Technicolor TC7337 - 'SSID' Persistent Cross-Site Scripting
// Device : Technicolor TC7337 // Vulnerable URL : https://your.rou.ter.ip/wlscanresults.html // XSS through SSID : ' Exactly 32 bytes uu // ^ // 5char domains are running | 'src' does not require quotes , and passing the URL with only '//' // out, grab yours ! +--- it will cause the browser to...
DNSTracer 1.9 - Local Buffer Overflow
Exploit Title: DNSTracer 1.9 - Buffer Overflow Google Dork: if applicable Date: 03-08-2017 Exploit Author: j0lama Vendor Homepage: http://www.mavetju.org/unix/dnstracer.php Software Link: http://www.mavetju.org/download/dnstracer-1.9.tar.gz Version: 1.9 Tested on: Ubuntu 12.04 CVE : CVE-2017-9430...
Horde Groupware 5.2.21 - Unauthorized File Download
Vulnerability Summary The following advisory describes an unauthorized file download vulnerability found in Horde Groupware version 5.2.21. Horde Groupware Webmail Edition is “a free, enterprise ready, browser based communication suite. Users can read, send and organize email messages and manage...
VirtualBox 5.1.22 - Windows Process DLL Signature Bypass Privilege Escalation
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1257 VirtualBox: Windows Process DLL Signature Bypass EoP Platform: VirtualBox v5.1.22 r115126 x64 Tested on Windows 10 Class: Elevation of Privilege Summary: The process hardening implemented by the VirtualBox driver can be...
Dashlane - DLL Hijacking
Vulnerability Summary The following advisory describes a DLL Hijacking vulnerability found in Dashlane. Dashlane is “a password manager app and secure digital wallet. The app is available on Mac, PC, iOS and Android. The app’s premium feature enables users to securely sync their data between an...
Entrepreneur B2B Script - 'pid' SQL Injection
Exploit Title: Entrepreneur B2B Script - 'pid' Parameter SQL Injection Date: 2017-08-02 Exploit Author: Meisam Monsef [email protected] or [email protected] Vendor Homepage: http://readymadeb2bscript.com/ Version: All Version Exploit : http://site.com/path/productview1.php?pid=-99999+SQL+Comm...
Joomla! Component Ultimate Property Listing 1.0.2 - SQL Injection
Exploit Title: Joomla! Component Ultimate Property Listing v1.0.2 - SQL Injection Dork: N/A Date: 02.08.2017 Vendor : http://faboba.com/ Software: https://extensions.joomla.org/extensions/extension/vertical-markets/real-estate/ultimate-property-listing/ Demo: http://demoupl.faboba.com/ Version:...
Joomla! Component LMS King Professional 3.2.4.0 - SQL Injection
Exploit Title: Joomla! Component LMS King Professional v3.2.4.0 - SQL Injection Dork: N/A Date: 02.08.2017 Vendor : http://king-products.net/ Software: https://extensions.joomla.org/extensions/extension/living/education-a-culture/lms-king-professional-for-joomla/ Demo:...
Premium Servers List Tracker 1.0 - SQL Injection
Exploit Title: Premium Servers List Tracker v1.0 – SQL Injection Date: 02.08.2017 Vendor Homepage: https://codecanyon.net/item/premium-servers-list-tracker/19796599?srank=270 Exploit Author: Kaan KAMIS Contact: iletisimatk2andotcom Website: http://k2an.com Category: Web Application Exploits...
Joomla! Component SIMGenealogy 2.1.5 - SQL Injection
Exploit Title: Joomla! Component SIMGenealogy v2.1.5 - SQL Injection Dork: N/A Date: 02.08.2017 Vendor : https://www.simbunch.com/ Software: https://extensions.joomla.org/extensions/extension/clients-a-communities/communities/simgenealogy/ Demo: https://www.simbunch.com/demos/simgenealogy Version...
EDUMOD Pro 1.3 - SQL Injection
Exploit Title: School Management System | EDUMOD Pro v1.3 – SQL Injection Date: 02.08.2017 Vendor Homepage: https://codecanyon.net/item/school-management-system-edumod-pro/19764430?srank=288 Exploit Author: Kaan KAMIS Contact: iletisimatk2andotcom Website: http://k2an.com Category: Web Applicatio...
Joomla! Component Event Registration Pro Calendar 4.1.3 - SQL Injection
Exploit Title: Joomla! Component Event Registration Pro Calendar v4.1.3 - SQL Injection Dork: N/A Date: 02.08.2017 Vendor : http://joomlashowroom.com/ Software: https://www.joomlashowroom.com/products/event-registration-pro-calendar Demo: http://demo3.joomlashowroom.com/ Version: 4.1.3 Author:...
Nitro Pro PDF Reader 11.0.3.173 - Javascript API Code Execution (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Nitro Pro PDF Reader 11.0.3.173 Javascript API Remote Code Execution', 'Description' => %q This module exploits an unsafe Javascript API implemente...
Muviko 1.0 - 'q' SQL Injection
Exploit Title: Muviko - Video CMS v1.0 – 'q' Parameter SQL Injection Date: 02.08.2017 Vendor Homepage: https://muvikoscript.com/ Exploit Author: Kaan KAMIS Contact: iletisimatk2andotcom Website: http://k2an.com Category: Web Application Exploits Overview Muviko is a movie & video content manageme...
Joomla! Component PHP-Bridge 1.2.3 - SQL Injection
Exploit Title: Joomla! Component PHP-Bridge v1.2.3 - SQL Injection Dork: N/A Date: 02.08.2017 Vendor : http://www.henryschorradt.de/ Software: https://extensions.joomla.org/extensions/extension/miscellaneous/development/php-bridge/ Demo: http://www.henryschorradt.de/joomla-php-bridge/ Version:...
JoySale 2.2.1 - Arbitrary File Upload
JoySale Arbitrary File Upload Exploit Title: JoySale Arbitrary File Upload Exploit Author: Mutlu Benmutlu Date: 1/08/2017 Vendor Homepage: http://www.hitasoft.com/product/joysale-advanced-classifieds-script/ Version: Joysale v2.2.1 latest Google Dork: "joysale-style.css" Tested on : MacOS Sierra...
libmad 0.15.1b - 'mp3' Memory Corruption
libmad memory corruption vulnerability ================ Author : qflb.wu =============== Introduction: ============= libmad is a high-quality MPEG audio decoder capable of 24-bit output. Affected version: ===== 0.15.1b Vulnerability Description: ========================== the mad_decoder_run functi...
Solarwinds Kiwi Syslog 9.6.1.6 - Denial of Service
Exploit Title: Solarwinds Kiwi Syslog 9.6.1.6 - Remote Denial of Service Type Mismatch Date: 26/05/2017 Exploit Author: Guillaume Kaddouch Twitter: @gkweb76 Blog: https://networkfilter.blogspot.com GitHub: https://github.com/gkweb76/exploits Vendor Homepage: http://www.solarwinds.com/ Software...
VehicleWorkshop - Arbitrary File Upload
Exploit Title: VehicleWorkshop Unrestricted File Upload or Shell Upload Exploit Author: Touhid M.Shaikh Date: 1/08/2017 Vendor Homepage: https://github.com/spiritson/VehicleWorkshop Tested on : Kali Linux 2.0 64 bit and Windows 7 =================== Vulnerable Page: ===================...
SOL.Connect ISET-mpp meter 1.2.4.2 - SQL Injection
Vulnerability type: SQL injection, leading to administrative access through authentication bypass. ----------------------------------- Product: SOL.Connect ISET-mpp meter ----------------------------------- Affected version: SOL.Connect ISET-mpp meter 1.2.4.2 and possibly earlier Vulnerable...
Apple macOS/iOS - 'xpc_data' Objects Sandbox Escape Privilege Escalation
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1247 When XPC serializes large xpc_data objects it creates mach memory entry ports to represent the memory region then transfers that region to the receiving process by sending a send right to the memory entry port in the underlying...
Advantech SUSIAccess < 3.0 - Directory Traversal / Information Disclosure (Metasploit)
require 'msf/core' class MetasploitModule 'Advantech SUSIAccess Server Directory Traversal Information Disclosure', 'Description' => %q This module exploits an information disclosure vulnerability found in Advantech SUSIAccess 'james fitts' , 'License' => MSF_LICENSE, 'References' => 'CVE', '2016-934...
VehicleWorkshop - Authentication Bypass
Type: Admin or Customer login bypass via SQL injection Author: Touhid M.Shaikh Vendor Homepage: https://github.com/spiritson/VehicleWorkshop Mail: touhidshaikh22atgmaildotcom More info: https://blog.touhidshaikh.com/ ===================== PoC ================ Admin Login Page :...
Advantech SUSIAccess < 3.0 - 'RecoveryMgmt' File Upload
#!/usr/bin/env ruby =begin Exploit Title: Advantech SUSIAccess RecoveryMgmt File Upload Date: 07/31/17 Exploit Author: james fitts Vendor Homepage: http://www.advantech.com/ Version: Advantech SUSIAccess = 3.0 Tested on: Windows 7 SP1 Relevant Advisories: ZDI-16-630 ZDI-16-628 CVE-2016-9349...
Vorbis Tools oggenc 1.4.0 - '.wav' Denial of Service
vorbis-tools oggenc vulnerability ================ Author : qflb.wu =============== Introduction: ============= The Vorbis Tools package contains command-line tools useful for encoding, playing or editing files using the Ogg CODEC. Affected version: ===== 1.4.0 Vulnerability Description:...
Sound eXchange (SoX) 14.4.2 - Multiple Vulnerabilities
Sound eXchange SoX multiple vulnerabilities ================ Author : qflb.wu =============== Introduction: ============= SoX is a cross-platform (Windows, Linux, MacOS X, etc.) command line utility that can convert various formats of computer audio files into other formats. It can also apply...
DivFix++ 0.34 - Denial of Service
DivFix++ denial of service vulnerability ================ Author : qflb.wu =============== Introduction: ============= DivFix++ is a FREE AVI Video Fix & Preview program. Affected version: ===== v0.34 Vulnerability Description: ========================== the DivFixppCore::avi_header_fix function in...
libvorbis 1.3.5 - Multiple Vulnerabilities
libvorbis multiple vulnerabilities ================ Author : qflb.wu =============== Introduction: ============= The libvorbis package contains a general purpose audio and music encoding format. This is useful for creating (encoding) and playing (decoding) sound in an open (patent free) format. Affecte...
libao 1.2.0 - Denial of Service
libao memory corruption vulnerability ================ Author : qflb.wu =============== Introduction: ============= Libao is a cross-platform audio library that allows programs to output audio using a simple API on a wide variety of platforms. Affected version: ===== 1.2.0 Vulnerability...
McAfee Security Scan Plus - Remote Command Execution
Vulnerability Summary The following advisory describes a Remote Code Execution found in McAfee Security Scan Plus. An active network attacker could launch a man-in-the-middle attack on a plaintext-HTTP response to a client to run any residing executables with privileges of a logged in user. McAfe...
Jenkins < 1.650 - Java Deserialization
import random import string from decimal import Decimal import requests from requests.exceptions import RequestException Exploit Title: Jenkins CVE-2016-0792 Deserialization Remote Exploit Google Dork: intitle: "Dashboard Jenkins" + "Manage Jenkins" Date: 30-07-2017 Exploit Author: Janusz Piechów...
DiskBoss Enterprise 8.2.14 - Remote Buffer Overflow
#!/usr/bin/env python Exploit Title: DiskBoss Enterprise v8.2.14 Remote buffer overflow Date: 2017-07-30 Exploit Author: Ahmad Mahfouz Author Homepage: www.unixawy.com Vendor Homepage: http://www.diskboss.com/ Software Link: http://www.diskboss.com/setups/diskbossentsetupv8.2.14.exe Version: v8.2....
SoundTouch 1.9.2 - Multiple Vulnerabilities
SoundTouch multiple vulnerabilities ================ Author : qflb.wu =============== Introduction: ============= SoundTouch is an open-source audio processing library for changing the Tempo, Pitch and Playback Rates of audio streams or audio files. The library additionally supports estimating...
VehicleWorkshop - SQL Injection
Exploit Title: VehicleWorkshop SQL Injection Date: 07.28.2017 Exploit Author: Shahab Shamsi Vendor Homepage: https://github.com/spiritson/VehicleWorkshop Tested on: Windows Google Dork: N/A ========= Vulnerable Page: ========= /viewvehiclestoremore.php ========== Vulnerable Source: ==========...
LAME 3.99.5 - Multiple Vulnerabilities
LAME multiple vulnerabilities ================ Author : qflb.wu =============== Introduction: ============= Following the great history of GNU naming, LAME originally stood for LAME Ain't an Mp3 Encoder. LAME is an educational tool to be used for learning about MP3 encoding. The goal of the LAME...
libjpeg-turbo 1.5.1 - Denial of Service
libjpeg-turbo denial of service vulnerability ====================== Author : qflb.wu CVE : CVE-2017-9614 ====================== Introduction: ============= libjpeg-turbo is a JPEG image codec that uses SIMD instructions (MMX, SSE2, AVX2, NEON, AltiVec) to accelerate baseline JPEG compression and...
Fortinet FortiOS < 5.6.0 - Cross-Site Scripting
Title: FortiOS = 5.6.0 Multiple XSS Vulnerabilities Vendor: Fortinet www.fortinet.com CVE: CVE-2017-3131, CVE-2017-3132, CVE-2017-3133 Date: 28.07.2016 Author: Patryk Bogdan @patrykbogdan Affected FortiNet products: CVE-2017-3131 : FortiOS versions 5.4.0 to 5.6.0 CVE-2017-3132 : FortiOS versions...
Joomla! Component CCNewsLetter 2.1.9 - 'sbid' SQL Injection
"Joomla Component ccnewsletter 2.1.9 - 'sbid' Parameter SQL Injection" Exploit Title: Joomla Component ccnewsletter 2.1.9 - SQL Injection Date: 07-26-2017 Exploit Author: Shahab Shamsi Vendor Homepage: https://extensions.joomla.org/extension/ccnewsletter/ Version: = 2.1.9 Final Version Tested on:...
GNU libiberty - Buffer Overflow
Source: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687 The attached program binary causes a buffer overflow in cplus-dem.c when it tries to demangle specially crafted function arguments in the binary. Both the buffer size as well as the buffer content are controlled from the binary. objdump -x...
AudioCoder 0.8.46 - Local Buffer Overflow (SEH)
#!/usr/bin/python Exploit Title : AudioCoder 0.8.46 Local Buffer Overflow SEH CVE : CVE-2017-8870 Exploit Author : Muhann4d @0xSecured Vendor Homepage : http://www.mediacoderhq.com Vulnerable Software:...
Friends in War Make or Break 1.7 - SQL Injection
Exploit Title: Friends in War Make or Break 1.7 SQL Injection Dork: N/A Date: 26.07.2017 Vendor : http://software.friendsinwar.com/ Software: http://software.friendsinwar.com/downloads.php?catid=2&fileid=9 Demo: http://localhost/PATH/ Version: 1.7 Author: Ihsan Sencan SQL Injection/Exploit :...
Microsoft Windows - '.LNK' Shortcut File Code Execution (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'LNK Remote Code Execution Vulnerability', 'Description' => %q This module exploits a vulnerability in the handling of Windows Shortcut files .LNK...
Friends in War Make or Break 1.7 - Cross-Site Request Forgery (Change Admin Password)
Friends in War Make or Break 1.7 - Unauthenticated admin password change Url: http://software.friendsinwar.com/ http://software.friendsinwar.com/downloads.php?catid=2&fileid=9 Author: shinnai mail: shinnaiatautisticidotorg site: http://www.shinnai.altervista.org/...
MediaCoder 0.8.48.5888 - Local Buffer Overflow (SEH)
MediaCoder 0.8.48.5888 - Local Buffer Overflow SEH. CVE-2017-8869. Local exploit for Windows platform #!/usr/bin/python Exploit Title : MediaCoder 0.8.48.5888 Local Buffer Overflow SEH CVE : CVE-2017-8869 Exploit Author : Muhann4d @0xSecured Vendor Homepage : http://www.mediacoderhq.com Vulnerable...
Friends in War Make or Break 1.7 - Authentication Bypass
x Type: Admin login bypass via SQLi x Vendor: http://software.friendsinwar.com/ x Script Name: Make or Break x Script Version: 1.7 x Script DL: http://software.friendsinwar.com/downloads.php?catid=2&fileid=9 x Author: Anarchy Angel x Mail: anarchydotang31@gmaildotcom x More info:...
WebKit JSC - 'ObjectPatternNode::appendEntry' Stack Use-After-Free
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1256 Here's a snippet of ObjectPatternNode::appendEntry. void appendEntry(const JSTokenLocation&, ExpressionNode* propertyExpression, DestructuringPatternNode* pattern, ExpressionNode* defaultValue, BindingType bindingType...
WordPress Plugin Ads Pro < 3.4 - Cross-Site Scripting / SQL Injection
Exploit Title: Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager = 5.0.12 AND time-based blind Payload: bsaprostats=1&[email protected]&bsaproid=xx AND SLEEP5 Credits & Author...
WebKit JSC - 'JSArray::appendMemcpy' Uninitialized Memory Copy
indexingType(); if (type == ArrayWithUndecided && copyType != NonArray) { if (copyType == ArrayWithInt32) convertUndecidedToInt32(vm); else if (copyType == ArrayWithDouble) convertUndecidedToDouble(vm); else if (copyType == ArrayWithContiguous) convertUndecidedToContiguous(vm); else ASSERT(copyType ==...
WebKit JSC - 'arrayProtoFuncSplice' Uninitialized Memory Reference
lexicalGlobalObject->arrayStructureForIndexingTypeDuringAllocation(ArrayWithUndecided), actualDeleteCount); if (UNLIKELY(!result)) { throwOutOfMemoryError(exec, scope); return encodedJSValue(); } // The result can have an ArrayStorage indexing type if we're having a bad time. bool isArrayStorage =...
WebKit JSC - 'ArgumentsEliminationPhase::transform' Incorrect LoadVarargs Handling
op == PhantomNewArrayWithSpread || candidate->op() == PhantomSpread) ... if (argumentCountIncludingThis <= limit) { storeArgumentCountIncludingThis(argumentCountIncludingThis); // store arguments ... node->remove(); node->origin.exitOK = canExit; break; } Whether or not the "argumentCountIncludingThis <= limit"...