adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
80,937 Commits 27 Branches 1,043 Tags
91633fdad7e9474debefbfd044d2b8bc7652deee
Commit Graph

1278 Commits

Author SHA1 Message Date
Christophe De La Fuente 09a59af789 Merge pull request #21069 from Chocapikk/add-module-freescout-htaccess-rce 2026-03-31 18:09:30 +02:00
msutovsky-r7 6d4b268f9f Land #21029, adds module for Grav CMS (CVE-2025-50286) 
Adds exploit module for Grav CMS (CVE-2025-50286)
 2026-03-31 14:47:44 +02:00
adfoster-r7 20bb912515 Merge pull request #21023 from g0tmi1k/os_cmd_exec 
Add: exploits/multi/http/os_cmd_exec
 2026-03-27 16:38:03 +00:00
x1o3 d12e3945fe plugin version parsing and check logic improvement, msftidy & rubocop compliant 2026-03-27 11:47:30 +05:30
x1o3 de81c5f0dc plugin version parsing and check logic improvement, msftidy & rubocop compliant 2026-03-27 11:45:20 +05:30
g0t mi1k 51f36982c7 Add: exploits/multi/http/os_cmd_exec 
A lot of this was based on: exploits/unix/webapp/php_eval
 2026-03-24 20:01:30 +00:00
Valentin Lobstein 3414611a3d Refactor: Use inherited SSL option from HttpClient instead of HTTPSSL 2026-03-14 00:07:28 +01:00
Valentin Lobstein c5c6c34232 Refactor: Remove HTTPSSL option, auto-detect SSL from port 443 2026-03-14 00:04:49 +01:00
Valentin Lobstein db3654eebf Fix: Address Copilot review feedback and fix cmd/dropper targets 
- Fix http_send: use standalone Rex::Proto::Http::Client to avoid
  SMTPDeliver/HttpClient connect() method conflict
- Fix cmd/dropper PHP stub: remove double $$ variable (vars[:cmd_varname]
  already includes $ prefix)
- Fix cmd/dropper unlink: use cleanup POST param instead of inline
  @unlink to preserve shell across multiple stager requests
- Fix wait_for_cron: use .to_i % fetch for correct modulo calculation
- Fix dir_exists?: use res&.redirect? instead of res&.code == 301
- Fix docs: RHOSTS -> RHOST (SMTPDeliver registers singular RHOST)
- Remove manual Date header (SMTPDeliver handles it)
- Update scan_paths comment to reflect MD5 digit extraction
- Replace php_exec_cmd with manual preamble + system_block stub
 2026-03-13 23:38:30 +01:00
x1o3 de72dcb88a fixes review feedback 2026-03-11 12:56:14 +05:30
msutovsky-r7 c6aabc1c75 Land #21001, adds module for SPIP Saisies plugin (CVE-2025-71243) 
Add SPIP Saisies plugin RCE module (CVE-2025-71243)
 2026-03-09 10:34:52 +01:00
Valentin Lobstein 9b7faea3c2 Feat: Add FreeScout ZWSP .htaccess RCE module (CVE-2026-28289) 2026-03-05 18:06:32 +01:00
Valentin Lobstein 3d38e9b27b Fix: Fallback check to Detected when plugin version unavailable 
- Use spip_version as fallback when spip_plugin_version fails
- Return Detected instead of Unknown so AutoCheck does not abort
- Fix lab healthcheck to wait for saisies form before reporting healthy
 2026-03-05 14:13:05 +01:00
x1o3 f87a5d9598 fixes review feedback 2026-03-02 17:38:14 +05:30
x1o3 7d6d592efe logic fix & cleanup 2026-02-28 22:56:28 +05:30
x1o3 8ba79db6b6 msftidy_docs compliant 2026-02-28 21:30:40 +05:30
x1o3 657e53dcec Add module documentation 2026-02-28 20:59:49 +05:30
Valentin Lobstein 76d103e483 Fix: Bootstrap cycle tables and update lab documentation 
Add cycle.php bootstrap request in cmd_injection module to create
missing MEMORY tables before starting the cycle_execs.php worker.
Update all three module docs with curl in Dockerfile, Docker gateway
instructions, Options sections, and verified scenario outputs.
 2026-02-27 14:33:04 +01:00
Valentin Lobstein 402ed5d50b Docs: Clarify 41086aaa is a pinned vulnerable commit on alpha branch 2026-02-26 17:18:22 +01:00
Valentin Lobstein 53652b3e3b Fix: Update SPIP saisies doc with working lab setup 2026-02-21 09:50:50 +01:00
Valentin Lobstein b904419f28 Fix: Update SPIP saisies doc with working lab setup 2026-02-21 09:50:02 +01:00
Valentin Lobstein a8f66a23d9 Feat: Add SPIP Saisies plugin RCE module (CVE-2025-71243) 2026-02-21 09:32:53 +01:00
Valentin Lobstein 05c12bb033 Feat: Add three MajorDoMo unauthenticated RCE modules 
- CVE-2026-27174: Console eval RCE via missing exit after redirect
- CVE-2026-27175: Command injection via rc/index.php + cycle_execs race condition
- CVE-2026-27180: Supply chain RCE via update URL poisoning in saverestore module

All three modules include documentation with Docker lab setup instructions.
 2026-02-21 08:34:31 +01:00
msutovsky-r7 b6f37bef11 Land #20976, adds module for StoryChief WP plugin (CVE-2025-7441) 
Add StoryChief WordPress 1.0.42 unauthenticated RCE module (CVE-2025-7441)
 2026-02-19 10:06:25 +01:00
Nayeraneru a48129b640 Updated doc after checking msftidy_docs 2026-02-18 16:58:51 +02:00
Nayeraneru 8ee79fa524 Add StoryChief WordPress 1.0.42 unauthenticated RCE module 2026-02-16 00:44:20 +02:00
LucasCsmt a39ed2beac Removing default version in the Dockerfile 2026-02-13 15:14:41 +01:00
LucasCsmt bbfe139e7f Merge branch 'master' into multi/http/churchcrm_unauth_rce 2026-02-13 15:01:52 +01:00
LucasCsmt 2b6d95d3c9 Adding a scenario in the documentation 
The documentation for PHP Fetch have been added. The scenario have been
redone in order to track the last changes.
 2026-02-13 15:01:17 +01:00
LucasCsmt 381972efd2 Changing the documentation 
According to the recent change, i've changed the documentation and the
scenario outputs.
 2026-02-13 14:05:29 +01:00
Diego Ledda a4ec3cd40d Merge pull request #20917 from sfewer-r7/solarwinds-webhelpdesk-rce 
Add exploit module for SolarWinds Web Help Desk (CVE-2025-40536 + CVE-2025-40551)
 2026-02-13 06:51:42 -05:00
LucasCsmt 78f4b8f97d Merge branch 'master' into multi/http/churchcrm_unauth_rce 2026-02-13 08:50:23 +01:00
Spencer McIntyre 35b52df28a Merge pull request #20849 from haicenhacks/haicen_xerte 
Add three modules for exploiting Xerte Online Toolkits
 2026-02-12 15:01:42 -05:00
Spencer McIntyre 41414b896b Tweak whitespacing in the docs for the renderer 2026-02-12 14:43:47 -05:00
haicen 7204c64b6b Improves documentation 2026-02-12 12:05:29 -05:00
haicen 66139795e5 Fixes problems with module documentation 2026-02-11 18:20:06 -05:00
sfewer-r7 58dd29107f remove SMB_SRVPORT as an option. It must allways be 445 so the user cannot change it. We print a message to inform the user this port is intended to be in use so that the SMB server is not compleatly opaque. 2026-02-05 17:21:31 +00:00
LucasCsmt eb5507844b Testing the module on different version 
The module have been tested on different version of ChurchCRM (6.8.0 and
6.2.0) prooving it's vulnerability to this exploit. This commit contains
modification of the dockerfile/docker-compose in order to support
multi-version installation.
 2026-02-05 12:36:26 +01:00
sfewer-r7 40073bcc8e typo in docs 2026-02-05 09:00:15 +00:00
sfewer-r7 50f46aa85d add docs 2026-02-04 20:36:10 +00:00
LucasCsmt 4d65f15884 Adding a link to the CVE 2026-02-04 16:17:15 +01:00
LucasCsmt ca5ceae1b3 Adding documentation to the churchcrm module 
The documentation of the module is addedd.
 2026-02-04 16:04:42 +01:00
jheysel-r7 f31776caf0 Merge pull request #20778 from h00die/ssh_keys 
Update and combine ssh key persistence with mixin
 2026-01-27 06:39:10 -08:00
Spencer McIntyre c0e9288ac5 Merge pull request #20799 from jheysel-r7/feat/cacti_graph_template_rce 
Cacti Graph Template Authenticated RCE [CVE-2025-24367]
 2026-01-22 14:26:38 -05:00
Jack Heysel 2e484d552e Finishing touches 2026-01-22 15:03:31 +01:00
Jack Heysel 99e032f4af SmarterTools SmarterMail Unauth File Upload RCE [CVE-2025-52691] 2026-01-22 15:03:30 +01:00
msutovsky-r7 537a1c5395 Land #19821, adds Burpsuite persistence module 
Burp extension persistence
 2026-01-22 11:03:08 +01:00
jheysel-r7 719874a7f4 Merge pull request #20750 from MatDupas/add-exploit-oracle-ebs-cve-2025-61882-module 
Add exploit oracle ebs CVE 2025 61882 module
 2026-01-21 16:08:09 -08:00
jheysel-r7 b6da204725 Apply suggestions from code review 
Co-authored-by: Spencer McIntyre <58950994+smcintyre-r7@users.noreply.github.com>
 2026-01-21 10:09:12 -08:00
haicen c3830f6987 adds documentation 2026-01-20 22:29:29 -05:00