
Overview

This section covers POCs for various other systems including VMware vCenter, Atlassian Confluence, GitLab, F5 BIG-IP, ThinkPHP, Fortinet, Microsoft products, and more.

  • VMware: vCenter RCE vulnerabilities
  • Confluence: OGNL injection RCE
  • GitLab: ExifTool RCE
  • F5 BIG-IP: TMUI & iControl RCE
  • ThinkPHP: PHP framework RCE
  • Microsoft: Exchange & SMB vulns
  • Fastjson: Java JSON RCE
  • JBoss: Deserialization RCE
  • PHPUnit: PHP testing RCE

VMware vCenter

CVE-2021-21985 - vCenter RCE

  • Type: Remote Code Execution
  • Affected Product: VMware vCenter Server
  • Discovery Date: May 2021
  • CVSS Score: 9.8 (Critical)

Description: RCE in the vSphere Client (HTML5) through the Virtual SAN Health Check plugin, which is enabled by default even when vSAN is not in use. An attacker with network access to port 443 can execute commands on the underlying operating system without authenticating.
Source: pocs_go/VMware/vCenter/CVE_2021_21985.go

CVE-2022-22954 - VMware Workspace ONE RCE

  • Type: Remote Code Execution (SSTI)
  • Affected Product: VMware Workspace ONE Access, Identity Manager
  • Discovery Date: April 2022
  • CVSS Score: 9.8 (Critical)

Description: Server-side template injection in the FreeMarker templating used by the web interface, allowing unauthenticated RCE.
Attack Vector: Attacker-controlled request parameters rendered by the template engine
Source: pocs_go/VMware/vCenter/CVE-2022-22954.go (note that the POC lives in the vCenter directory although the product is Workspace ONE)

CVE-2022-22972 - Authentication Bypass

  • Type: Authentication Bypass
  • Affected Product: VMware Workspace ONE Access, Identity Manager
  • Discovery Date: May 2022
  • CVSS Score: 9.8 (Critical)

Description: Authentication bypass via a crafted Host header. An attacker with network access to the UI can obtain administrative access without authenticating; chained with a post-authentication issue this can lead to RCE.
Source: pocs_go/VMware/vCenter/CVE_2022_22972.go

Atlassian Confluence

CVE-2021-26084 - OGNL Injection RCE

  • Type: Remote Code Execution (OGNL Injection)
  • Affected Product: Atlassian Confluence Server/Data Center
  • Discovery Date: August 2021
  • CVSS Score: 9.8 (Critical)

Description: OGNL (Object-Graph Navigation Language) injection in Confluence Server and Data Center that allows unauthenticated attackers to execute arbitrary code.
Attack Vector: Malicious OGNL expressions in request parameters (for example queryString) of several .action endpoints such as /pages/doenterpagevariables.action
Source: pocs_go/confluence/CVE_2021_26084.go

CVE-2021-26085 - Pre-auth Arbitrary File Read

  • Type: Arbitrary File Read (pre-authentication)
  • Affected Product: Atlassian Confluence Server
  • Discovery Date: August 2021

Description: Path handling in the /s/ resource endpoint lets an unauthenticated attacker read restricted files from the Confluence web root (for example WEB-INF/web.xml), which is useful for reconnaissance before an RCE attempt.
Source: pocs_go/confluence/CVE-2021-26085.go

CVE-2022-26134 - OGNL Injection RCE

  • Type: Remote Code Execution
  • Affected Product: Atlassian Confluence Server/Data Center
  • Discovery Date: June 2022
  • CVSS Score: 9.8 (Critical)

Description: Unauthenticated OGNL injection through the URI path: a ${...} expression placed in the request path is evaluated server-side. Actively exploited in the wild as a zero-day before a patch was available.
Source: pocs_go/confluence/CVE_2022_26134.go
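Both Confluence OGNL issues leave a recognizable trace in the web server access log: CVE-2022-26134 puts a ${...} expression in the request path, and CVE-2021-26084 puts OGNL tokens in a queryString parameter sent to an .action endpoint. The following Go program is an added example written for this page, not part of scan4all; it scans constructed Combined-Log-Format lines (not real captures) and reports which CVE shape each request matches. The token list and endpoint rules are assumptions chosen for the demo, not an official signature set.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed access-log lines for the demo; they are not real captures.
// Line 1 carries a URL-encoded ${...} in the path (CVE-2022-26134 shape),
// line 3 carries OGNL tokens in a queryString parameter sent to an .action
// endpoint (CVE-2021-26084 shape), line 2 is ordinary traffic.
const sampleAccessLog = `10.0.0.5 - - [03/Jun/2022:10:15:02 +0000] "GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29%7D/ HTTP/1.1" 302 0 "-" "curl/7.79"
10.0.0.7 - - [03/Jun/2022:10:15:09 +0000] "GET /pages/viewpage.action?pageId=12345 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Sep/2021:08:01:44 +0000] "POST /pages/doenterpagevariables.action?queryString=%5Cu0027%2B%7BClass.forName%28%5Cu0027javax.script.ScriptEngineManager%5Cu0027%29%7D HTTP/1.1" 200 512 "-" "python-requests/2.26"`

// Finding records one suspicious request.
type Finding struct {
	Line   int
	Client string
	Method string
	Target string
	CVE    string
}

// clfRequest extracts client, method and target from a CLF line.
var clfRequest = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"`)

// ognlTokens are fragments that appear in OGNL payloads but not in ordinary
// Confluence queryString values (assumed list for the demo).
var ognlTokens = []string{"\\u0027", "Class.forName", "{", "#"}

// classifyRequest returns the CVE whose request shape matches, or "".
func classifyRequest(method, target string) string {
	u, err := url.Parse(target)
	if err != nil {
		return ""
	}
	// url.Parse decodes the path once; decode again to catch double encoding.
	path := u.Path
	if p, err := url.PathUnescape(path); err == nil {
		path = p
	}
	if strings.Contains(path, "${") {
		return "CVE-2022-26134"
	}
	if strings.HasSuffix(u.Path, ".action") {
		qs := u.Query().Get("queryString")
		for _, tok := range ognlTokens {
			if strings.Contains(qs, tok) {
				return "CVE-2021-26084"
			}
		}
	}
	return ""
}

// ScanAccessLog applies classifyRequest to every line of an access log.
func ScanAccessLog(logText string) []Finding {
	var out []Finding
	for i, line := range strings.Split(logText, "\n") {
		m := clfRequest.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		if cve := classifyRequest(m[2], m[3]); cve != "" {
			out = append(out, Finding{Line: i + 1, Client: m[1], Method: m[2], Target: m[3], CVE: cve})
		}
	}
	return out
}

func main() {
	for _, f := range ScanAccessLog(sampleAccessLog) {
		fmt.Printf("line %d: %s %s %s -> %s\n", f.Line, f.Client, f.Method, f.Target, f.CVE)
	}
}
```

Access logs only record the query string, so CVE-2021-26084 attempts that carry queryString in a POST body are invisible to this check; for those, inspect request bodies at the reverse proxy or WAF instead.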

CVE-2022-26318

  • Type: Confluence Vulnerability (as catalogued by the POC)
  • Affected Product: Atlassian Confluence
  • Discovery Date: 2022

Note: NVD assigns CVE-2022-26318 to an unauthenticated RCE in WatchGuard Firebox/XTM appliances (Fireware OS), not to Confluence. Verify which check the source file actually implements before relying on this identifier.
Source: pocs_go/confluence/CVE_2022_26318.go

GitLab

CVE-2021-22205 - ExifTool RCE

  • Type: Remote Code Execution
  • Affected Product: GitLab CE/EE
  • Discovery Date: April 2021
  • CVSS Score: 10.0 (Critical)

Description: RCE via ExifTool when GitLab strips metadata from uploaded images. The underlying bug is in ExifTool's DjVu parser (CVE-2021-22204); GitLab handed uploads to ExifTool based on the file extension, so a DjVu payload renamed to .jpg reached the vulnerable parser, and the upload endpoint did not require authentication.
Attack Vector: Malicious image file with crafted metadata
Exploitation:
  1. Upload crafted image file (DjVu content with an image extension)
  2. ExifTool processes metadata
  3. Arbitrary command execution as the git user
Source: pocs_go/gitlab/CVE_2021_22205.go

CVE-2022-2185 - Project Import RCE

  • Type: Remote Code Execution (authenticated)
  • Affected Product: GitLab CE/EE 14.0 before 14.10.5, 15.0 before 15.0.4, 15.1 before 15.1.1
  • Discovery Date: June 2022

Description: An authenticated user who is allowed to import projects can upload a maliciously crafted project export that leads to remote code execution on the GitLab server.
Source: pocs_go/gitlab/CVE-2022-2185.go

F5 BIG-IP

CVE-2020-5902 - TMUI RCE

  • Type: Remote Code Execution
  • Affected Product: F5 BIG-IP
  • Discovery Date: July 2020
  • CVSS Score: 9.8 (Critical)

Description: Directory traversal and RCE in the Traffic Management User Interface (TMUI). A "..;/" path segment (for example /tmui/login.jsp/..;/tmui/...) is interpreted differently by the Apache front end and the Tomcat back end, so unauthenticated requests reach TMUI pages that read and write files and run tmsh commands.
Vulnerable Component: TMUI (web management interface)
Attack Vector: Directory traversal → file read/write → RCE
Source: pocs_go/f5/CVE_2020_5902.go

CVE-2021-22986 - iControl REST RCE

  • Type: Remote Code Execution
  • Affected Product: F5 BIG-IP iControl REST
  • Discovery Date: March 2021
  • CVSS Score: 9.8 (Critical)

Description: Unauthenticated RCE via the iControl REST API.
Source: pocs_go/f5/CVE_2021_22986.go

CVE-2022-1388 - Authentication Bypass RCE

  • Type: Authentication Bypass → RCE
  • Affected Product: F5 BIG-IP
  • Discovery Date: May 2022
  • CVSS Score: 9.8 (Critical)

Description: Missing authentication check in iControl REST allows unauthenticated RCE.
Exploitation: Listing X-F5-Auth-Token in the Connection header makes the front-end proxy strip the token header as hop-by-hop before forwarding, and the back end then accepts the supplied HTTP basic-auth username without password validation; requests to /mgmt/ endpoints that run commands are executed as root. F5's published mitigation is to reject requests whose Connection header contains X-F5-Auth-Token.
Source: pocs_go/f5/CVE_2022_1388.go
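Both F5 issues above have request-level signatures that a reverse proxy, WAF or IDS can match before the request reaches the BIG-IP management plane: the "..;" traversal segment under /tmui/ for CVE-2020-5902, and a Connection header that names X-F5-Auth-Token on a /mgmt/ request for CVE-2022-1388. The Go program below is an added example written for this page (not scan4all code) that parses constructed raw HTTP requests (not real captures) and classifies each one; the sample requests and the path prefixes are assumptions for the demo.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"strings"
)

// Constructed raw requests for the demo, not real captures. The first two
// follow the published CVE-2022-1388 and CVE-2020-5902 request shapes; the
// last two are legitimate iControl REST and TMUI traffic.
var sampleRequests = []string{
	"POST /mgmt/tm/util/bash HTTP/1.1\r\nHost: bigip\r\nX-F5-Auth-Token: a\r\nConnection: keep-alive, X-F5-Auth-Token\r\nContent-Length: 0\r\n\r\n",
	"GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1\r\nHost: bigip\r\n\r\n",
	"GET /mgmt/tm/sys/version HTTP/1.1\r\nHost: bigip\r\nX-F5-Auth-Token: abc123\r\nConnection: keep-alive\r\n\r\n",
	"GET /tmui/login.jsp HTTP/1.1\r\nHost: bigip\r\n\r\n",
}

// connectionLists reports whether the Connection header names the given
// header; matching is case-insensitive and tolerant of the comma list, since
// the proxy applies the same loose parsing when deciding what to strip.
func connectionLists(h http.Header, name string) bool {
	for _, v := range h.Values("Connection") {
		for _, tok := range strings.Split(v, ",") {
			if strings.EqualFold(strings.TrimSpace(tok), name) {
				return true
			}
		}
	}
	return false
}

// ClassifyRequest parses one raw HTTP request and returns the CVE whose
// signature it matches, or "" for traffic that looks legitimate.
func ClassifyRequest(raw string) (string, error) {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		return "", err
	}
	path := req.URL.Path
	// CVE-2022-1388: a Connection header naming X-F5-Auth-Token makes the
	// front-end proxy drop the token before the back end sees the request.
	if strings.HasPrefix(path, "/mgmt/") && connectionLists(req.Header, "X-F5-Auth-Token") {
		return "CVE-2022-1388", nil
	}
	// CVE-2020-5902: "..;" in a TMUI path is the traversal that the Apache
	// front end and the Tomcat back end interpret differently. Check the raw
	// RequestURI so that no URL normalisation hides the segment.
	if strings.HasPrefix(path, "/tmui/") && strings.Contains(req.RequestURI, "..;") {
		return "CVE-2020-5902", nil
	}
	return "", nil
}

func main() {
	for i, raw := range sampleRequests {
		cve, err := ClassifyRequest(raw)
		if err != nil {
			fmt.Printf("request %d: parse error: %v\n", i, err)
			continue
		}
		if cve == "" {
			cve = "ok"
		}
		fmt.Printf("request %d: %s\n", i, cve)
	}
}
```

A legitimate iControl REST client sends X-F5-Auth-Token as a normal header and never lists it in Connection, so the first rule has essentially no false positives; the second rule mirrors F5's own LocationMatch mitigation for CVE-2020-5902 and should be applied to the raw, undecoded request line.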

ThinkPHP

CVE-2019-9082

  • Type: Remote Code Execution
  • Affected Versions: < 3.2.4
  • Discovery Date: February 2019

Description: RCE in ThinkPHP framework versions before 3.2.4. The s route parameter is not validated, so a request can select an internal class and method (the invokefunction route with call_user_func_array) and run arbitrary PHP functions.
Source: pocs_go/ThinkPHP/check.go

CVE-2018-20062

  • Type: Remote Code Execution
  • Affected Versions: 5.0.23 and earlier, 5.1.31 and earlier
  • Discovery Date: December 2018
  • CVSS Score: 9.8 (Critical)

Description: RCE via the Request class in ThinkPHP 5.x. Missing controller-name validation lets a request route to \think\Request::input with an attacker-chosen filter callback (for example system), which PHP then calls on the supplied data.
Source: pocs_go/ThinkPHP/check.go

Fastjson

VER-1262 - Autotype RCE

  • Type: Remote Code Execution
  • Affected Versions: ≤ 1.2.62
  • Issue: Autotype Deserialization

Description: Fastjson's autotype feature lets a JSON document name the Java class to instantiate through the "@type" key, and gadget classes on the classpath turn that into RCE. Versions up to 1.2.62 have known bypasses of the autotype blacklist; later releases added a safeMode switch that disables autotype entirely.
Attack Vector: Malicious JSON payload with @type directive
Example Payload (a non-destructive probe: java.net.Inet4Address resolves the hostname in "val", so an out-of-band DNS lookup confirms autotype is active without executing code):
{
  "@type": "java.net.Inet4Address",
  "val": "dnslog.cn"
}
Source: pocs_go/fastjson/check.go
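Because every Fastjson autotype payload has to carry an "@type" key somewhere in the document, a pre-parse gate at the HTTP layer can refuse bodies that name classes the application never deserializes. The Go program below is an added example written for this page, not scan4all code: it walks a constructed request body (not a real capture) and returns every "@type" class name, then compares them against an assumed application allowlist. It generalizes the page's single payload to nested objects, arrays and the \u0040type escaped spelling that Fastjson also accepts.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Constructed request body for the demo, not a real capture: a legitimate
// order object with the page's DNS-probe payload nested inside it. The second
// "@type" key is written with a JSON unicode escape, which Fastjson also
// accepts and which a plain substring search for "@type" would miss.
const sampleBody = `{
  "orderId": 42,
  "customer": {"@type": "com.example.Customer", "name": "alice"},
  "items": [
    {"sku": "A1", "meta": {"\u0040type": "java.net.Inet4Address", "val": "dnslog.cn"}}
  ]
}`

// FindAutoTypes decodes a JSON document and returns every class name given
// through an "@type" key at any nesting depth, in a deterministic order.
// Decoding first means escaped keys are normalised before matching.
func FindAutoTypes(body []byte) ([]string, error) {
	var doc interface{}
	if err := json.Unmarshal(body, &doc); err != nil {
		return nil, err
	}
	var found []string
	walk(doc, &found)
	return found, nil
}

func walk(v interface{}, out *[]string) {
	switch node := v.(type) {
	case map[string]interface{}:
		if class, ok := node["@type"].(string); ok {
			*out = append(*out, class)
		}
		keys := make([]string, 0, len(node))
		for k := range node {
			keys = append(keys, k)
		}
		sort.Strings(keys) // Go map iteration order is random; sort for stable output
		for _, k := range keys {
			walk(node[k], out)
		}
	case []interface{}:
		for _, item := range node {
			walk(item, out)
		}
	}
}

// UnexpectedAutoTypes returns the @type class names that are not on the
// allowlist of types the application deliberately deserializes.
func UnexpectedAutoTypes(body []byte, allow map[string]bool) ([]string, error) {
	types, err := FindAutoTypes(body)
	if err != nil {
		return nil, err
	}
	var bad []string
	for _, t := range types {
		if !allow[t] {
			bad = append(bad, t)
		}
	}
	return bad, nil
}

func main() {
	// Assumed application allowlist for the demo.
	allow := map[string]bool{"com.example.Customer": true}
	bad, err := UnexpectedAutoTypes([]byte(sampleBody), allow)
	if err != nil {
		panic(err)
	}
	fmt.Println("unexpected @type values:", bad)
}
```

Treat this gate as defence in depth only: parser differentials between the gate and Fastjson (duplicate keys, comments, lenient whitespace) can let a payload through, so the actual fix is upgrading Fastjson and enabling safeMode so that autotype is off regardless of input.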

JBoss

CVE-2017-12149 - Deserialization RCE

  • Type: Deserialization RCE
  • Affected Versions: JBoss AS 5.x/6.x
  • Discovery Date: August 2017
  • CVSS Score: 8.1 (High)

Description: Java deserialization vulnerability in JBoss Application Server. The HTTP Invoker's ReadOnlyAccessFilter (/invoker/readonly) deserializes the request body without authentication, so a serialized gadget chain (for example one generated with ysoserial) gives code execution.
Component: ReadOnlyAccessFilter
Source: pocs_go/jboss/CVE_2017_12149.go

PHPUnit

CVE-2017-9841 - RCE

  • Type: Remote Code Execution
  • Affected Versions: 4.x < 4.8.28, 5.x < 5.6.3
  • Discovery Date: June 2017
  • CVSS Score: 9.8 (Critical)

Description: PHPUnit's eval-stdin.php passes the request body to eval(). It is only exploitable when the vendor/ directory is web-accessible, which happens when a development dependency is deployed to production under the document root.
Vulnerable File: /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
Exploitation:
curl -X POST http://target/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php \
  --data '<?php system("id"); ?>'
Source: pocs_go/phpunit/CVE_2017_9841.go
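Running system("id") against a target is unnecessary to confirm this bug: since eval-stdin.php evaluates whatever it receives, echoing the MD5 of a random marker proves code execution without touching a shell or the filesystem, and the random marker rules out cached or canned responses. The Go program below is an added example written for this page (not scan4all's own check, whose exact probe may differ); it includes a small simulated vulnerable endpoint so it runs offline. The server names and the marker format are assumptions for the demo.

```go
package main

import (
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
	"time"
)

// EvalStdinPath is the file CVE-2017-9841 exposes when vendor/ is served
// from the document root.
const EvalStdinPath = "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"

// CheckEvalStdin posts a harmless PHP snippet that echoes the MD5 of a random
// marker and reports the target as vulnerable only if that exact digest comes
// back with a 200 status.
func CheckEvalStdin(client *http.Client, baseURL string) (bool, error) {
	nonce := make([]byte, 8)
	if _, err := rand.Read(nonce); err != nil {
		return false, err
	}
	marker := hex.EncodeToString(nonce)
	sum := md5.Sum([]byte(marker))
	expected := hex.EncodeToString(sum[:])

	body := fmt.Sprintf(`<?php echo md5("%s"); ?>`, marker)
	target := strings.TrimRight(baseURL, "/") + EvalStdinPath
	req, err := http.NewRequest(http.MethodPost, target, strings.NewReader(body))
	if err != nil {
		return false, err
	}
	resp, err := client.Do(req)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	// Cap the read so an unrelated large page cannot stall the scanner.
	data, err := io.ReadAll(io.LimitReader(resp.Body, 64<<10))
	if err != nil {
		return false, err
	}
	return resp.StatusCode == http.StatusOK && strings.Contains(string(data), expected), nil
}

// md5Call matches the only PHP form the probe sends.
var md5Call = regexp.MustCompile(`md5\("([0-9a-f]+)"\)`)

// FakeEvalStdin simulates a vulnerable eval-stdin.php for offline testing:
// it "evaluates" only the echo md5("...") snippet that CheckEvalStdin sends.
func FakeEvalStdin(w http.ResponseWriter, r *http.Request) {
	if r.URL.Path != EvalStdinPath || r.Method != http.MethodPost {
		http.NotFound(w, r)
		return
	}
	body, _ := io.ReadAll(r.Body)
	if m := md5Call.FindSubmatch(body); m != nil {
		sum := md5.Sum(m[1])
		fmt.Fprint(w, hex.EncodeToString(sum[:]))
	}
}

func main() {
	client := &http.Client{Timeout: 10 * time.Second}

	// Simulated vulnerable host: vendor/ is served and eval-stdin.php exists.
	vulnerable := httptest.NewServer(http.HandlerFunc(FakeEvalStdin))
	defer vulnerable.Close()
	ok, err := CheckEvalStdin(client, vulnerable.URL)
	fmt.Println("simulated vulnerable host:", ok, err)

	// Simulated patched host: the path is not exposed at all.
	patched := httptest.NewServer(http.NotFoundHandler())
	defer patched.Close()
	ok, err = CheckEvalStdin(client, patched.URL)
	fmt.Println("simulated patched host:", ok, err)
}
```

Point CheckEvalStdin at a real base URL only for hosts you are authorised to test; the same marker technique applies to any eval-style sink where a shell command would be both unnecessary and noisy.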

Microsoft Products

CVE-2020-0796 - SMBGhost

  • Type: Remote Code Execution
  • Affected Product: Windows 10 versions 1903 and 1909, Windows Server versions 1903 and 1909
  • Discovery Date: March 2020
  • CVSS Score: 10.0 (Critical)

Description: Wormable RCE in the SMBv3 (3.1.1) protocol. An integer overflow in the handling of compressed packets leads to a kernel buffer overflow in srv2.sys that is reachable without authentication. Disabling SMBv3 compression is Microsoft's interim mitigation.
Port: 445 (SMB)
Source: pocs_go/ms/CVE-2020-0796.go

CVE-2021-26855 - ProxyLogon

  • Type: SSRF → Authentication Bypass → RCE
  • Affected Product: Microsoft Exchange Server (on-premises 2013/2016/2019)
  • Discovery Date: March 2021
  • CVSS Score: 9.8 (Critical)

Description: Part of the ProxyLogon chain. A pre-authentication SSRF in the Exchange front end lets an attacker relay requests to back-end services as an authenticated user, and from there reach any mailbox.
Attack Chain: CVE-2021-26855 (pre-auth SSRF) → CVE-2021-27065 or CVE-2021-26858 (post-auth arbitrary file write, used to drop a web shell). CVE-2021-26857 (insecure deserialization in the Unified Messaging service) is a separate post-auth vector from the same advisory.
Sources:
  • pocs_go/ms/CVE_2021_26855.go
  • pocs_go/ms/exchange/proxylogon.go
  • pocs_go/ms/exchange/chkproxyshell.go (checks the later ProxyShell chain, CVE-2021-34473/34523/31207, not ProxyLogon)

CVE-2018-14847 - MikroTik RouterOS

  • Type: Directory Traversal
  • Affected Product: MikroTik RouterOS (through 6.42)
  • Discovery Date: July 2018

Description: Directory traversal in the Winbox service (TCP/8291) that lets an unauthenticated attacker read arbitrary files, including the user database with credentials. The POC lives under pocs_go/ms/ although the product is not Microsoft's.
Source: pocs_go/ms/CVE_2018_14847.go

Fortinet

CVE-2018-13380 - FortiOS SSL VPN

  • Type: Path Traversal / Credential Disclosure
  • Affected Product: Fortinet FortiOS SSL VPN
  • Discovery Date: May 2019
  • CVSS Score: 9.8 (Critical)

Description: Path traversal in the SSL VPN web portal allows reading system files, including the session file that holds plaintext VPN usernames and passwords.
Note: the traversal and credential-disclosure bug described here is tracked as CVE-2018-13379; CVE-2018-13380 is the cross-site scripting issue in the same SSL VPN portal disclosed alongside it. Check which request the source file sends before relying on the identifier.
Source: pocs_go/CVE-2018-13380.go

Open Management Infrastructure

CVE-2021-38647 - OMI RCE (OMIGOD)

  • Type: Remote Code Execution
  • Affected Product: Open Management Infrastructure (OMI)
  • Discovery Date: September 2021
  • CVSS Score: 9.8 (Critical)

Description: RCE in Microsoft's Open Management Infrastructure agent, which several Azure extensions install automatically on Linux VMs. A request to the OMI management port (5986, 5985 or 1270) with the Authorization header omitted is processed as root, so any command can be executed without credentials when the port is exposed.
Source: pocs_go/CVE-2021-38647.go

Zabbix

CVE-2022-23131 - Authentication Bypass

  • Type: Authentication Bypass
  • Affected Product: Zabbix Frontend (with SAML SSO enabled)
  • Discovery Date: January 2022

Description: The Zabbix frontend stores session data client-side without integrity protection. When SAML SSO is enabled, an attacker can modify the session cookie to impersonate any user, including Admin, without credentials.
Source: pocs_go/zabbix/CVE-2022-23131.go

Chinese Software Systems

scan4all also includes POCs for software systems widely deployed in China:
  • Seeyon Office Automation: multiple vulnerabilities in the Seeyon OA system (pocs_go/seeyon/)
  • Tongda Office Automation: multiple vulnerabilities in the Tongda OA system (pocs_go/tongda/)
  • Landray EKP: Landray_RCE (pocs_go/landray/Landray_RCE.go)
  • Zentao Project Management: pocs_go/zentao/
  • MCMS Content Management: front-end SQL injection (pocs_go/mcms/Front_Desk_sqlinject.go)
  • Sunlogin Remote Control: pocs_go/sunlogin/

Usage

# Scan for all vulnerabilities
scan4all -h http://target.com

# Scan specific system
scan4all -h http://vcenter.example.com -poc vmware
scan4all -h http://confluence.example.com -poc confluence

# Test specific CVE
scan4all -h http://target.com -poc CVE-2021-22205

Source Code Structure

pocs_go/
├── VMware/vCenter/          # VMware vCenter vulnerabilities
├── confluence/              # Atlassian Confluence
├── gitlab/                  # GitLab vulnerabilities
├── f5/                      # F5 BIG-IP
├── ThinkPHP/                # ThinkPHP framework
├── fastjson/                # Fastjson library
├── jboss/                   # JBoss Application Server
├── phpunit/                 # PHPUnit testing framework
├── ms/                      # Microsoft products
│   └── exchange/           # Microsoft Exchange
├── seeyon/                  # Seeyon OA
├── tongda/                  # Tongda OA
├── landray/                 # Landray EKP
├── zentao/                  # Zentao PM
├── mcms/                    # MCMS
├── sunlogin/                # Sunlogin
├── zabbix/                  # Zabbix monitoring
├── spark/                   # Apache Spark
└── *.go                     # Root-level POCs

Mitigation General Guidelines

  1. Keep Software Updated: regularly update all software to the latest stable versions
  2. Network Segmentation: isolate critical systems, and management interfaces in particular (TMUI, iControl REST, vCenter, OMI, Winbox), from the public internet
  3. Enable Authentication: ensure all services require strong authentication
  4. Monitor Logs: implement centralized logging and monitoring
  5. Security Assessments: perform regular vulnerability assessments
  6. Incident Response: have an incident response plan ready

References

Many of these vulnerabilities are actively exploited in the wild. Ensure affected systems are patched immediately.
