92c1fa8390
remove downcase
2017-02-18 20:13:32 -05:00
f3bcc9f23f
Take care of suhosin
2017-02-08 09:59:36 +01:00
028d4d6077
Make the payload a bit more random
2017-02-08 09:59:22 +01:00
cb03ca91e1
Make php_cgi_arg_injection work in certain environnement
...
This commit sets two more options to `0` in the payload:
- [cgi.force_redirect](https://secure.php.net/manual/en/ini.core.php#ini.cgi.force-redirect )
- [cgi.redirect_status_env](https://secure.php.net/manual/en/ini.core.php#ini.cgi.redirect-status-env )
The configuration directive `cgi.force_redirect` prevents anyone from calling PHP
directly with a URL like http://my.host/cgi-bin/php/secretdir/script.php .
Instead, PHP will only parse in this mode if it has gone through a web server redirect rule.
The string set in the configuration directive `cgi.redirect_status_env`
is the one that PHP will look for to know it's ok to continue its
execution. This might be use together with the previous configuration
option as a security measure.
Setting those variables to 0 is (as stated in the documentation) a
security issue, but it also make the exploit work on some Apache2 setup.
2017-02-07 18:59:27 +01:00
48ed8a72c2
Add helpful comment
2017-01-24 20:03:39 -06:00
ec8add6caa
Always check and print status
2017-01-24 20:00:17 -06:00
42a8e2a113
Remove extraneous variable
2017-01-24 19:50:31 -06:00
97050a6c47
Fix nil bug in scan
2017-01-24 19:49:23 -06:00
836da6177f
Cipher::Cipher is deprecated
2017-01-22 10:20:03 -06:00
f69b4a330e
handle Ruby 2.4 Fixnum/Bignum -> Integer deprecations
2017-01-22 10:20:03 -06:00
3155af679a
Fix a typo
2017-01-03 16:03:45 -06:00
cd90fd3b1c
Fix PHPMailer targets since 5.2.20 is not affected
2016-12-30 15:31:15 -05:00
1eab4b3a7d
Add an optional explicit triggeruri for phpmailer
2016-12-30 14:24:07 -05:00
64037b0d6e
Use a proper target instead of VERSION
2016-12-29 17:37:16 -05:00
c9dd7a50b6
Add the PHPMailer Argument Injection exploit
2016-12-29 17:17:06 -05:00
005d34991b
update architecture
2016-11-20 19:09:33 -06:00
f313389be4
Merge remote-tracking branch 'upstream/master' into land-7507-uuid-arch
2016-11-20 19:08:56 -06:00
8cd9a9b670
Deprecate wp_ninja_forms_unauthenticated_file_upload
...
wp_ninja_forms_unauthenticated_file_upload actually supports
multiple platforms.
Instead of using:
exploit/unix/webapp/wp_ninja_forms_unauthenticated_file_upload
Please use:
exploit/multi/http/wp_ninja_forms_unauthenticated_file_upload
2016-11-10 11:17:09 -06:00
ca5610ccde
Land #7511 , Update jenkins_script_console to support newer versions
2016-11-04 11:24:25 -05:00
5ed030fcf6
Land #7529 , nil.downcase fix for tomcat_mgr_deploy
...
Don't think it was ever needed, since the password is case-sensitive.
Fixed a minor merge conflict where PASSWORD became HttpPassword.
2016-11-03 15:39:46 -05:00
2f8d3c3cf3
Remove the bug where downcase() is invoked on password which is optional and can be empty.
2016-11-03 15:23:19 -05:00
ccce361768
Remove accidentally included debug output
2016-10-29 18:46:51 -04:00
fa7cbf2c5a
Fix the jenkins exploit module for new versions
2016-10-29 18:19:14 -04:00
57eabda5dc
Merge upstream/master
2016-10-29 13:54:31 +10:00
1d617ae389
Implement first pass of architecture/platform refactor
2016-10-28 07:16:05 +10:00
16b7c77851
satisfying travis
2016-10-27 13:37:04 -05:00
a8ab7b09b0
Added Bassmaster batch Arbitrary JavaScript Injection Remote Code Execution Vulnerability (CVE-2014-720)
2016-10-27 13:22:39 -05:00
6b77f509ba
fixes bad file refs for cmdstagers
...
when moving to the rex-exploitation gem some of the
file references were missed, partially due to silly differences
between how each file was referenced
Fixes #7466
2016-10-21 12:31:18 -05:00
9e97febcd1
Land #7429 , Ruby on Rails Dynamic Render File Upload Remote Code Exec
2016-10-13 11:45:46 -05:00
e78d3d6bf0
Fix erroneous cred reporting in SonicWALL exploit
...
A session ID will be returned in the parsed JSON if the login succeeded.
Bad user:
{"noldapnouser"=>1, "loginfailed"=>1}
Bad password:
{"loginfailed"=>1}
Good user/password:
{"userid"=>"1", "sessionid"=>"4WJ9cNg1TkBrwjzX"}
2016-10-11 19:25:52 -05:00
bd646ded1b
fixed the check function
2016-10-11 14:06:03 -05:00
d8f98ccd4e
run through msftidy
2016-10-10 22:36:20 -05:00
f2252bb179
fixed a few things, thanks @h00die
2016-10-10 22:30:01 -05:00
3c3f424a4d
added a some references
2016-10-10 17:56:03 -05:00
bca3aab1db
added CVE-2016-0752
2016-10-10 17:36:20 -05:00
5de1d34869
Land #7341 , add module metasploit_static_secret_key_base
2016-09-23 09:20:48 -05:00
9f3c8c7eee
Land #7268 , add metasploit_webui_console_command_execution post-auth exploit
2016-09-22 00:50:58 -05:00
dcfbb9ee6a
Tidy info
...
Replace errant \t with \x20
2016-09-21 20:14:11 +10:00
1e24568406
Tweak verbosity re: found secrets
2016-09-21 20:14:08 +10:00
30d07ce0c7
Tidy metasploit_static_secret_key_base module
...
* Inline magic values
* Optimise out dead Rails3-specific code
2016-09-21 20:13:58 +10:00
8b1d29feef
Land #7304 , fix rails_secret_deserialization popchain
2016-09-20 16:05:03 -05:00
a1ca27d491
add module metasploit_static_secret_key_base
2016-09-20 07:04:00 +10:00
116c754328
tidy Platform
2016-09-15 10:35:42 +10:00
8a0c8b54fc
merge branch 'master' into PR branch
...
make Travis happy
2016-09-15 10:31:24 +10:00
ff1c839b7d
appease msftidy
...
trailing whitespace
2016-09-15 08:18:43 +10:00
6509b34da1
Land #7255 , Fix issue causing Glassfish to fail uploading to Windows targets.
2016-09-14 12:57:41 -05:00
8533e6c5fd
Land #7252 , ARCH_CMD to ARCH_PHP for phoenix_exec
2016-09-14 10:38:37 -05:00
8d4ee3fac6
Forgot the bracket!
2016-09-13 19:01:22 +01:00
41bdae4b84
update links and CVE on webnms_file_upload
2016-09-13 18:50:25 +01:00
17bad7bd4f
fix popchain
...
ERB changed as per <https://github.com/ruby/ruby/commit/e82f4195d4 >
which broke the popchain used for code execution.
2016-09-13 21:25:14 +10:00
h00die