Lending And Borrowing - 'pid' SQL Injection

Exploit Title: Lending And Borrowing Script - SQL Injection Dork: N/A Date: 22.09.2017 Vendor Homepage: http://www.i-netsolution.com/ Software Link: http://www.i-netsolution.com/product/lending-borrowing-script/ Demo: http://74.124.215.220/realfund/ Version: N/A Category: Webapps Tested on:...

Claydip Airbnb Clone 1.0 - Arbitrary File Upload

Exploit Title: Claydip Laravel Airbnb Clone 1.0 - Arbitrary File Upload Dork: N/A Date: 22.09.2017 Vendor Homepage: https://www.claydip.com/ Software Link: https://www.claydip.com/airbnb-clone.html Demo: https://www.claydip.com/airbnbdemo.html Version: N/A Category: Webapps Tested on:...

JitBit HelpDesk < 9.0.2 - Authentication Bypass

Exploit Title: JitBit HelpDesk = 9.0.2 Broken Authentication Google Dork: "Powered by Jitbit HelpDesk" -site:jitbit.com Date: 09/22/2017 Exploit Author: Rob Simon Kc57 - TrustedSec www.trustedsec.com Vendor Homepage: https://www.jitbit.com/helpdesk/ Download Link:...

Cash Back Comparison Script 1.0 - SQL Injection

!/usr/bin/perl -w Exploit Title: Cash Back Comparison Script 1.0 - SQL Injection Dork: N/A Date: 22.09.2017 Vendor Homepage: http://cashbackcomparisonscript.com/ Software Link: http://cashbackcomparisonscript.com/demo/features/ Demo: http://www.cashbackcomparison.info/ Version: 1.0 Category:...

PHP Auction Ecommerce Script 1.6 - SQL Injection

Exploit Title: PHP Auction Ecommerce Script v1.6 - SQL Injection Date: 2017-09-22 Exploit Author: 8bitsec Vendor Homepage: http://www.phpscriptsmall.com/ Software Link: http://www.phpscriptsmall.com/product/php-auction-ecommerce-script/ Version: 1.6 Tested on: Kali Linux 2.0 | Mac OS 10.12.6 Emai...

Multi Level Marketing - SQL Injection

Exploit Title: Multi Level Marketing Script - SQL Injection Dork: N/A Date: 22.09.2017 Vendor Homepage: http://www.i-netsolution.com/ Software Link: http://www.i-netsolution.com/product/multi-level-marketing-script/ Demo: http://74.124.215.220/advaemlm/ Version: N/A Category: Webapps Tested on:...

Stock Photo Selling 1.0 - SQL Injection

!/usr/bin/perl -w Exploit Title: Stock Photo Selling Script 1.0 - SQL Injection Dork: N/A Date: 21.09.2017 Vendor Homepage: http://sixthlife.net/ Software Link: http://sixthlife.net/product/stock-photo-selling-website/ Demo: http://www.photoreels.com/ Version: 1.0 Category: Webapps Tested on:...

Microsoft Edge - Chakra Incorrectly Parses Object Patterns

function f a: b = 0x1111, c = 0x2222, .c = 0x3333 = ; f;...

ERS Data System 1.8.1 - Java Deserialization

Exploit Title: ERS Data System 1.8.1 Deserialize Vulnerability Google Dork: N/A Date: 9/21/2017 Exploit Author: West Shepherd Vendor Homepage: http://www.ersdata.com Software Link: www.ersdata.com/downloads/ErsSetup.exe Version: 1.8.1.0 Tested on: Windows 7 x86 CVE : CVE-2017-14702 Description: E...

Microsoft Edge Chakra - 'JavascriptFunction::ReparseAsmJsModule' Incorrectly Re-parses

GetParseableFunctionInfo; AssertfunctionInfo; functionInfo-GetFunctionBody-AddDeferParseAttribute; functionInfo-GetFunctionBody-ResetEntryPoint; functionInfo-GetFunctionBody-ResetInParams; FunctionBody funcBody = functionInfo-ParsefunctionRef; if ENABLEPROFILEINFO // This is the first call to the...

PHPMyFAQ 2.9.8 - Cross-Site Scripting (1)

Exploit Title: phpMyFAQ 2.9.8 Stored XSS Vendor Homepage: http://www.phpmyfaq.de/ Software Link: http://download.phpmyfaq.de/phpMyFAQ-2.9.8.zip Exploit Author: Ishaq Mohammed Contact: https://twitter.com/securityprince Website: https://about.me/security-prince Category: webapps CVE: CVE-2017-1461...

Disk Pulse Enterprise 9.9.16 - GET Buffer Overflow (Metasploit)

This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Disk Pulse Enterprise GET Buffer Overflow', 'Description' = %q This module exploits an SEH buffer overflow in Disk Pulse Enterprise 9.9.16. If a...

Microsoft Edge Chakra - 'Parser::ParseCatch' Does Not Handle 'eval()' (Denial of Service)

PnodeBlockType::Regular, isPattern ? ScopeTypeCatchParamPattern : ScopeTypeCatch; ... ParseNodePtr pnodePattern = ParseDestructuredLiteraltkLET, true /isDecl/, true /topLevel/, DICForceErrorOnInitializer; ... 1. "pnodeCatchScope" is a temporary block used to create a scope, and it is not actually...

Microsoft Edge Chakra - Deferred Parsing Makes Wrong Scopes

GetFuncExprNameReference || funcInfo-funcExprScope && funcInfo-funcExprScope-GetIsObject ... Js::RegSlot ldFuncExprDst = sym-GetLocation; this-mwriter.Reg1Js::OpCode::LdFuncExpr, ldFuncExprDst; if sym-IsInSlotfuncInfo Js::RegSlot scopeLocation; AnalysisAssertfuncInfo-funcExprScope; if...

Linux Kernel < 4.13.1 - BlueTooth Buffer Overflow (PoC)

Exploit Title: BlueBorne - Proof of Concept - Unarmed/Unweaponized - DoS Crash only Date: 09/21/2017 Exploit Author: Marcin Kozlowski Version: Kernel version v3.3-rc1, and thus affects all version from there on Tested on: Linux 4.4.0-93-generic 116 CVE : CVE-2017-1000251 Provided for legal securi...

Android Bluetooth - 'Blueborne' Information Leak (2)

from pwn import import bluetooth if not 'TARGET' in args: log.info"Usage: CVE-2017-0785.py TARGET=XX:XX:XX:XX:XX:XX" exit target = args'TARGET' servicelong = 0x0100 serviceshort = 0x0001 mtu = 50 n = 30 def packetservice, continuationstate: pkt = '\x02\x00\x00' pkt += p167 + lencontinuationstate...

Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution (1)

E-DB Note: https://www.alphabot.com/security/blog/2017/java/Apache-Tomcat-RCE-CVE-2017-12617.html When running on Windows with HTTP PUTs enabled e.g. via setting the readonly initialisation parameter of the Default to false it was possible to upload a JSP file to the server via a specially crafte...

DenyAll WAF < 6.3.0 - Remote Code Execution (Metasploit)

This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "DenyAll Web Application Firewall Remote Code Execution", 'Description' = %q This module exploits the command injection vulnerability of DenyAll We...

Microsoft Edge 38.14393.1066.0 - Memory Corruption with Partial Page Loading

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1309 There is a security issue in Microsoft Edge related to how HTML documents are loaded. If Edge displays a HTML document from a slow HTTP server, it is possible that a part of the document is going to be rendered before the serv...

Microsoft Edge 38.14393.1066.0 - 'COptionsCollectionCacheItem::GetAt' Out-of-Bounds Read

function go select1.multiple = false; var optgroup = document.createElement"optgroup"; select1.addoptgroup; var options = select1.options; select2 = document.createElement"select"; textarea.setSelectionRange0,1000000; select1.length = 2; document.getElementsByTagName'option'0.appendChildtextarea;...

HPE < 7.2 - Java Deserialization

!/usr/bin/env python HPE/H3C IMC - Java Deserialization Exploit Version 0.1 Tested on Windows Server 2008 R2 Name HPE/H3C IMC Intelligent Management Center Java 1.8.091 Author: Raphael Kuhn Daimler TSS Special thanks to: Jan Esslinger @Hngan for the websphere exploit this one is based upon import...

Microsoft Windows Kernel - 'win32k.sys' '.TTF' Font Processing Out-of-Bounds Reads/Writes with Malformed 'fpgm' table 'win32k!bGeneratePath' (Denial of Service)

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1273 We have encountered a number of Windows kernel crashes in the win32k.sys driver while processing corrupted TTF font files. The most frequent one occurring for the bug reported here is as follows: --- PAGEFAULTINNONPAGEDAREA 50...

Apache < 2.2.34 / < 2.4.27 - OPTIONS Memory Leak

!/usr/bin/env python3 Optionsbleed proof of concept test by Hanno Böck import argparse import urllib3 import re def testbleedurl, args: r = pool.request'OPTIONS', url try: allow = strr.headers"Allow" except KeyError: return False if allow in dup: return dup.appendallow if allow == "": print"empty...

Microsoft Windows Kernel - 'win32k!NtGdiEngCreatePalette' Stack Memory Disclosure

/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1276&desc=2 We have discovered that the nt!NtGdiEngCreatePalette system call discloses large portions of uninitialized kernel stack memory to user-mode clients. This is caused by the fact that for palettes created in the PALINDEX...

Microsoft Windows Kernel - 'win32k.sys' '.TTF' Font Processing Out-of-Bounds Read with Malformed 'glyf' Table 'win32k!fsc_CalcGrayRow' (Denial of Service)

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1274 We have encountered a number of Windows kernel crashes in the win32k.sys driver while processing corrupted TTF font files: --- PAGEFAULTINNONPAGEDAREA 50 Invalid system memory was referenced. This cannot be protected by...

Digileave 1.2 - Cross-Site Request Forgery (Update Admin)

!/usr/local/bin/python Exploit Title: Digileave 1.2 - Cross-Site Request Forgery Update User & Admin Dork: N/A Date: 18.09.2017 Vendor Homepage: http://www.digiappz.com/ Software Link: http://www.digiappz.com/digileave.asp?id=1 Demo: http://www.digiappz.com/digileave/login.asp Version: 1.2...

Microsoft Windows Kernel - 'win32k!NtQueryCompositionSurfaceBinding' Stack Memory Disclosure

/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1307 We have discovered that the win32k!NtQueryCompositionSurfaceBinding system call discloses portions of uninitialized kernel stack memory to user-mode clients, as tested on Windows 10 32-bit. The output buffer, and the...

Microsoft Windows Kernel - 'win32k!NtGdiGetGlyphOutline' Pool Memory Disclosure

/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1267&desc=2 We have discovered that the win32k!NtGdiGetGlyphOutline system call handler may disclose large portions of uninitialized pool memory to user-mode clients. The function first allocates memory using...

iBall ADSL2+ Home Router - Authentication Bypass

Exploit Title: iBall ADSL2+ Home Router Authentication Bypass Vulnerability CVE: CVE-2017-14244 Date: 15-09-2017 Exploit Author: Gem George Author Contact: https://www.linkedin.com/in/gemgrge Vulnerable Product: iBall ADSL2+ Home Router WRA150N https://www.iball.co.in/Product/ADSL2--Home-Router/7...

Microsoft Windows Kernel - 'win32k!NtGdiDoBanding' Stack Memory Disclosure

/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1304 We have discovered that the win32k!NtGdiDoBanding system call discloses portions of uninitialized kernel stack memory to user-mode clients. More specifically, exactly 8 bytes of uninitialized kernel stack memory are copied t...

Microsoft Windows Kernel - 'nt!NtSetIoCompletion / nt!NtRemoveIoCompletion' Pool Memory Disclosure

/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1269 We have discovered that the nt!NtRemoveIoCompletion system call handler discloses 4 bytes of uninitialized pool memory to user-mode clients on 64-bit platforms. The bug manifests itself while passing the IOSTATUSBLOCK...

Digirez 3.4 - Cross-Site Request Forgery (Update Admin)

!/usr/local/bin/python Exploit Title: Digirez 3.4 - Cross-Site Request Forgery Update User & Admin Dork: N/A Date: 18.09.2017 Vendor Homepage: http://www.digiappz.com/ Software Link: http://www.digiappz.com/index.asp Demo: http://www.digiappz.com/room/index.asp Version: 3.4 Category: Webapps Test...

Microsoft Windows Kernel - 'win32k!NtGdiGetFontResourceInfoInternalW' Stack Memory Disclosure

/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1275 We have discovered that the nt!NtGdiGetFontResourceInfoInternalW system call discloses portions of uninitialized kernel stack memory to user-mode clients. This is caused by the fact that for user-specified output buffer size...

Microsoft Windows Kernel - 'win32k!NtGdiGetPhysicalMonitorDescription' Stack Memory Disclosure

/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1268 We have discovered that the nt!NtGdiGetPhysicalMonitorDescription system call discloses portions of uninitialized kernel stack memory to user-mode clients, on Windows 7 to Windows 10. This is caused by the fact that the...

DigiAffiliate 1.4 - Cross-Site Request Forgery (Update Admin)

!/usr/local/bin/python Exploit Title: DigiAffiliate 1.4 - Cross-Site Request Forgery Update Admin Dork: N/A Date: 18.09.2017 Vendor Homepage: http://www.digiappz.com/ Software Link: http://www.digiappz.com/digiaffiliate.asp?id=7 Demo: http://www.digiappz.com/digiaffiliate/login.asp Version: 1.4...

WordPress Plugin Content Timeline - SQL Injection

Exploit Title: Multiple Blind SQL Injections Wordpress Plugin: Content Timeline Google Dork: - Date: September 16, 2017 Exploit Author: Jeroen - ITNerdbox Vendor Homepage: http://www.shindiristudio.com/ Software Link:...

Netdecision 5.8.2 - Local Privilege Escalation

// Netdecision.cpp : Defines the entry point for the console application. / Exploit Title: Netdecision 5.8.2 - Local Privilege Escalation - Winring0x32.sys Date: 2017.09.17 Exploit Author: Peter Baris Vendor Homepage: www.netmechanica.com Software Link: http://www.netmechanica.com/downloads/...

UTStar WA3002G4 ADSL Broadband Modem - Authentication Bypass

Exploit Title: UTStar WA3002G4 ADSL Broadband Modem Authentication Bypass Vulnerability CVE: CVE-2017-14243 Date: 15-09-2017 Exploit Author: Gem George Author Contact: https://www.linkedin.com/in/gemgrge Vulnerable Product: UTStar WA3002G4 ADSL Broadband Modem Firmware version: WA3002G4-0021.01...

iTech Gigs Script 1.20 - 'cat' SQL Injection

Exploit Title: iTech Gigs Script v1.20 - SQL Injection Date: 2017-09-15 Exploit Author: 8bitsec Vendor Homepage: http://itechscripts.com/ Software Link: http://itechscripts.com/the-gigs-script/ Version: 1.20 Tested on: Kali Linux 2.0 | Mac OS 10.12.6 Email: [email protected] Contact:...

PTCEvolution 5.50 - SQL Injection

Exploit Title: PTCEvolution 5.50 - SQL Injection Dork: N/A Date: 15.09.2017 Vendor Homepage: http://ptcevolution.com/ Software Link: http://www.ptcevolution.com/demoo/ Demo: http://demo.ptcevolution.com/ Version: 5.50 Category: Webapps Tested on: WiN7x64/KaLiLinuXx64 CVE: N/A Exploit Author: Ihsa...

Contact Manager 1.0 - 'femail' SQL Injection

Exploit Title: Contact Manager 1.0 - SQL Injection Dork: N/A Date: 15.09.2017 Vendor Homepage: http://savsofteproducts.com/ Software Link: http://www.contactmanagerscript.com/download/contactmanager1380185909.zip Demo: http://contactmanagerscript.com/demo/ Version: 1.0 Category: Webapps Tested on...

Cloudview NMS 2.00b - Writable Directory Traversal Execution (Metasploit)

require 'msf/core' class MetasploitModule "Cloudview NMS 2.00b Writable Directory Traversal Execution", 'Description' = %q This module exploits a vulnerability found in Cloudview NMS server. The software contains a directory traversal vulnerability that allows a remote attacker to write arbitrary...

KingScada AlarmServer 3.1.2.13 - Remote Stack Buffer Overflow (Metasploit)

require 'msf/core' class MetasploitModule 'KingScada AlarmServer Stack Buffer Overflow', 'Description' = %q This module exploits a stack based buffer overflow found in KingScada 'James Fitts' , 'License' = MSFLICENSE, 'References' = 'CVE', '2014-0787' , 'ZDI', '14-071' , 'URL',...

Justdial Clone Script - 'fid' SQL Injection

Exploit Title: Justdial Clone Script - SQL Injection Dork: N/A Date: 14.09.2017 Vendor Homepage: http://www.phpscriptsmall.com/ Software Link: http://www.exclusivescript.com/product/z1mt4303451/php-scripts/justdial-clone-script Demo: http://74.124.215.220/jusdil/ Version: N/A Category: Webapps...

EMC AlphaStor Device Manager - Opcode 0x72 Buffer Overflow (Metasploit)

require 'msf/core' class MetasploitModule 'EMC AlphaStor Device Manager Opcode 0x72', 'Description' = %q This module exploits a stack based buffer overflow vulnerability found in EMC Alphastor Device Manager. The overflow is triggered when sending a specially crafted packet to the rrobotd.exe...

Humax Wi-Fi Router HG100R 2.0.6 - Authentication Bypass

coding: utf-8 Exploit Title: Humax HG100R- Authentication Bypass Date: 14/09/2017 Exploit Author: Kivson Vendor Homepage: http://humaxdigital.com Version: VER 2.0.6 Tested on: OSX Linux CVE : CVE-2017-11435 The Humax Wi-Fi Router model HG100R- 2.0.6 is prone to an authentication bypass...

Enterprise Edition Payment Processor Script 3.7 - SQL Injection

Exploit Title: Enterprise Edition Payment Processor Script 3.7 - SQL Injection Dork: N/A Date: 14.09.2017 Vendor Homepage: https://www.goterhosting.com/ Software Link: https://www.goterhosting.com/payment-processor-script.php Demo: http://www.enterprise-edition.gvmhosting.com/ Version: 3.7...

haneWIN DNS Server 1.5.3 - Remote Buffer Overflow (Metasploit)

require 'msf/core' class MetasploitModule 'haneWIN DNS Server Buffer Overflow', 'Description' = %q This module exploits a buffer overflow vulnerability found in haneWIN DNS Server 'james fitts' , 'License' = MSFLICENSE, 'References' = 'EDB', '31260' , 'OSVDB', '102773' , 'Privileged' = false,...

Adserver Script 5.6 - SQL Injection

Exploit Title: Adserver Script 5.6 - SQL Injection Dork: N/A Date: 14.09.2017 Vendor Homepage: https://www.goterhosting.com/ Software Link: https://www.goterhosting.com/adserverscript.php Demo: http://adserverscript.gvmhosting.com/ Version: 5.6 Category: Webapps Tested on: WiN7x64/KaLiLinuXx64 CV...

Theater Management Script - SQL Injection

Exploit Title: Theater Management Script - SQL Injection Dork: N/A Date: 14.09.2017 Vendor Homepage: http://www.phpscriptsmall.com/ Software Link: http://www.exclusivescript.com/product/8o2b4417538/php-scripts/theater-management-script Demo: http://198.38.86.159/dineshkumarwork/demo/movie/ Versio...