March 14, 2026

🌐 Web Application Cheatsheet (Vulnhub)

A practical Web Application Penetration Testing cheat sheet designed for CTF players, penetration testers, bug bounty hunters, and cybersecurity learners to understand common web vulnerabilities and exploitation techniques.

Table of Contents

Drupal

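| No. | Machine Name | Exploit/Vulnerability |
| --- | --- | --- |
| 1. | Droopy | Drupalgeddon |
| 2. | Billu Box 2 | Drupalgeddon2 |
| 3. | Lampiao : 1 | Drupalgeddon2 |
| 4. | Typhoon : 1.02 | Drupalgeddon2 |
| 5. | DC-1 | Drupalgeddon2 |
| 6. | RootThis : 1 | Manual |
| 7. | DC:7 | Manual |
| 8. | DC:8 | |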

Jenkins

| No. | Machine Name | Exploit/Vulnerability |
| --- | --- | --- |
| 1. | Jarbas : 1 | Jenkins Script Console |

Joomla

| No. | Machine Name | Exploit/Vulnerability |
| --- | --- | --- |
| 1. | Hackademic-RTB2 | SQL Injection |
| 2. | Kevgir | Joomla! 1.5.x - 'Token' |
| 3. | DC-3 | Joomla! 3.7.0 - 'com_fields' SQL Injection |
| 4. | Born2Root: 2 | Enumeration |

WebMin

| No. | Machine Name | Exploit/Vulnerability |
| --- | --- | --- |
| 1. | pWnOS -1.0 | Webmin File Disclosure |
| 2. | VulnOS: 1 | DistCC Daemon Command Execution |
| 3. | Nezuko:1 | Webmin 1.920 - Remote Code Execution |

Wordpress

| No. | Machine Name | Exploit/Vulnerability |
| --- | --- | --- |
| 1. | Hackademic-RTB1 | Enumeration |
| 2. | Mr. Robot | Bruteforce |
| 3. | Stapler | Enumeration/Bruteforce |
| 4. | Minotaur | Wordpress SlideShow Gallery Authenticated File Upload |
| 5. | Freshly | Manual |
| 6. | USV | Enumeration |
| 7. | Quaoar | Enumeration |
| 8. | Lazysysadmin | WordPress Admin Shell Upload |
| 9. | BTRSys:dv 2.1 | Enumeration |
| 10. | Basic Penetration | WordPress Admin Shell Upload |
| 11. | DerpNStink | Wordpress SlideShow Gallery Authenticated File Upload |
| 12. | BSides Vancouver: 2018 | WordPress Admin Shell Upload |
| 13. | Raven | Enumeration |
| 14. | HackinOS : 1 | Enumeration |
| 15. | Web Developer : 1 | WordPress Photo Gallery Unrestricted File Upload |
| 16. | DC-2 | Enumeration/Bruteforce |
| 17. | DC6 | Plainview Activity Monitor 20161228 |
| 18. | symfonos : 1 | WordPress Plugin Mail Masta 1.0 - Local File Inclusion |
| 19. | PumpkinFestival | Enumeration |
| 20. | SP:Jerome | WordPress Crop-image Shell Upload |
| 21. | dpwwn:2 | Wordpress Plugin Site Editor 1.1.1 |
| 22. | GrimTheRipper:1 | Bruteforce |
| 23. | symfonos : 2 | WordPress Plugin Mail Masta 1.0 - Local File Inclusion |
| 24. | Prime: 1 | Enumeration |
| 25. | HA: Wordy | Multiple Vulnerabilities |
| 26. | Loly: 1 | WordPress Plugin AdRotate 3.6.5 - SQL Injection |

Builder Engine

| No. | Machine Name | Exploit/Vulnerability |
| --- | --- | --- |
| 1. | Sedna | builderengine_upload_exec |

CMS Made Simple

| No. | Machine Name | Exploit/Vulnerability |
| --- | --- | --- |
| 1. | West Wild: 2 | CMSMS Showtime2 File Upload RCE |

CouchDB

| No. | Machine Name | Exploit/Vulnerability |
| --- | --- | --- |
| 1. | Moonraker:1 | Node.js deserialization RCE |

Cuppa

| No. | Machine Name | Exploit/Vulnerability |
| --- | --- | --- |
| 1. | W1R3S.inc | '/alertConfigField.php' LFI/RFI |
| 2. | BRAVERY | '/alertConfigField.php' LFI/RFI |

Cute News

| No. | Machine Name | Exploit/Vulnerability |
| --- | --- | --- |
| 1. | Simple | CuteNews 2.0.3 Remote File Upload |

Impress

| No. | Machine Name | Exploit/Vulnerability |
| --- | --- | --- |
| 1. | Breach 1.0 | Enumeration |

Moodle

| No. | Machine Name | Exploit/Vulnerability |
| --- | --- | --- |
| 1. | Golden Eye:1 | Moodle - Remote Command Execution |

PHP Mailer

| No. | Machine Name | Exploit/Vulnerability |
| --- | --- | --- |
| 1. | Raven : 2 | PHPMailer < 5.2.18 - Remote Code Execution |

Playsms

| No. | Machine Name | Exploit/Vulnerability |
| --- | --- | --- |
| 1. | Dina | PlaySMS import.php Authenticated CSV File Upload Code Execution |

Rips

| No. | Machine Name | Exploit/Vulnerability |
| --- | --- | --- |
| 1. | Mercy | RIPS 0.53 - Multiple Local File Inclusions |

Simple PHP Blog

| No. | Machine Name | Exploit/Vulnerability |
| --- | --- | --- |
| 1. | pWnOS -2.0 | Simple PHP Blog Remote Command Execution |

Squirrel Mail

| No. | Machine Name | Exploit/Vulnerability |
| --- | --- | --- |
| 1. | DE-ICE:S1.140 | Enumeration |

PHPTax

| No. | Machine Name | Exploit/Vulnerability |
| --- | --- | --- |
| 1. | Kioptrix: 5 | PhpTax Remote Code Injection |

Wolf

| No. | Machine Name | Exploit/Vulnerability |
| --- | --- | --- |
| 1. | SickOS 1.1 | Default Credential |

Zenphoto

| No. | Machine Name | Exploit/Vulnerability |
| --- | --- | --- |
| 1. | Orcus | Enumeration |

Redis

| No. | Machine Name | Exploit/Vulnerability |
| --- | --- | --- |
| 1. | Gemini inc:2 | Remote Code Execution (RCE) |

Nano CMS

| No. | Machine Name | Exploit/Vulnerability |
| --- | --- | --- |
| 1. | LAMPSecurity: CTF 5 | NanoCMS '/data/pagesdata.txt' Password Hash Information Disclosure |

GUnet OpenEclass E-learning platform

| No. | Machine Name | Exploit/Vulnerability |
| --- | --- | --- |
| 1. | VulnUni 1.0.1 | GUnet OpenEclass E-learning platform 1.7.3 |