56796 matches found
PHP Use of uninitialized memory in unserialize() (CVE-2017-5340)
Description: ------------ A bug was found showing that PHP uses uninitialized memory during calls to unserialize(). As the following report shows, the payload supplied to unserialize() may control this uninitialized memory region and thus may be used to trick PHP into operating on faked objects...
Weaver (泛微) E-mobile /calendar_page.php detailid parameter SQL injection vulnerability
No description provided by source...
node.js ws module remote memory disclosure vulnerability
A vulnerability was recently found in the ws module that lets a remote user allocate memory simply by sending a ping frame. The ping payload is handed back in the pong, and on the way ws converts whatever it was given into a Buffer without checking its type. That is the bug: if the payload is a number rather than a string, new Buffer(number) does not store the number, it allocates that many bytes of uninitialized memory, and those bytes are what get sent. var x = new Buffer(100); // vs var x = new Buffer('100');...
Seeyon (致远) A8-V5 collaborative management software: arbitrary file upload by an ordinary user (affects all V5 versions)
Brief description: I have been poking at Seeyon A8-V5 for the past few days. Yesterday I found a few small issues; today I dug further and found an arbitrary file upload vulnerability. Details: Seeyon A8-V5 lets an ordinary user invoke a function that belongs to the system privilege level, [Login Page Template Management]. The function cannot be reached directly from the browser (it reports insufficient privileges), but sending the request packet directly succeeds. Seeyon A8-V5 does take the danger of uploaded files into account: across the whole system, uploaded files are cached outside the web directory, so a webshell cannot be obtained directly. However, the [Login Page Template Management] feature that migrates cached files into the web directory can be used to obtain a webshell. Proof of vulnerability: demo URL: http://a8v51.seeyon.com/...
GNU bash 4.3.11 Environment Variable dhclient Exploit
No description provided by source. #!/usr/bin/python # Exploit Title: dhclient shellshocker # Google Dork: n/a # Date: 10/1/14 # Exploit Author: @0x00string # Vendor Homepage: gnu.org # Software Link: http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz # Version: 4.3.11 # Tested on: Ubuntu 14.04.1 # CVE :...
1WebCalendar 4.0 /news/newsView.cfm NewsID Parameter SQL Injection
No description provided by source. source: http://www.securityfocus.com/bid/17193/info 1WebCalendar is prone to multiple SQL-injection vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input before using it in SQL queries. A successful exploi...
cPanel 5.0 Guestbook.cgi Remote Command Execution Vulnerability (2)
No description provided by source. source: http://www.securityfocus.com/bid/6882/info A remote command execution vulnerability has been discovered in the cPanel CGI Application. This issue occurs due to insufficient sanitization of externally supplied data to the 'guestbook.cgi' script. An attack...
Apache Tomcat 5.5.25 cross-site request forgery vulnerability
CVE ID: CVE-2013-6357. Apache Tomcat is an open-source JSP application server. The Apache Tomcat Manager application has a cross-site request forgery vulnerability: an attacker can manipulate application deployment through a forged POST request. Affected: Apache Tomcat 5.5.25. The vendor has not yet released a patch or upgrade; users of this software are advised to watch the vendor homepage for the latest version: http://tomcat.apache.org/ Undeploy Applications <html><body onload="javascript:document.forms[0].submit()"><h2>CSRF Exploit to...
PHP web form hash collision denial of service vulnerability
BUGTRAQ ID: 51193 CVE ID: CVE-2011-4885. PHP versions before 5.3.9 do not limit hash collisions when computing the hash values of form parameters, which leads to a denial of service: by posting a small number of specially crafted web forms to an affected application, an attacker can make a PHP site unable to respond to legitimate requests. Affected: PHP 5.x. Vendor patch: PHP --- The vendor has released an upgrade that fixes this issue; download it from the vendor homepage: http://www.php.net...
Windows 2000 TCP/IP window size denial of service vulnerability (MS09-048)
CVE ID: CVE-2008-4609. Microsoft Windows is a widely used operating system. The Microsoft Windows TCP/IP stack has an error in connection handling that can leave connections stuck in the FIN-WAIT-1 or FIN-WAIT-2 state. An attacker who floods an affected system with malicious packets advertising a TCP receive window of zero or a very small value can make the system stop responding to new requests, causing a denial of service. Affected: Microsoft Windows 2000 Advanced Server, Microsoft Windows 2000 Datacenter Server, Microsoft Windows 2000...
VMware products Descheduled Time Accounting Driver denial of service vulnerability
Bugtraq ID: 35141 CVE ID: CVE-2009-1805 CNCVE ID: CNCVE-20091805. VMware provides solutions comprising multiple virtual hosts and servers. The VMware Descheduled Time Accounting driver has an unspecified security issue that a local attacker can exploit to cause a denial of service on the virtual machine. A virtual machine is affected if all of the following hold: - the virtual machine runs a Windows operating system; - the VMware Descheduled Time Accounting driver is installed in the virtual machine; - the VMware Descheduled Time...
Xpdf JBIG2 handling multiple buffer overflow and denial of service vulnerabilities
BUGTRAQ ID: 34568 CVE(CAN) ID: CVE-2009-0146, CVE-2009-0147, CVE-2009-0166, CVE-2009-0799, CVE-2009-0800, CVE-2009-1179, CVE-2009-1180, CVE-2009-1181, CVE-2009-1182, CVE-2009-1183, CVE-2009-1187, CVE-2009-1188. Xpdf is an open-source viewer for Portable Document Format (PDF) files....
Downline Goldmine paidversion (tr.php id) SQL Injection Vulnerability
No description provided by source. paidversion tr.php id Remote SQL Injection Vulnerability Author: Hussin X Home : www.IQ-TY.com & www.TrYaG.cc script : http://www.downlinegoldmine.com/ DorK : inurl:tr.php?id= Exploit :...
Joomla 1.5.x (Token) Remote Admin Change Password Vulnerability
No description provided by source. Joomla 1.5.x Remote Admin Password Change Author: d3m0n [email protected] Greets: GregStar, gorion, d3d!k Polish "hackers" used this bug to deface Turkish sites BUAHAHHA nice 0-day pff File : /components/com_user/controller.php Line : 379-399 function confirmreset() //...
Asterisk logging function and Manager remote format string handling vulnerability
BUGTRAQ ID: 28311 CVE(CAN) ID: CVE-2008-1333. Asterisk is an open-source software PBX that supports a variety of VoIP protocols and devices. Asterisk's logging and Manager functionality contain vulnerabilities that a remote attacker may exploit to cause a denial of service. Log messages displayed through the ast_verbose logging API call are not passed as a plain string but as a format string, and the output of the Manager "command" action is not appended to the generated response message as a string but as a format string. In both cases an attacker can put specially crafted format-string values in the input and cause a crash. Affected: Asterisk 1.6.x. Asterisk --------...
Tiger PHP News System 1.0b build 39 Remote SQL Injection Vulnerability
No description provided by source. / Tiger PHP News System SQL Injection Bug found bY 0in from DaRk-Coders Group! Homepage: http://dark-coders.4rh.eu or http://dark-coders.prv.pl IRC:dark-coders at irc.freenode.org Email: 0indotemailatgmaildotcom / Script home: http://tpns.k-na.se/ Exploit:...
Joomla Component joom12Pic 1.0 Remote File Inclusion Vulnerability
No description provided by source. Joom!12Pic Component RFI Bug in : /administrator/components/com_joom12pic/admin.joom12pic.php?mosConfig_live_site= Variable : $mosConfig_live_site Dork: "com_joom12pic" Example:...
Archangel Weblog 0.90.02 Local File Inclusion / Admin Bypass Vulns
No description provided by source. \|/// \ - - // @ @ ----oOOo---oOOo-------------------------------------------------- Portal : Archangel Weblog version 0.90.02 Home : http://www.archangelmgt.com/weblog.shtml Download : http://www.archangelmgt.com/ArchangelWeblogv09002.zip Author : Dj7xpl /...
Simplog <= 0.9.2 (s) Remote Commands Execution Exploit
No description provided by source. #!/usr/bin/php -q -d short_open_tag=on <? echo "Simplog <= 0.9.2 \"s\" remote cmmnds xctn\r\n"; echo "by rgod [email protected]\r\n"; echo "site: http://retrogod.altervista.org\r\n\r\n"; echo "dork: intext:\"Powered by simplog\"\r\n\r\n"; if ($argc<5) { echo "Usage: php...
IceWarp unauthenticated RCE vulnerability
...
Synology StorageManager smart.cgi Remote Command Execution
Vulnerability Summary The following advisory describes a remote command execution vulnerability found in Synology StorageManager. Storage Manager is “a management application that helps you organize and monitor the storage capacity on your Synology NAS. Depending on the model and number of...
Adobe ColdFusion Deserialization RCE (CVE-2017-11283, CVE-2017-11238)
During my research into the Java Remote Method Invocation (RMI) protocol, the most common RMI service that I came across was Adobe ColdFusion’s Flex integration service, which is used to support integration between Flash applications and ColdFusion components. A quick look at this service led to the...
ASUSWRT - Multiple Vulnerabilities
ASUSWRT is a wireless router operating system that powers many routers produced by ASUS. Multiple exploitable vulnerabilities could be identified in the current version of ASUSWRT. Published: 08 Mar 2017 Affected routers: - RT-AC53 3.0.0.4.380.6038 ---------- Cross-Site Scripting (XSS) Component:...
Linux af_packet.c race condition (local root) (CVE-2016-8655)
To create AF_PACKET sockets you need CAP_NET_RAW in your network namespace, which can be acquired by unprivileged processes on systems where unprivileged namespaces are enabled (Ubuntu, Fedora, etc.). It can be triggered from within containers to compromise the host kernel. On Android, processes with...
Yicaitong (一采通) e-procurement system arbitrary file upload getshell #2
Brief description: Yicaitong e-procurement system arbitrary file upload getshell 2. Details: upload point: /Supplier/UploadFile.aspx. Taking the Geely procurement platform as an example: http://.../Supplier/UploadFile.aspx. Capture the request during upload and modify two things: 1. prepend \ to the filename; 2. the value of hidTrueName. Shell: http://.../d.asp. Proof of vulnerability: other examples include http://.../Supplier/UploadFile.aspx http://.../Supplier/UploadFile.aspx .../Supplier/UploadFile.aspx...
Kingdee (金蝶) important system SQL injection vulnerability (multiple parameters combined)
Brief description: Lately I have enjoyed looking for bugs in already published vulnerabilities, to see which vendors were not careful enough when fixing them... Details: this started from WooYun: Kingdee important sub-site SQL injection vulnerability. The earlier report was an error-based injection; at first glance the vendor seems to have fixed it, but on actual testing it can still be blind-injected, although several parameters have to be combined for the injection to work. Affected sub-site: http://reg.kingdee.com/getpass.asp, the product registration page. The data submitted by the form is as follows:...
RealAdmin (detail.php) Blind SQL Injection Vulnerability
No description provided by source. RealAdmin detail.php Blind Sql Injection Vulnerability ======================================================== .:. Author : AtT4CKxT3rR0r1ST [email protected] .:. Team : Sec Attack Team .:. Home : www.sec-attack.com/vb .:. Script : RealAdmin .:. Download Script:...
Jasc Paint Shop Pro 8 - Local Buffer Overflow Exploit (UNIVERSAL)
No description provided by source. / Software: Jasc Paint Shop Pro v8 Local Buffer Overflow Exploit UNIVERSAL Bug type: Local buffer overflow Exploitation method: SEH handler overwrite Description: When a crafted .PNG file is opened a stack buffer overflow occurs because of DEP a SEH handler is...
DCP-Portal 5.0.1 editor.php root Parameter Remote File Inclusion
No description provided by source. source: http://www.securityfocus.com/bid/6525/info DCP-Portal is prone to an issue which may allow remote attackers to include arbitrary files located on remote servers. An attacker may exploit this by supplying a path to a maliciously created file, located on a...
Kingdee (金蝶) software has multiple security vulnerabilities (universal admin account + database password disclosure + remote code execution)
Brief description: Kingdee software has multiple security vulnerabilities (universal admin account + database password disclosure + remote code execution). Details: these are actually vulnerabilities in two products, reported together rather than separately. Kingdee EAS has a universal admin account and database password disclosure vulnerability; Kingdee Apusic has a remote code execution vulnerability. I hope WooYun will redact the information below once the vulnerability is confirmed, to avoid harm to the vendor and its users:...
KesionCMS 9.0 /swfupload.asp file upload vulnerability
No description provided by source...
Microsoft Windows OLE Object File Handling Remote Code Execution(CVE-2011-3400)
No description provided by source. This file is part of the Metasploit Framework and may be subject to redistribution and commercial restrictions. Please see the Metasploit web site for more information on licensing and terms of use. http://metasploit.com/ require 'msf/core' class Metasploit3...
Zope framework "cmd" parameter remote command execution vulnerability
BUGTRAQ ID: 49857 CVE ID: CVE-2011-3587. Zope is an open-source web application server written mostly in Python. Zope has a remote command execution vulnerability: an attacker can send a specially crafted web request and execute arbitrary commands with the privileges of the Zope/Plone service. Affected: Zope 2.13.9, Zope 2.13.8, Zope 2.13, Zope 2.12.19, Zope 2.12, Plone 4.x. Vendor patch: Zope ---- The vendor has released an upgrade that fixes this issue; download it from the vendor homepage: http://www.zope.org/ Exploit Title: Plone -...
Erlang/OTP SSH library random number generation vulnerability
Bugtraq ID: 47980 CVE ID: CVE-2011-0766. Erlang is a general-purpose, concurrency-oriented programming language; OTP is a set of libraries bundled with Erlang. The Erlang/OTP ssh library relies on strong cryptographic random numbers for several cryptographic operations, but the RNG the library uses is not cryptographically strong, and its use of predictable seed data weakens it further: the Wichmann-Hill RNG is never mixed with an entropy source. Every ssh connection in the library is seeded from the current time at roughly microsecond resolution. By observing when a connection from this library was established, an attacker can guess the first two of the three RNG seed components, and the third can be recovered by brute force over every possible value 1..1000000....
PHP ZipArchive::extractTo() function .zip file directory traversal vulnerability
BUGTRAQ ID: 32625. PHP is a widely used general-purpose scripting language, especially suited to web development, that can be embedded in HTML. The zip extension bundled with PHP uses ZipArchive::extractTo to extract user-uploaded zip archives into a temporary directory, but it does not properly filter the file names stored in the archive, so extracting an archive containing relative file names can create or overwrite files outside the temporary directory. Affected: PHP 5.2.7. PHP --- The vendor has not yet released a patch or upgrade; users of this software are advised to watch the vendor homepage for the latest version: http://www.php.net...
X-Cart <= ? Multiple Remote File Inclusion Vulnerabilities
No description provided by source. xCart Remote file inclusion Download script : http://www.x-cart.com// Discovered By : aLiiF a.k.a arif @debuteam 07/09/2007 HomePage : http://www.debuteam.net// Thx to : Debu Newbie Payment Yogac nyubi Rozi ^S0ng0ku^ Kuris Sonix Toxicity newbi3 R4yn4ld0 DisJocKe...
Woltlab Burning Board WBB_UserID SQL injection vulnerability
Woltlab Burning Board is a PHP-based web application. Woltlab Burning Board does not adequately filter user-supplied URI input; a remote attacker can exploit this to perform SQL injection and obtain sensitive information. The problem is that the script fails to filter the 'WBB_UserID' parameter: submitting a malicious SQL query as the parameter value can change the original SQL logic and disclose sensitive information. WoltLab Burning Board Lite 1.0.2 http://www.woltlab.de/products/burningboardlite/indexen.php...
Google Chrome PDFium jpeg2000 SIZ Code Execution Vulnerability(CVE-2016-1681)
SUMMARY An exploitable heap buffer overflow vulnerability exists in the Pdfium PDF reader included in the Google Chrome web browser. A specially crafted PDF document with embedded jpeg2000 image can cause a heap buffer overflow potentially resulting in an arbitrary code execution. An attacker can...
Remote Command Execution in git client (CVE-2017-12426)
Remote Command Execution in git client CVE-2017-12426 An external code review performed by Recurity-Labs identified a remote command execution vulnerability in git that could be exploited via the "Repo by URL" import option in GitLab. The command line git client was not properly escaping command...
finecmsV5.0.8 \finecms\dayrui\controllers\member\Account.php getshell
Vulnerability in the file C:\phpStudy\WWW\finecms\dayrui\controllers\member\Account.php, in the upload function: public function upload() { // Create the picture storage folder $dir = SYS_UPLOAD_PATH.'/member/'.$this->uid.'/'; @dr_dir_delete($dir); !is_dir($dir) && dr_mkdirs($dir); if ($_POST['tx']) { $file = str_replace(' ...
Pivotal Spring Web Flow Security Bypass Vulnerability(CVE-2017-4971)
Author: iswin@ThreatHunter A. Vulnerability description This vulnerability was only submitted to the vendor at the beginning of June, and the vendor has published no detailed information. By comparing the official description with the patch, we can roughly infer that it should be in Spring Web...
THEOL online teaching platform /common/script/search.jsp keyword parameter SQL injection vulnerability
No description provided by source...
pigcms /index.php injection Vulnerability
0x01 Vulnerability summary. Keywords (dork): inurl:index.php?g=Home&m=Index&a=help intitle:营销系统 inurl:login. Vulnerable location: index.php?m=Index&a=reg (registration page). 0x02 Exploitation. Taking http://.../index.php?m=Index&a=reg as an example, test data, captured request: POST /index.php?m=Users&a=checkreg HTTP/1.1 Host: ... Proxy-Connection: keep-alive Content-Length: 151 Cache-Control:...
Doyo site builder SQL injection
Brief description: the table name comes from user input with no filtering at all. Details: in source/pay.php: function buymolds() { $this->id = $this->syArgs('id'); $this->molds = $this->syArgs('molds', 1); if (!$this->id && !$this->molds) message("a"); $this->info = syDB($this->molds)->find(array('id' => $this->id, 'isshow' => 1), null, 'title,mgold,litpic'); if (!$this->info) message("指定购买内容不存在或未审核。");...
linux/x86 if(read(fd,buf,512)<=2) _exit(1) else buf(); 29 bytes
No description provided by source. / h3ll-core.c by Charles Stevenson [email protected] I made this as a chunk you can paste in to make modular remote exploits. I use it as a first stage payload when I desire to follow up with a real large payload of goodness. This actually is a bit larger than...
AIDeX Mini-WebServer <= 1.1 - Remote Denial of Service Crash Exploit
No description provided by source. import socket print "---------------------------------------------------------------------" print "AID'eX Mini-Webserver Verion 1.1 early Release 3 Denial of Service" print "url: http://www.aidex.de/software/webserver/" print "author: shinnai" print "mail:...
VMware multiple products OpenSSL TLS/DTLS heartbeat information disclosure vulnerability
CVE ID: CVE-2014-0160. Multiple VMware products are affected. The OpenSSL bundled with multiple VMware products has a boundary error in its handling of the TLS "heartbeat" extension that allows an attacker to read up to 64k of memory from a connected client or server per request. The leaked memory may include private keys, usernames and passwords, and so on. Affected: Nicira Network Virtualization Platform (NVP) 3.x, VMware ESXi 5.x, VMware NSX 4.x, VMware NSX 6.x, VMware Fusion 6.x, VMware Horizon Mirage 4.x, VMware Horizo...
VSFTPD v2.3.4 Backdoor Command Execution
No description provided by source. $Id: vsftpd_234_backdoor.rb 13099 2011-07-05 05:20:47Z hdm $ This file is part of the Metasploit Framework and may be subject to redistribution and commercial restrictions. Please see the Metasploit Framework web site for more information on licensing and terms of...
libpng unknown-type chunk handling remote code execution vulnerability
BUGTRAQ ID: 28770 CVE(CAN) ID: CVE-2008-1382. libpng is a library used by many applications to parse the PNG image format. libpng has a vulnerability in handling malformed PNG files; an attacker who supplies a crafted PNG can read sensitive information, cause a denial of service, or execute arbitrary code. libpng does not correctly handle PNG chunks of unknown type: if an application using the library calls png_set_read_user_chunk_fn or png_set_keep_unknown_chunks under certain conditions, a zero-length PNG chunk leads to a free() of uninitialized memory. Affected: libpng 1.2.0 - 1.2.26...
yaSSL multiple remote overflow and invalid memory access vulnerabilities
BUGTRAQ ID: 27140. yaSSL is an open-source package implementing SSL. yaSSL has multiple remote overflow and invalid memory access issues that a remote attacker may exploit to take control of the server. ------------------------------------------- A ProcessOldClientHello buffer overflow ------------------------------------------- The buffer structure that holds the data of the Hello message received from the client is as follows (from yassl_imp.hpp): class ClientHello : public HandShakeBase...