Good afternoon, ladies and gentlemen. Today we are going to crack the Smoke Bot Loader. The product is quite popular and has been on the market for quite a long time, and I think this only makes it more interesting.
Tightening first. SQL injection and active XSS
First of all, the gate was examined. As far as I understood, the author assumed that since the data coming into the admin panel from the bot is encrypted with RC4, some checks can be skipped. And in vain.
After a brief search, code vulnerable to SQL injection was found:
In turn, the data from the cname column was not filtered in any way when displayed in the admin panel, which meant that the SQL injection and XSS could be chained.
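The lesson of the two paragraphs above, as an added example that is not code from the write-up or from the panel itself: a toy gate handler in which RC4 decryption is treated as transport only, the decrypted cname is bound as a parameter (never concatenated into SQL), length-checked against the 40-character field mentioned later, and HTML-escaped when the panel renders it. The `rc4` routine, the `Gate` class and the in-memory SQLite table are illustrative assumptions.

```python
"""Added example (not from the original write-up): a minimal gate handler
showing why RC4 transport encryption is no substitute for input handling.
Names (rc4, Gate, CNAME_MAX) are illustrative assumptions."""
import html
import sqlite3

CNAME_MAX = 40  # the write-up says the stored cname is 40 characters long


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


class Gate:
    """Receives encrypted bot check-ins and stores them for the admin panel."""

    def __init__(self, key: bytes):
        self.key = key
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE bots (id INTEGER PRIMARY KEY, cname TEXT)")

    def receive(self, ciphertext: bytes) -> str:
        # Decryption only proves the sender knew the key, which every bot binary
        # carries; the plaintext is still attacker-controlled input.
        cname = rc4(self.key, ciphertext).decode("latin-1")
        if len(cname) > CNAME_MAX:
            raise ValueError("cname too long")
        # Parameter binding keeps quotes in the data out of the SQL grammar.
        self.db.execute("INSERT INTO bots (cname) VALUES (?)", (cname,))
        return cname

    def render_row(self, bot_id: int) -> str:
        # Output encoding at the panel neutralises stored markup like <script>.
        row = self.db.execute("SELECT cname FROM bots WHERE id = ?", (bot_id,)).fetchone()
        return f"<td>{html.escape(row[0], quote=True)}</td>"
```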
Exploit code (two requests to the gate, then active XSS already in the panel):
Place a file named 12 on a resource you control (the length can vary, as long as the string that goes into cname stays 40 characters long), containing trivial code:
And the result:
Now, let’s try to get some profit.
Tightening second. CSRF and bot hijacking
Unfortunately, HTTP Basic authentication was used for login, so hijacking cookies to log in as admin was out of the question (XST is rare, and phpinfo and the like are not always around). So, to get at least some profit from the vulnerability we found, we will try to hijack a bunch of bots. Let's update our file 12:
Now, once the administrator visits the bots page, a new task is added:
The bots load our exe, and once it's launched the smokey bot self-deletes: an ingenious combination, brilliantly carried through to the end! And all we need to know for the attack is the address of the gate.
Butts and ashes
By the way, the comment field in the tasks section is also vulnerable to XSS. Although I had already achieved the main goal, I found a couple more XSS bugs in the code related to the modules (styler, formgrabber, ddos, etc.).
Well, if the version of PHP on the server is really old, you can also read the config:
The code that enables this:
But it's only worth taking seriously if you have a time machine and can go back to that golden age when null bytes weren't a rarity.
Now another product has become safer and more reliable. I am very pleased to have been able to work with such a product, which, mind you, has been on the market since 2011.
P.S. At the time of publication all bugs have been fixed.