adfoster-r7
84ffa524e5
Land #19424, WordPress GiveWP Plugin RCE
2024-08-28 21:09:42 +01:00
adfoster-r7
71ee987079
Add additional documentation steps, and use 0 for the payload http timeout
2024-08-28 19:21:27 +01:00
Chocapikk
9eb630d993
Add credit
2024-08-28 19:20:32 +02:00
Chocapikk
6bec3d2db0
Lint
2024-08-28 19:16:26 +02:00
Valentin Lobstein
57343d3bc4
Update modules/exploits/multi/http/wp_givewp_rce.rb
Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com>
2024-08-28 13:00:20 +02:00
Chocapikk
1d7cffbdac
Refactored exploit module based on RCESecurity's analysis of CVE-2024-5932
- Completely overhauled the method for exploiting the GiveWP plugin by removing dependency on the REST API, which may require authentication.
- Instead, we now use the admin-ajax.php endpoint for retrieving form lists and nonce values, ensuring compatibility even when REST API authentication is required.
- The exploit now works with all form types; however, the give_price_id and give_amount must be set to '0' and '0.00', respectively, as attempts to randomize these values caused the exploit to fail.
2024-08-27 22:15:12 +02:00
Jack Heysel
8bf354cad2
Land #19417, Improve wp_backup_migration_php exploit
The new PHP filter chain evaluates a POST parameter, which simplifies
the process and reduces the payload size enabling the module to send the
entire payload in one POST request instead of writing the payload to a
file character by character over many POST requests. Support for both
Windows and Linux Meterpreter payloads, not just PHP Meterpreter, has
also been added.
2024-08-27 15:17:00 -04:00
Chocapikk
7f37731396
Lint
2024-08-27 21:14:35 +02:00
Chocapikk
80c784f0e8
Update detail about payloads
2024-08-27 21:07:18 +02:00
Chocapikk
23cd137fbd
Update module
2024-08-27 20:28:44 +02:00
Chocapikk
bc7840ea7f
Add wp_givewp_rce exploit module
2024-08-27 19:50:35 +02:00
bwatters
6c24e0a952
Land #19393, Update OFBiz ProgramExport RCE for Patch Bypass
Merge branch 'land-19393' into upstream-master
2024-08-27 11:48:38 -05:00
Simon Janusz
3ad24b45e3
Land #19241, Remove uri unescape usage
2024-08-27 15:22:43 +01:00
Chocapikk
05b1837e7b
Random parameter generation
2024-08-24 17:27:13 +02:00
Chocapikk
4ee30b24cb
Rewrite wp_backup_migration_php_filter
2024-08-24 17:16:58 +02:00
dwelch-r7
f3a220518a
Land #19394, SPIP Unauthenticated RCE Exploit
2024-08-21 13:58:26 +01:00
Chocapikk
62ab17b14d
Update documentation and Docker Compose for SPIP, remove Rex.sleep() in Metasploit module due to stable payload.
2024-08-20 19:41:05 +02:00
Valentin Lobstein
fdbf7dd3ef
Update modules/exploits/multi/http/spip_porte_plume_previsu_rce.rb
Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com>
2024-08-20 18:54:03 +02:00
Chocapikk
334a9bafa9
Use encoder/php/base64
2024-08-19 18:26:19 +02:00
Chocapikk
3d00f819c6
Update
2024-08-20 07:04:30 +02:00
Chocapikk
b0f3bf1576
Add credit
2024-08-20 07:02:59 +02:00
Chocapikk
eaf5661896
Lint
2024-08-19 19:27:29 +02:00
Valentin Lobstein
f65ccbec73
Update modules/exploits/multi/http/spip_porte_plume_previsu_rce.rb
Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com>
2024-08-18 21:23:59 +02:00
Valentin Lobstein
6ad0b56099
Update modules/exploits/multi/http/spip_porte_plume_previsu_rce.rb
Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com>
2024-08-18 21:22:16 +02:00
Valentin Lobstein
718c215b96
Update modules/exploits/multi/http/spip_porte_plume_previsu_rce.rb
Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com>
2024-08-18 21:22:09 +02:00
jheysel-r7
c982aabaa3
Minor update
2024-08-16 12:17:56 -07:00
Chocapikk
3d90eb0f43
Add spip_porte_plume_previsu_rce
2024-08-16 10:50:23 +02:00
jheysel-r7
ea10360c81
Update OFBiz ProgramExport RCE for Patch Bypass
2024-08-15 09:18:15 -07:00
h4x-x0r
1390251e87
Code cleanup
Updated code for version detection and exploit invocation
2024-08-03 05:13:33 +01:00
h4x-x0r
2ce0a7a3fd
v7.15 Support added
Updated to work with v7.15 too.
2024-08-02 15:43:26 +01:00
h4x-x0r
6dbb264a0d
Calibre Python Code Injection (CVE-2024-6782)
New Exploit Module for Calibre Python Code Injection (CVE-2024-6782)
2024-08-02 06:03:15 +01:00
Christophe De La Fuente
ba7c7b6456
Land #19298, OpenMediaVault authenticated RCE [CVE-2013-3632]
2024-07-30 17:40:39 +02:00
h00die-gr3y
c94dc8f28c
changes based on cdelafuente-r7 comments
2024-07-29 14:02:29 +00:00
adfoster-r7
62a3f73e70
Update rubocop target ruby version
2024-07-24 16:47:17 +01:00
bwatters
9b7b1fd16e
Land #19313, Ghostscript Command Execution via Format String (CVE-2024-29510)
Merge branch 'land-19313' into upstream-master
2024-07-19 11:24:11 -05:00
Christophe De La Fuente
4d485acb73
Remove Windows target since it doesn't work for now
2024-07-19 16:19:56 +02:00
h00die-gr3y
a9f8475bf5
moved module + doc to exploit/unix/webapp
2024-07-16 15:50:20 +00:00
Christophe De La Fuente
e9c511c979
Add documentation and some updates
2024-07-16 16:34:28 +02:00
Pierre Mauduit
8a0c65e603
Update geoserver_unauth_rce_cve_2024_36401.rb
looks like a copy/paste typo from another exploit
2024-07-16 11:20:35 +02:00
Jack Heysel
f7449ea850
Land #19311, Add GeoServer unauth RCE module
This adds an exploit module for CVE-2024-36401, an unauthenticated RCE
vulnerability in GeoServer versions prior to 2.23.6, between versions
2.24.0 and 2.24.3, and in versions 2.25.0 and 2.25.1.
2024-07-12 11:07:36 -07:00
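As an added example, not code from the module or from the Metasploit project, the affected ranges stated in the commit message above turned into a version check. It uses Ruby's stdlib Gem::Version so that a string such as "2.23.10" compares numerically (it is after the 2.23.6 fix) rather than lexically, and treats "between 2.24.0 and 2.24.3" as inclusive, which is an assumption. The XML sample and the extract_geoserver_version helper are constructed for the example and only assume that the version appears in a <Version> element under the GeoServer resource, as in GeoServer's REST about/version output.

```ruby
require 'rubygems' # Gem::Version ships with Ruby; the require is explicit for clarity

# Ranges affected by CVE-2024-36401 per the commit message:
# before 2.23.6, 2.24.0 through 2.24.3, and 2.25.0 / 2.25.1.
# Each entry is [inclusive lower bound, exclusive upper bound]; nil means "no lower bound".
# Treating the 2.24.0..2.24.3 range as inclusive at both ends is an assumption.
GEOSERVER_VULNERABLE_RANGES = [
  [nil,      '2.23.6'], # everything before the 2.23.x fix
  ['2.24.0', '2.24.4'], # 2.24.0 .. 2.24.3
  ['2.25.0', '2.25.2']  # 2.25.0 .. 2.25.1
].freeze

# Returns true when version_string falls inside one of the vulnerable ranges.
# Unparseable input is reported as not vulnerable rather than raising, so a
# scanner can keep going on odd banners.
def geoserver_vulnerable?(version_string)
  return false unless version_string.is_a?(String) && Gem::Version.correct?(version_string)

  v = Gem::Version.new(version_string)
  GEOSERVER_VULNERABLE_RANGES.any? do |low, high|
    (low.nil? || v >= Gem::Version.new(low)) && v < Gem::Version.new(high)
  end
end

# Pulls the GeoServer version out of an about/version-style XML body.
# Only the <resource name="GeoServer"> ... <Version>x.y.z</Version> shape is assumed.
def extract_geoserver_version(body)
  m = body.match(%r{<resource name="GeoServer">.*?<Version>([^<]+)</Version>}m)
  m && m[1].strip
end

# Constructed sample response (not captured from a real server).
SAMPLE_ABOUT_VERSION = <<~XML
  <about>
    <resource name="GeoServer">
      <Build-Timestamp>01-Jan-2024 00:00</Build-Timestamp>
      <Version>2.24.2</Version>
    </resource>
  </about>
XML

if __FILE__ == $PROGRAM_NAME
  ver = extract_geoserver_version(SAMPLE_ABOUT_VERSION)
  puts "GeoServer #{ver}: #{geoserver_vulnerable?(ver) ? 'vulnerable' : 'not in affected ranges'}"
end
```

The exclusive upper bounds make the table read like the patch boundaries (the first fixed release of each branch), which is less error-prone than hand-listing every affected patch level.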
jheysel-r7
c5dad68322
Remove comma after the last item of a hash
2024-07-12 13:38:59 -04:00
H00die.Gr3y
292c177b74
Apply suggestions from code review
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
2024-07-12 19:20:46 +02:00
Jack Heysel
5d210b548b
added windows support
2024-07-11 16:34:07 -07:00
h00die-gr3y
4e76068cea
added armle architecture support
2024-07-11 21:42:45 +00:00
h00die-gr3y
1ee2131d8d
update based on cgranleese-r7 review comments
2024-07-11 16:12:52 +00:00
jheysel-r7
f9bd079618
Apply suggestions from code review
2024-07-10 20:45:53 -04:00
h00die-gr3y
28d6ef92dd
fourth release module
2024-07-10 21:44:28 +00:00
h00die-gr3y
198f3f8d9b
update based on review comments of jvoisin
2024-07-10 11:05:22 +00:00
h00die-gr3y
92637c4293
third release module
2024-07-09 21:54:55 +00:00
remmons-r7
108e60ae4d
Peer review suggestion to swap out fail_with for print_error
If the response to the code execution request isn't a 200, the module should error instead of fail. All versions tested returned 200s, but it's a great point that some Confluence versions might return a different status code but still pop a shell.
2024-07-09 16:23:25 -05:00