Merge pull request #3500 from todb-r7/fixup-release
Release fixup: Description/whitespace changes (minor)bug/bundler_fix 2014070901
commit
e5b5439e47
|
@ -13,18 +13,18 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super(update_info(info,
|
super(update_info(info,
|
||||||
'Name' => 'Wordpress MailPoet (wysija-newsletters) Unauthenticated File Upload',
|
'Name' => 'Wordpress MailPoet Newsletters (wysija-newsletters) Unauthenticated File Upload',
|
||||||
'Description' => %q{
|
'Description' => %q{
|
||||||
The Wordpress plugin "MailPoet Newsletters" (wysija-newsletters) before 2.6.8
|
The Wordpress plugin "MailPoet Newsletters" (wysija-newsletters) before 2.6.8
|
||||||
is vulnerable to an unauthenticated file upload. The exploit uses the Upload Theme
|
is vulnerable to an unauthenticated file upload. The exploit uses the Upload Theme
|
||||||
functionality to upload a zip file containing the payload. The plugin used the
|
functionality to upload a zip file containing the payload. The plugin uses the
|
||||||
admin_init hook, which is also executed for unauthenticated users when accessing
|
admin_init hook, which is also executed for unauthenticated users when accessing
|
||||||
a specific URL. The developers tried to fix the vulnerablility
|
a specific URL. The first fix for this vulnerability appeared in version 2.6.7,
|
||||||
in version 2.6.7 but the fix can be bypassed. In PHPs default configuration,
|
but the fix can be bypassed. In PHP's default configuration,
|
||||||
a POST variable overwrites a GET variable in the $_REQUEST array. The plugin
|
a POST variable overwrites a GET variable in the $_REQUEST array. The plugin
|
||||||
uses $_REQUEST to check for access rights. By setting the POST parameter to
|
uses $_REQUEST to check for access rights. By setting the POST parameter to
|
||||||
something not beginning with 'wysija_', the check is bypassed. Wordpress uses
|
something not beginning with 'wysija_', the check is bypassed. Wordpress uses
|
||||||
the $_GET array to determine the page and is so not affected by this.
|
the $_GET array to determine the page, so it is not affected by this.
|
||||||
},
|
},
|
||||||
'Author' =>
|
'Author' =>
|
||||||
[
|
[
|
||||||
|
|
|
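Review bot: The product name is still spelled "Wordpress" in the new `'Name'` string and in three places in the description text, while the project spells it "WordPress". Since this commit is a description cleanup, the spelling could be corrected in the same pass, e.g. `'Name' => 'WordPress MailPoet Newsletters (wysija-newsletters) Unauthenticated File Upload',`. The `initialize` body and the `update_info` call continue past the end of this hunk.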
@ -17,7 +17,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
super(update_info(info,
|
super(update_info(info,
|
||||||
'Name' => 'Oracle Event Processing FileUploadServlet Arbitrary File Upload',
|
'Name' => 'Oracle Event Processing FileUploadServlet Arbitrary File Upload',
|
||||||
'Description' => %q{
|
'Description' => %q{
|
||||||
This module exploits an Arbitrary File Upload vulnerability in Oracle Event Processing
|
This module exploits an arbitrary file upload vulnerability in Oracle Event Processing
|
||||||
11.1.1.7.0. The FileUploadServlet component, which requires no authentication, can be
|
11.1.1.7.0. The FileUploadServlet component, which requires no authentication, can be
|
||||||
abused to upload a malicious file onto an arbitrary location due to a directory traversal
|
abused to upload a malicious file onto an arbitrary location due to a directory traversal
|
||||||
flaw, and compromise the server. By default Oracle Event Processing uses a Jetty
|
flaw, and compromise the server. By default Oracle Event Processing uses a Jetty
|
||||||
|
|
|
@ -18,7 +18,11 @@ module Metasploit3
|
||||||
'Description' => "Tunnel communication over an HTTP hop point (note you must first upload "+
|
'Description' => "Tunnel communication over an HTTP hop point (note you must first upload "+
|
||||||
"the hop.php found at #{File.expand_path("../../../../data/php/hop.php", __FILE__)} "+
|
"the hop.php found at #{File.expand_path("../../../../data/php/hop.php", __FILE__)} "+
|
||||||
"to the HTTP server you wish to use as a hop)",
|
"to the HTTP server you wish to use as a hop)",
|
||||||
'Author' => ['scriptjunkie <scriptjunkie@scriptjunkie.us>', 'hdm'],
|
'Author' =>
|
||||||
|
[
|
||||||
|
'scriptjunkie <scriptjunkie[at]scriptjunkie.us>',
|
||||||
|
'hdm'
|
||||||
|
],
|
||||||
'License' => MSF_LICENSE,
|
'License' => MSF_LICENSE,
|
||||||
'Platform' => 'win',
|
'Platform' => 'win',
|
||||||
'Arch' => ARCH_X86,
|
'Arch' => ARCH_X86,
|
||||||
|
@ -37,8 +41,7 @@ module Metasploit3
|
||||||
deregister_options('LHOST', 'LPORT')
|
deregister_options('LHOST', 'LPORT')
|
||||||
|
|
||||||
register_options([
|
register_options([
|
||||||
OptString.new('HOPURL',
|
OptString.new('HOPURL', [ true, "The full URL of the hop script", "http://example.com/hop.php" ]
|
||||||
[ true, "The full URL of the hop script", "http://example.com/hop.php" ]
|
|
||||||
)
|
)
|
||||||
], self.class)
|
], self.class)
|
||||||
end
|
end
|
||||||
|
|
|
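Review bot: In the second hunk, the reflowed `HOPURL` option is still marked required (`true`) while keeping the placeholder default `"http://example.com/hop.php"`. With a default present, a required option presumably always validates, so an operator who forgets to set it gets a configuration that points at a third-party host instead of an error. Dropping the default would let the required check do its job: `OptString.new('HOPURL', [ true, "The full URL of the hop script" ])`. The enclosing method starts outside the hunk.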
@ -52,7 +52,6 @@ puts hash.hexdigest
|
||||||
|
|
||||||
=end
|
=end
|
||||||
|
|
||||||
|
|
||||||
def decrypt_reg(data)
|
def decrypt_reg(data)
|
||||||
rg = session.railgun
|
rg = session.railgun
|
||||||
pid = session.sys.process.getpid
|
pid = session.sys.process.getpid
|
||||||
|
|