finecms front-end arbitrary file upload vulnerability #1
No description provided by source...
finecms front-end member arbitrary file upload vulnerability #2
No description provided by source...
The micro-engine technology category.ctrl.php arbitrary file deletion
No description provided by source...
thinksns apps\public\Lib\Action\AttachAction.class.php arbitrary file upload
Arbitrary file upload getshell vulnerability in the ajaxUpload function of C:\phpStudy\WWW\apps\public\Lib\Action\AttachAction.class.php. At about line 192 you can see $options['allow_exts'] = t(jiemi($_REQUEST['exts'])); which takes the exts variable and passes it through the jiemi function; the jiemi function in...
FengCms 1.32 system reinstall vulnerability leads to getshell
Enter the ./install/index.php file: alert("系统已安装,如需要重新安装,请手工删除upload目录下的INSTALL文件!");'; echo ''; switch 'step' case '1': // installation license agreement include ABSPATH."/step/step1.php"; break; case '2': // check whether the installation environment meets the requirements = ''; if (extension_loaded('gd')) if (function_exists('imagepng')) .= 'png'; if (function_exists('imagejpeg')) .= ' jpg';...
The micro-engine article.ctrl.php arbitrary file deletion
No description provided by source...
xycms add_article.php sql injection vulnerability
No description provided by source...
xycms add_ad.php sql injection vulnerability
No description provided by source...
Beetel BCM96338 Router - Unauthenticated DNS Change Exploit
#!/bin/bash Beetel BCM96338 ADSL Router Unauthenticated Remote DNS Change Exploit Copyright 2017 (c) Todor Donev https://www.ethical-hacker.org/ https://www.facebook.com/ethicalhackerorg Description: The vulnerability exists in the web interface, which is accessible without authentication. Once...
TP-Link WR841N code execution( CVE-2017-9466)
CVE-2017-9466: Why Is My Router Blinking Morse Code? We recently discovered two vulnerabilities in TP-Link’s WR841N V8 router that we exploited to obtain custom code execution on the router. After working closely with the vendor to patch the router’s firmware, we are disclosing the details of our...
nuevoMailer version 6.0 and earlier time-based SQL Injection
Description: SQL injection vulnerability in rdr.php in nuevoMailer version 6.0 and earlier allows remote attackers to execute arbitrary SQL commands via the "r" parameter. PoC: https://vulnerablesite.com/inc/rdr.php?r=69387c602c1056c556time based SQL INJ...
DLink DSL-2640U - Unauthenticated DNS Change Exploit
#!/bin/bash D-Link ADSL DSL-2640U IM1.00 Unauthenticated Remote DNS Change Exploit Copyright 2017 (c) Todor Donev https://www.ethical-hacker.org/ https://www.facebook.com/ethicalhackerorg Description: The vulnerability exists in the web interface, which is accessible without authentication. Onc...
DLink DSL-2640B - Unauthenticated Remote DNS Change Exploit
#!/bin/bash D-Link ADSL DSL-2640B GE1.07 Unauthenticated Remote DNS Change Exploit Copyright 2017 (c) Todor Donev https://www.ethical-hacker.org/ https://www.facebook.com/ethicalhackerorg Description: The vulnerability exists in the web interface, which is accessible without authentication. Onc...
iBall Baton iB-WRA150N - Unauthenticated DNS Change Exploit
#!/bin/bash iBall Baton iB-WRA150N Unauthenticated Remote DNS Change Exploit Copyright 2016 (c) Todor Donev https://www.ethical-hacker.org/ https://www.facebook.com/ethicalhackerorg Description: The vulnerability exists in the web interface, which is accessible without authentication. Once...
UTstarcom WA3002G4 - Unauthenticated DNS Change Exploit
#!/bin/bash UTstarcom WA3002G4 Unauthenticated Remote DNS Change Exploit Copyright 2017 (c) Todor Donev https://www.ethical-hacker.org/ https://www.facebook.com/ethicalhackerorg Description: The vulnerability exists in the web interface, which is accessible without authentication. Once modified...
xycms add_book.php sql injection vulnerability
No description provided by source...
finecms a getshell
No description provided by source...
finecmsV5.0.8 \finecms\dayrui\controllers\member\Account.php getshell
Vulnerability in the file C:\phpStudy\WWW\finecms\dayrui\controllers\member\Account.php, in the upload function: public function upload() { // Create the picture storage folder $dir = SYS_UPLOAD_PATH.'/member/'.$this->uid.'/'; @dr_dir_delete($dir); !is_dir($dir) && dr_mkdirs($dir); if ($_POST['tx']) { $file = str_replace(' ...
finecmsV5.0.8 \finecms\dayrui\controllers\Api.php getshell
Vulnerability in the data2 function of C:\phpStudy\WWW\finecms\dayrui\controllers\Api.php, starting at approximately line 115; the problematic code is at about line 178: public function data2() { $data = array(); // Route authentication if (defined('SYS_REFERER') && strlen(SYS_REFERER)) { $http = $_SERVER['HTTP_REFERER'] ?...
OurPHP member center xss vulnerability
No description provided by source...
"Phoenix Talon" in Linux Kernel
About “Phoenix Talon”: On 9 May 2017, Venustech (Qiming Xingchen) ADLab found that the Linux kernel contains a remote vulnerability, “Phoenix Talon” (the name means “the fourth toe of the phoenix's claw”), covering CVE-2017-8890, CVE-2017-9075, CVE-2017-9076 and CVE-2017-9077; it can affect almost all Linux kernel versions from 2.5.69 onward. Linux...
HP PageWide Printers / HP OfficeJet Pro Printers (OfficeJet Pro 8210) - Arbitrary Code Execution
No description provided by source. Create a bind shell on an unpatched OfficeJet 8210 Write a script to profile.d and reboot the device. When it comes back online then nc to port 1270. easysnmp instructions: sudo apt-get install libsnmp-dev pip install easysnmp import socket import sys from...
Invision Power Board 4.1.19.2 XSS / CSRF / File Upload / Information Disclosure
Description: Invision Power Board version 4.1.19.2 current version as of this release and below, is vulnerable to pre-auth reflected XSS in the IPS UTF8 Converter v1.1.18 and stored XSS in the Announcements. The vulnerability in the IPS UTF8 Converter can easily be used to make a malicious...
Country micro CMS government website system attachment list SQL injection vulnerability
No description provided by source...
Country micro CMS government website system list_picture SQL injection vulnerability
No description provided by source...
Country micro CMS government website system list_ask SQL injection vulnerability
No description provided by source...
Country micro CMS government website system list_content SQL injection vulnerability
No description provided by source...
A Look at SharePoint's Follow Feature XSS (CVE-2017-8514)
A Look at CVE-2017-8514: SharePoint's Follow Feature XSS. TL;DR: All your SharePoint installations are belong to us. The XSS, worth $2500 and affecting both the on-premises and online versions, looks like ... http|https://?FollowSite=0&SiteName='-confirmdocument.domain-' SharePoint needs no more marketing...
Nexus 9 vs. Malicious Headphones, Take Two
Nexus 9 vs. Malicious Headphones, Take Two In March 2017 we disclosed CVE-2017-0510, a critical vulnerability in Nexus 9, that allowed for quite unique an attack by malicious headphones. Interestingly, its patch was insufficient. We had responsibly reported that finding CVE-2017-0648 to Google,...
One of my first sandbox escapes and bugs (CVE-2015-1743)
Advisory link: http://www.zerodayinitiative.com/advisories/ZDI-15-377/ CVE-2015-1743 Demo: https://www.youtube.com/watch?v=6Vtl8kh6keQ Below is one of my first sandbox escapes, and my entry into vulnerability research. My first bugs relied heavily on the work that Forshaw did; my later ones deviat...
Country micro CMS government website system interviews module SQL injection vulnerability
No description provided by source...
ESPCMS CSRF vulnerability allows adding an arbitrary administrator
No description provided by source...
Craft CMS 2.6 - Cross-Site Scripting/Unrestricted File Upload
Technical Details & Description: ================================ The security risk of the xss vulnerability is estimated as medium with a common vulnerability scoring system count of 3.6. Exploitation of the persistent xss web vulnerability requires a limited editor user account with low...
Pivotal Spring Web Flow Security Bypass Vulnerability(CVE-2017-4971)
Author: iswin@ThreatHunter A. Vulnerability description: This vulnerability was only submitted to the vendor at the beginning of June, and the vendor has published no detailed information. By comparing the official description with the patch, we can roughly infer that it should be the Spring Web...
Cicada-known cms 6.2 CSRF vulnerability
No description provided by source...
VMware vSphere Data Protection 5.x/6.x - Java Deserialization(CVE-2017-4914)
No description provided by source. #!/usr/bin/env python import socket import sys import ssl def getHeader(): return '\x4a\x52\x4d\x49\x00\x02\x4b' def payload(): cmd = sys.argv[4] cmdlen = len(cmd) data2 =...
espcms sex parameter sql injection
No description provided by source...
xycms b_title parameter sql injection vulnerability
No description provided by source...
OurPHP stored xss
No description provided by source...
Multiple Vulnerabilities in peplink balance routers
Multiple Vulnerabilities in peplink balance routers =================================================== Overview -------- Confirmed Affected Versions: 7.0.0-build1904 Confirmed Patched Versions: fw-b305hw2380hw6580hw2710hw31350hw22500-7.0.1-build2093.bin Vulnerable Firmware:...
WebKit JSC emitPutDerivedConstructorToArrowFunctionContextScope Incorrect Check(CVE-2017-2531)
WebKit: JSC: incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope. When a super expression is used in an arrow function, the following bytecode-generating code is called: if (needsToUpdateArrowFunctionContext() && !codeBlock->isArrowFunction()) { bool canReuseLexicalEnvironment =...
WebKit: Element::setAttributeNodeNS UAF
WebKit: Element::setAttributeNodeNS UAF. Here's a snippet of Element::setAttributeNodeNS: ExceptionOr<RefPtr<Attr>> Element::setAttributeNodeNS(Attr& attrNode) { ... setAttributeInternal(index, attrNode.qualifiedName(), attrNode.value(), NotInSynchronizationOfLazyAttribute); attrNode.attachToElement(*this);...
WebKit: UXSS via CachedFrameBase::restore
This is similar to the case https://bugs.chromium.org/p/project-zero/issues/detail?id=1151. But this time, JavaScript handlers may be fired in FrameLoader::open: void FrameLoader::open(CachedFrameBase& cachedFrame) { ... clear(document, true, true, cachedFrame.isMainFrame()); Click anywhere... function...
WebKit: UXSS: CachedFrame doesn't detach openers(CVE-2017-2528)
When a document loads "about:blank" or "about:srcdoc", it tries to inherit the security origin from its parent frame, or its opener frame if the parent frame doesn't exist. Normally, it doesn't happen that a subframe's document inherits its opener frame's security origin, because it has the paren...
WebKit: UXSS via Document::prepareForDestruction and CachedFrame
WebKit: UXSS via Document::prepareForDestruction and CachedFrame. Here's a snippet of Document::prepareForDestruction: void Document::prepareForDestruction() { if (m_hasPreparedForDestruction) return; ... detachFromFrame(); m_hasPreparedForDestruction = true; } Document::prepareForDestruction is called on the...
WebKit Unspecified Memory Corruption Vulnerability(CVE-2017-2521)
WebKit: JSC: JSObject::ensureLength doesn't check if ensureLengthSlow failed. Here's a snippet of JSObject::ensureLength: bool WARN_UNUSED_RETURN ensureLength(VM& vm, unsigned length) { ASSERT(length ... vectorLength() ... publicLength() ... setPublicLength(length); return result; } |setPublicLength| is called whether...
Exploiting an integer overflow with array spreading (WebKit)
This article is about CVE-2017-2536 / ZDI-17-358, a classic integer overflow while computing an allocation size, leading to a heap-based buffer overflow. It was introduced in 99ed479, which improved the way JavaScriptCore handled ECMAScript 6 spreading operations, and discovered by saelo in...
HP JetDirect unauthorized access
HP JetDirect unauthorized access. Vulnerability details: HP printers offer telnet remote management with no password set by default. A large number of devices are exposed on the public Internet, and an attacker may remotely view the printer's various details, its usage state, and the detailed configuratio...
Music Bang CMS system generic SQL injection vulnerability
No description provided by source...
xycms edit_book.php page id parameter SQL injection vulnerability
No description provided by source...