sinn3r
3ff888a5c0
Move to 'multi' because it supports windows and linux
2012-10-23 12:41:51 -05:00
sinn3r
5072156df6
Designed specifically for Windows, so let's move to Windows
...
Plus additional fixes
2012-10-22 23:01:58 -05:00
sinn3r
2484bb02cf
Add the initial version of the module
...
From EDB.
2012-10-22 22:41:30 -05:00
Michael Schierl
e9f7873afc
Version cleanup
...
Remove all values that are neither 0 nor $Revision$.
2012-10-22 20:57:02 +02:00
jvazquez-r7
2acfb0537c
Merge branch 'ajaxplorer' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-ajaxplorer
2012-10-15 08:30:08 +02:00
sinn3r
529f88c66d
Some msftidy fixes
2012-10-14 19:16:54 -05:00
sinn3r
cedcace1a7
Forgot to change the output variable
...
Because the original script used match()
2012-10-14 11:43:33 -05:00
sinn3r
cc303665e8
Credit
2012-10-13 00:42:44 -05:00
sinn3r
5b2998a121
Add OSVDB-63552 AjaXplorer module (2010)
2012-10-13 00:35:48 -05:00
James Lee
90ae5c1178
Add PhpEXE support to RateMyPet module
2012-10-12 04:53:01 -05:00
James Lee
13a5892e95
Add a mixin for uploading/executing bins with PHP
...
And use it in three modules that had copy-paste versions of the same
idea.
2012-10-12 02:57:41 -05:00
sinn3r
c094508119
Support Python payload
...
Pretty sure if the app is run on Unix/Apache, or supports perl and
ruby, chances are python works too.
2012-10-08 22:17:11 -05:00
sinn3r
06e2994b7e
connectiontype to find and python payload support
2012-10-08 15:13:27 -05:00
sinn3r
04aa69192d
Dang typo
2012-10-08 13:35:13 -05:00
sinn3r
8ff4442f9e
Add PhpTax pfilez exec module
...
This module exploits a vuln found in PhpTax. When generating a
PDF, the icondrawpng() function in drawimage.php does not
properly handle the pfilez parameter, which will be used in a
exec() statement, and results in arbitrary code execution.
2012-10-08 12:46:56 -05:00
HD Moore
3ade5a07e7
Add exploit for phpmyadmin backdoor
2012-09-25 10:47:53 -05:00
sinn3r
1111de0197
Add OSVDB reference
2012-09-25 01:19:58 -05:00
sinn3r
98f4190288
Add Auxilium RateMyPet module
2012-09-24 10:16:11 -05:00
James Lee
caf7619b86
Remove extra comma, fixes syntax errors in 1.8
...
Thanks, Kanedaaa, for reporting
2012-09-13 12:07:34 -05:00
sinn3r
71a0db9ae5
Make sure the user has a 'myAccount' page
2012-09-13 10:33:43 -05:00
sinn3r
658502d5ad
Add OSVDB-82978
...
This module exploits a vuln in qdPM - a web-based project
management software. The user profile's photo upload feature can
be abused to upload any arbitrary file onto the victim server
machine, which allows remote code execution. However, note in
order to use this module, the attacker must have a valid cred
to sign.
2012-09-13 10:01:08 -05:00
sinn3r
bd596a3f39
Merge branch 'sflog_upload_exec' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-sflog_upload_exec
2012-09-06 18:40:19 -05:00
sinn3r
b4270bb480
Add OSVDB-83767: SFlog Upload Exec Module
...
This module exploits multiiple flaws in SFlog!. By default, the
CMS has a default admin cred of "admin:secret", which can be
abused to access admin features such as blog management. Through
the management interface, we can upload a backdoor that's accessible
by any remote user, and then we gain code execution.
2012-09-06 18:30:45 -05:00
jvazquez-r7
fc1c1c93ba
ZDI references fixed
2012-09-07 00:50:07 +02:00
jvazquez-r7
65681dc3b6
added osvdb reference
2012-09-06 13:56:52 +02:00
jvazquez-r7
b4113a2a38
hp_site_scope_uploadfileshandler is now multiplatform
2012-09-06 12:54:51 +02:00
Tod Beardsley
9531c95627
Adding BID
2012-09-05 15:04:05 -05:00
sinn3r
99009da567
Merge branch 'mobilecartly_upload_exec' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-mobilecartly_upload_exec
2012-09-04 14:32:23 -05:00
sinn3r
e926bc16ba
Add MobileCartly 1.0 module
2012-09-04 14:23:16 -05:00
jvazquez-r7
4a92cc4641
jboss_invoke_deploy module cleanup
2012-09-04 18:49:11 +02:00
h0ng10
2b6aa6bbdb
Added Exploit for deployfilerepository via JMX
2012-09-03 13:50:16 -04:00
jvazquez-r7
4fd9f88304
avoid the redefinition of Module.target_host
2012-08-30 14:45:14 +02:00
sinn3r
7ddcc787bd
Merge branch 'jboss-exploits-revision2' of https://github.com/h0ng10/metasploit-framework into h0ng10-jboss-exploits-revision2
2012-08-21 14:37:09 -05:00
h0ng10
c6b9121f8b
Added support for CVE-2010-0738
2012-08-15 15:47:44 -04:00
h0ng10
6965431389
Added support for CVE-2010-0738, msftidy
2012-08-15 15:47:14 -04:00
h0ng10
e5498e3e1d
Added fix for CVE-2010-0738, corrections
2012-08-15 15:46:34 -04:00
Tod Beardsley
0e4e7dc903
Indentation fix
2012-08-14 12:27:27 -05:00
Tod Beardsley
6597d25726
Shortening an over-200 long line for readability
...
It's a contrived fix, but scrolling over is a hassle. This comes up a
lot in long regexes, not sure the best way to address these.
2012-08-14 12:27:27 -05:00
jvazquez-r7
d6b28dc44d
ranking changed plus on_new_session handler added
2012-08-13 19:29:13 +02:00
jvazquez-r7
468030786f
small fixes, mainly check res agains nil, res.code and use send_request_cgi
2012-08-13 18:57:59 +02:00
bcoles
8bb3181f68
Add TestLink v1.9.3 arbitrary file upload module
2012-08-13 16:30:10 +09:30
sinn3r
b46fb260a6
Comply with msftidy
...
*Knock, knock!* Who's there? Me, the msftidy nazi!
2012-08-07 15:59:01 -05:00
Steve Tornio
b646dcc87f
add osvdb ref
2012-08-05 09:02:32 -05:00
Tod Beardsley
d5b165abbb
Msftidy.rb cleanup on recent modules.
...
Notably, DisclosureDate is required for other module parsers, so let's
not ignore those, even if you have to guess at the disclosure or call
the module's publish date the disclosure date.
2012-08-04 12:18:00 -05:00
h0ng10
8872ea693c
real support for cve-2010-0738/verb bypass
2012-08-03 14:22:40 -04:00
h0ng10
52b1919315
Additional cleanups, verb tampering
2012-08-02 17:33:17 -04:00
sinn3r
9815faec37
Add OSVDB-83822
2012-07-31 13:31:06 -05:00
h0ng10
36be7cd9c4
removed unnecessary cleanup
2012-07-27 16:32:08 -04:00
sinn3r
d67234bd03
Better regex and email format correction
2012-07-27 01:14:32 -05:00
sinn3r
2939e3918e
Rename file
2012-07-27 01:06:57 -05:00
bcoles
cec15aa204
Added CuteFlow v2.11.2 Arbitrary File Upload
...
- modules/exploits/multi/http/cuteflow_2.11.2_upload_exec.rb
2012-07-27 12:30:20 +09:30
HD Moore
b133428bc1
Better error handling in two web app modules
2012-07-15 21:56:00 -05:00
jvazquez-r7
6c8ee443c8
datastore cleanup according to sinn3r
2012-07-12 09:31:22 +02:00
h0ng10
87f5002516
added datastore cleanup
2012-07-11 12:56:23 -04:00
h0ng10
0d38a7e45f
switched to Rex::Text.encode_base64()
2012-07-11 12:52:09 -04:00
h0ng10
61ec07a10c
additional targets, meterpreter, bugfixes
2012-07-10 13:33:28 -04:00
sinn3r
e2a2789f78
Support Ruby 1.8 syntax. Thanks M M.
2012-07-02 14:15:14 -05:00
sinn3r
cf9a6d58cc
Update missing OSVDB ref
2012-06-28 00:44:01 -05:00
sinn3r
e605a35433
Make sure the check func is always returning the same data type
2012-06-27 17:07:55 -05:00
sinn3r
cb1af5ab79
Final cleanup
2012-06-27 16:57:04 -05:00
jvazquez-r7
73360dfae3
minor fixes
2012-06-27 23:38:52 +02:00
jvazquez-r7
245205c6c9
changes on openfire_auth_bypass
2012-06-27 23:15:40 +02:00
jvazquez-r7
6ec990ed85
Merge branch 'Openfire-auth-bypass' of https://github.com/h0ng10/metasploit-framework into h0ng10-Openfire-auth-bypass
2012-06-27 23:09:26 +02:00
h0ng10
6cc8390da9
Module rewrite, included Java support, direct upload, plugin deletion
2012-06-26 11:56:44 -04:00
HD Moore
e31a09203d
Take into account an integer-normalized datastore
2012-06-24 22:59:14 -05:00
h0ng10
65197e79e2
added Exploit for CVE-2008-6508 (Openfire Auth bypass)
2012-06-24 07:35:38 -04:00
HD Moore
d40e39b71b
Additional exploit fail_with() changes to remove raise calls
2012-06-19 19:43:41 -05:00
HD Moore
fb7f6b49f0
This mega-diff adds better error classification to existing modules
2012-06-19 12:59:15 -05:00
sinn3r
a631e1fef1
Change the default state to make it work on Metasploitable by default
2012-06-13 00:43:59 -05:00
sinn3r
597726d433
Merge branch 'php_cgi_arg_injection' of https://github.com/jjarmoc/metasploit-framework into jjarmoc-php_cgi_arg_injection
2012-06-13 00:40:02 -05:00
Jeff Jarmoc
bbfe0f8f49
" is 0x22, duh.
2012-06-12 20:00:28 -05:00
Jeff Jarmoc
12a28bd519
Fixed ruby 1.9 String Indexing issue, using Rex::Text.uri_encode
2012-06-12 14:59:06 -05:00
sinn3r
c3c9051014
Merge branch 'php_cgi_arg_injection' of https://github.com/jjarmoc/metasploit-framework into jjarmoc-php_cgi_arg_injection
2012-06-11 11:15:15 -05:00
jvazquez-r7
02a5dff51f
struts_code_exec_exception_delegator_on_new_session: on_new_session modified
2012-06-11 12:07:38 +02:00
Michael Schierl
b4d33fb85a
Add ARCH_JAVA support to struts_code_exec_exception_delegator
2012-06-09 21:53:43 +02:00
sinn3r
a709fe1fe3
Fix regex escaping thanks to w3bd3vil
2012-06-07 16:00:59 -05:00
sinn3r
a071d2805e
Fix the rest of possible nil res bugs I've found
2012-06-04 14:56:27 -05:00
jvazquez-r7
b53a1396fc
Use of TARGETURI
2012-06-03 22:36:23 +02:00
jvazquez-r7
659b030269
Verbose messages cleanup
2012-06-03 22:29:31 +02:00
jvazquez-r7
34f42bab17
Fix typo in the URI param
2012-06-03 22:14:13 +02:00
jvazquez-r7
efe4136e5b
Added module for CVE-2012-0391
2012-06-03 22:08:31 +02:00
sinn3r
1817942aae
Merge branch 'logcms_writeinfo' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-logcms_writeinfo
2012-06-02 17:43:51 -05:00
sinn3r
7bb36bfbde
Fix typo thanks to juan
2012-06-02 16:57:53 -05:00
sinn3r
7e318e9787
Merge branch 'logcms_writeinfo' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-logcms_writeinfo
2012-06-02 14:14:56 -05:00
Christian Mehlmauer
3752c10ccf
Adding FireFart's RPORT(80) cleanup
...
This was tested by creating a resource script to load every changed
module and displaying the options, like so:
````
use auxiliary/admin/2wire/xslt_password_reset
show options
use auxiliary/admin/http/contentkeeper_fileaccess
show options
````
...etc. This was run in both the master branch and FireFart's branch
while spooling out the results of msfconsole, then diffing those
results. All modules loaded successfully, and there were no changes to
the option sets, so it looks like a successful fix.
Thanks FireFart!
Squashed commit of the following:
commit 7c1eea53fe3743f59402e445cf34fab84cf5a4b7
Author: Christian Mehlmauer <FireFart@gmail.com>
Date: Fri May 25 22:09:42 2012 +0200
Cleanup Opt::RPORT(80) since it is already registered by Msf::Exploit::Remote::HttpClient
2012-06-02 09:53:19 -05:00
sinn3r
59468846e3
Change filename
2012-06-02 01:51:20 -05:00
sinn3r
522991f351
Correct name
2012-06-02 01:49:43 -05:00
sinn3r
7fd3644b8b
Add CVE-2011-4825 module
2012-06-01 18:45:44 -05:00
James Lee
4681ed1c1e
Whitespace, thanks msftidy.rb!
2012-05-31 18:18:27 -06:00
Steve Tornio
5105c1a4df
add osvdb ref
2012-05-31 08:49:58 -05:00
Tod Beardsley
7e6c2f340e
Minor updates; added BID, fixed grammar
...
Modules should not refer to themselves in the first person unless they
are looking for Sarah Connor.
2012-05-30 16:16:41 -05:00
sinn3r
54e14014c3
Merge pull request #428 from wchen-r7/php_volunteer
...
Add PHP Volunteer Management System exploit
2012-05-30 09:33:32 -07:00
sinn3r
59ea8c9ab9
Print IP/Port for each message
2012-05-30 11:30:55 -05:00
sinn3r
43dffbe996
If we don't get a new file, we assume the upload failed. This is
...
possible when we actually don't have WRITE permission to the
'uploads/' directory.
2012-05-30 11:26:06 -05:00
sinn3r
efdcda55ef
Don't really care about the return value for the last send_request_raw
2012-05-30 11:00:31 -05:00
sinn3r
13ba51db34
Allow the login() function to be a little more verbose for debugging purposes
2012-05-30 10:56:59 -05:00
sinn3r
b81315790d
Add PHP Volunteer Management System exploit
2012-05-30 10:38:45 -05:00
sinn3r
ac0d22453a
Merge pull request #414 from wchen-r7/apprain
...
Add CVE-2012-1153
2012-05-23 16:34:30 -07:00
sinn3r
8d837f5d20
Module description update. TARGETURI description update.
2012-05-23 18:33:32 -05:00
sinn3r
fab3bfcea1
Add CVE-2012-1153
2012-05-23 17:50:13 -05:00
Tod Beardsley
5dd866ed4a
Fixed print_status to include rhost:rport
...
Also don't let the failed user:pass be a mystery to the user.
2012-05-21 11:11:34 -05:00
Tod Beardsley
1fc7597a56
Msftidy fixes.
...
Fixed up activecollab_chat, batik_svg_java, and foxit_reader_launch
All whitespace fixes.
2012-05-21 10:59:52 -05:00
Steve Tornio
ba2787df8a
add osvdb ref
2012-05-20 07:13:56 -05:00
sinn3r
964a6af423
Add Active Collab chat module PHP injection exploit, by mr_me
2012-05-19 02:06:30 -05:00
Jeff Jarmoc
c2c160f86c
randomizes options from equivilants
2012-05-11 11:31:26 -05:00
sinn3r
2b13330483
Merge pull request #376 from wchen-r7/wikkawiki
...
Add CVE-2011-4449
2012-05-10 10:13:56 -07:00
sinn3r
6e8c3ad1e3
It's "inject", not "upload"... because technically that's what really happens.
2012-05-10 12:06:02 -05:00
sinn3r
c69e34d407
Update description
2012-05-10 12:02:55 -05:00
sinn3r
86c3ad5e0c
Add CVE-2011-4449
2012-05-10 11:57:40 -05:00
Jeff Jarmoc
e1156834b9
Lots of encoding randomizations for php_cgi_arg_injection
2012-05-09 14:13:21 -05:00
Jeff Jarmoc
4909d8073a
Added lots or encoding randomness
2012-05-09 11:01:15 -05:00
Steve Tornio
cef2da6110
add osvdb ref
2012-05-05 10:13:42 -05:00
James Lee
18a44148dc
Randomize case for ini true/false values
2012-05-04 17:32:32 -06:00
HD Moore
423437c620
Woops, small typo in disable_functions
2012-05-04 12:17:41 -05:00
HD Moore
c6b39e8e5c
Add additional definitions to disable safe_mode, open_basedir, suhosin. (thanks @i0n1c)
2012-05-04 12:15:46 -05:00
HD Moore
2ce3558bb4
Bump the rank
2012-05-04 10:19:37 -05:00
HD Moore
bed4846763
A little more module cleanup
2012-05-04 10:06:18 -05:00
HD Moore
d668e2321d
Rename this to a more suitable location
2012-05-04 09:59:40 -05:00
sinn3r
5bebd01eb0
Tabs vs spaces war round 2
2012-04-24 16:06:08 -05:00
sinn3r
bc42375565
Fix spaces to proper hard tabs. Not very fun to do.
2012-04-24 16:03:41 -05:00
Chris John Riley
f4f1ec70bc
Altered regex to detect Jetty hosts
...
Added in detection for 401 Authentication responses
Added alternative REST based run method (seen in Axis2 1.1.1)
Added check to prevent // from appearing at the start of the URI (causes issues on Jetty hosts)
There should be a default method for URI to prevent double / from appearing at the start of the path (can cause unknown issues).
2012-04-15 15:13:21 +02:00
andurin
4e955e5870
replace spaces with tabs
2012-04-06 10:45:10 -05:00
andurin
67e6c7b850
tomcat_mgr_deploy may report successful creds
...
Using following code for 'check' as 'exploit':
report_auth_info(
:host => rhost,
:port => rport,
:sname => (ssl ? "https" : "http"),
:user => datastore['BasicAuthUser'],
:pass => datastore['BasicAuthPass'],
:proof => "WEBAPP=\"Tomcat Manager App\", VHOST=#{vhost}, PATH=#{datastore['PATH']}",
:active => true
)
Resulting in:
Credentials
===========
host port user pass type active?
---- ---- ---- ---- ---- -------
192.168.x.xxx 8080 tomcat s3cret password true
2012-04-06 10:45:10 -05:00
Tod Beardsley
14e3cd75dc
Revert "tomcat_mgr_deploy may report successful creds"
...
This reverts commit 937f8f035a
.
2012-04-05 16:17:06 -05:00
andurin
937f8f035a
tomcat_mgr_deploy may report successful creds
2012-04-05 11:09:56 +02:00
Tod Beardsley
2f3bbdc00c
Sed replacement of exploit-db links with EDB refs
...
This is the result of:
find modules/ -name \*.rb -exec sed -i -e 's#\x27URL\x27,
\x27http://www.exploit-db.com/exploits/ \([0-9]\+\).*\x27#\x27EDB\x27,
\1#' modules/*.rb {} \
2012-03-21 16:43:21 -05:00
Tod Beardsley
23c9c51014
Fixing CVE format on sit_file_upload.
2012-03-21 09:59:20 -05:00
sinn3r
aeb691bbee
Massive whitespace cleanup
2012-03-18 00:07:27 -05:00
sinn3r
7c77fe20cc
Some variables don't need to be in a double-quote.
2012-03-17 20:37:42 -05:00
Tod Beardsley
e3f2610985
Msftidy run through on the easy stuff.
...
Still have some hits, but that requires a little more code contortion to
fix.
2012-03-15 17:06:20 -05:00
Tod Beardsley
9144c33345
MSFTidy check for capitalization in modules
...
And also fixes up a dozen or so failing modules.
2012-03-15 16:38:12 -05:00
sinn3r
5250b179c8
Add CVE and OSVDB ref
2012-03-15 04:40:27 -05:00
James Lee
8d93e3ad44
Actually use the password we were given...
2012-03-08 10:17:39 -07:00
James Lee
02ea38516f
Add a check method for tomcat_mgr_deploy
2012-03-06 23:22:44 -07:00
sinn3r
22a12a6dfc
Add Lotus CMS exploit (OSVDB-75095)
2012-03-06 11:36:28 -06:00
James Lee
464cf7f65f
Normalize service names
...
Downcases lots and standardizes a few. Notably, modules that reported a
service name of "TNS" are now "oracle". Modules that report http
now check for SSL and report https instead.
[Fixes #6437 ]
2012-02-21 22:59:20 -07:00
HD Moore
4932a9ca25
Dont dump an HTML document to the console
2012-02-21 23:45:25 -06:00
Tod Beardsley
4a631e463c
Module title normalization
...
Module titles should read like titles. For
capitalization rules in English, see:
http://owl.english.purdue.edu/owl/resource/592/01/
The only exceptions are function names (like 'thisFunc()') and specific
filenames (like thisfile.ocx).
2012-02-21 11:07:44 -06:00
HD Moore
ceb4888772
Fix up the boilerplate comment to use a better url
2012-02-20 19:40:50 -06:00
HD Moore
af56807668
Cleanup the titles of many exploit modules
2012-02-20 19:25:55 -06:00
sinn3r
5bb9afe789
Correct disclosure date format
2012-02-16 18:15:51 -06:00
Joshua J. Drake
01a6b02c3e
Add exploit for CVE-2012-0209, thx eromang!
2012-02-16 03:10:55 -06:00
Joshua J. Drake
d2444e1cf6
fix a few typos
2012-02-16 03:10:22 -06:00
Tod Beardsley
829040d527
A bunch of msftidy fixes, no functional changes.
2012-02-10 19:44:03 -06:00
Jonathan Cran
c3bd151197
add a ranking
2012-01-31 20:43:32 -06:00
Steve Tornio
e392958d90
add osvdb ref
2012-01-31 07:06:33 -06:00
sinn3r
bfd4734cbf
Forgot to add CMD as a datastore option, here it is
2012-01-30 17:34:58 -06:00
sinn3r
08134ad600
Add Exploit-DB reference
2012-01-30 16:17:25 -06:00
sinn3r
f3c340a9ab
Add vBSEO proc_deutf() Remote Code Execution (Feature #6307 )
2012-01-30 16:15:27 -06:00
sinn3r
9e5d2ff60e
Improve URI, plus some other minor changes.
2012-01-19 13:26:25 -06:00