56796 matches found
Full Disclosure of Highly-Manipulatable, tradeTrap-Affected ERC20 Tokens in Multiple Top Exchanges(CVE-2018-11446)
Update: 2018-06-12 The BMB BMB contract 0x0e935e976a47342a4aee5e32ecf2e7b59195e82f is NOT affected by tradeTrap. We sincerely apologize for mistakenly listing it as a vulnerable ERC20 token. Quoted from our last blog 1, “publicly tradable ERC-20 tokens have considerable high market value. Various...
NUCMS V1.1 Admin Backend SQL Injection
...
Shopex Admin Backend Getshell
...
MetInfo 6.0.0 Arbitrary File Read Vulnerability
...
UsualToolCMS 8.0 System Installation Allows Getting a Shell
...
Vodafone Spain console Information Disclosure
...
DouPHP - Multiple Physical Path Disclosures
...
Major Vulnerabilities in Foscam Cameras
For the past several months, VDOO’s security research teams have been undertaking broad-scale security research of leading IoT products, from the fields of safety and security. In most cases, the research was carried out together with the device vendors for the sake of efficiency and transparency...
XXE in WeChat Pay SDK
Background “Mobile payments surge to $9 trillion a year, changing how people shop, borrow—even panhandle”, as WSJ.com once reported. As a payment security researcher, I occasionally found a perilous problem about WeChat Pay which I think may be easy to make use of. Therefore, I hope to be able to...
Mikrotik Winbox Arbitrary File Access Vulnerability
In April 23rd 2018, Mikrotik fixed a vulnerability “that allowed gaining access to an unsecured router”. myself and @yalpanian of BASU CERT reverse engineering lab tried to figure out what exactly got fixed, what was the problem in the first place and how severe was the impact of it. UPDATE: full...
Teradek Cube 7.3.6 (snapshot.cgi) Stream Disclosure
Summary Cube packs world-class video quality into a rugged, portable chassis for quick IP video deployments at any location. Each encoder and decoder includes HDMI and 3G-SDI I/O, Ethernet / WiFI connectivity, and full duplex IFB. Description Cube suffers from an unauthenticated and unauthorized...
KYOCERA Multi-Set Template Editor 3.4 Out-Of-Band XML External Entity Injection
Summary KYOCERA Net Admin is Kyocera's unified device management software that uses a web-based platform to give network administrators easy and uncomplicated control to handle a fleet for up to 10,000 devices. Tasks that used to require multiple programs or walking to each printer can now be...
Teradek Cube 7.3.6 CSRF Change Password Exploit
Summary Cube packs world-class video quality into a rugged, portable chassis for quick IP video deployments at any location. Each encoder and decoder includes HDMI and 3G-SDI I/O, Ethernet / WiFI connectivity, and full duplex IFB. Description The application interface allows users to perform...
AsusWRT RT-AC750GF - Cross-Site Request Forgery (Change Admin Password)
Vendor Homepage: https://www.asus.com/ Firmware Link: http://dlcdnet.asus.com/pub/ASUS/wireless/RT-AC750GF/FWRTAC750GF30043806038.zip Firmware Version: 3.0.0.4.380.6038 Tested on: ASUS RT-AC750GF with default firmware version 3.0.0.4.380.6038 Proof Of Concept -- // set username at admin // set...
Teradek T-RAX 7.3.2 (snapshot.cgi) Stream Disclosure
Summary T-RAX is a high-density enterprise-grade H.264 platform that encodes, decodes, and streams video at broadcast quality. Description T-RAX suffers from an unauthenticated and unauthorized live stream disclosure when snapshot.cgi script is called. Vendor Teradek, LLC - https://www.teradek.co...
Teradek VidiU Pro 3.0.3 SSRF Vulnerability
Summary The Teradek VidiU gives you the freedom to broadcast live high definition video directly to the Web without a PC. Whether you're streaming out of a video switcher or wirelessly from your camera, VidiU allows you to go live when you want, where you want. VidiU offers API level integration...
Teradek VidiU Pro 3.0.3 (snapshot.cgi) Stream Disclosure
Summary The Teradek VidiU gives you the freedom to broadcast live high definition video directly to the Web without a PC. Whether you're streaming out of a video switcher or wirelessly from your camera, VidiU allows you to go live when you want, where you want. VidiU offers API level integration...
BEESCMS 4.0 - Cross-Site Request Forgery (Add Admin)(CVE-2018-12739)
history.pushState'', '', '/'...
Teradek VidiU Pro 3.0.3 CSRF Change Password Exploit
Summary The Teradek VidiU gives you the freedom to broadcast live high definition video directly to the Web without a PC. Whether you're streaming out of a video switcher or wirelessly from your camera, VidiU allows you to go live when you want, where you want. VidiU offers API level integration...
RabbitMQ Web Management < 3.7.6 - Cross-Site Request Forgery (Add Admin)
Add RabbitMQ Admin window.onload = rabbit.submit...
Teradek Slice 7.3.15 CSRF Change Password Exploit
Summary Built on the award-winning Cube platform, Slice is a rack mount HEVC / H.264 codec designed to fit seamlessly into your broadcast studio. Like the Cube, Slice encoders and decoders includes 3G-SDI and HDMI I/O, Ethernet and WiFi connectivity, and full duplex IFB. Description The applicati...
KYOCERA Net Admin 3.4 Multiple XSS Vulnerabilities
Summary KYOCERA Net Admin is Kyocera's unified device management software that uses a web-based platform to give network administrators easy and uncomplicated control to handle a fleet for up to 10,000 devices. Tasks that used to require multiple programs or walking to each printer can now be...
TP-Link TL-WA850RE - Remote Command Execution
!/usr/bin/env python Exploit Title: TP-Link Technologies TL-WA850RE Wi-Fi Range Extender - Command Execution Date: 19/06/2018 Exploit Author: yoresongo - Advisability S.A.S Colombia www.advisability.co Vendor Homepage: https://www.tp-link.com/ Firmware Link:...
Teradek Slice 7.3.15 (snapshot.cgi) Stream Disclosure
Summary Built on the award-winning Cube platform, Slice is a rack mount HEVC / H.264 codec designed to fit seamlessly into your broadcast studio. Like the Cube, Slice encoders and decoders includes 3G-SDI and HDMI I/O, Ethernet and WiFi connectivity, and full duplex IFB. Description Slice suffers...
KYOCERA Net Admin 3.4 CSRF Add Admin Exploit
Summary KYOCERA Net Admin is Kyocera's unified device management software that uses a web-based platform to give network administrators easy and uncomplicated control to handle a fleet for up to 10,000 devices. Tasks that used to require multiple programs or walking to each printer can now be...
Foxes Among Us :: Foxit Reader Vulnerability Discovery and Exploitation
After discovering over 100 vulnerabilities in Foxit Reader, I figured it was about time I shared a full exploit chain that defeats ASLR and DEP. The first vulnerability is an uninitialized buffer that I found independently and was later killed by bit from meepwn. I leveraged this for an informati...
WordPress File Delete to Code Execution
WordPress is the most popular CMS on the web. According to w3tech, it is used by approximately 30% of all websites1. This wide adoption makes it an interesting target for cyber criminals. In this blog post we are going to introduce an authenticated arbitrary file deletion vulnerability in the...
eyoucms V1.0.4 Admin Backend Arbitrary File Read Vulnerability
...
pharoscontrols Information Disclosure
pharoscontrols Unauthorized Information Disclosure zoomeye dork : https://www.zoomeye.org/searchResult?q=%22Location%3A%20%2Fdefault%2Findex.lsp%22 Remote administration interface http://xx.xx.xx.xx/default/index.lsp Unauthorized Logfile Disclosure http://xx.xx.xx.xx/default/log.lsp...
BWS Systems HA-Bridge is Bridge Application for IoT And They do not require any certification
BWS Systems HA-Bridge is Bridge Application for IoT And They do not require any certification There are 607 HA-Bridge had Exposed on the internet in ZoomEye : https://www.zoomeye.org/searchResult?q=%22HA%20Bridge%22 Bridge Device list unauth access Bridge Settings page http://xx.xx.xx.xx/!/system...
Baseon Lantronix MSS IOT/Cameras Device Servers telnet-Service NO require password authentication
Baseon Lantronix MSS IOT/Cameras Device Servers telnet-Service NO require password authentication had Exposed on the internet in ZoomEye : https://www.zoomeye.org/searchResult?q=%22prompt%20for%20assistance%22%20%2Bport:%2223%22&t=all login telnet with no password...
The Brickstream line of sensors provides highly accurate, anonymous information about how people move into, around, and out of physical places
The Brickstream line of sensors provides highly accurate, anonymous information about how people move into, around, and out of physical places Brickstream in ZoomEye: https://www.zoomeye.org/searchResult?q=%22%3Ctitle%3EBrickstream%22 ip info http://xx.xx.xx.xx/basic.htmlipsettings datadelivery...
Sollae Systems (Serial-Ethernet-Module/Remote-I/O-Device-Server etc.) Telnet-Service Unauthorized access
3,200 Sollae Systems Serial-Ethernet-Module/Remote-I/O-Device-Server etc. Telnet-Service had Exposed on the internet : https://www.zoomeye.org/searchResult?q=%22Sollae%20Systems%22%20%2Bport:%2223%22&t=all There are 1,300 in 2018, Almost in Korea. Most devices do not require password authenticatio...
Nep Inverter Monitor Information Disclosure
Nep Inverter Monitor Information Disclosure zoomeye: https://www.zoomeye.org/searchResult?q=%22nep%2Fstatus%2Findex%2F%22 Energy overvie Disclosure http://xx.xx.xx.xx//nep/status/index/1...
Electro Industries GaugeTech Nexus series Products Information Disclosure
Electro Industries GaugeTech Nexus series Products Information Disclosure Web Solutions in ZoomEye : https://www.zoomeye.org/searchResult?q=%22%3Ctitle%3ETotal%20Web%20Solutions%3C%2Ftitle%3E%22%20%2B%22Server%3A%20EIG%20Embedded%20Web%20Server%22 The default does not require authenticated...
Emerson Liebert IntelliSlot Web Card family delivers enhanced communications and control to Liebert UPS,AC Power and Thermal Management systems Unauthorized access
Emerson Liebert IntelliSlot Web Card family delivers enhanced communications and control to Liebert UPS,AC Power and Thermal Management systems Unauthorized access. Lots of them No authentication required and The Management configuration uses the default password. Liebert:Liebert devices in ZoomEy...
SAJ Solar Inverter Information Disclosure
...
Insteon Hub HTTPExecuteGet Parameters Extraction Code Execution Vulnerability(CVE-2017-14446)
Summary An exploitable stack-based buffer overflow vulnerability exists in Insteon Hub running firmware version 1012. The HTTP server implementation unsafely extracts parameters from the query string, leading to a buffer overflow on the stack. An attacker can send an HTTP GET request to trigger...
Insteon Hub PubNub Firmware Downgrade Vulnerability (CVE-2018-3833)
Summary An exploitable firmware downgrade vulnerability exists in Insteon Hub running firmware version 1013. The firmware upgrade functionality, triggered via PubNub, retrieves signed firmware binaries using plain HTTP requests. The device doesn't check the firmware version that is going to be...
Insteon Hub HTTPExecuteGet Firmware Update Information Leak Vulnerability(CVE-2017-14443)
Summary An exploitable information leak vulnerability exists in Insteon Hub running firmware version 1012. The HTTP server implementation incorrectly checks the number of GET parameters supplied, leading to an arbitrarily controlled information leak on the whole device memory. An attacker can sen...
Cisco Adaptive Security Appliance - Path Traversal (CVE-2018-0296)
!/usr/bin/python -- coding: utf-8 -- from pocsuite.net import req from pocsuite.poc import POCBase, Output from pocsuite.utils import register import urlparse class TestPOCPOCBase: name = "Cisco Adaptive Security Appliance - Path Traversal" vulID = 'CVE-2018-0296' author = 'sebao' vulType = 'Path...
Insteon Hub PubNub control Channel Message Handler Code Execution Vulnerabilities(CVE-2017-14452~CVE-2017-14455)
Summary Multiple exploitable buffer overflow vulnerabilities exists in the PubNub message handler for the "control" channel of Insteon Hub running firmware version 1012. Specially crafted replies received from the PubNub service can cause buffer overflows on a global section overwriting arbitrary...
Insteon Hub PubNub Firmware Upgrade Confusion Permanent Denial Of Service Vulnerability(CVE-2018-3834)
Summary An exploitable permanent denial of service vulnerability exists in Insteon Hub running firmware version 1013. The firmware upgrade functionality, triggered via PubNub, retrieves signed firmware binaries using plain HTTP requests. The device doesn't check the kind of firmware image that is...
OurPHP 1.8 Admin Backend Arbitrary File Read Vulnerability
...
Insteon Hub MPFS Upload Firmware Update Vulnerability(CVE-2018-3832)
Summary An exploitable firmware update vulnerability exists in Insteon Hub running firmware version 1013. The HTTP server allows for uploading arbitrary MPFS binaries that could be modified to enable access to hidden resources which allow for uploading unsigned firmware images to the device. To...
Insteon Hub HTTPExecuteGet Firmware Update host Parameter Buffer Overflow Vulnerability(CVE-2017-14445)
Summary An exploitable buffer overflow vulnerability exists in Insteon Hub running firmware version 1012. The HTTP server implementation incorrectly handles the host parameter during a firmware update request, leading to a buffer overflow on a global section. An attacker can send an HTTP GET...
Insteon Hub Reboot Task Denial Of Service Vulnerability(CVE-2017-16348)
Summary An exploitable denial of service vulnerability exists in Insteon Hub running firmware version 1012. Leftover demo functionality allows for arbitrarily rebooting the device without authentication. An attacker can send an UDP packet to trigger this vulnerability. Tested Versions Insteon Hub...
Insteon Hub PubNub "cc" Channel Message Handler Multiple Global Overflow Code Execution Vulnerabilities(CVE-2017-16338 ~CVE-2017-16347)
Summary Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the "cc" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a buffer overflow on a global section overwriting arbitrary data...
Insteon Hub PubNub "ad" Channel Message Handler Code Execution Vulnerability(CVE-2017-14447)
Summary An exploitable buffer overflow vulnerability exists in the PubNub message handler for the "ad" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker...
CirCarLife Scada Unauthorized Access Information Disclosure
...