Phase Bot – Exploiting C&C Panel
I’ve been withholding this article for a while, due to the fact that the minute I post it all the vulnerabilities will be patched, thus becoming useless to us; however, it turns out hacking all of the phase C&C panels has generated a bit of noise, resulting in the vulnerabilities being found and patched anyway.
This is quite an easy mistake to make for someone not familiar with coding php: when the captcha image is loaded the session variable $_SESSION[‘captcha’] is set to the captcha code, each time the captcha image is loaded the $_SESSION[‘captcha’] variable is updated with the new captcha.
The code checks the submitted captcha code with the one stored in the session, unfortunately if the login fails it doesn’t destroy the session variable; meaning that as long as you don’t perform a GET request to captcha.php, you can reuse the same captcha code indefinitely, allowing login bruteforcing.
Obviously, no command and control panel would be complete without storing passwords in plaintext; this isn’t a huge issue because there’s no way for an outsider to read from the SQL database, right?
The bot implements are really lame method of supporting reverse HTTP proxies: The proxy will set $_GET[“i”] to the urlencoded IP of the bot, which is then input to the database without any sanitization. Sadly, there is no error checking (also popular with bot developers), meaning we can’t just output the password (the injection is totally blind).
What we can do, is use boolean logic, that is, we ask the database a question and tell it to do something if the answer is true, and nothing if the answer is false. For example: “If the first character of the password is ‘A’, hang for 5 seconds, else do nothing”. If the request takes 5+ seconds to complete, we know the first letter of the password is A. Boolean logic allows us to bruteforce each character of the password separately, which means it will only take about 5 minutes for a 30 character password using mixed case, numbers, and symbols.
An example SQL query would be: > IF(SUBSTRING((SELECT value FROM settings WHERE id=’2′), 1, 1) = BINARY CHAR(‘A’), SLEEP(5), 0)
Both Xylitol and I individually exploited this vulnerability, so I’ve posted both of our exploits.