A Web Application Security Testing toolkit for reproducing and verifying several real CVEs in Docker, and for evaluating how a WAF (Web Application Firewall) handles the resulting attack traffic.
Need Chinese? Click the 中文 badge above to switch.
- Linux (Ubuntu 18.04+ / CentOS 7+)
- Docker & Docker Compose
- Bash 4.0+
```bash
git clone https://github.com/liaboveall/SecureGuard-WAF.git
cd SecureGuard-WAF

# Use the main control script
bash main.sh

# Or run a specific CVE script directly
bash scripts/cve-2020-17530.sh
```

| CVE | Description | Component | Severity |
|---|---|---|---|
| CVE-2016-10134 | Zabbix SQL Injection | Zabbix 2.2.x / 3.0.x | 🔴 High |
| CVE-2020-17530 | Struts2 S2-061 OGNL Injection | Struts 2.0.0 - 2.5.25 | 🟠 Critical |
| CVE-2021-21389 | WordPress BuddyPress Privilege Escalation | BuddyPress < 7.2.1 | 🔴 High |
| CVE-2021-22205 | GitLab DjVu File Upload RCE | GitLab CE/EE | 🟠 Critical |
```text
├── config/      # Global configuration
├── scripts/     # CVE exploitation / reproduction scripts
├── utils/       # Common helper functions
├── templates/   # (Planned / optional) template files
└── logs/        # (Generated at runtime) log directory
```
If templates/ or logs/ are not present yet, they are either generated later or reserved for roadmap features.
Edit config/global.conf to adjust ports, container names, etc.:

```bash
# Struts2 related
STRUTS2_PORT=8080
STRUTS2_CONTAINER_NAME="struts2-s2-061"
# WAF related
WAF_PORT=8090
WAF_CONTAINER_NAME="waf-protection"
```

Each script may (or will, per the roadmap) auto-generate:
- 🚀 deploy.sh - Deployment
- 🧪 test_*.sh - Vulnerability test cases
- 🧹 cleanup.sh - Environment cleanup
- 📊 Dashboard - Live status / metrics
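A bad value in config/global.conf (a port that is not a number, two services on one port, a container name Docker rejects) only surfaces once a container fails to start. The following preflight check is an added example written for this README, not code from SecureGuard-WAF: it reads the four settings shown above without sourcing the file (sourcing would execute any shell placed in the config), validates them, and refuses to continue if anything is off. The function names `conf_get`, `valid_port`, `valid_container_name` and `check_conf` are this example's own, and both sample configs are constructed.

```shell
#!/bin/sh
# Added preflight check for config/global.conf (example code for this README,
# not part of SecureGuard-WAF). Expects the KEY=VALUE layout shown above.

# Read one KEY=VALUE entry without sourcing the file; strips double quotes.
conf_get() {
    local file="$1" key="$2" value
    value=$(grep -E "^${key}=" "$file" | tail -n 1 | cut -d= -f2-)
    value="${value%\"}"
    value="${value#\"}"
    printf '%s' "$value"
}

# A TCP port must be an integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Docker accepts container names matching [a-zA-Z0-9][a-zA-Z0-9_.-]*.
valid_container_name() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9_.-]*$'
}

# Validate all four settings and make sure the two services do not collide.
# Prints one line per problem; returns 0 only when the config is usable.
check_conf() {
    local file="$1" rc=0
    local s2_port waf_port s2_name waf_name
    s2_port=$(conf_get "$file" STRUTS2_PORT)
    waf_port=$(conf_get "$file" WAF_PORT)
    s2_name=$(conf_get "$file" STRUTS2_CONTAINER_NAME)
    waf_name=$(conf_get "$file" WAF_CONTAINER_NAME)

    valid_port "$s2_port" || { echo "bad STRUTS2_PORT: '$s2_port'"; rc=1; }
    valid_port "$waf_port" || { echo "bad WAF_PORT: '$waf_port'"; rc=1; }
    [ "$s2_port" != "$waf_port" ] || { echo "STRUTS2_PORT and WAF_PORT collide"; rc=1; }
    valid_container_name "$s2_name" || { echo "bad STRUTS2_CONTAINER_NAME: '$s2_name'"; rc=1; }
    valid_container_name "$waf_name" || { echo "bad WAF_CONTAINER_NAME: '$waf_name'"; rc=1; }
    [ "$s2_name" != "$waf_name" ] || { echo "container names collide"; rc=1; }
    return $rc
}

# Constructed sample config matching the README's global.conf.
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
# Struts2 related
STRUTS2_PORT=8080
STRUTS2_CONTAINER_NAME="struts2-s2-061"
# WAF related
WAF_PORT=8090
WAF_CONTAINER_NAME="waf-protection"
EOF

# Constructed broken config: both services on one port, a name Docker rejects.
BAD_CONF=$(mktemp)
cat > "$BAD_CONF" <<'EOF'
STRUTS2_PORT=8080
STRUTS2_CONTAINER_NAME="struts2-s2-061"
WAF_PORT=8080
WAF_CONTAINER_NAME="-waf"
EOF

check_conf "$GOOD_CONF" && echo "config OK"
check_conf "$BAD_CONF" || echo "config rejected: fix config/global.conf before running main.sh"
```

In practice you would call `check_conf config/global.conf || exit 1` at the top of main.sh or of each CVE script, so a typo never reaches `docker run`.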
- Do NOT use in production: every service this toolkit deploys is intentionally vulnerable
- Run the lab on an isolated network and never expose its published ports to the internet
- Comply with local laws & regulations
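"Network isolation" is easy to get wrong with Docker: a port published as `-p 8080:8080` binds to 0.0.0.0 and `[::]`, i.e. every interface on the host, and Docker installs its own iptables rules for published ports, so a host firewall such as ufw will not necessarily block them. The check below is an added example written for this README, not code from SecureGuard-WAF: it takes the line format of `docker ps --format '{{.Names}}\t{{.Ports}}'` and lists every container whose published port is reachable from outside the host. The function name `find_exposed` and the sample `docker ps` output are this example's own constructions.

```shell
#!/bin/sh
# Added isolation check (example code for this README, not part of
# SecureGuard-WAF). Input lines look like the output of
#   docker ps --format '{{.Names}}\t{{.Ports}}'

TAB=$(printf '\t')

# Reads "name<TAB>ports" lines on stdin and prints "name<TAB>binding" for every
# published port whose host address is not 127.0.0.1 or ::1. Exposed-only ports
# (no "->") are not reachable from the host network and are skipped.
# Returns 1 when at least one non-loopback binding was found, 0 otherwise.
find_exposed() {
    awk -F "$TAB" '
    {
        name = $1
        n = split($2, b, /, */)
        for (i = 1; i <= n; i++) {
            if (b[i] !~ /->/) continue
            host = b[i]; sub(/->.*/, "", host)      # 0.0.0.0:8080, [::]:8080, 127.0.0.1:8090
            addr = host; sub(/:[0-9]+$/, "", addr)  # drop the host port
            gsub(/[][]/, "", addr)                  # [::] -> ::, [::1] -> ::1
            if (addr != "127.0.0.1" && addr != "::1") {
                print name "\t" b[i]
                found = 1
            }
        }
    }
    END { if (found) exit 1; exit 0 }'
}

# Constructed sample: the Struts2 target was started with -p 8080:8080 (all
# interfaces), the WAF with -p 127.0.0.1:8090:8090, and a backend only exposes
# its port inside the Docker network.
SAMPLE=$(printf 'struts2-s2-061\t0.0.0.0:8080->8080/tcp, [::]:8080->8080/tcp\nwaf-protection\t127.0.0.1:8090->8090/tcp\nmysql-backend\t3306/tcp')

printf '%s\n' "$SAMPLE" | find_exposed \
    || echo "containers above are reachable from other hosts: republish with -p 127.0.0.1:PORT:PORT"
```

Run it live with `docker ps --format '{{.Names}}\t{{.Ports}}' | find_exposed` after `bash main.sh` has brought the lab up. To fix a flagged container, publish the port to loopback only (`-p 127.0.0.1:8080:8080`, or `"127.0.0.1:8080:8080"` under `ports:` in Compose) and, if the WAF must be reachable from a second machine, put that machine on the same private lab network rather than opening the port on 0.0.0.0.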
MIT License - see LICENSE.
Contributions (issues / PRs) are welcome. Help extend more CVE scenarios & WAF detection rules.