718aaca0f4
Land #10546 , Add Apache Struts exploit: CVE-2018-11776
2018-09-07 14:54:23 -05:00
bd50e00ccc
Make some small changes:
...
Changes made:
* DisclosureDate
* Privileged to false
* Remove gsub for ';'
* Set cmd/unix/generic as the default payload for ARCH_CMD (linux)
2018-09-07 14:48:33 -05:00
99ca6cef49
Quote-block cleanup and improved error handling
2018-09-07 11:43:04 -05:00
3671f8f6b0
Handling for Tomcat namespace issues, 'allowStaticMethodAccess' settings, and payload output
...
Depending on the configuration of the Tomcat server, `allowStaticMethodAccess` may already be set. We now try to detect this as part of `profile_target`. But that check might fail. If so, we'll try our best and let the user control whether we prepend OGNL to enable `allowStaticMethodAccess` via the 'ENABLE_OGNL' option.
Additionally, sometimes enabling `allowStaticMethodAccess` will cause the OGNL query to fail.
Additionally additionally, some Tomcat configurations won't provide output from the payload. We'll detect that the payload ran successfully, but tell the user there was no output.
2018-09-06 17:56:42 -05:00
7eb06b4592
Address travis errors: Updated metadata and target OS logic
2018-09-06 12:43:56 -05:00
cb16f812ec
struts2_namespace_ognl updates from code review
...
Thanks to @wvu, @firefart, and @wchen!
2018-09-06 11:50:57 -05:00
8fe8bf62e3
Renamed to match existing struts2_content_type_ognl and improved comments
2018-08-31 13:48:22 -05:00
35022d8332
Added payload upload+execution and OGNL-specific URI encoding
2018-08-31 13:39:42 -05:00
7c7f63df45
Fix missing normalize_uri in struts2_rest_xstream
...
I missed this one previously. May not be necessary but nice to have.
2018-08-30 15:56:43 -05:00
b373dcc5d4
First draft of module and documentation for struts_namespace_rce against CVE-2018-11776
2018-08-28 16:53:26 -05:00
f6b868bac2
Prefer regex for target check in exploit method
...
This is how I initially wrote it out, and I think I like it better.
Obviously we'll still check individual symbols in execute_command, since
some of the matching is disjoint.
2018-08-28 15:56:45 -05:00
3dec79da23
Add Windows ARCH_CMD target and refactor again
...
Must have been an oversight that I didn't add the target.
2018-08-28 15:03:41 -05:00
7d21c2094e
Improve PSH target and refactor check code
2018-08-27 20:18:35 -05:00
df5f4caaae
Uncomment PSH target in struts2_rest_xstream
...
I'm full of shit. It works.
msf5 exploit(multi/http/struts2_rest_xstream) > run
[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Powershell command length: 2467
[*] Sending stage (206403 bytes) to 192.168.56.101
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:49691) at 2018-08-27 20:00:47 -0500
meterpreter > getuid
Server username: MSEDGEWIN10\IEUser
meterpreter > sysinfo
Computer : MSEDGEWIN10
OS : Windows 10 (Build 17134).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 3
Meterpreter : x64/windows
meterpreter >
2018-08-27 20:01:00 -05:00
47ca6c6a14
Land #10527 , Fix msftdiy EDB link check, enable HTTPS
2018-08-27 10:49:20 -05:00
79b3e4564a
Land #10487 , add php5 session file target
2018-08-27 06:22:28 -05:00
9725e90ba7
Fix msftdiy EDB link check
2018-08-26 04:18:38 +00:00
7f3824b067
Additional path for Linux target
2018-08-24 07:18:24 -05:00
3d0d8f7773
Update false negatives on post auth information
2018-08-20 15:43:07 -05:00
b9809d9435
Added support for php5 as target
...
location of the session file in php5 is /var/lib/php5/sess_file
2018-08-20 03:47:04 +05:30
d9fc99ec4a
Correct false negative post_auth? status
2018-08-09 23:34:03 -05:00
6223685c37
Update auth requirement for json metadata
2018-08-07 16:42:00 -05:00
6c11d5800f
Register files on same line
2018-07-31 10:03:59 -05:00
569ddd9d59
Remove files from application
2018-07-31 09:47:39 -05:00
952ab801e8
Land #10060 , vTiger CRM v6.3.0 Upload RCE
2018-07-30 12:32:24 -05:00
62f663207b
Change option type
2018-07-30 12:15:59 -05:00
fe9315dc89
Update module, Add documentation
2018-07-30 12:11:08 -05:00
72d634b10b
Update module and its documentation
2018-07-26 23:08:20 -05:00
be1bf8b1fc
modified status
2018-07-26 15:41:19 -05:00
6accca4181
added documentation and check method
2018-07-26 15:32:37 -05:00
ed4c4046ba
parsing for uploaded file, gets session
2018-07-26 14:23:24 -05:00
c23ffcbf62
successfully uploads payload and gets a session
2018-07-26 11:09:01 -05:00
8f89275df8
authenticating to WordPress
2018-07-25 14:22:24 -05:00
668bcb38cb
metadata setup
2018-07-25 11:29:47 -05:00
19239c72c0
Update cmsms_upload_rename_rce check and docs
2018-07-19 18:26:42 +00:00
c5ac4c791f
Make changes based on community feedback
2018-07-19 12:17:02 -05:00
08e33cad0c
Spelling fix
2018-07-17 20:12:37 -05:00
20905d1ca1
Fix syntax error
2018-07-17 18:48:07 -05:00
a24666a00a
msftidy fixes
2018-07-17 18:28:33 -05:00
1e004769ca
CMS Made Simple Upload/Rename Authenticated RCE
2018-07-17 09:00:39 -05:00
2f37482535
Land #10278 , gitlist_arg_injection fixes
2018-07-12 19:03:52 -05:00
1a3a4ef5e4
Revised 88 aux and exploit modules to add CVEs / references
2018-07-12 17:34:52 -05:00
1ded8ffb29
Land #10260 , Add phpMyAdmin v4.8.1/4.8.0 LFI RCE
2018-07-11 11:10:52 -05:00
10cd6c99d9
Land #10231 , Monstra Fileupload Exec
2018-07-10 14:23:15 -05:00
07dca243ff
changed grammar, removed redundant code
2018-07-10 14:13:57 -05:00
171fa562a3
added parsing for repos in Gitlist source
2018-07-10 11:32:46 -05:00
5776b64a1b
modified exploit
2018-07-09 13:56:33 -05:00
f5e40b14a3
removed double eval as suggested
2018-07-09 13:24:31 -05:00
4f039de2fc
Fix CVE numbers
2018-07-09 13:22:08 -05:00
44b9798afb
modified regex, id=filesmanager lines
2018-07-09 10:55:29 -05:00
Wei Chen