84ffa524e5
Land #19424 , WordPress GiveWP Plugin RCE
2024-08-28 21:09:42 +01:00
71ee987079
Add additional documentation steps, and use 0 for the payload http timeout
2024-08-28 19:21:27 +01:00
fabb5d1f78
Land #19422 , pgAdmin 8.4 RCE / CVE-2024-3116
2024-08-28 18:54:53 +01:00
aaf95f9134
Apply suggestions from code review
2024-08-28 18:46:08 +01:00
9eb630d993
Add credit
2024-08-28 19:20:32 +02:00
6bec3d2db0
Lint
2024-08-28 19:16:26 +02:00
d0d4c3083a
Fixing error message
2024-08-28 18:33:31 +02:00
2b7cf76fc8
Fixing wrong SideEffects and Reliability values
2024-08-28 18:20:20 +02:00
251c1c0c1e
Adding check for host operating system
2024-08-28 18:17:36 +02:00
a22db071f0
Appease rubocop
2024-08-28 10:46:48 -04:00
57343d3bc4
Update modules/exploits/multi/http/wp_givewp_rce.rb
...
Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com >
2024-08-28 13:00:20 +02:00
24750deab3
Add modules/encoders/php/hex.rb
...
This one increases the size of the payload by a bit more than a factor two,
but should be able to generate a valid encoded payload in some pathological
BADCHAR situations where modules/encoders/php/base64.rb can't.
2024-08-28 12:19:04 +02:00
02eb49ed00
Land #19395 , Electerm post password gather module
...
Merge branch 'land-19395' into upstream-master
2024-08-27 16:17:45 -05:00
1d7cffbdac
Refactored exploit module based on RCESecurity's analysis of CVE-2024-5932
...
- Completely overhauled the method for exploiting the GiveWP plugin by removing dependency on the REST API, which may require authentication.
- Instead, we now use the admin-ajax.php endpoint for retrieving form lists and nonce values, ensuring compatibility even when REST API authentication is required.
- The exploit now works with all form types; however, the give_price_id and give_amount must be set to '0' and '0.00', respectively, as attempts to randomize these values caused the exploit to fail.
2024-08-27 22:15:12 +02:00
8bf354cad2
Land #19417 , Improve wp_backup_migration_php exploit
...
The new PHP filter chain evaluates a POST parameter, which simplifies
the process and reduces the payload size enabling the module to send the
entire paylaod in one POST request instead of writing the payload to a
file character by character over many POST requests. Support for both
Windows and Linux Meterpreter payloads, not just PHP Meterpreter, has
also been added.
2024-08-27 15:17:00 -04:00
7f37731396
Lint
2024-08-27 21:14:35 +02:00
80c784f0e8
Update detail about payloads
2024-08-27 21:07:18 +02:00
23cd137fbd
Update module
2024-08-27 20:28:44 +02:00
bc7840ea7f
Add wp_givewp_rce exploit module
2024-08-27 19:50:35 +02:00
6c24e0a952
Land #19393 , Update OFBiz ProgramExport RCE for Patch Bypass
...
Merge branch 'land-19393' into upstream-master
2024-08-27 11:48:38 -05:00
4af2294709
Land #19386 , Ivanti Virtual Traffic Manager (vTM) Authentication Bypass (CVE-2024-7593) Module
...
Merge branch 'land-19386' into upstream-master
2024-08-27 09:39:10 -05:00
49d382692a
Land #19377 , Add compressinon to php/base64
...
This enables users to set a datastore option in enocoders/php/base64
which will compress the payload using zlib, greatly reducing its size
2024-08-27 10:27:45 -04:00
3ad24b45e3
Land #19241 , Remove uri unescape usage
2024-08-27 15:22:43 +01:00
f74b7ccef5
Land #19415 , Update the ldap_esc_vulnerable_cert_finder module
...
Merge branch 'land-19415' into upstream-master
2024-08-26 18:28:33 -05:00
84431b0a4e
Land #19380 , Control iD iDSecure Authentication Bypass (CVE-2023-6329) Module
...
Merge branch 'land-19380' into upstream-master
2024-08-26 18:09:09 -05:00
6326cac8d4
Fixing nil safe issue
2024-08-26 23:23:43 +02:00
7e9f52dd0b
Github release
2024-08-26 23:02:53 +02:00
573643a7b4
Update modules/encoders/php/base64.rb
2024-08-26 16:35:29 -04:00
e0037fb167
Land #19376 , Fix php/base64 encoder
...
This fixes the php/base64 encoder which was previously generating php
payloads that were failing when being being run
2024-08-26 16:08:03 -04:00
d1ce041fd0
Inital commit and Rubocop fixes
2024-08-26 19:27:20 +02:00
05b1837e7b
Random parameter generation
2024-08-24 17:27:13 +02:00
4ee30b24cb
Rewrite wp_backup_migration_php_filter
2024-08-24 17:16:58 +02:00
4cfa93f878
Update the ldap_esc_vulnerable_cert_finder module
2024-08-23 16:49:30 -04:00
ec5892ff1f
Land #19363 , Ray Modules CVE-2023-6019 CVE-2023-6020 CVE-2023-48022
2024-08-23 04:55:17 -04:00
ea6efff830
Update modules/post/multi/gather/electerm.rb
...
Co-authored-by: Spencer McIntyre <58950994+smcintyre-r7@users.noreply.github.com >
2024-08-22 22:28:01 +08:00
35da4662ed
Land #19351 , DIAEnergie SQL Injection
2024-08-21 09:44:15 -04:00
39f81e0a45
Update check function
2024-08-21 22:32:53 +09:00
ee58313d64
Update check function
2024-08-21 22:09:56 +09:00
f3a220518a
Land #19394 , SPIP Unauthenticated RCE Exploit
2024-08-21 13:58:26 +01:00
c66540ef2f
Update modules/exploits/linux/http/ray_agent_job_rce.rb
...
use MeterpreterTryToFork to avoid a meterpreter session get killed
Co-authored-by: Diego Ledda <diego_ledda@rapid7.com >
2024-08-21 21:38:37 +09:00
8d838d4d56
Land #19366 , Jenkins Login Scanner improvments
2024-08-21 10:28:22 +01:00
62ab17b14d
Update documentation and Docker Compose for SPIP, remove Rex.sleep() in Metasploit module due to stable payload.
2024-08-20 19:41:05 +02:00
fdbf7dd3ef
Update modules/exploits/multi/http/spip_porte_plume_previsu_rce.rb
...
Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com >
2024-08-20 18:54:03 +02:00
91167fc85f
Remove unnecessary option
2024-08-20 21:44:11 +09:00
4d1782640b
Update sideeffects
2024-08-20 19:12:18 +09:00
01b2a1c55c
Enable fetch payload
2024-08-20 13:20:42 +09:00
45677898a8
Add TARGET_URI
2024-08-20 13:08:01 +09:00
52852cea72
Add cve ref
2024-08-20 12:59:52 +09:00
99c81d7821
Set default fetch_command to wget
2024-08-20 08:59:39 +09:00
64bdf54bb0
Use Fetch Payload (Not tested)
2024-08-20 08:56:05 +09:00
adfoster-r7