GLPI htmLawed php command injection
This exploit takes advantage of an unauthenticated PHP command injection available from GLPI versions 10.0.2 and below to execute a command. Module Options msf use exploit/linux/http/glpihtmlawedphpinjection msf exploitglpihtmlawedphpinjection show targets ...targets... msf...
TAR Path Traversal in Zimbra (CVE-2022-41352)
This module creates a .tar file that can be emailed to a Zimbra server to exploit CVE-2022-41352. If successful, it plants a JSP-based backdoor in the public web directory, then executes that backdoor. The core vulnerability is a path-traversal issue in the cpio command-line utility that can...
Unauthenticated information disclosure such as configuration, credentials and camera snapshots of a vulnerable Hikvision IP Camera
Many Hikvision IP cameras have improper authorization logic that allows unauthenticated information disclosure of camera information, such as detailed hardware and software configuration, user credentials, and camera snapshots. The vulnerability has been present in Hikvision products since 2014. ...
Zimbra sudo + postfix privilege escalation
This module exploits a vulnerable sudo configuration that permits the zimbra user to execute postfix as root. In turn, postfix can execute arbitrary shell scripts, which means it can execute a root shell. Module Options msf use exploit/linux/local/zimbrapostfixprivesc msf exploitzimbrapostfixprive...
Fortinet FortiOS, FortiProxy, and FortiSwitchManager authentication bypass.
This module exploits an authentication bypass vulnerability in the Fortinet FortiOS, FortiProxy, and FortiSwitchManager API to gain access to a chosen account. It then adds an SSH key to the authorized_keys file of the chosen account, allowing login to the system with the chosen account...
pfSense plugin pfBlockerNG unauthenticated RCE as root
pfBlockerNG is a popular pfSense plugin that is not installed by default. It's generally used to block inbound connections from whole countries or IP ranges. Versions 2.1.426 and below are affected by an unauthenticated RCE vulnerability that results in root access. Note that version 3.x is...
Spring Cloud Gateway Remote Code Execution
This module exploits an unauthenticated remote code execution vulnerability in Spring Cloud Gateway versions 3.1.0 and 3.0.0 to 3.0.6. The vulnerability can be exploited when the Gateway Actuator endpoint is enabled, exposed and unsecured. An unauthenticated attacker can use SpEL expressions to...
Windows Gather MobaXterm Passwords
This module will determine if MobaXterm is installed on the target system and, if it is, it will try to dump all saved session information from the target. The passwords for these saved sessions will then be decrypted where possible, using the decryption information that HyperSine reverse...
RedisDesktopManager Credential Gatherer
This module searches for RedisDesktopManager credentials on a Windows host. Module Options msf use post/windows/gather/credentials/redisdesktopmanager msf postredisdesktopmanager show actions ...actions... msf postredisdesktopmanager set ACTION msf postredisdesktopmanager show options ...show and...
Remote Mouse RCE
This module utilizes the Remote Mouse Server by Emote Interactive protocol to deploy a payload and run it from the server on versions use exploit/windows/misc/remotemouserce msf exploitremotemouserce show targets ...targets... msf exploitremotemouserce set TARGET msf exploitremotemouserce show...
Wordpress Plugin Elementor Authenticated Upload Remote Code Execution
The WordPress plugin Elementor versions 3.6.0 through 3.6.2, inclusive, have a vulnerability that allows any authenticated user to upload and execute any PHP file. This is achieved by sending a request to install Elementor Pro from a user-supplied zip file. Any user with Subscriber or more permissions i...
Ubuntu Enlightenment Mount Priv Esc
This module exploits a command injection within Enlightenment's enlightenment_sys binary. This is done by calling the mount command and feeding it paths which meet all of the system requirements, but execute a specific path as well due to a semicolon being used. This module was tested on Ubuntu...
Delinea Thycotic Secret Server Dump
This module exports and decrypts Secret Server credentials to a CSV file; it is intended as a post-exploitation module for Windows hosts with Delinea/Thycotic Secret Server installed. Master Encryption Key (MEK) and associated IV values are decrypted from encryption.config using a static key baked...
qdPM 9.1 Authenticated Arbitrary PHP File Upload (RCE)
A remote code execution (RCE) vulnerability exists in qdPM 9.1 and earlier. An attacker can upload a malicious PHP code file via the profile photo functionality, by leveraging a path traversal vulnerability in the users'photoppreview' delete photo feature, allowing bypass of .htaccess protection...
Mobile Mouse RCE
This module utilizes the Mobile Mouse Server by RPA Technologies, Inc protocol to deploy a payload and run it from the server. This module will only deploy a payload if the server is set without a password (default). Tested against 3.6.0.4, current at the time of module writing. Module Options msf u...
Netfilter nft_set_elem_init Heap Overflow Privilege Escalation
An issue was discovered in the Linux kernel through 5.18.9. A type confusion bug in nft_set_elem_init leading to a buffer overflow could be used by a local attacker to escalate privileges. The attacker can obtain root access, but must start with an unprivileged user namespace to obtain CAP_NET_ADMIN...
Wifi Mouse RCE
The WiFi Mouse (Mouse Server) from Necta LLC contains an auth bypass, as the authentication is implemented entirely on the client side. By utilizing this vulnerability, it is possible to open a program on the server (cmd.exe in our case) and type commands that will be executed as the user...
Hikvision IP Camera Unauthenticated Password Change Via Improper Authentication Logic
Many Hikvision IP cameras contain improper authentication logic which allows unauthenticated impersonation of any configured user account. The vulnerability has been present in Hikvision products since 2014. In addition to Hikvision-branded devices, it affects many white-labeled camera products...
Veritas Backup Exec Agent Remote Code Execution
Veritas Backup Exec Agent supports multiple authentication schemes and SHA authentication is one of them. This authentication scheme is no longer used within Backup Exec versions, but hadn't yet been disabled. An attacker could remotely exploit the SHA authentication scheme to gain unauthorized...
VICIdial Multiple Authenticated SQLi
This module exploits several authenticated SQL injection vulnerabilities in VICIdial 2.14b0.5 prior to svn/trunk revision 3555 (VICIBox 10.0.0, prior to January 20 is vulnerable). Injection point 1 is on vicidial/admin.php when adding a user, in the modifyemailaccounts parameter. Injection point 2 is ...
Unified Remote Auth Bypass to RCE
This module utilizes the Unified Remote remote control protocol to type out and deploy a payload. The remote control protocol can be configured to have no passwords, a group password, or individual user accounts. If the web page is accessible, the access control is set to no password for...
Bitbucket Git Command Injection
Various versions of Bitbucket Server and Data Center are vulnerable to an unauthenticated command injection vulnerability in multiple API endpoints. The /rest/api/latest/projects/projectKey/repos/repositorySlug/archive endpoint creates an archive of the repository, leveraging the git-archive...
MimiPenguin
This searches process memory for needles that indicate where cleartext passwords may be located. If any needles are discovered in the target process memory, collected strings in adjacent memory will be hashed and compared with password hashes found in /etc/shadow. Module Options msf use...
Palo Alto Networks Authenticated Remote Code Execution
An OS Command Injection vulnerability in the PAN-OS management interface that allows authenticated administrators to execute arbitrary OS commands with root privileges. This issue impacts PAN-OS versions use exploit/linux/http/panosopcmdexec msf exploitpanosopcmdexec show targets ...targets... ms...
SuiteCRM authenticated SQL injection in export functionality
This module exploits an authenticated SQL injection in SuiteCRM in versions before 7.12.6. The vulnerability allows an authenticated attacker to send specially crafted requests to the export entry point of the application in order to retrieve all the usernames and their associated password from t...
Windows shellcode stage, Reverse TCP Stager with UUID Support (Windows x64)
Custom shellcode stage. Connect back to the attacker with UUID Support Windows x64 Module Options msf use payload/windows/x64/custom/reversetcpuuid msf payloadreversetcpuuid show actions ...actions... msf payloadreversetcpuuid set ACTION msf payloadreversetcpuuid show options ...show and set...
Windows shellcode stage, Windows x64 Reverse TCP Stager
Custom shellcode stage. Connect back to the attacker Windows x64 Module Options msf use payload/windows/x64/custom/reversetcp msf payloadreversetcp show actions ...actions... msf payloadreversetcp set ACTION msf payloadreversetcp show options ...show and set options... msf payloadreversetcp run...
Windows shellcode stage, Windows x64 Reverse Named Pipe (SMB) Stager
Custom shellcode stage. Connect back to the attacker via a named pipe pivot Module Options msf use payload/windows/x64/custom/reversenamedpipe msf payloadreversenamedpipe show actions ...actions... msf payloadreversenamedpipe set ACTION msf payloadreversenamedpipe show options ...show and set...
Windows shellcode stage, Windows x64 Reverse HTTP Stager (wininet)
Custom shellcode stage. Tunnel communication over HTTP Windows x64 wininet Module Options msf use payload/windows/x64/custom/reversehttps msf payloadreversehttps show actions ...actions... msf payloadreversehttps set ACTION msf payloadreversehttps show options ...show and set options... msf...
Windows shellcode stage, Windows x64 Bind TCP Stager
Custom shellcode stage. Listen for a connection Windows x64 Module Options msf use payload/windows/x64/custom/bindtcp msf payloadbindtcp show actions ...actions... msf payloadbindtcp set ACTION msf payloadbindtcp show options ...show and set options... msf payloadbindtcp run This module requires...
Windows shellcode stage, Windows x64 Reverse HTTP Stager (winhttp)
Custom shellcode stage. Tunnel communication over HTTP Windows x64 winhttp Module Options msf use payload/windows/x64/custom/reversewinhttp msf payloadreversewinhttp show actions ...actions... msf payloadreversewinhttp set ACTION msf payloadreversewinhttp show options ...show and set options... m...
Windows shellcode stage, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
Custom shellcode stage. Connect back to the attacker Module Options msf use payload/windows/x64/custom/reversetcprc4 msf payloadreversetcprc4 show actions ...actions... msf payloadreversetcprc4 set ACTION msf payloadreversetcprc4 show options ...show and set options... msf payloadreversetcprc4 ru...
Windows shellcode stage, Windows x64 Reverse HTTPS Stager (winhttp)
Custom shellcode stage. Tunnel communication over HTTPS Windows x64 winhttp Module Options msf use payload/windows/x64/custom/reversewinhttps msf payloadreversewinhttps show actions ...actions... msf payloadreversewinhttps set ACTION msf payloadreversewinhttps show options ...show and set...
Windows shellcode stage, Windows x64 Reverse HTTP Stager (wininet)
Custom shellcode stage. Tunnel communication over HTTP Windows x64 wininet Module Options msf use payload/windows/x64/custom/reversehttp msf payloadreversehttp show actions ...actions... msf payloadreversehttp set ACTION msf payloadreversehttp show options ...show and set options... msf...
Windows shellcode stage, Bind TCP Stager with UUID Support (Windows x64)
Custom shellcode stage. Listen for a connection with UUID Support Windows x64 Module Options msf use payload/windows/x64/custom/bindtcpuuid msf payloadbindtcpuuid show actions ...actions... msf payloadbindtcpuuid set ACTION msf payloadbindtcpuuid show options ...show and set options... msf...
Windows shellcode stage, Bind TCP Stager (RC4 Stage Encryption, Metasm)
Custom shellcode stage. Connect back to the attacker Module Options msf use payload/windows/x64/custom/bindtcprc4 msf payloadbindtcprc4 show actions ...actions... msf payloadbindtcprc4 set ACTION msf payloadbindtcprc4 show options ...show and set options... msf payloadbindtcprc4 run -- coding:...
Windows shellcode stage, Windows x64 Bind Named Pipe Stager
Custom shellcode stage. Listen for a pipe connection Windows x64 Module Options msf use payload/windows/x64/custom/bindnamedpipe msf payloadbindnamedpipe show actions ...actions... msf payloadbindnamedpipe set ACTION msf payloadbindnamedpipe show options ...show and set options... msf...
Windows shellcode stage, Reverse TCP Stager (No NX or Win7)
Custom shellcode stage. Connect back to the attacker No NX Module Options msf use payload/windows/custom/reversenonxtcp msf payloadreversenonxtcp show actions ...actions... msf payloadreversenonxtcp set ACTION msf payloadreversenonxtcp show options ...show and set options... msf...
Windows shellcode stage, Windows Reverse HTTPS Stager (wininet)
Custom shellcode stage. Tunnel communication over HTTPS Windows wininet Module Options msf use payload/windows/custom/reversehttps msf payloadreversehttps show actions ...actions... msf payloadreversehttps set ACTION msf payloadreversehttps show options ...show and set options... msf...
Windows shellcode stage, Windows Reverse HTTPS Stager (winhttp)
Custom shellcode stage. Tunnel communication over HTTPS Windows winhttp Module Options msf use payload/windows/custom/reversewinhttps msf payloadreversewinhttps show actions ...actions... msf payloadreversewinhttps set ACTION msf payloadreversewinhttps show options ...show and set options... msf...
Windows shellcode stage, Bind TCP Stager (Windows x86)
Custom shellcode stage. Listen for a connection Windows x86 Module Options msf use payload/windows/custom/bindtcp msf payloadbindtcp show actions ...actions... msf payloadbindtcp set ACTION msf payloadbindtcp show options ...show and set options... msf payloadbindtcp run This module requires...
Windows shellcode stage, Hidden Bind Ipknock TCP Stager
Custom shellcode stage. Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method you can spoof it with tools like hping. After that you could get your shellcode from any IP. The socket will appear as "closed," thu...
Windows shellcode stage, Windows x86 Bind Named Pipe Stager
Custom shellcode stage. Listen for a pipe connection Windows x86 Module Options msf use payload/windows/custom/bindnamedpipe msf payloadbindnamedpipe show actions ...actions... msf payloadbindnamedpipe set ACTION msf payloadbindnamedpipe show options ...show and set options... msf...
Windows shellcode stage, Bind IPv6 TCP Stager (Windows x86)
Custom shellcode stage. Listen for an IPv6 connection Windows x86 Module Options msf use payload/windows/custom/bindipv6tcp msf payloadbindipv6tcp show actions ...actions... msf payloadbindipv6tcp set ACTION msf payloadbindipv6tcp show options ...show and set options... msf payloadbindipv6tcp run...
Windows shellcode stage, Reverse UDP Stager with UUID Support
Custom shellcode stage. Connect back to the attacker with UUID Support Module Options msf use payload/windows/custom/reverseudp msf payloadreverseudp show actions ...actions... msf payloadreverseudp set ACTION msf payloadreverseudp show options ...show and set options... msf payloadreverseudp run...
Windows shellcode stage, Windows Reverse HTTP Stager (winhttp)
Custom shellcode stage. Tunnel communication over HTTP Windows winhttp Module Options msf use payload/windows/custom/reversewinhttp msf payloadreversewinhttp show actions ...actions... msf payloadreversewinhttp set ACTION msf payloadreversewinhttp show options ...show and set options... msf...
Windows shellcode stage, Reverse TCP Stager (DNS)
Custom shellcode stage. Connect back to the attacker Module Options msf use payload/windows/custom/reversetcpdns msf payloadreversetcpdns show actions ...actions... msf payloadreversetcpdns set ACTION msf payloadreversetcpdns show options ...show and set options... msf payloadreversetcpdns run Th...
Windows shellcode stage, Bind TCP Stager with UUID Support (Windows x86)
Custom shellcode stage. Listen for a connection with UUID Support Windows x86 Module Options msf use payload/windows/custom/bindtcpuuid msf payloadbindtcpuuid show actions ...actions... msf payloadbindtcpuuid set ACTION msf payloadbindtcpuuid show options ...show and set options... msf...
Windows shellcode stage, Reverse TCP Stager (IPv6)
Custom shellcode stage. Connect back to the attacker over IPv6 Module Options msf use payload/windows/custom/reverseipv6tcp msf payloadreverseipv6tcp show actions ...actions... msf payloadreverseipv6tcp set ACTION msf payloadreverseipv6tcp show options ...show and set options... msf...
Windows shellcode stage, Windows Reverse HTTP Stager (wininet)
Custom shellcode stage. Tunnel communication over HTTP Windows wininet Module Options msf use payload/windows/custom/reversehttp msf payloadreversehttp show actions ...actions... msf payloadreversehttp set ACTION msf payloadreversehttp show options ...show and set options... msf payloadreversehtt...