Langflow RCE
The CSV Agent node in Langflow hardcodes allow_dangerous_code=True, which automatically exposes LangChain's Python REPL tool (python_repl_ast). As a result, an attacker can execute arbitrary Python and OS commands on the server via prompt injection, leading to full Remote Code Execution (RCE). Module...
Palo Alto Networks PAN-OS Management Interface Unauthenticated Remote Code Execution
This module exploits an authentication bypass vulnerability (CVE-2024-0012) and a command injection vulnerability (CVE-2024-9474) in the PAN-OS management web interface. An unauthenticated attacker can execute arbitrary code with root privileges. The following versions are affected: PAN-OS 11.2 up to...
Ivanti Virtual Traffic Manager Authentication Bypass (CVE-2024-7593)
This module exploits an access control issue in Ivanti Virtual Traffic Manager (vTM), by adding a new administrative user to the web interface of the application. Affected versions include 22.7R1, 22.6R1, 22.5R1, 22.3R2, 22.3, 22.2. Module Options msf use auxiliary/admin/http/ivantivtmadmin msf...
Ansible Config Gather
This module will grab ansible information including hosts, ping status, and the configuration file. Module Options msf use post/linux/gather/ansible msf postansible show actions ...actions... msf postansible set ACTION msf postansible show options ...show and set options... msf postansible run Th...
F5 Big-IP Gather Information from MCP Datastore
This module gathers various interesting pieces of data from F5's "mcp" datastore, which is accessed via /var/run/mcp using a proprietary protocol. Adapted from: https://github.com/rbowes-r7/refreshing-mcp-tool/blob/main/mcp-getloot.rb Module Options msf use post/linux/gather/f5lootmcp msf...
HTTPS Fetch
Fetch and execute a MIPSBE payload from an HTTPS server. Module Options msf use payload/cmd/linux/https/mipsbe/meterpreterreversehttp msf payloadmeterpreterreversehttp show actions ...actions... msf payloadmeterpreterreversehttp set ACTION msf payloadmeterpreterreversehttp show options ...show a...
WhatsUp Gold SQL Injection (CVE-2024-6670)
This module exploits a SQL injection vulnerability in WhatsUp Gold, by changing the password of an existing user (such as the default admin account) to an attacker-controlled one. WhatsUp Gold versions use auxiliary/admin/http/whatsupgoldsqli msf auxiliarywhatsupgoldsqli show actions ...actions...
Vicidial SQL Injection Time-based Admin Credentials Enumeration
This module exploits a time-based SQL injection vulnerability in VICIdial, allowing attackers to dump admin credentials (usernames and passwords) via SQL injection. Module Options msf use auxiliary/scanner/http/vicidialsqlenumuserspass msf auxiliaryvicidialsqlenumuserspass show actions ...actions...
OSX Meterpreter, Reverse HTTP Inline
Run the Meterpreter / Mettle server payload (stageless). Module Options msf use payload/osx/aarch64/meterpreterreversehttp msf payloadmeterpreterreversehttp show actions ...actions... msf payloadmeterpreterreversehttp set ACTION msf payloadmeterpreterreversehttp show options ...show and set options...
VMWare Aria Operations for Networks (vRealize Network Insight) pre-authenticated RCE
VMWare Aria Operations for Networks (vRealize Network Insight) is vulnerable to command injection when accepting user input through the Apache Thrift RPC interface. This vulnerability allows a remote unauthenticated attacker to execute arbitrary commands on the underlying operating system as the ro...
HTTP Fetch, Windows x64 Reverse Named Pipe (SMB) Stager
Fetch and execute an x64 payload from an HTTP server. Connect back to the attacker via a named pipe pivot Module Options msf use payload/cmd/windows/http/x64/peinject/reversenamedpipe msf payloadreversenamedpipe show actions ...actions... msf payloadreversenamedpipe set ACTION msf...
WebDAV PHP Upload
This module exploits WebDAV servers that also have PHP enabled, such as those found on XAMPP servers. It does so by using any supplied credentials to upload a PHP payload via WebDAV and then execute it. Module Options msf use exploit/multi/http/webdavuploadphp msf exploitwebdavuploadphp show targets...
TFTP Fetch
Fetch and execute a PPC payload from a TFTP server. Module Options msf use payload/cmd/linux/tftp/ppc/meterpreterreversehttps msf payloadmeterpreterreversehttps show actions ...actions... msf payloadmeterpreterreversehttps set ACTION msf payloadmeterpreterreversehttps show options ...show and s...
HTTP Fetch, Windows shellcode stage, Reverse TCP Stager with UUID Support (Windows x64)
Fetch and execute an x64 payload from an HTTP server. Custom shellcode stage. Connect back to the attacker with UUID Support (Windows x64). Module Options msf use payload/cmd/windows/http/x64/custom/reversetcpuuid msf payloadreversetcpuuid show actions ...actions... msf payloadreversetcpuuid set...
Squid Proxy Range Header DoS
The range handler in the Squid Caching Proxy Server 3.0-4.1.4 and 5.0.1-5.0.5 suffers from multiple vulnerabilities triggered by specific HTTP requests and responses. These vulnerabilities allow remote attackers to cause a denial of service through specifically crafted requests. Module Options ms...
Authenticated RCE in Splunk (SimpleXML dashboard PDF generation)
This Metasploit module exploits a Remote Code Execution (RCE) vulnerability in Splunk Enterprise. An attacker can inject arbitrary Python code into style parameters, such as the fillColor or lineColor of a sparkline element within a Splunk SimpleXML dashboard. The malicious code is executed when a...
CrushFTP Unauthenticated Arbitrary File Read
This module leverages an unauthenticated server-side template injection vulnerability in CrushFTP use auxiliary/gather/crushftpfilereadcve20244040 msf auxiliarycrushftpfilereadcve20244040 show actions ...actions... msf auxiliarycrushftpfilereadcve20244040 set ACTION msf...
HTTP Fetch, Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager
Fetch and execute an x64 payload from an HTTP server. Spawn a piped command shell (Windows x64) (staged). Listen for an IPv6 connection (Windows x64). Module Options msf use payload/cmd/windows/http/x64/shell/bindipv6tcp msf payloadbindipv6tcp show actions ...actions... msf payloadbindipv6tcp set ACTION...
VMware NSX Manager XStream unauthenticated RCE
VMware Cloud Foundation NSX-V contains a remote code execution vulnerability via XStream open source library. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. Due to an unauthenticated endpoint that leverages XStream for...
Nagios XI Autodiscovery Webshell Upload
This module exploits a path traversal issue in Nagios XI before version 5.8.5 (CVE-2021-37343). The path traversal allows a remote and authenticated administrator to upload a PHP web shell and execute code as www-data. The module achieves this by creating an autodiscovery job with an id field...
UniFi Network Application Unauthenticated JNDI Injection RCE (via Log4Shell)
The Ubiquiti UniFi Network Application versions 5.13.29 through 6.5.53 are affected by the Log4Shell vulnerability whereby a JNDI string can be sent to the server via the 'remember' field of a POST request to the /api/login endpoint that will cause the server to connect to the attacker and...
TFTP Fetch, Linux Reboot
Fetch and execute a RISC-V 32-bit payload from a TFTP server. A very small shellcode for rebooting the system using the reboot syscall. This payload is sometimes helpful for testing purposes. Requires CAP_SYS_BOOT privileges. Module Options msf use payload/cmd/linux/tftp/riscv32le/reboot msf...
Halloy IRC Credential Gatherer
This module searches for credentials stored on Halloy IRC Client on a Windows host. Module Options msf use post/windows/gather/credentials/halloyirc msf posthalloyirc show actions ...actions... msf posthalloyirc set ACTION msf posthalloyirc show options ...show and set options... msf posthalloyir...
Role Base Constrained Delegation
This module can read and write the necessary LDAP attributes to configure a particular object for Role Based Constrained Delegation (RBCD). When writing, the module will add an access control entry to allow the account specified in DELEGATE_FROM to the object specified in DELEGATE_TO. In order for th...
SolarWinds Web Help Desk Backdoor (CVE-2024-28987)
This module exploits a backdoor in SolarWinds Web Help Desk use auxiliary/gather/solarwindswebhelpdeskbackdoor msf auxiliarysolarwindswebhelpdeskbackdoor show actions ...actions... msf auxiliarysolarwindswebhelpdeskbackdoor set ACTION msf auxiliarysolarwindswebhelpdeskbackdoor show options ...sho...
Windows Service for User (S4U) Scheduled Task Persistence - Logon Trigger
Creates a scheduled task that will run using service-for-user (S4U). This allows the scheduled task to run even as an unprivileged user that is not logged into the device. This will result in lower security context, allowing access to local resources only. The module requires 'Logon as a batch job'...
HTTP Fetch, Windows x64 Reverse TCP Stager
Fetch and execute an x64 payload from an HTTP server. Connect back to the attacker (Windows x64). Module Options msf use payload/cmd/windows/http/x64/vncinject/reversetcp msf payloadreversetcp show actions ...actions... msf payloadreversetcp set ACTION msf payloadreversetcp show options ...show and...
Reverse Lookup IP Addresses
This module reverse resolves an IP address or IP address range to hostnames. Module Options msf use post/multi/recon/reverselookup msf postreverselookup show actions ...actions... msf postreverselookup set ACTION msf postreverselookup show options ...show and set options... msf postreverselookup...
cPanel/WHM CRLF Injection Authentication Bypass RCE
Exploits CVE-2026-41940, a CRLF injection in cPanel/WHM's cpsrvd daemon that allows unauthenticated remote code execution as root. The Basic-auth handler writes the password to the raw session file without stripping newlines. Omitting the ob-part of the session cookie bypasses the encoder, so...
TFTP Fetch, Linux Command Shell, Bind TCP Inline
Fetch and execute a PPC payload from a TFTP server. Listen for a connection and spawn a command shell. Module Options msf use payload/cmd/linux/tftp/ppc/shellbindtcp msf payloadshellbindtcp show actions ...actions... msf payloadshellbindtcp set ACTION msf payloadshellbindtcp show options ...show...
HTTPS Fetch, Linux Command Shell, Reverse TCP Inline
Fetch and execute an AARCH64 payload from an HTTPS server. Connect back to attacker and spawn a command shell Module Options msf use payload/cmd/linux/https/aarch64/shellreversetcp msf payloadshellreversetcp show actions ...actions... msf payloadshellreversetcp set ACTION msf payloadshellreverset...
HTTP Fetch, Bind TCP Stager
Fetch and execute an ARMLE payload from an HTTP server. Listen for a connection Module Options msf use payload/cmd/linux/http/armle/meterpreter/bindtcp msf payloadbindtcp show actions ...actions... msf payloadbindtcp set ACTION msf payloadbindtcp show options ...show and set options... msf...
HTTPS Fetch, Windows x64 Command Shell, Bind TCP Stager with UUID Support (Windows x64)
Fetch and execute an x64 payload from an HTTPS server. Spawn a piped command shell (Windows x64) (staged). Listen for a connection with UUID Support (Windows x64). Module Options msf use payload/cmd/windows/https/x64/shell/bindtcpuuid msf payloadbindtcpuuid show actions ...actions... msf...
osTicket Arbitrary File Read via PHP Filter Chains in mPDF
This module exploits an arbitrary file read vulnerability in osTicket (CVE-2026-22200). The vulnerability exists in osTicket's PDF export functionality which uses mPDF. By injecting a specially crafted HTML payload containing PHP filter chain URIs into a ticket reply, an attacker can read arbitrary...
Apache NiFi Login Scanner
This module attempts to take login details for Apache NiFi websites and identify if they are valid or not. Tested against NiFi major releases 1.14.0 - 1.21.0, and 1.13.0 Also works against NiFi use auxiliary/scanner/http/apachenifilogin msf auxiliaryapachenifilogin show actions ...actions... msf...
Linux Chmod
Runs chmod on the specified file with specified mode. Module Options msf use payload/linux/loongarch64/chmod msf payloadchmod show actions ...actions... msf payloadchmod set ACTION msf payloadchmod show options ...show and set options... msf payloadchmod run This module...
PHP Exec, PHP Command Shell, Find Sock
Execute a PHP payload as an OS command from a POSIX-compatible shell. Spawn a shell on the established connection to the webserver. Unfortunately, this payload can leave conspicuous evil-looking entries in the Apache error logs, so it is probably a good idea to use a bind or reverse shell unless...
POWERCOM UPSMON PRO Path Traversal (CVE-2022-38120) and Credential Harvester (CVE-2022-38121)
This module exploits a path traversal vulnerability in UPSMON PRO use auxiliary/gather/upsmontraversal msf auxiliaryupsmontraversal show actions ...actions... msf auxiliaryupsmontraversal set ACTION msf auxiliaryupsmontraversal show options ...show and set options... msf auxiliaryupsmontraversal...
HTTPS Fetch, Linux Execute Command
Fetch and execute an ARMLE payload from an HTTPS server. Execute an arbitrary command or just a /bin/sh shell Module Options msf use payload/cmd/linux/https/armle/exec msf payloadexec show actions ...actions... msf payloadexec set ACTION msf payloadexec show options ...show and set options... msf...
Make Token Command
In its default configuration, this module creates a new network security context with the specified logon data (username, domain and password). Under the hood, Meterpreter's access token is cloned, and a new logon session is created and linked to that token. The token is then impersonated to acquir...
HTTP Fetch, Windows x64 Command Shell, Reverse TCP Inline
Fetch and execute an x64 payload from an HTTP server. Connect back to attacker and spawn a command shell (Windows x64). Module Options msf use payload/cmd/windows/http/x64/shellreversetcp msf payloadshellreversetcp show actions ...actions... msf payloadshellreversetcp set ACTION msf...
TFTP Fetch, Linux x64 Command Shell, Reverse TCP Inline (IPv6)
Fetch and execute an x64 payload from a TFTP server. Connect back to attacker and spawn a command shell over IPv6 Module Options msf use payload/cmd/linux/tftp/x64/shellreverseipv6tcp msf payloadshellreverseipv6tcp show actions ...actions... msf payloadshellreverseipv6tcp set ACTION msf...
X11 Keylogger
This module binds to an open X11 host to log keystrokes. This is a fairly close copy of the old xspy C program which has been on Kali for a long time. The module works by connecting to the X11 session, creating a background window, binding a keyboard to it and creating a notification alert when a...
XOR POLY Encoder
An x86 Simple POLY Xor encoding method, using polymorphism, register swapping, and instruction modification. Module Options msf use encoder/x86/xorpoly msf encoderxorpoly show actions ...actions... msf encoderxorpoly set ACTION msf encoderxorpoly show options ...show and set options... msf...
HTTPS Fetch
Fetch and execute a PPC64LE payload from an HTTPS server. Module Options msf use payload/cmd/linux/https/ppc64le/meterpreterreversetcp msf payloadmeterpreterreversetcp show actions ...actions... msf payloadmeterpreterreversetcp set ACTION msf payloadmeterpreterreversetcp show options ...show and...
Palo Alto Networks Authenticated Remote Code Execution
An OS Command Injection vulnerability in the PAN-OS management interface that allows authenticated administrators to execute arbitrary OS commands with root privileges. This issue impacts PAN-OS versions use exploit/linux/http/panosopcmdexec msf exploitpanosopcmdexec show targets ...targets... ms...
TFTP Fetch, Linux Chmod
Fetch and execute an AARCH64 payload from a TFTP server. Runs chmod on the specified file with specified mode. Module Options msf use payload/cmd/linux/tftp/aarch64/chmod msf payloadchmod show actions ...actions... msf payloadchmod set ACTION msf payloadchmod show options ...show and set options...
Ivanti Sentry MICSLogService Auth Bypass resulting in RCE (CVE-2023-38035)
This module exploits an authentication bypass in Ivanti Sentry which exposes API functionality which allows for code execution in the context of the root user. Module Options msf use exploit/linux/http/ivantisentrymisclogservice msf exploitivantisentrymisclogservice show targets ...targets... msf...
SmarterTools SmarterMail GUID File Upload Vulnerability
This module exploits a pre-auth remote code execution vulnerability in SmarterTools SmarterMail before version 100.0.9413. The endpoint /api/upload fails to sanitize the contextData POST parameter which can contain JSON data with a "guid" key that allows directory traversal. By leveraging this...
HTTPS Fetch, Linux Command Shell, Bind TCP Inline
Fetch and execute a RISC-V 64-bit payload from an HTTPS server. Listen for a connection and spawn a command shell. Module Options msf use payload/cmd/linux/https/riscv64le/shellbindtcp msf payloadshellbindtcp show actions ...actions... msf payloadshellbindtcp set ACTION msf payloadshellbindtcp sh...