“Pwning SpyEye” – I wrote this paper after the release of 1.2.X on underground forums, but I have seen it under other names. That's why the scene is so fag - because there is plagiarism and it's unpunished.
I. What do we need?
- A computer, preferably running Linux, with network connectivity and a browser
- One SpyEye 1.2.X C&C center (works on 1.3.X too)
- sqlmap (requires Python)
- A brain
II. The compromise
1. Locating your target
The best way is to reverse engineer the SpyEye builder/binaries, or simply to look at your network traffic after infecting yourself (Wireshark etc.). You can also social engineer the botnet master into revealing his IP/domain name, but there will be a separate article on social engineering.
2. Pwning.
Once we know the SpyEye C&C (e.g. the-new-social-network.com/h0s7/) and start looking through SpyEye 1.2.X (works on 1.3.X too), we notice many vulnerabilities including XSS, CSRF, SQL injection etc., but the most interesting of all is the SQLi (SQL injection) one. For this example I will be using frm_findrep_sub2.php, which is vulnerable. An example path would be the-new-social-network.com/h0s7/p4n3l/frm_findrep_sub2.php. So we navigate to:
3. Gaining access – uploading a shell
To upload a shell we can either check for phpMyAdmin (the default directories are phpMyAdmin or phpmyadmin) or try logging in by connecting to the port given in config.php (3306 by default for MySQL). If you have the time and nerve and are not lazy with SQL injection, you can manually expose the current directory. After connecting by the preferred method, we run this query:
Now go to http://the-new-social-network.com/h0s7/p4n3l/kns.php and see your PHP shell uploaded. A basic rooting tutorial will be created and a link will be posted as a continuation of this.
III. Reference/Interesting
SQLmap - http://sqlmap.sourceforge.net/