#WebShell

GripNews (GripNews)
2025-09-24

🌘 MD5 collision: the dual identity of a webshell and an ordinary file
➤ When malicious code wears a legitimate disguise
github.com/phith0n/collision-w
This repository demonstrates a distinctive security technique: a PHP webshell file and a seemingly harmless ordinary PHP file that have exactly the same MD5 hash. In other words, although the contents of the two files are completely different, running them through the MD5 algorithm produces the same hash value. This phenomenon is called an MD5 collision, and it brings a new perspective to security research and practice, especially in file verification and malware identification.
+ Astonishing! I thought MD5 was already obsolete; I never expected it could still be played like this. This is a major challenge for antivirus software and intrusion detection systems.
+ The concept is interesting, but what is the practical application? Could it be used to bypass checks in detection systems?

N-gated Hacker News (ngate)
2025-09-24

😱 Breaking news: Someone discovered a and a normal file share an MD5 hash! 🚨 Stop the presses, this changes everything! Meanwhile, is busy deploying to write better code while nobody noticed the hash collision between a sandwich and a rock. 🍔🗿
github.com/phith0n/collision-w

Simon Roses Femerling (simonroses@infosec.exchange)
2025-08-10

I love it when I see web shell challenges (Red or Blue) in CTF games. Reminds me of the web shell research I did years ago, paper: vulnex.com/data/VULNEX_VB2017_ #WebShell #pentesting #cybersecurity #APT #AppSec

2025-07-24

#BREAKING #ESETResearch has been monitoring the recently discovered #ToolShell zero-day vulnerabilities in #SharePoint Server: CVE-2025-53770 and CVE-2025-53771. SharePoint Online in Microsoft 365 is not impacted. welivesecurity.com/en/eset-res
ESET first detected an attempt to exploit part of the execution chain on July 17 in Germany 🇩🇪. Here, the final #webshell payload was not delivered. The first time we registered the payload was on July 18 in Italy 🇮🇹. We have since seen active ToolShell exploitation all over the world.
We have uncovered several IP addresses that were used in the attacks from July 17 to July 22. The charts show the timeline of the attacks from the three most active of these IP addresses.
ToolShell is being exploited by all sorts of threat actors, from petty cybercriminals to state-sponsored groups, among them China 🇨🇳-aligned #APTs. We expect these attacks to continue taking advantage of unpatched systems.
IoCs available in our GitHub repo: github.com/eset/

Offensive Sequence (offseq@infosec.exchange)
2025-07-04

🚨 CRITICAL CVE-2025-28951: CreedAlly Bulk Featured Image (≤1.2.1) vulnerability lets attackers upload web shells via unrestricted file uploads. Review deployments, restrict uploads, and monitor now. radar.offseq.com/threat/cve-20 #OffSeq #WordPress #Vuln #WebShell

Critical threat: CVE-2025-28951: CWE-434 Unrestricted Upload of File with Dangerous Type in CreedAlly Bulk Featured I

2025-06-22

Offline webshell scanning tool, based on YARA rules github.com/ekky19/Yara-Standal #DFIR #yara #webshell

2025-01-22

#webshell #opendir #netsupport #rat at:

https://appointedtimeagriculture\.com/wp-includes/blocks/post-content/

GatewayAddress=95.179.158.213:443
RADIUSSecret=dgAAAPpMkI7ke494fKEQRUoablcA

2024-12-04 (Wednesday): Casual review of my most recent Apache web server access logs shows what looks like an attempt to get a PHP #webshell on my web server.

URL for the PHP webshell is hxxp://1.14.123[.]164/ote.txt

(Image) Screenshot from one of my web server logs showing the HTTP GET request with the URL for the PHP webshell.
(Image) The URL for the PHP webshell opened in a web browser, returning the PHP text file for this webshell.
(Image) VirusTotal results showing the file returned from that URL is a PHP webshell.

2024-08-28

How to take over a telecom operator's network and its customers' data by uploading a favicon?

A hacking campaign targeting US network providers was recently discovered (at least four ISPs were infected this way). It exploited a vulnerability in Versa Networks' SD-WAN solution. The vulnerability lies in the favicon upload mechanism of the web application. But instead of a favicon, a Java webshell can be uploaded... Uploading a favicon does, however, require having access...

#WBiegu #Apt #Atak #Chiny #Websec #Webshell

sekurak.pl/jak-przejac-siec-op

2024-08-09

Low-risk vulnerabilities that nevertheless yielded RCE: see the attack vector we found during our latest pentest

In pentesting work we very often encounter vulnerabilities that by themselves carry low or medium risk. For an attacker to exploit them for nefarious purposes, a whole series of conditions must be met, often very hard to achieve, for example the user clicking a crafted link sent to them. The more demanding the conditions,...

#Aktualności #Cve #Lfd #Pentesty #Rce #SQLInjection #Webshell

sekurak.pl/podatnosci-o-niskim

2024-08-02

[Translation] Translation of the article "Injecting Java in-memory payloads for post-exploitation"

In March, Synacktiv described ways of exploiting insecure deserialization in applications written in Java. Later, the author's red team encountered Java applications in which other vulnerabilities leading to code execution were found. In this article the author presents several techniques that were used to inject payloads into memory, using well-known applications as examples. We, the authors of the AUTHORITY Telegram channel, have translated this article into Russian.

habr.com/ru/articles/833262/

#Java #tomcat #jenkins #bitbucket #confluence #pentest #inmemory #exploit #webshell

2024-01-19

How to defend against "fileless" web shells

In today's article, experts from Cyber OK (Сайбер ОК) will walk you by the hand through the labyrinth of hacker tricks and explain in plain terms what "fileless" web shells are and how to protect your resources from them.

habr.com/ru/companies/cyberok/

#webshell #вебшелл #fileless_webshell #php #rce #cve #edr #soldr

Captain Cyberbeard (CaptCyberBeard)
2023-11-22

🏴‍☠️ Navigate the cyber seas! Explore the mysterious HrServ web shell in our latest post: 'Web Shell on the Horizon'. Dive in: cybercorsair.blogspot.com/2023

2023-11-09

This novel web shell “hijacks the underlying Apache Tomcat webserver and silently inserts itself between Confluence and Tomcat–making itself available on every webpage ...”

Interesting CVE-2023-22515 post-exploit behavior discovered by Aon's Stroz Friedberg Incident Response practice.

“… patching Confluence to address CVE-2023-22515 and CVE-2023-22518 will not remediate the web shell if it has been deployed.”

See the blog post for insights on identification of this web shell on your #Confluence server.

aon.com/cyber-solutions/aon_cy

#dfir #cve #webshell #exploit #atlassian #security

Kswari 🕵️‍♂️ (pacenoge@infosec.exchange)
2023-09-22

"Slot gacor" backlinks on government/university websites won't disappear that easily, because plenty of people sell, and plenty also want to buy, webshell/cPanel access to .go.id and .ac.id domains 😑

@indonesia #webshell #cpanel #backdoor

🛡 H3lium@infosec.exchange/:~# (H3liumb0y@infosec.exchange)
2023-09-07

"⚠️ #Updated: Citrix CVE-2023-3519 Exploitation - Webshells Implanted! ⚠️"

Initial Release Date: July 20, 2023

The CISA has updated the alarm on CVE-2023-3519, a severe RCE vulnerability in NetScaler (Citrix) ADC & Gateway. In June 2023, threat actors exploited this as a zero-day, compromising a critical infrastructure organization. They planted a webshell, enabling AD reconnaissance & data exfiltration. Thankfully, network-segmentation controls halted their lateral movement. Citrix has since released a patch. Stay vigilant!

Summary:
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory regarding the exploitation of CVE-2023-3519, an unauthenticated remote code execution (RCE) vulnerability affecting NetScaler (formerly Citrix) Application Delivery Controller (ADC) and NetScaler Gateway. Threat actors exploited this vulnerability as a zero-day in June 2023, compromising a critical infrastructure organization's non-production environment NetScaler ADC appliance. The attackers planted a webshell, enabling them to perform Active Directory (AD) reconnaissance and data exfiltration. Although they attempted lateral movement to a domain controller, network-segmentation controls prevented their progress. Citrix released a patch on July 18, 2023.

Technical Details:

  • CVE-2023-3519: This unauthenticated RCE vulnerability impacts various versions of NetScaler ADC and NetScaler Gateway. The affected appliance must be configured as a Gateway or for authentication, authorization, and auditing (AAA) to be exploited.

Threat Actor Activity (Victim 1):

  • Initial exploit chain involved uploading a TGZ file containing a webshell, discovery script, and setuid binary.
  • The webshell was used for AD enumeration and data exfiltration.
  • NetScaler configuration files and decryption keys were accessed.
  • Actors queried AD data and encrypted discovery data for exfiltration.
  • Attempts to move laterally and delete artifacts were blocked by network-segmentation controls.

Update September 6, 2023: Victim 2:

  • Actors uploaded a PHP webshell, gained root access, and conducted AD queries.
  • Exfiltrated data and deleted files and logs.
  • Used compromised pfSense devices for command and control (C2).

Additional Observed Activity:

  • Actors leveraged open source webshells and tools for various purposes, including exfiltration, persistence, and tampering with monitoring tools.
  • Modified open-source tools to capture and exfiltrate credentials.
  • Deployed tunnellers for encrypted reverse TCP/TLS connections.
  • Employed Sysinternals ADExplorer for AD reconnaissance.

Update September 6, 2023:
The advisory was updated with additional techniques, including infrastructure compromise, tool acquisition, scripting interpreter usage, autostart execution, multi-hop proxying, file deobfuscation, permissions modification, defense impairment, indicator removal, masquerading, data staging, and protocol tunneling.

Organizations are urged to apply the provided patches by Citrix and implement the detection guidance to identify potential system compromises. Incident response recommendations are included in the advisory for confirmed compromises, while vigilant monitoring and security measures are advised to prevent further exploitation.

Source: CISA Advisory - AA23-201A

Tags: #Cybersecurity #Citrix #CVE20233519 #NetScaler #ZeroDay #Webshell #DataExfiltration #PatchNow #StaySafe

Patryk Krawaczyński (agresor@infosec.exchange)
2023-08-09

Nano & Ninja: webshells in 35 and 93 bytes ( nfsec.pl/hacks/6219 ) #php #webshell #security #backdoor #twittermigration
