Sep 24, 2022

WordPress WP-UserOnline plugin version 2.88.0 suffers from a persistent (stored) cross-site scripting vulnerability.

# Exploit Title: WordPress Plugin WP-UserOnline 2.88.0 - Stored Cross-Site Scripting (XSS)

# Google Dork: inurl:/wp-content/plugins/wp-useronline/
# Date: 2022-08-24
# Exploit Author: UnD3sc0n0c1d0
# Vendor Homepage: https://github.com/lesterchan/wp-useronline
# Software Link: https://downloads.wordpress.org/plugin/wp-useronline.2.88.0.zip
# Category: Web Application
# Version: 2.88.0
# Tested on: Debian / WordPress 6.0.1
# CVE : CVE-2022-2941
# Reference: https://github.com/lesterchan/wp-useronline/commit/59c76b20e4e27489f93dee4ef1254d6204e08b3c

# 1. Technical Description:
The WP-UserOnline plugin for WordPress has multiple Stored Cross-Site Scripting vulnerabilities in versions
up to, and including, 2.88.0. The cause is that none of the fields in the "Naming Conventions" section are
properly sanitized on input or escaped on output. This makes it possible for authenticated attackers with
administrative privileges to inject JavaScript code into the setting; the code then executes whenever a user
accesses the page that renders the injected value.

# 2. Proof of Concept (PoC):
a. Install and activate version 2.88.0 of the plugin.
b. Go to the plugin options panel (http://[TARGET]/wp-admin/options-general.php?page=useronline-settings).
c. Identify the "Naming Conventions" section and type your payload in any of the existing fields. You can use
the following payload:
<script>alert(/XSS/)</script>
d. Save the changes and then go to the Dashboard/WP-UserOnline option. As soon as that page loads, your payload
will be executed.

Note: This change will be permanent until you modify the edited fields.
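The sanitize-on-save and escape-on-output fix the description calls for, shown as an added PHP illustration; this is not the plugin's code or the referenced commit, the option name `example_naming`, the function names and the assumption that the field holds plain text are all hypothetical:

```php
<?php
// Added illustration (not WP-UserOnline's code): the unsafe settings pattern the
// advisory describes beside a hardened version. Option/field names are assumptions.

// --- Vulnerable pattern: raw POST value stored, raw option echoed ---
function example_save_naming_unsafe() {
    // Stored exactly as submitted: a <script> tag survives into wp_options.
    update_option( 'example_naming', wp_unslash( $_POST['example_naming'] ) );
}

function example_render_naming_unsafe() {
    $naming = get_option( 'example_naming', '' );
    echo $naming; // No escaping: stored markup is interpreted by the viewer's browser.
}

// --- Hardened pattern: sanitize on save, escape on output ---
function example_register_settings() {
    register_setting(
        'example_settings',
        'example_naming',
        array(
            'type'              => 'string',
            // Runs on every save through the Settings API: strips tags and
            // invalid UTF-8, so no markup reaches the database.
            'sanitize_callback' => 'sanitize_text_field',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'example_register_settings' );

function example_render_naming_safe() {
    $naming = get_option( 'example_naming', '' );
    // Escape for the output context: esc_html for text nodes,
    // esc_attr inside HTML attributes, esc_js inside inline scripts.
    echo esc_html( $naming );
}

// --- Defender check: flag a value that was stored before the fix and carries markup ---
function example_option_has_markup( $option_name ) {
    $value = (string) get_option( $option_name, '' );
    // If removing tags changes the value, something other than plain text is stored.
    return wp_strip_all_tags( $value ) !== $value;
}
```

Running the check over each affected option after upgrading identifies settings that must be re-saved (which now passes them through the sanitize callback) rather than trusting the upgrade alone to clean existing data.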

Jan 10, 2020

Overview of malicious code analysis process

Code Analysis Process

  1. Examine static properties of the Windows executable for initial assessment and triage.
  2. Identify strings and API calls that highlight the program’s suspicious or malicious capabilities.
  3. Perform automated and manual behavioral analysis to gather additional details.
  4. If relevant, supplement our understanding by using memory forensics techniques.
  5. Use a disassembler for static analysis to examine code that references risky strings and API calls.
  6. Use a debugger for dynamic analysis to examine how risky strings and API calls are used.
  7. If appropriate, unpack the code and its artifacts.
  8. As your understanding of the code increases, add comments and labels, and rename functions and variables.
  9. Progress to examine the code that references or depends upon the code you’ve already analyzed.
  10. Repeat steps 5-9 above as necessary (the order may vary) until analysis objectives are met.

Apr 22, 2016

Panama Papers – How Hackers Breached the Mossack Fonseca Firm

Introduction

The Panama Papers are a huge trove of highly confidential documents stolen from the computer systems of the Panamanian law firm Mossack Fonseca and recently leaked online.
It is considered the largest data leak ever: the entire archive contains more than 11.5 million files, amounting to 2.6 terabytes of data related to the activities of offshore shell companies used by the most powerful people around the world, including 72 current and former heads of state.
Figure 1 – Data Leaked (Source: Süddeutsche Zeitung)
To put the size of this leak in perspective, let's compare the volume of the stolen data with the size of the archives disclosed after other

Mar 23, 2016

Android Forensic Logical Acquisition

Introduction

The following is a demonstration of how to create an Android emulator, the steps needed to acquire a logical image of the system, and how to start analyzing that image forensically.
In the mobile forensics world (depending on the OS, the OS version, and the device) there are in general three main acquisition techniques:
  • Direct acquisition
  • Logical acquisition
  • Physical acquisition
The direct acquisition technique can be performed if the seized device is either not locked or the PIN/password/pattern lock is known to the investigator. In that case all data available to the user is available to the examiner through the usual user interface (UI). The one "disturbing" point is that, relying on this method alone, system files, system logs and the system partition are not accessible.
The logical acquisition is a bit-by-bit copy of a given logical storage (the storage may be the user data partition as well as the system data partition), and this acquisition method produces

Feb 13, 2016

How Malware Detects Virtualized Environment (and its Countermeasures)

Virtual machines are usually considered a good way to analyze malware, as they provide an isolated environment in which the malware can trigger while its actions are controlled and intercepted. However, modern malware detects the environment in which it