OS X < 10.10.x - Gatekeeper bypass Vulnerability
CVE : CVE-2014-8826. Gatekeeper is a feature available in OS X Lion v10.7.5 and later versions of OS X. Gatekeeper performs checks on files and applications downloaded from the Internet to prevent execution of supposedly malicious and untrusted/unsigned code. Gatekeeper provides three different...
Apache HTTP Server mod_rewrite Vulnerability
Affected systems: Apache Group Apache 2.2.x = 2.2.0; Apache Group Apache 2.0.x = 2.0.46; Apache Group Apache 1.3.x = 1.3.28. Unaffected systems: Apache Group Apache 2.2.3; Apache Group Apache 2.0.59; Apache Group Apache...
Sysphonic <= 2.3.0 Thetis SQL Injection Vulnerability
No description provided by source...
WukongCRM 0.5.1 /App/Lib/Action/WeixinAction.class.php XXE Vulnerability
No description provided by source...
Ecmall 2.3.0 /app/my_goods.app.php SQL Injection Vulnerability
Brief description: If it isn't fixed, I'll submit them one by one. Details: Defective file: /app/mygoods.app.php. Code region: function brandlist if !empty$GET'brandname' || !empty$GET'store' $GET'brandname' && $filtered = " AND brandname LIKE '%$GET'brandname'%'"; $GET'store' && $filtered = $filtered . " AND storeid = " . $this-storeid; if isset$GET'sort' &&...
FineCMS Advanced Edition Front-End getshell (succeeded on demo)
Brief description: The demo got shelled too. Details: Looking at \member\api\uc.php: define'DISCUZROOT', dirnamedirnamedirnameFILE.'/member/ucenter/'; include DISCUZROOT.'api/uc.php'; it includes the uc plugin. But this feature exists only in the advanced edition, not the free one. And the uckey is the default, 8808cer8o1UJsEpt2G2Jn0uhEn/YgEva589Mfo0, so you can getshell directly. Script attached: ! /usr/bin/env python coding=utf-8 import...
Microsoft IE11 MSHTML.dll Remote Denial of Service Vulnerability
A bug found in IE11: the handling of certain elements of the HTML protocol lacks code integrity, causing the browser to crash. function boom var divA = document.createElement"div"; document.body.appendChilddivA; try //divA.contentEditable = "true"; divA.outerHTML = "AAAA"; var context = divA'msGetInputContext'; catch exception...
OS X 10.10 Bluetooth BluetoothHCIChangeLocalName - Crash
No description provided by source. include include include include include include struct BluetoothCall uint64t args7; uint64t sizes7; uint64t index; ; int mainvoid / Finding vuln service / ioservicet service = IOServiceGetMatchingServicekIOMasterPortDefault,...
OS X 10.10 Bluetooth TransferACLPacketToHW - Crash
No description provided by source. include include include include include include struct BluetoothCall uint64t args7; uint64t sizes7; uint64t index; ; int mainvoid / Finding vuln service / ioservicet service = IOServiceGetMatchingServicekIOMasterPortDefault,...
OS X 10.10 Bluetooth DispatchHCIWriteStoredLinkKey - Crash
No description provided by source. include include include include include include define SIZE 0x1000 struct BluetoothCall uint64t args7; uint64t sizes7; uint64t index; ; ifndef bswap64 define bswap64num \ uint64tnum 8 & UINT64C0x00000000FF000000 \ | uint64tnum 24 & UINT64C0x0000000000FF0000 \ |...
ThinkPHP Ubb Tag Arbitrary Content Read
Details: Common/extend.php, Core/Extend/Function/extend.php. Cause: ThinkPHP's Ubb tag has a code-highlighting feature; when the input matches codexxx/code or phpxxx/php, the xxx in between is read and highlighted, and xxx is a path rather than actual code, as in figure 1 below. After a path is entered, if the file exists, the highlighted file content is returned. With path=code/etc/passwd/code, the corresponding content is read successfully. In other words, when a site built on ThinkPHP offers a comment feature that supports UBB tags, posting code/etc/passwd/code reads arbitrary content...
OS X 10.10 Bluetooth DispatchHCICreateConnection
No description provided by source. include include include include include include define SIZE 0x1000 struct BluetoothCall uint64t args7; uint64t sizes7; uint64t index; ; int mainvoid / Finding vuln service / ioservicet service = IOServiceGetMatchingServicekIOMasterPortDefault,...
Yonyou Seeyon A6 Collaboration System Session Leak Vulnerability
This vulnerability leaks the SessionIDs of currently logged-in users (all of them); with a leaked SessionID one can log in as that user, including the administrator, and once inside getting a shell is trivial. Partial code of /yyoa/ext/https/getSessionList.jsp: %@ page contentType="text/html;charset=GBK"% %@ page session= "false" % %@ page import="net.btdz.oa.ext.https."% % String reqType = request.getParameter"cmd"; String outXML = ""; boolean...
Joomla GoogleSearch (CSE) 3.0.2 XSS Vulnerabilities
No description provided by source...
Discuz! X3.1 Logic Error Vulnerability
When Discuz! X3.1 completes a task (home.php?mod=draw&do=view&id=xx), the task's previous status is not checked. The task-completion link has the form home.php?mod=draw&do=view&id=xx; this address is ultimately handled in source\class\classtask.php at about line 370: function draw$id global $G; if!$this-task = C::t'commontask'-fetchbyuid$G'uid', $id showmessage'tasknonexistence'; elseif$this-task'status' != 0...
Mpxplay Multimedia Commander 2.00a - .m3u Stack-Based Buffer Overflow
Use the following Python code to generate an m3u file that triggers the vulnerability. The debugging environment is Win7; because ASLR is present, the real address must be computed each time by adding the offset to the changed upper 4 digits of the address. This vulnerability is again a local overflow caused by a logic error of not checking the length; a malformed file can be crafted to lure the target into opening it and executing arbitrary code. junk = "A"66666 file = open"CRASH.m3u",'w' file.writejunk file.close After generating it, open mmc, trigger the vulnerability, and the program breaks: 0:009 t 20ec.26d0: Access violation - code c0000005 first chance First chance...
SiS Windows VGA Display Manager 6.14.10.3930 Multiple Privilege Escalation
KL-001-2015-003 : SiS Windows VGA Display Manager Multiple Privilege Escalation Title: SiS Windows VGA Display Manager Multiple Privilege Escalation Advisory ID: KL-001-2015-003 Publication Date: 2015.09.01 Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2015-003.txt 1...
Discuz! admincp.php CSRF Leading to XSS
First, a CSRF: url: /admincp.php?action=members&operation=newsletter&username=%2A&uid=0&srchemail=&regdatebefore=&regdateafter=&postshigher=&postslower=&regip=&lastip=&lastvisitafter=&lastvisitbefore=&lastpostafter=&lastpostbefore=&birthyear=&birthmonth=&birthday=&lowercredits=&lowerextcredits1=&lowere...
WordPress Plugin Slider Revolution 3.0.95 Arbitrary File Upload Vulnerability
Below are the analysis and test results for version 3.0.3. The arbitrary file upload vulnerability stems from the plugin's built-in "plugin update" feature: when the plugin is enabled, a series of actions are registered into WordPress ajax requests, and the plugin does not check user permissions after accepting an update request, so a malicious party can exploit this point. File involved: /revslideradmin.php //add common scripts there //self::addActionself::ACTIONADMININIT, "onAdminInit"; //ajax response to save slider options...
PageAdmin v3.0 /e/database/v3.mdb Database Leak
In PageAdmin CMS V3.0 the default database path is "/e/database/v3.mdb" and the default admin login is "/e/master/login.aspx". Because access to the database path is not restricted, it can be downloaded. By reverse-engineering the administrator MD5 algorithm one obtains the md5 ciphertext, from which the administrator password can be cracked. A non-standard MD5 scheme was found, so ILSPY was used to decompile the source and inspect the encryption method: public string GetMd5string s MD5 mD = new MD5CryptoServiceProvider; Encoding encoding = Encoding.GetEncoding"UTF-8"; string s2 =...
Yonyou Online School System SQL Injection in planid
The planid parameter of WebPage/kclist.aspx is not properly filtered; simply base-encoding the payload bypasses it: http://px2.timber2005.com/WebPage/kclist.aspx?planid=Y29udmVydChpbnQsKEBAdmVyc2lvbikp&examName=%E5%88%9D%E7%BA%A7%E4%BC%9A%E8%AE%A1%E5%B8%88...
Huasu Online Game Trading Platform SQL Injection
SQL injection 1: Vulnerable file: /help.asp. The id parameter here is not properly filtered, so SQL injection exists, but conn.asp includes: !--include file="conn.asp"-- !--include file="inc/config.asp"-- % if trimrequest"id" "" then set rs=conn.execute"select from help where id ="trimrequest"id"" order by paixu asc" if not rs.eof then title=rs"helptitle" content=rs"helpcontent" e...
Magento Bug Bounty #19 - Persistent Filename Vulnerability
Document Title: =============== Magento Bug Bounty 19 - Persistent Filename Vulnerability References Source: ==================== http://www.vulnerability-lab.com/getcontent.php?id=1570 ID: APPSEC-1059 Release Date: ============= 2015-09-11 Vulnerability Laboratory ID VL-ID:...
Yahoo Bug Bounty #32 - Cross Site Request Forgery bulkImport Web Vulnerability
A client-side cross site scripting web vulnerability has been discovered in the official Yahoo online service web-application. The vulnerability allows a remote attacker to manipulate client-side web-application-to-browser requests to compromise session data. The vulnerability is located in the...
WordPress White-Label Framework 2.0.6 - XSS Vulnerability
After installing the whitelable theme, the vulnerable file is: /whitelable-framework/inc/snippets/form-sharebymailiframe.php Line 48 50: $recipient = $POST'recipemail'; if stripos$recipient, ',' $recipient = substr$recipient, 0, stripos$recipient, ','; As can be seen, the recipemail received via POST only has the content after the comma stripped and is then stored directly in the variable $recipient. Line 86: Your Message h...
Yonyou Seeyon A6 Collaboration System createMysql.jsp Information Disclosure
This vulnerability leaks the database user's account and password hash. Code region: /yyoa/createMysql.jsp /yyoa/ext/createMysql.jsp. The code of this file is: %@ page language="java" % %@ page session="true" % %@ page isThreadSafe="true" % %@ page import="java.sql.,net.btdz.oa.common." % % CommonSql.exeUpdate"DELETE FROM mysql.user WHERE User = 'cubetech' ";...
Chanzhi Enterprise Portal System v2.5 SQL Injection
The problem is in the user profile editing code, /system/module/user/control.php: public function edit$account = '' if!$account or RUNMODE == 'front' $account = $this-app-user-account; if$this-app-user-account == 'guest' $this-locateinlink'login'; if!empty$POST $this-user-update$account;...
OpenSSH Below 6.6 SFTP Remote Overflow Vulnerability
Linux users often use SFTP over OpenSSH for uploads and downloads. If the OpenSSH server is not configured with "ChrootDirectory", ordinary users can access all filesystem resources, including /proc. On =2.6.x Linux kernels, /proc/self/maps reveals your memory layout and /proc/self/mem lets you read and write arbitrarily in the current process context; combining the two can produce a remote overflow. define GNUSOURCE // THIS PROGRAM IS NOT DESIGNED TO BE SAFE AGAINST VICTIM MACHINES THAT // T...
Magento <= 1.9.2 (catalogProductCreate) Autoloaded File Inclusion Vulnerability
Software Link: http://magento.com/ - Affected Versions: Version 1.9.2 and prior versions. - Vulnerability Description: The vulnerability is caused by the "catalogProductCreate" SOAP API implementation, which is defined in the /app/code/core/Mage/Catalog/Model/Product/Api/V2.php script: 109. public...
WordPress Car Rental System SQL Injection Vulnerability
Exploit Title : Car Rental System Native WordPress Plugin SQL Injection vulnerability version3.1 Author : Manish Kishan Tanwar AKA error1046 Vendor Link : http://codecanyon.net/item/car-rental-system-native-wordpress-plugin/11758680 Affected Version: below version 3.1 Date : 12/07/2015 Love to :...
phpcms Voting Feature Front-End Code Execution
No description provided by source...
Apabi Digital Resource Platform System POST Injection Vulnerability
Brief description: Details: http://.../bugs/wooyun-2010-0118453 http://.../bugs/wooyun-2010-0118667 Proof of vulnerability: Injection: dlib/homepage/softdownload/softlist.asp?action=list&lang=gb ...:81/dlib/homepage/softdownload/softlist.asp?action=list&lang=gb .../dlib/homepage/softdownload/softlist.asp?action=list&lang=gb...
PHP 5.6 / 5.5 / 5.4 Session Deserialized Use-After-Free
Use After Free Vulnerabilities in Session Deserializer. Taoguang Chen @chtg - Write Date: 2015.8.9 - Release Date: 2015.9.4. Multiple use-after-free vulnerabilities were discovered in the session deserializer php/phpbinary/phpserialize that can be abused for leaking arbitrary memory blocks or execute...
WordPress media-file-manager-advanced Plugin Multiple Vulnerabilities
No description provided by source. Post Delete http://domain.tld/wp-admin/admin-ajax.php?action=mfmarelocatordelete post: id=17 MKDIR http://domain.tld/wp-admin/admin-ajax.php?action=mfmarelocatormkdir newdir=EVEXFOLDER folder exists: http://domain.tld/wp-contents/uploads/EVEXFOLDER RMDIR Dir Mus...
WordPress Plugin Slider Revolution <= 4.1.4 Arbitrary File Download Vulnerability
File involved: /incphp/framework/baseadmin.class.php //if not inside plugin don't continue if$this-isInsidePlugin == true self::addActionself::ACTIONADDSCRIPTS, "addCommonScripts"; self::addActionself::ACTIONADDSCRIPTS, "onAddScripts"; //a must event for any admin. call onActivate function...
NETGEAR N600 WIRELESS DUAL BAND WNDR3400 - Multiple Vulnerabilities
Title: Multiple vulnerabilities in NETGEAR N600 WIRELESS DUAL BAND WNDR3400 ==================================================================================== Notification Date: 4/14/2014 Affected Vendor: NETGEAR N600 WIRELESS DUAL BAND WNDR3400 Firmware Version: Firmware Version 1.0.0.38 AND...
PCMan FTP Server 2.0.7 - GET Command Buffer Overflow
No description provided by source. !/usr/bin/python Exploit Title: PCMan's FTP Server v2.0 - GET command buffer overflow remote shell Date: 28 Aug 2015 Exploit Author: Koby Vendor Homepage: http://pcman.openfoundry.org/ Software Link:...
Wanhu OA Generic SQL Injection in a Page (Affects N Government Sites and Medical Institutions)
Brief description: Wanhu OA generic SQL injection in a page (affects N government sites and medical institutions). Details: defaultroot/Logon.do. This page allows unauthorized access; because the appinstanceid parameter is not properly filtered, SQL injection results. Problem parameter: appinstanceid. EXP: defaultroot/Logon.do. Exploitation method: visit the page, enter arbitrary content, capture the request, and run SQLMAP on it. Cases involved: ...:7001/defaultroot/aep/login.jsp http://.../defaultroot/aep/login.jsp http://...:7001/defaultroot/Logon.do...
Vulnerabilities in Microsoft Exchange Server Could Allow Information Disclosure (MS15-103)
Vulnerability description: Microsoft Exchange Server is a messaging and collaboration system. Exchange Server can be used to build mail systems for enterprises and schools, or free mail systems. It is also a collaboration platform on which workflows, knowledge management systems, web systems, or other messaging systems can be developed. Multiple vulnerabilities exist in Microsoft Exchange Server. Outlook Web Access (OWA) does not properly handle web requests or sanitize user input and email content; the most severe of these vulnerabilities could allow information disclosure. Affected: microsoft:exchangeserver:2013:cumulativeupdate8...
Netgear RP614v4 config disclosure
Device: Netgear RP614v4 Firmware version: v1.1.209.01 Firmware release date: November 2009 HTTP service: Boa HTTPd 0.93.15 Exploit release date: Wednesday March 24, 2010 Default router credentials: username: admin password: password Scope: Local/Remote Vulnerability: The Netgear RP614v4 is...
FineCms 免费版任意文件上传漏洞
路径:dayrui/libraries/Chart/ofcuploadimage.php $defaultpath = '../tmp-upload-images/'; if !fileexists$defaultpath mkdir$defaultpath, 0777, true; $destination = $defaultpath . basename $GET 'name' ; echo 'Saving your image to: '. $destination; $jfh = fopen$destination, 'w' or die"can't open file";...
Netgear FVS318 Router Multiple Vulnerabilities
Multiple Vulnerabilities in Netgear FVS318 Router ------------------------------------------------------------------------ SUMMARY The Netgear FVS318 is "an easy to use, firewall/router designed for home users and small businesses". SecuriNews Research has found 2 vulnerabilities in the router, o...
DIR-514 A1 Backdoor and Path Equivalence
The DIR-514 A1 has telnetd listening on port 2300 and the credentials are "root:amittima". I suppose the developers didn't want to solder the microscopic UART pads... With a bit of googling I found that other devices with Ralink chipsets have the same passwd... On the other hand, e...
Joomla com_memorix Component SQL Injection Vulnerability
Description: A normal user can inject an SQL query in the URL, which leads to reading data from the database. 2. Proof of Concept http://www.example.com/index.php?option=commemorix&task=result&searchplugin=theme&Itemid=60&ThemeID=-8594 SQLI Injected column is 3...
ASUS RT-N16 - Text-plain Admin Password Disclosure
Description ----------- Several ASUS routers include reflected Cross-Site Scripting CWE-79 and authentication bypass CWE-592 vulnerabilities. An attacker who can lure a victim to browse to a web site containing a specially crafted JavaScript payload can execute arbitrary commands on the router as...
D-Link DAP-1160 Authentication Bypass
The IS-2010-005 advisory describes a vulnerability in the D-Link DAP-1160, that allows for authentication bypass and complete device reconfiguration. Authentication can be bypassed by accessing the URL: http://IPADDR/toolsfirmw.htm within 40 seconds of the web server start, and consequently after...
Linksys EA2700 apply.cgi Directory Traversal
No description provided by source...
Arris Password of The Day Generator (list.txt)
Arris TM502G and TM602G routers require a password to enter advanced mode; the password is generated automatically from the system date and differs every day. The exact algorithm is given in the PoC. 1. Directly accessing the Arris router displays some router information without any authentication. 2. But clicking the advanced menu prompts for a password. 3. If the password is wrong 4. If the password entered is a correct one from the code table but the time is wrong, it prompts that the password for the corresponding time is required: 5. After submitting the correct password, the advanced settings are reached: ---- By default the PoC uses the caller's current system time; if it does not match the router's time, this is handled automatically. If the caller wants to specify the time manually, --extra-params can be used...
74cms (20150209) SQL Injection Vulnerability
This vulnerability arises because the vendor's fix for the SQL injection in the previous version (see http://www.wooyun.org/bugs/wooyun-2014-080490) was incomplete. First try passing in a single quote, and try a wide byte; a database error is displayed. Looking at how it reaches the database, we can see the error: the single quote was passed into the SQL statement. Find the code at the bottom of /include/mysql.class.php: function dbshow$err if$err $info = "Error:".$err; else $info = "Errno:".$this-errno." Error:".$this-error; //exit$info;...
ZyXEL ZyWALL USG client side authorization config disclosure
Details ======= Product: ZyXEL USG Unified Security Gateway appliances ZyWALL USG-20 ZyWALL USG-20W ZyWALL USG-50 ZyWALL USG-100 ZyWALL USG-200 ZyWALL USG-300 ZyWALL USG-1000 ZyWALL USG-1050 ZyWALL USG-2000 Possibly other ZLD-based products Affected Versions: Firmware Releases before April 25, 20...