This repository contains a collection of proof-of-concept exploits for various vulnerabilities found in WSO2 products. Each exploit has its own detailed README.md with usage instructions.
- `account-takeover/`: Exploits related to taking over user accounts.
  - `self_register.py`: Registers a new user, even if self-registration is disabled.
  - `reset_password.py`: Resets a user's password by exploiting the password recovery flow.
- `rce/authenticated/h2-rce/`: Executes commands via a vulnerability in the H2 database engine.
- `rce/authenticated/siddhi-rce/`: Achieves RCE through the Siddhi event processing engine.
- `rce/authenticated/sqlite-rce/`: Uses a file write vulnerability in the SQLite JDBC driver to upload a webshell.
- `rce/unauthenticated/CVE-2022-29464/`: An unauthenticated file upload vulnerability that leads to RCE.
- `rce/unauthenticated/siddhi-rce-lexfo/`: Unauthenticated RCE in the Siddhi "Try it" functionality.
- `ssrf/`: An unauthenticated SSRF vulnerability that allows sending arbitrary requests from the server.
Most scripts require Python 3 and the libraries listed in `requirements.txt`. You can install the requirements with:

```
pip install -r requirements.txt
```

These scripts are for educational and research purposes only. Do not use them on systems you do not have permission to test.