baa603b637
wvu-r7 rex sleep suggestions
2016-06-15 20:41:25 -04:00
16b4829d57
fixed socket.get issue
2016-06-09 21:36:21 -04:00
63db330a02
rubocop fixes, msftidy fixes
2016-06-09 21:03:57 -04:00
027f538300
original from EDB
2016-06-09 20:35:00 -04:00
4354b5d5d6
Changed class from Metasploit3 to MetasploitModule
2016-06-03 17:43:41 -07:00
99790e343d
Removed debug statement
2016-06-03 17:36:00 -07:00
9128ba3e57
Add popen() vuln to ImageMagick exploit
...
So... we've actually been sitting on this vuln for a while now. Now that
the cat's out of the bag [1], I'm updating the module. :)
Thanks to @hdm for his sharp eye. ;x
[1] http://permalink.gmane.org/gmane.comp.security.oss.general/19669
2016-06-02 11:35:37 -05:00
7f92088242
Revised the SQL query for the exploits/unix/webapps/joomla_content_history_sqli_rce.rb. The exploit is now working for me.
2016-06-01 09:47:32 -07:00
14adcce8bf
Missed the HTTPUSERNAME fix
2016-05-27 18:37:04 -05:00
61f9cc360b
Correct casing - should be HttpUsername and HttpPassword
2016-05-27 18:31:54 -05:00
4dcddb2399
Fix #4885 , Support basic and form auth at the same time
...
When a module uses the HttpClient mixin but registers the USERNAME
and PASSWORD datastore options in order to perform a form auth,
it ruins the ability to also perform a basic auth (sometimes it's
possible to see both). To avoid option naming conflicts, basic auth
options are now HTTPUSERNAME and HTTPPASSWORD.
Fix #4885
2016-05-27 16:25:42 -05:00
14e1baf331
Minor style changes
2016-05-25 15:39:26 -05:00
19c4d5b02b
Remove hard coded target path
2016-05-25 18:04:26 +01:00
adb8098b8c
Fix typo
2016-05-24 00:16:04 +01:00
aae7c25603
Add WordPress Ninja Forms unauthenticated file upload module
2016-05-23 23:47:41 +01:00
1bc2ec9c11
Update vulnerable versions to include 6.x (legacy)
2016-05-05 14:18:42 -05:00
26b749ff5a
Add default LHOST
...
This is a massive workaround and probably shouldn't be done. :-)
2016-05-05 14:18:42 -05:00
5c713d9f75
Set default payload
...
Land #6849 for this to be effective.
2016-05-05 14:18:42 -05:00
232cc114de
Change placeholder text to something useful
...
A la Shellshock. :)
2016-05-05 14:18:42 -05:00
f32c7ba569
Add template generation details
2016-05-05 14:18:42 -05:00
23a0517a01
Update description
2016-05-05 14:18:42 -05:00
d7b76c3ab4
Add more references
2016-05-05 14:18:42 -05:00
5c04db7a09
Add ImageMagick exploit
2016-05-05 14:18:42 -05:00
816bc91e45
Resolve #6807 , remove all OSVDB references.
...
OSVDB is no longer a vulnerability database, therefore all the
references linked to it are invalid.
Resolve #6807
2016-04-23 12:32:34 -05:00
252632a802
Use %w{} for a couple things
...
Why not? :)
2016-04-13 19:38:57 -05:00
de004d7da3
Line up some hash rockets
2016-04-13 19:32:35 -05:00
f8e4253e2f
Add telnet to RequiredCmd
...
Baffles me that cmd/unix/reverse isn't cmd/unix/reverse_telnet.
2016-04-13 18:22:28 -05:00
07ee18a62b
Do something shady with the exploit method
...
Hat tip @acammack-r7.
2016-04-13 18:15:17 -05:00
43e74fce9e
Add Exim privesc
2016-04-13 17:51:20 -05:00
1d1a495a93
Style check
2016-04-13 10:19:57 -05:00
b61175c6b4
Add Dell Kace K1000 unauthenticated remote root exploit
2016-04-12 16:15:37 +00:00
1375600780
Land #6644 , datastore validation on assignment
2016-03-17 11:16:12 -05:00
3123175ac7
use MetasploitModule as a class name
2016-03-08 14:02:44 +01:00
f703fa21d6
Revert "change Metasploit3 class names"
...
This reverts commit 666ae14259
2016-03-07 13:19:55 -06:00
44990e9721
Revert "change Metasploit4 class names"
...
This reverts commit 3da9535e22
2016-03-07 13:19:48 -06:00
3da9535e22
change Metasploit4 class names
2016-03-07 09:57:22 +01:00
666ae14259
change Metasploit3 class names
2016-03-07 09:56:58 +01:00
c7c0e12bb3
remove various module hacks for the datastore defaults not preserving types
2016-03-05 23:11:39 -06:00
3d1861b3f4
Land #6526 , integrate {peer} string into logging by default
2016-02-15 15:19:26 -06:00
12256a6423
Remove now-redundant peer
...
These all include either Msf::Exploit::Remote:Tcp or Msf::Exploit::Remote:HttpClient
2016-02-01 15:12:03 -06:00
a7cd5991ac
Add encoding of the upload path into the module
2016-01-17 22:44:41 +00:00
5660c1238b
Fix problem causing upload to fail on versions 1.2 and 1.3 of theme
2016-01-17 18:44:00 +00:00
283cf5b869
Update msftidy to catch more potential URL vs PACKETSTORM warnings
...
Fix the affected modules
2015-12-24 09:12:24 -08:00
27a6aa0be1
Fix current msftidy warnings about PACKETSTORM vs URL
2015-12-24 09:05:02 -08:00
11c1eb6c78
Raise Msf::NoCompatiblePayloadError if generate_payload_exe fails
...
Most exploits don't check nil for generate_payload_exe, they just
assume they will always have a payload. If the method returns nil,
it ends up making debugging more difficult. Instead of checking nil
one by one, we just raise.
2015-12-08 21:13:23 -06:00
16d0d53150
Update Shellshock modules, add Advantech coverage
2015-12-01 10:40:46 -06:00
b2d6458f50
Land #6129 , Joomla SQLi RCE
2015-11-20 14:30:23 -06:00
7c5d292e42
Land #6201 , chkrootkit privesc
2015-11-19 10:37:30 -06:00
657e50bb86
Clean up module
2015-11-18 12:50:57 -06:00
f86f427d54
Move Compat into Payload so that is actually used
2015-11-09 16:06:05 -06:00
2df149b0a5
Land #6189 , extraneous Content-Length fix
2015-11-06 14:36:40 -06:00
3cae7999aa
Prefer ctype over headers['Content-Type']
2015-11-06 14:36:21 -06:00
f957acf9ba
Fix Framework Rspec Failure
...
Needs to do:
include Msf::Exploit::Remote::HTTP::Wordpress
2015-11-06 13:56:05 -06:00
fb9a40f15c
Land #6103 , Add WordPress Plugin Ajax Load More Auth File Upload Vuln
2015-11-06 13:18:48 -06:00
73f630b25a
Note default.php
2015-11-06 13:18:24 -06:00
a71d7ae2ae
Land #6089 , @jvazquez-r7 Fix HTTP mixins namespaces
2015-11-05 16:56:41 -06:00
4390fda513
Remove extra Content-Length HTTP header
...
The send_request_raw already sets the header and if it's set also in the
module, Metasploit sends the header twice.
2015-11-05 14:38:06 +02:00
154fb585f4
Remove bad references (dead links)
...
These links are no longer available. They are dead links.
2015-10-27 12:41:32 -05:00
f632dd8f67
Add Joomla Content History SQLi RCE exploit module
2015-10-23 17:25:44 +07:00
997e8005ce
Fix nil http_method in php_include
2015-10-21 13:22:09 -05:00
ba75e85eb3
Add WP Ajax Load More Plugin File Upload Vuln.
2015-10-17 13:30:36 -03:00
67820f8b61
Fix Packetstorm references
2015-10-15 12:42:59 -05:00
cf9ddbb701
Update moduels using Msf::HTTP::Wordpress
2015-10-15 11:47:13 -05:00
bf9530d5ba
Land #5941 , X11 keyboard exec module
2015-10-14 11:38:47 -05:00
d67b55d195
Fix autofilter values for aggressive modules
2015-10-13 15:56:18 -07:00
dc8d1f6e6a
Small changes
2015-09-12 13:08:58 +07:00
1d492e4b25
Lots of X11 protocol changes
2015-09-06 15:55:16 +07:00
d55757350d
Use the latest credential API, no more report_auth_info
2015-09-04 03:04:14 -05:00
95b9208a63
Change recv to get_once to avoid indefinite hangs, cosmetic tweaks.
2015-09-02 10:30:19 -05:00
a81a9e0ef8
Added TIME_WAIT for GUI windows
2015-09-02 16:55:20 +07:00
cd65478d29
Land #5826 , swap ExitFunction -> EXITFUNC
2015-09-01 13:58:12 -05:00
115f409fef
change exitfunc to thread
2015-09-01 10:48:07 +02:00
3e613dc333
change exitfunc to thread
2015-09-01 10:43:45 +02:00
648c034d17
change exitfunc to thread
2015-09-01 10:42:15 +02:00
d670a62000
Land #5822 , migrate obsolete payload compatibility options
2015-08-31 15:20:20 -05:00
80a22412d9
use EXITFUNC instead of ExitFunction
2015-08-13 21:22:32 +02:00
203c231b74
Fix #5659 : Update CMD exploits payload compatibility options
2015-08-10 17:12:59 -05:00
54c5c6ea38
Another update
2015-07-29 14:31:35 -05:00
405261df4f
Land #5710 , php_wordpress_total_cache removal
...
Deprecated.
2015-07-13 18:33:12 +00:00
3feef639b9
Land #5711 , php_wordpress_optimizepress removal
...
Deprecated.
2015-07-13 18:32:37 +00:00
6e12cbf98f
Land #5712 , php_wordpress_lastpost removal
...
Deprecated.
2015-07-13 18:31:31 +00:00
dd188b1943
Land #5713 , php_wordpress_infusionsoft removal
...
Deprecated.
2015-07-13 18:31:01 +00:00
4960e64597
Remove php_wordpress_foxypress, use wp_foxypress_upload
...
Please use exploit/unix/webapp/wp_foxypress_upload instead.
2015-07-13 12:53:34 -05:00
dfbeb24a8f
Remove php_wordpress_infusionsoft, use wp_infusionsoft_upload
...
Please use exploit/unix/webapp/wp_infusionsoft_upload instead.
2015-07-13 12:51:48 -05:00
b80427aed2
Remove php_wordpress_lastpost, use wp_lastpost_exec instead.
...
Please use exploit/unix/webapp/wp_lastpost_exec instead
2015-07-13 12:49:27 -05:00
90cc3f7891
Remove php_wordpress_optimizepress, use wp_optimizepress_upload
...
Please use exploit/unix/webapp/wp_optimizepress_upload instead.
2015-07-13 12:45:39 -05:00
4177cdacd6
Remove php_wordpress_total_cache, please use wp_total_cache_exec
...
The time is up for exploit/unix/webapp/php_wordpress_total_cache,
please use exploit/unix/webapp/wp_total_cache_exec instead.
2015-07-13 12:41:29 -05:00
13a69e4011
X11 Keyboard Exec
2015-07-10 13:57:54 +07:00
afcb016814
Minor description fixups.
...
Edited modules/exploits/multi/browser/adobe_flash_pixel_bender_bof.rb
first landed in #5524 , adobe_flash_pixel_bender_bof in flash renderer .
Removed ASCII bullets since those rarely render correctly.
Edited modules/exploits/unix/webapp/wp_frontend_editor_file_upload.rb
first landed in #5252 , @espreto's module for WordPress Front-end Editor
File Upload Vuln . Fixed up some language usage, camel-cased "WordPress."
2015-06-18 13:25:39 -05:00
f279c6ca3f
Land #5252 , @espreto's module for WordPress Front-end Editor File Upload Vuln
2015-06-12 15:11:10 -05:00
9fa423464c
Fix #5224 , comma fixes
...
My fault for missing these.
2015-06-09 14:28:01 -05:00
8a69704d3e
Fix up commas
2015-06-09 14:27:35 -05:00
d31a59cd22
Fix #5224 , altered option description
2015-06-09 14:15:58 -05:00
cc8650f98a
Fix TMPPATH description
2015-06-09 14:15:18 -05:00
9c97da3b7c
Land #5224 , ProFTPD mod_copy exploit
2015-06-09 14:11:27 -05:00
5ab882a8d4
Clean up module
2015-06-09 14:10:46 -05:00
95b5ff6bea
Minor fixups on recent modules.
...
Edited modules/auxiliary/admin/http/netgear_soap_password_extractor.rb
first landed in #5301 , @m-1-k-3's aux module to extract passwords from
Netgear soap interfaces
Edited modules/auxiliary/scanner/http/influxdb_enum.rb first landed in
Edited modules/auxiliary/scanner/http/title.rb first landed in #5333 ,
HTML Title Grabber
Edited modules/exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb
first landed in #5401 , multi-platform CVE-2015-0311 - Flash uncompress()
UAF
Edited modules/exploits/unix/webapp/wp_revslider_upload_execute.rb first
landed in #5290 , Wordpress RevSlider Module
2015-05-26 17:00:10 -05:00
eeb87a3489
Polish up module
2015-05-09 14:33:41 -05:00
fe907dfe98
Fix the disclosure date
2015-05-09 10:44:28 -05:00
cb51bcc776
Land #5147 , @lightsey's exploit for CVE-2015-1592 MovableType deserialization
2015-05-09 01:56:38 -05:00
89bc405c54
Do minor code cleanup
2015-05-09 01:54:05 -05:00
134a674ef3
Land #5312 , @todb-r7's release fixes
2015-05-07 15:34:31 -05:00
f423306b6f
Various post-commit fixups
...
Edited modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb first landed
in #5150 , @wchen-r7's DOS module for CVE-2015-1635 HTTP.sys
Edited modules/auxiliary/gather/apple_safari_ftp_url_cookie_theft.rb
first landed in #5192 , @joevennix's module for Safari CVE-2015-1126
Edited modules/auxiliary/gather/java_rmi_registry.rb first landed in
Edited modules/auxiliary/gather/ssllabs_scan.rb first landed in #5016 ,
add SSL Labs scanner
Edited modules/auxiliary/scanner/http/goahead_traversal.rb first landed
in #5101 , Add Directory Traversal for GoAhead Web Server
Edited modules/auxiliary/scanner/http/owa_iis_internal_ip.rb first
landed in #5158 , OWA internal IP disclosure scanner
Edited modules/auxiliary/scanner/http/wp_mobileedition_file_read.rb
first landed in #5159 , WordPress Mobile Edition Plugin File Read Vuln
Edited modules/exploits/linux/http/multi_ncc_ping_exec.rb first landed
in #4924 , @m-1-k-3's DLink CVE-2015-1187 exploit
Edited modules/exploits/unix/webapp/wp_slideshowgallery_upload.rb first
landed in #5131 , WordPress Slideshow Upload
Edited modules/exploits/windows/local/run_as.rb first landed in #4649 ,
improve post/windows/manage/run_as and as an exploit
(These results courtesy of a delightful git alias, here:
```
cleanup-prs = !"for i in `git status | grep modules | sed
s/#.*modules/modules/`; do echo -n \"Edited $i first landed in \" && git
log --oneline --first-parent $i | tail -1 | sed 's/.*Land //' && echo
''; done"
```
So that's kind of fun.
2015-05-06 11:39:15 -05:00
94d1905fd6
Added WPVDB reference
...
Added a link to the new WPVDB article 7540 that @FireFart provided.
2015-05-06 05:41:02 -05:00
c293066198
Leverage check_version_from_custom_file in PR #5292
...
Change the 'check' code to leverage check_version_from_custom_file added to wordpress/version.rb by @FireFart in PR #5292
2015-05-06 05:41:02 -05:00
18697d8d02
Fixed the following based on feedback from @FireFart ( Thanks! )
...
- Adjusted references section
- Corrected call to normalize_uri
- Removed unnecessary require for rex/zip
2015-05-06 05:41:02 -05:00
8cb18f8afe
Initial commit of code
2015-05-06 05:41:02 -05:00
4bfb9262e6
Add exploit module for MovableType CVE-2015-1592
...
This module targets the deserialization of untrusted Storable data in
MovableType before 5.2.12 and 6.0.7. The destructive attack will
function on most installations, but will leave the webapp corrupted.
The non-destructive attack will only function on servers that have the
Object::MultiType (uncommon) and DateTime (common) Perl modules
installed in addition to MovableType.
2015-05-03 14:18:01 -05:00
b537c8ae2c
Changed fail_with output.
2015-04-26 01:28:55 -03:00
a4b4d7cf6a
Add WordPress Front-end Editor File Upload Vuln
2015-04-25 22:00:05 -03:00
ff96101dba
Land #5218 , fix #3816 , remove print_debug / DEBUG
2015-04-24 13:41:07 -05:00
7167dc1147
Land #5243 , @espreto's WordPress WPshop eCommerce File Upload exploit
2015-04-24 11:30:28 -05:00
558103b25d
Do code cleanup
2015-04-24 11:30:08 -05:00
8a8d9a26f4
Do code cleanup
2015-04-24 10:47:46 -05:00
b5223912cb
Fix check method
2015-04-24 10:41:41 -05:00
c9b4a272e3
Changed fail_with output.
2015-04-24 12:16:23 -03:00
e14c6af194
Removed double 'Calling payload'.
2015-04-24 06:26:04 -03:00
01efc97c4a
Add WordPress WPshop eCommerce File Upload.
2015-04-24 06:21:49 -03:00
5bf4c9187a
Removed double "Calling payload..."
2015-04-23 03:41:34 -03:00
844f768eee
Add WordPress InBoundio Marketing File Upload
2015-04-23 03:32:17 -03:00
92c91c76f7
Proftpd 1.3.5 Mod_Copy Command Execution
2015-04-22 01:41:16 -04:00
4224008709
Delete print_debug/vprint_debug
2015-04-21 11:14:03 -05:00
a60fe4af8e
Land #5201 , Change module wording to conform with other WP modules
2015-04-20 10:07:05 +02:00
1a32cf7fc0
Change module wording to conform with other WP modules.
2015-04-20 16:48:35 +10:00
a5583debdc
Land #5131 , WordPress Slideshow Upload
2015-04-19 23:12:26 +02:00
c1a1143377
Remove line in description and output line in fail_with
2015-04-18 15:38:42 -03:00
bba0927c7e
Land #5163 , WordPress Reflex Gallery Plugin File Upload
2015-04-17 11:26:34 +02:00
153344a1dd
fix Unkown typo
2015-04-16 23:59:28 +02:00
33cf2f1578
Added Faliure:: symbol to fail_with
2015-04-16 17:40:25 -03:00
2138325129
Add Failure:: symbol to fail_with
2015-04-16 17:15:24 -03:00
352e170624
more failure reasons
2015-04-16 22:04:11 +02:00
8c5890d506
more fixes
2015-04-16 21:56:42 +02:00
4dc402fd3c
moar fail_with's
2015-04-16 21:16:52 +02:00
0e186fa617
first fail_with fixes
2015-04-16 21:08:33 +02:00
f0d6735332
Land #5165 , version number correction
2015-04-16 12:10:12 -05:00
26f2b350d2
Land #5168 , more fail_with fixes
2015-04-16 12:04:55 -05:00
904339f0d7
Fix #5130 , Correct use of fail_with in wp_worktheflow_upload.rb
2015-04-16 10:32:50 -05:00
5c98270f4d
Fix #5137 - Correct use of fail_with
2015-04-16 09:57:02 -05:00
418d8586a5
Land #5137 (again), WordPress N-Media Website File Upload
2015-04-16 16:24:41 +02:00
7f79acb996
Land #5137 , WordPress N-Media Website File Upload
2015-04-16 16:17:20 +02:00
517ad54617
Fix the correct version in check.
2015-04-16 10:56:43 -03:00
95310dbe4f
Fix 'if' condition.
2015-04-16 10:51:36 -03:00
626a9f0508
Fix the correct version in check.
2015-04-16 10:46:08 -03:00
6ef074cd28
Fix the correct version in check
2015-04-16 10:34:34 -03:00
d9f4c7548f
Land #5136 , WordPress Creative Contact Form upload
2015-04-16 15:17:14 +02:00
84c74b8d42
use correct version number
2015-04-16 15:01:54 +02:00
ee8dc49a25
Fix wrong version in check.
2015-04-16 09:45:18 -03:00
e16cc6fa82
Fix the correct version in check.
2015-04-16 09:38:42 -03:00
dc7f161339
Add author, EDB, OSVDB and WPVDB.
2015-04-16 08:56:33 -03:00
1112a3b0ae
Add WordPress Reflex Gallery Plugin File Upload
2015-04-16 08:40:51 -03:00
4aa4f83372
Removed timeout 2.
2015-04-16 05:37:11 -03:00
39556c10c7
Rewrote check method.
2015-04-16 05:36:20 -03:00
ace316a54f
Added WPVDB and EDB references.
2015-04-16 05:29:21 -03:00
10c218319a
Rewrote response condition.
2015-04-16 05:26:48 -03:00
5cb9b1a44c
Removed timeout 2.
2015-04-16 05:21:59 -03:00
0e1b173d15
Renamed USER/PASSWORD to WP_USER/WP_PASSWORD.
2015-04-16 05:11:56 -03:00
13ded8abe7
Added WPVDB.
2015-04-16 05:08:45 -03:00
64923ffdc2
Fixed plugin name in check method
2015-04-16 05:06:36 -03:00
e9212c4d6b
wordpress_url_admin_ajax intead of wordpress_url_backend
2015-04-16 04:53:05 -03:00
81d898fd7e
Rewrote check code.
2015-04-16 04:51:40 -03:00
aeb0484889
Removed timeout 2.
2015-04-16 04:48:00 -03:00
e6e9c173e3
Rewrote res conditions.
2015-04-16 04:43:34 -03:00
d11db4edc7
Rewrote check code.
2015-04-16 04:37:30 -03:00
f13d31c7c2
Added WPVDB.
2015-04-16 04:31:23 -03:00
cccda4e851
Removed unnecessary line.
2015-04-16 04:27:15 -03:00
d3a6de761d
Removed timeout 2.
2015-04-16 04:09:02 -03:00
1249f29ee8
Add JSON::ParserError exception handler.
2015-04-16 04:03:54 -03:00
a09e643a71
Add author, URL, WPVDB and disclosure date.
2015-04-13 22:54:05 -03:00
271a81778e
Add Module WP N-Media Website Contact Form Upload
2015-04-13 22:48:34 -03:00
7f10fb5bf0
Fix disclosure date
2015-04-13 18:53:20 -03:00
e94ca0bdd1
Add EDB, OSVDB and author.
2015-04-13 18:42:17 -03:00
d5d975c450
Add Module WordPress Creative Contact Form Upload
2015-04-13 18:38:43 -03:00
7b57496501
Fix typo and add email addr.
2015-04-13 04:12:32 -03:00
abee3f17c4
Add author, CVE and EDB references
2015-04-13 04:08:34 -03:00
58c4042321
Add Module WP Slideshow Gallery Shell Upload
2015-04-13 03:56:59 -03:00
2d1f8c510e
Add author and references
2015-04-12 21:21:49 -03:00
9f06cee53d
Add Module WordPress WorkTheFlow Shell Upload
2015-04-12 21:09:44 -03:00
49a6057f74
Grammaring harder
2015-03-24 11:10:36 -05:00
fadac30f00
Fix deprecated year
2015-03-24 00:34:38 -05:00
e338b77389
Readd and deprecate renamed WordPress modules
2015-03-23 23:48:56 -05:00
b191f92713
Renamed WordPress files to fit majority naming convention.
2015-03-23 18:15:04 +11:00
5dd718e4fa
Better description
2015-03-18 09:51:51 +01:00
00de437918
Initial commit
2015-03-18 09:45:08 +01:00
7d42dcee9c
Land #4769 , Wordpress holding-pattern theme file upload
2015-02-21 23:13:06 +01:00
708340ec5a
Tidy up various bits of code
2015-02-21 12:53:33 +00:00
76a64b31d7
Resolve msftidy issues
2015-02-21 01:41:29 +00:00
7d30b214ee
Add WordPress admin shell upload module
2015-02-21 01:31:33 +00:00
6370c99755
Avoid version numbers in titles
2015-02-17 10:28:56 -06:00
62a679ebb8
Avoid version numbers in titles
...
Usually, the versions are more of a range, and nearly always, the module
author never truly knows where the ranges are bounded. It's okay to
clarify in the description.
2015-02-17 10:26:40 -06:00
40c92f5fe3
Add URL reference
2015-02-14 13:09:37 +00:00
4dce589bbe
Add WordPress Holding Pattern file upload module
2015-02-14 12:54:03 +00:00
55f57e0b9b
Land #4746 , WordPress photo-gallery exploit
2015-02-12 22:24:12 +01:00
bce7211f86
added url and randomize upload directory
2015-02-12 22:16:37 +01:00
155651e187
Make filename shorter
2015-02-12 11:45:51 -06:00
95bfe7a7de
Do minor cleanup
2015-02-12 11:45:51 -06:00
30f310321d
Added CVE reference
2015-02-12 11:45:51 -06:00
38ad960640
Add Maarch LetterBox file upload module
2015-02-12 11:45:51 -06:00
cb1efa3edd
Improved error handling, tidied up some code
2015-02-11 10:16:18 +00:00
80a086d5f6
Add WordPress Photo Gallery upload module
2015-02-11 01:03:51 +00:00
6d46182c2f
Land #4570 , @rastating 's module for wp-easycart
2015-02-07 23:42:23 +01:00
f2b834cebe
remove check because the vuln is unpatched
2015-02-07 23:38:44 +01:00
d2421a2d75
wrong version
2015-02-07 23:34:19 +01:00
56d2bc5adb
correct version number
2015-02-07 23:22:43 +01:00
345d5c5c08
Update version numbers to reflect latest release
2015-02-07 19:09:16 +00:00
1ea4a326c1
Land #4656 , @nanomebia's fixes for sugarcrm_unserialize_exec
2015-02-06 16:42:01 -06:00
e511f72ab4
Delete final check
...
* A session is the best proof of success
2015-02-06 16:34:34 -06:00
c633c710bc
Mostly caps/grammar/spelling, GoodRanking on MBAM
2015-02-05 12:36:47 -06:00
c0e1440572
Land #4685 , @FireFart's module for Wordpress Platform Theme RCE
2015-02-03 17:35:59 -06:00
28f303d431
Decrease timeout
2015-02-03 17:33:29 -06:00
a1c157a4db
Land #4609 , @h0ng10's module for Wordpress Pixabay Images PHP Code Upload
2015-02-03 17:01:32 -06:00
eebee7c066
Do better session creation handling
2015-02-03 17:00:37 -06:00
4ca4fd1be2
Allow to provide the traversal depth
2015-02-03 16:38:40 -06:00
e62a5a4fff
Make the calling payload code easier
2015-02-03 16:23:04 -06:00
61cdb5dfc9
Change filename
2015-02-03 16:13:10 -06:00
82be43ea58
Do minor cleanup
2015-02-03 16:07:27 -06:00
2c956c0a0f
add wordpress platform theme rce
2015-01-31 22:02:44 +01:00
d04fd3b978
Fixing Indentation
...
Small indentation fix
2015-01-29 13:03:19 +08:00
af90c6482b
Sanity Changes
...
Reverted failure behaviour on line 70
Removed a space that prevented line 98 from working as intended
2015-01-28 18:40:43 +08:00
27c412341f
Syntax Changes
...
Cleaned up this statement a tiny bit
2015-01-28 18:34:19 +08:00
fc3094ec9b
Syntax changes
...
Fixed some more syntax - failures
2015-01-28 18:30:21 +08:00
321eb452c5
Syntax Fixes
...
Fixed some or's to || - and's to &&.
Fixed failure if statement (fails using fail_with())
Fixed nested else (now and elsif)
Changed final execute logic - checks for success rather than failure.
2015-01-28 18:08:15 +08:00
fefc3d088c
Cookie fix and success display
...
Added handling for if the server doesn't correctly assign a cookie using
Set-Cookie by changing the regex and doing an additional check. Also
fixed the success display - changed the if statement to match others in
this module and fixed the text output based on server response.
2015-01-28 17:11:05 +08:00
bae19405a7
Various grammar, spelling, word choice fixes
2015-01-26 11:00:07 -06:00
419fa93897
Add OSVDB and WPScan references
2015-01-23 09:27:42 +01:00
dfbbc79e0d
make retries a datastore option
2015-01-23 09:23:09 +01:00
11bf58e548
Use metasploit methods
2015-01-23 08:48:52 +01:00
9d3397901b
Correct version numbers and code tidy up
2015-01-19 20:59:46 +00:00
5813c639d1
Initial commit
2015-01-19 17:23:48 +01:00
8a89b3be28
Cleanup of various bits of code
2015-01-13 22:20:40 +00:00
8246f4e0bb
Add ability to use both WP and EC attack vectors
2015-01-12 23:30:59 +00:00
e6f6acece9
Add a date hash to the post data
2015-01-12 21:21:50 +00:00
ea37e2e198
Add WP EasyCart file upload exploit module
2015-01-10 21:05:02 +00:00
d4d1a53533
fix invalid url
2015-01-09 21:57:52 +01:00
82e6183136
Add Msf::Exploit::FileDropper mixin
2015-01-08 21:07:00 +00:00
93dc90d9d3
Tidied up some code with existing mixins
2015-01-08 20:53:56 +00:00
7b92c6c2df
Add WP Symposium Shell Upload module
2015-01-07 22:02:39 +00:00
44dfa746eb
Resolve #4513 - Change #inspect to #to_s
...
Resolve #4513
2015-01-05 11:50:51 -06:00
b5b0be9001
Do minor cleanup
2014-12-26 11:24:02 -06:00
5c82b8a827
Add ProjectSend Arbitrary File Upload module
2014-12-23 10:53:03 +00:00
d3050de862
Remove references to Redmine in code
...
See #4400 . This should be all of them, except for, of course, the module
that targets Redmine itself.
Note that this also updates the README.md with more current information
as well.
2014-12-19 17:27:08 -06:00
025c0771f8
Have exploit call check. Have check report_vuln
2014-12-15 09:53:11 -08:00
f521e7d234
Use newer Ruby hash syntax
2014-12-15 09:17:32 -08:00
c93dc04a52
Resolve address before storing the working cred
2014-12-15 09:11:12 -08:00
5ca8f187b3
Merge remote-tracking branch 'upstream/pr/4328' into temp
2014-12-15 08:15:51 -08:00
4530066187
return nil
2014-12-15 01:04:39 +11:00
55d9e9cff6
Use list of potential analytics hosts
2014-12-14 23:15:41 +11:00
008c33ff51
Fix description
2014-12-12 13:36:28 -06:00
81460198b0
Add openssl payload to distcc exploit
...
This is required to test #4274
2014-12-12 13:25:55 -06:00
b334e7e0c6
Land #4322 , @FireFart's wordpress exploit for download-manager plugin
2014-12-12 12:41:59 -06:00
aaed7fe957
Make the timeout for the calling payload request lower
2014-12-12 12:41:06 -06:00
00f66b6050
Correct named captures
2014-12-12 10:22:14 -08:00
98dca6161c
Delete unused variable
2014-12-12 12:03:32 -06:00
810bf598b1
Use fail_with
2014-12-12 12:03:12 -06:00
1e6bbc5be8
Use blank?
2014-12-12 09:51:08 -08:00
4f3ac430aa
Land #4341 , @EgiX's module for tuleap PHP Unserialize CVE-2014-8791
2014-12-12 11:48:25 -06:00
64f529dcb0
Modify default timeout for the exploiting request
2014-12-12 11:47:49 -06:00
24f1b916e0
Minor ruby style cleanup
2014-12-12 09:47:35 -08:00
1d1aa5838f
Use Gem::Version to compare versions in check
2014-12-12 09:47:01 -08:00
d01a07b1c7
Add requirement to description
2014-12-12 11:42:45 -06:00
fd09b5c2f6
Fix title
2014-12-12 10:52:18 -06:00
4871228816
Do minor cleanup
2014-12-12 10:52:06 -06:00
544f75e7be
fix invalid URI scheme, closes #4362
2014-12-11 23:34:10 +01:00
245b76477e
Fix issue with execution of perl due to gsub not matching across newlines
2014-12-10 21:38:04 +00:00
700ccc71e7
Create tuleap_unserialize_exec.rb
2014-12-09 10:15:46 +01:00
42744e5650
Add actualanalyzer_ant_cookie_exec exploit
2014-12-06 19:09:20 +00:00
5ea062bb9c
fix bug
2014-12-05 11:30:45 +01:00
55b8d6720d
add wordpress download-manager exploit
2014-12-05 11:17:54 +01:00
6b4eb9a8e2
Differentiate failed binds from connects, closes #4169
...
This change adds two new Rex exceptions and changes the local comm to raise the right one depending on the circumstances. The problem with the existing model is
that failed binds and failed connections both raised the same exception. This change is backwards compatible with modules that rescue Rex::AddressInUse in additi
on to Rex::ConnectionError. There were two corner cases that rescued Rex::AddressInUse specifically:
1. The 'r'-services mixin and modules caught the old exception when handling bind errors. These have been updated to use BindFailed
2. The meterpreter client had a catch for the old exception when the socket reports a bad destination (usually a network connection dropped). This has been updat
ed to use InvalidDestination as that was the intention prior to this change.
Since AddressInUse was part of ConnectionError, modules and mixins which caught both in the same rescue have been updated to just catch ConnectionError.
2014-11-11 14:59:41 -06:00
51b96cb85b
Cosmetic title/desc updates
2014-11-03 13:37:45 -06:00
b7a1722b46
Pass msftidy, more descriptive name and description
2014-10-30 22:14:18 -05:00
64a59e805c
Fix a simple typo
2014-10-29 12:40:24 -04:00
1bf1be0e46
Updated to module based feedback from wchen-r7
2014-10-29 11:42:07 -04:00
9021e4dae6
Xerox Workcentre firmware injection exploit
2014-10-28 11:15:43 -04:00
c77a0984bd
Land #3989 , @us3r777's exploit for CVE-2014-7228, Joomla Update unserialize
...
the commit.
empty message aborts
2014-10-20 13:39:08 -05:00
4e6f61766d
Change module filename
2014-10-20 13:31:22 -05:00
e202bc10f0
Fix title
2014-10-20 13:30:44 -05:00
f07c5de711
Do code cleanup
2014-10-20 13:27:48 -05:00
052a9fec86
Delete return
2014-10-20 10:52:33 -05:00
199f6eba76
Fix check method
2014-10-20 10:46:40 -05:00
16101612a4
Some changes to use primer
...
Follow wiki How-to-write-a-module-using-HttpServer-and-HttpClient
2014-10-20 17:26:16 +02:00
1e143fa300
Removed unused variables
2014-10-20 16:58:41 +02:00
35d3bbf74d
Fix up comment splats with the correct URI
...
See the complaint on #4039 . This doesn't fix that particular
issue (it's somewhat unrelated), but does solve around
a file parsing problem reported by @void-in
2014-10-17 11:47:33 -05:00
b1223165d4
Trivial grammar fixes
2014-10-14 12:00:50 -05:00
444b01c4b0
Typo + shorten php serialized object
2014-10-12 21:29:04 +02:00
2428688565
CVE-2014-7228 Joomla/Akeeba Kickstart RCE
...
Exploit via serialiazed PHP object injection. The Joomla! must be
updating more precisely, the file $JOOMLA_WEBROOT/administrator/
components/com_joomlaupdate/restoration.php must be present
2014-10-09 18:51:24 +02:00
1584c4781c
Add reference
2014-10-09 06:58:15 +02:00
4f96d88a2f
Land #3949 , @us3r777's exploit for CVE-2014-6446, wordpress infusionsoft plugin php upload
2014-10-08 16:35:49 -05:00
66a8e7481b
Fix description
2014-10-08 16:35:14 -05:00
8ba8402be3
Update timeout
2014-10-08 16:32:05 -05:00
bbf180997a
Do minor cleanup
2014-10-08 16:29:11 -05:00
03888bc97b
Change the check function
...
Use regex based detection
2014-10-06 18:56:01 +02:00
29111c516c
Wordpress Infusionsoft Gravity Forms CVE-2014-6446
...
The Infusionsoft Gravity Forms plugin 1.5.3 through 1.5.10 for
WordPress does not properly restrict access, which allows remote
attackers to upload arbitrary files and execute arbitrary PHP
code via a request to utilities/code_generator.php.
2014-10-06 14:10:01 +02:00
f45b89503d
change WPVULNDBID to WPVDB
2014-10-03 17:13:18 +02:00
33b37727c7
Added wpvulndb links
2014-10-02 23:03:31 +02:00
df44dfb01a
Add OSVDB and EDB references to Shellshock modules
2014-09-29 21:39:07 -05:00
6e2d297e0c
Credit the original vuln discoverer
2014-09-26 13:45:09 -05:00
a4bc17ef89
deregister options needed for exploitation
2014-09-26 10:15:46 -05:00
54e6763990
Add injection to HOSTNAME and URL
2014-09-26 10:13:24 -05:00
86f85a356d
Add DHCP server module for CVE-2014-6271
2014-09-26 01:24:42 -05:00
9acccfe9ba
Fix description
2014-09-19 17:18:59 -05:00
d826132f87
Delete CVE, add EDB
2014-09-19 17:16:03 -05:00
7afbec9d6c
Land #2890 , @Ahmed-Elhady-Mohamed module for OSVDB 93034
2014-09-19 17:12:49 -05:00
1fa5c8c00c
Add check method
2014-09-19 17:11:16 -05:00
ce0b00bb0b
Change module location and filename
2014-09-19 16:59:35 -05:00
c73ec66c7a
Land #3659 - Add HybridAuth install.php PHP Code Execution
2014-08-19 17:19:01 -05:00
564431fd41
Use arrays in refs for consistency
2014-08-18 18:54:54 +00:00
cad281494f
Minor caps, grammar, desc fixes
2014-08-18 13:35:34 -05:00
b8b2e3edff
Add HybridAuth install.php PHP Code Execution module
2014-08-16 23:31:46 +00:00
4ff73a1467
Add version build check
2014-08-13 09:53:43 +02:00
3440f82b2e
Minor description adjustment
2014-08-12 22:18:59 +02:00
9e38ffb797
Add the check for the manual payload setting
2014-08-12 21:55:42 +02:00
5b6be55c50
Fix (properly) 'execute_command()' missing 'opts' parameter
2014-08-12 19:49:27 +02:00
3af17ffad0
Fixed 'execute_command()' missing 'opts' parameter
2014-08-12 19:24:24 +02:00
f71589f534
Simplify payload upload using 'CmdStager' mixin
2014-08-12 10:49:17 +02:00
cc5770558d
Remove local payload saving used for debugging
2014-08-11 19:16:14 +02:00
4790b18424
Use FileDropper mixin to delete uploaded file
2014-08-11 19:02:09 +02:00
ac526ca9bd
Fix print_* to vprint_* in check method
2014-08-11 18:58:11 +02:00
4b4b24b79d
Fix errors printing
2014-08-11 18:54:43 +02:00
c97cd75beb
Rephrase 'Author' section
2014-08-11 18:52:21 +02:00
0138f3648d
Add VMTurbo Operations Manager 'vmtadmin.cgi' Remote Command Execution module.
2014-08-11 16:57:39 +02:00
a79eec84ac
Land #3584 , @FireFart's update for wp_asset_manager_upload_exec
2014-07-30 10:28:51 -05:00
9de8297848
Use [] for References
2014-07-30 10:28:00 -05:00
58fbb0b421
Use [] for References
2014-07-30 10:24:14 -05:00
75057b5df3
Fixed variable
2014-07-29 21:02:15 +02:00
cc3285fa57
Updated checkcode
2014-07-29 20:53:54 +02:00
61ab88b2c5
Updated wp_asset_manager_upload_exec module
2014-07-29 20:53:18 +02:00
e438c140ab
Updated wp_property_upload_exec module
2014-07-29 20:34:34 +02:00
621e85a32d
Correct version
2014-07-28 22:45:04 +02:00
d334797116
Updated foxpress module
2014-07-28 22:23:22 +02:00
79fe342688
Land #3558 , @FireFart's improvements to wordpress mixin
2014-07-28 09:52:20 -05:00
a6479a77d6
Implented feedback from @jhart-r7
2014-07-22 19:49:58 +02:00
baff003ecc
extracted check version to module
...
also added some wordpress specs and applied
rubocop
2014-07-22 17:02:35 +02:00
6048f21875
Land #3552 - Correct DbVisualizer title name
2014-07-21 13:07:33 -05:00
a41768fd7d
Correct DbVisualizer title name
...
I think "DbVis Software" is the name of the company and the product
itself is called DbVisualizer.
Also fixed the description on the WPTouch module.
2014-07-21 12:35:01 -05:00
a809c9e0b5
Changed to vprint and added comment
2014-07-18 22:15:56 +02:00
c6e129c622
Fix rubocop warnings
2014-07-18 21:58:33 +02:00
ff6c8bd5de
Land #3479 , broken sock.get fix
2014-07-16 14:57:32 -05:00
c1f612b82a
Use vprint_ instead of print_
2014-07-15 06:58:33 +02:00
144c6aecba
Added WPTouch fileupload exploit
2014-07-14 21:35:18 +02:00
8937fbb2f5
Fix email format
2014-07-11 12:45:23 -05:00
9fef2ca0f3
Description/whitespace changes (minor)
...
Four modules updated for the weekly release with minor cosmetic fixes.
- [ ] See all affected modules still load.
- [ ] See all affected modules have expected `info`
2014-07-07 12:39:05 -05:00
d5843f8eaf
Updated Mailpoet exploit to work with another version
2014-07-06 10:53:40 +02:00
cf5d29c53b
Add EOF newline to satisfy msftidy
2014-07-05 13:51:12 -05:00
6d9bf83ded
Small fixes for the recent WP MailPoet module
...
Correct casing in the title
Anchor the use of ::File
Force body.to_s since it can be nil in corner cases
2014-07-05 13:17:23 -05:00
2efa3d6bc0
Land #3487 , @FireFart's exploit for WordPress MailPoet file upload
2014-07-03 14:34:58 -05:00
97a6b298a8
Use print_warning
2014-07-03 13:38:20 -05:00
dcba357ec3
implement feedback
2014-07-03 20:27:08 +02:00
aeb4fff796
Added FileDropper
2014-07-03 19:25:31 +02:00
071f236946
Changed check method
2014-07-02 22:31:02 +02:00
a58ff816c5
Changed check method
2014-07-02 22:29:00 +02:00
h00die
amarionette
William Vu
wchen-r7
rastating
Brendan Coles
James Lee
Christian Mehlmauer
Brent Cook
Jon Hart
HD Moore
dmohanty-r7
pyllyukko
xistence
Roberto Soares
jvazquez-r7
Tod Beardsley
Tom Sellers
John Lightsey
aushack
Hans-Martin Münch (h0ng10)
Nanomebia
Marc Wickenden
EgiX
Deral Heiland
us3r777
URI Assassin
Emilio Pinna