47904 matches found
Adult Filter 1.0 - Denial of Service (PoC)
Exploit Title: ADULT FILTER 1.0 - Denial of Service PoC Date: 2018-10-28 Exploit Author: Beren Kuday GÖRÜN Vendor Homepage: http://www.armcode.com/adult-filter/ Software Link: http://www.armcode.com/downloads/adult-filter.exe Version: 1.0 Build 2007-Mar-12 Tested on OS: Windows XP Professional...
Apache OFBiz 16.11.04 - XML External Entity Injection
Exploit Title: Apache OFBiz 16.11.04 - XML External Entity Injection Date: 2018-10-15 Exploit Author: Jamie Parfet Vendor Homepage: https://ofbiz.apache.org/ Software Link: https://archive.apache.org/dist/ofbiz/ Version: xXx xXx """ if lensys.argv = 1: print' Apache OFBiz 16.11.04 XXE' print' Use...
SIM-PKH 2.4.1 - Arbitrary File Upload
Exploit Title: SIM-PKH 2.4.1 - Arbitrary File Upload Dork: N/A Date: 2018-10-22 Exploit Author: Ihsan Sencan Vendor Homepage: https://simpkh.sourceforge.io/ Software Link: https://sourceforge.net/projects/simpkh/files/latest/download Version: 2.4.1 Category: Webapps Tested on: WiN7x64/KaLiLinuXx6...
ServersCheck Monitoring Software 14.3.3 - Arbitrary File Write
Exploit Title: ServersCheck Monitoring Software 14.3.3 - Denial of Service PoC Author: John Page aka hyp3rlinx Date: 2018-10-23 Vendor: www.serverscheck.com Software Link: http://downloads.serverscheck.com/monitoringsoftware/setup.exe CVE: N/A References:...
Appsource School Management System 1.0 - 'student_id' SQL Injection
Exploit Title: Appsource School Management System 1.0 - 'studentid' SQL Injection Dork: N/A Date: 2018-10-19 Exploit Author: Ihsan Sencan Vendor Homepage: http://www.appsource.ug/school/ Software Link: https://sourceforge.net/p/appsource-school-system/code/ Version: 1.0 Category: Webapps Tested o...
SIM-PKH 2.4.1 - 'id' SQL Injection
Exploit Title: SIM-PKH 2.4.1 - 'id' SQL Injection Dork: N/A Date: 2018-10-22 Exploit Author: Ihsan Sencan Vendor Homepage: https://simpkh.sourceforge.io/ Software Link: https://sourceforge.net/projects/simpkh/files/latest/download Version: 2.4.1 Category: Webapps Tested on: WiN7x64/KaLiLinuXx64...
Microsoft Data Sharing - Local Privilege Escalation (PoC)
Bug description: RpcDSSMoveFromSharedFilehandle,L"token",L"c:\blah1\pci.sys"; This function exposed over alpc, has a arbitrary delete vuln. Hitting the timing was pretty annoying. But my PoC will keep rerunning until c:\windows\system32\drivers\pci.sys is deleted. I believe it's impossible to hit...
School ERP Pro+Responsive 1.0 - 'fid' SQL Injection
Exploit Title: School ERP Pro+Responsive 1.0 - 'fid' SQL Injection Dork: N/A Date: 2018-10-23 Exploit Author: Ihsan Sencan Vendor Homepage: http://www.arox.in/ Software Link: https://sourceforge.net/projects/school-management-system-php/files/latest/download Software Link: http://erp.arox.in/...
MGB OpenSource Guestbook 0.7.0.2 - 'id' SQL Injection
Exploit Title: MGB OpenSource Guestbook 0.7.0.2 - 'id' SQL Injection Dork: N/A Date: 2018-10-23 Exploit Author: Ihsan Sencan Vendor Homepage: http://www.m-gb.org/ Software Link: https://sourceforge.net/projects/mopzz-gb/files/latest/download Version: 0.7.0.2 Category: Webapps Tested on:...
ServersCheck Monitoring Software 14.3.3 - 'id' SQL Injection
Exploit Title: ServersCheck Monitoring Software 14.3.3 - 'id' SQL Injection Author: John Page aka hyp3rlinx Date: 2018-10-23 Vendor: www.serverscheck.com Software link: http://downloads.serverscheck.com/monitoringsoftware/setup.exe CVE: N/A References:...
School ERP Pro+Responsive 1.0 - Arbitrary File Download
Exploit Title: School ERP Pro+Responsive 1.0 - Arbitrary File Download Dork: N/A Date: 2018-10-23 Exploit Author: Ihsan Sencan Vendor Homepage: http://www.arox.in/ Software Link: https://sourceforge.net/projects/school-management-system-php/files/latest/download Software Link: http://erp.arox.in/...
Apple Intel GPU Driver - Use-After-Free/Double-Delete due to bad Locking
/ This PoC file might look familiar; this bug is a trivial variant of CVE-2016-1744 Apple bug id 635599405. That report showed the bug in the unmapusermemory external methods; a variant also exists in the mapusermemory external methods. The intel graphics drivers have their own hash table type...
Keybase keybase-redirector - '$PATH' Local Privilege Escalation
keybase-redirector is a setuid root binary. keybase-redirector calls the fusermount binary using a relative path and the application trusts the value of $PATH. This allows a local, unprivileged user to trick the application to executing a custom fusermount binary as root. Environment CentOS Linux...
Viva Visitor & Volunteer ID Tracking 0.95.1 - 'fname' SQL Injection
Exploit Title: Viva Visitor & Volunteer ID Tracking 0.95.1 - 'fname' SQL Injection Dork: N/A Date: 2018-10-19 Exploit Author: Ihsan Sencan Vendor Homepage: https://viva-visitor.sourceforge.io/ Software Link: https://sourceforge.net/projects/viva-visitor/files/latest/download Version: 0.95.1...
Microsoft Windows - SetImeInfoEx Win32k NULL Pointer Dereference (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Windows SetImeInfoEx Win32k NULL Pointer Dereference', 'Description' = %q This module exploits elevation of privilege vulnerability that exists i...
Apple iOS/macOS - Sandbox Escape due to mach Message sent from Shared Memory
iohideventsystem sets up a shared memory event queue; at the end of this shared memory buffer it puts a mach message which it sends whenever it wants to notify a client that there's data available in the queue. As a client we can modify this mach message such that the server hidd on MacOS,...
Apple iOS/macOS - Kernel Memory Corruption due to Integer Overflow in IOHIDResourceQueue::enqueueReport
/ IOHIDResourceQueue inherits from IOSharedDataQueue and adds its own ::enqueueReport method, which seems to be mostly copy-pasted from IOSharedDataQueue and IODataQueue's ::enqueue methods. I reported a bunch of integer overflows in IODataQueue over four years ago CVE-2014-4389, apple issue...
Apple iOS - Kernel Stack Memory Disclosure due to Failure to Check copyin Return Value
Here's a code snippet from sleh.c with the second level exception handler for undefined instruction exceptions: static void handleuncategorizedarmsavedstatet state, booleant instrLen2 exceptiontypet exception = EXCBADINSTRUCTION; machexceptiondatatypet codes2 = EXCARMUNDEFINED; machmsgtypenumbert...
Microsoft Windows 10 - Local Privilege Escalation (UAC Bypass)
!/usr/bin/env python Exploit Title: Windows 10 UAC Bypass by computerDefault Date: 2018-10-18 Exploit Author: Fabien DROMAS - Security consultant @ Synetis Twitter: st0rnpentest Vendor Homepage: www.microsoft.com Version: Version 10.0.17134.285 Tested on: Windows 10 pro Version 10.0.17134.285...
Modbus Poll 7.2.2 - Denial of Service (PoC)
Exploit Title: Modbus Poll 7.2.2 - Denial of Service PoC Discovery by: Cemal Cihad ÇİFTÇİ Discovery Date: 2018-10-19 Tested Version: 7.2.2 Vulnerability Type: DOS Tested on OS: Windows XP Professional Service Pack 3 Vendor Homepage: https://www.modbustools.com Download Link:...
Apple iOS Kernel - Use-After-Free due to bad Error Handling in Personas
/ There was recently some cleanup in the persona code to fix some race conditions there, I don't think it was sufficient: In kpersonaallocsyscall if we provide an invalid userspace pointer for the ipd outptr we can cause this copyout to fail: error = copyout&persona-pnaid, idp, sizeofpersona-pnai...
School ERP Ultimate 2018 - Arbitrary File Download
Exploit Title: School ERP Ultimate 2018 - Arbitrary File Download Dork: N/A Date: 2018-10-21 Exploit Author: Ihsan Sencan Vendor Homepage: http://freeschoolerp.com/ Software Link: http://freeschoolerp.com/schoolerp30Nov2017free.zip Software Link:...
MySQL Edit Table 1.0 - 'id' SQL Injection
Exploit Title: MySQL Edit Table 1.0 - 'id' SQL Injection Dork: N/A Date: 2018-10-18 Exploit Author: Ihsan Sencan Vendor Homepage: https://www.bookman.nl Software Link: https://sourceforge.net/projects/sql-edit-table/files/latest/download Version: 1.0 Category: Webapps Tested on:...
The Open ISES Project 3.30A - 'tick_lat' SQL Injection
Exploit Title: The Open ISES Project 3.30A - 'ticklat' SQL Injection Dork: N/A Date: 2018-10-18 Exploit Author: Ihsan Sencan Vendor Homepage: http://openises.sourceforge.net/ Software Link: https://sourceforge.net/projects/openises/files/latest/download Version: 3.30A050318 Category: Webapps Test...
The Open ISES Project 3.30A - Arbitrary File Download
Exploit Title: The Open ISES Project 3.30A - Arbitrary File Download Dork: N/A Date: 2018-10-18 Exploit Author: Ihsan Sencan Vendor Homepage: http://openises.sourceforge.net/ Software Link: https://sourceforge.net/projects/openises/files/latest/download Version: 3.30A050318 Category: Webapps Test...
eNdonesia Portal 8.7 - 'artid' SQL Injection
Exploit Title: eNdonesia Portal 8.7 - 'artid' SQL Injection Dork: N/A Date: 2018-10-21 Exploit Author: Ihsan Sencan Vendor Homepage: http://www.endonesia.org/ Software Link: https://sourceforge.net/projects/endonesia/files/latest/download Version: 8.7 Category: Webapps Tested on:...
Oracle Siebel CRM 8.1.1 - CSV Injection
Exploit Title: Oracle Siebel CRM 8.1.1 - CSV Injection Date: 2018-10-21 Exploit Author: Sarath Nair aka AceNeon13 Contact: @AceNeon13 Vendor Homepage: www.oracle.com Software Link: http://www.oracle.com/us/products/applications/siebel/siebel-crm-8-1-1-066196.html Version: Oracle Siebel CRM Versio...
Audacity 2.3 - Denial of Service (PoC)
Exploit Title: AudaCity 2.3 - Denial of Service PoC Author: Kağan Çapar Discovery Date: 2018-10-19 Software Link: https://www.fosshub.com/Audacity.html Vendor Homepage : https://www.audacityteam.org Tested Version: 2.3 Tested on OS: Windows 10 x64/86 Normal use CPU & Windows 7 High CPU usage &...
School ERP Ultimate 2018 - 'fid' SQL Injection
Exploit Title: School ERP Ultimate 2018 - 'fid' SQL Injection Dork: N/A Date: 2018-10-21 Exploit Author: Ihsan Sencan Vendor Homepage: http://freeschoolerp.com/ Software Link: http://freeschoolerp.com/schoolerp30Nov2017free.zip Software Link:...
Apple iOS/macOS - Sandbox Escape due to Trusted Length Field in Shared Memory used by HID Event Subsystem
iohideventsystem is a MIG service which provides proxy access to various HID devices for untrusted clients. On iOS it's hosted by backboardd and on MacOS by hidd. The actual implementation is in IOKit.framework. I, and also pangu jailbreak team, had previously found a few bugs in the kernel...
LibSSH 0.7.6 / 0.8.4 - Unauthorized Access
!/usr/bin/env python3 import sys import paramiko import socket import logging pip3 install paramiko==2.0.8 logging.basicConfigstream=sys.stdout, level=logging.DEBUG logging.basicConfigstream=sys.stdout bufsize = 2048 def executehostname, port, command: sock = socket.socket try:...
Learning with Texts 1.6.2 - 'start' SQL Injection
Exploit Title: Learning with Texts 1.6.2 - 'start' SQL Injection Dork: N/A Date: 2018-10-18 Exploit Author: Ihsan Sencan Vendor Homepage: http://lwt.sourceforge.net/ Software Link: https://sourceforge.net/projects/lwt/files/latest/download Version: 1.6.2 Category: Webapps Tested on:...
libSSH - Authentication Bypass
!/usr/bin/env python3 import paramiko import socket import argparse from sys import argv, exit parser = argparse.ArgumentParserdescription="libSSH Authentication Bypass" parser.addargument'--host', help='Host' parser.addargument'-p', '--port', help='libSSH port', default=22...
PHP-SHOP master 1.0 - Cross-Site Request Forgery (Add Admin)
Exploit Title: PHP-SHOP master 1.0 - Cross-Site Request Forgery Add admin Exploit Author : Alireza Norkazemi Date: 2018-10-15 Vendor Homepage : https://github.com/joeyrush/PHP-SHOP Software link: https://github.com/joeyrush/PHP-SHOP/archive/master.zip Version: 1.0 Tested on: Windows 10 CVE: N/A...
OwnTicket 1.0 - 'TicketID' SQL Injection
Exploit Title: OwnTicket 1.0 - 'TicketID' SQL Injection Dork: N/A Date: 2018-10-18 Exploit Author: Ihsan Sencan Vendor Homepage: https://ownticket.sourceforge.io/ Software Link: https://sourceforge.net/projects/ownticket/files/latest/download Version: 1.0 Category: Webapps Tested on:...
TP-Link TL-SC3130 1.6.18 - RTSP Stream Disclosure
Exploit Title: TP-Link TL-SC3130 1.6.18 - RTSP Stream Disclosure Author: Gjoko 'LiquidWorm' Krstic @zeroscience Date: 2018-10-17 Vendor: TP-LINK Technologies Co., Ltd. Product web page: http://www.tp-link.com Affected version: 1.6.18P12121101 Tested on: Boa/0.94.14rc21 CVE: N/A References: Adviso...
BigTree CMS 4.2.23 - Cross-Site Scripting
Exploit Title: BigTree CMS 4.2.23 - Cross-Site Scripting Date: 2018-10-15 Exploit Author: Ismail Tasdelen Vendor Homepage: https://www.bigtreecms.org/ Software Link : https://github.com/bigtreecms/BigTree-CMS/ Software : BigTree CMS Version : 4.2.23 Vulernability Type : Cross-site Scripting...
Time and Expense Management System 3.0 - 'table' SQL Injection
Exploit Title: Time and Expense Management System 3.0 - 'table' SQL Injection Dork: N/A Date: 2018-10-17 Exploit Author: Ihsan Sencan Vendor Homepage: http://www.initechs.com/ Software Link: http://sourceforge.net/projects/tems/files/latest Version: 3.0 Category: Webapps Tested on:...
Any Sound Recorder 2.93 - Buffer Overflow (SEH)
Exploit Title: Any Sound Recorder 2.93 - Buffer Overflow SEH Exploit Author: Abdullah Alic Discovery Date: 2018-10-16 Homepage: http://www.any-sound-recorder.com Software Link: http://www.any-sound-recorder.com/anysoundrecorder.exe Version: 2.93 Tested on: Windows XP Professional sp3 ENG Steps to...
FLIR AX8 Thermal Camera 1.32.16 - Hard-Coded Credentials
Exploit Title: FLIR AX8 Thermal Camera 1.32.16 - Hard-Coded Credentials Author: Gjoko 'LiquidWorm' Krstic @zeroscience Date: 2018-10-14 Vendor: FLIR Systems, Inc Product web page: https://www.flir.com Affected version: Firmware: 1.32.16, 1.17.13, OS: necov1.8-0-g7ffe5b3 Hardware: Flir Systems Nec...
Time and Expense Management System 3.0 - Cross-Site Request Forgery (Add Admin)
Exploit Title: Time and Expense Management System 3.0 - Cross-Site Request Forgery Add Admin Dork: N/A Date: 2018-10-17 Exploit Author: Ihsan Sencan Vendor Homepage: http://www.initechs.com/ Software Link: http://sourceforge.net/projects/tems/files/latest Version: 3.0 Category: Webapps Tested on:...
Solaris - RSH Stack Clash Privilege Escalation (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Solaris RSH Stack Clash Privilege Escalation', 'Description' = %q This module exploits a vulnerability in RSH on unpatched Solaris systems which...
HotelDruid 2.2.4 - 'anno' SQL Injection
Exploit Title: HotelDruid 2.2.4 - 'anno' SQL Injection Dork: N/A Date: 2018-10-13 Exploit Author: Ihsan Sencan Vendor Homepage: http://www.hoteldruid.com/ Software Link: http://www.hoteldruid.com/en/download.html Version: 2.2.4 Category: Webapps Tested on: WiN7x64/KaLiLinuXx64 CVE: N/A POC: 1...
Library CMS 2.1.1 - Cross-Site Scripting
Exploit Title: Library CMS 2.1.1 - Cross-Site Scripting Date: 2018-10-15 Exploit Author: Ismail Tasdelen Vendor Homepage: https://kaasoft.pro/ Software Link : https://library.kaasoft.pro/ Software : Library CMS - Powerful Book Management System Version : v 2.1.1 Vulernability Type : Cross-site...
Git Submodule - Arbitrary Code Execution
CVE-2018-17456 I've gotten a couple of questions about exploitation for the recent RCE in Git. So here we go with some technical details. TL;DR Here is a PoC repository. EDB Note: Mirror https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/45631.zip Exploitation The...
Rukovoditel Project Management CRM 2.3 - 'path' SQL Injection
Exploit Title: Rukovoditel Project Management CRM 2.3 - 'path' SQL Injection Dork: N/A Date: 2018-10-15 Exploit Author: Ihsan Sencan Vendor Homepage: https://www.rukovoditel.net/ Software Link: https://www.rukovoditel.net/download.php Version: 2.3 Category: Webapps Tested on: WiN7x64/KaLiLinuXx64...
Navigate CMS 2.8.5 - Arbitrary File Download
Exploit Title: Navigate CMS 2.8.5 - Arbitrary File Download Dork: N/A Date: 2018-10-13 Exploit Author: Ihsan Sencan Vendor Homepage: https://www.navigatecms.com/ Software Link: http://master.dl.sourceforge.net/project/navigatecms/releases/navigate-2.8.5r1355.zip Version: 2.8.5 Category: Webapps...
Microsoft Windows - 'FSCTL_FIND_FILES_BY_SID' Information Disclosure
Windows: FSCTLFINDFILESBYSID Information Disclosure Platform: Windows 10 1709, 1803 Class: Information Disclosure / Elevation of Privilege Summary: The FSCTLFINDFILESBYSID control code doesn’t check for permissions to list a directory leading to disclosure of file names when a user is not granted...
VLC Media Player - MKV Use-After-Free (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'VLC Media Player MKV Use After Free', 'Description' = %q This module exploits a use after free vulnerability in VideoLAN VLC = MSFLICENSE, 'Autho...
GIU Gallery Image Upload 0.3.1 - 'category' SQL Injection
Exploit Title: GIU Gallery Image Upload 0.3.1 - 'category' SQL Injection Dork: N/A Date: 2018-10-16 Exploit Author: Ihsan Sencan Vendor Homepage: http://tradesouthwest.com Software Link: https://sourceforge.net/projects/giugalleryimageupload/ Version: 0.3.1 Category: Webapps Tested on:...