Exploits AD CS Template misconfigurations which involve updating an LDAP object: ESC9, ESC10, and ESC16

This module exploits Active Directory Certificate Services AD CS template misconfigurations, specifically ESC9, ESC10, and ESC16, by updating an LDAP object and requesting a certificate on behalf of a target user. The module leverages the auxiliary/admin/ldap/ldapobjectattribute module to update...

Malicious Windows Script Host VBScript (.vbs) File

This module creates a Windows Script Host WSH VBScript .vbs file. Module Options msf use exploit/windows/fileformat/windowsscripthostvbscript msf exploitwindowsscripthostvbscript show targets ...targets... msf exploitwindowsscripthostvbscript set TARGET msf exploitwindowsscripthostvbscript show...

Malicious Windows Script Host JScript (.js) File

This module creates a Windows Script Host WSH JScript .js file. Module Options msf use exploit/windows/fileformat/windowsscripthostjscript msf exploitwindowsscripthostjscript show targets ...targets... msf exploitwindowsscripthostjscript set TARGET msf exploitwindowsscripthostjscript show options...

Malicious Windows Registration Entries (.reg) File

This module creates a Windows Registration Entries .reg file which adds the specified payload to the Windows Registry. The payload runs upon Windows login for the current user. If the user has elevated privileges when opening the file, the payload will run upon login when any user logs in. The us...

Xorcom CompletePBX Authenticated Command Injection via Task Scheduler

This module exploits an authenticated command injection vulnerability in Xorcom CompletePBX versions use exploit/linux/http/xorcomcompletepbxscheduler msf exploitxorcomcompletepbxscheduler show targets ...targets... msf exploitxorcomcompletepbxscheduler set TARGET msf...

Xorcom CompletePBX Authenticated File Disclosure via Backup Download

This module exploits an authenticated file disclosure vulnerability in CompletePBX use auxiliary/scanner/http/xorcomcompletepbxfiledisclosure msf auxiliaryxorcomcompletepbxfiledisclosure show actions ...actions... msf auxiliaryxorcomcompletepbxfiledisclosure set ACTION msf...

Xorcom CompletePBX Arbitrary File Read and Deletion via systemDataFileName

This module exploits an authenticated path traversal vulnerability in Xorcom CompletePBX use auxiliary/scanner/http/xorcomcompletepbxdiagnosticsfileread msf auxiliaryxorcomcompletepbxdiagnosticsfileread show actions ...actions... msf auxiliaryxorcomcompletepbxdiagnosticsfileread set ACTION msf...

WordPress Photo Gallery Plugin SQL Injection (CVE-2022-0169)

The Photo Gallery by 10Web WordPress plugin use auxiliary/gather/wpphotogallerysqli msf auxiliarywpphotogallerysqli show actions ...actions... msf auxiliarywpphotogallerysqli set ACTION msf auxiliarywpphotogallerysqli show options ...show and set options... msf auxiliarywpphotogallerysqli run Thi...

PandoraFMS Netflow Authenticated Remote Code Execution

This module exploits a command injection vulnerability in Netflow component of PandoraFMS. The module requires a set of user credentials to modify Netflow settings. Also, Netflow binaries have to be present on the system. Module Options msf use exploit/linux/http/pandorafmsauthnetflowrce msf...

GraphQL Introspection Scanner

This module queries a GraphQL API Endpoint to retrieve schema data by using introspection, if it is enabled on the server. This module works on all GraphQL versions. Module Options msf use auxiliary/scanner/http/graphqlintrospectionscanner msf auxiliarygraphqlintrospectionscanner show actions...

Windows AArch64 Command Execution

Executes an arbitrary command on a Windows on ARM AArch64 target. This payload is a foundational example of position-independent shellcode for the AArch64 architecture. It dynamically resolves the address of the WinExec function from kernel32.dll by parsing the Process Environment Block PEB and t...

ISPConfig language_edit.php PHP Code Injection

This module exploits a PHP code injection vulnerability in ISPConfig's languageedit.php file. The vulnerability occurs when the adminallowlangedit setting is enabled, allowing authenticated administrators to inject arbitrary PHP code through the language editor interface. This module will...

Multiple Brother devices authentication bypass via default administrator password generation

By leaking a target devices serial number, a remote attacker can generate the target devices default administrator password. The target device may leak its serial number via unauthenticated HTTP, HTTPS, IPP, SNMP, or PJL requests. Module Options msf use...

Wing FTP Server NULL-byte Authentication Bypass (CVE-2025-47812)

Wing FTP Server allows arbitrary Lua code injection via a NULL-byte %00 truncation bug CVE-2025-47812. Supplying %00 as the username makes the C++ authentication routine validate only the prefix, while the full string is written unfiltered into the session file and later executed with root/SYSTEM...

Linux Set Hostname

Sets the hostname of the machine. Module Options msf use payload/linux/x64/sethostname msf payloadsethostname show actions ...actions... msf payloadsethostname set ACTION msf payloadsethostname show options ...show and set options... msf payloadsethostname run This module requires Metasploit:...

HTTP Fetch

Fetch and execute an x64 payload from an HTTP server. Module Options msf use payload/cmd/linux/http/x64/sethostname msf payloadsethostname show actions ...actions... msf payloadsethostname set ACTION msf payloadsethostname show options ...show and set options... msf payloadsethostname run This...

HTTPS Fetch

Fetch and execute an x64 payload from an HTTPS server. Module Options msf use payload/cmd/linux/https/x64/sethostname msf payloadsethostname show actions ...actions... msf payloadsethostname set ACTION msf payloadsethostname show options ...show and set options... msf payloadsethostname run This...

TFTP Fetch

Fetch and execute an x64 payload from a TFTP server. Module Options msf use payload/cmd/linux/tftp/x64/sethostname msf payloadsethostname show actions ...actions... msf payloadsethostname set ACTION msf payloadsethostname show options ...show and set options... msf payloadsethostname run This...

CVE-2025-33053 Exploit via Malicious .URL File and WebDAV

This module exploits CVE-2025-33053 by generating a malicious .URL file pointing to a trusted LOLBAS binary with parameters designed to trigger unintended behavior. Optionally, a payload is generated and hosted on a specified WebDAV directory. When the victim opens the shortcut, it will attempt t...

vBulletin replaceAdTemplate Remote Code Execution

This module exploits a design flaw in vBulletin's AJAX API handler and template rendering system, present in versions 5.0.0 through 6.0.3. The vulnerability allows unauthenticated attackers to invoke protected controller methods via the ajax/api/ad/replaceAdTemplate endpoint, due to improper use ...

Tatsu Wordpress Plugin RCE

This module adds exploit for CVE-2021-25094 - unauthenticated remote code execution in Tatsu Wordpress plugin use exploit/multi/http/wptatsurce msf exploitwptatsurce show targets ...targets... msf exploitwptatsurce set TARGET msf exploitwptatsurce show options ...show and set options... msf...

Skyvern SSTI Remote Code Execution

This module exploits SSTI vulnerability in Skyvern use exploit/linux/http/skyvernssticve202549619 msf exploitskyvernssticve202549619 show targets ...targets... msf exploitskyvernssticve202549619 set TARGET msf exploitskyvernssticve202549619 show options ...show and set options... msf...

Roundcube Post-Auth RCE via PHP Object Deserialization

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization. An attacker can execute arbitrary system commands as the...

OS Command Exec, Unix Command Shell, Bind TCP (via Ruby)

Execute an OS command from PHP. Continually listen for a connection and spawn a command shell via Ruby Module Options msf use payload/php/unix/cmd/bindruby msf payloadbindruby show actions ...actions... msf payloadbindruby set ACTION msf payloadbindruby show options ...show and set options... msf...

OS Command Exec, Unix Command Shell, Reverse TCP (/dev/tcp)

Execute an OS command from PHP. Creates an interactive shell via bash's builtin /dev/tcp. This will not work on circa 2009 and older Debian-based Linux distributions including Ubuntu because they compile bash without the /dev/tcp feature. Module Options msf use payload/php/unix/cmd/reversebash ms...

OS Command Exec, Unix Command Shell, Pingback Reverse TCP (via netcat)

Execute an OS command from PHP. Creates a socket, send a UUID, then exit Module Options msf use payload/php/unix/cmd/pingbackreverse msf payloadpingbackreverse show actions ...actions... msf payloadpingbackreverse set ACTION msf payloadpingbackreverse show options ...show and set options... msf...

OS Command Exec, Unix Command Shell, Reverse UDP (/dev/udp)

Execute an OS command from PHP. Creates an interactive shell via bash's builtin /dev/udp. This will not work on circa 2009 and older Debian-based Linux distributions including Ubuntu because they compile bash without the /dev/udp feature. Module Options msf use payload/php/unix/cmd/reversebashudp...

OS Command Exec, Unix Command Shell, Reverse TCP (via Lua)

Execute an OS command from PHP. Creates an interactive shell via Lua Module Options msf use payload/php/unix/cmd/reverselua msf payloadreverselua show actions ...actions... msf payloadreverselua set ACTION msf payloadreverselua show options ...show and set options... msf payloadreverselua run Thi...

OS Command Exec, Unix Command Shell, Reverse TCP (via nodejs)

Execute an OS command from PHP. Continually listen for a connection and spawn a command shell via nodejs Module Options msf use payload/php/unix/cmd/reversenodejs msf payloadreversenodejs show actions ...actions... msf payloadreversenodejs set ACTION msf payloadreversenodejs show options ...show...

OS Command Exec, Unix Command Shell, Reverse TCP (via Perl)

Execute an OS command from PHP. Creates an interactive shell via perl Module Options msf use payload/php/unix/cmd/reverseperl msf payloadreverseperl show actions ...actions... msf payloadreverseperl set ACTION msf payloadreverseperl show options ...show and set options... msf payloadreverseperl r...

OS Command Exec, Unix Command Shell, Reverse TCP SSL (via Ruby)

Execute an OS command from PHP. Connect back and create a command shell via Ruby, uses SSL Module Options msf use payload/php/unix/cmd/reverserubyssl msf payloadreverserubyssl show actions ...actions... msf payloadreverserubyssl set ACTION msf payloadreverserubyssl show options ...show and set...

OS Command Exec, Unix Command Shell, Reverse TCP SSH

Execute an OS command from PHP. Connect back and create a command shell via SSH Module Options msf use payload/php/unix/cmd/reversessh msf payloadreversessh show actions ...actions... msf payloadreversessh set ACTION msf payloadreversessh show options ...show and set options... msf...

OS Command Exec, Unix Command Shell, Bind TCP (via Lua)

Execute an OS command from PHP. Listen for a connection and spawn a command shell via Lua Module Options msf use payload/php/unix/cmd/bindlua msf payloadbindlua show actions ...actions... msf payloadbindlua set ACTION msf payloadbindlua show options ...show and set options... msf payloadbindlua r...

OS Command Exec, Unix Command Shell, Bind TCP (via netcat)

Execute an OS command from PHP. Listen for a connection and spawn a command shell via netcat Module Options msf use payload/php/unix/cmd/bindnetcat msf payloadbindnetcat show actions ...actions... msf payloadbindnetcat set ACTION msf payloadbindnetcat show options ...show and set options... msf...

OS Command Exec, Unix Command Shell, Bind TCP (stub)

Execute an OS command from PHP. Listen for a connection and spawn a command shell stub only, no payload Module Options msf use payload/php/unix/cmd/bindstub msf payloadbindstub show actions ...actions... msf payloadbindstub set ACTION msf payloadbindstub show options ...show and set options... ms...

OS Command Exec, Unix Command, Generic Command Execution

Execute an OS command from PHP. Executes the supplied command Module Options msf use payload/php/unix/cmd/generic msf payloadgeneric show actions ...actions... msf payloadgeneric set ACTION msf payloadgeneric show options ...show and set options... msf payloadgeneric run This module requires...

OS Command Exec, Unix Command Shell, Pingback Bind TCP (via netcat)

Execute an OS command from PHP. Accept a connection, send a UUID, then exit Module Options msf use payload/php/unix/cmd/pingbackbind msf payloadpingbackbind show actions ...actions... msf payloadpingbackbind set ACTION msf payloadpingbackbind show options ...show and set options... msf...

OS Command Exec, Unix Command Shell, Reverse TCP (via jjs)

Execute an OS command from PHP. Connect back and create a command shell via jjs Module Options msf use payload/php/unix/cmd/reversejjs msf payloadreversejjs show actions ...actions... msf payloadreversejjs set ACTION msf payloadreversejjs show options ...show and set options... msf...

OS Command Exec, Unix Command Shell, Reverse TCP (via ncat)

Execute an OS command from PHP. Creates an interactive shell via ncat, utilizing ssl mode Module Options msf use payload/php/unix/cmd/reversencatssl msf payloadreversencatssl show actions ...actions... msf payloadreversencatssl set ACTION msf payloadreversencatssl show options ...show and set...

OS Command Exec, Unix Command Shell, Reverse TCP (via netcat -e)

Execute an OS command from PHP. Creates an interactive shell via netcat Module Options msf use payload/php/unix/cmd/reversenetcatgaping msf payloadreversenetcatgaping show actions ...actions... msf payloadreversenetcatgaping set ACTION msf payloadreversenetcatgaping show options ...show and set...

OS Command Exec, Unix Command Shell, Double Reverse TCP SSL (openssl)

Execute an OS command from PHP. Creates an interactive shell through two inbound connections Module Options msf use payload/php/unix/cmd/reverseopenssl msf payloadreverseopenssl show actions ...actions... msf payloadreverseopenssl set ACTION msf payloadreverseopenssl show options ...show and set...

OS Command Exec, Unix Command Shell, Reverse TCP (via Python)

Execute an OS command from PHP. Connect back and create a command shell via Python Module Options msf use payload/php/unix/cmd/reversepython msf payloadreversepython show actions ...actions... msf payloadreversepython set ACTION msf payloadreversepython show options ...show and set options... msf...

OS Command Exec, Unix Command Shell, Reverse TCP (via Ruby)

Execute an OS command from PHP. Connect back and create a command shell via Ruby Module Options msf use payload/php/unix/cmd/reverseruby msf payloadreverseruby show actions ...actions... msf payloadreverseruby set ACTION msf payloadreverseruby show options ...show and set options... msf...

OS Command Exec, Unix Command Shell, Reverse UDP (via socat)

Execute an OS command from PHP. Creates an interactive shell via socat Module Options msf use payload/php/unix/cmd/reversesocatudp msf payloadreversesocatudp show actions ...actions... msf payloadreversesocatudp set ACTION msf payloadreversesocatudp show options ...show and set options... msf...

OS Command Exec, Unix Command Shell, Reverse TCP (stub)

Execute an OS command from PHP. Creates an interactive shell through an inbound connection stub only, no payload Module Options msf use payload/php/unix/cmd/reversestub msf payloadreversestub show actions ...actions... msf payloadreversestub set ACTION msf payloadreversestub show options ...show...

OS Command Exec, Add user with useradd

Execute an OS command from PHP. Creates a new user. By default the new user is set with sudo but other options exist to make the new user automatically root but this is not automatically set since the new user will be treated as root and login may be difficult. The new user can also be set as jus...

OS Command Exec, Unix Command Shell, Bind TCP (via AWK)

Execute an OS command from PHP. Listen for a connection and spawn a command shell via GNU AWK Module Options msf use payload/php/unix/cmd/bindawk msf payloadbindawk show actions ...actions... msf payloadbindawk set ACTION msf payloadbindawk show options ...show and set options... msf payloadbinda...

OS Command Exec, Unix Command Shell, Bind TCP (via BusyBox telnetd)

Execute an OS command from PHP. Listen for a connection and spawn a command shell via BusyBox telnetd Module Options msf use payload/php/unix/cmd/bindbusyboxtelnetd msf payloadbindbusyboxtelnetd show actions ...actions... msf payloadbindbusyboxtelnetd set ACTION msf payloadbindbusyboxtelnetd show...

OS Command Exec, Unix Command Shell, Bind TCP (inetd)

Execute an OS command from PHP. Listen for a connection and spawn a command shell persistent Module Options msf use payload/php/unix/cmd/bindinetd msf payloadbindinetd show actions ...actions... msf payloadbindinetd set ACTION msf payloadbindinetd show options ...show and set options... msf...

OS Command Exec, Unix Command Shell, Bind TCP (via jjs)

Execute an OS command from PHP. Listen for a connection and spawn a command shell via jjs Module Options msf use payload/php/unix/cmd/bindjjs msf payloadbindjjs show actions ...actions... msf payloadbindjjs set ACTION msf payloadbindjjs show options ...show and set options... msf payloadbindjjs r...