3100 matches found
PHP Stock Management System 1.02 - Multiple Vulnerabilities
Exploit Title: PHP Stock Management System 1.02 - Multiple Vulnerability Date : 9-9-2014 Author : jsass Vendor Homepage: http://www.posnic.com/ Software Link: http://sourceforge.net/projects/stockmanagement/ Version: 1.02 Tested on: kali linux Twitter : @KwSecurity Group : Q8 GRAY HAT TEAM X...
cmseasy: CSRF leading to SQL injection, union bypass, getshell
Brief description: Last time I did a CSRF + SQL injection getshell; this time I'm posting another one. Because this one is a GET type, it is very simple: the administrator does not need to click anything at all for the SQL to be triggered and getshell. Details: First, let's analyze the SQL statement: admin/live/header.php:line:16-21 include'../../include/config.inc.php'; includeCEROOT.'/include/admin/check.inc.php'; includeCEROOT.'/include/celive.class.php'; $adminheader = new...
Easy Forms for vBulletin 4.X - Upload Shell Code / Remote Code Execute
Easy Forms for vBulletin 4.x suffers from remote code execution and shell code upload. This is a private exploit. You can buy it at https://0day.today...
Yonyou (用友) FE Office Platform generic SQL injection (2 instances)
Brief description: Yonyou (用友) FE Office Platform generic SQL injection (2 instances) Details: SQL injection 1 Vulnerable file and parameter: /witapprovemanage/report/depReimburse.jsp?depid=1 Proof of vulnerability: sqlmap.py -u "http://oa.shunhengli.com:9090/witapprovemanage/report/depReimburse.jsp?depid=1" sqlmap.py -u "http://oa.shunhengli.com:9090/witapprovemanage/report/depReimburse.jsp?depid=1" --dbs...
CMSeasy SQL injection vulnerability (bypasses its own filter and the 360 WAF)
Brief description: Not sure whether this is a duplicate - -! Details: /lib/default/archiveact.php: function respondaction includeonce ROOT . '/lib/plugins/pay/' . front::$get'code' . '.php'; $payclassname = front::$get'code'; $payobj = new $payclassname; $uri = $SERVER"REQUESTURI"; $uriget = strstr$uri, '?'; $uriget = strreplace'?', '',...
Pandora FMS 5.0 RC1 RCE
Remote command execution vulnerability in Pandora FMS Vulnerability Type: Remote Command Execution For the exploit source code contact DSquare Security sales team...
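Yonyou (用友) Software collaborative office platform generic arbitrary file upload getshell
Brief description: Universal getshell Details: Upload point: /oaerp/ui/sync/excelUpload.jsp Approach: 1. Bypass the JavaScript restriction and upload a small webshell; 2. Getshell based on the webshell's naming rule JavaScript code: function upload var filePath = j$"file".val; if filePath == "" j$"file".click; return; var fileExt = filePath.substringfilePath.lastIndexOf"."; if fileExt == ".xls" || fileExt ==...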
ActualAnalyzer Lite 2.81 - Command Execution
ActualAnalyzer Lite 2.81 - Command Execution ActualAnalyzer exploit. Tested on Lite version We load command into a dummy variable as we only have 6 characters to own the eval but load more as first 2 characters get rm'd. We then execute the eval with backticks. 11/05/2011 import urllib import...
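PHPOK: two stored XSS issues
Brief description: The front-end functionality has stored XSS, which can be used to attack the back end and obtain administrator privileges. Details: First XSS vulnerability: the message feature. One of the output points in the back end outputs as follows: As can be seen, the title of our message is output directly into the onclick event, so one can simply construct '+alert1+', which triggers when the administrator deletes the message: The output at this point: Second XSS vulnerability: PHPOK's XSS filtering function is as follows: function safehtml$info if!$info return false; $tmp = "//isU"; $info = pregreplace$tmp,"",$info; //$info =...
TCCMS /app/controller/user.class.php privilege escalation vulnerability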
No description provided by source...
RiverBed Stingray Traffic Manager 9.6 Cross Site Scripting
I. VULNERABILITY ------------------------- XSS Reflected vulnerability in RiverBed Stingray Traffic Manager Virtual Appliance V 9.6 II. BACKGROUND ------------------------- Silver Peak VX software marries the cost and flexibility benefits of virtualization with the performance gains associated wi...
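PHPYun (php云) stored XSS in the Q&A feature
Brief description: Needs to be actively triggered. Details: http://www.hr135.com/ask/index.php Test URL: http://www.hr135.com/ask/index.php?c=content&id=162 Written into the hyperlink: javascriptalert1 &NewLine is a named entity encoding newly added in HTML5. A tool such as Firebug is used to modify the link name to make it more deceptive. JS triggered successfully. Using the follow-up question feature to add another hyperlink: javascriptalertdocument.cookie The cookie pops up successfully. Proof of vulnerability:...
Weilian /product.asp SQL injection vulnerability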
No description provided by source...
Download Manager 0.2 - Arbitrary File Upload Exploit
The downloads-manager WordPress plugin was affected by an Arbitrary File Upload Exploit security vulnerability...
Lian Li NAS - Multiple Vulnerabilities
Lian Li NAS - Multiple Vulnerabilities Exploit Title: Lian Li NAS Multiple vulnerabilities Date: 21/07/2014 Exploit Author: pws Vendor Homepage: http://www.lian-li.com/en/dtportfoliocategory/nas/ Firmware Link: https://www.dropbox.com/s/imvkndl8m5yj7qp/G5S604121826700.tar.gz Tested on: Latest...
Lian Li NAS - Multiple Vulnerabilities
Exploit Title: Lian Li NAS Multiple vulnerabilities Date: 21/07/2014 Exploit Author: pws Vendor Homepage: http://www.lian-li.com/en/dtportfoliocategory/nas/ Firmware Link: https://www.dropbox.com/s/imvkndl8m5yj7qp/G5S604121826700.tar.gz Tested on: Latest version CVE : None yet 1. Hardcoded cookie...
Linux Kernel ptrace/sysret - Local Privilege Escalation Exploit
The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved RIP address in the case of a system call that does not use IRET, which allows local users to leverage a race condition and gain privileges, or cause a denial of service double...
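Phpyun injection bypassing 360 injection protection, with exp attached
Brief description: A single quote can be introduced, but there is no need to introduce one here. Although 360 is present, the password can still be extracted through injection. I wrote a small script to run it. (The code is poor and very slow, but it does run to completion) - - Damn, I really can't write this stuff, it's so bad. Details: In model/register.class.php. function ajaxregaction $post = arraykeys$POST; $keyname = $post0; if$keyname=="username" $username=@iconv"utf-8","gbk",$POST'username';...
Huatian Dongli (华天动力) OA arbitrary file deletion
Brief description: Just another bug. Details: Taking the official site http://demo.oa8000.com/ as an example, after logging in with user:123456, POST the following parameters to http://demo.oa8000.com/OAapp/bfapp//buffalo/oaPubptUploadService: \n removeFile\n C:/PROGRA1/htoa/Tomcat/webapps/OAapp/1.html\n and 1.html is deleted. Proof of vulnerability: Before deletion, the result seen using wooyun-2014-065670 originally looked like this. After deletion,...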
Magic Photo Storage Website include/config.php _config[site_path] Parameter Remote File Inclusion
No description provided by source...