718aaca0f4
Land #10546 , Add Apache Struts exploit: CVE-2018-11776
2018-09-07 14:54:23 -05:00
bd50e00ccc
Make some small changes:
...
Changes made:
* DisclosureDate
* Privileged to false
* Remove gsub for ';'
* Set cmd/unix/generic as the default payload for ARCH_CMD (linux)
2018-09-07 14:48:33 -05:00
b3cd4a89ad
Move CVE ref to top as per ~standard~
2018-09-07 14:33:25 -05:00
68ca771764
Add CVE reference to ghostscript_failed_restore.rb
2018-09-07 14:24:15 -05:00
99ca6cef49
Quote-block cleanup and improved error handling
2018-09-07 11:43:04 -05:00
3671f8f6b0
Handling for Tomcat namespace issues, 'allowStaticMethodAccess' settings, and payload output
...
Depending on the configuration of the Tomcat server, `allowStaticMethodAccess` may already be set. We now try to detect this as part of `profile_target`. But that check might fail. If so, we'll try our best and let the user control whether we prepend OGNL to enable `allowStaticMethodAccess` via the 'ENABLE_OGNL' option.
Additionally, sometimes enabling `allowStaticMethodAccess` will cause the OGNL query to fail.
Additionally additionally, some Tomcat configurations won't provide output from the payload. We'll detect that the payload ran successfully, but tell the user there was no output.
2018-09-06 17:56:42 -05:00
7eb06b4592
Address travis errors: Updated metadata and target OS logic
2018-09-06 12:43:56 -05:00
cb16f812ec
struts2_namespace_ognl updates from code review
...
Thanks to @wvu, @firefart, and @wchen!
2018-09-06 11:50:57 -05:00
243267b2f5
Add Linux dropper target
2018-09-05 19:57:12 -05:00
61044e8bca
Refactor targets to align with current style
2018-09-05 19:56:32 -05:00
692ddc8b8b
Eschew updating imagemagick_delegate
...
The hype is over, and the target was provided as a bonus. Now update the
module language to reflect that.
2018-09-05 19:56:32 -05:00
1491f13bd5
Add Ghostscript failed restore exploit
2018-09-05 19:56:32 -05:00
8fe8bf62e3
Renamed to match existing struts2_content_type_ognl and improved comments
2018-08-31 13:48:22 -05:00
35022d8332
Added payload upload+execution and OGNL-specific URI encoding
2018-08-31 13:39:42 -05:00
7c7f63df45
Fix missing normalize_uri in struts2_rest_xstream
...
I missed this one previously. May not be necessary but nice to have.
2018-08-30 15:56:43 -05:00
9d3e1c1942
Land #10540 , weblogic_deserialize, add check method and linux target
2018-08-30 06:08:03 -05:00
3161beff69
Prefer opt hash
2018-08-29 14:56:31 -05:00
bc4442694e
Fix Windows target options, remove comspec
2018-08-29 14:23:00 -05:00
b373dcc5d4
First draft of module and documentation for struts_namespace_rce against CVE-2018-11776
2018-08-28 16:53:26 -05:00
f6b868bac2
Prefer regex for target check in exploit method
...
This is how I initially wrote it out, and I think I like it better.
Obviously we'll still check individual symbols in execute_command, since
some of the matching is disjoint.
2018-08-28 15:56:45 -05:00
3dec79da23
Add Windows ARCH_CMD target and refactor again
...
Must have been an oversight that I didn't add the target.
2018-08-28 15:03:41 -05:00
94e8cdac37
Move files to correct location
2018-08-28 12:38:54 -05:00
7d21c2094e
Improve PSH target and refactor check code
2018-08-27 20:18:35 -05:00
df5f4caaae
Uncomment PSH target in struts2_rest_xstream
...
I'm full of shit. It works.
msf5 exploit(multi/http/struts2_rest_xstream) > run
[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Powershell command length: 2467
[*] Sending stage (206403 bytes) to 192.168.56.101
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:49691) at 2018-08-27 20:00:47 -0500
meterpreter > getuid
Server username: MSEDGEWIN10\IEUser
meterpreter > sysinfo
Computer : MSEDGEWIN10
OS : Windows 10 (Build 17134).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 3
Meterpreter : x64/windows
meterpreter >
2018-08-27 20:01:00 -05:00
47ca6c6a14
Land #10527 , Fix msftdiy EDB link check, enable HTTPS
2018-08-27 10:49:20 -05:00
79b3e4564a
Land #10487 , add php5 session file target
2018-08-27 06:22:28 -05:00
9725e90ba7
Fix msftdiy EDB link check
2018-08-26 04:18:38 +00:00
6df235062b
Land #10505 , post-auth and default creds info
2018-08-24 18:08:15 -05:00
7f3824b067
Additional path for Linux target
2018-08-24 07:18:24 -05:00
3d0d8f7773
Update false negatives on post auth information
2018-08-20 15:43:07 -05:00
b9809d9435
Added support for php5 as target
...
location of the session file in php5 is /var/lib/php5/sess_file
2018-08-20 03:47:04 +05:30
60c0272270
Make style consistent
2018-08-15 21:27:40 -05:00
cd01f11fd2
Remove verifying host keys for all exploits
2018-08-15 14:54:41 -07:00
d9fc99ec4a
Correct false negative post_auth? status
2018-08-09 23:34:03 -05:00
6223685c37
Update auth requirement for json metadata
2018-08-07 16:42:00 -05:00
6c11d5800f
Register files on same line
2018-07-31 10:03:59 -05:00
569ddd9d59
Remove files from application
2018-07-31 09:47:39 -05:00
952ab801e8
Land #10060 , vTiger CRM v6.3.0 Upload RCE
2018-07-30 12:32:24 -05:00
62f663207b
Change option type
2018-07-30 12:15:59 -05:00
fe9315dc89
Update module, Add documentation
2018-07-30 12:11:08 -05:00
72d634b10b
Update module and its documentation
2018-07-26 23:08:20 -05:00
be1bf8b1fc
modified status
2018-07-26 15:41:19 -05:00
6accca4181
added documentation and check method
2018-07-26 15:32:37 -05:00
ed4c4046ba
parsing for uploaded file, gets session
2018-07-26 14:23:24 -05:00
c23ffcbf62
successfully uploads payload and gets a session
2018-07-26 11:09:01 -05:00
8f89275df8
authenticating to WordPress
2018-07-25 14:22:24 -05:00
668bcb38cb
metadata setup
2018-07-25 11:29:47 -05:00
19239c72c0
Update cmsms_upload_rename_rce check and docs
2018-07-19 18:26:42 +00:00
28e3f3a5f0
Land #10327 , Add CMS Made Simple Upload/Rename Authenticated RCE
2018-07-19 12:18:12 -05:00
c5ac4c791f
Make changes based on community feedback
2018-07-19 12:17:02 -05:00
Wei Chen