Merge pull request #3500 from todb-r7/fixup-release
Release fixup: Description/whitespace changes (minor)
bug/bundler_fix 2014070901
commit
e5b5439e47
|
@ -13,18 +13,18 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Wordpress MailPoet (wysija-newsletters) Unauthenticated File Upload',
|
||||
'Name' => 'Wordpress MailPoet Newsletters (wysija-newsletters) Unauthenticated File Upload',
|
||||
'Description' => %q{
|
||||
The Wordpress plugin "MailPoet Newsletters" (wysija-newsletters) before 2.6.8
|
||||
is vulnerable to an unauthenticated file upload. The exploit uses the Upload Theme
|
||||
functionality to upload a zip file containing the payload. The plugin used the
|
||||
functionality to upload a zip file containing the payload. The plugin uses the
|
||||
admin_init hook, which is also executed for unauthenticated users when accessing
|
||||
a specific URL. The developers tried to fix the vulnerablility
|
||||
in version 2.6.7 but the fix can be bypassed. In PHPs default configuration,
|
||||
a specific URL. The first fix for this vulnerability appeared in version 2.6.7,
|
||||
but the fix can be bypassed. In PHP's default configuration,
|
||||
a POST variable overwrites a GET variable in the $_REQUEST array. The plugin
|
||||
uses $_REQUEST to check for access rights. By setting the POST parameter to
|
||||
something not beginning with 'wysija_', the check is bypassed. Wordpress uses
|
||||
the $_GET array to determine the page and is so not affected by this.
|
||||
the $_GET array to determine the page, so it is not affected by this.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
|
|
|
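Review bot: "Wordpress" in the new 'Name' string and throughout the Description (including the untouched sentence "Wordpress uses the $_GET array") should be spelled "WordPress"; since this commit already rewrites these strings for release, fix the capitalization in the same pass. The rewritten sentences otherwise read correctly, and the version statements ("before 2.6.8", first fix in 2.6.7) stay consistent with each other.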
@ -17,7 +17,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => 'Oracle Event Processing FileUploadServlet Arbitrary File Upload',
|
||||
'Description' => %q{
|
||||
This module exploits an Arbitrary File Upload vulnerability in Oracle Event Processing
|
||||
This module exploits an arbitrary file upload vulnerability in Oracle Event Processing
|
||||
11.1.1.7.0. The FileUploadServlet component, which requires no authentication, can be
|
||||
abused to upload a malicious file onto an arbitrary location due to a directory traversal
|
||||
flaw, and compromise the server. By default Oracle Event Processing uses a Jetty
|
||||
|
|
|
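Review bot: the context lines directly below the edited sentence still read "upload a malicious file onto an arbitrary location" and "By default Oracle Event Processing uses a Jetty"; for a description cleanup, change "onto" to "to" and add a comma after "By default" rather than only lowercasing "arbitrary file upload" on the first line.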
@ -18,7 +18,11 @@ module Metasploit3
|
|||
'Description' => "Tunnel communication over an HTTP hop point (note you must first upload "+
|
||||
"the hop.php found at #{File.expand_path("../../../../data/php/hop.php", __FILE__)} "+
|
||||
"to the HTTP server you wish to use as a hop)",
|
||||
'Author' => ['scriptjunkie <scriptjunkie@scriptjunkie.us>', 'hdm'],
|
||||
'Author' =>
|
||||
[
|
||||
'scriptjunkie <scriptjunkie[at]scriptjunkie.us>',
|
||||
'hdm'
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => 'win',
|
||||
'Arch' => ARCH_X86,
|
||||
|
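Review bot: the 'Author' change does more than reflow the array: the address goes from scriptjunkie@scriptjunkie.us to scriptjunkie[at]scriptjunkie.us, which is a content change in a commit described as description/whitespace only. Confirm that whatever parses the author strings accepts the [at] form, and mention the address rewrite in the commit message so it is not mistaken for formatting.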
@ -37,8 +41,7 @@ module Metasploit3
|
|||
deregister_options('LHOST', 'LPORT')
|
||||
|
||||
register_options([
|
||||
OptString.new('HOPURL',
|
||||
[ true, "The full URL of the hop script", "http://example.com/hop.php" ]
|
||||
OptString.new('HOPURL', [ true, "The full URL of the hop script", "http://example.com/hop.php" ]
|
||||
)
|
||||
], self.class)
|
||||
end
|
||||
|
|
|
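Review bot: in the register_options block, joining OptString.new('HOPURL', [ true, ... ] onto one line leaves its closing ) alone on the next line, so the call now opens mid-line and closes on a line of its own with nothing between them. Either pull the ) up to the end of the option array line or keep the original three-line layout; the half-collapsed form is harder to read than both.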
@ -52,7 +52,6 @@ puts hash.hexdigest
|
|||
|
||||
=end
|
||||
|
||||
|
||||
def decrypt_reg(data)
|
||||
rg = session.railgun
|
||||
pid = session.sys.process.getpid
|
||||
|
|