SPIP form PHP Injection
This module exploits a PHP code injection in SPIP. The vulnerability exists in the oubli parameter and allows an unauthenticated user to execute arbitrary commands with web user privileges. Branches 3.2, 4.0, 4.1 and 4.2 are affected. Vulnerable versions are use exploit/multi/http/spiprceform ms...
SSH Username Enumeration
This module uses a malformed packet or timing attack to enumerate users on an OpenSSH server. The default action sends a malformed (corrupted) SSH_MSG_USERAUTH_REQUEST packet using public key authentication (which must be enabled) to enumerate users. On some versions of OpenSSH under some configurations,...
SPIP connect Parameter PHP Injection
This module exploits a PHP code injection vulnerability in SPIP. The vulnerability exists in the connect parameter, allowing an unauthenticated user to execute arbitrary commands with web user privileges. Branches 2.0, 2.1, and 3 are affected. Vulnerable versions are use...
Apache 2.4.49/2.4.50 Traversal RCE
This module exploits an unauthenticated RCE vulnerability which exists in Apache version 2.4.49 (CVE-2021-41773). If files outside of the document root are not protected by 'require all denied' and CGI has been explicitly enabled, it can be used to execute arbitrary commands (Remote Command Execution)...
SPIP form PHP Injection
This module exploits a PHP code injection in SPIP. The vulnerability exists in the oubli parameter and allows an unauthenticated user to execute arbitrary commands with web user privileges. Branches 3.2, 4.0, 4.1 and 4.2 are affected. Vulnerable versions are use exploit/unix/webapp/spiprceform m...
WikkaWiki 1.3.2 Spam Logging PHP Injection
This module exploits a vulnerability found in WikkaWiki. When the spam logging feature is enabled, it is possible to inject PHP code into the spam log file via the UserAgent header, and then request it to execute our payload. There are at least three different ways to trigger spam protection, thi...
SSL/TLS Version Detection
Check if a server supports a given version of SSL/TLS and cipher suites. The certificate is stored in loot, and any known vulnerabilities against that SSL version and cipher suite combination are checked. These checks include POODLE, deprecated protocols, expired/not valid certs, low key strength...
Apache 2.4.49/2.4.50 Traversal RCE scanner
This module scans for an unauthenticated RCE vulnerability which exists in Apache version 2.4.49 (CVE-2021-41773). If files outside of the document root are not protected by 'require all denied' and CGI has been explicitly enabled, it can be used to execute arbitrary commands (Remote Command...
Log4Shell HTTP Header Injection
Versions of Apache Log4j2 impacted by CVE-2021-44228, which allow JNDI features to be used in configuration, log messages, and parameters, do not protect against attacker-controlled LDAP and other JNDI-related endpoints. This module will exploit an HTTP endpoint with the Log4Shell vulnerability by...
Decrypt Citrix NetScaler Config Secrets
This module takes a Citrix NetScaler ns.conf configuration file as input and extracts secrets that have been stored with reversible encryption. The module supports legacy NetScaler encryption (RC4) as well as the newer AES-256-ECB and AES-256-CBC encryption types. It is also possible to decrypt...
Jetty WEB-INF File Disclosure
Jetty suffers from a vulnerability where certain encoded URIs and ambiguous paths can access protected files in the WEB-INF folder. Affected versions are: 9.4.37.v20210219, 9.4.38.v20210224 and 9.4.37-9.4.42, 10.0.1-10.0.5, 11.0.1-11.0.5. Exploitation can obtain any file in the WEB-INF folder, bu...
Prometheus Node Exporter And Windows Exporter Information Gather
This module connects to a Prometheus Node Exporter or Windows Exporter service and gathers information about the host. Tested against Docker image 1.6.1, Linux 1.6.1, and Windows 0.23.1. Module Options msf use auxiliary/gather/prometheusnodeexportergather msf auxiliaryprometheusnodeexportergather...
Pyload RCE (CVE-2024-39205) with js2py sandbox escape (CVE-2024-28397)
CVE-2024-28397 is a sandbox escape in js2py. use exploit/linux/http/pyloadjs2pycve202439205 msf exploitpyloadjs2pycve202439205 show targets ...targets... msf exploitpyloadjs2pycve202439205 set TARGET msf exploitpyloadjs2pycve202439205 show options ...show and set options... msf...
OpenNMS Horizon Authenticated RCE
This module exploits built-in functionality in OpenNMS Horizon in order to execute arbitrary commands as the opennms user. For versions 32.0.2 and higher, this module requires valid credentials for a user with ROLE_FILESYSTEM_EDITOR privileges and either ROLE_ADMIN or ROLE_REST. For versions 32.0.1 a...
Windows Gather MobaXterm Passwords
This module will determine if MobaXterm is installed on the target system and, if it is, it will try to dump all saved session information from the target. The passwords for these saved sessions will then be decrypted where possible, using the decryption information that HyperSine reverse...
Samba is_known_pipename() Arbitrary Module Load
This module triggers an arbitrary shared library load vulnerability in Samba versions 3.5.0 to 4.4.14, 4.5.10, and 4.6.4. This module requires valid credentials, a writable folder in an accessible share, and knowledge of the server-side path of the writable folder. In some cases, anonymous acce...
Cisco ASA Clientless SSL VPN (WebVPN) Brute-force Login Utility
This module scans for Cisco ASA Clientless SSL VPN (WebVPN) web login portals and performs login brute-force to identify valid credentials. Module Options msf use auxiliary/scanner/http/ciscoasaclientlessvpn msf auxiliaryciscoasaclientlessvpn show actions ...actions... msf...
BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) unauthenticated Remote Code Execution
This exploit achieves unauthenticated remote code execution against BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS), with the privileges of the site user of the targeted BeyondTrust product site. This exploit targets PRA and RS versions 24.3.1 and below. Module Options msf use...
Veeam Backup and Replication Credentials Dump
This module exports and decrypts credentials from Veeam Backup & Replication and Veeam ONE Monitor Server to a CSV file; it is intended as a post-exploitation module for Windows hosts with either of these products installed. The module supports automatic detection of VBR / Veeam ONE and is capabl...
Dell DBUtilDrv2.sys Memory Protection Modifier
The Dell DBUtilDrv2.sys drivers version 2.5 and 2.7 have a write-what-where condition that allows an attacker to read and write arbitrary kernel-mode memory. This module installs the provided driver, enables or disables LSA protection on the provided PID, and then removes the driver. This would...
Hikvision IP Camera Unauthenticated Password Change Via Improper Authentication Logic
Many Hikvision IP cameras contain improper authentication logic which allows unauthenticated impersonation of any configured user account. The vulnerability has been present in Hikvision products since 2014. In addition to Hikvision-branded devices, it affects many white-labeled camera products...
Dahua DVR Auth Bypass Scanner
Scans for Dahua-based DVRs and then grabs settings. Optionally resets a user's password and clears the device logs. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule %qDahua DVR Auth Bypass Scanner...
CVE-2023-21554 - QueueJumper - MSMQ RCE Check
This module checks the provided hosts for the CVE-2023-21554 vulnerability by sending an MSMQ message with an altered DataLength field within the SRMPEnvelopeHeader that overflows the given buffer. On patched systems, the error is caught and no response is sent back. On vulnerable systems, the...
Apache Struts 2 Namespace Redirect OGNL Injection
This module exploits a remote code execution vulnerability in Apache Struts version 2.3 - 2.3.4, and 2.5 - 2.5.16. Remote Code Execution can be performed via an endpoint that makes use of a redirect action. Note that this exploit is dependent on the version of Tomcat running on the target. Versio...
MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
This module is a port of the Equation Group ETERNALBLUE exploit, part of the FuzzBunch toolkit released by Shadow Brokers. There is a buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size is calculated in Srv!SrvOs2FeaListSizeToNt, with a mathematical error where a DWORD is subtracted in...
D-Tale RCE
This exploit effectively serves as a bypass for CVE-2024-3408. An attacker can override global state to enable custom filters, which then facilitates remote code execution. Specifically, this vulnerability leverages the ability to manipulate global application settings to activate the...
Primefaces Remote Code Execution Exploit
This module exploits a Java Expression Language remote code execution flaw in the Primefaces JSF framework. Primefaces versions prior to 5.2.21, 5.3.8 or 6.0 are vulnerable to a padding oracle attack, due to the use of weak crypto and default encryption password and salt. Tested against Docker...
VSFTPD v2.3.4 Backdoor Command Execution
This module exploits a malicious backdoor that was added to the VSFTPD download archive. This backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between June 30th 2011 and July 1st 2011 according to the most recent information available. This backdoor was removed on July 3rd 2011. This...
JetBrains TeamCity Unauthenticated Remote Code Execution
This module exploits an authentication bypass vulnerability to achieve unauthenticated remote code execution against a vulnerable JetBrains TeamCity server. All versions of TeamCity prior to version 2023.05.4 are vulnerable to this issue. The vulnerability was originally discovered by SonarSource...
Acronis Cyber Protect/Backup remote code execution
Acronis Cyber Protect or Backup is an enterprise backup/recovery solution for all compute, storage and application resources. Businesses and Service Providers are using it to protect and back up all IT assets in their IT environment. The Acronis Cyber Protect appliance, in its default...
Wordpress BookingPress bookingpress_front_get_category_services SQLi
The BookingPress WordPress plugin before 1.0.11 fails to properly sanitize user-supplied data in the total_service parameter of the bookingpress_front_get_category_services AJAX action, available to unauthenticated users, prior to using it in a dynamically constructed SQL query. As a result,...
Obsidian Plugin Persistence
This module searches for Obsidian vaults for a user, and uploads a malicious community plugin to the vault. The vaults must be opened with community plugins enabled (NOT restricted mode), but the plugin will be enabled automatically. Tested against Obsidian 1.7.7 on Kali, Ubuntu 22.04, and Windows...
Apache ActiveMQ Unauthenticated Remote Code Execution
This module exploits a deserialization vulnerability in the OpenWire transport unmarshaller in Apache ActiveMQ. Affected versions include 5.18.0 through 5.18.2, 5.17.0 through 5.17.5, 5.16.0 through 5.16.6, and all versions before 5.15.16. Module Options msf use...
Moodle Remote Code Execution (CVE-2024-43425)
This module exploits a command injection vulnerability in Moodle (CVE-2024-43425) to obtain remote code execution. Affected versions include 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11, and earlier unsupported versions. Module Options msf use exploit/linux/http/moodlerce msf...
Cisco IOS XE Unauthenticated RCE Chain
This module leverages both CVE-2023-20198 and CVE-2023-20273 against vulnerable instances of Cisco IOS XE devices which have the Web UI exposed. An attacker can execute a payload with root privileges. The vulnerable IOS XE versions are: 16.1.1, 16.1.2, 16.1.3, 16.2.1, 16.2.2, 16.3.1, 16.3.2,...
Windows Kernel Time of Check Time of Use LPE in AuthzBasepCopyoutInternalSecurityAttributes
CVE-2024-30088 is a Windows Kernel Elevation of Privilege Vulnerability which affects many recent versions of Windows 10, Windows 11 and Windows Server 2022. The vulnerability exists inside the function called AuthzBasepCopyoutInternalSecurityAttributes, specifically when the kernel copies the...
CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free
The RDP termdd.sys driver improperly handles binds to the internal-only channel MS_T120, allowing a malformed Disconnect Provider Indication message to cause a use-after-free. With a controllable data/size remote non-paged pool spray, an indirect call gadget of the freed channel is used to achieve...
SQL Server Reporting Services (SSRS) ViewState Deserialization
A vulnerability exists within Microsoft's SQL Server Reporting Services which can allow an attacker to craft an HTTP POST request with a serialized object to achieve remote code execution. The vulnerability is due to the fact that the serialized blob is not signed by the server. This module...
GLPI htmLawed php command injection
This exploit takes advantage of an unauthenticated PHP command injection available in GLPI versions 10.0.2 and below to execute a command. Module Options msf use exploit/linux/http/glpihtmlawedphpinjection msf exploitglpihtmlawedphpinjection show targets ...targets... msf...
Misconfigured Certificate Template Finder
This module allows users to query an LDAP server for vulnerable certificate templates and will print these templates out in a table along with which attack they are vulnerable to and the SIDs that can be used to enroll in that certificate template. Additionally, the module will also print out a...
Shell to Meterpreter Upgrade
This module attempts to upgrade a command shell to Meterpreter. The shell platform is automatically detected and the best version of Meterpreter for the target is selected. Currently meterpreter/reverse_tcp is used on Windows and Linux, with 'python/meterpreter/reverse_tcp' used on all others. This...
Remote Code Execution Vulnerability in MotionEye Frontend (CVE-2025-60787)
This module exploits a template injection vulnerability in the MotionEye Frontend. MotionEye Frontend versions 0.43.1b4 and prior are vulnerable to OS Command Injection in configuration parameters such as image_file_name. Unsanitized user input is written to MotionEye Frontend configuration files,...
Microsoft Exchange ProxyShell RCE
This module exploits a vulnerability on Microsoft Exchange Server that allows an attacker to bypass the authentication (CVE-2021-31207), impersonate an arbitrary user (CVE-2021-34523) and write an arbitrary file (CVE-2021-34473) to achieve RCE (Remote Code Execution). By taking advantage of this...
Apache NiFi Credentials Gather
This module will grab Apache NiFi credentials from various files on Linux. Module Options msf use post/linux/gather/apachenificredentials msf postapachenificredentials show actions ...actions... msf postapachenificredentials set ACTION msf postapachenificredentials show options ...show and set...
Wifi Mouse RCE
The WiFi Mouse Mouse Server from Necta LLC contains an auth bypass, as the authentication is implemented entirely on the client side. By utilizing this vulnerability, it is possible to open a program on the server (cmd.exe in our case) and type commands that will be executed as the user...
WordPress Plugin Perfect Survey 1.5.1 SQLi (Unauthenticated)
This module exploits a SQL injection vulnerability in the Perfect Survey plugin for WordPress version 1.5.1. An unauthenticated attacker can exploit the SQLi to retrieve sensitive information such as usernames, emails, and password hashes from the wp_users table. Module Options msf use...
Log4Shell HTTP Scanner
Versions of Apache Log4j2 impacted by CVE-2021-44228, which allow JNDI features to be used in configuration, log messages, and parameters, do not protect against attacker-controlled LDAP and other JNDI-related endpoints. This module will scan an HTTP endpoint for the Log4Shell vulnerability by injectin...
pgAdmin Query Tool authenticated RCE (CVE-2025-2945)
This module exploits a vulnerability in pgAdmin where an authenticated user can establish a connection to the query tool and send a specific payload in the query_commited POST parameter. This payload is directly executed via a Python eval statement, resulting in remote code execution in versions...
Argus Surveillance DVR 4.0.0.0 - Directory Traversal
This module leverages an unauthenticated arbitrary file read in the Argus Surveillance 4.0.0.0 system, which has never received an update since. As this is a Windows application, we recommend looking for common Windows file locations, especially C:\ProgramData\PYSoftware\Argus Surveillance...
Appsmith RCE
An incorrectly configured PostgreSQL instance in the Appsmith image leads to remote command execution inside the Appsmith Docker container. Module Options msf use exploit/linux/http/appsmithrcecve202455964 msf exploitappsmithrcecve202455964 show targets ...targets... msf...