Simple
Simple NOP generator Module Options msf use nop/riscv64le/simple msf nopsimple show actions ...actions... msf nopsimple set ACTION msf nopsimple show options ...show and set options... msf nopsimple run This module requires Metasploit: https://metasploit.com/download Current source:...
Simple
Simple NOP generator Module Options msf use nop/riscv32le/simple msf nopsimple show actions ...actions... msf nopsimple set ACTION msf nopsimple show options ...show and set options... msf nopsimple run This module requires Metasploit: https://metasploit.com/download Current source:...
Advanced Browser Data Extraction for Chromium and Gecko Browsers
This post-exploitation module extracts sensitive browser data from both Chromium-based and Gecko-based browsers on the target system. It supports the decryption of passwords and cookies using Windows Data Protection API (DPAPI) and can extract additional data such as browsing history, keyword searc...
WordPress TI WooCommerce Wishlist SQL Injection (CVE-2024-43917)
The TI WooCommerce Wishlist plugin use auxiliary/scanner/http/wptiwoocommercewishlistsqli msf auxiliarywptiwoocommercewishlistsqli show actions ...actions... msf auxiliarywptiwoocommercewishlistsqli set ACTION msf auxiliarywptiwoocommercewishlistsqli show options ...show and set options... msf...
SolarWinds Web Help Desk Backdoor (CVE-2024-28987)
This module exploits a backdoor in SolarWinds Web Help Desk use auxiliary/gather/solarwindswebhelpdeskbackdoor msf auxiliarysolarwindswebhelpdeskbackdoor show actions ...actions... msf auxiliarysolarwindswebhelpdeskbackdoor set ACTION msf auxiliarysolarwindswebhelpdeskbackdoor show options ...sho...
WordPress wp-automatic Plugin SQLi Admin Creation
This module exploits an unauthenticated SQL injection vulnerability in the WordPress wp-automatic plugin versions use exploit/multi/http/wpautomaticsqlitorce msf exploitwpautomaticsqlitorce show targets ...targets... msf exploitwpautomaticsqlitorce set TARGET msf exploitwpautomaticsqlitorce show...
WordPress Ultimate Member SQL Injection (CVE-2024-1071)
The Ultimate Member plugin for WordPress up to version 2.8.2 is vulnerable to SQL injection via the 'sorting' parameter. This allows unauthenticated attackers to exploit blind SQL injections and extract sensitive information from the database. Module Options msf use...
CosmicSting: Magento Arbitrary File Read (CVE-2024-34102) + PHP Buffer Overflow in the iconv() function of glibc (CVE-2024-2961)
This combination of an Arbitrary File Read (CVE-2024-34102) and a Buffer Overflow in glibc (CVE-2024-2961) allows for unauthenticated Remote Code Execution on the following versions of Magento and Adobe Commerce and earlier if the PHP and glibc versions are also vulnerable: - 2.4.7 and earlier -...
WordPress LearnPress Unauthenticated SQLi (CVE-2024-8522, CVE-2024-8529)
The LearnPress WordPress LMS Plugin up to version 4.2.7 is vulnerable to SQL injection via the 'conlyfields' and 'cfields' parameters. This allows unauthenticated attackers to exploit blind SQL injections and extract sensitive information. Module Options msf use...
BYOB Unauthenticated RCE via Arbitrary File Write and Command Injection (CVE-2024-45256, CVE-2024-45257)
This module exploits two vulnerabilities in the BYOB (Build Your Own Botnet) web GUI: 1. CVE-2024-45256: Unauthenticated arbitrary file write that allows modification of the SQLite database, adding a new admin user. 2. CVE-2024-45257: Authenticated command injection in the payload generation page...
WordPress WP Fastest Cache Unauthenticated SQLi (CVE-2023-6063)
WP Fastest Cache, a WordPress plugin, prior to version 1.2.2, is vulnerable to an unauthenticated SQL injection vulnerability via the 'wordpressloggedin' cookie. This can be exploited via a blind SQL injection attack without requiring any authentication. Module Options msf use...
cups-browsed Information Disclosure
Retrieve CUPS version and kernel version information from cups-browsed services. Module Options msf use auxiliary/scanner/misc/cupsbrowsedinfodisclosure msf auxiliarycupsbrowsedinfodisclosure show actions ...actions... msf auxiliarycupsbrowsedinfodisclosure set ACTION msf...
Acronis Cyber Infrastructure default password remote code execution
Acronis Cyber Infrastructure (ACI) is an IT infrastructure solution that provides storage, compute, and network resources. Businesses and Service Providers are using it for data storage, backup storage, creating and managing virtual machines and software-defined networks, running cloud-native...
VICIdial Authenticated Remote Code Execution
An attacker with authenticated access to VICIdial as an "agent" can execute arbitrary shell commands as the "root" user. This attack can be chained with CVE-2024-8503 to execute arbitrary shell commands starting from an unauthenticated perspective. Module Options msf use...
Local Privilege Escalation via CVE-2023-0386
This exploit targets the Linux kernel bug in OverlayFS. A flaw was found in the Linux kernel, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel's OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another...
WhatsUp Gold SQL Injection (CVE-2024-6670)
This module exploits a SQL injection vulnerability in WhatsUp Gold, by changing the password of an existing user such as of the default admin account to an attacker-controlled one. WhatsUp Gold versions use auxiliary/admin/http/whatsupgoldsqli msf auxiliarywhatsupgoldsqli show actions ...actions...
Vicidial SQL Injection Time-based Admin Credentials Enumeration
This module exploits a time-based SQL injection vulnerability in VICIdial, allowing attackers to dump admin credentials (usernames and passwords) via SQL injection. Module Options msf use auxiliary/scanner/http/vicidialsqlenumuserspass msf auxiliaryvicidialsqlenumuserspass show actions ...actions...
Traccar v5 Remote Code Execution (CVE-2024-31214 and CVE-2024-24809)
Remote Code Execution in Traccar v5.1 - v5.12. Remote code execution can be obtained by combining two vulnerabilities: A path traversal vulnerability (CVE-2024-24809) and an unrestricted file upload vulnerability (CVE-2024-31214). By default, the application allows self-registration, enabling any use...
Cisco Smart Software Manager (SSM) On-Prem Account Takeover (CVE-2024-20419)
This module exploits an improper access control vulnerability in Cisco Smart Software Manager (SSM) On-Prem use auxiliary/admin/http/ciscossmonpremaccount msf auxiliaryciscossmonpremaccount show actions ...actions... msf auxiliaryciscossmonpremaccount set ACTION msf auxiliaryciscossmonpremaccount...
Windows Kernel Time of Check Time of Use LPE in AuthzBasepCopyoutInternalSecurityAttributes
CVE-2024-30088 is a Windows Kernel Elevation of Privilege Vulnerability which affects many recent versions of Windows 10, Windows 11 and Windows Server 2022. The vulnerability exists inside the function called AuthzBasepCopyoutInternalSecurityAttributes specifically when the kernel copies the...
WordPress LiteSpeed Cache plugin cookie theft
This module exploits an unauthenticated account takeover vulnerability in LiteSpeed Cache, a WordPress plugin that currently has around 6 million active installations. In LiteSpeed Cache versions prior to 6.5.0.1, when the Debug Logging feature is enabled, the plugin will log admin cookies to the...
update-motd.d Persistence
This module will add a script in /etc/update-motd.d/ in order to persist a payload. The payload will be executed with root privileges every time a user logs in. Module Options msf use exploit/linux/local/motdpersistence msf exploitmotdpersistence show targets ...targets... msf exploitmotdpersisten...
SPIP form PHP Injection
This module exploits a PHP code injection in SPIP. The vulnerability exists in the oubli parameter and allows an unauthenticated user to execute arbitrary commands with web user privileges. Branches 3.2, 4.0, 4.1 and 4.2 are concerned. Vulnerable versions are use exploit/multi/http/spiprceform ms...
SPIP BigUp Plugin Unauthenticated RCE
This module exploits a Remote Code Execution vulnerability in the BigUp plugin of SPIP. The vulnerability lies in the listerfichiersparchamps function, which is triggered when the bigupretrouverfichiers parameter is set to any value. By exploiting the improper handling of multipart form data in...
SPIP connect Parameter PHP Injection
This module exploits a PHP code injection vulnerability in SPIP. The vulnerability exists in the connect parameter, allowing an unauthenticated user to execute arbitrary commands with web user privileges. Branches 2.0, 2.1, and 3 are affected. Vulnerable versions are use...
PHP Minify Encoder
This encoder minifies a PHP payload by removing leading spaces, trailing new lines, comments, ... Module Options msf use encoder/php/minify msf encoderminify show actions ...actions... msf encoderminify set ACTION msf encoderminify show options ...show and set options... msf encoderminify run Thi...
GiveWP Unauthenticated Donation Process Exploit
The GiveWP Donation Plugin and Fundraising Platform for WordPress, in all versions up to and including 3.16.1, is vulnerable to a PHP Object Injection (POI) attack that allows unauthenticated arbitrary code execution. Although a patch was introduced in version 3.14.2, it was incorrect and can be...
Gather electerm Passwords
This module will determine if electerm is installed on the target system and, if it is, it will try to dump all saved session information from the target. The passwords for these saved sessions will then be decrypted where possible. Module Options msf use post/multi/gather/electerm msf postelecte...
pgAdmin Binary Path API RCE
pgAdmin use exploit/windows/http/pgadminbinarypathapi msf exploitpgadminbinarypathapi show targets ...targets... msf exploitpgadminbinarypathapi set TARGET msf exploitpgadminbinarypathapi show options ...show and set options... msf exploitpgadminbinarypathapi exploit This module requires...
PHP Hex Encoder
This encoder returns a hex string encapsulated in evalhex2bin, increasing the size by a bit more than a factor two. Module Options msf use encoder/php/hex msf encoderhex show actions ...actions... msf encoderhex set ACTION msf encoderhex show options ...show and set options... msf encoderhex run...
Control iD iDSecure Authentication Bypass (CVE-2023-6329)
This module exploits an improper access control vulnerability (CVE-2023-6329) in Control iD iDSecure use auxiliary/admin/http/idsecureauthbypass msf auxiliaryidsecureauthbypass show actions ...actions... msf auxiliaryidsecureauthbypass set ACTION msf auxiliaryidsecureauthbypass show options ...show...
Ivanti Virtual Traffic Manager Authentication Bypass (CVE-2024-7593)
This module exploits an access control issue in Ivanti Virtual Traffic Manager (vTM), by adding a new administrative user to the web interface of the application. Affected versions include 22.7R1, 22.6R1, 22.5R1, 22.3R2, 22.3, 22.2. Module Options msf use auxiliary/admin/http/ivantivtmadmin msf...
Ray cpu_profile command injection
Ray RCE via cpuprofile command injection vulnerability. Module Options msf use exploit/linux/http/raycpuprofilecmdinjectioncve20236019 msf exploitraycpuprofilecmdinjectioncve20236019 show targets ...targets... msf exploitraycpuprofilecmdinjectioncve20236019 set TARGET msf...
Ray Agent Job RCE
RCE in Ray via the agent job submission endpoint. This is intended functionality as Ray's main purpose is executing arbitrary workloads. By default Ray has no authentication. Module Options msf use exploit/linux/http/rayagentjobrce msf exploitrayagentjobrce show targets ...targets... msf...
Ray static arbitrary file read
Ray before 2.8.1 is vulnerable to a local file inclusion. Module Options msf use auxiliary/gather/raylficve20236020 msf auxiliaryraylficve20236020 show actions ...actions... msf auxiliaryraylficve20236020 set ACTION msf auxiliaryraylficve20236020 show options ...show and set options... msf...
DIAEnergie SQL Injection (CVE-2024-4548)
SQL injection vulnerability in DIAEnergie use exploit/windows/scada/diaenergiesqli msf exploitdiaenergiesqli show targets ...targets... msf exploitdiaenergiesqli set TARGET msf exploitdiaenergiesqli show options ...show and set options... msf exploitdiaenergiesqli exploit class MetasploitModule...
SPIP Unauthenticated RCE via porte_plume Plugin
This module exploits a Remote Code Execution vulnerability in SPIP versions up to and including 4.2.12. The vulnerability occurs in SPIP's templating system where it incorrectly handles user-supplied input, allowing an attacker to inject and execute arbitrary PHP code. This can be achieved by...
Fortra FileCatalyst Workflow SQL Injection (CVE-2024-5276)
This module exploits a SQL injection vulnerability in Fortra FileCatalyst Workflow use auxiliary/admin/http/fortrafilecatalystworkflowsqli msf auxiliaryfortrafilecatalystworkflowsqli show actions ...actions... msf auxiliaryfortrafilecatalystworkflowsqli set ACTION msf...
LG Simple Editor Command Injection (CVE-2023-40504)
Unauthenticated Command Injection in LG Simple Editor use exploit/windows/http/lgsimpleeditorrceuploadvideo msf exploitlgsimpleeditorrceuploadvideo show targets ...targets... msf exploitlgsimpleeditorrceuploadvideo set TARGET msf exploitlgsimpleeditorrceuploadvideo show options ...show and set...
OpenMetadata authentication bypass and SpEL injection exploit chain
OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. This module chains two vulnerabilities that exist in the OpenMetadata application. The first vulnerability, CVE-2024-28255,...
Apache HugeGraph Gremlin RCE
This module exploits CVE-2024-27348 which is a Remote Code Execution (RCE) vulnerability that exists in Apache HugeGraph Server in versions before 1.3.0. An attacker can bypass the sandbox restrictions and achieve RCE through Gremlin, resulting in complete control over the server. Module Options msf...
Calibre Python Code Injection (CVE-2024-6782)
This module exploits a Python code injection vulnerability in the Content Server component of Calibre v6.9.0 - v7.15.0. Once enabled (disabled by default), it will listen in its default configuration on all network interfaces on TCP port 8080 for incoming traffic, and does not require any...
OpenMediaVault rpc.php Authenticated Cron Remote Code Execution
OpenMediaVault allows an authenticated user to create cron jobs as root on the system. An attacker can abuse this by sending a POST request via rpc.php to schedule and execute a cron entry that runs arbitrary commands as root on the system. All OpenMediaVault versions including the latest release...
mySCADA MyPRO Authenticated Command Injection (CVE-2023-28384)
Authenticated Command Injection in MyPRO use exploit/windows/scada/myprocmdexe msf exploitmyprocmdexe show targets ...targets... msf exploitmyprocmdexe set TARGET msf exploitmyprocmdexe show options ...show and set options... msf exploitmyprocmdexe exploit class MetasploitModule 'mySCADA MyPRO...
Softing Secure Integration Server v1.22 Remote Code Execution
This module chains two vulnerabilities (CVE-2022-1373 and CVE-2022-2334) to achieve authenticated remote code execution against Softing Secure Integration Server v1.22. In CVE-2022-1373, the restore configuration feature is vulnerable to a directory traversal vulnerability when processing zip files...
Ghostscript Command Execution via Format String
This module exploits a format string vulnerability in Ghostscript versions before 10.03.1 to achieve a SAFER sandbox bypass and execute arbitrary commands. This vulnerability is reachable via libraries such as ImageMagick. This exploit only works against Ghostscript versions 10.03.0 and 10.01.2...
Magento XXE Unserialize Arbitrary File Read
This module exploits an XXE vulnerability in Magento 2.4.7-p1 and below which allows an attacker to read any file on the system. Module Options msf use auxiliary/gather/magentoxxecve202434102 msf auxiliarymagentoxxecve202434102 show actions ...actions... msf auxiliarymagentoxxecve202434102 set...
Geoserver unauthenticated Remote Code Execution
GeoServer is an open-source software server written in Java that provides the ability to view, edit, and share geospatial data. It is designed to be a flexible, efficient solution for distributing geospatial data from a variety of sources such as Geographic Information System (GIS) databases,...
Atlassian Confluence Administrator Code Macro Remote Code Execution
This module exploits an authenticated administrator-level vulnerability in Atlassian Confluence, tracked as CVE-2024-21683. The vulnerability exists due to the Rhino script engine parser evaluating tainted data from uploaded text files. This facilitates arbitrary code execution. This exploit will...
Ivanti EPM RecordGoodApp SQLi RCE
Ivanti Endpoint Manager (EPM) 2022 SU5 and prior are vulnerable to unauthenticated SQL injection which can be leveraged to achieve unauthenticated remote code execution. Module Options msf use exploit/windows/http/ivantiepmrecordgoodappsqlirce msf exploitivantiepmrecordgoodappsqlirce show targets...