6841 matches found
pfSense plugin pfBlockerNG unauthenticated RCE as root
pfBlockerNG is a popular pfSense plugin that is not installed by default. It's generally used to block inbound connections from whole countries or IP ranges. Versions 2.1.426 and below are affected by an unauthenticated RCE vulnerability that results in root access. Note that version 3.x is...
Cron Persistence
This module will create a cron or crontab entry to execute a payload. The module includes the ability to automatically clean up those entries to prevent multiple executions. syslog will get a copy of the cron entry. Verified on Ubuntu 22.04.1, MacOS 13.7.4 Module Options msf use...
OS Command Exec, Unix Command Shell, Reverse TCP SSH
Execute an OS command from PHP. Connect back and create a command shell via SSH Module Options msf use payload/php/unix/cmd/reversessh msf payloadreversessh show actions ...actions... msf payloadreversessh set ACTION msf payloadreversessh show options ...show and set options... msf...
ISPConfig language_edit.php PHP Code Injection
This module exploits a PHP code injection vulnerability in ISPConfig's languageedit.php file. The vulnerability occurs when the adminallowlangedit setting is enabled, allowing authenticated administrators to inject arbitrary PHP code through the language editor interface. This module will...
Linux Set Hostname
Sets the hostname of the machine. Module Options msf use payload/linux/x64/sethostname msf payloadsethostname show actions ...actions... msf payloadsethostname set ACTION msf payloadsethostname show options ...show and set options... msf payloadsethostname run This module requires Metasploit:...
TFTP Fetch
Fetch and execute an AARCH64 payload from a TFTP server. Module Options msf use payload/cmd/linux/tftp/aarch64/meterpreterreversehttps msf payloadmeterpreterreversehttps show actions ...actions... msf payloadmeterpreterreversehttps set ACTION msf payloadmeterpreterreversehttps show options ...sho...
Atlassian Confluence SSTI Injection
This module exploits an SSTI injection in Atlassian Confluence servers. A specially crafted HTTP request uses the injection to evaluate an OGNL expression resulting in OS command execution. Versions 8.5.0 through 8.5.3 and 8.0 to 8.4 are known to be vulnerable. Module Options msf use...
Malicious Windows Script Host Script File (.wsf)
This module creates a Windows Script Host WSH Windows Script File .wsf. Module Options msf use exploit/windows/fileformat/windowsscripthostwsf msf exploitwindowsscripthostwsf show targets ...targets... msf exploitwindowsscripthostwsf set TARGET msf exploitwindowsscripthostwsf show options ...show...
Malicious Windows Script Host VBScript (.vbs) File
This module creates a Windows Script Host WSH VBScript .vbs file. Module Options msf use exploit/windows/fileformat/windowsscripthostvbscript msf exploitwindowsscripthostvbscript show targets ...targets... msf exploitwindowsscripthostvbscript set TARGET msf exploitwindowsscripthostvbscript show...
Mirth Connect Deserialization RCE
A vulnerability exists within Mirth Connect due to its mishandling of deserialized data. This vulnerability can be leveraged by an attacker using a crafted HTTP request to execute OS commands within the context of the target application. The original vulnerability was identified by IHTeam and...
Sitecore XP CVE-2025-34510 Post-Authentication Remote Code Execution
This module exploits CVE-2025-34510, path traversal leading to remote code execution. The module exploits also CVE-2025-34509 - hardcoded credentials of ServicesAPI account - to gain foothold. Module Options msf use exploit/windows/http/sitecorexpcve202534510 msf exploitsitecorexpcve202534510 sho...
Cleo LexiCom, VLTrader, and Harmony Unauthenticated Remote Code Execution
This module exploits an unauthenticated file write vulnerability in Cleo LexiCom, VLTrader, and Harmony versions 5.8.0.23 and below. Module Options msf use exploit/multi/http/cleorcecve202455956 msf exploitcleorcecve202455956 show targets ...targets... msf exploitcleorcecve202455956 set TARGET ms...
Windows WSL via Registry Persistence
This module will install a payload in WSL and execute it at user logon or system startup via the registry value in "CurrentVersion\Run" or "RunOnce" depending on privilege and selected method. The payload will be installed completely in registry. Staged payloads, like fetch payloads in linux X64...
at(1) Persistence
This module executes a metasploit payload utilizing at1 to execute jobs at a specific time. It should work out of the box with any UNIX-like operating system with atd running. Verified on Kali linux and OSX 13.7.4 Module Options msf use exploit/multi/persistence/at msf exploitat show targets...
Oracle Access Manager unauthenticated Remote Code Execution
This module exploits an unauthenticated deserialization of untrusted data vulnerability in the OpenSSO Agent component of the Oracle Access Manager OAM product. The affected product versions are 11.1.2.3.0, 12.2.1.3.0, and 12.2.1.4.0. Module Options msf use...
Exploits AD CS Template misconfigurations which involve updating an LDAP object: ESC9, ESC10, and ESC16
This module exploits Active Directory Certificate Services AD CS template misconfigurations, specifically ESC9, ESC10, and ESC16, by updating an LDAP object and requesting a certificate on behalf of a target user. The module leverages the auxiliary/admin/ldap/ldapobjectattribute module to update...
Cacti Import Packages RCE
This exploit module leverages an arbitrary file write vulnerability CVE-2024-25641 in Cacti versions prior to 1.2.27 to achieve RCE. It abuses the Import Packages feature to upload a specially crafted package that embeds a PHP file. Cacti will extract this file to an accessible location. The modu...
LibreNMS Authenticated RCE (CVE-2024-51092)
An authenticated attacker can create dangerous directory names on the system and alter sensitive configuration parameters through the web portal. Those two defects combined then allows to inject arbitrary OS commands inside shellexec calls, thus achieving arbitrary code execution. Module Options...
OS Command Exec, Unix Command Shell, Pingback Reverse TCP (via netcat)
Execute an OS command from PHP. Creates a socket, send a UUID, then exit Module Options msf use payload/php/unix/cmd/pingbackreverse msf payloadpingbackreverse show actions ...actions... msf payloadpingbackreverse set ACTION msf payloadpingbackreverse show options ...show and set options... msf...
PHP Exec, PHP Meterpreter, Bind TCP Stager
Execute a PHP payload as an OS command from a Posix-compatible shell. Run a meterpreter server in PHP. Listen for a connection Module Options msf use payload/cmd/unix/php/meterpreter/bindtcp msf payloadbindtcp show actions ...actions... msf payloadbindtcp set ACTION msf payloadbindtcp show option...
TFTP Fetch, Linux Command Shell, Reverse TCP Inline
Fetch and execute an ARMLE payload from a TFTP server. Connect back to attacker and spawn a command shell Module Options msf use payload/cmd/linux/tftp/armle/shellreversetcp msf payloadshellreversetcp show actions ...actions... msf payloadshellreversetcp set ACTION msf payloadshellreversetcp show...
Base64 Command Encoder
This encoder uses base64 encoding to avoid bad characters. Module Options msf use encoder/cmd/base64 msf encoderbase64 show actions ...actions... msf encoderbase64 set ACTION msf encoderbase64 show options ...show and set options... msf encoderbase64 run This module requires Metasploit:...
Invoice Ninja unauthenticated PHP Deserialization Vulnerability
Invoice Ninja is a free invoicing software for small businesses, based on the PHP framework Laravel. A Remote Code Execution vulnerability in Invoice Ninja = 5.8.22 which accepts a Laravel ciphered value which is unsafe unserialized, if an attacker has access to the APPKEY. As it allows remote co...
Tatsu Wordpress Plugin RCE
This module adds exploit for CVE-2021-25094 - unauthenticated remote code execution in Tatsu Wordpress plugin use exploit/multi/http/wptatsurce msf exploitwptatsurce show targets ...targets... msf exploitwptatsurce set TARGET msf exploitwptatsurce show options ...show and set options... msf...
Sudoedit Extra Arguments Priv Esc
This exploit takes advantage of a vulnerability in sudoedit, part of the sudo package. The sudoedit aka sudo -e feature mishandles extra arguments passed in the user-provided environment variables SUDOEDITOR, VISUAL, and EDITOR, allowing a local attacker to append arbitrary entries to the list of...
OS Command Exec, Unix Command Shell, Bind TCP (via netcat -e)
Execute an OS command from PHP. Listen for a connection and spawn a command shell via netcat Module Options msf use payload/php/unix/cmd/bindnetcatgaping msf payloadbindnetcatgaping show actions ...actions... msf payloadbindnetcatgaping set ACTION msf payloadbindnetcatgaping show options ...show...
SmarterTools SmarterMail less than build 6985 - .NET Deserialization Remote Code Execution
This module exploits a vulnerability in the SmarterTools SmarterMail software for version numbers use exploit/windows/http/smartermailrce msf exploitsmartermailr...
OS Command Exec, Unix Command Shell, Reverse TCP (via netcat)
Execute an OS command from PHP. Creates an interactive shell via netcat Module Options msf use payload/php/unix/cmd/reversenetcat msf payloadreversenetcat show actions ...actions... msf payloadreversenetcat set ACTION msf payloadreversenetcat show options ...show and set options... msf...
Webmin password_change.cgi Backdoor
This module exploits a backdoor in Webmin versions 1.890 through 1.920. Only the SourceForge downloads were backdoored, but they are listed as official downloads on the project's site. Unknown attackers inserted Perl qx statements into the build server's source code on two separate occasions: onc...
ProFTPD 1.3.5 Mod_Copy Command Execution
This module exploits the SITE CPFR/CPTO modcopy commands in ProFTPD version 1.3.5. Any unauthenticated client can leverage these commands to copy files from any part of the filesystem to a chosen destination. The copy commands are executed with the rights of the ProFTPD service, which by default...
Listmonk Insecure Sprig Template Functions Environment Disclosure
This module exploits insecure Sprig template functions in Listmonk versions prior to v5.0.2. The env and expandenv functions are enabled by default, allowing authenticated users with campaign permissions to extract sensitive environment variables via campaign preview. Module Options msf use...
Nagios XI 5.5.6 to 5.7.5 - ConfigWizards Authenticated Remote Code Exection
This module exploits CVE-2021-25296, CVE-2021-25297, and CVE-2021-25298, which are OS command injection vulnerabilities in the windowswmi, switch, and cloud-vm configuration wizards that allow an authenticated user to perform remote code execution on Nagios XI versions 5.5.6 to 5.7.5 as the apach...
SimpleHelp Path Traversal Vulnerability CVE-2024-57727
There exists a path traversal vulnerability in the /toolbox-resource endpoint that enables unauthenticated remote attackers to download arbitrary files from the SimpleHelp server via crafted HTTP requests Module Options msf use auxiliary/scanner/http/simplehelptoolboxpathtraversal msf...
Pandora FMS authenticated command injection leading to RCE via LDAP using default DB password
Pandora FMS is a monitoring solution that provides full observability for your organization's technology. This module exploits an command injection vulnerability in the LDAP authentication mechanism of Pandora FMS. You need have admin access at the Pandora FMS Web application in order to execute...
TFTP Fetch, Linux Command Shell, Reverse TCP Inline
Fetch and execute an MIPSBE payload from a TFTP server. Connect back to attacker and spawn a command shell Module Options msf use payload/cmd/linux/tftp/mipsbe/shellreversetcp msf payloadshellreversetcp show actions ...actions... msf payloadshellreversetcp set ACTION msf payloadshellreversetcp sh...
Apache Airflow 1.10.10 - Example DAG Remote Code Execution
This module exploits an unauthenticated command injection vulnerability by combining two critical vulnerabilities in Apache Airflow 1.10.10. The first, CVE-2020-11978, is an authenticated command injection vulnerability found in one of Airflow's example DAGs, "exampletriggertargetdag", which allo...
Microsoft IIS FTP Server Encoded Response Overflow Trigger
This module triggers a heap overflow when processing a specially crafted FTP request containing Telnet IAC 0xff bytes. When constructing the response, the Microsoft IIS FTP Service overflows the heap buffer with 0xff bytes. This issue can be triggered pre-auth and may in fact be exploitable for...
Get NAA Credentials
This module attempts to retrieve the Network Access Accounts, if configured, from the SCCM server. This requires a computer account, which can be added using the samraccount module. Module Options msf use auxiliary/admin/sccm/getnaacredentials msf auxiliarygetnaacredentials show actions...
Rejetto HTTP File Server (HFS) Unauthenticated Remote Code Execution
The Rejetto HTTP File Server HFS version 2.x is vulnerable to an unauthenticated server side template injection SSTI vulnerability. A remote unauthenticated attacker can execute code with the privileges of the user account running the HFS.exe server process. This exploit has been tested to work...
OS Command Exec, Unix Command Shell, Bind SCTP (via socat)
Execute an OS command from PHP. Creates an interactive shell via socat Module Options msf use payload/php/unix/cmd/bindsocatsctp msf payloadbindsocatsctp show actions ...actions... msf payloadbindsocatsctp set ACTION msf payloadbindsocatsctp show options ...show and set options... msf...
OSX Meterpreter, Reverse TCP Inline
Run the Meterpreter / Mettle server payload stageless Module Options msf use payload/osx/aarch64/meterpreterreversetcp msf payloadmeterpreterreversetcp show actions ...actions... msf payloadmeterpreterreversetcp set ACTION msf payloadmeterpreterreversetcp show options ...show and set options... m...
Intelliants Subrion CMS 4.2.1 - Authenticated File Upload Bypass to RCE
This module exploits an authenticated file upload vulnerability in Subrion CMS versions 4.2.1 and lower. The vulnerability is caused by the .htaccess file not preventing the execution of .pht, .phar, and .xhtml files. Files with these extensions are not included in the .htaccess blacklist, hence...
WP User Registration and Membership Unauthenticated Privilege Escalation (CVE-2025-2563)
Exploits CVE-2025-2563 in the WordPress User Registration & Membership plugin. 1 Registers a free-membership user via AJAX. 2 Elevates that user to administrator via the membership AJAX action. 3 Logs in, uploads & executes a PHP payload. Module Options msf use...
Linux Command Shell, Reverse TCP Inline
Connect back to attacker and spawn a command shell. Module Options msf use payload/linux/riscv32le/shellreversetcp msf payloadshellreversetcp show actions ...actions... msf payloadshellreversetcp set ACTION msf payloadshellreversetcp show options ...show and set options... msf...
Right-Click Execution - Windows LNK File Special UNC Path NTLM Leak
This module creates a malicious Windows shortcut LNK file that specifies a special UNC path in EnvironmentVariableDataBlock of Shell Link .LNK that can trigger an authentication attempt to a remote server. This can be used to harvest NTLM authentication credentials. When a victim right-click the...
OS Command Exec, Unix Command Shell, Bind TCP (via Perl)
Execute an OS command from PHP. Listen for a connection and spawn a command shell via perl Module Options msf use payload/php/unix/cmd/bindperl msf payloadbindperl show actions ...actions... msf payloadbindperl set ACTION msf payloadbindperl show options ...show and set options... msf...
TFTP Fetch, Reverse TCP Stager
Fetch and execute an ARMLE payload from a TFTP server. Connect back to the attacker Module Options msf use payload/cmd/linux/tftp/armle/meterpreter/reversetcp msf payloadreversetcp show actions ...actions... msf payloadreversetcp set ACTION msf payloadreversetcp show options ...show and set...
OS Command Exec, Unix Command Shell, Bind TCP (via BusyBox telnetd)
Execute an OS command from PHP. Listen for a connection and spawn a command shell via BusyBox telnetd Module Options msf use payload/php/unix/cmd/bindbusyboxtelnetd msf payloadbindbusyboxtelnetd show actions ...actions... msf payloadbindbusyboxtelnetd set ACTION msf payloadbindbusyboxtelnetd show...
Wazuh server remote code execution caused by an unsafe deserialization vulnerability.
Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.4.0 and prior to version 4.9.1, an unsafe deserialization vulnerability allows for remote code execution on Wazuh servers. DistributedAPI parameters are serialized as JSON and...
GraphQL Introspection Scanner
This module queries a GraphQL API Endpoint to retrieve schema data by using introspection, if it is enabled on the server. This module works on all GraphQL versions. Module Options msf use auxiliary/scanner/http/graphqlintrospectionscanner msf auxiliarygraphqlintrospectionscanner show actions...