47904 matches found
Canon LBP6030w - Authentication Bypass
Canon LBP6030w - Authentication Bypass. CVE-2018-12049. Webapps exploit for Hardware platform Exploit Title: Canon LBP6030w - Authentication Bypass Date: 2018-06-07 Exploit Author: Huy Kha Vendor Homepage: http://global.canon.com Version: LBP6030w Severity: High Leads to full System Manager Mode...
Joomla! Component EkRishta 2.10 - 'username' SQL Injection
Exploit Title: Joomla! Component EkRishta 2.10 - 'username' SQL Injection Date: 2018-06-11 Exploit Author: L0RD Software Link: https://extensions.joomla.org/extension/ek-rishta/ Vendor Homepage: https://www.joomlaextensions.co.in/ Version: 2.10 Tested on: Win 10 POC : SQLi : Parameter : username...
Canon PrintMe EFI - Cross-Site Scripting
Title: Canon PrintMe EFI - Cross-Site Scripting Date: 9.6.2018-06-09 Exploit Author: Huy Kha Vendor Homepage: https://www.efi.com/ Version: Canon PrintMe EFI Tested on: Mozilla FireFox CVE: CVE-2018-12111 XSS Payload used: '"--! PoC GET...
WordPress Plugin Google Map < 4.0.4 - SQL Injection
Title: WordPress Google Map Plugin getresults Vulnerable Variable: $GET'order' Vulnerable URL: http://vulnerablesite.com/wp-admin/admin.php?page=wpgmpmanagelocation&orderby=locationaddress&order=asc PROCEDURE ANALYSEEXTRACTVALUE4242,CONCAT0x42,BENCHMARK42000000,MD50x42424242,42 SQL injection...
OX App Suite 7.8.4 - Multiple Vulnerabilities
Product: OX App Suite Vendor: OX Software GmbH Internal reference: 55872 Bug ID Vulnerability type: Cross-Site Scripting CWE-80 Vulnerable version: 7.8.4 and earlier Vulnerable component: frontend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.6.3-rev30, 7.8.2-rev3...
WordPress Plugin Ultimate Form Builder Lite < 1.3.7 - SQL Injection
Title: WordPress Ultimate Form Builder Lite Plugin getrow Vulnerable Variable: $POST'entryid' Vulnerable URL: http://vulnerablesite.com/wp-admin/admin-ajax.php Vulnerable POST body: entryid=ExploitCodeHere&wpnonce=xxx&action=ufblgetentrydetailaction Disclosure Timeline 2018/06/01 Vulnerabilities...
Canon LBP7110Cw - Authentication Bypass
Canon LBP7110Cw - Authentication Bypass. CVE-2018-12048. Webapps exploit for Hardware platform Exploit Title: Canon LBP7110Cw - Authentication Bypass Date: 2018-06-07 Exploit Author: Huy Kha Vendor Homepage: http://global.canon.com Version: LBP7110Cw CVE: CVE-2018-12049 Severity: High Leads to fu...
Schools Alert Management Script - Arbitrary File Deletion
Exploit Title: Schools Alert Management Script - Arbitrary File Deletion Date: 2018-06-07 Vendor Homepage: https://www.phpscriptsmall.com/ Software Link: https://www.phpscriptsmall.com/product/schools-alert-management-system/ Category: Web Application Exploit Author: M3@Pandas Web:...
WordPress Plugin Pie Register < 3.0.9 - Blind SQL Injection
Title: WordPress Plugin Pie Register order = escsql $order ; IV. PROOF OF CONCEPT The following URL have been confirmed to all suffer from Time Based SQL Injection. GET /wordpress/wp-admin/admin.php?page=pie-invitation-codes&orderby=name&order=desc original GET...
Joomla! Component EkRishta 2.10 - 'cid' SQL Injection
Exploit Title: Joomla! Component Ek Rishta 2.10 - SQL Injection Dork: N/A Date: 08.06.2018 Vendor Homepage: https://www.joomlaextensions.co.in/ Software Link: https://extensions.joomla.org/extension/ek-rishta/ Version: 2.10 Tested on: WiN7x64/ video : https://youtu.be/UWGFVUU9AU0 Exploit Author:...
Schools Alert Management Script - SQL Injection
Exploit Title: Schools Alert Management Script - SQL Injection Date: 2018-06-07 Vendor Homepage: https://www.phpscriptsmall.com/ Software Link: https://www.phpscriptsmall.com/product/schools-alert-management-system/ Category: Web Application Exploit Author: M3@Pandas Web:...
Event Manager Admin panel - 'events_new.php' SQL injection
Exploit Title: Event Manager PHP Script Admin panel - 'eventsnew.php' SQL injection Date: 2018-06-10 Exploit Author: telahdihapus Vendor Homepage: https://codecanyon.net/user/ezcode Software Link: https://codecanyon.net/item/eventmanager-php-script-admin-panel/21280741 Tested on: windows 10 1...
Schools Alert Management Script - Arbitrary File Read
Exploit Title: Schools Alert Management Script - Arbitrary File Read Date: 2018-06-07 Vendor Homepage: https://www.phpscriptsmall.com/ Software Link: https://www.phpscriptsmall.com/product/schools-alert-management-system/ Category: Web Application Exploit Author: M3@Pandas Web:...
WebKitGTK+ < 2.21.3 - 'WebKitFaviconDatabase' Denial of Service (Metasploit)
Title: WebKitGTK+ "WebKitGTK+ WebKitFaviconDatabase DoS", 'Description' = %q This module exploits a vulnerability in WebKitFaviconDatabase when pageURL is unset. If successful, it could lead to application crash, resulting in denial of service. , 'License' = MSFLICENSE, 'Author' = 'Dhiraj Mishra'...
Siaberry 1.2.2 - Command Injection
Siaberry's Command Injection Vulnerability Today, I’d like to share several interesting vulnerabilities I discovered in Siaberry, a hardware device for earning cryptocurrency. Siaberry runs on Sia, a decentralized marketplace for buying and selling data storage. The device is intended to give...
Schools Alert Management Script - 'get_sec.php' SQL Injection
Exploit Title: Schools Alert Management Script - 'getsec.php' SQL Injection Date: 2018-06-07 Vendor Homepage: https://www.phpscriptsmall.com/ Software Link: https://www.phpscriptsmall.com/product/schools-alert-management-system/ Category: Web Application Exploit Author: M3@Pandas Web:...
userSpice 4.3.24 - 'X-Forwarded-For' Cross-Site Scripting
Exploit Title: userSpice 4.3.24 - 'X-Forwarded-For' Cross-Site Scripting Date: 2018-06-10 Author: Dolev Farhi Vendor or Software Link: www.userspice.com Version: 4.3.24 Tested on: Ubuntu Payload will get executed when admin visits the audit log page !/usr/bin/perl use strict; use LWP::UserAgent;...
userSpice 4.3.24 - Username Enumeration
Exploit Title: userSpice 4.3.24 - Username Enumeration Date: 2018-06-10 Author: Dolev Farhi Vendor or Software Link: www.userspice.com Version: 4.3.24 Tested on: Ubuntu import sys import os.path import requests print"+ UserSpice 4.3.24 Username Enumeration" if lensys.argv != 3: print 'Usage:',...
Google Chrome - Integer Overflow when Processing WebAssembly Locals
/ When v8 decodes the locals of a function, it performs a check: if count + typelist-size kV8MaxWasmFunctionLocals decoder-errordecoder-pc - 1, "local count too large"; return false; On a 32-bit platform, this check can be bypassed due to an integer overflow. This allows the number of function...
WebKit - WebAssembly Compilation Info Leak
arrayBufferView-vector : staticcastarrayBuffer-impl-data; If the source buffer is a view DataView or TypedArray, arrayBufferView-vector is returned. The vector method returns the start of the data in the buffer, including any offset. However, the function createSourceBufferFromValue copies the...
TrendMicro OfficeScan XG 11.0 - Change Prevention Bypass
Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/TRENDMICRO-OFFICESCAN-XG-v11.0-UNAUTHORIZED-CHANGE-PREVENTION-SERVICE-BYPASS.txt + ISR: Apparition Security Greetz: indoushka|Eduardo|Dirty0tis Vendor: =============...
WebRTC - VP9 Frame Processing Out-of-Bounds Memory Access
There is a missing check in VP9 frame processing that could lead to memory corruption. In the file videocoding/rtpframereferencefinder.cc, the function RtpFrameReferenceFinder::ManageFrameVp9 fetches the GofInfo based on a picidx parsed from the incoming packet header. If the incoming frame is of...
XiongMai uc-httpd 1.0.0 - Buffer Overflow
Exploit Title: XiongMai uc-httpd 1.0.0 - Buffer Overflow Date: 2018-06-08 Exploit Author: Andrew Watson Software Version: XiongMai uc-httpd 1.0.0 Vendor Homepage: http://www.xiongmaitech.com/en/ Tested on: KKMoon DVR running XiongMai uc-httpd 1.0.0 on TCP/81 CVE ID: CVE-2018-10088 DISCLAIMER: Thi...
Splunk < 7.0.1 - Information Disclosure
Exploit Title: Splunk 7.0.1 - Information Disclosure Date: 2018-05-23 Exploit Author: KoF2002 Vendor Homepage: https://www.splunk.com/ Version: 6.2.3 - 7.01 MAYBE ALL VERSION AFFECTED Tested on: Linux OS CVE : CVE-2018-11409 Splunk through 6.2.3 7.0.1 allows information disclosure by appending...
WebRTC - VP9 Missing Frame Processing Out-of-Bounds Memory Access
There is a missing check in VP9 frame processing that could lead to memory corruption. In the file videocoding/rtpframereferencefinder.cc, the function RtpFrameReferenceFinder::MissingRequiredFrameVp9 contains the following code: sizet temporalidx = info.gof-temporalidxgofidx; ... for sizet l = 0...
WebKit - Use-After-Free when Resuming Generator
!-- In WebKit, resuming a generator is implemented in JavaScript. An internal object property, @generatorState is used to prevent recursion within generators. In GeneratorPrototype.js, the state is checked by calling: var state = this.@generatorState; and set by calling: generator.@generatorState...
Linux/ARM - Egghunter (0x50905090) + execve('/bin/sh') Shellcode (60 bytes)
Linux/ARM - Egghunter 0x50905090 + execve'/bin/sh' Shellcode 60 bytes. Shellcode exploit for ARM platform / Title: Linux/ARM - Memsafe egghunter 0x50905090 + execve"/bin/sh". Null free shellcode 60 bytes Date: 2018-06-06 Tested: armv7l Raspberry Pi v3 and armv6l Raspberry Pi Zero W Author: rtmcx ...
Gnome Web (Epiphany) < 3.28.2.1 - Denial of Service
Title: Gnome Web/Epiphany Browser libephymain.so in GNOME WEB/Epiphany PoC: b1tch3z = window.open"https://www.google.com", "bl1ngbl1ng", "width=250,height=250"; b1tch3z.document.write"ua b1tch3z"; // https://github.com/undergroundagency // https://github.com/ldpreload Video PoC:...
WampServer 3.0.6 - Cross-Site Request Forgery
Exploit Title: WampServer 3.0.6 - Cross-Site Request Forgery Date: 2018-06-11 Exploit Author: L0RD Software Link: https://ufile.io/gpqh9 Vendor Homepage: http://www.wampserver.com/en/ Version: 3.0.6 - 64bit Tested on: Win 10 Description : An issue was discovered in WampServer 3.0.6 which allows a...
WordPress Plugin Form Maker 1.12.24 - SQL Injection
Title: WordPress Form Maker Plugin 1.12.24 - SQL Injection Date: 2018-06-07 Author: Neven Biruski Software: WordPress Form Maker plugin https://wordpress.org/plugins/form-maker/ Version: 1.12.24 and below Vendor Status: Vendor contacted, update released The easiest way to reproduce the SQL...
WordPress Plugin Contact Form Maker 1.12.20 - SQL Injection
Title: WordPress Contact Form Maker Plugin 1.12.20 - SQL Injection Date: 2018-06-07 Author: Neven Biruski Software: WordPress Contact Form Maker plugin Software link: https://wordpress.org/plugins/contact-form-maker/ Version: 1.12.20 and below The easiest way to reproduce the SQL injection...
Ftp Server 1.32 - Credential Disclosure
Exploit Title: Ftp Server 1.32 - Credential Disclosure Date: 2018-05-29 Software Link: https://play.google.com/store/apps/details?id=com.theolivetree.ftpserver Version: 1.32 Android App Vendor: The Olive Tree Exploit Author: ManhNho CVE: N/A Category: Mobile Apps Tested on: Android 4.4 Descriptio...
Monstra CMS < 3.0.4 - Cross-Site Scripting (1)
Title: Monstra CMS www.target.com' url = input'Target : ' print' Required admin's PHPSESSID.' PHPSESSID = input'PHPSESSID : ' pagename = input'Pagename : ' script = input'Script : ' target = 'http://' + url + '/admin/index.php?id=pages&action=addpage' cookie = 'PHPSESSID':PHPSESSID data =...
Canon MF210/MF220 - Authenticaton Bypass
Canon MF210/MF220 - Authenticaton Bypass. CVE-2018-11711. Webapps exploit for Hardware platform Exploit Title: Incorrect Access Control in Canon MF210 & MF220 Series Date: 4.6.2018 Exploit Author: Huy Kha Vendor Homepage: http://global.canon.com Software Link: Website Version: MF210 & MF20 Series...
Canon LBP6650/LBP3370/LBP3460/LBP7750C - Authenticaton Bypass
Canon LBP6650/LBP3370/LBP3460/LBP7750C - Authenticaton Bypass. CVE-2018-11692. Webapps exploit for Hardware platform Exploit Title: Incorrect Access Control in Canon LBP6650, LBP3370, LBP3460, LBP7750C Date: 3.6.2018 Exploit Author: Huy Kha Vendor Homepage: http://global.canon.com Software Link:...
Apple macOS Kernel - Use-After-Free Due to Lack of Locking in nvidia GeForce Driver
/ nvDevice::SetAppSupportBits is external method 0x107 of the nvAccelerator IOService. It calls taskdeallocate without locking. Two threads can race calling this external method to drop two task references when only one is held. Note that the repro forks a child which give the nvAccelerator a...
Apple macOS/iOS Kernel - Heap Overflow Due to Lack of Lower Size Check in getvolattrlist
/ getvolattrlist takes a user controlled bufferSize argument via the fgetattrlist syscall. When allocating a kernel buffer to serialize the attr list to there's the following comment: / Allocate a target buffer for attribute results. Note that since we won't ever copy out more than the caller...
PHP 7.2.2 - 'php_stream_url_wrap_http_ex' Buffer Overflow
Description: ------------ The latest PHP distributions contain a memory corruption bug while parsing malformed HTTP response packets. Vulnerable code at: phpstreamurlwraphttpex /home/weilei/php-7.2.2/ext/standard/httpfopenwrapper.c:723 if tmplinetmplinelen - 1 == '\n' --tmplinelen; if...
XNU Kernel - Heap Overflow Due to Bad Bounds Checking in MPTCP
mptcpusrconnectx is the handler for the connectx syscall for the APMULTIPATH socket family. The logic of this function fails to correctly handle source and destination sockaddrs which aren't AFINET or AFINET6: // verify salen for AFINET: if dst-safamily == AFINET && dst-salen !=...
10-Strike Network Inventory Explorer 8.54 - 'Registration Key' Buffer Overflow (SEH)
Exploit Title: 10-Strike Network Inventory Explorer 8.54 - 'Registration Key' Buffer Overflow SEH Exploit Author: Hashim Jawad - ihack4falafelx Date: 2018-06-05 Vendor Homepage: https://www.10-strike.com/ Vulnerable Software:...
10-Strike Network Inventory Explorer 8.54 - Local Buffer Overflow (SEH)
Exploit Title : 10-Strike Network Inventory Explorer 8.54 - Local Buffer Overflow SEH Exploit Author : Hashim Jawad - ihack4falafel Vendor Homepage : https://www.10-strike.com/ Vulnerable Software: https://www.10-strike.com/networkinventoryexplorer/network-inventory-setup.exe Tested on : Windows ...
WebKitGTK+ < 2.21.3 - Crash (PoC)
Title: WebKitGTK+ win = window.open"sleeponesecond.php", "WIN"; window.open"https://www.paypal.com", "WIN"; win.document.execCommand'Stop'; win.document.write"Spoofed URL"; win.document.close; Backtrace using fedora 27: 0 WTF::StringImpl::rawHash at...
MyBB Recent Threads Plugin 1.0 - Cross-Site Scripting
Exploit Title: MyBB Recent Threads Plugin v1.0 - Cross-Site Scripting Date: 6/2/2018 Author: 0xB9 Twitter: @0xB9Sec Contact: 0xB9atpm.me Software Link: https://community.mybb.com/mods.php?action=view&pid=842 Version: 1.0 Tested on: Ubuntu 18.04 CVE: CVE-2018-11715 1. Description: Creates a page...
Clone2GO Video converter 2.8.2 - Buffer Overflow
!/usr/bin/python ---------------------------------------------------------------------------------------------------------------------- Exploit Title : Clone 2 GO Video converter 2.8.2 Unicode Buffer Overflow Remote Code Execution Exploit Author : Gokul Babu Organisation : Arridae Infosec P.V Ltd...
Pagekit < 1.0.13 - Cross-Site Scripting Code Generator
Title: Pagekit ' + code + '' f = openname, 'w+' f.writecode f.close if name == 'main': print''' / \ \ / / | | \ / / | / / | | / / | || | | | \ \ / /| | | | | | |/ \ | | | | ' | || | | | \ V / | ||/ /| || | | || | | | | | | / || ||/||/ |||/ / || Author : DEEPIN2Junseo Lee''' print' enter...
WebKit - not_number defineProperties UAF (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'WebKit notnumber defineProperties UAF', 'Description' = %q This module exploits a UAF vulnerability in WebKit's JavaScriptCore library. , 'Licens...
Linux Kernel < 4.16.11 - 'ext4_read_inline_data()' Memory Corruption
ext4 can store data for small regular files as "inline data", meaning that the data is stored inside the corresponding inode instead of in separate blocks. Inline data is stored in two places: The first 60 bytes go in the iblock field in the inode which normally contains a list of blocks instead,...
Jenkins Mailer Plugin < 1.20 - Cross-Site Request Forgery (Send Email)
Exploit Title : Jenkins mailer plugin \ '+table'covermessage'+'' s = smtplib.SMTPtable'smtpserver' s.starttls s.logintable'lid', table'lpw' s.sendmailmsg'From', msg'To', msg.asstring def urlset : url = strinput"Jenkins Server's UR...
10-Strike Network Scanner 3.0 - Local Buffer Overflow (SEH)
Exploit Title: 10-Strike Network Scanner 3.0 - Local Buffer Overflow SEH Exploit Author: Hashim Jawad - ihack4falafel Date: 2018-06-05 Vendor Homepage: https://www.10-strike.com/ Vulnerable Software: https://www.10-strike.com/network-scanner/network-scanner.exe Tested on: Windows XP Professional ...
Brother HL Series Printers 1.15 - Cross-Site Scripting
Exploit Title: XSS at Brother HL series printers Date: 30.05.2018 Exploit Author: Huy Kha Vendor Homepage: http://support.brother.com Software Link: Website Version: Brother HL series printers. Tested on: Mozilla FireFox Reflected XSS Payload : "--!" Description : Starting searching for printers...