Commit Graph

565 Commits (c070108da6444fbaa76ba3cac24974f9693c869f)

Author SHA1 Message Date
jvazquez-r7 2086c51b67 Add module for Joomla Upload Exploit in the wild 2013-08-13 16:27:27 -05:00
jvazquez-r7 567873f3cc Use normalize_uri a little better 2013-08-08 15:12:51 -05:00
jvazquez-r7 40a61ec654 Do minor cleanup 2013-08-08 14:47:46 -05:00
Charlie Eriksen 28b36ea29b Removing a space at EOL I missed. 2013-08-08 14:30:53 -04:00
Charlie Eriksen 1c6e994fe8 Adding improvements based on Juan's feedback 2013-08-08 14:29:35 -04:00
root 3a24765585 Adding CVE ID 2013-08-07 18:11:43 -04:00
root 7412981138 Adding an OSVDB reference 2013-08-07 07:15:00 -04:00
root 36bab2fdfa Adding a space between init and check 2013-08-06 16:14:21 -04:00
root be683d5dc6 Fixing the TARGETURI variable, adding check 2013-08-06 16:13:44 -04:00
root a745ec8fa6 Adding reference 2013-08-06 14:43:25 -04:00
root cfd5f29220 Fixing the use of APIKEY, which is not needed 2013-08-06 14:10:48 -04:00
root 69a86b60e2 Added initial squash RCE exploit 2013-08-06 14:00:17 -04:00
Tod Beardsley 7e539332db Reverting disaster merge to 593363c5f with diff
There was a disaster of a merge at 6f37cf22eb that is particularly
difficult to untangle (it was a bad merge from a long-running local
branch).

What this commit does is simulate a hard reset, by doing thing:

 git checkout -b reset-hard-ohmu
 git reset --hard 593363c5f9
 git checkout upstream-master
 git checkout -b revert-via-diff
 git diff --no-prefix upstream-master..reset-hard-ohmy > patch
 patch -p0 < patch

Since there was one binary change, also did this:

 git checkout upstream-master data/exploits/CVE-2012-1535/Main.swf

Now we have one commit that puts everything back. It screws up
file-level history a little, but it's at least at a point where we can
move on with our lives. Sorry.
2013-07-29 21:47:52 -05:00
jvazquez-r7 3a8856ae7f Apply review to spip_connect_exec 2013-07-15 09:44:05 -05:00
jvazquez-r7 bc44d42888 Move module to unix/webapps 2013-07-15 09:43:28 -05:00
jvazquez-r7 64b2f3f7a0 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-07-08 16:55:39 -05:00
Tod Beardsley 8d7396d60a Minor description changes on new modules 2013-07-08 16:24:40 -05:00
jvazquez-r7 6e44cb56bf Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-07-03 12:44:47 -05:00
jvazquez-r7 f3f3a8239e Land #2043, @ricardojba exploit for InstantCMS 2013-07-03 12:11:30 -05:00
jvazquez-r7 c07e65d16e Improve and clean instantcms_exec 2013-07-03 11:37:57 -05:00
Ricardo Almeida dd876008f9 Update instantcms_exec.rb 2013-07-02 17:26:14 +01:00
jvazquez-r7 72f19181d1 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-07-01 16:38:19 -05:00
Ricardo Almeida dafa333e57 Update instantcms_exec.rb 2013-07-01 22:03:37 +01:00
Tod Beardsley bc24f99f8d Various description and title updates 2013-07-01 15:37:37 -05:00
Ricardo Almeida 760133d878 Error on line 60 2013-07-01 12:04:03 -04:00
Ricardo Almeida 4cd08966ff added InstantCMS 1.6 PHP Code Injection 2013-07-01 11:44:47 -04:00
jvazquez-r7 0ff1cd24a9 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-06-30 10:03:30 -05:00
jvazquez-r7 867eed7957 Make msftidy happy 2013-06-30 10:01:40 -05:00
jvazquez-r7 db00599d44 Move carberp_backdoor_exec to unix webapp exploits foler 2013-06-30 10:00:14 -05:00
jvazquez-r7 90b30dc317 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-06-26 14:31:52 -05:00
Steve Tornio 6ea622c45e reference updates 2013-06-26 09:44:56 -05:00
jvazquez-r7 0c306260be Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-06-25 09:13:01 -05:00
sinn3r 4df943d1a2 CVE and OSVDB update 2013-06-25 02:06:20 -05:00
jvazquez-r7 31fcb911f2 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-06-23 21:41:10 -05:00
sinn3r 5b0092ff39 Land #2006 - Ref updates 2013-06-23 18:26:48 -05:00
jvazquez-r7 345773592f Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-06-22 13:54:47 -05:00
Steve Tornio 14850cd387 reference updates for multiple modules 2013-06-22 07:28:04 -05:00
sinn3r 339f2a5c83 Hmmm, one extra ',' 2013-06-21 21:29:17 -05:00
sinn3r 8d422c9a39 Forgot to randomize the fake pass and remove the payload during testing 2013-06-21 21:27:11 -05:00
sinn3r e7d75d6d16 Add OSVDB-94038: ZPanel htpasswd Module Username Command Execution 2013-06-21 21:03:10 -05:00
jvazquez-r7 fc7670fa5f Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-06-19 23:16:04 -05:00
jvazquez-r7 494ee160af Fix indent 2013-06-19 23:12:12 -05:00
jvazquez-r7 2d99c46414 Land #1990, @wchen-r7's exploit for Libretto CMS 2013-06-19 23:11:34 -05:00
sinn3r 079477c57d Commit final version 2013-06-19 20:35:24 -05:00
jvazquez-r7 869438cb73 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-06-19 19:57:40 -05:00
sinn3r 62b23bc594 Initial (incomplete) commit 2013-06-19 16:59:15 -05:00
James Lee 81b4efcdb8 Fix requires for PhpEXE
And incidentally fix some msftidy complaints
2013-06-19 16:27:59 -05:00
jvazquez-r7 6d1101b65b Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-06-19 12:14:53 -05:00
sinn3r d347be35e9 Land #1986 - Restores MoinMoin during exploitation 2013-06-19 12:14:10 -05:00
jvazquez-r7 a894dc83c2 Try restore also at exploiting time 2013-06-19 11:35:52 -05:00
sinn3r 7b0977f897 Change base path 2013-06-19 11:33:45 -05:00
sinn3r f0c81ed3cc Correct disclosure date 2013-06-19 03:00:32 -05:00
sinn3r 67593d6ef4 Eh, PHP, not "php" 2013-06-19 02:34:49 -05:00
sinn3r 9c3bd12613 If I can't write, I want to know.
It's possible that the upload directory doesn't allow write, the
module should be aware of that.  Other reasons may be possible.
2013-06-19 02:32:30 -05:00
sinn3r 19d868748d Final version 2013-06-19 02:21:01 -05:00
sinn3r 5c1822ea17 Initial commit for havalite module 2013-06-18 19:00:42 -05:00
jvazquez-r7 2b46828d9c Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-06-18 08:27:18 -05:00
sinn3r 3223ea799c An invalid WritablePage option can result the same message as well. 2013-06-17 22:30:44 -05:00
jvazquez-r7 044bd2101f Authenticate against the page to modify 2013-06-17 20:34:02 -05:00
jvazquez-r7 0bd6ca2a6a Add module for CVE-2012-6081 2013-06-17 16:13:55 -05:00
jvazquez-r7 0f3b13e21d up to date 2013-05-16 15:02:41 -05:00
h0ng10 ccef6e12d2 changed to array in array 2013-05-16 19:03:47 +02:00
h0ng10 460542506d changed to array 2013-05-16 19:01:20 +02:00
jvazquez-r7 a7e4ba5015 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-04-30 08:32:24 -05:00
Tod Beardsley 60e0cfb17b Trivial description cleanup 2013-04-29 14:11:20 -05:00
jvazquez-r7 a4632b773a Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-04-28 12:59:16 -05:00
sinn3r 6c76bee02f Trying to make the description sound smoother 2013-04-26 16:02:28 -05:00
jvazquez-r7 9b5e96b66f Fix @jlee-r7's feedback 2013-04-25 14:53:09 -05:00
jvazquez-r7 52b721c334 Update description 2013-04-25 14:47:35 -05:00
jvazquez-r7 84e9f80ffa Add check for WP-Super-Cache 2013-04-25 14:43:16 -05:00
jvazquez-r7 15c8d92148 Fix version checked and add reference 2013-04-25 12:48:36 -05:00
jvazquez-r7 7d317e5933 Switch from post to get on check 2013-04-25 07:51:28 -05:00
jvazquez-r7 d55faa14d3 Add check function 2013-04-25 07:44:37 -05:00
jvazquez-r7 51fd07a145 Add BID reference 2013-04-24 21:48:05 -05:00
jvazquez-r7 378c2079a2 Add hdm also as author 2013-04-24 17:37:29 -05:00
jvazquez-r7 b816dd569c Update description 2013-04-24 17:34:25 -05:00
jvazquez-r7 573e880a62 Use the correct post id when posting 2013-04-24 17:30:24 -05:00
jvazquez-r7 ded0269ba0 Add POST ID bruteforcing capabality 2013-04-24 17:21:36 -05:00
jvazquez-r7 fca4c3b8b2 Add sha1 sum check to allow execution 2013-04-24 16:10:49 -05:00
jvazquez-r7 d2e29b846c Add module for Wordpress Total Cache PHP Injection 2013-04-24 15:29:40 -05:00
jvazquez-r7 787f8cc32f up to date 2013-03-26 12:18:53 +01:00
jvazquez-r7 1d95abc458 cleanup for joomla_comjce_imgmanager 2013-03-26 12:02:39 +01:00
jvazquez-r7 9b3bbd577f module moved to unix webapps 2013-03-26 12:02:08 +01:00
jvazquez-r7 c151d867dc up to date 2013-03-12 17:04:27 +01:00
jvazquez-r7 6603dcd652 up to date 2013-03-12 17:04:13 +01:00
jvazquez-r7 5a70314f55 up to date 2013-03-12 16:57:48 +01:00
jvazquez-r7 15742c49cb up to date 2013-03-12 16:57:48 +01:00
Patrick Webster 1c3aa97bf8 Added Lotus Protector exploit module. 2013-03-12 16:57:47 +01:00
jvazquez-r7 4852f1b9f7 modify exploits to be compatible with the new netcat payloads 2013-03-11 18:35:44 +01:00
James Lee 2160718250 Fix file header comment
[See #1555]
2013-03-07 17:53:19 -06:00
David Maloney c290bc565e Merge branch 'master' into feature/http/authv2 2013-02-28 14:33:44 -06:00
David Maloney 0ae489b37b last of revert-merge snaffu 2013-02-19 23:16:46 -06:00
jvazquez-r7 6b1bb9e1e8 Added module for OSVDB 90222 2013-02-16 13:11:46 +01:00
Tod Beardsley 8ddc19e842 Unmerge #1476 and #1444
In that order. #1476 was an attempt to salvage the functionality, but
sinn3r found some more bugs. So, undoing that, and undoing #1444 as
well.

First, do no harm. It's obvious we cannot be making sweeping changes in
libraries like this without a minimum of testing available. #1478 starts
to address that, by the way.

FixRM #7752
2013-02-11 20:49:55 -06:00
David Maloney 8d013d1034 Merge branch 'master' into http/auth_methods 2013-02-04 13:11:57 -06:00
David Maloney 4c1e630bf3 BasicAuth datastore cleanup
cleanup all the old BasicAuth datastore options
2013-02-04 13:02:26 -06:00
sinn3r 027ba28e70 Merge branch 'jvazquez-r7-datalife_template' 2013-02-01 16:27:18 -06:00
HD Moore a63cf6977c Fix 1.8 support 2013-02-01 14:39:32 -06:00
jvazquez-r7 bf7bb9952e added template stuff improve 2013-02-01 11:53:42 +01:00
sinn3r de8572d934 Use normalize_uri for URI 2013-01-31 16:57:48 -06:00
jvazquez-r7 70b252dc7b Merge branch 'normalize_uri_update2' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-normalize_uri_update2 2013-01-31 22:32:50 +01:00
jvazquez-r7 b2ce9302c6 uri normalization in the old way 2013-01-31 16:59:49 +01:00
jvazquez-r7 365e1b0557 added module for cve-2013-1412 2013-01-31 16:09:14 +01:00
sinn3r c174e6a208 Correctly use normalize_uri()
normalize_uri() should be used when you're joining URIs.  Because if
you're merging URIs after it's normalized, you could get double
slashes again.
2013-01-30 23:23:41 -06:00
bcoles 970591a85f Add ZoneMinder arbitrary command execution exploit 2013-01-22 22:56:50 +10:30
jvazquez-r7 9769efbf01 references and date updated 2013-01-20 17:38:37 +01:00
bcoles dc318c5aed update php_charts_exec metadata 2013-01-21 02:12:42 +10:30
bcoles f975a42571 move and update php_charts_exec metadata 2013-01-21 02:10:48 +10:30
jvazquez-r7 2348a0b066 final cleanup and testing 2013-01-16 11:55:14 +01:00
Jose Selvi 064ea63a72 Fixes 2013-01-16 05:22:43 +01:00
Jose Selvi 18f81fd6f4 Nagios3 history.cgi exploit 2013-01-15 15:32:32 +01:00
sinn3r 2a1ab2c99a Improve the module 2013-01-07 19:03:58 -06:00
sinn3r 1d3c1ec7fc Merge branch 'master' of github.com:CharlieEriksen/metasploit-framework into CharlieEriksen-master 2013-01-07 19:03:35 -06:00
Charlie Eriksen 4e0fca6d0f Adding DB error handling
As per sinn3r's suggestion, adding handling for the most common MySQL
errors.

Also adding HostNotPrivileged, which I encountered during my testing.
2013-01-07 23:52:13 +00:00
Tod Beardsley 33751c7ce4 Merges and resolves CJR's normalize_uri fixes
Merge remote-tracking branch 'ChrisJohnRiley/set_normalize_uri_on_modules'
into set_normalize_uri_on_modules

Note that this trips all kinds of msftidy warnings, but that's for another
day.

Conflicts:
	modules/exploits/unix/webapp/tikiwiki_jhot_exec.rb
	modules/exploits/windows/http/xampp_webdav_upload_php.rb
2013-01-07 11:16:58 -06:00
Charlie Eriksen a8df3d71ff Changes based on Sinn3r's feedback
A bucket-load of changes!

- Added a fallback for if there is no Set-Cookie header
- Added a check if the cookie we produce is simply empty, meaning we
failed something :(
- Removed use of flatten. Though I may look into making that extraction
better
- Changed cgi requests to use vars_(post|get)
- Clarified a few status prints
- A few EOL space fixes
2013-01-06 12:34:27 +00:00
Charlie Eriksen a5113f0da4 Adding a check function
Because it makes sense. The non-vulnerable versions doesn't have
/libs/pdf.php.

So pretty simple.
2013-01-05 18:37:29 +00:00
Charlie Eriksen ae72022777 Improvement for CVE 2012-4915
Made two tiny improvements based on Meatballs' points

- Added handling for 127.0.0.1 as DB_HOST
- Added a note in the description about it changing the pasword
2013-01-05 18:23:00 +00:00
Charlie Eriksen 25cadf8b87 Adding exploit for CVE 2012-4915
Initial commit.

Major functionality working. A bit of polish is still needed in a few
spots to handle exceptions and such.
2013-01-05 14:21:02 +00:00
sinn3r b50e040e69 Fix e-mail format, and the extra comma 2013-01-04 01:11:40 -06:00
Christian Mehlmauer 8f2dd8e2ce msftidy: Remove $Revision$ 2013-01-04 00:48:10 +01:00
Christian Mehlmauer 25aaf7a676 msftidy: Remove $Id$ 2013-01-04 00:41:44 +01:00
jvazquez-r7 758edd7aed make msftidy happy 2013-01-03 00:02:03 +01:00
Charlie Eriksen 97253d46a1 Multiple change for Juan
Incooperated changes as per Juan's suggestions.

- Removed redundant space option for the payload
- Doing the uri more intelligently
- Detecting allow_url_include being disabled and reporting it
- Moved to unix/webapp
- Removed redundant handler call
- Adding to description that this requires allow_url_include to be
enabled
2013-01-02 21:19:06 +00:00
sinn3r 2682908ff2 Small corrections here and there 2012-12-24 18:20:46 -06:00
jvazquez-r7 5b8492fc0d module cleanup by juan 2012-12-24 23:26:40 +01:00
jvazquez-r7 ac6f34dc09 module name renamed 2012-12-24 23:26:06 +01:00
jvazquez-r7 bf036c97ad added initial submission from james fitts 2012-12-24 23:25:25 +01:00
jvazquez-r7 7173c9b598 update james email address 2012-12-24 22:46:47 +01:00
sinn3r d69e506221 Final changes 2012-12-24 15:08:52 -06:00
sinn3r 3d27397429 This error will still show even if we get a shell 2012-12-24 15:06:15 -06:00
jvazquez-r7 0950240d9a module cleanup by juan 2012-12-24 18:59:45 +01:00
jvazquez-r7 9020c96373 module renamed 2012-12-24 18:59:25 +01:00
jvazquez-r7 09568f255e Submission by James Fitts 2012-12-24 18:58:53 +01:00
sinn3r 9af8c9b457 Small corrections 2012-12-21 18:52:40 -06:00
jvazquez-r7 d5f08a2405 Added module for CVE-2012-6329 for foswiki 2012-12-21 22:08:08 +01:00
sinn3r 115ad9ae33 Small corrections 2012-12-21 12:56:44 -06:00
jvazquez-r7 76cad3dd4c Added module for CVE-2012-6329 2012-12-21 11:30:04 +01:00
HD Moore b3c0c6175d FixRM #3398 by removing double user-agent headers 2012-12-20 14:45:18 -06:00
sinn3r f5193b595c Update references 2012-12-10 11:42:21 -06:00
jvazquez-r7 d921c6f6e9 bid reference added 2012-12-08 15:09:32 +01:00
sinn3r 60feba164d Add OSVDB 2012-12-07 23:18:02 -06:00
sinn3r 15661b82bc Add Nagios Network Monitor Graph Explorer module 2012-12-07 23:16:25 -06:00
sinn3r 06927345e5 If message becomes nil, we should force a to_s for the regex
next_message can be nil sometimes if packet is nil (see net/ssh's
poll_message source)
2012-12-06 10:44:16 -06:00
sinn3r 530332b176 Apply evil-e's fix when port isn't 22
See #1130
2012-12-05 21:42:53 -06:00
sinn3r 32c5f12912 Hmm, I should change the target name 2012-12-05 21:38:31 -06:00
sinn3r d3c1fa842a Lots of improvements
Keyboard-interactive method isn't required to exploit Tectia SSH.
So this update will just go straight to password method. There's
also improvements for the check() method: Not only does it check
the SSH version (banner), it will also check and see if the server
is using password method to auth.
2012-12-05 21:34:33 -06:00
sinn3r 49999a56ea Added CVE & vendor advisory information 2012-12-05 10:13:44 -06:00
sinn3r e6c6133c90 must be password authentication 2012-12-04 09:56:51 -06:00
sinn3r 2467183c4f "Appears" is better
"Appears" is a more accureate way describing how much we think the
host is vulnerable.
2012-12-04 09:28:05 -06:00