c7d3b5dfbb
Update payload and disable check functionality
...
The check functionality is broken as MSF cannot handle HttpServer and HttpClient at this time.
The payloads were updated to ensure CVE-2017-10271 is being exploited instead of CVE-2017-3506 as explained on https://blog.nsfocusglobal.com/threats/vulnerability-analysis/technical-analysis-and-solution-of-weblogic-server-wls-component-vulnerability/
2018-01-18 13:26:44 -05:00
04e4ff6b3c
Use stop_service to avoid cleanup overload
2018-01-11 19:14:26 -05:00
40f54df129
Feedback updates
2018-01-11 18:54:58 -05:00
172ffdfea1
Use geturi instead of building it ourselves
2018-01-11 18:27:56 -05:00
d4056e72da
Lower the default timeout for CHECK
2018-01-11 17:38:30 -05:00
3617a30e34
Add URIPATH random URI
2018-01-11 17:33:14 -05:00
a28d4a4b5b
Add check and update for some style considerations
2018-01-11 17:28:09 -05:00
0d9a40d2e5
Use target['Platform'] instead of target_platform
2018-01-11 15:44:07 -05:00
c490d642e2
Was missing a comma
2018-01-11 09:42:24 -05:00
3132566d8f
Fix OptFloat error
2018-01-11 09:22:16 -05:00
c05b440f26
Fix additional feedback
...
This
* uses ternary operators
* uses an `RPORT` option shortcut
* removes the `xml_payload` variable and instead more explicitly uses the method directly
* Uses `OptFloat` for the timeout option to allow partial seconds
2018-01-11 08:17:13 -05:00
ab89e552ed
Remove accidental trailing space
2018-01-08 14:42:03 -05:00
2252490e62
Fix using arbitrary keys to instead use "URL"
2018-01-08 14:30:03 -05:00
e80ca348cf
Add Exploit-DB ID
2018-01-08 10:55:46 -05:00
6beeece708
Re-add timeout value
2018-01-07 20:21:29 -05:00
eefd432161
Make sure Platforms match our actual target list
2018-01-06 08:31:30 -05:00
4bd196f8b2
Fix missing single quotes and remove comma
2018-01-06 08:30:48 -05:00
867b32415d
Fix feedback from wvu-r7
...
Fixes feedback from wvu-r7
- Consolidates payload to single method
- Replaces gsub! with standard encode method
- Note exploit discovery and proof of concept code used in authors (still seems weird to include the discovery as an author...)
- Change link
- Use `ARCH_CMD` instead of `[ARCH_CMD]`
- Remove Linux target as it's only Windows or Unix
- Remove timeout as I don't know how to pass it to `send_request_cgi`
2018-01-06 08:12:43 -05:00
744f20304c
Remove hardcoded user-agent from the headers
...
Remove hardcoded user-agent from the headers allowing for `send_request_cgi` to control this
2018-01-05 18:22:27 -05:00
2478de934b
Add CVE-2017-10271 / Oracle WebLogic wls-wsat RCE
2018-01-05 15:05:21 -05:00
366a20a4a4
Fix #9215 , minor style nitpick
2018-01-03 23:11:51 -06:00
a1d43c8f33
Land #9215 , new Drupageddon vector
2018-01-03 14:45:32 -06:00
e9b9c80841
Fix #9307 , credit to @r0610205
2017-12-18 03:55:01 -06:00
76823e9fe6
Land #9183 , Jenkins Groovy XStream RCE
2017-12-18 03:38:27 -06:00
bfd5c2d330
Keep the initial option name 'ADMIN_ROLE'
2017-11-22 22:03:56 +01:00
2be3433bdb
Update references URLs
2017-11-17 13:27:35 +01:00
a636380e4b
Merge the new method into drupal_drupageddon.rb
2017-11-17 13:00:15 +01:00
704514a420
New exploit method for Drupageddon (CVE-2014-3704)
...
This new script exploits the same vulnerability as
*exploits/multi/http/drupal_drupageddon.rb*, but in a more efficient way.
2017-11-16 20:47:44 +01:00
4219959c6d
Bump ranking to Excellent
2017-11-15 15:00:47 -06:00
df2b62dc27
Add Mako Server CMD injection Linux support, update docs, move to multi
2017-11-10 16:28:39 -05:00
500bde1150
get_vars tweak
2017-11-09 04:16:34 -05:00
a04bc0a25b
Add get_vars, remove a https instance
2017-11-08 16:30:59 -05:00
7173e7f4b4
Add CVE to module description
2017-11-07 11:05:14 -05:00
371f3c333a
This commit adds the jenkins_xstream_deserialize module
2017-11-07 09:46:42 -05:00
cfaa34d2a4
more style cleanup for tomcat_jsp_upload_bypass
2017-10-11 15:53:35 -05:00
9885dc07f7
updates for style
2017-10-11 15:29:47 -05:00
03e7797d6c
fixed msftidy errors and added documentation
2017-10-11 07:57:01 -04:00
facc38cde1
set timeout for DELETE request
2017-10-09 21:53:31 -04:00
be8680ba3d
Create tomcat_jsp_upload_bypass.rb
...
Created a module for CVE-2017-12617 which uploads a jsp payload and executes it.
2017-10-08 21:48:47 -04:00
7535fe255f
land #8736 RCE for orientdb
2017-10-06 14:35:42 -04:00
5f66b7eb1a
Land #8940 , @h00die's second round of desc fixes
...
One ninja edit along the way as well.
2017-09-11 13:05:13 -05:00
54a62976f8
update versions and add quick module docs
2017-09-08 13:59:29 -05:00
978fdb07b0
Comment out PSH target and explain why
...
I hope we can fix the PSH target in the future, but the Windows dropper
works today, and you can specify a custom EXE if you really want.
2017-09-08 13:41:06 -05:00
2ebf53b647
Minor tweaks...
2017-09-08 10:04:47 -05:00
00c593e0a2
55 pages of spelling done
2017-09-07 21:18:50 -04:00
a9a307540f
Assign cmd to entire case and use encode for XML
...
Hat tip @acammack-r7. Forgot about that first syntax!
2017-09-07 19:36:08 -05:00
8f1e353b6e
Add Apache Struts 2 REST Plugin XStream RCE
2017-09-07 19:30:48 -05:00
86db2a5771
Land #8888 from @h00die, with two extra fixes
...
Fixes spelling and grammar in a bunch of modules. More to come!
2017-08-31 14:37:02 -05:00
202c936868
Land #8826 , git submodule remote command execution
2017-08-29 18:11:32 -05:00
46eeb1bee0
update style
2017-08-29 17:44:39 -05:00
Kevin Kirsche