47904 matches found
ZKTime Web Software 2.0 - Cross-Site Request Forgery
Exploit Title: ZKTime Web Software 2.0 - Cross Site Request Forgery CVE-ID: CVE-2017-13129 Vendor Homepage: https://www.zkteco.com/product/ZKTimeWeb2.0435.html Vendor of Product: ZKTeco Affected Product Code: ZKTime Web - 2.0.1.12280 Category: WebApps Author: Arvind V. Author Social: @FindArvind...
iTech Freelancer Script 5.27 - SQL Injection
Exploit Title: iTech Freelancer Script 5.27 - SQL Injection Dork: N/A Date: 18.08.2017 Vendor Homepage : http://itechscripts.com/ Software Link: http://itechscripts.com/freelancer-script/ Demo: http://freelance.itechscripts.com/ Version: 5.27 Category: Webapps Tested on: WiN7x64/KaLiLinuXx64 CVE:...
Food Ordering Script 1.0 - SQL Injection
Exploit Title: Food Ordering Script 1.0 - SQL Injection Dork: N/A Date: 17.08.2017 Vendor Homepage : http://www.earthtechnology.co.in/ourproducts.html Software Link: https://www.foodorderingscript.com/ Demo: https://www.foodorderingscript.com/demo-new/ Version: 1.0 Category: Webapps Tested on:...
MyDoomScanner 1.00 - Local Buffer Overflow (PoC)
!/usr/bin/python Exploit Title : MyDoomScanner1.00 Hostname/IP Field SEH Overwrite POC Discovery by : Anurag Srivastava Email : [email protected] Discovery Date : 17/08/2017 Software Link : https://www.mcafee.com/in/downloads/free-tools/mydoomscanner.aspx Tested Version : 1.00...
Online Quiz Project 1.0 - SQL Injection
Exploit Title: Online Quiz Project 1.0 - Multiple Vulnerabilities Dork: N/A Date: 17.08.2017 Vendor Homepage : http://surajkumar.in/ Software Link: http://surajkumar.in/product/online-quiz-project-php/ Demo: http://surajkumar.in/ Version: 1.0 Category: Webapps Tested on: WiN7x64/KaLiLinuXx64 CVE:...
Microsoft Edge Chakra - 'InterpreterStackFrame::ProcessLinkFailedAsmJsModule' Incorrectly Re-parses
GetOriginalEntryPoint : nullptr; if this-pCurrentFunction && this-pCurrentFunction-IsFunctionParsed Assertthis-pCurrentFunction-StartInDocument == pnode-ichMin; pCurrentFunction" is the consturctor, but "pnode" refers to the method "f". PoC: -- class MyClass fa printa; constructor 'use asm';...
Microsoft Edge Chakra - 'chakra!Js::GlobalObject' Integer overflow
= 0; AnalysisAssertscriptContext; if scriptContext-GetThreadContext-EvalDisabled throw Js::EvalDisabledException; ifdef PROFILEEXEC scriptContext-ProfileBeginJs::EvalCompilePhase; endif void frameAddr = nullptr; GETCURRENTFRAMEIDframeAddr; HRESULT hr = SOK; HRESULT hrParser = SOK; HRESULT hrCodeG...
Microsoft Edge Chakra - 'EmitAssignment' uses the 'this' Register Without Initializing
000c ProfiledLdEnvSlot R4 = 13 Line 28: super.a = 1; Col 13: ^ 0018 LdHomeObjProto R8 R4 001d ProfiledStSuperFld R8.this=R5 = R3 0 0025 LdUndef R0 Line 29: Col 9: ^ 0027 Ret PoC: -- class Parent ; class Child extends Parent constructor = super.a = 10; // Implicitly use the "this" register. So it...
Microsoft Edge Chakra - 'JavascriptArray::ConcatArgs' Type Confusion
void JavascriptArray::ConcatArgsRecyclableObject pDestObj, TypeId remoteTypeIds, Js::Arguments& args, ScriptContext scriptContext, uint start, uint startIdxDest, BOOL firstPromotedItemIsSpreadable, BigIndex firstPromotedItemLength, bool spreadableCheckedAndTrue JSREENTRANCYLOCKjsReentLock,...
Microsoft Edge Chakra - Heap Buffer Overflow
IsCoroutine ... else InterpreterStackFrame::Setup setupfunction, args; sizet varAllocCount = setup.GetAllocationVarCount; //printf"varAllocCount: %d%X\r\n", varAllocCount, varAllocCount; sizet varSizeInBytes = varAllocCount sizeofVar; // // Allocate a new InterpreterStackFrame instance on the...
Microsoft Edge Chakra - 'PreVisitCatch' Missing Call
root-sxFnc.pnodeVars; pnode; pnode = pnode-sxVar.pnodeNext Symbol sym = pnode-sxVar.sym; if sym != nullptr && !pnode-sxVar.isBlockScopeFncDeclVar && sym-GetIsBlockVar if sym-GetIsCatch || pnode-nop == knopVarDecl && sym-GetIsBlockVar ... sym = funcInfo-bodyScope-FindLocalSymbolsym-GetName;...
Photogallery Project 1.0 - SQL Injection
Exploit Title: Photogallery Project 1.0 - Multiple Vulnerabilities Dork: N/A Date: 17.08.2017 Vendor Homepage : http://surajkumar.in/ Software Link: http://surajkumar.in/product/photogallery-project-in-php/ Demo: http://surajkumar.in/ Version: 1.0 Category: Webapps Tested on: WiN7x64/KaLiLinuXx64...
Microsoft Edge Chakra - Incorrect JIT Optimization with TypedArray Setter #2
a0 = ; return 0; ; a0.toString; main; I just changed "var b = new Uint32Array100;" to "var b = new Uint32Array0;", and it worked well. PoC: -- 'use strict'; function funca, b, c a0 = 1.2; b0 = c; a1 = 2.2; a0 = 2.3023e-320; function main var a = 1.1, 2.2; var b = new Uint32Array0; // 0 // force t...
Microsoft Edge Chakra - 'TryUndeleteProperty' Incorrect Usage (Denial of Service)
::NoSlots return false; propertyIndex = deletedPropertyIndex; deletedPropertyIndex = staticcastTaggedInt::ToInt32object-GetSlotdeletedPropertyIndex; return true; bool SimpleDictionaryUnorderedTypeHandle::TryUndeleteProperty DynamicObject const object, const TPropertyIndex existingPropertyIndex,...
Microsoft Edge Chakra - 'InterpreterStackFrame::ProcessLinkFailedAsmJsModule' Incorrect Usage of 'PushPopFrameHelper' (Denial of Service)
GetScriptContext-GetThreadContext-GetLeafInterpreterFrame; GetLoopHeaderinterpreterFrame-GetCurrentLoopNum; GetCurrentLoopNum == -1 ... PoC: -- function asmModule 'use asm'; let a = 1, 2, 3, 4; for let i = 0; i 0x100000; i++ // JIT a0 = 1; if i === 0x30000 a0 = ; // the array type changed,...
Microsoft Edge Chakra - Buffer Overflow
sxCall.argCount; //pnode-sxCall.argCount=0xFFFF argCount++; // include "this" //overflow!!!! argCount==0 BOOL fSideEffectArgs = FALSE; unsigned int tmpCount = CountArgumentspnode-sxCall.pnodeArgs, &fSideEffectArgs; AssertargCount == tmpCount; if argCount != Js::ArgSlotargCount...
Microsoft Edge Chakra - NULL Pointer Dereference
spreadIndices = nullptr // This function emits the arguments for a call. // ArgOut's with uses immediately following defs. EmitArgListStartthisLocation, byteCodeGenerator, funcInfo, callSiteId; Js::RegSlot evalLocation = Js::Constants::NoRegister; // // If Emitting arguments for eval and assignin...
Microsoft Edge - Out-of-Bounds Access when Fetching Source
// The attached JavaScript file causes an out-of-bounds access of the source buffer when fetching the source for one of the functions during delayed compilation. The out-of-bounds value is then treated as the pointer to the source. This is likely an exploitable condition. // In the debug build of...
Microsoft Edge Chakra - Uninitialized Arguments (1)
ParseNodePtr Parser::ParseVariableDeclaration tokens declarationType, charcountt ichMin, BOOL fAllowIn/ = TRUE/, BOOL pfForInOk/ = nullptr/, BOOL singleDefOnly/ = FALSE/, BOOL allowInit/ = TRUE/, BOOL isTopVarParse/ = TRUE/, BOOL isFor/ = FALSE/, BOOL nativeForOk /= nullptr/ ... if pid ==...
Microsoft Edge 40.15063.0.0 Chakra - Incorrect JIT Optimization with TypedArray Setter #3
'use strict'; function funca, b, c a0 = 1.2; b0 = c; a1 = 2.2; a0 = 2.3023e-320; function main let a = 1.1, 2.2; let b = new Uint32Array100; for let i = 0; i a0 = ; return 0; ; a0.toString; main; // Tested on Microsoft Edge 40.15063.0.0Insider Preview...
Microsoft Edge Chakra - Uninitialized Arguments (2)
void Parser::ParseFncFormalsParseNodePtr pnodeFnc, ParseNodePtr pnodeParentFnc, ushort flags ... if IsES6DestructuringEnabled && IsPossiblePatternStart ... // Instead of passing the STFormal all the way on many methods, it seems it is better to change the symbol type afterward. for ParseNodePtr...
Microsoft Edge Chakra - 'JavascriptFunction::EntryCall' Fails to Handle 'CallInfo' Properly
GetScriptContext, Js::Constants::MinStackDefault; RUNTIMEARGUMENTSargs, callInfo; ScriptContext scriptContext = function-GetScriptContext; Assert!callInfo.Flags & CallFlagsNew; /// /// Check Argument0 has internal Call property /// If not, throw TypeError /// if args.Info.Count == 0 ||...
Microsoft Edge Chakra - 'EmitNew' Integer Overflow
sxCall.argCount; argCount++; // include "this" BOOL fSideEffectArgs = FALSE; unsigned int tmpCount = CountArgumentspnode-sxCall.pnodeArgs, &fSideEffectArgs; AssertargCount == tmpCount; if argCount != Js::ArgSlotargCount Js::Throw::OutOfMemory; ... "Js::ArgSlot" is a 16 bit unsigned integer type...
Adobe Flash - Invoke Accesses Trait Out-of-Bounds
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1320 The attached fuzzed swf file causes the traits of an ActionScript object to be accessed out of bounds. This can probably lead to exploitable type confusion. Proof of Concept:...
Linux/x86-64 - Reverse Shell (192.168.1.2:4444) Shellcode (153 bytes)
Linux/x86-64 - Reverse Shell 192.168.1.2:4444 Shellcode 153 bytes. Shellcode exploit for Linx86-64 platform / ;Title: Linux/x8664 - Reverse Shell Shellcode 192.168.1.2:4444 ;Author: Touhid M.Shaikh ;Contact: https://github.com/touhidshaikh ;Category: Shellcode ;Architecture: Linux x8664...
Doctor Patient Project 1.0 - SQL Injection
Exploit Title: Doctor Patient Project 1.0 - Multiple Vulnerabilities Dork: N/A Date: 17.08.2017 Vendor Homepage : http://surajkumar.in/ Software Link: http://surajkumar.in/product/doctor-patient-project-php/ Demo: http://surajkumar.in/ Version: 1.0 Category: Webapps Tested on: WiN7x64/KaLiLinuXx6...
Microsoft Edge 38.14393.1066.0 - 'CInputDateTimeScrollerElement::_SelectValueInternal' Out-of-Bounds Read
input:focus transform: scale10; UpdateSelectedthis-arrayatoffset0xB8this-indexatoffset0xD4.ptratindex0, ...; ... The problem is that the index in the PoC has unsigned 32-bit value of 0xffffffff, possibly because the data structure has not been properly initialized, which leads to out-of-bound...
RPi Cam Control < 6.3.14 - Multiple Vulnerabilities
Exploit Title: RPi Cam Control = v6.3.14 RCE Multiple Vulnerabilities - preview.php Date: 16/08/2017 Exploit Author: Alexander Korznikov Vendor Homepage: https://github.com/silvanmelchior/RPiCamWebInterface Software Link: https://github.com/silvanmelchior/RPiCamWebInterface Version: = v6.3.14 Dat...
Apple macOS Sierra 10.12.3 - 'IOFireWireFamily-null-deref' FireWire Port Denial of Service
/ IOFireWireFamily-null-deref.c Brandon Azad NULL pointer dereference in IOFireWireUserClient::setAsyncRefIsochChannelForceStop. Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44236.zip / include int main int ret = 0; ioservicet service =...
Internet Download Manager 6.28 Build 17 - Local Buffer Overflow (SEH Unicode)
!/usr/bin/python Exploit Title: Internet Download Manager 6.28 Build 17 - 'Find file' SEH Buffer Overflow Unicode Date: 14-06-2017 Exploit Author: f3ci Tested on: Windows 7 SP1 x86 How to exploit: Open IDM - Downloads - Find - paste exploit string into 'Find file' text field msfvenom -p...
AdvanDate iCupid Dating Software 12.2 - SQL Injection
Exploit Title: iCupid Dating Software 12.2 - SQL Injection Dork: N/A Date: 15.08.2017 Vendor Homepage : https://www.advandate.com/ Software Link: https://www.advandate.com/dating-software-features/ Demo: https://demo.advandate.com/ Version: 12.2 Category: Webapps Tested on: WiN7x64/KaLiLinuXx64...
ClipBucket 2.8.3 - Multiple Vulnerabilities
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ .:. Exploit Title ClipBucket 2.8.3 - Multiple Vulnerabilities .:. Google Dorks .:. "Forged by ClipBucket" inurl:viewcollection.php?cid= .:. Date: August 15, 2017 .:. Exploit Author: bRpsd .:. Skype contact: vegno...
ALLPlayer 7.4 - Local Buffer Overflow (SEH Unicode)
!/usr/bin/python Exploit Title: ALL Player v7.4 SEH Buffer Overflow Unicode Version: 7.4 Date: 15-08-2017 Exploit Author: f3ci Tested on: Windows 7 SP1 x86 head = "http://" seh = "\x0f\x47" 0x0047000f nseh = "\x61\x41" popad align junk = "\x41" 301 junk2 = "\x41" 45 msfvenom -p windows/shellbindt...
Xamarin Studio for Mac 6.2.1 (build 3) / 6.3 (build 863) - Local Privilege Escalation
Source: https://www.securify.nl/advisory/SFY20170403/xamarin-studio-for-mac-api-documentation-update-affected-by-local-privilege-escalation.html Abstract Xamarin Studio is an Integrated Development Environment IDE used to create iOS, Mac and Android applications. Xamarin Studio supports...
RPi Cam Control < 6.3.14 - Remote Command Execution
RPi Cam Control = v6.3.14 RCE preview.php Multiple Vulnerabilities A web interface for the RPi Cam Vendor github: https://github.com/silvanmelchior/RPiCamWebInterface Date 16/08/2017 Discovered by @nopernik https://www.linkedin.com/in/nopernik http://www.korznikov.com RPi Cam Control = v6.3.14 is...
Quali CloudShell 7.1.0.6508 (Patch 6) - Persistent Cross-Site Scripting
Vulnerability type: Multiple Stored Cross Site Scripting Vendor: Quali Product: CloudShell Affected version: v7.1.0.6508 Patch 6 Patched version: v8 and up Credit: Benjamin Lee CVE ID: CVE-2017-9767 ========================================================== Overview Quali CloudShell v7.1.0.6508...
Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalation (KASLR / SMEP)
// A proof-of-concept local root exploit for CVE-2017-1000112. // Includes KASLR and SMEP bypasses. No SMAP bypass. // Tested on Ubuntu trusty 4.4.0- and Ubuntu xenial 4-8-0- kernels. // // EDB Note: Also included the work from...
Tomabo MP4 Converter 3.19.15 - Denial of Service
!/usr/bin/python Exploit Title: Tomabo MP4 Converter DOS Date: 13/08/17 Exploit Author: Andy Bowden Vendor Homepage: http://www.tomabo.com/ Software Link: http://www.tomabo.com/mp4-converter/index.html Version: 3.19.15 Tested on: Windows 7 x86 CVE : None Generate a .m3u file using the python scri...
RealTime RWR-3G-100 Router - Cross-Site Request Forgery (Change Admin Password)
!---Enable...
AirMaster 3000M - Multiple Vulnerabilities
?php Exploit Title: AirMaster 3000M multiple Vulnerabilities Date: 2017/08/12 Exploit Author: Koorosh Ghorbani Author Homepage: http://8thbit.net/ Vendor Homepage: http://mobinnet.ir/ Software Version: V2.0.1B1044 Web Server: GoAhead-Webs/2.5.0 define'isDebug',false; define'specialCookie','Cookie...
De-Tutor 1.0 - SQL Injection
Exploit Title: De-Tutor - Private Tutoring and Admission Processing 1.0 - SQL Injection Dork: N/A Date: 11.08.2017 Vendor Homepage : https://sarutech.com/ Software Link: https://codecanyon.net/item/detutor-private-tutoring-and-admission-processing/19053430 Demo: https://demo.sarutech.com/detutor/...
DeWorkshop 1.0 - SQL Injection
Exploit Title: De-Workshop - Auto Workshop Portal 1.0 - SQL Injection Dork: N/A Date: 11.08.2017 Vendor Homepage : https://sarutech.com/ Software Link: https://codecanyon.net/item/deworkshop-auto-workshop-portal/20336737 Demo: https://demo.sarutech.com/deworkshop/ Version: 1.0 Category: Webapps...
De-Journal 1.0 - SQL Injection
Exploit Title: De-Journal - Academic Journal and Peer Review System 1.0 - SQL Injection Dork: N/A Date: 11.08.2017 Vendor Homepage : https://sarutech.com/ Software Link: https://codecanyon.net/item/dejournal-academic-journal-and-peer-review-system/19533981 Demo: https://demo.sarutech.com/dejourna...
GIF Collection 2.0 - SQL Injection
Exploit Title: GIF Collection 2.0 - SQL Injection Dork: N/A Date: 10.08.2017 Vendor Homepage : http://www.scriptfolder.com/ Software Link: http://www.scriptfolder.com/scriptfolder-gif-collection-2-0/ Demo: http://gif2.scriptfolder.com/ Version: 2.0 Category: Webapps Tested on: WiN7x64/KaLiLinuXx6...
Piwigo Plugin User Tag 0.9.0 - Cross-Site Scripting
Exploit Title: Piwigo plugin User Tag , Persistent XSS Date: 10 Aug, 2017 Extension Version: 0.9.0 Software Link: http://piwigo.org/basics/downloads Extension link : http://piwigo.org/ext/extensionview.php?eid=441 Exploit Author: Touhid M.Shaikh Contact: http://twitter.com/touhidshaikh22 Website:...
Microsoft Edge 38.14393.1066.0 - 'textarea.defaultValue' Memory Disclosure
var n = 0; function go document.addEventListener"DOMNodeRemoved", eventhandler; eventhandler; function eventhandler n++; ifn==5 return; //prevent going into an infinite recursion t.defaultValue = "aaaaaaaaaaaaaaaaaaaa"; f.reset; aaa !-- ========================================= This seems to be t...
Red-Gate SQL Monitor < 3.10 / 4.2 - Authentication Bypass
Exploit Title: Red-Gate SQL Monitor authentication bypass Version: Redgate SQL Monitor before 3.10 and 4.x before 4.2 Date: 2017-08-10 Red-Gate made a security announcement and publicly released the fixed version more than two years before this exploit was published Vendor Advisory:...
ImageBay 1.0 - SQL Injection
Exploit Title: ImageBay 1.0 - SQL Injection Dork: N/A Date: 10.08.2017 Vendor Homepage : http://www.scriptfolder.com/ Software Link: http://www.scriptfolder.com/imagebay-publish-or-share-photography-and-pictures/ Demo: http://imagebay.scriptfolder.com/ Version: 1.0 Category: Webapps Tested on:...
DALIM SOFTWARE ES Core 5.0 build 7184.1 - User Enumeration
!/usr/bin/env python DALIM SOFTWARE ES Core 5.0 build 7184.1 User Enumeration Weakness Vendor: Dalim Software GmbH Product web page: https://www.dalim.com Affected version: ES/ESPRiT 5.0 build 7184.1 build 7163.2 build 7163.0 build 7135.0 build 7114.1 build 7114.0 build 7093.1 build 7093.0 build...
DALIM SOFTWARE ES Core 5.0 build 7184.1 - Directory Traversal
DALIM SOFTWARE ES Core 5.0 build 7184.1 Multiple Remote File Disclosures Vendor: Dalim Software GmbH Product web page: https://www.dalim.com Affected version: ES/ESPRiT 5.0 build 7184.1 build 7163.2 build 7163.0 build 7135.0 build 7114.1 build 7114.0 build 7093.1 build 7093.0 build 7072.0 build...