Bolt CMS 3.6.6 - Cross-Site Request Forgery / Remote Code Execution

history.pushState'', '', '/' function exploit var target = "http://127.0.0.1" var boltadminurl = target + "/bolt"; var xhr = new XMLHttpRequest; xhr.open"POST", boltadminurl + "/upload", true; xhr.setRequestHeader"Accept", "application/json, text/javascript, /; q=0.01";...

QNAP Netatalk < 3.1.12 - Authentication Bypass

Exploit Title: QNAP Netatalk Authentication Bypass Date: 12/20/2018 Original Exploit Author: Jacob Baines Modifications for QNAP devices: Mati Aharoni Vendor Homepage: http://netatalk.sourceforge.net/ Software Link: https://sourceforge.net/projects/netatalk/files/ Version: Before 3.1.12 CVE :...

ShoreTel Connect ONSITE < 19.49.1500.0 - Multiple Vulnerabilities

Exploit Title: Shoretel Connect Multiple Vulnerability Google Dork: inurl:/signin.php?ret= Date: 14/06/2017 Author: Ramikan Vendor Homepage: https://www.shoretel.com/ Software Link: https://www.shoretel.com/resource-center/shoretel-connect-onsite-overview Version: Tested on 18.62.2000.0,...

FlexHEX 2.71 - SEH Buffer Overflow (Unicode)

!/usr/bin/python -w Exploit Author: Chris Au Exploit Title: FlexHEX 2.71 - Local Buffer Overflow SEH Unicode Date: 06-04-2019 Vulnerable Software: FlexHEX 2.71 Vendor Homepage: http://www.flexhex.com Version: 2.71 Software Link: http://www.flexhex.com/download/flexhexsetup.exe Tested Windows...

WordPress Plugin Limit Login Attempts Reloaded 2.7.4 - Login Limit Bypass

!/usr/bin/env node const request = require"request" / Exploit Title: Limit Login Attempts Reloaded by WPChef rate limiter bypass Date: 2019-04-08 Exploit Author: isdampe Software Link: https://wordpress.org/plugins/limit-login-attempts-reloaded Version: 2.7.4 Tested on: WordPress 5.1.1 Descriptio...

AIDA64 Extreme 5.99.4900 - 'Logging' SEH Buffer Overflow

!/usr/bin/python Exploit Title: AIDA64 Extreme 5.99.4900 - Logging SEH Buffer Overflow Date: 2019-04-02 Vendor Homepage: https://www.aida64.com Software Link: http://download.aida64.com/aida64extreme599.exe Mirror Link : https://www.nikktech.com/main/downloads/finalwire/aida64extreme599.exe Explo...

WordPress Plugin Contact Form Maker 1.13.1 - Cross-Site Request Forgery

Exploit Title: Contact Form by WD CSRF → LFI Date: 2019-03-17 Exploit Author: Panagiotis Vagenas Vendor Homepage: http://web-dorado.com/ Software Link: https://wordpress.org/plugins/contact-form-maker Version: 1.13.1 Tested on: WordPress 5.1.1 Description ----------- Plugin implements the followi...

WordPress Core 5.0.0 - Crop-image Shell Upload (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'WordPress Crop-image Shell Upload', 'Description' = %q This module exploits a path traversal and a local file inclusion vulnerability on WordPres...

Manage Engine ServiceDesk Plus 10.0 - Privilege Escalation

!/usr/bin/python Exploit Title: Manage Engine ServiceDesk Plus Version 10.0 Privilege Escalation Date: 30-03-2019 Exploit Author: Ata Hakçıl, Melih Kaan Yıldız Vendor: ManageEngine Vendor Homepage: www.manageengine.com Product: Service Desk Plus Version: 10.0 Tested On: Kali Linux CVE:...

Magic ISO Maker 5.5(build 281) - 'Serial Code' Denial of Service (PoC)

-- coding: utf-8 -- Exploit Title: Magic Iso Maker 5.5build 281 - "Serial Code" Denial of Service PoC Date: 03/04/2019 Author: Alejandra Sánchez Vendor Homepage: http://www.magiciso.com Software Link: http://www.magiciso.com/SetupMagicISO.exe Version: 5.5build 281 Tested on: Windows 10 Proof of...

AIDA64 Engineer 5.99.4900 - 'Load from file' Field Buffer Overflow (SEH)

!/usr/bin/python Exploit Title: AIDA64 Engineer 5.99.4900 - 'Load from file' Field Buffer Overflow SEH Date: 04-04-2019 Exploit Author: Anurag Srivastava and Vardan Bansal Website: www.theanuragsrivastava.in Vulnerable Software: AIDA64 Engineer Vendor Homepage: http://download.aida64.com/ Version...

FreeSMS 2.1.2 - SQL Injection (Authentication Bypass)

Exploit Title: FreeSMS 2.1.2 - Authentication Bypass Date: 2019-04-03 Exploit Author: Yilmaz Degirmenci Vendor Homepage: https://freesms.sourceforge.io/ Software Link: https://sourceforge.net/projects/freesms/ Version: v2.1.2 Category: Webapps Tested on: LAMPP for Linux Software Description :...

Google Chrome 72.0.3626.96 / 74.0.3702.0 - 'JSPromise::TriggerPromiseReactions' Type Confusion

JSPromise::TriggerPromiseReactionsIsolate isolate, Handle reactions, Handle argument, PromiseReaction::Type type DCHECKreactions-IsSmi || reactions-IsPromiseReaction; // We need to reverse the reactions here, since we record them // on the JSPromise in the reverse order. DisallowHeapAllocation...

WebKitGTK+ - 'ThreadedCompositor' Race Condition

@keyframes foo 0% opacity: 0; 100% opacity: 1; div animation-name: foo; animation-duration: 1s; animation-iteration-count: infinite; filter: saturate50%; frame = document.createElement"iframe"; setInterval = frame.remove; document.body.appendChildframe; doc = frame.contentDocument;...

WebKit JavaScriptCore - 'createRegExpMatchesArray' Type Confusion

/ Prerequisites ------------- In JavaScriptCore, JSObjects have an associated Structure: an object describing various aspects of the JSObject such as its type, its properties, and the type of elements being stored e.g. unboxed double or JSValues. Whenever a property is added to an object or some...

Google Chrome 72.0.3626.81 - 'V8TrustedTypePolicyOptions::ToImpl' Type Confusion

VULNERABILITY DETAILS The binding code generator doesn't add checks to ensure that the callback properties of a dictionary are indeed JS functions. For example, for the the TrustedTypePolicyOptions dictionary:...

iScripts ReserveLogic - SQL Injection

Exploit Title: iScripts ReserveLogic - SQL Injection Date: 29.03.2019 Exploit Author: Ahmet Ümit BAYRAM Vendor Homepage: https://www.iscripts.com/reservelogic/ Demo Site: https://www.demo.iscripts.com/reservelogic/demo/ Version: Lastest Tested on: Kali Linux CVE: N/A ----- PoC: SQLi ----- Request...

Clinic Pro v4 - 'month' SQL Injection

Title: Clinic Pro - Clinic Management Software Date: 03.04.2019 Exploit Author: Abdullah Çelebi Vendor Homepage: https://softwebinternational.com Software Link: https://cms.softwebinternational.com Category: Webapps Tested on: WAMPP @Win Software description: It is developed by PHP Codeigniter...

Cisco RV320 and RV325 - Unauthenticated Remote Code Execution (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "Cisco RV320 and RV325 Unauthenticated Remote Code Execution", 'Description' = %q This exploit module combines an information disclosure...

SpiderMonkey - IonMonkey Compiled Code Fails to Update Inferred Property Types (Type Confusion)

A bug in IonMonkey leaves type inference information inconsistent, which in turn allows the compilation of JITed functions that cause type confusions between arbitrary objects. Prerequisites In Spidermonkey, every JavaScript objects is an instance of the JSObject class 1. Plain JavaScript objects...

iOS < 12.2 / macOS < 10.14.4 XNU - pidversion Increment During execve is Unsafe

Privileged IPC services in userspace often have to verify the security context of their client processes such as whether the client is sandboxed, has a specific entitlement, or is signed by some code signing authority. This, in turn, requires a way to identify a client process. If PIDs are used f...

PhreeBooks ERP 5.2.3 - Arbitrary File Upload

PhreeBooks ERP v5.2.3 - Arbitrary File Upload Date: 03.04.2019 Exploit Author: Abdullah Çelebi Vendor Homepage: https://www.phreesoft.com/ Software Link: https://sourceforge.net/projects/phreebooks/files/latest/download Category: Webapps Version: 5.2.3 Tested on: WAMPP @Win Software description:...

PhreeBooks ERP 5.2.3 - Remote Command Execution (1)

Exploit Title: PhreeBooks ERP 5.2.3 - Remote Command Execution Date: 2010-04-03 Exploit Author: Metin Yunus Kandemir kandemir Vendor Homepage: https://www.phreesoft.com/ Software Link: https://sourceforge.net/projects/phreebooks/ Version: v5.2.3 Category: Webapps Tested on: XAMPP for Linux 5.6.38...

WebKit JavaScriptCore - Out-Of-Bounds Access in FTL JIT due to LICM Moving Array Access Before the Bounds Check

/ While fuzzing JavaScriptCore, I encountered the following JavaScript program which crashes jsc in current HEAD and release /System/Library/Frameworks/JavaScriptCore.framework/Resources/jsc on macOS: / // Run with --thresholdForFTLOptimizeAfterWarmUp=1000 // First array probably required to avoi...

TeemIp IPAM < 2.4.0 - 'new_config' Command Injection (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "TeemIp IPAM %q This module exploits a command injection vulnerability in TeemIp versions prior to 2.4.0. The "newconfig" parameter of "exec.php"...

Ashop Shopping Cart Software - SQL Injection

Exploit Title: Ashop Shopping Cart Software - SQL Injection Date: 03.03.2019 Exploit Author: Ahmet Ümit BAYRAM Vendor Homepage: http://www.ashopsoftware.com Software Link: https://sourceforge.net/projects/ashop/ Demo Site: http://demo.ashopsoftware.com/ Version: Lastest Tested on: Kali Linux CVE:...

Google Chrome 73.0.3683.39 / Chromium 74.0.3712.0 - 'ReadableStream' Internal Object Leak Type Confusion

binding // These values are only used when serialization is enabled. if !RuntimeEnabledFeatures::TransferableStreamsEnabled return; v8::Local global = scriptstate-GetContext-Global; v8::Local context = scriptstate-GetContext; v8::Isolate isolate = scriptstate-GetIsolate; const auto ObjectGet =...

WebKit JavaScriptCore - CodeBlock Dangling Watchpoints Use-After-Free

/ While fuzzing JavaScriptCore, I encountered the following simplified and commented JavaScript program which crashes jsc from current HEAD and release: / function v9 // Some watchpoint on the LexicalEnvironment is triggered here // during the 2nd invocation which jettisons the CodeBlock for v9. ...

AIDA64 Business 5.99.4900 - SEH Buffer Overflow (EggHunter)

!/usr/bin/python Exploit Title: AIDA64 Business 5.99.4900 - SEH Buffer Overflow EggHunter Date: 2019-04-01 Vendor Homepage: https://www.aida64.com Software Link: https://www.aida64.com/downloads Mirror Link : https://www.softpedia.com/get/System/System-Info/AIDA64-Business-Edition.shtml Exploit...

CMS Made Simple < 2.2.10 - SQL Injection

!/usr/bin/env python Exploit Title: Unauthenticated SQL Injection on CMS Made Simple = 2.2.9 Date: 30-03-2019 Exploit Author: Daniele Scanu @ Certimeter Group Vendor Homepage: https://www.cmsmadesimple.org/ Software Link: https://www.cmsmadesimple.org/downloads/cmsms/ Version: = 2.2.9 Tested on:...

LimeSurvey < 3.16 - Remote Code Execution

!/usr/bin/python Description: LimeSurvey shell.php" -p phar -o /tmp/exploit.jpg PHAR = "\x3c\x3f\x70\x68\x70\x20\x5f\x5f\x48\x41\x4c\x54\x5f\x43\x4f\x4d\x50\x49\x4c\x45\x52\x28\x29\x3b\x20\x3f\x3e\x0d\x0a\x38"...

Fiverr Clone Script 1.2.2 - SQL Injection / Cross-Site Scripting

Exploit Title: Fiverr Clone Script 1.2.2 - SQL Injection / Cross Site Scripting Exploit Author: Mr Winst0n Author E-mail: [email protected] Discovery Date: Apr 1, 2019 Vendor Homepage: https://www.phpscriptsmall.com Software Link : https://www.phpscriptsmall.com/product/fiverr-clone-scrip...

Inout EasyRooms - SQL Injection

Exploit Title: Inout EasyRooms Ultimate Edition - SQL Injection Date: 29.03.2019 Exploit Author: Ahmet Ümit BAYRAM Vendor Homepage: https://www.inoutscripts.com/products/inout-easyrooms/ Demo Site: http://inout-easyrooms.demo.inoutscripts.net/ Version: v1.0 Tested on: Kali Linux CVE: N/A ----- Po...

phpFileManager 1.7.8 - Local File Inclusion

Exploit Title: phpFileManager 1.7.8 - Local File Inclusion Date: 01.04.2019 Exploit Author: Murat Kalafatoglu Vendor Homepage: https://sourceforge.net/projects/phpfm/ Software Demo: https://phpfm-demo.000webhostapp.com/ Version: v1.7.8 Category: Webapps Tested on: XAMPP for Linux Description: Any...

JioFi 4G M2S 1.0.2 - Cross-Site Request Forgery

Exploit Title: JioFi 4G M2S 1.0.2 devices have CSRF via the SSID name and Security Key field under Edit Wi-Fi Settings aka a SetWiFiSetting request to cgi-bin/qcmapwebcgi Exploit Author: Vikas Chaudhary Date: 21-01-2019 Vendor Homepage: https://www.jio.com/ Hardware Link:...

AIDA64 Extreme / Engineer / Network Audit 5.99.4900 - SEH Buffer Overflow (EggHunter)

!/usr/bin/python Exploit Title: AIDA64 Extreme 5.99.4900 - SEH Buffer Overflow EggHunter Date: 2019-04-01 Vendor Homepage: https://www.aida64.com Software Link: http://download.aida64.com/aida64extreme599.exe Mirror Link : https://www.nikktech.com/main/downloads/finalwire/aida64extreme599.exe...

WordPress Plugin PayPal Checkout Payment Gateway 1.6.8 - Parameter Tampering

Exploit Title: cgi-bin/webscr?cmd=cart in the WooCommerce PayPal Checkout Payment Gateway plugin 1.6.8 for WordPress allows Parameter Tampering in an amount parameter such as amount1, as demonstrated by purchasing an item for lower than the intended price Date: 27.01.2019 Product Title :Woocommer...

Inout RealEstate - 'city' SQL Injection

Exploit Title: Inout RealEstate - SQL Injection Date: 29.03.2019 Exploit Author: Ahmet Ümit BAYRAM Vendor Homepage: https://www.inoutscripts.com/products/inout-realestate/ Demo Site: http://inout-realestate.demo.inoutscripts.net/ Version: Lastest Tested on: Kali Linux CVE: N/A ----- PoC: SQLi ---...

CentOS Web Panel 0.9.8.789 - NameServer Field Persistent Cross-Site Scripting

Exploit Title: CentOS Web Panel 0.9.8.789 - NameServer Field Stored Cross-Site Scripting Vulnerability Google Dork: N/A Date: 28 - March - 2019 Exploit Author: DKM Vendor Homepage: http://centos-webpanel.com Software Link: http://centos-webpanel.com Version: 0.9.8.789 Tested on: CentOS 7 CVE :...

Fat Free CRM 0.19.0 - HTML Injection

Exploit Title: Fat Free CRM v0.19.0 - HTML Injection Date: 2019-03-20 Exploit Author: Ismail Tasdelen Vendor Homepage: http://www.fatfreecrm.com/ Source Code : https://github.com/fatfreecrm Software : Fat Free CRM Product Version: v0.19.0 Vulnerability Type : Code Injection Vulnerability : HTML...

Microsoft Visio 2016 16.0.4738.1000 - 'Log in accounts' Denial of Service

-⋆- coding: utf-8 -⋆- Created on Thu Feb 21 01:32:50 2019 @author: César """ Exploit Title: Microsoft Visio 2016 16.0.4738.1000 "Log in accounts" allows go on whit email formed by one thousand A in every of its parts [email protected] Descovered by: César Adrián Coronado Llanos Descovered...

Airbnb Clone Script - Multiple SQL Injection

Exploit Title: Homey BNB Airbnb Clone Script - Multiple SQL Injection Date: 27.03.2019 Exploit Author: Ahmet Ümit BAYRAM Vendor Homepage: https://www.doditsolutions.com/airbnb-clone-script/ Demo Site: http://sitedemos.in/homeybnb/ Version: V4 Tested on: Kali Linux CVE: N/A ----- PoC 1: SQLi -----...

BigTree 4.3.4 CMS - Multiple SQL Injection

=========================================================================================== Exploit Title: BigTree CMS - 'parent' SQL Inj. Dork: N/A Date: 24-03-2019 Exploit Author: Mehmet EMIROGLU Vendor Homepage: https://www.bigtreecms.org/ Software Link: https://www.bigtreecms.org/download/cor...

i-doit 1.12 - 'qr.php' Cross-Site Scripting

Exploit Title: i-doit 1.12 Cross Site Scripting on qr.php file Date: 28-03-2019 Software Link: https://www.i-doit.org/ Version: 1.12 Exploit Author: BlackFog Team Contact: [email protected] Website: https://securelayer7.net Category: webapps Tested on: Firefox in Kali Linux. CVE: CVE-2019-696...

Job Portal 3.1 - 'job_submit' SQL Injection

=========================================================================================== Exploit Title: NewJobPortal v3.1 - 'jobsubmit' SQL Inj. Dork: N/A Date: 25-03-2019 Exploit Author: Mehmet EMIROGLU Vendor Homepage: https://codecanyon.net/item/job-portal/15330095 Version: v3.1 Category:...

WordPress Plugin Anti-Malware Security and Brute-Force Firewall 4.18.63 - Local File Inclusion (PoC)

Exploit Title: Wordpress Anti-Malware Security and Bruteforce Firewall - Local File Inclusion Google Dork: N/A Date: 03 / 26 / 2019 Exploit Author: Ali S. Ahmad S4R1N Vendor Homepage: N/A Software Link: https://wordpress.org/plugins/gotmls/ Version: Version 4.18.63 Tested on: Debian GNU/Linux 9...

gnutls 3.6.6 - 'verify_crt()' Use-After-Free

Description of problem: This is a critical memory corruption vulnerability in any API backed by verifycrt, including gnutlsx509trustlistverifycrt and related routines. I suspect any client or server that verifies X.509 certificates with GnuTLS is likely affected and can be compromised by a...

Oracle Weblogic Server Deserialization RCE - Raw Object (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core/exploit/powershell' class MetasploitModule 'Oracle Weblogic Server Deserialization RCE - Raw Object', 'Description' = %q An unauthenticated attacker wi...

WordPress Plugin Loco Translate 2.2.1 - Local File Inclusion

Exploit Title: Wordpress Loco Translate Version 2.2.1 Plugin LFI Google Dork: N/A Date: 03 / 26 / 2019 Exploit Author: Ali S. Ahmad S4R1N Vendor Homepage: https://localise.biz/ Software Link: https://wordpress.org/plugins/loco-translate/ Version: Version 2.2.1 Tested on: Debian GNU/Linux 9 Docker...

Jettweb PHP Hazır Rent A Car Sitesi Scripti V2 - 'arac_kategori_id' SQL Injection

Exploit Title: Jettweb PHP Hazır Rent A Car Sitesi Scripti V2 - 'arackategoriid' SQL Injection Date: 28.03.2019 Exploit Author: Ahmet Ümit BAYRAM Vendor Homepage: https://jettweb.net/u-4-php-hazir-rent-a-car-sitesi-scripti-v2.html Demo Site: http://rentv2.proemlaksitesi.net/ Version: V2 Tested on...