56796 matches found

seebug.org
added 2018/06/21 12:0 a.m., 58 views

Unauthenticated Privileged Directory Traversal in IPConfigure Orchid Core VMS(CVE-2018-10956)

Affected Software: IPConfigure Orchid Core VMS All versions 2.0.6, tested on Linux and Windows Vulnerability: Unauthenticated Privileged Directory Traversal CVE: CVE-2018-10956 Impact: Arbitrary File Read Access Metasploit module:...

AI score: 7.5, EPSS: 0.56318
Exploits: 6

seebug.org
added 2018/06/21 12:0 a.m., 53 views

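phpMyAdmin 4.8.1 back-end getshell

The latest version downloaded from the official site; the file name is phpMyAdmin-4.8.1-all-languages.zip. The problem is in /index.php. Find lines 5563. Line 61 contains include $REQUEST'target'; this is clearly a precursor to LFI, and we only need to bypass the restrictions at 5559. Line 57 requires that the target parameter not start with index. Line 58 requires that the target parameter not appear in $targetblacklist. Find the definition of $targetblacklist: it is at line 50 of /index.php. As long as the target parameter is not import.php or export.php...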

AI score: 7.4
Exploits: 0

seebug.org
added 2018/06/21 12:0 a.m., 576 views

Microsoft wimgapi LoadIntegrityInfo Code Execution Vulnerability(CVE-2018-8210)

Summary An exploitable heap corruption exists in the LoadIntegrityInfo function of wimgapi version 10.0.16299.15 WinBuild.160101.0800. A crafted WIM image can lead to a heap corruption, resulting in direct code execution. Tested Versions WIMGAPI 10.0.16299.15 WinBuild.160101.0800 Product URLs...

CVSS: 7.2, AI score: 8.5, EPSS: 0.24706
Exploits: 1

seebug.org
added 2018/06/21 12:0 a.m., 42 views

CirCarLife Scada unauthorized access information disclosure

...

AI score: 1.3
Exploits: 0

seebug.org
added 2018/06/20 12:0 a.m., 337 views

AVTECH {DVR/NVR/IPC} IPCP API RCE

!/usr/bin/env python2.7 SOF Subject: AVTECH DVR/NVR/IPC IPCP API admin l/p, RCE 2018 bashis Attack vector: Remote Authentication: Anonymous no credentials needed Researcher: bashis March 2018 Authenticated Reverse Shell; Using admin l/p that we can retrieve with unauthenticated and undocumented...

AI score: 7.4
Exploits: 0

seebug.org
added 2018/06/20 12:0 a.m., 41 views

NUCMS front-end SQL injection vulnerability--2

...

AI score: 1.1
Exploits: 0

seebug.org
added 2018/06/19 12:0 a.m., 84 views

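Reliable Controls® MACH-ProWebCom™ unauthorized access information disclosure

MACH-ProWebCom™ is a fully freely programmable BACnet® building controller with a powerful built-in web server. With the Reliable Controls® MACH-ProWebCom™, a building automation system can be published to the network quickly and easily. The MACH-ProWebCom™ web service allows unauthorized access, through which sensitive information such as the service configuration can be downloaded. MACH-ProWebCom™, a fully programmable BACnet® Building Controller with a powerful, built-in Web server. It can post your building graphics to t...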

AI score: 0.1
Exploits: 0

seebug.org
added 2018/06/19 12:0 a.m., 272 views

ColdFusion RCE(CVE-2018-4939)

In October 2017 I published an overview and video proof-of-concept of a Java RMI/deserialization vulnerability affecting the Flex Integration service of Adobe ColdFusion. I held off on publishing all of the details and exploit code at the time because I spotted an additional exploit payload that...

CVSS: 7.5, AI score: 8.7, EPSS: 0.63304
Exploits: 3

seebug.org
added 2018/06/14 12:0 a.m., 103 views

ecshop 2.7.3 code execution vulnerability

...

AI score: 0.9
Exploits: 0

seebug.org
added 2018/06/14 12:0 a.m., 74 views

Code Injection in Moodle

Moodle is a widely-used open-source e-Learning software with more than 127 million users allowing teachers and students to digitally manage course activities and exchange learning material, often deployed by large universities. In this post we will examine the technical intrinsics of a critical...

AI score: 0.3
Exploits: 0

seebug.org
added 2018/06/13 12:0 a.m., 127 views

NUCMS front-end SQL injection vulnerability

...

AI score: 1.1
Exploits: 0

seebug.org
added 2018/06/12 12:0 a.m., 40 views

cscms getshell

...

AI score: 1.3
Exploits: 0

seebug.org
added 2018/06/08 12:0 a.m., 125 views

Microsoft Edge: Chakra: Cross context bug(CVE-2018-0946)

Background The CrossSite class is used for passing JavaScript variables across different contexts. Chakra is basically trying to wrap every variable being passed from a context to another context. The way it wraps an object is, first overwrite the virtual function table pointer of the given objec...

CVSS: 7.6, AI score: 7.9, EPSS: 0.51857
Exploits: 4

seebug.org
added 2018/06/08 12:0 a.m., 59 views

MacOS/iOS kernel heap overflow due to lack of lower size check in getvolattrlist(CVE-2018-4243)

getvolattrlist takes a user controlled bufferSize argument via the fgetattrlist syscall. When allocating a kernel buffer to serialize the attr list to there's the following comment: / Allocate a target buffer for attribute results. Note that since we won't ever copy out more than the caller...

AI score: 8.2, EPSS: 0.18831
Exploits: 6

seebug.org
added 2018/06/08 12:0 a.m., 63 views

WebKit: Use-after-free when resuming generator(CVE-2018-4218)

In WebKit, resuming a generator is implemented in JavaScript. An internal object property, @generatorState is used to prevent recursion within generators. In GeneratorPrototype.js, the state is checked by calling: var state = this.@generatorState; and set by calling: generator.@generatorState =...

AI score: 0.1, EPSS: 0.09077
Exploits: 3

seebug.org
added 2018/06/08 12:0 a.m., 33 views

MacOS kernel UAF due to lack of locking in nvidia GeForce driver(CVE-2018-4230)

nvDevice::SetAppSupportBits is external method 0x107 of the nvAccelerator IOService. It calls taskdeallocate without locking. Two threads can race calling this external method to drop two task references when only one is held. Note that the repro forks a child which gives the nvAccelerator a...

AI score: 0.4, EPSS: 0.04164
Exploits: 3

seebug.org
added 2018/06/08 12:0 a.m., 96 views

Google Chrome: Integer Overflow when Processing WebAssembly Locals(CVE-2018-6092)

When v8 decodes the locals of a function, it performs a check: if count + typelist-size kV8MaxWasmFunctionLocals decoder-errordecoder-pc - 1, "local count too large"; return false; On a 32-bit platform, this check can be bypassed due to an integer overflow. This allows the number of function loca...

AI score: 1, EPSS: 0.09186
Exploits: 2

seebug.org
added 2018/06/08 12:0 a.m., 42 views

Microsoft Edge: Chakra: EntrySimpleObjectSlotGetter can have side effects(CVE-2018-8133)

function optw, arr arr0 = 1.1; let res = w.event; arr0 = 2.3023e-320; return res; let arr = 1.1; for let i = 0; i ::EntrySimpleObjectSlotGetter 00007fffd5cf3d50 // w.event 000001a880001235 48ffd0 call rax 000001a880001238 488b8e30bdf0ff mov rcx,qword ptr rsi-0F42D0h 000001a88000123f f2480f104158...

CVSS: 7.6, AI score: 7.7, EPSS: 0.5094
Exploits: 4

seebug.org
added 2018/06/08 12:0 a.m., 79 views

XNU kernel heap overflow due to bad bounds checking in MPTCP(CVE-2018-4241)

mptcpusrconnectx is the handler for the connectx syscall for the APMULTIPATH socket family. The logic of this function fails to correctly handle source and destination sockaddrs which aren't AFINET or AFINET6: // verify salen for AFINET: if dst-safamily == AFINET && dst-salen !=...

AI score: 8.1, EPSS: 0.08224
Exploits: 3

seebug.org
added 2018/06/08 12:0 a.m., 190 views

Linux ext4: out-of-bounds memcpy via non-inline system.data xattr(CVE-2018-11412)

ext4 can store data for small regular files as "inline data", meaning that the data is stored inside the corresponding inode instead of in separate blocks. Inline data is stored in two places: The first 60 bytes go in the iblock field in the inode which normally contains a list of blocks instead,...

AI score: 0.2, EPSS: 0.16352
Exploits: 4

seebug.org
added 2018/06/08 12:0 a.m., 229 views

Skia and Firefox: Integer overflow in SkTDArray leading to out-of-bounds write(CVE-2018-5159)

Skia bug report: https://bugs.chromium.org/p/skia/issues/detail?id=7674 Mozilla bug report: https://bugzilla.mozilla.org/showbug.cgi?id=1441941 In Skia, SkTDArray stores length fCount and capacity fReserve as 32-bit ints and does not perform any integer overflow checks. There are a couple of plac...

AI score: 0.3, EPSS: 0.21288
Exploits: 3

seebug.org
added 2018/06/08 12:0 a.m., 102 views

WebKit: Info leak in WebAssembly Compilation(CVE-2018-4222)

There is an out-of-bounds read when compiling WebAssembly source buffers in WebKit. When a source buffer is compiled, it is first copied into a read-only buffer by the function getWasmBufferFromValue. This function returns the code buffer as follows: return arrayBufferView ?...

AI score: 0.4, EPSS: 0.10508
Exploits: 3

seebug.org
added 2018/06/08 12:0 a.m., 63 views

Samsung Galaxy S7 Edge: Overflow in OMACP WbXml String Extension Processing(CVE-2018-10751)

OMACP is a protocol supported by many mobile devices which allows them to receive provisioning information over the mobile network. One way to provision a device is via a WAP push SMS message containing provisioning information in WbXML. A malformed OMACP WAP push message can cause memory...

AI score: 1.3, EPSS: 0.08747
Exploits: 2

seebug.org
added 2018/06/06 12:0 a.m., 59 views

Canon LBP6650/LBP3370/LBP3460/LBP7750C - Authentication Bypass(CVE-2018-11692)

Description : An issue was discovered on Canon LBP6650, LBP3370, LBP3460, LBP7750C printers. It is possible for a remote unauthenticated attacker to bypass the Administrator Mode authentication without a password at any URL of the device that requires authentication. PoC : Start searching for Can...

AI score: 0.8, EPSS: 0.04574
Exploits: 4

seebug.org
added 2018/06/05 12:0 a.m., 66 views

semcmsPHP-V2.7 arbitrary password reset vulnerability

...

AI score: 0.8
Exploits: 0

seebug.org
added 2018/06/04 12:0 a.m., 584 views

DedeCMS back-end address brute-force vulnerability

...

AI score: 0.8
Exploits: 0

seebug.org
added 2018/06/04 12:0 a.m., 58 views

DuomiCMS front-end SQL injection

...

AI score: 0.8
Exploits: 0

seebug.org
added 2018/06/01 12:0 a.m., 41 views

youke365 V1.0.7 (latest version) front-end SQL injection

...

AI score: 0.5
Exploits: 0

seebug.org
added 2018/05/31 12:0 a.m., 54 views

New burnOverflow Bug Identified in Multiple ERC20 Smart Contracts (CVE-2018-11239)

Our vulnerability-scanning system at PeckShield has so far discovered several dangerous smart contract vulnerabilities batchOverflow1, proxyOverflow2, transferFlaw3, ownerAnyone4, multiOverflow5. Some of them could be used by attackers to generate tokens out of nowhere while others can be used to...

AI score: 1.6, EPSS: 0.00926
Exploits: 2

seebug.org
added 2018/05/31 12:0 a.m., 54 views

New multiOverflow Bug Identified in Multiple ERC20 Smart Contracts (CVE-2018-10706)

Our vulnerability-scanning system at PeckShield has so far discovered several dangerous smart contract vulnerabilities batchOverflow, proxyOverflow, transferFlaw, ownerAnyone. Some of them could be used by attackers to generate tokens out of nowhere while others can be used to steal tokens from...

CVSS: 5, AI score: 1.8, EPSS: 0.0096
Exploits: 2

seebug.org
added 2018/05/31 12:0 a.m., 71 views

New ownerAnyone Bug Allows For Anyone to ''Own'' Certain ERC20-Based Smart Contracts (CVE-2018-10705)

This morning, our vulnerability-scanning system at PeckShield identified a new vulnerability named ownerAnyone in certain ERC20-based smart contracts such as AURA, which is deployed by a decentralized banking and finance platform – AURORA. This bug, if successfully exploited, might introduce the...

CVSS: 5, AI score: 1.6, EPSS: 0.01109
Exploits: 2

seebug.org
added 2018/05/31 12:0 a.m., 53 views

New transferFlaw Bug Used For Possible Scam Token Listed In A Top Exchange(CVE-2018-10468)

Our automated scanning system at PeckShield discovered a new vulnerability named transferFlaw CVE-2018–10468. This particular vulnerability affects a publicly traded ERC20 token listed in a top exchange. Different from batchOverflow 1 and proxyOverflow 2 we identified before, this vulnerability...

CVSS: 5, AI score: 0.1, EPSS: 0.01595
Exploits: 3

seebug.org
added 2018/05/31 12:0 a.m., 43 views

New allowAnyone Bug Identified in Multiple ERC20 Smart Contracts (CVE-2018-11397, CVE-2018-11398)

Our vulnerability-scanning system at PeckShield has so far discovered several dangerous smart contract vulnerabilities batchOverflow1, proxyOverflow2, transferFlaw3, ownerAnyone4, multiOverflow5, burnOverflow6, ceoAnyone7. Some of them could be used by attackers to generate tokens out of nowhere ...

AI score: 1.7
Exploits: 0

seebug.org
added 2018/05/31 12:0 a.m., 316 views

PHPMyWind 5.5 front-end SQL injection allowing administrator password reset

...

AI score: 1
Exploits: 0

seebug.org
added 2018/05/29 12:0 a.m., 75 views

QRadar Remote Command Execution(CVE-2018-1418)

Vulnerability Summary Multiple vulnerabilities in QRadar allow remote unauthenticated attackers to cause the product to execute arbitrary commands. Each vulnerability on its own is not as strong as their chaining – which allows a user to change from unauthenticated to authenticated access, to...

CVSS: 7.5, AI score: 0.5, EPSS: 0.5338
Exploits: 6

seebug.org
added 2018/05/29 12:0 a.m., 55 views

TP-Link TL-WR840N/TL-WR841N - Authentication Bypass

Title: TP-Link Multiple RouterTL-WR840N and TL-WR841N Unauthenticated Router Access Vulnerability Author: BlackFog Team Date: 27 May 2018 Website: SecureLayer7.net Contact: [email protected] Version: 0.9.1 4.16 v0001.0 Build 170622 Rel.64334n Hardware: TL-WR841N v13 00000013 Version : Firmwar...

AI score: 0.2
Exploits: 0

seebug.org
added 2018/05/28 12:0 a.m., 149 views

feifeicms front-end arbitrary file read

...

AI score: 1
Exploits: 0

seebug.org
added 2018/05/28 12:0 a.m., 102 views

Bitmain Antminer D3/L3+/S9 - Remote Command Execution(CVE-2018-11220)

Exploit Title: Bitmain Antminer D3, L3+, and S9 devices allow Remote Command Execution Google Dork: N/A Date: 27/05/2018 Exploit Author: Corrado Liotta Vendor Homepage: https://www.bitmain.com/ Software Link: N/A Version: Antminer - D3, L3+, S9, and other Tested on: Windows/Linux CVE :...

AI score: 0.9, EPSS: 0.16409
Exploits: 6

seebug.org
added 2018/05/28 12:0 a.m., 65 views

semcms php v2.7 SQL injection

...

AI score: 1.1
Exploits: 0

seebug.org
added 2018/05/25 12:0 a.m., 150 views

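UEditor SSRF vulnerability (JSP version): analysis and reproduction

Author: 浮萍@猎户安全实验室. WeChat official account: 猎户安全实验室. During testing some time ago I came across a system that used the UEditor editor, version 1.4.3. Version v1.4.3 of this editor is known to have an SSRF vulnerability; although it is a Boolean-type SSRF, besides internal network probing it can also be used, based on web application fingerprint information, for further testing afterwards. 0x01 Preface: The official changelog shows that the UEditor editor fixed the SSRF vulnerability in version 1.4.3.1. ...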

AI score: 7.4
Exploits: 0

seebug.org
added 2018/05/21 12:0 a.m., 34 views

semcms foreign-trade website management system PHP 2.7 SQL injection

...

AI score: 0.8
Exploits: 0

seebug.org
added 2018/05/21 12:0 a.m., 24 views

Axublog 1.1.0 SQL injection vulnerability

...

AI score: 1.2
Exploits: 0

seebug.org
added 2018/05/21 12:0 a.m., 3012 views

Microsoft Windows Kernel 'Win32k.sys' Local Privilege Escalation Vulnerability(CVE-2018-8120)

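Author: bigric3. Author's blog: On May 15 ESET published that in March it had captured a sample combining a PDF remote code execution (cve-2018-4990) with a Windows local privilege escalation (cve-2018-8120). After ESET's post, I downloaded such a sample from VT (). Initial reverse engineering largely confirmed what had been reported: the exploit was still in the development and testing stage and was inadvertently uploaded to a public sample-scanning site, where ESET captured it and reported it to Microsoft and Adobe for patching. The test signature strings are as follows. Locate the key code in the sample and debug and analyze it...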

CVSS: 7.2, AI score: 0.2, EPSS: 0.73721
Exploits: 18

seebug.org
added 2018/05/21 12:0 a.m., 26 views

Adobe Enterprise Manager (AEM) < 6.3 - Remote Code Execution

Exploit Title: Adobe Experience Manager AEM 6.3 default credentials leads to RCE Date: 5/19/18 Exploit Author: StaticFlow Vendor Homepage: https://www.adobe.com/in/marketing-cloud/experience-manager.html Version: 6.3 import requests import sys baseUrl = 'https://test.com/' default domain, change...

AI score: 0.3
Exploits: 0

seebug.org
added 2018/05/18 12:0 a.m., 173 views

Claymore Dual Miner Remote Code Execution(CVE-2018-1000049)

Hello everybody, today I will show you how I found a Remote Code Execution vulnerability on popular Claymore Dual Miner developed by nanopool which you can download from GitHub here. Before continuing to read I want to clarify that I already emailed nanopool without receiving any kind of response...

CVSS: 6, AI score: 8, EPSS: 0.77582
Exploits: 7

seebug.org
added 2018/05/17 12:0 a.m., 34 views

Hyland Perceptive Document Filters OpenDocument to JPEG conversion SkCanvas Code Execution vulnerability(CVE-2018-3845)

Summary An exploitable double free exists in the OpenDocument to JPEG conversion functionality of the Hyland Perspective Document Filters version 11.4.0.2647. A crafted OpenDocument document can lead to a SkCanvas object double free resulting in direct code execution. Tested Versions Perceptive...

CVSS: 6.8, AI score: 9, EPSS: 0.02785
Exploits: 1

seebug.org
added 2018/05/17 12:0 a.m., 34 views

Foxit PDF Reader AssociatedFile Annotation Type Confusion(CVE-2018-3843)

Summary An exploitable type confusion vulnerability exists in the way Foxit PDF Reader version 9.0.1.1049 parses files with associated file annotations. A specially crafted PDF document can lead to an object of invalid type to be dereferenced, which can potentially lead to sensitive memory...

CVSS: 6.8, AI score: 0.3, EPSS: 0.24316
Exploits: 2

seebug.org
added 2018/05/17 12:0 a.m., 329 views

Foscam IP Video Camera Firmware Recovery Unsigned Image Vulnerability(CVE-2017-2871)

Summary Insufficient security checks exist in the recovery procedure used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. An attacker who is in the same subnetwork of the camera or has remote administrator access, can fully compromise the device by performing a firmware...

CVSS: 5.8, AI score: 0.8, EPSS: 0.01106
Exploits: 2

seebug.org
added 2018/05/17 12:0 a.m., 44 views

Foxit PDF Reader JavaScript setPersistent Remote Code Execution Vulnerability(CVE-2018-3842)

Summary An exploitable use of an uninitialized pointer vulnerability exists in the JavaScript engine in Foxit PDF Reader version 9.0.1.1049. A specially crafted PDF document can lead to a dereference of an uninitialized pointer which, if under attacker control, can result in arbitrary code...

CVSS: 6.8, AI score: 0.2, EPSS: 0.03262
Exploits: 2

seebug.org
added 2018/05/17 12:0 a.m., 36 views

Foxit PDF Reader JavaScript createTemplate Remote Code Execution Vulnerability(CVE-2018-3853)

Summary An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit Software Foxit PDF Reader version 9.0.1.1049. A specially crafted PDF document can trigger a previously freed object in memory to be reused resulting in arbitrary code execution. An attacker needs to tric...

AI score: 8.9, EPSS: 0.03356
Exploits: 2

Total number of security vulnerabilities: 56796