
6846 matches found

Metasploit • added 2025/04/07 6:50 p.m. • 892 views

Appsmith RCE

An incorrectly configured PostgreSQL instance in the Appsmith image leads to remote command execution inside the Appsmith Docker container. Module Options msf use exploit/linux/http/appsmithrcecve202455964 msf exploitappsmithrcecve202455964 show targets ...targets... msf...

9.8 CVSS | 7.4 AI score | 0.25006 EPSS
Exploits: 5

Metasploit • added 2023/08/09 7:50 p.m. • 875 views

Metabase Setup Token RCE

Metabase versions before 0.46.6.1 contain a flaw where the secret setup-token is accessible even after the setup process has been completed. With this token a user is able to submit the setup functionality to create a new database. When creating a new database, an H2 database string is created wi...

9.8 CVSS | 9.8 AI score | 0.97924 EPSS
Exploits: 36

Metasploit • added 2020/09/30 5:41 p.m. • 873 views

Windows Secrets Dump

Dumps SAM hashes and LSA secrets including cached creds from the remote Windows target without executing any agent locally. This is done by remotely updating the registry key security descriptor, taking advantage of the WriteDACL privileges held by local administrators to set temporary read...

7.3 AI score
Exploits: 0

Metasploit • added 2022/08/29 6:2 p.m. • 866 views

Roxy-WI Prior to 6.1.1.0 Unauthenticated Command Injection RCE

This module exploits an unauthenticated command injection vulnerability in Roxy-WI prior to version 6.1.1.0. Successful exploitation results in remote code execution under the context of the web server user. Roxy-WI is an interface for managing HAProxy, Nginx and Keepalived servers. Module Option...

5.5 CVSS | 7.8 AI score | 0.00651 EPSS
Exploits: 3

Metasploit • added 2023/07/25 7:50 p.m. • 865 views

Wordpress File Manager Advanced Shortcode 2.3.2 - Unauthenticated Remote Code Execution through shortcode

The Wordpress plugin does not adequately prevent uploading files with disallowed MIME types when using the shortcode. This leads to RCE in cases where the allowed MIME type list does not include PHP files. In the worst case, this is available to unauthenticated users, but also works in an...

9.8 CVSS | 9.2 AI score | 0.3962 EPSS
Exploits: 8

Metasploit • added 2022/03/03 5:42 p.m. • 863 views

Local Privilege Escalation in polkits pkexec

A bug exists in the polkit pkexec binary in how it processes arguments. If the binary is provided with no arguments, it will continue to process environment variables as argument variables, but without any security checking. By using the execve call we can specify a null argument list and populat...

7.8 CVSS | 7.1 AI score | 0.94921 EPSS
Exploits: 151

Metasploit • added 2025/09/11 6:57 p.m. • 861 views

Autostart Desktop Item Persistence

This module will create an autostart .desktop entry to execute a payload. The payload will be executed when the user logs in. Verified on Ubuntu 22.04 desktop with Gnome, and 18.04.3. The following payloads were used in testing: - cmd/unix/reversenetcat - linux/x64/meterpreter/reversetcp -...

5.9 AI score
Exploits: 0

Metasploit • added 2014/10/01 6:57 p.m. • 860 views

Pure-FTPd External Authentication Bash Environment Variable Code Injection (Shellshock)

This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets the Pure-FTPd FTP server when it has been compiled with the --with-extauth flag and an external Bash script is used for authentication. If the server is not...

9.8 CVSS | 6.9 AI score | 0.99999 EPSS
Exploits: 130

Metasploit • added 2022/07/16 5:42 p.m. • 855 views

FreeSWITCH Event Socket Login

This module tests FreeSWITCH Event Socket logins on a range of machines and reports successful attempts. Module Options msf use auxiliary/scanner/misc/freeswitcheventsocketlogin msf auxiliaryfreeswitcheventsocketlogin show actions ...actions... msf auxiliaryfreeswitcheventsocketlogin set ACTION ms...

5.3 AI score
Exploits: 0

Metasploit • added 2025/02/25 6:53 p.m. • 852 views

NetAlertX File Read Vulnerability

This module exploits improper authentication in the logs.php endpoint. An unauthenticated attacker can request a log file and read any file due to a path traversal vulnerability. Module Options msf use auxiliary/scanner/http/netalertxfileread msf auxiliarynetalertxfileread show actions ...actions... msf...

10 CVSS | 8.5 AI score | 0.50233 EPSS
Exploits: 5

Metasploit • added 2024/03/11 7:51 p.m. • 845 views

MinIO Bootstrap Verify Information Disclosure

MinIO is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD, resulting in information disclosure. Verified...

7.5 CVSS | 8.2 AI score | 0.83957 EPSS
Exploits: 13

Metasploit • added 2022/08/29 6:2 p.m. • 840 views

Zip Path Traversal in Zimbra (mboximport) (CVE-2022-27925)

This module POSTs a ZIP file containing path traversal characters to the administrator interface for Zimbra Collaboration Suite. If successful, it plants a JSP-based backdoor within the web directory, then executes it. The core vulnerability is a path-traversal issue in Zimbra Collaboration Suite...

7.2 CVSS | 8.4 AI score | 0.98163 EPSS
Exploits: 14

Metasploit • added 2023/08/16 7:50 p.m. • 838 views

H2 Web Interface Create Alias RCE

The H2 database contains an alias function which allows for arbitrary Java code to be used. This functionality can be abused to create an exec functionality to pull our payload down and execute it. H2's web interface restricts MANY characters, so injecting a payload directly is not...

8.8 CVSS | 7.3 AI score | 0.34986 EPSS
Exploits: 2

Metasploit • added 2023/09/08 7:52 p.m. • 837 views

Kibana Timelion Prototype Pollution RCE

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This leads to an arbitrary command execution with permissions of the...

10 CVSS | 8.6 AI score | 0.95338 EPSS
Exploits: 12

Metasploit • added 2025/10/03 6:56 p.m. • 834 views

Mac OS X Persistent Payload Installer

This module provides a persistent boot payload by creating a launch item, which can be a LaunchAgent or a LaunchDaemon. LaunchAgents run with user level permissions and are triggered upon login by a plist entry in /Library/LaunchAgents. LaunchDaemons run with elevated privileges, and are launche...

5.8 AI score
Exploits: 0

Metasploit • added 2016/10/19 3:52 a.m. • 827 views

ZoomEye Search

The module uses the ZoomEye API to search ZoomEye. ZoomEye is a search engine for cyberspace that lets the user find specific network components (ip, services, etc.). Setting facets will output a simple report on the overall search. Its values are: Host search: app, device, service, os, port, countr...

7.3 AI score
Exploits: 0

Metasploit • added 2025/09/23 6:56 p.m. • 822 views

FreePBX ajax.php unauthenticated SQLi to RCE

This module exploits an unauthenticated SQL injection flaw in FreePBX prior to versions 15.0.66, 16.0.89, and 17.0.3. The vulnerability lies in the /admin/ajax.php endpoint, which is accessible without authentication. Additionally, the database user created by FreePBX can schedule cronjobs,...

10 CVSS | 6.6 AI score | 0.93286 EPSS
Exploits: 17

Metasploit • added 2025/03/26 6:50 p.m. • 812 views

GLPI Inventory Plugin Unauthenticated Blind Boolean SQLi

GLPI use auxiliary/gather/glpiinventorypluginunauthsqli msf auxiliaryglpiinventorypluginunauthsqli show actions ...actions... msf auxiliaryglpiinventorypluginunauthsqli set ACTION msf auxiliaryglpiinventorypluginunauthsqli show options ...show and set options... msf...

9.8 CVSS | 6.4 AI score | 0.86182 EPSS
Exploits: 5

Metasploit • added 2024/12/19 7:0 p.m. • 810 views

GameOver(lay) Privilege Escalation and Container Escape

This module exploits the use of unsafe functions in a number of Ubuntu kernels utilizing vulnerable versions of overlayfs. To mitigate CVE-2021-3493 the Linux kernel added a call to vfs_setxattr during ovl_do_setxattr. Due to independent changes to the kernel by the Ubuntu development team...

8.8 CVSS | 7.1 AI score | 0.43988 EPSS
Exploits: 40

Metasploit • added 2023/07/11 7:50 p.m. • 798 views

Wordpress Plugin WooCommerce Payments Unauthenticated Admin Creation

WooCommerce-Payments plugin for Wordpress versions 4.8, 4.8.2, 4.9, 4.9.1, 5.0, 5.0.4, 5.1, 5.1.3, 5.2, 5.2.2, 5.3, 5.3.1, 5.4, 5.4.1, 5.5, 5.5.2, and 5.6, 5.6.2 contain an authentication bypass by specifying a valid user ID number within the X-WCPAY-PLATFORM-CHECKOUT-USER heade...

9.8 CVSS | 8.8 AI score | 0.86919 EPSS
Exploits: 9

Metasploit • added 2025/09/29 6:52 p.m. • 796 views

Windows Silent Process Exit Persistence

Windows allows you to set up a debug process when a process exits. This module uploads a payload and declares that it is the debug process to launch when a specified process exits. Module Options msf use exploit/windows/persistence/imageexecoptions msf exploitimageexecoptions show targets...

5.8 AI score
Exploits: 0

Metasploit • added 2024/08/28 6:52 p.m. • 795 views

pgAdmin Binary Path API RCE

pgAdmin use exploit/windows/http/pgadminbinarypathapi msf exploitpgadminbinarypathapi show targets ...targets... msf exploitpgadminbinarypathapi set TARGET msf exploitpgadminbinarypathapi show options ...show and set options... msf exploitpgadminbinarypathapi exploit This module requires...

9.8 CVSS | 8.3 AI score | 0.64846 EPSS
Exploits: 5

Metasploit • added 2025/05/15 6:53 p.m. • 789 views

Ivanti Connect Secure Unauthenticated Remote Code Execution via Stack-based Buffer Overflow

This module exploits a Stack-based Buffer Overflow vulnerability in Ivanti Connect Secure to achieve remote code execution (CVE-2025-22457). Versions 22.7R2.5 and earlier are vulnerable. Note that Ivanti Pulse Connect Secure, Ivanti Policy Secure and ZTA gateways are also vulnerable but this module...

9.8 CVSS | 8.4 AI score | 0.99973 EPSS
Exploits: 7

Metasploit • added 2025/09/01 6:53 p.m. • 786 views

Remote Code Execution Vulnerability in XWiki Platform (CVE-2025-24893)

This module exploits a template injection vulnerability in the XWiki Platform. XWiki includes a macro called SolrSearch defined in Main.SolrSearchMacros that enables full-text search through the embedded Solr engine. The vulnerability stems from the way this macro evaluates search parameters ...

9.8 CVSS | 8.8 AI score | 0.99898 EPSS
Exploits: 50

Metasploit • added 2025/06/09 6:51 p.m. • 783 views

OS Command Exec, Unix Command Shell, Reverse TCP (via R)

Execute an OS command from PHP. Connect back and create a command shell via R Module Options msf use payload/php/unix/cmd/reverser msf payloadreverser show actions ...actions... msf payloadreverser set ACTION msf payloadreverser show options ...show and set options... msf payloadreverser run This...

5.8 AI score
Exploits: 0

Metasploit • added 2023/08/17 7:51 p.m. • 782 views

Maltrail Unauthenticated Command Injection

Maltrail is a malicious traffic detection system, utilizing publicly available blacklists containing malicious and/or generally suspicious trails. The Maltrail versions use exploit/unix/http/maltrailrce msf exploitmaltrailrce show targets ...targets... msf exploitmaltrailrce set TARGET msf...

10 CVSS | 7.6 AI score | 0.03884 EPSS
Exploits: 1

Metasploit • added 2021/05/04 5:41 p.m. • 782 views

UNIX Gather Cached AD Hashes

Post Module to obtain all cached AD hashes on the targeted UNIX machine. These can be cracked with John the Ripper (JtR). Module Options msf use post/multi/gather/unixcachedadhashes msf postunixcachedadhashes show actions ...actions... msf postunixcachedadhashes set ACTION msf postunixcachedadhashe...

7 AI score
Exploits: 0

Metasploit • added 2023/05/22 7:50 p.m. • 774 views

AD CS Certificate Template Management

This module can create, read, update, and delete AD CS certificate templates from an Active Directory Domain Controller. The READ, UPDATE, and DELETE actions will write a copy of the certificate template to disk that can be restored using the CREATE or UPDATE actions. The CREATE and UPDATE actions...

5.4 AI score
Exploits: 0

Metasploit • added 2024/09/11 6:54 p.m. • 773 views

SPIP BigUp Plugin Unauthenticated RCE

This module exploits a Remote Code Execution vulnerability in the BigUp plugin of SPIP. The vulnerability lies in the lister_fichiers_par_champs function, which is triggered when the bigup_retrouver_fichiers parameter is set to any value. By exploiting the improper handling of multipart form data in...

9.8 CVSS | 9.6 AI score | 0.94618 EPSS
Exploits: 7

Metasploit • added 2022/05/25 5:43 p.m. • 773 views

Print Spooler Remote DLL Injection

The print spooler service can be abused by an authenticated remote attacker to load a DLL through a crafted DCERPC request, resulting in remote code execution as NT AUTHORITY\SYSTEM. This module uses the MS-RPRN vector which requires the Print Spooler service to be running. Module Options msf use...

9.3 CVSS | 7.8 AI score | 0.99759 EPSS
Exploits: 75

Metasploit • added 2020/02/03 5:16 p.m. • 771 views

RDP DOUBLEPULSAR Remote Code Execution

This module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for RDP. While this module primarily performs code execution against the implant, the "Neutralize implant" target allows you to disable the implant. This module requires Metasploit:...

7.5 AI score
Exploits: 0

Metasploit • added 2023/06/24 7:50 p.m. • 770 views

Apache Druid JNDI Injection RCE

This module is designed to exploit the JNDI injection vulnerability in Druid. The vulnerability specifically affects the indexer/v1/sampler interface of Druid, enabling an attacker to execute arbitrary commands on the targeted server. The vulnerability is found in Apache Kafka clients versions...

8.8 CVSS | 7.8 AI score | 0.95302 EPSS
Exploits: 7

Metasploit • added 2025/11/12 6:56 p.m. • 769 views

Windows Server Update Service Deserialization Remote Code Execution

This module exploits a deserialization vulnerability in the legacy serialization mechanism in Windows Server Update Services (WSUS). The vulnerability allows an unauthenticated attacker to create a specially crafted event, which triggers unsafe deserialization upon server synchronization. The module does not...

9.8 CVSS | 7.4 AI score | 0.99962 EPSS
Exploits: 24

Metasploit • added 2017/08/13 3:47 a.m. • 765 views

Malicious Git HTTP Server For CVE-2017-1000117

This module exploits CVE-2017-1000117, which affects Git version 2.7.5 and lower. A submodule of the form 'ssh://' can be passed parameters from the username incorrectly. This can be used to inject commands to the operating system when the submodule is cloned. This module creates a fake git...

8.8 CVSS | 8.4 AI score | 0.77823 EPSS
Exploits: 9

Metasploit • added 2025/11/18 6:53 p.m. • 759 views

Windows Persistent Service Installer

This module will generate and upload an executable to a remote host. It will create a new service which will start the payload whenever the service is running. Admin or system privilege is required. Module Options msf use exploit/windows/persistence/service msf exploitservice show targets...

5.8 AI score
Exploits: 0

Metasploit • added 2023/02/22 7:52 p.m. • 756 views

pyLoad js2py Python Execution

pyLoad versions prior to 0.5.0b3.dev31 are vulnerable to Python code injection due to the pyimport functionality exposed through the js2py library. An unauthenticated attacker can issue a crafted POST request to the flash/addcrypted2 endpoint to leverage this for code execution. pyLoad by default...

9.8 CVSS | 9.7 AI score | 0.96988 EPSS
Exploits: 13

Metasploit • added 2025/04/03 6:53 p.m. • 755 views

Tomcat Partial PUT Java Deserialization

This module exploits a Java deserialization vulnerability in Apache Tomcat's session restoration functionality that can be exploited with a partial HTTP PUT request to place an attacker controlled deserialization payload in the /webapps/ROOT/ directory. For the exploit to succeed, writes must be...

10 CVSS | 7.9 AI score | 0.99945 EPSS
Exploits: 46

Metasploit • added 2024/04/23 7:51 p.m. • 754 views

Apache Solr Backup/Restore APIs RCE

Apache Solr from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1 is affected by an Unrestricted Upload of File with Dangerous Type vulnerability which can result in remote code execution in the context of the user running Apache Solr. When Apache Solr creates a Collection, it will use a specific...

8.8 CVSS | 8 AI score | 0.8384 EPSS
Exploits: 4

Metasploit • added 2024/08/21 6:52 p.m. • 751 views

SPIP Unauthenticated RCE via porte_plume Plugin

This module exploits a Remote Code Execution vulnerability in SPIP versions up to and including 4.2.12. The vulnerability occurs in SPIP's templating system where it incorrectly handles user-supplied input, allowing an attacker to inject and execute arbitrary PHP code. This can be achieved by...

9.8 CVSS | 7.5 AI score | 0.89783 EPSS
Exploits: 10

Metasploit • added 2025/06/09 6:51 p.m. • 747 views

OS Command Exec, Unix Command Shell, Reverse TCP (/dev/tcp)

Execute an OS command from PHP. Creates an interactive shell via bash's builtin /dev/tcp. This will not work on circa 2009 and older Debian-based Linux distributions including Ubuntu because they compile bash without the /dev/tcp feature. Module Options msf use payload/php/unix/cmd/reversebash ms...

5.8 AI score
Exploits: 0

Metasploit • added 2023/04/28 7:43 p.m. • 743 views

Adobe ColdFusion Unauthenticated Arbitrary File Read

This module exploits a remote unauthenticated deserialization of untrusted data vulnerability in Adobe ColdFusion 2021 Update 5 and earlier as well as ColdFusion 2018 Update 15 and earlier, in order to read an arbitrary file from the server. To run this module you must provide a valid ColdFusion...

9.8 CVSS | 9 AI score | 0.97115 EPSS
Exploits: 13

Metasploit • added 2025/09/11 6:57 p.m. • 741 views

Sitecore XP CVE-2025-34511 Post-Authentication File Upload

This module exploits CVE-2025-34511, a file upload vulnerability in PowerShell extensions. The module also exploits CVE-2025-34509 - hardcoded credentials of ServicesAPI account - to gain foothold. Module Options msf use exploit/windows/http/sitecorexpcve202534511 msf exploitsitecorexpcve20253451...

8.8 CVSS | 7.6 AI score | 0.38428 EPSS
Exploits: 7

Metasploit • added 2022/03/11 5:42 p.m. • 741 views

Dirty Pipe Local Privilege Escalation via CVE-2022-0847

This exploit targets a vulnerability in the Linux kernel since 5.8, that allows writing of read only or immutable memory. The vulnerability was fixed in Linux 5.16.11, 5.15.25 and 5.10.102. The module exploits this vulnerability by overwriting a suid binary with the payload, executing it, and the...

7.8 CVSS | 6.9 AI score | 0.89063 EPSS
Exploits: 100

Metasploit • added 2023/05/10 7:52 p.m. • 739 views

Zyxel chained RCE using LFI and weak password derivation algorithm

This module exploits multiple vulnerabilities in the zhttpd binary (/bin/zhttpd) and zcmd binary (/bin/zcmd). It is present on more than 40 Zyxel routers and CPE devices. The remote code execution vulnerability can be exploited by chaining the local file disclosure vulnerability in the zhttpd binary...

7.5 CVSS | 8.7 AI score | 0.57778 EPSS
Exploits: 2

Metasploit • added 2025/09/11 6:57 p.m. • 738 views

APT Package Manager Persistence

This module will run a payload when the APT package manager is used. This module creates a pre-invoke hook for APT in apt.conf.d. Write access to the apt.conf.d directory is required, typically requiring root access. The hook name is randomized if not specified. Verified on Ubuntu 22.04 Module...

5.8 AI score
Exploits: 0

Metasploit • added 2023/07/19 7:50 p.m. • 736 views

Openfire authentication bypass with RCE plugin

Openfire is an XMPP server licensed under the Open Source Apache License. Openfire's administrative console, a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup...

8.6 CVSS | 8.1 AI score | 0.99999 EPSS
Exploits: 15

Metasploit • added 2025/09/26 6:57 p.m. • 735 views

Service SystemD override.conf Persistence

This module will create an override.conf file for a SystemD service on the box. The ExecStartPost hook is used to launch the payload after the service is started. We need enough access (typically root) to write in the /etc/systemd/system directory and potentially restart services. Verified on Ubunt...

5.8 AI score
Exploits: 0

Metasploit • added 2023/10/31 7:51 p.m. • 731 views

Citrix ADC (NetScaler) Bleed Scanner

This module scans for a vulnerability that allows a remote, unauthenticated attacker to leak memory for a target Citrix ADC server. The leaked memory is then scanned for session cookies which can be hijacked if found. Module Options msf use auxiliary/scanner/http/citrixbleedcve20234966 msf...

9.4 CVSS | 7.5 AI score | 0.99999 EPSS
Exploits: 15

Metasploit • added 2025/11/22 6:57 p.m. • 729 views

Flowise Custom MCP Remote Code Execution

This module exploits a remote code execution vulnerability in Flowise versions = 2.2.7-patch.1 and use exploit/multi/http/flowisecustommcprce msf exploitflowisecustommcprce show targets ...targets... msf exploitflowisecustommcprce set TARGET msf exploitflowisecustommcprce show options ...show and...

9.8 CVSS | 6.5 AI score | 0.70866 EPSS
Exploits: 3

Metasploit • added 2024/12/07 6:54 p.m. • 727 views

Change Password

This module allows Active Directory users to change their own passwords, or reset passwords for accounts they have privileges over. Module Options msf use auxiliary/admin/ldap/changepassword msf auxiliarychangepassword show actions ...actions... msf auxiliarychangepassword set ACTION msf...

7 AI score
Exploits: 0

Total number of security vulnerabilities: 5000