Phase Bot – Exploiting C&C Panel

I’ve been withholding this article for a while, due to the fact that the minute I post it all the vulnerabilities will be patched, thus becoming useless to us; however, it turns out hacking all of the Phase C&C panels has generated a bit of noise, resulting in the vulnerabilities being found and patched anyway.

Captcha Reuse

This is quite an easy mistake to make for someone not familiar with coding PHP: when the captcha image is loaded, the session variable $_SESSION['captcha'] is set to the captcha code, and each time the captcha image is loaded again, $_SESSION['captcha'] is updated with the new captcha.

On page load, the browser will perform a GET request to captcha.php, resulting in a new image being returned and the session being updated with the new code.

The code checks the submitted captcha code against the one stored in the session. Unfortunately, if the login fails it doesn’t destroy the session variable, meaning that as long as you don’t perform a GET request to captcha.php, you can reuse the same captcha code indefinitely, allowing login bruteforcing.
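
The fix for the reuse described above, as an added example (not code from the Phase panel or from this post): the stored code is consumed on every check, so a failed login forces a new request to captcha.php. The function names and the sample code X7KQ2 are hypothetical, and the session is passed in as a plain array so the script runs from the PHP CLI.

```php
<?php
// Added example: every name except $_SESSION['captcha'] is hypothetical.
// The session is passed in as an array so the logic runs from the CLI
// without session_start(); in a real panel this would be $_SESSION.

// Vulnerable check, as the article describes it: the stored code survives
// a failed login, so one solved captcha covers unlimited attempts.
function captcha_ok_reusable(array &$session, string $submitted): bool
{
    return isset($session['captcha'])
        && $session['captcha'] === $submitted;
}

// Hardened check: the stored code is consumed before the comparison,
// so every attempt, pass or fail, needs a fresh GET to captcha.php.
function captcha_ok_single_use(array &$session, string $submitted): bool
{
    $expected = $session['captcha'] ?? null;
    unset($session['captcha']);               // burn it unconditionally
    if (!is_string($expected) || $expected === '') {
        return false;                         // no captcha was issued
    }
    return hash_equals($expected, $submitted);
}

// Constructed walk-through: repeated login attempts that all submit the
// same solved captcha without reloading the captcha image in between.
function count_accepted(callable $check, int $attempts): int
{
    $session = ['captcha' => 'X7KQ2'];        // set once by captcha.php
    $accepted = 0;
    for ($i = 0; $i < $attempts; $i++) {
        if ($check($session, 'X7KQ2')) {      // captcha step only
            $accepted++;
        }
    }
    return $accepted;
}

echo 'reusable:   ', count_accepted('captcha_ok_reusable', 3), " of 3 accepted\n";
echo 'single-use: ', count_accepted('captcha_ok_single_use', 3), " of 3 accepted\n";
```

Pairing the single-use check with a per-account or per-IP attempt limit covers the case where the captcha itself is solved automatically.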

Plaintext Passwords

Obviously, no command and control panel would be complete without storing passwords in plaintext; this isn’t a huge issue because there’s no way for an outsider to read from the SQL database, right?

SQL Inject

Another must-have for your budding bot developer: the trusty old SQL injection vulnerability.

The bot implements a really lame method of supporting reverse HTTP proxies: the proxy will set $_GET["i"] to the URL-encoded IP of the bot, which is then input into the database without any sanitization. Sadly, there is no error checking (also popular with bot developers), meaning we can’t just output the password (the injection is totally blind).

What we can do is use boolean logic: we ask the database a question and tell it to do something if the answer is true, and nothing if the answer is false. For example: “If the first character of the password is ‘A’, hang for 5 seconds, else do nothing”. If the request takes 5+ seconds to complete, we know the first letter of the password is A. Boolean logic allows us to bruteforce each character of the password separately, which means it will only take about 5 minutes for a 30 character password using mixed case, numbers, and symbols.

An example SQL query would be:

IF(SUBSTRING((SELECT value FROM settings WHERE id='2'), 1, 1) = BINARY CHAR('A'), SLEEP(5), 0)

The coolest thing about this kind of attack is that if we output each attempt, we get a program that looks like it came out of a lame 90s hacker movie, except it actually works!

Both Xylitol and I individually exploited this vulnerability, so I’ve posted both of our exploits.

SQL Injection (MalwareTech)
SQL Injection (Xylitol)
Test Panel (Vulnerabilities Intact)
Phase Samples

And of course, nobody uses the same password for their hacking forum account as they do for their botnet panel.