47904 matches found
Zimbra Collaboration - Autodiscover Servlet XXE and ProxyServlet SSRF (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Zimbra Collaboration Autodiscover Servlet XXE and ProxyServlet SSRF', 'Description' = %q This module exploits an XML external entity vulnerabilit...
ATutor < 2.2.4 - 'file_manager' Remote Code Execution (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "ATutor %q This module allows the user to run commands on the server with teacher user privilege. The 'Upload files' section in the 'File Manager'...
Microsoft Internet Explorer 11 - XML External Entity Injection
Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-INTERNET-EXPLORER-v11-XML-EXTERNAL-ENTITY-INJECTION-0DAY.txt + ISR: ApparitionSec Vendor www.microsoft.com Product Microsoft Internet Explorer v11 latest version...
FTPShell Server 6.83 - 'Account name to ban' Local Buffer
!/usr/bin/python Exploit Title: FTP Shell Server 6.83 'Account name to ban' Buffer Overflow Date: 09-04-2019 Exploit Author: Dino Covotsos - Telspace Systems Vendor Homepage: http://www.ftpshell.com/index.htm Version: 6.83 Software Link : http://www.ftpshell.com/downloadserver.htm Contact:...
D-Link DI-524 V2.06RU - Multiple Cross-Site Scripting
Exploit Title: Multiple Stored and Reflected XSS vulnerabilities in D-Link DI-524 Date: April 6, 2019 Exploit Author: Semen Alexandrovich Lyhin https://www.linkedin.com/in/semenlyhin/ Vendor Homepage: https://www.dlink.com Version: D-Link DI-524 - V2.06RU CVE : CVE-2019-11017 To re-create Reflect...
Dell KACE Systems Management Appliance (K1000) 6.4.120756 - Unauthenticated Remote Code Execution
!/usr/bin/python Exploit Title: Dell KACE Systems Management Appliance K1000 = 6.4.120756 Unauthenticated RCE Version: = 6.4.120756 Date: 2019-04-09 Author: Julien Ahrens @MrTuxracer Software Link: https://www.quest.com/products/kace-systems-management-appliance/ Write-up:...
FTPShell Server 6.83 - 'Virtual Path Mapping' Local Buffer
!/usr/bin/python Exploit Title: FTP Shell Server 6.83 'Virtual Path Mapping' Buffer Overflow Date: 09-04-2019 Exploit Author: Dino Covotsos - Telspace Systems Vendor Homepage: http://www.ftpshell.com/index.htm Version: 6.83 Software Link : http://www.ftpshell.com/downloadserver.htm Contact:...
Microsoft Windows - AppX Deployment Service Privilege Escalation
This vulnerability allows low privileged users to hijack file that are owned by NT AUTHORITY\SYSTEM by overwriting permissions on the targeted file. Successful exploitation results in "Full Control" permissions for the low privileged user. 1. The exploit first checks if the targeted file exists, ...
Apache Axis 1.4 - Remote Code Execution
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Apache Axis 1.4 Remote Code Execution CVE-2019-0227 https://rhinosecuritylabs.com/Application-Security/CVE-2019-0227-Expired-Domain-to-RCE-in-Apache-Axis Author: David Yesland @daveysec, Rhino...
TP-LINK TL-WR940N / TL-WR941ND - Buffer Overflow
Author Grzegorz Wypych - h0rac TP-LINK TL-WR940N/TL-WR941ND buffer overflow remote shell exploit import requests import md5 import base64 import string import struct import socket password = md5.new'admin'.hexdigest cookie = base64.b64encode'admin:'+password print '+ Authorization cookie: ', cook...
Ashop Shopping Cart Software - 'bannedcustomers.php?blacklistitemid' SQL Injection
Exploit Title: Ashop Shopping Cart Software - SQL Injection Date: 08.04.2019 Exploit Author: Doğukan Karaciğer Vendor Homepage: http://www.ashopsoftware.com Software Link: https://sourceforge.net/projects/ashop/ Demo Site: http://demo.ashopsoftware.com/ Version: Lastest Tested on: Ubuntu-trusty-6...
Bolt CMS 3.6.6 - Cross-Site Request Forgery / Remote Code Execution
history.pushState'', '', '/' function exploit var target = "http://127.0.0.1" var boltadminurl = target + "/bolt"; var xhr = new XMLHttpRequest; xhr.open"POST", boltadminurl + "/upload", true; xhr.setRequestHeader"Accept", "application/json, text/javascript, /; q=0.01";...
WordPress Plugin Limit Login Attempts Reloaded 2.7.4 - Login Limit Bypass
!/usr/bin/env node const request = require"request" / Exploit Title: Limit Login Attempts Reloaded by WPChef rate limiter bypass Date: 2019-04-08 Exploit Author: isdampe Software Link: https://wordpress.org/plugins/limit-login-attempts-reloaded Version: 2.7.4 Tested on: WordPress 5.1.1 Descriptio...
River Past Cam Do 3.7.6 - 'Activation Code' Local Buffer Overflow
!/usr/bin/python -w Exploit Author: Chris Au Exploit Title: River Past Cam Do 3.7.6 Local Buffer Overflow in Activation Code Date: 07-04-2019 Vulnerable Software: River Past Cam Do 3.7.6 Vendor Homepage: http://www.flexhex.com Version: 3.7.6 Software Link:...
CentOS Web Panel 0.9.8.793 (Free) / 0.9.8.753 (Pro) - Cross-Site Scripting
Exploit Title: CentOS Web Panel v0.9.8.793 Free and v0.9.8.753 Pro - Email Field Stored Cross-Site Scripting Vulnerability Google Dork: N/A Date: 06 - April - 2019 Exploit Author: DKM Vendor Homepage: http://centos-webpanel.com Software Link: http://centos-webpanel.com Version: v0.9.8.793 Free an...
ManageEngine ServiceDesk Plus 9.3 - User Enumeration
Exploit Title: ManageEngine ServiceDesk Plus - 9.3 User enumeration vulnerability Date: 2019-03-29 Exploit Author: Operat0r Vendor Homepage: https://www.manageengine.com/ Software Link: https://www.manageengine.com/products/service-desk/download.html Version: 9.3 Tested on: Ubuntu Linux CVE :...
Apache 2.4.17 < 2.4.38 - 'apache2ctl graceful' 'logrotate' Local Privilege Escalation
?php CARPE DIEM: CVE-2019-0211 Apache Root Privilege Escalation Charles Fol @cfreal 2019-04-08 INFOS https://cfreal.github.io/carpe-diem-cve-2019-0211-apache-local-root.html USAGE 1. Upload exploit to Apache HTTP server 2. Send request to page 3. Await 6:25AM for logrotate to restart Apache 4...
ShoreTel Connect ONSITE < 19.49.1500.0 - Multiple Vulnerabilities
Exploit Title: Shoretel Connect Multiple Vulnerability Google Dork: inurl:/signin.php?ret= Date: 14/06/2017 Author: Ramikan Vendor Homepage: https://www.shoretel.com/ Software Link: https://www.shoretel.com/resource-center/shoretel-connect-onsite-overview Version: Tested on 18.62.2000.0,...
Jobgator - 'experience' SQL Injection
Exploit Title: NCrypted Jobgator - SQL Injection Date: 05.03.2019 Exploit Author: Ahmet Ümit BAYRAM Vendor Homepage: https://www.ncrypted.net/jobgator/ Demo Site: https://demo.ncryptedprojects.com/jobgator/ Version: Lastest Tested on: Kali Linux CVE: N/A ----- PoC 1: SQLi ----- Request:...
FlexHEX 2.71 - SEH Buffer Overflow (Unicode)
!/usr/bin/python -w Exploit Author: Chris Au Exploit Title: FlexHEX 2.71 - Local Buffer Overflow SEH Unicode Date: 06-04-2019 Vulnerable Software: FlexHEX 2.71 Vendor Homepage: http://www.flexhex.com Version: 2.71 Software Link: http://www.flexhex.com/download/flexhexsetup.exe Tested Windows...
AllPlayer 7.4 - SEH Buffer Overflow (Unicode)
!/usr/bin/python -w Exploit Author: Chris Au Exploit Title: AllPlayer V7.4 - Local Buffer Overflow SEH Unicode Date: 07-04-2019 Vulnerable Software: AllPlayer V7.4 Vendor Homepage: https://www.allplayer.org/ Version: 7.4 Software Link: http://allplayer.org/Download/ALLPlayerEN.exe Tested Windows...
SaLICru -SLC-20-cube3(5) - HTML Injection
Exploit Title: Reflected HTML Injection Google Dork: None Date: 16/12/2015 Exploit Author: Ramikan Vendor Homepage:https://www.salicru.com/en/ Software Link: N/A Version: Tested on SaLICru -SLC-20-cube35. Firmware: cs121-SNMP v4.54.82.130611 CVE : CVE-2019-10887 Category:Web Apps Vulnerability:...
Download Accelerator Plus (DAP) 10.0.6.0 - SEH Buffer Overflow
!/usr/bin/python Exploit Title: Download Accelerator Plus DAP 10.0.6.0 - SEH Buffer Overflow Date: 2019-04-05 Vendor Homepage: http://www.speedbit.com/dap/ Software Link: http://www.speedbit.com/dap/download/downloading.asp Exploit Author: Peyman Forouzan Tested Version: 10.0.6.0 Tested on: Win10...
QNAP Netatalk < 3.1.12 - Authentication Bypass
Exploit Title: QNAP Netatalk Authentication Bypass Date: 12/20/2018 Original Exploit Author: Jacob Baines Modifications for QNAP devices: Mati Aharoni Vendor Homepage: http://netatalk.sourceforge.net/ Software Link: https://sourceforge.net/projects/netatalk/files/ Version: Before 3.1.12 CVE :...
Tradebox CryptoCurrency - 'symbol' SQL Injection
Title: Tradebox - CryptoCurrency Buy Sell and Trading Date: 04.04.2019 Exploit Author: Abdullah Çelebi Vendor Homepage: https://www.bdtask.com Software Link: tradebox.bdtask.com/demo-v5.3/ Version: 5.4 Category: Webapps Tested on: WAMPP @Win Software description: Tradebox – CryptoCurrency Buy Sel...
Manage Engine ServiceDesk Plus 10.0 - Privilege Escalation
!/usr/bin/python Exploit Title: Manage Engine ServiceDesk Plus Version 10.0 Privilege Escalation Date: 30-03-2019 Exploit Author: Ata Hakçıl, Melih Kaan Yıldız Vendor: ManageEngine Vendor Homepage: www.manageengine.com Product: Service Desk Plus Version: 10.0 Tested On: Kali Linux CVE:...
WordPress Core 5.0.0 - Crop-image Shell Upload (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'WordPress Crop-image Shell Upload', 'Description' = %q This module exploits a path traversal and a local file inclusion vulnerability on WordPres...
WordPress Plugin Contact Form Maker 1.13.1 - Cross-Site Request Forgery
Exploit Title: Contact Form by WD CSRF → LFI Date: 2019-03-17 Exploit Author: Panagiotis Vagenas Vendor Homepage: http://web-dorado.com/ Software Link: https://wordpress.org/plugins/contact-form-maker Version: 1.13.1 Tested on: WordPress 5.1.1 Description ----------- Plugin implements the followi...
AIDA64 Extreme 5.99.4900 - 'Logging' SEH Buffer Overflow
!/usr/bin/python Exploit Title: AIDA64 Extreme 5.99.4900 - Logging SEH Buffer Overflow Date: 2019-04-02 Vendor Homepage: https://www.aida64.com Software Link: http://download.aida64.com/aida64extreme599.exe Mirror Link : https://www.nikktech.com/main/downloads/finalwire/aida64extreme599.exe Explo...
Magic ISO Maker 5.5(build 281) - 'Serial Code' Denial of Service (PoC)
-- coding: utf-8 -- Exploit Title: Magic Iso Maker 5.5build 281 - "Serial Code" Denial of Service PoC Date: 03/04/2019 Author: Alejandra Sánchez Vendor Homepage: http://www.magiciso.com Software Link: http://www.magiciso.com/SetupMagicISO.exe Version: 5.5build 281 Tested on: Windows 10 Proof of...
FreeSMS 2.1.2 - SQL Injection (Authentication Bypass)
Exploit Title: FreeSMS 2.1.2 - Authentication Bypass Date: 2019-04-03 Exploit Author: Yilmaz Degirmenci Vendor Homepage: https://freesms.sourceforge.io/ Software Link: https://sourceforge.net/projects/freesms/ Version: v2.1.2 Category: Webapps Tested on: LAMPP for Linux Software Description :...
AIDA64 Engineer 5.99.4900 - 'Load from file' Field Buffer Overflow (SEH)
!/usr/bin/python Exploit Title: AIDA64 Engineer 5.99.4900 - 'Load from file' Field Buffer Overflow SEH Date: 04-04-2019 Exploit Author: Anurag Srivastava and Vardan Bansal Website: www.theanuragsrivastava.in Vulnerable Software: AIDA64 Engineer Vendor Homepage: http://download.aida64.com/ Version...
WebKit JavaScriptCore - CodeBlock Dangling Watchpoints Use-After-Free
/ While fuzzing JavaScriptCore, I encountered the following simplified and commented JavaScript program which crashes jsc from current HEAD and release: / function v9 // Some watchpoint on the LexicalEnvironment is triggered here // during the 2nd invocation which jettisons the CodeBlock for v9. ...
Clinic Pro v4 - 'month' SQL Injection
Title: Clinic Pro - Clinic Management Software Date: 03.04.2019 Exploit Author: Abdullah Çelebi Vendor Homepage: https://softwebinternational.com Software Link: https://cms.softwebinternational.com Category: Webapps Tested on: WAMPP @Win Software description: It is developed by PHP Codeigniter...
SpiderMonkey - IonMonkey Compiled Code Fails to Update Inferred Property Types (Type Confusion)
A bug in IonMonkey leaves type inference information inconsistent, which in turn allows the compilation of JITed functions that cause type confusions between arbitrary objects. Prerequisites In Spidermonkey, every JavaScript objects is an instance of the JSObject class 1. Plain JavaScript objects...
AIDA64 Business 5.99.4900 - SEH Buffer Overflow (EggHunter)
!/usr/bin/python Exploit Title: AIDA64 Business 5.99.4900 - SEH Buffer Overflow EggHunter Date: 2019-04-01 Vendor Homepage: https://www.aida64.com Software Link: https://www.aida64.com/downloads Mirror Link : https://www.softpedia.com/get/System/System-Info/AIDA64-Business-Edition.shtml Exploit...
WebKit JavaScriptCore - Out-Of-Bounds Access in FTL JIT due to LICM Moving Array Access Before the Bounds Check
/ While fuzzing JavaScriptCore, I encountered the following JavaScript program which crashes jsc in current HEAD and release /System/Library/Frameworks/JavaScriptCore.framework/Resources/jsc on macOS: / // Run with --thresholdForFTLOptimizeAfterWarmUp=1000 // First array probably required to avoi...
TeemIp IPAM < 2.4.0 - 'new_config' Command Injection (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "TeemIp IPAM %q This module exploits a command injection vulnerability in TeemIp versions prior to 2.4.0. The "newconfig" parameter of "exec.php"...
WebKit JavaScriptCore - 'createRegExpMatchesArray' Type Confusion
/ Prerequisites ------------- In JavaScriptCore, JSObjects have an associated Structure: an object describing various aspects of the JSObject such as its type, its properties, and the type of elements being stored e.g. unboxed double or JSValues. Whenever a property is added to an object or some...
iOS < 12.2 / macOS < 10.14.4 XNU - pidversion Increment During execve is Unsafe
Privileged IPC services in userspace often have to verify the security context of their client processes such as whether the client is sandboxed, has a specific entitlement, or is signed by some code signing authority. This, in turn, requires a way to identify a client process. If PIDs are used f...
Google Chrome 72.0.3626.96 / 74.0.3702.0 - 'JSPromise::TriggerPromiseReactions' Type Confusion
JSPromise::TriggerPromiseReactionsIsolate isolate, Handle reactions, Handle argument, PromiseReaction::Type type DCHECKreactions-IsSmi || reactions-IsPromiseReaction; // We need to reverse the reactions here, since we record them // on the JSPromise in the reverse order. DisallowHeapAllocation...
iScripts ReserveLogic - SQL Injection
Exploit Title: iScripts ReserveLogic - SQL Injection Date: 29.03.2019 Exploit Author: Ahmet Ümit BAYRAM Vendor Homepage: https://www.iscripts.com/reservelogic/ Demo Site: https://www.demo.iscripts.com/reservelogic/demo/ Version: Lastest Tested on: Kali Linux CVE: N/A ----- PoC: SQLi ----- Request...
Ashop Shopping Cart Software - SQL Injection
Exploit Title: Ashop Shopping Cart Software - SQL Injection Date: 03.03.2019 Exploit Author: Ahmet Ümit BAYRAM Vendor Homepage: http://www.ashopsoftware.com Software Link: https://sourceforge.net/projects/ashop/ Demo Site: http://demo.ashopsoftware.com/ Version: Lastest Tested on: Kali Linux CVE:...
PhreeBooks ERP 5.2.3 - Arbitrary File Upload
PhreeBooks ERP v5.2.3 - Arbitrary File Upload Date: 03.04.2019 Exploit Author: Abdullah Çelebi Vendor Homepage: https://www.phreesoft.com/ Software Link: https://sourceforge.net/projects/phreebooks/files/latest/download Category: Webapps Version: 5.2.3 Tested on: WAMPP @Win Software description:...
Cisco RV320 and RV325 - Unauthenticated Remote Code Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "Cisco RV320 and RV325 Unauthenticated Remote Code Execution", 'Description' = %q This exploit module combines an information disclosure...
Google Chrome 73.0.3683.39 / Chromium 74.0.3712.0 - 'ReadableStream' Internal Object Leak Type Confusion
binding // These values are only used when serialization is enabled. if !RuntimeEnabledFeatures::TransferableStreamsEnabled return; v8::Local global = scriptstate-GetContext-Global; v8::Local context = scriptstate-GetContext; v8::Isolate isolate = scriptstate-GetIsolate; const auto ObjectGet =...
WebKitGTK+ - 'ThreadedCompositor' Race Condition
@keyframes foo 0% opacity: 0; 100% opacity: 1; div animation-name: foo; animation-duration: 1s; animation-iteration-count: infinite; filter: saturate50%; frame = document.createElement"iframe"; setInterval = frame.remove; document.body.appendChildframe; doc = frame.contentDocument;...
PhreeBooks ERP 5.2.3 - Remote Command Execution (1)
Exploit Title: PhreeBooks ERP 5.2.3 - Remote Command Execution Date: 2010-04-03 Exploit Author: Metin Yunus Kandemir kandemir Vendor Homepage: https://www.phreesoft.com/ Software Link: https://sourceforge.net/projects/phreebooks/ Version: v5.2.3 Category: Webapps Tested on: XAMPP for Linux 5.6.38...
Google Chrome 72.0.3626.81 - 'V8TrustedTypePolicyOptions::ToImpl' Type Confusion
VULNERABILITY DETAILS The binding code generator doesn't add checks to ensure that the callback properties of a dictionary are indeed JS functions. For example, for the the TrustedTypePolicyOptions dictionary:...
Fiverr Clone Script 1.2.2 - SQL Injection / Cross-Site Scripting
Exploit Title: Fiverr Clone Script 1.2.2 - SQL Injection / Cross Site Scripting Exploit Author: Mr Winst0n Author E-mail: [email protected] Discovery Date: Apr 1, 2019 Vendor Homepage: https://www.phpscriptsmall.com Software Link : https://www.phpscriptsmall.com/product/fiverr-clone-scrip...