Rgboard <= 3.0.12 (RFI/XSS) Multiple Remote Vulnerabilities
No description provided by source. Rgboard 3.0.x Multiple Vulnerabilities RFI/XSS // Author:: e.wiZz! // Site:: www.balcanwarez.com // Contact:: N/A :D =========================================================== // Script :: Rgboard // Vulnerable version :: 3.0.0/3.0.12 // Not vulnerable :: 4.0 /...
PHP 5.2.3 bz2 com_print_typeinfo() Denial of Service Exploit
No description provided by source. ?php //PHP 5.2.3 bz2 comprinttypeinfo Remote DoS Exploit //author: shinnai //mail: shinnaiatautisticidotorg //site: http://shinnai.altervista.org //Tested on xp sp2, worked both from the cli and on apache //Bug discovered with "Footzo" thanks to rgod. //...
3proxy HTTP Proxy Request Remote Buffer Overflow Vulnerability
3Proxy is a small proxy server. 3Proxy contains a buffer overflow in its handling of HTTP proxy requests; a remote attacker can exploit it to execute arbitrary instructions with the privileges of the application process. No detailed vulnerability information is currently available. 3proxy 3proxy 0.6b devel 20061014 3proxy 3proxy 0.5.3g 3proxy 3proxy 0.5 Upgrade to the latest release: http://3proxy.ru/0.5.3h/Changelog.txt...
PHP-Nuke Module Eve-Nuke 0.1 (mysql.php) RFI Vulnerability
No description provided by source. =========================================================================================== Eve-NukePortal file include phpbbrootpath =========================================================================================== Script name :Eve-Nuke Portal Downloa...
GnuPG Multiple Security Vulnerabilities
GnuPG is an open-source PGP encryption, decryption and signing tool. GnuPG contains multiple unspecified security issues; a remote attacker could potentially exploit them to execute arbitrary instructions with the privileges of the application process. These issues are only potential problems: they were found during a code audit that added code checks and other source-code fixes. According to the report, code execution may result from integer overflow and buffer overflow errors. GNU Privacy Guard 1.4.6 No solution is currently available: http://www.gnupg.org/...
Leigh Business Enterprises Web HelpDesk SQL Injection Vulnerability
LBE Web Helpdesk is a helpdesk system operated through a web browser. LBE Web Helpdesk does not properly filter user-supplied data; a remote attacker can exploit this vulnerability to perform SQL injection attacks and may obtain sensitive data or modify the database. The problem is that the jobedit.asp script lacks filtering of the user-supplied 'id' parameter; submitting data containing malicious SQL commands as the 'id' parameter can modify the 'users' table and add new users with operator-level privileges. Leigh Business Enterprises Web HelpDesk 4.0.0.80 Temporary workaround: if you cannot install the patch or upgrade immediately, NSFOCUS recommends the following measures to reduce the threat: in $nick...
Microsoft Internet Explorer MSOE.DLL Denial of Service Vulnerability
Microsoft Internet Explorer is a popular web browser. Microsoft Internet Explorer has a problem when instantiating the msoe.dll COM object; a remote attacker can exploit the vulnerability to perform a memory corruption attack and may execute arbitrary instructions with the privileges of the process. When Microsoft Internet Explorer attempts to instantiate the msoe.dll COM object as an ActiveX control, it may corrupt system memory, causing a denial of service and possibly leading to arbitrary code execution. Microsoft Internet Explorer 6.0 SP2 Microsoft Internet Explorer 6.0 SP1 Microsoft...
Pearl Forums 2.4 Multiple Remote File Include Vulnerabilities
No description provided by source. ...
RealVNC Remote Terminal Control Software Remote Authentication Bypass Vulnerability
RealVNC VNC Server is remote terminal control software. The RFB (Remote Framebuffer) protocol used by RealVNC VNC Server allows the client and server to negotiate a suitable authentication method; the protocol implementation contains a design error that allows a remote attacker to bypass authentication and access the server without a password. The specific sequence is as follows: 1 The server sends its version "RFB 003.008\n" 2 The client replies with its version "RFB 003.008\n" 3 The server sends 1 byte equal to the number of security types offered 3a The server sends a byte array describing the security types offered 4 The client replies with 1 byte, choosing a security type from the array in 3a 5 A handshake is performed if required, followed by the server's "0000" RealVNC...
OpenLDAP slapd "selfwrite" Security Restriction Bypass Vulnerability
OpenLDAP is an open-source implementation of the Lightweight Directory Access Protocol (LDAP). OpenLDAP contains an error in processing access control lists that a remote attacker could exploit to bypass security restrictions. An ACL of the following form: access to dn.subtree="ou=groups,dc=example,dc=com" attr=member by selfwrite should only allow users to add/remove their own DN in the target attribute, but a user with selfwrite access can actually modify arbitrary values of the attribute, allowing an attacker to bypass security restrictions and gain unauthorized access. OpenLDAP OpenLDAP 2.3/HEAD The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's homepage...
Emerson Liebert IntelliSlot Web Card family (delivers enhanced communications and control to Liebert UPS, AC Power and Thermal Management systems) Unauthorized Access
The Emerson Liebert IntelliSlot Web Card family delivers enhanced communications and control to Liebert UPS, AC Power and Thermal Management systems. Unauthorized access: many of them require no authentication, and the management configuration uses the default password. Liebert: Liebert devices in ZoomEy...
Windows Kernel 64-bit pool memory disclosure in win32k!UMPDOBJ::LockSurface(CVE-2018-0813)
We have discovered that the win32k!UMPDOBJ::LockSurface function discloses portions of uninitialized pool memory to user-mode clients. The bug was encountered on Windows 7 64-bit; other versions were not tested. The leak was detected in the context of the splwow64.exe process, under the following...
Tplink Bridge Authenticated RCE
Vulnerability: Command Injection in bridge.lua ------------------------------------------ Exploitation: Remote command execution in the root shell. ------------------------------------------ Vendor of Product: Tp-Link router ------------------------------------------ Affected Products and...
Apple Image I/O EXR Color Component Remote Code Execution Vulnerability(CVE-2016-4629)
SUMMARY An exploitable heap based buffer overflow exists in the handling of EXR images on OS X. A crafted EXR document can lead to a heap based buffer overflow resulting in remote code execution. Vulnerability can be triggered via a saved EXR file delivered by other means when opened in any...
HDF5 Group libhdf5 Shareable Message Type Code Execution Vulnerability(CVE-2016-4332)
Description HDF5 is a file format that is maintained by a non-profit organization, The HDF Group. HDF5 is designed to be used for storage and organization of large amounts of scientific data and is used to exchange data structures between applications in industries such as the GIS industry via...
National Instruments LabVIEW LvVarientUnflatten Code Execution Vulnerability(CVE-2017-2775)
Summary An exploitable memory corruption vulnerability exists in the LvVarientUnflatten functionality of LabVIEW 2016 version 16.0.0.49152. A specially crafted VI file can cause a user controlled value to be used as a loop terminator resulting in internal heap corruption. An attacker controlled V...
Symantec Messaging Gateway <= 10.6.3-2 unauthenticated root RCE(CVE-2017-6327)
Bug 1: Web authentication bypass The web management interface is available via HTTPS, and you can't do much without logging in. If the current session identified by the JSESSIONID cookie has the user attribute set, the session is considered authenticated. The file LoginAction.class defines a numb...
New Firefox/Tor Browser 0-day vulnerability (CVE-2016-9079)
No description provided by source. var worker = new Worker'data:javascript,self.onmessage=functionmsgpostMessage"one";postMessage"two";;'; worker.postMessage"zero"; var svgns = 'http://www.w3.org/2000/svg'; worker.onmessage = functione containerA.pauseAnimations; var craftDOM = function container...
FineCMS AttachmentController arbitrary file upload vulnerability
Source link: http://www.hackersb.cn/shenji/170.html It is still AttachmentController; of course, this time it is no longer as simple as uploading a file through kindeditorupload and then including it, but rather directly uploading a script and executing it. This time the problem is the ajaxswfuploadAction method, whose code is...
Safari the showModalDialog method UXSS vulnerability
This article is translated from: http://mksben.l0.cm/2016/09/safari-uxss-showModalDialog.html (English version) http://masatokinugawa.l0.cm/2016/09/safari-uxss-showModalDialog.html (Japanese version) Author: Masato Kinugawa Translator: Holic, Knownsec 404 Security Lab Translator's note: as the...
D-Link DI 7200 Series Router Command Execution Vulnerability
No description provided by source...
KesionCMS ASP Edition /item/?c-5,key-1.html SQL Injection Vulnerability
0x01 Vulnerability Overview The ASP edition of KesionCMS has a pseudo-static (rewritten URL) injection vulnerability at /item/?c-5,key-1.html. 0x02 Vulnerability Details An obvious injection point, but it seems the quote needs to be closed; a request was first submitted to demonstrate the injection: http://.../item/?c-5,key-1%27.html Microsoft JET Database Engine 错误 '80040e14' 语法错误 在查询表达式 'Verific=1 and deltf=0 And Title Like '%1'%' Order by ID Desc' 中。 /item/Index.asp,行 618 0x03 Fix Filter the input...
Zhengfang Educational Administration System ResultXml_common.aspx column Parameter SQL Injection Vulnerability
No description provided by source...
Weaver E-Office /inc/priv_user_list/priv_xml.php SQL Injection Vulnerability
0x01 Framework Overview Weaver e-office is an OA product from Weaver aimed at small and medium-sized organizations: simple, easy to use and efficient, quick to deploy and low in cost, with a free trial available. To date it has provided a convenient and efficient office experience to more than ten thousand customers. Official homepage: www.weaver.com.cn Homepage screenshot below. 0x02 Vulnerability Information First decrypt the system. /inc/privuserlist/privxml.php starting at roughly line 18 $pararr = explodestpar $REQUEST'par' ; $userpriv = $pararr'userpriv'; ... if $pararr'viewtype' == 0 unset $deptnameutf8...
SunshineCRM v1 /general/ERP/LOGIN/logincheck.php SQL Injection Vulnerability
(0day) SunShineCRM v1, open-source software developed by Zhengzhou Dandian Technology Software Co., Ltd., has a SQL injection vulnerability. The analysis process is as follows: 1. Source code analysis: The POST form on the SunShineCRM login page index.php has its action pointed at the logincheck.php page. Logincheck.php is responsible for validating the submitted username and password; although it contains code that checks for special characters, it neither filters nor escapes them. 2. PoC process: First check whether the injection exists, then use SQLMAP to probe the target database information; the default database is mysql and the CRM system database is crmmarket sqlmap-u...
SQL Injection in the Back End of a Campus Management System (No Login Required / SA Privileges)
Brief description: ... Details: Baidu dork: inurl:/ws2004/ Technical support: Nanjing Suyaxing Information Technology Development Co., Ltd. ---------------------------------------- Vulnerable page: ws2004/SysManage/LeaveWord/List.asp?AbPage=1&where=%20where%20Title%20like%20111 Vulnerable parameter: where All run with sa privileges ---------------------------------------- Proof of vulnerability: 1 http://www.suyaxing.com:81/ws2004/...
Arbitrary File Read and Oracle Injection in a Large Government System
Brief description: Arbitrary file read and Oracle injection in a large government system Details: Someone has already submitted this system; see: WooYun: Oracle injection in a widely deployed large government service system File read (obtains database username, password, etc.): /download?url=../../WEB-INF/classes/wssp/util/dbconfig.properties http://hxasc.cn/download?url=../../WEB-INF/classes/wssp/util/dbconfig.properties...
Kingdee GSiS Government Service Platform Generic Arbitrary File Upload Vulnerability
Brief description: Quoting a previous description: GSiS Government Service Platform: the first integrated platform developed entirely according to national policy requirements, supporting the combined operation of the government service system and the administrative power supervision system. It has an arbitrary file upload vulnerability through which a webshell can be obtained. PS: what would two $$ signs feel like, give me a nice one Details: Program name: Kingdee GSIS Developer: Kingdee Vulnerability type: arbitrary file upload Vulnerable file: /corehttps://images.seebug.org/upload/upload.jsp Keyword: inurl:/kdgs/ A few cases collected for convenient testing //check the upload format String fileDesc; String fileExt; String...
EmpireCMS (All Versions) CAPTCHA Can Be Ignored! Renders the CAPTCHA Ineffective (CAPTCHA Recognition Is Rubbish by Comparison)
Brief description: EmpireCMS CAPTCHA can be ignored! Renders the CAPTCHA ineffective (CAPTCHA recognition is rubbish by comparison) Details: Look at the code EmpireCMS uses to generate the CAPTCHA //display the captcha function ShowKey$v $vname=ecmsReturnKeyVarname$v; $key=strtolowerdomakepassword4; ecmsSetShowKey$vname,$key; .................. ecmsReturnKeyVarname returns the name of the cookie that stores the CAPTCHA. For example, the CAPTCHA URL on the registration page opened in this example is...
Fanwe Group Buying 4.3 /app/source/goods_list.php SQL Injection Vulnerability
No description provided by source. !/usr/bin/env python coding: utf-8 from pocsuite.net import req from pocsuite.poc import POCBase, Output from pocsuite.utils import register class TestPOCPOCBase: vulID = 'SSV-87131' vul ID version = '1' author = 'fenghh' vulDate = '2014-07-11' createDate =...
Yonyou CRM Injection Vulnerability (No Login Required, Affects All Versions)
Brief description: Yonyou CRM injection vulnerability, no login required, affects all versions Details: Vulnerable URL: http://220.178.27.116:8001/webservice/service.php?class=WSSystem&orgcode=1 Inject using sqlmap. sqlmap.py -u "http://220.178.27.116:8001/webservice/service.php?class=WSSystem&orgcode=1" --current-user --current-db --is-dba sqlmap identified the following injectio...
MS14-017 Microsoft Word RTF Object Confusion
No description provided by source. This module requires Metasploit: http//metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class Metasploit3 Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::FILEFORMAT def initializeinfo =...
Zavio IP Cameras Firmware 1.6.03 - Multiple Vulnerabilities
No description provided by source. Core Security - Corelabs Advisory http://corelabs.coresecurity.com Zavio IP Cameras multiple vulnerabilities 1. Advisory Information Title: Zavio IP Cameras multiple vulnerabilities Advisory ID: CORE-2013-0302 Advisory URL:...
SmartWin CyberOffice Shopping Cart 2.0 Client Information Disclosure Vulnerability
No description provided by source. source: http://www.securityfocus.com/bid/1734/info Smartwin Technology CyberOffice Shopping Cart is a shopping cart application for e-commerce enabled websites running Windows NT 4.0 or 2000. It is possible for a remote user to gain read access to the private...
ProductCart 1.x/2.x advSearch_h.asp Multiple Parameter SQL Injection
No description provided by source. source: http://www.securityfocus.com/bid/9669/info EarlyImpact ProductCart is reportedly prone to multiple vulnerabilities. The specific issues include SQL injection, cross-site scripting and cryptographic weaknesses. These issues could expose sensitive data suc...
Sharetronix 3.3 - Multiple Vulnerabilities
No description provided by source. Advisory ID: HTB23214 Product: Sharetronix Vendor: Blogtronix, LLC Vulnerable Versions: 3.3 and probably prior Tested Version: 3.3 Advisory Publication: May 7, 2014 without technical details Vendor Notification: May 7, 2014 Vendor Patch: May 27, 2014 Public...
SpamAssassin spamd Remote Command Execution
No description provided by source. $Id: spamassassinexec.rb 9179 2010-04-30 08:40:19Z jduck $ This file is part of the Metasploit Framework and may be subject to redistribution and commercial restrictions. Please see the Metasploit Framework web site for more information on licensing and terms of...
Sun Java Web Server 1.1 Beta Viewable .jhtml Source Vulnerability
No description provided by source. source: http://www.securityfocus.com/bid/1891/info A vulnerability exists in Sun Microsystems' JavaWebServer for Win32, version 1.1Beta. JavaWebServer is a Java-oriented web application development platform. If a URL is submitted requesting a .jhtml file an HTML...
PHP-Fusion 7.02.05 - Multiple Vulnerabilities
No description provided by source. waraxe-2013-SA097 - Multiple Vulnerabilities in PHP-Fusion 7.02.05 =============================================================================== Author: Janek Vind waraxe Date: 27. February 2013 Location: Estonia, Tartu Web: http://www.waraxe.us/advisory-97.ht...
Lotus Domino <= R6 Webmail Remote Password Hash Dumper Exploit
No description provided by source. !/bin/bash $Id: raptordominohash,v 1.3 2007/02/13 17:27:28 raptor Exp $ raptordominohash - Lotus Domino R5/R6 HTTPPassword dump Copyright c 2007 Marco Ivaldi [email protected] Lotus Domino R5 and R6 WebMail, with Generate HTML for all fields enabled, stores...
Srun3000 Billing System Unrestricted Arbitrary Command Execution (Multiple Locations) getshell
Brief description: Srun3000 billing system unrestricted arbitrary command execution getshell Details: File: /enus/radonline.php srun3/web/online.php lines 4-76 srun3/web/radonline.php lines 4-76 if$POST"action"=="dm" $cmd = "/srun3/bin/raddrop -sdm ".$POST"sid"; if$fp=popen$cmd, "r" $con = fread$fp, 128; pclose$fp; $con = strreplace "\n", " ", $con; echo $con; exit;...
Unzipper Directory Traversal Vulnerability
Bugtraq ID:66250 CVE ID:CVE-2014-1975 Unzipper is a PHP-based online decompression application. Unzipper has a directory traversal vulnerability in its handling of file names, allowing a remote attacker to create arbitrary files or overwrite existing files. 0 Unzipper 1.0.1 Users can contact the vendor for the latest patch or upgrade: https://play.google.com/store/apps/details?id=org.rhorita777.unzipper...
GE Intelligent Platforms Proficy HMI/SCADA - CIMPLICITY CimWebServer.exe Directory Traversal Vulnerability
CVE(CAN) ID: CVE-2014-0751 GE Proficy CIMPLICITY is a client/server business visualization and control solution. In GE Intelligent Platforms Proficy HMI/SCADA - CIMPLICITY versions before 8.2 SIM 24, CimWebServer.exe (the WebView component) and Proficy Process Systems contain a directory traversal vulnerability; a remote attacker can exploit it to execute arbitrary code by sending a specially crafted message to TCP port 10212. 0 ge-ip Proficy CIMPLICITY 8.2 SIM 24 Vendor patch: ge-ip...
SiteServer 3.6.4 background_thread.aspx SQL Injection Vulnerability
In SiteServer 3.6.4, the Title parameter of /siteserver/bbs/backgroundthread.aspx is not properly filtered, leading to a SQL injection vulnerability. 0 SiteServer 3.6.4 Upgrade to the latest official version: http://www.siteserver.cn...
o2micro minica_down.php Arbitrary File Download Vulnerability
The VPN appliances from Legendsec (网御神州), Topsec (天融信), O2Micro (美国凹凸) and others appear to be developed from the same technology base; their "/minicadown.php" file can be used to download any other file. Legendsec, Topsec, O2Micro and other VPN appliances...
phpwind 9 /src/service/tag/dao/PwTagDao.php SQL Injection Vulnerability
phpwind is a popular Chinese content management system. In version 9, the $tagName variable at line 116 of /src/service/tag/dao/PwTagDao.php is obtained via $GET, and lines 117-119 concatenate it into a SQL statement that is then used in a database query. Before the query, line 24 of /wind/db/mysql/WindMysqlPdoAdapter.php sets the character set to gbk, which gives rise to a wide-byte (multibyte) injection vulnerability. phpwind 9...
Zhengfang Educational Administration System: Grades Submitted by Teachers but Not Yet Approved by the Academic Affairs Office Can Be Queried Directly
Brief description: Grades submitted by teachers but not yet approved by the academic affairs office can be queried directly. No login is required, and the grades of every student in the school can be queried. Details: Suppose the school's educational administration system address is 1.85.16.39: first obtain the course code of a subject from the page source under Personal Information - Send Message, then substitute the obtained code into the address below to download http://1.85.16.39/toexcelPrintDialog.aspx?kc=此处填写课程代码&tab=jxrwblsb&psb=30&qzb=0&qmb=70&syb=0&cjxn=2012-2013&cjxq=1&kclx=必修课 Proof of vulnerability:...
ShopEx v4.8.5 Cookie Data Remote SQL Injection Vulnerability
ShopEx is a very popular online store platform in China. ShopEx v4.8.5 has an input validation vulnerability when processing data from certain cookies; a remote attacker could exploit it to perform SQL injection attacks and thereby take control of the application. 0 shopex 4.8.5 Vendor patch: shopex ------ The vendor has not yet released a patch or upgrade; we recommend that users of this software monitor the vendor's homepage for the latest version: http://www.shopex.cn...
WordPress 3.3.1 Code Execution / Cross Site Scripting
No description provided by source. Trustwave's SpiderLabs Security Advisory TWSL2012-002: Multiple Vulnerabilities in WordPress https://www.trustwave.com/spiderlabs/advisories/TWSL2012-002.txt Published: 1/24/12 Version: 1.0 Vendor: WordPress http://wordpress.org/ Product: WordPress Version...
Adobe Flash Player authplay.dll Library PDF File Parsing Remote Code Execution Vulnerability
BUGTRAQ ID: 44504 CVE ID: CVE-2010-3654 Flash Player is a very popular Flash player. The authplay.dll library in Flash Player contains a memory corruption vulnerability when parsing malformed PDF files; the vulnerability is triggered when a user is tricked into opening a PDF file with malicious embedded Flash content, leading to arbitrary code execution. Adobe Acrobat 9.4 Adobe Flash Player 10.1.95.2 Adobe Flash Player 10.1.85.3 Adobe Reader 9.4 Temporary workaround: disable Flash in the browser and do not display PDF documents. In Adobe...