56796 matches found
RunCMS <= 1.2 (class.forumposts.php) Arbitrary Remote Inclusion Exploit
No description provided by source. <?php --- runcms13axpl.php 17.30 09/02/2006 RunCMS <= 1.2 arbitrary remote inclusion exploit / <= 1.3a shell upload through FCKEditor coded by rgod site: http://retrogod.altervista.org usage: launch from Apache, fill in requested fields, then go! Sun-Tzu: "But when...
Foxes Among Us :: Foxit Reader Vulnerability Discovery and Exploitation
After discovering over 100 vulnerabilities in Foxit Reader, I figured it was about time I shared a full exploit chain that defeats ASLR and DEP. The first vulnerability is an uninitialized buffer that I found independently and was later killed by bit from meepwn. I leveraged this for an informati...
Reliable Controls® MACH-ProWebCom™ Unauthorized Access Information Disclosure
MACH-ProWebCom™ is a powerful, fully programmable BACnet® building controller with a built-in web server. With Reliable Controls® MACH-ProWebCom™ a building automation system can be published to the network quickly and easily. The MACH-ProWebCom™ web service is subject to unauthorized access, allowing the service configuration and other sensitive information to be downloaded. MACH-ProWebCom™, a fully programmable BACnet® Building Controller with a powerful, built-in Web server. It can post your building graphics to t...
NagiosXI <= 5.4.12 commandline.php SQL injection(CVE-2018-10735)
NagiosXI <= 5.4.12 commandline.php SQL injection (CVE-2018-10735) Description: A SQL injection issue was discovered in Nagios XI via the admin/commandline.php cname parameter. Affected Version: Nagios XI 5.2.x, Nagios XI 5.4.x before 5.4.13 Proof of concept http...
Joomla Core SQL Injection Vulnerability (CVE-2018-8045)
Author: NSFOCUS Source: CVE-2018-8045 Vulnerability summary: Details can be found in the NSFOCUS Security Threat Weekly Report, week 201812. Joomla! Core SQL injection vulnerability: NSFOCUS ID: 39158 CVE ID: CVE-2018-8045 Affected versions: Joomla! 3.5.0-3.8.5 Vulnerability note: Joomla is a website content management system developed in PHP with a MySQL database. Joomla! 3.5.0-3.8.5 lacks type casting of variables inside SQL statements, leading to a SQL injection vulnerability in the User Notes list view that can allow an attacker to access or modify data. The vendor has released an upgrade patch that fixes this...
Windows Kernel 64-bit stack memory disclosure in win32k!SfnINLPHELPINFOSTRUCT (via user-mode callback)(CVE-2018-0810)
We have discovered that a user-mode callback invoked by the win32k!SfnINLPHELPINFOSTRUCT function via KeUserModeCallback leads to the disclosure of uninitialized stack memory to user-mode clients, due to compiler-introduced structure padding. The vulnerability affects Windows 7 64-bit; other...
Microsoft Edge Content Security Bypass Vulnerability
Summary An exploitable information leak vulnerability exists in the Content Security Policy enforcement functionality of Microsoft Edge 40.15063.0.0. A specially crafted web page can cause a content security policy bypass resulting in an information leak. An attacker can create a malicious webpag...
Linux kernel Local Denial of Service Vulnerability (CVE-2017-7308)
The packet_set_ring function in net/packet/af_packet.c in the Linux kernel through 4.10.6 does not properly validate certain block-size data, which allows local users to cause a denial of service (integer signedness error and out-of-bounds write), or gain privileges if the CAP_NET_RAW capability is held...
SQL injection on a subsite of V2 Technology's official website allows server privilege escalation
Brief description: Detailed description: Third-party conferencing system, V2 Conference. See: WooYun: V2 video conferencing system SQL injection and XXE vulnerabilities allow getshell. Proof of vulnerability: http://zuyong.v2tech.com/Conf/jsp/systembulletin/bulletinAction.do?operator=details&sysId=-1%20union%20select%201,user%28%29,3,version%28%29,5%23 MySQL injection with root privileges; a shell can be written. Checked the remote desktop port: 39556. Created a wooyun user and connected via remote desktop: img...
AnyMacro Mail System webmailgo.php Stored XSS Vulnerability
No description provided by source...
DFE SCADA (Dongfang Electronics Power Industrial Control) Default Weak Password Vulnerability
No description provided by source...
shopNC member_address.php SQL Injection Vulnerability
No description provided by source...
Vulnerability in a key Kingdee system can lead to massive information leakage and funds manipulation
Brief description: A vulnerability in a key Kingdee system can lead to massive information leakage / can affect online transactions. Detailed description: The vulnerable system is the Kingdee Mall, http://shop.k3cloud.kingdee.com/, where in http://shop.k3cloud.kingdee.com/show.aspx?type=1&action=GetImg&pids=1 the pids parameter has an injection vulnerability. Proof of vulnerability: The back-end administrator password is dumped directly; the password is fairly simple, and after logging in to the back end there is a large amount of member information, including 16-digit MD5 passwords; part of it follows: Gift cards can also be generated online and exchanged for goods. In short, the back end is powerful and highly privileged: products can be added and changed, prices modified, and so on. The impact is quite severe!...
ZCMS (JSP) V1.1 Login Bypass, SQL Injection and XSS Vulnerabilities
No description provided by source...
MyBB 1.8.1 /member.php SQL Injection Vulnerability
The questionid POST parameter during registration is vulnerable to SQL injection: http://xxx/mybb/member.php?action=register...
A library management system has a generic SQL injection vulnerability
Brief description: ... Detailed description: System name: Boyun Non-book Materials Management System. Vendor: Hangzhou Maida Electronics Co., Ltd., all rights reserved. The system has a particularly fancy feature, "cloud center search". As it happens, a parameter of the search link is vulnerable to SQL injection, and the feature requires no login. Baidu search: inurl:poweb 非书资料管理系统 Enough rambling, on to the proof -------------------------------- In the proof below, the link produced by the "cloud center search" feature is given directly (any instance of this system has the search feature, and no login to the system is required); the link looks like...
Member ID The Fish Index PHP SQL Injection Vulnerability
No description provided by source. Member ID The Fish Index PHP SQL Injection Vulnerability --== Author ==-- + Author : v4lc0m87 + Contact :...
DZOIC Handshakes Auth Bypass SQL Injection
No description provided by source. In The Name Of Allah The Merciful Type: DZOIC Handshakes suffer from auth bypass remote sql injection Vendor: www.dzoic.com Software: DZOIC Handshakes - author: R3d-D3v!L TEAM: ArAB!AN !NFORMAT!ON SeCuR!T...
phpCOIN 1.2.2 includes/db.php $_CCFG[_PKG_PATH_DBSE] Parameter Traversal Arbitrary File Access
No description provided by source. source: http://www.securityfocus.com/bid/15831/info PhpCOIN is prone to a file include vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input. An attacker can exploit this issue to include arbitrary remote PHP...
Web Wiz Forum Injection Vulnerability
No description provided by source. Title : Web Wiz Forum Injection Vulnerability Author: eXeSoul Home : www.indishell.in or www.andhrahackers.com Email : [email protected] date : 23/3/2011 D0rk : i Powered by Web Wiz Forums category : Web Apps SQli Go To Site :- SQL injection Vulnerability...
A CSRF attack on Coremail can steal users' email
Brief description: Exploiting a flaw in Coremail's mail-body filter, a CSRF is triggered when the user opens a bad mail, which then sets a mail forwarding rule. Detailed description: Coremail replaces the mail body's with ; well, this is a relative address, and Coremail happens not to filter the tag. Taking http://mail..edu.cn as an example, the user's browser resolves this address as http://hack.com/coremail/s?func=user:proxyGet&sid=CAPplXssSmOlqAgclQsslyZkmdzLcYdA&mid=2:1tbiAgQPE1KpqPIw4QAAsq&url=csrf.jpg...
SiteServer 3.6.4 /siteserver/bbs/background_user.aspx SQL Injection Vulnerability
In SiteServer 3.6.4, the keyword parameter of /siteserver/bbs/background_user.aspx is handled by code in /Bin/SiteServer.BBS.dll that does not properly filter the received parameter, leading to a SQL injection vulnerability. SiteServer 3.6.4...
ionCube Loader Wizard 'loader-wizard.php' Multiple Security Vulnerabilities
Bugtraq ID: 66531 ionCube Loader Wizard is a web-based application. ionCube Loader Wizard allows attackers to obtain phpinfo information, download configuration files, perform reflected cross-site scripting attacks, and download arbitrary files. ionCube Loader Wizard 2.42 ionCube Loader Wizard 2.36 The vulnerabilities are fixed in ionCube Loader Wizard 2.46; users are advised to download it: http://www.ioncube.com/loaders.php...
PHP "OpenSSL" Extension Multiple Denial of Service Vulnerabilities
BUGTRAQ ID: 46977 CVE ID: CVE-2011-1468 PHP is a widely used general-purpose scripting language, especially suited to web development, that can be embedded in HTML. The PHP "OpenSSL" extension has a denial of service vulnerability in its implementation; a remote attacker can exploit it to consume large amounts of memory, causing a denial of service. MandrakeSoft Corporate Server 4.0 x86_64 MandrakeSoft Corporate Server 4.0 PHP PHP 5.x Vendor patch: PHP --- The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's homepage: http://www.php.net <?php $data...
MS10-081: Windows Common Control Library (Comctl32) Heap Overflow
No description provided by source. #!/usr/bin/env ruby http://breakingpointsystems.com/community/blog/microsoft-vulnerability-proof-of-concept Nephi Johnson require 'socket' def http_send(sock, data, opts={}) defaults = {:code=>"200", :message=>"OK", :type=>"text/html", :desc=>"content"} opts =...
Linux Kernel < 2.6.36-rc1 CAN BCM Privilege Escalation Exploit
No description provided by source. /* i-CAN-haz-MODHARDEN.c Linux Kernel < 2.6.36-rc1 CAN BCM Privilege Escalation Exploit Jon Oberheide [email protected] http://jon.oberheide.org Information: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2959 Ben Hawkes discovered an integer overflow in th...
PostgreSQL bitsubstr Function Remote Overflow Vulnerability
BUGTRAQ ID: 37973 CVE(CAN) ID: CVE-2010-0442 PostgreSQL is an advanced object-relational database management system supporting an extended subset of the SQL standard. A remote attacker can exploit a buffer overflow in PostgreSQL's bitsubstr function when it handles overly long strings to cause a denial of service or execute arbitrary code. PostgreSQL 8.0.23 Vendor patch: PostgreSQL ---------- The vendor has not yet provided a patch or upgrade; users of this software are advised to watch the vendor's homepage for the latest version: http://www.postgresql.org testdb=> select...
HP OpenView Network Node Manager Multiple Remote Code Execution Vulnerabilities
HP OpenView Network Node Manager is network management system software developed and maintained by HP, with powerful network node management capabilities. HP OpenView Network Node Manager has multiple security vulnerabilities: CVE-2009-3845: CNCVE ID: CNCVE-20090898 CNCVE-20093845 CNCVE-20093846 CNCVE-20093849 CNCVE-20093848 CNCVE-20094176 CNCVE-20094177 CNCVE-20094178 CNCVE-20094179 CNCVE-20094180 CNCVE-200941...
NTP MODE_PRIVATE Packet Remote Denial of Service Vulnerability
BUGTRAQ ID: 37255 CVE ID: CVE-2009-3563 NTP (Network Time Protocol) is a protocol for synchronizing computer clocks over a network. The ntpdc query and control tool uses NTP mode 7 (MODE_PRIVATE), ntpq uses NTP mode 6 (MODE_CONTROL), and routine NTP time transfer uses modes 1 through 5. When an incorrect mode 7 request or a mode 7 error response is received from an address not covered by a restrict ... noquery or restrict ... ignore network segment, ntpd replies with a mode 7 error response and logs a message. If an attacker is able to ... sent to the host...
Dnsmasq TFTP Service Remote Null Pointer Dereference Vulnerability
BUGTRAQ ID: 36120 CVE(CAN) ID: CVE-2009-2958 Dnsmasq is an easily configured lightweight DNS forwarder and DHCP server. When the TFTP service is enabled, dnsmasq has a null pointer dereference vulnerability that may allow a malicious TFTP server to crash the dnsmasq service. The cause is the first if in the following loop: /----------- while ((opt = next(&p, end))) { if (strcasecmp(opt, "blksize") == 0 && (opt = next(&p, end)) && !(daemon->options & OPT_TFTP_NO_BLOCK)) { transfer->blocksiz...
xine-lib NES Sound Format Decoder copyright Field Stack Overflow Vulnerability
BUGTRAQ ID: 28908 xine is a free media player supporting many formats. The xine player's demux_nsf.c file does not properly validate the copyright field in media files: line 111: this->copyright = strdup(&header[0x4E]); line 189: char copyright[100]; line 208: sprintf(copyright, "(C) %s", this->copyright); If a user is tricked into opening a media file with an overly long copyright field, a stack overflow may be triggered, leading to execution of arbitrary instructions. xine-lib 1.1.12 xine ----...
CodeBB 1.0 beta 2 (phpbb_root_path) Remote File Inclusion Vulnerability
No description provided by source. codebb 1.1b3 phpbb_root_path Remote File Include Vulnerability D.Script: http://rd.cycnus.de/download/codebb-1.1b3.tar.bz2 Discovered by: Alkomandoz Hacker Homepage: http://www.asb-may.net V.Code include_once($phpbb_root_path . 'includes/codebb/config.'.$phpEx);...
PHP 4.4.5 / 4.4.6 session_decode() Double Free Exploit PoC
No description provided by source. <?php ...
Barracuda Networks Spam Firewall Multiple Vulnerabilities
Barracuda Networks Spam Firewall is an integrated hardware and software anti-spam solution for protecting mail servers. Barracuda Networks Spam Firewall has multiple security issues; a remote attacker can exploit them to obtain passwords and file information. Barracuda Networks Spam Firewall versions 3.3.01.001 through 3.3.02.053 contain a built-in "guest" account with the password "bnadmin99", which can be used to log in to the web interface....
MDaemon POP3 Server Pre-authentication Remote Overflow Vulnerability
Alt-N MDaemon is a Windows-based mail server. The MDaemon POP3 server has a buffer overflow vulnerability in its handling of the USER and APOP commands. Sending an overly long string containing the "@" character to the USER or APOP command triggers the vulnerability, resulting in a heap overflow. Exploiting it requires sending multiple USER commands to the POP3 server. An attacker who successfully exploits this vulnerability may execute arbitrary code, depending on the state of the heap and the length of the string. Alt-N MDaemon 9.06 The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's homepage: http://www.altn.com PoC for Mdaemon POP3 preauth...
AOL YGPPDownload ActiveX Control Heap Overflow Vulnerability
America Online 9.0 Security Edition is client software released by America Online, based on Internet Explorer technology, that provides security and usability features. AOL's YGPPDownload ActiveX control (YGPPicDownload.dll) has two heap overflow vulnerabilities in its handling of input to the AddPictureNoAlbum method and the downloadFileDirectory property, which may allow an attacker to execute arbitrary instructions in the user's browser. AOL AOL 9.0 The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's homepage: http://www.aol.com/...
Cisco RV34X Series Authentication Bypass and Remote Command Execution Vulnerabilities (CVE-2021-1472, CVE-2021-1473)
Advisory: Cisco RV34X Series – Authentication Bypass and Remote Command Execution APRIL 13, 2021 TL;DR In early 2021, we reported a few security issues to Cisco related to their RV34X series of routers, two of which have been recently patched. The issues in question were an authentication bypass...
GitLab Unauthorized RCE Vulnerability (CVE-2021-22192)
When rendering wiki content with certain extensions such as .rmd, render_wiki_content will call other_markup_unsafe, which will end up calling GitHub::Markup.render from the github-markup gem. Files with any extension can be uploaded by checking out the wiki with git, committing the files and pushing t...
Backdoor in Tpshop <= 2.0.8 (CVE-2018-9919)
Backdoor in Tpshop <= 2.0.8 (CVE-2018-9919) The Tpshop open source mall system is a multi-merchant mode mall system developed by Shenzhen Leopard Network Co., Ltd. This system is based on the Thinkphp development framework. Product Download: http://www.tp-shop.cn/Index/Index/download.html Vulnerabili...
Hanbanggaoke IP Camera Arbitrary Password Change(CVE-2017-14335)
Vulnerability summary The following advisory describes an arbitrary password change vulnerability found in Hanbanggaoke webcams. Beijing Hanbang Technology, “one of the first enterprises entering into digital video surveillance industry, has been focusing on R&D of products and technology of...
Foscam C1 Webcam FTP Hard Coded Password Vulnerability(CVE-2016-8731)
Summary Hard-coded FTP credentials r:r are included in the Foscam C1 running firmware 1.9.1.12. Knowledge of these credentials would allow remote access to any cameras found on the internet that do not have port 50021 blocked by an intermediate device. Tested Versions Foscam C1 Firmware Version...
Multiple Vulnerabilities in peplink balance routers
Multiple Vulnerabilities in peplink balance routers =================================================== Overview -------- Confirmed Affected Versions: 7.0.0-build1904 Confirmed Patched Versions: fw-b305hw2380hw6580hw2710hw31350hw22500-7.0.1-build2093.bin Vulnerable Firmware:...
MS15-051 Win32k ClientCopyImage Elevation of Privilege Vulnerability (CVE-2015-1701)
No description provided by source. This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' require 'msf/core/post/windows/reflective_dll_injection' require 'rex' class MetasploitModule 'Windows ClientCopyImage...
Maipu ISG1000 Gateway sys_dia_data_check_file_name File Traversal Vulnerability
No description provided by source...
Just a magic tool: expression injection (command execution) in a version of EMobile
Brief description: Found by the magic scanner. Detailed description: Version: E-Mobile 4.5. Just view the source and you can see it. .../verifyLogin.do data:loginid=CasterJs&password=CasterJs&clienttype=Webclient&clientver=4.5&language=&country=&[email protected]@[email protected]@getRuntime.exec'ipconfig'.getInputStream Other cases http://.../verifyLogin.do data:...
emlog <= 5.3.1 Back-end Arbitrary Deletion Vulnerability
No description provided by source...
Kingdee system admin back-end password leak allows getshell
Brief description: Not sure whether it sits on the intranet; it looks like a test program. Looking for an expert to lead an intranet roam. Detailed description: http://k3shop.k3cloud.kingdee.com/ ip 202.104.120.51 http://k3shop.k3cloud.kingdee.com/admin/ Opening the back-end address shocked me: it redirects straight to the login. Captured the password: admin kingdee&admin Suspect multiple systems use this password. File upload address: http://k3shop.k3cloud.kingdee.com/admin/Marketing/upload.aspx?tempFolder=aspx The tempFolder parameter is controllable...
Apache James Server 2.3.2 - Remote Command Execution
Exploit Title: Apache James Server 2.3.2 Authenticated User Remote Command Execution Date: 16\10\2014 Vendor Homepage: http://james.apache.org/server/ Software Link: http://ftp.ps.pl/pub/apache/james/server/apache-james-2.3.2.zip Version: Apache James Server 2.3.2 Tested on: Ubuntu, Debian...
Qiangzhi Educational Administration Management Information System arbitrary file download compromises multiple schools, batch of some schools (bare sa)
Brief description: As the title says. Detailed description: Keyword: Copyright: Changsha Qiangzhi Technology Development Co., Ltd. All rights reserved. These are only some of the websites I searched. http://58.18.213.238/jwgl/public/download.asp?filename=../jwjs/conn/connstring.asp. http://jiaowu.hustwenhua.net/public/download.asp?filename=../jwjs/conn/connstring.asp...
Adobe Reader 9.3.2 (CoolType.dll) Remote Memory Corruption / DoS Vulnerability
No description provided by source. /* Title: Adobe Reader 9.3.2 CoolType.dll Remote Memory Corruption / DoS Vulnerability Summary: Adobe Reader software is the global standard for electronic document sharing. It is the only PDF file viewer that can open and interact with all PDF documents. Use Ado...