6843 matches found
Python Exec, Python Meterpreter, Python Reverse HTTPS Stager
Execute a Python payload from a command. Run a meterpreter server in Python compatible with 2.5-2.7 & 3.1+. Tunnel communication over HTTP using SSL Module Options msf use payload/cmd/windows/python/meterpreter/reversehttps msf payloadreversehttps show actions ...actions... msf payloadreversehttp...
Python Exec, Python Meterpreter Shell, Reverse TCP Inline
Execute a Python payload from a command. Connect back to the attacker and spawn a Meterpreter shell Module Options msf use payload/cmd/windows/python/meterpreterreversetcp msf payloadmeterpreterreversetcp show actions ...actions... msf payloadmeterpreterreversetcp set ACTION msf...
Python Exec, Python Meterpreter Shell, Reverse HTTPS Inline
Execute a Python payload from a command. Connect back to the attacker and spawn a Meterpreter shell Module Options msf use payload/cmd/windows/python/meterpreterreversehttps msf payloadmeterpreterreversehttps show actions ...actions... msf payloadmeterpreterreversehttps set ACTION msf...
Python Exec, Python Meterpreter, Python Bind TCP Stager
Execute a Python payload from a command. Run a meterpreter server in Python compatible with 2.5-2.7 & 3.1+. Listen for a connection Module Options msf use payload/cmd/windows/python/meterpreter/bindtcp msf payloadbindtcp show actions ...actions... msf payloadbindtcp set ACTION msf payloadbindtcp...
Python Exec, Python Pingback, Reverse TCP (via python)
Execute a Python payload from a command. Connects back to the attacker, sends a UUID, then terminates Module Options msf use payload/cmd/windows/python/pingbackreversetcp msf payloadpingbackreversetcp show actions ...actions... msf payloadpingbackreversetcp set ACTION msf payloadpingbackreversetc...
Python Exec, Python Pingback, Bind TCP (via python)
Execute a Python payload from a command. Listens for a connection from the attacker, sends a UUID, then terminates Module Options msf use payload/cmd/windows/python/pingbackbindtcp msf payloadpingbackbindtcp show actions ...actions... msf payloadpingbackbindtcp set ACTION msf payloadpingbackbindt...
Python Exec, Python Meterpreter, Python Reverse TCP Stager
Execute a Python payload from a command. Run a meterpreter server in Python compatible with 2.5-2.7 & 3.1+. Connect back to the attacker Module Options msf use payload/cmd/windows/python/meterpreter/reversetcp msf payloadreversetcp show actions ...actions... msf payloadreversetcp set ACTION msf...
Python Exec, Command Shell, Reverse TCP (via python)
Execute a Python payload from a command. Creates an interactive shell via Python, encodes with base64 by design. Compatible with Python 2.4-2.7 and 3.4+. Module Options msf use payload/cmd/windows/python/shellreversetcp msf payloadshellreversetcp show actions ...actions... msf...
Python Exec, Python Meterpreter Shell, Reverse HTTP Inline
Execute a Python payload from a command. Connect back to the attacker and spawn a Meterpreter shell Module Options msf use payload/cmd/windows/python/meterpreterreversehttp msf payloadmeterpreterreversehttp show actions ...actions... msf payloadmeterpreterreversehttp set ACTION msf...
Python Exec, Command Shell, Bind TCP (via python)
Execute a Python payload from a command. Creates an interactive shell via Python, encodes with base64 by design. Compatible with Python 2.4-2.7 and 3.4+. Module Options msf use payload/cmd/windows/python/shellbindtcp msf payloadshellbindtcp show actions ...actions... msf payloadshellbindtcp set...
Python Exec, Python Meterpreter, Python Reverse TCP Stager with UUID Support
Execute a Python payload from a command. Run a meterpreter server in Python compatible with 2.5-2.7 & 3.1+. Connect back to the attacker with UUID Support Module Options msf use payload/cmd/windows/python/meterpreter/reversetcpuuid msf payloadreversetcpuuid show actions ...actions... msf...
Python Exec, Python Meterpreter, Python Bind TCP Stager with UUID Support
Execute a Python payload from a command. Run a meterpreter server in Python compatible with 2.5-2.7 & 3.1+. Listen for a connection with UUID Support Module Options msf use payload/cmd/windows/python/meterpreter/bindtcpuuid msf payloadbindtcpuuid show actions ...actions... msf payloadbindtcpuuid...
Python Exec, Command Shell, Reverse TCP SSL (via python)
Execute a Python payload from a command. Creates an interactive shell via Python, uses SSL, encodes with base64 by design. Compatible with Python 2.6-2.7 and 3.4+. Module Options msf use payload/cmd/windows/python/shellreversetcpssl msf payloadshellreversetcpssl show actions ...actions... msf...
Python Exec, Python Meterpreter, Python Reverse TCP SSL Stager
Execute a Python payload from a command. Run a meterpreter server in Python compatible with 2.5-2.7 & 3.1+. Reverse Python connect back stager using SSL Module Options msf use payload/cmd/windows/python/meterpreter/reversetcpssl msf payloadreversetcpssl show actions ...actions... msf...
Python Exec, Python Meterpreter Shell, Bind TCP Inline
Execute a Python payload from a command. Connect to the victim and spawn a Meterpreter shell Module Options msf use payload/cmd/windows/python/meterpreterbindtcp msf payloadmeterpreterbindtcp show actions ...actions... msf payloadmeterpreterbindtcp set ACTION msf payloadmeterpreterbindtcp show...
Python Exec, Python Meterpreter, Python Reverse HTTP Stager
Execute a Python payload from a command. Run a meterpreter server in Python compatible with 2.5-2.7 & 3.1+. Tunnel communication over HTTP Module Options msf use payload/cmd/windows/python/meterpreter/reversehttp msf payloadreversehttp show actions ...actions... msf payloadreversehttp set ACTION...
Cacti 1.2.22 unauthenticated command injection
This module exploits an unauthenticated command injection vulnerability in Cacti through 1.2.22 CVE-2022-46169 in order to achieve unauthenticated remote code execution as the www-data user. The module first attempts to obtain the Cacti version to see if the target is affected. If LOCALDATAID...
Wordpress Paid Membership Pro code Unauthenticated SQLi
Paid Membership Pro, a WordPress plugin, prior to 2.9.8 is affected by an unauthenticated SQL injection via the code parameter. Remote attackers can exploit this vulnerability to dump usernames and password hashes from the wpusers table of the affected WordPress installation. These password hashe...
Mirage firewall for QubesOS 0.8.0-0.8.3 Denial of Service (DoS) Exploit
This module allows remote attackers to cause a denial of service DoS in Mirage firewall for QubesOS 0.8.0-0.8.3 via a specifically crafted UDP request. Module Options msf use auxiliary/dos/mirageos/qubesmiragefirewalldos msf auxiliaryqubesmiragefirewalldos show actions ...actions... msf...
Ivanti Cloud Services Appliance (CSA) Command Injection
This module exploits a command injection vulnerability in the Ivanti Cloud Services Appliance CSA for Ivanti Endpoint Manager. A cookie based code injection vulnerability in the Cloud Services Appliance before 4.6.0-512 allows an unauthenticated user to execute arbitrary code with limited...
Gather Dbeaver Passwords
This module will determine if Dbeaver is installed on the target system and, if it is, it will try to dump all saved session information from the target. The passwords for these saved sessions will then be decrypted where possible. Module Options msf use post/multi/gather/dbeaver msf postdbeaver...
Gather MinIO Client Key
This module searches for MinIO Client credentials on a Windows host. Module Options msf use post/multi/gather/minioclient msf postminioclient show actions ...actions... msf postminioclient set ACTION msf postminioclient show options ...show and set options... msf postminioclient run This module...
Linear eMerge E3-Series Access Controller Command Injection
This module exploits a command injection vulnerability in the Linear eMerge E3-Series Access Controller. The Linear eMerge E3 versions 1.00-06 and below are vulnerable to unauthenticated command injection in cardscandecoder.php via the No and door HTTP GET parameter. Successful exploitation resul...
OpenTSDB 2.4.0 unauthenticated command injection
This module exploits an unauthenticated command injection vulnerability in the yrange parameter in OpenTSDB through 2.4.0 CVE-2020-35476 in order to achieve unauthenticated remote code execution as the root user. The module first attempts to obtain the OpenTSDB version via the api. If the version...
SolarWinds Orion Secrets Dump
This module exports and decrypts credentials from SolarWinds Orion Network Performance Monitor NPM to a CSV file; it is intended as a post-exploitation module for Windows hosts with SolarWinds Orion NPM installed. The module supports decryption of AES-256, RSA, and XMLSEC secrets. Separate action...
Syncovery For Linux Web-GUI Authenticated Remote Command Execution
This module exploits an authenticated command injection vulnerability in the Web GUI of Syncovery File Sync & Backup Software for Linux. Successful exploitation results in remote code execution under the context of the root user. Syncovery allows an authenticated user to create jobs, which are...
Syncovery For Linux Web-GUI Session Token Brute-Forcer
This module attempts to brute-force a valid session token for the Syncovery File Sync & Backup Software Web-GUI by generating all possible tokens, for every second between 'DateTime.now' and the given X days. By default today and yesterday DAYS = 1 will be checked. If a valid session token is...
F5 Big-IP Gather Information from MCP Datastore
This module gathers various interesting pieces of data from F5's "mcp" datastore, which is accessed via /var/run/mcp using a proprietary protocol. Adapted from: https://github.com/rbowes-r7/refreshing-mcp-tool/blob/main/mcp-getloot.rb Module Options msf use post/linux/gather/f5lootmcp msf...
Acronis TrueImage XPC Privilege Escalation
Acronis TrueImage versions 2019 update 1 through 2021 update 1 are vulnerable to privilege escalation. The com.acronis.trueimagehelper helper tool does not perform any validation on connecting clients, which gives arbitrary clients the ability to execute functions provided by the helper tool with...
Wordpress BookingPress bookingpress_front_get_category_services SQLi
The BookingPress WordPress plugin before 1.0.11 fails to properly sanitize user supplied data in the totalservice parameter of the bookingpressfrontgetcategoryservices AJAX action available to unauthenticated users, prior to using it in a dynamically constructed SQL query. As a result,...
VMware vCenter vScalation Priv Esc
This module exploits a privilege escalation in vSphere/vCenter due to improper permissions on the /usr/lib/vmware-vmon/java-wrapper-vmon file. It is possible for anyone in the cis group to write to the file, which will execute as root on vmware-vmon service restart or host reboot. This module was...
Syncovery For Linux Web-GUI Login Utility
This module will attempt to authenticate to Syncovery File Sync & Backup Software For Linux Web-GUI. Module Options msf use auxiliary/scanner/http/syncoverylinuxlogin msf auxiliarysyncoverylinuxlogin show actions ...actions... msf auxiliarysyncoverylinuxlogin set ACTION msf...
Microsoft Exchange ProxyNotShell RCE
This module chains two vulnerabilities on Microsoft Exchange Server that, when combined, allow an authenticated attacker to interact with the Exchange Powershell backend CVE-2022-41040, where a deserialization flaw can be leveraged to obtain code execution CVE-2022-41082. This exploit only suppor...
Remote Control Collection RCE
This module utilizes the Remote Control Server's, part of the Remote Control Collection by Steppschuh, protocol to deploy a payload and run it from the server. This module will only deploy a payload if the server is set without a password default. Tested against 3.1.1.12, current at the time of...
F5 BIG-IP iControl Authenticated RCE via RPM Creator
This module exploits a newline injection into an RPM .rpmspec file that permits authenticated users to remotely execute commands. Successful exploitation results in remote code execution as the root user. Module Options msf use exploit/linux/http/f5icontrolrpmspecrcecve202241800 msf...
ChurchInfo 1.2.13-1.3.0 Authenticated RCE
This module exploits the logic in the CartView.php page when crafting a draft email with an attachment. By uploading an attachment for a draft email, the attachment will be placed in the /tmpattach/ folder of the ChurchInfo web server, which is accessible over the web by any user. By uploading a...
F5 BIG-IP iControl CSRF File Write SOAP API
This module exploits a cross-site request forgery CSRF vulnerability in F5 Big-IP's iControl interface to write an arbitrary file to the filesystem. While any file can be written to any location as root, the exploitability is limited by SELinux; the vast majority of writable locations are...
Gitea Git Fetch Remote Code Execution
This module exploits Git fetch command in Gitea repository migration process that leads to a remote command execution on the system. This vulnerability affect Gitea before 1.16.7 version. Module Options msf use exploit/multi/http/giteagitfetchrce msf exploitgiteagitfetchrce show targets...
VMware NSX Manager XStream unauthenticated RCE
VMware Cloud Foundation NSX-V contains a remote code execution vulnerability via XStream open source library. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. Due to an unauthenticated endpoint that leverages XStream for...
Reverse Lookup IP Addresses
This module reverse resolves an IP address or IP address range to hostnames. Module Options msf use post/multi/recon/reverselookup msf postreverselookup show actions ...actions... msf postreverselookup set ACTION msf postreverselookup show options ...show and set options... msf postreverselookup...
SSL/TLS Version Detection
Check if a server supports a given version of SSL/TLS and cipher suites. The certificate is stored in loot, and any known vulnerabilities against that SSL version and cipher suite combination are checked. These checks include POODLE, deprecated protocols, expired/not valid certs, low key strength...
Windows Gather Navicat Passwords
This module will find and decrypt stored Navicat passwords. Module Options msf use post/windows/gather/credentials/navicat msf postnavicat show actions ...actions... msf postnavicat set ACTION msf postnavicat show options ...show and set options... msf postnavicat run This module requires...
Misconfigured Certificate Template Finder
This module allows users to query a LDAP server for vulnerable certificate templates and will print these certificates out in a table along with which attack they are vulnerable to and the SIDs that can be used to enroll in that certificate template. Additionally the module will also print out a...
Linux Gather ManageEngine Password Manager Pro Password Extractor
This module gathers the encrypted passwords stored by Password Manager Pro and decrypt them using key materials stored in multiple configuration files. Module Options msf use post/linux/gather/manageenginepasswordmanagercreds msf postmanageenginepasswordmanagercreds show actions ...actions... msf...
VMware vCenter Secrets Dump
Grab secrets and keys from the vCenter server and add them to loot. This module is tested against the vCenter appliance only; it will not work on Windows vCenter instances. It is intended to be run after successfully acquiring root access on a vCenter appliance and is useful for penetrating furth...
Apache Couchdb Erlang RCE
In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges. Module Options msf use exploit/multi/http/apachecouchdberlangrce msf exploitapachecouchdberlangrce show targets ...targets... msf...
Webmin File Manager RCE
In Webmin version 1.984, any authenticated low privilege user without access rights to the File Manager module could interact with file manager functionalities such as downloading files from remote URLs and changing file permissions. It is possible to achieve Remote Code Execution via a crafted...
FLIR AX8 unauthenticated RCE
All FLIR AX8 thermal sensor cameras versions up to and including 1.46.16 are vulnerable to Remote Command Injection. This can be exploited to inject and execute arbitrary shell commands as the root user through the id HTTP POST parameter in the res.php endpoint. This module uses the vulnerability...
Role Base Constrained Delegation
This module can read and write the necessary LDAP attributes to configure a particular object for Role Based Constrained Delegation RBCD. When writing, the module will add an access control entry to allow the account specified in DELEGATEFROM to the object specified in DELEGATETO. In order for th...
Vagrant Synced Folder Vagrantfile Breakout
This module exploits a default Vagrant synced folder shared folder to append a Ruby payload to the Vagrant project Vagrantfile config file. By default, unless a Vagrant project explicitly disables shared folders, Vagrant mounts the project directory on the host as a writable 'vagrant' directory o...