56796 matches found
OS X 10.10 Bluetooth BluetoothHCIChangeLocalName - Crash
No description provided by source. include include include include include include struct BluetoothCall uint64t args7; uint64t sizes7; uint64t index; ; int mainvoid / Finding vuln service / ioservicet service = IOServiceGetMatchingServicekIOMasterPortDefault,...
ThinkPHP Ubb标签 读取任意内容
详细说明: Common/extend.phpCore/Extend/Function/extend.php 成因:ThinkPHP的Ubb标签,有一个代码高亮的功能,即满足: codexxx/code或者phpxxx/php的时候,会对中间的xxx读取,并高亮,xxx是路径,而非具体的代码,如下图1,输入路径后,当文件存在,返回的是高亮后的文件内容 当path=code/etc/passwd/code,成功读取对应内容,也就是说,当某网站用ThinkPHP开发,并提供评论功能(支持UBB)标签的时候,发帖并输入code/etc/passwd/code,即可读取任意内容...
ISPConfig <= 3.0.5.4p7 monitor/show_sys_state.php SQL注入漏洞
因为不完整地过滤导致了SQL注入, 通过HTTP GET方式传递的server参数给了 /monitor/showsysstate.php页面攻击者可以传入任意恶意SQL命令并在数据库中执行该漏洞的成功的利用可以让攻击者获得数据库的读写权限甚至危机整个web应用但是该漏洞此时仍然是一个鸡肋漏洞, 因为攻击者要进行此攻击必须是认证通过的用户而且还需要有monitor权限然而, 结合CSRF Cross-Site Request Forgery in ISPConfig:...
WukongCRM 0.5.1 /App/Lib/Action/WeixinAction.class.php XXE漏洞
No description provided by source...
OS X 10.10 Bluetooth TransferACLPacketToHW - Crash
No description provided by source. include include include include include include struct BluetoothCall uint64t args7; uint64t sizes7; uint64t index; ; int mainvoid / Finding vuln service / ioservicet service = IOServiceGetMatchingServicekIOMasterPortDefault,...
微软 IE11 MSHTML.dll 远程拒绝服务漏洞
IE11发现的一个BUG,对HTML协议中的某些元素的处理存在代码完整性缺失。造成浏览器崩溃。 function boom var divA = document.createElement"div"; document.body.appendChilddivA; try //divA.contentEditable = "true"; divA.outerHTML = "AAAA"; var context = divA'msGetInputContext'; catch exception...
Ecmall 2.3.0 /app/my_goods.app.php SQL注射漏洞
简要描述: 不修复那我就一个一个的提出来 详细说明: 缺陷文件:/app/mygoods.app.phpcode 区域function brandlist if !empty$GET'brandname' || !empty$GET'store' $GET'brandname' && $filtered = " AND brandname LIKE '%$GET'brandname'%'"; $GET'store' && $filtered = $filtered . " AND storeid = " . $this-storeid; if isset$GET'sort' &&...
OS X 10.10 Bluetooth DispatchHCIWriteStoredLinkKey - Crash
No description provided by source. include include include include include include define SIZE 0x1000 struct BluetoothCall uint64t args7; uint64t sizes7; uint64t index; ; ifndef bswap64 define bswap64num \ uint64tnum 8 & UINT64C0x00000000FF000000 \ | uint64tnum 24 & UINT64C0x0000000000FF0000 \ |...
OS X < 10.10.x - Gatekeeper bypass Vulnerability
CVE : CVE-2014-8826Gatekeeper is a feature available in OS X Lion v10.7.5 and laterversions of OS X. Gatekeeper performs checks on files and applications downloaded from theInternet to prevent execution of supposedly malicious anduntrusted/unsigned code. Gatekeeper provides three different...
Sysphonic <= 2.3.0 Thetis SQL 注入漏洞
No description provided by source...
FineCMS高级版前台getshell(demo成功)
简要描述: demo也shell了哦 详细说明: 看到\member\api\uc.php define'DISCUZROOT', dirnamedirnamedirnameFILE.'/member/ucenter/'; include DISCUZROOT.'api/uc.php'; 就是包含了uc的那个插件。但是这个功能只有高级版才有,免费版没有 然后uckey都是默认的 8808cer8o1UJsEpt2G2Jn0uhEn/YgEva589Mfo0 然后就可以直接getshell了 附上脚本 ! /usr/bin/env python coding=utf-8 import...
Apache HTTP Server mod_rewrite Vulnerability
受影响系统:Apache Group Apache 2.2.x = 2.2.0Apache Group Apache 2.0.x = 2.0.46Apache Group Apache 1.3.x = 1.3.28不受影响系统:Apache Group Apache 2.2.3Apache Group Apache 2.0.59Apache Group Apache...
Mpxplay Multimedia Commander 2.00a - .m3u Stack-Based Buffer Overflow
使用如下python代码生成一个可以触发漏洞的m3u文件,调试环境为win7,由于存在ASLR,所以每次需要将改变的地址高4位加偏移计算真正地址。此漏洞依然是由于没有对长度进行检查的逻辑错误导致的本地溢出,可以构造畸形文件诱使目标点击后执行任意代码。 junk = "A"66666 file = open"CRASH.m3u",'w' file.writejunk file.close 生成后打开mmc,触发这个漏洞,程序中断 0:009 t 20ec.26d0: Access violation - code c0000005 first chance First chance...
Joomla GoogleSearch (CSE) 3.0.2 XSS Vulnerabilities
No description provided by source...
WordPress Plugin Slider Revolution 3.0.95 任意文件上传漏洞
下面是对版本号为3.0.3的分析和测试结果。任意文件上传漏洞源于该插件自带的 “插件更新”” 功能,在启用该插件的同时会将一系列的action操作都注册到WordPress的ajax请求里。并且插件在接受更新请求后并没有判断用户权限,导致恶意者可利用该点进行攻击。所涉及文件:/revslideradmin.php //add common scripts there //self::addActionself::ACTIONADMININIT, "onAdminInit"; //ajax response to save slider options...
用友网校系统 planid处 sql注入
WebPage/kclist.aspx的planid参数过滤不严只需对payload进行base编码即可绕过http://px2.timber2005.com/WebPage/kclist.aspx?planid=Y29udmVydChpbnQsKEBAdmVyc2lvbikp&examName=%E5%88%9D%E7%BA%A7%E4%BC%9A%E8%AE%A1%E5%B8%88...
Magento <= 1.9.2 (catalogProductCreate) Autoloaded File Inclusion Vulnerability
Software Link:http://magento.com/- Affected Versions:Version 1.9.2 and prior versions.- Vulnerability Description:The vulnerability is caused by the "catalogProductCreate" SOAP API implementation,which is defined into the /app/code/core/Mage/Catalog/Model/Product/Api/V2.php script:109. public...
华速网游交易平台SQL注入
SQL注入一:漏洞文件:/help.asp这里id参数过滤不严存在sql注入的,但是conn.asp中包含了:!--include file="conn.asp"-- !--include file="inc/config.asp"-- % if trimrequest"id" "" then set rs=conn.execute"select from help where id ="trimrequest"id"" order by paixu asc" if not rs.eof then title=rs"helptitle" content=rs"helpcontent" e...
SiS Windows VGA Display Manager 6.14.10.3930 Multiple Privilege Escalation
KL-001-2015-003 : SiS Windows VGA Display Manager Multiple Privilege Escalation Title: SiS Windows VGA Display Manager Multiple Privilege Escalation Advisory ID: KL-001-2015-003 Publication Date: 2015.09.01 Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2015-003.txt 1...
WordPress White-Label Framework 2.0.6 - XSS Vulnerability
安装好whitelable主题之后漏洞文件位置是: /whitelable-framework/inc/snippets/form-sharebymailiframe.php Line 48 50: $recipient = $POST'recipemail'; if stripos$recipient, ',' $recipient = substr$recipient, 0, stripos$recipient, ','; 可以看到这里POST方式接收到的recipemail只是去掉了逗号之后的内容然后就直接存入变量$recipient Line 86: Your Message h...
用友致远A6协同系统 Session泄漏漏洞
该漏洞泄露了当前登录用户(所有登录的)的SessionID;利用泄露的SessionID即可登录该用户,包括管理员,进入后getshell毫无压力/yyoa/ext/https/getSessionList.jsp部分代码%@ page contentType="text/html;charset=GBK"% %@ page session= "false" % %@ page import="net.btdz.oa.ext.https."% % String reqType = request.getParameter"cmd"; String outXML = ""; boolean...
WordPress Car Rental System SQL Injection Vulnerability
Exploit Title : Car Rental System Native WordPress Plugin SQL Injection vulnerability version3.1 Author : Manish Kishan Tanwar AKA error1046 Vendor Link : http://codecanyon.net/item/car-rental-system-native-wordpress-plugin/11758680 Affected Version: below version 3.1 Date : 12/07/2015 Love to :...
Yahoo Bug Bounty #32 - Cross Site Request Forgery bulkImport Web Vulnerability
A client-side cross site scripting web vulnerability has been discovered in the official Yahoo online service web-application. The vulnerability allows remote attacker to manipulate client-side web-application to browser request to compromise session data. The vulnerability is located in the...
OpenSSH 6.6 以下 SFTP 远程溢出漏洞
Linux用户经常会采用OpenSSH上的SFTP来进行上传和下载的操作。 OpenSSH服务器中如果OpenSSH服务器中没有配置"ChrootDirectory",普通用户就可以访问所有文件系统的资源,包括 /proc,在=2.6.x的Linux内核上,/proc/self/maps会显示你的内存布局,/proc/self/mem可以让你任意在当前进程上下文中读写,而综合两者特性则可以造成远程溢出。 define GNUSOURCE // THIS PROGRAM IS NOT DESIGNED TO BE SAFE AGAINST VICTIM MACHINES THAT // T...
PageAdmin v3.0 /e/database/v3.mdb 数据库泄漏
PageAdmin CMS V3.0版,默认数据库地址“/e/database/v3.mdb“,默认后台地址:“/e/master/login.aspx”,由于数据库地址未做限制,导致可以下载。通过逆向管理员MD5加密算法获得md5密文,并通过md5密文可以破解管理员密码。发现非常规MD5加密,于是使用ILSPY逆向源代码,查看加密方式public string GetMd5string s MD5 mD = new MD5CryptoServiceProvider; Encoding encoding = Encoding.GetEncoding"UTF-8"; string s2 =...
蝉知企业门户系统 v2.5 SQL 注入
问题出在 用户修改资料的地方/system/module/user/control.phppublic function edit$account = '' if!$account or RUNMODE == 'front' $account = $this-app-user-account; if$this-app-user-account == 'guest' $this-locateinlink'login'; if!empty$POST $this-user-update$account;...
Discuz! admincp.php CSRF引起XSS
首先是一个CSRF:url:/admincp.php?action=members&operation=newsletter&username=%2A&uid=0&srchemail=®datebefore=®dateafter=&postshigher=&postslower=®ip=&lastip=&lastvisitafter=&lastvisitbefore=&lastpostafter=&lastpostbefore=&birthyear=&birthmonth=&birthday=&lowercredits=&lowerextcredits1=&lowere...
用友致远A6协同系统createMysql.jsp信息泄露
该漏洞泄露了数据库用户的账号,密码hash.code 区域/yyoa/createMysql.jsp /yyoa/ext/createMysql.jsp该文件的代码为:%@ page language="java" % %@ page session="true" % %@ page isThreadSafe="true" % %@ page import="java.sql.,net.btdz.oa.common." % % CommonSql.exeUpdate"DELETE FROM mysql.user WHERE User = 'cubetech' ";...
Discuz! X3.1 逻辑错误漏洞
Discuz! X3.1 在完成任务时(home.php?mod=draw&do=view&id=xx),任务先前的状态缺少判断完成任务的链接形如:home.php?mod=draw&do=view&id=xx这个地址最终在 source\class\classtask.php 中被处理约第370行:function draw$id global $G; if!$this-task = C::t'commontask'-fetchbyuid$G'uid', $id showmessage'tasknonexistence'; elseif$this-task'status' != 0...
Magento Bug Bounty #19 - Persistent Filename Vulnerability
Document Title: =============== Magento Bug Bounty 19 - Persistent Filename Vulnerability References Source: ==================== http://www.vulnerability-lab.com/getcontent.php?id=1570 ID: APPSEC-1059 Release Date: ============= 2015-09-11 Vulnerability Laboratory ID VL-ID:...
phpcms投票功能前台代码执行
No description provided by source...
PHP 5.6 / 5.5 / 5.4 Session Deserialized Use-After-Free
Use After Free Vulnerabilities in Session DeserializerTaoguang Chen @chtg - Write Date: 2015.8.9- Release Date: 2015.9.4 Multiple use-after-free vulnerabilities were discovered in session deserializer php/phpbinary/phpserialize that can be abused for leaking arbitrary memory blocks or execute...
Apabi数字资源平台系统存在某处POST注入漏洞
简要描述: 详细说明: http://.../bugs/wooyun-2010-0118453 http://.../bugs/wooyun-2010-0118667 漏洞证明: 注入:dlib/homepage/softdownload/softlist.asp?action=list&lang=gb ...:81/dlib/homepage/softdownload/softlist.asp?action=list&lang=gb .../dlib/homepage/softdownload/softlist.asp?action=list&lang=gb...
WordPress Plugin Slider Revolution <= 4.1.4 任意文件下载漏洞
所涉及文件:/incphp/framework/baseadmin.class.php //if not inside plugin don't continue if$this-isInsidePlugin == true self::addActionself::ACTIONADDSCRIPTS, "addCommonScripts"; self::addActionself::ACTIONADDSCRIPTS, "onAddScripts"; //a must event for any admin. call onActivate function...
Netgear FVS318 Router Multiple Vulnerabilities
Multiple Vulnerabilities in Netgear FVS318 Router ------------------------------------------------------------------------ SUMMARY The Netgear FVS318 is "an easy to use, firewall/router designed for home users and small businesses". SecuriNews Research has found 2 vulnerabilities in the router, o...
FineCms 免费版任意文件上传漏洞
路径:dayrui/libraries/Chart/ofcuploadimage.php $defaultpath = '../tmp-upload-images/'; if !fileexists$defaultpath mkdir$defaultpath, 0777, true; $destination = $defaultpath . basename $GET 'name' ; echo 'Saving your image to: '. $destination; $jfh = fopen$destination, 'w' or die"can't open file";...
Microsoft Exchange Server 中的漏洞可能允许信息泄漏 (MS15-103)
漏洞描述:Microsoft Exchange Server 是个消息与协作系统。Exchange server可以被用来构架应用于企业、学校的邮件系统或免费邮件系统。它还是一个协作平台。你可以在此基础上开发工作流,知识管理系统,Web系统或者是其他消息系统。 Microsoft Exchange Server 中存在多个漏洞。 Outlook Web Access OWA 未正确处理 Web 请求和清理用户输入和电子邮件内容,最严重的漏洞可能允许信息泄漏。漏洞影响:microsoft:exchangeserver:2013:cumulativeupdate8...
PCMan FTP Server 2.0.7 - GET Command Buffer Overflow
No description provided by source. !/usr/bin/python Exploit Title: PCMan's FTP Server v2.0 - GET command buffer overflow remote shell Date: 28 Aug 2015 Exploit Author: Koby Vendor Homepage: http://pcman.openfoundry.org/ Software Link:...
WordPress media-file-manager-advanced Plugin Multiple Vulnerabilites
No description provided by source. Post Delete http://domain.tld/wp-admin/admin-ajax.php?action=mfmarelocatordelete post: id=17 MKDIR http://domain.tld/wp-admin/admin-ajax.php?action=mfmarelocatormkdir newdir=EVEXFOLDER folder exists: http://domain.tld/wp-contents/uploads/EVEXFOLDER RMDIR Dir Mus...
NETGEAR N600 WIRELESS DUAL BAND WNDR3400 - Multiple Vulnerabilities
Title: Multiple vulnerabilities in NETGEAR N600 WIRELESS DUAL BAND WNDR3400 ==================================================================================== Notification Date: 4/14/2014 Affected Vendor: NETGEAR N600 WIRELESS DUAL BAND WNDR3400 Firmware Version: Firmware Version 1.0.0.38 AND...
万户OA某页面通用性SQL注入(影响N个政府网和医疗机构)
简要描述: 万户OA某页面通用性SQL注入(影响N个政府网和医疗机构) 详细说明: defaultroot/Logon.do 该页面存在越权访问,由于appinstanceid参数过滤不严,导致了SQL注入的产生 问题参数:appinstanceid EXP:defaultroot/Logon.do 利用方法:访问该页面,输入任意内容,抓包获取,SQLMAP跑之 涉及案例: ...:7001/defaultroot/aep/login.jsp http://.../defaultroot/aep/login.jsp http://...:7001/defaultroot/Logon.do...
DIR-514 A1 Backdoor y path equivalence
DIR-514 A1 tiene el telnetd listening en el puerto 2300 y los credenciales son "root:amittima". Supongo que los developers no querian soldar los pads microscopicos de la UART... Con un poquito de google encontre que otros dispositivos con chipsets Ralink tienen el mismo passwd... Por otra parte e...
Netgear RP614v4 config disclosure
Device: Netgear RP614v4 Firmware version: v1.1.209.01 Firmware release date: November 2009 HTTP service: Boa HTTPd 0.93.15 Exploit release date: Wednesday March 24, 2010 Default router credentials: username: admin password: password Scope: Local/Remote Vulnerability: The Netgear RP614v4 is...
Joomla com_memorix组件SQL注入漏洞
Description Normal user can inject sql query in the url which lead to read data from the database. 2. Proof of Concept http://www.example.com/index.php?option=commemorix&task=result&searchplugin=theme&Itemid=60&ThemeID=-8594 SQLI Injected column is 3...
Android Stagefright Media Playback Engine 远程代码执行漏洞
No description provided by source. !/usr/bin/env python Joshua J. Drake @jduck of ZIMPERIUM zLabs Shout outs to our friends at Optiv formerly Accuvant Labs C Joshua J. Drake, ZIMPERIUM Inc, Mobile Threat Protection, 2015 www.zimperium.com Exploit for RCE Vulnerability CVE-2015-1538 1 Integer...
ASUS RT-N16 - Text-plain Admin Password Disclosure
Description ----------- Several ASUS routers include reflected Cross-Site Scripting CWE-79 and authentication bypass CWE-592 vulnerabilities. An attacker who can lure a victim to browse to a web site containing a specially crafted JavaScript payload can execute arbitrary commands on the router as...
ZyXEL ZyWALL USG client side authorization config disclosure
Details ======= Product: ZyXEL USG Unified Security Gateway appliances ZyWALL USG-20 ZyWALL USG-20W ZyWALL USG-50 ZyWALL USG-100 ZyWALL USG-200 ZyWALL USG-300 ZyWALL USG-1000 ZyWALL USG-1050 ZyWALL USG-2000 Possibly other ZLD-based products Affected Versions: Firmware Releases before April 25, 20...
Mac OS X < 10.7.5, 10.8.2, 10.9.5 10.10.2 - rootpipe 本地提权漏洞
漏洞名称:Apple OS X Admin Framework 安全漏洞紧急程度:高危漏洞类型: 本地提权详细信息:Apple OS X是美国苹果(Apple)公司为Mac计算机所开发的一套专用操作系统。Apple OS X 10.10.2及之前版本的Admin Framework中的XPC实现过程中存在安全漏洞。本地攻击者可利用该漏洞绕过身份验证,获取管理员权限。 PoC exploit code for rootpipe CVE-2015-1130 Created by Emil Kvarnhammar, TrueSec Tested on OS X 10.7.5, 10.8.2,...
D-Link DAP-1160 Authentication Bypass
The IS-2010-005 advisory describes a vulnerability in the D-Link DAP-1160, that allows for authentication bypass and complete device reconfiguration. Authentication can be bypassed by accessing the URL: http://IPADDR/toolsfirmw.htm within 40 seconds of the web server start, and consequently after...
Arris Password of The Day Generator (list.txt)
Arris TM502G、TM602G 路由器进入高级模式时需要密码,这个密码会根据系统日期来自动生成,每天都有不同的密码。 具体算法已经在PoC中给出。 1.直接访问 Arris 路由器会显示路由器的一些信息,不需要任何认证。 2.但是当点击高级菜单的时候,会提示输入密码。 3.如果密码输入错误 4.如果密码输入的是在码表中的正确密码,但是时间不正确,会提示需要相应时间的密码: 5.当提交正确的密码后进入到高级设置: ---- PoC 默认使用调用者当前系统时间,如果时间与路由器时间不符合,会自动处理 如果调用者要手动指定时间,可以使用 --extra-params...