) using a vulnerability in 2017 in 2022 (it wasn't patched prior March 2021)
- Cisco Nexus Dashboard Fabric Controller unauth web-to-root shell
- Windows filehosting
  And the fix that they couldn't be bothered to implement? Literally one line of code.
- Pre-auth WAN remote root for Cisco RV340 VPN Gateway Router
- “They can take control of your TV and spy on you with the camera and the microphone”. Vodafone attack analyzed by one of the world's biggest ‘hackers’
- RCE vulnerability in TIBCO Data Virtualization
- Pwning Cisco ISE: from XSS to a root shell (w/ exploit video)
- Command Injection and SQL Injection Vulnerabilities in Micro Focus Operations Bridge Reporter (CVE-2021-22502)
- Unauth cmd injection as root on login / logout (plus other hilarious vulns) in Micro Focus Operations Bridge Reporter
- How We Hacked a TP-Link Router and Took Home $55.000 in Pwn2Own
  If you already have a day job in security, the $500 the manufacturer will give you won't give you a big boost. I prefer to drop the advisory and exploit after they fixed it even if I don't get money, as that gives me more street credz amongst the hacker crowd. See my github for examples: https://github.com/pedrib/PoC
awesome-web-hacking
What are some alternatives?
- CVE-2021-36260 - command injection vulnerability in the web server of some Hikvision product. Due to the insufficient input validation, attacker can exploit the vulnerability to launch a command injection attack by sending some messages with malicious commands.
- API-Security-Checklist - Checklist of the most important security countermeasures when designing, testing, and releasing your API
- dawnscanner - Dawn is a static analysis security scanner for ruby written web applications. It supports Sinatra, Padrino and Ruby on Rails frameworks.
- awesome-web-security - 🐶 A curated list of Web Security materials and resources.
- WhatWeb - Next generation web scanner
- 31-days-of-API-Security-Tips - This challenge is Inon Shkedy's 31 days API Security Tips.
- evil-winrm - The ultimate WinRM shell for hacking/pentesting
- see awesome-security - A collection of awesome software, libraries, documents, books, resources and cools stuffs about security.
- mad-metasploit - Metasploit custom modules, plugins, resource script and.. awesome metasploit collection
- Infosec_Reference - An Information Security Reference That Doesn't Suck; https://rmusser.net/git/admin-2/Infosec_Reference for non-MS Git hosted version.
- awesome-appsec - A curated list of resources for learning about application security
- Local-File-Inclusion-Payloads - Local File inclusion (LFI), or simply File Inclusion, refers to an inclusion attack through which an attacker can trick the web application into including files on the web server