47904 matches found
MyBB New Threads Plugin 1.1 - Cross-Site Scripting
Exploit Title: MyBB New Threads Plugin - Cross-Site Scripting Date: 7/16/2018 Author: 0xB9 Twitter: @0xB9Sec Contact: 0xB9atpm.me Software Link: https://community.mybb.com/mods.php?action=view&pid=1143 Version: 1.1 Tested on: Ubuntu 18.04 CVE: CVE-2018-14392 1. Description: New Threads is a plugi...
WordPress Plugin All In One Favicon 4.6 - (Authenticated) Cross-Site Scripting
Exploit Title: WordPress Plugin All In One Favicon = 4.6 - Authenticated Multiple XSS Persistent Date: 2018-07-10 Exploit Author: Javier Olmedo Website: https://hackpuntes.com/ Vendor Homepage: http://www.techotronic.de/ Software Link: https://wordpress.org/plugins/all-in-one-favicon/ Version/s:...
Google Chrome - Swiftshader Blitting Floating-Point Precision Errors
getInternalFormat == FORMATNULL return; ifblitReactorsource, sourceRect, dest, destRect, options return; SliceRectF sRect = sourceRect; SliceRect dRect = destRect; bool flipX = destRect.x0 destRect.x1; bool flipY = destRect.y0 destRect.y1; ifflipX swapdRect.x0, dRect.x1; swapsRect.x0, sRect.x1;...
Smart SMS & Email Manager 3.3 - 'contact_type_id' SQL Injection
Exploit Title: Smart SMS & Email Manager v3.3 - SQL Injection Google Dork: N/A Date: 17.07.2018 Exploit Author: Özkan Mustafa Akkuş AkkuS Vendor Homepage: https://codecanyon.net/item/smart-sms-email-manager-ssem/14817919 Version: 3.3 Tested on: Kali linux...
FTP2FTP 1.0 - Arbitrary File Download
Exploit Title: FTP2FTP 1.0 - Arbitrary File Download Dork: N/A Date: 18.07.2018 Exploit Author: Özkan Mustafa Akkuş AkkuS Vendor Homepage: https://codecanyon.net/item/ftp2ftp-server-to-server-file-transfer-php-script/21972395 Version: 1.0 Category: Webapps Tested on: Kali linux Description : The...
Open-AudIT Community 2.1.1 - Cross-Site Scripting
Exploit Title: Open-AudIT Community - 2.1.1 - Cross Site Scripting Vulnerability Google Dork:NA Exploit Author: Ranjeet Jaiswal Vendor Homepage: https://opmantek.com/ Software Link:http://dl-openaudit.opmantek.com/OAE-Win-x8664- release2.2.1.exe Affected Version: 2.1.1 Category: WebApps Tested on...
HomeMatic Zentrale CCU2 - Remote Code Execution
Exploit Title: HomeMatic Zentrale CCU2 Unauthenticated RCE Date: 16-07-2018 Software Link: https://www.homematic.com/ Exploit Author: Kacper Szurek - ESET Contact: https://twitter.com/KacperSzurek Website: https://security.szurek.pl/ YouTube: https://www.youtube.com/c/KacperSzurek Category: remot...
Modx Revolution < 2.6.4 - Remote Code Execution
Exploit Title: Modx Revolution ' if requests.get target + '/connectors/system/phpthumb.php', verify=verify.statuscode != 404: printFore.GREEN + '/connectors/system/phpthumb.php - found' url = target + '/connectors/system/phpthumb.php' payload = 'ctx': 'web', 'cachefilename': '../../payload.php'...
Linux/x64 - Reverse (::1:1337/TCP) + IPv6 + Password (pwnd) Shellcode (115 bytes)
Linux/x64 - Reverse ::1:1337/TCP + IPv6 + Password pwnd Shellcode 115 bytes. Shellcode exploit for Linuxx86-64 platform / ; Title : Reverse Shell IPv6 with Password - Shellcode ; Author : Hashim Jawad @ihack4falafel ; OS : Linux kali 4.15.0-kali2-amd64 1 SMP Debian 4.15.11-1kali1 2018-03-21 x8664...
Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Remote Root
Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Remote Root Exploit Vendor: Microhard Systems Inc. Product web page: http://www.microhardcorp.com Affected version: IPn4G 1.1.0 build 1098 IPn3Gb 2.2.0 build 2160 IPn4Gb 1.1.6 build 1184-14 IPn4Gb 1.1.0 Rev 2 build 1090-2 IPn4Gb 1.1.0 R...
Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Cross-Site Request Forgery
Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway CSRF Vulnerabilities Vendor: Microhard Systems Inc. Product web page: http://www.microhardcorp.com Affected version: IPn4G 1.1.0 build 1098 IPn3Gb 2.2.0 build 2160 IPn4Gb 1.1.6 build 1184-14 IPn4Gb 1.1.0 Rev 2 build 1090-2 IPn4Gb 1.1.0...
Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Configuration Download
Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Configuration Download Vendor: Microhard Systems Inc. Product web page: http://www.microhardcorp.com Affected version: IPn4G 1.1.0 build 1098 IPn3Gb 2.2.0 build 2160 IPn4Gb 1.1.6 build 1184-14 IPn4Gb 1.1.0 Rev 2 build 1090-2 IPn4Gb 1.1....
Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Denial of Service
Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Service Control DoS Vendor: Microhard Systems Inc. Product web page: http://www.microhardcorp.com Affected version: IPn4G 1.1.0 build 1098 IPn3Gb 2.2.0 build 2160 IPn4Gb 1.1.6 build 1184-14 IPn4Gb 1.1.0 Rev 2 build 1090-2 IPn4Gb 1.1.0 R...
Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Restricted Shell Escape
Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Backdoor Jailbreak Vendor: Microhard Systems Inc. Product web page: http://www.microhardcorp.com Affected version: IPn4G 1.1.0 build 1098 IPn3Gb 2.2.0 build 2160 IPn4Gb 1.1.6 build 1184-14 IPn4Gb 1.1.0 Rev 2 build 1090-2 IPn4Gb 1.1.0 Re...
Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Default Credentials
Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Default Credentials Vendor: Microhard Systems Inc. Product web page: http://www.microhardcorp.com Affected version: IPn4G 1.1.0 build 1098 IPn3Gb 2.2.0 build 2160 IPn4Gb 1.1.6 build 1184-14 IPn4Gb 1.1.0 Rev 2 build 1090-2 IPn4Gb 1.1.0 R...
Nanopool Claymore Dual Miner - APIs Remote Code Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core/exploit/powershell' class MetasploitModule 'Nanopool Claymore Dual Miner APIs RCE', 'Description' = %q This module takes advantage of miner remote...
Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - File Manipulation
Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Arbitrary File Attacks Vendor: Microhard Systems Inc. Product web page: http://www.microhardcorp.com Affected version: IPn4G 1.1.0 build 1098 IPn3Gb 2.2.0 build 2160 IPn4Gb 1.1.6 build 1184-14 IPn4Gb 1.1.0 Rev 2 build 1090-2 IPn4Gb 1.1....
QNAP Q'Center - 'change_passwd' Command Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "QNAP Q'Center changepasswd Command Execution", 'Description' = %q This module exploits a command injection vulnerability in the changepasswd API...
Linux/ARM - Bind (1234/TCP) Shell (/bin/sh) Shellcode (104 bytes)
Linux/ARM - Bind 1234/TCP Shell /bin/sh Shellcode 104 bytes. Shellcode exploit for ARM platform / Copyright © 2017 Odzhan. All Rights Reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1...
Fortify Software Security Center (SSC) 17.x/18.1 - XML External Entity Injection
Details ================ Software: Fortify SSC Software Security Center Version: 17.10, 17.20 & 18.10 Homepage: https://www.microfocus.com Advisory report: https://github.com/alt3kx/CVE-2018-12463 CVE: CVE-2018-12463 at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12463 CVSS: HIGH...
Microsoft Enterprise Mode Site List Manager - XML External Entity Injection
Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-ENTERPRISE-MODE-SITE-LIST-MANAGER-XXE.txt + ISR: Apparition Security Greetz: indoushka | Eduardo Vendor ============= www.microsoft Product ===========...
PrestaShop < 1.6.1.19 - 'BlowFish ECD' Privilege Escalation
!/usr/bin/env python3 PrestaShop = 1.6.1.19 Privilege Escalation Charles Fol 2018-07-10 See https://ambionics.io/blog/prestashop-privilege-escalation The condition for this exploit to work is for an employee to have the same password as a customer. The exploit will yield a valid employee cookie f...
VelotiSmart WiFi B-380 Camera - Directory Traversal
Title: Vulnerability in VelotiSmart Wifi - Directory Traversal Date: 12-07-2018 Scope: Directory Traversal Platforms: Unix Author: Miguel Mendez Z Vendor: VelotiSmart Version: B380 CVE: CVE-2018–14064 Vulnerability description ------------------------- - The vulnerability that affects the device ...
WordPress Plugin Job Manager 4.1.0 - Cross-Site Scripting
Exploit Title: Wordpress Plugin Job Manager v4.1.0 Stored Cross Site Scripting Google Dork: N/A Date: 2018-07-15 Exploit Author: Berk Dusunur & Selimcan Ozdemir Vendor Homepage: https://wpjobmanager.com Software Link: https://downloads.wordpress.org/plugin/wp-job-manager.latest-stable.zip Affecte...
PrestaShop < 1.6.1.19 - 'AES CBC' Privilege Escalation
!/usr/bin/env python3 PrestaShop = 1.6.1.19 AES Rijndael / opensslencrypt Cookie Read Charles Fol See https://ambionics.io/blog/prestashop-privilege-escalation This POC will reveal the content of an employee's cookie. By modifying it one can read/write any PrestaShop cookie. It is a simple paddin...
Linux (Ubuntu) - Other Users coredumps Can Be Read via setgid Directory and killpriv Bypass
/ Note: I am both sending this bug report to [email protected] and filing it in the Ubuntu bugtracker because I can't tell whether this counts as a kernel bug or as a Ubuntu bug. You may wish to talk to each other to determine the best place to fix this. I noticed halfdog's old writeup at...
macOS/iOS - JavaScript Injection Bug in OfficeImporter
QuickLook is a widely used feature in macOS/iOS which allows you to preview various formats such as pdf, docx, pptx, etc. The way it uses to show office files is quite interesting. First it parses the office file and converts it to HTML code using OfficeImport and renders it using WebKit. The...
Grundig Smart Inter@ctive 3.0 - Cross-Site Request Forgery
Exploit Title: Grundig Smart Inter@ctive 3.0 - Cross-Site Request Forgery Date: 2018-07-§3 Exploit Author: Ahmethan-Gultekin - t4rkd3vilz Vendor Homepage: https://www.grundig.com/ Software Link: https://play.google.com/store/apps/details?id=arcelik Version: Before Smart Inter@ctive 3.0 Tested on:...
Cela Link CLR-M20 2.7.1.6 - Arbitrary File Upload
Exploit Title: Cela Link CLR-M20 2.7.1.6 - Arbitrary File Upload Date: 2018-07-13 Shodan Dork: CLR-M20 Exploit Author: Safak Aslan Software Link: http://www.celalink.com Version: 2.7.1.6 CVE: 2018-15137 Authentication Required: No Tested on: Windows Vulnerability Description Due to the Via WebDAV...
Manage Engine Exchange Reporter Plus - Remote Code Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Manage Engine Exchange Reporter Plus Unauthenticated RCE', 'Description' = %q This module exploits a remote code execution vulnerability that...
WAGO e!DISPLAY 7300T - Multiple Vulnerabilities
SEC Consult Vulnerability Lab Security Advisory ======================================================================= title: Remote code execution via multiple attack vectors product: WAGO e!DISPLAY 7300T - WP 4.3 480x272 PIO1 vulnerable version: FW 01 - 01.01.1001 fixed version: FW 02 CVE...
Apache CouchDB - Arbitrary Command Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Apache CouchDB Arbitrary Command Execution', 'Description' = %q CouchDB administrative users can configure the database server via HTTPS. Some of...
Hadoop YARN ResourceManager - Command Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Hadoop YARN ResourceManager Unauthenticated Command Execution', 'Description' = %q This module exploits an unauthenticated command execution...
Microsoft Windows - POP/MOV SS Local Privilege Elevation (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core/post/common' require 'msf/core/post/file' require 'msf/core/post/windows/priv' require 'msf/core/post/windows/registry' require 'msf/core/exploit/exe'...
G DATA Total Security 25.4.0.3 - Activex Buffer Overflow
'for debugging/custom prolog targetFile = "C:\Program Files\G DATA\TotalSecurity\ASK\GDASpam.dll" prototype = "Function IsBlackListed ByVal strIP As String As Long" memberName = "IsBl...
Zeta Producer Desktop CMS 14.2.0 - Remote Code Execution / Local File Disclosure
SEC Consult Vulnerability Lab Security Advisory ======================================================================= title: Remote Code Execution & Local File Disclosure product: Zeta Producer Desktop CMS vulnerable version: =14.2.1 CVE number: CVE-2018-13981, CVE-2018-13980 impact: critical...
phpMyAdmin - (Authenticated) Remote Code Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'phpMyAdmin Authenticated Remote Code Execution', 'Description' = %q phpMyAdmin v4.8.0 and v4.8.1 are vulnerable to local file inclusion, which ca...
QNAP Qcenter Virtual Appliance - Multiple Vulnerabilities
Core Security - Corelabs Advisory http://corelabs.coresecurity.com/ QNAP Qcenter Virtual Appliance Multiple Vulnerabilities 1. Advisory Information Title: QNAP Qcenter Virtual Appliance Multiple Vulnerabilities Advisory ID: CORE-2018-0006 Advisory URL:...
Microsoft Edge Chakra JIT - Type Confusion with Hoisted SetConcatStrMultiItemBE Instructions
/ Here's a PoC: / function optstr for let i = 0; i .var s9.var = LdSlot s32s18l53.var s7.var = LdSlot s20s18l51.var s8.var = LdSlot s19s18l52.var s1Object.var = LdA 0x7FFFF47A0000 GlobalObjectObject.var s2.var = LdCAI4 0 0x0.i32 s3.var = LdCAI4 200 0xC8.i32 s4.var = LdCAI4 1 0x1.i32 s5String.var ...
Microsoft Edge Chakra JIT - Out-of-Bounds Reads/Writes
/ It seems that this issue is similar to the issue 1429 MSRC 42111. It might need to refresh the page several times to observe a crash. PoC: / let arr = new Uint32Array1000; for let i = 0; i 0x1000000; i++ for let j = 0; j 1; j++ i--; i++; arri = 0x1234;...
Microsoft Edge Chakra JIT - BoundFunction::NewInstance Out-of-Bounds Read
/ BoundFunction::NewInstance is used to handle calls to a bound function. The method first allocates a new argument array and copies the prepended arguments and others into the new argument array and calls the actual function. The problem is, it doesn't care about the CallFlagsExtraArg flag which...
Awk to Perl 1.007-5 - Buffer Overflow (PoC)
Exploit Title: Awk to Perl 1.007-5 - Buffer Overflow PoC Author: Todor Donev Date: 2018-07-11 Software: Linux Awk to Perl Translator '/usr/bin/a2p' Version: 1.007-5 CVE: N/A Tested on: CentOS 6.9, Ubuntu 10 todor@adamantium $ python -c "print 'A' 2070" | a2p /dev/null Segmentation fault...
Instagram-Clone Script 2.0 - Cross-Site Scripting
Exploit Title: Instagram-clone Script 2.0 - Cross-Site Scripting Date: 2018-07-10 Exploit Author: L0RD Vendor Homepage: https://github.com/yTakkar/Instagram-clone Version: 2.0 CVE: CVE-2018-13849 Tested on: Kali linux POC : Persistent Cross site scripting : vulnerable file : editrequests.php...
Dicoogle PACS 2.5.0 - Directory Traversal
Exploit Title: Dicoogle PACS 2.5.0 - Directory Traversal Date: 2018-05-25 Software Link: http://www.dicoogle.com/home Version: Dicoogle PACS 2.5.0-201712291522 Category: webapps Tested on: Windows 2012 R2 Exploit Author: Carlos Avila Contact: http://twitter.com/badboynt 1. Description Dicoogle is...
IBM QRadar SIEM - Remote Code Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'securerandom' class MetasploitModule 'IBM QRadar SIEM Unauthenticated Remote Code Execution', 'Description' = %q IBM QRadar SIEM has three vulnerabilities in th...
JavaScript Core - Arbitrary Code Execution
// Load Int library, thanks saelo! load'util.js'; load'int64.js'; // Helpers to convert from float to in a few random places var conva = new ArrayBuffer8; var convf = new Float64Arrayconva; var convi = new Uint32Arrayconva; var convi8 = new Uint8Arrayconva; var floatarrmagic = new...
Elektronischer Leitz-Ordner 10 - SQL Injection
Title: Elektronischer Leitz-Ordner 10 - SQL Injection Author: Jens Regel, Schneider & Wulf EDV-Beratung GmbH & Co. KG Software: https://www.elo.com/en-de/ CVE: N/A Affected Products: ELOenterprise 10 ELO Access Manager = 10.17.120 ELOenterprise 9 ELO Access Manager = 9.17.120 ELOprofessional 10 E...
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation
/ Credit @bleidl, this is a slight modification to his original POC https://github.com/brl/grlh/blob/master/get-rekt-linux-hardened.c For details on how the exploit works, please visit https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html Tested on Ubuntu 16.04 with th...
D-Link DIR601 2.02 - Credential Disclosure
Exploit title: D-Link DIR601 2.02NA - Credential disclosure Date: 2018-07-10 Exploit Author: Richard Rogerson Vendor Homepage: http://ca.dlink.com/ Software Link: http://support.dlink.ca/ProductInfo.aspx?m=DIR-601 Version: = 2.02NA Tested on: D-Link DIR601 Firmware 2.02NA Contact:...
WolfSight CMS 3.2 - SQL Injection
Exploit Title: WolfSight CMS 3.2 - SQL Injection Google Dork: N/A Date: 2018-07-10 Exploit Author: Berk Dusunur & Zehra Karabiber Vendor Homepage: http://www.wolfsight.com Software Link: http://www.wolfsight.com Version: v3.2 Tested on: Parrot OS / WinApp Server CVE : N/A PoC Sql Injection...