zzcms arbitrary file deletion
No description provided by source...
zzcms: an arbitrary file deletion
No description provided by source...
WeiPHP frontend XSS vulnerability
No description provided by source...
zzcms 8.1 backend stored XSS
No description provided by source...
Discuz X3.3 authkey generation algorithm security vulnerability and backend arbitrary code execution vulnerability
0x00 Background. On August 1, 2017, Discuz officially released the latest version, X3.4, which fixes multiple security issues. 360CERT and the 360 0KEE Team then followed up on the event. 0x01 Vulnerability overview. 360CERT and the 360 0KEE Team, by comparing Discuz X3...
SQL Injection (CVE-2017-12650) and CSRF (CVE-2017-12651) Security Vulnerability in Loginizer
As part of a vulnerability research project for our WordPress Security Scanner at WPcans.com, we have been auditing popular WordPress plugins looking for security issues. While auditing the WordPress plugin Loginizer, we discovered a SQL Injection vulnerability and a Cross-Site Request Forgery...
Foxit Reader command injection (CVE-2017-10951) and file writing vulnerability (CVE-2017-10952)
A tale about Foxit Reader - Safe Reading mode and other vulnerabilities. Some days ago someone sent me the following link, which describes two vulnerabilities in Foxit Reader: http://thehackernews.com/2017/08/two-critical-zero-day-flaws-disclosed.html These two vulnerabilities are similar to the...
zzcms 8.1 /user/adv2.php SQL injection
No description provided by source...
Symantec Messaging Gateway <= 10.6.3-2 unauthenticated root RCE (CVE-2017-6327)
Bug 1: Web authentication bypass The web management interface is available via HTTPS, and you can't do much without logging in. If the current session identified by the JSESSIONID cookie has the user attribute set, the session is considered authenticated. The file LoginAction.class defines a numb...
phpmywind <=5.4 backend blind injection, verified against the official website demo
No description provided by source...
zzcms 8.1 /user/zxadd.php SQL injection vulnerability
No description provided by source...
Microsoft Edge Security Bypass Vulnerability (CVE-2017-8637)
There is an issue in Chakra JIT server that can be potentially exploited to compromise the JIT process from a compromised browser content process. Bugs like this could potentially be used to bypass ACG Arbitrary Code Guard in Microsoft Edge. The issue has been confirmed on a ChakraCore build from...
zzcms 8.1 stored XSS + CSRF can steal all user cookies
No description provided by source...
Microsoft Edge: Chakra: incorrect jit optimization with TypedArray setter #3 (CVE-2017-8601)
Coincidentally, Microsoft released the patch for the issue 1290 the day after I reported it. But it seems they fixed it incorrectly again. This time, "func(a, b, i);" is replaced with "func(a, b, {});". PoC: 'use strict'; function func(a, b, c) { a[0] = 1.2; b[0] = c; a[1] = 2.2; a[0] = 2.3023e-320; } function main...
Microsoft Edge: Chakra: Integer overflow in EmitNew (CVE-2017-8636)
The bytecode generator uses the "EmitNew" function to handle new operators. Here's the code how the function checks for integer overflow. void EmitNew(ParseNode* pnode, ByteCodeGenerator* byteCodeGenerator, FuncInfo* funcInfo) { Js::ArgSlot argCount = pnode->sxCall.argCount; argCount++; // include "this"...
Microsoft Edge: Chakra: Uninitialized arguments (CVE-2017-8640)
Here's a snippet of "ParseVariableDeclaration" which is used for parsing declarations. template<bool buildAST> ParseNodePtr Parser::ParseVariableDeclaration(tokens declarationType, charcount_t ichMin, BOOL fAllowIn/* = TRUE*/, BOOL* pfForInOk/* = nullptr*/, BOOL singleDefOnly/* = FALSE*/, BOOL allowInit/* = TRUE*/, BOOL...
Microsoft Edge: Chakra: JavascriptFunction::EntryCall doesn't handle CallInfo properly (CVE-2017-8671)
Here's the method. Var JavascriptFunction::EntryCall(RecyclableObject* function, CallInfo callInfo, ...) { PROBE_STACK(function->GetScriptContext(), Js::Constants::MinStackDefault); RUNTIME_ARGUMENTS(args, callInfo); ScriptContext* scriptContext = function->GetScriptContext(); Assert(!(callInfo.Flags & CallFlags_New));...
zzcms latest version admin\about.php SQL injection
No description provided by source...
Microsoft Edge: Chakra: Type confusion in JavascriptArray::ConcatArgs (CVE-2017-8634)
Let's assume that the following method is called with "firstPromotedItemIsSpreadable = true", and "args" has two elements, an array and an integer 0x1234, sequentially. In the first loop, "aItem" is an array, and "firstPromotedItemIsSpreadable" remains true because the condition for the fast path i...
Microsoft Edge: Chakra: incorrect jit optimization with TypedArray setter #2 (CVE-2017-8548)
I think the fix for 1045 is incorrect. Here's the original PoC. 'use strict'; function func(a, b, c) { a[0] = 1.2; b[0] = c; a[1] = 2.2; a[0] = 2.3023e-320; } function main() { var a = [1.1, 2.2]; var b = new Uint32Array(100); // force to optimize for (var i = 0; i ... a[0] = ...; return 0; ... } a[0].toString(); } main(); I just changed...
Microsoft Edge: Chakra: Incorrect usage of PushPopFrameHelper in InterpreterStackFrame::ProcessLinkFailedAsmJsModule (CVE-2017-8646)
PushPopFrameHelper is a class that pushes the current stack frame object in its constructor and pops it in the destructor. So it should be used like "PushPopFrameHelper holder...", but InterpreterStackFrame::ProcessLinkFailedAsmJsModule uses it like a function. Var...
zzcms user/msg.php SQL injection and stored XSS
No description provided by source...
Microsoft Edge: Chakra: InterpreterStackFrame::ProcessLinkFailedAsmJsModule incorrectly re-parses (CVE-2017-8645)
When Chakra fails to link an asmjs module, it tries to re-parse the failed-to-link asmjs function to treat it as a normal javascript function. But it incorrectly handles the case where the function is a class. It starts to parse from the start of the class declaration instead of the constructor. ...
Microsoft Edge Scripting Engine Remote Memory Corruption Vulnerability (CVE-2017-8656)
function trigger() { try { } catch (x) { var x = 1; print(x); } } trigger(); When Chakra executes the above code, it declares two "x"s. One is only for the catch scope, the other is for the whole function scope. The one for the whole function scope is initialized with undefined at the start of the function. If the...
Microsoft Edge: Chakra: Incorrect usage of TryUndeleteProperty (CVE-2017-8635)
Chakra implemented the reuse of deleted properties of an unordered dictionary object with the following code. bool SimpleDictionaryUnorderedTypeHandler::TryReuseDeletedPropertyIndex(DynamicObject *const object, TPropertyIndex *const propertyIndex) { if (deletedPropertyIndex == PropertyIndexRanges<TPropertyIndex>::NoSlo...
Microsoft Edge: Out-of-bounds read in CInputDateTimeScrollerElement::_SelectValueInternal (CVE-2017-8644)
The vulnerability has been confirmed on Windows 10 Enterprise 64-bit OS version 1607, OS build 14393.1198 and Microsoft Edge 38.14393.1066.0, Microsoft EdgeHTML 14.14393. PoC: ========================================== input:focus { transform: scale(10); } =========================================...
Microsoft Edge Scripting Engine Information Disclosure Vulnerability (CVE-2017-8659)
There is an issue in Chakra JIT server that can be potentially exploited to compromise the JIT process from a compromised browser content process. Bugs like this could potentially be used to bypass ACG Arbitrary Code Guard in Microsoft Edge. The issue has been confirmed on a ChakraCore build from...
Microsoft Edge Information Disclosure Vulnerability (CVE-2017-8652)
There is a use-after-free vulnerability in Microsoft Edge that can lead to memory disclosure. The vulnerability has been confirmed on Windows 10 Enterprise 64-bit OS version 1607, OS build 14393.1198, Microsoft Edge 38.14393.1066.0, Microsoft EdgeHTML 14.14393. PoC:...
Microsoft Edge: Chakra: Uninitialized arguments 2 (CVE-2017-8670)
Similar to the issue 1297. But this time, it happens in "Parser::ParseFncFormals" with the "PNodeFlags::fpnArguments_overriddenInParam" flag. template<bool buildAST> void Parser::ParseFncFormals(ParseNodePtr pnodeFnc, ParseNodePtr pnodeParentFnc, ushort flags) { ... if (IsES6DestructuringEnabled() &&...
Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2017-8618)
There is a type confusion issue related to how some arithmetic operations are performed in VBScript. To illustrate, see the following simplified code of VbsVarMod: static unsigned char result_lookup_table[18][18] = ... void VbsVarMod(VAR *v1, VAR *v2) { VAR *arith_v1 = v1->PvarGetArithVal(); VAR *arith_v2 =...
Apache Subversion Remote Command Execution Vulnerability (CVE-2017-9800)
Arbitrary code execution on clients through malicious svn+ssh URLs in svn:externals and svn:sync-from-url Summary: ======== A Subversion client sometimes connects to URLs provided by the repository. This happens in two primary cases: during 'checkout', 'export', 'update', and 'switch', when the...
Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch (CVE-2017-1000112)
Bug details: When building a UFO packet with MSG_MORE, ip_append_data() calls ip_ufo_append_data() to append. However, in between two send() calls, the append path can be switched from the UFO to the non-UFO one, which leads to a memory corruption. In case the UFO packet length exceeds the MTU, copy = maxfraglen - skb->len...
OneThink frontend code execution vulnerability
No description provided by source...
WordPress plugin UpdraftPlus SSRF
No description provided by source...
ThinkPHP 5.0.10 / 3.2.3 cache function design flaw can lead to getshell
0x00 Framework environment. ThinkPHP is a free, open-source, fast, simple, object-oriented, lightweight PHP development framework, created to enable agile web application development and to simplify enterprise application development. Since its inception ThinkPHP has adhered to the simple...
Remote Command Execution in git client (CVE-2017-12426)
Remote Command Execution in git client CVE-2017-12426 An external code review performed by Recurity-Labs identified a remote command execution vulnerability in git that could be exploited via the "Repo by URL" import option in GitLab. The command line git client was not properly escaping command...
WordPress plugin UpdraftPlus arbitrary file upload
No description provided by source...
zzcms frontend unrestricted file upload getshell
No description provided by source...
WebFile Explorer 1.0 - Arbitrary File Download
Exploit Title: WebFile Explorer 1.0 - Arbitrary File Download Dork: N/A Date: 09.08.2017 Vendor Homepage: http://speicher.host/ Software Link: https://codecanyon.net/item/webfile-explorer/20366192/ Demo: http://speicher.host/envato/codecanyon/demo/web-file-explorer/ Version: 1.0 Category: Webapp...
DALIM SOFTWARE ES Core 5.0 build 7184.1 - Directory Traversal
DALIM SOFTWARE ES Core 5.0 build 7184.1 Multiple Remote File Disclosures Vendor: Dalim Software GmbH Product web page: https://www.dalim.com Affected version: ES/ESPRiT 5.0 build 7184.1 build 7163.2 build 7163.0 build 7135.0 build 7114.1 build 7114.0 build 7093.1 build 7093.0 build 7072.0 build...
OurPHP frontend arbitrary file write
No description provided by source...
D-Link 850L Multiple Vulnerabilities (Hack2Win Contest)
Vulnerabilities Summary: The following advisory describes three (3) vulnerabilities found in the D-Link 850L router. The vulnerabilities have been reported as part of the Hack2Win competition; for more information about Hack2Win see https://blogs.securiteam.com/index.php/archives/3310. The...
MetInfo 5.3.17 frontend SQL injection vulnerability
On August 1, MetInfo released an upgraded version that fixes a SQL injection vulnerability affecting versions up to and including 5.3.17, which can be traced back to almost all 5.x versions. This SQL injection is not blocked by the software WAF and can directly access the data; the impact is...
Synology Photo Station Unauthenticated Remote Code Execution
Vulnerability Summary The following advisory describes a Remote Code Execution found in Synology Photo Station versions 6.7.3-3432 and earlier / 6.3-2967 and earlier. Personal Photo Station is an online photo album with blog owned and managed by a DSM user. Synology NAS provides the home/photo...
VirtualBox: Windows Process DLL UNC Path Signature Bypass EoP (CVE-2017-10129)
VirtualBox: Windows Process DLL UNC Path Signature Bypass EoP Platform: VirtualBox v5.1.22 r115126 x64 Tested on Windows 10 Class: Elevation of Privilege Summary: The process hardening implemented by the VirtualBox driver can be circumvented to load arbitrary code inside a VirtualBox process givi...
SMBLoris Denial Of Service
There's a lot of talk about SMBLoris but nobody seems to have written a public efficient PoC yet, so I gave it a shot. A single instance takes down a fully patched Windows 10 Pro box with 8GiB of RAM in less than 10 seconds. I tried using Scapy initially, but it's dog slow, so I went with C. The...
Remote Exploitation of the NeoCoolcam IP Cameras and Gateway
Foreword The Internet of Connected Things has become a massive phenomenon during the past few years and will continue to grow at an incredible pace. More than 26 billion smart devices will be on the market by 2020, Gartner estimates. We’re looking at an explosive growth, as IoT opportunities...
Preferred Guest 365 site classification navigation system: SQL injection vulnerability via HTTP_REFERER
No description provided by source...
Solarwinds Kiwi Syslog 9.6.1.6 - Denial of Service
Exploit Title: Solarwinds Kiwi Syslog 9.6.1.6 - Remote Denial of Service Type Mismatch Date: 26/05/2017 Exploit Author: Guillaume Kaddouch Twitter: @gkweb76 Blog: https://networkfilter.blogspot.com GitHub: https://github.com/gkweb76/exploits Vendor Homepage: http://www.solarwinds.com/ Software...
DotNetNuke arbitrary code execution vulnerability (CVE-2017-9822)
0x00 Background. DNN uses web cookies to identify users. A malicious user can decode one of such cookies and identify who that user is, and possibly impersonate other users and even upload malicious code to the server. -- DNN security center. On July 5, 2017, the DNN security team released ...