41207 matches found
ImgHosting 1.5 - Cross-Site Scripting
ImgHosting 1.5 - Cross-Site Scripting Exploit Title: ImgHosting Image Storage System 1.5 - Cross-Site-Scripting Date: 12-01-2018 Exploit Author: Dennis Veninga Contact Author: d.veninga at networking4all.com Vendor Homepage: foxsash.com Version: 1.5 CVE-ID: CVE-2018-5479 ImgHosting – Image Storag...
Adminer 4.3.1 - Server-Side Request Forgery
Adminer 4.3.1 - Server-Side Request Forgery + Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/ADMINER-UNAUTHENTICATED-SERVER-SIDE-REQUEST-FORGERY.txt + ISR: apparition security Vendor: ============== www.adminer.org Product...
pfSense 2.1.4 - status_rrd_graph_img.php Command Injection
pfSense 2.1.4 - statusrrdgraphimg.php Command Injection !/usr/bin/env python3 Exploit Title: pfSense = 2.1.3 statusrrdgraphimg.php Command Injection. Date: 2018-01-12 Exploit Author: absolomb Vendor Homepage: https://www.pfsense.org/ Software Link: https://atxfiles.pfsense.org/mirror/downloads/ol...
SysGauge Server 3.6.18 - Remote Buffer Overflow
SysGauge Server 3.6.18 - Remote Buffer Overflow Exploit Title: SysGauge Server 3.6.18 - Buffer Overflow Exploit Author: Ahmad Mahfouz Description: Sysgauge Server Unauthenticated Remote Buffer Overflow SEH Contact: http://twitter.com/eln1x Date: 12/01/2018 CVE: CVE-2018-5359 Version: 3.6.18 Teste...
D-Link DNS-343 ShareCenter 1.05 - Command Injection
D-Link DNS-343 ShareCenter 1.05 - Command Injection D-Link DNS-343 ShareCenter Remote Root Vendor: D-Link Product: D-Link DNS-343 ShareCenter Version: = 1.05 Website: http://sharecenter.dlink.com/products/DNS-343 / / / / / / / / / / / / / / / / / / / / / \ / // / // / / / / / / / // / / / /,///...
Synology Photo Station 6.8.2-3461 - SYNOPHOTO_Flickr_MultiUpload Race Condition File Write Remote Code Execution
Synology Photo Station 6.8.2-3461 - SYNOPHOTOFlickrMultiUpload Race Condition File Write Remote Code Execution !/usr/local/bin/python """ Synology Photo Station = 6.8.2-3461 latest SYNOPHOTOFlickrMultiUpload Race Condition File Write Remote Code Execution Vulnerability Found by: mrme Tested:...
Domains Hostings Manager PRO 3.0 - Authentication Bypass
Domains Hostings Manager PRO 3.0 - Authentication Bypass Exploit Title: Domains & Hostings Manager PRO v 3.0 - Authentication Bypass Date: 13.01.2018 Vendor Homepage: http://endavi.com/ Software Buy: https://codecanyon.net/item/advanced-domains-and-hostings-pro-v3-multiuser/10368735 Demo:...
GitStack - Remote Code Execution
GitStack - Remote Code Execution Vulnerability Summary The following advisory describes an unauthenticated action that allows a remote attacker to add a user to GitStack and then used to trigger an unauthenticated remote code execution. GitStack is “a software that lets you setup your own private...
DarkComet (C2 Server) - File Upload
DarkComet C2 Server - File Upload !/usr/bin/env python3 EDB Note: Source https://gist.github.com/PseudoLaboratories/260b6f24844785aacc1e2fb61dd05c01/259944bd94a0d289ef80b9138c1e3f97a97aa9cd from time import sleep from socket import socket, AFINET, SOCKSTREAM, error from re import search from...
PerfexCRM 1.9.7 - Arbitrary File Upload
PerfexCRM 1.9.7 - Arbitrary File Upload Exploit Title: PerfexCRM 1.9.7 – Unrestricted php5 File upload Exploit Author: Ahmad Mahfouz Description: PerfexCRM 1.9.7 prone to unrestricted file upload that lead to system take over by misconfigured elfinder plugin Contact: http://twitter.com/eln1x Date...
RISE 1.9 - search SQL Injection
RISE 1.9 - search SQL Injection Exploit Title: RISE Ultimate Project Manager 1.9 - SQL Injection Exploit Author: Ahmad Mahfouz Contact: http://twitter.com/eln1x Date: 30/12/2017 CVE: CVE-2017-17999 Vendor Homepage: http://fairsketch.com/ Version: 1.9 POST...
Oracle E-Business Suite 12.1.312.2.x - Open Redirect
Oracle E-Business Suite 12.1.312.2.x - Open Redirect Exploit Title: Oracle E-Business suite Open Redirect Google Dork: inurl:OAHTML/cabo/ Date: April 2017 Exploit Author: author Vendor Homepage: http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html Software Link: download li...
Taxi Booking Script 1.0 - Cross-site Scripting
Taxi Booking Script 1.0 - Cross-site Scripting Exploit Title: Taxi Booking Script v1.0 - Cross-site Scripting XSS Date: 11.01.2018 Vendor Homepage: https://www.phpjabbers.com/taxi-booking-script/ Software Link: Demo:...
PyroBatchFTP 3.19 - Buffer Overflow
PyroBatchFTP 3.19 - Buffer Overflow ============================================= MGC ALERT 2018-001 - Original release date: December 22, 2017 - Last revised: January 12, 2018 - Discovered by: Manuel García Cárdenas - Severity: 7,5/10 CVSS Base Score =============================================...
Xnami 1.0 - Cross-Site Scripting
Xnami 1.0 - Cross-Site Scripting Exploit Title: Xnami Image Sharing - Persistent XSS Vulnerability Google Dork: " Copyright 2017 xnami. " & 2018 Date: 11-01-2018 Exploit Author: Dennis Veninga Contact Author: d.veninga at networking4all.com Vendor Homepage: bizlogicdev.com Version: 1.0 CVE-ID:...
Kentico CMS 11.0 - Buffer Overflow
Kentico CMS 11.0 - Buffer Overflow Document Title: =============== Kentico CMS v11.0 - Stack Buffer Overflow Vulnerability References Source: ==================== https://www.vulnerability-lab.com/getcontent.php?id=1943 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-5282 CVE-ID: =======...
Microsoft Edge Chakra - AppendLeftOverItemsFromEndSegment Out-of-Bounds Read
Microsoft Edge Chakra - AppendLeftOverItemsFromEndSegment Out-of-Bounds Read / Here's a snippet of AppendLeftOverItemsFromEndSegment in JavascriptArray.inl. growby = endSeg-length; current = current-GrowByMinrecycler, growby; CopyArraycurrent-elements + endIndex + 1, endSeg-length,...
Transmission - RPC DNS Rebinding
Transmission - RPC DNS Rebinding The transmission bittorrent client uses a client/server architecture, the user interface is the client and a daemon runs in the background managing the downloading, seeding, etc. Clients interact with the daemon using JSON RPC requests to a web server listening on...
Microsoft Windows - NtImpersonateAnonymousToken AC to Non-AC Privilege Escalation
Microsoft Windows - NtImpersonateAnonymousToken AC to Non-AC Privilege Escalation Windows: NtImpersonateAnonymousToken AC to Non-AC EoP Platform: Windows 10 1703 and 1709 Class: Elevation of Privilege Summary: The check for an AC token when impersonating the anonymous token doesn’t check...
Microsoft Windows - NtImpersonateAnonymousToken LPAC to Non-LPAC Privilege Escalation
Microsoft Windows - NtImpersonateAnonymousToken LPAC to Non-LPAC Privilege Escalation Windows: NtImpersonateAnonymousToken LPAC to Non-LPAC EoP Platform: Windows 10 1703 and 1709 not tested Windows 8.x Class: Elevation of Privilege Summary: When impersonating the anonymous token in an LPAC the...
Microsoft Windows SMB Server (v1v2) - Mount Point Arbitrary Device Open Privilege Escalation
Microsoft Windows SMB Server v1v2 - Mount Point Arbitrary Device Open Privilege Escalation Windows: SMB Server v1 and v2 Mount Point Arbitrary Device Open EoP Platform: Windows 10 1703 and 1709 seems the same on 7 and 8.1 but not extensively tested Class: Elevation of Privilege Summary: The SMB...
macOS - process_policy Stack Leak Through Uninitialized Field
macOS - processpolicy Stack Leak Through Uninitialized Field / The syscall processpolicyscope=PROCPOLICYSCOPEPROCESS, action=PROCPOLICYACTIONGET, policy=PROCPOLICYRESOURCEUSAGE, policysubtype=PROCPOLICYRUSAGECPU, attrp=, targetpid=0, targetthreadid= causes 4 bytes of uninitialized kernel stack...
Seagate Personal Cloud - Multiple Vulnerabilities
Seagate Personal Cloud - Multiple Vulnerabilities SSD Advisory – Seagate Personal Cloud Multiple Vulnerabilities Vulnerabilities summary The following advisory describes two 2 unauthenticated command injection vulnerabilities. Seagate Personal Cloud Home Media Storage is “the easiest way to store...
Android - Hardware Service Manager Arbitrary Service Replacement due to getpidcon
Android - Hardware Service Manager Arbitrary Service Replacement due to getpidcon This bug is similar to Jann Horn's issue https://bugs.chromium.org/p/project-zero/issues/detail?id=851 -- credit should go to him. The hardware service manager allows the registration of HAL services. These services...
ALLMediaServer 0.95 - Remote Buffer Overflow
ALLMediaServer 0.95 - Remote Buffer Overflow !/usr/bin/python Exploit Title: Stack Buffer Overflow in ALLMediaServer 0.95 Exploit Author: Mario Kartone Ciccarelli Contact: https://twitter.com/Kartone CVE: CVE-2017-17932 Date: 09-01-2018 Thanks to PoC: https://www.exploit-db.com/exploits/43406/...
Microsoft Windows - NTFS OwnerMandatory Label Privilege Bypass
Microsoft Windows - NTFS OwnerMandatory Label Privilege Bypass / Windows: NTFS Owner/Mandatory Label Privilege Bypass EoP Platform: Windows 10 1709 not tested 8.1 Update 2 or Windows 7 Class: Elevation of Privilege Summary: When creating a new file on an NTFS drive it’s possible to circumvent...
WordPress Plugin Admin Menu Tree Page View 2.6.9 - Cross-Site Request Forgery Privilege Escalation
WordPress Plugin Admin Menu Tree Page View 2.6.9 - Cross-Site Request Forgery Privilege Escalation Exploit Title: Admin Menu Tree Page View CSRF, Privilege Escalation Discovery Date: 2017-12-12 Exploit Author: Panagiotis Vagenas Author Link: https://twitter.com/panVagenas Vendor Homepage:...
WordPress Plugin Service Finder Booking 3.2 - Local File Disclosure
WordPress Plugin Service Finder Booking 3.2 - Local File Disclosure Exploit Title: Worpress Plugin Service Finder Booking 3.2 - Local File Disclosure Google Dork: N/A Date: 09/01/2018 GMT+7 Exploit Author: telahdihapus Vendor Homepage: https://themeforest.net/user/aonetheme Software Link:...
Muviko 1.1 - SQL Injection
Muviko 1.1 - SQL Injection Exploit Title: Muviko 1.1 - Multiple SQL Injection Exploit Author: Ahmad Mahfouz Contact: http://twitter.com/eln1x Date: 09/01/2018 CVE: CVE-2017-17970 Vendor Homepage: https://www.muvikoscript.com Version: 1.1 Tested on: Mac OS...
Parity Browser 1.6.10 - Bypass Same Origin Policy
Parity Browser 1.6.10 - Bypass Same Origin Policy VuNote ====== Author: Ref: https://github.com/tintinweb/pub/tree/master/pocs/cve-2017-18016 Version: 0.3 Date: Jun 16th, 2017 Tag: parity same origin policy bypass webproxy token reuse Overview -------- Name: parity Vendor: paritytech References:...
Synology Photostation 6.7.2-3429 - Remote Code Execution (Metasploit)
Synology Photostation 6.7.2-3429 - Remote Code Execution Metasploit This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "Synology PhotoStation Multiple Vulnerabilities", 'Description' = %q This modul...
WordPress Plugin Social Media Widget by Acurax 3.2.5 - Cross-Site Request Forgery
WordPress Plugin Social Media Widget by Acurax 3.2.5 - Cross-Site Request Forgery Exploit Title: Social Media Widget by Acurax CSRF Discovery Date: 2017-12-12 Exploit Author: Panagiotis Vagenas Author Link: https://twitter.com/panVagenas Vendor Homepage: http://www.acurax.com/ Software Link:...
Multiple CPUs - Information Leak Using Speculative Execution
Multiple CPUs - Information Leak Using Speculative Execution == INTRODUCTION == This is a bug report about a CPU security issue that affects processors by Intel, AMD and to some extent ARM. I have written a PoC for this issue that, when executed in userspace on an Intel Xeon CPU E5-1650 v3 machin...
WordPress Plugin Events Calendar - event_id SQL Injection
WordPress Plugin Events Calendar - eventid SQL Injection Exploit Title: Wichipi Events Calendar - SQL Injection Date: 09-01-2018 Exploit Author: Dennis Veninga Contact Author: d.veninga at networking4all.com Vendor Homepage: codecanyon.net/user/wachipi Version: 1.0 CVE-ID: CVE-2018-5315 Events...
SAP NetWeaver J2EE Engine 7.40 - SQL Injection
SAP NetWeaver J2EE Engine 7.40 - SQL Injection !/usr/bin/env python coding=utf-8 """ Author: Vahagn Vardanyan https://twitter.com/vah13 Bugs: CVE-2016-2386 SQL injection CVE-2016-2388 Information disclosure CVE-2016-1910 Crypto issue Follow HTTP request is a simple PoC for anon time-based SQL...
Jungo Windriver 12.5.1 - Local Privilege Escalation
Jungo Windriver 12.5.1 - Local Privilege Escalation // ConsoleApplication1.cpp : Defines the entry point for the console application. // include "stdafx.h" include include define device L"\\.\WINDRVR1251" define SPRAYSIZE 30000 typedef NTSTATUSWINAPI PNtAllocateVirtualMemory HANDLE...
Microsoft Edge Chakra JIT - Lowerer::LowerSetConcatStrMultiItem Missing Integer Overflow Check
Microsoft Edge Chakra JIT - Lowerer::LowerSetConcatStrMultiItem Missing Integer Overflow Check / The method "Lowerer::LowerSetConcatStrMultiItem" is used to generate machine code to concatenate strings. Here's a snippet of the method. void Lowerer::LowerSetConcatStrMultiItemIR::Instr instr...
WordPress Plugin WordPress Download Manager 2.9.60 - Cross-Site Request Forgery
WordPress Plugin WordPress Download Manager 2.9.60 - Cross-Site Request Forgery Exploit Title: WordPress Download Manager CSRF Discovery Date: 2017-12-12 Exploit Author: Panagiotis Vagenas Author Link: https://twitter.com/panVagenas Vendor Homepage: https://www.wpdownloadmanager.com/ Software Lin...
D-Link Routers 110412615815 1.03 - service.cgi Arbitrary Code Execution
D-Link Routers 110412615815 1.03 - service.cgi Arbitrary Code Execution !/usr/bin/python Exploit Title: D-Link WAP 615/645/815 .?.?', 'Product Page : .?' def dlinkdetection: try: r = requests.getURL, timeout=10.00 except requests.exceptions.ConnectionError: print "Error: Failed to connect to " +...
Joomla! Component Easydiscuss 4.0.21 - Cross-Site Scripting
Joomla! Component Easydiscuss 4.0.21 - Cross-Site Scripting Exploit Title: Joomla Plugin Easydiscuss inside the body, everything after the will be executed in the user’s browser. Works with every version up to 4.0.20 2. Proof of Concept Login with permissions to post a message, insert in the body...
DiskBoss Enterprise 8.8.16 - Remote Buffer Overflow
DiskBoss Enterprise 8.8.16 - Remote Buffer Overflow Exploit Title: DiskBoss = 8.8.16 - Unauthenticated Remote Code Execution Date: 2017-08-27 Exploit Author: Arris Huijgen Vendor Homepage: http://www.diskboss.com/ Software Link: http://www.diskboss.com/setups/diskbossentsetupv8.8.16.exe Version:...
WordPress Plugin CMS Tree Page View 1.4 - Cross-Site Request Forgery Privilege Escalation
WordPress Plugin CMS Tree Page View 1.4 - Cross-Site Request Forgery Privilege Escalation Exploit Title: CMS Tree Page View CSRF, Privilege Escalation Discovery Date: 2017-12-12 Exploit Author: Panagiotis Vagenas Author Link: https://twitter.com/panVagenas Vendor Homepage: http://eskapism.se/...
Microsoft Office - Composite Moniker Remote Code Execution
Microsoft Office - Composite Moniker Remote Code Execution What? This repo contains a Proof of Concept exploit for CVE-2017-8570, a.k.a the "Composite Moniker" vulnerability. This demonstrates using the Packager.dll trick to drop an sct file into the %TEMP% directory, and then execute it using th...
Microsoft Edge Chakra JIT - Op_MaxInAnArray and Op_MinInAnArray can Explicitly call User-Defined JavaScript Functions
Microsoft Edge Chakra JIT - OpMaxInAnArray and OpMinInAnArray can Explicitly call User-Defined JavaScript Functions / 1. Call patterns like "Math.max.applyMath, 1, 2, 3, 4, 5" and "Math.max.applyMath, arr" can be optimized to directly call the method "JavascriptMath::MaxInAnArray" in the Inline...
Microsoft Edge Chakra - asm.js Out-of-Bounds Read
Microsoft Edge Chakra - asm.js Out-of-Bounds Read / Here's a snippet of AsmJSByteCodeGenerator::EmitAsmJsFunctionBody. AsmJsVar initSource = nullptr; if decl-sxVar.pnodeInit-nop == knopName AsmJsSymbol initSym = mCompiler-LookupIdentifierdecl-sxVar.pnodeInit-name, mFunction; if...
Microsoft Windows - nt!NtQuerySystemInformation (information class 138_ QueryMemoryTopologyInformation) Kernel Pool Memory Disclosure
Microsoft Windows - nt!NtQuerySystemInformation information class 138 QueryMemoryTopologyInformation Kernel Pool Memory Disclosure / We have discovered that the nt!NtQuerySystemInformation system call invoked with the 138 information class discloses portions of uninitialized kernel pool memory to...
Microsoft Edge Chakra JIT - Escape Analysis Bug
Microsoft Edge Chakra JIT - Escape Analysis Bug / Escape analysis: https://en.wikipedia.org/wiki/Escapeanalysis Chakra fails to detect if "tmp" escapes the scope, allocates it to the stack. This may lead to dereference uninitialized stack values. PoC: / function opt let tmp = ; tmp0 = tmp; return...
Microsoft Windows - nt!NtQueryInformationProcess (information class 76_ QueryProcessEnergyValues) Kernel Stack Memory Disclosure
Microsoft Windows - nt!NtQueryInformationProcess information class 76 QueryProcessEnergyValues Kernel Stack Memory Disclosure / We have discovered that the nt!NtQueryInformationProcess system call invoked with the 76 information class discloses portions of uninitialized kernel stack memory to...
Microsoft Edge Chakra JIT - BackwardPass::RemoveEmptyLoopAfterMemOp Does not Insert Branches
Microsoft Edge Chakra JIT - BackwardPass::RemoveEmptyLoopAfterMemOp Does not Insert Branches / The optimizations for memory operations may leave empty loops as follows: for let i = 0; i arr.length; i++ arri = 0; Becomes: Memsetarr, 0, arr.length; for let i = 0; i arr.length; i++ // empty! These...
VX Search Enterprise 10.1.12 - Denial of Service
VX Search Enterprise 10.1.12 - Denial of Service Exploit Title: VX Search Enterprise Server v10.1.12 - Denial of Service Date: 2017-10-20 Exploit Author: Ahmad Mahfouz Software Link: http://www.vxsearch.com/setups/vxsearchsrvsetupv10.1.12.exe Version: v10.1.12 Category; Windows Remote DOS CVE:...