Last updated at Sat, 20 Jan 2024 21:33:58 GMT
Bad WebLogic Part 2
Our own Shelby Pace authored another exploit that takes advantage of a Java object deserialization vulnerability to gain unauthenticated remote code execution on vulnerable WebLogic servers by sending a serialized BadAttributeValueExpException object over the T3 protocol. An ExtractorComparator in the gadget chain is used to reach method.invoke(), which executes arbitrary code. The module has been tested against WebLogic versions v12.2.1.4.0, v12.2.1.3.0, and v12.1.3.0.0.
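The exploit above rides on the T3 listener, so the first thing a practitioner wants is a way to confirm that a port actually speaks T3 and which WebLogic version it reports, before deciding whether the module applies. The probe below is an added example written for this post, not the Metasploit module's own code. It assumes the handshake string commonly sent by T3 probes ("t3 12.2.1" plus AS/HL/MS fields), that a T3 listener answers with a line of the form HELO:<version>.<true|false>, and the default listen port 7001; the sample reply in the test is constructed, and the version list is only the set the post says the module was tested on, not the full affected range.

```ruby
require 'socket'

# Handshake a T3 probe sends. "t3 12.2.1" advertises a client protocol version;
# AS (abbreviation size), HL (header length) and MS (max message size) are the
# values commonly used by T3 probes (assumption: taken from public probes, not
# from the Metasploit module itself).
T3_HELLO = "t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n".b

# Versions the post reports the module was tested against. This is not the list
# of affected versions; check the vendor advisory for CVE-2020-2883 for that.
TESTED_VERSIONS = %w[12.2.1.4.0 12.2.1.3.0 12.1.3.0.0].freeze

# Parse the server's reply to the hello. This example assumes a T3 listener
# answers with "HELO:<version>.<ssl?>" followed by its own AS/HL fields, e.g.
# "HELO:12.2.1.3.0.false\nAS:2048\nHL:19\n\n". Anything else (an HTTP banner,
# a rejection, an empty read) is reported as "no usable T3 hello" (nil).
def parse_t3_hello(reply)
  return nil if reply.nil?
  m = reply.match(/\AHELO:(\d+(?:\.\d+)+)\.(true|false)/)
  return nil unless m
  { version: m[1], ssl: m[2] == 'true' }
end

# True when the reported version is one the post lists as tested.
def tested_version?(version)
  TESTED_VERSIONS.include?(version)
end

# Connect, send the hello and return the parsed reply, or nil. Connection and
# read errors are collapsed into nil so callers can treat the host as "not T3".
def probe_t3(host, port = 7001, timeout = 5)
  sock = Socket.tcp(host, port, connect_timeout: timeout)
  sock.write(T3_HELLO)
  return nil unless IO.select([sock], nil, nil, timeout)
  parse_t3_hello(sock.readpartial(1024))
rescue SystemCallError, SocketError, IOError, EOFError
  nil
ensure
  sock&.close
end

if $PROGRAM_NAME == __FILE__
  if ARGV.empty?
    warn "usage: #{$PROGRAM_NAME} HOST [PORT]"
  else
    host, port = ARGV
    info = probe_t3(host, (port || 7001).to_i)
    if info
      note = tested_version?(info[:version]) ? 'in the tested-version list' : 'not in the tested-version list'
      puts "#{host}: T3 hello, WebLogic #{info[:version]} (ssl=#{info[:ssl]}), #{note}"
    else
      puts "#{host}: no T3 hello"
    end
  end
end
```

A HELO reply only tells you the listener is T3 and what version it claims; whether the deserialization path is reachable still depends on patch level and on the gadget classes being present, so treat the probe as a scoping step, not a vulnerability confirmation.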
Just Drag and Drop
A new module for the WordPress plugin Drag and Drop Multiple File Upload - Contact Form 7 has been added by our frequent community contributor h00die. The module abuses the plugin's file upload feature to upload a PHP shell, bypassing the file extension whitelist by simply appending a % to the end of the uploaded filename.
vBulletin SQL Injection
Community contributor Zenofex has added two new modules for vBulletin, a popular PHP bulletin board and blog web application. Both exploit a SQL injection vulnerability in the getIndexableContent function that is present in vBulletin 5.2.0 through 5.6.1: one to achieve RCE on the target, the other to dump vBulletin table data.
New modules (4)
- vBulletin /ajax/api/content_infraction/getIndexableContent nodeid Parameter SQL Injection RCE by Charles Fol and Zenofex, which exploits CVE-2020-12720
- vBulletin /ajax/api/content_infraction/getIndexableContent nodeid Parameter SQL Injection Data Dump by Charles Fol and Zenofex, which exploits CVE-2020-12720
- Wordpress Drag and Drop Multi File Uploader RCE by Austin Martin and h00die, which exploits CVE-2020-12800
- WebLogic Server Deserialization RCE BadAttributeValueExpException ExtComp by Quynh Le, Shelby Pace, and Y4er, which exploits CVE-2020-2883
Enhancements and features
- PR #13497 by timwr adds python and cmd target options to the exploit/osx/local/persistence module.
- PR #13538 by wvu-r7 adds the Cisco CML and VIRL-PE advisory to the Salt modules.
- PR #13541 by AlanFoster adds controls to the screenshare interface, allowing size and delay customization and switching between the controlling and non-controlling interface.
Bugs fixed
- PR #13448 by red0xff makes Metasploit's HTTP client correctly handle relative redirect URIs that start from the root.
- PR #13514 by noraj updates Metasploit Framework to explicitly depend on irb as a runtime dependency.
- PR #13522 by zeroSteiner fixes an issue where tab-completing an OptAddressRange option, such as RHOSTS, would erroneously append a / character to the host address.
- PR #13540 by cn-kali-team changes the RPORT option from OptString to OptPort.
- PR #13553 by Zenofex removes redundant guard clauses in the auxiliary/gather/vbulletin_getindexablecontent_sqli and exploit/multi/http/vbulletin_getindexablecontent modules.
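The redirect fix in PR #13448 is easy to get wrong in any HTTP client: a Location value of /login must replace the whole path on the same host, while login is relative to the directory of the current path and an absolute URL is taken as-is. The resolver below is an added example for this post, not Metasploit's HTTP client code. It uses Ruby's URI.join, which implements the RFC 3986 reference-resolution rules, and adds the scope check a tester usually wants before following a redirect: whether the target is still the same scheme, host and port. All URLs in it are constructed sample values.

```ruby
require 'uri'

# Resolve a Location header against the URI that was just requested.
# Returns a URI, or nil when the header is missing, blank or unparsable.
#   /login                 -> same host, path replaced from the root
#   login                  -> relative to the current path's directory
#   ../login               -> dot segments removed
#   ?page=2                -> same path, query replaced
#   https://sso.example/x  -> absolute, taken as-is
def resolve_redirect(request_uri, location)
  return nil if location.nil? || location.strip.empty?
  URI.join(request_uri, location.strip)
rescue URI::InvalidURIError
  nil
end

# True when the redirect stays on the same scheme, host and port as the
# original request. A client that blindly follows cross-origin redirects can
# carry credentials or a session cookie off the target, so check this first.
def on_target?(request_uri, redirect_uri)
  return false if redirect_uri.nil?
  a = URI(request_uri)
  a.scheme == redirect_uri.scheme &&
    a.host.to_s.downcase == redirect_uri.host.to_s.downcase &&
    a.port == redirect_uri.port
end

if $PROGRAM_NAME == __FILE__
  base = 'http://target/app/index.php'  # constructed sample request URI
  ['/login', 'login', '../login', '?page=2', 'https://sso.example/auth', '  /admin/ '].each do |loc|
    target = resolve_redirect(base, loc)
    puts format('%-26s -> %-32s on_target=%s', loc.inspect, target, on_target?(base, target))
  end
end
```

The trailing-whitespace case is included because Location values are occasionally emitted with padding; stripping before resolution avoids producing a URI with an encoded space in the path.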
Get it
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).