This Metasploit module attempts to read a remote file from the server using a vulnerability in the way MediaWiki handles SVG files. The vulnerability occurs while trying to expand external entities with the SYSTEM identifier. In order to work, MediaWiki must be configured to accept uploads of SVG files. If anonymous uploads are allowed, the username and password aren't required; otherwise they are. This Metasploit module has been tested successfully on MediaWiki 1.19.4 and 1.20.3 on Ubuntu 10.04 and Ubuntu 12.10. Older versions were also tested but do not appear to be affected. The following MediaWiki requirements must be met: file upload must be enabled, $wgFileExtensions[] must include svg, and $wgSVGConverter must be set to something other than false.
71615d7c455fb2156a5414c500e8bff8843420ced30f06fff70abbf96f287ac8
This Metasploit module will scan for WordPress sites with the Pingback API enabled. By interfacing with the API, an attacker can cause the WordPress site to port scan an external target and return the results. Refer to the wordpress_pingback_portscanner module. This issue was fixed in WordPress 3.5.1.
65cbac95feefbe173371074c6a38d799642d743e4d6bf6a043123171794c676b
This Metasploit module can be used to determine hosts vulnerable to the GHOST vulnerability via a call to the WordPress XMLRPC interface. If the target is vulnerable, the system will segfault and return a server error. On patched systems, a normal XMLRPC error is returned.
0f56392ccd813c8e84a11e14ba4b1ff6a1b54575734b7fa3a67388cb4aa01425
The WordPress custom-contact-forms plugin, version 5.1.0.3 and earlier, allows unauthenticated users to download a SQL dump of the plugin's database tables. It's also possible to upload files containing SQL statements which will be executed. The module first tries to extract the WordPress table prefix from the dump and then attempts to create a new admin user.
1a80c7130e774898b0a92ea3c0917bafbdbbd5af2170e9e5a15940936f916185
This Metasploit module exploits an unauthenticated file download vulnerability in LimeSurvey between 2.0+ and 2.06+ Build 151014. The file is downloaded as a ZIP and unzipped automatically, so binary files can be downloaded as well.
30ad0929e6b5c744fd9ac77f7ee226b311b36f66dca118f93f088a4d54c365cb
The W3-Total-Cache WordPress plugin, versions 0.9.2.4 and below, can cache database statements and their results in files for fast access. Version 0.9.2.4 was fixed afterwards, so it may or may not be vulnerable. These cache files are in the webroot of the WordPress installation and can be downloaded if the name is guessed. This Metasploit module tries to locate them by brute force in order to find usernames and password hashes in these files. W3 Total Cache must be configured with Database Cache enabled and Database Cache Method set to Disk to be vulnerable.
c2aa1f41b792452240a3b9a5e06158fab4068fbbc3fbdc3aba4e94a3a2613bd5
This Metasploit module uses a denial-of-service (DoS) condition present in a variety of programming languages. The vulnerability occurs when many values stored in a hash table all share the same hash value. This can cause a web server that parses the POST parameters of a request into a hash table to consume hours of CPU time on a single HTTP request. Currently, only the hash functions for PHP and Java are implemented. This Metasploit module was tested with PHP + httpd, Tomcat, Glassfish and Geronimo. It also generates a random payload to bypass some IDS signatures.
b029e67e4fc45769ef0806adf780beee36692122a886f5bb14135c025f43efbc
WordPress XMLRPC parsing is vulnerable to an XML-based denial of service. This vulnerability affects WordPress 3.5 - 3.9.2 (3.8.4 and 3.7.4 are also patched).
319840bc56806d15a3488b2399aefda02a750095672ad0a5ef0cb256bb7f2917
Joomla suffers from an unauthenticated remote code execution vulnerability that affects all versions from 1.5.0 to 3.4.5. Because user-supplied headers are stored in the database's session table, it is possible to truncate the input by sending a UTF-8 character. The custom created payload is then executed once the session is read from the database. The target also needs a PHP version before 5.4.45 (including 5.3.x), 5.5.29 or 5.6.13. In later versions the deserialisation of invalid session data stops on the first error and the exploit will not work. The PHP patch was included in Ubuntu versions 5.5.9+dfsg-1ubuntu4.13 and 5.3.10-1ubuntu3.20 and in Debian in version 5.4.45-0+deb7u1.
5a665a27f3d12ff63349cd4ca300cdf8e60e5919f5df2fde458870a5b8bac108
This Metasploit module exploits a stack-based buffer overflow in VideoCharge Studio 2.12.3.685 when processing a specially crafted .VSC file. This vulnerability could be exploited by a remote attacker to execute arbitrary code on the target machine by enticing a user of VideoCharge Studio to open a malicious .VSC file.
5afb52ddd9c049208eb1441710497e2625b20e4833296328ac22be987e5b2017
This Metasploit module exploits a PHP Code Injection vulnerability against the WordPress plugin W3 Total Cache for versions up to and including 0.9.2.8. WP Super Cache 1.2 or older is also reported as vulnerable. The vulnerability is due to the handling of certain macros such as mfunc, which allows arbitrary PHP code injection. A valid post ID is needed in order to add the malicious comment. If the POSTID option isn't specified, then the module will automatically find or bruteforce one. Also, if anonymous comments aren't allowed, then a valid username and password must be provided. In addition, the "A comment is held for moderation" option on WordPress must be unchecked for successful exploitation. This Metasploit module has been tested against WordPress 3.5 and W3 Total Cache 0.9.2.3 on an Ubuntu 10.04 system.
bed096490dc9d7e2c3e5ae3b9e8234d981926a7705dfde36023179c919fb54aa
The WordPress theme "platform" contains a remote code execution vulnerability through an unchecked admin_init call. The theme includes the uploaded file from its temp filename with PHP's include function.
c111d9d51c266ad61917964f9eea57d1334074e2ca4b8eb80252f3ed807ddc0f
The WordPress download-manager plugin contains multiple unauthenticated file upload vulnerabilities which were fixed in version 2.7.5.
079e34e20841af90322c299baf4e66895abbbef7cea8d6d73043669dc843d6bf
This Metasploit module exploits the Drupal HTTP Parameter Key/Value SQL Injection (aka Drupageddon) in order to achieve a remote shell on the vulnerable instance. This Metasploit module was tested against Drupal 7.0 and 7.31 (fixed in 7.32).
59c783da21c64e0178897d8573702afbd579b90f368e1d6b75b500bd779f1e7d
The WordPress WPTouch plugin contains an authenticated file upload vulnerability. A wp-nonce (CSRF token) is created on the backend index page, and the same token is used when handling AJAX file uploads through the plugin. By sending the captured nonce with the upload, we can upload arbitrary files to the upload folder. Because the plugin also uses its own file upload mechanism instead of the WordPress API, it's possible to upload any file type. The user provided does not need special rights; even users with the "Contributor" role can be abused.
3b83080229ddf1398d4c0e14805e19037ba1387ba609af42952912ac8e1c07bb
The WordPress plugin "MailPoet Newsletters" (wysija-newsletters) before 2.6.8 is vulnerable to an unauthenticated file upload. The exploit uses the Upload Theme functionality to upload a zip file containing the payload. The plugin used the admin_init hook, which is also executed for unauthenticated users when accessing a specific URL. The developers tried to fix the vulnerability in version 2.6.7, but the fix can be bypassed. In PHP's default configuration, a POST variable overwrites a GET variable in the $_REQUEST array. The plugin uses $_REQUEST to check for access rights. By setting the POST parameter to something not beginning with 'wysija_', the check is bypassed. WordPress uses the $_GET array to determine the page and is therefore not affected by this.
ce2cffe8515677c0d219f665bad07fe8ecea2cce4c18e01fcea51556c3c8c876
This Metasploit module implements the OpenSSL Heartbleed attack. The problem exists in the handling of heartbeat requests, where a fake length can be used to leak memory data in the response. Services that support STARTTLS may also be vulnerable.
81d080e43dc83f3e3ee46722a1679f1f403475e40beef0b849082092202ffa5c
This Metasploit module exploits a PHP Code Injection vulnerability against the WordPress plugin W3 Total Cache for versions up to and including 0.9.2.8. WP Super Cache 1.2 or older is also reported as vulnerable. The vulnerability is due to the handling of certain macros such as mfunc, which allows arbitrary PHP code injection. A valid post ID is needed in order to add the malicious comment. If the POSTID option isn't specified, then the module will automatically bruteforce one. Also, if anonymous comments aren't allowed, then a valid username and password must be provided. In addition, the "A comment is held for moderation" option on WordPress must be unchecked for successful exploitation. This Metasploit module has been tested against WordPress 3.5 and W3 Total Cache 0.9.2.3 on an Ubuntu 10.04 system.
e5ac9a6fad8c4d6319f7a5b50dd28589a34b1e7d2753c81dd9c0c17b9fb0bb79