Add Nextcloud AppApi interactive shell module #21246
Open
Chocapikk wants to merge 1 commit into rapid7:master from
Interactive auxiliary module for full Nextcloud takeover via leaked AppApi secret. Features user impersonation, file browsing/download/upload, admin creation, share listing, and tab completion.
Hello Metasploit Team,

This adds an interactive auxiliary module for full Nextcloud takeover via a leaked AppAPI secret.

This is PR 5/5 of the Windfall suite. Depends on #21243 (Nextcloud AppApi Mixin).

What It Does

`auxiliary/admin/http/nextcloud_appapi_shell` provides an interactive shell for Nextcloud administration using a leaked `APP_SECRET`. The AppAPI scope system was removed in PR #373, meaning any ExApp secret grants unrestricted access to the entire Nextcloud OCS API.

The typical attack chain:

- `APP_SECRET` from `/proc/1/environ` via `auxiliary/gather/windmill_file_read` (Add Windmill path traversal RCE, SQLi RCE, and auxiliary modules (CVE-2026-29059, CVE-2026-23696) #21245)

Shell Commands

- `users` / `user <id>` - List users, view user details and groups
- `admins` - List admin users
- `ls [path]` / `cat <path>` / `upload <local> <remote>` - Browse and manage files as any user
- `dl <path>` - Download files (saved to loot)
- `search <query>` - Recursive file search
- `shares` - List file shares and public links
- `groups` / `apps` - List groups and installed apps
- `mkadmin <user> <pass>` - Create a new admin account
- `su <user>` - Switch impersonated user
- `info` - Show Nextcloud version and server info

All commands impersonate users via the `AUTHORIZATION-APP-API` header, bypassing 2FA.

Verification

- `APP_SECRET` from Flow container: `docker exec nc_app_flow env | grep APP_SECRET`
- `use auxiliary/admin/http/nextcloud_appapi_shell`
- `set RHOSTS localhost.local` and `set RPORT 443` and `set SSL true`
- `set APP_SECRET <leaked_secret>`
- `run` - interactive shell opens
- `users` - lists all Nextcloud users
- `su admin` and `ls /` - browse admin's files
- `mkadmin hacker password123` - creates admin account

Blog post: https://chocapikk.com/posts/2026/windfall-nextcloud-flow-windmill-rce/