JCMS system opr_classajax.jsp SQL injection vulnerability
Vulnerable file: /jcms/jcmsfiles/jcms1/web1/site/module/sitesearch/opr_classajax.jsp Vulnerable parameter: ?classid=11 Cause: the parameter is used without any filtering, which directly results in injection. Analysis: the opr_classajax.jsp file: <%@page language="java" contentType="text/html; charset=UTF-8"%> <%@page import="com.hanweb.common.util.Convert"%> <%@page import="jcms.dbmanager.Manager"%> <%@page...
Qingguo educational administration system: multiple vulnerabilities allow dumping the whole site's database
Brief description: WAF bypass. Details: 1. A reusable CAPTCHA leads to a credential-stuffing vulnerability. This year, after Gmail abroad and several large domestic e-commerce sites were hit by credential-stuffing attacks, credential stuffing has become a high-risk vulnerability. Through credential stuffing, attackers can steal large numbers of accounts as a stepping stone for further attacks. The Qingguo educational administration system, used by many universities across the country, does not invalidate its CAPTCHA, so it can be reused, and after some brute-force enumeration student information can be obtained. Google: intitle:"学生综合管理系统" inurl:"xsweb" turns up quite a few Qingguo management systems. Main site login. Case 1: http://xsweb.uvu.edu.cn/ First, a student ID is obtained through social engineering:...
Apache Tomcat request object security restriction bypass vulnerability
BUGTRAQ ID: 51442 CVE ID: CVE-2011-3375 Apache Tomcat is a popular open-source JSP application server. Apache Tomcat's implementation contains a security restriction bypass vulnerability; successful exploitation allows an attacker to bypass certain security policy restrictions. Apache Group Tomcat 7.x Apache Group Tomcat 6.x Vendor patch: Apache Group ------------ The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's homepage: http://jakarta.apache.org/tomcat/index.html...
Vermillion FTP Deamon v1.31 Remote BOF Exploit
No description provided by source. Exploit Title: Vermillion FTP Deamon Remote BOF Exploit Date: 29/01/2010 Author: Dzattacker Software Link: http://www.softsea.com/download/Vermillion-FTP-Daemon.html Version: 1.31 Tested on: Windows xp sp3 Code : #!/usr/bin/python + Original :...
Ubuntu privilege escalation vulnerability (CVE-2021-3493)
...
Aurora IDEX Membership (IDXM), ERC20 Token, allows attackers to acquire contract ownership (CVE-2018-10666)
Abstract I found a new vulnerability in the smart contract of the IDXM Token, CVE-2018-10666. Attackers can acquire contract ownership because the setOwner function is declared as public. A new owner can subsequently bypass intended access restrictions by, for example, calling uploadBalances. Details In...
Oracle PeopleSoft Remote Code Execution: Blind XXE to SYSTEM Shell
Oracle PeopleSoft I had the chance, a few months ago, to audit several Oracle PeopleSoft solutions, including PeopleSoft HRMS and PeopleTool. Despite several undocumented CVEs, the Internet did not have much to offer on how to attack the software, except for the very informative talk from ERPScan...
Lazarus Guestbook 1.6 codes-english.php show Parameter XSS
No description provided by source. source: http://www.securityfocus.com/bid/18956/info Lazarus Guestbook is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to have arbitrary script code execute...
FileSeek CGI Script Remote Command Execution Vulnerability
No description provided by source. source: http://www.securityfocus.com/bid/6783/info FileSeek is an example cgi-script from The CGI/Perl Cookbook from John Wiley & Sons. The script is written and maintained by Craig Patchett. It is mainly used to find and download files on a web server. It has...
TSEP <= 0.942 (colorswitch.php) Remote Inclusion Vulnerability
No description provided by source. Script: TSEP <= 0.942 URL: www.tsep.info Discovered: beford xbefordx gmail com Comments: register_globals must be enabled duh. document.this != http://www.milw0rm.com/exploits/2098 Vulnerable Files/Code:...
Dahan Bantong JCMS content management system SQL injection vulnerability
Brief description: A parameter in the Dahan Bantong JCMS content management system is passed into a database query without any processing, producing a SQL injection vulnerability that can be used to log in to the backend, among other things. The version currently tested as vulnerable is JCMS2010. Details: 1. On the default backend login page of Dahan Bantong JCMS content management system JCMS2010, the username is passed into the database query without processing, producing SQL injection. 2. Test: backend login page: http://www.target.com/jcms/ Username: x' union select...
Lighttpd 'mod_userdir' case-sensitivity comparison security bypass vulnerability
BUGTRAQ ID: 31600 CVE ID: CVE-2008-4360 CNCVE ID: CNCVE-20084360 Lighttpd is an open-source web server. The Lighttpd 'mod_userdir' module has a security bypass issue; a remote attacker can exploit it to bypass some security restrictions and obtain sensitive information. lighttpd...
dedecms latest version backend getshell
Download the latest installation package from the official site: http://updatenew.dedecms.com/base-v57/package/DedeCMS-V5.7-UTF8-SP2.tar.gz Environment: Linux + phpstudy. Upload an image and capture the request: POST /dedecms/include/dialog/select_images_post.php?CKEditor=body&CKEditorFuncNum=2&langCode=zh-cn HTTP/1.1 Host: Content-Length: 42080 Cache-Control: max-age=0 Origin: http://...
JEECMS XssFilter flaw leads to a stored XSS vulnerability
Brief description: bypass of the built-in XssFilter. Details: Download the latest jeecmsV7 from the official site http://.../fabu/41667.jhtml. Its web.xml configures XssFilter as follows: XssFilter ...mon.web.XssFilter excludeUrls /member/contribute@/jeeadmin/jeecms@/flowstatistic SplitChar @ FilterChar '@"@@@:@%@ ReplaceChar ‘@“@\@#@:@%@> The code in ...mon.web.XssFilter is as follows: public class...
StrongSoft Sichuang disaster early-warning system SQL error-based injection (queryvalue parameter)
No description provided by source...
nginx WebDAV directory traversal vulnerability
BUGTRAQ ID: 36490 nginx is a multi-platform HTTP server and mail proxy server. nginx can be used as a WebDAV publishing server; through WebDAV, users can copy or move files from one location to another. The MOVE and COPY methods require a Destination: HTTP header that carries the location where the file is to be placed. If characters such as "../" are used in this header, an attacker can traverse the directory tree and place files outside the webroot. nginx runs as the nobody user by default, so this bug is not severe, because the attacker can only write files to /tmp/ or to directories owned by nobody. In addition, the attack requires WebDAV upload permission. Igor Sysoev nginx...
Limbo CMS <= 1.0.4.2L (com_contact) Remote Code Execution Exploit
No description provided by source. #!/usr/bin/php -q -d short_open_tag=on <? print_r(' ----------------------------------------------------------------------------- Limbo <= 1.0.4.2L "com_contact" remote commands execution exploit by rgod [email protected] site: http://retrogod.altervista.org dorks:...
TotalCalendar 2.4 (inc_dir) Remote File Inclusion Vulnerability
No description provided by source. //// //1 9 2 3 T U R K - G R U P// //// //-----------------------------------------------------------------------// --+-- Home Page : "http://www.simpoe.com/" Download : "http://www.simpoe.com/calendre/TotalCalendar2.4.zip" ScriptName: "Simpoe Event Calendar"...
ZyXEL ZyWALL Quagga/Zebra (default pass) Remote Root Vulnerability
No description provided by source. Name: ZyXEL ZyWALL Quagga/Zebra Remote Root Vulnerability Release Date: 10 March 2008 Discover: Pranav Joshi [email protected] Vendor: ZyXEL Products Affected: ZyWALL Status on other affected products & firmwares pending from vendor’s end CVE-2008-1160 BID...
PHP-Nuke Advertising Module Modules.PHP SQL injection vulnerability
PHP-Nuke Advertising Module is a PHP-based web application. PHP-Nuke Advertising Module does not properly filter user-submitted URI data; a remote attacker can exploit this to carry out SQL injection attacks and obtain sensitive information or manipulate the database. The problem is that the 'Modules.PHP' script does not filter user-submitted web parameters; submitting a malicious SQL query as parameter data can alter the original SQL logic, disclosing sensitive information or possibly allowing manipulation of the database. PHP-Nuke Advertising Module 0.9 Upgrade to the latest PHP-Nuke Advertising Module 0.9...
jact Dahan online interaction management platform frontend getshell
Brief description: jact is an online interaction management platform for government agencies developed by Nanjing Dahan Network Co., Ltd. The platform is widely used in government departments. Details: The jact frontend letter-writing feature has an arbitrary file upload that leads to getshell. Vulnerable URL: http://www.anxiang.gov.cn/jact/front/frontmailwrite.action In the attachment upload section there is an arbitrary file upload; this feature only validates the file name on the front end: function isattachfile,ImageFileExtend,isAlert...
Huawei eSpace 8950 IP Phone denial of service vulnerability
No description provided by source...
Mambo MGM Component <= 0.95r2 Remote Inclusion Vulnerability
No description provided by source. ---------------------------------------------------- Mambo Gallery Manager v095.r3 Remote File Inclusion Vulnerabilities ---------------------------------------------------- Discovered By A-S-T TEAM WE ARE CrAsHoVeRrIdE & BLACK-CODE & MR-HCR...
NagiosXI <= 5.4.12 info.php SQL injection(CVE-2018-10736)
NagiosXI <= 5.4.12 info.php SQL injection (CVE-2018-10736) Description A SQL injection issue was discovered in Nagios XI via the admin/info.php key1 parameter. Affected Version Nagios XI 5.2.x Nagios XI 5.4.x before 5.4.13 Proof of concept...
Linux kernel local privilege escalation flaw in n_hdlc(CVE-2017-2636)
This article discloses the exploitation of CVE-2017-2636, which is a race condition in the n_hdlc Linux kernel driver (drivers/tty/n_hdlc.c). The described exploit gains root privileges while bypassing Supervisor Mode Execution Protection (SMEP). This driver provides the HDLC serial line discipline and comes as ...
Yingshi Coremail XT3.0 stored XSS in attachments
No description provided by source...
ProjectSend r582 multiple (persistent) XSS vulnerabilities
No description provided by source...
WordPress Bonuspressx plugin - ar_submit.php file - cross-site scripting vulnerability
No description provided by source...
Pligg <= 9.9.0 - Remote Code Execution Exploit
No description provided by source. #!/usr/bin/perl -w use LWP::UserAgent; use MIME::Base64; use Digest::MD5 qw(md5_hex); use Getopt::Std; getopts('h:', \%args); print "\n"; print "Pligg <= 9.9 Remote Code Execution Exploit\n"; print "\n"; dork = Powered By Pligg + Legal: License and Source Proxy address...
CartWIZ 1.10 ProductDetails.ASP SQL Injection Vulnerability
No description provided by source. source: http://www.securityfocus.com/bid/13332/info CartWIZ is prone to an SQL injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input prior to utilizing the data in an SQL query. Successful exploitatio...
Thomson SpeedTouch 2030 SIP Empty Message Remote Denial of Service Vulnerability
No description provided by source. source: http://www.securityfocus.com/bid/25464/info Thomson SpeedTouch 2030 is prone to a denial-of-service vulnerability because the device fails to handle specially crafted SIP INVITE messages. Exploiting this issue allows remote attackers to cause the device ...
Linux kernel Keyrings reference count overflow UAF vulnerability
Vulnerability analysis: This Linux kernel vulnerability has two effects. The first is information disclosure, which can bypass ASLR; the second is a UAF that leads to code execution. It exploits two flaws in the keyring mechanism: one is lax control over keyring operations, the other is lax control over the keyring usage counter. The conditions for the code-execution part are relatively strict. The vulnerability is analyzed in detail below. Keyring information disclosure: Keyrings are related to security keys. A process can request a new keyring of its own, and can also replace its old keyring by requesting a new one; this calls the join_session_keyring function. long join_session_keyring(const cha...
Shop7z show.asp cookie injection
No description provided by source...
Yonyou Zhiyuan A6 collaboration system createMysql.jsp information disclosure
This vulnerability discloses the database user's account name and password hash. Code area: /yyoa/createMysql.jsp /yyoa/ext/createMysql.jsp The code of this file is: <%@ page language="java" %> <%@ page session="true" %> <%@ page isThreadSafe="true" %> <%@ page import="java.sql.*,net.btdz.oa.common.*" %> <% CommonSql.exeUpdate("DELETE FROM mysql.user WHERE User = 'cubetech' ");...
deV!L`z Clanportal Gamebase Addon SQL Injection Vulnerability
No description provided by source...
PK-Designs PKs Movie Database 3.0.3 'index.php' SQL Injection and Cross-Site Scripting Vulnerabilities
No description provided by source. source: http://www.securityfocus.com/bid/27713/info PKs Movie Database is prone to a cross-site scripting vulnerability and an SQL-injection vulnerability because the application fails to sufficiently sanitize user-supplied input. Exploiting these issues could...
nginx 1.3.9-1.4.0 DoS PoC
No description provided by source. #!/usr/bin/env python Exploit Title: nginx v1.3.9-1.4.0 DOS POC CVE-2013-2070 Google Dork: CVE-2013-2070 Date: 16.05.2013 Exploit Author: Mert SARICA - mert . sarica @ gmail . com - http://www.mertsarica.com Vendor Homepage: http://nginx.org/ Software Link:...
ECShop 2.7.3 flow.php SQL injection vulnerability
No description provided by source...
Sudo <= 1.6.9p18 (Defaults setenv) Local Privilege Escalation Exploit
No description provided by source. #!/bin/sh Sudo <= 1.6.9p18 local r00t exploit by Kingcope/2008/www.com-winner.com Most lame exploit EVER! Needs a special configuration in the sudoers file: --- "Defaults setenv" so environ vars are preserved : --- May also need the current users password to be...
phpListPro <= 2.01 Multiple Remote File Include Vulnerabilities
No description provided by source. Title: phpListPro <= 2.01 - Remote File Include Vulnerability ----------------------------------------------------------------- Vendor: SmartISoft URL: http://smartisoft.com ----------------------------------------------------------------- Credits: Discovered by:...
duomicms frontend global variable overwrite leads to getshell
...
Symantec Endpoint Protection Manager 12.1.x - SEH Overflow POC
No description provided by source. Exploit-DB mirror: http://www.exploit-db.com/sploits/33056-sepm-secars-poc-v0.3.tar.gz #!/usr/bin/perl -w Exploit Title: Symantec Endpoint Protection Manager 12.1.x - SEH Overflow POC Date: 31 January 2013 Exploit Author: [email protected] a.k.a...
XOOPS TeamSpeak Display TSDisplay4xoops_block2.PHP remote file inclusion vulnerability
XOOPS TeamSpeak Display is a PHP-based web application. XOOPS TeamSpeak Display does not properly filter user-submitted input; a remote attacker can exploit this to execute arbitrary commands with web-server privileges. The problem is that the 'tsdisplay4xoops_block2.php' script does not filter the user-submitted 'xoops_url' parameter; specifying a file on a remote server as the include parameter can lead to arbitrary command execution with web-server privileges. tsdisplay4xoops tsdisplay4xoops 0.1 tsdisplay4xoops tsdisplay4xoops 0.08 No solution is currently available:...
Pre-Auth MySQL remote DOS (Integer Overflow)(CVE-2017-3599)
MySQL server is affected by a remote DoS attack, which could be exploited by a remote unauthenticated attacker to cause a loss of availability on the targeted service. The issue has been verified to affect 5.6.X branch up to 5.6.35 and 5.7.X branch up to 5.7.17. It is strongly recommended that...
xpshop mall management system stored XSS, can blind-hit the backend
Brief description: This is a mall management system, you know what that means. Details: Demo walkthrough. Official site: http://xpshop.cn Demo address: http://hzp.xpshop.cn Demo backend: http://etp.xpshop.cn/admin Username: admin Password: 888888 First register a member account. The XSS is in Member Center -> Address Management -> Recipient Name, where I first inserted the payload. After saving, the alert pops up successfully, and viewing the page source shows that it is stored XSS. Next, pick any item and buy it; the address shown there is the XSS payload we inserted earlier...
phpmywind 5.0 backend GetShell vulnerability
Brief description: This vulnerability was reported before, but the vendor's fix was incomplete. Details: The filtering code in admin/webcongif.php is as follows. // Force removal of ' // Force removal of a trailing / $vartmp = str_replace("'", '', $row['varvalue']); if (substr($vartmp, -1) == '\\') $vartmp = substr($vartmp, 1, -1); It only strips the final backslash, so adding two backslashes is enough..... First modify the site configuration info; configcache.php then becomes: $cfg_webname = '的网站'; $cfg_weburl =...
FangMail backend SQL injection vulnerability
Brief description: 1. Generic vulnerability. 2. In this case, the mail systems of many (1900+) enterprises are hosted on the same server, so in theory how much information would I obtain? Details: Example: 1. Log in to the backend via http://mail.aodacn.com/nmc/cgi/index.cgi 2. The injection point is: http://mail.aodacn.com/nmc/cgi/ann.cgi?mode=editann&sid=gcipW8QUgtZsKVRpHWPKcFtjadministrator-aodacncom&annid=47&screen=editann.html where the annid parameter is injectable. 3. 4...
MS Internet Explorer Remote Wscript.Shell Exploit
No description provided by source. ----------------------------------------------------- default.htm ------------------------------------------------------- <html> <body> <img src="cc.exe" width=0 height=0 style=display:none> <script language="Javascript"> function InjectedDuringRedirection...
Apache HTTP Server 2.2.6, 2.0.61 and 1.3.39 'mod_status' cross-site scripting vulnerability
BUGTRAQ ID: 27237 CVE ID: CVE-2007-6388 CNCVE ID: CNCVE-20076388 Apache HTTP Server is an open-source web server. The mod_status module included in Apache HTTP Server has an input validation problem; a remote attacker can exploit it to carry out cross-site scripting attacks and possibly obtain sensitive information from target users. The server-status page is not enabled by default. No detailed vulnerability information is currently available. Posadis Posadis 1.3.31 Posadis Posadis 1.3.28 Apache Software Foundation Apache 2.2.6 Apac...
Galleria remote file inclusion vulnerability
BUGTRAQ ID: 18808 CVE(CAN) ID: CVE-2006-3396 Galleria is a Mambo component. Galleria has an input validation vulnerability when handling user requests; a remote attacker could exploit it to execute arbitrary commands on the server with web-process privileges. Galleria's galleria.html.php script does not properly validate input to the mosConfig_absolute_path parameter, allowing an attacker to execute arbitrary PHP code by including arbitrary local or external files. Mambo Galleria Component. The vendor has not yet provided a patch or upgrade; we recommend that users of this software watch the vendor's homepage for the latest version:...