Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Digita Information Technology Smartrise Document Management System allows SQL Injection.This issue affects Smartrise Document Management System: before Hvl-2.0.



CVE-2023-4034

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Coyav Travel Proagent allows SQL Injection.This issue affects Proagent: before 20230904 .



CVE-2023-35072

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mava Software Hotel Management System allows SQL Injection.This issue affects Hotel Management System: before 2.0.



CVE-2023-3616

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Osoft Paint Production Management allows SQL Injection.This issue affects Paint Production Management: before 2.1.



CVE-2023-35065

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in BMA Personnel Tracking System allows SQL Injection.This issue affects Personnel Tracking System: before 20230904.



CVE-2023-35068

Audimexee v14.1.7 was discovered to contain a SQL injection vulnerability via the p_table_name parameter.

CVE-2023-36361

Categories: News
Categories: Ransomware
A attack that uses a database as an entry point to a network reminds us that you should never expose your databases to the Internet.



(Read more...)




The post FreeWorld ransomware attacks MSSQL—get your databases off the Internet appeared first on Malwarebytes Labs.

When we think of ransomware and brute force password guessing attacks, we normally think of RDP, but recent research from Securonix reminds us that anything secured with a password and exposed to the Internet is of interest to cybercriminals.

Microsoft's Remote Desktop Protocol has been a favourite point of entry for ransomware gangs for several years now. Cybercriminals seek out machines with RDP exposed to the Internet and attempt to guess their passwords, hoping to gain entry. They like RDP because it gives them exactly the same access as sitting at a chair in front of the computer, and because there are millions of targets to choose from.

But other systems can be abused to gain entry in a similar way, and the Securonix Threat Research team reports that it has spotted attackers targeting exposed Microsoft SQL (MSSQL) services using brute force attacks.

In an attack described by Securonix, attackers brute forced a MSSQL password and then used the database's xp\_cmdshell feature to run commands on the host machine the database was running on.

> Next, discovering that the MSSQL function xp\_cmdshell stored procedure was enabled, the attackers began running shell commands on the host. This function allows for command execution and should normally not be enabled unless required.

The attackers used this ability to run commands on the host machine to try to give themselves RDP accesss. When that failed, they used AnyDesk remote access software instead. From there they explored the network the server was running on, before ultimately running FreeWorld ransomware. Securonix provide a detailed breakdown of the precise steps taken by the attackers, and its article is well worth reading.

The attack is a timely reminder of an old security adage, one that's at least as old as the 25 years or so I've been messing around with databases: Never expose your databases to the Internet. Typically, databases contain sensitive information that should be at the centre of your network and not the periphery, and that should only be accessbile to internal systems. Where data needs to be accessed from the Internet it should be made available via an application or API.

Although the situation is much improved now, historically, some databases made the situation worse by shipping with default passwords, or even no authentication at all.

As I mentioned before, one of the things that attracts attackers to RDP is the large number of available targets, so I wondered how many databases I could find via Shodan, the search engine that finds Internet-connected computers.

For comparison, every time I've looked in the last five years or so, there have been around two or three million computers running RDP accessible via Shodan, meaning that attackers have two to three million targets to choose from.

**Finding databases on the Internet**

The first database I looked up was MSSQL, the target in the attack spotted by Securonix. A simple search on Shodan found almost 90,000 potential targets. Although there are seemingly far fewer Internet-exposed computers running MSSQL than RDP, a server running MSSQL is likely to be a far higher value target than a desktop running RDP.

Anything connected to the Internet should expect to be the subject of relentless password guessing, and these are no exception.

Next up was MongoDB, a "noSQL" database with a that has been the subject of significant ransomware campaigns in the past. Historically, some configurations of MongoDB made it possible to install it without setting a password, and attackers made hay with those who didn't.

The problem was so serious that in 2017, the MongoDB website published an article called How to Avoid a Malicious Attack That Ransoms Your Data, reminding its users to use the product's security features.

Evidently, plenty of people didn't read it and in 2020, an automated ransomware campaign dropped ransom notes on 22,900 databases left exposed without a password. At the time this was said to represent 47% of Internet-connected MongoDB databases.

Those mass exploitation events are a thing of the past, but according to Shodan there are now almost 110,000 MongoDB databases connected to the Internet for potential attackers to probe.

Next I searched for MySQL, the world's most popular database. Shodan found more than three million servers running MySQL, giving it parity with RDP in terms of the total number of potential targets. Alongside those there are a further 800,000 instances of the MySQL fork, MariaDB, making a huge, four million-strong pool of targets.

MySQL and MariaDB often act as the source of data for websites, rather than as an enterprise data store like MSSQL, so _may_ carry less business-critical data, but they still represent a prize, and a potential entry point into a network.

While there are exceptions to every rule, it's always good to start with the assumption that you should probably follow the rule. It remains good advice to keep your databases off the Internet, so think long and hard before you decide that's the right solution. And whether they are on the Internet or not, databases should always be secured with an exceptionally strong password.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

FreeWorld ransomware attacks MSSQL—get your databases off the Internet

Parse Server is an open source backend server. In affected versions the Parse Cloud trigger `beforeFind` is not invoked in certain conditions of `Parse.Query`. This can pose a vulnerability for deployments where the `beforeFind` trigger is used as a security layer to modify the incoming query. The vulnerability has been fixed by refactoring the internal query pipeline for a more concise code structure and implementing a patch to ensure the `beforeFind` trigger is invoked. This fix was introduced in commit `be4c7e23c6` and has been included in releases 6.2.2 and 5.5.5. Users are advised to upgrade. Users unable to upgrade should make use of parse server's security layers to manage access levels with Class-Level Permissions and Object-Level Access Control that should be used instead of custom security layers in Cloud Code triggers.

CVE-2023-41058: Parse

jSQL Injection is a lightweight application used to find database information from a distant server. jSQL Injection is also part of the official penetration testing distribution Kali Linux and is included in various other distributions like Pentest Box, Parrot Security OS, ArchStrike and BlackArch Linux. This is the source code release.

jSQL Injection 0.92

ImpressionTech CMS version 1.4 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : ImpressionTech CMS ٍv1.4 Sql injection Vulnerability                                                                || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 61.0.1 (32-bit)                                            || # Vendor    : http://www.imprtech.com/                                                                                           |  | # Dork      : "Website | Impression Technologies LLC"  .php?id=                                                                  |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] Use Payload : /news.php?id=58[+] http://127.0.0.1/xxxxxxxxxx.com/news.php?id=58 <======= inject hereGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Tag

#sql