191e772f06
fix issues highlighted by smcintyre-r7
2021-01-25 22:25:07 +07:00
fc0e221f5a
add comment for self removal
2021-01-24 22:47:47 +07:00
7220dc3ff6
add new note on broken payloads
2021-01-24 22:39:01 +07:00
12157163f7
Merge branch 'obm_deser' into ucmdb
2021-01-24 22:25:57 +07:00
bf4ac7b1a8
add UCMDB sploit
2021-01-24 22:25:45 +07:00
7d7263cf1f
spelling
2021-01-09 08:13:19 -05:00
d8c55501a5
ait csv improter exploit
2021-01-01 12:14:52 -05:00
7de662c807
Land #14521 , Struts2 Multi Eval OGNL RCE
2020-12-23 11:40:16 -06:00
70f8ff31f8
Update documentation to include missing extra options I forgot to document, edit the wording on the module to match the documentation, and do final touch ups.
2020-12-23 10:50:22 -06:00
8a932b847a
Apply RuboCop edits
2020-12-22 17:57:38 -06:00
4a449f97d3
Land #14522 , Replace hard-coded Shiro default key with ENC_KEY
2020-12-22 09:26:49 -06:00
7d0cb771a5
Apply RuboCop updates to module.
2020-12-21 17:31:24 -06:00
24e8aeffe5
Incorporate review feedback and update the associated documentation.
2020-12-21 17:29:21 -06:00
dc6b67f4c6
Land #14509 , Fixes for Solr RCE
2020-12-18 21:51:06 +01:00
be3a1eb9d6
Guard against empty response
2020-12-16 18:25:17 -06:00
9be1e8c295
replace hard-coded shiro default key with SHIROKEY
2020-12-16 11:03:30 +08:00
941ba923f7
Add missing module notes
2020-12-15 19:58:04 -05:00
3d7ed70cec
Tweak the check method and add module docs
2020-12-15 19:49:29 -05:00
289605f532
Require that the user know the CVE since the check is questionable
2020-12-15 19:17:35 -05:00
9bdf591a98
Add a working command stager for CVE-2020-17530
2020-12-15 09:13:06 -05:00
7826cbb8de
Initial addition of the Struts2 Double Eval exploit
2020-12-15 09:13:06 -05:00
f255724e01
Changes to support older Solr (tested 5.3.0)
...
Use a new parameter instead of a header because older versions don't
have access to the request object.
There was an issue where the exploit would fail if the exec returned -1
despite the payload otherwise working, fixed by not trying to return
output in that case.
Also updates the documentation to reflect that we have a Java target now
and quoting is no longer a concern.
2020-12-13 19:05:47 -06:00
9696e709ae
Remove unused vprint_status conditional
2020-12-09 22:48:16 -06:00
a33a6e6c55
Don't be lazy about checking the redirect
...
And don't be lazy about sending the request.
To trigger UnexpectedExceptionPage, we can send bogus data instead of
telegraphing our payload-less gadget chain.
God, I'm so lazy. This took like five extra minutes. :|
2020-12-09 21:09:49 -06:00
d337d832b8
Land #14422 , add GitLab file read/rce
2020-12-09 11:34:14 -06:00
941762b3c5
remove trailing commas
2020-12-09 11:29:00 -06:00
1617b3ec9b
Use zeitwerk for lib/msf/core folder
2020-12-07 10:31:45 +00:00
835059f00c
[CVE-2020-10977] Gitlab arbitrary file read to RCE
2020-12-07 01:26:54 +00:00
bc3d41bbe8
Request json response
...
For compatibility with older versions of Solr (I tested 5.3.0) where the
default is XML.
2020-11-29 17:57:36 -06:00
4b5dd7389c
Cleanup debug prints
2020-11-29 13:15:14 -06:00
4496fe0d82
Randomize the header name for commands
2020-11-29 11:32:35 -06:00
1be51ded25
Use HTTP ClassLoader instead
2020-11-29 10:53:33 -06:00
f6f78d4710
Make changes suggested in code review
2020-11-26 13:46:02 +01:00
7fa10a0684
Update modules/exploits/multi/http/apache_nifi_processor_rce.rb
...
Co-authored-by: cdelafuente-r7 <56716719+cdelafuente-r7@users.noreply.github.com >
2020-11-26 13:46:02 +01:00
5dc7e8f04e
Update modules/exploits/multi/http/apache_nifi_processor_rce.rb
...
Co-authored-by: cdelafuente-r7 <56716719+cdelafuente-r7@users.noreply.github.com >
2020-11-26 13:46:02 +01:00
78c042cbb7
Update modules/exploits/multi/http/apache_nifi_processor_rce.rb
...
Co-authored-by: cdelafuente-r7 <56716719+cdelafuente-r7@users.noreply.github.com >
2020-11-26 13:46:01 +01:00
7894f1eb9a
Update modules/exploits/multi/http/apache_nifi_processor_rce.rb
...
Co-authored-by: cdelafuente-r7 <56716719+cdelafuente-r7@users.noreply.github.com >
2020-11-26 13:46:01 +01:00
fcde932e1b
Update modules/exploits/multi/http/apache_nifi_processor_rce.rb
...
Co-authored-by: cdelafuente-r7 <56716719+cdelafuente-r7@users.noreply.github.com >
2020-11-26 13:46:01 +01:00
2a9898df25
Update modules/exploits/multi/http/apache_nifi_processor_rce.rb
...
Co-authored-by: cdelafuente-r7 <56716719+cdelafuente-r7@users.noreply.github.com >
2020-11-26 13:46:01 +01:00
9a35a5fdee
Remove frozen_string_literal directive
...
Remove directive that was added by `rubocop -A`, as suggested in review.
Note that this results in an additional offense being reported by rubocop
2020-11-26 13:46:01 +01:00
e33a2ca463
Use cleanup method to perform cleanup
2020-11-26 13:46:01 +01:00
f6d39147af
Removed pointless comment.
2020-11-26 13:46:01 +01:00
2de77b6e8a
Refactored code. Primarily line length increased.
2020-11-26 13:46:01 +01:00
012b040fc1
Reformat code layout to satisfy msftidy
2020-11-26 13:46:01 +01:00
41ff86178b
Add new module exploit module
...
Add new module /exploits/multi/http/apache_nifi_processor_rce.rb
2020-11-26 13:46:01 +01:00
63a98adff0
Land #14427 , phpstudy_backdoor_rce.rb TARGETURI handling and default value modifications
2020-11-25 10:32:53 -06:00
ca28f59ac4
Update the description of the TARGETURI option to reflect the recent changes
2020-11-25 10:32:17 -06:00
95665e916c
Land #14416 , wordpress plugin 'simple file list' rce
2020-11-25 09:58:26 -05:00
94c157bc95
Tweak the documentation and module output just a little for clarity
2020-11-25 09:58:07 -05:00
31426576e0
Land #14264 , Add exploit/multi/http/kong_gateway_admin_api_rce
2020-11-25 11:09:02 +00:00
Pedro Ribeiro