Brandon Perry brandonprry

at Mono.CSharp.CSharpCodeCompiler.CompileFromFileBatch (System.CodeDom.Compiler.CompilerParameters options, System.String[] fileNames) [0x00135] in /private/tmp/source/bockbuild-mono-3.2.6/profiles/mono-mac-xamarin/build-root/mono-3.2.6/mcs/class/System/Microsoft.CSharp/CSharpCodeCompiler.cs:236
at Mono.CSharp.CSharpCodeCompiler.CompileAssemblyFromFileBatch (System.CodeDom.Compiler.CompilerParameters options, System.String[] fileNames) [0x00011] in /private/tmp/source/bockbuild-mono-3.2.6/profiles/mono-mac-xamarin/build-root/mono-3.2.6/mcs/class/System/Microsoft.CSharp/CSharpCodeCompiler.cs:135
at System.CodeDom.Compiler.CodeDomProvider.CompileAssemblyFromFile (System.CodeDom.Compiler.CompilerParameters options, System.String[] fileNames) [0x00014] in /private/tmp/source/bockbuild-mono-3.2.6/profiles/mono-mac-xamarin/build-root/mono-3.2.6/mcs/class/System/System.CodeDom.Compiler/CodeDomProvider.cs:111
at System.Web.Compilation.AssemblyBuilder.BuildAssembly (System.Web.VirtualPath virtualPath, System
brandonprry / gist:2e73acd63094fa2a4f63
Last active August 29, 2015 14:00
Sometimes the module is too fast and fails to change the root password. Just run it again.
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'json'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
bperry@w00den-pickle:~/tmp/discourse$ brakeman
WARNING: --------------------------------------------------------------------------
You are running an old version of bundler, please update by running: gem install bundler
Loading scanner...
[Notice] Detected Rails 3 application
Processing application in /home/bperry/tmp/discourse
Processing gems...
Processing configuration...
<?php
$m = new MongoClient("mongodb://127.0.0.1:27017");
$m->selectDB('foo');
$collection = $m->selectCollection('test', 'phpmanual');
if ($_GET["age"] != "") {
$js = 'function(){if(this.name == "Joe"||this.age=='.$_GET["age"].')return true;}';
$cursor = $collection->find(array('$where' => $js));
foreach($cursor as $doc) {
##
## This module requires Metasploit: http://metasploit.com/download
## Current source: https://github.com/rapid7/metasploit-framework
###
require 'msf/core'
class Metasploit4 < Msf::Auxiliary
Rank = GoodRanking
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<wsdl:definitions xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:mime="http://schemas.xmlsoap.org/wsdl/mime/" xmlns:tns="http://www.webserviceX.NET/"
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:s="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/" xmlns:http="http://schemas.xmlsoap.org/wsdl/http/" targetNamespace="http://www.webserviceX.NET/"
bperry@w00den-pickle:~/tools/msf_dev$ ./msfconsole
+-------------------------------------------------------+
| METASPLOIT by Rapid7 |
+---------------------------+---------------------------+
| __________________ | |
| ==c(______(o(______(_() | |""""""""""""|======[*** |
| )=\ | | EXPLOIT \ |
| // \\ | |_____________\_______ |
| // \\ | |==[msf >]============\ |
| // \\ | |______________________\ |
InvGate Service Desk v4.2.36 multiple vulnerabilities
http://www.invgate.com/en/service-desk/
http://www.invgate.com/en/service-desk/on-premise-trial/
InvGate Service Desk suffers from many SQL injections that are exploitable by an authenticated but
non-privileged (end-user role) user. Most are also stacked injections, so an attacker can also
modify any of the data in the database. The payloads used to determine exploitability are in the
sqlmap payload output, but each was verified to be able to enumerate the current database,
current user, and an assortment of other things. These were tested with an ‘end-user’ user.
Dell Scrutinizer 11.01 several vulnerabilities
http://www.mysonicwall.com has a trial available.
Dell SonicWall Scrutinizer suffers from several SQL injections, many of which can lead to
remote code execution. An attacker needs to be authenticated, but not as an administrator.
That restriction would not stop anyone, however, since there is also a privilege escalation
vulnerability: any authenticated user can change any other user’s password, including the admin’s.
One SQL injection, for which a Metasploit module was provided, requires this privilege escalation
to reach, since it exists in the new-user mechanism that is only available to admins.