
47884 matches found

Exploit DB | added 2019/01/23 12:0 a.m. | 337 views

Microsoft Windows CONTACT - HTML Injection / Remote Code Execution

Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-CONTACT-FILE-HTML-INJECTION-MAILTO-LINK-ARBITRARY-CODE-EXECUTION.txt + ISR: ApparitionSec + Zero Day Initiative Program + ZDI-CAN-7591 Vendor...

AI score: 7 | Exploits: 0

Exploit DB | added 2019/01/23 12:0 a.m. | 220 views

Joomla! Component J-ClassifiedsManager 3.0.5 - SQL Injection

Exploit Title: Joomla! Component J-ClassifiedsManager 3.0.5 - SQL Injection Dork: N/A Date: 2019-01-23 Exploit Author: Ihsan Sencan Vendor Homepage: http://cmsjunkie.com/ Software Link: https://extensions.joomla.org/extensions/extension/ads-a-affiliates/classified-ads/j-classifiedsmanager/ Versio...

AI score: 7.4 | Exploits: 0

Exploit DB | added 2019/01/23 12:0 a.m. | 265 views

Joomla! Component vBizz 1.0.7 - Remote Code Execution

Exploit Title: Joomla! Component vBizz 1.0.7 - Remote Code Execution Dork: N/A Date: 2019-01-23 Exploit Author: Ihsan Sencan Vendor Homepage: http://wdmtech.com/ Software Link: https://extensions.joomla.org/extensions/extension/marketing/crm/vbizz/ Version: 1.0.7 Category: Webapps Tested on:...

AI score: 7 | Exploits: 0

Exploit DB | added 2019/01/23 12:0 a.m. | 232 views

Joomla! Component J-BusinessDirectory 4.9.7 - 'type' SQL Injection

Exploit Title: Joomla! Component J-BusinessDirectory 4.9.7 - SQL Injection Dork: N/A Date: 2019-01-23 Exploit Author: Ihsan Sencan Vendor Homepage: http://cmsjunkie.com/ Software Link: https://extensions.joomla.org/extensions/extension/directory-a-documentation/directory/j-businessdirectory/...

AI score: 7.4 | Exploits: 0

Exploit DB | added 2019/01/23 12:0 a.m. | 498 views

Nagios XI 5.5.6 - Remote Code Execution / Privilege Escalation

Exploit Title: Nagios XI 5.5.6 Remote Code Execution and Privilege Escalation Date: 2019-01-22 Exploit Author: Chris Lyne @lynerc Vendor Homepage: https://www.nagios.com/ Product: Nagios XI Software Link: https://assets.nagios.com/downloads/nagiosxi/5/xi-5.5.6.tar.gz Version: From 2012r1.0 to 5.5...

CVSS: 9.8 | AI score: 8.7 | EPSS: 0.91344 | Exploits: 10

Exploit DB | added 2019/01/23 12:0 a.m. | 222 views

Joomla! Component vAccount 2.0.2 - 'vid' SQL Injection

Exploit Title: Joomla! Component vAccount 2.0.2 - SQL Injection Dork: N/A Date: 2019-01-23 Exploit Author: Ihsan Sencan Vendor Homepage: http://wdmtech.com/ Software Link: https://extensions.joomla.org/extensions/extension/financial/cost-calculators/vaccount/ Version: 2.0.2 Category: Webapps Test...

AI score: 7 | Exploits: 0

Exploit DB | added 2019/01/23 12:0 a.m. | 259 views

Joomla! Component vRestaurant 1.9.4 - SQL Injection

Exploit Title: Joomla! Component vRestaurant 1.9.4 - SQL Injection Dork: N/A Date: 2019-01-23 Exploit Author: Ihsan Sencan Vendor Homepage: http://wdmtech.com/ Software Link: https://extensions.joomla.org/extensions/extension/vertical-markets/food-a-beverage/vrestaurant/ Version: 1.9.4 Category:...

AI score: 7.4 | Exploits: 0

Exploit DB | added 2019/01/23 12:0 a.m. | 274 views

Joomla! Component vBizz 1.0.7 - SQL Injection

Exploit Title: Joomla! Component vBizz 1.0.7 - SQL Injection Dork: N/A Date: 2019-01-23 Exploit Author: Ihsan Sencan Vendor Homepage: http://wdmtech.com/ Software Link: https://extensions.joomla.org/extensions/extension/marketing/crm/vbizz/ Version: 1.0.7 Category: Webapps Tested on:...

AI score: 7.4 | Exploits: 0

Exploit DB | added 2019/01/22 12:0 a.m. | 229 views

Joomla! Component Easy Shop 1.2.3 - Local File Inclusion

Exploit Title: Joomla! Component Easy Shop 1.2.3 - Local File Inclusion Dork: N/A Date: 2019-01-22 Exploit Author: Ihsan Sencan Vendor Homepage: https://joomtech.net/ Software D.: https://www.joomtech.net/products/easyshop?task=file.download&key=7bafaa65995fb3b1383328105df1e10f Software Link:...

AI score: 7.4 | Exploits: 0

Exploit DB | added 2019/01/22 12:0 a.m. | 77 views

Microsoft Windows VCF or Contact' File - URL Manipulation-Spoof Arbitrary Code Execution

Exploit Title: Microsoft Windows 'VCF' or 'Contact' File URL Manipulation-Spoof Arbitrary Code Execution Vulnerability -- Remote Vector Google Dork: N/A Date: January, 21 2019 Exploit Author: Eduardo Braun Prado Vendor Homepage: http://www.microsoft.com/ Software Link: http://www.microsoft.com/...

AI score: 7.4 | Exploits: 0

Exploit DB | added 2019/01/22 12:0 a.m. | 97 views

CloudMe Sync 1.11.2 - Buffer Overflow + Egghunt

Exploit Title: CloudMe Sync v1.11.2 Buffer Overflow + Egghunt Date: 23.04.2018 Exploit Author:T3jv1l Vendor Homepage:https://www.cloudme.com/en Software: https://www.cloudme.com/downloads/CloudMe1112.exe Category:Local Contact:https://twitter.com/T3jv1l Version: CloudMe Sync 1.11.2 - Buffer...

CVSS: 9.8 | AI score: 8.8 | EPSS: 0.89668 | Exploits: 29

Exploit DB | added 2019/01/21 12:0 a.m. | 124 views

PHP Dashboards NEW 5.8 - Local File Inclusion

Exploit Title: PHP Dashboards NEW 5.8 - Local File Inclusion Dork: N/A Date: 2019-01-21 Exploit Author: Ihsan Sencan Vendor Homepage: http://dataninja.biz Software Link: https://codecanyon.net/item/php-dashboards-v50-brand-new-enterprise-edition/21540104 Version: 5.8 Category: Webapps Tested on:...

AI score: 7.4 | Exploits: 0

Exploit DB | added 2019/01/21 12:0 a.m. | 271 views

Kepler Wallpaper Script 1.1 - SQL Injection

Exploit Title: Kepler Wallpaper Script 1.1 - SQL Injection Dork: N/A Date: 2019-01-19 Exploit Author: Ihsan Sencan Vendor Homepage: https://keplerwallpapers.online/ Software Link: https://codeclerks.com/PHP/1559/Kepler-Wallpaper-Script Version: 1.1 Category: Webapps Tested on: WiN7x64/KaLiLinuXx6...

AI score: 7 | Exploits: 0

Exploit DB | added 2019/01/21 12:0 a.m. | 95 views

GattLib 0.2 - Stack Buffer Overflow

Exploit Title: stack-based overflow Date: 2019-11-21 Exploit Author: Dhiraj Mishra Vendor Homepage: http://labapart.com/ Software Link: https://github.com/labapart/gattlib/issues/81 Version: 0.2 Tested on: Linux 4.15.0-38-generic CVE: CVE-2019-6498 References:...

CVSS: 8.8 | AI score: 8.8 | EPSS: 0.05961 | Exploits: 5

Exploit DB | added 2019/01/21 12:0 a.m. | 283 views

Coman 1.0 - 'id' SQL Injection

Exploit Title: Coman - Company Management System 1.0 - SQL Injection Dork: N/A Date: 2019-01-20 Exploit Author: Ihsan Sencan Vendor Homepage: http://ragob.com/ Software Link: https://codecanyon.net/item/coman-company-management-system/17799270 Version: 1.0 Category: Webapps Tested on:...

AI score: 7 | Exploits: 0

Exploit DB | added 2019/01/21 12:0 a.m. | 77 views

Linux Kernel 4.13 - 'compat_get_timex()' Leak Kernel Pointer

define GNUSOURCE define BSDSOURCE include include include include include include include include include include include include include include include include include include // Ubuntu 4.13.0-16-generic // gcc -o poc poc.c -m32 struct timex time; int mainint argc, char argv int r; unsigned lon...

AI score: 7.4 | Exploits: 0

Exploit DB | added 2019/01/21 12:0 a.m. | 54 views

Echo Mirage 3.1 - Buffer Overflow (PoC)

!/usr/bin/python Exploit Title: Echo Mirage 3.1 Buffer Overflow PoC Stack Overflow Date: 21-01-2019 Software Link: https://sourceforge.net/projects/echomirage.oldbutgold.p/ Version: 3.1 x64 Exploit Author: InitD Community Contact: https://twitter.com/initdsh Website: http://initd.sh/ Tested on:...

AI score: 7.4 | Exploits: 0

Exploit DB | added 2019/01/21 12:0 a.m. | 429 views

PHP Dashboards NEW 5.8 - 'dashID' SQL Injection

Exploit Title: PHP Dashboards NEW 5.8 - SQL Injection Dork: N/A Date: 2019-01-21 Exploit Author: Ihsan Sencan Vendor Homepage: http://dataninja.biz Software Link: https://codecanyon.net/item/php-dashboards-v50-brand-new-enterprise-edition/21540104 Version: 5.8 Category: Webapps Tested on:...

AI score: 7 | Exploits: 0

Exploit DB | added 2019/01/21 12:0 a.m. | 142 views

MoneyFlux 1.0 - 'id' SQL Injection

Exploit Title: MoneyFlux - Cashflow Management System 1.0 - SQL Injection Dork: N/A Date: 2019-01-20 Exploit Author: Ihsan Sencan Vendor Homepage: http://ragob.com/ Software Link: https://codecanyon.net/item/moneyflux-laravel-5-cashflow-system/21577611 Version: 1.0 Category: Webapps Tested on:...

AI score: 7.4 | Exploits: 0

Exploit DB | added 2019/01/21 12:0 a.m. | 96 views

Adianti Framework 5.5.0 - SQL Injection

Exploit Title: SQL Injection in Adianti Framework Date: 2018-12-18 Exploit Author: Joner de Mello Assolin Vendor Homepage: https://www.adianti.com.br Version: 5.5.0 and 5.6.0 REQUIRED Tested on: XAMPP Version 7.2.2, phpMyAdmin 4.7.7 and 4.8.4, PHP 7.1 , Apache/2.4.29 Win32 , libmysql - mysqlnd...

AI score: 7.4 | Exploits: 0

Exploit DB | added 2019/01/21 12:0 a.m. | 134 views

Reservic 1.0 - 'id' SQL Injection

Exploit Title: Reservic - Reserves Management System 1.0 - SQL Injection Dork: N/A Date: 2019-01-20 Exploit Author: Ihsan Sencan Vendor Homepage: http://ragob.com/ Software Link: https://codecanyon.net/item/reservic-reserves-management-system/11736786 Version: 1.0 Category: Webapps Tested on:...

AI score: 7.4 | Exploits: 0

Exploit DB | added 2019/01/21 12:0 a.m. | 118 views

PHP Uber-style GeoTracking 1.1 - SQL Injection

Exploit Title: PHP Uber-style GeoTracking 1.1 - SQL Injection Dork: N/A Date: 2019-01-21 Exploit Author: Ihsan Sencan Vendor Homepage: http://dataninja.biz Software Link: https://codecanyon.net/item/php-uberstyle-geotracking/20320021 Version: 1.1 Category: Webapps Tested on: WiN7x64/KaLiLinuXx64...

AI score: 7.4 | Exploits: 0

Exploit DB | added 2019/01/18 12:0 a.m. | 63 views

Webmin 1.900 - Remote Command Execution (Metasploit)

This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' require 'uri' class MetasploitModule 'Webmin 1.900 - Remote Command Execution', 'Description' = %q This module exploits an arbitrary command execution...

AI score: 7.4 | Exploits: 0

Exploit DB | added 2019/01/18 12:0 a.m. | 30 views

One Search 1.1.0.0 - Denial of Service (PoC)

Exploit Title: One Search 1.1.0.0 - Denial of Service PoC Date: 1/18/2018 Author: 0xB9 Twitter: @0xB9Sec Contact: 0xB9atpm.me Software Link: https://www.microsoft.com/store/productId/9PMR5QNS5LTL Version: 1.1.0.0 Tested on: Windows 10 Proof of Concept: Run the python script, it will create a new...

AI score: 7.4 | Exploits: 0

Exploit DB | added 2019/01/18 12:0 a.m. | 121 views

phpTransformer 2016.9 - Directory Traversal

Exploit Title: phpTransformer 2016.9 - Directory Traversal Dork: N/A Date: 2019-01-18 Exploit Author: Ihsan Sencan Vendor Homepage: http://phptransformer.com/ Software Link: https://netcologne.dl.sourceforge.net/project/phptransformer/Version%202016.9/release2016.9.zip Version: 2016.9 Category:...

AI score: 7.4 | Exploits: 0

Exploit DB | added 2019/01/18 12:0 a.m. | 9025 views

SCP Client - Multiple Vulnerabilities (SSHtranger Things)

Exploit Title: SSHtranger Things Date: 2019-01-17 Exploit Author: Mark E. Haase Vendor Homepage: https://www.openssh.com/ Software Link: download link if available Version: OpenSSH 7.6p1 Tested on: Ubuntu 18.04.1 LTS CVE : CVE-2019-6111, CVE-2019-6110 ''' Title: SSHtranger Things Author: Mark E...

CVSS: 6.8 | AI score: 6.8 | EPSS: 0.57569 | Exploits: 10

Exploit DB | added 2019/01/18 12:0 a.m. | 78 views

Joomla! Core 3.9.1 - Persistent Cross-Site Scripting in Global Configuration Textfilter Settings

Exploit Title: Joomla Global Configuration Text Filter settings Stored XSS Vulnerability Date: 18/01/2019 Exploit Author: Praveen Sutar , Twitter: @praveensutar123 Vendor Homepage: https://www.joomla.org/ Affected Versions: Joomla versions 2.5.0 through 3.9.1 Tested on: Joomla 3.9.1 CVE :...

CVSS: 4.8 | AI score: 5.3 | EPSS: 0.00107 | Exploits: 5

Exploit DB | added 2019/01/18 12:0 a.m. | 32 views

Microsoft Edge Chakra - 'InlineArrayPush' Type Confusion

/ In Chakra, if you add a numeric property to an object having inlined properties, it will start transition to a new type where the space for some of previously inlined properties become for the pointer to the property slots and the pointer to the object array which stores numeric properties. For...

AI score: 7.4 | Exploits: 0

Exploit DB | added 2019/01/18 12:0 a.m. | 37 views

Watchr 1.1.0.0 - Denial of Service (PoC)

Exploit Title: Watchr 1.1.0.0 - Denial of Service PoC Date: 1/18/2018 Author: 0xB9 Twitter: @0xB9Sec Contact: 0xB9atpm.me Software Link: https://www.microsoft.com/store/productId/9PN12GNX62VZ Version: 1.1.0.0 Tested on: Windows 10 Proof of Concept: Run the python script, it will create a new file...

AI score: 7.4 | Exploits: 0

Exploit DB | added 2019/01/18 12:0 a.m. | 121 views

phpTransformer 2016.9 - SQL Injection

Exploit Title: phpTransformer 2016.9 - SQL Injection Dork: N/A Date: 2019-01-18 Exploit Author: Ihsan Sencan Vendor Homepage: http://phptransformer.com/ Software Link: https://netcologne.dl.sourceforge.net/project/phptransformer/Version%202016.9/release2016.9.zip Version: 2016.9 Category: Webapps...

AI score: 7.4 | Exploits: 0

Exploit DB | added 2019/01/18 12:0 a.m. | 39 views

VPN Browser+ 1.1.0.0 - Denial of Service (PoC)

Exploit Title: VPN Browser+ 1.1.0.0 - Denial of Service PoC Date: 1/18/2018 Author: 0xB9 Twitter: @0xB9Sec Contact: 0xB9atpm.me Software Link: https://www.microsoft.com/store/productId/9NFFFFS5Z2C7 Version: 1.1.0.0 Tested on: Windows 10 Proof of Concept: Run the python script, it will create a ne...

AI score: 7.4 | Exploits: 0

Exploit DB | added 2019/01/18 12:0 a.m. | 47 views

SeoToaster Ecommerce / CRM / CMS 3.0.0 - Local File Inclusion

Exploit Title: SeoToaster Ecommerce 3.0.0 - Local File Inclusion Dork: N/A Date: 2019-01-17 Exploit Author: Ihsan Sencan Vendor Homepage: https://www.seotoaster.com/shopping-cart/ Software Link: https://www.seotoaster.com/downloads/seotoaster.v3.0.0.zip Version: 3.0.0 Category: Webapps Tested on:...

AI score: 7.4 | Exploits: 0

Exploit DB | added 2019/01/18 12:0 a.m. | 48 views

Microsoft Edge Chakra - 'NewScObjectNoCtor' or 'InitProto' Type Confusion

NewScObjectNoCtor and InitProto opcodes are treated as having no side effects, but actually they can have via the SetIsPrototype method of the type handler that can cause transition to a new type. This can lead to type confusion in the JITed code. In the PoC, it overwrites the pointer to property...

AI score: 7.4 | Exploits: 0

Exploit DB | added 2019/01/18 12:0 a.m. | 91 views

Microsoft Edge Chakra - 'JsBuiltInEngineInterfaceExtensionObject::InjectJsBuiltInLibraryCode' Use-After-Free

/ The JsBuiltInEngineInterfaceExtensionObject::InjectJsBuiltInLibraryCode method is used to execute JsBuiltIn.js which initializes some builtin objects. Because it's essentially written in JavaScript, it needs to clear the disable-implicit-call flag before calling the JavaScript code, otherwise i...

AI score: 7.4 | Exploits: 0

Exploit DB | added 2019/01/18 12:0 a.m. | 224 views

Microsoft Edge Chakra - 'InitClass' Type Confusion

/ Issue description This is similar to issue 1702 https://www.exploit-db.com/exploits/46203 . This time, it uses an InitClass instruction to reach the SetIsPrototype method. PoC: / function opto, c, value o.b = 1; class A extends c o.a = value; function main for let i = 0; i 2000; i++ let o = a: ...

AI score: 7.4 | Exploits: 0

Exploit DB | added 2019/01/18 12:0 a.m. | 48 views

Eco Search 1.0.2.0 - Denial of Service (PoC)

Exploit Title: Eco Search 1.0.2.0 - Denial of Service PoC Date: 1/18/2018 Author: 0xB9 Twitter: @0xB9Sec Contact: 0xB9atpm.me Software Link: https://www.microsoft.com/store/productId/9N05DCQP5C3W Version: 1.0.2.0 Tested on: Windows 10 Proof of Concept: Run the python script, it will create a new...

AI score: 7.4 | Exploits: 0

Exploit DB | added 2019/01/18 12:0 a.m. | 39 views

FastTube 1.0.1.0 - Denial of Service (PoC)

Exploit Title: FastTube 1.0.1.0 - Denial of Service PoC Date: 1/18/2018 Author: 0xB9 Twitter: @0xB9Sec Contact: 0xB9atpm.me Software Link: https://www.microsoft.com/store/productId/9MXS9JVDP25V Version: 1.0.1.0 Tested on: Windows 10 Proof of Concept: Run the python script, it will create a new fi...

AI score: 7.4 | Exploits: 0

Exploit DB | added 2019/01/18 12:0 a.m. | 31 views

7 Tik 1.0.1.0 - Denial of Service (PoC)

Exploit Title: 7 Tik 1.0.1.0 - Denial of Service PoC Date: 1/18/2018 Author: 0xB9 Twitter: @0xB9Sec Contact: 0xB9atpm.me Software Link: https://www.microsoft.com/store/productId/9NQL2QC8S935 Version: 1.0.1.0 Tested on: Windows 10 Proof of Concept: Run the python script, it will create a new file...

AI score: 7 | Exploits: 0

Exploit DB | added 2019/01/18 12:0 a.m. | 61 views

Pydio / AjaXplorer < 5.0.4 - (Unauthenticated) Arbitrary File Upload

Exploit Title: Unauthenticated Arbitrary File Upload Vulnerability In Pydio/AjaXplorer 5.0.3 – 3.3.5 Date: 01/18/2019 Exploit Author: @jazz Vendor Homepage: https://pydio.com/ Software Link:...

CVSS: 7.5 | AI score: 6.5 | EPSS: 0.19409 | Exploits: 5

Exploit DB | added 2019/01/17 12:0 a.m. | 56 views

Check Point ZoneAlarm 8.8.1.110 - Local Privilege Escalation

Exploit Title: Check Point ZoneAlarm Local Privilege Escalation Date: 1/16/19 Exploit Author: Chris Anastasio Vendor Homepage: https://www.zonealarm.com/software/free-antivirus/ Software Link: Vulnerable Versions included in repo Version: ZoneAlarm Free Antivirus + Firewall version: 15.3.064.1772...

AI score: 7.4 | Exploits: 0

Exploit DB | added 2019/01/17 12:0 a.m. | 63 views

Oracle Reports Developer Component 12.2.1.3 - Cross-site Scripting

Exploit Title: Cross-site Scripting XSS Date: 2019-01-15 Exploit Author: Mohamed M.Fouad - From SecureMisr Company Vendor Homepage: https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html Version: 12.2.1.3 REQUIRED Tested on: Windows 10 CVE : CVE-2019-2413 POC:...

CVSS: 6.1 | AI score: 6.8 | EPSS: 0.04759 | Exploits: 5

Exploit DB | added 2019/01/17 12:0 a.m. | 101 views

Microsoft Windows CONTACT - Remote Code Execution

Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-CONTACT-FILE-INSUFFECIENT-UI-WARNING-WEBSITE-LINK-ARBITRARY-CODE-EXECUTION.txt + ISR: ApparitionSec Vendor www.microsoft.com Product Microsoft .CONTACT File...

AI score: 7 | Exploits: 0

Exploit DB | added 2019/01/16 12:0 a.m. | 70 views

Microsoft Windows 10 - XmlDocument Insecure Sharing Privilege Escalation

Windows: XmlDocument Insecure Sharing Elevation of Privilege Platform: Windows 10 1809 almost certainly earlier versions as well. Class: Elevation of Privilege Security Boundary per Windows Security Service Criteria: AppContainer Sandbox Summary: A number of Partial Trust Windows Runtime classes...

AI score: 7.4 | Exploits: 0

Exploit DB | added 2019/01/16 12:0 a.m. | 74 views

Google Chrome V8 JavaScript Engine 71.0.3578.98 - Out-of-Memory in Invalid Array Length

function main var ar = ; forlet i = 0; i...

AI score: 7.4 | Exploits: 0

Exploit DB | added 2019/01/16 12:0 a.m. | 110 views

Coship Wireless Router 4.0.0.48 / 4.0.0.40 / 5.0.0.54 / 5.0.0.55 / 10.0.0.49 - Unauthenticated Admin Password Reset

history.pushState'', '', '/'...

CVSS: 10 | AI score: 9.8 | EPSS: 0.53595 | Exploits: 4

Exploit DB | added 2019/01/16 12:0 a.m. | 180 views

Blueimp's jQuery File Upload 9.22.0 - Arbitrary File Upload Exploit

Exploit Title: Exploit for Blueimp's jQuery File Upload include include include include include include define BSIZE 1024 define DEBUG 1 define TESTONLY 0 void buildstring char p, char path, char arg, char ar1, int func; int main int argc, char argv int sock = 0, bytesread = 0, total = 0, functio...

CVSS: 9.8 | AI score: 9.8 | EPSS: 0.93778 | Exploits: 15

Exploit DB | added 2019/01/16 12:0 a.m. | 53 views

NTPsec 1.1.2 - 'ctl_getitem' Out-of-Bounds Read (PoC)

!/usr/bin/env python Exploit Title: ntpsec 1.1.2 OOB read Proof of concept Bug Discovery: Magnus Klaaborg Stubman @magnusstubman Exploit Author: Magnus Klaaborg Stubman @magnusstubman Website: https://dumpco.re/bugs/ntpsec-oobread1 Vendor Homepage: https://ntpsec.org/ Software Link:...

CVSS: 9.1 | AI score: 9.5 | EPSS: 0.47167 | Exploits: 5

Exploit DB | added 2019/01/16 12:0 a.m. | 61 views

Spotify 1.0.96.181 - 'Proxy configuration' Denial of Service (PoC)

Exploit Title: Spotify 1.0.96.181 - "Proxy configuration" Denial of Service PoC Discovery by: Aaron V. Hernandez Discovery Date: 2019-01-15 Vendor Homepage: https://www.spotify.com Software Link: https://www.spotify.com/mx/download/windows/ Tested Version: 1.0.96.181 Vulnerability Type: Denial of...

AI score: 7.4 | Exploits: 0

Exploit DB | added 2019/01/16 12:0 a.m. | 55 views

GL-AR300M-Lite 2.27 - (Authenticated) Command Injection / Arbitrary File Download / Directory Traversal

Exploit Title: GL-AR300M-Lite Authenticated Command injection - Arbitrary file download - Directory Traversal Date: 15/1/2019 Exploit Author: Pasquale Turi aka boombyte Vendor Homepage: https://www.gl-inet.com/ Software Link: https://www.gl-inet.com/products/gl-ar300m/ Version: Firmware version...

CVSS: 8.8 | AI score: 7 | EPSS: 0.07156 | Exploits: 7

Exploit DB | added 2019/01/16 12:0 a.m. | 52 views

NTPsec 1.1.2 - 'config' (Authenticated) Out-of-Bounds Write Denial of Service (PoC)

!/usr/bin/env python Exploit Title: ntpsec 1.1.2 authenticated out of bounds write proof of concept DoS Bug Discovery: Magnus Klaaborg Stubman @magnusstubman Exploit Author: Magnus Klaaborg Stubman @magnusstubman Website: https://dumpco.re/bugs/ntpsec-authed-oobwrite Vendor Homepage:...

CVSS: 6.5 | AI score: 6.8 | EPSS: 0.18025 | Exploits: 5

Total number of security vulnerabilities: 47884