Insert 'What Year Is It' meme
h00die contributed the Mikrotik unauthenticated directory traversal file read auxiliary gather module, largely a port of the PoC by Ali Mosajjal. The vulnerability CVE-2018-14847 allows any file on the router to be read through the Winbox server in RouterOS due to a lack of validation and trust in the Winbox client. The auxiliary/gather/mikrotik_winbox_fileread module exploits this vulnerability by communicating with the Winbox server on port 8291 and requesting the system user database file. One would hope all vulnerable MikroTiks have been patched by now, but if you happen to discover a vulnerable instance it's time to dump the credentials! Vulnerable versions of MikroTik RouterOS are:
- (bugfix) 6.30.1-6.40.7
- (current) 6.29-6.42
- (RC) 6.29rc1-6.43rc3
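For triaging a RouterOS inventory against the three ranges above, here is an added Ruby example (not code from the Metasploit module or this post): it parses version strings, including rc builds, and reports which listed range a version falls in. The inventory entries are constructed for the demo.

```ruby
# Vulnerable ranges for CVE-2018-14847 as listed in the post, inclusive [low, high].
VULNERABLE_RANGES = {
  bugfix:  ['6.30.1',  '6.40.7'],
  current: ['6.29',    '6.42'],
  rc:      ['6.29rc1', '6.43rc3'],
}.freeze

# Parse "6.43rc3" into a comparable array [major, minor, patch, final_flag, rc_num].
# final_flag is 0 for rc builds and 1 for final releases, so 6.43rc3 sorts before 6.43.
def parse_routeros_version(str)
  m = str.strip.match(/\A(\d+)\.(\d+)(?:\.(\d+))?(?:rc(\d+))?\z/i)
  raise ArgumentError, "unrecognised RouterOS version: #{str.inspect}" unless m
  major, minor, patch, rc = m.captures
  [major.to_i, minor.to_i, patch.to_i, rc ? 0 : 1, rc.to_i]
end

# Return the names of the listed ranges that contain this version.
# rc builds are only compared against the RC range, final builds against the others.
def vulnerable_channels(version)
  v = parse_routeros_version(version)
  rc_build = v[3].zero?
  VULNERABLE_RANGES.select do |chan, (low, high)|
    next false unless (chan == :rc) == rc_build
    (parse_routeros_version(low) <=> v) <= 0 && (v <=> parse_routeros_version(high)) <= 0
  end.keys
end

def vulnerable_to_cve_2018_14847?(version)
  !vulnerable_channels(version).empty?
end

# Constructed sample inventory (hostname, RouterOS version) used for the demo.
SAMPLE_INVENTORY = [
  ['gw-branch-01', '6.40.7'],
  ['gw-branch-02', '6.42.7'],
  ['gw-lab-01',    '6.43rc3'],
  ['gw-core-01',   '6.43'],
  ['gw-old-01',    '6.28'],
].freeze

# Map each host to a triage verdict; returns [[host, version, verdict], ...].
def triage(inventory = SAMPLE_INVENTORY)
  inventory.map do |host, ver|
    chans = vulnerable_channels(ver)
    [host, ver, chans.empty? ? 'not in listed ranges' : "vulnerable (#{chans.join(', ')})"]
  end
end

triage.each { |row| puts row.join("\t") } if __FILE__ == $0
```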
WordPress plugin giveth
Security researcher mslavco discovered an unauthenticated, time-based blind SQL injection in the Loginizer WordPress plugin's log parameter. h00die contributed the WordPress Loginizer log SQLi Scanner auxiliary scanner module, which exploits the vulnerability (CVE-2020-27615) to extract user credentials and then store them in the database. Loginizer versions 1.6.3 and earlier are vulnerable to the auxiliary/scanner/http/wp_loginizer_log_sqli module, and it is important to note that successful exploitation requires WordPress 5.4 (or newer) or 5.5 (or newer).
New modules (2)
- Mikrotik Winbox Arbitrary File Read by h00die and mosajjal, which exploits CVE-2018-14847
- WordPress Loginizer log SQLi Scanner by h00die, mslavco, and red0xff, which exploits CVE-2020-27615
Enhancements and features
- PR #14252 by h00die updates the Avira password gather to store captured credentials in the database and adds support for exporting Raw-MD5u hashes, which are used by Avira to store passwords.
- PR #14270 by Jeffrey Martin adds guards to notify users of incorrect or missing encoders while allowing the encoding process to continue.
- PR #14282 by h00die enhanced the Metasploit loader to provide more accurate error messages when an external module fails to load.
- PR #14297 by Steve Passino updated auxiliary/scanner/http/zabbix_login to support Zabbix versions 3.x, 4.x, and 5.x up to the latest 5.2 LTS release.
- PR #14222 by JRodriguez556 replaces calls to the deprecated URI.encode function with calls to
- PR #14323 by Spencer McIntyre fixes an issue in auxiliary/gather/enum_dns that only affects zone transfer enumeration (AXFR) by using the nameservers specified in the datastore
- PR #14326 by Christopher Granleese fixes an issue in store_loot in which certain data types were not properly stored and resulted in a subsequent stack trace.
- PR #14350 by Matúš Bursa added the missing nasm dependency to ensure that tools/exploit/nasm_shell.rb works as expected when running inside of Docker.
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).