|
71657 | 71657 | "session_types": false, |
71658 | 71658 | "needs_cleanup": null |
71659 | 71659 | }, |
| 71660 | + "exploit_linux/http/control_web_panel_api_cmd_exec": { |
| 71661 | + "name": "Control Web Panel /admin/index.php Unauthenticated RCE", |
| 71662 | + "fullname": "exploit/linux/http/control_web_panel_api_cmd_exec", |
| 71663 | + "aliases": [], |
| 71664 | + "rank": 600, |
| 71665 | + "disclosure_date": "2025-12-16", |
| 71666 | + "type": "exploit", |
| 71667 | + "author": [ |
| 71668 | + "Lukas Johannes Möller", |
| 71669 | + "Egidio Romano" |
| 71670 | + ], |
| 71671 | + "description": "Control Web Panel (CWP) versions <= 0.9.8.1208 are vulnerable to\n unauthenticated OS command injection. User input passed via the\n \"key\" GET parameter to /admin/index.php (when the \"api\" parameter is set)\n is not properly sanitized before being used to execute OS commands.\n This can be exploited by unauthenticated attackers to inject and execute\n arbitrary OS commands with the privileges of the root user on the web server.\n\n Successful exploitation usually requires \"Softaculous\" and/or \"SitePad\"\n to be installed through the Scripts Manager.", |
| 71672 | + "references": [ |
| 71673 | + "CVE-2025-67888", |
| 71674 | + "URL-https://karmainsecurity.com/KIS-2025-09", |
| 71675 | + "URL-https://www.cve.org/CVERecord?id=CVE-2025-67888", |
| 71676 | + "URL-https://control-webpanel.com" |
| 71677 | + ], |
| 71678 | + "platform": "Linux,Unix", |
| 71679 | + "arch": "x86, x86_64, x64, mips, mipsle, mipsbe, mips64, mips64le, ppc, ppce500v2, ppc64, ppc64le, cbea, cbea64, sparc, sparc64, armle, armbe, aarch64, cmd, php, tty, java, ruby, dalvik, python, nodejs, firefox, zarch, r, riscv32be, riscv32le, riscv64be, riscv64le, loongarch64", |
| 71680 | + "rport": 2031, |
| 71681 | + "autofilter_ports": [ |
| 71682 | + 80, |
| 71683 | + 8080, |
| 71684 | + 443, |
| 71685 | + 8000, |
| 71686 | + 8888, |
| 71687 | + 8880, |
| 71688 | + 8008, |
| 71689 | + 3000, |
| 71690 | + 8443 |
| 71691 | + ], |
| 71692 | + "autofilter_services": [ |
| 71693 | + "http", |
| 71694 | + "https" |
| 71695 | + ], |
| 71696 | + "targets": [ |
| 71697 | + "Unix Command", |
| 71698 | + "Linux Dropper" |
| 71699 | + ], |
| 71700 | + "mod_time": "2026-01-13 14:24:04 +0000", |
| 71701 | + "path": "/modules/exploits/linux/http/control_web_panel_api_cmd_exec.rb", |
| 71702 | + "is_install_path": true, |
| 71703 | + "ref_name": "linux/http/control_web_panel_api_cmd_exec", |
| 71704 | + "check": true, |
| 71705 | + "post_auth": false, |
| 71706 | + "default_credential": false, |
| 71707 | + "notes": { |
| 71708 | + "Stability": [ |
| 71709 | + "crash-safe" |
| 71710 | + ], |
| 71711 | + "Reliability": [ |
| 71712 | + "repeatable-session" |
| 71713 | + ], |
| 71714 | + "SideEffects": [ |
| 71715 | + "ioc-in-logs" |
| 71716 | + ] |
| 71717 | + }, |
| 71718 | + "session_types": false, |
| 71719 | + "needs_cleanup": null |
| 71720 | + }, |
71660 | 71721 | "exploit_linux/http/control_web_panel_login_cmd_exec": { |
71661 | 71722 | "name": "CWP login.php Unauthenticated RCE", |
71662 | 71723 | "fullname": "exploit/linux/http/control_web_panel_login_cmd_exec", |
@@ -192879,53 +192940,6 @@ |
192879 | 192940 | "needs_cleanup": null, |
192880 | 192941 | "actions": [] |
192881 | 192942 | }, |
192882 | | - "exploit_windows/local/wmi_persistence": { |
192883 | | - "name": "WMI Event Subscription Persistence", |
192884 | | - "fullname": "exploit/windows/local/wmi_persistence", |
192885 | | - "aliases": [], |
192886 | | - "rank": 300, |
192887 | | - "disclosure_date": "2017-06-06", |
192888 | | - "type": "exploit", |
192889 | | - "author": [ |
192890 | | - "Nick Tyrer <@NickTyrer>" |
192891 | | - ], |
192892 | | - "description": "This module will create a permanent WMI event subscription to achieve file-less persistence using one\n of five methods. The EVENT method will create an event filter that will query the event log for an EVENT_ID_TRIGGER\n (default: failed logon request id 4625) that also contains a specified USERNAME_TRIGGER (note: failed logon auditing\n must be enabled on the target for this method to work, this can be enabled using \"auditpol.exe /set /subcategory:Logon\n /failure:Enable\"). When these criteria are met a command line event consumer will trigger an encoded powershell payload.\n The INTERVAL method will create an event filter that triggers the payload after the specified CALLBACK_INTERVAL. The LOGON\n method will create an event filter that will trigger the payload after the system has an uptime of 4 minutes. The PROCESS\n method will create an event filter that triggers the payload when the specified process is started. The WAITFOR method\n creates an event filter that utilizes the Microsoft binary waitfor.exe to wait for a signal specified by WAITFOR_TRIGGER\n before executing the payload. The signal can be sent from a windows host on a LAN utilizing the waitfor.exe command\n (note: requires target to have port 445 open). Additionally a custom command can be specified to run once the trigger is\n activated using the advanced option CUSTOM_PS_COMMAND. This module requires administrator level privileges as well as a\n high integrity process. It is also recommended not to use stageless payloads due to powershell script length limitations.", |
192893 | | - "references": [ |
192894 | | - "URL-https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf", |
192895 | | - "URL-https://learn-powershell.net/2013/08/14/powershell-and-events-permanent-wmi-event-subscriptions/" |
192896 | | - ], |
192897 | | - "platform": "Windows", |
192898 | | - "arch": "", |
192899 | | - "rport": null, |
192900 | | - "autofilter_ports": [], |
192901 | | - "autofilter_services": [], |
192902 | | - "targets": [ |
192903 | | - "Windows" |
192904 | | - ], |
192905 | | - "mod_time": "2025-06-23 12:43:46 +0000", |
192906 | | - "path": "/modules/exploits/windows/local/wmi_persistence.rb", |
192907 | | - "is_install_path": true, |
192908 | | - "ref_name": "windows/local/wmi_persistence", |
192909 | | - "check": false, |
192910 | | - "post_auth": false, |
192911 | | - "default_credential": false, |
192912 | | - "notes": { |
192913 | | - "Reliability": [ |
192914 | | - "unknown-reliability" |
192915 | | - ], |
192916 | | - "Stability": [ |
192917 | | - "unknown-stability" |
192918 | | - ], |
192919 | | - "SideEffects": [ |
192920 | | - "unknown-side-effects" |
192921 | | - ] |
192922 | | - }, |
192923 | | - "session_types": [ |
192924 | | - "meterpreter" |
192925 | | - ], |
192926 | | - "needs_cleanup": null, |
192927 | | - "actions": [] |
192928 | | - }, |
192929 | 192943 | "exploit_windows/lotus/domino_http_accept_language": { |
192930 | 192944 | "name": "IBM Lotus Domino Web Server Accept-Language Stack Buffer Overflow", |
192931 | 192945 | "fullname": "exploit/windows/lotus/domino_http_accept_language", |
@@ -201230,6 +201244,222 @@ |
201230 | 201244 | "needs_cleanup": null, |
201231 | 201245 | "actions": [] |
201232 | 201246 | }, |
| 201247 | + "exploit_windows/persistence/wmi/wmi_event_subscription_event_log": { |
| 201248 | + "name": "WMI Event Subscription Event Log Persistence", |
| 201249 | + "fullname": "exploit/windows/persistence/wmi/wmi_event_subscription_event_log", |
| 201250 | + "aliases": [ |
| 201251 | + "exploits/windows/local/wmi_persistence" |
| 201252 | + ], |
| 201253 | + "rank": 300, |
| 201254 | + "disclosure_date": "2017-06-06", |
| 201255 | + "type": "exploit", |
| 201256 | + "author": [ |
| 201257 | + "Nick Tyrer <@NickTyrer>", |
| 201258 | + "h00die" |
| 201259 | + ], |
| 201260 | + "description": "This module will create a permanent WMI event subscription to achieve file-less persistence using an event filter\n that will query the event log for an EVENT_ID_TRIGGER\n (default: failed logon request id 4625) that also contains a specified USERNAME_TRIGGER (note: failed logon auditing\n must be enabled on the target for this method to work, this can be enabled using \"auditpol.exe /set /subcategory:Logon\n /failure:Enable\"). When these criteria are met a command line event consumer will trigger an encoded powershell payload.\n\n Additionally a custom command can be specified to run once the trigger is\n activated using the advanced option CustomPsCommand. This module requires administrator level privileges as well as a\n high integrity process. It is also recommended to use staged payloads due to powershell script length limitations.", |
| 201261 | + "references": [ |
| 201262 | + "URL-https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf", |
| 201263 | + "URL-https://learn-powershell.net/2013/08/14/powershell-and-events-permanent-wmi-event-subscriptions/", |
| 201264 | + "ATT&CK-T1546", |
| 201265 | + "ATT&CK-T1546.003" |
| 201266 | + ], |
| 201267 | + "platform": "Windows", |
| 201268 | + "arch": "x64, x86, aarch64", |
| 201269 | + "rport": null, |
| 201270 | + "autofilter_ports": [], |
| 201271 | + "autofilter_services": [], |
| 201272 | + "targets": [ |
| 201273 | + "Windows" |
| 201274 | + ], |
| 201275 | + "mod_time": "2026-01-11 07:25:13 +0000", |
| 201276 | + "path": "/modules/exploits/windows/persistence/wmi/wmi_event_subscription_event_log.rb", |
| 201277 | + "is_install_path": true, |
| 201278 | + "ref_name": "windows/persistence/wmi/wmi_event_subscription_event_log", |
| 201279 | + "check": true, |
| 201280 | + "post_auth": false, |
| 201281 | + "default_credential": false, |
| 201282 | + "notes": { |
| 201283 | + "Reliability": [ |
| 201284 | + "event-dependent", |
| 201285 | + "repeatable-session" |
| 201286 | + ], |
| 201287 | + "Stability": [ |
| 201288 | + "crash-safe" |
| 201289 | + ], |
| 201290 | + "SideEffects": [ |
| 201291 | + "config-changes", |
| 201292 | + "ioc-in-logs" |
| 201293 | + ] |
| 201294 | + }, |
| 201295 | + "session_types": [ |
| 201296 | + "meterpreter" |
| 201297 | + ], |
| 201298 | + "needs_cleanup": null, |
| 201299 | + "actions": [] |
| 201300 | + }, |
| 201301 | + "exploit_windows/persistence/wmi/wmi_event_subscription_interval": { |
| 201302 | + "name": "WMI Event Subscription Interval Persistence", |
| 201303 | + "fullname": "exploit/windows/persistence/wmi/wmi_event_subscription_interval", |
| 201304 | + "aliases": [ |
| 201305 | + "exploits/windows/local/wmi_persistence" |
| 201306 | + ], |
| 201307 | + "rank": 300, |
| 201308 | + "disclosure_date": "2017-06-06", |
| 201309 | + "type": "exploit", |
| 201310 | + "author": [ |
| 201311 | + "Nick Tyrer <@NickTyrer>", |
| 201312 | + "h00die" |
| 201313 | + ], |
| 201314 | + "description": "This module will create a permanent WMI event subscription to achieve file-less persistence using an event filter\n that triggers the payload after the specified CALLBACK_INTERVAL.\n\n If the persistence is not installed, it will keep triggering payloads to spawn.\n\n Additionally a custom command can be specified to run once the trigger is\n activated using the advanced option CustomPsCommand. This module requires administrator level privileges as well as a\n high integrity process. It is also recommended to use staged payloads due to powershell script length limitations.", |
| 201315 | + "references": [ |
| 201316 | + "URL-https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf", |
| 201317 | + "URL-https://learn-powershell.net/2013/08/14/powershell-and-events-permanent-wmi-event-subscriptions/", |
| 201318 | + "ATT&CK-T1546", |
| 201319 | + "ATT&CK-T1546.003" |
| 201320 | + ], |
| 201321 | + "platform": "Windows", |
| 201322 | + "arch": "x64, x86, aarch64", |
| 201323 | + "rport": null, |
| 201324 | + "autofilter_ports": [], |
| 201325 | + "autofilter_services": [], |
| 201326 | + "targets": [ |
| 201327 | + "Windows" |
| 201328 | + ], |
| 201329 | + "mod_time": "2026-01-11 07:25:13 +0000", |
| 201330 | + "path": "/modules/exploits/windows/persistence/wmi/wmi_event_subscription_interval.rb", |
| 201331 | + "is_install_path": true, |
| 201332 | + "ref_name": "windows/persistence/wmi/wmi_event_subscription_interval", |
| 201333 | + "check": true, |
| 201334 | + "post_auth": false, |
| 201335 | + "default_credential": false, |
| 201336 | + "notes": { |
| 201337 | + "Reliability": [ |
| 201338 | + "event-dependent", |
| 201339 | + "repeatable-session" |
| 201340 | + ], |
| 201341 | + "Stability": [ |
| 201342 | + "crash-safe" |
| 201343 | + ], |
| 201344 | + "SideEffects": [ |
| 201345 | + "config-changes", |
| 201346 | + "ioc-in-logs" |
| 201347 | + ] |
| 201348 | + }, |
| 201349 | + "session_types": [ |
| 201350 | + "meterpreter" |
| 201351 | + ], |
| 201352 | + "needs_cleanup": null, |
| 201353 | + "actions": [] |
| 201354 | + }, |
| 201355 | + "exploit_windows/persistence/wmi/wmi_event_subscription_process": { |
| 201356 | + "name": "WMI Event Subscription Process Persistence", |
| 201357 | + "fullname": "exploit/windows/persistence/wmi/wmi_event_subscription_process", |
| 201358 | + "aliases": [ |
| 201359 | + "exploits/windows/local/wmi_persistence" |
| 201360 | + ], |
| 201361 | + "rank": 300, |
| 201362 | + "disclosure_date": "2017-06-06", |
| 201363 | + "type": "exploit", |
| 201364 | + "author": [ |
| 201365 | + "Nick Tyrer <@NickTyrer>", |
| 201366 | + "h00die" |
| 201367 | + ], |
| 201368 | + "description": "This module will create a permanent WMI event subscription to achieve file-less persistence using an event filter\n that triggers the payload when the specified process is started.\n\n Additionally a custom command can be specified to run once the trigger is\n activated using the advanced option CustomPsCommand. This module requires administrator level privileges as well as a\n high integrity process. It is also recommended to use staged payloads due to powershell script length limitations.\n\n Many built-in apps on Windows 10/11 launch via a modern UWP app (Win32Bridge.Server.exe or ApplicationFrameHost.exe),\n not the legacy binary (like calc.exe). If you pick one of these apps, like calc.exe, it can still be triggered\n from command line, however GUI execution will not work.\n\n Duplicate CLASSNAMEs will not overwrite, so if the env isn't cleaned up before\n re-exploitation, the exploitation will fail.\n\n Tested and works being launched from GUI (windows 10):\n chrome.exe (several shells at once)\n calc.exe (only from command line calc.exe or calc)\n msedge.exe (several shells at once)\n cmd.exe", |
| 201369 | + "references": [ |
| 201370 | + "URL-https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf", |
| 201371 | + "URL-https://learn-powershell.net/2013/08/14/powershell-and-events-permanent-wmi-event-subscriptions/", |
| 201372 | + "ATT&CK-T1546", |
| 201373 | + "ATT&CK-T1546.003" |
| 201374 | + ], |
| 201375 | + "platform": "Windows", |
| 201376 | + "arch": "x64, x86, aarch64", |
| 201377 | + "rport": null, |
| 201378 | + "autofilter_ports": [], |
| 201379 | + "autofilter_services": [], |
| 201380 | + "targets": [ |
| 201381 | + "Windows" |
| 201382 | + ], |
| 201383 | + "mod_time": "2026-01-14 08:26:11 +0000", |
| 201384 | + "path": "/modules/exploits/windows/persistence/wmi/wmi_event_subscription_process.rb", |
| 201385 | + "is_install_path": true, |
| 201386 | + "ref_name": "windows/persistence/wmi/wmi_event_subscription_process", |
| 201387 | + "check": true, |
| 201388 | + "post_auth": false, |
| 201389 | + "default_credential": false, |
| 201390 | + "notes": { |
| 201391 | + "Reliability": [ |
| 201392 | + "event-dependent", |
| 201393 | + "repeatable-session" |
| 201394 | + ], |
| 201395 | + "Stability": [ |
| 201396 | + "crash-safe" |
| 201397 | + ], |
| 201398 | + "SideEffects": [ |
| 201399 | + "config-changes", |
| 201400 | + "ioc-in-logs" |
| 201401 | + ] |
| 201402 | + }, |
| 201403 | + "session_types": [ |
| 201404 | + "meterpreter" |
| 201405 | + ], |
| 201406 | + "needs_cleanup": null, |
| 201407 | + "actions": [] |
| 201408 | + }, |
| 201409 | + "exploit_windows/persistence/wmi/wmi_event_subscription_uptime": { |
| 201410 | + "name": "WMI Event Subscription Logon Timer Persistence", |
| 201411 | + "fullname": "exploit/windows/persistence/wmi/wmi_event_subscription_uptime", |
| 201412 | + "aliases": [ |
| 201413 | + "exploits/windows/local/wmi_persistence" |
| 201414 | + ], |
| 201415 | + "rank": 300, |
| 201416 | + "disclosure_date": "2017-06-06", |
| 201417 | + "type": "exploit", |
| 201418 | + "author": [ |
| 201419 | + "Nick Tyrer <@NickTyrer>", |
| 201420 | + "h00die" |
| 201421 | + ], |
| 201422 | + "description": "This module will create a permanent WMI event subscription to achieve file-less persistence using an event filter that\n will trigger the payload after the system has a certain uptime. Payloads will trigger every minute until the set end time.\n\n Additionally a custom command can be specified to run once the trigger is\n activated using the advanced option CustomPsCommand. This module requires administrator level privileges as well as a\n high integrity process. It is also recommended to use staged payloads due to powershell script length limitations.", |
| 201423 | + "references": [ |
| 201424 | + "URL-https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf", |
| 201425 | + "URL-https://learn-powershell.net/2013/08/14/powershell-and-events-permanent-wmi-event-subscriptions/", |
| 201426 | + "ATT&CK-T1546", |
| 201427 | + "ATT&CK-T1546.003" |
| 201428 | + ], |
| 201429 | + "platform": "Windows", |
| 201430 | + "arch": "x64, x86, aarch64", |
| 201431 | + "rport": null, |
| 201432 | + "autofilter_ports": [], |
| 201433 | + "autofilter_services": [], |
| 201434 | + "targets": [ |
| 201435 | + "Windows" |
| 201436 | + ], |
| 201437 | + "mod_time": "2026-01-11 07:25:13 +0000", |
| 201438 | + "path": "/modules/exploits/windows/persistence/wmi/wmi_event_subscription_uptime.rb", |
| 201439 | + "is_install_path": true, |
| 201440 | + "ref_name": "windows/persistence/wmi/wmi_event_subscription_uptime", |
| 201441 | + "check": true, |
| 201442 | + "post_auth": false, |
| 201443 | + "default_credential": false, |
| 201444 | + "notes": { |
| 201445 | + "Reliability": [ |
| 201446 | + "event-dependent", |
| 201447 | + "repeatable-session" |
| 201448 | + ], |
| 201449 | + "Stability": [ |
| 201450 | + "crash-safe" |
| 201451 | + ], |
| 201452 | + "SideEffects": [ |
| 201453 | + "config-changes", |
| 201454 | + "ioc-in-logs" |
| 201455 | + ] |
| 201456 | + }, |
| 201457 | + "session_types": [ |
| 201458 | + "meterpreter" |
| 201459 | + ], |
| 201460 | + "needs_cleanup": null, |
| 201461 | + "actions": [] |
| 201462 | + }, |
201233 | 201463 | "exploit_windows/persistence/wsl/registry": { |
201234 | 201464 | "name": "Windows WSL via Registry Persistence", |
201235 | 201465 | "fullname": "exploit/windows/persistence/wsl/registry", |
|
0 commit comments