39001 matches found
Clinic Management System 1.0 - SQL injection to Remote Code Execution Exploit
Exploit Title: Clinic Management System 1.0 - SQL injection to Remote Code Execution Exploit Author: Pablo Santiago Vendor Homepage: https://www.sourcecodester.com/php/14243/open-source-clinic-management-system-php-full-source-code.html Software Link:...
Samba 3.0.10 - 3.3.5 Format String And Security Bypass Vulnerabilities
Exploit for unknown platform in category remote exploits ====================================================================== Samba 3.0.10 - 3.3.5 Format String And Security Bypass Vulnerabilities ====================================================================== Title: Samba 3.0.10 - 3.3.5...
Google Play Protect 22.4.25 Detection Bypass Vulnerability
Exploit Title: Google Play Protect 22.4.25 - Detection Bypass Exploit Author: Aryan Chehreghani Contact: email protected Vendor Homepage: https://play.google.com Version: 22.4.25 Possibly all versions Tested on: Android 5.1.1 About - Google Play Protect : Google Play Protect is Google's built-in...
VMware ESXi Use-After-Free / Out-Of-Bounds Access Vulnerability
Several security issues have been identified in the VMware ESIx virtual machine monitor VMM. A use-after-free UAF vulnerability in PVNVRAM, a missing return value check in EHCI USB controller leading to private heap information disclosure, and several out-of-bounds reads. Overview ======= We...
Magento / Adobe Commerce Remote Code Execution Exploit
This Metasploit module uses a combination of an arbitrary file read CVE-2024-34102 and a buffer overflow in glibc CVE-2024-2961. It allows for unauthenticated remote code execution on various versions of Magento and Adobe Commerce and earlier versions if the PHP and glibc versions are also...
miniupnpc 2.0.20170421 Denial Of Service Exploit
miniupnpc suffers from an integer signedness error when parsing a chunked encoded http response. Author: Ref: https://github.com/tintinweb/pub/tree/master/pocs/cve-2017-8798 Version: 0.6 Date: May 1st, 2017 Tag: miniupnp miniupnpc getHTTPResponse chunked encoding integer signedness error Overview...
Nagios XI 5.5.6 - Remote Code Execution / Privilege Escalation Exploit
Exploit for linux platform in category web applications Exploit Title: Nagios XI 5.5.6 Remote Code Execution and Privilege Escalation Exploit Author: Chris Lyne @lynerc Vendor Homepage: https://www.nagios.com/ Product: Nagios XI Software Link:...
Windows Kerberos RC4 MD4 Encryption Downgrade Privilege Escalation Vulnerability
Windows: Kerberos RC4 MD4 Encryption Downgrade EoP Platform: Windows 10+ Class: Elevation of Privilege Security Boundary: User Summary: The KDC allows an interposing attacker to downgrade to RC4 MD4 encryption in compromising the user's TGT session key resulting in EoP. NOTE: I tried to look if...
Dojo Toolkit 1.13 Cross Site Scripting Vulnerability
Exploit for jsp platform in category web applications Product: Dojo Toolkit Manufacturer: JS Foundation Affected Versions: 1.13 Tested Versions: 1.13, 1.10.7 Vulnerability Type: Cross-Site Scripting CWE-79 Risk Level: Medium Solution Status: Fixed Manufacturer Notification: 2018-07-02 Solution...
BeyondTrust Remote Code Execution Exploit
This exploit achieves unauthenticated remote code execution against BeyondTrust Privileged Remote Access PRA and Remote Support RS, with the privileges of the site user of the targeted BeyondTrust product site. This exploit targets PRA and RS versions 24.3.1 and below. This module requires...
Exim 4.87 < 4.91 - (Local / Remote) Command Execution Exploit
Qualys Security Advisory The Return of the WIZard: RCE in Exim CVE-2019-10149 ======================================================================== Contents ======================================================================== Summary Local exploitation Remote exploitation - Non-default...
Cisco Catalyst 2960 IOS 12.2(55)SE1 - ROCEM Remote Code Execution Exploit
Exploit for hardware platform in category remote exploits !/usr/bin/python Author: Artem Kondratenko @artkond import socket import sys from time import sleep setcredless = True if lensys.argv 3: print sys.argv0 + ' host --set/--unset' sys.exit elif sys.argv2 == '--unset': setcredless = False elif...
AlstraSoft AskMe Pro <= 2.1 Multiple SQL Injection Vulnerabilities
Exploit for unknown platform in category web applications ================================================================== AlstraSoft AskMe Pro = 2.1 Multiple SQL Injection Vulnerabilities ================================================================== Discovered By: t0pP8uZz Discovered On: ...
Linux OverlayFS Local Privilege Escalation Exploit
This Metasploit module exploit targets the Linux kernel bug in OverlayFS. A flaw was found in the Linux kernel, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mou...
Apache ActiveMQ < 5.14.0 - Web Shell Upload Exploit
The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request. This module requires Metasploit: http://metasploit.com/download Current source:...
SugarCRM 12.x Remote Code Execution / Shell Upload Exploit
This Metasploit module exploits CVE-2023-22952, a remote code execution vulnerability in SugarCRM 11.0 Enterprise, Professional, Sell, Serve, and Ultimate versions prior to 11.0.5 and SugarCRM 12.0 Enterprise, Sell, and Serve versions prior to 12.0.2. This module requires Metasploit:...
Netwave IP Camera Secret Disclosure Exploit
!/bin/bash Exploit Title: Netwave Google Dork: "Netwave security camera" "Live feed" Exploit Author: Jeremie Amsellem Version: No version specified by the vendor Tested on: Kali Linux Written by lp1 Run this exploit on a vulnerable Netwave Camera in order To dump the camera's network configuratio...
Linux/ARM64 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (128 bytes)
/ Title: Linux/ARM64 - Reverse 127.0.0.1:4444/TCP Shell /bin/sh + Null-Free Shellcode 128 bytes Date: 2019-06-30 Tested: Ubuntu 16.04 aarch64 Author: Ken Kitahara Compilation: gcc -o loader loader.c ubuntu@ubuntu:/works$ lsbrelease -a No LSB modules are available. Distributor ID: Ubuntu...
ABB Cylon Aspect 3.08.02 uploadDb.php Remote Code Execution Vulnerability
ABB Cylon Aspect version 3.08.02 suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the contents of an uploaded .db file, which is passed to the copyFile.sh script. Although the filename is sanitized, the...
Linux/x86_64 - execve(/bin/sh) Shellcode (22 bytes)
Title: Linux/x8664 - execve/bin/sh 22 bytes ;Author: Aron Mihaljevic ;Architecture: Linux x8664 ;Shellcode Length: 22 bytes ;github = https://github.com/STARRBOY ============ASM=========================== global start section .text start: ;int execveconst char filename, char const argv,char const...
pfSense 2.4.4-p3 - Cross-Site Request Forgery Vulnerability
Exploit for php platform in category web applications Exploit Title: pfSense 2.4.4-p3 - Cross-Site Request Forgery Exploit Author: ghostfh Vendor Homepage: https://www.pfsense.org/ Software Link: https://www.pfsense.org/download/index.html?section=downloads Version: Till 2.4.4-p3 Tested on: freeb...
Cisco Prime Infrastructure Health Monitor HA TarArchive Directory Traversal / Remote Code Execution
!/usr/bin/python """ Cisco Prime Infrastructure Health Monitor HA TarArchive Directory Traversal Remote Code Execution Vulnerability Steven Seeley mrme of Source Incite - 2019 SRC: SRC-2019-0034 CVE: CVE-2019-1821 Example: ======== saturn: mrme$ ./poc.py + usage: ./poc.py + eg: ./poc.py...
TP-LINK Cloud Cameras NCXXX SetEncryptKey Command Injection Vulnerability
TP-LINK Cloud Cameras including products NC260 and NC450 suffer from a command injection vulnerability. The issue is located in the httpSetEncryptKeyRpm method handler for /setEncryptKey.fcgi of the ipcamera binary, where the user-controlled EncryptKey parameter is used directly as part of a...
Win32k ConsoleControl Offset Confusion / Privilege Escalation Exploit
A vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of NT AUTHORITY\SYSTEM. The flaw exists in how the WndExtra field of a window can be manipulated into being treated as an offset despite being populated by an attacker-controlled value. This...
GitLab Unauthenticated Remote ExifTool Command Injection Exploit
This Metasploit module exploits an unauthenticated file upload and command injection vulnerability in GitLab Community Edition CE and Enterprise Edition EE. The patched versions are 13.10.3, 13.9.6, and 13.8.8. Exploitation will result in command execution as the git user. This module requires...
PrestaShop 1.6.x/1.7.x - Remote Code Execution Exploit
Exploit for php platform in category web applications ?php / PrestaShop 1.6.x = 1.6.1.23 & 1.7.x = 1.7.4.4 - Back Office Remote Code Execution See https://github.com/farisv/PrestaShop-CVE-2018-19126 for explanation. Chaining multiple vulnerabilities to trigger deserialization via phar. Date:...
Dream Gallery 1.0 - Cross-Site Request Forgery (Add Admin)
Exploit for php platform in category web applications 0day.today 2018-04-14...
WordPress All-in-One WP Migration 7.64 plugin - Unauthenticated Backup Download Exploit
Title: All-in-One-WP-Migration-7.64 low-protection-file-disclosure - Unauthenticated Backup Download Author: nu11secur1ty Date: 09.01.2022 Vendor: https://servmask.com/ Software: https://wordpress.org/plugins/all-in-one-wp-migration/ Reference:...
Plex Unpickle Dict Windows Remote Code Execution Exploit
This Metasploit module exploits an authenticated Python unsafe pickle.load of a Dict file. An authenticated attacker can create a photo library and add arbitrary files to it. After setting the Windows only Plex variable LocalAppDataPath to the newly created photo library, a file named Dict will b...
CMS Made Simple 2.2.5 Authenticated Remote Command Execution Exploit
CMS Made Simple version 2.2.5 allows an authenticated administrator to upload a file and rename it to have a .php extension. The file can then be executed by opening the URL of the file in the /uploads/ directory. This module requires Metasploit: https://metasploit.com/download Current source:...
Linux Kernel < 3.16.39 (Debian 8 x64) - inotfiy Local Privilege Escalation Exploit
Exploit for linux platform in category local exploits / CVE-2017-7533 inotfiy linux kernel vulnerability. $ gcc -o exploit exploit.c -lpthread $./exploit Listening for events. Listening for events. alloclen : 50 longname="testdir/bbbb32103210321032100��1����" handleevents event-name : b, event-le...
Linux kernel versions 6.8. Local Privilege Escalation 0day Exploit
...
Moodle Cross Site Scripting / Server-Side Request Forgery Vulnerabilities
Moodle versions 3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, and 3.5 to 3.5.16 suffer from cross site scripting and server-side request forgery vulnerabilities. Moodle is an opensource learning management system, popular in universities and workplaces largely used to manage courses, activities and...
Zimbra zmslapd Privilege Escalation Exploit
This Metasploit module exploits CVE-2022-37393, which is a vulnerability in Zimbra's sudo configuration that permits the zimbra user to execute the zmslapd binary as root with arbitrary parameters. As part of its intended functionality, zmslapd can load a user-defined configuration file, which...
Chkrootkit Local Privilege Escalation Exploit
Chkrootkit before 0.50 will run any executable file named /tmp/update as root, allowing a trivial privsec. WfsDelay is set to 24h, since this is how often a chkrootkit scan is scheduled by default. This module requires Metasploit: http://metasploit.com/download Current source:...
CoreDial sipXcom sipXopenfire 21.04 Remote Command Execution / Weak Permissionsundefined Exploit
CoreDial sipXcom sipXopenfire versions 21.04 and below suffer from XMPP message system command argument injection and insecure service file permissions that when chained together gives root. ¯¯¯¯¯¯¯/ ༼ つ ◕◕ ༽つ ง'̀-'́ง ╯°□°)╯︵ ┻━┻ ヽ´ー`ノ /¯¯...
runc 1.1.11 File Descriptor Leak Privilege Escalation Exploit
runc versions 1.1.11 and below, as used by containerization technologies such as Docker engine and Kubernetes, are vulnerable to an arbitrary file write vulnerability. Due to a file descriptor leak it is possible to mount the host file system with the permissions of runc typically root...
Webmin 1.984 File Manager Remote Code Execution Exploit
In Webmin version 1.984, any authenticated low privilege user without access rights to the File Manager module could interact with file manager functionalities such as downloading files from remote URLs and changing file permissions. It is possible to achieve remote code execution via a crafted...
Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - netfilter target_offset Local Privilege Escalation Exploi
Exploit for linux platform in category local exploits / EDB Note: Download https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44300.zip Video https://www.youtube.com/watch?v=qchiJn94kTo / / decr.c / / Ubuntu 16.04 local root exploit - netfilter targetoffset...
WordPress Code Generator Pro 1.2 SQL Injection Vulnerability
CVE-2024-55978 Code Generator Pro = 1.2 - Unauthenticated SQL Injection Description The Code Generator Pro plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on th...
Splunk edit_user Capability Privilege Escalation Exploit
Splunk suffers from an issue where a low-privileged user who holds a role that has the edituser capability assigned to it can escalate their privileges to that of the admin user by providing a specially crafted web request. This is because the edituser capability does not honor the grantableRoles...
Joomla 4.2.8 Information Disclosure Exploit
!/bin/bash Exploit Title: Joomla! \n" exit 1 else echo -e "\n Joomla! out.tmp echo -e "\ni Database info:\n" echo -e "+ DB Type: $sed -E 's/."dbtype":"^"+"./\1/' out.tmp" echo -e "+ DB Host: $sed -E 's/."host":"^"+"./\1/' out.tmp" echo -e "\e92m+ DB User: $sed -E 's/."user":"^"+"./\1/' out.tmp\e0...
VMware vCenter Server Virtual SAN Health Check Remote Code Execution Exploit
This Metasploit module exploits Java unsafe reflection and SSRF in the VMware vCenter Server Virtual SAN Health Check plugin's ProxygenController class to execute code as the vsphere-ui user. See the vendor advisory for affected and patched versions. Tested against VMware vCenter Server 6.7 Updat...
Windows Escalate UAC Protection Bypass Via SilentCleanup Exploit
There's a task in Windows Task Scheduler called "SilentCleanup" which, while it's executed as Users, automatically runs with elevated privileges. When it runs, it executes the file %windir%\system32\cleanmgr.exe. Since it runs as Users, and we can control user's environment variables, %windir%...
Netfilter x_tables Heap Out-Of-Bounds Write / Privilege Escalation Exploit
A heap out-of-bounds write affecting Linux since version 2.6.19-rc1 was discovered in net/netfilter/xtables.c. This allows an attacker to gain privileges or cause a denial of service via heap memory corruption through user name space. Kernels up to and including 5.11 are vulnerable. This module...
Elasticsearch 8.5.3 Stack Overflow Exploit
Exploit Author: TOUHAMI KASBAOUI Vendor Homepage: https://elastic.co/ Version: 8.5.3 / OpenSearch Tested on: Ubuntu 20.04 LTS CVE : CVE-2023-31419 Ref: https://github.com/sqrtZeroKnowledge/Elasticsearch-Exploit-CVE-2023-31419 import requests import random import string esurl =...
Linux Kernel watch_queue Out-Of-Bounds Write Exploit
This Metasploit module exploits a vulnerability in the Linux Kernel's watchqueue event notification system. It relies on a heap out-of-bounds write in kernel memory. The exploit may fail on the first attempt so multiple attempts may be needed. Note that the exploit can potentially cause a denial ...
nsGalPHP (includes/config.inc.php racineTBS) Remote Inclusion Vuln
Exploit for unknown platform in category web applications ================================================================== nsGalPHP includes/config.inc.php racineTBS Remote Inclusion Vuln ================================================================== | | \ | S.W.A.T. | / \ | | / / || \ / ...
WordPress UserPro 5.1.x Password Reset / Authentication Bypass / Privilege Escalation Vulnerability
WordPress UserPro plugin versions 5.1.1 and below suffer from an insecure password reset mechanism, information disclosure, and authentication bypass vulnerabilities. Versions 5.1.4 and below suffer from privilege escalation and shortcode execution vulnerabilities. Vulnerability Details & Technic...
Magic News Plus <= 1.0.3 Admin Pass Change Exploit
Exploit for unknown platform in category web applications ================================================== Magic News Plus All rights reserved. An input validation flaw exists within 'settings.php' of Magic News Plus which can lead to the changing of the administrative password. Here is where t...