e25a06c649
delete comma
2013-03-27 21:33:58 +01:00
5fc5a4f429
use target_uri
2013-03-27 20:45:34 +01:00
f29cfbf393
cleanup for v0pCr3w_exec
2013-03-27 20:38:11 +01:00
787f8cc32f
up to date
2013-03-26 12:18:53 +01:00
6f5fc77019
up to date
2013-03-26 11:59:41 +01:00
2d0a813aa6
Merge branch 'heyder-joomla' of https://github.com/heyder/metasploit-framework
2013-03-26 11:23:33 +01:00
014c01099e
improve cleanup
2013-03-26 02:22:10 -03:00
0c169f94eb
correct some bad indent
2013-03-24 21:07:51 -03:00
50ac5cf247
Adjust payload size and others code adjustments
2013-03-24 20:25:29 -03:00
cb56b2de4b
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-03-23 20:06:05 +01:00
5bee1471df
many code adjustments
2013-03-22 23:07:08 -03:00
11754f271a
Merge branch 'mutiny_subnetmask_exec' of github.com:jvazquez-r7/metasploit-framework into jvazquez-r7-mutiny_subnetmask_exec
2013-03-22 13:05:16 -05:00
b5c65ad51b
add Joomla Component JCE File Upload Code Execution
2013-03-22 10:41:35 -03:00
bbff20fd65
cleanup for struts_code_exec_parameters
2013-03-21 22:17:47 +01:00
50c6a98530
Merge branch 'struts-param-rce' of https://github.com/Console/metasploit-framework into Console-struts-param-rce
2013-03-21 22:17:20 +01:00
296f2e7c2c
up to date
2013-03-21 22:10:18 +01:00
cbccda10ca
fixing issue raised by @meatballs1
2013-03-21 20:58:40 +00:00
9c1694e8a0
Merge branch 'struts-param-rce' of https://github.com/Console/metasploit-framework
2013-03-21 20:44:10 +01:00
302193f98b
Various fixes and improvements
...
Chunk_length now varies according to targeturi and parameter
A few typographical inconsistences corrected
CMD option removed as its not being used
custom http request timeout removed
2013-03-21 19:03:39 +00:00
8027615608
fixed comments left in by accident
2013-03-21 16:43:44 +00:00
4edf5260f4
check function now tells user about delay
2013-03-21 16:40:45 +00:00
a714b430ca
used normalize_uri
2013-03-21 14:05:08 +00:00
5c9bec1552
commit fix branch for Console-struts-RCE
2013-03-21 13:40:16 +00:00
29fff62869
up to date
2013-03-12 18:29:53 +01:00
73717f1522
Added webacoo code execution module
2013-03-09 19:12:22 +00:00
2160718250
Fix file header comment
...
[See #1555 ]
2013-03-07 17:53:19 -06:00
25db782b03
change print location
2013-03-07 19:15:40 +01:00
fdd7c375ad
added linux native target
2013-03-07 19:12:25 +01:00
4212c36566
Fix up basic auth madness
2013-03-01 11:59:02 -06:00
c290bc565e
Merge branch 'master' into feature/http/authv2
2013-02-28 14:33:44 -06:00
abdcde06cd
Fix polarcms_upload_exec exploit
2013-02-25 22:58:26 -08:00
181e3c0496
Uses normalize_uri
2013-02-25 19:36:48 -06:00
1ed74b46be
Add CVE-2013-0803
...
From:
http://dev.metasploit.com/redmine/issues/7691
2013-02-25 14:14:57 -06:00
f3f913edc5
Correct bad naming style
2013-02-25 13:29:27 -06:00
690e7ec8a7
Uses normalize_uri
2013-02-25 13:28:00 -06:00
b930613653
Merge branch 'kordil-edms-upload-exec' of github.com:bcoles/metasploit-framework into bcoles-kordil-edms-upload-exec
2013-02-25 12:43:50 -06:00
52241b847a
Uses normalize_uri instead of manually adding a slash
2013-02-25 12:20:37 -06:00
d7c0ce4e4a
Fix 'check()' in glossword_upload_exec
2013-02-25 15:52:07 +10:30
1f46b3aa02
Add Glossword Arbitrary File Upload Vulnerability exploit
2013-02-25 01:59:46 +10:30
002654317c
Add Kordil EDMS File Upload Vulnerability exploit
2013-02-22 23:32:17 +10:30
0ae489b37b
last of revert-merge snaffu
2013-02-19 23:16:46 -06:00
9d4a3ca729
Fix a typo that broke this module against x64
...
[SeeRM #7747 ]
2013-02-19 19:22:42 -06:00
8ddc19e842
Unmerge #1476 and #1444
...
In that order. #1476 was an attempt to salvage the functionality, but
sinn3r found some more bugs. So, undoing that, and undoing #1444 as
well.
First, do no harm. It's obvious we cannot be making sweeping changes in
libraries like this without a minimum of testing available. #1478 starts
to address that, by the way.
FixRM #7752
2013-02-11 20:49:55 -06:00
5b3b0a8b6d
Merge branch 'dmaloney-r7-http/auth_methods' into rapid7
2013-02-08 12:45:35 -06:00
9b6f2fcd1d
Use the install path to tell us the separator
...
Fixes the java target on windows victims
2013-02-08 12:10:42 -06:00
5b398076ae
Couple of fixes for windows
...
* Catch IOError when chmod doesn't exist (i.e. Windows)
* Proper escaping for paths
2013-02-08 11:52:50 -06:00
071df7241b
Merge branch 'rapid7' into sonicwall_gms
...
Conflicts:
modules/exploits/multi/http/sonicwall_gms_upload.rb
Adds a loop around triggering the WAR payload, which was causing some
unreliability with the Java target.
2013-02-07 21:53:49 -06:00
1f9a09d5dd
Add a method to upload and exec in one step
2013-02-07 21:09:32 -06:00
13d1045989
Works for java and native linux targets
2013-02-07 16:56:38 -06:00
b6c6397da3
typo
2013-02-06 19:21:20 -06:00
1095fe198b
Merge branch 'rapid7' into dmaloney-r7-http/auth_methods
2013-02-06 16:57:50 -06:00
9b30e354ea
Updates HTTP_METHOD option to use OptEnum.
2013-02-04 15:32:36 -06:00
4c1e630bf3
BasicAuth datastore cleanup
...
cleanup all the old BasicAuth datastore options
2013-02-04 13:02:26 -06:00
70b252dc7b
Merge branch 'normalize_uri_update2' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-normalize_uri_update2
2013-01-31 22:32:50 +01:00
5332e80ae9
Fix errant use of .to_s instead of .path
2013-01-31 14:18:42 -06:00
66ca906bfb
This is a string, not a variable
2013-01-31 01:56:05 -06:00
c174e6a208
Correctly use normalize_uri()
...
normalize_uri() should be used when you're joining URIs. Because if
you're merging URIs after it's normalized, you could get double
slashes again.
2013-01-30 23:23:41 -06:00
ec0db66fcb
Merge branch 'patch-2' of github.com:jjarmoc/metasploit-framework into jjarmoc-patch-2
2013-01-30 12:36:53 -06:00
55600ce276
Update modules/exploits/multi/http/rails_xml_yaml_code_exec.rb
...
Remove unecessary include. Tested against rails 3.2.10.
2013-01-29 11:46:02 -06:00
929814dabf
Update modules/exploits/multi/http/rails_json_yaml_code_exec.rb
...
Removes unnecessary include. Tested on 3.0.19 and 2.3.15.
2013-01-29 11:04:20 -06:00
38785015e1
Missing period in description
2013-01-28 23:08:53 -06:00
464d048eca
Remove debugging print
2013-01-28 22:25:57 -06:00
dc19968555
Minor cleanups
2013-01-28 22:21:03 -06:00
c0757ce905
Add support for 2.x
2013-01-28 21:41:15 -06:00
92c736a6a9
Move fork stuff out of exploit into payload mixin
...
Tested xml against 3.2.10 and json against 3.0.19
2013-01-28 21:34:39 -06:00
ee2579607a
Working against 3.0.19
2013-01-28 21:05:14 -06:00
044fefd02a
Initial support for Java target
...
Still some debugging junk, needs some more love.
2013-01-28 00:02:26 -06:00
49aac302e6
normalize_uri() breaks URI parsing
...
Please see: http://dev.metasploit.com/redmine/issues/7727
2013-01-26 22:57:01 -06:00
1bccc410a3
Merge branch 'module-movabletype_upgrade_exec' of https://github.com/kacpern/metasploit-framework into kacpern-module-movabletype_upgrade_exec
2013-01-24 15:02:48 +01:00
ba41ee9c83
- applied all the changes from #1363
...
- some extra escaping for the sake of it
- removed the timeout in http_send_raw
2013-01-24 13:15:42 +00:00
96d0b13de2
Merge branch 'excellentrankings' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-excellentrankings
2013-01-24 13:00:01 +01:00
3146b7ce77
Change default target
...
ExcellentRanking requires the module to auto-target. If the payload
is universal, that works too.
2013-01-23 23:40:47 -06:00
0c0f4a3e66
Lower ranking because they cannot auto-target
...
In order to be qualified as ExcellentRanking, auto-target is a must,
or the module has to default to a payload that's universal for
multiple platforms. Otherwise you're wasting time in Pro.
2013-01-23 23:35:31 -06:00
75f3a62ac4
Explain why we need this empty on_new_session
2013-01-23 16:43:36 -06:00
9c3e9f798f
Lower the ranking, because it cannot auto-target.
...
When it's excellent, Pro will fire this first, and that will only
generate more traffic than actually popping a shell.
2013-01-23 16:39:24 -06:00
53599e4c45
It's better to have a version # in the title, easier to find
2013-01-23 16:32:57 -06:00
c47392f5d1
normalize_uri and path fix
2013-01-23 16:57:30 +00:00
ff875d04e0
- RPATH changed to TARGETURI
...
- both CVE numbers referenced
- sightly changed exception handling
2013-01-23 16:50:35 +00:00
a3fa7cc6bc
adjusted disclosure date
2013-01-23 12:49:08 +00:00
e78174297e
assuring stdapi loads on meterpreter
2013-01-23 12:44:55 +01:00
5d6ca30422
removed spaces at EOL
2013-01-23 10:33:55 +00:00
17d1c9f996
- expanded description
...
- updated references
2013-01-23 10:29:11 +00:00
8a59c7b8fb
removed extra print_status() calls
2013-01-22 12:31:40 +00:00
08a5f467b1
added URL for developer site
2013-01-22 12:14:38 +00:00
cd29a88c18
added Movable Type 4.2x, 4.3x Web Upgrade Remote Code Execution
2013-01-22 11:58:24 +00:00
eb92070df8
added module for CVE-2013-1359
2013-01-22 01:54:41 +01:00
967c04e727
finally it doesn't use FileDropper atm
2013-01-20 19:54:24 +01:00
aed71f8446
linux stager plus little cleanup
2013-01-20 13:42:02 +01:00
6b40011a6f
use target_uri and normalize_uri as well as fix a cookie problem
2013-01-19 19:10:56 -05:00
9f7aafccdf
add module to execute commands via Jenkins Script Console
2013-01-18 14:56:52 -05:00
0b130e49e7
Squashed commit of the following:
...
commit 1beebe758c32a277e0a77f7d1011a56fda707732
Author: kernelsmith <kernelsmith@kernelsmith>
Date: Fri Jan 11 17:55:27 2013 -0600
fixes missing word in descript. of rails exploit
simple omission fix in description
[Closes #1295 ]
2013-01-11 19:02:06 -06:00
6471a70053
Pass the X-HTTP-Method-Override parameter for compat
2013-01-10 20:27:13 -06:00
9c652d1d55
Add a note about ruby 1.9 requirements
2013-01-10 17:10:03 -06:00
3b491ab998
Change charlisome in the list of authors to charliesome
2013-01-10 16:12:07 +01:00
42ea64c21b
Merge in Rails2 support now that its in master
2013-01-10 02:14:08 -06:00
0b74f98946
Rescue errors and update credits
2013-01-10 01:06:46 -06:00
1e94b090e7
The __END__ trick is no longer needed
2013-01-10 00:29:11 -06:00
acabc14ec3
This restores functionality across all rails 3.x
2013-01-10 00:28:12 -06:00
0e92de8f61
This works against a wider range of RoR 3.x targets
2013-01-10 00:10:26 -06:00
5e7a4f154e
Fix platform/arch
2013-01-09 23:24:37 -06:00
e15c731651
Clarify credit
2013-01-09 23:22:40 -06:00
4c1e501ed0
Exploit for CVE-2013-0156 and new ruby-platform modules
2013-01-09 23:10:13 -06:00
ad3ca3a6bb
regex to check version fixed
2013-01-09 23:48:55 +01:00
52157b9124
extplorer_upload_exec cleanup
2013-01-09 19:45:17 +01:00
8f91352c4a
Merge branch 'extplorer_upload_exec' of https://github.com/bcoles/metasploit-framework into bcoles-extplorer_upload_exec
2013-01-09 19:44:43 +01:00
36adf86184
Various and sundry fixes for normalize_uri
2013-01-07 12:02:08 -06:00
33751c7ce4
Merges and resolves CJR's normalize_uri fixes
...
Merge remote-tracking branch 'ChrisJohnRiley/set_normalize_uri_on_modules'
into set_normalize_uri_on_modules
Note that this trips all kinds of msftidy warnings, but that's for another
day.
Conflicts:
modules/exploits/unix/webapp/tikiwiki_jhot_exec.rb
modules/exploits/windows/http/xampp_webdav_upload_php.rb
2013-01-07 11:16:58 -06:00
8f2dd8e2ce
msftidy: Remove $Revision$
2013-01-04 00:48:10 +01:00
25aaf7a676
msftidy: Remove $Id$
2013-01-04 00:41:44 +01:00
97253d46a1
Multiple change for Juan
...
Incooperated changes as per Juan's suggestions.
- Removed redundant space option for the payload
- Doing the uri more intelligently
- Detecting allow_url_include being disabled and reporting it
- Moved to unix/webapp
- Removed redundant handler call
- Adding to description that this requires allow_url_include to be
enabled
2013-01-02 21:19:06 +00:00
78c6d04b31
Fixing from crlf to lf
...
By accident the line endings changed to crlf.
Mihi pointed out that the last diff was funky because the commit by
accident had crlf rather than the lf from the initial commits.
Also adding an email, as per the HACKING guide and since hdm pointed out
the usefulness of it.
2013-01-02 20:14:09 +00:00
ef3f15e881
Adding a PLUGINSPATH option
...
Adding a PUGINSPATH option as per FireFart's comment.
Because the path to plugins(and wp-content) can be changed, I've added a
PLUGINSPATH options.
This allows for targeting of sites where either folder has been moved,
by specifying the relative path to where all plugins are stored.
2013-01-02 18:56:49 +00:00
6fb2130265
Adding a damn space
...
It suddenly jumped at me that there was a missing space in the module
info. Couldn't unsee.
2013-01-01 23:40:01 +00:00
4ba5b45ad3
Fixed the check
...
Turns out the export returns a 500 by default. Fixing.
2013-01-01 23:15:10 +00:00
dd0482cb9d
Code style fix!
...
Now variable names are in-line with the coding guidelines!
2013-01-01 23:01:14 +00:00
2fe2d5d3dd
Adding exploit for OSVDB 87353
...
Adding an exploit for OSVDB 87353, which allows for a remote file
inclusion in the Advanced Custom Fields plugin for Wordpress. and shell
given that url include is enabled in the php installation.
2013-01-01 22:52:55 +00:00
8e543cf5f5
Add eXtplorer v2.1 auth bypass exploit module
2012-12-30 23:51:41 +10:30
d97a63a94c
Make changes based on juan and egypt's feedback
2012-12-22 02:35:22 -06:00
49248c79d6
Oops, didn't mean to keep these lines
2012-12-21 22:22:58 -06:00
ca72132fc0
Add a check
2012-12-21 16:23:31 -06:00
1323081bce
msftidy cleanup
2012-12-21 16:11:16 -06:00
529a3c9a63
Add Netwin SurgeFTP module
2012-12-21 16:10:27 -06:00
4595a96ece
updated CVE and OSVDB wikka_spam_exec references
2012-12-19 16:42:47 -05:00
fa42d0c7fe
Fixed minor spelling errors
2012-12-17 15:18:08 -07:00
10511e8281
Merge remote branch 'origin/bug/fix-double-slashes'
...
Ran the new normalize_uri() specs, all passes, so I'm quite confident in
this change.
2012-12-17 13:29:19 -06:00
3f4efea879
No twitter name, please.
2012-12-11 14:52:39 -06:00
f5193b595c
Update references
2012-12-10 11:42:21 -06:00
2260e4b471
Switch to manual payload selection, because we don't auto-detect
2012-12-07 11:07:11 -06:00
e5cc950fe1
fix identation
2012-12-07 11:57:11 +01:00
133ad04452
Cleanup of #1062
2012-12-07 11:55:48 +01:00
b764110e6e
Use PhpEXE to be able to support PHP and Linux native payloads
2012-11-28 15:06:39 -06:00
fd2296317d
Strip the credential dumping stuff (making it auxiliary)
...
Also a little description update
2012-11-28 14:27:01 -06:00
6b524ff22a
Merge branch 'eaton_network_shutdown' of git://github.com/h0ng10/metasploit-framework into h0ng10-eaton_network_shutdown
2012-11-28 11:22:36 -06:00
897ae102d4
fixed msftidy.rb complains
2012-11-28 01:22:19 -05:00
7109d63f36
Code clean up, thanks to Brandon Perry
2012-11-28 01:20:41 -05:00
4ef0d8699a
added exploit for OSVDB 83199
2012-11-27 12:29:10 -05:00
9c3be383d0
The 'Set-Cookie' header should be checked before accessing it
2012-11-26 12:06:43 -06:00
591b085858
Add support for shell sessions in FileDropper
2012-11-16 15:51:54 -06:00
83708a5a48
Add a FileDropper mixin for recording cleanup targets
...
Doesn't cover shell sessions yet, so needs a bit more work
2012-11-15 17:52:10 -06:00
f88ec5cbc8
Add normalize_uri to modules that may have
...
been missed by PULL 1045.
Please ensure PULL 1045 is in place prior to
looking at this (as it implements normalize_uri)
ref --> https://github.com/rapid7/metasploit-framework/pull/1045
2012-11-08 17:42:48 +01:00
36066f8c78
Catch a few stragglers for double slash
2012-11-08 07:21:37 -06:00
b1b85bee44
Actually require PhpEXE mixin.
2012-11-01 14:53:18 -05:00
4e6b5393c5
Merge branch 'manage_engine_sqli' of git://github.com/wchen-r7/metasploit-framework into wchen-r7-manage_engine_sqli
2012-10-27 18:53:47 -05:00
799c22554e
Warn user if a file/permission is being modified during new session
2012-10-24 00:54:17 -05:00
f1423bf0b4
If a message is clearly a warning, then use print_warning
2012-10-24 00:44:53 -05:00
8eb790f62c
Final touchup
2012-10-23 19:46:09 -05:00
f9bb910c3b
Make the check() try SQLI
2012-10-23 19:42:36 -05:00
8c5a73bb7f
Change exception handling
2012-10-23 19:34:12 -05:00
90542547c6
Add auto-target, and some changes to cleanup
2012-10-23 19:07:13 -05:00
910644400d
References EDB cleanup
...
All other types of references use String arguments, but approximately half
of the EDB references use Fixnums. Fix this by using Strings here too.
2012-10-23 21:02:09 +02:00
22223d5d81
Better cleanup abilities
2012-10-23 13:58:19 -05:00
21f6127e29
Platform windows cleanup
...
Change all Platform 'windows' to 'win', as it internally is an alias
anyway and only causes unnecessary confusion to have two platform names
that mean the same.
2012-10-23 20:33:01 +02:00
4c41319c7c
Remove unused vars
2012-10-23 12:55:43 -05:00
bef4539915
Update description
2012-10-23 12:47:46 -05:00
3ff888a5c0
Move to 'multi' because it supports windows and linux
2012-10-23 12:41:51 -05:00
5072156df6
Designed specifically for Windows, so let's move to Windows
...
Plus additional fixes
2012-10-22 23:01:58 -05:00
2484bb02cf
Add the initial version of the module
...
From EDB.
2012-10-22 22:41:30 -05:00
e9f7873afc
Version cleanup
...
Remove all values that are neither 0 nor $Revision$.
2012-10-22 20:57:02 +02:00
2acfb0537c
Merge branch 'ajaxplorer' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-ajaxplorer
2012-10-15 08:30:08 +02:00
529f88c66d
Some msftidy fixes
2012-10-14 19:16:54 -05:00
cedcace1a7
Forgot to change the output variable
...
Because the original script used match()
2012-10-14 11:43:33 -05:00
cc303665e8
Credit
2012-10-13 00:42:44 -05:00
5b2998a121
Add OSVDB-63552 AjaXplorer module (2010)
2012-10-13 00:35:48 -05:00
90ae5c1178
Add PhpEXE support to RateMyPet module
2012-10-12 04:53:01 -05:00
13a5892e95
Add a mixin for uploading/executing bins with PHP
...
And use it in three modules that had copy-paste versions of the same
idea.
2012-10-12 02:57:41 -05:00
c094508119
Support Python payload
...
Pretty sure if the app is run on Unix/Apache, or supports perl and
ruby, chances are python works too.
2012-10-08 22:17:11 -05:00
06e2994b7e
connectiontype to find and python payload support
2012-10-08 15:13:27 -05:00
04aa69192d
Dang typo
2012-10-08 13:35:13 -05:00
8ff4442f9e
Add PhpTax pfilez exec module
...
This module exploits a vuln found in PhpTax. When generating a
PDF, the icondrawpng() function in drawimage.php does not
properly handle the pfilez parameter, which will be used in a
exec() statement, and results in arbitrary code execution.
2012-10-08 12:46:56 -05:00
3ade5a07e7
Add exploit for phpmyadmin backdoor
2012-09-25 10:47:53 -05:00
1111de0197
Add OSVDB reference
2012-09-25 01:19:58 -05:00
98f4190288
Add Auxilium RateMyPet module
2012-09-24 10:16:11 -05:00
caf7619b86
Remove extra comma, fixes syntax errors in 1.8
...
Thanks, Kanedaaa, for reporting
2012-09-13 12:07:34 -05:00
71a0db9ae5
Make sure the user has a 'myAccount' page
2012-09-13 10:33:43 -05:00
658502d5ad
Add OSVDB-82978
...
This module exploits a vuln in qdPM - a web-based project
management software. The user profile's photo upload feature can
be abused to upload any arbitrary file onto the victim server
machine, which allows remote code execution. However, note in
order to use this module, the attacker must have a valid cred
to sign.
2012-09-13 10:01:08 -05:00
bd596a3f39
Merge branch 'sflog_upload_exec' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-sflog_upload_exec
2012-09-06 18:40:19 -05:00
b4270bb480
Add OSVDB-83767: SFlog Upload Exec Module
...
This module exploits multiiple flaws in SFlog!. By default, the
CMS has a default admin cred of "admin:secret", which can be
abused to access admin features such as blog management. Through
the management interface, we can upload a backdoor that's accessible
by any remote user, and then we gain code execution.
2012-09-06 18:30:45 -05:00
fc1c1c93ba
ZDI references fixed
2012-09-07 00:50:07 +02:00
65681dc3b6
added osvdb reference
2012-09-06 13:56:52 +02:00
b4113a2a38
hp_site_scope_uploadfileshandler is now multiplatform
2012-09-06 12:54:51 +02:00
9531c95627
Adding BID
2012-09-05 15:04:05 -05:00
99009da567
Merge branch 'mobilecartly_upload_exec' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-mobilecartly_upload_exec
2012-09-04 14:32:23 -05:00
e926bc16ba
Add MobileCartly 1.0 module
2012-09-04 14:23:16 -05:00
4a92cc4641
jboss_invoke_deploy module cleanup
2012-09-04 18:49:11 +02:00
2b6aa6bbdb
Added Exploit for deployfilerepository via JMX
2012-09-03 13:50:16 -04:00
4fd9f88304
avoid the redefinition of Module.target_host
2012-08-30 14:45:14 +02:00
7ddcc787bd
Merge branch 'jboss-exploits-revision2' of https://github.com/h0ng10/metasploit-framework into h0ng10-jboss-exploits-revision2
2012-08-21 14:37:09 -05:00
c6b9121f8b
Added support for CVE-2010-0738
2012-08-15 15:47:44 -04:00
6965431389
Added support for CVE-2010-0738, msftidy
2012-08-15 15:47:14 -04:00
e5498e3e1d
Added fix for CVE-2010-0738, corrections
2012-08-15 15:46:34 -04:00
0e4e7dc903
Indentation fix
2012-08-14 12:27:27 -05:00
6597d25726
Shortening an over-200 long line for readability
...
It's a contrived fix, but scrolling over is a hassle. This comes up a
lot in long regexes, not sure the best way to address these.
2012-08-14 12:27:27 -05:00
d6b28dc44d
ranking changed plus on_new_session handler added
2012-08-13 19:29:13 +02:00
468030786f
small fixes, mainly check res agains nil, res.code and use send_request_cgi
2012-08-13 18:57:59 +02:00
8bb3181f68
Add TestLink v1.9.3 arbitrary file upload module
2012-08-13 16:30:10 +09:30
b46fb260a6
Comply with msftidy
...
*Knock, knock!* Who's there? Me, the msftidy nazi!
2012-08-07 15:59:01 -05:00
b646dcc87f
add osvdb ref
2012-08-05 09:02:32 -05:00
d5b165abbb
Msftidy.rb cleanup on recent modules.
...
Notably, DisclosureDate is required for other module parsers, so let's
not ignore those, even if you have to guess at the disclosure or call
the module's publish date the disclosure date.
2012-08-04 12:18:00 -05:00
8872ea693c
real support for cve-2010-0738/verb bypass
2012-08-03 14:22:40 -04:00
52b1919315
Additional cleanups, verb tampering
2012-08-02 17:33:17 -04:00
9815faec37
Add OSVDB-83822
2012-07-31 13:31:06 -05:00
36be7cd9c4
removed unnecessary cleanup
2012-07-27 16:32:08 -04:00
d67234bd03
Better regex and email format correction
2012-07-27 01:14:32 -05:00
2939e3918e
Rename file
2012-07-27 01:06:57 -05:00
cec15aa204
Added CuteFlow v2.11.2 Arbitrary File Upload
...
- modules/exploits/multi/http/cuteflow_2.11.2_upload_exec.rb
2012-07-27 12:30:20 +09:30
b133428bc1
Better error handling in two web app modules
2012-07-15 21:56:00 -05:00
6c8ee443c8
datastore cleanup according to sinn3r
2012-07-12 09:31:22 +02:00
87f5002516
added datastore cleanup
2012-07-11 12:56:23 -04:00
0d38a7e45f
switched to Rex::Text.encode_base64()
2012-07-11 12:52:09 -04:00
61ec07a10c
additional targets, meterpreter, bugfixes
2012-07-10 13:33:28 -04:00
e2a2789f78
Support Ruby 1.8 syntax. Thanks M M.
2012-07-02 14:15:14 -05:00
cf9a6d58cc
Update missing OSVDB ref
2012-06-28 00:44:01 -05:00
e605a35433
Make sure the check func is always returning the same data type
2012-06-27 17:07:55 -05:00
cb1af5ab79
Final cleanup
2012-06-27 16:57:04 -05:00
73360dfae3
minor fixes
2012-06-27 23:38:52 +02:00
245205c6c9
changes on openfire_auth_bypass
2012-06-27 23:15:40 +02:00
6ec990ed85
Merge branch 'Openfire-auth-bypass' of https://github.com/h0ng10/metasploit-framework into h0ng10-Openfire-auth-bypass
2012-06-27 23:09:26 +02:00
6cc8390da9
Module rewrite, included Java support, direct upload, plugin deletion
2012-06-26 11:56:44 -04:00
e31a09203d
Take into account an integer-normalized datastore
2012-06-24 22:59:14 -05:00
65197e79e2
added Exploit for CVE-2008-6508 (Openfire Auth bypass)
2012-06-24 07:35:38 -04:00
d40e39b71b
Additional exploit fail_with() changes to remove raise calls
2012-06-19 19:43:41 -05:00
fb7f6b49f0
This mega-diff adds better error classification to existing modules
2012-06-19 12:59:15 -05:00
a631e1fef1
Change the default state to make it work on Metasploitable by default
2012-06-13 00:43:59 -05:00
597726d433
Merge branch 'php_cgi_arg_injection' of https://github.com/jjarmoc/metasploit-framework into jjarmoc-php_cgi_arg_injection
2012-06-13 00:40:02 -05:00
bbfe0f8f49
" is 0x22, duh.
2012-06-12 20:00:28 -05:00
12a28bd519
Fixed ruby 1.9 String Indexing issue, using Rex::Text.uri_encode
2012-06-12 14:59:06 -05:00
c3c9051014
Merge branch 'php_cgi_arg_injection' of https://github.com/jjarmoc/metasploit-framework into jjarmoc-php_cgi_arg_injection
2012-06-11 11:15:15 -05:00
02a5dff51f
struts_code_exec_exception_delegator_on_new_session: on_new_session modified
2012-06-11 12:07:38 +02:00
b4d33fb85a
Add ARCH_JAVA support to struts_code_exec_exception_delegator
2012-06-09 21:53:43 +02:00
a709fe1fe3
Fix regex escaping thanks to w3bd3vil
2012-06-07 16:00:59 -05:00
a071d2805e
Fix the rest of possible nil res bugs I've found
2012-06-04 14:56:27 -05:00
b53a1396fc
Use of TARGETURI
2012-06-03 22:36:23 +02:00
659b030269
Verbose messages cleanup
2012-06-03 22:29:31 +02:00
34f42bab17
Fix typo in the URI param
2012-06-03 22:14:13 +02:00
efe4136e5b
Added module for CVE-2012-0391
2012-06-03 22:08:31 +02:00
1817942aae
Merge branch 'logcms_writeinfo' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-logcms_writeinfo
2012-06-02 17:43:51 -05:00
7bb36bfbde
Fix typo thanks to juan
2012-06-02 16:57:53 -05:00
7e318e9787
Merge branch 'logcms_writeinfo' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-logcms_writeinfo
2012-06-02 14:14:56 -05:00
3752c10ccf
Adding FireFart's RPORT(80) cleanup
...
This was tested by creating a resource script to load every changed
module and displaying the options, like so:
````
use auxiliary/admin/2wire/xslt_password_reset
show options
use auxiliary/admin/http/contentkeeper_fileaccess
show options
````
...etc. This was run in both the master branch and FireFart's branch
while spooling out the results of msfconsole, then diffing those
results. All modules loaded successfully, and there were no changes to
the option sets, so it looks like a successful fix.
Thanks FireFart!
Squashed commit of the following:
commit 7c1eea53fe3743f59402e445cf34fab84cf5a4b7
Author: Christian Mehlmauer <FireFart@gmail.com>
Date: Fri May 25 22:09:42 2012 +0200
Cleanup Opt::RPORT(80) since it is already registered by Msf::Exploit::Remote::HttpClient
2012-06-02 09:53:19 -05:00
59468846e3
Change filename
2012-06-02 01:51:20 -05:00
522991f351
Correct name
2012-06-02 01:49:43 -05:00
7fd3644b8b
Add CVE-2011-4825 module
2012-06-01 18:45:44 -05:00
4681ed1c1e
Whitespace, thanks msftidy.rb!
2012-05-31 18:18:27 -06:00
5105c1a4df
add osvdb ref
2012-05-31 08:49:58 -05:00
7e6c2f340e
Minor updates; added BID, fixed grammar
...
Modules should not refer to themselves in the first person unless they
are looking for Sarah Connor.
2012-05-30 16:16:41 -05:00
54e14014c3
Merge pull request #428 from wchen-r7/php_volunteer
...
Add PHP Volunteer Management System exploit
2012-05-30 09:33:32 -07:00
59ea8c9ab9
Print IP/Port for each message
2012-05-30 11:30:55 -05:00
43dffbe996
If we don't get a new file, we assume the upload failed. This is
...
possible when we actually don't have WRITE permission to the
'uploads/' directory.
2012-05-30 11:26:06 -05:00
efdcda55ef
Don't really care about the return value for the last send_request_raw
2012-05-30 11:00:31 -05:00
13ba51db34
Allow the login() function to be a little more verbose for debugging purposes
2012-05-30 10:56:59 -05:00
b81315790d
Add PHP Volunteer Management System exploit
2012-05-30 10:38:45 -05:00
ac0d22453a
Merge pull request #414 from wchen-r7/apprain
...
Add CVE-2012-1153
2012-05-23 16:34:30 -07:00
8d837f5d20
Module description update. TARGETURI description update.
2012-05-23 18:33:32 -05:00
fab3bfcea1
Add CVE-2012-1153
2012-05-23 17:50:13 -05:00
5dd866ed4a
Fixed print_status to include rhost:rport
...
Also don't let the failed user:pass be a mystery to the user.
2012-05-21 11:11:34 -05:00
1fc7597a56
Msftidy fixes.
...
Fixed up activecollab_chat, batik_svg_java, and foxit_reader_launch
All whitespace fixes.
2012-05-21 10:59:52 -05:00
ba2787df8a
add osvdb ref
2012-05-20 07:13:56 -05:00
964a6af423
Add Active Collab chat module PHP injection exploit, by mr_me
2012-05-19 02:06:30 -05:00
c2c160f86c
randomizes options from equivilants
2012-05-11 11:31:26 -05:00
2b13330483
Merge pull request #376 from wchen-r7/wikkawiki
...
Add CVE-2011-4449
2012-05-10 10:13:56 -07:00
6e8c3ad1e3
It's "inject", not "upload"... because technically that's what really happens.
2012-05-10 12:06:02 -05:00
c69e34d407
Update description
2012-05-10 12:02:55 -05:00
86c3ad5e0c
Add CVE-2011-4449
2012-05-10 11:57:40 -05:00
e1156834b9
Lots of encoding randomizations for php_cgi_arg_injection
2012-05-09 14:13:21 -05:00
4909d8073a
Added lots or encoding randomness
2012-05-09 11:01:15 -05:00
cef2da6110
add osvdb ref
2012-05-05 10:13:42 -05:00
18a44148dc
Randomize case for ini true/false values
2012-05-04 17:32:32 -06:00
423437c620
Woops, small typo in disable_functions
2012-05-04 12:17:41 -05:00
c6b39e8e5c
Add additional definitions to disable safe_mode, open_basedir, suhosin. (thanks @i0n1c)
2012-05-04 12:15:46 -05:00
2ce3558bb4
Bump the rank
2012-05-04 10:19:37 -05:00
bed4846763
A little more module cleanup
2012-05-04 10:06:18 -05:00
d668e2321d
Rename this to a more suitable location
2012-05-04 09:59:40 -05:00
5bebd01eb0
Tabs vs spaces war round 2
2012-04-24 16:06:08 -05:00
bc42375565
Fix spaces to proper hard tabs. Not very fun to do.
2012-04-24 16:03:41 -05:00
f4f1ec70bc
Altered regex to detect Jetty hosts
...
Added in detection for 401 Authentication responses
Added alternative REST based run method (seen in Axis2 1.1.1)
Added check to prevent // from appearing at the start of the URI (causes issues on Jetty hosts)
There should be a default method for URI to prevent double / from appearing at the start of the path (can cause unknown issues).
2012-04-15 15:13:21 +02:00
4e955e5870
replace spaces with tabs
2012-04-06 10:45:10 -05:00
67e6c7b850
tomcat_mgr_deploy may report successful creds
...
Using following code for 'check' as 'exploit':
report_auth_info(
:host => rhost,
:port => rport,
:sname => (ssl ? "https" : "http"),
:user => datastore['BasicAuthUser'],
:pass => datastore['BasicAuthPass'],
:proof => "WEBAPP=\"Tomcat Manager App\", VHOST=#{vhost}, PATH=#{datastore['PATH']}",
:active => true
)
Resulting in:
Credentials
===========
host port user pass type active?
---- ---- ---- ---- ---- -------
192.168.x.xxx 8080 tomcat s3cret password true
2012-04-06 10:45:10 -05:00
14e3cd75dc
Revert "tomcat_mgr_deploy may report successful creds"
...
This reverts commit 937f8f035a
2012-04-05 16:17:06 -05:00
937f8f035a
tomcat_mgr_deploy may report successful creds
2012-04-05 11:09:56 +02:00
2f3bbdc00c
Sed replacement of exploit-db links with EDB refs
...
This is the result of:
find modules/ -name \*.rb -exec sed -i -e 's#\x27URL\x27,
\x27http://www.exploit-db.com/exploits/ \([0-9]\+\).*\x27#\x27EDB\x27,
\1#' modules/*.rb {} \
2012-03-21 16:43:21 -05:00
23c9c51014
Fixing CVE format on sit_file_upload.
2012-03-21 09:59:20 -05:00
aeb691bbee
Massive whitespace cleanup
2012-03-18 00:07:27 -05:00
7c77fe20cc
Some variables don't need to be in a double-quote.
2012-03-17 20:37:42 -05:00
e3f2610985
Msftidy run through on the easy stuff.
...
Still have some hits, but that requires a little more code contortion to
fix.
2012-03-15 17:06:20 -05:00
9144c33345
MSFTidy check for capitalization in modules
...
And also fixes up a dozen or so failing modules.
2012-03-15 16:38:12 -05:00
5250b179c8
Add CVE and OSVDB ref
2012-03-15 04:40:27 -05:00
8d93e3ad44
Actually use the password we were given...
2012-03-08 10:17:39 -07:00
02ea38516f
Add a check method for tomcat_mgr_deploy
2012-03-06 23:22:44 -07:00
22a12a6dfc
Add Lotus CMS exploit (OSVDB-75095)
2012-03-06 11:36:28 -06:00
464cf7f65f
Normalize service names
...
Downcases lots and standardizes a few. Notably, modules that reported a
service name of "TNS" are now "oracle". Modules that report http
now check for SSL and report https instead.
[Fixes #6437 ]
2012-02-21 22:59:20 -07:00
4932a9ca25
Dont dump an HTML document to the console
2012-02-21 23:45:25 -06:00
4a631e463c
Module title normalization
...
Module titles should read like titles. For
capitalization rules in English, see:
http://owl.english.purdue.edu/owl/resource/592/01/
The only exceptions are function names (like 'thisFunc()') and specific
filenames (like thisfile.ocx).
2012-02-21 11:07:44 -06:00
ceb4888772
Fix up the boilerplate comment to use a better url
2012-02-20 19:40:50 -06:00
af56807668
Cleanup the titles of many exploit modules
2012-02-20 19:25:55 -06:00
5bb9afe789
Correct disclosure date format
2012-02-16 18:15:51 -06:00
01a6b02c3e
Add exploit for CVE-2012-0209, thx eromang!
2012-02-16 03:10:55 -06:00
d2444e1cf6
fix a few typos
2012-02-16 03:10:22 -06:00
829040d527
A bunch of msftidy fixes, no functional changes.
2012-02-10 19:44:03 -06:00
c3bd151197
add a ranking
2012-01-31 20:43:32 -06:00
e392958d90
add osvdb ref
2012-01-31 07:06:33 -06:00
jvazquez-r7
heyder
sinn3r
Console
Darren Martyn
James Lee
David Maloney
Joe Rozner
bcoles
Tod Beardsley
Jeff Jarmoc
Kacper Nowak
Julian Vilas
Spencer McIntyre
kernelsmith
HD Moore
Bouke van der Bijl
Christian Mehlmauer
Charlie Eriksen
sput-nick
Garret Picchioni
h0ng10
Chris John Riley
Michael Schierl
Steve Tornio
sinn3r
Chris John Riley
andurin
Joshua J. Drake
Jonathan Cran