56796 matches found
Linux Kernel ZLib无效内存访问本地拒绝服务漏洞
BUGTRAQ ID: 14719 CVECAN ID: CAN-2005-2458 Linux Kernel是开放源码操作系统Linux所使用的内核。 Linux Kernel的zlib例程的inflate.c中存在漏洞。如果用户打开了特制的压缩文件的话,就可能导致kernel崩溃。 Linux kernel 2.6.12.5 Linux ----- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: Linux linux-2.6.12.5.tar.gz...
Oracle DBMS绕过登录访问控制漏洞
BUGTRAQ ID: 16287 CVECAN ID: CVE-2006-0256 Oracle Database是一款大型商业数据库系统。 Oracle Database的登录过程实现存在漏洞,远程攻击者可能在登录过程中对服务器进行SQL注入攻击。...
RealVNC 4.1.0 - 4.1.1 (VNC Null Authentication) Auth Bypass Patch/EXE
No description provided by source. xx vnc-411-unixsrc.bl4ck/common/rfb/CConnection.cxx --- vnc-411-unixsrc/common/rfb/CConnection.cxx 2005-03-11 09:08:41.000000000 -0600 +++ vnc-411-unixsrc.bl4ck/common/rfb/CConnection.cxx 2006-05-15 14:03:30.000000000 -0500 @@ -183,7 +183,12 @@ // Inform the...
Invision Power Board <= 1.3.1 Login.PHP SQL Injection (working)
No description provided by source. ?php / = 1.3.1 Final /str0ke / $server = "SERVER"; $port = 80; $file = "PATH"; $target = 81; / User id and password used to fake-logon are not important. '10' is a random number. / $id = 10; $pass = ""; $hex = "0123456789abcdef"; for$i = 1; $i = 32; $i++ $idx = ...
AOL Instant Messenger AIM ""Away"" Message Remote Exploit
No description provided by source. / CAN-2004-0636 / / AIM Away Message Buffer Overflow Exploit Exploit by John Bissell A.K.A. HighT1mes Exploit: ======== drizzit.c Vulnerable Software: ==================== - AIM 5.5.3588 - AIM 5.5.3590 Beta - AIM 5.5.3591 - AIM 5.5.3595 and a couple others...
Insteon Hub HTTPExecuteGet Firmware Update Information Leak Vulnerability(CVE-2017-14443)
Summary An exploitable information leak vulnerability exists in Insteon Hub running firmware version 1012. The HTTP server implementation incorrectly checks the number of GET parameters supplied, leading to an arbitrarily controlled information leak on the whole device memory. An attacker can sen...
phpmyadmin4.8.1后台getshell
官网下载的最新版,文件名是phpMyAdmin-4.8.1-all-languages.zip 问题就出现在了 /index.php 找到5563行 第61行出现了 include $REQUEST'target'; 很明显这是LFI的前兆,我们只要绕过5559的限制就行 第57行限制 target 参数不能以index开头 第58行限制 target 参数不能出现在 $targetblacklist 内 找到 $targetblacklist 的定义: 就在 /index.php 的第50行 只要 target 参数不是 import.php 或 export.php...
Windows Kernel 64-bit pool memory disclosure via REG_RESOURCE_LIST registry values (videoprt.sys descriptors)(CVE-2018-0899)
We have discovered a Windows kernel memory disclosure vulnerability through the body of "AllocConfig" registry values of type REGRESOURCELIST corresponding to devices handled by videoprt.sys, which can be found under HKLM\SYSTEM\CurrentControlSet\Enum\\Control\AllocConfig. The vulnerability...
Chromium: Information disclosure via "memory_instrumentation::mojom::Coordinator" interface in "resource_coordinator" service(CVE-2018-6080)
VULNERABILITY DETAILS The "memoryinstrumentation::mojom::Coordinator" mojo interface is exposed by the "resourcecoordinator" service, running under the browser process. The interface requires the "app" capability https://cs.chromium.org/chromium/src/services/resourcecoordinator/manifest.json?l=8,...
Windows Kernel double fetches in win32kfull!xxxImeWindowPosChanged and win32kfull!InternalRebuildHwndListForIMEClass( CVE-2018-0809)
We have noticed the following code in the win32kfull!xxxImeWindowPosChanged function on Windows 10 version 1709 32-bit listing from the IDA Pro disassembler: .text:000485A4 ; try // except at locF3502 .text:000485A4 mov ebp+msexc.registration.TryLevel, 0 .text:000485AB mov eax, ecx .text:000485AD...
zzcms 8.2 任意用户密码修改
zzcms 8.2 任意用户密码修改 漏洞描述 zzcms是一款企业建站程序。 zzcms 8.2版本/one/getpassword.php文件存在漏洞,攻击者可利用该漏洞修改任意用户密码。 漏洞分析 /one/getpassword.php文件第 73行,触发漏洞的关键代码。 elseif$action=="step3" && @$SESSION'username'!='' $passwordtrue = isset$POST'password'?$POST'password':""; $password=md5trim$passwordtrue; query"update...
Microsoft Edge: Chakra: Deferred parsing makes wrong scopes #2(CVE-2018-0775)
Since the PoC is only triggerable when the "DeferParse" flag enabled and requires a with statement, I think this is simillar to issue 1310 . PoC: // Enable the flag using '\n'.repeat0x1000 evalfunction f with function printf; ; ; + '\n'.repeat0x1000; PoC 2: // ./ch poc.js -ForceDeferParse functio...
ZKTeco ZKTime.Net 3.0.1.6 Insecure File Permissions
Summary ZKTime.Net V3.0 is a new generation time attendance management software. Meanwhile, it integrates with time attendance and access control system. Some frequently used functions such as attendance reports, device management and employee management can be managed directly on the home page...
ZKTeco ZKAccess Professional 3.5.3 Insecure File Permissions
Summary ZKAccess 3.5 is a desktop software which is suitable for small and medium businesses application. Compatible with all ZKAccess standalone reader controllers, the software can simultaneously manage access control and generate attendance report. The brand new flat GUI design and humanized...
Cesanta Mongoose MQTT SUBSCRIBE Multiple Topics Remote Code Execution(CVE-2017-2894)
Summary An exploitable stack buffer overflow vulnerability exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. A specially crafted MQTT SUBSCRIBE packet can cause a stack buffer overflow resulting in remote code execution. An attacker needs to send a specially crafted MQTT...
Simple DirectMedia Layer Create RGB Surface Code Execution Vulnerability(CVE-2017-2888)
Summary An exploitable integer overflow vulnerability exists when creating a new RGB Surface in SDL 2.0.5. A specially crafted file can cause an integer overflow resulting in too little memory being allocated which can lead to a buffer overflow and potential code execution. An attacker can provid...
7zip UDF CInArchive::ReadFileItem Code Execution Vulnerability(CVE-2016-2335)
Summary An out of bound read vulnerability exists in the CInArchive::ReadFileItem method functionality of 7zip for handling UDF files that can lead to denial of service or code execution. Tested Versions 7-Zip 32 15.05 beta 7-Zip 64 9.20 Product URLs http://www.7-zip.org/ Details...
Network Time Protocol ntpd Reference Clock Impersonation Vulnerability(CVE-2016-1551)
SUMMARY ntpd relies on the underlying operating system to protect it from requests that impersonate reference clocks. Because reference clocks are treated like other peers and stored in the same structure, any packet with a source ip address of a reference clock 127.127.1.1 for example that reach...
Aerospike Database Server Client Message Memory Disclosure Vulnerability(CVE-2016-9050)
Summary An exploitable out-of-bounds read vulnerability exists in the client message-parsing functionality of Aerospike Database Server 3.10.0.3. A specially crafted packet can cause an out-of-bounds read resulting in disclosure of memory within the process, the same vulnerability can also be use...
Aerospike Database Server Set Name Code Execution Vulnerability(CVE-2016-9054)
Summary An exploitable stack-based buffer overflow vulnerability exists in the querying functionality of Aerospike Database Server 3.10.0.3. A specially crafted packet can cause a stack-based buffer overflow in the function assindexsimatchlistbysetbinid resulting in remote code execution. An...
Foscam IP Video Camera CGIProxy.fcgi SMTP Test Command Injection Vulnerability(CVE-2017-2845)
Summary An exploitable command injection vulnerability exists in the web management interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.37. A specially crafted HTTP request can allow for a user to inject arbitrary shell characters during the SMTP configuration tes...
Gdk-Pixbuf TIFF tiff_image_parse Code Execution Vulnerability(CVE-2017-2870)
Summary An exploitable integer overflow vulnerability exists in the tiffimageparse functionality of Gdk-Pixbuf 2.36.6 when compiled with Clang. A specially crafted tiff file can cause a heap-overflow resulting in remote code execution. An attacker can send a file or a URL to trigger this...
ThinkPHP5. 0. 10-3. 2. 3 cache function design flaws can lead to Getshell
0x00 framework operating environment ThinkPHP is a free open source, fast, simple object-oriented lightweight PHP development framework, in order to agile WEB application development and simplify enterprise application development and birth. ThinkPHP from inception has been adhering to the simple...
WebKit: heap-buffer-overflow in WebCore::RenderSearchField::addSearchResult(CVE-2017-7049)
There is a heap buffer overflow in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly. PoC: ================================================================= function go i.value = "1"; i.type = "search"; f.submit;...
Microsoft Windows Uniscribe Information Disclosure Vulnerability(CVE-2017-0284)
We have encountered a crash in the Windows Uniscribe user-mode library, in the USP10!ttoGetTableData function, while trying to display text using a corrupted TTF font file: --- 210.274: Access violation - code c0000005 first chance First chance exceptions are reported before any exception handlin...
Windows Kernel stack memory disclosure in win32kfull!SfnINLPUAHDRAWMENUITEM (CVE-2017-0167)
We have discovered that it is possible to disclose portions of uninitialized kernel stack memory to user-mode applications in Windows 10 indirectly through the win32k! NtUserPaintMenuBar system call, or more specifically, through the user32! fnINLPUAHDRAWMENUITEM user-mode callback 107 on Windows...
Windows Kernel win32k.sys multiple bugs in the NtGdiGetDIBitsInternal system call (CVE-2017-0058)
We have discovered two bugs in the implementation of the win32k!NtGdiGetDIBitsInternal system call, which is a part of the graphic subsystem in all modern versions of Windows. The issues can potentially lead to kernel pool memory disclosure bug 1 or denial of service bug 1 and 2. Under certain...
2017 Visual Studio Code Workspace settings code execution
The following issue constitutes an arbitrary code execution vulnerability in Visual Studio Code herein referred to as "Code". Users should upgrade to Code 1.9.0 or later. says: Visual Studio Code is a source code editor developed by Microsoft for Windows, Linux and macOS. It includes support for...
Android Arbitrary class loading and instantiation in protobuf parcelable "javanano" compiler
The protobuf library includes the "javanano" compiler, commonly used in many Android applications due to its tiny resource footprint. The "javanano" compiler supports a variety of Android-specific compilation flags which can be used to modify the generated message classes. One such compilation fl...
ZTE ZXECS EBG2800 enterprise business gateway system sys_backuprestore.be.php arbitrary file upload vulnerability
No description provided by source...
海康威视 /serverLog/showFile.php 参数fileName 文件读取漏洞
No description provided by source...
JDCMS v1.5 typeid.php 参数typeid SQL注入漏洞
0x01漏洞描述 Jdcms(简单CMS) v1.5在页面typeid.php对参数typeid过滤不严格,导致出现SQL注入漏洞,远程攻击者可以结合回显报错等方式,执行SQL指令。 0x02漏洞分析 问题出现在jdcms的typeid.php中,无视gpc和全局转义: fetcharraymysqlquery$sql="select from ".$db-tablepre."newstype where newstypeid=".$typeid;//typeid参数存在注入,数字型; ? 可见,没有对输入的参数typeid进行有效过滤,导致出现SQL注入漏洞。 0x03漏洞利用...
惠普打印机设备 HP Color LaserJet 系列未授权访问漏洞
No description provided by source...
shopnc /shop/index.php?act=member&op=address&inajax=1 sql注入漏洞(需要登录)
No description provided by source...
极限OA系统 /logincheck.php SQL注入漏洞
No description provided by source...
福建四创灾害预警系统 /Disaster/ReportCount.aspx 文件 tabnm 参数SQL注入漏洞
0x01 框架介绍 四创软件――中国防灾减灾信息与应用服务提供商,是国内企业信息防灾第一人。 影响厂商:福建四创软件有限公司 官方主页:http://www.strongsoft.net 谷歌搜索: intitle:预警 系统 技术支持:福建四创 0x02 漏洞利用 注入链接:/Disaster/ReportCount.aspx?tabnm=1 注入参数:tabnm 【获取数据库版本】 /Disaster/ReportCount.aspx?tabnm=1%27%2bselect+1+where+1=convertint,@@version%2b%27 【管理员账号密码】...
用友致远A6协同系统 /yyoa/ext/trafaxserver/ExtnoManage/setextno.jsp 文件 user_ids 参数SQL注入漏洞
No description provided by source...
B&B ELECTRONICS XR5i v2E/XR5i v2/XR5i/XR5i SL 弱口令
参考链接: http://www.cd.lucom.de/vpn-industrie-router/dokumentation/handbuch/xr5iv2e-guide.pdf...
科信邮件系统 (KXmail)/prog/get_composer_att.php 任意文件下载漏洞
No description provided by source...
Zblog 2.0 /zb_install/index.php 本地文件包含漏洞
问题出现在zbinstall/index.php中 $zbloglang=&$zbp-option'ZCBLOGLANGUAGEPACK'; //首先定义zbloglang ifisset$POST'zbloglang'$zbloglang=$POST'zbloglang';//如果设置了post的 就用post传递来的做这变量了。 因为zblog防止sql注入都是通过在查询函数的时候 不采用拼接 所以他们也没对post转义 这样是注入少了 但是也造成了这里的漏洞。 $zbp-LoadLanguage'system','',$zbloglang;//跟跟跟...
WordPress <= 4.3.0 跨站脚本漏洞
WordPress 在编辑文章内容时允许使用简码(shorcodes)来表示资源(图片,链接等)。WordPress 中开启了白名单机制去过滤 HTML 标签,只有在白名单规则里的标签,才允许被使用,并且会使用专用脚本 "KSES" 去检测和过滤这些 HTML 标签。这里需要说明的是,WordPress 对 HTML 标签的检测和过滤发生在将内容插入数据库时,而简码的解析渲染发生在将内容输出到页面时,下面简单用例子说明一下两个处理过程的差别,编辑文章插入内容为:TEST!!!caption width="1" caption='a href="'...
XR网关平台SQL注入
在IP/msa/main.xp ,username处存在SQL注入(post) !/usr/bin/env python coding=utf-8 import requests def login: url = target + '/msa/main.xp' data = 'Fun':'msaAdminLogon', 'username': "admin' or'1'='1", 'password': '123456' req = requests.posturl = url, data = data print req.text def download: url = target ...
齐博分类信息系统最新版前台存储型XSS一枚
简要描述: 原本想搞个校园二手交易平台,下载了这个分类系统,测试时发现了这个存储型 估计是设计者忘了过滤这个参数吧- - ,不应该出现 详细说明: 下载了最新的齐博分类系统,搭建环境xampp+win764 安装完后,齐博分类信息默认游客可以免费发两条信息,其他权限用户组发布信息权限可以后台设置。存储型xss就发现在发布信息的时候。 因为我后台设置游客不能发,所以以admin权限发布一下信息看看。。。具体信息填写如下图: 漏洞证明: 限制字符长度为30个字符,我没有短域名,,,,,只能alert一下啦=。= 来看看代码 发布信息提交后电话那一栏信息提交为 postdbtelephone ...
53KF一处通用注入通杀旗下大部分域名
简要描述: RT 详细说明: 案例如下: http://www3.53kf.com/zdydbgg2.php?styleid=103458019&companyid=62748324&dbggtype=2 http://www22.53kf.com/zdydbgg2.php?styleid=103766842&companyid=70818335&dbggtype=2 http://www17.53kf.com/zdydbgg2.php?styleid=106052692&companyid=72028138&dbggtype=2...
万户OA未修补漏洞致多个政府&集团OA中招
简要描述: 该漏洞在7月份已经有人在wooyun报了,可修补效果几乎为0。 详细说明: 瘦蛟舞 提交的漏洞地址: WooYun: 万户OA任意文件上传导致代码执行(多处总结) 漏洞还是瘦蛟舞(http://www.wooyun.org/whitehats/%E7%98%A6%E8%9B%9F%E8%88%9E)提交的漏洞。 于是用google搜索:inurl:7001/defaultroot 有324条记录。 随便测其中一个上传: 被改名的文件名直接返回到页面: 然后访问:...
Dexter (CasinoLoader) Panel - SQL Injection
No description provided by source. Exploit Title: Dexter CasinoLoader Panel SQLi Date: Feb, 13, 2014 Exploit Author: Brian Wallace @botnethunter Version: CasinoLoader Tested on: Windows 7, Ubuntu, Debian import pycurl import urllib import cStringIO import base64 import argparse import sys import...
MS HyperV Persistent DoS Vulnerability
No description provided by source. Core Security Technologies - Corelabs Advisory http://corelabs.coresecurity.com/ MS HyperV Persistent DoS Vulnerability 1. Advisory Information Title: MS HyperV Persistent DoS Vulnerability Advisory ID: CORE-2011-0203 Advisory URL:...
MS IIS 4.0/5.0 and PWS Extended Unicode Directory Traversal Vulnerability (4)
No description provided by source. source: http://www.securityfocus.com/bid/1806/info Microsoft IIS 4.0 and 5.0 are both vulnerable to double dot ../ directory traversal exploitation if extended UNICODE character representations are used in substitution for / and . Unauthenticated users may acces...
Microsoft Windows XP/2000/NT 4 ntdll.dll Buffer Overflow Vulnerability (1)
No description provided by source. source: http://www.securityfocus.com/bid/7116/info The Windows library ntdll.dll includes a function that does not perform sufficient bounds checking. The vulnerability is present in the function RtlDosPathNameToNtPathNameU and may be exploited through other...
Coppermine Photo Gallery <= 1.4.20 (IMG) Privilege Escalation Exploit
No description provided by source. !/usr/bin/perl inphex - inphex0 at gmail dot com based on http://milw0rm.com/exploits/8114 - found by StAkeR In case this does not work check out posLine 80 and find another value for it use IO::Socket; use LWP::UserAgent; use LWP::Simple; use HTTP::Cookies; $1 ...