This Metasploit module extracts usernames through the IBM Lotus Notes Sametime web interface, using either a dictionary attack (which is preferred) or a brute-force attack that tries all usernames of MAXDEPTH length or less.
Apache Superset versions 2.0.0 and earlier use Flask with a known default secret key, which is used to sign HTTP cookies. These cookies can therefore be forged. If a user is able to log in to the site, they can decode the cookie, set their user_id to that of an administrator, and re-sign the cookie. This valid cookie can then be used to log in as the targeted user and retrieve database credentials saved in Apache Superset.
Fortinet FortiOS versions 5.4.6 to 5.4.12, 5.6.3 to 5.6.7 and 6.0.0 to 6.0.4 contain a path traversal vulnerability in the SSL VPN web portal that allows unauthenticated attackers to download FortiOS system files through specially crafted HTTP requests. This Metasploit module exploits this vulnerability to read the usernames and passwords of users currently logged into the FortiOS SSL VPN, which are stored in plaintext in the "/dev/cmdb/sslvpn_websession" file on the VPN server.
The Jasmin Ransomware web server contains an unauthenticated directory traversal vulnerability in its download functionality. As of April 15, 2024 this was still unpatched, so all versions are vulnerable. The last patch was released in 2021, so it will likely never be patched.
Firmware versions up to 7.0.0-build1904 of Peplink Balance routers are affected by an unauthenticated SQL injection vulnerability in the bauth cookie. Successful exploitation allows an attacker to retrieve the cookies of authenticated users, bypassing the web portal authentication. By default, a session expires 4 hours after login (the setting can be changed by the admin), so the module attempts to retrieve the most recently created sessions.
This Metasploit module brute-forces Sametime meeting room names via the IBM Lotus Notes Sametime web interface.
Many Hikvision IP cameras have improper authorization logic that allows unauthenticated disclosure of camera information, such as detailed hardware and software configuration, user credentials, and camera snapshots. The vulnerability has been present in Hikvision products since 2014. In addition to Hikvision-branded devices, it affects many white-labeled camera products sold under a variety of brand names. Hundreds of thousands of vulnerable devices are still exposed to the Internet at the time of publishing (Shodan search: "App-webs" "200 OK"). This Metasploit module allows the attacker to retrieve this information without any authentication. The information is stored in loot for future use.
It was found that Internet Explorer allows the disclosure of local file names. This issue exists because Internet Explorer behaves differently for file:// URLs pointing to existing and non-existent files. When used in combination with HTML5 sandbox iframes, it is possible to use this behavior to find out whether a local file exists. This technique only works on Internet Explorer 10 and 11, since these support the HTML5 sandbox. It is also not possible to do this from a regular website, as file:// URLs are blocked altogether. The attack must be performed locally (works with Internet zone Mark of the Web) or from a share.
A website that serves a JSONP endpoint accepting a custom alphanumeric callback of 1200 characters can be abused to serve an encoded SWF payload that steals the contents of a same-domain URL. Flash < 14.0.0.145 is required. This Metasploit module spins up a web server that, upon navigation from a user, attempts to abuse the specified JSONP endpoint URLs by stealing the response from GET requests to STEAL_URLS.
This Metasploit module scans an IBM Lotus Sametime web interface to enumerate the application's version and configuration information.
This Metasploit module exploits a cross-domain issue within the Android web browser to exfiltrate files from a vulnerable device.
Microweber CMS v1.2.10 has a backup functionality whose upload and download endpoints can be combined to read any file from the filesystem. The upload function may also delete the local file if the web service user has access to it.
This Metasploit module extracts the usernames and hashed passwords of all users of the Pimcore web service by exploiting a SQL injection vulnerability in Pimcore's REST API. Pimcore creates password hashes by first concatenating a user's username, the name of the application, and the user's password in the format USERNAME:pimcore:PASSWORD. The resulting string is hashed with MD5, and that MD5 hash is then used to create the final hash with PHP's built-in password_hash function.
This Metasploit module exploits a SQL injection vulnerability found in vBulletin 5 that has been used in the wild since March 2013. It can be used to extract the web application's usernames and hashes, which could be used to authenticate to the vBulletin admin control panel.
This Metasploit module exploits an information disclosure vulnerability in Cisco PVC2300 cameras in order to download the configuration file containing the admin credentials for the web interface. The module first performs a basic check to see if the target is likely a Cisco PVC2300. If so, the module attempts to obtain a session ID via an HTTP GET request to the vulnerable /oamp/System.xml endpoint using hardcoded credentials. If a session ID is obtained, the module uses it in another HTTP GET request to /oamp/System.xml with the aim of downloading the configuration file. The configuration file, if obtained, is then decoded and saved to the loot directory. Finally, the module attempts to extract the admin credentials for the web interface from the decoded configuration file. No known solution was made available for this vulnerability and no CVE has been published. It is therefore likely that most (if not all) Cisco PVC2300 cameras are affected. This Metasploit module was successfully tested against several Cisco PVC2300 cameras.
This Metasploit module exploits combined heap and stack buffer overflows for QNAP NAS and NVR devices to dump the admin (root) shadow hash from memory via an overwrite of __libc_argv[0] in the HTTP-header-bound glibc backtrace. A binary search is performed to find the correct offset for the BOFs. Since the server forks, blind remote exploitation is possible, provided the heap does not have ASLR.
This Metasploit module exploits a pre-auth directory traversal in the Pulse Secure VPN server to dump an arbitrary file. Dumped files are stored in loot. If the "Automatic" action is set, plaintext and hashed credentials, as well as session IDs, will be dumped. Valid sessions can be hijacked by setting the "DSIG" browser cookie to a valid session ID. For the "Manual" action, please specify a file to dump via the "FILE" option. /etc/passwd will be dumped by default. If the "PRINT" option is set, file contents will be printed to the screen, with any unprintable characters replaced by a period. Please see related module exploit/linux/http/pulse_secure_cmd_exec for a post-auth exploit that can leverage the results from this module.
A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN routers could allow an unauthenticated, remote attacker to retrieve sensitive information. The vulnerability is due to improper access controls for URLs. An attacker could exploit this vulnerability by connecting to an affected device via HTTP or HTTPS and requesting specific URLs. A successful exploit could allow the attacker to download the router configuration or detailed diagnostic information. Cisco has released firmware updates that address this vulnerability.
This Metasploit module extracts account information from AVTECH 744 DVR devices, including usernames, cleartext passwords, and the device PIN, along with a few other miscellaneous details. To extract the information, the hardcoded credentials admin/admin are used. These credentials can't be changed from either the device console UI or the web UI.
This Metasploit module exploits a local file inclusion in QNAP QTS and Photo Station that allows an unauthenticated attacker to download files from the QNAP filesystem. Because the HTTP server runs as root, it is possible to access sensitive files, such as SSH private keys and password hashes. This Metasploit module has been tested on QTS 4.3.3 (unknown Photo Station version) and QTS 4.3.6 with Photo Station 5.7.9.
This Metasploit module leverages an unauthenticated server-side template injection vulnerability in CrushFTP < 10.7.1 and < 11.1.0 (as well as legacy 9.x versions). Attackers can submit template injection payloads to the web API without authentication. When attacker payloads are reflected in the server's responses, the payloads are evaluated. The primary impact of the injection is arbitrary file read as root, which can result in authentication bypass, remote code execution, and NetNTLMv2 theft (when the host OS is Windows and SMB egress traffic is permitted).
This Metasploit module exploits CVE-2021-31166, a use-after-free bug in http.sys triggered when parsing specially crafted Accept-Encoding headers, on vulnerable IIS servers. Microsoft patched the bug in May 2021. Successful exploitation will result in the target computer BSODing and subsequently rebooting. Note that the target IIS server may or may not come back up; this depends on whether the target is configured to start IIS on reboot.
The Pi3Web HTTP server, versions 2.0.13 and earlier, crashes when a request is made for an invalid DLL file in /isapi. By default, the non-DLL files in this directory after installation are users.txt, install.daf and readme.daf.
This Metasploit module exploits a denial of service flaw in the Microsoft Windows SMB client on Windows 7 and Windows Server 2008 R2. To trigger this bug, run this module as a service and force a vulnerable client to access the IP of this system as an SMB server. This can be accomplished by embedding a UNC path (\\HOST\share\something) into a web page if the target is using Internet Explorer, or a Word document otherwise.
This Metasploit module exploits a Denial of Service (DoS) condition in the HTTP parser of Node.js versions released before 0.10.21 and 0.8.26. The attack sends many pipelined HTTP requests on a single connection, which causes unbounded memory allocation when the client does not read the responses.