微信打赏（Wechat Reward) Security Vulnerabilities

Tencent WeChat WXAM Decoder Out-Of-Bounds Read Information Disclosure Vulnerability

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Tencent WeChat. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the WXAM...

Tencent WeChat WXAM Decoder Heap-based Buffer Overflow Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent WeChat. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the WXAM decoder....

Tencent WeChat WXAM Decoder Uninitialized Pointer Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent WeChat. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the WXAM decoder....

Tencent WeChat WXAM Decoder Heap-based Buffer Overflow Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent WeChat. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the WXAM decoder....

Spear phish, whale phish, regular phish: What’s the difference?

There are many types of phishing attack nowadays, to the extent it can be tricky to keep up with them all. We have unique names for mobile attacks, postal attacks, threats sent via SMS and many more besides. However, we often see folks mix up their spears and their whales, and even occasionally...

Exploit for Improper Input Validation in Microsoft

noPac Exploiting CVE-2021-42278 and CVE-2021-42287 ...

Karakurt: A New Emerging Data Theft and Cyber Extortion Hacking Group

A previously undocumented, financially motivated threat group has been connected to a string of data theft and extortion attacks on over 40 entities between September and November 2021. The hacker collective, which goes by the self-proclaimed name Karakurt and was first identified in June 2021, is....

Exploit for Deserialization of Untrusted Data in Apache Log4J

CVE-2021-4428 复现 本DEMO是针对Log4j2...

Exploit for Deserialization of Untrusted Data in Apache Log4J

Log4j-check 支持RC1绕过 log4J...

Exploit for Deserialization of Untrusted Data in Apache Log4J

青藤 log4j2-patch...

Malicious Promotion Creators Can Drain Token Balances

Handle leastwood Vulnerability details Impact The createPromotion allows any user to create and fund promotions for a specific number of epochs. Ticket holders are entitled to a percentage of the rewards based on their TWAB. createPromotion references a _ticket address which can be controlled by...

claimRewards Does Not Prevent Users From Claiming Rewards After A Promotion's End Epoch

Handle leastwood Vulnerability details Impact claimRewards allows a user to collect their TWAB calculated rewards for a provided set of epochIds. The contract utilises a _claimedEpochs mapping which tracks claimed rewards per user. Each claimed epoch is represented by a single bit within a uint256....

Attacker can empty all the funds by creating fake promotions

Handle WatchPug Vulnerability details The current implementation of _calculateRewardAmount allows a arbitrary _epochId, which can even be a _epochId > _numberOfEpochs. A malicious user can call claimRewards() with _epochIds larger than _numberOfEpochs and claim other users' rewards. Furthermore,...

Reward stuck if promotion cancel before all past reward claimed

Handle gzeon Vulnerability details Impact When owner call cancelPromotion, the contract Delete the promotion struct (L132) Return all token reserved for future epochs (L133) If there are token left for previous epochs, they will be stuck in the contract as the promotion struct is gone. Proof of...

TwabRewards: fee on transfer token as promotion token will block at least one epoch reward claim

Handle GiveMeTestEther Vulnerability details Impact If the promotion token applies transfer fees, the total amount to claim will be less than "_tokensPerEpoch * _numberOfEpochs" ( bcs a part of this amount is the fee => (funds + fee), but only the "funds" can be withdrawn) but the calculation in...

Tokens with fee on transfer are not supported

Handle WatchPug Vulnerability details There are ERC20 tokens that charge fee for every transfer() or transferFrom(). In the current implementation, createPromotion() assumes that the received amount is the same as the transfer amount, and uses it to calculate reward amounts. As a result, in...

Missing Check When Transferring Tokens Out For A Given Promotion

Handle leastwood Vulnerability details Impact The claimRewards function is called upon by ticket holders who parse a set of _epochIds they wish to claim rewards on. An internal call is made to _calculateRewardAmount to calculate the correct reward amount owed to the user. Subsequently, the...

Can claim epoch > 255 repeatedly due to bitshift truncation

Handle gzeon Vulnerability details Can claim epoch > 255 repeatedly due to bitshift truncation Impact TwabRewards contract store user claimed reward in a _claimedEpochs bitmap....

Possibility to drain TwabRewards smart contract tokens (even with valid ticket)

Handle kemmio Vulnerability details Impact Possibility to drain all smart contract assets abusing uint256 overflow in _updateClaimedEpoch() Proof of Concept The vulnerability arises because of uint256 overflow in _updateClaimedEpoch()...

Can drain any promotion rewards

Handle gzeon Vulnerability details Impact There are no checks to make sure _epochId < _numberOfEpochs in claimRewards. This allow one to create a promotion with 0 epoch without cost, and drain any promotion rewards Proof of Concept Attacker can create a promotion with the following...

Can drain any promotion rewards with a evil ticket

Handle gzeon Vulnerability details Impact TwabRewards check legitimacy of ticket by checking if the ticket have a controller() method. https://github.com/pooltogether/v4-periphery/blob/b520faea26bcf60371012f6cb246aa149abd3c7d/contracts/TwabRewards.sol#L230 function _requireTicket(address...

Exploit for Deserialization of Untrusted Data in Apache Log4J

0x01、环境 Jdk7u21（随便版本都可以） 影响版本：Apache Log4j 2.x <= 2.14.1...

Exploit for Deserialization of Untrusted Data in Apache Log4J

本工具仅为企业测试漏洞使用，严禁他人使用本工具攻击 本工具仅为企业测试漏洞使用，严禁他人使用本工具攻击...

CVE-2021-40834

A user interface overlay vulnerability was discovered in F-secure SAFE Browser for Android. When user click on a specially crafted seemingly legitimate URL SAFE browser goes into full screen and hides the user interface. A remote attacker can leverage this to perform spoofing...

CVE-2021-40834

A user interface overlay vulnerability was discovered in F-secure SAFE Browser for Android. When user click on a specially crafted seemingly legitimate URL SAFE browser goes into full screen and hides the user interface. A remote attacker can leverage this to perform spoofing...

Input validation

A user interface overlay vulnerability was discovered in F-secure SAFE Browser for Android. When user click on a specially crafted seemingly legitimate URL SAFE browser goes into full screen and hides the user interface. A remote attacker can leverage this to perform spoofing...

CVE-2021-40834 User interface Spoofing in F-Secure SAFE browser for Android

A user interface overlay vulnerability was discovered in F-secure SAFE Browser for Android. When user click on a specially crafted seemingly legitimate URL SAFE browser goes into full screen and hides the user interface. A remote attacker can leverage this to perform spoofing...

Basket can be fully drained if the auction is settled within a specific block

Handle Ruhum Vulnerability details Impact The settleAuction() function allows someone to settle the auction by transferring funds in a way that the new pending index is fulfilled. As a reward, they are able to take out as many tokens as they want as long as the pending index is fulfilled after...

Exploit for Path Traversal in Grafana

CVE-2021-43798-grafana_fileread...

Exploit for Path Traversal in Grafana

grafanaExp 利用grafana...

Exploit for Path Traversal in Grafana

grafanaExp 利用grafana...

Exploit for CVE-2021-34045

CVE-2021-34045 druid未授权访问批量扫描poc 工具利用...

Tencent WeChat WXAM Decoder Out-Of-Bounds Read Information Disclosure Vulnerability

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Tencent WeChat. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the WXAM...

Tokens can be stolen when depositToken == rewardToken

Handle cmichel Vulnerability details The Streaming contract allows the deposit and reward tokens to be the same token. I believe this is intended, think Sushi reward on Sushi as is the case with xSushi. The reward and deposit balances are also correctly tracked independently in...

Reward token not correctly recovered

Handle cmichel Vulnerability details The Streaming contract allows recovering the reward token by calling recoverTokens(rewardToken, recipient). However, the excess amount is computed incorrectly as ERC20(token).balanceOf(address(this)) - (rewardTokenAmount + rewardTokenFeeAmount): function...

Tencent WeChat WXAM Decoder Out-Of-Bounds Read Information Disclosure Vulnerability

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Tencent WeChat. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the WXAM...

Tencent WeChat WAXM Decoder Use-After-Free Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent WeChat. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the WXAM Decoder....

Tencent WeChat WXAM Decoder Out-Of-Bounds Read Information Disclosure Vulnerability

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Tencent WeChat. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the WXAM...

Tencent WeChat WXAM Decoder Out-Of-Bounds Read Information Disclosure Vulnerability

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Tencent WeChat. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the WXAM...

Tencent WeChat WXAM Decoder Stack-based Buffer Overflow Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent WeChat. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the WXAM decoder....

Tencent WeChat WXAM Decoder Out-Of-Bounds Read Information Disclosure Vulnerability

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Tencent WeChat. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the WXAM...

check for deposit token and reward token are not same

Handle hack3r-0m Vulnerability details Impact createStream does not check if deposit token and reward token are different addresses. Proof of Concept Not Required Tools Used Manual Review Recommended Mitigation Steps add check require(rewardToken != depositToken) The text was updated...

Tencent WeChat WXAM Decoder Out-Of-Bounds Read Information Disclosure Vulnerability

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Tencent WeChat. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the WXAM...

Tencent WeChat WXAM Decoder Out-Of-Bounds Read Information Disclosure Vulnerability

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Tencent WeChat. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the WXAM...

Tencent WeChat WXAM Decoder Out-Of-Bounds Write Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent WeChat. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the WXAM decoder....

Tencent WeChat WXAM Decoder Out-Of-Bounds Read Information Disclosure Vulnerability

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Tencent WeChat. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the WXAM...

Recover tokens function will become unusable with reward tokens if they are withdrawn first.

Handle pedroais Vulnerability details Impact The recoverTokens function will become unusable with reward tokens if they are withdrawn first. Proof of Concept With reward tokens excess is defined as balance - (rewardTokenAmount + rewardTokenFeeAmount)...

Deposit token flash loan fees can be stolen by streamCreator

Handle 0x0x0x Vulnerability details Concept On recoverTokens function in Stream. Excess amount of deposit token is calculated as follows: uint256 excess = ERC20(token).balanceOf(address(this)) - (depositTokenAmount - redeemedDepositTokens); This calculation does not include...

Fund freezing is possible as claimed reward tokens aren't accounted for by recoverTokens

Handle hyh Vulnerability details Impact Reward tokens accidently sent to the Stream contract cannot be recovered with recoverTokens if some reward tokens were already claimed with claimReward. As recoverTokens is the only recovering functionality in the contract the corresponding reward tokens...

MetInfo is vulnerable to SQL injection (CNVD-2021-103138)

MetInfo is an open source, free CMS website builder for businesses.MetInfo is vulnerable to SQL injection. An attacker can use the vulnerability to obtain sensitive database...