cb6495e5bc
Merge pull request #20146 from Chocapikk/wp_suretriggers_auth_bypass
...
Add WP SureTriggers ≤1.0.78 admin-creation & RCE module (CVE-2025-3102)
2025-05-13 10:53:44 -05:00
5faa0a5b6b
Merge pull request #19777 from msutovsky-r7/linqpad_deserialization
...
Linqpad deserialization persistence
2025-05-13 08:03:30 -05:00
3af76cfa00
Renames incorrect option in documentation
...
Co-authored-by: Brendan <bwatters@rapid7.com >
2025-05-13 06:30:00 +02:00
8c647cd1ad
Land #20118 , changes target option for smb_to_ldap module
...
Fix the smb_to_ldap module's missing target option
2025-05-12 09:56:06 +02:00
4d0c7bb71a
Add WP SureTriggers ≤1.0.78 admin-creation & RCE module (CVE-2025-3102)
2025-05-07 17:45:30 +02:00
d16c639278
Adds cleanup option in documentation
2025-05-06 09:07:21 +02:00
24a86cd74a
Refactoring based on comments
2025-05-06 08:43:57 +02:00
4b9032a487
Merge pull request #20060 from mekhalleh/rce_cve-2025-21293
...
Added exploit module for CVE-2025-32433 (Erlang/OTP)
2025-05-02 07:05:30 -07:00
3216fbbde3
Fix the smb_to_ldap module
2025-05-01 16:59:16 -04:00
0f22a18dac
Merge pull request #20081 from msutovsky-r7/exploit/wondercms-rce
...
Adds module for CVE-2023-41425 WonderCMS RCE
2025-04-30 13:14:45 -07:00
f2e0fe79be
Responding to comments
2025-04-30 17:53:26 +02:00
39a5d710aa
Refactor module: modularization, session-path leak, randomized key, improved check
...
- Centralized fetch_cookies_and_csrf and execute_via_session methods for clarity
- Added leak_session_path() to call send_transform("phpinfo") and parse session.save_path via XPath
- In check(): first try to leak the PHP session directory (report vulnerable if successful), then perform a simple RCE check by summing two 4-digit random numbers with print_r()
- Stub injection now happens once in fetch_cookies_and_csrf; execute_via_session only needs the payload
- Randomized the "as hack" key in send_transform
- Simplified exploit() to reuse execute_via_session with a Base64-encoded payload
- Big thanks to @jvoisin for the suggestions!
2025-04-30 00:24:25 +02:00
f24801a4a4
Update doc
2025-04-29 20:06:40 +02:00
32a8e6797e
fixes review
...
Signed-off-by: RAMELLA Sebastien <sebastien.ramella@pirates.re >
2025-04-27 20:31:13 +04:00
89404c28e1
Fix markdown
2025-04-26 23:55:00 +02:00
b8d2681335
Remove useless config suggestions
2025-04-26 23:53:59 +02:00
c4e621f3cf
Add new exploit for CVE-2025-32432: Craft CMS Preauth RCE
2025-04-26 05:43:13 +02:00
b117843c00
Addressing comments
2025-04-25 20:17:46 +02:00
9d5c4a59e8
Adding documentation
2025-04-25 14:47:00 +02:00
665065e4df
Module init
2025-04-25 14:35:24 +02:00
740a8130d4
combine modules
...
Signed-off-by: RAMELLA Sebastien <sebastien.ramella@pirates.re >
2025-04-25 10:35:16 +04:00
f5aafdcfdf
Merge pull request #20046 from Takahiro-Yoko/bentoml_runner_server_rce_cve_2025_32375
...
Add BentoML's runner server unauth RCE module (CVE-2025-32375)
2025-04-22 12:32:08 -07:00
1da0ebff66
exploit/solaris/sunrpc/sadmind_*: Cleanup and add documentation
2025-04-22 13:33:25 +10:00
0a428b8d03
add scanner capability + code review
...
Signed-off-by: RAMELLA Sebastien <sebastien.ramella@pirates.re >
2025-04-20 18:02:52 +04:00
59ed219775
Added exploit module for CVE-2025-21293 (Erlang/OTP)
...
Signed-off-by: RAMELLA Sebastien <sebastien.ramella@pirates.re >
2025-04-19 00:18:46 +04:00
98702a6326
Merge pull request #20044 from jheysel-r7/cve_2025_21293
...
Updated service_permissions with action to exploit CVE-2025-21293
2025-04-17 13:24:46 -05:00
e1b5109c70
Add BentoML RCE module (CVE-2025-32375)
2025-04-17 20:46:43 +09:00
3ead0fdf42
Add check for is_uac_enabled?
2025-04-16 17:59:53 -07:00
9a95f60df6
Updated service_permissions with action to exploit CVE-2025-21293
2025-04-16 10:55:05 -07:00
edcc30699a
Make user be able to specify a particular endpoint
2025-04-16 21:47:31 +09:00
8dc4beba7f
Update documentation/modules/exploit/linux/http/bentoml_rce_cve_2025_27520.md
...
Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com >
2025-04-16 20:48:34 +09:00
a33a8d91fe
Update the document
2025-04-16 12:52:15 +09:00
e51cd24383
Add BentoML RCE module (CVE-2025-27520)
2025-04-15 22:46:42 +09:00
140b93e802
Land #20022 , Langflow RCE module
...
Add Langflow unauth RCE module (CVE-2025-3248)
2025-04-14 08:24:44 +02:00
c7fdcc8e91
Update the document
2025-04-12 10:21:13 +09:00
f67dfe6a62
Update check
2025-04-11 21:51:45 +09:00
0c20606c8c
Update documentation/modules/exploit/multi/http/langflow_unauth_rce_cve_2025_3248.md
...
Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com >
2025-04-11 20:44:03 +09:00
0b4e133001
Land #20018 , pgAdmin Authenticated RCE (CVE-2025-2945)
...
pgAdmin Query Tool Authenticated RCE (CVE-2025-2945)
2025-04-11 10:34:02 +02:00
718a0bc5c7
Change directory from linux to multi
2025-04-11 14:45:10 +09:00
b613b0a41b
Add Langflow unauth RCE module (CVE-2025-3248)
2025-04-11 14:07:54 +09:00
4cec129e1c
Responded to comments
2025-04-10 10:53:05 -07:00
ddb29d6181
Removed unnecessary method
2025-04-10 07:18:42 -07:00
290a35b0f6
pgAdmin Query Tool Authenticated RCE (CVE-2025-2945)
2025-04-09 17:32:10 -07:00
4da78bd550
Merge pull request #19994 from sfewer-r7/CVE-2021-35587
...
Adds exploit module for CVE-2021-35587, an unauthenticated deserialization vulnerability affecting Oracle Access Manager (OAM).
2025-04-08 08:59:18 -05:00
03f5291bcc
Improve the documentation, fix typo in console commands, add comment to wait for DB container to complete setup (Thanks Brendan).
...
Co-authored-by: Brendan <bwatters@rapid7.com >
2025-04-08 09:41:47 +01:00
16e374750f
Improve the documentation, add steps to create /opt/oracle/user_projects (thanks Brendan).
...
Co-authored-by: Brendan <bwatters@rapid7.com >
2025-04-08 09:40:21 +01:00
fe9a0ad25b
Land #20008 , PandoraFMS Auth RCE module
...
Pandora FMS authenticated RCE [CVE-2024-12971]
2025-04-08 07:50:28 +02:00
76fb34a5db
small update in description of the module and documentation
2025-04-06 10:49:03 +00:00
8a72fd6861
init module and documentation
2025-04-06 10:33:56 +00:00
139dd50333
Add Appsmith RCE module (CVE-2024-55964)
2025-04-05 14:56:04 +09:00
Brendan