a1c157a4db
Land #4609 , @h0ng10's module for Wordpress Pixabay Images PHP Code Upload
2015-02-03 17:01:32 -06:00
eebee7c066
Do better session creation handling
2015-02-03 17:00:37 -06:00
4ca4fd1be2
Allow to provide the traversal depth
2015-02-03 16:38:40 -06:00
e62a5a4fff
Make the calling payload code easier
2015-02-03 16:23:04 -06:00
61cdb5dfc9
Change filename
2015-02-03 16:13:10 -06:00
82be43ea58
Do minor cleanup
2015-02-03 16:07:27 -06:00
2c956c0a0f
add wordpress platform theme rce
2015-01-31 22:02:44 +01:00
d04fd3b978
Fixing Indentation
...
Small indentation fix
2015-01-29 13:03:19 +08:00
af90c6482b
Sanity Changes
...
Reverted failure behaviour on line 70
Removed a space that prevented line 98 from working as intended
2015-01-28 18:40:43 +08:00
27c412341f
Syntax Changes
...
Cleaned up this statement a tiny bit
2015-01-28 18:34:19 +08:00
fc3094ec9b
Syntax changes
...
Fixed some more syntax - failures
2015-01-28 18:30:21 +08:00
321eb452c5
Syntax Fixes
...
Fixed some or's to || - and's to &&.
Fixed failure if statement (fails using fail_with())
Fixed nested else (now and elsif)
Changed final execute logic - checks for success rather than failure.
2015-01-28 18:08:15 +08:00
fefc3d088c
Cookie fix and success display
...
Added handling for if the server doesn't correctly assign a cookie using
Set-Cookie by changing the regex and doing an additional check. Also
fixed the success display - changed the if statement to match others in
this module and fixed the text output based on server response.
2015-01-28 17:11:05 +08:00
bae19405a7
Various grammar, spelling, word choice fixes
2015-01-26 11:00:07 -06:00
419fa93897
Add OSVDB and WPScan references
2015-01-23 09:27:42 +01:00
dfbbc79e0d
make retries a datastore option
2015-01-23 09:23:09 +01:00
11bf58e548
Use metasploit methods
2015-01-23 08:48:52 +01:00
9d3397901b
Correct version numbers and code tidy up
2015-01-19 20:59:46 +00:00
5813c639d1
Initial commit
2015-01-19 17:23:48 +01:00
8a89b3be28
Cleanup of various bits of code
2015-01-13 22:20:40 +00:00
8246f4e0bb
Add ability to use both WP and EC attack vectors
2015-01-12 23:30:59 +00:00
e6f6acece9
Add a date hash to the post data
2015-01-12 21:21:50 +00:00
ea37e2e198
Add WP EasyCart file upload exploit module
2015-01-10 21:05:02 +00:00
d4d1a53533
fix invalid url
2015-01-09 21:57:52 +01:00
82e6183136
Add Msf::Exploit::FileDropper mixin
2015-01-08 21:07:00 +00:00
93dc90d9d3
Tidied up some code with existing mixins
2015-01-08 20:53:56 +00:00
7b92c6c2df
Add WP Symposium Shell Upload module
2015-01-07 22:02:39 +00:00
44dfa746eb
Resolve #4513 - Change #inspect to #to_s
...
Resolve #4513
2015-01-05 11:50:51 -06:00
b5b0be9001
Do minor cleanup
2014-12-26 11:24:02 -06:00
5c82b8a827
Add ProjectSend Arbitrary File Upload module
2014-12-23 10:53:03 +00:00
025c0771f8
Have exploit call check. Have check report_vuln
2014-12-15 09:53:11 -08:00
f521e7d234
Use newer Ruby hash syntax
2014-12-15 09:17:32 -08:00
c93dc04a52
Resolve address before storing the working cred
2014-12-15 09:11:12 -08:00
5ca8f187b3
Merge remote-tracking branch 'upstream/pr/4328' into temp
2014-12-15 08:15:51 -08:00
4530066187
return nil
2014-12-15 01:04:39 +11:00
55d9e9cff6
Use list of potential analytics hosts
2014-12-14 23:15:41 +11:00
008c33ff51
Fix description
2014-12-12 13:36:28 -06:00
b334e7e0c6
Land #4322 , @FireFart's wordpress exploit for download-manager plugin
2014-12-12 12:41:59 -06:00
aaed7fe957
Make the timeout for the calling payload request lower
2014-12-12 12:41:06 -06:00
00f66b6050
Correct named captures
2014-12-12 10:22:14 -08:00
98dca6161c
Delete unused variable
2014-12-12 12:03:32 -06:00
810bf598b1
Use fail_with
2014-12-12 12:03:12 -06:00
1e6bbc5be8
Use blank?
2014-12-12 09:51:08 -08:00
4f3ac430aa
Land #4341 , @EgiX's module for tuleap PHP Unserialize CVE-2014-8791
2014-12-12 11:48:25 -06:00
64f529dcb0
Modify default timeout for the exploiting request
2014-12-12 11:47:49 -06:00
24f1b916e0
Minor ruby style cleanup
2014-12-12 09:47:35 -08:00
1d1aa5838f
Use Gem::Version to compare versions in check
2014-12-12 09:47:01 -08:00
d01a07b1c7
Add requirement to description
2014-12-12 11:42:45 -06:00
fd09b5c2f6
Fix title
2014-12-12 10:52:18 -06:00
4871228816
Do minor cleanup
2014-12-12 10:52:06 -06:00
544f75e7be
fix invalid URI scheme, closes #4362
2014-12-11 23:34:10 +01:00
700ccc71e7
Create tuleap_unserialize_exec.rb
2014-12-09 10:15:46 +01:00
42744e5650
Add actualanalyzer_ant_cookie_exec exploit
2014-12-06 19:09:20 +00:00
5ea062bb9c
fix bug
2014-12-05 11:30:45 +01:00
55b8d6720d
add wordpress download-manager exploit
2014-12-05 11:17:54 +01:00
c77a0984bd
Land #3989 , @us3r777's exploit for CVE-2014-7228, Joomla Update unserialize
...
the commit.
empty message aborts
2014-10-20 13:39:08 -05:00
4e6f61766d
Change module filename
2014-10-20 13:31:22 -05:00
e202bc10f0
Fix title
2014-10-20 13:30:44 -05:00
f07c5de711
Do code cleanup
2014-10-20 13:27:48 -05:00
052a9fec86
Delete return
2014-10-20 10:52:33 -05:00
199f6eba76
Fix check method
2014-10-20 10:46:40 -05:00
16101612a4
Some changes to use primer
...
Follow wiki How-to-write-a-module-using-HttpServer-and-HttpClient
2014-10-20 17:26:16 +02:00
1e143fa300
Removed unused variables
2014-10-20 16:58:41 +02:00
35d3bbf74d
Fix up comment splats with the correct URI
...
See the complaint on #4039 . This doesn't fix that particular
issue (it's somewhat unrelated), but does solve around
a file parsing problem reported by @void-in
2014-10-17 11:47:33 -05:00
b1223165d4
Trivial grammar fixes
2014-10-14 12:00:50 -05:00
444b01c4b0
Typo + shorten php serialized object
2014-10-12 21:29:04 +02:00
2428688565
CVE-2014-7228 Joomla/Akeeba Kickstart RCE
...
Exploit via serialiazed PHP object injection. The Joomla! must be
updating more precisely, the file $JOOMLA_WEBROOT/administrator/
components/com_joomlaupdate/restoration.php must be present
2014-10-09 18:51:24 +02:00
1584c4781c
Add reference
2014-10-09 06:58:15 +02:00
4f96d88a2f
Land #3949 , @us3r777's exploit for CVE-2014-6446, wordpress infusionsoft plugin php upload
2014-10-08 16:35:49 -05:00
66a8e7481b
Fix description
2014-10-08 16:35:14 -05:00
8ba8402be3
Update timeout
2014-10-08 16:32:05 -05:00
bbf180997a
Do minor cleanup
2014-10-08 16:29:11 -05:00
03888bc97b
Change the check function
...
Use regex based detection
2014-10-06 18:56:01 +02:00
29111c516c
Wordpress Infusionsoft Gravity Forms CVE-2014-6446
...
The Infusionsoft Gravity Forms plugin 1.5.3 through 1.5.10 for
WordPress does not properly restrict access, which allows remote
attackers to upload arbitrary files and execute arbitrary PHP
code via a request to utilities/code_generator.php.
2014-10-06 14:10:01 +02:00
f45b89503d
change WPVULNDBID to WPVDB
2014-10-03 17:13:18 +02:00
33b37727c7
Added wpvulndb links
2014-10-02 23:03:31 +02:00
9acccfe9ba
Fix description
2014-09-19 17:18:59 -05:00
d826132f87
Delete CVE, add EDB
2014-09-19 17:16:03 -05:00
7afbec9d6c
Land #2890 , @Ahmed-Elhady-Mohamed module for OSVDB 93034
2014-09-19 17:12:49 -05:00
1fa5c8c00c
Add check method
2014-09-19 17:11:16 -05:00
ce0b00bb0b
Change module location and filename
2014-09-19 16:59:35 -05:00
564431fd41
Use arrays in refs for consistency
2014-08-18 18:54:54 +00:00
b8b2e3edff
Add HybridAuth install.php PHP Code Execution module
2014-08-16 23:31:46 +00:00
a79eec84ac
Land #3584 , @FireFart's update for wp_asset_manager_upload_exec
2014-07-30 10:28:51 -05:00
9de8297848
Use [] for References
2014-07-30 10:28:00 -05:00
58fbb0b421
Use [] for References
2014-07-30 10:24:14 -05:00
75057b5df3
Fixed variable
2014-07-29 21:02:15 +02:00
cc3285fa57
Updated checkcode
2014-07-29 20:53:54 +02:00
61ab88b2c5
Updated wp_asset_manager_upload_exec module
2014-07-29 20:53:18 +02:00
e438c140ab
Updated wp_property_upload_exec module
2014-07-29 20:34:34 +02:00
621e85a32d
Correct version
2014-07-28 22:45:04 +02:00
d334797116
Updated foxpress module
2014-07-28 22:23:22 +02:00
79fe342688
Land #3558 , @FireFart's improvements to wordpress mixin
2014-07-28 09:52:20 -05:00
a6479a77d6
Implented feedback from @jhart-r7
2014-07-22 19:49:58 +02:00
baff003ecc
extracted check version to module
...
also added some wordpress specs and applied
rubocop
2014-07-22 17:02:35 +02:00
6048f21875
Land #3552 - Correct DbVisualizer title name
2014-07-21 13:07:33 -05:00
a41768fd7d
Correct DbVisualizer title name
...
I think "DbVis Software" is the name of the company and the product
itself is called DbVisualizer.
Also fixed the description on the WPTouch module.
2014-07-21 12:35:01 -05:00
a809c9e0b5
Changed to vprint and added comment
2014-07-18 22:15:56 +02:00
c6e129c622
Fix rubocop warnings
2014-07-18 21:58:33 +02:00
c1f612b82a
Use vprint_ instead of print_
2014-07-15 06:58:33 +02:00
144c6aecba
Added WPTouch fileupload exploit
2014-07-14 21:35:18 +02:00
8937fbb2f5
Fix email format
2014-07-11 12:45:23 -05:00
9fef2ca0f3
Description/whitespace changes (minor)
...
Four modules updated for the weekly release with minor cosmetic fixes.
- [ ] See all affected modules still load.
- [ ] See all affected modules have expected `info`
2014-07-07 12:39:05 -05:00
d5843f8eaf
Updated Mailpoet exploit to work with another version
2014-07-06 10:53:40 +02:00
cf5d29c53b
Add EOF newline to satisfy msftidy
2014-07-05 13:51:12 -05:00
6d9bf83ded
Small fixes for the recent WP MailPoet module
...
Correct casing in the title
Anchor the use of ::File
Force body.to_s since it can be nil in corner cases
2014-07-05 13:17:23 -05:00
2efa3d6bc0
Land #3487 , @FireFart's exploit for WordPress MailPoet file upload
2014-07-03 14:34:58 -05:00
97a6b298a8
Use print_warning
2014-07-03 13:38:20 -05:00
dcba357ec3
implement feedback
2014-07-03 20:27:08 +02:00
aeb4fff796
Added FileDropper
2014-07-03 19:25:31 +02:00
071f236946
Changed check method
2014-07-02 22:31:02 +02:00
a58ff816c5
Changed check method
2014-07-02 22:29:00 +02:00
40175d3526
added check method
2014-07-02 11:07:58 +02:00
54a28a103c
Updated description
2014-07-02 10:49:28 +02:00
1ff549f9c1
Replaced Tab
2014-07-02 10:35:30 +02:00
09131fec28
Added wysija file upload exploit
2014-07-02 10:24:27 +02:00
bd49d3b17b
Explicitly use the echo stager and deregister options
...
Certain modules will only work with the echo cmd stager so
specify that one as a parameter to execute_cmdstager and
remove the datastore options to change it.
2014-06-28 16:21:08 -04:00
870fa96bd4
Allow quotes in CmdStagerFlavor metadata
2014-06-27 08:34:56 -04:00
91e2e63f42
Add CmdStagerFlavor to metadata
2014-06-27 08:34:55 -04:00
7ced5927d8
Use One CMDStagermixin
2014-06-27 08:34:55 -04:00
ae25c300e5
Initial attempt to unify the command stagers.
2014-06-27 08:34:55 -04:00
8e1949f3c8
Added newline at EOF
2014-06-17 21:03:18 +02:00
8d4d40b8ba
Resolved some Set-Cookie warnings
2014-05-24 00:34:46 +02:00
69369c04b3
Land #3126 , @xistence's exploit for SePortal
2014-03-28 13:52:59 -05:00
7b56c9edac
Add references
2014-03-28 13:51:56 -05:00
0b766cd412
changes per firefart
2014-03-27 10:08:44 -07:00
744308bd35
tab...
2014-03-27 05:24:55 -07:00
a8c96213f0
normalize_uri for wp_property_upload_exec
2014-03-27 05:22:56 -07:00
cfdd64d5b1
Title, description grammar and spelling
2014-03-24 12:16:59 -05:00
c7ba7e4d92
Land #3131 , @xistence's exploit for CVE-2014-1903
2014-03-24 08:48:06 -05:00
c3b753f92e
Make PHPFUNC advanced option
2014-03-24 08:47:31 -05:00
4f333d84c9
Clean up code
2014-03-24 08:15:54 -05:00
c4f0d8e179
FreePBX config.php RCE CVE-2014-1903
2014-03-21 10:29:15 +07:00
b02337d8b6
Land #3123 - Horde Framework Unserialize PHP Code Execution
2014-03-20 12:32:14 -05:00
2845f834c6
changed cookie retrieval to res.get_cookies
2014-03-20 16:39:26 +07:00
7bfb8e95e6
minor changes to seportal module
2014-03-20 13:44:39 +07:00
5ef49ff64b
SePortal 2.5 SQLi Remote Code Execution
2014-03-20 12:02:06 +07:00
d6faf20981
Make title more accurate
2014-03-19 12:43:34 -05:00
379c0efd5a
Update POP chain documentation
2014-03-18 16:29:30 -05:00
77c128fbc5
Fix disclosure date and add ref
2014-03-18 16:21:44 -05:00
b6e8bb62bb
Switch exploitation technique to use default available classes
2014-03-18 16:07:50 -05:00
f86fd8af5d
Delete debug print
2014-03-17 21:01:41 -05:00
3bdd906aae
Add module for CVE-2014-1691
2014-03-17 20:47:45 -05:00
c916b62f47
Removes hash rockets from references.
...
[SeeRM #8776 ]
2014-03-17 09:40:32 -05:00
25ebb05093
Add next chunk of fixes
...
Going roughly a third at a time.
2014-03-11 12:23:59 -05:00
170608e97b
Fix first chunk of msftidy "bad char" errors
...
There needs to be a better way to go about preventing/fixing these.
2014-03-11 11:18:54 -05:00
79d559a0c9
Fix MIME message to_s
2014-02-10 22:23:23 -06:00
7e2a9a7072
More desc fixes, add a vprint to give a hint
2014-02-03 13:18:52 -06:00
710902dc56
Move file location
2014-01-31 09:18:59 -06:00
f086655075
Land #2913 , @bcoles Exploit for Simple E-Document
2014-01-27 08:09:45 -06:00
861126fdbd
Clean exploit code
2014-01-27 08:09:18 -06:00
32d6032893
Add Simple E-Document Arbitrary File Upload module
2014-01-24 19:19:25 +10:30
689999c8b8
Saving progress
...
Progress group 3: Making sure these checks comply with the new
guidelines. Please read: "How to write a check() method" found in
the wiki.
2014-01-21 13:03:36 -06:00
fe767f3f64
Saving progress
...
Progress group 2: Making sure these checks comply with the new
guidelines. Please read: "How to write a check() method" found in
the wiki.
2014-01-21 11:07:03 -06:00
ce8b8e8ef9
Land #2783 - OpenSIS 'modname' PHP Code Execution
2013-12-20 11:29:10 -06:00
d0ef860f75
Strip default username/password
...
There isn't one. So force the user to supply one.
2013-12-20 11:28:18 -06:00
fb6cd9c149
add osvdb+url refs and module tidy up
2013-12-20 20:27:07 +10:30
fc2da15c87
Add OpenSIS 'modname' PHP Code Execution module for CVE-2013-1349
2013-12-19 19:10:48 +10:30
198667b650
Land #2774 , @Mekanismen's module for CVE-2013-7091
2013-12-18 16:23:44 -06:00
aec2e0c92c
Change ranking
2013-12-18 16:23:14 -06:00
d4ec858051
Clean zimbra_lfi
2013-12-18 15:46:37 -06:00
0c0e8c3a49
various updates
2013-12-18 20:54:35 +01:00
2de15bdc8b
added module for Zimbra Collaboration Server CVE-2013-7091
2013-12-17 19:32:04 +01:00
e737b136cc
Minor grammar/caps fixup for release
2013-12-09 14:01:27 -06:00
d47292ba10
Add module for CVE-2013-3522
2013-12-06 13:50:12 -06:00
e4c6413643
Land #2718 , @wchen-r7's deletion of @peer on HttpClient modules
2013-12-05 17:25:59 -06:00
f5a45bfe52
@twitternames not supported for author fields
...
It's kind of a dumb reason but there are metasploit metadata parsers out
there that barf all over @names. They assume user@email.address . Should
be fixed some day.
2013-12-04 13:31:22 -06:00
230db6451b
Remove @peer for modules that use HttpClient
...
The HttpClient mixin has a peer() method, therefore these modules
should not have to make their own. Also new module writers won't
repeat the same old code again.
2013-12-03 12:58:16 -06:00
47bff9a416
Land #2711 , @Mekanismen exploit for wordpress OptimizePress theme
2013-12-02 16:30:24 -06:00
5c3ca1c8ec
Fix title
2013-12-02 16:30:01 -06:00
c32b734680
Fix regex
2013-12-02 16:24:21 -06:00
55847ce074
Fixup for release
...
Notably, adds a description for the module landed in #2709 .
2013-12-02 16:19:05 -06:00
79a6f8c2ea
Clean php_wordpress_optimizepress
2013-12-02 15:43:41 -06:00
57b7d89f4d
Updated
2013-12-01 09:06:41 +01:00
045b848a30
added exploit module for optimizepress
2013-11-30 21:51:56 +01:00
a02e0ee3e4
Land #2682 - Kimai v0.9.2 'db_restore.php' SQL Injection
2013-11-27 19:10:44 -06:00
a03cfce74c
Add table prefix and doc root as fallback options
2013-11-25 17:44:26 +10:30
d8700314e7
Add Kimai v0.9.2 'db_restore.php' SQL Injection module
2013-11-24 02:32:16 +10:30
2c485c509e
Fix caps on module titles (first pass)
2013-11-15 00:03:42 -06:00
65993704c3
Actually commit the mode change.
2013-11-11 22:16:29 -06:00
bdba80c05c
Land #2569 , @averagesecurityguy and others exploit for CVE-2013-4468, CVE-2013-4467
2013-11-07 12:20:42 -06:00
2d4090d9c3
Make option astGUIclient credentials
2013-11-06 20:33:47 -06:00
24d22c96a5
Improve exploitation
2013-11-06 20:15:40 -06:00
2b2ec1a576
Change module location
2013-11-06 15:53:45 -06:00
f5d1d8eace
chmod -x .rb files without #! in modules and lib
...
It wasn't just cmdstager_printf.rb. :/
2013-10-30 19:51:25 -05:00
2ef33aabe7
Clean open_flash_chart_upload_exec
2013-10-24 10:15:28 -05:00
8a5d4d45b4
Add Open Flash Chart v2 Arbitrary File Upload exploit
2013-10-24 22:46:41 +10:30
1599d1171d
Land #2558 - Release fixes
2013-10-21 13:48:11 -05:00
c070108da6
Release-related updates
...
* Lua is not an acronym
* Adds an OSVDB ref
* credit @jvazquez-r7, not HD, for the Windows CMD thing
2013-10-21 13:33:00 -05:00
032da9be10
Land #2426 - make use of Msf::Config.data_directory
2013-10-21 13:07:33 -05:00
22b4bf2e94
Resplat webtester_exec.rb
2013-10-17 13:30:54 -05:00
07ab53ab39
Merge from master to clear conflict
...
Conflicts:
modules/exploits/windows/brightstor/tape_engine_8A.rb
modules/exploits/windows/fileformat/a-pdf_wav_to_mp3.rb
2013-10-17 13:29:24 -05:00
352eca1147
Fix check method and set a big space available for payload
2013-10-17 09:30:59 -05:00
54cf7855a2
Add WebTester 5.x Command Execution exploit module
2013-10-17 16:57:57 +10:30
ed0b84b7f7
Another round of re-splatting.
2013-10-15 14:14:15 -05:00
c83262f4bd
Resplat another common boilerplate.
2013-10-15 14:07:48 -05:00
23d058067a
Redo the boilerplate / splat
...
[SeeRM #8496 ]
2013-10-15 13:51:57 -05:00
e2a9339592
Add CVE to joomla media upload module.
2013-10-12 21:20:11 -05:00
9ca9b4ab29
Merge branch 'master' into data_dir
...
Conflicts:
lib/msf/core/auxiliary/jtr.rb
2013-10-10 19:55:26 +01:00
52574b09cb
Add OSVDB reference
2013-10-09 14:13:45 -05:00
jvazquez-r7
Christian Mehlmauer
Nanomebia
Tod Beardsley
Hans-Martin Münch (h0ng10)
rastating
sinn3r
Brendan Coles
Jon Hart
EgiX
us3r777
URI Assassin
William Vu
HD Moore
Spencer McIntyre
Kurt Grutzmacher
xistence
Mekanismen
jvazquez-r7
joev
Meatballs