2022-09-25 15:09 Github_POC
A local privilege escalation vulnerability was found in polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according to predefined policies. The current version of pkexec doesn't handle the calling parameters count correctly and ends up trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way that they induce pkexec to execute arbitrary code. When successfully executed, the attack can cause a local privilege escalation, giving unprivileged users administrative rights on the target machine.
[GitHub] Vulnerability to CVE-2021-4034 Pwnkit
2022-09-25 09:09 Github_POC
Remote Procedure Call Runtime Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-24492, CVE-2022-24528.
[GitHub] Writeup and PoC for CVE-2022-26809
2022-09-25 09:09 Github_POC
The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. This issue makes the RSA implementation with 2048 bit private keys incorrect on such machines and memory corruption will happen during the computation. As a consequence of the memory corruption an attacker may be able to trigger a remote code execution on the machine performing the computation. SSL/TLS servers or other servers using 2048 bit RSA private keys running on machines supporting AVX512IFMA instructions of the X86_64 architecture are affected by this issue.
[GitHub] A PoC of CVE-2022-2274 (openssl)
2022-09-25 09:09 Github_POC
Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method.
[GitHub] CVE-2016-2098 PoC
2022-09-25 03:34 CXSECURITY Database RSS Feed -
Topic: Testa 3.5.1 Online Test Management System Reflected Cross-Site Scripting (XSS) | Risk: Low | Text: # Exploit Title: Testa 3.5.1 Online Test Management System - Reflected Cross-Site Scripting (XSS) # Date: 28/08/2022 # Exploi...
2022-09-25 03:34 CXSECURITY Database RSS Feed -
Topic: TP-Link Tapo c200 1.1.15 Remote Code Execution | Risk: High | Text: # Exploit Title: TP-Link Tapo c200 1.1.15 - Remote Code Execution (RCE) # Date: 02/11/2022 # Exploit Author: hacefresko # Ve...
2022-09-25 03:34 CXSECURITY Database RSS Feed -
Topic: Teleport 10.1.1 Remote Code Execution | Risk: High | Text: # Exploit Title: Teleport v10.1.1 - Remote Code Execution (RCE) # Date: 08/01/2022 # Exploit Author: Brandon Roach & Brian La...
2022-09-25 03:34 CXSECURITY Database RSS Feed -
Topic: Multix 2.4 Cross Site Scripting | Risk: Low | Text: # Exploit Title: Multix - Multipurpose Website CMS with Codeigniter Reflected Cross Site Scripting # Exploit Author: th3d1gger...
2022-09-25 03:34 CXSECURITY Database RSS Feed -
Topic: WorkOrder CMS 0.1.0 Cross Site Scripting | Risk: Low | Text: # Exploit Title: WorkOrder CMS 0.1.0 Cross-Site Scripting (XSS) # Date: Sep 22, 2022 # Exploit Author: Chokri Hammedi ...
2022-09-25 03:34 CXSECURITY Database RSS Feed -
Topic: WorkOrder CMS 0.1.0 SQL Injection | Risk: Medium | Text: # Exploit Title: WorkOrder CMS 0.1.0 SQLI # Date: Sep 22, 2022 # Exploit Author: Chokri Hammedi # Vendor Homepage: htt...
2022-09-25 02:10 Exploitalert
Testa 3.5.1 Online Test Management System Reflected Cross-Site Scripting XSS
2022-09-25 02:10 Exploitalert
TP-Link Tapo c200 1.1.15 Remote Code Execution
2022-09-25 02:10 Exploitalert
Teleport 10.1.1 Remote Code Execution
2022-09-25 02:10 Exploitalert
Multix 2.4 Cross Site Scripting
2022-09-25 02:10 Exploitalert
WorkOrder CMS 0.1.0 Cross Site Scripting
2022-09-25 02:10 Exploitalert
WorkOrder CMS 0.1.0 SQL Injection
2022-09-24 23:36 Stories by SAFARAS K A on Medi
Understanding the NMAP methodology — Part 2
Understanding the NMAP methodology from beginner to advance
Description:
In today's article we are going to learn about some advanced network mapping techniques with nmap. If you haven't read Part 1, I suggest you go through it before reading this article.
Having already covered some basics of network mapping in part one, it is worth knowing some advanced and essential techniques for scanning and mapping a network.
1. TCP Null Scan
As the name suggests, a TCP null scan does not set any flags when sending a packet to a particular port or service. A TCP packet with no flags set will not trigger any response when it reaches an open port. The absence of a response is therefore taken to indicate that the port is open (or filtered).
nmap -sN <ip>
-sN : TCP null scan flag
1) NULL TCP Packet -->
(If no response, port is open/filtered)
2) NULL TCP Packet -->
RST/ACK <--
(Port closed/filtered)
If we receive a packet with the RST (Reset)/ACK (Acknowledgement) flags set, that indicates the port is closed or filtered.
2. TCP FIN Scan
TCP FIN scan
2022-09-24 23:36 Stories by SAFARAS K A on Medi
How to exploit a stored XSS vulnerability on DVWA — StackZero
Introduction
Hi reader! Yet another walkthrough: this time I want to reinforce your practical understanding of Stored XSS by exploiting DVWA again.
I just want to say up front that the basic concept is not far from the reflected XSS we have already seen in our previous articles.
However, this vulnerability can be far more dangerous than Reflected XSS because of its persistence.
To give you an idea of what I mean: in the case of Reflected XSS the only victim is the receiver of the malicious URL, whereas a Stored XSS can hit everybody who visits the exploited page.
Before we get into the world of Stored XSS vulnerability in practice I recommend you take a look at my articles about XSS (they are in order of difficulty):
The terrifying world of Cross-Site Scripting (XSS) (Part 1)
The terrifying world of Cross-Site Scripting (XSS) (Part 2)
XSS in practice: how to exploit XSS in web applications
Reflected XSS DVWA — An Exploit With Real World Conse
2022-09-24 20:40 Github_POC
An XSS (Cross Site Scripting) vulnerability was found in HelpSystems Cobalt Strike through 4.7 that allowed a remote attacker to execute HTML on the Cobalt Strike teamserver. To exploit the vulnerability, one must first inspect a Cobalt Strike payload, and then modify the username field in the payload (or create a new payload with the extracted information and then modify that username field to be malformed).
[GitHub] Cobalt Strike RCE CVE-2022-39197
2022-09-24 08:40 Github_POC
Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition on an affected device. For more information about these vulnerabilities, see the Details section of this advisory.
[GitHub] Cisco Small Business RCE [included mass exploiter and scanner]
2022-09-24 08:40 Github_POC
The package com.alibaba:fastjson before 1.2.83 is vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Exploiting this vulnerability allows attacking remote servers. Workaround: If upgrading is not possible, you can enable [safeMode](https://github.com/alibaba/fastjson/wiki/fastjson_safemode).
[GitHub] Fastjson exploit
2022-09-24 08:40 Github_POC
An issue was discovered on certain DrayTek Vigor routers before July 2022 such as the Vigor3910 before 4.3.1.1. /cgi-bin/wlogin.cgi has a buffer overflow via the username or password to the aa or ab field.
[GitHub] DrayTek Vigor Exploit
2022-09-24 08:40 Github_POC
ASUS RT-AX56U Wi-Fi Router is vulnerable to stack-based buffer overflow due to improper validation for httpd parameter length. An authenticated local area network attacker can launch arbitrary code execution to control the system or disrupt service.
[GitHub] ASUS router exploit
2022-09-24 05:34 Microsoft Security Blog
Microsoft discovered an attack where attackers installed a malicious OAuth application in compromised tenants and used their Exchange Online service to launch spam runs.
The post Malicious OAuth applications abuse cloud email services to spread spam appeared first on Microsoft Security Blog.
2022-09-24 03:10 Github_POC
Nortek Linear eMerge E3-Series devices before 0.32-08f allow an unauthenticated attacker to inject OS commands via ReaderNo. NOTE: this issue exists because of an incomplete fix for CVE-2019-7256.
[GitHub] CVE-2022-31499 Proof of Concept
2022-09-24 03:10 Github_POC
Nortek Linear eMerge E3-Series 0.32-07p devices are vulnerable to /card_scan.php?CardFormatNo= XSS with session fixation (via PHPSESSID) when they are chained together. This would allow an attacker to take over an admin account or a user account.
[GitHub] CVE-2022-31798 Proof of Concept
2022-09-24 02:40 Github_POC
Nortek Linear eMerge E3-Series devices through 0.32-09c place admin credentials in /test.txt that allow an attacker to open a building's doors. (This occurs in situations where the CVE-2019-7271 default credentials have been changed.)
[GitHub] CVE-2022-31269 Proof of Concept
2022-09-24 02:40 Github_POC
[GitHub] CVE-2022-31499 Proof of Concept
2022-09-24 02:40 Github_POC
[GitHub] CVE-2022-31798 Proof of Concept
2022-09-24 01:34 Hex Rays
The Hex-Rays decompiler was initially created to decompile C code, so its pseudocode output uses (mostly) C syntax. However, the input binaries may be compiled using other languages: C++, Pascal, Basic, ADA, and many others. While the code of most of them can be represented in C without real issues, some have peculiarities which require [...]
2022-09-24 01:31 burp
Issue has since been fixed
2022-09-23 23:31 burp
Webhook, line, and sinker
2022-09-23 22:39 Packet Storm
Ubuntu Security Notice 5630-1 - It was discovered that the framebuffer driver on the Linux kernel did not verify size limits when changing font or screen size, leading to an out-of-bounds write. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Moshe Kol, Amit Klein and Yossi Gilad discovered that the IP implementation in the Linux kernel did not provide sufficient randomization when calculating port offsets. An attacker could possibly use this to expose sensitive information.
2022-09-23 22:39 Packet Storm
TP-Link Tapo c200 version 1.1.15 suffers from a remote code execution vulnerability.
2022-09-23 22:39 Packet Storm
Ubuntu Security Notice 5633-1 - It was discovered that the framebuffer driver on the Linux kernel did not verify size limits when changing font or screen size, leading to an out-of-bounds write. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Duoming Zhou discovered that race conditions existed in the timer handling implementation of the Linux kernel's Rose X.25 protocol layer, resulting in use-after-free vulnerabilities. A local attacker could use this to cause a denial of service.
2022-09-23 22:39 Packet Storm
Testa Online Test Management System version 3.5.1 suffers from a cross site scripting vulnerability.
2022-09-23 22:39 Packet Storm
Ubuntu Security Notice 5634-1 - Domingo Dirutigliano and Nicola Guerrera discovered that the netfilter subsystem in the Linux kernel did not properly handle rules that truncated packets below the packet header size. When such rules are in place, a remote attacker could possibly use this to cause a denial of service.
2022-09-23 22:39 Packet Storm
Feehi CMS version 2.1.1 suffers from an authenticated remote code execution vulnerability.
2022-09-23 22:39 Packet Storm
Teleport version 10.1.1 suffers from a remote code execution vulnerability.
2022-09-23 22:39 Packet Storm
Ubuntu Security Notice 5632-1 - Sebastian Chnelik discovered that OAuthLib incorrectly handled certain redirect URIs. A remote attacker could possibly use this issue to cause OAuthLib to crash, resulting in a denial of service.
2022-09-23 22:39 Packet Storm
WordPress WP-UserOnline plugin version 2.88.0 suffers from a persistent cross site scripting vulnerability.
2022-09-23 22:39 Packet Storm
WordPress 3dady Real-Time Web Stats plugin version 1.0 suffers from a persistent cross site scripting vulnerability.
2022-09-23 22:39 Packet Storm
Ubuntu Security Notice 5631-1 - It was discovered that libjpeg-turbo incorrectly handled certain EOF characters. An attacker could possibly use this issue to cause libjpeg-turbo to consume resources, leading to a denial of service. This issue only affected Ubuntu 18.04 LTS. It was discovered that libjpeg-turbo incorrectly handled certain malformed JPEG files. An attacker could possibly use this issue to cause libjpeg-turbo to crash, resulting in a denial of service.
2022-09-23 22:39 Packet Storm
Ubuntu Security Notice 5629-1 - It was discovered that the Python http.server module incorrectly handled certain URIs. An attacker could potentially use this to redirect web traffic.
2022-09-23 21:37 Software Integrity Blog
Black Duck Audits help customers understand commercial software licenses associated with third-party code, reducing the risks involved during an M&A.
The post Commercial software licenses in software due diligence appeared first on Application Security Blog.
2022-09-23 21:36 Stories by SAFARAS K A on Medi
Hi, my name is Hashar Mujahid, and in this blog we will talk about some techniques to bypass CSRF protection.
You can read my previous blog here if you want to learn about what csrf is.
Cross-site request forgery (CSRF) Explained and Exploited I
And Bypassing techniques part 1:
Bypassing CSRF Protection (I)
So today we’re going to look into some more techniques to bypass the CSRF protection placed by web applications.
5: CSRF where the token is tied to a non-session cookie:
Sometimes the CSRF token is tied to a cookie, but this cookie is not related to the user's session. This happens because the application uses two different frameworks, one for session handling and one for CSRF protection, and the two aren't integrated with each other.
example:
POST /email/change HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 68
Cookie: session=pSJYSScWKpmC60LpFOAHKixuFuM4uXWF;csrfKey=rZHCnSzEp8dbI6atzagGoSYyqJqTz5dv ==> Non Session Cookie
csrf=RhV7yQDO0xcq9gLEah2WVbmuFqyOq7tY&e
2022-09-23 21:36 Stories by SAFARAS K A on Medi
Hi everybody! SQL Injection is one of the most critical vulnerabilities that can be found in web applications. I will show you today how I found multiple SQL Injection vulnerabilities while hunting in a Bug Bounty program, so let's refer to our target as target.com.
While I was taking a fast look at the HTML code,
I found that there are 2 hidden parameters.
So I started to test the letter parameter by adding a single quote.
I got response code 200 OK, which means they do some error handling,
but the response was "Query failed"; it looks like a database handled our query in the backend.
So let's try to find out how many columns there are:
?letter=a' ORDER BY 2 -- V
I got "Query failed".
?letter=a' ORDER BY 1 -- V
It executed and I didn't get "Query Failed:".
So let's try to extract the version:
?letter=a' UNION SELECT VERSION() -- -
The query executed, but I didn't get the version in the response.
So I started to exfiltrate data using Blind SQL Injection techniques:
?letter=a' AND 
2022-09-23 20:40 Github_POC
An XSS (Cross Site Scripting) vulnerability was found in HelpSystems Cobalt Strike through 4.7 that allowed a remote attacker to execute HTML on the Cobalt Strike teamserver. To exploit the vulnerability, one must first inspect a Cobalt Strike payload, and then modify the username field in the payload (or create a new payload with the extracted information and then modify that username field to be malformed).
[GitHub] CVE-2022-39197 (CobaltStrike XSS <=4.7) POC
2022-09-23 20:40 Github_POC
Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allow remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. This vulnerability was reported via our Bug Bounty Program by TheGrandPew.
[GitHub] Mass RCE exploit for CVE-2022-36804 BITBUCKET SERVER UNAUTHENTICATED RCE
2022-09-23 20:40 Github_POC
Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allow remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. This vulnerability was reported via our Bug Bounty Program by TheGrandPew.
[GitHub] PoC exploit for CVE-2022-36804 (BitBucket Critical Command Injection)
2022-09-23 19:34 Data Breach – Security Affairs
Australian telecoms company Optus disclosed a data breach in which threat actors gained access to the personal information of former and current customers. Optus, one of the largest service providers in Australia, disclosed a data breach. The intruders gained access to the personal information of both former and current customers. The company is a subsidiary of Singtel with 10.5 million subscribers as of 2019. […]
The post Australian Telecoms company Optus discloses security breach appeared first on Security Affairs.
2022-09-23 19:32 Confessions of a Penetration T
(Collaborative post by Gynvael Coldwind and hebi)
Crow is an asynchronous C++ HTTP/WebSocket framework for creating "flask-like" web services. While analyzing another vulnerability we found a Cloudbleed-like information disclosure bug in the code path responsible for serving static files. Technically no special action on the attacker's side was required: it was enough to request a static file smaller than 16KB, and the server would send back the file padded with uninitialized stack content (up to 16KB).
The vulnerability in question was reported mid-August and fixed within 6 days.
CVSS, CVE, etc
Human readable details are in the next section.
CVE: CVE-2022-38668
CVSS 3.1: 5.3 Medium (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) [as originally reported]
CVSS 3.1: 7.5 High (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) [as rated by NIST/NVD]
Timeline
2022-08-14: Vulnerability discovered.
2022-08-17: Vulnerability reported.
2022-08-21: Public fix was proposed.
2022-08-22: Public fix was merged in.
2022-08-22: CVE requested and as
2022-09-23 19:32 Confessions of a Penetration T
(Collaborative post by hebi and Gynvael Coldwind)
Crow is an asynchronous C++ HTTP/WebSocket framework for creating "flask-like" web services. In early August we discovered a pretty interesting use-after-free vulnerability. Since Crow takes advantage of the Asio library for asynchronous input/output operations, analysis of this vulnerability took a few long evenings, since the cause was split between multiple interwoven tasks and callbacks. Eventually we traced the root cause to an interesting mismatch between two layers of code: one of them, the HTTP parser, supported HTTP pipelining (or rather was agnostic towards it, which resulted in pipelining being inadvertently supported), while the other, the HTTP server logic, was not designed to take HTTP pipelining into account. This resulted in some interesting "race conditions", with one task "thinking" an HTTP connection was over (and deleting objects) while another was still using them to process a separate HTTP request.
One thing to note is that we neve
2022-09-23 19:31 burp
Vulnerability could have been used to bypass cloud isolation protection