Not so long ago I came across another bot panel based on TeamViewer. The authors of this miracle spyadmin.com (aka vzlomov.com) have been in the blades for a long time already, so we can break as much as we want (it’s not illegal and 95% safer than trapping pokemons in church).
In a nutshell:
config.php connect to the database, set login/password getinfo.php gate for bots index.php the panel itself install.php edit settings lang.php languages. setcmd. php sending commands to bots.
There’s nothing special in the folders styles, js, images.
To begin with, I decided to look through the gate code. As luck would have it, almost all the parameters were filtered. The developer made only two mistakes:
But even these two mistakes were enough for us. SQL injection was slightly complicated by the fact that all data going to gate had to be encrypted with RC4.
I finally sketched out a small script to handle SQL injection:
Basically, you could play a guessing game and get all the Bot IDs in a couple of hours. The default password for all the bots was the same. But fortunately, it was possible to change the data in the database, and so a shorter way to get total control over the admin panel was found.
Just like with SQLi, almost all variables were filtered out in the index.php panel. The only exceptions were $bot_comment, $bot_username, $bot_compname (why is unclear). Slightly change the code in the previous script (to output document.cookie):
Run the script, go to the admin panel:
Great. Ideally, all that’s left to do is send a cookie to your sniffer But there’s no such thing:
There is a binding to IP, which means that just stealing cookies makes no sense. You need to get the value of $cfg_secret_hash variable, which is in config.php file. And which can be changed using the install.php file.
Let’s steal the variable value from install.php with this code:
Shove it all to pastebin, and feed it to the admin panel with SQLi.
As soon as the botnet administrator logs into the panel, we will receive a secret hash. And now we have everything to log into the admin panel generate the hash, substitute it in the to_login cookie and log in.
Once again, pay attention to install.php. The code there is awesome:
We edit the config:
In any field, after the normal value, add:
Save. Go to upload.php and upload the shell.
Now we link everything together: we use SQL injection to inject XSS, then we steal the data from the install.php page and pour the shell.
Pour this js-code onto some shell:
And implement it using the previously described method. It is worth noting that do not choose to store the sites with self-signed certificates or large services like pastebin in both cases, the code may simply not work. As soon as the botologist enters the page, the root will be filled files. If you want, you can change the code, and pour the shell immediately.
I haven’t even mentioned the crippled LFI, a few CSRFs and other trivia, as I think the above is enough as it is. That’s how easy and simple it is to get into the admin of a bot that sold (and is still selling) for $500. Or, if you look on the other hand, for your own money you can buy a neighbor scammer, mentor, krebs. I agree in advance that the chance of such a deal is small, but why the unnecessary risks?
Do you have confidence that the software you are using now is more secure than spyadmin?
dumps credit card numbers