Aggregator

去年，诈骗者在针对超过 300,000 个钱包地址的钱包耗尽攻击中窃取了价值 4.94 亿美元的加密货币，比 2023 年增加了 67%，受害者人数仅增加了 3.7%，表明受害者平均持有金额更多。这些

A vulnerability, which was classified as critical, has been found in Cisco IOS 12.1(19). Affected by this issue is some unknown functionality of the component VLAN Trunking Protocol. The manipulation leads to memory corruption. This vulnerability is handled as CVE-2006-4776. The attack may be launched remotely. There is no exploit available.

A vulnerability classified as critical was found in Cisco IOS up to R12.x. Affected by this vulnerability is an unknown functionality of the component VLAN Trunking Protocol Configuration. The manipulation with the input 0x7FFFFFFF leads to improper resource management. This vulnerability is known as CVE-2006-4774. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as critical, has been found in Cisco IOS up to R12.x. Affected by this issue is some unknown functionality of the component VLAN Trunking Protocol. The manipulation as part of VTP Summary Advertisement Message leads to improper resource management. This vulnerability is handled as CVE-2006-4774. The attack may be launched remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as critical, was found in Cisco Catalyst CatOS up to 8.x. This affects an unknown part of the component VLAN Truncing Protocol Summary Paket Handler. The manipulation leads to improper resource management. This vulnerability is uniquely identified as CVE-2006-4775. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as critical has been found in Cisco IOS up to R12.x. Affected is an unknown function of the component VLAN Trunking Protocol Handler. The manipulation as part of Summary Packet leads to improper resource management. This vulnerability is traded as CVE-2006-4774. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

Rockwell Automationが提供するArenaには、複数の脆弱性が存在します。

error code: 521

HackerNews 编译，转载请注明出处： 非营利性献血机构OneBlood证实，去年夏天的一次勒索软件攻击中，捐赠者的个人信息被盗。 OneBlood于2024年7月31日首次向公众通报此次攻击，指出勒索软件攻击者对其虚拟机进行了加密，迫使这家医疗机构回退到使用手动流程。 OneBlood为美国250多家医院提供血液，此次攻击导致血液采集、检测和分发工作延误，一些诊所启动了“严重血液短缺”预案。 当时，这家非营利机构紧急呼吁民众捐赠O型阳性、O型阴性和血小板，这些血型普遍适用，可用于紧急输血。 上周，OneBlood开始向受影响的个人发送数据泄露通知，告知他们针对此事件的调查已于2024年12月12日完成，并确定泄露的确切日期为2024年7月14日。 威胁者在OneBlood发现泄露后的一天，即7月29日之前，一直可以访问其网络。 “我们的调查显示，2024年7月14日至7月29日期间，我们的网络中某些文件和文件夹被未经授权地复制。”OneBlood的数据泄露通知中写道。 “调查确定，您的姓名和社保号码包含在相关文件和文件夹中。”同一份文件指出。 虽然采血中心通常会收集更多信息，如电话号码、电子邮件和实体地址、人口统计数据和病史，但此次泄露的数据仅限于姓名和社保号码。 姓名和社保号码可能会被用于身份盗窃和金融欺诈，由于这些信息不易更改，相关风险将持续多年。 为减轻这一风险，OneBlood在信中附上了免费一年期信用监测服务的激活码，通知收件人需在2025年4月9日前使用。 此外，受影响个人应考虑对其账户进行信用冻结和欺诈警报设置，以防止遭受经济损失。 虽然OneBlood确实遵守了其最初承诺，即告知受影响个人可能存在的数据泄露风险，但六个月的延迟通知仍使这些人处于风险之中。 OneBlood在勒索软件攻击中受影响的人数尚未披露。   消息来源：Bleeping Computer, 编译：zhongx；  本文由 HackerNews.cc 翻译整理，封面来源于网络；   转载请注明“转自 HackerNews.cc”并附上原文

A vulnerability has been found in AuraCMS 3.0 and classified as problematic. This vulnerability affects unknown code of the file filemanager.php. The manipulation of the argument viewdir leads to path traversal. This vulnerability was named CVE-2014-3975. The attack can be initiated remotely. Furthermore, there is an exploit available.

Web-based attacks are becoming increasingly sophisticated, and payment parameter tampering stands out as a silent yet potent threat. This attack involves manipulating parameters exchanged between the client and server to alter sensitive application data, such as user credentials, permissions, product prices, or quantities. The data targeted in parameter tampering is typically stored in cookies, hidden […]

The post What is Payment Parameter Tampering And How to Prevent It? appeared first on Kratikal Blogs.

The post What is Payment Parameter Tampering And How to Prevent It? appeared first on Security Boulevard.

Web-based attacks are becoming increasingly sophisticated, and payment parameter tampering stand

A vulnerability has been found in Microsoft XML Core Services up to 2.6 and classified as critical. This vulnerability affects unknown code. The manipulation leads to memory corruption. This vulnerability was named CVE-2006-4686. The attack can be initiated remotely. There is no exploit available. It is recommended to apply a patch to fix this issue.

A vulnerability, which was classified as critical, was found in Microsoft XML Core Services up to 2.6. This affects an unknown part. The manipulation leads to memory corruption. This vulnerability is uniquely identified as CVE-2006-4685. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to apply a patch to fix this issue.

In 2025, CISOs will have powerful new capabilities as generative artificial intelligence (GenAI) continues to mature. Evolving beyond providing answers to questions, GenAI will provide proactive recommendations, take action, and communicate in a personalized manner. This transition will enable CISOs and their teams to unlock the true impact of GenAI to bolster cybersecurity defenses.

The post This is the year CISOs unlock AI’s full potential appeared first on Help Net Security.

Schneider Electricが提供する複数の製品には、複数の脆弱性が存在します。

A vulnerability classified as critical was found in Citrix Receiver Desktop Lock 4.5. This vulnerability affects unknown code of the component Screen Lock. The manipulation leads to improper access controls. This vulnerability was named CVE-2016-9111. It is possible to launch the attack on the physical device. Furthermore, there is an exploit available.

2023年HVV中爆出来的洞了，但是有一些漏洞点修复了，刚好地市级的攻防演练中遇到了一个，想着把可能出现问题的点全部审计一下，顺便熟悉一下.net代码审计。ps:感兴趣的师傅们可以自行根

2023年HVV中爆出来的洞了，但是有一些漏洞点修复了，刚好地市级的攻防演练中遇到了一个，想着把可能出现问题的点全部审计一下，顺便熟悉一下.net代码审计。ps:感兴趣的师傅们可以自行根据poc搜索源码。

0x1 反编译

好吧，当我没说，下载dnspy反编译即可，但是首先要找到web逻辑代码才能开始审计，因为这套oa是使用了mvc开发模式，简单介绍一下mvc，其实就是model，controller，view，其中的view是视图也就是html等展示给用户看的东西，model是模型也就是控制数据库的代码。controller是控制器负责执行代码的逻辑，也就是我们需要审计的地方了。

然后找到controller就是web的主要逻辑了。

0x2 身份校验绕过

首先可以随便点入一个controller，发现filesController继承自TopVisionApi。

然后我们发现IsAuthorityCheck()这个函数用于判断权限。

首先看到第一行代码getByValue这个函数,其实Request.Properties["MS_HttpContext"]).Request[value]就是获取http请求中的某个参数，而value就是调用传过来的参数，在这里是token，那么这段代码就是获取http中的token参数。

然后if判断了token是不是空值然后再判断token参数的值是不是等于"zxh"，如果登录则直接返回一个UserInfo对象。

然后回到filesController的身份判断，发现只判断了IsAuthorityCheck返回是否为null，所以只需要让token参数是zxh的时候，那么就可以绕过身份校验了。

0x3 任意文件下载

还是 filesController 这个控制器 DownloadRptFile方法。这时我们已经绕过了身份认证，所以只需要看之后代码即可。requestFileName就是我们传递的http参数，

然后跟进代码。并未发现任何过滤../的行为，直接传递给getBinaryFile函数

getBinaryFile函数如下。

结果证明: （读取文件内容会以base64返回）

0x4 信息泄露

发现GetCurrentUserList方法查询了所有用户信息。并且返回给前台。

<UserInfo>是c#中的泛型，这里是用来查询数据库的。可以看到遍历了dicUserList这个数组。这个数组就是初始化的用户信息数组了。

直接访问：

0x5 任意文件删除

发现DeleteFile2方法是一个删除文件方法。这里也没有发现过滤../以及过滤删除文件的后缀名。

虽然是有限制了文件路径，但是全然没有过滤../，而且filename参数也是完全可控的。所以这里其实是存在任意文件删除漏洞的。

ps: 这里就不放验证截图了，感兴趣的师傅们可以自行本地验证。

0x6 任意文件上传

UploadFile2方法中获取了各种参数，然后传入UploadFile2

跟进该方法。pathType就是限制文件上传到哪个文件夹的。

pathType详解：

fs参数是我们传递的byte数组也就是文件的内容。

startPoint等于0就好这样才能创建一个新的文件，datasize则是数组的长度。

漏洞验证：

0x7 SQL注入

InventoryController的GetProductInv方法，直接从参数获取boxNoName未经过过滤直接通过string.Format拼接至sql语句中，导致了sql注入。

验证：直接sqlmap即可