【废了-准备删除02】信息收集——基于WAMP的drupal7.x管理系统

目录

  • 1 概述
  • 2 域名、子域名、IP信息收集
  • 3 端口扫描
    • 3.1 扫描过程
    • 3.2 小结
  • 4 网站目录扫描
    • 4.1 目的
    • 4.2 dirbuster 扫描
    • 4.3 御剑后台扫描
    • 4.4 小结
  • 5 指纹识别
    • 5.1 目的
    • 5.2 指纹识别
    • 5.3 指纹利用
      • 5.3.1 drupal 漏洞
      • 5.3.2 Apache 漏洞
      • 5.3.3 OpenSSL 漏洞
      • 5.3.4 PHP 漏洞
    • 5.4 小结
  • 6 总结
  • 参考文献

1 概述

  1. 目的:
    进行渗透测试之前, 最重要的一步就是信息收集,在这个阶段,我们要尽可能地收集目标组织的信息。所谓“知己知彼,百战不殆”,我们越是了解测试目标,测试的工作就越容易。
  2. 收集内容。在信息收集中,包括但不限于以下内容:
    1. 收集域名及子域名信息;
    2. 收集目标网站真实IP;
    3. 收集常用端口信息;
    4. 收集敏感信息;
    5. 收集CMS及WEB指纹信息;
    6. 收集敏感目录文件;
  3. 详细基础知识请参考文章《渗透测试信息收集的种类及方法》。
  4. 信息收集主要利用kali系统中各种工具进行。

2 域名、子域名、IP信息收集

鉴于本实验靶机是自己配置的,在局域网内IP地址为192.168.1.4/drupal7

3 端口扫描

3.1 扫描过程

  1. 虚拟机打开kali系统,搜索打开nmap软件,先输入sudo -i和密码切换到root用户。
  2. 使用命令cd /home/kali/桌面,进入到桌面。
  3. 输入扫描命令nmap -A 192.168.1.4 -p 1-65535 -oN nmap.A,对目标IP进行端口扫描,并将结果保存到当前目录下。
  4. 执行过程如下,
┌──(rootkali)-[/home/kali/桌面]
└─# nmap -A 192.168.1.4 -p 1-65535 -oN nmap.A
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-22 04:48 EDT
Nmap scan report for 192.168.1.4 (192.168.1.4)
Host is up (0.00061s latency).
Not shown: 65523 closed tcp ports (reset)
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2j PHP/5.4.45)
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45
|_http-title: \xE7\x95\x99\xE8\xA8\x80\xE8\xAE\xBA\xE5\x9D\x9B
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows Server 2008 R2 Enterprise 7601 Service Pack 1 microsoft-ds
3306/tcp  open  mysql        MySQL (unauthorized)
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
49158/tcp open  msrpc        Microsoft Windows RPC
MAC Address: 00:0C:29:83:7B:E2 (VMware)
Device type: general purpose
Running: Microsoft Windows 7|2008|8.1
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
Network Distance: 1 hop
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery: 
|   OS: Windows Server 2008 R2 Enterprise 7601 Service Pack 1 (Windows Server 2008 R2 Enterprise 6.1)
|   OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
|   Computer name: WIN-3BH0BJV654L
|   NetBIOS computer name: WIN-3BH0BJV654L\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2022-03-22T16:49:34+08:00
|_clock-skew: mean: -2h39m59s, deviation: 4h37m07s, median: 0s
| smb2-security-mode: 
|   2.1: 
|_    Message signing enabled but not required
|_nbstat: NetBIOS name: WIN-3BH0BJV654L, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:83:7b:e2 (VMware)
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time: 
|   date: 2022-03-22T08:49:34
|_  start_date: 2022-03-22T07:02:16

TRACEROUTE
HOP RTT     ADDRESS
1   0.61 ms 192.168.1.4 (192.168.1.4)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 93.68 seconds

3.2 小结

可以看到扫描得到的重要端口有80、139、445、3306等。

  1. 对于80端口,可以考虑Web 攻击、爆破、对应服务器版本漏洞。
  2. 对于139端口,是samba服务端口,可以考虑爆破、未授权访问、远程代码执行。
  3. 对于445端口,是SMB服务端口,可以考虑空会话攻击。
  4. 对于3306端口,可以考虑注入、提权、爆破。
  5. 不同端口的开启,给渗透测试提供了思路和方向。

4 网站目录扫描

4.1 目的

  1. 目的:在渗透测试中,探测Web 目录结构和隐藏的敏感文件是一个必不可少的环节,从中可以获取网站的后台管理页面、文件上传界面, 甚至可能扫描出网站的源代码。
  2. 常用工具如下,本文只演示前两个。
    1. DirBuster
    2. 御剑后台扫描珍藏版
    3. wwwscan
    4. Spinder.py (轻量级快速单文件目录后台扫描)
    5. Sensitivefilescan (轻量级快速单文件目录后台扫描)
    6. Weakfilescan (轻量级快速单文件目录后台扫描)

4.2 dirbuster 扫描

  1. 鉴于靶机80端口的存在,利用kali系统的dirbuster软件对其下网站目录进行扫描。
  2. 点击kali开始按钮,搜索dirbuster,点击后可以看到软件窗口如下,将其窗口最大化。
    【废了-准备删除02】信息收集——基于WAMP的drupal7.x管理系统_第1张图片
  3. 在Target URL输入框中输入要扫描的网址,扫描时将请求方法设置为“Auto Switch”。
  4. 设置线程的数值,推荐在20-30之间。太大了容易引起系统死机。
  5. 选择字典类型,如果使用个人字典扫描,先选择“ List based brute force ”选项,再单击“ Browse ”选择字典,可以选择工具自带的字典,也可以选择自己的字典。可以点击List info查看软件自带字典的简介再做选择。
  6. 在Select starting options 中选择“standard ”方式进行扫描。注意设置根目录和后缀名。
  7. 参考以上说明设置如下图。
    【废了-准备删除02】信息收集——基于WAMP的drupal7.x管理系统_第2张图片
  8. 点击start,扫描过程如下。
    【废了-准备删除02】信息收集——基于WAMP的drupal7.x管理系统_第3张图片
  9. 扫描结束后,选择报告的保存类型、路径和文件名,点击生成报告。
    【废了-准备删除02】信息收集——基于WAMP的drupal7.x管理系统_第4张图片
  10. 生成报告如下,与实际文件夹对比,可以看到至扫出来了一部分。频繁出现~%3F%3F%3F,应该是一种正则表达式的匹配条件,暂时未发现其含义。
/drupal7/
/drupal7/themes/
/drupal7/themes/bartik/
/drupal7/user/
/drupal7/misc/
/drupal7/sites/
/drupal7/sites/default/
/drupal7/~%3F%3F%3F/
/drupal7/themes/~%3F%3F%3F/
/drupal7/misc/~%3F%3F%3F/
/drupal7/themes/bartik/~%3F%3F%3F/
/drupal7/sites/~%3F%3F%3F/
/drupal7/sites/default/~%3F%3F%3F/
/drupal7/sites/default/~fukuchi/
/drupal7/sites/~fv/
/drupal7/user/~garland/
/drupal7/themes/~genocide/
/drupal7/themes/~genone/
/drupal7/~gifteduc/
/drupal7/sites/~fw242/
/drupal7/~name*censored*/
/drupal7/themes/~name*censored*/
/drupal7/misc/~name*censored*/
/drupal7/sites/default/~name*censored*/
/drupal7/themes/bartik/~name*censored*/
/drupal7/sites/~name*censored*/
/drupal7/user/register
/drupal7/user/password
/drupal7/misc/jquery.js
/drupal7/node
/drupal7/user
/drupal7/misc/jquery-extend-3.4.0.js
/drupal7/misc/jquery-html-prefilter-3.5.0-backport.js
/drupal7/misc/jquery.once.js
/drupal7/misc/drupal.js
/drupal7/sites/default/files/languages/zh-hans_hn17KBavlrqLd1EjfEzNn_EnzKOnc4K1T5YauTQnlbA.js
/drupal7/~%3F%3F%3F.txt
/drupal7/~%3F%3F%3F.html
/drupal7/~%3F%3F%3F.php
/drupal7/themes/~%3F%3F%3F.html
/drupal7/themes/~%3F%3F%3F.txt
/drupal7/themes/~%3F%3F%3F.php
/drupal7/misc/~%3F%3F%3F.txt
/drupal7/misc/~%3F%3F%3F.html
/drupal7/misc/~%3F%3F%3F.php
/drupal7/sites/default/~%3F%3F%3F.txt
/drupal7/themes/bartik/~%3F%3F%3F.html
/drupal7/themes/bartik/~%3F%3F%3F.php
/drupal7/themes/bartik/~%3F%3F%3F.txt
/drupal7/sites/default/~%3F%3F%3F.html
/drupal7/sites/~%3F%3F%3F.txt
/drupal7/sites/~%3F%3F%3F.php
/drupal7/sites/~%3F%3F%3F.html
/drupal7/sites/default/~%3F%3F%3F.php
/drupal7/user/~gabriel.txt
/drupal7/sites/default/~fsch.txt
/drupal7/themes/~gardiner.php
/drupal7/misc/~gates.txt
/drupal7/sites/~fwitness.php
/drupal7/sites/default/~fsuas.php
/drupal7/themes/bartik/~gaas.txt
/drupal7/~gke.html
/drupal7/user/~ganz.html
/drupal7/sites/default/~fukuchi/~a.txt
/drupal7/~gligor.php
/drupal7/sites/default/~fukuchi/~adam.php
/drupal7/~glotzer.html
/drupal7/~gyrobike.txt
/drupal7/sites/default/~fukuchi/~brian.txt
/drupal7/user/~ganter.txt
/drupal7/misc/~garch1.php
/drupal7/sites/~g1.txt
/drupal7/~name*censored*.txt
/drupal7/~name*censored*.html
/drupal7/~name*censored*.php
/drupal7/themes/~name*censored*.html
/drupal7/themes/bartik/~name*censored*.php
/drupal7/misc/~name*censored*.txt
/drupal7/themes/~name*censored*.php
/drupal7/themes/~name*censored*.txt
/drupal7/misc/~name*censored*.php
/drupal7/themes/bartik/~name*censored*.html
/drupal7/misc/~name*censored*.html
/drupal7/themes/bartik/~name*censored*.txt
/drupal7/sites/default/~name*censored*.php
/drupal7/sites/~name*censored*.html
/drupal7/sites/~name*censored*.php
/drupal7/sites/~name*censored*.txt
/drupal7/sites/default/~name*censored*.html
/drupal7/sites/default/~name*censored*.txt

4.3 御剑后台扫描

  1. 打开御剑后台扫描,简单容易使用,输入要扫描的域名,点击开始扫描,扫描过程如下:
    【废了-准备删除02】信息收集——基于WAMP的drupal7.x管理系统_第5张图片
  2. 经过约20个小时的扫描,御剑扫描结果如下,扫描出来的结果较少,且没有递归。对于响应为200的连接,双击可以直接访问该文件。
    【废了-准备删除02】信息收集——基于WAMP的drupal7.x管理系统_第6张图片

4.4 小结

  1. 对目标网站经过长时间的目录扫描,能否扫描到有用的目录和文件,需要看字典给不给力。
  2. 能发现网站一部分的目录结构,也许对后续文件上传漏洞和文件包含漏洞测试有一定帮助。
  3. 能发现一部分文件,能否发现一些敏感文件需要花时间去阅读每一份扫描到的文件。

5 指纹识别

5.1 目的

在渗透测试中,当识别出相应的Web容器或者CMS ,就能查找与其相关的漏洞,然后针对性进行相应的渗透操作。

5.2 指纹识别

  1. Web指纹识别代表工具有WhatWeb 、御剑Web 指纹识别、WebRobo 、椰树、轻量WEB指纹识别等,可以快速识别一些主流CMS。
  2. Whatweb是kali系统自带工具,可以搜索直接使用。
    【废了-准备删除02】信息收集——基于WAMP的drupal7.x管理系统_第7张图片
  3. 程序打开后,建议使用命令sudo -i切换至root身份。
  4. 输入命令whatweb http://192.168.1.4/drupal7/,执行结果如下。
    在这里插入图片描述

5.3 指纹利用

  1. 在上述扫描结果中,可以看到网站文件管理系统是采用drupal7,环境是Apache/2.4.23 + OpenSSL/1.0.2j + PHP/5.4.45,系统是Windows32bit。到此,我们可以上网收集关于drupal、apache、OpenSSL、php等中间件的漏洞,在该网站上进行尝试,此处演示采用MSF进行中间件漏洞信息收集。
  2. 打开kali系统终端,切换至root用户,输入命令msfconsole启动MSF。
    【废了-准备删除02】信息收集——基于WAMP的drupal7.x管理系统_第8张图片

5.3.1 drupal 漏洞

  1. 针对drupal这个CMS系统,使用命令search drupal查询其对应的漏洞,可以看到有以下漏洞,共有8个。
msf6 > search drupal

Matching Modules
================

   #  Name                                           Disclosure Date  Rank       Check  Description
   -  ----                                           ---------------  ----       -----  -----------
   0  exploit/unix/webapp/drupal_coder_exec          2016-07-13       excellent  Yes    Drupal CODER Module Remote Command Execution
   1  exploit/unix/webapp/drupal_drupalgeddon2       2018-03-28       excellent  Yes    Drupal Drupalgeddon 2 Forms API Property Injection
   2  exploit/multi/http/drupal_drupageddon          2014-10-15       excellent  No     Drupal HTTP Parameter Key/Value SQL Injection
   3  auxiliary/gather/drupal_openid_xxe             2012-10-17       normal     Yes    Drupal OpenID External Entity Injection
   4  exploit/unix/webapp/drupal_restws_exec         2016-07-13       excellent  Yes    Drupal RESTWS Module Remote PHP Code Execution
   5  exploit/unix/webapp/drupal_restws_unserialize  2019-02-20       normal     Yes    Drupal RESTful Web Services unserialize() RCE
   6  auxiliary/scanner/http/drupal_views_user_enum  2010-07-02       normal     Yes    Drupal Views Module Users Enumeration
   7  exploit/unix/webapp/php_xmlrpc_eval            2005-06-29       excellent  Yes    PHP XML-RPC Arbitrary Code Execution

Interact with a module by name or index. For example info 7, use 7 or use exploit/unix/webapp/php_xmlrpc_eval
  1. 看上面最后一行提示,可以使用info加上漏洞索引号或漏洞名,查询漏洞信息。本实验使用命令info 0,查询第一个漏洞信息,没有明确说明针对哪些版本的drupal,在说明中说在ubuntu系统上的drupal7.5版本进行过测试。
msf6 > info 0

       Name: Drupal CODER Module Remote Command Execution
     Module: exploit/unix/webapp/drupal_coder_exec
   Platform: Unix
       Arch: cmd
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2016-07-13

Provided by:
  Nicky Bloor <[email protected]>
  Mehmet Ince <[email protected]>

Available targets:
  Id  Name
  --  ----
  0   Automatic

Check supported:
  Yes

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                      yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-M
                                        etasploit
  RPORT      80               yes       The target port (TCP)
  SSL        false            no        Negotiate SSL/TLS for outgoing connections
  TARGETURI  /                yes       The target URI of the Drupal installation
  VHOST                       no        HTTP server virtual host

Payload information:
  Space: 250
  Avoid: 1 characters

Description:
  This module exploits a Remote Command Execution vulnerability in the 
  Drupal CODER Module. Unauthenticated users can execute arbitrary 
  commands under the context of the web server user. The CODER module 
  doesn't sufficiently validate user inputs in a script file that has 
  the PHP extension. A malicious unauthenticated user can make 
  requests directly to this file to execute arbitrary commands. The 
  module does not need to be enabled for this to be exploited. This 
  module was tested against CODER 2.5 with Drupal 7.5 installed on 
  Ubuntu Server.

References:
  https://www.drupal.org/node/2765575
  1. 本实验使用命令info 1,查询第2个漏洞信息,看到影响版本中说小于drupal7.58。
msf6 > info 1

       Name: Drupal Drupalgeddon 2 Forms API Property Injection
     Module: exploit/unix/webapp/drupal_drupalgeddon2
   Platform: PHP, Unix, Linux
       Arch: php, cmd, x86, x64
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2018-03-28

Provided by:
  Jasper Mattsson
  a2u
  Nixawk
  FireFart
  wvu <[email protected]>

Available targets:
  Id  Name
  --  ----
  0   Automatic (PHP In-Memory)
  1   Automatic (PHP Dropper)
  2   Automatic (Unix In-Memory)
  3   Automatic (Linux Dropper)
  4   Drupal 7.x (PHP In-Memory)
  5   Drupal 7.x (PHP Dropper)
  6   Drupal 7.x (Unix In-Memory)
  7   Drupal 7.x (Linux Dropper)
  8   Drupal 8.x (PHP In-Memory)
  9   Drupal 8.x (PHP Dropper)
  10  Drupal 8.x (Unix In-Memory)
  11  Drupal 8.x (Linux Dropper)

Check supported:
  Yes

Basic options:
  Name         Current Setting  Required  Description
  ----         ---------------  --------  -----------
  DUMP_OUTPUT  false            no        Dump payload command output
  PHP_FUNC     passthru         yes       PHP function to execute
  Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                        yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using
                                          -Metasploit
  RPORT        80               yes       The target port (TCP)
  SSL          false            no        Negotiate SSL/TLS for outgoing connections
  TARGETURI    /                yes       Path to Drupal install
  VHOST                         no        HTTP server virtual host

Payload information:
  Avoid: 3 characters

Description:
  This module exploits a Drupal property injection in the Forms API. 
  Drupal 6.x, < 7.58, 8.2.x, < 8.3.9, < 8.4.6, and < 8.5.1 are 
  vulnerable.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2018-7600
  https://www.drupal.org/sa-core-2018-002
  https://greysec.net/showthread.php?tid=2912
  https://research.checkpoint.com/uncovering-drupalgeddon-2/
  https://github.com/a2u/CVE-2018-7600
  https://github.com/nixawk/labs/issues/19
  https://github.com/FireFart/CVE-2018-7600

Also known as:
  SA-CORE-2018-002
  Drupalgeddon 2
  1. 本实验使用命令info 2,查询第3个漏洞信息,看到影响版本Drupal 7.0 - 7.31。
msf6 > info 2

       Name: Drupal HTTP Parameter Key/Value SQL Injection
     Module: exploit/multi/http/drupal_drupageddon
   Platform: PHP
       Arch: php
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2014-10-15

Provided by:
  SektionEins
  WhiteWinterWolf
  Christian Mehlmauer <[email protected]>
  Brandon Perry

Available targets:
  Id  Name
  --  ----
  0   Drupal 7.0 - 7.31 (form-cache PHP injection method)
  1   Drupal 7.0 - 7.31 (user-post PHP injection method)

Check supported:
  No

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                      yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-M
                                        etasploit
  RPORT      80               yes       The target port (TCP)
  SSL        false            no        Negotiate SSL/TLS for outgoing connections
  TARGETURI  /                yes       The target URI of the Drupal installation
  VHOST                       no        HTTP server virtual host

Payload information:

Description:
  This module exploits the Drupal HTTP Parameter Key/Value SQL 
  Injection (aka Drupageddon) in order to achieve a remote shell on 
  the vulnerable instance. This module was tested against Drupal 7.0 
  and 7.31 (was fixed in 7.32). Two methods are available to trigger 
  the PHP payload on the target: - set TARGET 0: Form-cache PHP 
  injection method (default). This uses the SQLi to upload a malicious 
  form to Drupal's cache, then trigger the cache entry to execute the 
  payload using a POP chain. - set TARGET 1: User-post injection 
  method. This creates a new Drupal user, adds it to the 
  administrators group, enable Drupal's PHP module, grant the 
  administrators the right to bundle PHP code in their post, create a 
  new post containing the payload and preview it to trigger the 
  payload execution.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2014-3704
  https://www.drupal.org/SA-CORE-2014-005
  http://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html
  https://www.whitewinterwolf.com/posts/2017/11/16/drupageddon-revisited-a-new-path-from-sql-injection-to-remote-command-execution-cve-2014-3704/

Also known as:
  Drupageddon
  1. 本实验使用命令info 3,查询第4个漏洞信息,没有看到影响版本总结,在Drupal 7.15 ~ 7.2 版本中测试成功过。
msf6 > info 3

       Name: Drupal OpenID External Entity Injection
     Module: auxiliary/gather/drupal_openid_xxe
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2012-10-17

Provided by:
  Reginaldo Silva
  juan vazquez <[email protected]>

Check supported:
  Yes

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  FILEPATH   /etc/passwd      yes       The filepath to read on the server
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                      yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-M
                                        etasploit
  RPORT      80               yes       The target port (TCP)
  SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the lo
                                        cal machine or 0.0.0.0 to listen on all addresses.
  SRVPORT    8080             yes       The local port to listen on.
  SSL        false            no        Negotiate SSL/TLS for outgoing connections
  SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
  TARGETURI  /drupal          yes       Base Drupal directory path
  URIPATH                     no        The URI to use for this exploit (default is random)
  VHOST                       no        HTTP server virtual host

Description:
  This module abuses an XML External Entity Injection vulnerability on 
  the OpenID module from Drupal. The vulnerability exists in the 
  parsing of a malformed XRDS file coming from a malicious OpenID 
  endpoint. This module has been tested successfully on Drupal 7.15 
  and 7.2 with the OpenID module enabled.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2012-4554
  OSVDB (86429)
  http://www.securityfocus.com/bid/56103
  https://drupal.org/node/1815912
  http://drupalcode.org/project/drupal.git/commit/b912710
  http://www.ubercomp.com/posts/2014-01-16_facebook_remote_code_execution
  1. 本实验使用命令info 4,查询第5个漏洞信息,没有明确说明针对哪些版本的drupal,在说明中说在ubuntu系统上的drupal7.5版本进行过测试。
msf6 > info 4

       Name: Drupal RESTWS Module Remote PHP Code Execution
     Module: exploit/unix/webapp/drupal_restws_exec
   Platform: PHP
       Arch: php
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2016-07-13

Provided by:
  Devin Zuczek
  Mehmet Ince <[email protected]>

Available targets:
  Id  Name
  --  ----
  0   Automatic

Check supported:
  Yes

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                      yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-M
                                        etasploit
  RPORT      80               yes       The target port (TCP)
  SSL        false            no        Negotiate SSL/TLS for outgoing connections
  TARGETURI  /                yes       The target URI of the Drupal installation
  VHOST                       no        HTTP server virtual host

Payload information:

Description:
  This module exploits a Remote PHP Code Execution vulnerability in 
  the Drupal RESTWS Module. Unauthenticated users can execute 
  arbitrary code under the context of the web server user. RESTWS 
  alters the default page callbacks for entities to provide additional 
  functionality. A vulnerability in this approach allows an 
  unauthenticated attacker to send specially crafted requests 
  resulting in arbitrary PHP execution. RESTWS 2.x prior to 2.6 and 
  1.x prior to 1.7 are affected by this issue. This module was tested 
  against RESTWS 2.5 with Drupal 7.5 installed on Ubuntu Server.

References:
  https://www.drupal.org/node/2765567
  1. 本实验使用命令info 5,查询第6个漏洞信息,影响版本为 < 8.5.11 和 < 8.6.10。
msf6 > info 5

       Name: Drupal RESTful Web Services unserialize() RCE
     Module: exploit/unix/webapp/drupal_restws_unserialize
   Platform: PHP, Unix
       Arch: php, cmd
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2019-02-20

Provided by:
  Jasper Mattsson
  Charles Fol
  Rotem Reiss
  wvu <[email protected]>

Module side effects:
 ioc-in-logs

Module stability:
 crash-safe

Module reliability:
 unreliable-session

Available targets:
  Id  Name
  --  ----
  0   PHP In-Memory
  1   Unix In-Memory

Check supported:
  Yes

Basic options:
  Name         Current Setting  Required  Description
  ----         ---------------  --------  -----------
  DUMP_OUTPUT  false            no        Dump payload command output
  METHOD       POST             yes       HTTP method to use (Accepted: GET, POST, PATCH, PUT)
  NODE         1                no        Node ID to target with GET method
  Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                        yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using
                                          -Metasploit
  RPORT        80               yes       The target port (TCP)
  SSL          false            no        Negotiate SSL/TLS for outgoing connections
  TARGETURI    /                yes       Path to Drupal install
  VHOST                         no        HTTP server virtual host

Payload information:
  Avoid: 1 characters

Description:
  This module exploits a PHP unserialize() vulnerability in Drupal 
  RESTful Web Services by sending a crafted request to the /node REST 
  endpoint. As per SA-CORE-2019-003, the initial remediation was to 
  disable POST, PATCH, and PUT, but Ambionics discovered that GET was 
  also vulnerable (albeit cached). Cached nodes can be exploited only 
  once. Drupal updated SA-CORE-2019-003 with PSA-2019-02-22 to notify 
  users of this alternate vector. Drupal < 8.5.11 and < 8.6.10 are 
  vulnerable.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2019-6340
  https://www.drupal.org/sa-core-2019-003
  https://www.drupal.org/psa-2019-02-22
  https://www.ambionics.io/blog/drupal8-rce
  https://github.com/ambionics/phpggc
  https://twitter.com/jcran/status/1099206271901798400

Also known as:
  SA-CORE-2019-003
  1. 本实验使用命令info 6,查询第7个漏洞信息,影响版本为 Drupal 6 with ‘Views’ module <= 6.x-2.11。
msf6 > info 6

       Name: Drupal Views Module Users Enumeration
     Module: auxiliary/scanner/http/drupal_views_user_enum
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2010-07-02

Provided by:
  Justin Klein Keane
  Robin Francois <[email protected]>
  Brandon McCann "zeknox" <[email protected]>

Check supported:
  Yes

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                      yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-M
                                        etasploit
  RPORT      80               yes       The target port (TCP)
  SSL        false            no        Negotiate SSL/TLS for outgoing connections
  TARGETURI  /                yes       Drupal Path
  THREADS    1                yes       The number of concurrent threads (max one per host)
  VHOST                       no        HTTP server virtual host

Description:
  This module exploits an information disclosure vulnerability in the 
  'Views' module of Drupal, brute-forcing the first 10 usernames from 
  'a' to 'z'. Drupal 6 with 'Views' module <= 6.x-2.11 are vulnerable. 
  Drupal does not consider disclosure of usernames as a weakness.

References:
  http://www.madirish.net/node/465
  https://www.drupal.org/node/1004778
  1. 本实验使用命令info 7,查询第8个漏洞信息,该漏洞利用了在 PHP XML-RPC 模块,在许多实现中发现的任意代码执行缺陷。 此漏洞可通过许多 PHP Web 应用程序利用,包括但不限于 Drupal、Wordpress、Postnuke 和 TikiWiki。
msf6 > info 7

       Name: PHP XML-RPC Arbitrary Code Execution
     Module: exploit/unix/webapp/php_xmlrpc_eval
   Platform: Unix
       Arch: cmd
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2005-06-29

Provided by:
  hdm <[email protected]>
  cazz <[email protected]>

Available targets:
  Id  Name
  --  ----
  0   Automatic

Check supported:
  Yes

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  PATH     /xmlrpc.php      yes       Path to xmlrpc.php
  Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Met
                                      asploit
  RPORT    80               yes       The target port (TCP)
  SSL      false            no        Negotiate SSL/TLS for outgoing connections
  VHOST                     no        HTTP server virtual host

Payload information:
  Space: 512

Description:
  This module exploits an arbitrary code execution flaw discovered in 
  many implementations of the PHP XML-RPC module. This flaw is 
  exploitable through a number of PHP web applications, including but 
  not limited to Drupal, Wordpress, Postnuke, and TikiWiki.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2005-1921
  OSVDB (17793)
  http://www.securityfocus.com/bid/14088

5.3.2 Apache 漏洞

与上同理,在MSF控制台下,使用命令search apache可以查询到apache有关的漏洞,此时查询到有106个,此处就不再展开查询信息了。

msf6 > search apache

Matching Modules
================

   #    Name                                                                       Disclosure Date  Rank       Check  Description
   -    ----                                                                       ---------------  ----       -----  -----------
   0    exploit/linux/http/atutor_filemanager_traversal                            2016-03-01       excellent  Yes    ATutor 2.2.1 Directory Traversal / Remote Code Execution
   1    exploit/multi/http/apache_activemq_upload_jsp                              2016-06-01       excellent  No     ActiveMQ web shell upload
   2    auxiliary/scanner/http/apache_userdir_enum                                                  normal     No     Apache "mod_userdir" User Enumeration
   3    exploit/multi/http/apache_normalize_path_rce                               2021-05-10       excellent  Yes    Apache 2.4.49/2.4.50 Traversal RCE
   4    auxiliary/scanner/http/apache_normalize_path                               2021-05-10       normal     No     Apache 2.4.49/2.4.50 Traversal RCE scanner
   5    exploit/windows/http/apache_activemq_traversal_upload                      2015-08-19       excellent  Yes    Apache ActiveMQ 5.x-5.11.1 Directory Traversal Shell Upload
   6    auxiliary/scanner/http/apache_activemq_traversal                                            normal     No     Apache ActiveMQ Directory Traversal
   7    auxiliary/scanner/http/apache_activemq_source_disclosure                                    normal     No     Apache ActiveMQ JSP Files Source Disclosure
   8    auxiliary/scanner/http/axis_login                                                           normal     No     Apache Axis2 Brute Force Utility
   9    auxiliary/scanner/http/axis_local_file_include                                              normal     No     Apache Axis2 v1.4.1 Local File Inclusion
   10   auxiliary/dos/http/apache_commons_fileupload_dos                           2014-02-06       normal     No     Apache Commons FileUpload and Apache Tomcat DoS
   11   exploit/linux/http/apache_continuum_cmd_exec                               2016-04-06       excellent  Yes    Apache Continuum Arbitrary Command Execution
   12   exploit/linux/http/apache_couchdb_cmd_exec                                 2016-04-06       excellent  Yes    Apache CouchDB Arbitrary Command Execution
   13   exploit/linux/http/apache_druid_js_rce                                     2021-01-21       excellent  Yes    Apache Druid 0.20.0 Remote Command Execution
   14   exploit/multi/http/apache_flink_jar_upload_exec                            2019-11-13       excellent  Yes    Apache Flink JAR Upload Java Code Execution
   15   auxiliary/scanner/http/apache_flink_jobmanager_traversal                   2021-01-05       normal     Yes    Apache Flink JobManager Traversal
   16   auxiliary/scanner/http/mod_negotiation_brute                                                normal     No     Apache HTTPD mod_negotiation Filename Bruter
   17   auxiliary/scanner/http/mod_negotiation_scanner                                              normal     No     Apache HTTPD mod_negotiation Scanner
   18   exploit/linux/smtp/apache_james_exec                                       2015-10-01       normal     Yes    Apache James Server 2.3.2 Insecure User Creation Arbitrary File Write
   19   exploit/multi/http/apache_jetspeed_file_upload                             2016-03-06       manual     No     Apache Jetspeed Arbitrary File Upload
   20   auxiliary/scanner/ssh/apache_karaf_command_execution                       2016-02-09       normal     No     Apache Karaf Default Credentials Command Execution
   21   auxiliary/scanner/ssh/karaf_login                                                           normal     No     Apache Karaf Login Utility
   22   exploit/windows/http/apache_mod_rewrite_ldap                               2006-07-28       great      Yes    Apache Module mod_rewrite LDAP Protocol Buffer Overflow
   23   exploit/multi/http/apache_nifi_processor_rce                               2020-10-03       excellent  Yes    Apache NiFi API Remote Code Execution
   24   exploit/linux/http/apache_ofbiz_deserialization_soap                       2021-03-22       excellent  Yes    Apache OFBiz SOAP Java Deserialization
   25   exploit/linux/http/apache_ofbiz_deserialization                            2020-07-13       excellent  Yes    Apache OFBiz XML-RPC Java Deserialization
   26   exploit/multi/misc/openoffice_document_macro                               2017-02-08       excellent  No     Apache OpenOffice Text Document Malicious Macro Execution
   27   auxiliary/scanner/http/apache_optionsbleed                                 2017-09-18       normal     No     Apache Optionsbleed Scanner
   28   auxiliary/dos/http/apache_range_dos                                        2011-08-19       normal     No     Apache Range Header DoS (Apache Killer)
   29   auxiliary/gather/apache_rave_creds                                                          normal     No     Apache Rave User Information Disclosure
   30   auxiliary/scanner/http/rewrite_proxy_bypass                                                 normal     No     Apache Reverse Proxy Bypass Vulnerability Scanner
   31   exploit/multi/http/apache_roller_ognl_injection                            2013-10-31       excellent  Yes    Apache Roller OGNL Injection
   32   exploit/multi/http/shiro_rememberme_v124_deserialize                       2016-06-07       excellent  No     Apache Shiro v1.2.4 Cookie RememberME Deserial RCE
   33   exploit/multi/http/solr_velocity_rce                                       2019-10-29       excellent  Yes    Apache Solr Remote Code Execution via Velocity Template
   34   exploit/linux/http/spark_unauth_rce                                        2017-12-12       excellent  Yes    Apache Spark Unauthenticated Command Execution
   35   exploit/multi/http/struts_default_action_mapper                            2013-07-02       excellent  Yes    Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution
   36   exploit/multi/http/struts_dev_mode                                         2012-01-06       excellent  Yes    Apache Struts 2 Developer Mode OGNL Execution
   37   exploit/multi/http/struts2_multi_eval_ognl                                 2020-09-14       excellent  Yes    Apache Struts 2 Forced Multi OGNL Evaluation
   38   exploit/multi/http/struts2_namespace_ognl                                  2018-08-22       excellent  Yes    Apache Struts 2 Namespace Redirect OGNL Injection
   39   exploit/multi/http/struts2_rest_xstream                                    2017-09-05       excellent  Yes    Apache Struts 2 REST Plugin XStream RCE
   40   exploit/multi/http/struts2_code_exec_showcase                              2017-07-07       excellent  Yes    Apache Struts 2 Struts 1 Plugin Showcase OGNL Code Execution
   41   exploit/multi/http/struts_code_exec_classloader                            2014-03-06       manual     No     Apache Struts ClassLoader Manipulation Remote Code Execution
   42   exploit/multi/http/struts_dmi_exec                                         2016-04-27       excellent  Yes    Apache Struts Dynamic Method Invocation Remote Code Execution
   43   exploit/multi/http/struts2_content_type_ognl                               2017-03-07       excellent  Yes    Apache Struts Jakarta Multipart Parser OGNL Injection
   44   exploit/multi/http/struts_code_exec_parameters                             2011-10-01       excellent  Yes    Apache Struts ParametersInterceptor Remote Code Execution
   45   exploit/multi/http/struts_dmi_rest_exec                                    2016-06-01       excellent  Yes    Apache Struts REST Plugin With Dynamic Method Invocation Remote Code Execution
   46   exploit/multi/http/struts_code_exec                                        2010-07-13       good       No     Apache Struts Remote Command Execution
   47   exploit/multi/http/struts_code_exec_exception_delegator                    2012-01-06       excellent  No     Apache Struts Remote Command Execution
   48   exploit/multi/http/struts_include_params                                   2013-05-24       great      Yes    Apache Struts includeParams Remote Code Execution
   49   auxiliary/gather/cve_2021_27850_apache_tapestry_hmac_key                   2021-04-15       normal     Yes    Apache Tapestry HMAC secret key leak
   50   exploit/windows/http/apache_tika_jp2_jscript                               2018-04-25       excellent  Yes    Apache Tika Header Command Injection
   51   auxiliary/admin/http/tomcat_ghostcat                                       2020-02-20       normal     Yes    Apache Tomcat AJP File Read
   52   exploit/windows/http/tomcat_cgi_cmdlineargs                                2019-04-10       excellent  Yes    Apache Tomcat CGIServlet enableCmdLineArguments Vulnerability
   53   exploit/multi/http/tomcat_mgr_deploy                                       2009-11-09       excellent  Yes    Apache Tomcat Manager Application Deployer Authenticated Code Execution
   54   exploit/multi/http/tomcat_mgr_upload                                       2009-11-09       excellent  Yes    Apache Tomcat Manager Authenticated Upload Code Execution
   55   auxiliary/dos/http/apache_tomcat_transfer_encoding                         2010-07-09       normal     No     Apache Tomcat Transfer-Encoding Information Disclosure and DoS
   56   auxiliary/scanner/http/tomcat_enum                                                          normal     No     Apache Tomcat User Enumeration
   57   exploit/windows/http/apache_chunked                                        2002-06-19       good       Yes    Apache Win32 Chunked Encoding
   58   auxiliary/gather/zookeeper_info_disclosure                                 2020-10-14       normal     No     Apache ZooKeeper Information Disclosure
   59   exploit/multi/http/apache_mod_cgi_bash_env_exec                            2014-09-24       excellent  Yes    Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)
   60   auxiliary/scanner/http/apache_mod_cgi_bash_env                             2014-09-24       normal     Yes    Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner
   61   auxiliary/dos/http/apache_mod_isapi                                        2010-03-05       normal     No     Apache mod_isapi Dangling Pointer
   62   exploit/windows/http/apache_modjk_overflow                                 2007-03-02       great      Yes    Apache mod_jk 1.2.20 Buffer Overflow
   63   auxiliary/admin/appletv/appletv_display_video                                               normal     No     Apple TV Video Remote Control
   64   exploit/windows/http/bea_weblogic_jsessionid                               2009-01-13       good       No     BEA WebLogic JSESSIONID Cookie Value Overflow
   65   exploit/windows/http/bea_weblogic_transfer_encoding                        2008-09-09       great      No     BEA Weblogic Transfer-Encoding Buffer Overflow
   66   exploit/windows/http/cayin_xpost_sql_rce                                   2020-06-04       excellent  Yes    Cayin xPost wayfinder_seqid SQLi to RCE
   67   exploit/multi/http/cisco_dcnm_upload_2019                                  2019-06-26       excellent  Yes    Cisco Data Center Network Manager Unauthenticated Remote Code Execution
   68   exploit/linux/http/cpi_tararchive_upload                                   2019-05-15       excellent  Yes    Cisco Prime Infrastructure Health Monitor TarArchive Directory Traversal Vulnerability
   69   exploit/linux/http/cisco_prime_inf_rce                                     2018-10-04       excellent  Yes    Cisco Prime Infrastructure Unauthenticated Remote Code Execution
   70   exploit/unix/http/contentkeeperweb_mimencode                               2009-02-25       excellent  Yes    ContentKeeper Web Remote Command Execution
   71   auxiliary/scanner/couchdb/couchdb_enum                                                      normal     Yes    CouchDB Enum Utility
   72   exploit/multi/http/sonicwall_scrutinizer_methoddetail_sqli                 2014-07-24       excellent  Yes    Dell SonicWALL Scrutinizer 11.01 methodDetail SQL Injection
   73   exploit/linux/http/eyesofnetwork_autodiscovery_rce                         2020-02-06       excellent  Yes    EyesOfNetwork 5.1-5.3 AutoDiscovery Target Command Execution
   74   exploit/multi/fileformat/zip_slip                                          2018-06-05       manual     No     Generic Zip Slip Traversal Vulnerability
   75   auxiliary/gather/impersonate_ssl                                                            normal     No     HTTP SSL Certificate Impersonation
   76   exploit/windows/misc/ibm_websphere_java_deserialize                        2015-11-06       excellent  No     IBM WebSphere RCE Java Deserialization Vulnerability
   77   exploit/linux/http/klog_server_authenticate_user_unauth_command_injection  2020-12-27       excellent  Yes    Klog Server authenticate.php user Unauthenticated Command Injection
   78   exploit/linux/local/kloxo_lxsuexec                                         2012-09-18       excellent  No     Kloxo Local Privilege Escalation
   79   auxiliary/fileformat/odt_badodt                                            2018-05-01       normal     No     LibreOffice 6.03 /Apache OpenOffice 4.1.5 Malicious ODT File Generator
   80   post/linux/gather/enum_configs                                                              normal     No     Linux Gather Configurations
   81   exploit/linux/http/mida_solutions_eframework_ajaxreq_rce                   2020-07-24       excellent  Yes    Mida Solutions eFramework ajaxreq.php Command Injection
   82   exploit/unix/webapp/moinmoin_twikidraw                                     2012-12-30       manual     Yes    MoinMoin twikidraw Action Traversal File Upload
   83   exploit/linux/http/nagios_xi_snmptrap_authenticated_rce                    2020-10-20       excellent  Yes    Nagios XI 5.5.0-5.7.3 - Snmptrap Authenticated Remote Code Exection
   84   exploit/linux/http/nagios_xi_mibs_authenticated_rce                        2020-10-20       excellent  Yes    Nagios XI 5.6.0-5.7.3 - Mibs.php Authenticated Remote Code Exection
   85   exploit/linux/http/nagios_xi_plugins_filename_authenticated_rce            2020-12-19       excellent  Yes    Nagios XI Prior to 5.8.0 - Plugins Filename Authenticated Remote Code Exection
   86   exploit/windows/http/bea_weblogic_post_bof                                 2008-07-17       great      Yes    Oracle Weblogic Apache Connector POST Request Buffer Overflow
   87   payload/php/shell_findsock                                                                  normal     No     PHP Command Shell, Find Sock
   88   exploit/windows/http/php_apache_request_headers_bof                        2012-05-08       normal     No     PHP apache_request_headers Function Buffer Overflow                                                                                 
   89   exploit/unix/webapp/projectpier_upload_exec                                2012-10-08       excellent  Yes    Project Pier Arbitrary File Upload Vulnerability
   90   exploit/linux/http/rconfig_ajaxarchivefiles_rce                            2020-03-11       good       Yes    Rconfig 3.x Chained Remote Code Execution
   91   exploit/linux/http/piranha_passwd_exec                                     2000-04-04       excellent  No     RedHat Piranha Virtual Server Package passwd.php3 Arbitrary Command Execution
   92   exploit/unix/webapp/spip_connect_exec                                      2012-07-04       excellent  Yes    SPIP connect Parameter PHP Injection
   93   exploit/unix/misc/spamassassin_exec                                        2006-06-06       excellent  No     SpamAssassin spamd Remote Command Execution
   94   exploit/linux/http/symantec_web_gateway_lfi                                2012-05-17       excellent  Yes    Symantec Web Gateway 5.0.2.8 relfile File Inclusion Vulnerability
   95   auxiliary/admin/http/tomcat_administration                                                  normal     No     Tomcat Administration Tool Default Access
   96   auxiliary/scanner/http/tomcat_mgr_login                                                     normal     No     Tomcat Application Manager Login Utility
   97   exploit/multi/http/tomcat_jsp_upload_bypass                                2017-10-03       excellent  Yes    Tomcat RCE via JSP Upload Bypass
   98   auxiliary/admin/http/tomcat_utf8_traversal                                 2009-01-09       normal     No     Tomcat UTF-8 Directory Traversal Vulnerability
   99   exploit/linux/http/trendmicro_websecurity_exec                             2020-06-10       excellent  Yes    Trend Micro Web Security (Virtual Appliance) Remote Code Execution
   100  auxiliary/admin/http/trendmicro_dlp_traversal                              2009-01-09       normal     No     TrendMicro Data Loss Prevention 5.5 Directory Traversal
   101  exploit/linux/http/vmware_view_planner_4_6_uploadlog_rce                   2021-03-02       excellent  Yes    VMware View Planner Unauthenticated Log File Upload RCE
   102  auxiliary/scanner/http/wangkongbao_traversal                                                normal     No     WANGKONGBAO CNS-1000 and 1100 UTM Directory Traversal
   103  post/windows/gather/enum_tomcat                                                             normal     No     Windows Gather Apache Tomcat Enumeration
   104  exploit/unix/webapp/wp_phpmailer_host_header                               2017-05-03       average    Yes    WordPress PHPMailer Host Header Command Injection
   105  exploit/unix/webapp/jquery_file_upload                                     2018-10-09       excellent  Yes    blueimp's jQuery (Arbitrary) File Upload

Interact with a module by name or index. For example info 105, use 105 or use exploit/unix/webapp/jquery_file_upload

5.3.3 OpenSSL 漏洞

与上同理,在MSF控制台下,使用命令search openssl可以查询到OpenSSL有关的漏洞,此时查询到有11个,此处就不再展开查询信息了。

msf6 > search openssl

Matching Modules
================

   #   Name                                                  Disclosure Date  Rank       Check  Description
   -   ----                                                  ---------------  ----       -----  -----------
   0   payload/bsd/x86/exec                                                   normal     No     BSD Execute Command
   1   payload/osx/x86/exec                                                   normal     No     OS X Execute Command
   2   auxiliary/server/openssl_altchainsforgery_mitm_proxy  2015-07-09       normal     No     OpenSSL Alternative Chains Certificate Forgery MITM Proxy
   3   auxiliary/dos/ssl/dtls_changecipherspec               2000-04-26       normal     No     OpenSSL DTLS ChangeCipherSpec Remote DoS
   4   auxiliary/dos/ssl/dtls_fragment_overflow              2014-06-05       normal     No     OpenSSL DTLS Fragment Buffer Overflow DoS
   5   auxiliary/server/openssl_heartbeat_client_memory      2014-04-07       normal     No     OpenSSL Heartbeat (Heartbleed) Client Memory Exposure
   6   auxiliary/scanner/ssl/openssl_heartbleed              2014-04-07       normal     Yes    OpenSSL Heartbeat (Heartbleed) Information Leak
   7   auxiliary/scanner/ssl/openssl_ccs                     2014-06-05       normal     No     OpenSSL Server-Side ChangeCipherSpec Injection Scanner
   8   auxiliary/dos/ssl/openssl_aesni                       2013-02-05       normal     No     OpenSSL TLS 1.1 and 1.2 AES-NI DoS
   9   exploit/unix/misc/polycom_hdx_traceroute_exec         2017-11-12       excellent  Yes    Polycom Shell HDX Series Traceroute Command Execution
   10  payload/cmd/unix/reverse_openssl                                       normal     No     Unix Command Shell, Double Reverse TCP SSL (openssl)

Interact with a module by name or index. For example info 10, use 10 or use payload/cmd/unix/reverse_openssl

5.3.4 PHP 漏洞

与上同理,在MSF控制台下,使用命令search php可以查询到PHP有关的漏洞,此时查询到有491个,此处就不再展开查询信息了。

msf6 > search php

Matching Modules
================

   #    Name                                                                       Disclosure Date  Rank       Check  Description
   -    ----                                                                       ---------------  ----       -----  -----------
   0    exploit/windows/ftp/32bitftp_list_reply                                    2010-10-12       good       No     32bit FTP Client Stack Buffer Overflow
   1    exploit/windows/ftp/aasync_list_reply                                      2010-10-12       good       No     AASync v2.2.1.0 (Win32) Stack Buffer Overflow (LIST)
   2    exploit/aix/rpc_cmsd_opcode21                                              2009-10-07       great      No     AIX Calendar Manager Service Daemon (rpc.cmsd) Opcode 21 Buffer Overflow
   3    exploit/windows/browser/asus_net4switch_ipswcom                            2012-02-17       normal     No     ASUS Net4Switch ipswcom.dll ActiveX Stack Buffer Overflow
   4    exploit/linux/http/atutor_filemanager_traversal                            2016-03-01       excellent  Yes    ATutor 2.2.1 Directory Traversal / Remote Code Execution
   5    exploit/multi/http/atutor_upload_traversal                                 2019-05-17       excellent  Yes    ATutor 2.2.4 - Directory Traversal / Remote Code Execution,
   6    exploit/unix/webapp/awstatstotals_multisort                                2008-08-26       excellent  Yes    AWStats Totals multisort Remote Command Execution
   7    exploit/unix/webapp/awstats_migrate_exec                                   2006-05-04       excellent  Yes    AWStats migrate Remote Command Execution
   8    exploit/multi/http/activecollab_chat                                       2012-05-30       excellent  Yes    Active Collab "chat module" Remote PHP Code Injection Exploit
   9    exploit/unix/webapp/actualanalyzer_ant_cookie_exec                         2014-08-28       excellent  Yes    ActualAnalyzer 'ant' Cookie Command Execution
   10   exploit/windows/browser/adobe_flash_otf_font                               2012-08-09       normal     No     Adobe Flash Player 11.3 Kern Table Parsing Integer Overflow
   11   exploit/windows/browser/adobe_flashplayer_arrayindexing                    2012-06-21       great      No     Adobe Flash Player AVM Verification Logic Array Indexing Code Execution
   12   exploit/windows/browser/adobe_flash_regex_value                            2013-02-08       normal     No     Adobe Flash Player Regular Expression Heap Overflow
   13   exploit/multi/http/agent_tesla_panel_rce                                   2019-08-14       excellent  Yes    Agent Tesla Panel Remote Code Execution
   14   exploit/windows/misc/agentxpp_receive_agentx                               2010-04-16       good       No     AgentX++ Master AgentX::receive_agentx Stack Buffer Overflow
   15   exploit/multi/http/ajaxplorer_checkinstall_exec                            2010-04-04       excellent  Yes    AjaXplorer checkInstall.php Remote Command Execution
   16   auxiliary/gather/alienvault_iso27001_sqli                                  2014-03-30       normal     No     AlienVault Authenticated SQL Injection Arbitrary File Read
   17   auxiliary/gather/alienvault_newpolicyform_sqli                             2014-05-09       normal     No     AlienVault Authenticated SQL Injection Arbitrary File Read
   18   exploit/linux/http/alienvault_exec                                         2017-01-31       excellent  Yes    AlienVault OSSIM/USM Remote Code Execution
   19   exploit/multi/local/allwinner_backdoor                                     2016-04-30       excellent  Yes    Allwinner 3.4 Legacy Kernel Local Privilege Escalation
   20   exploit/windows/http/altn_webadmin                                         2003-06-24       average    No     Alt-N WebAdmin USER Buffer Overflow
   21   exploit/android/local/put_user_vroot                                       2013-09-06       excellent  No     Android get_user/put_user Exploit
   22   exploit/windows/browser/apple_quicktime_marshaled_punk                     2010-08-30       great      No     Apple QuickTime 7.6.7 _Marshaled_pUnk Code Execution
   23   exploit/linux/http/vap2500_tools_command_exec                              2014-11-25       normal     Yes    Arris VAP2500 tools_command.php Command Execution
   24   exploit/linux/http/astium_sqli_upload                                      2013-09-17       manual     Yes    Astium Remote Code Execution
   25   exploit/linux/http/asuswrt_lan_rce                                         2018-01-22       excellent  No     AsusWRT LAN Unauthenticated Remote Code Execution
   26   exploit/multi/http/auxilium_upload_exec                                    2012-09-14       excellent  Yes    Auxilium RateMyPet Arbitrary File Upload Vulnerability
   27   exploit/unix/webapp/base_qry_common                                        2008-06-14       excellent  No     BASE base_qry_common Remote File Include
   28   exploit/multi/http/baldr_upload_exec                                       2018-12-19       excellent  Yes    Baldr Botnet Panel Shell Upload Exploit
   29   exploit/unix/webapp/barracuda_img_exec                                     2005-09-01       excellent  Yes    Barracuda IMG.PL Remote Command Execution
   30   exploit/unix/webapp/basilic_diff_exec                                      2012-06-28       excellent  Yes    Basilic 1.5.14 diff.php Arbitrary Command Execution
   31   auxiliary/scanner/http/bitweaver_overlay_type_traversal                    2012-10-23       normal     No     Bitweaver overlay_type Directory Traversal
   32   exploit/unix/webapp/bolt_authenticated_rce                                 2020-05-07       excellent  Yes    Bolt CMS 3.7.0 - Authenticated Remote Code Execution
   33   exploit/multi/http/bolt_file_upload                                        2015-08-17       excellent  Yes    CMS Bolt File Upload Vulnerability
   34   exploit/multi/http/cmsms_showtime2_rce                                     2019-03-11       normal     Yes    CMS Made Simple (CMSMS) Showtime2 File Upload RCE
   35   exploit/multi/http/cmsms_upload_rename_rce                                 2018-07-03       excellent  Yes    CMS Made Simple Authenticated RCE via File Upload/Copy
   36   exploit/multi/http/cmsms_object_injection_rce                              2019-03-26       normal     Yes    CMS Made Simple Authenticated RCE via object injection
   37   exploit/unix/http/cacti_filter_sqli_rce                                    2020-06-17       excellent  Yes    Cacti color filter authenticated SQLi to RCE
   38   exploit/unix/webapp/cacti_graphimage_exec                                  2005-01-15       excellent  No     Cacti graph_view.php Remote Command Execution
   39   exploit/unix/webapp/cakephp_cache_corruption                               2010-11-15       excellent  No     CakePHP Cache Corruption Code Execution
   40   exploit/unix/webapp/carberp_backdoor_exec                                  2013-06-28       great      Yes    Carberp Web Panel C2 Backdoor Remote PHP Code Execution
   41   exploit/linux/http/cayin_cms_ntp                                           2020-06-04       excellent  Yes    Cayin CMS NTP Server RCE
   42   exploit/windows/http/cayin_xpost_sql_rce                                   2020-06-04       excellent  Yes    Cayin xPost wayfinder_seqid SQLi to RCE
   43   exploit/linux/http/centreon_sqli_exec                                      2014-10-15       excellent  Yes    Centreon SQL and Command Injection
   44   exploit/multi/http/caidao_php_backdoor_exec                                2015-10-27       excellent  Yes    China Chopper Caidao PHP Backdoor Code Execution
   45   auxiliary/scanner/http/caidao_bruteforce_login                                              normal     No     Chinese Caidao Backdoor Bruteforce
   46   exploit/windows/browser/cisco_anyconnect_exec                              2011-06-01       excellent  No     Cisco AnyConnect VPN Client ActiveX URL Property Download and Execute
   47   exploit/linux/http/cisco_prime_inf_rce                                     2018-10-04       excellent  Yes    Cisco Prime Infrastructure Unauthenticated Remote Code Execution
   48   exploit/windows/browser/citrix_gateway_actx                                2011-07-14       normal     No     Citrix Gateway ActiveX Control Stack Based Buffer Overflow Vulnerability
   49   exploit/unix/http/pfsense_clickjacking                                     2017-11-21       normal     No     Clickjacking Vulnerability In CSRF Error Page pfSense
   50   exploit/unix/webapp/clipbucket_upload_exec                                 2013-10-04       excellent  Yes    ClipBucket Remote Code Execution
   51   exploit/multi/http/clipbucket_fileupload_exec                              2018-03-03       excellent  Yes    ClipBucket beats_uploader Unauthenticated Arbitrary File Upload
   52   exploit/windows/license/calicclnt_getconfig                                2005-03-02       average    No     Computer Associates License Client GETCONFIG Overflow
   53   exploit/windows/license/calicserv_getconfig                                2005-03-02       normal     Yes    Computer Associates License Server GETCONFIG Overflow
   54   exploit/windows/fileformat/coolpdf_image_stream_bof                        2013-01-18       normal     No     Cool PDF Image Stream Buffer Overflow
   55   exploit/unix/webapp/coppermine_piceditor                                   2008-01-30       excellent  Yes    Coppermine Photo Gallery picEditor.php Command Execution
   56   exploit/linux/http/crypttech_cryptolog_login_exec                          2017-05-03       excellent  Yes    Crypttech CryptoLog Remote Code Execution
   57   exploit/windows/http/dlink_central_wifimanager_rce                         2019-07-09       excellent  Yes    D-Link Central WiFi Manager CWM(100) RCE
   58   exploit/linux/http/dlink_dcs931l_upload                                    2015-02-23       great      Yes    D-Link DCS-931L File Upload
   59   auxiliary/admin/http/dlink_dir_300_600_exec_noauth                         2013-02-04       normal     No     D-Link DIR-600 / DIR-300 Unauthenticated Remote Command Execution
   60   exploit/linux/http/dlink_diagnostic_exec_noauth                            2013-03-05       excellent  No     D-Link DIR-645 / DIR-815 diagnostic.php Command Execution
   61   exploit/linux/http/dlink_command_php_exec_noauth                           2013-02-04       excellent  No     D-Link Devices Unauthenticated Remote Command Execution
   62   auxiliary/scanner/smb/impacket/secretsdump                                                  normal     No     DCOM Exec
   63   exploit/linux/http/dlink_dir850l_unauth_exec                               2017-08-09       excellent  Yes    DIR-850L (Un)authenticated OS Command Exec
   64   auxiliary/admin/dns/dyn_dns_update                                                          normal     No     DNS Server Dynamic Update Record Injection
   65   exploit/unix/webapp/datalife_preview_exec                                  2013-01-28       excellent  Yes    DataLife Engine preview.php PHP Code Injection
   66   exploit/windows/http/sonicwall_scrutinizer_sqli                            2012-07-22       excellent  Yes    Dell SonicWALL (Plixer) Scrutinizer 9 SQL Injection
   67   exploit/multi/http/sonicwall_scrutinizer_methoddetail_sqli                 2014-07-24       excellent  Yes    Dell SonicWALL Scrutinizer 11.01 methodDetail SQL Injection
   68   exploit/multi/http/dexter_casinoloader_exec                                2014-02-08       excellent  Yes    Dexter (CasinoLoader) SQL Injection
   69   auxiliary/scanner/scada/digi_addp_version                                                   normal     No     Digi ADDP Information Discovery
   70   auxiliary/scanner/scada/digi_addp_reboot                                                    normal     No     Digi ADDP Remote Reboot Initiator
   71   exploit/unix/webapp/dogfood_spell_exec                                     2009-03-03       excellent  Yes    Dogfood CRM spell.php Remote Command Execution
   72   auxiliary/gather/doliwamp_traversal_creds                                  2014-01-12       normal     Yes    DoliWamp 'jqueryFileTree.php' Traversal Gather Credentials
   73   exploit/linux/http/dolibarr_cmd_exec                                       2012-04-06       excellent  Yes    Dolibarr ERP/CRM Post-Auth OS Command Injection
   74   exploit/unix/webapp/drupal_coder_exec                                      2016-07-13       excellent  Yes    Drupal CODER Module Remote Command Execution
   75   exploit/unix/webapp/drupal_drupalgeddon2                                   2018-03-28       excellent  Yes    Drupal Drupalgeddon 2 Forms API Property Injection
   76   exploit/multi/http/drupal_drupageddon                                      2014-10-15       excellent  No     Drupal HTTP Parameter Key/Value SQL Injection
   77   exploit/unix/webapp/drupal_restws_exec                                     2016-07-13       excellent  Yes    Drupal RESTWS Module Remote PHP Code Execution
   78   exploit/unix/webapp/drupal_restws_unserialize                              2019-02-20       normal     Yes    Drupal RESTful Web Services unserialize() RCE
   79   exploit/unix/webapp/egallery_upload_exec                                   2012-07-08       excellent  Yes    EGallery PHP File Upload Vulnerability
   80   exploit/windows/emc/alphastor_agent                                        2008-05-27       great      No     EMC AlphaStor Agent Buffer Overflow
   81   auxiliary/admin/emc/alphastor_devicemanager_exec                           2008-05-27       normal     No     EMC AlphaStor Device Manager Arbitrary Command Execution
   82   auxiliary/admin/emc/alphastor_librarymanager_exec                          2008-05-27       normal     No     EMC AlphaStor Library Manager Arbitrary Command Execution
   83   exploit/windows/fileformat/easycdda_pls_bof                                2010-06-07       normal     No     Easy CD-DA Recorder PLS Buffer Overflow
   84   exploit/multi/misc/osgi_console_exec                                       2018-02-13       normal     Yes    Eclipse Equinox OSGi Console Command Execution
   85   exploit/linux/http/efw_chpasswd_exec                                       2015-06-28       excellent  No     Endian Firewall Proxy Password Change Command Injection
   86   auxiliary/scanner/http/f5_bigip_virtual_server                                              normal     No     F5 BigIP HTTP Virtual Server Scanner
   87   exploit/windows/ftp/ftpsynch_list_reply                                    2010-10-12       good       No     FTP Synchronizer Professional 4.0.73.274 Stack Buffer Overflow
   88   exploit/windows/ftp/ftpgetter_pwd_reply                                    2010-10-12       good       No     FTPGetter Standard v3.55.0.05 Stack Buffer Overflow (PWD)
   89   exploit/windows/ftp/ftppad_list_reply                                      2010-10-12       good       No     FTPPad 1.2.0 Stack Buffer Overflow
   90   exploit/windows/ftp/ftpshell51_pwd_reply                                   2010-10-12       good       No     FTPShell 5.1 Stack Buffer Overflow
   91   exploit/multi/http/familycms_less_exec                                     2011-11-29       excellent  Yes    Family Connections less.php Remote Command Execution
   92   exploit/windows/ftp/filewrangler_list_reply                                2010-10-12       good       No     FileWrangler 5.30 Stack Buffer Overflow
   93   exploit/unix/webapp/flashchat_upload_exec                                  2013-10-04       excellent  Yes    FlashChat Arbitrary File Upload
   94   exploit/windows/fileformat/foxit_title_bof                                 2010-11-13       great      No     Foxit PDF Reader v4.1.1 Title Stack Buffer Overflow
   95   exploit/multi/http/freenas_exec_raw                                        2010-11-06       great      No     FreeNAS exec_raw.php Arbitrary Command Execution
   96   exploit/unix/http/freepbx_callmenum                                        2012-03-20       manual     No     FreePBX 2.10.0 / 2.9.0 callmenum Remote Code Execution
   97   exploit/unix/webapp/freepbx_config_exec                                    2014-03-21       excellent  Yes    FreePBX config.php Remote Code Execution
   98   exploit/unix/webapp/fusionpbx_exec_cmd_exec                                2019-11-02       excellent  Yes    FusionPBX Command exec.php Command Execution
   99   exploit/unix/webapp/fusionpbx_operator_panel_exec_cmd_exec                 2019-06-06       excellent  Yes    FusionPBX Operator Panel exec.php Command Execution
   100  exploit/multi/http/glpi_install_rce                                        2013-09-12       manual     Yes    GLPI install.php Remote Command Execution
   101  exploit/windows/ftp/gekkomgr_list_reply                                    2010-10-12       good       No     Gekko Manager FTP Client Stack Buffer Overflow
   102  auxiliary/scanner/http/http_traversal                                                       normal     No     Generic HTTP Directory Traversal Utility
   103  exploit/unix/webapp/php_eval                                               2008-10-13       manual     Yes    Generic PHP Code Evaluation
   104  exploit/unix/webapp/get_simple_cms_upload_exec                             2014-01-04       excellent  Yes    GetSimpleCMS PHP File Upload Vulnerability
   105  exploit/multi/http/getsimplecms_unauth_code_exec                           2019-04-28       excellent  Yes    GetSimpleCMS Unauthenticated RCE
   106  exploit/multi/http/gitlist_arg_injection                                   2018-04-26       excellent  Yes    GitList v0.6.0 Argument Injection Vulnerability
   107  exploit/windows/browser/hpmqc_progcolor                                    2007-04-04       normal     No     HP Mercury Quality Center ActiveX Control ProgColor Buffer Overflow
   108  auxiliary/scanner/http/trace                                                                normal     No     HTTP Cross-Site Tracing Detection
   109  auxiliary/fuzzers/http/http_form_field                                                      normal     No     HTTP Form Field Fuzzer
   110  exploit/windows/http/httpdx_handlepeer                                     2009-10-08       great      Yes    HTTPDX h_handlepeer() Function Buffer Overflow
   111  auxiliary/dos/http/hashcollision_dos                                       2011-12-28       normal     No     Hashtable Collisions
   112  exploit/unix/webapp/hastymail_exec                                         2011-11-22       excellent  Yes    Hastymail 2.1.1 RC1 Command Injection
   113  exploit/unix/webapp/havalite_upload_exec                                   2013-06-17       excellent  Yes    Havalite CMS Arbitary File Upload Vulnerability
   114  exploit/multi/http/horde_href_backdoor                                     2012-02-13       excellent  No     Horde 3.3.12 Backdoor Arbitrary PHP Code Execution
   115  exploit/multi/http/horde_csv_rce                                           2020-02-07       excellent  No     Horde CSV import arbitrary PHP code execution
   116  exploit/multi/http/horde_form_file_upload                                  2019-03-24       excellent  No     Horde Form File Upload Vulnerability
   117  exploit/unix/webapp/horde_unserialize_exec                                 2013-06-27       excellent  Yes    Horde Framework Unserialize PHP Code Execution
   118  exploit/multi/http/horizontcms_upload_exec                                 2020-09-24       excellent  Yes    HorizontCMS Arbitrary PHP File Upload
   119  auxiliary/scanner/http/httpbl_lookup                                                        normal     No     Http:BL Lookup
   120  exploit/unix/webapp/hybridauth_install_php_exec                            2014-08-04       manual     Yes    HybridAuth install.php PHP Code Execution
   121  exploit/windows/http/ia_webmail                                            2003-11-03       average    No     IA WebMail 3.x Buffer Overflow
   122  exploit/multi/http/ibm_openadmin_tool_soap_welcomeserver_exec              2017-05-30       excellent  Yes    IBM OpenAdmin Tool SOAP welcomeServer PHP Code Execution
   123  exploit/linux/http/ibm_qradar_unauth_rce                                   2018-05-28       excellent  Yes    IBM QRadar SIEM Unauthenticated Remote Code Execution
   124  exploit/windows/misc/ibm_websphere_java_deserialize                        2015-11-06       excellent  No     IBM WebSphere RCE Java Deserialization Vulnerability
   125  exploit/multi/http/ispconfig_php_exec                                      2013-10-30       excellent  No     ISPConfig Authenticated Arbitrary PHP Code Execution
   126  exploit/multi/http/uptime_file_upload_1                                    2013-11-19       excellent  Yes    Idera Up.Time Monitoring Station 7.0 post2file.php Arbitrary File Upload
   127  exploit/multi/http/uptime_file_upload_2                                    2013-11-18       excellent  Yes    Idera Up.Time Monitoring Station 7.4 post2file.php Arbitrary File Upload
   128  auxiliary/scanner/scada/indusoft_ntwebserver_fileaccess                                     normal     No     Indusoft WebStudio NTWebServer Remote File Access
   129  exploit/unix/webapp/instantcms_exec                                        2013-06-26       excellent  Yes    InstantCMS 1.6 Remote PHP Code Execution
   130  exploit/unix/webapp/invision_pboard_unserialize_exec                       2012-10-25       excellent  Yes    Invision IP.Board unserialize() PHP Code Execution
   131  exploit/multi/fileformat/swagger_param_inject                              2016-06-23       excellent  No     JSON Swagger CodeGen Parameter Injector
   132  exploit/multi/browser/java_jre17_exec                                      2012-08-26       excellent  No     Java 7 Applet Remote Code Execution
   133  exploit/multi/browser/java_jre17_jmxbean                                   2013-01-10       excellent  No     Java Applet JMX Remote Code Execution
   134  exploit/unix/webapp/joomla_comjce_imgmanager                               2012-08-02       excellent  Yes    Joomla Component JCE File Upload Remote Code Execution
   135  exploit/multi/http/joomla_http_header_rce                                  2015-12-14       excellent  Yes    Joomla HTTP Header Unauthenticated Remote Code Execution
   136  exploit/linux/http/kaltura_unserialize_rce                                 2016-03-15       excellent  Yes    Kaltura Remote PHP Code Execution
   137  exploit/linux/http/kaltura_unserialize_cookie_rce                          2017-09-12       excellent  Yes    Kaltura Remote PHP Code Execution over Cookie
   138  exploit/unix/webapp/kimai_sqli                                             2013-05-21       average    Yes    Kimai v0.9.2 'db_restore.php' SQL Injection
   139  exploit/linux/http/klog_server_authenticate_user_unauth_command_injection  2020-12-27       excellent  Yes    Klog Server authenticate.php user Unauthenticated Command Injection
   140  exploit/linux/local/kloxo_lxsuexec                                         2012-09-18       excellent  No     Kloxo Local Privilege Escalation
   141  exploit/linux/http/kloxo_sqli                                              2014-01-28       manual     Yes    Kloxo SQL Injection and Remote Code Execution
   142  auxiliary/gather/lansweeper_collector                                                       normal     No     Lansweeper Credential Collector
   143  exploit/windows/ftp/leapftp_list_reply                                     2010-10-12       good       No     LeapFTP 3.0.1 Stack Buffer Overflow
   144  exploit/linux/http/librenms_addhost_cmd_inject                             2018-12-16       excellent  No     LibreNMS addhost Command Injection
   145  exploit/unix/webapp/libretto_upload_exec                                   2013-06-14       excellent  Yes    LibrettoCMS File Manager Arbitary File Upload Vulnerability
   146  exploit/linux/http/linksys_apply_cgi                                       2005-09-13       great      No     Linksys WRT54 Access Point apply.cgi Buffer Overflow
   147  payload/linux/mipsbe/reboot                                                                 normal     No     Linux Reboot
   148  payload/linux/mipsle/reboot                                                                 normal     No     Linux Reboot
   149  exploit/linux/http/linuxki_rce                                             2020-05-17       excellent  Yes    LinuxKI Toolset 6.01 Remote Command Execution
   150  exploit/multi/http/log1cms_ajax_create_folder                              2011-04-11       excellent  Yes    Log1 CMS writeInfo() PHP Code Injection
   151  exploit/windows/fileformat/lotusnotes_lzh                                  2011-05-24       good       No     Lotus Notes 8.0.x - 8.5.2 FP2 - Autonomy Keyview (.lzh Attachment)
   152  exploit/windows/lotus/lotusnotes_lzh                                       2011-05-24       normal     No     Lotus Notes 8.0.x - 8.5.2 FP2 - Autonomy Keyview (.lzh Attachment)
   153  exploit/multi/http/lcms_php_exec                                           2011-03-03       excellent  Yes    LotusCMS 3.0 eval() Remote Command Execution
   154  exploit/windows/fileformat/mjm_coreplayer2011_s3m                          2011-04-30       good       No     MJM Core Player 2011 .s3m Stack Buffer Overflow
   155  exploit/windows/fileformat/mjm_quickplayer_s3m                             2011-04-30       good       No     MJM QuickPlayer 1.00 Beta 60a / QuickPlayer 2010 .s3m Stack Buffer Overflow
   156  exploit/windows/scada/moxa_mdmtool                                         2010-10-20       great      No     MOXA Device Manager Tool 2.1 Buffer Overflow
   157  exploit/windows/fileformat/ms09_067_excel_featheader                       2009-11-10       good       No     MS09-067 Microsoft Excel Malformed FEATHEADER Record Vulnerability
   158  exploit/windows/browser/ms10_002_aurora                                    2010-01-14       normal     No     MS10-002 Microsoft Internet Explorer "Aurora" Memory Corruption
   159  exploit/windows/browser/ms10_018_ie_behaviors                              2010-03-09       good       No     MS10-018 Microsoft Internet Explorer DHTML Behaviors Use After Free
   160  exploit/windows/fileformat/ms10_087_rtf_pfragments_bof                     2010-11-09       great      No     MS10-087 Microsoft Word RTF pFragments Stack Buffer Overflow (File Format)
   161  exploit/windows/browser/ms12_037_same_id                                   2012-06-12       normal     No     MS12-037 Microsoft Internet Explorer Same ID Property Deleted Object Handling Memory Corruption
   162  exploit/windows/browser/ms13_037_svg_dashstyle                             2013-03-06       normal     No     MS13-037 Microsoft Internet Explorer COALineDashStyleArray Integer Overflow
   163  auxiliary/scanner/mysql/mysql_file_enum                                                     normal     No     MYSQL File/Directory Enumerator
   164  exploit/unix/webapp/maarch_letterbox_file_upload                           2015-02-11       excellent  Yes    Maarch LetterBox Unrestricted File Upload
   165  exploit/multi/http/magento_unserialize                                     2016-05-17       excellent  Yes    Magento 2.0.6 Unserialize Remote Code Execution
   166  exploit/windows/fileformat/magix_musikmaker_16_mmm                         2011-04-26       good       No     Magix Musik Maker 16 .mmm Stack Buffer Overflow
   167  exploit/windows/http/mailenable_auth_header                                2005-04-24       great      Yes    MailEnable Authorization Header Buffer Overflow
   168  exploit/windows/imap/mailenable_status                                     2005-07-13       great      No     MailEnable IMAPD (1.54) STATUS Request Buffer Overflow
   169  exploit/multi/http/makoserver_cmd_exec                                     2017-09-03       excellent  Yes    Mako Server v2.5, 2.6 OS Command Injection RCE
   170  exploit/unix/webapp/mambo_cache_lite                                       2008-06-14       excellent  No     Mambo Cache_Lite Class mosConfig_absolute_path Remote File Include
   171  exploit/multi/http/mantisbt_manage_proj_page_rce                           2008-10-16       excellent  Yes    Mantis manage_proj_page PHP Code Execution
   172  auxiliary/gather/mantisbt_admin_sqli                                       2014-02-28       normal     No     MantisBT Admin SQL Injection Arbitrary File Read
   173  exploit/multi/http/mantisbt_php_exec                                       2014-11-08       great      Yes    MantisBT XmlImportExport Plugin PHP Code Injection Vulnerability
   174  auxiliary/admin/http/mantisbt_password_reset                               2017-04-16       normal     Yes    MantisBT password reset
   175  exploit/multi/http/maracms_upload_exec                                     2020-08-31       excellent  Yes    MaraCMS Arbitrary PHP File Upload
   176  exploit/multi/http/mediawiki_syntaxhighlight                               2017-04-06       good       Yes    MediaWiki SyntaxHighlight extension option injection vulnerability
   177  exploit/multi/http/mediawiki_thumb                                         2014-01-28       excellent  Yes    MediaWiki Thumb.php Remote Command Execution
   178  exploit/windows/imap/mercury_rename                                        2004-11-29       average    Yes    Mercury/32 v4.01a IMAP RENAME Buffer Overflow
   179  exploit/linux/http/microfocus_secure_messaging_gateway                     2018-06-19       excellent  Yes    MicroFocus Secure Messaging Gateway Remote Code Execution
   180  exploit/windows/fileformat/office_excel_slk                                2018-10-07       manual     No     Microsoft Excel .SLK Payload Delivery
   181  auxiliary/admin/ms/ms08_059_his2006                                        2008-10-14       normal     No     Microsoft Host Integration Server 2006 Command Execution Vulnerability
   182  exploit/windows/browser/ms09_043_owc_htmlurl                               2009-08-11       normal     No     Microsoft OWC Spreadsheet HTMLURL Buffer Overflow
   183  auxiliary/admin/mssql/mssql_idf                                                             normal     No     Microsoft SQL Server Interesting Data Finder
   184  auxiliary/dos/windows/smb/ms06_035_mailslot                                2006-07-11       normal     No     Microsoft SRV.SYS Mailslot Write Corruption
   185  exploit/windows/browser/wmi_admintools                                     2010-12-21       great      No     Microsoft WMI Administration Tools ActiveX Buffer Overflow
   186  exploit/linux/http/mida_solutions_eframework_ajaxreq_rce                   2020-07-24       excellent  Yes    Mida Solutions eFramework ajaxreq.php Command Injection
   187  exploit/multi/http/mobilecartly_upload_exec                                2012-08-10       excellent  Yes    MobileCartly 1.0 Arbitrary File Creation Vulnerability
   188  exploit/multi/http/monstra_fileupload_exec                                 2017-12-18       excellent  Yes    Monstra CMS Authenticated Arbitrary File Upload
   189  exploit/multi/http/moodle_teacher_enrollment_priv_esc_to_rce               2020-07-20       good       Yes    Moodle Teacher Enrollment Privilege Escalation to RCE
   190  exploit/multi/http/nas4free_php_exec                                       2013-10-30       great      No     NAS4Free Arbitrary Remote Code Execution
   191  exploit/multi/http/nuuo_nvrmini_upgrade_rce                                2018-08-04       excellent  Yes    NUUO NVRmini upgrade_handle.php Remote Command Execution
   192  exploit/linux/http/nagios_xi_snmptrap_authenticated_rce                    2020-10-20       excellent  Yes    Nagios XI 5.5.0-5.7.3 - Snmptrap Authenticated Remote Code Exection
   193  exploit/linux/http/nagios_xi_mibs_authenticated_rce                        2020-10-20       excellent  Yes    Nagios XI 5.6.0-5.7.3 - Mibs.php Authenticated Remote Code Exection
   194  exploit/linux/http/nagios_xi_chained_rce_2_electric_boogaloo               2018-04-17       manual     Yes    Nagios XI Chained Remote Code Execution
   195  exploit/linux/http/nagios_xi_magpie_debug                                  2018-11-14       excellent  Yes    Nagios XI Magpie_debug.php Root Remote Code Execution
   196  exploit/unix/webapp/nagios_graph_explorer                                  2012-11-30       excellent  Yes    Nagios XI Network Monitor Graph Explorer Component Command Injection
   197  exploit/linux/http/nagios_xi_plugins_check_plugin_authenticated_rce        2019-07-29       excellent  Yes    Nagios XI Prior to 5.6.6 getprofile.sh Authenticated Remote Command Execution
   198  exploit/linux/http/nagios_xi_plugins_filename_authenticated_rce            2020-12-19       excellent  Yes    Nagios XI Prior to 5.8.0 - Plugins Filename Authenticated Remote Code Exection
   199  exploit/unix/webapp/narcissus_backend_exec                                 2012-11-14       excellent  Yes    Narcissus Image Configuration Passthru Vulnerability
   200  exploit/multi/http/navigate_cms_rce                                        2018-09-26       excellent  Yes    Navigate CMS Unauthenticated Remote Code Execution
   201  exploit/linux/snmp/net_snmpd_rw_access                                     2004-05-10       normal     No     Net-SNMPd Write Access SNMP-EXTEND-MIB arbitrary code execution
   202  exploit/linux/http/netgear_unauth_exec                                     2016-02-25       excellent  Yes    Netgear Devices Unauthenticated Remote Command Execution
   203  exploit/linux/http/netgear_r7000_cgibin_exec                               2016-12-06       excellent  Yes    Netgear R7000 and R6400 cgi-bin Command Injection
   204  exploit/linux/http/netsweeper_webadmin_unixlogin                           2020-04-28       excellent  Yes    Netsweeper WebAdmin unixlogin.php Python Code Injection
   205  exploit/multi/http/eaton_nsm_code_exec                                     2012-06-26       excellent  Yes    Network Shutdown Module (sort_values) Remote PHP Code Injection
   206  exploit/multi/http/nibbleblog_file_upload                                  2015-09-01       excellent  Yes    Nibbleblog File Upload Vulnerability
   207  exploit/windows/fileformat/nitro_reader_jsapi                              2017-07-24       excellent  No     Nitro Pro PDF Reader 11.0.3.173 Javascript API Remote Code Execution
   208  exploit/windows/local/novell_client_nicm                                   2013-05-22       average    Yes    Novell Client 2 SP3 nicm.sys Local Privilege Escalation
   209  exploit/windows/browser/novell_groupwise_gwcls1_actvx                      2013-01-30       normal     No     Novell GroupWise Client gwcls1.dll ActiveX Remote Code Execution
   210  auxiliary/scanner/http/groupwise_agents_http_traversal                                      normal     No     Novell Groupwise Agents HTTP Directory Traversal
   211  exploit/windows/smb/netidentity_xtierrpcpipe                               2009-04-06       great      No     Novell NetIdentity Agent XTIERRPCPIPE Named Pipe Buffer Overflow
   212  exploit/windows/imap/novell_netmail_subscribe                              2006-12-23       average    No     Novell NetMail IMAP SUBSCRIBE Buffer Overflow
   213  exploit/windows/novell/zenworks_preboot_op6_bof                            2010-03-30       normal     No     Novell ZENworks Configuration Management Preboot Service 0x06 Buffer Overflow
   214  exploit/windows/novell/zenworks_preboot_op21_bof                           2010-03-30       normal     No     Novell ZENworks Configuration Management Preboot Service 0x21 Buffer Overflow
   215  exploit/multi/http/zenworks_control_center_upload                          2013-03-22       great      Yes    Novell ZENworks Configuration Management Remote Execution
   216  exploit/windows/http/zenworks_uploadservlet                                2010-03-30       excellent  No     Novell ZENworks Configuration Management Remote Execution
   217  auxiliary/scanner/http/novell_mdm_creds                                                     normal     No     Novell Zenworks Mobile Device Managment Admin Credentials
   218  exploit/windows/http/novell_mdm_lfi                                        2013-03-13       excellent  Yes    Novell Zenworks Mobile Managment MDM.php Local File Inclusion Vulnerability
   219  exploit/linux/misc/novell_edirectory_ncp_bof                               2012-12-12       normal     Yes    Novell eDirectory 8 Buffer Overflow
   220  exploit/windows/fileformat/nuance_pdf_launch_overflow                      2010-10-08       great      No     Nuance PDF Reader v6.0 Launch Stack Buffer Overflow
   221  exploit/multi/http/op5_license                                             2012-01-05       excellent  Yes    OP5 license.php Remote Command Execution
   222  exploit/multi/http/october_upload_bypass_exec                              2017-04-25       excellent  Yes    October CMS Upload Protection Bypass Code Execution
   223  exploit/windows/ftp/odin_list_reply                                        2010-10-12       good       No     Odin Secure FTP 4.1 Stack Buffer Overflow (LIST)
   224  exploit/unix/webapp/open_flash_chart_upload_exec                           2009-12-14       great      Yes    Open Flash Chart v2 Arbitrary File Upload
   225  exploit/unix/webapp/openemr_sqli_privesc_upload                            2013-09-16       excellent  Yes    OpenEMR 4.1.1 Patch 14 SQLi Privilege Escalation Remote Code Execution
   226  exploit/unix/webapp/openemr_upload_exec                                    2013-02-13       excellent  Yes    OpenEMR PHP File Upload Vulnerability
   227  exploit/unix/webapp/openmediavault_rpc_rce                                 2020-09-28       excellent  Yes    OpenMediaVault rpc.php Authenticated PHP Code Injection
   228  exploit/unix/webapp/opensis_modname_exec                                   2012-12-04       excellent  Yes    OpenSIS 'modname' PHP Code Execution
   229  exploit/multi/http/openx_backdoor_php                                      2013-08-07       excellent  Yes    OpenX Backdoor PHP Code Execution
   230  exploit/unix/webapp/openx_banner_edit                                      2009-11-24       excellent  Yes    OpenX banner-edit.php File Upload PHP Code Execution
   231  auxiliary/sqli/oracle/lt_mergeworkspace                                    2008-10-22       normal     No     Oracle DB SQL Injection via SYS.LT.MERGEWORKSPACE
   232  auxiliary/admin/oracle/ora_ntlm_stealer                                    2009-04-07       normal     No     Oracle SMB Relay Code Execution
   233  auxiliary/admin/oracle/osb_execqr2                                         2009-08-18       normal     No     Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability
   234  auxiliary/admin/oracle/osb_execqr3                                         2010-07-13       normal     No     Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability
   235  exploit/windows/http/osb_uname_jlist                                       2010-07-13       excellent  No     Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability
   236  exploit/windows/fileformat/orbital_viewer_orb                              2010-02-27       great      No     Orbital Viewer ORB File Parsing Buffer Overflow
   237  exploit/multi/http/orientdb_exec                                           2017-07-13       good       Yes    OrientDB 2.2.x Remote Code Execution
   238  exploit/windows/email/ms10_045_outlook_ref_only                            2010-06-01       excellent  No     Outlook ATTACH_BY_REF_ONLY File Execution
   239  exploit/windows/email/ms10_045_outlook_ref_resolve                         2010-06-01       excellent  No     Outlook ATTACH_BY_REF_RESOLVE File Execution
   240  exploit/unix/webapp/pajax_remote_exec                                      2006-03-30       excellent  No     PAJAX Remote Command Execution
   241  exploit/multi/fileformat/archive_tar_arb_file_write                        2020-11-17       excellent  No     PEAR Archive_Tar 1.4.10 Arbitrary File Write
   242  exploit/multi/php/php_unserialize_zval_cookie                              2007-03-04       average    Yes    PHP 4 unserialize() ZVAL Reference Counter Overflow (Cookie)
   243  encoder/php/base64                                                                          great      No     PHP Base64 Encoder
   244  exploit/multi/http/php_cgi_arg_injection                                   2012-05-03       excellent  Yes    PHP CGI Argument Injection
   245  payload/php/bind_php                                                                        normal     No     PHP Command Shell, Bind TCP (via PHP)
   246  payload/php/bind_perl                                                                       normal     No     PHP Command Shell, Bind TCP (via Perl)
   247  payload/php/bind_perl_ipv6                                                                  normal     No     PHP Command Shell, Bind TCP (via perl) IPv6
   248  payload/php/bind_php_ipv6                                                                   normal     No     PHP Command Shell, Bind TCP (via php) IPv6
   249  payload/php/shell_findsock                                                                  normal     No     PHP Command Shell, Find Sock
   250  payload/php/reverse_php                                                                     normal     No     PHP Command Shell, Reverse TCP (via PHP)
   251  payload/php/reverse_perl                                                                    normal     No     PHP Command, Double Reverse TCP Connection (via Perl)
   252  payload/php/download_exec                                                                   normal     No     PHP Executable Download and Execute
   253  payload/php/exec                                                                            normal     No     PHP Execute Command
   254  exploit/multi/misc/pbot_exec                                               2009-11-02       excellent  Yes    PHP IRC Bot pbot eval() Remote Code Execution
   255  exploit/unix/http/laravel_token_unserialize_exec                           2018-08-07       excellent  Yes    PHP Laravel Framework token Unserialize Remote Command Execution
   256  payload/php/meterpreter/bind_tcp                                                            normal     No     PHP Meterpreter, Bind TCP Stager
   257  payload/php/meterpreter/bind_tcp_ipv6                                                       normal     No     PHP Meterpreter, Bind TCP Stager IPv6
   258  payload/php/meterpreter/bind_tcp_ipv6_uuid                                                  normal     No     PHP Meterpreter, Bind TCP Stager IPv6 with UUID Support
   259  payload/php/meterpreter/bind_tcp_uuid                                                       normal     No     PHP Meterpreter, Bind TCP Stager with UUID Support
   260  payload/php/meterpreter/reverse_tcp                                                         normal     No     PHP Meterpreter, PHP Reverse TCP Stager
   261  payload/php/meterpreter/reverse_tcp_uuid                                                    normal     No     PHP Meterpreter, PHP Reverse TCP Stager
   262  payload/php/meterpreter_reverse_tcp                                                         normal     No     PHP Meterpreter, Reverse TCP Inline
   263  nop/php/generic                                                                             normal     No     PHP Nop Generator
   264  exploit/unix/webapp/php_include                                            2006-12-17       normal     Yes    PHP Remote File Include Generic Code Execution
   265  exploit/multi/http/php_utility_belt_rce                                    2015-12-08       excellent  Yes    PHP Utility Belt Remote Code Execution
   266  exploit/multi/http/php_volunteer_upload_exec                               2012-05-28       excellent  No     PHP Volunteer Management System v1.0.2 Arbitrary File Upload Vulnerability
   267  exploit/unix/webapp/php_xmlrpc_eval                                        2005-06-29       excellent  Yes    PHP XML-RPC Arbitrary Code Execution
   268  exploit/windows/http/php_apache_request_headers_bof                        2012-05-08       normal     No     PHP apache_request_headers Function Buffer Overflow
   269  exploit/unix/webapp/php_charts_exec                                        2013-01-16       excellent  Yes    PHP-Charts v1.0 PHP Code Execution Vulnerability
   270  exploit/multi/http/php_fpm_rce                                             2019-10-22       normal     Yes    PHP-FPM Underflow RCE
   271  exploit/multi/http/phpmailer_arg_injection                                 2016-12-26       manual     No     PHPMailer Sendmail Argument Injection
   272  exploit/multi/http/phpmoadmin_exec                                         2015-03-03       excellent  Yes    PHPMoAdmin 1.1.2 Remote Code Execution
   273  exploit/multi/http/phpstudy_backdoor_rce                                   2019-09-20       excellent  Yes    PHPStudy Backdoor Remote Code execution
   274  exploit/linux/http/pandora_fms_events_exec                                 2020-06-04       excellent  Yes    Pandora FMS Events Remote Command Execution
   275  exploit/linux/http/pandora_ping_cmd_exec                                   2020-03-09       excellent  Yes    Pandora FMS Ping Authenticated Remote Code Execution
   276  auxiliary/analyze/crack_webapps                                                             normal     No     Password Cracker: Webapps
   277  exploit/windows/local/vss_persistence                                      2011-10-21       excellent  No     Persistent Payload in Windows Volume Shadow Copy
   278  exploit/multi/http/phoenix_exec                                            2016-07-01       excellent  Yes    Phoenix Exploit Kit Remote Code Execution
   279  exploit/unix/webapp/phpmyadmin_config                                      2009-03-24       excellent  No     PhpMyAdmin Config File Code Injection
   280  auxiliary/scanner/http/phpmyadmin_login                                                     normal     No     PhpMyAdmin Login Scanner
   281  exploit/multi/http/phptax_exec                                             2012-10-08       excellent  Yes    PhpTax pfilez Parameter Exec Remote Code Injection
   282  post/linux/gather/phpmyadmin_credsteal                                                      normal     No     Phpmyadmin credentials stealer
   283  exploit/multi/http/phpwiki_ploticus_exec                                   2014-09-11       excellent  No     Phpwiki Ploticus Remote Code Execution
   284  exploit/unix/http/pihole_blocklist_exec                                    2020-05-10       excellent  Yes    Pi-Hole heisenbergCompensator Blocklist OS Command Execution
   285  auxiliary/gather/pimcore_creds_sqli                                        2018-08-13       normal     No     Pimcore Gather Credentials via SQL Injection
   286  exploit/multi/http/pimcore_unserialize_rce                                 2019-03-11       normal     Yes    Pimcore Unserialize RCE
   287  exploit/linux/http/pineapp_ldapsyncnow_exec                                2013-07-26       excellent  Yes    PineApp Mail-SeCure ldapsyncnow.php Arbitrary Command Execution
   288  exploit/linux/http/pineapp_livelog_exec                                    2013-07-26       excellent  Yes    PineApp Mail-SeCure livelog.html Arbitrary Command Execution
   289  exploit/linux/http/pineapp_test_li_conn_exec                               2013-07-26       excellent  Yes    PineApp Mail-SeCure test_li_connection.php Arbitrary Command Execution
   290  exploit/multi/http/playsms_uploadcsv_exec                                  2017-05-21       excellent  Yes    PlaySMS import.php Authenticated CSV File Upload Code Execution
   291  exploit/multi/http/playsms_template_injection                              2020-02-05       excellent  Yes    PlaySMS index.php Unauthenticated Template Injection Code Execution
   292  exploit/multi/http/playsms_filename_exec                                   2017-05-21       excellent  Yes    PlaySMS sendfromfile.php Authenticated "Filename" Field Code Execution
   293  exploit/multi/http/pmwiki_pagelist                                         2011-11-09       excellent  Yes    PmWiki pagelist.php Remote PHP Code Injection Exploit
   294  exploit/multi/http/polarcms_upload_exec                                    2012-01-21       excellent  Yes    PolarBear CMS PHP File Upload Vulnerability
   295  auxiliary/scanner/postgres/postgres_login                                                   normal     No     PostgreSQL Login Utility
   296  exploit/windows/ftp/proftp_banner                                          2009-08-25       normal     No     ProFTP 2.9 Banner Remote Buffer Overflow
   297  exploit/unix/ftp/proftpd_modcopy_exec                                      2015-04-22       excellent  Yes    ProFTPD 1.3.5 Mod_Copy Command Execution
   298  exploit/multi/http/processmaker_exec                                       2013-10-24       excellent  Yes    ProcessMaker Open Source Authenticated PHP Code Execution
   299  exploit/multi/http/processmaker_plugin_upload                              2010-08-25       excellent  No     ProcessMaker Plugin Upload
   300  exploit/unix/webapp/projectpier_upload_exec                                2012-10-08       excellent  Yes    Project Pier Arbitrary File Upload Vulnerability
   301  exploit/unix/webapp/projectsend_upload_exec                                2014-12-02       excellent  Yes    ProjectSend Arbitrary File Upload
   302  exploit/linux/misc/qnap_transcode_server                                   2017-08-06       excellent  Yes    QNAP Transcode Server Command Execution
   303  exploit/unix/http/quest_kace_systems_management_rce                        2018-05-31       excellent  Yes    Quest KACE Systems Management Command Injection
   304  exploit/multi/misc/ra1nx_pubcall_exec                                      2013-03-24       great      Yes    Ra1NX PHP Bot PubCall Authentication Bypass Remote Code Execution                                                                   
   305  exploit/windows/http/integard_password_bof                                 2010-09-07       great      No     Race River Integard Home/Pro LoginAdmin Password Stack Buffer Overflow
   306  exploit/linux/http/rconfig_ajaxarchivefiles_rce                            2020-03-11       good       Yes    Rconfig 3.x Chained Remote Code Execution
   307  exploit/windows/scada/realwin_on_fcs_login                                 2011-03-21       great      No     RealWin SCADA Server DATAC Login Buffer Overflow
   308  exploit/linux/http/piranha_passwd_exec                                     2000-04-04       excellent  No     RedHat Piranha Virtual Server Package passwd.php3 Arbitrary Command Execution
   309  payload/windows/dllinject/reverse_hop_http                                                  normal     No     Reflective DLL Injection, Reverse Hop HTTP/HTTPS Stager
   310  exploit/windows/http/rejetto_hfs_exec                                      2014-09-11       excellent  Yes    Rejetto HttpFileServer Remote Command Execution
   311  exploit/windows/misc/sap_netweaver_dispatcher                              2012-05-08       normal     No     SAP NetWeaver Dispatcher DiagTraceR3Info Buffer Overflow
   312  auxiliary/dos/sap/sap_soap_rfc_eps_delete_file                                              normal     No     SAP SOAP EPS_DELETE_FILE File Deletion
   313  exploit/unix/webapp/spip_connect_exec                                      2012-07-04       excellent  Yes    SPIP connect Parameter PHP Injection
   314  exploit/multi/http/stunshell_exec                                          2013-03-23       great      Yes    STUNSHELL Web Shell Remote Code Execution
   315  exploit/multi/http/stunshell_eval                                          2013-03-23       great      Yes    STUNSHELL Web Shell Remote PHP Code Execution
   316  exploit/windows//safenet_ike_11                                         2009-06-01       average    No     SafeNet SoftRemote IKE Service Buffer Overflow
   317  exploit/multi/samba/usermap_script                                         2007-05-14       excellent  No     Samba "username map script" Command Execution
   318  exploit/linux/samba/chain_reply                                            2010-06-16       good       No     Samba chain_reply Memory Corruption (Linux x86)
   319  exploit/linux/http/samsung_srv_1670d_upload_exec                           2017-03-14       good       Yes    Samsung SRN-1670D Web Viewer Version 1.0.0.193 Arbitrary File Read and Upload
   320  exploit/multi/script/web_delivery                                          2013-07-19       manual     No     Script Web Delivery
   321  exploit/unix/webapp/seportal_sqli_exec                                     2014-03-20       excellent  Yes    SePortal SQLi Remote Code Execution
   322  exploit/linux/http/seagate_nas_php_exec_noauth                             2015-03-01       normal     Yes    Seagate Business NAS Unauthenticated Remote Command Execution
   323  exploit/windows/ftp/seagull_list_reply                                     2010-10-12       good       No     Seagull FTP v3.3 Build 409 Stack Buffer Overflow
   324  exploit/windows/http/serviio_checkstreamurl_cmd_exec                       2017-05-03       excellent  Yes    Serviio Media Server checkStreamUrl Command Execution
   325  exploit/multi/http/sflog_upload_exec                                       2012-07-06       excellent  Yes    Sflog! CMS 1.0 Arbitrary File Upload Vulnerability
   326  exploit/multi/http/shopware_createinstancefromnamedarguments_rce           2019-05-09       excellent  Yes    Shopware createInstanceFromNamedArguments PHP Object Instantiation RCE
   327  exploit/unix/webapp/simple_e_document_upload_exec                          2014-01-23       excellent  Yes    Simple E-Document Arbitrary File Upload
   328  auxiliary/fuzzers/ftp/client_ftp                                                            normal     No     Simple FTP Client Fuzzer
   329  exploit/unix/webapp/sphpblog_file_upload                                   2005-08-25       excellent  Yes    Simple PHP Blog Remote Command Execution                                                                                            
   330  exploit/multi/php/wp_duplicator_code_inject                                2018-08-29       manual     Yes    Snap Creek Duplicator WordPress plugin code injection
   331  exploit/multi/http/snortreport_exec                                        2011-09-19       excellent  No     Snortreport nmap.php/nbtscan.php Remote Command Execution
   332  exploit/solaris/local/libnspr_nspr_log_file_priv_esc                       2006-10-11       excellent  Yes    Solaris libnspr NSPR_LOG_FILE Privilege Escalation
   333  exploit/freebsd/webapp/spamtitan_unauth_rce                                2020-04-17       normal     Yes    SpamTitan Unauthenticated RCE
   334  exploit/unix/webapp/squirrelmail_pgp_plugin                                2007-07-09       manual     No     SquirrelMail PGP Plugin Command Execution (SMTP)
   335  exploit/unix/webapp/sugarcrm_rest_unserialize_exec                         2016-06-23       excellent  No     SugarCRM REST Unserialize PHP Code Execution
   336  exploit/unix/webapp/sugarcrm_unserialize_exec                              2012-06-23       excellent  No     SugarCRM unserialize() PHP Code Execution
   337  exploit/linux/http/suitecrm_log_file_rce                                   2021-04-28       good       Yes    SuiteCRM Log File Remote Code Execution
   338  exploit/windows/browser/java_docbase_bof                                   2010-10-12       great      No     Sun Java Runtime New Plugin docbase Buffer Overflow
   339  exploit/windows/browser/java_ws_arginject_altjvm                           2010-04-09       excellent  No     Sun Java Web Start Plugin Command Line Argument Injection
   340  exploit/multi/http/sit_file_upload                                         2011-11-10       excellent  Yes    Support Incident Tracker Remote Command Execution
   341  auxiliary/scanner/http/sybase_easerver_traversal                           2011-05-25       normal     No     Sybase Easerver 6.3 Directory Traversal
   342  exploit/linux/http/symantec_web_gateway_restore                            2014-12-16       excellent  Yes    Symantec Web Gateway 5 restore.php Post Authentication Command Injection
   343  exploit/linux/http/symantec_web_gateway_pbcontrol                          2012-07-23       excellent  Yes    Symantec Web Gateway 5.0.2.18 pbcontrol.php Command Injection
   344  exploit/linux/http/symantec_web_gateway_file_upload                        2012-05-17       excellent  Yes    Symantec Web Gateway 5.0.2.8 Arbitrary PHP File Upload Vulnerability
   345  exploit/linux/http/symantec_web_gateway_exec                               2012-05-17       excellent  Yes    Symantec Web Gateway 5.0.2.8 ipchange.php Command Injection
   346  exploit/linux/http/symantec_web_gateway_lfi                                2012-05-17       excellent  Yes    Symantec Web Gateway 5.0.2.8 relfile File Inclusion Vulnerability
   347  auxiliary/admin/http/typo3_news_module_sqli                                2017-04-06       normal     No     TYPO3 News Module SQL Injection
   348  auxiliary/gather/teamtalk_creds                                                             normal     No     TeamTalk Gather Credentials
   349  auxiliary/admin/http/telpho10_credential_dump                              2016-09-02       normal     No     Telpho10 Backup Credentials Dumper
   350  exploit/multi/http/mma_backdoor_upload                                     2012-04-02       excellent  Yes    Th3 MMA mma.php Backdoor Arbitrary File Upload
   351  exploit/unix/webapp/thinkphp_rce                                           2018-12-10       excellent  Yes    ThinkPHP Multiple PHP Injection RCEs                                                                                                
   352  exploit/unix/webapp/tikiwiki_upload_exec                                   2016-07-11       excellent  Yes    Tiki Wiki Unauthenticated File Upload Vulnerability
   353  exploit/unix/webapp/tikiwiki_unserialize_exec                              2012-07-04       excellent  No     Tiki Wiki unserialize() PHP Code Execution
   354  exploit/unix/webapp/tikiwiki_jhot_exec                                     2006-09-02       excellent  Yes    TikiWiki jhot Remote Command Execution
   355  exploit/unix/webapp/tikiwiki_graph_formula_exec                            2007-10-10       excellent  Yes    TikiWiki tiki-graph_formula Remote PHP Code Execution
   356  exploit/windows/smb/timbuktu_plughntcommand_bof                            2009-06-25       great      No     Timbuktu PlughNTCommand Named Pipe Buffer Overflow
   357  exploit/windows/http/trackercam_phparg_overflow                            2005-02-18       average    Yes    TrackerCam PHP Argument Buffer Overflow
   358  exploit/multi/http/traq_plugin_exec                                        2011-12-12       excellent  Yes    Traq admincp/common.php Remote Code Execution
   359  exploit/linux/http/trendmicro_imsva_widget_exec                            2017-10-07       excellent  Yes    Trend Micro InterScan Messaging Security (Virtual Appliance) Remote Code Execution
   360  exploit/windows/http/trendmicro_officescan_widget_exec                     2017-10-07       excellent  Yes    Trend Micro OfficeScan Remote Code Execution
   361  exploit/unix/webapp/trixbox_ce_endpoint_devicemap_rce                      2020-04-28       excellent  Yes    TrixBox CE endpoint_devicemap.php Authenticated Command Execution
   362  exploit/unix/webapp/trixbox_langchoice                                     2008-07-09       manual     Yes    Trixbox langChoice PHP Local File Inclusion
   363  exploit/linux/http/trueonline_billion_5200w_rce                            2016-12-26       excellent  No     TrueOnline / Billion 5200W-T Router Unauthenticated Command Injection
   364  exploit/linux/http/trueonline_p660hn_v1_rce                                2016-12-26       excellent  Yes    TrueOnline / ZyXEL P660HN-T v1 Router Unauthenticated Command Injection
   365  exploit/linux/http/trueonline_p660hn_v2_rce                                2016-12-26       excellent  Yes    TrueOnline / ZyXEL P660HN-T v2 Router Authenticated Command Injection
   366  exploit/unix/webapp/tuleap_rest_unserialize_exec                           2017-10-23       excellent  Yes    Tuleap 9.6 Second-Order PHP Object Injection
   367  exploit/unix/webapp/tuleap_unserialize_exec                                2014-11-27       excellent  Yes    Tuleap PHP Unserialize Code Execution                                                                                               
   368  exploit/windows/browser/ubisoft_uplay_cmd_exec                             2012-07-29       normal     No     Ubisoft uplay 2.0.3 ActiveX Control Arbitrary Code Execution
   369  payload/cmd/unix/reverse_php_ssl                                                            normal     No     Unix Command Shell, Reverse TCP SSL (via php)
   370  exploit/linux/http/unraid_auth_bypass_exec                                 2020-02-10       excellent  Yes    Unraid 6.8.0 Auth Bypass PHP Code Execution
   371  exploit/linux/http/vcms_upload                                             2011-11-27       excellent  Yes    V-CMS PHP File Upload and Execute                                                                                                   
   372  exploit/unix/webapp/vicidial_manager_send_cmd_exec                         2013-10-23       excellent  Yes    VICIdial Manager Send OS Command Injection
   373  exploit/unix/webapp/vicidial_user_authorization_unauth_cmd_exec            2017-05-26       excellent  Yes    VICIdial user_authorization Unauthenticated Command Execution
   374  auxiliary/scanner/vmware/vmware_update_manager_traversal                   2011-11-21       normal     No     VMWare Update Manager 4 Directory Traversal
   375  payload/windows/vncinject/reverse_hop_http                                                  normal     No     VNC Server (Reflective Injection), Reverse Hop HTTP/HTTPS Stager
   376  auxiliary/vsploit/malware/dns/dns_zeus                                                      normal     No     VSploit Zeus DNS Query Module
   377  exploit/windows/fileformat/videospirit_visprj                              2011-04-11       good       No     VeryTools Video Spirit Pro
   378  exploit/windows/local/virtual_box_opengl_escape                            2014-03-11       average    Yes    VirtualBox 3D Acceleration Virtual Machine Escape
   379  exploit/windows/fileformat/visiwave_vwr_type                               2011-05-20       great      No     VisiWave VWR File Parsing Vulnerability
   380  exploit/multi/http/vtiger_logo_upload_exec                                 2015-09-28       excellent  Yes    Vtiger CRM - Authenticated Logo Upload RCE
   381  exploit/linux/http/wanem_exec                                              2012-08-12       excellent  Yes    WAN Emulator v2.3 Command Execution
   382  exploit/linux/http/webid_converter                                         2011-07-05       excellent  Yes    WeBid converter.php Remote PHP Code Injection
   383  exploit/linux/http/webcalendar_settings_exec                               2012-04-23       excellent  Yes    WebCalendar 1.2.4 Pre-Auth Remote Code Injection
   384  exploit/windows/browser/webex_ucf_newobject                                2008-08-06       good       No     WebEx UCF atucfobj.dll ActiveX NewObject Method Buffer Overflow
   385  exploit/multi/http/webnms_file_upload                                      2016-07-04       excellent  Yes    WebNMS Framework Server Arbitrary File Upload
   386  auxiliary/admin/http/webnms_file_download                                  2016-07-04       normal     No     WebNMS Framework Server Arbitrary Text File Download
   387  auxiliary/admin/http/webnms_cred_disclosure                                2016-07-04       normal     No     WebNMS Framework Server Credential Disclosure
   388  exploit/multi/http/webpagetest_upload_exec                                 2012-07-13       excellent  Yes    WebPageTest Arbitrary PHP File Upload
   389  auxiliary/scanner/http/webpagetest_traversal                               2012-07-13       normal     No     WebPageTest Directory Traversal
   390  exploit/unix/webapp/webtester_exec                                         2013-10-17       excellent  Yes    WebTester 5.x Command Execution
   391  exploit/unix/webapp/arkeia_upload_exec                                     2013-09-16       excellent  Yes    Western Digital Arkeia Remote Code Execution
   392  exploit/linux/http/wd_mycloud_multiupload_upload                           2017-07-29       excellent  Yes    Western Digital MyCloud multi_uploadify File Upload Vulnerability
   393  exploit/multi/http/wikka_spam_exec                                         2011-11-30       excellent  Yes    WikkaWiki 1.3.2 Spam Logging PHP Injection
   394  exploit/windows/local/cve_2021_1732_win32k                                 2021-02-10       good       Yes    Win32k ConsoleControl Offset Confusion
   395  post/windows/escalate/ms10_073_kbdlayout                                   2010-10-12       normal     No     Windows Escalate NtUserLoadKeyboardLayoutEx Privilege Escalation
   396  payload/windows/meterpreter/reverse_hop_http                                                normal     No     Windows Meterpreter (Reflective Injection), Reverse Hop HTTP/HTTPS Stager
   397  exploit/multi/http/wp_ait_csv_rce                                          2020-11-14       excellent  Yes    WordPress AIT CSV Import Export Unauthenticated Remote Code Execution
   398  exploit/unix/webapp/wp_asset_manager_upload_exec                           2012-05-26       excellent  Yes    WordPress Asset-Manager PHP File Upload Vulnerability
   399  auxiliary/scanner/http/wp_chopslider_id_sqli                               2020-05-12       normal     No     WordPress ChopSlider3 id SQLi Scanner
   400  exploit/multi/http/wp_file_manager_rce                                     2020-09-09       normal     Yes    WordPress File Manager Unauthenticated Remote Code Execution
   401  auxiliary/scanner/http/wp_gimedia_library_file_read                                         normal     No     WordPress GI-Media Library Plugin Directory Traversal Vulnerability
   402  exploit/unix/webapp/wp_holding_pattern_file_upload                         2015-02-11       excellent  Yes    WordPress Holding Pattern Theme Arbitrary File Upload
   403  exploit/unix/webapp/wp_infinitewp_auth_bypass                              2020-01-14       manual     Yes    WordPress InfiniteWP Client Authentication Bypass
   404  exploit/multi/http/wp_ninja_forms_unauthenticated_file_upload              2016-05-04       excellent  Yes    WordPress Ninja Forms Unauthenticated File Upload
   405  exploit/unix/webapp/wp_optimizepress_upload                                2013-11-29       excellent  Yes    WordPress OptimizePress Theme File Upload Vulnerability
   406  exploit/unix/webapp/wp_phpmailer_host_header                               2017-05-03       average    Yes    WordPress PHPMailer Host Header Command Injection
   407  exploit/unix/webapp/wp_photo_gallery_unrestricted_file_upload              2014-11-11       excellent  Yes    WordPress Photo Gallery Unrestricted File Upload
   408  exploit/unix/webapp/wp_pixabay_images_upload                               2015-01-19       excellent  Yes    WordPress Pixabay Images PHP Code Upload
   409  exploit/unix/webapp/wp_platform_exec                                       2015-01-21       excellent  No     WordPress Platform Theme File Upload Vulnerability
   410  exploit/unix/webapp/wp_advanced_custom_fields_exec                         2012-11-14       excellent  Yes    WordPress Plugin Advanced Custom Fields Remote File Inclusion
   411  exploit/unix/webapp/wp_foxypress_upload                                    2012-06-05       excellent  Yes    WordPress Plugin Foxypress uploadify.php Arbitrary Code Execution
   412  exploit/unix/webapp/wp_google_document_embedder_exec                       2013-01-03       normal     Yes    WordPress Plugin Google Document Embedder Arbitrary File Disclosure
   413  auxiliary/scanner/http/wordpress_content_injection                         2017-02-01       normal     Yes    WordPress REST API Content Injection
   414  exploit/unix/webapp/wp_revslider_upload_execute                            2014-11-26       excellent  Yes    WordPress RevSlider File Upload and Execute Vulnerability
   415  exploit/multi/http/wp_simple_file_list_rce                                 2020-04-27       good       Yes    WordPress Simple File List Unauthenticated Remote Code Execution
   416  auxiliary/admin/http/wp_symposium_sql_injection                            2015-08-18       normal     Yes    WordPress Symposium Plugin SQL Injection
   417  auxiliary/scanner/http/wp_total_upkeep_downloader                          2020-12-12       normal     No     WordPress Total Upkeep Unauthenticated Backup Downloader
   418  auxiliary/dos/http/wordpress_directory_traversal_dos                                        normal     No     WordPress Traversal Directory DoS
   419  auxiliary/gather/wp_ultimate_csv_importer_user_extract                     2015-02-02       normal     Yes    WordPress Ultimate CSV Importer User Table Extract
   420  exploit/unix/webapp/wp_total_cache_exec                                    2013-04-17       excellent  Yes    WordPress W3 Total Cache PHP Code Execution
   421  auxiliary/admin/http/wp_easycart_privilege_escalation                      2015-02-25       normal     Yes    WordPress WP EasyCart Plugin Privilege Escalation
   422  exploit/unix/webapp/wp_easycart_unrestricted_file_upload                   2015-01-08       excellent  No     WordPress WP EasyCart Unrestricted File Upload
   423  auxiliary/admin/http/wp_gdpr_compliance_privesc                            2018-11-08       normal     Yes    WordPress WP GDPR Compliance Plugin Privilege Escalation
   424  exploit/unix/webapp/wp_mobile_detector_upload_execute                      2016-05-31       excellent  Yes    WordPress WP Mobile Detector 3.5 Shell Upload
   425  exploit/unix/webapp/wp_symposium_shell_upload                              2014-12-11       excellent  Yes    WordPress WP Symposium 14.11 Shell Upload
   426  exploit/unix/webapp/wp_property_upload_exec                                2012-03-26       excellent  Yes    WordPress WP-Property PHP File Upload Vulnerability
   427  auxiliary/admin/http/wp_wplms_privilege_escalation                         2015-02-09       normal     Yes    WordPress WPLMS Theme Privilege Escalation
   428  exploit/unix/webapp/wp_wpshop_ecommerce_file_upload                        2015-03-09       excellent  Yes    WordPress WPshop eCommerce Arbitrary File Upload Vulnerability
   429  exploit/unix/webapp/wp_lastpost_exec                                       2005-08-09       excellent  No     WordPress cache_lastpostdate Arbitrary Code Execution
   430  exploit/unix/webapp/wp_wpdiscuz_unauthenticated_file_upload                2020-02-21       excellent  Yes    WordPress wpDiscuz Unauthenticated File Upload Vulnerability
   431  exploit/unix/webapp/wp_ajax_load_more_file_upload                          2015-10-10       excellent  Yes    Wordpress Ajax Load More PHP Upload Vulnerability
   432  exploit/unix/webapp/wp_creativecontactform_file_upload                     2014-10-22       excellent  Yes    Wordpress Creative Contact Form Upload Vulnerability
   433  exploit/multi/http/wp_dnd_mul_file_rce                                     2020-05-11       excellent  Yes    Wordpress Drag and Drop Multi File Uploader RCE
   434  exploit/unix/webapp/wp_inboundio_marketing_file_upload                     2015-03-24       excellent  Yes    Wordpress InBoundio Marketing PHP Upload Vulnerability
   435  exploit/unix/webapp/wp_infusionsoft_upload                                 2014-09-25       excellent  Yes    Wordpress InfusionSoft Upload Vulnerability
   436  auxiliary/scanner/http/wp_learnpress_sqli                                  2020-04-29       normal     No     Wordpress LearnPress current_items Authenticated SQLi
   437  exploit/unix/webapp/wp_wysija_newsletters_upload                           2014-07-01       excellent  Yes    Wordpress MailPoet Newsletters (wysija-newsletters) Unauthenticated File Upload
   438  exploit/unix/webapp/wp_nmediawebsite_file_upload                           2015-04-12       excellent  Yes    Wordpress N-Media Website Contact Form Upload Vulnerability
   439  exploit/unix/webapp/wp_plainview_activity_monitor_rce                      2018-08-26       excellent  Yes    Wordpress Plainview Activity Monitor RCE
   440  exploit/multi/http/wp_plugin_backup_guard_rce                              2021-05-04       excellent  Yes    Wordpress Plugin Backup Guard - Authenticated Remote Code Execution
   441  exploit/multi/http/wp_plugin_modern_events_calendar_rce                    2021-01-29       excellent  Yes    Wordpress Plugin Modern Events Calendar - Authenticated Remote Code Execution
   442  exploit/multi/http/wp_plugin_sp_project_document_rce                       2021-06-14       excellent  Yes    Wordpress Plugin SP Project and Document - Authenticated Remote Code Execution
   443  exploit/unix/webapp/wp_reflexgallery_file_upload                           2012-12-30       excellent  Yes    Wordpress Reflex Gallery Upload Vulnerability
   444  exploit/unix/webapp/wp_worktheflow_upload                                  2015-03-14       excellent  Yes    Wordpress Work The Flow Upload Vulnerability
   445  exploit/multi/http/x7chat2_php_exec                                        2014-10-27       excellent  Yes    X7 Chat 2.0.5 lib/message.php preg_replace() PHP Code Execution
   446  exploit/windows/http/xampp_webdav_upload_php                               2012-01-14       excellent  No     XAMPP WebDAV PHP Upload
   447  auxiliary/gather/xbmc_traversal                                            2012-11-04       normal     No     XBMC Web Server Directory Traversal
   448  exploit/unix/webapp/xoda_file_upload                                       2012-08-21       excellent  Yes    XODA 0.4.5 Arbitrary PHP File Upload Vulnerability
   449  exploit/windows/browser/yahoomessenger_fvcom                               2007-08-30       normal     No     Yahoo! Messenger YVerInfo.dll ActiveX Control Buffer Overflow
   450  exploit/unix/webapp/zpanel_username_exec                                   2013-06-07       excellent  Yes    ZPanel 10.0.0.2 htpasswd Module Username Command Execution
   451  exploit/linux/http/zabbix_sqli                                             2013-09-23       excellent  Yes    Zabbix 2.0.8 SQL Injection and Remote Code Execution
   452  exploit/multi/misc/zend_java_bridge                                        2011-03-28       great      No     Zend Server Java Bridge Arbitrary Java Code Execution
   453  exploit/unix/webapp/zoneminder_packagecontrol_exec                         2013-01-22       excellent  Yes    ZoneMinder Video Server packageControl Command Execution
   454  exploit/multi/http/zpanel_information_disclosure_rce                       2014-01-30       excellent  No     Zpanel Remote Unauthenticated RCE
   455  exploit/multi/http/apprain_upload_exec                                     2012-01-19       excellent  Yes    appRain CMF Arbitrary PHP File Upload Vulnerability
   456  exploit/unix/webapp/jquery_file_upload                                     2018-10-09       excellent  Yes    blueimp's jQuery (Arbitrary) File Upload
   457  exploit/linux/local/blueman_set_dhcp_handler_dbus_priv_esc                 2015-12-18       excellent  Yes    blueman set_dhcp_handler D-Bus Privilege Escalation
   458  exploit/linux/http/elfinder_archive_cmd_injection                          2021-06-13       excellent  Yes    elFinder Archive Command Injection
   459  exploit/unix/webapp/elfinder_php_connector_exiftran_cmd_injection          2019-02-26       excellent  Yes    elFinder PHP Connector exiftran Command Injection
   460  exploit/unix/webapp/mybb_backdoor                                          2011-10-06       excellent  Yes    myBB 1.6.4 Backdoor Arbitrary Command Execution
   461  exploit/unix/webapp/opensis_chain_exec                                     2020-06-30       excellent  Yes    openSIS Unauthenticated PHP Code Execution
   462  exploit/unix/webapp/oscommerce_filemanager                                 2009-08-31       excellent  No     osCommerce 2.2 Arbitrary PHP Code Execution
   463  exploit/multi/http/oscommerce_installer_unauth_code_exec                   2018-04-30       excellent  Yes    osCommerce Installer Unauthenticated Code Execution
   464  exploit/unix/http/pfsense_graph_injection_exec                             2016-04-18       excellent  No     pfSense authenticated graph status RCE
   465  exploit/unix/http/pfsense_group_member_exec                                2017-11-06       excellent  Yes    pfSense authenticated group member RCE
   466  exploit/linux/http/php_imap_open_rce                                       2018-10-23       good       Yes    php imap_open Remote Code Execution
   467  exploit/unix/webapp/phpbb_highlight                                        2004-11-12       excellent  No     phpBB viewtopic.php Arbitrary Code Execution
   468  exploit/unix/webapp/phpcollab_upload_exec                                  2017-09-29       excellent  Yes    phpCollab 2.5.1 Unauthenticated File Upload
   469  exploit/multi/http/phpfilemanager_rce                                      2015-08-28       excellent  Yes    phpFileManager 0.9.8 Remote Code Execution
   470  exploit/multi/http/phpldapadmin_query_engine                               2011-10-24       excellent  Yes    phpLDAPadmin query_engine Remote PHP Code Injection
   471  exploit/multi/http/phpmyadmin_3522_backdoor                                2012-09-25       normal     No     phpMyAdmin 3.5.2.2 server_sync.php Backdoor
   472  exploit/multi/http/phpmyadmin_lfi_rce                                      2018-06-19       good       Yes    phpMyAdmin Authenticated Remote Code Execution
   473  exploit/multi/http/phpmyadmin_null_termination_exec                        2016-06-23       excellent  Yes    phpMyAdmin Authenticated Remote Code Execution
   474  exploit/multi/http/phpmyadmin_preg_replace                                 2013-04-25       excellent  Yes    phpMyAdmin Authenticated Remote Code Execution via preg_replace()
   475  exploit/multi/http/phpscheduleit_start_date                                2008-10-01       excellent  Yes    phpScheduleIt PHP reserve.php start_date Parameter Arbitrary Code Injection
   476  encoder/cmd/printf_php_mq                                                                   manual     No     printf(1) via PHP magic_quotes Utility Command Encoder
   477  exploit/multi/http/qdpm_upload_exec                                        2012-06-14       excellent  Yes    qdPM v7 Arbitrary PHP File Upload Vulnerability
   478  exploit/linux/http/rconfig_vendors_auth_file_upload_rce                    2021-03-17       excellent  Yes    rConfig Vendors Auth File Upload RCE
   479  exploit/unix/webapp/rconfig_install_cmd_exec                               2019-10-28       excellent  Yes    rConfig install Command Execution
   480  exploit/multi/http/v0pcr3w_exec                                            2013-03-23       great      Yes    v0pCr3w Web Shell Remote Code Execution
   481  exploit/multi/http/vbseo_proc_deutf                                        2012-01-23       excellent  Yes    vBSEO proc_deutf() Remote PHP Code Injection
   482  exploit/multi/http/vbulletin_unserialize                                   2015-11-04       excellent  Yes    vBulletin 5.1.2 Unserialize Code Execution
   483  exploit/multi/http/vbulletin_widget_template_rce                           2020-08-09       excellent  Yes    vBulletin 5.x /ajax/render/widget_tabbedcontainer_tab_panel PHP remote code execution.
   484  auxiliary/admin/http/vbulletin_upgrade_admin                               2013-10-09       normal     No     vBulletin Administrator Account Creation
   485  exploit/unix/webapp/vbulletin_vote_sqli_exec                               2013-03-25       excellent  Yes    vBulletin index.php/ajax/api/reputation/vote nodeid Parameter SQL Injection
   486  exploit/unix/webapp/php_vbulletin_template                                 2005-02-25       excellent  Yes    vBulletin misc.php Template Name Arbitrary Code Execution
   487  exploit/multi/http/vbulletin_widgetconfig_rce                              2019-09-23       excellent  Yes    vBulletin widgetConfig RCE
   488  exploit/multi/http/vtiger_soap_upload                                      2013-03-26       excellent  Yes    vTiger CRM SOAP AddEmailAttachment Arbitrary File Upload
   489  exploit/multi/http/vtiger_php_exec                                         2013-10-30       excellent  Yes    vTigerCRM v5.4.0/v5.3.0 Authenticated Remote Code Execution
   490  exploit/unix/http/xdebug_unauth_exec                                       2017-09-17       excellent  Yes    xdebug Unauthenticated OS Command Execution

Interact with a module by name or index. For example info 490, use 490 or use exploit/unix/http/xdebug_unauth_exec

5.4 小结

  1. 指纹扫描与网站目录扫描一样,是为针对目标主机80端口进行渗透而进行的准备工作。
  2. 对目标主机进行指纹识别后结论如下:
    1. 目标网站搭建在Windows 32位系统上,暂时没有扫描到具体系统版本及漏洞,后续应加强。
    2. 目标网站中间件Apache版本为2.4.23,在MSF控制台下可以找到Apache平台有106个漏洞,暂未对每个漏洞详细查看其影响版本。
    3. 目标网站中间件OpenSSL版本为1.0.2,在MSF控制台下可以找到OpenSSL有106个漏洞,暂未对每个漏洞详细查看其影响版本。
    4. 目标网站中间件PHP版本为5.4.45,在MSF控制台下可以找到PHP语言有491个OpenSSL,暂未对每个漏洞详细查看其影响版本。
    5. 目标采用CMS系统是drupal,未扫描到具体版本,在MSF控制台下可以找到对应该CMS系统有漏洞8个。
  3. 实际渗透测试应根据目标主机中间件和系统版本,测试每一个可能存在的漏洞。
  4. 应进一步学习如何批量测验漏洞是否存在的方法。

6 总结

  1. 信息收集主要是为后续渗透测试提供了方向,信息收集内容越完善,后续渗透测试将越全面越精准。
  2. 渗透方向:
    1. 对于139端口,是samba服务端口,可以考虑爆破、未授权访问、远程代码执行。
    2. 对于445端口,是SMB服务端口,可以考虑空会话攻击。
    3. 对于3306端口,可以考虑注入、提权、爆破。
    4. 对于80端口,可以考虑Web 攻击、爆破、对应服务器版本漏洞。
      1. 目标网站搭建在Windows 32位系统上,暂时没有扫描到具体系统版本及漏洞,后续应加强。
      2. 目标网站中间件Apache版本为2.4.23,在MSF控制台下可以找到Apache平台有106个漏洞,暂未对每个漏洞详细查看其影响版本。
      3. 目标网站中间件OpenSSL版本为1.0.2,在MSF控制台下可以找到OpenSSL有106个漏洞,暂未对每个漏洞详细查看其影响版本。
      4. 目标网站中间件PHP版本为5.4.45,在MSF控制台下可以找到PHP语言有491个OpenSSL,暂未对每个漏洞详细查看其影响版本。
      5. 目标采用CMS系统是drupal,未扫描到具体版本,在MSF控制台下可以找到对应该CMS系统有漏洞8个。
  3. 后续内容将针对上述方向逐个进行渗透,对于中间件漏洞只以其一作为例子。
  4. 现阶段不足之处:
    1. 对网站目录扫描结果不近人意;
    2. 收集站点指纹信息时,没有收集到系统和CMS的版本;
    3. 收集中间件及系统漏洞时,没有收集到针对其版本的漏洞,这将给后续渗透测试增加了不少工作量。

参考文献

  1. 《渗透测试流程和简单案例》
  2. 《渗透测试信息收集的种类及方法》

你可能感兴趣的:(#,筑基08:渗透测试综合实验,渗透测试,网络安全)