New batchOverflow Bug in Multiple ERC20 Smart Contracts (CVE-2018–10299)
Building on our earlier work analyzing EOS tokens, we have developed an automated system to scan and analyze Ethereum-based ERC-20 token transfers. Specifically, the system automatically sends out alerts if any suspicious transactions occur (e.g., transfers of unreasonably large token amounts). In...
New proxyOverflow Bug in Multiple ERC20 Smart Contracts (CVE-2018-10376)
On 4/24/2018 at 01:17:50 p.m. UTC, PeckShield again detected an unusual MESH token transaction, shown in Figure 1. In this particular transaction, someone transferred a huge amount of MESH tokens, 0x8fff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff (63 f's), to herself...
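The two overflow entries above (batchOverflow and proxyOverflow) share one root cause: Solidity's pre-0.8 uint256 arithmetic wraps modulo 2^256, so a product (cnt * value) or a sum (value + fee) can wrap to a tiny number and slip past a balance check. The following is an added example, not PeckShield's code nor any affected token's contract; it models that arithmetic in Python and contrasts the wrapping forms with SafeMath-style checked forms. The function shapes (batchTransfer with a receiver list, transferProxy with a fee) are assumed from the public descriptions of these bug classes, and the balances and addresses are constructed.

```python
# Added example (not PeckShield's code, not any token's contract).
# Models Solidity (pre-0.8) uint256 wraparound behind batchOverflow (cnt * value)
# and proxyOverflow (value + fee), next to SafeMath-style checked arithmetic.
UINT256_MASK = (1 << 256) - 1   # uint256 wraps modulo 2**256


class Overflow(Exception):
    """Raised by the checked operations where a real contract would revert."""


def checked_mul(a, b):
    """SafeMath-style multiply: detect wraparound instead of silently wrapping."""
    if a == 0:
        return 0
    c = (a * b) & UINT256_MASK
    if c // a != b:          # holds only if no wraparound occurred
        raise Overflow("mul")
    return c


def checked_add(a, b):
    c = (a + b) & UINT256_MASK
    if c < a:                # wrapped sums are smaller than an operand
        raise Overflow("add")
    return c


def batch_transfer(balances, sender, receivers, value, safe):
    """batchTransfer(address[] _receivers, uint256 _value) pattern (assumed).
    Vulnerable form: amount = cnt * _value with wrapping arithmetic, so two
    receivers and _value = 2**255 give amount == 0 and the require() passes."""
    cnt = len(receivers)
    amount = checked_mul(cnt, value) if safe else (cnt * value) & UINT256_MASK
    if not (0 < cnt <= 20 and value > 0 and balances.get(sender, 0) >= amount):
        raise ValueError("require() failed")
    balances[sender] = (balances.get(sender, 0) - amount) & UINT256_MASK
    for r in receivers:
        balances[r] = (balances.get(r, 0) + value) & UINT256_MASK
    return balances


def transfer_proxy(balances, owner, to, value, fee, caller, safe):
    """transferProxy(_from, _to, _value, _fee, ...) pattern (assumed).
    Vulnerable form: the balance check compares against (_value + _fee) wrapped,
    so a fee chosen as 2**256 - value makes the total 0."""
    total = checked_add(value, fee) if safe else (value + fee) & UINT256_MASK
    if balances.get(owner, 0) < total:
        raise ValueError("revert: insufficient balance")
    balances[owner] = (balances.get(owner, 0) - total) & UINT256_MASK
    balances[to] = (balances.get(to, 0) + value) & UINT256_MASK
    balances[caller] = (balances.get(caller, 0) + fee) & UINT256_MASK
    return balances


def rejected(fn, *args, **kwargs):
    """True if the call would revert (overflow check or require() failure)."""
    try:
        fn(*args, **kwargs)
    except (Overflow, ValueError):
        return True
    return False


# The amount seen in the MESH transaction above: 0x8 followed by 63 f's.
MESH_VALUE = int("8" + "f" * 63, 16)
MESH_FEE = (1 << 256) - MESH_VALUE          # chosen so value + fee wraps to 0

if __name__ == "__main__":
    bal = batch_transfer({"attacker": 0}, "attacker", ["a1", "a2"], 1 << 255, safe=False)
    print("batchOverflow, attacker balance 0 ->", hex(bal["a1"]), hex(bal["a2"]))
    bal = transfer_proxy({"victim": 0}, "victim", "a1", MESH_VALUE, MESH_FEE, "attacker", safe=False)
    print("proxyOverflow, a1 gets", hex(bal["a1"]))
    print("checked versions revert:",
          rejected(batch_transfer, {"attacker": 0}, "attacker", ["a1", "a2"], 1 << 255, safe=True),
          rejected(transfer_proxy, {"victim": 0}, "victim", "a1", MESH_VALUE, MESH_FEE, "attacker", safe=True))
```

The detection heuristic described in the first entry follows directly from this model: a transfer whose amount is a large power-of-two-shaped value (or whose sender balance did not decrease) is exactly what a wrapped product or sum produces.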
Drupal core Remote Code Execution(CVE-2018-7602)
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical -...
Seagate Personal Cloud allows moving of arbitrary files
Abstract: Seagate Personal Cloud is a consumer-grade Network-Attached Storage (NAS) device. It was found that the web application used to manage the NAS contains a vulnerability that allows an unauthenticated attacker to move arbitrary files. The move operation is performed with root privileges, which...
NETSCRAPED EXPLOIT TOOL
NETSCRAPED EXPLOIT TOOL. Author: @037. This tool allows you to obtain all the credentials stored on Netwave IP cameras. Prerequisites: Python 3.x (apt-get install python3); the Shodan module (pip install shodan); cURL is also required for this to work (apt-g...
Server Directory Traversal at Huawei HG255s(CVE-2017-17309)
Exploit Title: Server Directory Traversal at Huawei HG255s. Date: 20.10.2017. Exploit Author: Ismail Tasdelen. Vendor Homepage: www.huawei.com. Software Link: not published (this modem is only used in Turkey). Version: V100R001C163B025SP02. PoC: Directory Traversal Payload:...
Vigor ACS Unsafe Flex AMF Java Object Deserialization(CVE-2017-5641)
Vulnerability Summary A vulnerability in Vigor ACS allows unauthenticated users to cause the product to execute arbitrary code. VigorACS 2 “is a powerful centralized management software for Vigor Routers and VigorAPs, it is an integrated solution for configuring, monitoring, and maintenance of...
TerraMaster TOS Unauthenticated Remote Command Execution
Vulnerability Summary: The following advisory describes an unauthenticated remote command execution vulnerability found in TerraMaster TOS 3.0.33. TOS is a "Linux platform-based operating system developed for TerraMaster cloud storage NAS server. TOS 3 is the third generation operating system newly launched."...
Major Brands Sonos® and Bose® Multiple Vulnerabilities
For vulnerability details, see: https://paper.seebug.org/papers/Archive/D1%20COMMSEC%20-%20Stephen%20Hilt%20-%20Hacking%20IoT%20Speakers.pdf...
Jolokia Vulnerabilities - RCE & XSS(CVE-2018-1000130,CVE-2018-1000129)
Recently, during a client engagement, Gotham Digital Science found a couple of zero-day vulnerabilities in the Jolokia service. Jolokia is an open source product that provides an HTTP API interface for JMX (Java Management Extensions) technology. It contains an API we can use for calling MBeans...
CVE-2018-1273: RCE with Spring Data Commons
...
WebLogic Deserialization Remote Code Execution Vulnerability (CVE-2018-2628)
Oracle WebLogic Server is affected by CVE-2018-2628 (CVSS Base Score: 9.8), a vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3. The easily exploitable...
ThinkPHP 3.2.3 (latest release) update injection vulnerability
Originally published on Anquanke, author: 0r3ak@0kee Team. Original: Brief description: ThinkPHP is a well-known PHP development framework in China, with complete developer documentation and an MVC architecture. ThinkPHP 3.2.3 is currently the most widely used ThinkPHP version; although development of new features has stopped, it is still more widespread than the newer ThinkPHP 5 series. In the framework's database layer, the update path concatenates SQL statements, and when an array is passed in without filtering this leads to SQL injection. Git patch: a BIND expression was added. Vulnerability details...
Catfish (鲶鱼) Blog V1.3.15 stored XSS
...
Holey Beep: Linux privilege escalation vulnerability analysis and exploitation (CVE-2018-0492)
Introduction: Back in the old days, people used the \a character to emit a horrible 'beep' sound from their speaker. It was a bit annoying, especially if you wanted to do more complicated things like 8-bit-style music. That's why Johnathan Nightingale made the beep software. A very simple and shor...
Moxa EDR-810 Web Server Certificate Signing Request Command Injection Vulnerability(CVE-2017-12125)
Summary: An exploitable command injection vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP POST can cause a privilege escalation resulting in a root shell. An attacker can inject OS commands into the CN= parameter in the...
Moxa EDR-810 Web Server Weak Cryptography for Passwords Vulnerability(CVE-2017-12129)
Summary An exploitable Weak Cryptography for Passwords vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. An attacker could intercept weakly encrypted passwords and could brute force them. Tested Versions Moxa EDR-810 V4.1 build 17030317 Product URLs...
Moxa EDR-810 Web Server strcmp Multiple Denial of Service Vulnerabilities(CVE-2017-14435 - CVE-2017-14437)
Summary An exploitable denial of service vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP URI can cause a null pointer dereference resulting in denial of service. An attacker can send a GET request to "/MOXALOG.ini, /MOXACFG.ini, o...
Moxa EDR-810 Web Server URI Denial of Service Vulnerability(CVE-2017-12124)
Summary An exploitable denial of service vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP URI can cause a null pointer dereference resulting in the web server crashing. An attacker can send a crafted URI to trigger this...
Moxa EDR-810 Web Server ping Command Injection Vulnerability(CVE-2017-12120)
Summary: An exploitable command injection vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP POST can cause a privilege escalation, resulting in a root shell. An attacker can inject OS commands into the ip= parameter in the...
Moxa EDR-810 Web Server Cross-Site Request Forgery Vulnerability(CVE-2017-12126)
Summary An exploitable cross-site request forgery vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP packet can cause cross-site request forgery. An attacker can create malicious HTML to trigger this vulnerability. Tested Versions Mo...
Moxa EDR-810 Cleartext Transmission of Password Vulnerability(CVE-2017-12123)
Summary An exploitable clear text transmission of password vulnerability exists in the web server and telnet functionality of Moxa EDR-810 V4.1 build 17030317. An attacker can look at network traffic to get the admin password for the device. The attacker can then use the credentials to login as...
Moxa EDR-810 Web Server OpenVPN Config Multiple Command Injection Vulnerabilities(CVE-2017-14432 - CVE-2017-14434)
Summary: An exploitable command injection vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP POST can cause a privilege escalation resulting in a root shell. An attacker can inject OS commands into various parameters in the...
Moxa EDR-810 Plaintext Password Storage Vulnerability(CVE-2017-12127)
Summary: A plaintext password storage vulnerability exists in the operating system functionality of Moxa EDR-810 V4.1 build 17030317. An attacker with shell access could extract passwords in clear text from the device. Tested Versions: Moxa EDR-810 V4.1 build 17030317. Product URLs...
Moxa EDR-810 Web RSA Key Generation Command Injection Vulnerability(CVE-2017-12121)
Summary: An exploitable command injection vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP POST can cause a privilege escalation resulting in a root shell. An attacker can inject OS commands into the rsakeyname= parameter in the...
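The four EDR-810 command-injection entries above (CN= in the CSR handler, ip= in ping, the OpenVPN config parameters, rsakeyname= in key generation) are one bug class: a request parameter is pasted into a command line that is then run by a root-privileged shell. The following is an added example, not Moxa's firmware nor Talos's code. It shows the vulnerable string-building pattern beside a hardened form (validate the value against what it is supposed to be, then pass an argv list to exec rather than a string to sh), plus a tokenizer-based check that counts how many commands a built line would actually run. The parameter formats, the regexes and the sample inputs are assumptions chosen for illustration, and nothing here executes a command.

```python
# Added example (not Moxa's or Talos's code). Vulnerable shell-string building
# for the ip=, CN= and rsakeyname= parameters, the hardened argv form, and a
# check that counts the commands a line would run. Formats are assumptions.
import ipaddress
import re
import shlex


def build_ping_vulnerable(ip):
    """What the vulnerable CGI effectively does: interpolate the raw ip= value
    into a string that is later handed to /bin/sh. Returned here, never run."""
    return "ping -c 3 " + ip


def shell_command_count(cmdline):
    """Tokenise like a POSIX shell and count the commands the line would run:
    ';', '&', '&&', '|', '||' start a new command; '$(' and backticks start
    a command substitution."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    tokens = list(lex)
    separators = sum(1 for t in tokens if t in (";", "&", "&&", "|", "||"))
    substitutions = cmdline.count("$(") + cmdline.count("`") // 2
    return 1 + separators + substitutions


# Hardened versions: strict allow-lists per parameter, and argv lists so no
# shell ever parses the value. Leading '-' is refused to block option injection.
_KEY_NAME = re.compile(r"[A-Za-z0-9_.-]{1,32}")
_CN = re.compile(r"[A-Za-z0-9 ._@-]{1,64}")   # no '/', which delimits -subj fields


def validate_key_name(name):
    return _KEY_NAME.fullmatch(name) is not None and not name.startswith("-")


def validate_cn(cn):
    return _CN.fullmatch(cn) is not None and not cn.startswith("-")


def build_ping_safe(ip):
    """Parse as an IP literal (ValueError on anything else) and build argv."""
    addr = ipaddress.ip_address(ip)
    return ["ping", "-c", "3", str(addr)]


def build_csr_safe(cn, key_name):
    """argv for a CSR using a validated CN and key name (assumed flags)."""
    if not validate_cn(cn):
        raise ValueError("bad CN")
    if not validate_key_name(key_name):
        raise ValueError("bad key name")
    return ["openssl", "req", "-new", "-key", key_name + ".key",
            "-subj", "/CN=" + cn]


def rejected(fn, *args):
    """True if the hardened builder refuses the input."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed attacker inputs, the shape of a crafted HTTP POST body value.
    for payload in ("127.0.0.1; cat /etc/shadow", "127.0.0.1 && reboot", "127.0.0.1 `id`"):
        line = build_ping_vulnerable(payload)
        print(f"{line!r}: {shell_command_count(line)} command(s), "
              f"hardened rejects: {rejected(build_ping_safe, payload)}")
    print(build_csr_safe("edr810.example.com", "vpn_server1"))
```

With argv-based execution the value can only ever be one argument of one program, so the validation is there to keep the argument meaningful (and to stop it from starting with a dash), not to carry the whole burden of stopping the shell.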
Moxa EDR-810 Service Agent Multiple Denial of Service Vulnerabilities(CVE-2017-14438 - CVE-2017-14439)
Summary: Exploitable denial of service vulnerabilities exist in the Service Agent functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted packet can cause a denial of service. An attacker can send a large packet to 4000/tcp and 4001/tcp to trigger this vulnerability. Tested Version...
Moxa EDR-810 Server Agent Information Disclosure Vulnerability(CVE-2017-12128)
Summary An exploitable information disclosure vulnerability exists in the Server Agent functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted TCP packet can cause information disclosure. An attacker can send a crafted TCP packet to trigger this vulnerability. Tested Versions Moxa...
EAadmin Minimalist Community (极简社区) reflected XSS vulnerability
...
EAadmin Minimalist Community (极简社区) stored XSS vulnerability
EAadmin Minimalist Community stored XSS vulnerability. In /application/index/controller/Frum.php, public function add is the function that adds a post:
    public function add()
    {
        $siteconfig = Cache::get('siteconfig');
        if (!session('userid') || !session('username')) {
            $this->error('亲!请登录', url('index/login'));
        } else {
            $forum = new ForumModel;
            if (request()->isPost...
DedeCMS backend arbitrary file upload vulnerability
...
Shenzhen TVT Digital Technology Co. Ltd & OEM {DVR/NVR/IPC} API RCE
Subject: Shenzhen TVT Digital Technology Co. Ltd & OEM DVR/NVR/IPC API RCE. Attack vector: Remote. Authentication: Anonymous (no credentials needed). Researcher: bashis, December 2017. PoC: https://github.com/mcw0/PoC. Python PoC: https://github.com/mcw0/PoC/blob/master/TVT-PoC.py. Release date: April 9,...
Cisco Smart Install Protocol Misuse
SIET (Smart Install Exploitation Tool). Cisco Smart Install is a plug-and-play configuration and image-management feature that provides zero-touch deployment for new switches. You can ship a switch to a location, place it in the network and power it on with no configuration required on the device. Y...
Catfish CMS v4.7.18 backend stored XSS vulnerability
1. Brief overview: Catfish (鲶鱼) CMS is an open-source PHP content management system suitable for building CMS sites, blogs, corporate sites and other types of website. It recognizes the site type (CMS, blog, etc.) automatically, so switching the theme is enough to switch the site type. It supports multiple languages, including Simplified Chinese, Traditional Chinese, Russian, German, French, Korean, Japanese and English. The whole site is responsive, suited to PCs, phones and other screen sizes, including access from phones and WeChat. In version 4.7.18 the CMS backend ships with a plugin by default; because of lax coding, this plugin contains an XSS vulnerability, which is exploitable once a user enables it. 2. Vulnerability demonstration...
spring-messaging Remote Code Execution (CVE-2018-1270)
Advisory: published on 5 April 2018: https://pivotal.io/security/cve-2018-1270. Affected versions: Spring Framework 5.0 to 5.0.4; Spring Framework 4.3 to 4.3.14; older unsupported versions are also affected. Environment setup: use the official sample https://github.com/spring-guides/gs-messaging-stomp-websocket; after git clone, check out the pre-fix revision: git clone...
D-Link DSL-3782 Code execution(CVE-2018-8941)
CVE-2018-8941: D-Link DSL-3782 Code Execution Proof of Concept. Adam Simuntis :: https://twitter.com/adamsimuntis; Mindaugas Slusnys :: https://twitter.com/mislusnys. The buffer overflow vulnerability was found in the "/userfs/bin/tcapi" binary, which is used as a wrapper for the "Diagnostics"...
MetInfo 6.0.0 code execution vulnerability (getting a shell directly from the backend)
...
DLink DIR-601 - Admin Password Disclosure(CVE-2018-5708)
Description: Having local access to the network but being unauthenticated to the administrator panel, a user can disclose the built-in admin username/password and use it to access the admin panel. Proof of Concept: for the proof of concept, the real admin password is "thisisatest". Step 1: Access default...
DedeCMS V5.7: two backend getshells (CVE-2018-9175)
The first follows a common approach: write a statement into an .inc file, which another include statement then pulls in, so the malicious code runs and yields a shell. The vulnerable code is in /dede/sysverifies.php:
    else if ($action == 'getfiles')
    {
        if (!isset($refiles))
        {
            ShowMsg("你没进行任何操作!", "sysverifies.php");
            exit();
        }
        $cacheFiles = DEDEDATA.'/modifytmp.inc';
        $fp = fopen($cacheFiles, 'w');
        fwrite($fp, '');
        fclose($fp);
        $dirinfos = '';
        if ($...
Drupal 8 – CVE-2017-6926 vulnerability analysis
Author: NSFOCUS. Source: Recently the well-known Drupal CMS disclosed 7 vulnerabilities, among them one serious issue, CVE-2017-6926: a user with permission to post comments can view content and comments they are not authorized to access, and can also add comments to that content. NSFOCUS published the advance warning "Drupal will release an important security patch next week" last week. This article analyzes CVE-2017-6926 in Drupal 8 in detail. CVE-2017-6926 details: first, the notice on the Drupal site: users with permission to post comments can view content and comments they are not authorized to access, and can also add comments to that content. To trigger this vulnerability, the comment system must be enabled and the attacker must have permission to post comments...
Adobe ColdFusion deserialization vulnerability (CVE-2017-3066)
Exploiting Adobe ColdFusion before CVE-2017-3066 In a recent penetration test my teammate Thomas came across several servers running Adobe ColdFusion 11 and 12. Some of them were vulnerable to CVE-2017-3066 but no outgoing TCP connections were possible to exploit the vulnerability. He asked me...
Drupal core Remote Code Execution(CVE-2018-7600) (Drupalgeddon2)
Two weeks ago, a highly critical (21/25 NIST rank) vulnerability nicknamed Drupalgeddon 2 (SA-CORE-2018-002 / CVE-2018-7600) was disclosed by the Drupal security team. This vulnerability allows an unauthenticated attacker to perform remote code execution on default or common Drupal installations...
Joomla! core SQL injection vulnerability (CVE-2018-8045)
Author: NSFOCUS. Source: CVE-2018-8045 summary. Details are in the NSFOCUS Weekly Security Threat Report, week 201812, Joomla! Core SQL injection vulnerability: NSFOCUS ID: 39158; CVE ID: CVE-2018-8045; affected versions: Joomla! 3.5.0-3.8.5. Assessment: Joomla is a web content management system developed in PHP with a MySQL database. Joomla! 3.5.0 to 3.8.5 fails to type-cast a variable used in an SQL statement, leading to SQL injection in the User Notes list view, which an attacker can use to access or modify data. The vendor has released an upgrade patch that fixes this...
Cisco Smart Install Remote Code Execution(CVE-2018-0171)
Introduction. Application: Cisco IOS, Cisco IOS-XE. Vendor: Cisco. Bugs: stack-based buffer overflow (CWE-20, CWE-121). Risk: Critical; AV:N/AC:L/Au:N/C:C/I:C/A:C (10.0). A stack-based buffer overflow vulnerability was found in the Smart Install Client code. This vulnerability enables an attacker to remotely...
Apache Struts2 S2-056(CVE-2018-1327)
Summary: A crafted XML request can be used to perform a DoS attack when using the Struts REST plugin. Who should read this: all Struts 2 developers and users who are using the REST plugin. Impact of vulnerability: a DoS attack is possible when using...
Visual Studio Code remote code execution vulnerability
I occasionally noticed that Visual Studio Code was listening on a fixed TCP port, 9333. After upgrading to 1.19.3, it's gone. ➜ netstat -an | grep 9333 gives: tcp4 0 0 127.0.0.1.9333 *.* LISTEN. It looks like a bug that affects VS Code 1.19.0 to 1.19.2: the extension host process always runs in debug mode, because of th...
Etcd REST API unauthorized access vulnerability
From an application security perspective, databases are the most valuable parts of our systems. They store the data that gives value to our apps and companies. This data, which has been entrusted to us by our users, should be kept safe and out of the hands of criminals. Every developer I talk to is...
Windows Kernel 64-bit stack memory disclosure in win32k!PROXYPORT::SendRequest(CVE-2018-0814)
We have discovered that the win32k!PROXYPORT::SendRequest function sends ALPC messages containing portions of uninitialized memory from the local stack frame on Windows 7 64-bit (other versions were not tested). The message is 0x20 bytes long, 8 of which are uninitialized. The layout of the memory area i...
Windows Kernel 64-bit stack memory disclosure in win32k!XDCOBJ::RestoreAttributes(CVE-2018-0811)
We have discovered that the win32k!XDCOBJ::RestoreAttributes function leaks portions of uninitialized kernel stack memory to user-mode address space on Windows 7 to 10. It was confirmed on 64-bit platforms, 32-bit builds were not tested. The overall copied memory area is 0x1a0 bytes long, 4 of...
Windows Kernel 64-bit stack memory disclosure in NtQueryInformationThread(ThreadBasicInformation)(CVE-2018-0895)
We have discovered that the nt!NtQueryInformationThread system call, invoked with information class 0 (ThreadBasicInformation), discloses portions of uninitialized kernel stack memory to user-mode clients. The vulnerability affects 64-bit versions of Windows 7 to 10. The specific layout of the...
Windows Kernel 64-bit stack memory disclosure in nt!KiDispatchException(CVE-2018-0897)
We have discovered a new Windows kernel memory disclosure vulnerability in the creation and copying of an EXCEPTION_RECORD structure to user-mode memory while passing execution to a user-mode exception handler. The vulnerability affects 64-bit versions of Windows 7 to 10. The leak was originally...
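The four Windows kernel entries above (PROXYPORT::SendRequest, XDCOBJ::RestoreAttributes, NtQueryInformationThread and KiDispatchException) are one bug class: a kernel routine builds a fixed-size record in a stack frame, writes only some of its bytes (leaving padding or fields untouched), and copies the whole record to a less privileged recipient, so whatever earlier code left on the stack travels with it. The following is an added example, not code from these reports or from Microsoft. It models the pattern in Python with an explicit byte buffer standing in for the stack frame, shows the memset-before-fill fix, and implements the differential check used to locate such bytes: run the same operation with two different stack fills and report every output offset that changes. The record layout (four 8-byte fields, the last never written) is an assumption chosen to match the "0x20 bytes, 8 uninitialized" figure quoted for SendRequest; the real layouts are in the original reports.

```python
# Added example (not code from the advisories above, not Microsoft's code).
# Models a kernel routine that fills part of a stack-resident record and copies
# all of it out, the zero-before-fill fix, and a differential leak finder.
import struct

MSG_LEN = 0x20
STALE = 0xCC   # constructed stand-in for bytes left on the stack by earlier calls


def send_request_vulnerable(msg_type, handle, value, stack_fill=STALE):
    """Assumed layout: four little-endian uint64 fields. The frame starts out
    holding stale bytes (an uninitialized local) and only the first three
    fields are written, so the last 8 bytes leave as whatever was there."""
    frame = bytearray([stack_fill] * MSG_LEN)            # uninitialized local
    struct.pack_into("<QQQ", frame, 0, msg_type, handle, value)
    return bytes(frame)                                   # copied out in full


def send_request_fixed(msg_type, handle, value, stack_fill=STALE):
    """Fix: clear the whole record before filling it (memset / RtlZeroMemory),
    and write every field explicitly, padding included."""
    frame = bytearray([stack_fill] * MSG_LEN)
    frame[:] = bytes(MSG_LEN)                             # memset(&msg, 0, sizeof msg)
    struct.pack_into("<QQQQ", frame, 0, msg_type, handle, value, 0)
    return bytes(frame)


def uninitialized_offsets(sender, *args):
    """Differential check: perform the same request on two differently
    pre-filled stacks; any output byte that differs between the two runs was
    never written by the routine and is a disclosure of stack contents."""
    run_a = sender(*args, stack_fill=0xAA)
    run_b = sender(*args, stack_fill=0x55)
    return [i for i, (x, y) in enumerate(zip(run_a, run_b)) if x != y]


def leaked_bytes(sender, *args):
    """The stale bytes an observer would actually receive from one request."""
    msg = sender(*args)
    return bytes(msg[i] for i in uninitialized_offsets(sender, *args))


if __name__ == "__main__":
    args = (1, 0x1234, 7)   # constructed request: type, handle, value
    print("vulnerable:", uninitialized_offsets(send_request_vulnerable, *args),
          leaked_bytes(send_request_vulnerable, *args).hex())
    print("fixed:     ", uninitialized_offsets(send_request_fixed, *args))
```

The same differential idea is what makes these bugs findable at scale on a real kernel: spray the kernel stack with a known pattern from user mode before the call, then look for that pattern in what comes back.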