inkognitobo
c15d513766
Add configurable JAVA_GADGET_CHAIN option to Shiro module
...
The gadget chain was previously hardcoded to CommonsCollections2.
Add a JAVA_GADGET_CHAIN OptEnum so operators can select the chain
that matches the target's classpath without modifying the module.
Default remains CommonsCollections2 to preserve existing behaviour.
2026-05-05 17:55:20 +02:00
Spencer McIntyre
22a9dc4522
Add docs
2026-04-30 14:54:09 -04:00
Takah1ro
f54374eaff
Update exploit to improve stability
2026-04-18 12:56:53 +09:00
Takahiro Yokoyama
b917de89c3
Merge branch 'rapid7:master' into langflow_rce_cve_2026_27966
2026-04-16 20:58:02 +09:00
Brendan
c17c301e36
Merge pull request #21095 from LucasCsmt/multi/http/churchcrm_db_restore_rce
...
Adds exploit module for ChurchCRM authenticated RCE (CVE-2025-68109)
2026-04-15 14:22:56 -05:00
adfoster-r7
0ba59a1254
Update documentation/modules/exploit/multi/http/churchcrm_db_restore_rce.md
...
Co-authored-by: Brendan <bwatters@rapid7.com>
2026-04-15 16:07:43 +01:00
Diego Ledda
1d5eae0f5b
Merge pull request #21034 from Chocapikk/add-module-opendcim-sqli-rce
...
Add openDCIM install.php SQLi to RCE module
2026-04-14 16:04:13 -04:00
Diego Ledda
addcd69205
Merge pull request #20933 from madefourit/persis_pwrshell_profile
...
Windows Persistence: Powershell Profile
2026-04-14 15:43:06 -04:00
Diego Ledda
31a2de9562
Merge pull request #20839 from h00die/bits
...
New persistence module: Microsoft Bits
2026-04-14 15:42:55 -04:00
msutovsky-r7
5b6c2be9d1
Land #21003, unifies Selenium Firefox and Chrome modules
...
Unified Selenium Grid/Selenoid RCE with Firefox + Chrome auto-detection
2026-04-14 16:32:06 +02:00
madefourit
05914feb4d
module docs and description_formatted
2026-04-14 09:45:45 -04:00
madefourit
0ba93b6ae3
module docs and description
2026-04-14 09:45:45 -04:00
h00die
14cd7fad47
module docs
2026-04-14 09:45:44 -04:00
h00die
9e506cc5a0
update pshell module
2026-04-14 09:45:43 -04:00
h00die
a4d84fa734
Merge branch 'rapid7:master' into bits
2026-04-13 05:14:48 -04:00
Takah1ro
a6d7502c8d
Add langflow_rce_cve_2026_27966 module
2026-04-09 22:12:10 +09:00
h00die
475f203760
windows telemetry persistence
2026-04-09 15:02:42 +02:00
Diego Ledda
08e29e833d
Merge pull request #20814 from h00die/s4u
...
s4u persistence updates
2026-04-07 05:22:01 -04:00
Nayeraneru
609866dc94
add doc
2026-03-31 23:46:09 +02:00
Christophe De La Fuente
09a59af789
Merge pull request #21069 from Chocapikk/add-module-freescout-htaccess-rce
2026-03-31 18:09:30 +02:00
msutovsky-r7
6d4b268f9f
Land #21029, adds module for Grav CMS (CVE-2025-50286)
...
Adds exploit module for Grav CMS (CVE-2025-50286)
2026-03-31 14:47:44 +02:00
adfoster-r7
20bb912515
Merge pull request #21023 from g0tmi1k/os_cmd_exec
...
Add: exploits/multi/http/os_cmd_exec
2026-03-27 16:38:03 +00:00
x1o3
d12e3945fe
plugin version parsing and check logic improvement, msftidy & rubocop compliant
2026-03-27 11:47:30 +05:30
x1o3
de81c5f0dc
plugin version parsing and check logic improvement, msftidy & rubocop compliant
2026-03-27 11:45:20 +05:30
msutovsky-r7
0976f88058
Land #20835, adds module unauthenticated command injection Eclipse Che machine-exec (CVE-2025-12548)
...
Add Eclipse Che machine-exec unauthenticated RCE (CVE-2025-12548)
2026-03-25 14:39:01 +01:00
g0t mi1k
51f36982c7
Add: exploits/multi/http/os_cmd_exec
...
A lot of this was based on: exploits/unix/webapp/php_eval
2026-03-24 20:01:30 +00:00
jheysel-r7
81faae13ca
Merge pull request #21033 from Alpenlol/barracuda-esg-cve-2023-2868
...
Add exploit for CVE-2023-2868 Barracuda ESG command injection
2026-03-23 13:18:34 -07:00
Brendan
5b5d1dbfaa
Merge pull request #21076 from Chocapikk/avideo-encoder-getimage-cmd-injection
...
Add AVideo Encoder getImage.php command injection (CVE-2026-29058)
2026-03-18 18:46:32 -05:00
Valentin Lobstein
3414611a3d
Refactor: Use inherited SSL option from HttpClient instead of HTTPSSL
2026-03-14 00:07:28 +01:00
Valentin Lobstein
c5c6c34232
Refactor: Remove HTTPSSL option, auto-detect SSL from port 443
2026-03-14 00:04:49 +01:00
Valentin Lobstein
db3654eebf
Fix: Address Copilot review feedback and fix cmd/dropper targets
...
- Fix http_send: use standalone Rex::Proto::Http::Client to avoid
SMTPDeliver/HttpClient connect() method conflict
- Fix cmd/dropper PHP stub: remove double $$ variable (vars[:cmd_varname]
already includes $ prefix)
- Fix cmd/dropper unlink: use cleanup POST param instead of inline
@unlink to preserve shell across multiple stager requests
- Fix wait_for_cron: use .to_i % fetch for correct modulo calculation
- Fix dir_exists?: use res&.redirect? instead of res&.code == 301
- Fix docs: RHOSTS -> RHOST (SMTPDeliver registers singular RHOST)
- Remove manual Date header (SMTPDeliver handles it)
- Update scan_paths comment to reflect MD5 digit extraction
- Replace php_exec_cmd with manual preamble + system_block stub
2026-03-13 23:38:30 +01:00
Valentin Lobstein
8ad5924bf1
Fix: Use parent of fix commit (78178d1~1) for vulnerable Encoder checkout
2026-03-13 22:59:51 +01:00
Valentin Lobstein
8d44dcd1fb
Fix: Lab setup documentation for first-time environments
...
- Fix DB permissions (bind mount creates files as www-data instead of mysql)
- Force table creation (cli.php skips it when configuration.php already exists)
- Revert entire Encoder working tree, not just getImage.php (78178d1 patched multiple files)
- Run git checkout from inside the container to avoid safe.directory issues
2026-03-13 22:55:23 +01:00
Curt Hyvarinen
63561130af
Address PR review feedback for CVE-2023-2868 module
2026-03-12 12:59:30 -07:00
Valentin Lobstein
f34a0b5d31
Fix: Address PR review feedback for openDCIM module
...
Add ARTIFACTS_ON_DISK side effect and fetch payload note in docs.
2026-03-12 20:44:19 +01:00
Valentin Lobstein
5150a4b68b
Docs: Clarify that .compose/encoder is a clone of AVideo-Encoder repo
...
The commit c9861e9c exists in WWBN/AVideo-Encoder (not WWBN/AVideo).
Add a note explaining that .compose/encoder is a git clone created by
the container entrypoint, with a link to the correct repository.
2026-03-11 22:05:23 +01:00
Valentin Lobstein
38e74740f3
Fix: Use correct commit hash for vulnerable getImage.php in lab setup
...
The previous commit (e0c2768) did not touch getImage.php. Use c9861e9c
which is the last commit before the security patch (78178d1) that
modifies the file.
2026-03-11 21:23:27 +01:00
Valentin Lobstein
6467b7261d
Fix: Auto-provision admin user and fix filestore version downgrade in lab
2026-03-11 19:45:14 +01:00
Valentin Lobstein
c266e687c2
Add authenticated RCE module for FreePBX filestore (CVE-2025-64328)
2026-03-11 19:43:28 +01:00
LucasCsmt
3f25048d9b
Merge branch 'master' into multi/http/churchcrm_db_restore_rce
2026-03-11 09:41:33 +01:00
x1o3
de72dcb88a
fixes review feedback
2026-03-11 12:56:14 +05:30
msutovsky-r7
c6aabc1c75
Land #21001, adds module for SPIP Saisies plugin (CVE-2025-71243)
...
Add SPIP Saisies plugin RCE module (CVE-2025-71243)
2026-03-09 10:34:52 +01:00
Valentin Lobstein
dfe73bb4c5
Add exploit for AVideo Encoder getImage.php command injection (CVE-2026-29058)
...
Unauthenticated OS command injection via the base64Url parameter in
getImage.php. The URL is interpolated into an ffmpeg shell command
without escapeshellarg(), and FILTER_VALIDATE_URL does not block
shell metacharacters in the URL path.
2026-03-06 21:30:12 +01:00
LucasCsmt
4ca2b22dff
Adding documentation to the module
2026-03-06 10:18:58 +01:00
Valentin Lobstein
9b7faea3c2
Feat: Add FreeScout ZWSP .htaccess RCE module (CVE-2026-28289)
2026-03-05 18:06:32 +01:00
msutovsky-r7
59a1992214
Land #21017, adds module for SSTI in Tactical RMM (CVE-2025-69516)
...
Add Tactical RMM Jinja2 SSTI RCE module (CVE-2025-69516)
2026-03-05 15:38:32 +01:00
Valentin Lobstein
3d38e9b27b
Fix: Fallback check to Detected when plugin version unavailable
...
- Use spip_version as fallback when spip_plugin_version fails
- Return Detected instead of Unknown so AutoCheck does not abort
- Fix lab healthcheck to wait for saisies form before reporting healthy
2026-03-05 14:13:05 +01:00
x1o3
f87a5d9598
fixes review feedback
2026-03-02 17:38:14 +05:30
Diego Ledda
6f84c83135
Merge pull request #21000 from Chocapikk/add-modules-majordomo-rce
...
Add three MajorDoMo unauthenticated RCE modules
2026-03-02 05:20:22 -05:00
Valentin Lobstein
2d8c3d69ed
Feat: Add openDCIM install.php SQLi to RCE module
...
Exploits CVE-2026-28515, CVE-2026-28516, CVE-2026-28517 to chain
missing authorization, SQL injection, and command injection in
openDCIM's install.php for remote code execution.
2026-02-28 21:13:51 +01:00