【废了-准备删除02】信息收集——基于WAMP的drupal7.x管理系统
目录
1 概述
- 目的:
进行渗透测试之前, 最重要的一步就是信息收集,在这个阶段,我们要尽可能地收集目标组织的信息。所谓“知己知彼,百战不殆”,我们越是了解测试目标,测试的工作就越容易。 - 收集内容。在信息收集中,包括但不限于以下内容:
- 收集域名及子域名信息;
- 收集目标网站真实IP;
- 收集常用端口信息;
- 收集敏感信息;
- 收集CMS及WEB指纹信息;
- 收集敏感目录文件;
- 详细基础知识请参考文章《渗透测试信息收集的种类及方法》。
- 信息收集主要利用kali系统中各种工具进行。
2 域名、子域名、IP信息收集
鉴于本实验靶机是自己配置的,在局域网内IP地址为192.168.1.4/drupal7。
3 端口扫描
3.1 扫描过程
- 虚拟机打开kali系统,搜索打开nmap软件,先输入
sudo -i和密码切换到root用户。 - 使用命令
cd /home/kali/桌面,进入到桌面。 - 输入扫描命令
nmap -A 192.168.1.4 -p 1-65535 -oN nmap.A,对目标IP进行端口扫描,并将结果保存到当前目录下。 - 执行过程如下,
┌──(root💀kali)-[/home/kali/桌面]
└─# nmap -A 192.168.1.4 -p 1-65535 -oN nmap.A
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-22 04:48 EDT
Nmap scan report for 192.168.1.4 (192.168.1.4)
Host is up (0.00061s latency).
Not shown: 65523 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2j PHP/5.4.45)
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45
|_http-title: \xE7\x95\x99\xE8\xA8\x80\xE8\xAE\xBA\xE5\x9D\x9B
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2008 R2 Enterprise 7601 Service Pack 1 microsoft-ds
3306/tcp open mysql MySQL (unauthorized)
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
MAC Address: 00:0C:29:83:7B:E2 (VMware)
Device type: general purpose
Running: Microsoft Windows 7|2008|8.1
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
Network Distance: 1 hop
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-os-discovery:
| OS: Windows Server 2008 R2 Enterprise 7601 Service Pack 1 (Windows Server 2008 R2 Enterprise 6.1)
| OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
| Computer name: WIN-3BH0BJV654L
| NetBIOS computer name: WIN-3BH0BJV654L\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2022-03-22T16:49:34+08:00
|_clock-skew: mean: -2h39m59s, deviation: 4h37m07s, median: 0s
| smb2-security-mode:
| 2.1:
|_ Message signing enabled but not required
|_nbstat: NetBIOS name: WIN-3BH0BJV654L, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:83:7b:e2 (VMware)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2022-03-22T08:49:34
|_ start_date: 2022-03-22T07:02:16
TRACEROUTE
HOP RTT ADDRESS
1 0.61 ms 192.168.1.4 (192.168.1.4)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 93.68 seconds
3.2 小结
可以看到扫描得到的重要端口有80、139、445、3306等。
- 对于80端口,可以考虑Web 攻击、爆破、对应服务器版本漏洞。
- 对于139端口,是samba服务端口,可以考虑爆破、未授权访问、远程代码执行。
- 对于445端口,是SMB服务端口,可以考虑空会话攻击。
- 对于3306端口,可以考虑注入、提权、爆破。
- 不同端口的开启,给渗透测试提供了思路和方向。
4 网站目录扫描
4.1 目的
- 目的:在渗透测试中,探测Web 目录结构和隐藏的敏感文件是一个必不可少的环节,从中可以获取网站的后台管理页面、文件上传界面, 甚至可能扫描出网站的源代码。
- 常用工具如下,本文只演示前两个。
- DirBuster
- 御剑后台扫描珍藏版
- wwwscan
- Spinder.py (轻量级快速单文件目录后台扫描)
- Sensitivefilescan (轻量级快速单文件目录后台扫描)
- Weakfilescan (轻量级快速单文件目录后台扫描)
4.2 dirbuster 扫描
- 鉴于靶机80端口的存在,利用kali系统的dirbuster软件对其下网站目录进行扫描。
- 点击kali开始按钮,搜索dirbuster,点击后可以看到软件窗口如下,将其窗口最大化。
- 在Target URL输入框中输入要扫描的网址,扫描时将请求方法设置为“Auto Switch”。
- 设置线程的数值,推荐在20-30之间。太大了容易引起系统死机。
- 选择字典类型,如果使用个人字典扫描,先选择“ List based brute force ”选项,再单击“ Browse ”选择字典,可以选择工具自带的字典,也可以选择自己的字典。可以点击List info查看软件自带字典的简介再做选择。
- 在Select starting options 中选择“standard ”方式进行扫描。注意设置根目录和后缀名。
- 参考以上说明设置如下图。
- 点击start,扫描过程如下。
- 扫描结束后,选择报告的保存类型、路径和文件名,点击生成报告。
- 生成报告如下,与实际文件夹对比,可以看到至扫出来了一部分。频繁出现
~%3F%3F%3F,应该是一种正则表达式的匹配条件,暂时未发现其含义。
/drupal7/
/drupal7/themes/
/drupal7/themes/bartik/
/drupal7/user/
/drupal7/misc/
/drupal7/sites/
/drupal7/sites/default/
/drupal7/~%3F%3F%3F/
/drupal7/themes/~%3F%3F%3F/
/drupal7/misc/~%3F%3F%3F/
/drupal7/themes/bartik/~%3F%3F%3F/
/drupal7/sites/~%3F%3F%3F/
/drupal7/sites/default/~%3F%3F%3F/
/drupal7/sites/default/~fukuchi/
/drupal7/sites/~fv/
/drupal7/user/~garland/
/drupal7/themes/~genocide/
/drupal7/themes/~genone/
/drupal7/~gifteduc/
/drupal7/sites/~fw242/
/drupal7/~name*censored*/
/drupal7/themes/~name*censored*/
/drupal7/misc/~name*censored*/
/drupal7/sites/default/~name*censored*/
/drupal7/themes/bartik/~name*censored*/
/drupal7/sites/~name*censored*/
/drupal7/user/register
/drupal7/user/password
/drupal7/misc/jquery.js
/drupal7/node
/drupal7/user
/drupal7/misc/jquery-extend-3.4.0.js
/drupal7/misc/jquery-html-prefilter-3.5.0-backport.js
/drupal7/misc/jquery.once.js
/drupal7/misc/drupal.js
/drupal7/sites/default/files/languages/zh-hans_hn17KBavlrqLd1EjfEzNn_EnzKOnc4K1T5YauTQnlbA.js
/drupal7/~%3F%3F%3F.txt
/drupal7/~%3F%3F%3F.html
/drupal7/~%3F%3F%3F.php
/drupal7/themes/~%3F%3F%3F.html
/drupal7/themes/~%3F%3F%3F.txt
/drupal7/themes/~%3F%3F%3F.php
/drupal7/misc/~%3F%3F%3F.txt
/drupal7/misc/~%3F%3F%3F.html
/drupal7/misc/~%3F%3F%3F.php
/drupal7/sites/default/~%3F%3F%3F.txt
/drupal7/themes/bartik/~%3F%3F%3F.html
/drupal7/themes/bartik/~%3F%3F%3F.php
/drupal7/themes/bartik/~%3F%3F%3F.txt
/drupal7/sites/default/~%3F%3F%3F.html
/drupal7/sites/~%3F%3F%3F.txt
/drupal7/sites/~%3F%3F%3F.php
/drupal7/sites/~%3F%3F%3F.html
/drupal7/sites/default/~%3F%3F%3F.php
/drupal7/user/~gabriel.txt
/drupal7/sites/default/~fsch.txt
/drupal7/themes/~gardiner.php
/drupal7/misc/~gates.txt
/drupal7/sites/~fwitness.php
/drupal7/sites/default/~fsuas.php
/drupal7/themes/bartik/~gaas.txt
/drupal7/~gke.html
/drupal7/user/~ganz.html
/drupal7/sites/default/~fukuchi/~a.txt
/drupal7/~gligor.php
/drupal7/sites/default/~fukuchi/~adam.php
/drupal7/~glotzer.html
/drupal7/~gyrobike.txt
/drupal7/sites/default/~fukuchi/~brian.txt
/drupal7/user/~ganter.txt
/drupal7/misc/~garch1.php
/drupal7/sites/~g1.txt
/drupal7/~name*censored*.txt
/drupal7/~name*censored*.html
/drupal7/~name*censored*.php
/drupal7/themes/~name*censored*.html
/drupal7/themes/bartik/~name*censored*.php
/drupal7/misc/~name*censored*.txt
/drupal7/themes/~name*censored*.php
/drupal7/themes/~name*censored*.txt
/drupal7/misc/~name*censored*.php
/drupal7/themes/bartik/~name*censored*.html
/drupal7/misc/~name*censored*.html
/drupal7/themes/bartik/~name*censored*.txt
/drupal7/sites/default/~name*censored*.php
/drupal7/sites/~name*censored*.html
/drupal7/sites/~name*censored*.php
/drupal7/sites/~name*censored*.txt
/drupal7/sites/default/~name*censored*.html
/drupal7/sites/default/~name*censored*.txt
4.3 御剑后台扫描
- 打开御剑后台扫描,简单容易使用,输入要扫描的域名,点击开始扫描,扫描过程如下:
- 经过约20个小时的扫描,御剑扫描结果如下,扫描出来的结果较少,且没有递归。对于响应为200的连接,双击可以直接访问该文件。
4.4 小结
- 对目标网站经过长时间的目录扫描,能否扫描到有用的目录和文件,需要看字典给不给力。
- 能发现网站一部分的目录结构,也许对后续文件上传漏洞和文件包含漏洞测试有一定帮助。
- 能发现一部分文件,能否发现一些敏感文件需要花时间去阅读每一份扫描到的文件。
5 指纹识别
5.1 目的
在渗透测试中,当识别出相应的Web容器或者CMS ,就能查找与其相关的漏洞,然后针对性进行相应的渗透操作。
5.2 指纹识别
- Web指纹识别代表工具有WhatWeb 、御剑Web 指纹识别、WebRobo 、椰树、轻量WEB指纹识别等,可以快速识别一些主流CMS。
- Whatweb是kali系统自带工具,可以搜索直接使用。
- 程序打开后,建议使用命令
sudo -i切换至root身份。 - 输入命令
whatweb http://192.168.1.4/drupal7/,执行结果如下。
5.3 指纹利用
- 在上述扫描结果中,可以看到网站文件管理系统是采用drupal7,环境是Apache/2.4.23 + OpenSSL/1.0.2j + PHP/5.4.45,系统是Windows32bit。到此,我们可以上网收集关于drupal、apache、OpenSSL、php等中间件的漏洞,在该网站上进行尝试,此处演示采用MSF进行中间件漏洞信息收集。
- 打开kali系统终端,切换至root用户,输入命令
msfconsole启动MSF。
5.3.1 drupal 漏洞
- 针对drupal这个CMS系统,使用命令
search drupal查询其对应的漏洞,可以看到有以下漏洞,共有8个。
msf6 > search drupal
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/webapp/drupal_coder_exec 2016-07-13 excellent Yes Drupal CODER Module Remote Command Execution
1 exploit/unix/webapp/drupal_drupalgeddon2 2018-03-28 excellent Yes Drupal Drupalgeddon 2 Forms API Property Injection
2 exploit/multi/http/drupal_drupageddon 2014-10-15 excellent No Drupal HTTP Parameter Key/Value SQL Injection
3 auxiliary/gather/drupal_openid_xxe 2012-10-17 normal Yes Drupal OpenID External Entity Injection
4 exploit/unix/webapp/drupal_restws_exec 2016-07-13 excellent Yes Drupal RESTWS Module Remote PHP Code Execution
5 exploit/unix/webapp/drupal_restws_unserialize 2019-02-20 normal Yes Drupal RESTful Web Services unserialize() RCE
6 auxiliary/scanner/http/drupal_views_user_enum 2010-07-02 normal Yes Drupal Views Module Users Enumeration
7 exploit/unix/webapp/php_xmlrpc_eval 2005-06-29 excellent Yes PHP XML-RPC Arbitrary Code Execution
Interact with a module by name or index. For example info 7, use 7 or use exploit/unix/webapp/php_xmlrpc_eval
- 看上面最后一行提示,可以使用info加上漏洞索引号或漏洞名,查询漏洞信息。本实验使用命令
info 0,查询第一个漏洞信息,没有明确说明针对哪些版本的drupal,在说明中说在ubuntu系统上的drupal7.5版本进行过测试。
msf6 > info 0
Name: Drupal CODER Module Remote Command Execution
Module: exploit/unix/webapp/drupal_coder_exec
Platform: Unix
Arch: cmd
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2016-07-13
Provided by:
Nicky Bloor <nick@nickbloor.co.uk>
Mehmet Ince <mehmet@mehmetince.net>
Available targets:
Id Name
-- ----
0 Automatic
Check supported:
Yes
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-M
etasploit
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The target URI of the Drupal installation
VHOST no HTTP server virtual host
Payload information:
Space: 250
Avoid: 1 characters
Description:
This module exploits a Remote Command Execution vulnerability in the
Drupal CODER Module. Unauthenticated users can execute arbitrary
commands under the context of the web server user. The CODER module
doesn't sufficiently validate user inputs in a script file that has
the PHP extension. A malicious unauthenticated user can make
requests directly to this file to execute arbitrary commands. The
module does not need to be enabled for this to be exploited. This
module was tested against CODER 2.5 with Drupal 7.5 installed on
Ubuntu Server.
References:
https://www.drupal.org/node/2765575
- 本实验使用命令
info 1,查询第2个漏洞信息,看到影响版本中说小于drupal7.58。
msf6 > info 1
Name: Drupal Drupalgeddon 2 Forms API Property Injection
Module: exploit/unix/webapp/drupal_drupalgeddon2
Platform: PHP, Unix, Linux
Arch: php, cmd, x86, x64
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2018-03-28
Provided by:
Jasper Mattsson
a2u
Nixawk
FireFart
wvu <wvu@metasploit.com>
Available targets:
Id Name
-- ----
0 Automatic (PHP In-Memory)
1 Automatic (PHP Dropper)
2 Automatic (Unix In-Memory)
3 Automatic (Linux Dropper)
4 Drupal 7.x (PHP In-Memory)
5 Drupal 7.x (PHP Dropper)
6 Drupal 7.x (Unix In-Memory)
7 Drupal 7.x (Linux Dropper)
8 Drupal 8.x (PHP In-Memory)
9 Drupal 8.x (PHP Dropper)
10 Drupal 8.x (Unix In-Memory)
11 Drupal 8.x (Linux Dropper)
Check supported:
Yes
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
DUMP_OUTPUT false no Dump payload command output
PHP_FUNC passthru yes PHP function to execute
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using
-Metasploit
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Path to Drupal install
VHOST no HTTP server virtual host
Payload information:
Avoid: 3 characters
Description:
This module exploits a Drupal property injection in the Forms API.
Drupal 6.x, < 7.58, 8.2.x, < 8.3.9, < 8.4.6, and < 8.5.1 are
vulnerable.
References:
https://nvd.nist.gov/vuln/detail/CVE-2018-7600
https://www.drupal.org/sa-core-2018-002
https://greysec.net/showthread.php?tid=2912
https://research.checkpoint.com/uncovering-drupalgeddon-2/
https://github.com/a2u/CVE-2018-7600
https://github.com/nixawk/labs/issues/19
https://github.com/FireFart/CVE-2018-7600
Also known as:
SA-CORE-2018-002
Drupalgeddon 2
- 本实验使用命令
info 2,查询第3个漏洞信息,看到影响版本Drupal 7.0 - 7.31。
msf6 > info 2
Name: Drupal HTTP Parameter Key/Value SQL Injection
Module: exploit/multi/http/drupal_drupageddon
Platform: PHP
Arch: php
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2014-10-15
Provided by:
SektionEins
WhiteWinterWolf
Christian Mehlmauer <FireFart@gmail.com>
Brandon Perry
Available targets:
Id Name
-- ----
0 Drupal 7.0 - 7.31 (form-cache PHP injection method)
1 Drupal 7.0 - 7.31 (user-post PHP injection method)
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-M
etasploit
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The target URI of the Drupal installation
VHOST no HTTP server virtual host
Payload information:
Description:
This module exploits the Drupal HTTP Parameter Key/Value SQL
Injection (aka Drupageddon) in order to achieve a remote shell on
the vulnerable instance. This module was tested against Drupal 7.0
and 7.31 (was fixed in 7.32). Two methods are available to trigger
the PHP payload on the target: - set TARGET 0: Form-cache PHP
injection method (default). This uses the SQLi to upload a malicious
form to Drupal's cache, then trigger the cache entry to execute the
payload using a POP chain. - set TARGET 1: User-post injection
method. This creates a new Drupal user, adds it to the
administrators group, enable Drupal's PHP module, grant the
administrators the right to bundle PHP code in their post, create a
new post containing the payload and preview it to trigger the
payload execution.
References:
https://nvd.nist.gov/vuln/detail/CVE-2014-3704
https://www.drupal.org/SA-CORE-2014-005
http://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html
https://www.whitewinterwolf.com/posts/2017/11/16/drupageddon-revisited-a-new-path-from-sql-injection-to-remote-command-execution-cve-2014-3704/
Also known as:
Drupageddon
- 本实验使用命令
info 3,查询第4个漏洞信息,没有看到影响版本总结,在Drupal 7.15 ~ 7.2 版本中测试成功过。
msf6 > info 3
Name: Drupal OpenID External Entity Injection
Module: auxiliary/gather/drupal_openid_xxe
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2012-10-17
Provided by:
Reginaldo Silva
juan vazquez <juan.vazquez@metasploit.com>
Check supported:
Yes
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FILEPATH /etc/passwd yes The filepath to read on the server
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-M
etasploit
RPORT 80 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the lo
cal machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI /drupal yes Base Drupal directory path
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
Description:
This module abuses an XML External Entity Injection vulnerability on
the OpenID module from Drupal. The vulnerability exists in the
parsing of a malformed XRDS file coming from a malicious OpenID
endpoint. This module has been tested successfully on Drupal 7.15
and 7.2 with the OpenID module enabled.
References:
https://nvd.nist.gov/vuln/detail/CVE-2012-4554
OSVDB (86429)
http://www.securityfocus.com/bid/56103
https://drupal.org/node/1815912
http://drupalcode.org/project/drupal.git/commit/b912710
http://www.ubercomp.com/posts/2014-01-16_facebook_remote_code_execution
- 本实验使用命令
info 4,查询第5个漏洞信息,没有明确说明针对哪些版本的drupal,在说明中说在ubuntu系统上的drupal7.5版本进行过测试。
msf6 > info 4
Name: Drupal RESTWS Module Remote PHP Code Execution
Module: exploit/unix/webapp/drupal_restws_exec
Platform: PHP
Arch: php
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2016-07-13
Provided by:
Devin Zuczek
Mehmet Ince <mehmet@mehmetince.net>
Available targets:
Id Name
-- ----
0 Automatic
Check supported:
Yes
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-M
etasploit
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The target URI of the Drupal installation
VHOST no HTTP server virtual host
Payload information:
Description:
This module exploits a Remote PHP Code Execution vulnerability in
the Drupal RESTWS Module. Unauthenticated users can execute
arbitrary code under the context of the web server user. RESTWS
alters the default page callbacks for entities to provide additional
functionality. A vulnerability in this approach allows an
unauthenticated attacker to send specially crafted requests
resulting in arbitrary PHP execution. RESTWS 2.x prior to 2.6 and
1.x prior to 1.7 are affected by this issue. This module was tested
against RESTWS 2.5 with Drupal 7.5 installed on Ubuntu Server.
References:
https://www.drupal.org/node/2765567
- 本实验使用命令
info 5,查询第6个漏洞信息,影响版本为 < 8.5.11 和 < 8.6.10。
msf6 > info 5
Name: Drupal RESTful Web Services unserialize() RCE
Module: exploit/unix/webapp/drupal_restws_unserialize
Platform: PHP, Unix
Arch: php, cmd
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2019-02-20
Provided by:
Jasper Mattsson
Charles Fol
Rotem Reiss
wvu <wvu@metasploit.com>
Module side effects:
ioc-in-logs
Module stability:
crash-safe
Module reliability:
unreliable-session
Available targets:
Id Name
-- ----
0 PHP In-Memory
1 Unix In-Memory
Check supported:
Yes
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
DUMP_OUTPUT false no Dump payload command output
METHOD POST yes HTTP method to use (Accepted: GET, POST, PATCH, PUT)
NODE 1 no Node ID to target with GET method
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using
-Metasploit
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Path to Drupal install
VHOST no HTTP server virtual host
Payload information:
Avoid: 1 characters
Description:
This module exploits a PHP unserialize() vulnerability in Drupal
RESTful Web Services by sending a crafted request to the /node REST
endpoint. As per SA-CORE-2019-003, the initial remediation was to
disable POST, PATCH, and PUT, but Ambionics discovered that GET was
also vulnerable (albeit cached). Cached nodes can be exploited only
once. Drupal updated SA-CORE-2019-003 with PSA-2019-02-22 to notify
users of this alternate vector. Drupal < 8.5.11 and < 8.6.10 are
vulnerable.
References:
https://nvd.nist.gov/vuln/detail/CVE-2019-6340
https://www.drupal.org/sa-core-2019-003
https://www.drupal.org/psa-2019-02-22
https://www.ambionics.io/blog/drupal8-rce
https://github.com/ambionics/phpggc
https://twitter.com/jcran/status/1099206271901798400
Also known as:
SA-CORE-2019-003
- 本实验使用命令
info 6,查询第7个漏洞信息,影响版本为 Drupal 6 with ‘Views’ module <= 6.x-2.11。
msf6 > info 6
Name: Drupal Views Module Users Enumeration
Module: auxiliary/scanner/http/drupal_views_user_enum
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2010-07-02
Provided by:
Justin Klein Keane
Robin Francois <rof@navixia.com>
Brandon McCann "zeknox" <bmccann@accuvant.com>
Check supported:
Yes
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-M
etasploit
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Drupal Path
THREADS 1 yes The number of concurrent threads (max one per host)
VHOST no HTTP server virtual host
Description:
This module exploits an information disclosure vulnerability in the
'Views' module of Drupal, brute-forcing the first 10 usernames from
'a' to 'z'. Drupal 6 with 'Views' module <= 6.x-2.11 are vulnerable.
Drupal does not consider disclosure of usernames as a weakness.
References:
http://www.madirish.net/node/465
https://www.drupal.org/node/1004778
- 本实验使用命令
info 7,查询第8个漏洞信息,该漏洞利用了在 PHP XML-RPC 模块,在许多实现中发现的任意代码执行缺陷。 此漏洞可通过许多 PHP Web 应用程序利用,包括但不限于 Drupal、Wordpress、Postnuke 和 TikiWiki。
msf6 > info 7
Name: PHP XML-RPC Arbitrary Code Execution
Module: exploit/unix/webapp/php_xmlrpc_eval
Platform: Unix
Arch: cmd
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2005-06-29
Provided by:
hdm <x@hdm.io>
cazz <bmc@shmoo.com>
Available targets:
Id Name
-- ----
0 Automatic
Check supported:
Yes
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
PATH /xmlrpc.php yes Path to xmlrpc.php
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Met
asploit
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
VHOST no HTTP server virtual host
Payload information:
Space: 512
Description:
This module exploits an arbitrary code execution flaw discovered in
many implementations of the PHP XML-RPC module. This flaw is
exploitable through a number of PHP web applications, including but
not limited to Drupal, Wordpress, Postnuke, and TikiWiki.
References:
https://nvd.nist.gov/vuln/detail/CVE-2005-1921
OSVDB (17793)
http://www.securityfocus.com/bid/14088
5.3.2 Apache 漏洞
与上同理,在MSF控制台下,使用命令search apache可以查询到apache有关的漏洞,此时查询到有106个,此处就不再展开查询信息了。
msf6 > search apache
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/linux/http/atutor_filemanager_traversal 2016-03-01 excellent Yes ATutor 2.2.1 Directory Traversal / Remote Code Execution
1 exploit/multi/http/apache_activemq_upload_jsp 2016-06-01 excellent No ActiveMQ web shell upload
2 auxiliary/scanner/http/apache_userdir_enum normal No Apache "mod_userdir" User Enumeration
3 exploit/multi/http/apache_normalize_path_rce 2021-05-10 excellent Yes Apache 2.4.49/2.4.50 Traversal RCE
4 auxiliary/scanner/http/apache_normalize_path 2021-05-10 normal No Apache 2.4.49/2.4.50 Traversal RCE scanner
5 exploit/windows/http/apache_activemq_traversal_upload 2015-08-19 excellent Yes Apache ActiveMQ 5.x-5.11.1 Directory Traversal Shell Upload
6 auxiliary/scanner/http/apache_activemq_traversal normal No Apache ActiveMQ Directory Traversal
7 auxiliary/scanner/http/apache_activemq_source_disclosure normal No Apache ActiveMQ JSP Files Source Disclosure
8 auxiliary/scanner/http/axis_login normal No Apache Axis2 Brute Force Utility
9 auxiliary/scanner/http/axis_local_file_include normal No Apache Axis2 v1.4.1 Local File Inclusion
10 auxiliary/dos/http/apache_commons_fileupload_dos 2014-02-06 normal No Apache Commons FileUpload and Apache Tomcat DoS
11 exploit/linux/http/apache_continuum_cmd_exec 2016-04-06 excellent Yes Apache Continuum Arbitrary Command Execution
12 exploit/linux/http/apache_couchdb_cmd_exec 2016-04-06 excellent Yes Apache CouchDB Arbitrary Command Execution
13 exploit/linux/http/apache_druid_js_rce 2021-01-21 excellent Yes Apache Druid 0.20.0 Remote Command Execution
14 exploit/multi/http/apache_flink_jar_upload_exec 2019-11-13 excellent Yes Apache Flink JAR Upload Java Code Execution
15 auxiliary/scanner/http/apache_flink_jobmanager_traversal 2021-01-05 normal Yes Apache Flink JobManager Traversal
16 auxiliary/scanner/http/mod_negotiation_brute normal No Apache HTTPD mod_negotiation Filename Bruter
17 auxiliary/scanner/http/mod_negotiation_scanner normal No Apache HTTPD mod_negotiation Scanner
18 exploit/linux/smtp/apache_james_exec 2015-10-01 normal Yes Apache James Server 2.3.2 Insecure User Creation Arbitrary File Write
19 exploit/multi/http/apache_jetspeed_file_upload 2016-03-06 manual No Apache Jetspeed Arbitrary File Upload
20 auxiliary/scanner/ssh/apache_karaf_command_execution 2016-02-09 normal No Apache Karaf Default Credentials Command Execution
21 auxiliary/scanner/ssh/karaf_login normal No Apache Karaf Login Utility
22 exploit/windows/http/apache_mod_rewrite_ldap 2006-07-28 great Yes Apache Module mod_rewrite LDAP Protocol Buffer Overflow
23 exploit/multi/http/apache_nifi_processor_rce 2020-10-03 excellent Yes Apache NiFi API Remote Code Execution
24 exploit/linux/http/apache_ofbiz_deserialization_soap 2021-03-22 excellent Yes Apache OFBiz SOAP Java Deserialization
25 exploit/linux/http/apache_ofbiz_deserialization 2020-07-13 excellent Yes Apache OFBiz XML-RPC Java Deserialization
26 exploit/multi/misc/openoffice_document_macro 2017-02-08 excellent No Apache OpenOffice Text Document Malicious Macro Execution
27 auxiliary/scanner/http/apache_optionsbleed 2017-09-18 normal No Apache Optionsbleed Scanner
28 auxiliary/dos/http/apache_range_dos 2011-08-19 normal No Apache Range Header DoS (Apache Killer)
29 auxiliary/gather/apache_rave_creds normal No Apache Rave User Information Disclosure
30 auxiliary/scanner/http/rewrite_proxy_bypass normal No Apache Reverse Proxy Bypass Vulnerability Scanner
31 exploit/multi/http/apache_roller_ognl_injection 2013-10-31 excellent Yes Apache Roller OGNL Injection
32 exploit/multi/http/shiro_rememberme_v124_deserialize 2016-06-07 excellent No Apache Shiro v1.2.4 Cookie RememberME Deserial RCE
33 exploit/multi/http/solr_velocity_rce 2019-10-29 excellent Yes Apache Solr Remote Code Execution via Velocity Template
34 exploit/linux/http/spark_unauth_rce 2017-12-12 excellent Yes Apache Spark Unauthenticated Command Execution
35 exploit/multi/http/struts_default_action_mapper 2013-07-02 excellent Yes Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution
36 exploit/multi/http/struts_dev_mode 2012-01-06 excellent Yes Apache Struts 2 Developer Mode OGNL Execution
37 exploit/multi/http/struts2_multi_eval_ognl 2020-09-14 excellent Yes Apache Struts 2 Forced Multi OGNL Evaluation
38 exploit/multi/http/struts2_namespace_ognl 2018-08-22 excellent Yes Apache Struts 2 Namespace Redirect OGNL Injection
39 exploit/multi/http/struts2_rest_xstream 2017-09-05 excellent Yes Apache Struts 2 REST Plugin XStream RCE
40 exploit/multi/http/struts2_code_exec_showcase 2017-07-07 excellent Yes Apache Struts 2 Struts 1 Plugin Showcase OGNL Code Execution
41 exploit/multi/http/struts_code_exec_classloader 2014-03-06 manual No Apache Struts ClassLoader Manipulation Remote Code Execution
42 exploit/multi/http/struts_dmi_exec 2016-04-27 excellent Yes Apache Struts Dynamic Method Invocation Remote Code Execution
43 exploit/multi/http/struts2_content_type_ognl 2017-03-07 excellent Yes Apache Struts Jakarta Multipart Parser OGNL Injection
44 exploit/multi/http/struts_code_exec_parameters 2011-10-01 excellent Yes Apache Struts ParametersInterceptor Remote Code Execution
45 exploit/multi/http/struts_dmi_rest_exec 2016-06-01 excellent Yes Apache Struts REST Plugin With Dynamic Method Invocation Remote Code Execution
46 exploit/multi/http/struts_code_exec 2010-07-13 good No Apache Struts Remote Command Execution
47 exploit/multi/http/struts_code_exec_exception_delegator 2012-01-06 excellent No Apache Struts Remote Command Execution
48 exploit/multi/http/struts_include_params 2013-05-24 great Yes Apache Struts includeParams Remote Code Execution
49 auxiliary/gather/cve_2021_27850_apache_tapestry_hmac_key 2021-04-15 normal Yes Apache Tapestry HMAC secret key leak
50 exploit/windows/http/apache_tika_jp2_jscript 2018-04-25 excellent Yes Apache Tika Header Command Injection
51 auxiliary/admin/http/tomcat_ghostcat 2020-02-20 normal Yes Apache Tomcat AJP File Read
52 exploit/windows/http/tomcat_cgi_cmdlineargs 2019-04-10 excellent Yes Apache Tomcat CGIServlet enableCmdLineArguments Vulnerability
53 exploit/multi/http/tomcat_mgr_deploy 2009-11-09 excellent Yes Apache Tomcat Manager Application Deployer Authenticated Code Execution
54 exploit/multi/http/tomcat_mgr_upload 2009-11-09 excellent Yes Apache Tomcat Manager Authenticated Upload Code Execution
55 auxiliary/dos/http/apache_tomcat_transfer_encoding 2010-07-09 normal No Apache Tomcat Transfer-Encoding Information Disclosure and DoS
56 auxiliary/scanner/http/tomcat_enum normal No Apache Tomcat User Enumeration
57 exploit/windows/http/apache_chunked 2002-06-19 good Yes Apache Win32 Chunked Encoding
58 auxiliary/gather/zookeeper_info_disclosure 2020-10-14 normal No Apache ZooKeeper Information Disclosure
59 exploit/multi/http/apache_mod_cgi_bash_env_exec 2014-09-24 excellent Yes Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)
60 auxiliary/scanner/http/apache_mod_cgi_bash_env 2014-09-24 normal Yes Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner
61 auxiliary/dos/http/apache_mod_isapi 2010-03-05 normal No Apache mod_isapi Dangling Pointer
62 exploit/windows/http/apache_modjk_overflow 2007-03-02 great Yes Apache mod_jk 1.2.20 Buffer Overflow
63 auxiliary/admin/appletv/appletv_display_video normal No Apple TV Video Remote Control
64 exploit/windows/http/bea_weblogic_jsessionid 2009-01-13 good No BEA WebLogic JSESSIONID Cookie Value Overflow
65 exploit/windows/http/bea_weblogic_transfer_encoding 2008-09-09 great No BEA Weblogic Transfer-Encoding Buffer Overflow
66 exploit/windows/http/cayin_xpost_sql_rce 2020-06-04 excellent Yes Cayin xPost wayfinder_seqid SQLi to RCE
67 exploit/multi/http/cisco_dcnm_upload_2019 2019-06-26 excellent Yes Cisco Data Center Network Manager Unauthenticated Remote Code Execution
68 exploit/linux/http/cpi_tararchive_upload 2019-05-15 excellent Yes Cisco Prime Infrastructure Health Monitor TarArchive Directory Traversal Vulnerability
69 exploit/linux/http/cisco_prime_inf_rce 2018-10-04 excellent Yes Cisco Prime Infrastructure Unauthenticated Remote Code Execution
70 exploit/unix/http/contentkeeperweb_mimencode 2009-02-25 excellent Yes ContentKeeper Web Remote Command Execution
71 auxiliary/scanner/couchdb/couchdb_enum normal Yes CouchDB Enum Utility
72 exploit/multi/http/sonicwall_scrutinizer_methoddetail_sqli 2014-07-24 excellent Yes Dell SonicWALL Scrutinizer 11.01 methodDetail SQL Injection
73 exploit/linux/http/eyesofnetwork_autodiscovery_rce 2020-02-06 excellent Yes EyesOfNetwork 5.1-5.3 AutoDiscovery Target Command Execution
74 exploit/multi/fileformat/zip_slip 2018-06-05 manual No Generic Zip Slip Traversal Vulnerability
75 auxiliary/gather/impersonate_ssl normal No HTTP SSL Certificate Impersonation
76 exploit/windows/misc/ibm_websphere_java_deserialize 2015-11-06 excellent No IBM WebSphere RCE Java Deserialization Vulnerability
77 exploit/linux/http/klog_server_authenticate_user_unauth_command_injection 2020-12-27 excellent Yes Klog Server authenticate.php user Unauthenticated Command Injection
78 exploit/linux/local/kloxo_lxsuexec 2012-09-18 excellent No Kloxo Local Privilege Escalation
79 auxiliary/fileformat/odt_badodt 2018-05-01 normal No LibreOffice 6.03 /Apache OpenOffice 4.1.5 Malicious ODT File Generator
80 post/linux/gather/enum_configs normal No Linux Gather Configurations
81 exploit/linux/http/mida_solutions_eframework_ajaxreq_rce 2020-07-24 excellent Yes Mida Solutions eFramework ajaxreq.php Command Injection
82 exploit/unix/webapp/moinmoin_twikidraw 2012-12-30 manual Yes MoinMoin twikidraw Action Traversal File Upload
83 exploit/linux/http/nagios_xi_snmptrap_authenticated_rce 2020-10-20 excellent Yes Nagios XI 5.5.0-5.7.3 - Snmptrap Authenticated Remote Code Exection
84 exploit/linux/http/nagios_xi_mibs_authenticated_rce 2020-10-20 excellent Yes Nagios XI 5.6.0-5.7.3 - Mibs.php Authenticated Remote Code Exection
85 exploit/linux/http/nagios_xi_plugins_filename_authenticated_rce 2020-12-19 excellent Yes Nagios XI Prior to 5.8.0 - Plugins Filename Authenticated Remote Code Exection
86 exploit/windows/http/bea_weblogic_post_bof 2008-07-17 great Yes Oracle Weblogic Apache Connector POST Request Buffer Overflow
87 payload/php/shell_findsock normal No PHP Command Shell, Find Sock
88 exploit/windows/http/php_apache_request_headers_bof 2012-05-08 normal No PHP apache_request_headers Function Buffer Overflow
89 exploit/unix/webapp/projectpier_upload_exec 2012-10-08 excellent Yes Project Pier Arbitrary File Upload Vulnerability
90 exploit/linux/http/rconfig_ajaxarchivefiles_rce 2020-03-11 good Yes Rconfig 3.x Chained Remote Code Execution
91 exploit/linux/http/piranha_passwd_exec 2000-04-04 excellent No RedHat Piranha Virtual Server Package passwd.php3 Arbitrary Command Execution
92 exploit/unix/webapp/spip_connect_exec 2012-07-04 excellent Yes SPIP connect Parameter PHP Injection
93 exploit/unix/misc/spamassassin_exec 2006-06-06 excellent No SpamAssassin spamd Remote Command Execution
94 exploit/linux/http/symantec_web_gateway_lfi 2012-05-17 excellent Yes Symantec Web Gateway 5.0.2.8 relfile File Inclusion Vulnerability
95 auxiliary/admin/http/tomcat_administration normal No Tomcat Administration Tool Default Access
96 auxiliary/scanner/http/tomcat_mgr_login normal No Tomcat Application Manager Login Utility
97 exploit/multi/http/tomcat_jsp_upload_bypass 2017-10-03 excellent Yes Tomcat RCE via JSP Upload Bypass
98 auxiliary/admin/http/tomcat_utf8_traversal 2009-01-09 normal No Tomcat UTF-8 Directory Traversal Vulnerability
99 exploit/linux/http/trendmicro_websecurity_exec 2020-06-10 excellent Yes Trend Micro Web Security (Virtual Appliance) Remote Code Execution
100 auxiliary/admin/http/trendmicro_dlp_traversal 2009-01-09 normal No TrendMicro Data Loss Prevention 5.5 Directory Traversal
101 exploit/linux/http/vmware_view_planner_4_6_uploadlog_rce 2021-03-02 excellent Yes VMware View Planner Unauthenticated Log File Upload RCE
102 auxiliary/scanner/http/wangkongbao_traversal normal No WANGKONGBAO CNS-1000 and 1100 UTM Directory Traversal
103 post/windows/gather/enum_tomcat normal No Windows Gather Apache Tomcat Enumeration
104 exploit/unix/webapp/wp_phpmailer_host_header 2017-05-03 average Yes WordPress PHPMailer Host Header Command Injection
105 exploit/unix/webapp/jquery_file_upload 2018-10-09 excellent Yes blueimp's jQuery (Arbitrary) File Upload
Interact with a module by name or index. For example info 105, use 105 or use exploit/unix/webapp/jquery_file_upload
5.3.3 OpenSSL 漏洞
与上同理,在MSF控制台下,使用命令search openssl可以查询到OpenSSL有关的漏洞,此时查询到有11个,此处就不再展开查询信息了。
msf6 > search openssl
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 payload/bsd/x86/exec normal No BSD Execute Command
1 payload/osx/x86/exec normal No OS X Execute Command
2 auxiliary/server/openssl_altchainsforgery_mitm_proxy 2015-07-09 normal No OpenSSL Alternative Chains Certificate Forgery MITM Proxy
3 auxiliary/dos/ssl/dtls_changecipherspec 2000-04-26 normal No OpenSSL DTLS ChangeCipherSpec Remote DoS
4 auxiliary/dos/ssl/dtls_fragment_overflow 2014-06-05 normal No OpenSSL DTLS Fragment Buffer Overflow DoS
5 auxiliary/server/openssl_heartbeat_client_memory 2014-04-07 normal No OpenSSL Heartbeat (Heartbleed) Client Memory Exposure
6 auxiliary/scanner/ssl/openssl_heartbleed 2014-04-07 normal Yes OpenSSL Heartbeat (Heartbleed) Information Leak
7 auxiliary/scanner/ssl/openssl_ccs 2014-06-05 normal No OpenSSL Server-Side ChangeCipherSpec Injection Scanner
8 auxiliary/dos/ssl/openssl_aesni 2013-02-05 normal No OpenSSL TLS 1.1 and 1.2 AES-NI DoS
9 exploit/unix/misc/polycom_hdx_traceroute_exec 2017-11-12 excellent Yes Polycom Shell HDX Series Traceroute Command Execution
10 payload/cmd/unix/reverse_openssl normal No Unix Command Shell, Double Reverse TCP SSL (openssl)
Interact with a module by name or index. For example info 10, use 10 or use payload/cmd/unix/reverse_openssl
5.3.4 PHP 漏洞
与上同理,在MSF控制台下,使用命令search php可以查询到PHP有关的漏洞,此时查询到有491个,此处就不再展开查询信息了。
msf6 > search php
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/ftp/32bitftp_list_reply 2010-10-12 good No 32bit FTP Client Stack Buffer Overflow
1 exploit/windows/ftp/aasync_list_reply 2010-10-12 good No AASync v2.2.1.0 (Win32) Stack Buffer Overflow (LIST)
2 exploit/aix/rpc_cmsd_opcode21 2009-10-07 great No AIX Calendar Manager Service Daemon (rpc.cmsd) Opcode 21 Buffer Overflow
3 exploit/windows/browser/asus_net4switch_ipswcom 2012-02-17 normal No ASUS Net4Switch ipswcom.dll ActiveX Stack Buffer Overflow
4 exploit/linux/http/atutor_filemanager_traversal 2016-03-01 excellent Yes ATutor 2.2.1 Directory Traversal / Remote Code Execution
5 exploit/multi/http/atutor_upload_traversal 2019-05-17 excellent Yes ATutor 2.2.4 - Directory Traversal / Remote Code Execution,
6 exploit/unix/webapp/awstatstotals_multisort 2008-08-26 excellent Yes AWStats Totals multisort Remote Command Execution
7 exploit/unix/webapp/awstats_migrate_exec 2006-05-04 excellent Yes AWStats migrate Remote Command Execution
8 exploit/multi/http/activecollab_chat 2012-05-30 excellent Yes Active Collab "chat module" Remote PHP Code Injection Exploit
9 exploit/unix/webapp/actualanalyzer_ant_cookie_exec 2014-08-28 excellent Yes ActualAnalyzer 'ant' Cookie Command Execution
10 exploit/windows/browser/adobe_flash_otf_font 2012-08-09 normal No Adobe Flash Player 11.3 Kern Table Parsing Integer Overflow
11 exploit/windows/browser/adobe_flashplayer_arrayindexing 2012-06-21 great No Adobe Flash Player AVM Verification Logic Array Indexing Code Execution
12 exploit/windows/browser/adobe_flash_regex_value 2013-02-08 normal No Adobe Flash Player Regular Expression Heap Overflow
13 exploit/multi/http/agent_tesla_panel_rce 2019-08-14 excellent Yes Agent Tesla Panel Remote Code Execution
14 exploit/windows/misc/agentxpp_receive_agentx 2010-04-16 good No AgentX++ Master AgentX::receive_agentx Stack Buffer Overflow
15 exploit/multi/http/ajaxplorer_checkinstall_exec 2010-04-04 excellent Yes AjaXplorer checkInstall.php Remote Command Execution
16 auxiliary/gather/alienvault_iso27001_sqli 2014-03-30 normal No AlienVault Authenticated SQL Injection Arbitrary File Read
17 auxiliary/gather/alienvault_newpolicyform_sqli 2014-05-09 normal No AlienVault Authenticated SQL Injection Arbitrary File Read
18 exploit/linux/http/alienvault_exec 2017-01-31 excellent Yes AlienVault OSSIM/USM Remote Code Execution
19 exploit/multi/local/allwinner_backdoor 2016-04-30 excellent Yes Allwinner 3.4 Legacy Kernel Local Privilege Escalation
20 exploit/windows/http/altn_webadmin 2003-06-24 average No Alt-N WebAdmin USER Buffer Overflow
21 exploit/android/local/put_user_vroot 2013-09-06 excellent No Android get_user/put_user Exploit
22 exploit/windows/browser/apple_quicktime_marshaled_punk 2010-08-30 great No Apple QuickTime 7.6.7 _Marshaled_pUnk Code Execution
23 exploit/linux/http/vap2500_tools_command_exec 2014-11-25 normal Yes Arris VAP2500 tools_command.php Command Execution
24 exploit/linux/http/astium_sqli_upload 2013-09-17 manual Yes Astium Remote Code Execution
25 exploit/linux/http/asuswrt_lan_rce 2018-01-22 excellent No AsusWRT LAN Unauthenticated Remote Code Execution
26 exploit/multi/http/auxilium_upload_exec 2012-09-14 excellent Yes Auxilium RateMyPet Arbitrary File Upload Vulnerability
27 exploit/unix/webapp/base_qry_common 2008-06-14 excellent No BASE base_qry_common Remote File Include
28 exploit/multi/http/baldr_upload_exec 2018-12-19 excellent Yes Baldr Botnet Panel Shell Upload Exploit
29 exploit/unix/webapp/barracuda_img_exec 2005-09-01 excellent Yes Barracuda IMG.PL Remote Command Execution
30 exploit/unix/webapp/basilic_diff_exec 2012-06-28 excellent Yes Basilic 1.5.14 diff.php Arbitrary Command Execution
31 auxiliary/scanner/http/bitweaver_overlay_type_traversal 2012-10-23 normal No Bitweaver overlay_type Directory Traversal
32 exploit/unix/webapp/bolt_authenticated_rce 2020-05-07 excellent Yes Bolt CMS 3.7.0 - Authenticated Remote Code Execution
33 exploit/multi/http/bolt_file_upload 2015-08-17 excellent Yes CMS Bolt File Upload Vulnerability
34 exploit/multi/http/cmsms_showtime2_rce 2019-03-11 normal Yes CMS Made Simple (CMSMS) Showtime2 File Upload RCE
35 exploit/multi/http/cmsms_upload_rename_rce 2018-07-03 excellent Yes CMS Made Simple Authenticated RCE via File Upload/Copy
36 exploit/multi/http/cmsms_object_injection_rce 2019-03-26 normal Yes CMS Made Simple Authenticated RCE via object injection
37 exploit/unix/http/cacti_filter_sqli_rce 2020-06-17 excellent Yes Cacti color filter authenticated SQLi to RCE
38 exploit/unix/webapp/cacti_graphimage_exec 2005-01-15 excellent No Cacti graph_view.php Remote Command Execution
39 exploit/unix/webapp/cakephp_cache_corruption 2010-11-15 excellent No CakePHP Cache Corruption Code Execution
40 exploit/unix/webapp/carberp_backdoor_exec 2013-06-28 great Yes Carberp Web Panel C2 Backdoor Remote PHP Code Execution
41 exploit/linux/http/cayin_cms_ntp 2020-06-04 excellent Yes Cayin CMS NTP Server RCE
42 exploit/windows/http/cayin_xpost_sql_rce 2020-06-04 excellent Yes Cayin xPost wayfinder_seqid SQLi to RCE
43 exploit/linux/http/centreon_sqli_exec 2014-10-15 excellent Yes Centreon SQL and Command Injection
44 exploit/multi/http/caidao_php_backdoor_exec 2015-10-27 excellent Yes China Chopper Caidao PHP Backdoor Code Execution
45 auxiliary/scanner/http/caidao_bruteforce_login normal No Chinese Caidao Backdoor Bruteforce
46 exploit/windows/browser/cisco_anyconnect_exec 2011-06-01 excellent No Cisco AnyConnect VPN Client ActiveX URL Property Download and Execute
47 exploit/linux/http/cisco_prime_inf_rce 2018-10-04 excellent Yes Cisco Prime Infrastructure Unauthenticated Remote Code Execution
48 exploit/windows/browser/citrix_gateway_actx 2011-07-14 normal No Citrix Gateway ActiveX Control Stack Based Buffer Overflow Vulnerability
49 exploit/unix/http/pfsense_clickjacking 2017-11-21 normal No Clickjacking Vulnerability In CSRF Error Page pfSense
50 exploit/unix/webapp/clipbucket_upload_exec 2013-10-04 excellent Yes ClipBucket Remote Code Execution
51 exploit/multi/http/clipbucket_fileupload_exec 2018-03-03 excellent Yes ClipBucket beats_uploader Unauthenticated Arbitrary File Upload
52 exploit/windows/license/calicclnt_getconfig 2005-03-02 average No Computer Associates License Client GETCONFIG Overflow
53 exploit/windows/license/calicserv_getconfig 2005-03-02 normal Yes Computer Associates License Server GETCONFIG Overflow
54 exploit/windows/fileformat/coolpdf_image_stream_bof 2013-01-18 normal No Cool PDF Image Stream Buffer Overflow
55 exploit/unix/webapp/coppermine_piceditor 2008-01-30 excellent Yes Coppermine Photo Gallery picEditor.php Command Execution
56 exploit/linux/http/crypttech_cryptolog_login_exec 2017-05-03 excellent Yes Crypttech CryptoLog Remote Code Execution
57 exploit/windows/http/dlink_central_wifimanager_rce 2019-07-09 excellent Yes D-Link Central WiFi Manager CWM(100) RCE
58 exploit/linux/http/dlink_dcs931l_upload 2015-02-23 great Yes D-Link DCS-931L File Upload
59 auxiliary/admin/http/dlink_dir_300_600_exec_noauth 2013-02-04 normal No D-Link DIR-600 / DIR-300 Unauthenticated Remote Command Execution
60 exploit/linux/http/dlink_diagnostic_exec_noauth 2013-03-05 excellent No D-Link DIR-645 / DIR-815 diagnostic.php Command Execution
61 exploit/linux/http/dlink_command_php_exec_noauth 2013-02-04 excellent No D-Link Devices Unauthenticated Remote Command Execution
62 auxiliary/scanner/smb/impacket/secretsdump normal No DCOM Exec
63 exploit/linux/http/dlink_dir850l_unauth_exec 2017-08-09 excellent Yes DIR-850L (Un)authenticated OS Command Exec
64 auxiliary/admin/dns/dyn_dns_update normal No DNS Server Dynamic Update Record Injection
65 exploit/unix/webapp/datalife_preview_exec 2013-01-28 excellent Yes DataLife Engine preview.php PHP Code Injection
66 exploit/windows/http/sonicwall_scrutinizer_sqli 2012-07-22 excellent Yes Dell SonicWALL (Plixer) Scrutinizer 9 SQL Injection
67 exploit/multi/http/sonicwall_scrutinizer_methoddetail_sqli 2014-07-24 excellent Yes Dell SonicWALL Scrutinizer 11.01 methodDetail SQL Injection
68 exploit/multi/http/dexter_casinoloader_exec 2014-02-08 excellent Yes Dexter (CasinoLoader) SQL Injection
69 auxiliary/scanner/scada/digi_addp_version normal No Digi ADDP Information Discovery
70 auxiliary/scanner/scada/digi_addp_reboot normal No Digi ADDP Remote Reboot Initiator
71 exploit/unix/webapp/dogfood_spell_exec 2009-03-03 excellent Yes Dogfood CRM spell.php Remote Command Execution
72 auxiliary/gather/doliwamp_traversal_creds 2014-01-12 normal Yes DoliWamp 'jqueryFileTree.php' Traversal Gather Credentials
73 exploit/linux/http/dolibarr_cmd_exec 2012-04-06 excellent Yes Dolibarr ERP/CRM Post-Auth OS Command Injection
74 exploit/unix/webapp/drupal_coder_exec 2016-07-13 excellent Yes Drupal CODER Module Remote Command Execution
75 exploit/unix/webapp/drupal_drupalgeddon2 2018-03-28 excellent Yes Drupal Drupalgeddon 2 Forms API Property Injection
76 exploit/multi/http/drupal_drupageddon 2014-10-15 excellent No Drupal HTTP Parameter Key/Value SQL Injection
77 exploit/unix/webapp/drupal_restws_exec 2016-07-13 excellent Yes Drupal RESTWS Module Remote PHP Code Execution
78 exploit/unix/webapp/drupal_restws_unserialize 2019-02-20 normal Yes Drupal RESTful Web Services unserialize() RCE
79 exploit/unix/webapp/egallery_upload_exec 2012-07-08 excellent Yes EGallery PHP File Upload Vulnerability
80 exploit/windows/emc/alphastor_agent 2008-05-27 great No EMC AlphaStor Agent Buffer Overflow
81 auxiliary/admin/emc/alphastor_devicemanager_exec 2008-05-27 normal No EMC AlphaStor Device Manager Arbitrary Command Execution
82 auxiliary/admin/emc/alphastor_librarymanager_exec 2008-05-27 normal No EMC AlphaStor Library Manager Arbitrary Command Execution
83 exploit/windows/fileformat/easycdda_pls_bof 2010-06-07 normal No Easy CD-DA Recorder PLS Buffer Overflow
84 exploit/multi/misc/osgi_console_exec 2018-02-13 normal Yes Eclipse Equinox OSGi Console Command Execution
85 exploit/linux/http/efw_chpasswd_exec 2015-06-28 excellent No Endian Firewall Proxy Password Change Command Injection
86 auxiliary/scanner/http/f5_bigip_virtual_server normal No F5 BigIP HTTP Virtual Server Scanner
87 exploit/windows/ftp/ftpsynch_list_reply 2010-10-12 good No FTP Synchronizer Professional 4.0.73.274 Stack Buffer Overflow
88 exploit/windows/ftp/ftpgetter_pwd_reply 2010-10-12 good No FTPGetter Standard v3.55.0.05 Stack Buffer Overflow (PWD)
89 exploit/windows/ftp/ftppad_list_reply 2010-10-12 good No FTPPad 1.2.0 Stack Buffer Overflow
90 exploit/windows/ftp/ftpshell51_pwd_reply 2010-10-12 good No FTPShell 5.1 Stack Buffer Overflow
91 exploit/multi/http/familycms_less_exec 2011-11-29 excellent Yes Family Connections less.php Remote Command Execution
92 exploit/windows/ftp/filewrangler_list_reply 2010-10-12 good No FileWrangler 5.30 Stack Buffer Overflow
93 exploit/unix/webapp/flashchat_upload_exec 2013-10-04 excellent Yes FlashChat Arbitrary File Upload
94 exploit/windows/fileformat/foxit_title_bof 2010-11-13 great No Foxit PDF Reader v4.1.1 Title Stack Buffer Overflow
95 exploit/multi/http/freenas_exec_raw 2010-11-06 great No FreeNAS exec_raw.php Arbitrary Command Execution
96 exploit/unix/http/freepbx_callmenum 2012-03-20 manual No FreePBX 2.10.0 / 2.9.0 callmenum Remote Code Execution
97 exploit/unix/webapp/freepbx_config_exec 2014-03-21 excellent Yes FreePBX config.php Remote Code Execution
98 exploit/unix/webapp/fusionpbx_exec_cmd_exec 2019-11-02 excellent Yes FusionPBX Command exec.php Command Execution
99 exploit/unix/webapp/fusionpbx_operator_panel_exec_cmd_exec 2019-06-06 excellent Yes FusionPBX Operator Panel exec.php Command Execution
100 exploit/multi/http/glpi_install_rce 2013-09-12 manual Yes GLPI install.php Remote Command Execution
101 exploit/windows/ftp/gekkomgr_list_reply 2010-10-12 good No Gekko Manager FTP Client Stack Buffer Overflow
102 auxiliary/scanner/http/http_traversal normal No Generic HTTP Directory Traversal Utility
103 exploit/unix/webapp/php_eval 2008-10-13 manual Yes Generic PHP Code Evaluation
104 exploit/unix/webapp/get_simple_cms_upload_exec 2014-01-04 excellent Yes GetSimpleCMS PHP File Upload Vulnerability
105 exploit/multi/http/getsimplecms_unauth_code_exec 2019-04-28 excellent Yes GetSimpleCMS Unauthenticated RCE
106 exploit/multi/http/gitlist_arg_injection 2018-04-26 excellent Yes GitList v0.6.0 Argument Injection Vulnerability
107 exploit/windows/browser/hpmqc_progcolor 2007-04-04 normal No HP Mercury Quality Center ActiveX Control ProgColor Buffer Overflow
108 auxiliary/scanner/http/trace normal No HTTP Cross-Site Tracing Detection
109 auxiliary/fuzzers/http/http_form_field normal No HTTP Form Field Fuzzer
110 exploit/windows/http/httpdx_handlepeer 2009-10-08 great Yes HTTPDX h_handlepeer() Function Buffer Overflow
111 auxiliary/dos/http/hashcollision_dos 2011-12-28 normal No Hashtable Collisions
112 exploit/unix/webapp/hastymail_exec 2011-11-22 excellent Yes Hastymail 2.1.1 RC1 Command Injection
113 exploit/unix/webapp/havalite_upload_exec 2013-06-17 excellent Yes Havalite CMS Arbitary File Upload Vulnerability
114 exploit/multi/http/horde_href_backdoor 2012-02-13 excellent No Horde 3.3.12 Backdoor Arbitrary PHP Code Execution
115 exploit/multi/http/horde_csv_rce 2020-02-07 excellent No Horde CSV import arbitrary PHP code execution
116 exploit/multi/http/horde_form_file_upload 2019-03-24 excellent No Horde Form File Upload Vulnerability
117 exploit/unix/webapp/horde_unserialize_exec 2013-06-27 excellent Yes Horde Framework Unserialize PHP Code Execution
118 exploit/multi/http/horizontcms_upload_exec 2020-09-24 excellent Yes HorizontCMS Arbitrary PHP File Upload
119 auxiliary/scanner/http/httpbl_lookup normal No Http:BL Lookup
120 exploit/unix/webapp/hybridauth_install_php_exec 2014-08-04 manual Yes HybridAuth install.php PHP Code Execution
121 exploit/windows/http/ia_webmail 2003-11-03 average No IA WebMail 3.x Buffer Overflow
122 exploit/multi/http/ibm_openadmin_tool_soap_welcomeserver_exec 2017-05-30 excellent Yes IBM OpenAdmin Tool SOAP welcomeServer PHP Code Execution
123 exploit/linux/http/ibm_qradar_unauth_rce 2018-05-28 excellent Yes IBM QRadar SIEM Unauthenticated Remote Code Execution
124 exploit/windows/misc/ibm_websphere_java_deserialize 2015-11-06 excellent No IBM WebSphere RCE Java Deserialization Vulnerability
125 exploit/multi/http/ispconfig_php_exec 2013-10-30 excellent No ISPConfig Authenticated Arbitrary PHP Code Execution
126 exploit/multi/http/uptime_file_upload_1 2013-11-19 excellent Yes Idera Up.Time Monitoring Station 7.0 post2file.php Arbitrary File Upload
127 exploit/multi/http/uptime_file_upload_2 2013-11-18 excellent Yes Idera Up.Time Monitoring Station 7.4 post2file.php Arbitrary File Upload
128 auxiliary/scanner/scada/indusoft_ntwebserver_fileaccess normal No Indusoft WebStudio NTWebServer Remote File Access
129 exploit/unix/webapp/instantcms_exec 2013-06-26 excellent Yes InstantCMS 1.6 Remote PHP Code Execution
130 exploit/unix/webapp/invision_pboard_unserialize_exec 2012-10-25 excellent Yes Invision IP.Board unserialize() PHP Code Execution
131 exploit/multi/fileformat/swagger_param_inject 2016-06-23 excellent No JSON Swagger CodeGen Parameter Injector
132 exploit/multi/browser/java_jre17_exec 2012-08-26 excellent No Java 7 Applet Remote Code Execution
133 exploit/multi/browser/java_jre17_jmxbean 2013-01-10 excellent No Java Applet JMX Remote Code Execution
134 exploit/unix/webapp/joomla_comjce_imgmanager 2012-08-02 excellent Yes Joomla Component JCE File Upload Remote Code Execution
135 exploit/multi/http/joomla_http_header_rce 2015-12-14 excellent Yes Joomla HTTP Header Unauthenticated Remote Code Execution
136 exploit/linux/http/kaltura_unserialize_rce 2016-03-15 excellent Yes Kaltura Remote PHP Code Execution
137 exploit/linux/http/kaltura_unserialize_cookie_rce 2017-09-12 excellent Yes Kaltura Remote PHP Code Execution over Cookie
138 exploit/unix/webapp/kimai_sqli 2013-05-21 average Yes Kimai v0.9.2 'db_restore.php' SQL Injection
139 exploit/linux/http/klog_server_authenticate_user_unauth_command_injection 2020-12-27 excellent Yes Klog Server authenticate.php user Unauthenticated Command Injection
140 exploit/linux/local/kloxo_lxsuexec 2012-09-18 excellent No Kloxo Local Privilege Escalation
141 exploit/linux/http/kloxo_sqli 2014-01-28 manual Yes Kloxo SQL Injection and Remote Code Execution
142 auxiliary/gather/lansweeper_collector normal No Lansweeper Credential Collector
143 exploit/windows/ftp/leapftp_list_reply 2010-10-12 good No LeapFTP 3.0.1 Stack Buffer Overflow
144 exploit/linux/http/librenms_addhost_cmd_inject 2018-12-16 excellent No LibreNMS addhost Command Injection
145 exploit/unix/webapp/libretto_upload_exec 2013-06-14 excellent Yes LibrettoCMS File Manager Arbitary File Upload Vulnerability
146 exploit/linux/http/linksys_apply_cgi 2005-09-13 great No Linksys WRT54 Access Point apply.cgi Buffer Overflow
147 payload/linux/mipsbe/reboot normal No Linux Reboot
148 payload/linux/mipsle/reboot normal No Linux Reboot
149 exploit/linux/http/linuxki_rce 2020-05-17 excellent Yes LinuxKI Toolset 6.01 Remote Command Execution
150 exploit/multi/http/log1cms_ajax_create_folder 2011-04-11 excellent Yes Log1 CMS writeInfo() PHP Code Injection
151 exploit/windows/fileformat/lotusnotes_lzh 2011-05-24 good No Lotus Notes 8.0.x - 8.5.2 FP2 - Autonomy Keyview (.lzh Attachment)
152 exploit/windows/lotus/lotusnotes_lzh 2011-05-24 normal No Lotus Notes 8.0.x - 8.5.2 FP2 - Autonomy Keyview (.lzh Attachment)
153 exploit/multi/http/lcms_php_exec 2011-03-03 excellent Yes LotusCMS 3.0 eval() Remote Command Execution
154 exploit/windows/fileformat/mjm_coreplayer2011_s3m 2011-04-30 good No MJM Core Player 2011 .s3m Stack Buffer Overflow
155 exploit/windows/fileformat/mjm_quickplayer_s3m 2011-04-30 good No MJM QuickPlayer 1.00 Beta 60a / QuickPlayer 2010 .s3m Stack Buffer Overflow
156 exploit/windows/scada/moxa_mdmtool 2010-10-20 great No MOXA Device Manager Tool 2.1 Buffer Overflow
157 exploit/windows/fileformat/ms09_067_excel_featheader 2009-11-10 good No MS09-067 Microsoft Excel Malformed FEATHEADER Record Vulnerability
158 exploit/windows/browser/ms10_002_aurora 2010-01-14 normal No MS10-002 Microsoft Internet Explorer "Aurora" Memory Corruption
159 exploit/windows/browser/ms10_018_ie_behaviors 2010-03-09 good No MS10-018 Microsoft Internet Explorer DHTML Behaviors Use After Free
160 exploit/windows/fileformat/ms10_087_rtf_pfragments_bof 2010-11-09 great No MS10-087 Microsoft Word RTF pFragments Stack Buffer Overflow (File Format)
161 exploit/windows/browser/ms12_037_same_id 2012-06-12 normal No MS12-037 Microsoft Internet Explorer Same ID Property Deleted Object Handling Memory Corruption
162 exploit/windows/browser/ms13_037_svg_dashstyle 2013-03-06 normal No MS13-037 Microsoft Internet Explorer COALineDashStyleArray Integer Overflow
163 auxiliary/scanner/mysql/mysql_file_enum normal No MYSQL File/Directory Enumerator
164 exploit/unix/webapp/maarch_letterbox_file_upload 2015-02-11 excellent Yes Maarch LetterBox Unrestricted File Upload
165 exploit/multi/http/magento_unserialize 2016-05-17 excellent Yes Magento 2.0.6 Unserialize Remote Code Execution
166 exploit/windows/fileformat/magix_musikmaker_16_mmm 2011-04-26 good No Magix Musik Maker 16 .mmm Stack Buffer Overflow
167 exploit/windows/http/mailenable_auth_header 2005-04-24 great Yes MailEnable Authorization Header Buffer Overflow
168 exploit/windows/imap/mailenable_status 2005-07-13 great No MailEnable IMAPD (1.54) STATUS Request Buffer Overflow
169 exploit/multi/http/makoserver_cmd_exec 2017-09-03 excellent Yes Mako Server v2.5, 2.6 OS Command Injection RCE
170 exploit/unix/webapp/mambo_cache_lite 2008-06-14 excellent No Mambo Cache_Lite Class mosConfig_absolute_path Remote File Include
171 exploit/multi/http/mantisbt_manage_proj_page_rce 2008-10-16 excellent Yes Mantis manage_proj_page PHP Code Execution
172 auxiliary/gather/mantisbt_admin_sqli 2014-02-28 normal No MantisBT Admin SQL Injection Arbitrary File Read
173 exploit/multi/http/mantisbt_php_exec 2014-11-08 great Yes MantisBT XmlImportExport Plugin PHP Code Injection Vulnerability
174 auxiliary/admin/http/mantisbt_password_reset 2017-04-16 normal Yes MantisBT password reset
175 exploit/multi/http/maracms_upload_exec 2020-08-31 excellent Yes MaraCMS Arbitrary PHP File Upload
176 exploit/multi/http/mediawiki_syntaxhighlight 2017-04-06 good Yes MediaWiki SyntaxHighlight extension option injection vulnerability
177 exploit/multi/http/mediawiki_thumb 2014-01-28 excellent Yes MediaWiki Thumb.php Remote Command Execution
178 exploit/windows/imap/mercury_rename 2004-11-29 average Yes Mercury/32 v4.01a IMAP RENAME Buffer Overflow
179 exploit/linux/http/microfocus_secure_messaging_gateway 2018-06-19 excellent Yes MicroFocus Secure Messaging Gateway Remote Code Execution
180 exploit/windows/fileformat/office_excel_slk 2018-10-07 manual No Microsoft Excel .SLK Payload Delivery
181 auxiliary/admin/ms/ms08_059_his2006 2008-10-14 normal No Microsoft Host Integration Server 2006 Command Execution Vulnerability
182 exploit/windows/browser/ms09_043_owc_htmlurl 2009-08-11 normal No Microsoft OWC Spreadsheet HTMLURL Buffer Overflow
183 auxiliary/admin/mssql/mssql_idf normal No Microsoft SQL Server Interesting Data Finder
184 auxiliary/dos/windows/smb/ms06_035_mailslot 2006-07-11 normal No Microsoft SRV.SYS Mailslot Write Corruption
185 exploit/windows/browser/wmi_admintools 2010-12-21 great No Microsoft WMI Administration Tools ActiveX Buffer Overflow
186 exploit/linux/http/mida_solutions_eframework_ajaxreq_rce 2020-07-24 excellent Yes Mida Solutions eFramework ajaxreq.php Command Injection
187 exploit/multi/http/mobilecartly_upload_exec 2012-08-10 excellent Yes MobileCartly 1.0 Arbitrary File Creation Vulnerability
188 exploit/multi/http/monstra_fileupload_exec 2017-12-18 excellent Yes Monstra CMS Authenticated Arbitrary File Upload
189 exploit/multi/http/moodle_teacher_enrollment_priv_esc_to_rce 2020-07-20 good Yes Moodle Teacher Enrollment Privilege Escalation to RCE
190 exploit/multi/http/nas4free_php_exec 2013-10-30 great No NAS4Free Arbitrary Remote Code Execution
191 exploit/multi/http/nuuo_nvrmini_upgrade_rce 2018-08-04 excellent Yes NUUO NVRmini upgrade_handle.php Remote Command Execution
192 exploit/linux/http/nagios_xi_snmptrap_authenticated_rce 2020-10-20 excellent Yes Nagios XI 5.5.0-5.7.3 - Snmptrap Authenticated Remote Code Exection
193 exploit/linux/http/nagios_xi_mibs_authenticated_rce 2020-10-20 excellent Yes Nagios XI 5.6.0-5.7.3 - Mibs.php Authenticated Remote Code Exection
194 exploit/linux/http/nagios_xi_chained_rce_2_electric_boogaloo 2018-04-17 manual Yes Nagios XI Chained Remote Code Execution
195 exploit/linux/http/nagios_xi_magpie_debug 2018-11-14 excellent Yes Nagios XI Magpie_debug.php Root Remote Code Execution
196 exploit/unix/webapp/nagios_graph_explorer 2012-11-30 excellent Yes Nagios XI Network Monitor Graph Explorer Component Command Injection
197 exploit/linux/http/nagios_xi_plugins_check_plugin_authenticated_rce 2019-07-29 excellent Yes Nagios XI Prior to 5.6.6 getprofile.sh Authenticated Remote Command Execution
198 exploit/linux/http/nagios_xi_plugins_filename_authenticated_rce 2020-12-19 excellent Yes Nagios XI Prior to 5.8.0 - Plugins Filename Authenticated Remote Code Exection
199 exploit/unix/webapp/narcissus_backend_exec 2012-11-14 excellent Yes Narcissus Image Configuration Passthru Vulnerability
200 exploit/multi/http/navigate_cms_rce 2018-09-26 excellent Yes Navigate CMS Unauthenticated Remote Code Execution
201 exploit/linux/snmp/net_snmpd_rw_access 2004-05-10 normal No Net-SNMPd Write Access SNMP-EXTEND-MIB arbitrary code execution
202 exploit/linux/http/netgear_unauth_exec 2016-02-25 excellent Yes Netgear Devices Unauthenticated Remote Command Execution
203 exploit/linux/http/netgear_r7000_cgibin_exec 2016-12-06 excellent Yes Netgear R7000 and R6400 cgi-bin Command Injection
204 exploit/linux/http/netsweeper_webadmin_unixlogin 2020-04-28 excellent Yes Netsweeper WebAdmin unixlogin.php Python Code Injection
205 exploit/multi/http/eaton_nsm_code_exec 2012-06-26 excellent Yes Network Shutdown Module (sort_values) Remote PHP Code Injection
206 exploit/multi/http/nibbleblog_file_upload 2015-09-01 excellent Yes Nibbleblog File Upload Vulnerability
207 exploit/windows/fileformat/nitro_reader_jsapi 2017-07-24 excellent No Nitro Pro PDF Reader 11.0.3.173 Javascript API Remote Code Execution
208 exploit/windows/local/novell_client_nicm 2013-05-22 average Yes Novell Client 2 SP3 nicm.sys Local Privilege Escalation
209 exploit/windows/browser/novell_groupwise_gwcls1_actvx 2013-01-30 normal No Novell GroupWise Client gwcls1.dll ActiveX Remote Code Execution
210 auxiliary/scanner/http/groupwise_agents_http_traversal normal No Novell Groupwise Agents HTTP Directory Traversal
211 exploit/windows/smb/netidentity_xtierrpcpipe 2009-04-06 great No Novell NetIdentity Agent XTIERRPCPIPE Named Pipe Buffer Overflow
212 exploit/windows/imap/novell_netmail_subscribe 2006-12-23 average No Novell NetMail IMAP SUBSCRIBE Buffer Overflow
213 exploit/windows/novell/zenworks_preboot_op6_bof 2010-03-30 normal No Novell ZENworks Configuration Management Preboot Service 0x06 Buffer Overflow
214 exploit/windows/novell/zenworks_preboot_op21_bof 2010-03-30 normal No Novell ZENworks Configuration Management Preboot Service 0x21 Buffer Overflow
215 exploit/multi/http/zenworks_control_center_upload 2013-03-22 great Yes Novell ZENworks Configuration Management Remote Execution
216 exploit/windows/http/zenworks_uploadservlet 2010-03-30 excellent No Novell ZENworks Configuration Management Remote Execution
217 auxiliary/scanner/http/novell_mdm_creds normal No Novell Zenworks Mobile Device Managment Admin Credentials
218 exploit/windows/http/novell_mdm_lfi 2013-03-13 excellent Yes Novell Zenworks Mobile Managment MDM.php Local File Inclusion Vulnerability
219 exploit/linux/misc/novell_edirectory_ncp_bof 2012-12-12 normal Yes Novell eDirectory 8 Buffer Overflow
220 exploit/windows/fileformat/nuance_pdf_launch_overflow 2010-10-08 great No Nuance PDF Reader v6.0 Launch Stack Buffer Overflow
221 exploit/multi/http/op5_license 2012-01-05 excellent Yes OP5 license.php Remote Command Execution
222 exploit/multi/http/october_upload_bypass_exec 2017-04-25 excellent Yes October CMS Upload Protection Bypass Code Execution
223 exploit/windows/ftp/odin_list_reply 2010-10-12 good No Odin Secure FTP 4.1 Stack Buffer Overflow (LIST)
224 exploit/unix/webapp/open_flash_chart_upload_exec 2009-12-14 great Yes Open Flash Chart v2 Arbitrary File Upload
225 exploit/unix/webapp/openemr_sqli_privesc_upload 2013-09-16 excellent Yes OpenEMR 4.1.1 Patch 14 SQLi Privilege Escalation Remote Code Execution
226 exploit/unix/webapp/openemr_upload_exec 2013-02-13 excellent Yes OpenEMR PHP File Upload Vulnerability
227 exploit/unix/webapp/openmediavault_rpc_rce 2020-09-28 excellent Yes OpenMediaVault rpc.php Authenticated PHP Code Injection
228 exploit/unix/webapp/opensis_modname_exec 2012-12-04 excellent Yes OpenSIS 'modname' PHP Code Execution
229 exploit/multi/http/openx_backdoor_php 2013-08-07 excellent Yes OpenX Backdoor PHP Code Execution
230 exploit/unix/webapp/openx_banner_edit 2009-11-24 excellent Yes OpenX banner-edit.php File Upload PHP Code Execution
231 auxiliary/sqli/oracle/lt_mergeworkspace 2008-10-22 normal No Oracle DB SQL Injection via SYS.LT.MERGEWORKSPACE
232 auxiliary/admin/oracle/ora_ntlm_stealer 2009-04-07 normal No Oracle SMB Relay Code Execution
233 auxiliary/admin/oracle/osb_execqr2 2009-08-18 normal No Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability
234 auxiliary/admin/oracle/osb_execqr3 2010-07-13 normal No Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability
235 exploit/windows/http/osb_uname_jlist 2010-07-13 excellent No Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability
236 exploit/windows/fileformat/orbital_viewer_orb 2010-02-27 great No Orbital Viewer ORB File Parsing Buffer Overflow
237 exploit/multi/http/orientdb_exec 2017-07-13 good Yes OrientDB 2.2.x Remote Code Execution
238 exploit/windows/email/ms10_045_outlook_ref_only 2010-06-01 excellent No Outlook ATTACH_BY_REF_ONLY File Execution
239 exploit/windows/email/ms10_045_outlook_ref_resolve 2010-06-01 excellent No Outlook ATTACH_BY_REF_RESOLVE File Execution
240 exploit/unix/webapp/pajax_remote_exec 2006-03-30 excellent No PAJAX Remote Command Execution
241 exploit/multi/fileformat/archive_tar_arb_file_write 2020-11-17 excellent No PEAR Archive_Tar 1.4.10 Arbitrary File Write
242 exploit/multi/php/php_unserialize_zval_cookie 2007-03-04 average Yes PHP 4 unserialize() ZVAL Reference Counter Overflow (Cookie)
243 encoder/php/base64 great No PHP Base64 Encoder
244 exploit/multi/http/php_cgi_arg_injection 2012-05-03 excellent Yes PHP CGI Argument Injection
245 payload/php/bind_php normal No PHP Command Shell, Bind TCP (via PHP)
246 payload/php/bind_perl normal No PHP Command Shell, Bind TCP (via Perl)
247 payload/php/bind_perl_ipv6 normal No PHP Command Shell, Bind TCP (via perl) IPv6
248 payload/php/bind_php_ipv6 normal No PHP Command Shell, Bind TCP (via php) IPv6
249 payload/php/shell_findsock normal No PHP Command Shell, Find Sock
250 payload/php/reverse_php normal No PHP Command Shell, Reverse TCP (via PHP)
251 payload/php/reverse_perl normal No PHP Command, Double Reverse TCP Connection (via Perl)
252 payload/php/download_exec normal No PHP Executable Download and Execute
253 payload/php/exec normal No PHP Execute Command
254 exploit/multi/misc/pbot_exec 2009-11-02 excellent Yes PHP IRC Bot pbot eval() Remote Code Execution
255 exploit/unix/http/laravel_token_unserialize_exec 2018-08-07 excellent Yes PHP Laravel Framework token Unserialize Remote Command Execution
256 payload/php/meterpreter/bind_tcp normal No PHP Meterpreter, Bind TCP Stager
257 payload/php/meterpreter/bind_tcp_ipv6 normal No PHP Meterpreter, Bind TCP Stager IPv6
258 payload/php/meterpreter/bind_tcp_ipv6_uuid normal No PHP Meterpreter, Bind TCP Stager IPv6 with UUID Support
259 payload/php/meterpreter/bind_tcp_uuid normal No PHP Meterpreter, Bind TCP Stager with UUID Support
260 payload/php/meterpreter/reverse_tcp normal No PHP Meterpreter, PHP Reverse TCP Stager
261 payload/php/meterpreter/reverse_tcp_uuid normal No PHP Meterpreter, PHP Reverse TCP Stager
262 payload/php/meterpreter_reverse_tcp normal No PHP Meterpreter, Reverse TCP Inline
263 nop/php/generic normal No PHP Nop Generator
264 exploit/unix/webapp/php_include 2006-12-17 normal Yes PHP Remote File Include Generic Code Execution
265 exploit/multi/http/php_utility_belt_rce 2015-12-08 excellent Yes PHP Utility Belt Remote Code Execution
266 exploit/multi/http/php_volunteer_upload_exec 2012-05-28 excellent No PHP Volunteer Management System v1.0.2 Arbitrary File Upload Vulnerability
267 exploit/unix/webapp/php_xmlrpc_eval 2005-06-29 excellent Yes PHP XML-RPC Arbitrary Code Execution
268 exploit/windows/http/php_apache_request_headers_bof 2012-05-08 normal No PHP apache_request_headers Function Buffer Overflow
269 exploit/unix/webapp/php_charts_exec 2013-01-16 excellent Yes PHP-Charts v1.0 PHP Code Execution Vulnerability
270 exploit/multi/http/php_fpm_rce 2019-10-22 normal Yes PHP-FPM Underflow RCE
271 exploit/multi/http/phpmailer_arg_injection 2016-12-26 manual No PHPMailer Sendmail Argument Injection
272 exploit/multi/http/phpmoadmin_exec 2015-03-03 excellent Yes PHPMoAdmin 1.1.2 Remote Code Execution
273 exploit/multi/http/phpstudy_backdoor_rce 2019-09-20 excellent Yes PHPStudy Backdoor Remote Code execution
274 exploit/linux/http/pandora_fms_events_exec 2020-06-04 excellent Yes Pandora FMS Events Remote Command Execution
275 exploit/linux/http/pandora_ping_cmd_exec 2020-03-09 excellent Yes Pandora FMS Ping Authenticated Remote Code Execution
276 auxiliary/analyze/crack_webapps normal No Password Cracker: Webapps
277 exploit/windows/local/vss_persistence 2011-10-21 excellent No Persistent Payload in Windows Volume Shadow Copy
278 exploit/multi/http/phoenix_exec 2016-07-01 excellent Yes Phoenix Exploit Kit Remote Code Execution
279 exploit/unix/webapp/phpmyadmin_config 2009-03-24 excellent No PhpMyAdmin Config File Code Injection
280 auxiliary/scanner/http/phpmyadmin_login normal No PhpMyAdmin Login Scanner
281 exploit/multi/http/phptax_exec 2012-10-08 excellent Yes PhpTax pfilez Parameter Exec Remote Code Injection
282 post/linux/gather/phpmyadmin_credsteal normal No Phpmyadmin credentials stealer
283 exploit/multi/http/phpwiki_ploticus_exec 2014-09-11 excellent No Phpwiki Ploticus Remote Code Execution
284 exploit/unix/http/pihole_blocklist_exec 2020-05-10 excellent Yes Pi-Hole heisenbergCompensator Blocklist OS Command Execution
285 auxiliary/gather/pimcore_creds_sqli 2018-08-13 normal No Pimcore Gather Credentials via SQL Injection
286 exploit/multi/http/pimcore_unserialize_rce 2019-03-11 normal Yes Pimcore Unserialize RCE
287 exploit/linux/http/pineapp_ldapsyncnow_exec 2013-07-26 excellent Yes PineApp Mail-SeCure ldapsyncnow.php Arbitrary Command Execution
288 exploit/linux/http/pineapp_livelog_exec 2013-07-26 excellent Yes PineApp Mail-SeCure livelog.html Arbitrary Command Execution
289 exploit/linux/http/pineapp_test_li_conn_exec 2013-07-26 excellent Yes PineApp Mail-SeCure test_li_connection.php Arbitrary Command Execution
290 exploit/multi/http/playsms_uploadcsv_exec 2017-05-21 excellent Yes PlaySMS import.php Authenticated CSV File Upload Code Execution
291 exploit/multi/http/playsms_template_injection 2020-02-05 excellent Yes PlaySMS index.php Unauthenticated Template Injection Code Execution
292 exploit/multi/http/playsms_filename_exec 2017-05-21 excellent Yes PlaySMS sendfromfile.php Authenticated "Filename" Field Code Execution
293 exploit/multi/http/pmwiki_pagelist 2011-11-09 excellent Yes PmWiki pagelist.php Remote PHP Code Injection Exploit
294 exploit/multi/http/polarcms_upload_exec 2012-01-21 excellent Yes PolarBear CMS PHP File Upload Vulnerability
295 auxiliary/scanner/postgres/postgres_login normal No PostgreSQL Login Utility
296 exploit/windows/ftp/proftp_banner 2009-08-25 normal No ProFTP 2.9 Banner Remote Buffer Overflow
297 exploit/unix/ftp/proftpd_modcopy_exec 2015-04-22 excellent Yes ProFTPD 1.3.5 Mod_Copy Command Execution
298 exploit/multi/http/processmaker_exec 2013-10-24 excellent Yes ProcessMaker Open Source Authenticated PHP Code Execution
299 exploit/multi/http/processmaker_plugin_upload 2010-08-25 excellent No ProcessMaker Plugin Upload
300 exploit/unix/webapp/projectpier_upload_exec 2012-10-08 excellent Yes Project Pier Arbitrary File Upload Vulnerability
301 exploit/unix/webapp/projectsend_upload_exec 2014-12-02 excellent Yes ProjectSend Arbitrary File Upload
302 exploit/linux/misc/qnap_transcode_server 2017-08-06 excellent Yes QNAP Transcode Server Command Execution
303 exploit/unix/http/quest_kace_systems_management_rce 2018-05-31 excellent Yes Quest KACE Systems Management Command Injection
304 exploit/multi/misc/ra1nx_pubcall_exec 2013-03-24 great Yes Ra1NX PHP Bot PubCall Authentication Bypass Remote Code Execution
305 exploit/windows/http/integard_password_bof 2010-09-07 great No Race River Integard Home/Pro LoginAdmin Password Stack Buffer Overflow
306 exploit/linux/http/rconfig_ajaxarchivefiles_rce 2020-03-11 good Yes Rconfig 3.x Chained Remote Code Execution
307 exploit/windows/scada/realwin_on_fcs_login 2011-03-21 great No RealWin SCADA Server DATAC Login Buffer Overflow
308 exploit/linux/http/piranha_passwd_exec 2000-04-04 excellent No RedHat Piranha Virtual Server Package passwd.php3 Arbitrary Command Execution
309 payload/windows/dllinject/reverse_hop_http normal No Reflective DLL Injection, Reverse Hop HTTP/HTTPS Stager
310 exploit/windows/http/rejetto_hfs_exec 2014-09-11 excellent Yes Rejetto HttpFileServer Remote Command Execution
311 exploit/windows/misc/sap_netweaver_dispatcher 2012-05-08 normal No SAP NetWeaver Dispatcher DiagTraceR3Info Buffer Overflow
312 auxiliary/dos/sap/sap_soap_rfc_eps_delete_file normal No SAP SOAP EPS_DELETE_FILE File Deletion
313 exploit/unix/webapp/spip_connect_exec 2012-07-04 excellent Yes SPIP connect Parameter PHP Injection
314 exploit/multi/http/stunshell_exec 2013-03-23 great Yes STUNSHELL Web Shell Remote Code Execution
315 exploit/multi/http/stunshell_eval 2013-03-23 great Yes STUNSHELL Web Shell Remote PHP Code Execution
316 exploit/windows/vpn/safenet_ike_11 2009-06-01 average No SafeNet SoftRemote IKE Service Buffer Overflow
317 exploit/multi/samba/usermap_script 2007-05-14 excellent No Samba "username map script" Command Execution
318 exploit/linux/samba/chain_reply 2010-06-16 good No Samba chain_reply Memory Corruption (Linux x86)
319 exploit/linux/http/samsung_srv_1670d_upload_exec 2017-03-14 good Yes Samsung SRN-1670D Web Viewer Version 1.0.0.193 Arbitrary File Read and Upload
320 exploit/multi/script/web_delivery 2013-07-19 manual No Script Web Delivery
321 exploit/unix/webapp/seportal_sqli_exec 2014-03-20 excellent Yes SePortal SQLi Remote Code Execution
322 exploit/linux/http/seagate_nas_php_exec_noauth 2015-03-01 normal Yes Seagate Business NAS Unauthenticated Remote Command Execution
323 exploit/windows/ftp/seagull_list_reply 2010-10-12 good No Seagull FTP v3.3 Build 409 Stack Buffer Overflow
324 exploit/windows/http/serviio_checkstreamurl_cmd_exec 2017-05-03 excellent Yes Serviio Media Server checkStreamUrl Command Execution
325 exploit/multi/http/sflog_upload_exec 2012-07-06 excellent Yes Sflog! CMS 1.0 Arbitrary File Upload Vulnerability
326 exploit/multi/http/shopware_createinstancefromnamedarguments_rce 2019-05-09 excellent Yes Shopware createInstanceFromNamedArguments PHP Object Instantiation RCE
327 exploit/unix/webapp/simple_e_document_upload_exec 2014-01-23 excellent Yes Simple E-Document Arbitrary File Upload
328 auxiliary/fuzzers/ftp/client_ftp normal No Simple FTP Client Fuzzer
329 exploit/unix/webapp/sphpblog_file_upload 2005-08-25 excellent Yes Simple PHP Blog Remote Command Execution
330 exploit/multi/php/wp_duplicator_code_inject 2018-08-29 manual Yes Snap Creek Duplicator WordPress plugin code injection
331 exploit/multi/http/snortreport_exec 2011-09-19 excellent No Snortreport nmap.php/nbtscan.php Remote Command Execution
332 exploit/solaris/local/libnspr_nspr_log_file_priv_esc 2006-10-11 excellent Yes Solaris libnspr NSPR_LOG_FILE Privilege Escalation
333 exploit/freebsd/webapp/spamtitan_unauth_rce 2020-04-17 normal Yes SpamTitan Unauthenticated RCE
334 exploit/unix/webapp/squirrelmail_pgp_plugin 2007-07-09 manual No SquirrelMail PGP Plugin Command Execution (SMTP)
335 exploit/unix/webapp/sugarcrm_rest_unserialize_exec 2016-06-23 excellent No SugarCRM REST Unserialize PHP Code Execution
336 exploit/unix/webapp/sugarcrm_unserialize_exec 2012-06-23 excellent No SugarCRM unserialize() PHP Code Execution
337 exploit/linux/http/suitecrm_log_file_rce 2021-04-28 good Yes SuiteCRM Log File Remote Code Execution
338 exploit/windows/browser/java_docbase_bof 2010-10-12 great No Sun Java Runtime New Plugin docbase Buffer Overflow
339 exploit/windows/browser/java_ws_arginject_altjvm 2010-04-09 excellent No Sun Java Web Start Plugin Command Line Argument Injection
340 exploit/multi/http/sit_file_upload 2011-11-10 excellent Yes Support Incident Tracker Remote Command Execution
341 auxiliary/scanner/http/sybase_easerver_traversal 2011-05-25 normal No Sybase Easerver 6.3 Directory Traversal
342 exploit/linux/http/symantec_web_gateway_restore 2014-12-16 excellent Yes Symantec Web Gateway 5 restore.php Post Authentication Command Injection
343 exploit/linux/http/symantec_web_gateway_pbcontrol 2012-07-23 excellent Yes Symantec Web Gateway 5.0.2.18 pbcontrol.php Command Injection
344 exploit/linux/http/symantec_web_gateway_file_upload 2012-05-17 excellent Yes Symantec Web Gateway 5.0.2.8 Arbitrary PHP File Upload Vulnerability
345 exploit/linux/http/symantec_web_gateway_exec 2012-05-17 excellent Yes Symantec Web Gateway 5.0.2.8 ipchange.php Command Injection
346 exploit/linux/http/symantec_web_gateway_lfi 2012-05-17 excellent Yes Symantec Web Gateway 5.0.2.8 relfile File Inclusion Vulnerability
347 auxiliary/admin/http/typo3_news_module_sqli 2017-04-06 normal No TYPO3 News Module SQL Injection
348 auxiliary/gather/teamtalk_creds normal No TeamTalk Gather Credentials
349 auxiliary/admin/http/telpho10_credential_dump 2016-09-02 normal No Telpho10 Backup Credentials Dumper
350 exploit/multi/http/mma_backdoor_upload 2012-04-02 excellent Yes Th3 MMA mma.php Backdoor Arbitrary File Upload
351 exploit/unix/webapp/thinkphp_rce 2018-12-10 excellent Yes ThinkPHP Multiple PHP Injection RCEs
352 exploit/unix/webapp/tikiwiki_upload_exec 2016-07-11 excellent Yes Tiki Wiki Unauthenticated File Upload Vulnerability
353 exploit/unix/webapp/tikiwiki_unserialize_exec 2012-07-04 excellent No Tiki Wiki unserialize() PHP Code Execution
354 exploit/unix/webapp/tikiwiki_jhot_exec 2006-09-02 excellent Yes TikiWiki jhot Remote Command Execution
355 exploit/unix/webapp/tikiwiki_graph_formula_exec 2007-10-10 excellent Yes TikiWiki tiki-graph_formula Remote PHP Code Execution
356 exploit/windows/smb/timbuktu_plughntcommand_bof 2009-06-25 great No Timbuktu PlughNTCommand Named Pipe Buffer Overflow
357 exploit/windows/http/trackercam_phparg_overflow 2005-02-18 average Yes TrackerCam PHP Argument Buffer Overflow
358 exploit/multi/http/traq_plugin_exec 2011-12-12 excellent Yes Traq admincp/common.php Remote Code Execution
359 exploit/linux/http/trendmicro_imsva_widget_exec 2017-10-07 excellent Yes Trend Micro InterScan Messaging Security (Virtual Appliance) Remote Code Execution
360 exploit/windows/http/trendmicro_officescan_widget_exec 2017-10-07 excellent Yes Trend Micro OfficeScan Remote Code Execution
361 exploit/unix/webapp/trixbox_ce_endpoint_devicemap_rce 2020-04-28 excellent Yes TrixBox CE endpoint_devicemap.php Authenticated Command Execution
362 exploit/unix/webapp/trixbox_langchoice 2008-07-09 manual Yes Trixbox langChoice PHP Local File Inclusion
363 exploit/linux/http/trueonline_billion_5200w_rce 2016-12-26 excellent No TrueOnline / Billion 5200W-T Router Unauthenticated Command Injection
364 exploit/linux/http/trueonline_p660hn_v1_rce 2016-12-26 excellent Yes TrueOnline / ZyXEL P660HN-T v1 Router Unauthenticated Command Injection
365 exploit/linux/http/trueonline_p660hn_v2_rce 2016-12-26 excellent Yes TrueOnline / ZyXEL P660HN-T v2 Router Authenticated Command Injection
366 exploit/unix/webapp/tuleap_rest_unserialize_exec 2017-10-23 excellent Yes Tuleap 9.6 Second-Order PHP Object Injection
367 exploit/unix/webapp/tuleap_unserialize_exec 2014-11-27 excellent Yes Tuleap PHP Unserialize Code Execution
368 exploit/windows/browser/ubisoft_uplay_cmd_exec 2012-07-29 normal No Ubisoft uplay 2.0.3 ActiveX Control Arbitrary Code Execution
369 payload/cmd/unix/reverse_php_ssl normal No Unix Command Shell, Reverse TCP SSL (via php)
370 exploit/linux/http/unraid_auth_bypass_exec 2020-02-10 excellent Yes Unraid 6.8.0 Auth Bypass PHP Code Execution
371 exploit/linux/http/vcms_upload 2011-11-27 excellent Yes V-CMS PHP File Upload and Execute
372 exploit/unix/webapp/vicidial_manager_send_cmd_exec 2013-10-23 excellent Yes VICIdial Manager Send OS Command Injection
373 exploit/unix/webapp/vicidial_user_authorization_unauth_cmd_exec 2017-05-26 excellent Yes VICIdial user_authorization Unauthenticated Command Execution
374 auxiliary/scanner/vmware/vmware_update_manager_traversal 2011-11-21 normal No VMWare Update Manager 4 Directory Traversal
375 payload/windows/vncinject/reverse_hop_http normal No VNC Server (Reflective Injection), Reverse Hop HTTP/HTTPS Stager
376 auxiliary/vsploit/malware/dns/dns_zeus normal No VSploit Zeus DNS Query Module
377 exploit/windows/fileformat/videospirit_visprj 2011-04-11 good No VeryTools Video Spirit Pro
378 exploit/windows/local/virtual_box_opengl_escape 2014-03-11 average Yes VirtualBox 3D Acceleration Virtual Machine Escape
379 exploit/windows/fileformat/visiwave_vwr_type 2011-05-20 great No VisiWave VWR File Parsing Vulnerability
380 exploit/multi/http/vtiger_logo_upload_exec 2015-09-28 excellent Yes Vtiger CRM - Authenticated Logo Upload RCE
381 exploit/linux/http/wanem_exec 2012-08-12 excellent Yes WAN Emulator v2.3 Command Execution
382 exploit/linux/http/webid_converter 2011-07-05 excellent Yes WeBid converter.php Remote PHP Code Injection
383 exploit/linux/http/webcalendar_settings_exec 2012-04-23 excellent Yes WebCalendar 1.2.4 Pre-Auth Remote Code Injection
384 exploit/windows/browser/webex_ucf_newobject 2008-08-06 good No WebEx UCF atucfobj.dll ActiveX NewObject Method Buffer Overflow
385 exploit/multi/http/webnms_file_upload 2016-07-04 excellent Yes WebNMS Framework Server Arbitrary File Upload
386 auxiliary/admin/http/webnms_file_download 2016-07-04 normal No WebNMS Framework Server Arbitrary Text File Download
387 auxiliary/admin/http/webnms_cred_disclosure 2016-07-04 normal No WebNMS Framework Server Credential Disclosure
388 exploit/multi/http/webpagetest_upload_exec 2012-07-13 excellent Yes WebPageTest Arbitrary PHP File Upload
389 auxiliary/scanner/http/webpagetest_traversal 2012-07-13 normal No WebPageTest Directory Traversal
390 exploit/unix/webapp/webtester_exec 2013-10-17 excellent Yes WebTester 5.x Command Execution
391 exploit/unix/webapp/arkeia_upload_exec 2013-09-16 excellent Yes Western Digital Arkeia Remote Code Execution
392 exploit/linux/http/wd_mycloud_multiupload_upload 2017-07-29 excellent Yes Western Digital MyCloud multi_uploadify File Upload Vulnerability
393 exploit/multi/http/wikka_spam_exec 2011-11-30 excellent Yes WikkaWiki 1.3.2 Spam Logging PHP Injection
394 exploit/windows/local/cve_2021_1732_win32k 2021-02-10 good Yes Win32k ConsoleControl Offset Confusion
395 post/windows/escalate/ms10_073_kbdlayout 2010-10-12 normal No Windows Escalate NtUserLoadKeyboardLayoutEx Privilege Escalation
396 payload/windows/meterpreter/reverse_hop_http normal No Windows Meterpreter (Reflective Injection), Reverse Hop HTTP/HTTPS Stager
397 exploit/multi/http/wp_ait_csv_rce 2020-11-14 excellent Yes WordPress AIT CSV Import Export Unauthenticated Remote Code Execution
398 exploit/unix/webapp/wp_asset_manager_upload_exec 2012-05-26 excellent Yes WordPress Asset-Manager PHP File Upload Vulnerability
399 auxiliary/scanner/http/wp_chopslider_id_sqli 2020-05-12 normal No WordPress ChopSlider3 id SQLi Scanner
400 exploit/multi/http/wp_file_manager_rce 2020-09-09 normal Yes WordPress File Manager Unauthenticated Remote Code Execution
401 auxiliary/scanner/http/wp_gimedia_library_file_read normal No WordPress GI-Media Library Plugin Directory Traversal Vulnerability
402 exploit/unix/webapp/wp_holding_pattern_file_upload 2015-02-11 excellent Yes WordPress Holding Pattern Theme Arbitrary File Upload
403 exploit/unix/webapp/wp_infinitewp_auth_bypass 2020-01-14 manual Yes WordPress InfiniteWP Client Authentication Bypass
404 exploit/multi/http/wp_ninja_forms_unauthenticated_file_upload 2016-05-04 excellent Yes WordPress Ninja Forms Unauthenticated File Upload
405 exploit/unix/webapp/wp_optimizepress_upload 2013-11-29 excellent Yes WordPress OptimizePress Theme File Upload Vulnerability
406 exploit/unix/webapp/wp_phpmailer_host_header 2017-05-03 average Yes WordPress PHPMailer Host Header Command Injection
407 exploit/unix/webapp/wp_photo_gallery_unrestricted_file_upload 2014-11-11 excellent Yes WordPress Photo Gallery Unrestricted File Upload
408 exploit/unix/webapp/wp_pixabay_images_upload 2015-01-19 excellent Yes WordPress Pixabay Images PHP Code Upload
409 exploit/unix/webapp/wp_platform_exec 2015-01-21 excellent No WordPress Platform Theme File Upload Vulnerability
410 exploit/unix/webapp/wp_advanced_custom_fields_exec 2012-11-14 excellent Yes WordPress Plugin Advanced Custom Fields Remote File Inclusion
411 exploit/unix/webapp/wp_foxypress_upload 2012-06-05 excellent Yes WordPress Plugin Foxypress uploadify.php Arbitrary Code Execution
412 exploit/unix/webapp/wp_google_document_embedder_exec 2013-01-03 normal Yes WordPress Plugin Google Document Embedder Arbitrary File Disclosure
413 auxiliary/scanner/http/wordpress_content_injection 2017-02-01 normal Yes WordPress REST API Content Injection
414 exploit/unix/webapp/wp_revslider_upload_execute 2014-11-26 excellent Yes WordPress RevSlider File Upload and Execute Vulnerability
415 exploit/multi/http/wp_simple_file_list_rce 2020-04-27 good Yes WordPress Simple File List Unauthenticated Remote Code Execution
416 auxiliary/admin/http/wp_symposium_sql_injection 2015-08-18 normal Yes WordPress Symposium Plugin SQL Injection
417 auxiliary/scanner/http/wp_total_upkeep_downloader 2020-12-12 normal No WordPress Total Upkeep Unauthenticated Backup Downloader
418 auxiliary/dos/http/wordpress_directory_traversal_dos normal No WordPress Traversal Directory DoS
419 auxiliary/gather/wp_ultimate_csv_importer_user_extract 2015-02-02 normal Yes WordPress Ultimate CSV Importer User Table Extract
420 exploit/unix/webapp/wp_total_cache_exec 2013-04-17 excellent Yes WordPress W3 Total Cache PHP Code Execution
421 auxiliary/admin/http/wp_easycart_privilege_escalation 2015-02-25 normal Yes WordPress WP EasyCart Plugin Privilege Escalation
422 exploit/unix/webapp/wp_easycart_unrestricted_file_upload 2015-01-08 excellent No WordPress WP EasyCart Unrestricted File Upload
423 auxiliary/admin/http/wp_gdpr_compliance_privesc 2018-11-08 normal Yes WordPress WP GDPR Compliance Plugin Privilege Escalation
424 exploit/unix/webapp/wp_mobile_detector_upload_execute 2016-05-31 excellent Yes WordPress WP Mobile Detector 3.5 Shell Upload
425 exploit/unix/webapp/wp_symposium_shell_upload 2014-12-11 excellent Yes WordPress WP Symposium 14.11 Shell Upload
426 exploit/unix/webapp/wp_property_upload_exec 2012-03-26 excellent Yes WordPress WP-Property PHP File Upload Vulnerability
427 auxiliary/admin/http/wp_wplms_privilege_escalation 2015-02-09 normal Yes WordPress WPLMS Theme Privilege Escalation
428 exploit/unix/webapp/wp_wpshop_ecommerce_file_upload 2015-03-09 excellent Yes WordPress WPshop eCommerce Arbitrary File Upload Vulnerability
429 exploit/unix/webapp/wp_lastpost_exec 2005-08-09 excellent No WordPress cache_lastpostdate Arbitrary Code Execution
430 exploit/unix/webapp/wp_wpdiscuz_unauthenticated_file_upload 2020-02-21 excellent Yes WordPress wpDiscuz Unauthenticated File Upload Vulnerability
431 exploit/unix/webapp/wp_ajax_load_more_file_upload 2015-10-10 excellent Yes Wordpress Ajax Load More PHP Upload Vulnerability
432 exploit/unix/webapp/wp_creativecontactform_file_upload 2014-10-22 excellent Yes Wordpress Creative Contact Form Upload Vulnerability
433 exploit/multi/http/wp_dnd_mul_file_rce 2020-05-11 excellent Yes Wordpress Drag and Drop Multi File Uploader RCE
434 exploit/unix/webapp/wp_inboundio_marketing_file_upload 2015-03-24 excellent Yes Wordpress InBoundio Marketing PHP Upload Vulnerability
435 exploit/unix/webapp/wp_infusionsoft_upload 2014-09-25 excellent Yes Wordpress InfusionSoft Upload Vulnerability
436 auxiliary/scanner/http/wp_learnpress_sqli 2020-04-29 normal No Wordpress LearnPress current_items Authenticated SQLi
437 exploit/unix/webapp/wp_wysija_newsletters_upload 2014-07-01 excellent Yes Wordpress MailPoet Newsletters (wysija-newsletters) Unauthenticated File Upload
438 exploit/unix/webapp/wp_nmediawebsite_file_upload 2015-04-12 excellent Yes Wordpress N-Media Website Contact Form Upload Vulnerability
439 exploit/unix/webapp/wp_plainview_activity_monitor_rce 2018-08-26 excellent Yes Wordpress Plainview Activity Monitor RCE
440 exploit/multi/http/wp_plugin_backup_guard_rce 2021-05-04 excellent Yes Wordpress Plugin Backup Guard - Authenticated Remote Code Execution
441 exploit/multi/http/wp_plugin_modern_events_calendar_rce 2021-01-29 excellent Yes Wordpress Plugin Modern Events Calendar - Authenticated Remote Code Execution
442 exploit/multi/http/wp_plugin_sp_project_document_rce 2021-06-14 excellent Yes Wordpress Plugin SP Project and Document - Authenticated Remote Code Execution
443 exploit/unix/webapp/wp_reflexgallery_file_upload 2012-12-30 excellent Yes Wordpress Reflex Gallery Upload Vulnerability
444 exploit/unix/webapp/wp_worktheflow_upload 2015-03-14 excellent Yes Wordpress Work The Flow Upload Vulnerability
445 exploit/multi/http/x7chat2_php_exec 2014-10-27 excellent Yes X7 Chat 2.0.5 lib/message.php preg_replace() PHP Code Execution
446 exploit/windows/http/xampp_webdav_upload_php 2012-01-14 excellent No XAMPP WebDAV PHP Upload
447 auxiliary/gather/xbmc_traversal 2012-11-04 normal No XBMC Web Server Directory Traversal
448 exploit/unix/webapp/xoda_file_upload 2012-08-21 excellent Yes XODA 0.4.5 Arbitrary PHP File Upload Vulnerability
449 exploit/windows/browser/yahoomessenger_fvcom 2007-08-30 normal No Yahoo! Messenger YVerInfo.dll ActiveX Control Buffer Overflow
450 exploit/unix/webapp/zpanel_username_exec 2013-06-07 excellent Yes ZPanel 10.0.0.2 htpasswd Module Username Command Execution
451 exploit/linux/http/zabbix_sqli 2013-09-23 excellent Yes Zabbix 2.0.8 SQL Injection and Remote Code Execution
452 exploit/multi/misc/zend_java_bridge 2011-03-28 great No Zend Server Java Bridge Arbitrary Java Code Execution
453 exploit/unix/webapp/zoneminder_packagecontrol_exec 2013-01-22 excellent Yes ZoneMinder Video Server packageControl Command Execution
454 exploit/multi/http/zpanel_information_disclosure_rce 2014-01-30 excellent No Zpanel Remote Unauthenticated RCE
455 exploit/multi/http/apprain_upload_exec 2012-01-19 excellent Yes appRain CMF Arbitrary PHP File Upload Vulnerability
456 exploit/unix/webapp/jquery_file_upload 2018-10-09 excellent Yes blueimp's jQuery (Arbitrary) File Upload
457 exploit/linux/local/blueman_set_dhcp_handler_dbus_priv_esc 2015-12-18 excellent Yes blueman set_dhcp_handler D-Bus Privilege Escalation
458 exploit/linux/http/elfinder_archive_cmd_injection 2021-06-13 excellent Yes elFinder Archive Command Injection
459 exploit/unix/webapp/elfinder_php_connector_exiftran_cmd_injection 2019-02-26 excellent Yes elFinder PHP Connector exiftran Command Injection
460 exploit/unix/webapp/mybb_backdoor 2011-10-06 excellent Yes myBB 1.6.4 Backdoor Arbitrary Command Execution
461 exploit/unix/webapp/opensis_chain_exec 2020-06-30 excellent Yes openSIS Unauthenticated PHP Code Execution
462 exploit/unix/webapp/oscommerce_filemanager 2009-08-31 excellent No osCommerce 2.2 Arbitrary PHP Code Execution
463 exploit/multi/http/oscommerce_installer_unauth_code_exec 2018-04-30 excellent Yes osCommerce Installer Unauthenticated Code Execution
464 exploit/unix/http/pfsense_graph_injection_exec 2016-04-18 excellent No pfSense authenticated graph status RCE
465 exploit/unix/http/pfsense_group_member_exec 2017-11-06 excellent Yes pfSense authenticated group member RCE
466 exploit/linux/http/php_imap_open_rce 2018-10-23 good Yes php imap_open Remote Code Execution
467 exploit/unix/webapp/phpbb_highlight 2004-11-12 excellent No phpBB viewtopic.php Arbitrary Code Execution
468 exploit/unix/webapp/phpcollab_upload_exec 2017-09-29 excellent Yes phpCollab 2.5.1 Unauthenticated File Upload
469 exploit/multi/http/phpfilemanager_rce 2015-08-28 excellent Yes phpFileManager 0.9.8 Remote Code Execution
470 exploit/multi/http/phpldapadmin_query_engine 2011-10-24 excellent Yes phpLDAPadmin query_engine Remote PHP Code Injection
471 exploit/multi/http/phpmyadmin_3522_backdoor 2012-09-25 normal No phpMyAdmin 3.5.2.2 server_sync.php Backdoor
472 exploit/multi/http/phpmyadmin_lfi_rce 2018-06-19 good Yes phpMyAdmin Authenticated Remote Code Execution
473 exploit/multi/http/phpmyadmin_null_termination_exec 2016-06-23 excellent Yes phpMyAdmin Authenticated Remote Code Execution
474 exploit/multi/http/phpmyadmin_preg_replace 2013-04-25 excellent Yes phpMyAdmin Authenticated Remote Code Execution via preg_replace()
475 exploit/multi/http/phpscheduleit_start_date 2008-10-01 excellent Yes phpScheduleIt PHP reserve.php start_date Parameter Arbitrary Code Injection
476 encoder/cmd/printf_php_mq manual No printf(1) via PHP magic_quotes Utility Command Encoder
477 exploit/multi/http/qdpm_upload_exec 2012-06-14 excellent Yes qdPM v7 Arbitrary PHP File Upload Vulnerability
478 exploit/linux/http/rconfig_vendors_auth_file_upload_rce 2021-03-17 excellent Yes rConfig Vendors Auth File Upload RCE
479 exploit/unix/webapp/rconfig_install_cmd_exec 2019-10-28 excellent Yes rConfig install Command Execution
480 exploit/multi/http/v0pcr3w_exec 2013-03-23 great Yes v0pCr3w Web Shell Remote Code Execution
481 exploit/multi/http/vbseo_proc_deutf 2012-01-23 excellent Yes vBSEO proc_deutf() Remote PHP Code Injection
482 exploit/multi/http/vbulletin_unserialize 2015-11-04 excellent Yes vBulletin 5.1.2 Unserialize Code Execution
483 exploit/multi/http/vbulletin_widget_template_rce 2020-08-09 excellent Yes vBulletin 5.x /ajax/render/widget_tabbedcontainer_tab_panel PHP remote code execution.
484 auxiliary/admin/http/vbulletin_upgrade_admin 2013-10-09 normal No vBulletin Administrator Account Creation
485 exploit/unix/webapp/vbulletin_vote_sqli_exec 2013-03-25 excellent Yes vBulletin index.php/ajax/api/reputation/vote nodeid Parameter SQL Injection
486 exploit/unix/webapp/php_vbulletin_template 2005-02-25 excellent Yes vBulletin misc.php Template Name Arbitrary Code Execution
487 exploit/multi/http/vbulletin_widgetconfig_rce 2019-09-23 excellent Yes vBulletin widgetConfig RCE
488 exploit/multi/http/vtiger_soap_upload 2013-03-26 excellent Yes vTiger CRM SOAP AddEmailAttachment Arbitrary File Upload
489 exploit/multi/http/vtiger_php_exec 2013-10-30 excellent Yes vTigerCRM v5.4.0/v5.3.0 Authenticated Remote Code Execution
490 exploit/unix/http/xdebug_unauth_exec 2017-09-17 excellent Yes xdebug Unauthenticated OS Command Execution
Interact with a module by name or index. For example info 490, use 490 or use exploit/unix/http/xdebug_unauth_exec
5.4 小结
- 指纹扫描与网站目录扫描一样,是为针对目标主机80端口进行渗透而进行的准备工作。
- 对目标主机进行指纹识别后结论如下:
- 目标网站搭建在Windows 32位系统上,暂时没有扫描到具体系统版本及漏洞,后续应加强。
- 目标网站中间件Apache版本为2.4.23,在MSF控制台下可以找到Apache平台有106个漏洞,暂未对每个漏洞详细查看其影响版本。
- 目标网站中间件OpenSSL版本为1.0.2,在MSF控制台下可以找到OpenSSL有106个漏洞,暂未对每个漏洞详细查看其影响版本。
- 目标网站中间件PHP版本为5.4.45,在MSF控制台下可以找到PHP语言有491个OpenSSL,暂未对每个漏洞详细查看其影响版本。
- 目标采用CMS系统是drupal,未扫描到具体版本,在MSF控制台下可以找到对应该CMS系统有漏洞8个。
- 实际渗透测试应根据目标主机中间件和系统版本,测试每一个可能存在的漏洞。
- 应进一步学习如何批量测验漏洞是否存在的方法。
6 总结
- 信息收集主要是为后续渗透测试提供了方向,信息收集内容越完善,后续渗透测试将越全面越精准。
- 渗透方向:
- 对于139端口,是samba服务端口,可以考虑爆破、未授权访问、远程代码执行。
- 对于445端口,是SMB服务端口,可以考虑空会话攻击。
- 对于3306端口,可以考虑注入、提权、爆破。
- 对于80端口,可以考虑Web 攻击、爆破、对应服务器版本漏洞。
- 目标网站搭建在Windows 32位系统上,暂时没有扫描到具体系统版本及漏洞,后续应加强。
- 目标网站中间件Apache版本为2.4.23,在MSF控制台下可以找到Apache平台有106个漏洞,暂未对每个漏洞详细查看其影响版本。
- 目标网站中间件OpenSSL版本为1.0.2,在MSF控制台下可以找到OpenSSL有106个漏洞,暂未对每个漏洞详细查看其影响版本。
- 目标网站中间件PHP版本为5.4.45,在MSF控制台下可以找到PHP语言有491个OpenSSL,暂未对每个漏洞详细查看其影响版本。
- 目标采用CMS系统是drupal,未扫描到具体版本,在MSF控制台下可以找到对应该CMS系统有漏洞8个。
- 后续内容将针对上述方向逐个进行渗透,对于中间件漏洞只以其一作为例子。
- 现阶段不足之处:
- 对网站目录扫描结果不近人意;
- 收集站点指纹信息时,没有收集到系统和CMS的版本;
- 收集中间件及系统漏洞时,没有收集到针对其版本的漏洞,这将给后续渗透测试增加了不少工作量。
参考文献
post SAP-Garson
原文链接:https://blog.csdn.net/Fighting_hawk/article/details/123671872文章来自于网络,如果侵犯了您的权益,请联系站长删除!
