Console
ec315ad50d
Modified URI handling to make use of target_uri and vars_get/post.
...
Added support for both GET and POST methods as both are vulnerable to
this exploit.
2013-05-29 12:56:34 +01:00
Console
b39531cea6
Added references
2013-05-28 23:15:10 +01:00
Console
7b43117d87
Added RCE for Struts versions earlier than 2.3.14.2
...
Heavily based upon my previous module for parameters
interceptor based RCE.
Tested against the POC given at the reference website successfully.
2013-05-28 18:26:57 +01:00
jvazquez-r7
0dee5ae94d
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-22 12:54:44 -05:00
James Lee
f4498c3916
Remove $Id tags
...
Also adds binary coding magic comment to a few files
2013-05-20 16:21:03 -05:00
jvazquez-r7
0f3b13e21d
up to date
2013-05-16 15:02:41 -05:00
James Lee
3009bdb57e
Add a few more references for those without
2013-05-16 14:32:02 -05:00
h0ng10
378f0fff5b
added missing comma
2013-05-16 18:59:46 +02:00
jvazquez-r7
a4632b773a
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-04-28 12:59:16 -05:00
sinn3r
1d9a695d2b
Landing #1772 - Adds phpMyadmin Preg_Replace module (CVE-2013-3238)
...
[Closes #1772 ]
2013-04-28 12:17:16 -05:00
Meatballs
ccb630eca2
Whitespace and change default user
2013-04-27 10:39:27 +01:00
Meatballs
209188bc22
Add refs and use targeturi
2013-04-27 10:35:49 +01:00
Meatballs
3ac041386b
Add php version to check
2013-04-26 23:59:49 +01:00
Meatballs
e25fdebd8d
Add php version to check
2013-04-26 23:58:08 +01:00
Meatballs
cd842df3e2
Correct phpMyAdmin
2013-04-26 23:38:27 +01:00
Meatballs
6bb2af7cee
Add pma url
2013-04-26 23:37:26 +01:00
James Lee
a0c1b6d1ce
Clear out PMA's error handler
...
* Add an error_handler function that just returns true. This prevents eventual
ENOMEM errors and segfaults like these:
[Fri Apr 26 15:01:00 2013] [error] [client 127.0.0.1] PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 44659282 bytes) in /home/egypt/repo/phpmyadmin/libraries/Error.class.php on line 156
[Fri Apr 26 15:01:16 2013] [notice] child pid 7347 exit signal Segmentation fault (11)
* clean up some whitespace
2013-04-26 15:25:09 -05:00
Meatballs
1f2cab7aef
Tidyup and getcookies
2013-04-26 20:26:04 +01:00
Meatballs
0901d00da5
Remove redundant pay opts
2013-04-26 19:26:29 +01:00
Meatballs
a17d61897d
Change to send_rq_cgi
2013-04-26 19:19:11 +01:00
Meatballs
54233e9fba
Better entropy
2013-04-26 17:46:43 +01:00
Meatballs
c8da13cfa0
Add some entropy in request
2013-04-26 17:34:17 +01:00
Meatballs
a043d3b456
Fix auth check and cookie handling
2013-04-26 17:10:24 +01:00
Meatballs
025315e4e4
Move to http
2013-04-26 15:42:26 +01:00
jvazquez-r7
bbf7cc4394
up to date
2013-04-17 11:54:12 -05:00
jvazquez-r7
48def7dbdb
up to date
2013-04-17 06:36:44 -05:00
Jon Hart
83ec9757ec
Addressed feedback from PR#1717
2013-04-16 19:00:26 -07:00
jvazquez-r7
cc35591723
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-04-15 17:43:15 -05:00
Tod Beardsley
873bdbab57
Removing APSB13-03, not ready.
...
This was landed by @todb-r7 on #1709 but that was premature. #1717 was
a proposed set of fixes, but it didn't go far enough.
@jhart-r7 and @jvazquez-r7 should revisit this module for sure, there's
some good stuff in there, but it's not ready for a real release quite
yet. Take a look at the issues discussed in those PRs and open a new PR
with a new module?
Sorry for the switcheroo, not trying to be a jerk.
[Closes #1717 ]
2013-04-15 13:36:47 -05:00
jvazquez-r7
2ab7552a85
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-04-10 09:11:41 +02:00
Tod Beardsley
0d2746fb4c
defs should have parens when taking args
...
While it's allowed in ruby to drop most parens, many are useful for
readability.
Also adds a missing CVE.
2013-04-09 17:57:52 -05:00
Tod Beardsley
90e986860e
Adding most suggested changes to jhart's adobe module
2013-04-09 17:55:28 -05:00
Jon Hart
8a98b1af4a
Added command mode, plus fixed the dropping of payloads
2013-04-07 15:39:38 -07:00
Jon Hart
f482496795
Initial commit of an exploit module for the CVEs covered by APSB13-03.
...
Not complete but will currently get command execution on Coldfusion 9.x
instances with CSRF protection disabled
2013-04-06 20:08:50 -07:00
jvazquez-r7
358c43f6f6
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-04-03 19:17:53 +02:00
Tod Beardsley
e4d901d12c
Space at EOL (msftidy)
2013-04-03 09:20:01 -05:00
jvazquez-r7
070fd399f2
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-03-31 20:23:08 +02:00
jvazquez-r7
315abd8839
fix Privileged field
2013-03-30 19:39:01 +01:00
jvazquez-r7
a46805d95d
description updated
2013-03-30 19:36:35 +01:00
jvazquez-r7
c880a63e75
Added module for ZDI-13-049
2013-03-30 19:35:04 +01:00
jvazquez-r7
e9842eac2e
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-03-28 15:18:41 +01:00
jvazquez-r7
29ad9939e1
cleanup for stunshell_eval
2013-03-28 15:11:20 +01:00
jvazquez-r7
514aed404c
Merge branch 'STUNSHELL_eval' of https://github.com/bwall/metasploit-framework into bwall-STUNSHELL_eval
2013-03-28 15:10:57 +01:00
jvazquez-r7
3ffbc5e5b3
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-03-28 14:58:43 +01:00
jvazquez-r7
9b18eb858b
cleanup for stunshell_exec
2013-03-28 14:45:51 +01:00
jvazquez-r7
a7a5569725
Merge branch 'STUNSHELL_exec' of https://github.com/bwall/metasploit-framework into bwall-STUNSHELL_exec
2013-03-28 14:45:28 +01:00
jvazquez-r7
6cd6a7d6b9
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-03-28 12:16:18 +01:00
bwall
f14d5ba8ec
Removed extra comma
2013-03-27 17:15:34 -04:00
bwall
2a60ef2d60
Renamed and fixed some code issues
2013-03-27 17:14:41 -04:00
bwall
cc92b54e83
Moved module and cleaned code
2013-03-27 17:03:18 -04:00
jvazquez-r7
e25a06c649
delete comma
2013-03-27 21:33:58 +01:00
jvazquez-r7
5fc5a4f429
use target_uri
2013-03-27 20:45:34 +01:00
jvazquez-r7
f29cfbf393
cleanup for v0pCr3w_exec
2013-03-27 20:38:11 +01:00
jvazquez-r7
787f8cc32f
up to date
2013-03-26 12:18:53 +01:00
jvazquez-r7
6f5fc77019
up to date
2013-03-26 11:59:41 +01:00
jvazquez-r7
2d0a813aa6
Merge branch 'heyder-joomla' of https://github.com/heyder/metasploit-framework
2013-03-26 11:23:33 +01:00
heyder
014c01099e
improve cleanup
2013-03-26 02:22:10 -03:00
heyder
0c169f94eb
correct some bad indent
2013-03-24 21:07:51 -03:00
heyder
50ac5cf247
Adjust payload size and others code adjustments
2013-03-24 20:25:29 -03:00
jvazquez-r7
cb56b2de4b
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-03-23 20:06:05 +01:00
heyder
5bee1471df
many code adjustments
2013-03-22 23:07:08 -03:00
sinn3r
11754f271a
Merge branch 'mutiny_subnetmask_exec' of github.com:jvazquez-r7/metasploit-framework into jvazquez-r7-mutiny_subnetmask_exec
2013-03-22 13:05:16 -05:00
heyder
b5c65ad51b
add Joomla Component JCE File Upload Code Execution
2013-03-22 10:41:35 -03:00
jvazquez-r7
bbff20fd65
cleanup for struts_code_exec_parameters
2013-03-21 22:17:47 +01:00
jvazquez-r7
50c6a98530
Merge branch 'struts-param-rce' of https://github.com/Console/metasploit-framework into Console-struts-param-rce
2013-03-21 22:17:20 +01:00
jvazquez-r7
296f2e7c2c
up to date
2013-03-21 22:10:18 +01:00
Console
cbccda10ca
fixing issue raised by @meatballs1
2013-03-21 20:58:40 +00:00
jvazquez-r7
9c1694e8a0
Merge branch 'struts-param-rce' of https://github.com/Console/metasploit-framework
2013-03-21 20:44:10 +01:00
Console
302193f98b
Various fixes and improvements
...
Chunk_length now varies according to targeturi and parameter
A few typographical inconsistences corrected
CMD option removed as its not being used
custom http request timeout removed
2013-03-21 19:03:39 +00:00
Console
8027615608
fixed comments left in by accident
2013-03-21 16:43:44 +00:00
Console
4edf5260f4
check function now tells user about delay
2013-03-21 16:40:45 +00:00
Console
a714b430ca
used normalize_uri
2013-03-21 14:05:08 +00:00
Console
5c9bec1552
commit fix branch for Console-struts-RCE
2013-03-21 13:40:16 +00:00
jvazquez-r7
29fff62869
up to date
2013-03-12 18:29:53 +01:00
Darren Martyn
73717f1522
Added webacoo code execution module
2013-03-09 19:12:22 +00:00
James Lee
2160718250
Fix file header comment
...
[See #1555 ]
2013-03-07 17:53:19 -06:00
jvazquez-r7
25db782b03
change print location
2013-03-07 19:15:40 +01:00
jvazquez-r7
fdd7c375ad
added linux native target
2013-03-07 19:12:25 +01:00
David Maloney
4212c36566
Fix up basic auth madness
2013-03-01 11:59:02 -06:00
David Maloney
c290bc565e
Merge branch 'master' into feature/http/authv2
2013-02-28 14:33:44 -06:00
Joe Rozner
abdcde06cd
Fix polarcms_upload_exec exploit
2013-02-25 22:58:26 -08:00
sinn3r
181e3c0496
Uses normalize_uri
2013-02-25 19:36:48 -06:00
sinn3r
1ed74b46be
Add CVE-2013-0803
...
From:
http://dev.metasploit.com/redmine/issues/7691
2013-02-25 14:14:57 -06:00
sinn3r
f3f913edc5
Correct bad naming style
2013-02-25 13:29:27 -06:00
sinn3r
690e7ec8a7
Uses normalize_uri
2013-02-25 13:28:00 -06:00
sinn3r
b930613653
Merge branch 'kordil-edms-upload-exec' of github.com:bcoles/metasploit-framework into bcoles-kordil-edms-upload-exec
2013-02-25 12:43:50 -06:00
sinn3r
52241b847a
Uses normalize_uri instead of manually adding a slash
2013-02-25 12:20:37 -06:00
bcoles
d7c0ce4e4a
Fix 'check()' in glossword_upload_exec
2013-02-25 15:52:07 +10:30
bcoles
1f46b3aa02
Add Glossword Arbitrary File Upload Vulnerability exploit
2013-02-25 01:59:46 +10:30
bcoles
002654317c
Add Kordil EDMS File Upload Vulnerability exploit
2013-02-22 23:32:17 +10:30
David Maloney
0ae489b37b
last of revert-merge snaffu
2013-02-19 23:16:46 -06:00
James Lee
9d4a3ca729
Fix a typo that broke this module against x64
...
[SeeRM #7747 ]
2013-02-19 19:22:42 -06:00
Tod Beardsley
8ddc19e842
Unmerge #1476 and #1444
...
In that order. #1476 was an attempt to salvage the functionality, but
sinn3r found some more bugs. So, undoing that, and undoing #1444 as
well.
First, do no harm. It's obvious we cannot be making sweeping changes in
libraries like this without a minimum of testing available. #1478 starts
to address that, by the way.
FixRM #7752
2013-02-11 20:49:55 -06:00
James Lee
5b3b0a8b6d
Merge branch 'dmaloney-r7-http/auth_methods' into rapid7
2013-02-08 12:45:35 -06:00
James Lee
9b6f2fcd1d
Use the install path to tell us the separator
...
Fixes the java target on windows victims
2013-02-08 12:10:42 -06:00
James Lee
5b398076ae
Couple of fixes for windows
...
* Catch IOError when chmod doesn't exist (i.e. Windows)
* Proper escaping for paths
2013-02-08 11:52:50 -06:00
James Lee
071df7241b
Merge branch 'rapid7' into sonicwall_gms
...
Conflicts:
modules/exploits/multi/http/sonicwall_gms_upload.rb
Adds a loop around triggering the WAR payload, which was causing some
unreliability with the Java target.
2013-02-07 21:53:49 -06:00
James Lee
1f9a09d5dd
Add a method to upload and exec in one step
2013-02-07 21:09:32 -06:00
James Lee
13d1045989
Works for java and native linux targets
2013-02-07 16:56:38 -06:00
James Lee
b6c6397da3
typo
2013-02-06 19:21:20 -06:00
James Lee
1095fe198b
Merge branch 'rapid7' into dmaloney-r7-http/auth_methods
2013-02-06 16:57:50 -06:00
Jeff Jarmoc
9b30e354ea
Updates HTTP_METHOD option to use OptEnum.
2013-02-04 15:32:36 -06:00
David Maloney
4c1e630bf3
BasicAuth datastore cleanup
...
cleanup all the old BasicAuth datastore options
2013-02-04 13:02:26 -06:00
jvazquez-r7
70b252dc7b
Merge branch 'normalize_uri_update2' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-normalize_uri_update2
2013-01-31 22:32:50 +01:00
egypt
5332e80ae9
Fix errant use of .to_s instead of .path
2013-01-31 14:18:42 -06:00
sinn3r
66ca906bfb
This is a string, not a variable
2013-01-31 01:56:05 -06:00
sinn3r
c174e6a208
Correctly use normalize_uri()
...
normalize_uri() should be used when you're joining URIs. Because if
you're merging URIs after it's normalized, you could get double
slashes again.
2013-01-30 23:23:41 -06:00
sinn3r
ec0db66fcb
Merge branch 'patch-2' of github.com:jjarmoc/metasploit-framework into jjarmoc-patch-2
2013-01-30 12:36:53 -06:00
Jeff Jarmoc
55600ce276
Update modules/exploits/multi/http/rails_xml_yaml_code_exec.rb
...
Remove unecessary include. Tested against rails 3.2.10.
2013-01-29 11:46:02 -06:00
Jeff Jarmoc
929814dabf
Update modules/exploits/multi/http/rails_json_yaml_code_exec.rb
...
Removes unnecessary include. Tested on 3.0.19 and 2.3.15.
2013-01-29 11:04:20 -06:00
Tod Beardsley
38785015e1
Missing period in description
2013-01-28 23:08:53 -06:00
James Lee
464d048eca
Remove debugging print
2013-01-28 22:25:57 -06:00
James Lee
dc19968555
Minor cleanups
2013-01-28 22:21:03 -06:00
James Lee
c0757ce905
Add support for 2.x
2013-01-28 21:41:15 -06:00
James Lee
92c736a6a9
Move fork stuff out of exploit into payload mixin
...
Tested xml against 3.2.10 and json against 3.0.19
2013-01-28 21:34:39 -06:00
James Lee
ee2579607a
Working against 3.0.19
2013-01-28 21:05:14 -06:00
James Lee
044fefd02a
Initial support for Java target
...
Still some debugging junk, needs some more love.
2013-01-28 00:02:26 -06:00
sinn3r
49aac302e6
normalize_uri() breaks URI parsing
...
Please see: http://dev.metasploit.com/redmine/issues/7727
2013-01-26 22:57:01 -06:00
jvazquez-r7
1bccc410a3
Merge branch 'module-movabletype_upgrade_exec' of https://github.com/kacpern/metasploit-framework into kacpern-module-movabletype_upgrade_exec
2013-01-24 15:02:48 +01:00
Kacper Nowak
ba41ee9c83
- applied all the changes from #1363
...
- some extra escaping for the sake of it
- removed the timeout in http_send_raw
2013-01-24 13:15:42 +00:00
jvazquez-r7
96d0b13de2
Merge branch 'excellentrankings' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-excellentrankings
2013-01-24 13:00:01 +01:00
sinn3r
3146b7ce77
Change default target
...
ExcellentRanking requires the module to auto-target. If the payload
is universal, that works too.
2013-01-23 23:40:47 -06:00
sinn3r
0c0f4a3e66
Lower ranking because they cannot auto-target
...
In order to be qualified as ExcellentRanking, auto-target is a must,
or the module has to default to a payload that's universal for
multiple platforms. Otherwise you're wasting time in Pro.
2013-01-23 23:35:31 -06:00
sinn3r
75f3a62ac4
Explain why we need this empty on_new_session
2013-01-23 16:43:36 -06:00
sinn3r
9c3e9f798f
Lower the ranking, because it cannot auto-target.
...
When it's excellent, Pro will fire this first, and that will only
generate more traffic than actually popping a shell.
2013-01-23 16:39:24 -06:00
sinn3r
53599e4c45
It's better to have a version # in the title, easier to find
2013-01-23 16:32:57 -06:00
Kacper Nowak
c47392f5d1
normalize_uri and path fix
2013-01-23 16:57:30 +00:00
Kacper Nowak
ff875d04e0
- RPATH changed to TARGETURI
...
- both CVE numbers referenced
- sightly changed exception handling
2013-01-23 16:50:35 +00:00
Kacper Nowak
a3fa7cc6bc
adjusted disclosure date
2013-01-23 12:49:08 +00:00
jvazquez-r7
e78174297e
assuring stdapi loads on meterpreter
2013-01-23 12:44:55 +01:00
Kacper Nowak
5d6ca30422
removed spaces at EOL
2013-01-23 10:33:55 +00:00
Kacper Nowak
17d1c9f996
- expanded description
...
- updated references
2013-01-23 10:29:11 +00:00
Kacper Nowak
8a59c7b8fb
removed extra print_status() calls
2013-01-22 12:31:40 +00:00
Kacper Nowak
08a5f467b1
added URL for developer site
2013-01-22 12:14:38 +00:00
Kacper Nowak
cd29a88c18
added Movable Type 4.2x, 4.3x Web Upgrade Remote Code Execution
2013-01-22 11:58:24 +00:00
Julian Vilas
eb92070df8
added module for CVE-2013-1359
2013-01-22 01:54:41 +01:00
jvazquez-r7
967c04e727
finally it doesn't use FileDropper atm
2013-01-20 19:54:24 +01:00
jvazquez-r7
aed71f8446
linux stager plus little cleanup
2013-01-20 13:42:02 +01:00
Spencer McIntyre
6b40011a6f
use target_uri and normalize_uri as well as fix a cookie problem
2013-01-19 19:10:56 -05:00
Spencer McIntyre
9f7aafccdf
add module to execute commands via Jenkins Script Console
2013-01-18 14:56:52 -05:00
kernelsmith
0b130e49e7
Squashed commit of the following:
...
commit 1beebe758c32a277e0a77f7d1011a56fda707732
Author: kernelsmith <kernelsmith@kernelsmith>
Date: Fri Jan 11 17:55:27 2013 -0600
fixes missing word in descript. of rails exploit
simple omission fix in description
[Closes #1295 ]
2013-01-11 19:02:06 -06:00
HD Moore
6471a70053
Pass the X-HTTP-Method-Override parameter for compat
2013-01-10 20:27:13 -06:00
HD Moore
9c652d1d55
Add a note about ruby 1.9 requirements
2013-01-10 17:10:03 -06:00
Bouke van der Bijl
3b491ab998
Change charlisome in the list of authors to charliesome
2013-01-10 16:12:07 +01:00
HD Moore
42ea64c21b
Merge in Rails2 support now that its in master
2013-01-10 02:14:08 -06:00
HD Moore
0b74f98946
Rescue errors and update credits
2013-01-10 01:06:46 -06:00
HD Moore
1e94b090e7
The __END__ trick is no longer needed
2013-01-10 00:29:11 -06:00
HD Moore
acabc14ec3
This restores functionality across all rails 3.x
2013-01-10 00:28:12 -06:00
HD Moore
0e92de8f61
This works against a wider range of RoR 3.x targets
2013-01-10 00:10:26 -06:00
HD Moore
5e7a4f154e
Fix platform/arch
2013-01-09 23:24:37 -06:00
HD Moore
e15c731651
Clarify credit
2013-01-09 23:22:40 -06:00
HD Moore
4c1e501ed0
Exploit for CVE-2013-0156 and new ruby-platform modules
2013-01-09 23:10:13 -06:00
jvazquez-r7
ad3ca3a6bb
regex to check version fixed
2013-01-09 23:48:55 +01:00
jvazquez-r7
52157b9124
extplorer_upload_exec cleanup
2013-01-09 19:45:17 +01:00
jvazquez-r7
8f91352c4a
Merge branch 'extplorer_upload_exec' of https://github.com/bcoles/metasploit-framework into bcoles-extplorer_upload_exec
2013-01-09 19:44:43 +01:00
Tod Beardsley
36adf86184
Various and sundry fixes for normalize_uri
2013-01-07 12:02:08 -06:00
Tod Beardsley
33751c7ce4
Merges and resolves CJR's normalize_uri fixes
...
Merge remote-tracking branch 'ChrisJohnRiley/set_normalize_uri_on_modules'
into set_normalize_uri_on_modules
Note that this trips all kinds of msftidy warnings, but that's for another
day.
Conflicts:
modules/exploits/unix/webapp/tikiwiki_jhot_exec.rb
modules/exploits/windows/http/xampp_webdav_upload_php.rb
2013-01-07 11:16:58 -06:00
Christian Mehlmauer
8f2dd8e2ce
msftidy: Remove $Revision$
2013-01-04 00:48:10 +01:00
Christian Mehlmauer
25aaf7a676
msftidy: Remove $Id$
2013-01-04 00:41:44 +01:00
Charlie Eriksen
97253d46a1
Multiple change for Juan
...
Incooperated changes as per Juan's suggestions.
- Removed redundant space option for the payload
- Doing the uri more intelligently
- Detecting allow_url_include being disabled and reporting it
- Moved to unix/webapp
- Removed redundant handler call
- Adding to description that this requires allow_url_include to be
enabled
2013-01-02 21:19:06 +00:00
Charlie Eriksen
78c6d04b31
Fixing from crlf to lf
...
By accident the line endings changed to crlf.
Mihi pointed out that the last diff was funky because the commit by
accident had crlf rather than the lf from the initial commits.
Also adding an email, as per the HACKING guide and since hdm pointed out
the usefulness of it.
2013-01-02 20:14:09 +00:00
Charlie Eriksen
ef3f15e881
Adding a PLUGINSPATH option
...
Adding a PUGINSPATH option as per FireFart's comment.
Because the path to plugins(and wp-content) can be changed, I've added a
PLUGINSPATH options.
This allows for targeting of sites where either folder has been moved,
by specifying the relative path to where all plugins are stored.
2013-01-02 18:56:49 +00:00
Charlie Eriksen
6fb2130265
Adding a damn space
...
It suddenly jumped at me that there was a missing space in the module
info. Couldn't unsee.
2013-01-01 23:40:01 +00:00
Charlie Eriksen
4ba5b45ad3
Fixed the check
...
Turns out the export returns a 500 by default. Fixing.
2013-01-01 23:15:10 +00:00
Charlie Eriksen
dd0482cb9d
Code style fix!
...
Now variable names are in-line with the coding guidelines!
2013-01-01 23:01:14 +00:00
Charlie Eriksen
2fe2d5d3dd
Adding exploit for OSVDB 87353
...
Adding an exploit for OSVDB 87353, which allows for a remote file
inclusion in the Advanced Custom Fields plugin for Wordpress. and shell
given that url include is enabled in the php installation.
2013-01-01 22:52:55 +00:00
bcoles
8e543cf5f5
Add eXtplorer v2.1 auth bypass exploit module
2012-12-30 23:51:41 +10:30
sinn3r
d97a63a94c
Make changes based on juan and egypt's feedback
2012-12-22 02:35:22 -06:00
sinn3r
49248c79d6
Oops, didn't mean to keep these lines
2012-12-21 22:22:58 -06:00
sinn3r
ca72132fc0
Add a check
2012-12-21 16:23:31 -06:00
sinn3r
1323081bce
msftidy cleanup
2012-12-21 16:11:16 -06:00
sinn3r
529a3c9a63
Add Netwin SurgeFTP module
2012-12-21 16:10:27 -06:00
sput-nick
4595a96ece
updated CVE and OSVDB wikka_spam_exec references
2012-12-19 16:42:47 -05:00
Garret Picchioni
fa42d0c7fe
Fixed minor spelling errors
2012-12-17 15:18:08 -07:00
Tod Beardsley
10511e8281
Merge remote branch 'origin/bug/fix-double-slashes'
...
Ran the new normalize_uri() specs, all passes, so I'm quite confident in
this change.
2012-12-17 13:29:19 -06:00
sinn3r
3f4efea879
No twitter name, please.
2012-12-11 14:52:39 -06:00
sinn3r
f5193b595c
Update references
2012-12-10 11:42:21 -06:00
sinn3r
2260e4b471
Switch to manual payload selection, because we don't auto-detect
2012-12-07 11:07:11 -06:00
jvazquez-r7
e5cc950fe1
fix identation
2012-12-07 11:57:11 +01:00
jvazquez-r7
133ad04452
Cleanup of #1062
2012-12-07 11:55:48 +01:00
sinn3r
b764110e6e
Use PhpEXE to be able to support PHP and Linux native payloads
2012-11-28 15:06:39 -06:00
sinn3r
fd2296317d
Strip the credential dumping stuff (making it auxiliary)
...
Also a little description update
2012-11-28 14:27:01 -06:00
sinn3r
6b524ff22a
Merge branch 'eaton_network_shutdown' of git://github.com/h0ng10/metasploit-framework into h0ng10-eaton_network_shutdown
2012-11-28 11:22:36 -06:00
h0ng10
897ae102d4
fixed msftidy.rb complains
2012-11-28 01:22:19 -05:00
h0ng10
7109d63f36
Code clean up, thanks to Brandon Perry
2012-11-28 01:20:41 -05:00
h0ng10
4ef0d8699a
added exploit for OSVDB 83199
2012-11-27 12:29:10 -05:00
sinn3r
9c3be383d0
The 'Set-Cookie' header should be checked before accessing it
2012-11-26 12:06:43 -06:00
James Lee
591b085858
Add support for shell sessions in FileDropper
2012-11-16 15:51:54 -06:00
James Lee
83708a5a48
Add a FileDropper mixin for recording cleanup targets
...
Doesn't cover shell sessions yet, so needs a bit more work
2012-11-15 17:52:10 -06:00
Chris John Riley
f88ec5cbc8
Add normalize_uri to modules that may have
...
been missed by PULL 1045.
Please ensure PULL 1045 is in place prior to
looking at this (as it implements normalize_uri)
ref --> https://github.com/rapid7/metasploit-framework/pull/1045
2012-11-08 17:42:48 +01:00
HD Moore
36066f8c78
Catch a few stragglers for double slash
2012-11-08 07:21:37 -06:00
Tod Beardsley
b1b85bee44
Actually require PhpEXE mixin.
2012-11-01 14:53:18 -05:00
sinn3r
4e6b5393c5
Merge branch 'manage_engine_sqli' of git://github.com/wchen-r7/metasploit-framework into wchen-r7-manage_engine_sqli
2012-10-27 18:53:47 -05:00
sinn3r
799c22554e
Warn user if a file/permission is being modified during new session
2012-10-24 00:54:17 -05:00
sinn3r
f1423bf0b4
If a message is clearly a warning, then use print_warning
2012-10-24 00:44:53 -05:00
sinn3r
8eb790f62c
Final touchup
2012-10-23 19:46:09 -05:00
sinn3r
f9bb910c3b
Make the check() try SQLI
2012-10-23 19:42:36 -05:00
sinn3r
8c5a73bb7f
Change exception handling
2012-10-23 19:34:12 -05:00
sinn3r
90542547c6
Add auto-target, and some changes to cleanup
2012-10-23 19:07:13 -05:00
Michael Schierl
910644400d
References EDB cleanup
...
All other types of references use String arguments, but approximately half
of the EDB references use Fixnums. Fix this by using Strings here too.
2012-10-23 21:02:09 +02:00
sinn3r
22223d5d81
Better cleanup abilities
2012-10-23 13:58:19 -05:00
Michael Schierl
21f6127e29
Platform windows cleanup
...
Change all Platform 'windows' to 'win', as it internally is an alias
anyway and only causes unnecessary confusion to have two platform names
that mean the same.
2012-10-23 20:33:01 +02:00
sinn3r
4c41319c7c
Remove unused vars
2012-10-23 12:55:43 -05:00
sinn3r
bef4539915
Update description
2012-10-23 12:47:46 -05:00
sinn3r
3ff888a5c0
Move to 'multi' because it supports windows and linux
2012-10-23 12:41:51 -05:00
sinn3r
5072156df6
Designed specifically for Windows, so let's move to Windows
...
Plus additional fixes
2012-10-22 23:01:58 -05:00
sinn3r
2484bb02cf
Add the initial version of the module
...
From EDB.
2012-10-22 22:41:30 -05:00
Michael Schierl
e9f7873afc
Version cleanup
...
Remove all values that are neither 0 nor $Revision$.
2012-10-22 20:57:02 +02:00
jvazquez-r7
2acfb0537c
Merge branch 'ajaxplorer' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-ajaxplorer
2012-10-15 08:30:08 +02:00
sinn3r
529f88c66d
Some msftidy fixes
2012-10-14 19:16:54 -05:00
sinn3r
cedcace1a7
Forgot to change the output variable
...
Because the original script used match()
2012-10-14 11:43:33 -05:00
sinn3r
cc303665e8
Credit
2012-10-13 00:42:44 -05:00
sinn3r
5b2998a121
Add OSVDB-63552 AjaXplorer module (2010)
2012-10-13 00:35:48 -05:00
James Lee
90ae5c1178
Add PhpEXE support to RateMyPet module
2012-10-12 04:53:01 -05:00
James Lee
13a5892e95
Add a mixin for uploading/executing bins with PHP
...
And use it in three modules that had copy-paste versions of the same
idea.
2012-10-12 02:57:41 -05:00
sinn3r
c094508119
Support Python payload
...
Pretty sure if the app is run on Unix/Apache, or supports perl and
ruby, chances are python works too.
2012-10-08 22:17:11 -05:00
sinn3r
06e2994b7e
connectiontype to find and python payload support
2012-10-08 15:13:27 -05:00
sinn3r
04aa69192d
Dang typo
2012-10-08 13:35:13 -05:00
sinn3r
8ff4442f9e
Add PhpTax pfilez exec module
...
This module exploits a vuln found in PhpTax. When generating a
PDF, the icondrawpng() function in drawimage.php does not
properly handle the pfilez parameter, which will be used in a
exec() statement, and results in arbitrary code execution.
2012-10-08 12:46:56 -05:00
HD Moore
3ade5a07e7
Add exploit for phpmyadmin backdoor
2012-09-25 10:47:53 -05:00
sinn3r
1111de0197
Add OSVDB reference
2012-09-25 01:19:58 -05:00
sinn3r
98f4190288
Add Auxilium RateMyPet module
2012-09-24 10:16:11 -05:00
James Lee
caf7619b86
Remove extra comma, fixes syntax errors in 1.8
...
Thanks, Kanedaaa, for reporting
2012-09-13 12:07:34 -05:00
sinn3r
71a0db9ae5
Make sure the user has a 'myAccount' page
2012-09-13 10:33:43 -05:00
sinn3r
658502d5ad
Add OSVDB-82978
...
This module exploits a vuln in qdPM - a web-based project
management software. The user profile's photo upload feature can
be abused to upload any arbitrary file onto the victim server
machine, which allows remote code execution. However, note in
order to use this module, the attacker must have a valid cred
to sign.
2012-09-13 10:01:08 -05:00
sinn3r
bd596a3f39
Merge branch 'sflog_upload_exec' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-sflog_upload_exec
2012-09-06 18:40:19 -05:00
sinn3r
b4270bb480
Add OSVDB-83767: SFlog Upload Exec Module
...
This module exploits multiiple flaws in SFlog!. By default, the
CMS has a default admin cred of "admin:secret", which can be
abused to access admin features such as blog management. Through
the management interface, we can upload a backdoor that's accessible
by any remote user, and then we gain code execution.
2012-09-06 18:30:45 -05:00
jvazquez-r7
fc1c1c93ba
ZDI references fixed
2012-09-07 00:50:07 +02:00
jvazquez-r7
65681dc3b6
added osvdb reference
2012-09-06 13:56:52 +02:00
jvazquez-r7
b4113a2a38
hp_site_scope_uploadfileshandler is now multiplatform
2012-09-06 12:54:51 +02:00
Tod Beardsley
9531c95627
Adding BID
2012-09-05 15:04:05 -05:00
sinn3r
99009da567
Merge branch 'mobilecartly_upload_exec' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-mobilecartly_upload_exec
2012-09-04 14:32:23 -05:00
sinn3r
e926bc16ba
Add MobileCartly 1.0 module
2012-09-04 14:23:16 -05:00
jvazquez-r7
4a92cc4641
jboss_invoke_deploy module cleanup
2012-09-04 18:49:11 +02:00
h0ng10
2b6aa6bbdb
Added Exploit for deployfilerepository via JMX
2012-09-03 13:50:16 -04:00
jvazquez-r7
4fd9f88304
avoid the redefinition of Module.target_host
2012-08-30 14:45:14 +02:00
sinn3r
7ddcc787bd
Merge branch 'jboss-exploits-revision2' of https://github.com/h0ng10/metasploit-framework into h0ng10-jboss-exploits-revision2
2012-08-21 14:37:09 -05:00
h0ng10
c6b9121f8b
Added support for CVE-2010-0738
2012-08-15 15:47:44 -04:00
h0ng10
6965431389
Added support for CVE-2010-0738, msftidy
2012-08-15 15:47:14 -04:00
h0ng10
e5498e3e1d
Added fix for CVE-2010-0738, corrections
2012-08-15 15:46:34 -04:00
Tod Beardsley
0e4e7dc903
Indentation fix
2012-08-14 12:27:27 -05:00
Tod Beardsley
6597d25726
Shortening an over-200 long line for readability
...
It's a contrived fix, but scrolling over is a hassle. This comes up a
lot in long regexes, not sure the best way to address these.
2012-08-14 12:27:27 -05:00
jvazquez-r7
d6b28dc44d
ranking changed plus on_new_session handler added
2012-08-13 19:29:13 +02:00
jvazquez-r7
468030786f
small fixes, mainly check res agains nil, res.code and use send_request_cgi
2012-08-13 18:57:59 +02:00
bcoles
8bb3181f68
Add TestLink v1.9.3 arbitrary file upload module
2012-08-13 16:30:10 +09:30
sinn3r
b46fb260a6
Comply with msftidy
...
*Knock, knock!* Who's there? Me, the msftidy nazi!
2012-08-07 15:59:01 -05:00
Steve Tornio
b646dcc87f
add osvdb ref
2012-08-05 09:02:32 -05:00
Tod Beardsley
d5b165abbb
Msftidy.rb cleanup on recent modules.
...
Notably, DisclosureDate is required for other module parsers, so let's
not ignore those, even if you have to guess at the disclosure or call
the module's publish date the disclosure date.
2012-08-04 12:18:00 -05:00
h0ng10
8872ea693c
real support for cve-2010-0738/verb bypass
2012-08-03 14:22:40 -04:00
h0ng10
52b1919315
Additional cleanups, verb tampering
2012-08-02 17:33:17 -04:00