Top 10 Remote Exploits of 2018

With 2018 over, I thought it would be useful to look back at the most notable exploits to come out in the last year and provide a brief review for each. My criteria here is to provide a list of the most notable remote exploits (in my opinion…) affecting the most systems with the highest impact and released in 2018 only. This is by no means a complete list and I may have missed some. If so, let me know via Twitter (@xer0dayz) or leave a comment. Also, if there’s any remote exploits you think I should add to Sn1per (, let me know!

OpenSSH User Enum Exploit CVE-2018-15473

OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.

Exploit Link:

* Autopwn module added to Sn1per v6.0 (

libSSH Auth Bypass Exploit CVE-2018-10933

A vulnerability was found in libssh’s server-side state machine before versions 0.7.6 and 0.8.4. A malicious client could create channels without first performing authentication, resulting in unauthorized access.

Exploit Link:

* Autopwn module added to Sn1per v6.0 (

Drupal v7.x + v8.x Remote Code Execution (Drupalgeddon 2 / CVE-2018-7600 / SA-CORE-2018-002)


A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core – Highly critical – Remote Code Execution – SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.

Exploit Link:

* Autopwn module added to Sn1per v6.0 (

Apache Struts 2 Remote Code Execution CVE-2018-11776

Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn’t have value and action set and in same time, its upper package have no or wildcard namespace.

Exploit Link:

* Autopwn module added to Sn1per v6.0 (

WebLogic Unrestricted File Upload Remote Code Execution CVE-2018-2894

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS – Web Services). Supported versions that are affected are, and Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Exploit Link:

Cisco ASA Directory Traversal CVE-2018-0296

A vulnerability in the web interface of the Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. It is also possible on certain software releases that the ASA will not reload, but an attacker could view sensitive system information without authentication by using directory traversal techniques. The vulnerability is due to lack of proper input validation of the HTTP URL. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. An exploit could allow the attacker to cause a DoS condition or unauthenticated disclosure of information. This vulnerability applies to IPv4 and IPv6 HTTP traffic. This vulnerability affects Cisco ASA Software and Cisco Firepower Threat Defense (FTD) Software that is running on the following Cisco products: 3000 Series Industrial Security Appliance (ISA), ASA 1000V Cloud Firewall, ASA 5500 Series Adaptive Security Appliances, ASA 5500-X Series Next-Generation Firewalls, ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers, Adaptive Security Virtual Appliance (ASAv), Firepower 2100 Series Security Appliance, Firepower 4100 Series Security Appliance, Firepower 9300 ASA Security Module, FTD Virtual (FTDv). Cisco Bug IDs: CSCvi16029.

Exploit Link:

* Autopwn module added to Sn1per v6.0 (

Exim < 4.90.1 Remote Code Execution CVE-2018-6789

An issue was discovered in the base64d function in the SMTP listener in Exim before 4.90.1. By sending a handcrafted message, a buffer overflow may happen. This can be used to execute code remotely.

Exploit Link:

* To be added to Sn1per v6.1 at a future date.

DHCP Client Command Injection (DynoRoot) CVE-2018-1111

DHCP packages in Red Hat Enterprise Linux 6 and 7, Fedora 28, and earlier are vulnerable to a command injection flaw in the NetworkManager integration script included in the DHCP client. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol.

Exploit Link:

osCommerce Installer Unauthenticated Code Execution

If the /install/ directory was not removed, it is possible for an unauthenticated attacker to run the “install_4.php” script, which will create the configuration file for the installation. This allows the attacker to inject PHP code into the configuration file and execute it.

Exploit Link:

* To be added to Sn1per v6.1 at a future date.

Oracle Weblogic Server Deserialization RCE CVE-2018-2628

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are,, and Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Exploit Link:

* Autopwn module added to Sn1per v6.0 (

Sn1per Professional v6.0 now available!

Sn1per Professional v6.0 is now available from the XeroSecurity website.

This is a BIG release with tons of new features and improvements, including:

  • 100% responsive web UI resizes to fit any resolution or device.
  • New scan progress bar indicates overall scan status to ensure 100% scan coverage of the entire workspace.
  • Improved scan dashboard gives high level overview of workspace, including downloadable lists to all domains, scanned targets and unscanned targets. These can be easily referenced and used to scan the entire attack surface using Sn1per.
  • New reports menu includes links to all Sn1per console reports which can be downloaded and viewed from the main report.
  • New sidebar shortcuts added to both the main Sn1per report and all detailed host reports to quickly jump to each section of the report.
  • Slideshow for all gathered screenshots
  • Improved host table allows searching for scan mode tags, IP/DNS, HTTP titles, status codes, HTTP headers, WAF detection and open ports.
  • New quick links for both the HTTP and HTTPS versions for each host in the host table.
  • New scan tags to indicate which hosts has been scanned and which mode (ie. Stealth, Web, Portscan, Bruteforce, etc.) and which are new in the host table section of the report.
  • New email security section indicates any email spoofing vulnerabilities for the workspace.
  • New takeovers security section indicates any potential domain takeovers or hijacking vulnerabilities.
  • New HTML5 notepad saves automatically to the main report elevating the need to save your work (keep in mind, it uses the local browser cache, so switching browsers or clearing your browser cache will remove your notes!).
  • New detailed host reports are now separate from the main report and include the following features:
    • 34 customized recon links.
    • 26 customized Google dork links.
    • HTTP/HTTPS quick links.
    • Reports menu to download the full HTML console reports for each host.
    • New sidebar links for each detailed host report to quickly jump to each section of the report.
    • HTTP/HTTPS screenshots
    • DNS
    • Sub-domains
    • Open ports
      • New links to full NMap HTML host reports.
    • Fingerprint info
    • HTTP headers
    • Web files
    • Web URL’s
      • New links to download all discovered URL’s for each host
    • SSL/TLS info


For all questions regarding payment, licensing, installation or general usage, refer to our online documentation for more info or contact us at [email protected].


Purchase Link

Sn1per Professional v6.0 (Pre-Order)

Bug Bounty Recon Like A Pro


In this blog post, I will cover the basic steps to performing bug bounty recon against large, open scoped programs and penetration tests.

If you’re like most starting out, this process can seem daunting and overwhelming depending on how many hosts you’re dealing with. Twitter for instance has 20,000+ subdomains and a HUGE attack surface to go through. How do you know where to focus your time? How do you keep track of which hosts you scanned and reviewed? These questions can quickly lead you spinning in circles, wasting valuable time while more experienced hunters get the gold. Luckily, there are tools and methodologies that can assist and make your life easier as a bug bounty hunter or penetration tester. This is where Sn1per comes in…

What is Sn1per?

Sn1per is an automated pentest reconnaissance scanner that can be used during penetration tests and bug bounties and to enumerate targets and scan for vulnerabilities. There are two versions of Sn1per available depending on your needs. Sn1per Community Edition (CE) is the open source scan engine that is maintained on Github ( Sn1per Professional is XeroSecurity’s premium reporting add on for Sn1per and is available exclusively from the XeroSecurity website (


Installation is extremely easy. Just clone the Github repo (git clone and run ./ from a Kali Linux OS. This will install all tools and dependencies which are used to collect recon info and scan for vulnerabilities.

Scoping your target

So we have Sn1per installed and we’ve recited “The Rifleman’s Creed” a few times, the next phase is scoping our target. This is fairly obvious but we need to carefully review the bug bounty or pentest scope which gives us legal permission to test without getting thrown in prison. If you find yourself getting outside the intended scope, you’ve been warned – This “could” land you in jail!.
Now that the legal disclaimer is out of the way, what’s the first step?

Tactical Reconnaissance & OSINT

The first step in your reconnaissance process should be enumerating all subdomains and hosts within the target scope. For this, we’re interested in any wildcard domains (ie. * In this case, it is up to the researcher to hunt for subdomains and hosts which fall within this target scope but haven’t been explicitly stated. For this, we will use sniper to actively and passively scan a target domain for subdomains via the -re switch and we’ll create a new workspace to store all our hosts via the -w switch. Additionally, we’ll also add the –osint switch to our scan to perform basic OSINT (Open Source Intelligence Gathering) searches on the target domain. This can reveal tons of useful information such as email addresses, public domains, documents, usernames, software used, whois info, reverse IP lookups, virtual hosts, etc. In addition, Sn1per will perform basic checks for subdomain hijacking and takeovers.
sniper -t --recon --osint -w workspace_alias
This will store a complete list of all subdomains discovered and sorted at the following location:

Calling In The Airstrike…


Now that we’ve enumerated all subdomains for the in-scope wildcard domain, we need to quickly enumerate all hosts with a high level flyover. This can be done by passing our host list from the previous step via the -f switch and running sniper in airstrike mode via the -m airstrike options. This will store all gathered data to our workspace and combine the data from all hosts scanned under /usr/share/sniper/loot/workspace/<WORKSPACE_ALIAS>/. Some basic info gathered from this mode include: DNS, open ports, HTTP headers, SSL ciphers, web fingerprints, TCP banners, WAF detection and basic file/directory and passive URL discovery.
sniper -f /usr/share/sniper/loot/workspace/<WORKSPACE_ALIAS>/domains/domains-all-sorted.txt -m airstrike -w workspace


After the Sn1per finishes scanning all hosts in our workspace, Sn1per Professional gives us some high level info via the console for each host as shown below. This will help us get a high level visual of the attack surface based on which ports are open, interesting HTTP headers, page titles and DNS records. It will become very clear that if the host has no DNS or open ports, there probably isn’t much of an attack surface to dig into further. It’s best to focus on interesting ports (ie. port 21 (FTP), port 22 (SSH), 3306 (MySQL), etc.) and web targets with interesting headers (ie. Server: Apache Tomcat v7.0.0) may be vulnerable and have known exploit code available.

Professional Reporting Interface

After our report gets generated, we can see Sn1per enumerated and scanned 1268 unique hosts automatically. As a penetration tester, you can now sift through all the information contained in your workspace to begin looking for interesting hosts and potential vulnerabilities. To help us manage all this data, we will leverage Sn1per Professional for the next steps in the process. Sn1per Professional offers the following features to help make our lives a bit easier.


– Professional reporting interface.
– Slideshow for all gathered screenshots.
– Searchable and sortable DNS, IP and open port database.
– Quick links to online recon tools and Google hacking queries.
– Personalized notes field for each host.

Demo Video:

Slideshow For All Gathered Screenshots

From here, we can perform visual recon via the “Slideshow” feature in Sn1per Pro. This can reveal all sorts of potentially interesting hosts which can help identify which hosts need to be scanned further for more information.

Searchable/Sortable DNS, IP and Open Port Database

To supplement our surface level reconnaissance, we can also utilize the “Port List” feature which provides a widget of all subdomains, open ports, DNS and page titles. All data stored within this widget can then be sorted and searched for based on your needs (ie. If you’re looking for port 22/tcp (SSH), search for “22”. If you want to find all virtual hosts in the environment based on the same page title, enter the full page title (ie. “Overstock Cars”), etc. The possibilities here are endless but we can quickly find interesting hosts and ports or DNS records using this feature in Sn1per Professional.


This concludes part one of this series. This is by no means a comprehensive recon tutorial, but it should be enough to get you started in the process. Stay tuned for more recon tips and tricks for getting the most out of your bug bounty and pentest recon with Sn1per.