Last updated at Wed, 17 Jan 2024 21:57:58 GMT

This privilege escalation escalated quickly

This release features an exploit module for CVE-2023-22515, a vulnerability in Atlassian's on-premises Confluence Server that was first listed as a privilege escalation but quickly recategorized as "broken access control" with a CVSS score of 10. The exploit itself is very simple and easy to use, so there was little surprise when CISA published an advisory stating that threat actors were using it in the wild. It is imperative that anyone running the affected versions mitigate risk and patch as quickly as possible.

Improved session search

This release enhances the sessions command with additional search filters, for instance:

# Return all sessions that have a session id of 1 or 5
sessions -S 'session_id:1 session_id:5'

# Return all sessions that have a session_type equal to meterpreter
sessions -S 'session_type:meterpreter'

# Return all sessions whose last check-in was more than 1 hour and 10 minutes ago and less than 2 hours ago
sessions -S 'last_checkin:greater_than:1h10m last_checkin:less_than:2h'

These search options can be used in conjunction with other sessions options, for example the --verbose flag:

msf6 exploit(windows/smb/psexec) > sessions -S 'last_checkin:greater_than:2h30m' -v

Active sessions
===============

  Session ID: 8
        Name: 
        Type: meterpreter windows
        Info: NT AUTHORITY\SYSTEM @ WINDEV
      Tunnel: 192.168.123.1:4444 -> 192.168.123.132:50564 (192.168.123.132)
         Via: exploit/windows/smb/psexec
   Encrypted: Yes (AES-256-CBC)
        UUID: 4d78f75abbdbf0c8/x86=1/windows=1/2023-10-19T19:44:23Z
     CheckIn: 18003s ago @ 2023-10-19 15:45:30 +0100
  Registered: No

  Session ID: 9
        Name: 
        Type: meterpreter windows
        Info: NT AUTHORITY\SYSTEM @ WINDEV
      Tunnel: 192.168.123.1:4444 -> 192.168.123.132:50565 (192.168.123.132)
         Via: exploit/windows/smb/psexec
   Encrypted: Yes (AES-256-CBC)
        UUID: 48d32692e0633293/x86=1/windows=1/2023-10-19T19:44:23Z
     CheckIn: 10803s ago @ 2023-10-19 17:45:30 +0100
  Registered: No

Or, as an easy way to find and kill matching stale sessions, combine it with --kill-all:

msf6 exploit(windows/smb/psexec) > sessions -S 'last_checkin:greater_than:2h30m' -K
[*] Killing matching sessions...

Active sessions
===============

  Id  Name  Type                     Information                   Connection
  --  ----  ----                     -----------                   ----------
  4         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ WINDEV  192.168.123.1:4444 -> 192.168.123.132:50540 (192.168.123.132)
  5         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ WINDEV  192.168.123.1:4444 -> 192.168.123.132:50555 (192.168.123.132)

[*] 192.168.123.132 - Meterpreter session 4 closed.
[*] 192.168.123.132 - Meterpreter session 5 closed.
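As an added illustration (this is not Metasploit's own implementation), the Ruby sketch below parses the `-S` filter strings shown above and applies them to constructed session records. It assumes that repeated session_id/session_type clauses are OR-ed while repeated last_checkin clauses are AND-ed, which is what the example results above describe; the `Nh`/`Nm`/`Ns` duration grammar is also an assumption.

```ruby
# Added example, not Metasploit code. Duration grammar assumed: optional hours, minutes, seconds, in that order.
DURATION_RE = /\A(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?\z/

# "1h10m" -> 4200 seconds; rejects anything that does not fit the grammar
def parse_duration(str)
  m = DURATION_RE.match(str.to_s)
  raise ArgumentError, "bad duration: #{str.inspect}" if m.nil? || str.to_s.empty?
  (m[1].to_i * 3600) + (m[2].to_i * 60) + m[3].to_i
end

# "last_checkin:greater_than:1h10m session_id:5" ->
# { "last_checkin" => [["greater_than", "1h10m"]], "session_id" => [["5"]] }
def parse_filters(search)
  search.split.each_with_object(Hash.new { |h, k| h[k] = [] }) do |term, acc|
    key, *args = term.split(":")
    acc[key] << args
  end
end

# Sessions are plain hashes: { id:, type:, last_checkin: <seconds since last check-in> }
def clause_matches?(session, key, args)
  case key
  when "session_id"   then session[:id] == args[0].to_i
  when "session_type" then session[:type] == args[0]
  when "last_checkin"
    op, dur = args
    secs = parse_duration(dur)
    case op
    when "greater_than" then session[:last_checkin] > secs
    when "less_than"    then session[:last_checkin] < secs
    else raise ArgumentError, "unknown last_checkin operator: #{op}"
    end
  else raise ArgumentError, "unknown filter key: #{key}"
  end
end

# Assumed semantics: membership keys OR their clauses, range keys AND them; keys are AND-ed together.
OR_KEYS = %w[session_id session_type].freeze

def filter_sessions(sessions, search)
  filters = parse_filters(search)
  sessions.select do |s|
    filters.all? do |key, clauses|
      matches = clauses.map { |args| clause_matches?(s, key, args) }
      OR_KEYS.include?(key) ? matches.any? : matches.all?
    end
  end
end

SAMPLE_SESSIONS = [ # constructed sample records; check-in ages in seconds
  { id: 4, type: "meterpreter", last_checkin: 60 }, { id: 5, type: "meterpreter", last_checkin: 5000 },
  { id: 8, type: "meterpreter", last_checkin: 18003 }, { id: 9, type: "shell", last_checkin: 10803 }
].freeze
```

Running `filter_sessions(SAMPLE_SESSIONS, "last_checkin:greater_than:2h30m")` against the constructed records returns sessions 8 and 9, mirroring the listing above.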

New module content (2)

Apache Superset Signed Cookie RCE

Authors: Naveen Sunkavally, Spencer McIntyre, h00die, and paradoxis
Type: Exploit
Pull request: #18351 contributed by h00die
Path: linux/http/apache_superset_cookie_sig_rce

Description: This adds an exploit for CVE-2023-37941 which is an authenticated RCE in Apache Superset.

Atlassian Confluence Unauthenticated Remote Code Execution

Authors: sfewer-r7
Type: Exploit
Pull request: #18461 contributed by sfewer-r7
Path: multi/http/atlassian_confluence_rce_cve_2023_22515

Description: This adds an exploit module that leverages an improper input validation issue in Atlassian Confluence versions 8.0.0 to 8.3.2, 8.4.0 to 8.4.2, and 8.5.0 to 8.5.1. This vulnerability is identified as CVE-2023-22515 and allows unauthenticated remote code execution. The module first creates a new administrator by abusing the embedded XWorks2 middleware, then uploads a malicious plugin to get code execution. Note that the module is currently not able to delete the new administrator account it created; this requires manual cleanup.

Enhancements and features (7)

  • #17689 from manishkumarr1017 - Updates the creds command to additionally show any cracked passwords that have been created by the auxiliary/analyze/crack_databases module or similar.
  • #18364 from zgoldman-r7 - Adds support for filtering sessions based on last check-in time, session type and id.
  • #18381 from sjanusz-r7 - Adds a new option, -r and --reload-libs, to the check, recheck, to_handler, reload, run and rerun commands. This new option reloads all library files before performing the original command.
  • #18428 from AleksaZatezalo - This PR adds documentation for the mssql_login module.
  • #18438 from adfoster-r7 - Makes improvements to the UX for database management prompts. Now when running msfdb init the user is no longer prompted for database deletion. The message for clearing unused data service credentials has been reworded.
  • #18450 from adfoster-r7 - Adds support for Ruby 3.3.0-preview2.
  • #18451 from adfoster-r7 - Updates the newly added cracked password column of the creds command to work when using a remote database.

Bugs fixed (3)

  • #18442 from adfoster-r7 - Improves stability of msfdb initialization on Windows environments. Previously the msfdb init script would hang indefinitely on Windows, and there were false negatives when detecting whether the database was running.
  • #18443 from adfoster-r7 - Adds a fix for the handler/reverse_ssh module, which was returning warnings when msfconsole was booted on a Windows machine.
  • #18449 from adfoster-r7 - Fixes the scanner/mysql/mysql_authbypass_hashdump module so that it now correctly closes its sockets.

Documentation added (1)

  • #18452 from jheysel-r7 - Updates the Metasploit Wiki to include information on how to run quality tools on module documentation.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only nightly installers or the
binary installers (which also include the commercial edition).