Metasploit Wrap-Up 01/30/2026

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-01-30-2026
• Blog Title: Metasploit Wrap-Up 01/30/2026
• Suggested Section: Pentesting Web -> SQL Injection (add: SQLi write-primitive to scheduler/cron_job table -> RCE) AND Pentesting Web -> File Upload / File Inclusion/Path Traversal (add: path traversal in upload destination -> arbitrary file write -> webroot webshell or /etc/cron.d) AND Generic Hacking / Post-Exploitation (add: persistence via malicious BurpSuite extension loading)

🎯 Content Summary

This Rapid7 post (Metasploit Wrap-Up dated Jan 30, 2026) summarizes newly merged Metasploit Framework content: multiple exploit modules (mostly CVE-based), new persistence modules, and a few framework fixes. While the post itself does not include raw exploit code, it provides directly actionable module names/paths, CVE IDs, and the exploitation primitives each module implements (auth-bypass chaining, SQLi-to-cron execution, unrestricted upload to webshell, and path tr...

🔧 Technical Details

Auth-bypass chaining (pre-auth → post-auth attack surface exposure)
If an application has an authentication bypass (e.g., CVE-2025-66039 in FreePBX), an attacker can treat “authenticated-only” endpoints as reachable. This expands the reachable attack surface to include bugs that normally require login (SQLi, upload endpoints), enabling pre-auth compromise by chaining vulnerabilities.

SQL injection as a write primitive to gain OS execution via schedulers
When SQL injection (CVE-2025-61675) allows INSERT/UPDATE of scheduler-related database tables (e.g., a cron_job table), an attacker can create a job that runs attacker-controlled commands. This turns database-layer write access into RCE when the scheduler executes the inserted task.

Unrestricted file upload → webshell placement → HTTP-triggered RCE
If a feature permits uploading arbitrary files (e.g., firmware upload, CVE-2025-61678), an attacker...

🤖 Agent Actions

Updated HackTricks with new exploitation primitives and persistence TTPs:

• SQL Injection page: restored full content and added a new section on using SQLi as a database write primitive to scheduler/cron tables (leveraging pre-auth bypassed endpoints) to obtain RCE, including a sample cron job insert and operational guidance. Added Rapid7 wrap-up reference.
• File Upload page: added guidance on path-traversal-controlled upload destinations to achieve arbitrary file write and convert it into RCE (webroot webshell on Windows or /etc/cron.d drop-in on Linux). Added Rapid7 wrap-up reference.
• Linux Post-Exploitation page: documented BurpSuite extension autoload persistence (userland), including where to patch Burp config and how the trigger works, with reference to the Rapid7 wrap-up.

No tests were run (documentation-only changes).

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-01-30-2026

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web -> SQL Injection (add: SQLi write-primitive to scheduler/cron_job table -> RCE) AND Pentesting Web -> File Upload / File Inclusion/Path Traversal (add: path traversal in upload destination -> arbitrary file write -> webroot webshell or /etc/cron.d) AND Generic Hacking / Post-Exploitation (add: persistence via malicious BurpSuite extension loading)".

Repository Maintenance:

• MD Files Formatting: 944 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0