exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 18 of 18 RSS Feed

Files from Christian Mehlmauer

First Active2013-04-29
Last Active2024-09-01
MediaWiki SVG XML Entity Expansion Remote File Access
Posted Sep 1, 2024
Authored by juan vazquez, Christian Mehlmauer, Daniel Franke | Site metasploit.com

This Metasploit module attempts to read a remote file from the server using a vulnerability in the way MediaWiki handles SVG files. The vulnerability occurs while trying to expand external entities with the SYSTEM identifier. In order to work MediaWiki must be configured to accept upload of SVG files. If anonymous uploads are allowed the username and password arent required, otherwise they are. This Metasploit module has been tested successfully on MediaWiki 1.19.4, 1.20.3 on Ubuntu 10.04 and Ubuntu 12.10. Older versions were also tested but do not seem to be vulnerable to this vulnerability. The following MediaWiki requirements must be met: File upload must be enabled, $wgFileExtensions[] must include svg, $wgSVGConverter must be set to something other than false.

tags | exploit, remote, file upload
systems | linux, ubuntu
SHA-256 | 71615d7c455fb2156a5414c500e8bff8843420ced30f06fff70abbf96f287ac8
Wordpress Pingback Locator
Posted Sep 1, 2024
Authored by Brandon McCann, Thomas McCarthy, Christian Mehlmauer | Site metasploit.com

This Metasploit module will scan for wordpress sites with the Pingback API enabled. By interfacing with the API an attacker can cause the wordpress site to port scan an external target and return results. Refer to the wordpress_pingback_portscanner module. This issue was fixed in wordpress 3.5.1.

tags | exploit
advisories | CVE-2013-0235
SHA-256 | 65cbac95feefbe173371074c6a38d799642d743e4d6bf6a043123171794c676b
WordPress XMLRPC GHOST Scanner
Posted Sep 1, 2024
Authored by Christophe de la Fuente, Jonathan Claudius, Christian Mehlmauer, Karl Sigler, Chaim Sanders, Robert Rowley, Felipe Costa | Site metasploit.com

This Metasploit module can be used to determine hosts vulnerable to the GHOST vulnerability via a call to the WordPress XMLRPC interface. If the target is vulnerable, the system will segfault and return a server error. On patched systems, a normal XMLRPC error is returned.

tags | exploit
advisories | CVE-2015-0235
SHA-256 | 0f56392ccd813c8e84a11e14ba4b1ff6a1b54575734b7fa3a67388cb4aa01425
WordPress Custom-contact-forms Plugin SQL Upload
Posted Aug 31, 2024
Authored by Christian Mehlmauer, Marc-Alexandre Montpas | Site metasploit.com

The WordPress custom-contact-forms plugin less than or equal to 5.1.0.3 allows unauthenticated users to download a SQL dump of the plugins database tables. Its also possible to upload files containing SQL statements which will be executed. The module first tries to extract the WordPress table prefix from the dump and then attempts to create a new admin user.

tags | exploit
SHA-256 | 1a80c7130e774898b0a92ea3c0917bafbdbbd5af2170e9e5a15940936f916185
Limesurvey Unauthenticated File Download
Posted Aug 31, 2024
Authored by Christian Mehlmauer, Pichaya Morimoto | Site metasploit.com

This Metasploit module exploits an unauthenticated file download vulnerability in limesurvey between 2.0+ and 2.06+ Build 151014. The file is downloaded as a ZIP and unzipped automatically, thus binary files can be downloaded.

tags | exploit
SHA-256 | 30ad0929e6b5c744fd9ac77f7ee226b311b36f66dca118f93f088a4d54c365cb
WordPress W3-Total-Cache 0.9.2.4 Username / Hash Extraction
Posted Aug 31, 2024
Authored by Jason A. Donenfeld, Christian Mehlmauer | Site metasploit.com

The W3-Total-Cache Wordpress plugin versions 0.9.2.4 and below can cache database statements and its results in files for fast access. Version 0.9.2.4 has been fixed afterwards so it can be vulnerable. These cache files are in the webroot of the Wordpress installation and can be downloaded if the name is guessed. This Metasploit module tries to locate them with brute force in order to find usernames and password hashes in these files. W3 Total Cache must be configured with Database Cache enabled and Database Cache Method set to Disk to be vulnerable.

tags | exploit
SHA-256 | c2aa1f41b792452240a3b9a5e06158fab4068fbbc3fbdc3aba4e94a3a2613bd5
Hashtable Collisions
Posted Aug 31, 2024
Authored by Dan S. Wallach, Alexander Klink, Krzysztof Kotowicz, Christian Mehlmauer, Julian Waelde, Scott A. Crosby | Site metasploit.com

This Metasploit module uses a denial-of-service (DoS) condition appearing in a variety of programming languages. This vulnerability occurs when storing multiple values in a hash table and all values have the same hash value. This can cause a web server parsing the POST parameters issued with a request into a hash table to consume hours of CPU with a single HTTP request. Currently, only the hash functions for PHP and Java are implemented. This Metasploit module was tested with PHP + httpd, Tomcat, Glassfish and Geronimo. It also generates a random payload to bypass some IDS signatures.

tags | exploit, java, web, php
advisories | CVE-2011-4858, CVE-2011-4885, CVE-2011-5034, CVE-2011-5035
SHA-256 | b029e67e4fc45769ef0806adf780beee36692122a886f5bb14135c025f43efbc
Wordpress XMLRPC Denial of Service
Posted Aug 31, 2024
Authored by Nir Goldshlager, Christian Mehlmauer | Site metasploit.com

Wordpress XMLRPC parsing is vulnerable to a XML based denial of service. This vulnerability affects Wordpress 3.5 - 3.9.2 (3.8.4 and 3.7.4 are also patched).

tags | exploit, denial of service
advisories | CVE-2014-5266
SHA-256 | 319840bc56806d15a3488b2399aefda02a750095672ad0a5ef0cb256bb7f2917
Joomla HTTP Header Unauthenticated Remote Code Execution
Posted Dec 17, 2015
Authored by Christian Mehlmauer, Marc-Alexandre Montpas | Site metasploit.com

Joomla suffers from an unauthenticated remote code execution that affects all versions from 1.5.0 to 3.4.5. By storing user supplied headers in the databases session table it's possible to truncate the input by sending an UTF-8 character. The custom created payload is then executed once the session is read from the database. You also need to have a PHP version before 5.4.45 (including 5.3.x), 5.5.29 or 5.6.13. In later versions the deserialisation of invalid session data stops on the first error and the exploit will not work. The PHP Patch was included in Ubuntu versions 5.5.9+dfsg-1ubuntu4.13 and 5.3.10-1ubuntu3.20 and in Debian in version 5.4.45-0+deb7u1.

tags | exploit, remote, php, code execution
systems | linux, debian, ubuntu
advisories | CVE-2015-8562
SHA-256 | 5a665a27f3d12ff63349cd4ca300cdf8e60e5919f5df2fde458870a5b8bac108
VideoCharge Studio Buffer Overflow (SEH)
Posted Aug 17, 2015
Authored by metacom, Christian Mehlmauer, Andrew Smith aka jakx | Site metasploit.com

This Metasploit module exploits a stack based buffer overflow in VideoCharge Studio 2.12.3.685 when processing a specially crafted .VSC file. This vulnerability could be exploited by a remote attacker to execute arbitrary code on the target machine by enticing a user of VideoCharge Studio to open a malicious .VSC file.

tags | exploit, remote, overflow, arbitrary
advisories | OSVDB-69616
SHA-256 | 5afb52ddd9c049208eb1441710497e2625b20e4833296328ac22be987e5b2017
WordPress W3 Total Cache PHP Code Execution
Posted Mar 24, 2015
Authored by H D Moore, juan vazquez, temp66, Christian Mehlmauer | Site metasploit.com

This Metasploit module exploits a PHP Code Injection vulnerability against WordPress plugin W3 Total Cache for versions up to and including 0.9.2.8. WP Super Cache 1.2 or older is also reported as vulnerable. The vulnerability is due to the handling of certain macros such as mfunc, which allows arbitrary PHP code injection. A valid post ID is needed in order to add the malicious comment. If the POSTID option isn't specified, then the module will automatically find or bruteforce one. Also, if anonymous comments aren't allowed, then a valid username and password must be provided. In addition, the "A comment is held for moderation" option on WordPress must be unchecked for successful exploitation. This Metasploit module has been tested against WordPress 3.5 and W3 Total Cache 0.9.2.3 on a Ubuntu 10.04 system.

tags | exploit, arbitrary, php
systems | linux, ubuntu
advisories | CVE-2013-2010, OSVDB-92652
SHA-256 | bed096490dc9d7e2c3e5ae3b9e8234d981926a7705dfde36023179c919fb54aa
WordPress Platform Theme Remote Code Execution
Posted Feb 4, 2015
Authored by Christian Mehlmauer, Marc-Alexandre Montpas | Site metasploit.com

The Wordpress Theme "platform" contains a remote code execution vulnerability through an unchecked admin_init call. The theme includes the uploaded file from it's temp filename with php's include function.

tags | exploit, remote, php, code execution
SHA-256 | c111d9d51c266ad61917964f9eea57d1334074e2ca4b8eb80252f3ed807ddc0f
Wordpress Download Manager (download-manager) Unauthenticated File Upload
Posted Dec 12, 2014
Authored by Christian Mehlmauer, Mickael Nadeau | Site metasploit.com

The WordPress download-manager plugin contains multiple unauthenticated file upload vulnerabilities which were fixed in version 2.7.5.

tags | exploit, vulnerability, file upload
SHA-256 | 079e34e20841af90322c299baf4e66895abbbef7cea8d6d73043669dc843d6bf
Drupal HTTP Parameter Key/Value SQL Injection
Posted Oct 18, 2014
Authored by Brandon Perry, Christian Mehlmauer, SektionEins | Site metasploit.com

This Metasploit module exploits the Drupal HTTP Parameter Key/Value SQL Injection (aka Drupageddon) in order to achieve a remote shell on the vulnerable instance. This Metasploit module was tested against Drupal 7.0 and 7.31 (was fixed in 7.32).

tags | exploit, remote, web, shell, sql injection
advisories | CVE-2014-3704
SHA-256 | 59c783da21c64e0178897d8573702afbd579b90f368e1d6b75b500bd779f1e7d
Wordpress WPTouch Authenticated File Upload
Posted Jul 15, 2014
Authored by Christian Mehlmauer, Marc-Alexandre Montpas | Site metasploit.com

The Wordpress WPTouch plugin contains an authenticated file upload vulnerability. A wp-nonce (CSRF token) is created on the backend index page and the same token is used on handling ajax file uploads through the plugin. By sending the captured nonce with the upload, we can upload arbitrary files to the upload folder. Because the plugin also uses it's own file upload mechanism instead of the wordpress api it's possible to upload any file type. The user provided does not need special rights. Also users with "Contributer" role can be abused.

tags | exploit, arbitrary, file upload
SHA-256 | 3b83080229ddf1398d4c0e14805e19037ba1387ba609af42952912ac8e1c07bb
Wordpress MailPoet (wysija-newsletters) Unauthenticated File Upload
Posted Jul 6, 2014
Authored by Christian Mehlmauer, Marc-Alexandre Montpas | Site metasploit.com

The Wordpress plugin "MailPoet Newsletters" (wysija-newsletters) before 2.6.8 is vulnerable to an unauthenticated file upload. The exploit uses the Upload Theme functionality to upload a zip file containing the payload. The plugin used the admin_init hook, which is also executed for unauthenticated users when accessing a specific URL. The developers tried to fix the vulnerability in version 2.6.7 but the fix can be bypassed. In PHPs default configuration, a POST variable overwrites a GET variable in the $_REQUEST array. The plugin uses $_REQUEST to check for access rights. By setting the POST parameter to something not beginning with 'wysija_', the check is bypassed. Wordpress uses the $_GET array to determine the page and is so not affected by this.

tags | exploit, php, file upload
SHA-256 | ce2cffe8515677c0d219f665bad07fe8ecea2cce4c18e01fcea51556c3c8c876
OpenSSL Heartbeat (Heartbleed) Information Leak
Posted Apr 10, 2014
Authored by Neel Mehta, juan vazquez, Christian Mehlmauer, wvu, Jared Stafford, Matti, Riku, Antti, FiloSottile | Site metasploit.com

This Metasploit module implements the OpenSSL Heartbleed attack. The problem exists in the handling of heartbeat requests, where a fake length can be used to leak memory data in the response. Services that support STARTTLS may also be vulnerable.

tags | exploit
advisories | CVE-2014-0160
SHA-256 | 81d080e43dc83f3e3ee46722a1679f1f403475e40beef0b849082092202ffa5c
Wordpress W3 Total Cache PHP Code Execution
Posted Apr 29, 2013
Authored by H D Moore, juan vazquez, temp66, Christian Mehlmauer | Site metasploit.com

This Metasploit module exploits a PHP Code Injection vulnerability against Wordpress plugin W3 Total Cache for versions up to and including 0.9.2.8. WP Super Cache 1.2 or older is also reported as vulnerable. The vulnerability is due to the handling of certain macros such as mfunc, which allows arbitrary PHP code injection. A valid post ID is needed in order to add the malicious comment. If the POSTID option isn't specified, then the module will automatically bruteforce one. Also, if anonymous comments aren't allowed, then a valid username and password must be provided. In addition, the "A comment is held for moderation" option on Wordpress must be unchecked for successful exploitation. This Metasploit module has been tested against Wordpress 3.5 and W3 Total Cache 0.9.2.3 on a Ubuntu 10.04 system.

tags | exploit, arbitrary, php
systems | linux, ubuntu
advisories | OSVDB-92652
SHA-256 | e5ac9a6fad8c4d6319f7a5b50dd28589a34b1e7d2753c81dd9c0c17b9fb0bb79
Page 1 of 1
Back1Next

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close