Rapid 7 - Metasploit Wrap-Up
LearnPress authenticated SQL injection
Metasploit contributor h00die added a new module that exploits CVE-2020-6010, an authenticated SQL injection vulnerability in the WordPress LearnPress plugin. When a user is logged in with contributor
privileges or higher, the id
parameter can be used to inject arbitrary code through an SQL
query. This exploit can be used to collect usernames and password hashes. The responsible code is located in learnpress/inc/admin/lp-admin-functions.php
at line 1690
. The vulnerability affects plugin versions v3.2.6.7
and prior.
Continuous improvement
In addition to new exploit modules, Metasploit releases include a number of enhancements and bug fixes. This week we would like to highlight a few key enhancements that improve usability. Contributor pingport80 added support for easy reading of binary files from target systems compromised through a PowerShell session. Our very own sjanusz-r7 added a default payload option to the postgres_payload
module so that payloads update correctly when changing target systems. An enhancement made by our own gwillcox-r7 extends Windows process lib injection beyond just notepad.exe
. The logic now selects from a random list that can be updated in the future. We appreciate all the contributions that make Metasploit more robust and easier to use.
New module content (1)
- Wordpress LearnPress current_items Authenticated SQLi by Omri Herscovici, Sagi Tzadik, h00die, and nhattruong, which exploits CVE-2020-6010 - This collects usernames and password hashes from Wordpress installations via an authenticated SQL injection vulnerability that exists in LearnPress plugin versions below
v3.2.6.8
.
Enhancements and features
- #15384 from gwillcox-r7 - This consolidates and changes the library code used by exploits that use RDLLs. The changes improve upon the logic used to start a process to host the RDLL so it is no longer notepad.exe but randomly selected from a list that can also be updated in the future.
- #15477 from pingport80 - This adds PowerShell session support to the
readable?
andread_file
functions provided by thePost::File
API. - #15580 from sjanusz-r7 - Updates
postgres_payload
exploit modules to specify a valid default PAYLOAD option when changing target architectures - #15584 from h00die - Updates the list of WordPress plugins and themes to allow users to discover more plugins and themes when running tools such as
auxiliary/scanner/http/wordpress_scanner
Bugs fixed
- #15496 from zeroSteiner - Users can now specify the SSL version for servers with the
SSLVersion
datastore option, ensuring compatibility with a range of targets old and new.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from GitHub:
If you are a git
user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).
from Rapid7 Blog https://blog.rapid7.com/2021/08/27/metasploit-wrap-up-127/
Comments
Post a Comment