2e096be869
Remove debugging output
2017-03-21 11:26:02 -05:00
52cea93ea2
Merge remote-tracking branch 'upstream/master' into land-8118-
2017-03-17 12:39:30 -05:00
80c33fc27f
adding '-' to rails deserialization regex for cookie matching
2017-03-16 10:54:32 -05:00
59c7de671e
Updated rails_secret_deserialization to add '.' regex for cookie matching.
2017-03-16 10:45:43 -05:00
9201f5039d
Use vprint for check because of rules
2017-03-14 15:02:54 -05:00
f429b80c4e
Forgot to rm this when i combined
2017-03-14 12:18:11 -05:00
53c9caa013
Allow native payloads
2017-03-13 20:10:02 -05:00
2053b77b01
ARCH_CMD works
2017-03-13 18:37:50 -05:00
e7b65587b4
Move to a more descriptive name
2017-03-09 14:19:06 -06:00
e07d5332de
Don't step on the payload accessor
2017-03-09 13:54:00 -06:00
d92ffe2d51
Grab the os.name when checking
2017-03-09 13:52:58 -06:00
83f5f98bb0
Merge remote-tracking branch 'upstream/pr/8074' into land-8072
2017-03-09 11:08:29 -06:00
c5fb69bd89
Struts2 S2-045 Exploit 2017/03/08
2017-03-08 14:26:33 +08:00
b73a884c05
struts2_s2045_rce.rb
2017-03-08 13:38:18 +08:00
75a1d979dc
Fix: Incorrect disclosure month forma
2017-03-07 20:28:29 -06:00
fc0f63e774
exploit Apache Struts2 S2-045
2017-03-07 20:10:59 -06:00
92c1fa8390
remove downcase
2017-02-18 20:13:32 -05:00
f3bcc9f23f
Take care of suhosin
2017-02-08 09:59:36 +01:00
028d4d6077
Make the payload a bit more random
2017-02-08 09:59:22 +01:00
cb03ca91e1
Make php_cgi_arg_injection work in certain environnement
...
This commit sets two more options to `0` in the payload:
- [cgi.force_redirect](https://secure.php.net/manual/en/ini.core.php#ini.cgi.force-redirect )
- [cgi.redirect_status_env](https://secure.php.net/manual/en/ini.core.php#ini.cgi.redirect-status-env )
The configuration directive `cgi.force_redirect` prevents anyone from calling PHP
directly with a URL like http://my.host/cgi-bin/php/secretdir/script.php .
Instead, PHP will only parse in this mode if it has gone through a web server redirect rule.
The string set in the configuration directive `cgi.redirect_status_env`
is the one that PHP will look for to know it's ok to continue its
execution. This might be use together with the previous configuration
option as a security measure.
Setting those variables to 0 is (as stated in the documentation) a
security issue, but it also make the exploit work on some Apache2 setup.
2017-02-07 18:59:27 +01:00
48ed8a72c2
Add helpful comment
2017-01-24 20:03:39 -06:00
ec8add6caa
Always check and print status
2017-01-24 20:00:17 -06:00
42a8e2a113
Remove extraneous variable
2017-01-24 19:50:31 -06:00
97050a6c47
Fix nil bug in scan
2017-01-24 19:49:23 -06:00
836da6177f
Cipher::Cipher is deprecated
2017-01-22 10:20:03 -06:00
f69b4a330e
handle Ruby 2.4 Fixnum/Bignum -> Integer deprecations
2017-01-22 10:20:03 -06:00
3155af679a
Fix a typo
2017-01-03 16:03:45 -06:00
cd90fd3b1c
Fix PHPMailer targets since 5.2.20 is not affected
2016-12-30 15:31:15 -05:00
1eab4b3a7d
Add an optional explicit triggeruri for phpmailer
2016-12-30 14:24:07 -05:00
64037b0d6e
Use a proper target instead of VERSION
2016-12-29 17:37:16 -05:00
c9dd7a50b6
Add the PHPMailer Argument Injection exploit
2016-12-29 17:17:06 -05:00
005d34991b
update architecture
2016-11-20 19:09:33 -06:00
f313389be4
Merge remote-tracking branch 'upstream/master' into land-7507-uuid-arch
2016-11-20 19:08:56 -06:00
8cd9a9b670
Deprecate wp_ninja_forms_unauthenticated_file_upload
...
wp_ninja_forms_unauthenticated_file_upload actually supports
multiple platforms.
Instead of using:
exploit/unix/webapp/wp_ninja_forms_unauthenticated_file_upload
Please use:
exploit/multi/http/wp_ninja_forms_unauthenticated_file_upload
2016-11-10 11:17:09 -06:00
ca5610ccde
Land #7511 , Update jenkins_script_console to support newer versions
2016-11-04 11:24:25 -05:00
5ed030fcf6
Land #7529 , nil.downcase fix for tomcat_mgr_deploy
...
Don't think it was ever needed, since the password is case-sensitive.
Fixed a minor merge conflict where PASSWORD became HttpPassword.
2016-11-03 15:39:46 -05:00
2f8d3c3cf3
Remove the bug where downcase() is invoked on password which is optional and can be empty.
2016-11-03 15:23:19 -05:00
ccce361768
Remove accidentally included debug output
2016-10-29 18:46:51 -04:00
fa7cbf2c5a
Fix the jenkins exploit module for new versions
2016-10-29 18:19:14 -04:00
57eabda5dc
Merge upstream/master
2016-10-29 13:54:31 +10:00
1d617ae389
Implement first pass of architecture/platform refactor
2016-10-28 07:16:05 +10:00
16b7c77851
satisfying travis
2016-10-27 13:37:04 -05:00
a8ab7b09b0
Added Bassmaster batch Arbitrary JavaScript Injection Remote Code Execution Vulnerability (CVE-2014-720)
2016-10-27 13:22:39 -05:00
6b77f509ba
fixes bad file refs for cmdstagers
...
when moving to the rex-exploitation gem some of the
file references were missed, partially due to silly differences
between how each file was referenced
Fixes #7466
2016-10-21 12:31:18 -05:00
9e97febcd1
Land #7429 , Ruby on Rails Dynamic Render File Upload Remote Code Exec
2016-10-13 11:45:46 -05:00
e78d3d6bf0
Fix erroneous cred reporting in SonicWALL exploit
...
A session ID will be returned in the parsed JSON if the login succeeded.
Bad user:
{"noldapnouser"=>1, "loginfailed"=>1}
Bad password:
{"loginfailed"=>1}
Good user/password:
{"userid"=>"1", "sessionid"=>"4WJ9cNg1TkBrwjzX"}
2016-10-11 19:25:52 -05:00
bd646ded1b
fixed the check function
2016-10-11 14:06:03 -05:00
d8f98ccd4e
run through msftidy
2016-10-10 22:36:20 -05:00
f2252bb179
fixed a few things, thanks @h00die
2016-10-10 22:30:01 -05:00
3c3f424a4d
added a some references
2016-10-10 17:56:03 -05:00
James Lee
Brent Cook
Dallas Kaman
Thomas Reburn
wchen-r7
root
nixawk
h00die
jvoisin
William Vu
Spencer McIntyre
Jin Qian
OJ
mr_me
David Maloney