Pomelo Admin Console Web arbitrary file write vulnerability
SonicDICOM PACS 2.3.2 Remote Vertical Privilege Escalation Exploit
Summary SonicDICOM is PACS software that combines the capabilities of a DICOM Server with a web-browser-based DICOM Viewer. Description The application suffers from a privilege escalation vulnerability. A normal user can elevate his/her privileges by sending an HTTP PATCH request setting the parameter...
Polycom HDX Series RCE
When doing external assessments you spend a decent amount of time footprinting your target and finding possible avenues of attack. Given a large corporate, you are pretty likely to hit video conferencing end-points. This post details a vulnerability in one of these video conferencing systems, the...
Tinysvcmdns Multi-label DNS Heap Overflow Vulnerability(CVE-2017-12087)
Summary An exploitable heap overflow vulnerability exists in the tinysvcmdns library version 2016-07-18. A specially crafted packet can make the library overwrite an arbitrary amount of data on the heap with attacker-controlled values. An attacker needs to send a DNS packet to trigger this...
Apple Image I/O EXR Compression Remote Code Execution Vulnerability(CVE-2016-4630)
SUMMARY An exploitable heap based buffer overflow exists in the handling of EXR images on OS X. A crafted EXR document can lead to a heap based buffer overflow resulting in remote code execution. Vulnerability can be triggered via a saved EXR file delivered by other means when opened in any...
Windows KEPT remote code execution vulnerability analysis(CVE-2017-11779)
According to the Microsoft security advisory, DNSAPI.dll in multiple versions of Windows can lead to RCE with SYSTEM privileges when processing a DNS response. Taking DNS Client API DLL 10.0.15063.0 and 10.0.15063.674 as an example, a patch diff shows that the vulnerability lies in the Nsec3RecordRead function of DNSAPI.dll, so the problem can be pinned down to the parsing of the NSEC3 resource record in the DNS response. To construct a PoC, one first needs to understand the background of "NSEC3". First, the DNS protocol data structure is shown in the figure below; for example, when accessing...
HDF5 Group libhdf5 H5T_COMPOUND Code Execution Vulnerability(CVE-2016-4333)
Description HDF5 is a file format that is maintained by a non-profit organization, The HDF Group. HDF5 is designed to be used for storage and organization of large amounts of scientific data and is used to exchange data structures between applications in industries such as the GIS industry via...
Poppler PDF library JPEG 2000 levels Code Execution Vulnerability(CVE-2017-2820)
Summary An exploitable integer overflow vulnerability exists in the JPEG 2000 image parsing functionality of freedesktop.org Poppler 0.53.0. A specially crafted PDF file can lead to an integer overflow causing out of bounds memory overwrite on the heap resulting in potential arbitrary code...
Microsoft Internet Explorer Remote Code Execution Vulnerability(CVE-2017-8618)
There is a type confusion issue related to how some arithmetic operations are performed in VBScript. To illustrate, see the following simplified code of VbsVarMod static unsigned char resultlookuptable1818 = ... void VbsVarModVAR v1, VAR v2 VAR arithv1 = v1-PvarGetArithVal; VAR arithv2 =...
WebKit: UXSS via CachedFrameBase::restore
This is similar to the case https://bugs.chromium.org/p/project-zero/issues/detail?id=1151. But this time, javascript handlers may be fired in FrameLoader::open. void FrameLoader::open(CachedFrameBase& cachedFrame) ... clear(document, true, true, cachedFrame.isMainFrame()); Click anywhere... function...
macOS HelpViewer XSS leads to arbitrary file execution and arbitrary file read(CVE-2017-2361)
HelpViewer is an application that uses WebView to show a help file. You can see it simply with the command: open /Applications/Safari.app/Contents/Resources/Safari.help or by using the "help:" scheme: help:openbook=com.apple.safari.help...
Jenkins remote code execution vulnerability (CVE-2017-2608)
No description provided by source...
Paviansystems product_detail.php parameters product_id SQL injection vulnerability
No description provided by source...
XYCMS Advertising Design Center website system v3.0 view_detail.asp id parameter SQL injection vulnerability
0x01 Vulnerability summary The XYCMS Advertising Design Center website system uses an ASP + Access architecture. It does not strictly filter the id parameter in /viewdetail.asp, which leads to a SQL injection vulnerability. A remote attacker can exploit this vulnerability to execute SQL statements. 0x02 Vulnerability details By default the system has an administrator table adminuser, which contains the administrator name field admin and the MD5-hashed password field password; a remote attacker can combine this with a UNION query to obtain sensitive information, log in to the backend and upload a shell. 0x03 Fix Filtering....
易企CMS install/install.php code execution
Looking at the code, \install\install.php installs the CMS and then renames install.php to install.php.bak. Because of an Apache parsing issue, the renamed file is still parsed as PHP, so a shell can be obtained by brute force. The database connection file is written to \include\config.inc.php; since double quotes are used, a shell can be written directly, without restriction....
phpok v4.3.18 index.php information disclosure vulnerability
No description provided by source...
PycURL remote code execution vulnerability
Brief description: When uploading a file with pycurl, if the file content is of unicode type, a use-after-free vulnerability occurs. Details: File: pycurl\src\easy.c. If the FORM_BUFFERPTR content passed to setopt is Unicode, for example curl.setopt(pycurl.HTTPPOST, [('field2', (pycurl.FORM_BUFFER, 'uploaded.file', pycurl.FORM_BUFFERPTR, u'test'))]), then the following flow is entered: line 1571 of the code first converts the unicode to str; ostr and olen are the str's string pointer and length respectively...
FCKeditor JSP version connector module file upload vulnerability
No description provided by source...
Dahan website cluster access statistics system /vc/vc/style/opr_copycode.jsp SQL injection
No description provided by source...
Windows privilege escalation vulnerability CVE-2015-6132
No description provided by source...
A Zoomla system vulnerability leads to server control (Zoomla company mailbox and official old forum administrator account logged in)
Brief description: A series of problems caused by an upload vulnerability; WooYun has a description of this vulnerability. Details: Via http://www.njzxw.cn/Plugins/swfFileUpload/UploadHandler.ashx an upload form can be crafted to submit an aspx webshell to the server; for the principle see: WooYun: Zoomla CMS 2.4 arbitrary file upload at one location (no login required). On inspection, the application runs with fairly high privileges and can control the dozens of large and small websites hosted on this server. Among them is bbs.zoomla.cn, the official old forum, which is also on this server, and the company mailbox account and password are configured: the password logs in to the official account "web" on mail.hx008.com and mail.zoomla.cn, the official mail of Zoomla and Huaxia Internet respectively...
iGENUS mail system V5.0 arbitrary file read vulnerability
In login.php, after a language environment is selected, the language file is read and loaded into the page. When the backend receives the request it does not filter the Lang parameter and reads the file directly, resulting in an arbitrary file read vulnerability. http://221.130.182.230/igenus/login.php?Lang=../../../../../../../../../../etc/passwd%00.jpg...
Yonyou UFIDA U8 system: three SQL injection vulnerabilities
Brief description: Two SQL injection vulnerabilities in a Yonyou system. Details: Someone previously submitted vulnerabilities in this system: WooYun: Yonyou UFIDA U8 system, two SQL injections without login, DBA privileges, 83 cases. After searching for a long time I finally found cases, and so the vulnerabilities followed... Three vulnerabilities in total. 0x01 SQL injection one /Server/CmxUserGroup.php?pgid=GroupDelUserOK UserID=1&OrgID=1 POST /Server/CmxUserGroup.php?pgid=GroupDelUserOK HTTP/1.1 Referer: http://218.27.137.242:8080/ Cookie:...
Yonyou internal forum data backup information leak: data on more than ten thousand employees and internal communications leaked
Brief description: I saw a system under maintenance with the notice "The system is being upgraded... normal access will resume on October 27, 2011, we apologize for the inconvenience!" So I scanned the directories, and sure enough there was a data backup, involving data on more than ten thousand internal personnel, a large number of Yonyou mailboxes and some internal communications. Can this make the front page again? Details: IP involved: http://219.141.185.30/wk.htm Backup download address: http://219.141.185.30/webroot.rar Decompressed it; there is quite a lot of data, and the two items below are the more interesting ones. A search shows more than 1500 Yonyou mailboxes in total; the total number of accounts is more than seventeen thousand. The one below is more interesting...
Microsoft XP SP3 - BthPan.sys Arbitrary Write Privilege Escalation
No description provided by source. """ Title: Microsoft XP SP3 BthPan.sys Arbitrary Write Privilege Escalation Advisory ID: KL-001-2014-002 Publication Date: 2014-07-18 Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2014-002.txt 1. Vulnerability Details Affected Vendor:...
SOOP Portal Raven 1.0b SQL Injection Vulnerability
No description provided by source. Exploit Title: SOOP Portal Raven 1.0b sql injection Google Dork: Powered by SOOP Portal Raven 1.0b Date: date Author: Evil-Thinker Version: Raven 1.0b Tested on: Windows Soft Technologie : ASP.net Exploit Details :...
Oracle Document Capture 10.1.3.5 Insecure Method / Buffer Overflow
No description provided by source. Source: http://packetstormsecurity.org/files/view/97871/DSECRG-11-006.txt ActiveX components contain insecure methods. Digital Security Research Group DSecRG Advisory DSECRG-11-006 internal DSECRG-09-066 Application: Oracle Document Capture Versions Affected:...
Roundcube Webmail 0.8.0 - Stored XSS
No description provided by source. #!/usr/bin/python ''' Exploit Title: Roundcube Webmail Stored XSS. Date: 14/08/2012 Exploit Author: Shai rod @NightRang3r Vendor Homepage: http://roundcube.net Software Link:...
Final Draft 8 Multiple Stack Buffer Overflows
No description provided by source. Name : Final Draft 8 Multiple Stack Buffer Overflows Vendor Website : http://www.finaldraft.com/index.php Date Released : 29/11/2011 Affected Software : Final Draft 8.02 Researcher : Nick Freeman [email protected] Description...
Dotproject 2.0 /includes/db_connect.php baseDir Remote File Inclusion
No description provided by source. source: http://www.securityfocus.com/bid/16648/info Dotproject is prone to multiple remote file-include vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input. An attacker can exploit these issues to includ...
Namad (IMenAfzar) 2.0.0.0 - Remote File Disclosure Vulnerability
No description provided by source. Securitylab.ir Application Info: Name: Namad Version: 2.0.0.0 Website: http://imenafzar.com Discovered By: Securitylab.ir Website: http://securitylab.ir Contacts: adminatsecuritylab.ir & info@securitylabdotir Vulnerability Info: Type: Remote File Download...
shop7z injection vulnerability 2
Brief description: shop7z injection vulnerability 2. Details: News.asp. Proof of vulnerability: test 192.168.236.131/news.asp?lid=1' http://www.shop7z.com/Demo/news.asp?lid=1%27...
AWStats (6.0-6.2) configdir Remote Command Execution Exploit (c code)
No description provided by source. /* AwStats exploit by Thunder, [email protected] This exploit makes use of the remote command execution bug discovered in AwStats ver 6.2 and below. The bug resides in the awstats.pl perl script. The script does not sanitise correctly the user input for the...
Kayako eSupport <= 2.3.1 (subd) Remote File Inclusion Vulnerability
No description provided by source. Script: Kayako eSupport <= 2.3.1 Vendor: Kayako www.kayako.com Discovered: beford xbefordx gmail com Comments: It seems like the vendor silently fixed the issue in the current version more like since v2.3.5 without warning users of previous versions, noobs...
Cisco Wireless Lan Controller 7.2.110.0 - Multiple Vulnerabilities
No description provided by source. Cisco WLC CSRF, DoS, and Persistent XSS Vulnerabilities Exploit Title: u M@d? - Cisco WLC CSRF, DoS, and Persistent XSS Vulnerabilities Date: Discovered and reported November 2012 Author: Jacob Holcomb/Gimppy042 - Security Analyst @ Independent Security Evaluato...
phpwcms <= 1.1-RC4 (spaw) Remote File Include Vulnerability
No description provided by source. PhpwCMS 1.2.6 <= Multiple Remote file inclusion vulnerabilities Discovered by : |/| . .. | || ||| | | Vuln In : include($spaw_root.'class/lang.class.php'); Affected Files : include/incext/spaw/dialogs/table.php include/incext/spaw/dialogs/a.php...
siemens tecnomatix factorylink 8.0.1.1473 - Multiple Vulnerabilities
No description provided by source. Sources: http://aluigi.org/adv/factorylink1-adv.txt http://aluigi.org/adv/factorylink2-adv.txt http://aluigi.org/adv/factorylink3-adv.txt http://aluigi.org/adv/factorylink4-adv.txt http://aluigi.org/adv/factorylink5-adv.txt...
OpenSSL SSLv2 - Null Pointer Dereference Client Denial of Service Vulnerability
No description provided by source. source: http://www.securityfocus.com/bid/20246/info OpenSSL is prone to a denial-of-service vulnerability. A malicious server could cause a vulnerable client application to crash, effectively denying service. #!/usr/bin/perl Copyright (c) Beyond Security Written by...
DFD Cart 1.1 - Multiple Remote File Inclusion Vulnerabilities
No description provided by source. DFD Cart 1.1 Multiple Remote File Inclusion Vulnerabilities Vulnerability Type: Remote File Inclusion Vulnerable file: /dfdcart/app.lib/product.control/core.php/product.control.config.php Exploit URL:...
OpenConf <= 4.11 (author/edit.php) Remote Blind SQL Injection Exploit
No description provided by source. <?php /* --------------------------------------------------------------------- OpenConf <= 4.11 author/edit.php Remote Blind SQL Injection Exploit --------------------------------------------------------------------- author...............: Egidio Romano aka EgiX...
XMB Forum 1.6 Magic Lantern Cross Site Scripting Vulnerabilities
No description provided by source. source: http://www.securityfocus.com/bid/4721/info XMB Forum 1.6 Magic Lantern is a web-based discussion forum. It is vulnerable to a number of cross-site scripting issues because of improper filtering of user input. 1. The first involves 'member.php'; submittin...
phpBB <= 2.0.20 (Admin/Restore DB/default_lang) Remote Exploit
No description provided by source. #!/usr/bin/php -q -d short_open_tag=on <?php echo "PhpBB <= v2.0.20 [Admin/Restore Database/default_lang] remote commands execution\r\n"; echo "by rgod [email protected]\r\n"; echo "site: http://retrogod.altervista.org\r\n"; echo "- you need an admin sid, works regardless of...
Apache Struts ParametersInterceptor Remote Code Execution
No description provided by source. This file is part of the Metasploit Framework and may be subject to redistribution and commercial restrictions. Please see the Metasploit web site for more information on licensing and terms of use. http://metasploit.com/ require 'msf/core' class Metasploit3...
Adobe Reader - util.printf() JavaScript Function Stack Overflow Exploit (2)
No description provided by source. Adobe Reader Javascript Printf Buffer Overflow Exploit =========================================================== Reference: http://www.coresecurity.com/content/adobe-reader-buffer-overflow CVE-2008-2992 Thanks to coresecurity for the technical background...
Parallels H-Sphere 3.0/3.1 'login.php' Multiple Cross Site Scripting Vulnerabilities
No description provided by source. source: http://www.securityfocus.com/bid/31256/info H-Sphere is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. An attacker may leverage these issues to execute arbitrary script code in the...
Mambo/Joomla Com_comprofiler 1.0 Plugin.class.PHP Remote File Include Vulnerability
No description provided by source. source: http://www.securityfocus.com/bid/19725/info The Mambo and Joomla com_comprofiler component is prone to a remote file-include vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit this issue to include arbitrary...
Piwik 0.4.5 /core/cookie.php command execution vulnerability
No description provided by source...
SeedDMS '/op/op.AddFile2.php' arbitrary file upload vulnerability
Bugtraq ID: 66255 CVE ID: CVE-2014-2278 SeedDMS is a powerful and easy-to-use document management system. The upload function in SeedDMS /op/op.AddFile2.php has insufficient access control, which allows an attacker to control the location of the uploaded file and to upload files of arbitrary type, executing arbitrary code in the server context. SeedDMS 4.3.3. SeedDMS 4.3.4 has fixed this vulnerability; users are advised to download the update: https://sourceforge.net/projects/seeddms/files/seeddms-4.3.4/...
getID3() XML external entity vulnerability
CVE ID: CVE-2014-2053 getID3 is a PHP class that extracts file information from media files such as MP3; it can both extract and modify a file's tag information. An error when parsing XML entities can be exploited, for example, to disclose the contents of certain local files, or to consume excessive server resources, e.g. via a specially crafted WAV file that uses an iXML chunk. getID3 1.x. The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's homepage: https://github.com/JamesHeinrich/getID3/commit/dc8549079a24bb0619b6124ef2df767704f8d0bc...
FreeType 'src/cff/cf2ft.c' remote denial of service vulnerability
BUGTRAQ ID: 66292 CVE ID: CVE-2014-2241 FreeType is a popular font library. The cf2_initLocalRegionBuffer and cf2_initGlobalRegionBuffer functions in FreeType 'src/cff/cf2ft.c' contain an assertion failure error, which allows an attacker to build a malicious font and trick an application into parsing it, crashing the application. FreeType 2.5.3. Vendor patch: FreeType ----- Users can refer to the vendor's git repository for the patch that fixes this vulnerability:...