TFTP Fetch, Reverse TCP Stager
Fetch and execute an MIPSLE payload from a TFTP server. Connect back to the attacker Module Options msf use payload/cmd/linux/tftp/mipsle/meterpreter/reversetcp msf payloadreversetcp show actions ...actions... msf payloadreversetcp set ACTION msf payloadreversetcp show options ...show and set...
CyberPanel Multi CVE Pre-auth RCE
This module exploits three separate unauthenticated Remote Code Execution vulnerabilities in CyberPanel: - CVE-2024-51567: Command injection vulnerability in the "upgrademysqlstatus" endpoint. - CVE-2024-51568: Command Injection via the "completePath" parameter in the "outputExecutioner" sink. -...
GitLab Authenticated File Read
GitLab version 16.0 contains a directory traversal for arbitrary file read as the gitlab-www user. This module requires authentication for exploitation. In order to use this module, a user must be able to create a project and groups. When exploiting this vulnerability, there is a direct correlati...
NTP Timeroast
Windows authenticates NTP requests by calculating the message digest using the NT hash followed by the first 48 bytes of the NTP message (all fields preceding the key ID). An attacker can abuse this to recover hashes that can be cracked offline for machine and trust accounts. The attacker must know...
Webmin Package Updates RCE
This module exploits an arbitrary command injection in Webmin versions prior to 1.997. Webmin uses the OS package manager (apt, yum, etc.) to perform package updates and installation. Due to a lack of input sanitization, it is possible to inject an arbitrary command that will be concatenated to the...
TFTP Fetch, Reverse TCP Stager
Fetch and execute an MIPSBE payload from a TFTP server. Connect back to the attacker Module Options msf use payload/cmd/linux/tftp/mipsbe/meterpreter/reversetcp msf payloadreversetcp show actions ...actions... msf payloadreversetcp set ACTION msf payloadreversetcp show options ...show and set...
Nextcloud Workflows Remote Code Execution
This module adds workflows as an authenticated user which can only be created by administrators by design. If the app "Nextcloud Workflow Script" is installed it is possible to generate a workflow that executes commands. Module Options msf use exploit/unix/webapp/nextcloudworkflowsrce msf...
Unix Command Shell, Reverse TCP (via socat)
Creates an interactive shell via socat Module Options msf use payload/cmd/unix/reversesocattcp msf payloadreversesocattcp show actions ...actions... msf payloadreversesocattcp set ACTION msf payloadreversesocattcp show options ...show and set options... msf payloadreversesocattcp run This module...
Lexmark Device Embedded Web Server RCE
An unauthenticated Remote Code Execution vulnerability exists in the embedded webserver in certain Lexmark devices through 2023-02-19. The vulnerability is only exposed if, when setting up the printer or device, the user selects "Set up Later" when asked if they would like to add an Admin user. If...
HTTPS Fetch, Linux Command Shell, Reverse TCP Inline
Fetch and execute an MIPSBE payload from an HTTPS server. Connect back to attacker and spawn a command shell Module Options msf use payload/cmd/linux/https/mipsbe/shellreversetcp msf payloadshellreversetcp show actions ...actions... msf payloadshellreversetcp set ACTION msf payloadshellreversetcp...
TFTP Fetch, Bind TCP Stager
Fetch and execute an ARMLE payload from a TFTP server. Listen for a connection Module Options msf use payload/cmd/linux/tftp/armle/meterpreter/bindtcp msf payloadbindtcp show actions ...actions... msf payloadbindtcp set ACTION msf payloadbindtcp show options ...show and set options... msf...
PHP Exec, PHP Command Shell, Reverse TCP (via PHP)
Execute a PHP payload as an OS command from a Posix-compatible shell. Reverse PHP connect back shell with checks for disabled functions Module Options msf use payload/cmd/unix/php/reversephp msf payloadreversephp show actions ...actions... msf payloadreversephp set ACTION msf payloadreversephp sh...
TFTP Fetch
Fetch and execute an ARMBE payload from a TFTP server. Module Options msf use payload/cmd/linux/tftp/armbe/meterpreterreversetcp msf payloadmeterpreterreversetcp show actions ...actions... msf payloadmeterpreterreversetcp set ACTION msf payloadmeterpreterreversetcp show options ...show and set...
InvokeAI RCE
InvokeAI has a critical vulnerability leading to remote code execution in the /api/v2/models/install API through unsafe model deserialization. The API allows users to specify a model URL, which is downloaded and loaded server-side using torch.load without proper validation. This functionality...
WordPress Depicter Plugin SQL Injection (CVE-2025-2011)
The Slider & Popup Builder by Depicter plugin for WordPress use auxiliary/gather/wpdepictersqlicve20252011 msf auxiliarywpdepictersqlicve20252011 show actions ...actions... msf auxiliarywpdepictersqlicve20252011 set ACTION msf auxiliarywpdepictersqlicve20252011 show options ...show and set...
TFTP Fetch
Fetch and execute an AARCH64 payload from a TFTP server. Module Options msf use payload/cmd/linux/tftp/aarch64/meterpreterreversetcp msf payloadmeterpreterreversetcp show actions ...actions... msf payloadmeterpreterreversetcp set ACTION msf payloadmeterpreterreversetcp show options ...show and se...
WMI Event Subscription Process Persistence
This module will create a permanent WMI event subscription to achieve file-less persistence using an event filter that triggers the payload when the specified process is started. Additionally a custom command can be specified to run once the trigger is activated using the advanced option...
JBOSS EAP/AS Remoting Unified Invoker RCE
An unauthenticated attacker with network access to the JBOSS EAP/AS use exploit/multi/misc/jbossremotingunifiedinvokerrce msf exploitjbossremotingunifiedinvokerrce show targets ...targets... msf exploitjbossremotingunifiedinvokerrce set TARGET msf exploitjbossremotingunifiedinvokerrce show option...
Erlang OTP Pre-Auth RCE Scanner and Exploit
This module detects and exploits CVE-2025-32433, a pre-authentication vulnerability in Erlang-based SSH servers that allows remote command execution. By sending crafted SSH packets, it executes a payload to establish a reverse shell on the target system. The exploit leverages a flaw in the SSH...
Sitecore CVE-2025-27218 BinaryFormatter Deserialization Exploit
This module exploits a .NET deserialization vulnerability in Sitecore Experience Manager (XM) and Experience Platform (XP) 10.4 by injecting a malicious Base64-encoded BinaryFormatter payload into an HTTP header. Module Options msf use exploit/windows/http/sitecorexpcve202527218 msf...
Malicious Windows Script Host JScript (.js) File
This module creates a Windows Script Host (WSH) JScript (.js) file. Module Options msf use exploit/windows/fileformat/windowsscripthostjscript msf exploitwindowsscripthostjscript show targets ...targets... msf exploitwindowsscripthostjscript set TARGET msf exploitwindowsscripthostjscript show options...
PHP Exec, PHP Meterpreter, Bind TCP Stager IPv6
Execute a PHP payload as an OS command from a Posix-compatible shell. Run a meterpreter server in PHP. Listen for a connection over IPv6 Module Options msf use payload/cmd/unix/php/meterpreter/bindtcpipv6 msf payloadbindtcpipv6 show actions ...actions... msf payloadbindtcpipv6 set ACTION msf...
Sonicwall
This module exploits a series of vulnerabilities - including auth bypass, SQL injection, and shell injection - to obtain remote code execution on SonicWall GMS versions use exploit/multi/http/sonicwallshellinjectioncve202334124 msf exploitsonicwallshellinjectioncve202334124 show targets...
Skyvern SSTI Remote Code Execution
This module exploits an SSTI vulnerability in Skyvern use exploit/linux/http/skyvernssticve202549619 msf exploitskyvernssticve202549619 show targets ...targets... msf exploitskyvernssticve202549619 set TARGET msf exploitskyvernssticve202549619 show options ...show and set options... msf...
Ancillary Function Driver (AFD) for WinSock Elevation of Privilege
A vulnerability exists in the Windows Ancillary Function Driver for Winsock (afd.sys) that can be leveraged by an attacker to escalate privileges to those of NT AUTHORITY\SYSTEM. Due to a flaw in AfdNotifyRemoveIoCompletion, it is possible to create an arbitrary kernel Write-Where primitive, which can b...
Windows IIS HTTP Protocol Stack DOS
This module exploits CVE-2021-31166, a UAF bug in http.sys when parsing specially crafted Accept-Encoding headers that was patched by Microsoft in May 2021, on vulnerable IIS servers. Successful exploitation will result in the target computer BSOD'ing before subsequently rebooting. Note that the...
WordPress AI Engine Plugin MCP Unauthenticated Admin Creation to RCE
This module exploits an unauthenticated vulnerability in the WordPress AI Engine plugin versions use exploit/multi/http/wpaienginemcprce msf exploitwpaienginemcprce show targets ...targets... msf exploitwpaienginemcprce set TARGET msf exploitwpaienginemcprce show options ...show and set options...
HTTPS Fetch
Fetch and execute an x64 payload from an HTTPS server. Module Options msf use payload/cmd/linux/https/x64/sethostname msf payloadsethostname show actions ...actions... msf payloadsethostname set ACTION msf payloadsethostname show options ...show and set options... msf payloadsethostname run This...
WordPress Royal Elementor Addons RCE
Exploit for the unauthenticated file upload vulnerability in WordPress Royal Elementor Addons and Templates plugin use exploit/multi/http/wproyalelementoraddonsrce msf exploitwproyalelementoraddonsrce show targets ...targets... msf exploitwproyalelementoraddonsrce set TARGET msf...
Microsoft Error Reporting Local Privilege Elevation Vulnerability
This module takes advantage of a bug in the way Windows error reporting opens the report parser. If you open a report, Windows uses a relative path to locate the rendering program. By creating a specific alternate directory structure, we can coerce Windows into opening an arbitrary executable as...
OS Command Exec, Unix Command Shell, Reverse TCP SSL (via php)
Execute an OS command from PHP. Creates an interactive shell via php, uses SSL Module Options msf use payload/php/unix/cmd/reversephpssl msf payloadreversephpssl show actions ...actions... msf payloadreversephpssl set ACTION msf payloadreversephpssl show options ...show and set options... msf...
Ivanti EPMM Authentication Bypass for Expression Language Remote Code Execution
This module exploits an unauthenticated remote code execution exploit chain for Ivanti EPMM, tracked as CVE-2025-4427 and CVE-2025-4428. An authentication flaw permits unauthenticated access to an administrator web API endpoint, which allows for code execution via expression language injection...
WordPress ACF Extended Unauthenticated RCE via prepare_form()
This module exploits an unauthenticated Remote Code Execution vulnerability in the Advanced Custom Fields: Extended (ACF Extended) WordPress plugin versions 0.9.0.5 through 0.9.1.1. The vulnerability exists in the prepare_form function of the acfemoduleformfrontrender class, which accepts...
SonicWall HTTP Login Scanner
This module adds HTTP Login scanning for SonicWall NSv. It allows scanning both admin and user accounts. Module Options msf use auxiliary/scanner/sonicwall/sonicwalllogin msf auxiliarysonicwalllogin show actions ...actions... msf auxiliarysonicwalllogin set ACTION msf auxiliarysonicwalllogin show...
WordPress WPS Hide Login Login Page Revealer
This module exploits a bypass issue with WPS Hide Login version use auxiliary/scanner/http/wpwpshideloginrevealer msf auxiliarywpwpshideloginrevealer show actions ...actions... msf auxiliarywpwpshideloginrevealer set ACTION msf auxiliarywpwpshideloginrevealer show options ...show and set options...
Flowise JS Injection RCE
This module exploits a remote code execution vulnerability in Flowise versions = 2.2.7-patch.1 and = 3.0.1, authentication via FLOWISEEMAIL and FLOWISEPASSWORD is required due to JWT token verification. Module Options msf use exploit/multi/http/flowisejsrce msf exploitflowisejsrce show targets...
OS Command Exec, Unix Command, Generic Command Execution
Execute an OS command from PHP. Executes the supplied command Module Options msf use payload/php/unix/cmd/generic msf payloadgeneric show actions ...actions... msf payloadgeneric set ACTION msf payloadgeneric show options ...show and set options... msf payloadgeneric run This module requires...
SolarView Compact unauthenticated remote command execution vulnerability.
CONTEC's SolarView Series enables you to monitor and visualize solar power and is only available in Japan. This module exploits a command injection vulnerability on the SolarView Compact v6.00 web application via vulnerable endpoint downloader.php. After exploitation, an attacker will have full...
Gitea Git Fetch Remote Code Execution
This module exploits the Git fetch command in the Gitea repository migration process, which leads to remote command execution on the system. This vulnerability affects Gitea versions before 1.16.7. Module Options msf use exploit/multi/http/giteagitfetchrce msf exploitgiteagitfetchrce show targets...
PHP Exec
Execute a PHP payload as an OS command from a Posix-compatible shell Module Options msf use payload/cmd/unix/php/downloadexec msf payloaddownloadexec show actions ...actions... msf payloaddownloadexec set ACTION msf payloaddownloadexec show options ...show and set options... msf payloaddownloadex...
Microsoft RDP Web Client Login Enumeration
Enumerate valid usernames and passwords against a Microsoft RDP Web Client by attempting authentication and performing a timing based check against the provided username. Module Options msf use auxiliary/scanner/http/rdpweblogin msf auxiliaryrdpweblogin show actions ...actions... msf...
Clinic's Patient Management System 1.0 - Unauthenticated RCE
This module exploits an unauthenticated file upload vulnerability in Clinic's Patient Management System 1.0. An attacker can upload a PHP web shell and execute it by leveraging directory listing enabled on the /pms/userimages directory. Module Options msf use...
Pandora FMS authenticated command injection leading to RCE via chromium_path or phantomjs_bin
Pandora FMS is a monitoring solution that provides full observability for your organization's technology. This module exploits a command injection vulnerability in the chromium-path or phantomjs-bin directory setting at the application settings page of Pandora FMS. You need to have admin access at...
Prometheus API Information Gather
This module utilizes Prometheus' API calls to gather information about the server's configuration and targets. Fields which may contain credentials or credential file names are then pulled out and printed. Targets may have a wealth of information; this module will print the following values whe...
Windows AArch64 Command Execution
Executes an arbitrary command on a Windows on ARM (AArch64) target. This payload is a foundational example of position-independent shellcode for the AArch64 architecture. It dynamically resolves the address of the WinExec function from kernel32.dll by parsing the Process Environment Block (PEB) and t...
OS Command Exec, Unix Command Shell, Reverse TCP (via ncat)
Execute an OS command from PHP. Creates an interactive shell via ncat, utilizing ssl mode Module Options msf use payload/php/unix/cmd/reversencatssl msf payloadreversencatssl show actions ...actions... msf payloadreversencatssl set ACTION msf payloadreversencatssl show options ...show and set...
CUPS IPP Attributes LAN Remote Code Execution
This module exploits vulnerabilities in OpenPrinting CUPS, which is running by default on most Linux distributions. The vulnerabilities allow an attacker on the LAN to advertise a malicious printer that triggers remote code execution when a victim sends a print job to the malicious printer...
Elasticsearch Memory Disclosure
This module exploits a memory disclosure vulnerability in Elasticsearch 7.10.0 to 7.13.3 inclusive. A user with the ability to submit arbitrary queries to Elasticsearch can generate an error message containing previously used portions of a data buffer. This buffer could contain sensitive...
OS Command Exec, Unix Command Shell, Bind TCP (via nodejs)
Execute an OS command from PHP. Continually listen for a connection and spawn a command shell via nodejs Module Options msf use payload/php/unix/cmd/bindnodejs msf payloadbindnodejs show actions ...actions... msf payloadbindnodejs set ACTION msf payloadbindnodejs show options ...show and set...
TFTP Fetch
Fetch and execute an MIPSBE payload from a TFTP server. Module Options msf use payload/cmd/linux/tftp/mipsbe/meterpreterreversetcp msf payloadmeterpreterreversetcp show actions ...actions... msf payloadmeterpreterreversetcp set ACTION msf payloadmeterpreterreversetcp show options ...show and set...