1d5eae0f5b
Merge pull request #21034 from Chocapikk/add-module-opendcim-sqli-rce
...
Add openDCIM install.php SQLi to RCE module
2026-04-14 16:04:13 -04:00
5b6c2be9d1
Land #21003 , unifies Selenium Firefox and Chrome modules
...
Unified Selenium Grid/Selenoid RCE with Firefox + Chrome auto-detection
2026-04-14 16:32:06 +02:00
0976f88058
Land #20835 , adds module unauthenticated command injection Eclipse Che machine-exec (CVE-2025-12548)
...
Add Eclipse Che machine-exec unauthenticated RCE (CVE-2025-12548)
2026-03-25 14:39:01 +01:00
8ad5924bf1
Fix: Use parent of fix commit (78178d1~1) for vulnerable Encoder checkout
2026-03-13 22:59:51 +01:00
8d44dcd1fb
Fix: Lab setup documentation for first-time environments
...
- Fix DB permissions (bind mount creates files as www-data instead of mysql)
- Force table creation (cli.php skips it when configuration.php already exists)
- Revert entire Encoder working tree, not just getImage.php (78178d1 patched multiple files)
- Run git checkout from inside the container to avoid safe.directory issues
2026-03-13 22:55:23 +01:00
f34a0b5d31
Fix: Address PR review feedback for openDCIM module
...
Add ARTIFACTS_ON_DISK side effect and fetch payload note in docs.
2026-03-12 20:44:19 +01:00
5150a4b68b
Docs: Clarify that .compose/encoder is a clone of AVideo-Encoder repo
...
The commit c9861e9c exists in WWBN/AVideo-Encoder (not WWBN/AVideo).
Add a note explaining that .compose/encoder is a git clone created by
the container entrypoint, with a link to the correct repository.
2026-03-11 22:05:23 +01:00
38e74740f3
Fix: Use correct commit hash for vulnerable getImage.php in lab setup
...
The previous commit (e0c2768) did not touch getImage.php. Use c9861e9c
which is the last commit before the security patch (78178d1) that
modifies the file.
2026-03-11 21:23:27 +01:00
dfe73bb4c5
Add exploit for AVideo Encoder getImage.php command injection (CVE-2026-29058)
...
Unauthenticated OS command injection via the base64Url parameter in
getImage.php. The URL is interpolated into an ffmpeg shell command
without escapeshellarg(), and FILTER_VALIDATE_URL does not block
shell metacharacters in the URL path.
2026-03-06 21:30:12 +01:00
59a1992214
Land #21017 , adds module for SSTI in Tactical RMM (CVE-2025-69516)
...
Add Tactical RMM Jinja2 SSTI RCE module (CVE-2025-69516)
2026-03-05 15:38:32 +01:00
2d8c3d69ed
Feat: Add openDCIM install.php SQLi to RCE module
...
Exploits CVE-2026-28515, CVE-2026-28516, CVE-2026-28517 to chain
missing authorization, SQL injection, and command injection in
openDCIM's install.php for remote code execution.
2026-02-28 21:13:51 +01:00
fae76b2961
Land #20978 , adds module BeyondTrust unauth command injection (CVE-2026-1731)
...
Add CVE-2026-1731 support and modernize targets for BeyondTrust PRA/R…
2026-02-25 14:18:59 +01:00
7dcc036b6d
Land #21006 , adds module for Ollama path traversal RCE (CVE-2024-37032)
...
Add Ollama path traversal RCE module (CVE-2024-37032)
2026-02-25 13:06:09 +01:00
002daf8d7d
Merge branch 'beyondtrust-rce-2026' into collab/exploit/beyondtrust/cve-2026-1731
2026-02-25 12:53:37 +01:00
12e21e4c66
Fixes documentation
2026-02-24 12:23:26 -05:00
5aeff61b26
Fix: Address PR review feedback for Ollama RCE module
...
Co-Authored-By: msutovsky-r7 <190406428+msutovsky-r7@users.noreply.github.com >
2026-02-24 17:51:23 +01:00
51af9d0ff1
Adds documentation
2026-02-24 10:25:49 -05:00
bef9b7ad3b
Feat: Add Tactical RMM Jinja2 SSTI RCE module (CVE-2025-69516)
2026-02-23 19:31:22 +01:00
b17d227d28
Feat: Add Ollama path traversal RCE module (CVE-2024-37032)
2026-02-21 16:52:43 +01:00
638b47ebf3
Feat: Unified Selenium Grid/Selenoid RCE with Firefox + Chrome auto-detection
...
Replace separate Chrome and Firefox modules with a single module that
auto-detects available browsers and picks the best attack vector.
Firefox profile handler preferred (unpatched on all Grid versions).
Remove incorrect CSRF framing, sudo wrapper, add FileDropper and
Selenoid support.
2026-02-21 14:41:42 +01:00
3dd3661352
Feat: Add Selenoid support to Selenium Grid Chrome RCE module
2026-02-21 12:34:09 +01:00
9e72f45349
Feat: Add Selenium Grid Chrome binary override RCE module
2026-02-21 12:07:08 +01:00
36b29fb458
Add vulnerable environment setup guide to module documentation
...
Step-by-step minikube-based setup for deploying a vulnerable
che-machine-exec instance for module verification.
2026-02-19 11:27:27 +00:00
08efa9cd16
add in the Grandstream modules
2026-02-17 22:33:46 +00:00
f632cf34bf
add in a module and docs fo rteh EPMM exploit
2026-02-05 12:26:38 +00:00
c47a74d0dd
Merge pull request #20770 from vognik/Splunk_2022-43571_CVE-2024-36985
...
Add Splunk RCE Exploits (CVE-2022-43571 & CVE-2024-36985)
2026-01-20 12:36:51 -08:00
7b092aeedb
Land #20806 , adds module for unauthenticated command injection in Control Web Panel API (CVE-2025-67888)
...
Adds module for Control Web Panel API Command Injection (CVE-2025-67888)
2026-01-14 15:44:25 +01:00
be9b2c9491
Add documentation for prison_management_rce
2026-01-06 12:33:49 +02:00
c225256956
Add meterpreter scenario and redact IPs in documentation
2025-12-31 15:37:46 +00:00
475846ea2a
Add Eclipse Che machine-exec unauthenticated RCE (CVE-2025-12548)
...
This module exploits an unauthenticated RCE vulnerability in the
Eclipse Che machine-exec service. The service accepts WebSocket
connections without authentication on port 3333, allowing command
execution via JSON-RPC.
Affects Red Hat OpenShift DevSpaces environments.
2025-12-30 21:14:55 +00:00
455275d087
add module for CVE-2025-67888
2025-12-23 19:21:34 -05:00
d40a35acdb
the version logic changes, update the docs
2025-12-19 15:48:07 +00:00
a4dba96712
add in the HPE OneView exploit
2025-12-19 15:30:53 +00:00
8977538910
add docker lab deploy guide into docs
2025-12-13 12:28:55 -08:00
da0dc35cb8
add documentation
2025-12-12 13:44:44 -08:00
795c38c524
Combine the 7.x and 6.x targets together, as Linux payloads work on 7.x also, so this target is Unix and Linux. This leaves the 8.x target Unix only due to IMA appraisal.
2025-11-28 10:12:02 +00:00
014312873c
get both unix and linux payloads working on 6.x. Add a note to the docs about setting a gateway.
2025-11-27 20:28:44 +00:00
f5e8aa83be
add in exploit support for FortiWeb versions 6.x which are vulnerable, but no longer under support from the vendor.
2025-11-27 12:43:19 +00:00
fa03ac8b66
on 7.4.8 the command nohup is not available. we must execute our payload in a new session, so we use a python stub to essentially call setsid. This has been tested to work on both 8.0.1 and 7.4.8. Teh payload cmd/unix/reverse_python isnot working as it previously was, so I am removing from the list of confirmed paylaods. The other two, cmd/unix/reverse_bash and cmd/unix/reverse_openssl work fine on both versions
2025-11-25 11:25:41 +00:00
aff76622fa
add in the unauth RCE exploit module for CVE-2025-64446 + CVE-2025-58034
2025-11-21 12:22:25 +00:00
b646e0e044
docs editing for consistency
2025-11-07 15:42:27 -05:00
fb02ec4554
remove 4 space indents in options
2025-11-07 15:42:27 -05:00
caa2873a14
more adjustments
2025-11-07 15:42:27 -05:00
d8c73f6684
replace bold options with h3
2025-11-07 15:42:23 -05:00
110cb837aa
Merge pull request #20672 from h00die-gr3y/centreon_auth_rce
...
Centreon authenticated command injection leading to RCE via broker engine "reload" parameter [CVE-2025-5946]
2025-11-05 16:29:29 +01:00
408eceb2d9
small update documentation
2025-11-03 10:27:44 +00:00
85b4233345
updated module based on review comments and added documentation
2025-11-03 10:21:31 +00:00
91c0adb17f
Merge pull request #20585 from vognik/CVE_2025_60787
...
Add MotionEye Authenticated RCE (CVE-2025-60787)
2025-10-09 13:50:25 -05:00
267a26b763
code review changes from smcintyre-r7@
2025-10-09 21:51:31 +04:00
1314f5d0bb
Merge pull request #20455 from Chocapikk/aitemi_m300_time_rce
...
Add unauthenticated RCE on Shenzhen Aitemi M300 MT02 (CVE-2025-34152)
2025-09-10 10:12:41 +02:00
Diego Ledda