RCE using Minecraft Mod

Educational Minecraft plugin demonstrating the dangers of installing unverified plugins.

This is an Exploit App I made when solving the DocumentViewer challenge (CVE-2021-40724) from MobileHackingLab. It will download a libdocviewe_pro.so library from your local machine unto the vulnerable app's internal storage, load it upon relaunch and achieve an RCE.

An unfinished RCE framework for Netty & Bukkit applications

Common Exploitation Techniques for Java RCE Vulnerabilities in Real-World Scenarios | 实战场景较通用的 Java Rce 相关漏洞的利用方式

A webshell application and interactive shell for pentesting Apache Tomcat servers.

一款支持自定义的 Java 回显载荷生成工具｜A customizable Java echo payload generation tool.

Java web common vulnerabilities and security code which is base on springboot and spring security

JNDI-Injection-Exploit 是一个用于生成可用 JNDI 链接并提供后台服务的工具，支持启动 RMI 服务器、LDAP 服务器和 HTTP 服务器。其 RMI 和 LDAP 服务基于 marshalsec，并进行修改以与 HTTP 服务联动。

两年多以前，Chris Frohoff 和 Gabriel Lawrence 发表了关于 Java 对象反序列化漏洞的研究，这一研究最终导致 Java 历史上最大的一波远程代码执行漏洞的爆发。 后续研究表明，这些漏洞不仅限于 Java 序列化或 XStream 这样的机制，还可以应用于其他机制。

Java General Vulnerable Web Application

Insecure Java Deserialization Lab

CVE-2023-38646 Metabase RCE

Vulnerable Client-Server Application (VuCSA) is made for learning how to perform penetration tests of non-http thick clients. It is written in Java (with JavaFX graphical user interface) and contains multiple challenges including SQL injection, RCE, XML vulnerabilities and more.

Security Research and PoC

CVE-2019-12814:Jackson JDOM XSLTransformer Gadget

CVE-2020-11113:Jackson-databind RCE

CVE-2020-10673:jackson-databind RCE

CVE-2022-41852 Proof of Concept (unofficial)

Automatically search for the required class and package it as a jar Create One Min Jar file