This module chains two vulnerabilities in n8n to achieve unauthenticated remote code execution. The module abuses a vulnerable unauthenticated form endpoint to read local files from the target system. That file-read primitive is then used to recover the n8n home path, configuration data, and encryption key material. The module then reads the n8n SQLite database to extract administrator account data from the application datastore. With that information, it forges an authenticated administrator token and creates a malicious workflow through the n8n API. Finally, the crafted workflow is used to execute operating system commands and deploy an agent on the target. The deployed agent will run with the privileges of the n8n service account.
This module uses an authentication bypass vulnerability in telnetd to deploy a network agent. The module will bypass authentication by adding the "-f root" value to the USER environment variable in a telnet connection. The deployed network agent will run with root user privileges.
This module uses an authenticated OS command injection vulnerability in Fortinet FortiWeb to deploy a Python agent. First, the module will log in to the target application using the given credentials. If no credentials are supplied, the module will attempt to create a new user with administrative privileges (prof_admin) on the target system using random credentials via the CVE-2025-64446 vulnerability. If authentication succeeds, the module will save the new user's credentials as an identity in Impact. Next, the module will retrieve the target system version via the /api/v2.0/system/state endpoint. The version will be used to select the attack payload. Then, the module will switch to a WebSocket connection via the /ws/cli/open endpoint to access the CLI. Finally, it will send CLI commands to create a new SAML configuration containing the OS commands that deploy a Python agent. The deployed Python agent will run with root user privileges.
MongoDB Server is vulnerable to a memory disclosure flaw due to improper validation of length parameters in Zlib-compressed protocol headers. This vulnerability allows unauthenticated remote attackers to read sensitive information from server memory. This module will check whether the target machine is vulnerable and will try to dump memory contents to the Module Log window, also writing them to a file. This memory dump may contain sensitive data, as explained above. This module performs the following steps:
- Establishes a TCP connection to the target MongoDB server on port 27017.
- Sends crafted malicious packets containing BSON documents with intentionally inflated length values, Zlib-compressed OP_MSG messages wrapped in OP_COMPRESSED headers, and a crafted buffer size.
- Iterates through document lengths.
- Extracts and collects leaked memory from server error responses.
- Shows the collected memory leaks in the module output and saves them to disk (if an output folder is specified) for further analysis.
This module uses a relative path traversal vulnerability that leads to an authentication bypass in Fortinet FortiWeb to create a new user with administrative privileges (prof_admin) on the target system. First, the module will check whether the target is vulnerable to the authentication bypass by testing the path traversal against a specific endpoint with an empty payload. If the target is vulnerable, the vulnerability will be used again to create a new user with administrative privileges (prof_admin) on the target system using the provided credentials. If no credentials are provided, the module will generate random ones. The new user's credentials will be added as an identity in Impact.
This module uses an insecure deserialization vulnerability in React Server Components to deploy an agent. The module will first check whether the target is vulnerable by using the given endpoint with a generic payload. If the target is vulnerable, an OSCI agent will be deployed and the vulnerability will be used again, with a payload that deploys an in-memory webshell. This webshell can later be used by the OSCI agent to execute OS commands or deploy a network agent. The deployed agent will run with the same privileges as the web application.
This module exploits a nested PHP array object deserialization in the Magento\Framework\Session\SessionManager class via the $sessionConfig variable, using the /rest/default/V1/guest-carts/abc/order endpoint of Magento Open Source and Adobe Commerce, to deploy an agent. First, the module will upload a PHP script to the /pub/media/customer_address/s/e directory of the web application using the /customer/address_file/upload endpoint. The default webroot directory value (/var/www/html/magento/pub/) can be changed using the WEBROOT module parameter. Then, it will trigger the vulnerability using a crafted PHP array object via the /rest/default/V1/guest-carts/abc/order endpoint, which will copy the uploaded PHP script to the given webroot directory. Finally, it will deploy the agent by calling the PHP script in the webroot directory. Note that the Apache user account (www-data) must have write access to the webroot directory for this exploit to work. The deployed agent will run with the privileges of the Apache user account (www-data).
This module exploits a Server-Side Request Forgery via the getUiType parameter in the /OA_HTML/configurator/UiServlet endpoint of Oracle E-Business Suite to deploy an agent. First, the module will register an endpoint on the local webserver that will be used during the attack to send the target an XSL file that executes system commands to deploy the agent. Then, it will retrieve a required CSRF token via the /OA_HTML/runforms.jsp and /OA_HTML/JavaScriptServlet endpoints. Finally, it will use the Server-Side Request Forgery vulnerability combined with a Carriage Return/Line Feed (CRLF) injection to smuggle a request to the /OA_HTML/help/../ieshostedsurvey.jsp endpoint, which will trigger an HTTP GET request to the local webserver, which will in turn deliver the XSL file that deploys the agent. The deployed agent will run with the privileges of the oracle user account.