47885 matches found
Apple WebKit / Safari 10.0.3 (12602.4.8) - Synchronous Page Load Universal Cross-Site Scripting
URL scriptURL;
URL url;
if (protocolIsJavaScript(urlString)) {
    scriptURL = completeURL(urlString); // completeURL() encodes the URL.
    url = blankURL();
} else
    url = completeURL(urlString);
if (shouldConvertInvalidURLsToBlank() && !url.isValid())
    url = blankURL();
Frame* frame = loadOrRedirectSubframe(ownerElement, url,...
Moxa MXview 2.8 - Private Key Disclosure
Credits: John Page AKA HYP3RLINX + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/MOXA-MXVIEW-v2.8-REMOTE-PRIVATE-KEY-DISCLOSURE.txt + ISR: APPARITIONSEC Vendor: ============ www.moxa.com Product: =========== MXview V2.8 Download:...
Moxa MX AOPC-Server 1.5 - XML External Entity Injection
Credits: John Page AKA HYP3RLINX + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/MOXA-MX-AOPC-SERVER-v1.5-XML-EXTERNAL-ENTITY.txt + ISR: ApparitionSec Vendor: ============ www.moxa.com Product: ======================= MX-AOPC UA SERVER - 1.5 Moxa's MX-AOPC...
Quest Privilege Manager 6.0.0 - Arbitrary File Write
#!/usr/bin/env python2 """ Exploit Title: Quest Privilege Manager pmmasterd Arbitrary File Write Date: 10/Mar/2017 Exploit Author: m0t Vendor Homepage: https://www.quest.com/products/privilege-manager-for-unix/ Version: 6.0.0-27, 6.0.0-50 Tested on: ubuntu 14.04 x86_64, ubuntu 16.04 x86, ubuntu 12....
Moxa MXview 2.8 - Denial of Service
Credits: John Page AKA hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/MOXA-MXVIEW-v2.8-DENIAL-OF-SERVICE.txt + ISR: ApparitionSec Vendor: ============ www.moxa.com Product: =========== MXView v2.8 Download:...
Sony Playstation 4 (PS4) 3.50 < 4.07 - WebKit Code Execution (PoC)
PS4 4.0x Code Execution ============== This repo is my edit of the 4.0x webkit exploit released by qwertyoruiopz. The edit re-organizes, comments, and adds portability across 3.50 - 4.07 (3.50, 3.55, 3.70, 4.00, and of course 4.06/4.07). The commenting and reorganization was mostly for my own...
Jobscript4Web 4.5 - Authentication Bypass
---------------- Title = Jobscript4Web 4.5 - Authentication Bypass Date = 8/4/2017 Soft = http://www.jobscript4web.com/index.html Live Demo = http://www.simplejobs.co.in/soft4u --------------- Author = TurkCyberArmy --------------- We have taken up our duty within the Turkish cyber army. Confidence to friends...
Calendar Template 2.0 - 'editid1' SQL Injection
Exploit Title: Calendar v2.0 for ASPRunnerPro/PHPRunner/ASPRunner.NET. - SQL Injection Google Dork: N/A Date: 07.04.2017 Vendor Homepage: https://xlinesoft.com/ Software: https://xlinesoft.com/templates/calendar/index.htm Demo: https://xlinesoft.com/livedemo/calendar/ Version: 2.0 Tested on: Win7...
WordPress Plugin CopySafe Web Protect < 2.6 - Cross-Site Request Forgery
2.6 release --...
Forum Template 1.0 - SQL Injection
Exploit Title: Forum Template v1.0 for ASPRunnerPro/PHPRunner/ASPRunner.NET. - SQL Injection Google Dork: N/A Date: 07.04.2017 Vendor Homepage: https://xlinesoft.com/ Software: https://xlinesoft.com/marketplace/productsview.php?editid1=9 Demo: https://xlinesoft.com/livedemo/forum/ Version: 1.0...
My Gaming Ladder Combo System 7.5 - SQL Injection
Exploit Title: My Gaming Ladder Combo System 7.5 - SQL Injection Google Dork: N/A Date: 07.04.2017 Vendor Homepage: http://www.mygamingladder.com/ Software: http://www.mygamingladder.com/demos.shtml Demo: http://www.mygamingladder.com/upgrade/combo/ Version: 7.5 Tested on: Win7 x64, Kali Linux x6...
Ladder System 6.0 - 'faqid' SQL Injection
Exploit Title: My Gaming Ladder System 6.0 - SQL Injection Google Dork: N/A Date: 07.04.2017 Vendor Homepage: http://www.mygamingladder.com/ Software: http://www.mygamingladder.com/ladder.shtml Demo: http://www.ladder.tf2.co.za/ Version: 6.0 Tested on: Win7 x64, Kali Linux x64 Exploit Author: Ihs...
QNAP TVS-663 QTS < 4.2.4 build 20170313 - Command Injection
QNAP QTS multiple RCE vulnerabilities ===================================== The latest version of this advisory is available at: https://sintonen.fi/advisories/qnap-qts-multiple-rce-vulnerabilities.txt Overview -------- QNAP QTS firmware contains multiple Command Injection (CWE-77) vulnerabilities...
Survey Template 1.1 - 'masterkey1' SQL Injection
Exploit Title: Survey Template v1.1 for ASPRunnerPro,PHPRunner. - SQL Injection Google Dork: N/A Date: 07.04.2017 Vendor Homepage: https://xlinesoft.com/ Software: https://xlinesoft.com/marketplace/productsview.php?editid1=3 Demo: https://xlinesoft.com/livedemo/survey/ Version: 1.1 Tested on: Win...
Shopping Cart Template - 'item' SQL Injection
Exploit Title: Shopping Cart Template v1.0 for ASPRunnerPro/PHPRunner. - SQL Injection Google Dork: N/A Date: 07.04.2017 Vendor Homepage: https://xlinesoft.com/ Software: https://xlinesoft.com/templates/shoppingcart/index.htm Demo: https://xlinesoft.com/livedemo/shopcart/ Version: 1.0 Tested on:...
WordPress Plugin Firewall 2 1.3 - Cross-Site Request Forgery / Cross-Site Scripting
alert(1)" <!-- In a real attack, forms can be submitted automatically and spear-phishing attacks can be convincing. Mitigations ================ Disable the plugin until a new version is released that fixes this bug. Disclosure policy ================ dxw believes in responsible disclosure. Your...
Document Management Template - 'hash' SQL Injection
Exploit Title: Document Management Template v1.0 for PHPRunner 8.x,ASPRunnerPro 9.x,ASPRunner.NET 8.x or better.- SQL Injection Google Dork: N/A Date: 07.04.2017 Vendor Homepage: https://xlinesoft.com/ Software: https://xlinesoft.com/docmanager Demo: https://xlinesoft.com/livedemo/docmanager/...
Invoice Template - 'hash' SQL Injection
Exploit Title: Invoice Template v1.0 for PHPRunner/ASPRunnerPro/ASPRunner.NET. - SQL Injection Google Dork: N/A Date: 07.04.2017 Vendor Homepage: https://xlinesoft.com/ Software: https://xlinesoft.com/invoice Demo: https://xlinesoft.com/livedemo/invoice/livedemo1/ Version: 1.0 Tested on: Win7 x64...
Intellinet NFC-30IR Camera - Multiple Vulnerabilities
Bitcrack Cyber Security - BitLabs Advisory http://www.bitcrack.net Multiple Vulnerabilities in Intellinet NFC-30IR Network Cameras ADVISORY -------- Title: Local File Inclusion in CGI-SCRIPT & Hard-Coded Manufacturer Backdoor Advisory ID: BITL-17-001 Date published: 2017-04-05 Date of last update...
D-Link DWR-116 / DWR-116A1 - Arbitrary File Download
Title: D-Link DWR-116 Arbitrary File Download Vendor: D-Link www.dlink.com Affected models: DWR-116 / DWR-116A1 Tested on: V1.01EU, V1.00CPb10, V1.05AU CVE: CVE-2017-6190 Date: 04.07.2016 Author: Patryk Bogdan @patrykbogdan Description: D-Link DWR-116 with firmware before V1.05b09 suffers from...
e107 CMS 2.1.4 - Cross-Site Request Forgery
...
Adobe (Multiple Products) - XML Injection File Content Disclosure
#!/bin/bash Exploit Title: Adobe XML Injection file content disclosure Date: 07-04-2017 Exploit Author: Thomas Sluyter Website: https://www.kilala.nl Vendor Homepage: http://www.adobe.com/support/security/bulletins/apsb10-05.html Version: Multiple Adobe products Tested on: Windows Server 2003,...
WordPress Plugin WHIZZ < 1.1.1 - Cross-Site Request Forgery
====== Software: WordPress WHIZZ Version: activate or deactivate plugins: Mitigations ================ Disable the plugin until a new version is released that fixes this bug. FIX: ========== https://wordpress.org/plugins/whizz/ 1.1.1 changelog-Specifically...
Quiz Template 1.0 - 'testid' SQL Injection
Exploit Title: Quiz Template v1.0 for ASPRunnerPro/PHPRunner. - SQL Injection Google Dork: N/A Date: 07.04.2017 Vendor Homepage: https://xlinesoft.com/ Software: https://xlinesoft.com/marketplace/productsview.php?editid1=2 Demo: https://xlinesoft.com/livedemo/quiz/ Version: 1.0 Tested on: Win7 x6...
Windows 10 x64 - Egghunter Shellcode (45 bytes)
Windows 10 x64 - Egghunter Shellcode (45 bytes). Shellcode exploit for Win_x86-64 platform
PUBLIC Win10egghunterx64
.code
Win10egghunterx64 PROC
start:
    push 7fh
    pop rdi             ; RDI is nonvolatile, so it will be preserved after syscalls
setup:
    inc rdi             ; parameter 1 - lpAddress - counter
    mov r9b, 40h        ; ...
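The egghunter listed above walks the address space with a counter register, probes each page with a syscall so that an unmapped page does not crash the process, and compares an 8-byte egg (a 4-byte tag repeated twice) before jumping to the payload that follows it. The C program below is an added illustration of that search loop, not the listed shellcode and not code from its author: it models the address space as a constructed buffer of four pages, replaces the page-probing syscall with a caller-supplied readability callback (assumption), skips unreadable pages whole, rejects a lone tag, ignores an egg that sits in an unreadable page, and returns the payload address after the real egg. The tag `w00t`, the page size and the sample layout are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 4096u
#define EGG_TAG   "w00t"   /* assumed 4-byte tag; the egg is this tag twice */
#define NPAGES    4

/* Readability probe. A real egghunter issues a syscall that returns an error
   for an unmapped address; in this model the caller answers per page index. */
typedef int (*probe_fn)(size_t page_index, void *ctx);

/* Search [base, base+len) for EGG_TAG EGG_TAG. Both the first and the last byte
   of a candidate egg are probed before they are read, and an unreadable page
   is skipped whole, as the shellcode does by rounding its counter up to the
   next page. Returns a pointer just past the egg, or NULL if none is found. */
const uint8_t *egghunt(const uint8_t *base, size_t len, probe_fn probe, void *ctx) {
    size_t off = 0;
    while (off + 8 <= len) {
        size_t first_pg = off / PAGE_SIZE;
        size_t last_pg  = (off + 7) / PAGE_SIZE;
        if (!probe(first_pg, ctx)) { off = (first_pg + 1) * PAGE_SIZE; continue; }
        if (!probe(last_pg, ctx))  { off = (last_pg + 1) * PAGE_SIZE;  continue; }
        /* compare the tag twice, like the two cmpsd instructions in the shellcode */
        if (memcmp(base + off, EGG_TAG, 4) == 0 && memcmp(base + off + 4, EGG_TAG, 4) == 0)
            return base + off + 8;
        off++;
    }
    return NULL;
}

/* Constructed address space: four pages, page 1 is pretend-unmapped. */
static uint8_t space[NPAGES * PAGE_SIZE];
static unsigned char readable[NPAGES] = {1, 0, 1, 1};

static int bitmap_probe(size_t page_index, void *ctx) {
    const unsigned char *map = ctx;
    return page_index < NPAGES && map[page_index];
}

/* Lay out the sample: a lone tag in page 0 (not an egg), a full egg in the
   unreadable page 1 (must be skipped), and the real egg plus a stand-in
   payload in page 2. Returns the offset where the payload starts. */
size_t build_sample(void) {
    memset(space, 0x90, sizeof space);                    /* NOP sled filler */
    memcpy(space + 100, EGG_TAG, 4);                      /* decoy: tag only once */
    memcpy(space + PAGE_SIZE + 50, EGG_TAG EGG_TAG, 8);   /* egg in unreadable page */
    size_t egg_off = 2 * PAGE_SIZE + 1234;
    memcpy(space + egg_off, EGG_TAG EGG_TAG, 8);
    memcpy(space + egg_off + 8, "\xcc\xcc\xcc\xcc", 4);   /* stand-in payload */
    return egg_off + 8;
}

/* Offset of the payload the hunter lands on, or (size_t)-1 if nothing is found. */
size_t hunt_sample(void) {
    build_sample();
    const uint8_t *hit = egghunt(space, sizeof space, bitmap_probe, readable);
    return hit ? (size_t)(hit - space) : (size_t)-1;
}

/* Same layout with the real egg's page also made unreadable: the hunter must
   come back empty instead of faulting on it. */
size_t hunt_sample_hidden(void) {
    build_sample();
    unsigned char map[NPAGES] = {1, 0, 0, 1};
    const uint8_t *hit = egghunt(space, sizeof space, bitmap_probe, map);
    return hit ? (size_t)(hit - space) : (size_t)-1;
}

int main(void) {
    size_t want = build_sample();
    size_t got = hunt_sample();
    printf("payload found at offset %zu (expected %zu)\n", got, want);
    printf("with the egg's page unreadable: %s\n",
           hunt_sample_hidden() == (size_t)-1 ? "not found (correct)" : "found (wrong)");
    return got == want ? 0 : 1;
}
```

The two probes per candidate matter: an egg that straddles a page boundary has its first byte on one page and its last on the next, and the real shellcode only survives because it checks the end of the candidate before dereferencing it. The decoy in page 0 shows why the tag is doubled: a single copy of the tag is likely to occur by chance (in the hunter's own code, for instance), while the 8-byte repeat is not.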
Cesanta Mongoose OS - Use-After-Free
COMPASS SECURITY ADVISORY https://www.compass-security.com/en/research/advisories/ Product: Mongoose OS Vendor: Cesanta CVE ID: CVE-2017-7185 CSNC ID: CSNC-2017-003 Subject: Use-after-free / Denial of Service Risk: Medium Effect: Remotely exploitable Authors: Philipp Promeuschel Carel van Rooyen...
Moodle 2.x/3.x - SQL Injection
Exploit: Moodle SQL Injection via Object Injection Through User Preferences Date: April 6th, 2017 Exploit Author: Marko Belzetski Contact: [email protected] Vendor Homepage: https://moodle.org/ Version: 3.2 to 3.2.1, 3.1 to 3.1.4, 3.0 to 3.0.8, 2.7.0 to 2.7.18 and other unsupported versio...
Sweepstakes Pro Software - SQL Injection
Exploit Title: Sweepstakes Pro Software - SQL Injection Google Dork: N/A Date: 05.04.2017 Vendor Homepage: http://bimedia.info/ Software: http://bimedia.info/sweepstakes-pro-software/ Demo: http://mysweepstakespro.com/demo/ Version: N/A Tested on: Win7 x64, Kali Linux x64 Exploit Author: Ihsan...
Premium Penny Auction Script - SQL Injection
Exploit Title: Premium Penny Auction Script - SQL Injection Google Dork: N/A Date: 05.04.2017 Vendor Homepage: http://bimedia.info/ Software: http://bimedia.info/premium-penny-auction-script/ Demo: http://pennyauction.clonedemo.com/ Version: N/A Tested on: Win7 x64, Kali Linux x64 Exploit Author:...
Airbnb Crashpadder Clone Script - SQL Injection
Exploit Title: Airbnb Crashpadder Clone Script - SQL Injection Google Dork: N/A Date: 05.04.2017 Vendor Homepage: http://bimedia.info/ Software: http://bimedia.info/airbnb-premium-clone-script/ Demo: http://airbnb.clonedemo.com/ Version: N/A Tested on: Win7 x64, Kali Linux x64 Exploit Author: Ihs...
Appointment Script - SQL Injection
Exploit Title: Doctors Appointment Script - SQL Injection Google Dork: N/A Date: 05.04.2017 Vendor Homepage: http://appointment-script.com/ Software: http://appointment-script.com/demo Demo: http://appointment-script.com/demo Version: N/A Tested on: Win7 x64, Kali Linux x64 Exploit Author: Ihsan...
Faveo Helpdesk Community 1.9.3 - Cross-Site Request Forgery
Exploit Title: CSRF / Privilege Escalation Manipulation of Role Agent to Admin on Faveo version Community 1.9.3 Google Dork: no Date: 05-April-2017 Exploit Author: @runggareksya, @yokoacc, @AdyWikradinata, @dickysofficial, @dvnrcy Vendor Homepage: http://www.faveohelpdesk.com/ Software Link:...
ImagePro Lazygirls Clone Script - SQL Injection
Exploit Title: ImagePro Lazygirls Clone Script - SQL Injection Google Dork: N/A Date: 05.04.2017 Vendor Homepage: http://bimedia.info/ Software: http://bimedia.info/8-2/ Demo: http://imagepro.clonedemo.com/ Version: N/A Tested on: Win7 x64, Kali Linux x64 Exploit Author: Ihsan Sencan Author Web:...
SpiceWorks 7.5 TFTP - Remote File Overwrite / Upload
Credits: John Page AKA HYP3RLINX + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/SPICEWORKS-IMPROPER-ACCESS-CONTROL-FILE-OVERWRITE.txt + ISR: APPARITIONSEC Vendor: ================== www.spiceworks.com Product: ================= Spiceworks - 7.5 Provides...
HelpDEZK 1.1.1 - Cross-Site Request Forgery / Code Execution
Exploit Title: Multiple CSRF Remote Code Execution Vulnerability on HelpDEZK 1.1.1 Date: 05-April-2017 Exploit Author: @runggareksya, @yokoacc, @AdyWikradinata, @dickysofficial, @dvnrcy Vendor Homepage: http://www.helpdezk.org/ Software Link: https://codeload.github.com/albandes/helpdezk/zip/v1.1...
D-Link DIR-615 - Cross-Site Request Forgery
Title: ==== D-Link DIR 615 HW: T1 FW:20.09 is vulnerable to Cross-Site Request Forgery (CSRF) vulnerability Credit: ====== Name: Pratik S. Shah Reference: ========= CVE Details: CVE-2017-7398. Date: ==== 1-04-2017 Vendor: ====== D-Link wireless router Product: ======= DIR-615...
Broadcom Wi-Fi SoC - TDLS Teardown Request Remote Heap Overflow
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1046 https://googleprojectzero.blogspot.ca/2017/04/over-air-exploiting-broadcoms-wi-fi4.html Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile...
Apple WebKit 10.0.2(12602.3.12.0.1) - 'Frame::setDocument (1)' Universal Cross-Site Scripting
&& newDocument)
    ASSERT(!newDocument || newDocument->frame() == this);
    if (m_doc && m_doc->pageCacheState() != Document::InPageCache)
        m_doc->prepareForDestruction();
    m_doc = newDocument.copyRef();
    ...
The function |prepareForDestruction| is only called when the cache state is not |Document::InPageCache|. So the frame wi...
Apple WebKit - 'ComposedTreeIterator::traverseNextInShadowTree' Use-After-Free
function go() {
    d.open = false;
    d.innerHTML = "foo";
    d.open = true;
}
foo
<!--
=================================================================
ASan log:
=================================================================
==570==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000065058 at pc...
Apple WebKit 10.0.2 - HTMLInputElement Use-After-Free
function eventhandler1() {
    input.type = "foo";
}
function eventhandler2() {
    input.selectionStart = 25;
}
<!--
=================================================================
ASAN log from WebKit nightly on Mac:
=================================================================
==26782==ERROR: AddressSanitize...
Apple macOS/iOS Kernel 10.12.3 (16D32) - Bad Locking in necp_open Use-After-Free
/* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1116
necp_open is a syscall used to obtain a new necp file descriptor. The necp file's fp's fg_data points to a struct necp_fd_data allocated on the heap. Here's the relevant code from necp_open:
error = falloc(p, &fp, &fd,...
Apple WebKit - 'RenderLayer' Use-After-Free
function go() {
    div.style.setProperty("-webkit-flow-into", "foo");
    document.execCommand("fontSize", false, 6);
    window.requestAnimationFrame(cb);
    h1.attachShadow({mode: "open"});
    h1.replaceWith("foo");
}
function cb() {
    var a;
    // trigger garbage collector
    for (var i = 0; i
<!--...
Apple macOS Kernel 10.12.3 (16D32) - Use-After-Free Due to Double-Release in posix_spawn
/* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1104
exec_handle_port_actions is responsible for handling the xnu port actions extension to posix_spawn. It supports 4 different types of port (PSPA_SPECIAL, PSPA_EXCEPTION, PSPA_AU_SESSION and PSPA_IMP_WATCHPORTS). For the special, exception...
Apple WebKit - Negative-Size memmove in HTMLFormElement
function go() {
    var iframe = document.getElementById("iframe");
    var iframeWindow = window[0];
    var toInsert = div;
    var iframeBody = iframeWindow.document.body;
    iframeBody.before(document.body);
    iframe.after(toInsert);
}
aaaaaaaa
<!--
=================================================================
Preliminary...
Apple macOS Kernel 10.12.3 (16D32) - 'audit_pipe_open' Off-by-One Memory Corruption
/* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1126
MacOS kernel memory corruption due to off-by-one in audit_pipe_open
audit_pipe_open is the special file open handler for the auditpipe device (major number 10). Here's the code:
static int audit_pipe_open(dev_t dev, __unused int flags,...
Apple WebKit - 'WebCore::toJS' Use-After-Free
function freememory() {
    var a;
    for (var i = 0; i
<!--
=================================================================
ASan log:
=================================================================
==25184==ERROR: AddressSanitizer: heap-use-after-free on address 0x61a000076e80 at pc 0x000115bea4e0 bp...
Broadcom Wi-Fi SoC - Heap Overflow 'wlc_tdls_cal_mic_chk' Due to Large RSN IE in TDLS Setup Confirm Frame
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1047 Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without...
Apple macOS/iOS Kernel 10.12.3 (16D32) - SIOCSIFORDER Socket ioctl Memory Corruption Due to Bad Bounds Checking
/* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1108
SIOCSIFORDER is a new ioctl added in iOS 10. It can be called on a regular tcp socket, so from pretty much any sandbox. It falls through to calling:
ifnet_reset_order(ordered_indices, ifo->ifo_count)
where ordered_indices points to...
Apple WebKit 10.0.2 (12602.3.12.0.1) - 'disconnectSubframes' Universal Cross-Site Scripting
frameOwners;
if (policy == RootAndDescendants) {
    if (is<HTMLFrameOwnerElement>(root))
        frameOwners.append(downcast<HTMLFrameOwnerElement>(root));
}
collectFrameOwners(frameOwners, root);
// Must disable frame loading in the subtree so an unload handler cannot
// insert more frames and create loaded frames in detached subtrees.
SubframeLoadingDisabler...
Apple Webkit - Universal Cross-Site Scripting by Accessing a Named Property from an Unloaded Window
document)) {
    auto& htmlDocument = downcast<HTMLDocument>(document);
    auto atomicPropertyName = propertyName.publicName();
    if (atomicPropertyName && htmlDocument.hasWindowNamedItem(*atomicPropertyName)) {
        JSValue namedItem;
        if (UNLIKELY(htmlDocument.windowNamedItemContainsMultipleElements(*atomicPropertyName))) {
            Ref<HTMLCollection> collection =...