6847 matches found
HTTP Fetch
Fetch and execute an ARMLE payload from an HTTP server. Module Options msf use payload/cmd/linux/http/armle/meterpreterreversehttp msf payloadmeterpreterreversehttp show actions ...actions... msf payloadmeterpreterreversehttp set ACTION msf payloadmeterpreterreversehttp show options ...show and s...
HTTP Fetch, Linux Execute Command
Fetch and execute an ARMLE payload from an HTTP server. Execute an arbitrary command or just a /bin/sh shell Module Options msf use payload/cmd/linux/http/armle/exec msf payloadexec show actions ...actions... msf payloadexec set ACTION msf payloadexec show options ...show and set options... msf...
TFTP Fetch, Linux Command Shell, Reverse TCP Inline
Fetch and execute a MIPSLE payload from a TFTP server. Connect back to attacker and spawn a command shell Module Options msf use payload/cmd/linux/tftp/mipsle/shellreversetcp msf payloadshellreversetcp show actions ...actions... msf payloadshellreversetcp set ACTION msf payloadshellreversetcp sh...
TFTP Fetch, Linux Command Shell, Bind TCP Inline
Fetch and execute a RISC-V 64-bit payload from a TFTP server. Listen for a connection and spawn a command shell Module Options msf use payload/cmd/linux/tftp/riscv64le/shellbindtcp msf payloadshellbindtcp show actions ...actions... msf payloadshellbindtcp set ACTION msf payloadshellbindtcp show...
ManageEngine ServiceDesk Plus Unauthenticated SAML RCE
This exploits an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine ServiceDesk Plus versions 14003 and below (CVE-2022-47966). Due to a dependency on an outdated library (Apache Santuario version 1.4.1), it is possible to execute arbitrary code by providing a crafted...
Zyxel parse_config.py Command Injection
This module exploits vulnerabilities in multiple Zyxel devices including the VPN, USG and APT series. The affected firmware versions depend on the device module, see this module's documentation for more details. Note this module was unable to be tested against a real Zyxel device and was tested...
Adobe PDF Embedded EXE Social Engineering
This module embeds a Metasploit payload into an existing PDF file. The resulting PDF can be sent to a target as part of a social engineering attack. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModu...
AVideo Unauthenticated SQL Injection Credential Dump
AVideo use auxiliary/gather/avideocatnamesqli msf auxiliaryavideocatnamesqli show actions ...actions... msf auxiliaryavideocatnamesqli set ACTION msf auxiliaryavideocatnamesqli show options ...show and set options... msf auxiliaryavideocatnamesqli run This module requires Metasploit:...
n8n Workflow Expression Remote Code Execution
This module exploits a critical remote code execution vulnerability (CVE-2025-68613) in the n8n workflow automation platform. The vulnerability exists in the workflow expression evaluation system where user-supplied expressions enclosed in are evaluated in an execution context that is not...
TFTP Fetch, Linux Chmod
Fetch and execute a RISC-V 64-bit payload from a TFTP server. Runs chmod on the specified file with specified mode. Module Options msf use payload/cmd/linux/tftp/riscv64le/chmod msf payloadchmod show actions ...actions... msf payloadchmod set ACTION msf payloadchmod show options ...show and set...
Gladinet CentreStack/Triofox ASP.NET ViewState Deserialization
A vulnerability in Gladinet CentreStack and Triofox application using hardcoded cryptographic keys for ViewState could allow an attacker to forge ViewState data. This can lead to unauthorized actions such as remote code execution. Both applications make use of a hardcoded machineKey in the IIS...
HTTP Fetch, Linux Command Shell, Reverse TCP Inline
Fetch and execute an ARMLE payload from an HTTP server. Connect back to attacker and spawn a command shell Module Options msf use payload/cmd/linux/http/armle/shellreversetcp msf payloadshellreversetcp show actions ...actions... msf payloadshellreversetcp set ACTION msf payloadshellreversetcp sho...
HTTP Fetch, Windows Meterpreter Shell, Reverse TCP Inline x64
Fetch and execute an x64 payload from an HTTP server. Connect back to attacker and spawn a Meterpreter shell. Requires Windows XP SP2 or newer. Module Options msf use payload/cmd/windows/http/x64/meterpreterreversetcp msf payloadmeterpreterreversetcp show actions ...actions... msf...
OS Command Exec, Unix Command Shell, Reverse TCP (via AWK)
Execute an OS command from PHP. Creates an interactive shell via GNU AWK Module Options msf use payload/php/unix/cmd/reverseawk msf payloadreverseawk show actions ...actions... msf payloadreverseawk set ACTION msf payloadreverseawk show options ...show and set options... msf payloadreverseawk run...
BentoML RCE
A Remote Code Execution (RCE) vulnerability caused by insecure deserialization has been identified in v1.4.2 of BentoML. It allows any unauthenticated user to execute arbitrary code on the server. Module Options msf use exploit/linux/http/bentomlrcecve202527520 msf exploitbentomlrcecve202527520 sho...
Langflow AI RCE
Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code. Module Options msf use exploit/multi/http/langflowunauthrcecve20253248 msf...
TFTP Fetch, Linux Reboot
Fetch and execute a MIPSLE payload from a TFTP server. A very small shellcode for rebooting the system using the reboot syscall. This payload is sometimes helpful for testing purposes. Requires CAP_SYS_BOOT privileges. Module Options msf use payload/cmd/linux/tftp/mipsle/reboot msf payloadreboot...
WordPress TI WooCommerce Wishlist SQL Injection (CVE-2024-43917)
The TI WooCommerce Wishlist plugin use auxiliary/scanner/http/wptiwoocommercewishlistsqli msf auxiliarywptiwoocommercewishlistsqli show actions ...actions... msf auxiliarywptiwoocommercewishlistsqli set ACTION msf auxiliarywptiwoocommercewishlistsqli show options ...show and set options... msf...
Junos OS PHPRC Environment Variable Manipulation RCE
This module exploits a PHP environment variable manipulation vulnerability affecting Juniper SRX firewalls and EX switches. The affected Juniper devices run FreeBSD and every FreeBSD process can access their stdin by opening /dev/fd/0. The exploit also makes use of two useful PHP features. The...
Microsoft Exchange ProxyLogon Collector
This module exploits a vulnerability in Microsoft Exchange Server that allows an attacker to bypass authentication and impersonate the admin (CVE-2021-26855). By taking advantage of this vulnerability, it is possible to dump all mailboxes (emails, attachments, contacts, ...). This vulnerabili...
PHP Exec
Execute a PHP payload as an OS command from a Posix-compatible shell Module Options msf use payload/cmd/unix/php/meterpreterreversetcp msf payloadmeterpreterreversetcp show actions ...actions... msf payloadmeterpreterreversetcp set ACTION msf payloadmeterpreterreversetcp show options ...show and...
Palo Alto Expedition Remote Code Execution (CVE-2024-5910 and CVE-2024-9464)
Obtain remote code execution in Palo Alto Expedition version 1.2.91 and below. The first vulnerability, CVE-2024-5910, allows resetting the password of the admin user, and the second vulnerability, CVE-2024-9464, is an authenticated OS command injection. In a default installation, commands will ge...
Camaleon CMS Directory Traversal CVE-2024-46987
Exploits CVE-2024-46987, an authenticated directory traversal vulnerability in Camaleon CMS versions use auxiliary/gather/camaleondownloadprivatefile msf auxiliarycamaleondownloadprivatefile show actions ...actions... msf auxiliarycamaleondownloadprivatefile set ACTION msf...
Windows Persistence Bits Job
This module establishes persistence through a BITS job that downloads and executes a payload. Background Intelligent Transfer Service (BITS) is a Windows service for transferring files in the background using idle network bandwidth. BITS jobs are persistent and will resume across reboots until...
Windows Service for User (S4U) Scheduled Task Persistence - Schedule Trigger
Creates a scheduled task that will run using service-for-user (S4U). This allows the scheduled task to run even as an unprivileged user that is not logged into the device. This will result in a lower security context, allowing access to local resources only. The module requires 'Logon as a batch job'...
Oracle E-Business Suite CVE-2025-61882 RCE
This module exploits CVE-2025-61882 in Oracle E-Business Suite by combining SSRF, Path Traversal, HTTP request smuggling and XSLT injection. The exploit hosts a malicious XSL file that the target will fetch and process, leading to RCE. This module provides an interactive shell session. Vulnerable...
Obsidian Plugin Persistence
This module searches for Obsidian vaults for a user, and uploads a malicious community plugin to the vault. The vaults must be opened with community plugins enabled (NOT restricted mode), but the plugin will be enabled automatically. Tested against Obsidian 1.7.7 on Kali, Ubuntu 22.04, and Windows...
HTTP Fetch
Fetch and execute an ARMLE payload from an HTTP server. Module Options msf use payload/cmd/linux/http/armle/meterpreterreversetcp msf payloadmeterpreterreversetcp show actions ...actions... msf payloadmeterpreterreversetcp set ACTION msf payloadmeterpreterreversetcp show options ...show and set...
WordPress Backup Migration Plugin PHP Filter Chain RCE
This module exploits an unauth RCE in the WordPress plugin: Backup Migration use exploit/multi/http/wpbackupmigrationphpfilter msf exploitwpbackupmigrationphpfilter show targets ...targets... msf exploitwpbackupmigrationphpfilter set TARGET msf exploitwpbackupmigrationphpfilter show options ...sh...
Car Rental System 1.0 File Upload RCE (Authenticated)
This module exploits an authenticated remote code execution vulnerability in the Online Car Rental System 1.0 via the changeimage1.php endpoint. An authenticated attacker can upload malicious PHP scripts without proper validation, enabling arbitrary code execution on the server. Module Options ms...
HTTP Fetch, Reverse TCP Stager
Fetch and execute an ARMLE payload from an HTTP server. Connect back to the attacker Module Options msf use payload/cmd/linux/http/armle/meterpreter/reversetcp msf payloadreversetcp show actions ...actions... msf payloadreversetcp set ACTION msf payloadreversetcp show options ...show and set...
Chamilo v1.11.24 Unrestricted File Upload PHP Webshell
Chamilo LMS is a free software e-learning and content management system. In versions prior to use exploit/linux/http/chamilobiguploadwebshell msf exploitchamilobiguploadwebshell show targets ...targets... msf exploitchamilobiguploadwebshell set TARGET msf exploitchamilobiguploadwebshell show...
HTTPS Fetch, Windows Meterpreter Shell, Reverse TCP Inline
Fetch and execute an x86 payload from an HTTPS server. Connect back to attacker and spawn a Meterpreter shell. Requires Windows XP SP2 or newer. Module Options msf use payload/cmd/windows/https/x86/meterpreterreversetcp msf payloadmeterpreterreversetcp show actions ...actions... msf...
HTTPS Fetch, Linux Command Shell, Reverse TCP Inline
Fetch and execute a PPC64 payload from an HTTPS server. Connect back to attacker and spawn a command shell Module Options msf use payload/cmd/linux/https/ppc64/shellreversetcp msf payloadshellreversetcp show actions ...actions... msf payloadshellreversetcp set ACTION msf payloadshellreversetcp...
HTTP Fetch
Fetch and execute a MIPSLE payload from an HTTP server. Module Options msf use payload/cmd/linux/http/mipsle/meterpreterreversetcp msf payloadmeterpreterreversetcp show actions ...actions... msf payloadmeterpreterreversetcp set ACTION msf payloadmeterpreterreversetcp show options ...show and set...
Kerberos TGT/TGS Ticket Requester
This module requests TGT/TGS Kerberos tickets from the KDC Module Options msf use auxiliary/admin/kerberos/getticket msf auxiliarygetticket show actions ...actions... msf auxiliarygetticket set ACTION msf auxiliarygetticket show options ...show and set options... msf auxiliarygetticket run This...
BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) unauthenticated Remote Code Execution
This exploit achieves unauthenticated remote code execution against BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS). The module targets CVE-2026-1731, a direct command injection affecting RS versions 25.3.1 and prior, and PRA versions 24.3.4 and prior. Exploitation occurs with the...
FreePBX firmware file upload
The FreePBX versions prior to 16.0.44,16.0.92 and 17.0.6,17.0.23 are vulnerable to multiple CVEs, specifically CVE-2025-66039 and CVE-2025-61678, in the context of this module. The versions before 16.0.44 and 17.0.23 are vulnerable to CVE-2025-66039, while versions before 16.0.92 and 17.0.6 are...
HTTPS Fetch, Linux Command Shell, Find Port Inline
Fetch and execute a PPC64 payload from an HTTPS server. Spawn a shell on an established connection Module Options msf use payload/cmd/linux/https/ppc64/shellfindport msf payloadshellfindport show actions ...actions... msf payloadshellfindport set ACTION msf payloadshellfindport show options...
HTTP Fetch, Linux Command Shell, Reverse TCP Stager
Fetch and execute a MIPSBE payload from an HTTP server. Spawn a command shell (staged). Connect back to the attacker Module Options msf use payload/cmd/linux/http/mipsbe/shell/reversetcp msf payloadreversetcp show actions ...actions... msf payloadreversetcp set ACTION msf payloadreversetcp show...
TerraMaster TOS 4.2.29 or lower - Unauthenticated RCE chaining CVE-2022-24990 and CVE-2022-24989
This module exploits an unauthenticated remote code execution vulnerability in TerraMaster TOS 4.2.29 and lower by chaining two existing vulnerabilities, CVE-2022-24990 "Leaking sensitive information" and CVE-2022-24989, "Authenticated remote code execution". Exploiting vulnerable endpoint...
ThinManager Path Traversal (CVE-2023-2915) Arbitrary File Delete
This module exploits a path traversal vulnerability CVE-2023-2915 in ThinManager use auxiliary/admin/networking/thinmanagertraversaldelete msf auxiliarythinmanagertraversaldelete show actions ...actions... msf auxiliarythinmanagertraversaldelete set ACTION msf auxiliarythinmanagertraversaldelete...
Sante PACS Server Path Traversal (CVE-2025-2264)
This module exploits a path traversal vulnerability CVE-2025-2264 in Sante PACS Server use auxiliary/gather/pacsservertraversal msf auxiliarypacsservertraversal show actions ...actions... msf auxiliarypacsservertraversal set ACTION msf auxiliarypacsservertraversal show options ...show and set...
HTTP Fetch, Linux Command Shell, Reverse TCP Inline
Fetch and execute a MIPSBE payload from an HTTP server. Connect back to attacker and spawn a command shell Module Options msf use payload/cmd/linux/http/mipsbe/shellreversetcp msf payloadshellreversetcp show actions ...actions... msf payloadshellreversetcp set ACTION msf payloadshellreversetcp...
FreePBX Custom Extension SQL Injection
FreePBX versions prior to 16.0.44,16.0.92 and 17.0.23,17.0.6 are vulnerable to multiple CVEs, specifically CVE-2025-66039 and CVE-2025-61675, in the context of this module. The versions before 16.0.44 and 17.0.23 are vulnerable to CVE-2025-66039, while versions before 16.0.92 and 17.0.6 are...
Prison Management System 1.0 Authenticated RCE via Unrestricted File Upload
This module exploits an unrestricted file upload vulnerability in Prison Management System 1.0. An authenticated user can upload a PHP file with arbitrary content by abusing the avatar upload functionality in the add-admin.php endpoint. The application fails to properly validate the uploaded file...
N-able N-Central Authentication Bypass and XXE Scanner
This module scans for vulnerable N-able N-Central instances affected by CVE-2025-9316 (Unauthenticated Session Bypass) and CVE-2025-11700 (XXE). The module attempts to exploit CVE-2025-9316 by sending a sessionHello SOAP request to the ServerMMS endpoint with various appliance IDs to obtain an...
HTTP Fetch, Linux Execute Command
Fetch and execute a MIPSLE payload from an HTTP server. A very small shellcode for executing commands. This module is sometimes helpful for testing purposes as well as on targets with extremely limited buffer space. Module Options msf use payload/cmd/linux/http/mipsle/exec msf payloadexec show...
BadSuccessor: dMSA abuse to Escalate Privileges in Windows Active Directory
This module exploits 'Bad Successor', which allows operators to elevate privileges on domain controllers running at the Windows 2025 forest functional level. Microsoft decided to introduce Delegated Managed Service Accounts in this forest level and they came ripe for exploitation. Normal users...
PandoraFMS Netflow Authenticated Remote Code Execution
This module exploits a command injection vulnerability in Netflow component of PandoraFMS. The module requires a set of user credentials to modify Netflow settings. Also, Netflow binaries have to be present on the system. Module Options msf use exploit/linux/http/pandorafmsauthnetflowrce msf...