Seebug: Most viewed

56796 matches found

seebug.org
added 2014/04/22 12:0 a.m. | 100 views

A SQL injection in the TRS WCM admin backend

Brief description: Details: Tested version: WCM6.5. The problem is in the backend "New channel distribution" function. See the screenshot directly: select WCMDocument.DocId from WCMCHNLDOC,WCMDocument where WCMDocument.DocId=WCMChnlDoc.DocId and WCMChnlDoc.CHNLID=? AND [injection point] AND WCMChnlDoc.DOCSTATUS0 and WCMChnlDoc.Modal0 and WCMChnlDoc.DocChannel0 order by WCMChnlDoc.DOCORDERPRI desc,...

7.7 AI score
Exploits: 0
seebug.org
added 2013/12/26 12:0 a.m. | 100 views

DedeCMS 5.7 config.php cross-site scripting vulnerability

dedecms 5.7 config.php cross-site scripting vulnerability \include\dialog\config.php $cuserLogin = new userLogin; if$cuserLogin-getUserID 提示:需输入后台管理目录才能登录请输入后台管理目录名:", "javascript:;"; exit; $gurl = "../../$adminDirHand/login.php?gotopage=".urlencode$dedeNowurl; echo "location='$gurl';"; exit; The user-submitted $adminDirHand...

7.1 AI score
Exploits: 0
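seebug.org
added 2013/12/16 12:0 a.m. | 100 views

Bitrix Site Manager user identity spoofing vulnerability

CVE (CAN) ID: CVE-2013-6788 Bitrix Site Manager is a web site management tool. When displaying the pre-order e-store module, Bitrix Site Manager does not adequately verify the authenticity of data; a remote unauthenticated user can change the "BITRIXSMSALEUID" cookie to view other users' shopping information and perform certain actions, such as adding or removing items in the shopping cart. 0 Bitrix Site Manager=12.5.13 Vendor patch: Bitrix ----- Upgrade the "sale" module to version 14.0.1; download it from the vendor's home page:...

7.5 CVSS | 6.4 AI score | 0.01628 EPSS
Exploits: 2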
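seebug.org
added 2013/05/30 12:0 a.m. | 100 views

MediaWiki arbitrary file upload vulnerability

Bugtraq ID: 60077 MediaWiki is a wiki engine released under the GPL. A security vulnerability in MediaWiki's file upload implementation allows remote attackers to upload arbitrary files to affected systems and possibly execute them with web privileges. 0 MediaWiki 1.20.0 - 1.20.5 MediaWiki 1.19.0 - 1.19.6 Vendor solution: users can contact the vendor to obtain the corresponding upgrade or patch: http://wikipedia.sourceforge.net/...

7.1 AI score
Exploits: 0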
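seebug.org
added 2012/08/19 12:0 a.m. | 100 views

Zhengfang Software Co., Ltd. (正方软件) was previously penetration tested

Brief description: This was a successful intrusion. As internal top-secret information leaked, a large amount of user data was exposed, turning it into a security incident that should not be underestimated. Details: www.zfsoft.com:3389 Windows XP server Internal IP: 10.71.19.19 Public IP: 122.224.218.36 Administrator account and password: Administrator Password: zf@^Web2HZsll Zhengfang OA accounts and passwords: Unified identity login: https://portal.zfsoft.com:8443/zfca/ 672/310014 684/000000 400/zl 812/000000 815/wcf2012 291/hj 519/123...

7.1 AI score
Exploits: 0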
seebug.org
added 2012/07/09 12:0 a.m. | 100 views

SHOPEX 4.8.5 mdl.goods.php SQL injection vulnerability

Core vulnerable function \core\modelv5\trading\mdl.goods.php codepublic function getProducts $gid, $pid = 0 $sqlWhere = ""; if 0 $pid $sqlWhere = " AND A.productid = ".$pid; //www.lpboke.com not filtered $sql = "SELECT A.,B.imagedefault FROM sdbproducts AS A LEFT JOIN sdbgoods AS B ON A.goodsid=B.goodsid WHERE...

7.1 AI score
Exploits: 0
seebug.org
added 2011/08/20 12:0 a.m. | 100 views

Maxcms (马克斯CMS) admin_inc.asp SQL injection vulnerability

In the file admin/ admin_inc.asp: Sub checkPower //line 103 dim loginValidate,rsObj : loginValidate = "maxcms2.0" err.clear on error resume next set rsObj=conn.db"select mrandom,mlevel from premanager where musername='"&rCookie"musername"&"'","execute" The rCookie function is in the file inc/ CommonFun.asp: Function rCookiecookieNa...

7.1 AI score
Exploits: 0
seebug.org
added 2009/09/09 12:0 a.m. | 100 views

Mambo Component com_hestar Remote SQL Injection Vulnerability

No description provided by source. comhestar 1.0.0 Author : M3NW5 M3NW5athackermaildotcom Homepage : http://www.indonesiancoder.com Date : Monday, September 07, 2009 ------------------------------------------------------------------------------------------------------- | |.-----..--|...

7.1 AI score
Exploits: 0
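seebug.org
added 2007/06/18 12:0 a.m. | 100 views

PHPMyInventory Global.Inc.PHP remote file inclusion vulnerability

PHPMyInventory is a PHP-based web application. PHPMyInventory does not properly filter user-submitted URI data, and remote attackers can exploit this to execute arbitrary commands with the privileges of the web process. The issue is that the 'Global.Inc.PHP' script does not filter the user-submitted 'strIncludePrefix' parameter; submitting a malicious remote server as the include target can lead to execution of arbitrary PHP code with the privileges of the web process. phpMyInventory 2.8 No detailed solution is currently available: http://sourceforge.net/projects/phpmyinventory/...

7.1 AI score
Exploits: 0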
seebug.org
added 2006/09/14 12:0 a.m. | 100 views

Mambo com_serverstat Component <= 0.4.4 File Include Vulnerability

No description provided by source. =-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-= + +Mambo comserverstat Component =0.4.4 Remote File Include Vulnerability + =-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-= + +Author: xoron turkish...

7.1 AI score
Exploits: 0
seebug.org
added 2021/06/03 12:0 a.m. | 99 views

Apache Solr SSRF vulnerability (CVE-2021-27905)

...

7.5 CVSS | 1.5 AI score | 0.93053 EPSS
Exploits: 5
seebug.org
added 2021/04/15 12:0 a.m. | 99 views

Chrome remote code execution vulnerability

...

1.2 AI score
Exploits: 0
seebug.org
added 2018/01/22 12:0 a.m. | 99 views

MacOS process_policy stack leak through uninitialized field(CVE-2017-7154)

The syscall processpolicyscope=PROCPOLICYSCOPEPROCESS, action=PROCPOLICYACTIONGET, policy=PROCPOLICYRESOURCEUSAGE, policysubtype=PROCPOLICYRUSAGECPU, attrp=, targetpid=0, targetthreadid= causes 4 bytes of uninitialized kernel stack memory to be written to userspace. The call graph looks as follow...

5.6 CVSS | 7.2 AI score | 0.01134 EPSS
Exploits: 4
seebug.org
added 2017/11/22 12:0 a.m. | 99 views

JBOSSAS 5.x/6.x deserialization command execution vulnerability (CVE-2017-12149)

CVE-2017-12149 It was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization. This allows an attacker to execute arbitrary code via crafted serialized data. Find out more about CVE-2017-12149 from the MITRE CV...

7.5 CVSS | 9.6 AI score | 0.90713 EPSS
Exploits: 14
seebug.org
added 2017/11/06 12:0 a.m. | 99 views

Google PDFium TIFF Image Flate Decoder Code Execution Vulnerability(CVE-2017-5133)

Summary An off-by-one read/write on the heap vulnerability exists in the TIFF image decoder functionality of Pdfium as used by Google Chrome up to and including 60.0.3112.101. A specially crafted PDF file can trigger an off-by-one read and write on the heap resulting in memory corruption and a...

9.4 AI score | 0.01999 EPSS
Exploits: 1
seebug.org
added 2017/10/26 12:0 a.m. | 99 views

Network Time Protocol Ephemeral Association Time Spoofing Vulnerability(CVE-2016-1549)

SUMMARY ntpd is vulnerable to Sybil attacks. A malicious authenticated peer can create arbitrarily-many ephemeral associations in order to win ntpd's clock selection algorithm and modify a victim's clock. TESTED VERSIONS NTP 4.2.8p3 NTP 4.2.8p4 NTPsec 3e160db8dc248a0bcb053b56a80167dc742d2b74 NTPs...

4 CVSS | 8.1 AI score | 0.03121 EPSS
Exploits: 1
seebug.org
added 2017/05/27 12:0 a.m. | 99 views

Mozilla Firefox: out-of-bounds read in gfxTextRun(CVE-2017-5447)

Mozilla bug tracker link: https://bugzilla.mozilla.org/showbug.cgi?id=1343552 There is an out-of-bounds read vulnerability in Firefox. The vulnerability was confirmed on the nightly ASan build. PoC: .class1 float: left; white-space: pre-line; .class2 border-bottom-style: solid; font-face: Arial;...

9.2 AI score | 0.17663 EPSS
Exploits: 4
seebug.org
added 2016/04/18 12:0 a.m. | 100 views

emlog 5.3.1 reflected XSS (bypasses the browser filter)

No description provided by source...

7.1 AI score
Exploits: 0
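seebug.org
added 2015/10/10 12:0 a.m. | 99 views

Yonyou Seeyon A6 (用友致远A6) collaborative management system downloadAtt.jsp SQL injection

Yonyou Seeyon A6 collaborative management system: designed for a broad range of enterprises and institutions, it is an efficient Internet-based collaborative work platform and an excellent collaborative management system. It incorporates advanced collaborative management concepts and uses leading network technology to effectively address key applications in the work management of enterprises and institutions. With it, information on business, affairs and events in daily management can be communicated and handled among organizations, departments, groups and individuals in a timely, efficient, orderly, controllable and fully shared way. It is software very well suited to national conditions, with very good cost-effectiveness. Vulnerability description: The Yonyou Seeyon A6 collaborative management system does not strictly filter the variable attachids in downloadAtt.jsp, allowing users to execute arbitrary SQL statements....

7.1 AI score
Exploits: 0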
seebug.org
added 2014/07/01 12:0 a.m. | 99 views

hassan consulting shopping cart 1.18 - Directory Traversal vulnerability

No description provided by source. source: http://www.securityfocus.com/bid/1777/info The $page variable in Hassan Consulting Shopping Cart does not properly check for insecure relative paths such as the double dot ... Therefore, requesting the following URL will display the specified file:...

7.1 AI score
Exploits: 0
seebug.org
added 2014/07/01 12:0 a.m. | 99 views

EasyFTP Server <= 1.7.0.11 CWD Command Stack Buffer Overflow

No description provided by source. $Id: easyftpcwdfixret.rb 9179 2010-04-30 08:40:19Z jduck $ This file is part of the Metasploit Framework and may be subject to redistribution and commercial restrictions. Please see the Metasploit Framework web site for more information on licensing and terms of...

7.1 AI score
Exploits: 0
seebug.org
added 2014/07/01 12:0 a.m. | 99 views

SMF Forum Mambo Component <= 1.3.1.3 Include Vulnerability

No description provided by source. Joomla-SMF Forum Bridge For Mambo 4.5.3+ And Mambo 4.5.3+ Remote File Inclusion Vulnerability Discovered by : ASIANEAGLE Remote:Yes Level:High --------------------------------------------------------- Application: SMF Forum 1.3.1.3 Bridge Component For Joomla And...

7.1 AI score
Exploits: 0
seebug.org
added 2014/07/01 12:0 a.m. | 99 views

Pligg 9.9.5 - CSRF Protection Bypass and Captcha Bypass

No description provided by source. Written By Michael Brooks Special thanks to str0ke! Pligg - XSRF Protection Bypass and Captcha Bypass affects 9.9.5 XSRF Protection Bypass html !-- Remove this iframe from this file and place it on a site that you want to force people to vote for. Change these...

7.1 AI score
Exploits: 0
seebug.org
added 2014/07/01 12:0 a.m. | 99 views

elgg <= 1.5 (/_css/js.php) Local File Inclusion Vulnerability

No description provided by source. Product: elgg.org Version: = 1.5 Dork: Powered by Elgg, the leading open source social networking platform eLwauxc2009 UASC.org.UA POC: /css/js.php?js=../../../../tmp/sessiondir%00&viewtype=xD need: in table datalists must be record simplecacheenabled = 0 defaul...

7.1 AI score
Exploits: 0
seebug.org
added 2014/07/01 12:0 a.m. | 99 views

OpenSSL 1.0.1f TLS Heartbeat Extension - Memory Disclosure (Multiple SSL/TLS versions)

No description provided by source. Exploit Title: OpenSSL TLS Heartbeat Extension - Memory Disclosure - Multiple SSL/TLS versions Date: 2014-04-09 Exploit Author: Csaba Fitzl Vendor Homepage: http://www.openssl.org/ Software Link: http://www.openssl.org/source/openssl-1.0.1f.tar.gz Version: 1.0.1...

5 CVSS | 8.2 AI score | 0.99999 EPSS
Exploits: 87
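seebug.org
added 2014/06/03 12:0 a.m. | 99 views

SQL injection vulnerability in the Qingguo (青果) academic affairs platform

Brief description: My earlier submission had no link as proof, so I am adding it now. This is my first submission and I have no experience; administrators, please don't take offense. Details: This issue is in the file ListXNXQZFXNJ.aspx, which does not filter parameters as they are passed, leading to SQL injection. Injection link: /xsxj/Private/ListXNXQZFXNJ.aspx?xnxq=20121%27&rad=0; the affected parameter is xnxq. Proof of vulnerability:...

7.1 AI score
Exploits: 0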
seebug.org
added 2014/05/29 12:0 a.m. | 99 views

FineCMS v1.8 arbitrary file download

Brief description: Code auditing is skilled work and takes a lot of patience.. o︶︿︶o Details: The affected version is FineCMS V1.8.0, the latest version. 1. Following the trail. Vulnerable file: controllers/ApiController.php, downAction method public function downAction $data = fnauthcodebase64decode$this-get'file', 'DECODE'; $file = isset$data'finecms' && $data'finecms' ? $data'finecms' : ''; if empty$file...

7 AI score
Exploits: 0
seebug.org
added 2014/05/08 12:0 a.m. | 99 views

ezEIP 3 /download.ashx arbitrary file download vulnerability

No description provided by source...

7.1 AI score
Exploits: 0
seebug.org
added 2014/04/25 12:0 a.m. | 99 views

KESION CMS (科讯) latest version arbitrary file upload (webshell)

Brief description: An upload vulnerability in the latest version ^^ Details: Member file upload vulnerability; files with any extension can be uploaded. Vulnerability in the file user/swfupload.asp If UpFileObj.Form"NoReName"="1" Then 'do not rename Dim PhysicalPath,FsoObj:Set FsoObj = KS.InitialObjectKS.Setting99 PhysicalPath = Server.MapPathreplaceTempFileStr,"|","" TempFileStr= midTempFileStr,1, InStrRevTempFileStr, "/" & FileTitles ...

7.1 AI score
Exploits: 0
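seebug.org
added 2014/03/13 12:0 a.m. | 100 views

Microsoft Silverlight DEP/ASLR security restriction bypass vulnerability (CVE-2014-0319)

BUGTRAQ ID: 66046 CVE (CAN) ID: CVE-2014-0319 Microsoft Silverlight is a cross-browser, cross-platform .NET implementation for building media experiences and interactive applications for the Web. Silverlight does not correctly implement DEP and ASLR, resulting in a security restriction bypass vulnerability. Successful exploitation can bypass the DEP/ASLR security features. 0 Microsoft Silverlight 5.x Temporary workarounds: Temporarily block Microsoft Silverlight in IE. Temporarily block Microsoft Silverlight from running in Mozilla Firefox. Temporarily block in Mozilla...

7.1 CVSS | 6.3 AI score | 0.05916 EPSS
Exploits: 1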
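seebug.org
added 2013/08/28 12:0 a.m. | 99 views

Oupeng (欧朋) website database can be downloaded directly, leaking a large amount of user information

Brief description: The Oupeng website database can be downloaded directly, leaking user information including usernames, email addresses, mobile numbers, passwords (some already cracked), QQ numbers and so on. Details: Download URL: http://r.oupeng.com/tmp/users.sql After downloading I didn't want to bother creating a table, so I made do with viewing it in Notepad: Table structure: CREATE TABLE users uid int10 unsigned NOT NULL AUTOINCREMENT, username char20 NOT NULL, password char64 NOT NULL, email char125 NOT NULL, emailstate tinyint1 NOT NULL...

7.1 AI score
Exploits: 0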
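seebug.org
added 2009/12/24 12:0 a.m. | 99 views

expat big2_toUtf8() function XML file parsing denial of service vulnerability

BUGTRAQ ID: 37203 CVE ID: CVE-2009-3560 Expat is an XML parser library written in C. The big2_toUtf8 function in the Expat library's lib/xmltok.c file has a denial of service vulnerability. If a user is tricked into opening an XML document containing malformed UTF-8 sequences, an out-of-bounds buffer read is triggered in the doProlog function of lib/xmlparse.c, crashing applications linked against the Expat library. James Clark Expat 2.0.1 Vendor patch: Debian ------ Debian has released a security advisory (DSA-1953-1) and corresponding patches for this: DSA-1953-1:New expat...

5 CVSS | 0.24313 EPSS
Exploits: 2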
seebug.org
added 2009/07/10 12:0 a.m. | 99 views

Linux Kernel <= 2.6.28.3 set_selection() UTF-8 Off By One Local Exploit

No description provided by source. / CVE-2009-1046 Virtual Console UTF-8 setselection off-by-onetwo Memory Corruption Linux Kernel = 2.6.28.3 coded by: sgrakkyu at antifork.org http://kernelbof.blogspot.com/2009/07/even-when-one-byte-matters.html Dedicated to all people talking nonsense about non...

4.7 CVSS | 7.6 AI score | 0.00783 EPSS
Exploits: 5
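seebug.org
added 2009/05/17 12:0 a.m. | 99 views

Linux Kernel NFS client implementation MAY_EXEC permission check vulnerability

BUGTRAQ ID: 34934 CVE (CAN) ID: CVE-2009-1630 The Linux Kernel is the kernel used by the open source operating system Linux. If atomicopen is available, the nfspermission function in fs/nfs/dir.c of the Linux kernel NFS client implementation does not check the execute (EXEC or MAY_EXEC) permission bit, which allows local users to bypass restrictions and execute files. Linux kernel 2.6.x Linux ----- The vendor has not yet provided a patch or upgrade; we recommend that users of this software watch the vendor's home page for the latest version: http://www.kernel.org/ mount -t...

4.4 CVSS | 0.1 AI score | 0.00485 EPSS
Exploits: 2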
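seebug.org
added 2008/12/24 12:0 a.m. | 99 views

PHP 'mbstring' extension buffer overflow vulnerability

BUGTRAQ ID: 32948 CVE ID:CVE-2008-5557 PHP is a web programming language. The PHP mbstring extension has an input validation error that remote attackers can exploit to crash the application. The mbstring extension is used to handle multibyte unicode strings. There is a problem when decoding some HTML entities into unicode strings: because the decoder does not correctly handle error conditions, the bounds check on the heap-allocated buffer can be effectively bypassed. An attacker exploiting the vulnerability can write arbitrary data to a specific region of the heap and execute arbitrary instructions with the application's privileges. PHP PHP 5.2.6 PHP PHP 5.2.5 PHP PHP 5.2.4 PHP PHP 5.2.3 PHP PHP 5.2.2 PHP PH...

10 CVSS | 0.5 AI score | 0.07371 EPSS
Exploits: 2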
seebug.org
added 2008/03/20 12:0 a.m. | 99 views

ASPapp (links.asp CatId) Remote SQL Injection Vulnerability

No description provided by source. ....... ...... ..... .....CoRPITX ..... ..... ...... ....... -----------------Turkey-------------------------------------- --------- www.Hayalet-hack.com------------------------------- ----------www.xcorpitx-hack.com------------------------------ Iatek | ASPapp...

7.1 AI score
Exploits: 0
seebug.org
added 2007/06/30 12:0 a.m. | 99 views

XCMS 1.1 (Galerie.php) Local File Inclusion Vulnerabilities

No description provided by source. Author:: BlackNDoor | [email protected] Homepage:: www.learntohell.net Script:: XCMS : CMS Version:: 1.1 Type:: Remote Directory Listing & Local File Include Source:: http://groupeclan.free.fr/XCMS.zip Bug:: - Files: /Module/Galerie.php.php - vulncode:...

7.1 AI score
Exploits: 0
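seebug.org
added 2007/01/30 12:0 a.m. | 99 views

IBM AIX mail service authentication bypass vulnerability

IBM AIX is a commercial UNIX operating system. AIX's various mail services (pop3d, pop3ds, imapd and imapds) have a vulnerability in the authentication process that, in some environments, may allow authentication to succeed for services that should have been denied, so that an attacker can gain unauthorized access. IBM AIX 5.3 The vendor has released an upgrade patch to fix this security issue; download it from the vendor's home page: ftp://aix.software.ibm.com/aix/efixes/security/pop3difix.tar.Z...

6.9 AI score
Exploits: 0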
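seebug.org
added 2006/11/04 12:0 a.m. | 99 views

Multiple security vulnerabilities in the Libtiff image library

LibTiff is a library for encoding/decoding the TIFF image format. There are multiple security vulnerabilities in the TIFF library, as follows: CVE-2006-3459 Multiple stack overflow vulnerabilities may allow arbitrary code execution. CVE-2006-3460 A heap overflow vulnerability exists in the JPEG decoder. CVE-2006-3461 A heap overflow vulnerability exists in the PixarLog decoder. CVE-2006-3462 A heap overflow vulnerability exists in the NeXT RLE decoder. CVE-2006-3463 A 16-bit unsigned short is used in a loop to iterate over a 32-bit unsigned value, so the loop never terminates, resulting in an infinite loop. CVE-2006-3464...

7.8 CVSS | 0.50983 EPSS
Exploits: 13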
seebug.org
added 2006/08/02 12:0 a.m. | 99 views

TSEP <= 0.942 (colorswitch.php) Remote Inclusion Vulnerability

No description provided by source. Script: TSEP = 0.942 URL: www.tsep.info Discovered: beford xbefordx gmail com Comments: "registerglobals" must be enabled duh. document.this != http://www.milw0rm.com/exploits/2098 Vulnerable Files/Code:...

7.1 AI score
Exploits: 0
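seebug.org
added 2021/07/09 12:0 a.m. | 98 views

Yapi remote command execution vulnerability

How to reproduce this issue: After registering and logging in, create a project. Then choose to set a global mock script and set the command to make a remote request to my server address. Then add an interface and access the interface's mock address. The server shows the following response; the remote server receives the request. poc: const sandbox = this const ObjectConstructor = this.constructor const FunctionConstructor = ObjectConstructor.constructor const myfun = FunctionConstructor'return process' const process = myfun...

2 AI score
Exploits: 0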
seebug.org
added 2021/03/10 12:0 a.m. | 98 views

Joomla <=3.9.24 administrator-privilege command execution (CVE-2021-23132, CVE-2020-24597)

https://github.com/HoangKien1020/CVE-2021-23132...

5 CVSS | 7.1 AI score | 0.06529 EPSS
Exploits: 2
seebug.org
added 2017/10/19 12:0 a.m. | 98 views

The Document Foundation LibreOffice RTF Stylesheet Code Execution Vulnerability(CVE-2016-4324)

SUMMARY An exploitable Use After Free vulnerability exists in the RTF parser LibreOffice. A specially crafted file can cause a use after free resulting in a possible arbitrary code execution. To exploit the vulnerability a malicious file needs to be opened by the user via vulnerable application...

6.8 CVSS | 8 AI score | 0.02842 EPSS
Exploits: 1
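seebug.org
added 2016/05/14 12:0 a.m. | 98 views

Srun 3000 (深澜) security authentication, network management and billing system /srun3/srun/services/modules/login/controller/login_controller.php arbitrary file download vulnerability

0x01 Vulnerability framework: The Srun3000 campus broadband client is a security authentication, network management and billing product that Srun Software (深澜软件) released for campus networks. /srun3/srun/services/modules/login/controller/login_controller.php has an arbitrary file download vulnerability. Affected vendor: Srun Software. Official home page: http://www.srun.com/ Srun Software's Srun 3000 family of security authentication, network management and billing products consists of the Srun 3000 Gateway System and the Srun 3000 Radius System. The Srun 3000 Gateway authentication and billing system, well received by many users, ...

7.1 AI score
Exploits: 0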
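seebug.org
added 2015/03/09 12:0 a.m. | 99 views

XYCMS management consulting company site-building system has default database download and stored XSS

Brief description: The XYCMS management consulting company site-building system has default database download and stored XSS. Details: The XYCMS management consulting company site-building system has default database download and stored XSS. Source code: http://down.chinaz.com/soft/29472.htm First, there is a stored XSS in the online job application form, where XSS code can be inserted. Vulnerable file: Careersyp.asp Google search: inurl:Careersyp.asp Examples: http://www.gaonengkedi.com/Careersyp.asp?id=4 http://njqygl.com/Careersyp.asp?id=1...

7.1 AI score
Exploits: 0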
seebug.org
added 2014/10/04 12:0 a.m. | 98 views

DESTOON front-end getshell

Brief description: As the title says.. Details: \module\know\answer.inc.php lines 143 - 161 case 'raise': //This feature updates the number of times the bounty has been raised in the "Know" function, because by default the bounty can only be raised 2 times if$credit $credit dalert$L'lackcredit', 'goback'; $couldraise = $couldadmin;//Whether this is the author who posted in "Know". if$item'process' != 1 $couldraise = false; if$item'raise' = $MOD'maxraise' $couldraise = false...

7 AI score
Exploits: 0
seebug.org
added 2014/07/09 12:0 a.m. | 98 views

Yonyou Human Resources Management (e-HR) SQL injection vulnerability

Brief description: ----------------------------------- Say something. Details: The PKEMPTYJOB parameter in the file /hrss/rm/PositionDetail.jsp has a SQL injection vulnerability. Just throw it into SQLMAP and run: http://219.140.193.253/hrss/rm/PositionDetail.jsp?PKEMPTYJOB=1001A11000000000G9WA& GET parameter 'PKEMPTYJOB' is vulnerable. Do you want to keep testing the others if any? y/N N...

7.2 AI score
Exploits: 0
seebug.org
added 2014/07/06 12:0 a.m. | 98 views

Destoon latest V5.0-UTF8 official release command execution vulnerability (admin backend)

Brief description: As in the title. Details: A command execution vulnerability in the admin backend that can add a system account. The vulnerability is in admin/tag.inc.php case 'preview': $db-halt = 0; $destoontask = ''; if$tagcss $tagcss = stripslashes$tagcss; if$taghtmls $taghtmls = stripslashes$taghtmls; if$taghtmle $taghtmle = stripslashes$taghtmle; if$tagcode $tagcode = stripslashes$tagcode; if$tagjs...

7.1 AI score
Exploits: 0
seebug.org
added 2014/07/01 12:0 a.m. | 98 views

mail2forum phpBB Mod <= 1.2 (m2f_root_path) Remote Include Vulns

No description provided by source. Title : mail2forum = 1.2 Multiple Remote File Include Vulnerabilities Discovered By OLiBekaS ----------------------------------------------------------------------------- Affected software description : Application : mail for phpbb bulletin board/forum software...

7.1 AI score
Exploits: 0
seebug.org
added 2014/07/01 12:0 a.m. | 98 views

EggAvatar for vBulletin 3.8.x SQL Injection Vulnerability

No description provided by source. !/usr/bin/env perl use LWP::UserAgent; sub banner print \n; print DSecurity \n; print \n; print Email:dsecurity.vnatgmail.com \n; print \n; if@ARGV5 print Usage: $0 address username password numberuser sleeptime\n; print Example: $0 http://localhost/vbb test tes...

7.1 AI score
Exploits: 0
Total number of security vulnerabilities: 5000