09f6c21f94
Add note about Host header limitations
2017-05-10 15:17:20 -05:00
b446cbcfce
Add reference to Exim string expansions
2017-05-10 15:17:20 -05:00
8842764d95
Add some comments about badchars
2017-05-10 15:17:20 -05:00
ecb79f2f85
Use reduce instead of extracting twice
2017-05-10 15:17:20 -05:00
b5f25ab7ca
Use extract instead of doubling /bin/echo
2017-05-10 15:17:20 -05:00
9a64ecc9b0
Create a pure-Exim, one-shot HTTP client
2017-05-10 15:17:20 -05:00
0ce475dea3
Add WordPress 4.6 PHPMailer exploit
2017-05-10 15:17:20 -05:00
b794bfe5db
Land #8335 , rank fixes for the msftidy god
2017-05-07 21:20:33 -05:00
88bef00f61
Add more ranks, remove module warnings
...
../vmware_mount.rb
Rank = Excellent
Exploit uses check code for target availability,
the vulnerability does not require user action,
and the exploit uses privilege escalation to run
arbitrary executables
../movabletype_upgrade_exec.rb
Rank = ExcellentRanking
Exploit utilizes code injection,
has a check for availability
../uptime_file_upload_2.rb
Rank = ExcellentRanking
Exploit allows execution of arbitrary commands,
has a check for availability
../zpanel_information_disclosure_rce.rb
Rank = ExcellentRanking
Exploit allows remote code execution,
implements version check for pChart
../spip_connect_exec.rb
Rank = ExcellentRanking
Exploit utilizes code injection,
has a check for availability
../wp_optimizepress_upload.rb
Rank = ExcellentRanking
Exploit allows execution of arbitrary code,
has a check for availability
../wing_ftp_admin_exec.rb
Rank = ExcellentRanking
Exploit allows execution of arbitrary commands,
has a check for availability
../novell_mdm_lfi.rb
Rank = ExcellentRanking
Exploit allows execution of arbitrary code,
has a check for availability
../run_as.rb
Rank = ExcellentRanking
Exploit utilizes command injection,
checks system type, and does not require user action
2017-05-07 15:41:26 -04:00
e2fe70d531
convert store_valid_credential to named params
2017-05-05 18:23:15 -05:00
63b6ab5355
simplify valid credential storage
2017-05-04 22:51:40 -05:00
a8983c831d
Updated links and authors
2017-05-04 18:25:45 -04:00
afe801b9e8
Updated target to 'universal'
2017-05-04 16:25:41 +02:00
073cd59cd3
Added qmail_bash_env_exec exploit module, which exploit the ShellShock flaw via Qmail.
2017-05-04 15:44:18 +02:00
64452de06d
Fix msf/core and self.class msftidy warnings
...
Also fixed rex requires.
2017-05-03 15:44:51 -05:00
03e4ee91c2
Correct Ghostscript 9.2.1 to 9.21 as per advisory
2017-05-01 16:23:14 -05:00
afc804fa03
Quick Ghostscript module based on the public PoC
2017-04-28 09:56:52 -05:00
bdeeb8ee1d
Add a check
2017-04-18 16:32:06 -05:00
06ca406d18
Fix weird whitespace
2017-04-09 22:23:58 -05:00
74dc7e478f
update piwik module
2017-04-05 20:19:07 +02:00
baa473a1c6
add piwik superuser plugin upload module
2017-02-11 00:20:50 +01:00
934b05e736
Land #7310 , at(1) persistence module
2016-12-22 03:33:58 -06:00
b65a62ba93
Clean up module
2016-12-22 03:33:08 -06:00
41355898fa
Remove extra def report_cred in vbulletin_vote_sqli_exec
2016-12-01 15:31:24 -06:00
f313389be4
Merge remote-tracking branch 'upstream/master' into land-7507-uuid-arch
2016-11-20 19:08:56 -06:00
8cd9a9b670
Deprecate wp_ninja_forms_unauthenticated_file_upload
...
wp_ninja_forms_unauthenticated_file_upload actually supports
multiple platforms.
Instead of using:
exploit/unix/webapp/wp_ninja_forms_unauthenticated_file_upload
Please use:
exploit/multi/http/wp_ninja_forms_unauthenticated_file_upload
2016-11-10 11:17:09 -06:00
57eabda5dc
Merge upstream/master
2016-10-29 13:54:31 +10:00
d918e25bde
Land #7439 , Add Ghostscript support to ImageMagick Exploit
2016-10-28 17:07:13 -05:00
1d617ae389
Implement first pass of architecture/platform refactor
2016-10-28 07:16:05 +10:00
1da40b5deb
Change HAVE_POPEN to USE_POPEN
...
PS target doesn't support it, so the option should be renamed.
2016-10-14 11:58:39 -05:00
acec45c8b3
Land #7409 , CVE-2013-5093 Graphite Pickle Handling - Add Version Check
2016-10-14 08:54:57 -05:00
5b46e72aea
Update module logic
2016-10-13 17:40:16 -05:00
6f4f2bfa5f
Add PS target and remove MIFF
2016-10-13 17:39:55 -05:00
e70ba8110d
Update references
2016-10-13 17:35:55 -05:00
88bb2e2295
Update description
2016-10-13 17:35:30 -05:00
7c20f20493
remove unneeded bash
2016-10-07 21:12:27 -04:00
fb0a438fdf
Perform a version check to determine exploitability for graphite pickle
2016-10-05 16:08:02 -07:00
f60d575d62
Add EOF newline back in
2016-10-04 11:14:15 -05:00
b1cb153c31
Make errors more meaningful
2016-10-03 15:29:40 -05:00
f838c9990f
Fix nonce bug in wp_ninja_forms_unauthenticated_file_upload
...
If wordpress saves the nonce value in JavaScript, we could get an
undefined method for nil.
2016-09-27 11:30:52 -05:00
e315ec4e73
Merge branch 'master' into bug/7321/fix-ssh-modules
2016-09-19 15:27:37 -05:00
3bc566a50c
fix email
2016-09-18 20:09:38 -04:00
a7103f2155
Fix missing form inputs
...
Also improve check string.
2016-09-15 19:19:24 -05:00
01327f0265
Land #7245 , NetBSD mail.local privilege escalation module
2016-09-14 16:07:12 -05:00
27be29edb4
Fix typo
2016-09-14 13:21:37 -05:00
7352029497
first round of SSL damage fixes
2016-09-13 17:42:31 -05:00
ed5bbb9885
Land #7284 , Add SugarCRM REST PHP Object Injection exploit
2016-09-13 15:46:46 -05:00
a0095ad809
Check res properly and update Ruby syntax
...
If res is nil, it should not be doing res.code
2016-09-13 15:45:57 -05:00
1ce9aedb97
parenthesis for condition expression
2016-09-13 03:37:47 -05:00
fd16c1c3b7
Fix issue-7295
2016-09-13 01:32:20 -05:00
df5fdbff41
Add module for KIS-2016-07: SugarCRM REST PHP Object Injection
...
This PR contains a module to exploit KIS-2016-07, a PHP Object Injection vulnerability in SugarCRM CE before version 6.5.24 that allows unauthenticated users to execute arbitrary PHP code with the permissions of the webserver. Successful exploitation of this vulnerability should require SugarCRM to be running on PHP before version 5.6.25 or 7.0.10, which fix CVE-2016-7124.
2016-09-07 01:58:41 +02:00
748c959cba
forgot to save before PR
2016-08-25 21:45:17 -04:00
5dff01625d
working code
2016-08-25 21:32:25 -04:00
226ded8d7e
Land #6921 , Support basic and form auth at the same time
2016-08-25 16:31:26 -05:00
f2e2cb6a5e
cant transfer file
2016-08-21 19:42:29 -04:00
6306fa5aa5
Per discussion in #7195 , trying a different route. Currently this compiles, then passes the binary. However, there isn't a reliable binary transfer method at this point, so the rewrite from this point will be to transfer the ascii file, then compile on system (gcc is installed by default I believe)
2016-08-21 19:16:04 -04:00
4228868c29
Clean up after yourself
...
Can't use FileDropper. :(
2016-08-16 23:09:14 -05:00
1f63f8f45b
Don't override payload
...
pl is a cheap replacement.
2016-08-16 23:08:53 -05:00
b3402a45f7
Add generic payloads
...
Useful for testing and custom stuff.
2016-08-16 23:08:09 -05:00
2fed51bb18
Land #7115 , Drupal CODER exploit
2016-08-15 01:15:23 -05:00
62d28f10cb
Clean up Mehmet modules
2016-08-15 01:12:58 -05:00
b4846e5793
Enabling cmd_bash payload type with bash-tcp cmd
2016-08-13 00:14:25 +03:00
d38e9f8ceb
Using # instead of ;. Semicolon is causing msg in error.log.
2016-08-12 23:35:29 +03:00
ba79579202
Extending Space limitation up to 250
2016-08-12 22:32:49 +03:00
abf435d6c2
Land #6960 , Auth bypass for Polycom HDX video endpoints
2016-08-01 14:02:50 -05:00
5309f2e4fb
endpoints, not end points
2016-08-01 14:02:17 -05:00
b34201e65c
restore session as an instance variable
2016-08-01 13:58:54 -05:00
dadafd1fdf
Use data:// instead of bogus web server and check() improvements.
2016-07-26 13:31:46 +03:00
780e83dabb
Fix for Opt params and Space limits
2016-07-22 20:48:15 +03:00
7e9c5f9011
Fix for double space and indentation
2016-07-21 20:27:52 +03:00
634ee93de4
Add Drupal CODER remote command execution
2016-07-21 20:23:54 +03:00
32f1c83c9e
Switch to single quotes
...
Might as well, since we're avoiding escaping.
2016-07-21 00:10:17 -05:00
2e631cab5b
Prefer quoting over escaping
...
Having to escape backslashes in a single-quoted string sucks.
2016-07-21 00:02:08 -05:00
c6b309d5c9
Fix drupal_restws_exec check method false positive
2016-07-20 23:28:49 -05:00
8bd6db8bd7
Land #7108 , Drupal RESTWS exploit
2016-07-20 13:49:37 -05:00
b49a847c98
Fix additional things
2016-07-20 13:49:23 -05:00
51bb950201
Avoid return where not required
2016-07-20 21:27:51 +03:00
b0a0544627
Remove random string from URI
2016-07-20 20:50:10 +03:00
ff63e6e05a
Land #7018 , unvendor net-ssh
2016-07-19 17:06:35 -05:00
089816236d
Remove double spaces and fix checkcode
2016-07-20 00:01:25 +03:00
9c8e351ba8
Use vars_get un send_request_cgi
2016-07-19 20:12:14 +03:00
ec2f8fcc71
Change check method and use meterpreter instead of unix cmd
2016-07-19 11:13:06 +03:00
650034b600
Use normalize_uri params instead of string concatenation
2016-07-19 01:01:05 +03:00
c8deb54938
Add Drupal RESTWS Remote Unauth PHP Code Exec
2016-07-18 21:32:10 +03:00
b08d1ad8d8
Revert "Land #6812 , remove broken OSVDB references"
...
This reverts commit 2b016e02167b1d9596c7
2016-07-15 12:00:31 -05:00
b6b52952f4
set ssh to non-interactive
...
have to set the non-interactive flag so that it does not
prompt the user on an incorrect password
MS-1688
2016-07-14 11:12:03 -05:00
01d0d1702b
Merge branch 'master' into feature/MS-1688/net-ssh-cleanup
2016-07-14 09:48:28 -05:00
b2c3267a2a
Land #7042 , fetch_ninja_form_nonce/wponce fix
2016-07-13 11:38:11 -05:00
f164afaef8
Land #6932 , joomla_contenthistory_sqli_rce fixes
2016-07-12 14:26:49 -05:00
310332b521
Clean up module
2016-07-12 11:17:10 -05:00
b869b890c7
Land #7090 , Add module for Tikiwiki Upload Exec
2016-07-12 11:16:50 -05:00
2471e8bc8c
Add FileDropper to cleanup properly
2016-07-12 11:16:18 -05:00
43833c8756
Fixing double normalize function call
2016-07-12 07:30:18 +03:00
2b016e0216
Land #6812 , remove broken OSVDB references
2016-07-11 22:59:11 -05:00
fc56ab6722
Fixing some coding style because of rubocop
2016-07-11 23:10:18 +03:00
e79c3ba7c0
Tiki Wiki unauth rce
2016-07-11 22:44:07 +03:00
1ecef265a1
Do a fail_with in case nonce is not found at all
2016-06-30 11:21:45 -05:00
e2b9225907
Fix #7022 , Failing to find wpnonce in fetch_ninja_form_nonce
...
This patch fixes a problem when the module is used against an older
version of ninja forms (such as 2.9.27), the nonce is found in a
hidden input instead of the JavaScript code, which actually causes
an undefined method 'gsub' bug in the module.
Fix #7022
2016-06-30 11:15:38 -05:00
3d93c55174
move sshfactory into a mixin method
...
use a convience method to DRY up creation
of the SSHFactory inside modules. This will make it easier
to apply changes as needed in future. Also changed msframework attr
to just framework as per our normal convention
MS-1688
2016-06-28 15:23:12 -05:00
6c3871bd0c
update ssh modules to use new SSHFactory
...
updated all of our SSh based module to use the
new SSHFactory class to plug Rex::Sockets into
Net::SSH
MS-1688
2016-06-24 13:55:28 -05:00
baa603b637
wvu-r7 rex sleep suggestions
2016-06-15 20:41:25 -04:00
16b4829d57
fixed socket.get issue
2016-06-09 21:36:21 -04:00
63db330a02
rubocop fixes, msftidy fixes
2016-06-09 21:03:57 -04:00
027f538300
original from EDB
2016-06-09 20:35:00 -04:00
4354b5d5d6
Changed class from Metasploit3 to MetasploitModule
2016-06-03 17:43:41 -07:00
99790e343d
Removed debug statement
2016-06-03 17:36:00 -07:00
9128ba3e57
Add popen() vuln to ImageMagick exploit
...
So... we've actually been sitting on this vuln for a while now. Now that
the cat's out of the bag [1], I'm updating the module. :)
Thanks to @hdm for his sharp eye. ;x
[1] http://permalink.gmane.org/gmane.comp.security.oss.general/19669
2016-06-02 11:35:37 -05:00
7f92088242
Revised the SQL query for the exploits/unix/webapps/joomla_content_history_sqli_rce.rb. The exploit is now working for me.
2016-06-01 09:47:32 -07:00
14adcce8bf
Missed the HTTPUSERNAME fix
2016-05-27 18:37:04 -05:00
61f9cc360b
Correct casing - should be HttpUsername and HttpPassword
2016-05-27 18:31:54 -05:00
4dcddb2399
Fix #4885 , Support basic and form auth at the same time
...
When a module uses the HttpClient mixin but registers the USERNAME
and PASSWORD datastore options in order to perform a form auth,
it ruins the ability to also perform a basic auth (sometimes it's
possible to see both). To avoid option naming conflicts, basic auth
options are now HTTPUSERNAME and HTTPPASSWORD.
Fix #4885
2016-05-27 16:25:42 -05:00
14e1baf331
Minor style changes
2016-05-25 15:39:26 -05:00
19c4d5b02b
Remove hard coded target path
2016-05-25 18:04:26 +01:00
adb8098b8c
Fix typo
2016-05-24 00:16:04 +01:00
aae7c25603
Add WordPress Ninja Forms unauthenticated file upload module
2016-05-23 23:47:41 +01:00
1bc2ec9c11
Update vulnerable versions to include 6.x (legacy)
2016-05-05 14:18:42 -05:00
26b749ff5a
Add default LHOST
...
This is a massive workaround and probably shouldn't be done. :-)
2016-05-05 14:18:42 -05:00
5c713d9f75
Set default payload
...
Land #6849 for this to be effective.
2016-05-05 14:18:42 -05:00
232cc114de
Change placeholder text to something useful
...
A la Shellshock. :)
2016-05-05 14:18:42 -05:00
f32c7ba569
Add template generation details
2016-05-05 14:18:42 -05:00
23a0517a01
Update description
2016-05-05 14:18:42 -05:00
d7b76c3ab4
Add more references
2016-05-05 14:18:42 -05:00
5c04db7a09
Add ImageMagick exploit
2016-05-05 14:18:42 -05:00
816bc91e45
Resolve #6807 , remove all OSVDB references.
...
OSVDB is no longer a vulnerability database, therefore all the
references linked to it are invalid.
Resolve #6807
2016-04-23 12:32:34 -05:00
252632a802
Use %w{} for a couple things
...
Why not? :)
2016-04-13 19:38:57 -05:00
de004d7da3
Line up some hash rockets
2016-04-13 19:32:35 -05:00
f8e4253e2f
Add telnet to RequiredCmd
...
Baffles me that cmd/unix/reverse isn't cmd/unix/reverse_telnet.
2016-04-13 18:22:28 -05:00
07ee18a62b
Do something shady with the exploit method
...
Hat tip @acammack-r7.
2016-04-13 18:15:17 -05:00
43e74fce9e
Add Exim privesc
2016-04-13 17:51:20 -05:00
1d1a495a93
Style check
2016-04-13 10:19:57 -05:00
b61175c6b4
Add Dell Kace K1000 unauthenticated remote root exploit
2016-04-12 16:15:37 +00:00
1375600780
Land #6644 , datastore validation on assignment
2016-03-17 11:16:12 -05:00
3123175ac7
use MetasploitModule as a class name
2016-03-08 14:02:44 +01:00
f703fa21d6
Revert "change Metasploit3 class names"
...
This reverts commit 666ae14259
2016-03-07 13:19:55 -06:00
44990e9721
Revert "change Metasploit4 class names"
...
This reverts commit 3da9535e22
2016-03-07 13:19:48 -06:00
3da9535e22
change Metasploit4 class names
2016-03-07 09:57:22 +01:00
666ae14259
change Metasploit3 class names
2016-03-07 09:56:58 +01:00
c7c0e12bb3
remove various module hacks for the datastore defaults not preserving types
2016-03-05 23:11:39 -06:00
3d1861b3f4
Land #6526 , integrate {peer} string into logging by default
2016-02-15 15:19:26 -06:00
12256a6423
Remove now-redundant peer
...
These all include either Msf::Exploit::Remote:Tcp or Msf::Exploit::Remote:HttpClient
2016-02-01 15:12:03 -06:00
a7cd5991ac
Add encoding of the upload path into the module
2016-01-17 22:44:41 +00:00
5660c1238b
Fix problem causing upload to fail on versions 1.2 and 1.3 of theme
2016-01-17 18:44:00 +00:00
283cf5b869
Update msftidy to catch more potential URL vs PACKETSTORM warnings
...
Fix the affected modules
2015-12-24 09:12:24 -08:00
27a6aa0be1
Fix current msftidy warnings about PACKETSTORM vs URL
2015-12-24 09:05:02 -08:00
11c1eb6c78
Raise Msf::NoCompatiblePayloadError if generate_payload_exe fails
...
Most exploits don't check nil for generate_payload_exe, they just
assume they will always have a payload. If the method returns nil,
it ends up making debugging more difficult. Instead of checking nil
one by one, we just raise.
2015-12-08 21:13:23 -06:00
16d0d53150
Update Shellshock modules, add Advantech coverage
2015-12-01 10:40:46 -06:00
b2d6458f50
Land #6129 , Joomla SQLi RCE
2015-11-20 14:30:23 -06:00
7c5d292e42
Land #6201 , chkrootkit privesc
2015-11-19 10:37:30 -06:00
657e50bb86
Clean up module
2015-11-18 12:50:57 -06:00
f86f427d54
Move Compat into Payload so that is actually used
2015-11-09 16:06:05 -06:00
2df149b0a5
Land #6189 , extraneous Content-Length fix
2015-11-06 14:36:40 -06:00
3cae7999aa
Prefer ctype over headers['Content-Type']
2015-11-06 14:36:21 -06:00
f957acf9ba
Fix Framework Rspec Failure
...
Needs to do:
include Msf::Exploit::Remote::HTTP::Wordpress
2015-11-06 13:56:05 -06:00
fb9a40f15c
Land #6103 , Add WordPress Plugin Ajax Load More Auth File Upload Vuln
2015-11-06 13:18:48 -06:00
73f630b25a
Note default.php
2015-11-06 13:18:24 -06:00
a71d7ae2ae
Land #6089 , @jvazquez-r7 Fix HTTP mixins namespaces
2015-11-05 16:56:41 -06:00
4390fda513
Remove extra Content-Length HTTP header
...
The send_request_raw already sets the header and if it's set also in the
module, Metasploit sends the header twice.
2015-11-05 14:38:06 +02:00
154fb585f4
Remove bad references (dead links)
...
These links are no longer available. They are dead links.
2015-10-27 12:41:32 -05:00
f632dd8f67
Add Joomla Content History SQLi RCE exploit module
2015-10-23 17:25:44 +07:00
997e8005ce
Fix nil http_method in php_include
2015-10-21 13:22:09 -05:00
ba75e85eb3
Add WP Ajax Load More Plugin File Upload Vuln.
2015-10-17 13:30:36 -03:00
67820f8b61
Fix Packetstorm references
2015-10-15 12:42:59 -05:00
cf9ddbb701
Update moduels using Msf::HTTP::Wordpress
2015-10-15 11:47:13 -05:00
bf9530d5ba
Land #5941 , X11 keyboard exec module
2015-10-14 11:38:47 -05:00
d67b55d195
Fix autofilter values for aggressive modules
2015-10-13 15:56:18 -07:00
dc8d1f6e6a
Small changes
2015-09-12 13:08:58 +07:00
1d492e4b25
Lots of X11 protocol changes
2015-09-06 15:55:16 +07:00
d55757350d
Use the latest credential API, no more report_auth_info
2015-09-04 03:04:14 -05:00
95b9208a63
Change recv to get_once to avoid indefinite hangs, cosmetic tweaks.
2015-09-02 10:30:19 -05:00
a81a9e0ef8
Added TIME_WAIT for GUI windows
2015-09-02 16:55:20 +07:00
cd65478d29
Land #5826 , swap ExitFunction -> EXITFUNC
2015-09-01 13:58:12 -05:00
115f409fef
change exitfunc to thread
2015-09-01 10:48:07 +02:00
3e613dc333
change exitfunc to thread
2015-09-01 10:43:45 +02:00
648c034d17
change exitfunc to thread
2015-09-01 10:42:15 +02:00
d670a62000
Land #5822 , migrate obsolete payload compatibility options
2015-08-31 15:20:20 -05:00
80a22412d9
use EXITFUNC instead of ExitFunction
2015-08-13 21:22:32 +02:00
203c231b74
Fix #5659 : Update CMD exploits payload compatibility options
2015-08-10 17:12:59 -05:00
54c5c6ea38
Another update
2015-07-29 14:31:35 -05:00
405261df4f
Land #5710 , php_wordpress_total_cache removal
...
Deprecated.
2015-07-13 18:33:12 +00:00
3feef639b9
Land #5711 , php_wordpress_optimizepress removal
...
Deprecated.
2015-07-13 18:32:37 +00:00
6e12cbf98f
Land #5712 , php_wordpress_lastpost removal
...
Deprecated.
2015-07-13 18:31:31 +00:00
dd188b1943
Land #5713 , php_wordpress_infusionsoft removal
...
Deprecated.
2015-07-13 18:31:01 +00:00
4960e64597
Remove php_wordpress_foxypress, use wp_foxypress_upload
...
Please use exploit/unix/webapp/wp_foxypress_upload instead.
2015-07-13 12:53:34 -05:00
dfbeb24a8f
Remove php_wordpress_infusionsoft, use wp_infusionsoft_upload
...
Please use exploit/unix/webapp/wp_infusionsoft_upload instead.
2015-07-13 12:51:48 -05:00
b80427aed2
Remove php_wordpress_lastpost, use wp_lastpost_exec instead.
...
Please use exploit/unix/webapp/wp_lastpost_exec instead
2015-07-13 12:49:27 -05:00
90cc3f7891
Remove php_wordpress_optimizepress, use wp_optimizepress_upload
...
Please use exploit/unix/webapp/wp_optimizepress_upload instead.
2015-07-13 12:45:39 -05:00
4177cdacd6
Remove php_wordpress_total_cache, please use wp_total_cache_exec
...
The time is up for exploit/unix/webapp/php_wordpress_total_cache,
please use exploit/unix/webapp/wp_total_cache_exec instead.
2015-07-13 12:41:29 -05:00
13a69e4011
X11 Keyboard Exec
2015-07-10 13:57:54 +07:00
afcb016814
Minor description fixups.
...
Edited modules/exploits/multi/browser/adobe_flash_pixel_bender_bof.rb
first landed in #5524 , adobe_flash_pixel_bender_bof in flash renderer .
Removed ASCII bullets since those rarely render correctly.
Edited modules/exploits/unix/webapp/wp_frontend_editor_file_upload.rb
first landed in #5252 , @espreto's module for WordPress Front-end Editor
File Upload Vuln . Fixed up some language usage, camel-cased "WordPress."
2015-06-18 13:25:39 -05:00
f279c6ca3f
Land #5252 , @espreto's module for WordPress Front-end Editor File Upload Vuln
2015-06-12 15:11:10 -05:00
9fa423464c
Fix #5224 , comma fixes
...
My fault for missing these.
2015-06-09 14:28:01 -05:00
8a69704d3e
Fix up commas
2015-06-09 14:27:35 -05:00
d31a59cd22
Fix #5224 , altered option description
2015-06-09 14:15:58 -05:00
cc8650f98a
Fix TMPPATH description
2015-06-09 14:15:18 -05:00
9c97da3b7c
Land #5224 , ProFTPD mod_copy exploit
2015-06-09 14:11:27 -05:00
5ab882a8d4
Clean up module
2015-06-09 14:10:46 -05:00
95b5ff6bea
Minor fixups on recent modules.
...
Edited modules/auxiliary/admin/http/netgear_soap_password_extractor.rb
first landed in #5301 , @m-1-k-3's aux module to extract passwords from
Netgear soap interfaces
Edited modules/auxiliary/scanner/http/influxdb_enum.rb first landed in
Edited modules/auxiliary/scanner/http/title.rb first landed in #5333 ,
HTML Title Grabber
Edited modules/exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb
first landed in #5401 , multi-platform CVE-2015-0311 - Flash uncompress()
UAF
Edited modules/exploits/unix/webapp/wp_revslider_upload_execute.rb first
landed in #5290 , Wordpress RevSlider Module
2015-05-26 17:00:10 -05:00
eeb87a3489
Polish up module
2015-05-09 14:33:41 -05:00
fe907dfe98
Fix the disclosure date
2015-05-09 10:44:28 -05:00
cb51bcc776
Land #5147 , @lightsey's exploit for CVE-2015-1592 MovableType deserialization
2015-05-09 01:56:38 -05:00
89bc405c54
Do minor code cleanup
2015-05-09 01:54:05 -05:00
134a674ef3
Land #5312 , @todb-r7's release fixes
2015-05-07 15:34:31 -05:00
f423306b6f
Various post-commit fixups
...
Edited modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb first landed
in #5150 , @wchen-r7's DOS module for CVE-2015-1635 HTTP.sys
Edited modules/auxiliary/gather/apple_safari_ftp_url_cookie_theft.rb
first landed in #5192 , @joevennix's module for Safari CVE-2015-1126
Edited modules/auxiliary/gather/java_rmi_registry.rb first landed in
Edited modules/auxiliary/gather/ssllabs_scan.rb first landed in #5016 ,
add SSL Labs scanner
Edited modules/auxiliary/scanner/http/goahead_traversal.rb first landed
in #5101 , Add Directory Traversal for GoAhead Web Server
Edited modules/auxiliary/scanner/http/owa_iis_internal_ip.rb first
landed in #5158 , OWA internal IP disclosure scanner
Edited modules/auxiliary/scanner/http/wp_mobileedition_file_read.rb
first landed in #5159 , WordPress Mobile Edition Plugin File Read Vuln
Edited modules/exploits/linux/http/multi_ncc_ping_exec.rb first landed
in #4924 , @m-1-k-3's DLink CVE-2015-1187 exploit
Edited modules/exploits/unix/webapp/wp_slideshowgallery_upload.rb first
landed in #5131 , WordPress Slideshow Upload
Edited modules/exploits/windows/local/run_as.rb first landed in #4649 ,
improve post/windows/manage/run_as and as an exploit
(These results courtesy of a delightful git alias, here:
```
cleanup-prs = !"for i in `git status | grep modules | sed
s/#.*modules/modules/`; do echo -n \"Edited $i first landed in \" && git
log --oneline --first-parent $i | tail -1 | sed 's/.*Land //' && echo
''; done"
```
So that's kind of fun.
2015-05-06 11:39:15 -05:00
94d1905fd6
Added WPVDB reference
...
Added a link to the new WPVDB article 7540 that @FireFart provided.
2015-05-06 05:41:02 -05:00
c293066198
Leverage check_version_from_custom_file in PR #5292
...
Change the 'check' code to leverage check_version_from_custom_file added to wordpress/version.rb by @FireFart in PR #5292
2015-05-06 05:41:02 -05:00
18697d8d02
Fixed the following based on feedback from @FireFart ( Thanks! )
...
- Adjusted references section
- Corrected call to normalize_uri
- Removed unnecessary require for rex/zip
2015-05-06 05:41:02 -05:00
8cb18f8afe
Initial commit of code
2015-05-06 05:41:02 -05:00
4bfb9262e6
Add exploit module for MovableType CVE-2015-1592
...
This module targets the deserialization of untrusted Storable data in
MovableType before 5.2.12 and 6.0.7. The destructive attack will
function on most installations, but will leave the webapp corrupted.
The non-destructive attack will only function on servers that have the
Object::MultiType (uncommon) and DateTime (common) Perl modules
installed in addition to MovableType.
2015-05-03 14:18:01 -05:00
b537c8ae2c
Changed fail_with output.
2015-04-26 01:28:55 -03:00
a4b4d7cf6a
Add WordPress Front-end Editor File Upload Vuln
2015-04-25 22:00:05 -03:00
ff96101dba
Land #5218 , fix #3816 , remove print_debug / DEBUG
2015-04-24 13:41:07 -05:00
7167dc1147
Land #5243 , @espreto's WordPress WPshop eCommerce File Upload exploit
2015-04-24 11:30:28 -05:00
558103b25d
Do code cleanup
2015-04-24 11:30:08 -05:00
8a8d9a26f4
Do code cleanup
2015-04-24 10:47:46 -05:00
b5223912cb
Fix check method
2015-04-24 10:41:41 -05:00
c9b4a272e3
Changed fail_with output.
2015-04-24 12:16:23 -03:00
e14c6af194
Removed double 'Calling payload'.
2015-04-24 06:26:04 -03:00
01efc97c4a
Add WordPress WPshop eCommerce File Upload.
2015-04-24 06:21:49 -03:00
5bf4c9187a
Removed double "Calling payload..."
2015-04-23 03:41:34 -03:00
844f768eee
Add WordPress InBoundio Marketing File Upload
2015-04-23 03:32:17 -03:00
92c91c76f7
Proftpd 1.3.5 Mod_Copy Command Execution
2015-04-22 01:41:16 -04:00
4224008709
Delete print_debug/vprint_debug
2015-04-21 11:14:03 -05:00
a60fe4af8e
Land #5201 , Change module wording to conform with other WP modules
2015-04-20 10:07:05 +02:00
1a32cf7fc0
Change module wording to conform with other WP modules.
2015-04-20 16:48:35 +10:00
a5583debdc
Land #5131 , WordPress Slideshow Upload
2015-04-19 23:12:26 +02:00
c1a1143377
Remove line in description and output line in fail_with
2015-04-18 15:38:42 -03:00
bba0927c7e
Land #5163 , WordPress Reflex Gallery Plugin File Upload
2015-04-17 11:26:34 +02:00
153344a1dd
fix Unkown typo
2015-04-16 23:59:28 +02:00
33cf2f1578
Added Faliure:: symbol to fail_with
2015-04-16 17:40:25 -03:00
2138325129
Add Failure:: symbol to fail_with
2015-04-16 17:15:24 -03:00
352e170624
more failure reasons
2015-04-16 22:04:11 +02:00
8c5890d506
more fixes
2015-04-16 21:56:42 +02:00
4dc402fd3c
moar fail_with's
2015-04-16 21:16:52 +02:00
0e186fa617
first fail_with fixes
2015-04-16 21:08:33 +02:00
f0d6735332
Land #5165 , version number correction
2015-04-16 12:10:12 -05:00
26f2b350d2
Land #5168 , more fail_with fixes
2015-04-16 12:04:55 -05:00
904339f0d7
Fix #5130 , Correct use of fail_with in wp_worktheflow_upload.rb
2015-04-16 10:32:50 -05:00
5c98270f4d
Fix #5137 - Correct use of fail_with
2015-04-16 09:57:02 -05:00
418d8586a5
Land #5137 (again), WordPress N-Media Website File Upload
2015-04-16 16:24:41 +02:00
7f79acb996
Land #5137 , WordPress N-Media Website File Upload
2015-04-16 16:17:20 +02:00
517ad54617
Fix the correct version in check.
2015-04-16 10:56:43 -03:00
95310dbe4f
Fix 'if' condition.
2015-04-16 10:51:36 -03:00
626a9f0508
Fix the correct version in check.
2015-04-16 10:46:08 -03:00
6ef074cd28
Fix the correct version in check
2015-04-16 10:34:34 -03:00
d9f4c7548f
Land #5136 , WordPress Creative Contact Form upload
2015-04-16 15:17:14 +02:00
84c74b8d42
use correct version number
2015-04-16 15:01:54 +02:00
ee8dc49a25
Fix wrong version in check.
2015-04-16 09:45:18 -03:00
e16cc6fa82
Fix the correct version in check.
2015-04-16 09:38:42 -03:00
dc7f161339
Add author, EDB, OSVDB and WPVDB.
2015-04-16 08:56:33 -03:00
1112a3b0ae
Add WordPress Reflex Gallery Plugin File Upload
2015-04-16 08:40:51 -03:00
William Vu
Bryan Chu
Jeffrey Martin
Gabriel Follon
HD Moore
James Lee
Christian Mehlmauer
wchen-r7
Brent Cook
OJ
dmohanty-r7
h00die
funkypickle
David Maloney
William Webb
nixawk
EgiX
h00die
Pearce Barry
Mehmet Ince
amarionette
rastating
Brendan Coles
Jon Hart
HD Moore
pyllyukko
xistence
Roberto Soares
jvazquez-r7
Tod Beardsley
Tom Sellers
John Lightsey
aushack