WordPress WP Fastest Cache Unauthenticated SQLi (CVE-2023-6063)
WP Fastest Cache, a WordPress plugin, prior to version 1.2.2, is vulnerable to an unauthenticated SQL injection vulnerability via the 'wordpress_logged_in' cookie. This can be exploited via a blind SQL injection attack without requiring any authentication. Module Options msf use...
MS-NRPC Domain Users Enumeration
This module enumerates valid Domain Users without authentication against the MS-NRPC interface. It calls DsrGetDcNameEx2 to check whether the domain user account exists. It has been tested with Windows Server 2012, 2016, 2019 and 2022. Module Options msf use auxiliary/scanner/dcerpc/nrpcenumuse...
OS Command Exec, Unix Command Shell, Reverse TCP (via Perl)
Execute an OS command from PHP. Creates an interactive shell via perl Module Options msf use payload/php/unix/cmd/reverseperl msf payloadreverseperl show actions ...actions... msf payloadreverseperl set ACTION msf payloadreverseperl show options ...show and set options... msf payloadreverseperl r...
Apache OFBiz forgotPassword/ProgramExport RCE
Apache OFBiz versions prior to 18.12.13 are vulnerable to a path traversal vulnerability (CVE-2024-32113). The vulnerable endpoint /webtools/control/forgotPassword allows an attacker to access the ProgramExport endpoint which in turn allows for remote code execution in the context of the user runni...
HTTPS Fetch, Linux Reboot
Fetch and execute an MIPSLE payload from an HTTPS server. A very small shellcode for rebooting the system using the reboot syscall. This payload is sometimes helpful for testing purposes. Requires CAP_SYS_BOOT privileges. Module Options msf use payload/cmd/linux/https/mipsle/reboot msf payloadreboo...
n8n arbitrary file read
This module exploits CVE-2026-21858, a critical unauthenticated remote code execution vulnerability in n8n workflow automation platform versions 1.65.0 through 1.120.x. The vulnerability, dubbed "Ni8mare", is a content-type confusion flaw in webhook request handling that allows attackers to achie...
Rudder Server SQLI Remote Code Execution
This Metasploit module exploits a SQL injection vulnerability in RudderStack's rudder-server, an open source Customer Data Platform (CDP). The vulnerability exists in versions of rudder-server prior to 1.3.0-rc.1. By exploiting this flaw, an attacker can execute arbitrary SQL commands, which may le...
HTTPS Fetch, Linux Command Shell, Reverse TCP Inline
Fetch and execute an MIPSLE payload from an HTTPS server. Connect back to attacker and spawn a command shell Module Options msf use payload/cmd/linux/https/ppc/shellreversetcp msf payloadshellreversetcp show actions ...actions... msf payloadshellreversetcp set ACTION msf payloadshellreversetcp sh...
FreePBX endpoint SQLi to RCE
FreePBX is an open-source IP PBX management tool that provides a modern phone system for businesses that use VoIP to make and receive phone calls. Versions before 16.0.44 and 17.0.23 are vulnerable to CVE-2025-66039, while versions before 16.0.92 and 17.0.6 are vulnerable to CVE-2025-61675. The...
HTTPS Fetch, Linux Command Shell, Reverse TCP Stager
Fetch and execute an MIPSBE payload from an HTTPS server. Spawn a command shell staged. Connect back to the attacker Module Options msf use payload/cmd/linux/https/mipsbe/shell/reversetcp msf payloadreversetcp show actions ...actions... msf payloadreversetcp set ACTION msf payloadreversetcp show...
TFTP Fetch
Fetch and execute an ARMLE payload from a TFTP server. Module Options msf use payload/cmd/linux/tftp/armle/meterpreterreversehttps msf payloadmeterpreterreversehttps show actions ...actions... msf payloadmeterpreterreversehttps set ACTION msf payloadmeterpreterreversehttps show options ...show an...
Assistive Technologies Persistence
This module achieves persistence by registering a custom Assistive Technology (AT) in the Windows registry. It then configures the system to launch the AT executable during user logon or desktop switch, such as with an admin-privileged program. Requires Windows 8 or higher and administrative privileges...
SMB Password Change
Change the password of an account using SMB. This provides several different APIs, each of which has its respective benefits and drawbacks. Module Options msf use auxiliary/admin/smb/changepassword msf auxiliarychangepassword show actions ...actions... msf auxiliarychangepassword set ACTION ms...
Moodle Authenticated Spelling Binary RCE
Moodle allows an authenticated user to define spellcheck settings via the web interface. The user can update the spellcheck mechanism to point to a system-installed aspell binary. By updating the path for the spellchecker to an arbitrary command, an attacker can run arbitrary commands in the...
OS Command Exec, Unix Command Shell, Bind TCP (via AWK)
Execute an OS command from PHP. Listen for a connection and spawn a command shell via GNU AWK Module Options msf use payload/php/unix/cmd/bindawk msf payloadbindawk show actions ...actions... msf payloadbindawk set ACTION msf payloadbindawk show options ...show and set options... msf payloadbinda...
HPE OneView unauthenticated RCE
This module exploits an unauthenticated RCE vulnerability, CVE-2025-37164, against Hewlett Packard Enterprise (HPE) OneView. All versions below 11.00 are vulnerable so long as the vendor-supplied hotfix has not been applied; however, some VM product versions do not enable the vulnerable "ID Pools"...
ICPR Certificate Management
Request certificates via MS-ICPR (Active Directory Certificate Services). Depending on the certificate template's configuration, the resulting certificate can be used for various operations such as authentication. PFX certificate files that are saved are encrypted with a blank password. This module ...
ManageEngine ADSelfService Plus Custom Script Execution
This module exploits the "custom script" feature of ADSelfService Plus. The feature was removed in build 6122 as part of the patch for CVE-2022-28810. For purposes of this module, a "custom script" is arbitrary operating system command execution. This module uses an attacker-provided "admin"...
Grafana Plugin Path Traversal
Grafana versions 8.0.0-beta1 through 8.3.0 prior to 8.0.7, 8.1.8, 8.2.7, or 8.3.1 are vulnerable to directory traversal through the plugin URL. A valid plugin ID is required, but many are installed by default. Module Options msf use auxiliary/scanner/http/grafanaplugintraversal msf...
Samba _netr_ServerPasswordSet Uninitialized Credential State
This module checks if a Samba target is vulnerable to an uninitialized variable creds vulnerability. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Samba netrServerPasswordSet Uninitialized...
Western Digital MyCloud unauthenticated command injection
This module exploits authentication bypass (CVE-2018-17153) and command injection (CVE-2016-10108) vulnerabilities in Western Digital MyCloud before 2.30.196 in order to achieve unauthenticated remote code execution as the root user. The module first performs a check to see if the target is WD MyClou...
UnRAR Path Traversal in Zimbra (CVE-2022-30333)
This module creates a RAR file that can be emailed to a Zimbra server to exploit CVE-2022-30333. If successful, it plants a JSP-based backdoor in the public web directory, then executes that backdoor. The core vulnerability is a path-traversal issue in unRAR that can extract an arbitrary file to ...
Accessibility Features (Sticky Keys) Persistence via Debugger Registry Key
This module makes it possible to apply the 'sticky keys' hack to a session with appropriate rights. The hack provides a means to get a SYSTEM shell using UI-level interaction at an RDP login screen or via a UAC confirmation dialog. The module modifies the Debug registry setting for certain...
IGEL OS Persistent Payload
Gain persistence for specified payload on IGEL OS Workspace Edition, by writing a payload to disk or base64-encoding and executing from registry. Module Options msf use exploit/linux/persistence/igelpersistence msf exploitigelpersistence show targets ...targets... msf exploitigelpersistence set...
elFinder PHP Connector exiftran Command Injection
This module exploits a command injection vulnerability in elFinder versions prior to 2.1.48. The PHP connector component allows unauthenticated users to upload files and perform file modification operations, such as resizing and rotation of an image. The file name of uploaded files is not...
Linux Command Shell, Reverse TCP Inline
Connect back to attacker and spawn a command shell. Module Options msf use payload/linux/riscv64le/shellreversetcp msf payloadshellreversetcp show actions ...actions... msf payloadshellreversetcp set ACTION msf payloadshellreversetcp show options ...show and set options... msf...
Chamilo unauthenticated command injection in PowerPoint upload
Chamilo is an e-learning platform, also called Learning Management Systems (LMS). This module exploits an unauthenticated remote command execution vulnerability that affects Chamilo versions 1.11.18 and below (CVE-2023-34960). Due to a functionality called Chamilo Rapid to easily convert PowerPoint...
Android Meterpreter, Android Reverse HTTPS Stager
Run a meterpreter server in Android. Tunnel communication over HTTPS. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = :dynamic include Msf::Payload::Stager include...
Malicious XDG Desktop File
This module creates a malicious XDG Desktop (.desktop) file. On most modern systems, desktop files are not trusted by default. The user will receive a warning prompt that the file is not trusted when running the file, but may choose to run the file anyway. The default file manager applications in...
PRTG CVE-2023-32781 Authenticated RCE
Authenticated RCE in Paessler PRTG Module Options msf use exploit/windows/http/prtgauthenticatedrcecve202332781 msf exploitprtgauthenticatedrcecve202332781 show targets ...targets... msf exploitprtgauthenticatedrcecve202332781 set TARGET msf exploitprtgauthenticatedrcecve202332781 show options...
OPNSense Login Scanner
This module performs login attempts against a Deciso B.V OPNSense router webpage to bruteforce possible credentials. Module Options msf use auxiliary/scanner/http/opnsenselogin msf auxiliaryopnsenselogin show actions ...actions... msf auxiliaryopnsenselogin set ACTION msf auxiliaryopnsenselogin...
CrushFTP AWS4-HMAC Authentication Bypass
This module leverages an authentication bypass in CrushFTP 11 use auxiliary/gather/crushftpauthbypasscve20252825 msf auxiliarycrushftpauthbypasscve20252825 show actions ...actions... msf auxiliarycrushftpauthbypasscve20252825 set ACTION msf auxiliarycrushftpauthbypasscve20252825 show options...
HTTPS Fetch, Linux Command Shell, Reverse TCP Inline
Fetch and execute an ARMLE payload from an HTTPS server. Connect back to attacker and spawn a command shell Module Options msf use payload/cmd/linux/https/armle/shellreversetcp msf payloadshellreversetcp show actions ...actions... msf payloadshellreversetcp set ACTION msf payloadshellreversetcp...
IGEL OS Dump File
Dump a file with escalated privileges for IGEL OS Workspace Edition sessions, by elevating rights with setupcmd SUID and outputting with date. Module Options msf use post/linux/gather/igeldumpfile msf postigeldumpfile show actions ...actions... msf postigeldumpfile set ACTION msf postigeldumpfile...
Jenkins ACL Bypass and Metaprogramming RCE
This module exploits a vulnerability in Jenkins dynamic routing to bypass the Overall/Read ACL and leverage Groovy metaprogramming to download and execute a malicious JAR file. When the "Java Dropper" target is selected, the original entry point based on classLoader.parseClass is used, which...
Ivanti Connect Secure HTTP Scanner
This module will perform authentication scanning against Ivanti Connect Secure. Module Options msf use auxiliary/scanner/ivanti/ivantilogin msf auxiliaryivantilogin show actions ...actions... msf auxiliaryivantilogin set ACTION msf auxiliaryivantilogin show options ...show and set options... msf...
WordPress Ultimate Member SQL Injection (CVE-2024-1071)
The Ultimate Member plugin for WordPress up to version 2.8.2 is vulnerable to SQL injection via the 'sorting' parameter. This allows unauthenticated attackers to exploit blind SQL injections and extract sensitive information from the database. Module Options msf use...
WordPress Plugin Pie Register Auth Bypass to RCE
This module uses an authentication bypass vulnerability in Wordpress Plugin Pie Register use exploit/unix/webapp/wppieregisterbypassrce msf exploitwppieregisterbypassrce show targets ...targets... msf exploitwppieregisterbypassrce set TARGET msf exploitwppieregisterbypassrce show options ...show...
Ray Agent Job RCE
RCE in Ray via the agent job submission endpoint. This is intended functionality as Ray's main purpose is executing arbitrary workloads. By default Ray has no authentication. Module Options msf use exploit/linux/http/rayagentjobrce msf exploitrayagentjobrce show targets ...targets... msf...
Telerik Report Server Auth Bypass and Deserialization RCE
This module chains an authentication bypass vulnerability (CVE-2024-4358) with a deserialization vulnerability (CVE-2024-1800) to obtain remote code execution against Telerik Report Server version 10.0.24.130 and prior. The authentication bypass flaw allows an unauthenticated user to create a new use...
ProFTPD-1.3.3c Backdoor Command Execution
This module exploits a malicious backdoor that was added to the ProFTPD download archive. This backdoor was present in the proftpd-1.3.3c.tar.bz2|gz archive between November 28th 2010 and 2nd December 2010. This module requires Metasploit: https://metasploit.com/download Current source:...
Magento XXE Unserialize Arbitrary File Read
This module exploits an XXE vulnerability in Magento 2.4.7-p1 and below which allows an attacker to read any file on the system. Module Options msf use auxiliary/gather/magentoxxecve202434102 msf auxiliarymagentoxxecve202434102 show actions ...actions... msf auxiliarymagentoxxecve202434102 set...
HTTP Fetch, Windows x64 Command Shell, Reverse TCP Stager with UUID Support (Windows x64)
Fetch and execute an x64 payload from an HTTP server. Spawn a piped command shell Windows x64 staged. Connect back to the attacker with UUID Support Windows x64 Module Options msf use payload/cmd/windows/http/x64/shell/reversetcpuuid msf payloadreversetcpuuid show actions ...actions... msf...
Kerberos ticket converter
This module converts tickets to the ccache format from the kirbi format and vice versa. Module Options msf use auxiliary/admin/kerberos/ticketconverter msf auxiliaryticketconverter show actions ...actions... msf auxiliaryticketconverter set ACTION msf auxiliaryticketconverter show options ...show...
Python Exec, Python Meterpreter, Python Reverse TCP Stager
Execute a Python payload from a command. Run a meterpreter server in Python compatible with 2.5-2.7 & 3.1+. Connect back to the attacker Module Options msf use payload/cmd/windows/python/meterpreter/reversetcp msf payloadreversetcp show actions ...actions... msf payloadreversetcp set ACTION msf...
ThinManager Path Traversal (CVE-2023-2917) Arbitrary File Upload
This module exploits a path traversal vulnerability CVE-2023-2917 in ThinManager use auxiliary/admin/networking/thinmanagertraversalupload2 msf auxiliarythinmanagertraversalupload2 show actions ...actions... msf auxiliarythinmanagertraversalupload2 set ACTION msf...
HTTP Fetch, Reverse TCP Stager
Fetch and execute an MIPSLE payload from an HTTP server. Connect back to the attacker Module Options msf use payload/cmd/linux/http/mipsle/meterpreter/reversetcp msf payloadreversetcp show actions ...actions... msf payloadreversetcp set ACTION msf payloadreversetcp show options ...show and set...
HTTPS Fetch, Linux Execute Command
Fetch and execute an MIPSBE payload from an HTTPS server. A very small shellcode for executing commands. This module is sometimes helpful for testing purposes. Module Options msf use payload/cmd/linux/https/mipsbe/exec msf payloadexec show actions ...actions... msf payloadexec set ACTION msf...
Archer C7 Directory Traversal Vulnerability
This module exploits a directory traversal vulnerability in the PATH_INFO found at /login/ on TP-Link Archer C5, C7, and C9 routers of varying versions. Module Options msf use auxiliary/gather/tplinkarcherc7traversal msf auxiliarytplinkarcherc7traversal show actions ...actions... msf...
Xorcom CompletePBX Arbitrary File Read and Deletion via systemDataFileName
This module exploits an authenticated path traversal vulnerability in Xorcom CompletePBX use auxiliary/scanner/http/xorcomcompletepbxdiagnosticsfileread msf auxiliaryxorcomcompletepbxdiagnosticsfileread show actions ...actions... msf auxiliaryxorcomcompletepbxdiagnosticsfileread set ACTION msf...