41207 matches found
Joomla! Component com_rand - SQL Injection
Joomla! Component com_rand - SQL Injection Exploit Title : Joomla Spider Random Article Component SQL Injection vulnerability Author : Jagriti Sahu AKA Incredible Vendor Link : http://demo.web-dorado.com/spider-random-article.html Date : 22/03/2015 Discovered at : IndiShell Lab Love to : error1046...
WordPress Plugin Video Gallery 2.8 - Multiple Cross-Site Request Forgery Vulnerabilities
WordPress Plugin Video Gallery 2.8 - Multiple Cross-Site Request Forgery Vulnerabilities Exploit Title: Wordpress Video Gallery Plugin Multiple CSRF File Upload Google Dork: inurl:/wp-content/plugins/contus-video-gallery Date: 31 March 2015 Exploit Author: Divya Vendor Homepage:...
WordPress Plugin Simple Ads Manager 2.5.94 - Arbitrary File Upload
WordPress Plugin Simple Ads Manager 2.5.94 - Arbitrary File Upload Vulnerability title: Wordpress plugin Simple Ads Manager - Arbitrary File Upload Product: Wordpress plugin Simple Ads Manager Vendor: https://profiles.wordpress.org/minimus/ Affected version: Simple Ads Manager 2.5.94 Download lin...
WebGate eDVR Manager 2.6.4 - AudioOnlySiteChannel Stack Buffer Overflow
WebGate eDVR Manager 2.6.4 - AudioOnlySiteChannel Stack Buffer Overflow var arg1 = ""; var arg2 = 1; var arg3 = 1; var nops = ""; var shellcode = ""; var buff2 = ""; for i=0; i128; i++ arg1 += "B"; var nseh = "\xeb\x10PD"; var seh = "\xa0\xf2\x07\x10"; for i=0;i80; i++ nops += "\x90"; shellcode =...
WordPress Plugin SP Project Document Manager 2.5.3 - Blind SQL Injection
WordPress Plugin SP Project Document Manager 2.5.3 - Blind SQL Injection Exploit Title: WordPress SP Project & Document Manager 2.5.3 Blind SQL Injection Google Dork: inurl:wp-content/plugins/sp-client-document-manager Date: 2015-03-04 Exploit Author: catsecurity Vendor Homepage:...
JBoss AS 3456 - Remote Command Execution
JBoss AS 3456 - Remote Command Execution coding: utf-8 JexBoss v1.0. @autor: João Filho Matos Figueiredo [email protected] Updates: https://github.com/joaomatosf/jexboss Free for distribution and modification, but the authorship should be preserved. import httplib, sys, urllib, os, time from...
Fiyo CMS 2.0.1.8 - Multiple Vulnerabilities
Fiyo CMS 2.0.1.8 - Multiple Vulnerabilities Exploit Title: FiyoCMS Multiple Vulnerabilities Date: 29 March 2015 Exploit Author: Mahendra Vendor Homepage: www.fiyo.org Software Link: http://sourceforge.net/projects/fiyo-cms/ Version: 2.0.1.8, other version might be vulnerable. Tested : Kali Linux...
Airties Air5650TT - Remote Stack Overflow
Airties Air5650TT - Remote Stack Overflow !/usr/bin/env python Exploit for the AIRTIES Air5650v3TT Spawns a reverse root shell Author: Batuhan Burakcin Contact: [email protected] Twitter: @batuhanburakcin Web: http://www.bmicrosystems.com import sys import time import string import socket...
Palo Alto Traps Server 3.1.2.1546 - Persistent Cross-Site Scripting
Palo Alto Traps Server 3.1.2.1546 - Persistent Cross-Site Scripting !/usr/bin/ruby =begin ------------------------------------------------------------------------ Product: Palo Alto Traps Server formerly Cyvera Endpoint Protection Vendor: Palo Alto Networks Vulnerable Versions: 3.1.2.1546 Tested...
Acunetix-9.5
Date: 27 Mar 2015 Version: 9.5 Tested on: Windows 7 Description: Acunetix Login Sequence Recorder lsr.exe Uses CoCreateInstance API From Ole32.dll To Record Target Login Sequence Exploit Based on MS14-064 CVE2014-6332 http://www.exploit-db.com/exploits/35229/ This Python Script Will Start A Sampl...
RM-Downloader-2.7.5.400
Exploit Title: RM Downloader v2.7.5.400 Local Buffer Overflow + Date: 25-03-2015 + Type: Local Exploits + Tested on: WinXp/Windows 7 Pro + Vendor: http://software-files-a.cnet.com/s/software/10/65/60/49/Mini-streamRM-MP3Converter.exe?token=142731898198f71d0e10e2e3bd2e730179341feb0a + Friendly...
Mini-stream-Ripper-v2.7.7.100
Exploit Title: Mini-sream Ripper v2.7.7.100 Local Buffer Overflow + Date: 25-03-2015 + Type: Local Exploits + Tested on: WinXp/Windows 7 Pro + Vendor: http://software-files-a.cnet.com/s/software/10/65/60/43/Mini-streamRipper.exe?token=14273348648d9c5d7d948871f54ae14ed9304d1ddf + Friendly Sites:...
Joomla! Component Contact Form Maker 1.0.1 - SQL Injection
Joomla! Component Contact Form Maker 1.0.1 - SQL Injection +Title: Joomla Contact Form Maker v1.0.1 Component - SQL injection vulnerability +Author: TUNISIAN CYBER +Date: 29/03/2015 +Vendor: http://extensions.joomla.org/extensions/extension/contacts-and-feedback/contact-forms/contact-form-maker...
JBoss JMXInvokerServlet JMXInvoker 0.3 - Remote Command Execution
JBoss JMXInvokerServlet JMXInvoker 0.3 - Remote Command Execution / JBoss JMXInvokerServlet Remote Command Execution JMXInvoker.java v0.3 - Luca Carettoni @ikki This code exploits a common misconfiguration in JBoss Application Server 4.x, 5.x, .... Whenever the JMX Invoker is exposed with the...
WordPress Plugin aspose-doc-exporter 1.0 - Arbitrary File Download
WordPress Plugin aspose-doc-exporter 1.0 - Arbitrary File Download Exploit Title: Wordpress aspose-doc-exporter Plugin Arbitrary File Download Vulnerability...
WordPress Plugin Slider REvolution 4.1.4 - Arbitrary File Download
WordPress Plugin Slider REvolution 4.1.4 - Arbitrary File Download Exploit Title : WordPress Slider Revolution Responsive = 4.1.4 Arbitrary File Download vulnerability Exploit Author : Claudio Viviani Vendor Homepage : http://codecanyon.net/item/slider-revolution-responsive-wordpress-plugin/27513...
Fedora 21 setroubleshootd 3.2.22 - Local Privilege Escalation
Fedora 21 setroubleshootd 3.2.22 - Local Privilege Escalation setroubleshoot tries to find out which rpm a particular file belongs to when it finds SELinux access violation reports. The idea is probably to have convenient reports for the admin which type enforcement rules have to be relaxed...
Joomla! Component com_gallery_wd - SQL Injection
Joomla! Component com_gallery_wd - SQL Injection Exploit Title: Joomla Gallery WD - SQL Injection Vulnerability Google Dork: inurl:option=comgallerywd Date: 29.03.2015 Exploit Author: CrashBandicot @DosPerl Vendor HomePage: http://web-dorado.com/ Source Component :...
Apache Spark Cluster 1.3.x - Arbitrary Code Execution
Apache Spark Cluster 1.3.x - Arbitrary Code Execution Exploit Title: Arbitary Code Execution in Apache Spark Cluster Date: 23/03/2015 Exploit Author: AkhlD AkhilDas CodeBreach.in Vendor Homepage: https://spark.apache.org/ Software Link: https://spark.apache.org/downloads.html Version: All 0.0.x,...
IDM 6.20 - Local Buffer Overflow
IDM 6.20 - Local Buffer Overflow !/usr/bin/env python + Author: TUNISIAN CYBER + Exploit Title: IDM v6.20 Local Buffer Overflow + Date: 27-03-2015 + Type: Local Exploits + Tested on: WinXp/Windows 7 Pro + Vendor: http://www.internetdownloadmanager.com/ + Friendly Sites: sec4ever.com + Twitter:...
Berta CMS - Arbitrary File Upload
Berta CMS - Arbitrary File Upload Berta CMS is a web based content management system using PHP and local file storage. http://www.berta.me/ Due to use of a 3rd party Berta CMS website to redirect links within a phishing email brought to our attention we checked the file upload functionality of th...
Acunetix 9.5 - OLE Automation Array Remote Code Execution
Acunetix 9.5 - OLE Automation Array Remote Code Execution !/usr/bin/python import BaseHTTPServer, sys, socket Acunetix OLE Automation Array Remote Code Execution Author: Naser Farhadi Linkedin: http://ir.linkedin.com/pub/naser-farhadi/85/b3b/909 Date: 27 Mar 2015 Version: acunetix.exe Video:...
WebGate eDVR Manager 2.6.4 - SiteName Stack Overflow
WebGate eDVR Manager 2.6.4 - SiteName Stack Overflow var buff1= ""; var buff2= "PraveenD"; var nops = ""; for i=0; i128; i++ buff1 += "B"; var nseh = "\xeb\x08PD"; var seh = "\xa0\xf2\x07\x10"; for i=0;i80; i++ nops += "\x90"; //calc.exe payload sc =...
WebGate Control Center 4.8.7 - GetThumbnail Stack Overflow
WebGate Control Center 4.8.7 - GetThumbnail Stack Overflow var buff1 = ""; var arg2=1; var arg3=1; var arg4=1; var nops = ""; var buff2 = ""; for i=0;i24; i++ buff1 += "B"; // jump over seh to shellcode nseh = "\xeb\x08PD"; // pop pop ret var seh = "\xa0\xf2\x07\x10"; for i=0;i80; i++ nops +=...
WebGate WinRDS 2.0.8 - StopSiteAllChannel Stack Overflow
WebGate WinRDS 2.0.8 - StopSiteAllChannel Stack Overflow WebGate WinRDS WESPPlayback.WESPPlaybackCtrl.1 StopSiteAllChannel Stack Buffer Overflow Vulnerability 0Day var buff1 = ""; var nops = ""; var buff2 = ""; for i=0;i128; i++ buff1 += "B"; nseh = "\xeb\x08PD"; //pop pop ret = 1007f2a0 0x1007f2...
Free-MP3-CD-Ripper-2.6
Author: TUNISIAN CYBER + Exploit Title: Free MP3 CD Ripper All versions Local Buffer Overflow + Date: 20-03-2015 + Type: Local Exploits + Tested on: WinXp/Windows 7 Pro...
Bsplayer-2.68-HTTP
Bsplayer suffers from a buffer overflow vulnerability when processing the HTTP response when opening a URL. In order to exploit this bug I partially overwrote the seh record to land at pop pop ret instead of the full address and then used backward jumping to jump to a long jump that eventually...
WebGate eDVR Manager - Remote Stack Buffer Overflow
WebGate eDVR Manager - Remote Stack Buffer Overflow var arg1 = ""; nops = ""; var buff = ""; fori=0;i"+"Lengths: arg1="+arg1.length+" seh="+seh.length+""; fori=0;i200;i++ nops += "\x90"; sc = "\x54\x5d\xda\xc9\xd9\x75\xf4\x59\x49\x49\x49\x49\x49" +...
Mini-stream Ripper 2.7.7.100 - Local Buffer Overflow
Mini-stream Ripper 2.7.7.100 - Local Buffer Overflow !/usr/bin/env python + Author: TUNISIAN CYBER + Exploit Title: Mini-sream Ripper v2.7.7.100 Local Buffer Overflow + Date: 25-03-2015 + Type: Local Exploits + Tested on: WinXp/Windows 7 Pro + Vendor:...
RM Downloader 2.7.5.400 - Local Buffer Overflow
RM Downloader 2.7.5.400 - Local Buffer Overflow !/usr/bin/env python + Author: TUNISIAN CYBER + Exploit Title: RM Downloader v2.7.5.400 Local Buffer Overflow + Date: 25-03-2015 + Type: Local Exploits + Tested on: WinXp/Windows 7 Pro + Vendor:...
pfSense 2.2 - Multiple Vulnerabilities
pfSense 2.2 - Multiple Vulnerabilities Advisory ID: HTB23251 Product: pfSense Vendor: Electric Sheep Fencing LLC Vulnerable Versions: 2.2 and probably prior Tested Version: 2.2 Advisory Publication: March 4, 2015 without technical details Vendor Notification: March 4, 2015 Vendor Patch: March 5,...
QNAP - Admin Shell via Bash Environment Variable Code Injection (Metasploit)
QNAP - Admin Shell via Bash Environment Variable Code Injection Metasploit Exploit Title: QNAP admin shell via Bash Environment Variable Code Injection Date: 7 February 2015 Exploit Author: Patrick Pellegrino | [email protected] work /...
QNAP - Web Server Remote Code Execution via Bash Environment Variable Code Injection (Metasploit)
QNAP - Web Server Remote Code Execution via Bash Environment Variable Code Injection Metasploit Exploit Title: QNAP Web server remote code execution via Bash Environment Variable Code Injection Date: 7 February 2015 Exploit Author: Patrick Pellegrino |...
Adobe Flash Player - Arbitrary Code Execution
Adobe Flash Player - Arbitrary Code Execution Source: https://github.com/SecurityObscurity/cve-2015-0313 PoC: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/36491.zip Adobe Flash vulnerability source code cve-2015-0313 from Angler Exploit Kit Reference:...
WordPress Plugin Marketplace 2.4.0 - Remote Code Execution (Add Admin)
WordPress Plugin Marketplace 2.4.0 - Remote Code Execution Add Admin !/usr/bin/python Exploit Name: WP Marketplace 2.4.0 Remote Command Execution Vulnerability discovered by Kacper Szurek http://security.szurek.pl Exploit written by Claudio Viviani...
WordPress Plugin InBoundio Marketing 1.0 - Arbitrary File Upload
WordPress Plugin InBoundio Marketing 1.0 - Arbitrary File Upload Dx . Made In Algeria . xZ Title : WordPress plugin InBoundio Marketing Shell Upload Vulnerability Author : KedAns-Dz + E-mail : ked-h @hotmail.com + FaCeb0ok : fb.me/K3d.Dz + TwiTter : @kedans Platform : PHP / WebApp + Cat/Tag : Fil...
Bsplayer 2.68 - HTTP Response Universal
Bsplayer 2.68 - HTTP Response Universal !/usr/bin/python ''' Bsplayer suffers from a buffer overflow vulnerability when processing the HTTP response when opening a URL. In order to exploit this bug I partially overwrote the seh record to land at pop pop ret instead of the full address and then...
Free MP3 CD Ripper 2.6 - .wav Local Buffer Overflow
Free MP3 CD Ripper 2.6 - .wav Local Buffer Overflow !/usr/bin/python + Author: TUNISIAN CYBER + Exploit Title: Free MP3 CD Ripper All versions Local Buffer Overflow + Date: 20-03-2015 + Type: Local Exploits + Tested on: WinXp/Windows 7 Pro + Vendor:...
Joomla! Component Spider FAQ - SQL Injection
Joomla! Component Spider FAQ - SQL Injection Exploit Title : Joomla Spider FAQ component SQL Injection vulnerability Author : Manish Kishan Tanwar AKA error1046 Vendor Link : http://demo.web-dorado.com/spider-faq.html Date : 21/03/2015 Discovered at : IndiShell Lab Love to : zero cool,Team...
WordPress Plugin Marketplace 2.4.0 - Arbitrary File Download
WordPress Plugin Marketplace 2.4.0 - Arbitrary File Download Exploit Title: WP Marketplace 2.4.0 Arbitrary File Download Date: 26-10-2014 Software Link: https://wordpress.org/plugins/wpmarketplace/ Exploit Author: Kacper Szurek Contact: http://twitter.com/KacperSzurek Website:...
Telescope 0.9.2 - Markdown Persistent Cross-Site Scripting
Telescope 0.9.2 - Markdown Persistent Cross-Site Scripting Exploit Title: Persistent XSS via Markdown on Telescope = 0.9.2 Date: Aug 22 2014 Exploit Author: shubs Vendor Homepage: http://www.telescopeapp.org/ Software Link: https://github.com/TelescopeJS/Telescope Version: = 0.9.2 CVE :...
EMC MR (Watch4net) - Credential Disclosure
EMC MR (Watch4net) - Credential Disclosure. Abstract: It was discovered that EMC M&R Watch4net credentials of remote servers stored in Watch4net are encrypted using a fixed hardcoded password. If an attacker manages to obtain a copy of the encrypted credentials, it is trivial to decrypt them. Affecte...
Citrix Command Center - Credential Disclosure
Citrix Command Center - Credential Disclosure. Abstract: It was discovered that Citrix Command Center stores configuration files containing credentials of managed devices within a folder accessible through the web server. Unauthenticated attackers can download any configuration file stored in this...
Joomla! Component ECommerce-WD 1.2.5 - SQL Injection
Joomla! Component ECommerce-WD 1.2.5 - SQL Injection Version 1.2.5 of the ECommerce-WD plugin for Joomla! has multiple unauthenticated SQL injections available via the advanced search functionality. http://extensions.joomla.org/extension/ecommerce-wd The vulnerable parameters are searchcategoryid...
FastStone Image Viewer 5.3 - .tga Crash (PoC)
FastStone Image Viewer 5.3 - .tga Crash PoC Exploit Title : FastStoneImage Viewer Corrupted tga IMAGESPECIFICATION.Width Crash POC Product : FastStoneImage Viewer Date : 25.02.2015 Exploit Author : ITDefensor Vulnerability Research Team http://itdefensor.ru/ Software Link :...
Microsoft Windows 8.1 - Local WebDAV NTLM Reflection Privilege Escalation
Microsoft Windows 8.1 - Local WebDAV NTLM Reflection Privilege Escalation Source: https://code.google.com/p/google-security-research/issues/detail?id=222 Windows: Local WebDAV NTLM Reflection Elevation of Privilege Platform: Windows 8.1 Update, Windows 7 Class: Elevation of Privilege Summary: A...
Citrix Nitro SDK - Command Injection
Citrix Nitro SDK - Command Injection. Abstract: Securify discovered a command injection vulnerability in xenhotfix page of the NITRO SDK. The attacker-supplied command is executed with elevated privileges nsroot. This issue can be used to compromise the entire Citrix SDX appliance and all...
Chamilo LMS 1.9.10 - Multiple Vulnerabilities
Chamilo LMS 1.9.10 - Multiple Vulnerabilities I. Overview: Chamilo LMS 1.9.10 or prior versions are prone to multiple Cross-Site Scripting (Stored + Reflected) & CSRF vulnerabilities. These vulnerabilities allow an attacker to gain control...
EMC MR (Watch4net) - Directory Traversal
EMC MR (Watch4net) - Directory Traversal. Abstract: A path traversal vulnerability was found in EMC M&R Watch4net Device Discovery. This vulnerability allows an attacker to access sensitive files containing configuration data, passwords, database records, log data, source code, and program scripts an...
Brasero-CDDVD-Burner-3.4.1
Exploit title: Brasero 3.4.1 'm3u' Buffer Overflow POC Date Discovered: 15th March' 2015 Exploit Author: Avinash Kumar Thapa "-Acid" Vulnerable Software: Brasero 3.4.1 CD/DVD for the Gnome Desktop Homepage:https://wiki.gnome.org/Apps/Brasero Tested on: Kali Linux 1.0.9...