109 matches found
Spring Data REST Remote Code Execution (CVE-2017-8046)
Vulnerability description: Spring Data REST has a high-severity RCE in its handling of PATCH requests. A malicious PATCH request built from hand-crafted JSON can be submitted to the spring-data-rest server and makes the server run attacker-supplied Java code. The Spring Data REST project aims to provide a flexible, configurable mechanism for writing simple services that are exposed over HTTP. Git repository: https://github.com/spring-projects/spring-data-rest Vulnerability source: https://pivotal.io/security/cve-2017-8046 Affected versions: Spring...
youke365_SQL_Injection#1
Youke365 v2.9 has a SQL injection in the admin backend that can be used to obtain the administrator account and password. 1. A single quote starts it all: the resulting error disclosed the table name dirusers and some column names. 2. Source audit: the problem code is in .\module\login.php, where input is handled carelessly. As the figure above shows and testing confirmed, the username check can be bypassed with 1' or '1'='1. The password is MD5-hashed, so it cannot be bypassed as simply. 3. SQL injection: dump the password hash and look up its MD5 preimage to get the administrator password; the administrator username can be dumped the same way (so there are two ways to get past admin authentication). 4. Log in to the backend. Finally, the payload: payload = ' and select 1 fromselect...
unrar 5.40 - 'VMSF_DELTA' Filter Arbitrary Memory Write
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1286&desc=6 It appears that the VMSF_DELTA memory corruption that was reported to Sophos AV in 2012 and fixed there was actually inherited from upstream unrar. For unknown reasons the information did not reach upstream rar or was...
Drupal 8.0.0 Beta 14 Cross Site Scripting Vulnerability
Drupal version 8.0.0 Beta 14 suffers from a cross site scripting vulnerability. Drupal's sad fix was to simply throw an .htaccess file in place to block access to the file. Overview Recently, I was playing around with the Drupal CMS application code. Drupal is an open source CMS application widel...
A Null Pointer Vulnerability Protection Technology (primary) - vulnerability warning - the black bar safety net
Security history has seen numerous vulnerabilities and attacks caused by null pointers, but because exploiting them requires programming skill, and analysing and defending against them demands even more, domestic discussion of null pointer vulnerabilities and the related techniques is not...
Libuser Library - Multiple Vulnerabilities
Exploit for linux platform in category dos / poc CVE-2015-3245 userhelper chfn newline filtering CVE-2015-3246 libuser passwd file handling -- Summary ----------------------------------------------------------------- The libuser library implements a standardized interface for manipulating and...
Qualys Security Advisory - userhelper / libuser
Qualys Security Advisory CVE-2015-3245 userhelper chfn newline filtering CVE-2015-3246 libuser passwd file handling -- Summary ----------------------------------------------------------------- The libuser library implements a standardized interface for manipulating and administering user and grou...
Three SQL Injection Vulnerabilities in 74cms
Brief description: third code audit. Detailed description: look at the code in include/fun_company.php, lines 963-968: function action_user_setmeal($uid, $action) { global $db; $sql = "update ".table('members_setmeal')." set ".$action."=".$action."-1 WHERE uid=".intval($uid)." AND effective=1 LIMIT 1"; return $db->query($sql); ...
Injection in the latest kppw (a bit weird)
Brief description: my first code audit. Detailed description: first, an apology to the vendor: I broke the demo while testing it. Vulnerable file: control/ajax/balance.php. Look at the code: $arrSellerInfo = db_factory::get_one(sprintf('select * from %s a left join %s b on a.uid = b.uid where a.uid = %s', TABLEPRE.'witkey_space', TABLEPRE.'witkey_shop', intval($id))); if ($arrSellerInfo['shop_back_style']) { $arrBackgroudStyl...
tcpdump 4.6.2 Geonet Decoder Denial of Service Vulnerability
Exploit for multiple platforms in category dos / poc CVE-2014-8768 tcpdump denial of service in verbose mode using malformed Geonet payload 1. Background tcpdump is a powerful command-line packet analyzer. It allows the user to intercept and display TCP/IP and other packets being transmitted or...
Code audit: two getshells and two interesting vulnerabilities in the eyou (billion mail) mail system - vulnerability warning - the black bar safety net
Recently, while doing a penetration test for a company with a market value of over a hundred billion, I found a domain running the eyou mail system. I got hold of a copy of the eyou source code and read through it, and found that the system's security is still stuck in the 2000s, the...
Microsoft Media Player - (quartz.dll .wav) Multiple Remote DoS Vulns
No description provided by source. #!/usr/bin/perl CAL2quartzwavpoc.pl: Two Microsoft Media Player quartz.dll .wav remote DoS vulnerabilities, by Code Audit Labs, public 2009-04-19, http://www.vulnhunt.com/ Affected ======== tested on fully updated WinXP SP3, Windows Media Player 10.00.00.3998, quartz.dll...
FineCMS v1.8 Arbitrary File Download
Brief description: code auditing is skilled work and needs a lot of patience.. o︶︿︶o Detailed description: the affected version is FineCMS V1.8.0, the latest release. 1. Following the thread. Vulnerable file: controllers/ApiController.php, method downAction: public function downAction() { $data = fn_authcode(base64_decode($this->get('file')), 'DECODE'); $file = isset($data['finecms']) && $data['finecms'] ? $data['finecms'] : ''; if (empty($file...
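Confining a requested file to the download directory, as an added example that is not FineCMS code. The snippet above stops before the decoded 'finecms' value is used, so this example assumes it ends up as a path handed to a file-reading call; the temporary directory layout, file name and traversal string are constructed for the demo.

```php
<?php
// Added example, not FineCMS code. Assumes the decoded 'finecms' value is joined to a
// download directory and read back, which the snippet does not show. A throwaway
// directory under the system temp dir keeps the demo self-contained and offline.

$base = sys_get_temp_dir() . '/finecms_dl_' . getmypid();
mkdir($base . '/sub', 0700, true);
file_put_contents($base . '/sub/report.pdf', 'demo file contents');

// Vulnerable shape: the requested name is appended to the directory and served as-is,
// so '..' components walk out of $base and any readable file on the host can be fetched.
function download_vulnerable(string $base, string $name): ?string
{
    $path = $base . '/' . $name;
    return is_file($path) ? file_get_contents($path) : null;
}

// Hardened: resolve symlinks and '..' with realpath() on both sides, then require the
// resolved file to sit strictly below the resolved download directory.
function download_safe(string $base, string $name): ?string
{
    $root = realpath($base);
    $path = realpath($base . '/' . $name);
    if ($root === false || $path === false) {
        return null;   // directory missing, or file does not exist
    }
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;   // resolved path escaped the download directory
    }
    return is_file($path) ? file_get_contents($path) : null;
}

// Legitimate request: a file inside the directory is served by both versions.
$legit = 'sub/report.pdf';
var_dump(download_safe($base, $legit) === 'demo file contents');

// Traversal request: enough '..' components to reach the filesystem root, then a
// well-known file. The vulnerable version hands it over on a Unix host; the safe
// version rejects it because the resolved path does not start with $base.
$traversal = '../../../../../../../../etc/passwd';
var_dump(download_vulnerable($base, $traversal) !== null);
var_dump(download_safe($base, $traversal) === null);

// Clean up the demo directory.
unlink($base . '/sub/report.pdf');
rmdir($base . '/sub');
rmdir($base);
```

The prefix test compares against `$root . DIRECTORY_SEPARATOR`, not `$root` alone, so a sibling directory whose name merely starts with the download directory's name is not accepted; `realpath()` returning `false` for a nonexistent target is treated as a refusal rather than an error.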
CmsEasy_5.5_UTF-8_20140420 stored XSS that can hit administrators and peer users
Brief description: CmsEasy_5.5_UTF-8_20140420 has a stored XSS that can be used against administrators and peer users. Detailed description: Case 1 (attacking the administrator): register a user, then visit /CmsEasy_5.5_UTF-8_20140420/uploads/bbs/add-archive.php?cid=1 to post, with the subject set to: " oninput=alert(1). Then log in as the administrator, as shown in the figure: click Edit under "Operations", and when the administrator notices the problem and goes to delete or modify the content, the XSS fires, as shown. Case 2 (attacking peer users):...
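The attribute-context break-out behind the subject payload above, as an added example that is not CmsEasy code. The input template, the field name and the DOM-based check are constructed for the demo; the point is that a stored string placed inside a `value=""` attribute must be escaped for that context, and a bare `htmlspecialchars()` call with the wrong flags is not enough.

```php
<?php
// Added example, not CmsEasy code. The template and field name are constructed for the demo.

// Vulnerable shape: the stored subject is dropped straight into a value="" attribute.
// A subject of  " oninput=alert(1)  closes the attribute and adds an event handler.
function render_subject_vulnerable(string $subject): string
{
    return '<input type="text" name="subject" value="' . $subject . '">';
}

// Hardened: escape for the HTML attribute context. ENT_QUOTES covers both quote styles
// (before PHP 8.1 htmlspecialchars() leaves single quotes alone by default), and the
// charset argument must match the page's declared encoding, here UTF-8.
function render_subject_safe(string $subject): string
{
    $escaped = htmlspecialchars($subject, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="subject" value="' . $escaped . '">';
}

// Parse the rendered markup the way a browser would and list the attributes of the
// first <input>. An attribute the template never wrote (oninput) means a break-out.
function input_attributes(string $html): array
{
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->loadHTML('<!DOCTYPE html><meta charset="utf-8">' . $html);
    libxml_clear_errors();
    $attrs = [];
    $input = $doc->getElementsByTagName('input')->item(0);
    if ($input !== null) {
        foreach ($input->attributes as $attr) {
            $attrs[$attr->name] = $attr->value;
        }
    }
    return $attrs;
}

$payload = '" oninput=alert(1)';

$vuln = input_attributes(render_subject_vulnerable($payload));
$safe = input_attributes(render_subject_safe($payload));

// The vulnerable render grows an oninput attribute; the safe render keeps the payload
// as the literal text of the value attribute and nothing else.
var_dump(isset($vuln['oninput']));
var_dump(!isset($safe['oninput']) && $safe['value'] === $payload);
echo render_subject_safe($payload), "\n";
```

The same escaping is required wherever the subject is rendered again, including the admin edit form the write-up describes: stored XSS fires at the point of output, so filtering only at submission time leaves every other template that echoes the field exposed.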
GnuTLS Bug Exposes Shortcomings in TLS Test Suites
Code audits are often ugly tasks and can sometimes find ugly things. Case in point: the GnuTLS goto bug. Chief architect and Red Hat engineer Nikos Mavrogiannopoulos initiated a code audit of the open source crypto library that eventually turned up last week’s critical bug. The bad code has been...
phpmywind latest version injection vulnerability, round two
Brief description: continuing the earlier code audit, I found similar problems in other places: variables are concatenated into SQL statements without adequate filtering, allowing arbitrary SQL to be executed. Detailed description: the vulnerability is at member.php line 689: $r = $dosql->GetOne("SELECT checkinfo FROM #@__goodsorder WHERE username='$cuname' AND id=$id"); the id parameter is placed into the SQL statement without any filtering. Exploitation analysis:...
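The injection pattern shared by the 74cms, phpmywind and youke365 entries above, as an added example that is not code from any of those projects. The users table, its columns and the payloads are constructed for the demo, and an in-memory SQLite database via PDO stands in for MySQL so it runs offline; the two shapes shown are a request value spliced into a WHERE clause (the youke365 login and phpmywind id cases) and a request value used as a column name in a SET clause (the 74cms $action case), which cannot be bound as a parameter and has to be whitelisted.

```php
<?php
// Added example, not code from 74cms, phpmywind or youke365. Table, columns and
// payloads are constructed for the demo; SQLite in memory replaces MySQL.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, credits INTEGER)');
$db->exec("INSERT INTO users (username, password, credits) VALUES ('admin', '" . md5('s3cret') . "', 5)");

// Vulnerable: string concatenation, the shape of the youke365 login.php check. The
// password is MD5-hashed before concatenation, so only the username side is injectable,
// which is exactly what the write-up observes.
function login_vulnerable(PDO $db, string $user, string $pass): ?array
{
    $sql = "SELECT id, username FROM users WHERE username = '$user' AND password = '" . md5($pass) . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Hardened: bound parameters; quotes in the input are data, not SQL syntax.
function login_safe(PDO $db, string $user, string $pass): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = ? AND password = ?');
    $stmt->execute([$user, md5($pass)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Vulnerable: the column to decrement comes from the request, as in the 74cms snippet.
// intval() on the uid does not help, because the injection point is the identifier.
function decrement_vulnerable(PDO $db, int $uid, string $column): int
{
    $sql = 'UPDATE users SET ' . $column . ' = ' . $column . ' - 1 WHERE id = ' . intval($uid);
    return $db->exec($sql);
}

// Hardened: identifiers cannot be parameterised, so accept only known column names and
// bind the remaining value.
function decrement_safe(PDO $db, int $uid, string $column): int
{
    static $allowed = ['credits' => true];
    if (!isset($allowed[$column])) {
        throw new InvalidArgumentException('unknown column: ' . $column);
    }
    $stmt = $db->prepare("UPDATE users SET \"$column\" = \"$column\" - 1 WHERE id = ?");
    $stmt->execute([$uid]);
    return $stmt->rowCount();
}

// 1. WHERE-clause injection: a trailing SQL comment discards the password check.
$user = "admin' -- ";
var_dump(login_vulnerable($db, $user, 'wrong') !== null);   // logged in without the password
var_dump(login_safe($db, $user, 'wrong') !== null);         // rejected: the quote is just data

// 2. SET-clause injection: one "column name" rewrites the admin password and then comments
//    out the rest of the statement, so the attacker can log in normally afterwards.
$column = "credits = 0, password = '" . md5('pwned') . "' WHERE id = 1 -- ";
decrement_vulnerable($db, 1, $column);
var_dump(login_vulnerable($db, 'admin', 'pwned') !== null);
try {
    decrement_safe($db, 1, $column);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The whitelist in `decrement_safe()` is the only workable defence for the 74cms shape: escaping functions protect string literals, not identifiers, and `intval()` on a neighbouring parameter does nothing for a column name taken from the request.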
TrueCrypt Audit Endorsed by Development Team
UPDATE — The effort to audit TrueCrypt, the open source encryption tool, received an important endorsement in the last week when a member of its anonymous development team reached out to the organizers of IsTrueCryptAuditedYet? “He wrote us a friendly but formal letter stating that they were happ...
Alpaca CMS injection and getwebshell code audit study - vulnerability warning - the black bar safety net
Recently, while learning code auditing, I went to chinaz looking for a CMS with relatively high popularity that would suit a beginner like me. A batch search of the whole system's source code in UE showed that the injections are all of one kind: injection, well, single quotes, which also need to be bypassed; with gpc on, it will...
[RIPS] A static source code analyser for vulnerabilities in PHP scripts
RIPS is a tool written in PHP to find vulnerabilities in PHP applications using static code analysis. By tokenizing and parsing all source code files, RIPS is able to transform PHP source code into a program model and to detect sensitive sinks (potentially vulnerable functions) that can be tainted b...
dedeCMS latest injection vulnerability (one more) - vulnerability warning - the black bar safety net
Brief description: because variables are not initialised and checked, and because of the way class reflection is used, the variable $typeid in plus\feedback.php carries an injection risk. Detailed description: since the vendor has already released a patch and the vulnerability is no...