
56796 matches found

seebug.org
added 2018/01/22 12:00 a.m., 31 views

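Netgear Router Information Disclosure

NETGEAR (NASDAQ: NTGR) is committed to providing innovative products and excellent smart-home wireless solutions to commercial enterprise users and home users worldwide. Router vulnerability research has traditionally revolved around two attack surfaces: scripting languages (htm/js/php/lua/sh/asp) and compiled code (elf/mips/armv7/arm/). This article introduces one of the simplest and most easily found kinds of vulnerability, tentatively classed as information disclosure; its impact is a permission bypass that is not limited to obtaining user login credentials. All NETGEAR routers have a page, 'currentsetting.htm', a privileged page where the model and firmware version can be viewed, that is, the page can be accessed without logging in. Download V1.0.0.281.0.28...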

7.1 AI score
Exploits: 0

seebug.org
added 2018/01/22 12:00 a.m., 49 views

Microsoft Edge: Chakra: Incorrect scope handling(CVE-2018-0774)

PoC: function funcarg = function printfunc; // SetHasOwnLocalInClosure should be called for the param scope in the PostVisitFunction function. printfunc; function func ; Chakra fails to distinguish whether the function is referenced in the param scope and ends up to emit an invalid opcode. functi...

7.6 CVSS, 7.4 AI score, 0.6787 EPSS
Exploits: 20

seebug.org
added 2018/01/22 12:00 a.m., 55 views

Microsoft Edge: Chakra: Deferred parsing makes wrong scopes #2(CVE-2018-0775)

Since the PoC is only triggerable when the "DeferParse" flag is enabled and requires a with statement, I think this is similar to issue 1310. PoC: // Enable the flag using '\n'.repeat0x1000 evalfunction f with function printf; ; ; + '\n'.repeat0x1000; PoC 2: // ./ch poc.js -ForceDeferParse functio...

7.6 CVSS, 7.4 AI score, 0.6787 EPSS
Exploits: 4

seebug.org
added 2018/01/22 12:00 a.m., 721 views

Master IP CAM 01 Vulnerabilities

Some time ago I analyzed this ipcam with my friend Dzonerzy: var serialNum="VVVIPCSBC150617Z-06929VjmJH54vkK"; var model="RTIPC"; var hardVersion="5900-gc1004"; var softVersion="V3.3.4.2103-S50-SBC-B20150721E"; var ipcname="WIFICAM"; var startdate="2017-8-5 0:0:2"; var runtimes="0 day, 0:54"; var...

9.3 AI score, 0.20158 EPSS
Exploits: 9

seebug.org
added 2018/01/22 12:00 a.m., 97 views

MacOS process_policy stack leak through uninitialized field(CVE-2017-7154)

The syscall process_policy(scope=PROC_POLICY_SCOPE_PROCESS, action=PROC_POLICY_ACTION_GET, policy=PROC_POLICY_RESOURCE_USAGE, policy_subtype=PROC_POLICY_RUSAGE_CPU, attrp=, target_pid=0, target_threadid=) causes 4 bytes of uninitialized kernel stack memory to be written to userspace. The call graph looks as follow...

5.6 CVSS, 7.2 AI score, 0.01134 EPSS
Exploits: 4

seebug.org
added 2018/01/22 12:00 a.m., 49 views

Microsoft Edge: Chakra: JIT: Loop analysis bug(CVE-2018-0777)

Here's the PoC demonstrating OOB write. function optarr, start, end for let i = start; i end; i++ if i === 10 i += 0; // -- a arri = 2.3023e-320; function main let arr = new Array100; arr.fill1.1; for let i = 0; i 1000; i++ optarr, 0, 3; optarr, 0, 100000; main; What happens here is as follows: I...

7.6 CVSS, 7.3 AI score, 0.78434 EPSS
Exploits: 20

seebug.org
added 2018/01/22 12:00 a.m., 60 views

D-Link DNS-343 ShareCenter < 1.05 - Command Injection

Introduction The purpose of this article is to detail the research that I have recently completed regarding the D-Link DNS 343 ShareCenter. Background The D-Link ShareCenter 4-Bay Network Storage Enclosure DNS-343 connects to your network instead of to a computer so everyone on your network can...

8.2 AI score
Exploits: 0

seebug.org
added 2018/01/18 12:00 a.m., 161 views

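DeDecms Arbitrary User Login and Administrator Password Reset Vulnerability

Overview Dedecms is an open-source PHP website management system. In DeDecms (Zhimeng CMS) V5.7.72 official release 20180109 (latest version), the front-end member module authenticates users with the DedeUserID+DedeUserIDckMd5 fields in the cookie. DedeUserID identifies and distinguishes the user, while DedeUserIDckMd5 is a server-generated hash used for security verification. Because the logic in one piece of Dedecms code is not strict enough, it is possible to submit characters and obtain the server-generated hash, hijack the DedeUserIDckMd5 field, bypass the security check and, combined with type conversion, cause an arbitrary user login vulnerability. Detailed vulnerability analysis File location: dedecms/member/index.php, line 110...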

7.1 AI score
Exploits: 0

seebug.org
added 2018/01/17 12:00 a.m., 94 views

MikroTik RouterOS < 6.38.5 RCE

!/usr/bin/env python2 Mikrotik Chimay Red Stack Clash Exploit by wsxarcher based on BigNerd95 POC tested on RouterOS 6.38.4 x86 ASLR enabled on libs only DEP enabled import socket, time, sys, struct from pwn import import ropgadget ASTSTACKSIZE = 0x20000 stack size per thread 128 KB SKIPSPACE =...

7.4 AI score
Exploits: 0

seebug.org
added 2018/01/17 12:00 a.m., 67 views

Multiple vulnerabilities in all versions of ASUS routers

1 ASUSWRT 3.0.0.4.376 - multiple vulnerabilities in httpd server all versions of AsusWRT at the time of report to vendor, for previous 376 version see next section 1. Highly predictable session tokens The session token is generated for an authenticated user using stdlib rand function. The token...

9.7 AI score, 0.03149 EPSS
Exploits: 4

seebug.org
added 2018/01/16 12:00 a.m., 66 views

CODE EXECUTION (CVE-2018-5189) WALKTHROUGH ON JUNGO WINDRIVER 12.5.1

INTRODUCTION Windows kernel exploitation can be a daunting area to get into. There are tons of helpful tutorials out there and originally this post was going to add to that list. This is the story of how I found CVE-2018-5189 and a complete walkthrough of the exploit development cycle. The idea w...

8.5 AI score, 0.01227 EPSS
Exploits: 3

seebug.org
added 2018/01/15 12:00 a.m., 382 views

An Analysis of the OpenSSL SSL Handshake Error State Security Bypass (CVE-2017-3737)

OpenSSL is a widely used library for SSL and TLS protocol implementation that secures data using encryption and decryption based on cryptographic functions. However, a Security Bypass vulnerability – recently addressed in a patch by the OpenSSL Project – can be exploited to make vulnerable SSL...

4.3 CVSS, 0.5 AI score, 0.78675 EPSS
Exploits: 1

seebug.org
added 2018/01/15 12:00 a.m., 20 views

D-Link Routers 110/412/615/815 Arbitrary Code Execution

!/usr/bin/python Exploit Title: D-Link WAP 615/645/815 .?.?', 'Product Page : .?' def dlinkdetection: try: r = requests.getURL, timeout=10.00 except requests.exceptions.ConnectionError: print "Error: Failed to connect to " + URL return False if r.statuscode != 200: print "Error: " + URL + "...

0.7 AI score
Exploits: 0

seebug.org
added 2018/01/11 12:00 a.m., 24 views

rails_admin rails gem XSS vulnerability(CVE-2017-12098)

Summary An exploitable XSS vulnerability exists in the add filter functionality of the rails_admin rails gem version 1.2.0. A specially crafted URL can cause an XSS flaw resulting in an attacker being able to execute arbitrary javascript on the victim’s browser. An attacker can phish an...

6.3 AI score, 0.01304 EPSS
Exploits: 3

seebug.org
added 2018/01/11 12:00 a.m., 506 views

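TP-Link Router Command Injection Vulnerability (CVE-2017-16957)

0x01 Background TP-Link TL-WVR and related models are wireless router products from TP-LINK (China). Multiple TP-Link product lines have a command injection vulnerability: after logging in, an attacker can send a malicious field that, once concatenated, leads to arbitrary command execution. The vulnerability was discovered by coincoin7 and is tracked as CVE-2017-16957. 0x02 Affected products TP-LINK TL-WVR series, TP-LINK TL-WAR series, TP-LINK TL-ER series, TP-LINK TL-R series 0x03 Vulnerability analysis Following the link given in the original article, I downloaded the TL-WVR450L firmware, unpacked it with binwalk to get the squashfs filesystem, and then used...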

9 CVSS, 8.8 AI score, 0.05644 EPSS
Exploits: 2

seebug.org
added 2018/01/11 12:00 a.m., 27 views

Rails delayed_job_web XSS(CVE-2017-12097)

Summary An exploitable XSS vulnerability exists in the filter functionality of the delayed_job_web rails gem version 1.4. A specially crafted URL can cause an XSS flaw resulting in an attacker being able to execute arbitrary javascript on the victim’s browser. An attacker can phish an authenticated...

6.3 AI score, 0.01032 EPSS
Exploits: 3

seebug.org
added 2018/01/11 12:00 a.m., 60 views

Sophos XG from Unauthenticated Persistent XSS to Unauthorized Root Access(CVE-2017-18014)

Vulnerability Summary The following advisory describes an unauthenticated persistent XSS that leads to unauthorized root access found in Sophos XG version 17. Sophos XG Firewall “provides unprecedented visibility into your network, users, and applications directly from the all-new control center...

6.9 AI score, 0.02351 EPSS
Exploits: 2

seebug.org
added 2018/01/11 12:00 a.m., 418 views

Jackson-databind Remote Code Execution Vulnerability (CVE-2017-17485)

jackson-rce-via-spel An example project that exploits the default typing issue in Jackson-databind https://github.com/FasterXML/jackson-databind via Spring application contexts and expressions Context The Jackson-databind project has a feature called default-typing not enabled by default. When th...

9.7 AI score, 0.49952 EPSS
Exploits: 7

seebug.org
added 2018/01/11 12:00 a.m., 49 views

SugarCRM's Security Diet - Multiple Vulnerabilities

SugarCRM is one of the most popular customer relationship management solutions. It is available as a commercial edition and as an open-source community edition and is used by more than 2 million individuals in over 120 countries to manage sensitive customer data 1. Lately its security attracted...

8.3 AI score
Exploits: 0

seebug.org
added 2018/01/10 12:00 a.m., 81 views

CPP-Ethereum JSON-RPC admin_addPeer Authorization Bypass Vulnerability(CVE-2017-12112)

Summary An exploitable improper authorization vulnerability exists in admin_addPeer API of cpp-ethereum's JSON-RPC (commit 4e1015743b95821849d001618a7ce82c7c073768). A JSON request can cause an access to the restricted functionality resulting in authorization bypass. An attacker can send JSON to...

8.1 AI score, 0.01471 EPSS
Exploits: 2

seebug.org
added 2018/01/10 12:00 a.m., 40 views

D-Link soap.cgi Stack Buffer Overflow(CVE-2018-5318)

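Author: Chu 1. Preface A while ago my boss bought a few routers to play with, and I looked into two of the boards, the D-Link DIR 629 and DIR 823. I found several stack overflows in soap.cgi, all remotely exploitable, and other router models also reuse this part of the soap code. 2. Reverse engineering and vulnerability discovery Since I wanted to find a few remotely exploitable bugs, I looked first at the HTTP service, that is, /htdocs/cgibin. The D-Link HTTP service is provided by cgibin, which enters different handling branches depending on the file name of the symlink: In each cgi handler, user input is parsed through cgibinparserequest, whose function prototype is roughly as follows: Parameters...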

7.2 AI score
Exploits: 0

seebug.org
added 2018/01/10 12:00 a.m., 65 views

CPP-Ethereum JSON-RPC admin_peers improper authorization Vulnerability(CVE-2017-12114)

Summary An exploitable improper authorization vulnerability exists in admin_peers API of cpp-ethereum's JSON-RPC (commit 4e1015743b95821849d001618a7ce82c7c073768). A JSON request can cause an access to the restricted functionality resulting in authorization bypass. An attacker can send JSON to trigg...

6.8 AI score, 0.01426 EPSS
Exploits: 2

seebug.org
added 2018/01/10 12:00 a.m., 74 views

CPP-Ethereum JSON-RPC miner_setEtherbase improper authorization Vulnerability(CVE-2017-12115)

Summary An exploitable improper authorization vulnerability exists in miner_setEtherbase API of cpp-ethereum's JSON-RPC (commit 4e1015743b95821849d001618a7ce82c7c073768). A JSON request can cause an access to the restricted functionality resulting in authorization bypass. An attacker can send JSON t...

8.1 AI score, 0.01621 EPSS
Exploits: 2

seebug.org
added 2018/01/10 12:00 a.m., 43 views

CPP-Ethereum JSON-RPC miner_setGasPrice improper authorization Vulnerability(CVE-2017-12116)

Summary An exploitable improper authorization vulnerability exists in miner_setGasPrice API of cpp-ethereum's JSON-RPC (commit 4e1015743b95821849d001618a7ce82c7c073768). A JSON request can cause an access to the restricted functionality resulting in authorization bypass. An attacker can send JSON to...

8.1 AI score, 0.0169 EPSS
Exploits: 2

seebug.org
added 2018/01/10 12:00 a.m., 81 views

CPP-Ethereum JSON-RPC Denial Of Service Vulnerabilities(CVE-2017-12119)

Summary An exploitable unhandled exception vulnerability exists in multiple APIs of CPP-Ethereum's JSON-RPC. Specially crafted JSON requests can cause an unhandled exception resulting in denial of service. An attacker can send malicious JSON to trigger this vulnerability. Tested Versions Ethereum...

7.4 AI score, 0.02126 EPSS
Exploits: 2

seebug.org
added 2018/01/10 12:00 a.m., 58 views

CPP-Ethereum JSON-RPC admin_nodeInfo improper authorization Vulnerability(CVE-2017-12113)

Summary An exploitable improper authorization vulnerability exists in admin_nodeInfo API of cpp-ethereum's JSON-RPC (commit 4e1015743b95821849d001618a7ce82c7c073768). A JSON request can cause an access to the restricted functionality resulting in authorization bypass. An attacker can send JSON to...

8.1 AI score, 0.01514 EPSS
Exploits: 2

seebug.org
added 2018/01/10 12:00 a.m., 61 views

CPP-Ethereum JSON-RPC miner_start improper authorization Vulnerability(CVE-2017-12117)

Summary An exploitable improper authorization vulnerability exists in miner_start API of cpp-ethereum's JSON-RPC (commit 4e1015743b95821849d001618a7ce82c7c073768). A JSON request can cause an access to the restricted functionality resulting in authorization bypass. An attacker can send JSON to trigg...

8.1 AI score, 0.01387 EPSS
Exploits: 2

seebug.org
added 2018/01/10 12:00 a.m., 50 views

CPP-Ethereum JSON-RPC miner_stop improper authorization Vulnerability(CVE-2017-12118)

Summary An exploitable improper authorization vulnerability exists in miner_stop API of cpp-ethereum's JSON-RPC (commit 4e1015743b95821849d001618a7ce82c7c073768). A JSON request can cause an access to the restricted functionality resulting in authorization bypass. An attacker can send JSON to trigge...

8.1 AI score, 0.0163 EPSS
Exploits: 2

seebug.org
added 2018/01/10 12:00 a.m., 60 views

CPP-Ethereum libevm create2 Information Leak Vulnerability(CVE-2017-14457)

Summary An exploitable information leak / denial of service vulnerability exists in the libevm Ethereum Virtual Machine create2 opcode handler of CPP-Ethereum. A specially crafted smart contract code can cause an out-of-bounds read leading to memory disclosure or denial of service. An attacker ca...

8.1 AI score, 0.01742 EPSS
Exploits: 1

seebug.org
added 2018/01/10 12:00 a.m., 46 views

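DedeCMS Front-End Arbitrary User Password Change

Common weak-typing problems Type conversion problems Type conversion is unavoidable. For example, when GET or POST parameters need to be converted to int, or when two variables do not match in type, PHP converts the variables automatically. But PHP is a weakly typed language, so type conversion brings many unexpected problems. Mathematical operations When PHP performs some mathematical calculations Because md5's878926199a'=0e545993274517709034328855841020 is 0 to the nth power, it still equals 0. But note: "0e123456abc"=="0e1dddada"//false this one returns false Loose comparison in conditional statements Loose comparison in functions...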

7.1 AI score
Exploits: 0

seebug.org
added 2018/01/08 12:00 a.m., 22 views

phpshe1.5 Shop System Arbitrary File Deletion Plus Arbitrary Code Execution

...

0.8 AI score
Exploits: 0

seebug.org
added 2018/01/08 12:00 a.m., 40 views

seacms Front-End Low-Value Error-Based Injection, Bypassing 80sec and 360webscan to Retrieve Data

...

0.8 AI score
Exploits: 0

seebug.org
added 2018/01/05 12:00 a.m., 50 views

WDMyCloud 2.30.165 CSRF / File Upload / Code Execution / Backdoor / DoS

Released Date: 2018-01-04 Last Modified: 2017-06-11 Company Info: Western Digital Version Info: Vulnerable MyCloud = 2.30.165 MyCloudMirror = 2.30.165 My Cloud Gen 2 My Cloud PR2100 My Cloud PR4100 My Cloud EX2 Ultra My Cloud EX2 My Cloud EX4 My Cloud EX2100 My Cloud EX4100 My Cloud DL2100 My Clo...

9.1 AI score
Exploits: 0

seebug.org
added 2018/01/05 12:00 a.m., 43 views

D-Link DNS-320L 'mydlinkBRionyg' Backdoor

Released Date: 2018-01-03 Last Modified: 2017-06-14 Company Info: D-Link Version Info: Vulnerable D-Link DNS-320L ShareCenter = 1.06 Table of contents 00 - Introduction 00.1 Background 01 - Hard coded backdoor 01.1 - Vulnerable code analysis 01.2 - Remote exploitation 02 - Credit 03 - Proof of...

8.1 AI score
Exploits: 0

seebug.org
added 2018/01/04 12:00 a.m., 1565 views

Reading privileged memory with a side-channel (Meltdown & Spectre)

We have discovered that CPU data cache timing can be abused to efficiently leak information out of mis-speculated execution, leading to at worst arbitrary virtual memory read vulnerabilities across local security boundaries in various contexts. Variants of this issue are known to affect many mode...

6.3 AI score, 0.93838 EPSS
Exploits: 12

seebug.org
added 2018/01/02 12:00 a.m., 35 views

Samsung Internet Browser 6.2.01.12 SOP Bypass / UXSS

Samsung Internet Browser SOP Bypass/UXSS There is a Same Origin Policy bypass / Universal Cross Site Scripting issue in Samsung Internet Browser tested on latest version - 6.2.01.12. First of all, using the combination of MHTML and XSLT ends up resulting in a weird interaction. When you create an...

6.7 AI score
Exploits: 0

seebug.org
added 2018/01/02 12:00 a.m., 58 views

D-Link DSL-6850U Multiple Vulnerabilities

Vulnerabilities Summary The following advisory describes two (2) vulnerabilities found in D-Link DSL-6850U versions BZ1.00.01 – BZ1.00.09. D-Link DSL-6850U is a router “manufactured by D-Link for Bezeq in Israel”. The vulnerabilities found are: Default Credentials Remote Command Execution Credit An...

7.5 AI score
Exploits: 0

seebug.org
added 2017/12/29 12:00 a.m., 44 views

InfraPower PPS-02-S Q213V1 Local File Disclosure Vulnerability

Summary InfraPower Manager PPS-02-S is a FREE built-in GUI of each IP dongle IPD-02-S only to remotely monitor the connected PDUs. Patented IP Dongle provides IP remote access to the PDUs by a true network IP address chain. Only 1xIP dongle allows access to max. 16 PDUs in daisy chain - which is ...

6.5 AI score
Exploits: 0

seebug.org
added 2017/12/29 12:00 a.m., 33 views

ZKTeco ZKBioSecurity 3.0 CSRF Add Superadmin Exploit

Summary ZKBioSecurity3.0 is the ultimate "All in One" web based security platform developed by ZKTeco. It contains four integrated modules: access control, video linkage, elevator control and visitor management. With an optimized system architecture designed for high level biometric identificatio...

6.8 AI score
Exploits: 0

seebug.org
added 2017/12/29 12:00 a.m., 51 views

ZKTeco ZKBioSecurity 3.0 User Enumeration Weakness

Summary ZKBioSecurity3.0 is the ultimate "All in One" web based security platform developed by ZKTeco. It contains four integrated modules: access control, video linkage, elevator control and visitor management. With an optimized system architecture designed for high level biometric identificatio...

6.9 AI score
Exploits: 0

seebug.org
added 2017/12/29 12:00 a.m., 55 views

ZKTeco ZKAccess Professional 3.5.3 Insecure File Permissions

Summary ZKAccess 3.5 is a desktop software which is suitable for small and medium businesses application. Compatible with all ZKAccess standalone reader controllers, the software can simultaneously manage access control and generate attendance report. The brand new flat GUI design and humanized...

6.8 AI score
Exploits: 0

seebug.org
added 2017/12/29 12:00 a.m., 55 views

InfraPower PPS-02-S Q213V1 Unauthenticated Remote Root Command Execution

Summary InfraPower Manager PPS-02-S is a FREE built-in GUI of each IP dongle IPD-02-S only to remotely monitor the connected PDUs. Patented IP Dongle provides IP remote access to the PDUs by a true network IP address chain. Only 1xIP dongle allows access to max. 16 PDUs in daisy chain - which is ...

8.5 AI score
Exploits: 0

seebug.org
added 2017/12/29 12:00 a.m., 45 views

InfraPower PPS-02-S Q213V1 Multiple XSS Vulnerabilities

Summary InfraPower Manager PPS-02-S is a FREE built-in GUI of each IP dongle IPD-02-S only to remotely monitor the connected PDUs. Patented IP Dongle provides IP remote access to the PDUs by a true network IP address chain. Only 1xIP dongle allows access to max. 16 PDUs in daisy chain - which is ...

6.8 AI score
Exploits: 0

seebug.org
added 2017/12/29 12:00 a.m., 29 views

ZKTeco ZKBioSecurity 3.0 File Path Manipulation Vulnerability

Summary ZKBioSecurity3.0 is the ultimate "All in One" web based security platform developed by ZKTeco. It contains four integrated modules: access control, video linkage, elevator control and visitor management. With an optimized system architecture designed for high level biometric identificatio...

6.9 AI score
Exploits: 0

seebug.org
added 2017/12/29 12:00 a.m., 39 views

Dell SonicWALL Global Management System GMS 8.1 Blind SQL Injection

Summary Provide your organization, distributed enterprise or managed service offering with an intuitive, powerful way to rapidly deploy and centrally manage SonicWall solutions, with SonicWall GMS. Get more value from your firewall, secure remote access, anti-spam, and backup and recovery solutio...

8 AI score
Exploits: 0

seebug.org
added 2017/12/29 12:00 a.m., 42 views

Dell SonicWALL Global Management System GMS 8.1 XSS Vulnerabilities

Summary Provide your organization, distributed enterprise or managed service offering with an intuitive, powerful way to rapidly deploy and centrally manage SonicWall solutions, with SonicWall GMS. Get more value from your firewall, secure remote access, anti-spam, and backup and recovery solutio...

6.2 AI score
Exploits: 0

seebug.org
added 2017/12/29 12:00 a.m., 37 views

InfraPower PPS-02-S Q213V1 Insecure Direct Object Reference Authorization Bypass

Summary InfraPower Manager PPS-02-S is a FREE built-in GUI of each IP dongle IPD-02-S only to remotely monitor the connected PDUs. Patented IP Dongle provides IP remote access to the PDUs by a true network IP address chain. Only 1xIP dongle allows access to max. 16 PDUs in daisy chain - which is ...

7.1 AI score
Exploits: 0

seebug.org
added 2017/12/29 12:00 a.m., 51 views

InfraPower PPS-02-S Q213V1 Cross-Site Request Forgery

Summary InfraPower Manager PPS-02-S is a FREE built-in GUI of each IP dongle IPD-02-S only to remotely monitor the connected PDUs. Patented IP Dongle provides IP remote access to the PDUs by a true network IP address chain. Only 1xIP dongle allows access to max. 16 PDUs in daisy chain - which is ...

6.9 AI score
Exploits: 0

seebug.org
added 2017/12/29 12:00 a.m., 37 views

Dell SonicWALL Network Security Appliance NSA 6600 Reflected XSS

Summary Uncompromising security and performance for emerging large organizations. The NSA 6600 network security appliance delivers best-in-class protection, speed and scalability with 12 Gbps throughput and up to 6000 VPN clients. Description SonicWALL NSA suffers from a XSS issue due to a failur...

6.9 AI score
Exploits: 0

seebug.org
added 2017/12/29 12:00 a.m., 60 views

InfraPower PPS-02-S Q213V1 Authentication Bypass Vulnerability

Summary InfraPower Manager PPS-02-S is a FREE built-in GUI of each IP dongle IPD-02-S only to remotely monitor the connected PDUs. Patented IP Dongle provides IP remote access to the PDUs by a true network IP address chain. Only 1xIP dongle allows access to max. 16 PDUs in daisy chain - which is ...

6.9 AI score
Exploits: 0

Total number of security vulnerabilities: 56796