Yonyou e-HR /hrss/rm/ResetPwd.jsp SQL Injection Vulnerability
No description provided by source...
DirPHP 1.0 - LFI Vulnerability
No description provided by source. #!/usr/bin/env python # -*- coding:utf-8 -*- from pocsuite.net import req from pocsuite.poc import Output, POCBase from pocsuite.utils import register class TestPOC(POCBase): vulID = '87159' version = '1' vulDate = '1406390400' createDate = '1442937600' references =...
Cuumall Shop System Incomplete Filtering Leads to XSS That Can Reach the Admin Backend
Brief description: xss. Details: Official demo site, latest version: http://demo.cuumall.com/ Google: Power by CuuMall v2.3. Entering alert1 in the address field triggers an "illegal injection" warning; changing the address to dz can then hit the backend. Submit an order and view it in the backend. Proof of vulnerability:...
Tongda T9 Intelligent Management Platform SQL Injection Can Access Multiple Databases
Brief description: Just for fun. Details: Official site: http://t9.tongda2000.com/ Tongda OA T9 Intelligent Management Platform Standard Edition. Official demo site: http://t9.go2oa.com:86/ URL: http://t9.go2oa.com:86/t9/t9/core/funcs/system/act/T9SystemAct/doLoginIn.act...
Sagem Fast 3304-V1 - Denial Of Service Vulnerability
No description provided by source. Title : Sagem F@st 3304-V1 denial of service Vulnerability Vendor Homepage : http://www.sagemcom.com Tested on : Firefox, Google Chrome Tested Router : Sagem F@st 3304-V1 Date : 2014-07-26 Author : Z3ro0ne Contact : [email protected] Facebook Page :...
Moodle 2.7 - Persistent XSS
No description provided by source. Title: Moodle 2.7 Persistent XSS Vendor: https://moodle.org/ Moodle advisory: https://moodle.org/mod/forum/discuss.php?d=264265 Researched by: Osanda Malith Jayathissa @OsandaMalith E-Mail: osandacatunseen.is Original write-up:...
PHPB2B Latest Version SQL Injection Allows Unlimited Balance Top-Up (Confirmed on Official Demo)
Brief description: as titled. Details: Looking at the user registration code: if(isset($_POST['register'])) $iscompany = false; $ifneedcheck = false; $registertype = trim($_POST['register']); $registertypename = trim($_POST['typename']); pbsubmitcheck('data'); $defaultmembergroupidres = $pdb->GetRow("SELECT FROM $tbprefixmembertypes WHERE name='".$registertypename."'");...
Omeka 2.2.1 - Remote Code Execution Exploit
No description provided by source. #!/usr/bin/env python Omeka 2.2.1 Remote Code Execution Exploit Vendor: Omeka Team CHNM GMU Product web page: http://www.omeka.org Affected version: 2.2.1 and 2.2 Summary: Omeka is a free, flexible, and open source web-publishing platform for the display of...
Zenoss Monitoring System 4.2.5-2108 64bit - Stored XSS
No description provided by source. Exploit Title: Stored XSS vulnerability in Zenoss core open source monitoring system Date: 12/05/2014 Exploit author: Dolev Farhi dolevatopenflare.org Vendor homepage: http://zenoss.com Software Link: http://www.zenoss.com Version: Core 4.2.5-2108 64bit Tested o...
Cmseasy Stored XSS (Bypasses XSS Protection)
Brief description: Done with the forum; moving on to another spot, and the latest version is affected too. Details: The XSS is in the username field of product comments. The XSS payload is given directly; the 360 script blocks HTML entity encoding, so \uxxxx encoding is needed. The payload is as follows: The root cause is a poorly written regex, combined with the username field not stripping HTML tags. Step by step: first, the submitted data reaches line 8 of uploads\lib\default\commentact.php: function addaction if(front::post('submit') && front::post('aid')) if(config::get('verifycode')...
Three SQL Injections in the Latest Ucenter Home
Brief description: Three SQL injections in the latest Ucenter Home. Details: Download the latest Ucenter Home from the official site. First SQL injection: Personal Settings -> Profile -> Basic Info. File /source/cpprofile.php: if($_GET['op'] == 'base') if(submitcheck('profilesubmit') || submitcheck('nextsubmit')) if(!@include_once S_ROOT.'./data/dataprofilefield.php') include_once S_ROOT.'./source/functioncache.php';...
BulletProof FTP Client 2010 - Buffer Overflow (SEH)
No description provided by source...
Make 3.81 - Heap Overflow PoC
No description provided by source. =for comment Exploit Title: MAKE Heap Overflow - Pointer dereferencing POC Calloc-X86 X64 Date: 14.07.14 Exploit Author: HyP Vendor Homepage: http://www.gnu.org/software/make/ Software Link: http://ftp.gnu.org/gnu/make/ Version: Make 3.81 Tested on: linux32,64...
Lian Li NAS - Multiple Vulnerabilities
No description provided by source. Exploit Title: Lian Li NAS Multiple vulnerabilities Date: 21/07/2014 Exploit Author: pws Vendor Homepage: http://www.lian-li.com/en/dtportfoliocategory/nas/ Firmware Link: https://www.dropbox.com/s/imvkndl8m5yj7qp/G5S604121826700.tar.gz Tested on: Latest version...
Two SQL Injections in the Latest Ucenter Home
Brief description: Two SQL injections in the latest Ucenter Home, fairly well hidden. Details: In the blog editing code, file cpblog.php: //add/edit operation if(submitcheck('blogsubmit')) if(empty($blog['blogid'])) $blog = array(); else if(!checkperm('allowblog')) ckspacelog(); showmessage('noauthoritytoaddlog'); //captcha if(checkperm('seccode') && !ckseccode($_POST['seccode'])) showmessage('incorrectcode');...
Wordpress Video Gallery Plugin 2.5 - Multiple Vulnerabilities
No description provided by source. Wordpress Video Gallery Exploit Title : Wordpress Video Gallery 2.5 SQL Injection and XSS Vulnerabilities Exploit Author : Claudio Viviani Vendor Homepage : http://www.apptha.com/category/extension/Wordpress/Video-Gallery Software Link :...
Apache 2.4.x mod_proxy Denial of Service PoC
No description provided by source. Exploit Title: Apache 2.4.x mod_proxy Denial Of Service (CVE-2014-0117) Date: 2014-07-20 Exploit Author: aisyhi Version: 0.1 Apache httpd 2.4.6 to 2.4.9 Tested on: Apache/2.4.7 CVE : CVE-2014-0117 import httplib import logging import time import socket import sys...
DESTOON Incomplete Patch Leads to SQL Injection
Brief description: 2014-07-22. The patch should have been applied at the critical spots. Details: $post = daddslashes(dstripslashes($post)); The patch only applies daddslashes to $post when editing profile data, but special characters can still be entered at registration. I found one exploitable spot: extract($_USER, EXTR_PREFIX_ALL, ''); //initialization in common.inc.php (login) /module/quote/price.inc.php lines 24-28: if($userid) $post['company'] = $company;//used here require...
cmseasy Stored XSS (No Login Required, Bypasses 360)
Brief description: Trust pandas and the truth comes out! Details: cmseasy's bbs allows non-logged-in users to reply, but the username is read from the COOKIE, which causes a security problem: /bbs/ajax.php userid; $data['addtime'] = mktime(); $data['ip'] = $_SERVER['REMOTE_ADDR']; $reply = dbbbsreply::getInstance(); $r = $reply->inserData($data); This is the reply code. As can be seen, $data['username'] = isset($_COOKIE['username']) ? $_COOKIE['username'] : '...
Fanwe Group-Buy 4.3 Another SQL Injection
Brief description: ..... Details: ..... Proof of vulnerability: http://t1.fanwe.net:93/t1/index.php?m=Goods&a=showcate&id=46 Target: http://t1.fanwe.net:93/t1/index.php?m=Goods&a=showcate&id=46 Host IP: 112.124.32.200 Web Server: IIS Powered-by: WAF/2.0 Powered-by: WAF/2.0 DB Server: MySQL =5 Resp. Timeavg: 487 ms Compile OS: Win...
Microsoft XP SP3 MQAC.sys - Arbitrary Write Privilege Escalation
No description provided by source. Title: Microsoft XP SP3 MQAC.sys Arbitrary Write Privilege Escalation Advisory ID: KL-001-2014-003 Publication Date: 2014.07.18 Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt 1. Vulnerability Details Affected Vendor: Microsof...
ToolTalk rpc.ttdbserverd_tt_internal_realpath Buffer Overflow Vulnerability (AIX)
No description provided by source...
Unix ibstat $PATH Environment Variable Privilege Escalation Vulnerability
No description provided by source...
cmseasy Latest Version Stored XSS (Bypasses the XSS Protection Mechanism) #2
Brief description: as titled. Details: HTML is an interesting language. The XSS filtering code at cmseasy's bbs posting does a fairly thorough filtering of the HTML inside. function xssclean($data) if (empty($data)) return $data; if (is_array($data)) foreach ($data as $key => $value) $data[xssclean($key)] = xssclean($value); return $data; $data = str_replace(array('&', '', ''), array('', '', ''), $data); $data =...
Barracuda Networks #35 Web Firewall 610 6.0.1 - Filter Bypass & Persistent Vulnerability
No description provided by source. Document Title: =============== Barracuda Networks 35 Web Firewall 610 v6.0.1 - Filter Bypass & Persistent Vulnerability References Source: ==================== http://www.vulnerability-lab.com/getcontent.php?id=1101 Barracuda Networks Security ID BNSEC:...
AIX Calendar Manager Service Daemon (rpc.cmsd) Opcode 21 Buffer Overflow Vulnerability
No description provided by source...
destoon Stored XSS, Hits Wherever You Point It
Brief description: as titled, 20140722. Details: In the member messaging feature, attachment upload allows swf files, and tags are not filtered. Craft a malicious swf, for example like this: Upload the attachment, press F12 to view the source and get the swf path, then capture and submit the request. It triggers when the message is viewed. Because it is same-origin, the swf can do a lot, such as stealing cookies. Proof of vulnerability:...
Microsoft XP SP3 - BthPan.sys Arbitrary Write Privilege Escalation
No description provided by source. """ Title: Microsoft XP SP3 BthPan.sys Arbitrary Write Privilege Escalation Advisory ID: KL-001-2014-002 Publication Date: 2014-07-18 Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2014-002.txt 1. Vulnerability Details Affected Vendor:...
Phpyun Design Flaw Allows Arbitrary File Deletion, Leading to Reinstall Getshell or SQL Injection
Brief description: A design flaw allows arbitrary file deletion. Deleting the lock file allows a reinstall, which directly leads to getshell; deleting a certain file also enables injection, and it can break SQL statements. P.S. It's past 1 a.m. again; I won't be able to focus in class tomorrow. 2014-07-23 01:30:01, happy new day. Details: Still the latest version downloaded from the official site. In model/ajax.class.php: function deluploadaction if(!$this->uid && !$this->username && $_COOKIE["usertype"]!=2) echo 0;die; else $dir=$POSTstr0; $isuser =...
cmseasy Latest Version (20140718) Stored XSS Blind-Hitting the Admin Backend
Brief description: Stored XSS can blindly hit the admin backend. Details: the getbot function at line 13 of /lib/table/stats.php: public static function getbot() $ServerName = $_SERVER["SERVER_NAME"]; $ServerPort = $_SERVER["SERVER_PORT"]; $ScriptName = $_SERVER["SCRIPT_NAME"]; $QueryString = $_SERVER["QUERY_STRING"]; $serverip = $_SERVER["REMOTE_ADDR"]; $GetLocationURL=self::geturl();...
mcms Arbitrary Deletion of Users' Shipping Addresses
Brief description: Unauthorized deletion of users' shipping addresses. Details: The problem is in the mdeladdr section of index.php under plugins\gov.user, as shown in the image. The code only checks the shipping address id and similar fields and does not check which user is acting, so simply changing the id deletes any user's shipping address. First, user admin123's shipping address id is 5. We log in as a different user, click delete and capture the request with Burp; it shows 3. What if we change it to 5, the previous user's shipping address id? https://images.seebug.org/upload/201407/23164525e...
DjVuLibre <= 3.5.25.3 - Out of Bounds Access Violation
No description provided by source. from shutil import copyfile import sys """ Exploit Title: DjVuLibre <= 3.5.25 Out of Bounds Access Violation Date: 07/14/24 Exploit Author: drone @dronesec Vendor: http://djvu.sourceforge.net/ Software link:...
Joomla com youtubegallery 4.x /gallery.php SQL Injection Vulnerability
No description provided by source...
DouPHP 1.1 /guestbook.php SQL Injection Vulnerability
No description provided by source...
ESPCMS 6.0 /interface/enquiry.php SQL Injection Vulnerability
No description provided by source...
TRS WCM Unauthorized Direct Creation of Arbitrary Users (No Approval Required)
Brief description: Create arbitrary users without approval and log in directly. Details: 1. First we pick a username that does not exist or whose password is wrong: 2. Call the user-creation method via the webservice to create a user: =============================== Searching on WooYun, only one case exposing this method was found, in "WooYun: TRS System Arbitrary File Download Vulnerability": http://wcm.xxz.gov.cn:8080/wcm/ Xiangxi Prefecture government site cluster. Proof of vulnerability: Successfully logged in as the newly created user:...
YXcms Cookie Injection
Brief description: The program does not filter injection strictly, allowing cookie injection. Details: As mentioned in the previous report, we can bypass the cookie check and forge a login, but what can we do once logged in? The privileges are too low, so let's find an injection to play with. The PowerCheck function validates login privileges. Protected/apps/members/meberApi.php: public function powerCheck() //parameter 1: returns 1 for no permission, 2 for logged in with permission, an array for logged in with permission $cookieauth=getcookie('auth');//during validation the information is read from the cookie; let's look at the getcookie function if(empty($cookieauth))...
cmseasy Latest Version 20140718 SQL Injection (Bypasses 360webscan)
Brief description: 20140718, bypasses 360webscan, no login required. Details: the getbot function at line 13 of /lib/table/stats.php: public static function getbot() $ServerName = $_SERVER["SERVER_NAME"]; $ServerPort = $_SERVER["SERVER_PORT"]; $ScriptName = $_SERVER["SCRIPT_NAME"]; $QueryString = $_SERVER["QUERY_STRING"]; $serverip = $_SERVER["REMOTE_ADDR"];...
Weaver (e-cology) OA System Several Backend SQL Injections (Verified on Official Demo)
Brief description: The injection directly endangers the main database, and most instances run with sa privileges. Details: Injection as administrator: http://www.e-cology.cn/systeminfo/sysadmin/sysadminEdit.jsp?id=1 Injection as ordinary user: http://127.0.0.1//cowork/CoworkLogView.jsp?id=151 Ordinary-user injection URL: http://127.0.0.1/system/basedata/basedatarole.jsp?roleid=32...
Ecmall SQL Injection, Part 5, and One Spot Where a Single Quote Can Be Introduced
Brief description: Took another look at the 0618 patch after finishing homework. Not a second-order injection. After so many installments in this series I've grown attached; this should be the last one, so please don't give it 3 rank again, rate it higher. One injection & another spot where a single quote or escape character can be introduced, though only that, so it is not easy to exploit there. Details: First, could you confirm the two earlier ecmall reports I submitted? Just downloaded the 20140618 patch from the bbs. 0x01 The spot where a single quote or escape character can be introduced: first look at this function in mygoods.app.php: function getpostdata($id = 0) $goods = array('goodsname' => $_POST['goodsname'],...
YXcms XSS That Can Reach the Admin Backend
Brief description: Loose filtering; XSS can reach the admin backend. Details: Input: in Protected/member/controller/inforController.php: public function index() if(!$this->isPost) $auth=$this->auth; $id=$auth['id']; $info=model('members')->find("id='$id'"); $this->info=$info; $this->path=ROOT.'https://images.seebug.org/upload/member/image/'; $this->twidth=config('HEADW...
PHPYun Talent System Multiple XSS Vulnerabilities (Bypasses 360 Protection)
Brief description: Multiple XSS vulnerabilities in the PHPYun talent system (bypassing 360), affecting the backend and other users. The 360 protection has fallen; what now... Details: Although the PHPYun talent system includes the 360 anti-injection script, which filters ordinary XSS, I accidentally found a bypass that affects many places. First the bypass method: the plain form certainly will not get through, but the modified form does. Where the %20 is inserted is arbitrary; the point is that the complete string must not appear, which gets past 360, and after the data is submitted it changes back, completing the bypass. There are many exploitable XSS spots: wherever there is an editor, insert directly in source mode. Taking the official demo as an example, besides the spots above, XSS code can also be inserted at http://www.hr135.com/friend...
Discuz NT 3.1 XSS Attack via Malicious Image
Brief description: OK, purely amateur; found by accident while using the company's internal forum. Neither Baidu nor Google turned up a similar report, so I'll assume this vulnerability is not stale... Details: Caused by the program parsing image Exif information. First, we can edit the image's details ourselves, as shown: Then, when adding an attachment to a reply, as long as the attachment is not inserted, the page reads the image's Exif information and runs the script, like this... Proof of vulnerability:...
MTS MBlaze Ultra Wi-Fi / ZTE AC3633 - Multiple Vulnerabilities
No description provided by source. Author: Ajin Abraham - xboz http://opensecurity.in Product MTS MBlaze 3G Wi-Fi Modem System Version 107 Manufacturer ZTE Model AC3633 import requests import os import urllib2 print "MTS MBlaze Ultra Wi-Fi / ZTE AC3633 Exploit" print "Vulnerabilities" print "Logi...
Raritan PowerIQ 4.1.0 - SQL Injection Vulnerability
No description provided by source. =begin Raritan PowerIQ suffers from an unauthenticated SQL injection vulnerability within an endpoint used during initial configuration of the licensing for the product. This endpoint is still available after the appliance has been fully configured. POST...
Apache 2.4.7 mod_status Scoreboard Handling Race Condition
No description provided by source. -- 0. Sparse summary Race condition between updating httpd's "scoreboard" and mod_status, leading to several critical scenarios like heap buffer overflow with user supplied payload and leaking heap which can leak critical memory containing htaccess credentials, s...
World Of Warcraft 3.3.5a (macros-cache.txt) - Stack Overflow
No description provided by source. Exploit Title: World Of Warcraft 3.3.5a Stack Overflow macros-cache.txt Date: 21 Jul 2014 Exploit Author: Alireza Chegini @nimaarek Vendor Homepage: http://us.battle.net/wow/ Version: 3.3.5a Tested on: Win7 Output: --WoWError CrashDUmp : World of WarCraft build...
c99 2.0 Login Bypass Vulnerability
@extract($_REQUEST["c99shcook"]); This line causes variable overwriting, which can set $login=0 and log in directly: if ($login) if (empty($md5pass)) $md5pass = md5($pass); if ($_SERVER["PHP_AUTH_USER"] != $login or md5($_SERVER["PHP_AUTH_PW"]) != $md5pass) if ($logintxt === false) $logintxt = ""; elseif (empty($logintxt)) $logintxt = strip_tags(ereg_replace("&nbsp;|<br>", " ", $donatedhtml));...
TinyShop SQL Injection 1 (Ignores GPC)
Brief description: TinyShop SQL Injection 1 (ignores GPC). Details: The admin login page has a check function; unsafe value retrieval leads to SQL injection. /controller/controllerclass.php: public function check() $this->safebox = Safebox::getInstance(); $this->title='后台登录'; $code = $this->safebox->get($this->captchaKey); if($code != strtolower(Req::args($this->captchaKey))) $this->msg='验证码错误!';...
FengCMS 1.23 /app/controller/downController.php Arbitrary File Download Vulnerability
No description provided by source...