365caab8fc
Update the error message in case of Broken pipe error and update the documentation
2025-05-15 12:10:53 +02:00
3d121839c8
Fix from code review #2
2025-05-13 17:17:41 +02:00
4aea95f93c
Fix from code review
2025-05-13 12:54:31 +02:00
d83e6072ef
Add the module and documentation for Ivanti RCE CVE-2025-22457
2025-04-30 22:02:16 +02:00
73f0963d81
Lint ^^
2025-04-30 16:16:30 +02:00
691cead95c
Update modules/exploits/linux/http/craftcms_preauth_rce_cve_2025_32432.rb
...
Co-authored-by: Diego Ledda <diego_ledda@rapid7.com >
2025-04-30 16:10:32 +02:00
c85fe60596
Update modules/exploits/linux/http/craftcms_preauth_rce_cve_2025_32432.rb
...
Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com >
2025-04-30 11:33:14 +02:00
301e9e64e7
Update modules/exploits/linux/http/craftcms_preauth_rce_cve_2025_32432.rb
...
Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com >
2025-04-30 11:32:58 +02:00
39a5d710aa
Refactor module: modularization, session-path leak, randomized key, improved check
...
- Centralized fetch_cookies_and_csrf and execute_via_session methods for clarity
- Added leak_session_path() to call send_transform("phpinfo") and parse session.save_path via XPath
- In check(): first try to leak the PHP session directory (report vulnerable if successful), then perform a simple RCE check by summing two 4-digit random numbers with print_r()
- Stub injection now happens once in fetch_cookies_and_csrf; execute_via_session only needs the payload
- Randomized the "as hack" key in send_transform
- Simplified exploit() to reuse execute_via_session with a Base64-encoded payload
- Big thanks to @jvoisin for the suggestions!
2025-04-30 00:24:25 +02:00
9d0d12004e
Update modules/exploits/linux/http/craftcms_preauth_rce_cve_2025_32432.rb
...
Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com >
2025-04-29 19:59:09 +02:00
59b9249cec
Update modules/exploits/linux/http/craftcms_preauth_rce_cve_2025_32432.rb
...
Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com >
2025-04-29 19:58:38 +02:00
a0e9758c7f
Improve error handling, and search csrf_token in root uri
2025-04-27 08:01:17 +02:00
ba094199da
Fix typo
2025-04-26 10:41:30 +02:00
332c61b6ea
Fix cookie handling and switch to send_request_cgi for HTTP requests
2025-04-26 08:24:11 +02:00
3e96b4148e
Add comment about msftidy issue
2025-04-26 06:02:27 +02:00
9392d0bdf9
Add suggestions
2025-04-26 05:56:41 +02:00
c4e621f3cf
Add new exploit for CVE-2025-32432: Craft CMS Preauth RCE
2025-04-26 05:43:13 +02:00
dc8531e37f
Fix after applied suggestions (escape ')
2025-04-22 21:57:05 +09:00
f579235b95
Apply suggestions from code review
...
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com >
2025-04-22 21:53:05 +09:00
e1b5109c70
Add BentoML RCE module (CVE-2025-32375)
2025-04-17 20:46:43 +09:00
5945e0db0e
Update modules/exploits/linux/http/bentoml_rce_cve_2025_27520.rb
...
Co-authored-by: msutovsky-r7 <martin_sutovsky@rapid7.com >
2025-04-16 22:05:04 +09:00
edcc30699a
Make user be able to specify a particular endpoint
2025-04-16 21:47:31 +09:00
4463bb2ced
Support a pure-python payload
2025-04-16 21:25:36 +09:00
6d936a72b1
Delete ARTIFACTS_ON_DISK
2025-04-16 20:54:22 +09:00
e51cd24383
Add BentoML RCE module (CVE-2025-27520)
2025-04-15 22:46:42 +09:00
fe9a0ad25b
Land #20008 , PandoraFMS Auth RCE module
...
Pandora FMS authenticated RCE [CVE-2024-12971]
2025-04-08 07:50:28 +02:00
40ba981c98
update based on reviewer suggestions
2025-04-07 14:29:51 +00:00
39e4093310
Rubocop formatting after applied suggestions
2025-04-07 21:03:58 +09:00
7aabe06f66
Apply suggestions from code review
...
Co-authored-by: msutovsky-r7 <martin_sutovsky@rapid7.com >
2025-04-07 20:59:57 +09:00
ec6f4022cd
Make the Ruby code error-safe
2025-04-07 20:28:57 +09:00
f42083db03
Increased the size of email to avoid duplicate
2025-04-07 20:23:31 +09:00
35c1ccccdb
Update modules/exploits/linux/http/appsmith_rce_cve_2024_55964.rb
...
Co-authored-by: msutovsky-r7 <martin_sutovsky@rapid7.com >
2025-04-07 20:06:55 +09:00
76fb34a5db
small update in description of the module and documentation
2025-04-06 10:49:03 +00:00
8a72fd6861
init module and documentation
2025-04-06 10:33:56 +00:00
139dd50333
Add Appsmith RCE module (CVE-2024-55964)
2025-04-05 14:56:04 +09:00
bf1f919d9f
Merge pull request #19957 from msutovsky-r7/auxmodule-eramba-update
...
Auxmodule eramba update
2025-03-25 13:54:24 -04:00
95f9e22eff
Addressing comments
2025-03-20 20:46:38 +01:00
df027f3fdd
Update documentation, adding more precise check, removing unnecessary characters
2025-03-20 15:18:55 +01:00
741a222e9a
Land #19961 , fixing incorrect URL in the InvoiceNinja module
...
BUGFIX invoiceninja module - fixed invalid attackerkb reference
2025-03-14 11:15:23 +01:00
9961bfbc58
Land #19950 , module for InvoiceShelf unauthenticated PHP deserialization
...
InvoiceShelf unauthenticated PHP deserialization vulnerability [CVE-2024-55556]
2025-03-14 10:21:56 +01:00
84012fd60c
fixed invalid attackerkb reference
2025-03-14 08:23:10 +00:00
0ca2599f48
update based on review comments
2025-03-14 08:04:22 +00:00
9886f78575
Upgrade Eramba RCE module
2025-03-13 12:34:50 +01:00
1ca57c86fc
added base64 encoding in php payload execution
2025-03-11 21:30:32 +00:00
e341398871
small update on module and documentation
2025-03-10 19:35:37 +00:00
281b728000
initial module and documentation
2025-03-07 17:34:22 +00:00
196d95b2bf
Land #19944 , adding dynamic session for module CVE-2025-0655
...
Update dtale_rce_cve_2025_0655.rb to use dynamically generated session
2025-03-07 14:35:51 +01:00
edb47d968c
Update function name after applied suggestion
2025-03-07 08:05:00 +09:00
233c710d82
Update modules/exploits/linux/http/dtale_rce_cve_2025_0655.rb
...
Co-authored-by: Simon Janusz <85949464+sjanusz-r7@users.noreply.github.com >
2025-03-07 07:54:50 +09:00
8604c72ef4
Merge pull request #19895 from cgranleese-r7/update-dead-module-references
...
Update dead module references
2025-03-05 16:57:05 +00:00
Christophe De La Fuente