Last updated at Wed, 17 Jan 2024 21:57:58 GMT
That Privilege Escalation Escalated Quickly
This release features a module leveraging CVE-2023-22515, a vulnerability in Atlassian's on-premise Confluence Server that was first listed as a privilege escalation but was quickly reclassified as "broken access control" with a CVSS score of 10. The vulnerability itself is very simple and easy to use, so it was unsurprising when CISA released an advisory stating that threat actors were exploiting it in the wild. Anyone running an affected version must mitigate and patch as quickly as possible.
Improved sessions searching
This release enhances the sessions command with additional search filters, for example:
# Return all sessions whose session id is 1 or 5
sessions -S 'session_id:1 session_id:5'
# Return all sessions whose session_type equals meterpreter
sessions -S 'session_type:meterpreter'
# Return all sessions whose last check-in was more than 1 hour 10 minutes ago and less than 2 hours ago
sessions -S 'last_checkin:greater_than:1h10m last_checkin:less_than:2h'
These search options can be combined with the other sessions options, for instance the --verbose flag:
msf6 exploit(windows/smb/psexec) > sessions -S 'last_checkin:greater_than:2h30m' -v
Active sessions
===============
Session ID: 8
Name:
Type: meterpreter windows
Info: NT AUTHORITY\SYSTEM @ WINDEV
Tunnel: 192.168.123.1:4444 -> 192.168.123.132:50564 (192.168.123.132)
Via: exploit/windows/smb/psexec
Encrypted: Yes (AES-256-CBC)
UUID: 4d78f75abbdbf0c8 / x86=1 / windows=1 / 2023-10-19T19:44:23Z
CheckIn: 18003s ago @ 2023-10-19 15:45:30 +0100
Registered: No
Session ID: 9
Name:
Type: meterpreter windows
Info: NT AUTHORITY\SYSTEM @ WINDEV
Tunnel: 192.168.123.1:4444 -> 192.168.123.132:50565 (192.168.123.132)
Via: exploit/windows/smb/psexec
Encrypted: Yes (AES-256-CBC)
UUID: 48d32692e0633293 / x86=1 / windows=1 / 2023-10-19T19:44:23Z
CheckIn: 10803s ago @ 2023-10-19 17:45:30 +0100
Registered: No
Or, as a simple way to search for and kill matching stale sessions, with --kill-all:
msf6 exploit(windows/smb/psexec) > sessions -S 'last_checkin:greater_than:2h30m' -K
[*] Killing matching sessions...
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
4 meterpreter x86/windows NT AUTHORITY\SYSTEM @ WINDEV 192.168.123.1:4444 -> 192.168.123.132:50540 (192.168.123.132)
5 meterpreter x86/windows NT AUTHORITY\SYSTEM @ WINDEV 192.168.123.1:4444 -> 192.168.123.132:50555 (192.168.123.132)
[*] 192.168.123.132 - Meterpreter session 4 closed.
[*] 192.168.123.132 - Meterpreter session 5 closed.
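To make the filter syntax above concrete, here is an added example (not the framework's own implementation) that parses `sessions -S` style search strings and applies them to constructed session records. The grouping rule is my assumption inferred from the examples: terms with the same key are OR-ed (session_id:1 session_id:5), while the greater_than and less_than check-in bounds are AND-ed to form a range; durations use the "1h10m" style.

```ruby
require 'time'
UNITS = { 'h' => 3600, 'm' => 60, 's' => 1 }.freeze

# Parse a duration such as "1h10m", "45m" or "2h" into seconds.
def parse_duration(str)
  str = str.to_s
  unless !str.empty? && str.match?(/\A(\d+h)?(\d+m)?(\d+s)?\z/)
    raise ArgumentError, "bad duration #{str.inspect}"
  end
  str.scan(/(\d+)([hms])/).sum { |n, u| n.to_i * UNITS[u] }
end

# Translate one "key:value" (or "last_checkin:op:duration") term into a
# predicate over a session hash plus the group it belongs to. Terms in the
# same group are OR-ed (session_id:1 session_id:5); groups are AND-ed, so the
# two last_checkin bounds form a range. This grouping is an assumption
# inferred from the examples above, not the framework's own logic.
def parse_term(term, now)
  key, *rest = term.split(':')
  case key
  when 'session_id'   then [key, ->(s) { s[:id] == Integer(rest[0].to_s) }]
  when 'session_type' then [key, ->(s) { s[:type] == rest[0] }]
  when 'last_checkin'
    op, secs = rest[0], parse_duration(rest[1])
    age = ->(s) { now - s[:last_checkin] }
    case op
    when 'greater_than' then ["#{key}:#{op}", ->(s) { age.call(s) > secs }]
    when 'less_than'    then ["#{key}:#{op}", ->(s) { age.call(s) < secs }]
    else raise ArgumentError, "unknown comparator #{op.inspect}"
    end
  else raise ArgumentError, "unknown search key #{key.inspect}"
  end
end

# Apply a `sessions -S` style search string to a list of session hashes.
def search_sessions(sessions, search, now: Time.now)
  groups = Hash.new { |h, k| h[k] = [] }
  search.split.each { |t| g, pred = parse_term(t, now); groups[g] << pred }
  sessions.select { |s| groups.values.all? { |preds| preds.any? { |p| p.call(s) } } }
end

# Constructed sample sessions, modelled on the verbose listing above.
NOW = Time.parse('2023-10-19 20:45:33 +0100')
SESSIONS = [
  { id: 4, type: 'meterpreter', last_checkin: NOW - 20 },
  { id: 5, type: 'shell',       last_checkin: NOW - 90 * 60 },
  { id: 8, type: 'meterpreter', last_checkin: NOW - 18003 },
  { id: 9, type: 'meterpreter', last_checkin: NOW - 10803 },
].freeze
```

Running `search_sessions(SESSIONS, 'last_checkin:greater_than:2h30m', now: NOW)` selects sessions 8 and 9, the same two that the --kill-all example above terminates.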
New module content (2)
Apache Superset Signed Cookie RCE
Authors: Naveen Sunkavally, Spencer McIntyre, h00die, and paradoxis
Type: Exploit
Pull request: #18351 contributed by h00die
Path: linux/http/apache_superset_cookie_sig_rce
Description: This adds an exploit for CVE-2023-37941, an authenticated RCE in Apache Superset.
Atlassian Confluence Unauthenticated Remote Code Execution
Author: sfewer-r7
Type: Exploit
Pull request: #18461 contributed by sfewer-r7
Path: multi/http/atlassian_confluence_rce_cve_2023_22515
Description: This adds an exploit module that leverages an improper input validation issue in Atlassian Confluence versions 8.0.0 through 8.3.2, 8.4.0 through 8.4.2, and 8.5.0 through 8.5.1. This vulnerability, identified as CVE-2023-22515, allows unauthenticated remote code execution. The module first creates a new administrator and then executes code by abusing the embedded XWorks2 middleware and uploading a malicious plugin. Note that the module currently cannot remove the new administrator account it creates. This would require a manual clean up.
Enhancements and features (7)
- #17689 from manishkumarr1017 - Adds an additional column to the creds command to additionally show passwords that have been cracked by the auxiliary/analyze/crack_databases module or similar.
- #18364 from zgoldman-r7 - Adds support for filtering sessions by last check-in time, session type, and session id.
- #18381 from sjanusz-r7 - Adds new options -r and --reload-libs to the check, recheck, to_handler, reload, run and rerun commands. This new option will reload all library files before executing the original command.
- #18428 from AleksaZatezalo - This PR adds documentation for the mssql_login module.
- #18438 from adfoster-r7 - Improves the user experience of the database management prompts. Now when running msfdb init the user is no longer prompted to delete the database. The message for clearing unused data service credentials has been reworded.
- #18450 from adfoster-r7 - Adds support for Ruby 3.3.0-preview2.
- #18451 from adfoster-r7 - Updates the newly added cracked password column of the creds command to work with the remote database.
Bugs fixed (3)
- #18442 from adfoster-r7 - Improves the stability of msfdb init in Windows environments. Previously, the msfdb init script would hang indefinitely in Windows environments, and there were false negatives when detecting whether the database was running.
- #18443 from adfoster-r7 - Adds a fix for the handler/reverse_ssh module returning a warning when starting msfconsole on Windows machines.
- #18449 from adfoster-r7 - Fixes an issue with the scanner/mysql/mysql_authbypass_hashdump module to now correctly close sockets.
Documentation added (1)
- #18452 from jheysel-r7 - Updates the Metasploit Wiki with information on how to run the quality tools on module documentation.
You can find more documentation on our website, docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).