47904 matches found
Joomla! Component JE Photo Gallery 1.1 - 'categoryid' SQL Injection
Exploit Title: Joomla! Component JE Photo Gallery 1.1 - SQL Injection Dork: N/A Date: 2018-11-26 Exploit Author: Ihsan Sencan Vendor Homepage: https://joomlaextensions.co.in Software Link: http://joomlaextensions.co.in/download/1387375463JE%20PhotoGallery%20%20J-%203.0%20.zip Version: 1.1 Categor...
Fleetco Fleet Maintenance Management 1.2 - Remote Code Execution
Exploit Title: Fleetco Fleet Maintenance Management 1.2 - Remote Code Execution Date: 2018-11-23 Exploit Author: Özkan Mustafa Akkuş AkkuS Contact: https://pentest.com.tr Vendor Homepage: https://www.fleetco.space Software Link: http://www.fleetco.space/download/215/ Version: v1.2 Category: Webap...
WordPress Plugin Advanced-Custom-Fields 5.7.7 - Cross-Site Scripting
Exploit Title: Wordpress Plugins Advanced-custom-fields 5.7.7 - Cross-Site Scripting Google Dork: N/A Date: 2018-12-02 Exploit Author: Loading Kura Kura Vendor Homepage: https://www.advancedcustomfields.com/ Software Link: https://www.advancedcustomfields.com/ Version: 5.7.7 Tested on: Win10...
Apache Superset < 0.23 - Remote Code Execution
Exploit Title: Apache Superset ' sys.exit else: Script arguments supersetIP = sys.argv1 supersetPort = sys.argv2 Verify these URLs match your environment loginURL = 'http://' + supersetIP + ':' + supersetPort + '/login/' uploadURL = 'http://' + supersetIP + ':' + supersetPort +...
Budabot 4.0 - Denial of Service (PoC)
Exploit Title: Budabot 4.0 - Denial of Service PoC Date: 2018-10-15 Exploit Author: Ryan Delaney Author Contact: [email protected] Vendor Homepage: http://budabot.com/ Software Link: http://budabot.com/forum/viewtopic.php?f=8&t=1413 Version: 0.6 - 4.0 Tested on: 4.0 CVE: CVE-2018-19290 1...
Mozilla Firefox 63.0.1 - Denial of Service (PoC)
Exploit Title: Mozilla Firefox 63.0.1 - Denial of Service PoC Date: 2018-11-29 Exploit Author: SAIKUMAR CHEBROLU Vendor Homepage: https://www.mozilla.org/en-US/firefox/new/ Bugzilla report: https://bugzilla.mozilla.org/showbug.cgi?id=1504512 Version: Firefox 63.0.1 Tested on: Windows 10 CVE : No...
PHP Server Monitor 3.3.1 - Cross-Site Request Forgery
Exploit Title: PHP Server Monitor 3.3.1 - Cross-Site Request Forgery Exploit Author: Javier Olmedo Website: https://www.sidertia.com Date: 2018-11-28 Google Dork: N/A Vendor: https://www.phpservermonitor.org/ Software Link: https://github.com/phpservermon/phpservermon/releases/tag/v3.3.1 Affected...
PhpSpreadsheet < 1.5.0 - XML External Entity (XXE)
Product Description PhpSpreadsheet is a library written in pure PHP that provides a set of classes allowing users to read from and write to different spreadsheet file formats, such as Excel and LibreOffice Calc. Vulnerabilities List One vulnerability was identified within the PhpSpreadsheet...
VBScript - 'OLEAUT32!VariantClear' and 'scrrun!VBADictionary::put_Item' Use-After-Free
Class class2 Private Sub ClassTerminate var17.RemoveAll End Sub End Class Set var17 = CreateObject"Scripting.Dictionary" Set var17.Item"foo" = new class2 var17.Item"foo" = 1 !-- =============================================================================== Preliminary Analysis: 1st issue: In...
Apache Spark - (Unauthenticated) Command Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Apache Spark Unauthenticated Command Execution', 'Description' = %q This module exploits an unauthenticated command execution vulnerability in...
VBScript - 'rtFilter' Out-of-Bounds Read
On Error Resume Next Class class1 Public Default Property Get x ReDim arr1 End Property End Class set c = new class1 arr = Array"b", "b", "a", "a", c Call Filterarr, "a" !-- =============================================================================== Preliminary Analysis: The rtFilter function...
Synaccess netBooter NP-02x/NP-08x 6.8 - Authentication Bypass
Synaccess netBooter NP-02x/NP-08x 6.8 Authentication Bypass Vendor: Synaccess Networks Inc. Product web page: https://www.synaccess-net.com Affected version: NP-0201D ver 6.8C NP-02 ver 6.5C NP-02 ver 6.4BC NP-0801D ver 6.4A NP-08 ver 6.10 NP-02 ver 5.53BC Summary: netBooter NP-02B and NP-02BH...
xorg-x11-server < 1.20.3 - 'modulepath' Local Privilege Escalation
!/bin/sh raptorxorgy - xorg-x11-server LPE via modulepath switch Copyright c 2018 Marco Ivaldi A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission check for -modulepath and -logfile options when starting Xorg. X server allows unprivileged users with the ability to log in to...
Schneider Electric PLC - Session Calculation Authentication Bypass
!/usr/bin/env python ''' Copyright 2018 Photubiasc Exploit Title: Schneider Session Calculation - CVE-2017-6026 Date: 2018-09-30 Exploit Author: Deneut Tijl Vendor Homepage: www.schneider-electric.com Software Link:...
Linux Kernel 4.8 (Ubuntu 16.04) - Leak sctp Kernel Pointer
/ Exploit Title: Linux Kernel 4.8 Ubuntu 16.04 - Leak sctp kernel pointer Google Dork: - Date: 2018-11-20 Exploit Author: Jinbum Park Vendor Homepage: - Software Link: - Version: Linux Kernel 4.8 Ubuntu 16.04 Tested on: 4.8.0-36-generic 3616.04.1-Ubuntu SMP Sun Feb 5 09:39:57 UTC 2017 x8664 x8664...
HTML5 Video Player 1.2.5 - Buffer Overflow (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class Metasploit3 'HTML5 Video Player 1.2.5 - Buffer Overflow SEH', 'Description' = %q This module exploits a stack based buffer overflow in HTML5 Vide...
WebKit JIT - 'ByteCodeParser::handleIntrinsicCall' Type Confusion
/ case ArrayPushIntrinsic: ... if staticcastargumentCountIncludingThis = MINSPARSEARRAYINDEX return false; ArrayMode arrayMode = getArrayModemcurrentInstructionOPCODELENGTHopcall - 2.u.arrayProfile, Array::Write; ... This code always assumes that the current instruction is an opcall instruction...
TeamCity Agent - XML-RPC Command Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'TeamCity Agent XML-RPC Command Execution', 'Description' = %q This module allows remote code execution on TeamCity Agents configured to use...
Linux - Nested User Namespace idmap Limit Local Privilege Escalation (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Linux Nested User Namespace idmap Limit Local Privilege Escalation', 'Description' = %q This module exploits a vulnerability in Linux kernels...
WebKit JSC - BytecodeGenerator::hoistSloppyModeFunctionIfNecessary Does not Invalidate the 'ForInContext' Object
/ This is simillar to issue 1263 . When hoisting a function onto the outer scope, if it overwrites the iteration variable for a for-in loop it should invalidate the corresponding ForInContext object, but it doesn't. As a result, an arbitrary object can be passed as the property variable to the...
Mac OS X - libxpc MITM Privilege Escalation (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Mac OS X libxpc MITM Privilege Escalation', 'Description' = %q This module exploits a vulnerablity in libxpc on macOS MSFLICENSE, 'Author' =...
PHP imap_open - Remote Code Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'php imapopen Remote Code Execution', 'Description' = %q The imapopen function within php, if called without the /norsh flag, will attempt to...
WebKit JSC JIT - 'JSPropertyNameEnumerator' Type Confusion
/ When a for-in loop is executed, a JSPropertyNameEnumerator object is created at the beginning and used to store the information of the input object to the for-in loop. Inside the loop, the structure ID of the "this" object of every getbyid expression taking the loop variable as the index is...
Unitrends Enterprise Backup - bpserverd Privilege Escalation (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Unitrends Enterprise Backup bpserverd Privilege Escalation', 'Description' = %q It was discovered that the Unitrends bpserverd proprietary...
Netgear Devices - (Unauthenticated) Remote Command Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Netgear Devices Unauthenticated Remote Command Execution', 'Description' = %q From the CVE-2016-1555 page: 1 boardData102.php, 2 boardData103.php...
Xorg X11 Server - SUID privilege escalation (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Xorg X11 Server SUID privilege escalation', 'Description' = %q This module attempts to gain root privileges with SUID Xorg X11 server versions...
ELBA5 5.8.0 - Remote Code Execution
Exploit Title: ELBA5 5.8.0 - Remote Code Execution Date: 2018-11-16 Exploit Author: Florian Bogner Vendor Homepage: https://www.elba.at Vulnerable Software: https://www.elba.at/eBusiness/01template1/1206507788612244132-12065155957890496571206515641959948315-1292519691128454196-NA-38-NA.html...
Arm Whois 3.11 - Buffer Overflow (ASLR)
Exploit Title: Arm Whois 3.11 - Buffer Overflow ASLR Google Dork: if applicable Date: 23/11/2018 Exploit Author: zephyr Vendor Homepage: http://www.armcode.com Software Link: http://www.armcode.com/downloads/arm-whois.exe Version: 3.11 Tested on: Windows Vista Ultimate SP1 x86 unpatched CVE : nSE...
Zyxel VMG1312-B10D 5.13AAXA.8 - Directory Traversal
Exploit Title: Zyxel VMG1312-B10D 5.13AAXA.8 - Directory Traversal Date: 2018-11-17 Exploit Author: numan türle Vendor Homepage: https://www.zyxel.com/ Software Link: https://www.zyxel.com/productsservices/Wireless-N-VDSL2-4-port-Gateway-with-USB-VMG1312-B10D/ Tested on: macOS Fixed firmware:...
WordPress Plugin Easy Testimonials 3.2 - Cross-Site Scripting
Exploit Title: Wordpress Plugins Easy Testimonials 3.2 - Cross-Site Scripting Date: 2018-11-23 Exploit Author: Endust Vendor Homepage: https://wordpress.org/plugins/easy-testimonials/ Software Link: https://wordpress.org/plugins/easy-testimonials/ Version: 3.2 CVE : N/A Tested on: Windows 10 x64...
Ticketly 1.0 - 'kind_id' SQL Injection
Exploit Title: Ticketly 1.0 – Multiple SQL Injection Exploit Author: Javier Olmedo Website: https://hackpuntes.com Date: 2018-11-19 Google Dork: N/A Vendor: Abisoft https://abisoftgt.net Software Link: https://abisoftgt.net/software/6/sistema-de-tickets-y-soporte-con-php-y-mysql Affected Version:...
No-Cms 1.0 - 'order_by' SQL Injection
Exploit Title: No-Cms 1.0 - 'orderby' SQL Injection Date: 2018-11-28 Exploit Author: Loading Kura Kura Vendor Homepage: https://github.com/goFrendiAsgard/No-CMS Software Link: https://codeload.github.com/goFrendiAsgard/No-CMS/zip/master Tested on: Win10/Kali Linux Google Dork: n/a Version: n/a CV...
MariaDB Client 10.1.26 - Denial of Service (PoC)
Exploit Title: MariaDB Client 10.1.26 - Denial of Service PoC Google Dork: None Date: 2018-11-16 Exploit Author: strider Software Link: https://github.com/MariaDB/server Version: mysql Ver 15.1 Distrib 10.1.26-MariaDB, for debian-linux-gnu x8664 using readline 5.2 Tested on: Debian 9 Stretch x64 ...
Ricoh myPrint 2.9.2.4 - Hard-Coded Credentials
Exploit Title: Ricoh myPrint 2.9.2.4 - Hard-Coded Credentials Google Dork: intitle:"ricoh myprint" "Copyright Ricoh. All Rights Reserved" Date: 2018-11-19 Exploit Author: Hodorsec Vendor Homepage: https://www.ricoh.com Software Link:...
Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege Escalation (cron Method)
!/bin/sh EDB Note: Download https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47164.zip wrapper for Jann Horn's exploit for CVE-2018-18955 uses crontab technique --- test@linux-mint-19-2:/kernel-exploits/CVE-2018-18955$ ./exploit.cron.sh Compiling... Writing payload...
Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege Escalation (ldpreload Method)
!/bin/sh EDB Note: Download https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47166.zip wrapper for Jann Horn's exploit for CVE-2018-18955 uses ld.so.preload technique --- test@linux-mint-19-2:/kernel-exploits/CVE-2018-18955$ ./exploit.ldpreload.sh Compiling... Addi...
WordPress Theme CherryFramework 3.1.4 - Backup File Download
Exploit Title: Wordpress CherryFramework Themes 3.1.4 - Backup File Download Google Dork: inurl:/wp-content/themes/CherryFramework Date: 2018-11-17 Exploit Author: b1p0l4r Vendor Homepage: http://www.cherryframework.com/ Software Link: http://www.cherryframework.com/ Version: 3.x.x 3.1.4 Tested o...
WebOfisi E-Ticaret V4 - 'urun' SQL Injection
Exploit Title: WebOfisi E-Ticaret V4 - 'urun' SQL Injection Date: 2018-11-21 Exploit Author: Özkan Mustafa Akkuş AkkuS Contact: https://pentest.com.tr Vendor Homepage: https://www.web-ofisi.com Software Demo: http://demobul.net/eticaretv4/ Software Link:...
Synaccess netBooter NP-0801DU 7.4 - Cross-Site Request Forgery (Add Admin)
Title: Synaccess netBooter NP-0801DU 7.4 - Cross-Site Request Forgery Add Admin Author: Gjoko 'LiquidWorm' Krstic @zeroscience Exploit Date: 2018-11-17 Vendor: Synaccess Networks Inc. Product web page: https://www.synaccess-net.com Affected version: NP-0801DU HW6.0 BL1.5 FW7.23 WF7.4 Tested on:...
Ticketly 1.0 - 'name' SQL Injection
Exploit Title: Ticketly 1.0 – 'name' SQL Injection Exploit Author: Javier Olmedo Website: https://hackpuntes.com Date: 2018-11-19 Google Dork: N/A Vendor: Abisoft https://abisoftgt.net Software Link: https://abisoftgt.net/software/6/sistema-de-tickets-y-soporte-con-php-y-mysql Affected Version: 1...
Apple macOS 10.13 - 'workq_kernreturn' Denial of Service (PoC)
/ Exploit Title: MacOS 10.13 - 'workqkernreturn' Denial of Service PoC Date: 2018-07-30 Exploit Author: Fabiano Anemone Vendor Homepage: https://www.apple.com/ Version: iOS 11.4.1 / MacOS 10.13.6 Tested on: iOS / MacOS CVE: Not assigned Tweet: https://twitter.com/anoane/status/1048549170217451520...
Ticketly 1.0 - Cross-Site Request Forgery (Add Admin)
Exploit Title: Ticketly 1.0 - Cross-Site Request Forgery Add Admin Exploit Author: Javier Olmedo Website: https://hackpuntes.com Date: 2018-11-19 Google Dork: N/A Vendor: Abisoft https://abisoftgt.net Software Link: https://abisoftgt.net/software/6/sistema-de-tickets-y-soporte-con-php-y-mysql...
Microsoft Windows - DfMarshal Unsafe Unmarshaling Privilege Escalation
Windows: DfMarshal Unsafe Unmarshaling Elevation of Privilege Master Platform: Windows 10 1803 not tested earlier, although code looks similar on Win8+ Class: Elevation of Privilege Note, this is the master issue report for the DfMarshal unmarshaler. I’m reporting multiple, non-exhaustive, issues...
XMPlay 3.8.3 - '.m3u' Denial of Service (PoC)
Exploit Title: XMPlay 3.8.3 - '.m3u' Denial of Service PoC Date: 2018-11-18 Exploit Author: s7acktrac3 Vendor Homepage: https://www.xmplay.com/ Software Link: https://support.xmplay.com/filesview.php?fileid=676 Version: 3.8.3 latest Tested on: Windows XP/7/8 CVE : N/A Lauch XMPlay and either drag...
ImageMagick - Memory Leak
!/bin/bash help echo "Usage poc generator: basename $0 gen WIDTHxHEIGHT NAME.xbm minimal" echo " Example gen: basename $0 gen 512x512 poc.xbm" echo "Usage result recovery: basename $0 recover SAVEDPREVIEW.png|jpeg|gif|etc" echo " Example recovery: basename $0 recover avatar.png" if "$1" == "-h" ;...
HTML Video Player 1.2.5 - Buffer-Overflow (SEH)
Exploit Title: HTML Video Player 1.2.5 - Buffer-Overflow SEH Author: Kağan Çapar Discovery Date: 2018-11-16 Software Link: http://www.html5videoplayer.net/html5videoplayer-setup.exe Vendor Homepage : http://www.html5videoplayer.net Tested Version: 1.2.5 Tested on OS: Windows XP SP3 ENG Steps to...
Microsoft Edge Chakra - OP_Memset Type Confusion
/ Since the patch for CVE-2018-8372, it checks all inputs to native arrays, and if any input equals to the MissingItem value which can cause type confusion, it starts the bailout process. But it doesn't check the "value" argument to OPMemset. This can be exploited in the same way as for issue 158...
Linux - Broken uid/gid Mapping for Nested User Namespaces
commit 6397fac4915a "userns: bump idmap limits to 340" increases the number of possible uid/gid mappings that a namespace can have from 5 to 340. This is implemented by switching to a different data structure if the number of mappings exceeds 5: Instead of linear search over an unsorted array of...
Warranty Tracking System 11.06.3 - 'txtCustomerCode' SQL Injection
Exploit Title: Warranty Tracking System 11.06.3 - 'txtCustomerCode' SQL Injection Dork: N/A Date: 2018-11-14 Exploit Author: Ihsan Sencan Vendor Homepage: http://warrantytrack.org/ Software Link: https://kent.dl.sourceforge.net/project/warrantytrack/warrantytrack%20Rel.11.06.3.zip Version: 11.06....
DomainMOD 4.11.01 - 'raid' Cross-Site Scripting
Exploit Title: DomainMOD 4.11.01 - Cross-Site Scripting Date: 2018-11-09 Exploit Author: Dawood Ansar Vendor Homepage: domainmod https://domainmod.org/ Software Link: domainmod https://github.com/domainmod/domainmod Version: v4.09.03 to v4.11.01 CVE : CVE-2018-19136 A Reflected Cross-site scripti...