AVideo notify.ffmpeg.json.php Unauthenticated RCE via Salt Discovery

This module exploits an unauthenticated remote code execution RCE vulnerability in AVideo's notify.ffmpeg.json.php endpoint. The vulnerability stems from a critical cryptographic weakness in the salt generation mechanism combined with information disclosure vulnerabilities that allow an attacker ...

HTTP Fetch, Linux Command Shell, Bind TCP Inline

Fetch and execute an RISC-V 64-bit payload from an HTTP server. Listen for a connection and spawn a command shell Module Options msf use payload/cmd/linux/http/riscv64le/shellbindtcp msf payloadshellbindtcp show actions ...actions... msf payloadshellbindtcp set ACTION msf payloadshellbindtcp show...

WordPress wp-automatic Plugin SQLi Admin Creation

This module exploits an unauthenticated SQL injection vulnerability in the WordPress wp-automatic plugin versions use exploit/multi/http/wpautomaticsqlitorce msf exploitwpautomaticsqlitorce show targets ...targets... msf exploitwpautomaticsqlitorce set TARGET msf exploitwpautomaticsqlitorce show...

Fortinet FortiManager Unauthenticated RCE

This module exploits a missing authentication vulnerability affecting FortiManager and FortiManager Cloud devices to achieve unauthenticated RCE with root privileges. The vulnerable FortiManager versions are: 7.6.0 7.4.0 through 7.4.4 7.2.0 through 7.2.7 7.0.0 through 7.0.12 6.4.0 through 6.4.14...

Chaos RAT XSS to RCE

CHAOS v5.0.8 is a free and open-source Remote Administration Tool that allows generated binaries to control remote operating systems. The webapp contains a remote command execution vulnerability which can be triggered by an authenticated user when generating a new executable. The webapp also...

HTTP Fetch, Windows x64 IPv6 Bind TCP Stager

Fetch and execute an x64 payload from an HTTP server. Listen for an IPv6 connection Windows x64 Module Options msf use payload/cmd/windows/http/x64/peinject/bindipv6tcp msf payloadbindipv6tcp show actions ...actions... msf payloadbindipv6tcp set ACTION msf payloadbindipv6tcp show options ...show...

OS Command Exec, Unix Command Shell, Bind TCP (via Ruby)

Execute an OS command from PHP. Continually listen for a connection and spawn a command shell via Ruby Module Options msf use payload/php/unix/cmd/bindruby msf payloadbindruby show actions ...actions... msf payloadbindruby set ACTION msf payloadbindruby show options ...show and set options... msf...

TFTP Fetch, Linux dup2 Command Shell, Bind TCP Stager

Fetch and execute an ARMLE payload from a TFTP server. dup2 socket in r12, then execve. Listen for a connection Module Options msf use payload/cmd/linux/tftp/armle/shell/bindtcp msf payloadbindtcp show actions ...actions... msf payloadbindtcp set ACTION msf payloadbindtcp show options ...show and...

TFTP Fetch, Linux Command Shell, Bind TCP Inline

Fetch and execute an MIPSLE payload from a TFTP server. Listen for a connection and spawn a command shell Module Options msf use payload/cmd/linux/tftp/mipsle/shellbindtcp msf payloadshellbindtcp show actions ...actions... msf payloadshellbindtcp set ACTION msf payloadshellbindtcp show options...

Microsoft Exchange ProxyLogon RCE

This module exploit a vulnerability on Microsoft Exchange Server that allows an attacker bypassing the authentication, impersonating as the admin CVE-2021-26855 and write arbitrary file CVE-2021-27065 to get the RCE Remote Code Execution. By taking advantage of this vulnerability, you can execute...

HTTPS Fetch, Linux Command Shell, Bind TCP Inline

Fetch and execute an MIPSLE payload from an HTTPS server. Listen for a connection and spawn a command shell Module Options msf use payload/cmd/linux/https/ppc/shellbindtcp msf payloadshellbindtcp show actions ...actions... msf payloadshellbindtcp set ACTION msf payloadshellbindtcp show options...

OS Command Exec, Unix Command Shell, Reverse TCP SSL (via Ruby)

Execute an OS command from PHP. Connect back and create a command shell via Ruby, uses SSL Module Options msf use payload/php/unix/cmd/reverserubyssl msf payloadreverserubyssl show actions ...actions... msf payloadreverserubyssl set ACTION msf payloadreverserubyssl show options ...show and set...

TFTP Fetch, Linux Command Shell, Bind TCP Inline

Fetch and execute an PPC64 payload from a TFTP server. Listen for a connection and spawn a command shell Module Options msf use payload/cmd/linux/tftp/ppc64/shellbindtcp msf payloadshellbindtcp show actions ...actions... msf payloadshellbindtcp set ACTION msf payloadshellbindtcp show options...

PHP CGI Argument Injection

When run as a CGI, PHP up to version 5.3.12 and 5.4.2 is vulnerable to an argument injection vulnerability. This module takes advantage of the -d flag to set php.ini directives to achieve code execution. From the advisory: "if there is NO unescaped '=' in the query string, the string is split on...

Notepad++ Plugin Persistence

This module create persistence by adding a malicious plugin to Notepad++, as it blindly loads and executes DLL from its plugin directory on startup, meaning that the payload will be executed every time Notepad++ is launched. Module Options msf use exploit/windows/persistence/notepadppplugin msf...

ChurchInfo 1.2.13-1.3.0 Authenticated RCE

This module exploits the logic in the CartView.php page when crafting a draft email with an attachment. By uploading an attachment for a draft email, the attachment will be placed in the /tmpattach/ folder of the ChurchInfo web server, which is accessible over the web by any user. By uploading a...

Redis Lua Sandbox Escape

This module exploits CVE-2022-0543, a Lua-based Redis sandbox escape. The vulnerability was introduced by Debian and Ubuntu Redis packages that insufficiently sanitized the Lua environment. The maintainers failed to disable the package interface, allowing attackers to load arbitrary libraries. On...

Vesta Control Panel Authenticated Remote Code Execution

This module exploits an authenticated command injection vulnerability in the v-list-user-backups bash script file in Vesta Control Panel to gain remote code execution as the root user. This module requires Metasploit: https://metasploit.com/download Current source:...

Persistence Exploit Suggester

This module suggests persistence modules that can be used. The modules are suggested based on the architecture and platform that the user has a shell opened as well as the available exploits in meterpreter. It's important to note that not all modules will be checked. Exploits are chosen based on...

OS Command Exec, Unix Command Shell, Bind TCP (via jjs)

Execute an OS command from PHP. Listen for a connection and spawn a command shell via jjs Module Options msf use payload/php/unix/cmd/bindjjs msf payloadbindjjs show actions ...actions... msf payloadbindjjs set ACTION msf payloadbindjjs show options ...show and set options... msf payloadbindjjs r...

OS Command Exec, Unix Command Shell, Bind TCP (via Zsh)

Execute an OS command from PHP. Listen for a connection and spawn a command shell via Zsh. Note: Although Zsh is often available, please be aware it isn't usually installed by default. Module Options msf use payload/php/unix/cmd/bindzsh msf payloadbindzsh show actions ...actions... msf...

Strapi CMS Unauthenticated Password Reset

This module abuses the mishandling of a password reset request for Strapi CMS version 3.0.0-beta.17.4 to change the password of the admin user. Successfully tested against Strapi CMS version 3.0.0-beta.17.4. Module Options msf use auxiliary/scanner/http/strapi3passwordreset msf...

Ivanti Connect Secure Unauthenticated Remote Code Execution

This module chains an authentication bypass vulnerability CVE-2023-46805 and a command injection vulnerability CVE-2024-21887 to exploit vulnerable instances of either Ivanti Connect Secure or Ivanti Policy Secure, to achieve unauthenticated remote code execution. All currently supported versions...

Apache James Server 2.3.2 Insecure User Creation Arbitrary File Write

This module exploits a vulnerability that exists due to a lack of input validation when creating a user. Messages for a given user are stored in a directory partially defined by the username. By creating a user with a directory traversal payload as the username, commands can be written to a given...

OS Command Exec, Unix Command Shell, Reverse TCP (via nodejs)

Execute an OS command from PHP. Continually listen for a connection and spawn a command shell via nodejs Module Options msf use payload/php/unix/cmd/reversenodejs msf payloadreversenodejs show actions ...actions... msf payloadreversenodejs set ACTION msf payloadreversenodejs show options ...show...

TFTP Fetch, Windows Encrypted Reverse Shell

Fetch and execute an x64 payload from a TFTP server. Connect back to attacker and spawn an encrypted command shell Module Options msf use payload/cmd/windows/tftp/x64/encryptedshellreversetcp msf payloadencryptedshellreversetcp show actions ...actions... msf payloadencryptedshellreversetcp set...

Burp Extension Persistence

This module adds a java based malicious extension to the Burp Suite configuration file. When burp is opened, the extension will be loaded and the payload will be executed. Tested against Burp Suite Community Edition v2024.9.4, on Ubuntu Desktop 24.04. Tested against Burp Suite Community Edition...

OS Command Exec, Unix Command Shell, Bind TCP (via Lua)

Execute an OS command from PHP. Listen for a connection and spawn a command shell via Lua Module Options msf use payload/php/unix/cmd/bindlua msf payloadbindlua show actions ...actions... msf payloadbindlua set ACTION msf payloadbindlua show options ...show and set options... msf payloadbindlua r...

OS Command Exec, Unix Command Shell, Reverse UDP (via socat)

Execute an OS command from PHP. Creates an interactive shell via socat Module Options msf use payload/php/unix/cmd/reversesocatudp msf payloadreversesocatudp show actions ...actions... msf payloadreversesocatudp set ACTION msf payloadreversesocatudp show options ...show and set options... msf...

HTTP Fetch

Fetch and execute a PPC64LE payload from an HTTP server. Module Options msf use payload/cmd/linux/http/ppc64le/meterpreterreversehttps msf payloadmeterpreterreversehttps show actions ...actions... msf payloadmeterpreterreversehttps set ACTION msf payloadmeterpreterreversehttps show options ...sho...

HTTP Fetch, Windows shellcode stage, Windows x64 Reverse HTTP Stager (wininet)

Fetch and execute an x64 payload from an HTTP server. Custom shellcode stage. Tunnel communication over HTTP Windows x64 wininet Module Options msf use payload/cmd/windows/http/x64/custom/reversehttp msf payloadreversehttp show actions ...actions... msf payloadreversehttp set ACTION msf...

GitLab Password Reset Account Takeover

This module exploits an account-take-over vulnerability that allows users to take control of a gitlab account without user interaction. The vulnerability lies in the password reset functionality. Its possible to provide 2 emails and the reset code will be sent to both. It is therefore possible to...

Ivanti Connect Secure Unauthenticated Remote Code Execution

This module chains a server side request forgery SSRF vulnerability CVE-2024-21893 and a command injection vulnerability CVE-2024-21887 to exploit vulnerable instances of either Ivanti Connect Secure or Ivanti Policy Secure, to achieve unauthenticated remote code execution. All currently supporte...

Add a new user to the system

This command adds a new user to the system Module Options msf use post/linux/manage/adduser msf postadduser show actions ...actions... msf postadduser set ACTION msf postadduser show options ...show and set options... msf postadduser run This module requires Metasploit:...

openDCIM install.php SQL Injection to RCE

This module exploits a SQL injection vulnerability in openDCIM's install.php endpoint CVE-2026-28515 to achieve remote code execution. The install.php script remains accessible after installation and processes LDAP configuration parameters via UpdateParameter without authentication or input...

OS Command Exec, Unix Command Shell, Reverse TCP (via netcat -e)

Execute an OS command from PHP. Creates an interactive shell via netcat Module Options msf use payload/php/unix/cmd/reversenetcatgaping msf payloadreversenetcatgaping show actions ...actions... msf payloadreversenetcatgaping set ACTION msf payloadreversenetcatgaping show options ...show and set...

HTTP Fetch, Linux Command Shell, Reverse TCP Inline

Fetch and execute an PPC64 payload from an HTTP server. Connect back to attacker and spawn a command shell Module Options msf use payload/cmd/linux/http/ppc64/shellreversetcp msf payloadshellreversetcp show actions ...actions... msf payloadshellreversetcp set ACTION msf payloadshellreversetcp sho...

TFTP Fetch

Fetch and execute an ARMLE payload from a TFTP server. Module Options msf use payload/cmd/linux/tftp/armle/meterpreterreversehttp msf payloadmeterpreterreversehttp show actions ...actions... msf payloadmeterpreterreversehttp set ACTION msf payloadmeterpreterreversehttp show options ...show and se...

Traccar v5 Remote Code Execution (CVE-2024-31214 and CVE-2024-24809)

Remote Code Execution in Traccar v5.1 - v5.12. Remote code execution can be obtained by combining two vulnerabilities: A path traversal vulnerability CVE-2024-24809 and an unrestricted file upload vulnerability CVE-2024-31214. By default, the application allows self-registration, enabling any use...

AVideo WWBNIndex Plugin Unauthenticated RCE

This module exploits an unauthenticated remote code execution RCE vulnerability in the WWBNIndex plugin of the AVideo platform. The vulnerability exists within the submitIndex.php file, where user-supplied input is passed directly to the require function without proper sanitization. By exploiting...

Icingaweb Directory Traversal in Static Library File Requests

Icingaweb versions from 2.9.0 to 2.9.5 inclusive, and 2.8.0 to 2.8.5 inclusive suffer from an unauthenticated directory traversal vulnerability. The vulnerability is triggered through the icinga-php-thirdparty library, which allows unauthenticated users to retrieve arbitrary files from the target...

Syncovery For Linux Web-GUI Login Utility

This module will attempt to authenticate to Syncovery File Sync & Backup Software For Linux Web-GUI. Module Options msf use auxiliary/scanner/http/syncoverylinuxlogin msf auxiliarysyncoverylinuxlogin show actions ...actions... msf auxiliarysyncoverylinuxlogin set ACTION msf...

pfSense Diag Routes Web Shell Upload

This module exploits an arbitrary file creation vulnerability in the pfSense HTTP interface CVE-2021-41282. The vulnerability affects versions use exploit/unix/http/pfsensediagrouteswebshell msf exploitpfsensediagrouteswebshell show targets ...targets... msf exploitpfsensediagrouteswebshell set...

Microsoft Office Word Malicious MSHTML RCE

This module creates a malicious docx file that when opened in Word on a vulnerable Windows system will lead to code execution. This vulnerability exists because an attacker can craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine...

Multi Gather Ubiquiti UniFi Controller Backup

On an Ubiquiti UniFi controller, reads the system.properties configuration file and downloads the backup and autobackup files. The files are then decrypted using a known encryption key, then attempted to be repaired by zip. Meterpreter must be used due to the large file sizes, which can be flaky ...

HTTPS Fetch, Reverse TCP Stager

Fetch and execute an MIPSBE payload from an HTTPS server. Connect back to the attacker Module Options msf use payload/cmd/linux/https/mipsbe/meterpreter/reversetcp msf payloadreversetcp show actions ...actions... msf payloadreversetcp set ACTION msf payloadreversetcp show options ...show and set...

Windows Telemetry Persistence

This persistence mechanism installs a new telemetry provider for windows. If telemetry is turned on, when the scheduled task launches, it will execute the telemetry provider and execute our payload with system permissions. Module Options msf use exploit/windows/persistence/telemetry msf...

Clinic's Patient Management System 1.0 - Unauthenticated RCE

This module exploits an SQL injection in login portal, which allows to log in as admin. Next, it allows the attacker to upload malicious files through user modification to achieve RCE. Module Options msf use exploit/multi/http/clinicpmssqlitorce msf exploitclinicpmssqlitorce show targets...

HTTPS Fetch, Windows x64 Reverse TCP Stager

Fetch and execute an x64 payload from an HTTPS server. Connect back to the attacker Windows x64 Module Options msf use payload/cmd/windows/https/x64/meterpreter/reversetcp msf payloadreversetcp show actions ...actions... msf payloadreversetcp set ACTION msf payloadreversetcp show options ...show...

Powershell Exec, Windows Meterpreter Shell, Bind Named Pipe Inline

Execute an x86 payload from a command via PowerShell. Connect to victim and spawn a Meterpreter shell. Requires Windows XP SP2 or newer. Module Options msf use payload/cmd/windows/powershell/meterpreterbindnamedpipe msf payloadmeterpreterbindnamedpipe show actions ...actions... msf...