56796 matches found
PHPizabi 0.848b C1 HP3 'id' Parameter Local File Include Vulnerability
No description provided by source...
Linux Kernel <= 2.6.37 - Local Privilege Escalation
No description provided by source. / Linux Kernel <= 2.6.37 local privilege escalation by Dan Rosenberg (@djrbliss on twitter) Usage: gcc full-nelson.c -o full-nelson ./full-nelson This exploit leverages three vulnerabilities to get root, all of which were discovered by Nelson Elhage: CVE-2010-4258...
Coppermine Photo Gallery 1.x init.inc.php Remote File Inclusion
No description provided by source. source: http://www.securityfocus.com/bid/10253/info Coppermine Photo Gallery is reported prone to multiple input-validation vulnerabilities, some of which may lead to arbitrary command execution. These issues occur because the application fails to properly...
Cisco IOS Bind Shellcode 1.0
No description provided by source. ---------------------------------------------------------------------------------------- Cisco IOS Bind shellcode v1.0 (c) 2007 IRM Plc By Varun Uppal ---------------------------------------------------------------------------------------- The code creates a new...
yungoucms SQL Injection Vulnerability
Brief description: Official site: http://www.yungoucms.com/ Demo site: http://www.yungoucms.cn/ The product search can be used to build SQL statements! http://www.yungoucms.cn/?/stag/ public function tag $search =$this-segment4; if!$searchmessage"输入搜索关键字"; $search = urldecode$search; $search = htmlspecialchars$search; if!isutf8$search $search = iconv"GBK", "UTF-8",...
CMSTOP vote.php SQL Injection Vulnerability
CMSTOP is a website content management system. The file /apps/vote/controller/vote.php in CMSTOP contains a SQL injection vulnerability; an attacker can exploit it to obtain sensitive information from the database. 0 cmstop The vendor has not yet provided a patch or upgrade; users of this software are advised to monitor the vendor's homepage for the latest version: http://www.cmstop.com/...
lighttpd Malformed HTTP Request Remote Denial of Service Vulnerability
BUGTRAQ ID: 38036 CVE ID: CVE-2010-0295 Lighttpd is a lightweight open-source web server package. The Lighttpd server allocates 4K or 16K of heap memory for every network packet it receives; if a remote attacker sends HTTP requests slowly (e.g. one byte per second), all available memory is exhausted and the server terminates. LightTPD LightTPD 1.5 LightTPD LightTPD 1.4.x Vendor patches: Debian ------ Debian has released a security advisory (DSA-1987-1) and the corresponding patch for this issue: DSA-1987-1: lighttpd -- denial of...
QNAP Roon Server Unauthenticated RCE Vulnerability (CVE-2021-28810, CVE-2021-28811)
...
Shopex Backend Getshell
...
Network Time Protocol Broadcast Mode Poll Interval Enforcement Denial of Service Vulnerability(CVE-2016-7428)
Summary An exploitable denial of service vulnerability exists in the broadcast mode poll interval enforcement functionality of ntpd. To limit abuse, ntpd restricts the rate at which each broadcast association will process incoming packets. ntpd will reject broadcast mode packets that arrive befor...
Microsoft Windows PowerShell Security Feature Bypass Vulnerability (CVE-2017-0007)
Over the past few months, I have had the pleasure to work side-by-side with Matt Graeber @mattifestation and Casey Smith @subtee in their previous job roles, researching Device Guard user mode code integrity UMCI bypasses. If you aren't familiar with Device Guard, you can read more about it here:...
Magento < 2.0.6 - Unauthenticated Remote Code Execution
Reference: http://netanelrub.in/2016/05/17/magento-unauthenticated-remote-code-execution/ The vulnerability CVE-2016-4010 allows an attacker to execute PHP code at the vulnerable Magento server unauthenticated. This vulnerability actually consists of many small vulnerabilities. Magento is an extremely...
Shopex V4.8.4-4.8.5 svinfo.php Information Disclosure Vulnerability
0x01 Framework overview Shopex is the online-store software with the largest market share in China, built on the free, open-source yet high-performance LAMP (Linux+Apache+Mysql+Php) stack, minimizing your total cost of ownership. Chinese name: 商派 Foreign name: Shopex Service provider: 上海派浓网络科技有限公司 Official homepage: http://www.shopex.cn/ 0x02 Vulnerability details If the install directory has not been deleted, the following URL shows phpinfo: http://www.xx.com/install/svinfo.php?phpinfo=true Two examples: http://www.5fa.cc/install/svinfo.php?phpinfo=tru...
Audiotran 1.4.1 - Direct RET BoF
No description provided by source...
Virtual Programming VP-ASP 4/5 shopdisplayproducts.asp Cross-Site Scripting Vulnerability
No description provided by source. source: http://www.securityfocus.com/bid/9164/info A vulnerability has been reported to exist in VP-ASP software that may allow a remote user to launch cross-site scripting attacks. A remote attacker may exploit this issue to potentially execute HTML or script...
CMS Openpage (index.php) SQL Injection Vulnerability
No description provided by source. ==================================================== CMS Openpage index.php SQL Injection Vulnerability ==================================================== + Discovered by: Phenom + My id: http://inj3ct0r.com/author/2157 + Original:...
Samba 2.2.8 - Remote Root Exploit - sambal.c
No description provided by source. / Remote root exploit for Samba 2.2.x and prior that works against Linux all distributions, FreeBSD 4.x, 5.x, NetBSD 1.x and OpenBSD 2.x, 3.x and 3.2 non-executable stack. sambal.c is able to identify samba boxes. It will send a netbios name packet to port 137. ...
eWebEditor 2.1.6 /upload.asp File Upload Vulnerability
eWebEditor is a browser-based online HTML editor. In versions 1.1.3 to 2.1.6, the InitUpload function in /Upload.asp has a SQL injection at line 168, where the style parameter of the request is not filtered....
RealAdmin suffers from a remote blind SQL injection vulnerability
No description provided by source. .:. Author : AtT4CKxT3rR0r1ST [email protected] .:. Team : Sec Attack Team .:. Home : www.sec-attack.com/vb .:. Script : RealAdmin .:. Download Script: http://www.redcow.ca/products/realadmin/ .:. Bug Type : Blind Sql Injection .:. Dork : "Powered by RealAdmin and Red...
nginx ngx_http_process_request_headers() Function NULL Pointer Dereference Denial of Service Vulnerability
BUGTRAQ ID: 36839 CVE(CAN) ID: CVE-2009-3896 nginx is a multi-platform HTTP server and mail proxy server. The ngx_http_process_request_headers function in src/http/ngx_http_parse.c of the nginx server contains a NULL pointer dereference; a remote attacker can trigger this vulnerability with an overly long URI, crashing the worker process. Igor Sysoev nginx 0.8.x Igor Sysoev nginx 0.7.x Igor Sysoev nginx 0.6.x Igor Sysoev nginx 0.5.x Igor Sysoev nginx...
Zeroboard File Disclosure and Remote Arbitrary Command Execution Vulnerability
BUGTRAQ: 12258 Zeroboard does not properly filter user-submitted URL requests; a remote attacker can exploit this vulnerability to view the contents of system files or execute arbitrary commands with the privileges of the process. Zeroboard 4.1 pl2-p15 Vendor patches: Zeroboard --------- The vendor has not yet provided a patch or upgrade; users of this software are advised to monitor the vendor's homepage for the latest version: http://www.zeroboard.com/ A remote user can supply data containing multiple '../' sequences as a parameter to the vulnerable script and view the contents of arbitrary files with the privileges of the web process:...
Dnsmasq TFTP Service Remote Heap Overflow Vulnerability
BUGTRAQ ID: 36121 CVE(CAN) ID: CVE-2009-2957 Dnsmasq is an easily configured, lightweight DNS forwarder and DHCP server. dnsmasq has a heap overflow when the TFTP service is enabled (the --enable-tftp command-line option, or enable-tftp in /etc/dnsmasq.conf). If the configured tftp-root is long enough and a remote user sends a request containing an overly long filename, dnsmasq may crash or execute arbitrary code with the privileges of the dnsmasq service (usually the unprivileged nobody user)....
Multiple AntiVirus (zip file) Detection Bypass Exploit
No description provided by source. / zipbrk.c - Proof-of-Concept for CAN-2004-0932 - CAN-2004-0937 Copyright (C) 2004 oc.192 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either...
FreeCMS 'index.php' SQL Injection Vulnerability
BUGTRAQ ID: 29773 CNCAN ID: CNCAN-2008061903 FreeCMS is a PHP-based web application. FreeCMS does not properly handle user-submitted input; a remote attacker can exploit this for SQL injection, possibly obtaining sensitive information or manipulating the database. The problem is that the 'index.php' script lacks filtering of the 'page' parameter; by constructing malicious SQL as the parameter data, the original SQL logic can be altered to obtain sensitive information or manipulate the database. FreeCMS.us FreeCMS 0.2 No solution is currently available: http://www.freecms.us/...
MySQL <=6.0 yaSSL <= 1.7.5 Hello Message Buffer Overflow
MySQL yaSSL SSL Hello Message Buffer Overflow 1. Vulnerability introduction and analysis yaSSL is an open-source package implementing SSL. yaSSL's implementation contains multiple remote overflow and invalid memory access issues; a remote attacker could exploit them to take control of the server. A stack buffer overflow exists in yaSSL 1.7.5 and earlier as bundled with MySQL <= 6.0. By sending a specially crafted Hello packet, an attacker can execute arbitrary code. Code analysis: the buffer structure holding the data from the Hello message received by the client is as follows (from yassl_imp.hpp): class ClientHello : public HandShakeBase...
Mozilla Firefox/SeaMonkey/Thunderbird Multiple Remote Security Vulnerabilities
Mozilla Firefox/SeaMonkey/Thunderbird are the web browser and mail/newsgroup client products released by Mozilla. These products contain multiple security vulnerabilities, as follows: 1 The Network Security Services (NSS) library bundled with Mozilla products does not properly handle extra data in signatures when an RSA key with exponent 3 is used, allowing an attacker to forge SSL/TLS and email certificates. This vulnerability is a variant of the RSA signature vulnerability reported in MFSA 2006-60. 2 An attacker can modify a Script object during execution, leading to execution of arbitrary JavaScript bytecode. 3...
iOS/MacOS kernel double free due to IOSurfaceRootUserClient not respecting MIG ownership rules(CVE-2017-13861)
I have previously detailed the lifetime management paradigms in MIG in the writeups for: CVE-2016-7612 https://bugs.chromium.org/p/project-zero/issues/detail?id=926 and CVE-2016-7633 https://bugs.chromium.org/p/project-zero/issues/detail?id=954 If a MIG method returns KERN_SUCCESS it means that th...
Serviio PRO 1.8 DLNA Media Streaming Server (mediabrowser) DOM Based XSS
Summary Serviio is a free media server. It allows you to stream your media files music, video or images to renderer devices e.g. a TV set, Bluray player, games console or mobile phone on your connected home network. Description The application is vulnerable to a DOM-based cross-site scripting. Da...
Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch(CVE-2017-1000112)
Bug details When building a UFO packet with MSG_MORE, ip_append_data calls ip_ufo_append_data to append. However, in between two send calls the append path can be switched from UFO to non-UFO, which leads to a memory corruption. In case the UFO packet length exceeds the MTU, copy = maxfraglen - skb->len...
WordPress Double-Opt-in-for-Download Plugin SQL Injection Vulnerability
No description provided by source...
WebPhotoPro Multiple SQL Injection Vulnerabilities
No description provided by source. source: http://www.securityfocus.com/bid/32829/info WebPhotoPro is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting these issues could allow an attacker to...
PostgreSQL contrib/hstore/hstore_io.c Integer Overflow Vulnerability
CVE ID: CVE-2014-2669 PostgreSQL is an advanced object-relational database management system supporting an extended subset of the SQL standard. An integer overflow in PostgreSQL contrib/hstore/hstore_io.c allows remote authenticated users to crash the application. The vulnerability is related to the hstore_recv, hstore_from_arrays and hstore_from_array functions. 0 PostgreSQL 9.0.x PostgreSQL 9.1.x PostgreSQL 9.2.x PostgreSQL 9.3.x PostgreSQL...
PostgreSQL 'SECURITY DEFINER' and 'SET' Attribute Remote Denial of Service Vulnerability
BUGTRAQ ID: 53812 CVE ID: CVE-2012-2655 PostgreSQL is an advanced object-relational database management system supporting an extended subset of the SQL standard. A remote denial of service vulnerability exists in PostgreSQL's implementation of ALTER FUNCTION RENAME; exploiting it can allow an attacker to crash the application. 0 PostgreSQL 9.x PostgreSQL 8.x Vendor patches: PostgreSQL ---------- The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's homepage: http://www.postgresql.org...
CUPS texttops Filter NULL Pointer Dereference Vulnerability
BUGTRAQ ID: 40943 CVE ID: CVE-2010-0542 Common Unix Printing System (CUPS) is a general-purpose Unix printing system, a cross-platform printing solution for Unix environments based on the Internet Printing Protocol, providing services for most PostScript and raster printers. A missing check for memory allocation failure in the CUPS texttops filter leads to a NULL pointer dereference. An attacker can create a malicious text file which, if printed, crashes texttops or executes arbitrary code with the privileges of the lp user. Easy Software Products CUPS 1.4.4 Vendor patches: Easy Software...
OpenSSH 'X11UseLocalhost' X11 Forwarding Session Hijacking Vulnerability
BUGTRAQ ID: 30339 CNCAN ID: CNCAN-2008072308 OpenSSH is an open-source implementation of the SSH protocol. OpenSSH on some operating systems has a security issue that lets a local attacker hijack forwarded X connections. When attempting to bind(2) to a port previously bound with SO_REUSEADDR set, most operating systems check either that the effective user-id matches that of the earlier binding (generally BSD-derived systems) or that the bound addresses do not overlap (Linux and Solaris)....
Joomla Component com_facileforms 1.4.4 RFI Vulnerability
No description provided by source. Title: Joomla Component ComFacileforms ================================================================ + Author : Dr.Kacak + Special Thankz : KnocKout and all my friends + System 0VerfL0verZ ================================================================= Scri...
Apache Tomcat JULI Logging Component Default Security Policy Vulnerability
BUGTRAQ ID: 27006 CVE(CAN) ID: CVE-2007-5342 Apache Tomcat is a popular open-source JSP application server. Apache Tomcat's JULI logging component allows web applications to supply their own logging configuration, and the default security policy does not restrict this configuration, allowing an untrusted web application to add files or overwrite existing files with the permissions of the Tomcat process. Apache Group Tomcat 6.0.0 - 6.0.15 Apache Group Tomcat 5.5.9 - 5.5.25 The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's homepage:...
LeadTools Raster Dialog File_D Object Remote Buffer Overflow Exploit
No description provided by source. 2007/05/25 --------------------------------------------------------------------------------------------------- LeadTools Raster...
Kaspersky AntiVirus Engine ARJ Archive Parsing Heap Overflow Vulnerability
CVE(CAN) ID: CVE-2007-0445 Kaspersky Antivirus is a very popular antivirus product. The Kaspersky Antivirus engine has a heap overflow when processing the ARJ archive format; if antivirus software using this engine scans a malicious archive, the overflow is triggered and may lead to execution of arbitrary instructions. Source: ZDI (http://www.zerodayinitiative.com/) Link: http://www.zerodayinitiative.com/advisories/ZDI-07-013.html http://www.kaspersky.com/technews?id=203038693...
Apple QuickDraw _GetSrcBits32ARGB() Remote Memory Corruption Vulnerability
QuickDraw is the graphics-processing tool bundled with Apple operating systems. QuickDraw has a memory corruption vulnerability when parsing PICT images with malformed ARGB records; a remote attacker could exploit it to crash the application. The vulnerability is triggered if a user is tricked into opening a malicious image file, corrupting a pointer passed to the _GetSrcBits32ARGB function and causing a denial of service. Apple Mac OS X 10.4.8 The vendor has not yet provided a patch or upgrade; users of this software are advised to monitor the vendor's homepage for the latest version: http://www.apple.com...
D-Link DSL-3782 Code execution(CVE-2018-8941)
CVE-2018-8941: D-Link DSL-3782 Code execution Proof of Concept Adam Simuntis :: https://twitter.com/adamsimuntis Mindaugas Slusnys :: https://twitter.com/mislusnys The buffer overflow vulnerability was found in the "/userfs/bin/tcapi" binary which is used as a wrapper for the "Diagnostics"...
AppCMS 1.3.855 SQL Injection
No description provided by source...
The Microsoft DirectX graphics kernel subsystem elevation of privilege vulnerability (MS16-062)
Source: Tencent Keen Security Lab official blog Author: Daniel King @long123king How to break Microsoft's Edge browser Breaking Microsoft's Edge browser requires at least two basic elements: browser-level remote code execution (RCE: Remote Code Execution) and a browser sandbox escape. Browser-level remote code execution is usually achieved by exploiting a JavaScript vulnerability, while the browser sandbox escape can be done in several ways, such as a user-mode logic vulnerability or local privilege escalation through a kernel vulnerability (EoP: Escalation of Privilege)....
用友 OA getSessionList.jsp Information Disclosure
https://g.jiuminghu.com/newwindow=1&q=intitle:%E3%80%8A%E7%94%A8%E5%8F%8BU8-OA%E3%80%8B&btnK=+%E6%90%9C%E7%B4%A2 intitle:《用友U8-OA》 A Google search turns up a large number of cases. The vulnerability is located at: http://www.example.com/yyoa/ext/https/getSessionList.jsp?cmd=getAll This vulnerability allows an attacker to obtain the usernames and password MD5 values of all users...
SimpleBoard Mambo Component <= 1.1.0 - Remote Include Vulnerability
No description provided by source. Bug Found by h4ntu http://h4ntu.com batamhacker crew Another Mambo component remote inclusion vulnerability download : http://mamboxchange.com/frs/download.php/6920/Simpleboard-1.1.0-Stable.zip bug found in file fileupload.php : requireonce$sbp/sbhelpers.php;...
ACTi ASOC 2200 Web Configurator <= 2.6 - Remote Root Command Execution
No description provided by source. #!perl ACTi ASOC 2200 Web Configurator <= v2.6 Remote Root Command Execution Discovery & Author: Todor Donev Author mail: todor.donev@@gmail.com Type: Hardware Vuln Type and Risk: Remote / High ACTi Corporation is the technology leader in IP surveillance, focusing ...
PHP Hash Table Collision Proof Of Concept
No description provided by source. #!/usr/bin/env python This script was written by Christian Mehlmauer [email protected] https://twitter.com/!/FireFart Sourcecode online at: https://github.com/FireFart/HashCollision-DOS-POC Original PHP Payloadgenerator taken from...
Yokogawa CENTUM CS3000 'BKBCopyD.exe' Stack Buffer Overflow Vulnerability
Bugtraq ID: 66114 Yokogawa CENTUM CS3000 is a production control system. Yokogawa CENTUM CS3000 'BKBCopyD.exe' has a stack-based buffer overflow when processing specially crafted packets; an attacker can submit a special request to crash the application or execute arbitrary code. 0 Yokogawa CENTUM CS 3000 R3.08.50 Vendor patches: Yokogawa ----- Users can contact the vendor for the corresponding upgrade or patch: http://www.yokogawa.com This module requires Metasploit:...
CSCMS V3.5 (Latest Version) Backend Command Execution GETSHELL (Source Code Analysis)
Brief description: CSCMS V3.5 (latest version) backend PHP command execution GETSHELL (source code analysis). CSCMS's new architecture has strengthened security and the previous string of vulnerabilities has been fixed, but reading the code, I found there are still new vulnerabilities. The code analysis is in the detailed description; the test demonstration is in the proof of vulnerability. Detailed description: The vulnerability is located in the backend under Site Settings - Third-party Login Settings. The relevant code is: /app/controllers/admin/setting.php line:426 public function dengluedit //configure several options for third-party login $this-CsdjAdmin-AdminQx'4'; //note: xssclean has already been applied here to filter specific characters; this will be used in a later conclusion...
Mozilla Firefox gfxTextRun::ShrinkToLigatureBoundaries Heap Use-After-Free Vulnerability
BUGTRAQ ID: 57198 CVE(CAN) ID: CVE-2013-0771 Firefox is a very popular open-source web browser. SeaMonkey is an open-source web browser, mail and newsgroup client, IRC client and HTML editor. Thunderbird is a mail client supporting the IMAP and POP mail protocols and HTML mail. A heap use-after-free vulnerability exists in gfxTextRun::ShrinkToLigatureBoundaries in Mozilla Firefox 18 and ESR 17.0.1, which can lead to remote code execution. 0 Mozilla Firefox 18.0 Mozilla Firefox ESR...