Last updated at Fri, 03 Jun 2022 19:35:44 GMT
Ask and you may receive
Module suggestions for the win, this week we see a new module written by jheysel-r7 based on CVE-2022-26352 that happens to have been suggested by jvoisin in the issue queue last month. This module targets an arbitrary file upload in dotCMS versions before 22.03, 220.127.116.11, and 21.06.7 to obtain shells. Make sure you have covered your bases for permission to target this vulnerability before testing this as one blog post suggests some banking sites may rely on this tool.
Everything comes full circle
As the GSoC 2022 program starts to ramp up, a contributor that participated in 2020, red0xff, contributed an enhancement to SQLi library support to give module writers a quicker path to injection on Microsoft SQL. The enhancement updates the
auxiliary/gather/billquick_txtid_sqli module to showcase library utility and can reduce logic code required in modules significantly—saving about 20% in this one instance.
New module content (2)
- DotCMS RCE via Arbitrary File Upload by Hussein Daher, Shubham Shah, and jheysel-r7, which exploits CVE-2022-26352 - Adds an exploit module that leverages CVE-2022-26352, an arbitrary file upload vulnerability in dotCMS versions before 22.03, 18.104.22.168, and 21.06.7, that allows an attacker to execute arbitrary code remotely in the context of the user running the application. The module uploads a
.jsppayload to the tomcat ROOT directory and accesses it to trigger its execution.
- MyBB Admin Control Code Injection RCE by Altelus, Christophe De La Fuente, and Cillian Collins, which exploits CVE-2022-24734 - Adds an exploit module that leverages an improper input validation vulnerability in MyBB prior to 1.8.30 to execute arbitrary code in the context of the user running the application. Authentication to the MyBB Admin Control is required for this exploit to work and the account must have rights to add or update settings.
Enhancements and features (2)
- #16435 from red0xff - This adds support for Microsoft SQL Server to the SQL injection library. Additionally, this updates the
auxiliary/gather/billquick_txtid_sqlimodule to leverage the new library features for exploitation.
- #16492 from h00die - Improves the
nfs_mountscanner module by detecting if a NFS network share is mountable or not based on the provided IP address and hostname.
Bugs fixed (2)
- #16621 from sjanusz-r7 - Fixes a bug where running
multi/manage/shell_to_meterpreterto upgrade from a Python Meterpreter session to a Native Meterpreter session would kill the original Meterpreter session.
- #16640 from zeroSteiner - A bug has been fixed where the Net::LDAP library would fail due to the socket returning less data than was requested. This was addressed by introducing a custom
read()method to appropriately handle cases where the socket may return less data than was expected.
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a
git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).