adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
80,584 Commits 27 Branches 1,043 Tags
55152da83acd030976ba8d90ff40e0ca9e3cfac0
Commit Graph

3625 Commits

Author SHA1 Message Date
adfoster-r7 438b8e0875 Merge pull request #21102 from zeroSteiner/fix/re-add-20989 
Reapply "This adjusts module options that need a routable address"
 2026-03-30 14:50:05 +01:00
adfoster-r7 20bb912515 Merge pull request #21023 from g0tmi1k/os_cmd_exec 
Add: exploits/multi/http/os_cmd_exec
 2026-03-27 16:38:03 +00:00
Spencer McIntyre 700d063645 Implement copilot feedback 2026-03-26 14:43:33 -04:00
Spencer McIntyre b743296f48 Reapply "This adjusts module options that need a routable address" 
This reverts commit 628275ef59.
 2026-03-26 14:43:31 -04:00
g0t mi1k 17161c42e2 Make Rubocop happy 2026-03-25 13:39:20 +00:00
g0t mi1k 89af3ad558 Sync datastore_headers 
Note: This code was suggested by a LLM (Copilot) in the MR
 2026-03-25 13:32:46 +00:00
g0t mi1k 51f36982c7 Add: exploits/multi/http/os_cmd_exec 
A lot of this was based on: exploits/unix/webapp/php_eval
 2026-03-24 20:01:30 +00:00
Spencer McIntyre ccf56437da Merge pull request #20960 from g0tmi1k/dhcp_server 
dhcp_server: Add DHCPINTERFACE
 2026-03-12 15:48:36 -04:00
g0t mi1k 3852276028 OptString -> OptAddressLocal 2026-03-12 16:41:25 +00:00
g0t mi1k b2f1e46c82 OptString -> OptAddress 2026-03-12 16:41:25 +00:00
msutovsky-r7 c6aabc1c75 Land #21001, adds module for SPIP Saisies plugin (CVE-2025-71243) 
Add SPIP Saisies plugin RCE module (CVE-2025-71243)
 2026-03-09 10:34:52 +01:00
adfoster-r7 628275ef59 Revert "This adjusts module options that need a routable address" 2026-03-08 17:37:49 +00:00
Valentin Lobstein 3d38e9b27b Fix: Fallback check to Detected when plugin version unavailable 
- Use spip_version as fallback when spip_plugin_version fails
- Return Detected instead of Unknown so AutoCheck does not abort
- Fix lab healthcheck to wait for saisies form before reporting healthy
 2026-03-05 14:13:05 +01:00
Valentin Lobstein 4534a8a07e Fix: Address msutovsky-r7 PR review feedback 
- Add IOC_IN_LOGS to SideEffects (POST payload may appear in app logs)
- Pass page parameter via vars_get instead of embedding in URI string
- Apply vars_get consistently in crawl seed request
 2026-03-05 14:07:22 +01:00
Spencer McIntyre ea915acba3 Appease rubocop 2026-03-03 09:37:27 -05:00
Spencer McIntyre 1b39311784 Remove redundant definitions of SRVHOST 2026-03-03 09:37:27 -05:00
Spencer McIntyre 821e3c28f1 Replace old patterns with srvhost_addr 2026-03-03 09:37:27 -05:00
Spencer McIntyre 6e38f8568c Update tftphost usage in cmd stagers 2026-03-03 09:37:27 -05:00
Spencer McIntyre b7fc0c6613 Replace usage of #lookup_lhost 2026-03-03 09:37:27 -05:00
adfoster-r7 9df6879a95 Update modules to use srvhost method 2026-03-03 09:37:25 -05:00
Spencer McIntyre 758ac7f2f6 Apply rubocop changes 2026-03-03 09:34:49 -05:00
Spencer McIntyre fc49421939 Replace checks for nonroutable addresses 
This consolidates modules that check for a nonroutable SRVHOST value and
replaces it with OptAddressRoutable, defaulting to a reasonable address.
 2026-03-03 09:34:49 -05:00
Spencer McIntyre 92e77de800 Update to use OptAddressRourtable for SRVHOST 2026-03-03 09:34:48 -05:00
Diego Ledda 6f84c83135 Merge pull request #21000 from Chocapikk/add-modules-majordomo-rce 
Add three MajorDoMo unauthenticated RCE modules
 2026-03-02 05:20:22 -05:00
Valentin Lobstein 615ca34e29 Fix: Remove explicit timeouts from send_request_cgi calls 2026-02-27 14:42:00 +01:00
Valentin Lobstein 6923badeac Fix: Use background thread for cycle.php bootstrap instead of timeout 2026-02-27 14:34:24 +01:00
Valentin Lobstein 76d103e483 Fix: Bootstrap cycle tables and update lab documentation 
Add cycle.php bootstrap request in cmd_injection module to create
missing MEMORY tables before starting the cycle_execs.php worker.
Update all three module docs with curl in Dockerfile, Docker gateway
instructions, Options sections, and verified scenario outputs.
 2026-02-27 14:33:04 +01:00
Valentin Lobstein a0cf8b488b Fix: Resolve protocol-relative URLs instead of skipping them 2026-02-25 13:10:30 +01:00
Valentin Lobstein ece296ba6a Fix: Address jvoisin's PR review feedback 
- Remove IOC_IN_LOGS (payload is in POST body, not logged)
- Remove redundant early filter (regex handles it)
- Use non-capturing groups in static asset regex
- Filter protocol-relative URLs before link resolution
- Clarify relative vs absolute path handling in crawler

Co-Authored-By: jvoisin <325724+jvoisin@users.noreply.github.com>
 2026-02-24 23:23:17 +01:00
Valentin Lobstein c905ec66e4 Update modules/exploits/multi/http/spip_saisies_rce.rb 
Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com>
 2026-02-24 23:19:03 +01:00
Diego Ledda 1e4c184512 Merge pull request #20988 from adfoster-r7/add-solarwinds-srvhost-defaults 
Add solarwinds srvhost defaults
 2026-02-24 04:41:23 -05:00
Valentin Lobstein a8f66a23d9 Feat: Add SPIP Saisies plugin RCE module (CVE-2025-71243) 2026-02-21 09:32:53 +01:00
Valentin Lobstein 05c12bb033 Feat: Add three MajorDoMo unauthenticated RCE modules 
- CVE-2026-27174: Console eval RCE via missing exit after redirect
- CVE-2026-27175: Command injection via rc/index.php + cycle_execs race condition
- CVE-2026-27180: Supply chain RCE via update URL poisoning in saverestore module

All three modules include documentation with Docker lab setup instructions.
 2026-02-21 08:34:31 +01:00
adfoster-r7 2c7348ec50 Add solarwinds srvhost defaults 2026-02-20 18:23:41 +00:00
msutovsky-r7 b6f37bef11 Land #20976, adds module for StoryChief WP plugin (CVE-2025-7441) 
Add StoryChief WordPress 1.0.42 unauthenticated RCE module (CVE-2025-7441)
 2026-02-19 10:06:25 +01:00
Nayeraneru 9c7347d6b5 Trriged failed_with and Removed unnecessary line 2026-02-18 02:20:36 +02:00
Nayera faca50288d Enhance CheckCode::Safe message for clarity 
Update CheckCode::Safe to include a detailed message.
 2026-02-18 00:14:18 +02:00
Nayeraneru 8ee79fa524 Add StoryChief WordPress 1.0.42 unauthenticated RCE module 2026-02-16 00:44:20 +02:00
LucasCsmt bbfe139e7f Merge branch 'master' into multi/http/churchcrm_unauth_rce 2026-02-13 15:01:52 +01:00
LucasCsmt b1758de52b Adding version control on the check method 2026-02-13 14:42:07 +01:00
LucasCsmt d90b3fdc89 Resolving compatibility issues 
In the last version of ChurchCRM (6.8.0), in order to be correct, the
url in the post request needed to end with a '/'. This issues is now
fixed and the exploit work again on the 6.8.0 version.
 2026-02-13 14:36:52 +01:00
LucasCsmt efcd0411e4 Adding a code to the check method 2026-02-13 14:04:40 +01:00
LucasCsmt fe302d30e1 Refactoring the code 2026-02-13 13:43:00 +01:00
LucasCsmt dcf4221cff Adding support for fetch payload 2026-02-13 13:23:40 +01:00
Diego Ledda a4ec3cd40d Merge pull request #20917 from sfewer-r7/solarwinds-webhelpdesk-rce 
Add exploit module for SolarWinds Web Help Desk (CVE-2025-40536 + CVE-2025-40551)
 2026-02-13 06:51:42 -05:00
LucasCsmt 3e98c7a045 Changing code according to Rubocop 2026-02-13 11:35:11 +01:00
LucasCsmt 06eba2245e Creating a check method 2026-02-13 11:34:46 +01:00
LucasCsmt 867624cad3 Removing default option 
The default option has been remove in favor of metasploit's default
selection.
 2026-02-13 10:42:42 +01:00
LucasCsmt dc2e73b44a Adding a failwith if the injection fail 2026-02-13 09:57:39 +01:00
LucasCsmt aacbd1d180 Changing PHP injection logic 
The PHP payload is injected directly into the PHP code injection. The
cleanup method has been remove in favor of a InitialAutoRunScript that
clear the config file.
 2026-02-13 09:52:48 +01:00